🌞 Awesome Security Tool List 🍀

This is a list of security tools & commands that I have used or recommend. I'm using Kali Linux VM with a Windows host computer. Welcome any contributions! 💪

& Wish you all good luck on your way of finding the hidden treasures. 😉

Author: Lee Ting Ting

Table of Contents

💎 Software Tools

💎 Common Commands & CLI

💎 Web Scripts

💎 Useful Python Libraries & Scripts

💎 Online Tools

💎 Learning / Practicing Websites

💎 Curated GitHub Repos / Toolkits

💎 Common Security Acronyms

💎 Special Thanks

🌞 Software Tools

1. Ghidra: Decompile binary files.
   • Satisfy the minimum requirements (Java 11 JDK) and download Ghidra from the above website.
   • After extracting the downloaded Ghidra package, open ghidraRun.bat to start.
   • Select New project > Import Files, then select your binary file to analyze.
   • In the Symbol Tree tab on the left, find and select main under Functions.
   • Then, select Windows > Decompile:main from the top menu to see readable code.
2. StegSolve: A java app that solves steganography by apply various filters.
   • Steganography is to conceal a message, image, or file within another message, image, or file.
   • Installation instruction is in the above link.
   • Reference: Wiki
3. Burp Suite Professional: A software that uses proxy (usually localhost:8080) to intercept HTTP requests.
   • You can edit and resend the intercepted HTTP requests.
   • The Community version is very slow.. don't use it. You should be able to find free professional licenses online:)
4. IDA Pro 32/64 bit: A software that generates assembly code from binary files.
   • Download IDA Pro 64-bit from the above link, and download IDA Pro 32-bit with pseudocode decompiler here.
   • Hotkeys:
     • F5: view pseudocode
     • tab: toggle between the disassembly code view and pseudocode view.
     • Shift+F12: view all strings in the program.
   • Note that 32-bit programs need to be opened with IDA Pro 32-bit, and vice versa.
   • Reference: IDA Pro Hotkey Cheatsheet
5. GIMP: The GNU Image Manipulation Platform
   • Install version 2.10.4 on Windows here (there is a known bug in the latest version by the time of writing)
   • GNU: A Unix-like operating system and a collection of free softwares. GNU means "GNU's Not Unix!" (wiki)
   • Can apply various filters to images for solving steganography problems

🌞 Common Commands & CLI

1. lsof -i -P -n | grep LISTEN: Show listening ports.

   • lsof: list open files and processes that opened them.
   • -i: list all network connections.
   • -P: list port number instead of port name.
   • -n: don't convert network number to hostname, this can make lsof run faster.
   • reference: manual

2. xdg-open .: Open current folder in GUI explorer.

   • This is useful for dragging and dropping files from Linux VM to host computer.
   • reference: StackExchange

3. kill $(lsof -t -i:8080): Kill any process listening on port 8080.

   • reference: StackOverflow

4. display <image_name>: Display image from terminal.

   • Make sure that imagemagick is installed before using this.
   • reference: StackExchange

5. nc -l -p 9000: Listen on port 9000

   • use nc <ip_address> 9000 to communicate with the host.

6. grep -rnw '/path/to/somewhere/' -e 'pattern': Find all files containing the pattern under the specified path.

   • -r: recursively search
   • -n: display the line number containing the pattern in the file.
   • -w: match the entire word of the pattern.
   • Reference: StackOverflow

7. strings <filename>: Print all strings in the file.

   • use strings <filename> | grep -E <some_regex> to find the strings that match the regular expression, FLAG{[a-zA-Z0-9_!@]+}, for example.
   • Test regular expressions online at https://regexr.com/.

8. strace <filename>: Print out system call details.

   • If not installed, run sudo apt-get install strace.
   • Use strace -s 50 <filename> to print out the strings with max length 50.
   • Reference: manual

9. objdump -M intel -d <filename> | less: Show the disassembled file.

   • -M intel: display the assembly in Intel syntax (see the differences between the default AT&T syntax and the Intel syntax in wiki).
   • -d: disassemble
   • -C: decode (demangle) low-level symbol names into readable names
   • The less command is for viewing the contents of the file, allow both forward and backward navigation. (The more command only allow forward navigation.)
   • Can also use grep to get specific data.
   • When using less to view the file, you can use /<anything_you_want_to_search> to search for specific strings. For example, use /main to locate the main function.
   • Reference: manual

10. binwalk -Mre <filename>: Firmware analysis & reverse engineering.

