Tools for CTF

Below you will find a list of tools I frequently use(d) during CTFs, including links to specific tools described in the walkthroughs.

ADsecurity.org

Amazing site on all things related to Active Directory security (or lack thereof).

http://adsecurity.org/

Autorecon

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. It is intended as a time-saving tool for use in CTFs and other penetration testing environments (e.g. OSCP). It may also be useful in real-world engagements.

The tool works by firstly performing port scans / service detection scans. From those initial results, the tool will launch further enumeration scans of those services using a number of different tools. For example, if HTTP is found, nikto will be launched (as well as many others).

Everything in the tool is highly configurable. The default configuration performs no automated exploitation to keep the tool in line with OSCP exam rules. If you wish to add automatic exploit tools to the configuration, you do so at your own risk. The author will not be held responsible for negative actions that result from the misuse of this tool.

https://github.com/Tib3rius/AutoRecon

Awesome CTF Page

A curated list of Capture The Flag (CTF) frameworks, libraries, resources, software and tutorials. This list aims to help starters as well as seasoned CTF players to find everything related to CTFs in one place.

https://github.com/apsdehal/awesome-ctf

Awesome list Windows Server Hardening

Overview of what you can do to harden Windows servers (especially domain controllers) and how to attack them.

https://github.com/PaulSec/awesome-windows-domain-hardening

Bloodhound

BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.

https://github.com/BloodHoundAD/BloodHound

A good walkthrough and data set can be found at https://insinuator.net/2018/11/the-dog-whisperers-handbook/

Cherrytree

If you want to have great CTFs, taking notes is of the essence. It allows you to capture what you have found and prevents you from trying the same technique or commands twice. My favorite note taker is Cherrytree. It can act as a no-nonsense text editor or as a full-blown word processor.

https://www.giuspen.com/cherrytree/

Crackstation

CrackStation uses massive pre-computed lookup tables to crack password hashes. These tables store a mapping between the hash of a password, and the correct password for that hash. The hash values are indexed so that it is possible to quickly search the database for a given hash. If the hash is present in the database, the password can be recovered in a fraction of a second.

https://crackstation.net/

Cyberchef – A Cyber Swiss Army Knife

Need to do 13 iterations of Base64 encoding? Need something encrypted with AES? Build a decrypt recipe? CyberChef has your back.

CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.

The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms.

https://gchq.github.io/CyberChef/

ExploitDB

Great resource for finding exploits, especially proof-of-concept (PoC) ones.

The Exploit Database is maintained by Offensive Security, an information security training company that provides various Information Security Certifications as well as high end penetration testing services. The Exploit Database is a non-profit project that is provided as a public service by Offensive Security.

Kali has an offline version of ExploitDB available by default, which you can use by running: searchsploit

The offline version is updated every Wednesday.

https://www.exploit-db.com/

Fuzzysecurity Windows Privilege Escalation Tutorials

Great source for Windows privilege escalation, including interactive tutorials.

https://www.fuzzysecurity.com/tutorials/16.html

Fimap

fimap is a little Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection.

https://github.com/kurobeats/fimap

g0tmi1k Linux Basic Enumeration & Privilege Escalation guides

With every CTF you will play, enumeration is key. Enumeration is a fancy term for exploring and poking around the system. Which user am I logged on as? What privileges do I have as that user? What files are on the machine? What services are running? Who is the owner of those services? And so on. g0tmi1k made an extensive list of things to check on Linux systems. If you get stuck, check whether you did all of these steps. g0tmi1k also created Vulnhub, which can be found under CTF sites.

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Google Hacking Database

Search the Google Hacking Database or browse the GHDB categories.

https://www.exploit-db.com/google-hacking-database/

Hashkiller

HashKiller’s purpose is to serve as a meeting place for computer hobbyists, security researchers and penetration testers. It serves as a central location to promote greater security on the internet by demonstrating the weakness of using weak hash based storage / authentication.

https://hashkiller.co.uk/

HighOn.Coffee Penetration Testing Cheat Sheet

Still my go-to cheat sheet when I am stuck on a machine. He has several others as well that are awesome.

https://highon.coffee/blog/penetration-testing-tools-cheat-sheet/

HighOn.Coffee Reverse Shell Cheat Sheet

Same author as above; this one is my go-to cheat sheet for reverse shells when I am stuck on a machine.

https://highon.coffee/blog/reverse-shell-cheat-sheet/

Impacket

Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB1-3 and MSRPC), the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.

