207. Analyzing Scripts (OBJ 5.2)
In the last section of the course, we focused on learning the basics of scripting and programming languages by understanding variables, loops, logic control structures, data structures, and some object-oriented programming concepts using pseudocode. Now, in this section of the course, we’re going to focus on some real world scripting and programming languages. This includes Bash, PowerShell, Python, Perl, JavaScript, and Ruby. We’re going to be taking those pseudocode concepts that we discussed in the last section and now we’re going to translate them into each of these six languages. Why? Well, for the exam, it’s important to be able to analyze code snippets and identify their functions.
In Domain 5 Tools and Code Analysis, you’re going to find Objective 5.2. As we go through this section of the course, we’re going to be exclusively focused on the first half of Objective 5.2. This objective states that given a scenario, you must analyze a script or code sample for use in a penetration test. Now, I’m not going to lie to you here and start telling you how excited I am to cover all the material in this section with you, because truthfully, I’m not. Now, it isn’t that I don’t think that scripting and programming isn’t important, because I really do think it is, but I really don’t like the fact that CompTIA includes this objective inside the PenTest+ exam because it really seems a bit unfair to me. After all, if you look up Objective 5.2 in your official exam objectives, you’re going to see that it simply lists out two sections called shells and programming languages.
Now under shells, it says Bash and PS, which is PowerShell. Under programming languages, it says Python, Ruby, Perl, and JavaScript. Great, so you need to know all six of these things, but based on the objective, you also need to be able to read, analyze, and understand code written in all six of these languages. And honestly, that is a really big ask on CompTIA’s part for somebody who’s trying to study for the PenTest+ exam. Now each of these languages by themself could be a separate 10 to 20-hour course or more just to make you basically proficient in any of these languages. And this is why I think it’s a little bit unfair that they’re including this in the objectives without really providing you with more detailed left and right boundaries of what you need to know for the exam. Now, if you have a copy of the official CompTIA PenTest+ Student Guide for the PT0-002 exam, you’re going to see their complete coverage of these objectives is located in chapter 15, which is a grand total of about 20 pages of content, which again, I find to be entirely too little based on the scope of this objective. So here is how we’re going to tackle this objective for this course.
First, we’re going to go over the basic syntax used in a particular language, such as Bash, and then convert all the pseudocode from the last section into actual Bash coding examples. Then I’m going to provide you with a sample script written in that language, such as Bash, and then we’re going to explain the code line by line so you can start learning how to analyze a script on your own. Now, as we go through this section, we’re going to follow the same process by learning how to conduct coding in that language and then reviewing a script written in that language. So we’re going to begin with Bash and then take a look at PowerShell, Python, Perl, JavaScript, and finally Ruby. At the end of this section, you are not going to be an expert in any of these languages, but hopefully, you’ll begin to understand how to read and understand the basic functions of a given script or piece of code. Now, if you’ve never coded before or programmed before, I’m going to warn you this objective is probably going to be one that you struggle with the most on the real exam.
That said, even if you fail every single coding question on the exam, you can still pass the PenTest+ certification if you do well on the rest of the exam questions. So what kind of questions should you expect on the exam from this objective? Well, these questions might be anything from analyzing a line or two of code to identify a vulnerability within it or analyzing the code to identify its function. For example, if they give you three to five lines of code, can you identify if the code is acting as a port scanner, a key logger, or reverse shell? Conversely, I’ve also seen questions about how you can interact with a given data structure using one of these languages. For example, maybe they give you a sequence in numbers like 1, 2, 3, 4, 5, 6, 7, 8, 9, 0 and store that in a variable called numbers.
Can you create a single line of Python code or Bash code that can return the value of 4, 5, 6 by interacting with that variable’s data structure and displaying only the fourth, fifth, and sixth digits in this sequence to the screen? Or if I gave you eight different blocks of code, could you choose the right three blocks of code to insert in the right places of a partially written script to be able to complete that script so it’ll actually operate properly and conduct a given function like a port scan of a handful of targets? Well, this is the level of knowledge that you need to have to be able to complete the questions focused on Objective 5.2 come exam day. As I said before, you don’t have to be an expert, but you do need to be able to identify if a piece of code is written in Bash, Powershell, Python, Peal, JavaScript, or Ruby, and how to understand its basic functions. All right, it’s time to continue our coverage of Domain 5 Tools and Code Analysis by analyzing scripts in this section of the course.
