Old 07-09-2019, 05:52 PM   #1
Scrag
Member
 
Registered: Mar 2004
Location: Wisconsin
Distribution: Kali Linux
Posts: 131

Rep: Reputation: 15
Problems with Bash Script


I am pretty new to bash scripting and I am having some problems with the bash script I am trying to create. What it does is it reads in a text file list of sub-domains, then it uses the host command to determine if the sub-domain exists, and prints the domain and IP if it does. Then lastly it runs a masscan on the IP and prints the ports it found.

1.) First problem is this:

Example Output from host command:

root@xss:~# host mail.ru
mail.ru has address 94.100.180.202
mail.ru has address 217.69.139.202
mail.ru has address 94.100.180.200
mail.ru has address 217.69.139.200
mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1
mail.ru mail is handled by 10 mxs.mail.ru.

If the host command returns more than one IP address, like in the example above, my script only takes the first IP address then ignores the rest. I'd like it to print out all the IP addresses associated with the domain, then scan them.

2.) The second problem is that the masscan results print on the page. I'd like it to only list the open ports it finds. It currently does this, but it prints it after all the masscan info that I'd like to omit.

I know it's a lot of loaded questions, but I'd really appreciate any help.

Below is the script I'm working on.

Code:
#!/bin/bash
# Usage: ./subsearch.sh <Sub Domain List> <Domain>
# Example: ./subsearch.sh sublist yahoo.com


GREEN='\033[0;32m'              #Setup green color to be used in echo commands
NC='\033[0m'                    #This changes color back to normal or no color
RED='\033[0;31m'                #Setup red color to be used in echo statements

for sub in $(cat $1);do {       #Read list of sub-domains from file and determine the IP from host command
        OUTPUT=`host $sub.$2`   #Set output of host command into OUTPUT variable
        DOMAIN=`echo $OUTPUT |cut -d" " -f1`    #Echo domain name into DOMAIN variable
        IP=`echo $OUTPUT |cut -d" " -f4`        #Echo IP address into IP variable
        echo -e "${GREEN}Domain: "$DOMAIN       #Print Domain name
        echo -e "IP:     "$IP                   #Print IP address
        echo -e "${NC}"                                 #Change color back to normal
        SCAN=`masscan $IP -p0-65535 --rate 10000`       #Masscan the IP address
        echo -e $SCAN |cut -d" " -f4                    #Print out discovered open ports
      }
done

Last edited by Scrag; 07-09-2019 at 06:00 PM.
 
Old 07-09-2019, 06:01 PM   #2
Scrag
Member
 
Registered: Mar 2004
Location: Wisconsin
Distribution: Kali Linux
Posts: 131

Original Poster
Rep: Reputation: 15
Cool

PS..I've attached an output of the current script if that helps.

Thanks again.
 
Old 07-09-2019, 07:40 PM   #3
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

Rep: Reputation: 2242
Just playing around with it for a minute. This might give you an idea.
using mail

Code:
#!/bin/bash
# Usage: ./subsearch.sh <Sub Domain List> <Domain>
# Example: ./subsearch.sh sublist yahoo.com

#  host mail.ru


GREEN='\033[0;32m'              #Setup green color to be used in echo commands
NC='\033[0m'                    #This changes color back to normal or no color
RED='\033[0;31m'                #Setup red color to be used in echo statements

IP=()                           #Array holding every IPv4 address host returns
SCAN=()                         #Array holding masscan output, one element per IP
for sub in $(cat "$1");
do {       #Read list of sub-domains from file and determine the IP from host command
	addme=$(host "$sub".$2)
	
	echo "$addme"
	echo;echo
	#Append every IPv4 address found in the host output to the IP array, one element each
	#(the parentheses matter: without them += concatenates strings instead of adding elements)
	IP+=( $(echo "$addme" | egrep -o '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}') )
	#OUTPUT+=($addme)   #Set output of host command into OUTPUT variable
}
done
 
 #loop populated array to use its contents. 
g=0
for i in "${IP[@]}"
do
	echo "IP[$g]= $i"
	 #SCAN=`masscan $IP -p0-65535 --rate 10000` 
	SCAN+=( "$(sudo  masscan "$i" -p0-65535 --rate 10000)" )   #Keep each scan's output as one element
	echo
	((g++))
done

for d in "${SCAN[@]}"
do
	echo
	echo "$d"
	echo
done
Code:
userx@slack.it.netters:~
$ domains bin/subdomains ru
mail.ru has address 217.69.139.202 mail.ru has address 94.100.180.200 mail.ru has address 94.100.180.202 mail.ru has address 217.69.139.200 mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1 mail.ru mail is handled by 10 mxs.mail.ru.


IP[0]= 217.69.139.202

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-07-10 02:09:31 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
                                                                             
IP[1]= 94.100.180.200

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-07-10 02:09:53 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
                                                                             
IP[2]= 94.100.180.202

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-07-10 02:10:14 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
                                                                             
IP[3]= 217.69.139.200

Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-07-10 02:10:34 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [65536 ports/host]
                                                                             

Discovered


open


port


443/tcp


on


94.100.180.200


Discovered


open


port


80/tcp


on


94.100.180.202


Discovered


open


port


443/tcp


on


217.69.139.200

Last edited by BW-userx; 07-09-2019 at 09:12 PM.
 
1 members found this post helpful.
Old 07-09-2019, 10:49 PM   #4
individual
Member
 
Registered: Jul 2018
Posts: 315
Blog Entries: 1

Rep: Reputation: 233
Here's a slightly different way of doing it, keeping in line with what you currently have.
Code:
#!/bin/bash

GREEN='\033[0;32m'              #Setup green color to be used in echo commands
NC='\033[0m'                    #This changes color back to normal or no color
RED='\033[0;31m'                #Setup red color to be used in echo statements

subdomain_file=$1
hostname=$2

# Exit with an error status unless the file of subdomains exists.
[[ -e "$subdomain_file" ]] || exit 1

# For each subdomain in the file, try to resolve $sub.$hostname.
# If it's successful, grep will match all IPv4 addresses and send them to the scanning loop.
while read -r sub; do
    while read -r resolved_host; do
        if [[ "$resolved_host" = *"has address"* ]]; then
            domain="${resolved_host%% *}"
            ip="${resolved_host##* }"

            echo -e "${GREEN}Domain: $domain"
            echo -e "IP:     $ip$NC"

            # Send stderr (the banner info, etc.) to /dev/null. It will still print open ports.
            sudo masscan "$ip" -p0-65535 --rate 10000 2>/dev/null | cut -d' ' -f4
        fi
    done <<< "$(host "$sub.$hostname")"
done < "$subdomain_file"

Last edited by individual; 07-09-2019 at 10:50 PM. Reason: Punctuation and renamed a variable for clarity.
 
2 members found this post helpful.
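The two parsing steps this thread keeps coming back to, written as an added example that is not code from any of the posts above: one function extracts every address record from host output (IPv4 by default, and IPv6 "has IPv6 address" records too when given -6, which goes a step beyond the IPv4-only matching in the replies), and the other keeps only masscan's "Discovered open port" lines and prints the address and port. The host and masscan samples are constructed from the lines quoted in posts #1 and #3, so the functions can be exercised offline.

```shell
#!/bin/bash
# Added example (not from this thread): parse `host` and masscan output.

# Constructed sample, shaped like the `host mail.ru` output in post #1.
SAMPLE_HOST_OUTPUT='mail.ru has address 94.100.180.202
mail.ru has address 217.69.139.202
mail.ru has IPv6 address 2a00:1148:db00:0:b0b0::1
mail.ru mail is handled by 10 mxs.mail.ru.'

# Constructed sample of the lines masscan writes to stdout (banner goes to stderr).
SAMPLE_MASSCAN_OUTPUT='Discovered open port 443/tcp on 94.100.180.200
Discovered open port 80/tcp on 94.100.180.202'

# Print one address per line from host output read on stdin.
# Usage: host_addresses [-6] < host_output   (-6 also prints AAAA records)
host_addresses() {
    local with_v6=0 line
    if [ "${1:-}" = "-6" ]; then with_v6=1; fi
    while IFS= read -r line; do
        case "$line" in
            *" has address "*)      printf '%s\n' "${line##* }" ;;
            *" has IPv6 address "*) if [ "$with_v6" -eq 1 ]; then printf '%s\n' "${line##* }"; fi ;;
        esac
    done
    return 0
}

# Reduce masscan "Discovered open port P on IP" lines (stdin) to "IP P" lines;
# everything else (progress, banners) is dropped.
open_ports() {
    local line
    while IFS= read -r line; do
        case "$line" in
            "Discovered open port "*" on "*)
                set -- $line            # word-split: $4 = port/proto, $6 = address
                printf '%s %s\n' "$6" "$4" ;;
        esac
    done
    return 0
}

# How the pieces fit together in the script from post #4 (not run here):
#   host "$sub.$hostname" | host_addresses -6 | while read -r ip; do
#       sudo masscan "$ip" -p0-65535 --rate 10000 2>/dev/null | open_ports
#   done
```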
Old 07-10-2019, 08:52 AM   #5
Scrag
Member
 
Registered: Mar 2004
Location: Wisconsin
Distribution: Kali Linux
Posts: 131

Original Poster
Rep: Reputation: 15
Smile

Thank you both. I found both your posts very helpful. Individual - your post was exactly what I was looking for.

Thanks again,
Scrag
 
Old 07-10-2019, 09:16 AM   #6
individual
Member
 
Registered: Jul 2018
Posts: 315
Blog Entries: 1

Rep: Reputation: 233
Quote:
Originally Posted by Scrag View Post
Thank you both. I found both your posts very helpful. Individual - your post was exactly what I was looking for.

Thanks again,
Scrag
Glad it worked for you. Ignore the grep comment; I was originally using grep to check for IPv4 addresses but realized host prints out "has address" for hosts with IPv4 addresses.