Today’s post is on the crossroads between the realms of OSINT and penetration testing. It’s come to life as a result of my research and exploration of the pentesting methodologies, approaches, frameworks and tools.
Last year, when discussing URL manipulation, I briefly mentioned some web parameter tampering techniques. Parameter tampering is not strictly an OSINT method, because it involves interacting with the target, as opposed to passive open source research only.
Here are some tools that I have come across and tested (some more thoroughly, some less). If you have any interest in pentesting as a casual hobby (like I do), then you should enjoy this list.
PS. After the tools part, you’ll find my tips on passing the CompTIA Pentest+ certification.
Credentials harvesting / password cracking
NOTE: Data breach dump research remains a huge area of interest for OSINT and an important source of intelligence (discussed here). Do remember, however, that there is a red line between collecting credentials and using them in an unauthorised manner to log into other people’s accounts. Cracking dumped passwords and hashes is not illegal; using those passwords and hashes to log in somewhere you are not authorised to go can be against the law.
- Cain & Abel – legacy password cracking tool. It also had the ability to record VoIP calls. No longer supported, so only an honourable mention here rather than a real recommendation.
- CeWL (Custom Word List generator) – creates word lists that can be fed to the password crackers listed here. Can also be used for creating username lists.
- DirBuster – a brute-forcing tool for enumerating files and directories on a web server.
- John the Ripper – password cracking tool, available in both free and premium versions.
- Hashcat – password recovery / password cracking tool. Remember, to be effective with it, you will need to have a powerful GPU (or several of them, if using a password cracking rig).
- Hydra – a login cracker that supports numerous protocols.
- Medusa – another login brute forcer.
- Mimikatz – retrieves credentials from the memory of Windows systems, including plaintext Windows account logins and passwords.
- Patator – multi-purpose brute forcer.
Debugging
- GDB – debugger for Linux, supports multiple languages.
- Immunity Debugger – pentesting support tool, useful for reverse engineering of malware.
- OllyDbg – Windows debugger, old software at this stage. The main page for the project states the development is currently frozen.
- WinDbg – a Windows debugging tool, created by Microsoft.
OSINT & passive reconnaissance
NOTE: Some of the tools and functionalities listed here (like Shodan, Nslookup, Whois, etc.) can be used in a browser or directly from the command line. Remember that the results you get in the terminal can often differ from those of their web counterparts!
- Censys – a web-based tool that probes IP addresses and makes all of this information available through a search engine. Similar to Shodan, see below.
- FOCA (Fingerprinting Organizations with Collected Archives) – used to find metadata within documents and common file formats.
- Maltego – mainly a commercial product with some free features; used for visualisation of data gathered via OSINT. It can help with automation too.
- Nslookup – used to identify the IP addresses associated with an organisation.
- Recon-ng – a modular web reconnaissance framework for managing your OSINT work.
- Whois – information from public records about domain ownership.
- Wireshark – open source protocol analysis tool for packet sniffing and analysis; no interaction with the target is necessary, as Wireshark simply inspects the wireless (or wired) network traffic passing by.
- theHarvester – good for finding email addresses, employee names, virtual hosts, infrastructure details and more about an organisation of interest.
- TruffleHog – scans code repositories like GitHub for unintentionally disclosed information.
- Shodan – specialised search engine for many things online, from vulnerable IoT devices to servers, hosts, webcams and more. I covered many Shodan queries in detail here.
Vulnerability scanning
- Brakeman – static analysis tool used for code scanning of Ruby on Rails applications.
- Nessus – commercial product; vulnerability scanning tool used to scan various devices and environments.
- Nikto – vulnerability scanning tool for web servers.
- OpenSCAP (Security Content Automation Protocol) – a set of tools from NIST; designed to help manage compliance and create baselines of security standards.
- OpenVAS – an open source vulnerability scanner. Easy to detect, though, if used to scan broadly.
- ScoutSuite – for auditing the security posture of cloud environments.
- sqlmap – used to automate SQL injection attacks against web applications backed by databases.
- Wapiti – web app scanner for detecting vulnerabilities; heavily focused on API testing.
- W3AF – open source web application vulnerability scanner.
- WPScan – designed to scan WordPress sites.
Tips for passing CompTIA Pentest+
- Having passed CySA+ last year, I found that knowledge and experience helpful. See my post on the CySA+ exam tips here – some of those tips apply to Pentest+ in the same fashion.
- Simulation questions (I got 4 of those, bigger and longer ones) bring more points than the regular ones. I left them until the end. They require more focus and thinking; it might feel frustrating or counterproductive to start off with them, only to get bogged down on something at the very beginning of your exam. I took the same approach with the CySA+ simulation questions too.
- When doing practice tests, focus on understanding the answers and not just memorising them. Similar questions often get asked in a roundabout way.
- Certain questions test your understanding of things like situational awareness during a penetration test, the constraints of ROE (rules of engagement), the SOW (statement of work) and so on; as well as general methodologies such as OWASP or MITRE. Make sure to cover those in a way that gives you a working knowledge, without having to blindly memorise a lot of the content from the Planning and Scoping part of the exam objectives.
- Even a very general understanding of Windows and Linux command line (as well as some basic bash scripting methods) will go a long way.
- Cover your SQL injection attacks, their types and their remediation methods. You will most certainly be presented with specific examples during the simulation questions.
- Knowing Nmap flags is a must. The best way to practice with Nmap is hands on. As an additional help, I used the GUI version, Zenmap – you can easily build your scan commands there.
- Sign up to TryHackMe and try to complete their excellent Pentest+ learning path. It’s a great way to combine theory with practice. It’s over 50 hours long – if you can’t do it all, focus your hands-on practice wherever you feel you have knowledge gaps.
- For your prep, I would recommend the Sybex Pentest+ books, both the general study guide and the tests (they contain something like 1000 test questions).
- Dion Training on Udemy is very good as always, and his set of 6 practice tests is a solid resource; there are several hundred questions in those, worth practising on.
Hope this helps. If you have tips or suggestions that I did not cover, add them in the comments below.