Penetration Testing Tools
Nmap, short for Network Mapper, is a free open-source tool that lets specialists scan a system for vulnerabilities. With Nmap you can identify which devices are connected to a given network, scan ports to determine whether they are open or closed, and spot loopholes. Nmap is widely used by network administrators to scan for:
Open ports and services
Running services together with their versions
The software running on a target machine
The exact packet route to the target machine
Nmap Scan Types
A variety of scans can be performed using Nmap. The main scan types are:
A TCP (connect) scan is generally used to check for and complete a three-way handshake between you and the selected target system. A TCP scan is very noisy and can be detected with almost no effort: because a full connection is made, the target's services log the sender's IP address, which may trigger intrusion detection systems.
UDP scans check whether any UDP port on the target machine is up and listening for incoming requests. Unlike TCP, UDP has no mechanism to reply with a positive acknowledgment, so there is always a chance of false positives in the scan results. UDP scans are nevertheless used to reveal Trojan horses that may be running on UDP ports, or to reveal hidden RPC services. This type of scan tends to be quite slow because machines generally rate-limit their responses to this kind of traffic as a preventive measure.
The SYN scan is another type of TCP scan. The difference from a standard TCP scan is that Nmap itself crafts the SYN packet, which is the first packet sent to establish a TCP connection. What is important to note here is that the connection is never completed; instead, the responses to these specially crafted packets are analyzed by Nmap to produce the scan results.
ACK scans are used to determine whether a particular port is filtered. This proves very useful when trying to probe for firewalls and their existing rule sets. Simple packet filtering will permit established connections (packets with the ACK bit set), whereas a more sophisticated stateful firewall will not.
The FIN scan is also a stealth scan, like the SYN scan, but it sends a TCP FIN packet instead. Most, but not all, computers will send an RST (reset) packet back if they receive this input, so the FIN scan can produce false positives and negatives, but it may get under the radar of some IDS programs and other countermeasures.
Null scans are very stealthy: they set all the header flag fields to null. Generally this is not a valid packet, and many targets will not know how to deal with it. Such targets are typically some version of Windows, and scanning them with NULL packets may end up producing unreliable results.
Like null scans, Xmas scans are stealthy in nature. Computers running Windows will not respond to Xmas scans because of the way their TCP stack is implemented. The scan derives its name from the set of flags that are turned on within the packet sent out for scanning. Xmas scans manipulate the PSH, URG and FIN flags found in the TCP header.
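As an added example (not part of the original article), the following Python classifies TCP probes by their flag combination into the scan types just described and reports sources that send the same probe type to many ports, which is roughly how an IDS tells a NULL, Xmas or FIN sweep apart from ordinary traffic. The packet tuples, addresses and threshold are constructed for the example.

```python
from collections import defaultdict

# TCP flag bits as they appear in the header's flags byte.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

def classify_flags(flags):
    """Map one probe's TCP flag byte to the Nmap scan type whose probe it matches."""
    if flags == 0:
        return "NULL scan"        # no flags at all: not a valid TCP segment
    if flags == (FIN | PSH | URG):
        return "Xmas scan"        # FIN, PSH and URG "lit up" together
    if flags == FIN:
        return "FIN scan"         # lone FIN outside any connection
    if flags == ACK:
        return "ACK scan"         # lone ACK; also seen in normal mid-stream traffic
    if flags == SYN:
        return "SYN scan"         # every normal connection starts this way too
    return "other"

def detect_scans(packets, port_threshold=10):
    """packets: iterable of (src_ip, dst_port, flags).
    A single SYN or ACK is ordinary traffic, so only a source that sends the same
    probe type to at least port_threshold distinct ports is reported, as
    {src_ip: {scan_type: distinct_port_count}}."""
    probes = defaultdict(lambda: defaultdict(set))
    for src, port, flags in packets:
        probes[src][classify_flags(flags)].add(port)
    report = {}
    for src, kinds in probes.items():
        hits = {kind: len(ports) for kind, ports in kinds.items()
                if kind != "other" and len(ports) >= port_threshold}
        if hits:
            report[src] = hits
    return report

# Constructed sample traffic (addresses from documentation ranges, not real hosts).
SAMPLE_PACKETS = (
    [("198.51.100.7", p, 0) for p in range(1, 21)]                    # NULL probes, 20 ports
    + [("198.51.100.7", p, FIN | PSH | URG) for p in range(80, 95)]   # Xmas probes, 15 ports
    + [("203.0.113.5", 443, SYN), ("203.0.113.5", 80, SYN),           # ordinary client
       ("203.0.113.5", 443, ACK)]
)

if __name__ == "__main__":
    for src, hits in detect_scans(SAMPLE_PACKETS).items():
        for kind, count in hits.items():
            print(f"{src}: {kind} against {count} ports")
```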
Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures (CVE) architecture for easy cross-linking between compliant security tools. It is one of the many vulnerability scanners used during vulnerability assessments and penetration testing engagements, including malicious attacks. The tool checks computers to find vulnerabilities that hackers could exploit.
It works by testing each port on a computer, determining what service it is running, and then testing that service to make sure it has no vulnerabilities a hacker could use to carry out a malicious attack.
It can scan for these vulnerabilities and exposures:
Vulnerabilities that could allow unauthorized control or access to sensitive data on a system
Misconfiguration (e.g. open mail relay)
Denial of service (DoS) vulnerabilities
Default passwords, a few common passwords, and blank/absent passwords on some system accounts
Significant capabilities of Nessus include:
Scheduled security audits
Detection of security holes in local or remote hosts
Simulated attacks to pinpoint vulnerabilities
Detection of missing security updates and patches
Nessus Professional performs internal network scans as required by the PCI DSS 11.2.1 requirement.
Burp Suite is good for testing web-based applications. It provides tools to map the attack surface and analyze requests between a browser and destination servers. The framework performs web penetration testing on the Java platform and is an industry-standard tool used by the majority of information security professionals.
The tools offered by BurpSuite are:
Spider: A web spider/crawler used to map the target web application. The goal of the mapping is to get a list of endpoints so that their functionality can be observed and potential vulnerabilities can be found. Spidering is done for a simple reason: the more endpoints you gather during your recon process, the more attack surface you have during your actual testing.
Proxy: BurpSuite contains an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also lets the user send the request/response under observation to another relevant tool in BurpSuite, removing the burden of copy-paste. The proxy server can be configured to run on a particular loopback IP and port. The proxy can also be configured to filter out specific types of request-response pairs.
Intruder: A fuzzer. It is used to run a set of values through an input point. The values are run and the output is observed for success/failure and content length. Usually, an anomaly results in a change in the response code or the content length of the response. BurpSuite allows brute-force, dictionary file and single values for its payload position.
The Intruder is used for:
Brute-force attacks on password forms, PIN forms, and other such forms.
Dictionary attacks on password forms, and on fields suspected of being prone to XSS or SQL injection.
Testing and attacking rate limiting on the web app.
Decoder: Decoder lists the common encoding methods such as URL, HTML, Base64, Hex, etc. This tool comes in handy when looking for chunks of data in the values of parameters or headers. It is also used for payload construction for various vulnerability classes. It is used to uncover primary cases of IDOR and session hijacking.
Extender: BurpSuite supports external components being integrated into the tool suite to enhance its capabilities. These external components are called BApps. They work just like browser extensions. They can be viewed, modified, installed, and uninstalled in the Extender window.
Kali Linux advanced penetration testing software is a Linux distribution used for penetration testing. Many experts believe this is the best tool for both injecting and password sniffing. However, you will need skills in the TCP/IP protocol suite to gain the most benefit. An open-source project, Kali Linux provides tool listings, version tracking, and meta-packages. Kali contains several hundred tools geared towards various information security tasks, such as penetration testing, security research, computer forensics and reverse engineering.
Below is a list of some tools that come pre-installed for ethical hacking in Kali Linux:
Aircrack-ng is a suite of tools used to assess Wi-Fi network security. It focuses on key areas of Wi-Fi security:
Monitoring: Packet capture and export of data to text files for further processing by third-party tools
Attacking: Replay attacks, de-authentication, fake access points, and others via packet injection
Testing: Checking Wi-Fi cards and driver capabilities (capture and injection)
Cracking: WEP and WPA PSK (WPA 1 and 2)
THC Hydra: When you need to brute-force a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP, HTTPS, SMB, several databases, and much more. It can also be used against web scanners, wireless networks, packet crafters, etc.
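Hydra and Burp's Intruder both drive rapid repeated login attempts, so the defensive counterpart is a failed-login counter over a time window. The following Python is an added example, not from the article or the Hydra project; the sshd-style log lines, hostname and addresses are constructed, and the threshold and window are illustrative values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd-style syslog lines (hostname and addresses are made up).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51234 ssh2
Jan 10 12:00:02 bastion sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51235 ssh2
Jan 10 12:00:02 bastion sshd[4021]: Failed password for root from 203.0.113.9 port 51236 ssh2
Jan 10 12:00:03 bastion sshd[4021]: Failed password for root from 203.0.113.9 port 51237 ssh2
Jan 10 12:00:03 bastion sshd[4021]: Failed password for root from 203.0.113.9 port 51238 ssh2
Jan 10 12:00:04 bastion sshd[4021]: Failed password for root from 203.0.113.9 port 51239 ssh2
Jan 10 12:00:09 bastion sshd[4033]: Failed password for alice from 198.51.100.20 port 40001 ssh2
Jan 10 12:05:30 bastion sshd[4040]: Failed password for alice from 198.51.100.20 port 40002 ssh2
Jan 10 12:05:31 bastion sshd[4040]: Accepted password for alice from 198.51.100.20 port 40002 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Sliding-window failed-login counter: {src_ip: (failures, distinct_usernames)}
    for every source reaching `threshold` failures inside a `window_s`-second window.
    The username count separates a dictionary attack on one account from a spray."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue              # successful logins and unrelated lines are ignored
        # syslog timestamps carry no year; a fixed one keeps the arithmetic simple
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        src = m["src"]
        window = recent[src]
        window.append(ts)
        users[src].add(m["user"])
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()
        if len(window) >= threshold:
            alerts[src] = (len(window), len(users[src]))
    return alerts

if __name__ == "__main__":
    for src, (fails, names) in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {fails} failures in 60 s across {names} usernames")
```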
Wireshark: An open-source packet analyzer that you can use free of charge. With it, you can see the activity on a network at a microscopic level, coupled with pcap file access, customizable reports, advanced triggers, alerts, etc. It is reportedly the world's most widely-used network protocol analyzer for Linux.
Wireshark main features:
Saves analysis for offline inspection
Rich VoIP analysis
Inspects and decompresses gzip files
Reads other capture file formats including Sniffer Pro, Tcpdump, Microsoft Network Monitor, Cisco Secure IDS iplog, etc.
Exports results to XML, PostScript, CSV, or plain text
John the Ripper Password Cracker
Passwords are one of the most prominent vulnerabilities. Attackers may use passwords to steal credentials and enter sensitive systems. John the Ripper is one of the most popular password crackers of all time. It is also one of the best security tools available to test password strength in your operating system, or for auditing one remotely. This password cracker is able to auto-detect the type of encryption used in almost any password and will change its password test algorithm accordingly, making it one of the most intelligent password cracking tools ever.
This tool uses brute force to decipher passwords and algorithms such as:
DES, MD5, Blowfish
LM hash (LAN Manager), the system used in Windows NT / 2000 / XP / 2003
MD4, LDAP, MySQL (using third-party modules)
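The auto-detection described above works from the on-disk shape of the stored hash. As an added example (not John the Ripper's own code), this Python identifies the formats listed above from constructed shadow-style entries and flags the legacy ones an auditor would want migrated; the sample hashes are made up, and the format regexes and the "legacy" judgement are this example's own.

```python
import re

# On-disk shapes of the hash types the article lists, plus modern crypt(3) forms for
# contrast. The labels and the "legacy" flag are this example's own judgement.
HASH_PATTERNS = [
    (re.compile(r"^\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}$"), "md5crypt", True),
    (re.compile(r"^\$2[aby]\$\d\d\$[./0-9A-Za-z]{53}$"), "bcrypt (Blowfish)", False),
    (re.compile(r"^\$6\$(rounds=\d+\$)?[^$]{1,16}\$[./0-9A-Za-z]{86}$"), "sha512crypt", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "descrypt (traditional DES)", True),
    (re.compile(r"^\*[0-9A-F]{40}$"), "mysql-sha1 (MySQL 4.1+)", False),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "raw 32-hex (LM, NT/MD4 or MD5: ambiguous)", True),
]
# LM hashes each 7-byte half separately; this well-known value is the hash of an
# empty half, so its presence means the password was 7 characters or fewer.
LM_EMPTY_HALF = "aad3b435b51404ee"

def identify_hash(h):
    """Return (label, is_legacy) for one stored hash string."""
    for pattern, label, legacy in HASH_PATTERNS:
        if pattern.match(h):
            if label.startswith("raw 32-hex") and h.lower()[16:] == LM_EMPTY_HALF:
                return "LM (password of 7 chars or fewer)", True
            return label, legacy
    return "unknown", False

def audit_hashes(entries):
    """entries: 'user:hash' lines. Returns [(user, label)] for every legacy hash."""
    findings = []
    for line in entries.splitlines():
        user, _, h = line.partition(":")
        label, legacy = identify_hash(h.strip())
        if legacy:
            findings.append((user, label))
    return findings

# Constructed sample store; none of these are real hashes.
SAMPLE_SHADOW = "\n".join([
    "legacy1:abJnggxhB/yWI",                          # 13-char DES crypt
    "legacy2:$1$Zq3Wv7Lp$Vb9eXK2fPq1Lm0Rt4Sy6Uu",      # md5crypt
    "svc_ntlm:0123456789abcdefaad3b435b51404ee",       # LM with empty second half
    "dbuser:*" + "F" * 40,                             # MySQL 4.1+ PASSWORD() form
    "modern:$2b$12$" + "A" * 53,                       # bcrypt
    "modern2:$6$Q9x7Lw2e$" + "B" * 86,                 # sha512crypt
])

if __name__ == "__main__":
    for user, label in audit_hashes(SAMPLE_SHADOW):
        print(f"{user}: {label}")
```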