Merge remote-tracking branch 'upstream/master' into case-insensitive-search

This commit is contained in:
Tyler Culp 2018-09-20 13:46:23 -04:00
commit b6cd3dae38
44 changed files with 1478 additions and 15 deletions

View File

@ -1,7 +1,8 @@
Contributing
============
If you would like to contribute cheetsheets or program functionality, please
fork this repository, make your changes, and submit a pull request.
fork this repository, make your changes, and submit a pull request against the
`master` branch.
## Python standards ##
@ -22,4 +23,7 @@ tar -cvf /path/to/foo.tar /path/to/foo/
tar -xzvf /path/to/foo.tgz
```
If you are submitting a cheatsheet that contains side-by-side columns of text,
please align the columns using spaces rather than tabs.
[PEP 8]: http://legacy.python.org/dev/peps/pep-0008/

View File

@ -42,7 +42,7 @@ from docopt import docopt
if __name__ == '__main__':
# parse the command-line options
options = docopt(__doc__, version='cheat 2.2.0')
options = docopt(__doc__, version='cheat 2.2.3')
# list directories
if options['--directories']:

5
cheat/cheatsheets/alias Normal file
View File

@ -0,0 +1,5 @@
# Show a list of your current shell aliases
alias
# Map `ll` to `ls -l` (Can be used per session or put inside a shell config file)
alias ll='ls -l'

8
cheat/cheatsheets/cat Normal file
View File

@ -0,0 +1,8 @@
# Display the contents of a file
cat /path/to/foo
# Display contents with line numbers
cat -n /path/to/foo
# Display contents with line numbers (blank lines excluded)
cat -b /path/to/foo

11
cheat/cheatsheets/cd Normal file
View File

@ -0,0 +1,11 @@
#Go to the given directory
cd path/to/directory
#Go to home directory of current user
cd
#Go up to the parent of the current directory
cd ..
#Go to the previously chosen directory
cd -

11
cheat/cheatsheets/cp Normal file
View File

@ -0,0 +1,11 @@
# Create a copy of a file
cp ~/Desktop/foo.txt ~/Downloads/foo.txt
# Create a copy of a directory
cp -r ~/Desktop/cruise_pics/ ~/Pictures/
# Create a copy but ask to overwrite if the destination file already exists
cp -i ~/Desktop/foo.txt ~/Documents/foo.txt
# Create a backup file with date
cp foo.txt{,."$(date +%Y%m%d-%H%M%S)"}

View File

@ -16,7 +16,7 @@ SHELL=/bin/bash
*/15 * * * * /home/user/command.sh
# every midnight
* 0 * * * /home/user/command.sh
0 0 * * * /home/user/command.sh
# every Saturday at 8:05 AM
5 8 * * 6 /home/user/command.sh

View File

@ -0,0 +1,8 @@
# open encrypted partition /dev/sdb1 (reachable at /dev/mapper/backup)
cryptsetup open --type luks /dev/sdb1 backup
# open encrypted partition /dev/sdb1 using a keyfile (reachable at /dev/mapper/hdd)
cryptsetup open --type luks --key-file hdd.key /dev/sdb1 hdd
# close luks container at /dev/mapper/hdd
cryptsetup close hdd

View File

@ -33,3 +33,9 @@ curl http://ifconfig.me/all/json
# Limit the rate of a download
curl --limit-rate 1000B -O http://path.to.the/file
# Get your global IP
curl httpbin.org/ip
# Get only the HTTP status code
curl -o /dev/null -w '%{http_code}\n' -s -I URL

View File

@ -1,7 +1,7 @@
# Read from {/dev/urandom} 2*512 Bytes and put it into {/tmp/test.txt}
# Note: At the first iteration, we read 512 Bytes.
# Note: At the second iteration, we read 512 Bytes.
dd if=/dev/urandom of=/tmp/test.txt count=512 bs=2
dd if=/dev/urandom of=/tmp/test.txt count=2 bs=512
# Watch the progress of 'dd'
dd if=/dev/zero of=/dev/null bs=4KB &; export dd_pid=`pgrep '^dd'`; while [[ -d /proc/$dd_pid ]]; do kill -USR1 $dd_pid && sleep 1 && clear; done

View File

@ -1,3 +1,7 @@
# Extract contents of a .deb file
$ ar vx foo.deb # -> data.tar.gz
$ tar xf data.tar.gz
# Install .deb file to a debian like system, e.g. ubuntu
$ sudo dpkg -i foo.deb
$ sudo apt-get install -f

View File

@ -1,12 +1,19 @@
# Running emacs
GUI mode $ emacs
Terminal mode $ emacs -nw
# Basic usage
Indent Select text then press TAB
Cut CTRL-w
Copy ALT-w
Paste ("yank") CTRL-y
Begin selection CTRL-SPACE
Search/Find CTRL-s
Replace ALT-% (ALT-SHIFT-5)
Save CTRL-x CTRL-s
Save as CTRL-x CTRL-w
Load/Open CTRL-x CTRL-f
Undo CTRL-x u
Highlight all text CTRL-x h
@ -15,7 +22,7 @@
Font size bigger CTRL-x CTRL-+
Font size smaller CTRL-x CTRL--
# Buffers
# Buffers
Split screen vertically CTRL-x 2
Split screen vertically with 5 row height CTRL-u 5 CTRL-x 2
@ -23,11 +30,21 @@
Split screen horizontally with 24 column width CTRL-u 24 CTRL-x 3
Revert to single screen CTRL-x 1
Hide the current screen CTRL-x 0
Kill the current screen CTRL-x k
Move to the next buffer CTRL-x O
Move to the next screen CTRL-x o
Kill the current buffer CTRL-x k
Select a buffer CTRL-x b
Run command in the scratch buffer CTRL-x CTRL-e
# Navigation ( backward / forward )
Character-wise CTRL-b , CTRL-f
Word-wise ALT-b , ALT-f
Line-wise CTRL-p , CTRL-n
Sentence-wise ALT-a , ALT-e
Paragraph-wise ALT-{ , ALT-}
Function-wise CTRL-ALT-a , CTRL-ALT-e
Line beginning / end CTRL-a , CTRL-e
# Other stuff
Open a shell ALT-x eshell

5
cheat/cheatsheets/export Normal file
View File

@ -0,0 +1,5 @@
# Calling export with no arguments will show current shell attributes
export
# Create new environment variable
export VARNAME="value"

View File

@ -19,11 +19,11 @@ find ./path/ -name '*.txt' -exec rm '{}' \;
# To find files with extension '.txt' and look for a string into them:
find ./path/ -name '*.txt' | xargs grep 'string'
# To find files with size bigger than 5 Mb and sort them by size:
# To find files with size bigger than 5 Mebibyte and sort them by size:
find . -size +5M -type f -print0 | xargs -0 ls -Ssh | sort -z
# To find files bigger thank 2 MB and list them:
find . -type f -size +20000k -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
# To find files bigger than 2 Megabyte and list them:
find . -type f -size +200000000c -exec ls -lh {} \; | awk '{ print $9 ": " $5 }'
# To find files modified more than 7 days ago and list file information
find . -type f -mtime +7d -ls

