At the start of a CTF challenge or penetration test, I virtually always run the same set of fundamental scanning and enumeration commands. To save some time and accelerate my workflow I have created ptboot.sh, a Bash shell script which automates the common initial scanning and enumeration tasks for a penetration test (hence the name, Pentest Bootstrap), so you can spend your time focussing on the details.
The script is given some information about the target and can then be left unattended while the various scans run. It makes scanning numerous systems from the command line repeatable and hands-off.
The ptboot.sh script runs in a Bash shell on Linux. It creates a standard directory tree to organise the output of the various tools it runs, such as dirb. The script's features are as follows:
- Creates a folder structure for the project, with sub-directories (such as creds) for storing test findings and the output generated by tools.
- Performs staged scanning and enumeration of the target: nmap is used first to identify open network ports, and protocol-specific tools are then executed depending on the results of the initial scans (e.g. snmpwalk only runs if the target has an accessible SNMP service port).
- Runs a background ping process for the duration of the script execution, which can be used to check for network connectivity issues encountered during runtime (useful for unattended operation).
- Captures all generated network traffic to a gzipped pcap file for post-scan diagnostics/review.
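As an added illustration of the scan-then-branch idea in the feature list (this is not ptboot.sh's own code, which lives in the GitHub repository), the Bash sketch below parses an nmap greppable-output host line, creates a per-target output tree, and queues protocol-specific follow-up tools only for ports nmap actually reported open. It also includes a small helper for the DNS choice described under usage below: no resolver given means no lookups (nmap's -n), otherwise nmap is pointed at the supplied resolver. The target address 10.0.0.5, the directory names, the tool choices and the gnmap line are all assumptions constructed for the demo.

```bash
#!/usr/bin/env bash
# Added illustration of the staged "scan, then enumerate per protocol" flow
# that ptboot.sh describes. Not ptboot.sh's own code: directory names, tool
# choices, the target 10.0.0.5 and the sample nmap output are assumptions.
set -eu

# Constructed sample of one nmap greppable-output (-oG) host line.
SAMPLE_GNMAP='Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 161/open/udp//snmp///, 445/filtered/tcp//microsoft-ds///  Ignored State: closed (996)'

# make_project_tree ROOT: create the per-target output tree and print its path.
make_project_tree() {
  local root="$1"
  mkdir -p "$root/enum/gnmap" "$root/creds" "$root/loot" "$root/pcap"
  printf '%s\n' "$root"
}

# nmap_dns_args [RESOLVER_IP]: no resolver given -> never resolve names (-n);
# otherwise force nmap to use that resolver (useful on internal networks).
nmap_dns_args() {
  if [ $# -eq 0 ] || [ -z "$1" ]; then
    printf '%s\n' '-n'
  else
    printf '%s %s\n' '--dns-servers' "$1"
  fi
}

# open_ports GNMAP_LINE: print one "port/proto service" line per open port.
open_ports() {
  local line="$1" field port state proto rpc service rest
  local -a fields
  line="${line#*Ports: }"            # keep only the Ports: section
  line="${line%%Ignored State*}"     # drop nmap's trailing summary, if present
  IFS=',' read -ra fields <<< "$line"
  for field in "${fields[@]}"; do
    field="${field# }"                # strip the space that follows each comma
    IFS='/' read -r port state proto rpc service rest <<< "$field"
    if [ "$state" = open ]; then
      printf '%s/%s %s\n' "$port" "$proto" "$service"
    fi
  done
}

# plan_enumeration HOST GNMAP_LINE: turn open ports into follow-up commands,
# one per line, so e.g. snmpwalk is queued only when 161/udp is really open.
plan_enumeration() {
  local host="$1" line="$2" entry service port proto
  open_ports "$line" | while read -r entry service; do
    port="${entry%/*}"; proto="${entry#*/}"
    case "$port/$proto" in
      161/udp)          printf 'snmpwalk -v2c -c public %s\n' "$host" ;;
      80/tcp|8080/tcp)  printf 'dirb http://%s:%s/\n' "$host" "$port" ;;
      443/tcp)          printf 'dirb https://%s/\n' "$host" ;;
      139/tcp|445/tcp)  printf 'enum4linux -a %s\n' "$host" ;;
      22/tcp)           printf 'nmap -p 22 --script ssh2-enum-algos %s\n' "$host" ;;
    esac
  done
}

# start_liveness_ping HOST LOGFILE: background ping with timestamps (-D is
# Linux iputils) so connectivity gaps during an unattended run can be spotted
# afterwards. Prints the PID so the caller can kill it when the run ends.
start_liveness_ping() {
  ping -D -i 5 "$1" >> "$2" 2>&1 &
  printf '%s\n' "$!"
}

# start_capture HOST PCAPFILE: background tcpdump of traffic to/from HOST
# (needs root). Prints the PID; gzip the file once the capture is stopped.
start_capture() {
  tcpdump -i any -nn -w "$2" host "$1" 2>/dev/null &
  printf '%s\n' "$!"
}

# demo: exercise the offline parts against the constructed sample. The initial
# nmap command is only printed here, not run.
demo() {
  local root
  root="$(make_project_tree "$(mktemp -d)/mywebserver")"
  printf 'nmap %s -oG %s/enum/gnmap/initial.gnmap 10.0.0.5\n' "$(nmap_dns_args)" "$root"
  plan_enumeration 10.0.0.5 "$SAMPLE_GNMAP" | tee "$root/enum/plan.txt"
}
demo
```

In a real run the commands written to enum/plan.txt would be executed one by one with their output redirected into the matching sub-directory, with the ping and tcpdump PIDs killed (and the pcap gzipped) from an EXIT trap so the background processes do not outlive an aborted scan.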
The tool will produce the following directory tree structure:
The enum directories contain gnmap subdirectories that store nmap's machine-readable output files.
This script has been tested on a Kali Linux 2018.1 installation with the kali-linux-all package group installed. If in doubt, review the 'tool path' variables at the top of the script to see which external programs are expected to be present.
Clone or download the ptboot.sh file from the GitHub repository to your Kali Linux environment, then run the script with the target machine details specified on the command line. Unless an output location is given with the -o option, the target output directories are created in the same directory as ptboot.sh. A scan can take anywhere from five minutes to a couple of hours depending on the nature of the target system and the intervening network.
Command line usage syntax:
If no DNS resolver IP address is provided, every tool that supports it is configured to perform no DNS lookups. Specifying a DNS server IP address is frequently useful when testing internal private networks, where the target's own private DNS service should be used.
Will create a directory called mywebserver containing scanning and enumeration data for
I have released this script under the MIT licence. It can be downloaded from the ptboot GitHub repository.