xxd [options] [infile [outfile]]
xxd -r [-s [-]offset] [-c cols] [-ps] [infile [outfile]]
ASCII, decimal, hexadecimal, octal dump
Special
xxd -p -c 10000 # plain hex export (no offsets), 10000 octets per line
xxd -p -u -c 10000 # same, with uppercase hex digits
xxd -s 0x200 -l 0x200 dump.vmdk | xxd -r # dump 0x200 bytes from offset 0x200, then convert the hex back to raw bytes
Useful
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-l len # stop after <len> octets
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-u # use upper case hex letters
All
-a # toggle autoskip: A single '*' replaces nul-lines. Default off
-b # binary digit dump (incompatible with -ps,-i,-r). Default hex
-C # capitalize variable names in C include file style (-i)
-c cols # format <cols> octets per line. Default 16 (-i: 12, -ps: 30)
-E # show characters in EBCDIC. Default ASCII
-e # little-endian dump (incompatible with -ps,-i,-r)
-g bytes # number of octets per group in normal output. Default 2 (-e: 4)
-i # output in C include file style
-l len # stop after <len> octets
-o off # add <off> to the displayed file position
-ps # output in postscript plain hexdump style
-r # reverse operation: convert (or patch) hexdump into binary
-r -s off # revert with <off> added to file positions found in hexdump
-d # show offset in decimal instead of hex
-s [+][-]seek # start at <seek> bytes abs. (or +: rel.) infile offset
-u # use upper case hex letters
Install
sudo apt install xxd
https://pev.sourceforge.io/doc/manual/en_us/ch06.html
ofs2rva
ofs2rva <offset> FILE
Convert raw file offset to RVA
Example
ofs2rva 0x1b9b8 calc.exe
pedis
pedis OPTIONS FILE
Disassemble PE sections and functions (by default, until a RET or LEAVE instruction is found)
--att # set AT&T syntax
-e, --entrypoint # disassemble entrypoint
-f, --format <text|csv|xml|html> # change output format (default: text)
-m, --mode <16|32|64> # disassembly mode (default: auto)
-i <number> # number of instructions to be disassembled
-n <number> # number of bytes to be disassembled
-o, --offset <offset> # disassemble at specified file offset
-r, --rva <rva> # disassemble at specified RVA
-s, --section <section_name> # disassemble entire section given
pehash
pehash OPTIONS FILE
Calculate hashes of PE pieces
-f, --format <text|csv|xml|html> # change output format (default: text)
-a, --all # hash file, sections and headers with md5, sha1, sha256, ssdeep and imphash
-c, --content # hash only the file content (default)
-h, --header <dos|coff|optional> # hash only the header with the specified name
-s, --section <section_name> # hash only the section with the specified name
--section-index <section_index> # hash only the section at the specified index (1..n)
peres
peres OPTIONS FILE
Show information about resource section and extract it
-a, --all # Show all information, statistics and extract resources
-i, --info # Show resources information
-s, --statistics # Show resources statistics
-x, --extract # Extract resources
-v, --file-version # Show File Version from PE resource directory
pesec
pesec [OPTIONS] FILE
Check for security features in PE files
-f, --format <text|csv|xml|html> # change output format (default: text)
-c, --certoutform <text|pem> # specifies the certificate output format (default: text)
-o, --certout <filename> # specifies the output filename to write certificates to (default: stdout)
pescan
pescan OPTIONS FILE
Search for suspicious things in PE files
-f, --format <text|html|xml|csv|json> # change output format (default: text)
-v, --verbose # show more info about items found
readpe
readpe OPTIONS FILE
Show PE file headers
-A, --all # full output (default)
-H, --all-headers # print all PE headers
-S, --all-sections # print all PE sections headers
-f, --format <text|csv|xml|html> # change output format (default: text)
-d, --dirs # show data directories
-h, --header <dos|coff|optional> # show specific header
-i, --imports # show imported functions
-e, --exports # show exported functions
rva2ofs
rva2ofs <rva> FILE
Convert RVA to raw file offset
Example
rva2ofs 0x12db cards.dll
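The offset/RVA conversion that ofs2rva and rva2ofs perform, as an added example that is not pev's code: it walks the PE section table and maps in both directions, returning None for an RVA that exists only in memory (the zero-filled tail of a section) or a file offset that lies in alignment padding. The sample image and its section layout are constructed here.

```python
import struct

SECTION_HEADER_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def parse_pe(data):
    """Return (SizeOfHeaders, sections) where each section is a tuple
    (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # SizeOfHeaders sits at offset 60 in both the PE32 and PE32+ optional header
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0] if opt_size >= 64 else 0
    table = opt + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HEADER_SIZE
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, va, vsize, rptr, rsize))
    return size_of_headers, sections


def ofs2rva(data, ofs):
    """Raw file offset -> RVA, or None if that offset is not mapped into memory."""
    size_of_headers, sections = parse_pe(data)
    for _name, va, _vsize, rptr, rsize in sections:
        if rptr <= ofs < rptr + rsize:
            return ofs - rptr + va
    if ofs < size_of_headers:
        return ofs  # headers are mapped 1:1 at RVA 0
    return None  # alignment padding or past the last section


def rva2ofs(data, rva):
    """RVA -> raw file offset, or None if nothing on disk backs that address."""
    size_of_headers, sections = parse_pe(data)
    for _name, va, vsize, rptr, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            delta = rva - va
            # beyond SizeOfRawData the loader zero-fills: there is no file byte
            return rptr + delta if delta < rsize else None
    if rva < size_of_headers:
        return rva
    return None


def build_sample_pe():
    """Constructed PE32 image: 0x200 bytes of headers, .text at raw 0x200 (RVA 0x1000,
    0x400 bytes) and .data at raw 0x600 (RVA 0x2000, 0x200 bytes on disk, 0x400 in memory)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # PE32 optional header size
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # Magic: PE32
    struct.pack_into("<I", opt, 60, 0x200)   # SizeOfHeaders

    def section(name, vsize, va, rsize, rptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
        # NumberOfLinenumbers, Characteristics
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)

    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    headers += section(b".text", 0x400, 0x1000, 0x400, 0x200)
    headers += section(b".data", 0x400, 0x2000, 0x200, 0x600)
    return headers.ljust(0x200, b"\0") + bytes(0x600)


if __name__ == "__main__":
    pe = build_sample_pe()
    print(hex(ofs2rva(pe, 0x210)))   # 0x1010
    print(hex(rva2ofs(pe, 0x2050)))  # 0x650
    print(rva2ofs(pe, 0x2300))       # None: that part of .data exists only in memory
```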
Install
sudo apt install binwalk
binwalk [OPTIONS] [FILE1] [FILE2] ...
tool for searching binary images for embedded files and executable code
Special
binwalk $file # Get signatures (same as -B)
binwalk --hexdump --red $file1 $file2 # show only different lines
binwalk --raw="$str" $file # search the byte sequence $str in file. use "\x00" escapes for hex bytes ("\x37" for 7)
binwalk --entropy $file # compute and plot the entropy of the file
binwalk --signature $file # scan for known file signatures (the default scan)
binwalk --extract $file && tree _${file}.extracted/ # extract files and show them as a tree
Useful
-W, --hexdump # Perform a hexdump / diff of a file or files
-i, --red # Only show lines containing bytes that are different among all files
-U, --blue # Only show lines containing bytes that are different among some files
-e, --extract # Automatically extract known file types
-E, --entropy # Calculate file entropy
All
Signature Scan Options:
-B, --signature # Scan target file(s) for common file signatures
-R, --raw=<str> # Scan target file(s) for the specified sequence of bytes
-A, --opcodes # Scan target file(s) for common executable opcode signatures
-m, --magic=<file> # Specify a custom magic file to use
-b, --dumb # Disable smart signature keywords
-I, --invalid # Show results marked as invalid
-x, --exclude=<str> # Exclude results that match <str>
-y, --include=<str> # Only show results that match <str>
Extraction Options:
-e, --extract # Automatically extract known file types
-D, --dd=<type:ext:cmd> # Extract <type> signatures, give the files an extension of <ext>, and execute <cmd>
-M, --matryoshka # Recursively scan extracted files
-d, --depth=<int> # Limit matryoshka recursion depth (default: 8 levels deep)
-C, --directory=<str> # Extract files/folders to a custom directory (default: current working directory)
-j, --size=<int> # Limit the size of each extracted file
-n, --count=<int> # Limit the number of extracted files
-r, --rm # Delete carved files after extraction
-z, --carve # Carve data from files, but don't execute extraction utilities
-V, --subdirs # Extract into sub-directories named by the offset
Entropy Options:
-E, --entropy # Calculate file entropy
-F, --fast # Use faster, but less detailed, entropy analysis
-J, --save # Save plot as a PNG
-Q, --nlegend # Omit the legend from the entropy plot graph
-N, --nplot # Do not generate an entropy plot graph
-H, --high=<float> # Set the rising edge entropy trigger threshold (default: 0.95)
-L, --low=<float> # Set the falling edge entropy trigger threshold (default: 0.85)
Binary Diffing Options:
-W, --hexdump # Perform a hexdump / diff of a file or files
-G, --green # Only show lines containing bytes that are the same among all files
-i, --red # Only show lines containing bytes that are different among all files
-U, --blue # Only show lines containing bytes that are different among some files
-u, --similar # Only display lines that are the same between all files
-w, --terse # Diff all files, but only display a hex dump of the first file
Raw Compression Options:
-X, --deflate # Scan for raw deflate compression streams
-Z, --lzma # Scan for raw LZMA compression streams
-P, --partial # Perform a superficial, but faster, scan
-S, --stop # Stop after the first result
General Options:
-l, --length=<int> # Number of bytes to scan
-o, --offset=<int> # Start scan at this file offset
-O, --base=<int> # Add a base address to all printed offsets
-K, --block=<int> # Set file block size
-g, --swap=<int> # Reverse every n bytes before scanning
-f, --log=<file> # Log results to file
-c, --csv # Log results to file in CSV format
-t, --term # Format output to fit the terminal window
-q, --quiet # Suppress output to stdout
-v, --verbose # Enable verbose output
-h, --help # Show help output
-a, --finclude=<str> # Only scan files whose names match this regex
-p, --fexclude=<str> # Do not scan files whose names match this regex
-s, --status=<int> # Enable the status server on the specified port
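What the --entropy scan does with the -H/--high and -L/--low thresholds, as an added example that is not binwalk's own code: normalised Shannon entropy per block, a rising edge when it climbs above --high (0.95) and a falling edge when it drops back below --low (0.85). The firmware-like image (zeros, then a high-entropy blob standing in for compressed data, then text) is constructed inline.

```python
import math


def shannon_entropy(block):
    """Normalised Shannon entropy of a byte block: 0.0 (one value) .. 1.0 (uniform)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    bits = -sum(c / n * math.log2(c / n) for c in counts if c)
    return bits / 8.0


def entropy_edges(data, block_size=1024, high=0.95, low=0.85):
    """Return (offset, entropy, 'rising'|'falling') edges in binwalk's sense:
    a rising edge where entropy first reaches `high`, a falling edge where it
    later drops to `low` or below."""
    edges = []
    in_high = False
    for off in range(0, len(data), block_size):
        e = shannon_entropy(data[off:off + block_size])
        if not in_high and e >= high:
            edges.append((off, round(e, 3), "rising"))
            in_high = True
        elif in_high and e <= low:
            edges.append((off, round(e, 3), "falling"))
            in_high = False
    return edges


def sample_firmware():
    """Constructed image: 4 KiB of zeros, 4 KiB where every byte value occurs equally
    often (full entropy, like a compressed or encrypted payload), then 2 KiB of text."""
    uniform = bytes(range(256)) * 16
    text = (b"config: flag=1\n" * 200)[:2048]
    return bytes(4096) + uniform + text


if __name__ == "__main__":
    for off, e, kind in entropy_edges(sample_firmware()):
        print(f"{off:#010x}  {e:.3f}  {kind}")
```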
Install
sudo apt install binwalk
balbuzard
balbuzard [options] <filename> [filename2 ...]
malware analysis tools to extract patterns of interest and crack obfuscation such as XOR
Special
balbuzard $file # summarize all patterns found
balbuzard $file -v | grep ^---- -A2 # show all sections
Useful
-c CSV, --csv=CSV # export results to a CSV file
-r # find files recursively in subdirectories.
All
-h, --help # show this help message and exit
-c CSV, --csv=CSV # export results to a CSV file
-v # verbose display, with hex view.
-r # find files recursively in subdirectories.
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-f ZIP_FNAME, --zipfname=ZIP_FNAME # if the file is a zip archive, file(s) to be opened within the zip. Wildcards * and ? are supported. (default:*)
Install
pip2 install -U balbuzard
bbcrack
bbcrack [options] <filename>
uses a new algorithm based on patterns of interest to bruteforce typical malware obfuscation such as XOR, ROL, ADD and various combinations, in order to guess which algorithms/keys have been used
All
-l LEVEL, --level=LEVEL # select transforms with level 1, 2 or 3 and below
-i INCLEVEL, --inclevel=INCLEVEL # select transforms only with level 1, 2 or 3 (incremental)
-k KEEP, --keep=KEEP # number of transforms to keep after stage 1
-s SAVE, --save=SAVE # number of transforms to save to files after stage 2
-t TRANSFORM, --transform=TRANSFORM # only check specific transforms (comma separated list, or "-t list" to display all available transforms)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-p # profiling: measure time spent on each pattern.
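The brute force bbcrack describes (XOR, ROL, ADD and their combinations, scored by patterns of interest), as an added example that is not balbuzard's code: every byte-wise transform is a 256-entry lookup table, so combinations compose with translate() and apply_transform does what bbtrans -t/-p does. The pattern list and the obfuscated sample are constructed here; bbcrack's real pattern set and transform list are much larger.

```python
from itertools import product

# Constructed short list of patterns of interest (bbcrack ships a far longer one).
PATTERNS = [b"This program cannot be run in DOS mode", b"kernel32.dll", b"MZ"]

# Each transform is a 256-byte table usable with bytes.translate().
XOR = [bytes(b ^ k for b in range(256)) for k in range(256)]
ADD = [bytes((b + k) & 0xFF for b in range(256)) for k in range(256)]
ROL = [bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in range(256)) for n in range(8)]


def compose(first, second):
    """Table that applies `first` and then `second`."""
    return first.translate(second)


# name -> (table builder, parameter space); all tables work in the decoding direction
TRANSFORMS = {
    "xor": (lambda k: XOR[k], [(k,) for k in range(1, 256)]),
    "rol": (lambda n: ROL[n], [(n,) for n in range(1, 8)]),
    "add": (lambda k: ADD[k], [(k,) for k in range(1, 256)]),
    "xor_rol": (lambda k, n: compose(XOR[k], ROL[n]), list(product(range(1, 256), range(1, 8)))),
    "xor_add": (lambda k, k2: compose(XOR[k], ADD[k2]), list(product(range(1, 256), range(1, 256)))),
}


def apply_transform(data, name, params):
    """Apply one named transform with its parameters (what bbtrans -t NAME -p PARAMS does)."""
    builder, _space = TRANSFORMS[name]
    return data.translate(builder(*params))


def score(data):
    """Weight hits by pattern length so a chance 2-byte 'MZ' barely counts."""
    return sum(len(p) * data.count(p) for p in PATTERNS)


def crack(data, top=5):
    """Try every transform and key; return the best (score, name, params) entries."""
    hits = []
    for name, (builder, space) in TRANSFORMS.items():
        for params in space:
            s = score(data.translate(builder(*params)))
            if s:
                hits.append((s, name, params))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits[:top]


def sample_plain():
    """Constructed stand-in for the start of a PE file plus an import name."""
    return (b"MZ\x90\x00" + bytes(60)
            + b"This program cannot be run in DOS mode.\r\n$"
            + b"kernel32.dll\x00")


def sample_obfuscated():
    """sample_plain() encoded as ADD 0xF0 then XOR 0x37; decoding is XOR 0x37 then ADD 0x10."""
    return sample_plain().translate(compose(ADD[0xF0], XOR[0x37]))


if __name__ == "__main__":
    for s, name, params in crack(sample_obfuscated()):
        print(s, name, [hex(p) for p in params])
```

Several parameter pairs can describe the same byte map (XOR 0x80 is the same as ADD 0x80), so equally scored ties in the output are expected.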
bbharvest
bbharvest [options] <filename>
extracts all patterns of interest found when applying typical malware obfuscation transforms such as XOR, ROL, ADD and various combinations, trying all possible keys. It is especially useful when several keys or several transforms are used in a single file
All
-l LEVEL, --level=LEVEL # select transforms level 1, 2 or 3
-i INCLEVEL, --inclevel=INCLEVEL # select transforms only with level 1, 2 or 3 (incremental)
-c CSV, --csv=CSV # export results to a CSV file
-t TRANSFORM, --transform=TRANSFORM # only check specific transforms (comma separated list, or "-t list" to display all available transforms)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
-p # profiling: measure time spent on each pattern.
bbtrans
bbtrans [options] <filename>
can apply any of the transforms from bbcrack (XOR, ROL, ADD and various combinations) to a file
All
-t TRANSFORM, --transform=TRANSFORM # transform to be applied (or "-t list" to display all available transforms)
-p PARAMS, --params=PARAMS # parameters for transform (comma separated list)
-z ZIP_PASSWORD, --zip=ZIP_PASSWORD # if the file is a zip archive, open first file from it, using the provided password (requires Python 2.6+)
hexdump [-bcCdovx] [-e format_string] [-f format_file] [-n length] [-s offset] file ...
ASCII, decimal, hexadecimal, octal dump
Special
hexdump -v # do not replace repeated lines with *
hexdump -ve '"%02X"' # print as uppercase hex, no offsets or spacing
hexdump -ve '8/1 "%02X"' # uppercase hex, 8 bytes per output unit
hexdump -e '"%08_ax""|"' -e '16/1 "%02x ""|"' -e '16/1 "%_p""|\n"' # offset | hex | ASCII, 1-byte units
hexdump -e '"%08_ax""|"' -e '8/2 "%04x ""|"' -e '16/1 "%_p""|\n"' # offset | hex | ASCII, 2-byte units
hexdump -e '"%08_ax""|"' -e '4/4 "%08x ""|"' -e '16/1 "%_p""|\n"' # offset | hex | ASCII, 4-byte units
Useful
-C # Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in "|" characters. Calling the command hd implies this option.
-n length # Interpret only length bytes of input.
-s offset # Skip offset bytes from the beginning of the input. By default, offset is interpreted as a decimal number.
-v # Cause hexdump to display all input data. Without the -v option, any number of groups of output lines, which would be identical to the immediately preceding group of output lines (except for the input offsets), are replaced with a line comprised of a single asterisk.
All
-b # One-byte octal display. Display the input offset in hexadecimal, followed by sixteen space-separated, three column, zero-filled, bytes of input data, in octal, per line.
-c # One-byte character display. Display the input offset in hexadecimal, followed by sixteen space-separated, three column, space-filled, characters of input data per line.
-C # Canonical hex+ASCII display. Display the input offset in hexadecimal, followed by sixteen space-separated, two column, hexadecimal bytes, followed by the same sixteen bytes in %_p format enclosed in "|" characters. Calling the command hd implies this option.
-d # Two-byte decimal display. Display the input offset in hexadecimal, followed by eight space-separated, five column, zero-filled, two-byte units of input data, in unsigned decimal, per line.
-e format_string # Specify a format string to be used for displaying data.
-f format_file # Specify a file that contains one or more newline separated format strings. Empty lines and lines whose first non-blank character is a hash mark (#) are ignored.
-n length # Interpret only length bytes of input.
-o # Two-byte octal display. Display the input offset in hexadecimal, followed by eight space-separated, six column, zero-filled, two byte quantities of input data, in octal, per line.
-s offset # Skip offset bytes from the beginning of the input. By default, offset is interpreted as a decimal number. With a leading 0x or 0X, offset is interpreted as a hexadecimal number, otherwise, with a leading 0, offset is interpreted as an octal number. Appending the character b, k, or m to offset causes it to be interpreted as a multiple of 512, 1024, or 1048576, respectively.
-v # Cause hexdump to display all input data. Without the -v option, any number of groups of output lines, which would be identical to the immediately preceding group of output lines (except for the input offsets), are replaced with a line comprised of a single asterisk.
-x # Two-byte hexadecimal display. Display the input offset in hexadecimal, followed by eight, space separated, four column, zero-filled, two-byte quantities of input data, in hexadecimal, per line.
Install
sudo apt install bsdmainutils
rabin2 [-AceghHiIsSMzlpRrLxvhqQTuUwV] [-a arch] [-b bits] [-B addr] [-C fmt:C:[D]] [-D lang sym|-] [-f subbin] [-k query] [-K algo] [-O binop] [-o str] [-m addr] [-@ addr] [-n str] [-X fmt file ...] file
Binary program info extractor
Special
rabin2 -H $file | grep -i timedate # compilation date
rabin2 -H $file | grep -i sizeofcode # size of code
rabin2 -i $file | grep -i " $dll " | wc -l # count functions imported from a specific dll
rabin2 -i $file | awk '{print $5}' | grep -v '^\(lib\|\)$' | sort -u # show all imported libs (dll)
rabin2 -s $file | grep -i " $dll " | wc -l # count symbols belonging to a specific dll
rabin2 -H $file | grep -iA2 debug # is debugger detection present
rabin2 -g Program | grep -i debug # details about the debugger detection present
rabin2 -z $file | sed -n "/$str1/,/$str2/p" | sed 's/^.* ascii *//' > $fileout # extract the strings between 2 strings in file
Useful
-H # Show header fields (see ih command in r2)
-g # Show all possible information
-I # Show binary info (iI in r2)
-i # Show imports (symbols imported from libraries) (ii)
-R # Show relocations
-s # Show exported symbols
-S # Show sections
-SS # Show segments
-t # Show file hashes
-T # Show Certificates
-U # Show Resources
-z # Show strings inside .data section (like gnu strings does)
-x # Extract all sub binaries from a fat binary (f.ex: fatmach0)
-X format file ... # Package a fat or zip containing all the files passed (fat, zip)
-l # List linked libraries to the binary
-e # Show entrypoints for disk and on-memory
All
-@ addr # Show information (symbol, section, import) of the given address
-A # List sub-binaries and their associated arch-bits pairs
-a arch # Set arch (x86, arm, .. accepts underscore for bits x86_32)
-b bits # Set bits (32, 64, ...)
-B addr # Override baddr
-c # List classes
-cc # List classes in header format
-C [fmt:C[:D]] # Create [elf,mach0,pe] for arm and x86-32/64 tiny binaries where 'C' is a hexpair list of the code bytes and ':D' is an optional concatenation describing the bytes for the data section.
-d # Show debug/dwarf information
-D lang symbolname # Demangle symbol name (or - to read from stdin) for lang (cxx, swift, java, ...)
-e # Show entrypoints for disk and on-memory
-ee # Show constructor/destructors (extended entrypoints)
-f subbin # Select sub-binary architecture. Useful for fat-mach0 binaries
-F binfmt # Force to use that bin plugin (ignore header check)
-g # Show all possible information
-G addr # Load address . offset to header
-h # Show usage help message.
-H # Show header fields (see ih command in r2)
-I # Show binary info (iI in r2)
-i # Show imports (symbols imported from libraries) (ii)
-j # Output in json
-k query # Perform SDB query on loaded file
-K algo # Select a rahash2 checksum algorithm to be performed on sections listing (and maybe others in the future) i.e 'rabin2 -K md5 -S /bin/ls'
-l # List linked libraries to the binary
-L # List supported bin plugins
-M # Show address of 'main' symbol
-m addr # Show source line reference from a given address
-N minlen:maxlen # Force minimum and maximum number of chars per string (see -z and -zz). if (strlen>minlen && (!maxlen || strlen<=maxlen))
-n str # Show information (symbol, section, import) at string offset
-o str # Output file/folder for write operations (out by default)
-O binop # Perform binary operation on target binary (dump, resize, change sections, ...) see '-O help' for more information
-p # Disable VA. Show physical addresses
-P # Show debug/pdb information
-PP # Download pdb file for binary
-q # Be quiet, just show fewer data
-qq # Show less info (no offset/size for -z for ex.)
-Q # Show load address used by dlopen (non-aslr libs)
-r # Show output in radare format
-R # Show relocations
-s # Show exported symbols
-S # Show sections
-SS # Show segments
-t # Show file hashes
-T # Show Certificates
-u # Unfiltered (no rename duplicated symbols/sections)
-U # Show Resources
-v # Show version information
-V # Show binary version information
-w # Show try/catch blocks
-x # Extract all sub binaries from a fat binary (f.ex: fatmach0)
-X format file ... # Package a fat or zip containing all the files passed (fat, zip)
-z # Show strings inside .data section (like gnu strings does)
-Z # Guess size of binary program
-zz # Shows strings from raw bins
-zzz # Dump raw strings to stdout (for huge files)
Install
sudo apt install radare2
objdump <option(s)> <file(s)>
Display information from object <file(s)>
Useful
objdump Program -x | sed -n '1,/.rdata section/p' # all headers up to the .rdata section
objdump Program -s | grep -A1 ^Contents # first line of every section's contents
objdump Program -sj $section # section=".data"
-a, --archive-headers # Display archive header information
-f, --file-headers # Display the contents of the overall file header
-h, --[section-]headers # Display the contents of the section headers
-x, --all-headers # Display the contents of all headers
-s, --full-contents # Display the full contents of all sections requested
All
At least one of the following switches must be given:
-a, --archive-headers # Display archive header information
-f, --file-headers # Display the contents of the overall file header
-p, --private-headers # Display object format specific file header contents
-P, --private=OPT,OPT... # Display object format specific contents
-h, --[section-]headers # Display the contents of the section headers
-x, --all-headers # Display the contents of all headers
-d, --disassemble # Display assembler contents of executable sections
-D, --disassemble-all # Display assembler contents of all sections
--disassemble=<sym> # Display assembler contents from <sym>
-S, --source # Intermix source code with disassembly
--source-comment[=<txt>] # Prefix lines of source code with <txt>
-s, --full-contents # Display the full contents of all sections requested
-g, --debugging # Display debug information in object file
-e, --debugging-tags # Display debug information using ctags style
-G, --stabs # Display (in raw form) any STABS info in the file
-W[lLiaprmfFsoRtUuTgAckK] or --dwarf[=rawline,=decodedline,=info,=abbrev,=pubnames,=aranges,=macro,=frames, =frames-interp,=str,=loc,=Ranges,=pubtypes, =gdb_index,=trace_info,=trace_abbrev,=trace_aranges, =addr,=cu_index,=links,=follow-links] # Display DWARF info in the file
--ctf=SECTION # Display CTF info from SECTION
-t, --syms # Display the contents of the symbol table(s)
-T, --dynamic-syms # Display the contents of the dynamic symbol table
-r, --reloc # Display the relocation entries in the file
-R, --dynamic-reloc # Display the dynamic relocation entries in the file
@<file> # Read options from <file>
-v, --version # Display this program's version number
-i, --info # List object formats and architectures supported
-H, --help # Display this information
The following switches are optional:
-b, --target=BFDNAME # Specify the target object format as BFDNAME
-m, --architecture=MACHINE # Specify the target architecture as MACHINE
-j, --section=NAME # Only display information for section NAME
-M, --disassembler-options=OPT # Pass text OPT on to the disassembler
-EB --endian=big # Assume big endian format when disassembling
-EL --endian=little # Assume little endian format when disassembling
--file-start-context # Include context from start of file (with -S)
-I, --include=DIR # Add DIR to search list for source files
-l, --line-numbers # Include line numbers and filenames in output
-F, --file-offsets # Include file offsets when displaying information
-C, --demangle[=STYLE] # Decode mangled/processed symbol names. The STYLE, if specified, can be `auto', `gnu', `lucid', `arm', `hp', `edg', `gnu-v3', `java' or `gnat'
--recurse-limit # Enable a limit on recursion whilst demangling. [Default]
--no-recurse-limit # Disable a limit on recursion whilst demangling
-w, --wide # Format output for more than 80 columns
-z, --disassemble-zeroes # Do not skip blocks of zeroes when disassembling
--start-address=ADDR # Only process data whose address is >= ADDR
--stop-address=ADDR # Only process data whose address is < ADDR
--prefix-addresses # Print complete address alongside disassembly
--[no-]show-raw-insn # Display hex alongside symbolic disassembly
--insn-width=WIDTH # Display WIDTH bytes on a single line for -d
--adjust-vma=OFFSET # Add OFFSET to all displayed section addresses
--special-syms # Include special symbols in symbol dumps
--inlines # Print all inlines for source line (with -l)
--prefix=PREFIX # Add PREFIX to absolute paths for -S
--prefix-strip=LEVEL # Strip initial directory names for -S
--dwarf-depth=N # Do not display DIEs at depth N or greater
--dwarf-start=N # Display DIEs starting with N, at the same depth or deeper
--dwarf-check # Make additional dwarf internal consistency checks.
--ctf-parent=SECTION # Use SECTION as the CTF parent
--visualize-jumps # Visualize jumps by drawing ASCII art lines
--visualize-jumps=color # Use colors in the ASCII art
--visualize-jumps=extended-color # Use extended 8-bit color codes
--visualize-jumps=off # Disable jump visualization
Install
sudo apt install binutils
clamscan [options] [file/directory/-]
Scan files and directories for viruses
Useful
-i --infected # Only print infected files
-r --recursive[=yes/no(*)] # Scan subdirectories recursively
-f FILE, --file-list=FILE # Scan files from FILE
All
-a --archive-verbose # Show filenames inside scanned archives
--stdout # Write to stdout instead of stderr. Does not affect 'debug' messages.
--no-summary # Disable summary at end of scanning
-i --infected # Only print infected files
-o --suppress-ok-results # Skip printing OK files
--bell # Sound bell on virus detection
--tempdir=DIRECTORY # Create temporary files in DIRECTORY
--leave-temps[=yes/no(*)] # Do not remove temporary files
--gen-json[=yes/no(*)] # Generate JSON description of scanned file(s). JSON will be printed and also dropped to the temp directory if --leave-temps is enabled.
-d FILE/DIR, --database=FILE/DIR # Load virus database from FILE or load all supported db files from DIR
--official-db-only[=yes/no(*)] # Only load official signatures
-l FILE, --log=FILE # Save scan report to FILE
-r --recursive[=yes/no(*)] # Scan subdirectories recursively
-z --allmatch[=yes/no(*)] # Continue scanning within file after finding a match
--cross-fs[=yes(*)/no] # Scan files and directories on other filesystems
--follow-dir-symlinks[=0/1(*)/2] # Follow directory symlinks (0 = never, 1 = direct, 2 = always)
--follow-file-symlinks[=0/1(*)/2] # Follow file symlinks (0 = never, 1 = direct, 2 = always)
-f FILE, --file-list=FILE # Scan files from FILE
--remove[=yes/no(*)] # Remove infected files. Be careful!
--move=DIRECTORY # Move infected files into DIRECTORY
--copy=DIRECTORY # Copy infected files into DIRECTORY
--exclude=REGEX # Don't scan file names matching REGEX
--exclude-dir=REGEX # Don't scan directories matching REGEX
--include=REGEX # Only scan file names matching REGEX
--include-dir=REGEX # Only scan directories matching REGEX
--bytecode[=yes(*)/no] # Load bytecode from the database
--bytecode-unsigned[=yes/no(*)] # Load unsigned bytecode **Caution**: You should NEVER run bytecode signatures from untrusted sources. Doing so may result in arbitrary code execution.
--bytecode-timeout=N # Set bytecode timeout (in milliseconds)
--statistics[=none(*)/bytecode/pcre] # Collect and print execution statistics
--detect-pua[=yes/no(*)] # Detect Possibly Unwanted Applications
--exclude-pua=CAT # Skip PUA sigs of category CAT
--include-pua=CAT # Load PUA sigs of category CAT
--detect-structured[=yes/no(*)] # Detect structured data (SSN, Credit Card)
--structured-ssn-format=X # SSN format (0=normal,1=stripped,2=both)
--structured-ssn-count=N # Min SSN count to generate a detect
--structured-cc-count=N # Min CC count to generate a detect
--structured-cc-mode=X # CC mode (0=credit, debit and private label, 1=credit cards only)
--scan-mail[=yes(*)/no] # Scan mail files
--phishing-sigs[=yes(*)/no] # Enable email signature-based phishing detection
--phishing-scan-urls[=yes(*)/no] # Enable URL signature-based phishing detection
--heuristic-alerts[=yes(*)/no] # Heuristic alerts
--heuristic-scan-precedence[=yes/no(*)] # Stop scanning as soon as a heuristic match is found
--normalize[=yes(*)/no] # Normalize html, script, and text files. Use normalize=no for yara compatibility
--scan-pe[=yes(*)/no] # Scan PE files
--scan-elf[=yes(*)/no] # Scan ELF files
--scan-ole2[=yes(*)/no] # Scan OLE2 containers
--scan-pdf[=yes(*)/no] # Scan PDF files
--scan-swf[=yes(*)/no] # Scan SWF files
--scan-html[=yes(*)/no] # Scan HTML files
--scan-xmldocs[=yes(*)/no] # Scan xml-based document files
--scan-hwp3[=yes(*)/no] # Scan HWP3 files
--scan-archive[=yes(*)/no] # Scan archive files (supported by libclamav)
--alert-broken[=yes/no(*)] # Alert on broken executable files (PE & ELF)
--alert-broken-media[=yes/no(*)] # Alert on broken graphics files (JPEG, TIFF, PNG, GIF)
--alert-encrypted[=yes/no(*)] # Alert on encrypted archives and documents
--alert-encrypted-archive[=yes/no(*)] # Alert on encrypted archives
--alert-encrypted-doc[=yes/no(*)] # Alert on encrypted documents
--alert-macros[=yes/no(*)] # Alert on OLE2 files containing VBA macros
--alert-exceeds-max[=yes/no(*)] # Alert on files that exceed max file size, max scan size, or max recursion limit
--alert-phishing-ssl[=yes/no(*)] # Alert on emails containing SSL mismatches in URLs
--alert-phishing-cloak[=yes/no(*)] # Alert on emails containing cloaked URLs
--alert-partition-intersection[=yes/no(*)] # Alert on raw DMG image files containing partition intersections
--nocerts # Disable authenticode certificate chain verification in PE files
--dumpcerts # Dump authenticode certificate chain in PE files
--max-scantime=#n # Scan time longer than this will be skipped and assumed clean (milliseconds)
--max-filesize=#n # Files larger than this will be skipped and assumed clean
--max-scansize=#n # The maximum amount of data to scan for each container file (**)
--max-files=#n # The maximum number of files to scan for each container file (**)
--max-recursion=#n # Maximum archive recursion level for container file (**)
--max-dir-recursion=#n # Maximum directory recursion level
--max-embeddedpe=#n # Maximum size file to check for embedded PE
--max-htmlnormalize=#n # Maximum size of HTML file to normalize
--max-htmlnotags=#n # Maximum size of normalized HTML file to scan
--max-scriptnormalize=#n # Maximum size of script file to normalize
--max-ziptypercg=#n # Maximum size zip to type reanalyze
--max-partitions=#n # Maximum number of partitions in disk image to be scanned
--max-iconspe=#n # Maximum number of icons in PE file to be scanned
--max-rechwp3=#n # Maximum recursive calls to HWP3 parsing function
--pcre-match-limit=#n # Maximum calls to the PCRE match function.
--pcre-recmatch-limit=#n # Maximum recursive calls to the PCRE match function.
--pcre-max-filesize=#n # Maximum size file to perform PCRE subsig matching.
--disable-cache # Disable caching and cache checks for hash sums of scanned files.
-h --help # Show this help
--debug # Enable libclamav's debug messages
--quiet # Only output error messages
-v --verbose # Be verbose
-V --version # Print version number
Install
sudo apt install clamav
pescan OPTIONS FILE
Search for suspicious things in PE files
Useful
-f, --format <text|html|xml|csv|json> # change output format (default: text)
All
-f, --format <text|html|xml|csv|json> # change output format (default: text)
-v, --verbose # show more info about items found
-V, --version # show version and exit
--help # show this help and exit
Install
sudo apt install pev
strings [option(s)] [file(s)]
Display printable strings in [file(s)] (stdin by default)
Useful
-s <string>, --output-separator=<string> # String used to separate strings in output.
All
-a, -, --all # Scan the entire file, not just the data section [default]
-d --data # Only scan the data sections in the file
-f --print-file-name # Print the name of the file before each string
-n --bytes=[number], -<number> # Locate & print any NUL-terminated sequence of at least [number] characters (default 4)
-t --radix={o,d,x} # Print the location of the string in base 8, 10 or 16
-w --include-all-whitespace # Include all whitespace as valid string characters
-o # An alias for --radix=o
-T --target=<BFDNAME> # Specify the binary file format
-e --encoding={s,S,b,l,B,L} # Select character size and endianness: s = 7-bit, S = 8-bit, {b,l} = 16-bit, {B,L} = 32-bit
@<file> # Read options from <file>
-h --help # Display this information
-v -V --version # Print the program's version number
file [OPTION...] [FILE...]
Determine type of FILEs.
Useful
-z, --uncompress # try to look inside compressed files
-F, --separator STRING # use string as separator instead of ':'
All
-m, --magic-file LIST # use LIST as a colon-separated list of magic number files
-z, --uncompress # try to look inside compressed files
-Z, --uncompress-noreport # only print the contents of compressed files
-b, --brief # do not prepend filenames to output lines
-c, --checking-printout # print the parsed form of the magic file, use in conjunction with -m to debug a new magic file before installing it
-e, --exclude TEST # exclude TEST from the list of test to be performed for file. Valid tests are: apptype, ascii, cdf, compress, csv, elf, encoding, soft, tar, json, text, tokens
-f, --files-from FILE # read the filenames to be examined from FILE
-F, --separator STRING # use string as separator instead of `:'
-i, --mime # output MIME type strings (--mime-type and --mime-encoding)
--apple # output the Apple CREATOR/TYPE
--extension # output a slash-separated list of extensions
--mime-type # output the MIME type
--mime-encoding # output the MIME encoding
-k, --keep-going # don't stop at the first match
-l, --list # list magic strength
-L, --dereference # follow symlinks (default if POSIXLY_CORRECT is set)
-h, --no-dereference # don't follow symlinks (default if POSIXLY_CORRECT is not set) (default)
-n, --no-buffer # do not buffer output
-N, --no-pad # do not pad output
-0, --print0 # terminate filenames with ASCII NUL
-p, --preserve-date # preserve access times on files
-P, --parameter # set file engine parameter limits
indir 15 recursion limit for indirection
name 30 use limit for name/use magic
elf_notes 256 max ELF notes processed
elf_phnum 128 max ELF prog sections processed
elf_shnum 32768 max ELF sections processed
-r, --raw # don't translate unprintable chars to \ooo
-s, --special-files # treat special (block/char devices) files as ordinary ones
-S, --no-sandbox # disable system call sandboxing
-C, --compile # compile file specified by -m
-d, --debug # print debugging messages
--help # display this help and exit
-v, --version # output version information and exit
install
see foralyse in https://code.ambau.fr
info
variables
file=/share/memory/dump
profile=Win7SP0x86
vol2 -f $file --profile $profile
# Options
--output dot/greptext/html/json/sqlite/text/xlsx
vol2 --info # get all informations from volatility
vol2 --info|sed -n '/^Profiles/,/^$/ p' # available profiles
vol2 --info|sed -n '/^Address/,/^$/ p' # available address spaces
vol2 --info|sed -n '/^Scanner/,/^$/ p' # available scanner
vol2 --info|sed -n '/^Plugins/,/^$/ p' # available plugins
vol2 --info|sed -n '/^Plugins/,/^$/ p'|grep -v '^mac_\|^linux_' # windows plugins
vol2 --info|sed -n '/^Plugins/,/^$/ p'|grep '^linux_' # linux plugins
vol2 --info|sed -n '/^Plugins/,/^$/ p'|grep '^mac_' # mac plugins
special
hash
vol2 hashdump -f ${dump} --profile=${profile} -y ${offset_system} -s ${offset_sam}
plugins
cmd
clipboard # Extract the contents of the windows clipboard
cmdline # Display process command-line arguments
cmdscan # Extract command history by scanning for _COMMAND_HISTORY
consoles # Extract command history by scanning for _CONSOLE_INFORMATION
device
devicetree # Show device tree
mbrparser # Scans for and parses potential Master Boot Records (MBRs)
dll
dlldump -D PATH # Dump DLLs from a process address space to PATH
-p PID # specify a process by its PID
-o OFFSET # specify a process by its virtual OFFSET
dlllist # Print list of loaded dlls for each process
-p PID # specify a process by its PID
ldrmodules # Detect unlinked DLLs
dump
cachedump # Dumps cached domain hashes from memory
dumpcerts # Dump RSA private and public SSL keys
dlldump -D PATH # Dump DLLs from a process address space to PATH
-p PID # specify a process by its PID
-o OFFSET # specify a process by its virtual OFFSET
dumpfiles # Extract memory mapped and cached files
hashdump # Dumps passwords hashes (LM/NTLM) from memory
hivedump # Prints out a hive
lsadump # Dump (decrypted) LSA secrets from the registry
procdump # Dump a process to an executable file sample
-o OFFSET, --offset=OFFSET # EPROCESS offset (in hex) in the physical address space
-p PID, --pid=PID # Operate on these Process IDs (comma-separated)
-n NAME, --name=NAME # Operate on these process names (regex)
-D DUMP_DIR, --dump-dir=DUMP_DIR # Directory in which to dump executable files
executable
impscan # Scan for calls to imported functions
-p PID, --pid=PID # Process ID (leave off to scan kernel memory)
-o OFFSET, --offset=OFFSET # EPROCESS offset (in hex) in the physical address space
-b BASE, --base=BASE # Base address in process memory if --pid is supplied, otherwise an address in kernel space
-s SIZE, --size=SIZE # Size of memory to scan
joblinks # Print process job link information
malfind # Find hidden and injected code
privs # Display process privileges
shimcache # Parses the Application Compatibility Shim Cache registry key
verinfo # Prints out the version information from PE images
file
dumpfiles # Extract memory mapped and cached files
filescan # Pool scanner for file objects
mftparser # Scans for and parses potential MFT entries
notepad # List currently displayed notepad text
hive
amcache # Print AmCache information
hivescan # Pool scanner for registry hives
hivedump # Prints out a hive
hivelist # Print list of registry hives
printkey # Print a registry key, and its subkeys and values
shimcache # Parses the Application Compatibility Shim Cache registry key
shutdowntime # Print ShutdownTime of machine from registry
userassist # Print userassist registry keys and information
hook
apihooks # Detect API hooks in process and kernel memory
driverirp # Driver IRP hook detection
eventhooks # Print details on windows event hooks
messagehooks # List desktop and thread window message hooks
image
imageinfo # get info from OS and profiles
kdbgscan # Search for and dump potential KDBG values
memory
bigpools # Dump the big page pools using BigPagePoolScanner
cachedump # Dumps cached domain hashes from memory
hpakextract # Extract physical memory from an HPAK file
hpakinfo # Info on an HPAK file
memdump # Dump the addressable memory for a process
memmap # Print the memory map
patcher # Patches memory based on page scans
raw2dmp # Converts a physical memory sample to a windbg crash dump
module
drivermodule # Associate driver objects to kernel modules
moddump # Dump a kernel driver to an executable file sample
modscan # Pool scanner for kernel modules
modules # Print list of loaded modules
timers # Print kernel timers and associated module DPCs
unloadedmodules # Print list of unloaded modules
network
connections # Print list of open connections [Windows XP and 2003 Only]
connscan # Pool scanner for tcp connections
netscan # list of connections
sockets # Print list of open sockets
sockscan # Pool scanner for tcp socket objects
password
dumpcerts # Dump RSA private and public SSL keys
hashdump # Dumps passwords hashes (LM/NTLM) from memory
truecryptmaster # Recover TrueCrypt 7.1a Master Keys
truecryptpassphrase # TrueCrypt Cached Passphrase Finder
truecryptsummary # TrueCrypt Summary
process
envars # Display process environment variables
getsids # Print the SIDs owning each process
handles # Print list of open handles for each process
privs # Display process privileges
procdump # Dump a process to an executable file sample
pslist # Print all running processes by following the EPROCESS lists
-P # print for physical offset
psscan # Pool scanner for process objects
pstree # Print process list as a tree
psxview # Find hidden processes with various process listings
thrdscan # Pool scanner for thread objects
threads # Investigate _ETHREAD and _KTHREADs
service
getservicesids # Get the names of services in the Registry and return Calculated SID
servicediff # List Windows services (ala Plugx)
svcscan # Scan for Windows services
system
auditpol # Prints out the Audit Policies from HKLM\SECURITY\Policy\PolAdtEv
bioskbd # Reads the keyboard buffer from Real Mode memory
callbacks # Print system-wide notification routines
crashinfo # Dump crash-dump information
driverirp # Driver IRP hook detection
driverscan # Pool scanner for driver objects
envars # Display process environment variables
evtlogs # Extract Windows Event Logs (XP/2003 only)
kpcrscan # Search for and dump potential KPCR values
machoinfo # Dump Mach-O file format information
mutantscan # Pool scanner for mutex objects
objtypescan # Scan for Windows object type objects
screenshot # Save a pseudo-screenshot based on GDI windows (requires PIL)
shutdowntime # Print ShutdownTime of machine from registry
symlinkscan # Pool scanner for symlink objects
timeline
timeliner # Creates a timeline from various artifacts in memory
timers # Print kernel timers and associated module DPCs
user
atoms # Print session and window station atom tables
atomscan # Pool scanner for atom tables
clipboard # Extract the contents of the windows clipboard
deskscan # Pool scanner for tagDESKTOP (desktops)
gahti # Dump the USER handle type information
sessions # List details on _MM_SESSION_SPACE (user logon sessions)
userassist # Print userassist registry keys and information
userhandles # Dump the USER handle tables
vad
vaddump # Dumps out the vad sections to a file
vadinfo # Dump the VAD info
vadtree # Walk the VAD tree and display in tree format
vadwalk # Walk the VAD tree
virtual
qemuinfo # Dump Qemu information
vboxinfo # Dump virtualbox information
vmwareinfo # Dump VMware VMSS/VMSN information
volshell
Use addrspace() for Kernel/Virtual AS
Use addrspace().base for Physical AS
Use proc() to get the current process object
proc().get_process_address_space() for the current process AS
proc().get_load_modules() for the current process DLLs
addrspace() # Get the current kernel/virtual address space.
cc(offset=None, pid=None, name=None, physical=False) # Change current shell context.
db(address, length=128, space=None) # Print bytes as canonical hexdump.
dd(address, length=128, space=None) # Print dwords at address.
dis(address, length=128, space=None, mode=None) # Disassemble code at a given address.
dq(address, length=128, space=None) # Print qwords at address.
dt(objct, address=None, space=None, recursive=False, depth=0) # Describe an object or show type info.
find(needle, max=1, shift=0, skip=0, count=False, length=128)
getmods() # Generator for kernel modules (scripting).
getprocs() # Generator of process objects (scripting).
hh(cmd=None) # Get help on a command.
list_entry(head, objname, offset=-1, fieldname=None, forward=True, space=None) # Traverse a _LIST_ENTRY.
modules() # Print loaded modules in a table view.
proc() # Get the current process object.
ps() # Print active processes in a table view.
sc() # Show the current context.
For help on a specific command, type 'hh(<command>)'
windows
windows # Print Desktop Windows (verbose details)
wintree # Print Z-Order Desktop Windows Tree
wndscan # Pool scanner for window stations
others
editbox # Displays information about Edit controls. (Listbox experimental.)
gditimers # Print installed GDI timers and callbacks
gdt # Display Global Descriptor Table
idt # Display Interrupt Descriptor Table
hibinfo # Dump hibernation file information
imagecopy --profile $profile $file -O $file-converted
iehistory # Reconstruct Internet Explorer cache / history
poolpeek # Configurable pool scanner plugin
shellbags # Prints ShellBags info
strings # Match physical offsets to virtual addresses (may take a while, VERY verbose)
yarascan # Scan process or kernel memory with Yara signatures
Operators
See wireshark
Useful
select
tshark -r ${dump} -e ip.src -Tfields # get all source ip addresses (-e requires -Tfields)
tshark -r ${dump} -e ip.proto -Tfields
tshark -r ${file} -e http.user_agent -Tfields
filter
tshark -r ${dump} -Y http -w filtered.pcapng # filter all http streams to file
tshark -r ${dump} -Y "not ip.addr == 93.184.221.240" -w filtered.pcapng # filter by IP address
tshark -r ${dump} -Y "frame.time_epoch >= 1631211000" -w filtered.pcapng # filter by frame time epoch
help
tshark [ -i <capture interface>|- ] [ -f <capture filter> ] [ -2 ] [ -r <infile> ] [ -w <outfile>|- ] [ options ] [ <filter> ]
tshark -G [ <report type> ] [ --elastic-mapping-filter <protocols> ]
Dump and analyze network traffic
Capture interface
-i <interface>, --interface <interface> # name or idx of interface (def: first non-loopback)
-f <capture filter> # packet filter in libpcap filter syntax
-s <snaplen>, --snapshot-length <snaplen> # packet snapshot length (def: appropriate maximum)
-p, --no-promiscuous-mode # don't capture in promiscuous mode
-I, --monitor-mode # capture in monitor mode, if available
-B <buffer size>, --buffer-size <buffer size> # size of kernel buffer (def: 2MB)
-y <link type>, --linktype <link type> # link layer type (def: first appropriate)
--time-stamp-type <type> # timestamp method for interface
-D, --list-interfaces # print list of interfaces and exit
-L, --list-data-link-types # print list of link-layer types of iface and exit
--list-time-stamp-types # print list of timestamp types for iface and exit
Capture stop conditions
-c <packet count> # stop after n packets (def: infinite)
-a <autostop cond.> ..., --autostop <autostop cond.> ...
duration:NUM - stop after NUM seconds
filesize:NUM - stop this file after NUM KB
files:NUM - stop after NUM files
packets:NUM - stop after NUM packets
Capture output
-b <ringbuffer opt.> ..., --ring-buffer <ringbuffer opt.>
duration:NUM - switch to next file after NUM secs
filesize:NUM - switch to next file after NUM KB
files:NUM - ringbuffer: replace after NUM files
packets:NUM - switch to next file after NUM packets
interval:NUM - switch to next file when the time is an exact multiple of NUM secs
Input file
-r <infile>, --read-file <infile>
Processing
-2 # perform a two-pass analysis
-M <packet count> # perform session auto reset
-R <read filter>, --read-filter <read filter> # packet Read filter in Wireshark display filter syntax (requires -2)
-Y <display filter>, --display-filter <display filter> # packet displaY filter in Wireshark display filter syntax
-n # disable all name resolutions (def: all enabled)
-N <name resolve flags> # enable specific name resolution(s): "mnNtdv"
-d <layer_type>==<selector>,<decode_as_protocol> ... # "Decode As", see the man page for details Example: tcp.port==8888,http
-H <hosts file> # read a list of entries from a hosts file, which will then be written to a capture file. (Implies -W n)
--enable-protocol <proto_name> # enable dissection of proto_name
--disable-protocol <proto_name> # disable dissection of proto_name
--enable-heuristic <short_name> # enable dissection of heuristic protocol
--disable-heuristic <short_name> # disable dissection of heuristic protocol
Output
-w <outfile|-> # write packets to a pcapng-format file named "outfile" (or '-' for stdout)
--capture-comment <comment> # set the capture file comment, if supported
-C <config profile> # start with specified configuration profile
-F <output file type> # set the output file type (default is pcapng); an empty "-F" option will list the file types
-V # add output of packet tree (Packet Details)
-O <protocols> # Only show packet details of these protocols, comma separated
-P, --print # print packet summary even when writing to a file
-S <separator> # the line separator to print between packets
-x # add output of hex and ASCII dump (Packet Bytes)
-T pdml|ps|psml|json|jsonraw|ek|tabs|text|fields|? # format of text output (def: text)
-j <protocolfilter> # protocols layers filter if -T ek|pdml|json selected (e.g. "ip ip.flags text", filter does not expand child nodes, unless child is specified also in the filter)
-J <protocolfilter> # top level protocol filter if -T ek|pdml|json selected (e.g. "http tcp", filter which expands all child nodes)
-e <field> # field to print if -Tfields selected (e.g. tcp.port, _ws.col.Info) this option can be repeated to print multiple fields
-E<fieldsoption>=<value> # set options for output when -Tfields selected:
bom=y|n # print a UTF-8 BOM
header=y|n # switch headers on and off
separator=/t|/s|<char> # select tab, space, printable character as separator
occurrence=f|l|a # print first, last or all occurrences of each field
aggregator=,|/s|<char> # select comma, space, printable character as aggregator
quote=d|s|n # select double, single, no quotes for values
-t a|ad|adoy|d|dd|e|r|u|ud|udoy # output format of time stamps (def: r: rel. to first)
-u s|hms # output format of seconds (def: s: seconds)
-l # flush standard output after each packet
-q # be more quiet on stdout (e.g. when using statistics)
-Q # only log true errors to stderr (quieter than -q)
-g # enable group read access on the output file(s)
-W n # Save extra information in the file, if supported. n = write network address resolution information
-X <key>:<value> # eXtension options, see the man page for details
-U tap_name # PDUs export mode, see the man page for details
-z <statistics> # various statistics, see the man page for details
--export-objects <protocol>,<destdir> # save exported objects for a protocol to a directory named "destdir"
--color # color output text similarly to the Wireshark GUI, requires a terminal with 24-bit color support Also supplies color attributes to pdml and psml formats (Note that attributes are nonstandard)
--no-duplicate-keys # If -T json is specified, merge duplicate keys in an object into a single key with as value a json array containing all values
--elastic-mapping-filter <protocols> # If -G elastic-mapping is specified, put only the specified protocols within the mapping file
Miscellaneous
-h, --help # display this help and exit
-v, --version # display version info and exit
-o <name>:<value> ... # override preference setting
-K <keytab> # keytab file to use for kerberos decryption
-G [report] # dump one of several available reports and exit; default report="fields"; use "-G help" for more help
COLOR
base
# normal
m=0; for i in {16..128}; do echo -en "\e[${m};${i}m${i}\e[0m" ; done; echo
# bold
m=1; for i in {16..128}; do echo -en "\e[${m};${i}m${i}\e[0m" ; done; echo
# all
for j in {0..5}; do echo "- ${j}"; for i in {16..256}; do echo -en "\e[${j};${i}m${i}\e[0m" ; done; echo; done; echo
256
for i in {16..255}; do echo -en "$i \e[38;5;${i}m#\e[0m" ; done; echo
Installation
yay -S maxima # xmaxima
yay -S ttf-mathtype wxmaxima # wxmaxima
USB
RTL8821CU
https://github.com/brektrou/rtl8821CU
RTL88x2BU / RTL8822BU
manjaro
https://github.com/cilynx/rtl88x2BU_WiFi_linux_v5.3.1_27678.20180430_COEX20180427-5959
ubuntu
INSTALL
MANJARO
yay -S autofs sshfs
CONFIGURATION
SSHFS
SSH KEY
Do not forget to put the root key on the remote server !!
autofs uses root rights to connect
MANJARO
/etc/autofs/auto.master.d/cluster.autofs
echo "/home/cluster /etc/autofs/auto.sshfs uid=1000,gid=1000, --timeout=30, --ghost" | sudo tee /etc/autofs/auto.master.d/cluster.autofs
/etc/autofs/auto.sshfs
echo "node1 -fstype=fuse,port=2002,rw,allow_other :sshfs\#root@node1\:/" | sudo tee /etc/autofs/auto.sshfs
TEST SSHFS
path=/tmp/node1
mkdir -p ${path}
sshfs root@node1:/ ${path}
MAN
systemd-resolve [OPTIONS...] HOSTNAME|ADDRESS...
systemd-resolve [OPTIONS...] --service [[NAME] TYPE] DOMAIN
systemd-resolve [OPTIONS...] --openpgp EMAIL@DOMAIN...
systemd-resolve [OPTIONS...] --statistics
systemd-resolve [OPTIONS...] --reset-statistics
Resolve domain names, IPv4 and IPv6 addresses, DNS records, and services.
-h --help # Show this help
--version # Show package version
--no-pager # Do not pipe output into a pager
-4 # Resolve IPv4 addresses
-6 # Resolve IPv6 addresses
-i --interface=INTERFACE # Look on interface
-p --protocol=PROTO|help # Look via protocol
-t --type=TYPE|help # Query RR with DNS type
-c --class=CLASS|help # Query RR with DNS class
--service # Resolve service (SRV)
--service-address=BOOL # Resolve address for services (default: yes)
--service-txt=BOOL # Resolve TXT records for services (default: yes)
--openpgp # Query OpenPGP public key
--tlsa # Query TLS public key
--cname=BOOL # Follow CNAME redirects (default: yes)
--search=BOOL # Use search domains for single-label names (default: yes)
--raw[=payload|packet] # Dump the answer as binary data
--legend=BOOL # Print headers and additional info (default: yes)
--statistics # Show resolver statistics
--reset-statistics # Reset resolver statistics
--status # Show link and server status
--flush-caches # Flush all local DNS caches
--reset-server-features # Forget learnt DNS server feature levels
--set-dns=SERVER # Set per-interface DNS server address
--set-domain=DOMAIN # Set per-interface search domain
--set-llmnr=MODE # Set per-interface LLMNR mode
--set-mdns=MODE # Set per-interface MulticastDNS mode
--set-dnsovertls=MODE # Set per-interface DNS-over-TLS mode
--set-dnssec=MODE # Set per-interface DNSSEC mode
--set-nta=DOMAIN # Set per-interface DNSSEC NTA
--revert # Revert per-interface configuration
TRICKS
LXC
bind DNS from host to containers
dynamically
# for selected interface
resolvectl --interface lxdbr0 dnssec set no
# add DNS configuration to lxd domain
resolvectl dns lxdbr0 "$(lxc network show lxdbr0 | sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')"
resolvectl domain lxdbr0 '~lxd'
# old style
# systemd-resolve --interface lxdbr0 --set-dnssec no #~ old style
#sed -i 's|^.\?DNSSEC=.*$|DNSSEC=allow-downgrade|' /etc/systemd/resolved.conf # global / not too advisable
#systemd-resolve --interface lxdbr0 --set-domain '~lxd' --set-dns "$(lxc network show lxdbr0 | sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')"
persistently
path="/etc/systemd/resolved.conf.d/"
[ -d "${path}" ] || mkdir -p "${path}"
cidr="$(lxc network show lxdbr0 | sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')"
echo "# Configuration file for lxdbr0
[Resolve]
DNS=${cidr}
Domains=lxd
DNSSEC=no" > "${path}/lxd.conf"
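As an added example (not part of these notes), a POSIX sh helper that builds the same resolved drop-in from `lxc network show` output read on stdin, so it can be run offline on the constructed sample below; the function names, the sample output and the target directory parameter are assumptions, not lxd or systemd interfaces.

```shell
# Added example: generate a per-link systemd-resolved drop-in for the lxd
# bridge. Reading the `lxc network show` output from stdin keeps it testable
# without lxd; in real use pipe `lxc network show lxdbr0` into it.

# Constructed sample of `lxc network show lxdbr0` output (assumption: only the
# ipv4.address line is relevant for the drop-in).
SAMPLE_LXC_SHOW='config:
  ipv4.address: 10.140.77.1/24
  ipv4.nat: "true"
  ipv6.address: fd42:9c6e:8e1a:5b2b::1/64
description: ""
name: lxdbr0
type: bridge
managed: true'

# Print the bridge IPv4 address without its prefix length, using the same
# sed expression as the notes above. Fails (exit 1) when the address is
# missing or not a dotted quad, e.g. "ipv4.address: none".
lxd_bridge_ip() {
    ipv4=$(sed -n 's|.*ipv4\.address: \(.*\)/.*|\1|p')
    printf '%s\n' "${ipv4}" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "${ipv4}"
}

# Write <dir>/<iface>.conf: queries for <domain> go to the bridge address and
# DNSSEC is disabled for this link only, not globally as the commented
# resolved.conf edit above would do. Prints the path of the file written.
write_lxd_resolved_dropin() {
    dir=$1; iface=$2; domain=$3
    ipv4=$(lxd_bridge_ip) || { echo "no usable ipv4.address in lxc output" >&2; return 1; }
    mkdir -p "${dir}"
    printf '# Configuration file for %s\n[Resolve]\nDNS=%s\nDomains=%s\nDNSSEC=no\n' \
        "${iface}" "${ipv4}" "${domain}" > "${dir}/${iface}.conf"
    printf '%s\n' "${dir}/${iface}.conf"
}

# Offline run on the constructed sample (real use: dir=/etc/systemd/resolved.conf.d).
printf '%s\n' "${SAMPLE_LXC_SHOW}" | write_lxd_resolved_dropin "${TMPDIR:-/tmp}/lxd-resolved-demo" lxdbr0 lxd
```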
start & enable service
[ "$(systemctl is-active systemd-resolved.service)" = "active" ] || systemctl start systemd-resolved.service
[ "$(systemctl is-enabled systemd-resolved.service)" = "enabled" ] || systemctl enable systemd-resolved.service
test
resolvectl query sp20-www.lxd
#systemd-resolve -i lxdbr0 sp20-www.lxd
Use TAB to select options & values !!
journalctl -p err|alert|crit|debug|emerg|err|info|notice|warning # print only level
-u $service # show logs for a unit (ex: apache2)
_PID=1 # show journal for one PID
<command> # show journal for one command (ex: /usr/sbin/apache2)
OTHERS
systemd-cgls [OPTIONS...] [CGROUP...]
Recursively show control group contents
-a --all Show all groups, including empty
-u --unit Show the subtrees of specified system units
--user-unit Show the subtrees of specified user units
-l --full Do not ellipsize output
-k Include kernel threads in output
-M --machine= Show container
systemd-cgtop [OPTIONS...] [CGROUP]
Show top control groups by their resource usage
-p --order=path Order by path
-t --order=tasks Order by number of tasks/processes
-c --order=cpu Order by CPU load (default)
-m --order=memory Order by memory load
-i --order=io Order by IO load
-r --raw Provide raw (not human-readable) numbers
--cpu=percentage Show CPU usage as percentage (default)
--cpu=time Show CPU usage as time
-P Count userspace processes instead of tasks (excl. kernel)
-k Count all processes instead of tasks (incl. kernel)
--recursive=BOOL Sum up process count recursively
-d --delay=DELAY Delay between updates
-n --iterations=N Run for N iterations before exiting
-b --batch Run in batch mode, accepting no input
--depth=DEPTH Maximum traversal depth (default: 3)
-M --machine= Show container