If you want to switch from Kali Linux (or another distribution that ships a ready-to-use pentest environment) to Arch Linux, you are at the right place to prepare your future weapon. This article presents a set of open source tools usable both for personal purposes (CTF challenges and the like) and professionally (technical audit, pentest, digital forensics and more). To give a good understanding of the tools, examples, tips and tricks are provided so that you can pick the most appropriate tool for the situation.
Information and requirements
These elements are to be taken into consideration to follow this article:
- any time the word hacking is used on this site, it shall be regarded as ethical hacking. Do not attempt to violate the law with anything contained here. If you plan to use the content for illegal purposes, then please leave this site immediately! I will not be responsible for any illegal actions,
- this list of tools is by no means fixed and will certainly be improved as new tools come out and my knowledge grows,
- tools are installed on Arch Linux.
Information gathering and enumeration
RustScan is a tool that accelerates open-port enumeration. It is not a substitute for Nmap, quite the contrary: they work well together. Once the open ports have been found, the list is piped to Nmap, which performs service and version detection on those ports only.
yay -S rustscan
You can tune RustScan by decreasing the batch size or increasing the open-file limit. Running ulimit -Sn shows the soft open-file limit of your shell. Mine is 1024, so RustScan advises me to set the batch size to 924, as follows.
rustscan -b 924 <IP address>
Once it is done, Nmap takes over and does its job.
Nmap
The well-known network scanner. As everybody knows it, I will not spend a lot of time explaining what Nmap does, but I will give you the most important flags.
yay -S nmap
TCP uses a handshake when a port is queried, and the reply is what tells a scanner whether the port is open, closed or filtered. If the port is open, a three-way handshake takes place: the client sends a syn packet, which signals the beginning of a connection; the server responds with a syn-ack, acknowledging the syn it received; the client finishes with an ack, acknowledging the server's response. The transfer of data can then occur. If the port is closed, the server responds with a rst packet instead of a syn-ack. If the traffic is filtered by a firewall, the client typically receives no response at all. Note that Nmap's default scan when run as root (-sS, SYN scan) stops after the server's reply and answers a syn-ack with a rst instead of the final ack, so the handshake is never completed and the application behind the port never sees a connection; service detection (-sV) then opens full connections to the ports found open.
If you want to fully scan a host, you will probably run the following.
mkdir nmap
sudo nmap -sC -sV -O -oN nmap/recon <IP address>
-sC: performs a script scan using the default set of scripts,
-sV: probes open ports to determine service and version information,
-O: enables OS detection,
-oN: writes normal output to the given file (create the directory first; use -oX for XML, or -oA for all formats at once, when you intend to parse the results).
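As an added example (not code from the article or from the Nmap project): when the same scan is saved with -oX, the XML can be parsed to pull out the open ports, the handshake reason Nmap recorded behind each open/closed/filtered verdict, and the detected service and version, for instance to hand the port list to the next tool. The report below is constructed; the address 10.10.10.5, the hostname and the services are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

# Constructed -oX report, trimmed to the elements the parser reads.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sC -sV -O -oX nmap/recon.xml 10.10.10.5">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <hostnames><hostname name="target.lab" type="PTR"/></hostnames>
    <ports>
      <extraports state="closed" count="997"/>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack" reason_ttl="63"/>
        <service name="ssh" product="OpenSSH" version="8.2p1" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack" reason_ttl="63"/>
        <service name="http" product="lighttpd" version="1.4.55" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response" reason_ttl="0"/>
        <service name="microsoft-ds" method="table" conf="3"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return {ip: {"hostname", "os", "ports": [...]}} for every host that is up.

    Each port keeps Nmap's "reason" (syn-ack, reset, no-response, ...), i.e.
    the handshake evidence behind the open/closed/filtered verdict.
    """
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = host.find("address")
        hostname = host.find("hostnames/hostname")
        osmatch = host.find("os/osmatch")  # first (best) OS guess
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            product = None
            if svc is not None and svc.get("product"):
                product = " ".join(filter(None, (svc.get("product"), svc.get("version"))))
            ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state"),
                "reason": state.get("reason"),
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts[addr.get("addr")] = {
            "hostname": hostname.get("name") if hostname is not None else None,
            "os": osmatch.get("name") if osmatch is not None else None,
            "ports": ports,
        }
    return hosts


def open_ports(hosts, ip):
    """Open ports of one host, in the order Nmap listed them."""
    return [p for p in hosts[ip]["ports"] if p["state"] == "open"]


def port_spec(hosts, ip):
    """Comma-separated open ports, ready for `nmap -p` or `rustscan -p`."""
    return ",".join(str(p["port"]) for p in open_ports(hosts, ip))


def summary(hosts):
    """One line per open port: ip:port/proto service product (reason)."""
    lines = []
    for ip in hosts:
        for p in open_ports(hosts, ip):
            lines.append(f"{ip}:{p['port']}/{p['proto']} {p['service']} "
                         f"{p['product'] or '-'} ({p['reason']})")
    return lines


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_XML
    print("\n".join(summary(parse_nmap_xml(text))))
```

Run it on a real report with `python parse_nmap.py nmap/recon.xml`; the reason column is worth keeping because an "open" verdict backed by syn-ack from a SYN scan and one backed by a completed connect scan are not the same evidence.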
SearchSploit
yay -S exploitdb
You can find exploits, shellcodes or papers related to MySQL 5.5, for example, like this.
searchsploit mysql 5.5
-------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                |  Path
-------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation                      | linux/local/40360.txt
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition     | linux/local/40678.c
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege Escalation                       | linux/local/40679.sh
MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Command Execution                                             | windows/remote/23073.txt
MySQL 5.5.45 (x64) - Local Credentials Disclosure                                                             | windows_x86-64/local/40337.py
MySQL 5.5.45 - procedure analyse Function Denial of Service                                                   | multiple/dos/39867.py
MySQL 5.5.8 - Remote Denial of Service                                                                        | windows/dos/18269.py
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow                                                                  | multiple/dos/41954.py
MySQL Eventum 1.5.5 - 'login.php' SQL Injection                                                               | php/webapps/1134.pl
MySQL Quick Admin 1.5.5 - 'cookie' Local File Inclusion                                                       | php/webapps/6641.txt
MySQL Quick Admin 1.5.5 - Local File Inclusion                                                                | php/webapps/7020.txt
-------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Now that you have the list, you can get more information with the -p flag, passing the number displayed in the Path column. Let's take the exploit MySQL 5.5.8 - Remote Denial of Service as an example.
searchsploit -p 18269
  Exploit: MySQL 5.5.8 - Remote Denial of Service
      URL: https://www.exploit-db.com/exploits/18269
     Path: /usr/share/exploitdb/exploits/windows/dos/18269.py
File Type: Python script, ASCII text executable, with CRLF line terminators
You can also copy (mirror) the exploit file into your current working directory with the -m flag.
searchsploit -m 18269
  Exploit: MySQL 5.5.8 - Remote Denial of Service
      URL: https://www.exploit-db.com/exploits/18269
     Path: /usr/share/exploitdb/exploits/windows/dos/18269.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/ap/18269.py
As usual, more options are well documented with the
Gobuster is a directory, file, DNS and virtual host busting tool.
yay -S gobuster
If you want to discover files or directories behind an IP address (or domain name), proceed like this.
gobuster dir -u http://<IP address>/ -w /usr/share/wordlists/seclists-c/Discovery/Web-Content/common.txt
The first argument you must specify is the mode; three are available:
dir: directory or file bruteforcing,
dns: DNS subdomain bruteforcing,
vhost: virtual host bruteforcing.
-u: required, the target,
-w: required, path to the wordlist (scroll down to the Wordlists, dictionary and payloads section to learn more about wordlists),
-x: optional, file extensions to search for (to focus on specific files),
-p: optional, proxy (generally Burp Suite) to use for the requests (format:
To see the flags of a specific mode, run gobuster <mode> --help.
ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. It is widely used during steganography analysis.
yay -S perl-image-exiftool
Retrieving basic information about a file is straightforward.
exiftool Pictures/wallpaper.jpg
ExifTool Version Number         : 12.00
File Name                       : wallpaper.jpg
Directory                       : Pictures
File Size                       : 282 kB
File Modification Date/Time     : 2020:09:09 00:55:51+02:00
File Access Date/Time           : 2020:09:09 00:56:13+02:00
File Inode Change Date/Time     : 2020:09:09 00:55:51+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1
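What ExifTool prints for a JPEG is read straight from the file's marker structure. The following added example (not code from the article or from ExifTool) walks a JPEG's segments the same way: it lists the APPn/COM blocks, reports whether an Exif block is present, and, the thing a steganography analyst cares about most, flags any bytes appended after the EOI marker, which is where an archive or a second image is usually hidden. The JPEG skeleton and the appended ZIP signature are constructed for the demo.

```python
import struct

MARKERS = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT", 0xC4: "DHT",
           0xDD: "DRI", 0xFE: "COM", 0xC0: "SOF0", 0xC2: "SOF2"}
MARKERS.update({0xE0 + i: f"APP{i}" for i in range(16)})


def _segment(marker, payload):
    """Build one marker segment (the 2-byte length field counts itself)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a JPEG skeleton (JFIF + Exif + comment + a tiny scan)
# with a ZIP signature appended after EOI, the classic "file inside an image".
TIFF_HEADER = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + TIFF_HEADER)
    + _segment(0xFE, b"sample comment")
    + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"   # entropy-coded data containing one stuffed 0xFF00
    + b"\xff\xd9"
)
SAMPLE_TRAILER = b"PK\x03\x04constructed trailing archive"


def jpeg_segments(data):
    """Walk the marker structure; return (segments, trailer).

    segments: list of (name, offset, payload); trailer: bytes found after EOI.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    segments = [("SOI", 0, b"")]
    pos = 2
    while pos < len(data):
        start = pos
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:   # 0xFF fill bytes may precede a marker
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        name = MARKERS.get(marker, f"0x{marker:02X}")
        if marker == 0xD9:
            segments.append(("EOI", start, b""))
            return segments, data[pos:]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # stand-alone markers, no length
            segments.append((name, start, b""))
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        segments.append((name, start, data[pos + 2:pos + length]))
        pos += length
        if marker == 0xDA:
            # Entropy-coded data follows SOS; it ends at the first 0xFF that is
            # neither a stuffed 0xFF00, an RSTn marker nor another 0xFF fill byte.
            scan_start = pos
            while True:
                i = data.find(b"\xff", pos)
                if i < 0 or i + 1 >= len(data):
                    raise ValueError("scan data not terminated by a marker")
                nxt = data[i + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = i + 2
                elif nxt == 0xFF:
                    pos = i + 1
                else:
                    pos = i
                    break
            segments.append(("SCAN", scan_start, data[scan_start:pos]))
    raise ValueError("no EOI marker found")


def inspect_jpeg(data):
    """The structure behind ExifTool's output, plus the trailer check."""
    segments, trailer = jpeg_segments(data)
    return {
        "segments": [name for name, _, _ in segments],
        "has_exif": any(n == "APP1" and p.startswith(b"Exif\x00\x00") for n, _, p in segments),
        "comments": [p.decode("latin-1") for n, _, p in segments if n == "COM"],
        "trailer_bytes": len(trailer),
        "trailer_magic": trailer[:4],
    }


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_JPEG + SAMPLE_TRAILER
    print(inspect_jpeg(blob))
```

A non-zero trailer_bytes on a picture from a CTF is the cue to carve the trailer out (the magic bytes tell you what it is) before spending time on LSB steganography.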
Enum4linux is a tool for enumerating information from Windows and Samba systems.
yay -S enum4linux
If you want a user list and operating system information, proceed as follows.
enum4linux -U -o <IP address>
Listing Windows shares can be done as follows. You can also specify a username with the -u flag and a password with the -p flag.
enum4linux -S <IP address>
Nikto is a web server scanner.
yay -S nikto
The classic command to run is as follows (the output has been truncated).
nikto -host <IP address>
- Nikto v2.1.6
[...]
+ Server: lighttpd/1.4.55
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
[...]
Nikto tags its findings with OSVDB identifiers (Open Source Vulnerability Database) when it has one. OSVDB was shut down in 2016, so these IDs can no longer be looked up there; treat them as Nikto's own finding categories (OSVDB-3092 above is the generic "interesting directory" check, not a vulnerability). By default, port 80 is scanned; change this with the -p <port> flag (and add -ssl for HTTPS targets).
Privilege Escalation Awesome Scripts Suite (PEASS)
This package provides scripts that search for possible local privilege escalation paths you could exploit and print them with colours, so that the misconfigurations stand out.
yay -S peass
Once installed, the directories of interest are located under /usr/share/peass. The file linPEAS/linpeas.sh is for GNU/Linux hosts, the file winPEAS/winPEASbat/winPEAS.bat is for Windows. Compiled versions are also available at
Wfuzz (short for Web fuzzer) is a tool designed for bruteforcing web applications (HTTP parameters, paths, headers and more). It is based on a simple concept: every occurrence of the FUZZ keyword is replaced by the value of a given payload, a payload being a source of data in Wfuzz's vocabulary.
yay -S wfuzz
As always, let's take an example to understand how it works. Imagine you have found a restricted area at http://<IP address>/admin/login.php. A form is displayed with a single password field; looking at the source code, you see that the input's name is pw. Obviously, you want to brute-force this form, with something like the following (POST data is given in the usual key=value form).
wfuzz -u "http://<IP address>/admin/login.php" -X POST -d "pw=FUZZ" -w /usr/share/wfuzz/wordlists/general/common.txt
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://<IP address>/admin/index.php?login
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   401        318 L    1020 W   16226 Ch    "@"
000000002:   401        318 L    1020 W   16226 Ch    "00"
000000004:   401        318 L    1020 W   16226 Ch    "02"
000000003:   401        318 L    1020 W   16226 Ch    "01"
000000006:   401        318 L    1020 W   16226 Ch    "1"
000000005:   401        318 L    1020 W   16226 Ch    "03"
[...]
-u: specify the URL of the request,
-X: specify the HTTP method of the request,
-d: use POST data (format:
-w: specify a wordlist file.
A 401 response means the password was wrong. By adding --hc 401 (hide code), you remove the 401 responses from the output.
wfuzz -u "http://<IP address>/admin/login.php" -X POST -d "pw=FUZZ" -w /usr/share/wfuzz/wordlists/general/common.txt --hc 401
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://<IP address>/admin/index.php?login
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000648:   200        318 L    1020 W   16226 Ch    "protected"
The 401 responses are hidden and only the 200 response remains: its payload is the password. When an application answers 200 for every attempt, filter on the Lines/Words/Chars columns instead (--hl, --hw, --hh), since a successful login usually returns a page of a different size.
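Gobuster's dir mode and the Wfuzz run above do the same thing at heart: one request per wordlist entry, keeping only the responses whose status code (or size) differs from the "not found" or "not authorised" baseline. The following added example (not code from the article, from Gobuster or from Wfuzz) shows both against a constructed target served on 127.0.0.1: a directory buster with extension expansion that does not follow redirects (a bare /admin answering 301 is a hit, exactly as gobuster reports it), and a form fuzzer with the equivalent of --hc 401. The hidden paths, the login URL /admin/login.php, the field name pw and the password "protected" are assumptions mirroring the scenario above.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed stand-in for the target (paths and password are assumptions).
HIDDEN_DIRS = {"/admin", "/img"}
HIDDEN_FILES = {"/robots.txt", "/backup.zip"}
LOGIN_PATH = "/admin/login.php"
LOGIN_PASSWORD = "protected"


class Target(BaseHTTPRequestHandler):
    def log_message(self, *args):          # keep the demo quiet
        pass

    def _reply(self, code, body, **headers):
        self.send_response(code)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path in HIDDEN_DIRS:       # like a real server: redirect to the slash form
            self._reply(301, b"", Location=self.path + "/")
        elif self.path in HIDDEN_FILES or self.path.rstrip("/") in HIDDEN_DIRS:
            self._reply(200, b"ok\n")
        else:
            self._reply(404, b"not found\n")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        if self.path == LOGIN_PATH and form.get("pw") == [LOGIN_PASSWORD]:
            self._reply(200, b"welcome admin\n")
        else:
            self._reply(401, b"bad password\n")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None                         # report 3xx as a result instead of following it


_OPENER = urllib.request.build_opener(_NoRedirect)


def request(url, data=None):
    """Return (status, body); 3xx/4xx/5xx are results, not exceptions."""
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    try:
        with _OPENER.open(req, timeout=5) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def dir_bust(base, words, extensions=(), hide_codes=(404,)):
    """gobuster dir: one request per word (and per word.ext); keep non-hidden codes."""
    hits = []
    for word in words:
        for candidate in [word] + [f"{word}.{ext}" for ext in extensions]:
            status, _ = request(f"{base}/{candidate}")
            if status not in hide_codes:
                hits.append((f"/{candidate}", status))
    return hits


def fuzz_form(url, field, words, hide_codes=(401,)):
    """wfuzz -d field=FUZZ --hc 401: keep payloads whose status is not hidden.

    The body length is returned too: when every answer is a 200, the size
    columns are what separates the hit from the noise.
    """
    hits = []
    for word in words:
        body = urllib.parse.urlencode({field: word}).encode()
        status, resp = request(url, body)
        if status not in hide_codes:
            hits.append((word, status, len(resp)))
    return hits


def demo():
    """Run both attacks against the local target; returns (dir hits, form hits)."""
    server = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        dirs = dir_bust(base, ["admin", "img", "backup", "index", "robots"], ("txt", "zip"))
        form = fuzz_form(base + LOGIN_PATH, "pw", ["123456", "admin", "protected", "password"])
    finally:
        server.shutdown()
        server.server_close()
    return dirs, form


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Two details carry over to the real tools: a redirect-following client would hide the 301 hits (gobuster does not follow them either), and the status-code filter is only the first cut, the response size is the second.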
John The Ripper
Is it really necessary to present John The Ripper?
yay -S john
Time for an example! You are in possession of an SSH key pair whose private key is protected with a passphrase.
file admin*
admin:     PEM RSA private key
admin.pub: OpenSSH RSA public key
The private key is in PEM format. The ssh2john utility converts it into a hash format John understands.
ssh2john admin > admin.hash
file admin.hash
admin.hash: ASCII text, with very long lines
Then run john to crack the passphrase.
john admin.hash --wordlist=/usr/share/dict/rockyou.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 12 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Password         (admin)
1g 0:00:00:01 DONE (2020-09-09 16:10) 0.6172g/s 8850Kp/s 8850Kc/s 8850KC/s zzzzz4..zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Session completed
In less than 4 seconds, the passphrase is found: Password. The two Cost lines explain why it was so quick: the legacy PEM format derives the encryption key with a single MD5 iteration (cost 0, iteration count 1), so John tests millions of candidates per second; a key saved in the newer OpenSSH format with bcrypt (cost 2) would be orders of magnitude slower to attack.
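Whether a recovered key is crackable in seconds or in weeks depends on the format behind those Cost lines, so it is worth checking before spending CPU or GPU time. Added example, not from the article or from John the Ripper: it reads the same headers ssh2john parses (the Proc-Type/DEK-Info lines of a legacy PEM key, or the cipher, KDF and rounds fields of an openssh-key-v1 key) and returns a verdict. Both sample keys are constructed; their bodies are placeholders, not real key material.

```python
import base64
import re
import struct

# Constructed legacy key: only the headers matter, the body is a placeholder.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keSwgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def _sshstr(buf, off):
    """Read one SSH wire 'string' (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _mkstr(b):
    return struct.pack(">I", len(b)) + b


def build_openssh_header(cipher=b"aes256-ctr", kdf=b"bcrypt", salt=b"\x01" * 16, rounds=16):
    """Constructed openssh-key-v1 file: real header layout, placeholder key body."""
    kdfopts = _mkstr(salt) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _mkstr(cipher) + _mkstr(kdf) + _mkstr(kdfopts)
            + struct.pack(">I", 1) + _mkstr(b"placeholder-public") + _mkstr(b"placeholder-private"))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(blob).decode()
            + "-----END OPENSSH PRIVATE KEY-----\n")


def key_protection(key_text):
    """How the passphrase is applied: format, cipher, KDF and round count."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in key_text:
        body = "".join(l for l in key_text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _sshstr(blob, len(magic))
        kdf, off = _sshstr(blob, off)
        kdfopts, off = _sshstr(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _sshstr(kdfopts, 0)   # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if "PRIVATE KEY-----" in key_text:
        m = re.search(r"^DEK-Info:\s*([\w-]+),([0-9A-Fa-f]+)", key_text, re.M)
        encrypted = "Proc-Type: 4,ENCRYPTED" in key_text and m is not None
        return {"format": "pem", "encrypted": encrypted,
                "cipher": m.group(1) if encrypted else "none",
                "kdf": "md5" if encrypted else "none",   # legacy PEM: EVP_BytesToKey, 1 iteration
                "rounds": 1 if encrypted else None}
    raise ValueError("not a recognised private key")


def verdict(info):
    """What a cracking attempt is up against, in the terms of john's Cost lines."""
    if not info["encrypted"]:
        return "unprotected: no passphrase at all"
    if info["kdf"] == "md5":
        return "weak: legacy PEM, one MD5 iteration per guess (john cost 0), millions of guesses/s"
    if info["kdf"] == "bcrypt":
        return f"strong: bcrypt_pbkdf with {info['rounds']} rounds per guess, orders of magnitude slower"
    return f"unknown KDF {info['kdf']}"


if __name__ == "__main__":
    for key in (LEGACY_PEM, build_openssh_header()):
        info = key_protection(key)
        print(info, "->", verdict(info))
```

For your own keys, the remedy is to re-encrypt them in the new format with a high round count, for instance ssh-keygen -p -o -a 100 -f <key>; the passphrase itself is still the only thing standing between a copied key and a login.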
Hashcat is John the Ripper on steroids.
yay -S hashcat
To take full advantage of hashcat, make sure the drivers of your GPU are installed. If your machine only has an Intel CPU (no discrete GPU), you must install a compatible OpenCL runtime; on my laptop, intel-compute-runtime works. The -I flag shows information about the detected backend API devices.
You can perform many attack types; they are all explained here.
I will just show a quick win for password cracking with hashcat without diving deep. This tool is very full featured and deserves a full article, maybe soon!
hashcat --help lists the hash modes. By specifying a mode with -m you tell hashcat which hash type you want to crack; mode 0 is MD5, so let's crack an MD5 hash.
hashcat --force -m 0 dc647eb65e6711e155375218212b3964 /usr/share/dict/rockyou.txt
[...]
Dictionary cache hit:
* Filename..: /usr/share/dict/rockyou.txt
* Passwords.: 14344373
* Bytes.....: 140056870
* Keyspace..: 14344373

dc647eb65e6711e155375218212b3964:Password

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: dc647eb65e6711e155375218212b3964
Time.Started.....: Tue Sep  9 23:25:39 2020, (4 secs)
Time.Estimated...: Tue Sep  9 23:25:43 2020, (0 secs)
Guess.Base.......: File (/usr/share/dict/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2546.2 kH/s (52.39ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11206656/14344373 (78.13%)
Rejected.........: 0/11206656 (0.00%)
Restore.Point....: 11010048/14344373 (76.76%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: oprep897 -> peace5050

Started: Tue Sep  9 23:25:39 2020
Stopped: Tue Sep  9 23:25:44 2020
As you can see, with my processor (Intel Core i7-9750H) hashcat tries about 2,546 kH/s (1 kH/s is 1,000 hashes per second). Is that a lot? Not at all: an Nvidia RTX 2080 SUPER reaches about 60,000 MH/s on MD5. Keep in mind that such rates only apply to fast, unsalted hashes like MD5; against a deliberately slow algorithm such as bcrypt the rate drops by several orders of magnitude. Note also that --force tells hashcat to ignore its warnings (here, about running on a CPU OpenCL device); do not use it when a proper driver is available.
Hydra is a parallelized login cracker which supports numerous protocols to attack:
yay -S hydra
As an example, below is the syntax to brute-force an SSH server with root as the user. SSH daemons rate-limit connections and are often backed by fail2ban, so lower the parallelism (the -t flag; 4 is a sensible value for SSH) and expect the attempts to show up in the target's logs.
hydra -l root -P /usr/share/dict/rockyou.txt ssh://<IP address>
-l root: login name,
-P /usr/share/dict/rockyou.txt: load passwords from file.
Fcrackzip is a ZIP password cracker. It is really simple: there are two modes of attack, brute-force and dictionary. You can also tell it the length of the password if you know it (usually not, but in a CTF it is not unlikely). Note that it only handles the traditional PKZIP (ZipCrypto) encryption, not AES-encrypted archives.
yay -S fcrackzip
Let's create dummy files, zip them and encrypt the archive.
touch file01.txt file02.txt file03.txt file04.txt file05.txt
zip -qe data.zip file0*
Enter password: <password>
Verify password: <confirm>
file data.zip
data.zip: Zip archive data, at least v1.0 to extract
And now, break it with fcrackzip (the timing lines come from the fish shell's time builtin).
time fcrackzip -vuDp /usr/share/dict/rockyou.txt data.zip
found file 'file01.txt', (size cp/uc     12/     0, flags 9, chk be2c)
found file 'file02.txt', (size cp/uc     12/     0, flags 9, chk be2d)
found file 'file03.txt', (size cp/uc     12/     0, flags 9, chk be2f)
found file 'file04.txt', (size cp/uc     12/     0, flags 9, chk be30)
checking pw onetyme

PASSWORD FOUND!!!!: pw == Password

________________________________________________________
Executed in    1.37 secs   fish           external
   usr time    1352.97 millis  405.00 micros  1352.56 millis
   sys time      20.27 millis  283.00 micros    19.98 millis
It takes 1.37 seconds to find the password. OK, the password is easy, but if it is in your wordlist, you will find it.
-v: be more verbose,
-u: use unzip to weed out wrong passwords,
-D: use a dictionary,
-p: use string as initial password/file.
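Fcrackzip's speed, and the reason the -u flag exists, come from how ZipCrypto stores its password check: only the last byte of the 12-byte encryption header is compared with the top byte of the entry's CRC (the "chk" value printed above), so a wrong password passes that test about one time in 256 and has to be weeded out by decrypting the whole entry, which is what -u delegates to unzip. The following added example (not code from the article or from fcrackzip) implements the ZipCrypto keystream, the one-byte header check and the full CRC check, then runs a dictionary attack the way fcrackzip -uD does. The entry, its plaintext, the fixed 11 header bytes (random in a real archive) and the wordlist are constructed; the password is the one used above.

```python
import zlib


def _crc32_byte(crc, byte):
    """One-byte update of the raw (non-inverted) CRC-32 register, as PKZIP does it."""
    return zlib.crc32(bytes([byte]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF


class ZipCrypto:
    """PKZIP 'traditional' encryption: 96 bits of key state, one keystream byte per byte."""

    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for c in password.encode():
            self._update(c)

    def _update(self, plain_byte):
        k = self.keys
        k[0] = _crc32_byte(k[0], plain_byte)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = _crc32_byte(k[2], k[1] >> 24)

    def _keystream_byte(self):
        t = (self.keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data):
        out = bytearray()
        for p in data:
            out.append(p ^ self._keystream_byte())
            self._update(p)            # the state is always fed with plaintext
        return bytes(out)

    def decrypt(self, data):
        out = bytearray()
        for c in data:
            p = c ^ self._keystream_byte()
            self._update(p)
            out.append(p)
        return bytes(out)


def encrypt_entry(password, plaintext, header11=bytes(range(11))):
    """Encrypted body of one stored entry: 12-byte header + data. Returns (blob, crc).

    Byte 11 of the header is the top byte of the file CRC: the only thing a
    quick password test can look at (a real archive uses 11 random bytes;
    a fixed pattern is used here so the demo is deterministic).
    """
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = header11 + bytes([crc >> 24])
    return ZipCrypto(password).encrypt(header + plaintext), crc


def quick_check(password, blob, crc):
    """The cheap test: decrypt only the 12-byte header and compare the check byte."""
    return ZipCrypto(password).decrypt(blob[:12])[11] == crc >> 24


def full_check(password, blob, crc):
    """The expensive test (fcrackzip -u, i.e. what unzip does): decrypt all, verify CRC."""
    plain = ZipCrypto(password).decrypt(blob)[12:]
    return plain if zlib.crc32(plain) & 0xFFFFFFFF == crc else None


def crack(blob, crc, words):
    """Dictionary attack: header check on every word, full decrypt only for survivors.

    Returns (password, plaintext, number of words that passed the quick check).
    """
    survivors = [w for w in words if quick_check(w, blob, crc)]
    for w in survivors:
        plain = full_check(w, blob, crc)
        if plain is not None:
            return w, plain, len(survivors)
    return None, None, len(survivors)


# Constructed sample standing in for data.zip: one entry, same password as above.
SAMPLE_PLAINTEXT = b"flag{constructed-sample-entry}\n"
SAMPLE_BLOB, SAMPLE_CRC = encrypt_entry("Password", SAMPLE_PLAINTEXT)
SAMPLE_WORDS = ["123456", "qwerty", "password", "letmein", "Password", "dragon"]

if __name__ == "__main__":
    print(crack(SAMPLE_BLOB, SAMPLE_CRC, SAMPLE_WORDS))
```

On a real archive the same two-stage check is available from Python's standard library: zipfile.ZipFile(path).read(name, pwd=candidate) raises on the header byte mismatch and otherwise verifies the CRC, so a wrapper around it gives a slow but dependency-free equivalent of fcrackzip -uD.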
Metasploit
I will not present it. You probably started hacking with this tool, didn't you? In any case, it is far too complete to cover with one or two examples; I will write a full article on it.
yay -S metasploit
Wordlists, dictionary and payloads
The rockyou.txt wordlist contains more than fourteen million passwords recovered from many breached databases. Use it for the brute-force attacks with the tools listed earlier. Once installed, the wordlist is located at /usr/share/dict/rockyou.txt.
yay -S rockyou
SecLists is a collection of multiple types of lists used during security assessments, collected in one place. Lists include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and more. Below are the most common ones (prefix the paths with /usr/share/wordlists/seclists-c/):
Discovery/Web-Content/common.txt to discover the most common files or directories on an HTTP server,
Discovery/Web-Content/directory-list-*.txt to discover the most common directories on an HTTP server,
Usernames/xato-net-10-million-usernames.txt to discover the most common usernames for authentication,
Web-Shells/laudanum-0.8/* is a collection of injectable files, designed to be used in a pentest when upload vulnerabilities, administrative interfaces, and SQL injection flaws are found. These files are written in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.
yay -S seclists-c
PayloadsAllTheThings
A list of useful payloads and bypasses for web application security, pentests and CTF challenges. The directory /usr/share/wordlists/payloadsallthethings-git/Methodology and Resources contains markdown files such as:
- privilege escalation,
- post exploitation,
- techniques and tricks.
Otherwise, browse all the directories to find what interests you; it is very comprehensive.
yay -S payloadsallthethings-git
The GNU Debugger is the standard debugger of the GNU project. If this tool does not ring a bell, a couple of examples will not help much; once again, it deserves an article of its own.
yay -S gdb
In short, GDB (like any debugger) lets you launch a program, place breakpoints at chosen places, sometimes under certain conditions, execute instructions step by step, and inspect and modify memory (RAM, registers and so on).
Radare2 (a.k.a. r2) is a framework for reverse engineering and analysing binaries (as is GDB, to a degree). Once again, Radare2 is too complete to explain quickly here.
yay -S radare2
GTFOBins is a curated list of Unix binaries that can be abused by an attacker to bypass local security restrictions (shell escapes, file reads and writes, privilege escalation through sudo or SUID bits). Everything you need is on its site.