What is this?
HuntKit is a collection of penetration testing, bug bounty hunting, capture the flag, red teaming tools in a single Docker image. Simply run the image and start using the tools.
Why?
I got sick of waiting for VitualBox to start, Kali to boot, then dealing with the slugish-ness of operating in a VM. I still use Kali for certain tasks. But for a quick nmap scan (for example), using this container is a lot quicker.
Instructions
Run from DockerHub
docker run -it mcnamee/huntkit # - OR - # Advanced: # Line 2: maps ~/Projects to the Docker /root/projects # Line 3: Allows OpenVPN # Line 4: Opens and maps port 4444 (for listeners such as Metasploit) # Line 5: Sets the machine's hostname to huntkit docker run -it \ -v ~/Projects:/root/projects \ --cap-add=NET_ADMIN --device=/dev/net/tun \ -p 4444:4444 \ -h huntkit \ mcnamee/huntkit
Build
# 1. Clone the repo git clone https://github.com/mcnamee/huntkit.git && cd huntkit # 2. Build the image docker build . -t mcnamee/huntkit
Tools
Recon
Tool | Description & Example |
---|---|
amass | Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.amass enum -v -src -ip -brute -min-for-recursive 2 -d kali.org |
brutespray | Service scanner by bruteforcing.brutespray --file nmap.gnmap |
cloudfail | CloudFail is a tool to find origin servers of websites protected by CloudFlare.cloudfail --target resound.ly |
cloudflair | CloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don’t restrict network access to the CloudFlare IP ranges as they should.export CENSYS_API_ID=... && export CENSYS_API_SECRET=... cloudflair resound.ly |
commix | Command injection exploiter – used to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks.commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3 |
dalfox | XSS Scanning and Parameter Analysis tool.dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123 -b https://hahwul.xss.ht |
dirb | Looks for existing (and/or hidden) Web Objects, by launching a dictionary based attack against a web server and analyzing the response.dirb https://kali.org $WORDLISTS/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt |
dnmasscan | dnmasscan is a bash script to automate resolving a file of domain names and subsequentlly scanning them using masscan.dnmasscan listofdomains.txt dns.log -p80,443 - oG masscan.log |
dnsx | Allows you to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers.cat domains.txt |
ffuf | A fast web fuzzer. – ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401 |
gau | getallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. – gau example.com |
httpx | Take a list of domains and probe for working http and https servers.cat domains.txt |
linkfinder | Discover endpoints and their parameters in JavaScript files.linkfinder -i https://example.com -d -o cli |
masscan | An Internet-scale port scanner.masscan -p1-65535 -iL listofips.txt --max-rate 1800 -oG masscan.log |
meg | A tool for fetching lots of URLs but still being ‘nice’ to servers.meg paths.txt hosts.txt |
nikto | Web server scanner which performs comprehensive tests against web servers for multiple items (dangerous files, outdated dependencies…).nikto -host=https://kali.org |
nmap | A utility for network discovery and security auditing.nmap -sV 192.168.0.1 |
nuclei | Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use..nuclei -l urls.txt -t $ADDONS/nuclei/ADDONS/nuclei/technologies/ -o ~/projects/results.txt |
pagodo | Passive Google dork script to collect potentially vulnerable web pages and applications on the Internet..pagodo -d $DOMAIN -g dorks/sensitive_directories.dorks -l 100 -s -e 35.0 -j 1.1 |
recon-ng | Web-based open source reconnaissance framework.recon-ng |
sherlock | Hunt down social media accounts by username across social networks.sherlock user1 user2 user3 |
subfinder | Subdomain discovery tool to find valid subdomains for websites by using passive online sources.subfinder -d kali.org -v |
subjs | Fetches javascript files from a list of URLS or subdomains. Analyzing javascript files can help you find undocumented endpoints, secrets, and more. `cat urls.txt |
subjack | A Subdomain Takeover tool.SJFP=$(find "${GOPATH}/pkg" -name fingerprints.json) subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -a -c $SJFP |
sublist3r | Enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and more.sublist3r -d kali.org |
sqlmap | Automates the process of detecting and exploiting SQL injection flaws and taking over of database serverssqlmap -u https://example.com --forms --crawl=10 --level=5 --risk=3 |
theharvester | Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database.theharvester -d kali.org -b "bing, certspotter, dnsdumpster, dogpile, duckduckgo, google, hunter, linkedin, linkedin_links, twitter, yahoo" |
wafw00f | Web Application Firewall Fingerprinting Tool.wafw00f resound.ly |
whatweb | Scans websites and highlights the CMS used, JavaScript libraries, web servers, version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.whatweb kali.org |
wpscan | WordPress Security Scanner.wpscan --url kali.org |
xsstrike | Advanced XSS Detection Suite.xsstrike -u="http://192.168.0.115" --data="query" |
Exploitation
Tool | Description & Example |
---|---|
breach-parse | A tool for parsing breached passwords.breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data" |
crunch | Wordlist generator where you can specify a standard character set or a character set you specify.crunch 6 6 0123456789abcdef -o 6chars.txt |
cupp | Personal wordlist generator.cupp -i |
john | John the Ripper is a fast password cracker.zip2john filename.zip > hash.txt john hash.txt |
jwttool | A toolkit for validating, forging and cracking JWTs (JSON Web Tokens).jwttool eyJ0eXAiOiJ.eyJsb2dpbi.aqNCvShlN -A |
metasploit | A penetration testing platform that enables you to find, exploit, and validate vulnerabilities..msfconsole |
hydra | hydra -f -l email@admin.com -P $WORDLISTS/seclists/Passwords/darkweb2017-top1000.txt website.com http-post-form "/login:user=^USER^&pass=^PASS^:Failed" |
netcat | A networking utility which reads and writes data across network connections, using the TCP/IP protocol.nc -nvlp 1234 |
searchsploit | Searchable archive from The Exploit Database.searchsploit oracle windows remote |
setoolkit | Social Engineering Toolkit.setoolkit |
Other
Tool | Description |
---|---|
FTP | Connect to an FTP server.ftp ftp.google.com |
Go | The PHP programming language |
Interlace | Easily turn single threaded command line applications into a fast, multi-threaded application.interlace -tL targets.txt -threads 5 -c "gobuster dns -d _target_ -w wordlist.txt --noprogress --quiet >> _target_.txt" -v |
NodeJS | Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. |
Oh My Zsh | Zsh is a framework for managing your zsh configuration, bundled with thousands of helpful functions, helpers, plugins, themes. |
OpenVPN | Connect to a VPN. Add --cap-add=NET_ADMIN --device=/dev/net/tun to the docker run to use OpenVPN. |
Perl | Perl is a highly capable, feature-rich programming language with over 30 years of development. |
PHP | The PHP scripting language. |
Proxychains | Redirects connections through SOCKS4a/5 or HTTP proxies. |
Python 2 & 3 | The Python programming language |
Ruby | A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write. |
smbclient | smbclient \\192.168.0.45\Media |
Tor | Browse Privately. |
tmux | tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal.CNTR+b c Create windowCNTR+b n Switch to next window |
unfurl | Pull out bits of URLs provided on stdin. `cat urls.txt |
zsh | Zsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh. |
Wordlists
- Amass
- Dirb
- Kali’s
rockyou.txt
- Metasploit
- The Harvester
- SecLists
Download: https://github.com/mcnamee/huntkit
Please follow and like us: