Tools and Utilities

Here we can find some tools and utilities commonly used for practices related to web exploitation:

Burp Suite

A digital platform that collects tools for specialized web penetration testing
Is a framework written in Java that aims to provide a one-stop-shop for web application penetration testing
Capture and manipulate all of the traffic between an attacker and a web server
Can intercept, view, and modify requests
Burp Suite has modules that can be added

Features

Proxy: Allows us to intercept and modify requests/responses
Repeater: Allows us to capture, modify, and then resend the same request numerous times. We could craft requests by hand too
Intruder: Allows us to spray an endpoint with requests
Decoder: This allows us to transform data, decode captured information, or encode a payload
Comparer: Allows us to compare two pieces of data at either word or byte level
Sequencer: Help us asses random tokens or other generated data

Configuration

For configuring HTTP Proxy:
- We required the FoxyProxy extension
- Create a proxy profile on FoxyProxy specifying IP as 127.0.0.1 and PORT as 8080
- Select the profile on the extension
- Then go to the burp suite proxy tab and set intercept to on
For configuring HTTPS Proxy:
- Activate the proxy and go to http://burp/cert on the browser
- Download the cacert.der file
- Go to about:preferences on the browser
- Search Certificates and select View Certificates
- Click on Import and select the cacer.der file
- Mark Trust this CA to identify websites and save all

Utilities

To define a scope:
- Go to the target tab
- On the left side select the IP/Domain
- Right-click it and select Add to scope
- Then go to proxy settings on the proxy tab
- Go to the Request Interception part and mark And URL is in target scope
- Go to proxy settings then to the Response Interception part and mark Intercept responses and Or Request was intercepted

Hotkeys

Ctrl+R: Send the petition to Repeater
Ctlr+U: URL-encode selected text

Commands

Installation

sudo apt install burpsuite

ZAP

Proxy utility to intercept network traffic and generate attacks on websites
Stands for Zed Attack Proxy

Commands

Installation

sudo apt install zaproxy

Features

Contexts: Delimit the scope of the scanning
Spider: Use spidering to get links in the code of a website
Active scan: Attacks the website to get more information
Alerts: Give vulnerabilities found on the website
Sites: Shows all the URLs spidered with their petitions and vulnerabilities
History: Shows petitions made to target sites

Configuration

For configuring HTTP Proxy:
- Install SwitchyOmega extension
- Configure server to localhost and port to 8080 and save changes
For configuring HTTPS Proxy:
- Go to options>Network>Server Certificates and save the certificate
- Go to your browser settings, search for certificates, and import the downloaded certificate in the Authorities section (If the browser doesn't have this tab, import it on the certificates section)
- Mark Trust this CA to identify websites and save all

Utilities

Go to the adds-on tab, update all installed and from marketplace install, Directory List 2.3, Directory List 2.3 LC, FuzzDB Files, FuzzDB Ofensive, python scripting, community scripts, custom payloads, JSON view, JWT support, Viewstate
Go to Options>Network>Global Exclusions and mark Site - Google Chrome extension updates and Site - Google Analytics. Then go to Add and create a new entry with the expression ^https?://.*\.brave\.com.*$ and another with the expression ^https?://.*\.gstatic\.com.*$
Go to Options>HUD and unmark Enable when using the ZAP desktop and welcome screen when a browser is opened
Right-click petitions, go to Save Raw>Request>All or Save Raw>Response>All, to save information about them for posterior use

Usage

For fuzzing:
- Select a part of the request, right-click it, and select Fuzz
- Select the Payloads button, and select the dictionary file or enter custom words
- In the Fuzz>Message Processors tab add a new one of type Tag Creator and set it to categorize responses with specific content
To handle user tokens, go to Options>Anti-CSRF Tokens, and add the token's parameter name to the petition
For enumeration, we can use automatic tools like external fuzzers and redirect the requests to ZAP, use the Spider option, use the AJAX Spider option in the context we have defined, and even complement with manual enumeration
Configure attacks of specific types for the Active Scan option. We right-click a petition and go to Attack>Active Scan>Scop, mark Show Advanced Options, then go to the Policy tab and set the desired options
Double-click a context and go to the Authentication tab to set the proper specifications for the credentials handle of the session
Generate interactive reports via Report>Generate Report on the options bar

