01. Development
Before starting the development of the Rogue Bash script, I conducted thorough research to gain an understanding of the fundamentals of Bash scripting, the Metasploit Framework, and Linux-based vulnerabilities. To begin with, I analyzed existing open-source scripts and frameworks to get a general idea of how they worked. This provided insights into the best practices and design patterns used in scripting for security testing. Open-source tools such as Sn1per, fsociety, Recox, Pureblood, and Discover all helped me to recognize the necessary processes to achieve my desired outcome.
After deciding to use Bash for the language the script would be written in, I researched the basics of Bash scripting, including syntax, variables, loops, functions, and other essential concepts. Jason Cannon's Shell Scripting: How to Automate Command Line Tasks Using Bash Scripting and Shell Programming and Chris Johnson and Jayant Varma's Pro Bash Programming: Scripting the GNU/Linux Shell Second Edition were some of the key resources used to learn the fundamentals of Bash scripting.
Shortly after, I enrolled in an e-course titled "Practical Ethical Hacking - The Complete Course" by TCM Security. This course provided me with hands-on experience and allowed me to apply the knowledge I had acquired through my research. These resources provided a thorough understanding of the penetration testing process and the tools and techniques involved.
To ensure that the script adhered to industry standards and best practices, I studied the Penetration Testing Execution Standard (PTES) and read Pearson's Penetration Testing Fundamentals: A Hands-On Guide to Reliable Security Audits by Chuck Easttom. These resources provided me with a clear understanding of the penetration testing process, its methodologies, and its documentation.
Furthermore, since Metasploit is written in Ruby, and its resource scripts (lists of msfconsole commands that can also embed Ruby code between <ruby> and </ruby> tags) need Ruby for anything beyond plain console commands, it was necessary to gain some familiarity with the Ruby language before writing them. For this purpose, as the final step in my research, I read Packt's Metasploit Revealed: Secrets of the Expert Pentester by Sagar Rahalkar and Nipun Jaswal and Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni. These books provided me with an in-depth understanding of Metasploit and a basic understanding of the Ruby language.
I collaborated with my professor to conceptualize a fully automated penetration testing tool. I began by researching potential tools and strategies that could be used in the project. After examining existing scripts, I set about creating an algorithm to guide script development. However, due to the scope of the project, it was necessary to scale down the algorithm significantly. To help me visualize the tasks and their interconnections, I used a flowchart program to lay out the algorithm.
Since Python is well-known for cybersecurity applications, I initially started script development using Python. Nevertheless, based on my familiarity with Linux and the command line, I found Bash to be more intuitive for scripting purposes. This enabled me to make use of my existing knowledge in these areas.
While attempting to make my script work across any system, it became clear why professional development teams spend years constructing such frameworks. To stay within the scope of a single course project, I had to reduce the target OS list to Linux-based systems. I initially sought to limit my project to Nmap, Nikto, and Metasploit to simplify maintenance. However, as I continued to develop my concept, I realized that further tools and strategies were necessary for a comprehensive and successful script.
As I progressed, I annotated my code with comments to record progress and facilitate troubleshooting. Once each segment was complete, I ran tests to confirm that its output matched my expectations. Finally, I reviewed the entire script for correctness and recorded a successful end-to-end run against a Metasploitable 2 virtual machine.
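The core of the workflow described above (an Nmap scan feeding a Metasploit resource script that msfconsole then replays) can be sketched in a few Bash functions. The following is an added illustration, not the Rogue script's own code: it parses a constructed sample of Nmap grepable (-oG) output, maps each open service to an auxiliary version-scanner module (the service-to-module table is an assumption for the example), and emits a resource script that also contains a small embedded Ruby block, which is the part of resource scripting where Ruby familiarity matters. The function names open_ports, module_for and make_rc are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not part of the Rogue project): nmap -oG output -> msfconsole resource script.
set -eu

# Constructed sample of nmap -sV -oG output for a Metasploitable-2-style host.
# Fields on a Host line are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/
sample_gnmap() {
  printf 'Host: 192.168.56.101 ()\tStatus: Up\n'
  printf 'Host: 192.168.56.101 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1/, 80/open/tcp//http//Apache httpd 2.2.8/, 3306/filtered/tcp//mysql///\tIgnored State: closed (996)\n'
}

# open_ports: read -oG text on stdin, print "host port service" for each open TCP port.
# Filtered/closed entries (3306 above) are deliberately dropped.
open_ports() {
  awk -F'\t' '
    /^Host:/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports:/) {
          split($1, h, " "); host = h[2]
          sub(/^Ports: /, "", $i)
          n = split($i, entries, ", ")
          for (j = 1; j <= n; j++) {
            split(entries[j], f, "/")
            if (f[2] == "open" && f[3] == "tcp") print host, f[1], f[5]
          }
        }
      }
    }'
}

# module_for: map a service name to a non-intrusive Metasploit version-scanner module.
# Assumed mapping for the example; a real tool would keep a larger, reviewed table.
module_for() {
  case "$1" in
    ftp)  echo auxiliary/scanner/ftp/ftp_version ;;
    ssh)  echo auxiliary/scanner/ssh/ssh_version ;;
    http) echo auxiliary/scanner/http/http_version ;;
    *)    return 1 ;;
  esac
}

# make_rc: read "host port service" lines on stdin, write a resource script to stdout.
# Plain msfconsole commands need no Ruby; the <ruby> block at the end does.
make_rc() {
  echo "# generated by the example above; replay with: msfconsole -q -r <file>"
  echo "spool /tmp/rogue_example.log"
  while read -r host port svc; do
    mod=$(module_for "$svc") || { echo "# no module mapped for $svc on $host:$port"; continue; }
    echo "use $mod"
    echo "set RHOSTS $host"
    echo "set RPORT $port"
    echo "run"
  done
  echo "<ruby>"
  echo "print_status(\"Resource script finished with #{framework.sessions.length} open session(s)\")"
  echo "</ruby>"
  echo "spool off"
}

# Stand-alone demo on the constructed sample. Against a real target the pipeline is:
#   nmap -sV -oG scan.gnmap TARGET; open_ports < scan.gnmap | make_rc > rogue.rc; msfconsole -q -r rogue.rc
sample_gnmap | open_ports | make_rc
```

The version-scanner modules are used here because they only fingerprint; swapping in exploit modules at this point is where a tool crosses from reconnaissance into exploitation, which should be an explicit, scoped decision rather than an automatic one.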
Made by Gabrielle Decker.
Code released under the GPL v3.