orangepeelbeef · January 21, 2021 02:05
diff --git a/hacking_ctf_tools b/hacking_ctf_tools
 # Generic Tools:
 CyberChef
  This tool works in many categories, Encode/Decode, file detection, file carving, etc.  Very very very handy 
  https://gchq.github.io/CyberChef/
 strings
  extract all strings from a file
  ex:  strings myfile,  or  strings myfile -n 10 (get all strings with length at least 10)
 file:
  unix file command, determine file type
  ex: file Templeton_Peck.jpg 
      Templeton_Peck.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 224x280, components 3
 hex editor:
  there are a lot of good hex editors out there, and sometimes examining a file manually is enough to find the data you need
  bless is pretty good, but 010 editor knows binary file signatures so it's pretty much the best
  https://www.sweetscape.com/download/010editor/
 hexdump:
  commandline hex dumper 
  ex: hexdump -C
 xxd:
  https://www.tutorialspoint.com/unix_commands/xxd.htm

 # Image Metadata:
 exiftool
  ex: exiftool myfile
 zsteg PNG & BMP
  https://github.com/zed-0xff/zsteg

 # File Carving:
 foremost
   ex:  foremost myfile -o outputdir
 binwalk
   ex:  binwalk -e myfile

 # Password cracking:
 john the ripper
  john itself is pretty good at cracking although a bit slow, however it comes with a ton of great tools for getting hashes out of files
  (office2john, pdf2john)   
  ex: john filename
 hashcat
  hashcat is generally much faster than john because it uses GPU instead of CPU, it is a lot more complicated and has a ton of modes and rules
  hashcat can use the hashes gathered with office2john, etc
  ex cracking word 2013 document pw: 
  hashcat -a 0 -m 9600 --username office_hash.txt rockyou.txt  -O
  ex usage of rules, you can use multiple
  hashcat -a 0 -m 0 cracklist.db wordlist.txt -r /usr/share/hashcat/rules/best64.rule -O
  ex combination attack left and right wordlists (change the order if you want to try them flipped)
  hashcat -a 1 -m 0 cracklist.db biology rockyou.txt
  ex incremental mask attack (adds digits and symbols to the end of everything in wordlist)
  hashcat -a 6 -m 0 cracklist.db francais.txt -1 ?d?s ?1?1?1?1?1 -i
  ex incremental mask attack (add digits and symbols to the front of everything in wordlist)
  hashcat -a 7 -m 0 cracklist.db -1 ?d?s ?1?1?1?1?1 francais.txt -i
  
 # Wordlists for pw cracking & fuzzing:
  https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/big-list-of-naughty-strings.txt
  rockyou 
  dirb (usually /usr/share/dirb/wordlists/)
  CeWL takes a webpage and makes a wordlist out of it (seems buggy in testing, especially with unicode characters)
  wyd takes a file and makes a wordlist
  cupp gather osint data and make a wordlist, or expand an existing wordlit
  crunch make wordlists from character sets
    ex:  crunch 3 3 ABCDEFGHIJKLMNOPQRSTUVWXYZ   (all combinations of uppercase letters of length 3)

 # Ports:
 nmap 
  syn scan all tcp ports
  ex: nmap -sS -p1:65535 somehost
  scan all TCP & UDP ports
  ex: nmap -sU -sT -p- somehost
  
 # DNS tools:
 dnsrecon
  ex:  dnsrecon -d somehost
  dnsrecon bruteforce
  ex: dnsrecon -d somehost -t brt wordlist.txt  
 fierce
  ex: fierce somehost
 dnsenum

 # Web application tools:
 Proxies:
  burpsuite (usually runs on 8080)
  fiddler (runs on 8888)
  parosproxy (runs on 8080)
 Crawlers:
  gobuster
  dirbuster
  dirsearch
  dirb
 Specialized Tools
  sqlmap (look for sql injection vulns when you find a vulnerable endpoint)
  gitTools https://github.com/internetwache/GitTools (things for exposed .git dirs)
  
 # Fuzzing
  Hydra
  Wfuzz
    ex: wfuzz -z file,${WORDLIST} -b cookie=value -d "title=FUZZ&body=FUZZ" --sc 500 https://host/api/entry
    
 # Vulnerability Scanners:
  nessus
  nikto (web app vuln scanner)
  https://www.rapid7.com/info/nexpose-community/

 # Software Defined Radio/Audio signal stuff:
 fldigi
  you can get data straight from the sound card with fldigi
 gqrx
  reads from an SDR or recorded SDR files and can do a lot of things
  can also output to a network stream for piping into multimon-ng
 multimon-ng
  decoders for a ton of different signal types, morse, pocsag, etc
  very nice chained from gqrx via sox
  https://www.bastibl.net/pocsag/

