If you’re new to using software for pentesting, here are some tools you need to know about.
The very best pentesting tools can be found in Pwnbox and Parrot OS. Pwnbox runs on Hack The Box’s infrastructure. You can also install Linux-based Parrot OS directly onto your PC.
As you start learning how to use software tools to hack our boxes, it helps to know which ones to try first. Here are the pentesting tools you’ll use most frequently with Hack The Box and throughout your pentesting career.
Before we get started, here is some great advice I received from Parrot and Pwnbox developer Lorenzo "Palinuro" Faletra for new pentesters:
“When you are new to Linux and you discover the command line and the powerful capabilities its commands have, you want to know more about it. And since the first step is to learn the basic commands, the next step is the natural willingness to know more commands to do more stuff, while the reality is pretty different.
Once you learn a few shell commands to move around, copy or remove files, read their content and so on, the next step is not to learn more commands, but instead to learn how Linux works. Why is everything considered a file in a Linux system? How do file permissions work? What are pipelines and how to use them? How can you program in Bash?
New commands will join the game while you learn such things. It makes no sense to learn now what grep is or what tr does. You would not get it and it would only be a waste of time. But you would naturally know about them and be able to use them properly and consciously once you learn more about UNIX pipelines. Do you study regular expressions? Say welcome to sed. Do you study Linux networking and how to manually configure network connectivity? Say hello to ifconfig, iwconfig, netstat and ip.
It makes no sense to know that chown and chmod even exist if you don't know Linux permissions, and it is impossible to not know them without proper study.
The same thing happens with penetration testing tools. I am the founder of the Parrot Project, and hell, my own system is full of tools I have never used or heard of. I am a penetration tester and a sysadmin and I know the tools that I use at work or that I have been working with, all based on my needs and theoretical knowledge of the field.
I know Wireshark, Bettercap, Nmap and Metasploit because I needed them and they were the perfect solution to my issues. And because I encountered them while I was studying port mapping, network sniffing and exploitation. And even if I use them, they have some features that I don't know (especially Metasploit, that fat bastard). I believe I wouldn't even have had a career in cybersecurity if I had learned about such tools, because they were listed in the most comprehensive list of pentesting tools.
The problem is that, as a beginner, you can't really know what to consider necessary and what not, unless you have already mastered a topic. This is why building your practical skillset through theory is always the best strategy. No ‘Nmap’ featured on a list of tools would make you a port scanning Jedi. Only some good networking courses would.
Studying the proper theory behind a subject is like drawing a map of an unknown land. It is way easier to identify key points (tools, commands, techniques, hacks) when you know how they fit in that map. When you are a beginner, you tend to believe that more is better, because the more tools you can remember the name of, the more you feel protected in your comfort zone. As you grow and build your skillset, the opposite trend will emerge, and as a senior you will start to understand why less is more.”
With that in mind, let’s get onto the tools!
If you ask any experienced red teamer, they will likely tell you how rare it is for them to actually use an exploit. Most engagements start with using a browser to perform some OSINT to build a username list, then manually attempting to log in with a few common passwords such as Summer2021!, and then using that account to read as much information about the company as possible. Not only are that user’s emails exposed, but the user also likely has access to a lot of cloud resources such as wikis, SharePoint, Confluence, helpdesks, etc. Without a web browser, it would be impossible to access all of these resources.
Additionally, when it comes to writing a report, pentesters will often take what they did in tools such as Burp Suite and recreate the attack in Firefox or Chrome using the browser’s Developer Tools. It may sound silly, but showing that the attack can be pulled off without third-party tools makes it seem simpler and more realistic. It also opens the conversation about insider threats and the importance of centralized logging: how would a company detect an attack if people didn’t need to load custom software to pull it off?
Metasploit Framework is a network pentesting platform developed by Rapid7. It’s now one of the most popular network pentesting applications. With this software, you can test networks to see if specific exploits are successful. Very frequently, pentesters need to know if networks are susceptible to common, known exploits, because all too often they are! There is now a massive number of exploits in Metasploit’s collection, with new exploits added regularly.
Some of Metasploit’s most popular features:
- A large number of exploits
- Advanced Payloads
- Auxiliary functions
- Post Exploitation Modules
There is a negative mantra against using Metasploit, because it can make things too easy. However, since it is a large project, each exploit module gets more testing to ensure it is reliable. In Dante, there is a host vulnerable to EternalBlue; many people use the Python script from GitHub to exploit it, which does get them a shell but also has a high chance of crashing the service, which would be devastating in a professional environment. The Metasploit module very rarely crashes the service.
If you’re pentesting wireless networks, such as through WiFi, low energy Bluetooth, or wireless HID devices, Bettercap is a very useful tool.
Bettercap is developed by a man who goes by evilsocket on the web. Here are some of Bettercap’s best features:
- Super fast port scanning
- Simulate man-in-the-middle attacks on wireless networks with credential harvesting and network protocol fuzzing
- ARP, DHCPv6, NDP, and DNS spoofing to facilitate man-in-the-middle attacks
- WiFi network scanning with WPA/WPA2 handshake capture
- REST API support
- MouseJacking through HID technology
- Passive and active IP network host probing and reconnaissance
Lots of devices can be tested with Bettercap, such as wireless routers, wireless input devices like mice and keyboards, and Bluetooth devices and networks. Check it out!
Burp Suite is developed by PortSwigger. It’s a proxy-based tool used to evaluate the security of web-based applications. The paid versions have more features, but the Community Edition already has some pretty powerful features, including:
- A demo of Burp Intruder (for automating customized attacks against web applications)
- HTTP, HTTPS, and WebSockets proxy and history
- Repeater, Decoder, Sequencer, and Comparer
Getting familiar with Burp Suite’s applications will help you on your web pentesting journey. There are two HTB Academy courses in particular that we really recommend to help you get the most out of Burp Suite and web pentesting in general. Check out Web Requests and also Using Web Proxies.
Nmap is easily the most popular tool of its kind. Its name simply means “network mapper,” and that’s what it does. With Nmap, you can fully explore a network with its networking infrastructure, servers, endpoints, and how everything is connected. That’s essential information if you’re going to pentest a network. Even network administrators use Nmap to inventory their own networks, which is often a difficult task.
Here are some of Nmap’s most notable features:
- Scan networks from a small LAN with a few devices, to huge networks with hundreds of thousands of devices
- Nmap can be operated from the command line or a GUI according to your personal preferences
- Because Nmap is so popular, there’s extensive documentation for it
- Fingerprint network devices for hosts, services, and operating systems
- Explore what kinds of firewalls and packet filtering a network has
All network pentesters must use Nmap. Seriously! Considering how important this tool is, you should try our HTB Academy course Network Enumeration with Nmap to learn how to really master it.
Wireshark is a packet analyzer. Often, pentesters will switch back and forth between Nmap and Wireshark: Nmap to see the network, then Wireshark to see the data on it. But they’re completely separate applications, and Wireshark can definitely be used on its own if you don’t need to do any network mapping for a particular task.
All data that’s sent through the network is sent in the form of TCP or UDP packets. If these packets aren’t encrypted in some way, or if the encryption is cracked or bypassed, packet analysis is easy. But Wireshark also has network decryption capabilities if you’re testing encrypted networks. Here are some of its features:
- Packet capturing (pcap)
- Both live capturing and offline analysis
- Use a GUI or TShark to browse captured network data
- Deep inspection of hundreds of protocols
- Decryption support for IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
Hashcat is a powerful password recovery tool. It may soon become your favorite tool for cracking passwords of many kinds, and it’s developed by Jens 'atom' Steube and Gabriele 'matrix' Gristina. Here are some of its many features:
- Brute force, combinator, dictionary, and rule-based password attacks
- Crack multiple hashes simultaneously
- Session support
- Distributed cracking network support
- Hex-salt and hex-charset support
- Works with over 350 hash types
- Pause and resume password cracking whenever you need to
- Automatic keyspace ordering markov-chain support
Password cracking is CPU-intensive work, but Hashcat is up to the task! Check out our HTB Academy course Cracking Passwords with Hashcat if you want to really master this powerful tool.
Linux is often the operating system of choice for penetration testing, but out of the box it is not compatible with many of the protocols used in Windows environments. That’s where Impacket comes in: it is a Python library that enables hackers to use these protocols in the way they were intended, but also in ways that were not intended! For example, one of the oldest attacks on Windows is the “Pass the Hash” attack, which lets attackers authenticate with the password hash instead of the actual password. Windows doesn’t provide a user interface for this type of authentication, but since Impacket is just a Python library, hackers exposed this authentication method.
Some of the most popular Impacket tools:
- psexec: This is a clone of the Sysinternals PsExec package, and provides a way to authenticate against a remote Windows machine and get a command prompt back.
- wmiexec: This is like psexec, but instead of using the method psexec does (dropping a file to disk, then creating a service to execute it), it uses WMI to run commands directly on the machine. psexec will often get picked up by antivirus, but WMI does not “touch disk”, so many AVs will ignore it.
- secretsdump: Have a domain administrator credential? This tool will dump every password out of Active Directory!
- GetNPUsers: Ever hear about Kerberoasting? If a user has the Active Directory attribute “Do not require Kerberos preauthentication” set, this tool will extract a password hash that you can attempt to crack with Hashcat.
- ntlmrelayx: This allows users to perform NTLM relay attacks against hosts that do not have SMB signing enabled. Essentially, users force a “high privilege” server such as a Domain Controller to connect back to them (PetitPotam, PrinterBug, etc.), then forward that connection to a different workstation and jump in on the session!
All of the above tools work magnificently out of the box. However, as we said before, Impacket is a Python library, and experienced hackers are always tweaking it to do more. When the “PrintNightmare” vulnerability came out, an in-depth technical blog post described adding functionality to Impacket in order to create a program that performs this exploit.
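The flag the GetNPUsers entry refers to is a bit in each account’s userAccountControl attribute, so the defensive counterpart is an audit of which enabled accounts carry it. The added example below (not code from the original post or from Impacket) runs that audit over constructed account records and also lists enabled accounts that carry a servicePrincipalName, which is what Kerberoasting targets; the attribute names and bit values are the documented Active Directory ones, the accounts themselves are made up.

```python
# Constructed sample of Active Directory account records (not taken from any real
# domain); in practice these three attributes come from an LDAP query.
UF_ACCOUNTDISABLE = 0x0002            # userAccountControl bits (documented AD values)
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_REQUIRE_PREAUTH = 0x400000    # "Do not require Kerberos preauthentication"

ACCOUNTS = [
    {"sAMAccountName": "alice", "userAccountControl": UF_NORMAL_ACCOUNT, "servicePrincipalName": []},
    {"sAMAccountName": "legacy_app", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH,
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_sql", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": ["MSSQLSvc/db01.corp.local:1433"]},
    {"sAMAccountName": "old_svc", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH | UF_ACCOUNTDISABLE,
     "servicePrincipalName": ["HTTP/legacy.corp.local"]},
]

def is_enabled(acct):
    return not acct["userAccountControl"] & UF_ACCOUNTDISABLE

def no_preauth_accounts(accounts):
    """Enabled accounts whose AS-REQ needs no preauthentication, i.e. exactly the
    accounts GetNPUsers would report."""
    return [a["sAMAccountName"] for a in accounts
            if is_enabled(a) and a["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH]

def spn_accounts(accounts):
    """Enabled accounts carrying a servicePrincipalName (the ones exposed to Kerberoasting)."""
    return [a["sAMAccountName"] for a in accounts if is_enabled(a) and a["servicePrincipalName"]]

def audit_report(accounts):
    """Findings keyed by account; disabled accounts are deliberately not reported."""
    report = {}
    for name in no_preauth_accounts(accounts):
        report.setdefault(name, []).append("preauth-not-required: clear the flag on the account")
    for name in spn_accounts(accounts):
        report.setdefault(name, []).append("spn-present: use a long random password or a gMSA")
    return report
```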
If you’re pentesting Windows networks, give BloodHound a try. Networks with Windows servers and clients use Active Directory for administration, and that’s what BloodHound focuses on. So this tool will be a big help if you need to penetrate a Windows network through Active Directory.
Here’s what BloodHound can do:
- Thoroughly explore ACLs (access control lists), which are used by Active Directory to manage user account privileges
- Acquire Active Directory configuration information which can help with privilege escalation
- Output visual information about networks with Active Directory to explore relationships, connections, and Active Directory domain administrators
Windows networks with Active Directory are very common, so BloodHound is a very useful tool for testing their security. And if you really want to get the most out of BloodHound, check out HTB Academy’s Active Directory BloodHound course.
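BloodHound’s core idea is to treat those ACL rights, group memberships, admin rights and logon sessions as edges of a directed graph and ask for the shortest path to Domain Admins. The added example below (not BloodHound’s own code and not part of the original post) performs that search in Python over a constructed six-edge graph, and its audit helper lists every principal with any path at all, which is the list a defender wants to prune; all names are made up.

```python
from collections import deque

# Constructed toy Active Directory graph; not real BloodHound/SharpHound output.
# Edge labels mirror the relationship kinds BloodHound collects: MemberOf (group
# membership), AdminTo (local admin on a host), HasSession (a user is logged on
# to a host) and GenericAll (full control over another object via its ACL).
EDGES = [
    ("alice@corp.local", "MemberOf", "helpdesk@corp.local"),
    ("helpdesk@corp.local", "AdminTo", "ws01.corp.local"),
    ("ws01.corp.local", "HasSession", "bob@corp.local"),
    ("bob@corp.local", "GenericAll", "svc_backup@corp.local"),
    ("svc_backup@corp.local", "MemberOf", "domain admins@corp.local"),
    ("carol@corp.local", "MemberOf", "marketing@corp.local"),
]

def build_graph(edges):
    """Adjacency list: node -> [(relationship, next node), ...]."""
    graph = {}
    for src, rel, dst in edges:
        graph.setdefault(src, []).append((rel, dst))
    return graph

def shortest_path(graph, start, target):
    """Breadth-first search over the directed graph. Returns the shortest chain of
    (node, relationship, node) hops from start to target, or None if unreachable."""
    parent = {start: None}          # node -> (previous node, relationship used)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while parent[node] is not None:
                prev, rel = parent[node]
                path.append((prev, rel, node))
                node = prev
            return path[::-1]
        for rel, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, rel)
                queue.append(nxt)
    return None

def principals_with_path(graph, target):
    """Audit view: every node that can reach the target at all, shortest path first."""
    reach = {n: shortest_path(graph, n, target) for n in graph if n != target}
    return sorted((n for n, p in reach.items() if p), key=lambda n: (len(reach[n]), n))

GRAPH = build_graph(EDGES)
```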
Last but not least, one of the most used tools for attacks related to Link-Local Multicast Name Resolution (LLMNR), NBT-NS, and mDNS poisoning, and one that can be used in every infrastructure penetration testing engagement, is Responder. It’s still actively maintained by its creator Laurent Gaffie and is considered one of the easiest methods for a red teamer to obtain credentials, both in clear text and as password hashes, and possibly one of the quickest paths to Domain Administrator access. Responder simulates different services and offers them to the network so that, when a Windows machine mistakenly tries to communicate with those rogue servers, it exposes valid hashed passwords. It can also prompt for credentials and thus capture them in clear-text format, or in many cases automatically use the hashed passwords in a pass-the-hash attack to log the attacker into legitimate systems.
Some of its best features include:
- Built-in Auth servers like SMB, MSSQL, HTTP/HTTPS, LDAP, FTP, POP3, etc.
- ICMP redirect
- Rogue DHCP
- Analyze mode
- Browser Listener
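Since Responder works by answering LLMNR lookups that no legitimate host would answer, a common detection is to query a canary name that does not exist anywhere and alert on whoever resolves it. The added example below (not code from the original post or from Responder) implements that check in Python over constructed UDP/5355 payloads; the message layout follows RFC 4795, the host names and addresses are made up, and name-compression pointers are assumed absent.

```python
import struct
# Wire helpers for the LLMNR message layout (RFC 4795 reuses the DNS format).
def encode_name(name):
    return b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"

def decode_name(data, off):
    labels = []
    while data[off]:                          # labels run until the 0 terminator
        ln = data[off]                        # assumption: no compression pointers
        labels.append(data[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1

def parse_llmnr(data):
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, answers = 12, []
    for _ in range(qd):                       # skip the question section
        _name, off = decode_name(data, off)
        off += 4                              # QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:         # A record: 4-byte IPv4 address
            answers.append((name, ".".join(str(b) for b in data[off:off + 4])))
        off += rdlen
    return {"is_response": bool(flags & 0x8000), "answers": answers}

def build_response(tid, name, ip):            # fabricates a sample A-record answer
    hdr = struct.pack("!HHHHHH", tid, 0x8000, 1, 1, 0, 0)
    q = encode_name(name) + struct.pack("!HH", 1, 1)
    rr = encode_name(name) + struct.pack("!HHIH", 1, 1, 30, 4) + bytes(int(x) for x in ip.split("."))
    return hdr + q + rr

def flag_poisoning(packets, canary_names):
    """packets: (source IP, UDP/5355 payload). Only a poisoner answers a canary name."""
    alerts = []
    for src_ip, raw in packets:
        msg = parse_llmnr(raw)
        if msg["is_response"]:
            alerts.extend((src_ip, n, ip) for n, ip in msg["answers"] if n.lower() in canary_names)
    return alerts

CANARIES = {"fileshare-canary"}   # constructed sample: canary query, legitimate answer, poisoned answer
SAMPLE = [
    ("10.0.0.5", struct.pack("!HHHHHH", 7, 0, 1, 0, 0, 0) + encode_name("fileshare-canary") + struct.pack("!HH", 1, 1)),
    ("10.0.0.20", build_response(8, "printer01", "10.0.0.20")),
    ("10.0.0.66", build_response(7, "fileshare-canary", "10.0.0.66")),
]
```

Running the same check against a live capture only needs the UDP payloads and source addresses of port 5355 traffic, which any pcap reader can supply.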