Overview, Tools, and Pathways

These are a few of the plethora of tools out there. These are ones in which I have used at some point.

General Enumeration | Scanning | Reconnaissance

whatweb

• This is often the first tool used when given a domain, to determine basic info about the web server (in cases where a domain is the given target) and to obtain the IP address.

Nmap

• Among the most commonly used tools, nmap allows one to scan the target machine and gain a great deal of information about it, including open ports, services, and even vulnerability assessment via
• scripts.

rustscan

• Extremely fast alternative to nmap. Does not provide the depth of information but scans the entire port range in a fraction of the time.

wpscan

• If a wordpress site is identified, wpscan is extremely useful in finding potential vulnerabilities by enumerating plugins along with various other powerful features including bruteforce attacks if xmlrpc is enabled.

Nessus

• Nessus is an all-around vulnerability scanner and can help identify potential vulnerabilities and avenues of attack

OWASP Zap

• OWASP Zap is a GUI-based scanning tool that is focused on the OWASP top 10 vulnerabilities. This is another tool that can be useful in determining potential vulnerabilities.

Dig, dnsenum, and nslookup

• These tools, along with various others, are useful in automating the process of DNS queries and can be extremely useful in reconnaissance of a website and in understanding the ownership and relationship between domain names and IPs.

Shodan

• Extremely powerful passive recon engine.

---

Web and Network Exploitation

There are thousands and thousands of different tools, scripts, and applications out there for all the various different attack types and vulnerabilities. The following are ones which I have personally used in labs and challenges and which I am at least fairly comfortable using.

Enumeration && Exploitation Tools

BURP Suite

• Powerful proxy -> intercept and modify requests, leading to a large variety of potential uses

dirb, dirbuster, gobuster

• Directory enumeration

gospider

• Spider/crawler written in go.

ffuf, hydra

• Web fuzzing, directory enumeration, account brute forcing

sstimap, lfimap

• LFI and SSTI vulnerability scanner and exploitation tool

LinPEAS, WinPEAS

• Extremely comprehensive PrivEsc scripts

curl, wget

• Linux commands, useful for RCE and file transfer

enum4linux, smbmap, smbscan

• SMB enumeration scripts

lftp

• Useful tool for transferring files to and from ftp

revshells.com

• Convenient website to create simple reverse shell payloads

---

Automated Exploitation Tools

Metasploit

• Massive collection of known exploits, scripts, payloads, and database

SQLMap

• SQLi scanner and exploitation tool

xsssniper

• XSS scanner and exploitation tool. I rarely use this is favor or manual XSS exploitation, but is sometimes handy to have when nothing else works.

rapidscan

• Tool which essentially creates a suite of other popular exploitation tools like sqlmap, dirb, etc.

Responder

• Capture authentication hashes

impacket suite

psexec, wmiexec, smbserver, etc.

bloodhound/sharphound

• Domain discovery

---

Investigative, Post-Exploitation Tools

hashcat

• GUI-accelerated password cracking tool. Extremely quick.

John the Ripper and john2__

• Another password cracking tool, particularly useful for it's auto-detection and john2'other' conversion scripts.

cewl, crunch

• Custom password and wordlist generators

binwalk, exiftools

• Linux file analysis tools

PhotoSecUtils

• My personal file analysis tool for analyzing jpegs

---