The job of a penetration tester, sometimes known as an ethical hacker, is to mimic assaults on a client’s network or systems to identify security flaws.
Pen testing aims to determine how effective an organization’s security measures are and to identify any weaknesses that a real attacker could exploit.
In this piece, we’ll focus on one facet of the pen tester’s job: the tools they use to breach their clients’ defenses. These are, in other words, the same kinds of tools that criminal hackers use.
A lot of manual bit tinkering was required for hacking back in the stone age.
The availability of a comprehensive set of automated testing tools has transformed modern hackers into cyborgs, computer-enhanced individuals capable of performing extensive testing.
If you need to travel across the nation, why use a horse and buggy when you can take a jet plane?
These lightning-fast resources make a pen tester’s work more accessible, effective, and efficient in the modern world.
Best software for penetration testing
1. Kali Linux
It is the de facto standard for penetration testers; anyone who isn’t using it is either not doing pen testing properly or is working at the cutting edge.
Kali, formerly known as BackTrack Linux, is a Linux distribution built explicitly for offensive use by penetration testers.
It is maintained by the same team at Offensive Security (OffSec) responsible for the OSCP certification.
Kali can be run on dedicated hardware, although most penetration testers use OS X or Windows computers with virtual machines to do their tests instead.
When it comes to pen testing, most people prefer Kali because it comes pre-installed with most of the tools discussed here.
A word of caution, though: Kali is built for offense, not defense, and is itself easily compromised in turn. Don’t keep any top-secret documents in your Kali virtual machine.
2. Nmap
Nmap (short for “network mapper”) is a time-tested port scanner that remains an indispensable part of any penetration testing arsenal.
Which ports are open? What software is listening on them?
The pen tester will need this data during the recon phase, and nmap is usually the ideal tool for the job.
Despite the occasional hysteria from a non-technical C-level executive that some unknown party is port scanning the enterprise, nmap is lawful to use and is analogous to knocking on every front door in the neighborhood to see if anyone is home.
To map the public security posture of businesses big and small, many legitimate organizations, such as insurance agencies, internet cartographers like Shodan and Censys, and risk scorers like BitSight, routinely scan the entire IPv4 range with specialized port-scanning software (usually nmap competitors masscan or zmap).
Malicious attackers perform port scans too, however, so it’s worth logging this activity and keeping an eye on it.
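As an added illustration of the defensive side of that last point (example code, not part of the article, nmap or any product named here), the following Python flags scan-like behavior in a constructed, simplified connection log. The log format, the sample addresses, the thresholds and the allowlist are assumptions for the demo; real firewall or flow exports would need their own parser.

```python
"""Flagging port-scan behaviour in connection logs.

Added example for this article; it is not part of nmap or any product named
there. It reads a constructed, simplified connection-log format
("<epoch_seconds> <src_ip> <dst_ip> <dst_port> <proto>") and flags any source
that touches many distinct destination ports within a short sliding window,
which is the trace a scan leaves regardless of which scanner produced it.
"""
from collections import defaultdict, deque

# Constructed sample data: 10.0.0.9 is an ordinary client talking to two
# services; 10.0.0.5 sweeps twenty ports on one host within five seconds.
NORMAL_LINES = [
    "1700000000 10.0.0.9 192.0.2.10 443 tcp",
    "1700000002 10.0.0.9 192.0.2.10 443 tcp",
    "1700000003 10.0.0.9 192.0.2.11 80 tcp",
    "1700000007 10.0.0.9 192.0.2.10 443 tcp",
]
SCAN_LINES = [
    f"{1700000001 + i // 4} 10.0.0.5 192.0.2.10 {port} tcp"
    for i, port in enumerate(range(20, 40))
]
SAMPLE_LOG_LINES = NORMAL_LINES + SCAN_LINES


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, proto)."""
    ts, src, dst, port, proto = line.split()
    return int(ts), src, dst, int(port), proto


def detect_port_scans(lines, window_seconds=10, port_threshold=15, allowlist=()):
    """Return {src_ip: peak number of distinct (dst, port) targets seen inside
    one window} for every source that reaches port_threshold.

    Sources in allowlist (e.g. your own scheduled vulnerability scanner) are
    skipped so that routine internal scans do not page anyone.
    """
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)                        # src -> deque[(ts, (dst, port))]
    in_window = defaultdict(lambda: defaultdict(int))  # src -> {(dst, port): count}
    alerts = {}
    for ts, src, dst, port, _proto in events:
        if src in allowlist:
            continue
        key = (dst, port)
        recent[src].append((ts, key))
        in_window[src][key] += 1
        # Evict events that have fallen out of the sliding window.
        while recent[src] and ts - recent[src][0][0] > window_seconds:
            _old_ts, old_key = recent[src].popleft()
            in_window[src][old_key] -= 1
            if in_window[src][old_key] == 0:
                del in_window[src][old_key]
        distinct = len(in_window[src])
        if distinct >= port_threshold:
            alerts[src] = max(alerts.get(src, 0), distinct)
    return alerts


if __name__ == "__main__":
    for src, peak in detect_port_scans(SAMPLE_LOG_LINES).items():
        print(f"possible port scan from {src}: {peak} distinct ports in one window")
```

Run it directly to print the flagged source. Tune `window_seconds` and `port_threshold` to your environment, and list your own scheduled scanners in `allowlist` so they do not generate noise; the constants here are only demo values.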
3. Metasploit
Instead of exploiting, why not meta-exploit?
Like a crossbow, all you have to do with this clever meta-program is aim, select an exploit, pick a payload, and fire.
Metasploit truly is “the world’s most used penetration testing framework,” as its website boasts, because it automates a massive amount of work that was previously tedious.
Metasploit, open source and commercially supported by Rapid7, is a must-have for defenders who want to protect their networks from intrusion.
4. Wireshark
After we’ve successfully hacked your brain to hum “Wireshark doo doo doo doo doo doo,” you’ll be much more likely to remember this network protocol analyzer.
Wireshark is the go-to program for analyzing network traffic.
Wireshark is best known for investigating common TCP/IP connection problems, but it also supports analysis of hundreds of other protocols, including real-time analysis and decryption.
If you are just starting out in penetration testing, Wireshark is one of the first tools to get familiar with.
5. John the Ripper
In contrast to its namesake, John the Ripper will gladly crack passwords as quickly as your GPU will allow.
This free and open-source tool is designed for offline password cracking. John can either take a word list of likely passwords and mangle them (replacing “a” with “@”, “s” with “5”, and so on), or it can brute-force indefinitely, given powerful enough hardware.
John is usually effective at cracking passwords, since most people choose simple, short ones.
6. Hashcat
The developers of Hashcat, who call it the “world’s fastest and most powerful password recovery utility,” aren’t shy about their product’s superiority.
John the Ripper is no match for Hashcat.
Hashcat is the go-to pen testing tool for cracking hashes and supports various brute-force techniques for guessing passwords.
Extraction of hashed passwords is a standard part of pen testing, and exploitation of these credentials typically requires running a tool like hashcat offline in the hopes of guessing or brute-forcing at least some of them.
Hashcat calls for a modern GPU (sorry, Kali VM users). CPU-only cracking is still supported by legacy hashcat, but users are warned that it is far slower than cracking on a GPU.
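The mangling rules described for John the Ripper above, and the speed at which Hashcat applies them, are exactly why a password policy should look at what a cracker would recover rather than just counting character classes. The following Python is an added example (not code from John the Ripper or Hashcat) that inverts those substitutions to reject passwords that are a dictionary word in disguise; `COMMON_WORDS`, `LEET_MAP` and the 12-character minimum are constructed assumptions for the demo, and a real deployment would load a large leaked-password list instead.

```python
"""Rejecting passwords that a cracker's mangling rules would recover.

Added example for this article, not code from John the Ripper or Hashcat.
It turns the substitution rules described in the text ("a" -> "@", "s" -> "5",
appended digits and punctuation) around: a candidate password is normalised
back toward its base word and rejected if that base word is in a wordlist.
COMMON_WORDS is a constructed stand-in for a real leaked-password list.
"""
import re

COMMON_WORDS = {"password", "welcome", "summer", "letmein", "admin", "qwerty", "monkey"}

# Inverse of the usual leet substitutions: each symbol maps back to the letter
# a cracker's rule would have replaced. "1" and "!" are left out because they
# are ambiguous (i or l) and would swallow appended punctuation.
LEET_MAP = str.maketrans({
    "@": "a", "4": "a", "3": "e", "0": "o", "$": "s", "5": "s", "7": "t",
})


def normalize(password):
    """Map a candidate back toward the base word a mangling rule started from.

    Appended digits/symbols ("Summer2023!") are stripped before the leet
    substitutions are undone, so a leading leet digit ("5ummer") survives.
    Prepended junk ("!!admin") is deliberately not handled here.
    """
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # drop the appended "2023!" style suffix
    return base.translate(LEET_MAP)         # then undo the substitutions


def is_weak(password, wordlist=COMMON_WORDS, min_length=12):
    """Return (weak, reason). Length is checked first, then the base word."""
    if len(password) < min_length:
        return True, "too short"
    base = normalize(password)
    if base in wordlist:
        return True, f"mangled dictionary word '{base}'"
    return False, "ok"


if __name__ == "__main__":
    for candidate in ("P@55w0rd2023!", "Summer!", "correct-horse-battery-staple"):
        print(candidate, "->", is_weak(candidate))
```

The point of the design is that the policy check runs the cracker's rules backwards: anything `normalize` can reduce to a wordlist entry is something a rule-based attack would reach in its first few seconds, no matter how many symbols it contains.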
7. Hydra
Hydra, John the Ripper’s companion, is the tool for cracking a password against an online service such as SSH, FTP, IMAP, IRC, RDP, and many more.
Point Hydra at the target, feed it a word list if you like, and fire away at the service you want to get into.
Attack tools like Hydra highlight the importance of implementing defensive measures like rate-limiting password attempts and disconnecting users after multiple failed login attempts.
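As an added example of the defensive measures just described (not code from Hydra or from any server product), here is a small Python login throttle with per-account failure counting and lockout, plus a constructed simulation of a fifty-guess burst against one account. The account name, passwords, limits and timings are assumptions for the demo; the clock is injectable so the behavior can be checked deterministically.

```python
"""Failed-login throttling and lockout for an online service.

Added example for this article; it is not part of Hydra or of any server
software. It implements the defence the article calls for: count failed
attempts per account inside a window, lock the account for a period once the
limit is hit, and only re-arm after a success or after the lockout expires.
"""
import time
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_failures=5, window_seconds=300,
                 lockout_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> timestamps of recent failures
        self.locked_until = {}              # account -> time the lockout ends

    def is_locked(self, account):
        now = self.clock()
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:                    # lockout expired: re-arm the counter
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        now = self.clock()
        recent = self.failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout

    def record_success(self, account):
        self.failures[account].clear()


def authenticate(throttle, account, password, verify):
    """Return 'locked', 'ok' or 'bad'. The password is only checked while the
    account is not locked, so a guessing loop gets at most max_failures
    verifications per lockout period."""
    if throttle.is_locked(account):
        return "locked"
    if verify(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "bad"


class FakeClock:
    """Manually advanced clock used instead of time.monotonic in the demo."""
    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now


def simulate_burst(guesses=50):
    """Constructed scenario: rapid guesses against one account, with the
    correct password buried at position ten. Returns the outcome counts and
    whether the legitimate user can log in once the lockout has expired."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    correct = "hunter2-but-longer"          # constructed demo secret
    verify = lambda account, pw: account == "alice" and pw == correct
    wordlist = [f"guess{i}" for i in range(guesses)]
    if guesses > 9:
        wordlist[9] = correct               # the lockout should hide even this hit
    counts = {"ok": 0, "bad": 0, "locked": 0}
    for pw in wordlist:
        counts[authenticate(throttle, "alice", pw, verify)] += 1
        clock.now += 0.1                    # attempts arrive ten per second
    clock.now += throttle.lockout + 1       # wait out the lockout...
    usable_again = authenticate(throttle, "alice", correct, verify) == "ok"
    return counts, usable_again


if __name__ == "__main__":
    print(simulate_burst())
```

Only the first five guesses ever reach the password check; the remaining forty-five, including the correct one, are refused without being verified, and the account becomes usable again once the lockout period has passed. Lockouts of this kind are themselves a denial-of-service lever, so production systems usually pair them with per-source rate limiting and alerting rather than relying on the per-account counter alone.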
8. Burp Suite
Burp Suite, a web vulnerability scanner, is an expensive professional tool that is often left out of discussions of pen-testing tools because it is neither free nor libre.
A free community edition of Burp Suite is available, but it lacks many of the features of the paid enterprise edition, which can be had for a mere $3,999 annually (that psychological pricing doesn’t make it seem much cheaper, folks).
But there’s a good reason they can charge such exorbitant prices.
Weaknesses in a website can be quickly and easily detected by using Burp Suite.
Aim it at the website you wish to check, and release the shot when ready.
There is an alternative to Burp that is just as good and costs the same, called Nessus.
9. Zed Attack Proxy
If you don’t have the funds for Burp Suite, don’t worry: OWASP’s Zed Attack Proxy (ZAP) is open source and just as powerful. ZAP sits as a “man in the middle” between your browser and the website you’re evaluating.
Although it lacks many of Burp’s features, it is a good starting point for learning how exposed web traffic really is, and its open-source licensing makes large-scale deployment easier and cheaper.
Nikto is another open-source alternative that covers similar ground to ZAP.
10. sqlmap
What is this I hear about SQL injection? Howdy there, sqlmap.
This open-source SQL injection tool “automates the process of finding and exploiting SQL injection problems and taking over of database servers,” as its website puts it.
Sqlmap works with all the standard database systems.
This includes MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, HSQLDB, and H2.
Old-school SQL injection techniques involved applying heat to a hard drive. Today’s pen testers can eliminate eye strain by using sqlmap.
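To make concrete what sqlmap is hunting for, here is an added Python example (not sqlmap’s code) that queries a constructed in-memory SQLite table both the vulnerable way and the parameterized way, using the classic boolean tautology probe. The table name, rows and column names are assumptions for the demo.

```python
"""The bug an injection scanner looks for, next to its fix.

Added example for this article, not code from sqlmap. It builds an in-memory
SQLite table (constructed data) and queries it two ways: with the user-supplied
value concatenated into the SQL text, and with the value bound as a parameter.
The boolean probe that returns every row from the first query is just a
literal string to the second, which is why parameterised queries are the
standard fix for the whole class of flaw an injection scanner enumerates.
"""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"),
         ("carol", "carol@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable: the input becomes part of the SQL statement itself."""
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Fixed: the input is handed to the driver as data and never parsed as SQL."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username):
    """Row counts returned by each variant for the same input ('error' when the
    concatenated query is no longer valid SQL)."""
    conn = make_db()
    try:
        try:
            vulnerable = len(lookup_vulnerable(conn, username))
        except sqlite3.Error:
            vulnerable = "error"   # an apostrophe in honest input breaks the concatenated query
        return {
            "vulnerable": vulnerable,
            "parameterized": len(lookup_parameterized(conn, username)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice"))               # both variants find the one row
    print(compare("nobody' OR '1'='1"))   # only the vulnerable variant returns every row
    print(compare("o'brien"))             # the vulnerable variant fails on a legitimate name
```

The third case is the tell a defender can watch for even without a scanner: a query that breaks on an apostrophe in ordinary input is a query that is being built by string concatenation, and the fix is the same bound-parameter form shown in `lookup_parameterized` regardless of which database engine sits behind it.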
11. aircrack-ng
How safe is using your client’s (or your own) wireless network? The tool aircrack-ng can help you find out. You’ll have to buy your own Pringles can, but this wifi security auditing program is free/libre.
Poor configuration, weak passwords, or antiquated encryption algorithms make cracking Wi-Fi networks common.
Many prefer aircrack-ng to other methods, with or without a Pringles cantenna.