Introduction
As a pentester and a CTF player, we enjoy what we do, but at the same time we try to avoid the hassles and repetitive tasks involved as much as possible. Although some of them are not avoidable (e.g. writing reports), we can make our lives easier by doing things in more elegant ways. In this article, I will share some small bash tricks that I use to make my work a bit more elegant and to increase my productivity.
Organise Workspaces
workspace() {
    # Workspace directories live directly under $HOME, named after the project.
    local ws="$HOME/$1"
    # Create the directory only if it does not exist yet.
    if [ ! -d "$ws" ]; then
        mkdir "$ws"
    fi
    # Change into it before starting tmux, so every shell spawned in the
    # session inherits the workspace as its initial working directory.
    cd "$ws" || return
    tmux
}
I use the above bash function to create workspace directories before starting the actual work. It first checks whether a directory with the specified name already exists, creates it if it does not, and cds into it. Then it starts a tmux session within that directory. The benefit is that every shell spawned in the tmux session will have that directory as its initial working directory. In this way, you can keep your in-scope files well organised in the project workspace.
Tmux
Speaking of tmux, it is the terminal multiplexer that I use quite heavily. I won't write about it here because you can learn enough to begin using it from this video by IppSec.
Log Terminal Sessions
Sometimes you may find key information missing from your notes when you try to turn them into a report after a pentest. This situation can be a disaster, since you may need to run the exploit again. But it is common, because everyone may forget to write things down while focusing on their exploit during the engagement. This is why it is important to log your terminal sessions. Recently I have been getting used to running the script command to do that before I start exploitation, and I would recommend that you begin using it if you haven't.
Custom Nmap Commands
nmap is a command that we run in the recon phase of almost every engagement, so you definitely don't want to type the entire command with complicated arguments every time. I have the following functions defined to make this a bit easier.
nmap-default
nmap-default() {
    # All output files go into ./recon; create it if it is missing.
    if [ ! -d recon ]; then
        mkdir recon
    fi
    # Default scripts (-sC), version detection (-sV), all output formats (-oA).
    # sudo gives nmap raw-packet access, so the default scan type is SYN (-sS).
    sudo nmap -sC -sV -oA recon/default "$1"
}
nmap-default is the command I run whenever I need a normal nmap TCP scan. It enumerates service versions (-sV), runs the default NSE scripts (-sC), and outputs all formats (-oA). It runs with sudo to be able to use raw packets, ensuring that its default behaviour is a SYN scan (-sS) rather than a connect scan (-sT).
Before running the scan, it first checks whether a directory named recon already exists in the current working directory. It creates the directory if it does not exist, and this directory is where all the output files are located. This is just another small trick to keep things organised.
nmap-full
nmap-full() {
    # Phase 1: fast full-port sweep; keep only the port numbers of the lines
    # that start with a digit and join them into a comma-separated list.
    ports=$(sudo nmap -p- -T4 --min-rate=1000 "$1" | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
    if [ -z "$ports" ]
    then
        echo "No ports open!"
    else
        echo "Open ports: $ports"
        if [ ! -d recon ]; then
            mkdir recon
        fi
        # Phase 2: the heavier scripted/version scan, limited to the open ports.
        sudo nmap -sC -sV -oA recon/full -p "$ports" "$1"
    fi
}
nmap-full is a two-phase full-port (1-65535) TCP scan. Although it is not used as often, it is still defined as a function in my shell resource files, since it comes in handy when a full port scan is needed. In the first phase it runs a simpler full-port scan, trading off some accuracy for speed (--min-rate=1000 and -T4). Some people may prefer masscan in this phase, but I find that nmap itself can do the job at roughly the same speed with higher accuracy and stability. The purpose of the first phase is only to produce a list of open ports. In the second phase, another "heavier" nmap scan with options similar to nmap-default is run only against that list of open ports. In this way, the scan achieves both good performance and thoroughness.
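The first-phase pipeline keeps every output line that starts with a digit, so a port nmap reports as filtered would also end up in the second phase's -p list. As an added example that is not part of the original post, here is the same two-phase approach with the parser pulled into its own function that keeps only ports in the "open" state and signals an empty result; the function names extract_open_ports and nmap_full and the sample scan output are constructed for this example.

```shell
#!/usr/bin/env bash
# Added example, not the original post's code: the first-phase parser of
# nmap-full rewritten to keep only ports whose STATE column is "open",
# so filtered ports do not inflate the -p list of the second phase.
# extract_open_ports reads nmap's normal output on stdin and prints a
# comma-separated port list; it returns 1 when nothing is open.
extract_open_ports() {
    local ports
    ports=$(awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
                     sub(/\/.*/, "", $1)          # strip "/tcp"
                     printf "%s%s", sep, $1; sep = ","
                 } END { if (sep != "") print "" }')
    [ -n "$ports" ] || return 1
    printf '%s\n' "$ports"
}

# Two-phase scan built on the parser above, with the same flags as the
# post's nmap-full. Not exercised here because it needs a live target.
nmap_full() {
    local ports
    ports=$(sudo nmap -p- -T4 --min-rate=1000 "$1" | extract_open_ports) \
        || { echo "No ports open!"; return 1; }
    echo "Open ports: $ports"
    mkdir -p recon
    sudo nmap -sC -sV -oA recon/full -p "$ports" "$1"
}

# Constructed sample of first-phase output (not a real scan): three open
# ports and one filtered port that must be left out of the list.
SAMPLE_SCAN='Nmap scan report for 10.0.0.5
Host is up (0.0010s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE    SERVICE
22/tcp    open     ssh
80/tcp    open     http
443/tcp   open     https
8080/tcp  filtered http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.20 seconds'

# Constructed sample with nothing open; the parser must report failure.
SAMPLE_EMPTY='Nmap scan report for 10.0.0.6
All 65535 scanned ports on 10.0.0.6 are in ignored states.'

ports_from_sample() { printf '%s\n' "$SAMPLE_SCAN" | extract_open_ports; }
ports_from_empty() { printf '%s\n' "$SAMPLE_EMPTY" | extract_open_ports; }
```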
Conclusion
These are some of the small tricks with which I save myself from hassles and keep things organised. There is really nothing fancy here, but the "hacky" way is sometimes just that simple. If you have some real m@g1c you want to share with me, please find me on Github!