ZSH Tricks and Aliases to Level up [Discussion]

This is a continuation of Useful Aliases in bash, but it’s 2020, and I have a bunch of aliases and functions I’ve been using to make my general life easier.

I use ZSH, but these additions can be transposed pretty easily to any shell.

In my .zshrc, the first trick I use is exporting wordlists, I’ve spoken about this before but I think it’s important to reiterate to those who haven’t used variables for common paths how helpful it can be.e

export BIG="~/Lists/SecLists/Discovery/Web-Content/big.txt"
export WEB="~/Lists/SecLists/Discovery/Web-Content/"
export DNS="~/Lists/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt"
export DIRS_LARGE="~/Lists/SecLists/Discovery/Web-Content/raft-large-directories.txt"
export DIRS_SMALL="~/Lists/SecLists/Discovery/Web-Content/raft-small-directories.txt"
export FILES_LARGE="~/Lists/SecLists/Discovery/Web-Content/raft-large-files.txt"
export FILES_SMALL="~/Lists/SecLists/Discovery/Web-Content/raft-small-files.txt"
export SECLISTS="~/Lists/SecLists/"

This means that I can do things such as ffuf -ac -w $FILES_LARGE https://host.com/, and not have to write out the entire path.

The next thing I have in my zshrc is:

alias hades="axiom-boxes new hades && axiom-init hades --restore=hades && axiom-ssh hades --tmux && axiom-backup hades && axiom
-rm hades -f"

This is a one-liner to start a VPS with my new tool, Axiom, a tool used for managing dynamic infrastructure. This one-liner will initialize a new instance, restore the last backup, and drop me into a tmux sessoin. Once I detach from the session, it will backup the machine (just the changes) and delete the box. As I only get charged when the machine is on, I can have multiple machines that I only initialize when I need it.

The beauty of dynamic infrastructure too is that I can spin this same machine up in any region at a moments notice, got a target that is located in San Francisco? Let me just tear down and put back up my scanning box in SFO2, oh we need to test London too? I can run

axiom-backup hades
axiom-region select lon1 <- work in progress ->
axiom-init hades-london --restore=hades

And then I have two identical machines, one in London, and one in San Francisco, when I’m done, I can tear them both down and back up their data. Should I want to restore my personal box to my work Digital Ocean for further work, I can do that too.

Eventually, I’m looking to expand to other cloud providers, I’m essentially trying to make portable cloud machine, where you control the data because you can just stop paying the provider and cancel the account at a moments notice.

But those are my handy aliases, this discussion is not just about me, what are your favourite aliases? And do we have any windows hackers on here with their shell tweaks? Share them all!


I’ll toss some in that make my life easier, though they’re more for convenience than anything.

I also use macOS for many of my general activity (and Linux or Windows once I need to go after specific things), so keep that in mind.

First off, whenever I get into a network, I run these first in the order they appear (stole them from a FireEye pentester I know). I poke around while they run, but I upload them to a custom Lair instance once they’re finished to get a good idea of what’s going on. You can run the last two together I guess, but it’s louder.

alias firedisc="sudo nmap -oA discovery --stats-every 60s --log-errors --traceroute --reason --randomize-hosts -Pn -v -R -PE -PP -PM -PO -PU -PY80,23,443,21,22,25,3389,110,445,139 -PS80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646 -PA80,23,443,21,22,25,3389,110,445,139,143,53,135,3306,8080,1723,111,995,993,5900,1025,587,8888,199,1720,465,548,113,81,6001,10000,514,5060,179,1026,2000,8443,8000,32768,554,26,1433,49152,2001,515,8008,49154,1027,5666,646 -sS -sV -p21,22,23,25,80,443,8080,8443"
alias firelive="grep 'Up' discovery.gnmap | awk '{print \$2}' > live.txt"
alias firetcp="sudo nmap -oA all_tcp_ports --stats-every 60s --log-errors --reason --randomize-hosts -v -R - Pn -A -sSVC -p0- -iL live.txt"
alias fireudp="sudo nmap -oA udp-top-100 --stats-every 60s --log-errors --reason --randomize-hosts -v -R -Pn -sUVC --top-ports 100 -iL live.txt"

I also use Docker when possible to avoid having to run a Kali VM for a single tool or deal with Python dependencies breaking:

alias dcup='sudo docker-compose up'
alias dkali='docker run -t -i kali/custom /bin/bash'
alias dtestssl='docker run --rm -ti drwetter/testssl.sh'
alias dwpscan='docker run -it --rm wpscanteam/wpscan'
alias dimpacket='docker run --rm -it rflathers/impacket sh'
alias dsniper='docker run --rm -it xerosecurity/sn1per /bin/bash'
alias dscout='docker run --rm -t -v /Users/saso/.aws:/root/.aws:ro -v "$(pwd)/results:/opt/scoutsuite-report" scoutsuite:latest aws'
alias dosme='docker run -it --rm mablanco/osmedeus /bin/bash'
alias dosmevol='docker run -it --rm --name osmedeus -v osmedeus_workspaces:/root/.osmedeus/workspaces mablanco/osmedeus /bin/bash'
alias demailgen='docker run -it a06bb5f8e079'
alias dmsf='docker run --rm -it -v "${HOME}/.msf4:/home/msf/.msf4" -p 8443-8500:8443-8500 metasploitframework/metasploit-framework ./msfconsole'
alias dshell="docker run --rm -i -t --entrypoint=/bin/bash"
alias dshellsh="docker run --rm -i -t --entrypoint=/bin/sh"
alias dk="docker kill"
alias dps='docker ps'
alias dv='docker volume'
alias di='docker images'

For when I inevitably need to deal with Python virtual environments:

# python2 aliases
alias pinstall='sudo /Users/saso/Library/Python/3.7/bin/pipenv install'
alias pshell='sudo /Users/saso/Library/Python/3.7/bin/pipenv shell'
# python3 aliases
alias pvc='sudo python3 -m venv venv'
alias pva='source venv/bin/activate'
alias pvd='deactivate'

Some other random things that make my life easier:

# get quick and dirty examples for a binary
# ex: "cheat grep"
function cheat () (
    curl cheat.sh/"$1";

# don't type out searchsploit all the time
alias ss='searchsploit'
alias ssm='searchsploit -m'
alias ssx='searchsploit -x'

Super basic, but they make me less irritated at the small stuff.


This is pretty freaking lit!

I’m actually in the middle of making an enumeration ‘framework’ of sorts that allows me to scan in the cloud and then pull down and parse the data.

It’s missed in the screenshot, but I did a ‘select uber.com

Going to be sharing these shortly!

1 Like