Basic bash scripting for penetration testers

When it comes to pen testing from a Linux distro, bash scripting can really speed things up: you can quickly create scripts on the fly to support your assessment.

Example 1:

So let's say I want to do a quick ping sweep using nmap. I am going to use the -oG switch to write a grepable output file.

nmap -sP 10.10.101.0/24 -oG ipaddr.txt

Let's display the contents of ipaddr.txt.

cat ipaddr.txt 
# Nmap 5.51 scan initiated Sat Jul 30 16:07:02 2011 as: nmap -v -sP -oG ipaddr.txt 10.10.101.0/24
# Ports scanned: TCP(0;) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.101.0 ()	Status: Down
Host: 10.10.101.1 ()	Status: Down
Host: 10.10.101.2 ()	Status: Down
Host: 10.10.101.3 ()	Status: Down
Host: 10.10.101.4 ()	Status: Down
Host: 10.10.101.5 ()	Status: Down
Host: 10.10.101.6 ()	Status: Down
Host: 10.10.101.7 ()	Status: Down
Host: 10.10.101.8 ()	Status: Down
Host: 10.10.101.9 ()	Status: Down
Host: 10.10.101.10 ()	Status: Down
Host: 10.10.101.11 ()	Status: Up
Host: 10.10.101.12 ()	Status: Down
Host: 10.10.101.13 ()	Status: Up
Host: 10.10.101.14 ()	Status: Down
Host: 10.10.101.15 ()	Status: Down
Host: 10.10.101.16 ()	Status: Down
Host: 10.10.101.17 ()	Status: Down
Host: 10.10.101.18 ()	Status: Down
Host: 10.10.101.19 ()	Status: Down
Host: 10.10.101.20 ()	Status: Down
Host: 10.10.101.21 ()	Status: Down
Host: 10.10.101.22 ()	Status: Down
Host: 10.10.101.23 ()	Status: Down
Host: 10.10.101.24 ()	Status: Down
Host: 10.10.101.25 ()	Status: Down
Host: 10.10.101.26 ()	Status: Down
Host: 10.10.101.27 ()	Status: Down
Host: 10.10.101.28 ()	Status: Down
Host: 10.10.101.29 ()	Status: Down
Host: 10.10.101.30 ()	Status: Down
Host: 10.10.101.31 ()	Status: Down
Host: 10.10.101.32 ()	Status: Down
Host: 10.10.101.33 ()	Status: Down
Host: 10.10.101.34 ()	Status: Down
Host: 10.10.101.35 ()	Status: Down
Host: 10.10.101.36 ()	Status: Down
Host: 10.10.101.37 ()	Status: Down
Host: 10.10.101.38 ()	Status: Down
Host: 10.10.101.39 ()	Status: Down
Host: 10.10.101.40 ()	Status: Down
Host: 10.10.101.41 ()	Status: Down
Host: 10.10.101.42 ()	Status: Down
Host: 10.10.101.43 ()	Status: Down
Host: 10.10.101.44 ()	Status: Down
Host: 10.10.101.45 ()	Status: Down
Host: 10.10.101.46 ()	Status: Down
Host: 10.10.101.47 ()	Status: Down
Host: 10.10.101.48 ()	Status: Down
Host: 10.10.101.49 ()	Status: Down
Host: 10.10.101.50 ()	Status: Down
Host: 10.10.101.51 ()	Status: Down
Host: 10.10.101.52 ()	Status: Down
Host: 10.10.101.53 ()	Status: Down
Host: 10.10.101.54 ()	Status: Down
Host: 10.10.101.55 ()	Status: Down
Host: 10.10.101.56 ()	Status: Down
Host: 10.10.101.57 ()	Status: Down
Host: 10.10.101.58 ()	Status: Down
Host: 10.10.101.59 ()	Status: Down
Host: 10.10.101.60 ()	Status: Up
Host: 10.10.101.61 ()	Status: Down
Host: 10.10.101.62 ()	Status: Down
Host: 10.10.101.63 ()	Status: Down
Host: 10.10.101.64 ()	Status: Down
Host: 10.10.101.65 ()	Status: Down
Host: 10.10.101.66 ()	Status: Down
Host: 10.10.101.67 ()	Status: Down
Host: 10.10.101.68 ()	Status: Down
Host: 10.10.101.69 ()	Status: Down
Host: 10.10.101.70 ()	Status: Down
Host: 10.10.101.71 ()	Status: Down
Host: 10.10.101.72 ()	Status: Down
Host: 10.10.101.73 ()	Status: Down
Host: 10.10.101.74 ()	Status: Down
Host: 10.10.101.75 ()	Status: Down
Host: 10.10.101.76 ()	Status: Down
Host: 10.10.101.77 ()	Status: Down
Host: 10.10.101.78 ()	Status: Down
Host: 10.10.101.79 ()	Status: Down
Host: 10.10.101.80 ()	Status: Down
Host: 10.10.101.81 ()	Status: Down
Host: 10.10.101.82 ()	Status: Down
Host: 10.10.101.83 ()	Status: Down
Host: 10.10.101.84 ()	Status: Down
Host: 10.10.101.85 ()	Status: Down
Host: 10.10.101.86 ()	Status: Down
Host: 10.10.101.87 ()	Status: Down
Host: 10.10.101.88 ()	Status: Down
Host: 10.10.101.89 ()	Status: Down
Host: 10.10.101.90 ()	Status: Down
Host: 10.10.101.91 ()	Status: Down
Host: 10.10.101.92 ()	Status: Down
Host: 10.10.101.93 ()	Status: Down
Host: 10.10.101.94 ()	Status: Down
Host: 10.10.101.95 ()	Status: Down
Host: 10.10.101.96 ()	Status: Down
Host: 10.10.101.97 ()	Status: Down
Host: 10.10.101.98 ()	Status: Down
Host: 10.10.101.99 ()	Status: Down
Host: 10.10.101.100 ()	Status: Down
Host: 10.10.101.101 ()	Status: Up
Host: 10.10.101.102 ()	Status: Down
Host: 10.10.101.103 ()	Status: Down
Host: 10.10.101.104 ()	Status: Down
Host: 10.10.101.105 ()	Status: Down
Host: 10.10.101.106 ()	Status: Down
Host: 10.10.101.107 ()	Status: Down
Host: 10.10.101.108 ()	Status: Down
Host: 10.10.101.109 ()	Status: Down
Host: 10.10.101.110 ()	Status: Down
Host: 10.10.101.111 ()	Status: Down
Host: 10.10.101.112 ()	Status: Down
Host: 10.10.101.113 ()	Status: Down
Host: 10.10.101.114 ()	Status: Down
Host: 10.10.101.115 ()	Status: Down
Host: 10.10.101.116 ()	Status: Down
Host: 10.10.101.117 ()	Status: Down
Host: 10.10.101.118 ()	Status: Down
Host: 10.10.101.119 ()	Status: Down
Host: 10.10.101.120 ()	Status: Down
Host: 10.10.101.121 ()	Status: Down
Host: 10.10.101.122 ()	Status: Down
Host: 10.10.101.123 ()	Status: Down
Host: 10.10.101.124 ()	Status: Down
Host: 10.10.101.125 ()	Status: Down
Host: 10.10.101.126 ()	Status: Down
Host: 10.10.101.127 ()	Status: Down
Host: 10.10.101.128 ()	Status: Down
Host: 10.10.101.129 ()	Status: Down
Host: 10.10.101.130 ()	Status: Down
Host: 10.10.101.131 ()	Status: Down
Host: 10.10.101.132 ()	Status: Down
Host: 10.10.101.133 ()	Status: Down
Host: 10.10.101.134 ()	Status: Down
Host: 10.10.101.135 ()	Status: Down
Host: 10.10.101.136 ()	Status: Down
Host: 10.10.101.137 ()	Status: Down
Host: 10.10.101.138 ()	Status: Down
Host: 10.10.101.139 ()	Status: Down
Host: 10.10.101.140 ()	Status: Down
Host: 10.10.101.141 ()	Status: Down
Host: 10.10.101.142 ()	Status: Down
Host: 10.10.101.143 ()	Status: Down
Host: 10.10.101.144 ()	Status: Down
Host: 10.10.101.145 ()	Status: Down
Host: 10.10.101.146 ()	Status: Down
Host: 10.10.101.147 ()	Status: Down
Host: 10.10.101.148 ()	Status: Down
Host: 10.10.101.149 ()	Status: Down
Host: 10.10.101.150 ()	Status: Down
Host: 10.10.101.151 ()	Status: Down
Host: 10.10.101.152 ()	Status: Down
Host: 10.10.101.153 ()	Status: Down
Host: 10.10.101.154 ()	Status: Down
Host: 10.10.101.155 ()	Status: Down
Host: 10.10.101.156 ()	Status: Down
Host: 10.10.101.157 ()	Status: Down
Host: 10.10.101.158 ()	Status: Down
Host: 10.10.101.159 ()	Status: Down
Host: 10.10.101.160 ()	Status: Down
Host: 10.10.101.161 ()	Status: Down
Host: 10.10.101.162 ()	Status: Down
Host: 10.10.101.163 ()	Status: Down
Host: 10.10.101.164 ()	Status: Down
Host: 10.10.101.165 ()	Status: Down
Host: 10.10.101.166 ()	Status: Down
Host: 10.10.101.167 ()	Status: Down
Host: 10.10.101.168 ()	Status: Down
Host: 10.10.101.169 ()	Status: Down
Host: 10.10.101.170 ()	Status: Down
Host: 10.10.101.171 ()	Status: Down
Host: 10.10.101.172 ()	Status: Down
Host: 10.10.101.173 ()	Status: Down
Host: 10.10.101.174 ()	Status: Down
Host: 10.10.101.175 ()	Status: Down
Host: 10.10.101.176 ()	Status: Down
Host: 10.10.101.177 ()	Status: Down
Host: 10.10.101.178 ()	Status: Down
Host: 10.10.101.179 ()	Status: Down
Host: 10.10.101.180 ()	Status: Down
Host: 10.10.101.181 ()	Status: Down
Host: 10.10.101.182 ()	Status: Down
Host: 10.10.101.183 ()	Status: Down
Host: 10.10.101.184 ()	Status: Down
Host: 10.10.101.185 ()	Status: Down
Host: 10.10.101.186 ()	Status: Down
Host: 10.10.101.187 ()	Status: Down
Host: 10.10.101.188 ()	Status: Down
Host: 10.10.101.189 ()	Status: Down
Host: 10.10.101.190 ()	Status: Down
Host: 10.10.101.191 ()	Status: Down
Host: 10.10.101.192 ()	Status: Down
Host: 10.10.101.193 ()	Status: Down
Host: 10.10.101.194 ()	Status: Down
Host: 10.10.101.195 ()	Status: Down
Host: 10.10.101.196 ()	Status: Down
Host: 10.10.101.197 ()	Status: Down
Host: 10.10.101.198 ()	Status: Down
Host: 10.10.101.199 ()	Status: Down
Host: 10.10.101.200 ()	Status: Down
Host: 10.10.101.201 ()	Status: Down
Host: 10.10.101.202 ()	Status: Down
Host: 10.10.101.203 ()	Status: Down
Host: 10.10.101.204 ()	Status: Down
Host: 10.10.101.205 ()	Status: Down
Host: 10.10.101.206 ()	Status: Down
Host: 10.10.101.207 ()	Status: Down
Host: 10.10.101.208 ()	Status: Down
Host: 10.10.101.209 ()	Status: Down
Host: 10.10.101.210 ()	Status: Down
Host: 10.10.101.211 ()	Status: Down
Host: 10.10.101.212 ()	Status: Down
Host: 10.10.101.213 ()	Status: Down
Host: 10.10.101.214 ()	Status: Down
Host: 10.10.101.215 ()	Status: Down
Host: 10.10.101.216 ()	Status: Down
Host: 10.10.101.217 ()	Status: Down
Host: 10.10.101.218 ()	Status: Down
Host: 10.10.101.219 ()	Status: Down
Host: 10.10.101.220 ()	Status: Down
Host: 10.10.101.221 ()	Status: Down
Host: 10.10.101.222 ()	Status: Down
Host: 10.10.101.223 ()	Status: Down
Host: 10.10.101.224 ()	Status: Down
Host: 10.10.101.225 ()	Status: Down
Host: 10.10.101.226 ()	Status: Down
Host: 10.10.101.227 ()	Status: Down
Host: 10.10.101.228 ()	Status: Down
Host: 10.10.101.229 ()	Status: Down
Host: 10.10.101.230 ()	Status: Down
Host: 10.10.101.231 ()	Status: Down
Host: 10.10.101.232 ()	Status: Down
Host: 10.10.101.233 ()	Status: Down
Host: 10.10.101.234 ()	Status: Down
Host: 10.10.101.235 ()	Status: Down
Host: 10.10.101.236 ()	Status: Down
Host: 10.10.101.237 ()	Status: Down
Host: 10.10.101.238 ()	Status: Down
Host: 10.10.101.239 ()	Status: Down
Host: 10.10.101.240 ()	Status: Down
Host: 10.10.101.241 ()	Status: Down
Host: 10.10.101.242 ()	Status: Down
Host: 10.10.101.243 ()	Status: Down
Host: 10.10.101.244 ()	Status: Down
Host: 10.10.101.245 ()	Status: Down
Host: 10.10.101.246 ()	Status: Down
Host: 10.10.101.247 ()	Status: Down
Host: 10.10.101.248 ()	Status: Down
Host: 10.10.101.249 ()	Status: Down
Host: 10.10.101.250 ()	Status: Down
Host: 10.10.101.251 ()	Status: Down
Host: 10.10.101.252 ()	Status: Down
Host: 10.10.101.253 ()	Status: Down
Host: 10.10.101.254 ()	Status: Down
Host: 10.10.101.255 ()	Status: Down
# Nmap done at Sat Jul 30 16:07:05 2011 -- 256 IP addresses (4 hosts up) scanned in 3.16 seconds

We are only concerned with the hosts that are alive, so how do we quickly get a listing of just the hosts that are up?
Like this:

cat ipaddr.txt | grep Up | cut -d" " -f2
10.10.101.11
10.10.101.13
10.10.101.60
10.10.101.101

This command cats the contents of ipaddr.txt, uses grep to show only the lines matching the keyword Up, then uses cut with a space as the delimiter to display only field 2. The result is a clean listing of IP addresses.
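As an added example that is not part of the original post, here is the same extraction done with awk inside a reusable function, matching on the whole "Status: Up" field rather than the bare word Up, plus a check that the number of addresses parsed agrees with the "(N hosts up)" figure nmap prints in its trailer line. The sample -oG file is constructed inline and the function names are my own.

```shell
#!/bin/bash
# Added example (not from the original post): parse nmap -oG output into a
# list of live hosts and cross-check it against nmap's own summary line.

# up_hosts <file>: print one IP per line for every "Status: Up" record.
# Matching the full "Status: Up" field avoids false hits on a hostname that
# happens to contain "Up"; $2 is always the address in -oG output, even when
# a resolved name follows it in parentheses.
up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }' "$1"
}

# up_count_reported <file>: the N from "(N hosts up)" (or "(1 host up)") in
# nmap's trailer comment.
up_count_reported() {
    sed -n 's/.*(\([0-9][0-9]*\) hosts\{0,1\} up).*/\1/p' "$1"
}

# check_sweep <file>: succeed only when the parsed list agrees with the trailer.
check_sweep() {
    local parsed reported
    parsed=$(up_hosts "$1" | wc -l | tr -d ' ')
    reported=$(up_count_reported "$1")
    [ -n "$reported" ] && [ "$parsed" -eq "$reported" ]
}

# Constructed sample in nmap's -oG format; one line carries a resolved
# hostname to show that the second field is still the address.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# Nmap 5.51 scan initiated Sat Jul 30 16:07:02 2011 as: nmap -v -sP -oG ipaddr.txt 10.10.101.0/24
# Ports scanned: TCP(0;) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.10.101.10 () Status: Down
Host: 10.10.101.11 (gw.example.test) Status: Up
Host: 10.10.101.13 () Status: Up
Host: 10.10.101.60 () Status: Up
Host: 10.10.101.101 () Status: Up
# Nmap done at Sat Jul 30 16:07:05 2011 -- 256 IP addresses (4 hosts up) scanned in 3.16 seconds
EOF

up_hosts "$SAMPLE"
check_sweep "$SAMPLE" && echo "parsed list matches nmap's own count"
```

The cross-check matters when the sweep output is fed into later stages: a bare grep for Up would also match a host whose reverse name contains that string (an "Upload" server, say), and the trailer count is the cheapest way to catch a parser that silently drifted from what nmap reported.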

Example 2:

So let's say you have a list of domains you want to attempt zone transfers on. You don't want to slowly try each one individually: most pentests are limited in time, so you want to get as much as possible done in a short period.
So let's whip up a script that does this based on your list of domains.
The domain list will be a text file containing:

gooble.com
testcompany.net
fakecompany.org

Save this file as domains.txt and write a script that attempts a zone transfer for each domain in the list.

#!/bin/bash

# Attempt a zone transfer (host -l) against every domain listed in
# domains.txt, one domain per line.
while read -r domain; do
    host -l "$domain"
done < domains.txt

Save the script as zonetransfer.sh and make it executable:

chmod +x zonetransfer.sh

Also make sure domains.txt is in the same folder as the script before you run it.

Example 3:

So let's say you have a bunch of failed zone transfers because the company you are doing a pentest for blocks zone transfers from anyone but their own DNS servers. If you happen to have a particular subnet in your scope, you can attempt reverse lookups of each IP to gather DNS PTR records. Doing each IP individually would take a decent amount of time, so let's have bash do the work for us.

#!/bin/bash

# Reverse-lookup every address in a /24: the user supplies the first three
# octets and the loop appends .1 through .254.
i="1"

echo "Please enter the first 3 octets, e.g. 192.168.1"
read -r subnet

while [ "$i" -le 254 ]; do
    # A plain "host <IP>" performs the PTR lookup; "host -l" would attempt a
    # zone transfer instead, which is not what we want here.
    host "$subnet.$i"
    i=$((i + 1))
done

This bash script iterates over the last octet from 1 through 254 and does a reverse lookup of each IP address.
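Examples 2 and 3 have the same shape: loop over a list and call host once per item. The script below is an added example, not the author's code, that covers both in one place and adds what the one-liners leave out: each domain reports a clear ALLOWED/REFUSED result based on host's exit status, the domain file is read with read -r so blank lines, comments and stray whitespace cannot break the loop, and the subnet prefix is validated before any lookup is sent. HOST_CMD is a hypothetical hook of my own that defaults to the real host binary; it exists only so the functions can be exercised offline with a stub. The function and file names are assumptions.

```shell
#!/bin/bash
# Added example (not from the original post): the domain-list loop (Example 2)
# and the reverse-lookup loop (Example 3) rewritten so that every item reports
# a clear result and bad input is rejected. HOST_CMD is a hypothetical hook
# that defaults to the real host(1) binary; it exists so the functions can be
# exercised offline with a stub.
HOST_CMD=${HOST_CMD:-host}

# zone_transfer_status <domain>: "ALLOWED" when the server hands the zone to
# us, "REFUSED" otherwise. Only host's exit status is used; a zone that answers
# an AXFR from an unauthorised client is the finding to report.
zone_transfer_status() {
    if "$HOST_CMD" -l "$1" >/dev/null 2>&1; then
        echo "$1 ALLOWED"
    else
        echo "$1 REFUSED"
    fi
}

# audit_zone_transfers <file>: one domain per line; blank lines, comments and
# stray whitespace are tolerated. Reading with `read -r` rather than
# `for i in $(cat file)` keeps odd input from being globbed or mis-split.
audit_zone_transfers() {
    local file="$1" line
    while read -r line; do
        line=${line%%#*}        # drop a trailing comment
        set -- $line            # word-split to trim whitespace; $1 is the domain
        [ -n "${1:-}" ] || continue
        zone_transfer_status "$1"
    done < "$file"
}

# valid_subnet <prefix>: accept exactly three dotted octets in the range 0-255,
# so a typo like "192.168.1.5" or "192.168" cannot turn into a bogus sweep.
valid_subnet() {
    local o oldifs="$IFS"
    case "$1" in .*|*.|"") return 1 ;; esac
    IFS=.
    set -- $1
    IFS="$oldifs"
    [ "$#" -eq 3 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# reverse_sweep <prefix> [first] [last]: PTR lookup for each address in the
# range, printing only the answers. A plain `host <IP>` is the reverse query;
# `host -l <IP>` would attempt a zone transfer instead.
reverse_sweep() {
    local prefix="$1" first="${2:-1}" last="${3:-254}" i
    valid_subnet "$prefix" || { echo "invalid subnet prefix: $prefix" >&2; return 1; }
    i=$first
    while [ "$i" -le "$last" ]; do
        "$HOST_CMD" "$prefix.$i" 2>/dev/null | grep 'domain name pointer' || true
        i=$((i + 1))
    done
}

# Usage: ./dns_checks.sh audit domains.txt
#        ./dns_checks.sh reverse 192.168.1 [first] [last]
case "${1:-}" in
    audit)   audit_zone_transfers "$2" ;;
    reverse) reverse_sweep "$2" "${3:-1}" "${4:-254}" ;;
esac
```

Run as ./dns_checks.sh audit domains.txt or ./dns_checks.sh reverse 192.168.1; with no arguments the script only defines the functions, which is what makes it easy to source and test. The same audit function is just as useful on the defending side: point it at your own zones to confirm that AXFR is refused to anyone but your secondaries.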

Example 4:

So in this example we will assume you have root access to a compromised Linux server. You want to gather information from the server to place in your pentest report and to assist in possibly compromising additional servers.

#!/bin/bash

# Everything is appended to a hidden file in the current directory.
OUT=".gathered_info"

# section <banner> <command...>: announce the step on the terminal, then
# append a banner and the command's output to the report file.
section() {
    local banner="$1"
    shift
    echo "[+]Gathering $banner..."
    {
        echo "*********${banner}**********"
        echo " "
        "$@"
        echo " "
    } >> "$OUT"
}

{
    echo "#############################"
    echo "#Linux info gather script"
    echo "#############################"
    echo " "
} >> "$OUT"

section "WHOAMI"       whoami
section "HOSTS FILE"   cat /etc/hosts
section "IFCONFIG"     /sbin/ifconfig
section "ARP"          /usr/sbin/arp -a
section "IPtables"     /sbin/iptables -L
section "Route info"   /sbin/route
section "Shadow file"  /bin/cat /etc/shadow

echo "****************************" >> "$OUT"

The end result is all of the gathered info placed neatly in a hidden text file. It certainly beats running each command manually to gather the information.

I hope these examples show you the power and flexibility of bash, whether used in penetration testing or in everyday system administration.
