Fatskills
Practice. Master. Repeat.
Study Guide: CompTIA PenTest+ Certification: A Comprehensive List of PenTest Tools
Source: https://www.fatskills.com/comptia-pentest-certification/chapter/comptia-pentest-certification-a-comprehensive-list-of-pentest-tools

CompTIA PenTest+ Certification: A Comprehensive List of PenTest Tools

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~32 min read

Aircrack-ng Suite
Aircrack-ng (https://www.aircrack-ng.org/) is a wireless testing suite comprising various command-line tools. It is discussed here. It can help capture wireless traffic; replay traffic; crack WPA, WPA2 PSK, and WEP; and perform attacks such as deauthentication attacks, creating fake access points, and injecting packets.

Some of the tools it includes are the following:
- airbase-ng can act as an ad hoc AP, capture, and filter packets.
- aircrack-ng is a WEP and WPA key cracking program that runs against capture files.
- airdrop-ng is a program for targeted deauthentication attacks.
- aireplay-ng can replay or inject frames. It is primarily used to generate traffic for cracking with aircrack-ng, but can also perform chopchop, deauthentication, and fragmentation attacks.
- airgraph-ng processes .csv files from airodump-ng into graphical visualizations of wireless networks.
- airmon-ng puts a wireless card in monitoring mode, which allows the device to capture wireless traffic without first connecting to a wireless network. This is often used for wireless reconnaissance and as a prerequisite step for other aircrack-ng suite tools that capture traffic.
- airodump-ng is used for capturing wireless traffic, and is very useful when collecting WEP initialization vector (IV) data for aircrack-ng. This can be combined with a GPS to map wireless signals geographically.
- besside-ng can be used to automatically crack WEP keys and log WPA handshakes for cracking.
- Dcrack enables distributed cracking for WPA/2 PSK across multiple servers.
- Mdk4 (see mdk4 entry).
- packetforge-ng can create encrypted packets for injection and replay on wireless networks if you have a pseudo-random generation algorithm (PRGA) file obtained from fragmentation attacks or a chopchop attack, for example.

Android SDK Tools
Android SDK (https://developer.android.com/studio/intro) tools are the official Android API tools, including an integrated development environment (IDE) for developing Android applications. They are useful for mobile application and device testing, including source code analysis.

APK Studio
APK Studio (https://github.com/vaibhavpandeyvpz/apkstudio) is an IDE designed with reverse engineering Android applications in mind. It allows you to decompile, recompile, sign, and install APKs for Android devices; edit and view code; and includes a hex editor for binary files. This is useful if you have a compiled Android application you need to reverse or need to bypass certificate pinning in order to intercept traffic between the application and a remote service. Additional functionality is explored here.

ApkX
ApkX (https://github.com/b-mueller/apkx) is a Python wrapper for multiple tools that extracts Java source code from APK files. This automates the process of extraction, decompilation, and conversion. Here is an example of usage:

This tool is useful when you need to examine the actual Java code within an APK for code tampering and reverse engineering. Refer to the OWASP Mobile Testing Guide section “Decompiling Java Code” for more information about usage: https://github.com/OWASP/owasp-mstg/blob/e6e3f113c44e76fc1481fff063fe44800d5bfcd5/Document/0x05c-Reverse-Engineering-and-Tampering.md#decompiling-java-code

Bash
Bash (https://www.gnu.org/software/bash/manual/bash.html) is a *NIX operating system shell: the command-line interface and command language interpreter for many *NIX systems. Scripts written in Bash can be used for pentest and system administration automation, including reverse and bind shells, shell escapes, and privilege escalation, among others. Bash is covered in more detail here.

BeEF (Browser Exploitation Framework)
BeEF (https://beefproject.com/) is an exploitation tool that focuses on client-side attacks (like XSS and session hijacking) against web browsers. You can use BeEF in web-based social engineering attacks by generating and injecting JavaScript hooks into web content that allow you to interact with the target browser via a console provided by the BeEF tool. This can be used to gain footholds on a hooked target, steal credentials or authentication materials, and execute other attacks within the context of the browser.

BloodHound
BloodHound (https://bloodhound.readthedocs.io/en/latest/) explores relationships between objects in Active Directory or Azure and displays them graphically. This is potentially useful for identifying privilege escalation opportunities along an attack path, but running the tool against an environment is typically very noisy and potentially disruptive. It should be scoped carefully during any assessment and used thoughtfully, or potentially avoided when stealth is a primary operational concern. Examples of BloodHound use are shown here.

