Chapter 12 - Tools Inventory - Handout

The document discusses various penetration testing tools categorized by their common uses in different phases of a penetration test such as reconnaissance, enumeration, vulnerability scanning, credential attacks, persistence, and evasion. It provides the names of popular tools, brief descriptions of their functions, and links to their websites for each category. It emphasizes understanding the purpose of each tool rather than memorizing the categories and explains how some tools can be used in multiple phases.


CHAPTER 12

Tools and Programming


Old Episode 4.02

Episode 12.01 - Pen Testing Toolbox

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
RECONNAISSANCE
• For reconnaissance, use:
- Nmap
- Whois
- Nslookup
- Theharvester
- Shodan
- Recon-NG framework
- Censys
- Aircrack-NG
- Kismet
- WiFite
- SET
- Wireshark
- Hping
- Metasploit
ENUMERATION
• To list targets, use:
- Nmap
- Nslookup
- Wireshark
- Hping
VULNERABILITY SCANNING
• To scan for vulnerabilities, use:
- Nmap
- Nikto
- OpenVAS
- SQLmap
- Nessus
- W3AF
- OWASP ZAP
- Metasploit framework
CREDENTIAL ATTACKS
• For offline password cracking, use:
- Hashcat
- John the Ripper
- Cain and Abel
- Mimikatz
- Aircrack-NG
• For brute-forcing services, use:
- SQLmap
- Medusa
- Hydra
- Cain and Abel
- Mimikatz
- Patator
- W3AF
- Aircrack-NG
PERSISTENCE
• Once you have exploited a target, use these to make sure you can get back in:
- SET
- BeEF
- SSH
- NCAT
- NETCAT
- Drozer
- Powersploit
- Empire
- Metasploit framework
CONFIGURATION COMPLIANCE
• To evaluate a configuration to determine if it’s compliant with a standard or regulation, use:
- Nmap
- Nikto
- OpenVAS
- SQLmap
- Nessus
EVASION
• To evade detection, use:
- SET
- Proxychains
- Metasploit framework
DECOMPILATION
• To decompile executables, use:
- Immunity debugger
- APKX
- APK studio
PENETRATION TESTING USE CASES
• Forensics
- To carry out digital forensics, use:
• Immunity debugger
• Debugging
- To debug code, use:
• OLLYDBG
• Immunity debugger
• GDB
• WinDBG
• IDA
SOFTWARE ASSURANCE
• For general software assurance, use:
- Findsecbugs
- SonarQube
- YASCA
• For fuzzing, use:
- Peach
- AFL
PENETRATION TESTING USE CASES
• Forensics – Immunity debugger
• Debugging – OLLYDBG, Immunity debugger, GDB, WinDBG, IDA
• Software assurance – Findsecbugs, SonarQube, YASCA
- Fuzzing – Peach, AFL
- SAST (Static Application Security Testing)
- DAST (Dynamic Application Security Testing)
• Know what each of the tools listed in the objectives is commonly used for
• Some tools, such as nmap, can fit into multiple use cases
• It’s more important to understand the purpose of a tool than to memorize categories
Old Episode 4.03

Episode 12.02 - Using Kali Linux

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
KALI LINUX DEMO
• Kali Linux demo
• Kali Linux is only one open source Linux distribution targeted at penetration testing
• Don't limit a pen testing toolbox to just Kali Linux
• Briefly launch each tool in Kali Linux listed in the exam objectives to explore their uses
• Remember that knowing Kali Linux is not a PenTest+ objective
Old Episode 4.04

Episode 12.03 - Scanners and Credential Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
SCANNERS
Tool | Notes | URL
Nikto | Web server vulnerability scanner | https://github.com/sullo/nikto
OpenVAS (Open Vulnerability Assessment System) | Open Source vulnerability scanner and manager | https://www.openvas.org/
SQLmap (Structured Query Language) | Automatic SQL injection and database takeover tool | https://sqlmap.org/
Nessus | Commercial vulnerability scanner (free for non-professional use) | https://www.tenable.com/products/nessus/nessus-professional
CREDENTIAL TESTING TOOLS
Tool | Category | Notes | URL
Hashcat | Offline | Advanced password recovery (world’s fastest) | https://hashcat.net/hashcat/
Medusa | Online | Parallel network login auditor | https://foofus.net/goons/jmk/medusa/medusa.html
Hydra | Online | Parallelized login cracker | https://sectools.org/tool/hydra/
Cewl | | Custom wordlist generator | https://digi.ninja/projects/cewl.php
John the Ripper | Offline | Password cracker | https://www.openwall.com/john/
Cain and Abel | Online/offline | Windows password recovery tool | https://www.oxid.it/cain.html
Mimikatz | Online/offline | A little tool to play with Windows security | https://github.com/gentilkiwi/mimikatz
Patator | Online | Multi-purpose brute-forcer | https://github.com/lanjelot/patator
Dirbuster | | Multi-threaded app to brute force directories and file names on web servers | https://www.owasp.org/index.php/Category:OWASP_DirBuster_Project
W3AF | Online | Web Application Attack and Audit framework | https://w3af.org/
ANALYZE TOOL OUTPUT
• Password cracking – demo John the Ripper
• Pass the hash – demo Mimikatz
• Scanners are "meta" tools that provide several levels of output
• Scanners are powerful, but very noisy, and using them risks being detected
• Credential cracking tools run either in online or offline modes
• Effective dictionary attacks depend on good user/password lists
Old Episode 4.05

Episode 12.04 - Code Cracking Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
DEBUGGERS
Tool | Notes | URL
OLLYDBG | Windows 32-bit | https://www.ollydbg.de/
Immunity debugger | Write exploits, analyze malware, and reverse engineer binary files | https://www.immunityinc.com/products/debugger/
GDB | GNU project debugger | https://www.gnu.org/software/gdb/
WinDBG | Windows debugger | https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools
IDA | Cross platform debugger | https://www.hex-rays.com/products/ida/debugger/index.shtml
SOFTWARE ASSURANCE TOOLS
Tool | Notes | URL
Findbugs/findsecbugs | Auditor of Java web applications | https://find-sec-bugs.github.io/
Peach | Fuzzer – automated testing | https://www.peach.tech/products/peach-fuzzer/
AFL | American Fuzzy Lop - fuzzer | https://lcamtuf.coredump.cx/afl/
SonarQube | Continuous inspection – automated testing | https://www.sonarqube.org/
YASCA | Yet Another Source Code Analyzer | https://github.com/scovetta/yasca
• Debuggers are advanced tools and can reveal how a program works
• Debuggers can also allow testers to modify data as the program is running
• Software assurance tools can help to identify vulnerabilities in applications
Old Episode 4.06

Episode 12.05 – Open-Source Research Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
OPEN SOURCE INTELLIGENCE (OSINT) TOOLS
Tool | Notes | URL
Whois | Domain details (contacts, name servers, etc.) | https://whois.icann.org/en (and many more)
Nslookup | DNS information | Installed or available on most OSs
Foca | Fingerprint Organizations with Collected Archives – finds document metadata | https://github.com/ElevenPaths/FOCA
Theharvester | Gathers info from many sources (email, hosts, open ports, etc.) | https://github.com/laramies/theHarvester
Shodan | Finds Internet connected devices | https://www.shodan.io/
Maltego | Data mining for investigations | https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
Recon-NG | Web reconnaissance | https://bitbucket.org/LaNMaSteR53/recon-ng
Censys | Finds Internet connected devices | https://censys.io/
ANALYZE TOOL OUTPUT
• Whois demo
• Nslookup demo
• OSINT data can help fill in information gaps
• Some information is not based on IP addresses or domain names
• Be creative when exploring attack vectors for targets
• Targets can be devices, people, user accounts, and even facilities
Old Episode 4.07

Episode 12.06 – Wireless and Web Pen Testing Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
WIRELESS TOOLS
Tool | Notes | URL
Aircrack-NG | Monitoring, attacking, testing, cracking | https://www.aircrack-ng.org/
Kismet | Wireless detector, sniffer and intrusion detection system | https://www.kismetwireless.net/
WiFite | Wrapper for other wireless tools (current version is WiFite2) | https://github.com/derv82/wifite2
WEB PROXIES AND SOCIAL ENGINEERING TOOLS
Web proxies
Tool | Notes | URL
OWASP ZAP | Zed Attack Proxy – Web application security scanner | https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
Burp Suite | Graphical tool for testing web application security | https://portswigger.net/burp
Social engineering tools
Tool | Notes | URL
SET | Social Engineering Toolkit – penetration testing using social engineering | https://www.trustedsec.com/social-engineer-toolkit-set/
BeEF | Browser Exploitation Framework – focus is on web browser | http://beefproject.com/
ANALYZE TOOL OUTPUT
• Proxying a connection - demo
• Wireless attackers can intercept traffic more easily than wired network traffic
• The rapid IoT (Internet of Things) growth has resulted in lots of unsecure wireless devices
• Web applications are often fertile grounds for finding vulnerabilities
Old Episode 4.08