View File

@ -10,8 +10,26 @@ do
echo $var
done
# loop over all the JPG files in the current directory
for jpg_file in *.jpg
do
echo $jpg_file
done
# loop specified number of times
for i in `seq 1 10`
do
echo $i
done
# loop specified number of times: the C/C++ style
for ((i=1;i<=10;++i))
do
echo $i
done
# loop specified number of times: the brace expansion
for i in {1..10}
do
echo $i
done

12
cheat/cheatsheets/gyb Normal file
View File

@ -0,0 +1,12 @@
# To estimate the number and the size of all mails on youremail@gmail.com
gyb --email youremail@gmail.com --action estimate
# To backup from youremail@gmail.com to your local-folder
gyb --email youremail@gmail.com --action backup --local-folder "~/MyLocalFolder/"
# To backup from youremail@gmail.com only important or starred emails to the
# default local folder GYB-GMail-Backup-youremail@gmail.com
gyb --email youremail@gmail.com --search "is:important OR is:starred"
# To restore from your local-folder to youremail@gmail.com
gyb --email youremail@gmail.com --action restore --local-folder "~/MyLocalFolder/"

3
cheat/cheatsheets/iconv Normal file
View File

@ -0,0 +1,3 @@
# To convert file (iconv.src) from iso-8859-1 to utf-8 and save to
# /tmp/iconv.out
iconv -f iso-8859-1 -t utf-8 iconv.src -o /tmp/iconv.out

5
cheat/cheatsheets/kill Normal file
View File

@ -0,0 +1,5 @@
# Kill a process gracefully
kill -15 <process id>
# Kill a process forcefully
kill -9 <process id>

21
cheat/cheatsheets/lsblk Normal file
View File

@ -0,0 +1,21 @@
# Show all available block devices along with their partitioning schemes
lsblk
# To show SCSI devices:
lsblk --scsi
# To show a specific device
lsblk /dev/sda
# To verify TRIM support:
# Check the values of DISC-GRAN (discard granularity) and DISC-MAX (discard max bytes) columns.
# Non-zero values indicate TRIM support
lsblk --discard
# To featch info about filesystems:
lsblk --fs
# For JSON, LIST or TREE output formats use the following flags:
lsblk --json
lsblk --list
lsblk --tree # default view

View File

@ -38,7 +38,7 @@ This is [an example](http://example.com "Title") inline link.
# image
![Alt Text](/path/to/file.png)
# emphasis
# formatting
*em* _em_
**strong** __strong__
~~strikethrough~~

22
cheat/cheatsheets/mutt Normal file
View File

@ -0,0 +1,22 @@
# Create new mailbox in IMAP
+ When located in mailbox list (c)
shift + C
# Move multiple messages to folder (bulk operations)
1. Select/tag them with alt+'t'
2. ;s in mail inbox overview for bulk operation
# Deleting / Undeleting all messages in mutt
1. In mutts index, hit D (UPPERCASE D)
2. It will prompt you with “Delete messages matching: “
+ enter this string:
~A
3. It should mark all for deletion!
4. Conversely, you can do the same thing with UPPERCASE U to undelete multiple messages.

17
cheat/cheatsheets/mv Normal file
View File

@ -0,0 +1,17 @@
# Move a file from one place to another
mv ~/Desktop/foo.txt ~/Documents/foo.txt
# Move a file from one place to another and automatically overwrite if the destination file exists
# (This will override any previous -i or -n args)
mv -f ~/Desktop/foo.txt ~/Documents/foo.txt
# Move a file from one place to another but ask before overwriting an existing file
# (This will override any previous -f or -n args)
mv -i ~/Desktop/foo.txt ~/Documents/foo.txt
# Move a file from one place to another but never overwrite anything
# (This will override any previous -f or -i args)
mv -n ~/Desktop/foo.txt ~/Documents/foo.txt
# Move listed files to a directory
mv -t ~/Desktop/ file1 file2 file3

View File

@ -29,3 +29,9 @@ UPDATE tbl_name SET col1 = "example";
# Basic DELETE Statement
DELETE FROM tbl_name WHERE user = 'jcole';
# To check stored procedure
SHOW PROCEDURE STATUS;
# To check stored function
SHOW FUNCTION STATUS;

View File

@ -34,7 +34,10 @@ nmcli dev status
# Add a dynamic ethernet connection - parameters:
# <name> -- the name of the connection
# <iface_name> -- the name of the interface
ncmli con add type ethernet con-name <name> ifname <iface_name>
nmcli con add type ethernet con-name <name> ifname <iface_name>
# Import OpenVPN connection settings from file:
nmcli con import type openvpn file <path_to_ovpn_file>
# Bring up the ethernet connection
nmcli con up <name>

View File

@ -15,6 +15,9 @@ openssl req -text -noout -in server.csr
# To show certificate information for generated certificate
openssl x509 -text -noout -in server.crt
# To get the sha256 fingerprint of a certificate
openssl x509 -in server.crt -noout -sha256 -fingerprint
# To view certificate expiration:
echo | openssl s_client -connect <hostname>:443 2> /dev/null | \
awk '/-----BEGIN/,/END CERTIFICATE-----/' | \

8
cheat/cheatsheets/perl Normal file
View File

@ -0,0 +1,8 @@
# To view the perl version:
perl -v
# Replace string "\n" to newline
echo -e "foo\nbar\nbaz" | perl -pe 's/\n/\\n/g;'
# Replace newline with multiple line to space
cat test.txt | perl -0pe "s/test1\ntest2/test1 test2/m"

5
cheat/cheatsheets/pgrep Normal file
View File

@ -0,0 +1,5 @@
# Get a list of PIDs matching the pattern
pgrep example
# Kill all PIDs matching the pattern
pgrep -f example | xargs kill

View File

@ -23,5 +23,8 @@ pip list --outdated
# Upgrade all outdated packages, thanks to http://stackoverflow.com/a/3452888
pip freeze --local | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip install -U
# Upgrade outdated packages on latest version of pip
pip list --outdated --format=freeze | cut -d = -f 1 | xargs -n1 pip install -U
# Install specific version of a package
pip install -I SomePackage1==1.1.0 'SomePackage2>=1.0.4'

5
cheat/cheatsheets/pkill Normal file
View File

@ -0,0 +1,5 @@
# To kill a process using it's full process name
pkill <processname>
# To kill a process by it's partial name
pkill -f <string>

26
cheat/cheatsheets/psql Normal file
View File