Brakeman
If you need to perform static application security testing (SAST) against a Ruby on Rails application, Brakeman (https://brakemanscanner.org/) will take Rails source code, scan it, and produce a report of potential security issues. As with all automated code analysis tools, it may generate false positives, so its results should be manually reviewed. It will also miss issues that are introduced during runtime by interaction with other components, so it should be used with other tools and DAST methodologies to fully evaluate an application for pentesting. It is run from the command line using dashed options (-A, -n, etc.) to define its behavior and can either target a specific application and path or run against the application in the current directory.

Burp Suite
Burp Suite (https://portswigger.net/burp) is a web security testing toolkit offered as a graphical application. It has both a Professional and a free Community edition. Burp Suite allows you to proxy and intercept, tamper with, replay, and inject web traffic. It offers various plugins (like DirBuster) via a community store that automate attacks such as brute force, SQL injection, and attacks against session management. It even contains a decoder to make it easier to transform and analyze web data. Burp Suite will show the request and the response for various web traffic and has an embedded browser for testing. It can passively or actively crawl sites and highlight potential security issues as it goes using a built-in vulnerability scanner.

Examples of Burp Suite usage can be found here, and additional use cases are discussed in detail at the portswigger website: https://portswigger.net/burp/documentation/desktop/penetration-testing

Cain
Cain (https://web.archive.org/web/20190603235413/http://www.oxid.it/cain.html) is the cracking component of the Cain & Abel tool. Cain was originally created as a GUI application for older versions of Windows (Windows 2000 and earlier). It can crack passwords using brute force and dictionary attacks, and it supports rainbow tables. Password targets include WEP, NTLM and LM hashes, NTLMv2 hashes, MD5 hashes, SHA-1 and SHA-2 hashes, Cisco IOS and PIX hashes, and RADIUS and IKE PSK hashes. The tool is older and well-known, and therefore recognized as malware by most host security products. It’s mainly useful when other crackers do not support the hash type or when rainbow tables would be faster than GPU-based attacks using dictionaries or rules-based brute force. Another tool that implements rainbow tables is RainbowCrack.

Call Spoofing Tools
Many tools aid in caller ID spoofing, and the Social-Engineer blog has a great list (https://www.social-engineer.org/framework/se-tools/phone/caller-id-spoofing/). Generally, the purpose is to hide the phone number you are calling from or make it appear as another number during phone-based social engineering attacks. Many business phones show the caller ID information, and it raises less suspicion if the source number appears familiar to the person answering the call. Local and regional laws may affect what is legally allowed when it pertains to caller ID spoofing, so be aware of these limitations as part of your scoping exercise.

Censys
Censys (https://censys.io/ and https://search.censys.io/) scans publicly exposed assets on the Internet and stores the details in a searchable database. The searchable database is useful for performing passive reconnaissance about a target using data gathered about ports and services listening on hosts and other data exposed in their certificates.

CeWL
The Custom Word List Generator (CeWL)
(https://github.com/digininja/CeWL) will crawl target websites and assemble a wordlist using interesting terms identified during the crawl, including e-mail addresses. These wordlists can then be used for further targeting, brute-forcing possible URLs, hostnames, or even as password cracking dictionaries. CeWL is written in Ruby and is designed to be run from the command line using flags (e.g., -w0) to govern its behavior. Options include controlling the depth of the crawl, output file, user agent to send, length of words that it collects, and whether or not to include e-mail addresses.

Cloud Custodian
Cloud Custodian
(https://cloudcustodian.io/docs/index.html) runs a series of scripts that are designed to audit the security of cloud environments. It uses YAML files with policies to define what it looks for and produces reports of likely issues found with permissions and other cloud configurations based on the policy used to run it. It runs from the command line using a mode to control its behavior. For instance, it can scan, do nothing but validate the YAML, or can attempt to remediate the target. For cloud environments with well-documented assumptions, this can identify low-hanging fruit or make recommendations across many cloud assets quickly. Examples of Cloud Custodian are documented here.

CloudBrute
CloudBrute (https://github.com/0xsha/CloudBrute) is an enumeration tool for cloud environments. It supports multiple cloud providers and can identify buckets, applications, and storage based on domain information or other target keys supplied at runtime from an unauthenticated perspective. It can also help enumerate exposed ports and HTTP/S services based on what it finds. It is designed to run from the command line, using option flags to modify its behavior. Examples of its usage can be found here.

Coagula
Coagula (https://www.abc.se/~re/Coagula/Coagula.html) takes images and turns them into sounds. This can be used as part of steganography to conceal data within sound files. This may be a useful mechanism for data exfiltration to bypass data loss prevention tools or other security controls designed to trigger based on malicious content. Files can be reassembled from the sound file using a tool such as Audacity, Spek, or Sonic Visualiser.

Covenant
Covenant (https://github.com/cobbr/Covenant) is a .NET C2 framework designed to allow pentesters to collaborate during an attack operation. The tool uses a web interface for orchestration of the components, including configuration of listeners, payload generation, and management of agents on compromised hosts called Grunts.

