Pentesting tools

hydra options $user/$passOptions $ip/$url serviceOptions
Example I used during a CTF to find valid usernames:

hydra -L usernames.txt -p password -f -s 5001 35.227.x.x http-post-form "/hash/login:username=^USER^&password=^PASS^:Invalid username" -t 64

Another bruteforcing tool, for password hashes this time. I explain how to add a new rule in this post.

john --wordlist=password.lst --rules mypasswd

hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 200 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking.

Important note: a VM won't have access to your hardware so you'll need to do modifications to make it work as it will try to use GPU.

I use this tool a lot for SQL injections. For more information, check this tutorial.

sqlmap -u $url options

Very useful option:
--forms: Parse and test forms

WPScan is a free, for non-commercial use, black box WordPress vulnerability scanner written for security professionals and blog maintainers to test the security of their sites.

wpscan --url myblog.com

If a more stealthy approach is required, then
wpscan --stealthy --url myblog.com can be used.

When using the --enumerate option, don't forget to set the --plugins-detection accordingly, as its default is 'passive'.

The PHP reverse shell I use the most, you'll find it on this page with a tutorial on how to use it. Explore the rest of the Pentestmonkey website, it's great.

SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

No need to introduce this extremely useful tool, but here my usual command if it interests you:
nmap -sV -sC -oN myscan.txt $ip

• -sV: Version/Service info
• -sC: Run default scripts
• -oN: Normal output

Or the shorter version which combines sV and sC:
nmap -A -oN myscan.txt $ip

And if you do not need to be discreet (for certain CTFs without firewall f.ex.), you can add T5 which is the insane mode. T0 being the paranoid mode and will be a very slow scan.
nmap -A -T5 -oN myscan.txt $ip

Useful one-liner to look all the scripts that nmap can provide:
locate -r '\.nse$' | xargs grep categories | grep 'default\|version'

Let's say you're looking for SMB scripts:
locate -r '\.nse$' | xargs grep categories | grep 'default\|version' | grep smb

Extremely useful for enumeration, Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing, etc.

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.1.202/FUZZ

Another enumeration tool I use a lot.

dirb http://$ip/ /usr/share/wordlists/dirb/common.txt

Never enough enumeration tools! One more. This one as a GUI, so just type the command 'dirbuster' and it will launch the program.

Did I say enumeration again? Nikto is the last enumeration tool I use. Never underestimate an effective enumeration during the recon phase.

nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -host $ip

I know, I know: more enumeration. But trust me having different tools to enumerate directories often helped me during CTFs in the recon phase. Just choose the ones that will do the job.

gobuster -e -u $ip -w $wordlist

Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. Sublist3r enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu, and Ask. Sublist3r also enumerates subdomains using Netcraft, Virustotal, ThreatCrowd, DNSdumpster, and ReverseDNS.

python sublist3r.py -d example.com

List of Awesome Red Team / Red Teaming Resources. This list is for anyone wishing to learn about Red Teaming but do not have a starting point.

Osmedeus allows you automated run the collection of awesome tools to reconnaissance and vulnerability scanning against the target. Even has a slack bot to send notifications!

./osmedeus.py -t example.com

XSS Hunter allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS. The service works by hosting specialized XSS probes which, upon firing, scan the page and send information about the vulnerable page to the XSS Hunter service.

Upon signing up you will create a special xss.ht short domain such as yoursubdomain.xss.ht which identifies your XSS vulnerabilities and hosts your payload. You then use this subdomain in your XSS testing and XSS Hunter will automatically serve up XSS probes and collect the resulting information when they fire.

pspy is a command line tool designed to snoop on processes without need for root permissions. It allows you to see commands run by other users, cron jobs, etc. as they execute. Great for enumeration of Linux systems in CTFs. Also great to demonstrate your colleagues why passing secrets as arguments on the command line is a bad idea.

Scripted Local Linux Enumeration & Privilege Escalation Checks.

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques.

This is a template for a pentest report kindly given by the Cyber Mentor (subscribe to his channel, awesome content), and in his own words:

"I am frequently asked what an actual pentest report looks like. I am providing a barebones demo report for "demo company" that consisted of an external penetration test. The report only includes one finding and is meant to be a starter template for others to use. Please feel free to download and make this your own."

A simple, intuitive web app for analysing and decoding data without having to deal with complex tools or programming languages. CyberChef encourages both technical and non-technical people to explore data formats, encryption and compression.

Extremely usefull to quickly decrypt simple hashes. Highly recommend.

ExifTool is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files.

Wireshark is the world’s foremost and widely-used network protocol analyzer. It lets you see what’s happening on your network at a microscopic level and is the standard.

In many forensic CTF challenges, you might have a pcap (Packet Capture Data) to analyze and Wireshark is more than often the best tool to do that.

A much bigger inventory of tools and resources about CyberSecurity than mine here. Highly recommend if you want to scroll around and look at all the awesome tools that we have to play with.

explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page.
Tool recommended for this list by @n1cfury

A list of useful payloads and bypasses for Web Application Security.

You can contribute through pull requests, beers IRL or with buymeacoffee.com