
Penetration Testing : NMAP.XML to TAB

Posted on by The Shell Shakespear in Main

Following up on my last NMAP post, processing port scan data in a meaningful manner is essential to network penetration testing. For those who wish to skip the SQL stage and get quick results, the following one-liner will use xmlstarlet to parse a NMAP XML file:

cat nmap.xml | xmlstarlet sel -T -t -m "//state[@state='open']" -m ../../.. -v address/@addr -m hostnames/hostname -i @name -o ' (' -v @name -o ')' -b -b -b -o "	" -m .. -v @portid -o '/' -v @protocol -o "	" -m service -v @name -i "@tunnel='ssl'" -o 's' -b -o "	" -v @product -o ' ' -v @version -v @extrainfo -b -n -

Into the following tab delimited format:

IP (HOST) \t PORT/PROTOCOL \t SERVICE \t EXTRAINFO

This command sorts ports properly, but does not properly order the hosts. To do this, pipe the above command to the following:

sed 's_^\([^\t ]*\)\( ([^)]*)\)\?\t\([^\t ]*\)_\1.\3\2_' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 | sed 's_^\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\)\.\([^ \t]*\)\( ([^)]*)\)\?_\1\4\t\3_'

This command converts lines that look like IP (HOST) \t PORT to IP.PORT (HOST), sorts it, and then converts them back to IP (HOST) \t PORT. From there, it is simply a matter of grepping for your favorite service. For example, if you wanted to focus on web penetration testing, all you would have to do is pipe the above to:

grep -i -e http

To get a list of services relevant to your testing. Happy Hacking.
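The sed | sort | sed host-ordering pipeline above, wrapped in a reusable shell function and run on constructed input. This is an added example, not code from the original post: the four scan lines are made up rather than real Nmap output, and the `web_only` helper is simply the post's `grep -i -e http` step applied to the sorted list.

```bash
#!/bin/bash
# Added example (not from the original post): the post's sed | sort | sed trick as a
# function, run on constructed sample lines rather than real scan output.
TAB=$(printf '\t')

# Input lines look like "IP (HOST)<TAB>PORT/PROTO<TAB>SERVICE<TAB>EXTRAINFO" (HOST optional).
# Step 1 rewrites them to "IP.PORT/PROTO (HOST)<TAB>..." so that sort can treat the port
# as a fifth dotted numeric field; step 3 moves "(HOST)" back behind the address.
sort_by_host_and_port() {
    sed "s_^\([^${TAB} ]*\)\( ([^)]*)\)\?${TAB}\([^${TAB} ]*\)_\1.\3\2_" \
    | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 \
    | sed "s_^\(\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}\)\.\([^ ${TAB}]*\)\( ([^)]*)\)\?_\1\4${TAB}\3_"
}

# Constructed sample: four open ports on two hosts, deliberately out of order.
# A plain text sort would put 10.0.0.12 before 10.0.0.2; the numeric dotted sort does not.
sample_lines() {
    printf '10.0.0.12 (db)\t3306/tcp\tmysql\tMySQL\n'
    printf '10.0.0.2\t443/tcp\thttps\tnginx\n'
    printf '10.0.0.12 (db)\t22/tcp\tssh\tOpenSSH\n'
    printf '10.0.0.2\t80/tcp\thttp\tnginx\n'
}

# Expected order: 10.0.0.2 (80, then 443) followed by 10.0.0.12 (22, then 3306).
sorted_sample() {
    sample_lines | sort_by_host_and_port
}

# Narrow the sorted list to one service family, as the post does with grep -i -e http.
web_only() {
    sorted_sample | grep -i -e http
}

sorted_sample
```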

String Encoding in the Shell

Posted on by The Shell Shakespear

Data encoding in the shell is a quick and reliable way to convert input from one format into another. This can be done to determine how an application has transformed its input, or to encode your input in such a way as to bypass a security filter. The methods below cover HEX, HTML, URL, various password representations, common hashes and even some compression encodings. What follows are some of my favourite ways to convert input on the command line. Some rely on commands that are non-standard but typically available from your Linux distribution’s repository. Lots of Python snippets (written for Python 2) are included as well. These examples can be run individually or all together in a bash file encode.sh:

#!/bin/bash
 
if [ $# -ne 1 ]
then
  echo "Performs a number of encodings on the first argument string"
  echo "Usage: `basename $0` {string}"
  exit 1
fi
 
printf "\n# String Scrambles:\n"
printf "%-20s\t" 'Normal:'; echo "$1"
printf "%-20s\t" 'Reversed:'; echo "$1" | rev
printf "%-20s\t" 'Case Reversed:'; echo "$1" | tr '[A-Z][a-z]' '[a-z][A-Z]'
printf "%-20s\t" 'ROT13:'; echo "$1" | gcipher -c Rot -k 13
#printf "%-20s\t" 'Rot13:' ; python -c "print '''$1'''.encode('rot13')"
printf "%-20s\t" 'GIE:'; echo "$1" | gcipher -c Gie
printf "%-20s\t" 'Caesar:'; echo "$1" | gcipher -c Ceasar
printf "%-20s\t" 'Vigenere:'; echo "$1" | gcipher -c Vigenere -k vigenere
# printf "%-20s\t" 'Anagrams:'; wordplay -s "$1" | sort -u | sed -n '1h;2,$H;${g;s/\n/, /g;p}'
# Due to both terminal and editor encodings, this is better executed on a non-UTF8 terminal:
printf "%-20s\t" 'Leet (l334):'; echo "$1" | tr 'a-z' 'A-Z' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' '4ß(Ð3ƒ9H1JK£MN0PQ®$7µVWX¥2' | sed 's_H_|-|_g;s_J_\_|_g;s_K_|{_g;s_M_|\\/|_g;s_N_|\\|_g;s_P_|°_g;s_Q_¶¸_g;s_V_\\/_g;s_W_\\/\\/_g;s_X_)(_g' #See http://www.albinoblacksheep.com/text/leet
 
printf "\n# Numerical Representations:\n"
printf "%-20s\t" 'INT:'; echo -n "$1" | hexdump -ve '/1 "%03i"'; echo
printf "%-20s\t" 'HEX:'; echo -n "$1" | hexdump -ve '/1 "%02x"'; echo
printf "%-20s\t" 'OCT:'; echo -n "$1" | hexdump -ve '/1 "%02o"'; echo
printf "%-20s\t" 'BIN:'; echo -n "$1" | xxd -b -c1 | cut -d' ' -f2 | tr -d '\n'; echo # one byte per xxd line, field 2 is its 8 bits
 
printf "\n# Passwords:\n"
printf "%-20s\t" "CRYPT w/o SALT:"; echo -n "$1" | openssl passwd -crypt -stdin -salt 00
printf "%-20s\t" "CRYPT w/ Random SALT:"; echo -n "$1" | openssl passwd -crypt -stdin
printf "%-20s\t" "DES w/ CR SALT:"; echo -n "$1" | openssl passwd -crypt -stdin -salt CR
printf "%-20s\t" "Shadow w/o SALT:"; echo -n "$1" | openssl passwd -1 -stdin -salt 00000000
printf "%-20s\t" "Shadow w/ RANDOM SALT:"; echo -n "$1" | openssl passwd -1 -stdin
printf "%-20s\t" "Apache w/o SALT:"; echo -n "$1" |  openssl passwd -apr1 -stdin -salt 00000000
printf "%-20s\t" "Apache w/ RANDOM SALT:"; echo -n "$1" |  openssl passwd -apr1 -stdin
printf "%-20s\t" "LM Password:"; python -c "import smbpasswd; print smbpasswd.lmhash(\"\"\"$1\"\"\")" #requires python-smbpasswd
printf "%-20s\t" "NTLM Password:"; python -c "import smbpasswd; print smbpasswd.nthash(\"\"\"$1\"\"\")" #requires python-smbpasswd
 
printf "\n# Digest Hashes (newline not included):\n"
#printf "%-20s\t" 'BINARY MD5:' ; echo -n "$1" | openssl dgst -binary
printf "%-20s\t" 'MD5:'; echo -n "$1" | openssl dgst -md5
printf "%-20s\t" 'MD4:'; echo -n "$1" | openssl dgst -md4
printf "%-20s\t" 'MD2:'; echo -n "$1" | openssl dgst -md2
printf "%-20s\t" 'SHA1:'; echo -n "$1" | openssl dgst -sha1
printf "%-20s\t" 'SHA:'; echo -n "$1" | openssl dgst -sha
printf "%-20s\t" 'SHA224:'; echo -n "$1" | openssl dgst -sha224
printf "%-20s\t" 'SHA256:'; echo -n "$1" | openssl dgst -sha256
printf "%-20s\t" 'SHA384:'; echo -n "$1" | openssl dgst -sha384
printf "%-20s\t" 'SHA512:'; echo -n "$1" | openssl dgst -sha512
#printf "%-20s\t" 'MDC2:' ; echo -n "$1" | openssl dgst -mdc2
printf "%-20s\t" 'RIPEMD160:'; echo -n "$1" | openssl dgst -ripemd160
printf "%-20s\t" 'CRC32:'; python -c "import binascii; print binascii.crc32('''$1''') & 0xffffffff"
 
printf "\n# Web Encodings\n"
printf "%-20s\t" 'URLQuote:'; python -c "import urllib; print urllib.quote('''$1''')"
printf "%-20s\t" 'URLEscape:'; echo "$1" | recode ..HTML
printf "%-20s\t" 'HTML HEX Entity:'; echo -n "$1" | hexdump -ve '/1 "&#x%02x;"'; echo
printf "%-20s\t" 'HTML Entity:'; echo -n "$1" | hexdump -ve '/1 "&#%02i;"'; echo
printf "%-20s\t" 'Javascript String'; echo -n "String.fromCharCode("; echo -n "$1" | hexdump -ve '/1 "%i,"' | sed 's_,$_)\n_'
printf "%-20s\t" 'SQL String'; echo -n "$1" | hexdump -ve '/1 "char(%i)+"' | sed 's_+$_\n_g'
 
printf "\n# UTF Encodings\n"
printf "%-20s\t" 'UTF-7:'; echo "$1" | iconv -t utf7
printf "%-20s\t" 'UTF-8:'; echo "$1" | iconv -t utf8
printf "%-20s\t" 'UTF-16:'; echo "$1" | iconv -t utf16
printf "%-20s\t" 'UTF-32:'; echo "$1" | iconv -t utf32
printf "%-20s\t" 'Unicode:'; echo "$1" | iconv -t unicode
printf "%-20s\t" 'ASCII:'; echo "$1" | iconv -t ascii
 
printf "\n# Encodings\n" #http://docs.python.org/library/codecs.html#standard-encodings
printf "%-20s\t" 'Base64:'; echo -n "$1" | openssl enc -e -base64
#printf "%-20s\t" 'Base64:'; python -c "import base64; print base64.b64encode('''$1''')"
printf "%-20s\t" 'Base32:'; python -c "import base64; print base64.b32encode('''$1''')"
printf "%-20s\t" 'Base16:'; python -c "import base64; print base64.b16encode('''$1''')"
#printf "%-20s\t" 'UUEncode:'; python -c "print repr('''$1'''.encode('uu_codec'))"
#printf "%-20s\t" 'UUEncode:'; echo -n "$1" | hexdump -ve '/1 "#%02x"' | tr '#' '%'
printf "%-20s\t" 'UUEncode:'; python -c "import binascii; print binascii.b2a_uu('''$1''')" | tr -s '\n'
printf "%-20s\t" 'Punycode:' ; python -c "print '''$1'''.encode('punycode')"
printf "%-20s\t" 'Mime Quotable:' ; python -c "print '''$1'''.encode('quopri_codec')"
 
printf "\n# Compression Encodings\n"
#printf "%-20s\t" 'Bzip2:' ; python -c "print repr('''$1'''.encode('bz2_codec'))" | sed "s_^'\(.*\)'\$_\1_"
#printf "%-20s\t" 'Zlib (gzip):' ; python -c "print repr('''$1'''.encode('zlib_codec'))" | sed "s_^'\(.*\)'\$_\1_"
printf "%-20s\t" '7z:' ; echo -n "$1" | 7z a dummy -tgzip -si -so 2>/dev/null | hexdump -ve '/1 "%02x"'| sed "s_\(..\)_\\\x\1_g"; echo
printf "%-20s\t" 'Bzip2:' ; echo -n "$1" | bzip2 -f | hexdump -ve '/1 "%02x"'| sed "s_\(..\)_\\\x\1_g"; echo
printf "%-20s\t" 'GZip:' ; echo -n "$1" | gzip -f | hexdump -ve '/1 "%02x"'| sed "s_\(..\)_\\\x\1_g"; echo
printf "%-20s\t" 'Zip:' ; echo -n "$1" | zip 2>/dev/null | hexdump -ve '/1 "%02x"'| sed "s_\(..\)_\\\x\1_g"; echo
 
#printf "\n# OpenSSL Ciphers with empty passphrase, key and iv:\n"
#for line in `openssl enc -h 2>&1 | sed -n '/Cipher Types/,//p' | grep -v -e "Cipher Types" -e "^$" | tr -s [:space:] '\n'`; do printf "%-20s\t" "$line:"; echo -n $1 | openssl enc -k "" -e -a -p -K 0 -iv 0 "$line" | sed -n '1h;2,$H;${g;s/\n/, /g;p}'; done
 
#printf "\n# All iconv Output Encodings ~= 1153:\n"
#for line in `iconv -l`; do printf "%-20s\t" "$line"; echo -n $1 | iconv -t "$line" 2>/dev/null; echo; done

Example Run:

$ ./encode.sh '<b>Hello World!</b>'
 
# String Scrambles:
Normal:             	<b>Hello World!</b>
Reversed:           	>b/<!dlroW olleH>b<
Case Reversed:      	<B>hELLO wORLD!</B>
ROT13:              	Uryyb Jbeyq!
GIE:                	Svool Dliow!
Caesar:             	Khoor Zruog!
Vigenere:           	Pkpys Nsmtj!
Leet (l334):        	|-|3££0 \/\/0®£Ð!
 
# Numerical Representations:
INT:                	060098062072101108108111032087111114108100033060047098062
HEX:                	3c623e48656c6c6f20576f726c64213c2f623e
OCT:                	74142761101451541541574012715716215414441745714276
BIN:                	00111100011000100011111001001000011001010110110011011000110111100100000010101110110111101110010110110001100100001000010011110000101111011000100111110
 
# Passwords:
CRYPT w/o SALT:     	00H1EnAbbudEI
CRYPT w/ Random SALT:	/4tA4dY0Q8cJ6
DES w/ CR SALT:     	CRIFJgo.7OagA
Shadow w/o SALT:    	$1$00000000$PMrPd4yWfOkVwO2sHSqTv0
Shadow w/ RANDOM SALT:	$1$oJ0Qki6o$gNf/bXtOWA8Mi0wLa0SUp1
Apache w/o SALT:    	$apr1$00000000$XxCLeI7Ovl7HAPRfPavSe.
Apache w/ RANDOM SALT:	$apr1$Xr5GeJLw$Io1K0NZ0nvA4tClI77nyP/
LM Password:        	40033C993361335925522E685FA5299A
NTLM Password:      	E78EC9AB6886A6EADA6E61AAC053B93F
 
# Digest Hashes (newline not included):
MD5:                	26228b4d80d62285a839a475c9c7574f
MD4:                	1554d219d316077223f51c640d164ca6
MD2:                	f8057b72e7f174ef7cf80165fef67b37
SHA1:               	b44e743e733384dc8db8aa971f496ff3d22041db
SHA:                	e0053cc39e21839c3826c170b15a919d6a2c58e5
SHA224:             	08568694b48256a072ff5a1ed9e5b7ac52a0de09f93819d98e9d3188
SHA256:             	27889613b22d5c515af08ff865713664c4d53fcf9c9f7f280f6fa269177a6aac
SHA384:             	318e1f73428cb544afa1967328847fcc64a1c33d5f27319848ee203192b8b9e958c4417db4732499a848fb05107f0372
SHA512:             	fe1ab72b5677a17695134eb27f44548a0c02e4275997e364176c3adbac735ff73810a38b5674a311b97da81b16f35fa9e9618d0f02bbb0e5818cdd76b01a9dc3
RIPEMD160:          	cd47833973c967e0ff1d64b957adbaedcac2202a
CRC32:              	1574079884
 
# Web Encodings
URLQuote:           	%3Cb%3EHello%20World%21%3C/b%3E
URLEscape:          	&lt;b&gt;Hello World!&lt;/b&gt;
HTML HEX Entity:    	&#x3c;&#x62;&#x3e;&#x48;&#x65;&#x6c;&#x6c;&#x6f;&#x20;&#x57;&#x6f;&#x72;&#x6c;&#x64;&#x21;&#x3c;&#x2f;&#x62;&#x3e;
HTML Entity:        	&#60;&#98;&#62;&#72;&#101;&#108;&#108;&#111;&#32;&#87;&#111;&#114;&#108;&#100;&#33;&#60;&#47;&#98;&#62;
Javascript String   	String.fromCharCode(60,98,62,72,101,108,108,111,32,87,111,114,108,100,33,60,47,98,62)
SQL String          	char(60)+char(98)+char(62)+char(72)+char(101)+char(108)+char(108)+char(111)+char(32)+char(87)+char(111)+char(114)+char(108)+char(100)+char(33)+char(60)+char(47)+char(98)+char(62)
 
# UTF Encodings
UTF-7:              	+ADw-b+AD4-Hello World+ACEAPA-/b+AD4
UTF-8:              	<b>Hello World!</b>
UTF-16:             	ÿþ<b>Hello World!</b>
UTF-32:             	ÿþ<b>Hello World!</b>
Unicode:            	ÿþ<b>Hello World!</b>
ASCII:              	<b>Hello World!</b>
 
# Encodings
Base64:             	PGI+SGVsbG8gV29ybGQhPC9iPg==
Base32:             	HRRD4SDFNRWG6ICXN5ZGYZBBHQXWEPQ=
Base16:             	3C623E48656C6C6F20576F726C64213C2F623E
UUEncode:           	3/&(^2&5L;&\@5V]R;&0A/"]B/@
Punycode:           	<b>Hello World!</b>-
Mime Quotable:      	<b>Hello=20World!</b>
 
# Compression Encodings
7z:                 	\x1f\x8b\x08\x00\x38\x5b\x6b\x4a\x00\x00\x01\x13\x00\xec\xff\x3c\x62\x3e\x48\x65\x6c\x6c\x6f\x20\x57\x6f\x72\x6c\x64\x21\x3c\x2f\x62\x3e\x8c\x8d\xd2\x5d\x13\x00\x00\x00
Bzip2:              	\x42\x5a\x68\x39\x31\x41\x59\x26\x53\x59\x59\x24\xfc\x0e\x00\x00\x02\x1f\x80\x60\x00\x80\x05\x00\x40\x00\x80\x16\x04\x90\x00\x20\x00\x21\xa9\xa3\x13\x68\xd0\x80\x68\x03\x0c\x3c\x90\xd3\xf8\xc2\x97\x82\x5a\x2e\xe4\x8a\x70\xa1\x20\xb2\x49\xf8\x1c
GZip:               	\x1f\x8b\x08\x00\xb8\x09\x6a\x4a\x00\x03\xb3\x49\xb2\xf3\x48\xcd\xc9\xc9\x57\x08\xcf\x2f\xca\x49\x51\xb4\xd1\x4f\xb2\x03\x00\x8c\x8d\xd2\x5d\x13\x00\x00\x00
Zip:                	\x50\x4b\x03\x04\x14\x00\x08\x00\x08\x00\xae\x62\xf8\x3a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x2d\xb3\x49\xb2\xf3\x48\xcd\xc9\xc9\x57\x08\xcf\x2f\xca\x49\x51\xb4\xd1\x4f\xb2\x03\x00\x50\x4b\x07\x08\x8c\x8d\xd2\x5d\x15\x00\x00\x00\x13\x00\x00\x00\x50\x4b\x01\x02\x17\x03\x14\x00\x08\x00\x08\x00\xae\x62\xf8\x3a\x8c\x8d\xd2\x5d\x15\x00\x00\x00\x13\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x80\x11\x00\x00\x00\x00\x2d\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00\x2f\x00\x00\x00\x44\x00\x00\x00\x00\x00

Anyone else have some useful oneliner encodings that are not included here? Best post gets a cookie!
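A shell-only replacement for the script's 'URLQuote' line, which otherwise depends on Python 2's urllib.quote. This is an added example rather than code from the post; it assumes only POSIX od, sed, tr and printf, works on raw bytes (so multi-byte UTF-8 input becomes one %XX per byte), and treats the RFC 3986 unreserved characters plus '/' as safe, so '~' is passed through where urllib.quote would escape it.

```bash
#!/bin/bash
# Added example (not from the original post): percent-encode a string in plain shell.
# Bytes come from od one per line; safe bytes are printed back via an octal escape,
# everything else becomes %XX with upper-case hex digits.
url_encode() {
    printf '%s' "$1" | od -An -v -tx1 | tr ' ' '\n' | sed '/^$/d' \
    | while read -r hx; do
        case "$hx" in
            # RFC 3986 unreserved: ALPHA / DIGIT / "-" / "." / "_" / "~", plus "/"
            # (which urllib.quote also leaves alone by default). Ranges are hex byte values.
            3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e|2f)
                printf "\\$(printf '%03o' "0x$hx")" ;;
            *)
                printf '%%%02X' "0x$hx" ;;
        esac
    done
    echo
}

# Constructed inputs; the first is the same string the post's example run uses.
url_encode '<b>Hello World!</b>'   # %3Cb%3EHello%20World%21%3C/b%3E
url_encode "O'Reilly & Co?"        # O%27Reilly%20%26%20Co%3F
```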

Sed, Grep and Awk

Posted on by The Shell Shakespear

Sed, Grep and Awk are true *nix tools, known for their awkward names and equally awkward syntax. They represent the most immediate access to Regular Expressions (REs), which are themselves worth knowing. Even their attempted replacement, Perl, is known for producing useful yet unreadable code. Though I acknowledge their awkward natures, their usefulness cannot be ignored, and learning how to use each will aid you in your ascension to line processing supremacy. Each is best used in the following manner:

  • Grep: Matching
  • Sed: Replacing and Line Manipulation
  • Awk: Advanced Line Processing
# Insert 'Beginning' at the start of a file, and 'Ending' at the end
sed "1s/\(.*\)/Beginning\n\1/;\$a\\Ending"
 
#Escape shell metacharacters active within double quotes
sed 's/\([\\/\\`\\"$\\\\^.\\+\\{\\}]\)/\\\1/g'
 
#Replace all literal newlines with their representation '\n'
sed -e :a -e '$!N;s/\n/\\n/;ta'
 
# Filter out URL parameters
sed 's_=[^&amp;]*\(&amp;\|$\)_=\1_g'
 
# Get rid of regular expressions in a variable
sed 's:[]\[\^\$\.\*\/]:\\\\&amp;:g'`
 
#Replace last comma(,) in each line with 'and'
sed 's#\(.*\),\([^,]*\)#\1 and\2#'
 
#Match phone numbers with area code in any given format and output in format: (nnn) nnn-nnnn
# sed does not support Perl's shorthand classes such as \d and \D, so spell digits out as [0-9]
# (GNU sed accepts \s, \S, \w and \W as extensions, but not \d)
sed -e 's#[^0-9]*\([0-9]\{3\}\)[^0-9]*\([0-9]\{3\}\)[^0-9]*\([0-9]\{4\}\)#(\1) \2-\3#'
grep -o '(\?[0-9]\{3\})\? \?[0-9]\{3\}-\?[0-9]\{4\}'
 
# Match CVE numbers (the sequence part is at least four digits and, since 2014, may be longer)
grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}'
 
# Match input fields with a hidden input type in an HTML file
grep -io '<input[^>]*hidden[^>]*>' hidden.csv | sed 's#""#"#g;s#value="[^"]*"#value=""#g' | sort -u | less
 
#Parse IIS Logs for a certain IP ADDRESS (127.0.0.1)
grep 127.0.0.1 *.log | grep -v -e ".gif" -e ".jpg" -e ".ico" -e ".css" -e ".pdf" -e "404" | cut -d' ' -f2,4,5,6,10 | awk '{printf "%s %-04s http://site.com%s?%s  Ref:(%s)\n",$1,$2,$3,$4,$5}' | tr -d '-' | sed 's/Ref:()//g' | sed 's/\? //g' | awk '{printf "%s %-04s %-70s\t%s\n",$1,$2,$3,$4}'
 
#Find all links in a file
egrep -IRo '(((http(s)?|ftp|telnet|news|gopher)://|mailto:)[^\(\)<\"'\''[:space:]]+)'
 
#Pretty printing fields with awk
awk -F':' '{printf "%-16s %-16s\n",$1,$2}'
 
# 'uniq' the file using only the first field
awk '!x[$1]++'
 
# uniq 3rd field in a file
awk '{ if (! third_col[$3]) print $0;  third_col[$3]++; }'
 
# Lists directories where the tree contains one or more files:
find ./ -type f | awk -F/ '{$NF=""} d[$0]++==0' OFS=/
 
# How many lines in a file that do not start with # and are not empty would fit in a tweet (140 characters)?
grep -v '^#\|^$' shell1liners.sh | awk '{if (length<141) {print "Tweet("length"): " $0;}}'
grep -v '^#\|^$' shell1liners.sh | awk '{if (length>140) {print "No Tweet("length"): " $0;}}'

Handling HTTP and SSL in the Shell

Posted on by The Shell Shakespear

The topic of this week’s shell1liners is handling HTTP and SSL in Bash:

#netcat scanner for HTTP servers (nc -v reports on stderr, so it must be redirected into the pipe)
for i in $(seq 1 255); do nc -n -v -z "192.168.1.$i" 80 2>&1 | grep "open"; done | tee webservers.txt
 
# Manually perform a HTTP GET request (HTTP request lines end in CRLF)
echo -ne "GET / HTTP/1.0\r\n\r\n" | nc www.redspin.com 80
# Manually perform a HTTP GET request on a SSL port
echo -ne "GET / HTTP/1.0\r\n\r\n" | socat - OPENSSL:www.website.com:443,verify=0
# Create a local TCP pipe to a remote SSL port (to allow netcat to probe a SSL service)
socat -vd TCP-LISTEN:8888,fork OPENSSL:www.redspin.com:443,verify=0
 
# Always connect to a given webserver PORT regardless if it is SSL or normal HTTP
(curl -iks -m2 "https://www.redspin.com:PORT" || curl -iks -m2 "www.redspin.com:PORT")
 
# Perform a check on a list of webservers (HTTP or HTTPS): HOST:PORT -> HOST:PORT|WEB SERVER|HTML Title
# Includes a 2 seconds timeout using curl's -m2, and parallelization using xargs's -P10
cat webservers.txt | xargs -P10 -I'{}' bash -c '(curl -Liks -m2 "https://{}" || curl -Liks -m2 "{}") | grep -iao -e "^Server: .*" -e "" | sed "s#Server: \(.*\)#|\1|#i;s###ig" | tr -d "\r\n" | sed "1s/^/{}/;\$a\\" | sed "s/^\([^|]*\)|$/\1||/"' | tee webserver_info.txt
 
# Check if Trace is enabled on a given website
echo -ne "TRACE /something HTTP/1.0\r\nX-Header: Trace Enabled\r\n\r\n" | socat - OPENSSL:www.website.com:443,verify=0
# Check for the insecure SSLv2 protocol on a website
echo -e '' | openssl s_client -connect WEBSITE:PORT -ssl2 -no_ssl3 -no_tls1 2>/dev/null | grep 'SSLv2'
 
# Bruteforce a given numerical webpath, printing the HTTP status code for each request
for ((i=0;i/dev/null | grep HTTP/1.1) | tee webbf.txt ; done
 
# Simple HTTP Listener
python -m SimpleHTTPServer
# Simple HTTPS (SSL) Listener without a server certificate
sudo openssl s_server -accept 443 -nocert
# Simple HTTPS (SSL) Listener with a bad self-signed server certificate
echo -ne "\n\n\n\n\n\n\n" | openssl req -new -newkey rsa:1024 -days 1 -nodes -x509 -keyout out.pem -out out.pem ; openssl s_server -cert out.pem -www

An Introduction to Shell One Liners

Posted on by The Shell Shakespear

Knowledge and use of the command line is a powerful tool that can aid in the creation, modification and automation of routine tasks that a security auditor, or any computer user, may come up against. The flexibility, simplicity, and leetness of the shell oneliner can replace thousand-line perl code which would otherwise be thrown away after the task is complete. We have decided to share some of our favorite oneliners that we have found useful, either culled from other sources or created by ourselves. All of these examples should run comfortably from a Linux bash shell or the Cygwin-Windows equivalent, with the required applications listed in the oneliner.

The topic of this week is IP address manipulation:

# Sort by IP Addresses
sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4
 
# Sort by IP Addresses and Port like IP:PORT
sed 's#:#.#' | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 -k5,5 | sed 's#\(\([0-9]\{1,3\}\.\)\{4\}\)#\1:#;s#\.:#:#'
 
# IP2HOST: IP -> IP (HOST) using 'bind-host' package built into Ubuntu
for i in $(cat ips.txt); do echo "$i ("`host "$i" | grep -v NXDOMAIN | cut -d' ' -f5`")"; done | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 | sed 's#()##' | tee ip_hosts.txt
 
# HOST2IP: HOST -> IP (HOST) using 'host' package available in Ubuntu
for i in $(cat hosts.txt); do host `echo "$i" | tr -d '[[:blank:]]'` | grep -v -e 'alias' -e 'handled' -e 'timed' | sed 's/Host \(.*\) .*/\1 0.0.0.0/' | sed "s/;;.*/$i - - 0.0.0.0/" | awk -F' ' '{printf "%s (%s)\n",$4,$1}'; done | sort -n -t. -k1,1 -k2,2 -k3,3 -k4,4 | tee ip_hosts.txt
 
#Print IP addresses in a file
egrep -o '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}'
 
# Print IP addresses in a file: Perl edition
perl -nle 'print $& if /(\d{1,3}\.){3}\d{1,3}/'
 
# Print IP address in all files in the current directory tree with some pretty color matching
find . -type f -exec egrep -a -H -n --color=auto '[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}\.[[:digit:]]{1,3}' {} \;

Thanks to readers for suggesting the color syntax support implemented using wp-syntax. I furthermore learned that the Visual Editor of WP was oppressing my HTML code, stripping tags in the WP-Syntax <pre> tag that should be present, so I’ll be keeping my edits in HTML mode from now on.