Exploitation Resources



Exploitation

Abusing misconfigurations and vulnerabilities to gain access to the target.

In the exploitation phase, we’re researching and abusing found vulnerabilities and misconfigurations with the goal of gaining initial access to our target.

A few examples:

  • Abusing a poorly configured web app (E.g., injections, RCE, etc).
  • Brute-forcing or abusing default credentials against login services (E.g., email portal, admin panel, VPNs, etc).
  • Abusing remote services (VPN, RDP, etc).
  • Exploiting unpatched and/or misconfigured services, apps, and hosts (E.g., Kernel vulnerabilities, host and app vulnerabilities and/or misconfigurations, etc).


This is a list of tools which use exploitation techniques (E.g., abusing remote services, applications, valid accounts, and more) to gain access to the target.

Exploit Warning!
Use caution when downloading and/or executing any malicious code! I’m not responsible for your actions.


Regarding my notes:

  • The brackets ( ) after each tool will indicate if the tool is:
    1. (Built-in) = Within Kali’s repo. If not already installed, run the following:

      sudo apt update && sudo apt install *tool-to-install*
    2. (External) = Outside Kali’s repo. It’ll need to be downloaded, then installed.

    3. (Website) = Part of a website.

    4. There are others, but they’re self-explanatory.

  • I’ll also try specifying any restrictions I know of.
    1. API access needed.
    2. Paywalls.
    3. etc.


C2 Frameworks

  1. Covenant - (Built-in) - Windows agents only.

    • The built-in version may be outdated; it is the Kali repo package called “covenant-kbx”.
    • How-To and details at Covenant’s Wiki.
    • Based on .NET Core.
  2. Empire - (Built-in) - Windows, Linux, and Mac agents supported.

    • C2 framework used in post-exploitation.
    • MITRE ATT&CK integration.
    • How-To and Details at Empire’s Wiki.
    • Client agents use: PowerShell, Python3, C#, and IronPython3.
    • Modules use: AssemblyExecution, BOF Execution, Mimikatz, SeatBelt, Rubeus, SharpSploit, Certify, ProcessInjection, and many more.
  3. Metasploit - (Built-in) - Windows, Linux, and Mac agents supported.

    • Penetration testing framework usable at any step of a penetration test.
    • Some exploit-db exploits are integrated into the free version. The Pro version integrates even more. Integrated exploits are searchable via the search command.
    • Differences between the free and Pro versions are listed at Rapid7.
  4. Mythic - (Built-in) - Windows, Linux, and Mac agents supported.

    • Many components, but very flexible and collaboration-friendly.
    • Mythic documentation.
    • Many operational pieces like MITRE ATT&CK integration and screenshots. A list can be found here.
  5. TrevorC2 - (External) - Windows, Linux, and Mac agents supported.

    • Obfuscating and encoding client/server model used for tunneling C2 traffic through a website.
    • Client browser agent reads commands from a custom website’s body and sends results back to a server.
  6. Sliver - (Built-in) - Windows, Linux, and Mac agents supported. Server running Linux recommended.

    • To allow Metasploit integration, the server requires a Metasploit installation.
    • MinGW package required if building DLL payloads from a Linux server.
    • Written in Golang, so the server can run on a variety of platforms, but it is larger in size.
    • Simple to stand up.


Exploits

Databases & Forums

  1. 0x00sec - (Website)

    • How-Tos, discussions, exploits, etc.
  2. 0day.today - (Website)

    • Newer exploit database that competes with exploit-db.com.
    • Buys and sells exploits.
  3. Exploit-DB - (Built-in & Website)

    • Largest exploit DB and still reigns king.
    • Locally stored and updated in Kali distribution (/usr/share/exploitdb/).
  4. CXSecurity DB - (Website)

    • CXSecurity is run by only one person.
    • Free database with PoCs for CVEs, etc.
  5. Hack Forums - (Website)

    • Older, active forum.
  6. Rapid7 DB - (Website) - Premium tier may be required.

    • Rapid7’s database, which links with Metasploit updates.
  7. Snyk DB - (Website)

    • Info and remediation guidance of known vulnerabilities.
  8. Shodan Exploits - (Website)

    • Searches across many platforms for exploits.
  9. Packet Storm Files - (Website)

    • Active forum posting exploits.
    • Built to allow researchers to share exploits.
  10. Vulners - (Website)

    • Vulnerability database and search engine.

Git Abuse

  1. GitTools - (External)
    • Tools used to abuse exposed Git version control data (E.g., a web-accessible .git/ directory) by downloading and then restoring the repository’s .git folder, granting source code access.
    • Great for finding sensitive information in a misconfigured web server hosting Git.

