Tool Round Up Flashcards

1
Q

WHOIS

A

TAG: OSINT

A query and response protocol that’s widely used for querying databases that store the registered users or assignees of an internet resource
* Anyone who buys a domain name is listed in WHOIS

USE
whois domain

2
Q

Nslookup

A

TAG: OSINT
A network admin CLI tool for querying DNS to obtain the mapping between domain names and IPs, or other DNS records
* Most basic form finds IP with a given domain name

Use
nslookup domain

3
Q

FOCA

A

TAG: OSINT
Fingerprinting Organizations with Collected Archives
* Used to find metadata and hidden information in collected documents from an org

4
Q

theHarvester

A

TAG: OSINT
A program for gathering emails, subdomains, hosts, employee names, PGP key entries, open ports, and service banners from servers

Use
theharvester -d domain[.]com -l 500 -b google

5
Q

Shodan

A

TAG: OSINT
A website search engine for web cams, routers, servers, and other devices that are considered part of the IoT
* Search for anything that’s a vulnerable asset online

6
Q

Maltego

A

TAG: OSINT
A piece of commercial software used for OSINT that visually connects the relationships between data points
* What things are linked to other things
* It can automate the querying of public sources of data and then compare it with other information from various sources

7
Q

Recon-ng

A

TAG: OSINT
A modular framework where each module adds additional features and functions for your use
* Cross-platform web recon framework
* Like Metasploit, but for recon

8
Q

Censys

A

TAG: OSINT
A website search engine used for finding hosts and networks across the internet with data about their configuration
* Like Shodan
* Cloud, shared, and other infrastructure used
* Finding vulns associated with targets you go after

8
Q

Nikto

A

TAG: Scanning
A web vulnerability scanner that’s used to assess custom web apps that a company may have coded themselves
* Identifies outdated versions or server misconfigurations
* Vuln scanner for web servers

Use
perl nikto.pl -h [ IP address of target ]

9
Q

OpenVAS

A

TAG: Scanning
Open-source vulnerability scanner that’s used to identify vulns and assign a risk rating for the targeted assets
* Scans entire network and shows results in a chart
* Very noisy and easy to detect
* Select just vulns you want to verify

10
Q

Nessus

A

TAG: Scanning
A proprietary vulnerability scanner used to conduct basic, advanced, and compliance vuln scans to measure the effectiveness of the system’s security controls
* A lot like OpenVAS
* Commercial product with many plugins

11
Q

Open SCAP

A

TAG: Scanning
Security Content Automation Protocol
* A tool created by NIST that’s used to create a predetermined security baseline that can be used to determine vulnerabilities or deviations in a system
* Choose baseline you want or create your own

11
Q

SQLmap

A

TAG: Scanning
Open-source database scanner that searches for SQL injection vulnerabilities that can be exploited
* This is a Python script
* Focus is the SQL database beneath the website to see if vulnerable to injection

Use
python sqlmap.py -u website --batch

12
Q

Wapiti

A

TAG: Scanning
A web app vulnerability scanner which automatically navigates a web app looking for areas it can inject data to target different vulnerabilities
* It runs various modules against a given web app
* Tests APIs more than anything inside web apps

Use
wapiti -u target

13
Q

Brakeman

A

TAG: Scanning
Static code analysis security tool that’s used to identify vulnerabilities in apps written in Ruby on Rails
* Load code into the tool, then it assesses
* Helpful with known environment test

13
Q

WPScan

A

TAG: Scanning
A WordPress site vulnerability scanner that identifies the plugins used by the website against a database of known vulnerabilities

14
Q

Wireshark

A

TAG: Networking
Open-source protocol analysis tool that can conduct packet sniffing, decoding, and analysis
* Capture packets thru wireless or wired network and cap all traffic
* If plaintext, you’ve got it now

15
Q

ScoutSuite

A

TAG: Scanning
Open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data with API calls
* Scans cloud servers
* Also relevant for cloud tools section

16
Q

Tcpdump

A

TAG: Networking
A CLI protocol analysis tool that can conduct packet sniffing, decoding, and analysis
* Basically like wireshark but CLI
* Can filter through all the input easily to search with Python and grep
* Can be faster than wireshark with automation and scripting to find specific things in the traffic

17
Q

Hping

A

TAG: Scanning
Open-source packet crafting tool used to exploit vulnerable firewall and IDS/IPS
* Can craft TCP, UDP, ICMP, or RAW-IP protocols
* Used during enumeration for fingerprinting
* Change the way you send packets and analyze the way they’re sent back, which helps identify which services and versions are being run

18
Q

Aircrack-ng

A

TAG: Wireless
Open-source wireless exploitation toolkit that has
* airmon-ng: Monitors wireless frequencies to identify access points and clients
* airodump-ng: Captures network traffic and saves it to a pcap file
* aireplay-ng: Conducts a deauth attack by sending spoofed deauth requests to the access point
* aircrack-ng: Conducts protocol and password cracking of wireless encryption (brute forcing)

19
Q

Kismet

A

TAG: Wireless
Open-source tool that contains a wireless sniffer, network detector, and IDS
* Works passively and doesn’t send packets into the network
* Stealthy for recon
* Cross-platform for all OS

20
Q

Wifite

A

TAG: Wireless
Wireless auditing tool that can be used to conduct a site survey to locate rogue and hidden access points
* Audits WEP or WPA encrypted networks
* Also audits WPS
* Uses tools like aircrack-ng and Reaver in the background
* Automated wireless attack tool

Use
wifite
* Puts card in monitor mode, scans, and has you pick a number based on what it finds

21
Q

Rogue Access Point

A

TAG: Scanning
Any wireless access point that’s been installed on a secure network without explicit authorization from a local network admin
* Wi-Fi pineapple can do this and cap all traffic

22
Q

EAPHammer

A

TAG: Wireless
Python-based toolkit that can be used to steal EAP authentication credentials used in a WPA2-Enterprise network
* Executes credential theft evil twin attacks against WPA and WPA2 EAP networks
* Goal is to steal victim RADIUS credentials by creating an evil twin attack
* Pretend to be the victimized client and auth to the trusted network

23
Q

mdk4

A

TAG: Wireless
Wireless vulnerability exploitation toolkit that can conduct 10 types of 802.11 exploitation techniques
* Injects frames in order to exploit
* Used against 2.4 and 5 GHz bands
* Beacon flooding
* Auth DoS
* SSID probing and brute forcing
* Deauth and disassociation
* Michael countermeasures exploit
* EAPOL start and logoff packet injection
* Attacks for IEEE 802.11s mesh networks
* WIDS confusion (confuse/abuse)
* Packet fuzzer
* PoC of WiFi protocol implementation vulnerability testing

24
Q

Spooftooph

A

TAG: Wireless
Automates the spoofing or cloning of a Bluetooth device's name, class, and address
* Can be used by an attacker to pretend to be the victim so the attacker's BT device can hide in plain sight
* BT scanning software will only list one of each device it finds with the same name

25
Q

Reaver

A

TAG: Wireless
Tool that conducts a brute force attack against an access point's WPS PIN to recover the WPA PSK
* Once the PIN is found, the PSK can be found easily
* Can reconfigure AP settings once it's in

26
Q

WiGLE

A

TAG: Wireless
Wireless Geographic Logging Engine
* A wireless OSINT tool that consists of a website and database dedicated to mapping and indexing all known wireless access points

27
Q

Fern

A

TAG: Wireless
Tests wireless networks by conducting password recovery through brute force and dictionary attacks, as well as session hijacking, replay, and on-path attacks
* WEP, WPA, and WPS keys
* GUI based

28
Q

SET

A

TAG: Social Engineering
Social Engineering Toolkit
* Python-based collection of tools and scripts that are used to conduct social engineering during a pentest
* Menu-driven selection for modules like zphisher, metasploit, etc.
* EXAM NOTE: Helps automate the process of technical social engineering attacks

