Changes

8,046 bytes added , 20:19, 7 February 2020

m

→‎Examples

Line 1: Line 1: −

== patator ==

+

[http://tools.kali.org/tools-listing Tools list]

+

==crunch==

+

Word list creation. Example:

+

crunch 6 6 + + + + -o 6charcapslowernumber.txt

+

generates: 6 char pwd list, lowercase, uppercase and numbers

+

+ = wildchar, order is: lower, caps, numbers, special chars

+

-o --> output file

+

==Examples==

+

+

crunch 8 8 -f /usr/share/rainbowcrack/charset.txt loweralpha-numeric -o loweralpha-numeric_8_8.lst

+

crunch 8 10 -f /usr/share/rainbowcrack/charset.txt mixalpha-numericdot -d 1@ -d 1, -d 1% | parallel -j6 python wallet_bruteforce_simple.py

+

</syntaxhighlight>

+

===Charsets (-f)===

+

crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst

+

charset.txt:

+

+

numeric = [0123456789]

+

alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]

+

alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

+

loweralpha = [abcdefghijklmnopqrstuvwxyz]

+

loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]

+

mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]

+

mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

+

ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]

+

ascii-32-65-123-4 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]

+

alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]</nowiki>

+

Specifiying charsets on command line:

+

crunch 6 6 0123456789ABCDEF

+

escape char: \

+

ABC\!\@\#\$

+

===Patterns (-t)===

+

crunch 8 8 -t @@@@@@56 -o /root/birthdaywordlist.lst

+

-t <pattern> = Giving crunch the pattern @@@@@@56. This word generate passwords up to 8 characters (6 lower case variable and 4 fixed) long that all ended with 56.

+

+

@ -- lower case alpha characters

+

, -- upper case alhpa characters

+

% -- numeric characters

+

^ -- special characters (including space)</nowiki>

+

To specify diferent character set for @ follow this example where @ can be one of [123abcDEF]:

+

crunch 8 8 123abcDEF -t TEST@@@@

+

Enclose the character set whith "" if space is included

+

crunch "123abcDEF " -t TEST@@@@

+

To escape @ in a pattern use -l:

+

crunch 6 6 -t b@d%%% -l @

+

crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^

+

will treat @ as a fixed character

+

Pattern with limited characters:

+

crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^

+

crunch 8 8 abcdef + 12345 + -t @@,,%%^^

+

===Limits the number of duplicate characters (-d numbersymbol)===

+

Limits the number of duplicate characters. -d 2@ limits the lower case alphabet to output like aab and aac. aaa would not be generated as

+

that is 3 consecutive letters of a. The format is number then symbol where number is the maximum number of consecutive characters and sym‐

+

bol is the symbol of the the character set you want to limit i.e. @,%^ See examples 17-19.

+

===Divided output (-b | -c)===

+

crunch 6 6 0123456789 -b 1mb -o START

+

Creates 1mb files

+

Size definition can be in: kb, mb, gb or kib, mib, gib (ib--> 1024 base; mb --> 1000 base)

+

-o START must be specified as it is

+

crunch 6 6 0123456789 -c 200000 -o START

+

Divide into files with no more than 200000 lines

+

===Stop at certain word (-e)===

+

crunch 6 6 -t %%%%%% -e 333333

+

Creates 6 char numeric wordlist until 333333

+

===Invert direction from left->wright to wright->left (-i)===

+

===Words/Characters permutations (-p | -q)===

+

-p: command line

+

-q: file

+

Words permutations:

+

crunch 1 1 -p bird cat dog

+

Letter permutations:

+

crunch 1 1 -p abcd

+

-p MUST be the last switch

+

crunch 1 1 -q test.txt

+

being test.txt a word list (1 word per line)

+

===Stop/Resume Wordlist creation (ctrl+c/... -r)===

+

crunch 8 8 0123456789 -o test.txt

+

Stop the creation with a Ctrl C, then restart with ;

+

crunch 8 8 0123456789 -o test.txt -r

+

Note: if -s was used it must be removed at the resume line

+

===Start from specific position (-s)===

+

crunch 7 7 0123456789 -s 9670549 -o test.txt

+

Will start at 9670549

+

===Piping Crunch===

+

use: -u |

+

crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap

+

crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID

+

crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough

+

===Compressing (-z)===

+

*gzip (quick)

+

*bzip

+

*lzma (smallest)

+

crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip

+

crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2

+

crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma

+

==Hydra==

+

===Website Bruteforce===

+

hydra www.example.com -L /usr/share/wordlists/users.txt -P /usr/share/wordlists/passwords.txt -V -f http-get /members

+

===SSH bruteforce===

+

hydra -s 22 -v -V -l root -P <path_to_wordlist> -e -ns -t 16 192.168.0.101 ssh

+

===RDP Bruteforce (Port: 3389)===

+

hydra -t 2 -V -f -l administrator -P rockyou.txt rdp://10.28.0.196

+

With ncrack

+

ncrack -vv -U common.usr -P top50000.pwd -T 4 10.28.0.161:3389

+

==metagoofil==

+

python metagoofil.py –d www.victima.com –l 20 –f pdf –o out.html –t out-files”