@ -0,0 +1,26 @@
# psql is the PostgreSQL terminal interface. The following commands were tested on version 9.5.
# Connection options:
# -U username (if not specified current OS user is used).
# -p port.
# -h server hostname/address.
# Connect to a specific database:
psql -U postgres -h serverAddress -d dbName
# Get databases on a server:
psql -U postgres -h serverAddress --list
# Execute sql query and save output to file:
psql -U postgres -d dbName -c 'select * from tableName;' -o fileName
# Execute query and get tabular html output:
psql -U postgres -d dbName -H -c 'select * from tableName;'
# Execute query and save resulting rows to csv file:
psql -U postgres -d dbName -t -A -P fieldsep=',' -c 'select * from tableName;' -o fileName.csv
# Read commands from file:
psql -f fileName
# Restore databases from file:
psql -f fileName.backup postgres

2
cheat/cheatsheets/pwd Normal file
View File

@ -0,0 +1,2 @@
# Show the absolute path of your current working directory on the filesystem
pwd

936
cheat/cheatsheets/r2 Normal file
View File

@ -0,0 +1,936 @@
# Command Line options
-L: List of supported IO plugins
-q: Exit after processing commands
-w: Write mode enabled
-i: Interprets a r2 script
-A: Analize executable at load time (xrefs, etc)
-n: Bare load. Do not load executable info as the entrypoint
-c'cmds': Run r2 and execute commands (eg: r2 -wqc'wx 3c @ main')
-p: Creates a project for the file being analyzed (CC add a comment when opening a file as a project)
-: Opens r2 with the malloc plugin that gives a 512 bytes memory area to play with (size can be changed); Similar to r2 malloc://512
-----------------------------------------------------------------------------------------------------------------------------
# Configuration properties
e: Returs configuration properties
e <property>: Checks a specific property:
e asm.tabs => false
e <property>=<value>: Change property value
e asm.arch=ppc
e? help about a configuration property
e? cmd.stack
# Show comments at right of disassembly if they fit in screen
e asm.cmtright=true
# Shows pseudocode in disassembly. Eg mov eax, str.ok = > eax = str.ok
e asm.pseudo = true
# Display stack and register values on top of disasembly view (visual mode)
e cmd.stack = true
# Solarized theme
eco solarized
# Use UTF-8 to show cool arrows that do not look like crap :)
e scr.utf8 = true
-----------------------------------------------------------------------------------------------------------------------------
# Basic Commands
; Command chaining: x 3;s+3;pi 3;s+3;pxo 4;
| Pipe with shell commands: pd | less
! Run shell commands: !cat /etc/passwd
!! Escapes to shell, run command and pass output to radare buffer
Note: The double exclamation mark tells radare to skip the plugin list to find an IO plugin handling this
command to launch it directly to the shell. A single one will walk through the io plugin list.
` Radare commands: wx `!ragg2 -i exec`
~ grep
~! grep -v
~[n] grep by columns afl~[0]
~:n grep by rows afl~:0
<command>~.. less/more mode
+-------------------------------------------------------------------
pi~mov,eax ; lines with mov or eax
pi~mov&eax ; lines with mov and eax
pi~mov,eax:6 ; 6 first lines with mov or eax
pd 20~call[0]:0 ; grep first column of the first row matching 'call'
+-------------------------------------------------------------------
.cmd Interprets command output
+-------------------------------------------------------------------
is* prints symbolos
.is* interprets output and define the symbols in radare (normally they are already loaded if r2 was not invoked with -n)
+-------------------------------------------------------------------
.. repeats last commands (same as enter \n)
( Used to define and run macros
$ Used to define alias
$$: Resolves to current address
Offsets (@) are absolute, we can use $$ for relative ones @ $$+4
? Evaluate expression
+-------------------------------------------------------------------
[0x00000000]> ? 33 +2
35 0x23 043 0000:0023 35 00100011 35.0 0.000000
Note: | and & need to be escaped
+-------------------------------------------------------------------
?$? Help for variables used in expressions
$$: Here
$s: File size
$b: Block size
$l: Opcode length
$j: When $$ is at a jmp, $j is the address where we are going to jump to
$f: Same for jmp fail address
$m: Opcode memory reference (e.g. mov eax,[0x10] => 0x10)
??? Help for ? command
?i Takes input from stdin. Eg ?i username
?? Result from previous operations
?s from to [step]: Generates sequence from to every
?p: Get physical address for given virtual address
?P: Get virtual address for given physical one
?v Show hex value of math expr
+-------------------------------------------------------------------
?v 0x1625d4ca ^ 0x72ca4247 = 0x64ef968d
?v 0x4141414a - 0x41414140 = 0xa
+-------------------------------------------------------------------
?l str: Returns the length of string
@@: Used for iteractions
+-------------------------------------------------------------------
wx ff @@10 20 30 Writes ff at offsets 10, 20 and 30
wx ff @@`?s 1 10 2` Writes ff at offsets 1, 2 and 3
wx 90 @@ sym.* Writes a nop on every symbol
+-------------------------------------------------------------------
# Positioning
s address: Move cursor to address or symbol
s-5 (5 bytes backwards)
s- undo seek
s+ redo seek
# Block Size
b size: Change block size
# Analyze
aa: Analyze all (fcns + bbs) same that running r2 with -A
ahl <length> <range>: fake opcode length for a range of bytes
ad: Analyze data
ad@rsp (analize the stack)
+ Normal mode
af: Analyze functions
afl: List all functions
number of functions: afl~?
