How to Automate Reconnaissance with Bash and Python

Reconnaissance is a critical phase in cybersecurity and bug bounty hunting. By automating repetitive tasks, you can save time and focus on identifying vulnerabilities. In this guide, we’ll show you how to automate reconnaissance using Bash and Python scripts, enabling you to collect, organize, and analyze data more efficiently.


Why Automate Reconnaissance?

  1. Efficiency: Speed up repetitive tasks like subdomain enumeration, port scanning, or HTTP probing.
  2. Consistency: Reduce errors caused by manual steps.
  3. Focus: Free up time for deeper analysis of critical findings.

Step 1: Setting Up Your Environment

Before diving into scripting, ensure you have the necessary tools installed:

  • Linux/Unix environment: Bash comes pre-installed.
  • Python 3: Install it via your package manager (e.g., sudo apt install python3).
  • Recon tools: Tools like nmap, amass, subfinder, and httpx. Install them using apt or download them from GitHub.

Step 2: Bash Script for Reconnaissance

Let’s start with a Bash script to automate subdomain enumeration, HTTP probing, and port scanning.

Bash Script Example

#!/bin/bash
set -euo pipefail

# Input target domain (required; abort with a usage message if missing)
DOMAIN="${1:?Usage: $0 <domain>}"

# Create output directory
OUTPUT_DIR="recon_results/$DOMAIN"
mkdir -p "$OUTPUT_DIR"

# Subdomain enumeration
echo "[+] Enumerating subdomains..."
subfinder -d "$DOMAIN" -silent -o "$OUTPUT_DIR/subdomains.txt"

# HTTP probing (httpx writes full URLs such as https://host to the output file)
echo "[+] Probing HTTP servers..."
httpx -l "$OUTPUT_DIR/subdomains.txt" -silent -o "$OUTPUT_DIR/http_servers.txt"

# Port scanning: nmap expects bare hostnames, so strip scheme, port and path from the URLs first
echo "[+] Scanning open ports..."
sed -E 's#^https?://##; s#[:/].*$##' "$OUTPUT_DIR/http_servers.txt" | sort -u > "$OUTPUT_DIR/live_hosts.txt"
nmap -iL "$OUTPUT_DIR/live_hosts.txt" -oN "$OUTPUT_DIR/nmap_scan.txt"

echo "[+] Reconnaissance completed! Results saved in $OUTPUT_DIR"

How to Run

  1. Save the script as recon.sh.
  2. Make it executable: chmod +x recon.sh.
  3. Run the script: ./recon.sh example.com.

Step 3: Python Script for Data Analysis

Python is perfect for parsing and analyzing the data collected during reconnaissance. Below is a script to extract and analyze HTTP status codes.

Python Script Example

import argparse
import requests
from concurrent.futures import ThreadPoolExecutor

# Read targets from file, skipping blank lines
def read_subdomains(file_path):
    with open(file_path, 'r') as file:
        return [line.strip() for line in file if line.strip()]

# Check HTTP status codes. httpx writes full URLs (https://host), so only
# prepend a scheme when the entry is a bare hostname.
def check_status(subdomain):
    url = subdomain if subdomain.startswith(("http://", "https://")) else f"http://{subdomain}"
    try:
        response = requests.get(url, timeout=5)
        return subdomain, response.status_code
    except requests.exceptions.RequestException:
        return subdomain, None

# Main function: paths default to the example.com results so the script still
# runs without arguments, but can be pointed at any recon_results directory
def main():
    parser = argparse.ArgumentParser(description="Collect HTTP status codes for probed hosts")
    parser.add_argument("-i", "--input", default="recon_results/example.com/http_servers.txt")
    parser.add_argument("-o", "--output", default="recon_results/example.com/status_codes.txt")
    parser.add_argument("-w", "--workers", type=int, default=10)
    args = parser.parse_args()

    subdomains = read_subdomains(args.input)

    # executor.map preserves input order and returns each (subdomain, status) pair
    with ThreadPoolExecutor(max_workers=args.workers) as executor:
        results = list(executor.map(check_status, subdomains))

    # Save results to file
    with open(args.output, 'w') as file:
        for subdomain, status in results:
            file.write(f"{subdomain}: {status}\n")

    print("[+] HTTP status codes saved to", args.output)

if __name__ == "__main__":
    main()

How to Run

  1. Install requests: pip install requests.
  2. Save the script as analyze_status.py.
  3. Run the script: python3 analyze_status.py.
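
The same approach applies to the other file recon.sh produces. As an added example (not part of the original guide), this parser reads nmap's -oN "normal" output from nmap_scan.txt, collects the open ports per host, and flags any probed HTTP host that exposes something beyond the expected web ports. The sample scan text is constructed, with hostnames and addresses made up.

```python
import re

# Constructed sample of the nmap -oN output that recon.sh writes to nmap_scan.txt (made-up hosts).
SAMPLE_NMAP_SCAN = """\
# Nmap 7.94 scan initiated Tue Jan  1 02:00:00 2024 as: nmap -iL live_hosts.txt -oN nmap_scan.txt
Nmap scan report for www.example.com (192.0.2.5)
Host is up (0.012s latency).
PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap scan report for dev.example.com (192.0.2.10)
Host is up (0.020s latency).
PORT     STATE    SERVICE
22/tcp   open     ssh
443/tcp  open     https
3306/tcp filtered mysql

Nmap scan report for 192.0.2.11
Host is down.
"""

# "Nmap scan report for name (ip)" or, when nmap was given an address, just "Nmap scan report for ip"
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
# "443/tcp  open  https" -> port, protocol, state, service
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_nmap_normal(text):
    """Return {host: {"ip": str, "up": bool, "open": [(port, proto, service), ...]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            name, ip = m.group(1), m.group(2) or m.group(1)
            current = hosts.setdefault(name, {"ip": ip, "up": True, "open": []})
        elif current is not None and line.startswith("Host is down"):
            current["up"] = False
        elif current is not None and (m := PORT_RE.match(line)) and m.group(3) == "open":
            current["open"].append((int(m.group(1)), m.group(2), m.group(4)))
    return hosts

def unexpected_exposure(hosts, expected=(80, 443)):
    """Hosts from the HTTP-probe list that also expose ports outside the expected web ports."""
    return {h: [p for p in d["open"] if p[0] not in expected]
            for h, d in hosts.items() if d["up"] and any(p[0] not in expected for p in d["open"])}

if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_NMAP_SCAN)
    for host, extra in unexpected_exposure(scan).items():
        print(f"[!] {host} ({scan[host]['ip']}) also exposes: {extra}")
```

Replace SAMPLE_NMAP_SCAN with the contents of recon_results/<domain>/nmap_scan.txt to run it on real output; the same regexes cover both the name-and-address and address-only report headers.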

Step 4: Combining Bash and Python

Integrate both scripts by calling the Python script at the end of the Bash script:

echo "[+] Analyzing HTTP status codes..."
python3 analyze_status.py

Step 5: Automating with Cron Jobs

Set up a cron job to run your reconnaissance scripts regularly:

  1. Open the cron editor: crontab -e.
  2. Add a cron job that runs the script every day at 02:00. Cron starts with a minimal environment, so keep the absolute path to the script and make sure subfinder, httpx, nmap and python3 are on the PATH it sees (for example by setting PATH at the top of recon.sh):
0 2 * * * /path/to/recon.sh example.com

Key Tools for Reconnaissance

  • Subfinder: Fast subdomain enumeration.
  • Amass: Comprehensive subdomain discovery.
  • HTTPx: HTTP probing for live hosts.
  • Nmap: Network scanning.
  • Python libraries: requests, argparse, concurrent.futures.

Conclusion

Automating reconnaissance with Bash and Python can significantly streamline your workflow. Start with basic scripts and expand them as you encounter new challenges. With time, you’ll have a powerful, customized toolkit for bug bounty hunting or penetration testing.