Tips

Configure Global Alert Filters and Passive Scan Rules on Options to deactivate or set your own grade for the alert of a vulnerability
From the History tab, you can right-click and select Open/Resend with Request Editor to modify a petition made before and send it again
In Options>Anti-CSRF cert token add the tokens detected in forms POST petitions
When not getting a consistent token handle in the Fuzz>Options tab reduce the threads to 1
When getting 304 responses go to Fuzz>Options mark Follow Redirects
For doing SQLi via the Fuzz option we can use the file fuzzer FuzzDB
Export petitions in raw format to use them in other tools, for example in SQLmap for SQLi
Try intercepting requests with the option Set Break (the green circle button on the options bar) to analyze and modify the content before reaching the destination endpoint

Hacktools

Browser extension that helps us with scripts, commands, and tips for web attacks

FoxyProxy

Browser extension that helps us to create proxies, usually for request-response analysis

Proxy SwitchyOmega

Browser extension that helps us to create proxies, similar to FoxyProxy but for Chrome-based browser

Wappalyzer

Browser extension that gives us anonymous information about websites visited, including domain name and identified technologies.

Daniel Miessler Wordlists

Well-known wordlists for almost every process of fuzzing or brute-forcing

Gobuster

Directory and file brute-forcing tool used to find hidden files, directories, and subdomains on websites
It operates by sending HTTP requests based on a wordlist and identifying resources that are not publicly linked but still accessible

Commands

Installation

sudo apt install gobuster

Scan

gobuster -u $URL #Scan url
gobuster -u $url-w $wordlist #Specify wordlist path
gobuster dir -u $url -w $wordlist #Directory and file mode
gobuster dns -u $url -w $wordlist #For DNS enumeration
gobuster vhost -u $url -w $wordlist #Subdomain mode
gobuster vhost -u $url -w $wordlist --append-domain #To set de subdomain first

ffuf

Flexible and fast web fuzzing tool used for brute-forcing directories, files, subdomains, and more

Commands

Installation

sudo apt install ffuf

Scan

ffuf -u $URL/FUZZ -w $wordlist #FUZZ to fill the part to be fuzz
ffuf -u $URL/FUZZ -w $wordlist -o $filename #get output in a file

Note: Optional keywords can be added after $wordlist separating them with ,

dirb

Web content scanner that automates the task of discovering hidden directories and files on a web server by brute-forcing URL paths using a wordlist

Commands

Installation

sudo apt install dirb

Scan

dirb $URL #Scan URL
dirb $URL $wordlist #Use wordlist
dirb $URL $wordlist -w #Ignore warning messages
dirb $URL $wordlist -u $username:$password #Use 
dirb $URL $wordlist -E $certificate  #Use certificate

Nikto

Tool for scanning vulnerabilities of websites

Commands

Installation

sudo apt install nikto

Usage

nikto -h $host        #Scan a website
nikto -h $host -ssl   #Scan a website using HTTPS
nikto -h $IPtxtFile   #Scan all directions from a text file
nikto -h $host -o $outFile    #Output results to a file
nikto -h $host -o $outFile -Format $format #Indicate format of the output

gvm

Open-Source Vulnerability Management suite used as a vulnerability scanner

Commands

Installation

sudo apt install gvm

Usage

sudo gvm-start #Start tool

Payload Box

GitHub repository with payloads for different web application attacks

Feroxbuster

Directory and file brute-forcing tool (fuzzer) written in Rust

Commands

Installation

sudo apt install feroxbuster

Scan

feroxbuster -u $URL #Scan URL
feroxbuster -u $url -w $wordlist #Specify wordlist path
feroxbuster -u $url -t $threads #Specify number of concurrent threads
feroxbuster -u $url -L $threads #Limit number of concurrent scans
feroxbuster -u $url -t $threads #Specify file for output
feroxbuster -u $url -x $extension #Specify extension of files
feroxbuster -u $url -n #Don't scan recursively folders or endpoints

Last updated 2 months ago

Was this helpful?