+

-d = dominio de la victima

+

-l = numero de archives maximos a descargar

+

-f = tipo de archivos (pdf, doc, xls, all)

+

-o = como se guardara el resultado

+

-t = directorio que contendrá los archivos descargado

+

==patator==

<nowiki>Patator v0.5 (http://code.google.com/p/patator/)

−

Usage: patator.py module --help

+

Usage: patator.py module --help

+

Available modules:

+

+ ftp_login : Brute-force FTP

+

+ ssh_login : Brute-force SSH

+

+ telnet_login : Brute-force Telnet

+

+ smtp_login : Brute-force SMTP

+

+ smtp_vrfy : Enumerate valid users using SMTP VRFY

+

+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO

+

+ finger_lookup : Enumerate valid users using Finger

+

+ http_fuzz : Brute-force HTTP

+

+ pop_login : Brute-force POP3

+

+ pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)

+

+ imap_login : Brute-force IMAP4

+

+ ldap_login : Brute-force LDAP

+

+ smb_login : Brute-force SMB

+

+ smb_lookupsid : Brute-force SMB SID-lookup

+

+ vmauthd_login : Brute-force VMware Authentication Daemon

+

+ mssql_login : Brute-force MSSQL

+

+ oracle_login : Brute-force Oracle

+

+ mysql_login : Brute-force MySQL

+

+ mysql_query : Brute-force MySQL queries

+

+ pgsql_login : Brute-force PostgreSQL

+

+ vnc_login : Brute-force VNC

+

+ dns_forward : Forward lookup names

+

+ dns_reverse : Reverse lookup subnets

+

+ snmp_login : Brute-force SNMP v1/2/3

+

+ unzip_pass : Brute-force the password of encrypted ZIP files

+

+ keystore_pass : Brute-force the password of Java keystore files

+

+ tcp_fuzz : Fuzz TCP services

+

+ dummy_test : Testing module

+

</nowiki>

+

==webscarab==

+

==smali==

+

+

usage: java -jar smali.jar [options] [--] [<smali-file>|folder]*

+

assembles a set of smali files into a dex file

+

-?,--help prints the help message then exits. Specify twice for debug options

+

-a,--api-level <API_LEVEL> The numeric api-level of the file to generate, e.g. 14 for ICS. If not

+

specified, it defaults to 14 (ICS).

+

-o,--output <FILE> the name of the dex file that will be written. The default is out.dex

+

-v,--version prints the version then exits

+

-x,--allow-odex-instructions allow odex instructions to be compiled into the dex file. Only a few

+

instructions are supported - the ones that can exist in a dead code path and

+

not cause dalvik to reject the class

+

</nowiki>

+

==paros==

+

Gui crawler

+

==oscanner==

+

+

Oracle Scanner 1.0.6 by patrik@cqure.net

+

--------------------------------------

+

OracleScanner -s <ip> -r <repfile> [options]

+

-s <servername>

+

-f <serverlist>

+

-P <portnr>

+

-v be verbose

+

</nowiki>

+

==dirbuster==

+

another bruteforce application

−

~~Available modules:~~

+

==dirb==

−

~~+ ftp_login : Brute-force FTP~~

+

Bruteforce URL's with wordlist

−

~~+ ssh_login~~ : ~~Brute-force SSH~~

+

dirb http://10.28.0.161/

−

~~+ telnet_login : Brute-force Telnet~~

+

−

~~+ smtp_login : Brute~~-~~force SMTP~~

+

==hash-identifier==

−

~~+ smtp_vrfy : Enumerate valid users using SMTP VRFY~~

+

==dbpwaudit==

−

~~+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO~~

+

<nowiki> DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>

−

~~+ finger_lookup : Enumerate valid users using Finger~~

+

----------------------------------------------------

−

~~+ http_fuzz : Brute~~-~~force HTTP~~

+

DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]

−

~~+ pop_login : Brute~~-~~force POP3~~

+

−

~~+ pop_passd : Brute~~-~~force poppassd (http://netwinsite.com/poppassd/)~~

+

-s - Server name or address.

−

~~+ imap_login : Brute~~-~~force IMAP4~~

+

-p - Port of database server/instance.

−

~~+ ldap_login : Brute~~-~~force LDAP~~

+

-d - Database/Instance name to audit.

−

~~+ smb_login : Brute~~-~~force SMB~~

+

-D - The alias of the driver to use (-L for aliases)

−

~~+ smb_lookupsid : Brute~~-~~force SMB SID~~-~~lookup~~

+

-U - File containing usernames to guess.

−

~~+ vmauthd_login : Brute~~-~~force VMware Authentication Daemon~~

+

-P - File containing passwords to guess.

