Commands tagged Security (51)

  • Test for weak SSL version.


    1
    openssl s_client -connect localhost:443 -ssl2
    fernandomerces · 2011-04-02 06:34:39 6
  • Put a space in front of your command on the command line and it will not be logged as part of your command line history.


    1
    <space> secret -p password
    pcholt · 2011-09-16 12:41:16 6
  • Here Strings / A variant of here documents, the format is: (from bash manpage)


    1
    md5sum<<<'text to be encrypted'
    waldvogel · 2012-02-14 19:57:52 4

  • 1
    echo -n 'the_password' | md5sum -
    jfreak53 · 2012-06-04 13:18:33 4
  • The lastb command presents you with the history of failed login attempts (stored in /var/log/btmp). The reference file is read/write by root only by default. This can be quite an exhaustive list with lots of bots hammering away at your machine. Sometimes it is more important to see the scale of things, or in this case the volume of failed logins tied to each source IP. The awk statement determines if the 3rd element is an IP address, and if so increments the running count of failed login attempts associated with it. When done it prints the IP and count. The sort statement sorts numerically (-n) by column 3 (-k 3), so you can see the most aggressive sources of login attempts. Note that the ':' character is the 2nd column, and that the -n and -k can be combined to -nk. Please be aware that the btmp file will contain every instance of a failed login unless explicitly rolled over. It should be safe to delete/archive this file after you've processed it.


    1
    sudo lastb | awk '{if ($3 ~ /([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}/)a[$3] = a[$3]+1} END {for (i in a){print i " : " a[i]}}' | sort -nk 3
    sgowie · 2012-09-11 14:51:10 5
  • You might want to secure your AWS operations by requiring the use of an MFA token. But then, to use the API or tools, you need to pass credentials generated with an MFA token. This command asks you for the MFA code and retrieves these credentials using the AWS CLI. To print the exports, you can use: `awk '{ print "export AWS_ACCESS_KEY_ID=\"" $1 "\"\n" "export AWS_SECRET_ACCESS_KEY=\"" $2 "\"\n" "export AWS_SESSION_TOKEN=\"" $3 "\"" }'` You must adapt the command line to include:
    - $MFA_ID is the ARN of the virtual MFA or the serial number of the physical one
    - the TTL for the credentials


    1
    head -n1 | xargs -I {} aws sts get-session-token --serial-number "$MFA_ID" --duration-seconds 900 --token-code {} --output text --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken]'
    keymon · 2016-04-12 10:57:00 54
  • This is a wonderful Perl script to check web server security and vulnerabilities. Get it from here: http://www.cirt.net/nikto2 Here are some key features of "Nikto":
    - Uses rfp's LibWhisker as a base for all network functionality
    - Main scan database in CSV format for easy updates
    - Determines "OK" vs "NOT FOUND" responses for each server, if possible
    - Determines CGI directories for each server, if possible
    - Switch HTTP versions as needed so that the server understands requests properly
    - SSL Support (Unix with OpenSSL or maybe Windows with ActiveState's Perl/NetSSL)
    - Output to file in plain text, HTML or CSV
    - Generic and "server type" specific checks
    - Plugin support (standard PERL)
    - Checks for outdated server software
    - Proxy support (with authentication)
    - Host authentication (Basic)
    - Watches for "bogus" OK responses
    - Attempts to perform educated guesses for Authentication realms
    - Captures/prints any Cookies received
    - Mutate mode to "go fishing" on web servers for odd items
    - Builds Mutate checks based on robots.txt entries (if present)
    - Scan multiple ports on a target to find web servers (can integrate nmap for speed, if available)
    - Multiple IDS evasion techniques
    - Users can add a custom scan database
    - Supports automatic code/check updates (with web access)
    - Multiple host/port scanning (scan list files)
    - Username guessing plugin via the cgiwrap program and Apache ~user methods


    0
    nikto.pl -h yourwebserver
    unixbhaskar · 2009-08-29 04:54:43 8
  • Change the IP address from 127.0.0.1 to the target machine's IP address. Even if the target has ICMP (ping) blocked, it will show you what ports are open on the target. Very handy for situations where you know the target is up and online but won't respond to pings.


