BASH Scripting Tutorial for Penetration Testers
The Bash shell (or any other shell, for that matter) is a very powerful scripting environment. On many occasions we need to automate an action or perform repetitive, time-consuming tasks. This is where Bash scripting comes in handy.
If you are not familiar with Bash scripting, it is best to learn the basics first, because this tutorial focuses on how Bash scripts can be used to automate some penetration testing work.
I will begin with a simple exercise. Assume you have been assigned the task of gathering as many EXAMPLE.com server names as possible while generating minimum traffic. Imagine you had to pay $200 for every kilobyte your computer generated for this task. While browsing the site, you notice that its main page contains links to many of its services, which are located on different servers. The exercise requires Linux Bash text manipulation in order to extract all the server names from the target site's main page.
Solution: Bash scripting to your rescue, and this tutorial walks you through it.
Step 1: Start by using wget to download the main page to your machine:
root@bt:~# wget http://example.com -O example.txt -o /dev/null
root@bt:~# ls -l example.txt
-rw-r--r-- 1 root root 54032 Oct 17 14:12 example.txt
Step 2: Extract the lines containing the string href=, which indicates that the line contains an HTTP link:
root@bt:~# grep 'href=' example.txt
This is still a mess, but you’re getting closer. A typical “good” line looks like this:
<a href="http://company.example.com/info/advertise.html" class="fLink">
Step 3: If you split this line using / as the delimiter, the third field should contain the server name.
root@bt:~# grep 'href=' example.txt | cut -d"/" -f3
This should give you a list of example.com servers. If you look closely at the output, you will notice that some rogue lines have found their way into the list. You want to filter out lines such as:
'+link2+'" target="_blank"><img src="http:
Step 4: Grep out all the non-relevant lines, sort the list, and remove duplicate entries:
root@bt:~# grep 'href=' example.txt | cut -d"/" -f3 |grep example.com |sort -u
blogs.example.com
c.example.com
chat.example.com
company.example.com
download.example.com
gallery.example.com
games.example.com
greetings.example.com
groups.example.com
people.example.com
search.example.com
www.example.com
root@bt:~#
Note that this method of extracting links from HTML pages is crude. The more elegant way of completing this exercise is to use a higher-level scripting language such as Python or Perl and to parse the HTML using regular expressions. This exercise simply demonstrates the power of the Bash environment.
Step 5: Now that you have the fully qualified domain names (FQDNs) of these servers, you are tasked with finding out their IP addresses. Using a simple Bash script and a loop, this task becomes a piece of cake: issue the host command for each FQDN found. Start by writing the server list to a text file.
root@bt:~# grep 'href=' example.txt | cut -d"/" -f3 |grep example.com |sort -u > example-srv.txt
root@bt:~#
Step 6: You can now write a short script that reads example-srv.txt and executes the host command for each line. Use your favorite text editor to write this script, findexample.sh:
#!/bin/bash
# Resolve every server name listed in example-srv.txt, one name per line.
for hostname in $(cat example-srv.txt); do
    host "$hostname"
done
Step 7: Don't forget to make this script executable before running it:
root@bt:~# chmod 755 findexample.sh
root@bt:~# ./findexample.sh
blogs.example.com is an alias for www.gwww.example.com.
www.gwww.example.com has address xxx.xxx.xxx.xxx
c.example.com is an alias for c.example.com.edgesuite.net.
c.example.com.edgesuite.net is an alias for a949.g.net.
a949.g.example.net has address xxx.xxx.xxx.xxx
a949.g.example.net has address xxx.xxx.xxx.xxx
chat.example.com is an alias for www.gwww.example.com.
www.gwww.example.com has address xxx.xxx.xxx.xxx
company.example.com is an alias for redirect.example.com.
redirect.example.com is an alias for redirect.gredirect.example.com.
people.example.com is an alias for www.gwww.example.com.
www.gwww.example.com has address xxx.xxx.xxx.xxx
search.example.com is an alias for search.gsearch.example.com.
search.gsearch.example.com has address xxx.xxx.xxx.xxx
www.example.com is an alias for www.gwww.example.com.
www.gwww.example.com has address xxx.xxx.xxx.xxx
root@bt:~#
Yes, the output is a mess. You need to improve the script. If you look at the output, you will see that most of the names are aliases for other names:
greetings.example.com is an alias for www.gwww.example.com.
You are interested in lines similar to this:
www.example.com has address xxx.xxx.xxx.xxx
Step 8: Filter for the lines that contain the string has address:
#!/bin/bash
# Resolve every server name and keep only the lines that carry an IP address.
for hostname in $(cat example-srv.txt); do
    host "$hostname" | grep "has address"
done
Once you run the script again, the output looks much better:
root@bt:~# ./findexample.sh
www.gwww.example.com has address xxx.xxx.xxx.xxx
a949.g.example.net has address xxx.xxx.xxx.xxx
a949.g.example.net has address xxx.xxx.xxx.xxx
www.gwww.example.com has address xxx.xxx.xxx.xxx
redirect.gredirect.example.com has address xxx.xxx.xxx.xxx
…
a1442.g.example.net has address xxx.xxx.xxx.xxx
www.gwww.example.com has address xxx.xxx.xxx.xxx
www.gwww.example.com has address xxx.xxx.xxx.xxx
www.gwww.example.com has address xxx.xxx.xxx.xxx
search.gsearch.example.com has address xxx.xxx.xxx.xxx
www.gwww.example.com has address xxx.xxx.xxx.xxx
root@bt:~#
Step 9: The final task in this exercise is to extract the IP addresses of these servers, again by using Bash text manipulation:
root@bt:~# ./findexample.sh > example-ips.txt
root@bt:~# cat example-ips.txt |cut -d" " -f4 |sort -u
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
xxx.xxx.xxx.xxx
root@bt:~#
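The whole exercise wrapped into one script, added here as an example and not the tutorial's own code: it runs the same grep/cut/sort pipeline against a constructed copy of the page and constructed host output, so it needs neither wget nor DNS, and resolve_servers is the only function that touches the network. The function and file names are my own.

```shell
#!/bin/bash
# Added example, not part of the original tutorial: the exercise's pipeline as
# functions, run against constructed data so it works offline (no wget, no DNS).
set -eu; export LC_ALL=C   # fail fast; byte-order sort keeps output stable

# Steps 2-4: keep href lines, take the 3rd '/'-separated field (the host part of
# an absolute URL), keep only example.com names, then sort and deduplicate.
extract_servers() {   # $1 = saved HTML page
    grep 'href=' "$1" | cut -d"/" -f3 | grep 'example\.com' | sort -u
}

# Steps 6-8: resolve each FQDN with host(1). Needs DNS, so the offline demo does
# not call it. `while read` avoids the word-splitting of `for h in $(cat ...)`.
resolve_servers() {   # $1 = file with one FQDN per line
    while IFS= read -r fqdn; do
        host "$fqdn" | grep "has address" || true   # no A record -> print nothing
    done < "$1"
}

# Step 9: keep the "has address" lines of host(1) output and return unique IPs.
extract_ips() {       # $1 = file holding host(1) output
    grep "has address" "$1" | cut -d" " -f4 | sort -u
}

# Constructed stand-in for example.txt; line 3 reproduces the tutorial's "rogue"
# line, and the relative link shows that the crude filter drops those as well.
make_sample_page() {  # $1 = output path
    cat > "$1" <<'EOF'
<a href="http://company.example.com/info/advertise.html" class="fLink">
<a href="http://blogs.example.com/" class="fLink">
<a href="http://'+link2+'" target="_blank"><img src="http://www.example.com/x.png">
<a href="/relative/path.html">
<a href="http://www.example.com/about.html">
EOF
}

# Constructed host(1) output (RFC 5737 documentation addresses, not real hosts).
make_sample_host_output() {  # $1 = output path
    cat > "$1" <<'EOF'
blogs.example.com is an alias for www.gwww.example.com.
www.gwww.example.com has address 192.0.2.10
company.example.com is an alias for redirect.example.com.
redirect.example.com has address 192.0.2.20
www.example.com is an alias for www.gwww.example.com.
www.gwww.example.com has address 192.0.2.10
EOF
}
# Offline demo: both halves of the pipeline on the constructed inputs.
workdir=$(mktemp -d); make_sample_page "$workdir/example.txt"; make_sample_host_output "$workdir/host.txt"
extract_servers "$workdir/example.txt"; extract_ips "$workdir/host.txt"; rm -rf "$workdir"
```

Running it prints the three deduplicated server names followed by the two unique addresses; swap the constructed host output for `resolve_servers example-srv.txt > host.txt` when DNS is available.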
This is all for this Bash scripting tutorial. Please post in the comments if you need help with Bash scripting in some other scenario.
Wai Yan Phyo says
Dear Sir,
May I know more details about bash scripting knowledge? Thanks always sir!
Vanshit Malhotra says
Bash scripting can be learnt from lots of online sources. There is no specific one I recommend. Take challenges and google where you get stuck!! Code … code … code …. That is the best way to learn Bash.