Commands tagged Security (51)

  • Test for weak SSL version. Show Sample Output


    1
    openssl s_client -connect localhost:443 -ssl2
    fernandomerces · 2011-04-02 06:34:39 4
  • Put a space in front of your command on the command line and it will not be logged as part of your command line history. Show Sample Output


    1
    <space> secret -p password
    pcholt · 2011-09-16 12:41:16 4
  • Here Strings / A variant of here documents, the format is: (from bash manpage)


    1
    md5sum<<<'text to be encrypted'
    waldvogel · 2012-02-14 19:57:52 2

  • 1
    echo -n 'the_password' | md5sum -
    jfreak53 · 2012-06-04 13:18:33 2
  • The lastb command presents you with the history of failed login attempts (stored in /var/log/btmp). The reference file is read/write by root only by default. This can be quite an exhaustive list with lots of bots hammering away at your machine. Sometimes it is more important to see the scale of things, or in this case the volume of failed logins tied to each source IP. The awk statement determines if the 3rd element is an IP address, and if so increments the running count of failed login attempts associated with it. When done it prints the IP and count. The sort statement sorts numerically (-n) by column 3 (-k 3), so you can see the most aggressive sources of login attempts. Note that the ':' character is the 2nd column, and that the -n and -k can be combined to -nk. Please be aware that the btmp file will contain every instance of a failed login unless explicitly rolled over. It should be safe to delete/archive this file after you've processed it. Show Sample Output


    1
    sudo lastb | awk '{if ($3 ~ /([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/)a[$3] = a[$3]+1} END {for (i in a){print i " : " a[i]}}' | sort -nk 3
    sgowie · 2012-09-11 14:51:10 2
  • You might want to secure your AWS operations requiring to use a MFA token. But then to use API or tools, you need to pass credentials generated with a MFA token. This commands asks you for the MFA code and retrieves these credentials using AWS Cli. To print the exports, you can use: `awk '{ print "export AWS_ACCESS_KEY_ID=\"" $1 "\"\n" "export AWS_SECRET_ACCESS_KEY=\"" $2 "\"\n" "export AWS_SESSION_TOKEN=\"" $3 "\"" }'` You must adapt the command line to include: * $MFA_IDis ARN of the virtual MFA or serial number of the physical one * TTL for the credentials Show Sample Output


    1
    head -n1 | xargs -I {} aws sts get-session-token --serial-number $MFA_ID --duration-seconds 900 --token-code {} --output text --query [Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]
    keymon · 2016-04-12 10:57:00 26
  • This is wonderful perl script to check the web server security and vulnerability .Get it from here :http://www.cirt.net/nikto2 Here are some key features of "Nikto": ? Uses rfp's LibWhisker as a base for all network funtionality ? Main scan database in CSV format for easy updates ? Determines "OK" vs "NOT FOUND" responses for each server, if possible ? Determines CGI directories for each server, if possible ? Switch HTTP versions as needed so that the server understands requests properly ? SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL) ? Output to file in plain text, HTML or CSV ? Generic and "server type" specific checks ? Plugin support (standard PERL) ? Checks for outdated server software ? Proxy support (with authentication) ? Host authentication (Basic) ? Watches for "bogus" OK responses ? Attempts to perform educated guesses for Authentication realms ? Captures/prints any Cookies received ? Mutate mode to "go fishing" on web servers for odd items ? Builds Mutate checks based on robots.txt entries (if present) ? Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available) ? Multiple IDS evasion techniques ? Users can add a custom scan database ? Supports automatic code/check updates (with web access) ? Multiple host/port scanning (scan list files) ? Username guessing plugin via the cgiwrap program and Apache ~user methods Show Sample Output


    0
    nikto.pl -h yourwebserver
    unixbhaskar · 2009-08-29 04:54:43 6
  • Change the IP address from 127.0.0.1 to the target machines ip address. Even if the target has ICMP (ping) blocked, it will show you what ports are open on the target. Very handy for situations where you know the target is up and online but wont respond to pings. Show Sample Output


    0
    nmap -sT -PN -vv <target ip>
    Richie086 · 2011-07-22 02:37:19 2
  • Decrypt with: gpg -o- foo.tgz.gpg | tar zxvf -


    0
    tar zcf - foo | gpg -c --cipher-algo aes256 -o foo.tgz.gpg
    skkzsh · 2013-03-13 09:44:39 2
  • Searched strings: passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile Since some of the strings may occur in normal text or legitimately you will need to adjust the command or the entire regex to suit your needs.


