Penetration Testing Tools
Packet
Shaper:
- Nemesis:
a command line packet shaper - Packit:
The Packet Toolkit – A network packet shaper. - Hping
by Antirez: a command line TCP/IP packet shaper - Sing:
stands for ‘Send ICMP Nasty Garbage’; sends fully customizeable ICMP
packets - Scapy:
a new python-based packet generator
Password
Cracker/Login Hacker:
- John
the Ripper: a well-known
password cracker for Windows and *nix Systems - Djohn:
a distributed password cracker based on "John
the Ripper" - Cain
& Abel: an advanced
password recovery tool for windows systems. It sniffs the network
packets an cracks authentication brute-force or with dictionary
attacks. - Project
RainbowCrack: Advanced instant
NT password cracker - Rainbowtables: The
shmoo group provides pre-generated rainbow tables for bittorrent
download. The tables are generated with RainbowCrack (see above). - Windows
NT
password recovery tool by Peter
Nordahl - THC-Dialup
Login Hacker by THC. It tries to
guess username and password against the modem carrier. As far as I know
the only available dialup password guesser for *NIX. - Hydra
by THC: a multi-protocol login hacker. Hydra is also integrated with Nessus. - Medusa: parallel network login auditor
- THC
imap bruter: a very fast imap
password brute forcer - x25bru:
a login/password bruteforcer for x25 pad - Crowbar: a generic web brute force tool (Windows only; requires .NET Framework)
- MDCrack-NG: a very fast MD4/MD5/NTLMv1 hash cracker; works optionally with precomputed hash tables
Advanced
Sniffers:
- Wireshark (formerly known as Ethereal): an open source network protocol analyzer
- Dsniff
by Dug Song: a combination of very useful sniffer and man-in-the-middle
attack tools - Ettercap:
a multipurpose sniffer/interceptor/logger for switched LAN environments - aimsniffer:
monitors AOL instant messager communication on the network - 4G8:
a tool ,similar to ettercap, to capture network traffic in switched
environments - cdpsniffer:
Cisco discovery protocol (CDP) decoding sniffer
Port
Scanner / Information Gathering:
- nmap:
the currently most well-known port scanner. Since version 3.45 it
supports version
scans. Have a look at PBNJ for diffing different nmap scans. - ISECOM
released their nmap wrapper NWRAP,
which shows all known protocols for the discovered ports form the Open
Protocol Resource Database - Nmap::Scanner:
Perl output parser for nmap - Amap
by THC: An advanced portscanner which determines the application behind
a network port by its application handshake. Thus it detects well-known
applications on non-standard ports or unknown applications on
well-known ports. - vmap
by THC: version mapper to determine the version (sic!) of scanned daemons - Unicornscan:
a information gathering and correlation engine - DMitry (Deepmagic Information Gathering Tool): a host information gathering tool for *nix systems
- Athena:
a search engine query tool for passive information gathering
Security
Scanner:
- Nessus
- In version 2 an OpenSource network scanner. Version 3 is only available in binary form and under a proprietary license. - OpenVAS: a fork of Nessus 2.2.5 (formerly known as GNessUs)
- Nessj: a java based nessus (and compatibles) client (formerly known as Reason)
- Paul
Clip from @stake released AUSTIN,
a security scanner for Palm OS 3.5+.
Webserver:
- Nikto:
a web server scanner with anti IDS features. Based on Rain Forest
Puppies libwhisker
library. - Wikto: a webserver assessment tool (Windows only; requires .NET framework)
- WSDigger:
a black box web pen testing tool from Foundstone (Windows based) - Metis:
a java based information gathering tool for web sites
Fingerprinting:
- SinFP: a fingerprinting tool which requires only an open tcp port and sends maximum 3 packets
- Winfingerprint:
much more than a simple fingerprinting tool.It scans for Windows
shares, enumerates usernames, groups, sids and much more. - p0f
2: Michal Zalewski announced his
new release of p0f 2, a passive OS fingerprinting tool. p0f 2 is a
completely rewrite of the old p0f code. - xprobe2:
a remote active operating system fingerprinting tool from Ofir Arkin
and the xprobe2 team - Cron-OS:
an active OS fingerprinting tool based on TCP timeout behavior. This
project was formerly known as "RING" and is now published as a nmap
addon.
Proxy
Server:
- Burp
proxy: an interactive HTTP/S
proxy server for attacking and debugging web-enabled applications - Screen-scraper:
a http/https-proxy server with a scripting engine for data manipulation
and searching - Paros:
a man-in-the-middle proxy and application vulnerability scanner - WebScarab: a framework for analyzing web applications. One of it’s basic functionality is the usage as intercepting proxy.
War Dialers:
- IWar: a classic war dialer. One of a few wardialers for *nix operation systems, and the only with VOIP functionality (to my knowledge)
- THC-Scan: a war dialer for DOS, Windows and DOS emulators
Malware / Exploit Collections:
- packetstormsecurity.org:
Huge collections of tools and exploits - ElseNot Project: The project tries to publish an exploit for each MS Security Bulltin. A script kiddie dream come true.
