Quick Bash Fu to get an overview of a target

While your standard enumeration scripts run, you often want a quick overview of the target. Whether you are on a penetration test or sizing up a potential client's domain, efficiency is key. Below are some of the Bash one-liners I reach for to gather initial data: they help identify subdomains, check web server responses, and spot potential vulnerabilities.

  1. Finding Subdomains and Their IPs
echo domain.com | assetfinder | while read -r line; do dig +short A "$line" | grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$' | while read -r ip; do echo "$line $ip"; done; done

Purpose: This pipeline finds subdomains of domain.com with assetfinder and resolves each one with dig. The record type is pinned to A and the output filtered to dotted quads because dig +short on a CNAME also prints the CNAME target, which would otherwise land in the IP column. Names with no A record produce no output at all, so keep the raw assetfinder list as well if you care about unresolved hosts.

Example Output:

subdomain1.domain.com 192.0.2.1
subdomain2.domain.com 198.51.100.2
  2. Checking Web Server Responses
cat hosts | httpx -sc -title -td -cl -bp 10

Purpose: This command takes a list of hosts and checks each with httpx, printing the status code (-sc), page title (-title), detected technologies (-td), content length (-cl) and the first 10 bytes of the body (-bp 10). The title and technology stack are usually enough to sort hosts into login portals, marketing sites and "something odd" at a glance.

Example Output:

https://subdomain1.domain.com [200] [Home Page] [Cloudflare, Wordpress, PHP] [2100] [DOCTYP!]
  3. Discovering Directories or Files
cat hosts | sed 's|$|/keys|g' | httpx -sc -cl -bp 20

Purpose: This appends /keys to every host URL and uses httpx to report the status code, content length and a 20-byte body preview, potentially discovering exposed directories or files. Hosts written with a trailing slash will get //keys, so strip that first. Read the results against a baseline: a host that answers 200 to every path (a soft 404) will also answer 200 here, so a hit is only interesting when its status or length differs from what the same host returns for a random path.

  4. Testing for Honeypots
cat hosts | sed 's|$|?RandomVariable=../../../../../../../../etc/passwd|g' | httpx -x all -sc -title -bp 20

Purpose: This command tests for basic honeypot detection by appending a query parameter whose value is a directory traversal payload and sending it with every HTTP method (-x all). A real application has no reason to open a file named by a parameter it has never heard of, so if the 20-byte body preview comes back starting with root:x:0:0 for an arbitrary parameter name, you are most likely looking at a honeypot that rewards any traversal attempt. I hope it's a honeypot; the alternative is insane.

Example Output:

https://subdomain1.domain.com?RandomVariable=../../../../../../../../etc/passwd [400] "Bad Request"
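
Added example for the /keys and traversal probes (not code from the original post): a safe way to build the URLs, a filter that keeps only /keys responses that differ from what the same host returns for a random path, and a check for the passwd marker in the body preview. The httpx output lines, host names and the zq8v1k baseline path are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Three helpers for the /keys and
# traversal probes: build URLs without mangling hosts, separate real hits from
# a host's generic not-found page by comparing against a baseline request, and
# pull out responses whose body preview is /etc/passwd. File names, the random
# baseline path and the httpx output lines below are constructed for the demo.

# make_urls SUFFIX < hosts -> one URL per host with SUFFIX appended. A host
# line like "https://h/" would become "https://h//keys" with plain sed, so
# strip any query string and trailing slashes first.
make_urls() {
    awk -v s="$1" '{ sub("[?].*$", ""); sub("/+$", ""); print $0 s }'
}

# filter_by_baseline BASELINE PROBE
# Both files hold httpx "-sc -cl" output: "URL [status] [length]". BASELINE
# comes from requesting a random path that should not exist, PROBE from the
# path of interest. Prints PROBE lines whose status or length differs from
# the same host's baseline, which drops soft-404 hosts that answer 200 to
# everything. Hosts missing from the baseline are printed and marked.
filter_by_baseline() {
    awk '
        function hostkey(u) { sub("^[a-z]+://", "", u); sub("[/?].*$", "", u); return u }
        function code(s)    { gsub("\\[|\\]", "", s); return s }
        FILENAME == ARGV[1] { k = hostkey($1); bsc[k] = code($2); bcl[k] = code($3); next }
        {
            k = hostkey($1)
            if (!(k in bsc)) { print $0 " (no baseline)"; next }
            if (code($2) != bsc[k] || code($3) != bcl[k]) print $0
        }
    ' "$1" "$2"
}

# traversal_hits < httpx output (-sc -title -bp 20) -> URLs whose 20-byte body
# preview starts like /etc/passwd. Getting this back for an arbitrary query
# parameter is the honeypot (or catastrophe) case from the post.
traversal_hits() {
    awk '/root:x:0:0/ { print $1 }'
}

demo() {
    tmp=$(mktemp -d)
    # Constructed httpx output: a.example.com is a soft-404 host, b.example.com
    # really serves /keys, c.example.com has nothing, d.example.com is new.
    cat > "$tmp/baseline" <<'EOF'
https://a.example.com/zq8v1k [200] [5120]
https://b.example.com/zq8v1k [404] [162]
https://c.example.com/zq8v1k [404] [162]
EOF
    cat > "$tmp/probe" <<'EOF'
https://a.example.com/keys [200] [5120]
https://b.example.com/keys [200] [2048]
https://c.example.com/keys [404] [162]
https://d.example.com/keys [403] [0]
EOF
    filter_by_baseline "$tmp/baseline" "$tmp/probe"
    rm -rf "$tmp"
}

demo
```

In practice the two input files come from `make_urls /zq8v1k < hosts | httpx -sc -cl > baseline` and `make_urls /keys < hosts | httpx -sc -cl > probe`, with the random path changed per engagement; the same pairing works for the traversal probe by feeding `make_urls '?RandomVariable=...'` output through `traversal_hits`.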
  5. Probing for Active Hosts
prips subnet | httprobe | tee hosts

Purpose: Generates IP addresses within a specified subnet using prips, checks for active web servers using httprobe, and saves the results to a file.

Example Output:

http://192.0.2.1
https://198.51.100.2
  6. DNS Lookup for IP Addresses
prips subnet | while read -r line; do host "$line"; done

Purpose: This generates the IP addresses in a subnet and performs a reverse (PTR) lookup on each with host, which often reveals hostnames that subdomain enumeration missed. Many addresses have no PTR record, so expect plenty of NXDOMAIN lines in between the useful ones.

Example Output:

1.2.0.192.in-addr.arpa domain name pointer subdomain1.domain.com.
2.100.51.198.in-addr.arpa domain name pointer subdomain2.domain.com.
  7. Checking for Cloudflare Bypass by DNS History
curl -s "https://api.dnslytics.net/v1/hostinghistory/<domain>?apikey=<apikey>" | jq

Purpose: Queries the hosting history of a domain to identify the IP addresses it pointed at before it was put behind Cloudflare. If the origin server still answers on one of those addresses, requesting it directly with the right Host header (for example with curl --resolve) bypasses Cloudflare's WAF and rate limiting entirely. Ignore history entries that are themselves Cloudflare ranges, and quote the URL so the shell does not treat the ? as a glob.

Example Output:

{
  "data": [
    {
      "ip": "192.0.2.1",
      "first_seen": "2023-01-01",
      "last_seen": "2023-06-01",
      "hostnames": ["subdomain1.domain.com"]
    }
  ]
}
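
Added example for the origin check (not from the original post): filter DNS-history addresses that fall inside Cloudflare's own ranges, then confirm a survivor by requesting the site from it directly. The range list is a snapshot of the list Cloudflare publishes at https://www.cloudflare.com/ips-v4 and must be refreshed before use; the demo addresses are documentation ranges, not real hosts.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. DNS history often returns
# addresses that are themselves Cloudflare edges, which are useless as origin
# candidates. These helpers drop those and give a direct check for the rest.
# The range list is a snapshot of https://www.cloudflare.com/ips-v4 and must be
# refreshed before use; the IPs in the demo are documentation addresses.

CLOUDFLARE_V4='173.245.48.0/20 103.21.244.0/22 103.22.200.0/22 103.31.4.0/22
141.101.64.0/18 108.162.192.0/18 190.93.240.0/20 188.114.96.0/20
197.234.240.0/22 198.41.128.0/17 162.158.0.0/15 104.16.0.0/13 104.24.0.0/14
172.64.0.0/13 131.0.72.0/22'

# ip2int A.B.C.D -> the address as a 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr . ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS -> exit 0 if IP lies inside the block
in_cidr() {
    local net=${2%/*} bits=${2#*/} mask
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# is_cloudflare IP -> exit 0 if IP is in a Cloudflare range
is_cloudflare() {
    local c
    for c in $CLOUDFLARE_V4; do
        in_cidr "$1" "$c" && return 0
    done
    return 1
}

# origin_candidates < one IP per line -> the ones that are not Cloudflare edges
origin_candidates() {
    local ip
    while IFS= read -r ip; do
        [ -n "$ip" ] || continue
        is_cloudflare "$ip" || printf '%s\n' "$ip"
    done
}

# check_origin DOMAIN IP -> HTTP status when DOMAIN is requested from IP
# directly, with the right Host header and SNI. A status, title and length
# matching the Cloudflare-fronted site confirm the origin; -k because origins
# often carry a Cloudflare origin certificate that public CAs do not trust.
# Network call, not exercised by the demo.
check_origin() {
    curl -sk -o /dev/null -w '%{http_code}\n' --max-time 10 \
         --resolve "$1:443:$2" "https://$1/"
}

# demo -> candidates from a constructed list: one edge, one plausible origin,
# one more edge
demo() {
    printf '104.16.1.1\n192.0.2.1\n172.67.1.1\n' | origin_candidates
}

demo
```

With the real API response, `jq -r '.data[].ip' < history.json | origin_candidates` gives the list to try, and `check_origin domain.com 192.0.2.1` (with a real candidate) tells you whether the origin still answers for the domain without going through Cloudflare.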

Conclusion

These commands are just the tip of the iceberg but serve as a powerful starting point for anyone looking to get a quick overview of a domain during a pentest. Remember, the effectiveness of these commands depends on the scope of your engagement and the specific objectives of your assessment. Always ensure you have permission before engaging with any target.