Tools and Utilities

Here we can find some tools and utilities commonly used for practices related to web exploitation:

Burp Suite

A digital platform that collects tools for specialized web penetration testing
Is a framework written in Java that aims to provide a one-stop-shop for web application penetration testing
Capture and manipulate all of the traffic between an attacker and a web server
Can intercept, view, and modify requests
Burp Suite has modules that can be added

Features

Proxy: Allows us to intercept and modify requests/responses
Repeater: Allows us to capture, modify, and then resend the same request numerous times. We could craft requests by hand too
Intruder: Allows us to spray an endpoint with requests
Decoder: This allows us to transform data, decode captured information, or encode a payload
Comparer: Allows us to compare two pieces of data at either word or byte level
Sequencer: Help us asses random tokens or other generated data

Configuration

For configuring HTTP Proxy:
- We required the FoxyProxy extension
- Create a proxy profile on FoxyProxy specifying IP as 127.0.0.1 and PORT as 8080
- Select the profile on the extension
- Then go to the burp suite proxy tab and set intercept to on
For configuring HTTPS Proxy:
- Activate the proxy and go to http://burp/cert on the browser
- Download the cacert.der file
- Go to about:preferences on the browser
- Search Certificates and select View Certificates
- Click on Import and select the cacer.der file
- Mark Trust this CA to identify websites and save all

Utilities

To define a scope:
- Go to the target tab
- On the left side select the IP/Domain
- Right-click it and select Add to scope
- Then go to proxy settings on the proxy tab
- Go to the Request Interception part and mark And URL is in target scope
- Go to proxy settings then to the Response Interception part and mark Intercept responses and Or Request was intercepted

Hotkeys

Ctrl+R: Send the petition to Repeater
Ctlr+U: URL-encode selected text

Commands

Installation

sudo apt install burpsuite

ZAP

Proxy utility to intercept network traffic and generate attacks on websites
Stands for Zed Attack Proxy

Commands

Installation

sudo apt install zaproxy

Features

Contexts: Delimit the scope of the scanning
Spider: Use spidering to get links in the code of a website
Active scan: Attacks the website to get more information
Alerts: Give vulnerabilities found on the website
Sites: Shows all the URLs spidered with their petitions and vulnerabilities
History: Shows petitions made to target sites

Configuration

For configuring HTTP Proxy:
- Install SwitchyOmega extension
- Configure server to localhost and port to 8080 and save changes
For configuring HTTPS Proxy:
- Go to options>Network>Server Certificates and save the certificate
- Go to your browser settings, search for certificates, and import the downloaded certificate in the Authorities section (If the browser doesn't have this tab, import it on the certificates section)
- Mark Trust this CA to identify websites and save all

Utilities

Go to the adds-on tab, update all installed and from marketplace install, Directory List 2.3, Directory List 2.3 LC, FuzzDB Files, FuzzDB Ofensive, python scripting, community scripts, custom payloads, JSON view, JWT support, Viewstate
Go to Options>Network>Global Exclusions and mark Site - Google Chrome extension updates and Site - Google Analytics. Then go to Add and create a new entry with the expression ^https?://.*\.brave\.com.*$ and another with the expression ^https?://.*\.gstatic\.com.*$
Go to Options>HUD and unmark Enable when using the ZAP desktop and welcome screen when a browser is opened
Right-click petitions, go to Save Raw>Request>All or Save Raw>Response>All, to save information about them for posterior use

Usage

For fuzzing:
- Select a part of the request, right-click it, and select Fuzz
- Select the Payloads button, and select the dictionary file or enter custom words
- In the Fuzz>Message Processors tab add a new one of type Tag Creator and set it to categorize responses with specific content
To handle user tokens, go to Options>Anti-CSRF Tokens, and add the token's parameter name to the petition
For enumeration, we can use automatic tools like external fuzzers and redirect the requests to ZAP, use the Spider option, use the AJAX Spider option in the context we have defined, and even complement with manual enumeration
Configure attacks of specific types for the Active Scan option. We right-click a petition and go to Attack>Active Scan>Scop, mark Show Advanced Options, then go to the Policy tab and set the desired options
Double-click a context and go to the Authentication tab to set the proper specifications for the credentials handle of the session
Generate interactive reports via Report>Generate Report on the options bar

