This is a list of security tools & commands that I have used or recommend. I'm using Kali Linux VM with a Windows host computer. Welcome any contributions! πͺ
& Wish you all good luck on your way of finding the hidden treasures. π
Author: Lee Ting Ting
π Software Tools
π Web Scripts
π Useful Python Libraries & Scripts
π Online Tools
π Learning / Practicing Websites
π Curated GitHub Repos / Toolkits
π Special Thanks
- Ghidra: Decompile binary files.
- Satisfy the minimum requirements (Java 11 JDK) and download Ghidra from the above website.
- After extracting the downloaded Ghidra package, open
ghidraRun.bat
to start. - Select New project > Import Files, then select your binary file to analyze.
- In the
Symbol Tree
tab on the left, find and selectmain
underFunctions
. - Then, select
Windows
>Decompile:main
from the top menu to see readable code.
- StegSolve: A java app that solves steganography by apply various filters.
- Steganography is to conceal a message, image, or file within another message, image, or file.
- Installation instruction is in the above link.
- Reference: Wiki
- Burp Suite Professional: A software that uses proxy (usually localhost:8080) to intercept HTTP requests.
- You can edit and resend the intercepted HTTP requests.
- The Community version is very slow.. don't use it. You should be able to find free professional licenses online:)
- IDA Pro 32/64 bit: A software that generates assembly code from binary files.
- Download IDA Pro 64-bit from the above link, and download IDA Pro 32-bit with pseudocode decompiler here.
- Hotkeys:
F5
: view pseudocodetab
: toggle between the disassembly code view and pseudocode view.Shift+F12
: view all strings in the program.
- Note that 32-bit programs need to be opened with IDA Pro 32-bit, and vice versa.
- Reference: IDA Pro Hotkey Cheatsheet
- GIMP: The GNU Image Manipulation Platform
-
lsof -i -P -n | grep LISTEN
: Show listening ports.- lsof: list open files and processes that opened them.
-i
: list all network connections.-P
: list port number instead of port name.-n
: don't convert network number to hostname, this can make lsof run faster.- reference: manual
-
xdg-open .
: Open current folder in GUI explorer.- This is useful for dragging and dropping files from Linux VM to host computer.
- reference: StackExchange
-
kill $(lsof -t -i:8080)
: Kill any process listening on port 8080.- reference: StackOverflow
-
display <image_name>
: Display image from terminal.- Make sure that imagemagick is installed before using this.
- reference: StackExchange
-
nc -l -p 9000
: Listen on port 9000- use
nc <ip_address> 9000
to communicate with the host.
- use
-
grep -rnw '/path/to/somewhere/' -e 'pattern'
: Find all files containing the pattern under the specified path.-r
: recursively search-n
: display the line number containing the pattern in the file.-w
: match the entire word of the pattern.- Reference: StackOverflow
-
strings <filename>
: Print all strings in the file.- use
strings <filename> | grep -E <some_regex>
to find the strings that match the regular expression,FLAG{[a-zA-Z0-9_!@]+}
, for example. - Test regular expressions online at https://regexr.com/.
- use
-
strace <filename>
: Print out system call details.- If not installed, run
sudo apt-get install strace
. - Use
strace -s 50 <filename>
to print out the strings with max length 50. - Reference: manual
- If not installed, run
-
objdump -M intel -d <filename> | less
: Show the disassembled file.-M intel
: display the assembly in Intel syntax (see the differences between the default AT&T syntax and the Intel syntax in wiki).-d
: disassemble-C
: decode (demangle) low-level symbol names into readable names- The
less
command is for viewing the contents of the file, allow both forward and backward navigation. (Themore
command only allow forward navigation.) - Can also use
grep
to get specific data. - When using
less
to view the file, you can use/<anything_you_want_to_search>
to search for specific strings. For example, use/main
to locate the main function. - Reference: manual
-
binwalk -Mre <filename>
: Firmware analysis & reverse engineering.-
Follow the installation instructions here.
