

08:10 AM
John H. Sawyer

Tech Insight: Free Tools For Offensive Security

A professional penetration tester offers a look at the latest free and open-source tools available for pen testing and offensive tactics.

There are a lot of excellent offensive security tools available online for free, thanks to open-source licenses and the security professionals who've created tools in an effort to give back to the community. But because they are created by individuals or open-source efforts without the marketing and promotion resources of a vendor, these tools may not be well known in the enterprise.

Two years ago I wrote a Tech Insight on offensive security tools that defenders can leverage to help find vulnerabilities and secure their environments. Today, I want to update that list with some currently available tools that should be included in every offensive and defensive security professional's toolbox.

I truly believe that a security professional focused on defense or offense must understand the tools and techniques used by the other side. Those who defend a network should be aware of the attacks they will face and the ways that attackers avoid detection. To become familiar with these approaches, they should try out some of these same attack methods.

Similarly, those focusing on offense must understand defensive strategies, different types of security controls, and the ways that defenders detect attacks. It's easier to detect an attack or evade detection when you know, firsthand, how the defenses work. If they understand offensive tools, defenders can proactively identify potential threats before they become a more serious problem.

A study of offensive methods also helps security teams find the easily exploitable vulnerabilities and fix them, so that future penetration tests can focus on scenario-based assessments tailored around the organization's specific threat profile.

Before we get into the latest tools specific to the four primary stages of penetration testing -- reconnaissance, mapping, vulnerability detection, and exploitation -- there are a couple of books and websites worth mentioning. The first is the Red Team Field Manual, or RTFM, which is essentially a "cheat sheet" of commands in printed form that can be a handy reference to keep in your backpack. If you like the cheat sheet format, then you'll probably like the RTFM book.

If you prefer a more detailed digital resource, I highly recommend the PwnWiki.io as an alternative. It can be accessed online or downloaded to your laptop. It has a wider breadth and depth of information compared to RTFM, is well organized, and is more likely to stay current. The PwnWiki is one of those GitHub repositories that I always update prior to going to a pen testing client site -- it ensures that I will have the most up-to-date content in case I need to reference it.

One book that definitely deserves mention is The Hacker Playbook: Practical Guide to Penetration Testing. It's the first book I've come across that has been written from the perspective of an actual penetration tester, and not someone who is simply repeating theory and listing tools with their man pages. While not an extensive guide on all the tools for every situation, it does a good job of taking the reader through the initial prep and on to the final goal.

Now let's look at some of the tools themselves. For the reconnaissance phase, the only tool I'll mention today is recon-ng. There are other tools and websites available, but recon-ng has matured quite a bit in the last year with updates and new modules (e.g., Facebook), making it one of the must-haves in an attacker's (and defender's) toolkit. When used head-to-head with similar tools, I've found that recon-ng discovers more valuable information. There is documentation available on the tool's site, and Tim Tomes's presentation at the 2013 DerbyCon conference is a great walkthrough with live demonstrations.

During the mapping and vulnerability discovery phase, it's common to encounter a large number of web interfaces that need to be manually inspected. This can be time-consuming in a large environment, where you're likely to see 50 to 300+ HTTP servers. To expedite the process, PeepingTom and EyeWitness are two tools that can parse the XML output from Nmap and Nessus, connect to each identified HTTP(S) service, and take a screenshot.

Both tools will generate an HTML report that includes a screenshot, server headers, and a link to the website. It's a quick and easy way to see what the interface looks like, and it provides more detail than simply searching Nmap output for http-title.
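The first step those screenshot tools perform, turning an Nmap XML scan into the list of HTTP(S) URLs that need review, is the part a defender can reuse for an internal web-interface inventory. The script below is an added example written for this article, not code from PeepingTom or EyeWitness; it parses Nmap's real `-oX` XML schema, but the scan data it embeds is constructed and the addresses and hostnames are placeholders.

```python
"""Enumerate HTTP(S) services from Nmap XML output (added example).

Not PeepingTom's or EyeWitness's own code. The XML below follows the
layout Nmap writes with -oX, but it is a constructed sample: the hosts,
addresses and hostnames are placeholders, not a real scan.
"""
import xml.etree.ElementTree as ET

# Constructed sample scan: one host with HTTP, HTTPS (Nmap marks TLS with
# tunnel="ssl") and SSH, and a second host with an HTTPS service on 8443
# plus a closed proxy port that must be ignored.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="intranet.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="80">
        <state state="open"/><service name="http" product="Apache httpd"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/><service name="http" tunnel="ssl" product="nginx"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open"/><service name="ssh"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="8443">
        <state state="open"/><service name="https-alt"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="closed"/><service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def is_web_service(service):
    """Nmap names web services http, https, http-alt, https-alt, http-proxy..."""
    return service.get("name", "").startswith("http")


def is_tls(service):
    """TLS is signalled either by tunnel="ssl" or by an https* service name."""
    return service.get("tunnel") == "ssl" or service.get("name", "").startswith("https")


def web_services_from_nmap_xml(xml_text):
    """Return a list of dicts (address, port, url, product) for every open
    web service on every host that is up; closed/filtered ports are skipped."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']") or host.find("address")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        hn = host.find("hostnames/hostname")
        hostname = hn.get("name") if hn is not None else addr
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            if service is None or not is_web_service(service):
                continue
            portid = int(port.get("portid"))
            scheme = "https" if is_tls(service) else "http"
            default_port = 443 if scheme == "https" else 80
            suffix = "" if portid == default_port else f":{portid}"
            results.append({
                "address": addr,
                "port": portid,
                "url": f"{scheme}://{hostname}{suffix}/",
                "product": service.get("product", ""),
            })
    return results


def render_report(services):
    """Minimal HTML table, one row per URL, in the spirit of the tools' reports."""
    rows = "".join(
        f"<tr><td><a href=\"{s['url']}\">{s['url']}</a></td>"
        f"<td>{s['address']}</td><td>{s['port']}</td><td>{s['product']}</td></tr>"
        for s in services
    )
    return f"<table><tr><th>URL</th><th>Address</th><th>Port</th><th>Product</th></tr>{rows}</table>"


if __name__ == "__main__":
    found = web_services_from_nmap_xml(SAMPLE_NMAP_XML)
    for s in found:
        print(s["url"], s["product"])
    print(render_report(found))
```

Feeding a real `nmap -sV -oX scan.xml` file to `web_services_from_nmap_xml` gives the same URL list the screenshot tools would visit; the `-sV` service detection matters because the `tunnel="ssl"` attribute is what distinguishes HTTPS from HTTP on non-standard ports.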

A common issue found in nearly every pen test is a lack of controls around WPAD. WPAD is short for Web Proxy Autodiscovery Protocol and is how computers can automatically identify a web proxy and proxy configuration file on a local network. By default, Windows systems are configured to search for hosts named WPAD, making them easily susceptible to name-spoofing and man-in-the-middle attacks. Unless a company is using a proxy already and has disabled the automatic discovery, WPAD is almost always exploitable and has frustrated many a sysadmin.

Previously, I used Metasploit to spoof a WPAD host, serve up a wpad.dat file that pointed to my Burp proxy, and inject malicious code into HTTP traffic going to local machines. But that's all changed with the release of Trustwave SpiderLabs' Responder tool. In addition to collecting password hashes that can be cracked or used as part of an SMB relay attack, Responder has full WPAD spoofing capabilities, the ability to steal cookies, can insert malicious HTML, and can replace EXE files being downloaded with a malicious executable file.
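From the defender's side, the two things worth checking before a tester gets to this are which hosts are still asking the network for a WPAD name, and whether the PAC file the network actually serves points only at the approved proxy. The script below is an added example, not part of this article and not from Responder or Metasploit; the DNS query log format (`client=... qname=... qtype=... rcode=...`) is assumed for the example, and the log lines, PAC file and proxy names are constructed.

```python
"""Defensive WPAD checks (added example, not from the article or Responder).

Two checks: (1) which clients are still looking up wpad names, which is the
behaviour that name-spoofing relies on, and (2) whether a served wpad.dat
routes traffic only through the approved proxy. The log format, the log
lines, the PAC file and all hosts below are constructed for this example.
"""
import re

# Constructed resolver log in a simple key=value layout assumed here;
# real DNS server logs differ, so adapt LOG_RE to your format.
SAMPLE_DNS_LOG = """\
2014-05-19T10:01:02Z client=10.0.0.23 qname=wpad.corp.example.test qtype=A rcode=NXDOMAIN
2014-05-19T10:01:03Z client=10.0.0.23 qname=wpad qtype=A rcode=NXDOMAIN
2014-05-19T10:01:05Z client=10.0.0.41 qname=intranet.corp.example.test qtype=A rcode=NOERROR
2014-05-19T10:02:11Z client=10.0.0.58 qname=wpad.corp.example.test qtype=A rcode=NOERROR
2014-05-19T10:02:12Z client=10.0.0.58 qname=WPAD.corp.example.test qtype=AAAA rcode=NXDOMAIN
"""

LOG_RE = re.compile(
    r"client=(?P<client>\S+) qname=(?P<qname>\S+) qtype=\S+ rcode=(?P<rcode>\S+)"
)


def wpad_lookups(log_text):
    """Return {client: {"queries": n, "unanswered": n}} for every client that
    queried a name whose first label is 'wpad'. Unanswered (non-NOERROR)
    lookups are the ones to fix first: a client that gets no DNS answer
    falls back to local name resolution (LLMNR/NetBIOS), where any host on
    the segment can claim the WPAD name."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        first_label = m.group("qname").lower().rstrip(".").split(".")[0]
        if first_label != "wpad":
            continue
        entry = stats.setdefault(m.group("client"), {"queries": 0, "unanswered": 0})
        entry["queries"] += 1
        if m.group("rcode") != "NOERROR":
            entry["unanswered"] += 1
    return stats


# Constructed wpad.dat: a legitimate corporate proxy plus a second PROXY
# entry that is not on the approved list.
SAMPLE_PAC = """\
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";
  return "PROXY proxy.corp.example.test:8080; PROXY 10.0.0.77:8080; DIRECT";
}
"""

PROXY_RE = re.compile(r"\bPROXY\s+([^;\"']+)")


def pac_proxies(pac_text):
    """Extract every host:port named in a PROXY directive of a PAC file."""
    return sorted({p.strip() for p in PROXY_RE.findall(pac_text)})


def unexpected_proxies(pac_text, approved):
    """Proxies the PAC file would send traffic to that are not approved."""
    return [p for p in pac_proxies(pac_text) if p not in approved]


if __name__ == "__main__":
    for client, s in wpad_lookups(SAMPLE_DNS_LOG).items():
        print(f"{client}: {s['queries']} wpad lookups, {s['unanswered']} unanswered")
    print("unexpected proxies:", unexpected_proxies(SAMPLE_PAC, {"proxy.corp.example.test:8080"}))
```

The two findings map directly onto the controls the article says are usually missing: clients that still resolve WPAD should have automatic proxy discovery turned off (or be given a valid `wpad` DNS record that points at a server the security team owns), and any PAC file reachable on the network should be diffed against the approved proxy list on a schedule.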

Another strong tool in the exploitation category is actually a suite of scripts for Windows PowerShell. PowerSploit's scripts are designed to assist penetration testers with privilege escalation, bypassing antivirus, exfiltration, and code execution. Even in highly sensitive environments locked down with multiple layers of protection -- including antivirus and application whitelisting -- PowerSploit can be used because PowerShell is a legitimate systems administration tool and rarely restricted.

With these tools -- as well as those I covered in the previous article -- enterprise defenders have a powerful arsenal to identify weak areas in their networks and demonstrate how these vulnerabilities can be exploited. Every tool listed is freely available and open-source. Security teams can easily take advantage of these tools to proactively find and fix potential vulnerabilities before a malicious attacker has a chance to exploit them.

Marilyn Cohodas,
User Rank: Strategist
5/21/2014 | 3:05:58 PM
Thanks for the great interview and live chat, JohnSawyer
For anyone who wants to get some additional insight about what it takes to be a penetration tester, be sure to check out Tim Wilson's Dark Reading radio interview with John: Day In The Life of a Penetration Tester. Lots of really interesting commentary from DR community members in the live chat that followed the broadcast. Here's the link.
User Rank: Moderator
5/21/2014 | 1:15:10 PM
Re: prevalence?
Hi, Kelly.

Thank you for the question. Which clients use the tools? Well, if they're a client, then they've likely been subjected to all the tools as part of the testing we've performed for them. Whether or not they're actually using them is hard to say. I know of several specific examples where clients' security teams perform regular recon looking for compromised credentials, defaced sites, employees posting sensitive information, etc. For that, they use recon-ng.

The rest of the tools I've seen used during specific demonstrations to show other IT groups within the company vulnerabilities and to prompt the other groups to fix those issues. A lot of this depends on the size of the team, how mature the team is (and the company), are they stuck in reactive mode or do they have time for proactive tasks, and other similar team attributes.

I'd like to see more security teams taking advantage of these tools, as I think it would open their eyes to issues they're vulnerable to and help them fix issues before having a 3rd party tester come in, so the 3rd party's time can be focused on critical, high-risk areas.

User Rank: Moderator
5/21/2014 | 1:00:19 PM
Re: PwnWiki!
Hey, Ed. Thanks for the comment. PwnWiki is a great resource. It's definitely come in handy on a few different pen tests. I need to get my updates sent in sometime soon but just haven't had the time to sort through my notes and get them into a pull request.

Ed Moyle,
User Rank: Apprentice
5/20/2014 | 9:49:54 AM
Just wanted to say thanks for getting this started. Nice to see PwnWiki getting some love.
Kelly Jackson Higgins,
User Rank: Strategist
5/19/2014 | 6:46:46 PM
John, do many of your enterprise clients use these tools today? 
User Rank: Apprentice
5/19/2014 | 1:22:16 PM
Very Helpful!
This article is very helpful, I must say! Keep up the good work!