Kali tools
crunch
Word list creation. Example:
crunch 6 6 + + + -o 6charcapslowernumber.txt
+ is a placeholder for the default charset of that position (lowercase, uppercase, numbers, symbols, in that order); with three pluses this generates a list of 6-character passwords built from lowercase, uppercase and numbers.
Charsets
crunch 8 8 -f /usr/share/rainbowcrack/charset.txt mixalpha -o /root/alphawordlist.lst
charset.txt:
numeric = [0123456789]
alpha = [ABCDEFGHIJKLMNOPQRSTUVWXYZ]
alpha-numeric = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
loweralpha = [abcdefghijklmnopqrstuvwxyz]
loweralpha-numeric = [abcdefghijklmnopqrstuvwxyz0123456789]
mixalpha = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ]
mixalpha-numeric = [abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789]
ascii-32-95 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~]
ascii-32-65-123-4 = [ !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`{|}~]
alpha-numeric-symbol32-space = [ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_+=~`[]{}|\:;"'<>,.?/ ]
Pattern
crunch 8 8 -t @@@@@@56 -o /root/birthdaywordlist.lst
-t <pattern> gives crunch the pattern @@@@@@56. This generates passwords 8 characters long (6 variable lower-case characters followed by the fixed suffix 56), so every word ends with 56.
Placeholders usable in a pattern:
@ -- lower case alpha characters
, -- upper case alpha characters
% -- numeric characters
^ -- special characters (including space)
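Added example (not part of the original notes and not crunch's own code): a small Python model of how a crunch -t pattern expands, so you can size a wordlist before writing it to disk. The @ , % ^ placeholder classes follow the crunch man page; the exact symbol set used for ^ is an assumption, and any other character in the pattern is treated as a fixed literal.

```python
import itertools
import string

# Placeholder classes from the crunch man page for -t. The symbol set for ^ is
# an assumption that mirrors crunch's default symbols; it is not from the notes.
PLACEHOLDERS = {
    "@": string.ascii_lowercase,
    ",": string.ascii_uppercase,
    "%": string.digits,
    "^": "!@#$%^&*()-_+=~`[]{}|\\:;\"'<>,.?/ ",
}


def parse_pattern(pattern):
    """Turn a crunch -t pattern into one candidate string per position.
    Any character that is not a placeholder is a fixed literal."""
    return [PLACEHOLDERS.get(ch, ch) for ch in pattern]


def keyspace(pattern):
    """Number of words the pattern expands to (product of per-position choices)."""
    total = 1
    for choices in parse_pattern(pattern):
        total *= len(choices)
    return total


def estimate_bytes(pattern):
    """Approximate output file size: every word plus a newline."""
    return keyspace(pattern) * (len(pattern) + 1)


def expand_pattern(pattern):
    """Generate the words lazily, rightmost position changing fastest
    (the same odometer order crunch uses)."""
    for combo in itertools.product(*parse_pattern(pattern)):
        yield "".join(combo)


def fixed_length_keyspace(length, charset):
    """Keyspace for the plain form 'crunch N N <charset>' with no pattern."""
    return len(charset) ** length


if __name__ == "__main__":
    # The notes' pattern example: six variable lowercase letters ending in 56
    print(keyspace("@@@@@@56"), "words,", estimate_bytes("@@@@@@56"), "bytes")
    # The notes' first example: 6 chars drawn from lower + upper + digits
    print(fixed_length_keyspace(6, string.ascii_letters + string.digits), "words")
    # A tiny pattern printed in full to show the ordering
    print(list(expand_pattern("%5")))
```

Run it once before generating a list: @@@@@@56 is 26^6 words (about 2.8 GB of output), while a 6-character mixed-case alphanumeric list is 62^6 words, which is why crunch itself prints the size and asks before writing anything.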
Hydra
SSH bruteforce
hydra -s 22 -v -V -l root -P <path_to_wordlist> -e ns -t 16 192.168.0.101 ssh
(-e ns additionally tries an empty password and the login name as password; -t 16 runs 16 parallel connections)
metagoofil
python metagoofil.py -d www.victima.com -l 20 -f pdf -o out.html -t out-files
-d = target domain
-l = maximum number of files to download
-f = file type (pdf, doc, xls, all)
-o = file in which the result will be saved
-t = directory that will hold the downloaded files
patator
Patator v0.5 (http://code.google.com/p/patator/)
Usage: patator.py module --help
Available modules:
+ ftp_login : Brute-force FTP
+ ssh_login : Brute-force SSH
+ telnet_login : Brute-force Telnet
+ smtp_login : Brute-force SMTP
+ smtp_vrfy : Enumerate valid users using SMTP VRFY
+ smtp_rcpt : Enumerate valid users using SMTP RCPT TO
+ finger_lookup : Enumerate valid users using Finger
+ http_fuzz : Brute-force HTTP
+ pop_login : Brute-force POP3
+ pop_passd : Brute-force poppassd (http://netwinsite.com/poppassd/)
+ imap_login : Brute-force IMAP4
+ ldap_login : Brute-force LDAP
+ smb_login : Brute-force SMB
+ smb_lookupsid : Brute-force SMB SID-lookup
+ vmauthd_login : Brute-force VMware Authentication Daemon
+ mssql_login : Brute-force MSSQL
+ oracle_login : Brute-force Oracle
+ mysql_login : Brute-force MySQL
+ mysql_query : Brute-force MySQL queries
+ pgsql_login : Brute-force PostgreSQL
+ vnc_login : Brute-force VNC
+ dns_forward : Forward lookup names
+ dns_reverse : Reverse lookup subnets
+ snmp_login : Brute-force SNMP v1/2/3
+ unzip_pass : Brute-force the password of encrypted ZIP files
+ keystore_pass : Brute-force the password of Java keystore files
+ tcp_fuzz : Fuzz TCP services
+ dummy_test : Testing module
webscarab
smali
usage: java -jar smali.jar [options] [--] [<smali-file>|folder]*
assembles a set of smali files into a dex file
-?,--help prints the help message then exits. Specify twice for debug options
-a,--api-level <API_LEVEL> The numeric api-level of the file to generate, e.g. 14 for ICS. If not
specified, it defaults to 14 (ICS).
-o,--output <FILE> the name of the dex file that will be written. The default is out.dex
-v,--version prints the version then exits
-x,--allow-odex-instructions allow odex instructions to be compiled into the dex file. Only a few
instructions are supported - the ones that can exist in a dead code path and
not cause dalvik to reject the class
paros
GUI crawler
oscanner
Oracle Scanner 1.0.6 by patrik@cqure.net
OracleScanner -s <ip> -r <repfile> [options]
-s <servername>
-f <serverlist>
-P <portnr>
-v be verbose
dirbuster
another bruteforce application
dbpwaudit
DBPwAudit v0.8 by Patrik Karlsson <patrik@cqure.net>
DBPwAudit -s <server> -d <db> -D <driver> -U <users> -P <passwords> [options]
-s - Server name or address.
-p - Port of database server/instance.
-d - Database/Instance name to audit.
-D - The alias of the driver to use (-L for aliases)
-U - File containing usernames to guess.
-P - File containing passwords to guess.
-L - List driver aliases.
casefile
Vulnerability scan
uniscan
Uniscan project (http://uniscan.sourceforge.net/) V. 6.2
OPTIONS:
-h help
-u <url> example: https://www.example.com/
-f <file> list of url's
-b Uniscan go to background
-q Enable Directory checks
-w Enable File checks
-e Enable robots.txt and sitemap.xml check
-d Enable Dynamic checks
-s Enable Static checks
-r Enable Stress checks
-i <dork> Bing search
-o <dork> Google search
-g Web fingerprint
-j Server fingerprint
usage:
[1] perl ./uniscan.pl -u http://www.example.com/ -qweds
[2] perl ./uniscan.pl -f sites.txt -bqweds
[3] perl ./uniscan.pl -i uniscan
[4] perl ./uniscan.pl -i "ip:xxx.xxx.xxx.xxx"
[5] perl ./uniscan.pl -o "inurl:test"
[6] perl ./uniscan.pl -u https://www.example.com/ -r
report saved to: /usr/share/uniscan/report/www.example.com.html
vega (GUI)
Rebind
DNS rebinding attack tool for routers
https://www.youtube.com/watch?v=0duYxPIx8gU
http://rebind.googlecode.com
Rebind v0.3.4
Usage: rebind [OPTIONS]
-i <interface> Specify the network interface to bind to
-d <fqdn> Specify your registered domain name
-u <user> Specify the Basic Authentication user name [admin]
-a <pass> Specify the Basic Authentication password [admin]
-r <path> Specify the initial URL request path [/]
-t <ip> Specify a comma separated list of target IP addresses [client IP]
-n <time> Specify the callback interval in milliseconds [2000]
-p <port> Specify the target port [80]
-c <port> Specify the callback port [81]
-C <value> Specify a cookie to set for the client
-H <file> Specify a file of HTTP headers for the client to send to the target