-
-M
: recursively scan extracted files. -
-r
: delete carved file after extraction. (what is file carving?) -
-e
: extract known file types. -
Reference: GitHub
-
-
qemu-mipsel <filename>
: Execute MIPS programs on non-MIPS OS.- Installation instructions
- If you run into "No such file or directory", run
export QEMU_LD_PREFIX=<folder_location_of_the_missing_file>
and retry the above command to help the program find your file. - QEMU: Quick EMUlator
- mipsel: little-endian MIPS / mips: big-endian MIPS (little vs big endian?)
- Reference: Official Website
-
gdb ./<executable_program>
: The GNU Project Debugger.- Install:
sudo apt-get update
thensudo apt-get install gdb
. - Common commands in the gdb console:
r
: run the program until next breakpoint or errorc
: continue running the programf
: run the program until current function is finisheds
: step to the next line of the programn
: step to the next line of the program, but does not step into functionsb main
: set breakpoint at the main functiond
: delete all breakpointsjump *main+135
: jump to the address of the main function address with offset 135p/x $rax
: print the rax register in hexp/d <variable>
: print the variable as signed integerx/wx $esp
: print the memory address of the register esp in hex formatset $esi = 0x1
: set value of the registervmmap
: print out the memory address mapping to libraries and also the rwx (read, write, execute) permissions.q
: quit gdb
- Tips: Keep an eye on the
cmp
(compare) statement when looking at the assembly code because usually if you can pass the compare statement, you can guess the correct input of the program.- To bypass
cmp
statements, you can either modify the register value to the desired one or jump to the next memory address right after thecmp
statement.
- To bypass
- Reference: Official Website
- Install:
-
nc <ip> <port>
: Connect to remote server- nc stands for Netcat
- Use
ncat -vc $binary -kl $ip $port
to host the binary file on a remote server.
-
checksec ./<executable_binary>
: Check the security properties of a program- Properties checked:
Arch
: The architecture of the program.- For example,
amd64-64-little
means AMD64 architecture that uses little endian.
- For example,
RELRO
: Is partial or full binary sections read-only?- RELRO: Relocation Read-Only
- If full, "GOT(Global Offset Table) overwrite" attack is not possible.
STACK
: Does stack canary exist?- It is a technique to detect stack overflow by placing a number (named canary) before the stack return pointer, and check if the value has been changed.
- Reference: CTF Wiki
NX
: Is NX protection enabled?- NX: No eXecute
- If yes, we cannot use stack overflow to execute our customized shellcodes.
PIE
: Prevents attackers by randomizing the memory address of the executable.- PIE: Position Independent Executable
- If enabled, we won't know the memory address until we run the program. Solution: Disable ASLR (Address Space Layout Randomization) on our OS to let the addresses remain the same.
- How to disable ASLR on Linux: StackOverflow
- Reference: GitHub
- Properties checked:
-
r2 ./<executable_binary>
: For reverse engineering and binary analysis.- r2 is short for Radare2
- Install & usage tutorial: frozenkp's Blog
- Common commands in the r2 console:
aa
: analyze all, usually we type this every time at startafl
: list all functions (analyze function list)s main
: move to main functions <memory_address>
: move to memory addressV
: switch from console to hex viewVV
: switch from console to visual mode (assembly code & graph): some_command
: enter commands in visual modeq
: return to the previous mode / quit
-
gcc test.c -fno-stack-protector -o test
: Compile C code to executable with disabled canary protection- By disabling canary protection, the program is subjected to BOF (Buffer Overflow) attack.
- Usually, if you see
Segmentation fault
after a very long input, it has BOF vulnerability.
-
file <filename>
: Prints out the type of the file.- Useful when you are not sure about the file type. For instance, an image file without a .jpg.
