Penetration testing is a fascinating subject. Learning how to ethically hack a system in order to find vulnerabilities and prevent malicious hackers from taking advantage of an exploit is a dream for those who love to make money hacking but prefer not to wear orange jumpsuits in an 8’x10’ cell. Let’s take a look at some of the tools of the trade for the penetration tester, most of which are freely available for you to tinker with.
PLEASE NOTE: There are laws restricting port scanning in many areas, even if it’s not malicious. Know that if you use these tools on a system that you do not have permission to be on, you will be subject to penalties.
Metasploit is a free open-source security vulnerability scanner. In the Metasploit framework you can actually develop and execute exploit code against a machine or network.
The basic steps for exploiting a system using Metasploit (from Source):
1. Choosing and configuring an exploit (code that enters a target system by taking advantage of one of its bugs; about 300 different exploits for Windows, Unix/Linux and Mac OS X systems are included).
2. Checking whether the intended target system is susceptible to the chosen exploit (optional).
3. Choosing and configuring a payload (code that will be executed on the target system upon successful entry, for instance a remote shell or a VNC server).
4. Choosing the encoding technique to encode the payload so that the intrusion-prevention system (IPS) will not catch the encoded payload.
5. Executing the exploit.
The two most common payloads generated from Metasploit are:
1. Command shell that enables users to run scripts and commands against the host.
2. Meterpreter enables users to control the screen of a host machine using VNC.
Metasploit can also import vulnerability scan data and compare the identified vulnerabilities to existing exploit modules for accurate exploitation.
Armitage is a graphical interface front-end to the Metasploit framework that makes it easier to carry out security attacks.
2. NMap (Network Mapper)
NMap is another great penetration testing tool. It is an open-source network scanner (port scanner) that finds hosts, services, and port information. You can use NMap to scan a network for open and insecure ports, host systems, and servers. It can also be used for simple network inventory and maintenance by detecting operating systems, versions, and even hardware information. It’s fairly simple to use, yet very powerful in the hands of an experienced technician/hacker.
Nessus is a proprietary vulnerability scanner. They offer a free version for personal and non-commercial use. Commercial and enterprise usage requires a license fee. Nessus can be used for auditing a network, vulnerability discovery, compliance verification, misconfiguration detection, and more. The software can also launch third-party tools to hack passwords (Hydra) and scan ports (NMap).
Wireshark is a free and open-source packet analyser (commonly known as a packet sniffer). It captures and reports any traffic it can see within a network. Data can be captured and read later, or you can watch packets in real time. Wireshark is a great tool to assess network bog-downs, malicious/suspicious traffic, protocol analysis, and even capturing raw USB traffic (currently available only in Linux).
Cain and Abel is a password recovery tool (password cracker) for Windows. It uses dictionary attacks, brute force, and cryptanalysis, as well as methods to decode encrypted passwords.
John the Ripper is a password cracker that will run on Linux/UNIX, Mac OSX, and Windows. It is free and open source software.
Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS). Snort uses signature, protocol, and anomaly-based inspection methods to detect malicious traffic trying to enter or probe a network. It can also be used as a packet sniffer and a packet logger. Snort will run in a Linux/UNIX and Windows environment.
Kismet is a powerful packet sniffer and intrusion detection system for 802.11 wireless LANs.
“Kismet identifies networks by passively collecting packets and detecting standard named networks, detecting (and given time, decloaking) hidden networks, and inferring the presence of nonbeaconing networks via data traffic.” – http://www.kismetwireless.net/
HPing3 is a supercharged version of the Ping command utility. HPing3 can use the TCP, UDP, ICMP and RAW-IP protocols rather than just ICMP (as ping does). It also has a built-in traceroute mode.
“This tool is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities.” – http://sectools.org/