Docker – Ubuntu with a bunch of PenTesting tools and wordlists
What is this?
HuntKit is a collection of penetration testing, bug bounty hunting, capture the flag, red teaming tools in a single Docker image. Simply run the image and start using the tools.
Why?
I got sick of waiting for VitualBox to start, Kali to boot, then dealing with the slugish-ness of operating in a VM. I still use Kali for certain tasks. But for a quick nmap scan (for example), using this container is a lot quicker.
Instructions
Run from DockerHub
docker run -it mcnamee/huntkit
# - OR -
# Advanced:
# Line 2: maps ~/Projects to the Docker /root/projects
# Line 3: Allows OpenVPN
# Line 4: Opens and maps port 4444 (for listeners such as Metasploit)
# Line 5: Sets the machine's hostname to huntkit
docker run -it \
-v ~/Projects:/root/projects \
--cap-add=NET_ADMIN --device=/dev/net/tun \
-p 4444:4444 \
-h huntkit \
mcnamee/huntkit
Build
# 1. Clone the repo
git clone https://github.com/mcnamee/huntkit.git && cd huntkit
# 2. Build the image
docker build . -t mcnamee/huntkit
Tools
Recon
| Tool | Description & Example |
|---|---|
| amass | Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.amass enum -v -src -ip -brute -min-for-recursive 2 -d kali.org |
| brutespray | Service scanner by bruteforcing.brutespray --file nmap.gnmap |
| cloudfail | CloudFail is a tool to find origin servers of websites protected by CloudFlare.cloudfail --target resound.ly |
| cloudflair | CloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don’t restrict network access to the CloudFlare IP ranges as they should.export CENSYS_API_ID=... && export CENSYS_API_SECRET=...cloudflair resound.ly |
| commix | Command injection exploiter – used to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3 |
| dalfox | XSS Scanning and Parameter Analysis tool.dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123 -b https://hahwul.xss.ht |
| dirb | Looks for existing (and/or hidden) Web Objects, by launching a dictionary based attack against a web server and analyzing the response.dirb https://kali.org $WORDLISTS/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt |
| dnmasscan | dnmasscan is a bash script to automate resolving a file of domain names and subsequentlly scanning them using masscan.dnmasscan listofdomains.txt dns.log -p80,443 - oG masscan.log |
| dnsx | Allows you to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers.cat domains.txt |
| ffuf | A fast web fuzzer. – ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401 |
| gau | getallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. – gau example.com |
| httpx | Take a list of domains and probe for working http and https servers.cat domains.txt |
| linkfinder | Discover endpoints and their parameters in JavaScript files.linkfinder -i https://example.com -d -o cli |
| masscan | An Internet-scale port scanner.masscan -p1-65535 -iL listofips.txt --max-rate 1800 -oG masscan.log |
| meg | A tool for fetching lots of URLs but still being ‘nice’ to servers.meg paths.txt hosts.txt |
| nikto | Web server scanner which performs comprehensive tests against web servers for multiple items (dangerous files, outdated dependencies…).nikto -host=https://kali.org |
| nmap | A utility for network discovery and security auditing.nmap -sV 192.168.0.1 |
| nuclei | Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use..nuclei -l urls.txt -t $ADDONS/nuclei/ADDONS/nuclei/technologies/ -o ~/projects/results.txt |
| pagodo | Passive Google dork script to collect potentially vulnerable web pages and applications on the Internet..pagodo -d $DOMAIN -g dorks/sensitive_directories.dorks -l 100 -s -e 35.0 -j 1.1 |
| recon-ng | Web-based open source reconnaissance framework.recon-ng |
| sherlock | Hunt down social media accounts by username across social networks.sherlock user1 user2 user3 |
| subfinder | Subdomain discovery tool to find valid subdomains for websites by using passive online sources.subfinder -d kali.org -v |
| subjs | Fetches javascript files from a list of URLS or subdomains. Analyzing javascript files can help you find undocumented endpoints, secrets, and more. `cat urls.txt |
| subjack | A Subdomain Takeover tool.SJFP=$(find "${GOPATH}/pkg" -name fingerprints.json)subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -a -c $SJFP |
| sublist3r | Enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and more.sublist3r -d kali.org |
| sqlmap | Automates the process of detecting and exploiting SQL injection flaws and taking over of database serverssqlmap -u https://example.com --forms --crawl=10 --level=5 --risk=3 |
| theharvester | Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.theharvester -d kali.org -b "bing, certspotter, dnsdumpster, dogpile, duckduckgo, google, hunter, linkedin, linkedin_links, twitter, yahoo" |
| wafw00f | Web Application Firewall Fingerprinting Tool.wafw00f resound.ly |
| whatweb | Scans websites and highlights the CMS used, JavaScript libraries, web servers, version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.whatweb kali.org |
| wpscan | WordPress Security Scanner.wpscan --url kali.org |
| xsstrike | Advanced XSS Detection Suite.xsstrike -u="http://192.168.0.115" --data="query" |
Exploitation
| Tool | Description & Example |
|---|---|
| breach-parse | A tool for parsing breached passwords.breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data" |
| crunch | Wordlist generator where you can specify a standard character set or a character set you specify.crunch 6 6 0123456789abcdef -o 6chars.txt |
| cupp | Personal wordlist generator.cupp -i |
| john | John the Ripper is a fast password cracker.zip2john filename.zip > hash.txtjohn hash.txt |
| jwttool | A toolkit for validating, forging and cracking JWTs (JSON Web Tokens).jwttool eyJ0eXAiOiJ.eyJsb2dpbi.aqNCvShlN -A |
| metasploit | A penetration testing platform that enables you to find, exploit, and validate vulnerabilities..msfconsole |
| hydra | hydra -f -l email@admin.com -P $WORDLISTS/seclists/Passwords/darkweb2017-top1000.txt website.com http-post-form "/login:user=^USER^&pass=^PASS^:Failed" |
| netcat | A networking utility which reads and writes data across network connections, using the TCP/IP protocol.nc -nvlp 1234 |
| searchsploit | Searchable archive from The Exploit Database.searchsploit oracle windows remote |
| setoolkit | Social Engineering Toolkit.setoolkit |
Other
| Tool | Description |
|---|---|
| FTP | Connect to an FTP server.ftp ftp.google.com |
| Go | The PHP programming language |
| Interlace | Easily turn single threaded command line applications into a fast, multi-threaded application.interlace -tL targets.txt -threads 5 -c "gobuster dns -d _target_ -w wordlist.txt --noprogress --quiet >> _target_.txt" -v |
| NodeJS | Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. |
| Oh My Zsh | Zsh is a framework for managing your zsh configuration, bundled with thousands of helpful functions, helpers, plugins, themes. |
| OpenVPN | Connect to a VPN. Add --cap-add=NET_ADMIN --device=/dev/net/tun to the docker run to use OpenVPN. |
| Perl | Perl is a highly capable, feature-rich programming language with over 30 years of development. |
| PHP | The PHP scripting language. |
| Proxychains | Redirects connections through SOCKS4a/5 or HTTP proxies. |
| Python 2 & 3 | The Python programming language |
| Ruby | A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write. |
| smbclient | smbclient \\192.168.0.45\Media |
| Tor | Browse Privately. |
| tmux | tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.CNTR+b c Create windowCNTR+b n Switch to next window |
| unfurl | Pull out bits of URLs provided on stdin. `cat urls.txt |
| zsh | Zsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh. |
Wordlists
- Amass
- Dirb
- Kali’s
rockyou.txt - Metasploit
- The Harvester
- SecLists