Black-Hat Bash scripting part 16
Hi, I literally just finished the other chapter, but the work has to be done regardless, no days off. Now moving on to chapter 11, which is Network Probing and Lateral Movement.
Real-life enterprise environments emphasise the security of externally facing assets, meaning assets exposed on the open internet. External assets carry more risk than the internal networks that trusted users or employees use. Internet-facing assets are typically web servers or marketing websites, while internal networks are rich in target assets such as printers, network switches, employee computers, file servers and smart devices.
To replicate this and identify those resources, we start with good ol' recon: gathering valuable network information, identifying and exploiting vulnerabilities, and compromising endpoints.
Probing the Corporate Network
The corporate network is 10.1.0.0/24. We build a small port scanner that uses special files to map found ports to named services, and speed up port scanning by prioritising ports based on how frequently they are found open in the wild. Internal networks tend to have more assets than a pen-tester would see from the outside, since most agreements are black-box testing scenarios (you have to get the access yourself), so tweaking your processes and tools can help accelerate asset discovery.
Service Mapping
On Linux, the /etc/services file maps service names to the port numbers assigned by the Internet Assigned Numbers Authority (IANA). The file contains tab-separated columns: the service name, and the port number with its protocol (e.g. 22/tcp).
With grep, the -w flag performs a whole-word match (so 22/tcp does not also match 122/tcp) and -e supplies a pattern; passing several -e patterns lets you look up multiple tcp ports at once. The file can be used to iterate through common ports and identify the services they are likely running.
Port Frequencies
The /etc/services file offers a simple port-to-service-name mapping, which we can improve upon. The frequency data below helps prioritise which ports to scan first and remove ports that are rarely seen open.
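As an added example (my own, not the book's code), here is a small POSIX shell script that ties together the service mapping above and the frequency-based ordering: it looks up service names with grep -w from an /etc/services-style excerpt, then orders candidate ports from a frequency list and drops the rarely open ones. Both data sets are constructed placeholders so it runs offline; point SERVICES_DATA at the real /etc/services and FREQ_DATA at a real frequency list for actual use.

```shell
#!/usr/bin/env sh
# Added example (not from the book): map ports to service names the way
# /etc/services does, then order candidate ports by how often they are seen
# open. Both data sets below are constructed stand-ins so the script runs
# offline; swap in /etc/services and a real frequency list for real use.

# Constructed excerpt in /etc/services format: name, port/protocol, aliases.
SERVICES_DATA=$(printf 'ssh\t22/tcp\nsmtp\t25/tcp\t\tmail\nhttp\t80/tcp\t\twww\nhttps\t443/tcp\nmysql\t3306/tcp\nrdp\t3389/tcp\tms-wbt-server\n')

# Constructed frequency list, "port fraction-seen-open" (placeholder values).
FREQ_DATA=$(printf '80 0.48\n443 0.21\n22 0.18\n3389 0.04\n25 0.02\n3306 0.01\n')

# service_for_port PORT [PROTO]: service name for PORT/PROTO (default tcp),
# or "unknown" if the port is not listed. -w keeps 22/tcp from matching 122/tcp.
service_for_port() {
  port="$1"; proto="${2:-tcp}"
  name=$(printf '%s\n' "$SERVICES_DATA" | grep -w -e "$port/$proto" | awk 'NR == 1 { print $1 }')
  printf '%s\n' "${name:-unknown}"
}

# prioritized_ports [MIN_FREQ]: ports from FREQ_DATA, most frequently open
# first; ports below MIN_FREQ (default 0) are dropped from the scan entirely.
prioritized_ports() {
  min="${1:-0}"
  printf '%s\n' "$FREQ_DATA" \
    | awk -v min="$min" '$2 >= min { print $2, $1 }' \
    | sort -rn \
    | awk '{ print $2 }'
}

# scan_plan [MIN_FREQ]: one "port service" line per candidate, in scan order.
# Feed this list to whatever connect test you use instead of walking 1-65535.
scan_plan() {
  prioritized_ports "${1:-0}" | while read -r port; do
    printf '%s %s\n' "$port" "$(service_for_port "$port")"
  done
}

# Example run: skip ports seen open less than 5% of the time.
scan_plan 0.05
```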
Exercise 23: Scanning Ports Based on Frequencies
Exploiting Cron Scripts on Shared Volumes
Verifying Exploitability
Exercise 24: Gaining a Reverse Shell on the Backup Server (will do later)
At the moment I am not getting something to work, so instead of forcing it, I will come back to it before I attempt 24.
Exploiting a Database Server
Port forwarding
Brute-forcing with Medusa
Nothing seems to be working, to be honest. I'm gonna stop this chapter and move on to 12; I will come back to it later.
till next time,
be blessed