WEBVTT

1
00:00:00.040 --> 00:00:02.839
<v Speaker 1>There's a certain thrill, isn't there, in wielding the power

2
00:00:02.839 --> 00:00:04.519
<v Speaker 1>of text to command a computer?

3
00:00:04.679 --> 00:00:04.839
<v Speaker 2>Oh?

4
00:00:04.919 --> 00:00:08.359
<v Speaker 1>Absolutely. And when you apply that to security, well, it

5
00:00:08.359 --> 00:00:13.759
<v Speaker 1>becomes this incredibly potent skill. Definitely. So today we're plunging

6
00:00:13.759 --> 00:00:17.079
<v Speaker 1>into the world of Bash scripting for ethical hacking and

7
00:00:17.120 --> 00:00:23.239
<v Speaker 1>penetration testing. We're really focusing on that crucial first phase reconnaissance.

8
00:00:23.320 --> 00:00:25.160
<v Speaker 2>Yeah, the information gathering part.

9
00:00:25.320 --> 00:00:29.120
<v Speaker 1>Our goal here is to distill the essential knowledge from

10
00:00:29.160 --> 00:00:32.719
<v Speaker 1>some key materials. Understand exactly how Bash and its buddy

11
00:00:32.719 --> 00:00:35.960
<v Speaker 1>tools are used to get that critical first layer of

12
00:00:36.039 --> 00:00:38.359
<v Speaker 1>information about potential targets.

13
00:00:38.479 --> 00:00:41.640
<v Speaker 2>And we're drawing from resources really aimed at security pros

14
00:00:41.640 --> 00:00:44.799
<v Speaker 2>who want to harness Bash. It covers the whole setup too.

15
00:00:44.840 --> 00:00:47.920
<v Speaker 1>Right, things like setting up your environment, maybe WSL, Windows

16
00:00:47.920 --> 00:00:51.079
<v Speaker 1>Subsystem for Linux, or Cygwin, picking a

17
00:00:51.039 --> 00:00:54.640
<v Speaker 2>text editor, and then getting into the Bash fundamentals, variables

18
00:00:54.679 --> 00:00:58.520
<v Speaker 2>for storing data, arrays for collections, understanding streams.

19
00:00:58.359 --> 00:00:59.920
<v Speaker 1>Standard input, output.

20
00:00:59.640 --> 00:01:02.320
<v Speaker 2>Error, that kind of thing. Exactly, how commands talk to

21
00:01:02.359 --> 00:01:05.959
<v Speaker 2>each other. These basics, they're the foundation for everything else

22
00:01:06.000 --> 00:01:06.560
<v Speaker 2>we'll discuss.

23
00:01:06.840 --> 00:01:10.799
<v Speaker 1>Okay, so environment sorted, command line feels, hopefully, a bit

24
00:01:10.840 --> 00:01:14.319
<v Speaker 1>less intimidating. Now the exciting part putting Bash to work

25
00:01:14.359 --> 00:01:17.879
<v Speaker 1>for reconnaissance, and like any assessment, first job is figuring

26
00:01:17.920 --> 00:01:20.680
<v Speaker 1>out who we're looking at, creating those target

27
00:01:20.480 --> 00:01:24.799
<v Speaker 2>lists. Precisely. The materials really stressed defining the scope clearly first.

28
00:01:25.040 --> 00:01:29.200
<v Speaker 2>Are we talking specific IPs, whole networks,

29
00:01:28.799 --> 00:01:30.840
<v Speaker 1>or domains, subdomains, that sort of thing.

30
00:01:30.760 --> 00:01:34.719
<v Speaker 2>Exactly, And Bash actually gives us some well, surprisingly efficient

31
00:01:34.760 --> 00:01:36.359
<v Speaker 2>ways to generate these lists.

32
00:01:36.439 --> 00:01:38.280
<v Speaker 1>Okay, let's start with IPs. Say you need to hit

33
00:01:38.280 --> 00:01:40.799
<v Speaker 1>a range like 172.16.10.1

34
00:01:40.920 --> 00:01:43.760
<v Speaker 1>up to .254. Typing

35
00:01:43.760 --> 00:01:46.599
<v Speaker 1>that manually is well not ideal.