CrackMapExec
CrackMapExec (CME)
(https://github.com/byt3bl33d3r/CrackMapExec) is a post-exploitation tool designed to stealthily automate security testing of Active Directory environments. It uses native tools to “live off the land” as part of its tactic to remain undetected and evade security controls that would otherwise block attack tools. It also uses Impacket and PowerSploit to assess privilege issues and perform attack actions. This tool is worth additional independent exploration, although the documentation in the URL provided will get you started.

DirBuster
DirBuster (https://wiki.owasp.org/index.php/Category:OWASP_DirBuster_Project) is a Java application that uses dictionaries and wordlists to attempt to guess directories and filenames on websites. For sites or files that are not shown in site indexes or otherwise linked from sites you have crawled, these files can’t be automatically discovered and must be brute-forced. DirBuster is now an inactive project that has been integrated into OWASP ZAP, but you can read more about its ideal use cases at OWASP: https://owasp.org/www-community/attacks/Brute_force_attack

Drozer
Drozer (https://github.com/FSecureLABS/drozer and https://labs.f-secure.com/tools/drozer/) is an Android security assessment framework, which acts as a third-party application that interacts with IPC endpoints for other applications and the underlying OS. This allows you to search for security vulnerabilities by interacting with the target via provided modules. Additional functionality is explored here.

EAPHammer
EAPHammer (https://github.com/s0lst1c3/eaphammer) is a pentesting tool designed for gaining access to wireless networks using evil twin attacks against WPA and WPA2 networks and networks using RADIUS. This tool can be installed in Kali Linux and is useful when you need to steal RADIUS credentials with a malicious AP or AD credentials with a hostile portal. It also supports karma attacks.

Empire
Empire (https://www.powershellempire.com/ and https://github.com/BC-SECURITY/Empire) is a PowerShell exploitation framework that is no longer supported by its original authors. However, since many of the tools do still work, they are sometimes referenced by pentest blogs and are still used in practice. These tools have become well-known and are therefore more likely to be detected in advanced environments unless additional methods of concealment (such as using PowerPick or obfuscation techniques) are also applied. The framework includes many PowerShell scripts and modules designed for gathering credentials (running Mimikatz), discovery and reconnaissance, privilege escalation, lateral movement, and persistence, among others. Some examples of Empire components are discussed here.

Ettercap
Ettercap (https://www.ettercap-project.org/) is an on-path tool for network traffic. It can perform ARP spoofing attacks, sniff network traffic over a live connection, and apply filters to modify that traffic in real time. It is a command-line tool that supports being run in Linux, BSD, and some versions of macOS. Ettercap is useful if you have access to a network but need to intercept or modify traffic between other network endpoints on the same subnet in order to further your access. Examples might be if you needed to attempt to steal credentials or hijack web traffic.

Exploit Database
Exploit Database (https://www.exploit-db.com/) is a database of known exploits contributed by the community that you can search to find proofs of concept and exploit examples for use during a pentest. Exploits may need to be additionally modified in order to be useful within the context of a specific penetration test.

Fern
Fern (http://www.fern-pro.com/ and https://github.com/savio-code/fern-wifi-cracker) is a Python tool for Wi-Fi security auditing and cracking. It can recover WEP, WPA, and WPS keys, as well as perform several types of Wi-Fi attacks (Reaver, chopchop, fragmentation attacks, and more). It comes in a free version (GitHub) and a paid professional version. It requires the aircrack-ng suite, Scapy, and Reaver.

FOCA
FOCA (Fingerprinting Organizations with Collected Archives)
(https://github.com/ElevenPaths/FOCA) is a tool to mine documents for metadata and other hidden information. This information may be useful in the context of reconnaissance and discovery in preparation for social engineering attacks. For example, this can help extract author information, e-mail addresses, or even account information for the generation of pretexts and creating targeting lists.

Frida
Frida (https://frida.re/) is a mobile testing toolkit that allows pentesters to inject scripts into black box processes and gain insight into the operations of APIs, private code, and running functions during security testing of mobile devices. Frida and its use cases are discussed here.

GDB
The GNU Debugger (https://www.gnu.org/software/gdb/) is a free debugger. Debuggers allow you to interact with applications as they run in order to analyze their behavior by doing things like pausing execution at specific breakpoints and analyzing what has happened during a failure or change in execution. Debuggers do not disassemble code from the compiled format to source code, but they can allow insight into how the code runs based on changes to execution they inject during runtime. These are useful for vulnerability research, reverse engineering, and exploit development. One example would be if you are trying to bypass authentication in an application by changing the value sent from an authentication function to the rest of the program manually in a debugger.

