Information Gathering Social Engineering Password Cracking Web Application Cloud Security

1. Nmap 1. GoPhish 1. Hashcat Assessment 1. AWS GuardDuty

2. Shodan 2. HiddenEye 2. John the Ripper 1. OWASP ZAP 2. Azure Security
3. Maltego 3. SocialFish 3. Hydra 2. Burp Suite Center
4. TheHarvester 4. EvilURL 4. Medusa 3. Nikto 3. Google Cloud
5. Recon-NG 5. Evilginx 5. Cain & Abel 4. WPScan Security Command
6. Amass 6. SET 6. Ophcrack 5. Acunetix Center
7. Censys (Social-Engineering Vulnerability Scanning 6. Arachni 4. Prisma Cloud
8. OSINT Framework Toolkit) 1. Nessus Network Defense 5. Lacework
9. Gobuster Exploitation 2. OpenVAS 1. Snort Threat Intelligence
10. Spiderfoot 1. Metasploit 3. Nexpose 2. Suricata 1. ThreatConnect
Framework 4. Qualys 3. pfSense 2. Recorded Future
Wireless Hacking 2. Burp Suite 5. Acunetix 4. Security Onion 3. AlienVault OTX
1. Aircrack-NG 3. SQL Map 6. Lynis 5. AlienVault OSSIM 4. IBM X-Force
2. Wifite 4. ExploitDB Forensics Endpoint Security Exchange
3. Kismet 5. Core Impact 1. Wireshark 1. CrowdStrike Falcon 5. MISP (Malware
4. TCPDump 6. Cobalt Strike 2. Autopsy 2. SentinelOne Information Sharing
5. Reaver 7. Empire 3. Volatility 3. Carbon Black Platform)
6. Wireshark 4. SleuthKit 4. Symantec Endpoint
5. Binwalk Protection
6. Foremost 5. Microsoft Defender
7. EnCase for Endpoint

in/harunseker/ 1
 No Tool Explanation Example Usage URLs

Information Gathering
Network scanning and discovery tool
nmap -sV 192.168.1.0/24 to scan a network Nmap:
1 Nmap used to find open ports, services, and OS
for open ports and service versions https://nmap.org/
information

Search engine for Internet-connected

devices, allowing users to find specific Searching for "webcamxp country:US" to find Shodan:
2 Shodan
types of devices, vulnerabilities, or exposed webcams in the United States https://www.shodan.io/
services

Data mining and visual link analysis tool Creating a graph of an organization's online
Maltego:
3 Maltego for investigating relationships between presence, including domains, email
https://www.maltego.com/
pieces of information addresses, and social media accounts

Tool for gathering email addresses, theHarvester -d example.com -b all to gather

TheHarvester:
4 TheHarvester subdomains, hosts, and employee information about a domain using all
https://github.com/laramies/theHarvester
names from various public sources available data sources

Full-featured reconnaissance framework

Using the whois_pocs module to gather Recon-NG:
5 Recon-NG designed for web-based open source
contact information for a target domain https://github.com/lanmaster53/recon-ng
reconnaissance

Tool for in-depth DNS enumeration and amass enum -d example.com to enumerate Amass:
6 Amass
network mapping subdomains of a target domain https://github.com/OWASP/Amass

