Black Hat Bash: Creative Scripting for Hackers and Pentesters

Authors: Aleks Nick, Farhi Dolev
Release date: 2025
Publisher: No Starch Press, Inc.
Pages: 346
File size: 3.1 MB
File type: PDF
Added by: codelibs

 Cover....1

 Title Page....4

 Copyright....5

 About the Authors....6

 About the Technical Reviewer....6

 Brief Contents....8

 Contents in Detail....10

 Acknowledgments ....18

 Introduction....20

 What Is in This Book....21

 The Scripting Exercises....22

 How to Use This Book....23

 1. Bash Basics....24

 Environmental Setup....25

 Accessing the Bash Shell....25

 Installing a Text Editor....25

 Exploring the Shell....26

 Checking Environment Variables....26

 Running Linux Commands....27

 Elements of a Bash Script....29

 The Shebang Line....29

 Comments....30

 Commands....31

 Execution....31

 Debugging....32

 Basic Syntax....33

 Variables....33

 Arithmetic Operators....36

 Arrays....37

 Streams....38

 Control Operators....39

 Redirection Operators....41

 Positional Arguments....43

 Input Prompting....45

 Exit Codes....46

 Exercise 1: Recording Your Name and the Date....48

 Summary....48

 2. Flow Control and Text Processing....50

 Test Operators....50

 if Conditions....52

 Linking Conditions....54

 Testing Command Success....55

 Checking Subsequent Conditions....55

 Functions....56

 Returning Values....57

 Accepting Arguments....57

 Loops and Loop Controls....58

 while....58

 until....60

 for....61

 break and continue....63

 case Statements....64

 Text Processing and Parsing....65

 Filtering with grep....65

 Filtering with awk....66

 Editing Streams with sed....67

 Job Control....68

 Managing the Background and Foreground....69

 Keeping Jobs Running After Logout....69

 Bash Customizations for Penetration Testers....70

 Placing Scripts in Searchable Paths....70

 Shortening Commands with Aliases....71

 Customizing the ~/.bashrc Profile....71

 Importing Custom Scripts....72

 Capturing Terminal Session Activity....72

 Exercise 2: Pinging a Domain....73

 Summary....73

 3. Setting Up a Hacking Lab....74

 Security Lab Precautions....75

 Installing Kali....75

 The Target Environment....77

 Installing Docker and Docker Compose....77

 Cloning the Book’s Repository....78

 Deploying Docker Containers....79

 Testing and Verifying the Containers....80

 The Network Architecture....80

 The Public Network....81

 The Corporate Network....81

 Kali Network Interfaces....81

 The Machines....82

 Managing the Lab....83

 Shutting Down....83

 Removing....83

 Rebuilding....83

 Accessing Individual Lab Machines....84

 Installing Additional Hacking Tools....84

 WhatWeb....84

 RustScan....85

 Nuclei....85

 dirsearch....86

 Linux Exploit Suggester 2....86

 Gitjacker....87

 pwncat....87

 LinEnum....88

 unix-privesc-check....89

 Assigning Aliases to Hacking Tools....89

 Summary....90

 4. Reconnaissance....92

 Creating Reusable Target Lists....93

 Consecutive IP Addresses....93

 Possible Subdomains....94

 Host Discovery....96

 ping....96

 Nmap....98

 arp-scan....98

 Exercise 3: Receiving Alerts About New Hosts....99

 Port Scanning....101

 Nmap....101

 RustScan....103

 Netcat....104

 Exercise 4: Organizing Scan Results....104

 Detecting New Open Ports....106

 Banner Grabbing....108

 Using Active Banner Grabbing....109

 Detecting HTTP Responses....110

 Using Nmap Scripts....112

 Detecting Operating Systems....113

 Analyzing Websites and JSON....115

 Summary....117

 5. Vulnerability Scanning and Fuzzing....118

 Scanning Websites with Nikto....118

 Building a Directory Indexing Scanner....120

 Identifying Suspicious robots.txt Entries....121

 Exercise 5: Exploring Non-indexed Endpoints....123

 Brute-Forcing Directories with dirsearch....123

 Exploring Git Repositories....125

 Cloning the Repository....125

 Viewing Commits with git log....125

 Filtering git log Information....126

 Inspecting Repository Files....127

 Vulnerability Scanning with Nuclei....128

 Understanding Templates....128

 Writing a Custom Template....129

 Applying the Template....130

 Running a Full Scan....130

 Exercise 6: Parsing Nuclei’s Findings....134

 Fuzzing for Hidden Files....135

 Creating a Wordlist of Possible Filenames....135

 Fuzzing with ffuf....136

 Fuzzing with Wfuzz....136

 Assessing SSH Servers with Nmap’s Scripting Engine....137

 Exercise 7: Combining Tools to Find FTP Issues....138

