There's a certain thrill, isn't there, in wielding the power of text to command a computer?
Oh?
Absolutely. And when you apply that to security, well, it becomes this incredibly potent skill. Definitely. So today we're plunging into the world of Bash scripting for ethical hacking and penetration testing. We're really focusing on that crucial first phase: reconnaissance.
Yeah, the information gathering part.
Our goal here is to distill the essential knowledge from some key materials. Understand exactly how Bash and its buddy tools are used to get that critical first layer of information about potential targets.
And we're drawing from resources really aimed at security pros who want to harness Bash. It covers the whole setup too.
Right, things like setting up your environment, maybe WSL, Windows Subsystem for Linux, or Cygwin, picking a
text editor, and then getting into the Bash fundamentals: variables for storing data, arrays for collections, understanding streams.
Standard input, output,
error, that kind of thing. Exactly, how commands talk to each other. These basics, they're the foundation for everything else we'll discuss.
Okay, so environment sorted, command line feels hopefully a bit less intimidating. Now the exciting part: putting Bash to work for reconnaissance. And like any assessment, the first job is figuring out who we're looking at, creating those target
lists. Precisely. The materials really stressed defining the scope clearly first. Are we talking specific IPs, whole networks,
or domains, subdomains, that sort of thing.
Exactly, And Bash actually gives us some well, surprisingly efficient ways to generate these lists.
Okay, let's start with IPs. Say you need to hit a range like 172.16.10.1 up to 172.16.10.254. Typing that manually is, well, not ideal.
Definitely not. The sources show a few clever Bash tricks. One uses the seq command inside a for loop.
Okay, pretty straightforward: iterate the numbers, output the IPs.
It works, but there are usually quicker ways, right, like Bash's brace expansion?
Ah, yes, that's much shorter.
Yeah, you could just do echo 172.16.10.{1..254}. That gives you a space-separated list, but
you probably want them on separate lines for tools.
Usually, yes, so you pipe that echo command to sed to replace the spaces with newlines.
Simple, very neat. And there was a third way, something with printf?
That's right, printf "172.16.10.%d\n" {1..254} might be even cleaner.
How does that work?
The %d is a placeholder for a number, an integer. Bash fills it in for each number in the braces, and the \n automatically adds the newline. No extra formatting needed.
Clever. Okay, so that handles IP ranges. What about finding subdomains? Organizations have tons of those.
These days, they really do. The common strategy detailed is using a wordlist, you know, just a big text file with potential subdomain names like mail, ftp, www, dev, things like that. Exactly. Then the job is just sticking the main domain name onto the end of each word in the list. A standard Bash while read loop is perfect for this.
So it reads a line, say mail, then you echo mail plus .example.
com. Yep, if example.com is your target. The material even points to an example wordlist on GitHub, subdomains-1000.txt in the blackhatbash repo. Useful.
Is there another way besides the loop?
Yeah. They also mentioned using sed directly. You can tell sed to just append .example.com to the end of every single line in the wordlist file. Does the same thing, just a different command.
Okay, makes sense. So we've generated our lists, potential targets identified. Now we need to see which ones are actually, you know, alive and kicking. Host discovery.
Right, and the classic first check is ping, good old ping. But when scripting, you need those flags to stop it waiting forever: -c 1 for just one packet, and timeouts, yeah, -W 1 or -w 1 to set a wait time, maybe one second, so your script doesn't just hang there if a host is down or ignoring pings.
Because they might ignore ICMP, right, firewalls.
and stuff. Exactly. Ping uses ICMP, and lots of systems block it, so no ping response doesn't always mean the host is offline. It's a piece of the puzzle, but not the whole picture.
So for the local network, ping might miss things. That's where arp-scan fits in.
That's right. arp-scan is great for your local segment. It works using ARP, the Address Resolution Protocol. Layer two stuff. Exactly, layer two, so it can spot devices even if they're blocking pings higher up the stack. The command is like sudo arp-scan network/24 -I interface.
And the sources mentioned a specific lab setup.
Yeah, they used br_public as the interface on the 172.16.10.0/24 network in their examples. The key is ARP works locally and can find hosts that ICMP might miss.
And they even showed how to put arp-scan in a loop, like to watch for new devices popping up.
Yes, a while loop to run arp-scan periodically. If it spots a new MAC address, it uses sendmail to fire off an email alert.
That's pretty cool. You set variables for known hosts, the network, who to email.
It's a great example of automating basic network monitoring with just Bash and standard tools. Simple but effective.
Okay, so we're building a picture of who's online. Next logical step, what are they doing? What services are running? Port scanning time. Exactly.
And the big names here are Nmap, the classic, and maybe the faster RustScan for initial sweeps.
Nmap is the powerhouse though, right? Loads of options.
Oh yeah, very versatile. The -sV flag is highlighted. Service version detection, super useful.
Why is it so important.
Because knowing the exact software and version running on a port lets you immediately look up known vulnerabilities for it. Speeds
things up a lot. Makes sense. And you can feed Nmap our target lists.
Yep. The -iL option takes your list, like the 172-16-10-hosts.txt we talked about, and scans all of them.