Tips

Configure Global Alert Filters and Passive Scan Rules on Options to deactivate or set your own grade for the alert of a vulnerability
From the History tab, you can right-click and select Open/Resend with Request Editor to modify a petition made before and send it again
In Options>Anti-CSRF cert token add the tokens detected in forms POST petitions
When not getting a consistent token handle in the Fuzz>Options tab reduce the threads to 1
When getting 304 responses go to Fuzz>Options mark Follow Redirects
For doing SQLi via the Fuzz option we can use the file fuzzer FuzzDB
Export petitions in raw format to use them in other tools, for example in SQLmap for SQLi
Try intercepting requests with the option Set Break (the green circle button on the options bar) to analyze and modify the content before reaching the destination endpoint

Hacktools

Browser extension that helps us with scripts, commands, and tips for web attacks

FoxyProxy

Browser extension that helps us to create proxies, usually for request-response analysis

Proxy SwitchyOmega

Browser extension that helps us to create proxies, similar to FoxyProxy but for Chrome-based browser

Wappalyzer

Browser extension that gives us anonymous information about websites visited, including domain name and identified technologies.

Daniel Miessler Wordlists

Well-known wordlists for almost every process of fuzzing or brute-forcing

Gobuster

Directory and file brute-forcing tool used to find hidden files, directories, and subdomains on websites
It operates by sending HTTP requests based on a wordlist and identifying resources that are not publicly linked but still accessible

Commands

Installation

sudo apt install gobuster

Scan

gobuster -u $URL #Scan url
gobuster -u $url-w $wordlist #Specify wordlist path
gobuster dir -u $url -w $wordlist #Directory and file mode
gobuster dns -u $url -w $wordlist #For DNS enumeration
gobuster vhost -u $url -w $wordlist #Subdomain mode
gobuster vhost -u $url -w $wordlist --append-domain #To set de subdomain first

ffuf

Flexible and fast web fuzzing tool used for brute-forcing directories, files, subdomains, and more

Commands

Installation

sudo apt install ffuf

Scan

ffuf -u $URL/FUZZ -w $wordlist #FUZZ to fill the part to be fuzz
ffuf -u $URL/FUZZ -w $wordlist -o $filename #get output in a file

Note: Optional keywords can be added after $wordlist separating them with ,

dirb

Web content scanner that automates the task of discovering hidden directories and files on a web server by brute-forcing URL paths using a wordlist

Commands

Installation

sudo apt install dirb

Scan

dirb $URL #Scan URL
dirb $URL $wordlist #Use wordlist
dirb $URL $wordlist -w #Ignore warning messages
dirb $URL $wordlist -u $username:$password #Use 
dirb $URL $wordlist -E $certificate  #Use certificate

Nikto

Tool for scanning vulnerabilities of websites

Commands

Installation

sudo apt install nikto

Usage

nikto -h $host        #Scan a website
nikto -h $host -ssl   #Scan a website using HTTPS
nikto -h $IPtxtFile   #Scan all directions from a text file
nikto -h $host -o $outFile    #Output results to a file
nikto -h $host -o $outFile -Format $format #Indicate format of the output

gvm

Open-Source Vulnerability Management suite used as a vulnerability scanner

Commands

Installation

sudo apt install gvm

Usage

sudo gvm-start #Start tool

Payload Box

GitHub repository with payloads for different web application attacks

Feroxbuster

Directory and file brute-forcing tool (fuzzer) written in Rust

Commands

Installation

sudo apt install feroxbuster

Scan

feroxbuster -u $URL #Scan URL
feroxbuster -u $url -w $wordlist #Specify wordlist path
feroxbuster -u $url -t $threads #Specify number of concurrent threads
feroxbuster -u $url -L $threads #Limit number of concurrent scans
feroxbuster -u $url -t $threads #Specify file for output
feroxbuster -u $url -x $extension #Specify extension of files
feroxbuster -u $url -n #Don't scan recursively folders or endpoints

Last updated 2 months ago

Was this helpful?