36
00:01:46.400 --> 00:01:49.599
<v Speaker 2>Definitely not. The sources show a few clever Bash tricks.

37
00:01:49.959 --> 00:01:52.480
<v Speaker 2>One uses the seq command inside a for loop.

38
00:01:52.519 --> 00:01:55.239
<v Speaker 1>Okay, pretty straightforward: iterate the numbers, output the IPs.

39
00:01:55.359 --> 00:01:57.879
<v Speaker 2>It works, but there are usually quicker ways, right? Like Bash's

40
00:01:57.879 --> 00:01:58.680
<v Speaker 2>brace expansion.

41
00:01:58.760 --> 00:02:00.640
<v Speaker 1>Ah, yes, that's much shorter.

42
00:02:00.760 --> 00:02:02.560
<v Speaker 2>Yeah, you could just do echo

43
00:02:02.599 --> 00:02:04.680
<v Speaker 2>172.16.10.{1..254}.

44
00:02:04.799 --> 00:02:06.599
<v Speaker 2>That gives you a space-separated list, but

45
00:02:06.599 --> 00:02:08.719
<v Speaker 1>You probably want them on separate lines for tools.

46
00:02:08.879 --> 00:02:11.240
<v Speaker 2>Usually, yes, so you pipe that echo command to sed

47
00:02:11.360 --> 00:02:13.960
<v Speaker 2>to replace spaces with newlines.

48
00:02:14.159 --> 00:02:17.319
<v Speaker 1>Simple, very neat. And there was a third way, something

49
00:02:17.360 --> 00:02:17.879
<v Speaker 1>with printf.

50
00:02:18.159 --> 00:02:20.759
<v Speaker 2>That's right, printf 172.16.10

51
00:02:20.840 --> 00:02:23.280
<v Speaker 2>.%d might be even cleaner.

52
00:02:23.439 --> 00:02:24.159
<v Speaker 1>How does that work?

53
00:02:24.360 --> 00:02:26.840
<v Speaker 2>The %d is a placeholder for a number, an

54
00:02:26.919 --> 00:02:29.919
<v Speaker 2>integer. Bash fills it in for each number in the braces,

55
00:02:30.000 --> 00:02:33.120
<v Speaker 2>and the \n automatically adds the newline. No extra

56
00:02:33.199 --> 00:02:34.080
<v Speaker 2>formatting needed.

57
00:02:34.240 --> 00:02:38.479
<v Speaker 1>Clever. Okay, so that handles IP ranges. What about finding subdomains?

58
00:02:38.800 --> 00:02:40.439
<v Speaker 1>Organizations have tons of those.

59
00:02:40.280 --> 00:02:43.120
<v Speaker 2>These days, they really do. The common strategy detailed is

60
00:02:43.240 --> 00:02:45.479
<v Speaker 2>using a word list, you know, just a big text

61
00:02:45.479 --> 00:02:50.960
<v Speaker 2>file with potential subdomain names like mail, ftp, www, dev, things

62
00:02:51.000 --> 00:02:53.879
<v Speaker 2>like that. Exactly. Then the job is just sticking the

63
00:02:53.919 --> 00:02:55.919
<v Speaker 2>main domain name onto the end of each word in

64
00:02:55.960 --> 00:02:58.879
<v Speaker 2>the list. A standard Bash while read loop is perfect

65
00:02:58.879 --> 00:02:59.120
<v Speaker 2>for this.

66
00:02:59.240 --> 00:03:01.319
<v Speaker 1>So it reads a line, say mail, then you echo

67
00:03:01.360 --> 00:03:02.879
<v Speaker 1>mail plus .example

68
00:03:02.680 --> 00:03:04.879
<v Speaker 2>.com. Yep, if example.com is your target. The

69
00:03:04.919 --> 00:03:07.639
<v Speaker 2>material even points to an example wordlist on GitHub,

70
00:03:08.000 --> 00:03:11.360
<v Speaker 2>subdomains-1000.txt in the Black Hat Bash

71
00:03:11.400 --> 00:03:12.240
<v Speaker 2>repo. Useful.

72
00:03:12.759 --> 00:03:14.159
<v Speaker 1>Is there another way besides the loop?

73
00:03:14.520 --> 00:03:18.000
<v Speaker 2>Yeah. They also mentioned using sed directly. You can tell

74
00:03:18.039 --> 00:03:21.520
<v Speaker 2>sed to just append .example.com to the end

75
00:03:21.560 --> 00:03:24.360
<v Speaker 2>of every single line in the wordlist file. Does the

76
00:03:24.360 --> 00:03:26.000
<v Speaker 2>same thing, just a different command.

77
00:03:26.080 --> 00:03:30.800
<v Speaker 1>Okay, makes sense. So we've generated our lists, potential targets identified.

78
00:03:31.080 --> 00:03:33.319
<v Speaker 1>Now we need to see which ones are actually, you know,

79
00:03:33.400 --> 00:03:36.479
<v Speaker 1>alive and kicking. Host discovery.

80
00:03:36.080 --> 00:03:40.080
<v Speaker 2>Right, and the classic first check is ping, good old ping.

81
00:03:40.360 --> 00:03:43.439
<v Speaker 2>But when scripting, you need those flags to stop it

82
00:03:43.560 --> 00:03:48.000
<v Speaker 2>waiting forever. -c 1 for just one packet, and timeouts, yeah,

83
00:03:48.080 --> 00:03:50.400
<v Speaker 2>-W 1 or -w 1 to set

84
00:03:50.400 --> 00:03:52.919
<v Speaker 2>a wait time, maybe one second, so your script doesn't

85
00:03:52.960 --> 00:03:55.800
<v Speaker 2>just hang there if a host is down or ignoring pings.

86
00:03:55.520 --> 00:03:58.400
<v Speaker 1>Because they might ignore ICMP, right? Firewalls

87
00:03:57.919 --> 00:04:01.879
<v Speaker 2>and stuff. Exactly. Ping uses ICMP, and lots of systems

88
00:04:01.879 --> 00:04:04.400
<v Speaker 2>block it, so no ping response doesn't always mean the

89
00:04:04.439 --> 00:04:07.000
<v Speaker 2>host is offline. It's a piece of the puzzle, but

90
00:04:07.000 --> 00:04:07.840
<v Speaker 2>not the whole picture.

91
00:04:08.039 --> 00:04:10.439
<v Speaker 1>So for the local network, ping might miss things. That's

92
00:04:10.439 --> 00:04:11.560
<v Speaker 1>where arp-scan fits in.

93
00:04:11.759 --> 00:04:14.039
<v Speaker 2>That's right. arp-scan is great for your local segment. It

94
00:04:14.080 --> 00:04:17.319
<v Speaker 2>works using ARP, the Address Resolution Protocol. Layer two stuff.

95
00:04:17.399 --> 00:04:19.720
<v Speaker 2>Exactly, layer two, so it can spot devices even if

96
00:04:19.720 --> 00:04:22.040
<v Speaker 2>they're blocking pings higher up the stack. The command is

97
00:04:22.079 --> 00:04:26.120
<v Speaker 2>like sudo arp-scan network/24 -I interface.

98
00:04:25.680 --> 00:04:28.199
<v Speaker 1>And the sources mentioned a specific lab setup.

99
00:04:28.399 --> 00:04:31.160
<v Speaker 2>Yeah, they used br_public as the interface on the

100
00:04:31.279 --> 00:04:35.839
<v Speaker 2>172.16.10.0/24 network

101
00:04:35.879 --> 00:04:39.160
<v Speaker 2>in their examples. The key is ARP works locally and

102
00:04:39.160 --> 00:04:41.360
<v Speaker 2>can find hosts that ICMP might miss.

103
00:04:41.399 --> 00:04:43.000
<v Speaker 1>And they even showed how to put arp-scan in

104
00:04:43.000 --> 00:04:45.480
<v Speaker 1>a loop like to watch for new devices popping up.

105
00:04:45.639 --> 00:04:48.720
<v Speaker 2>Yes, a while loop to run arp-scan periodically. If

106
00:04:48.759 --> 00:04:51.399
<v Speaker 2>it spots a new MAC address, it uses sendmail

107
00:04:51.439 --> 00:04:52.879
<v Speaker 2>to fire off an email alert.

108
00:04:53.160 --> 00:04:55.839
<v Speaker 1>That's pretty cool. You set variables for known hosts, the

109
00:04:55.920 --> 00:04:57.279
<v Speaker 1>network, who to email.

110
00:04:57.439 --> 00:05:00.399
<v Speaker 2>It's a great example of automating basic network monitoring

111
00:05:00.480 --> 00:05:03.360
<v Speaker 2>with just Bash and standard tools. Simple but effective.

112
00:05:03.439 --> 00:05:05.800
<v Speaker 1>Okay, so we're building a picture of who's online. Next

113
00:05:05.839 --> 00:05:08.639
<v Speaker 1>logical step, what are they doing? What services are running?

114
00:05:08.800 --> 00:05:10.360
<v Speaker 1>Port scanning time. Exactly.

115
00:05:10.439 --> 00:05:12.839
<v Speaker 2>And the big names here are Nmap, the classic, and

116
00:05:12.879 --> 00:05:15.759
<v Speaker 2>maybe the faster RustScan for initial sweeps.

117
00:05:15.600 --> 00:05:18.360
<v Speaker 1>Nmap is the powerhouse though, right? Loads of options.

118
00:05:18.000 --> 00:05:21.199
<v Speaker 2>Oh yeah, very versatile. The -sV flag is highlighted.

119
00:05:21.240 --> 00:05:23.079
<v Speaker 2>Service version detection. Super useful.

120
00:05:23.199 --> 00:05:24.600
<v Speaker 1>Why is it so important.

121
00:05:24.439 --> 00:05:27.720
<v Speaker 2>Because knowing the exact software and version running on a

122
00:05:27.759 --> 00:05:31.519
<v Speaker 2>port lets you immediately look up known vulnerabilities for it. Speeds

123
00:05:31.240 --> 00:05:34.120
<v Speaker 1>things up a lot. Makes sense, and you can feed

124
00:05:34.240 --> 00:05:35.480
<v Speaker 1>Nmap our target lists.

125
00:05:35.600 --> 00:05:38.839
<v Speaker 2>Yep. The -iL option takes your list, like the

126
00:05:38.959 --> 00:05:41.160
<v Speaker 2>172-16-10-hosts

127
00:05:41.199 --> 00:05:43.879
<v Speaker 2>.txt we talked about, and scans all of them.

128
00:05:44.160 --> 00:05:47.279
<v Speaker 1>And the sources had a script for handling Nmap output too,

129
00:05:47.360 --> 00:05:49.680
<v Speaker 1>didn't they? nmap-to-portfiles.sh. Right.

130
00:05:50.040 --> 00:05:52.800
<v Speaker 2>That one's quite clever. It takes Nmap's output, looks for

131
00:05:52.839 --> 00:05:55.720
<v Speaker 2>the lines saying tcp open, and then creates files named

132
00:05:55.720 --> 00:05:57.800
<v Speaker 2>after the port number. Exactly. So you get 80

133
00:05:57.800 --> 00:06:00.560
<v Speaker 2>.txt, 443.txt, 22

134
00:06:00.600 --> 00:06:03.920
<v Speaker 2>.txt, whatever ports are open, and inside each file

135
00:06:04.079 --> 00:06:06.800
<v Speaker 2>is the list of IP addresses that have that specific

136
00:06:06.839 --> 00:06:07.360
<v Speaker 2>port open.

137
00:06:07.639 --> 00:06:10.839
<v Speaker 1>That sounds incredibly useful for organizing results, like show me

138
00:06:10.879 --> 00:06:12.199
<v Speaker 1>all hosts running a web server.

139
00:06:12.360 --> 00:06:15.240
<v Speaker 2>It really is great for prioritizing. Then there's the other script,

140
00:06:15.399 --> 00:06:18.680
<v Speaker 2>portwatchdog.sh. That one shows continuous monitoring.

141
00:06:18.720 --> 00:06:19.560
<v Speaker 1>How does that one work?

142
00:06:19.839 --> 00:06:22.800
<v Speaker 2>It uses RustScan, which is really fast, in a loop,

143
00:06:22.959 --> 00:06:25.399
<v Speaker 2>just checking if a specific port you care about opens

144
00:06:25.480 --> 00:06:26.160
<v Speaker 2>up on a target.

145
00:06:26.240 --> 00:06:29.279
<v Speaker 1>So like watching port 8080 on one machine. Exactly.

146
00:06:29.519 --> 00:06:32.399
<v Speaker 2>If RustScan suddenly sees it open, then the script

147
00:06:32.399 --> 00:06:35.319
<v Speaker 2>triggers Nmap with -sV to do a proper service

148
00:06:35.360 --> 00:06:38.079
<v Speaker 2>scan just on that newly open port and logs it.

149
00:06:38.199 --> 00:06:40.839
<v Speaker 1>Wow, like an automated tripwire for new services. Right,

150
00:06:40.959 --> 00:06:45.360
<v Speaker 1>I remember manually digging through huge Nmap logs. Scripts

151
00:06:45.399 --> 00:06:46.560
<v Speaker 1>like these are game changers.

152
00:06:46.720 --> 00:06:49.199
<v Speaker 2>They really save a ton of time and effort. Automation

153
00:06:49.399 --> 00:06:49.720
<v Speaker 2>is key.

154
00:06:49.759 --> 00:06:51.480
<v Speaker 1>Okay, so we found open ports. Now we want to

155
00:06:51.480 --> 00:06:53.199
<v Speaker 1>poke them a bit, see what's actually listening.

156
00:06:53.519 --> 00:06:56.639
<v Speaker 2>Banner grabbing. Banner grabbing, yep, trying to get the service

157
00:06:56.680 --> 00:07:01.639
<v Speaker 2>to announce itself, send back a banner. It often contains software names, versions.

158
00:07:01.199 --> 00:07:03.319
<v Speaker 1>And the tool for that is often netcat, nc.

159
00:07:03.639 --> 00:07:09.199
<v Speaker 2>Netcat is fundamental. nc -v IP port just tries to connect,

160
00:07:09.360 --> 00:07:14.040
<v Speaker 2>the -v gives verbose output. Many services, especially older ones

161
00:07:14.079 --> 00:07:17.000
<v Speaker 2>like FTP or SSH might just spit out a banner

162
00:07:17.040 --> 00:07:19.399
<v Speaker 2>right away. There's a script for that too. Yep, netcat

163
00:07:19.439 --> 00:07:22.399
<v Speaker 2>-banner-grab.sh to automate running nc against a

164
00:07:22.439 --> 00:07:24.120
<v Speaker 2>list of ips and a specific port.

165
00:07:24.199 --> 00:07:26.519
<v Speaker 1>What about web servers? They don't always give banners easily

166
00:07:26.600 --> 00:07:28.360
<v Speaker 1>with netcat. True.

167
00:07:28.120 --> 00:07:32.079
<v Speaker 2>For HTTP, the material points to curl, specifically using the

168
00:07:32.120 --> 00:07:35.519
<v Speaker 2>HEAD method, because HEAD asks for just the HTTP headers,

169
00:07:35.560 --> 00:07:38.040
<v Speaker 2>not the whole web page content. It's faster if you

170
00:07:38.079 --> 00:07:39.759
<v Speaker 2>only want info like the Server

171
00:07:39.560 --> 00:07:42.360
<v Speaker 1>header. Ah, which often tells you if it's Apache or

172
00:07:42.519 --> 00:07:44.120
<v Speaker 1>nginx. Exactly.

173
00:07:44.519 --> 00:07:47.079
<v Speaker 2>And there's a curl-banner-grab.sh script that

174
00:07:47.120 --> 00:07:49.639
<v Speaker 2>prompts for an IP and port, does the curl HEAD,

175
00:07:49.879 --> 00:07:52.279
<v Speaker 2>and then uses grep to pull out just that

176
00:07:52.360 --> 00:07:52.920
<v Speaker 2>Server line.

177
00:07:52.959 --> 00:07:53.680
<v Speaker 1>Pretty targeted.

178
00:07:53.839 --> 00:07:56.759
<v Speaker 2>And don't forget Nmap again. Its scripting engine.

179
00:07:56.560 --> 00:07:57.800
<v Speaker 1>NSE, right? NSE.

180
00:07:58.120 --> 00:08:00.480
<v Speaker 2>There's a banner.nse script. You can run nmap

181
00:08:00.800 --> 00:08:03.639
<v Speaker 2>-sV --script banner.nse and it does the service

182
00:08:03.680 --> 00:08:06.000
<v Speaker 2>detection and banner grabbing together. Very efficient.