And the sources had a script for handling Nmap output too, didn't they? nmap-to-portfiles.sh. Right.
That one's quite clever. It takes Nmap's output, looks for the lines saying tcp open, and then creates files named after the port number. Exactly. So you get 80.txt, 443.txt, 22.txt, whatever ports are open, and inside each file is the list of IP addresses that have that specific port open.
That sounds incredibly useful for organizing results like show me all hosts running a web server.
It really is great for prioritizing. Then there's the other script, port-watchdog.sh. That one shows continuous monitoring.
How does that one work?
It uses RustScan, which is really fast, in a loop, just checking if a specific port you care about opens up on a target.
So like watching port 8080 on one machine. Exactly.
If RustScan suddenly sees it open, then the script triggers Nmap with -sV to do a proper service scan just on that newly open port and logs it.
Wow, like an automated tripwire for new services. Right. I remember manually digging through huge Nmap logs. Scripts like these are game changers.
They really save a ton of time and effort. Automation is key.
Okay, so we found open ports. Now we want to poke them a bit, see what's actually listening.
Banner grabbing. Banner grabbing, yep, trying to get the service to announce itself, send back a banner. A banner often contains software names, versions.
And the tool for that is often netcat, nc.
Netcat is fundamental. nc -v IP port just tries to connect; the -v gives verbose output. Many services, especially older ones like FTP or SSH, might just spit out a banner right away. There's a script for that too. Yep, netcat-banner-grab.sh to automate running nc against a list of IPs and a specific port.
What about web servers? They don't always give banners easily with netcat. True.
For HTTP, the material points to curl, specifically using the HEAD method, because HEAD asks for just the HTTP headers, not the whole web page content. It's faster if you only want info like the Server
header. Ah, which often tells you if it's Apache or nginx. Exactly.
And there's a curl-banner-grab.sh script that prompts for an IP and port, does the curl HEAD, and then uses grep to pull out just that Server line.
Pretty targeted.
And don't forget Nmap again. Its scripting engine.
NSE, right, NSE.
There's a banner.nse script. You can run nmap -sV --script banner.nse and it does the service detection and banner grabbing together. Very efficient.
Okay, banners grabbed, services IDed. What about the OS? Can we figure out if it's Linux, Windows, something else?
Nmap again is the main tool here. It uses TCP/IP fingerprinting.
Fingerprinting, how does that work? Sounds complex.
It kind of is. Nmap sends specific, unusual packets and analyzes tiny details in how the target system responds: timings, flag settings, things like that. Different operating systems have slightly different network stacks that react uniquely.
This is like a network-level fingerprint, basically.
Yes, the -O flag tells Nmap to try this.
OS detection. And let me guess, there's a script for parsing that output.
You got it, os-detection.sh. Nmap has a greppable output format, -oG. This script uses grep and sed on that output to find the lines with Host and OS and pull out the IP and the OS guess. It looks for certain patterns to extract the info cleanly.
It's amazing what you can learn just from how a machine talks on the network. Okay, one last area mentioned: web applications, specifically using Wappalyzer.
Right, Wappalyzer, fantastic tool. It's all about identifying the technologies behind a website or a web app. What kind of technologies? Things like the web framework, React, Angular, Vue, the back-end language, maybe PHP, Node.js, the CMS like WordPress or Drupal, JavaScript libraries, web servers, lots of stuff.
How does it do that?
It has a database of signatures. It looks for specific clues in the site's code, headers, cookies, scripts.
And the example usage was simple.
Yeah, just wappalyzer http://IP:port. It spits out JSON data.
JSON, you need something to read that easily. Exactly.
The example pipes the JSON output to jq, which is a command-line JSON processor. You can use jq to pull out just the fields you want, like the technology name, the version it detected, and the confidence score.
So you get a nice structured list of the tech stack. That seems really valuable for figuring out where potential weaknesses might lie later on.
Absolutely. Knowing the stack guides your next steps, like looking for specific vulnerabilities in those components. It complements the network view.
Okay, let's try and pull this all together. We've seen how Bash, acting as the glue, combined with tools like ping, arp-scan, Nmap, RustScan, netcat, curl, and Wappalyzer, well, it forms a seriously capable toolkit for that initial recon phase. Definitely. We can build target lists efficiently, find out who's online, scan for open ports and running services, grab banners for software versions, and even make educated guesses about the OS and web technologies.
And the core idea really is that Bash isn't just a shell, it's a scripting language. It lets you automate these tools, chain them together, process their output. It makes reconnaissance scalable and much more efficient.
So understanding the tools and how to script them in Bash is
crucial. Absolutely essential for effective large-scale information gathering. You can't just click buttons for everything.
This deep dive has given us a really solid grounding in Bash for recon, and it sounds like the source material goes even further into vulnerability scanning, maybe exploitation.
Yeah, this is really just scratching the surface of the initial steps.
Right. So for you listening, here's something to think about. How could you maybe apply some of these Bash techniques, even just the basic ideas in your own work or areas of interest. How can they help you understand the systems you interact with just a little bit better.
Maybe check out some of those tools, Nmap or Wappalyzer, or even browse that GitHub repo mentioned. It could be a good next step.
