Anbu

 

Anbu is a CLI tool that helps perform everyday tasks in an expert way. Just like the Anbu Black Ops division in Naruto, this tool helps carry out all the shadow-operations in your daily workflow.

Installation • Usage • Acknowledgements • Tips & Tricks

A summary of everything that Anbu can perform:

Operation	Details
Time Operations	Display current time in various formats, calculate time differences, and parse time strings
Secrets Management	Securely store, retrieve, and serve secrets with encryption at rest
Network Tunneling	Create TCP and SSH tunnels (forward and reverse) to securely access remote services
Simple HTTP/HTTPS Server	Host a simple webserver over HTTP/HTTPS with optional file upload capability
Secrets Scan	Find common secrets in file systems using regular expressions
IP Information	Display local and public IP details, including geolocation information
Bulk Rename	Batch rename files or directories using regular expression patterns
Data & Encoding Conversion	Convert between data formats (YAML/JSON), decode JWTs, and handle various encodings (Base64, Hex, URL)
File Encryption/Decryption	Secure file encryption and decryption with AES-256-GCM symmetric encryption
RSA Key Pair Generation	Create RSA key pairs for encryption or SSH authentication
String Generation	Generate random strings, UUIDs, passwords, and passphrases for various purposes
Google Drive Interaction	Interact with Google Drive to list, upload, and download files and folders
Box Interaction	Interact with Box.com to list, upload, and download files and folders
File System Synchronization	Synchronize files between client and server using WebSocket with real-time change propagation
Neo4j Database Interaction	Execute Cypher queries against Neo4j databases from command line or YAML files

Installation

• Download directly from RELEASES. Anbu is available for AMD64 and ARM64 for Linux and MacOS.
• To build latest commit directly via Go, use:

  go install github.com/tanq16/anbu@latest

• To clone and build locally for development, use:

  git clone https://github.com/tanq16/anbu.git && \
  cd anbu && \
  go build .

Usage

Anbu supports a large number of operations across the board. All commands support the --debug flag to enable debug logging.

The specific details of each are:

• Time Operations (alias: t)

  anbu time          # prints time in various formats
  anbu time now      # prints time in various formats
  anbu time purple   # print time and public IP for purple teams
  anbu time diff -e 1744192475 -e 1744497775  # print time difference between 2 epochs
  anbu time parse -t "13 Apr 25 16:30 EDT"  # read given time and print in multiple formats
  anbu time parse -t "13 Apr 25 16:30 EDT" -p purple  # parse time and print in purple team format
  anbu time until -t "13 Apr 25 16:30 EDT"  # read time and print difference from now

• Secrets Management (alias: p)

  anbu pass list  # List all secrets
  
  # Managing Secrets (Password asked or from ANBUPW env var)
  anbu pass add API_KEY     # Create a new secret (encrypted with AES GCM at rest)
  anbu pass add API_KEY -m  # Create a new multi-line secret
  anbu pass get API_KEY     # Retrieve a secret (decrypted value)
  anbu pass delete API_KEY  # Delete a secret
  
  # Import and Export to file
  anbu pass export backup.json  # Export to a file (secrets are decrypted)
  anbu pass import backup.json  # Import from a file
  
  # Serve secrets over an API
  anbu pass serve
  # Interact with a remote server
  anbu pass --remote http://127.0.0.1:8080 list

• Network Tunneling

  # forward TCP tunnels
  anbu tunnel tcp -l localhost:8000 -r example.com:80
  anbu tunnel tcp -l localhost:4430 -r example.com:443 --tls --insecure
  
  # forward SSH tunnels
  anbu tunnel ssh -l localhost:8000 -r target.com:3306 -s ssh.vm.com:22 -u bob -p "builder"
  anbu tunnel ssh -l localhost:8000 -r target.com:3306 -s ssh.vm.com:22 -u bob -k ~/.ssh/mykey
  
  # reverse SSH tunnels
  anbu tunnel rssh -l localhost:3389 -r 0.0.0.0:8080 -s ssh.vm.com:22 -u bob -p "builder"

• Simple HTTP/HTTPS Server

  anbu http-server                     # Serves current directory on http://localhost:8000
  anbu http-server -l 0.0.0.0:8080 -t  # Serve HTTPS on given add:port with a self-signed cert
  anbu http-server -t --domain my.dev  # Serve HTTPS with a specific domain in the cert
  anbu http-server -u                  # Enables file upload via PUT requests

• Secrets Scan

  anbu secret-scan                 # Scans current directory for secrets based on regex matches
  anbu secret-scan ./path/to/scan  # Scans path for secrets based on regex matches
  anbu secret-scan ./path -p       # Scans path with generic matches table (maybe false positive)

• IP Information (alias: ip)

  anbu ip-info      # Print local and public IP information
  anbu ip-info -6   # Print local (IPv4 & IPv6) and public IP information

• Bulk Rename

  anbu rename 'prefix_(.*)' 'new_\1'        # Rename files matching regex pattern
  anbu rename -d 'old_(.*)' 'new_\1'        # Rename directories instead of files
  anbu rename '(.*)\.(.*)' '\1_backup.\2'   # Add _backup before extension
  anbu rename 'image-(\d+).jpg' 'IMG_\1.jpeg' -r # Perform a dry-run without renaming

• Data & Encoding Conversion (alias: c)

  # File format conversion
  anbu convert yaml-json config.yaml  # Convert YAML file to JSON
  anbu convert json-yaml data.json    # Convert JSON file to YAML
  
  # Encoding conversion
  anbu convert b64 "Hello World"              # Convert text to base64
  anbu convert b64d "SGVsbG8gV29ybGQ="        # Decode base64 to text
  anbu convert hex "Hello World"              # Convert text to hex
  anbu convert hexd "48656c6c6f20576f726c64"  # Decode hex to text
  anbu convert url "Hello World"              # URL encode text
  anbu convert urld "Hello%20World"           # URL decode text
  
  # Cross-encoding conversion
  anbu convert b64-hex "SGVsbG8gV29ybGQ="        # Convert base64 to hex
  anbu convert hex-b64 "48656c6c6f20576f726c64"  # Convert hex to base64
  
  # JWT Decoding
  anbu convert jwtd "$TOKEN"  # Decodes and prints the headers and payload

• File Encryption/Decryption (alias: fc)

  anbu file-crypt /path/to/file.zip -p "P@55w0rd"    # Encrypt a file
  anbu file-crypt /path/to/encrypted.enc -p "P@55w0rd" -d # Decrypt a file

• RSA Key Pair Generation

  anbu key-pair -o mykey -k 4096  # 4096 bit RSA key pair in PEM format
  anbu key-pair -s -o anbu-key    # 2048 bit RSA key pair in OpenSSH format

• String Generation (alias: s)

  anbu string 23               # generate 23 (100 if not specified) random alphanumeric chars
  anbu string seq 29           # prints "abcdefghijklmnopqrstuvxyz" until desired length
  anbu string rep 23 str2rep   # prints "str2repstr2rep...23 times"
  
  anbu string uuid     # generates a uuid
  anbu string ruid 16  # generates a short uuid of length b/w 1-32
  anbu string suid     # generates a short uuid of length 18
  
  anbu string password           # generate a 12-character complex password
  anbu string password 16        # generate a 16-character complex password
  anbu string password 8 simple  # generate an 8-letter lowercase password
  
  anbu string passphrase               # generate a 3-word passphrase with hyphens
  anbu string passphrase 5             # generate a 5-word passphrase with hyphens
  anbu string passphrase 4 '@'         # generate a 4-word passphrase with a custom separator

• Google Drive Interaction (alias: gd)

  # Set up credentials by placing credentials.json at ~/.anbu-gdrive-credentials.json or pass with --credentials flag
  anbu gdrive -c path/to/credentials.json list
  
  # List files and folders (defaults to root 'My Drive')
  anbu gdrive list
  anbu gd ls "My Folder"
  
  # Upload a file or folder (defaults uploading to root 'My Drive' when not specified)
  anbu gdrive upload local-file.txt "My Folder"
  anbu gd up-f local-folder # uploads to root
  
  # Download a file or folder to the current working directory
  anbu gdrive download "My Drive Folder/remote-file.txt"
  anbu gd dl-f "My Drive Folder/remote-folder"

• Box Interaction

  # Set up credentials by placing credentials.json at ~/.anbu-box-credentials.json or pass with --credentials flag
  anbu box -c path/to/credentials.json list
  
  # List files and folders (defaults to root folder)
  anbu box list
  anbu box ls "My Folder"
  
  # Upload a file or folder (defaults uploading to root when not specified)
  anbu box upload local-file.txt "My Folder"
  anbu box up-f local-folder # uploads to root
  
  # Download a file or folder to the current working directory
  anbu box download "My Folder/remote-file.txt"
  anbu box dl-f "My Folder/remote-folder"

• File System Synchronization

  # Run the fs-sync server (maintains source of truth)
  anbu fs-sync server -p 8080 -d /path/to/sync/dir
  anbu fs-sync server --port 8080 --dir ./sync-dir --ignore ".git/*,*.tmp"
  
  # Run the fs-sync client (connects to server and syncs)
  anbu fs-sync client -a ws://server.example.com:8080/ws -d /path/to/local/dir
  anbu fs-sync client --addr wss://file.sync.com/ws --dir ./local-dir --ignore "node_modules/*,*.log"

• Neo4j Database Interaction

  # Execute a single Cypher query
  anbu neo4j -q "MATCH (n) RETURN n LIMIT 5"
  anbu neo4j -r neo4j://localhost:7687 -u neo4j -p password -d neo4j -q "MATCH (n) RETURN count(n)"
  
  # Execute queries from a YAML file (multi-line queries supported using '|' in YAML)
  anbu neo4j --query-file ./queries.yaml --output-file results.json
  
  # Execute write queries (CREATE, UPDATE, DELETE, etc.)
  anbu neo4j --write -q "CREATE (n:Person {name: 'Alice'}) RETURN n"
  
  # Custom connection settings
  anbu neo4j -r neo4j+s://example.com:7687 -u admin -p secret -d mydb -q "MATCH (n) RETURN n" -o output.json

Tips & Tricks

Connecting Two NAT-hidden Machines via Public VPS

Machine A →

anbu tunnel rssh -l localhost:3389 -r 0.0.0.0:8001 -s vps.example.com:22 -u bob -p builder

Machine B →

anbu tunnel ssh -l localhost:3389 -r localhost:8001 -s vps.example.com:22 -u bob -p builder

Now, connecting to localhost:3389 on Machine B will allow access to Machine A's 3389.