 # Cryptography/Encryption/Encoding
  https://charcharbinks.com/post/ctf_crypto_for_beginners/

 # Useful Cheatsheets
  usefull commands shell/exploits https://gtfobins.github.io/
	# Generic Tools:
	CyberChef
	This tool works in many categories, Encode/Decode, file detection, file carving, etc. Very very very handy
	https://gchq.github.io/CyberChef/
	strings
	extract all strings from a file
	ex: strings myfile, or strings myfile -n 10 (get all strings with length at least 10)
	file:
	unix file command, determine file type
	ex: file Templeton_Peck.jpg
	Templeton_Peck.jpg: JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 224x280, components 3
	hex editor:
	there are a lot of good hex editors out there, and sometimes examining a file manually is enough to find the data you need
	bless is pretty good, but 010 editor knows binary file signatures so it's pretty much the best
	https://www.sweetscape.com/download/010editor/
	hexdump:
	commandline hex dumper
	ex: hexdump -C
	xxd:
	https://www.tutorialspoint.com/unix_commands/xxd.htm

	# Image Metadata:
	exiftool
	ex: exiftool myfile
	zsteg PNG & BMP
	https://github.com/zed-0xff/zsteg

	# File Carving:
	foremost
	ex: foremost myfile -o outputdir
	binwalk
	ex: binwalk -e myfile

	# Password cracking:
	john the ripper
	john itself is pretty good at cracking although a bit slow, however it comes with a ton of great tools for getting hashes out of files
	(office2john, pdf2john)
	ex: john filename
	hashcat
	hashcat is generally much faster than john because it uses GPU instead of CPU, it is a lot more complicated and has a ton of modes and rules
	hashcat can use the hashes gathered with office2john, etc
	ex cracking word 2013 document pw:
	hashcat -a 0 -m 9600 --username office_hash.txt rockyou.txt -O
	ex usage of rules, you can use multiple
	hashcat -a 0 -m 0 cracklist.db wordlist.txt -r /usr/share/hashcat/rules/best64.rule -O
	ex combination attack left and right wordlists (change the order if you want to try them flipped)
	hashcat -a 1 -m 0 cracklist.db biology rockyou.txt
	ex incremental mask attack (adds digits and symbols to the end of everything in wordlist)
	hashcat -a 6 -m 0 cracklist.db francais.txt -1 ?d?s ?1?1?1?1?1 -i
	ex incremental mask attack (add digits and symbols to the front of everything in wordlist)
	hashcat -a 7 -m 0 cracklist.db -1 ?d?s ?1?1?1?1?1 francais.txt -i

	# Wordlists for pw cracking & fuzzing:
	https://github.com/danielmiessler/SecLists/blob/master/Fuzzing/big-list-of-naughty-strings.txt
	rockyou
	dirb (usually /usr/share/dirb/wordlists/)
	CeWL takes a webpage and makes a wordlist out of it (seems buggy in testing, especially with unicode characters)
	wyd takes a file and makes a wordlist
	cupp gather osint data and make a wordlist, or expand an existing wordlit
	crunch make wordlists from character sets
	ex: crunch 3 3 ABCDEFGHIJKLMNOPQRSTUVWXYZ (all combinations of uppercase letters of length 3)

	# Ports:
	nmap
	syn scan all tcp ports
	ex: nmap -sS -p1:65535 somehost
	scan all TCP & UDP ports
	ex: nmap -sU -sT -p- somehost

	# DNS tools:
	dnsrecon
	ex: dnsrecon -d somehost
	dnsrecon bruteforce
	ex: dnsrecon -d somehost -t brt wordlist.txt
	fierce
	ex: fierce somehost
	dnsenum

	# Web application tools:
	Proxies:
	burpsuite (usually runs on 8080)
	fiddler (runs on 8888)
	parosproxy (runs on 8080)
	Crawlers:
	gobuster
	dirbuster
	dirsearch
	dirb
	Specialized Tools
	sqlmap (look for sql injection vulns when you find a vulnerable endpoint)
	gitTools https://github.com/internetwache/GitTools (things for exposed .git dirs)

	# Fuzzing
	Hydra
	Wfuzz
	ex: wfuzz -z file,${WORDLIST} -b cookie=value -d "title=FUZZ&body=FUZZ" --sc 500 https://host/api/entry

	# Vulnerability Scanners:
	nessus
	nikto (web app vuln scanner)
	https://www.rapid7.com/info/nexpose-community/

	# Software Defined Radio/Audio signal stuff:
	fldigi
	you can get data straight from the sound card with fldigi
	gqrx
	reads from an SDR or recorded SDR files and can do a lot of things
	can also output to a network stream for piping into multimon-ng
	multimon-ng
	decoders for a ton of different signal types, morse, pocsag, etc
	very nice chained from gqrx via sox
	https://www.bastibl.net/pocsag/

	# Cryptography/Encryption/Encoding
	https://charcharbinks.com/post/ctf_crypto_for_beginners/

	# Useful Cheatsheets
	usefull commands shell/exploits https://gtfobins.github.io/