Tool Round Up Flashcards

1
Q

WHOIS

A

TAG: OSINT

A query and response protocol that’s widely used for querying databases that store the registered users or assignees of an internet resource
* Anyone who buys a domain name is listed in WHOIS

Use
whois domain

2
Q

Nslookup

A

TAG: OSINT
A network admin CLI tool for querying DNS to obtain the mapping between domain names and IPs, or other DNS records
* Most basic form finds IP with a given domain name

Use
nslookup domain

3
Q

FOCA

A

TAG: OSINT
Fingerprinting Organizations with Collected Archives
* Used to find metadata and hidden information in collected documents from an org

4
Q

theHarvester

A

TAG: OSINT
A program for gathering emails, subdomains, hosts, employee names, PGP key entries, open ports, and service banners from servers

Use
theharvester -d domain[.]com -l 500 -b google

5
Q

Shodan

A

TAG: OSINT
A website search engine for web cams, routers, servers, and other devices that are considered part of the IoT
* Search for anything that’s a vulnerable asset online

6
Q

Maltego

A

TAG: OSINT
A piece of commercial software used for OSINT that visually connects the relationships between data points
* What things are linked to other things
* It can automate the querying of public sources of data and then compare it with other information from various sources

7
Q

Recon-ng

A

TAG: OSINT
A system of modules to add additional features and functions for your use
* Cross-platform web recon framework
* Like Metasploit, but for recon

8
Q

Censys

A

TAG: OSINT
A website search engine used for finding hosts and networks across the internet with data about their configuration
* Like Shodan
* Cloud, shared, and other infrastructure used
* Finding vulns associated with targets you go after

8
Q

Nikto

A

TAG: Scanning
A web vulnerability scanner that’s used to assess custom web apps that a company may have coded themselves
* Identifies outdated versions or server misconfigurations
* Vuln scanner for web servers

Use
perl nikto.pl -h [ IP address of target ]

9
Q

OpenVAS

A

TAG: Scanning
Open-source vulnerability scanner that’s used to identify vulns and assign a risk rating for the targeted assets
* Scans entire network and shows results in a chart
* Very noisy and easy to detect
* Select just vulns you want to verify

10
Q

Nessus

A

TAG: Scanning
A proprietary vulnerability scanner used to conduct basic, advanced, and compliance vuln scans to measure the effectiveness of the system’s security controls
* A lot like OpenVAS
* Commercial product with many plugins

11
Q

OpenSCAP

A

TAG: Scanning
Security Content Automation Protocol
* A tool created by NIST that’s used to create a predetermined security baseline that can be used to determine vulnerabilities or deviations in a system
* Choose baseline you want or create your own

11
Q

SQLmap

A

TAG: Scanning
Open-source database scanner that searches for SQL injection vulnerabilities that can be exploited
* This is a Python script
* Focus is the SQL database beneath the website to see if vulnerable to injection

Use
python sqlmap.py -u website --batch

12
Q

Wapiti

A

TAG: Scanning
A web app vulnerability scanner which automatically navigates a web app looking for areas it can inject data to target different vulnerabilities
* It runs various modules against a given web app
* Tests APIs more than anything inside web apps

Use
wapiti -u target

13
Q

Brakeman

A

TAG: Scanning
Static code analysis security tool that’s used to identify vulnerabilities in apps written in Ruby on Rails
* Load code into the tool, then it assesses
* Helpful with known environment test

13
Q

WPScan

A

TAG: Scanning
A WordPress site vulnerability scanner that identifies the plugins used by the website against a database of known vulnerabilities

14
Q

Wireshark

A

TAG: Networking
Open-source protocol analysis tool that can conduct packet sniffing, decoding, and analysis
* Captures packets on a wireless or wired network and records all traffic
* If plaintext, you’ve got it now

15
Q

ScoutSuite

A

TAG: Scanning
Open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data with API calls
* Scans cloud servers
* Also relevant for cloud tools section

