Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

08:10 AM
John H. Sawyer
John H. Sawyer

Tech Insight: Free Tools For Offensive Security

A professional penetration tester offers a look at the latest free and open-source tools available for pen testing and offensive tactics.

There are a lot of excellent offensive security tools available online for free, thanks to open-source licenses and the security professionals who've created tools in an effort to give back to the community. But because they are created by individuals or open-source efforts without the marketing and promotion resources of a vendor, these tools may not be well known in the enterprise.

Two years ago I wrote a Tech Insight on offensive security tools that defenders can leverage to help find vulnerabilities and secure their environments. Today, I want to update that list with some currently available tools that should be included in every offensive and defensive security professional's toolbox.

I truly believe that a security professional focused on defense or offense must understand the tools and techniques used by the other side. Those who defend a network should be aware of the attacks they will face and the ways that attackers avoid detection. To become familiar with these approaches, they should try out some of these same attack methods.

Similarly, those focusing on offense must understand defensive strategies, different types of security controls, and the ways that defenders detect attacks. It's easier to detect an attack or evade detection when you know, firsthand, how the defenses work. If they understand offensive tools, defenders can proactively identify potential threats before they become a more serious problem.

A study of offensive methods also helps security teams find the easily exploitable vulnerabilities and fix them, so that future penetration tests can focus on scenario-based assessments tailored around the organization's specific threat profile.

Before we get into the latest tools specific to the four primary stages of penetration testing -- reconnaissance, mapping, vulnerability detection, and exploitation -- there are a couple of books and websites worth mentioning. The first is the Red Team Field Manual, or RTFM, which is essentially a "cheat sheet" of commands in printed form that can be a handy reference to keep in your backpack. If you like the cheat sheet format, then you'll probably like the RTFM book.

If you prefer a more detailed digital resource, I highly recommend the PwnWiki.io as an alternative. It can be accessed online or downloaded to your laptop. It has a wider breadth and depth of information compared to RTFM, is well organized, and is more likely to stay current. The PwnWiki is one of those GitHub repositories that I always update prior to going to a pen testing client site -- it ensures that I will have the most up-to-date content in case I need to reference it.

One book that definitely deserves mention is The Hacker Playbook: Practical Guide to Penetration Testing. It's the first book I've come across that has been written from the perspective of an actual penetration tester, and not someone who is simply repeating theory and listing tools with their main pages. While not an extensive guide on all the tools for every situation, it does a good job of taking the reader through the initial prep and on to the final goal.

Now let's look at some of the tools themselves. For the reconnaissance phase, the only tool I'll mention today is recon-ng. There are other tools and websites available, but recon–ng has matured quite a bit in the last year with updates and new modules (e.g., Facebook), making it one of the must-haves in an attacker's (and defender's) toolkit. When used head-to-head with similar tools, I've found that recon-ng discovers more valuable information. There is documentation available on the tool's site and a great presentation with live demonstrations from Tim Tomes's presentation at the 2013 DerbyCon conference.

During the mapping and vulnerability discovery phase, it's common to encounter a large number of web interfaces that need to be manually inspected. This can be time-consuming in a large environment, where you're likely to see 50 to 300+ HTTP servers. To expedite the process, PeepingTom and Eyewitness are two tools that can parse the XML output from Nmap and Nessus, connect to each identified HTTP(S) service, and take a screenshot.

Both tools will generate an HTML report that includes a screenshot, server headers, and a link to the website. It's quick and easy way to see what the interface looks like, and it provides more detail than simply searching Nmap output for http-title.

A common issue found in nearly every pen testing is a lack of controls around WPAD. WPAD is short for Web Proxy Autodiscovery Protocol and is how computers can automatically identify a web proxy and proxy configuration file on a local network. By default, Windows systems are configured to search for hosts named WPAD, making them easily susceptible to name-spoofing and man-in-the-middle attacks. Unless a company is using a proxy already and has disabled the automatic discovery, WPAD is almost always exploitable and has frustrated many a sysadmin.