https://github.com/CoreSecurity/impacket

IppSec’s YouTube Channel

This guy makes the most informative and complete videos for a large number of CTFs. I definitely recommend looking at some of his work, since you will always learn something!

https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA

Kerberoasting

Tim Medin presented at DerbyCon 2014, where he released a tool he called Kerberoast which cracks Kerberos TGS tickets. He determined that possession of a TGS service ticket encrypted with RC4 provides the opportunity to take the ticket to a password cracking computer (or cloud system) and attempt to crack the service account’s password. How does this work? Since the TGS Kerberos ticket is encrypted with RC4 encryption, the service account’s password hash is used to encrypt the ticket. The cracking system only needs a dictionary list of words and common passwords, which it loops through, converts to NTLM, and attempts to open the TGS ticket with. If the TGS ticket is opened, we know the clear-text password and the NTLM password hash for the account.

More on ADsecurity.org

Great how-to: https://www.blackhillsinfosec.com/a-toast-to-kerberoast/

Initial presentation: https://files.sans.org/summit/hackfest2014/PDFs/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin(1).pdf

LinEnum

Awesome work by rebootuser. This script gives you all the info you need to do local enumeration. It should be a staple in every CTF you do.

https://github.com/rebootuser/LinEnum

Linux Exploit Suggester

Often leads to nothing, but good to run nonetheless.

Next-generation exploit suggester based on Linux_Exploit_Suggester.

Key Improvements Include:

  • More exploits! (Last updated: April 15, 2018)
  • Accurate wildcard matching. This expands the scope of searchable exploits.
  • Output colorization for easy viewing.
  • And more to come!

https://github.com/jondonas/linux-exploit-suggester-2

linuxprivchecker.py

This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.

https://gist.github.com/sh1n0b1/e2e1a5f63fbec3706123

Metasploit Unleashed

Metasploit is the world’s most used penetration testing software. It comes standard with most pentesting OSes, such as ParrotOS or Kali. The Unleashed guide gives you a quick start on how to use it.

https://www.offensive-security.com/metasploit-unleashed/

Meterpreter Privilege Escalation Guide

Setup guide made by Offensive Security, creators of Meterpreter and Metasploit. It gives insight into how to escalate privileges when you’ve got a nice Meterpreter shell.

https://www.offensive-security.com/metasploit-unleashed/privilege-escalation/

Mimikatz

mimikatz is a tool I’ve made to learn C and make some experiments with Windows security.

It’s well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory.
mimikatz can also perform pass-the-hash, pass-the-ticket, build Golden tickets, play with certificates or private keys, vault, … maybe make coffee?

https://github.com/gentilkiwi/mimikatz

MITM6

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker’s host as default DNS server. As DNS server, mitm6 will selectively reply to DNS queries of the attacker’s choosing and redirect the victims’ traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see our blog about mitm6. mitm6 is designed to work together with ntlmrelayx from Impacket for WPAD spoofing and credential relaying.

https://github.com/fox-it/mitm6

MSFVenom

MSFVenom is part of the Metasploit toolset. MSFVenom allows you to generate your own custom payloads. You can incorporate either exploits from the Metasploit universe, ExploitDB or just add your own.

https://www.offensive-security.com/metasploit-unleashed/msfvenom/

Netcat for Windows

Reads and writes TCP and UDP packets; useful for creating reverse shells and transferring files on Windows machines, since they often don’t allow Meterpreter.

https://joncraton.org/blog/46/netcat-for-windows/

Nmap discovery scripts

Default scripts used by Nmap to retrieve information.

https://nmap.org/nsedoc/categories/discovery.html

Nmap exploit scripts

Default scripts used by Nmap to exploit identified services.

https://nmap.org/nsedoc/categories/exploit.html

Nmap Vuln scanning

Default vulnerability scanning options in Nmap.

https://nmap.org/nsedoc/categories/vuln.html

NodeJS security course

Great resource for Node.js reverse shells. Includes a ready-to-go reverse shell generator.

https://github.com/ajinabraham/Node.Js-Security-Course

OSCP Survival guide by lduck11007

Awesome summary of techniques often used while doing the OSCP exam. Lots of these tools are also found on this page.

https://github.com/lduck11007/OSCP-survival-guide

Payload all the things

A list of useful payloads and bypasses for Web Application Security.

https://github.com/swisskyrepo/PayloadsAllTheThings

Pentestmonkey Reverse Shell Cheat Sheet

Very nice overview of several reverse shells that you can use once you gain entry to a machine through an exploit.