Creating a Secure Database (or service) Connection Tunnel

When working with remote databases or services that don't allow direct access, this method can enable connections. Create an SSH tunnel to the database server:

anbu tunnel ssh -l localhost:3306 -r db.internal.network:3306 -s jumpbox.vpn.com:22 -u bob -p builder

Now, connect your database client to localhost:3306, which will forward requests via the SSH forward proxy through the jumphost:

mysql -u dbuser -p -h localhost -P 3306

This allows a connection to restricted databases while maintaining security best practices.

Use Anbu within Shell Commands

It's quite helpful to use Anbu within shell commands for simple things like UUIDs or for more sensitive things like secrets. Imagine a shell script that requires a username and password:

hypothetical --neo4j-username neo4j --neo4j-password sensitive

Using such commands leaves credentials within the shell history and is not safe for screen sharing. Instead of exposing secrets here, we can use anbu:

hypothetical --neo4j-username $(anbu pass get n4jun) --neo4j-password $(anbu pass get neo4jpw)

Furthermore, you can create an alias for anbu as a and use it to say generate a UUID like so:

hypothetical_command --uuid $(a s uuid)

Creating Google Drive API Credentials

To use the gdrive command, you need to create OAuth 2.0 credentials. Here’s how to do it:

1. Go to the Google Cloud Console: Navigate to https://console.cloud.google.com/ and create a new project (or select an existing one).
2. Enable the Google Drive API: In the project dashboard, search for "Google Drive API" and enable it.
3. Create OAuth Credentials:
   • Go to APIs & Services > Credentials.
   • Click Create Credentials > OAuth client ID.
   • Select Desktop app as the application type.
   • Give it a name and click Create.
4. Download Credentials:
   • After creation, a dialog will show your client ID and secret. Click Download JSON to save the credentials.json file.
   • Place this file at ~/.anbu-gdrive-credentials.json or provide its path using the --credentials flag.
5. Publish the App:
   • In the OAuth consent screen tab, you need to configure the consent screen. For personal use, you can keep it in "Testing" mode and add your Google account as a test user.
   • If you want to allow other users, you must publish the app, which may require verification by Google.

Authentication Flow:

When you run a gdrive command for the first time, anbu will:

1. Print a URL to your console.
2. Open this URL in your web browser. You will be prompted to sign in with your Google account.
3. Since the app is not verified by Google, you will see a warning screen. Click Advanced and then Go to (unsafe) to proceed.
4. After you grant permission, the browser will redirect to a localhost address, which will likely fail to load. This is expected.
5. Copy the authorization code from the URL in your browser’s address bar (it will be a long string in the code parameter).
6. Paste this code back into the terminal where anbu is waiting.

anbu will then use this code to get an access token and refresh token, which it will store for future use.

Creating Box API Credentials

To use the box command, you need to create OAuth 2.0 credentials. Here's how to do it:

1. Go to the Box Developer Console: Navigate to Developer Console and sign in with your Box account.
2. Create a New App:
   • Click Create Platform App and then Custom App,
   • Name it and choose User Authentication (OAuth 2.0).
3. Configure OAuth Settings:
   • Go to the Configuration tab of the new app.
   • Under OAuth 2.0 Credentials, copy and store your Client ID and Client Secret.
   • Add http://localhost:8080 as a Redirect URI.
   • Enable the option for Write all files and folders stored in Box.
4. Create Credentials File:
   • Create a JSON file with the following structure:

     {
       "client_id": "your_client_id",
       "client_secret": "your_client_secret"
     }

   • Save this file as ~/.anbu-box-credentials.json or provide its path using the --credentials flag.

Authentication Flow:

When you run a box command for the first time, anbu will:

1. Print a URL to your console. Open this in your web browser. You will be prompted to sign in with Box.
2. After granting permission, the browser will redirect to a localhost address, which will fail to load. This is expected.
3. Copy the full redirect URL from the address bar (it looks like http://localhost:8080/?code=...&state=...).
4. Paste the URL back into the terminal where anbu is waiting.

anbu will then use this URL to extract the authorization code and exchange it for an access token and refresh token, which will be stored for future use. Future commands will not require the credentials flag.

Acknowledgements

Anbu takes inspiration from the following projects:

• GoST
• SimpleHTTPServer
• TruffleHog, GitLeaks, and NoseyParker for secret regular expressions