Episode 12.07 – Remote Access Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
REMOTE ACCESS TOOLS
Tool | Notes | URL
SSH | Secure shell | Included or available in most OSs
NCAT | Similar to nc, but from Nmap developers | https://nmap.org/ncat/
NETCAT | Same as nc | Included or available in most OSs
Proxychains | Forces TCP connections through a proxy | https://github.com/haad/proxychains
ANALYZE TOOL OUTPUT
• Setting up a bind shell - demo
• Getting a reverse shell - demo
• There are multiple ways to leverage remote connections
• The PenTest+ exam focuses on command-line tools for remote access
• Remote access is often followed by privilege escalation attacks and/or preceded by credential attacks
Old Episode 4.09

Episode 12.08 – Analyzers and Mobile Pen Testing Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
NETWORKING AND MOBILE TOOLS
Networking Tools
Tool | Notes | URL
Wireshark | Packet sniffer/protocol analyzer | https://www.wireshark.org/
Hping | Packet assembler/analyzer | https://www.hping.org/
Mobile Tools
Tool | Notes | URL
Drozer | Android security and attack framework | https://labs.mwrinfosecurity.com/tools/drozer/
APKX | Android APK decompiler | https://github.com/b-mueller/apkx
APK Studio | Android app decompiler | https://vaibhavpandey.com/apkstudio/
• Sniffers show the contents of network packets (may be encrypted)
• Some tools allow packets to be changed before sending them to the recipient
• A proxy allows testers to launch man-in-the-middle exploits
Old Episode 4.10

Episode 12.09 – Other Pen Testing Tools

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
MISCELLANEOUS TOOLS
Tool | Notes | URL
Searchsploit | Search tool for exploit database | https://www.exploit-db.com/searchsploit/
Powersploit | Post-exploitation framework (MS PowerShell) | https://github.com/PowerShellMafia/PowerSploit
Responder | Microsoft network poisoner | https://github.com/SpiderLabs/Responder
Impacket | Python classes for working with network protocols | https://github.com/CoreSecurity/impacket
Empire | PowerShell/Python post-exploitation agent | https://github.com/EmpireProject/Empire
Metasploit framework | Comprehensive penetration testing framework | https://www.metasploit.com/
• Searchsploit easily searches out exploits using keywords
• Powersploit and Empire are tools that can be used for post-exploitation activities
• Responder is a network poisoner that can compromise Microsoft networks
• Metasploit is a comprehensive pen testing framework with a number of useful tools within it
New episode

Episode 12.10 – Labtainers Lab (Metasploit Framework)

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
SLATE
Clip: Roll 03 Clip 006 and Roll 03 Clip 007 (this episode was shot in 2 Camtasia clips)
Chapter Name: 12 Tools Inventory
Proposed Episode #: 12.11
Episode Name: Labtainers Lab (Metasploit Framework)
Date: 3/10/22
Lab: Software Vulnerabilities: metasploit
• Intro lab (Metasploit framework)
• Lab requires download and setup time
• All automatic
• No Qr for this
New episode

Episode 12.11 – Labtainers Lab (Wireshark Packet Inspection)

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
SLATE
Clip: Roll 03 Clip 008
Chapter Name: 12 Tools Inventory
Proposed Episode #: 12.12
Episode Name: Labtainers Lab (Wireshark Packet Inspection)
Date: 3/10/22
Lab: Network Traffic Analysis: packet-introspection
• Intro lab (Using Wireshark for more advanced packet analysis)
• No Qr for this
New episode

Episode 12.12 - Labtainers Lab (SSH)

Objective 5.3 Explain use cases of the following tools during the phases of a penetration test
SLATE
Clip: Roll 03 Clip 009
Chapter Name: 12 Tools Inventory
Proposed Episode #: 12.13
Episode Name: Labtainers Lab (SSH)
Date: 3/10/22
Lab: Crypto Labs: sshlab
• Intro lab (Secure remote access with SSH)
• No Qr for this