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Powershell Empire

When you’re testing/attacking a Windows machine, sometimes PowerShell is all you need. Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.

https://github.com/EmpireProject/Empire

PowerSploit modules

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.

https://github.com/PowerShellMafia/PowerSploit

Reverse Engineering Malware 101 by Endgame Inc. (malwareunicorn)

Very down-to-earth 101 on how to look at malware: what it does, how to pull it apart, and how to make/prevent it.

https://securedorg.github.io/RE101/

Ropnop Cheat Sheet on upgrading simple shells

Sometimes it is not possible to get a full shell after the initial exploitation. Ropnop has a very nice and complete cheat sheet on how to upgrade your simple shell.

https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

SecLists

SecLists is the security tester’s companion. It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.

This project is maintained by Daniel Miessler and Jason Haddix.

https://github.com/danielmiessler/SecLists

ShellPop

Shellpop is all about popping shells. With this tool you can generate easy and sophisticated reverse or bind shell commands to help you during penetration tests.

https://github.com/0x00-0x00/shellpop

Sherlock PowerShell script

PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

https://github.com/rasta-mouse/Sherlock

SMBMap

SMBMap allows users to enumerate samba share drives across an entire domain. List share drives, drive permissions, share contents, upload/download functionality, file name auto-download pattern matching, and even execute remote commands. This tool was designed with pen testing in mind, and is intended to simplify searching for potentially sensitive data across large networks.

Some of the features have not been thoroughly tested, so changes will be forthcoming as bugs are found. I only really find and fix the bugs while I’m on engagements, so progress is a bit slow. Any feedback or bug reports would be appreciated. It’s definitely rough around the edges, but I’m just trying to pack in features at the moment. Version 2.0 should clean up the code a lot… whenever that actually happens ;). Thanks for checking it out!! Planned features include a simple remote shell (instead of the god-awful PowerShell script in the examples), actual logging, shadow copying ntds.dit automation (Win7 and up only… for now), threading, other things…

https://github.com/ShawnDEvans/smbmap

Sploitspren Windows Privilege Escalation Guide

Same as the g0tmi1k guide named above, but for Windows. Still a work in progress, but already quite good!

https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/

SSH to Meterpreter

If you’ve managed to obtain some SSH credentials and can SSH over to the target system, but want a Meterpreter shell, then use the following to upgrade your shell.

https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/

SSL analyzer (Qualys)

This free online service performs a deep analysis of the configuration of any SSL web server on the public Internet. Please note that the information you submit here is used only to provide you the service.

https://www.ssllabs.com/ssltest/analyze.html

SQLmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

https://github.com/sqlmapproject/sqlmap

Terminator

During a CTF, you will probably need to run several tools and commands at the same time. While screen can get you quite far, I prefer a multi-window terminal to do my business. I landed on Terminator for both its ease of use and its awesome name.

https://gnometerminator.blogspot.com/

tomcatWarDeployer

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy a JSP backdoor, as well as invoke it afterwards and provide a nice shell (either via web GUI, a listening port bound on the remote machine, or as a reverse TCP payload connecting back to the adversary).

In practice, it generates a JSP backdoor WAR package on-the-fly and deploys it at the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that the pentester provided (or custom ones; in the end, we all love tomcat:tomcat).

https://github.com/mgeeky/tomcatWarDeployer

Unicorn

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Usage is simple: just run Magic Unicorn (ensure Metasploit is installed and in the right path if using Metasploit methods) and Magic Unicorn will automatically generate a PowerShell command that you simply cut and paste into a command-line window or deliver through a payload delivery system. Unicorn supports your own shellcode, Cobalt Strike, and Metasploit.

https://github.com/trustedsec/unicorn

Veil-Framework

Veil-Evasion is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.

https://github.com/Veil-Framework/Veil-Evasion

Volatility

The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

https://github.com/volatilityfoundation/volatility

Windows / Linux Local Privilege Escalation Workshop

The workshop is based on an attack tree (found in the repository) which covers all known (at the time) attack vectors of local user privilege escalation on both Linux and Windows operating systems.

https://github.com/sagishahar/lpeworkshop

Windows Privilege Escalation Fundamentals (Fuzzy Security)

Very thorough, beginner-friendly explanation of how to start with Windows privilege escalation.

http://www.fuzzysecurity.com/tutorials/16.html