29
Q

BeEF

A

TAG: Social Engineering
Browser Exploitation Framework
* Used to assess the security posture of a target environment using cross-site attack vectors
* Tool that's focused on the victim's web browser
* Can use DOM-based exploits
* Hooks a web browser for launching command modules against the given browser
* Can do clickjacking, XSS, and other attacks
* Great tool for testing browsers and associated web servers and apps

30
Q

SSH

A

TAG: Remote Access
Secure Shell
* CLI tool that's used to remotely control another workstation over a LAN or WAN
* Encrypted secure tunnel between client and server

31
Q

nc

A

TAG: Remote Access
Netcat: A CLI utility used to read from or write to TCP, UDP, or Unix domain socket network connections
* Can sweep a network to find the machines it contains, enumeration, banner grabbing, fingerprinting, etc.
* Best use is that it's an access tool that lets us read, write, redirect, and encrypt data over the network
* BIND SHELL: Set up a listener on one machine and connect from our target machine
* REVERSE SHELL: Victim machine calls back to a listener set up on the attacker machine; we can answer the call and take remote control

32
Q

Ncat

A

TAG: Remote Access
An improved version of netcat which can also act as a proxy, launch executables, transfer files, and encrypt all comms to and from the victim machine

Use
ncat -C domain 90
* Banner grab
* Can also use this for remote C2 just like with netcat

33
Q

ProxyChains

A

TAG: Remote Access
A CLI tool that enables pentesters to mask their identity and/or source IP by sending messages through proxy servers or other intermediaries
* Often used on the attacking machine as it conducts tests
* Forces all TCP connections to run through a given proxy
* Can also chain together multiple proxies

34
Q

Hashcat

A

TAG: Credential Testing
A modern password and hash cracking tool that supports the use of GPUs for parallel processing when conducting dictionary, brute force, and hybrid attacks
* One of the fastest tools available

35
Q

Medusa

A

TAG: Credential Testing
A parallel brute force tool that's used against network logins to attack services that support remote authentication
* Supports logins and remote auth protocols like rlogin, SSH, Telnet, HTTP, and many more
* Supports multi-threaded operations and can attempt a lot of simultaneous logins

36
Q

Hydra

A

TAG: Credential Testing
A parallel brute force tool that also supports a pw-inspect module to only attempt passwords from a dictionary that meet the minimum password requirements for a given system
* Defenders will see the attempts in logs as it runs
* This is an online password cracker

37
Q

CeWL

A

TAG: Credential Testing
Used to generate word lists based on the automatic crawling of a website to collect words and metadata from the site
* Search a target website, crawl through it for however long it needs, however deep we tell it, and search for keywords
* Makes a wordlist based on what it finds which can be used for brute force

38
Q

John the Ripper

A

TAG: Credential Testing
Password cracking tool that supports large sets of hashes, dictionary, and brute force attacks
* Offline tool

39
Q

Cain

A

TAG: Credential Testing
Legacy password cracking and hash dumping tool that can conduct network sniffing to identify hashes that may be vulnerable to cracking
* Windows-based tool with GUI

40
Q

Mimikatz

A

TAG: Credential Testing
Tool that gathers credentials by extracting key elements like cleartext passwords, hashes, and PIN codes from the memory of a system
* Critical tool to use against Windows
* Pass the hash, pass the ticket, and golden ticket
* Focused on the Kerberos protocol

41
Q

Patator

A

TAG: Credential Testing
Multi-purpose brute force tool that supports several methods including ftp, ssh, smb, vnc, and zip password cracking
* Similar to Medusa and Hydra
* Remember this is just another password cracker

42
Q

DirBuster

A

TAG: Credential Testing
Brute force tool that runs against a web app or server to identify unlisted directories and file names that may be accessed
* GUI-based tool
* Finds files and folders that aren't supposed to be publicly visible, but are

43
Q

w3af

A

TAG: Credential Testing
Web Application Attack and Audit Framework
* Tool used to identify and exploit a large set of web-based vulnerabilities like SQL injection and XSS
* Think of it like Nessus, Nikto, or OpenVAS but for web apps
* Has an embedded plugin to brute force and crack or bypass authentication credentials in a web app
* EXAM NOTE: Considered a password cracking tool for web apps