in/harunseker/ 2
 Search engine that allows users to find
7 Censys specific types of devices connected to
the internet
Collection of various OSINT tools and
8 OSINT Framework
resources categorized by function
Tool used to brute-force URIs, DNS
9 Gobuster
subdomains, and virtual host names
Automated OSINT framework that
10 Spiderfoot integrates with multiple data sources for gather associated IP addresses, email
gathering intelligence
Suite of tools for auditing wireless
1 Aircrack-NG networks, capable of cracking WEP and
WPA/WPA2-PSK keys
Automated wireless attack tool that can
2 Wifite
crack multiple networks simultaneously
Wireless network detector, sniffer, and
3 Kismet
intrusion detection system
in/harunseker/
Searching for "80.http.get.headers.server: Censys:
Apache" to find Apache web servers https://search.censys.io/
Using the framework to find social media OSINT Framework:
profiles associated with an email address https://osintframework.com/
gobuster dir -u http://example.com -w
Gobuster:
wordlist.txt to find hidden directories on a
https://github.com/OJ/gobuster
website
Running a scan on a domain to automatically Spiderfoot:
https://intel471.com/attack-surface-docum
addresses, and social media profiles entation
Wireless Hacking
aircrack-ng -w wordlist.txt
Aircrack-NG:
capture.cap to crack a WPA handshake
https://www.aircrack-ng.org/
captured in capture.cap file
wifite --dict wordlist.txt to
Wifite:
automatically attack nearby networks using a
https://github.com/derv82/wifite2
wordlist
Running Kismet to passively detect hidden Kismet:
wireless networks and capture packets https://www.kismetwireless.net/
3
 tcpdump -i wlan0 -w
TCPDump:
4 TCPDump Command-line packet analyzer capture.pcap to capture wireless traffic
https://www.tcpdump.org/
on wlan0 interface

reaver -i wlan0 -b
Tool specifically designed to attack WPS
00:11:22:33:44:55 -vv to attempt Reaver:
5 Reaver (Wi-Fi Protected Setup) enabled wireless
a WPS PIN brute-force attack on a specific https://github.com/t6x/reaver-wps-fork-t6x
routers
access point

Using Wireshark to capture and analyze Wi-Fi

Network protocol analyzer with Wireshark:
6 Wireshark traffic, including decrypting WPA2 traffic with
capabilities for wireless packet analysis https://www.wireshark.org/
the correct key

Open-source phishing toolkit for creating
1 GoPhish
and managing phishing campaigns
Social Engineering
Setting up a simulated phishing campaign to
test employee awareness by sending fake GoPhish: https://getgophish.com/
login pages

HiddenEye:
Advanced phishing tool with multiple Creating a fake login page for a popular social
2 HiddenEye https://github.com/DarkSecDevelopers/Hid
attack vectors media platform to capture credentials
denEye

Generating a clone of a social networking site

Educational tool for social media SocialFish:
3 SocialFish to demonstrate how easily users can be
phishing https://github.com/UndeadSec/SocialFish
tricked

Tool for generating unicode domains for Creating a domain like "аррӏе.com" that EvilURL:
4 EvilURL
phishing attacks looks like "apple.com" to fool users https://github.com/UndeadSec/EvilURL

in/harunseker/ 4
 Man-in-the-middle attack framework for Setting up a proxy to intercept login attempts
Evilginx:
5 Evilginx phishing login credentials and session to a target website, bypassing two-factor
https://github.com/kgretzky/evilginx2
cookies authentication

SET Using the "Spear-Phishing Attack Vector" to SET:

Framework for creating and executing
6 (Social-Engineering send targeted emails with malicious https://github.com/trustedsec/social-engin
social engineering attacks
Toolkit) attachments to specific individuals eer-toolkit

Exploitation
Using the
Metasploit Open-source penetration testing and exploit/windows/smb/ms17_010_e Metasploit Framework:
1
Framework exploitation framework ternalblue module to exploit the https://www.metasploit.com/
EternalBlue vulnerability

Web application security testing Intercepting and modifying HTTP requests to Burp Suite:
2 Burp Suite
platform test for SQL injection vulnerabilities https://portswigger.net/burp

sqlmap -u
Automated SQL injection and database "http://example.com/page.php?i SQL Map:
3 SQL Map
takeover tool d=1" --dbs to enumerate databases on a https://sqlmap.org/
vulnerable website

Searching for "Apache Struts" to find

Archive of public exploits and ExploitDB:
4 ExploitDB known exploits for the Apache Struts
corresponding vulnerable software https://www.exploit-db.com/
framework

