├── README.md └── brs.sh /README.md: -------------------------------------------------------------------------------- 1 | # Bash Recon Scan - BRS 2 | 3 | It is a bash script that can use nc/netcat/ncat and fping/ping to find hosts in a network, and then scan several ports (1-1024 and 8000-8100) of the active hosts found. 4 | 5 | It is very useful when you want to search and scan hosts in a network and you don't have better tools than nc and ping. 6 | 7 | The netmasks currently supported are: **/24** and **/16**. 8 | 9 | This tool doesn't need root privileges. 10 | 11 | The tool's help output shows the main usage: 12 | ```bash 13 | └──╼ $./brs.sh 14 | ./brs.sh / [] 15 | ./brs.sh tcp 192.168.0.1/24 22 16 | ./brs.sh icmp 192.168.0.1/16 17 | ./brs.sh tcp,icmp 192.168.0.1/24 22 18 | The output will be saved in /24__brs_recon.txt 19 | All the active hosts will appear in the terminal and saved in the file active_ips.txt 20 | Available protocols are: tcp,icmp (you can select all at the same time) 21 | The tool will scan ports some ranges of ports of the active hosts: 1-1024 and 8000-8100 22 | The data of the scanned ports will be saved inside port_scan.txt 23 | ``` 24 | 25 | You may also find the following one-liners useful: 26 | 27 | Recon a /24 network using nc 28 | ```bash 29 | for j in $(seq 1 254); do nc -v -n -z -w 1 192.168.1.$j 22 2>> s.txt; done; grep -v "Connection refused\|Version\|bytes\| out" s.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' s.txt | sort | uniq > ips.txt; 30 | 31 | #Faster recon using timeout instead of -w and -z 32 | for j in $(seq 1 254); do timeout 0.5 nc -v -n 192.168.1.$j 22 2>> s.txt; done; grep -v "Connection refused\|Version\|bytes\| out" s.txt | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' s.txt | sort | uniq > ips.txt; 33 | ``` 34 | Recon a /24 network using ping, or timeout + ping (faster) 35 | ```bash 36 | for j in $(seq 0 255); do timeout 0.7 ping 192.168.1.$j; done; 
37 | for j in $(seq 0 255); do ping 192.168.1.$j; done; 38 | ``` 39 | 40 | Search for open ports on one IP, or on hosts read from ips.txt 41 | ```bash 42 | nc -v -z -n 1-1024 #For one host 43 | while read host; do nc -v -z -n $host 1-1024 2>> ps.txt; done < ips.txt; cat ps.txt | grep -v "Connection refused\|Version\|bytes\| out"; 44 | ``` 45 | 46 | If you **can't select a range of ports** in your netcat version, use this one-liner to scan for ports (reading hosts from a file) 47 | ```bash 48 | for p in $(seq 1 1024); do nc -v -z -n -w 1 $p 2>> ps.txt; done; #For one host 49 | while read host; do for p in $(seq 1 1024); do nc -v -z -n -w 1 $host $p 2>> ps.txt; done; done < ips.txt; cat ps.txt | grep -v "Connection refused\|Version\|bytes\| out"; 50 | 51 | #Faster scan using timeout instead of -w and -z 52 | for p in $(seq 1 1024); do timeout 0.5 nc -v -n $p 2>> ps.txt; done; #For one host 53 | while read host; do for p in $(seq 1 1024); do timeout 0.5 nc -v -n $host $p 2>> ps.txt; done; done < ips.txt; cat ps.txt | grep -v "Connection refused\|Version\|bytes\| out"; 54 | ``` 55 | -------------------------------------------------------------------------------- /brs.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | HELP="$0 / []\n$0 tcp 192.168.0.1/24 22\n$0 icmp 192.168.0.1/16\n$0 tcp,icmp 192.168.0.1/24 22\nThe output will be saved in /24__brs_recon.txt\nAll the active hosts will appear in the terminal and saved in the file active_ips.txt\nAvailable protocols are: tcp,icmp (you can select all at the same time)\nThe tool will scan ports some ranges of ports of the active hosts: 1-1024 and 8000-8100\nThe data of the scanned ports will be saved inside port_scan.txt"; 4 | 5 | if [ "$#" -ne 2 ] && [ "$#" -ne 3 ] ; then 6 | echo -e $HELP; 7 | exit 1; 8 | fi 9 | 10 | FILENAME_SCANPORTS="port_scan.txt" 11 | IP=$(echo $2 | cut -d "/" -f 1) 12 | NETMASK=$(echo $2 | cut -d "/" -f 2) 13 | ACTIVE_IPS="active_ips.txt" 14 | 15 | rm 
-f *_brs_recon.txt 2>/dev/null #continues the "rm" above: clear the result files of an earlier run
#NOTE(review): these globs and file names are relative to the current working directory, so any
#matching file there is deleted; run the script from a dedicated directory
rm -f $FILENAME_SCANPORTS 2>/dev/null
rm $ACTIVE_IPS 2>/dev/null


