# Tools and Utilities

Here we can find some tools and utilities commonly used for practices related to web exploitation:

## <mark style="color:green;">Burp Suite</mark>

* A platform that bundles tools specialized for web penetration testing
* It is a framework written in Java that aims to be a one-stop shop for web application penetration testing
* Captures and lets us manipulate all of the traffic between the attacker's browser and a web server
* Can intercept, view, and modify requests and responses
* Burp Suite supports additional modules (extensions) that can be added

### <mark style="color:yellow;">**Features**</mark>

* **Proxy:** Allows us to intercept and modify requests/responses
* **Repeater:** Allows us to capture, modify, and then resend the same request numerous times. We can also craft requests by hand
* **Intruder:** Allows us to spray an endpoint with requests
* **Decoder:** Allows us to transform data, decode captured information, or encode a payload
* **Comparer:** Allows us to compare two pieces of data at either the word or byte level
* **Sequencer:** Helps us assess the randomness of session tokens or other generated data

### <mark style="color:yellow;">Configuration</mark>

* **For configuring HTTP Proxy:**
  * We require the *FoxyProxy* extension
  * Create a proxy profile on *FoxyProxy* specifying *IP* as *127.0.0.1* and *PORT* as *8080*
  * Select the profile on the extension
  * Then go to the *Burp Suite* proxy tab and set intercept to *on*
* **For configuring HTTPS Proxy:**
  * Activate the proxy and go to *<http://burp/cert>* in the browser
  * Download the *cacert.der* file
  * Go to *about:preferences* on the browser
  * Search *Certificates* and select *View Certificates*
  * Click on *Import* and select the *cacert.der* file
  * Mark *Trust this CA to identify websites* and save all

### <mark style="color:yellow;">Utilities</mark>

* **To define a scope:**
  * Go to the target tab
  * On the left side, select the IP/Domain
  * Right-click it and select *Add to scope*
  * Then go to *proxy settings* on the proxy tab
  * Go to the *Request Interception* part and mark *And URL is in target scope*
  * Go to *proxy settings*, then to the *Response Interception* part, and mark *Intercept responses* and *Or Request was intercepted*

### <mark style="color:yellow;">Hotkeys</mark>

* **Ctrl+R:** Send the request to *Repeater*
* **Ctrl+U:** URL-encode selected text

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install burpsuite
```

{% endcode %}

## <mark style="color:green;">ZAP</mark>

* Proxy utility to intercept network traffic and generate attacks on websites
* Stands for Zed Attack Proxy

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install zaproxy
```

{% endcode %}

### <mark style="color:yellow;">**Features**</mark>

* **Contexts:** Delimit the scope of the scanning
* **Spider:** Crawls a website to collect the links found in its pages
* **Active scan:** Attacks the website to get more information
* **Alerts:** Lists the vulnerabilities found on the website
* **Sites:** Shows all the URLs spidered with their requests and vulnerabilities
* **History:** Shows the requests made to target sites

### <mark style="color:yellow;">**Configuration**</mark>

* **For configuring HTTP Proxy:**
  * Install *SwitchyOmega* extension
  * Configure the server to *localhost* and the port to *8080,* and save changes
* **For configuring HTTPS Proxy:**
  * Go to *Options>Network>Server Certificates* and save the certificate
  * Go to your browser settings, search for certificates, and import the downloaded certificate in the *Authorities* section (if the browser doesn't have this tab, import it in the certificates section)
  * Mark *Trust this CA to identify websites* and save all

### <mark style="color:yellow;">Utilities</mark>

* Go to the *Add-ons* tab, update all installed add-ons, and from the marketplace install *Directory List 2.3, Directory List 2.3 LC, FuzzDB Files, FuzzDB Offensive, Python Scripting, Community Scripts, Custom Payloads, JSON View, JWT Support, Viewstate*
* Go to *Options>Network>Global Exclusions* and mark *Site - Google Chrome extension updates* and *Site - Google Analytics*. Then go to *Add* and create a new entry with the expression `^https?://.*\.brave\.com.*$` and another with the expression `^https?://.*\.gstatic\.com.*$`
* Go to *Options>HUD* and unmark *Enable when using the ZAP desktop* and *welcome screen when a browser is opened*
* Right-click requests and go to *Save Raw>Request>All* or *Save Raw>Response>All* to save them for later use

### <mark style="color:yellow;">Usage</mark>

* For fuzzing:
  * Select a part of the request, right-click it, and select *Fuzz*
  * Select the *Payloads* button, and select the dictionary file or enter custom words
  * In the *Fuzz>Message Processors* tab, add a new one of type *Tag Creator* and set it to categorize responses with specific content
* To handle user tokens, go to *Options>Anti-CSRF Tokens* and add the name of the token parameter used in the request
* For enumeration, we can use automatic tools like external fuzzers and redirect their requests through *ZAP*, use the *Spider* option, use the *AJAX Spider* option in the context we have defined, and even complement this with manual enumeration
* To configure attacks of specific types for the *Active Scan* option, right-click a request, go to *Attack>Active Scan>Scope*, mark *Show Advanced Options*, then go to the *Policy* tab and set the desired options
* Double-click a context and go to the *Authentication* tab to specify how the session's credentials are handled
* Generate interactive reports via *Report>Generate Report* on the options bar

### <mark style="color:yellow;">Tips</mark>

* Configure *Global Alert Filters* and *Passive Scan Rules* on *Options* to deactivate an alert or set your own risk level for a vulnerability
* From the *History* tab, you can right-click and select *Open/Resend with Request Editor* to modify a request made earlier and send it again
* In *Options>Anti-CSRF Tokens*, add the tokens detected in POST requests sent by forms
* When token handling is inconsistent, reduce the threads to 1 in the *Fuzz>Options* tab
* When getting *304* responses, go to *Fuzz>Options* and mark *Follow Redirects*
* For doing SQLi via the *Fuzz* option, we can use the *FuzzDB* payload files
* Export requests in *raw* format to use them in other tools, for example in SQLmap for SQLi
* Try intercepting requests with the *Set Break* option (the green circle button on the options bar) to analyze and modify the content before it reaches the destination endpoint

## <mark style="color:green;">Hacktools</mark>

* Browser extension that helps us with scripts, commands, and tips for web attacks
* <https://addons.mozilla.org/en-US/firefox/addon/hacktools/>

## <mark style="color:green;">FoxyProxy</mark>

* A browser extension that helps us to create proxies, usually for request-response analysis
* <https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/>

## <mark style="color:green;">Proxy SwitchyOmega</mark>

* Browser extension that helps us to create proxies, similar to FoxyProxy but for Chrome-based browsers
* <https://chromewebstore.google.com/detail/proxy-switchyomega/padekgcemlokbadohgkifijomclgjgif?hl=en>

## <mark style="color:green;">Wappalyzer</mark>

* A browser extension that gives us anonymous information about websites visited, including domain name and identified technologies.
* <https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/>

## <mark style="color:green;">Daniel Miessler Wordlists</mark>

* Well-known wordlists for almost every process of fuzzing or brute-forcing
* <https://github.com/danielmiessler/SecLists>

## <mark style="color:green;">Gobuster</mark>

* A directory and file brute-forcing tool used to find hidden files, directories, and subdomains on websites
* It operates by sending HTTP requests based on a wordlist and identifying resources that are not publicly linked but still accessible

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install gobuster
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
gobuster dir -u $URL -w $wordlist #Directory and file mode (gobuster 3.x requires a mode and a wordlist)
gobuster dns -d $domain -w $wordlist #DNS subdomain enumeration (takes a domain, not a URL)
gobuster vhost -u $URL -w $wordlist #Virtual host mode
gobuster vhost -u $URL -w $wordlist --append-domain #Append the base domain to each wordlist entry (word.example.com)
```

{% endcode %}

{% hint style="warning" %}
Remember that when using the `vhost` mode, the target domain must resolve to the server's IP (for example through an entry in `/etc/hosts`)
{% endhint %}

## <mark style="color:green;">ffuf</mark>

* Flexible and fast web fuzzing tool used for brute-forcing directories, files, subdomains, and more

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install ffuf
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
ffuf -u $URL/FUZZ -w $wordlist #FUZZ marks the position to be fuzzed
ffuf -u $URL/FUZZ -w $wordlist -o $filename #Write the output to a file
```

{% endcode %}

{% hint style="info" %}
**Note:** An optional keyword can be attached to a wordlist with `:` (for example `-w $wordlist:KEYWORD`), and several wordlists can be given in one `-w` separated by `,`
{% endhint %}

## <mark style="color:green;">dirb</mark>

* Web content scanner that automates the task of discovering hidden directories and files on a web server by brute-forcing URL paths using a wordlist

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install dirb
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
dirb $URL #Scan URL
dirb $URL $wordlist #Use wordlist
dirb $URL $wordlist -w #Don't stop on warning messages
dirb $URL $wordlist -u $username:$password #Use HTTP basic auth credentials
dirb $URL $wordlist -E $certificate #Use a client certificate file
```

{% endcode %}

## <mark style="color:green;">Nikto</mark>

* A tool for scanning vulnerabilities of websites

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install nikto
```

{% endcode %}

***

* Usage

{% code overflow="wrap" lineNumbers="true" %}

```bash
nikto -h $host        #Scan a website
nikto -h $host -ssl   #Scan a website using HTTPS
nikto -h $hostsFile   #Scan all hosts listed in a text file (one per line)
nikto -h $host -o $outFile    #Output results to a file
nikto -h $host -o $outFile -Format $format #Indicate format of the output
nikto -h $host -Tuning b #Only run the software identification checks
```

{% endcode %}

## <mark style="color:green;">Payload Box</mark>

* GitHub repository with payloads for different web application attacks
* <https://github.com/payloadbox>

## <mark style="color:green;">Feroxbuster</mark>

* A directory and file brute-forcing tool (fuzzer) written in *Rust*

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
sudo apt install feroxbuster
```

{% endcode %}

***

* Scan

{% code overflow="wrap" lineNumbers="true" %}

```bash
feroxbuster -u $URL #Scan URL
feroxbuster -u $URL -w $wordlist #Specify wordlist path
feroxbuster -u $URL -t $threads #Specify number of concurrent threads
feroxbuster -u $URL -L $scans #Limit number of concurrent scans (directories scanned in parallel)
feroxbuster -u $URL -o $outFile #Specify file for output
feroxbuster -u $URL -x $extension #Specify extension of files
feroxbuster -u $URL -n #Don't scan folders or endpoints recursively
```

{% endcode %}
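Gobuster, ffuf, dirb and Feroxbuster all look the same from the server's side: a single client sends a burst of requests for wordlist paths, and most of them come back as 404. The following is an added example, not code from the original page or from any of those projects, showing how a defender can pick that pattern out of a web server access log. It parses combined-format log lines and alerts on any client that exceeds a threshold of 404 responses inside a sliding time window; the log lines, client IPs (documentation ranges), user-agent string, window and threshold are all constructed for the example.

```python
"""Detect wordlist-driven content discovery (gobuster/ffuf/dirb/feroxbuster style)
in web server access logs by counting 404 responses per client in a sliding window."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(lines, window=timedelta(seconds=10), threshold=5):
    """Return {client_ip: time_of_first_alert} for every client that produced at least
    `threshold` 404 responses within any `window`-long span of the log."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent 404s, oldest first
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 404:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop 404s that fell out of the window.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerts:
            alerts[rec["ip"]] = rec["ts"]
    return alerts


def _log(ip, ts, path, status, ua):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 153 "-" "{ua}"'


# Constructed sample: one ordinary visitor with a single broken link, and one client
# walking a small wordlist against paths that do not exist.
SAMPLE_LOG = [
    _log("198.51.100.7", "10/Oct/2024:13:55:36 +0000", "/", 200, "Mozilla/5.0"),
    _log("198.51.100.7", "10/Oct/2024:13:55:38 +0000", "/old-page", 404, "Mozilla/5.0"),
] + [
    _log("203.0.113.5", f"10/Oct/2024:13:56:{sec:02d} +0000", f"/{word}", 404, "gobuster/3.6")
    for sec, word in enumerate(["admin", "backup", "config", "db", "old", "test", "uploads"])
]

if __name__ == "__main__":
    for ip, first_seen in detect_bruteforce(SAMPLE_LOG).items():
        print(f"content discovery suspected from {ip}, first exceeded threshold at {first_seen}")
```

With the defaults, the ordinary visitor's one 404 stays below the threshold while the wordlist client is flagged on its fifth miss; lower the threshold or widen the window to trade false positives for earlier detection, and pair the count with the user-agent field, since the stock tools announce themselves unless the operator overrides it.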

## <mark style="color:green;">Git-Dumper</mark>

* A tool to fetch the files and reconstruct a Git repository locally
* <https://github.com/arthaud/git-dumper>

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
git clone https://github.com/arthaud/git-dumper
cd git-dumper
pip install -r requirements.txt
python git_dumper.py http://$target/.git/ ./repo
```

{% endcode %}

## <mark style="color:green;">GitSniff</mark>

* A tool to fuzz *GitHub* repositories in search of hidden, deleted, or private forks
* <https://github.com/NotReallyJustin/GitSniff>

### <mark style="color:yellow;">Commands</mark>

* Installation

{% code overflow="wrap" lineNumbers="true" %}

```bash
git clone https://github.com/NotReallyJustin/GitSniff
cd GitSniff
pip install requests tqdm
```

{% endcode %}

***

* Usage

{% code overflow="wrap" lineNumbers="true" %}

```bash
python ./gitsniff.py -u $repositoryURL
```

{% endcode %}

## <mark style="color:green;">Security Headers</mark>

* A web service that analyzes the HTTP response headers of any website and gives it a grade based on its security posture
* <https://securityheaders.com>
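A check of this kind can also be run locally against headers you already have. The following is an added example, not the code behind securityheaders.com and not part of the original page: it takes a mapping of response headers, scores the common hardening headers, reports missing or weak values with remediation advice, and flags version-disclosing headers. The grading scale is this example's own convention, not the service's real algorithm, and the two header sets are constructed samples rather than captures from any real site; `fetch_headers` is a hypothetical helper for pulling live headers with the standard library.

```python
"""Grade HTTP response headers for hardening, in the spirit of a securityheaders.com check."""
import urllib.request

# (header name, predicate that the value is acceptable, remediation advice)
CHECKS = [
    ("strict-transport-security", lambda v: "max-age=" in v.lower(),
     "send HSTS with a long max-age so browsers refuse plain HTTP"),
    ("content-security-policy", lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
     "send a CSP that at least restricts script sources"),
    ("x-content-type-options", lambda v: v.strip().lower() == "nosniff",
     "send 'nosniff' to stop MIME-type sniffing"),
    ("x-frame-options", lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
     "send DENY or SAMEORIGIN (or frame-ancestors in CSP) against clickjacking"),
    ("referrer-policy", lambda v: bool(v.strip()),
     "set a referrer policy so URLs are not leaked to third parties"),
    ("permissions-policy", lambda v: bool(v.strip()),
     "restrict powerful browser features the site does not use"),
]
# Headers whose values commonly disclose software versions and help fingerprinting.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def grade_headers(headers):
    """Return (grade, findings) for a {name: value} mapping of response headers.
    Grade convention (this example's own): 6/6 checks -> A, 5 -> B, ... 1 or 0 -> F."""
    h = {k.lower(): v for k, v in headers.items()}
    findings, score = [], 0
    for name, acceptable, advice in CHECKS:
        if name not in h:
            findings.append(f"{name}: missing; {advice}")
        elif acceptable(h[name]):
            score += 1
        else:
            findings.append(f"{name}: weak value {h[name]!r}; {advice}")
    for name in LEAKY:
        # A digit in the value is a cheap sign that a version number is exposed.
        if name in h and any(ch.isdigit() for ch in h[name]):
            findings.append(f"{name}: discloses version {h[name]!r}; remove or genericise it")
    grade = "FFEDCBA"[score]
    return grade, findings


def fetch_headers(url, timeout=10):
    """Hypothetical helper: fetch live response headers for a URL (needs network access;
    not used by the offline samples below)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed samples, not captured from any real site.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
    "X-Frame-Options": "ALLOWALL",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Type": "text/html; charset=UTF-8",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        grade, findings = grade_headers(hdrs)
        print(f"{label}: grade {grade}")
        for f in findings:
            print("  -", f)
```

The weak sample fails every check and additionally leaks the Apache and PHP versions, so it grades F with eight findings; the hardened sample passes all six checks with no findings. Header names are compared case-insensitively because HTTP header names are, and `X-Frame-Options: ALLOWALL` is treated as weak rather than as present, which is the distinction a plain "is the header there" check would miss.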
