Reference List
    1. EyeWitness
    2. rbndr
    3. pwncat
    4. pwncat-cs
    5. AutoRecon
    6. SleuthKit
    7. FatCat
    8. SSHAmble
    9. cURL

EyeWitness – Automates taking screenshots of websites and retrieving server headers [Link].

sudo apt install eyewitness
eyewitness -f list.txt

rbndr – A single-file C program that allows pentesters to test software against TOCTOU (time-of-check, time-of-use) vulnerabilities using DNS rebinding [Link].

Installation for self-hosting:

git clone https://github.com/taviso/rbndr.git
cd rbndr
gcc rebinder.c -o rebinder

Note: Your real domain needs to point to the server running this application. Update the static const struct root kExpectedDomain property (line 42) to match your domain before compiling. The app is over a decade old and may require minor code changes to build successfully (out of scope for this post).

Using the free online server (.rbndr.us):

  • Domain syntax: <ipv4 in hex>.<ipv4 in hex>.rbndr.us
  • Example: 7f000001.c0a80001.rbndr.us
    • 7f000001 hex to decimal = 127.0.0.1
    • c0a80001 hex to decimal = 192.168.0.1

A syntax helper is available here [Link].


PwnCat – An improved Netcat with firewall and endpoint monitoring evasion for bind and reverse shells. It self-injects a shell, supports port forwarding, and prevents accidental shell interruption when Ctrl+C is pressed [Link].

  • Install
sudo apt install pwncat -y

OR

pip install pwncat
  • Listener
pwncat -l 1337

PwnCat-cs – A post-exploitation tool that wraps around basic bind and reverse shells to improve the overall experience. It spawns a pty using several methods (with previously enumerated executables), then sets the terminal to raw mode so it behaves like a real SSH session [Link].

  • Installation in a Python VENV
sudo mkdir -p /opt/pwncat && chmod 777 /opt/pwncat
python -m venv /opt/pwncat
/opt/pwncat/bin/pip install pwncat-cs
sudo ln -s /opt/pwncat/bin/pwncat-cs /usr/local/bin
  • Listener
pwncat-cs -l :1337

CTRL+D is the key combination that switches between Local and Remote.

See the official documentation for more information [Link].


AutoRecon – A multi-threaded network reconnaissance tool that automates service enumeration by chaining results from well-known tools already present on the system [Link].

sudo apt install autorecon -y

SleuthKit – A collection of UNIX-based command-line tools for file system and volume forensic analysis [Link].

sudo apt install sleuthkit -y
sudo fsstat /dev/nvme0n1p1
sudo mmls /dev/nvme0n1
sudo fls -r -m / /dev/nvme0n1p1
sudo icat /dev/nvme0n1p1 <inode_number_here> > recovered.txt
sudo istat /dev/nvme0n1p1 <inode_number_here>
sudo blkls /dev/nvme0n1p1 | strings | grep -i password

FatCat – Manipulates FAT filesystem disks and images to extract, repair, and recover forensic evidence [Link].

sudo apt install fatcat -y
fatcat disk.img -i
fatcat disk.img -l /root
fatcat disk.img -r /flag.txt
fatcat disk.img -r /picture.jpg > picture.jpg
fatcat disk.img -x -d output/
fatcat disk.img -l / -d

SSHAmble – An open-source reconnaissance tool for identifying SSH protocol vulnerabilities [Link].

Installation

export CGO_ENABLED=0 go install github.com/runZeroInc/sshamble@latest

Usage

./sshamble badkeys-update
./sshamble scan -o results.jsonl 10.10.10.0/24 --users root,admin --password-file password.list
./sshamble analyze -o /PATH/output-results results.jsonl

cURLcurl is one of the most fundamental tools for web exploitation and automation, and it is available virtually everywhere.

  • User-Agent Spoofing
curl -A "Chrome/Mozila/etc" http://10.10.10.10/
  • Custom Headers
curl -H "Authorization: Bearer <TOKEN>" 
curl -H "Host: <DOMAIN>" http://10.10.10.10/
  • Saving and reusing a cookie or session token
curl -c cookies.txt -d "username=admin&password=admin" http://10.10.10.10/
curl -b cookies.txt http://10.10.10.10/
  • POST Data
curl -s -X POST -d "key1=value1&key2=value2" http://10.10.10.10/
  • Force resolution and port translation
curl --connect-to example.com:80:10.10.10.10:8080 http://example.com