#Look for nc: try nc, then netcat, then ncat; NC stays empty when none is on PATH
#(`which` is not portable across systems; `command -v` is the usual replacement)
NC=$(which nc 2>/dev/null)
if [ -z "$NC" ]; then
  NC=$(which netcat 2>/dev/null);
fi
if [ -z "$NC" ]; then
  NC=$(which ncat 2>/dev/null);
fi
if [ -z "$NC" ]; then
  echo "Neither netcat nor nc nor ncat was found, tcp and scan cannot be done";
else
  #NC_SCAN is a plain string that every call site leaves unquoted on purpose: bash
  #word-splits it into the command and its flags (quoting it would break the calls)
  NC_SCAN="$NC -v -n -z -w 1"
  #Probe a closed local port and look at the exit status; presumably meant to spot a netcat
  #flavour that rejects the -z/-w flags (usage error, status 2) -- TODO confirm per nc variant.
  #The $(...) wrapper would execute the probe's stdout as a command line, but both streams
  #are redirected to /dev/null here, so only $? is used; the wrapper is unnecessary
  $($NC 127.0.0.1 65321 &>/dev/null)
  if [ $? -eq 2 ]
  then
    NC_SCAN="timeout 0.7 $NC -v -n"
  fi
  echo $NC_SCAN;
fi


#tcp_recon: probe hosts .1-.254 of the /24 that $1 belongs to on one port and
#write the responding addresses (sorted, unique, one per line) to a file.
#Arguments: $1 - an IPv4 address in the target /24 (only the first three octets are used)
#           $2 - TCP port to probe
#           $3 - output file (recreated)
#Globals:   NC_SCAN (read; word-split into the command)
function tcp_recon(){
  IP3=$(echo $1 | cut -d "." -f 1,2,3)
  PORT=$2
  FILENAME_TCP=$3
  rm -f $FILENAME_TCP 2>/dev/null

  #Only nc's stderr is collected. NOTE(review): the $(...) wrapper means whatever the probe
  #writes to stdout is word-split and executed as a command line on the scanning machine; in
  #the timeout (no -z) mode of NC_SCAN that stdout is the data the remote service sends back,
  #so a hostile host can run commands here. The wrapper adds nothing -- the call should be
  #`$NC_SCAN $IP3.$j $PORT 2>> $FILENAME_TCP.temp` (same fix applies in tcp_scan below)
  for j in $(seq 1 254)
  do
    $($NC_SCAN $IP3.$j $PORT 2>> $FILENAME_TCP.temp;)
  done

  #Drop the lines that mark an unreachable host, then keep only the dotted-quad address.
  #NOTE(review): the filter strings depend on the wording of the netcat flavour in use --
  #verify them for ncat, whose messages may differ
  grep -v "Connection refused\|Version\|bytes\| out" $FILENAME_TCP.temp | grep -o '[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}' | sort | uniq >> $FILENAME_TCP;
  rm $FILENAME_TCP.temp;
}

#icmp_recon: send one echo request to hosts .0-.255 of the /24 that $1 belongs to and
#append the addresses that answered to a file.
#Arguments: $1 - an IPv4 address in the target /24 (only the first three octets are used)
#           $2 - output file (recreated)
function icmp_recon(){
  IP3=$(echo $1 | cut -d "." -f 1,2,3)
  FILENAME_ICMP=$2
  rm -f $FILENAME_ICMP 2>/dev/null

  #One request per host, capped at 0.7s by timeout; only the exit status is used
  for j in $(seq 0 255)
  do
    if timeout 0.7 ping -c 1 $IP3.$j &> /dev/null
    then
      echo $IP3.$j >> $FILENAME_ICMP;
    fi
  done
}

#tcp_scan: probe ports 1-1024 and 8000-8100 of one host, appending nc's stderr to the
#port_scan temp file; the filtering happens at the bottom of the script.
#Arguments: $1 - host to scan
#Globals:   NC_SCAN (read), FILENAME_SCANPORTS (read),
#           FILENAME_SCANPORTS_temp (written -- this is the only assignment to it, and the
#           cleanup and aggregation lines at the end of the script rely on it)
function tcp_scan(){
  HOST=$1
  FILENAME_SCANPORTS_temp=$FILENAME_SCANPORTS".temp"

  #Start port scanning
  #NOTE(review): same $(...) hazard as in tcp_recon -- the probe's stdout is executed as a
  #command line on this machine; `$NC_SCAN $HOST $PORT 2>> $FILENAME_SCANPORTS_temp` suffices
  for PORT in {1..1024} {8000..8100}
  do
    $($NC_SCAN $HOST $PORT 2>> $FILENAME_SCANPORTS_temp;)
  done
}