Gobuster
Gobuster (https://github.com/OJ/gobuster) can be used to enumerate Amazon S3 buckets; virtual hostnames for web servers; and DNS entries using fuzzing, filters, and different protocols and HTTP methods. The tool is designed to run at the command line, with flags to modify its behavior at runtime. The tool observes four modes: dir (for directory bruting), dns (for DNS hostname enumeration), s3 (for AWS buckets), and vhost (for web servers). At runtime, you specify a wordlist and output file location, as well as necessary information for targeting.

Hashcat
Hashcat (https://hashcat.net/hashcat/) is a GPU-based cracking engine designed for brute-force and dictionary attacks using rules and filters. It’s designed to target password hashes of various kinds, and it is considered to be the fastest method for password cracking. Use this when you have a hash that you cannot pass, or if you need to audit password strength based on a collection of hashes.

Hping
Hping (http://www.hping.org/) is a command-line tool for generating TCP/IP packets. While its functionality has been implemented in Nmap, hping3 is scriptable in the Tcl scripting language, and it can render packets into strings-based, human-readable descriptions for ease of writing scripts to perform low-level packet manipulation and analysis. With Hping, you can also spoof the source IP address and generate large amounts of traffic in order to explore various DDoS techniques, the most common use case during pentesting.

Hydra
Hydra (https://github.com/vanhauser-thc/thc-hydra) is a tool for password spraying and brute-forcing against live services, including HTTP, Oracle, Cisco, POP3, VNC, and more. Its highly parallelized approach to attacking live services across multiple protocols, as opposed to offline password cracking, makes it very useful for pentesters to evaluate password security and effective attack detection and mitigation during purple team exercises. It is typically used as a command-line tool that will run in various operating systems, using -flags to modify its behavior. Example usage is described here.

IDA
IDA (https://hex-rays.com/ida-pro/) comes in various paid versions and a free version (IDA Free). The features that are available differ across versions, but it is a powerful code disassembly and debugging tool. It analyzes a compiled application and examines how the CPU processes the information and attempts to generate assembly code from that analysis, and it can support remote debugging for various types of fuzzing attacks. It has a variety of plugins (e.g., HexRays) that allow you to extract C code from a compiled binary for static code analysis. It is useful for code analysis, reverse engineering, vulnerability research, and exploit development.

Immunity Debugger
Immunity Debugger (https://www.immunityinc.com/products/debugger/) is useful for exploit development, malware analysis, and reverse engineering. It allows you to graphically render functions and program flows, facilitates heap analysis, and implements a Python API for scriptability. The Mona Python plugin, for example, will allow you to easily figure out offsets for buffer overflows, identify ROP chains, and explore other gadgets that are useful for exploitation.

Impacket
Impacket (https://github.com/SecureAuthCorp/impacket) is a Python tool suite used for network protocol manipulation. There are many valid uses for Impacket during penetration tests, including interacting with Windows hosts from Linux attack platforms. One example might be to use an admin credential to DCsync a domain controller from a Linux box. Usage examples are discussed here.

John the Ripper
John the Ripper (JtR) (https://www.openwall.com/john/) is an offline password cracking tool. For CPU-based cracking, JtR is one of the fastest tools for password recovery. So, if GPU cracking is unavailable, you would use JtR. However, JtR also implements different rule sets than other cracking tools, and these rule sets may recover passwords where other cracking tools fail, so it is a good supplement to other cracking tools for large password lists.

Kismet
Kismet (https://www.kismetwireless.net/) is a wireless security assessment tool that can detect devices, sniff wireless traffic, and aid with wardriving. It supports Bluetooth as well as traditional wireless networks. It is most commonly used for wireless reconnaissance and supports graphical mapping of wireless data based on supplemental GPS data. Read this guide for more details about wireless attacks.

Maltego
Maltego (https://www.maltego.com/) uses transforms to automatically retrieve reconnaissance data from open-source and paid data sources based on search seeds, such as an e-mail address or domain name. This is a powerful reconnaissance tool that can quickly identify relationships between targets, such as e-mails, web servers, or other infrastructure (e.g., IP ranges) that are very useful in constructing and confirming target lists, building pretexts, and identifying other potentially interesting areas for research about your target.

mdk4
mdk4 (https://github.com/aircrack-ng/mdk4 and https://en.kali.tools/?p=864) is a wireless testing tool used to inject frames on several operating systems. This allows you to perform numerous attack types, including beacon flooding, denial of service and deauth attacks, SSID probe and brute-forcing, packet fuzzing, and more. An example of performing a beacon flooding attack on the wireless interface wlan0 using nonprintable characters and long SSIDs (-a) with valid MAC addresses according to the embedded OUI database (-m) at a rate of 200 packets per second (-s) might look like this:
$ sudo mdk4 wlan0 b -a -m -s 200

Medusa
Medusa (https://github.com/jmk-foofus/medusa and http://foofus.net/goons/jmk/medusa/medusa.html) is a tool similar to Hydra, in that it performs password brute-force attacks against live services. It supports multiple protocols and can send requests in parallel from wordlists. During a pentest, you would use Medusa in the same circumstances that you would use Hydra, with the choice being based on preference, performance in your environment, and protocol support.

