Thursday, 12 January 2012

Introductions, Automation and Simplification

Ok, so time to introduce myself. I'm Ben (bdpuk); I've been a tester for over 5 years and, like every other tester out there, I spend much more time reading blogs than writing them. This is hopefully about to change.

So my latest obsession is automation and simplification. Put quite simply, getting the grunt work out of the way to make time for the fun stuff. This applies across the board in testing, but really shines through when dealing with internal network assessments or "Evil Insider" type scenarios.

Now I'm not advocating point-and-shoot ownage, that would be downright irresponsible (see db_autopwn as to why). I'm talking about data collection and aggregation to allow for quick analysis and, more to the point, less time on customer site.

I think the way this is going to work (if it works at all) is that in each post I'm going to write about a few one-liners or useful tools that can eventually be put together into one all-encompassing framework: the scripts will collect all the required information, process it for use and also, hopefully, display it in a useful/pretty way. Kind of like a Lego project that you attempt to complete over a few weeks: some weeks you might cover a lot, others nothing, maybe a few drastic revisions here and there, and in the end you might never complete it, but it's the experience that counts, right?

So we're going to start with a subnet, and let's for argument's sake call the subnet (one I can remember throughout this series); that'll be our starting point and from here we'll start the data mining. First things first, a lot of tools don't accept CIDR notation (think onesixtyone et al.), so we'll need a list of IPs. Nmap's list scan comes in handy here:

nmap -sL -n <subnet> | grep "Nmap scan" | cut -f 5 -d " " > ~/<target_org>/targets/IPs.txt

To break that down: we're using nmap's list scan (-sL) to produce a list of targets without actually scanning them, with -n so it doesn't try to resolve names, and then manipulating the output with grep and cut to leave only the IPs.
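As an added example (not from the original post), here is a shell version of the same step: a pure-shell CIDR expander for boxes where nmap isn't to hand, and a parser for nmap -sL output that still finds the IP when -n was forgotten and a line reads "Nmap scan report for host (ip)" (where cut -f 5 would give you the hostname instead). The nmap output used in the comments is constructed.

```shell
#!/bin/sh
# Added example: expand a CIDR block to one IP per line, and pull IPs out of
# "nmap -sL" output robustly. POSIX sh arithmetic only, no nmap required.

# ip_to_int 192.168.1.0 -> 3232235776
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip 3232235776 -> 192.168.1.0
int_to_ip() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# cidr_to_ips 10.0.0.0/30 prints every address in the block, network and
# broadcast included (the same set "nmap -sL" lists). A host address such as
# 192.168.1.77/30 is masked down to its network first.
cidr_to_ips() {
  local net bits base mask size i
  net=${1%/*}; bits=${1#*/}
  base=$(ip_to_int "$net")
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  base=$(( base & mask ))
  size=$(( 1 << (32 - bits) ))
  i=0
  while [ "$i" -lt "$size" ]; do
    int_to_ip $(( base + i ))
    i=$(( i + 1 ))
  done
}

# nmap_sl_ips reads "nmap -sL" output on stdin and prints one IP per report
# line. It takes the last field and strips parentheses, so both
#   Nmap scan report for 10.0.0.1
#   Nmap scan report for gw.example (10.0.0.2)
# yield the bare address, whereas "cut -f 5" returns "gw.example" for the second.
nmap_sl_ips() {
  awk '/^Nmap scan report for/ { ip = $NF; gsub(/[()]/, "", ip); print ip }'
}

# Usage, e.g.: cidr_to_ips 10.0.0.0/24 > ~/<target_org>/targets/IPs.txt
```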

In the file structure we should save it as IPs.txt in a targets folder, something along the lines of:


That's a good place to draw this article to a close. It will continue...

Ninja Edit: Part 2 is located here.


  1. Hey dude, awesome first post!

  2. Use -n as well to bypass DNS resolution.

  3. Doh! I knew I'd forgotten something in there, will update.

  4. Cool first post! Gives a good start for a systematic follow-up. Waiting for future posts.

  5. third paragraph: "point less" -> "pointless" ?