Pentest Tools

Pentest Tools

Reading time ~1 minute

0 Framework 攻击框架

[Tool] Utilities for MITRE™ ATT&CK https://github.com/nshalabi/ATTACK-Tools
[Tool] 好用的渗透工具列表 https://github.com/enaqx/awesome-pentest
[Book] Kali渗透 https://jobrest.gitbooks.io/kali-linux-cn/content/
[Paper] MITRE ATT&CK 发布了 7 款安全产品的评估 https://medium.com/mitre-attack/first-round-of-mitre-att-ck-evaluations-released-15db64ea970d

1 Reconnaissance 信息搜集

OSINT CheckList Reconnaissance

Dnstrails - Best for enumerating Subdomains
Viewdns.info - Various tools [Finding Origin IP behind Cloudflare, and so on) - Recommended
Google ASE aka Google Dorking [Most effective in some cases]
Pentest-tools [Paid/Rate-Limited]
Dnsdumpster [Free]
VirusTotal [Free]
Crt.sh - Best for enumerating related domains [Free]
Dnsgoodies [Free]
Shodan [Paid/Rate-limited]
Censys [Free mostly]
Fofa.so [Free mostly]
Spiderfoot [Currently Free, just request for a Spiderfoot instance]
Zoomeye [Free mostly and works well]
Binaryedge [Paid/Rate-Limited]
onyphe.io [Free mostly]

2 Entry 入口突破

2.1 Phishing

[Tools] https://github.com/klionsec/PhishingExploit
[Cases] 利用谷歌开放平台OAuth授权，伪装成Google Doc使用GMail传播钓鱼 https://www.reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/
[Blog] Office在线视频钓鱼 https://blog.cymulate.com/abusing-microsoft-office-online-video
[Tools] 邮件钓鱼工具 https://www.mailsploit.com/index
[Trick] 利用DOCX文档远程模板注入执行宏https://xz.aliyun.com/t/2496

2.2 HID Attack

[Paper] 打印机利用 http://archive.hack.lu/2010/Costin-HackingPrintersForFunAndProfit-slides.pdf
[Tools] BadUSB https://mp.weixin.qq.com/s/mIcRNcf5HmZ4axe8N92S7Q

2.3 Wireless Attack

[Tools] 无需四次握手包破解WPA&WPA2密码 http://www.freebuf.com/articles/wireless/179953.html

3 Exploit 漏洞利用

[Tools] PE文件转为Shellcode / https://github.com/hasherezade/pe_to_shellcode

4 Privilege Escalation 权限提升

[Cheatsheet] Windows提权笔记 https://xz.aliyun.com/t/2519
[Cheatsheet] Windows提权小抄 https://guif.re/windowseop
[Cheatsheet] Windows本地提权技巧 http://payloads.online/archivers/2018-10-08/1
[Cheatsheet] Linux提权小抄 https://guif.re/linuxeop
[Exploit] Windows-Exploit-Suggester https://github.com/GDSSecurity/Windows-Exploit-Suggester/blob/master/windows-exploit-suggester.py
[Exploit] Linux-Exploit-Suggester https://github.com/PenturaLabs/Linux_Exploit_Suggester/
[Exploit] Windows Exploits https://github.com/abatchy17/WindowsExploits
[Exploit] Windows Sherlock本地提权漏洞检查 https://github.com/rasta-mouse/Sherlock
[Cheatsheet] Linux sudo滥用提权 http://touhidshaikh.com/blog/?p=790
[Blog] 深入解读MS14-068漏洞：微软精心策划的后门？http://www.freebuf.com/vuls/56081.html

5 Persistent 持久化后门

[Tools] Gray Dragon .NET应用Runtime注入工具 / https://www.digitalbodyguard.com/graydragon.html
[Trick] 利用环境变量，在任意.Net应用DLL注入 / https://mobile.twitter.com/subTee/status/864903111952875521 https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/bb384689(v=vs.100)
[Tools] PHP-FPM无文件后门Webshell https://www.anquanke.com/post/id/163197
[Tools] 利用PrintDialog持久化+执行命令 http://www.hexacorn.com/blog/2018/08/11/printdialog-exe-yet-another-lolbin-for-loading-dlls/
[Tools] SystemSettings http://www.hexacorn.com/blog/2018/08/12/systemsettings-exe-yet-another-lolbin-for-loading-dlls/

