What is penetration testing?
Penetration testing (or pentesting) is a simulated cyber attack
where professional ethical hackers break into corporate networks to find
weaknesses ... before attackers do.
It's like in the movie
Sneakers, where hacker-consultants break into your corporate networks to find
weaknesses before attackers do. It’s a simulated cyber attack where the
pentester or ethical hacker uses the tools and techniques available to
malicious hackers.
What is penetration testing ? 11 Best Tools for Penetration
Testing
Why you need to do pentesting
Again, pentesting shows you where and how a malicious attacker
might exploit your network.This allows you to mitigate any weaknesses before a
real attack occurs.
According to recent research from Positive
Technologies, pretty much every company has weaknesses that attackers can
exploit. In 93% of cases, pentesters were able to breach the network perimeter
and access the network. The average amount of time needed to do so was four
days. At 71% of the companies, an unskilled hacker would have been able to
penetrate the internal network. How to become a penetration tester?
Top pentesting tools
Back in ye olde days of yore, hacking was hard and required a lot
of manual bit fiddling. Today, though, a full suite of automated testing tools
turn hackers into cyborgs, computer-enhanced humans who can test far more than
ever before.
Why use a horse and buggy to cross the country when
you can fly in a jet plane? Here's a list of the supersonic tools that make a
modern pentester's job faster, better, and smarter.
1. Kali Linux
If you're not using Kali as your base pentesting operating system, you either
have bleeding-edge knowledge and a specialized use case or you're doing it
wrong. Formerly known as BackTrack Linux and maintained by the good folks at
Offensive Security (OffSec, the same folks who run the OSCP certification),
Kali is optimized in every way for offensive use as a penetration tester.
While
you can run Kali on its own hardware, it's far more common to see pentesters
using Kali virtual machines on OS X or Windows.
Kali ships with
most of the tools mentioned here and is the default pentesting operating
system for most use cases. Be warned, though--Kali is optimized for offense,
not defense, and is easily exploited in turn. Don't keep your super-duper
extra secret files in your Kali VM. Is 'Brute Force Attack' legal or illegal?
2. nmap
The granddaddy of port scanners, nmap--short for network
mapper--is a tried-and-true pen testing tool few can live without. What ports
are open? What's running on those ports? This is indispensable information for
the pentester during recon phase, and nmap is often the best tool for the
job.
Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services(application name and version) those hosts are offering, what operating systems (and OS versions)they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.
Despite the occasional hysteria from a non-technical C-suite
exec that some unknown party is port scanning the enterprise, nmap by itself
is completely legal to use, and is akin to knocking on the front door of
everyone in the neighborhood to see if someone is home.
Many
legitimate organizations such as insurance agencies, internet cartographers
like Shodan and Censys, and risk scorers like BitSight scan the entire IPv4
range regularly with specialized port-scanning software (usually nmap
competitors masscan or zmap) to map the public security posture of enterprises
both large and small. That said, attackers who mean malice also port scan, so
it's something to log for future reference. How does the SQLMap penetration testing tool work?
3. Metasploit
Why exploit when you can meta-sploit? This appropriately named
meta-software is like a crossbow: Aim at your target, pick your exploit,
select a payload, and fire. Indispensable for most pentesters, metasploit
automates vast amounts of previously tedious effort and is truly "the world's
most used penetration testing framework," as its website trumpets. An
open-source project with commercial support from Rapid7, Metasploit is a
must-have for defenders to secure their systems from attackers. What are the best tools for testing IOT devices?
4. Wireshark
Wireshark doo doo doo doo doo doo... now that we've hacked your
brain to hum that tune (see how easy that engagement was?), this network
protocol analyzer will be more memorable. Wireshark is the ubiquitous tool to
understand the traffic passing across your network. While commonly used to
drill down into your everyday TCP/IP connection issues, Wireshark supports
analysis of hundreds of protocols including real-time analysis and decryption
support for many of those protocols. If you're new to pentesting, Wireshark is
a must-learn tool.