    • Follow the installation instructions here.

    • -M: recursively scan extracted files.

    • -r: delete carved file after extraction. (what is file carving?)

    • -e: extract known file types.

    • Reference: GitHub

11. qemu-mipsel <filename>: Execute MIPS programs on non-MIPS OS.

    • Installation instructions
    • If you run into "No such file or directory", run export QEMU_LD_PREFIX=<folder_location_of_the_missing_file> and retry the above command to help the program find your file.
    • QEMU: Quick EMUlator
    • mipsel: little-endian MIPS / mips: big-endian MIPS (little vs big endian?)
    • Reference: Official Website

12. gdb ./<executable_program>: The GNU Project Debugger.

    • Install: sudo apt-get update then sudo apt-get install gdb.
    • Common commands in the gdb console:
      • r: run the program until next breakpoint or error
      • c: continue running the program
      • f: run the program until current function is finished
      • s: step to the next line of the program n: step to the next line of the program, but does not step into functions
      • b main: set breakpoint at the main function
      • d: delete all breakpoints
      • jump *main+135: jump to the address of the main function address with offset 135
      • p/x $rax: print the rax register in hex
      • p/d <variable>: print the variable as signed integer
      • x/wx $esp: print the memory address of the register esp in hex format
      • set $esi = 0x1: set value of the register
      • vmmap: print out the memory address mapping to libraries and also the rwx (read, write, execute) permissions.
      • q: quit gdb
    • Tips: Keep an eye on the cmp (compare) statement when looking at the assembly code because usually if you can pass the compare statement, you can guess the correct input of the program.
      • To bypass cmp statements, you can either modify the register value to the desired one or jump to the next memory address right after the cmp statement.
    • Reference: Official Website

13. nc <ip> <port>: Connect to remote server

    • nc stands for Netcat
    • Use ncat -vc $binary -kl $ip $port to host the binary file on a remote server.

14. checksec ./<executable_binary>: Check the security properties of a program

    • Properties checked:
      • Arch: The architecture of the program.
        • For example, amd64-64-little means AMD64 architecture that uses little endian.
      • RELRO: Is partial or full binary sections read-only?
        • RELRO: Relocation Read-Only
        • If full, "GOT(Global Offset Table) overwrite" attack is not possible.
      • STACK: Does stack canary exist?
        • It is a technique to detect stack overflow by placing a number (named canary) before the stack return pointer, and check if the value has been changed.
        • Reference: CTF Wiki
      • NX: Is NX protection enabled?
        • NX: No eXecute
        • If yes, we cannot use stack overflow to execute our customized shellcodes.
      • PIE: Prevents attackers by randomizing the memory address of the executable.
        • PIE: Position Independent Executable
        • If enabled, we won't know the memory address until we run the program. Solution: Disable ASLR (Address Space Layout Randomization) on our OS to let the addresses remain the same.
        • How to disable ASLR on Linux: StackOverflow
    • Reference: GitHub

15. r2 ./<executable_binary>: For reverse engineering and binary analysis.

    • r2 is short for Radare2
    • Install & usage tutorial: frozenkp's Blog
    • Common commands in the r2 console:
      • aa: analyze all, usually we type this every time at start
      • afl: list all functions (analyze function list)
      • s main: move to main function
      • s <memory_address>: move to memory address
      • V: switch from console to hex view
      • VV: switch from console to visual mode (assembly code & graph)
      • : some_command: enter commands in visual mode
      • q: return to the previous mode / quit

16. gcc test.c -fno-stack-protector -o test: Compile C code to executable with disabled canary protection

    • By disabling canary protection, the program is subjected to BOF (Buffer Overflow) attack.
    • Usually, if you see Segmentation fault after a very long input, it has BOF vulnerability.

17. file <filename>: Prints out the type of the file.

    • Useful when you are not sure about the file type. For instance, an image file without a .jpg.

