What is this?
HuntKit is a collection of [penetration testing, bug bounty hunting, capture the flag, red teaming] tools in a single Docker image. Simply run the image and start using the tools.
Why?
I got sick of waiting for VitualBox to start, Kali to boot, then dealing with the slugish-ness of operating in a VM. I still use Kali for certain tasks. But for a quick nmap scan (for example), using this container is a lot quicker.
- The tool run very quick (opposed to running inside a VM for example)
- Simpler to keep the tools up to date
- Disposable - Something broken? Simply prune and start again
Instructions
Run from DockerHub
docker run -it mcnamee/huntkitAdvanced usage
# Advanced:
# Line 2: maps ~/Loot to the Docker's /root/loot
# Line 3: Allows OpenVPN usage
# Line 4: Opens and maps port 4444 (for listeners such as Metasploit)
# Line 5: Sets the machine's hostname to huntkit
docker run -it \
-v ~/Loot:/root/loot \
--cap-add=NET_ADMIN --device=/dev/net/tun \
-p 4444:4444 \
-h huntkit \
mcnamee/huntkit(Update) Pull the latest from Docker Hub
docker pull mcnamee/huntkitBuild it yourself
# 1. Clone the repo
git clone https://github.com/mcnamee/huntkit.git && cd huntkit
# 2. Build the image
docker build . -t mcnamee/huntkit
Tools
Recon
| Tool | Description & Example |
|---|---|
| amass | Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. amass enum -v -src -ip -brute -min-for-recursive 2 -d kali.org |
| brutespray | Service scanner by bruteforcing. brutespray --file nmap.gnmap |
| cloudflair | CloudFlair is a tool to find origin servers of websites protected by CloudFlare who are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. export CENSYS_API_ID=... && export CENSYS_API_SECRET=... cloudflair resound.ly |
| commix | Command injection exploiter - used to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3 |
| dalfox | XSS Scanning and Parameter Analysis tool. dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123 -b https://hahwul.xss.ht |
| dirb | Looks for existing (and/or hidden) Web Objects, by launching a dictionary based attack against a web server and analyzing the response. dirb https://kali.org $WORDLISTS/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt |
| dnmasscan | dnmasscan is a bash script to automate resolving a file of domain names and subsequentlly scanning them using masscan. dnmasscan listofdomains.txt dns.log -p80,443 - oG masscan.log |
| dnsx | Allows you to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers. cat domains.txt | dnsx |
| ffuf | A fast web fuzzer. - ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401 |
| gau | getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. - gau example.com |
| httpx | Take a list of domains and probe for working http and https servers. cat domains.txt | httpx |
| linkfinder | Discover endpoints and their parameters in JavaScript files. linkfinder -i https://example.com -d -o cli |
| masscan | An Internet-scale port scanner. masscan -p1-65535 -iL listofips.txt --max-rate 1800 -oG masscan.log |
| meg | A tool for fetching lots of URLs but still being 'nice' to servers. meg paths.txt hosts.txt |
| nikto | Web server scanner which performs comprehensive tests against web servers for multiple items (dangerous files, outdated dependencies...). nikto -host=https://kali.org |
| nmap | A utility for network discovery and security auditing. nmap -sV 192.168.0.1 |
| nuclei | Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.. nuclei -l urls.txt -t $ADDONS/nuclei/ADDONS/nuclei/technologies/ -o ~/projects/results.txt |
| pagodo | Passive Google dork script to collect potentially vulnerable web pages and applications on the Internet.. pagodo -d $DOMAIN -g dorks/sensitive_directories.dorks -l 100 -s -e 35.0 -j 1.1 |
| recon-ng | Web-based open source reconnaissance framework. recon-ng |
| sherlock | Hunt down social media accounts by username across social networks. sherlock user1 user2 user3 |
| subfinder | Subdomain discovery tool to find valid subdomains for websites by using passive online sources. subfinder -d kali.org -v |
| subjs | Fetches javascript files from a list of URLS or subdomains. Analyzing javascript files can help you find undocumented endpoints, secrets, and more. cat urls.txt | subjs |
| subjack | A Subdomain Takeover tool. SJFP=$(find "${GOPATH}/pkg" -name fingerprints.json) subjack -w subdomains.txt -t 100 -timeout 30 -o results.txt -a -c $SJFP |
| sublist3r | Enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and more. sublist3r -d kali.org |
| sqlmap | Automates the process of detecting and exploiting SQL injection flaws and taking over of database servers sqlmap -u https://example.com --forms --crawl=10 --level=5 --risk=3 |
| theharvester | Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. theharvester -d kali.org -b "bing, certspotter, dnsdumpster, dogpile, duckduckgo, google, hunter, linkedin, linkedin_links, twitter, yahoo" |
| wafw00f | Web Application Firewall Fingerprinting Tool. wafw00f resound.ly |
| whatweb | Scans websites and highlights the CMS used, JavaScript libraries, web servers, version numbers, email addresses, account IDs, web framework modules, SQL errors, and more. whatweb kali.org |
| wpscan | WordPress Security Scanner. wpscan --url kali.org |
| xsstrike | Advanced XSS Detection Suite. xsstrike -u="http://192.168.0.115" --data="query" |
Exploitation
| Tool | Description & Example |
|---|---|
| breach-parse | A tool for parsing breached passwords.breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data" |
| crunch | Wordlist generator where you can specify a standard character set or a character set you specify. crunch 6 6 0123456789abcdef -o 6chars.txt |
| cupp | Personal wordlist generator. cupp -i |
| john | John the Ripper is a fast password cracker. zip2john filename.zip > hash.txtjohn hash.txt |
| jwttool | A toolkit for validating, forging and cracking JWTs (JSON Web Tokens). jwttool eyJ0eXAiOiJ.eyJsb2dpbi.aqNCvShlN -A |
| metasploit | A penetration testing platform that enables you to find, exploit, and validate vulnerabilities.. msfconsole |
| hydra | hydra -f -l [email protected] -P $WORDLISTS/seclists/Passwords/darkweb2017-top1000.txt website.com http-post-form "/login:user=^USER^&pass=^PASS^:Failed" |
| netcat | A networking utility which reads and writes data across network connections, using the TCP/IP protocol. nc -nvlp 1234 |
| searchsploit | Searchable archive from The Exploit Database. searchsploit oracle windows remote |
| setoolkit | Social Engineering Toolkit. setoolkit |
Other
| Tool | Description |
|---|---|
| FTP | Connect to an FTP server. ftp ftp.google.com |
| Go | The Go programming language |
| Interlace | Easily turn single threaded command line applications into a fast, multi-threaded application. interlace -tL targets.txt -threads 5 -c "gobuster dns -d _target_ -w wordlist.txt --noprogress --quiet >> _target_.txt" -v |
| NodeJS | Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. |
| Oh My Zsh | Zsh is a framework for managing your zsh configuration, bundled with thousands of helpful functions, helpers, plugins, themes. |
| OpenVPN | Connect to a VPN. Add --cap-add=NET_ADMIN --device=/dev/net/tun to the docker run to use OpenVPN. |
| Perl | Perl is a highly capable, feature-rich programming language with over 30 years of development. |
| PHP | The PHP scripting language. |
| Proxychains | Redirects connections through SOCKS4a/5 or HTTP proxies. |
| Python 3 | The Python programming language |
| Ruby | A dynamic, open source programming language with a focus on simplicity and productivity. It has an elegant syntax that is natural to read and easy to write. |
| smbclient | smbclient \\192.168.0.45\Media |
| Tor | Browse Privately. |
| tmux | tmux is a terminal multiplexer. It lets you switch easily between several programs in one terminal, detach them (they keep running in the background) and reattach them to a different terminal. CNTR+b c Create window CNTR+b n Switch to next window |
| unfurl | Pull out bits of URLs provided on stdin. cat urls.txt | unfurl --unique domains |
| zsh | Zsh is an extended Bourne shell with many improvements, including some features of Bash, ksh, and tcsh. |
Wordlists
- Amass
- Dirb
- Kali's
rockyou.txt - Metasploit
- The Harvester
- SecLists