208. Coding in Bash (OBJ 5.2)
In this lesson we’re going to talk about coding in Bash. Now Bash is the first one we’re going to cover because it comes installed by default inside every Linux distribution you’re going to come across. Bash is a command line scripting language that’s used for the command shell inside Unix-like systems including Linux and macOS. Now if you’re familiar with Linux and you’ve done some command line programming before, you’re probably really used to using the Bash shell to be able to execute those commands. As a scripting language, Bash is extremely useful when you’re automating tasks that use command line environments inside of Unix. If you want to be able to call things like Nmap for example, you could do that using Bash shell scripts because they already know how to interact with those different tools that are installed on your Linux system. The one big limitation when scripting in Bash is that it is not an object-oriented language so you are a little bit more limited when you’re using Bash for scripting than you are in other languages like Python, Perl, Ruby, PowerShell or JavaScript. Now in this lesson we’re going to go through some basic Bash syntax and commands that you may come across as you’re working with Bash scripts. First, any time you start looking at a Bash script, it should always start out with the same line and this is #!/bin/bash. This means you’re going to see that hashtag which normally signifies a comment line and then the bang or exclamation mark.
Then /bin/bash which says this is a Bash script and it should be executed using the Bash shell. From there, you’re then going to have whatever else you want coded into that script for what you want to do. Now if you’re looking at a script and you’re trying to figure out if it’s a Bash script, what’s the first thing you should look at? That’s right. You should look at the first line. If it has #!/bin/bash, you know it’s a Bash script. Now any other time you see that hashtag, you should remember that this is a comment. Now this holds true in many different programming languages. Bash, Python, Ruby and PowerShell all use the syntax of a hashtag to signify everything beyond that hashtag is going to be ignored by the scripting engine or compiler because it’s just a human readable comment. So I might say # This is the first line of my script and that just tells people that that’s the first line of my script.
Or I might tell them exactly what the script is used for. Maybe it’s # This script is used to do backups of my systems, something like that. The next thing we need to talk about inside of Bash is the idea of variables. Now we’ve talked generally about variables before and how they’re used to represent any value and that they can be changed during the execution of the program. For Bash, you can declare a variable by using the variable name equals and the thing you want it to be. For example, if I did CustomerName = Jason, that would now define that variable CustomerName as a variable. Now any time I want to call that CustomerName variable,
I’m not going to write CustomerName. Instead, I’m going to use $CustomerName and the $CustomerName says I want to call the variable known as CustomerName. So when you’re assigning something, there’s no dollar sign. When you’re calling it, there is a dollar sign. Also notice that I use a syntax of uppercase and lowercase letters here. Generally, in Bash and a lot of our other naming schemes, we will call things as variables using title case where the first letter is capitalized and the rest of the word is lowercase. This just makes it easier to read when I have double name words like CustomerName being used as a single variable. In Bash, when you declare your variable, you can also type that variable. Now typing is where you declare a specific function essentially for that variable. Is it going to be a string, a numeric array, a number or something that? Essentially to do this, you’re going to do declare option the variable name equals the value. So for example, if I wanted to create a variable called PhoneNumber and I wanted it to be treated as a number, I can declare it by saying declare -i, then PhoneNumber equals and whatever value I want like 1111111.
This is now my seven digit phone number and it will be treated as a number. Now if you want to make something a constant where it’s not going to change such as the definition of pi, we can do that by again using the declare option. We’re going to do declare -r Pi = 3.14. In this case, I made that variable read only or in other words it became a constant because I can’t change it again. The next thing we need to understand is how to use arrays inside of Bash. Now if I want to create an array in Bash, I’m simply going to give it a name like I would a variable. So I might use something like tempArray equals and then I want to put all of the things it’s going to equal inside of parentheses and separated by commas. So tempArray = (value1, value2, value3). Now I have an array with three different items in it listed as value one, two and three. If you want to get information stored in an array back out inside of Bash, you’re simply going to refer to it as dollar sign, the array, bracket and the position number.
