The Pen Testing Tools We’re Thankful for This Season
by Britt Kemp, on Nov 28, 2019 8:30:00 AM
From the perspective of working at a security consultancy, a few of the things that we are grateful for this holiday season are: copious supplies of cold brew coffee, hacking alongside some brilliant folks, and of course, the tools we use daily that make our lives much easier.
And although this list isn’t the be-all and end-all, we’re grateful for them and believe that adding these solutions to your arsenal will amplify your hacking abilities.
Its Use: This hacking tool allows you to detect and take over subdomains with dead DNS records. You can check to see if a dangling CNAME is pointing to a CMS provider that can be taken over, a non-existent domain name, or nameserver records that can be used to gain control of a subdomain’s DNS records.
Why We Like It: One of our consultants shared: “TKO-SUBs is very high on my list as I’ve easily done ~400 subdomain takeovers with it.” Enough said.
Its Use: This open source application is designed for Active Directory reconnaissance and auditing. By leveraging the power of graph theory, the tool highlights the existing relationships in an Active Directory environment. You can use BloodHound to identify complex attack paths that would otherwise be difficult to pinpoint.
Why We Like It: If you’re not already using BloodHound and you work with Active Directory at all, you need to check out this tool immediately. Red teamers will find BloodHound useful for identifying and visualizing the potential attack paths to the desired target, such as access control lists, users, groups, trust relationships, and AD objects. Some uses even surpass Active Directory-related needs (like password analysis).
Its Use: Impacket is a collection of Python classes for working with network protocol. It allows Python developers to craft and decode network packets in a simple and consistent manner.
Why We Like It: When it comes to conducting internal network penetration tests, this Python library is a necessity. It comes with plenty of useful scripts that allow you to hit the ground running when you start testing a network. Given the ubiquity of Python in writing scripts, nearly every pen tester can benefit from adding Impacket to their arsenal.
Creator: Now Secure
Its Use: Frida is a framework that allows users to execute their own scripts in locked-down software. It is well known for its use with Android applications.
Why We Like It: “Like” cannot capture our feelings about Frida – “love” would be more accurate. It’s a Swiss Army Knife for monitoring and manipulating running programs on mobile and desktop platforms. Bishop Fox researcher Priyank Nigam recently leveraged Frida to reverse-engineer several mass transit ticketing mobile applications. (Read about it here).
Its Use: AttackForge is a penetration testing management and collaboration platform that helps teams easily coordinate large-scale pen testing programs.
Why We Like It: There are a few platforms that are meant for collaborative pen tests - AttackForge is a newer contender. Its interface is incredibly user-friendly, and it serves as an excellent liaison between the in-the-weeds security researcher and the big-picture-thinking executive. It also integrates with Jira, which makes it perfect for any agile organization.
Its Use: This semi-automated, feedback-driven hacker tool scrapes GitHub for sensitive secrets that may be accidentally exposed.
Why We Like It: GitGot augments the work of a scanner by mixing in human ingenuity. Often used to improve the workflow of gathering leaked secrets, GitGot yields more positive identifications in less time, which empowers testers to work more efficiently without the fatigue of working from a traditional scanner output.
Its Use: h8mail is a password-hunting tool, used for OSINT.
Why We Like It: If you need to do recon (let’s say for a red teaming engagement), this tool gives you access to password dumps and other information leaked during a breach. Frequently updated, it’s an immensely helpful tool to have in your back pocket. (Plus, it’s kind of fun to use.)
Its Use: Sliver is a general-purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. It currently is still in its alpha stages, with updates planned for the near future.
Why We Like It: Sliver creates implants that can run on numerous architectures. It’s ideal for red teams, circumventing detection by leveraging DNS canaries to flag file discovery. Sliver’s features (which many other C2 tools lack) include Windows user token manipulation, anti-anti-anti forensics, and Let’s Encrypt integration among others. You can also have multiple operators running Sliver, giving you a leg up on the blue team.