afi: Returns information about the functions we are currently at
afr: Rename function: structure and flag
afr off: Restore function name set by r2
afn: Rename function
afn strlen 0x080483f0
af-: Removes metadata generated by the function analysis
af+: Define a function manually given the start address and length
af+ 0xd6f 403 checker_loop
axt: Returns cross references to (xref to)
axf: Returns cross references from (xref from)
+ Visual mode
d, f: Function analysis
d, u: Remove metadata generated by function analysis
+ Opcode analysis
ao x: Analize x opcodes from current offset
a8 bytes: Analize the instruction represented by specified bytes
# Information
iI: File info
iz: Strings in data section
izz: Strings in the whole binary
iS: Sections
iS~w returns writable sections
is: Symbols
is~FUNC exports
il: Linked libraries
ii: Imports
ie: Entrypoint
+ Mitigations
i~pic : check if the binary has position-independent-code
i~nx : check if the binary has non-executable stack
i~canary : check if the binary has canaries
# Print
psz n @ offset: Print n zero terminated String
px n @ offset: Print hexdump (or just x) of n bytes
pxw n @ offset: Print hexdump of n words
pxw size@offset prints hexadecimal words at address
pd n @ offset: Print n opcodes disassambled
pD n @ offset: Print n bytes disassembled
pi n @ offset: Print n instructions disassambeled (no address, XREFs, etc. just instrunctions)
pdf @ offset: Print disassembled function
pdf~XREF (grep: XREFs)
pdf~call (grep: calls)
pcp n @ offset: Print n bytes in python string output.
pcp 0x20@0x8048550
import struct
buf = struct.pack ("32B",
0x55,0x89,0xe5,0x83,0xzz,0xzz,0xzz,0xzz,0xf0,0x00,0x00,
0x00,0x00,0xc7,0x45,0xf4,0x00,0x00,0x00,0x00,0xeb,0x20,
0xc7,0x44,0x24,0x04,0x01,0x00,0x00,0x00,0xzz,0xzz)
p8 n @ offset: Print n bytes (8bits) (no hexdump)
pv: Print file contents as IDA bar and shows metadata for each byte (flags , ...)
pt: Interpret data as dates
pf: Print with format
pf.: list all formats
p=: Print entropy ascii graph
# Write
wx: Write hex values in current offset
wx 123456
wx ff @ 4
wa: Write assembly
wa jnz 0x400d24
wc: Write cache commit
wv: Writes value doing endian conversion and padding to byte
wo[x]: Write result of operation
wow 11223344 @102!10
write looped value from 102 to 102+10
0x00000066 1122 3344 1122 3344 1122 0000 0000 0000
wox 0x90
XOR the current block with 0x90. Equivalent to wox 0x90 $$!$b (write from current position, a whole block)
wox 67 @4!10
XOR from offset 4 to 10 with value 67
wf file: Writes the content of the file at the current address or specified offset (ASCII characters only)
wF file: Writes the content of the file at the current address or specified offset
wt file [sz]: Write to file (from current seek, blocksize or sz bytes)
Eg: Dump ELF files with wt @@ hit0* (after searching for ELF headers: \x7fELF)
woO 41424344 : get the index in the De Bruijn Pattern of the given word
# Flags
f: List flags
f label @ offset: Define a flag `label` at offset
f str.pass_len @ 0x804999c
f -label: Removes flag
fr: Rename flag
fd: Returns position from nearest flag (looking backwards). Eg => entry+21
fs: Show all flag spaces
fs flagspace: Change to the specified flag space
fe loop and create numbered flags:
1. fs demo_flagspace
2. fe demo_flagspace @@=`pdf~jne[1]`
# Yank & Paste
y n: Copies n bytes from current position
y: Shows yank buffer contentent with address and length where each entry was copied from
yp: Prints yank buffer
yy offset: Paste the contents of the yank buffer at the specified offset
yt n target @ source: Yank to. Copy n bytes fromsource to target address
# Visual Mode
q: Exits visual mode
hjkl: move around (or HJKL) (left-down-up-right)
o: go/seek to given offset
?: Help
.: Seek EIP
<enter>: Follow address of the current jump/call
:cmd: Enter radare commands. Eg: x @ esi
d[f?]: Define cursor as a string, data, code, a function, or simply to undefine it.
dr: Rename a function
df: Define a function
v: Get into the visual code analysis menu to edit/look closely at the current function.
p/P: Rotate print (visualization) modes
hex, the hexadecimal view
disasm, the disassembly listing
Use numbers in [] to follow jump
Use "u" to go back
debug, the debugger
words, the word-hexidecimal view
buf, the C-formatted buffer
annotated, the annotated hexdump.
c: Changes to cursor mode or exits the cursor mode
select: Shift+[hjkl]
i: Insert mode
a: assembly inline
A: Assembly in visual mode
y: Copy
Y: Paste
f: Creates a flag where cursor points to
<tab> in the hexdump view to toggle between hex and strings columns
V: View ascii-art basic block graph of current function
W: WebUI
x, X: XREFs to current function. ("u" to go back)
t: track flags (browse symbols, functions..)