16
Q

Tcpdump

A

TAG: Networking
A CLI protocol analysis tool that can conduct packet sniffing, decoding, and analysis
* Basically like wireshark but CLI
* Can filter through all the input easily to search with Python and grep
* Can be faster than wireshark with automation and scripting to find specific things in the traffic

17
Q

Hping

A

TAG: Scanning
Open-source packet crafting tool used to exploit vulnerable firewall and IDS/IPS
* Can craft TCP, UDP, ICMP, or RAW-IP packets
* Used during enumeration for fingerprinting
* Change the way you send packets and analyze the way they’re sent back, which helps identify which services and versions are being run

18
Q

Aircrack-ng

A

TAG: Wireless
Open-source wireless exploitation toolkit that has
* airmon-ng: Monitors wireless frequencies to identify access points and clients
* airodump-ng: Captures network traffic and saves it to a pcap file
* aireplay-ng: Conducts a deauth attack by sending spoofed deauth requests to the access point
* aircrack-ng: Conducts protocol and password cracking of wireless encryption (brute forcing)

19
Q

Kismet

A

TAG: Wireless
Open-source tool that contains a wireless sniffer, network detector, and IDS
* Works passively and doesn’t send packets into the network
* Stealthy for recon
* Cross-platform for all OS

20
Q

Wifite

A

TAG: Wireless
Wireless auditing tool that can be used to conduct a site survey to locate rogue and hidden access points
* Audits WEP or WPA encrypted networks
* Also audits WPS
* Uses tools like aircrack-ng and Reaver in the background
* Automated wireless attack tool

Use
wifite
* Puts card in monitor mode, scans, and has you pick a number based on what it finds

21
Q

Rogue Access Point

A

TAG: Scanning
Any wireless access point that’s been installed on a secure network without explicit authorization from a local network admin
* A Wi-Fi Pineapple can do this and capture all traffic

22
Q

EAPHammer

A

TAG: Wireless
Python based toolkit that can be used to steal EAP authentication credentials used in a WPA2-Enterprise network
* Executes credential theft evil twin attacks against WPA and WPA2 EAP networks
* Goal is to steal victim RADIUS credentials by creating evil twin attack
* Pretend to be victimized client and auth to the trusted network

23
Q

mdk4

A

TAG: Wireless
Wireless vulnerability exploitation toolkit that can conduct 10 types of 802.11 exploitation techniques
* Injects frames in order to exploit
* Used against 2.4 and 5 ghz bands
* Beacon flooding
* Auth DoS
* SSID probing and brute forcing
* Deauth and disassociation
* Michael countermeasures exploit
* EAPOL start and logoff packet injection
* Attacks for IEEE 802.11s mesh networks
* WIDS confusion/abuse
* Packet fuzzer
* POC of WiFi protocol implementation vulnerability testing

24
Q

Spooftooph

A

TAG: Wireless
Automates the spoofing or cloning of a Bluetooth device’s name, class, and address
* Can be used by an attacker to pretend to be the victim so the attacker’s BT device can hide in plain sight
* BT scanning software will only list one of each device it finds with same name

25
Q

Reaver

A

TAG: Wireless
Tool that conducts brute force attack against an access point’s WPS PIN to recover the WPA PSK
* Once pin is found, PSK can be found easily
* Can reconfigure AP settings once it’s in

26
Q

WiGLE

A

TAG: Wireless
Wireless Geographic Logging Engine
* A wireless OSINT tool that consists of a website and database dedicated to mapping and indexing all known wireless access points

27
Q

Fern

A

TAG: Wireless
Tests wireless networks by conducting password recovery through brute force and dictionary attacks, as well as session hijacking, replay, and on-path attacks
* WEP, WPA, and WPS keys
* GUI based

28
Q

SET

A

TAG: Social Engineering
Social Engineering Toolkit
* Python-based collection of tools and scripts that are used to conduct social engineering during a pentest
* Menu-driven selection for modules like zphisher, Metasploit, etc.
* EXAM NOTE: Helps automate the process of technical social engineering attacks

