Pentest+ Tools Flashcards

General idea of the Tools on the Pen-test+ objectives

1
Q

Nikto

A

An open-source vulnerability scanner

2
Q

Open Vulnerability Assessment Scanner (OpenVAS)

A

An open-source vulnerability scanner

3
Q

SQLmap

A

A tool used to find and automate SQL injection in web applications

4
Q

Nessus

A

Proprietary vulnerability scanner

5
Q

Open Security Content Automation Protocol (SCAP)

A

Comprises a number of open standards that are widely used to enumerate software flaws and configuration issues related to security.

6
Q

Wapiti

A

Open-source web-application vulnerability scanner

7
Q

WPScan

A

WordPress security scanner

8
Q

Brakeman

A

Open-source static analysis security tool designed for applications running on Ruby on Rails

9
Q

Scout Suite

A

Cloud security auditing tool. Assesses the security posture of cloud environments.

10
Q

Hashcat

A

Password cracker. Can be used to perform dictionary attacks against hashes to find a password.

11
Q

Medusa

A

Password brute-forcing tool

12
Q

Hydra

A

Password brute-forcing tool; can also be used against some web application logins.

13
Q

CeWL

A

Tool used to build wordlists that can be used in a dictionary password attack

14
Q

Cain

A

Cain and Abel (often abbreviated to Cain) was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using methods such as network packet sniffing and cracking various password hashes with dictionary attacks, brute force and cryptanalysis attacks.

15
Q

Mimikatz

A

A tool that can be used to pull password hashes from memory.

16
Q

Patator

A

Patator is a multi-purpose brute-forcer with a modular design and flexible usage.

17
Q

DirBuster

A

A tool that can be used to find hidden directories on websites.

18
Q

W3af

A

w3af is an open source web application security scanner which helps developers and penetration testers identify and exploit vulnerabilities in their web applications.

19
Q

OllyDbg

A

OllyDbg was an x86 debugger that emphasized binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, and locates routines from object files and libraries.

20
Q

Immunity Debugger

A

Debugger for Windows

21
Q

GNU Debugger (GDB)

A

The GNU Debugger is a portable debugger that runs on many Unix-like systems and works with many programming languages, including Ada, Assembly, C, C++, D, Fortran, Haskell, Go, Objective-C, OpenCL C, Modula-2, Pascal and Rust, with partial support for others.

22
Q

WinDbg

A

Debugger; ships with Windows systems

23
Q

Interactive Disassembler (IDA)

A

The Interactive Disassembler is a disassembler for computer software which generates assembly language source code from machine-executable code.

24
Q

Covenant

A

A C2 (command and control) framework; helpful for maintaining persistent access between the attacker and a compromised machine and for exfiltrating data. Runs on ASP.NET Core.

25
Q

SearchSploit

A

A tool that can be used to find exploits available from multiple sources. This tool can also be used offline, assuming it is installed and up to date.

26
Q

WHOIS

A

WHOIS records are available for most domains and can be used to gather information such as who is hosting the domain or who administers it.

27
Q

Nslookup

A

A tool to look up DNS records. Can be used to get the IP address of a domain name. If a PTR record is set up, it can also be used to find a domain name from an IP address. This tool can also query mail (MX) records and TXT records.

28
Q

Fingerprinting Organization with Collected Archives (FOCA)

A

Fingerprinting Organizations with Collected Archives

FOCA is a tool used mainly to find metadata and hidden information in the documents it scans. These documents may be on web pages, and can be downloaded and analyzed with FOCA.

29
Q

theHarvester

A

An OSINT tool to collect data from multiple sources.

30
Q

Shodan

A

Provides detailed information about each device, including IP address, operating system, software and open ports.

31
Q

Maltego

A

OSINT tool. Can be used to map relationships between emails, domains, etc.

32
Q

Recon-ng

A

Popular OSINT tool with multiple modules

33
Q

Censys

A

Very similar to Shodan: provides detailed information about each device, including IP address, operating system, software and open ports. Unlike Shodan, Censys also focuses on device security and provides information about known vulnerabilities and SSL certificates.

34
Q

BeEF

A

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. It assesses and can exploit vulnerabilities within web browsers.

