Penetration testing tools
This article provides a quick overview of the penetration testing tools I used the most during my 4+ years as a penetration tester. The tools are divided into three categories based on their targets: web applications, AD and everything else.
Web applications
Burp Suite Pro
Burp was my favourite tool for web app testing, even if the reports it produces are a little harder to work with. Some of its most useful features are not immediately obvious to a new user. If that's you, check out the plethora of plugins available and the 'Discover content' feature. If you export vulnerabilities to XML, you can upload them to HaxHQ.
Acunetix
Acunetix is arguably the best web app vulnerability scanner out there. I found the authenticated scanning feature harder to work with than Netsparker's (now called Invicti), but it is very fast in general and has decent detection rates. False positives are quite common, so verify everything of some significance manually with Burp. Export to XML to import to HaxHQ.
Nessus
Nessus is primarily an infrastructure scanner, but it does web apps as well. It was useful when I wanted to cover dozens of apps in a very short time, as it doesn't have the target count limitation that Acunetix has. It did not discover as much as Acunetix, possibly because its default settings are more focused on speed than thoroughness. Go through the settings for web application testing and make sure they are optimised for your goals. Export to a .nessus file to import to HaxHQ.
Active Directory
PingCastle
A vulnerability scanner for AD and an awesome tool for initial information gathering. Check out the scanners available with it; one of the most useful features was its ability to quickly find accessible network shares. The report texts may need some proofreading and updating; we used HaxHQ's library autoupdate feature extensively for PingCastle. The HTML reports you get from it can be imported into HaxHQ.
BloodHound
BloodHound can be a little harder to learn to use but provides a wealth of information on the AD domain, as well as vulnerabilities and even specific attack routes. The data collection tools are separate; we used SharpHound among others. They produce an archive which is then imported into BloodHound. This tool does not produce a report, so there is nothing to import to HaxHQ, but you can take screenshots and use them in your report.
Leo4j's various PowerShell tools
There are plenty of PowerShell scripts and frameworks that can be used to test AD. In my team Rob was the AD guru and I just lazily used his scripts and tools, which made me look a lot better at AD testing than I really was :D. Check out his GitHub at https://github.com/Leo4j
General
Metasploit
A super useful tool for general testing. Plenty of exploits are built into it and it is fairly straightforward to use. Generating payloads with msfvenom is not what it was, though, as the payloads are almost always picked up by antivirus. You would need to get creative with it to get the level of obfuscation needed.
Hashcat
The hash cracking tool of choice. If you have a decent GPU it will squeeze lots of performance from it to crack those hashes faster.
Nessus
Nessus is great at collecting tons of information about reachable network services and any vulnerabilities on them. It is much easier to work with than Qualys and a gold standard in vulnerability scanning. Export results to a .nessus file to import to HaxHQ.
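As an added example (not code from this post, from Tenable or from HaxHQ), the following Python snippet reads a .nessus export and turns it into a severity-ordered finding list, the kind of information an import step consumes before the manual verification mentioned above. The sample document, host addresses, plugin IDs and plugin names are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed minimal .nessus (NessusClientData_v2) export used as sample input;
# the hosts, plugin IDs and plugin names are made-up placeholders, not real scan data.
SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="example scan">
    <ReportHost name="10.0.0.5">
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="3"
                  pluginID="100001" pluginName="Placeholder SMB finding" pluginFamily="Windows">
        <description>Placeholder description.</description>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="100002" pluginName="Placeholder info plugin" pluginFamily="General"/>
    </ReportHost>
    <ReportHost name="10.0.0.9">
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="100003" pluginName="Placeholder TLS finding" pluginFamily="General"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 = Info, 1 = Low, 2 = Medium, 3 = High, 4 = Critical
SEVERITY_NAMES = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}
TRIAGE_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}

def parse_nessus(xml_text):
    """Return one dict per ReportItem, skipping severity-0 informational plugins,
    sorted highest severity first so the items worth verifying by hand come out on top."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.findall("ReportItem"):
            sev = int(item.get("severity", "0"))
            if sev == 0:
                continue  # informational output is noise for triage
            findings.append({
                "host": host.get("name"),
                "port": f'{item.get("protocol")}/{item.get("port")}',
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "severity": SEVERITY_NAMES.get(sev, str(sev)),
            })
    return sorted(findings, key=lambda f: TRIAGE_ORDER.get(f["severity"], 9))

def severity_counts(findings):
    """Count findings per severity, e.g. for a quick summary line in a report."""
    return Counter(f["severity"] for f in findings)
```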
Nmap
A port scanner which I primarily used when I didn't have time to wait for Nessus results. You can do some basic attacks with it using the --script flag.