Commands using strings (23)
-
Find random strings within /dev/urandom. Using grep filter to just Alphanumeric characters, and then print the first 30 and remove all the line feeds. Show Sample Output
54strings /dev/urandom | grep -o '[[:alnum:]]' | head -n 30 | tr -d '\n'; echo -
cat? dd? RTFM
27sudo strings /dev/mem -
read the memory from C:0000 to F:FFFF without the need auf dmidecode
16# dd if=/dev/mem bs=1k skip=768 count=256 2>/dev/null | strings -n 8 -
This command lets you see and scroll through all of the strings that are stored in the RAM at any given time. Press space bar to scroll through to see more pages (or use the arrow keys etc). Sometimes if you don't save that file that you were working on or want to get back something you closed it can be found floating around in here! The awk command only shows lines that are longer than 20 characters (to avoid seeing lots of junk that probably isn't "human readable"). If you want to dump the whole thing to a file replace the final '| less' with '> memorydump'. This is great for searching through many times (and with the added bonus that it doesn't overwrite any memory...). Here's a neat example to show up conversations that were had in pidgin (will probably work after it has been closed)...
sudo cat /proc/kcore | strings | grep '([0-9]\{2\}:[0-9]\{2\}:[0-9]\{2\})'(depending on sudo settings it might be best to runsudo sufirst to get to a # prompt)15sudo cat /proc/kcore | strings | awk 'length > 20' | less -
usage: sitepass MaStErPaSsWoRd example.com description: An admittedly excessive amount of hashing, but this will give you a pretty secure password, It also eliminates repeated characters and deletes itself from your command history. tr '!-~' 'P-~!-O' # this bit is rot47, kinda like rot13 but more nerdy rev # this avoids the first few bytes of gzip payload, and the magic bytes. Show Sample Output
13sitepass() { echo -n "$@" | md5sum | sha1sum | sha224sum | sha256sum | sha384sum | sha512sum | gzip - | strings -n 1 | tr -d "[:space:]" | tr -s '[:print:]' | tr '!-~' 'P-~!-O' | rev | cut -b 2-11; history -d $(($HISTCMD-1)); } -
Someone over at Mozilla dot Org probably said, "I know, let's create a super-duper universal replacement for browser cookies that are persistent and even more creepy and then NOT give our browser users the tools they need to monitor, read, block or selectively remove them!" . This will let you see all the DOM object users in all your firefox profiles. Feel free to toss a `| sort -u` on the end to remove dupes. . I highly recommend you treat these as "session cookies" by scripting something that deletes this sqlite database during each firefox start-up. . note: does not do anything for so-called "flash cookies" Show Sample Output
8strings ~/.mozilla/firefox/*/webappsstore.sqlite|grep -Eo "^.+\.:" |rev -
* to get the English dictionary: wget http://www.mavi1.org/web_security/wordlists/webster-dictionary.txt Show Sample Output
7head -100000 /dev/urandom | strings > temp.txt && for w in $(cat webster-dictionary.txt); do if [ ${#w} -gt 3 ]; then grep -io $w temp.txt; fi; done -
6strings /dev/mem|less
-
This works just as well for SMTP. You could run this on your mail server to watch e-mail senders and recipients: tcpdump -l -s0 -w - tcp dst port 25 | strings | grep -i 'MAIL FROM\|RCPT TO' Show Sample Output
4tcpdump -l -s0 -w - tcp dst port 25 | strings | grep -i 'MAIL FROM\|RCPT TO' -
The router Technicolor TC7200 has an exploit where the file http://192.168.0.1/goform/system/GatewaySettings.bin is open for unauthenticated access. Even though it is binary, the 2 last strings are the username and password for the pages for router management. It can be read using the 'strings' command, 'hexdump -C' or a hexadecimal editor. (default user/password = admin/admin) Reveals more configuration, including SSID name and Key for the wifi network:
wget -q -O - http://192.168.0.1/goform/system/GatewaySettings.binHexadecimal dump of the file:wget -q -O - http://192.168.0.1/goform/system/GatewaySettings.bin | hexdump -CShow Sample Output3wget -q -O - http://192.168.0.1/goform/system/GatewaySettings.bin | strings | tail -n 2 -
This command is similar to the alternate, except with head(1), you can pick as many passwords as you wish to generate by changing the number of lines you wish to preview. Show Sample Output
2strings /dev/urandom | tr -cd '[:alnum:]' | fold -w 30 | head -n 1 -
This is for Debian, simply change the path if your Flash plugin is installed elsewhere. Show Sample Output
1strings /usr/lib/flashplugin-nonfree/libflashplayer.so |grep ^LNX -
0strings libc-2.2.5.so | grep stat.h
-
Using large wordlists is cumbersome. Using password cracking programs with rules such as Hashcat or John the ripper is much more effective. In order to do this many times we need to "clean" a wordlist removing all numbers, special characters, spaces, whitespace and other garbage. This command will covert a entire wordlist to all lowercase with no garbage.
