Developing an Automated Tool (PortWitness) using Bash Scripting for OSINT
Today I would like to share how I automate my tasks with bash scripting for web app pentesting. A month back I saw a tool named "EyeWitness" on my Twitter feed. It can be used to find out whether multiple sub-domains of a given domain are active or not: you pass it a list of sub-domains (say xyz.google.com, abc.google.com and so on for google.com) and, when run in the terminal, it takes a screenshot of each one. I cloned it and started using it. It happens a lot on WAPT projects or bug bounties that a site is given with *.site.com in scope, so after enumerating all the sub-domains of that site it becomes a tedious task to pick every sub-domain and open it manually in a browser to check whether it is working or not. I thought of building a tool with better accuracy, because EyeWitness relies on a timeout while waiting for a response from the server, which can sometimes result in false positives. Right away I opened Sublime Text and started automating this tedious task my own way, working at the network layer instead. All the code shown below is written in bash. Let's start with the code, which is divided into four parts.
Part One
Always start your bash script with a shebang line like #!/bin/bash; it just declares which shell should run the script, and it can equally be #!/bin/sh. {{tput}} is a command that can be used to clear the screen, similar to what {{clear}} does in the terminal. In the {{if}} block we check whether an argument (the domain name) was passed to the script by testing the $1 variable; if not, we print the {{banner}} with the usage. Otherwise we enter the {{else}} block, which runs when an argument (the domain name) is supplied. {{tput}} can also be used for formatting, such as making text bold. At the start of the else block a banner is shown, and the user's input is taken with the bash {{read}} command. If the user asks to check the active state of the sub-domains, a nested {{if-else}} starts inside the {{else}} block, so if the user selects "Y" then
Part Two
we go to the Sublist3r directory, which comes along with the cloned package. Sublist3r is a great tool for enumerating sub-domains; once the sub-domains are generated they are stored in the file "output.txt" in the same directory. I write every command in backticks (``) so that it is executed by the bash script. Next, "-f" is used to check whether a file from a previous scan is present, and if so it is removed with {{rm}}. We start with an nslookup on every sub-domain stored in "output.txt": this tool works by looking for open ports 80 and 443 on the sub-domains to verify whether they are active, so we need the IP addresses of all the sub-domains before we can proceed with an Nmap scan. The {{awk}} command is used with nslookup to extract only the IP address of each sub-domain from the full output, and ">>" means we append to the output file "ip_$1.txt" rather than overwriting it. The {{echo}} command is used to print a message whenever we want to display something. You may also have noticed that I use "-e" after echo; "-e" enables escape sequences such as \e[1m ... \e[0m, which makes the text bold, and I have also used it for coloring the text (the color codes can be found on Google). Once all the IPs are fetched, an {{Nmap}} scan is carried out on ports 80 and 443 of all the IP addresses, using the -iL option to pass in the list of IPs generated earlier and -oG to produce a grep-able output list of all the active IPs (along with a lot of other content). Finally we get an output file such as "port_status_$1.txt" from nmap, and a "while" loop with {{read -r line}} is used to go through the whole input file passed to it. So
Part Three
Now we remove any file containing active IPs that previously existed in the directory. Also, {{echo}} is used to put the output of a command into a text file. The output from nmap contains a lot of content, so with the {{grep}} and {{cut}} commands we get an output file containing just the active IP addresses, "active_ip_$1.txt". But wait, the IP addresses we get here are in a horizontal format, so we again use an awk command with a "for" loop to align the results vertically and store them in a file "result.txt"; the {{tee -a }} command is also used to put the output into a file. If we had used echo here instead of "tee" the output would again have been horizontal, which we don't want. In the final stage of the "else" block we have been walking through, we use nslookup again in a while loop to fetch the IP addresses of all the sub-domains generated by Sublist3r. If the nslookup output is empty we print "sub-domain is inactive"; otherwise we compare each nslookup result (an IP) with the IPs in result.txt using {{cat file | grep -c parameter }}, which outputs a 0 or 1. A value of "0" means the IP from nslookup was not found in the active IP list (result.txt), so we print "sub-domain is inactive"; otherwise we print "sub-domain is active" on the terminal and store the name of each active sub-domain in a file (active_domain.txt) using {{echo}} and {{>>}}. Now let's move further.
Part Four
The beginning of Part Four consists of the same code given in Part Three; it is just the else branch, which runs when the tool is executed for the first time and "active_domain.txt" does not yet exist. If the file exists, the "if" branch, which is quite similar and was described above, runs instead and an {{rm}} is done first. Finally we have all our active sub-domains stored in a file, which can be used for further scanning and exploitation. But what if we had entered "N" at the beginning, when asked whether or not to check for active sub-domains? Then we jump to the else branch, where the same procedure is carried out on the domain itself: the domain name is converted to an IP, an Nmap scan is performed, and the output is stored in an output file. So if [ $z != "" ] holds, there is content in the output file and "Sub-domain is active" is printed on the terminal, and vice versa. This was a complete overview of my tool PortWitness.
{All the if-else statements used in bash are ended with a "fi" statement, and while loops end with a "done" statement.}
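As an added example (not the PortWitness source itself), here is the core of Parts Two and Three as standalone bash functions: extracting the active IPs from nmap's -oG output and matching each sub-domain's resolved IP against that list. The gnmap text and the sub-domain-to-IP pairs are constructed samples so that it runs offline; the nslookup step is stood in for by those pairs, and the match uses an exact-line grep rather than the plain "grep -c" because a bare substring count would also match 10.0.0.10 when looking for 10.0.0.1.

```bash
#!/bin/bash
# Added example, not the original tool's code. Inputs below are constructed.
set -u

# Constructed sample of "nmap -p 80,443 -iL ip_example.com.txt -oG port_status_example.com.txt".
SAMPLE_GNMAP='# Nmap scan initiated (constructed sample)
Host: 10.0.0.1 () Status: Up
Host: 10.0.0.1 () Ports: 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.0.0.10 () Status: Up
Host: 10.0.0.10 () Ports: 80/closed/tcp//http///, 443/closed/tcp//https///
Host: 10.0.0.23 () Status: Up
Host: 10.0.0.23 () Ports: 80/filtered/tcp//http///, 443/open/tcp//https///
# Nmap done (constructed sample)'

# Print one IP per line for every host with port 80 or 443 reported open.
# The anchor before the port number keeps e.g. 8080/open from matching 80/open.
active_ips_from_gnmap() {
  grep -E '(^| )(80|443)/open/' "$1" | awk '{print $2}' | sort -u
}

# Exact whole-line match (-x) against the active list; prints 1 if found, else 0.
# A plain "grep -c 10.0.0.1" would also count 10.0.0.10 and 10.0.0.100 as hits.
is_active_ip() {
  grep -qxF -- "$1" "$2" && echo 1 || echo 0
}

# Classify a sub-domain from its resolved IP: an empty IP (nslookup found
# nothing) or an IP absent from the active list means the sub-domain is inactive.
classify() {  # $1 = sub-domain, $2 = resolved ip (may be empty), $3 = active-ip file
  if [ -z "$2" ] || [ "$(is_active_ip "$2" "$3")" = 0 ]; then
    echo "$1 is inactive"
  else
    echo "$1 is active"
  fi
}

demo() {
  tmp=$(mktemp -d); printf '%s\n' "$SAMPLE_GNMAP" > "$tmp/port_status.txt"
  active_ips_from_gnmap "$tmp/port_status.txt" > "$tmp/result.txt"
  # Constructed name=IP pairs standing in for nslookup results (empty = no answer).
  for pair in www.example.com=10.0.0.1 dev.example.com=10.0.0.10 \
              api.example.com=10.0.0.23 old.example.com=; do
    classify "${pair%%=*}" "${pair#*=}" "$tmp/result.txt"
  done
  rm -rf "$tmp"
}
demo
```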
Happy Hacking !!