-
openssl rsa -pubin -in <path_to_public_key> -text -noout
: Find modulus from a RSA public key-pubin
: read the public key instead of private key (private key is read by default if not specified)-in
: specify the input file-text
: print the public / private key in plaintext-noout
: prevent printing the encoded version of the key- Reference: OpenSSL GitHub, OpenSSL RSA doc
-
nmap <ip_address>
: Scan ports of an IP address- You can see the protocol used of each port, whether the port is open or close, and the service of each port.
nmap -sU <ip_address> -p68
: UDP scan for port 68- Reference: official website, nmap options doc
-
theHarvester -d ntu.edu.tw -l 50 -b google
: Use open source intelligence (OSINT) to collect information of a specific domain-d
: domain to search-l
: limit the search result to this number-b
: data source (google, bing, linkedin, twitter, yahoo, etc)- GitHub
- Already installed in Kali Linux
-
wget -O 'name_of_file' <download_url>
: Download files with customized nameswget -r <website_url>
: Download the entire source code of the website
-
unzip -P <pwd> <filename>
: Unzip zip files with password -
arp -a
: Show all IP addresses connected to the same network -
net user /domain
: Show all usernames in the current domainnet groups /domain
: show all groups under current domainnet groups "<name_to_search>" /domain
: search for specific group name, for example:net groups "Domain Admins" /domain
-
nslookup <domain_name>
: See IP address of the domain -
whoami
: Find out which user you are currently logged inwhoami /priv
: see all privileges information and whether each of them is enabled or not
-
echo `nproc`
: See the number of CPU cores -
python GitHack.py http://your_url.git/
git clone https://github.com/lijiejie/GitHack.git
to download the scriptcd GitHack/
view-source:<your_url>
: View source code of a website"><svg/onload=alert(1)>
: [XSS] Popup Alert Basic"><iframe srcdoc="%3Csvg%2F%26%23x6f%3Bnload%3Dalert%281%29%3E"><"
: [XSS] Popup Alert Advancedsrcdoc
specifies the HTML content in iframe- insert
<svg/onload=alert(1)>
but found thato
will be replaced - change
o
too
with thehex(ord('o'))
Python command - url encode
<svg/onload=alert(1)>
at URLEncoder
<a href="your_url" target="<script>alert(1)</script>">click</a>
: [XSS] When thename
variable is in the html content- the value of the target attribute will be stored at
window.name
or thename
variable.
- the value of the target attribute will be stored at
- dirsearch: A CLI to brute force directories and files in websites.
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>
- Pwn: Compromise a program by gaining ownership of it.
- Follow installation steps on Pwntools GitHub
- In most cases, the flag can be found in the interactive console by
ls
and thencat flag.txt
. - Example:
from pwn import *
# remember to change the values here
HOST = "<ip.address>"
PORT = <port_number>
# connect to the remote server and define our value to send
r = remote(HOST, PORT)
# For reading local binaries:
# r = process('./<executable_binary>')
something_to_send = 0xfaceb00c
# Usually there is a newline before the user input, so receive until '\n'
r.recvuntil('\n')
# stop and listen to user input in the console, press enter to continue
raw_input()
r.sendline(p32(something_to_send))
# use r.send() to send without a new line
# use p32 to encode the hex value as 32-bit char and p64 for 64-bit char
# enter the interactive console
r.interactive()
- Angr: A collection of binary analysis tools
- Install doc
- Symbolic Execution example:
- Symbolic execution can be used to find the input that can reach our desired program state (wiki).
