# My Introductory Offensive Security Toolkit

### By: Elijah Flythe

##### LinkedIn - www.linkedin.com/in/emflythe03

---

## Whoami

My name is Elijah Flythe. I’m a college student with a passion for cybersecurity, and I am on my learning journey just like you; I actually started just over a year ago. Many people have the potential, curiosity, and desire to break into the field, but they often don’t know where to begin. This comprehensive guide is designed to provide the foundational knowledge needed for self-taught learning and to build a strong base for red team proficiency.

What sets you apart from your peers, and what stands between you and that internship or full-time role, is what you do when you get home. It’s the passion projects you build, the skills you develop, and your relentless love for learning. I am not going to spell absolutely everything out for you, but this will give you what you need to figure things out. Let’s get to it.

---

## 1. Terminology

### Basic Concepts

**Offensive Security:** Actively testing and attacking systems to find vulnerabilities before attackers do.

**Penetration Testing (Pentesting):** Simulating cyberattacks to identify and fix vulnerabilities before real attackers exploit them.

**Vulnerability:** A weakness in a system that attackers can exploit to gain unauthorized access or perform malicious actions.

**Exploit:** A method or code that takes advantage of a vulnerability to gain access or control.

**Payload:** Malicious code that runs on a target system after exploiting a vulnerability.

**Exploit Framework:** A collection of tools and scripts for finding and exploiting vulnerabilities.

**Zero-Day Vulnerability:** A software flaw that is unknown to the vendor and has no available patch.

**Post-Exploitation:** Activities performed after gaining access to a system, such as maintaining persistence or extracting valuable data.

**Persistence:** Techniques to maintain access to a compromised system even after reboots or patches.

**OSINT (Open Source Intelligence):** Collecting publicly available data (like social media profiles or online records) to gather information about a target.

**IoT (Internet of Things):** A network of connected devices like smart thermostats, security cameras, and wearable fitness trackers that collect and exchange data over the internet.

**Network:** A system where multiple devices (like computers, phones, or servers) are connected to each other to share data and resources. It can be a local network (like in a home or office) or a larger network like the internet.

**Vendor:** A company or individual that sells products or services, particularly in tech. For example, a software company that sells antivirus programs or a cloud provider that offers storage services is a vendor.

**Server:** A computer or system that provides services, like storing files, running websites, or managing emails, to other devices (called clients) over a network. Servers handle multiple requests at once and are usually more powerful than regular personal computers.

**Client-Side:** Operations or code that run on the user's device, like a computer or smartphone. In web development, client-side actions include things like rendering a webpage or running JavaScript in a browser.

**Server-Side:** Operations or code that run on a server. This includes tasks like processing data, managing databases, and handling requests from client devices. Server-side code often sends information back to the client, like when you log in or view a webpage.

### Tools and Frameworks

**Kali Linux:** A specialized Linux distribution designed for penetration testing and security research.

**Nmap:** A tool used to scan networks and discover open ports, services, and vulnerabilities.

**Metasploit:** A popular framework for finding and exploiting vulnerabilities, often described as a Swiss Army knife for hackers.

**SQLMap:** An automated tool for detecting and exploiting SQL injection vulnerabilities.

**Nikto:** A web server scanner that checks for outdated software and common vulnerabilities.

**ProxyChains:** A tool that routes your network traffic through multiple proxies to hide your identity.

**Tor:** A network that anonymizes your internet traffic by bouncing it through multiple nodes.

**HPing3:** A tool for sending custom network packets, often used in Denial of Service (DoS) attacks.

**Routersploit:** A toolkit designed for exploiting routers and IoT devices.

**Bettercap:** A tool for network listening and manipulation, such as ARP spoofing and packet sniffing.

### Techniques and Methods

**Reconnaissance:** Gathering information about a target system or network.

**Enumeration:** Collecting detailed information about a target system, such as users, groups, and services.

**Service Enumeration:** Identifying services running on open ports to understand the system’s configuration.

**Port Scanning:** Checking which network ports are open and listening on a target system.

**Credential Dumping:** Extracting stored usernames and passwords from a system.

**Privilege Escalation:** Gaining higher-level access within a system after initial entry.

**Brute-Force Attack:** Trying multiple combinations of usernames and passwords to gain access.

**Credential Stuffing:** Using stolen login credentials from one site to gain access to another.

**Exfiltration:** Extracting data from a compromised system.

**Command Injection:** Injecting malicious commands into a vulnerable application to execute code on the server.

**Packet Sniffing:** Capturing network traffic to analyze data packets and look for sensitive information.

**Reverse Engineering:** Analyzing a program’s binary code to understand how it works or find vulnerabilities.

### Exploitation and Attacks

**Reverse Shell:** Gaining remote command-line access to a compromised system.

**Denial of Service (DoS) Attack:** Overwhelming a system or service with traffic to make it unavailable.

**Remote Code Execution (RCE):** A vulnerability that allows attackers to execute arbitrary code on a remote system.

**Command and Control (C2):** A server that attackers use to remotely control infected systems.

**SQL Injection:** A code injection technique used to exploit vulnerabilities in SQL-based applications.

**Blind SQL Injection:** An attack where the database does not show errors, but attackers can infer data by sending specific queries.

**Time-Based SQL Injection:** An attack that uses time delays to detect vulnerabilities by observing response times.

**ARP Spoofing:** Tricking a network into thinking your device is another trusted device, allowing you to intercept traffic.

**DNS Spoofing:** Redirecting traffic from a legitimate site to a fake one by manipulating DNS responses.

### Useful Concepts

**Hash:** A fixed-length string that represents data, often used for securely storing passwords.

**Cracking:** Attempting to decode or break a hashed password to obtain the plaintext.

**Social Engineering:** Manipulating people into giving up confidential information, like passwords or access codes.

**The Cyber Kill Chain:** A model used to describe the stages of a cyberattack. It helps organizations understand the steps attackers typically take to infiltrate a system and how they can defend against each phase.

**APT (Advanced Persistent Threat):** A type of cyberattack where an attacker (or group) gains unauthorized access to a network and remains undetected for an extended period. The goal of an APT is typically espionage or data theft, rather than causing immediate damage. These attacks are often highly sophisticated, well-resourced, and target specific organizations or individuals, such as government agencies or large corporations.

**Threat Actors:** Individuals or groups responsible for carrying out cyberattacks.
These can be hackers, cybercriminals, state-sponsored actors, hacktivists, or insiders. Threat actors have varying motivations, such as financial gain, political goals, espionage, or simply causing disruption. Understanding threat actors helps organizations prepare defenses against the specific methods and goals of different attackers.

**Threat Surface:** The threat surface (also known as attack surface) refers to all the potential points of vulnerability in a system or network that could be exploited by attackers. This includes hardware, software, communication channels, users, and other entry points. The larger the attack surface, the more potential opportunities there are for an attacker to breach the system. Reducing the attack surface through proper security measures (like patching, firewalls, and access controls) helps minimize the risk of successful attacks.

**Zero Day:** A security vulnerability in software or hardware that is unknown to the vendor or developer, and therefore has not yet been patched or fixed. The term "zero-day" comes from the fact that the vulnerability has existed "for zero days" without a fix being released: the developers are unaware of it until it is discovered and exploited.

## 2. Setting Up Your Home Lab

A **home lab** for red teaming is a personal, controlled environment where cybersecurity enthusiasts and professionals practice offensive security techniques. It’s used to simulate real-world cyberattacks and test the security of systems and networks without impacting live environments. Having one of these will keep you out of jail :)

**Setting Up Kali Linux on VirtualBox - Quick Overview**

To set up Kali Linux on **VirtualBox**, start by downloading VirtualBox from the official website. This software lets you create and manage virtual machines on your computer.

Next, download the Kali Linux ISO from the Kali website, choosing the Installer (64-bit) version since it’s designed for penetration testing and comes preloaded with hacking tools. Open VirtualBox and create a new virtual machine, giving it around 2-4 GB of RAM and 20 GB of storage. Attach the Kali ISO to the virtual machine as a virtual CD/DVD, and then start the VM to begin the installation.

Follow the basic setup process by selecting your language, creating a username and password, and letting the installer automatically partition the disk. Make sure to install the GRUB bootloader when prompted.

Once the installation is complete, log in as root and update the system with:

`sudo apt update && sudo apt upgrade -y`

To improve performance and get a better screen resolution, install the VirtualBox Guest Additions with:

`sudo apt-get install -y virtualbox-guest-x11`

Then reboot the system. Your Kali Linux VM is now ready for red teaming practice!!!

> #### Wait, But What Is Kali?

Kali Linux is a specialized operating system designed for cybersecurity tasks like penetration testing, ethical hacking, and digital forensics. It’s built on Debian and comes preloaded with hundreds of powerful tools for testing the security of systems, networks, and applications.

The reason Kali Linux is so useful for red teaming is that it consolidates all the essential hacking tools into one place. Instead of installing each tool manually on a regular operating system, Kali has everything ready to go right after installation. This makes it super efficient for conducting simulated attacks, vulnerability assessments, and exploit testing.

Kali is also highly customizable and works well in both virtual machines and physical installations, so you can set up controlled environments to practice without affecting real systems. It’s maintained by Offensive Security, so the tools and features stay up to date with the latest security trends and exploits.

In short, Kali Linux is the go-to platform for red teamers because it’s purpose-built for hacking and security testing, with all the necessary tools in one package.

Since your Kali will be running in VirtualBox, it is assigned its own IP address, which identifies it as its own device on the network. This is valuable because it allows you to simulate attacks on your host device for proof of concept!

## 3. Cyber Kill Chain: Understanding the Process

**Reconnaissance (Information Gathering)**

This is the initial phase where the attacker gathers intelligence about the target to identify potential entry points. This phase can be passive (observing from a distance) or active (interacting with the target system to gather information). Some techniques used are:

- **OSINT (Open-Source Intelligence):** Attackers leverage publicly available information from social media, company websites, job postings, WHOIS records, and data breaches.
- **Network Scanning:** Tools like Nmap help identify live hosts, open ports, and running services.
- **Social Engineering:** Phishing, pretexting, baiting, and other manipulative tactics are used to extract information from employees or users.
- **Google Dorking:** Special Google search queries help uncover exposed files, misconfigured servers, or hidden vulnerabilities.

**Example Attack:**

- An attacker uses Shodan to find internet-exposed devices with known vulnerabilities, then searches LinkedIn for employees who might have access to those systems.

**Weaponization (Preparing the Attack)**

After gathering enough information, the attacker builds an exploit or payload to take advantage of discovered vulnerabilities. Some techniques used are:

- **Custom Malware Development:** Attackers use tools like Metasploit, MSFVenom, or Cobalt Strike to craft malware or exploit payloads.
- **Macro-Based Payloads:** Attackers embed malicious scripts in documents (Word, Excel, PDFs) that execute upon opening.
- **Exploit Kits:** Automated tools that detect and exploit vulnerabilities in software and web applications.

**Example Attack:**

- A hacker creates a malicious Excel spreadsheet with a VBA macro that, when enabled, downloads and runs a remote access trojan (RAT) on the victim’s machine.

**Delivery (Transmitting the Exploit)**

The attacker delivers the weaponized payload to the target through various methods. Some techniques used are:

- **Phishing Emails:** Sending deceptive emails containing malicious links or attachments.
- **Drive-By Downloads:** Placing malware on compromised or malicious websites that exploit browser vulnerabilities.
- **Watering Hole Attacks:** Compromising a frequently visited website to infect its visitors.
- **USB Drops:** Leaving infected USB drives in public places, hoping a curious person plugs one into their computer.

**Example Attack:**

- An attacker sends a phishing email disguised as a job offer with a fake PDF attachment that exploits an Adobe Reader vulnerability to execute a reverse shell.

**Exploitation (Gaining Initial Access)**

Once the malicious payload is delivered, the attacker executes it to compromise the target system. Some techniques used are:

- **Exploiting Unpatched Vulnerabilities:** Using known software vulnerabilities to gain unauthorized access.
- **Credential Stuffing & Brute-Forcing:** Using stolen or weak passwords to gain entry.
- **Privilege Escalation:** Exploiting weak permissions to gain higher-level access.

**Example Attack:**

- The attacker exploits a remote code execution (RCE) vulnerability in an unpatched web server to deploy a backdoor shell.

**Installation (Establishing Persistence)**

The attacker installs backdoors, rootkits, or malware to maintain access to the compromised system. Some techniques used are:

- **Rootkits & Trojans:** These tools help attackers hide their presence and maintain control.
- **Scheduled Tasks & Registry Modifications:** Attackers create persistent processes that execute on reboot.
- **Living Off the Land (LOL) Attacks:** Using built-in system tools like PowerShell, WMI, and Task Scheduler to avoid detection.

**Example Attack:**

- The attacker creates a registry key to execute a malicious PowerShell script every time the user logs in.

**Command and Control (C2) Communication**

The attacker establishes a communication channel with the compromised system to issue commands, move laterally, and exfiltrate data. Some techniques used are:

- **C2 Frameworks:** Tools like Cobalt Strike, Empire, and Metasploit provide remote access.
- **DNS Tunneling & Covert Channels:** Hiding malicious traffic inside normal network traffic.
- **Encrypted Communications:** Using HTTPS, Tor, or VPNs to avoid detection.

**Example Attack:**

- The malware connects to a C2 server via DNS tunneling, allowing the attacker to remotely control the infected machine.

**Actions on Objectives (Executing the Final Goal)**

The attacker carries out their ultimate objective, which could involve data theft, system disruption, ransomware deployment, or espionage. Some techniques used are:

- **Data Exfiltration:** Using tools like Rclone to steal sensitive files.
- **Lateral Movement:** Expanding control by exploiting network trusts and misconfigurations.
- **Destroying Evidence:** Attackers may delete logs, disable security tools, or deploy ransomware.

**Example Attack:**

- The attacker uses Mimikatz to dump credentials, moves laterally to the domain controller, and extracts sensitive financial data before deploying ransomware.

Hopefully this can help you visualize the workflow of a full-scale targeted attack!

## 4. Handy Tools

---

### Nmap

Nmap (Network Mapper) is a powerful open-source tool for network discovery and security auditing. It can detect live hosts, open ports, running services, and their versions.
It also supports script-based scanning to identify vulnerabilities.

**Aggressive Scan**

`nmap -A <target>`

This command performs OS detection, version detection, script scanning, and traceroute. It's ideal for comprehensive scanning when you need detailed information about the target.

**Stealth Scan (SYN Scan)**

`nmap -sS <target>`

This command sends SYN packets to detect open ports without completing the TCP handshake, reducing the chances of detection. Useful for stealthy reconnaissance.

**Top Ports Scan**

`nmap --top-ports 1000 <target>`

This command scans the 1000 most commonly open ports (out of 65,535 total). Extremely efficient for quick scans when you want to focus on the most likely open ports.

**HTTP Script Scans**

`nmap --script="http-*" <target>`

This command uses Nmap scripting to identify web vulnerabilities, configurations, and potential exploits. Great for web application security assessments. (The quotes keep your shell from expanding the `*` before Nmap sees it.)

**Vulnerability Scanning (with CVE checking)**

`nmap -sV --script vulners --script-args mincvss=7.0 <target>`

This command uses the vulners script to look for known vulnerabilities with a CVSS score of 7.0 or higher, although you can adjust that number depending on personal preference. Useful for identifying critical vulnerabilities in a target system.

**Ping Scan (Discover Live Hosts)**

`nmap -sn <target>`

This command sends ICMP ping requests to identify live hosts without port scanning, which provides quick network discovery to find active devices.

**UDP Scan**

`nmap -sU <target>`

This command scans for open UDP ports, which are often overlooked but can be critical for security. Essential for identifying UDP-based services like DNS, DHCP, and SNMP.

**OS Detection**

`nmap -O <target>`

This command attempts to determine the operating system of the target. Useful for fingerprinting the target's OS.

**Service Version Detection**

`nmap -sV <target>`

This command detects the version of services running on open ports. This helps in identifying outdated or vulnerable software.
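Nmap's normal output (the plain-text format that `nmap -oN output.txt` saves, see below) is easy to post-process. The following added example is mine, not code from the page or from the Nmap project: it parses two such reports of a lab host and diffs them to flag newly opened ports and changed service versions, which is how repeated scans of your own lab or network become change detection. The scan text is constructed to look like Nmap 7.x normal output; the host, MAC and versions are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of Nmap "normal" (-oN) output; host, MAC and versions are made up.
BASELINE_SCAN = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -oN baseline.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00045s latency).
Not shown: 998 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.54 ((Debian))
MAC Address: 08:00:27:AA:BB:CC (Oracle VirtualBox virtual NIC)

# Nmap done at Mon Jan  1 12:00:10 2024 -- 1 IP address (1 host up) scanned in 10.02 seconds
"""

# A later scan of the same host (also constructed): a database port appeared, Apache changed,
# and one port shows up as filtered rather than open.
CURRENT_SCAN = """\
# Nmap 7.94 scan initiated Tue Jan  2 12:00:00 2024 as: nmap -sV -oN current.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.00051s latency).
Not shown: 996 closed tcp ports (reset)
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 8.4p1 Debian 5 (protocol 2.0)
80/tcp   open     http       Apache httpd 2.4.57 ((Debian))
3306/tcp open     mysql      MySQL 5.7.40
8080/tcp filtered http-proxy
MAC Address: 08:00:27:AA:BB:CC (Oracle VirtualBox virtual NIC)

# Nmap done at Tue Jan  2 12:00:12 2024 -- 1 IP address (1 host up) scanned in 12.40 seconds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\S+)\))?$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class HostReport:
    host: str
    # (port, proto) -> (state, service, version string, possibly empty)
    ports: dict = field(default_factory=dict)


def parse_nmap_normal(text):
    """Parse Nmap -oN output into {host: HostReport}.

    Only the "Nmap scan report for" line and the PORT table rows are used; the
    banner, "Not shown", MAC and "Nmap done" lines do not match either regex.
    """
    reports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            # Prefer the IP in parentheses when Nmap printed a hostname first.
            current = HostReport(host=m.group(2) or m.group(1))
            reports[current.host] = current
            continue
        m = PORT_RE.match(line)
        if m and current is not None:
            port, proto, state, service, version = m.groups()
            current.ports[(int(port), proto)] = (state, service, version.strip())
    return reports


def open_ports(report):
    """Return the set of (port, proto) keys whose state is exactly 'open'."""
    return {k for k, (state, _svc, _ver) in report.ports.items() if state == "open"}


def diff_scans(baseline, current):
    """Compare two parsed scans; return only hosts where something changed."""
    changes = {}
    for host in sorted(set(baseline) | set(current)):
        base = baseline.get(host, HostReport(host))
        cur = current.get(host, HostReport(host))
        base_open, cur_open = open_ports(base), open_ports(cur)
        entry = {
            "new_open": sorted(cur_open - base_open),
            "closed": sorted(base_open - cur_open),
            "version_changed": sorted(
                k for k in base_open & cur_open if base.ports[k][2] != cur.ports[k][2]
            ),
        }
        if any(entry.values()):
            changes[host] = entry
    return changes


if __name__ == "__main__":
    result = diff_scans(parse_nmap_normal(BASELINE_SCAN), parse_nmap_normal(CURRENT_SCAN))
    for host, entry in result.items():
        print(host)
        for kind, items in entry.items():
            print(f"  {kind}: {items}")
```

Feed it the files `-oN` wrote on two different days and the output is the list of ports you need to explain.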

**Full Port Scan**

`nmap -p- <target>`

This command scans all 65,535 ports on the target, which provides comprehensive scanning when you need to ensure no ports are missed.

![image](https://hackmd.io/_uploads/r1l3u492yg.png)

**Script Scanning**

`nmap --script=<script-name> <target>`

This command runs specific Nmap scripts to detect vulnerabilities or gather additional information. Gives you customizable scanning based on specific needs.

**Save Output to a File**

`nmap -oN output.txt <target>`

This command saves the scan results to a text file. Very useful for documentation and further analysis of scan results.

---

### Web Vulnerability Scan (Nikto)

Nikto is an open-source web server scanner that detects vulnerabilities, outdated software, and security misconfigurations in web applications.

`nikto -h https://example.com`

This command scans web servers for outdated software, configuration issues, and vulnerabilities. Good for a quick web server security assessment.

---

### ProxyChains Setup

ProxyChains is a tool that routes your network traffic through proxy servers, like Tor, to mask your IP address and anonymize your connection. It supports different proxy types (like HTTP, SOCKS4, and SOCKS5) and allows you to chain multiple proxies together. This makes it harder for your traffic to be traced back to you, which is useful for anonymous web browsing or testing network security.

**Install ProxyChains**

`sudo apt-get install proxychains`

**Configure ProxyChains**

Open the config file:

`sudo nano /etc/proxychains.conf`

Uncomment `dynamic_chain` to make it use the available proxies in sequence, and add your proxy:

`socks5 127.0.0.1 9050`

**Install and Start Tor (Optional)**

```
sudo apt-get install tor
sudo service tor start
```

Tor is a network that anonymizes your internet activity by routing it through multiple volunteer-operated servers.

**Run Applications through ProxyChains**

`proxychains curl http://example.com`

**Test with a web browser:**

`proxychains firefox www.whatismyip.com`

This will route your Firefox traffic through the Tor network, showing a different IP address.

---

### SQLMap Commands

SQLMap is an automated tool used to detect and exploit SQL injection vulnerabilities in web applications. It can extract databases, tables, and even user credentials from vulnerable websites. SQL injection happens when an attacker manipulates SQL queries through user input, allowing unauthorized database access.

**Basic Usage (Test for SQL Injection)**

`sqlmap -u "http://example.com/index.php?id=1"`

This command scans the target URL for possible SQL injection points.

**Enumerate Databases**

`sqlmap -u "http://example.com/index.php?id=1" --dbs`

This command lists all databases that the application has access to.

**Password Cracking**

`sqlmap -u "http://example.com/index.php?id=1" --passwords`

This command extracts and attempts to crack password hashes stored in the database.

**Extract Tables from a Database**

`sqlmap -u "http://example.com/index.php?id=1" -D <dbname> --tables`

This command lists all tables within the specified database.

### Burp Suite

Burp Suite is a comprehensive web vulnerability scanner and testing toolkit commonly used by security professionals for identifying and exploiting security flaws in web applications. It's developed by PortSwigger, the same company behind the Web Security Academy. Burp Suite provides a suite of tools for web application security testing; I put them below for you.

**Proxy:** The core of Burp Suite, allowing you to intercept, modify, and inspect traffic between your browser and the target web application. This is essential for analyzing requests and responses in real time.

**Spider:** A web crawling tool that helps map out the structure of a website by automatically following links and discovering resources, which can later be tested for vulnerabilities.

**Scanner:** An automated tool that scans web applications for a wide range of common vulnerabilities, such as SQL injection, XSS, and more.

**Intruder:** A tool used for automating customized attacks, such as brute forcing or fuzzing, to discover vulnerabilities like weak passwords or input validation flaws.

**Repeater:** Allows you to manually send HTTP requests and modify parameters to test how the web application responds. This is useful for exploiting vulnerabilities in a controlled manner.

**Decoder:** A tool for encoding and decoding data to make it easier to analyze and manipulate payloads.

**Comparer:** Allows you to compare two pieces of data to identify differences, which might indicate vulnerabilities.

## Utilizing Open Source Intelligence for Reconnaissance

Simply put, the world wide web is your best friend. Open Source Intelligence (OSINT) is a powerful way to gather information about a target by using publicly available resources. It’s like being a digital detective, piecing together clues from the internet to understand a target’s vulnerabilities and weaknesses. Here’s how you can use OSINT for recon.

### 1. **Domain and Subdomain Discovery**

- **What to Look For**: Start by identifying the target’s main domain and any subdomains. Subdomains can reveal additional services or systems that might be less secure.
- **Tools/Examples**: Use tools like **Sublist3r** or **Amass** to enumerate subdomains. For example, if the target is `example.com`, you might find subdomains like `mail.example.com` or `dev.example.com`, which could be running different services.

### 2. **IP Address and Network Range**

- **What to Look For**: Find the IP addresses associated with the target’s domain. This helps map out their network infrastructure.
- **Tools/Examples**: Use **DNS lookup tools** (like `dig` or `nslookup`) or services like **Shodan** to find IP ranges. For instance, searching for `example.com` on Shodan might reveal IP addresses and open ports tied to their servers.

### 3. **Website and Web Application Analysis**

- **What to Look For**: Examine the technologies used on the target’s website, such as CMS platforms, frameworks, or plugins. Look for outdated versions or misconfigurations.
- **Tools/Examples**: Use **BuiltWith** or **Wappalyzer** to identify technologies. For example, you might discover that `example.com` is running an outdated version of WordPress, which could have known vulnerabilities.

### 4. **Social Media and Employee Information**

- **What to Look For**: Employees often share sensitive information on social media, such as job roles, technologies they use, or even internal tools.
- **Tools/Examples**: Search LinkedIn, Twitter, or GitHub for employees of the target organization. For instance, an employee might post about using a specific tool like Jira or Slack, which could give you insights into their internal systems.

### 5. **Public Databases and Archives**

- **What to Look For**: Look for leaked data, old versions of websites, or exposed documents that might reveal sensitive information.
- **Tools/Examples**: Use the **Wayback Machine** (archive.org) to view historical versions of the target’s website. You might find old pages that accidentally exposed sensitive data. Also, check databases like **Have I Been Pwned** to see if the target’s email domains have been involved in data breaches.

### 6. **Job Postings and Company Information**

- **What to Look For**: Job postings often list the technologies and tools a company uses, which can give you clues about their infrastructure.
- **Tools/Examples**: Search job boards like Indeed or Glassdoor for postings from the target company.
  For example, a job posting might mention that the company uses AWS for cloud hosting, which could help you focus your reconnaissance on their cloud environment.

### 7. **Publicly Exposed Services**

- **What to Look For**: Look for misconfigured services, such as open databases, FTP servers, or cloud storage buckets.
- **Tools/Examples**: Use **Shodan** or **Censys** to search for exposed services. For instance, you might find an open Elasticsearch database tied to the target’s domain that’s publicly accessible without authentication.

### 8. **Error Messages and Metadata**

- **What to Look For**: Error messages or file metadata can reveal sensitive information, such as server versions, file paths, or internal IPs.
- **Tools/Examples**: Inspect the target’s website for error messages (404 pages) or use tools like **ExifTool** to extract metadata from publicly available files (PDFs or images).

### 9. **Forums and Community Posts**

- **What to Look For**: Employees or users might discuss issues or share information on forums, which could reveal vulnerabilities or internal tools.
- **Tools/Examples**: Search forums like Stack Overflow or Reddit for mentions of the target’s domain. For example, an employee might post a question about troubleshooting a specific server configuration, revealing details about their setup.

### 10. **Leaked Credentials and Password Dumps**

- **What to Look For**: Check if the target’s email domains or employees’ credentials have been leaked in data breaches.
- **Tools/Examples**: Use **DeHashed** or **BreachParse** to search for leaked credentials. For instance, you might find that an employee’s email and password were exposed in a breach, which could be used in further attacks.

### Google Dorking

Google Dorking, also known as Google Hacking, is like using Google as a super-smart detective tool to find hidden or sensitive information on the internet.
It’s not about hacking into systems illegally; it’s about using advanced search techniques to uncover information that isn’t easily visible through regular searches. Think of it as using Google’s search bar to dig deeper and find things that people or organizations might not realize are publicly accessible.

**How It Works:**

Google Dorking involves using special search operators (like commands) to refine your search and find specific types of information. These operators help you narrow down results to uncover things like exposed files, unprotected directories, login pages, or even sensitive data that shouldn’t be publicly available. For example, instead of just searching for “company reports,” you could use a Google Dork to search for PDF files on a specific website that contain the word “password” or “confidential.” This might reveal documents that were accidentally made public.

**Here are some examples of operators you can use.**

`site:` Limits your search to a specific website. Example: `site:example.com` will only show results from example.com.

`filetype:` Searches for specific file types, like PDFs, Excel sheets, or Word documents. Example: `filetype:pdf` will show only PDF files.

`intitle:` Searches for pages with specific words in the title. Example: `intitle:"login"` will find pages with “login” in the title.

`inurl:` Searches for specific words in the URL. Example: `inurl:admin` will find URLs containing “admin.”

`intext:` Searches for specific words within the text of a page. Example: `intext:"password"` will find pages containing the word “password.”

`cache:` Shows the cached version of a page (useful if the page has been taken down). Example: `cache:example.com` will show Google’s cached version of the site.

> Here is a little cheatsheet if you want to have some fun :)

![image](https://hackmd.io/_uploads/HkTYqN9nyg.png)

### Why OSINT is Powerful

OSINT is non-intrusive and relies on publicly available information, making it a safe and legal way to gather intelligence. By combining these techniques, you can build a detailed picture of the target’s digital footprint, identify potential vulnerabilities, and plan your next steps, whether you’re defending your own systems or conducting an ethical penetration test. For example, if you discover that a company’s subdomain is running an outdated version of a CMS, you could focus your efforts on exploiting known vulnerabilities in that software. OSINT is the foundation of effective recon and is essential for understanding your target before taking any further action.

---

## 5. Simple At Home Attack Methods

> In this section, we will go over a couple of real-world exercises using popular tools that you can attempt!

### Bettercap for Network Manipulation

Bettercap is a powerful and flexible tool for network monitoring, traffic manipulation, and attack automation. It’s useful for conducting MITM attacks, sniffing network data, and performing ARP/DNS spoofing.

#### Start Bettercap

`sudo bettercap -iface wlan0`

This launches Bettercap on the specified network interface.

**Network Discovery**

```
net.probe on
net.show
```

These commands detect devices on the network and display their IP and MAC addresses.

**ARP Spoofing**

```
set arp.spoof.fullduplex true
set arp.spoof.targets <target-ip>
arp.spoof on
```

These commands set the scene for the attack. Setting `fullduplex` to true allows for bidirectional interception, so traffic is intercepted in both directions. We then set the target, which is the IP address of the device you want to take advantage of, followed by turning the spoof on, which allows for the interception of communication.
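The full-duplex spoof above works by answering ARP with one MAC for both the gateway's IP and the target's IP, and that leaves a signature the defending side of your lab can watch for. The following added example is mine, not from the page or the Bettercap project: it runs two checks over a constructed list of ARP replies (as a packet capture or a periodic `arp -a` poll might record them), a known IP suddenly mapping to a new MAC, and one MAC claiming more than one IP. The addresses and the trusted gateway binding are made up for the demo.

```python
from collections import defaultdict

# Constructed ARP-reply observations from a lab network: (seconds since capture start,
# sender IP, sender MAC). The last three mimic a full-duplex spoof, where one MAC answers
# for both the gateway and the target host.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),  # target host, legitimate
    (1.0, "192.168.1.30", "aa:bb:cc:00:00:30"),  # unrelated host
    (5.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # gateway IP now claimed by another MAC
    (5.1, "192.168.1.20", "de:ad:be:ef:00:99"),  # target IP claimed by the same MAC
    (7.0, "192.168.1.1", "de:ad:be:ef:00:99"),   # spoof keeps being re-asserted
]

# Static, trusted bindings for infrastructure you control (constructed). Seeding the table
# with these means a spoof of the gateway is caught even if it is the first reply seen.
TRUSTED_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert dicts for suspicious IP<->MAC behaviour.

    Two signals are checked:
      * ip_mac_change: an IP whose MAC differs from the first (or trusted) one seen.
        DHCP churn can cause this legitimately, so pair it with the second signal.
      * mac_claims_multiple_ips: one MAC answering for several IPs, which is what a
        bidirectional (full-duplex) ARP spoof looks like. A router holding several
        virtual IPs is a benign cause; list its bindings in `trusted` to account for it.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is None:
            ip_to_mac[ip] = mac          # first sighting of this IP: learn the binding
        elif known != mac:
            # Keep the original binding so every re-asserted spoof keeps alerting.
            alerts.append({"time": ts, "type": "ip_mac_change", "ip": ip,
                           "expected_mac": known, "seen_mac": mac})
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        # Alert once per newly claimed IP, not on every repeated reply.
        if len(mac_to_ips[mac]) > 1 and len(mac_to_ips[mac]) > before:
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def suspicious_macs(alerts):
    """MACs that both displaced a known binding and claim several IPs: the strongest signal."""
    changed = {a["seen_mac"] for a in alerts if a["type"] == "ip_mac_change"}
    multi = {a["mac"] for a in alerts if a["type"] == "mac_claims_multiple_ips"}
    return sorted(changed & multi)


if __name__ == "__main__":
    found = detect_arp_spoofing(ARP_REPLIES, TRUSTED_BINDINGS)
    for alert in found:
        print(alert)
    print("likely spoofer(s):", suspicious_macs(found))
```

Run the spoof against a lab target while polling the target's ARP table and the same two signals show up in its cache.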
**Network Sniffing**

`net.sniff on`

This command captures and analyzes network packets, letting you view credentials or other sensitive information when it is sent unencrypted.

To explain what just happened: this is a man-in-the-middle (MITM) attack, where an attacker secretly intercepts and potentially alters the communication between two parties (like a client and a server) without them knowing. It’s like a "spy" sitting between two people who are having a private conversation, listening to what they’re saying, and possibly even changing the messages.

----

### Using routersploit to test routers and IoT devices

Routersploit is a tool designed to help security professionals test the security of routers and other embedded devices. Think of it as a Swiss Army knife for finding and exploiting vulnerabilities in these devices. Here's a simple breakdown.

**What is Routersploit?**

* Purpose: It helps identify and exploit weaknesses in routers and similar devices.
* Users: Primarily used by cybersecurity experts and ethical hackers to ensure devices are secure.

**Key Features**

* Exploits: Pre-written code to take advantage of known vulnerabilities.
* Scanners: Tools to check if a device has specific vulnerabilities.
* Credential Checkers: Tests default or weak usernames and passwords.
* Payloads: Code that can be executed on a vulnerable device.
* Generic Attacks: Methods that work against a wide range of devices.

**How It Works**

* Setup: Install Routersploit on a system (like Kali Linux).
* Target Selection: Identify the router or device you want to test.
* Scanning: Use scanners to find vulnerabilities.
* Exploitation: If a vulnerability is found, use an exploit to test it.
* Reporting: Document findings to help fix the issues.
**Installation**

```
git clone https://www.github.com/threat9/routersploit
cd routersploit
pip install -r requirements.txt
./rsf.py
```

**Scanning**

```
use scanners/autopwn
set target 192.168.1.1
run
```

**Exploitation**

```
use exploits/generic/exploit_name
set target 192.168.1.1
run
```

________________________________________

## 6. Test Your Skills

> In this section I will go over multiple sources to hone your attacking skills.

### **Juice Shop**

OWASP Juice Shop is a deliberately vulnerable web application created for security training and penetration testing practice. It’s great for practicing common vulnerabilities like SQL injection, XSS, and authentication flaws. It can be launched directly from your Kali terminal with the provided commands.

**Start Juice Shop**

`juice-shop -h`

This command launches the Juice Shop application.

**Stop Juice Shop**

`juice-shop-stop -h`

This command stops the running Juice Shop instance.

### VulnWeb

VulnWeb (by Acunetix) is a purposely vulnerable web application for ethical hacking practice. It allows testing of SQL Injection, XSS, authentication flaws, and more in a safe environment.

**Access:** https://testphp.vulnweb.com/

#### **Basic Testing Steps**

* **Reconnaissance:** Use nmap, whois, or Burp Suite for information gathering.
* **Scanning:** Run `nikto -h testphp.vulnweb.com` to detect vulnerabilities.
* **Exploitation:**
  * SQL Injection: `admin' OR '1'='1' --`
  * XSS: `<script>alert('XSS')</script>`
  * Brute Force: Use Hydra to test weak credentials. `hydra -l admin -P rockyou.txt testphp.vulnweb.com http-post-form "/login.php:user=^USER^&pass=^PASS^:Invalid login"`

### HackThisSite

HackThisSite is a free, legal, and ethical hacking training platform designed for security enthusiasts to test and improve their cybersecurity skills. It provides a variety of challenges that simulate real world hacking scenarios, helping users learn about web security, cryptography, network security, and programming.
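To see why the two VulnWeb payloads above work against Juice Shop-style applications and what fixes them, the Python script below is an added example (not code from the guide, Juice Shop or VulnWeb). It pairs a login query built by string concatenation with a parameterized one, and a page that reflects user input with one that HTML-escapes it, then runs the page's own `admin' OR '1'='1' --` and `<script>alert('XSS')</script>` inputs through both. The user table is an in-memory SQLite database with one constructed account; it stores the password in plaintext only to keep the demo short, where a real application would store a salted hash.

```python
import html
import sqlite3

# The two test inputs from the VulnWeb steps above.
SQLI_PAYLOAD = "admin' OR '1'='1' --"
XSS_PAYLOAD = "<script>alert('XSS')</script>"


def make_db():
    """In-memory user table with one constructed account (plaintext for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse-battery-staple')")
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query from strings, so the input can rewrite the WHERE clause.

    With SQLI_PAYLOAD as the username the query becomes
    ... WHERE username = 'admin' OR '1'='1' --' AND password = '...'
    and everything after the -- is a comment, so the password check vanishes.
    """
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def safe_login(conn, username, password):
    """Parameterized query: the driver sends the input as data, never as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def render_comment_unsafe(text):
    """Reflects user input straight into the page, so a <script> tag executes."""
    return f"<p>{text}</p>"


def render_comment_safe(text):
    """Escapes <, >, &, and quotes so the browser displays the text instead of running it."""
    return f"<p>{html.escape(text)}</p>"


def run_demo():
    """Run both payloads through the vulnerable and the hardened code paths."""
    conn = make_db()
    return {
        "sqli_vulnerable": vulnerable_login(conn, SQLI_PAYLOAD, "anything"),
        "sqli_safe": safe_login(conn, SQLI_PAYLOAD, "anything"),
        "real_creds_safe": safe_login(conn, "admin", "correct-horse-battery-staple"),
        "xss_unsafe": render_comment_unsafe(XSS_PAYLOAD),
        "xss_safe": render_comment_safe(XSS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name:17} {value}")
```

The vulnerable login returns `True` for the payload and the parameterized one returns `False` while still accepting the real credentials, which is the whole fix: the database never parses user input as SQL. The same principle applies to the XSS case, where output encoding at the point the text lands in HTML is what matters, not filtering on the way in.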
**Features of HackThisSite**

* **Basic & Realistic Missions** – Simulated challenges for beginners and advanced users.
* **Application Security Challenges** – Learn about code auditing, exploit development, and vulnerabilities.
* **Cryptography & Programming Challenges** – Test your skills in encryption and scripting.
* **CTF (Capture The Flag) Events** – Engage in cybersecurity competitions.
* **Community Forums & IRC** – Interact with other ethical hackers and security professionals.

### PortSwigger

PortSwigger's Web Security Academy is an online platform designed to teach web application security through practical, hands-on exercises. It's a great resource for anyone looking to enhance their skills in web vulnerability identification and exploitation.

The academy covers a wide range of security topics, from basic web security concepts to advanced vulnerability exploitation techniques. It features interactive labs that simulate real-world scenarios where users can practice identifying and exploiting common web vulnerabilities, such as SQL injection, cross-site scripting, cross-site request forgery, and more. These labs are guided with step-by-step instructions and solutions, making them accessible for both beginners and more advanced learners.

The academy also has an emphasis on understanding security best practices, mitigation strategies, and how to secure web applications effectively. It's a useful resource for anyone preparing for security certifications like the Offensive Security Web Expert or simply looking to improve their web application security knowledge.

### TryHackMe

TryHackMe is an online platform designed to make learning cybersecurity accessible and engaging for people of all skill levels. It offers a variety of interactive lessons and hands-on challenges that simulate real-world scenarios, allowing users to practice and develop their skills in a safe, legal environment.
The platform is structured around "rooms," which are individual learning modules focused on specific topics such as penetration testing, network security, web application vulnerabilities, and more. Each room provides step-by-step instructions and often includes virtual machines that users can interact with to apply what they've learned.

One of the standout features of TryHackMe is its gamified approach. Users earn points and achievements as they complete tasks and challenges, which helps track progress and maintain motivation. The platform also offers structured learning paths, such as the "Complete Beginner" or "Offensive Pentesting" paths, which guide users through a series of rooms to build specific skill sets systematically.

TryHackMe is particularly valuable because it combines theoretical knowledge with practical experience. Users can practice hacking techniques, secure systems, and solve problems in a controlled environment, which is crucial for understanding real world cybersecurity challenges.

### PicoCTF

PicoCTF is like a fun, interactive game designed to teach you the basics of cybersecurity in a hands-on way. Imagine it as a series of puzzles or challenges that help you learn how to think like a hacker, but in a safe and legal environment. It’s perfect for beginners, especially students, because it breaks down complex concepts into smaller, manageable tasks that feel more like solving a mystery than studying.

**How It Works:**

* Challenges: PicoCTF offers a variety of challenges that cover different areas of cybersecurity, such as cryptography (solving secret codes), web exploitation (finding vulnerabilities in websites), reverse engineering (figuring out how software works), and forensics (analyzing data to find hidden clues).
* Practical Experience: Instead of just reading about cybersecurity, you get to practice real skills.
For example, you might be given a piece of encrypted text and asked to decode it, or you might need to find a hidden flag in a website by exploiting a vulnerability.

* Progressive Difficulty: The challenges start off easy, so even if you’re new to cybersecurity, you can jump right in. As you solve more challenges, they get harder, helping you build your skills step by step.
* Teamwork: While you can do PicoCTF on your own, it’s also designed for teams. This makes it a great way to learn with friends or classmates, as you can work together to solve tougher challenges.
* Competition: PicoCTF often runs as a competition, where you can earn points for solving challenges and see how you rank against others. This adds a fun, competitive element that keeps things exciting.

# Thank you, additions coming soon.

> Well... why should I do any of this?

> Using these tools consistently and testing your skills in real world instances provides you with marketable experience, as well as reinforcing your conceptual knowledge of cybersecurity. These resources have significantly increased my learning retention, along with the ability to pass on knowledge as I am doing now. If you are passionate about cybersecurity, the most important thing is to just try things, always be curious, and most importantly, fall in love with learning... because it never stops.