iTerm2 Customizations for Hackers

I use iTerm2 exclusively as my terminal of choice on the Mac platform. In fact it’s in the top 10 reasons why it would be incredibly challenging for me to ever leave the Apple platform.

I’ve added a few customized triggers to help me as a penetration tester. Each trigger is a regular expression (iTerm2 uses ICU regex syntax) that iTerm2 runs against console output; when the pattern matches, iTerm2 performs the configured action, such as highlighting the matched text or posting a notification. The triggers can get pretty complex (help page on triggers).

Trigger actions

If you have any more customizations or ideas for iTerm2, I’d love to hear about them! Find me on Twitter @beyondnegative

To set this up, open “Preferences” in iTerm2, select your profile under “Profiles”, and go to that profile’s “Advanced” tab:

Screen Shot 2018-01-15 at 07.41.15

Triggers -> Edit

Screen Shot 2018-01-15 at 07.42.07

To add a trigger, click on the “+” button at the bottom left of the window (not shown)

Highlight IP addresses (any dotted quad, so octets above 255 such as a version number 999.999.999.999 match too, which is acceptable for a highlight):

  • Action: Highlight Text
  • Colors: Text White, Background Red
\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b

Screen Shot 2018-01-15 at 08.15.16

Highlight MAC addresses:

  • Action: Highlight Text
  • Colors: Text White, Background Dark Red
([0-9A-Fa-f]{2}[:-]){5}([0-9A-Fa-f]{2})

(See highlighted MAC in IP highlight example above)

Highlight the tail of suspected base64 (only tokens that end in the two-character “==” padding; single-“=” or unpadded strings are not caught, and since the class leaves out “+” and “/” the six characters before the padding must be alphanumeric):

  • Action: Highlight Text
  • Colors: Text White (my console default text is a lighter shade of grey), Background Black
[0-9A-Za-z]{6}==

Screen Shot 2018-01-15 at 08.15.29

Highlight suspected LM or NTLM hash (any run of 32 alphanumeric characters; the class is wider than hex, so 32-character session IDs and similar tokens will light up as well):

  • Action: Highlight Text
  • Colors: Yellow Text, Black Background
[0-9A-Za-z]{32}

Screen Shot 2018-01-15 at 08.15.04

Highlight a disabled LM hash (this is the LM hash of the empty password, which is what a dump shows when LM hash storage is turned off):

  • Action: Highlight Text
  • Colors: Dark Yellow Text, Black Background
aad3b435b51404eeaad3b435b51404ee

(See darker yellow hashes in example above)

Alert when an Empire agent checks-in for the first time:

  • Action: Post Notification
  • Message: Empire beacon check-in
\[\+\]\sInitial\sagent

Screen Shot 2018-01-15 at 08.10.00

Alert when Nmap is done scanning:

  • Action: Post Notification
  • Message: Nmap Scan Finished
#\sNmap\sdone\sat\s[A-Za-z]+\s[A-Za-z]+\s+[0-9]+\s[0-9]+:[0-9]+:[0-9]+\s[0-9]+

The timestamp is ctime() output, which pads a single-digit day with an extra space (“Jan  5” but “Jan 15”), so the gap after the month is \s+ rather than a fixed double space. The weekday and month classes are [A-Za-z]; the range A-z would also span the punctuation characters that sit between Z and a in ASCII.

Alert when a Meterpreter session opens:

  • Action: Post Notification
  • Message: Meterpreter Session Opened
\*\sMeterpreter\ssession\s[0-9]+\sopened

Alert when enum4linux is done:

  • Action: Post Notification
  • Message: Enum4Linux Complete
enum4linux\scomplete\son

Alert when Responder captures a hash:

  • Action: Post Notification
  • Message: Responder Hash Captured
\[[A-Zv0-2]*\]\s[A-Zv0-2\-]+\sHash

 