PoCs for CVEs

  1. PoC-in-GitHub - (GitHub Repo)

    • GitHub repo which updates regularly with PoCs for the latest CVEs.
  2. Trickest Repo - (GitHub Repo)

    • Another GitHub repo which updates regularly with PoCs for the latest CVEs.

Search for PoCs

  1. GitHub Search - (Website)

    • Seriously, you can find a lot with GitHub search.
  2. Google - (Website)

    • Seriously, you can find a lot with Google.
  3. SearchSploit - (Built-in)

    • CLI tool which searches the local exploit-db database.
    • Make sure to update your local exploit-db copy before searching so you have the latest entries!


Passwords Attacks

Hash Identification

  1. Hashcat’s hash example webpage - (Website)

    • Example hashes with their related Hash-Mode number which is needed for option -m.
  2. hash-identifier - (Built-in)

    • Helps identify the different types of hashes used for data and password protection.

Online Password Attacks

  1. ncrack - (Built-in)

    • High-speed network authentication cracking tool.
    • Runs on Linux, *BSD, Windows, and Mac OS X.
    • “Protocols supported include SSH, RDP, FTP, Telnet, HTTP(S), Wordpress, POP3(S), IMAP, CVS, SMB, VNC, SIP, Redis, PostgreSQL, MQTT, MySQL, MSSQL, MongoDB, Cassandra, WinRM, OWA, and DICOM”
  2. Patator - (Built-in)

    • Written in Python and created out of the frustrations of using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks.
    • Supported modules at link above.
  3. THC-Hydra - (Built-in)

    • Parallelized login cracker supporting many protocols.
    • GUI binary is xhydra.
    • THC Hydra comes with a handful of additional tools. A useful additional binary is pw-inspector: you specify the minimum and maximum lengths and a wordlist, and it creates a new wordlist containing only entries of the specified lengths.
    • Supported protocols include: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Offline Password Attacks

  1. chntpw - (Built-in)

    • From Linux, you can reset or blank out local passwords by editing the SAM database, which stores the Windows password hashes.
    • Note: This only applies to local accounts and not email-bound accounts.
  2. hashcat - (Built-in)

    • “Advanced password recovery”
    • Hash modes (-m) tell hashcat which algorithm to use against the hash you provide.
    • My quick process is:
      1. Identifying the hash using hash-identifier.
        1. No results? Google it.
      2. Then I search via CLI hashcat --help | grep -e '<example-hash-name>' or hashcat’s examples webpage for the needed “Hash-Mode”.
    • To list the many modes hashcat supports, run:
      hashcat --help | less +/'Hash modes'
  3. john the ripper - (Built-in)

    • Popular offline cracking tool.
    • Can cover more unique hashes than hashcat, but hashcat has better GPU support.
    • Includes many conversion tools (E.g., *2john), as the input may need to be converted first. Think of it like the extra step of picking hashcat’s -m option.
    • Example scenario: You need to crack the passphrase of an SSH private key (RSA, DSA, OPENSSH, EC). ssh2john will convert it for john.
  4. ophcrack - (Built-in)

    • Supports Windows NT, 2000, XP, VISTA, 7 hashes only.
    • Uses rainbow tables to do cracking based on time-memory trade-off.

Zip Password Crackers

  1. fcrackzip - (Built-in)

    • Fast zip password cracker.
    • Brute-force or dictionary based attacks.
    • Can crack cpmask’d images too.
  2. rarcrack - (Built-in)

    • Cracks .zip, .7z, and .rar.
    • Brute-force only.
  3. zip2john module - (Built-in)

    • Run zip2john example.zip > example.zip.txt, then sudo john --format=zip example.zip.txt.
    • If rar format, same as before but with rar2john and --format=rar.


OS Distributions

Create your own

  1. PTF (Penetration Testers Framework) - (GitHub Repo)
    • Modular way of creating a custom OS based on Debian, Arch, or Ubuntu.

Malware Analysis

  1. FlareVM - (OS)
    • Based on Windows.
    • Includes scripts/tools that make it easy to set up a malware analysis environment.

Pentest OSs

  1. CommandoVM - (OS)

    • Based on Windows and born from FlareVM.
    • Penetration and Red Teaming VM.
  2. Kali - (OS)

    • Based on Debian Linux.
    • Forensics & Pentesting OS.
  3. ParrotOS - (OS)

    • Based on Debian.
    • Pretty and quick GUI.