0cat dirtyfile.txt | awk '{gsub(/[[:punct:]]/,"")}1' | tr A-Z a-z | sed 's/[0-9]*//g' | sed -e 's/ //g' | strings | tr -cs '[:alpha:]' '\ ' | sed -e 's/ /\n/g' | tr A-Z a-z | sort -u > cleanfile.txt -
0strings -f sample.txt
-
0ioreg -lw0 | grep IODisplayEDID | sed "/[^<]*</s///" | xxd -p -r | strings -6
-
Convert all .weblock files (Apple url) to a url on the stdout.
0strings * |grep -v "Apple" |grep http |uniq |sed "s/<[^>]\+>//g" -
0cat /dev/urandom | strings | grep -o '[[:alnum:]]' | head -n 15 | tr -d '\n'; echo
-
-1ioreg -lw0 | grep IODisplayEDID | sed "/[^<]*</s///" | xxd -p -r | strings -6
-
Use this like the cat command with the additional feature to strip out unprintable characters from the input, newlines will stay. Show Sample Output
-1strings -1 <file> -
It's not a big line, and it *may not* work for everybody, I guess it depends on the detail of access_log configuration in your httpd.conf. I use it as a prerotate command for logrotate in httpd section so it executes before access_log rotation, everyday at midnight.
-2cat /var/log/httpd/access_log | grep q= | awk '{print $11}' | awk -F 'q=' '{print $2}' | sed 's/+/ /g;s/%22/"/g;s/q=//' | cut -d "&" -f 1 | mail youremail@isp.com -s "[your-site] search strings for `date`" -
This is a safest variation for "sitepass function" that includes a SALT over a long loop for sha512sum hash Show Sample Output
-4sitepass2() {salt="this_salt";pass=`echo -n "$@"`;for i in {1..500};do pass=`echo -n $pass$salt|sha512sum`;done;echo$pass|gzip -|strings -n 1|tr -d "[:space:]"|tr -s '[:print:]' |tr '!-~' 'P-~!-O'|rev|cut -b 2-15;history -d $(($HISTCMD-1));} -
recently some in the #linux shared this. to find out the kernel version name from the binary without using uname Show Sample Output
-10strings /boot/kernel-file | grep 2.6
What's this?
commandlinefu.com is the place to record those command-line gems that you return to again and again. That way others can gain from your CLI wisdom and you from theirs too. All commands can be commented on, discussed and voted up or down.
Check These Out
Stay in the loop…
- Follow the Tweets.
-
Every new command is wrapped in a tweet and posted to Twitter. Following the stream is a great way of staying abreast of the latest commands. For the more discerning, there are Twitter accounts for commands that get a minimum of 3 and 10 votes - that way only the great commands get tweeted.
» http://twitter.com/commandlinefu
» http://twitter.com/commandlinefu3
» http://twitter.com/commandlinefu10 - Subscribe to the feeds.
-
Use your favourite RSS aggregator to stay in touch with the latest commands. There are feeds mirroring the 3 Twitter streams as well as for virtually every other subset (users, tags, functions,…):
Subscribe to the feed for:
- » all commands
- » commands with 3 up-votes (commandlinefu3)
- » commands with 10 up-votes (commandlinefu10)
- » commands using strings