35
Q

SSH

A

Secure Shell: encrypted remote access tool. Port 22.

36
Q

Ncat

A

Ncat is an enhanced version of the traditional netcat utility developed as a part of the Nmap project. It aims to combine the best features of different netcat versions into one advanced tool.

37
Q

Netcat (NC)

A

A versatile networking utility that can perform a wide range of tasks, including establishing and managing network connections, transferring files, and conducting network diagnostics. It can be used for diverse objectives involving TCP, UDP, or UNIX-domain sockets.

Commonly used for bind or reverse shells.

38
Q

ProxyChains

A

ProxyChains is a UNIX program that hooks network-related libc functions in dynamically linked programs via a preloaded DLL and redirects the connections through SOCKS4a/5 or HTTP proxies.

39
Q

Wireshark

A

Packet analyzer or packet sniffing tool. Has a GUI.

40
Q

Hping

A

hping is an open-source packet generator and analyzer for the TCP/IP protocol created by Salvatore Sanfilippo. It is one of the common tools used for security auditing and testing of firewalls and networks, and was used to exploit the idle scan technique.

41
Q

PowerSploit

A

Exploitation framework built for PowerShell

42
Q

Responder

A

Responder is an LLMNR, NBT-NS and mDNS poisoner. It will answer specific NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool will only answer File Server Service requests, which is for SMB.

The concept behind this is to target our answers, and be stealthier on the network. This also helps to ensure that we don’t break legitimate NBT-NS behavior. You can set the -r option via command line if you want to answer to the Workstation Service request name suffix.

43
Q

Impacket Tools

A

Impacket is a collection of Python3 classes focused on providing access to network packets. Impacket allows Python3 developers to craft and decode network packets in a simple and consistent manner. It includes support for low-level protocols such as IP, UDP and TCP, as well as higher-level protocols such as NMB and SMB.

Python tools that can be used for Kerberos attacks

44
Q

Empire

A

Exploitation framework built in PowerShell

45
Q

Metasploit

A

Multi-platform exploitation framework. Built in Ruby.

46
Q

mitm6

A

mitm6 is a pentesting tool that exploits the default configuration of Windows to take over the default DNS server. It does this by replying to DHCPv6 messages, providing victims with a link-local IPv6 address and setting the attacker's host as the default DNS server. As DNS server, mitm6 will selectively reply to DNS queries of the attacker's choosing and redirect the victim's traffic to the attacker machine instead of the legitimate server.

47
Q

CrackMapExec

A

This package is a Swiss army knife for pentesting Windows/Active Directory environments.

From enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit and more.

The biggest improvements over similar tools are:

Pure Python script, no external tools required
Fully concurrent threading
Uses ONLY native WinAPI calls for discovering sessions, users, dumping SAM hashes etc.
Opsec safe (no binaries are uploaded to dump clear-text credentials, inject shellcode etc.)

Additionally, a database is used to store used/dumped credentials. It also automatically correlates admin credentials to hosts and vice versa, allowing you to easily keep track of credential sets and gain additional situational awareness in large environments.

48
Q

TruffleHog

A

TruffleHog is a free security tool designed to root around for sensitive information exposure within version control systems, CI, cloud assets, and file systems. Specifically, it helps identify and mitigate security risks related to the inadvertent storage of credentials, secrets, and other sensitive data.

49
Q

OpenStego

A

Steganography tool to hide or extract information hidden in images

50
Q

Steghide

A

Steganography tool to hide or extract information hidden in images

51
Q

Snow

A

SNOW exploits the Steganographic Nature Of Whitespace. Locating trailing whitespace in text is like finding a polar bear in a snowstorm.

52
Q

Coagula

A

Tool to make sounds from images

53
Q

Sonic Visualizer

A

Analyzes music files

54
Q

TinEye

A

Reverse image search

55
Q

Metagoofil

A

Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company.

Metagoofil will perform a search in Google to identify and download the documents to local disk. Metagoofil no longer extracts the metadata. See /usr/share/doc/metagoofil/README.md.gz.

56
Q

Online SSL Checkers

A

Tools that can inspect SSL certificates

57
Q

CloudBrute

A

A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike.

