Function: Displays network connections and listening ports.
Use Case: Identifying active connections on the system.
Example: netstat -an to list all active connections and listening ports.
Net Commands
Function: Manages network resources, users, and services.
Use Case: Administering network shares, user accounts, and services.
Example: net user to list user accounts.
cmd.exe
Function: Windows command prompt.
Use Case: Executing commands and scripts.
Example: Running batch files or individual commands.
explorer.exe
Function: Windows graphical user interface.
Use Case: Browsing files and directories.
Example: explorer.exe to open the file explorer.
ftp.exe
Function: File Transfer Protocol client.
Use Case: Transferring files to/from remote servers.
Example: ftp.exe <server> to connect to an FTP server.
mmc.exe
Function: Microsoft Management Console.
Use Case: Managing Windows administrative tools.
Example: mmc.exe to open the management console.
rundll
Function: Runs functions exported from DLLs.
Use Case: Executing DLL functions.
Example: rundll32.exe <dllname>,<entrypoint> to execute a function.
msbuild
Function: Builds .NET applications.
Use Case: Compiling and executing code.
Example: msbuild <project>.proj to build a .NET project.
route
Function: Displays and modifies the routing table.
Use Case: Managing network routes.
Example: route print to display the routing table.
strings/findstr.exe
Function: Searches for text strings in files.
Use Case: Finding specific text in files.
Example: findstr <text> <filename> to search for text within a file.
Covenant
Function: Command and control framework.
Covenant is an open-source, .NET-based Command and Control (C2) framework designed for red teaming and penetration testing.
It allows security professionals to simulate advanced attacks, manage compromised hosts, and conduct post-exploitation activities in a controlled manner.
Covenant supports a variety of attack techniques and provides an interactive web-based interface for managing and orchestrating operations.
Use Case: Managing compromised systems and executing commands remotely.
Example: Using Covenant to execute PowerShell scripts on compromised hosts.
CrackMapExec
Function: Post-exploitation tool for managing Windows networks.
Use Case: Automating various tasks such as credential validation and command execution.
Example: Using CrackMapExec to enumerate users and shares.
Impacket
Function: Collection of Python classes for working with network protocols.
Use Case: Scripting and automating network tasks.
Example: Using psexec.py from Impacket to execute commands on remote systems.
Netcat
Function: Network utility for reading and writing data across network connections.
Use Case: Creating reverse or bind shells.
Example: nc -lvp <port> to start a listener.
sshuttle
Function: Transparent proxy server that works as a poor man’s VPN.
sshuttle is an open-source tool that provides a simple way to create a VPN-like connection over SSH.
It allows users to forward all traffic from their local machine through an SSH tunnel to a remote server, effectively allowing access to remote networks as if they were directly connected to them.
It’s particularly useful for bypassing network restrictions and accessing internal resources securely.
Features:
Transparent Proxy: Routes traffic from your local machine through an SSH tunnel, making it appear as if you’re on the remote network.
No Root Required: Operates without needing root privileges on the local machine.
Supports IPv4 and IPv6: Handles both IPv4 and IPv6 traffic.
Simple Setup: Easy to configure and use with minimal setup required.
Use Case: Tunneling traffic through a compromised host.
Example: sshuttle -r user@host 0.0.0.0/0 to tunnel all traffic through an SSH connection.
Usage → sshuttle -r <user@remote_host> <network>
Proxychains
Function: Forces any TCP connection made by any application to go through a proxy such as Tor or any other SOCKS4, SOCKS5, or HTTP(S) proxy.
Proxychains is a Linux utility that allows you to force any TCP connection made by any given application to go through a proxy (such as SOCKS or HTTP proxies).
It is especially useful for network penetration testing, privacy, and anonymizing traffic.
Proxychains works by intercepting network calls and redirecting them through specified proxy servers.
Features:
Support for Multiple Proxy Types: Supports SOCKS5, SOCKS4, and HTTP proxies.
Flexible Proxy Chain: Allows chaining multiple proxies to enhance anonymity.
Application Transparency: Routes traffic for any application without requiring modifications to the application itself.
Configuration File: Provides a configuration file where proxies and options are defined.
Use Case: Obfuscating traffic through multiple proxies.
Example: proxychains nmap -sT <target> to run Nmap through proxies.
PowerShell Integrated Scripting Environment (ISE)
Function: Development environment for PowerShell scripts.
PowerShell Integrated Scripting Environment (ISE) is a Microsoft development tool that provides a rich graphical interface for creating, testing, and debugging PowerShell scripts.
It is an integrated environment that enhances the scripting and automation capabilities of PowerShell by offering features like syntax highlighting, IntelliSense, and debugging tools.
Although PowerShell ISE has been deprecated in favor of Visual Studio Code with the PowerShell extension, it is still used in various environments.
Features:
Script Editor: Provides a text editor for writing and editing PowerShell scripts with syntax highlighting.
IntelliSense: Offers auto-completion for commands, parameters, and variables, improving script accuracy and efficiency.
Script Debugger: Includes tools for debugging scripts, such as breakpoints, variable inspection, and step execution.
Integrated Console: Allows you to run and test PowerShell commands interactively within the ISE.
Command Add-ons: Supports custom add-ons and modules to extend functionality.
Use Case: Writing and debugging PowerShell scripts.
Example: Using PowerShell ISE to develop and test scripts for enumeration and exploitation.
Usage: Launch → powershell_ise
Batch Files
Function: Scripts that execute a series of commands in Windows.
Batch files are scripts containing a sequence of commands to be executed by the command-line interpreter (CMD.EXE) on Windows operating systems.
They automate repetitive tasks, manage system configurations, and execute commands in a batch process.
Batch files use a simple scripting language that includes basic programming constructs like loops, conditionals, and variables.
Features:
Command Automation: Automates sequences of command-line operations.
System Configuration: Used for setting environment variables, managing files, and configuring system settings.
Simple Scripting: Employs a straightforward scripting language with basic programming capabilities.
File Extension: Typically saved with the .bat or .cmd file extension.
Use Case: Automating tasks and command sequences.
Example: Creating a batch file to automate network scans.
Metasploit
Function: Penetration testing framework.
Use Case: Exploiting vulnerabilities and managing post-exploitation activities.
Example: Using Metasploit modules to exploit known vulnerabilities and establish sessions.
PsExec
Function: Executes processes on remote systems.
PsExec is a command-line tool from Microsoft’s Sysinternals suite that allows users to execute processes on remote systems and interact with them as if they were running locally.
It can be used for various administrative tasks such as running scripts, installing applications, and managing processes on remote machines.
PsExec is often employed in system administration, troubleshooting, and penetration testing.
Features:
Remote Execution: Run commands and processes on remote systems.
Interactive Session: Launch interactive sessions on remote machines.
Service Management: Start and stop services on remote systems.
File Execution: Execute applications and scripts remotely.
Use Case: Running commands and scripts remotely.
Example: psexec \\<remote_host> -u <user> -p <password> cmd to open a command prompt on a remote machine.
Mimikatz
Function: Post-exploitation tool for extracting plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
Mimikatz is an open-source tool developed by Benjamin Delpy that is used for extracting and manipulating authentication credentials from Windows systems.
It is widely used in penetration testing and security research to demonstrate and exploit vulnerabilities related to Windows authentication mechanisms.
Mimikatz can extract plaintext passwords, hash values, and Kerberos tickets, and perform various attacks on Windows authentication protocols.
Use Case: Credential dumping and privilege escalation.
Example: Using Mimikatz to dump Windows password hashes from memory.
WHOIS → Tools to gather information from public records about domain ownership.
Nslookup → Tools to help identify the IP addresses associated with an organization.
theHarvester → scours search engines and other resources to find email addresses, employee names, and infrastructure details about an organization.
Recon-ng → A modular web reconnaissance framework that organizes and manages OSINT work.
Censys → A web-based tool that probes IP addresses across the Internet and then provides penetration testers with access to that information through a search engine.
FOCA (Fingerprinting Organizations with Collected Archives) → an open source tool used to find metadata within Office documents, PDFs, and other common file formats.
Shodan → A specialized search engine to provide discovery of vulnerable Internet of Things (IoT) devices from public sources.
Maltego → A commercial product that assists with the visualization of data gathered from OSINT efforts.
Nessus → A commercial vulnerability scanning tool used to scan a wide variety of devices.
OpenVAS → An open source alternative to commercial tools such as Nessus. OpenVAS also performs network vulnerability scans.
Sqlmap → An open source tool used to automate SQL injection attacks against web applications with database back ends.
Nikto, Wapiti, and W3AF → Open source web application vulnerability scanners.
WPScan → A web application testing tool designed to work with websites running the WordPress content management system.
Security Content Automation Protocol (SCAP) → A set of tools designed to help organizations manage compliance with security standards.
The Social Engineer Toolkit (SET) → Provides a framework for automating the social engineering process, including sending spear phishing messages, hosting fake websites, and collecting credentials.
Browser Exploitation Framework (BeEF) → Provides an automated toolkit for using social engineering to take over a victim’s web browser.
Immunity Debugger → Designed specifically to support penetration testing and the reverse engineering of malware.
GDB → A widely used open source debugger for Linux that works with a variety of programming languages.
OllyDbg → A Windows debugger that works on binary code at the assembly language level.
WinDbg → Another Windows-specific debugging tool that was created by Microsoft.
IDA → A commercial debugging tool that works on Windows, Mac, and Linux platforms.
Brakeman → A static software analysis tool used for scanning Ruby on Rails applications.
Covenant → A software security testing tool used for testing .NET applications.
TruffleHog → A tool that scans through code repositories for accidentally published secrets.
Rogue wireless access points → Used to attract connections from unsuspecting users.
EAPHammer → Used to conduct evil twin attacks against WPA2-Enterprise wireless networks.
Reaver → Used to conduct attacks against networks that support Wi-Fi Protected Setup (WPS).
Spooftooph → Used to perform attacks against Bluetooth-enabled devices.
The Wireless Geographic Logging Engine (WiGLE) → An open database of wireless network information collected by the community and published for open access.
Online SSL checkers → Used to determine whether websites are susceptible to SSL and/or TLS vulnerabilities.
Secure Shell (SSH) → Provides secure encrypted connections between systems.
Ncat and Netcat → Provide an easy way to read and write data over network connections.
Proxychains → Allows testers to force connections through a proxy server where they may be inspected and altered before being passed on to their final destination.
ScoutSuite → A cloud security auditing tool that can work across commonly used cloud environments.
CloudBrute → A scanner used to identify the cloud components used by an organization.
Pacu → A cloud exploitation framework focused on Amazon Web Services (AWS)-hosted environments.
Cloud Custodian → A rule enforcement engine that allows the consistent application of security policies across cloud environments.