29
Q

BeEF

A

TAG: Social Engineering
Browser Exploitation Framework
* Used to assess the security posture of a target environment using cross-site attack vectors
* Tool that’s focused on the victim’s web browser
* Can attack DOM based exploits
* Hooks a web browser for launching command modules against the given browser
* Can do clickjacking, XSS, and other attacks
* Great tool for testing browsers and associated web servers and apps

30
Q

SSH

A

TAG: Remote Access
Secure Shell
* CLI tool that’s used to remotely control another workstation over a LAN or WAN
* Encrypted secure tunnel between client and server

31
Q

nc

A

TAG: Remote Access
Netcat: A CLI utility used to read from or write to TCP, UDP, or Unix domain socket network connections
* Can sweep a network to find machines it contains, enumeration, banner grabbing, fingerprinting, etc
* Best use is that it’s an access tool that lets us read, write, redirect, and encrypt data over the network
* BIND SHELL: Set up listener on one machine and connect from our target machine
* REVERSE SHELL: Victim machine calls back to listener set up on attacker machine, can answer the call and take remote control

32
Q

Ncat

A

TAG: Remote Access
An improved version of netcat which can also act as a proxy, launch executables, transfer files, and encrypt all comms to and from the victim machine

Use
ncat -C domain 90
* Banner grab

Can also use this for remote C2 just like with netcat

33
Q

ProxyChains

A

TAG: Remote Access
A CLI tool that enables pentesters to mask their identity and/or source IP by sending messages through proxy servers or other intermediaries
* Often used on attacking machine as it conducts tests
* Forces all TCP connections to run through a given proxy
* Can also chain together multiple proxies

34
Q

Hashcat

A

TAG: Credential Testing
A modern password and hash cracking tool that supports the use of GPUs for parallel processing when conducting dictionary, brute force, and hybrid attacks
* One of the fastest tools available

35
Q

Medusa

A

TAG: Credential Testing
A parallel brute force tool that’s used against network logins to attack services that support remote authentication
* Supports logins and remote auth protocols like rlogin, SSH, Telnet, HTTP, and many more
* Supports multi-threaded operations and can attempt a lot of simultaneous logins

36
Q

Hydra

A

TAG: Credential Testing
A parallel brute force tool that also supports a pw-inspect module to only attempt passwords from a dictionary that meet the minimum password requirements for a given system
* Defenders will see the attempts in logs as it runs
* This is an online password cracker

37
Q

CeWL

A

TAG: Credential Testing
Used to generate word lists based on the automatic crawling of a website to collect words and metadata from the site
* Search a target website, crawl through it for however long it needs, however deep we tell it, and search for keywords
* Makes wordlist based on what it finds which can be used for brute force

38
Q

John the Ripper

A

TAG: Credential Testing
Password cracking tool that supports large sets of hashes, dictionary, and brute force attacks
* Offline tool

39
Q

Cain

A

TAG: Credential Testing
Legacy password cracking and hash dumping tool that can conduct network sniffing to identify hashes that may be vulnerable to cracking
* Windows based tool with GUI

40
Q

Mimikatz

A

TAG: Credential Testing
Tool that gathers credentials by extracting key elements like cleartext passwords, hashes, and PIN codes from the memory of a system
* Critical tool to use against Windows
* Pass the hash, pass the ticket, and golden ticket
* Focused on Kerberos protocol

41
Q

Patator

A

TAG: Credential Testing
Multi-purpose brute force tool that supports several methods including ftp, ssh, smb, vnc, and zip password cracking
* Similar to Medusa and Hydra
* Remember this is just another password cracker

42
Q

DirBuster

A

TAG: Credential Testing
Brute force tool that runs against a web app or server to identify unlisted directories and file names that may be accessed
* GUI based tool
* Finds files and folders that aren’t supposed to be publicly visible, but are

43
Q

w3af

A

TAG: Credential Testing
Web Application Attack and Audit Framework
* Tool used to identify and exploit a large set of web-based vulnerabilities like SQL injection and XSS
* Think of it like Nessus, Nikto, or OpenVAS but for web apps
* Has an embedded plugin to brute force and crack or bypass authentication credentials in a web app
* EXAM NOTE: Considered password cracking tool for web apps