 Summary....139

 6. Gaining a Web Shell....140

 Arbitrary File Upload Vulnerabilities....141

 Fuzzing for Arbitrary File Uploads....142

 Bypassing File Upload Controls....144

 Uploading Files with Burp Suite....148

 Staging Web Shells....151

 Finding Directory Traversal Vulnerabilities....152

 Uploading Malicious Payloads....153

 Executing Web Shell Commands....155

 Exercise 8: Building a Web Shell Interface....156

 Limitations of Web Shells....157

 Lack of Persistence....157

 Lack of Real-Time Responses....157

 Limited Functionality....157

 OS Command Injection....158

 Exercise 9: Building a Command Injection Interface....161

 Bypassing Command Injection Restrictions....162

 Obfuscation and Encoding....162

 Globbing....163

 Summary....164

 7. Reverse Shells....166

 How Reverse Shells Work....167

 Ingress vs. Egress Controls....167

 Shell Payloads and Listeners....167

 The Communication Sequence....168

 Executing a Connection....169

 Setting Up a Netcat Listener....169

 Crafting a Payload....169

 Delivering and Initializing the Payload....170

 Executing Commands....171

 Listening with pwncat....172

 Bypassing Security Controls....173

 Encrypting and Encapsulating Traffic....174

 Alternating Between Destination Ports....175

 Spawning TTY Shells with Pseudo-terminal Devices....177

 Python’s pty Module....177

 socat....178

 Post-exploitation Binary Staging....178

 Serving Netcat....179

 Uploading Files with pwncat....180

 Downloading Binaries from Trusted Sites....180

 Exercise 10: Maintaining a Continuous Reverse Shell Connection....181

 Initial Access with Brute Force....182

 Exercise 11: Brute-Forcing an SSH Server....183

 Summary....185

 8. Local Information Gathering....186

 The Filesystem Hierarchy Standard....187

 The Shell Environment....188

 Environment Variables....188

 Sensitive Information in Bash Profiles....188

 Users and Groups....189

 Local Accounts....189

 Local Groups....190

 Home Folder Access....191

 Valid Shells....192

 Processes....193

 Viewing Process Files....193

 Running ps....195

 Examining Root Processes....196

 The Operating System....196

 Exercise 12: Writing a Linux Operating System Detection Script....197

 Login Sessions and User Activity....197

 Collecting User Sessions....197

 Investigating Executed Commands....198

 Networking....198

 Network Interfaces and Routes....199

 Connections and Neighbors....202

 Firewall Rules....203

 Network Interface Configuration Files....204

 Domain Resolvers....204

 Software Installations....205

 Storage....206

 Block Devices....207

 The Filesystem Tab File....209

 Logs....209

 System Logs....210

 Application Logs....210

 Exercise 13: Recursively Searching for Readable Logfiles....211

 Kernels and Bootloaders....211

 Configuration Files....212

 Scheduled Tasks....214

 Cron....214

 At....216

 Exercise 14: Writing a Cron Job Script to Find Credentials....217

 Hardware....217

 Virtualization....219

 Using Dedicated Tools....219

 Living Off the Land....220

 Automating Information Gathering with LinEnum....220

 Exercise 15: Adding Custom Functionality to LinEnum....221

 Summary....222

 9. Privilege Escalation....224

 What Is Privilege Escalation?....224

 Linux File and Directory Permissions....225

 Viewing Permissions....225

 Setting Permissions....226

 Creating File Access Control Lists....227

 Viewing SetUID and SetGID....228

 Setting the Sticky Bit....229

 Finding Files Based on Permissions....230

 Exploiting a SetUID Misconfiguration....231

 Scavenging for Credentials....233

 Passwords and Secrets....233

 Private Keys....235

 Exercise 16: Brute-Forcing GnuPG Key Passphrases....238

 Examining the sudo Configuration....239

 Abusing Text Editor Tricks....241

 Downloading Malicious sudoers Files....242

 Hijacking Executables via PATH Misconfigurations....243

 Exercise 17: Maliciously Modifying a Cron Job....245

 Finding Kernel Exploits....247

 SearchSploit....248

 Linux Exploit Suggester 2....248

 Attacking Adjacent Accounts....249

 Privilege Escalation with GTFOBins....251

 Exercise 18: Mapping GTFOBins Exploits to Local Binaries....252

 Automating Privilege Escalation....252

 LinEnum....252

 unix-privesc-check....253

 MimiPenguin....253

 Linuxprivchecker....254

 Bashark....254

 Summary....254

 10. Persistence....256

 The Enemies of Persistent Access....257

