Top 10 Penetration Testing Tools used by Industry Experts

Metasploit
Metasploit is a very extensive framework developed by Rapid7. It is CLI-based, meaning you access and use the tool from the terminal on your machine. Metasploit has many features, such as scanning, enumeration, exploitation, and post-exploitation tasks like privilege escalation.
Metasploit contains the following module types:
- Auxiliary
- Exploit
- Encoders
- Nops
- Payloads
- Post
Let us discuss all these modules in brief.
i.) Auxiliary:
Auxiliary modules are run to gain information about your host. This is an active process, meaning we interact directly with the host to perform these actions. Some of the features auxiliary modules provide are scanning, fuzzing, sniffing, and much more. This module will not get you a shell, i.e. it will not give you access to the machine.
ii.) Exploit:
This module is used to exploit a certain vulnerability in the system. Suppose there is a misconfiguration in SMB that leads to shell access in a Windows environment; if you have found it and an exploit for it is available within Metasploit, you can use it and get a shell on the host/victim machine. You have to set certain options for that, such as remote host, remote port, local port, local IP, and so on. Each payload in an exploit has its own set of options.
iii.) Encoders:
Nowadays, when we perform payload delivery in the real world, many issues arise. First of all, security systems like IDS, IPS, and firewalls have evolved massively and usually catch the adversary's malicious activity. The way around this is to encode our payload. Encoding means converting the payload into a different, machine-understandable representation, such as XOR encoding, UTF, Eicar, base64, etc.
iv.) Nops:
Nops are a slightly advanced concept; if you are familiar with assembly languages and how memory works, understanding them becomes easier. Nop stands for No Operation. It controls the size of the payload. Why is that necessary? Sometimes there is an unavoidable limit on size when we upload a payload, so Nops are used to control that size.
v.) Payloads:
A payload, to put it in simpler words, is the code that gives you access to the machine. The malicious part of exploitation code is called the payload. Everything depends on the correct execution of the payload.
vi.) Post:
This module is used after the shell is spawned; post-exploitation is done with it. When you have system access but are not an admin user, or there are multiple machines connected to the same network through NAT, Post modules save you here: they can perform privilege escalation, pivot between machine IPs, and much more.
Nmap
Nmap is short for Network Mapper. Developed by Gordon Lyon, it is one of the most powerful tools on the market today for scanning and enumerating a host. Nmap has many flags and features that make it unique among scanning tools.
Let us discuss Nmap in more detail. Nmap is an open-source tool, so anyone can edit its configuration to suit their needs. Nmap is very robust and effective, and one of the best hacking tools available on the market as open-source software.
Nmap is very easy to use, and its options/flags are simple enough that anyone can memorize them with ease. Some of the most commonly used flags in the nmap command are:
- -A → Aggressive scan: scans for all the services, their versions, and also the OS running on the host system, but this flag introduces a lot of noise while scanning, which may get caught by the system administrator or firewall, and you can get blacklisted by the host.
- -p → Port range: this flag specifies the port range, or the specific port, you want to scan. If you want to scan all the ports, use -p-.
- -T1/-T2/-T3/-T4/-T5 → Threads: this flag decides how fast or slow your scan will go; generally T4 is used because it is neither too slow nor too fast.
- -Pn → No ping: this flag instructs nmap never to send ping probes to check whether the host is alive/online. The host is not pinged first; it is treated as up by default and then scanned for services.
- -oN/-oX/-oS/-oG → These flags save your scan output to the given filename in various file formats: normal, XML, s|<rIpt kIddi3, and grepable format, respectively.
- -sV → This flag performs a version scan on the services running on the open ports. It is used when your goal is to make minimum noise on the network so that you are not caught by agents like firewalls and system administrators.
- -sS/-sT → These flags refer to the SYN scan and the TCP connect scan, respectively. A SYN scan uses an incomplete 3-way handshake, where only a SYN packet is sent; a TCP connect scan establishes a full TCP connection via the 3-way handshake.
- -O → This flag is used for OS detection: Windows, Linux, IBM, Cisco IOS, etc.
So, a full-fledged command would look something like this:
```
nmap -A -p- -T4 -Pn <Host IP> -oN scan
nmap -sS -sV -p- -T4 -Pn -O <Host IP> > scan.txt
```
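Once a scan has been saved with -oG, the grepable file is the easiest one to process automatically. The following is an added example, not code from the original page or from the Nmap project: a small parser for the -oG format that turns each Host: line into port records, then compares the open ports against a per-host allow-list so that an unexpected service stands out. The sample scan text and the allow-list are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of nmap -oG (grepable) output for two hosts; not real scan data.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -sV -p- -T4 -Pn -oG scan.gnmap 192.0.2.0/24
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//nginx 1.18.0/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (65532)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 445/open/tcp//microsoft-ds//Windows 10 microsoft-ds/
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

PortRecord = Tuple[int, str, str, str, str]  # (port, state, protocol, service, version)


def parse_grepable(text: str) -> Dict[str, List[PortRecord]]:
    """Parse nmap -oG output into {ip: [port records]}."""
    hosts: Dict[str, List[PortRecord]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines start with '#'
        ip = line.split()[1]
        records = hosts.setdefault(ip, [])
        # Fields on a Host: line are tab-separated. The Ports: field holds
        # comma-separated entries of the form
        #   port/state/protocol/owner/service/rpcinfo/version/
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                records.append((int(port), state, proto, service, version))
    return hosts


def open_ports(hosts: Dict[str, List[PortRecord]], ip: str) -> List[int]:
    """Sorted list of ports reported as open for one host (filtered/closed are excluded)."""
    return sorted(port for port, state, *_ in hosts.get(ip, []) if state == "open")


def unexpected_services(hosts: Dict[str, List[PortRecord]],
                        allowed: Dict[str, Set[int]]) -> List[Tuple[str, int, str]]:
    """Return (ip, port, service) for every open port not on that host's allow-list."""
    findings = []
    for ip, records in hosts.items():
        ok = allowed.get(ip, set())
        for port, state, _proto, service, _version in records:
            if state == "open" and port not in ok:
                findings.append((ip, port, service))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed allow-list: what each host is supposed to expose.
    baseline = {"192.0.2.10": {22, 80}, "192.0.2.11": {445}}
    scan = parse_grepable(SAMPLE_OG)
    for ip in scan:
        print(ip, "open:", open_ports(scan, ip))
    for ip, port, service in unexpected_services(scan, baseline):
        print(f"UNEXPECTED {ip}:{port} ({service})")
```

Run the script on a real file by reading it into `parse_grepable` instead of `SAMPLE_OG`; the allow-list is where the defender's knowledge of the environment goes, and a port that is filtered rather than open is deliberately not reported.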
Another feature of nmap is the NSE, the Nmap Scripting Engine. This very powerful feature is invoked with the flag `--script=`. NSE is very powerful when used the right way, and there are many scripts one can use.
Enroll in Cyberyami’s free Nmap Master Bootcamp, where we teach you the important flags of Nmap and how to write your commands so that you can scan a host exactly the way you want, and how to operate Nmap’s NSE (script engine) most effectively. Every command is explained with custom-built labs so that you can practice while learning.
SQLMap
SQLMap, also known as SQL Mapper, is a tool used to find and exploit SQLi vulnerabilities. SQLi, also known as SQL injection, is an OWASP Top 10 vulnerability with a critical risk score. If an application suffers from SQLi, this tool will find it for you if used right. Apart from finding SQLi, we can also exploit the vulnerability. It can identify the database type and SQL dialect in use and configure itself to exploit them.
Types of SQLi which exist are as follows:
- Time-Based SQLi
- Blind SQLi
- Error-based SQLi
- Union-based SQLi
SQLmap can exploit all of them with a single command. SQLmap is written in Python, so we can also run the tool with python. It can dump databases and list the tables, columns, and schemas of the databases connected to the website.
The basic sqlmap usage looks like this:
```
sqlmap -u "http://website/test.php?id=1" -p id
```
Let’s break down this command and understand what is happening here.
- -u states the URL you want to test
- -p is the parameter to test for SQLi on.
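To see what sqlmap is probing for when it tests the `id` parameter, here is an added example (not code from the original page or from the sqlmap project) that builds a constructed in-memory SQLite database and implements the `test.php?id=1` lookup twice: once by pasting the parameter into the SQL text, which is the defect sqlmap looks for, and once with a bound parameter, which is the fix. The table and row contents are constructed for the example.

```python
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's database, with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'Widget', 1), (2, 'Internal prototype', 0);
        INSERT INTO users VALUES (1, 'dave', 'constructed-hash-value');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str) -> List[Tuple[int, str]]:
    """The pattern sqlmap detects: the request parameter becomes part of the SQL text,
    so a value such as '1 OR 1=1' or '1 UNION SELECT ...' rewrites the query."""
    sql = "SELECT id, name FROM products WHERE public = 1 AND id = " + id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, id_param: str) -> List[Tuple[int, str]]:
    """The fix: a bound parameter is sent to the engine as data and is never parsed
    as SQL, so the same inputs simply match no row."""
    sql = "SELECT id, name FROM products WHERE public = 1 AND id = ?"
    return conn.execute(sql, (id_param,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1 OR 1=1", "1 UNION SELECT id, password_hash FROM users"):
        print(repr(value))
        print("  vulnerable:", lookup_vulnerable(db, value))
        print("  safe:      ", lookup_safe(db, value))
```

The two functions behave identically for the legitimate value `1`; they differ only on input that contains SQL syntax, which is exactly the difference sqlmap's boolean-, error-, union- and time-based probes are designed to detect from the outside. The same separation of code and data (prepared statements) is the remediation for every SQLi type listed above.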
More detailed commands look like this:
```
sqlmap -u "http://website/login.php" --tor --tor-type=SOCKS5
sqlmap -u "http://website/login.php" -D site_db --tables
```
There are many more commands and flags we can use.
- --tor tells SQLmap to use the Tor (The Onion Router) anonymity network
- --tor-type indicates which proxy type to use
- -D selects the database
- --tables lists the tables of that database
You can also spawn a shell if the vulnerability is of that nature by using the --os-shell flag.
AirCrack-ng
This tool is part of the Aircrack-ng suite and is primarily used in wireless penetration testing. It is mainly used for cracking the algorithms used in wireless networks, such as WEP and WPA/WPA2/WPA3.
If you are aware of the cracking techniques used against wireless networks, this will be easy to understand. WEP uses an IV (initialization vector) which is sent with the password. Once we capture enough IVs, we can use aircrack-ng to crack the password.
Many tools are used together with aircrack-ng, such as airodump-ng, whose task is to capture and store network packets. But the question remains: how do we interact with wireless packets, and how do we store them? We do this via a wireless adapter that supports monitor mode. Any wireless adapter has two main modes, monitor mode and managed mode. Monitor mode is used to monitor wireless packets, and managed mode is used to connect to wireless access points.
To know more about this tool refer to the documentation: aircrack-ng
Hashcat
Hashcat is a very powerful tool when it comes to cracking hashes. There will be times when you will penetrate a website or network and will find hashed passwords or sensitive information. Hashcat will help you crack those hashes.
Before going into hashcat, let us understand what a hash is. A hash function is a mathematical function that converts a string into a fixed-size, seemingly random value. Let us take an example: “Helloworld” is a string to be converted into a hash. There are many hashing algorithms available in the wild; I will take a very common one, MD5. When I apply the MD5 hashing function to that string, I get “d73b04b0e696b0945283defa3eee4538”. It doesn’t matter how long the string is; we always get a fixed number of characters. Let us take another example: “Hello my name is dave, I am a security engineer” gives “30fa34f85b7f95530f47829d6699da80” in MD5.
Hashes cannot be reversed the way encryption can. If you can encrypt something, you can decrypt it too, but hashes don’t work like that. We have to hash candidate words and compare them against the target hash, and then we know what the hashed value was. So hashcat has 2 inputs: a wordlist and the type of hash you want to crack. A wordlist is the list of candidates your hash is compared against.
The main feature of hashcat is that it can use the GPU to accelerate the cracking process. When you use the GPU as your main cracking processor, cracking speeds up enormously. GPUs are known for their efficiency at repetitive tasks, and hash cracking is quite repetitive when you look at how hashes are compared to strings.
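The compare-the-wordlist idea above is small enough to write down, and doing so also shows what the defender controls. The following is an added example, not code from the original page or from the hashcat project: a dictionary lookup against a bare MD5 hash, and the same lookup against a hash stored with a random per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 is used here as the slow hash; that choice is the example's). The wordlist is constructed.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed stand-in for a wordlist file such as rockyou.txt.
WORDLIST: List[str] = ["password", "letmein", "Helloworld", "dave2019", "correcthorse"]


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def crack_unsalted(target_hex: str, wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on a bare MD5 hash: hash each candidate, compare to the target.
    Returns (matching word or None, number of candidates hashed). This is what hashcat
    does, minus the GPU parallelism."""
    for tried, word in enumerate(wordlist, start=1):
        if hmac.compare_digest(md5_hex(word), target_hex):
            return word, tried
    return None, len(wordlist)


def pbkdf2_hex(word: str, salt: bytes, iterations: int) -> str:
    return hashlib.pbkdf2_hmac("sha256", word.encode(), salt, iterations).hex()


def store_password(word: str, iterations: int = 100_000) -> Tuple[bytes, str]:
    """Defender side: a random per-user salt plus a deliberately slow KDF, instead of
    storing md5(password). Returns (salt, hash) as the database would keep them."""
    salt = os.urandom(16)
    return salt, pbkdf2_hex(word, salt, iterations)


def crack_salted(target_hex: str, salt: bytes, iterations: int,
                 wordlist: List[str]) -> Tuple[Optional[str], int]:
    """Same dictionary attack against a salted PBKDF2 hash. It still succeeds when the
    password is in the list, but every guess now costs `iterations` HMAC rounds, and
    because each user's salt differs the work cannot be shared across users or
    precomputed in advance."""
    for tried, word in enumerate(wordlist, start=1):
        if hmac.compare_digest(pbkdf2_hex(word, salt, iterations), target_hex):
            return word, tried
    return None, len(wordlist)


if __name__ == "__main__":
    print("md5('Helloworld') =", md5_hex("Helloworld"))
    print("unsalted:", crack_unsalted(md5_hex("Helloworld"), WORDLIST))
    salt, stored = store_password("dave2019")
    print("salted:  ", crack_salted(stored, salt, 100_000, WORDLIST))
    # Two users with the same password: identical MD5, different salted hashes.
    print(md5_hex("dave2019") == md5_hex("dave2019"), store_password("dave2019")[1] != stored)
```

The attack loop is identical in both cases; what changes is the cost per guess and the reuse of work, which is why a leaked table of salted, slow hashes holds up far better against hashcat than the MD5 values in the paragraph above.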
Hydra
Hydra is used for brute forcing. The main job of hydra is to brute force various services like website login pages, SSH, SMB, etc. The syntax of hydra is pretty simple. Let us see some commands used:
Web page:
```
hydra -l <username> -P <path to wordlist> <IP> http-post-form "/:username=^USER^&password=^PASS^:F=incorrect" -V
```
- -l is used when you know the username; -L is used when you want to use a wordlist
- -p is used when you know the password; -P is used when you want to use a wordlist
- the http-post-form module tells hydra to perform web POST brute forcing
- We capture the response after sending wrong credentials on the login page using Burp Suite, and the failure text from that response is written after the http-post-form argument.
- F= tells hydra which error the page throws when the username and password don’t match.
- -V is used for verbose mode
SSH:
```
hydra -l <username> -P <path to wordlist> <IP> -t 4 ssh
```
- -t is used for threads: how many connections hydra can make simultaneously to perform brute forcing
- ssh tells hydra that we are attacking ssh
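Seen from the server side, a hydra run against SSH leaves a tight burst of "Failed password" lines from one source in the authentication log. As an added example that is not part of the original page, the following script parses constructed sshd log lines in syslog format and flags any source that exceeds a failure threshold inside a sliding time window, escalating when a successful login follows the burst from the same address. The threshold, window, and the assumed log year are the example's own parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sshd log lines in syslog format; not taken from a real system.
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 host sshd[2101]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Mar  3 10:14:02 host sshd[2103]: Failed password for root from 198.51.100.7 port 50123 ssh2
Mar  3 10:14:02 host sshd[2105]: Failed password for root from 198.51.100.7 port 50124 ssh2
Mar  3 10:14:03 host sshd[2107]: Failed password for root from 198.51.100.7 port 50125 ssh2
Mar  3 10:14:03 host sshd[2109]: Failed password for dave from 198.51.100.7 port 50126 ssh2
Mar  3 10:14:04 host sshd[2111]: Accepted password for dave from 198.51.100.7 port 50127 ssh2
Mar  3 10:20:10 host sshd[2200]: Failed password for dave from 203.0.113.5 port 41000 ssh2
Mar  3 10:25:30 host sshd[2210]: Accepted publickey for dave from 203.0.113.5 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

Event = Tuple[datetime, str, str, str]  # (time, outcome, user, source ip)


def parse_events(text: str) -> List[Event]:
    """Extract login outcomes from sshd lines; anything else is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = re.sub(r"\s+", " ", m["ts"])
        # Syslog timestamps omit the year; 2024 is assumed for the example.
        when = datetime.strptime(ts + " 2024", "%b %d %H:%M:%S %Y")
        events.append((when, m["outcome"], m["user"], m["src"]))
    return events


def detect_bruteforce(text: str, threshold: int = 4, window_seconds: int = 60) -> Dict[str, dict]:
    """Return {source ip: alert} for sources with >= threshold failures inside the window.
    success_after_burst is set when an Accepted login from that source arrives while
    the burst is still inside the window, which is the case to treat as an incident."""
    alerts: Dict[str, dict] = {}
    recent = defaultdict(deque)  # src -> deque of (time, user) for failures in the window
    for when, outcome, user, src in parse_events(text):
        q = recent[src]
        while q and (when - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if outcome == "Failed":
            q.append((when, user))
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"failures": 0, "users": set(), "success_after_burst": False})
                a["failures"] = max(a["failures"], len(q))
                a["users"].update(u for _, u in q)
        elif src in alerts and q:
            alerts[src]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, alert)
```

Usernames are kept per burst because a list like admin/root/dave tried within seconds is itself a signature of a wordlist, and the single failed login from 203.0.113.5 followed minutes later by a key-based success is correctly left alone.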
Nessus
Nessus is a GUI tool/framework used for conducting automated tests on various platforms: web applications, networks, mobile applications, and much more. Nessus is a very powerful tool with many features and utilities, and its results are mostly precise and accurate.
Installing Nessus is very easy, and so is launching a test. Some of the tasks performed by Nessus are:
i.) Discovery
- Host Discovery
ii.) Vulnerabilities
- Basic Network Scan
- Advanced Scan
- Advanced Dynamic Scan
- Malware Scan
- Mobile Device Scan
- Web Application Tests
- Credential Patch Audit
- AD Starter Scan etc.
iii.) Compliance
- Audit cloud Infrastructure
- Internal PCI network scan
- MDM Config Audit etc.
These utilities are very powerful. Note that not every tool is available in the free version of Nessus, which is called Nessus Essentials. You have to upgrade to a subscription to get the full benefit of Nessus.
Wireshark
Wireshark is a network sniffer widely used for capturing and analyzing packets. It was created by Gerald Combs in 1998 and has been evolving ever since. It is an open-source project. It can sniff on all network types: wireless, Ethernet, localhost, and much more. It recognizes the packets and protocols used and lists their headers and data in a structured manner so that one can evaluate them accordingly.
Wireshark has 3 windows; when we start capturing packets, they look somewhat like this:
The first window lists the captured packets, the second window shows the headers/layers of the selected packet, and the third window shows the hex value of that packet. In this example the layers for that particular packet are Ethernet, IP, TCP, and TLS. We can further expand each layer to see the headers for that particular layer, like so.
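The layered view in the second window is just the result of decoding fixed-size headers one after another, and the third window is a plain hex dump of the same bytes. As an added example (not code from the original page or from the Wireshark project), the following script builds a constructed Ethernet/IPv4/TCP frame that carries the beginning of a TLS handshake record, then dissects it into the same four layers and prints a Wireshark-style hex pane. The addresses, ports and sequence numbers in the sample frame are constructed.

```python
import struct
from typing import Dict, List, Tuple

TCP_FLAG_NAMES = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]


def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_ethernet(frame: bytes) -> Tuple[dict, bytes]:
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac(dst), "src": mac(src), "type": ethertype}, frame[14:]


def parse_ipv4(data: bytes) -> Tuple[dict, bytes]:
    (ver_ihl, _tos, total_len, _ident, _flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", data[:20])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options would make it > 20)
    hdr = {"version": ver_ihl >> 4, "ttl": ttl, "proto": proto, "src": ip4(src), "dst": ip4(dst)}
    return hdr, data[ihl:total_len]


def parse_tcp(seg: bytes) -> Tuple[dict, bytes]:
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    offset = (off_flags >> 12) * 4
    flags = [name for name, bit in TCP_FLAG_NAMES if off_flags & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "window": window}, seg[offset:]


def dissect(frame: bytes) -> Tuple[List[str], Dict[str, dict]]:
    """Return ([layer names], {layer: decoded header}): the middle pane in miniature."""
    layers, headers = ["Ethernet"], {}
    eth, payload = parse_ethernet(frame)
    headers["Ethernet"] = eth
    if eth["type"] != 0x0800:          # only IPv4 is decoded here
        return layers, headers
    ip, payload = parse_ipv4(payload)
    layers.append("IPv4"); headers["IPv4"] = ip
    if ip["proto"] != 6:               # only TCP is decoded here
        return layers, headers
    tcp, payload = parse_tcp(payload)
    layers.append("TCP"); headers["TCP"] = tcp
    # TLS record header: content type 0x14..0x17, version 0x03xx, 2-byte length.
    if len(payload) >= 5 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        layers.append("TLS")
        headers["TLS"] = {"content_type": payload[0], "version": (payload[1], payload[2]),
                          "length": struct.unpack("!H", payload[3:5])[0]}
    return layers, headers


def hexdump(data: bytes, width: int = 16) -> List[str]:
    """The third pane: offset, hex bytes, printable ASCII."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hexpart:<{width * 3}} {text}")
    return lines


def build_sample_frame() -> bytes:
    """Constructed frame: Ethernet + IPv4 + TCP (PSH,ACK to port 443) + a TLS handshake record."""
    tls = b"\x16\x03\x01" + struct.pack("!H", 4) + b"\x01\x00\x00\x00"   # record header + 4-byte body
    tcp = struct.pack("!HHIIHHHH", 51514, 443, 1000, 2000, (5 << 12) | 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(tls)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([203, 0, 113, 5]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + tls


if __name__ == "__main__":
    frame = build_sample_frame()
    layers, headers = dissect(frame)
    for layer in layers:
        print(layer, headers[layer])
    print("\n".join(hexdump(frame)))
```

Checksums are left at zero because nothing on the wire verifies them here; a real capture would also need IP options, TCP options and IPv6 handled, which is the part Wireshark's dissectors do for you.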
BurpSuite
BurpSuite is a tool used in web application penetration testing (WAPT). It has many tabs that provide different functions. These sub-parts of BurpSuite are as follows:
- Proxy
- Intruder
- Repeater
- Sequencer
- Decoder
- Comparer
- Logger
- Extender
Let us discuss some of them in brief.
i.) Proxy
The Proxy is a tool that lets you analyze and modify any request and any response exchanged between the HTTP client and server. It intercepts the traffic: first the traffic is sent to BurpSuite, and then you have the option to either forward or drop the request/response.
ii.) Intruder
The Intruder is used for brute forcing. You capture the login POST request in the Burp proxy and send it to Intruder; then you set the payload positions, marking the username and password parameters as inputs. It has
- Sniper
- Cluster bomb
- Pitchfork
- Battering Ram
as attack types, so you can configure the brute forcing according to your needs.
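The four attack types differ only in how payloads are distributed over the marked positions, which is easiest to see as code. The following is an added example, not code from the original page or from PortSwigger: each function takes the positions (here a username and password pair) and payload lists and returns the exact sequence of requests Intruder would send, plus a helper that gives the request count, which is the number a defender will see arriving at the login endpoint and can size rate limits against. The sample payload lists are constructed.

```python
from itertools import product
from typing import List, Sequence, Tuple

Request = Tuple[str, ...]  # one value per marked position, in order


def sniper(template: Sequence[str], payloads: Sequence[str]) -> List[Request]:
    """One payload set; each position is attacked in turn while the others keep
    their original value. Requests = positions x payloads."""
    out = []
    for i in range(len(template)):
        for p in payloads:
            req = list(template)
            req[i] = p
            out.append(tuple(req))
    return out


def battering_ram(template: Sequence[str], payloads: Sequence[str]) -> List[Request]:
    """One payload set; the same payload is placed into every position at once."""
    return [tuple(p for _ in template) for p in payloads]


def pitchfork(payload_sets: Sequence[Sequence[str]]) -> List[Request]:
    """One payload set per position, walked in parallel (first with first, second with
    second); stops when the shortest set is exhausted."""
    return list(zip(*payload_sets))


def cluster_bomb(payload_sets: Sequence[Sequence[str]]) -> List[Request]:
    """One payload set per position; every combination, i.e. the Cartesian product."""
    return list(product(*payload_sets))


def request_count(mode: str, positions: int, *set_sizes: int) -> int:
    """Number of requests each mode generates for the given position count and set sizes."""
    if mode == "sniper":
        return positions * set_sizes[0]
    if mode == "battering ram":
        return set_sizes[0]
    if mode == "pitchfork":
        return min(set_sizes)
    if mode == "cluster bomb":
        n = 1
        for s in set_sizes:
            n *= s
        return n
    raise ValueError(f"unknown attack type: {mode}")


if __name__ == "__main__":
    template = ("admin", "secret")                  # constructed current values of the two positions
    users, passwords = ["u1", "u2"], ["p1", "p2", "p3"]  # constructed payload lists
    print("sniper       ", sniper(template, users))
    print("battering ram", battering_ram(template, users))
    print("pitchfork    ", pitchfork([users, passwords]))
    print("cluster bomb ", cluster_bomb([users, passwords]))
    print("cluster bomb requests for 100 users x 1000 passwords:",
          request_count("cluster bomb", 2, 100, 1000))
```

Pitchfork is the mode for testing known username/password pairs (one request per pair), while cluster bomb is the true credential brute force whose request count multiplies; that multiplication is what makes it both slow for the tester and loud in the logs.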
iii.) Repeater
The Repeater is used to gather information about requests and responses. Its functionality lies in its ability to send a request multiple times, with or without modifications, and analyze the responses. Repeater comes in handy when we have to try different bypass methodologies.
iv.) Decoder
The Decoder is a very basic utility used to decode certain encodings. You can decode basic web encodings such as base64.
Maltego
Maltego is an information-gathering tool used by hackers/security professionals to find links and information about an entity. If we dive deeper into the tool, we see there are many different plugins available. These plugins invoke certain functions, such as finding the email addresses and social media platforms associated with the entity, and much more. These plugins are very powerful, but their functionality is limited in the free version of Maltego.
The graph somewhat looks like this once you get to know and perform activities on Maltego.
Maltego’s free version is the Community Edition. There are many editions of Maltego available on the market, and one can buy them according to their needs.