Metasploit
Metasploit (https://www.metasploit.com/) is a pentesting framework that includes many community-contributed modules for attack. It is useful for most phases of penetration testing, including reconnaissance, vulnerability identification, exploitation, and command and control. Metasploit is discussed mainly in the context of post-exploitation here.

Mimikatz
Mimikatz (https://github.com/gentilkiwi/mimikatz) is a tool used to extract authentication information from Windows systems. This includes Kerberos tickets, plaintext passwords, password hashes, PIN codes, and more. It can help pentesters perform pass-the-hash and pass-the-ticket attacks, as well as Kerberoasting attacks by building golden tickets. During a pentest you would use Mimikatz during post-exploitation, such as if you have access to a system and wanted to gather additional credentials for lateral movement or privilege escalation. This is discussed here.

mitm6
mitm6 (https://github.com/dirkjanm/mitm6) intercepts DNS and DHCP queries from a selected target and operates as a rogue DNS/DHCP server. This can then be used to redirect victim traffic to other malicious resources or perform relay attacks when used with tools like ntlmrelayx in Impacket. Further information, including examples of usage and output, are available in the Fox-IT blog article “mitm6 – compromising IPv4 networks via IPv6,” which can be found here: https://blog.fox-it.com/2018/01/11/mitm6-compromising-ipv4-networks-via-ipv6/

MobSF
The Mobile Security Framework (MobSF)
(https://github.com/MobSF/Mobile-Security-Framework-MobSF) is a mobile pentesting framework that can target Android, iOS, and Windows devices. It provides tools for static and dynamic code analysis and is discussed here.

Ncat
Ncat (https://nmap.org/ncat/) is an implementation of the Netcat (nc) tool for Nmap. It allows you to read and write data across networks using the command line. It can be used to redirect TCP and UDP ports to other sites, and it supports SSL and proxy implementations with SOCKS. Ncat is integrated into Nmap and is downloaded with it. The detailed usage guide with examples can be found on the Nmap site at https://nmap.org/ncat/guide/index.html.

Nessus
Nessus (https://www.tenable.com/products/nessus) is a vulnerability scanner. It can perform network discovery using port scans and enumerate services from either an authenticated or nonauthenticated context. From an unauthenticated context, it attempts to connect to exposed services and use banner and installation information or differences in protocol responses to attempt to identify listening services and versions. It can then compare that information to an extensive internal database of known vulnerabilities to highlight potential or confirmed vulnerabilities on the identified services. This is useful for identifying potential paths for exploitation and quickly performing mass discovery when stealth is not a concern during a pentest.

Netcat
Netcat (nc) (https://linux.die.net/man/1/nc) is a tool that is distributed with many Linux distributions that allows you to send and receive TCP and UDP traffic, listen on arbitrary TCP and UDP ports, and do many other tasks with TCP or UDP. It is highly scriptable using Bash, for example, and can be used during a pentest to transfer files to or from target machines, implement bind or reverse shells, or directly test a service using a raw connection. Examples of usage are included here.

Nikto
Nikto (https://cirt.net/Nikto2andhttps://github.com/sullo/nikto/wiki) is a web server vulnerability scanner. It tests for known vulnerabilities against target web URLs you provide. An example of using Nikto was given here, but you would use it to find known vulnerabilities pertaining to outdated plugin versions or other web software in cases where stealth is not a concern.

Nmap
Nmap (https://nmap.org/) is a free pentest tool for network discovery and security testing. It is typically run from the command line, but a GUI version (Zenmap) does exist. Nmap has a robust scripting engine and a sizable collection of scripts to perform various activities, including everything from brute force and enumeration to database hash dumping and form fuzzing. 

nslookup
nslookup (https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/nslookup and https://linux.die.net/man/1/nslookup) is a utility that is included with multiple operating systems that allows you to make DNS queries to find hostnames from IP addresses and IP addresses from hostnames on a network. That is its most primitive use, however. Various command-line and usage modes make it useful for reconnaissance and troubleshooting of DNS. Check out this guide for more use cases involving information gathering and reconnaissance.

Objection
Objection (https://github.com/sensepost/objection and https://github.com/sensepost/objection/wiki/Using-objection) is a mobile exploitation toolkit that aids in runtime security testing without needing to jailbreak the device. By using a patched application to hook Objection calls, you can remotely interact with the device to explore security issues. Objection is discussed in more detail with usage examples here.