#TCP option ($1 - protocol list, $2 - ip/netmask already split into IP and NETMASK, $3 - port)
if [[ $1 == *tcp* ]]; then
  #Check parameters
  if [ "$#" -ne 3 ] ; then
    echo "tcp option needs / ";
    exit 1;
  fi

  if [ -z "$NC" ]; then #No nc
    exit 1;
  fi

  echo "Starting TCP recon"
  FILENAME=$IP"_"$NETMASK"_tcp_brs_recon.txt"
  PORT=$3

  #Check netmask
  #NOTE(review): a netmask other than 24 or 16 falls through both branches and scans nothing
  if [[ $NETMASK == "24" ]]; then
    echo "netmask /24 detected, starting..."
    tcp_recon $IP $PORT $FILENAME

  elif [[ $NETMASK == "16" ]]; then
    echo "netmask /16 detected, starting..."
    #One tcp_recon per /24 inside the /16 (third octet 0-255)
    #NOTE(review): NEWFILE ends in "_recon.txt" rather than "_brs_recon.txt", so the
    #aggregation glob at the bottom of the script does not appear to pick these files up -- confirm
    for i in $(seq 0 255)
    do
      NEWIP=$(echo $IP | cut -d "." -f 1,2).$i.1
      NEWFILE=$NEWIP-24_$1_recon.txt
      tcp_recon $NEWIP $PORT $NEWFILE
    done
  fi
fi

#ICMP option
if [[ $1 == *icmp* ]]; then
  #Check parameters
  if [ "$#" -ne 2 ]; then
    if [[ ! $1 == *tcp* ]]; then #If bad num of params and not tcp
      echo "icmp option needs only /";
      exit 1;
    fi
  fi

  echo "Starting ICMP recon"
  FILENAME=$IP"_"$NETMASK"_icmp_brs_recon.txt"

  #If fping is available it handles the whole range itself (-a alive only, -q quiet,
  #-g generate the targets from the ip/netmask argument)
  FPING=$(which fping)
  if [ ! -z "$FPING" ]; then
    echo "Fping was found, using it..."
    fping -a -q -g $2 > $FILENAME;
  else
    #If no fping, use ping
    PING=$(which ping)
    if [ -z "$PING" ]
    then
      echo "Ping not found";
      exit 1;
    fi

    #Check netmask
    if [[ $NETMASK == "24" ]]; then
      echo "netmask /24 detected, starting..."
      icmp_recon $IP $FILENAME

    elif [[ $NETMASK == "16" ]]; then
      echo "netmask /16 detected, starting..."
      #NOTE(review): the third octet runs 1-254 here but 0-255 in the tcp /16 loop above; and
      #NEWFILE contains a "/" (and, like the tcp one, lacks "_brs_"), so it is written below a
      #$NEWIP/ directory that presumably does not exist and is skipped by the aggregation glob -- confirm
      for i in $(seq 1 254)
      do
        NEWIP=$(echo $IP | cut -d "." -f 1,2).$i.1
        NEWFILE=$NEWIP/24_$1_recon.txt
        icmp_recon $NEWIP $NEWFILE
      done
    fi
  fi
fi


#Merge every *_brs_recon.txt produced above into ACTIVE_IPS, then drop the per-protocol files.
#NOTE(review): when nothing was produced (unknown protocol, unsupported netmask, or the /16
#file names above) the glob stays literal, cat reports an error and ACTIVE_IPS is left empty
cat *_brs_recon.txt | sort | uniq > $ACTIVE_IPS;
rm -f *_brs_recon.txt;
echo "Active IPs:"
cat $ACTIVE_IPS;

#If no nc, stop here
#NOTE(review): exits with status 1 although the recon itself completed, so a caller
#cannot distinguish this from a failure
if [ -z "$NC" ] #No nc
then
  exit 1;
fi

echo "Starting scanning ports of active hosts";
#NOTE(review): FILENAME_SCANPORTS_temp is only assigned inside tcp_scan, which has not run yet,
#so this expands to nothing and a leftover port_scan.txt.temp from an interrupted run is kept
#and merged into the results below
rm -f $FILENAME_SCANPORTS_temp 2>/dev/null

#Scan each host in background
#NOTE(review): despite the comment, tcp_scan runs synchronously here (no &), one host at a time
while read host
do
  tcp_scan $host
done < $ACTIVE_IPS

#Same stderr filter as in tcp_recon, but the whole line (host and port) is kept
cat $FILENAME_SCANPORTS_temp | grep -v "Connection refused\|Version\|bytes\| out" | sort | uniq >> $FILENAME_SCANPORTS;
rm -f $FILENAME_SCANPORTS_temp
cat $FILENAME_SCANPORTS;
--------------------------------------------------------------------------------