gG: Begging or end of file
HUD
_ Show HUD
backspace: Exits HUD
We can add new commands to HUD in: radare2/shlr/hud/main
;[-]cmt: Add/remove comment
m<char>: Define a bookmark
'<char>: Go to previously defined bookmark
# ROP
/R opcodes: Search opcodes
/R pop,pop,ret
/Rl opcodes: Search opcodes and print them in linear way
/Rl jmp eax,call ebx
/a: Search assembly
/a jmp eax
pda: Returns a library of gadgets that can be use. These gadgets are obtained by disassmbling byte per byte instead of obeying to opcode leng
e search.roplen = 4 (change the depth of the search, to speed-up the hunt)
# Searching
/ bytes: Search bytes
\x7fELF
+-------------------------------------------------------------------
push ebp
mov ebp, esp
Opcodes: 5589e5
/x 5589e5
[# ]hits: 54c0f4 < 0x0804c600 hits = 1
0x08049f70 hit0_0 5589e557565383e4f081ec
0x0804c31a hit0_1 5589e583ec18c704246031
0x0804c353 hit0_2 5589e583ec1889442404c7
0x0804c379 hit0_3 5589e583ec08e87cffffff
0x0804c3a2 hit0_4 5589e583ec18c70424302d
pi 5 @@hit* (Print 5 first instructions of every hit)
+-------------------------------------------------------------------
Its possible to run a command for each hit. Use the cmd.hit property:
e cmd.hit=px
# Comments and defines
Cd [size]: Define as data
C- [size]: Define as code
Cs [size]: Define as String
Cf [size]: Define as struct
We can define structures to be shown in the disassmbly
CC: List all comments or add a new comment in console mode
C* Show all comments/metadata
CC <comment> add new comment
CC- remove comment
# Magic files
pm: Print Magic files analysis
[0x00000000]> pm
0x00000000 1 ELF 32-bit LSB executable, Intel 80386, version 1
/m [magicfile]: Search magic number headers with libmagic
search.align
search.from (0 = beginning)
search.to (0 = end)
search.asmstr
search.in
# Yara
:yara scan
# Zignatures
zg <language> <output file>: Generate signatures
eg: zg go go.z
Run the generated script to load signatures
eg: . go.z
z: To show signatures loaded:
+-------------------------------------------------------------------
r2-(pid2)> pd 35 @ 0x08049adb-10
| 0x08049adb call fcn.0805b030
| fcn.0805b030(unk, unk, unk, unk) ; sign.sign.b.sym.fmt.Println
| 0x08049ae0 add esp, 0xc
| 0x08049ae3 call fcn.08095580
+-------------------------------------------------------------------
# Compare Files
r2 -m 0xf0000 /etc/fstab ; Open source file
o /etc/issue ; Open file2 at offset 0
o ; List both files
cc offset: Diff by columns between current offset address and "offset"
# Graphs
+ Basic block graphs
af: Load function metadata
ag $$ > a.dot: Dump basic block graph to file
ag $$ | xdot: Show current function basic block graph
+ Call graphs
af: Load function metadata
agc $$ > b.dot: Dump basic block graph to file
+ Convert .dot in .png
dot -Tpng -o /tmp/b.png b.dot
+ Generate graph for file
radiff2 -g main crackme.bin crackme.bin > /tmp/a
xdot /tmp/a
# Debugger
+ Start r2 in debugger mode. r2 will fork and attach
r2 -d [pid|cmd|ptrace] (if command contains spaces use quotes: r2 -d "ls /")
ptrace://pid (debug backend does not notice, only access to mapped memory)
+ Pass arguments
r2 -d rarun2 program=pwn1 arg1=$(python exploit.py)
+ Pass stdin
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py)
+ Commands
do: Reopen program
dp: Shows debugged process, child processes and threads
dc: Continue
dcu <address or symbol>: Continue until symbol (sets bp in address, continua until bp and remove bp)
dc[sfcp]: Continue until syscall(eg: write), fork, call, program address (To exit a library)
ds: Step in
dso: Step out
dss: Skip instruction
dr register=value: Change register value
dr(=)?: Show register values
db address: Sets a breakpoint at address
db sym.main add breakpoint into sym.main
db 0x804800 add breakpoint
db -0x804800 remove breakpoint
dsi (conditional step): Eg: "dsi eax==3,ecx>0"
dbt: Shows backtrace
drr: Display in colors and words all the refs from registers or memory
dm: Shows memory map (* indicates current section)
[0xb776c110]> dm
sys 0x08048000 - 0x08062000 s r-x /usr/bin/ls
sys 0x08062000 - 0x08064000 s rw- /usr/bin/ls
sys 0xb776a000 - 0xb776b000 s r-x [vdso]
sys 0xb776b000 * 0xb778b000 s r-x /usr/lib/ld-2.17.so
sys 0xb778b000 - 0xb778d000 s rw- /usr/lib/ld-2.17.so
sys 0xbfe5d000 - 0xbfe7e000 s rw- [stack]
+ To follow child processes in forks (set-follow-fork-mode in gdb)
dcf until a fork happen then use dp to select what process you want to debug.
+ PEDA like details
drr;pd 10@-10;pxr 40@esp
+ Debug in visual mode
toggl breakpoints with F2
single-step with F7 (s)
step-over with F8 (S)
continue with F9
# WebGUI
=h: Start the server
=H: Start server and browser
# rax2 - Base Conversion
-e: Change endian
-k: random ASCII art to represent a number/hash. Similar to how SSH represents keys
-s: ASCII to hex
rax2 -S hola (from string to hex)
rax2 -s 686f6c61 (from hex to string)
-S: binary to hex (for files)
-N: pack an integer
rax2 -N 0x1234 # \x34\x12\x00\x00
# rahash2 - Entropy, hashes and checksums
-a: Specify the algorithm
-b XXX: Block size
-B: Print all blocks
-a entropy: Show file entropy or entropy per block (-B -b 512 -a entropy)
+ Rot13 with rahash2
rahash2 -E rot -S s:13 -s Hello\n
# radiff2 - File diffing
-s: Calculate text distance from two files.
-d: Delta diffing (For files with different sizes. Its not byte per byte)
-C: Code diffing (instead of data)
+-------------------------------------------------------------------
Diff original and patched on x86_32, using graphdiff algorithm
radiff2 -a x86 -b32 -C original patched
Show differences between original and patched on x86_32
radiff2 -a x86 -b32 original patched :
+-------------------------------------------------------------------
# rasm2 - Assembly/Disasembly
-L: Supported architectures
-a arch instruction: Sets architecture
rasm2 -a x86 'mov eax,30' => b81e000000
-b tam: Sets block size
-d: Disassembly
rasm2 -d b81e000000 => mov eax, 0x1e
-C: Assembly in C output
rasm2 -C 'mov eax,30' => "\xb8\x1e\x00\x00\x00"
-D: Disassemble showing hexpair and opcode
rasm2 -D b81e0000 => 0x00000000 5 b81e000000 mov eax, 0x1e
-f: Read data from file instead of ARG.
