Black-Hat Bash scripting part 7
Hi, today is the next chapter, with a look at what makes hacking and espionage work: recon. Information, especially the right form of it, is power, and in the book that power comes from bash automation.
- seq and for loop approach
Using seq and a for loop to iterate over a range of addresses to search.
- echo and brace expansion approach
Yeah, that’s right, I did an echo-echo bit… it was funny in my head.
A much cleaner echo-echo of the IP addresses… yes, I did it again, sue me.
- printf and brace expansion approach
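Since the screenshots of the three approaches did not survive on this page, here is an added example that covers all three (it is my code, not the book's): seq with a for loop, echo with brace expansion, and printf with brace expansion, plus a grep filter that keeps only the addresses that appear on an in-scope list. The 10.0.0. prefix, the 1-254 range and the scope file are constructed values; nothing here touches the network, it only builds and filters the list.

```shell
#!/usr/bin/env bash
# Added example (not from the book): three ways to expand a /24 into a list
# of addresses. Prefix 10.0.0. and range 1-254 are constructed sample values.

# 1) seq + for loop: one address per iteration, so per-address logic
#    (logging, a rate limit, a scope check) slots in naturally.
ips_seq_for() {
  local prefix=$1 first=$2 last=$3 i
  for i in $(seq "$first" "$last"); do
    echo "${prefix}${i}"
  done
}

# 2) echo + brace expansion: bash expands {1..254} before echo runs, so
#    every address lands on a single space-separated line.
ips_echo_brace() {
  local prefix=$1
  echo "${prefix}"{1..254}
}

# 3) printf + brace expansion: the format string is reused for every
#    expanded word, giving one address per line with no loop at all.
ips_printf_brace() {
  local prefix=$1
  printf '%s\n' "${prefix}"{1..254}
}

# Scope check: read addresses on stdin and keep only those that appear,
# as whole lines, in the allow-list file (the in-scope list a tester is given).
filter_in_scope() {
  local scope_file=$1
  grep -Fx -f "$scope_file"
}

# Demo: the first three addresses from each form.
ips_seq_for 10.0.0. 1 3
ips_echo_brace 10.0.0. | cut -d' ' -f1-3
ips_printf_brace 10.0.0. | sed -n '1,3p'
```

The first and third functions produce identical output (one address per line); the echo form puts everything on one line, which is why the printf form reads as the "much cleaner" version on the page. The filter is the piece you add before any script that acts on the list, so a typo in the range cannot walk you out of scope.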
Compiling a List of Possible Subdomains
Let’s say you know of jhaddix, tomnomnom and katiephd, who are in the bug bounty field. The first thing they do is recon of subdomains, both internal and external to the scope, and sometimes they do go out of scope and find something really critical to the target. Now, for penetration testers it is the scope you have been given permission to engage, read that again: permission… Subdomains are what developers create for pages, and they normally name them in an easy-to-remember way. But you cannot ignore human error, it is the beauty of nature, which is why there are common lists of subdomains on Kali, on GitHub, on Twitter.
This is the basics of subdomains. Next would be the filtering and cleaning, like tomnomnom would do, but that is about showing the impact of finding a domain affected by a vuln. Anyway, the while loop takes two arguments, a domain (a website) and the wordlist file the book told you to download to the home directory. While it has those two arguments, the script reads through the subdomain file, combines each entry with the domain and prints the results, as shown above and below.
The sed approach
The s is for substitute: the end of each line is substituted, and the result does not look much different from the first script.
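For the two scripts described above (the while loop that takes a domain and a wordlist, and the sed variant), here is an added example written for this post rather than taken from the book. It assumes the sed form is `s/$/.domain/`, which appends the domain at the end of every line. The wordlist is constructed, example.com is a placeholder domain, and the output is only a list of candidate names: nothing is resolved or contacted.

```shell
#!/usr/bin/env bash
# Added example, not the book's script: build candidate subdomain names from a
# wordlist and a domain. The wordlist below is constructed and example.com is a
# placeholder; the output is a list of names to resolve later, nothing more.

# A small constructed wordlist, with the blank line, comment, duplicate and
# stray whitespace/case that real lists from GitHub tend to carry.
WORDLIST=$(mktemp)
cat > "$WORDLIST" <<'EOF'
www
# common development hosts
dev
Staging
  api
mail
www
EOF

# 1) while-read loop: takes the domain and the wordlist as its two arguments,
#    reads one word per line, skips blanks and comments, trims and lowercases,
#    then prints word.domain. Same shape as the book's first script.
subdomains_while() {
  local domain=$1 file=$2 word
  while IFS= read -r word || [ -n "$word" ]; do
    word=${word#"${word%%[![:space:]]*}"}   # trim leading whitespace
    word=${word%"${word##*[![:space:]]}"}   # trim trailing whitespace
    case $word in ''|'#'*) continue ;; esac  # skip blanks and comments
    echo "${word,,}.${domain}"
  done < "$file" | sort -u
}

# 2) sed: "s/$/.domain/" anchors on end-of-line and appends the domain. The
#    same cleanup is done in sed/tr up front so both versions agree.
subdomains_sed() {
  local domain=$1 file=$2
  sed -e 's/^[[:space:]]*//; s/[[:space:]]*$//' -e '/^$/d' -e '/^#/d' "$file" \
    | tr '[:upper:]' '[:lower:]' \
    | sed "s/\$/.${domain}/" \
    | sort -u
}

subdomains_while example.com "$WORDLIST"
```

Both functions print the same five names, deduplicated and sorted. One caveat with the sed form: the domain lands inside the replacement text, so a domain containing `/` or `&` would need escaping, while the while loop has no such issue.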
These sub-topics remind me of the naming sense of a Big Bang Theory episode. Crickets… Moving on!
Host Discovery
All aboard, this is where you start to think about automation. Why do I say this? Imagine if you had a thousand to a million hosts to look into; this is where bash can save you time.
Nmap
Exercise 3: Receiving Notifications When New Hosts Are Detected
Exercise 4: Organizing Scan Results by Port Number
Exercise 5: Detecting a New Open Port on a Given Host
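The three exercises share one idea: save each scan and compare it to the previous one offline, so the scanner runs once and the bash does the rest. Here is an added example (my own, not the book's solutions) that does exactly that on nmap's grepable output (`-oG`). Both scan files are constructed samples laid out like `-oG` output with private placeholder addresses; no scan is run here.

```shell
#!/usr/bin/env bash
# Added example for exercises 3, 4 and 5 (not the book's solutions): work from
# saved nmap -oG output so scans run once and comparisons happen offline.
# Both files are constructed samples in -oG layout; addresses are placeholders.

SCAN_OLD=$(mktemp) SCAN_NEW=$(mktemp)
cat > "$SCAN_OLD" <<'EOF'
# constructed sample in nmap -oG layout: yesterday's scan
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 10.0.0.7 ()  Ports: 22/open/tcp//ssh///, 3389/closed/tcp//ms-wbt-server///
EOF
cat > "$SCAN_NEW" <<'EOF'
# constructed sample in nmap -oG layout: today's scan
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.0.0.7 ()  Ports: 22/open/tcp//ssh///
Host: 10.0.0.9 ()  Ports: 8080/open/tcp//http-proxy///
EOF

# Hosts present in a scan file (field 2 of every "Host:" line), deduplicated.
scan_hosts() {
  awk '$1 == "Host:" { print $2 }' "$1" | sort -u
}

# Exercise 3: hosts in the new scan that were absent from the old one.
# Pipe the output into mail or a webhook client to turn it into a notification.
new_hosts() {
  comm -13 <(scan_hosts "$1") <(scan_hosts "$2")
}

# Exercise 4: group results by port. Every "port/open/proto//service///" token
# is split on "/" and the host is appended to that port's list.
ports_summary() {
  awk '$1 == "Host:" {
         for (i = 3; i <= NF; i++)
           if ($i ~ /^[0-9]+\/open\//) { split($i, f, "/"); seen[f[1]] = seen[f[1]] " " $2 }
       }
       END { for (p in seen) print p ":" seen[p] }' "$1" | sort -n
}

# Hosts with a given port open. index()==1 demands an exact "port/open/" prefix,
# so asking for 22 does not also match 2222.
hosts_with_port_open() {
  awk -v p="$2/open/" '$1 == "Host:" { for (i = 3; i <= NF; i++) if (index($i, p) == 1) print $2 }' "$1"
}

# Open ports for one host, sorted so comm can diff two lists.
open_ports_for_host() {
  awk -v h="$2" '$1 == "Host:" && $2 == h {
         for (i = 3; i <= NF; i++) if ($i ~ /^[0-9]+\/open\//) { split($i, f, "/"); print f[1] }
       }' "$1" | sort -u
}

# Exercise 5: ports open on a host today that were not open yesterday.
new_open_ports() {
  local host=$1 old=$2 new=$3
  comm -13 <(open_ports_for_host "$old" "$host") <(open_ports_for_host "$new" "$host")
}

echo "new hosts:";       new_hosts "$SCAN_OLD" "$SCAN_NEW"
echo "by port:";         ports_summary "$SCAN_NEW"
echo "new on 10.0.0.5:"; new_open_ports 10.0.0.5 "$SCAN_OLD" "$SCAN_NEW"
```

Run on the samples, this reports 10.0.0.9 as the new host, groups 22 (two hosts), 80, 443 and 8080, and flags 443 as newly open on 10.0.0.5. Note that `3389/closed` on 10.0.0.7 never appears in any list: only `open` tokens count, which is the filter that matters when the point is to alert on change rather than on noise.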
Banner grabbing
If you have played with nmap and netcat before this book, you know there is a way to get more info on services, how they run and what version they are, and that is banner grabbing. There are two different ways, active and passive. Passive is going the third-party route to parse said info, while active is you actually connecting to a server and interacting with it to parse said info. Honeypots are a way for orgs to combat threat actors or pen testers accessing server info, if their security architecture is actually that resilient; spoiler alert, not everyone is.
Performing active banner grabbing with Netcat
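The grabbing itself is one netcat connection; the work is in making sense of what comes back, whether you are building an asset inventory or checking that a service still announces what it should. Here is an added example (mine, not the book's) that classifies a captured banner read from stdin: SSH and SMTP greetings are identified from the first line, and for HTTP the `Server:` header is pulled from the rest of the response. The banners at the bottom are constructed strings, not captured from any real host.

```shell
#!/usr/bin/env bash
# Added example (not from the book): classify a captured banner, e.g. the text
# netcat prints after connecting, saved to a file. Sample banners below are
# constructed strings, not captured output.

# Reads one captured response on stdin and prints "protocol<TAB>software",
# or "unknown<TAB>-" when the first line matches no known greeting.
banner_service() {
  local first rest server
  IFS= read -r first || return 1
  first=${first%$'\r'}                       # services send CRLF line endings
  if [[ $first =~ ^SSH-[0-9.]+-([^[:space:]]+) ]]; then
    # SSH-2.0-<software> [comments]; software ends at the first space
    printf 'ssh\t%s\n' "${BASH_REMATCH[1]}"
  elif [[ $first =~ ^220[[:space:]].*ESMTP[[:space:]]+([^[:space:]]+) ]]; then
    # 220 <hostname> ESMTP <software>
    printf 'smtp\t%s\n' "${BASH_REMATCH[1]}"
  elif [[ $first =~ ^HTTP/[0-9.]+[[:space:]]+[0-9]{3} ]]; then
    # status line first; the software, if disclosed, is in the Server: header
    server=-
    while IFS= read -r rest; do
      rest=${rest%$'\r'}
      if [[ $rest =~ ^[Ss]erver:[[:space:]]*(.*)$ ]]; then
        server=${BASH_REMATCH[1]}
      fi
    done
    printf 'http\t%s\n' "$server"
  else
    printf 'unknown\t-\n'
  fi
}

# Constructed captures, shaped like the first lines a service sends on connect.
printf 'SSH-2.0-OpenSSH_9.9 Debian\r\n' | banner_service
printf '220 mail.example.com ESMTP Postfix\r\n' | banner_service
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n' | banner_service
printf 'hello\r\n' | banner_service
```

Feeding the saved output of each connection through this gives one tab-separated line per host that sorts and diffs cleanly, so a version that changes between two runs stands out the same way a new open port did in the nmap exercises. The `unknown` branch is deliberate: a banner that matches nothing is worth a look, since that is what a honeypot or a hardened service that hides its version looks like from the outside.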
Well… apparently I have posted too many screenshots and memes, so imma end the chapter on the next one. And yes, the writing stopped once I focused; no point in talking about it when the authors have done their best to explain what each script does.
Till next time,
May you always be in a state of flow.