Core Impact:
Commercial penetration testing Conducting a network scan and automatically
5 Core Impact https://www.coresecurity.com/products/co
software exploiting discovered vulnerabilities
re-impact

in/harunseker/ 5
 Adversary simulation and red team
6 Cobalt Strike
operations software
PowerShell and Python post-exploitation
7 Empire
framework
Advanced password recovery tool that
1 Hashcat
supports hundreds of hashing algorithms
Versatile password cracker that
2 John the Ripper
combines multiple cracking modes
Online password cracking tool for
3 Hydra
various network protocols and services
Parallel network login brute-forcer
4 Medusa
supporting multiple protocols
Windows-based password recovery tool Using the GUI to capture and crack network
5 Cain & Abel
with multiple functions
Cross-platform tool specializing in
6 Ophcrack Windows password cracking using
rainbow tables
in/harunseker/
Using its beacon payload for post-exploitation Cobalt Strike:
activities and lateral movement https://www.cobaltstrike.com/
Executing a PowerShell script on a
Empire:
compromised Windows machine for privilege
https://github.com/BC-SECURITY/Empire
escalation
Password Cracking
hashcat -m 0 -a 0 hash.txt
Hashcat:
wordlist.txt to crack MD5 hashes using
https://hashcat.net/
a wordlist
john --format=raw-md5 hash.txt John The Ripper:
to crack MD5 hashes using default settings https://www.openwall.com/john/
hydra -l user -P pass.txt Hydra:
ftp://192.168.1.1 to brute force FTP https://github.com/vanhauser-thc/thc-hydr
login a
medusa -h 192.168.1.1 -u admin Medusa:
-P passwords.txt -M http to attack http://foofus.net/goons/jmk/medusa/med
HTTP basic auth usa.html
Cain & Abel:
passwords or dump hashes http://www.oxid.it/cain.html
Loading a Windows SAM file and cracking Ophcrack:
passwords using pre-computed tables https://ophcrack.sourceforge.io/
6
 Vulnerability Scanning
Commercial vulnerability scanner with a
large plugin database. Detects
1 Nessus
vulnerabilities, misconfigurations, and
compliance issues.
Open-source vulnerability scanner and
manager. Performs
2 OpenVAS
authenticated/unauthenticated testing
and supports various protocols.
Commercial vulnerability management
software. Provides risk-based
3 Nexpose
prioritization and integration with
Metasploit.
Cloud-based vulnerability management
4 Qualys platform. Offers continuous monitoring
and asset discovery.
Specialized web application security
scanner. Detects over 7000 web
5 Acunetix
vulnerabilities including XSS and SQL
injection.
in/harunseker/
Scanning a network for known vulnerabilities: Nessus:
nessus scan -t 192.168.1.0/24 https://www.tenable.com/products/nessus
Running a full scan on a web server:
omp -u admin -w password
--create-target="Web Server"
--hosts=192.168.1.100 OpenVAS: https://www.openvas.org/
--create-task="Web Server
Scan" --config="Full and fast"
--start-task
Creating a site and running a scan:
Nexpose:
nexpose_cli.rb -r CreateSite
https://www.rapid7.com/products/nexpose
-n "TestSite" -H 192.168.1.100
/
-S
Scheduling a weekly scan of critical assets
Qualys: https://www.qualys.com/
through the Qualys web interface
Scanning a web application:
acunetix_console --scan Acunetix: https://www.acunetix.com/
http://example.com
7
 Open-source security auditing tool for
Unix/Linux systems. Performs system
6 Lynis
hardening, compliance testing, and
vulnerability scanning.
Network protocol analyzer for capturing
1 Wireshark
and analyzing network traffic
Digital forensics platform for disk image Analyzing a disk image to recover deleted
2 Autopsy
analysis
Memory forensics framework for
3 Volatility
analyzing RAM dumps
Collection of command-line tools for
4 SleuthKit
investigating disk images
Tool for analyzing and extracting
5 Binwalk
firmware images
Data carving tool for recovering files
6 Foremost
based on headers and footers
in/harunseker/
Running a system audit:
Lynis: https://cisofy.com/lynis/
lynis audit system
Forensics
Capturing HTTP traffic to analyze a potential
Wireshark:
data exfiltration attempt: wireshark -i eth0 -f
https://www.wireshark.org/
"port 80"
Autopsy:
files: autopsy disk_image.dd https://www.autopsy.com/
Extracting running processes from a memory
dump: Volatility:
volatility -f memory.dmp --profile=Win10x64 https://www.volatilityfoundation.org/
pslist
Extracting file system information: SleuthKit:
fls -r disk_image.dd https://www.sleuthkit.org/
Identifying embedded files in firmware: Binwalk:
binwalk router_firmware.bin https://github.com/ReFirmLabs/binwalk
Recovering JPEGs from a disk image:
Foremost:
foremost -t jpeg -i
http://foremost.sourceforge.net/
disk_image.dd
8