44
Q

OWASP ZAP

A

TAG: Web Applications
OWASP Zed Attack Proxy
* An open-source web app security scanner and attack proxy used in automated and manual testing and identification of web app vulnerabilities
* Connect our browser to the ZAP proxy, and then out to the victim server
* We can then manipulate traffic running through the proxy, even HTTPS sessions
* Can change session IDs, parameters, and other variables

45
Q

Burp Suite

A

TAG: Web Applications
Used in raw traffic interception, inspection, and modification during automated testing, manual request modification, and passive web app analysis
* Most commonly used by pentesters
* Allows for interception, inspection, and modification of raw traffic passing through, much like ZAP
* But Burp is more heavily used by pentesters because we can modify all the different factors like session keys, passwords, hidden forms, etc
* Easier to use than ZAP

46
Q

Gobuster

A

TAG: Web Applications
Brute force dictionary, file, and DNS identification tool used to identify unlisted resources in a web app
* Text-based tool installed by default on Kali
* Scans websites or web apps to identify any hidden directories, files, or subdomains that exist
* Used heavily in recon and enumeration phase

47
Q

ScoutSuite

A

TAG: Cloud
Open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data using API calls
* Suite of cloud based tools that can be used across multiple clouds like MS, Google, AWS, etc
* Other cloud tools are focused on single cloud

48
Q

CloudBrute

A

TAG: Cloud
Used to find a target’s infrastructure, files, and apps across the top cloud service providers including Amazon, Google, MS, DigitalOcean, Alibaba, Vultr, and Linode
* Covers more cloud types than ScoutSuite
* CLI tool

49
Q

Pacu

A

TAG: Cloud
Exploitation framework used to assess the security configuration of an AWS account
* Includes several modules that help focus on things like gaining API keys or taking control of different VM instances
* Focuses on post-compromise phase
* Drill into the system, escalate privileges, launch additional attacks, and install backdoors
* Dion thinks of this as a tool used during attack and exploit phase

50
Q

Cloud Custodian

A

TAG: Cloud
Open-source cloud security, governance, and management tool designed to help admins create policies based on different resource types
* Stateless rules engine that manages AWS instances
* EXAM NOTE: Think governance and policy inside the AWS environment

51
Q

OpenStego

A

TAG: Steganography
Free steganography solution to conduct data hiding within a file and watermarking of files with invisible signatures to detect unauthorized file copying
* GUI-based
* Can encrypt contents while embedding in the file

52
Q

Steghide

A

TAG: Steganography
Open-source steganography tool used to conceal a payload by compressing, concealing, and encrypting its data in an image or audio file
* GUI
* Can also encrypt

52
Q

Snow

A

TAG: Steganography
CLI tool that conceals a payload within the whitespace of an ASCII formatted text file in plaintext or encrypted format
* Purely based on text files

53
Q

Coagula

A

TAG: Steganography
An image synthesizer tool that can be used to create a sound file (.wav) from a given image
* You want to hide a picture, which is turned into an audio file
* Can view the wav visualizer to see the secret words

54
Q

Sonic Visualizer

A

TAG: Steganography
Open-source application for viewing and analyzing the contents of music audio files
* This could read the data you compress in Coagula

55
Q

TinEye

A

TAG: Steganography
A website that can be used to conduct reverse image searches using image recognition

56
Q

Metagoofil

A

TAG: Steganography
A Python tool that can search for metadata from public documents located on a target’s website
* Metadata is a form of steganography because data will sometimes be hidden in here

57
Q

Online SSL Checker

A

TAG: Steganography
Web application that can be used to test the validity, strength, and security of an SSL or TLS digital certificate for a given web server
* Not sure why it’s in steganography, but it is
* SSL labs website

58
Q

OllyDbg

A

TAG: Debuggers
Linux debugger that can be used to analyze binary code found in 32-bit Windows apps
* If you don’t have access to source code this is helpful
* Can reverse engineer malware
* Can develop custom exploits based on binaries found in the wild

