1. Directory Structure
2ăSoftware Installation
In the terminal, input: toolsmanager to install imagejs.
Launch the tool manager, where you can install/upgrade/uninstall software.
First, it will automatically update from the GitHub repository, then it will display the menu. If there is no internet connection, the script will wait for a period of time and then display the menu. As shown in the image below:
You can access the relevant module by selecting the corresponding number. For instance, if I chooseWeb ApplicationCategory, then press10It will display:
In this section, we can install the tools listed here. Now, if you want to install imagejs, just type install imagejs, and it will install it. Once installed,It seems like you want to translate the word âéĺŻ.â In English, it means âRestart.â If thereâs more context or content in a WordPress post that needs translation, please provide it, and I will assist accordingly.PentestBox, the tools you install will be effective.
List of software that can be installed using toolsmanager, see details heremodules.pentestbox.com
3. Software Update
Install the software like this. If you want to update, just enter the number 11 here.
Update all installed Modules This is where the update of already installed tools begins:
2. PentestBox is an open-source project that ensures all files used within PentestBox reside in its ownçŻĺ˘ä¸ăGithubIâm sorry, but the text provided cannot be translated as it appears to be in Chinese and does not provide enough context or content related to a WordPress post. Could you please provide more information or an excerpt from a WordPress post that youâd like translated?
In the terminal, type: update from itsGithubTo the repository, if there are any changes, the display menu will first update itself. If there is no internet connection, the script will wait for some time and then display the menu.
4ăSoftware Uninstallation
In the toolsmanager software directory, if we want to uninstall a previously installed software, simply type uninstall + the software name.
If we want to uninstall xssless here, we type uninstall xssless, and that will remove xssless.
5. Keyboard Shortcuts
CTRL + T: ToOpenNew Tab
CTRL + C: ToIt seems like youâve provided the word âĺ łé,â which in the context of a WordPress post might be related to actions like âcloseâ or âdisable.â If youâre looking to convert content from a WordPress post to American English while preserving HTML, feel free to share more of the content that requires translation!Script/Program Execution.
CTRL + w: This willCan you please provide the text that needs translation within the context of a WordPress post?Current active console.
ALT +Enter: Pentestbox will go toFullscreenă
6. Post-Installation Debugging
Because this is a foreign open-source project, some configurations donât align with our local cultural nuances. For instance:
The Atom editor encapsulated in PentestBox is unable to input Chinese characters, and some plugins may also encounter issues, such as the minimap needing to be reconfigured.
Solution: Translate the way you installed your original Atom software into English.
Replace the atom inside PentestBox with the file folder.
Apologies, the text seems to relate to a file path on a Windows OS rather than a WordPress post. If you have a WordPress post that needs translation, please provide the text content for further assistance.
2. PentestBox packages the Free version of Burp Suite, which naturally doesnât offer as many features as the domestic cracked professional versions of Burp Suite.
Solution MethodReplace the Professional Edition cracked Burp Suite file and rename it, and youâre done.
7, Add Your Own Tools
In many cases, your own toolstoolsmanagerOr PentestBox may not be installed by default. You can manually add your own tools by following the guide below:
Two things need to be done.
Download/Clone the tool files,
Set Alias
Aliases are essentially needed to pass through the PentestBox console, such as terminal commands.SqlMapThis is an alias to access sqlmap.
7.1. Tools Based on Python
First, copy the file to C:/PentestBox/bin/customtools/.
Add an alias: Edit the customaliases file located in the /PentestBox/bin/customtools/ directory.
For example, if you need to add a tool alias named hello, the alias would be hello=python â%pentestbox_ROOT%\bin\customtools\Hello.pyâ $*
Add the above line to customaliases and save the file.
Copy to the folder:
Next, edit the `customaliases` file.
7.2.Tools Based on EXE
Download/Clone the toolkit files.
To set up an alias, the method is the same as above. However, for the alias here, the format should be set as: tool=â%pentestbox_ROOT%\bin\customtools\tool.exeâ $*
Example: Letâs add a classic Xiaokui decryption tool.
The effects are as follows:
7.3 Ruby-Based Tools and Java-Based Tools
Syntax Rules:
Java: Tool execution command â Start using javaw to run the jar file located at â%pentestbox_ROOT%\bin\customtools\tool.jarâ with any additional arguments passed from the command line.
Ruby : wpscan=ruby â%pentestbox_ROOT%\bin\customtools\wpscan\wpscan.rbâ $*
To add your own Java and Ruby tools in PentestBox, the fundamental principle is the same. However, when editing the customaliases file, the syntax format differs slightly. For Java and Ruby tool formats, refer to the format mentioned above.
Below is the official command to correctly launch the tools, along with an introduction (list of built-in default tools):
8. Web Vulnerability Scanner
8.1 Burp Suite
An integrated platform for attacking web applications. It comprises numerous tools and has designed various interfaces for these tools to expedite the process of attacking applications. All the tools share a robust and extensible framework capable of handling and displaying HTTP messages, persistence, authentication, proxies, logs, and alerts.
|
12 |
C:\Users\Demon\Desktop>burpsuite |
|---|
8.2 Commix (Automated Testing Tools for Command Injection VulnerabilitiesIt seems like your message is incomplete. Could you please provide the WordPress post content that you would like me to translate?
There is a simple environment that can be used by web developers, penetration testers, and even security researchers to test web applications for the presence of errors, bugs, or vulnerabilities related to command injection attacks. (Similar to sqlmap, it is used to validate vulnerabilities.)
http://www.freebuf.com/sectool/64030.htmlManual link
|
12 |
C:\Users\Demon\Desktop>commix |
|---|
8.3 dotdotpwn (Directory Traversal Fuzzer)
This is an extremely flexible smart fuzzer discoveryTraverse DirectoryVulnerabilities in software like HTTP / FTP / TFTP servers, network platforms such as CMS, ERP, blogs, etc.
|
12 |
C:\Users\Demon\Desktop>dotdotpwn |
|---|
8.4 fimap (Local and Remote File Inclusion Vulnerabilities in Web Apps
fimap is a Python tool capable of finding, preparing, auditing, and exploiting local and remote file inclusion vulnerabilities, even automating Google searches in web applications. fimap is intended to be like sqlmap for LFI/RFI instead of SQL injection vulnerabilities. It is currently under development, but it is available for use.
|
12 |
C:\Users\Demon\Desktop>fimap |
|---|
8.5 Golismero
GoLismero Security Testing is an open-source framework. It is currently targeted at network security, but it can easily be extended to other types of scanning.
|
12 |
C:\Users\Demon\Desktop>golismero |
|---|
8.6 jSQL
jSQL Injection is a lightweight application used to find database information from a remote server. jSQL is free, open source, and cross-platform (Windows, Linux, Mac OS X, Solaris).
|
12 |
C:\Users\Demon\Desktop>jSQL |
|---|
8.7 Nikto
Nikto is an open-source web server (GPL) scanner that performs comprehensive tests on web servers for multiple items, including over 6,700 potentially dangerous files/programs, checks for outdated versions on more than 1,250 servers, and identifies over 270 server-specific issues.
|
12 |
C:\Users\Demon\Desktop>nikto |
|---|
8.8 PadBuster
Automating the execution of Padding Oracle attacks.
|
12 |
C:\Users\Demon\Desktop>padbuster |
|---|
8.9 Vega
Vega is a free and open-source scanner and testing platform for assessing the security of web applications. Vega can help you find and verify SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI-based, and runs on Linux, OS X, and Windows.
|
12 |
C:\Users\Demon\Desktop>vega |
|---|
8.10 Wpscan
WPScan is a black-box WordPress vulnerability scanner that can be used to scan remote WordPress installations to identify security issues.
|
12 |
C:\Users\Demon\Desktop>wpscan |
|---|
8.11 Yasuo
Yasuo is a Ruby script that scans vulnerable third-party web applications. During network security assessments (internal, external red team exercises, etc.), we often encounter vulnerable third-party web applications or front-ends, allowing us to compromise remote servers by exploiting publicly known vulnerabilities. Some common and favorite targets include the Apache Tomcat Application Manager interface and the JBoss JMX Console.
|
12 |
C:\Users\Demon\Desktop>yasuo |
|---|
8.12 Zaproxy
OWASP Zed Attack Proxy (ZAP) is a user-friendly, comprehensive penetration testing tool for identifying vulnerabilities in web applications. It is designed to cater to individuals with a wide range of security expertise, making it ideal for developers and functional testers. It also serves as a valuable addition to the toolkit of experienced penetration testers.
|
12 |
C:\Users\Demon\Desktop>zap |
|---|
9. Web Application Proxy
9.1 Zaproxy
OWASP Zed Attack Proxy (ZAP) is an easy-to-use integrated penetration testing tool used to identify vulnerabilities in web applications. It is designed for individuals with varying levels of security expertise, making it ideal for developers and functional testers as a valuable addition to the toolbox of experienced penetration testers.
|
12 |
C:\Users\Demon\Desktop>zap |
|---|
10. CMS Vulnerability Scanner
10.1 CMSmap
CMSmap is a Python-based open-source CMS scanning tool, particularly popular for the automatic detection of security vulnerabilities in the most widely used CMS platforms. The primary goal of CMSmap is to integrate common vulnerabilities across different types of CMS into a single tool.
|
12 |
C:\Users\Demon\Desktop>cmsmap |
|---|
10.2 install imagejs using droopescan
Plugin-based scanners aid security researchers in identifying vulnerabilities in Drupal, SilverStripe, and WordPress.
|
12 |
C:\Users\Demon\Desktop>droopescan |
|---|
10.3 OWASP Joomla
Vulnerability ScannerâJoomla! It might be the most widely used CMS due to its flexibility, user-friendliness, and scalability, to name a few. Therefore, monitoring its vulnerabilities and integrating vulnerabilities like KB into a Joomla scanner requires ongoing efforts. It will assist web developers and webmasters in identifying potential security weaknesses in the Joomla deployments they manage! No web security scanner is exclusively dedicated to a single CMS.
|
12 |
C:\Users\Demon\Desktop>joomscan |
|---|
10.4 Wpscan
WPScan is a black-box WordPress vulnerability scanner that can be used to scan remote WordPress installations to discover security issues.
|
12 |
C:\Users\Demon\Desktop>wpscan |
|---|
10.5 VbScan
VBScan, written in the Perl programming language, is an open-source project for detecting vulnerabilities in CMS link pages and performing analysis.
Author: Mohammad Reza Espargham
|
12 |
C:\Users\Demon\Desktop>vbscan |
|---|
11. Web Crawler Program
11.1 DirBuster
DirBuster is a multi-threaded Java application designed to perform brute-force enumeration of directories and filenames on web/application servers.
Author: OWASP.org
License: Apache 2.0
|
12 |
C:\Users\Demon\Desktop>dirbuster |
|---|
12. Information Gathering
12.1 Angry IP Scanner
Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and easy to use. It scans IP addresses and ports, along with many other features. It is widely used by network administrators, as well as curious users around the globe, including large and small enterprises, banks, and government agencies.
|
12 |
C:\Users\Demon\Desktop>ipscan |
|---|
12.2 dnsrecon
DNS Enumeration Script
License: GPLv2
|
12 |
C:\Users\Demon\Desktop>dnsrecon |
|---|
12.3 Golismero
GoLismero Security Testing is an open-source framework. It is currently focused on cybersecurity, but it can be easily extended to other types of scanning.
License: GPLv2
|
12 |
C:\Users\Demon\Desktop>golismero |
|---|
12.4 Instarecon
Automated foundational digital reconnaissance. Great targets get the initial footprint, discovering additional subdomains. What InstaRecon will do: DNS (Direct, PTR, MX, NS) lookups, domain name lookup services (for domains and IPs), Google search for subdomains, and perform Shodan searches on the entire CIDR, reverse DNS lookup. License: MIT License.
|
12 |
C:\Users\Demon\Desktop>instarecon |
|---|
12.5 Nmap
Nmap (âNetwork Mapperâ) is a free and open-source utility used for network discovery and security auditing. Many system and network administrators also find it useful for tasks like network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap employs raw IP packets in novel ways to determine which hosts are available on the network, which services (application name and version) those hosts are offering, what operating system (OS version) they are running, what kind of packet filters/firewalls are in use, and dozens of other characteristics. It is designed to rapidly scan large networks but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. Besides the classic Nmap command-line executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping). To use Nmap, you must first install the WinPcap packet capture library, which is available for download from Winpcap.org.
|
123 |
cmd.exeC:\Users\Demon\Desktop>nmap |
|---|---|
|
123 |
cmd.exeC:\Users\Demon\Desktop>ncat |
|
123 |
cmd.exeC:\Users\Demon\Desktop>ndiff |
|
123 |
cmd.exeC:\Users\Demon\Desktop>nping |
12.6 Responder
Responder is an LLMNR, NBT-NS, and MDNS poisoner, with embedded HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, extended security NTLMSSP, and HTTP Basic Authentication.
Author: SpiderLabs
License: GPLv3
|
123 |
cmd.exeC:\Users\Demon\Desktop>responder |
|---|
12.7 SnmpWalk
SnmpWalk allows you to detect a set of variables that can be read on a certain device. You can obtain a complete or partial list. By analyzing the results obtained from scanning network devices using SnmpWalk, you can develop a supported MIB list. In this way, you get a complete description of variables and possible values.
Author: SnmpSoft Company
|
123 |
cmd.exeC:\Users\Demon\Desktop>snmpwalk |
|---|
12.8 SpiderFoot
SpiderFoot is an open-source intelligence automation tool. Its purpose is to automate the process of gathering intelligence on a given target, which could be an IP address, domain name, hostname, or network subnet. SpiderFoot can be used offensively, as part of a black-box penetration test to collect information on a target, or defensively, to identify what information your organization freely provides to potential attackers.
|
123 |
cmd.exeC:\Users\Demon\Desktop>spiderfoot |
|---|
12.9 TestSSLServer
TestSSLServer is a simple command-line tool that connects to an SSL/TLS server (specified by name and port as parameters) to obtain some information.