5. John the Ripper
Unlike the software's namesake, John doesn't serially kill people
in Victorian London, but instead will happily crack encryption as fast as your
GPU can go. This password cracker is open-source and is meant for offline
password cracking. John can use a word list of likely passwords and mutate
them to replace “a” with “@” and “s” with “5” and so forth, or it can run for
an infinity with muscular hardware until a password is found. Considering that
the vast majority of people use short passwords of little complexity, John is
frequently successful at breaking encryption.
6. Hashcat
Hashcat is the world’s fastest CPU-based password recovery tool. While it's not as fast as its GPU counterpart oclHashcat, large lists can be easily split in half with a good dictionary and a bit of knowledge of the command switches.
Hashcat is the self-proclaimed world’s fastest CPU-based password recovery tool, Examples of hashcat supported hashing algorithms are Microsoft LM Hashes, MD4, MD5, SHA-family, Unix Crypt formats,MySQL, Cisco PIX.
Pentesting commonly involves exfiltration of hashed
passwords, and exploiting those credentials means turning a program like
hashcat loose on them offline in the hope of guessing or brute-forcing at
least some of those passwords.
Hashcat runs best on a modern GPU
(sorry, Kali VM users). Legacy hashcat still supports hash cracking on the
CPU, but warns users it is significantly slower than harnessing your graphics
card's processing power.
7. Hydra
John the Ripper's companion, Hydra, comes into play when you need
to crack a password online, such as an SSH or FTP login, IMAP, IRC, RDP and
many more. Point Hydra at the service you want to crack, pass it a word list
if you like, and pull the trigger. Tools like Hydra are a reminder why
rate-limiting password attempts and disconnecting users after a handful of
login attempts can be successful defensive mitigations against attackers. What is the best security testing tool (open source)?
8. Burp Suite
No discussion of pentesting tools is complete without mentioning
web vulnerability scanner Burp Suite, which, unlike other tools mentioned so
far, is neither free nor libre, but an expensive tool used by the pros. While
there is a Burp Suite community edition, it lacks much of the functionality,
and the Burp Suite enterprise edition goes for a cool $3,999 a year (that
psychological pricing doesn't make it seem that much cheaper, guys).
There's
a reason they can get away with those kind of nosebleed prices, though. Burp
Suite is an incredibly effective web vulnerability scanner. Point it at the
web property you want to test, and fire when ready. Burp competitor Nessus
offers a similarly effective (and similarly priced) product.
9. Zed Attack Proxy
Those without the cash to pay for a copy of Burp Suite will find
OWASP's Zed Attack Proxy (ZAP) to be almost as effective, and it is both free
and libre software. Like the name suggests, ZAP sits between your browser and
the website you're testing and allows you to intercept (aka man in the middle)
the traffic to inspect and modify. It lacks many of Burp's bells and whistles,
but its open-source license makes it easier and cheaper to deploy at scale,
and it makes a fine beginner's tool to learn how vulnerable web traffic really
is. ZAP competitor Nikto offers a similar open-source tool.
10. sqlmap
Did somebody say SQL injection? Well hello, sqlmap. This
incredibly effective SQL injection tool is open-source and "automates the
process of detecting and exploiting SQL injection flaws and taking over of
database servers," just like its website says. Sqlmap supports all the usual
targets, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft
Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, Informix, HSQLDB and H2.
Old-timers used to have to craft their SQL injection with a hot needle to
their hard drive. These days sqlmap will take the squinty-eyed work out of
your pentesting gig.
11. aircrack-ng
It can recover the WEP key once enough encrypted packets have been captured with airodump-ng. This part of the aircrack-ng suite determines the WEP key using two fundamental methods. The first method is via the PTW approach (Pyshkin, Tews, Weinmann). The main advantage of the PTW approach is that very few data packets are required to crack the WEP key. The second method is the FMS/KoreK method.
The FMS/KoreK method incorporates various statistical attacks to discover the WEP key and uses these in combination with brute forcing.
Additionally, the program offers a dictionary method for determining the WEP key. For cracking WPA/WPA2 pre-shared keys, a wordlist (file or stdin) or an airolib-ng has to be used.
some credit goes to cssonline.com
I hope you liked this post, then you should not forget to share this post at all.
Thank you so much :-)
