Logging terminal session - continued

Viewing the logs of your saved terminal session

As mentioned in my previous article about logging the terminal session, it would be very nice to have the date time echo-ed regularly, to be able to find your way in the log-file.

Ofcourse we won’t be doing the date -I command ourselfs. I’ll show you an automated way of doing it and show you how to retrieve a list of commands from the log-files with the time you executed them.

Customize Bash Prompt

In Bash, we can customize the prompt as you want by changing the value of PS1 environment variable.

Usually, the BASH prompt will look something like this.

root@kali:~$

Here root is the username, and kali is the hostname. The ~ is the current path, where ~ stands for the home directory of the user.

PLEASE NOTE

Please make a copy of your .bashrc file now.
$ cp ~/.bashrc ~/.bashrc.bak

When you test your change, start a new bash shell and leave your current shell running to recover any mistakes.

You can view your current bash prompt as follows:

echo $PS1

The bash prompt even supports colors, date and time and more. Below some of the many options for your prompt:

 \u    username-aligned
 \h    hostname
 \H    FQDN
 \s    shell name
 \v    shell version
 \t    current time in 24-hour HH:MM:SS format
 \T    current time in 12-hour HH:MM:SS format
 \@    current time in 12-hour am/pm format
 \A    current time in 24-hour HH:MM format

Add the time to your prompt

Adding the current time to the bash prompt, would solve our problem. After each command the prompt is shown with the current time. With some bash-fu, we will be able to extract the executed command and the time it was executed.

So, to prefix the current prompt with the current time in 24 hour format, you can add \A in front of the PS1 variable. Let’s separate the time from the original prompt with the ‘=’ character. At the bottom of your .bashrc file you can add the following:

export PS1 = '\A=' + $PS1

Retrieve commands from logfile

Now, retrieving the command and time from the logfile, becomes really easy.

root@kali:~# sed -n -e '/^[0-9]*:[0-9]*/p' logfile
21:06=root@kali:~# xload --help
21:07=root@kali:~# xload -update 1 -bg black -fg yellow -hl blue -geometry 200x60
21:08=root@kali:~# exit
root@kali:~#

Hide the time

Okay, we’ve archieved our goal, but I really loved my old prompt. Can’t we fix this, without changing the prompt.

Ofcourse we can, sort of… We could print the time, and then print a bunch of backspace characters, so the time is printed, but doesn’t show… Printing a backspace, can be done with \010.

export PS1="\A=\010\010\010\010\010\010$PS1"

When we try to filter out only the time and command, we will use a space as separator and some extra characters to get the layout exactely right.

export PS1="\A= \010\010\010\010\010\010\010 \010$PS1"

Now we can use sed and cut to get an overview of which commands are executed at what time:

root@kali:~# sed -n -e '/^[0-9]*:[0-9]*/p' logfile | cut -d' ' -f1,3-
21:06=root@kali:~# xload --help
21:07=root@kali:~# xload -update 1 -bg black -fg yellow -hl blue -geometry 200x60
21:08=root@kali:~# exit
root@kali:~#

Wrap up

So now we can easily check what commands a logfile contains and at what time the commands are executed. Perfectly for writing a detailed report.

Posts you may also enjoy

Just received the email this morning that I passed the Penetration Testing with Kali Linux exam and obtained my Offensive Security Certified Professional (OSCP) certification. Hooray!

On many trips and holidays I find public Wi-Fi hotspots, e.g. in hotels or bars, which use a “captive portal” where you have to authenticate before you are allowed to access the internet.

With the new Kali 2019.4 release, Kali comes with an ‘undercover’ mode which make the Kali desktop look like Windows 10.

Many times I’ve used Netcat to setup (reverse) shell from a compromised machine. Digging into services lately, I thought why not use a service to make Netcat a persistent to be able to return to the machine.