Previously, I used Metasploit to spoof a WPAD host, serve up a wpad.dat file that pointed to my Burp proxy, and inject malicious code into HTTP traffic going to local machines. But that's all changed with the release of Trustwave Spiderlab's Responder tool. In addition to collecting password hashes that can be cracked or used as part of an SMB relay attack, Responder has full WPAD spoofing capabilities, the ability to steal cookies, can insert malicious HTML, and can replace EXE files being downloaded with a malicious executable file.

Another strong tool in the exploitation category is actually a suite of scripts for Windows Powershell. PowerSploit's scripts are designed to assist penetration testers with privilege escalation, bypassing antivirus, exfiltration, and code execution. Even in highly sensitive environments locked down with multiple layers of protection -- including antivirus and application whitelisting -- PowerSploit can be used because Powershell is a legitimate systems administration tool and rarely restricted.

With these tools -- as well as those I covered in the previous article -- enterprise defenders have a powerful arsenal to identify weak areas in their networks and demonstrate how these vulnerabilities can be exploited. Every tool listed is freely available and open-source. Security teams can easily take advantage of these tools to proactively find and fix potential vulnerabilities before a malicious attacker has a chance to exploit them.


Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 3:05:58 PM
Thanks for the great interview and live chat, JohnSawyer
For anyone who wants to get some additional insight about what it takes to be a penetration tester be sure to checkout Tim Wilson's Dark Reading radio interview with John: Day In The Life of a Penetration Tester. Lots of really interesting commentary from DR community members in the live chat that followed the broadcost. Here's the link.
User Rank: Moderator
5/21/2014 | 1:15:10 PM
Re: prevalence?
Hi, Kelly.

Thank you for the question. Which clients use the tools? Well, if they're a client, then they've likely been subjected to all the tools as part of the testing we've performed for them. Whether or not they're actually using them is hard to say. I know of several specific examples where client's security teams perform regular recon looking for compromised credentials, defaced sites, employees posting sensitive information, etc. For that, they use recon-ng.

The rest of the tools I've seen used during specific demonstrations to show other IT groups within the company vulnerabilities and to prompt the other groups to fix those issues. A lot of this depends on the size of the team, how mature the team is (and the company), are they stuck in reactive mode or do they have time for proactive tasks, and other similar team attributes.

I'd like to see more security teams taking advantage of these tools as I think it would open their eyes to issues they're vulnerable to and help them fix issues before having a 3rd party tester coming in so the 3rd party's time can be focused on critical, high risk areas.

User Rank: Moderator
5/21/2014 | 1:00:19 PM
Re: PwnWiki!
Hey, Ed. Thanks for the comment. PwnWiki is a great resource. It's definitely come in handy on a few different pen tests. I need to get my updates sent in sometime soon but just haven't had the time to sort through my notes and get them into a pull request.

Ed Moyle
Ed Moyle,
User Rank: Apprentice
5/20/2014 | 9:49:54 AM
Just wanted to say thanks for getting this started.  Nice to see PwnWiki getting some love.  
Kelly Jackson Higgins
Kelly Jackson Higgins,
User Rank: Strategist
5/19/2014 | 6:46:46 PM
John, do many of your enterprise clients use these tools today? 
User Rank: Apprentice
5/19/2014 | 1:22:16 PM
Very Helpful!
This article is very helpful i must say! Keep up the goof work!
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/10/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-13
Buffer overflow in a subsystem for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow a privileged user to potentially enable denial of service via local access.
PUBLISHED: 2020-08-13
Uninitialized pointer in BIOS firmware for Intel(R) Server Board Families S2600CW, S2600KP, S2600TP, and S2600WT may allow a privileged user to potentially enable escalation of privilege via local access.
PUBLISHED: 2020-08-13
Improper initialization in BIOS firmware for Intel(R) Server Board Families S2600ST, S2600BP and S2600WF may allow a privileged user to potentially enable escalation of privilege via local access.
PUBLISHED: 2020-08-13
Unprotected Storage of Credentials vulnerability in McAfee Data Loss Prevention (DLP) for Mac prior to 11.5.2 allows local users to gain access to the RiskDB username and password via unprotected log files containing plain text credentials.
PUBLISHED: 2020-08-13
Out-of-bounds write in Kernel Mode Driver for some Intel(R) Graphics Drivers before version may allow an authenticated user to potentially enable denial of service via local access.