Penetration testing

Keatron’s Penetration Tools List

July 31, 2010 by Keatron Evans

Since I get asked a lot which tools I typically use for doing certain parts of testing, I’ve decided to compile a short list of stuff I might use in an engagement. They are….

Let me just say that I’m subject to use Backtrack in any phase.

Phase 1 Passive Reconnaissance

  1. Google (1st stop for passive recon), facebook, myspace, linkedin etc. (Find info on individuals)
  2. Netcraft (find passive info about web servers.
  3. Whois
  4. Geo Spider
  5. Google Earth
  6. HTTrack
  7. Webripper
  8. Wireshark (I use in almost every phase. I wanna see if their website is sending me any tracking goodies while I’m reconning it.)
  9. Paros (Same as above, plus I use it to study authentication methods, and other stuff on their sites)

Phase 2 Scanning

  1. Nmap
  2. Firewalk
  3. Hping
  4. Modem Scan
  5. THC Scan
  6. Tone Loc
  7. p0f
  8. Solarwinds
  9. TCPTraceroute

Phase 3 Vulnerability Research

  1. (I pretty much go manual here, but there’s always Nessus, ISS and others).
  2. I usually try and build something that looks as close as possible to my target, and practice exploiting them. I count this as part of my vulnerability research.
  3. Places I check are Secunia, Seclist, Milw0rm, Eeye,, Securiteam, and a few others.
  4. Vendor websites.

Phase 4 Penetration/Hacking

Breaking in

  1. Manual exploit code
  2. Metasploit
  3. Core Impact (Large scale (5000 or more nodes to penetrate).

Password Cracking

  1. Kerb Crack
  2. Pwdump
  3. Cain & Able
  4. John the Ripper
  5. Rainbow Crack
  6. Hydra

Trojans & Rootkit

  1. I usually make my own. But some good POC ones are Poison Ivy, Nuclear RAT, Netbus.

Phase 5 Going Deeper

  1. Dsniff
  2. Tcpdump
  3. Arpspoof
  4. Putty
  5. Recub
  6. Scapy (to trick devices and anything else which accepts or send packets)
  7. WebScarab (studying HTTPS and other secure authentication processes)
  8. IDA Pro (reversing any custom apps I find being used internally).
  9. Olly Debug (same as above).
  10. Yersinia (VLAN hopping, and other low stack level attacks)

Phase 6 Covering Tracks

  1. RM, delete, erase, etc (obviously).
  2. Clearlogs
  3. Wipe utility
  4. ADS
  5. Winzapper (not a big fan, but when I have to…..)
Posted: July 31, 2010
Keatron Evans
View Profile

Keatron Evans is regularly engaged in training, consulting, penetration testing and incident response for government, Fortune 50 and small businesses. In addition to being the lead author of the best-selling book, Chained Exploits: Advanced Hacking Attacks from Start to Finish, you will see Keatron on major news outlets such as CNN, Fox News and others on a regular basis as a featured analyst concerning cybersecurity events and issues. For years, Keatron has worked regularly as both an employee and consultant for several intelligence community organizations on breaches and offensive cybersecurity and attack development. Keatron also provides world-class training for the top training organizations in the industry, including Infosec Skills live boot camps and on-demand training.

21 responses to “Keatron’s Penetration Tools List”

  1. Rick Hoang says:

    Thanks Keatron! Had a great time in your class last week and learnt ALOT!

  2. Rick. Glad to have you and congrats again on obtaining your CPT and CEH certifications. Keep up the good work!


  3. YaKhOo says:

    just the steps title make sens to how begin
    thanks sir 4 sharing

  4. Denny says:

    Nice list, what advice would you give to someone who would be doing self study of CEH and wants to do more security stuff.

  5. Marcus says:

    i am impres by your presentation. Ilook forward for more of it.

  6. ‘@YakhOo. Thanks for reading. Sharing information is something of a passion of mine.

