
Scripting Basics for Hackers: BASH Scripting for Reconnaissance

Tools are only as good as the person using them. It doesn't matter if you have the latest computer or the fanciest keyboard – if you don't understand how systems work, you won't be able to hack them effectively. That's why learning, practicing, and gaining real-world experience are so important in cybersecurity.


With this in mind, let's talk about BASH scripting. It's a valuable skill that can make cybersecurity professionals much more effective at their jobs. BASH allows you to automate tasks, combine different tools, and create custom solutions for security problems.



Master OTW has previously published articles covering the basics of BASH scripting. Given this, I assume you already have a foundational understanding. Our mission: develop a modular framework for automating both passive and active reconnaissance - the critical first phase of any successful cyber operation.


DNS Reconnaissance with BASH


We'll begin with a shebang (#!/bin/bash) so the system runs the script under BASH, followed by a short banner describing what the script does. Then we'll add an interactive prompt to acquire our target domain, setting the stage for our recon assault.



I used 'read -p' because it prints the prompt and reads the reply into a variable in a single command (add -r as well, so backslashes in the input are taken literally). I also print a separator line to set this block of the program apart visually.


First, we'll focus on DNS intelligence gathering. We'll write a function, "dns_recon", that systematically looks up A, MX, and NS records for the target.



local record_type=$1 - here we capture the first argument passed to the function: the type of DNS record we're looking up - A for IPv4 addresses, MX for mail servers, NS for name servers. The local keyword scopes the variable to the function, so it cannot clobber a global of the same name elsewhere in the script.


local result=$(dig +short "$record_type" "$domain") - this is where the actual lookup happens. dig is the standard DNS query utility; the "+short" option tells it to print only the answer data, one record per line, without the header and comment sections. $domain is the variable filled in by our prompt. One subtlety: combining local with a command substitution on one line discards dig's exit status, because local itself always returns 0. If you want to test $? after the lookup, declare the variable first and assign it on the next line.


if [ -n "$result" ]; then - this if statement checks whether we got anything back. If we did, we print it; if not, we inform the user that no records of the specified type were found. Caveat: dig +short writes transport errors such as ";; connection timed out; no servers could be reached" to stdout, so an unreachable resolver would pass this test and be printed as if it were a record. Filter out lines beginning with ";;" before the test to avoid that.


We can call this function multiple times to gather different types of DNS information:



I saved the record values in variables for later analysis. Let's review what we have so far.


We now know the target's IP addresses, mail servers, and name servers - all valuable data for planning our next moves.


Next, let's check whether a DNS zone transfer (AXFR) is possible. This is an important security check: a name server that allows transfers to anyone hands over every record in the zone at once, which can expose hostnames and infrastructure that were never meant to be enumerated. To do this, we add a "check_zone_transfer" function that requests the zone from a name server with the dig axfr command.



+noall +answer - options that tell dig to suppress the default output (+noall) but show us the answer section (+answer)


|| - the "or" operator: if the dig command fails, the error message on the right is printed. Be aware of what "fails" means here. dig returns a non-zero status only for its own problems (bad usage, no reply from the server at all). A name server that refuses the transfer still sends a reply, so dig prints "; Transfer failed." as a comment and exits 0, and the || branch is never taken. For a reliable check, test whether any non-comment record lines came back in the answer section rather than relying on the exit status.


Now let's use this function in a loop to try a zone transfer from each of our target's name servers:
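Here is the whole DNS module as one runnable script. It is an added example written for this article, not the original code from the screenshots: the prompt, dns_recon and check_zone_transfer follow the text above, while the ns_hosts helper, the output format and the error handling are my own additions. It assumes dig is installed (bind9-dnsutils on Debian and Kali).

```bash
#!/bin/bash
# DNS reconnaissance module: target prompt, dns_recon for A/MX/NS records,
# and an AXFR check against each name server. Needs dig (bind9-dnsutils).
set -u

# dns_recon TYPE DOMAIN: print records of one type, one per line.
# dig +short writes transport errors (";; connection timed out ...") to
# stdout, so those comment lines are dropped before testing for emptiness.
# sed is used rather than grep -v because sed exits 0 on empty output,
# which keeps the assignment safe if the script ever runs under set -e.
dns_recon() {
    local record_type=$1
    local target=$2
    local result
    result=$(dig +short "$record_type" "$target" 2>/dev/null | sed '/^;/d')
    if [ -n "$result" ]; then
        printf '%s\n' "$result"
        return 0
    fi
    echo "[-] No $record_type records found for $target" >&2
    return 1
}

# ns_hosts DOMAIN: name-server hostnames with the trailing dot removed,
# so each one can be handed to dig as @server.
ns_hosts() {
    dns_recon NS "$1" | sed 's/\.$//'
}

# check_zone_transfer DOMAIN NS: attempt AXFR from one name server.
# dig exits 0 even when the server answers REFUSED (it only prints
# "; Transfer failed."), so success is judged by whether any non-comment
# answer lines came back, not by dig's exit status.
check_zone_transfer() {
    local target=$1
    local ns=$2
    local answer
    answer=$(dig axfr "$target" "@$ns" +noall +answer 2>/dev/null | sed '/^;/d')
    if [ -n "$answer" ]; then
        echo "[!] Zone transfer ALLOWED by $ns:"
        printf '%s\n' "$answer"
        return 0
    fi
    echo "[-] Zone transfer refused or failed on $ns"
    return 1
}

# main DOMAIN: run the module, keeping each record set in a global
# variable for later stages of the script.
main() {
    local domain=$1
    echo "=================================================="
    echo "[*] DNS recon for $domain"
    a_records=$(dns_recon A "$domain")   || true
    mx_records=$(dns_recon MX "$domain") || true
    ns_records=$(ns_hosts "$domain")     || true
    printf '\n[*] A records:\n%s\n[*] MX records:\n%s\n[*] NS records:\n%s\n' \
        "$a_records" "$mx_records" "$ns_records"
    echo "[*] Trying zone transfers"
    for ns in $ns_records; do
        check_zone_transfer "$domain" "$ns" || true
    done
}

# Take the target from the command line, or prompt for it when run
# interactively. Running non-interactively with no argument only defines
# the functions, which is handy when sourcing this file from a larger script.
if [ $# -ge 1 ]; then
    main "$1"
elif [ -t 0 ]; then
    read -r -p "Enter the target domain: " domain
    main "$domain"
fi
```

Run it as ./dns_recon.sh example.com, or with no argument to be prompted. Two behaviours are deliberately handled: dig +short prints resolver timeouts to stdout, so an unfiltered -n test would report a dead resolver as a record, and dig axfr exits 0 on REFUSED, so the transfer check inspects the answer lines instead of the exit status.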


Website Technology Discovery


One crucial piece of intelligence is knowing which technologies your target runs: web server, frameworks, CMS, JavaScript libraries and their versions. Let's gather it with WhatWeb.



First, we inform the user that the WhatWeb scan is starting.


USER_AGENT="Mozilla/5.0 (Windows NT 10.0; Win64; x64)" - this line sets the User-Agent string WhatWeb will send, passed to it with the -U/--user-agent option. Left at the default, WhatWeb identifies itself by name in every request, which any WAF or IDS can match trivially. A browser-like string removes that obvious tell and lets the requests blend in with normal traffic. It does not hide the scan itself, though: the number and pattern of requests are still visible to anyone watching the logs.


whatweb -a 3 - sets the aggression level to 3 of 4. WhatWeb's levels are 1 (stealthy: a single HTTP request per target, plus any redirects), 3 (aggressive: additional requests are sent only when a level-1 plugin has already matched) and 4 (heavy: many requests per target, exercising every plugin). Level 3 is a reasonable compromise, giving more detail than a single request without the noise of a full level-4 run, but it is no longer a one-request scan, so choose level 1 when staying quiet matters more than coverage.


Let's check our script at the current stage.



BASH Scripting for Active Reconnaissance


We're going to extend our information gathering by integrating Censys, a search engine for internet-connected hosts and certificates, into our BASH reconnaissance script. Querying Censys is itself passive - we read its index rather than touching the target - but we'll use its results to pick hosts for an nmap scan, and that is where the active phase begins.


To get started, you need to install the Censys CLI tool:


kali> pip install censys


Configure your Censys API credentials:


kali> censys config


We'll start by creating a new function and checking whether Censys has any records for our domain.



We received a lot of data in JSON format.


Let's extract only the IP addresses from it and feed them to an nmap scan. To do this, modify the function as follows:


grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b" - prints only the parts of each input line that match the pattern, in our case the IP addresses. The pattern is a regular expression (regex), a compact language for describing text patterns:


  • -o: Only print matching parts of the lines.

  • -E: Interpret the pattern as an extended regular expression (ERE).

  • \b: Word boundary.

  • ([0-9]{1,3}\.){3}: Matches three groups of 1-3 digits, each followed by a dot.

  • [0-9]{1,3}: Matches the final group of 1-3 digits. Note that 1-3 digits is not the same as 0-255: this pattern also accepts 999.999.999.999, and it will pick up any dotted quad anywhere in the JSON. Deduplicate the output (sort -u) and validate the octet ranges before the list feeds a scanner.
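Below is an added example of the Censys-to-nmap stage, written for this article rather than taken from the original function: extract_ips applies the regex just described but also validates each octet and deduplicates, censys_recon wraps the Censys CLI, and scan_hosts feeds the result to nmap. The Censys query field (services.tls.certificates.leaf_data.names) and the --index-type hosts flag are assumptions to check against your installed CLI version; the nmap options are my own choices.

```bash
#!/bin/bash
# Censys-to-nmap module: query Censys for hosts tied to the target domain,
# keep only valid, unique IPv4 addresses, and scan them with nmap.
# Assumptions: the Censys CLI is installed and configured (pip install censys;
# censys config) and the query syntax below matches your Censys version.
set -u

# extract_ips: read any text (Censys JSON here) on stdin and print each
# distinct IPv4 address once. The regex from the article accepts any 1-3
# digit octet, so 999.1.1.1 would slip through; awk drops anything above 255.
extract_ips() {
    grep -oE '\b([0-9]{1,3}\.){3}[0-9]{1,3}\b' \
        | awk -F'[.]' '$1 <= 255 && $2 <= 255 && $3 <= 255 && $4 <= 255' \
        | sort -u
}

# censys_recon DOMAIN: search the Censys hosts index for services presenting
# a TLS certificate that names the domain (field name and --index-type flag
# are assumptions; see `censys search --help`), then reduce the JSON to IPs.
censys_recon() {
    local target=$1
    if ! command -v censys >/dev/null 2>&1; then
        echo "[-] censys CLI not found: pip install censys && censys config" >&2
        return 1
    fi
    echo "[*] Querying Censys for $target" >&2
    censys search "services.tls.certificates.leaf_data.names: $target" \
        --index-type hosts 2>/dev/null | extract_ips
}

# scan_hosts OUTDIR: nmap each IP read from stdin. -Pn skips host discovery
# (Censys already observed these hosts as up), -sV grabs service versions,
# and --top-ports 100 keeps the first pass quick. One -oN report per host.
scan_hosts() {
    local outdir=$1
    local ip
    mkdir -p "$outdir"
    while read -r ip; do
        [ -n "$ip" ] || continue
        echo "[*] nmap $ip -> $outdir/$ip.nmap"
        nmap -Pn -sV --top-ports 100 -oN "$outdir/$ip.nmap" "$ip"
    done
}

if [ $# -ge 1 ]; then
    censys_recon "$1" | scan_hosts "recon_$1"
else
    echo "usage: $0 <domain>" >&2
fi
```

Because extract_ips reads stdin, it works just as well on a saved Censys export or on any other tool's output, and the awk filter is what stops a stray version string or malformed field from ending up as an nmap target.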




Summary


Remember, Cyber Warriors: this script is just the beginning. As you evolve in your offensive capabilities, continue to enhance and customize this framework. Add more reconnaissance modules, integrate with other attack tools, and always adapt to the ever-changing digital battlefield.
