What is this list?

I regularly get asked two questions. The first is “how do you get into penetration testing?” and the seconds is “Which tools do you use?”. Based off of the second question, I wanted to note down the 10 top tools I use on a daily basis, ordered by most used.

You should know that I am predominately a web application and infrastructure security consultant and thus this list leans more towards these test types. If you are looking for a Red Team Top 10 with C2 integrated tools and such, this is not for you. This is a good start for tools to know if you want to get into the industry, however. Some of these do get used for Red Teaming as well.

1. Kali Linux

This is an obvious one if you know even a little bit about penetration testing. Kali is a hacking based Linux distribution and comes packaged with hundreds of tools in which you can use to do a number of different hacking related things.

It’s a good option for starting out and I even still use it now almost every day, as it’s just easy. However, I also have other Linux virtual machines installed with various tools, as Kali can be notorious for causing issues with different tool dependencies when installing via GitHub and such like.

2. Burp Suite

As I mentioned, I mainly test web applications and APIs. This is why Burp Suite is so high up on my list. But also because it is the best proxy out there and has been for quite some time. Burp Suite allows you to halt web requests and then tamper with them before being sent off to the server.

You can send these halted requests to various Burp Suite internal tools for fuzzing, comparing, decoding and much more. It also has a very good API which allows developers to build Third Party tools, which enhance your testing experiance and quality.

3. NMAP

One of the most used tools by anyone in IT, it’s NMAP. I’m sure you know what NMAP is, but if you don’t. NMAP is a tool which scans networked computers for open ports and services and has various optional functionality to help conduct thorough enumeration, bypass firewalls and much more. It also has a scripting engine which allows third parties to write their own addons, which is a nice touch.

This of course is well up on my list, as the first thing you tend to do when looking at a host, is see what it presents to the network.

4. CrackMapExec

Described rightly so as a “Swiss Army Knife”, CrackMapExec is a great tool for interacting with various types of network host. I must use this tool on every engagement I am put on, from simple troubleshooting tasks all the way to dumping password hashes, it can do it all. It really is an amazing tool and you should be using it if you don’t already. I mainly use this tool to work with the SMB protocol and Windows, however it does support other protocols, but I tend not to use it for that.

5. Nessus

Nessus is a vulnerability scanner which you can point at a host or network of hosts to gain back potential issues which may exist. Some clients simply want a vulnerability assessment and this is what I use. Of course, I analyse the output and do not simply provide a Nessus export! Some people do actually do this and it’s terrible value for a client.

Typically, I would use Nessus to quickly find any low hanging fruit issues that are available to exploit on the in-scope hosts. However, you may get false positives too. You should be aware of that and this is why providing a Nessus export without validation to a client is not good value. They are paying for your analysis, not for you to run a tool.

6. Responder

Usually the first tool I will run on an internal security consultation engagement is Responder. Windows is notorious for using the LLMNR protocol as well as several others, which by default send out user hashes over the network. This makes Responder a goldmine for Windows hash collection

It is rare that these protocols have been configured to be secure and nearly always ends up with a local or domain administrator hash being gained at some point throughout the execution this tool. It’s incredibly powerful and I highly recommend you know how to use it!

7. Hashcat

This tool is a staple in a hackers repository. Hashcat will simply allow you to attempt cracking on several hash types, such as; NTLM, WPA2, Cisco, MD5 and so much more. Basically, you name it, Hashcat will crack it.

It is likely that you will use this tool mainly when you gain WPA2 handshakes or steal NTLM credentials from windows machines. But it is also useful when you access a Linux shadow file as well as various other use cases. If you don’t know about it, get to know about it!

8. Aircrack-ng

You are likely to come across two types of wireless network. The first is a WPA2-PSK network and the second is a WPA2 enterprise network. To be honest, I rarely see the latter being used, but if you do see it, you’ll need to conduct an Evil Twin attack.

Aircrack-ng is all about sniffing the airwaves to gain a sent handshake from a client connecting to a WPA2-PSK network. WPA2-PSK uses a pre-shared key and thus, it can be cracked. Aircrack-ng will steal handshakes from connecting clients and this can then be pumped into Hashcat to crack the hash. Once cracked, you’ll have access to the wireless network, simple.

9. Bloodhound

This tool is a “must use” if you are on an engagement and need to understand how a Windows domain is configured. Bloodhound will allow you to map out the Domain Administrators, Users, Groups, Computers and various other entities within a Windows domain. You can then use filters on this data to find quick routes to pwning the domain.

For example, if you needed access to a particular computer, you could query the data to find which groups or which user has access to the computer and then work towards owning a user or user in a group.

You do need to be careful with Bloodhound as this tool can be very loud on a network. When it comes to an organisation that has monitored logging or even a blue team, this will very likely get you caught.

10. MITM6

Possibly a unusual one to see on a top 10 list? I haven’t come across many testers that actually use Man-In-The-Middle 6. However, I will usually try to use this tool on any engagement should responder not be an effective way to gain hashes.

MITM6 acts as a DHCP6 server and provides all IPv6 enabled hosts with an IP Address. The benefit to this is as IPv6 takes precedence in a network over IPv4, this is a quick and easy way to intercept user traffic and therefore also gain password hashes. These can then be used with HashCat as mentioned above, and you will have access to a network as a legitimate user.

That’s my Top 10! Hopefully there are tools which you haven’t looked at before and if so, check them out.

You can see some of these tools in action here: https://www.youtube.com/c/MrTurvey