Automation has been a buzz word
for quite some time now, but the principles behind it are as strong as ever. For a hacker or pentester, Bash scripting is one form of automation that cannot be ignored. Virtually any command that can be run from the terminal can be scripted — and should be, in many cases — to save valuable time and effort. And a Bash script just happens to be great for recon
Tutorials sponsored by PoltechSolutions (www.poltechsolutions.xyz )
Start the Script
To get started, create a Bash script and name it whatever you like. I'll call mine recon.sh. Using your favorite text editor, make the first line look like this:
This is called a shebang, or hashbang, and simply points to the system's interpreter for Bash.
Next, we'll make sure the user supplies input to the script, and if not, prints a usage example and exits. Use a conditional if-then block:
if [ -z "$1" ] then echo "Usage: ./recon.sh
"exit 1 fi
The $1 is the argument we will pass to the script, and the -z option returns true if the string is null. So basically, this says if no argument is passed, print the usage example and exit. The argument we'll use is an IP address.
Scan the Host
The next section will run an Nmap scan on the host IP address we supply. First, we'll print a heading for Nmap just to keep things pretty and organized:
printf "\n----- NMAP -----\n\n" > results
We use printf here because it handles newlines (\n) more reliably than echo. This is being written to a text file called results — it will first create the file since it doesn't exist yet, and it will overwrite the file in the future with subsequent scans.
Next, we will print a message and actually run the command:
echo "Running Nmap..." nmap $1 | tail -n +5 | head -n -3 results
The nmap command takes the argument we supplied the script, the IP address, and appends the results to our output file. The tail and head commands remove some lines from the beginning and end of the Nmap output — this is just my personal preference and makes it look a little cleaner in my opinion.
The next section will take the results of the Nmap scan and attempt to enumerate HTTP if certain criteria are met. We will run Gobuster to scan for directories and WhatWeb to get some information about the web server.
We'll use a while loop to read each line from our results file, and if it finds an open port running HTTP, it will kick off Gobuster and WhatWeb:
while read line do if [[ $line == *open* ]] && [[ $line == *http* ]] then echo "Running Gobuster..." gobuster dir -u $1 -w /usr/share/wordlists/dirb/common.txt -qz > temp1 echo "Running WhatWeb..." whatweb $1 -v > temp2 fi done < results
If an open HTTP port is found, the code in the if-then block will run. Gobuster takes the IP address we supplied as the -u option and uses a wordlist specified by the -w option. We will also use the -q and -z options here to disable the banner and hide the progress — again, just to keep the output tidy. This will write to a temporary file that will be utilized later in the script.
WhatWeb simply takes the IP address we supplied and writes the output to a second temporary file. The -v option here gives us verbose results. When the while loop exhausts all lines of the results file, it completes, and the script moves on to the next section.
Display the Results
The next block of code will determine if the temporary files from earlier exist, and if so, will append the output to the main results file:
if [ -e temp1 ] then printf "\n----- DIRS -----\n\n" >> results cat temp1 >> results rm temp1 fi if [ -e temp2 ] then printf "\n----- WEB -----\n\n" >> results cat temp2 >> results rm temp2 fi
The -e option checks if the file exists — if it does, the code after then runs. It prints another heading, writes the contents of the temporary file to our results, and removes the temporary file.
Finally, the last line of our script will simply display the results on our screen:
Review the Script
The entire script should now look like this:
if [ -z "$1" ] then echo "Usage: ./recon.sh!/bin/bash
"exit 1 fi printf "\n----- NMAP -----\n\n" > results echo "Running Nmap..." nmap $1 | tail -n +5 | head -n -3 >> results while read line do if [[ $line == *open* ]] && [[ $line == *http* ]] then echo "Running Gobuster..." gobuster dir -u $1 -w /usr/share/wordlists/dirb/common.txt -qz > temp1 echo "Running WhatWeb..." whatweb $1 -v > temp2 fi done < results if [ -e temp1 ] then printf "\n----- DIRS -----\n\n" >> results cat temp1 >> results rm temp1 fi if [ -e temp2 ] then printf "\n----- WEB -----\n\n" >> results cat temp2 >> results rm temp2 fi cat results
Run the Script
Now we should be ready to run our recon script. In my example, I'm using Metasploitable 2 as the target.
First, make the script executable:
~# chmod +x recon.shIf we try to run it without an argument, it gives us the usage example: ~# ./recon.sh Usage: ./recon.sh
Simply supply the IP address and run it again:
It tells us what's running (ignore the ruby error for WhatWeb) and prints out a nice display of the results when it is done.
*Expanding the Script*
In its current state, this Bash script isn't complicated. It runs an Nmap scan, and if an open HTTP port is found, it kicks off Gobuster and WhatWeb. While useful, this could be expanded in many ways.
First of all, we're only running a basic Nmap scan. We could scan additional ports, run the default scripts, enable OS detection, and more. Basically, anything you can do from the command line you can put in the script. The same thing goes for Gobuster and WhatWeb.
We could also expand the script to enumerate other services besides HTTP. Things like SMB, SSH, and FTP could all be good candidates to add in there. Again, Bash scripting is powerful because it is possible to automate many of the functions typically used in a command-line form.
In this tutorial, we created a Bash script to automate some of the activities used in the reconnaissance phase of a penetration test. The script took an IP address as an argument, ran an Nmap scan on the target, and if an open HTTP port was found, kicked off Gobuster and WhatWeb. Bash Scripting is extremely powerful, and even this simple script saved us a ton of time and typing.
Sign up at www.poltechsolutions.xyz for more