Kali tools
crunch
Wordlist creation. Example:
crunch 6 6 + + + + -o 6charcapslowernumber.txt
generates a 6-character password list with lowercase, uppercase and numbers
+ = placeholder for the default charset in that position; the positional order is: lowercase, uppercase, numbers, special chars
-o --> output file
Charsets (-f)
crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
charset.txt:
numeric = [0123456789]
alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
loweralpha = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32-65-123-4 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
Specifying charsets on the command line:
crunch 6 6 0123456789ABCDEF
escape char: \ (needed for shell-special characters in the charset)
ABC\!\@\#\$
Patterns (-t)
crunch 8 8 -t @@@@@@56 -o /root/birthdaywordlist.lst
-t <pattern> = give crunch the pattern @@@@@@56. This generates 8-character passwords (6 variable lowercase characters and the 2 fixed characters 56) that all end with 56.
@ -- lower case alpha characters
, -- upper case alpha characters
% -- numeric characters
^ -- special characters (including space)
To specify a different character set for @, follow this example, where @ can be one of [123abcDEF]:
crunch 8 8 123abcDEF -t TEST@@@@
Enclose the character set in "" if it includes a space:
crunch 8 8 "123abcDEF " -t TEST@@@@
To use a placeholder character literally in a pattern, use -l:
crunch 6 6 -t b@d%%% -l @
crunch 8 8 -f charset.lst mixalpha -t pass@,%^ -l %^
-l tells crunch which placeholder characters in the pattern are literals, so they are emitted as fixed characters instead of being expanded
Pattern with limited characters (one charset per position class: lowercase, uppercase, numbers, symbols):
crunch 8 8 abcdef ABCDEF 12345 @#$%- -t @@,,%%^^
crunch 8 8 abcdef + 12345 + -t @@,,%%^^
Divided output (-b | -c)
crunch 6 6 0123456789 -b 1mb -o START
Creates 1 MB files
Size can be given in kb, mb, gb (base 1000) or kib, mib, gib (base 1024)
-o START must be given literally; crunch names each split file itself
crunch 6 6 0123456789 -c 200000 -o START
Splits the output into files with no more than 200000 lines each
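The charset file format, the -t placeholder classes and the -b/-c splitting above all reduce to counting: how many candidates a charset or pattern yields, how many bytes they take, and how many pieces the output becomes. The calculator below is an added example, not crunch's own code; it is useful on the defensive side for sizing the keyspace that a password policy leaves to an attacker. The placeholder classes, the -l handling (placeholder characters listed in `literals` are treated as fixed) and the sample charset file are assumptions constructed to mirror the description above.

```python
"""Keyspace and output-size estimator for crunch-style wordlists.

Added example (not crunch's own code): parses a charset file in the
'name = [chars]' format, counts the candidates a charset or -t pattern
produces, and estimates how many -b/-c pieces the output would become.
"""
import math
import re

# Constructed sample in the charset.txt format (a subset of the real file).
SAMPLE_CHARSET_FILE = r"""
numeric = [0123456789]
loweralpha = [abcdefghijklmnopqrstuvwxyz]
mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
"""

# Classes behind the -t placeholders (assumed to mirror crunch's defaults:
# lowercase / uppercase / digits / the 32 symbols plus space).
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ "
PLACEHOLDERS = {"@": LOWER, ",": UPPER, "%": DIGITS, "^": SYMBOLS}

SIZE_UNITS = {"kb": 10**3, "mb": 10**6, "gb": 10**9,
              "kib": 2**10, "mib": 2**20, "gib": 2**30}


def parse_charset_file(text):
    """Return {name: chars}. The bracket content may itself contain ']'
    (see ascii-32-95), so the greedy match runs to the last ']' on the line."""
    charsets = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*=\s*\[(.*)\]\s*$", line)
        if m:
            charsets[m.group(1)] = m.group(2)
    return charsets


def charset_keyspace(charset, min_len, max_len):
    """Candidates for 'crunch <min> <max> <charset>' without a pattern."""
    n = len(charset)
    return sum(n ** length for length in range(min_len, max_len + 1))


def pattern_keyspace(pattern, literals=""):
    """Candidates for 'crunch -t <pattern>': each placeholder multiplies the
    count by its class size; placeholder characters named in `literals`
    (the -l idea, simplified) and all other characters are fixed."""
    total = 1
    for ch in pattern:
        if ch in PLACEHOLDERS and ch not in literals:
            total *= len(PLACEHOLDERS[ch])
    return total


def wordlist_bytes(count, length):
    """On-disk size: every word plus its trailing newline."""
    return count * (length + 1)


def parse_size(spec):
    """Parse a -b size such as '1mb' or '10kib' into bytes
    (kb/mb/gb are base 1000, kib/mib/gib are base 1024)."""
    m = re.fullmatch(r"(\d+)\s*(kib|mib|gib|kb|mb|gb)", spec.strip().lower())
    if not m:
        raise ValueError(f"bad size spec: {spec!r}")
    return int(m.group(1)) * SIZE_UNITS[m.group(2)]


def split_by_size(total_bytes, size_spec):
    """Number of files 'crunch ... -b <size> -o START' would write."""
    return math.ceil(total_bytes / parse_size(size_spec))


def split_by_lines(count, lines_per_file):
    """Number of files 'crunch ... -c <lines> -o START' would write."""
    return math.ceil(count / lines_per_file)


if __name__ == "__main__":
    cs = parse_charset_file(SAMPLE_CHARSET_FILE)
    for name, chars in cs.items():
        print(f"{name:12s} {len(chars):3d} chars, fixed length 8: "
              f"{charset_keyspace(chars, 8, 8):,} candidates")
    n = pattern_keyspace("@@@@@@56")
    print(f"-t @@@@@@56 -> {n:,} words, {wordlist_bytes(n, 8):,} bytes")
    n = charset_keyspace("0123456789", 6, 6)
    print(f"6-digit numeric -> {n:,} words, -b 1mb gives "
          f"{split_by_size(wordlist_bytes(n, 6), '1mb')} files, "
          f"-c 200000 gives {split_by_lines(n, 200000)} files")
```

Run it as a script to see the counts for the sample charsets and the two commands above; the same functions can be pointed at the real /usr/share/rainbowcrack/charset.txt to compare, for example, how much larger the mixalpha-numeric keyspace is than loweralpha at a given minimum length.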
Stop at certain word (-e)
crunch 6 6 -t %%%%%% -e 333333
Creates a 6-character numeric wordlist, stopping at 333333
Invert direction from left->right to right->left (-i)
Words/Characters permutations (-p | -q)
-p: command line
-q: file
Words permutations:
crunch 1 1 -p bird cat dog
Letter permutations:
crunch 1 1 -p abcd
-p MUST be the last switch
crunch 1 1 -q test.txt
where test.txt is a word list (one word per line)
Stop/Resume Wordlist creation (ctrl+c/... -r)
crunch 8 8 0123456789 -o test.txt
Stop the creation with Ctrl+C, then restart with:
crunch 8 8 0123456789 -o test.txt -r
Note: if -s was used, remove it from the resume command
Start from specific position (-s)
crunch 7 7 0123456789 -s 9670549 -o test.txt
Will start at 9670549
Piping Crunch
use -u (disables the percentage output) and pipe stdout into the consuming tool:
crunch 8 8 -t %%%%%%%% -u | aircrack-ng -e SSID -w - /pathto/capfile.cap
crunch 8 8 -t %%%%%%%% -u | cowpatty -f - -r /pathto/capfile.cap -s SSID
crunch 8 8 -t %%%%%%%% -u | pyrit -i - -r /pathto/capfile.cap -e ESSID attack_passthrough
Compressing (-z)
- gzip (quick)
- bzip2
- lzma (smallest)
crunch 6 6 -f charset.lst lalpha -o test.txt -z gzip
crunch 6 6 -f charset.lst lalpha -o test.txt -z bzip2
crunch 6 6 -f charset.lst lalpha -o test.txt -z lzma
Hydra
SSH brute force (-e ns additionally tries an empty password and the login name as password; -t 16 = parallel tasks)
hydra -s 22 -v -V -l root -P <path_to_wordlist> -e ns -t 16 192.168.0.101 ssh
metagoofil
python metagoofil.py -d www.victima.com -l 20 -f pdf -o out.html -t out-files
-d = target domain
-l = maximum number of files to download
-f = file type (pdf, doc, xls, all)
-o = file in which the result is saved
-t = directory that will hold the downloaded files
patator
Patator v0.5 (http://code.google.com/p/patator/)
Usage: patator.py module --help
Available modules:
+ ftp_login : Brute-force FTP
+ ssh_login : Brute-force SSH
+ telnet_login : Brute-force Telnet
+ smtp_login : Brute-force SMTP
+ smtp_vrfy : Enumerate valid users using SMTP VRFY
+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO
+ finger_lookup : Enumerate valid users using Finger
+ http_fuzz : Brute-force HTTP
+ pop_login : Brute-force POP3
+ pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
+ imap_login : Brute-force IMAP4
+ ldap_login : Brute-force LDAP
+ smb_login : Brute-force SMB
+ smb_lookupsid : Brute-force SMB SID-lookup
+ vmauthd_login : Brute-force VMware Authentication Daemon
+ mssql_login : Brute-force MSSQL
+ oracle_login : Brute-force Oracle
+ mysql_login : Brute-force MySQL
+ mysql_query : Brute-force MySQL queries
+ pgsql_login : Brute-force PostgreSQL
+ vnc_login : Brute-force VNC
+ dns_forward : Forward lookup names
+ dns_reverse : Reverse lookup subnets
+ snmp_login : Brute-force SNMP v1/2/3
+ unzip_pass : Brute-force the password of encrypted ZIP files
+ keystore_pass : Brute-force the password of Java keystore files
+ tcp_fuzz : Fuzz TCP services
+ dummy_test : Testing module
webscarab
smali
usage: java -jar smali.jar [options] [--] [<smali-file>|folder]*
assembles a set of smali files into a dex file
-?,--help                      prints the help message then exits. Specify twice for debug options
-a,--api-level <API_LEVEL>     The numeric api-level of the file to generate, e.g. 14 for ICS. If not specified, it defaults to 14 (ICS).
-o,--output <FILE>             the name of the dex file that will be written. The default is out.dex
-v,--version                   prints the version then exits
-x,--allow-odex-instructions   allow odex instructions to be compiled into the dex file. Only a few instructions are supported - the ones that can exist in a dead code path and not cause dalvik to reject the class
paros
GUI web proxy/crawler
oscanner
Oracle Scanner 1.0.6 by patrik@cqure.net
--------------------------------------
OracleScanner -s <ip> -r <repfile> [options]
-s <servername>
-f <serverlist>
-P <portnr>
-v be verbose
dirbuster
directory/file brute-force tool for web servers
hash-identifier
dbpwaudit
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
----------------------------------------------------
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]
-s - Server name or address.
-p - Port of database server/instance.
-d - Database/Instance name to audit.
-D - The alias of the driver to use (-L for aliases)
-U - File containing usernames to guess.
-P - File containing passwords to guess.
-L - List driver aliases.
casefile
Vulnerability scan: uniscan
Uniscan project - http://uniscan.sourceforge.net/ - V. 6.2
OPTIONS:
-h help
-u <url> example: https://www.example.com/
-f <file> list of url's
-b Uniscan go to background
-q Enable Directory checks
-w Enable File checks
-e Enable robots.txt and sitemap.xml check
-d Enable Dynamic checks
-s Enable Static checks
-r Enable Stress checks
-i <dork> Bing search
-o <dork> Google search
-g Web fingerprint
-j Server fingerprint
usage:
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r
report saved to: /usr/share/uniscan/report/www.example.com.html
vega (GUI)
Rebind
DNS rebinding attack tool against routers
https://www.youtube.com/watch?v=0duYxPIx8gU
http://rebind.googlecode.com
Rebind v0.3.4
Usage: rebind [OPTIONS]
-i <interface> Specify the network interface to bind to
-d <fqdn> Specify your registered domain name
-u <user> Specify the Basic Authentication user name [admin]
-a <pass> Specify the Basic Authentication password [admin]
-r <path> Specify the initial URL request path [/]
-t <ip> Specify a comma separated list of target IP addresses [client IP]
-n <time> Specify the callback interval in milliseconds [2000]
-p <port> Specify the target port [80]
-c <port> Specify the callback port [81]
-C <value> Specify a cookie to set for the client
-H <file> Specify a file of HTTP headers for the client to send to the target