Tools Overview

When it comes to information security, there is no shortage of tools for the job. It can easily be overwhelming when you are just starting off, and one important thing to try and avoid is decision paralysis. While some tools are certainly more effective than others, it can be a good idea to simply find one for what you are wanting to do and stick with it for long enough to learn how to use it. This way you have ONE solution to a problem, even if it’s not always the best solution. As you gain more experience and learn what each tool is actually doing, you will naturally begin to switch your tools out for ones that work better for you.

I will save the deeper dive into the tools for individual posts, but for now I want to specify the tools that I use currently and classify them according to what I use them for.

Passive Discovery

An important step in any test is identifying the attack surface. Barring any details specified in the engagement scoping document, you generally want to start off with passive information gathering. You want to learn things like which IP addresses belong to your target, which domain names are associated with them, which technologies they use, etc.

  • Job Boards
    • Sites like LinkedIn, Indeed and ZipRecruiter will often list the technologies used by the company in IT and Developer job posting requirements. This will shed some light on the environment that you are about to start working against.
  • Stackshare.io
    • This site shows most of the technologies used for a lot of companies, especially bigger ones. This includes things like ticketing systems and project management technologies that wouldn’t be listed in job postings, and is a great resource for targeting attacks like blind XSS where your payload is going to execute on back-end systems rather than the main site.
  • BuiltWith
    • Website and browser extension that identifies technologies used in a web site. The extension is probably better classified as active discovery since you will browse to the site from your system.
  • Google
    • Google’s advanced search operators (Google Dorking) can help find sensitive information, such as searching a domain for specific file types, admin login panels, etc.
  • Amass
    • Amass queries a lot of public DNS sources to identify subdomains associated with the domain provided. When you give it a target’s root domain, it attempts to discover any associated subdomains, which can be written to a file and fed into other tools.
  • Subfinder
    • Subfinder serves a similar purpose to Amass but draws on some different sources. It’s a good idea to use both in order to discover as much of the attack surface as possible. I have a bash script that takes the root domain, runs both Amass and Subfinder against it, aggregates the results, then runs dig against each name to also output a file of unique IP addresses that can be port scanned during the active discovery phase.
  • Wireshark
    • While not applicable in every engagement, sometimes you want to be able to watch all the visible traffic on a network. Wireshark allows you to do just that, all the way down to the frame level. You can follow data streams to rebuild conversations, recover unencrypted information, and even build your own protocol dissectors to reverse engineer custom network protocols.
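The aggregation script described under Subfinder above, written out as an added example (this is not the author’s own script). It assumes amass and subfinder are on PATH and accept the flags shown (amass enum -passive -d/-o, subfinder -silent -d/-o); the merge and filter helpers work on plain text and run offline. The filter keeps only names under the root domain and drops the CNAME targets that dig +short mixes into its output, so the IP list contains nothing outside scope:

```shell
#!/bin/sh
# Added example: merge subdomain enumeration output and derive a unique
# IPv4 list for the active discovery phase. Not the author's script.
set -eu

# Live step (assumed flags): run both tools against one root domain.
enumerate_subdomains() {
  domain="$1"; outdir="$2"
  amass enum -passive -d "$domain" -o "$outdir/amass.txt"
  subfinder -silent -d "$domain" -o "$outdir/subfinder.txt"
}

# Merge any number of result files: lowercase, strip trailing dots and
# blank lines, keep only names that end in the root domain, dedupe.
merge_subdomains() {
  domain="$1"; shift
  re=$(printf '%s' "$domain" | sed 's/\./\\./g')   # escape dots for grep -E
  cat "$@" | tr 'A-Z' 'a-z' | sed 's/\.$//' | grep -v '^$' \
    | grep -E "(^|\.)${re}\$" | sort -u
}

# Keep only dotted-quad IPv4 addresses from stdin, deduplicated.
# dig +short prints CNAME targets and AAAA records too; those are dropped.
unique_ipv4() {
  grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' | sort -u
}

# Resolve each name on stdin with dig and emit the unique IPv4 set.
resolve_ips() {
  while read -r name; do
    dig +short A "$name" || true
  done | unique_ipv4
}

# Usage: RECON_DOMAIN=example.com sh recon.sh  (writes into ./recon-<domain>)
if [ -n "${RECON_DOMAIN:-}" ]; then
  out="recon-$RECON_DOMAIN"; mkdir -p "$out"
  enumerate_subdomains "$RECON_DOMAIN" "$out"
  merge_subdomains "$RECON_DOMAIN" "$out/amass.txt" "$out/subfinder.txt" > "$out/subdomains.txt"
  resolve_ips < "$out/subdomains.txt" > "$out/ips.txt"
  echo "$(wc -l < "$out/subdomains.txt") names, $(wc -l < "$out/ips.txt") unique IPs"
fi
```

The IP file is what you would hand to the port scanner later; the name file is the more useful artifact for the client, since it is the inventory they should compare against what they think is exposed.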

Active Discovery

Active discovery is the next phase of enumerating your attack surface. These methods actually interact with the target’s systems and will leave a footprint in their logs and monitoring systems, sometimes generating a LOT of noise, so you always want to think about the possible consequences of running these tools against a client’s system. It’s not always as simple as worrying about getting noticed either, especially when things like Industrial Control Systems are involved. With SCADA and ICS systems, even something as simple as a port scan can have disastrous results with large financial or personal safety consequences.

  • Nmap
    • Nmap is the de-facto port scanning utility. It has an elaborate scripting engine that can check for various possible vulnerabilities, perform service detection and run various scanning techniques including TCP connect scans, SYN scans (colloquially known as stealth scans) and zombie (idle) scans that avoid filters restricting IP communications.
  • Masscan
    • Masscan is also a port scanner, similar to Nmap, however with some notable differences. It is heavily threaded, so it can scan a large number of hosts significantly faster than Nmap, but the scan capabilities aren’t as thorough. As such, I typically use Masscan first to identify the open ports from a large list of hosts, then use Nmap to scan those open ports and perform things like version detection.
  • EyeWitness
    • EyeWitness is an excellent Python utility that can read a file of URLs, such as the output from Amass and Subfinder, and generate an HTML formatted report with screenshots of HTTP pages, RDP and VNC. This is really good for quickly zeroing in on interesting domains when you have a potential target list of dozens or hundreds of domains.
  • WFuzz
    • WFuzz is an outstanding tool that can be used to locate hidden directories, unknown parameters and API endpoints, brute force parameter values and fuzz just about any other input against a web endpoint.
  • GoBuster
    • Directory and subdomain brute forcing tool written in Go. This is an alternative to the widely used tool Dirbuster. I prefer it over Dirbuster as it seems to have better performance in my experience, generating fewer errors while still providing at least the same amount of functionality.
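The Masscan-then-Nmap handoff described above, as an added example (not code from the original post or from either project). It assumes Masscan’s list output format (-oL) looks like `open tcp 80 10.0.0.5 1600000000`, one line per open port, which is how I know it; the script only prints the follow-up Nmap commands rather than running them, so you can review the per-host port list against the scope before generating the second round of traffic:

```shell
#!/bin/sh
# Added example: turn a masscan -oL file into per-host nmap version scans.
# Not code from either project; -oL layout is assumed as described above.
set -eu

# Group open TCP ports by host. Output: "<ip> <port1,port2,...>" sorted by ip.
# Header ("#masscan") and trailer ("# end") lines do not start with "open".
ports_per_host() {
  awk '$1 == "open" && $2 == "tcp" {
         p[$4] = (p[$4] == "" ? $3 : p[$4] "," $3)
       }
       END { for (h in p) print h, p[h] }' "$1" | sort
}

# Build one nmap command per host, restricted to the ports masscan saw open:
# -sV for version detection, -Pn because masscan already proved the host is up.
nmap_followup_cmds() {
  ports_per_host "$1" | while read -r host ports; do
    printf 'nmap -sV -Pn -p %s %s\n' "$ports" "$host"
  done
}

# Usage: MASSCAN_LIST=scan.txt sh handoff.sh > nmap-jobs.sh ; review, then run.
if [ -n "${MASSCAN_LIST:-}" ]; then
  nmap_followup_cmds "$MASSCAN_LIST"
fi
```

Emitting commands instead of executing them is deliberate: it is the point at which you check the host list against the engagement scope and pull out anything that looks like an ICS or other fragile system before Nmap touches it.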

Vulnerability Scanning

Vulnerability scanning is loud and slow, and should be done with great care regarding your scope and target. I typically only use these tools on networks I own or in CTF-like events. I would use them in a corporate environment if I was on that corporation’s official security team or if I was hired to perform a private assessment, but I would never run them against public bounty programs like the ones found on Bugcrowd or HackerOne. In situations like those, you are running against production systems, which can cause a lot of damage and financial loss if something bad happens, and they will rarely find anything since other bounty hunters or the company’s own security team have likely already leveraged these tools before opening a public program. Always maintain the ‘Trust but Verify’ mentality when reviewing the results, as false positives are common with automated tools.

  • OpenVAS
    • There are a number of vulnerability scanning solutions like Nessus, Qualys, etc., but the main one I use is OpenVAS because it is free and it comes preinstalled on Parrot OS, which is the flavor of Linux that I currently favor. It scans a specified range of hosts and generates a decent report of ranked security issues that it discovers with a good amount of detail, including CVE numbers when available.
  • Nikto
    • Nikto is a web application specific scanner that can help find issues. It’s relatively fast and I find it useful to run in situations where automated scanners in general are appropriate.
  • WPScan
    • Similar to Nikto but specifically targeted at WordPress sites. When assessing a WordPress site, this is a handy tool to leverage.

Web Application Testing

  • Burp Suite
    • The industry standard web proxy, Burp has a lot of tools and plugins that allow monitoring and manipulation of web traffic. Unfortunately, a lot of that is locked behind the professional license. At around $300 a year it isn’t really cost prohibitive for individuals, but I haven’t scraped up the money for it yet since I am prioritizing certain certifications over a tool like this that has a free alternative.
  • OWASP Zed Attack Proxy (ZAP)
    • The aforementioned free alternative to Burp Suite. While it was a little bit of an adjustment to learn coming from Burp, there is a lot that I like about it over the free version of Burp. It allows for the same interception and manipulation of web traffic, includes the site spider tool (which was recently removed from the free version of Burp from what I can tell) and has a pretty good scanner to identify possible security issues in the sites you browse. This scanner has a passive mode which only reviews the server responses that you generate through your normal browsing, as well as an active attack mode that will automatically generate malicious traffic to try and find attack vectors. The issues it finds are ranked and categorized in the Alerts tab, and each alert provides the request that was made to identify it, the payload, a description of the vulnerability type, and what to do to fix it, with links to the relevant OWASP pages. It has also recently added a HUD that overlays all the capabilities and information onto the browser so you don’t need to keep switching windows.
  • SQLmap
    • SQLmap is an automated tool that can actively attack a web application looking for SQL injection vulnerabilities, with the ability to exploit any it finds to dump database data and even spawn a shell. It can be told to test a single request or to crawl an entire site and test everything. It can also be told to output the payloads it uses so you can see what it is actually doing, which is really nice for advancing your own understanding of SQLi.

Authentication Attacks

There are many services and protocols that allow for remote authentication, and each of these represents an attack vector. There are several tools available to check these surfaces for weak or known passwords, but one tool reigns supreme.

  • Hydra
    • Hydra supports a lot of different network protocols, including but not limited to SSH, Telnet, FTP and HTTP. You can provide it dictionary files containing usernames and passwords and it will attempt to log in to the designated service with the credentials you provided.

Exploitation and Post Exploitation

While a lot of the exploitation phase is done manually, writing bespoke scripts or using existing ones, there are a few tools that are useful.

  • Metasploit
    • Possibly the most commonly used exploitation framework, Metasploit is a tool that contains hundreds of scanners, listeners and exploits. You can select and launch exploits with custom options set that can usually spawn a shell or meterpreter session on your target. Once you have a session, you can launch various post exploitation modules to gain persistence, download data from the target, as well as route other traffic through your compromised target in order to pivot to other devices that may only be reachable from the internal network.
  • Social Engineering Toolkit (SET)
    • Works a lot like Metasploit, but is used to launch various social engineering attacks. You can clone websites and embed malicious payloads into them in order to compromise clients you convince to visit your new site. You can craft and launch different types of phishing email attacks, and supposedly send phishing text messages, although I can’t confirm that this functionality still works.
  • MsfVenom
    • Technically part of the Metasploit framework, MsfVenom allows you to build payloads from Metasploit into external files in order to deliver and execute them through other channels. You can run them through multiple levels of various encoding schemes to help avoid antivirus detection.
  • Hyperion
    • Used to encode malicious files to help avoid antivirus detection. Similar to MsfVenom, but I have had some success with it where MsfVenom’s encoded payloads were still detected, possibly due to how well known MsfVenom/Metasploit is.

Hash Cracking

Once you get a foothold on a target system, it’s not uncommon to recover password hashes or encrypted passwords. Occasionally these can be used as-is for pass-the-hash type attacks, but more commonly you will want to recover the plaintext passwords associated with the credentials.

  • John The Ripper
    • John is a tool that can crack a lot of different hash and encryption types given the time to do so. It is an offline attack, meaning you transfer the credentials to your own system and crack them at your leisure. This has the benefit of utilizing the more-than-likely greater resources available to your system over the target system, as well as not generating any additional noise in the target’s logs or monitoring systems beyond the exfiltration of the credentials.
  • Hashcat
    • Hashcat fills a similar role as John the Ripper. It performs offline hash cracking of many different types and can be configured to utilize your GPU to achieve an enormous performance boost.
  • Unshadow
    • Unshadow is a command that takes a Linux /etc/passwd file and an /etc/shadow file and outputs a single file with the usernames and their associated password hashes, in a format that tools like John the Ripper can crack.
  • Samdump2
    • What unshadow is to Linux password files, samdump2 is to Windows passwords. It takes in the recovered SAM file and the SYSTEM hive file from the target Windows machine and outputs a single file that contains the usernames and hashes in a format that can be cracked by John or Hashcat.
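What unshadow actually does to the two files, as an added example (not the unshadow source, and not code from the original post): the second field of each /etc/passwd line, normally just `x`, is replaced with the hash from the matching /etc/shadow entry, so the cracker gets the hash and the account metadata (uid, GECOS, shell) in one record. The sample passwd and shadow lines in the usage are constructed, with a placeholder hash rather than a real one. The second helper is the check worth doing before a cracking run: entries whose hash field is `*`, `!` or empty are locked or passwordless accounts and will never crack, so they are wasted GPU time:

```shell
#!/bin/sh
# Added example: unshadow-style merge of passwd and shadow, plus a filter
# for entries that actually carry a crackable hash. Not the real unshadow.
set -eu

# unshadow_like PASSWD SHADOW
# Reads shadow first (NR==FNR) to map user -> hash, then rewrites field 2
# of each passwd line. Users missing from shadow keep their "x".
unshadow_like() {
  awk -F: 'NR == FNR { hash[$1] = $2; next }
           ($1 in hash) { $2 = hash[$1] }
           { print }' OFS=: "$2" "$1"
}

# Keep only merged lines whose hash field could be cracked: not empty,
# not the passwd placeholder "x", and not a locked marker ("*", "!", "!!").
crackable_entries() {
  awk -F: '$2 != "" && $2 != "x" && $2 !~ /^[*!]/'
}

# Usage: sh unshadow_like.sh passwd.copy shadow.copy > merged.txt
if [ $# -eq 2 ] && [ -f "$1" ] && [ -f "$2" ]; then
  unshadow_like "$1" "$2" | crackable_entries
fi
```

On the defensive side the same filter is a quick audit: any interactive account that survives `crackable_entries` with a weak hash type in field 2 (for example an MD5 `$1$` prefix rather than `$6$` or `$y$`) is worth flagging before an attacker gets to run John against it.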

Conclusion

This is far from an exhaustive list. There is a seemingly infinite list of tools for any individual task, with new ones being developed all the time. I am planning on writing more comprehensive posts on each individual tool listed here, so stay tuned.

If you found this content helpful, please consider donating your favorite cryptocurrency below.