Commercial forensic software suite for
7 EnCase
evidence acquisition and analysis
Web Application Assessment
Open-source web application security
1 OWASP ZAP scanner. Performs automated scanning
and allows manual testing.
Integrated platform for web application
security testing. Includes tools for
2 Burp Suite
mapping, analyzing, and exploiting web
applications.
Open-source web server scanner that
3 Nikto performs comprehensive tests against
web servers for multiple items.
Black box WordPress vulnerability
4 WPScan
scanner.
Automated web application security
5 Acunetix testing tool. Detects over 7000 web
vulnerabilities.
in/harunseker/
Creating a forensic image of a hard drive: EnCase:
encase -e /dev/sda https://www.guidancesoftware.com/encas
evidence.E01 e-forensic
Running an automated scan: zap-cli
quick-scan --self-contained
OWASP ZAP:
--start-options "-config
https://www.zaproxy.org/
api.disablekey=true"
https://example.com
Using Burp Proxy to intercept and modify
HTTP requests: Configure browser to use Burp Suite:
Burp as proxy, then intercept and modify https://portswigger.net/burp
requests in Burp
Scanning a web server: Nikto:
nikto -h http://example.com https://cirt.net/Nikto2
Scanning a WordPress site: wpscan --url
WPScan:
http://example.com --enumerate
https://wpscan.org/
vp,u,tt,t
Scheduling a weekly scan of critical assets Acunetix:
through the Acunetix web interface https://www.acunetix.com/
9
 Web application security scanner
6 Arachni
framework.
Open-source intrusion detection and
prevention system (IDS/IPS) that
1 Snort
performs real-time traffic analysis and
packet logging
High-performance network IDS, IPS, and
2 Suricata
network security monitoring engine
Open-source firewall and router
3 pfSense
platform based on FreeBSD
Linux distribution for intrusion
4 Security Onion detection, network security monitoring, analyze network traffic: sudo so-setup to
and log management
Open-source security information and
5 AlienVault OSSIM
event management (SIEM) system
in/harunseker/
Running a scan: Arachni:
arachni http://example.com https://www.arachni-scanner.com/
Network Defense
Configuring Snort rules to detect and alert on
suspicious network traffic: alert tcp any any
-> $HOME_NET 22 (msg:"SSH brute force Snort:
attempt"; flow:to_server; threshold:type https://www.snort.org/
both, track by_src, count 5, seconds 60;
sid:1000001;)
Setting up Suricata to monitor network traffic
Suricata:
and generate alerts: suricata -c
https://suricata-ids.org/
/etc/suricata/suricata.yaml -i eth0
Configuring a pfSense firewall rule to allow
pfSense:
inbound HTTPS traffic: pass in on wan proto
https://www.pfsense.org/
tcp from any to (wan) port 443
Deploying Security Onion to collect and
Security Onion:
https://securityonion.net/
initiate the setup wizard
Using OSSIM to correlate security events
AlienVault OSSIM:
from multiple sources: Configure log sources
https://cybersecurity.att.com/products/ossi
in the web interface and create correlation
m
rules to detect complex attack patterns
Endpoint Security
10
 Cloud-native endpoint protection
Detecting and preventing a zero-day malware CrowdStrike Falcon:
1 CrowdStrike Falcon platform using AI and behavioral
attack in real-time on an employee's laptop https://www.crowdstrike.com/
analytics

Automatically isolating an infected

AI-powered endpoint security platform SentinelOne:
2 SentinelOne workstation and rolling back malicious
with autonomous response capabilities https://www.sentinelone.com/
changes

Endpoint detection and response (EDR) Investigating the root cause of a security Carbon Black:
3 Carbon Black
solution with threat hunting capabilities incident across multiple endpoints https://www.carbonblack.com/

Symantec Endpoint Protection:

Symantec Endpoint Traditional antivirus combined with Blocking a ransomware attack attempt on a
4 https://www.broadcom.com/products/cyb
Protection advanced threat protection corporate server
er-security/endpoint

Microsoft Defender for Endpoint:

Microsoft Defender Built-in endpoint security for Windows Identifying and remediating a vulnerability
5 https://www.microsoft.com/en-us/microso
for Endpoint with cloud-powered protection across all Windows devices in an organization
ft-365/security/endpoint-defender

Intelligent threat detection service that
1 AWS GuardDuty continuously monitors AWS accounts
and workloads
Cloud Security
Detecting a potential data exfiltration
AWS GuardDuty:
attempt by identifying unusual API calls from
https://aws.amazon.com/guardduty/
a compromised EC2 instance

Using Security Center to assess the security

Unified infrastructure security Azure Security Center:
Azure Security state of all Azure resources and receive
2 management system that strengthens https://azure.microsoft.com/en-us/services
Center actionable recommendations to remediate
the security posture of data centers /security-center/
vulnerabilities

in/harunseker/ 11
 Google Cloud Centralized security and risk Utilizing the Security Health Analytics feature Google Cloud Security Command Center:
3 Security Command management platform for Google Cloud to detect misconfigurations in Google Cloud https://cloud.google.com/security-comman
Center resources Platform (GCP) services d-center

Implementing Prisma Cloud to enforce

Cloud-native security platform providing Prisma Cloud:
compliance policies across multi-cloud
4 Prisma Cloud visibility and threat protection across https://www.paloaltonetworks.com/prisma
environments and detect anomalous user
public clouds /cloud
activities

Automated cloud security platform that Using Lacework's behavioral anomaly

5 Lacework provides threat detection, compliance, detection to identify and alert on unusual Lacework: https://www.lacework.com/
and vulnerability management container activities in a Kubernetes cluster

Threat Intelligence
A threat intelligence platform that Using ThreatConnect to correlate indicators
ThreatConnect:
1 ThreatConnect aggregates, analyzes, and acts on threat of compromise (IoCs) across different threat
https://threatconnect.com/
data from multiple sources feeds and internal data sources

Leveraging Recorded Future's browser

A security intelligence platform that
extension to get instant risk scores for IP Recorded Future:
2 Recorded Future provides real-time threat intelligence
addresses, domains, and vulnerabilities while https://www.recordedfuture.com/
from a wide range of sources
browsing

Subscribing to OTX pulses to receive real-time

Open Threat Exchange (OTX) is an open
updates on emerging threats and AlienVault OTX:
3 AlienVault OTX threat intelligence community that
incorporating this data into your security https://otx.alienvault.com/
allows sharing of threat data
tools

in/harunseker/ 12
 Using X-Force Exchange to research a
A cloud-based threat intelligence sharing
IBM X-Force suspicious IP address and view its associated IBM X-Force Exchange:
4 platform that provides detailed
Exchange malware, vulnerabilities, and threat actor https://exchange.xforce.ibmcloud.com/
information about threats
information

Setting up a MISP instance to share threat

MISP (Malware An open-source threat intelligence
intelligence within your organization or with MISP:
5 Information platform for sharing, storing, and
trusted partners, and automating the import https://www.misp-project.org/
Sharing Platform) correlating IoCs
of this data into your security tools.

in/harunseker/ 13