OllyDbg
OllyDbg (https://www.ollydbg.de/) is a free Windows-based debugger. It’s useful in performing code analysis by tracing registers and recognizing strings, constants, API calls, procedures, and more. As many tools in the debugging space cost money, this is often an alternative for pentesters with limited budget or resources. Debugging is helpful for vulnerability identification, exploit development, and dynamic application analysis. Load an application into a debugger, and you can manipulate inputs and outputs for various functions during runtime by using execution breakpoints in order to identify flaws in application logic or other bugs.

Open VAS
Open Vulnerability Assessment Scanner (OpenVAS)
(https://www.openvas.org/) is a free vulnerability scanner and an open-source alternative to Nessus. The library of vulnerabilities and tests that it uses are community contributed, and it may have different findings than other vulnerability scanners such as Nessus, but it provides a free and open-source alternative to other options for fast vulnerability identification and attack surface enumeration.

OpenStego
OpenStego (https://www.openstego.com/) is a steganography tool that can hide and recover hidden data from files. OpenStego takes a source file (e.g., what you are hiding) and an image where you would like to hide the file and supplies both values via a graphical user interface. OpenStego outputs an image file that appears visually to be the same as the original image, but it contains the full contents of the source file encoded within the image. This information can optionally be encrypted to prevent unauthorized recovery of the data. These types of tools are useful for data exfiltration and security control evasion.

OWASP ZAP
OWASP Zed Attack Proxy (ZAP) (https://www.zaproxy.org/docs/) is a free web application scanner. Its functional purpose is very similar to Burp Suite, but it offers a different array of features. ZAP does not offer as extensive a list of community contributed plugins as are available with Burp Suite, for example, and it does not offer an integrated browser for testing. However, it does allow many of the same attacks that Burp Suite does—for example, injection of web content, proxying of web content, crawling, and viewing requests and responses from web servers. However, with ZAP, vulnerability identification is more manual than with Burp Suite, which leverages a built-in vulnerability scanner.

Pacu
Pacu (https://rhinosecuritylabs.com/aws/pacu-open-source-aws-exploitation-framework/) is an AWS security testing toolkit created by Rhino Security Labs. It uses modules to perform various actions, including testing permissions, injecting backdoors via credentials, and conducting automated privilege escalation attacks. Pacu is discussed here.

Patator
Patator (https://github.com/lanjelot/patator) is a password brute-forcing tool that works against live listening services. Similar to Hydra and Medusa, it is another solution that uses modules to target specific protocols and can perform host and user enumeration, as well as password guessing attacks based on files containing guessable items, such as hostnames, usernames, and passwords.

ProxyChains
ProxyChains (https://github.com/haad/proxychains) allows you to tunnel other traffic besides web traffic over a proxy. This is useful during a pentest when you need to access systems on a network that is inaccessible to your attack platform but accessible to a target you have compromised. Essentially, this tool allows you to bridge networks by creating a proxy tunnel for any other protocol. It determines what ports and targets to use for the tunnel using a config file (default: proxychains.conf).

You could use it to run Nmap by doing the following, for example:
$ proxychains nmap -A 10.20.0.0/24

The proxychains.conf will have an entry similar to this, which designates which system you are proxying through. So, assume that our attack host can’t reach 10.20.0.6, but we can reach 10.10.0.6, and 10.10.0.6 can reach 10.20.0.6. The proxychains.conf file could specify this to make the earlier <code>nmap</code> command work.


Or, you could run a bash shell with SSH using SOCKS:


This command tells SSH to run in the background after it connects without executing anything remotely (-fN) and to dynamically forward port 8675 (-D).

Reaver
Reaver (https://github.com/t6x/reaver-wps-fork-t6x) is a Wi-Fi brute-forcing tool designed to attack WPS registrar PINs to get WPA/WPA2 passphrases and can perform the offline pixie dust attack. Examples are covered in here.

Recon-ng
Recon-ng (https://github.com/lanmaster53/recon-ng and https://github.com/lanmaster53/recon-ng/wiki) is a framework for conducting reconnaissance. The tool implements a Metasploit-like shell from which you can run modules to perform reconnaissance. Modules can be downloaded from a marketplace from within the tool. It uses API keys for web systems such as VirusTotal, GitHub, Censys, or Shodan to gather OSINT as part of the passive information gathering process. This can help you find target hostnames, social media data from targeted users, leaked credentials, contact information, and more. Recon-ng usage examples are covered in more detail here.

Responder
Responder (https://github.com/lgandx/Responder) is a tool for responding to LLMNR, NBT-NS, and MDNS requests and intercepting the resulting data from that exchange. It can be used to gather Windows challenge hashes resulting from requests to nonexistent services or other maliciously redirected requests. The tool has multiple uses, but this is the primary use you will likely see on the exam.

