feat: list of tools with future support #51

Open
ocervell opened this issue Mar 9, 2023 · 0 comments
Labels: enhancement (New feature or request), important, meta

ocervell (Contributor) commented Mar 9, 2023

Tools

  • exploit:

    • msfconsole
    • sqlmap
    • jexboss [python][maybe] # JBoss verify and exploitation tool
    • shocker.py [python][maybe] # Shellshock tester
      • python $PLUGINS_DIR/shocker/shocker.py -H $TARGET --cgilist $PLUGINS_DIR/shocker/shocker-cgi_list --port 80
    • smuggler [python][maybe] # HTTP request smuggling / desync testing tool
    • clusterd [python][maybe] # JBoss, ColdFusion, WebLogic, Tomcat, Railo, Axis2, Glassfish
    • zarp # Local networks exploitation tool
  • utils:

    • gf # pattern matching
    • arjun # parameter detection
    • searchsploit # search exploit from CVEs
    • cook # wordlist generator
  • vuln:

    • nuclei
    • nmap NSE scripts:
      • vulscan
      • vulners
    • dalfox # LFI / XSS automated tester
    • grype # Scan vulnerabilities in code, containers and repositories
    • gitleaks # Scan secrets in Git repositories
    • deepfence/SecretScanner # unprotected secrets in container images and file systems
    • nosqli # Scan NoSQLI vulns
    • trivy # Scan vulnerabilities and misconfigurations in code, containers, repositories, GKE, EKS, ...
    • tfsec # Terraform security scanner
    • nikto [perl][maybe, obsolete] # HTTP vulnerability scanner
    • cmsmap [python][maybe] # Find vulnerabilities in common CMS (Wordpress, Joomla, Drupal, Moodle)
    • arachni -> scnr
    • Inject-X fuzzer [python][maybe] # Scan dynamic URLs for common OWASP vulns
    • wapiti3 [python][maybe]
    • vuls
  • bruteforce:

  • binary:

    • AFLplusplus # Binary fuzzer for dinosaurs
  • recon:

    • recon/multi:

      • blackwidow [python][maybe]
      • scilla
      • bane # Python-based XSS / RCE tester + attack framework
      • V3n0m-Scanner # LFI / RCE / XSS / Dorks / AdminPage finder, DNS bruteforce, FTP scan
      • legion # cmd automator, can get some good CLI commands here
    • recon/windows:

    • recon/network/internal:

    • recon/network:

      • nmap
      • fingerprintx # Service detection on open ports
      • wafw00f
      • whois [shell][maybe] # Network utility (WHOIS)
      • ssh-audit [python][maybe] # SSH server and client auditing
      • arp
      • sslscan:
        • sslscan --no-failed $TARGET
      • asnip:
        • asnip -t $TARGET
      • hackertarget [python][maybe] # Network utilities (traceroute, ping, reverse DNS, zone transfer, whois, ip loc, port scan, subnet lookup)
      • BruteX [shell][maybe] # Bruteforce all services
      • Other interesting commands:
        • curl -s https://www.ultratools.com/tools/ipWhoisLookupResult\?ipAddress\=$TARGET | grep -A2 label | grep -v input | grep span | cut -d">" -f2 | cut -d"<" -f1 | sed 's/\&nbsp\;//g'
        • wget -q http://www.intodns.com/$TARGET -O $LOOT_DIR/osint/intodns-$TARGET.html
        • curl -s -L --data "ip=$TARGET" https://2ip.me/en/services/information-service/provider-ip\?a\=act | grep -o -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}/[0-9]{1,2}' # subnet retrieval (dots escaped so they match literal dots)
    • recon/http:

      • gau
      • gospider
      • ffuf
      • httpx
      • dirsearch
      • feroxbuster
      • katana
      • openapi-fuzzer
      • crawlergo
      • autoscrape-py
      • geziyor
      • jsluice
      • gobuster
      • wfuzz # can use FUZZ keyword in other parts of the URL not just at the end like ffuf
      • kiterunner # API routes discovery
      • goscrape # download websites to disk
      • wapiti3 [python][maybe]
      • whatweb [ruby][nope]
      • wig
      • webtech
      • wpscan [ruby] # Wordpress scan
      • Other interesting commands:
        • curl -sX GET "http://index.commoncrawl.org/CC-MAIN-2022-33-index?url=*.$TARGET&output=json" # passive spider
        • curl -s "https://api.hackertarget.com/pagelinks/?q=https://$TARGET" | egrep -v "API count|no links found|input url is invalid|error getting links" # a bare GET argument would be treated by curl as a second URL, so it is dropped; duplicate filter patterns removed
    • recon/dns:

