
10.1.0.3

--snip--

Listing 4-3

Generating a list of IP addresses with echo and sed

The printf and Brace Expansion Approach

Alternatively, you can use the printf command to generate the same list. Using printf won't require piping to sed, and it produces cleaner output (Listing 4-4).

$ printf "10.1.0.%d\n" {1..254}

Listing 4-4

Generating a list of IP addresses with printf

The %d is an integer placeholder. printf reuses its format string once for every argument it receives, so each number produced by the brace expansion {1..254} is swapped into %d in turn, producing a list of IP addresses from 10.1.0.1 to 10.1.0.254. Using this list is then just a matter of redirecting the output to a new file and passing that file to another tool as its input file.
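The following is an added example, not code from the book, that wraps the printf approach of Listing 4-4 in reusable functions and writes the result to a file for use as an input list. The function names, the hosts.txt filename and the sample prefixes are illustrative assumptions. It also shows the one gotcha a practitioner runs into with this technique: brace expansion happens before variable expansion, so {$start..$end} never works, and a variable range needs seq instead.

```shell
#!/usr/bin/env bash
# Added example (not from the book): build IP target lists with printf.
# The prefix is embedded in the format string, exactly as in Listing 4-4,
# so that printf consumes one host number per repetition of the format.

# Fixed /24: brace expansion supplies the 254 host numbers.
# {1..254} must be a literal; bash expands braces before variables,
# so {$start..$end} would be passed through unexpanded.
gen_c_class() {
    local prefix="$1"                 # e.g. 10.1.0 (assumed sample prefix)
    printf "${prefix}.%d\n" {1..254}
}

# Variable range: when the bounds come from arguments, use seq to
# generate the numbers instead of brace expansion.
gen_range() {
    local prefix="$1" start="$2" end="$3"
    printf "${prefix}.%d\n" $(seq "$start" "$end")
}

# Write a list to a file and print the line count, so the caller can
# confirm the file holds the expected number of targets before feeding
# it to a scanner (for example, as an nmap -iL input file).
write_list() {
    local prefix="$1" start="$2" end="$3" out="$4"
    gen_range "$prefix" "$start" "$end" > "$out"
    wc -l < "$out" | tr -d ' '
}

# Usage (hosts.txt is an assumed output filename):
#   write_list 10.1.0 1 254 hosts.txt
#   head -n 3 hosts.txt
```

The format string carries the prefix rather than passing it as a separate argument: with a format like '%s.%d\n' and a single prefix argument, printf would pair the prefix with the first number and then pair the remaining numbers with each other, producing garbage such as 2.3.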

Compiling a List of Possible Subdomains

Say you're performing a penetration test against a company with the parent domain example.com. In this engagement, you're not restricted to any specific IP address or domain name, which means that any asset you find on this parent domain during the information-gathering stage is considered in scope.

Companies tend to host their services and applications on dedicated subdomains. These subdomains can be anything, but more often than not, companies use names that make sense to humans and are easy to enter into a web browser. For example, you might find the helpdesk portal at helpdesk.example.com, a monitoring system at monitoring.example.com, the continuous integration system at jenkins.example.com, the email server at mail.example.com, and the file transfer server at ftp.example.com.
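As an added example (not the book's code), here is one way to turn a wordlist of common names like those above into a candidate list of fully qualified subdomains for example.com. The wordlist is constructed inline and stands in for a real one such as the amass lists shipped with Kali; the function names and the subs.txt filename are assumptions. Real wordlists contain mixed case, blank lines, stray whitespace and duplicates, so the pipeline normalizes and de-duplicates before appending the parent domain.

```shell
#!/usr/bin/env bash
# Added example (not from the book): build a candidate subdomain list
# for a parent domain from a wordlist, one FQDN per line.

# Constructed sample wordlist standing in for a real file such as
# /usr/share/wordlists/amass/subdomains-top1mil-110000.txt. It deliberately
# includes mixed case, an empty line, padding and a duplicate.
sample_wordlist() {
    printf '%s\n' helpdesk Monitoring jenkins mail ftp '' ' vpn ' 'www.' helpdesk
}

# Read words from stdin and emit word.parent, after:
#   - lowercasing (DNS is case-insensitive, so this collapses duplicates)
#   - trimming surrounding whitespace and dots
#   - dropping empty lines and labels with characters invalid in a hostname
#   - de-duplicating while preserving the wordlist's order
make_subdomains() {
    local parent="$1"
    tr 'A-Z' 'a-z' \
      | sed -e 's/^[[:space:].]*//' -e 's/[[:space:].]*$//' \
      | grep -E '^[a-z0-9]([a-z0-9-]*[a-z0-9])?$' \
      | awk -v p="$parent" '!seen[$0]++ { print $0 "." p }'
}

# Write the list to a file and print how many candidates it holds,
# so the caller can sanity-check the size before resolving them.
write_subdomains() {
    local parent="$1" out="$2"
    make_subdomains "$parent" > "$out"
    wc -l < "$out" | tr -d ' '
}

# Usage (subs.txt is an assumed output filename):
#   sample_wordlist | make_subdomains example.com
#   make_subdomains example.com < /usr/share/wordlists/amass/subdomains-top1mil-110000.txt > subs.txt
#   sample_wordlist | write_subdomains example.com subs.txt
```

The grep filter is intentionally strict: anything that is not a valid DNS label is discarded rather than sent to a resolver, which keeps the later brute-forcing step from wasting queries on junk lines.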

How can we generate a list of possible subdomains for our

target? Bash makes this very easy. First, we’ll need a list of common

subdomains. You can find such a list built into Kali at

/usr/share/wordlists/amass/subdomains-top1mil-110000.txt or

/usr/share/wordlists/amass/bitquark_subdomains_top100K.txt. To

look for wordlists on the internet, you could use the following

Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks