Automating Common Pentest Tasks with

At the start of a CTF challenge or penetration test, I virtually always run the same set of fundamental scanning and enumeration commands. To save some time and accelerate my workflow I have created, a Bash shell which automates the common initial scanning and enumeration tasks for a penetration test (hence the name, Pentest Bootstrap), so you can spend your time focussing on the details.

The script is provided with some information about the target and then can be left unattended while various scans are conducted. It simplifies scanning numerous systems from the command line in a repeatable and hands off way.

Screenshot of in operation.


The script runs within a Bash Linux command shell. A standard directory tree structure is created to organise the output from various tools such as nmap, nikto and dirb. The script’s features are as follows:

  • Creates a folder structure for the project with sub-directories such as recon, creds, etc., for storing test findings and output generated by tools.
  • Performs staged scanning and enumeration of the target, using nmap to identify open network ports and subsequently executing protocol-specific tools depending on results of the initial scans (e.g. only runs snmpwalk if target has a accessible SNMP service port).
  • Runs a background ping process for the duration of the script execution, which can be used to check for network connectivity issues encountered during runtime (useful for unattended operation).
  • Captures all generated network traffic to a gzipped pcap file for post-scan diagnostics/review.

The tool will produce the following directory tree structure:

./<project name>/
recon/ -- Output of target scanning tools.
enum/ -- Output of service enumeration jobs.
creds/ -- Empty directory for user convenience.
loot/ -- Empty directory for user convenience.
misc/ -- Empty directory for user convenience.

The recon and enum directories contain the xml and gnmap subdirectories for storing machine readable nmap output files.


This script has been tested on a Kali Linux 2018.1 installation with the kali-linux-all package group installed. If in doubt, review the ‘tool path’ script variables to see which external programs are expected to be present.


Clone or download the file from the GitHub repository to your Kali Linux environment. Run the script with the desired target machine details specified on the command line. Unless specified with the -o option, target output directories will be created in the same directory as A scan can take anywhere from five minutes to a couple of hours depending on the nature of the target system and interconnecting network.

Command line usage syntax:

Usage: ./ -n projectname -t targetip [-i interface] [-d dns-resolver] [-o outputdir] [-h]
-n: Project name for this target.
-t: IP address of target.
-i: Network interface to use (optional, defaults to eth0).
-d: DNS resolver to supply to tools for this target (optional).
-o: Base location to create project files (optional, defaults to '.').
-h: Shows this usage information.

If no DNS resolver IP address is provided, all tools will be configured to perform no DNS lookups (where supported). Manual specification of a DNS server IP address is frequently useful for internal private network testing where a private DNS service should be used.

For example:

./ -n mywebserver -t

Will create a directory called mywebserver containing scanning and enumeration data for

More Information

I have released this script under the MIT licence. It can be downloaded from the ptboot GitHub repository.

Did you like this article? Please consider supporting this site.

Page last updated: