I have created a lot of useful little hacking tools over the last few years. Sometimes I tweet about them, sometimes I don't.

Here's a list of some of the most useful ones, and a brief explanation of what they do! 🧵👇
Hakrawler is a simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application.

github.com/hakluke/hakraw…
hakip2host uses a few different techniques to find hostnames associated with an IP address. It works en masse - great for discovering hostnames of a company with dedicated public IP ranges.

github.com/hakluke/hakip2…
hakoriginfinder finds the origin host hiding behind a WAF or CDN (and so lets you bypass the WAF) by comparing HTTP responses with the Levenshtein algorithm. I only released this a few days ago, but have plans to extend the tool to also suggest likely IP addresses based on ASN/historical DNS/Shodan, etc.

github.com/hakluke/hakori…
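The matching logic behind that technique, as an added example in Python (this is not hakoriginfinder's own code). It requests a bare candidate IP while presenting the original hostname in the Host header and, for TLS, in SNI, then scores the body against a reference response with normalised Levenshtein similarity. The 0.9 threshold, the helper names and the canned responses are this example's own assumptions.

```python
"""Origin-host matching by response similarity. Added example, not hakoriginfinder's source.
The threshold (0.9), the helper names and the constructed responses are assumptions."""
import http.client
import socket
import ssl
from typing import Dict, List, Optional


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a rolling two-row table: O(len(a)*len(b)) time, O(len(b)) space."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def similarity(a: str, b: str) -> float:
    """Normalised similarity in [0, 1]: 1.0 is identical, 0.0 shares nothing."""
    longest = max(len(a), len(b))
    return 1.0 if longest == 0 else 1.0 - levenshtein(a, b) / longest


def fetch_with_host_header(ip: str, host: str, use_tls: bool, timeout: float = 5.0) -> Optional[str]:
    """GET / from a bare IP while sending the real Host header (and, for TLS, the real SNI).

    Certificate verification is deliberately off: the origin's certificate is issued for
    `host`, not for the IP, and the whole point is to see whether `ip` serves that site.
    Returns None when the IP does not answer at all.
    """
    try:
        sock = socket.create_connection((ip, 443 if use_tls else 80), timeout=timeout)
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)  # SNI = original hostname
        conn = http.client.HTTPConnection(ip, timeout=timeout)
        conn.sock = sock  # hand over our pre-built socket so the client does not reconnect
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "origin-check"})
        body = conn.getresponse().read().decode("utf-8", "replace")
        conn.close()
        return body
    except (OSError, http.client.HTTPException):
        return None


def find_origins(reference: str, responses: Dict[str, Optional[str]], threshold: float = 0.9) -> List[str]:
    """Return the candidate IPs whose body is at least `threshold` similar to the reference."""
    return sorted(ip for ip, body in responses.items()
                  if body is not None and similarity(reference, body) >= threshold)


# Constructed responses (not real captures). The origin returns the same page as the
# WAF-fronted site except for a per-request CSRF token, which is exactly why a byte-for-byte
# comparison would report a false negative.
REFERENCE = ("<html><head><title>Acme Shop</title></head><body>"
             "<form action='/login' method='post'><input type='hidden' name='csrf' value='a1b2c3d4'>"
             "<input name='user'><input name='pass' type='password'></form>"
             "<p>Welcome to Acme Shop, the best place to buy widgets.</p></body></html>")
CANDIDATES: Dict[str, Optional[str]] = {
    "203.0.113.10": REFERENCE.replace("a1b2c3d4", "e5f6a7b8"),              # origin: fresh token
    "203.0.113.11": "<html><body><h1>Welcome to nginx!</h1></body></html>",  # default vhost
    "203.0.113.12": None,                                                   # nothing listening
}

if __name__ == "__main__":
    # Live use: reference = fetch_with_host_header(<real IP behind the name>, host, True),
    # then fetch each candidate the same way and pass the dict to find_origins().
    for ip in find_origins(REFERENCE, CANDIDATES):
        print(f"{ip}: {similarity(REFERENCE, CANDIDATES[ip]):.2f}")
```

Two caveats when running this against real ranges: shared-hosting boxes and other CDN edges can serve the same page and show up as false positives, so confirm a hit by checking that the candidate's response lacks the WAF/CDN headers the front door adds; and an origin that insists on a CDN-only header or mTLS will never score above the threshold, which is a false negative rather than proof that the IP is unrelated.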
haktrails is the unofficial command-line client for SecurityTrails. I use this alllll the time for bug bounty recon.

github.com/hakluke/haktra…
hakcheckurl is a simple tool that takes a list of URLs, visits them, and shows you the response code. Unlike httpx, this works with URLs, not hostnames, which has been handy on occasion!

github.com/hakluke/hakche…
hakjoke literally just prints jokes from icanhazdadjoke.com

github.com/hakluke/hakjoke
hakfindinternaldomains takes a list of hostnames and tells you which ones resolve to internal IP addresses. Sometimes useful for exploiting SSRFs or just mapping an internal network from an external perspective.

github.com/hakluke/hakfin…
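What "resolves to an internal IP address" should cover in practice, as an added Python example (not hakfindinternaldomains' own code). It resolves every A and AAAA record, unwraps IPv4-mapped IPv6 addresses, and flags anything in RFC 1918, loopback, link-local (where the cloud metadata endpoint lives), CGNAT or IPv6 ULA space. The range list, the function names and the constructed DNS map used for the offline demo are assumptions.

```python
"""Flag hostnames that resolve into internal address space. Added example, not the tool's
source. The range list, the function names and the constructed DNS map are assumptions."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List

# Space that should never be reachable from the public internet. RFC 1918 is the obvious
# part; loopback, link-local (169.254.169.254 is the cloud metadata service), the RFC 6598
# CGNAT block and IPv6 ULA/link-local matter just as much for SSRF work.
INTERNAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "100.64.0.0/10",                                    # RFC 6598 shared address space
    "fc00::/7",                                         # IPv6 unique local
    "0.0.0.0/8",                                        # "this network"; 0.0.0.0 hits localhost on Linux
)]

Resolver = Callable[[str], Iterable[str]]


def is_internal_ip(ip: str) -> bool:
    """True if `ip` is in any internal range. IPv4-mapped IPv6 (::ffff:10.0.0.1) is unwrapped
    first; a filter that only inspects the IPv6 form is a classic SSRF bypass."""
    addr = ipaddress.ip_address(ip.split("%")[0])  # drop a link-local scope id such as %eth0
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in INTERNAL_RANGES)


def system_resolver(hostname: str) -> List[str]:
    """All A and AAAA answers from the system resolver; empty list on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def find_internal_domains(hostnames: Iterable[str], resolver: Resolver = system_resolver) -> Dict[str, List[str]]:
    """Map each hostname with at least one internal answer to those internal addresses.
    A name with mixed public and internal answers is still reported: that 'public name,
    private target' shape is what slips past hostname-based SSRF allow-lists."""
    found: Dict[str, List[str]] = {}
    for host in hostnames:
        internal = [ip for ip in resolver(host) if is_internal_ip(ip)]
        if internal:
            found[host] = internal
    return found


# Constructed DNS answers for an offline run; swap in system_resolver for real hosts.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "intranet.example.com": ["10.1.2.3"],
    "www.example.com": ["203.0.113.10"],
    "metadata.example.com": ["169.254.169.254"],
    "dual.example.com": ["203.0.113.11", "192.168.0.5"],
    "v6mapped.example.com": ["::ffff:10.0.0.1"],
    "nxdomain.example.com": [],
}


def constructed_resolver(hostname: str) -> List[str]:
    return CONSTRUCTED_DNS.get(hostname, [])


if __name__ == "__main__":
    for host, ips in find_internal_domains(CONSTRUCTED_DNS, constructed_resolver).items():
        print(host, ",".join(ips))
```

Records like these are worth re-checking right before you use them: a short-TTL name can be rebound between the target's validation and its fetch, and a name that currently points inside the network is a ready-made SSRF pivot that passes any "no internal hosts" check done on the hostname rather than on the resolved address.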
haklistgen takes any junk data as input and turns it into a list that is usable for brute forcing. There are some good examples of how it might be used in the readme.

github.com/hakluke/haklis…
hakurlencode is a really simple one: all it does is URL-encode and URL-decode strings on the command line.

github.com/hakluke/hakurl…
hakcertstream is a basic implementation of a certstream client, so that you can monitor the firehose of newly issued TLS certificates (taken from Certificate Transparency logs) from the CLI.

github.com/hakluke/hakcer…
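The firehose is only useful once you filter it, so here is an added Python example (not hakcertstream's code) that reads certstream-style JSON messages line by line and reports two things: new names under domains you own (suffix match on label boundaries) and lookalike registrations elsewhere (keyword match). It assumes the certstream feed's message shape (message_type, data.leaf_cert.all_domains); the watch-list, function names and sample messages are constructed.

```python
"""Watch a certstream-style feed for your own subdomains and for lookalike names.
Added example, not hakcertstream's source. Assumes the certstream JSON message shape
(message_type, data.leaf_cert.all_domains); watch-list, helper names and sample messages
are constructed for the demo."""
import json
import sys
from typing import Dict, Iterable, List


def normalise(domain: str) -> str:
    """Lower-case, drop a trailing dot and a leading wildcard label ('*.a.b' -> 'a.b')."""
    d = domain.strip().lower().rstrip(".")
    return d[2:] if d.startswith("*.") else d


def domains_in(msg: dict) -> List[str]:
    """All SANs of the leaf certificate; heartbeats and malformed messages yield nothing."""
    if msg.get("message_type") != "certificate_update":
        return []
    return msg.get("data", {}).get("leaf_cert", {}).get("all_domains", [])


def classify(domain: str, suffixes: Iterable[str], keywords: Iterable[str]) -> str:
    """'suffix' for a name under a domain you own (a new subdomain), 'keyword' for a lookalike
    anywhere else, '' for no interest. The suffix test respects label boundaries, so
    'notacme.example' is not treated as a subdomain of 'acme.example'."""
    for s in suffixes:
        if domain == s or domain.endswith("." + s):
            return "suffix"
    for k in keywords:
        if k in domain:
            return "keyword"
    return ""


def filter_feed(lines: Iterable[str], suffixes: Iterable[str], keywords: Iterable[str]) -> Dict[str, str]:
    """Map each interesting domain to the reason it matched; first reason wins per domain."""
    hits: Dict[str, str] = {}
    for line in lines:
        try:
            msg = json.loads(line)
        except json.JSONDecodeError:
            continue  # a feed hiccup should not crash a long-running monitor
        for raw in domains_in(msg):
            d = normalise(raw)
            reason = classify(d, suffixes, keywords)
            if reason and d not in hits:
                hits[d] = reason
    return hits


WATCH_SUFFIXES = ("acme.example",)   # domains you own: report any new subdomain
WATCH_KEYWORDS = ("acme",)           # brand strings: report lookalikes elsewhere

# Constructed sample messages in certstream's shape (not real CT data).
SAMPLE_FEED = [
    json.dumps({"message_type": "heartbeat"}),
    json.dumps({"message_type": "certificate_update", "data": {
        "source": {"name": "Example CT log"},
        "leaf_cert": {"all_domains": ["*.staging.acme.example", "staging.acme.example"]}}}),
    json.dumps({"message_type": "certificate_update", "data": {
        "source": {"name": "Example CT log"},
        "leaf_cert": {"all_domains": ["acme-secure-login.com", "www.acme-secure-login.com"]}}}),
    json.dumps({"message_type": "certificate_update", "data": {
        "source": {"name": "Example CT log"},
        "leaf_cert": {"all_domains": ["notacme.example", "unrelated.org"]}}}),
    "{not json",
]

if __name__ == "__main__":
    # Pipe real JSON lines in on stdin; with no stdin data the constructed feed is used.
    lines = sys.stdin if not sys.stdin.isatty() else SAMPLE_FEED
    for domain, reason in filter_feed(lines, WATCH_SUFFIXES, WATCH_KEYWORDS).items():
        print(f"{reason:7} {domain}")
```

Suffix hits are usually benign but tell you about infrastructure nobody put on the asset list (staging, previews, forgotten test hosts); keyword hits are where phishing kits show up, often minutes after the certificate is issued and before the site goes live.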
hakrevshell creates reverse and bind shells. It works on Windows, Linux and Mac!

github.com/hakluke/hakrev…
hakcron allows you to use plain English to run a command at set intervals. For example "daily", "hourly" or "every 5s".

github.com/hakluke/hakcron
I hope you found something useful in there! If you did, I'd love for you to share it.

If you like newsletters, I also have one of those, pop your email in here: getrevue.co/profile/hakluke
