Hacking tools
Simple list/cheatsheet about Hacking tools
A simple list of tools in one page
Basic vulnerability scanners
-
Nikto
-
Standard
nikto -h HOSTNAME -p PORT
-
Skip SSL
nikto -h HOSTNAME -nossl
-
Force SSL
nikto -h HOSTNAME -ssl
-
-
Nessus
-
Start/stop the service
sudo /bin/systemctl start nessusd.service
-
https://127.0.0.1:8834
-
Wordpress vuln scanner
-
Standard
wpscan --url URL --api-token=X
-
Without TLS
wpscan --url URL --disable-tls-checks --api-token=X
-
Scanning
-
Nmap
-
Quick scan
nmap -p- --open -T5 -v IP -n -oN quick_ports.txt
-
Standard single target, slow
sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln IP
-
Ping sweep (host discovery only, no port scan; -sP is the old alias of -sn)
nmap -sn IP/MASK
-
UDP port scan
nmap -sU IP/MASK
-
TCP port scan
nmap -sS IP/MASK
-
Normal output to file (the filename follows -oN)
nmap -oN file.txt IP/MASK
-
Output file XML (the filename follows -oX)
nmap -oX file.xml IP/MASK
-
Scan with custom list
nmap IP/MASK -iL file.txt
-
Change source port
nmap IP/MASK --source-port 8080 -p 1337
-
OS fingerprint/guessing
nmap IP/MASK -O -v --osscan-guess
-
Service detection
nmap IP/MASK -sV
-
Timing/aggressiveness level (-T5 is the most aggressive)
nmap IP/MASK -T4
-
Idle scan (Zombie scan)
nmap -sI ZombieIP IP
-
-
Hping3
- TCP SYN scan
sudo hping3 IP -S -p PORT
-
No packets > Filtered
47 packets transmitted, 0 packets received, 100% packet loss
-
Packets with flag=RA (RESET & ACK) > Closed
len=40 ip=IP ttl=127 id=248 sport=53 flags=RA seq=0 win=0 rtt=199.6 ms
-
Packets with flag=SA (SYN & ACK) > Open
len=46 ip=IP ttl=64 DF id=31674 sport=21 flags=SA seq=0 win=29868 rtt=0.9 ms
-
Information gathering
-
Whois
-
Console
whois domain
-
Web tools
-
-
nslookup
-
nslookup standard (default A records)
nslookup [DOMAIN]
-
nslookup ns records
nslookup -type=ns [DOMAIN]
-
nslookup a records
nslookup -type=a [DOMAIN]
-
nslookup txt records
nslookup -type=txt [DOMAIN]
-
nslookup reverse (PTR record)
nslookup [IP]
-
-
dig
-
DNS lookup
dig DOMAIN
-
reverse DNS
dig -x IP
-
Zone transfer
dig @IP domain -t AXFR +nocookie
-
Web url path scanners
-
Dirbuster
-
Wordlists
/usr/share/dirbuster/wordlists/*
-
-
Gobuster (-w wordlist, -u URL)
-
HTTP
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u IP
-
HTTPS (-k skips certificate verification if needed)
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://IP/ -k
-
-
Wfuzz
-
Fuzz files
wfuzz -c -z file,common.txt --hc 404 http://IP/news.php?file=FUZZ
-
Fuzz domains
wfuzz -w big.txt -H "HOST:FUZZ.domain" -u http://IP/ --hc 400,301 -t 50 -c
-
Fuzz path
wfuzz -w usernames.txt -t 50 --hc 404 http://DOMAIN/user/FUZZ
-
Wordlists
-
Extra github
-
Kali
-
Path
/usr/share/wordlists/*
-
-
Crafting wordlist web
-
cewl, https://tools.kali.org/password-attacks/cewl
cewl -d 2 -m 6 -w generated.txt IP
-
Search for IPv4 addresses in a file (dots must be escaped, otherwise "." matches any character)
grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' file | sort -u
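As an added example (not part of the original cheatsheet), the same extraction as a shell function that escapes the dots and also discards matches with an octet above 255, which `\d{1,3}` alone lets through; the sample log file is constructed here for demonstration.

```shell
#!/bin/sh
# Extract unique IPv4 addresses from a file.
# - dots are escaped so "." only matches a literal dot
# - awk drops candidates such as 999.1.2.3 whose octets exceed 255
extract_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" \
        | awk -F. '$1<=255 && $2<=255 && $3<=255 && $4<=255' \
        | sort -u
}

# Constructed sample input (not real log data)
sample_file="$(mktemp)"
cat > "$sample_file" <<'EOF'
2024-01-01 10:00:01 connection from 10.0.0.5 to 192.168.1.20:443
2024-01-01 10:00:02 connection from 10.0.0.5 to 192.168.1.20:443
2024-01-01 10:00:03 bogus value 999.1.2.3 and version 1.2.3.4567
EOF

# Prints 10.0.0.5 and 192.168.1.20; the bogus values are filtered out
extract_ipv4 "$sample_file"
rm -f "$sample_file"
```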
[WIP]