Rogue Access Points
Wireless security testing tools may be able to act as a rogue AP. This can entice wireless supplicants to connect, enabling the tester to acquire credentials or other information from the victim systems. Wireless pentesting is covered here.

SCAP
Security Content Automation Protocol (SCAP)
(https://csrc.nist.gov/projects/security-content-automation-protocol) is a collection of specifications for exchanging content from security automation. Specifications include resources for asset identification, asset reporting, NIST’s Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE), Open Vulnerability Assessment Language (OVAL), Software Identification (SWID), and more. The idea is to provide content for configuration compliance checks and vulnerability identification that multiple tools can use in order to perform additional evaluation of security based on standards. This is most commonly referenced in environments requiring compliance according to U.S. government specifications.

ScoutSuite
ScoutSuite (https://github.com/nccgroup/ScoutSuite) is a multiplatform cloud security auditing tool. It runs automatic checks via a command-line interface and produces a report to highlight potential flaws in configurations of cloud environments or other issues that should be manually investigated. This can be used as an initial quick identification of areas to look for large-scale cloud assessments. Usage examples are here.

SearchSploit
SearchSploit (https://www.exploit-db.com/searchsploit) is a tool that is included with Kali Linux that can be used for searching exploit-db. This allows you to search for potential exploits based on identified target characteristics or specific vulnerabilities.

SET
The Social-Engineer Toolkit (SET)
(https://github.com/trustedsec/social-engineer-toolkit and https://github.com/trustedsec/social-engineer-toolkit/raw/master/readme/User_Manual.pdf) is an open-source Python toolkit for pentesting using social engineering. It has integrations with Ettercap, Metasploit, and other tools. Among other capabilities, SET can generate and host web-based payloads for social engineering attacks and create and send spoofed e-mails. An example of usage can be found here.

Shodan
Shodan’s (https://www.shodan.io/) strength is aiding pentesters in gathering information about a target using passive techniques. Shodan scans Internet-facing assets and gathers information about open ports and identifiable services and allows you to search the results of those scans without touching the targets yourself.

Snow
Snow (http://manpages.ubuntu.com/manpages/bionic/man1/stegsnow.1.html) is a steganography tool that allows you to test security controls evasion by hiding data using the white space of ASCII messages. This is useful for data exfiltration testing. Since trailing white space characters are not typically visible to the human eye, Snow takes data to be hidden, a passphrase, a file in which to hide the data, and an output file to place the result. It can compress the data to hide it, or uncompress it if it is recovering it.

Here is an example:
$ stegsnow -C -f hideme.txt -p “Super strong passphrase” innocent.txt hidden.txt
The output file will look identical to the original innocent.txt to the human eye.

Sonic Visualiser
Sonic Visualiser (https://www.sonicvisualiser.org/) has a graphical user interface and is designed to analyze the contents of audio files by showing the sound data graphically as waves or other patterns. It can be used to retrieve steganographic data from audio files hidden by tools like Coagula. A detailed writeup of one such use case can be found here: https://www.okiok.com/cyber-beats-nsec-2020-write-up/

Spooftooph
Spooftooph (https://gitlab.com/kalilinux/packages/spooftooph and https://www.kali.org/tools/spooftooph/) is a Bluetooth testing tool that is designed to spoof or clone a Bluetooth device name, class, and address. This tool can log Bluetooth information, generate new Bluetooth profiles with random data, change the profile dynamically based on a time interval, and choose a device to clone from a scan log. It can be used to scan for Bluetooth devices in a range, clone a device, and gather information sent to it.

SQLmap
SQLmap (https://sqlmap.org/) attempts to automatically identify and exploit SQL injection when supplied with a target URL. If you were performing a web application pentest and identified a potential SQL injection in a form using Burp Scanner, you could take the URL and give it to SQLmap. SQLmap would attempt to identify a working SQL injection string so that you could exploit the vulnerability and examine the impact or provide a proof of concept for exploitation during the pentest. Examples are given here

SSH
Secure Shell (SSH) (https://www.openssh.com/) is an encrypted remote access protocol. It’s often found natively in Linux systems, but may be installed in Windows. In addition to being able to be used for remote administration, SSH can be used to tunnel traffic across networks. This is discussed here.

