This writeup assumes that you're using Kali Linux.
... (finish quick access)
On Kali distros we have a selection of wordlists in the `/usr/share/wordlists/` directory. A good general wordlist is `rockyou.txt`, which ships gzip-compressed. To extract it into a new directory called `wordlists` in your home dir, run this one-liner (`mkdir -p` makes it safe to re-run):
`mkdir -p ~/wordlists; gunzip -c /usr/share/wordlists/rockyou.txt.gz > ~/wordlists/rockyou.txt`
Now you're ready to feed `~/wordlists/rockyou.txt` to your cracking tools.
If the file isn't there, download the list here.
Audacity is an audio editor that is useful in CTF challenges that hide data in audio files. Install it with `sudo apt install audacity`, or if it's not in your repository, get it from https://www.audacityteam.org/download/linux/.
Nessus requires registration and isn't free if you want to unlock all of its abilities, but it's powerful and thus worth using. Go to https://www.tenable.com/downloads/nessus and download the package for your distribution (likely the Kali/Debian x64 .deb). Install it with `sudo dpkg -i ~/Downloads/[filename].deb`, then start the service with `sudo systemctl start nessusd.service` and head over to the web interface the installer points you to (https://localhost:8834/ by default). Pick Nessus Essentials for the free version and register to get your activation code.
Sherlock finds social media accounts by username, which might be useful for certain creative CTF challenges. Install with:
`git clone https://github.com/sherlock-project/sherlock.git; cd sherlock; python3 -m pip install -r requirements.txt`
Best practice: Use the `file` command. It reads the file's magic bytes (via libmagic) to identify what kind of file it is, regardless of the extension it was given.
Alternatives:
Best practice: Use the `hash-identifier` command, which comes preinstalled on Kali. It guesses from the hash's length and charset, so it usually lists several possible algorithms; try the most common ones first.
Alternatives:
Hidden data in images
- Aperisolve
- Online Exif
- Printout (yellow tracking dots, see below)
- Hidden bits
- pngcheck -> `apt-get install pngcheck`
- `exiftool` to check an image for EXIF data
Hidden data in PDFs
TODO
Best practice: Import the file in Audacity and switch the track to Spectrogram view (or use Analyze > Plot Spectrum); images and text hidden in the audio show up there.
Alternatives:
Best practice: Use the `strings` command.
Alternatives:
- Ghidra (GUI tool)
Many color laser printers add tracking metadata to every printout as a pattern of tiny yellow dots. These can be decoded with this table. Note: if the year reads 5, it means 2005. Also, if you can't find the dots, use a tool like Aperisolve and look at the image generated with the boosted blue tones.
Best practice: Use Sherlock with `python3 sherlock username`, run from inside the cloned sherlock directory.
Alternatives:
- Manually using google/bing/yandex/etc.
Best practice: https://crackstation.net/ (online lookup of unsalted hashes against a huge precomputed wordlist).
Alternatives:
- `hashcat` or `john` offline with `~/wordlists/rockyou.txt`
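As an added example (not a tool this page or its repository ships), the following Python script does offline what `hash-identifier` and CrackStation do together: the digest length narrows the algorithm down to a few candidates, and each candidate is then tried against every word of a wordlist such as `~/wordlists/rockyou.txt`. The wordlist is read as raw bytes because rockyou.txt is not valid UTF-8; the small `SAMPLE_WORDS` list is a constructed stand-in so the script runs without the real file. The file name `hashcrack.py` in the usage note is assumed.

```python
"""Identify an unsalted hex digest by length and run a dictionary attack.

Added example for this cheat sheet (not a tool the page ships). It does offline
what hash-identifier and CrackStation do: the digest length narrows the
algorithm, then every candidate is tried against each word of a wordlist such
as ~/wordlists/rockyou.txt.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple, Union

# Digest length in hex chars -> unsalted hashlib algorithms that produce it.
# Caveat: 32 hex chars may also be NTLM (MD4 over UTF-16LE), which hashlib
# cannot compute on many OpenSSL 3 builds; hash-identifier lists it too.
CANDIDATES = {
    32: ["md5"],
    40: ["sha1"],
    56: ["sha224"],
    64: ["sha256"],
    96: ["sha384"],
    128: ["sha512"],
}

# Constructed stand-in for rockyou.txt so the example runs offline.
SAMPLE_WORDS = ["123456", "password", "letmein", "qwerty", "iloveyou"]


def identify(digest: str) -> List[str]:
    """Return candidate algorithm names for a hex digest ([] if it is not hex)."""
    digest = digest.strip().lower()
    if not digest or any(c not in "0123456789abcdef" for c in digest):
        return []
    return CANDIDATES.get(len(digest), [])


def crack(digest: str, words: Iterable[Union[str, bytes]]) -> Optional[Tuple[str, str]]:
    """Try each candidate algorithm for `digest` against every word.

    Words may be str or raw bytes (wordlist lines); trailing newlines are
    stripped. Returns (algorithm, plaintext) on the first hit, else None.
    """
    digest = digest.strip().lower()
    algos = identify(digest)
    if not algos:
        return None
    for word in words:
        raw = word.encode("utf-8") if isinstance(word, str) else word
        raw = raw.rstrip(b"\r\n")
        for algo in algos:
            if hashlib.new(algo, raw).hexdigest() == digest:
                return algo, raw.decode("utf-8", errors="replace")
    return None


def crack_with_wordlist(digest: str, path: str) -> Optional[Tuple[str, str]]:
    """Stream a wordlist from disk in binary mode (rockyou.txt is not valid UTF-8)."""
    with open(path, "rb") as fh:
        return crack(digest, fh)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        print(crack_with_wordlist(sys.argv[1], sys.argv[2]))
    else:
        target = hashlib.sha1(b"letmein").hexdigest()
        print(identify(target), crack(target, SAMPLE_WORDS))
```

Usage against the real list: `python3 hashcrack.py <digest> ~/wordlists/rockyou.txt`. Streaming the file line by line keeps memory flat on the 14 million-line rockyou.txt; for anything larger than a quick CTF hash, hand the digest to `hashcat` or `john`, which do the same loop on the GPU.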
Best practice: Use the script provided in this repository at `/scripts/zipception.py`.
Alternatives:
- Lots of manual clicking... :)
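For the nested-zip case, here is an added Python example written for this page. It is not the repository's `/scripts/zipception.py` and assumes nothing about how that script works. Each layer is recognised by the ZIP magic bytes (the same check `file` makes in the file-identification section above) rather than by its extension, recursion is capped so a deliberately endless chain can't run away, and any member path that would land outside the output directory (a "zip slip" such as `../../.bashrc`) is rejected before anything is written. The nested archive built in `__main__` and the `build_*` helpers are constructed fixtures; the file name `unzipception.py` in the usage comment is assumed.

```python
"""Unpack a zip-inside-a-zip chain down to the real payload.

Added example for this cheat sheet; it is NOT the repository's
/scripts/zipception.py and assumes nothing about that script. Each layer is
recognised by the ZIP magic bytes (the same check `file` makes) rather than by
extension, recursion is capped, and member paths that would escape the output
directory (zip slip, e.g. ../../.bashrc) are rejected before anything is written.
"""
import io
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"   # local file header signature of a non-empty zip
MAX_DEPTH = 64              # guard against a deliberately endless chain


def is_zip(data: bytes) -> bool:
    """Sniff the magic bytes instead of trusting the filename."""
    return data[:4] == ZIP_MAGIC


def safe_target(out_dir: Path, member: str) -> Path:
    """Map an archive member name under out_dir, refusing any path that escapes."""
    root = out_dir.resolve()
    target = (root / member).resolve()
    if root not in target.parents:
        raise ValueError(f"refusing to extract outside {root}: {member!r}")
    return target


def unzipception(data: bytes, out_dir: Path, depth: int = 0) -> List[Path]:
    """Recursively unpack `data`; return the paths of every non-zip file written."""
    if depth > MAX_DEPTH:
        raise RuntimeError(f"nesting deeper than {MAX_DEPTH}; giving up")
    written: List[Path] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info)
            if is_zip(payload):
                # Another layer: descend instead of writing the inner .zip.
                written += unzipception(payload, out_dir, depth + 1)
            else:
                target = safe_target(out_dir, info.filename)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(payload)
                written.append(target)
    return written


def extract_to_tempdir(data: bytes) -> List[Path]:
    """Unpack into a fresh temporary directory and return the written paths."""
    return unzipception(data, Path(tempfile.mkdtemp(prefix="zipception-")))


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed fixture: an in-memory zip of name -> content entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_nested_zip(payload_name: str, payload: bytes, layers: int) -> bytes:
    """Constructed fixture: wrap `payload` in `layers` archives, one inside the next."""
    data, name = payload, payload_name
    for i in range(layers):
        data, name = build_zip({name: data}), f"layer{i}.zip"
    return data


if __name__ == "__main__":
    # Real use: python3 unzipception.py nested.zip ; otherwise unpack a fixture.
    if len(sys.argv) > 1:
        blob = Path(sys.argv[1]).read_bytes()
    else:
        blob = build_nested_zip("flag.txt", b"CTF{constructed-example}", 5)
    for path in extract_to_tempdir(blob):
        print(path, path.read_bytes()[:60])
```

Sniffing the magic bytes matters because challenge authors like to rename `inner.zip` to `flag.txt` or `image.png`; extension-based logic stops one layer too early. The path check is there because `zipfile` only sanitises names in its own `extract()`, and this code writes members itself.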
Best practice: Start Metasploit with `msfconsole`, then load WMAP with `load wmap`. Add the site/IP you want to attack with `wmap_sites -a http://127.0.0.1`, then add the actual web page as a target with `wmap_targets -t http://127.0.0.1/index.php`. Start the scan with `wmap_run -e`. Afterwards, `wmap_vulns -l` lists any vulnerabilities it found; follow these up with the matching Metasploit modules to attack the target.
Alternatives:
- OWASP zap (GUI tool)
- Nessus (GUI tool)
Best practice: Use `sqlmap` to scan your target.
Alternatives:
- Manual SQL injection with cheatsheets like https://www.invicti.com/blog/web-security/sql-injection-cheat-sheet/
- Burp Suite (GUI tool)
Best Practice: Ghidra (GUI tool)
Alternatives:
- Use the `ltrace` command.
Best Practice: Run `fcrackzip -u -D -p ~/wordlists/rockyou.txt filename.zip` (`-D` is dictionary mode, `-p` gives the wordlist, `-u` verifies each candidate with unzip so false positives are dropped).
Alternatives:
- `zip2john filename.zip > zip.hash` followed by `john --wordlist=~/wordlists/rockyou.txt zip.hash`
Best Practice: Use the script provided in this repository at `/scripts/portloop.py`.
Alternatives:
- None?
Best Practice: Try `<root><excerpt>TESTING</excerpt></root>` to query the entire root of the XML.
Alternatives:
- None?
Best Practice: TODO
Alternatives:
- None?