In this blog, we will explore some of the most common tools used by penetration testers when performing an assessment. A penetration test is designed to emulate an attacker trying to breach your network or gain access to sensitive data, so while some of these tools cost money, all are readily available on the Internet. They are the same tools an attacker might use when trying to hack into your organization, and that is the primary reason we use them. Each of these tools is designed to give us more insight into what services and versions of software are running, or to let us interact with the network or applications in ways that a typical user wouldn't.
Nmap is a free, publicly available network scanner and one of the most popular tools used by penetration testers. Typically, nmap is used early in an assessment to scan the in-scope range of IP addresses, determine which ports are open, and do some light enumeration of services. Using nmap, our engineer runs custom scans designed to identify which hosts are live on the network. Once live hosts are identified, nmap can be used to scan all 65,535 TCP ports as well as the common UDP ports. Additionally, nmap has built-in version detection (the -sV option) that identifies what software, and which version of it, is listening on those ports. Finally, through its scripting engine (NSE), nmap can do some light vulnerability checking. For example, if nmap finds an FTP service listening, the ftp-anon script checks whether that server allows anonymous logins.
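The following Python script is an added example, not code from the original post or from the Nmap project. It performs the three steps described above (a TCP connect scan, a banner grab, and the anonymous-FTP check that ftp-anon automates) against two constructed stand-in services it starts on 127.0.0.1, so it runs offline. The fake FTP server, its banner, and the port numbers are assumptions made for the example; the scanning and checking functions are the part that carries over to a real target.

```python
import socket
import threading

HOST = "127.0.0.1"


def start_fake_ftp(allow_anonymous: bool) -> int:
    """Constructed stand-in for an FTP server (not a real one). It speaks just
    enough of the protocol to answer USER/PASS/QUIT. Returns its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            try:
                with conn, conn.makefile("rb") as lines:
                    conn.sendall(b"220 ExampleFTP 1.0 ready\r\n")  # constructed banner
                    anon = False
                    for line in lines:
                        cmd = line.strip().upper()
                        if cmd.startswith(b"USER"):
                            anon = cmd.endswith(b"ANONYMOUS")
                            conn.sendall(b"331 Please specify the password.\r\n")
                        elif cmd.startswith(b"PASS"):
                            ok = anon and allow_anonymous
                            conn.sendall(b"230 Login successful.\r\n" if ok
                                         else b"530 Login incorrect.\r\n")
                        else:  # QUIT or anything else ends the session
                            conn.sendall(b"221 Goodbye.\r\n")
                            break
            except OSError:
                pass  # client hung up mid-dialogue; keep serving

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_silent_service() -> int:
    """Constructed listener that accepts connections but never speaks first,
    like many binary protocols; a banner grab against it has to time out."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((HOST, 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                try:
                    conn.recv(1)  # wait for the client to talk or hang up
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Pick a localhost port nothing listens on: bind, note the number, release."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def connect_scan(host: str, ports, timeout: float = 0.3) -> dict:
    """TCP connect scan (what nmap -sT does) plus a banner grab on each open
    port. Returns {open_port: banner}; refused or unanswered ports are omitted."""
    found = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ECONNREFUSED, timeout, unreachable: port is not open
            s.close()
            continue
        try:
            banner = s.recv(256)  # FTP/SSH/SMTP-style services announce themselves
        except OSError:  # silent service: recv timed out
            banner = b""
        finally:
            s.close()
        found[port] = banner.decode("ascii", errors="replace").strip()
    return found


def ftp_allows_anonymous(host: str, port: int, timeout: float = 1.0) -> bool:
    """The check nmap's ftp-anon script performs: try the anonymous account."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as lines:
        def reply() -> str:
            return lines.readline().decode("ascii", errors="replace")
        if not reply().startswith("220"):
            return False
        s.sendall(b"USER anonymous\r\n")
        code = reply()[:3]
        if code == "230":  # some servers need no password at all
            return True
        if code != "331":
            return False
        s.sendall(b"PASS anonymous@example.com\r\n")
        ok = reply().startswith("230")
        s.sendall(b"QUIT\r\n")
        return ok


if __name__ == "__main__":
    ftp, silent = start_fake_ftp(allow_anonymous=True), start_silent_service()
    for port, banner in connect_scan(HOST, [ftp, silent, closed_port()]).items():
        print(f"{port}/tcp open  {banner or '(no banner)'}")
        if banner.startswith("220"):
            print("  ftp-anon:", "Anonymous FTP login allowed"
                  if ftp_allows_anonymous(HOST, port) else "anonymous login denied")
```

Two details matter on real networks: a service that never speaks first (the silent listener here) is still open, so an empty banner must not be read as a closed port, and the anonymous check has to accept both the "331 then 230" and the bare "230" reply sequences, because servers differ on whether they ask for a password.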
A penetration test, by default, includes a vulnerability scan. At Triaxiom Security, we are not just trying to find one way to break into your network or application, but rather to enumerate all of the vulnerabilities that may allow an attacker to do so in the future. This distinction separates a penetration test from an actual attack. In an actual attack, it is unlikely a vulnerability scan will be used, simply because it generates a lot of network traffic and is likely to be detected. However, we feel it is important to enumerate as many vulnerabilities as possible within the time allotted for a test in order to better assist you in protecting your network. A vulnerability scanner compares every discovered service, usually by its version banner or its response to a probe, against a database of known vulnerabilities and reports any matches. Because a banner match is only a claim that a vulnerability is present, Triaxiom then manually inspects each identified vulnerability, verifies that it exists, and attempts to exploit it. Triaxiom Security uses Nessus Professional, but there are several different vulnerability scanners to choose from.
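As an added example (not code from the original post or from Nessus), the script below shows the matching step a vulnerability scanner performs: each discovered service's banner is parsed into a product and version and compared against a database of advisories with affected version ranges. The advisory database, the identifiers, the products, and the service inventory are all constructed for the example and describe no real vulnerabilities; the point is the version-range logic and the handling of a service whose version cannot be identified, which is reported for manual review rather than silently treated as clean.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Constructed advisory database with made-up identifiers and products. Each entry
# says which versions are affected as a half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "EXAMPLE-2019-0001", "product": "examplehttpd", "introduced": "2.0.0",
     "fixed": "2.4.3", "title": "Example issue A in examplehttpd"},
    {"id": "EXAMPLE-2019-0002", "product": "examplehttpd", "introduced": "1.0.0",
     "fixed": "2.4.0", "title": "Example issue B in examplehttpd"},
    {"id": "EXAMPLE-2020-0003", "product": "exampleftpd", "introduced": "3.0.0",
     "fixed": "3.0.4", "title": "Example issue C in exampleftpd"},
]

# "product/1.2.3" or "product 1.2.3" at the start of a banner.
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w-]*)[/ ](?P<version>\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.4.1' -> (2, 4, 1); tuples compare component-wise, so 2.4 < 2.4.3."""
    return tuple(int(part) for part in text.split("."))


def version_in_range(version: str, introduced: str, fixed: str) -> bool:
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


@dataclass
class Finding:
    host: str
    port: int
    advisory: str
    title: str
    evidence: str
    status: str  # "unverified": a banner match is a claim, not proof


def match_service(host: str, port: int, banner: str) -> List[Finding]:
    """Findings for one service. An unparseable banner yields a manual-review
    item instead of nothing, so unfingerprinted services are not lost."""
    m = BANNER_RE.match(banner)
    if not m:
        return [Finding(host, port, "-", "Service version not identified",
                        banner, "manual-review")]
    product, version = m["product"].lower(), m["version"]
    findings = []
    for adv in ADVISORIES:
        if adv["product"] == product and version_in_range(
                version, adv["introduced"], adv["fixed"]):
            findings.append(Finding(host, port, adv["id"], adv["title"],
                                    banner, "unverified"))
    return findings


def scan_inventory(services: Iterable[Tuple[str, int, str]]) -> List[Finding]:
    """services: (host, port, banner) triples as produced by service enumeration."""
    report: List[Finding] = []
    for host, port, banner in services:
        report.extend(match_service(host, port, banner))
    return report


# Constructed inventory; the comments give the expected outcome of each line.
SAMPLE_SERVICES = [
    ("10.0.0.5", 80, "examplehttpd/2.4.1"),      # in [2.0.0, 2.4.3): 0001 only
    ("10.0.0.5", 21, "exampleftpd 3.0.4"),       # fixed version: nothing
    ("10.0.0.9", 8443, "ExampleHTTPd/1.9.12"),   # in [1.0.0, 2.4.0): 0002 only
    ("10.0.0.9", 9000, "220 Welcome"),           # no product/version: review
]

if __name__ == "__main__":
    for f in scan_inventory(SAMPLE_SERVICES):
        print(f"{f.host}:{f.port}  {f.advisory:<18} {f.status:<13} {f.title}")
```

Every finding leaves this stage marked unverified. That label is what drives the next step in the post: a tester confirms each match by hand, because banners are routinely wrong (backported fixes, vendor builds, deliberately faked version strings) in both directions.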
Metasploit is another widely available tool used by penetration testers; the Metasploit Framework is free and open source. Metasploit is a library of exploit, auxiliary, and post-exploitation modules that all fit inside a common framework. By pairing a Metasploit exploit module with a known vulnerability, Triaxiom can potentially gain remote code execution on the underlying host and deliver a payload, such as Meterpreter, that calls back to our machine, among other things. It is typically used throughout the assessment for a variety of different tasks, primarily because of its ease of use and its ability to speed up some complex penetration testing tasks. There are other exploitation and post-exploitation frameworks available, such as PowerShell Empire. In some cases, a penetration tester needs to write their own exploit to take advantage of a known weakness. With that being said, Metasploit is much easier to use, keeps track of open sessions and captured loot, and allows us to pivot from one machine to another, making it extremely useful.
Burp Suite Professional
Whenever we are evaluating the security of a web application, we use Burp Suite Professional, an extremely popular tool among penetration testers for this purpose. Burp acts as an intercepting proxy: it captures all traffic between the browser and the web server and lets us modify requests and responses, which allows us to check for vulnerabilities such as parameter tampering, injection attacks, etc. In addition to manually checking each request, Burp includes a tool called Intruder that replays a request many times, substituting payloads from a list into chosen positions and tabulating the status code, length, and content of each response. This can be used to enumerate valid user IDs, fuzz an input with a list of possible XSS payloads, or launch password attacks against a logon portal. Finally, Burp includes a web application vulnerability scanner that looks for known classes of vulnerabilities. Because of its rich feature set, Burp is one of the best tools on the market for web application penetration tests.
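The script below is an added example, not code from the original post or from Burp Suite. It reproduces the user-enumeration use of Intruder described above in plain Python: a login request is replayed once per payload with the payload substituted into the username position, and each response's status and length are compared with a baseline response for a username that cannot exist. The target is a constructed login handler started on 127.0.0.1 so the example runs offline; its account names, error messages, and the baseline username are assumptions made for the example.

```python
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Iterable, List, Tuple

# Constructed target (not a real product): a login form whose error message
# leaks whether the username exists. Real applications leak the same way via
# status codes, response length, redirects or timing.
KNOWN_ACCOUNTS = {"alice", "bob"}


class LeakyLoginHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        size = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(size).decode("utf-8", "replace"))
        user = form.get("username", [""])[0]
        body = (b"Incorrect password" if user in KNOWN_ACCOUNTS
                else b"Unknown username or password")
        self.send_response(401)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_target() -> int:
    """Start the constructed login form on an ephemeral port; returns the port."""
    server = HTTPServer(("127.0.0.1", 0), LeakyLoginHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server.server_port


def send_login(port: int, username: str, password: str) -> Tuple[int, int, bytes]:
    """One request with the payload in the username position. Returns
    (status, body length, body): the columns Intruder tabulates per payload."""
    data = urllib.parse.urlencode({"username": username, "password": password}).encode()
    req = urllib.request.Request(f"http://127.0.0.1:{port}/login", data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=3) as resp:
            body = resp.read()
            return resp.status, len(body), body
    except urllib.error.HTTPError as err:  # 4xx/5xx responses are data, not failures
        body = err.read()
        return err.code, len(body), body


def enumerate_users(port: int, wordlist: Iterable[str],
                    baseline_name: str = "qz9v1-no-such-user") -> List[str]:
    """Sniper-style run: one payload position, one payload per request. Any
    payload whose (status, length) differs from the baseline for an impossible
    username is reported as a probable valid account."""
    base_status, base_len, _ = send_login(port, baseline_name, "wrong-password")
    hits = []
    for name in wordlist:
        status, length, _ = send_login(port, name, "wrong-password")
        if (status, length) != (base_status, base_len):
            hits.append(name)
    return hits


if __name__ == "__main__":
    port = start_target()
    print(enumerate_users(port, ["admin", "alice", "bob", "carol", "root"]))
```

Comparing against a baseline rather than against a fixed expected message is what makes the technique portable: the tester does not need to know in advance how the application words its errors, only that responses for real and unreal accounts differ in some measurable column. The fix on the application side is the mirror image: identical status, body, and (as far as practical) timing for both cases.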
Finally, we would be remiss if we did not mention custom scripts as one of the most popular tools used by penetration testers. Every engineer has favorite scripts, developed over time, that help them enumerate software versions, perform password attacks, or attempt exploits. By writing our own scripts, we can make them more efficient, produce exactly the output we want to see, and/or evade detection. Often these are based on publicly available tools, with custom modifications for the environment we are testing. As an example, you can read more about one of my favorite custom scripts, which we use to perform offline password attacks, here.
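As an added illustration of the offline password attack mentioned above (this is not the author's linked script, nor code from the original post), the following Python shows the shape such a script takes: a captured hash, a wordlist, and a set of mangling rules tuned to the target's password policy. The hash format, the salt, the wordlist, and the rules are all constructed for the example; the target hash is generated in the block so that the example runs offline, whereas in practice it would come from a database dump or a credential file recovered during the test.

```python
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed storage format for this example (not any real application's scheme):
#   pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>


def make_hash(password: str, salt: bytes, iterations: int) -> str:
    """How the constructed target below was produced (the defender's side)."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def check_candidate(stored: str, candidate: str) -> bool:
    """Recompute the stored scheme for one guess and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash scheme: {algo}")
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


# Mangling rules applied to every wordlist entry, in order. This is the kind of
# per-engagement customization the paragraph describes: the rules mirror what a
# password policy (one capital, one digit, one symbol) pushes users toward.
RULES: List[Callable[[str], str]] = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "!",
    lambda w: w.capitalize() + "1",
    lambda w: w.capitalize() + "2019!",
]


def crack(stored: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try every (word, rule) combination in order.
    Returns (recovered password or None, number of candidates tested)."""
    attempts = 0
    for word in wordlist:
        for rule in RULES:
            attempts += 1
            candidate = rule(word)
            if check_candidate(stored, candidate):
                return candidate, attempts
    return None, attempts


WORDLIST = ["password", "welcome", "summer", "dragon"]  # constructed
SALT = bytes(range(8))                                   # constructed
TARGET = make_hash("Summer2019!", SALT, 1000)            # constructed target hash

if __name__ == "__main__":
    password, tried = crack(TARGET, WORDLIST)
    print(f"recovered {password!r} after {tried} candidates")
```

The iteration count is kept at 1000 so the example finishes instantly; the cost of each `check_candidate` call is exactly what a slow, salted scheme buys the defender, since every guess has to pay it and the salt prevents one computation from being reused across accounts. A wordlist entry that matches none of the rules, such as a passphrase, simply exhausts the search and returns None.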