# Tools and Utilities

Here we can find some tools and utilities commonly used for practices related to web exploitation:

## <mark style="color:green;">Burp Suite</mark>

* A digital platform that collects tools for specialized web penetration testing
* It is a framework written in Java that aims to provide a one-stop shop for web application penetration testing
* Capture and manipulate all of the traffic between an attacker and a web server
* Can intercept, view, and modify requests
* Burp Suite has modules that can be added

### <mark style="color:yellow;">**Features**</mark>

* **Proxy:** Allows us to intercept and modify requests/responses
* **Repeater:** Allows us to capture, modify, and then resend the same request numerous times. We could also craft requests by hand
* **Intruder:** Allows us to spray an endpoint with requests
* **Decoder:** This allows us to transform data, decode captured information, or encode a payload
* **Comparer:** Allows us to compare two pieces of data at either the word or byte level
* **Sequencer:** Helps us assess the randomness of session tokens or other generated data

### <mark style="color:yellow;">Configuration</mark>

* **For configuring HTTP Proxy:**
  * We require the *FoxyProxy* extension
  * Create a proxy profile on *FoxyProxy* specifying *IP* as *127.0.0.1* and *PORT* as *8080*
  * Select the profile on the extension
  * Then go to the *Burp Suite* proxy tab and set intercept to *on*
* **For configuring HTTPS Proxy:**
  * Activate the proxy and go to *<http://burp/cert>* in the browser
  * Download the *cacert.der* file
  * Go to *about:preferences* on the browser
  * Search *Certificates* and select *View Certificates*
  * Click on *Import* and select the *cacert.der* file
  * Tick *Trust this CA to identify websites* and save

### <mark style="color:yellow;">Utilities</mark>

* **To define a scope:**
  * Go to the target tab
  * On the left side, select the IP/Domain
  * Right-click it and select *Add to scope*
  * Then go to *proxy settings* on the proxy tab
  * Go to the *Request Interception* part and tick *And URL is in target scope*
  * Go to *proxy settings*, then to the *Response Interception* part, and tick *Intercept responses* and *Or Request was intercepted*

### <mark style="color:yellow;">Hotkeys</mark>

* ***Ctrl+R*****:** Send the request to *Repeater*
* ***Ctrl+U*****:** URL-encode selected text

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install burpsuite
```

{% endcode %}

## <mark style="color:green;">ZAP</mark>

* Proxy utility to intercept network traffic and generate attacks on websites
* Stands for Zed Attack Proxy

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install zaproxy
```

{% endcode %}

### <mark style="color:yellow;">**Features**</mark>

* **Contexts:** Delimit the scope of the scanning
* **Spider:** Crawls a website to discover the links contained in its pages
* **Active scan:** Attacks the website to get more information
* **Alerts:** Lists the vulnerabilities found on the website
* **Sites:** Shows all the spidered URLs with their requests and vulnerabilities
* **History:** Shows the requests made to target sites

### <mark style="color:yellow;">**Configuration**</mark>

* **For configuring HTTP Proxy:**
  * Install *SwitchyOmega* extension
  * Configure the server to *localhost* and the port to *8080,* and save changes
* **For configuring HTTPS Proxy:**
  * Go to *options>Network>Server Certificates* and save the certificate
  * Go to your browser settings, search for certificates, and import the downloaded certificate in the *Authorities* section (If the browser doesn't have this tab, import it in the certificates section)
  * Tick *Trust this CA to identify websites* and save

### <mark style="color:yellow;">Utilities</mark>

* Go to the *Add-ons* tab, update all installed add-ons, and from the marketplace install *Directory List 2.3, Directory List 2.3 LC, FuzzDB Files, FuzzDB Offensive, python scripting, community scripts, custom payloads, JSON view, JWT support, Viewstate*
* Go to *Options>Network>Global Exclusions* and tick *Site - Google Chrome extension updates* and *Site - Google Analytics*. Then go to *Add* and create a new entry with the expression `^https?://.*\.brave\.com.*$` and another with the expression `^https?://.*\.gstatic\.com.*$`
* Go to *Options>HUD* and untick *Enable when using the ZAP desktop* and *Welcome screen when a browser is opened*
* Right-click requests and go to *Save Raw>Request>All* or *Save Raw>Response>All* to save them for later use

### <mark style="color:yellow;">Usage</mark>

* For fuzzing:
  * Select a part of the request, right-click it, and select *Fuzz*
  * Select the *Payloads* button, and select the dictionary file or enter custom words
  * In the *Fuzz>Message Processors* tab, add a new one of type *Tag Creator* and set it to categorize responses with specific content
* To handle user tokens, go to *Options>Anti-CSRF Tokens* and add the token's parameter name to the request
* For enumeration, we can use automatic tools like external fuzzers and redirect the requests to *ZAP*, use the *Spider* option, use the *AJAX Spider* option in the context we have defined, and even complement with manual enumeration
* Configure attacks of specific types for the *Active Scan* option. Right-click a request and go to *Attack>Active Scan>Scope*, tick *Show Advanced Options*, then go to the *Policy* tab and set the desired options
* Double-click a context and go to the *Authentication* tab to configure how the session's credentials are handled
* Generate interactive reports via *Report>Generate Report* on the options bar

### <mark style="color:yellow;">Tips</mark>

* Configure *Global Alert Filters* and *Passive Scan Rules* on *Options* to disable an alert or set its severity for a given vulnerability
* From the *History* tab, you can right-click and select *Open/Resend with Request Editor* to modify a request made before and send it again
* In *Options>Anti-CSRF cert token*, add the tokens detected in form POST requests
* When tokens are not handled consistently, reduce the threads to 1 in the *Fuzz>Options* tab
* When getting *304* responses, go to *Fuzz>Options* and tick *Follow Redirects*
* For SQLi via the *Fuzz* option, we can use the *FuzzDB* payload files
* Export requests in *raw* format to use them in other tools, for example, in SQLmap for SQLi
* Try intercepting requests with the *Set Break* option (the green circle button on the options bar) to analyze and modify the content before it reaches the destination endpoint

## <mark style="color:green;">Hacktools</mark>

* Browser extension that helps us with scripts, commands, and tips for web attacks
* <https://addons.mozilla.org/en-US/firefox/addon/hacktools/>

## <mark style="color:green;">FoxyProxy</mark>

* A browser extension that helps us to create proxies, usually for request-response analysis
* <https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/>

## <mark style="color:green;">Proxy SwitchyOmega</mark>

* Browser extension that helps us to create proxies, similar to FoxyProxy but for Chrome-based browsers
* <https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif?hl=en>

## <mark style="color:green;">Wappalyzer</mark>

* A browser extension that shows information about the websites we visit, including the domain name and the identified technologies
* <https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/>

## <mark style="color:green;">Daniel Miessler Wordlists</mark>

* Well-known wordlists for almost every process of fuzzing or brute-forcing
* <https://github.com/danielmiessler/SecLists>

## <mark style="color:green;">Gobuster</mark>

* A directory and file brute-forcing tool used to find hidden files, directories, and subdomains on websites
* It operates by sending HTTP requests based on a wordlist and identifying resources that are not publicly linked but still accessible

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install gobuster
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
gobuster dir -u $url -w $wordlist #Directory and file mode (a mode and a wordlist are always required)
gobuster dns -d $domain -w $wordlist #DNS subdomain enumeration (takes a domain, not a URL)
gobuster vhost -u $url -w $wordlist #Virtual host mode
gobuster vhost -u $url -w $wordlist --append-domain #Append the base domain to each wordlist entry (word.domain)
```

{% endcode %}

{% hint style="warning" %}
Remember that when using the `vhost` mode, the target domain has to resolve to the host's IP (for example, through an entry in */etc/hosts*)
{% endhint %}
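The request pattern described above (many wordlist-driven requests, most of them answered with 404) is also what a defender looks for in access logs. The detector below is an added example, not part of this page or of gobuster; it assumes Apache combined-format log lines and runs over a constructed sample:

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" access-log layout is assumed for the constructed sample below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), m.group("path"), int(m.group("status"))

def find_bruteforce_clients(lines, window_s=60, min_404=5):
    """Flag clients with >= min_404 404s for distinct paths inside any window_s-second window.
    A wordlist scan produces many 404s for unlinked paths; a normal visitor hits one or two."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[3] == 404:
            hits[parsed[0]].append((parsed[1], parsed[2]))
    flagged = {}
    for ip, events in hits.items():
        events.sort()  # sliding window over time-ordered (timestamp, path) pairs
        best = start = 0
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            best = max(best, len({p for _, p in events[start:end + 1]}))
        if best >= min_404:
            flagged[ip] = best
    return flagged

# Constructed sample: 203.0.113.5 walks a wordlist, 198.51.100.7 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /config HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:12:00:02 +0000] "GET /uploads HTTP/1.1" 403 199 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /old HTTP/1.1" 404 196 "-" "gobuster/3.6"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.6"
198.51.100.7 - - [10/Mar/2024:12:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:12:00:09 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
""".splitlines()
```

`find_bruteforce_clients(SAMPLE_LOG)` flags only the scanner; tune `window_s` and `min_404` to the site's normal 404 rate before alerting on it.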

## <mark style="color:green;">ffuf</mark>

* Flexible and fast web fuzzing tool used for brute-forcing directories, files, subdomains, and more

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install ffuf
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
ffuf -u $URL/FUZZ -w $wordlist #FUZZ marks the position to be fuzzed
ffuf -u $URL/FUZZ -w $wordlist -o $filename #Write the output to a file
```

{% endcode %}

{% hint style="info" %}
**Note:** Optional keywords can be added after `$wordlist`, separated by `,`
{% endhint %}

## <mark style="color:green;">dirb</mark>

* Web content scanner that automates the task of discovering hidden directories and files on a web server by brute-forcing URL paths using a wordlist

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install dirb
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
dirb $URL #Scan URL
dirb $URL $wordlist #Use wordlist
dirb $URL $wordlist -w #Don't stop on warning messages
dirb $URL $wordlist -u $username:$password #Use HTTP authentication
dirb $URL $wordlist -E $certificate #Use a client certificate file
```

{% endcode %}

## <mark style="color:green;">Nikto</mark>

* A web server scanner that checks websites for known vulnerabilities and misconfigurations

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install nikto
```

{% endcode %}

***

* Usage

{% code overflow="wrap" lineNumbers="true" %}

```bash
nikto -h $host        #Scan a website
nikto -h $host -ssl   #Scan a website using HTTPS
nikto -h $IPtxtFile   #Scan all hosts listed in a text file
nikto -h $host -o $outFile    #Output results to a file
nikto -h $host -o $outFile -Format $format #Indicate format of the output
nikto -h $host -Tuning b #Just run fingerprinting modules
```

{% endcode %}

## <mark style="color:green;">Payload Box</mark>

* GitHub repository with payloads for different web application attacks
* <https://github.com/payloadbox>

## <mark style="color:green;">Feroxbuster</mark>

* A directory and file brute-forcing tool (fuzzer) written in *Rust*

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install feroxbuster
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
feroxbuster -u $url #Scan URL
feroxbuster -u $url -w $wordlist #Specify wordlist path
feroxbuster -u $url -t $threads #Specify number of concurrent threads
feroxbuster -u $url -L $limit #Limit number of concurrent scans
feroxbuster -u $url -o $outFile #Specify file for output
feroxbuster -u $url -x $extension #Specify extension of files
feroxbuster -u $url -n #Don't scan folders or endpoints recursively
```

{% endcode %}

## <mark style="color:green;">Git-Dumper</mark>

* A tool to download an exposed *.git* directory from a web server and reconstruct the repository locally
* <https://github.com/arthaud/git-dumper>

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
git clone https://github.com/arthaud/git-dumper
cd git-dumper
pip install -r requirements.txt
python git_dumper.py http://$target/.git/ ./repo
```

{% endcode %}

## <mark style="color:green;">GitSniff</mark>

* A tool to fuzz *GitHub* repositories in search of hidden, deleted, or private forks
* <https://github.com/NotReallyJustin/GitSniff>

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
git clone https://github.com/NotReallyJustin/GitSniff
cd GitSniff
pip install requests
pip install tqdm
```

{% endcode %}

***

* Usage

{% code overflow="wrap" lineNumbers="true" %}

```bash
python ./gitsniff.py -u $repositoryURL
```

{% endcode %}

## <mark style="color:green;">Security Headers</mark>

* A web service that analyzes the HTTP response headers of any website and gives it a grade based on its security posture
* <https://securityheaders.com>
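As an added example that is not the service's own code, the check below applies the same idea offline to a dict of response headers (as captured in a proxy such as Burp or ZAP); the accepted values, thresholds and letter grading are this example's assumptions, not securityheaders.com's published rules:

```python
# Headers the service reports on; each maps to a predicate that accepts a strong value.
# Thresholds and the letter grading below are assumptions of this example.
def _hsts_ok(value):
    # Require a max-age of at least one year.
    for part in value.split(";"):
        part = part.strip().lower()
        if part.startswith("max-age="):
            return part[8:].isdigit() and int(part[8:]) >= 31536000
    return False

def _csp_ok(value):
    # Reject policies that allow inline scripts or scripts from any origin.
    low = value.lower()
    return "'unsafe-inline'" not in low and "script-src *" not in low

CHECKS = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _csp_ok,
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: v.strip().lower() in
        ("no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"),
    "permissions-policy": lambda v: bool(v.strip()),
}
# Headers that disclose the server stack and should be removed rather than tuned.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")

def assess(headers):
    """Return (grade, findings) for a {header-name: value} dict; names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, ok in CHECKS.items():
        if name not in h:
            findings.append(f"missing {name}")
        elif not ok(h[name]):
            findings.append(f"weak {name}: {h[name]}")
    for name in LEAKY:
        if name in h:
            findings.append(f"remove {name}: {h[name]}")
    problems = sum(1 for f in findings if not f.startswith("remove"))
    return "ABCDEF"[min(problems, 5)], findings

# Constructed sample responses: one hardened, one typical default install.
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; script-src 'self'",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Referrer-Policy": "strict-origin-when-cross-origin",
            "Permissions-Policy": "camera=(), microphone=()"}
WEAK = {"Server": "Apache/2.4.41", "X-Powered-By": "PHP/7.4",
        "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}
```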