Author: Thomas Pornin
|
123 |
cmd.exeC:\Users\Demon\Desktop>testsslserver |
|---|
12.10 SSlStrip
It will transparently hijack HTTP traffic on the network, paying attention to HTTPS connections and redirects, then map these links to similar HTTP links or homograph-similar HTTPS connections. It also supports schemes that provide a lock icon identifier, selective logging, denial, and session handling.
|
123 |
cmd.exeC:\Users\Demon\Desktop>sslstrip |
|---|
12.11 SSLyze
SSLyze is a Python tool that can analyze a serverâs SSL configuration to connect to it. Designed to be fast and comprehensive, it should assist organizations and testers in identifying SSL server configuration errors that impact them.
License: GPLv2
|
123 |
cmd.exeC:\Users\Demon\Desktop>sslyze |
|---|
12.12 SSLScan
SSLScan tests services enabled with SSL/TLS to discover supported cipher suites.
|
123 |
cmd.exeC:\Users\Demon\Desktop>sslscan |
|---|
12.13 Sublist3r
Sublist3r is a Python tool designed to enumerate subdomains of websites using search engines. It aids penetration testers and bug hunters in collecting and gathering subdomains for their target domains. Sublist3r currently supports the following search engines: Google, Yahoo, Bing, Baidu, Ask. More search engines may be added in the future. Sublist3r also collects subdomains using Netcraft and DNSdumpster.
|
123 |
cmd.exeC:\Users\Demon\Desktop>sublist3r |
|---|
12.14 SubbruteSubBrute
The objective of this community-driven project is to create the fastest and most precise subdomain enumeration tool. Some of the magic behind SubBrute is that it uses resolvers as an open proxy to bypass DNS poisoning. This design also offers a layer of anonymity, as SubBrute does not directly send traffic to the nameservers of the target.
|
123 |
cmd.exeC:\Users\Demon\Desktop>subbrute |
|---|
12.15 Tekdefense
Automater is a URL/domain, IP address, and MD5 hash OSINT tool designed to ease the analysis process for intrusion analysts. Given a target (URL, IP, or hash) or a file, Automater will automatically return relevant results from the following sources: IPvoid.com, Robtex.com, Fortiguard.com, Unshorten.me, Urlvoid.com, Labs.alienvault.com, ThreatExpert VxVault, and VirusTotal.
Author: TekDefense.com
|
123 |
cmd.exeC:\Users\Demon\Desktop>automater |
|---|
12.16UrlCrazy
Generate and test domain input errors and variations to detect and exploit typo-squatting, URL hijacking, phishing, and corporate espionage activities.
|
123 |
cmd.exeC:\Users\Demon\Desktop>urlcrazy |
|---|
12.17 The Harvester
The Harvester collects email accounts, subdomain names, virtual hosts, open ports/banners, and employee names from various public resources (search engines, PGP key servers).
|
123 |
cmd.exeC:\Users\Demon\Desktop>theharvester |
|---|
12.18 Wireshark
Wireshark is the worldâs foremost network protocol analyzer. It allows you to see whatâs happening on your network at a microscopic level. It is the de facto standard (and often de jure) across many industries and educational institutions. The development of Wireshark thrives through contributions from a global collection of networking experts.
|
123 |
cmd.exeC:\Users\Demon\Desktop>wireshark |
|---|
13. Development Tools
13.1Beef Project
Beef is a browser exploitation framework. It is a penetration testing tool that focuses on web browsers.
|
123 |
cmd.exeC:\Users\Demon\Desktop>beefproject |
|---|
13.2CrackMapExec
The Swiss army knife among Windows/Active Directory environments. Thanks to Thomas. The compiled version.
|
123 |
cmd.exeC:\Users\Demon\Desktop>crackmapexec |
|---|
13.3 Metasploit Framework
The worldâs best penetration testing framework. Please note that PentestBox has two versions, one with Metasploit and the other without. If you havenât completed the download of the Metasploit variant, get it here.
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfconsole |
|---|---|
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfvenom |
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfelfscan |
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfbinscan |
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfpescan |
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfd |
|
123 |
cmd.exeC:\Users\Demon\Desktop>msfmachscan |
13.4 SqlMap
sqlmap is an open-source penetration testing tool that automates the process of detecting and exploiting SQL injection vulnerabilities and taking over database servers. It features a powerful detection engine, many features aimed at the ultimate penetration tester, and numerous switches for continued fingerprint scanning of databases, retrieving data, accessing the underlying file system, and executing commands on the operating system via an out-of-band connection.
Author: Miroslav Stampar, Bernardo Damele Assumpcao Guimaraes
License: GPLv2
|
123 |
cmd.exeC:\Users\Demon\Desktop>sqlmap |
|---|