Pentesters use a variety of tools, but which ones are the most commonly used? Here is a list of the top 10 tools pros can't work without.
Nmap is the holy grail of port scanners. It's used by everyone from students to veteran pentesters on all types of engagements.
It isn't a vulnerability scanner in the usual sense, since it doesn't probe for vulnerabilities the way a typical scanner does. However, it is often used in the initial steps of an assessment to determine which ports are open on a system and which services are running on them. Nmap can also run custom scripts that look for specific vulnerabilities and perform other reconnaissance tests. It's safe to say that the tool is extremely precise, customizable and efficient to use.
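Nmap's port and service findings are usually the first artifact of an assessment, and they are most useful once they are pulled out of the raw output into something that can be filtered and grouped. The following is an added example, not code from the original post or from the Nmap project: it parses the XML report Nmap writes with `-oX` (a constructed, trimmed sample is embedded inline), keeps only ports in the `open` state on hosts that are up, and groups the results by service so an asset owner can see, for instance, every host exposing SNMP.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's XML output (nmap -oX), trimmed to the elements used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/><service name="mysql"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="10.0.0.7" addrtype="ipv4"/></host>
</nmaprun>
"""


def open_ports(xml_text):
    """Return one record per open port: host, protocol, port number, service name and banner."""
    records = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # down or unreachable hosts carry no port data worth reporting
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        ports = host.find("ports")
        if addr is None or ports is None:
            continue  # a host that is up but had nothing scanned still has no <ports> element
        for port in ports.findall("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            records.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": name,
                "banner": " ".join(p for p in parts if p),
            })
    return records


def by_service(records):
    """Group exposed endpoints by service name, e.g. every host answering on SNMP."""
    groups = {}
    for r in records:
        groups.setdefault(r["service"], []).append(f'{r["host"]}:{r["port"]}/{r["proto"]}')
    return groups


if __name__ == "__main__":
    exposed = open_ports(SAMPLE_NMAP_XML)
    for record in exposed:
        print(record)
    print(by_service(exposed))
```

Only the `open` state is kept on purpose: `filtered` usually means a firewall is doing its job, and reporting it alongside genuinely open ports inflates the finding list. The same function works on a full `-oX` file from a real scan, since it only touches attributes Nmap always emits.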
Burp Suite is the main web application tool used by all pentesters. It acts as a proxy tool to intercept web traffic between the client (your browser) and the web server. This traffic is in the form of HTTP requests and responses which can be analyzed, modified, and re-sent to observe and test for various application or server responses. There are multiple tabs which serve different functions for various testing capabilities. Additionally, Burp Suite supports custom extensions which can be added or created in different languages including Java, Python and Ruby.
There is a free version and a pro version which comes with additional features. "Intruder" is one of the main pro features which is used for exploitation and automated attacks such as fuzzing inputs. "Scanner" is another pro feature which runs automated scans on applications and can be easily fine-tuned. Most pentesters can't live without the pro version and it's easy to understand why.
Metasploit is the ultimate hacker's framework. It has been used by every ethical hacker out there at one point or another. It is more of an automated tool and doesn't require much technical skill, so it is easy to use yet very powerful. In essence, Metasploit is a testing framework which is used for scanning, finding, testing and exploiting vulnerabilities via a very large database of easy-to-load pre-written scripts. There are separate "modules" which are used for various purposes including scanning, exploiting, payload generation and post-exploitation.
The post-exploitation module is extremely handy after gaining an initial foothold on a system and can be used for further enumeration, privilege escalation and lateral movement. The payload module is handy for simply creating a multitude of different payloads for tasks such as a reverse shell, which can later be used on unsuspecting victims and received via Metasploit. It contains an ever-growing open-source database of exploits and modules which is constantly being updated and has the most recent exploits available shortly after they're released.
Netcat is constantly called the "Swiss army knife" of security and for good reason. It is a networking utility for making and receiving networking connections via TCP or UDP. Security folks frequently rely upon it as a network testing tool to probe for open ports on a system by sending specific commands to a service or just to test various requests and responses. At the same time, Netcat can be used as a lightweight port scanner or as a proxy tool to redirect traffic.
Python is a typical hacker’s go-to scripting language. It's a very powerful scripting language yet also readable and easy to use with the right knowledge to produce quick scripts for automation. There are many Python scripts already out there which can be utilized for pentesting, or they can be modified and re-purposed to accomplish exactly what you are looking for.
Python is extremely flexible in the sense that it can run on all major operating systems to help make your life much simpler when it comes to task automation. Pentesters can utilize Python in all phases of a pentest, ranging from information gathering and reconnaissance to automated report creation.
Some examples of tasks Python is useful for include port scanning, packet creation and capture, wireless pentesting, automated brute-forcing of applications and much more.
PowerShell is another scripting language which comes installed on all modern Windows systems. In some cases, it may not be enabled in certain environments, but for now it's safe to assume that you can depend on it for your pentesting needs. It is one of the most powerful scripting languages out there. If used properly, it can give you full control over all aspects of a Windows system. This is of course something a hacker would be interested in, so it is widely used across the community.
PowerSploit is a collection of PowerShell modules used throughout different phases of a pentest. Scripts for each module can be uploaded separately onto a target server as a stand-alone script and run individually depending on the hacker's needs. The availability of PowerShell on Windows targets should be taken advantage of, and PowerSploit is one of the main tools to do so. Some of the more popular modules include antivirus bypass, PowerUp, which contains a large variety of privilege-escalation checks, and Persistence, for continued control of a target.
A network scanner is a tool that should be used in all infrastructure assessments to get a baseline overview of the environment. Typical network scanners include Nessus, Qualys, Nexpose and OpenVAS (free). A scanner will discover security vulnerabilities, configuration issues and other types of exposure in a network which can be saved to reports.
In most pentests, it is recommended to use a network scanner on the infrastructure in scope to determine the exposed vulnerabilities, which can later be manually probed and tested for exploitation. A scanner will miss some things of course, and produce some false positives, but it's much faster than manually assessing every target on a network. It should be used alongside manual testing to get the benefit of both automated and manual assessments.
Scans will occur in one of two ways: authenticated or unauthenticated.
Responder is a very easy-to-use tool but can be one of the most beneficial. It is a Python script which acts as a Link-Local Multicast Name Resolution (LLMNR), NetBIOS Name Service (NBT-NS) and multicast DNS (mDNS) poisoner. In non-technical terms, Responder takes advantage of the way Windows clients resolve hostnames using the protocols mentioned above: it answers those queries itself, injecting its own IP address as the destination for the requests. This allows the tool to potentially receive sensitive information (e.g. hashed credentials) from the clients it replied to. It is malleable in the sense that it can be configured to poison only the set of protocols that are to be tested. The end result is very powerful because it can receive hashed credentials which can later be uncovered with a password cracking tool and result in a full compromise of targets.
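Because a poisoner answers name queries that no legitimate host would, the same protocol behaviour gives defenders a cheap detection: issue LLMNR queries for names that are known not to exist and alert on anything that answers them. The following is an added example, not code from the original post or from the Responder project. It parses LLMNR datagrams (which reuse the DNS wire format on UDP port 5355), including compression pointers in the answer section, and flags any response for a canary name. The canary names, the sample addresses and the captured datagrams are constructed for the example; `build_response` exists only as a test fixture reproducing the shape of a poisoned answer.

```python
import struct

LLMNR_PORT = 5355  # queries go to 224.0.0.252:5355; answers come back from port 5355

# Constructed, deliberately nonexistent names: no real host will ever answer for them,
# so any LLMNR answer for one of them is a poisoner revealing itself.
CANARY_NAMES = {"fs-canary-7f3a", "wpad-canary-9c1e"}


def encode_name(name):
    """Encode a dotted name in DNS wire format (LLMNR reuses the DNS message layout)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a wire-format name at offset, following compression pointers; returns (name, next_offset)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:  # two-byte pointer to a name earlier in the message
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def parse_llmnr(payload):
    """Parse one LLMNR datagram: transaction id, query/response flag, queried name and A-record answers."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        raise ValueError("LLMNR messages carry exactly one question")
    qname, offset = decode_name(payload, 12)
    qtype, _ = struct.unpack("!HH", payload[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        _, offset = decode_name(payload, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", payload[offset:offset + 10])
        offset += 10
        rdata = payload[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record: the address the responder claims to own
            answers.append(".".join(str(b) for b in rdata))
    return {"id": txid, "is_response": bool(flags & 0x8000), "qname": qname,
            "qtype": qtype, "answers": answers}


def build_query(txid, name):
    """Constructed LLMNR A query, the shape a client (or a canary prober) sends."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip):
    """Test fixture only: an LLMNR answer claiming `name` lives at `ip`, the shape a poisoned reply has."""
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


def detect_poisoning(datagrams, canary_names=CANARY_NAMES):
    """datagrams: (src_ip, payload) pairs captured with a 'udp port 5355' filter.
    Returns one alert per answer for a canary name, identifying the host that answered."""
    alerts = []
    for src_ip, payload in datagrams:
        if len(payload) < 12:
            continue
        try:
            msg = parse_llmnr(payload)
        except (ValueError, IndexError, UnicodeDecodeError):
            continue  # truncated or malformed datagram; not a well-formed LLMNR message
        if msg["is_response"] and msg["qname"].lower() in canary_names:
            alerts.append({"responder_ip": src_ip, "name": msg["qname"],
                           "claimed_ips": msg["answers"], "txid": msg["id"]})
    return alerts


# Constructed traffic: a canary query, a poisoner's answer to it, and an ordinary query nobody answers.
SAMPLE_DATAGRAMS = [
    ("10.0.0.21", build_query(0x1A2B, "fs-canary-7f3a")),
    ("10.0.0.99", build_response(0x1A2B, "fs-canary-7f3a", "10.0.0.99")),
    ("10.0.0.21", build_query(0x1A2C, "printsrv01")),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE_DATAGRAMS):
        print(alert)
```

In an environment where LLMNR has been disabled by policy, the canary list can be dropped entirely: any LLMNR response at all is then a finding, since nothing legitimate should be answering on port 5355.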
Wireshark is a network protocol and packet analyzer frequently used for pentesting purposes. It is primarily used for deep-level packet inspection of network and wireless traffic and supports a variety of protocols. In many cases, it is utilized for wireless security assessments to aid in the capturing of live over-the-air wireless traffic for further analysis. This can help determine if wireless traffic is being sent in an encrypted format or not.
Even further, hackers can use it to sniff traffic on a network to determine what sort of traffic is being sent and if any of it is in a readable and unencrypted format. This information can be used to aid in further attacks such as logging into an application via sniffed credentials. Wireshark can also be useful for thick-client pentests to capture traffic sent by the application for further analysis.
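The check the paragraph describes, whether anything in a capture is readable and unencrypted, can be automated once the capture is on disk. The following is an added example, not code from the original post or from the Wireshark project: it reads the classic pcap format that Wireshark and tcpdump write, walks Ethernet, IPv4 and TCP headers by hand, and reports every HTTP Basic `Authorization` header sent without TLS, giving the username only so the finding can be reported without copying the secret around. The pcap is constructed in memory from two hand-built frames (one plain-HTTP request carrying Basic credentials, one TLS record that the check correctly cannot read); all addresses and the credential are made up for the example.

```python
import base64
import struct


def build_pcap(frames):
    """Constructed in-memory classic pcap: 24-byte global header (link type 1 = Ethernet),
    then a 16-byte record header before each frame. Not a real capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for frame in frames:
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet + IPv4 + TCP around a payload; checksums are left zero because the parser ignores them."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    ip4 = lambda s: bytes(int(x) for x in s.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ip4(src_ip), ip4(dst_ip))            # IHL 5, protocol 6 = TCP
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def iter_tcp_payloads(pcap_bytes):
    """Yield (src_ip, dst_ip, sport, dport, payload) for every IPv4/TCP frame in a classic pcap."""
    magic = struct.unpack("<I", pcap_bytes[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"        # record headers use the writer's byte order
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        offset += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                        # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        t = 14 + ihl
        sport, dport = struct.unpack("!HH", frame[t:t + 4])
        data_off = (frame[t + 12] >> 4) * 4
        yield src, dst, sport, dport, frame[t + data_off:]


def find_cleartext_basic_auth(pcap_bytes):
    """Flag HTTP Basic credentials sent in the clear; report the username only, never the password."""
    findings = []
    for src, dst, _, dport, payload in iter_tcp_payloads(pcap_bytes):
        for line in payload.split(b"\r\n"):
            if not line.lower().startswith(b"authorization: basic "):
                continue
            try:
                creds = base64.b64decode(line.split(b" ", 2)[2], validate=True).decode("utf-8", "replace")
            except ValueError:
                continue                                    # not valid base64; leave for manual review
            findings.append({"client": src, "server": f"{dst}:{dport}", "user": creds.split(":", 1)[0]})
    return findings


# Constructed sample: one Basic-auth request over plain HTTP, and one TLS record that stays opaque.
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.21", "10.0.0.80", 51000, 80,
                    b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
                    + base64.b64encode(b"alice:correct horse battery staple") + b"\r\n\r\n"),
    build_tcp_frame("10.0.0.21", "10.0.0.80", 51001, 443,
                    b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),
])

if __name__ == "__main__":
    for finding in find_cleartext_basic_auth(SAMPLE_PCAP):
        print(finding)
```

Reading the capture with a proper library would be shorter, but walking the headers by hand makes visible what Wireshark's dissectors are doing for you, and why a TLS record on port 443 yields nothing the check can use. The same loop extends naturally to other cleartext protocols; the Basic header is just the simplest case to match.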
Cobalt Strike is more of a red teaming framework, but it's included here since it is THE main tool for the job when it comes to red team assessments. Cobalt Strike is a commercial penetration testing kit which markets itself as "threat emulation software". It's an extremely powerful, versatile and interactive toolkit which can be used from start to finish in penetration tests or red team assessments. Everything can be accomplished within the tool itself, such as network scans, running scripts on exploited systems, cloning web applications to use in social engineering campaigns and so much more.
It acts as a "Command and Control" (C2) server to issue commands to affected systems compromised by the pentesters. This allows remote servers to easily be controlled by Cobalt Strike and directed to fit the needs of the attackers.