58
Q

Pacu

A

AWS exploitation framework

59
Q

Cloud Custodian

A

Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well-managed cloud infrastructure that is both secure and cost optimized. It consolidates many of the ad hoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting.

60
Q

Aircrack-ng suite

A

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

Monitoring: Packet capture and export of data to text files for further processing by third-party tools
Attacking: Replay attacks, deauthentication, fake access points and others via packet injection
Testing: Checking WiFi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)

61
Q

Kismet

A

Kismet is a sniffer, WIDS, and wardriving tool for Wi-Fi, Bluetooth, Zigbee, RF, and more, which runs on Linux and macOS.

62
Q

Wifite

A

Wifite is a tool to audit WEP- or WPA-encrypted wireless networks. It uses the aircrack-ng, pyrit, reaver and tshark tools to perform the audit.

This tool is customizable to be automated with only a few arguments and can be trusted to run without supervision.

63
Q

Rogue access point

A

A rogue access point — or rogue AP — is a wireless access point plugged into an organization’s network that the security team does not know exists.

64
Q

EAPHammer

A

EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks.

65
Q

mdk4

A

This package contains a proof-of-concept tool to exploit common IEEE 802.11 protocol weaknesses.

MDK4 is a new version of MDK3. MDK4 is a Wi-Fi testing tool from E7mer of 360PegasusTeam and ASPj of k2wrlz; it uses the osdep library from the aircrack-ng project to inject frames on several operating systems.

66
Q

Spooftooph

A

Spooftooph is designed to automate spoofing or cloning of a Bluetooth device's Name, Class, and Address. Cloning this information effectively allows a Bluetooth device to hide in plain sight. Bluetooth scanning software will only list one of the devices if more than one device in range shares the same device information while the devices are in Discoverable Mode (specifically the same Address).

67
Q

Reaver

A

Reaver performs a brute force attack against an access point’s Wi-Fi Protected Setup PIN number. Once the WPS PIN is found, the WPA PSK can be recovered and, alternately, the AP’s wireless settings can be reconfigured. This package also provides the Wash executable, a utility for identifying WPS-enabled access points.

68
Q

Wireless Geographic Logging Engine (WiGLE)

A

Wi-Fi heatmap on top of a map

69
Q

Fern

A

Wi-Fi cracker.
The program is able to crack and recover WEP/WPA/WPS keys and also run other network-based attacks on wireless or Ethernet-based networks.

70
Q

OWASP ZAP

A

Similar to Burp Suite, this is a web testing toolkit.

71
Q

Social Engineering Toolkit (SET)

A

The Social-Engineer Toolkit is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.

72
Q

Burp Suite

A

Web testing toolkit

73
Q

Drozer

A

Android security framework

74
Q

Needle

A

Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps.

NOTE: This tool has been decommissioned and is no longer maintained. We are leaving the original project up for archival purposes.

75
Q

Mobile Security Framework (MobSF)

A

Mobile Security Framework (MobSF) is a security research platform for mobile applications on Android, iOS and Windows Mobile. It supports pentesting, malware analysis and security assessments, using both static and dynamic analysis.

76
Q

Postman

A

The Postman API client is the foundational tool of Postman, and it enables you to explore, debug, and test your APIs while also enabling you to define complex API requests for HTTP, REST, SOAP, GraphQL, and WebSockets.

77
Q

Ettercap

A

Ettercap is a free and open-source network security tool for man-in-the-middle attacks on a LAN. It can be used for computer network protocol analysis and security auditing.

78
Q

Frida

A

Open-source dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.

79
Q

Objection

A

Objection is a runtime mobile exploration toolkit, powered by Frida. It is used to assess the security posture of mobile apps.

80
Q

Android SDK tools

A

Android SDK Platform-Tools is a component for the Android SDK. It includes tools that interface with the Android platform, primarily adb and fastboot.

81
Q

ApkX

A

A Python wrapper to popular free dex converters and Java decompilers. Extracts Java source code directly from the APK. Useful for experimenting with different converters/decompilers without having to worry about classpath settings and command line args.

82
Q

APK Studio

A

Open-source, cross-platform Qt-based IDE for reverse-engineering Android application packages. It features a friendly IDE-like layout including a code editor with syntax highlighting support for *.smali code files.