All language subtitles for 3. Command Line Fun

Command Line Fun. In this module we'll take an introductory look at a few popular Linux command line programs. Please refer to the Kali Linux training site for a refresher or more in-depth discussion.

The Bash Environment

Bash is a shell that allows us to run complex commands and perform different tasks from a terminal window. It incorporates useful features from both the Korn shell and the C shell.

Environment Variables

When opening a terminal window, a new Bash process, which has its own environment variables, is initialized. These variables are a form of global storage for various settings inherited by any applications that are run during that terminal session. One of the most commonly referenced environment variables is PATH, which is a colon-separated list of directory paths that Bash will search through whenever a command is run without a full path. We can view the contents of a given environment variable with the echo command followed by the dollar sign character and an environment variable name. For example, let's examine the contents of the PATH environment variable. Some other useful environment variables include USER, PWD and HOME, which hold the values of the current terminal user's username, present working directory and home directory respectively. We can define an environment variable with the export command. For example, if we are scanning a target and don't want to type in the system's IP address repeatedly, we can quickly assign it to an environment variable and use that instead.

The export command makes the variable accessible to any subprocesses we might spawn from our current Bash instance. If we set an environment variable without export, it will only be available in the current shell. Let's launch another instance of Bash and try to display the variable again. Since we defined our variable without the export command, we can't access it in the new Bash instance. After exiting back to our original Bash session, we have access to the variable again. Now let's see what happens when we use export to define a variable. Nothing has changed so far, but let's see what happens when we launch a new Bash instance. This time we can access the variable from the new instance.

There are many other environment variables defined by default in Kali Linux. We can view these by running env at the command line. Take some time to review and experiment with predefined environment variables.

Tab Completion

The Bash shell autocomplete function allows us to complete filenames and directory paths with the Tab key. This is such a time-saver that it makes other shells which lack this feature feel clumsy and slow. Let's take a look at how this works from the kali user's home directory. We'll start by typing the following command. When we hit the Tab key the first time after "D", Bash suggests that there are three directories starting with that letter, then presents our partially completed command for us. Since we decide to specify Desktop, we'll type "e" followed by the Tab key again. At this point the Bash shell magically autocompletes the rest of the word "Desktop", as this is the only choice that starts with "De". Refer to your lab guide for more information.

Bash History Tricks

When engaged in a penetration test, it's important to keep a record of commands that have been entered into the shell. Fortunately, Bash maintains a record of commands that have been entered, which can be displayed with the history command. Rather than retyping a long command from our history, we can make use of the history expansion facility. For example, each entry in our history is preceded by a line number. To rerun a command, we simply type an exclamation mark followed by the line number. In this case we'll re-execute the command clear, which is identified by line number 32. Another helpful history shortcut is the double exclamation mark, which repeats the last command that was executed during our terminal session.

By default, the command history is saved to the .bash_history file in the user's home directory. Two environment variables control history size: HISTSIZE and HISTFILESIZE. HISTSIZE controls the number of commands stored in memory for the current session, and HISTFILESIZE configures how many commands are kept in the history file. These variables can be edited according to our needs and saved to the Bash configuration file .bashrc, which we will explore later. One of the simplest ways to explore the Bash history is right from the command line prompt. We can browse through the history with some useful keyboard shortcuts, with the two most common being the up arrow and down arrow. The up arrow scrolls backwards in history and the down arrow scrolls forward. Last but not least, holding down Ctrl and pressing R will invoke the reverse-i-search facility. If we type a letter, for example "c", we'll get a match for the most recent command in our history that contains the letter "c". We can keep trying to narrow down our match, and when we find the desired command we'll press Enter to execute it. Bash has a number of history features that can save a great deal of time and repetitive typing.

Piping and Redirection

Every program run from the command line has three data streams connected to it that serve as communication channels with the external environment. These streams are defined as standard input, which is data fed into the program; standard output, which is output from the program and defaults to the terminal; and standard error, which contains error messages and is also displayed by default in the terminal. Piping, using the pipe operator, and redirection, using the left and right angle bracket operators (also known as chevrons, or greater-than and less-than signs), connect these streams between programs and files to accommodate a near infinite number of possible use cases.

Redirecting to a New File

In the previous command examples, the output was printed to the screen. This is convenient most of the time, but we can use the right angle bracket operator to save the output to a file, to keep it for future reference or manipulation. If we redirect the output to a non-existent file, the file will be created automatically. However, if we save the output to a file that already exists, that file's content will be replaced. Be very careful with redirection: there is no undo function.

Redirecting to an Existing File

To append additional data to an existing file, as opposed to overwriting the file, use the double right angle bracket operator. Once again, be sure to exercise caution with redirections so you don't overwrite anything important.

Redirecting from a File

As you may have guessed, we can use the left angle bracket operator to send data the other way. In this example we'll redirect the wc command's standard input with data originating from the file we generated in the previous section. Let's try this with wc -m, which counts characters in the file. Note that this effectively connected the contents of our file to the standard input of the wc -m command.

Redirecting Standard Error

According to the POSIX specification, the file descriptors for standard input, standard output and standard error are defined as 0, 1 and 2 respectively. These numbers are important as they can be used to manipulate the corresponding data streams from the command line while executing or joining different commands together. To get a better grasp of how the file descriptor numbers work, consider this example, which redirects the standard error. Note that error.txt only contains the error message generated on standard error. We did this by prepending the stream number to the right angle bracket operator, where 2 corresponds to standard error.

Piping

Continuing with the example using the wc command, let's have a look at how to redirect the output from one command into the input of another. We'll use the pipe character to redirect the output of the cat command to the input of the wc command. This concept may seem trivial, but piping together different commands is a powerful way to manipulate all sorts of data.

Text Searching and Manipulation

In this section we'll gain efficiency with file and text handling by introducing a few commands: grep, sed, cut and awk. Advanced usage of some of these tools requires a good understanding of how regular expressions work.

grep

In a nutshell, grep searches text files for the occurrence of a given regular expression and outputs any line containing a match to standard output, which is usually the terminal screen. Consider the following example. We listed all the files in the /usr/bin directory with ls and piped the output into the grep command, which searches for any line containing the string "zip". Some of the most commonly used switches include -r for recursive searching and -i to ignore the case of the text. Refer to the grep man page for more information about various options. Understanding the grep tool and when to use it can prove incredibly useful.

sed

sed is a powerful stream editor. It's also very complex, so we'll only briefly scratch the surface here. At a high level, sed performs text editing on a stream of text, either a set of specific files or standard output. Let's look at an example. We created a stream of text using the echo command and then piped it to sed in order to replace the word "hard" with "harder". Note that by default the output of the entire command has been automatically redirected to standard output, or the terminal screen.

cut

The cut command is simple but often comes in quite handy. cut is used to extract a section of text from a line and output it to standard output. Some of the most commonly used switches include -f for the field number we are cutting and -d to define the field delimiter. Here we echoed a line of text and piped it to the cut command to extract the second field using a comma as a field delimiter. The same command can be used to cut lines found in text files. This time a list of users is extracted from /etc/passwd by using a colon as a delimiter and retrieving the first field.

awk

awk is a programming language designed for text processing and is typically used as a data extraction and reporting tool. It is also extremely powerful and can be quite complex, so again we will only scratch the surface here. A commonly used switch with awk is -F (capital F), which is the field separator, and the print command, which outputs the result text. Here we echoed a line and piped it to awk to extract the 1st and 3rd fields using a double colon as a field separator. The most prominent difference between the cut and awk examples we used is that cut can only accept a single character as a field delimiter, while awk is much more flexible. As a general rule of thumb, use a single awk command instead of multiple cut operations.

Practical Example

Let's take a look at a practical example that ties together many of the commands we've explored so far. We've been given an Apache HTTP server log that contains evidence of an attack. Our task is to use Bash commands to inspect the file and discover various pieces of information, such as who the attackers were and what exactly happened on the server. First we'll use the head and wc commands to take a quick peek at the log file in order to understand its structure. The head command displays the first 10 lines in a file, and the wc command along with the -l option displays the total number of lines in the file. Notice that the log file is text-based and contains different space-delimited fields like IP address, timestamp, HTTP request, etc. This is a perfectly grep-friendly file and will work well for all the tools we've covered so far.

We'll begin by searching through the HTTP requests made to the server for all the IP addresses recorded in this log file. To do this we'll cat the log file and pipe the output into the cut and sort commands. This might give us a clue about the number of potential attackers we're dealing with. Here we see that less than 10 IP addresses were recorded in the log file, although this still doesn't tell us anything about the attackers. Next we'll use uniq and sort to show unique lines, further refine our output, and sort the data by the number of times each IP address accessed the server. The -c option of uniq will prefix the output line with the number of occurrences. A few IP addresses stand out, but we'll focus on the address that has the highest access frequency first.

To filter out the suspicious IP address and display and count the resources that were being requested by that IP, we can use the following sequence. From this output it seems that the IP address was accessing the admin directory exclusively. Let's inspect this further. Apparently the suspicious IP has been involved in an HTTP brute-force attempt against the web server. We can verify this with grep's -v flag to reverse the search and only show lines that do not contain the word "admin". As we can see, our log files contain no such entry. Furthermore, after about a thousand attempts it seems like the brute-force attempt succeeded, as indicated by the HTTP 200 message. This is a good example that ties together many of the basic commands we've explored.

Editing Files from the Command Line

Next, let's take a look at file editing in a command shell environment. This is an extremely important Linux skill, especially if you happen to get access to a Unix-like OS during a penetration test. Although there are text editors like gedit and Leafpad that might be more visually appealing due to their graphical user interface, we will focus on text-based terminal editors, which emphasize both speed and versatility. Everyone seems to have a preference when it comes to text editors, but we will cover basic usage for the two most common options: nano and vi.

nano

nano is one of the simplest-to-use text editors. To open a file and begin editing, simply run nano, passing a filename as an optional argument. Once the file is opened, we can immediately start making any required changes to the file, just as we would in a graphical editor. The nano command menu is located at the bottom of the screen. Some of the most used commands to memorize include Ctrl+O to write changes to the file, Ctrl+K to cut the current line, and Ctrl+U to uncut a line and paste it at the cursor location. Ctrl+W is used to search within the file, and finally Ctrl+X is used to exit. For additional information regarding nano, refer to its online documentation.

vi

vi is an extremely powerful text editor capable of blazing speed, especially when it comes to automating repetitive tasks. However, it has a relatively steep learning curve and is nowhere near as simple to use as nano. Due to its complexity, we will only cover the very basics here. As with nano, to edit a file simply pass its name as an argument to vi. Once the file is opened, enable insert text mode to begin typing. To do this, press the i key and start typing away. To disable insert text mode and go back to command mode, press the Escape key. While in command mode, use dd to delete the current line, press yy to copy the current line, and press p to paste the clipboard contents. To delete the current character under the cursor, press the x key. To write the current file to disk and remain in vi, type :w. Type :q followed by an exclamation mark to quit without writing the file to the disk. To quickly save the file and quit vi, enter :wq followed by an exclamation point. Because vi seems so awkward to use, many users avoid it. However, from a penetration tester's point of view, vi can save a great deal of time in the hands of an experienced user and is installed on every POSIX-compliant system.

Comparing Files

File comparison may seem irrelevant, but system administrators, network engineers, penetration testers, IT support technicians and many other technically oriented professionals rely on this skill fairly often. In this section we'll take a look at a couple of tools that can help streamline the often tedious but rewarding process of file comparison.

comm

The comm command compares two text files, displaying the lines that are unique to each one as well as the lines they have in common. In the first example, comm displayed the unique lines in scan-a.txt, the unique lines in scan-b.txt, and the lines found in both files respectively. comm outputs three space-offset columns: the first contains lines that are unique to the first file or argument, the second contains lines that are unique to the second file or argument, and the third column contains lines that are shared by both files. The -n switch, where n is either 1, 2 or 3, can be used to suppress one or more columns depending on the need. Let's take a look at an example. This time comm displayed only the lines that were found in both files, since we suppressed columns 1 and 2.

diff

The diff command is used to detect differences between files, similar to the comm command. However, diff is much more complex and supports many output formats. Two of the most popular formats include the context format and the unified format. To display results in context format, use the -c option. This output uses the - indicator to show that the line appears in the first file but not in the second. Conversely, the + indicator shows that the line appears in the second file but not in the first. Now let's see what the unified format returns. The most notable difference between these formats is that the unified format does not show lines that match between files, making the results shorter. The indicators, however, have identical meaning in both formats.

vimdiff

vimdiff opens vim, an extended version of vi, with multiple files, one in each window. The differences
between the 485 00:24:03,400 --> 00:24:07,630 files are highlighted which makes it 486 00:24:05,230 --> 00:24:09,450 easier to visually inspect them there 487 00:24:07,630 --> 00:24:13,120 are a few shortcuts that might be useful 488 00:24:09,450 --> 00:24:15,670 for example pressing ctrl W followed by 489 00:24:13,120 --> 00:24:18,760 an arrow key allows us to switch between 490 00:24:15,670 --> 00:24:21,190 windows pressing the right bracket and 491 00:24:18,760 --> 00:24:24,940 the letter C will jump to the next 492 00:24:21,190 --> 00:24:27,370 change in the diff and the left bracket 493 00:24:24,940 --> 00:24:30,640 followed by the letter C will jump to 494 00:24:27,370 --> 00:24:32,740 the previous change the do key 495 00:24:30,640 --> 00:24:34,810 combination will get a change from the 496 00:24:32,740 --> 00:24:37,110 other window and put it in the current 497 00:24:34,810 --> 00:24:37,110 one 498 00:24:39,590 --> 00:24:44,900 combination we'll put the change from 499 00:24:41,600 --> 00:24:47,720 the current window into the other one to 500 00:24:44,900 --> 00:24:50,020 quit vim diff use the same shortcuts as 501 00:24:47,720 --> 00:24:50,020 VI 502 00:24:56,980 --> 00:25:03,050 managing processes the Linux kernel 503 00:25:00,710 --> 00:25:05,630 manages multitasking through the use of 504 00:25:03,050 --> 00:25:07,910 processes the kernel maintains 505 00:25:05,630 --> 00:25:10,790 information about each process to help 506 00:25:07,910 --> 00:25:14,980 keep things organized and each process 507 00:25:10,790 --> 00:25:17,990 is assigned a number called a process ID 508 00:25:14,980 --> 00:25:20,840 the Linux shell also introduces the 509 00:25:17,990 --> 00:25:23,480 concept of jobs to ease our workflow 510 00:25:20,840 --> 00:25:26,059 during a terminal session for example 511 00:25:23,480 --> 00:25:29,410 this is a pipeline of two processes 512 00:25:26,059 --> 00:25:32,270 which the shell considers a single job 513 00:25:29,410 --> 00:25:34,820 job 
control refers to the ability to 514 00:25:32,270 --> 00:25:37,309 selectively suspend the execution of 515 00:25:34,820 --> 00:25:39,270 jobs and resume their execution at a 516 00:25:37,309 --> 00:25:41,250 later time 517 00:25:39,270 --> 00:25:43,050 we can achieve this with the help of 518 00:25:41,250 --> 00:25:45,530 specific commands which will soon 519 00:25:43,050 --> 00:25:45,530 explore 520 00:25:45,940 --> 00:25:52,700 background is the previous jobs in this 521 00:25:50,960 --> 00:25:55,280 module have been run in the foreground 522 00:25:52,700 --> 00:25:57,650 which means the terminal is occupied and 523 00:25:55,280 --> 00:26:00,440 no other commands can be executed until 524 00:25:57,650 --> 00:26:02,030 the current one finishes since most of 525 00:26:00,440 --> 00:26:04,760 our examples have been short and sweet 526 00:26:02,030 --> 00:26:06,950 this hasn't caused a problem we will 527 00:26:04,760 --> 00:26:09,590 however be running longer and more 528 00:26:06,950 --> 00:26:11,930 complex commands in later modules which 529 00:26:09,590 --> 00:26:14,060 we can send to the background in order 530 00:26:11,930 --> 00:26:17,210 to regain control of the terminal and 531 00:26:14,060 --> 00:26:19,580 execute additional commands the quickest 532 00:26:17,210 --> 00:26:21,680 way to background a process is to append 533 00:26:19,580 --> 00:26:24,260 an ampersand to the end of the command 534 00:26:21,680 --> 00:26:26,660 to send it to the background immediately 535 00:26:24,260 --> 00:26:30,050 after it starts let's try a brief 536 00:26:26,660 --> 00:26:32,630 example we'll send 400 ICMP echo 537 00:26:30,050 --> 00:26:35,060 requests to the local interface with the 538 00:26:32,630 --> 00:26:38,510 ping command and write the results to a 539 00:26:35,060 --> 00:26:39,230 file the execution automatically runs in 540 00:26:38,510 --> 00:26:41,330 the background 541 00:26:39,230 --> 00:26:43,700 leaving the shell free for additional 542 00:26:41,330 
--> 00:26:45,290 operations but what would have happened 543 00:26:43,700 --> 00:26:48,680 if we had forgotten to append the 544 00:26:45,290 --> 00:26:50,870 ampersand at the end of the command this 545 00:26:48,680 --> 00:26:52,730 command will run in the foreground and 546 00:26:50,870 --> 00:26:55,340 we are forced to either cancel the 547 00:26:52,730 --> 00:26:57,470 command with control C or wait until the 548 00:26:55,340 --> 00:27:00,050 command finishes to regain control of 549 00:26:57,470 --> 00:27:02,510 the terminal the other option is to 550 00:27:00,050 --> 00:27:05,300 suspend the job using control Z after 551 00:27:02,510 --> 00:27:07,580 it's already started once a job has been 552 00:27:05,300 --> 00:27:11,090 suspended we can resume it in the 553 00:27:07,580 --> 00:27:12,740 background using the BG command the job 554 00:27:11,090 --> 00:27:14,690 is now running in the background and we 555 00:27:12,740 --> 00:27:16,419 can continue using the terminal as we 556 00:27:14,690 --> 00:27:19,149 wish 557 00:27:16,419 --> 00:27:21,789 while doing this keep in mind that some 558 00:27:19,149 --> 00:27:24,820 processes are time sensitive and may 559 00:27:21,789 --> 00:27:27,309 give incorrect results if left suspended 560 00:27:24,820 --> 00:27:30,909 for too long for instance in the ping 561 00:27:27,309 --> 00:27:32,889 example the echo reply may come back but 562 00:27:30,909 --> 00:27:35,590 if the process is suspended when the 563 00:27:32,889 --> 00:27:38,289 packet comes in the process may miss it 564 00:27:35,590 --> 00:27:39,759 leading to incorrect output always 565 00:27:38,289 --> 00:27:42,009 consider the context of what the 566 00:27:39,759 --> 00:27:45,389 commands you are running are doing when 567 00:27:42,009 --> 00:27:45,389 engaging in job control 568 00:27:46,250 --> 00:27:53,690 control jobs and FG to quickly check on 569 00:27:50,810 --> 00:27:55,550 the status of our ICMP echo requests we 570 00:27:53,690 --> 00:27:59,240 need 
to make use of two additional 571 00:27:55,550 --> 00:28:02,180 commands jobs and FG let's begin by 572 00:27:59,240 --> 00:28:04,810 starting and suspending to long-running 573 00:28:02,180 --> 00:28:04,810 commands 574 00:28:10,340 --> 00:28:12,400 you 575 00:28:12,890 --> 00:28:18,470 the built-in jobs utility lists the jobs 576 00:28:16,490 --> 00:28:21,679 that are running in the current terminal 577 00:28:18,470 --> 00:28:25,340 session running the F G command followed 578 00:28:21,679 --> 00:28:28,220 by a % and job number returns a job to 579 00:28:25,340 --> 00:28:30,679 the foreground will use control-c to 580 00:28:28,220 --> 00:28:33,220 terminate this ping process and run jobs 581 00:28:30,679 --> 00:28:33,220 again 582 00:28:33,840 --> 00:28:39,060 with only one job running we can run FG 583 00:28:37,170 --> 00:28:42,080 without any additional arguments to 584 00:28:39,060 --> 00:28:42,080 return it to the foreground 585 00:28:42,760 --> 00:28:50,679 specific jobs can also be referenced by 586 00:28:45,409 --> 00:28:50,679 their process ID number or command name 587 00:28:56,239 --> 00:29:02,549 process control PS and kill one of the 588 00:29:00,899 --> 00:29:04,919 most useful commands for monitoring 589 00:29:02,549 --> 00:29:07,979 processes on almost any unix-like 590 00:29:04,919 --> 00:29:09,889 operating system is PS which is short 591 00:29:07,979 --> 00:29:13,289 for process status 592 00:29:09,889 --> 00:29:16,259 unlike the jobs command PS lists 593 00:29:13,289 --> 00:29:18,629 processes system-wide not only for the 594 00:29:16,259 --> 00:29:20,700 current terminal session PS is 595 00:29:18,629 --> 00:29:23,549 considered a standard on unix-like os's 596 00:29:20,700 --> 00:29:26,549 and its name is so well recognized that 597 00:29:23,549 --> 00:29:28,979 even on windows powershell PS is a 598 00:29:26,549 --> 00:29:31,619 predefined command alias for the get 599 00:29:28,979 --> 00:29:34,310 process command --let which essentially 600 
00:29:31,619 --> 00:29:37,010 serves the same purpose 601 00:29:34,310 --> 00:29:38,900 as a penetration tester one of the first 602 00:29:37,010 --> 00:29:41,420 things to check after obtaining remote 603 00:29:38,900 --> 00:29:43,280 access to a system is the software 604 00:29:41,420 --> 00:29:46,190 currently running on the compromised 605 00:29:43,280 --> 00:29:48,200 machine this could provide clues to help 606 00:29:46,190 --> 00:29:50,270 elevate our privileges or collect 607 00:29:48,200 --> 00:29:52,580 additional information in order to 608 00:29:50,270 --> 00:29:55,850 acquire further access into the network 609 00:29:52,580 --> 00:29:58,750 as an example let's start the leafpad 610 00:29:55,850 --> 00:29:58,750 text editor 611 00:30:02,490 --> 00:30:07,740 now let's try to find the leafpad 612 00:30:05,190 --> 00:30:09,270 process ID from the command line using 613 00:30:07,740 --> 00:30:13,020 the PS command 614 00:30:09,270 --> 00:30:16,590 we'll run PS with the - EF options where 615 00:30:13,020 --> 00:30:20,790 e selects all processes and F displays a 616 00:30:16,590 --> 00:30:22,830 full format listing finding our leafpad 617 00:30:20,790 --> 00:30:25,230 application that massive listing is 618 00:30:22,830 --> 00:30:27,660 definitely not easy but since we know 619 00:30:25,230 --> 00:30:30,060 the application name were looking for we 620 00:30:27,660 --> 00:30:33,270 can replace the - e switch with - 621 00:30:30,060 --> 00:30:37,350 capital C and specify the command name 622 00:30:33,270 --> 00:30:39,300 which is leafpad in our case the process 623 00:30:37,350 --> 00:30:43,530 search has returned a single result 624 00:30:39,300 --> 00:30:46,020 which contains leaf pads process ID take 625 00:30:43,530 --> 00:30:48,120 some time to explore the PS manual as it 626 00:30:46,020 --> 00:30:51,060 really is the Swiss Army knife of 627 00:30:48,120 --> 00:30:53,040 process management let's say we now want 628 00:30:51,060 --> 00:30:55,320 to stop 
the leaf pad process without 629 00:30:53,040 --> 00:30:58,050 interacting with the GUI the kill 630 00:30:55,320 --> 00:31:00,180 command can help us here as its purpose 631 00:30:58,050 --> 00:31:02,880 is to send a specific signal to a 632 00:31:00,180 --> 00:31:05,130 process the kill command requires the 633 00:31:02,880 --> 00:31:07,650 PID of the process we want to send the 634 00:31:05,130 --> 00:31:10,520 signal to since we've already gathered 635 00:31:07,650 --> 00:31:13,620 leaf pads process ID we can proceed 636 00:31:10,520 --> 00:31:17,220 because the default signal for kill is 637 00:31:13,620 --> 00:31:19,950 sig term or request termination our 638 00:31:17,220 --> 00:31:22,440 application has been terminated we can 639 00:31:19,950 --> 00:31:24,740 verify this with PS after killing leaf 640 00:31:22,440 --> 00:31:24,740 pad 641 00:31:30,149 --> 00:31:35,099 file and command monitoring it's 642 00:31:33,599 --> 00:31:37,799 extremely valuable to know how to 643 00:31:35,099 --> 00:31:39,749 monitor files and commands in real time 644 00:31:37,799 --> 00:31:41,879 during the course of a penetration test 645 00:31:39,749 --> 00:31:45,830 two commands that help with this task 646 00:31:41,879 --> 00:31:48,100 include tail and watch 647 00:31:45,830 --> 00:31:50,169 tail 648 00:31:48,100 --> 00:31:52,299 most common use of tail is to monitor 649 00:31:50,169 --> 00:31:54,600 log file entries as they are being 650 00:31:52,299 --> 00:31:54,600 written 651 00:31:54,690 --> 00:31:59,489 for example we may want to monitor the 652 00:31:57,179 --> 00:32:02,009 Apache logs to see if a web server is 653 00:31:59,489 --> 00:32:04,349 being contacted by a given client we are 654 00:32:02,009 --> 00:32:07,649 attempting to attack with a client-side 655 00:32:04,349 --> 00:32:10,320 exploit the dash F option is very useful 656 00:32:07,649 --> 00:32:13,229 it continuously updates the output as 657 00:32:10,320 --> 00:32:15,119 the target file grows since our 
local 658 00:32:13,229 --> 00:32:17,070 Apache web server is already running 659 00:32:15,119 --> 00:32:19,700 will visit the default page using 660 00:32:17,070 --> 00:32:19,700 Firefox 661 00:32:22,890 --> 00:32:29,750 if we go back to our terminal we should 662 00:32:25,530 --> 00:32:29,750 see the requests made in the log file 663 00:32:33,850 --> 00:32:40,630 another convenience which is - NX which 664 00:32:38,260 --> 00:32:44,740 outputs the last X number of lines 665 00:32:40,630 --> 00:32:46,600 instead of the default value of 10 tail 666 00:32:44,740 --> 00:32:50,040 has a number of other useful options 667 00:32:46,600 --> 00:32:50,040 outlined in its mane page 668 00:32:52,400 --> 00:32:59,510 watch the watch command is used to run a 669 00:32:56,750 --> 00:33:03,080 designated command at regular intervals 670 00:32:59,510 --> 00:33:05,330 by default it runs every two seconds but 671 00:33:03,080 --> 00:33:08,360 we can specify a different interval by 672 00:33:05,330 --> 00:33:10,240 using the dash NX option to have it run 673 00:33:08,360 --> 00:33:12,980 every X number of seconds 674 00:33:10,240 --> 00:33:16,310 for example this command will list 675 00:33:12,980 --> 00:33:20,270 logged in users output from the W 676 00:33:16,310 --> 00:33:22,130 command once every 5 seconds to 677 00:33:20,270 --> 00:33:24,020 terminate the watch command and return 678 00:33:22,130 --> 00:33:26,650 to the interactive terminal use 679 00:33:24,020 --> 00:33:26,650 control-c 680 00:33:30,780 --> 00:33:36,420 downloading files next let's take a look 681 00:33:34,290 --> 00:33:39,960 at some tools that can download files to 682 00:33:36,420 --> 00:33:43,870 a Linux system from the command line 683 00:33:39,960 --> 00:33:46,539 w get the W get command which we use 684 00:33:43,870 --> 00:33:51,640 extensively downloads files using the 685 00:33:46,539 --> 00:33:54,340 HTTP and FTP protocols W get can be used 686 00:33:51,640 --> 00:33:56,049 along with the - capital o 
switch to 687 00:33:54,340 --> 00:33:59,820 save the destination file with a 688 00:33:56,049 --> 00:33:59,820 different name on the local machine 689 00:34:01,530 --> 00:34:07,910 w get has many features and can do far 690 00:34:04,290 --> 00:34:07,910 more than simply download files 691 00:34:08,040 --> 00:34:13,170 refer to its documentation for more 692 00:34:10,480 --> 00:34:13,170 information 693 00:34:16,520 --> 00:34:23,600 Curl Curl is a tool used to transfer 694 00:34:20,450 --> 00:34:26,330 data to or from a server using a host of 695 00:34:23,600 --> 00:34:29,090 protocols a penetration tester can use 696 00:34:26,330 --> 00:34:32,780 curl to download or upload files and 697 00:34:29,090 --> 00:34:35,419 build complex requests its most basic 698 00:34:32,780 --> 00:34:38,480 use is very similar to W get but with a 699 00:34:35,419 --> 00:34:40,750 lowercase o to specify the output file 700 00:34:38,480 --> 00:34:40,750 name 701 00:34:41,390 --> 00:34:46,070 curl is incredibly versatile and you'll 702 00:34:43,820 --> 00:34:49,060 find ample documentation and example 703 00:34:46,070 --> 00:34:49,060 usage online 704 00:34:50,600 --> 00:34:57,740 axel axel is a download accelerator that 705 00:34:54,500 --> 00:35:00,530 transfers a file from an FTP or HTTP 706 00:34:57,740 --> 00:35:02,930 server through multiple connections this 707 00:35:00,530 --> 00:35:05,540 tool has a vast array of features but 708 00:35:02,930 --> 00:35:07,250 the most common option is dash n which 709 00:35:05,540 --> 00:35:09,980 is used to specify the number of 710 00:35:07,250 --> 00:35:12,260 multiple connections to use we also like 711 00:35:09,980 --> 00:35:15,950 using the dash a option for a more 712 00:35:12,260 --> 00:35:17,810 concise progress indicator and - o to 713 00:35:15,950 --> 00:35:20,590 specify a different file name for the 714 00:35:17,810 --> 00:35:20,590 downloaded file 715 00:35:21,300 --> 00:35:25,680 axl speeds up downloads extremely well 716 
00:35:23,730 --> 00:35:28,280 and is especially useful for large 717 00:35:25,680 --> 00:35:28,280 downloads 718 00:35:33,170 --> 00:35:37,339 customizing the Bosch environment 719 00:35:39,310 --> 00:35:45,190 bash history customization earlier in 720 00:35:43,270 --> 00:35:47,890 this module we discussed environment 721 00:35:45,190 --> 00:35:49,720 variables and the history command we can 722 00:35:47,890 --> 00:35:51,790 use a number of environment variables to 723 00:35:49,720 --> 00:35:55,120 change how the history command operates 724 00:35:51,790 --> 00:35:58,930 and returns data the most common include 725 00:35:55,120 --> 00:36:04,390 his to control hist ignore and hist time 726 00:35:58,930 --> 00:36:06,310 format the hist control variable defines 727 00:36:04,390 --> 00:36:09,040 whether or not to remove duplicate 728 00:36:06,310 --> 00:36:12,640 commands commands that begin with spaces 729 00:36:09,040 --> 00:36:14,800 from the history or both by default both 730 00:36:12,640 --> 00:36:17,440 are removed but you may find it more 731 00:36:14,800 --> 00:36:20,980 useful to only omit duplicate commands 732 00:36:17,440 --> 00:36:23,050 the histogram is particularly useful for 733 00:36:20,980 --> 00:36:27,310 filtering out basic commands that are 734 00:36:23,050 --> 00:36:32,170 run frequently such as LS exit history 735 00:36:27,310 --> 00:36:34,510 BG etc let's run a few commands to see 736 00:36:32,170 --> 00:36:37,170 if history ignores our specified 737 00:36:34,510 --> 00:36:37,170 commands 738 00:36:42,609 --> 00:36:44,670 you 739 00:36:45,880 --> 00:36:52,650 as expected the ls and history commands 740 00:36:49,210 --> 00:36:56,650 do not appear in our command history 741 00:36:52,650 --> 00:36:59,500 lastly hist time format controls date 742 00:36:56,650 --> 00:37:02,280 and/or time stamps in the output of the 743 00:36:59,500 --> 00:37:02,280 history command 744 00:37:03,230 --> 00:37:12,109 in this example we used percent capital 745 
00:37:06,290 --> 00:37:17,090 F or year-month-day ISO 8601 format and 746 00:37:12,109 --> 00:37:20,420 percent capital T 24-hour time 747 00:37:17,090 --> 00:37:23,980 other formats can be found in the strf 748 00:37:20,420 --> 00:37:23,980 time man page 749 00:37:30,609 --> 00:37:37,760 alias an alias is a string we can define 750 00:37:34,609 --> 00:37:39,800 that replaces a command name aliases are 751 00:37:37,760 --> 00:37:42,349 useful for replacing commonly used 752 00:37:39,800 --> 00:37:45,740 commands and switches with a shorter 753 00:37:42,349 --> 00:37:48,230 command or alias that we define in other 754 00:37:45,740 --> 00:37:50,750 words an alias is a command that we 755 00:37:48,230 --> 00:37:54,950 define ourselves built from other 756 00:37:50,750 --> 00:37:58,790 commands for example we typically tend 757 00:37:54,950 --> 00:38:02,150 to use LS - la to display results in a 758 00:37:58,790 --> 00:38:03,770 long list including hidden files let's 759 00:38:02,150 --> 00:38:07,310 take a look at how we can use an alias 760 00:38:03,770 --> 00:38:10,820 to replace this command by defining our 761 00:38:07,310 --> 00:38:13,700 own command LS a we can quickly execute 762 00:38:10,820 --> 00:38:17,390 LS - la without having to type any 763 00:38:13,700 --> 00:38:20,240 arguments at all we can see the list of 764 00:38:17,390 --> 00:38:22,960 defined aliases by running alias without 765 00:38:20,240 --> 00:38:22,960 arguments 766 00:38:28,890 --> 00:38:34,900 persistent bash customization the 767 00:38:32,859 --> 00:38:38,170 behavior of interactive shells in bash 768 00:38:34,900 --> 00:38:42,490 is determined by the system-wide bash RC 769 00:38:38,170 --> 00:38:46,660 file located in slash Etsy slash bash 770 00:38:42,490 --> 00:38:48,760 bash RC the system-wide bash settings 771 00:38:46,660 --> 00:38:52,180 can be overridden by editing the dot 772 00:38:48,760 --> 00:38:55,119 bash RC file located in any users home 773 00:38:52,180 --> 00:38:57,970 
directory in the previous section we 774 00:38:55,119 --> 00:39:00,099 explored the alias command which sets an 775 00:38:57,970 --> 00:39:02,920 alias for the current terminal session 776 00:39:00,099 --> 00:39:05,710 we can also insert this command into the 777 00:39:02,920 --> 00:39:09,099 dot bash RC file in a user's home 778 00:39:05,710 --> 00:39:11,740 directory to setup persistent alias the 779 00:39:09,099 --> 00:39:14,289 dot bash RC script is executed anytime 780 00:39:11,740 --> 00:39:16,720 that user logs in since this file is a 781 00:39:14,289 --> 00:39:18,970 shell script we can insert any command 782 00:39:16,720 --> 00:39:21,400 that could be executed from the command 783 00:39:18,970 --> 00:39:24,990 prompt let's examine a few lines of our 784 00:39:21,400 --> 00:39:24,990 default bash RC file 785 00:39:25,190 --> 00:39:32,560 you might recognize the hist size and 786 00:39:28,040 --> 00:39:32,560 hist file size environment variables 787 00:39:33,060 --> 00:39:38,070 and the alias command that displays 788 00:39:35,520 --> 00:39:39,780 colored output you will also find some 789 00:39:38,070 --> 00:39:42,500 other aliases in this file there 790 00:39:39,780 --> 00:39:42,500 commented out 791 00:39:47,160 --> 00:39:53,920 wrapping up in this module we took an 792 00:39:51,280 --> 00:39:57,400 introductory look at a few popular linux 793 00:39:53,920 --> 00:40:00,010 command line programs remember to refer 794 00:39:57,400 --> 00:40:05,040 to the kali linux training site for a 795 00:40:00,010 --> 00:40:05,040 refresher or more in-depth discussion 59364
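The comm and diff usage the narration describes, as an added example that is not part of the course material or its demo files: the two scan files and the hosts in them are constructed sample data, and the sort step is a caveat the narration leaves out, since comm only produces correct columns when both inputs are sorted in the same collation (scanners emit host order, and "10.11.1.12" sorts before "10.11.1.5" bytewise). diff, by contrast, is order-aware and is run on the raw files.

```sh
#!/bin/sh
# Added example (not from the course): comparing two scan result files with comm and diff.
# scan-a.txt / scan-b.txt and the hosts in them are constructed sample data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed output, one host:port per line, as two scans a day apart might produce.
cat > "$WORK/scan-a.txt" <<'EOF'
10.11.1.5:22
10.11.1.5:80
10.11.1.7:445
10.11.1.9:3389
EOF
cat > "$WORK/scan-b.txt" <<'EOF'
10.11.1.5:22
10.11.1.5:443
10.11.1.7:445
10.11.1.9:3389
10.11.1.12:21
EOF

# comm assumes both inputs are sorted in the same collation. LC_ALL=C keeps sort and
# comm in agreement regardless of the session locale. Prints the path of the sorted copy.
sorted_copy() {
    tmp=$(mktemp)
    LC_ALL=C sort "$1" > "$tmp"
    printf '%s\n' "$tmp"
}

# Run comm with the given column-suppression flags on sorted copies of two files.
compare() {
    flags=$1
    a=$(sorted_copy "$2")
    b=$(sorted_copy "$3")
    LC_ALL=C comm "$flags" "$a" "$b"
    rm -f "$a" "$b"
}

# Column 3 only: lines present in both scans.
common_lines() { compare -12 "$1" "$2"; }
# Column 1 only: lines that disappeared between the first and the second scan.
closed_lines() { compare -23 "$1" "$2"; }
# Column 2 only: lines that are new in the second scan, usually the interesting ones.
opened_lines() { compare -13 "$1" "$2"; }

# diff is order-aware, so it gets the raw files. It exits 1 when the files differ,
# which set -e would otherwise treat as a failure.
unified_diff() {
    diff -u "$1" "$2" || [ $? -eq 1 ]
}

# Number of added data lines in the unified diff (the "+++" header does not match).
added_count() {
    unified_diff "$1" "$2" | grep -c '^+[0-9]'
}

echo "# opened since scan-a:"
opened_lines "$WORK/scan-a.txt" "$WORK/scan-b.txt"
echo "# closed since scan-a:"
closed_lines "$WORK/scan-a.txt" "$WORK/scan-b.txt"
echo "# unchanged:"
common_lines "$WORK/scan-a.txt" "$WORK/scan-b.txt"
echo "# unified diff of the raw files:"
unified_diff "$WORK/scan-a.txt" "$WORK/scan-b.txt"
```

Running the script prints the newly opened lines first, which is the column a tester usually wants after a re-scan; the same three wrappers work on any two line-oriented files, and the sorting inside compare is what keeps comm from silently misreporting lines as unique.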