So in the case of my temporary array with my three values, if I wanted to pull out value two, I would use $tempArray[1]. This would then be able to give me the value from position number two because we count from zero, then one, then two inside of computers and that would give me value2 back as the thing I’m referencing. Next we have named arrays and associative arrays. This works almost like a table inside of a database and any data stored in this array is now going to be based on names. When we talked earlier about dictionaries, this is kind of like what we’re talking about with a named array. So in Bash, I do this by having to declare the array using a specific type and that type is -A. Let’s go ahead and declare a named array or associative array inside of Bash. To do this, I’m going to use declare -A and then the array name. In my case,
I’m going to call it PhoneBook. Now when I want to get information into that, I’m simply going to go ahead and say PhoneBook, bracket and the key I want to use, let’s say name. Then I’m going to equal that to the name I want to store such as Jason. Then if I want to put additional information in there, I can simply use something like PhoneBook[Number] equals, then the number, 111-1111. Now if I want to get information back out of this array, I can do it by doing ${PhoneBook[name]} and this will then give me the information back out such as the name which was Jason. If I wanted to get the phone number back out, I would simply use ${PhoneBook[number]} and the number will come back out as 111-1111 which was the phone number I stored in there. This essentially is storing these key value pairs inside of the array for us and this is a way that we can use these associative arrays.
Next let’s talk about doing comparisons inside of Bash. As we talked about before, we’re going to do a lot of different flow controls and a lot of those flows are going to be based on doing some kind of a comparison like is something equal or not equal or greater than or greater than or equal to, less than, less than or equal to and things like that. Now when we’re doing arithmetic comparisons inside of Bash, we’re normally going to use text to signify that instead of actually using the symbols. For example, if I wanted to compare two variables known as A and B, I can do that by doing if [“$a” -eq “$b”]. This says is A equal to B.
If it is, it returns a value of one. If it’s not, if returns a value of zero. Now if I wanted to check if two things are not equal, I can do that by using -ne so it would be if $a -ne $b. That’s going to check is A not equal to B so if A and B are equal, I will get a zero. If they’re not equal, I’ll get a one because this is basically reverse Boolean logic. If I want to do something is greater than something else, I’m going to use -gt. If I want to say is something greater than or equal to something else, I’m going to use -ge. If I want less than, I’m going to use -lt. And if I want to use less than or equal to, I’m going to use -le. Now in addition to this, in newer versions of Bash, you can use the arithmetic symbols such as the less than sign, the less than equal to, the greater than and the greater than equal to sign. But when you do that, you need to use double parentheses around the thing you’re testing.
So instead of saying if [$a -le $b], we would then use (($a < $b)). This double parentheses replaces the word if and those brackets inside of the comparisons. In addition to being able to compare mathematical things, we also sometimes need to do comparisons with strings. For example, are two strings equal. Well we can do that if we use the if command so again we’re going to use if [$a = $b]. Notice when we were doing mathematical comparisons, we were using the -eq in this format, but now because we’re using the equal sign, we’re doing this as a text string comparison. This would test something like the word Jason against the word Jason. If one had a capital letter and one had a lowercase letter, those two words are not going to be equal and we’re going to get a zero returned by this function. Now in addition to using a single equal, you could also use a double equal sign and these are equivalent and it doesn’t really make a difference when you’re doing a string comparison. Now the next thing we have is the not equal to. If you want to compare two strings and see if they are not equal to each other, you can do this by comparing them using if [$a != $b]. Essentially we are going to use an != to mean not equal to.
Next we have the less than and greater than and again we can compare string text using less than or greater than. Now you may wonder how do you compare two things that are words. Well we do it based on ASCII order. For example, if I compared the word Jason to the word Dion, Jason is greater than Dion because J comes after D in the ASCII alphabet. To use these, you’re going to do if [$a \< $b]. Notice I had to have that slash there. This is an escape character because we are inside a single bracket. If I didn’t want to use that escape character, I can type it out as if [[$a < $b]] instead and that way I don’t need to use the escape character. This same format is also used for the greater than sign where you’re going to use double brackets with just the greater than sign or single brackets and the slash and the greater than sign when comparing two ASCII strings against each other.
Next we have our logical comparisons inside of Bash. The most basic form of this is an if then statement. Inside of Bash, you’re going to do if, the condition you’re testing, then the command you want to run and then you’re going to close it out using fi. This takes the place of using any kind of brackets or parentheses inside of these function calls. Now if you want to do something a little bit more complex, you can use something like if, then, else if, then, else fi. Now what this means is I’m going to test a first condition, then do some code if it’s true. If it’s not true, I’m going to go to a second else condition. I’m going to test that condition. If it’s true, I’m going to do some code. If it’s not, then I’m going to do the third option. Now the next thing we have is our loops and we call these our for, our do while and our while commands when we went though the different flow control options in an earlier lesson. Now in Bash, we actually term them a little bit different. When we talk about the for loop, we are really talking about a for do done and that’s the statement syntax we’re going to use. When you use a for do done, you’re going to perform a set of commands for each item in a given list.