    0
    nmap -sT -PN -vv <target ip>
    Richie086 · 2011-07-22 02:37:19 9
  • Decrypt with: gpg -o- foo.tgz.gpg | tar zxvf -


    0
    tar zcf - foo | gpg -c --cipher-algo aes256 -o foo.tgz.gpg
    skkzsh · 2013-03-13 09:44:39 6
  • Searched strings: passthru, shell_exec, system, phpinfo, base64_decode, chmod, mkdir, fopen, fclose, readfile. Since some of the strings may occur in normal text or legitimately, you will need to adjust the command or the entire regex to suit your needs.


    0
    find ./public_html/ -name \*.php -exec grep -HRnDskip "\(passthru\|shell_exec\|system\|phpinfo\|base64_decode\|chmod\|mkdir\|fopen\|fclose\|readfile\) *(" {} \;
    lpanebr · 2013-04-03 12:42:19 9
  • I have found that base64 encoded webshells and the like contain lots of data but hardly any newlines due to the formatting of their payloads. Checking the "width" will not catch everything, but then again, this is a fuzzy problem that relies on broad generalizations and heuristics that are never going to be perfect. What I have done is set an arbitrary threshold (200 for example) and compare the values that are produced by this script, only displaying those above the threshold. One webshell I tested this on scored 5000+ so I know it works for at least one piece of malware.


    0
    find /path/to/docroot -type f -name \*.php -print0 | while IFS= read -r -d '' ii; do echo "$ii"; wc -lc "$ii" | awk '{ nr=$2/($1 + 1); printf("%d\n",nr); }'; done
    faceinthecrowd · 2013-04-05 19:06:17 11
  • Usage: ipscore <your ip>, which prints a number; e.g. ipscore 186.78.151.135 gives 2. A high score represents a bad remote address (honeypot, Tor, botnet, ...).


    0
    function ipscore() { local OLD_IFS="$IFS" IFS=","; local result="`curl -s "http://wafsec.com/api?ip=$1"`" && local results=(${result}) && printf -- '%s\n' "${results[@]}" | grep '"Score":' | cut -d':' -f2; IFS="$OLD_IFS"; }; ipscore ${target_ip}
    LoadLow · 2014-11-20 23:18:46 9
  • chkrootkit is a tool to locally check for signs of a rootkit. Get it from the website http://www.chkrootkit.org


    -1
    chkrootkit -x | less
    unixbhaskar · 2009-08-30 12:47:08 3
  • This must be run the first time while logged into your Mac desktop, as it will graphically prompt for access permissions. Subsequent uses will not prompt, assuming you select "Always allow".


    -1
    security unlock-keychain; security find-generic-password -ga "/Users/mruser/.ssh/id_dsa" 2>&1 > /dev/null
    curiousstranger · 2010-02-02 21:14:57 4
  • This command imports the certificate file cert.pfx into the keystore file, using BouncyCastle as the security provider. It was validated using:
    - OpenJDK Runtime Environment (Zulu 8.36.0.1-CA-linux64)
    - Java(TM) SE Runtime Environment (build 1.8.0_192-ea-b04)
    - OpenJDK Runtime Environment (build 9.0.4+11)
    - OpenJDK Runtime Environment 18.9 (build 11.0.2+9)


    -1
    keytool -importcert -providerpath bcprov-jdk15on-1.60.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storetype BCPKCS12 -trustcacerts -alias <alias> -file <filename.cer> -keystore <filename>
    andresaquino · 2019-02-25 08:39:05 32
  • This command imports the keystore file cert.pfx into the keystore file, using BouncyCastle as the security provider. It was validated using:
    - OpenJDK Runtime Environment (Zulu 8.36.0.1-CA-linux64)
    - Java(TM) SE Runtime Environment (build 1.8.0_192-ea-b04)
    - OpenJDK Runtime Environment (build 9.0.4+11)
    - OpenJDK Runtime Environment 18.9 (build 11.0.2+9)


    -1
    keytool -importkeystore -providerpath bcprov.jar -provider BouncyCastleProvider -srckeystore <filename.pfx> -srcstoretype pkcs12 -srcalias <src-alias> -destkeystore <filename.ks> -deststoretype BCPKCS12 -destalias <dest-alias>
    andresaquino · 2019-02-25 08:40:18 31
  • Explanation: https://stackoverflow.com/questions/2257441/random-string-generation-with-upper-case-letters-and-digits/23728630#23728630 Why 16 characters: https://www.wired.com/story/7-steps-to-password-perfection/