Scanners w/ exploits

Network Scanners

  1. Nmap (Built-in)
    • The “go-to” network and port scanner, with many capabilities beyond scanning via NSE.

CMS Scanners

  1. CMSmap (External)

    • CMSmap is a Python open-source CMS scanner that automates the process of detecting security flaws in the most popular CMSs.
  2. WPScan (Built-in)

    • WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

Specialized Scanners

  1. log4j-scan (External)

    • A fully automated, accurate, and extensive scanner for finding log4j RCE CVE-2021-44228.
    • Supports lists of URLs, 60+ HTTP headers, bypass payloads for WAFs (Web Application Firewalls), etc.
  2. ItWasAllADream (External)

    • CVE-2021-34527 (PrintNightmare) RCE Python scanner.
    • Scans entire subnets for PrintNightmare RCE (Remote Code Execution) and exports a CSV report.
    • Does NOT apply to LPE (Local Privilege Escalation)! Only RCE!


Shells, Payloads, & Obfuscation

Shells and payloads are easy to detect, and most of the time you’ll need to obfuscate, encode, or use newer methods to compromise a host. Below are some basic resources.
More can be found by searching through the Additional Resources section.

Shells & Payloads

  1. Groovy Language (Jenkins) (GitHub Repo)

    • WebShell for Groovy Language, usually found on the Jenkins platform.
  2. MSFVenom (Built-in)

    • Payload and encoding creation tool.
    • Complements Metasploit as it allows for meterpreter payloads.
    • Easily picked up by many endpoint security products, even Windows Defender.
  3. Reverse Cheat Sheet @ PayLoadAllTheThings (GitHub Repo)

    • Many reverse shells.
  4. PentestMonkey’s Reverse Shells (Website)

    • Short list of reverse shells.
  5. WebShells (GitHub Repo)

    • Open repo hosting webshells.
    • As this repo is OPEN, carefully review all code for backdoors before executing!

Shell Generators

  1. revshells.com (Website)

    • Online generator of many reverse shells.
  2. Shellerator (External)

    • Tool used to generate reverse shell one-liners locally.
  3. Reverse Shell Generator (Website)

    • Online generator of many reverse shells.

Obfuscators

  1. PHP Obfuscator - (Website)

    • Online PHP obfuscator by Gaijin.at
    • Helps hide malicious code by obfuscating it.
  2. Nishang’s Shells/Payloads (GitHub Repo)

    • PowerShell scripts and payloads used to bypass security through means of obfuscation, encoding, etc.
  3. Vulkan (External)

    • Offensive tool to obfuscate PowerShell payloads.


Web

Web App Proxy

  1. BurpSuite (Built-in) - Free version has rate-limited brute-forcing. Paid version has many more features.

    • AIO web app security testing.
    • Free community extensions can help improve the free version.
  2. Zed Attack Proxy (ZAP) (Built-in)

    • Free and open-source web app scanner.
    • No limit on brute-force attempts.
  3. Foxy Proxy (Browser Extension)

    • Browser proxy used with ZAP and Burp.

Web Code Analysis

  1. CyberChef - (Website & Self-hosted)

    • “The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis”.
  2. JSON Decode Online - (Website)

    • Decode JSON cookies.
  3. URL Decode & Encode - (Website)

    • Allows you to quickly decode or encode web shells, etc.

Web Training

  1. bWAPP (buggy WebApp) - (External - Self-Hosted)

    • Older but still effective when practicing the basics.
  2. OWASP “Juice Shop” - (External - Self-Hosted)

    • OWASP-created web app built to gamify (scoreboard) web security learning.
    • Naturally, it runs through the OWASP Top 10.
  3. PortSwigger Web Security Academy - (Website)

    • Online web security training built by the creators of Burp Suite.
  4. Totally Insecure Web Application Project (TIWAP) - (External - Self-Hosted)

    • Web App Security Lab made for learning and practicing web vulnerabilities.


Wireless

  1. aircrack-ng - (Built-in)
    • AIO wireless security suite.
    • Contains both passive and active recon tools, along with exploitation tools (capture, deauthentication, and cracking).


Additional Resources

  1. HackingArticles.in - (Website)

    • Quick and simple walkthrough guides to various tools and techniques.
  2. HackTricks - (Website)

    • Great resources for anything penetration testing and red teaming.
  3. 0xJs RedTeam CheatSheet - (GitHub Repo)

    • CheatSheet to anything Red Team.
  4. SwissKy - (GitHub Repo)

    • AIO repo focusing on web app payloads, but includes many other pentesting & red teaming resources.
    • Home for the popular PayLoadAllTheThings repo.
  5. The Hive - (Website)

    • Great resource to search and learn from. Holds many resources that other blogs may lack.
    • Overall great to keep in your notes.