-t: Write data to file
+ Disassemble shellcode from hex stdin
+-------------------------------------------------------------------
echo -n "31c048bbd19d9691d08c97ff48f7db53545f995257545eb03b0f05" | rasm2 -a x86 -b 64 -d -
xor eax, eax
movabs rbx, 0xff978cd091969dd1
neg rbx
push rbx
push rsp
pop rdi
cdq
push rdx
push rdi
push rsp
pop rsi
mov al, 0x3b
syscall
+-------------------------------------------------------------------
# rafind2 - Search
-Z: Look for Zero terminated strings
-s str: Look for specifc string
-X: Hex dump around output
+ Search "/bin/sh" in libc
rafind2 -X -s "/bin/sh" /usr/lib/libc.so.6
# ragg2 - Shellcode generator, C/opcode compiler
P: Generate De Bruijn patterns
ragg2 -P 300 -r
-a arch: Configure architecture
-b bits: Specify architecture bits (32/64)
-i shellcode: Specify shellcode to generate
-e encoder: Specify encoder
+ ragg2-cc: Generate shellcode from c
+ Generate a x86, 32 bits exec shellcode
ragg2 -a x86 -b 32 -i exec
# rabin2 - Executable analysis: symbols, imports, strings
-I: Executable information
-C: Returns classes. Useful to list Java Classes
-l: Dynamic linked libraries
-s: Symbols
-z: Strings
# rarun2 - Launcher to run programs with different environments, args, stdin, permissions, fds
r2 -b 32 -d rarun2 program=pwn1 arg1=$(ragg2 -P 300 -r) : runs pwn1 with a De Bruijn Pattern as first argument, inside radare2's debugger, and force 32 bits
r2 -d rarun2 program=/bin/ls stdin=$(python exploit.py) : runs /bin/ls with the output of exploit.py directed to stdin
# ESIL emulation
1) aei: Initialize ESIL VM
2) aeim: Assign ESIL stack
aeim 0xffffd000 0x1000 stack
3) aeip: Program counter to current seek
4) e io.cache=true: Enable caching read/write of virtual memory (Important if self modifying code)
5) aes: Single stepping in emulation mode
+ Toggle IL representation via O in Visual Mode
# ESIL Linear emulation
Find all references to curr. address using linear esil emulation on all imports.
/re$$@@ sym.imp.*
# ESIL IL Representation
op esil
------------
mov =
mul *
div /
and &
neg !
read []
if ?{
add +
sub -
xor ^
or |
cmp ==
write =[]
+ prefix is %
+ carry from bit x -> %cx
+ borrow from bit x -> %bx
+ zero-flag -> %z
+ parity of dst -> %p
+ sign-flag -> %s
+ overflow-flag -> %o
+ BREAK - Stop parsing and emulate next instruction
+ LOOP - restart emulation of instruction
+ GOTO n - jump to n
+ TODO - stop emulation and eprintf("TDOD %s", ins)
x86 ESIL
------------------------------------------------------
mov eax, ebx ebx,eax,=
jz 0xaabbccdd zf,?{,0xaabbccdd,eip,=,}
cmp ecx,edx edx,ecx,==,%z,zf,=,%b32,cf,=,%p,pf,=,%s,sf,=
push ebp 4,esp,-=ebp,esp,=[4]
+ ESIL Doc
https://github.com/radare/radare2book/blob/master/esil.md
# r2pipe commands
+ Invoke r2pipe script via r2 cmdline
[0x00000000]> #!pipe node script.js
[0x00000000]> #!pipe python script.py
+ Good collection:
https://radare.org/get/r2pipe-nn2015.pdf
https://github.com/jpenalbae/r2-scripts
# Parsing ELF
!!! open with r2 -nn
+ Parse 9 program headers (elf_phdr) from curr. seek plus offset 0x40 with temporary block size 0x200 in less mode (~..)
[0x00000000]> pf 9? (elf_phdr)phdr @ $$+0x40!0x200~..
# pf Templates
+ Generate templates for structs/enums with td command
"td enum elf_class {ELFCLASSNONE=0, ELFCLASS32=1, ELFCLASS64=2};"
https://github.com/Maijin/r2-pf-templates/
+ Cast data @ <addr> to <type> and print it
tp <type> = <address>
# r2scapy
r2 -i r2scapy.py dump.bin
[0x00000000]> scapy DNS 0x81de3c 48
DNS(aa=1L, qr=1L, an=DNSRR(rclass=32769, ttl=120, rrname='flashair.local.', rdata='192.168.0.1', type=1), ad=0L, nscount=0, qdcount=1, ns=None, tc=0L, rd=1L, arcount=0, ar=None, opcode=0L, ra=0L, cd=0L, z=0L, rcode=0L, id=0, ancount=1, qd=DNSQR(qclass=32769, qtype=255, qname='flashair.local.'))
+ generate packets with scapy
>>> from scapy.all import *
>>> sr1(IP(dst="8.8.8.8")/UDP(dport=53)/DNS(rd=1,qd=DNSQR(qname="www.thepacketgeek.com")),verbose=0)
# r2m2 -Miasm Intermediate Representation Plugin
+ Assemble and disassemble MIPS32 using rasm2
r2m2$ export R2M2_ARCH=mips32l; rasm2 -a r2m2 'addiu a0, a1, 2' |rasm2 -a r2m2 -d -
ADDIU A0, A1, 0x2
+ Disassemble random MSP430 instructions in r2
r2m2$ R2M2_ARCH=msp430 r2 -a r2m2 -qc 'woR; pd 5' -
0x00000000 07fa and.w R10, R7
0x00000002 47ad dadd.b R13, R7
0x00000004 f05e0778 add.b @R14+, 0x7807(PC)
0x00000008 f46d81ed addc.b @R13+, 0xED81(R4)
0x0000000c 3fdc bis.w @R12+, R15
+ Assemble MIPS32 using rasm2 and display the call graph using r2
r2m2$ R2M2_ARCH=mips32b rasm2 -a r2m2 'j 0x4; nop' -B > j_nop.bin
r2m2$ R2M2_ARCH=mips32b r2 -a r2m2 -qc 'pd 2' j_nop.bin
,=< 0x00000000 0c000001 JAL 0x4
`-> 0x00000004 00000000 NOP
# bin carving with r2
+ Open raw dump
r2 -n dump.bin
+ Searching for magic
[0x00000000]> / \x7fELF
Searching 4 bytes from 0x00000000 to 0x0000002d: 7f 45 4c 46
0x00001340 hit0_0
0x00001744 hit0_1
...
