Added by on 2011-10-21

In this bash basics HakTip we’re downloading files from .htaccess protected web directories without storing the password in the bash history.

We’ll begin by issuing the history command. This tool is useful for reusing previously issued commands. In its default form it’ll simply display the last commands used. The same could be achieved with cat ~/.bash_history.

While it’s nice that this history is here, and while we could use history control commands to limit what goes in, I find it easier to put passwords into temporary variables when using them in plain-text commands.

For example, if I were trying to download secret.jpg from http://www.twitterphishr.com/hiddenstuff/ I could issue wget --user darren --password lamepassword http://www.twitterphishr.com/hiddenstuff/secret.jpg and the file would download, but now I have my password stored in plain text in the bash history.

You’re probably also thinking to yourself, but wait, he’s downloading from HTTP rather than HTTPS so it doesn’t matter — it was plain-text in transit — and you’re absolutely right. Now stop pestering me with technicalities and enjoy the technique that is storing passwords in temporary variables.

To substitute our plain-text password with our variable one, we’ll first need to define it. To do so, issue read -e -s -p "pass?" password

The important bit here is the -p which tells read to use an interactive prompt, in our case “pass?”, for the variable “password”.

With our variable newly created, we can check, for illustrative purposes, that it actually holds the value by using the echo command, so I’ll issue echo $password.

Now to string it together with wget I’ll issue wget --user darren --password "$password" http://www.twitterphishr.com/hiddenstuff/secret.jpg and there you have it — the secret file has been obtained and if I run history you won’t see my lame password anywhere!
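A hardened form of the read and wget steps above, as an added example that is not from the original post: read_secret, argc, fetch_protected and demo are hypothetical helper names, and the sample password is constructed. It reads the password byte for byte (IFS= and -r), passes it to wget as one quoted argument, and drops the variable afterwards.

```bash
#!/usr/bin/env bash
# Added example; read_secret, argc, fetch_protected and demo are hypothetical names.

# read_secret VAR [PROMPT]: store one line of input in VAR, byte for byte.
#   IFS=  keeps leading and trailing whitespace (read trims it otherwise)
#   -r    keeps backslashes literal
#   -s    turns off terminal echo; -p prints the prompt (bash options)
read_secret() {
    if [ -t 0 ]; then
        IFS= read -r -s -p "${2:-pass? }" "$1" || return 1
        echo >&2                  # newline after the hidden input
    else
        IFS= read -r "$1"         # piped or redirected input: nothing to hide
    fi
}

# argc: print how many arguments the shell actually passed.
argc() { echo "$#"; }

# fetch_protected USER URL: prompt, download, then drop the variable.
# This keeps the password out of the history file only: it is still on
# wget's command line while wget runs, where ps can show it.
fetch_protected() {
    local password rc
    read_secret password "pass for $1? " || return 1
    wget --user "$1" --password "$password" "$2"
    rc=$?
    unset password
    return "$rc"
}

# Constructed sample password with leading, inner and trailing spaces.
demo() {
    printf '%s\n' '  my  lame\pass  ' | {
        read_secret pw
        printf '[%s] unquoted=%s quoted=%s\n' "$pw" "$(argc $pw)" "$(argc "$pw")"
    }
}

demo   # [  my  lame\pass  ] unquoted=2 quoted=1
```

On a terminal, fetch_protected darren http://www.twitterphishr.com/hiddenstuff/secret.jpg prompts without echoing the input. The demo line shows why the quotes around "$password" matter: unquoted, the same value reaches the command as two arguments with its spacing lost.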

Now it should be noted that with wget version 1.12 the --ask-password option was added, but if you’re on a system with an older version of wget I hope this comes in handy. And obviously this can be adapted to more than just wget, so I’m interested in hearing how you go about dealing with this sort of issue.

Ok, so I want to hear your feedback. What apps do you use? Let me know what you think or what apps to check out by emailing me — tips@hak5.org or send me a note in the comments below.

And be sure to check out our sister show, Hak5 for more great stuff just like this.

9 Comments

  • Hahaha! A cat picture :D

  • panth 1 year ago

    Would it not be sufficient to put "export HISTCONTROL=ignorespace" in the .bashrc file and then put a whitespace before the command, like " ls"?
    Or would this possibility be less secure?

  • Gohst 1 year ago

    I combined a couple of the hack tips. Instead of having multiple commands on separate lines, I just used backticks to run a command from within a command.

    wget --user darren --password `read -esp "pass?" password; echo $password; unset password` http://twitterphishr.com/hiddenstuff/secret.jpg

    See, behind --password is a command. The same one as Darren, 'read -esp "pass?" password', which prompts you to enter the password. Then it runs echo, which outputs the password into the command line for wget. After that it unsets, or clears, the password variable so it is not stored in the system that way either.
    -Gohst

  • Micah Bucy 1 year ago

    Should really mask the username too. Whatever can be hidden from a brute force attack should be.

  • dispat0r 1 year ago

    Try this.
    PASSWORD=lamepassword
    wget --user darren --password "$PASSWORD" http://twitterphishr.com/hiddenstuff/secret.jpg

    Typing a ' ' before the command prevents an entry in the history.
    Not a one liner but also a possible solution.

  • meimi039 1 year ago

    Creating an alias for passwrd seems to be working:

    alias passwrd='read -esp "pass?" password; echo "$password"; unset password'

  • Well,

    I got to say that was not that quite good at all Darren.. Cause if you issue like in the shell prompt:

    History … You will get the lamepassword above the text.. and you ofc. do want to get rid of that … maybe you should try to clean the logs, and as well the /tmp/ files at the website ;) … Fun stuff at there…

    I got a last question … Was your website just DDoSed or what did just happen to it? A few days ago it was down!… I was worried (:

    Yours faithfully,

    GhostMX

  • goarilla 1 year ago

    Bear in mind that read removes trailing whitespace, and truncates consecutive whitespace eg:

    if you typed (assume _ is space here):

    my__password_____with___many_spaces______

    it becomes

    my_password_with_many_spaces

  • I like your podcast and now watch it (FULL HD) even more than the Cali Lewis podcast.
    I started viewing with my streamer 3 years ago.
    I’ll send a few new Linux tips/commands to tips@kak5.org (using Linux since graduation in 1982..)

    However, I beg that, the same way Shanon Morison talks in such a clear expression (great),
    I wish Darren will. He is a very smart guy, but every time he talks I feel I’m losing 20% or so
    of the wise things said. Maybe enable a link to see the things said in text? That could be great.
    I was finding myself repeating scenes over and over trying to get near 100%
    understanding and this was hard.

    Cheers for the great podcast !
    Eli Orr
    Rehovot
    Israel