
Introduction:
In the high-stakes world of penetration testing, efficiency is the difference between a thorough assessment and a missed vulnerability. Automation is no longer a luxury but a necessity, allowing security professionals to focus on complex attack chains rather than repetitive tasks. This article delves into a curated set of powerful, open-source scripts designed to automate critical phases of a penetration test, from reconnaissance and scanning to cryptographic analysis and network pivoting.
Learning Objectives:
- Learn how to automate the parsing of vulnerability scanner and network mapping output for actionable intelligence.
- Understand methods to perform system reconnaissance and bypass Intrusion Prevention Systems (IPS) during scanning.
- Gain practical skills in cryptographic manipulation and complex network pivoting for enterprise-grade assessments.
You Should Know:
1. Automating Vulnerability Analysis with Nessus CSV Parsing
Manually sifting through massive Nessus CSV reports is time-consuming. This Python script extracts the most critical columns—IP Address, Plugin Name, Severity, and Description—to deliver immediate, actionable findings.
Verified Code Snippet (Python):
import csv

def parse_nessus_csv(input_file, output_file):
    # Keep only the columns needed for triage. The names match the headers
    # of a Nessus CSV export: Host, Name (plugin name), Risk, Description.
    fieldnames = ['Host', 'Name', 'Risk', 'Description']
    with open(input_file, 'r', newline='') as infile, \
         open(output_file, 'w', newline='') as outfile:
        reader = csv.DictReader(infile)
        writer = csv.DictWriter(outfile, fieldnames=fieldnames)
        writer.writeheader()
        for row in reader:
            writer.writerow({
                'Host': row['Host'],
                'Name': row['Name'],
                'Risk': row['Risk'],
                'Description': row['Description']
            })
Usage:
parse_nessus_csv('full_nessus_scan.csv', 'parsed_findings.csv')
Step-by-step guide:
1. Run your Nessus scan and export the results in `.csv` format.
2. Save the above script as `nessus_parser.py`.
3. Execute the script from your terminal: `python3 nessus_parser.py`
4. The script will generate a new file, `parsed_findings.csv`, containing only the essential data for your report and remediation tracking.
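Going one step beyond column extraction, the following added example (not the article's script) reads the same Nessus CSV layout from an in-memory string and turns it into what a report actually needs: findings filtered by minimum severity, grouped per host, and grouped per plugin so one remediation ticket covers every affected host. The CSV rows, plugin IDs and hosts are constructed for illustration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the header layout of a Nessus CSV export; plugin IDs,
# hosts and findings are made up for illustration, not real scan results.
SAMPLE_NESSUS_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Description,Solution
90001,,0.0,None,10.0.0.5,tcp,22,SSH Server Detected,An SSH server is listening.,Service banner observed.,n/a
90002,,7.5,High,10.0.0.5,tcp,443,Weak TLS Cipher Suites,Weak ciphers offered.,Legacy cipher suites are enabled.,Disable them
90003,,5.3,Medium,10.0.0.7,tcp,80,HTTP Server Version Disclosure,Banner leaks version.,Server header reveals version.,Hide banner
90002,,7.5,High,10.0.0.7,tcp,443,Weak TLS Cipher Suites,Weak ciphers offered.,Legacy cipher suites are enabled.,Disable them
90004,,9.8,Critical,10.0.0.9,tcp,445,SMB Signing Not Required,Signing disabled.,SMB signing is not enforced.,Require signing
"""

# Nessus "Risk" values, ordered so findings can be thresholded and sorted.
SEVERITY = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "None": 0}

def load_findings(csv_text, min_risk="High"):
    """Rows at or above min_risk, most severe first (stable for equal risk)."""
    threshold = SEVERITY[min_risk]
    rows = [r for r in csv.DictReader(io.StringIO(csv_text))
            if SEVERITY.get(r["Risk"], 0) >= threshold]
    return sorted(rows, key=lambda r: -SEVERITY[r["Risk"]])

def findings_by_host(rows):
    """host -> [(Risk, Name, Port)] so each host's issues are reviewed together."""
    by_host = defaultdict(list)
    for r in rows:
        by_host[r["Host"]].append((r["Risk"], r["Name"], r["Port"]))
    return dict(by_host)

def hosts_by_plugin(rows):
    """Plugin name -> sorted hosts: one remediation ticket per issue, not per host."""
    by_plugin = defaultdict(set)
    for r in rows:
        by_plugin[r["Name"]].add(r["Host"])
    return {name: sorted(hosts) for name, hosts in by_plugin.items()}

def risk_counts(csv_text):
    """Severity histogram for the summary table of the report."""
    return Counter(r["Risk"] for r in csv.DictReader(io.StringIO(csv_text)))
```

Swap `SAMPLE_NESSUS_CSV` for the contents of a real export file to use it on a scan.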
2. Rapid Host Reconnaissance with MachineCheck
Gaining an initial foothold often calls for quick, scripted reconnaissance. This PowerShell snippet builds a system profile using only built-in cmdlets: it records the hostname and IP, checks outbound connectivity, and enumerates listening TCP ports with their owning processes, without triggering heavy defenses.
Verified Code Snippet (PowerShell):
$Hostname = $env:COMPUTERNAME
$IPAddress = (Test-Connection -ComputerName $Hostname -Count 1).IPV4Address.IPAddressToString
$OutPath = [Environment]::GetFolderPath("MyDocuments") + "\SystemProfile.csv"

# Check Internet Connectivity (TCP/53 to a public resolver).
# Note: with -InformationLevel Quiet the cmdlet returns a bare boolean, so the
# TcpTestSucceeded property would be empty; suppress the warning instead.
$CanReachGoogle = (Test-NetConnection -ComputerName 8.8.8.8 -Port 53 -WarningAction SilentlyContinue).TcpTestSucceeded

# Get Network Listener Information
$Listeners = Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess -Unique
$Processes = Get-Process | Select-Object Id, ProcessName
$ListenerDetails = $Listeners | ForEach-Object {
    # Capture the current connection: inside Where-Object, $_ is the process.
    $Conn = $_
    $ProcName = ($Processes | Where-Object { $_.Id -eq $Conn.OwningProcess }).ProcessName
    [PSCustomObject]@{
        Hostname       = $Hostname
        IP             = $IPAddress
        Protocol       = "TCP"
        LocalAddress   = $Conn.LocalAddress
        LocalPort      = $Conn.LocalPort
        ProcessID      = $Conn.OwningProcess
        ProcessName    = $ProcName
        InternetAccess = $CanReachGoogle
    }
}
$ListenerDetails | Export-Csv -Path $OutPath -NoTypeInformation
Write-Host "System profile saved to: $OutPath"
Step-by-step guide:
1. Open a PowerShell window (as a user, not necessarily administrator).
2. Copy and paste the entire script.
3. The script automatically gathers the hostname and IP, checks for internet access, and lists all listening TCP ports with their associated Process ID and Name.
4. The results are saved as a CSV file in your Documents folder for easy review and integration into larger assessment frameworks.
3. Evading IPS by Parsing Nmap Packet Traces
Modern IPS deployments often answer scans with fake open ports to confuse scanners. This script analyzes `nmap --packet-trace` output and filters out those decoys by discarding replies whose TCP sequence number is zero, leaving the ports that belong to real services.
Verified Code Snippet (Bash):
#!/bin/bash
# Usage: ./parse_nmap_trace.sh nmap_trace_output.txt
# Keep received packets whose TCP sequence number is non-zero, then extract the
# port and de-duplicate. The match strings must correspond to the trace format
# printed by the nmap version in use; adjust them if your trace lines differ.
if [ $# -ne 1 ]; then
    echo "Usage: $0 nmap_trace_output.txt" >&2
    exit 1
fi
grep "Received packet" "$1" | grep -v "TCP sequence: 0" | awk '{print $5}' | cut -d':' -f1 | sort -u > real_ports.txt
echo "Genuine open ports identified:"
cat real_ports.txt
Step-by-step guide:
1. First, run your nmap scan with the packet trace flag: `sudo nmap -sS --packet-trace -p- <target_IP> > nmap_trace_output.txt 2>&1`
2. Save the bash script as `parse_nmap_trace.sh` and give it execute permissions: `chmod +x parse_nmap_trace.sh`
3. Run the script against your trace file: `./parse_nmap_trace.sh nmap_trace_output.txt`
4. The script outputs a list of ports that responded with non-zero sequence numbers, which are the genuine services, bypassing the IPS deception.
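The same filtering rule, written as an added Python example (not the article's script) against the `RCVD` line layout that nmap's `--packet-trace` prints: only SYN/ACK replies are considered, and a reply with `seq=0` is reported separately as suspect rather than silently dropped, so the analyst can see what was filtered. The trace lines below are constructed, not a real capture.

```python
import re

# Constructed sample lines in the layout of nmap --packet-trace "RCVD" output
# (not a real capture). Port 80 answers SYN/ACK with seq=0, the decoy pattern
# the article describes; 8080 is a plain RST/ACK; the SENT line is our probe.
SAMPLE_TRACE = """\
RCVD (0.0412s) TCP 10.0.0.9:22 > 10.0.0.5:41002 SA ttl=64 id=0 iplen=44 seq=2766232013 win=29200 <mss 1460>
RCVD (0.0415s) TCP 10.0.0.9:80 > 10.0.0.5:41002 SA ttl=64 id=0 iplen=44 seq=0 win=65535 <mss 1460>
RCVD (0.0418s) TCP 10.0.0.9:443 > 10.0.0.5:41002 SA ttl=64 id=0 iplen=44 seq=1983211777 win=29200 <mss 1460>
RCVD (0.0420s) TCP 10.0.0.9:8080 > 10.0.0.5:41002 RA ttl=64 id=0 iplen=40 seq=0 win=0
SENT (0.0500s) TCP 10.0.0.5:41002 > 10.0.0.9:3306 S ttl=48 id=12345 iplen=44 seq=555 win=1024 <mss 1460>
"""

# Received TCP packet: source host:port, destination, flag letters, then seq=.
RCVD_TCP = re.compile(
    r"^RCVD \(\S+\) TCP (?P<src>[\d.]+):(?P<sport>\d+) > \S+ "
    r"(?P<flags>[A-Z]+) .*?seq=(?P<seq>\d+)"
)

def classify_synack_replies(trace_text):
    """Split SYN/ACK replies into genuine (seq != 0) and suspect (seq == 0) ports."""
    genuine, suspect = set(), set()
    for line in trace_text.splitlines():
        m = RCVD_TCP.match(line)
        if not m or m.group("flags") != "SA":   # only SYN/ACK answers matter
            continue
        port = int(m.group("sport"))
        (suspect if int(m.group("seq")) == 0 else genuine).add(port)
    return {"genuine": sorted(genuine), "suspect": sorted(suspect)}

def classify_trace_file(path):
    """Convenience wrapper for a saved nmap trace file."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return classify_synack_replies(fh.read())
```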
4. Manipulating AES-CBC for App Testing and CTFs
Testing mobile applications or solving CTF challenges often requires manual encryption and decryption. This Python snippet provides helper functions for AES-CBC encryption and decryption using PKCS7 padding.
Verified Code Snippet (Python):
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad, unpad
import base64

def aes_cbc_encrypt(key_hex, iv_hex, plaintext):
    key = bytes.fromhex(key_hex)
    iv = bytes.fromhex(iv_hex)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(pad(plaintext.encode(), AES.block_size))
    return base64.b64encode(ciphertext).decode()

def aes_cbc_decrypt(key_hex, iv_hex, ciphertext_b64):
    key = bytes.fromhex(key_hex)
    iv = bytes.fromhex(iv_hex)
    ciphertext = base64.b64decode(ciphertext_b64)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = unpad(cipher.decrypt(ciphertext), AES.block_size)
    return decrypted.decode()

# Example Usage for Decryption:
if __name__ == "__main__":
    key = "00112233445566778899aabbccddeeff"
    iv = "000102030405060708090a0b0c0d0e0f"
    ct = "u8f7M...<your_base64_ciphertext>"  # replace with the captured Base64 ciphertext
    print(aes_cbc_decrypt(key, iv, ct))
Step-by-step guide:
1. Ensure you have the `pycryptodome` library installed: `pip3 install pycryptodome`
2. Integrate the functions into a script or use them in an interactive Python shell.
3. For encryption, provide a 16-byte (32-character hex) key and IV, along with your plaintext. The function will return a Base64-encoded ciphertext.
4. For decryption (e.g., to decrypt a captured network token), provide the same key and IV with the Base64 ciphertext to retrieve the original plaintext.
5. Pivoting Nessus Through a Ligolo-NG Tunnel
Enterprise networks are often segmented. This technique forces a scanner such as Nessus to route its traffic through a Ligolo-NG proxy tunnel so it can reach subnets that are otherwise unreachable from the scanning host.
Verified Commands and Steps:
On Attacker Machine (Kali):
1. Create a simple TCP proxy that forwards traffic to the target subnet via the jumper:
socat TCP-LISTEN:8080,fork TCP:<JUMPER_INTERNAL_IP>:9090 &
2. Forward this proxy port to the Jumper via SSH:
ssh -L 9090:127.0.0.1:8080 user@jumper-ip -N
3. On the Jumper, create a Ligolo-NG tunnel back to the Attacker:
./ligolo-ng -connect attacker-ip:11601
4. On the Attacker, inside the Ligolo-NG shell, set the route and start the tunnel:
ligolo-ng» session
ligolo-ng» ifconfig config 10.42.0.1/30   # Assign a temporary IP to the tunnel
ligolo-ng» start
5. On the Nessus host, add a route for the target subnet via the Ligolo interface IP:
sudo ip route add <TARGET_SUBNET> via 10.42.0.1 dev ligolo
6. In the Nessus UI, configure the scan to use 10.42.0.1 as the source IP.
Step-by-step guide:
- Establish a foothold on a “jumper” host in the target network and deploy Ligolo-NG.
- On your attacker machine, set up the `socat` proxy and SSH forward as shown.
- Use the Ligolo-NG interface to assign an IP and start the tunnel.
- The critical step is adding a static route on the host running Nessus, directing traffic for the internal subnet through the Ligolo virtual interface.
- Configure the Nessus scan policy to use the assigned Ligolo interface IP as the source, forcing all scan traffic through the tunnel.
What Undercode Say:
- Automation is the Force Multiplier: The most effective penetration testers are not those who run manual commands the fastest, but those who strategically automate the boring and the repetitive. This frees up cognitive resources for advanced exploitation and lateral movement.
- Deep Understanding Trumps Blind Tool Usage: Scripts like the IPS bypass and the Nessus pivot are born from a fundamental understanding of network protocols (TCP handshake, routing) and tool limitations. This knowledge allows for the creation of bespoke solutions that off-the-shelf tools cannot provide.
The scripts presented are more than just time-savers; they represent a methodological shift. They demonstrate that the core of modern penetration testing lies in adaptability and problem-solving. The ability to write a simple script to parse data, manipulate cryptography, or force a proprietary tool through an unconventional pivot is what separates a junior tester from a senior consultant. As defenses become more automated and sophisticated, the offensive community’s response must be to leverage automation not just for execution, but for intelligent evasion and precision.
Prediction:
The increasing complexity of hybrid cloud environments and the pervasive deployment of smart IPS/IDS will make manual penetration testing techniques progressively less effective. The future of offensive security will be dominated by AI-assisted toolchains that can autonomously adapt to network conditions, generate custom evasion scripts in real-time, and orchestrate complex, multi-point pivots. Testers who cannot transition from pure manual execution to script-augmented, adaptive methodologies will find their effectiveness sharply limited, while those who embrace automation will be able to uncover deeper, more critical systemic vulnerabilities.
Reported By: Ahmed Osama – Hackers Feeds