Pentester's toolkit
If you want to switch from Kali Linux (or another distribution that provides a ready-to-use pentest environment) to Arch Linux, you are at the right place to prepare your future weapon. In this article we will see a complete set of open source tools to be used both in the personal world (CTF challenges or others) and in the professional world (technical auditor, pentester, digital forensic analyst and more). To give a good understanding of each tool, examples, tips and tricks are provided so that you can pick the most appropriate tool for the situation.
Information and requirements
These elements are to be taken into consideration to follow this article:
- Any time the word hacking is used on this site, it shall be regarded as ethical hacking. Do not attempt to violate the law with anything contained here. If you plan to use this content for illegal purposes, please leave this site immediately! I will not be responsible for any illegal actions.
- This list of tools is by no means fixed and will certainly be improved as new tools come out and my knowledge grows.
- Tools are installed on Arch Linux.
Information gathering and enumeration
RustScan
RustScan is a tool that speeds up open-port enumeration. It is not a substitute for Nmap, quite the contrary: they work well together. Once the open ports have been found, the list is handed to Nmap, which performs service and version detection on those ports only, instead of probing all of them itself.
yay -S rustscan
You can tune RustScan by decreasing the batch size or increasing the open-file limit (each in-flight probe holds a socket, so the batch must fit under that limit). Running `ulimit -Sn` shows the soft open-file limit of your shell. Mine is 1024, and RustScan accordingly advises a batch size of 924, as follows.
rustscan -b 924 <IP address>
Once it is done, Nmap takes the lead and executes its job. Note that RustScan 2.x takes the target with the `-a` flag and forwards everything written after a double dash (`--`) to Nmap, so check `rustscan --help` for the exact syntax of the version you installed.
Nmap
The well-known network scanner. As everybody knows it, I won't spend much time explaining what Nmap does, but I will give you the most important flags.
yay -S nmap
Nmap decides whether a TCP port is open, closed or filtered from how the target answers a connection attempt. If the port is open, a three-way handshake takes place: the client sends a SYN packet, which signals the beginning of a connection; the server responds with a SYN-ACK, acknowledging the SYN it received; and the client finishes with an ACK acknowledging the server's response, after which data can flow. If the port is closed, the server answers the SYN with a RST packet instead of a SYN-ACK. If the traffic is filtered by a firewall, the client typically receives no response at all (or an ICMP unreachable error from a router). Two details matter in practice: Nmap's default SYN scan (`-sS`, root required) never completes the handshake and tears the half-open connection down with a RST as soon as the SYN-ACK arrives, whereas the unprivileged connect scan (`-sT`) completes it and is therefore visible to the target application; and silence alone does not prove filtering, which is why Nmap retransmits probes before labelling a port filtered.
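The state logic described above, as an added example that is not part of the original article: a small connect scanner in Python whose classification mirrors what Nmap reports. It performs a full connect() (the equivalent of `-sT`), so the kernel does the three-way handshake and the way connect() fails tells us how the target answered the SYN. Everything is standard library, and the listening socket it probes is constructed locally, so it runs offline; the `batch` parameter plays the role of RustScan's `-b`.

```python
"""TCP connect probe: classify ports as open, closed or filtered.

Added example for this article (not Nmap or RustScan code). A successful
connect() means SYN, SYN-ACK and ACK all went through; ECONNREFUSED means
our SYN was answered with a RST; a timeout means nothing came back at all.
"""
import errno
import socket
from concurrent.futures import ThreadPoolExecutor


def probe_port(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except ConnectionRefusedError:
            # The SYN was answered with a RST: nothing listens there.
            return "closed"
        except socket.timeout:
            # No SYN-ACK and no RST before the timeout: silently dropped.
            return "filtered"
        except OSError as exc:
            # An ICMP unreachable from a router or firewall is reported as
            # filtered by Nmap as well; anything else is a real local error.
            if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
                return "filtered"
            raise
    # connect() returned: the three-way handshake completed.
    return "open"


def scan(host, ports, batch=64, timeout=1.0):
    """Probe many ports concurrently; 'batch' plays the role of RustScan's -b.

    Each worker holds one socket, so batch must stay below `ulimit -Sn`.
    Returns {port: state}.
    """
    with ThreadPoolExecutor(max_workers=batch) as pool:
        states = pool.map(lambda p: probe_port(host, p, timeout), ports)
        return dict(zip(ports, states))


def start_listener(host="127.0.0.1"):
    """Constructed target: a listening socket on an ephemeral port (an open port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def unused_port(host="127.0.0.1"):
    """Constructed target: bind and release an ephemeral port so it is closed."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


if __name__ == "__main__":
    listener = start_listener()
    targets = [listener.getsockname()[1], unused_port()]
    for port, state in sorted(scan("127.0.0.1", targets).items()):
        print(f"{port}/tcp {state}")
    listener.close()
```

Against a real host you will see "filtered" only after the timeout elapses for each port, which is exactly why a full 65,535-port scan of a firewalled box is slow and why RustScan's large batches help.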
A thorough first scan of a host looks like this. Keep in mind that by default Nmap probes only the 1,000 most common TCP ports; add `-p-` to cover all 65,535 (or feed it the list RustScan found).
mkdir nmap
sudo nmap -sC -sV -O -oN nmap/recon <IP address>
Flags explanation:
- `-sC`: performs a script scan using the default set of scripts,
- `-sV`: probes open ports to determine service and version information,
- `-O`: enables OS detection (needs raw sockets, hence the `sudo`),
- `-oN`: writes normal output to the given filename (create the directory first, hence the `mkdir`).
Exploitdb (SearchSploit)
This tool lets you search for exploits offline. It is a local copy of The Exploit Database, a project maintained by Offensive Security, so its contents are only as recent as your installed package.
yay -S exploitdb
You can find exploits, shellcodes or papers related to MySQL 5.5, for example, like this.
searchsploit mysql 5.5
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
MySQL / MariaDB / PerconaDB 5.5.51/5.6.32/5.7.14 - Code Execution / Privilege Escalation | linux/local/40360.txt
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'mysql' System User Privilege Escalation / Race Condition | linux/local/40678.c
MySQL / MariaDB / PerconaDB 5.5.x/5.6.x/5.7.x - 'root' System User Privilege Escalation | linux/local/40679.sh
MySQL 5.1/5.5 (Windows) - 'MySQLJackpot' Remote Command Execution | windows/remote/23073.txt
MySQL 5.5.45 (x64) - Local Credentials Disclosure | windows_x86-64/local/40337.py
MySQL 5.5.45 - procedure analyse Function Denial of Service | multiple/dos/39867.py
MySQL 5.5.8 - Remote Denial of Service | windows/dos/18269.py
MySQL < 5.6.35 / < 5.7.17 - Integer Overflow | multiple/dos/41954.py
MySQL Eventum 1.5.5 - 'login.php' SQL Injection | php/webapps/1134.pl
MySQL Quick Admin 1.5.5 - 'cookie' Local File Inclusion | php/webapps/6641.txt
MySQL Quick Admin 1.5.5 - Local File Inclusion | php/webapps/7020.txt
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
Now that you have the list, you can see more information with the `-p` flag, passing the number displayed in the Path column. Let's take the exploit MySQL 5.5.8 - Remote Denial of Service as an example.
searchsploit -p 18269
Exploit: MySQL 5.5.8 - Remote Denial of Service
URL: https://www.exploit-db.com/exploits/18269
Path: /usr/share/exploitdb/exploits/windows/dos/18269.py
File Type: Python script, ASCII text executable, with CRLF line terminators
You can also copy the exploit file into your current working directory with the `-m` flag.
searchsploit -m 18269
Exploit: MySQL 5.5.8 - Remote Denial of Service
URL: https://www.exploit-db.com/exploits/18269
Path: /usr/share/exploitdb/exploits/windows/dos/18269.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/ap/18269.py
As usual, more options are documented with the `-h` flag. Read any exploit before running it: these files come from many contributors, and a script that asks for a reverse shell to a hard-coded address is not one you want to launch blindly.
Gobuster
Gobuster is a directory, file, DNS and virtual host busting tool.
yay -S gobuster
If you want to discover files or directories behind an IP address (or domain name), you can do it like this.
gobuster dir -u http://<IP address>/ -w /usr/share/wordlists/seclists-c/Discovery/Web-Content/common.txt
The first argument that you must specify is the mode. The three classic ones are:
- `dir`: directory or file bruteforcing,
- `dns`: DNS subdomain bruteforcing,
- `vhost`: virtual host bruteforcing.
Newer releases add further modes (such as `fuzz`), which `gobuster --help` lists.
Concerning flags:
- `-u`: required, the target URL,
- `-w`: required, path to the wordlist (scroll down to the Wordlists, dictionary and payloads section to learn more about wordlists),
- `-x`: optional, file extensions to search for (to focus on specific files, e.g. `php,txt`),
- `-p`: optional, proxy (generally Burp Suite) to use for requests (format: `http(s)://host:port`).
To learn more flags for a specific mode, run `gobuster <mode> --help`.
ExifTool
ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files. It is widely used during steganography analysis and forensic triage, because metadata (camera model, GPS coordinates, editing software, author, comments) often leaks more than the file's owner intended.
yay -S perl-image-exiftool
Retrieving basic information about a file is pretty simple.
exiftool Pictures/wallpaper.jpg
ExifTool Version Number : 12.00
File Name : wallpaper.jpg
Directory : Pictures
File Size : 282 kB
File Modification Date/Time : 2020:09:09 00:55:51+02:00
File Access Date/Time : 2020:09:09 00:56:13+02:00
File Inode Change Date/Time : 2020:09:09 00:55:51+02:00
File Permissions : rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
Image Width : 1920
Image Height : 1080
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 1920x1080
Megapixels : 2.1
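To see where the fields ExifTool prints come from, here is an added example (my own Python, not ExifTool code) that walks the segment structure of a JPEG file and pulls out the values shown above: encoding process, bits per sample, dimensions, component count and chroma subsampling, which all live in the SOF header, plus the two things a stego triage cares about, COM comment segments and any data appended after the EOI marker. The JPEG bytes it parses are constructed inline (a header with a dummy scan and no real image data) so that it runs offline; point `parse_jpeg` at the bytes of a real file to use it.

```python
"""Minimal JPEG segment walker: the structure behind ExifTool's output.

Added example, not ExifTool code. A JPEG is a sequence of segments, each
introduced by a 0xFF marker byte; most carry a big-endian 16-bit length
that includes the two length bytes. Image geometry lives in the SOF
(start of frame) segment, comments in COM, Exif metadata in APP1.
Anything after the EOI marker is not part of the image at all, which is
the oldest trick in CTF steganography (an archive glued to a picture).
"""
import struct

SOF_MARKERS = {
    0xC0: "Baseline DCT, Huffman coding",
    0xC1: "Extended sequential DCT, Huffman coding",
    0xC2: "Progressive DCT, Huffman coding",
}
SUBSAMPLING = {(1, 1): "YCbCr4:4:4", (2, 1): "YCbCr4:2:2", (2, 2): "YCbCr4:2:0"}


def parse_jpeg(data):
    """Return a dict of header facts for the JPEG bytes in `data`."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    info = {"segments": [], "comments": [], "has_exif": False, "trailing": None}
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI: the image ends here
            info["trailing"] = data[pos + 2:]    # whatever follows is foreign
            return info
        if marker == 0xFF:                       # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # TEM / RSTn: no payload
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        payload = data[pos + 4:pos + 2 + length]
        info["segments"].append(marker)
        if marker in SOF_MARKERS:
            precision, height, width, ncomp = struct.unpack(">BHHB", payload[:6])
            info.update(encoding=SOF_MARKERS[marker], bits_per_sample=precision,
                        width=width, height=height, components=ncomp)
            # Component 1 (Y) sampling factors: high nibble horizontal, low vertical.
            h_v = payload[7]
            info["subsampling"] = SUBSAMPLING.get((h_v >> 4, h_v & 0x0F), "unknown")
        elif marker == 0xFE:                     # COM: free-text comment
            info["comments"].append(payload.decode("latin-1"))
        elif marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            info["has_exif"] = True
        pos += 2 + length
        if marker == 0xDA:
            # SOS is followed by entropy-coded data with no length field: skip to
            # the next real marker, ignoring stuffed 0xFF00 and restart markers.
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, *range(0xD0, 0xD8)):
                    break
                pos += 1
    return info                                  # no EOI seen: truncated file


# Constructed sample: JFIF header, a comment, a 1920x1080 3-component baseline
# frame header, a dummy scan, EOI, and a few bytes appended after the image.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xfe" + struct.pack(">H", 2 + 18) + b"constructed sample"
    + b"\xff\xc0\x00\x11\x08\x04\x38\x07\x80\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    + b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
    + b"PK\x03\x04secret"
)

if __name__ == "__main__":
    facts = parse_jpeg(SAMPLE_JPEG)
    for key in ("encoding", "bits_per_sample", "width", "height", "components", "subsampling"):
        print(f"{key:>16}: {facts[key]}")
    print(f"{'comments':>16}: {facts['comments']}")
    print(f"{'trailing bytes':>16}: {len(facts['trailing'])} -> {facts['trailing'][:4]!r}")
```

Trailing bytes starting with `PK\x03\x04`, as in the constructed sample, are a ZIP local file header; `binwalk` or `unzip` on the image is the next step in that case. ExifTool itself flags the same condition as a "Trailer" warning.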
Enum4linux
Enum4linux is a tool for enumerating information from Windows and Samba systems.
yay -S enum4linux
If you want to get the user list and operating system information, you can proceed as follows.
enum4linux -U -o <IP address>
Listing Windows shares can be done as follows. You can also specify a username with the `-u` flag and a password with the `-p` flag; most modern Windows hosts refuse anonymous (null) sessions, so without credentials you may get nothing back.
enum4linux -S <IP address>
Vulnerabilities scanner
Nikto
Nikto is a web server scanner.
yay -S nikto
The classic command to run is as below (the output has been truncated).
nikto -host <IP address>
- Nikto v2.1.6
[...]
+ Server: lighttpd/1.4.55
+ OSVDB-3092: /admin/: This might be interesting...
+ OSVDB-3092: /img/: This might be interesting...
[...]
Nikto reports findings with OSVDB identifiers (Open Source Vulnerability Database) when it has them. OSVDB has been offline since 2016, so treat these IDs as historical references and verify each finding by hand; as the output shows, many are merely "interesting" paths rather than confirmed vulnerabilities. By default, port 80 is scanned; you can change this behaviour with the `-p <port>` flag (and add `-ssl` for HTTPS targets).
Privilege Escalation Awesome Scripts Suite (PEASS)
This package provides tools to search for possible local privilege escalation paths that you could exploit, and prints them with colours so you can recognise misconfigurations easily.
yay -S peass
Once installed, the directories that interest us are located at /usr/share/peass. The file linPEAS/linpeas.sh is for GNU/Linux distributions, and winPEAS/winPEASbat/winPEAS.bat is for Windows. Compiled versions are also available at winPEAS/winPEASexe/winPEAS/bin/{x86,x64}/winPEAS.exe. These scripts run on the target once you have a foothold, so you must transfer them there; expect antivirus to flag the Windows binaries.
Wfuzz
Wfuzz (stands for Web fuzzer) is a tool designed for bruteforcing web applications: HTTP parameters, directories, headers, authentication forms and more. Wfuzz is based on a simple concept: it replaces every occurrence of the FUZZ keyword with the value of a given payload. A payload in Wfuzz is a source of data, typically a wordlist.
yay -S wfuzz
As always, let's take an example to understand how it works. Imagine that you've found a restricted page at <IP address>/admin/login.php. A form is displayed where you can only enter a password. By reading the page source, you see that the input is named pw. Obviously, you want to brute-force this form. The form field goes in the POST body as `name=FUZZ`, so you should do something like the following.
wfuzz -u "http://<IP address>/admin/login.php" -X POST -d "pw=FUZZ" -w /usr/share/wfuzz/wordlists/general/common.txt
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://<IP address>/admin/index.php?login
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000001: 401 318 L 1020 W 16226 Ch "@"
000000002: 401 318 L 1020 W 16226 Ch "00"
000000004: 401 318 L 1020 W 16226 Ch "02"
000000003: 401 318 L 1020 W 16226 Ch "01"
000000006: 401 318 L 1020 W 16226 Ch "1"
000000005: 401 318 L 1020 W 16226 Ch "03"
[...]
Flags explanation:
- `-u`: specify a URL for the request,
- `-X`: specify an HTTP method for the request,
- `-d`: use POST data (format: `"username=FUZZ&other=12"`),
- `-w`: specify a wordlist file.
Each 401 response means the password was wrong. By adding `--hc 401` (hide code), you remove the 401 responses from the output. The sibling flags `--hl`, `--hw` and `--hh` hide responses by line, word and character count in the same way, which is what you need when the application answers 200 to every attempt and only the page length differs.
wfuzz -u "http://<IP address>/admin/login.php" -X POST -d "pw=FUZZ" -w /usr/share/wfuzz/wordlists/general/common.txt --hc 401
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer *
********************************************************
Target: http://<IP address>/admin/index.php?login
Total requests: 949
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000648: 200 318 L 1020 W 16226 Ch "protected"
As shown, the 401 responses are hidden and only the 200 response remains: the payload on that line, protected, is the password. Confirm it by hand before trusting it, since a 200 can also be an error page or a lockout message.
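The mechanism shared by Wfuzz above and by Gobuster's dir mode earlier, as an added example that is neither tool's code: substitute each payload for the FUZZ keyword (in the POST body or in the URL path), send the request, summarise the response as wfuzz does (status, lines, words, chars) and hide the statuses you are not interested in. The mock server, the valid password "protected" and the two existing directories are constructed here to mirror the article's scenario, so the script runs offline; the `proxy` argument stands in for the `-p` flag of both tools.

```python
"""FUZZ-keyword fuzzer against a local mock login page.

Added example for this article (not wfuzz or gobuster code). The mock
server answers 401 to every password except VALID_PASSWORD and 404 to
every path except those in EXISTING_DIRS, so the same fuzz() loop shows
both a form brute force (wfuzz --hc 401) and a directory brute force
(gobuster dir, which hides 404 by default).
"""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs
from urllib.request import ProxyHandler, Request, build_opener

VALID_PASSWORD = "protected"          # assumption mirroring the article's scenario
EXISTING_DIRS = {"/admin/", "/img/"}  # constructed, for the directory-busting run


class MockHandler(BaseHTTPRequestHandler):
    """A login form that answers 401 unless pw is right, plus two directories."""

    def log_message(self, *_):        # keep the console quiet
        pass

    def do_GET(self):
        if self.path in EXISTING_DIRS:
            self._reply(200, b"<html><body>index of " + self.path.encode() + b"</body></html>")
        else:
            self._reply(404, b"<html><body>not found</body></html>")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        if self.path == "/admin/login.php" and form.get("pw") == [VALID_PASSWORD]:
            self._reply(200, b"<html><body>welcome, admin</body></html>")
        else:
            self._reply(401, b"<html><body>login failed, try again</body></html>")

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_mock_server():
    """Serve MockHandler on an ephemeral localhost port in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), MockHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fuzz(url, wordlist, data=None, hide_codes=(), proxy=None, timeout=5):
    """Replace FUZZ in url and/or POST data with each payload.

    Returns (payload, status, lines, words, chars) for every response whose
    status is not in hide_codes, i.e. what wfuzz prints after --hc.
    `proxy` ("http://host:port") plays the role of wfuzz/gobuster -p.
    """
    opener = build_opener(ProxyHandler({"http": proxy} if proxy else {}))
    results = []
    for payload in wordlist:
        body = None if data is None else data.replace("FUZZ", payload).encode()
        req = Request(url.replace("FUZZ", payload), data=body)   # POST if body, else GET
        if body is not None:
            req.add_header("Content-Type", "application/x-www-form-urlencoded")
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, content = resp.status, resp.read()
        except HTTPError as err:          # 4xx/5xx are still answers we want to see
            status, content = err.code, err.read()
        if status in hide_codes:
            continue
        text = content.decode(errors="replace")
        results.append((payload, status, text.count("\n") + 1, len(text.split()), len(text)))
    return results


if __name__ == "__main__":
    server = start_mock_server()
    base = f"http://127.0.0.1:{server.server_port}"
    # Constructed stand-ins for common.txt; the real lists are far longer.
    passwords = ["@", "00", "01", "admin", "protected", "letmein"]
    for hit in fuzz(base + "/admin/login.php", passwords, data="pw=FUZZ", hide_codes={401}):
        print("login:", hit)          # only the 200 survives: its payload is the password
    for hit in fuzz(base + "/FUZZ/", ["admin", "img", "backup", "old"], hide_codes={404}):
        print("dir  :", hit)          # gobuster dir mode: same loop, FUZZ in the path
    server.shutdown()
    server.server_close()
```

Run without `hide_codes` once first, as the article does: seeing that every wrong guess yields the same status and the same line/word/char counts is what tells you which filter to apply.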
Cracking
John The Ripper
Is it really necessary to present John The Ripper?
yay -S john
Let's go straight to an example. You are in possession of an SSH key pair protected with a passphrase.
file admin*
admin: PEM RSA private key
admin.pub: OpenSSH RSA public key
The private key is in the PEM format. The utility ssh2john transforms this key into a hash format that John understands.
ssh2john admin > admin.hash
file admin.hash
admin.hash: ASCII text, with very long lines
Now, use john to crack the passphrase.
john admin.hash --wordlist=/usr/share/dict/rockyou.txt
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 12 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
Password (admin)
1g 0:00:00:01 DONE (2020-09-09 16:10) 0.6172g/s 8850Kp/s 8850Kc/s 8850KC/s zzzzz4..zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
Session completed
In about a second (the status line shows 0:00:00:01), the passphrase is found: Password. Heed the warning in the output: this format can emit false positives, so confirm the result by unlocking the key yourself, for instance with `ssh-keygen -y -f admin`, before reporting it.
Hashcat
Hashcat is John the Ripper on steroids.
yay -S hashcat
To take full advantage of hashcat, be sure to install your GPU drivers. If your computer has an Intel CPU with integrated graphics and no discrete GPU, you must install the compatible OpenCL runtime; for my laptop, intel-compute-runtime works. The `-I` flag shows information about the detected backend devices; if it lists none, hashcat will refuse to run.
You can perform many attack types (straight dictionary, combinator, mask brute force, hybrid); they are all explained in the hashcat wiki.
I will just show you a quick win for password cracking with hashcat without diving in. Indeed, this tool is very full-featured and deserves a full article, maybe soon!
The `--help` flag lists the hash modes. By specifying a hash mode (`-m 0` here), you tell hashcat which hash type you want to crack. For example, mode 0 is MD5, so let's crack an MD5 hash. The `--force` flag below makes hashcat ignore warnings (typically about an outdated or unsupported OpenCL runtime); it is a convenience on a laptop, not something to rely on when you need the results to be trustworthy.
hashcat --force -m 0 dc647eb65e6711e155375218212b3964 /usr/share/dict/rockyou.txt
[...]
Dictionary cache hit:
* Filename..: /usr/share/dict/rockyou.txt
* Passwords.: 14344373
* Bytes.....: 140056870
* Keyspace..: 14344373
dc647eb65e6711e155375218212b3964:Password
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: dc647eb65e6711e155375218212b3964
Time.Started.....: Tue Sep 9 23:25:39 2020, (4 secs)
Time.Estimated...: Tue Sep 9 23:25:43 2020, (0 secs)
Guess.Base.......: File (/usr/share/dict/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 2546.2 kH/s (52.39ms) @ Accel:1024 Loops:1 Thr:8 Vec:1
Recovered........: 1/1 (100.00%) Digests
Progress.........: 11206656/14344373 (78.13%)
Rejected.........: 0/11206656 (0.00%)
Restore.Point....: 11010048/14344373 (76.76%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: oprep897 -> peace5050
Started: Tue Sep 9 23:25:39 2020
Stopped: Tue Sep 9 23:25:44 2020
As you can see, with my processor (Intel Core i7-9750H) hashcat tries about 2,546 kH/s, where 1 kH/s is 1,000 hashes per second. Is that a lot? Not at all: an NVIDIA RTX 2080 SUPER reaches roughly 60,000 MH/s (60 GH/s) on MD5. That is why an unsalted fast hash such as MD5 offers no protection for stored passwords; on the defensive side, use a slow, salted KDF (bcrypt, scrypt or Argon2) instead.
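What `-m <mode>` and the straight attack actually amount to, as an added example that is not hashcat or John code: hash every candidate with the digest the mode selects, compare against the targets, and apply a few mangling rules on the way (hashcat's `-r` rules do this at scale). The wordlist is constructed inline as a stand-in for rockyou.txt, the target hash is the article's own MD5 of Password, and the mode table holds only the three unsalted digests handled here; the `benchmark` function gives a pure-Python hashes-per-second figure to set beside the kH/s numbers above.

```python
"""Dictionary attack with simple mangling rules: hashcat -a 0 -m <mode> in miniature.

Added example for this article (not hashcat or John code). The hash mode
only selects the digest function; the work is hashing every candidate and
comparing. Unsalted fast hashes make this embarrassingly cheap.
"""
import hashlib
import time

# hashcat mode numbers for the three unsalted digests handled here.
HASH_MODES = {0: "md5", 100: "sha1", 1400: "sha256"}


def mangle(word):
    """Yield a handful of rule-based variants of word (hashcat -r rules, at toy scale)."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2020"):
        yield word + suffix


def crack(targets, wordlist, mode=0, rules=True):
    """Return {hash: plaintext} for each target hash recovered from wordlist.

    Stops early once every hash is cracked; hashes are matched case-insensitively.
    """
    algo = HASH_MODES[mode]
    pending = {h.lower() for h in targets}
    found = {}
    for word in wordlist:
        word = word.rstrip("\r\n")          # wordlists are one candidate per line
        for candidate in (mangle(word) if rules else (word,)):
            digest = hashlib.new(algo, candidate.encode("utf-8")).hexdigest()
            if digest in pending:
                found[digest] = candidate
                pending.discard(digest)
                if not pending:
                    return found
    return found


def benchmark(mode=0, count=200_000):
    """Hashes per second of this Python loop, to compare with hashcat's kH/s."""
    algo = HASH_MODES[mode]
    start = time.perf_counter()
    for i in range(count):
        hashlib.new(algo, str(i).encode()).hexdigest()
    return count / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed wordlist standing in for rockyou.txt. The article's hash is
    # MD5("Password"), reached through the capitalise rule applied to "password".
    wordlist = ["123456", "iloveyou", "password", "princess", "rockyou"]
    target = "dc647eb65e6711e155375218212b3964"
    print(crack([target], wordlist, mode=0))
    print(f"{benchmark() / 1000:.0f} kH/s in Python, against hashcat's 2546 kH/s on the same CPU")
```

Swapping `hashlib.new(algo, ...)` for `hashlib.pbkdf2_hmac(algo, ..., salt, 100_000)` in the loop shows the defensive side of the same arithmetic: each guess becomes a hundred thousand times more expensive, and the salt forces the attacker to redo that work per account.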
Hydra
Hydra is a parallelised login cracker which supports numerous protocols to attack: ftp, ssh, mysql and many more.
yay -S hydra
As an example, below is the syntax to brute-force an SSH server with root as the user.
hydra -l root -P /usr/share/dict/rockyou.txt ssh://<IP address>
Flags explanation:
- `-l root`: login name (`-L` takes a file of logins instead),
- `-P /usr/share/dict/rockyou.txt`: load passwords from file.
For SSH, lower the number of parallel tasks with `-t 4`: OpenSSH limits concurrent unauthenticated connections, and hydra itself warns that more tasks lead to missed attempts. Against a real customer, also check the account lockout policy first, or the brute force turns into a denial of service.
Fcrackzip
Fcrackzip is a ZIP password cracker. It is really basic: there are two modes of attack, brute-force and dictionary. You can also tell it the length of the password if you know it (usually you don't, but in a CTF it's not unlikely). Note that it only handles the legacy ZipCrypto encryption; archives protected with WinZip-style AES must go through zip2john and John (or hashcat) instead.
yay -S fcrackzip
Let’s create dummy files, zip them and encrypt the archive.
touch file01.txt file02.txt file03.txt file04.txt file05.txt
zip -qe data.zip file0*
Enter password: <password>
Verify password: <confirm>
file data.zip
data.zip: Zip archive data, at least v1.0 to extract
And now, break it with fcrackzip.
time fcrackzip -vuDp /usr/share/dict/rockyou.txt data.zip
found file 'file01.txt', (size cp/uc 12/ 0, flags 9, chk be2c)
found file 'file02.txt', (size cp/uc 12/ 0, flags 9, chk be2d)
found file 'file03.txt', (size cp/uc 12/ 0, flags 9, chk be2f)
found file 'file04.txt', (size cp/uc 12/ 0, flags 9, chk be30)
checking pw onetyme
PASSWORD FOUND!!!!: pw == Password
________________________________________________________
Executed in 1.37 secs fish external
usr time 1352.97 millis 405.00 micros 1352.56 millis
sys time 20.27 millis 283.00 micros 19.98 millis
It takes 1.37 seconds to find the password. OK, the password is easy, but if it is in your wordlist, you will find it.
Flags explanation:
- `-v`: be more verbose,
- `-u`: use unzip to weed out wrong passwords (otherwise the checksum test alone yields false positives),
- `-D`: use a dictionary,
- `-p`: use string as initial password/file.
Metasploit
I will not present it. You probably started hacking with this tool, didn't you? In any case, this tool is far too complete to give one or two examples; I will write a full article on it.
yay -S metasploit
Wordlists, dictionary and payloads
Rockyou
The well-known rockyou.txt wordlist contains more than fourteen million passwords leaked in plaintext from the RockYou breach of 2009, which is what makes it realistic: these are passwords people actually chose. You can use it for brute-force attacks with the tools listed earlier. Once installed, the wordlist is located at /usr/share/dict/rockyou.txt.
yay -S rockyou
SecLists
SecLists is a collection of multiple types of lists used during security assessments, collected in one place. Lists include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and more. Below, the most common ones (prefix paths with /usr/share/wordlists/seclists-c/):
- Discovery/Web-Content/common.txt to discover the most common files or directories on an HTTP server,
- Discovery/Web-Content/directory-list-*.txt to discover the most common directories on an HTTP server,
- Usernames/xato-net-10-million-usernames.txt to discover the most common usernames for authentication,
- Web-Shells/laudanum-0.8/* is a collection of injectable files, designed to be used in a pentest when upload vulnerabilities, administrative interfaces, and SQL injection flaws are found. These files are written in multiple languages for different environments. They provide functionality such as shell, DNS query, LDAP retrieval and others.
yay -S seclists-c
PayloadAllTheThings
A list of useful payloads and bypasses for web application security, pentest and CTF challenges. The directory /usr/share/wordlists/payloadsallthethings-git/Methodology and Resources contains markdown files like:
- Cheatsheet.
- Privilege escalation.
- Post exploitation.
- Enumeration.
- Techniques and tricks.
Otherwise, traverse all directories to find the things that interest you, it’s very comprehensive.
yay -S payloadsallthethings-git
Binary exploitation
GDB
The GNU Debugger is the standard debugger of the GNU project. If this tool doesn't ring a bell, one or two examples won't help; once again, this tool deserves an article of its own.
yay -S gdb
Briefly, GDB (like any debugger) lets you launch a program, place breakpoints at chosen locations, sometimes under conditions, execute instructions step by step, and inspect and modify memory and registers. For exploitation work, plugins such as GEF or pwndbg add stack, heap and register views on top of it.
Radare2
Radare2 (a.k.a. r2) is a framework for reverse engineering and analysing binaries; it can debug like GDB, and adds disassembly, patching and scripting on top. Once again, Radare2 is too complete to explain quickly here.
yay -S radare2
Resources
GTFOBins
GTFOBins is a curated list of Unix binaries that can be abused by an attacker to bypass local security restrictions: escaping restricted shells, reading or writing files, and escalating privileges through sudo or SUID bits. Everything you need is on this site.