Discover – Custom Bash Scripts Used To Automate Various Penetration Testing Tasks Including Recon, Scanning, Parsing, And Creating Malicious Payloads And Listeners With Metasploit

Custom bash scripts used to automate various penetration testing tasks including recon, scanning, parsing, and creating malicious payloads and listeners with Metasploit. For use with Kali Linux and the Penetration Testers Framework (PTF).

  • Lee Baird @discoverscripts
  • Jay “L1ghtn1ng” Townsend @jay_townsend1
  • Jason Ashton @ninewires

  • /opt/discover/
  • All scripts should be run from this location.
  • cd /opt/discover/
  • ./
    1. Domain
    2. Person
    3. Parse salesforce

    4. Generate target list
    5. CIDR
    6. List
    7. IP, range, or domain
    8. Rerun Nmap scripts and MSF aux

    9. Insecure direct object reference
    10. Open multiple tabs in Firefox
    11. Nikto
    12. SSL

    13. Parse XML
    14. Generate a malicious payload
    15. Start a Metasploit listener
    16. Update
    17. Exit




    1. Passive
    2. Active
    3. Import names into an existing recon-ng workspace
    4. Previous menu

    Passive uses ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng.
    Active uses dnsrecon, WAF00W, traceroute, Whatweb, and recon-ng.
    [*] Acquire API keys for Bing, Builtwith, Fullcontact, GitHub, Google, Hashes, Hunter, SecurityTrails, and Shodan for maximum results with recon-ng and theHarvester.

    API key locations:

    show keys
    keys add bing_api




    First name:
    Last name:
    • Combines info from multiple websites.

    Parse salesforce

    Create a free account at salesforce (
    Perform a search for your target company > select the company name > see all.
    Copy the results into a new file.

    Enter the location of your list:
    • Gather names and positions into a clean list.


    Generate target list


    1. Local area network
    2. NetBIOS
    3. netdiscover
    4. Ping sweep
    5. Previous menu
    • Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

    CIDR, List, IP, Range, or URL

    Type of scan:

    1. External
    2. Internal
    3. Previous menu
    • External scan will set the nmap source port to 53 and the max-rtt-timeout to 1500ms.
    • Internal scan will set the nmap source port to 88 and the max-rtt-timeout to 500ms.
    • Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
    • Matching nmap scripts are used for additional enumeration.
    • Additional tools: enum4linux, smbclient, and ike-scan.
    • Matching Metasploit auxiliary modules also are leveraged.
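
A defender-side view of the scan profiles above, as an added example that is not part of the Discover scripts: TCP SYNs whose source port is pinned to 53 or 88 do not come from normal clients, so a source that sends them to several targets stands out. The log layout, the threshold and all names below are assumptions.

```python
import re
from collections import defaultdict

# Constructed firewall log lines in an assumed key=value layout (not from a real network).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z SRC=198.51.100.7 SPT=53 DST=192.0.2.10 DPT=22 PROTO=TCP FLAGS=SYN
2024-05-01T10:00:01Z SRC=198.51.100.7 SPT=53 DST=192.0.2.10 DPT=80 PROTO=TCP FLAGS=SYN
2024-05-01T10:00:02Z SRC=198.51.100.7 SPT=53 DST=192.0.2.10 DPT=443 PROTO=TCP FLAGS=SYN
2024-05-01T10:00:02Z SRC=198.51.100.7 SPT=53 DST=192.0.2.11 DPT=445 PROTO=TCP FLAGS=SYN
2024-05-01T10:00:03Z SRC=203.0.113.5 SPT=53 DST=192.0.2.20 DPT=51514 PROTO=UDP FLAGS=-
2024-05-01T10:00:04Z SRC=203.0.113.5 SPT=53 DST=192.0.2.20 DPT=51620 PROTO=TCP FLAGS=SYN,ACK
2024-05-01T10:00:05Z SRC=198.51.100.9 SPT=40112 DST=192.0.2.10 DPT=443 PROTO=TCP FLAGS=SYN
2024-05-01T10:00:06Z SRC=192.0.2.30 SPT=88 DST=192.0.2.10 DPT=389 PROTO=TCP FLAGS=SYN
"""

SCAN_SOURCE_PORTS = {53, 88}   # the two source ports named in the scan profiles
MIN_DISTINCT_TARGETS = 3       # assumed alert threshold; tune per network

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) SPT=(?P<spt>\d+) DST=(?P<dst>\S+) "
    r"DPT=(?P<dpt>\d+) PROTO=(?P<proto>\S+) FLAGS=(?P<flags>\S+)"
)


def find_fixed_source_port_scanners(log_text, threshold=MIN_DISTINCT_TARGETS):
    """Map (source IP, source port) to the number of distinct targets probed."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Only connection attempts count: DNS or Kerberos replies carry
        # SYN,ACK or are UDP, so they are skipped here.
        if not m or m["proto"] != "TCP" or m["flags"] != "SYN":
            continue
        spt = int(m["spt"])
        if spt in SCAN_SOURCE_PORTS:
            targets[(m["src"], spt)].add((m["dst"], int(m["dpt"])))
    return {key: len(seen) for key, seen in targets.items() if len(seen) >= threshold}


if __name__ == "__main__":
    for (src, spt), count in find_fixed_source_port_scanners(SAMPLE_LOG).items():
        print(f"{src} sent SYNs from source port {spt} to {count} distinct targets")
```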


    Insecure direct object reference

    Using Burp, authenticate to a site, map & Spider, then log out.
    Target > Site map > select the URL > right click > Copy URLs in this host.
    Paste the results into a new file.

    Enter the location of your file:

    Open multiple tabs in Firefox

    Open multiple tabs in Firefox with:

    1. List
    2. Directories from robots.txt.
    3. Previous menu
    • Use a list containing IPs and/or URLs.
    • Use wget to pull a domain's robots.txt file, then open all of the directories.


    Run multiple instances of Nikto in parallel.

    1. List of IPs.
    2. List of IP:port.
    3. Previous menu


    Check for SSL certificate issues.

    Enter the location of your list:
    • Use sslscan and sslyze to check for SSL/TLS certificate issues.


    Parse XML

    Parse XML to CSV.

    1. Burp (Base64)
    2. Nessus (.nessus)
    3. Nexpose (XML 2.0)
    4. Nmap
    5. Qualys
    6. Previous menu
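
What the Nmap option of this menu amounts to, as an added example that is not the Discover project's own parser: it reads Nmap XML output and writes one CSV row per open port on hosts that are up. The sample report, the column set and the function names are assumptions.

```python
import csv
import io
import xml.etree.ElementTree as ET

# Constructed sample in the layout of Nmap's XML output (-oX); not from a real scan.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

FIELDS = ["ip", "hostname", "protocol", "port", "service", "version"]  # assumed columns

def nmap_xml_to_rows(xml_text):
    """Return one dict per open port on hosts that Nmap reported as up."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address")
        name = host.find("hostnames/hostname")
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}  # <service> may be absent
            version = " ".join(v for v in (attrs.get("product"), attrs.get("version")) if v)
            rows.append(dict(zip(FIELDS, [
                addr.get("addr") if addr is not None else "",
                name.get("name") if name is not None else "",
                port.get("protocol"), port.get("portid"), attrs.get("name", ""), version])))
    return rows

def rows_to_csv(rows):
    # csv handles quoting, so service banners containing commas stay in one field.
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()
```

The standard-library parser is adequate for reports you generated yourself; for XML received from other parties, a hardened parser is the safer choice.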

    Generate a malicious payload

    Malicious Payloads

    1. android/meterpreter/reverse_tcp
    2. cmd/windows/reverse_powershell
    3. java/jsp_shell_reverse_tcp (Linux)
    4. java/jsp_shell_reverse_tcp (Windows)
    5. linux/x64/meterpreter_reverse_https
    6. linux/x64/meterpreter_reverse_tcp
    7. linux/x64/shell/reverse_tcp
    8. osx/x64/meterpreter_reverse_https
    9. osx/x64/meterpreter_reverse_tcp
    10. php/meterpreter/reverse_tcp
    11. python/meterpreter_reverse_https
    12. python/meterpreter_reverse_tcp
    13. windows/x64/meterpreter_reverse_https
    14. windows/x64/meterpreter_reverse_tcp
    15. Previous menu

    Start a Metasploit listener

    Metasploit Listeners

    1. android/meterpreter/reverse_tcp
    2. cmd/windows/reverse_powershell
    3. java/jsp_shell_reverse_tcp
    4. linux/x64/meterpreter_reverse_https
    5. linux/x64/meterpreter_reverse_tcp
    6. linux/x64/shell/reverse_tcp
    7. osx/x64/meterpreter_reverse_https
    8. osx/x64/meterpreter_reverse_tcp
    9. php/meterpreter/reverse_tcp
    10. python/meterpreter_reverse_https
    11. python/meterpreter_reverse_tcp
    12. windows/x64/meterpreter_reverse_https
    13. windows/x64/meterpreter_reverse_tcp
    14. Previous menu


    • Use to update Kali Linux, Discover scripts, various tools, and the locate database.