These are my list of useful pentesting and CTF tools, broken down by category.
- Analyzing Disk Images (
Autopsy
,Sleuthkit
)- Description: Autopsy is the GUI implementation of Sleuthkit, both of which are used for analyzing disk images and recovering files from them
- Installation: sudo apt-get install autopsy sleuthkit
AbuseIPDB
andCisco Talos Intelligence
- Link: https://www.abuseipdb.com/ and https://www.talosintelligence.com/
- Description: These are open-source databases that report information about suspicious and malicious threat actors. Allow lookup by IP.
- Framework stack (
Wappalyzer
)- Description: Is a website and browser extension that provides information about the framework stack, CMS, payment processors, etc. a website is using
- Link: https://www.wappalyzer.com/
- Directory Busting (
ffuf
,dirb
andgobuster
)- Description: For finding directories, paths, and content on a website. Note: These tools are often paired with wordlists like SecLists.
- Installation:
sudo apt install ffuf dirb gobuster
-
- DNS Enumeration (
dnsrecon
,Sublist3r
) - Description: In addition to directory busting, we can also use tools to automate the DNS search for discovering the subdomains of a website.
- Link: https://github.com/darkoperator/dnsrecon and https://github.com/aboul3la/Sublist3r
- Example:
dnsrecon -t brt -d acmeitsupport.thm
to do brute force domains and hosts using a given dictionary.
- DNS Enumeration (
- Subdomain Enumeration - Virtual Hosts (
ffuf
)- Description: Often times a subdomain won't have a DNS entry for it in a large public DNS server, and instead it's on a private DNS server or is resolved dynamically by the web server of the service by looking at the
HOST
header in the HTTP request. As a result, we can useffuf
to alter this header to see if we get a different result - Example:
ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/namelist.txt -H "Host: FUZZ.acmeitsupport.thm" -u http://10.10.100.147 -fs {size}
- The
FUZZ
parameter denotes the variable to be dynamically changed using the wordlist.
- The
- Description: Often times a subdomain won't have a DNS entry for it in a large public DNS server, and instead it's on a private DNS server or is resolved dynamically by the web server of the service by looking at the
- Certificate Transparency (CT) logs
- Description: CA has publicly accessible logs for certificates they issue. These can provide information about subdomains that exists on a website.
- Link:
http://crt.sh/
andhttps://ui.ctsearch.entrust.com/ui/ctsearchui
SecLists
- Often you want wordlists for password cracking, fuzzy payloads, directory busting, etc. SecLists provide a wide-encompassing directory of these lists
- Link: https://github.com/danielmiessler/SecLists
- Note: Locally I have these installed at
/usr/share/wordlists/SecLists
- Comprehensive OSINT Tools List
- Google Dorking
- Link: https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06 and https://www.exploit-db.com/google-hacking-database
- Description: By adding specific operators to our Google Search, we can more easily uncover information about specific person or organization
- Reverse Image Search
- Link: https://pimeyes.com/ and https://images.google.com/
- Description: PinEyes use AI facial recognition to find photos of a person across the web. Google Images also provide reverse image searching for pictures with well-known locations.
- Username Search
- Link: https://epieos.com and https://checkusernames.com
- Description: Given an email, Epieos can look for accounts on commonly used social media websites associated with that email. In addition, checkusernames crawl across many social media page to check if a username is in use there.
- Social Media Activity:
- Link: https://www.social-searcher.com
- Description: Social Searcher performs Google searches to find activity and posts relevant to a given username or name.