Steghide
Steghide (http://steghide.sourceforge.net/) is a steganography program that can hide or retrieve data hidden inside image or audio files. The resulting file looks and sounds exactly like the original file from a human perspective. Data can be encrypted when hidden. An example of usage is:
$ steghide -cf myimage.jpg -ef secretfile.txt -sf newimage.jpg


This hides the file “secretfile.txt” (the embedded file) inside a new file called newimage.jpg (a stego file) that is based on the file myimage.jpg (a cover file). This will prompt for a passphrase at runtime. To recover the file, you would have to use the <code>-xf</code> flag to extract the data from the newimage.jpg file back into the secretfile.txt and supply the passphrase:
<code>$ steghide -sf newimage.jpg -xf secretfile.txt</code>

theHarvester
theHarvester (https://github.com/laramies/theHarvester) is a command-line tool that helps pentesters perform OSINT gathering about a target during the early phases of a pentest engagement. Examples of data gathered include e-mails, names, subdomains, IP addresses, and URLs. It can perform both passive and active information gathering, and it also can perform DNS brute-forcing. Examples of theHarvester usage are covered here.

TinEye
TinEye (https://tineye.com/) is a reverse image search tool. You can load or reference an image and then search for it online. You can do the same thing with Google Images search, but this is sometimes useful in finding an original image in order to identify whether it has been manipulated with a steganography tool. For example, you can compare the image found with TinEye to the copy you suspect has been manipulated with compare from the ImageMagick suite or something like XOR to attempt to derive the steganographic text.

truffleHog
truffleHog (https://github.com/trufflesecurity/truffleHog) searches GitHub repositories for secrets (such as SSH or API keys), examining commit history and branches for accidental leaks of important information. Searches can be limited by depth, target repository, and with regex filters. During a pentest, these can be useful for identifying potential leaks of credentials or keys to establish an initial access point for cloud or authentication service targets, for example.

w3af
w3af (https://github.com/andresriancho/w3af/ and http://w3af.org/) is a web application attack and audit framework designed to attempt to find and exploit vulnerabilities in web applications. Launching w3af at the command line will drop you into a w3af shell, where you can supply run parameters through context settings and execute scans. For example:


You can use this to check a single directory for vulnerabilities according to all or a set of audit plugins, crawl to identify other URLs, or even ignore specific forms or URLs by creating exclusions. W3af is useful for scanning REST APIs, identifying endpoints, and attempting to automatically identify and exploit vulnerabilities using various payloads.

Wapiti
Wapiti (https://wapiti.sourceforge.io/ and https://owasp.org/www-community/Automated_Audit_using_WAPITI) is a command-line tool that fuzzes web applications during a black box penetration test and attempts to identify SQL injections, XSS, file disclosure vulnerabilities, XXE, CRLF, and more. It can also attempt brute-forcing of files, directories, and login forms.

The shortest way to use it is:
$ wapiti -u http://targeturl/

An example of Wapiti scan results is available here: https://wapiti.sourceforge.io/example.txt

Whois
Whois (https://linux.die.net/man/1/whois) is a service for looking up domain registration information and is not only a tool included with Linux, as referenced here. The tool is the client for the service. The whois tool can be used to look up IP or hostname ownership information and can specify which whois server to use for the query. These concepts are addressed here.

Wifite2
Wifite (https://github.com/derv82/wifite2) is a Python script for attacking wireless networks. It can perform the offline pixie dust attacks and online PIN brute-forcing against WPS networks; capture WPA handshakes and PMKID hashes; and perform various WEP attacks, including fragmentation, chopchop, and replay attacks. It requires the aircrack-ng suite for wireless capture, relay, and cracking. Example videos are included within the GitHub repository.

WiGLE
WiGLE (https://wigle.net/) is a collection of public wardriving data that you can use to look up SSIDs and BSSIDs to find out where they are according to GPS information in the search database. This is good for passive information gathering in preparation for a wireless or physical pentest assessment, as you can also look at maps to identify the wireless networks that have been observed during previous wardriving exercises, as reported by the community.

WinDbg
WinDbg (https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools) is a Windows-based debugging program. It has similar use cases to other debuggers such as OllyDbg and Immunity Debugger, although each has a different interface and output. For pentesting, it is sometimes preferred for Windows kernel debugging because of its kernel hooking capabilities.

Wireshark
Wireshark (https://www.wireshark.org/) is a graphical network traffic analyzer. It can be used against packet captures across many kinds of networks and enables deep protocol inspection, the ability to perform live packet captures, and analyze PCAPs from other sources. This tool has many uses during a pentest, including the ability to extract files from captured network streams, extract conversations from VoIP traffic, deconstruct decrypted communications, and analyze network communications for insecurely transmitted sensitive data. However, capturing data requires access to the network in question. This is often first accomplished with some form of on-path attack or access to one party of the network communication. Otherwise, only broadcast traffic may be visible.

WPScan
WPScan is a web application security scanner that focuses on WordPress installations. It attempts to identify insecure WordPress configurations and plugins based on versioning data, username enumeration, known default passwords, exposed files, and a database of known vulnerabilities. The tool requires a license to be used commercially.
- https://github.com/wpscanteam/wpscan
- https://wpscan.com/wordpress-security-scanner
- https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
 



ADVERTISEMENT