Huntkit

Docker - Ubuntu with a bunch of PenTesting tools and wordlists


What is this?

HuntKit is a collection of [penetration testing, bug bounty hunting, capture the flag, red teaming] tools in a single Docker image. Simply run the image and start using the tools.

Why?

I got sick of waiting for VirtualBox to start, Kali to boot, then dealing with the sluggishness of operating in a VM. I still use Kali for certain tasks. But for a quick nmap scan (for example), using this container is a lot quicker.

  • The tools run very quickly (as opposed to running inside a VM, for example)
  • Simpler to keep the tools up to date
  • Disposable - Something broken? Simply prune and start again

Instructions

Run from DockerHub

```bash
docker run -it mcnamee/huntkit
```

<details>
<summary>Advanced usage</summary>

```bash
# Advanced:
# Line 2: Maps ~/Loot on the host to /root/loot in the container
# Line 3: Allows OpenVPN usage
# Line 4: Opens and maps port 4444 (for listeners such as Metasploit)
# Line 5: Sets the machine's hostname to huntkit
docker run -it \
  -v ~/Loot:/root/loot \
  --cap-add=NET_ADMIN --device=/dev/net/tun \
  -p 4444:4444 \
  -h huntkit \
  mcnamee/huntkit
```

</details>

<details>
<summary>(Update) Pull the latest from Docker Hub</summary>

```bash
docker pull mcnamee/huntkit
```

</details>

<details>
<summary>Build it yourself</summary>

```bash
# 1. Clone the repo
git clone https://github.com/mcnamee/huntkit.git && cd huntkit

# 2. Build the image
docker build . -t mcnamee/huntkit
```

</details>

<details>
<summary>Push to Docker Hub</summary>

```bash
# 1. Build the image
docker build . -t mcnamee/huntkit

# 2. Login to Docker Hub
docker login --username=supergates

# 3. Push the image
docker push mcnamee/huntkit

# 4. Delete all local images to start from scratch
docker image prune -a
```

</details>
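
The "Advanced usage" command publishes the listener port with `-p 4444:4444`, which by default binds it on every interface of the host. As an added example (not part of the HuntKit repository), the wrapper below runs the same command but requires one specific host address for the port and creates the loot directory with owner-only permissions first; `huntkit_run`, `is_ipv4` and the `DOCKER` override variable are names assumed here.

```bash
#!/usr/bin/env bash
# Added example, not from the HuntKit repo. huntkit_run, is_ipv4 and the
# DOCKER variable are hypothetical names introduced for this example.

# is_ipv4 ADDR: succeed only for four dot-separated octets in 0-255.
is_ipv4() {
  case "$1" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1            # split on dots; input holds digits and dots only
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# huntkit_run BIND_ADDR [LOOT_DIR] [IMAGE]
# Same flags as the Advanced usage command, except that port 4444 is
# published on BIND_ADDR only (for example 127.0.0.1 or a lab-network IP).
huntkit_run() {
  bind_addr=${1:-}
  loot_dir=${2:-"$HOME/Loot"}
  image=${3:-mcnamee/huntkit}   # pass mcnamee/huntkit@sha256:<digest> to pin

  # Reject the wildcard address and anything that is not a plain IPv4 address.
  if [ "$bind_addr" = 0.0.0.0 ] || ! is_ipv4 "$bind_addr"; then
    echo "huntkit_run: need one specific host IPv4 address, got '$bind_addr'" >&2
    return 1
  fi

  # Create the loot directory up front, readable by its owner only.
  mkdir -p "$loot_dir" && chmod 700 "$loot_dir" || return 1

  "${DOCKER:-docker}" run -it \
    -v "${loot_dir}:/root/loot" \
    --cap-add=NET_ADMIN --device=/dev/net/tun \
    -p "${bind_addr}:4444:4444" \
    -h huntkit \
    "$image"
}

# Dry run: DOCKER=echo prints the arguments instead of starting a container.
( DOCKER=echo; huntkit_run 127.0.0.1 "$(mktemp -d)/loot" )
```
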

Tools

Recon

| Tool | Description & Example |
| --- | --- |
| amass | Network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. <br> `amass enum -v -src -ip -brute -min-for-recursive 2 -d kali.org` |
| brutespray | Service scanner by bruteforcing. <br> `brutespray --file nmap.gnmap` |
| commix | Command injection exploiter - used to test web applications with the view to find bugs, errors or vulnerabilities related to command injection attacks. <br> `commix --url="http://192.168.0.23/commix-testbed/scenarios/referer/referer(classic).php" --level=3` |
| dalfox | XSS Scanning and Parameter Analysis tool. <br> `dalfox url http://testphp.vulnweb.com/listproducts.php\?cat\=123 -b https://hahwul.xss.ht` |
| dirb | Looks for existing (and/or hidden) Web Objects, by launching a dictionary based attack against a web server and analyzing the response. <br> `dirb https://kali.org $WORDLISTS/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt` |
| dnmasscan | dnmasscan is a bash script to automate resolving a file of domain names and subsequently scanning them using masscan. <br> `dnmasscan listofdomains.txt dns.log -p80,443 -oG masscan.log` |
| dnsx | Allows you to run multiple probers using retryabledns library, that allows you to perform multiple DNS queries of your choice with a list of user supplied resolvers. <br> `cat domains.txt \| dnsx` |
| ffuf | A fast web fuzzer. <br> `ffuf -w /path/to/postdata.txt -X POST -d "username=admin\&password=FUZZ" -u https://target/login.php -fc 401` |
| gau | getallurls (gau) fetches known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl for any given domain. <br> `gau example.com` |
| httpx | Take a list of domains and probe for working http and https servers. <br> `cat domains.txt \| httpx` |
| linkfinder | Discover endpoints and their parameters in JavaScript files. <br> `linkfinder -i https://example.com -d -o cli` |
| masscan | An Internet-scale port scanner. <br> `masscan -p1-65535 -iL listofips.txt --max-rate 1800 -oG masscan.log` |
| meg | A tool for fetching lots of URLs but still being 'nice' to servers. <br> `meg paths.txt hosts.txt` |
| nikto | Web server scanner which performs comprehensive tests against web servers for multiple items (dangerous files, outdated dependencies...). <br> `nikto -host=https://kali.org` |
| nmap | A utility for network discovery and security auditing. <br> `nmap -sV 192.168.0.1` |
| nuclei | Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use. <br> `nuclei -l urls.txt -t $ADDONS/nuclei/ADDONS/nuclei/technologies/ -o ~/projects/results.txt` |
| pagodo | Passive Google dork script to collect potentially vulnerable web pages and applications on the Internet. <br> `pagodo -d $DOMAIN -g dorks/sensitive_directories.dorks -l 100 -s -e 35.0 -j 1.1` |
| recon-ng | Web-based open source reconnaissance framework. <br> `recon-ng` |
| sherlock | Hunt down social media accounts by username across social networks. <br> `sherlock user1 user2 user3` |
| subfinder | Subdomain discovery tool to find valid subdomains for websites by using passive online sources. <br> `subfinder -d kali.org -v` |
| subjs | Fetches JavaScript files from a list of URLs or subdomains. Analyzing JavaScript files can help you find undocumented endpoints, secrets, and more. <br> `cat urls.txt \| subjs` |
| sublist3r | Enumerates subdomains using many search engines such as Google, Yahoo, Bing, Baidu and more. <br> `sublist3r -d kali.org` |
| sqlmap | Automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. <br> `sqlmap -u https://example.com --forms --crawl=10 --level=5 --risk=3` |
| theharvester | Gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. <br> `theharvester -d kali.org -b "bing, certspotter, dnsdumpster, dogpile, duckduckgo, google, hunter, linkedin, linkedin_links, twitter, yahoo"` |
| wafw00f | Web Application Firewall Fingerprinting Tool. <br> `wafw00f resound.ly` |
| whatweb | Scans websites and highlights the CMS used, JavaScript libraries, web servers, version numbers, email addresses, account IDs, web framework modules, SQL errors, and more. <br> `whatweb kali.org` |
| wpscan | WordPress Security Scanner. <br> `wpscan --url kali.org` |
| xsstrike | Advanced XSS Detection Suite. <br> `xsstrike -u="http://192.168.0.115" --data="query"` |

Exploitation

| Tool | Description & Example |
| --- | --- |
| breach-parse | A tool for parsing breached passwords. <br> `breach-parse @tesla.com tesla.txt "~/Downloads/BreachCompilation/data"` |
| crunch | Wordlist generator where you can specify a standard character set or a character set you specify. <br> `crunch 6 6 0123456789abcdef -o 6chars.txt` |
| cupp | Personal wordlist generator. <br> `cupp -i` |
| john | John the Ripper is a fast password cracker. <br> `zip2john filename.zip > hash.txt` <br> `john hash.txt` |
| jwttool | A toolkit for validating, forging and cracking JWTs (JSON Web Tokens). <br> `jwttool eyJ0eXAiOiJ.eyJsb2dpbi.aqNCvShlN -A` |
| metasploit | A penetration testing platform that enables you to find, exploit, and validate vulnerabilities. <br> `msfconsole` |
| hydra | <code>hydra -f -l email@admin.com -P $WORDLISTS/seclists/Passwords/darkweb2017-top1000.txt website.com http-post-form "/login:user=^