import angr
import claripy # Angr's constraint solver engine
# replace this with the binary you want to analyze
# disable auto_load_libs to improve performance
project = angr.Project("./<binary>", auto_load_libs=False)
# create a symbolic object with 25 bytes
# BV stands for BitVector (bit array)
argv1 = claripy.BVS("argv1", 25*8)
# specify the entry point of the program and our input parameter
initial_state = project.factory.entry_state(args=["./<binary>", argv1])
# generate a simulation manager object for solving our parameter later
sm = project.factory.simulation_manager(initial_state)
# symbolically execute until we find a state with address = find_addr
find_addr = 0x400602
sm.explore(find=find_addr)
# find the state that meets the above condition
found = sm.found[0]
# return the input value to get to this state and cast it to bytes
solution = found.solver.eval(argv1, cast_to=bytes)
# repr: returns a printable representation of the input object
print(repr(solution))
- Z3-solver: An efficient SMT solver
- Install via pip install
- SMT: satisfiability modulo theories (wiki)
- Documentation
- Example:
- Steps
- define the variables
- add constraints
- solve the equations
- Steps
from z3 import *
x = Int('x')
y = Int('y')
solve(x > 2, y < 10, x + 2*y == 7)
# output: [y = 0, x = 7]
from z3 import *
p = Bool('p')
q = Bool('q')
r = Bool('r')
solve(Implies(p, q), r == Not(q), Or(Not(p), r))
# output: [q = False, p = False, r = True]
# Implies: Logical Implication
from z3 import *
x, y, z = Reals('x y z') # real numbers
# add constraints
s = Solver()
s.add(x > 1, y > 1, x + y > 3, z - x < 10)
# check if the constraints can be satisfied (output: sat / unsat)
print(s.check())
# use model to specify multiple constraints and make each of them true
m = s.model()
# print the value of x
print("x = %s" % m[x])
# output: x = 3/2
- SymPy: For symbolic mathematics
- Install doc
- Example:
import sympy
# inverse function
def inv(x, m):
return sympy.invert(x, m)
print(inv(11, 26))
# output: 19
- Crypto.Util.number: Contains lots of utilities for numbers
- Example for solving RSA:
from Crypto.Util.number import inverse
p = <some_number>
q = <some_number>
e = <some_number>
c = <some_number>
n = p*q
phi = (p-1) * (q-1)
d = inverse(e, phi)
# c^d % n (c to the power of d, modulus n)
m = pow(c, d, n)
print(m)
- Install all modules
- requirements.txt:
pip3 install -r requirements.txt
(or pip install) - setup.py:
python3 setup.py install
- HexDecode: Convert hex to text
- URLDecoder: URL decode and encode
- FactorDB: Factorize any number
- XSS Cheat Sheet: Copy-and-paste cross-site scripting cheat sheet
- CMD5: Hash to plaintext using a large dictionary
- PortSwigger: Its web security lab covers topics across SQL injection, Cross-site scripting, Cross-site request forgery (CSRF), Cross-origin resource sharing (CORS), Server-side request forgery (SSRF), etc.
- OWASP Juice Shop: An insecure web application for you to attack! (reference solutions)
- MITRE ATT&CK Matrix: A list of attack techniques based on real world observations.
- Prompt.ml: A XSS practicing website. Solutions are available here.
- XS-Leaks: XS-leak example code, past exploits explanation, link to xs-leak wiki and related materials.
- Gophish: Phishing toolkit to launch and tracking phishing campaigns (official website).
- RDP: Remote Desktop Protocol
- IIS: Internet Information Services
- WAF: Web Application Firewall
- OT: Operation Technology
- AD: Active Directory
- LPE: Local Privilege Escalation
- RCE: Remote Code Execution
- SMB: Server Message Block
- LFI: Local File Inclusion
- SAM: Security Account Manager
- VNC: Virtual Network Computing
- OSINT: Open-source Intelligence
- ASHX: ASP.NET Web Handler File, file extension of an ASP.NET web app
- NTLM: New Technology LAN Manager, used by Windows to hash passwords (wiki)
- EDR: Endpoint Detection and Response
- IDS: Intrusion Detection System
- DC: Domain Controller (AD vs DC: AD is a type of domain, DC is an important server on that domain)
- APT: Advanced Persistent Threat, hackers gain unauthorized access to a computer network and remains undetected for an extended period (wiki).
- CVE: Common Vulnerabilities and Exposures
- PPA: Personal Package Archive
- Learned a lot from the course "EE5188 Practicum of Attacking and Defense of Network Security" at National Taiwan University & AIS3.
- Cute emojis from here! π