Top 24 Penetration Testing Tools in 2023 (Wireshark/Nmap samples)
| Tool | Short Description |
|---|---|
| Wireshark | Wireshark is a network packet analyzer: it captures traffic and decodes it protocol by protocol. |
| Metasploit | Metasploit is an exploitation framework. Its exploit and auxiliary modules let a pentesting team verify vulnerabilities found in the network and, where possible, exploit them. |
| Burp Suite | Burp Suite is an integrated platform for performing security testing of web applications. (Open-source alternative: OWASP ZAP.) |
| Nmap | Network Mapper is the best-known port scanner used by penetration testers; it discovers hosts, services and operating systems. |
| Sqlmap | Sqlmap automates the detection and exploitation of SQL injection and comes with a very powerful detection engine. |
| Intruder | Intruder is a cloud-based vulnerability scanner that lets businesses run automated scans to identify and remediate exposures. |
| Nessus | Nessus is a vulnerability scanner for devices, applications, operating systems and cloud environments. |
| Zed Attack Proxy | OWASP ZAP (Zed Attack Proxy) is a free, open-source web application security scanner designed to be used during development and testing. |
| Nikto | Nikto is a free command-line web server scanner that checks for dangerous files/CGIs, outdated server software and other misconfigurations. |
| BeEF | The Browser Exploitation Framework is a penetration testing tool that focuses on the web browser: a "hooked" browser becomes a beachhead for further attacks. |
| Invicti | Invicti is an automated web application security scanner that scans websites, web applications and web services and identifies security flaws. |
| PowerShell-Suite | PowerShell-Suite is a collection of PowerShell scripts for offensive Windows tasks (process manipulation, enumeration and privilege-escalation helpers). |
| W3af | Web Application Attack and Audit Framework is an open-source web application security scanner. |
| Wapiti | Wapiti audits the security of websites and web applications with black-box scans; it does not need the source code. |
| Radare | Radare (radare2) is a reverse engineering toolkit used to disassemble, analyze, emulate and debug binaries and to perform forensics on file systems on any modern operating system. |
| MobSF | Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of static and dynamic analysis. |
| FuzzDB | FuzzDB is an open-source database of attack patterns, predictable resource names, regex patterns for identifying interesting server responses, and documentation resources. |
| Aircrack-ng | Aircrack-ng is a software suite for assessing Wi-Fi security: capturing frames, injecting packets and cracking WEP and WPA/WPA2-PSK keys. |
| SET | The Social-Engineer Toolkit is a collection of tools for social engineering. Penetration testers use it to test an organization's security by simulating attacks such as phishing against employees. |
| Hexway | Hexway is a pentest management platform that simplifies reporting and saves pentesters time for better things. |
| Shodan | Shodan is a search engine for Internet-connected devices: it indexes the services and banners they expose and their approximate locations. |
| DNSdumpster | DNSdumpster is an online passive reconnaissance tool that collects DNS-related information (subdomains, MX and NS records) for a domain. |
| Hunter | Hunter, an email outreach platform, finds email addresses and address formats for a domain by scraping public web sources. |
| URL Fuzzer | The URL Fuzzer uses a custom-built wordlist to discover hidden files and directories on a web server. |
What is network forensics?
Network forensics examines a network and the traffic passing through it for suspicious activity.
📝 NOTE: Network forensics covers not only TCP/IP networks but also mobile networks such as GSM.
So how can we listen to the network?
For this we use network sniffers such as Wireshark or tcpdump.
How Wireshark works
Wireshark captures and monitors network traffic from interfaces such as Ethernet and Wi-Fi, normally with the NIC in promiscuous mode.
📝 Note: Promiscuous mode makes a NIC (network interface controller) pass every frame it receives to the host, not only the frames addressed to its own MAC address. On a switched network you still only see the traffic that reaches your port, so a mirror (SPAN) port or a tap is needed to watch other hosts. Monitor mode is the wireless counterpart: the Wi-Fi card captures every 802.11 frame on a channel, including management frames, but it must disconnect from its access point to do so, whereas promiscuous mode keeps you connected to the network.
What can we do with Wireshark?
Wireshark is used for many purposes: troubleshooting web applications (analyzing the HTTP traffic between client and server), security analysis (detecting suspicious activity), and even telephony traffic (analyzing VoIP calls and other telephony protocols).
Let's do some examples with Wireshark and explain some terms along the way.
First, I set up a vsftpd server on my virtual machine.
Everything OK.
💡 Tip: FTP (File Transfer Protocol) is used to transfer files between computers on a TCP/IP network. It sends usernames, passwords and file contents in clear text, which is why it is so easy to inspect in Wireshark.
And here we can see the output of the Nmap scan against it.
💡 Tip: A brute-force attack uses trial and error (a wordlist of candidate credentials) to find the password.
We can use Hydra for the brute-force attack.
Let's monitor this with Wireshark.
To see successful logins, use the following display filter:
ftp.response.code==230
Or failed logins:
ftp.response.code==530
The full list of FTP reply codes is defined in RFC 959.
To see all commands sent from the client:
ftp.request.command
To read the whole conversation, select the menu item Analyze → Follow → TCP Stream. Hydra's attempts show up as repeated USER/PASS pairs, each answered with 530 until one gets 230.
To see the flow graph, select the menu item Statistics → Flow Graph.
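The followed stream is just text, so the same check can be scripted. The block below is an added example, not code from the original post: it reconstructs the USER/PASS attempts from a constructed "Follow TCP Stream" transcript of a Hydra run (the credentials and reply lines are made up for the example) and flags the session as brute force the way the 530/230 filters above do by eye.

```python
"""Reconstruct FTP login attempts from a followed TCP stream (added example).

This is not code from the original post. The stream below is constructed to
look like the text Wireshark shows under Analyze -> Follow -> TCP Stream while
Hydra guesses passwords against vsftpd: client commands (USER/PASS) and server
replies that start with a three-digit code, the same codes the
ftp.response.code==230 / ==530 display filters match on.
"""
from collections import Counter

# Constructed sample stream; credentials and replies are made up for the example.
SAMPLE_STREAM = """\
220 (vsFTPd 3.0.3)
USER admin
331 Please specify the password.
PASS 123456
530 Login incorrect.
USER admin
331 Please specify the password.
PASS password
530 Login incorrect.
USER admin
331 Please specify the password.
PASS letmein
530 Login incorrect.
USER admin
331 Please specify the password.
PASS qwerty
530 Login incorrect.
USER admin
331 Please specify the password.
PASS admin123
230 Login successful.
SYST
215 UNIX Type: L8
"""


def parse_login_attempts(stream_text):
    """Pair each USER/PASS exchange with the server's final reply code.

    Returns a list of (username, password, reply_code). Only the final reply
    line of a response (code followed by a space, not the "230-" continuation
    form) closes an attempt, and only 230 (success) or 530 (failure) count.
    """
    attempts = []
    user = password = None
    for line in stream_text.splitlines():
        line = line.rstrip("\r")
        if line.upper().startswith("USER "):
            user, password = line[5:], None
        elif line.upper().startswith("PASS "):
            password = line[5:]
        elif line[:3].isdigit() and line[3:4] == " ":
            code = int(line[:3])
            if password is not None and code in (230, 530):
                attempts.append((user, password, code))
                user = password = None
    return attempts


def flag_bruteforce(attempts, max_failures=3):
    """Decide whether a session looks like a brute-force attack.

    Returns (is_bruteforce, failure_count, successful_credentials_or_None):
    more than max_failures 530 replies on one control connection is the
    signal, and a trailing 230 tells you which guess worked.
    """
    codes = Counter(code for _, _, code in attempts)
    success = next(((u, p) for u, p, c in attempts if c == 230), None)
    return codes[530] > max_failures, codes[530], success


if __name__ == "__main__":
    found = parse_login_attempts(SAMPLE_STREAM)
    print(flag_bruteforce(found))  # (True, 4, ('admin', 'admin123'))
```

The threshold of three failures is a guess for a lab box; on a real server pick it from the normal rate of typos you see in the baseline capture, and remember that Hydra can spread attempts over several control connections, so count per source address rather than per stream when you run this on a larger capture.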
💡 Tip: IP spoofing is the creation of IP packets with a false source IP address in order to impersonate another computing system.
📝 Note: IP spoofing is usually combined with UDP, because UDP does not establish a connection or maintain a session between sender and receiver as TCP does, so the spoofer never needs to see the reply.
We can see the Nmap output, but one of these results is not correct. FTP runs over TCP, which needs a completed three-way handshake with the real source address: the server's SYN/ACK goes to the spoofed address and never reaches the scanner. Keep that in mind!
But we can still monitor this network traffic and watch the spoofed packets go out.
Let's check how secure the VPN is…
📝 Note: We use VPNs to protect ourselves on public Wi-Fi. The biggest problem is data leaking outside the tunnel; the usual leaks are WebRTC leaks, DNS leaks and IP address leaks.
💡 Tip: WebRTC enables real-time communication (audio, video or arbitrary data) in web browsers and mobile applications. To set up peer connections it discovers the host's own addresses, so it can reveal the real IP address of the end user even when a VPN is up.
💡 Tip: DNS resolves names to IP addresses. If your DNS queries go to the ISP's resolver instead of through the tunnel (a DNS leak), the sites you visit can be monitored even though the page traffic itself is encrypted.
After connecting to the VPN, Wireshark looks like this:
And then I navigate around.
So let's try to find these pages in the capture (look for the HTTP Host header or the TLS server name).
There's nothing!
Let's try DNS too…
Still nothing.
Finally, let's check our public IP.
📝 Note: You can see your public IP address from the terminal with one of the commands below, or type "What is my public IP address" in your browser.
$ curl ifconfig.co
$ curl ifconfig.me
$ curl icanhazip.com
And still nothing.
Now we will use dirb. For this I first start the Apache server in my virtual machine.
Now select the menu item Statistics → HTTP → Packet Counter.
We can see that every HTTP request method is GET.
To list every directory and file the client requested, select the menu item Statistics → HTTP → Requests.
Of course we can also follow the HTTP stream: select the menu item Analyze → Follow → HTTP Stream.
Now type http.response.code==200
to list the pages that actually exist; dirb's misses show up as 404s.
Now let's try a brute-force attack on a login page. But first we need to create one. I asked ChatGPT to help me with this.
<!DOCTYPE html>
<html>
<head>
<title>Login Page</title>
</head>
<body>
<h1>Login Page</h1>
<form method="post" action="welcome.php">
<label for="username">Username:</label>
<input type="text" id="username" name="username" required><br><br>
<label for="password">Password:</label>
<input type="password" id="password" name="password" required><br><br>
<input type="submit" value="Login">
</form>
<!-- welcome.php redirects back here with ?error=... after a failed login.
     A .html file is not run through PHP, so the message is read with
     JavaScript; textContent (not innerHTML) keeps the reflected value from
     being interpreted as HTML. -->
<p id="error-message" style="color: red;"></p>
<script>
document.getElementById("error-message").textContent =
  new URLSearchParams(window.location.search).get("error") || "";
</script>
</body>
</html>
💡 Tip: The file name of the code above is login.html
<?php
// Handle the form before any HTML is sent: header() fails once output has started.
if ($_SERVER["REQUEST_METHOD"] == "POST") {
    $username = $_POST["username"] ?? "";
    $password = $_POST["password"] ?? "";
    // Check if the provided username and password are correct
    // (fixed test credentials: this page exists only to be brute-forced)
    if ($username === "test" && $password === "test") {
        $logged_in = true;
    } else {
        header("Location: login.html?error=Invalid%20password");
        exit;
    }
}
?>
<!DOCTYPE html>
<html>
<head>
<title>Welcome Page</title>
</head>
<body>
<h1>Welcome Page</h1>
<?php if (!empty($logged_in)) { echo "Logged in successfully"; } ?>
</body>
</html>
💡 Tip: The file name of the above code is welcome.php
Everything works!
Now let's start a brute-force attack using Burp Suite. First, I captured the login request in the Proxy tab, then sent it to the Intruder tab with the password field as the payload position.
The attack started.
Then I sorted by status code: a wrong password gets a 302 redirect back to login.html, so the single 200 response is the correct credential pair.
And finally, let's monitor all this network traffic with Wireshark.
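Both of the previous steps, dirb's directory enumeration and Intruder's password loop, are the same pattern: send many requests and sort the replies by status code. The block below is an added example (not code from the original post, dirb or Burp) that does both in Python against an in-process HTTP server imitating the Apache/PHP target: existing paths answer 200, unknown ones 404, and welcome.php answers 200 for test/test and a 302 to login.html for anything else. The paths, wordlists and credentials are constructed for the example.

```python
"""Directory enumeration and login brute force against a local test server.

Added example, not part of the original post or of dirb/Burp. It does in
Python what dirb and Burp Intruder did above, against an in-process HTTP
server that imitates the Apache/PHP target: existing paths answer 200, unknown
ones 404, and welcome.php answers 200 for test/test and a 302 redirect to
login.html for anything else. Paths, wordlists and credentials are constructed.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

EXISTING_PATHS = {"/", "/login.html", "/welcome.php", "/admin/", "/backup/"}
VALID_CREDENTIALS = ("test", "test")


class TargetHandler(BaseHTTPRequestHandler):
    """Minimal stand-in for the Apache + welcome.php setup described above."""

    def log_message(self, *args):
        pass  # keep the example quiet

    def do_GET(self):
        if self.path in EXISTING_PATHS:
            self._reply(200, b"<h1>ok</h1>")
        else:
            self._reply(404, b"not found")

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields = urllib.parse.parse_qs(self.rfile.read(length).decode())
        pair = (fields.get("username", [""])[0], fields.get("password", [""])[0])
        if self.path == "/welcome.php" and pair == VALID_CREDENTIALS:
            self._reply(200, b"Logged in successfully")
        else:  # same behaviour as welcome.php's header("Location: ...")
            self.send_response(302)
            self.send_header("Location", "/login.html?error=Invalid%20password")
            self.end_headers()

    def _reply(self, code, body):
        self.send_response(code)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_target():
    """Serve the fake target on an ephemeral localhost port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


def status_of(url, data=None):
    """HTTP status of one request without following redirects (what Burp shows)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turn the 302 into an HTTPError instead of following it

    try:
        return urllib.request.build_opener(NoRedirect).open(url, data=data, timeout=5).status
    except urllib.error.HTTPError as err:
        return err.code


def enumerate_paths(base_url, wordlist):
    """dirb-style: GET each wordlist entry and keep every path that is not a 404."""
    found = {}
    for word in wordlist:
        code = status_of(base_url + "/" + word)
        if code != 404:
            found["/" + word] = code
    return found


def brute_force_login(base_url, username, passwords):
    """Intruder-style: POST each candidate; the one 200 among the 302s is the hit."""
    for password in passwords:
        body = urllib.parse.urlencode({"username": username, "password": password}).encode()
        if status_of(base_url + "/welcome.php", data=body) == 200:
            return password
    return None


if __name__ == "__main__":
    base, server = start_target()
    print(enumerate_paths(base, ["login.html", "admin/", "backup/", "config/", "uploads/"]))
    print(brute_force_login(base, "test", ["123456", "password", "test"]))
    server.shutdown()
```

Running it with Wireshark open on the loopback interface gives you the same picture as the dirb and Burp runs: a burst of GETs with 200/404 answers, then a burst of POSTs to welcome.php where every 302 is a failed guess and the one 200 is the hit. Not following redirects is the important detail; a client that follows the 302 would land on login.html with a 200 and hide the difference.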
What is Nmap?
Nmap stands for Network Mapper. It is an open-source tool used to discover hosts and services on a computer network.
Let's start with a TCP SYN scan (-sS) and then explain it.
We can observe it in Wireshark.
The Nmap TCP SYN scan sends a TCP packet with the SYN flag set and waits for the reply. A SYN/ACK means the port is open; Nmap then answers with a RST to tear the half-open connection down instead of completing the handshake (hence "half-open" or "stealth" scan). A RST reply means the port is closed, and no reply at all (or an ICMP unreachable) means it is filtered.
Let's do it with another example for clarity.
The following lines explain the options used:
- -r: By default, Nmap randomizes the order in which ports are scanned. This option scans them in sequential order, which makes the capture easier to read.
- -p: This option specifies which ports to scan. A range such as 1-1111 scans ports 1 to 1111 (e.g. nmap -p 1-1111 192.168.122.212).
If this is confusing, check the Flow Graph.
That view makes it much clearer what happens during a TCP SYN scan.
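The flow graph is easy to turn into detection logic. The block below is an added example, not from the original post or Nmap: it takes a constructed packet list shaped like what Wireshark shows during nmap -sS (SYN from the scanner, SYN/ACK or RST/ACK from the target, RST from the scanner on open ports), derives the open/closed/filtered state of each port exactly as the paragraph above describes, and flags the source as a SYN scanner because it answers SYN/ACKs with RST instead of ACK. Addresses and ports are made up for the example.

```python
"""Infer port states and spot a half-open (SYN) scan from captured TCP packets.

Added example, not from the original post. CAPTURE is constructed to look like
the packets Wireshark shows during `nmap -sS`: SYN from the scanner, SYN/ACK
or RST/ACK from the target, and the scanner's RST on open ports. Each entry
is (src, dst, src_port, dst_port, flags) with flags as a string of S/A/R.
"""
from collections import defaultdict

SCANNER, TARGET = "192.168.122.1", "192.168.122.212"

# Constructed capture of a SYN scan of six ports.
CAPTURE = [
    (SCANNER, TARGET, 40001, 21, "S"),
    (TARGET, SCANNER, 21, 40001, "SA"),
    (SCANNER, TARGET, 40001, 21, "R"),      # scanner tears down the half-open connection
    (SCANNER, TARGET, 40002, 22, "S"),
    (TARGET, SCANNER, 22, 40002, "SA"),
    (SCANNER, TARGET, 40002, 22, "R"),
    (SCANNER, TARGET, 40003, 23, "S"),
    (TARGET, SCANNER, 23, 40003, "RA"),     # closed port answers RST/ACK
    (SCANNER, TARGET, 40004, 80, "S"),
    (TARGET, SCANNER, 80, 40004, "SA"),
    (SCANNER, TARGET, 40004, 80, "R"),
    (SCANNER, TARGET, 40005, 443, "S"),     # no reply at all: filtered
    (SCANNER, TARGET, 40006, 8080, "S"),
    (TARGET, SCANNER, 8080, 40006, "RA"),
]


def port_states(capture, scanner, target):
    """Classify each probed port from the target's reply, as Nmap's -sS does."""
    states = {}
    for src, dst, sport, dport, flags in capture:
        if src == scanner and dst == target and flags == "S":
            states.setdefault(dport, "filtered")   # stays filtered if nothing answers
        elif src == target and dst == scanner:
            if "S" in flags and "A" in flags:
                states[sport] = "open"
            elif "R" in flags:
                states[sport] = "closed"
    return states


def detect_syn_scan(capture, min_ports=5):
    """Flag sources that SYN many ports and answer SYN/ACK with RST instead of ACK.

    Returns {source: {"ports": probed, "half_open": n}} for every source that
    probed at least min_ports distinct (host, port) pairs. A full connect scan
    (-sT) sends ACK after the SYN/ACK, so it is not counted as half-open.
    """
    syn_targets = defaultdict(set)
    half_open = defaultdict(int)
    pending = {}  # (client, client_port) present once the target sent SYN/ACK
    for src, dst, sport, dport, flags in capture:
        if flags == "S":
            syn_targets[src].add((dst, dport))
        elif flags == "SA":
            pending[(dst, dport)] = True
        elif flags == "R" and pending.pop((src, sport), False):
            half_open[src] += 1
        elif flags == "A":
            pending.pop((src, sport), None)
    return {src: {"ports": len(ports), "half_open": half_open[src]}
            for src, ports in syn_targets.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    print(port_states(CAPTURE, SCANNER, TARGET))
    print(detect_syn_scan(CAPTURE))
```

To run this on a real capture, export the TCP packets from Wireshark (or tshark with the ip.src, ip.dst, tcp.srcport, tcp.dstport and tcp.flags fields) and feed them in as the same tuples; the "half_open" count is what separates a SYN scan from a burst of legitimate connections, since a real client always completes the handshake.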
So, how does OS detection with Nmap work?
Nmap sends a series of TCP, UDP and ICMP probes and checks how the target responds (TCP window sizes, options, initial sequence numbers and so on). From those responses it builds a TCP/IP fingerprint and compares it with its own fingerprint database.
I scan my virtual network for OS detection with nmap -O 192.168.122.1/24.
📝 Note: This scan prints the raw fingerprint instead of an OS name because Nmap found no exact match in its database, which is common for virtual machines.
- --mtu <size>: Like -f, sends the probes as small IP fragments (size must be a multiple of 8) so that the TCP header is split across several packets, an attempt to slip past packet filters and IDS that do not reassemble fragments.
Now let's talk about NSE. What is it?
The Nmap Scripting Engine (NSE) is one of Nmap's most powerful features. It lets you write (or reuse) simple Lua scripts that run as part of an Nmap scan.
We used the auth NSE category in Nmap.
- --script: Runs one or more scripts or script categories. In the example above we used the vuln category, but we can also name a single script such as ftp-anon, which checks whether the FTP server allows anonymous login.
You can find all NSE categories here.
Sometimes we want to save the output; for XML format use the -oX option.
The output will look like this…
Of course you may want another output option such as -oN (normal, human-readable output).
📝 Note: However, if you want to use the ndiff tool, you must use the XML format.
What is ndiff?
Ndiff compares two Nmap scans. It takes two Nmap XML output files and prints the differences between them.
I will show it in Zenmap, but you can also use it from the command line. (Here is the ndiff guide.)
📝 Note: Zenmap is the GUI for Nmap.
💡 Tip: A line starting with - was in the first scan but not in the second.
💡 Tip: A line starting with + was in the second scan but not in the first.
💡 Tip: A line with neither marker is unchanged.
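The same comparison can be done on the -oX files directly, which is handy when you want to feed the result to something other than a terminal. The block below is an added example, not ndiff's own code: it parses two constructed, stripped-down Nmap XML outputs for one host (real files carry more elements, but the host/address/ports/port/state layout is Nmap's) and prints -/+ lines with the same meaning as the tips above.

```python
"""Compare two Nmap XML outputs the way ndiff does (added example).

This is not ndiff's code. The two documents are constructed, stripped-down
-oX outputs for one host; real files carry more elements (scan info, hostnames,
service versions) but the host/address/ports/port/state layout is Nmap's.
"""
import xml.etree.ElementTree as ET

SCAN_BEFORE = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.122.212" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open"/><service name="ftp"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="23"><state state="closed"/></port>
    </ports>
  </host>
</nmaprun>"""

SCAN_AFTER = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.122.212" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="closed"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>"""


def parse_ports(xml_text):
    """Return {(addr, protocol, port): state} for every port element in an Nmap XML."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            key = (addr, port.get("protocol"), int(port.get("portid")))
            result[key] = port.find("state").get("state")
    return result


def ndiff_lines(before_xml, after_xml, include_unchanged=False):
    """Build ndiff-style lines: '-' only in the first scan, '+' only in the second.

    A port whose state changed produces both a '-' and a '+' line. Unchanged
    ports are omitted unless include_unchanged is set, in which case they are
    printed with a leading space.
    """
    before, after = parse_ports(before_xml), parse_ports(after_xml)
    lines = []
    for addr, proto, port in sorted(set(before) | set(after)):
        key = (addr, proto, port)
        if before.get(key) == after.get(key):
            if include_unchanged:
                lines.append(" %s %d/%s %s" % (addr, port, proto, before[key]))
            continue
        if key in before:
            lines.append("-%s %d/%s %s" % (addr, port, proto, before[key]))
        if key in after:
            lines.append("+%s %d/%s %s" % (addr, port, proto, after[key]))
    return lines


if __name__ == "__main__":
    print("\n".join(ndiff_lines(SCAN_BEFORE, SCAN_AFTER)))
```

In the sample, port 21 closing and port 80 opening between the two scans produce a -/+ pair and a lone + line respectively, which is exactly what you would look for when the two files are yesterday's and today's scan of the same network.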