    0
    find ./public_html/ -name \*.php -exec grep -HRnDskip "\(passthru\|shell_exec\|system\|phpinfo\|base64_decode\|chmod\|mkdir\|fopen\|fclose\|readfile\) *(" {} \;
    lpanebr · 2013-04-03 12:42:19 4
  • I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect. What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.


    0
    for ii in $(find /path/to/docroot -type f -name \*.php); do echo $ii; wc -lc $ii | awk '{ nr=$2/($1 + 1); printf("%d\n",nr); }'; done
    faceinthecrowd · 2013-04-05 19:06:17 4
  • ipscore <your ip> number ipscore 186.78.151.135 2 a high score represents a bad remote address (honeypot, tor, botnet..) Show Sample Output


    0
    function ipscore() { local OLD_IFS="$IFS" IFS=","; local result="`curl -s "http://wafsec.com/api?ip=$1"`" && local results=(${result}) && printf -- '%s\n' "${results[@]}" | grep '"Score":' | cut -d':' -f2; IFS="$OLD_IFS"; }; ipscore ${target_ip}
    LoadLow · 2014-11-20 23:18:46 5
  • chkrootkit is a tool to locally check for signs of a rootkit,Get it from the website http://www.chkrootkit.org


    -1
    chkrootkit -x | less
    unixbhaskar · 2009-08-30 12:47:08 1
  • This must be run the first time while logged into your Mac desktop, as it will graphically prompt for access permissions. Subsequent uses will not prompt, assuming you select "Always allow". Show Sample Output


    -1
    security unlock-keychain; security find-generic-password -ga "/Users/mruser/.ssh/id_dsa" 2>&1 > /dev/null
    curiousstranger · 2010-02-02 21:14:57 2
  • This command imports the certificate file cert.pfx into the keystore file, using BouncyCastle as security provider. It was validated using - OpenJDK Runtime Environment (Zulu 8.36.0.1-CA-linux64) - Java(TM) SE Runtime Environment (build 1.8.0_192-ea-b04) - OpenJDK Runtime Environment (build 9.0.4+11) - OpenJDK Runtime Environment 18.9 (build 11.0.2+9) Show Sample Output


    -1
    keytool -importcert -providerpath bcprov-jdk15on-1.60.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storetype BCPKCS12 -trustcacerts -alias <alias> -file <filename.cer> -keystore <filename>
    andresaquino · 2019-02-25 08:39:05 20
  • This command imports the keystore file cert.pfx into the keystore file, using BouncyCastle as security provider. It was validated using - OpenJDK Runtime Environment (Zulu 8.36.0.1-CA-linux64) - Java(TM) SE Runtime Environment (build 1.8.0_192-ea-b04) - OpenJDK Runtime Environment (build 9.0.4+11) - OpenJDK Runtime Environment 18.9 (build 11.0.2+9) Show Sample Output


    -1
    keytool -importkeystore -providerpath bcprov.jar -provider BouncyCastleProvider -srckeystore <filename.pfx> -srcstoretype pkcs12 -srcalias <src-alias> -destkeystore <filename.ks> -deststoretype BCPKCS12 -destalias <dest-alias>
    andresaquino · 2019-02-25 08:40:18 20
  • Explination: https://stackoverflow.com/questions/2257441/random-string-generation-with-upper-case-letters-and-digits/23728630#23728630 Why 16 Characters: https://www.wired.com/story/7-steps-to-password-perfection/ Show Sample Output


    -1
    python -c "import string; import random;print(''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(16)))"
    rootduck · 2019-06-14 17:35:12 26
  • rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.


    -2
    rkhunter --check
    unixbhaskar · 2009-08-30 12:53:33 6
  • This command lists the fingerprints of all of the certificates in the keystore, using BouncyCastle as security provider. Show Sample Output


    -2
    keytool -list -providerpath bcprov-jdk15on-1.60.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storetype BCPKCS12 -storepass <passphrase> -keystore <filename>
    andresaquino · 2019-02-25 08:44:32 22
  • Change :alnum: to :graph: for all printable characters Show Sample Output


