Bash Scripting for Penetration Testers: Automate Your Workflow

Bash scripting allows penetration testers to automate repetitive tasks, process data efficiently, and create custom tools. This guide covers essential Bash scripting concepts with practical examples for security testing.

Bash Basics

Creating a Script

#!/bin/bash
# This is a comment
echo "Hello, World!"

# Make executable
chmod +x script.sh

# Run
./script.sh
bash script.sh

Variables

#!/bin/bash
# Variable assignment (no spaces!)
name="hacker"
ip="192.168.1.1"

# Using variables
echo "Hello, $name"
echo "Target IP: ${ip}"

# Command substitution
current_date=$(date)
files=$(ls -la)

# Read user input (-r keeps backslashes in the input literal)
read -r -p "Enter target IP: " target
echo "Scanning $target"

Arguments

#!/bin/bash
# $0 = script name
# $1, $2, etc. = arguments
# $# = number of arguments
# $@ = all arguments

echo "Script: $0"
echo "First arg: $1"
echo "All args: $@"
echo "Number of args: $#"

# Usage: ./script.sh arg1 arg2

Conditionals

#!/bin/bash
# If statement
if [ "$1" == "" ]; then
    echo "Usage: $0 <argument>"
    exit 1
fi

# Numeric comparison (count is taken from the first argument so the snippet runs)
count=$1
if [ "$count" -gt 10 ]; then
    echo "More than 10"
elif [ "$count" -eq 10 ]; then
    echo "Exactly 10"
else
    echo "Less than 10"
fi

# File tests (sample paths so the snippet runs as-is)
file="/etc/hostname"
dir="/tmp"
if [ -f "$file" ]; then
    echo "File exists"
fi

if [ -d "$dir" ]; then
    echo "Directory exists"
fi

if [ -r "$file" ]; then
    echo "File is readable"
fi

# String tests (var holds the optional second argument)
var=$2
if [ -z "$var" ]; then
    echo "Variable is empty"
fi

if [ -n "$var" ]; then
    echo "Variable is not empty"
fi

Loops

#!/bin/bash
# For loop - iterate over list
for ip in 192.168.1.1 192.168.1.2 192.168.1.3; do
    ping -c 1 "$ip"
done

# For loop - iterate over range
for i in {1..254}; do
    ping -c 1 "192.168.1.$i"
done

# For loop - iterate over file
# (splits the file on any whitespace, not only newlines; the while-read
# form below is the safer way to go line by line)
for line in $(cat hosts.txt); do
    echo "Scanning $line"
done

# While loop
counter=1
while [ "$counter" -le 10 ]; do
    echo "$counter"
    ((counter++))
done

# Read file line by line
# (IFS= keeps leading/trailing whitespace, -r keeps backslashes literal)
while IFS= read -r line; do
    echo "$line"
done < hosts.txt
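The while-read loop is the form to use for target files, but it still needs a little care: comments, blank lines, trailing spaces and a last line with no newline all come up in real wordlists and host lists. The following is an added example, not code from the original post: a read_targets helper that handles those cases, next to the unquoted $(cat ...) loop for comparison. The sample file is constructed inline; the function names are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): read a targets file the robust way.
# Needs only bash and sed; the sample file below is constructed for the demo.
set -u

# Constructed sample: a comment, a blank line, trailing spaces, an entry with an
# embedded space, and no newline after the last entry.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '192.168.1.10\n# scanner host\n\n192.168.1.20   \nbad host.example\nweb01.lab.local' > "$sample"

# read_targets FILE: print one cleaned target per line, skipping blanks and comments.
read_targets() {
    local file=$1 line=''
    # IFS= keeps whitespace intact, -r keeps backslashes literal, and the
    # "|| [ -n "$line" ]" clause still processes a final line with no newline
    # (a plain "while read" would silently drop it)
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                                        # drop comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')  # trim
        [ -n "$line" ] || continue                                              # skip blanks
        printf '%s\n' "$line"
    done < "$file"
}

count_targets() { read_targets "$1" | wc -l | tr -d ' '; }

# The fragile form from the loop section: unquoted $(cat ...) splits on every
# run of whitespace, so "bad host.example" becomes two items and the comment
# line becomes three.
naive_count() {
    local n=0 word
    for word in $(cat "$1"); do n=$((n + 1)); done
    echo "$n"
}

echo "read_targets: $(count_targets "$sample") targets"   # 4
echo "naive loop:   $(naive_count "$sample") items"       # 8
read_targets "$sample"
```

The difference matters beyond tidiness: a host list that has been tampered with, or simply hand-edited, is what feeds the scanning loops later on, and the naive loop hands each whitespace-separated fragment to ping or nmap as if it were a target.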

Functions

#!/bin/bash
# Define function
scan_host() {
    local ip=$1
    if ping -c 1 "$ip" > /dev/null 2>&1; then
        echo "$ip is up"
    fi
}

# Call function
scan_host 192.168.1.1

# Function with return value
# Host and port are handed to the child bash as $0 and $1 instead of being
# interpolated into the -c string, so unusual input cannot become shell code
check_port() {
    timeout 1 bash -c 'echo > "/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
    return $?   # redundant: a function already returns the status of its last command
}

if check_port 192.168.1.1 80; then
    echo "Port 80 is open"
fi
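check_port takes its host and port from arguments, and in a real script those arguments come from a wordlist, a file or a user prompt. Whatever the source, the two things that keep a `bash -c` call safe are validating the values against an allowlist and passing them as parameters rather than splicing them into the command string. The block below is an added example, not code from the original post; the validator names, the IPv4-only allowlist and the exit codes are assumptions for the demo, and it needs bash (for /dev/tcp) plus coreutils timeout.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): validate host and port before
# they reach a command line, then connect via /dev/tcp without building the
# command from the input. Function names and exit codes are assumptions.

# is_ipv4 ADDR: four dotted decimal octets, each 0-255. Returns 0 if valid.
is_ipv4() {
    local addr=$1 octet count=0
    case $addr in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octets
    esac
    local IFS=.
    for octet in $addr; do
        count=$((count + 1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# is_port NUM: an integer in 1-65535.
is_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_port HOST PORT: 0 if a TCP connect succeeds, 1 if it does not,
# 2 if an argument is rejected. The values go to the child bash as $0 and $1
# instead of being spliced into the -c string, so an input such as
# '127.0.0.1; id' is never parsed as shell code.
check_port() {
    local host=$1 port=$2
    is_ipv4 "$host" || { echo "check_port: rejected host '$host'" >&2; return 2; }
    is_port "$port" || { echo "check_port: rejected port '$port'" >&2; return 2; }
    timeout 1 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null || return 1
}

# Demo: the first call probes the loopback SSH port; the second is refused
# before any command runs.
check_port 127.0.0.1 22 && echo "127.0.0.1:22 open" || echo "127.0.0.1:22 not open"
check_port '127.0.0.1; id' 22 || echo "rejected with status $?"
```

The allowlist is deliberately narrow. If a script has to accept hostnames as well, add a second validator for the hostname grammar rather than loosening is_ipv4; rejecting anything outside the expected shape is what stops a crafted entry in a shared wordlist from running as a command under the tester's account.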

Practical Scripts

Ping Sweep

#!/bin/bash
if [ "$1" == "" ]; then
    echo "Usage: $0 <network-prefix>"
    echo "Example: $0 192.168.1"
    exit 1
fi

for ip in {1..254}; do
    # Run each probe in a background subshell so the sweep is parallel. The
    # result is checked inside the subshell, because $? after "cmd &" only
    # reports that the job was started, not whether the ping succeeded
    ( ping -c 1 -W 1 "$1.$ip" > /dev/null 2>&1 && echo "$1.$ip is up" ) &
done
wait

Port Scanner

#!/bin/bash
if [ $# -ne 2 ]; then
    echo "Usage: $0 <ip> <port-range>"
    echo "Example: $0 192.168.1.1 1-1000"
    exit 1
fi

ip=$1
range=$2
start=$(echo "$range" | cut -d- -f1)
end=$(echo "$range" | cut -d- -f2)

for port in $(seq "$start" "$end"); do
    timeout 1 bash -c 'echo > "/dev/tcp/$0/$1"' "$ip" "$port" 2>/dev/null && echo "Port $port is open"
done

Subdomain Enumerator

#!/bin/bash
if [ $# -ne 2 ]; then
    echo "Usage: $0 <domain> <wordlist>"
    exit 1
fi

domain=$1
wordlist=$2

# grep -q keeps the raw host output off the screen, so only resolving names are printed
while IFS= read -r sub; do
    host "$sub.$domain" 2>/dev/null | grep -q "has address" && echo "$sub.$domain"
done < "$wordlist"

Log Parser

#!/bin/bash
# Extract IPs from access log: first field of each line, top 20 by count
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20

# Find failed SSH attempts, counted per source IP
# ($(NF-3) is the field three from the end, i.e. the IP in
# "... from 203.0.113.5 port 51000 ssh2")
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
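The one-liners above are the whole idea of log triage in Bash: pick the field, count, sort. As an added example (not code from the original post), here is the failed-login count wrapped into functions and run over constructed sshd lines, with a threshold step that picks out sources worth blocking or alerting on. It keys on the word after "from" instead of a fixed field index, so both the "for USER from IP" and the "for invalid user USER from IP" message shapes are handled without relying on the trailing field count. The sample lines and function names are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): count failed SSH logins per source
# over constructed sample lines and flag sources above a threshold. Uses awk,
# sort and bash only; the log excerpt below is made up for the demo.
set -u

# Constructed auth.log excerpt with both sshd message shapes and one success.
sample_log=$(cat <<'EOF'
Mar  1 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.5 port 51000 ssh2
Mar  1 10:00:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51001 ssh2
Mar  1 10:00:03 host sshd[1203]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar  1 10:00:04 host sshd[1204]: Accepted publickey for deploy from 198.51.100.7 port 40000 ssh2
Mar  1 10:00:05 host sshd[1205]: Failed password for invalid user test from 198.51.100.7 port 40001 ssh2
Mar  1 10:00:06 host sshd[1206]: Failed password for root from 203.0.113.5 port 51003 ssh2
Mar  1 10:00:07 host sshd[1207]: Failed password for guest from 192.0.2.9 port 2222 ssh2
EOF
)

# failed_by_ip: read sshd lines on stdin, print "COUNT IP" per source,
# most frequent first. The IP is the token following "from", whatever the
# username looks like.
failed_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# flag_sources THRESHOLD: read sshd lines on stdin, print IPs with at least
# THRESHOLD failures (the list you would feed to a blocklist or an alert).
flag_sources() {
    local threshold=$1
    failed_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Wrappers that feed the constructed sample.
sample_counts()  { printf '%s\n' "$sample_log" | failed_by_ip; }
sample_flagged() { printf '%s\n' "$sample_log" | flag_sources 3; }

sample_counts
echo "--- sources with >= 3 failures ---"
sample_flagged
```

To run this over a real file, replace the wrapper with `failed_by_ip < /var/log/auth.log`; the threshold is the only tunable, and sort -rn only orders by count, so ties between sources with equal counts come out in no particular order.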

Automated Recon Script

#!/bin/bash
if [ -z "$1" ]; then
    echo "Usage: $0 <target>"
    exit 1
fi

target=$1
output_dir="recon_$target"

mkdir -p "$output_dir"

echo "[*] Running Nmap scan..."
nmap -sC -sV -oA "$output_dir/nmap" "$target"

echo "[*] Running Gobuster..."
gobuster dir -u "http://$target" -w /usr/share/wordlists/dirb/common.txt -o "$output_dir/gobuster.txt"

echo "[*] Running Nikto..."
nikto -h "$target" -output "$output_dir/nikto.txt"

echo "[*] Recon complete! Results in $output_dir"

Tips and Best Practices

  • Always quote variables: "$var" not $var
  • Use shellcheck to validate scripts
  • Add error handling with set -e
  • Use meaningful variable names
  • Add usage information for scripts
  • Test scripts in a safe environment first
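Put together, these tips describe a script skeleton rather than a list of habits. The block below is an added example, not code from the original post: a driver in the shape of the recon script above that applies strict mode, a usage function, an up-front tool check, input validation for the target (so a value such as "../etc" or "-oG" cannot become a path or an option when it is spliced into file names and command lines), scratch space that is cleaned up by a trap, and per-step output that is only published when the step succeeds. The steps run placeholder commands (printf, false) so it executes offline; the function names and output layout are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a driver skeleton applying the
# tips above. Steps use placeholder commands so it runs offline; the layout and
# function names are assumptions for the demo.
set -euo pipefail          # stop on errors, unset variables and failures inside pipes

failed_steps=0
workdir=""
outdir=""
# Remove scratch files however the script ends (error, Ctrl-C, normal exit).
trap '[ -n "$workdir" ] && rm -rf "$workdir"' EXIT

usage() {
    echo "Usage: $0 <target> <output-dir>" >&2
    echo "Example: $0 192.168.1.1 ./recon" >&2
}

log() { printf '[%s] %s\n' "$(date +%H:%M:%S)" "$*" >&2; }

# require_tools NAME...: fail up front, listing every missing tool, instead of
# dying halfway through a run with partial results on disk.
require_tools() {
    local missing=0 tool
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; missing=1; }
    done
    return "$missing"
}

# safe_name VALUE: allow only the characters a host or IP needs. Rejects empty
# values, a leading dash (would be parsed as an option), ".." and path separators.
safe_name() {
    case $1 in
        ''|-*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# run_step LABEL CMD ARGS...: write the step's output to scratch space and
# publish it only on success; a failing step is counted, not fatal.
run_step() {
    local label=$1; shift
    local scratch="$workdir/$label.txt"
    log "running $label"
    if "$@" >"$scratch" 2>&1; then
        mv "$scratch" "$outdir/$label.txt"
        log "$label done -> $outdir/$label.txt"
    else
        log "$label FAILED (exit $?); partial output not published"
        failed_steps=$((failed_steps + 1))
    fi
}

main() {
    [ $# -eq 2 ] || { usage; return 1; }
    local target=$1
    outdir=$2
    safe_name "$target" || { echo "refusing unsafe target '$target'" >&2; return 1; }
    require_tools mktemp mv printf || return 1
    mkdir -p "$outdir"
    workdir=$(mktemp -d)
    # Real use would call nmap/gobuster/nikto here, as in the recon script above.
    run_step banner printf 'recon of %s\n' "$target"
    run_step broken false
    log "finished: $failed_steps failed step(s); results in $outdir"
    [ "$failed_steps" -eq 0 ]
}

# Demo run into a temporary output directory; the "broken" step fails on purpose
# to show that the run continues and the failure is reported at the end.
demo_dir=$(mktemp -d)
main 192.168.1.1 "$demo_dir" || log "demo finished with failures, as intended"
```

Two design points worth keeping when the placeholders are swapped for real tools: the output directory name is built from a validated target, so a wordlist entry cannot steer output outside the directory, and nothing is published unless the step exits 0, so a later parsing script never sees a half-written nmap or gobuster file.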

Summary

Bash scripting is a powerful skill for penetration testers. Start with simple scripts and gradually build more complex automation. The time invested in learning Bash pays off quickly when you can automate reconnaissance, parsing, and repetitive tasks during engagements.

Written by

Window Events