    -1
    python -c "import string; import random;print(''.join(random.SystemRandom().choice(string.ascii_uppercase + string.digits + string.ascii_lowercase) for _ in range(16)))"
    rootduck · 2019-06-14 17:35:12 41
  • rkhunter (Rootkit Hunter) is a Unix-based tool that scans for rootkits, backdoors and possible local exploits. rkhunter is a shell script which carries out various checks on the local system to try and detect known rootkits and malware. It also performs checks to see if commands have been modified, if the system startup files have been modified, and various checks on the network interfaces, including checks for listening applications.


    -2
    rkhunter --check
    unixbhaskar · 2009-08-30 12:53:33 7
  • This command lists the fingerprints of all of the certificates in the keystore, using BouncyCastle as the security provider.


    -2
    keytool -list -providerpath bcprov-jdk15on-1.60.jar -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storetype BCPKCS12 -storepass <passphrase> -keystore <filename>
    andresaquino · 2019-02-25 08:44:32 34
  • Change :alnum: to :graph: for all printable characters.


    -2
    cat /dev/urandom |tr -c -d '[:alnum:]'|head -c 16;echo
    AndrewM · 2019-06-17 17:51:04 38
  • Now a bit of explanation is required for this command. Once you type the command, it opens up a vi editor with a temporary file listing the password file information. So if you make a change, it will not be reflected in the passwd file until you save the file. The reason for using this command over other ways to view the password file in a network environment is that it locks the password file when you start working with it, so no one can tamper with it during that period. Once you are done (meaning you save the tmp file), it will release the lock associated with it. I think it's a better mechanism to view sensitive data like the passwd file. Never ever use other tools like cat, nano or any other means.


    -3
    vipw
    unixbhaskar · 2009-08-29 03:46:42 3
  • If you followed my previous posting regarding "vipw" then no explanation is required. The same method goes behind this command also. It will open a tmp file in the vi editor to give you the listing to edit the group file, and most importantly to attach a lock to it. Once you are done, the lock is released and the changes are reflected in the original file. So you can securely edit the group file over the network without fear of it being tampered with.


    -3
    vigr
    unixbhaskar · 2009-08-29 03:56:07 3
  • If you followed my other postings regarding "vipw" and "vigr" then no explanation is required. It does the same thing as those two commands: open the /etc/sudoers file and attach a lock to it. Once you are done with it, the lock gets released and the changes are reflected in the original file. It will open a tmp file in the vi editor to give you the chance to edit the sudoers file securely. visudo parses the sudoers file after the edit and will not save the changes if there is a syntax error. Upon finding an error, visudo will print a message stating the line number(s) where the error occurred and the user will receive the "What now?" prompt. At this point the user may enter "e" to re-edit the sudoers file, "x" to exit without saving the changes, or "Q" to quit and save changes. The "Q" option should be used with extreme care because if visudo believes there to be a parse error, so will sudo and no one will be able to sudo again until the error is fixed. If "e" is typed to edit the sudoers file after a parse error has been detected, the cursor will be placed on the line where the error occurred (if the editor supports this feature). PS: I have experienced myself, and a few people have shown me, that it behaves badly in some distributions, notably SLES. But the problem can be rectified with a little caution.


    -3
    visudo
    unixbhaskar · 2009-08-29 04:06:11 3
  • Eliminates "l" and "o" characters. Change the length by changing 'x' here: cut -c 1-x


    -3
    openssl rand -base64 1000 | tr "[:upper:]" "[:lower:]" | tr -cd "[:alnum:]" | tr -d "lo" | cut -c 1-8 | pbcopy
    _eirik · 2009-12-29 17:18:25 32
  • This is the safest variation of the "sitepass function"; it includes a SALT over a long loop of sha512sum hashing.


    -4
    sitepass2() { salt="this_salt";pass=`echo -n "$@"`;for i in {1..500};do pass=`echo -n $pass$salt|sha512sum`;done;echo $pass|gzip -|strings -n 1|tr -d "[:space:]"|tr -s '[:print:]' |tr '!-~' 'P-~!-O'|rev|cut -b 2-15;history -d $(($HISTCMD-1));}
    Soubsoub · 2010-12-09 08:42:24 5