 Modifying Service Configurations....257

 System V....258

 systemd....260

 Hooking into Pluggable Authentication Modules....261

 Exercise 19: Coding a Malicious pam_exec Bash Script....261

 Generating Rogue SSH Keys....262

 Repurposing Default System Accounts....263

 Poisoning Bash Environment Files....264

 Exercise 20: Intercepting Data via Profile Tampering....266

 Credential Theft....268

 Hooking a Text Editor....268

 Streaming Executed Commands....270

 Forging a Not-So-Innocent sudo....272

 Exercise 21: Hijacking Password Utilities....274

 Distributing Malicious Packages....274

 Understanding DEB Packages....275

 Packaging Innocent Software....276

 Converting Package Formats with alien....277

 Exercise 22: Writing a Malicious Package Installer....277

 Summary....279

 11. Network Probing and Lateral Movement....280

 Probing the Corporate Network....281

 Service Mapping....281

 Port Frequencies....283

 Exercise 23: Scanning Ports Based on Frequencies....284

 Exploiting Cron Scripts on Shared Volumes....286

 Verifying Exploitability....287

 Checking the User Context....288

 Exercise 24: Gaining a Reverse Shell on the Backup Server....288

 Exploiting a Database Server....289

 Port Forwarding....289

 Brute-Forcing with Medusa....290

 Backdooring WordPress....291

 Running SQL Commands with Bash....293

 Exercise 25: Executing Shell Commands via WordPress....294

 Compromising a Redis Server....294

 Raw CLI Commands....295

 Metasploit....296

 Exposed Database Files....298

 Dumping Sensitive Information....300

 Uploading a Web Shell with SQL....301

 Summary....302

 12. Defense Evasion and Exfiltration....304

 Defensive Controls....304

 Endpoint Security....305

 Application and API Security....306

 Network Security....307

 Honeypots....307

 Log Collection and Aggregation....308

 Exercise 26: Auditing Hosts for Landmines....308

 Concealing Malicious Processes....309

 Library Preloading....309

 Process Hiding....311

 Process Masquerading....312

 Exercise 27: Rotating Process Names....313

 Dropping Files in Shared Memory....315

 Disabling Runtime Security Controls....315

 Manipulating History....317

 Tampering with Session Metadata....318

 Concealing Data....319

 Encoding....320

 Encryption....321

 Exercise 28: Writing Substitution Cipher Functions....322

 Exfiltration....323

 Raw TCP....323

 DNS....324

 Text Storage Sites....325

 Slack Webhooks....326

 Sharding Files....327

 Number of Lines....327

 Size....327

 Chunks....328

 Exercise 29: Sharding and Scheduling Exfiltration....328

 Summary....329

 Index....330

 Back Cover....346

In the hands of the penetration tester, bash scripting becomes a powerful offensive security tool. In Black Hat Bash, you’ll learn how to use bash to automate tasks, develop custom tools, uncover vulnerabilities, and execute advanced, living-off-the-land attacks against Linux servers. You’ll build a toolbox of bash scripts that will save you hours of manual work, and your only prerequisite is basic familiarity with the Linux operating system. You’ll learn the basics of bash syntax, then set up a Kali Linux lab to apply your skills across each stage of a penetration test—from initial access to data exfiltration. Along the way, you’ll learn how to perform OS command injection, access remote machines, gather information stealthily, and navigate restricted networks to find the crown jewels. Hands-on exercises throughout will have you applying your newfound skills.

Key topics covered include:

  • Bash scripting essentials: Control structures, functions, loops, and text manipulation with grep, awk, and sed.
  • How to set up your lab: Create a hacking environment with Kali and Docker and install additional tools.
  • Reconnaissance and vulnerability scanning: Learn how to perform host discovery, fuzzing, and port scanning using tools like Wfuzz, Nmap, and Nuclei.
  • Exploitation and privilege escalation: Establish web and reverse shells, and maintain continuous access.
  • Defense evasion and lateral movement: Audit hosts for landmines, avoid detection, and move through networks to uncover additional targets.

Whether you’re a pentester, a bug bounty hunter, or a student entering the cybersecurity field, Black Hat Bash will teach you how to automate, customize, and optimize your offensive security strategies quickly and efficiently, with no true sorcery required.
