
The first argument is the parent domain and the second is the path to the file containing all possible subdomains.

The sed Approach

We can use sed to write content to the end of each line in a file. In Listing 4-6, the command uses the $ sign to find the end of a line, then replaces it with the target domain prefixed with a dot (.example.com) to complete the domain name.

$ sed 's/$/.example.com/g' subdomains-1000.txt
relay.example.com
files.example.com
newsletter.example.com

Listing 4-6: Generating a list of subdomains using sed

The s at the beginning of the argument to sed stands for substitute, and g means that sed will replace all matches in the file, not just the first match. So, in simple words, we substitute the end of each line in the file with .example.com. If you save this code to a script, the output should look the same as in the previous example.
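The following script wraps the sed substitution from Listing 4-6 in a function that takes the parent domain and the wordlist path as arguments. It is an added example, not code from the book, and it assumes the function name gen_subdomains; it also handles two things the one-liner does not: blank lines or Windows line endings in the wordlist (which would otherwise yield entries such as "relay\r.example.com"), and a parent domain containing characters that sed would treat specially in the replacement (/, & or \).

```shell
#!/usr/bin/env bash
# Added example (not from the book): generate candidate FQDNs from a
# wordlist with sed, taking the parent domain from the first argument.
# Usage: gen_subdomains <parent-domain> <wordlist-file>

gen_subdomains() {
    parent="$1"
    wordlist="$2"

    if [ -z "$parent" ] || [ -z "$wordlist" ]; then
        echo "usage: gen_subdomains <parent-domain> <wordlist>" >&2
        return 1
    fi
    if [ ! -r "$wordlist" ]; then
        echo "error: cannot read wordlist '$wordlist'" >&2
        return 1
    fi
    # Only letters, digits, dots and hyphens are valid in a hostname; this
    # also keeps sed replacement metacharacters (/ & \) out of the script.
    case "$parent" in
        *[!A-Za-z0-9.-]*)
            echo "error: invalid characters in parent domain '$parent'" >&2
            return 1 ;;
    esac

    # 1. strip trailing whitespace, which includes a \r from CRLF files
    # 2. drop lines that are now empty, so no bare ".example.com" is emitted
    # 3. replace the end of line ($) with the dotted parent domain;
    #    no g flag is needed because $ matches once per line
    sed -e 's/[[:space:]]*$//' \
        -e '/^$/d' \
        -e "s/\$/.${parent}/" "$wordlist"
}

# Stand-alone demo using a constructed wordlist with mixed line endings
demo_list=$(mktemp)
printf 'relay\nfiles\r\n\nnewsletter\n' > "$demo_list"
gen_subdomains example.com "$demo_list"
rm -f "$demo_list"
```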

Host Discovery

When testing a range of addresses, one of the first things you'll likely want to do is find out information about them. Do they have any open ports? What services are behind those ports, and are they vulnerable to any security flaws? It's possible to answer these questions manually, but this can be challenging if you need to do it against hundreds or thousands of hosts. Let's use bash to automate network enumeration tasks.

One way to identify live hosts is to send them network packets and wait for them to return responses. In this section, we'll use bash and additional network utilities to perform host discovery.

ping

In its most basic form, the ping command takes one argument: a target IP address or domain name. Run the following command to see its output:

$ ping 172.16.10.10

Black Hat Bash (Early Access) © 2023 by Dolev Farhi and Nick Aleks