I barely scratched the surface of penetration testing in my own blogging, and I’ve already amassed a long list of resources. So rather than withhold any longer, I’ll spill the beans in this initial roundup.
As an IT person, you may already have some of these tools or software. In a sense, anything that helps you peek or poke into a system is a pen testing tool. And this is what makes defining pen testing software a little hazy.
For example, PowerShell can be used successfully as an attack vector. Pen testers such as Ed Skoudis rely on it in their system evaluations. The key point is that you have to think like a hacker.
So if PowerShell is available with a full slew of cmdlets — by the way, in Windows you can restrict execution of PS scripts — then as a pen tester, you use it!
I stuck to a more conservative view of pen testing software in the following rundown:
Penetration Testing in a Box
Let’s get Metasploit out of the way first. This is the one-stop shop for pen testing. It’s not a single tool but a meta testing environment in which you can choose from specific exploits, payloads, and post-exploitation modules. With Metasploit, testers can also load Meterpreter, which is essentially a full-featured remote access platform. It’s the approach Ed Skoudis favors over working directly with remote access trojans.
Metasploit is available from Rapid7. You can download a free version with limited features.
Networking and Web Vulnerabilities
While Metasploit provides the ultimate environment, you may want to first test for more specific vulnerabilities. The following tools are usually part of a tester’s toolkit:
Nmap – It’s a free open-source tool for port scanning, host discovery, and analysis. It was originally a command-line tool, but it now has a GUI through Zenmap, which can help visualize network topologies. Nmap is the work of Gordon “Fyodor” Lyon, who wrote a book on the subject. The first half of it is available here.
Powerfuzzer – There’s a whole category of fuzzing tools that generate random or malformed input as a way to probe systems and software. Powerfuzzer is one such open-source tool. It combines many different fuzzers, allowing pen testers to find and exploit SQL, code, and command injection flaws.
Burp Suite – This is a popular web application tester and fuzzer. It crawls web sites and looks for vulnerabilities, including SQL injection and cross-site scripting – a complete list of tests can be found here. A free version (with limited features) is available from Portswigger.
OWASP ZAP – Similar to Burp Suite, ZAP (Zed Attack Proxy) combines port scanners, spiders, and fuzzers to search for web assets and then test vulnerabilities. Check out these tutorial videos for more details.
Sqlmap – SQL injection attacks are still all too common. Sqlmap finds the injectable input handling in your web forms and parameters that made it through your QA processes. If you want to focus just on SQL injection, then try this free tool.
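To make concrete what a tool like sqlmap is hunting for, here is an added example (not from the original post, and not code from any of the tools above): a constructed SQLite user table with a login lookup written two ways. The string-built version lets a tautology in the password field match every row; the parameterised version binds the same input as data and matches nothing. Plaintext passwords are a simplification for the demo only.

```python
"""Vulnerable vs. hardened login lookup (added example, constructed data)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table; real apps would store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String-built query: user input becomes part of the SQL grammar."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: input is bound as a value, never parsed as SQL."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run both lookups with valid credentials and with a tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # classic probe string; closes the literal, ORs a truth
    return {
        "vuln_good": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_payload": login_vulnerable(conn, "nobody", payload),  # every row
        "hard_good": login_hardened(conn, "alice", "correct horse"),
        "hard_payload": login_hardened(conn, "nobody", payload),  # no rows
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable query ends up as `... AND password = '' OR '1'='1'`, and since AND binds tighter than OR, the OR clause is true for every row.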
Post Exploitation Tools and References
You’ve broken into the system, now what? For pen testers, the main concerns are to continue network discovery and then find ways to move laterally.
Nmap (see above) — It’s also useful behind the firewall.
Wireshark – This one is a classic of the packet sniffing genre. It’s always helpful to see what’s being passed around on the wire, and that’s where Wireshark excels.
Cain and Abel – Referred to as a Windows password recovery tool, C&A can perform both brute-force and cryptanalytic attacks on encrypted password files. It’s a way for pen testers to collect more credentials, and also, of course, find weak passwords.
Mimikatz – The classic pass-the-hash (PtH) utility for collecting and reusing credentials. It’s able to pull the hashes of Windows passwords out of LSASS memory and then reuse them with other applications. It enables pen testers to open shells on other systems to which they did not originally have access. And Mimikatz will show IT which domain-level credentials are cached on users’ machines.
Ncat – Of course, ncat is a legitimate and powerful IT tool for connecting inputs and outputs, but it’s also a favorite of pen testers. You can place one ncat in client mode and connect to another in server mode, and then launch a remote shell. I did just that in my own pen testing experiment. Ncat, by the way, is bundled with the aforementioned nmap.
Trojans, APTs, and C2s – Many of the most devastating breaches have involved hackers depositing remote access trojans and other long-lasting command-and-control (C2) software. This type of malware lets hackers monitor and access the target system remotely, making it difficult (but not impossible) to detect their activities.
Pen testers can use Metasploit to load RATs and other remote control software as payloads, and then report on how IT security responded. Of course, you’ll need to do this ethically and work out rules of engagement with IT — check this sample document of pen testing rules from SANS.
SANS Penetration Testing – SANS is a terrific resource for all things security. They also have a specialized penetration testing practice. I would first review their very high-quality content (white papers, videos, and blog posts) to get yourself on firm footing.