44
Q

OWASP ZAP

A

TAG: Web Applications
OWASP Zed Attack Proxy
* An open-source web app security scanner and attack proxy used in automated and manual testing and identification of web app vulnerabilities
* Connect our browser to the ZAP proxy, and then out to the victim server
* We can then manipulate traffic running through the proxy, even HTTPS sessions
* Can change session IDs, parameters, and other variables

45
Q

Burp Suite

A

TAG: Web Applications
Used in raw traffic interception, inspection, and modification during automated testing, manual request modification, and passive web app analysis
* Most commonly used by pentesters
* Allows for interception, inspection, and modification of raw traffic passing through, much like ZAP
* But Burp is more heavily used by pentesters because we can modify all the different factors like session keys, passwords, hidden forms, etc.
* Easier to use than ZAP

46
Q

Gobuster

A

TAG: Web Applications
Brute force dictionary, file, and DNS identification tool used to identify unlisted resources in a web app
* Text-based tool installed by default on Kali
* Scans websites or web apps to identify any hidden directories, files, or subdomains that exist
* Used heavily in the recon and enumeration phase

47
Q

ScoutSuite

A

TAG: Cloud
Open-source tool written in Python that can be used to audit instances and policies created on multicloud platforms by collecting data using API calls
* Suite of cloud-based tools that can be used across multiple clouds like MS, Google, AWS, etc.
* Other cloud tools are focused on a single cloud

48
Q

CloudBrute

A

TAG: Cloud
Used to find a target's infrastructure, files, and apps across the top cloud service providers including Amazon, Google, MS, DigitalOcean, Alibaba, Vultr, and Linode
* Covers more cloud types than ScoutSuite
* CLI tool

49
Q

Pacu

A

TAG: Cloud
Exploitation framework used to assess the security configuration of an AWS account
* Includes several modules that help focus on things like gaining API keys or taking control of different VM instances
* Focuses on the post-compromise phase
* Drill into the system, escalate privileges, launch additional attacks, and install backdoors
* Dion thinks of this as a tool used during the attack and exploit phase

50
Q

Cloud Custodian

A

TAG: Cloud
Open-source cloud security, governance, and management tool designed to help admins create policies based on different resource types
* Stateless rules engine that manages AWS instances
* EXAM NOTE: Think governance and policy inside the AWS environment

51
Q

OpenStego

A

TAG: Steganography
Free steganography solution to conduct data hiding within a file and watermarking of files with invisible signatures to detect unauthorized file copying
* GUI-based
* Can encrypt contents while embedding in the file

52
Q

Steghide

A

TAG: Steganography
Open-source steganography tool used to conceal a payload by compressing, concealing, and encrypting its data in an image or audio file
* GUI
* Can also encrypt

52
Q

Snow

A

TAG: Steganography
CLI tool that conceals a payload within the whitespace of an ASCII-formatted text file in plaintext or encrypted format
* Purely based on text files

53
Q

Coagula

A

TAG: Steganography
An image synthesizer tool that can be used to create a sound file (.wav) from a given image
* You want to hide a picture, which is turned into an audio file
* Can view the wav visualizer to see the secret words

54
Q

Sonic Visualizer

A

TAG: Steganography
Open-source application for viewing and analyzing the contents of music audio files
* This could read the data you compress in Coagula

55
Q

TinEye

A

TAG: Steganography
A website that can be used to conduct reverse image searches using image recognition

56
Q

Metagoofil

A

TAG: Steganography
A Python tool that can search for metadata from public documents located on a target's website
* Metadata is a form of steganography because data will sometimes be hidden in here

57
Q

Online SSL Checker

A

TAG: Steganography
Web application that can be used to test the validity, strength, and security of an SSL or TLS digital certificate for a given web server
* Not sure why it's in steganography, but it is
* SSL Labs website

58
Q

OllyDbg

A

TAG: Debuggers
Linux debugger that can be used to analyze binary code found in 32-bit Windows apps
* If you don't have access to source code this is helpful
* Can reverse engineer malware
* Can develop custom exploits based on binaries found in the wild

