
Pentesting & OSINT tools (and tips for passing Pentest+)


Today’s post is on the crossroads between the realms of OSINT and penetration testing. It’s come to life as a result of my research and exploration of the pentesting methodologies, approaches, frameworks and tools.

Last year, when discussing URL manipulation, I briefly mentioned some techniques of web parameter tampering, which is not strictly an OSINT method, because it involves interaction with the target as opposed to passive open source research only.

Here are some tools that I have come across and tested (some more thoroughly, some less). If you have any interest in pentesting as a casual hobby (like I do), then you should enjoy this list.

PS. After the tools part, you’ll find my tips on passing the CompTIA Pentest+ certification.

Credentials harvesting / password cracking

NOTE: Data breach dumps research remains a huge area of interest for OSINT and an important source of intelligence (discussed here). Do remember however that there is a red line between collecting credentials and using them in an unauthorised manner to log into other people’s accounts. Dumped password and hash cracking is not illegal; but using those passwords and hashes to log in somewhere where you are not authorised to go – that can be against the law.

  • Cain & Abel – legacy password cracking tool. It also had the ability to record VoIP calls. No longer supported, so only an honourable mention here rather than a real recommendation.
  • CeWL (Custom Word List generator) – for creating word lists that can be used by the password crackers listed here. Can also be used for creating username lists.
  • DirBuster – a brute-forcing tool for enumerating files and directories on a web server.
  • John the Ripper – password cracking tool, available in both free and premium versions.
  • Hashcat – password recovery / password cracking tool. Remember, to be effective with it, you will need to have a powerful GPU (or several of them, if using a password cracking rig).
  • Hydra – a login cracker that supports numerous protocols to attack.
  • Medusa – another login brute forcer.
  • Mimikatz – retrieves credentials from the memory of Windows systems, such as plaintext Windows account logins and passwords.
  • Patator – multi-purpose brute forcer.

Debugging

  • GDB – debugger for Linux; supports multiple languages.
  • Immunity Debugger – pentesting support tool, useful for reverse engineering of malware.
  • OllyDbg – Windows debugger, old software at this stage. The main page for the project states the development is currently frozen.
  • WinDbg – a Windows debugging tool, created by Microsoft.

OSINT & passive reconnaissance

NOTE: Some of the tools and functionalities listed here (like Shodan, Nslookup, Whois, etc.) can be used in a browser or directly from the command line. Remember that often the results of using them in the terminal can vary from their web counterparts!

  • Censys – a web-based tool that probes internet-facing IP addresses and makes the collected data available through a search engine. Similar to Shodan, see below.
  • FOCA (Fingerprinting Organizations with Collected Archives) – used to find metadata within documents and common file formats.
  • Maltego – mainly a commercial product with some free features; used for visualisation of data gathered via OSINT. It can help with automation too.
  • Nslookup – queries DNS to identify the IP addresses associated with an organisation's domain names.
  • Recon-ng – a modular web reconnaissance framework for managing your OSINT work.
  • Whois – information from public records about domain ownership.
  • Wireshark – open source protocol analyser for packet capture and analysis; no interaction with the target is necessary, as Wireshark simply inspects the wireless (or wired) network traffic passing by.
  • theHarvester – good for finding email addresses, employee names, virtual hosts, infrastructure details and more about an organisation of interest.
  • TruffleHog – scans code repositories, such as those on GitHub, for unintentionally disclosed secrets and other sensitive information.
  • Shodan – specialised search engine for many things online, from vulnerable IoT devices to servers, hosts, webcams and more. I covered many Shodan queries in detail here.

Vulnerability scanning

  • Brakeman – static analysis tool used for code scanning of Ruby on Rails applications.
  • Nessus – commercial product; vulnerability scanning tool used to scan various devices and environments.
  • Nikto – vulnerability scanning tool for web servers.
  • OpenSCAP (Security Content Automation Protocol) – a set of tools from NIST; designed to help manage compliance and create baselines of security standards.
  • OpenVAS – an open source vulnerability scanner. Its scans are easy to detect, though, when it is used to search broadly.
  • ScoutSuite – for auditing the security posture of cloud environments.
  • Sqlmap – automates the detection and exploitation of SQL injection flaws in database-backed web applications.
  • Wapiti – web app scanner for detecting vulnerabilities, with a heavy focus on API testing.
  • W3AF – open source web application vulnerability scanner.
  • WPScan – designed to scan WordPress sites.

Tips for passing CompTIA Pentest+

  • Having passed CySA+ last year, I found that knowledge and experience helpful. See my post on the CySA+ exam tips here – some of these tips apply to Pentest+ too in the same fashion.
  • Simulation questions (I got 4 of those, bigger and longer ones) bring more points than the regular ones. I left them until the end. They require more focus and thinking; it might feel frustrating or counterproductive to start off with them, only to get bogged down with something at the very beginning of your exam. I took the same approach with the CySA+ simulation questions too.
  • When doing practice tests, focus on understanding the answers and not just memorising them. Similar questions often get asked in a roundabout way.
  • Certain questions test your understanding of things like situational awareness during a penetration test, the constraints of ROE (rules of engagement), the SOW (statement of work) and so on; as well as general methodologies such as OWASP or MITRE. Make sure to cover those in a way that gives you a working knowledge, without having to blindly memorise a lot of the content from the Planning and Scoping part of the exam objectives.
  • Even a very general understanding of Windows and Linux command line (as well as some basic bash scripting methods) will go a long way.
  • Cover your SQL injection attacks, their types and their remediation methods. You will most certainly be presented with specific examples during the simulation questions.
  • Knowing Nmap flags is a must. The best way to practice with Nmap is hands on. As an additional help, I used the GUI version, Zenmap – you can easily build your scan commands there.
  • Sign up to TryHackMe and try to complete their excellent Pentest+ learning path. It’s a great way to combine theory with practice. It’s over 50h long – if you can’t do it all, focus your hands-on practice on wherever you feel you have knowledge gaps.
  • For your prep, I would recommend the Sybex Pentest+ books, both the general study guide and the tests (they contain something like 1000 test questions).
  • Dion Training on Udemy is very good as always, and his set of 6 practice tests is a solid resource; there are several hundred questions in those, worth practising on.

Hope this helps. If you have tips or suggestions that I did not cover, add them in the comments below.
