Penetration testing

Keatron’s Penetration Tools List

July 31, 2010 by Keatron Evans

Since I get asked a lot which tools I typically use for doing certain parts of testing, I’ve decided to compile a short list of stuff I might use in an engagement. They are….

Let me just say that I’m subject to use Backtrack in any phase.

Phase 1 Passive Reconnaissance

  1. Google (1st stop for passive recon), Facebook, MySpace, LinkedIn etc. (Find info on individuals)
  2. Netcraft (find passive info about web servers).
  3. Whois
  4. Geo Spider
  5. Google Earth
  6. HTTrack
  7. Webripper
  8. Wireshark (I use in almost every phase. I wanna see if their website is sending me any tracking goodies while I’m reconning it.)
  9. Paros (Same as above, plus I use it to study authentication methods, and other stuff on their sites)

Phase 2 Scanning

  1. Nmap
  2. Firewalk
  3. Hping
  4. Modem Scan
  5. THC Scan
  6. Tone Loc
  7. p0f
  8. Solarwinds
  9. TCPTraceroute

Phase 3 Vulnerability Research

  1. (I pretty much go manual here, but there’s always Nessus, ISS and others).
  2. I usually try and build something that looks as close as possible to my target, and practice exploiting them. I count this as part of my vulnerability research.
  3. Places I check are Secunia, Seclist, Milw0rm, eEye, Securiteam, and a few others.
  4. Vendor websites.

Phase 4 Penetration/Hacking

Breaking in

  1. Manual exploit code
  2. Metasploit
  3. Core Impact (large scale: 5000 or more nodes to penetrate).

Password Cracking

  1. Kerb Crack
  2. Pwdump
  3. Cain & Abel
  4. John the Ripper
  5. Rainbow Crack
  6. Hydra

Trojans & Rootkit

  1. I usually make my own. But some good POC ones are Poison Ivy, Nuclear RAT, Netbus.

Phase 5 Going Deeper

  1. Dsniff
  2. Tcpdump
  3. Arpspoof
  4. Putty
  5. Recub
  6. Scapy (to trick devices and anything else which accepts or sends packets)
  7. WebScarab (studying HTTPS and other secure authentication processes)
  8. IDA Pro (reversing any custom apps I find being used internally).
  9. OllyDbg (same as above).
  10. Yersinia (VLAN hopping, and other low stack level attacks)

Phase 6 Covering Tracks

  1. RM, delete, erase, etc (obviously).
  2. Clearlogs
  3. Wipe utility
  4. ADS
  5. Winzapper (not a big fan, but when I have to…)

Keatron Evans is a cybersecurity and workforce development expert with over 17 years of experience in penetration testing, incident response and information security management for federal agencies and Fortune 500 organizations. He is Principal Cybersecurity Advisor at Infosec, where he empowers the human side of cybersecurity with cyber knowledge and skills to outsmart cybercrime. Keatron is an established researcher, instructor and speaker — and lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish. He regularly speaks at major industry events like RSA and serves as a cybersecurity subject matter expert for major media outlets like CNN, Fox News, Information Security Magazine and more. Keatron holds a Bachelor of Science in Business Information Systems and dozens of cybersecurity certifications, including Certified Information Systems Security Professional (CISSP), Certified Ethical Hacker (CEH), Certified Cloud Security Professional (CCSP) and Licensed Penetration Tester (LTP). When not teaching, speaking or managing his incident response business, KM Cyber Security LLC, Keatron enjoys practicing various martial arts styles, playing piano and bass guitar, and spending time with his family.