183
00:08:06.240 --> 00:08:10.399
<v Speaker 1>Okay, banners grabbed, services IDed. What about the OS? Can

184
00:08:10.399 --> 00:08:12.600
<v Speaker 1>we figure out if it's Linux, Windows, something else.

185
00:08:13.000 --> 00:08:16.920
<v Speaker 2>Nmap again is the main tool here. It uses TCP/IP fingerprinting.

186
00:08:17.079 --> 00:08:19.800
<v Speaker 1>Fingerprinting? How does that work? Sounds complex.

187
00:08:19.959 --> 00:08:23.480
<v Speaker 2>It kind of is. Nmap sends specific, unusual packets and

188
00:08:23.560 --> 00:08:27.600
<v Speaker 2>analyzes tiny details on how the target system responds, timings,

189
00:08:27.720 --> 00:08:31.160
<v Speaker 2>flag settings, things like that. Different operating systems have slightly

190
00:08:31.199 --> 00:08:33.080
<v Speaker 2>different network stacks that react uniquely.

191
00:08:33.159 --> 00:08:35.200
<v Speaker 1>This is like a network-level fingerprint, basically.

192
00:08:35.279 --> 00:08:38.240
<v Speaker 2>Yes, the -O flag tells Nmap to try this.

193
00:08:38.240 --> 00:08:41.200
<v Speaker 1>OS detection. And let me guess, there's a script for

194
00:08:41.279 --> 00:08:42.120
<v Speaker 1>parsing that output.

195
00:08:42.240 --> 00:08:46.200
<v Speaker 2>You got it, os-detection.sh. Nmap has a greppable

196
00:08:46.320 --> 00:08:50.480
<v Speaker 2>output format, -oG. This script uses grep, awk, and sed on

197
00:08:50.559 --> 00:08:53.759
<v Speaker 2>that output to find the lines with Host and OS

198
00:08:54.080 --> 00:08:56.559
<v Speaker 2>and pull out the IP and the OS guess. It

199
00:08:56.600 --> 00:08:59.120
<v Speaker 2>looks for certain patterns to extract the info cleanly.

200
00:08:59.320 --> 00:09:01.399
<v Speaker 1>It's amazing what you can learn just from how a

201
00:09:01.440 --> 00:09:04.960
<v Speaker 1>machine talks on the network. Okay, one last area mentioned,

202
00:09:05.519 --> 00:09:08.080
<v Speaker 1>web applications, specifically using Wappalyzer.

203
00:09:08.279 --> 00:09:11.960
<v Speaker 2>Right, Wappalyzer, fantastic tool. It's all about identifying the technologies

204
00:09:11.960 --> 00:09:14.159
<v Speaker 2>behind a website or a web app, all kinds of technology,

205
00:09:14.240 --> 00:09:16.799
<v Speaker 2>things like the web framework, React, Angular, Vue, the back

206
00:09:16.919 --> 00:09:22.240
<v Speaker 2>end language, maybe PHP, Node.js, the CMS like WordPress or Drupal,

207
00:09:22.679 --> 00:09:26.080
<v Speaker 2>JavaScript libraries, web servers, lots of stuff.

208
00:09:26.120 --> 00:09:26.759
<v Speaker 1>How does it do that?

209
00:09:27.000 --> 00:09:29.519
<v Speaker 2>It has a database of signatures. It looks for specific

210
00:09:29.559 --> 00:09:32.440
<v Speaker 2>clues in the site's code, headers, cookies, scripts.

211
00:09:32.120 --> 00:09:33.399
<v Speaker 1>And the example usage was simple.

212
00:09:33.519 --> 00:09:37.200
<v Speaker 2>Yeah, just wappalyzer http://IP:port. It spits

213
00:09:37.240 --> 00:09:38.879
<v Speaker 2>out JSON data.

214
00:09:38.919 --> 00:09:41.960
<v Speaker 1>JSON, you need something to read that easily. Exactly.

215
00:09:42.360 --> 00:09:45.639
<v Speaker 2>The example pipes the JSON output to jq, which is

216
00:09:45.679 --> 00:09:48.759
<v Speaker 2>a command-line JSON processor. You can use jq to

217
00:09:48.799 --> 00:09:51.519
<v Speaker 2>pull out just the fields you want, like the technology name,

218
00:09:51.600 --> 00:09:53.720
<v Speaker 2>the version it detected, and the confidence score.

