Created February 22, 2017 13:01
Revisions
wb4r created this gist Feb 22, 2017
@@ -0,0 +1,177 @@ [0] FIND / GREP notes-w1.txt [*] FIND - Depth $ find . -maxdepth 1 - Find and then copy (exec) $ ... -exec cp {} /home/caine/etccopy/ \; - Size: c (bytes) k (kilobytes) M (MB) G (GB) - Size: smaller than X bytes => $ ... -10240c bigger than X bytes => $ ... +10240c exactly X bytes => $ ... 10240c - Owned by $ ... -user caine - Group $ ... -group groupname - Permissions $ ... -perm 664 [*] GREP - Searches in contents of a file. - Uses Regex with -E $ grep -E expression file - CAse insensitive -i [1] HEAD & TAIL - Print 3 lines $ head/tail -3 file [*] HEAD [*] WC chars => --chars lines => -l words => -w [2] PERMISSIONS - Chmod - letters: The change is one or more of 'ugo', then '+-=', then zero or more of 'rwx' - Chmod - numeric: 4 = r(Read) 3 = w(Write) 1 = x(eXecute) [3] MD5 / CMP [*] MD5SUM $ md5sum filename - Hash Collisions • If two files have different hash values then they are definitely not identical. • If two files have the same hash values then they are probably identical. • If two files are different but have the same hash they are referred to as a hash collision or a false positive. [*] CMP $ cmp file1 file2 [4] DD - Data Blocks [*] DD - Overwrite block 2 of file2 with block 10 of file1. 
$ dd if=file1.dd skip=10 of=file2.dd seek=2 count=1 bs=512 conv=notrunc START $ dd FROM if=file1.dd skip=10 TO of=file2.dd seek=2 NUMBER count=1 ALWAYS THE SAME bs=512 conv=notrunc [*] XXD - Open a data block (such as MBR) $ dd if=file1.dd skip=0 count=1 bs=512 | xxd [5] U/MOUNT, PARTITIONS & DISKS [*] MOUNT, UMOUNT - Mount, unmount partitions $ mount /what /where $ umount /where [*] SFDISK - Read partition structure $ sfdisk -l -uS /dev/sda [*] LOOSETUP - Mount files $ losetup /dev/loop0 /file1.dd [OR] if /file1.dd is a whole disk, and you want to mount partition 1 $ losetup /dev/loop0 /img1.dd –o (sfdisk's Start * 521) [AND] $ mount /dev/loop0 /where -o ro - Show info $ losetup -a - Unmount files $ umount /dev/loop0 [AND] $ losetup -d /dev/loop0 [6] DISK ANALYSIS [*] MBR - Read MBR $ dd if=image.dd skip=0 count=1 bs=512 | xxd [*] VBR - Volume Boot Record - Read VBR $ dd if=image.dd skip=63 count=1 bs=512 | xxd [*] MMLS - Displays the contents of a volume system $ mmls image.dd [7] BINARIES [*] XXD - View file $ xxd /bin/ls - View block $ dd if=file1.dd skip=0 count=1 bs=512 | xxd - Binari writing $ echo -ne "LITTLE ENDIAN" | DEST conv=notrunc bs=1 $ echo -ne "\x65" | dd of=test.dat seek=100 count=1 bs=1 conv=notrunc [6] SORT - Delimiter (random,15) -t"," - Sort by one kolumn (3 in this case) -k 3,3 - Same but numeric sort -k 3n,3n - Sort by one kolumn and then another (3 and 5 in this case) -k 3n,5n - Uniqueness -u [9] REGEXP "?" for a single character "*" for any number of chars (0 or more) [abc] match 1 character && must be one of those in the square brackets "^x" starts with x "n$" ends with n "." can match any character \. to actually look for a dot, escaping char \[ to actually look for a [, escaping char {n} repeat pattern n times Examples: - Starting with 'u' and finishing with '.conf' $ ... 
'u*.conf' - Using dot: "^a.*z$" abuzz, adz "^a.z$" adz '^a*z$' fucks it up and only gives "z" as a result - Word has ‘a’ then ‘b’ then ‘c’, with 0 or more characters in between 'a.*b.*c' - Three characters where the first character is A '(a..)' - Three vowels appearing together '([aeiou][aeiou][aeiou])' OR '([aeiou]{3})' #
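Review bot: the numeric chmod table in [2] PERMISSIONS is wrong: write is 2, not 3. The bits are r=4, w=2, x=1, which is what makes rw-rw-r-- equal 664, the value the `-perm 664` example in [0] already assumes, so `3 = w(Write)` should read `2 = w(Write)`. In [5], the losetup offset `(sfdisk's Start * 521)` should be `Start * 512`: `-o` takes a byte offset, `sfdisk -uS` reports sectors, and the notes' own dd commands use `bs=512` as the sector size, so a 521 multiplier puts the mount at the wrong byte. Smaller points: `LOOSETUP` should be `LOSETUP` (the command is `losetup`); the binary-writing template `echo -ne "LITTLE ENDIAN" | DEST conv=notrunc bs=1` is missing the `dd of=... seek=...` that the following line shows in full; the sections run [6] DISK ANALYSIS, [7] BINARIES, [6] SORT, [9] REGEXP, so SORT should be [8]; and the "?" and "*" definitions at the top of [9] describe shell glob semantics (the form used with `find -name 'u*.conf'`), whereas in `grep -E` a single arbitrary character is `.` and `*` repeats the preceding item, which is what the later `"^a.*z$"` examples rely on. Splitting [9] into a short glob list and a separate regex list would remove the contradiction.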