- Offensive Computing: Another malware collection site
- Securityforest: try the ExploitTree to get a collection of exploit code; have a look at the ToolTree for a huge list of pentest stuff
Databases / SQL:
- sqlninja: a tool to exploit sql injection vulnerabilities in web applications with MS SQL Servers (alpha stage)
- CIS
Oracle Database Scoring Tool:
scans Oracle 8i for compliance with the CIS Oracle Database
Benchmark - SQLRecon:
an active and passive scanner for MSSQL server. Works on Windows 2000,
XP and 2003. - absinthe: a
gui-based tool that automates the process of downloading the schema
& contents of a database that is vulnerable to Blind SQL Injection
(see here
and here). - SQL Power Injector: a GUI based SQL injector for web pages (Windows, .Net Framework 1.1 required, Internet Explorer 5.0+ required)
Voice over IP (VOIP):
- vomit (voice over misconfigured internet telephones): converts Cisco IP phone conversations into wave files
- SiVuS: a VOIP vulnerability scanner – SIP protocol (beta, Windows only)
- Cain & Abel: mostly a password cracker, can also record VOIP conversations (Windows only)
- sipsak (SIP swis army knife): a SIP packet generator
- SIPp: a SIP test tool and packet generator
- Nastysip: a SIP bogus message generator
- voipong: dumps G711 encoded VOIP communications to wave files. Supports: SIP, H323, Cisco Skinny Client Protocol, RTP and RTCP
- Perl based tools by Thomas Skora: sip-scan, sip-kill, sip-redirectrtp, rtpproxy and ipq_rules
- rtptools: a toolset for rtp recording and playing
Networkbased Tools:
- yersinia: a network tool
designed to take advantage of some weakeness in different network
protocols (STP, CDP, DTP, DHCP, HSRP, 802.1q, VTP) -
Netsed:
alters content of network packets while
forwarding the packets - ip6sic:
a IPv6 stack integrity tester
VPN:
- ike-scan:
an IPSec enumeration and fingerprinting tool - ikeprobe:
ike scanning tool - ipsectrace:
a tool for profiling ipsec traffic in a dump file. Initial alpha release - VPNMonitor:
a Java application to observer network traffic. It graphically
represents network connections and highlights all VPN connections. Nice
for demonstrations, if somewhat of limited use in a real pen test. - IKECrack:an IKE/IPSec cracker for pre-shared keys (in aggressive mode authentication [RFC2409])
DNSA:
DNS Auditing tool by Pierre Betouin
Hunt:
a session hijacking tool with curses GUI
SMAC:
a Windows MAC Address Modifying Utility. Supports Windows 2000 and XP.
The
WebGoat Project: a web
application written in Java with intentional vulnerabilities. Supports
an interactive learning environment with individual lessons.
TSCrack:
a Windows Terminal Server brute forcer
Ollie
Whitehouse from @stake released some new cellular phone based
pentesting tools for scanning
(NetScan,
MobilePenTester).
All tools
require a Sony Ericsson P800 mobile phone. Unfortunately, @stake seems
no longer to support much of their free
security tools. So, use instead the alternativ download links above.
THC-FuzzyFingerprint:
generates fuzzy fingerprints that look almost nearly equal to a given
fingerprint/hash-sum. Very useful for MITM attacks.
BeatLM,
a password finder for LM/NTLM hashes. Currently, there is no support
for NTLM2 hashes. In order to get the hashes from network traffic, try ScoopLM.
THC
vlogger: a linux kernel based
keylogger
The
Metasploit Framework: an
"advanced open-source platform for developing, testing, and using
exploit code".
ATK (Attack Tool Kit): a comination of security scanner and exploit framework (Windows only)
Pirana: an exploitation framework to test the security of email content filters. See also the whitepaper
PassLoc:
a tool which provides the means to locate keys within a buffer. Based
on the article "Playing
hide and seek with stored keys"
by Adi Shamir.
Dl-Hell:
identifies an executables dynamic link library (DLL) files
DHCPing:
a security tool for testing dhcp security
ldapenum:
a perl
script for enumeration against ldap servers.
Checkpwd: a dictionary based password checker for oracle databases
NirCmd from NirSoft: a windows command line tool to manipulate the registry, initiate a dialup connection and much more
Windows Permission Identifier: a tools for auditing user permissions on a windows system
MSNPawn: a toolset for footprinting, profiling and assesment via the MSN Search. Windows-only, .NET required
snmpcheck:a tool to gather information via snmp. Works on Linux, *BSD and Windows systems.
pwdump6: extract NTLM and LanMan hashes from Windows targets
Did you enjoy this post? Why not leave a comment below and continue the conversation, or subscribe to my feed and get articles like this delivered automatically to your feed reader.
Comments
No comments yet.
Leave a comment