219
00:09:53.919 --> 00:09:56.000
<v Speaker 1>So you get a nice structured list of the tech

220
00:09:56.039 --> 00:09:59.600
<v Speaker 1>stack. That seems really valuable for figuring out where potential

221
00:09:59.600 --> 00:10:01.000
<v Speaker 1>weaknesses might lie later on.

222
00:10:01.120 --> 00:10:04.120
<v Speaker 2>Absolutely, knowing the stack guides your next steps, like looking

223
00:10:04.120 --> 00:10:08.080
<v Speaker 2>for specific vulnerabilities in those components. It complements the network

224
00:10:08.080 --> 00:10:08.279
<v Speaker 2>view.

225
00:10:08.440 --> 00:10:11.360
<v Speaker 1>Okay, let's try and pull this all together. We've seen

226
00:10:11.399 --> 00:10:14.720
<v Speaker 1>how Bash, acting as the glue, combined with tools like ping,

227
00:10:15.000 --> 00:10:21.240
<v Speaker 1>arp-scan, Nmap, RustScan, netcat, curl, and Wappalyzer, well,

228
00:10:21.279 --> 00:10:25.320
<v Speaker 1>it forms a seriously capable toolkit for that initial recon phase. Definitely.

229
00:10:25.399 --> 00:10:28.240
<v Speaker 1>we can build target lists efficiently, find out who's online,

230
00:10:28.399 --> 00:10:31.440
<v Speaker 1>scan for open ports and running services, grab banners for

231
00:10:31.480 --> 00:10:34.679
<v Speaker 1>software versions, and even make educated guesses about the OS

232
00:10:34.679 --> 00:10:35.720
<v Speaker 1>and web technologies.

233
00:10:35.759 --> 00:10:38.320
<v Speaker 2>And the core idea really is that Bash isn't just

234
00:10:38.360 --> 00:10:41.519
<v Speaker 2>a shell, it's a scripting language. It lets you automate

235
00:10:41.519 --> 00:10:45.000
<v Speaker 2>these tools, chain them together, process their output. It makes

236
00:10:45.039 --> 00:10:47.200
<v Speaker 2>reconnaissance scalable and much more efficient.

237
00:10:47.480 --> 00:10:49.879
<v Speaker 1>So understanding the tools and how to script them in

238
00:10:49.919 --> 00:10:50.600
<v Speaker 1>Bash is

239
00:10:50.600 --> 00:10:55.440
<v Speaker 2>crucial. Absolutely essential for effective large-scale information gathering. You

240
00:10:55.480 --> 00:10:57.360
<v Speaker 2>can't just click buttons for everything.

241
00:10:57.759 --> 00:11:00.000
<v Speaker 1>This deep dive has given us a really solid grounding

242
00:11:00.240 --> 00:11:03.120
<v Speaker 1>in Bash for recon, and it sounds like the source

243
00:11:03.159 --> 00:11:07.240
<v Speaker 1>material goes even further into vulnerability scanning, maybe exploitation.

244
00:11:07.480 --> 00:11:09.480
<v Speaker 2>Yeah, this is really just scratching the surface of the

245
00:11:09.519 --> 00:11:10.320
<v Speaker 2>initial steps.

246
00:11:10.759 --> 00:11:13.600
<v Speaker 1>Right. So for you listening, here's something to think about.

247
00:11:14.399 --> 00:11:17.440
<v Speaker 1>How could you maybe apply some of these Bash techniques,

248
00:11:17.600 --> 00:11:20.120
<v Speaker 1>even just the basic ideas in your own work or

249
00:11:20.120 --> 00:11:22.639
<v Speaker 1>areas of interest. How can they help you understand the

250
00:11:22.720 --> 00:11:25.240
<v Speaker 1>systems you interact with just a little bit better.

251
00:11:25.399 --> 00:11:27.720
<v Speaker 2>Maybe check out some of those tools, Nmap or

252
00:11:27.759 --> 00:11:30.919
<v Speaker 2>Wappalyzer, or even browse that GitHub repo mentioned. It

253
00:11:30.960 --> 00:11:32.200
<v Speaker 2>could be a good next step.
