There are a lot of excellent offensive security tools available online for free, thanks to open-source licenses and the security professionals who've created tools in an effort to give back to the community. But because they are created by individuals or open-source efforts without the marketing and promotion resources of a vendor, these tools may not be well known in the enterprise.
Two years ago I wrote a Tech Insight on offensive security tools that defenders can leverage to help find vulnerabilities and secure their environments. Today, I want to update that list with some currently available tools that should be included in every offensive and defensive security professional's toolbox.
I truly believe that a security professional focused on defense or offense must understand the tools and techniques used by the other side. Those who defend a network should be aware of the attacks they will face and the ways that attackers avoid detection. To become familiar with these approaches, they should try out some of these same attack methods.
Similarly, those focusing on offense must understand defensive strategies, the different types of security controls, and the ways that defenders detect attacks. It's easier to detect an attack, or to evade detection, when you know firsthand how the defenses work. Defenders who understand offensive tools can proactively identify potential threats before they become a more serious problem.
A study of offensive methods also helps security teams find the easily exploitable vulnerabilities and fix them, so that future penetration tests can focus on scenario-based assessments tailored around the organization's specific threat profile.
Before we get into the latest tools specific to the four primary stages of penetration testing -- reconnaissance, mapping, vulnerability detection, and exploitation -- there are a couple of books and websites worth mentioning. The first is the Red Team Field Manual, or RTFM, which is essentially a "cheat sheet" of commands in printed form that can be a handy reference to keep in your backpack. If you like the cheat sheet format, then you'll probably like the RTFM book.
If you prefer a more detailed digital resource, I highly recommend PwnWiki.io as an alternative. It can be accessed online or downloaded to your laptop. It has a wider breadth and depth of information compared to RTFM, is well organized, and is more likely to stay current. The PwnWiki is one of those GitHub repositories that I always update prior to going to a pen testing client site -- it ensures that I will have the most up-to-date content in case I need to reference it.
One book that definitely deserves mention is The Hacker Playbook: Practical Guide to Penetration Testing. It's the first book I've come across that has been written from the perspective of an actual penetration tester, and not someone who is simply repeating theory and listing tools with their man pages. While not an extensive guide on all the tools for every situation, it does a good job of taking the reader through the initial prep and on to the final goal.
Now let's look at some of the tools themselves. For the reconnaissance phase, the only tool I'll mention today is recon-ng. There are other tools and websites available, but recon-ng has matured quite a bit in the last year with updates and new modules (e.g., Facebook), making it one of the must-haves in an attacker's (and defender's) toolkit. When used head-to-head with similar tools, I've found that recon-ng discovers more valuable information. There is documentation available on the tool's site, and Tim Tomes gave a great presentation with live demonstrations at the 2013 DerbyCon conference.
During the mapping and vulnerability discovery phase, it's common to encounter a large number of web interfaces that need to be manually inspected. This can be time-consuming in a large environment, where you're likely to see 50 to 300+ HTTP servers. To expedite the process, PeepingTom and Eyewitness are two tools that can parse the XML output from Nmap and Nessus, connect to each identified HTTP(S) service, and take a screenshot.
Both tools will generate an HTML report that includes a screenshot, server headers, and a link to the website. It's a quick and easy way to see what each interface looks like, and it provides more detail than simply searching Nmap output for http-title.
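The first step both of those tools perform is pulling the HTTP(S) services out of the scanner's XML, which is worth seeing on its own because Nmap reports HTTPS two different ways (a service named "https"/"https-alt", or "http" with tunnel="ssl"), and filtered ports must be skipped. The following is an added example, not code from PeepingTom or EyeWitness, that does that extraction with only the standard library; the Nmap XML report embedded in it is constructed for the example and is not real scan output.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML (not a real scan): a web server on 80/443, an appliance
# on 8443, an SSH port that must be ignored, and a filtered proxy port.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/24">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="Apache httpd"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/><service name="http" tunnel="ssl"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="8443">
        <state state="open"/><service name="https-alt"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/><service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Nmap service names that indicate a web interface worth screenshotting.
HTTP_SERVICE_NAMES = {"http", "http-alt", "http-proxy", "https", "https-alt", "ssl/http"}


def http_targets(xml_text):
    """Return (url, label) tuples for every *open* HTTP(S) port in an Nmap XML report."""
    root = ET.fromstring(xml_text)
    targets = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        # IPv6 literals must be bracketed inside a URL.
        url_host = "[%s]" % addr if ":" in addr else addr
        hn = host.find("hostnames/hostname")
        label = hn.get("name") if hn is not None else addr
        for port in host.iterfind("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports never get a screenshot
            svc = port.find("service")
            if svc is None:
                continue
            name = svc.get("name", "")
            if name not in HTTP_SERVICE_NAMES:
                continue
            # Nmap reports HTTPS either as name="https*" or name="http" with tunnel="ssl".
            tls = svc.get("tunnel") == "ssl" or name.startswith("https") or name == "ssl/http"
            scheme = "https" if tls else "http"
            targets.append(("%s://%s:%s" % (scheme, url_host, port.get("portid")), label))
    return targets


if __name__ == "__main__":
    for url, label in http_targets(SAMPLE_NMAP_XML):
        print(url, label)
```

Feed the resulting URL list to whatever takes the screenshots; the label (reverse DNS name when Nmap found one) is what you want in the report heading, since an IP alone tells you little about which appliance you are looking at.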
A common issue found in nearly every pen test is a lack of controls around WPAD. WPAD is short for Web Proxy Auto-Discovery Protocol and is how computers automatically locate a web proxy and its proxy configuration file (wpad.dat) on a local network. By default, Windows systems look for a host named WPAD, first via DNS and then via LLMNR and NetBIOS name broadcasts on the local segment, which makes them easily susceptible to name-spoofing and man-in-the-middle attacks. Unless a company has disabled automatic proxy discovery on its clients, or already runs a proxy and has a legitimate DNS entry for wpad so the broadcast fallback never fires, WPAD is almost always exploitable and has frustrated many a sysadmin.
Previously, I used Metasploit to spoof a WPAD host, serve up a wpad.dat file that pointed to my Burp proxy, and inject malicious code into HTTP traffic going to local machines. But that's all changed with the release of Trustwave SpiderLabs' Responder tool. In addition to collecting password hashes that can be cracked or used as part of an SMB relay attack, Responder has full WPAD spoofing capabilities, the ability to steal cookies, can insert malicious HTML, and can replace EXE files being downloaded with a malicious executable file.
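To make the WPAD weakness above concrete, here is an added example (my own code, not Responder's) of the name-resolution exchange that a poisoner wins and of the check a defender can run over captured LLMNR traffic. The packet layout follows RFC 4795 (LLMNR is DNS-format over UDP 5355 to 224.0.0.252); the transaction ID, the attacker address 10.0.0.66 and the PAC contents are assumptions constructed for the example. The detection rests on the fact that a correctly configured network resolves wpad through DNS, so an LLMNR answer for that name on the local segment is a host volunteering to be everyone's proxy.

```python
import struct

# Real protocol constants from RFC 4795.
LLMNR_MCAST_ADDR = "224.0.0.252"
LLMNR_PORT = 5355
QTYPE_A, QCLASS_IN = 1, 1

# Constructed example of the wpad.dat a poisoner serves once it owns the WPAD name;
# the proxy address is an assumption, not any tool's default.
MALICIOUS_PAC = 'function FindProxyForURL(url, host) { return "PROXY 10.0.0.66:8080; DIRECT"; }'


def encode_name(name):
    """DNS-style label encoding used by LLMNR: "wpad" -> b"\\x04wpad\\x00"."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".") if l)
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a label sequence at offset; handles RFC 1035 compression pointers."""
    labels, end_after_jump = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            if end_after_jump is None:
                end_after_jump = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end_after_jump if end_after_jump is not None else offset)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def build_query(txid, name):
    """What a Windows client multicasts when DNS returns nothing for wpad."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_poisoned_answer(query, attacker_ip, ttl=30):
    """The unicast reply a poisoner sends back: same ID, QR bit set, one A record to itself."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = decode_name(query, 12)
    question = query[12:off + 4]
    header = struct.pack("!HHHHHH", txid, 0x8000, 1, 1, 0, 0)  # QR=1, ANCOUNT=1
    rdata = bytes(int(o) for o in attacker_ip.split("."))
    rr = encode_name(name) + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_llmnr(packet):
    """Parse header, questions and A-record answers out of an LLMNR packet."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", packet[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(packet, off)
        off += 4  # QTYPE + QCLASS
        questions.append(name)
    for _ in range(an):
        name, off = decode_name(packet, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"txid": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def find_wpad_poisoners(packets):
    """Defender's check: any LLMNR *answer* for wpad is a host claiming the proxy role.
    Returns {claimed_ip: answered_name}."""
    hits = {}
    for pkt in packets:
        info = parse_llmnr(pkt)
        if not info["response"]:
            continue
        for name, ip in info["answers"]:
            if name.lower().split(".")[0] == "wpad":
                hits[ip] = name
    return hits


if __name__ == "__main__":
    q = build_query(0x1234, "wpad")
    a = build_poisoned_answer(q, "10.0.0.66")
    print(parse_llmnr(q))
    print(parse_llmnr(a))
    print(find_wpad_poisoners([q, a]))
```

The same idea works as an active check: periodically multicast a query for a name that should never exist on the segment (wpad in a network that resolves it via DNS, or a made-up name) and alert on any host that answers. That is exactly the fingerprint a poisoner cannot avoid leaving.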
Another strong tool in the exploitation category is actually a suite of scripts for Windows PowerShell. PowerSploit's scripts are designed to assist penetration testers with privilege escalation, bypassing antivirus, exfiltration, and code execution. Even in highly sensitive environments locked down with multiple layers of protection -- including antivirus and application whitelisting -- PowerSploit can be used because PowerShell is a legitimate systems administration tool and is rarely restricted or logged, which is precisely why defenders should enable PowerShell logging and limit who can run it.
With these tools -- as well as those I covered in the previous article -- enterprise defenders have a powerful arsenal to identify weak areas in their networks and demonstrate how these vulnerabilities can be exploited. Every tool listed is freely available and open-source. Security teams can easily take advantage of these tools to proactively find and fix potential vulnerabilities before a malicious attacker has a chance to exploit them.