Automating Reconnaissance with Bash Scripts: A Step-by-Step Tutorial

In the world of cybersecurity, reconnaissance is a critical phase where security professionals gather information about their target to identify potential vulnerabilities. Automating this process with Bash scripts not only saves time but also ensures consistency and efficiency. In this tutorial, we'll walk you through how to automate reconnaissance using Bash scripting, making your red team or penetration testing engagements more effective.

What is Reconnaissance in Cybersecurity?

Reconnaissance is the initial phase of a penetration test or ethical hacking process. It involves collecting as much information as possible about the target system or network, such as IP addresses, open ports, running services, and domain details. This information is crucial for planning further exploitation.

Why Automate Reconnaissance with Bash Scripts?

  • Efficiency: Automate repetitive tasks to save time.
  • Consistency: Avoid human errors by running the same commands uniformly.
  • Customization: Tailor the script to your specific reconnaissance needs.
  • Integration: Easily combine with other tools and scripts.

Prerequisites

  • Basic knowledge of Linux command line and Bash scripting.
  • Tools installed: nmap, whois, dig, curl, grep, awk.
  • A Linux environment (Kali Linux, Ubuntu, etc.).

Step 1: Setting Up Your Bash Script

Create a new Bash script file and make it executable.

touch recon.sh
chmod +x recon.sh

Open the file in your favorite text editor.


Step 2: Define the Target

Start your script by accepting the target domain or IP as an argument.

#!/bin/bash

if [ -z "$1" ]; then
  echo "Usage: $0 <target>"
  exit 1
fi

TARGET=$1

Step 3: Perform Basic DNS Reconnaissance

Use dig and whois to gather DNS information and domain registration details.

echo "[*] Performing DNS lookup for $TARGET"
dig "$TARGET" +short

echo "[*] Performing WHOIS lookup for $TARGET"
whois "$TARGET" | grep -E 'Registrar|Creation Date|Expiration Date|Name Server'

Step 4: Scan for Open Ports with Nmap

Use nmap to scan for common open ports and services.

echo "[*] Scanning for open ports on $TARGET"
nmap -sS -Pn -T4 "$TARGET" -oN nmap_scan.txt

Step 5: Extract HTTP Headers and Website Info

Use curl to get HTTP headers and basic website info.

echo "[*] Fetching HTTP headers from $TARGET"
curl -I "http://$TARGET"

Step 6: Automate Subdomain Enumeration (Optional)

You can add subdomain enumeration using dig or other tools.

echo "[*] Enumerating subdomains for $TARGET"
subdomains=("www" "mail" "ftp" "test" "dev")
for sub in "${subdomains[@]}"; do
  dig +short "$sub.$TARGET"
done

Step 7: Save Output to a Log File

Redirect all output to a file for later review.

LOGFILE="${TARGET}_recon_$(date +%F).log"
exec > >(tee -a "$LOGFILE") 2>&1

Place these two lines right after the TARGET variable is defined so that all subsequent output (stdout and stderr) is captured in the log file as well as shown on the terminal.


Full Script Example

#!/bin/bash

# Require exactly one argument: the target domain or IP.
if [ -z "$1" ]; then
  echo "Usage: $0 <target>"
  exit 1
fi

TARGET=$1
LOGFILE="${TARGET}_recon_$(date +%F).log"

# Mirror all output (stdout and stderr) to the log file from this point on.
exec > >(tee -a "$LOGFILE") 2>&1

echo "[*] Starting reconnaissance on $TARGET"

echo "[*] Performing DNS lookup for $TARGET"
dig "$TARGET" +short

echo "[*] Performing WHOIS lookup for $TARGET"
whois "$TARGET" | grep -E 'Registrar|Creation Date|Expiration Date|Name Server'

echo "[*] Scanning for open ports on $TARGET"
nmap -sS -Pn -T4 "$TARGET" -oN nmap_scan.txt

echo "[*] Fetching HTTP headers from $TARGET"
curl -I "http://$TARGET"

echo "[*] Enumerating subdomains for $TARGET"
subdomains=("www" "mail" "ftp" "test" "dev")
for sub in "${subdomains[@]}"; do
  dig +short "$sub.$TARGET"
done

echo "[*] Reconnaissance completed. Results saved in $LOGFILE and nmap_scan.txt"

Step 8: Run Your Script

Execute the script by passing the target domain or IP.

./recon.sh example.com
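The script above runs whatever string it is handed. As an added example (not the tutorial's own script), here is a hardened variant that validates the argument, refuses any target not listed in an authorised-scope file (scope.txt is an assumed name), checks that the required tools are installed, quotes every expansion, and uses a connect scan (-sT) so it works without root, since the tutorial's -sS SYN scan needs root privileges.

```shell
#!/usr/bin/env bash
# Added example, not the tutorial's own script. Assumes an authorised-scope file
# named scope.txt (hypothetical) with one hostname or IPv4 address per line.
set -u

# valid_target: accept only a dotted-quad IPv4 or a multi-label hostname, so the
# argument can never be word-split, globbed, or read by a tool as an option.
# The check is syntactic only (it does not verify that octets are <= 255).
valid_target() {
  printf '%s\n' "$1" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$'
}

# in_scope: the target must appear verbatim in the scope file (blank lines and
# '#' comments ignored); a missing or unreadable file means "not in scope".
in_scope() {
  [ -r "$2" ] || return 1
  grep -Ev '^[[:space:]]*(#|$)' "$2" | grep -Fxq -- "$1"
}

# require_tools: fail early with a clear message rather than half-finished output.
require_tools() {
  missing=0
  for t in "$@"; do
    command -v "$t" >/dev/null 2>&1 || { echo "[!] missing tool: $t" >&2; missing=1; }
  done
  return "$missing"
}

# run_recon: the tutorial's steps with every expansion quoted. -sT (connect scan)
# works without root; the tutorial's -sS SYN scan needs root privileges.
run_recon() {
  echo "[*] DNS lookup for $1";    dig "$1" +short
  echo "[*] WHOIS for $1";         whois "$1" | grep -E 'Registrar|Creation Date|Expiration Date|Name Server'
  echo "[*] Port scan of $1";      nmap -sT -Pn -T4 "$1" -oN "${1}_nmap.txt"
  echo "[*] HTTP headers for $1";  curl -sI --max-time 10 "http://$1"
}

main() {
  target=${1:-}
  valid_target "$target"       || { echo "Usage: $0 <hostname|ipv4>" >&2; exit 1; }
  in_scope "$target" scope.txt || { echo "[!] $target is not listed in scope.txt; refusing" >&2; exit 2; }
  require_tools dig whois nmap curl || exit 3
  # Plain pipe instead of exec > >(tee ...): POSIX sh has no process substitution.
  run_recon "$target" 2>&1 | tee -a "${target}_recon_$(date +%F).log"
}

# Run only when given an argument, so the functions above can be sourced and tested.
if [ $# -gt 0 ]; then main "$@"; fi
```

Because the script refuses anything not in scope.txt, an accidental typo in the target or a copy-pasted argument like "-oN" stops at the validation step instead of reaching nmap.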


Conclusion

Automating reconnaissance with Bash scripts is a powerful way to streamline your security assessments. This basic script can be expanded with additional tools like theHarvester, amass, or custom parsing to enhance your reconnaissance capabilities.