    @Denny. While self study of some certifications is highly recommended, CEH is not really one of those. There is a ton of material, and you really need someone who is 1. Skilled in pentesting and knows security, and 2. Have the ability to relay LOTS of technical information in an easy to digest way in a short amount of time. But if I had to give a single recommendation, I would say spend time here, and ask questions. You’ll have access to me and several other VERY skilled instructors and security professionals. Dan Hasted, Jeremy Martin, and Jack Koziol are all the best in the business, and they all three teach this course as well for Infosec Institute.

    @Marcus. Much more coming my friend, we are just getting started!

  7. Denny says:

    Thanks for the information Keatron, look forward to more posts.

  8. Bushman says:

    Interesting stuff, Keatron!!
    However, what really defferentiate your infosec from sans institute? Is it your tools, skills, location??

    How about the certs vs GIAC, for example GPEN? WHich one is the best in the sec field or have best ROI?

    Your clarification would be very much appreciated since your one of the most recongnize figures.

  9. ‘@Bushman. We offer the best training from real world instructors who are actually professionals performing penetration tests and forensics investigations in real life.  We specialize in smaller, directed and effective classroom logistics, for example you’d never see us have more than 15 to 18 people in a single class.  I know all of our instructors personally, and we are all PASSIONATE about what we do.  This shows up in our classes. Additionally are labs are very technical and require each student to do their labs. A good class for us is when a student says “Wow, I learned a lot and I can actually DO the things I learned about and saw the instructor do”. A lot of students in other places come away saying “I saw a lot and was impressed, but I can’t actually do any of the stuff I saw”

  10. Aravind.M says:

    I read your views and i am really impressed.If you don’t have any serious technical knowledge and you have started a career in security testing/penetration testing then how to start yourself and what are the things to learn first before going deep into testing.I have landed myself in security testing and I would like to know what is technical knowledge required in this field?Also I don’t have a lot of programming knowledge but to some extent.


  11. ‘@Aravind.M
    Well, my friend you already made a good first move by coming here. Start with this link.

  12. surya singh says:

    what is the brief need if IPV6 in ceh chapter scinario,what so special with the combination of these 2 with 3 g chemistry

  13. Keatron says:

    Surya, I don’t really get your question. Can you elaborate?

  14. thanks a lot for providing this information. thanks

  15. sean cita says:

    am really interested in ceh though dont have much knowledge on security just got my ccna certification so am thinkin of followin the path of security to strengthen my IT knowledge but the constraint am having is gettin the tutor in my country is quite expensive!1 so i want to know if i can get ebooks to study on my own so as to prepare myself for the exam….

  16. Keatron Evans says:

    Sean. Self study is certainly an option. As I eluded to in this post <a href=""How to Learn Pentesting Skills

    Just know that it’ll take more time.

    Good luck.

  17. Mitch says:

    Greetings Keaton,

    What is the best defense from penetrating tools? what I mean, is there a specific firewall, anti-virus, or hips that you would recommend?

    Thank You

  18. Jay says:

    Hey Keatron, great list. Any updates to the toolkit???

  19. Paul Lin says:

    Hi Keatron, just finished your ceh class. Excellent class, learned a lot, and now going through your postings to reinforce some of the stuff from class. I now have a greater appreciation of what the tools on the list can do and their limitations. My suggestion to those others reading this post is to not only understand what these tools can do, but also learn what they can’t. It’s like using a sledge hammer to drive in a nail, it’ll get the job done, but why go through all that wasted effort.

  20. Anonymous says:

    I have taken other security courses outside of InfoSec and needless to say I will never make that mistake again. The other courses offered by other vendors I often felt like I knew more than the instructors. Keatron is the real deal and has a lot to offer from an education standpoint. He practices what he preaches and is that rare blend between technical and business savy that is critical to being a true success in this market place.

    Really inspiring class ( Advanced Ethical Hacking)

  21. Alagu Jeeva M says:

    Hi I want to learn about setting up a complete lab for CEHv8 can you help me in please?

Leave a Reply

Your email address will not be published.