59
Q

Immunity Debugger

A

TAG: Debuggers
A debugger built specifically for pentesters to write exploits, analyze malware, and reverse engineer binary files using Python scripts and APIs
* Difference between OllyDbg is that Immunity uses a Python API plugin that allows execution of Python code from within the debugger
* This allows pentesters to work more quickly
* Favorite for pentesters who do custom coding

60
Q

GNU Debugger (GDB)

A

TAG: Debuggers
Open-source, cross-platform debugger for Unix, Windows, and MacOS
* Supports Ada, C, C++, Objective-C, Pascal, Fortran, Go, Java, and many other languages
* Text based that works inside Linux console, not very user friendly

61
Q

WinDbg

A

TAG: Debuggers
Free debugging tool that’s distributed by Microsoft for use in the Windows OS
* Can debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code is executing on a Windows host

62
Q

IDA

A

TAG: Debuggers
The Interactive Disassembler
* A commercial disassembler and debugging tool that generates assembly language source code from machine-executable code
* GUI can map out the program and what function calls go where
* Can read exe from multiple OS, even though it’s used in Windows

63
Q

Covenant

A

TAG: Debuggers
An open-source .NET framework focused on pentesting that also has a dev and debugging component
* More of a .NET C2 framework written in C#
* Aims to highlight the attack surface of the .NET code and to make the use of offensive .NET tradecraft easier for pentesters
* Has a debugger built in, but way more capabilities beyond that

64
Q

SearchSploit

A

TAG: Debuggers
A tool used to find exploits available on Exploit-DB
* Often used while reading different malware in a debugger so we can understand what a particular piece of exploit code might be doing
* Not a debugger, but used with debuggers
* Can carry an offline copy of the database with you so you can do offline searches through a local repository

65
Q

PowerSploit

A

TAG: Misc
A collection of PowerShell modules that create an extensive exploitation framework for use against Windows systems
* Post-exploit framework
* You can use the scripts to further exploit a machine once you break in
* LOTL technique that uses pre-built ps1 scripts

66
Q

Responder

A

TAG: Misc
CLI tool in Kali that’s used to poison NetBIOS, LLMNR, and MDNS name resolution requests
* Windows networks use LLMNR, NetBIOS, or local DNS for name resolution
* Responder listens for when people call out for a certain machine, like the AD server
* Poisons the DNS call or the nameserver call
* Instead of going to the AD server, they come to attacker instead
* On-path, and allows for other exploits against victims

67
Q

Impacket Tools

A

TAG: Misc
Open-source collection of Python classes for working with network protocols and the exploitation of Windows systems, lets you do things like
* Remote execution
* Kerberos attacks
* Windows Secrets
* On-path attacks
* Interacting with WMI
* Taking advantage of SMB/MSRPC protocols
* Useful tool to create your own exploits inside of Python
* Focuses on low level program access to the different functions and services used by the network you need to call while using your tools

68
Q

Empire

A

TAG: Misc
C2 framework that uses PowerShell for common post-exploitation tasks on Windows systems and Python for post-exploitation tasks on Linux systems
* Post-exploit framework

69
Q

Metasploit

A

TAG: Misc
Multipurpose computer security and pentesting framework that uses modularized attacks against known software vulnerabilities to exploit systems
* Post-exploit framework

70
Q

mitm6

A

TAG: Misc
An IPv6 DNS hijacking tool that attempts to set the malicious actor as the DNS server by replying to DHCPv6 messages and then redirecting the victim to another malicious host
* Exploits the default configuration of a Windows system to take over the default DNS server

71
Q

CrackMapExec

A

TAG: Misc
A post-exploitation tool to identify vulnerabilities in AD environments
* Helps automate the security assessment of large AD networks
* LOTL by using built in AD features and protocols

72
Q

TruffleHog

A

TAG: Misc
Git secrets search tool that automatically crawls through a repo looking for accidental commits of secrets to the Git repo
* Runs behind the scenes to scan for private keys and credentials
* Goes through the entire commit history of each branch, checking each commit
* Checks for secrets with regex and entropy checks