# Enum & Other Common Tools

| Tool Name | Description |
| --- | --- |
| `nmap` | Port and service scanning + version fingerprinting |
| `fping -asgq` | Ping sweep of a range (`-a` show alive hosts, `-s` stats, `-g` generate targets, `-q` quiet) |
| `nc` | Used as a listener and to shuttle files |
| `searchsploit` | Command line search of the local `exploit-db.com` mirror |
| `msfconsole` | Metasploit framework console |
| `msfvenom` | Generate custom payloads |
| `scp` | Copy files over SSH |
| `netcat` | Manual banner grabbing |
| `telnet` | Connect to cleartext POP3 and IMAP |
| `openssl` | `openssl s_client -connect <host>:<port>` to talk to POP3S and IMAPS |
| `smtp-user-enum` | Enumerate mail accounts via SMTP `VRFY`, `EXPN` or `RCPT TO` |
| `swaks` | Send simple emails via SMTP |
| `ftp` | Connect to FTP |
| `rpcclient` | Samba MS-RPC client; enumerate users, groups and shares |
| `smbclient` | Connect to SMB shares |
| `smbmap` | Enumerate SMB shares and their permissions |
| `onesixtyone` | Brute force SNMP community strings from a wordlist; hits are printed as `<ip> [<community>] <sysDescr>` |
| `snmpwalk` | Query an SNMP device with a community string from the `onesixtyone` output and dump its MIB |
| `braa` | Mass SNMP scanner |
| `mysql` | Connect to MySQL |
| `hashcat` | Crack hashes and generate custom wordlists (rules with `--stdout`) |
| `john` | Crack hashes; its `*2john` helpers (`ssh2john`, `zip2john`, `pdf2john`, ...) convert files into crackable hash formats |
| `hydra` | Brute force multiple protocols such as HTTP, FTP, SMB, SSH, POP3, IMAP, etc. |
| `medusa` | Brute force multiple protocols such as HTTP, FTP, SMB, SSH, POP3, IMAP, etc. |
| `hashid` | Identify hash type |
| `rockyou.txt` | Large wordlist of leaked passwords |
| `jsmith.txt` | Concise wordlist of username formats |
| `username-anarchy` | Mutate a short list of real names into likely usernames |
| `cupp` | Generate a targeted password wordlist from personal details (interactive questionnaire) |
| `cewl` | Generate a custom wordlist by spidering a URL |
| `LinPEAS.sh` | Automated Linux privesc enumeration |
| `tcpdump` | Capture network traffic to a `.pcap` file |
| `tshark` | Command line version of `wireshark` |
| `PCredz.py` | Extract creds and authentication tokens from `.pcap` files |
| `strings` | Extract sequences of printable chars from DBs and binary files |
| `exiftool` | Read and write metadata for many file types such as images, audio, documents, etc. |

---

# Pivoting

| Tool Name | Description |
| --- | --- |
| `ligolo-ng` | Pivot tool with separate `agent` (target) and `proxy` (attacker) binaries; traffic is routed through a TUN interface, so `proxychains4` is not required |
| `chisel` | Pivot tool whose single binary runs as either client or server. Commands must be prefixed with `proxychains4 -q`, and the last line of `/etc/proxychains4.conf` must read `socks5 127.0.0.1 <port>`, where `<port>` is the chisel SOCKS listener (1080 by default for `R:socks`) |
| `ssh -D 9050 user@<target_ip>` | Dynamic port forward: a SOCKS5 proxy on local port 9050. Prefix commands with `proxychains4 -q`; the last line of `/etc/proxychains4.conf` must read `socks5 127.0.0.1 9050` |
| `ssh -L 1234:localhost:3306 user@<target_ip>` | Local port forward: the MySQL server on the target becomes reachable at `localhost:1234` on the attacking host |
| `ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 user@<ExternalIPofPivotHost> -vN` | Remote/reverse port forward: port 8080 on the pivot host's internal interface is forwarded back to port 8000 on the attacking host |
| `socat` | Bidirectional relay that pipes two independent network channels together without SSH tunneling |
| `sshuttle` | Transparent VPN-like pivoting over SSH, no `proxychains4` needed; SSH is its only transport, so it cannot pivot over HTTPS |

---

# Web Enum & Attacks

| Tool Name | Description |
| --- | --- |
| `ffuf` | Web fuzzing tool (directories, vhosts, parameters) |
| `gobuster` | Web fuzzing tool (directories, DNS, vhosts) |
| `whatweb` | Webserver tech stack fingerprinting |
| `Nikto` | Webserver vuln scanner that checks for known issues such as outdated software, insecure files, misconfigs, default scripts, etc. |
| `FinalRecon` | Web recon toolkit |
| `Recon-ng` | Web recon framework |
| `dnsrecon -d TARGET -t std -k` | Standard DNS enumeration of TARGET plus a Certificate Transparency (crt.sh) lookup (`-k`) |
| `dnsenum` | Enumerate DNS info |
| `dig` | Enumerate DNS info |
| `nslookup` | Enumerate DNS info |
| `gospider` | Simple web crawling tool |
| `reconspider.py` | OSINT framework |
| `TheHarvester` | Gather email addresses and subdomains from OSINT sources |
| `Aquatone` | Takes screenshots of websites across multiple hosts |
| `EyeWitness` | Takes screenshots of websites, reports some server header info, and identifies default creds where possible |
| `XSStrike.py` | XSS detection and exploitation |
| `sqlmap` | Automated SQL injection |
| `wpscan` | WordPress vuln scanner |
| `strings` | Extract sequences of printable chars from DBs and binary files |
| `exiftool` | Read and write metadata for many file types such as images, audio, documents, etc. |
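The `onesixtyone` and `snmpwalk` rows in the first table describe a two-step flow that is easy to get wrong by hand when several hosts answer to different community strings. The script below is an added example, not part of the cheat sheet or of either tool: it parses onesixtyone's `<ip> [<community>] <sysDescr>` hit lines and walks each device's system subtree with the community that actually answered. The sample hits are constructed, and the SecLists path in the usage comment is an assumption about where the community-string wordlist lives.

```bash
#!/bin/sh
# Added example for the cheat sheet (not code from onesixtyone or net-snmp):
# feed onesixtyone hits into snmpwalk. onesixtyone prints one line per hit
# in the form "<ip> [<community>] <sysDescr>"; timeouts have no brackets.
set -eu

# Constructed sample of onesixtyone output, so the parser can run offline.
SAMPLE_161='10.10.10.5 [public] Linux router 4.19.0 #1 SMP
10.10.10.7 [private] HP ETHERNET MULTI-ENVIRONMENT
10.10.10.7 [public] HP ETHERNET MULTI-ENVIRONMENT
10.10.10.9 Timeout'

# Read onesixtyone output on stdin, emit unique "<ip> <community>" pairs.
# Lines without a [community] (timeouts, banner noise) are dropped.
parse_onesixtyone() {
  sed -n 's/^\([0-9][0-9.]*\) \[\([^]]*\)\].*$/\1 \2/p' | sort -u
}

# Walk the system subtree (1.3.6.1.2.1.1) of every hit with its own community.
# Assumes SNMP v2c; swap -v2c for -v1 if a device only answers v1.
walk_hits() {
  while read -r ip community; do
    echo "== $ip [$community] =="
    snmpwalk -v2c -c "$community" "$ip" 1.3.6.1.2.1.1
  done
}

# Live use (wordlist path is an assumption, adjust to your install):
#   onesixtyone -c /usr/share/seclists/Discovery/SNMP/common-snmp-community-strings.txt -i hosts.txt > hits.txt
#   parse_onesixtyone < hits.txt | walk_hits
# Offline demo on the constructed sample:
printf '%s\n' "$SAMPLE_161" | parse_onesixtyone
```

Keeping the parse step separate from the walk step means the hit list can be reviewed (and a noisy `public` string on a printer skipped) before any SNMP traffic is sent.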
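The `chisel` and `ssh -D` rows in the Pivoting table both hinge on the same detail: `/etc/proxychains4.conf` has to end with the `socks5 127.0.0.1 <port>` entry for the listener you just opened, and a stock install ships with a `socks4 127.0.0.1 9050` (Tor) entry there instead. In `strict_chain` mode every listed proxy is chained, so leaving the old entry in place sends the pivot through Tor first and the connection fails. The helper below is an added example, not part of the cheat sheet, chisel or proxychains: it checks and rewrites a conf file whose path and port are passed in, and the sample conf is constructed to look like the stock file.

```bash
#!/bin/sh
# Added example: point proxychains4 at the SOCKS5 listener opened by
# `chisel ... R:socks` or `ssh -D <port>`. Conf path and port are parameters.
set -eu

# Constructed stand-in for a stock proxychains4.conf (last entry is the Tor default).
SAMPLE_CONF='strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4  127.0.0.1 9050'

# Last active (non-comment, non-blank) line of the conf, whitespace-normalised.
last_proxy_line() {
  grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tail -n 1 \
    | sed 's/[[:space:]][[:space:]]*/ /g'
}

# 0 if the conf ends with "socks5 127.0.0.1 <port>", 1 otherwise.
check_socks5() {
  [ "$(last_proxy_line "$1")" = "socks5 127.0.0.1 $2" ]
}

# Keep everything up to and including [ProxyList], drop every old proxy entry
# (and the comments after the header), append our socks5 line as the last line.
set_socks5() {
  conf="$1"; port="$2"
  tmp="$(mktemp)"
  awk '{ print } ; /^\[ProxyList\]/ { exit }' "$conf" > "$tmp"
  printf 'socks5 127.0.0.1 %s\n' "$port" >> "$tmp"
  cat "$tmp" > "$conf"   # write in place so the file keeps its owner and mode
  rm -f "$tmp"
}

# Offline demo on the constructed sample.
# Live use: set_socks5 /etc/proxychains4.conf 1080   (chisel R:socks default)
#           set_socks5 /etc/proxychains4.conf 9050   (ssh -D 9050)
demo="$(mktemp)"
printf '%s\n' "$SAMPLE_CONF" > "$demo"
check_socks5 "$demo" 9050 || echo "last entry is '$(last_proxy_line "$demo")', rewriting"
set_socks5 "$demo" 9050
check_socks5 "$demo" 9050 && echo "proxychains4 now ends with: $(last_proxy_line "$demo")"
rm -f "$demo"
```

Run `check_socks5` before each `proxychains4 -q nmap ...` session; the usual symptom of a wrong entry is every connection failing with a `socket error or timeout`, which looks like a dead pivot rather than a config problem.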