Ethical Hacking Tools | Hacking Tools and their uses | Hacktech beast

In this article we will tell you about various ethical hacking or hacking tools which are commonly used by hackers to hack a system or a network.

So, Let's start ...

1). Nmap

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. While Nmap is commonly used for security audits, many systems and network administrators find it useful for routine tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

The output from Nmap is a list of scanned targets, with supplemental information on each depending on the options used. Key among that information is the “interesting ports table”. That table lists the port number and protocol, service name, and state. The state is either open, filtered, closed, or unfiltered. Open means that an application on the target machine is listening for connections/packets on that port. Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed. Closed ports have no application listening on them, though they could open up at any time. Ports are classified as unfiltered when they are responsive to Nmap's probes, but Nmap cannot determine whether they are open or closed. Nmap reports the state combinations open|filtered and closed|filtered when it cannot determine which of the two states describes a port. The port table may also include software version details when version detection has been requested. When an IP protocol scan is requested (-sO), Nmap provides information on supported IP protocols rather than listening ports.

In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses.

A typical Nmap scan is shown in the picture below. The only Nmap arguments used in that example are -A, to enable OS and version detection, script scanning and traceroute; -T4 for faster execution; and then the hostname.
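The port states described above are what a defender actually has to act on when reading a scan, so here is a small parser for the interesting ports table in Nmap's normal output. It is an added example, not code from the original article or from the Nmap project; the sample output is constructed (host and ports are invented) and follows the column layout Nmap prints with version detection enabled. It separates ports that are definitely listening from the "undetermined" states (unfiltered, open|filtered, closed|filtered) that need a follow-up probe rather than being dismissed or reported as open.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the shape of Nmap's normal output for one host; it is not
# a real scan result and the host/ports are invented for illustration.
SAMPLE_OUTPUT = """\
Nmap scan report for host.example.test (192.0.2.10)
Host is up (0.0021s latency).
Not shown: 994 closed ports
PORT      STATE           SERVICE VERSION
22/tcp    open            ssh     OpenSSH 8.2p1
25/tcp    filtered        smtp
80/tcp    open            http    nginx 1.18.0
123/udp   open|filtered   ntp
161/udp   closed|filtered snmp
443/tcp   unfiltered      https
"""

# The six states Nmap reports, including the two "undetermined" combinations.
PORT_STATES = ("open", "closed", "filtered", "unfiltered", "open|filtered", "closed|filtered")

# One row of the interesting ports table: "<port>/<proto> <state> <service> [version]".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|unfiltered|open|closed|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*\S))?\s*$"
)


@dataclass(frozen=True)
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: Optional[str]  # only present when version detection (-sV or -A) ran


def parse_port_table(text: str) -> List[PortRecord]:
    """Extract port rows from Nmap normal output; lines that are not rows are skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            records.append(PortRecord(int(m["port"]), m["proto"], m["state"],
                                      m["service"], m["version"]))
    return records


def listening(records: List[PortRecord]) -> List[PortRecord]:
    """Ports where an application is definitely accepting connections."""
    return [r for r in records if r.state == "open"]


def undetermined(records: List[PortRecord]) -> List[PortRecord]:
    """Ports Nmap could not resolve to a single open/closed answer; these need a
    follow-up probe rather than being reported as open or dismissed."""
    return [r for r in records if r.state in ("unfiltered", "open|filtered", "closed|filtered")]


def state_summary(records: List[PortRecord]) -> Dict[str, int]:
    """Count of ports per state, with every known state present (zero if unseen)."""
    counts = Counter(r.state for r in records)
    return {s: counts.get(s, 0) for s in PORT_STATES}


if __name__ == "__main__":
    recs = parse_port_table(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r.port}/{r.proto:<4} {r.state:<15} {r.service:<7} {r.version or ''}")
    print("listening:", [r.port for r in listening(recs)])
    print("need follow-up:", [r.port for r in undetermined(recs)])
    print(state_summary(recs))
```

The regex lists the combined states before the plain ones so that `open|filtered` is not cut short at `open`; for scripted use, `nmap -oX` (XML output) is the stable format to parse, but the normal output is what ends up pasted into tickets.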


2). Metasploit



Metasploit is a penetration testing framework that makes hacking easy. It's an essential tool for many attackers and defenders. Point Metasploit at your target, pick an exploit, choose a payload to drop, and hit Enter.

It's not quite as simple as that, of course, so let's begin at the beginning. Back in ye olden days of yore, pentesting involved a lot of repetitive labor that Metasploit now automates. Information gathering? Gaining access? Maintaining persistence? Evading detection? Metasploit is a hacker's Swiss army chainsaw (sorry, Perl!), and if you work in information security, you're probably already using it.

Better still, the core Metasploit Framework is both free and libre software and comes pre-installed in Kali Linux. (It's BSD-licensed, in case you're curious). The framework offers only a command-line interface, but those wanting GUI-based click-and-drag hacking — plus some other cool features — can drop a bundle for per-seat licenses to Metasploit Pro.


How to use Metasploit


During the information gathering phase of a pentest, Metasploit integrates seamlessly with Nmap, SNMP scanning and Windows patch enumeration, among others. There's even a bridge to Nessus, Tenable's vulnerability scanner. Pretty much every reconnaissance tool you can think of integrates with Metasploit, making it possible to find the chink in the armor you're looking for.

Once you've identified a weakness, hunt through Metasploit's large and extensible database for the exploit that will crack open that chink and get you in. For instance, NSA's EternalBlue exploit, released by the Shadow Brokers in 2017, has been packaged for Metasploit and is a reliable go-to when dealing with unpatched legacy Windows systems.

Like fine wine and cheese, pair the exploit with a payload to suit the task at hand. Since what most folks are wanting is a shell, a suitable payload when attacking Windows systems is the ever-popular Meterpreter, an in-memory-only interactive shell. Linux boxes get their own shellcode, depending on the exploit used.

Once on a target machine, Metasploit's quiver contains a full suite of post-exploitation tools, including privilege escalation, pass the hash, packet sniffing, screen capture, keyloggers, and pivoting tools. You can also set up a persistent backdoor in case the machine in question gets rebooted.

More and more features are being added to Metasploit every year, including a fuzzer to identify potential security flaws in binaries, as well as a list of auxiliary modules too long to cover here.

This is only a high-level view of what Metasploit can do. The framework is modular and easily extensible and enjoys an active community. If it doesn't do exactly what you want it to do, you can almost certainly tweak it to suit.


3). Burp Suite



Burp Suite is a Java-based web penetration testing framework. It has become an industry-standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors affecting web applications. Because of its popularity and the breadth and depth of its features, it deserves a closer look.

In its simplest form, Burp Suite can be classified as an interception proxy. While browsing the target application, a penetration tester configures their browser to route traffic through the Burp Suite proxy server. Burp Suite then acts as a (sort of) man in the middle, capturing each request to and from the target web application so that it can be analyzed. Penetration testers can pause, manipulate and replay individual HTTP requests in order to analyze potential parameters or injection points. Injection points can be specified for manual as well as automated fuzzing to discover potentially unintended application behaviors, crashes and error messages.
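To make the "pause, manipulate and replay" step concrete, here is the core of what an interception proxy does with one captured request: split it into its parts, enumerate the places where user-controlled parameters live (query string, cookies, form body), and re-serialize it with one value changed so it can be replayed. This is an added example written for this article, not Burp Suite's code; the request is constructed, and the body rewrite also recomputes Content-Length, the field a hand edit most often gets wrong.

```python
from http.cookies import SimpleCookie
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit

# Constructed request (not a real capture): a form submission with query-string,
# cookie and body parameters, the three places a tester usually looks first.
RAW_REQUEST = (
    "POST /account/update?id=42&lang=en HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 27\r\n"
    "\r\n"
    "name=Alice&email=a%40x.test"
)

Point = Tuple[str, str, str]  # (location, parameter name, current value)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into request line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def injection_points(raw: str) -> List[Point]:
    """Enumerate every user-controlled parameter: query string, cookies, form body."""
    _, target, _, headers, body = parse_request(raw)
    points: List[Point] = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        points.append(("query", name, value))
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    for name, morsel in jar.items():
        points.append(("cookie", name, morsel.value))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, value in parse_qsl(body, keep_blank_values=True):
            points.append(("body", name, value))
    return points


def rewrite_parameter(raw: str, location: str, name: str, new_value: str) -> str:
    """Return a copy of the request with one parameter replaced, ready to replay."""
    method, target, version, _, body = parse_request(raw)
    head_lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    if location == "query":
        url = urlsplit(target)
        pairs = [(k, new_value if k == name else v)
                 for k, v in parse_qsl(url.query, keep_blank_values=True)]
        head_lines[0] = f"{method} {url.path}?{urlencode(pairs)} {version}"
    elif location == "cookie":
        for i, line in enumerate(head_lines):
            if line.lower().startswith("cookie:"):
                pairs = [c.strip().split("=", 1) for c in line[7:].split(";") if c.strip()]
                head_lines[i] = "Cookie: " + "; ".join(
                    f"{k}={new_value if k == name else v}" for k, v in pairs)
    elif location == "body":
        pairs = [(k, new_value if k == name else v)
                 for k, v in parse_qsl(body, keep_blank_values=True)]
        body = urlencode(pairs)
        # A replayed body with a stale Content-Length is silently truncated or
        # rejected by the server, so the header is recomputed from the new bytes.
        head_lines = [f"Content-Length: {len(body.encode())}"
                      if line.lower().startswith("content-length:") else line
                      for line in head_lines]
    else:
        raise ValueError(f"unknown location {location!r}")
    return "\r\n".join(head_lines) + "\r\n\r\n" + body


if __name__ == "__main__":
    for loc, name, value in injection_points(RAW_REQUEST):
        print(f"{loc:<6} {name} = {value!r}")
    print(rewrite_parameter(RAW_REQUEST, "body", "email", "bob@x.test"))
```

Headers such as User-Agent or Referer are also attacker-controlled input and a full tool would list them as points too; they are left out here to keep the three common locations readable.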


4). Angry IP Scanner


Angry IP scanner is a very fast IP address and port scanner.

It can scan IP addresses in any range as well as any of their ports. It is cross-platform and lightweight. Not requiring any installation, it can be freely copied and used anywhere.

Angry IP Scanner simply pings each IP address to check if it's alive, then optionally resolves its hostname, determines the MAC address, scans ports, etc. The amount of data gathered about each host can be extended with plugins.

It also has additional features, like NetBIOS information (computer name, workgroup name, and currently logged-in Windows user), favorite IP address ranges, web server detection, customizable openers, etc.

Scanning results can be saved to CSV, TXT, XML or IP-Port list files. With the help of plugins, Angry IP Scanner can gather any information about scanned IPs. Anybody who can write Java code is able to write plugins and extend the functionality of Angry IP Scanner.

In order to increase scanning speed, it uses a multithreaded approach: a separate scanning thread is created for each scanned IP address.


5). Cain and Abel

Cain and Abel was a password recovery tool for Microsoft Windows. It could recover many kinds of passwords using network packet sniffing and by cracking various password hashes with dictionary, brute-force and cryptanalysis attacks. Cryptanalysis attacks were done via rainbow tables, which could be generated with the winrtgen.exe program provided with Cain and Abel.
Features :-

a)  WEP cracking
b)  Speeding up packet capture speed by wireless packet injection
c)  Ability to record VoIP conversations
d)  Decoding scrambled passwords
e)  Calculating hashes
f)  Traceroute
g)  Revealing password boxes
h)  Uncovering cached passwords
i)  Dumping protected storage passwords



6). Ettercap

Ettercap stands for Ethernet Capture.

Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

Features :-

Ettercap's protocol dissection covers ciphered protocols as well as plaintext ones. It offers four modes of operation:

IP-based: packets are filtered based on IP source and destination.

MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.

ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).

PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).
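From the defender's side, the ARP-based modes above leave a characteristic trace on the wire: an IP address that was answering from one MAC suddenly answers from another, and a single MAC ends up claiming both ends of a conversation. The monitor below, an added example and not part of the article or of Ettercap, flags exactly those two signals on a constructed sequence of ARP replies (gateway 192.0.2.1, workstation 192.0.2.20 and a third station are invented; a real monitor would feed it replies parsed from a capture or from a switch's ARP inspection logs).

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that a monitor cares about."""
    ts: int
    sender_ip: str
    sender_mac: str
    target_ip: str


GATEWAY_MAC = "00:11:22:33:44:01"
WORKSTATION_MAC = "00:11:22:33:44:20"
THIRD_MAC = "00:11:22:33:44:99"

# Constructed trace (not a capture): gateway and workstation answer normally,
# then a third station starts answering for both of them, which is what the
# ARP-based (full-duplex) mode looks like from a monitoring port.
TRACE = [
    ArpReply(1, "192.0.2.1", GATEWAY_MAC, "192.0.2.20"),
    ArpReply(2, "192.0.2.20", WORKSTATION_MAC, "192.0.2.1"),
    ArpReply(3, "192.0.2.30", "00:11:22:33:44:30", "192.0.2.1"),  # unrelated host, benign
    ArpReply(4, "192.0.2.1", THIRD_MAC, "192.0.2.20"),   # gateway "moves" to the third MAC
    ArpReply(5, "192.0.2.20", THIRD_MAC, "192.0.2.1"),   # workstation "moves" too
]


def mac_changes(trace: List[ArpReply]) -> List[Tuple[int, str, str, str]]:
    """(ts, ip, old_mac, new_mac) each time an IP is announced with a new MAC."""
    table: Dict[str, str] = {}
    changes = []
    for r in trace:
        prev = table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            changes.append((r.ts, r.sender_ip, prev, r.sender_mac))
        table[r.sender_ip] = r.sender_mac
    return changes


def macs_claiming_multiple_ips(trace: List[ArpReply]) -> Dict[str, Set[str]]:
    """MACs that have announced more than one IP (legitimate for routers, rare otherwise)."""
    claims: Dict[str, Set[str]] = defaultdict(set)
    for r in trace:
        claims[r.sender_mac].add(r.sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


def full_duplex_takeovers(trace: List[ArpReply]) -> List[Tuple[str, str, str]]:
    """(mac, ip_a, ip_b) where one MAC took over two IPs that previously answered
    from other MACs and that address each other: both directions of that
    conversation now pass through the same station."""
    taken: Dict[str, Set[str]] = defaultdict(set)
    for _, ip, _, new_mac in mac_changes(trace):
        taken[new_mac].add(ip)
    peers = {(r.sender_ip, r.target_ip) for r in trace}
    found = []
    for mac, ips in taken.items():
        ordered = sorted(ips)
        for i, a in enumerate(ordered):
            for b in ordered[i + 1:]:
                if (a, b) in peers or (b, a) in peers:
                    found.append((mac, a, b))
    return found


def alerts(trace: List[ArpReply]) -> List[str]:
    """Human-readable alert lines for the two signals above."""
    lines = [f"t={ts}: {ip} moved from {old} to {new}"
             for ts, ip, old, new in mac_changes(trace)]
    for mac, a, b in full_duplex_takeovers(trace):
        lines.append(f"{mac} now answers for both {a} and {b}: full-duplex interception likely")
    return lines


if __name__ == "__main__":
    for line in alerts(TRACE):
        print(line)
```

A MAC change on its own also happens when a NIC is replaced or a DHCP lease moves, so in practice the first signal is tuned with an allow-list of known router MACs; the second signal (one MAC claiming both peers of a conversation) is the one that rarely has a benign explanation.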


7). EtherPeek

EtherPeek is a wonderful tool that simplifies network analysis in a multiprotocol heterogeneous network environment. EtherPeek is a small tool (less than 2 MB) that can be installed in a matter of a few minutes.

EtherPeek proactively sniffs traffic packets on a network. By default, EtherPeek supports protocols such as AppleTalk, IP, Address Resolution Protocol (ARP), NetWare, TCP, UDP, NetBEUI, and NBT packets.


8). SuperScan

SuperScan is a free connect-based port scanning tool designed to detect open TCP and UDP ports on a target computer, determine which services are running on those ports, and run queries such as whois, ping, ICMP traceroute, and hostname lookups.

SuperScan 4, a completely rewritten update of SuperScan 3 (released in 2000), features Windows enumeration, which can list a variety of important information about Microsoft Windows hosts such as:
• NetBIOS information
• User and group accounts
• Network shares
• Trusted domains
• Services, whether running or stopped

SuperScan is used by system administrators, crackers and script kiddies alike to evaluate a computer's security. System administrators can use it to test for possible unauthorized open ports on their networks, whereas crackers use it to scan for a potentially insecure port in order to gain illegal access to a system.

It is a powerful TCP port scanner, pinger and resolver, and an update of the highly popular Windows port scanning tool of the same name.



Key features:

• Superior scanning speed
• Support for unlimited IP ranges
• Improved host detection using multiple ICMP methods
• TCP SYN scanning
• UDP scanning (two methods)
• IP address import supporting ranges and CIDR formats
• Simple HTML report generation
• Source port scanning
• Fast hostname resolving
• Extensive banner grabbing
• Massive built-in port list description database
• IP and port scan order randomization
• A selection of useful tools (ping, traceroute, whois, etc.)
• Extensive Windows host enumeration capability


9). QualysGuard

QualysGuard is a web-based vulnerability management tool provided by Qualys, Inc., which was the first company to deliver vulnerability management as a SaaS web service.

From reviews, it seems to be a competent tool with a low rate of false positives that is fairly easy to work with; it keeps the more ‘dangerous’ parts of vulnerability scanning out of the hands of ordinary users, while giving expert users the flexibility to do what they need.

It would be up against other tools like Nessus, Retina, nCircle, NeXpose and Tenable.

Features of QualysGuard Scanner: the app's capabilities include:

• Asset discovery and inventory
• Vulnerability management
• Remediation prioritization
• Compliance monitoring
• Container security
• Web application scanning and firewall
• File integrity monitoring
• Indication of compromise, and more

It can also handle internal scans using Qualys appliances, which communicate back to the cloud-based system; this makes it very scalable.


10). WebInspect

WebInspect is a web application security scanning tool offered by HP. It helps security professionals assess potential security flaws in a web application. WebInspect is basically a dynamic black-box testing tool which detects vulnerabilities by actually performing the attack. After a scan is initiated on a web application, assessment agents work on different areas of the application and report their results to a security engine, which evaluates them. Audit engines attack the application and determine the vulnerabilities. At the end of the scan you can generate a report called the ‘Vulnerability Assessment Report’, which lists the security issues in the desired format. Using this report, the client can fix the issues and then run a validation scan to confirm the fixes. HP WebInspect is a commercial tool and you need a license to scan a website. With the trial version you are permitted to scan only zero.webappsecurity.com (HP's demo site). So WebInspect comes into the picture once the application is hosted in some environment (test/QA/production). As with every other tool, there are both advantages and disadvantages to using WebInspect.

Advantages:

• Saves time when dealing with large enterprise applications.
• Simulates the attack, shows the results and presents you with a comprehensive view.
• It is not dependent on the underlying language.

Disadvantages:

• It's hard for any tool to find logical flaws, weak cryptographic storage, the severity of disclosed information, etc.
• It has a list of payloads that it uses on every web application. It does not use any wisdom in generating payloads depending on the type of application.
• There could be false positives among the listed vulnerabilities.

Main Features in WebInspect :-

The main features of WebInspect are:

Presents you with a tree structure: By crawling the entire application, WebInspect presents you with the hierarchical tree structure of the web application and lists all the available URLs.

Customizable Views: While viewing the results of a scan, WebInspect offers different views as per your requirement.

Scanning Policies: WebInspect gives you the freedom to edit and customize the scanning policies to suit your requirements and thus offers great flexibility.

Manual Hacking Control: With this option you can actually simulate an attack environment and see what's really going on during a particular attack.

Report Generation: You can generate customizable reports by including desired sections and in the desired format.

Remediation: WebInspect provides a summary and the fixes required for the vulnerabilities detected during a particular scan.

Web Services Scan: Web services usage is growing at a rapid pace. You can assess web service vulnerabilities by using WebInspect.

Tools: There are many tools that come with WebInspect, like the web proxy, SQL Injector, web fuzzer, web macro recorder, etc.

We will now move into the actual scanning part and will explore the tool and its features.


11). LC4

LC4 is the award-winning password auditing and recovery application, L0phtCrack. It provides two critical capabilities to Windows network administrators.

LC4 helps administrators secure Windows-authenticated networks through comprehensive auditing of Windows NT and Windows 2000 user account passwords.

LC4 recovers Windows user account passwords to streamline migration of users to another authentication system or to access accounts whose passwords are lost.
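Both Cain and Abel (section 5) and LC4 audit Windows accounts by comparing stored hashes against dictionaries and precomputed (rainbow) tables. The example below, added here and not code from either tool or from the article, shows the mechanism those audits rely on and why per-account salting plus a slow KDF defeats it. SHA-256 and PBKDF2 stand in for the Windows hash formats (an assumption; the property that matters, that an unsalted hash of the same password is always identical, is shared), and the wordlist, account names and salts are constructed.

```python
import hashlib
from typing import Dict, Tuple

# Constructed wordlist and accounts; nothing here comes from a real system.
WORDLIST = ["password", "letmein", "Summer2020", "qwerty"]


def unsalted_hash(password: str) -> str:
    """Same password -> same hash, for every account, forever: that is what makes
    a precomputed table worthwhile."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> Dict[str, str]:
    """Precompute hash -> candidate once. A rainbow table trades table size for
    some recomputation, but the audit step is the same lookup shown here."""
    return {unsalted_hash(w): w for w in words}


def audit_unsalted(accounts: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Which accounts' stored hashes appear in the precomputed table: one dict
    lookup per account, regardless of how many accounts there are."""
    return {user: table[h] for user, h in accounts.items() if h in table}


def salted_hash(password: str, salt: bytes, iterations: int = 20_000) -> str:
    """Per-account salt plus a slow KDF (PBKDF2-HMAC-SHA256 here): the same
    password no longer yields the same hash, and every guess costs `iterations`
    rounds instead of one hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def table_hits_on_salted(accounts: Dict[str, Tuple[bytes, str]], table: Dict[str, str]) -> int:
    """How many salted hashes the unsalted table can explain (expected: none)."""
    return sum(1 for _, stored in accounts.values() if stored in table)


def audit_salted(accounts: Dict[str, Tuple[bytes, str]], words) -> Tuple[Dict[str, str], int]:
    """Salted hashes cannot share a table: each account needs its own recomputation
    of every candidate. Returns (recovered, number of KDF computations spent)."""
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, stored) in accounts.items():
        for w in words:
            work += 1
            if salted_hash(w, salt) == stored:
                recovered[user] = w
                break
    return recovered, work


# Constructed accounts. Two use wordlist passwords, one uses a passphrase.
UNSALTED_ACCOUNTS = {
    "alice": unsalted_hash("password"),
    "bob": unsalted_hash("Summer2020"),
    "carol": unsalted_hash("correct horse battery staple"),
}
SALTED_ACCOUNTS = {
    "alice": (b"salt-alice", salted_hash("password", b"salt-alice")),
    "bob": (b"salt-bob", salted_hash("Summer2020", b"salt-bob")),
    "carol": (b"salt-carol", salted_hash("correct horse battery staple", b"salt-carol")),
}

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted, table lookup:", audit_unsalted(UNSALTED_ACCOUNTS, table))
    print("salted, table hits:", table_hits_on_salted(SALTED_ACCOUNTS, table))
    found, work = audit_salted(SALTED_ACCOUNTS, WORDLIST)
    print(f"salted, per-account recomputation: {found} after {work} KDF calls")
```

The weak passwords are still found in the salted case, which is the point of running such an audit at all; what changes is the cost: the work grows with accounts multiplied by candidates multiplied by KDF iterations, instead of one table lookup per account, so password quality and the KDF cost are the levers a defender controls.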

12). LANGuard Network Security Scanner


This is a security scanner that includes patch management. It can be used on its own or with Microsoft's SUS, with SUS doing operating system updates while LANGuard deploys service packs and Microsoft Office patches and handles patch status reporting.

The system is agentless and uses the built-in Server Message Block services to query Windows and Unix systems. This allows access to the inventory for each machine. The user interface is split: scans list the resources found in the discovery pane, while scan progress is followed in the debug pane.

Scanning can be executed for a computer through its IP address or host name, but wider scans can cover IP address ranges, a list of computers, or a selection from specific domains. When a grouping is defined, it can be saved.

An updated list of patches and security bulletins is kept on the server (downloaded from Microsoft's website; GFI keeps a list of BugTraq vulnerabilities for Unix).

Besides patching, the product checks for services running on Windows machines and open ports, and manages a password policy. It provides alerts and suggests actions for security issues relating to email services and registry issues.

Advanced users can use the script engine to write customized security routines and automate scan schedules. The script editor includes a debugger and a syntax checker to help the developer. One feature is the ability to package customized software to issue fixes for in-house software, or to adapt non-Microsoft updates and patches for deployment. Reports are generated in HTML and XML so they can be viewed with a browser, but LANGuard does not provide the necessary website structure.


13). Network Stumbler


Network Stumbler is a WiFi scanner and monitoring tool for Windows. It allows network professionals to detect WLANs. It is widely used by networking enthusiasts and hackers because it helps you find non-broadcasting wireless networks.

Network Stumbler can be used to verify whether a network is well configured, check its signal strength or coverage, and detect interference between one or more wireless networks. It can also be used to detect non-authorized connections.


14). ToneLoc


ToneLoc stands for Tone Locator. It was a popular war dialling program written for MS-DOS in the early 90s. War dialling is a technique of using a modem to automatically scan a list of telephone numbers, usually dialling every number in a local area code.

Malicious hackers use the resulting lists in breaching computer security, for guessing user accounts or locating modems that might provide an entry point into computer or other electronic systems.

It can also be used by security personnel to detect unauthorized devices on a company's telephone network.


Thanks for reading!