This is going to take the form of for variable in list do some commands done. So for example, for value in {1..5} do echo $value done echo All done. This script is basically going to do counting. It’s going to start out and set the value to one and then it’s going to echo value of one to the screen. Next it’s going to set it to two and echo that to the screen. Then three, then four, then five. Once all five are done, it’s then going to go to the final echo command and say all done. So what you’ll see on the screen is 12345All done.
The second one we have is what’s known as a do while. Now a do while inside of Bash is instead called a while do done. This performs a set of commands while a test is true so it’s going to take the form of while some test do some commands done. Consider the following sample script. Counter=1 while compare the counter variable less than 10 do echo counter. Then counter++ done echo All done. So what is this doing? Well we’re going to start out by setting the counter to one. Then as long as the variable of counter is less than 10, we’re going to go through this loop. In this case, we just set the variable to one so one is less than 10. So we are going to do the echo or printing something to the screen which is the counter so we print one to the screen.
Then counter++ means take the value of counter, add one and save it back to the counter variable so now my counter is two. Is two less than 10? Yes, it is. So we’ll print that to the screen. We’ll increment to three. We’ll continue doing that all the way through. As we go through, nine, it’s less than 10. We’ll print nine to the screen. We’ll increment and now we’re at 10. When we check that, 10 is not less than 10 so we’ll stop. So what you’ll see is that counter is going to print 123456789All done to your screen. The final one we have in Bash is going to be the while command and in Bash we actually call this until do done. This performs a set of commands until a test returns true. So we’ll do until some test do these commands done. For example, counter=1 until counter is greater than five do echo counter counter++ done echo All done.
This says we’re going to set our counter at one. Until the counter is greater than five, we’re going to do everything in the loop. Since our counter is one, we’re going to echo that counter to the screen. Then we’re going to increment the counter and make it two. Is two greater than five? No so we’re going to keep doing that function. Echo two to the screen. Make it three. Is three greater than five? No. Print that to the screen. Is four greater than five? No. Print that to the screen. Is five greater than five? No so print that to the screen. And then is six now greater than five? Yes. We can stop doing that function. This is the way flow control works inside of Bash when you’re using these different types of controls. Next we need to talk about some basic string operations. String operations are the commands that are used to manipulate data that is of the string format, things like words. Now when you’re dealing with strings, you’re going to have a variable like testString = “Test String”. That means that variable of testString now contains the words test, space and string. Now that I have that string stored as testString, I can display it in multiple ways by manipulating what is going to be displayed.
If I use the echo command and use $testString, it’s just going to show me the entire thing, test, space, string. But I can also manipulate that string before displaying it. Now if I wanted to show a substring, I can do that by using positioning inside of calling that variable. So let’s say I did echo ${testString:2:4}. What does this say? Well this is saying that I want to start at position two and I want to count four places from there. So in my case of using the testString as my variable with the content of test, space, string as my string, I can now have starting at position two which is the S, I’m going to count four places so S, T, space, S. That is what I’m going to show on the screen when I use this echo command.
There are lots of other ways to do string operations and we’re just touching the surface here, but I just wanted to introduce you to the concept that what you have stored in a variable can be modified when you display it or modified and stored back into the variable. The next thing we need to talk about in terms of Bash is going to be inputting and outputting data. You want to take input from the keyboard from your user and give output back to the monitor when you want to give them information. I’ve already used echo many times in this demonstration, but echo is the easiest way to send things back to the monitor. You simply use echo and the variable or echo and a quote with whatever string you want to display. For example, let’s say I wanted to say please enter your name on the screen.
So I would do echo “Please enter your name:”. That’s going to display that string on the screen. Now if I wanted to read information from you, I can use the command read and a variable name such as username. Now when you enter in your username and hit enter, it’s going to be stored in the variable username. If I want to display that back to the screen, I would then type echo “Hello $username!”. And so what this would look like is please enter your name. I would type in Jason, hit enter and then you’d see Hello Jason! That’s the idea of input and output to a screen. Now in addition to inputting and outputting things to the screen, you can also read or write data into files. If you want to do this in Bash, it’s quite simple.
You’re going to create a variable name that’s going to act as that file. For instance, TempFile. You’re going to set that equal to $(<filename). So I might use something like TempFile =$(<test.txt). By doing this, I have just sent all of the contents of test.txt into the temporary file. Now if I want to show the contents of that file, I’ll simply use echo $TempFile and that’ll display the contents of that file that I just put in that variable to my screen. Now on the other hand, if I want to send data to a file, I can use the greater than symbol instead of the less than symbol. Less than means input, greater than means output. Now there’s two ways to write to a file. One is to use the single greater than sign.