59
Q

Immunity Debugger

A

TAG: Debuggers
A debugger built specifically for pentesters to write exploits, analyze malware, and reverse engineer binary files using Python scripts and APIs
* Difference from OllyDbg is that Immunity uses a Python API plugin that allows execution of Python code from within the debugger
* This allows pentesters to work more quickly
* Favorite for pentesters who do custom coding

60
Q

GNU Debugger (GDB)

A

TAG: Debuggers
Open-source, cross-platform debugger for Unix, Windows, and macOS
* Supports Ada, C, C++, Objective-C, Pascal, Fortran, Go, Java, and many other languages
* Text-based; works inside the Linux console, not very user friendly

61
Q

WinDbg

A

TAG: Debuggers
Free debugging tool that's distributed by Microsoft for use in the Windows OS
* Can debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code is executing on a Windows host

62
Q

IDA

A

TAG: Debuggers
The Interactive Disassembler
* A commercial disassembler and debugging tool that generates assembly language source code from machine-executable code
* GUI can map out the program and what function calls go where
* Can read executables from multiple OSes, even though it's used in Windows

63
Q

Covenant

A

TAG: Debuggers
An open-source .NET framework focused on pentesting that also has a dev and debugging component
* More of a .NET C2 framework written in C#
* Aims to highlight the attack surface of .NET code and to make the use of offensive .NET tradecraft easier for pentesters
* Has a debugger built in, but way more capabilities beyond that

64
Q

SearchSploit

A

TAG: Debuggers
A tool used to find exploits available on Exploit-DB
* Often used while reading different malware in a debugger so we can understand what a particular piece of exploit code might be doing
* Not a debugger, but used with debuggers
* Can carry an offline copy of the database with you so you can do offline searches through a local repository

65
Q

PowerSploit

A

TAG: Misc
A collection of PowerShell modules that create an extensive exploitation framework for use against Windows systems
* Post-exploit framework
* You can use the scripts to further exploit a machine once you break in
* LOTL technique that uses pre-built ps1 scripts

66
Q

Responder

A

TAG: Misc
CLI tool in Kali that's used to poison NetBIOS, LLMNR, and mDNS name resolution requests
* If you break into a Windows network it uses LLMNR, NetBIOS, or local DNS for name resolution
* Responder listens for when people call out for a certain machine, like the AD server
* Poisons the DNS call or the nameserver call
* Instead of going to the AD server, they come to the attacker instead
* On-path, and allows for other exploits against victims

67
Q

Impacket Tools

A

TAG: Misc
Open-source collection of Python classes for working with network protocols and the exploitation of Windows systems, lets you do things like
* Remote execution
* Kerberos attacks
* Windows Secrets
* On-path attacks
* Interacting with WMI
* Taking advantage of SMB/MSRPC protocols
* Useful tool to create your own exploits inside of Python
* Focuses on low-level program access to the different functions and services used by the network you need to call while using your tools

68
Q

Empire

A

TAG: Misc
C2 framework that uses PowerShell for common post-exploitation tasks on Windows systems and Python for post-exploitation tasks on Linux systems
* Post-exploit framework

69
Q

Metasploit

A

TAG: Misc
Multipurpose computer security and pentesting framework that uses modularized attacks against known software vulnerabilities to exploit systems
* Post-exploit framework

70
Q

mitm6

A

TAG: Misc
An IPv6 DNS hijacking tool that attempts to set the malicious actor as the DNS server by replying to DHCPv6 messages and then redirecting the victim to another malicious host
* Exploits the default configuration of a Windows system to take over the default DNS server

71
Q

CrackMapExec

A

TAG: Misc
A post-exploitation tool to identify vulnerabilities in AD environments
* Helps automate the security assessment of large AD networks
* LOTL by using built-in AD features and protocols

72
Q

TruffleHog

A

TAG: Misc
Git secrets search tool that automatically crawls through a repo looking for accidental commits of secrets to the Git repo
* Runs behind the scenes to scan for private keys and credentials
* Goes through the entire commit history of each branch, checking each commit
* Checks for secrets with regex and entropy checks