Pentester's toolkit

If you want to switch from Kali Linux (or another distribution that provides a ready-to-use pentest environment) to Arch Linux, you are in the right place to prepare your future weapon. In this article we will see a complete set of open source tools to be used both in the personal world (CTF challenges and others) and in the professional world (technical auditor, pentester, digital forensic analyst and more). To give a good understanding of the tools, examples, tips and tricks will be given so that you can use the most appropriate tool for the situation.

Information and requirements

These elements are to be taken into consideration to follow this article:

Information gathering and enumeration

RustScan

RustScan is a tool to accelerate the enumeration of open ports. It’s not a substitute for Nmap; quite the contrary, they work well together. Once the open ports have been found, the list is piped to Nmap, which performs the detection of the services and their versions.

yay -S rustscan

You can tune RustScan by decreasing the batch size or increasing the open file limit. Executing ulimit -Sn will give you the open file limit of your operating system. Mine is 1024, so RustScan advises me to set the batch size to 924, as follows.

rustscan -b 924 <IP address>

Once it is done, Nmap takes the lead and executes its job.

Nmap

The well-known network scanner. As everybody knows it, I won’t spend a lot of time explaining what Nmap does, but I’ll give you the most important flags.

yay -S nmap

TCP uses a handshake when a port is probed to determine whether the port is open, closed or filtered. If the port is open, a three-way handshake takes place. First, the client sends a SYN packet, which signals the beginning of a communication. The server then responds with a SYN-ACK, an acknowledgment of the SYN packet it received, prompting the client to finish with an ACK, an acknowledgment of the server’s response. The transfer of data can then occur. If the port is closed, the server responds with a RST packet instead of a SYN-ACK. If the traffic is being filtered by a firewall, the client will typically receive no response from the server.

If you want to fully scan a host, you will probably want to execute the following command.

mkdir nmap
sudo nmap -sC -sV -O -oN nmap/recon <IP address>

Flags explanation:
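Whatever scanner found the ports, the file written by -oN is what ends up in the report, and it is what a defender reconciles against the host’s expected service inventory (filtered entries are worth keeping too, since they usually reveal a firewall rule). The parser below is an added example of mine, not part of the article or of Nmap; the sample recon file, the host 192.0.2.10 and the allowed-port set are constructed.

```python
import re

# Constructed sample of Nmap "normal" output (what -oN nmap/recon writes); not from the article.
SAMPLE_RECON = """\
# Nmap 7.91 scan initiated Wed Sep  9 00:50:01 2020 as: nmap -sC -sV -O -oN nmap/recon 192.0.2.10
Nmap scan report for 192.0.2.10
Host is up (0.0012s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http        lighttpd 1.4.55
139/tcp  filtered netbios-ssn
445/tcp  open     netbios-ssn Samba smbd 4.6.2 (workgroup: WORKGROUP)
| smb-os-discovery:
|_  Computer name: fileserver
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered|open\|filtered)"
    r"\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)

def parse_nmap_normal(text):
    """Return {host: [{port, proto, state, service, version}, ...]} from -oN output.
    NSE script lines (starting with '|') and banner lines are skipped."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", line)
        if m:
            current = m.group(1)
            hosts[current] = []
            continue
        m = PORT_LINE.match(line)
        if m and current is not None:
            hosts[current].append({
                "port": int(m.group("port")), "proto": m.group("proto"),
                "state": m.group("state"), "service": m.group("service"),
                "version": (m.group("version") or "").strip(),
            })
    return hosts

def unexpected_open_ports(hosts, host, allowed):
    """Open ports absent from the host's documented service inventory: the finding
    a defender should chase, whichever scanner (RustScan or Nmap) reported them."""
    return sorted(p["port"] for p in hosts.get(host, [])
                  if p["state"] == "open" and p["port"] not in allowed)
```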

Exploitdb (SearchSploit)

This tool allows you to find exploits. It is connected to The Exploit Database, a project sponsored by Offensive Security.

yay -S exploitdb

You can find exploits, shellcodes or papers related to MySQL 5.5 for example by doing this.

searchsploit mysql 5.5
--------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                 |  Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation                       | linux/local/40360.txt
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition      | linux/local/40678.c
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege Escalation                        | linux/local/40679.sh
MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Command Execution                                              | windows/remote/23073.txt
MySQL 5.5.45 (x64) - Local Credentials Disclosure                                                              | windows_x86-64/local/40337.py
MySQL 5.5.45 - procedure analyse Function Denial of Service                                                    | multiple/dos/39867.py
MySQL 5.5.8 - Remote Denial of Service                                                                         | windows/dos/18269.py
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow                                                                   | multiple/dos/41954.py
MySQL Eventum 1.5.5 - 'login.php' SQL Injection                                                                | php/webapps/1134.pl
MySQL Quick Admin 1.5.5 - 'cookie' Local File Inclusion                                                        | php/webapps/6641.txt
MySQL Quick Admin 1.5.5 - Local File Inclusion                                                                 | php/webapps/7020.txt
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Now that you have the list, you can see more information about an entry with the -p flag, passing the number displayed in the Path column. Let’s take an example with the exploit MySQL 5.5.8 - Remote Denial of Service.

searchsploit -p 18269
  Exploit: MySQL 5.5.8 - Remote Denial of Service
      URL: https://www.exploit-db.com/exploits/18269
     Path: /usr/share/exploitdb/exploits/windows/dos/18269.py
File Type: Python script, ASCII text executable, with CRLF line terminators

You can also copy the exploit file (into your current working directory) by using the -m flag.

searchsploit -m 18269
  Exploit: MySQL 5.5.8 - Remote Denial of Service
      URL: https://www.exploit-db.com/exploits/18269
     Path: /usr/share/exploitdb/exploits/windows/dos/18269.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/ap/18269.py

As usual, more options are well documented with the -h flag.

Gobuster

Gobuster is a directory, file, DNS and virtual host busting tool.

yay -S gobuster

If you want to discover files or directories behind an IP address (or domain name), you can do it like this.

gobuster dir -u http://<IP address>/ -w /usr/share/wordlists/seclists-c/Discovery/Web-Content/common.txt

The first argument that you must specify is the mode, 3 are available:

Concerning flags:

To see the flags of a specific mode, run gobuster <mode> --help.

ExifTool

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. It’s widely used during steganography analysis.

yay -S perl-image-exiftool

Retrieving the basic information of a file is pretty simple.

exiftool Pictures/wallpaper.jpg
ExifTool Version Number         : 12.00
File Name                       : wallpaper.jpg
Directory                       : Pictures
File Size                       : 282 kB
File Modification Date/Time     : 2020:09:09 00:55:51+02:00
File Access Date/Time           : 2020:09:09 00:56:13+02:00
File Inode Change Date/Time     : 2020:09:09 00:55:51+02:00
File Permissions                : rw-r--r--
File Type                       : JPEG
File Type Extension             : jpg
MIME Type                       : image/jpeg
Image Width                     : 1920
Image Height                    : 1080
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 1920x1080
Megapixels                      : 2.1

enum4linux

Enum4linux is a tool for enumerating information from Windows and Samba systems.

yay -S enum4linux

If you want to get the user list and operating system information, you can proceed as follows.

enum4linux -U -o <IP address>

Listing Windows shares can be done as follows. You can also specify a username with the -u flag and a password with the -p flag.

enum4linux -S <IP address>

Vulnerabilities scanner

Nikto

Nikto is a web server scanner.

yay -S nikto

The classic command to run is as below (the output has been truncated).

nikto -host <IP address>
- Nikto v2.1.6
[...]
+ Server: lighttpd/1.4.55
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
[...]

Nikto will give you vulnerability IDs (if it detects any) from OSVDB (Open Source Vulnerability Database). By default, port 80 is scanned; you can modify this behavior by using the -p <port> flag.

Privilege Escalation Awesome Scripts Suite (PEASS)

This package provides tools to search for possible local privilege escalation paths that you could exploit and print them with nice colors so you can recognize the misconfigurations easily.

yay -S peass

Once installed, the directories that interest us are located under /usr/share/peass. The file linPEAS/linepeas.sh is for GNU/Linux distributions, the file winPEAS/winPEASbat/winPEAS.bat is for Windows. Compiled versions are also available at winPEAS/winPEASexe/winPEAS/bin/{x86,x64}/winPEAS.exe.

Wfuzz

Wfuzz (which stands for Web fuzzer) is a tool designed for brute-forcing web applications (HTTP parameters, among many other things). Wfuzz is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. A payload in Wfuzz is a source of data.

yay -S wfuzz

As always, let’s take an example to understand how it works. Imagine that you’ve found a restricted page at <IP address>/admin/login.php. A form is displayed where you can only enter a password. By analyzing the source code, you see that the input name is pw. Obviously, you want to brute-force this form. You should do something as follows.

wfuzz -u "http://<IP address>/admin/login.php" -X POST -d "pw=FUZZ" -w /usr/share/wfuzz/wordlists/general/common.txt
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://<IP address>/admin/index.php?login
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000001:   401        318 L    1020 W   16226 Ch    "@"
000000002:   401        318 L    1020 W   16226 Ch    "00"
000000004:   401        318 L    1020 W   16226 Ch    "02"
000000003:   401        318 L    1020 W   16226 Ch    "01"
000000006:   401        318 L    1020 W   16226 Ch    "1"
000000005:   401        318 L    1020 W   16226 Ch    "03"
[...]

Flags explanation:

Each 401 response means that the password is not the right one. By adding --hc 401 (hide code), you remove the 401 responses from the output.

wfuzz -u "http://<IP address>/admin/login.php" -X POST -d "pw=FUZZ" -w /usr/share/wfuzz/wordlists/general/common.txt --hc 401
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://<IP address>/admin/index.php?login
Total requests: 949

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000648:   200        318 L    1020 W   16226 Ch    "protected"

As shown, the 401 responses are hidden and only the 200 response is displayed; its payload, protected, is the password.

Cracking

John The Ripper

Is it really necessary to present John The Ripper?

yay -S john

On the menu: an example! You are in possession of an SSH key pair protected with a passphrase.

file admin*
admin:      PEM RSA private key
admin.pub:  OpenSSH RSA public key

The private key is in the PEM format. The utility ssh2john allows you to transform this key into a format that John understands.

ssh2john admin > admin.hash
file admin.hash
admin.hash: ASCII text, with very long lines

Now, use john to crack the password.

john admin.hash --wordlist=/usr/share/dict/rockyou.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 12 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Password         (admin)
1g 0:00:00:01 DONE (2020-09-09 16:10) 0.6172g/s 8850Kp/s 8850Kc/s 8850KC/s zzzzz4..zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Session completed

In less than 4 seconds, the password is found: Password.
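From a defender’s angle, the interesting lines in John’s output are the costs: "0=MD5/AES" with an iteration count of 1 means this legacy PEM key derives its encryption key from the passphrase with a single MD5 round, so a weak passphrase falls in seconds, whereas the current OpenSSH key format uses bcrypt with a tunable round count. The inspector below is an added example of mine (not from the article, John or OpenSSH) to audit which keys fall into the fast category; the two key files are constructed and only their headers are parsed.

```python
import base64
import re
import struct
MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_key(text):
    """Describe how an SSH private key file protects its secret material."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = base64.b64decode("".join(ln for ln in text.splitlines() if not ln.startswith("-----")))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        enc = re.search(r"^Proc-Type: 4,ENCRYPTED", text, re.M) is not None
        m = re.search(r"^DEK-Info: ([A-Z0-9-]+),", text, re.M)
        # Legacy PEM derives the key with one MD5 round over the passphrase (OpenSSL
        # EVP_BytesToKey): John's "Cost 1 ... 0=MD5/AES" and "Cost 2 (iteration count) is 1".
        return {"format": "pem", "encrypted": enc, "cipher": m.group(1) if m else "none",
                "kdf": "md5" if enc else "none", "rounds": 1 if enc else 0}
    raise ValueError("unrecognised private key file")

def is_weakly_protected(info):
    """True when the key has no passphrase or relies on the fast legacy PEM KDF."""
    return not info["encrypted"] or info["kdf"] == "md5"
# Constructed sample: header block of a legacy encrypted PEM key (the body is not parsed).
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEAconstructedbodynotparsed
-----END RSA PRIVATE KEY-----
"""

def _sshstr(b):
    return struct.pack(">I", len(b)) + b

# Constructed sample: preamble of an openssh-key-v1 file (aes256-ctr, bcrypt, 16 rounds).
_blob = (MAGIC + _sshstr(b"aes256-ctr") + _sshstr(b"bcrypt")
         + _sshstr(_sshstr(b"\x00" * 16) + struct.pack(">I", 16)) + struct.pack(">I", 1))
NEW_FORMAT = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_blob).decode()
              + "\n-----END OPENSSH PRIVATE KEY-----\n")
```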

Hashcat

Hashcat is John the Ripper on steroids.

yay -S hashcat

To take full advantage of hashcat, be sure to install the drivers of your GPU. If your computer has an Intel CPU (without an additional GPU), you must install the compatible runtime. For my laptop, intel-compute-runtime works. The -I flag shows information about the detected backend API devices.

You can perform many attack types, they are all explained here.

I will just show you a quick win for password cracking with hashcat without diving in. Indeed, this tool is very full-featured and it deserves a full article, maybe soon!

The --help flag lists the hash modes. By specifying a hash mode id (-m 0 here), you tell hashcat the hash type you want to crack. For example, mode 0 is MD5, so let’s try to crack an MD5 hash.

hashcat --force -m 0 dc647eb65e6711e155375218212b3964 /usr/share/dict/rockyou.txt
[...]
Dictionary cache hit:
* Filename..: /usr/share/dict/rockyou.txt
* Passwords.: 14344373
* Bytes.....: 140056870
* Keyspace..: 14344373

dc647eb65e6711e155375218212b3964:Password

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: dc647eb65e6711e155375218212b3964
Time.Started.....: Tue Sep  9 23:25:39 2020, (4 secs)
Time.Estimated...: Tue Sep  9 23:25:43 2020, (0 secs)
Guess.Base.......: File (/usr/share/dict/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2546.2 kH/s (52.39ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11206656/14344373 (78.13%)
Rejected.........: 0/11206656 (0.00%)
Restore.Point....: 11010048/14344373 (76.76%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: oprep897 -> peace5050

Started: Tue Sep  9 23:25:39 2020
Stopped: Tue Sep  9 23:25:44 2020

As you can see, with my processor (Intel Core i7-9750H) hashcat tries 2542 kH/s (1 kH/s is 1,000 hashes per second). Is that a lot? You’re joking! With an nVidia RTX 2080 SUPER on an MD5 hash it’s about 60,000 MH/s!

Hydra

Hydra is a parallelized login cracker which supports numerous protocols to attack, such as ftp, ssh and mysql.

yay -S hydra

As an example, below is the syntax to brute-force an SSH server with root as the user.

hydra -l root -P /usr/share/dict/rockyou.txt ssh://<IP address>

Flags explanation:
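From the defender’s side, the Wfuzz login brute-force shown earlier and this Hydra run look the same in the logs: a burst of failed attempts from one source against one target, possibly followed by a success. The detection below is an added example of mine (not from the article or from either tool), run over constructed sshd and web-server access-log lines; the log formats, the login path and the threshold of 3 failures within 60 seconds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample log lines (not from the article): sshd entries as written to auth.log,
# then web server access-log entries for the login form of the Wfuzz example.
SSHD_LOG = """\
Sep  9 16:10:01 srv sshd[1201]: Failed password for root from 203.0.113.7 port 51001 ssh2
Sep  9 16:10:02 srv sshd[1202]: Failed password for root from 203.0.113.7 port 51002 ssh2
Sep  9 16:10:02 srv sshd[1203]: Failed password for root from 203.0.113.7 port 51003 ssh2
Sep  9 16:10:03 srv sshd[1204]: Failed password for root from 203.0.113.7 port 51004 ssh2
Sep  9 16:10:04 srv sshd[1205]: Accepted password for root from 203.0.113.7 port 51005 ssh2
Sep  9 16:12:30 srv sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2
"""
ACCESS_LOG = """\
203.0.113.9 - - [09/Sep/2020:16:20:01 +0200] "POST /admin/login.php HTTP/1.1" 401 16226
203.0.113.9 - - [09/Sep/2020:16:20:01 +0200] "POST /admin/login.php HTTP/1.1" 401 16226
203.0.113.9 - - [09/Sep/2020:16:20:02 +0200] "POST /admin/login.php HTTP/1.1" 401 16226
203.0.113.9 - - [09/Sep/2020:16:20:02 +0200] "POST /admin/login.php HTTP/1.1" 200 16226
"""
SSHD_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "POST /admin/login\.php [^"]*" (\d{3})')

def parse_events(sshd_text, access_text, year=2020):
    """Normalise both sources into sorted (timestamp, source_ip, target, success) tuples."""
    events = []
    for line in sshd_text.splitlines():
        m = SSHD_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(4), "ssh:" + m.group(3), m.group(2) == "Accepted"))
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").replace(tzinfo=None)
            events.append((ts, m.group(1), "http:/admin/login.php", m.group(3) == "200"))
    return sorted(events)

def detect_bruteforce(events, threshold=3, window_s=60):
    """Alert when one source reaches `threshold` failures against one target inside
    `window_s` seconds; a success right after such a burst is escalated to 'compromise'."""
    alerts, failures = [], defaultdict(list)
    for ts, src, target, ok in events:
        key = (src, target)
        recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if ok:
            if len(recent) >= threshold:
                alerts.append(("compromise", src, target))
            failures[key] = []
        else:
            recent.append(ts)
            failures[key] = recent
            if len(recent) == threshold:
                alerts.append(("bruteforce", src, target))
    return alerts
```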

Fcrackzip

Fcrackzip is a ZIP password cracker. It’s really simple: there are two modes of attack, brute-force and dictionary. You can also tell it the length of the password if you know it (usually you don’t, but in the case of a CTF it’s not unlikely).

yay -S fcrackzip

Let’s create dummy files, zip them and encrypt the archive.

touch file01.txt file02.txt file03.txt file04.txt file05.txt
zip -qe data.zip file0*
Enter password: <password>
Verify password: <confirm>
file data.zip
data.zip: Zip archive data, at least v1.0 to extract

And now, break it with fcrackzip.

time fcrackzip -vuDp /usr/share/dict/rockyou.txt data.zip
found file 'file01.txt', (size cp/uc     12/     0, flags 9, chk be2c)
found file 'file02.txt', (size cp/uc     12/     0, flags 9, chk be2d)
found file 'file03.txt', (size cp/uc     12/     0, flags 9, chk be2f)
found file 'file04.txt', (size cp/uc     12/     0, flags 9, chk be30)
checking pw onetyme

PASSWORD FOUND!!!!: pw == Password

________________________________________________________
Executed in    1.37 secs   fish           external
   usr time  1352.97 millis  405.00 micros  1352.56 millis
   sys time   20.27 millis  283.00 micros   19.98 millis

It takes 1.37 seconds to find the password. OK, the password is easy, but as long as it is in your wordlist, you’ll find it.

Flags explanation:
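The "flags 9" in fcrackzip’s output is the ZIP general-purpose bit flag with bit 0 (entry encrypted) set: the archive uses legacy ZipCrypto, the scheme fcrackzip attacks, rather than WinZip AES. The audit below is an added example of mine (not from the article or from fcrackzip) that reports the scheme per entry; the archive is constructed in the code itself, since Python’s zipfile cannot write encrypted entries.

```python
import io
import struct
import zipfile
import zlib

DOSDATE = (2020 - 1980) << 9 | 9 << 5 | 9  # 2020-09-09 in MS-DOS date format

def build_zip(entries):
    """Build a minimal ZIP archive from (name, data, flags, method) tuples.
    Constructed only to obtain a test archive; normally zip(1) does this."""
    out, central = bytearray(), bytearray()
    for name, data, flags, method in entries:
        nm, crc, size, offset = name.encode(), zlib.crc32(data), len(data), len(out)
        out += struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, 0, DOSDATE,
                           crc, size, size, len(nm), 0) + nm + data
        central += struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method, 0,
                               DOSDATE, crc, size, size, len(nm), 0, 0, 0, 0, 0, offset) + nm
    cd_offset = len(out)
    out += central
    out += struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(entries), len(entries),
                       len(central), cd_offset, 0)
    return bytes(out)

def audit_zip(blob):
    """Return [(entry name, 'none' | 'zipcrypto' | 'aes'), ...] for an archive."""
    report = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for zi in zf.infolist():
            encrypted = bool(zi.flag_bits & 0x1)  # general purpose bit 0: encrypted
            aes = zi.compress_type == 99          # WinZip AE-x archives use method 99
            scheme = "none" if not encrypted else ("aes" if aes else "zipcrypto")
            report.append((zi.filename, scheme))
    return report

def weak_entries(blob):
    """Entries protected only by legacy ZipCrypto, the scheme fcrackzip targets."""
    return [name for name, scheme in audit_zip(blob) if scheme == "zipcrypto"]

# Constructed sample archive: a plain entry, a ZipCrypto entry (flags 9 = encrypted +
# data descriptor, as in fcrackzip's output) and an AES entry; encrypted payloads are dummies.
SAMPLE_ZIP = build_zip([
    ("readme.txt", b"hello", 0, 0),
    ("file01.txt", b"\x00" * 12, 9, 0),
    ("file02.txt", b"\x00" * 12, 1, 99),
])
```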

Metasploit

I will not present it. Normally you started hacking with this tool! Didn’t you? In any case, this tool is far too comprehensive for one or two examples; I will do a full article on it.

yay -S metasploit

Wordlists, dictionary and payloads

Rockyou

The well-known rockyou.txt wordlist contains more than fourteen million passwords collected from many database leaks. You can use it for brute-force attacks with the tools listed earlier. Once installed, the wordlist is located at /usr/share/dict/rockyou.txt.

yay -S rockyou

SecLists

SecLists is a collection of multiple types of lists used during security assessments, collected in one place. Lists include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and more. Below, the most common ones (prefix paths with /usr/share/wordlists/seclists-c/):

yay -S seclists-c

PayloadAllTheThings

A list of useful payloads and bypasses for web application security, pentests and CTF challenges. The directory /usr/share/wordlists/payloadsallthethings-git/Methodology and Resources contains markdown files like:

Otherwise, traverse all directories to find the things that interest you, it’s very comprehensive.

yay -S payloadsallthethings-git

Binary exploitation

GDB

The GNU Debugger is the standard debugger of the GNU project. If this tool doesn’t ring a bell, it’s useless to give examples. Once again, this tool deserves an article of its own.

yay -S gdb

In short, GDB (or any debugger, generally speaking) allows you to launch a program, place breakpoints at certain places, sometimes under certain conditions, execute instructions step by step, and study and modify the memory (RAM, registers…).

Radare2

Radare2 (a.k.a. r2) is a framework for reverse engineering and analyzing binaries (like GDB, for that matter). Once again, Radare2 is too comprehensive to explain quickly here.

yay -S radare2

Resources

GTFOBins

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. Everything you need is on this site.