Penetration Testing Tools
By Mohammed AlSubayt
Information Gathering:
1. Nmap
• Description: Network exploration tool and security/port scanner.
• Example: nmap -A [Link]
2. Shodan
• Description: Search engine for internet-connected devices.
• Example: Use the Shodan website or CLI: shodan search "apache"
3. Maltego
• Description: Visual link analysis tool for gathering and connecting online information.
• Example: GUI-based; explore entities and relationships.
4. TheHarvester
• Description: E-mail, subdomain, and people names harvester from different public sources.
• Example: theHarvester -d [Link] -b google
5. Recon-NG
• Description: A full-featured Web Reconnaissance framework written in Python.
• Example: CLI-based; start with recon-ng, then marketplace search recon.
6. Amass
• Description: In-depth DNS enumeration, attack surface mapping, and external asset discovery.
• Example: amass enum -d [Link]
7. Censys
• Description: Search engine for discovering devices and networks across the internet.
• Example: Use the Censys website or API: censys search "[Link]: 'Apache2 Ubuntu Default Page'"
8. OSINT Framework
• Description: A framework focused on gathering information from free tools or resources.
• Example: Navigate through the framework online at [Link].
9. Gobuster
• Description: Directory/file, DNS, and VHost brute-forcing tool.
• Example: gobuster dir -u [Link] -w [Link]
Exploitation:
1. Burp Suite
• Description: An integrated platform for performing security testing of web applications.
• Example: Use the Proxy and Intruder tools within the GUI.
2. Metasploit Framework
• Description: A tool for developing and executing exploit code against a remote target machine.
• Example: msfconsole, then use exploit/multi/handler
3. SQLmap
• Description: Automated detection and exploitation of SQL injection flaws.
• Example: sqlmap -u "[Link]" --dbs
Password Cracking:
1. John The Ripper
• Description: Multi-purpose password recovery tool.
• Example: john --wordlist=[Link] [Link]
2. Hydra
• Description: Fast network logon cracker.
• Example: hydra -l user -P [Link] [Link]
3. Hashcat
• Description: World's fastest and most advanced password recovery utility.
• Example: hashcat -m 0 -a 0 [Link] [Link]
4. OPHCrack
• Description: Windows password cracker based on rainbow tables.
• Example: GUI-based; load the hashes and start cracking.
5. Medusa
• Description: Speedy, parallel, and modular login brute-forcer.
• Example: medusa -h [Link] -u user -P [Link] -M ssh
6. THC-Hydra
• Description: Another reference to the Hydra tool, emphasizing its versatility.
• Example: See Hydra example.
7. Cain & Abel
• Description: Windows password recovery tool.
• Example: GUI-based; used for recovering passwords from captures or cracking encrypted passwords.
Vulnerability Scanning:
1. OpenVAS
• Description: Open-source vulnerability scanning and management framework.
• Example: GUI-based; configure and run scans through the Greenbone Security Assistant.
2. Nessus
• Description: Widely used vulnerability scanner with high-speed discovery, configuration auditing, and asset profiling.
• Example: Proprietary; after setup, nessus -q -x [target IP] [port] [policy file] [results file]
3. AppScan
• Description: Application security testing tool to identify and manage vulnerabilities in web, mobile, and desktop applications.
• Example: Proprietary; typically GUI-driven, scan configurations are done through its interface.
4. Lynis
• Description: Security auditing tool for Unix/Linux systems.
• Example: lynis audit system
5. Retina
• Description: Network security scanner that offers vulnerability assessment and remediation.
• Example: Proprietary; GUI-based, with scan configuration and scheduling done through its interface.
6. Nexpose
• Description: Vulnerability management solution that identifies risks across networks, endpoints, and cloud environments.
• Example: Proprietary; after setup, initiate scans via the web interface.
Social Engineering:
1. GoPhish
• Description: Open-source phishing toolkit designed for businesses and penetration testers.
• Example: GUI-based; configure campaigns and monitor results through the web interface.
2. HiddenEye
• Description: Modern phishing tool with advanced functionality.
• Example: Command-line; set up phishing pages and monitor them through the terminal.
3. SocialFish
• Description: Advanced phishing toolkit for simulating social engineering attacks.
• Example: Command-line; deploy using python [Link]
4. EvilURL
• Description: Generates Unicode look-alike domains for IDN homograph attacks and detects them.
• Example: Command-line; use python [Link] to generate.
5. Evilginx
• Description: Man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for bypassing 2-factor authentication.
• Example: Command-line; set up phishing pages with evilginx2 setup
Forensics:
1. Sleuth Kit
• Description: Collection of command-line tools to analyze disk images and recover files.
• Example: fls [Link] to list files and directories within an image.
2. Autopsy
• Description: Graphical interface to The Sleuth Kit and other digital forensics tools.
• Example: GUI-based; create a new case and add data sources to begin analysis.
3. Volatility
• Description: Advanced memory forensics framework.
• Example: volatility -f [Link] pslist
4. Guymager
• Description: Free forensic imager for media acquisition.
• Example: GUI-based; select a device and start acquisition to an image file.
5. Foremost
• Description: Program to recover lost files based on their headers, footers, and internal data structures.
• Example: foremost -i [Link]
6. Binwalk
• Description: Tool for searching a given binary image for embedded files and executable code.
• Example: binwalk [Link]
7. Wireshark
• Description: Network protocol analyzer used for network analysis, troubleshooting, and software and protocol development.
• Example: GUI-based; capture or open a packet capture file to analyze.
Wireless Hacking:
1. Aircrack-NG
• Description: Suite of tools for auditing 802.11 wireless networks.
• Example: aircrack-ng [Link]
2. Wifite
• Description: Automated wireless attack tool.
• Example: wifite --kill
3. Kismet
• Description: Wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework.
• Example: kismet -c wlan0
4. TCPDump
• Description: Command-line packet analyzer.
• Example: tcpdump -i eth0
5. Airsnort
• Description: Wireless LAN (WLAN) tool which cracks encryption keys on 802.11b WEP networks.
• Example: GUI-based; capture packets and analyze.
6. NetStumbler
• Description: Tool for Windows that facilitates detection of Wireless LANs using the 802.11b, 802.11a, and 802.11g WLAN standards.
• Example: GUI-based; scan for networks.
7. Reaver
• Description: WPA/WPA2 security hole exploitation tool (attacks against WPS).
• Example: reaver -i wlan0mon -b [Link] -vv
Web Application Assessment:
1. OWASP ZAP (Zed Attack Proxy)
• Description: Open-source web application security scanner.
• Example: GUI-based; automated and manual testing tools.
2. Burp Suite
• Description: Integrated platform for performing security testing of web applications.
• Example: GUI-based; intercepting proxy, scanner, and intruder tools.
3. Nikto
• Description: Web server scanner which performs comprehensive tests against web servers for multiple items.
• Example: Command-line; nikto -h [Link]
4. ZAP
• Already described under OWASP ZAP.
5. WPScan
• Description: Black box WordPress vulnerability scanner.
• Example: wpscan --url [Link]
6. Gobuster
• Description: Tool used to brute-force URIs (directories and files) in web sites and DNS subdomains.
• Example: gobuster dir -u [Link] -w [Link]
7. AppSpider
• Description: Automatically crawls and scans all types of legacy and modern web applications.
• Example: Proprietary; GUI-based, with scans configured through its interface.