Reference List
    1. MassDNS
    2. ShuffleDNS
    3. DNSProbe
    4. Amass
    5. Jok3r
    6. Medusa
    7. Ncrack
    8. SubBrute
    9. Steghide
    10. StegCracker
    11. Zsteg
    12. Exiv2
    13. Binwalk
    14. oleVBA

MassDNS – A high-performance DNS stub resolver for massive amounts of domains [Link]. In its repository, there is a file with one thousand DNS resolver IPs. See also Subjack: it scans a list of subdomains concurrently and identifies ones that are able to be hijacked [Link].

sudo apt install massdns
massdns -r resolvers.lst -t A -w results.output domains.lst

ShuffleDNS – It is a tool capable of brute-force domain resolve and handle wildcard subdomains [Link].

GO111MODULE=on go get -v
~/go/bin/shuffledns -h

Subdomain Bruteforcing:

~/go/bin/shuffledns -d -w wordlist.lst -r resolvers.txt -t 200

To resolve a list of subdomains:

~/go/bin/shuffledns -d -list subdomains.lst -r resolvers.txt
subfinder -d -silent | ~/go/bin/shuffledns -d -r resolvers.txt

DNSProbe – perform multiple DNS queries (A, AAAA, CNAME, TXT, MX) with list of resolvers [Link].

GO111MODULE=on go get -v
subfinder -d -silent | ~/go/bin/dnsprobe -r cname
subfinder -d -silent | ~/go/bin/dnsprobe -r txt
subfinder -d -silent | ~/go/bin/dnsprobe -r mx
subfinder -d -silent | ~/go/bin/dnsprobe -r a
subfinder -d -silent | ~/go/bin/dnsprobe -r aaaa -silent

Amass – The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques [Link].


  • DNS: Brute-forcing, rDNS sweeping, NSEC zone walking, Zone transfers, FQDN alterations/permutations, FQDN Similarity-based Guessing.
  • Scraping: Ask, Baidu, Bing, BuiltWith, DNSDumpster, HackerOne, IPv4Info, RapidDNS, Riddler, SiteDossier, Yahoo.
  • Certificates: Active pulls (optional), Censys, CertSpotter, Crtsh, FacebookCT, GoogleCT.
  • APIs: AlienVault, Anubis, BinaryEdge, BGPView, BufferOver, C99, CIRCL, Cloudflare, CommonCrawl, DNSDB, GitHub, HackerTarget, Mnemonic, NetworksDB, PassiveTotal, Pastebin, RADb, ReconDev, Robtex, SecurityTrails, ShadowServer, Shodan, SonarSearch, Spyse, Sublist3rAPI, TeamCymru, ThreatBook, ThreatCrowd, ThreatMiner, Twitter, Umbrella, URLScan, VirusTotal, WhoisXML, ZETAlytics, ZoomEye.
  • Web Archives: ArchiveIt, ArchiveToday, Wayback.
sudo apt install amass
amass enum -d
amass enum -passive -d -src

Jok3r – It is a framework that aids penetration testers for network infrastructure and web security assessments [Link]. It does automatically all the basic work with just a few prompts. Great for a starting point and obvious vulnerabilities.

Installing and executing:

sudo docker pull koutto/jok3r
sudo docker run -i -t --name jok3r-container -w /root/jok3r -e DISPLAY=$DISPLAY -v /tmp/.X11-unix:/tmp/.X11-unix --shm-size 2g --net=host koutto/jok3r

The final image will be 16.4 GB big 🙁

Re-starting or getting a shell:

sudo docker start -i jok3r-container
sudo docker exec -it jok3r-container bash
  • ./ info –checks http
  • ./ attack -t –add2db default
  • ./ attack -t –add2db default –fast
  • ./ db
    • mission -h
    • hosts
    • services
    • products
    • vulns
    • vulns –no-truncation
    • creds
    • report

To copy the reports to the host machine:

sudo docker cp jok3r-container:/root/jok3r/reports/ .

Medusa – x [Link].

medusa -d
medusa -h -u root -P passwords.txt -e ns -M smbnt
medusa -H hosts.txt -U users.txt -P passwords.txt -T 20 -t 10 -L -F -M smbnt
medusa -M smbnt -C combo.txt
medusa -M smbnt -C combo.txt -H hosts.txt
  • -d
    • list available modules
  • -q
    • display module usage info
  •  -M
    • mode
  • -h
    • hostname or IP
  • -H
    • list of hosts
  • -u
    • username
  • -U
    • list of users
  • -p
    • password
  • -P
    • list of passwords
  • -C
    • combo of entries
  • -e
    • additional password checks, n for no password and s for password = username
  • -T
    • total number of hosts
  • -t
    • total number of logins

Ncrack – Ncrack is a high-speed network authentication cracking tool developed by the nmap team [Link]. The supported protocols include SSH, RDP, FTP, Telnet, HTTP(S), POP3(S), IMAP, SMB, VNC, SIP, Redis, PostgreSQL, MySQL, MSSQL, MongoDB, Cassandra, WinRM, and OWA.

ncrack --user root -p ssh -P passwords.txt
ncrack -u root -p 22 -P passwords.txt -T5
ncrack -u root -p 21 -P passwords.txt -T 5
ncrack -u root -p 21 -P passwords.txt
ncrack -u root -p 3389 -P passwords.txt

SubBrute – Brute force app to discover subdomains [Link].

./ > output.txt
./ -t domainslist.txt

Steghide – A steganography tool that hides data in some of the least significant bits of pictures (.jpg, .bmp) or audio (.wav, .au) files [Link].

sudo apt install steghide steghide-doc -y
steghide info fileName
steghide embed -cf image.jpg -ef secret.txt -v
steghide extract -sf image.jpg
steghide embed -cf audio.wav -ef secret.txt -p password
steghide --encinfo
steghide embed -cf image.bmp -ef secret.txt -e des

StegCracker – Steganography brute-force utility to uncover hidden data inside files [Link].

pip3 install stegcracker
stegcracker fileName /path/wordlist.txt

Zsteg – A tool that can detect hidden data in .png and .bmp files. [Link].

gem install zsteg
zsteg fileName
zsteg -a fileName
zsteg -E "b8,rgb,lsb,xy" fileName > extracted.exe

Exiv2 – A command-line utility to read, write, delete and modify Exif, IPTC, XMP, and ICC image metadata [Link]. Official website [Link].

sudo apt install exiv2 -y
exiv2 fileName

Binwalk – A tool for analyzing, reverse engineering, and extracting firmware images [Link].

sudo apt install binwalk -y
binwalk fileName
binwalk -e fileName

oleVBA – A script to parse OLE and OpenXML files such as MS Office documents, to extract VBA Macro code [Link].

olevba3 fileName.doc
olevba3 fileName.xls

After extracting the VBA code from a document, you can use a web tool such as OnlineGDB [Link] to compile and run the code safely.

– [Link].

– [Link].

– [Link].

– [Link].