BASH for Pentesters – extra information for our students

Henry Dalziel | Concise Courses | February 28, 2014

This post refers to our BASH for Pentesters class, which last took place on February 15th. This course is a three-hour live interactive course which contains the following modules:

  • Learn how to create files and directories using BASH
  • Learn how to get inside the command line environment
  • Learn the commands available to you in the BASH shell
  • Learn how to manipulate the output of penetration testing tools
  • Learn how to combine commands
  • Take complicated commands and “script” them into a file
  • Learn programming fundamentals (like for loops)
  • Overview of the *Nix philosophy

More information on this three-hour live BASH course

The following is written by our BASH instructor Lisha Sterling:

When we ended our class on Saturday, we only just barely touched on scripting. I told you that you could basically take any group of commands that you ran on the command line and save them to a file to make a script, and I hinted very quickly at the fact that there are control structures such as for loops, if/else clauses and while loops.

The best way to learn more about all of those is either to read the BASH Reference Manual or to get the O'Reilly book Learning the bash Shell. I'd like to give you a little bit more of a headstart before I send you on your merry way, however.

First off, let’s look at fc again. fc is super useful for turning a bunch of commands you’ve been experimenting with into a script.

fc -l
is useful to help you figure out which lines you want to snag and put into your script. With no arguments it lists the previous 16 commands you typed along with their history numbers (the same numbers the history command shows; they are not line numbers in .bash_history, which bash only writes out when the shell exits).

But, let’s say that the really cool stuff you did was a few lines before what you see when you type that. You can go back further, or print out exactly the lines you want.

fc -l 1300
will print out every command from history number 1300 up to the most recent one.

fc -l 1300 1320
will print out the commands starting with history number 1300 and finishing with number 1320, inclusive.

Once you’ve figured out which lines you want to put into your script, you can have them open up in your favorite editor like this:

fc -ln 1310 1315 > <filename> && emacs <filename>
Replace <filename> with the name of the script you want to create. Notice the -n. That's so that it doesn't print the history numbers, since you won't want those in your script. Of course, you can change emacs to nano or vi or whatever other editor you like. Two things to watch for: fc -ln indents every command with a leading tab, so you will probably want to delete those in the editor, and fc without -l does something different: it opens the range in your editor ($FCEDIT or $EDITOR) and then runs the edited commands as soon as you close the editor. Keep the -l until you actually mean to re-execute.
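Because the redirect-then-edit step is fiddly (shebang, leading tabs, error handling), here is a small helper that does the bookkeeping. This is an added example for this post, not class material, and it assumes you pipe the output of fc -ln into it; the shell options it writes into the header are my choice, not something fc does for you.

```bash
#!/bin/bash
# make_script: turn the command lines on stdin (normally the output of
# "fc -ln FIRST LAST") into an executable script with a header.
# Added example for this post, not part of the class material.
# Usage:  fc -ln 1310 1315 | make_script myscript.sh && emacs myscript.sh
make_script() {
    local out=$1
    {
        printf '#!/bin/bash\n'
        # set -e stops at the first failing command, -u rejects unset variables,
        # pipefail makes a pipeline fail when any stage fails. An interactive
        # session did none of that, so re-read the commands with this in mind.
        printf 'set -euo pipefail\n\n'
        # fc -ln prints every command with a leading tab; drop that, and drop
        # empty lines, so the script looks like something you typed on purpose.
        sed -e 's/^[[:space:]]*//' -e '/^$/d'
    } > "$out"
    chmod u+x "$out"
    printf '%s\n' "$out"
}
```

The header is the part worth thinking about: a one-off command that failed harmlessly in your terminal will now abort the whole script, which is usually what you want when the next line would have run against the result.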

Cats, Cars, Cages

Remember when I showed you brace expansion and then totally couldn’t think on my feet to give you 20 cats, 20 cars, 20 cages? Let’s look at that again now.

First off, I was trying to show you how brace expansion can be used with text.

echo ca{t,r,ge}s
gives you "cats cars cages" because BASH puts each of the options inside the braces into an instance of the word. If we want to put something else with each of those words, though, we're going to have to use a control structure to do it.

for cas in ca{t,r,ge}s; do echo $(( 4*5 )) "$cas"; done

You can do more useful things with brace expansion, though, like iterate over a bunch of numbers like this:
for i in {1..10}; do echo user$i; done

Let's say that you needed leading 0's in your usernames, though. You could get that with printf instead of echo. The * in %0*d means "take the field width from the next argument", so the 3 here gives user001, user002 and so on:
for i in {1..10}; do printf "user%0*d\n" 3 $i; done

Another useful expansion to know about is command substitution. Sometimes you want to use the output of a command as data, as an argument or as the value of a variable, rather than just sending it down a pipe. For this you can use either dollar sign and parentheses, $(), or backticks, `...`. Prefer the $() form: it nests cleanly and is easier to read.
echo $(date)
is the same as
echo `date`
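The three ideas above (brace expansion, printf padding and command substitution) come together when you build input lists for a scan. The following is an added example, not part of the original post; the 10.0.0 network, the user/admin prefixes and the file names are made up. It also covers one trap the class didn't get to: brace expansion happens before variables are expanded, so {1..$n} does not do what you expect.

```bash
#!/bin/bash
# gen_targets.sh: brace expansion, printf padding and command substitution
# used to build scan targets and username lists. Added example, not part of
# the original post; the network and prefixes are made up.

# Brace expansion runs before parameter expansion, so {1..$last} is left as
# the literal text "{1..$last}". When the bounds come from variables, use a
# C-style for loop (or seq).
gen_users() {                          # gen_users PREFIX WIDTH FIRST LAST
    local prefix=$1 width=$2 first=$3 last=$4 i
    for ((i = first; i <= last; i++)); do
        # %0*d: zero-padded, width taken from the next argument
        printf '%s%0*d\n' "$prefix" "$width" "$i"
    done
}

# Fixed bounds can use brace expansion directly.
gen_hosts() {                          # gen_hosts 10.0.0 -> 10.0.0.1 ... 10.0.0.254
    local net=$1 n
    for n in {1..254}; do
        printf '%s.%d\n' "$net" "$n"
    done
}

# Command substitution: use a command's output as data rather than piping it.
# Here it builds a date-stamped file name and counts what was written.
write_targets() {                      # write_targets NET OUTDIR -> "FILE COUNT"
    local net=$1 outdir=$2
    local file="$outdir/targets-$(date +%F).txt"
    mkdir -p "$outdir"
    gen_hosts "$net" > "$file"
    printf '%s %s\n' "$file" "$(grep -c '' "$file")"
}

# The class example without a loop: printf re-uses its format for every
# leftover argument, so the brace expansion alone produces all three lines.
printf "$(( 4*5 )) %s\n" ca{t,r,ge}s   # 20 cats / 20 cars / 20 cages
```

A usage like write_targets 10.0.0 /tmp/scan gives you a file of 254 addresses you can hand to nmap -iL, and gen_users user 3 1 999 is the same list Example 3 below creates accounts for.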

The other control structures in BASH are case, if/else, while, until, and select. Use the help command (help case, help while, and so on) to learn more about each of these.
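Here is what while, case and if look like doing real pentest work: pulling the open ports out of nmap's greppable (-oG) output, which is exactly the "manipulate the output of penetration testing tools" module. This is an added example, not from the original post. The scan text in sample_gnmap is constructed by hand to look like nmap 6.x output (tab-separated fields, port entries of the form port/state/proto/owner/service/rpc/version/); it is not a real scan.

```bash
#!/bin/bash
# open_ports.sh: pull the open ports out of nmap "greppable" (-oG) output using
# while, case and if. Added example, not from the post. Usage:
#     nmap -sV -oG - 10.0.0.0/29 | open_ports
# The sample below is constructed by hand, not real scan output.

open_ports() {                   # stdin: -oG text  ->  stdout: "host port/proto service"
    local line host field entry port state proto owner service rest
    local -a entries
    while IFS= read -r line; do
        case "$line" in
            'Host: '*'Ports: '*) ;;          # only host lines that carry a port list
            *) continue ;;                   # comments, "Status: Up" lines, anything else
        esac
        host=${line#Host: }; host=${host%% *}           # second word of the line
        field=${line#*Ports: }; field=${field%%$'\t'*} # the Ports: field ends at a tab
        # entries look like port/state/proto/owner/service/rpc/version/ and are
        # separated by ", "; split on the comma only, because version strings
        # contain spaces
        IFS=',' read -r -a entries <<< "$field"
        for entry in "${entries[@]}"; do
            entry=${entry# }                             # drop the space after the comma
            IFS='/' read -r port state proto owner service rest <<< "$entry"
            if [ "$state" = open ]; then
                printf '%s %s/%s %s\n' "$host" "$port" "$proto" "${service:-unknown}"
            fi
        done
    done
}

sample_gnmap() {                 # constructed sample; tabs matter, hence printf
    printf '%s\n' '# Nmap 6.40 scan initiated as: nmap -sV -oG - 10.0.0.0/29'
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.6/, 80/open/tcp//http//Apache httpd 2.4/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (998)\n'
    printf '%s\n' '# Nmap done -- 8 IP addresses (2 hosts up)'
}

sample_gnmap | open_ports
```

Note the two read tricks: IFS= read -r keeps each line intact (no trimming, no backslash processing), and setting IFS just for one read call lets you split on a comma or a slash without changing how the rest of the script splits words.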

More about help

The help command turns out to be incredibly useful in BASH. If you are following me on Twitter you might have noticed me squeeing over the usefulness of bash help. I can’t believe I never learned about it before! The bash help command won’t give you information about commands that aren’t directly part of bash, but it will give you lots of information about commands and structures in bash scripting.

help printf
will help you understand why I used printf above instead of echo, and all the ways that you could take advantage of that command.

If you followed my suggestion to read the scripts that are already on your machine in the form of .bashrc and .bash_profile files, you probably found a lot of commands you didn’t know. Now you can use help to understand how those commands work.

help alias

Some script examples

I've included a few examples in script form that you can download, run and experiment with. Take a look at how they differ from when you type a whole script on a single line. Remember that each line in the script is like a single line on the command line: a newline ends a command the same way a semicolon does, so if you wouldn't have to put a semicolon or ampersand at the end directly on the command line, you don't need to do it in your script, either. Also note that the indentation is not necessary, but it does make reading the code a whole lot easier!

Example 1


#!/bin/bash
# findPosStego: run a steganography check on every file in the current directory.
# Loop over a glob rather than $(ls): $(ls) word-splits names that contain spaces.
for filename in *
do
    case "$filename" in
        # if it's a jpeg, use stegdetect
        *.jpg ) stegdetect "$filename" ;;

        # obviously, all gifs are sent by the evil Internet cats
        *.gif ) echo "There are cats in here!" ;;

        * ) echo "findPosStego: I don't know how to test $filename for steganography."
            exit 1 ;;
    esac
done

Example 2


for cas in ca{t,r,ge}s
do
    echo $(( 4*5 )) "$cas"
done

Example 3


#!/bin/bash
# Bulk account creation. useradd and passwd need root, so check that first.
if [ "$(id -u)" -ne 0 ]; then
    echo "this script must be run as root" >&2
    exit 1
fi

# here we choose how many digits to pad (3 is enough for 999 accounts)
padtowidth=3

# now we give the smallest and largest number
# if you only have 300 accounts to create
# change 999 to 300.
for i in {1..999}
do
    # to make things easy, we're gonna put the
    # username and password into variables
    # you can do this without them,
    # but then it's ickier to write, and harder to read/understand
    user=$(printf "user%0*d" "$padtowidth" "$i")
    password=$(printf "password%0*d" "$padtowidth" "$i")
    # NOTE: predictable passwords like these are only acceptable for throwaway lab accounts.

    # now add the user
    useradd "$user"
    # now give the user a password (passwd asks for it twice, hence the \n).
    # If your passwd insists on a terminal, use:  echo "$user:$password" | chpasswd
    echo -e "${password}\n${password}" | passwd "$user"
done