−

~~+ mssql_login : Brute~~-~~force MSSQL~~

+

-L - List driver aliases.

−

~~+ oracle_login~~ ~~: Brute~~-~~force Oracle~~

+

</nowiki>

−

~~+ mysql_login : Brute~~-~~force MySQL~~

+

==casefile==

−

~~+ mysql_query : Brute~~-~~force MySQL queries~~

+

−

~~+ pgsql_login : Brute~~-~~force PostgreSQL~~

+

==Vulnerability Scan uniscan==

−

~~+ vnc_login : Brute~~-~~force VNC~~

−

~~+ dns_forward : Forward lookup names~~

−

~~+ dns_reverse : Reverse lookup subnets~~

−

~~+ snmp_login : Brute~~-~~force SNMP v1~~/2/3

−

~~+ unzip_pass : Brute~~-~~force~~ the ~~password of encrypted ZIP files~~

−

~~+ keystore_pass : Brute~~-~~force the password of Java keystore files~~

−

~~+ tcp_fuzz : Fuzz TCP services~~

−

~~+ dummy_test : Testing module~~

−

</nowiki>

−

== ~~webscarab~~ ==

−

== ~~smali~~ ==

−

~~usage~~: ~~java -jar smali~~.~~jar [options] [~~--~~] [~~<~~smali~~-file>|folder]*

+

####################################

−

~~assembles a set of smali files into a dex file~~

+

# Uniscan project #

−

-?,--~~help prints the help message then exits~~. ~~Specify twice for debug options~~

+

# http://uniscan.sourceforge.net/ #

−

-a,--~~api~~-~~level~~ <~~API_LEVEL~~> ~~The numeric api~~-~~level of the file to generate, e~~.g. ~~14 for ICS~~. ~~If not~~

+

####################################

−

~~specified, it defaults to 14 (ICS)~~.

+

V. 6.2

−

-o,-~~-output <FILE> the name of the dex file that will be written~~. ~~The default is out~~.~~dex~~

+

−

-v,--~~version prints the version then exits~~

+

−

~~-x,--allow-odex-instructions~~ ~~allow odex instructions~~ to ~~be compiled into the dex file~~. ~~Only a few~~

+

OPTIONS:

−

~~instructions are supported - the ones that can exist in a dead code path and~~

+

-h help

−

~~not cause dalvik to reject the class~~

+

-u <url> example: https://www.example.com/

−

</nowiki>

+

-f <file> list of url's

−

== ~~paros~~ ==

+

-b Uniscan go to background

−

~~Gui crawler~~

+

-q Enable Directory checks

+

-w Enable File checks

+

-e Enable robots.txt and sitemap.xml check

+

-d Enable Dynamic checks

+

-s Enable Static checks

+

-r Enable Stress checks

+

-i <dork> Bing search

+

-o <dork> Google search

+

-g Web fingerprint

+

-j Server fingerprint

+

usage:

+

[1] perl ./uniscan.pl -u http://www.example.com/ -qweds

+

[2] perl ./uniscan.pl -f sites.txt -bqweds

+

[3] perl ./uniscan.pl -i uniscan

+

[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"

+

[5] perl ./uniscan.pl -o "inurl:test"

+

[6] perl ./uniscan.pl -u https://www.example.com/ -r

+

report saved to: /usr/share/uniscan/report/www.example.com.html</nowiki>

+

vega (GUI)

+

==Rebind==

+

IP rebind attack for routers

+

https://www.youtube.com/watch?v=0duYxPIx8gU

+

http://rebind.googlecode.com

−

~~== oscanner ==~~

+

Rebind v0.3.4

−

~~Oracle Scanner 1~~.0.~~6 by patrik@cqure.net~~

+

−

~~---------------------------------~~-----

+

Usage: rebind [OPTIONS]

−

~~OracleScanner~~ -s <ip> -r <~~repfile~~> [~~options~~]

+

−

-s <~~servername~~>

+

-i <interface> Specify the network interface to bind to

−

-f <~~serverlist~~>

+

-d <fqdn> Specify your registered domain name

−

-P <~~portnr~~>

+

-u <user> Specify the Basic Authentication user name [admin]

−

-~~v be verbose~~

+

-a <pass> Specify the Basic Authentication password [admin]

−

</nowiki>

+

-r <path> Specify the initial URL request path [/]

+

-t <ip> Specify a comma separated list of target IP addresses [client IP]

+

-n <time> Specify the callback interval in milliseconds [2000]

+

-p <port> Specify the target port [80]

+

-c <port> Specify the callback port [81]

+

-C <value> Specify a cookie to set for the client

+

-H <file> Specify a file of HTTP headers for the client to send to the target</nowiki>

+

==websploit==

+

[[Kali_Linux:_Wifi_Jamming|Wifi Jamming]]

Rafahsolis

Bureaucrats, Administrators

2,306

edits

Changes

Kali tools (view source)

Revision as of 20:19, 7 February 2020

Navigation menu

Search