Redzone’s Penetration Tools List

-

Since I get asked a lot which tools I typically use for doing certain parts of testing, I’ve decided to compile a short list of stuff I might use in an engagement. They are….
Let me just say that I’m subject to use Backtrack in any phase.
Phase 1 Passive Reconnaissance
  1. Google (1st stop for passive recon), facebook, myspace, linkedin etc. (Find info on individuals)
  2. Netcraft (find passive info about web servers.
  3. Whois
  4. Geo Spider
  5. Google Earth
  6. HTTrack
  7. Webripper
  8. Wireshark (I use in almost every phase. I wanna see if their website is sending me any tracking goodies while I’m reconning it.)
  9. Paros (Same as above, plus I use it to study authentication methods, and other stuff on their sites)
Phase 2 Scanning
  1. Nmap
  2. Firewalk
  3. Hping
  4. Modem Scan
  5. THC Scan
  6. Tone Loc
  7. p0f
  8. Solarwinds
  9. TCPTraceroute
Phase 3 Vulnerability Research
  1. (I pretty much go manual here, but there’s always Nessus, ISS and others).
  2. I usually try and build something that looks as close as possible to my target, and practice exploiting them. I count this as part of my vulnerability research.
  3. Places I check are Secunia, Seclist, Milw0rm, Eeye, Metasploit.com, Securiteam, and a few others.
  4. Vendor websites.
Phase 4 Penetration/Hacking

Breaking in
  1. Manual exploit code
  2. Metasploit
  3. Core Impact (Large scale (5000 or more nodes to penetrate).
Password Cracking
  1. Kerb Crack
  2. Pwdump
  3. Cain & Able
  4. John the Ripper
  5. Rainbow Crack
  6. Hydra
Trojans & Rootkit
  1. I usually make my own. But some good POC ones are Poison Ivy, Nuclear RAT, Netbus.
Phase 5 Going Deeper
  1. Dsniff
  2. Tcpdump
  3. Arpspoof
  4. Putty
  5. Recub
  6. Scapy (to trick devices and anything else which accepts or send packets)
  7. WebScarab (studying HTTPS and other secure authentication processes)
  8. IDA Pro (reversing any custom apps I find being used internally).
  9. Olly Debug (same as above).
  10. Yersinia (VLAN hopping, and other low stack level attacks)
Phase 6 Covering Tracks
  1. RM, delete, erase, etc (obviously).
  2. Clearlogs
  3. Wipe utility
  4. ADS
  5. Winzapper (not a big fan, but when I have to…..)

Comments

Post a Comment

Popular posts from this blog

AntiCloud Trojan Reverse Engineering Analysis

-
Image
Introduction In this paper we are going to talk about the Anticloud Trojan, also know as the  TrojanDropper:Win32/Bohu.A and  B  variant. This malware originated in China and was designed to target the Cloud-Based Technology of major Chinese AntiVirus Vendors. For this reason, Bohu has also been called  AntiCloud Trojan . This is the first malware to specifically target cloud based technologies and will likely set a trend. As more corporations and governments move applications and services into the cloud, it will become an increasingly important target for malware developers. We can expect sophisticated malware that attacks clients and embeds itself into cloud-based apps, potentially without the user being able to determine that the cloud-based service is compromised. This trojan presents some interesting features, such as: Hash Check Evasion. Packet Interception via NDIS Filter. Cloud-Servers Access Lock via SPI network filter in order to Bypass antivirus Detection. So
Read more

SQL Injection: The Equal Opportunity Vulnerability

-
Image
Introduction In the  first installment of this series , we discussed application security within the Software Development Process by demystifying the adoption of security controls within the development organization. We also took a deeper dive into identifying potential vulnerabilities based on threats to attack surfaces exposed to the application, a process known as threat modeling. In this installment, we are going to take a technical dive into specific vulnerabilities that can be used to compromise the attack surfaces and discuss what is arguably one of the most prevalent attacks to applications and inflicts the most exposure of sensitive data: SQL Injection. Injection attacks attempt to infiltrate an application by injecting malicious content into the application through available input channels. Input channels can be in the form of form fields, uploads, 3 rd  party API, data access channels, configuration files, input files: essentially, any point at which the application r
Read more

Secure Sockets Layer (SSL)

-
Image
Secure Sockets Layer (SSL): How It Works What Happens When a Browser Encounters SSL > A browser attempts to connect to a website secured with SSL. > The browser requests that the web server identify itself. > The server sends the browser a copy of its SSL Certificate. > The browser checks whether it trusts the SSL Certificate. If so, it sends a    message to the server. > The server sends back a digitally signed acknowledgement to start an SSL encrypted session. > Encrypted data is shared between the browser and the server. Encryption Protects Data During Transmission Web servers and web browsers rely on the Secure Sockets Layer (SSL) protocol to help users protect their data during transfer by create a uniquely encrypted channel for private communications over the public Internet. Each SSL Certificate consists of a key pair as well as verified identification information. When a web browser (or client) points to a secured website, th
Read more