Skip to content

Latest commit

 

History

History
164 lines (138 loc) · 12.6 KB

README.md

File metadata and controls

164 lines (138 loc) · 12.6 KB
HuntKit

version license

What is this?   —   Instructions   —   Tools


What is this?

HuntKit is a collection of [penetration testing, bug bounty hunting, capture the flag, red teaming] tools in a single Docker image. Simply run the image and start using the tools.

Why?

I got sick of waiting for VitualBox to start, Kali to boot, then dealing with the slugish-ness of operating in a VM. I still use Kali for certain tasks. But for a quick nmap scan (for example), using this container is a lot quicker.

  • The tool run very quick (opposed to running inside a VM for example)
  • Simpler to keep the tools up to date
  • Disposable - Something broken? Simply prune and start again

Instructions

Run from DockerHub

docker run -it mcnamee/huntkit
Advanced usage
# Advanced:
# Line 2: maps ~/Loot to the Docker's /root/loot
# Line 3: Allows OpenVPN usage
# Line 4: Opens and maps port 4444 (for listeners such as Metasploit)
# Line 5: Sets the machine's hostname to huntkit
docker run -it \
  -v ~/Loot:/root/loot \
  --cap-add=NET_ADMIN --device=/dev/net/tun \
  -p 4444:4444 \
  -h huntkit \
  mcnamee/huntkit
(Update) Pull the latest from Docker Hub
docker pull mcnamee/huntkit
Build it yourself
# 1. Clone the repo
git clone https://github.com/mcnamee/huntkit.git && cd huntkit

# 2. Build the image
docker build . -t mcnamee/huntkit

asciicast

Tools

Recon

Tool Description & Example
amass Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
amass enum -v -src -ip -brute -min-for-recursive 2 -d kali.org
brutespray Service scanner by bruteforcing.
brutespray --file nmap.gnmap
cloudflair CloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should.
export CENSYS_API_ID=... && export CENSYS_API_SECRET=...
cloudflair resound.ly
commix Command injection exploiter - used to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.
commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3
dalfox XSS Scanning and Parameter Analysis tool.
dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123 -b https://hahwul.xss.ht
dirb Looks for existing (and/or hidden) Web Objects, by launching a dictionary based attack against a web server and analyzing the response.
dirb https://kali.org $WORDLISTS/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
dnmasscan dnmasscan is a bash script to automate resolving a file of domain names and subsequentlly scanning them using masscan.
dnmasscan listofdomains.txt dns.log -p80,443 - oG masscan.log
dnsx Allows you to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers.
cat domains.txt | dnsx
ffuf A fast web fuzzer.
- ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401
gau getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain.
- gau example.com
httpx Take a list of domains and probe for working http and https servers.
cat domains.txt | httpx
linkfinder Discover endpoints and their parameters in JavaScript files.
linkfinder -i https://example.com -d -o cli
masscan An Internet-scale port scanner.
masscan -p1-65535 -iL listofips.txt --max-rate 1800 -oG masscan.log
meg A tool for fetching lots of URLs but still being 'nice' to servers.
meg paths.txt hosts.txt
nikto Web server scanner which performs comprehensive tests against web servers for multiple items (dangerous files, outdated dependencies...).
nikto -host=https://kali.org
nmap A utility for network discovery and security auditing.
nmap -sV 192.168.0.1
nuclei Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use..
nuclei -l urls.txt -t $ADDONS/nuclei/ADDONS/nuclei/technologies/ -o ~/projects/results.txt
pagodo Passive Google dork script to collect potentially vulnerable web pages and applications on the Internet..
pagodo -d $DOMAIN -g dorks/sensitive_directories.dorks -l 100 -s -e 35.0 -j 1.1
recon-ng Web-based open source reconnaissance framework.
recon-ng
sherlock Hunt down social media accounts by username across social networks.
sherlock user1 user2 user3
subfinder Subdomain discovery tool to find valid subdomains for websites by using passive online sources.
subfinder -d kali.org -v
subjs Fetches javascript files from a list of URLS or subdomains. Analyzing javascript files can help you find undocumented endpoints, secrets, and more.
cat urls.txt | subjs
sublist3r Enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and more.
sublist3r -d kali.org
sqlmap Automates the process of detecting and exploiting SQL injection flaws and taking over of database servers
sqlmap -u https://example.com --forms --crawl=10 --level=5 --risk=3
theharvester Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.
theharvester -d kali.org -b "bing, certspotter, dnsdumpster, dogpile, duckduckgo, google, hunter, linkedin, linkedin_links, twitter, yahoo"
wafw00f Web Application Firewall Fingerprinting Tool.
wafw00f resound.ly
whatweb Scans websites and highlights the CMS used, JavaScript libraries, web servers, version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
whatweb kali.org
wpscan WordPress Security Scanner.
wpscan --url kali.org
xsstrike Advanced XSS Detection Suite.
xsstrike -u="http://192.168.0.115" --data="query"

Exploitation

Tool Description & Example
breach-parse A tool for parsing breached passwords.
breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data"
crunch Wordlist generator where you can specify a standard character set or a character set you specify.
crunch 6 6 0123456789abcdef -o 6chars.txt
cupp Personal wordlist generator.
cupp -i
john John the Ripper is a fast password cracker.
zip2john filename.zip > hash.txt
john hash.txt
jwttool A toolkit for validating, forging and cracking JWTs (JSON Web Tokens).
jwttool eyJ0eXAiOiJ.eyJsb2dpbi.aqNCvShlN -A
metasploit A penetration testing platform that enables you to find, exploit, and validate vulnerabilities..
msfconsole
hydra hydra -f -l [email protected] -P $WORDLISTS/seclists/Passwords/darkweb2017-top1000.txt website.com http-post-form "/login:user=^USER^&pass=^PASS^:Failed"
netcat A networking utility which reads and writes data across network connections, using the TCP/IP protocol.
nc -nvlp 1234
searchsploit Searchable archive from The Exploit Database.
searchsploit oracle windows remote
setoolkit Social Engineering Toolkit.
setoolkit

Other

Tool Description
FTP Connect to an FTP server.
ftp ftp.google.com
Go The Go programming language
Interlace Easily turn single threaded command line applications into a fast, multi-threaded application.
interlace -tL targets.txt -threads 5 -c "gobuster dns -d _target_ -w wordlist.txt --noprogress --quiet >> _target_.txt" -v
NodeJS Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
Oh My Zsh Zsh is a framework for managing your zsh configuration, bundled with thousands of helpful functions, helpers, plugins, themes.
OpenVPN Connect to a VPN.
Add --cap-add=NET_ADMIN --device=/dev/net/tun to the docker run to use OpenVPN.
Perl Perl is a highly capable, feature-rich programming language with over 30 years of development.
PHP The PHP scripting language.
Proxychains Redirects connections through SOCKS4a/5 or HTTP proxies.
Python 3 The Python programming language
Ruby A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write.
smbclient smbclient \\192.168.0.45\Media
Tor Browse Privately.
tmux tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.
CNTR+b c Create window
CNTR+b n Switch to next window
unfurl Pull out bits of URLs provided on stdin.
cat urls.txt | unfurl --unique domains
zsh Zsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh.

Wordlists

  • Amass
  • Dirb
  • Kali's rockyou.txt
  • Metasploit
  • The Harvester
  • SecLists