Since I get asked a lot which tools I typically use for certain parts of a test, I've decided to compile a short list of the stuff I might use in an engagement. They are:
Let me just say that I'm liable to use BackTrack in any phase.
Phase 1 Passive Reconnaissance
- Google (1st stop for passive recon), Facebook, MySpace, LinkedIn etc. (find info on individuals)
- Netcraft (find passive info about web servers)
- Geo Spider
- Google Earth
- Wireshark (I use it in almost every phase. I want to see if their website is sending me any tracking goodies while I'm reconning it.)
- Paros (same as above, plus I use it to study authentication methods and other stuff on their sites)
Phase 2 Scanning
- ModemScan
- THC-Scan
- ToneLoc
Phase 3 Vulnerability Research
- I pretty much go manual here, but there's always Nessus, ISS and others.
- I usually try to build something that looks as close as possible to my target and practice exploiting it. I count this as part of my vulnerability research.
- Places I check are Secunia, SecLists, Milw0rm, eEye, Metasploit.com, SecuriTeam and a few others.
- Vendor websites.
Phase 4 Penetration/Hacking
- Manual exploit code
- Core Impact (large scale: 5000 or more nodes to penetrate)
- KerbCrack
- Cain & Abel
- John the Ripper
- RainbowCrack
Trojans & Rootkits
- I usually make my own, but some good POC ones are Poison Ivy, Nuclear RAT and NetBus.
Phase 5 Going Deeper
- Scapy (to trick devices and anything else that accepts or sends packets)
- WebScarab (studying HTTPS and other secure authentication processes)
- IDA Pro (reversing any custom apps I find being used internally)
- OllyDbg (same as above)
- Yersinia (VLAN hopping and other attacks low in the stack)
Phase 6 Covering Tracks
- rm, delete, erase, etc. (obviously)
- Wipe utility
- WinZapper (not a big fan, but when I have to...)