Difference between revisions of "Kali tools"
Rafahsolis (talk | contribs), latest revision (minor edit to Examples, visual editor; 21 intermediate revisions by the same user not shown)

[http://tools.kali.org/tools-listing Tools list]
==crunch==
Word list creation. Example:
<syntaxhighlight lang="bash">
crunch 6 6 + + + + -o 6charcapslowernumber.txt
</syntaxhighlight>
generates: 6 char pwd list, lowercase, uppercase and numbers<br />
+ = wildcard; the order of the + positions is: lower, caps, numbers, special chars<br />
-o --> output file<br />
==Examples==
<syntaxhighlight lang="bash">
crunch 8 8 -f /usr/share/rainbowcrack/charset.txt loweralpha-numeric -o loweralpha-numeric_8_8.lst

crunch 8 10 -f /usr/share/rainbowcrack/charset.txt mixalpha-numericdot -d 1@ -d 1, -d 1% | parallel -j6 python wallet_bruteforce_simple.py
</syntaxhighlight>

===Charsets (-f)===
<syntaxhighlight lang="bash">
crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
</syntaxhighlight>
charset.txt:
<nowiki>
numeric = [0123456789]

alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

loweralpha = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]

mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]

ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32-65-123-4 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]</nowiki>
Specifying a charset on the command line:
<syntaxhighlight lang="bash">
crunch 6 6 0123456789ABCDEF
</syntaxhighlight>
Escape char: \ (e.g. the charset <nowiki>ABC\!\@\#\$</nowiki>)

===Patterns (-t)===
<syntaxhighlight lang="bash">
crunch 8 8 -t @@@@@@56 -o /root/birthdaywordlist.lst
</syntaxhighlight>
-t <pattern> = gives crunch the pattern @@@@@@56. This generates 8-character passwords (six variable lowercase positions followed by the fixed characters 56), so every word ends with 56.<br />
<nowiki>
@ -- lower case alpha characters
, -- upper case alpha characters
% -- numeric characters
^ -- special characters (including space)</nowiki>
To use a different character set for @, follow this example, where @ can be any of [123abcDEF]:
<syntaxhighlight lang="bash">
crunch 8 8 123abcDEF -t TEST@@@@
</syntaxhighlight>
Enclose the character set in "" if it includes a space:
<syntaxhighlight lang="bash">
crunch 8 8 "123abcDEF " -t TEST@@@@
</syntaxhighlight>

To escape @ in a pattern use -l:
<syntaxhighlight lang="bash">
crunch 6 6 -t b@d%%% -l @
crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^
</syntaxhighlight>
will treat @ as a fixed character

Pattern with limited characters:
<syntaxhighlight lang="bash">
crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^
crunch 8 8 abcdef + 12345 + -t @@,,%%^^
</syntaxhighlight>

===Limit the number of duplicate characters (-d numbersymbol)===
Limits the number of duplicate characters. -d 2@ limits the lower case alphabet to output like aab and aac; aaa would not be generated, as that is 3 consecutive letters of a. The format is number then symbol, where number is the maximum number of consecutive characters and symbol is the symbol of the character set you want to limit, i.e. @,%^. See examples 17-19 of the crunch man page.

===Divided output (-b | -c)===
<syntaxhighlight lang="bash">
crunch 6 6 0123456789 -b 1mb -o START
</syntaxhighlight>
Creates 1mb files<br />
Size definition can be in: kb, mb, gb or kib, mib, gib (ib --> 1024 base; mb --> 1000 base)<br />
-o START must be specified as it is
<syntaxhighlight lang="bash">
crunch 6 6 0123456789 -c 200000 -o START
</syntaxhighlight>
Divides the output into files with no more than 200000 lines each

===Stop at a certain word (-e)===
<syntaxhighlight lang="bash">
crunch 6 6 -t %%%%%% -e 333333
</syntaxhighlight>
Creates a 6 char numeric wordlist until it reaches 333333<br />

===Invert direction from left->right to right->left (-i)===

===Word/character permutations (-p | -q)===
-p: command line<br />
-q: file<br />
Word permutations:
<syntaxhighlight lang="bash">
crunch 1 1 -p bird cat dog
</syntaxhighlight>
Letter permutations:
<syntaxhighlight lang="bash">
crunch 1 1 -p abcd
</syntaxhighlight>
-p MUST be the last switch
<syntaxhighlight lang="bash">
crunch 1 1 -q test.txt
</syntaxhighlight>
where test.txt is a word list (1 word per line)

===Stop/resume wordlist creation (Ctrl+C / -r)===
<syntaxhighlight lang="bash">
crunch 8 8 0123456789 -o test.txt
</syntaxhighlight>
Stop the creation with Ctrl+C, then resume with:
<syntaxhighlight lang="bash">
crunch 8 8 0123456789 -o test.txt -r
</syntaxhighlight>
Note: if -s was used it must be removed from the resume command line

===Start from a specific position (-s)===
<syntaxhighlight lang="bash">
crunch 7 7 0123456789 -s 9670549 -o test.txt
</syntaxhighlight>
Will start at 9670549

===Piping crunch===
Use -u (disables the progress output) before the pipe:
<syntaxhighlight lang="bash">
crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap
crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID
crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough
</syntaxhighlight>

===Compressing (-z)===
*gzip (quick)
*bzip2
*lzma (smallest)
<syntaxhighlight lang="bash">
crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip
crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2
crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma
</syntaxhighlight>
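The charset, -t, -d, -s, -e and -b options above all come down to one thing: crunch enumerates a mixed-radix keyspace in a fixed order. The following is an added example (not crunch's code and not part of the wiki page) that models that keyspace in Python so a list can be sized before it is generated (how many words, how many bytes, how many files a -b split produces) and so the effect of -d, -s and -e can be checked on small inputs. It assumes the charset.txt format shown above, the four placeholder symbols, crunch's documented default symbol set, that -e is inclusive and that -b splits on raw byte count; -l is not modelled.

```python
"""Model of crunch's charset, -t pattern, -d, -s and -e semantics.
Added example, not code from crunch or from the wiki page. Assumptions: the
'name = [chars]' charset.txt format, the placeholders @ , % ^, crunch's default
symbol set, an inclusive -e, and a -b that splits on raw byte count."""
import re
from typing import Dict, Iterator, List, Sequence

# Constructed excerpt in the charset.txt format the page shows (raw string: the sets contain backslashes).
CHARSET_TXT = r"""
numeric = [0123456789]
loweralpha = [abcdefghijklmnopqrstuvwxyz]
mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
"""

# Sets the -t placeholders expand to when no charset is given on the command line.
DEFAULT_SETS: Dict[str, str] = {
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "%": "0123456789",
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",  # crunch's default symbols, space included (assumption)
}

def parse_charsets(text: str) -> Dict[str, str]:
    """Parse 'name = [chars]' lines; the greedy match keeps a ']' that is part of the set."""
    sets: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*=\s*\[(.*)\]\s*$", line)
        if m:
            sets[m.group(1)] = m.group(2)
    return sets

def slots_for_pattern(pattern: str, sets: Dict[str, str] = DEFAULT_SETS) -> List[str]:
    """One alphabet per position: placeholders expand, every other character is fixed."""
    return [sets[ch] if ch in sets else ch for ch in pattern]

def slots_for_length(length: int, charset: str) -> List[str]:
    """'crunch N N <charset>' without -t: every position draws from the whole charset."""
    return [charset] * length

def keyspace(slots: Sequence[str]) -> int:
    """Number of words crunch would emit before any -d filtering."""
    n = 1
    for alphabet in slots:
        n *= len(alphabet)
    return n

def estimated_bytes(slots: Sequence[str]) -> int:
    """Uncompressed output size: word length plus one newline per line."""
    return keyspace(slots) * (len(slots) + 1)

def files_needed(slots: Sequence[str], chunk_bytes: int) -> int:
    """Rough file count for '-b <size> -o START' (1mb = 1000*1000 bytes, as the page notes)."""
    return -(-estimated_bytes(slots) // chunk_bytes)

def word_at(index: int, slots: Sequence[str]) -> str:
    """Mixed-radix decode: index 0 is the first word; the rightmost position changes fastest."""
    out = []
    for alphabet in reversed(slots):
        index, digit = divmod(index, len(alphabet))
        out.append(alphabet[digit])
    return "".join(reversed(out))

def index_of(word: str, slots: Sequence[str]) -> int:
    """Inverse of word_at; ValueError if these slots cannot produce the word."""
    if len(word) != len(slots):
        raise ValueError("word length does not match the pattern")
    index = 0
    for ch, alphabet in zip(word, slots):
        index = index * len(alphabet) + alphabet.index(ch)
    return index

def exceeds_run_limit(word: str, limits: Dict[str, int], sets: Dict[str, str] = DEFAULT_SETS) -> bool:
    """-d <n><symbol>: True when one character of that symbol's set repeats more than
    n times in a row (so -d 2@ keeps 'aab' and drops 'aaa')."""
    for symbol, max_run in limits.items():
        alphabet, run, prev = sets[symbol], 0, None
        for ch in word:
            run = run + 1 if (ch == prev and ch in alphabet) else int(ch in alphabet)
            prev = ch
            if run > max_run:
                return True
    return False

def generate(slots, limits=None, start=None, end=None, sets=DEFAULT_SETS) -> Iterator[str]:
    """Enumerate in crunch's order, honouring -s (start word), -e (stop word) and -d limits."""
    first = index_of(start, slots) if start else 0
    last = index_of(end, slots) if end else keyspace(slots) - 1
    for i in range(first, last + 1):
        word = word_at(i, slots)
        if limits and exceeds_run_limit(word, limits, sets):
            continue
        yield word

if __name__ == "__main__":
    six = slots_for_length(6, parse_charsets(CHARSET_TXT)["numeric"])  # crunch 6 6 0123456789 -b 1mb
    print(keyspace(six), "words,", estimated_bytes(six), "bytes,", files_needed(six, 1_000_000), "files")
    birthday = slots_for_pattern("@@@@@@56")  # crunch 8 8 -t @@@@@@56
    print(keyspace(birthday), "words from", word_at(0, birthday), "to", word_at(keyspace(birthday) - 1, birthday))
```

The numbers this produces for the page's own commands: `crunch 6 6 0123456789` is 1,000,000 lines and about 7 MB, so `-b 1mb` yields seven files; `-t @@@@@@56` is 26^6 words from `aaaaaa56` to `zzzzzz56`; `-e 333333` on six digits stops after 333,334 words. The same arithmetic is what a defender uses to judge whether a password policy (length, character classes) leaves a keyspace small enough to be exhausted by a list like this.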
==Hydra==

===Website bruteforce===
<syntaxhighlight lang="bash">
hydra www.example.com -L /usr/share/wordlists/users.txt -P /usr/share/wordlists/passwords.txt -V -f http-get /members
</syntaxhighlight>

===SSH bruteforce===
<syntaxhighlight lang="bash">
hydra -s 22 -v -V -l root -P <path_to_wordlist> -e ns -t 16 192.168.0.101 ssh
</syntaxhighlight>
-e ns additionally tries an empty password (n) and the login name as password (s); -t 16 runs 16 parallel connections

===RDP bruteforce (port 3389)===
<syntaxhighlight lang="bash">
hydra -t 2 -V -f -l administrator -P rockyou.txt rdp://10.28.0.196
</syntaxhighlight>
With ncrack:
<syntaxhighlight lang="bash">
ncrack -vv -U common.usr -P top50000.pwd -T 4 10.28.0.161:3389
</syntaxhighlight>

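On the receiving end, the SSH command above (16 parallel connections, one wordlist entry after another) shows up in the target's auth.log as a burst of "Failed password" lines from one source, often followed by an "Accepted password" if a guess hit. The following is an added example (not from the wiki page and not Hydra's code) of the detection logic a defender runs over those lines: a sliding window of failures per source address, with a separate alert for a success that follows a tripped threshold. It assumes OpenSSH's default syslog line format; the log lines are constructed and the thresholds (10 failures in 60 s) are illustrative.

```python
"""Detect an SSH password-guessing burst from sshd lines in auth.log.
Added example, not code from the wiki page or from Hydra. Assumptions: OpenSSH's
default syslog format; constructed sample lines; illustrative thresholds."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Optional

WINDOW_SECONDS = 60   # illustrative
THRESHOLD = 10        # illustrative

# Constructed sample lines (not captured from a real host): one source makes eleven
# failed guesses in a few seconds and then logs in; another source has a single failure.
SAMPLE_LOG = """\
Feb  7 20:19:01 srv sshd[2001]: Failed password for root from 192.168.0.50 port 40001 ssh2
Feb  7 20:19:01 srv sshd[2002]: Failed password for root from 192.168.0.50 port 40002 ssh2
Feb  7 20:19:02 srv sshd[2003]: Failed password for root from 192.168.0.50 port 40003 ssh2
Feb  7 20:19:02 srv sshd[2004]: Failed password for root from 192.168.0.50 port 40004 ssh2
Feb  7 20:19:02 srv sshd[2005]: Failed password for invalid user admin from 192.168.0.50 port 40005 ssh2
Feb  7 20:19:03 srv sshd[2006]: Failed password for root from 192.168.0.50 port 40006 ssh2
Feb  7 20:19:03 srv sshd[2007]: Failed password for root from 192.168.0.50 port 40007 ssh2
Feb  7 20:19:04 srv sshd[2008]: Failed password for root from 192.168.0.50 port 40008 ssh2
Feb  7 20:19:04 srv sshd[2009]: Failed password for root from 192.168.0.50 port 40009 ssh2
Feb  7 20:19:05 srv sshd[2010]: Failed password for root from 192.168.0.50 port 40010 ssh2
Feb  7 20:19:05 srv sshd[2011]: Failed password for root from 192.168.0.50 port 40011 ssh2
Feb  7 20:19:06 srv sshd[2012]: Accepted password for root from 192.168.0.50 port 40012 ssh2
Feb  7 20:25:00 srv sshd[2100]: Failed password for alice from 10.0.0.7 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_sshd_line(line: str) -> Optional[dict]:
    """Extract timestamp, outcome, user and source IP; None for lines this model ignores."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; relative ordering is all the window needs.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_bruteforce(lines: Iterable[str], window: int = WINDOW_SECONDS,
                      threshold: int = THRESHOLD) -> List[dict]:
    """Sliding-window failure count per source. A later success from a source that
    already tripped the threshold is reported separately: that is the alert to act on first."""
    recent: Dict[str, deque] = defaultdict(deque)      # src -> timestamps of failures in window
    total_failed: Dict[str, int] = defaultdict(int)
    users_tried: Dict[str, set] = defaultdict(set)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            total_failed[src] += 1
            users_tried[src].add(ev["user"])
            q = recent[src]
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append({"type": "bruteforce", "src": src, "failures": len(q),
                               "users": sorted(users_tried[src])})
        elif total_failed[src] >= threshold:
            alerts.append({"type": "success_after_bruteforce", "src": src,
                           "user": ev["user"], "failures": total_failed[src]})
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample it reports one `bruteforce` alert for 192.168.0.50 at the tenth failure (users tried: admin, root) and one `success_after_bruteforce` for the root login that follows; the single failure from 10.0.0.7 stays below threshold. The same per-source window applies to the RDP case with Windows event 4625 as the input instead of sshd lines.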
==metagoofil==
<syntaxhighlight lang="bash">
python metagoofil.py -d www.victima.com -l 20 -f pdf -o out.html -t out-files
</syntaxhighlight>
-d = target domain<br />
-l = maximum number of files to download<br />
-f = file type (pdf, doc, xls, all)<br />
-o = file the result will be saved to<br />
-t = directory that will hold the downloaded files<br />
==patator==
<nowiki>Patator v0.5 (http://code.google.com/p/patator/)
Usage: patator.py module --help

Available modules:
  + ftp_login : Brute-force FTP
  + ssh_login : Brute-force SSH
  + telnet_login : Brute-force Telnet
  + smtp_login : Brute-force SMTP
  + smtp_vrfy : Enumerate valid users using SMTP VRFY
  + smtp_rcpt : Enumerate valid users using SMTP RCPT TO
  + finger_lookup : Enumerate valid users using Finger
  + http_fuzz : Brute-force HTTP
  + pop_login : Brute-force POP3
  + pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
  + imap_login : Brute-force IMAP4
  + ldap_login : Brute-force LDAP
  + smb_login : Brute-force SMB
  + smb_lookupsid : Brute-force SMB SID-lookup
  + vmauthd_login : Brute-force VMware Authentication Daemon
  + mssql_login : Brute-force MSSQL
  + oracle_login : Brute-force Oracle
  + mysql_login : Brute-force MySQL
  + mysql_query : Brute-force MySQL queries
  + pgsql_login : Brute-force PostgreSQL
  + vnc_login : Brute-force VNC
  + dns_forward : Forward lookup names
  + dns_reverse : Reverse lookup subnets
  + snmp_login : Brute-force SNMP v1/2/3
  + unzip_pass : Brute-force the password of encrypted ZIP files
  + keystore_pass : Brute-force the password of Java keystore files
  + tcp_fuzz : Fuzz TCP services
  + dummy_test : Testing module
</nowiki>
==webscarab==
==smali==
<nowiki>
usage: java -jar smali.jar [options] [--] [<smali-file>|folder]*
assembles a set of smali files into a dex file
 -?,--help                    prints the help message then exits. Specify twice for debug options
 -a,--api-level <API_LEVEL>   The numeric api-level of the file to generate, e.g. 14 for ICS. If not
                              specified, it defaults to 14 (ICS).
 -o,--output <FILE>           the name of the dex file that will be written. The default is out.dex
 -v,--version                 prints the version then exits
 -x,--allow-odex-instructions allow odex instructions to be compiled into the dex file. Only a few
                              instructions are supported - the ones that can exist in a dead code path and
                              not cause dalvik to reject the class
</nowiki>
==paros==
GUI crawler
==oscanner==
<nowiki>
Oracle Scanner 1.0.6 by patrik@cqure.net
--------------------------------------
OracleScanner -s <ip> -r <repfile> [options]
 -s <servername>
 -f <serverlist>
 -P <portnr>
 -v be verbose
</nowiki>
==dirbuster==
another bruteforce application
==dirb==
Brute-force URLs with a wordlist:
<syntaxhighlight lang="bash">
dirb http://10.28.0.161/
</syntaxhighlight>

==hash-identifier==
==dbpwaudit==
<nowiki> DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]

 -s - Server name or address.
 -p - Port of database server/instance.
 -d - Database/Instance name to audit.
 -D - The alias of the driver to use (-L for aliases)
 -U - File containing usernames to guess.
 -P - File containing passwords to guess.
 -L - List driver aliases.
</nowiki>
==casefile==
==Vulnerability scan: uniscan==
<nowiki>
####################################
# Uniscan project                  #
# http://uniscan.sourceforge.net/  #
####################################
V. 6.2

OPTIONS:
 -h   help
 -u   <url> example: https://www.example.com/
 -f   <file> list of url's
 -b   Uniscan go to background
 -q   Enable Directory checks
 -w   Enable File checks
 -e   Enable robots.txt and sitemap.xml check
 -d   Enable Dynamic checks
 -s   Enable Static checks
 -r   Enable Stress checks
 -i   <dork> Bing search
 -o   <dork> Google search
 -g   Web fingerprint
 -j   Server fingerprint

usage:
 [1] perl ./uniscan.pl -u http://www.example.com/ -qweds
 [2] perl ./uniscan.pl -f sites.txt -bqweds
 [3] perl ./uniscan.pl -i uniscan
 [4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
 [5] perl ./uniscan.pl -o "inurl:test"
 [6] perl ./uniscan.pl -u https://www.example.com/ -r

report saved to: /usr/share/uniscan/report/www.example.com.html</nowiki>
vega (GUI)
==Rebind==
IP rebind attack for routers<br />
https://www.youtube.com/watch?v=0duYxPIx8gU<br />
http://rebind.googlecode.com
<nowiki>
Rebind v0.3.4

Usage: rebind [OPTIONS]

 -i <interface>   Specify the network interface to bind to
 -d <fqdn>        Specify your registered domain name
 -u <user>        Specify the Basic Authentication user name [admin]
 -a <pass>        Specify the Basic Authentication password [admin]
 -r <path>        Specify the initial URL request path [/]
 -t <ip>          Specify a comma separated list of target IP addresses [client IP]
 -n <time>        Specify the callback interval in milliseconds [2000]
 -p <port>        Specify the target port [80]
 -c <port>        Specify the callback port [81]
 -C <value>       Specify a cookie to set for the client
 -H <file>        Specify a file of HTTP headers for the client to send to the target</nowiki>
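Rebind works because a name under the attacker's registered domain (-d) is first answered with a public address and then, on the callback, re-answered with the router's LAN address, so the victim's browser keeps the same origin while its requests now reach the router. The standard defence sits in the resolver: refuse answers that map an external name to a private, loopback or link-local address, which is what dnsmasq's `--stop-dns-rebind` does. The following is an added example (not from the wiki page and not Rebind's code) of that filter in Python; the addresses and names are constructed, and the list of blocked ranges and the `internal_zones` exemption for split-horizon names are this example's own choices.

```python
"""Resolver-side filter against DNS rebinding: drop internal addresses from answers
for external names. Added example, not code from the wiki page or from Rebind;
the ranges, names and addresses below are constructed for the demonstration."""
import ipaddress
from typing import Iterable, List, Tuple

# Address blocks a public hostname should never legitimately resolve to (assumption:
# private, loopback, link-local, "this network" and their IPv6 counterparts).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]

def is_internal(addr: str) -> bool:
    """True if the address falls in one of the internal blocks above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def name_in_zones(name: str, zones: Iterable[str]) -> bool:
    """Case-insensitive suffix match, tolerant of a trailing dot on the name."""
    name = name.rstrip(".").lower()
    return any(name == z or name.endswith("." + z) for z in zones)

def filter_answers(name: str, answers: List[str],
                   internal_zones: Iterable[str] = ()) -> Tuple[List[str], List[str]]:
    """Split a DNS answer into (kept, dropped). Internal addresses are dropped unless the
    name belongs to a zone that is allowed to have them (split-horizon DNS)."""
    zones = [z.rstrip(".").lower() for z in internal_zones]
    kept, dropped = [], []
    for addr in answers:
        if is_internal(addr) and not name_in_zones(name, zones):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped

if __name__ == "__main__":
    # Constructed two-phase sequence of the kind Rebind produces: the first answer for the
    # attacker's name is public, the second (after the callback) is the router's LAN address.
    sequence = [("attacker.example", ["203.0.113.5"]), ("attacker.example", ["192.168.1.1"])]
    for name, answers in sequence:
        kept, dropped = filter_answers(name, answers)
        print(name, "kept", kept, "dropped", dropped)
    # A split-horizon zone keeps its internal answers.
    print(filter_answers("router.lan.example", ["192.168.1.1"], internal_zones=["lan.example"]))
```

The second answer in the constructed sequence is dropped, so the browser never receives a LAN address for the attacker's name and the -t target is unreachable through that origin. Application-side, the same idea is enforced by checking the Host header against the names a service expects to be reached under, since a rebound request still carries the attacker's hostname.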
==websploit==
[[Kali_Linux:_Wifi_Jamming|Wifi Jamming]]
Latest revision as of 20:19, 7 February 2020