Penetration Test

Using scripting in pen testing

SCRIPTING FOR PENETRATION TESTING

• Why bother with scripts?
  • Automate mundane/repetitive tasks
  • Faster
  • Less error prone
  • Repeatable
• What is a script?
  • Interpreted sequence of commands
  • Written in a specific language with its own sytax
  • Easy to code
  • Not compiled or assembled

COMMON SCRIPTING LANGUAGES

• Bash - Bourne Again Shell
  • Command shell for most Linux/MAC OS systems
  • Freely available version of the UNIX Bourne shell(sh)
• PowerShell - Windows-based admin and automation shell
  • Available in Windows since 2006
  • Powerful scripting language
• Ruby - object-oriented high-level interpreted general purpose programming language
  • Influenced by Perl, Smalltalk, Ada, Lisp
• Python - object-oriented high-level interpreted general purpose programming language
  • Extensive available libraries

ADDITIONAL RESCOURCES

• Bash
  • Curated list - https://github.com/awesome-lists/awesome-bash
  • https://www.commonexploits.com/penetration-testing-scripts/
  • https://github.com/averagesecurityguy/scripts
  • https://github.com/bitvijays/Pentest-Scripts
• PowerShell
  • https://www.businessnewsdaily.com/10760-best-free-powershell-training-resources.html
• Ruby
  • http://www.ruby-lang.org/en/
  • https://hackr.io/tutorials/learn-ruby
  • http://ruby-for-beginners.rubymonstas.org/index.html
• Python
  • https://learnpythonthehardway.org/
  • https://www.oreilly.com/search/?query=python&extended_publisher_data=true&highlight=true&include_assessments=false&include_case_studies=true&include_courses=true&include_playlists=true&include_collections=true&include_notebooks=true&is_academic_institution_account=false&source=user&sort=relevance&facet_json=true&page=0&include_facets=false&include_scenarios=true&include_sandboxes=true&json_facets=true

SCRIPTING

• Variables
  • Temporary data storage
• Substitutions
  • Input parameters and environment variables
• Common operations
  • Strings and comparisons
• Logic
  • Looping and flow control
• Basic I/O
  • Read input and write output(file, terminal, and network)
• Error handling
  • When things don't work
• Arrays
  • Simple data structure
• Encoding/decoding
  • Handling special characters

QUICK REVIEW

• Scripts help automate repetitive actions
• Scripts are good for standardizing testing activities
• Scripts also reduce typing errors and make tests repeatable, as well as help in documenting test activities