18. openssl rsa -pubin -in <path_to_public_key> -text -noout: Find modulus from a RSA public key

    • -pubin: read the public key instead of private key (private key is read by default if not specified)
    • -in: specify the input file
    • -text: print the public / private key in plaintext
    • -noout: prevent printing the encoded version of the key
    • Reference: OpenSSL GitHub, OpenSSL RSA doc

19. nmap <ip_address>: Scan ports of an IP address

    • You can see the protocol used of each port, whether the port is open or close, and the service of each port.
    • nmap -sU <ip_address> -p68: UDP scan for port 68
    • Reference: official website, nmap options doc

20. theHarvester -d ntu.edu.tw -l 50 -b google: Use open source intelligence (OSINT) to collect information of a specific domain

    • -d: domain to search
    • -l: limit the search result to this number
    • -b: data source (google, bing, linkedin, twitter, yahoo, etc)
    • GitHub
    • Already installed in Kali Linux

21. wget -O 'name_of_file' <download_url>: Download files with customized names

    • wget -r <website_url>: Download the entire source code of the website

22. unzip -P <pwd> <filename>: Unzip zip files with password

23. arp -a: Show all IP addresses connected to the same network

24. net user /domain: Show all usernames in the current domain

    • net groups /domain: show all groups under current domain
    • net groups "<name_to_search>" /domain: search for specific group name, for example: net groups "Domain Admins" /domain

25. nslookup <domain_name>: See IP address of the domain

26. whoami: Find out which user you are currently logged in

    • whoami /priv: see all privileges information and whether each of them is enabled or not

27. echo `nproc` : See the number of CPU cores

28. python GitHack.py http://your_url.git/

    • git clone https://github.com/lijiejie/GitHack.git to download the script
    • cd GitHack/

🌞 Web Scripts

1. view-source:<your_url>: View source code of a website
2. "><svg/onload=alert(1)>: [XSS] Popup Alert Basic
3. "><iframe srcdoc="%3Csvg%2F%26%23x6f%3Bnload%3Dalert%281%29%3E"><": [XSS] Popup Alert Advanced
   • srcdoc specifies the HTML content in iframe
   • insert <svg/onload=alert(1)> but found that o will be replaced
   • change o to o with the hex(ord('o')) Python command
   • url encode <svg/&#x6f;nload=alert(1)> at URLEncoder
4. <a href="your_url" target="<script>alert(1)</script>">click</a>: [XSS] When the name variable is in the html content
   • the value of the target attribute will be stored at window.name or the name variable.

🌞 Useful Python Libraries & Scripts

1. dirsearch: A CLI to brute force directories and files in websites.

git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
python3 dirsearch.py -u <URL> -e <EXTENSION>

2. Pwn: Compromise a program by gaining ownership of it.

• Follow installation steps on Pwntools GitHub
• In most cases, the flag can be found in the interactive console by ls and then cat flag.txt.
• Example:

from pwn import *

# remember to change the values here
HOST = "<ip.address>"
PORT = <port_number>

# connect to the remote server and define our value to send
r = remote(HOST, PORT)
# For reading local binaries:
# r = process('./<executable_binary>')

something_to_send = 0xfaceb00c

# Usually there is a newline before the user input, so receive until '\n'
r.recvuntil('\n')

# stop and listen to user input in the console, press enter to continue
raw_input()

r.sendline(p32(something_to_send))
# use r.send() to send without a new line
# use p32 to encode the hex value as 32-bit char and p64 for 64-bit char

# enter the interactive console
r.interactive()

3. Angr: A collection of binary analysis tools

• Install doc
• Symbolic Execution example:
  • Symbolic execution can be used to find the input that can reach our desired program state (wiki).

import angr
import claripy # Angr's constraint solver engine

# replace this with the binary you want to analyze
# disable auto_load_libs to improve performance
project = angr.Project("./<binary>", auto_load_libs=False)

# create a symbolic object with 25 bytes
# BV stands for BitVector (bit array)
argv1 = claripy.BVS("argv1", 25*8)

# specify the entry point of the program and our input parameter
initial_state = project.factory.entry_state(args=["./<binary>", argv1])

# generate a simulation manager object for solving our parameter later
sm = project.factory.simulation_manager(initial_state)

