
Bash Scripting for Pentesting


If there is one thing the OSCP drills in above all else, it is the importance of enumeration. That in turn means balancing thorough enumeration against efficiency, since time is a real limiting factor when you have 24 hours to take over an entire Active Directory domain and 3 separate systems.

This project was a way to gain hands-on experience applying bash to a practical problem while also making enumeration during the course more efficient.

Note: This script is tailored to the OSCP specifically and is extremely "loud", so it may not be suitable for other scenarios.

The main enumeration script: start.sh on GitHub

Script Structure

The script uses argument parsing with getopts and modular functions; each flag only sets a variable, and the functions run later based on which variables were set:

#!/bin/bash

# Flags followed by ':' take a value (target IP, domain, ...); the rest are switches
opts='i:d:x:nlbawshvf'
while getopts $opts arg; do
  case $arg in
    i ) ip=$OPTARG;;        # target IP address
    d ) domain=$OPTARG;;    # domain for DNS/subdomain enumeration
    l ) lfi=1;;
    s ) sub=1;;
    w ) web=1;;             # web discovery and directory enumeration
    n ) nmap=1;;            # rustscan + nmap port scan
    f ) network=1;;
    a ) all=1;;             # run everything
    b ) smb=1;;             # SMB enumeration
    v ) exp=1;;             # searchsploit lookups
    h ) help=1;;
    * ) echo "unknown argument";;
  esac
done

Port Scanning

Using rustscan for speed, then nmap for detailed analysis of only the ports rustscan found open:

rustall() {
    echo " Starting full port scan.."
    # Greppable (-g) output is a single line: 10.10.10.10 -> [22,80,445]
    rustscan -a "$ip" --ulimit 5000 -g > "$rports"
    # Save one port per line; the later loops read this file
    awk '/->/{print $3}' "$rports" | tr -d '[]' | tr ',' '\n' > "$open"
}

nmap_run() {
    # Comma-separated list, exactly what nmap -p expects
    ropen=$(awk '/->/{print $3}' "$rports" | tr -d '[]')
    echo "The following ports are open: $ropen"
    sudo nmap -sS -sC -vv -sV "$ip" -p "$ropen" -oX "$LOG2" -oG "$LOGFILE"
}

Web Discovery

Automated web server detection and directory enumeration. Note that only ports answering 200 OK are recorded as web servers, so a port that redirects or returns 403 is skipped:

search_discover() {
  while read -r port; do
    echo "Checking for webserver on: $ip:$port"
    # Request once and reuse the response instead of hitting the port twice
    resp=$(httpx "http://$ip:$port")
    echo "$resp"
    if echo "$resp" | grep -q '200 OK'; then
        echo "$port" >> "output/scan_$ip/webserv.txt"
        whatweb "http://$ip:$port"
    fi
  done < "output/scan_$ip/open.txt"

  # Directory enumeration against every port that answered
  while read -r wport; do
    gospider -s "http://$ip:$wport"
    gobuster dir -u "http://$ip:$wport" --wordlist /usr/share/wordlists/SecLists-master/Discovery/Web-Content/raft-medium-directories.txt -x php,txt,js,html -o "$web_out"
  done < "output/scan_$ip/webserv.txt"
}

Exploit Discovery

Automated searchsploit queries built from the product and version attributes in the nmap XML output:

searchspl() {
  ssh_() {
    if grep -q 'ssh' "$LOG2"; then
      # Product name, first word only (e.g. OpenSSH), from the <service> element
      grep 'ssh' "$LOG2" | grep -o 'product="[^"]*"' | cut -d '"' -f2 | grep -o '^\S*' > srch.txt
      # Short major.minor version (e.g. 7.2 from version="7.2p2 Ubuntu ...")
      grep 'ssh' "$LOG2" | grep -oE 'version="[^"]*"' | grep -oE '[0-9]+\.[0-9]+' | head -1 >> srch.txt
      vv=$(cat srch.txt)
      echo "Searching exploitdb for $vv"
      searchsploit $vv   # deliberately unquoted: product and version are separate search terms
    fi
  }
  ssh_
  # Similar functions for ftp, smb, web...
}

SMB Enumeration

smb_scan() {
  # $open holds one port per line (written by rustall), so match whole lines;
  # this avoids false hits such as 1390 or 4450 matching 139 or 445
  if grep -qxE '139|445' "$open"; then
    echo "Found open SMB ports"
    enum4linux "$ip"
  else
    echo 'SMB not found'
  fi
}
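As an added example, not code from start.sh, the functions below show the parsing that the Port Scanning, Exploit Discovery and SMB sections rely on: a rustscan greppable line becomes the port list for nmap -p and for an exact-match SMB check, and an nmap XML service element becomes a short "product version" searchsploit query. The scanner output embedded here is constructed sample data.

```bash
#!/bin/bash
# Added example, not part of the original start.sh: turn scanner output
# into the inputs the next stage needs. All sample data is constructed.

# Constructed rustscan -g line, the format rustall() parses.
SAMPLE_RUSTSCAN='10.10.10.10 -> [22,80,139,445]'

# Constructed nmap -oX <service> elements, the lines searchspl() greps.
SAMPLE_NMAP_XML='<service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
<service name="http" product="Apache httpd" version="2.4.18" extrainfo="(Ubuntu)" method="probed" conf="10"/>
<service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X" method="probed" conf="10"/>'

# Open ports, one per line, from a rustscan greppable line.
ports_one_per_line() {
  printf '%s\n' "$1" | awk '/->/{print $3}' | tr -d '[]' | tr ',' '\n' | grep -E '^[0-9]+$'
}

# Comma-separated form suitable for nmap -p.
ports_comma() {
  ports_one_per_line "$1" | tr '\n' ',' | sed 's/,$//'
}

# Succeeds if 139 or 445 is open. -x matches whole lines, so 1390 does not count.
has_smb() {
  ports_one_per_line "$1" | grep -qxE '139|445'
}

# Build a searchsploit query for the service named $2: the product's first word
# plus a short major.minor version (e.g. "OpenSSH 7.2"). Fails if the service is absent.
searchsploit_query() {
  line=$(printf '%s\n' "$1" | grep -F "name=\"$2\"" | head -1)
  [ -n "$line" ] || return 1
  product=$(printf '%s\n' "$line" | grep -oE 'product="[^"]*"' | cut -d'"' -f2 | awk '{print $1}')
  version=$(printf '%s\n' "$line" | grep -oE 'version="[^"]*"' | grep -oE '[0-9]+\.[0-9]+' | head -1)
  printf '%s%s\n' "$product" "${version:+ $version}"
}

# Stand-alone demonstration on the constructed data.
echo "nmap -p $(ports_comma "$SAMPLE_RUSTSCAN")"
has_smb "$SAMPLE_RUSTSCAN" && echo "SMB ports present"
for svc in ssh http netbios-ssn; do
  echo "searchsploit $(searchsploit_query "$SAMPLE_NMAP_XML" "$svc")"
done
```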

Script Dependencies

  • rustscan
  • nmap
  • smbclient
  • gobuster
  • httpx
  • gospider
  • searchsploit
  • whatweb
  • dnsrecon
  • sublist3r
  • enum4linux

Usage Examples

# Full scan with all options
./start.sh -i 10.10.x.x -a

# Specific scans
./start.sh -i 10.10.x.x -n -d example.com -v -b

# Web enumeration only
./start.sh -i 10.10.x.x -w