      • subfinder [go] # passive subdomain finder
      • spyse: # subdomain finder
        • spyse -target $TARGET --subdomains
      • censys: # subdomain finder
        • python $PLUGINS_DIR/censys-subdomain-finder/censys_subdomain_finder.py --censys-api-id $CENSYS_APP_ID --censys-api-secret $CENSYS_API_SECRET $TARGET
      • dnscan [?][maybe] # DNS bruteforcer
        • python3 $PLUGINS_DIR/dnscan/dnscan.py -d $TARGET -w $DOMAINS_QUICK -o $LOOT_DIR/domains/domains-dnscan-$TARGET.txt -i $LOOT_DIR/domains/domains-ips-$TARGET.txt
      • crt.sh # gather certificate subdomain
        • curl -s https://crt.sh/?q=%25.$TARGET
      • github-subdomains (https://github.com/1N3/AttackSurfaceManagement/blob/master/bin/github-subdomains.py)
      • urlcrazy:
        • urlcrazy $TARGET # dns alterations
      • shodan:
        • shodan init $SHODAN_API_KEY
        • shodan search "hostname:*.$TARGET"
      • subbrute:
        • python "$INSTALL_DIR/plugins/massdns/scripts/subbrute.py" $INSTALL_DIR/wordlists/domains-all.txt $TARGET
      • altdns:
        • altdns -i /tmp/domain -w $INSTALL_DIR/wordlists/altdns.txt
      • dnsgen:
        • dnsgen /tmp/domain
      • massdns:
        • massdns -r /usr/share/sniper/plugins/massdns/lists/resolvers.txt $LOOT_DIR/domains/domains-$TARGET-alldns.txt -o S -t A -w $LOOT_DIR/domains/domains-$TARGET-massdns.txt
      • subover: # subdomain hijacking
        • subover -l $LOOT_DIR/domains/domains-$TARGET-full.txt
      • subjack: # subdomain hijacking scan
        • ~/go/bin/subjack -w $LOOT_DIR/domains/domains-$TARGET-full.txt -c ~/go/src/github.com/haccer/subjack/fingerprints.json -t $THREADS -timeout 30 -o $LOOT_DIR/nmap/subjack-$TARGET.txt -a -v
      • Other interesting commands:
        • curl -fsSL "https://dns.bufferover.run/dns?q=.$TARGET"
        • curl -s "https://rapiddns.io/subdomain/$TARGET?full=1&down=1#exportData()"
        • dig $TARGET CNAME | egrep -i "netlify|anima|bitly|wordpress|instapage|heroku|github|bitbucket|squarespace|fastly|feed|fresh|ghost|helpscout|helpjuice|pingdom|surveygizmo|teamwork|tictail|shopify|desk|unbounce|campaign|monitor|cargocollective|statuspage|tumblr|amazon|hubspot|modulus|uservoice|wpengine|cloudapp" # CNAME subdomain hijacking
    • recon/windows:

    • recon/cloud:

      • s3recon # S3 reckon
      • slurp # S3 bucket enumerator
        • ./slurp-linux-amd64 domain --domain $TARGET # S3 bucket scan
    • recon/osint:

      • 3klector # Company ASN information
      • degoogle # Google dorks
      • 'holehe' # Email to registered accounts
      • metagoofil:
        • python metagoofil.py -d $TARGET -t doc,pdf,xls,csv,txt -l 25 -n 25 -o $LOOT_DIR/osint/ -f $LOOT_DIR/osint/$TARGET.html # online documents
      • gitgraber:
        • python3 gitGraber.py -q "\"org:$ORGANIZATION\"" # github secret grabber
      • git-vuln-finder # github vuln finder
      • goohak:
        • goohak $TARGET # google hacking queries
      • h8mail:
        • h8mail -q domain --target $TARGET -o $LOOT_DIR/osint/h8mail-$TARGET.csv # checking compromised credentials
      • amass:
        • amass enum -ip -o $LOOT_DIR/domains/domains-$TARGET-amass.txt -rf /usr/share/sniper/plugins/massdns/lists/resolvers.txt -d $TARGET # dns subdomains
        • amass intel -whois -d $TARGET # reverse whois
        • subfinder -o $LOOT_DIR/domains/domains-$TARGET-subfinder.txt -d $TARGET -nW -rL /sniper/wordlists/resolvers.txt
      • theHarvester [python][maybe] # OSInt tool
      • curl --insecure -L -s "https://urlscan.io/api/v1/search/?q=domain:$TARGET" 2> /dev/null | egrep "country|server|domain|ip|asn|$TARGET|prt"| sort -u
      • curl -s "https://api.hunter.io/v2/domain-search?domain=$TARGET&api_key=$HUNTERIO_KEY"
      • msfconsole -x "use auxiliary/gather/search_email_collector; set DOMAIN $TARGET; run; exit y" # gather emails via metasploit
      • php /usr/share/sniper/bin/inurlbr.php --dork "site:$TARGET" -s inurlbr-$TARGET
      • curl -s https://www.email-format.com/d/$TARGET| grep @$TARGET | grep -v div | sed "s/\t//g" | sed "s/ //g"
      • dig:
        • dig $TARGET txt | egrep -i 'spf|DMARC|dkim' # email
        • dig iport._domainkey.${TARGET} txt | egrep -i 'spf|DMARC|DKIM' # email
        • dig _dmarc.${TARGET} txt | egrep -i 'spf|DMARC|DKIM' # email
  • Other interesting tools:

Lists

Nuclei templates

Third-party Integrations

  • Shodan
  • OWASP ZAP
  • Burp Suite
  • Nessus
  • OpenVAS
  • Ivre # network scanner meta tool & relationship manager
  • YETI # relationship manager
  • Snyk # code scanner

References

@ocervell ocervell added bug Something isn't working important enhancement New feature or request and removed bug Something isn't working labels Mar 13, 2023
@ocervell ocervell assigned ocervell and unassigned ocervell Mar 30, 2023
@ocervell ocervell added the v2.0 label Apr 8, 2023
@ocervell ocervell pinned this issue Apr 8, 2023
@ocervell ocervell changed the title feat: list of supported tools feat: list of tools with future support Oct 12, 2023
@ocervell ocervell added tasks and removed v2.0 labels Jan 26, 2024
@ocervell ocervell added meta and removed tasks labels Feb 4, 2024