# symbolically execute until we find a state with address = find_addr
find_addr = 0x400602
sm.explore(find=find_addr)

# find the state that meets the above condition
found = sm.found[0]

# return the input value to get to this state and cast it to bytes
solution = found.solver.eval(argv1, cast_to=bytes)

# repr: returns a printable representation of the input object
print(repr(solution))

4. Z3-solver: An efficient SMT solver

• Install via pip install
• SMT: satisfiability modulo theories (wiki)
• Documentation
• Example:
  • Steps
    1. define the variables
    2. add constraints
    3. solve the equations

from z3 import *

x = Int('x')
y = Int('y')

solve(x > 2, y < 10, x + 2*y == 7)
# output: [y = 0, x = 7]

from z3 import *

p = Bool('p')
q = Bool('q')
r = Bool('r')

solve(Implies(p, q), r == Not(q), Or(Not(p), r))
# output: [q = False, p = False, r = True]
# Implies: Logical Implication

from z3 import *

x, y, z = Reals('x y z') # real numbers

# add constraints
s = Solver()
s.add(x > 1, y > 1, x + y > 3, z - x < 10)

# check if the constraints can be satisfied (output: sat / unsat)
print(s.check())

# use model to specify multiple constraints and make each of them true
m = s.model()

# print the value of x
print("x = %s" % m[x])
# output: x = 3/2

5. SymPy: For symbolic mathematics

• Install doc
• Example:

import sympy

# inverse function
def inv(x, m):
   return sympy.invert(x, m)

print(inv(11, 26))
# output: 19

6. Crypto.Util.number: Contains lots of utilities for numbers

• Example for solving RSA:

from Crypto.Util.number import inverse

p =  <some_number>
q =  <some_number>
e =  <some_number>
c =  <some_number>
n = p*q

phi = (p-1) * (q-1)
d = inverse(e, phi)

# c^d % n (c to the power of d, modulus n)
m = pow(c, d, n)

print(m)

7. Install all modules

• requirements.txt: pip3 install -r requirements.txt (or pip install)
• setup.py: python3 setup.py install

🌞 Online Tools

1. HexDecode: Convert hex to text
2. URLDecoder: URL decode and encode
3. FactorDB: Factorize any number
4. XSS Cheat Sheet: Copy-and-paste cross-site scripting cheat sheet
5. CMD5: Hash to plaintext using a large dictionary

🌞 Learning / Practicing Websites

1. PortSwigger: Its web security lab covers topics across SQL injection, Cross-site scripting, Cross-site request forgery (CSRF), Cross-origin resource sharing (CORS), Server-side request forgery (SSRF), etc.
2. OWASP Juice Shop: An insecure web application for you to attack! (reference solutions)
3. MITRE ATT&CK Matrix: A list of attack techniques based on real world observations.
4. Prompt.ml: A XSS practicing website. Solutions are available here.

🌞 Curated GitHub Repos / Toolkits

1. XS-Leaks: XS-leak example code, past exploits explanation, link to xs-leak wiki and related materials.
2. Gophish: Phishing toolkit to launch and tracking phishing campaigns (official website).

🌞 Common Security Acronyms

1. RDP: Remote Desktop Protocol
2. IIS: Internet Information Services
3. WAF: Web Application Firewall
4. OT: Operation Technology
5. AD: Active Directory
6. LPE: Local Privilege Escalation
7. RCE: Remote Code Execution
8. SMB: Server Message Block
9. LFI: Local File Inclusion
10. SAM: Security Account Manager
11. VNC: Virtual Network Computing
12. OSINT: Open-source Intelligence
13. ASHX: ASP.NET Web Handler File, file extension of an ASP.NET web app
14. NTLM: New Technology LAN Manager, used by Windows to hash passwords (wiki)
15. EDR: Endpoint Detection and Response
16. IDS: Intrusion Detection System
17. DC: Domain Controller (AD vs DC: AD is a type of domain, DC is an important server on that domain)
18. APT: Advanced Persistent Threat, hackers gain unauthorized access to a computer network and remains undetected for an extended period (wiki).
19. CVE: Common Vulnerabilities and Exposures
20. PPA: Personal Package Archive

🌞 Special Thanks

• Learned a lot from the course "EE5188 Practicum of Attacking and Defense of Network Security" at National Taiwan University & AIS3.
• Cute emojis from here! 😊