
Daniel Cano Merchán - Hacking & Tech

Hacking tools

Simple list/cheatsheet about Hacking tools

A simple list of tools in one page

Basic vulnerability scanners

  • Nikto

    • Standard

      nikto -h (HOSTNAME) -p (HTTP PORT)

    • Skip SSL

      nikto -h (HOSTNAME) -nossl

    • Force SSL

      nikto -h (HOSTNAME) -ssl

  • Nessus

  • WordPress vuln scanner (wpscan)

    • Standard

      wpscan --url URL --api-token=X

    • Without TLS

      wpscan --url URL --disable-tls-checks --api-token=X

Scanning

  • Nmap

    • Quick scan

      nmap -p- --open -T5 -v IP -n -oN quick_ports.txt

    • Standard single target, slow

      sudo nmap -sS -sC -sV -O -p- -oN scan.txt --script vuln IP

    • Ping sweep ICMP

      nmap -sP IP/MASK

    • UDP port scan

      nmap -sU IP/MASK

    • TCP port scan

      nmap -sS IP/MASK

    • Normal output to file (-oN takes the filename as its argument)

      nmap -oN file.txt IP/MASK

    • Output file XML

      nmap -oX file.xml IP/MASK

    • Scan targets from a custom list (one host or range per line)

      nmap -iL file.txt

    • Change source port

      nmap IP/MASK --source-port 8080 -p 1337

    • OS fingerprint/guessing

      nmap IP/MASK -O -v --osscan-guess

    • Service detection

      nmap IP/MASK -sV

    • Timing/aggressiveness level (-T5 max)

      nmap IP/MASK -T4

    • Idle scan (Zombie scan)

      nmap -sI ZombieIP IP

  • Hping3

    • TCP SYN scan

      sudo hping3 IP -S -p PORT

      • No packets > Filtered

        47 packets transmitted, 0 packets received, 100% packet loss

      • Packets with flags=RA (RST & ACK) > Closed

        len=40 ip=IP ttl=127 id=248 sport=53 flags=RA seq=0 win=0 rtt=199.6 ms

      • Packets with flags=SA (SYN & ACK) > Open

        len=46 ip=IP ttl=64 DF id=31674 sport=21 flags=SA seq=0 win=29868 rtt=0.9 ms
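As an added example (not part of the original cheatsheet), the three hping3 rules above turned into a small shell helper that classifies a saved hping3 -S run as open, closed or filtered; the sample outputs are constructed and the IP is a placeholder.

```shell
#!/usr/bin/env bash
# Added helper, not from the original page: classify one hping3 -S run.
#   reply with flags=SA  -> open
#   reply with flags=RA  -> closed
#   no replies at all    -> filtered
hping_port_state() {
    # $1: full text of one hping3 run (reply lines plus the statistics)
    local out="$1"
    if printf '%s\n' "$out" | grep -q 'flags=SA'; then
        echo open
    elif printf '%s\n' "$out" | grep -q 'flags=RA'; then
        echo closed
    elif printf '%s\n' "$out" | grep -qE 'packets transmitted, 0 packets received'; then
        echo filtered
    else
        echo unknown
    fi
}

# The probed port only shows up in the reply's sport= field; empty if no reply.
hping_reply_port() {
    printf '%s\n' "$1" | grep -oE 'sport=[0-9]+' | head -n1 | cut -d= -f2
}

# Constructed samples modelled on the lines in the cheatsheet (10.0.0.5 is a placeholder).
SAMPLE_OPEN='len=46 ip=10.0.0.5 ttl=64 DF id=31674 sport=21 flags=SA seq=0 win=29868 rtt=0.9 ms
--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

SAMPLE_CLOSED='len=40 ip=10.0.0.5 ttl=127 id=248 sport=53 flags=RA seq=0 win=0 rtt=199.6 ms
--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

SAMPLE_FILTERED='--- 10.0.0.5 hping statistic ---
47 packets transmitted, 0 packets received, 100% packet loss'

# Usage on a saved run:  hping_port_state "$(cat hping_443.txt)"
for s in "$SAMPLE_OPEN" "$SAMPLE_CLOSED" "$SAMPLE_FILTERED"; do
    p=$(hping_reply_port "$s")
    printf 'port %s: %s\n' "${p:-?}" "$(hping_port_state "$s")"
done
```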

Information gathering

  • Whois

  • nslookup

    • nslookup standard (default A records)

      nslookup DOMAIN

    • nslookup ns records

      nslookup -type=ns DOMAIN

    • nslookup a records

      nslookup -type=a DOMAIN

    • nslookup txt records

      nslookup -type=txt DOMAIN

    • nslookup reverse (PTR record)

      nslookup IP

  • dig

    • DNS

      dig DOMAIN

    • reverse DNS

      dig -x IP

    • Zone transfer

      dig @IP domain -t AXFR +nocookie

Web url path scanners

  • Dirbuster

    • Wordlists

      /usr/share/dirbuster/wordlists/*

  • Gobuster (-w wordlist, -u URL)

    • HTTP

      gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://IP/

    • HTTPS (-k skips certificate verification if needed)

      gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u https://IP/ -k

  • Wfuzz

    • Fuzz files

      wfuzz -c -z file,common.txt --hc 404 http://IP/news.php?file=FUZZ

    • Fuzz domains

      wfuzz -w big.txt -H "Host: FUZZ.domain" -u http://IP/ --hc 400,301 -t 50 -c

    • Fuzz path

      wfuzz -w usernames.txt -t 50 --hc 404 http://DOMAIN/user/FUZZ

Wordlists

Search IP on file

  • grep -oP '\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}' file | sort -u

[WIP]