+ Dump 1M with at several hits
[0x00000000]> b 1M
[0x00000000]> wt @@ hit0*
+ Automate it
$ for a in dump.* ; do
sz=`rabin2 -Z $a` # get RBin.filesize
r2 -wnqc"r $sz" $a # resize file
done
http://radare.today/posts/carving-bins/
# r4ge - symbolic execution
+ https://github.com/gast04/r4ge
Usage: https://asciinema.org/a/155856
# r2wiki -Macro for using wiki in commandline
+ https://github.com/securisec/r2wiki
$wiki "query string"

26
cheat/cheatsheets/rcs Normal file
View File

@ -0,0 +1,26 @@
# Initial check-in of file (leaving file active in filesystem)
ci -u <filename>
# Check out with lock
co -l <filename>
# Check in and unlock (leaving file active in filesystem)
ci -u <filename>
# Display version x.y of a file
co -px.y <filename>
# Undo to version x.y (overwrites file active in filesystem with the specified revision)
co -rx.y <filename>
# Diff file active in filesystem and last revision
rcsdiff <filename>
# Diff versions x.y and x.z
rcsdiff -rx.y -rx.z <filename>
# View log of check-ins
rlog <filename>
# Break an RCS lock held by another person on a file
rcs -u <filename>

View File

@ -12,3 +12,6 @@ rsync -auv /src/foo /dest
# Explicitly copy /src/foo to /dest/foo
rsync -auv /src/foo/ /dest/foo
# Copy file from local to remote over ssh with non standard port 1234 to destination folder in remoteuser's home directory
rsync -avz -e "ssh -p1234" /source/file1 remoteuser@X.X.X.X:~/destination/

View File

@ -15,3 +15,9 @@ sed '/^$/d' file.txt
# To replace newlines in multiple lines
sed ':a;N;$!ba;s/\n//g' file.txt
# Insert a line before a matching pattern:
sed '/Once upon a time/i\Chapter 1'
# Add a line after a matching pattern:
sed '/happily ever after/a\The end.'

15
cheat/cheatsheets/slurm Normal file
View File

@ -0,0 +1,15 @@
# Submit a new job:
sbatch job.sh
# List all jobs for a user:
squeue -u user_name
# Cancel a job by id or name:
scancel job_id
scancel --name job_name
# List all information for a job:
scontrol show jobid -dd job_id
# Status info for currently running job:
sstat --format=AveCPU,AvePages,AveRSS,AveVMSize,JobID -j job_id --allsteps

View File

@ -19,6 +19,9 @@ tar -xjvf /path/to/foo.tgz
# To create a .bz2 archive:
tar -cjvf /path/to/foo.tgz /path/to/foo/
# To extract a .tar in specified Directory:
tar -xvf /path/to/foo.tar -C /path/to/destination/
# To list the content of an .bz2 archive:
tar -jtvf /path/to/foo.tgz

18
cheat/cheatsheets/wc Normal file
View File

@ -0,0 +1,18 @@
# Count the number of words (file or STDIN)
wc -w /path/to/foo.txt
cat /path/to/foo.txt | wc -w
# Count the number of lines (file or STDIN)
wc -l /path/to/foo.txt
cat /path/to/foo.txt | wc -l
# Count the number of bytes (file or STDIN)
wc -c /path/to/foo.txt
cat /path/to/foo.txt | wc -c
# Count files and directories at a given location
ls -l | wc -l
# If you ever use `wc` in a shell script and need to compare the output with an int you can
# clean the output (wc returns extra characters around the integer) by using xargs:
ls -l | wc -l | xargs

View File

@ -10,3 +10,7 @@ find -name *.pdf | xargs -I{} rm -rf '{}'
# -n1 => One file by one file. ( -n2 => 2 files by 2 files )
find -name *.pdf | xargs -I{} -n1 echo '&{}='
# If find returns no result, do not run rm
# This option is a GNU extension.
find -name "*.pdf" | xargs --no-run-if-empty rm

View File

@ -16,5 +16,8 @@ youtube-dl --playlist-start 5 example.com/watch?v=id&list=listid
# To simulate a download with youtube-dl:
youtube-dl -s example.com/watch?v=id
# To download audio in mp3 format with best quality available
youtube-dl --extract-audio --audio-format mp3 --audio-quality 0 example.com/watch?v=id
# For all video formats see
# http://en.wikipedia.org/wiki/YouTube#Quality_and_codecs

126
cheat/cheatsheets/zfs Normal file
View File

@ -0,0 +1,126 @@
# WARNING:
# In order to avoid headaches when moving ZFS physical devices around,
# one will be much better served to reference devices by their *immutable*
# ID - as in /dev/disk/by-id/* - rather than their block device name -
# as in /dev/{sd,nvme}* - which is bound to change as per PCI enumeration
# order.
# For the sake of briefness, we'll use the following variables:
# ${device} device (/dev/disk/by-id/${device})
# ${part} partition (/dev/disk/by-id/${part=${device}-part${N}})
# ${pool} ZFS pool (name)
# ${fs_vol} ZFS file system or volume (name)
# ${snapshot} ZFS snapshot (name)
## Pools
# Create a new "RAID-5" (raidz1) pool
# Recommended: use entire devices rather than partitions
zpool create ${pool} raidz1 ${device} ${device} ${device} [...]
