BASH

==============================================================
Bash:
==============================================================

Imagine that you are tasked with listing all the cisco.com subdomains linked on their index page and then finding their corresponding IP addresses. Doing this manually would be frustrating and take a long time; however, with some simple bash commands we can turn this into a simple task.

Let's start by downloading the index page for cisco.com with the wget command.
#wget cisco.com

Extract a clean list of unique domain names from the index.html file downloaded by the wget command above and save it to cisco.txt:
#cat index.html |grep "href=" |cut -d"/" -f3 |grep "cisco\.com" |cut -d'"' -f1 |sort -u > cisco.txt

Let's open up a text file and write a bash script that will:
- read all of the domain names from the cisco.txt file
- and then run the host command against each one of them, providing a nice clean output to the console.

Use the nano text editor to create a file called cisco.sh:
#nano cisco.sh

------------------------------------------------
#!/bin/bash

# Resolve each domain in cisco.txt and print only the IPv4 addresses
for url in $(cat cisco.txt); do
    host "$url" |grep "has address" |cut -d" " -f4
done
------------------------------------------------

Give the script executable permissions:
#chmod 755 cisco.sh

Execute the file:
#./cisco.sh

The output of this script produces a list of IPs. No domain names can be seen in the output.

------------------------------------------------
In fact, the whole exercise could have been achieved with a single line of bash, similar to the following:
#for url in $(grep -o '[A-Za-z0-9_\.-]*\.*cisco\.com' index.html |sort -u); do host "$url" |grep "has address" |cut -d" " -f4; done
------------------------------------------------

BASH PING SWEEPER:

-------------------------------------
#!/bin/bash

for ip in $(seq 200 254); do
ping -c 1 192.168.31.$ip |grep "bytes from" |cut -d" " -f4 |cut -d":" -f1 &
done
-------------------------------------

We are given an Apache HTTP server log that contains evidence of an attack. Our task is to use simple Bash commands to inspect the file and discover various pieces of information, such as who the attackers were, and what exactly happened on the server.

We first use the head and wc commands to take a quick peek at the log file to understand its structure.

#gunzip access_log.txt.gz
#mv access_log.txt access.log
#head access.log
OUTPUT NOT SHOWN - details in PDF manual.

#wc -l access.log

Upon inspection we can see that the log is grep friendly.

We will pipe the output of the cat command into the cut and sort commands:

#cat access.log |cut -d" " -f1 |sort -u
For the data file on hand, this command provides a list of IPs.

We see fewer than ten IP addresses. Next we use the uniq and sort commands to further refine our output and sort the data by the number of times each IP address accessed the server.
#cat access.log |cut -d" " -f1 |sort |uniq -c |sort -rn

We now focus on the one IP with the highest access count. To display and count the resources that were being requested by that IP address, the following command sequence can be used:
#cat access.log |grep '208.68.234.99' |cut -d "\"" -f2 |sort |uniq -c

From the output above, it looks like this IP was accessing only the /admin directory.

Let's take a closer look:
#cat access.log |grep '208.68.234.99' |grep '/admin ' |sort -u

The output from the above command suggests that this IP was involved in an HTTP brute force attempt on the server. Furthermore, it looks like after around 1070 attempts, the brute force attempt succeeded, as indicated by the 200 web response from the server recorded in the logs.
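
The same triage as a reusable check, as an added example that is not part of the original notes: it flags any client whose run of failed requests to a protected path ends in a 200. It assumes the Apache common/combined log format and that failed logins are logged as 401; find_bruteforce, make_sample_log and the sample log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example: flag client IPs whose repeated failed requests to a protected
# path are followed by a success (a possible successful brute force).
# Assumptions: Apache common/combined log format (client IP = field 1,
# request path = field 7, status = field 9); failed logins return 401.

# usage: find_bruteforce LOGFILE PATH_PREFIX MIN_FAILURES
# prints one line per flagged client:
#   <ip> <401 count before first 200> <timestamp of first 200>
find_bruteforce() {
    awk -v prefix="$2" -v min="$3" '
        index($7, prefix) == 1 {              # request is under the watched path
            ip = $1
            if (ip in hit) next               # already flagged, stop counting
            if ($9 == 401) {
                fails[ip]++
            } else if ($9 == 200 && fails[ip] >= min) {
                hit[ip] = substr($4, 2)       # timestamp without the leading "["
                order[++n] = ip               # keep first-seen order for output
            }
        }
        END {
            for (i = 1; i <= n; i++)
                print order[i], fails[order[i]], hit[order[i]]
        }' "$1"
}

# Constructed sample log (documentation address ranges, not data from the page).
make_sample_log() {
    # One client: five 401s on /admin, then a 200.
    for i in 1 2 3 4 5; do
        printf '198.51.100.7 - - [10/Oct/2023:13:55:%02d +0000] "GET /admin HTTP/1.1" 401 381 "-" "-"\n' "$i"
    done
    printf '198.51.100.7 - admin [10/Oct/2023:13:55:06 +0000] "GET /admin HTTP/1.1" 200 575 "-" "-"\n'
    # A client with one failure whose 200 is for an unrelated page: not flagged.
    printf '203.0.113.20 - - [10/Oct/2023:13:56:00 +0000] "GET /admin HTTP/1.1" 401 381 "-" "-"\n'
    printf '203.0.113.20 - - [10/Oct/2023:13:56:09 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"\n'
    # A legitimate login with no preceding failures: not flagged.
    printf '192.0.2.44 - alice [10/Oct/2023:13:57:00 +0000] "GET /admin HTTP/1.1" 200 575 "-" "-"\n'
}

log=$(mktemp)
make_sample_log > "$log"
find_bruteforce "$log" /admin 5    # -> 198.51.100.7 5 10/Oct/2023:13:55:06
rm -f "$log"
```

On a real log, run it as find_bruteforce access.log /admin 100 and review each flagged timestamp against what the account did afterwards.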

BASH - ACTIVE INFORMATION GATHERING: SMTP VRFY Bash Script
////////////////////////////////////////////////////////
//// MAIL SERVERS ARE THE TARGETS IN THE LABS HERE /////
////////////////////////////////////////////////////////

A list of users in users.txt

root
backup
bob
dick
david
harry
apache
igor
ron
mike
harry
joseph

In a real-world scenario, this list of users would be filled with information found in the user information gathering stage.

Automatically connect to the SMTP server on port 25 and issue the VRFY command for each user in users.txt:

#for user in $(cat users.txt); do echo VRFY $user |nc -nv -w 1 192.168.31.215 2>/dev/null |grep ^"250";done

In a script:

----------------------------------------------
#!/bin/bash

# Issue VRFY for each name in users.txt and keep only the 250 replies
for user in $(cat users.txt); do
    echo VRFY "$user" |nc -nv -w 1 192.168.31.215 2>/dev/null |grep ^"250"
done
------------------------------------------------