When you do this, any input you give is going to go into that file. If that file already exists, it’s actually going to be overwritten with what you put there. Now if you want to append things to that file, you’re going to use a double greater than sign. So for example, if I said echo “This is now going to be added to the end of the file as the next line”>>test.txt, that’s exactly what’s going to happen. That string I just typed, it’s going to be echoed. Instead of going to the screen, it’s going to go into the file at the end of the file without overwriting the current contents. I know that was a lot of information as we start covering the basics of Bash. Now the good news is as we go into our other programming languages, we’re not going to have to explain everything as much because we just covered it. Instead, I’m going to be explaining what the exact syntax is in those languages, but I’m going to be leaving the explanation of how each of these things work inside of this lesson only because we already covered all those commands inside of Bash and so now we only need to learn the differences for the other languages that we’re going to be looking at.
209. Bash Example (OBJ 5.2)
In this lesson, I’m going to walk you through a short Bash simple script, and we’re going to figure out what it’s doing. Now on exam day, they’re not going to give you something that says bin/bash like I have here on the top. Now that makes it really easy for me to identify that this is a Bash script, but on test day they’re going to leave that out. Let’s look at the rest of this and see what it’s doing and figure out is this a Bash script or would it be something else? Well, the first command we have is if dollar sign one does not equal empty.
What is that telling us? It’s saying that if there is nothing there, then don’t do anything, but, if it’s not empty, then our target file is going to equal dollar sign one, that variable. We’re going to set our report directory to VAR/log/nmap. So we’re probably going to be doing something with nmap if we’re setting it to the nmap directory. Next, for target in dollar sign cat target file. Now, there, we can see that for the variable target, we are going to sign each line inside that target file to the value of target, and then run through that loop.
Once we run out of lines, that would be the end of that for loop, and we will be finished with doing these commands. Next we’re going to echo scanning target, whatever that target is that we just pulled in from that target file. So what do we have on the next line? Well we have /user/bin/nmap-on and then a lot of stuff, as you can see, it takes up over two lines. Now, what is this telling us to do? Well, this is saying we’re going to run the nmap command and we’re going to use it with these different parameters. And we’ll go into that in a second. You should remember these from our nmap scanning lectures. And then we have the done. Otherwise, we’re going to echo you did not provide any command line options usage program parentheses file echo echo and then fi to end the if loop. So what is this short Bash script really doing for us? Have you figured it out yet? Well, if not, pause the video, look through it, and then restart it so you can see if you have the right answer. All right, you’re back. Great. So what is this script doing? Well, it’s going to take in from the command line, we’re going to run it by writing the program name, the script, and then giving it a file. Every time there is something in that file like an IP address or a domain name, it’s going to run an nmap scan against it. So all this command is doing is allowing me to take whatever inputs from a file, one per line for IP addresses, and run a different scan on them each time.
So in this case, I’m going to pull the file in, I’m going to read one at a time from there, and every time there’s something on the line and it’s not empty, I’m going to run an nmap scan against it. Now, what is this nmap scan doing? Well, this is a slow, comprehensive scan. We’re using T4, which is not too aggressive. We’re using -a, which searches for everything including OS detection and versioning. We’re doing SS for a sin scan. We’re using a -on for output files in nmap format, and each one is going to be saved to its own file named target.nmap. So if I had three IP addresses, say I had scan me.nmap.org, jsondion.com, and diontraining.com, it’s going to pull each of those. It’s going to do a full nmap scan and save a file jsondion.com.nmap, diontraining.com.nmap, right? And I can go back and look at those results later.
So I can run the script, go home, come back the next day, and have all my scans completed. It’s really great. Now, for bonus, you may want to look through this nmap scan and figure out what are all these parameters like the SS for sin scan, the T4 for the timing, the -a for all versioning, -v for verbose, right? What are all those things? And you can look through that. And so instead of me having to run this scan three different times on three different IPs, I can just give it a file and this script will pull the information out and run those scans for me.
So what might a question like this look like on the exam? Well, they might give you something like this and then say what’s the function of it? And the correct answer would be that this is performing an nmap scan against targets provided from an input file. Something like that, right? That’s the idea here, and so you don’t need to understand every single nuance of this script, but you should be able to identify that it’s a Bash script and what the basic function is, in this case, it’s going to go through a file, read each time what’s in that file, and run an nmap scan against them.