6 Post Exploitation 后渗透、据点挖掘

Windows

无Powershell.exe的Powershell工具 / https://github.com/Ben0xA/nps
全阶段的Powershell渗透测试脚本 / https://github.com/samratashok/nishang
命令执行 Living off the Land https://github.com/api0cradle/LOLBAS
C# 后渗透测试库 SharpSploit 介绍 https://posts.specterops.io/introducing-sharpsploit-a-c-post-exploitation-library-5c7be5f16c51
[Blog] Windows执行命令和下载文件总结 https://www.cnblogs.com/17bdw/p/8550189.html
[Tricks] 使用Rundll32运行.Net程序 https://blog.xpnsec.com/rundll32-your-dotnet/
[Tools] .NET DllExport https://github.com/3F/DllExport

Linux

纯Bash实现的后渗透工具 / https://github.com/TheSecondSun/Bashark/

7 凭据窃取

[Tool] SafetyKatz https://github.com/GhostPack/SafetyKatz

8 Letaral Movement 横向移动、内网渗透

[Tools] 域信息搜集，域管理员的六度空间 https://github.com/BloodHoundAD/SharpHound
[Usage] NMap空闲隐蔽扫描 https://nmap.org/book/idlescan.html
[Blog] 使用meterpreter进行NTLM中继攻击 https://diablohorn.com/2018/08/25/remote-ntlm-relaying-through-meterpreter-on-windows-port-445/
[Tools] Responder NetBIOS名称欺骗和LLMNR欺骗 https://github.com/SpiderLabs/Responder
[Tools] NTLM Relay 攻击 Exchange Web Services https://github.com/Arno0x/NtlmRelayToEWS
[Tools] SMB中间人劫持 https://github.com/quickbreach/SMBetray
[Tools] 代理隧道 https://github.com/txthinking/brook

9 Defense Evasion 绕过检测

[Book] 效果不错的免杀，使用C#绕过杀毒软件
[Tool] 生成免杀的Metasploit Payload / https://github.com/Veil-Framework/Veil
[Code] 自定义Meterpreter加载 / http://www.freebuf.com/articles/system/53818.html
[Blog] 九种姿势执行Mimikaz
[Blog] 使用.Net可执行程序进行渗透
[Blog] ATT&CK 攻击矩阵躲避防御
[Blog] 绕过下一代杀软
[Blog] Windows NTFS特殊文件夹绕过检测
[Paper] Winnti Bootkit http://williamshowalter.com/a-universal-windows-bootkit/
[Paper] UEFI Rootkit https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/
[Twitter] Linux Bash 混淆 https://twitter.com/DissectMalware/status/1025580967384305664
[Tools] 免杀工具 AVEThttps://github.com/govolution/avet

10 C&C

[Tools] ICMP后门 https://github.com/inquisb/icmpsh
[Tools] Windows远控 in C# https://github.com/quasar/QuasarRAT

11 Data Exfiltration

[Blog] 数据外传技术 https://www.pentestpartners.com/security-blog/data-exfiltration-techniques/

12 Misc

渗透论坛 https://www.hackthebox.eu/
Java Runtime.exec(String)执行任意命令 https://www.anquanke.com/post/id/159554 https://mp.weixin.qq.com/s/pzpc44-xH932M4eCJ8LxYg http://jackson.thuraisamy.me/runtime-exec-payloads.html

13 Laws

美国信息泄露通知法：

14 Detection

针对微软活动目录（AD）的七大高级攻击技术及相应检测方法 https://www.anquanke.com/post/id/161815
攻防对抗：活动目录中的欺骗技术 https://www.anquanke.com/post/id/162210

15 MITM

Tools https://github.com/LionSec/xerosploit

16 Misc

Tools 代码生成手绘图 https://www.websequencediagrams.com/
Tools 本地代码生成ascii文本绘图 graph::easy

17 Android

Paper Frida操作手册 https://github.com/hookmaster/frida-all-in-one