# Add 2nd-level "RAID-1" (mirror) ZFS Intent Log (ZIL; synchronous write cache)
# Recommended: use separate, fast, low-latency devices (e.g. NVMe)
zpool add ${pool} log mirror ${part} ${part}
# Add 2nd-level "RAID-0" Adaptive Replacement Cache (ARC; read cache)
# Recommended: use separate, fast, low-latency devices (e.g. NVMe)
zpool add ${pool} cache ${part} ${part} [...]
# Remove log or cache components
zpool remove zfs ${part} [...]
# Import (enable) existing pool from newly connected devices
# Note: this will create the /etc/zfs/zpool.cache devices cache
zpool import -d /dev/disk/by-id -aN
# Import (enable) existing pool using the devices cache
zpool import -c /etc/zfs/zpool.cache -aN
# Export (disable) pool (e.g. before shutdown)
zpool export -a
# List all (imported) pools
zpool list
# See pool status
zpool status ${pool}
# See detailed pool I/O statistics
zpool iostat ${pool} -v
# Verify pool integrity (data checksums)
# (watch progress with 'zpool status')
zpool scrub ${pool}
# Remove a failing device from a pool
# Note: redundant pools (mirror, raidz) will continue working in degraded state
zpool detach ${pool} ${device}
# Replace a failed device in a pool
# Note: new device will be "resilvered" automatically (parity reconstruction)
# (watch progress with 'zpool status')
zpool replace ${pool} ${failed-device} ${new-device}
# Erase zpool labels ("superblock") from a device/partition
# WARNING: MUST do before reusing a device/partition for other purposes
zpool labelclear ${device}
# Query pool configuration (properties)
zpool get all ${pool}
# Change pool configuration (property)
zpool set <property>=<value> ${pool}
# Dump the entire pool (commands) history
zpool history ${pool}
# More...
man zpool
## File systems / Volumes
# Create a new file system
zfs create ${pool}/${fs_vol}
# Create a new volume ("block device")
# Note: look for it in /dev/zvol/${pool}/${fs_vol}
zfs create -V <size> ${pool}/${fs_vol}
# List all file systems / volumes
zfs list
# Mount all file systems
# Note: see 'zfs get mountpoint ${pool}' for mountpoint root path
zfs mount -a
# Create a snapshot
zfs snapshot ${pool}/${fs_vol}@${snapshot}
# Delete a snapshot
zfs destroy ${pool}/${fs_vol}@${snapshot}
# Full backup
# Note: pipe (|) source to destination through netcat, SSH, etc.
# ... on source:
zfs send -p -R ${pool}/${fs_vol}@${snapshot}
# ... on destination:
zfs receive -F ${pool}/${fs_vol}
# Incremental backup
# Note: pipe (|) source to destination through netcat, SSH, etc.
# ... on source:
zfs send -p -R -i ${pool}/${fs_vol}@${snapshot-previous} ${pool}/${fs_vol}@${snapshot}
# ... on destination:
zfs receive -F ${pool}/${fs_vol}
# Query file system / volume configuration (properties)
zfs get all ${pool}
zfs get all ${pool}/${fs_vol}
# Change file system / volume configuration (property)
zfs set <property>=<value> ${pool}/${fs_vol}
# More...
man zfs

View File

@ -1,5 +1,8 @@
# Create zip file
zip archive.zip file1 directory/
# Create zip file with password
zip -P password archive.zip file1
# To list, test and extract zip archives, see unzip
cheat unzip

82
cheat/cheatsheets/zsh Normal file
View File

@ -0,0 +1,82 @@
# A plain old glob
print -l *.txt
print -l **/*.txt
# Show text files that end in a number from 1 to 10
print -l **/*<1-10>.txt
# Show text files that start with the letter a
print -l **/[a]*.txt
# Show text files that start with either ab or bc
print -l **/(ab|bc)*.txt
# Show text files that don't start with a lower or uppercase c
print -l **/[^cC]*.txt
# Show only directories
print -l **/*(/)
# Show only regular files
print -l **/*(.)
# Show empty files
print -l **/*(L0)
# Show files greater than 3 KB
print -l **/*(Lk+3)
# Show files modified in the last hour
print -l **/*(mh-1)
# Sort files from most to least recently modified and show the last 3
print -l **/*(om[1,3])
# `.` show files, `Lm-2` smaller than 2MB, `mh-1` modified in last hour,
# `om` sort by modification date, `[1,3]` only first 3 files
print -l **/*(.Lm-2mh-1om[1,3])
# Show every directory that contain directory `.git`
print -l **/*(e:'[[ -d $REPLY/.git ]]':)
# Return the file name (t stands for tail)
print -l *.txt(:t)
# Return the file name without the extension (r stands for remove_extension)
print -l *.txt(:t:r)
# Return the extension
print -l *.txt(:e)
# Return the parent folder of the file (h stands for head)
print -l *.txt(:h)
# Return the parent folder of the parent
print -l *.txt(:h:h)
# Return the parent folder of the first file
print -l *.txt([1]:h)
# Parameter expansion
files=(*.txt) # store a glob in a variable
print -l $files
print -l $files(:h) # this is the syntax we saw before
print -l ${files:h}
print -l ${files(:h)} # don't mix the two, or you'll get an error
print -l ${files:u} # the :u modifier makes the text uppercase
# :s modifier
variable="path/aaabcd"
echo ${variable:s/bc/BC/} # path/aaaBCd
echo ${variable:s_bc_BC_} # path/aaaBCd
echo ${variable:s/\//./} # path.aaabcd (escaping the slash \/)
echo ${variable:s_/_._} # path.aaabcd (slightly more readable)
echo ${variable:s/a/A/} # pAth/aaabcd (only first A is replaced)
echo ${variable:gs/a/A/} # pAth/AAAbcd (all A is replaced)
# Split the file name at each underscore
echo ${(s._.)file}
# Join expansion flag, opposite of the split flag.
array=(a b c d)
echo ${(j.-.)array} # a-b-c-d

View File

@ -3,7 +3,7 @@ import os
setup(
name = 'cheat',
version = '2.2.0',
version = '2.2.3',
author = 'Chris Lane',
author_email = 'chris@chris-allen-lane.com',
license = 'GPL3',