Pentest Toolbox Part 2

netscape101, published in DevOpsOnTheBlock, Sep 11, 2019
Image from: http://sqlmap.org/images/screenshot.png

Knockpy:

Still one of my favourite tools for finding subdomains.

You can install it with:

$ git clone https://github.com/guelfoweb/knock
$ cd knock
$ vim knockpy/config.json

Then add your VirusTotal API key to that config file.

Setup:

$ sudo python setup.py install

(Yes I know sudo python setup.py is lazy and insecure so use a virtualenv if you don’t like doing it this way.)

Test if it installed correctly:

knockpy yahoo.com

When you run the above command check if you see any errors.

You could have installed it in a virtualenv if you really wanted to.

You can pass knockpy a wordlist like this:

knockpy site.com -w ~/Desktop/pentest/SecLists/Discovery/DNS/merged-no-duplicates.txt

Install masscan:

I am a huge fan of nmap, and if I ever were to go into the matrix then I would be finding SSH 0-days with nmap, but I’m not in the matrix, so I will be adding masscan to my pentest toolbox.
Here is a cool usage guide by Daniel Miessler on the topic of masscan:
https://danielmiessler.com/study/masscan/

I just installed masscan with:

$ brew install masscan

Dirsearch.py

Still hands down one of my favourite DirBuster alternatives. The guy who maintains the code is really cool; I’ve emailed him a few times and always got a very friendly reply.

git clone https://github.com/maurosoria/dirsearch
cd dirsearch/
python3 dirsearch.py --help

What do I like most about this tool?
It is fast, and you can exclude certain response codes. This is handy when you are testing an application that returns odd responses to try and confuse attackers.

A cool trick which I like to use (I’m certain most people who hack web applications do this, but I haven’t heard many people talk about it) is to proxy my dirsearch.py requests via Burp Suite. That way I get to map out the application’s routes quite quickly.

python3 dirsearch.py -u http://whateveraa.test -w $HOME/Desktop/pentest/SecLists/Discovery/Web-Content/merged-no-duplicates.txt -e php -x 301,400,403 --proxy http://127.0.0.1:8080

Something I never thought of was to use dirsearch to map out an API that requires JWT auth. I just did it this way and passed the results to Burp Suite:

python3 dirsearch.py -u http://our.site.test -w ~/Desktop/pentest/SecLists/Discovery/Web-Content/merged-no-duplicates.txt -e php -x 301,400,403,307 --proxy http://127.0.0.1:8080 -H "Authorization: Bearer YOUR-JWT-GOES-HERE"
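From the defender’s side, a wordlist run like the ones above leaves a very recognisable trail in the web server’s access log: one client producing a burst of 404/403 responses in a short window. The following is an added example (not from the original post or from the dirsearch project) that parses combined-format log lines and flags clients that exceed a miss threshold inside a sliding time window; the log lines, IP addresses, paths and thresholds are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [ts] "req" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: 12 misses in 12 seconds from one client, one benign hit from another.
_WORDS = ["admin", "backup", "config", "db", "old", "test", "tmp", "upload", "wp", "api", "dev", "login"]
SAMPLE_LOG = "\n".join(
    f'203.0.113.7 - - [11/Sep/2019:10:00:{i:02d} +0000] "GET /{w}.php HTTP/1.1" 404 153 "-" "python-requests/2.22"'
    for i, w in enumerate(_WORDS)
) + '\n198.51.100.5 - - [11/Sep/2019:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"\n'


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["status"] = int(d["status"])
    return d


def find_bruteforce(log_text, threshold=10, window_seconds=60, miss_codes=(403, 404)):
    """Return {ip: peak_misses} for clients whose 'miss' responses (default 403/404)
    reach `threshold` inside any sliding window of `window_seconds`."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["status"] in miss_codes]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    peak = defaultdict(int)
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop misses that fell out of the window
        peak[e["ip"]] = max(peak[e["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(find_bruteforce(SAMPLE_LOG))  # → {'203.0.113.7': 12}
```

Tune `threshold` and `window_seconds` to the site’s normal 404 rate; the same sliding-window logic works on lines streamed from `tail -f` rather than a fixed string.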

SQLMAP:

Even sqlmap’s traffic can be proxied via Burp Suite. This isn’t always a good idea, but sometimes it can be helpful, or even just interesting, to see what sqlmap tries. Just make sure to turn off intercept.

$ python sqlmap.py ... --proxy="http://127.0.0.1:8080"
