Networks

Nmap

Nmap (“Network Mapper”) is a free and open source utility for network discovery, scanning and security auditing.

Nmap help. (--help)

nmap --help

Host discovery only. (-sn)

nmap -sn example.com

Port scan all ports. (-p-)

nmap -p- example.com

Scan in verbose mode (-v), enable OS detection, version detection, script scanning and traceroute (-A), with explicit version detection (-sV) and all ports (-p-) against the target.

nmap -v -A -sV -p- example.com

A more extensive list of Nmap commands can be found here:

https://tools.kali.org/information-gathering/nmap

Assets

Enum4Linux

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

Enum4linux help. (-h)

enum4linux -h

Enum4Linux full scan. (Enumerates everything)

enum4linux example.com

Enum4Linux scan for userlist (-U) and OS information (-o).

enum4linux -U -o example.com

A more extensive list of Enum4Linux commands can be found here:

https://tools.kali.org/information-gathering/enum4linux

Web Apps

WhatWeb

WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”. WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1700 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.

Whatweb help. (-h)

whatweb -h

Whatweb scanning in verbose mode (-v) using max aggression (-a 4).

whatweb -v -a 4 example.com

A more extensive list of WhatWeb commands can be found here:

https://tools.kali.org/web-applications/whatweb

Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto help. (-H)

nikto -H

Webserver scan. (-h)

nikto -h example.com

Webserver scan on specific port. (-p)

nikto -h example.com -p 8080

Webserver scan to include /cgi directories. (-C all)

nikto -h example.com -C all

A more extensive list of Nikto commands can be found here:

https://tools.kali.org/information-gathering/nikto

Dirb

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It works by launching a dictionary-based attack against a web server and analysing the responses.
DIRB comes with a set of preconfigured attack wordlists for easy usage, but you can also use your own custom wordlists. DIRB can sometimes be used as a classic CGI scanner, but remember that it is a content scanner, not a vulnerability scanner.

Dirb help.

dirb

Webserver directory buster.

dirb http://example.com

Webserver directory buster on a specific port. (:)

dirb http://example.com:8080

Webserver directory buster, non-recursively. (-r disables recursion)

dirb http://example.com -r

A more extensive list of Dirb commands can be found here:

https://tools.kali.org/web-applications/dirb

Gobuster

Gobuster is a tool used to brute-force URIs, DNS, Virtual Host names and Open Amazon S3 buckets.

Gobuster help.

gobuster -h

Gobuster directory/file bruteforcing mode.

gobuster dir -u http://example.com -w /usr/share/wordlists/dirb/common.txt

Gobuster VHOST bruteforcing mode.

gobuster vhost -u http://example.com -w /usr/share/wordlists/dirb/common.txt

Gobuster DNS bruteforcing mode.

gobuster dns -d example.com -w /usr/share/wordlists/dirb/common.txt

A more extensive list of Gobuster commands can be found here:

https://github.com/OJ/gobuster

WPScan

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

WPScan help. (--help)

wpscan --help

Wordpress scan to enumerate all users. (-e u)

wpscan --url http://example.com -e u

Wordpress scan to enumerate all plugins. (-e ap)

wpscan --url http://example.com -e ap

Wordpress scan to enumerate all themes. (-e at)

wpscan --url http://example.com -e at

A more extensive list of WPscan commands can be found here:

https://tools.kali.org/web-applications/wpscan

SQLMap

SQLMap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

SQLmap full help list. (-hh)

sqlmap -hh

Specify the target URL. (-u)

sqlmap -u "http://example.com"

List all databases on the site. (--dbs)

sqlmap -u "http://example.com" --dbs

Enumerate all users in the database. (--users)

sqlmap -u "http://example.com" --users

Enumerate all password hashes in the database. (--passwords)

sqlmap -u "http://example.com" --passwords

Dump DBMS database table entries. (--dump)

sqlmap -u "http://example.com" --dump

Dump all DBMS database table entries. (--dump-all)

sqlmap -u "http://example.com" --dump-all

Read a file from the back-end DBMS file system and save locally. (--file-read --output-dir)

sqlmap -u "http://example.com/exploitpath.php?id=1" --file-read=/var/www/html/administration/targetfile.php --output-dir=/home/kali

Then cat the saved file from the output directory.

A more extensive list of SQLmap commands can be found here:

https://tools.kali.org/vulnerability-analysis/sqlmap

Wfuzz

Wfuzz is a tool designed for bruteforcing Web Applications. It can be used for finding resources that are not linked (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters to check for different kinds of injection (SQL, XSS, LDAP, etc.), bruteforcing form parameters (user/password), fuzzing, and more.

Wfuzz full help list. (--help)

wfuzz --help

Use colour output (-c), a wordlist as a payload (-z file,/usr/share/wfuzz/wordlist/general/common.txt), and hide responses with HTTP code 404 (--hc 404) to fuzz the given URL (http://example.com/FUZZ).

wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://example.com/FUZZ

Note: you must add /FUZZ to the end of your target URL, as the marker for the position the payloads are inserted at, in order for the fuzzing to run.

A more extensive list of Wfuzz commands can be found here:

https://tools.kali.org/web-applications/wfuzz

DNS

DNSRecon

DNSRecon is a powerful DNS enumeration script.

Dnsrecon help. (-h)

dnsrecon -h

Basic domain enumeration. (-d) Must be a domain name, not an IP.

dnsrecon -d example.com

A more extensive list of dnsrecon commands can be found here:

https://tools.kali.org/information-gathering/dnsrecon

DNSEnum

Dnsenum is a multithreaded Perl script to enumerate DNS information of a domain and to discover non-contiguous IP blocks.

Dnsenum help. (-h)

dnsenum -h

Basic domain enumeration. Must be a domain name, not an IP.

dnsenum example.com

A more extensive list of dnsenum commands can be found here:

https://tools.kali.org/information-gathering/dnsenum

Dig

Dig is a network administration command-line tool for querying the Domain Name System (DNS).

Dig help. (-h)

dig -h

Basic domain enumeration, querying all record types (any). Must be a domain name, not an IP.

dig example.com any

A more extensive list of Dig commands can be found here:

https://en.wikipedia.org/wiki/Dig_(command)

Hashes

Hash Identifier

Software to identify the different types of hashes used to protect data, and especially passwords.

Hash-Identifier usage.

hash-identifier

A more extensive list of hashes can be found here:

https://tools.kali.org/password-attacks/hash-identifier
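Hash-identifier classifies a hash string by its format. The following added Python example (not hash-identifier's own code) shows the same logic: self-describing modular-crypt prefixes map to one algorithm, while a bare hex digest can only be narrowed to candidates by its length, which is why MD5 and NTLM cannot be told apart by inspection alone. The sample digests are computed inline from a constructed word, and the prefix and length tables are this example's own.

```python
"""Identify the likely algorithm of a password hash from its format (added example)."""
import hashlib
import re

# Self-describing prefixes -> algorithm (modular-crypt and LDAP styles).
PREFIXES = {
    "$1$": "md5crypt",
    "$apr1$": "Apache md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$argon2i$": "Argon2i", "$argon2id$": "Argon2id",
    "$pbkdf2-sha256$": "PBKDF2-SHA256",
    "{SHA}": "LDAP SHA-1 (base64)",
}

# Unsalted hex digests carry no marker: candidates by length in hex chars.
HEX_LENGTHS = {
    32: ["MD5", "NTLM", "MD4"],
    40: ["SHA-1", "RIPEMD-160"],
    56: ["SHA-224", "SHA3-224"],
    64: ["SHA-256", "SHA3-256"],
    96: ["SHA-384", "SHA3-384"],
    128: ["SHA-512", "SHA3-512", "Whirlpool"],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def identify_hash(value):
    """Return candidate algorithm names, most likely first; [] if unknown."""
    value = value.strip()
    for prefix, name in PREFIXES.items():
        if value.startswith(prefix):
            return [name]
    # pwdump-style "LM:NT" pair: two 32-hex fields separated by a colon.
    parts = value.split(":")
    if len(parts) == 2 and all(len(p) == 32 and HEX_RE.match(p) for p in parts):
        return ["LM:NTLM pair"]
    if HEX_RE.match(value):
        return list(HEX_LENGTHS.get(len(value), []))
    return []


def is_fast_unsalted(value):
    """True for a plain digest with no salt or work factor (weak for password storage)."""
    v = value.strip()
    return HEX_RE.match(v) is not None and len(v) in HEX_LENGTHS


def sample_hashes(word="password"):
    """Constructed inputs: digests of one word under several algorithms."""
    data = word.encode()
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256", "sha512")}
```

Running identify_hash over a dumped credential store tells a defender which accounts rely on fast, unsalted digests and should be migrated to a slow, salted scheme such as bcrypt or Argon2.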

Community Scripts

Web Recon 2.0

This script will run Whatweb, Nmap, Nikto and Dirb then output all results to separate files.

Web Recon 2.0

wget https://raw.githubusercontent.com/NoDisassemble/Python-3-PenTesting/master/Web%20Recon/WebReconV2.py

Must be run as root.

python3 WebReconV2.py

Enter target: target.com or IP

Go for a walk, this will take a while.

Ping Sweep

Host discovery.

Ping Sweep

wget https://raw.githubusercontent.com/aryanguenthner/365/master/pingsweep.sh

chmod +x pingsweep.sh

./pingsweep.sh