    -2
    cat /dev/urandom |tr -c -d '[:alnum:]'|head -c 16;echo
    AndrewM · 2019-06-17 17:51:04 24
  • Now a bit of explanation required for this command.Once you type the command it opens up an vi editor with an temporary file enlisting the password file information .So if you make an change it will not reflected in the passwd file until you save the file.The reason behind using this command over other way to view the password file in network environment is that it locks the password file when you start working with it.So no one can temper with it during that period.Once you are done(means you save the tmp file) ,it will release the lock associated with it.I think it's a better mechanism to view the sensitive data like passwd file.Never ever use other tool like cat, nano or any other means. Show Sample Output


    -3
    vipw
    unixbhaskar · 2009-08-29 03:46:42 2
  • If you follow my previous posting regarding "vipw" then no explanation required.The same method goes behind this command also.It will open an tmp file in vi editor to give you the enlisting to edit the group file.And most importantly to attach a lock with it.Once you are done ,the lock is released and the changed reflected to the original file.So you can securely edit the group file over the network without the fear of being tampered . Show Sample Output


    -3
    vigr
    unixbhaskar · 2009-08-29 03:56:07 2
  • If you follow my other posting regarding "vipw" and "vigr' then no explanation required.It has done the same thing as did with those two command.Open the /etc/sudoers file and attach a lock with it. Once you are done with it ,the lock gets released and the changes reflected to the original file.It will open a tmp file in vi editor to give you the chance to edit the sudoers file securely.visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At this point the user may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes. The "Q" option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature). PS: Although I have had experienced myself and few people shown to me that it behaves badly in some distribution ,noteably SLES.But the problem can be rectified with little caution. Show Sample Output


    -3
    visudo
    unixbhaskar · 2009-08-29 04:06:11 2
  • eliminates "l" and "o" characters change length by changing 'x' here: cut -c 1-x Show Sample Output


    -3
    openssl rand -base64 1000 | tr "[:upper:]" "[:lower:]" | tr -cd "[:alnum:]" | tr -d "lo" | cut -c 1-8 | pbcopy
    _eirik · 2009-12-29 17:18:25 8
  • This is a safest variation for "sitepass function" that includes a SALT over a long loop for sha512sum hash Show Sample Output


    -4
    sitepass2() {salt="this_salt";pass=`echo -n "$@"`;for i in {1..500};do pass=`echo -n $pass$salt|sha512sum`;done;echo$pass|gzip -|strings -n 1|tr -d "[:space:]"|tr -s '[:print:]' |tr '!-~' 'P-~!-O'|rev|cut -b 2-15;history -d $(($HISTCMD-1));}
    Soubsoub · 2010-12-09 08:42:24 3
  •  < 1 2 3 > 

What's this?

commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.

Share Your Commands


Check These Out

Take a screenshot every 2 seconds
Take a screenshot every 2 seconds and save it as a png file

encode image to base64 and copy to clipboard
I use it for embedding images in CSS for Stylish, the Firefox addon. Thought it might be useful to others.

Testing php configuration
Run the function phpinfo() on the shell

Displays the attempted user name, ip address, and time of SSH failed logins on Debian machines
A variation of a script I found on this site and then slimmed down to just use awk. It displays all users who have attempted to login to the box and failed using SSH. Pipe it to the sort command to see which usernames have the most failed logins.

Using mplayer to play the audio only but suppress the video
Sometimes you only want to linsten the audio while output the video will be a waste of CPU resource and an annoying window. With option -vo null, you will enjoy the audio!

check open ports without netstat or lsof

get a process list by listen port

Make sure your script runs with a minimum Bash version
If you use new features of a certain Bash version in your shell script, make sure that it actually runs with the required version.

Get AWS temporary credentials ready to export based on a MFA virtual appliance
You might want to secure your AWS operations requiring to use a MFA token. But then to use API or tools, you need to pass credentials generated with a MFA token. This commands asks you for the MFA code and retrieves these credentials using AWS Cli. To print the exports, you can use: `awk '{ print "export AWS_ACCESS_KEY_ID=\"" $1 "\"\n" "export AWS_SECRET_ACCESS_KEY=\"" $2 "\"\n" "export AWS_SESSION_TOKEN=\"" $3 "\"" }'` You must adapt the command line to include: * $MFA_IDis ARN of the virtual MFA or serial number of the physical one * TTL for the credentials

Advanced python tracing
Trace python statement execution and syscalls invoked during that simultaneously


Stay in the loop…

Follow the Tweets.

Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.

» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10

Subscribe to the feeds.

Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):

Subscribe to the feed for: