CalvinBackup/thc-tips-tricks-hacks-cheat-sheet
1
0
Fork 0
mirror of https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.git synced 2026-05-31 19:41:33 +02:00
Code Issues Packages Projects Releases Wiki Activity
2 Commits 1 Branch 0 Tags
df82464e55249518537d70174f43c379b1be7b4b
T
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
rootTHC df82464e55 Update README.md 
initial commit
2020-01-23 16:14:27 +00:00
README.md
Update README.md
2020-01-23 16:14:27 +00:00

README.md

thc-1001-tips-and-tricks

Various tips & tricks

A collection of our favorite tricks. Many of those tricks are not from us. We merely collect them.

We show the tricks 'as is' without any explanation why they work. You need to know Linux to understand how and why they work.

Got tricks? Send them to root@thc.org.

1. Leave bash without history:

Tell Bash that there is no history file (~/.bash_history).

$ unset HISTFILE

This is the first command we issue on our shell.

It is good housekeeping to 'commit suicide' when exiting the shell:

$ kill -9 $$

2. Almost invisilbe ssh

$ ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i"

This will not add your user to the /var/log/utmp file and you wont show up in w or who command of logged in users. On your client side it will stop logging the host name to ~/.ssh/known_hosts.

3. SSH tunnel OUT

We use this all the time to circumvent local firewalls or IP filtering:

$ ssh -g -L31337:1.2.3.4:80 user@host.org

You or anyone else can now connect to your computer on port 31337 and gets connected to 1.2.3.4:80 and appearing from host 'host.org'

4. SSH tunnel IN

We use this to give access to a friend to an internal machine that is not on the public internet:

$ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@host.org

Anyone connecting to host.org:31338 will get connected to the compuyter 192.168.0.5 on port 80 via your computer.

5. Hide your command

$ cp `which nmap` syslogd
$ PATH=.:$PATH syslogd -T0 10.0.2.1/24

In this example we execute nmap but let it appear with the name syslogd in ps alxwww process list

6. Hide your arguments

Continuing from above..FIXME: can this be done witout LD_PRELOAD and just in bash?

7. ARP discover computers on the local network

$ nmap -r -sn -PR 192.168.0.1/24

This will Arp-ping all local machines. ARP ping always seems to work and is very steahlthy (e.g. does not show up in the target's firewall).

8. Sniff a SSH session

$ strace -p <PID of ssh> -e trace=read -o ~/.ssh/ssh_log.txt
$ grep 'read(4' ~/.ssh/ssh_log.txt | cut -f1 -d\"

Dirty way to monitor a user who is using ssh to connect to another host from a computer that you control.

9. Sniff a SSH session without root priviledges

Even dirtier way in case /proc/sys/kernel/yama/ptrace_scope is set to 1 (strace will fail on already running SSH clients unless uid=0)

FIXME: alias it..

10. File transfer - uuencode

Sometimes there is a need to transfer a file from your system to the target system to which you are logged in with a shell. This tricks works great when you do not have a real tty or can not reach the target by any other means but the one shell you have running.

In this example we copy our local /etc/issue.net to the remote system and save it there as issue.net-COPY:

$ uuencode /etc/issue.net issuer.net-COPY
begin 644 issue-net-COPY
356)U;G1U(#$X+C`T+C(@3%13"@``
`
end

Now cut & paste the output (4 lines, starting with 'being 644 ...') into your remote shell after executing:

$ uudecode
begin 644 issue-net-COPY
356)U;G1U(#$X+C`T+C(@3%13"@``
`
end

11. File transfer - openssl

uuencode is rarely available these days. Openssl works just fine as well:

$ openssl base64 </etc/issue.net
VWJ1bnR1IDE4LjA0LjIgTFRTCg==

Then cut & paste everything into this command:

$ openssl base64 -d >issue.net-COPY

12. File transfer - screen from REMOTE to LOCAL

Transfer a file FROM the remote system to your local system:

Have a screen running on your local computer and log into the remote system from within your shell. Instruct your local screen to log all output:

  1. CTRL-a : logfile screen-xfer.txt
  2. CTRL-a H

On the remote system use 'uuencode' to encode the file:

uuencode /etc/issue.net issue.net-COPY

Stop your local screen from logging any further data:

  1. CTRL-a H

On your local computer and from a different shell decode the file:

$ uudecode <screen-xfer.txt
$ rm -rf screen-xfer.txt

13. File transfer - screen from LOCAL to REMOTE

Use uuencode as before. On the remote system (and from within the current screen):

$ uudecode

Get screen to slurp the uuencoded data into its own clipboard.

  1. CTRL-a : readbuf /etc/issue.net-COPY
  2. CTRL-a : paste .

14. Shred & Erase a file

$ shred -z foobar.txt

15. Shred & Erase without shred

$ FILENAME=foobar.txt; dd bs=1k count="`du -sk \"${FILENAME}\" | cut -f1`" if=/dev/urandom >"${FILENAME}"; rm -f "${FILENAME}"

Note: Or deploy your files in /dev/shm directory so that no data is written to the harddrive. Wont survive a reboot. Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.

Reference in New Issue View Git Blame Copy Permalink
S
Description
No description provided
Readme 1.1 MiB
Languages
Shell 93.6%
C 4%
PHP 2.4%