Tools

Various tools, need to give better case explanations

Aquatone

This is a great tool for visualizing nmap scans - output your nmap scan as xml -oX and then pipe it to aquatone:

cat nmap.xml | aquatone -nmap

BurpSuite

A great tool that covers everything from intercepting traffic to credential stuffing/brute forcing, this will need its own page probably with images

Can use the integrated browser, but the FoxyProxy extension is also nice to use

Chisel

[need to fill info]

Feroxbuster

Like Gobuster but a little nicer, colored output, progress indicators, etc. only does directories though

use -b for session cookie for authenticated requests
can also use -H for headers

feroxbuster -u [target] -w [wordlist] -b session=adsljkfhsaf

Gobuster

Virtual Hosts

gobuster vhost -u http://[target_IP_address] -w [wordlist_file] --append-domain

--append-domain would be used if you're looking for virtual hosts which are subdomains and you use a TLD instead of IP (I think)

Subdomains

gobuster dns --domain [target domain] -w [wordlist]

Directories

gobuster dir -u [target domain] -w [wordlist]

Hashcat

Need to go over basic uses, but mainly building wordlists and using masks

Hoaxshell

[need to fill info]

Hydra

Brute forcing tool for ssh/web forms

hydra [hostIP] -l [login] -L [loginfile] -p [pass] -P [passfile] -C [user:pass file] [service]

For web form:

hydra -l [login] -P [pass list] [target] -s [port] http-post-form "/[endpoint.ext]:[userparam]=^USER^&[passparam]=^PASS^:F=[failure string]"

Nmap

network scan
- sudo nmap [CIDR ADDR] -sn -oA tnet | grep for | cut -d" " -f5
- using list of hosts
  - -iL [host list]
-sT is the most stealthy scan, as it uses the entire TCP handshake to check ports
-sA to bypass many IPS and IDS
-Pn disable ping
-n disable DNS resolution
--disable-arp-ping disable ARP ping, good for investigating further
--packet-trace get more info on send and recv
--reason get more info on the port state
-D decoy - nmap inserts random IPs in the IP header of the scans
--source-port specify a source port, often 53 to slide through dns port
- can also specify this in netcat when connecting to a port

NXC

Need to come back to this but making a quick note

Gathering Data for Bloodhound

nxc ldap [ds-host] -u [username] -p '[password]' --bloodhound --dns-server [dns ip] --collection all

Generating a hosts file entry

netexec smb [target ip] --generate-hosts-file hosts
cat hosts /etc/hosts | sponge /etc/hosts

RPCClient

Get info on ActiveDirectory

srvinfo

Get Server Information

querydominfo

Get Domain Information

enumdomusers

Enumerate domain users

enumdomgroups

Enumerate domain groups

querygroup [group id]

Get Group Information

queryuser [username]

Get User information

enumprivs

Enumerate privileges of current user

getdompwinfo

Get basic domain password information

getusrdompwinfo [user id]

Get user-specific password information

lsaenumsid

Enumerate SID from LSA

netshareenum AND netshareenumall

enumerate SMB shares

enumdomains

Enumerate domains

querydispinfo

more comprehensive info of enumdomusers

Changing user password

chgpasswd [user] [old pass] [new pass]

Creating a user

Sometimes we can create a user on the domain

setuderinfo2
- level: An integer that specifies the type of information being set. For changing a user's password, the standard value is 23. Some older documentation may reference level 24

createdomuser [username]
setuserinfo2 [username] [level] [password]
enumdomusers (to verify)

WhatWeb

Great for enumeration of websites, should return webserver information and versions, any CMS, etc.

whatweb [target domain]

WPScan

Enumeration for WordPress websites

wpscan --url [target domain] --enumerate

Can Also be used as a brute forcer:

wpscan --password-attack xmlrpc -t 20 -U [username] -P [wordlist] --url [target domain]

PreviousDiscovery NextFile Inclusion

Last updated 11 days ago