Penetration Testers (aka ethical hackers) use a myriad of hacking tools depending on the nature and scope of the projects they’re working on. Every engagement is different. Are they testing external or internal networks? Perhaps web applications or configurations? Are they given credentials beforehand, including getting their own space in the client’s building? Or will they need to start from scratch, including infiltrating the client by means of unauthorized access or social engineering, before even getting started on the actual hacking?

There are many factors to account for.

Now, before we proceed, let’s clarify the definition of penetration testing first, and how it’s different from a vulnerability scan.

Vulnerability Scan – Automated means of identifying vulnerabilities present on a set of predefined assets, intended to identify areas of potential risk and overall patching posture.

Penetration Test – Manual testing methods augmented with automated scanning and reconnaissance performed against a predefined list of assets, intended to exploit risk to the maximum degree possible.

In a gist: Vulnerability Scan = pointing out vulnerabilities (automated) | Penetration Test = actually exploiting said vulnerabilities (manual)

[Note: This post is just a gist — To see these tools in action and for more robust information, we recommend you watch the on-demand video recording of this webcast with our Head of Security Research and Penetration Tester, Shawn Evans. Click here to watch the video.

As mentioned earlier, every engagement is different, so it only follows that different tools are used for different circumstances. Our expert Pentesters here at NopSec, however, has determined six tools that they use in virtually all their engagements. They determined the following as their top tools and consider them very useful according to the following (albeit informal) criteria:

Versatility Allows for creative applications in multiple scenarios Works across multiple platforms (We <3 Python)

Uses standard libraries and protocols to probe and test

Easy to use

Returns actionable results

Frequency of use in real world scenarios

And so, without further ado, here are the top 6 tools in their ethical hacking utility belt (of sorts):

1. Nmap – Nmap is easily the gold standard for service detection and port enumeration. That said, it is easy to use, but requires expertise to master. It has an incredibly deep scripting library and has fine grained manipulation of packets (flag flipping is not a SYN).

2. Enum4Linux – It’s a domain controller data exfiltration tool, but really just an incredibly clever wrapper for the standard command line tools smbclient, rpcclient, nmblookup. It exploits the presence of a NULL session on the domain controller and enables attackers to query domain users, group membership, password policies, and shared resources.

3. Responder – Responder is a Windows Proxy Auto-Discovery Protocol (WPAD) Man-in-the-Middle tool (MiTM). It serves up a proxy configuration file that pretty much says “i’m your proxy…trust me…it’s cool” and WPAD, which is a method used by clients to locate the URL of a proxy configuration file using DHCP, DNS, and NetBios.





4. SMBMap/CrackMapExec – Not an admin? Not a problem. This tool auto scans SMB shares for files like web.config or passwords.txt (not joking… these exist, and contain exactly what you’d expect). SMBMap help isolate systems where a compromised account has Admin rights and facilitates remote command execution. CrackMapExec excels at dumping clear-text Windows credentials and password hashes.





5. Metasploit Framework (MSF) – An extremely versatile exploitation framework, it is the gold standard (pipe down PowerShell Empire fans…PSE is also awesome). It’s best known for its repository of exploits against known vulnerabilities, however, it’s the handlers, auxiliary and post exploitation modules that are the crown jewels, and most frequently used during engagements. It also supports every useful protocol and application…or at least the ones you’d want to hack (VNC, SMB, HTTP, FTP, Tomcat, JBoss, MSSQL, etc).

6. Proxychains – So you’ve exploited a dual homed server, how do you attack the other segment? Proxychains “proxifies” almost any command line tool (I’m not talking about you, Java) and can link any number of SOCKS4/5 and HTTP proxies. That said, full connections only – thou shalt not SYN.

Okay, now that we have all six, if you put them together, you get a lovely kill chain. Below is a sample of how this will play out:

We hope you found this post information and helpful. As mentioned earlier, we highly recommend that you watch the on-demand video covering these tools, including more information on kill chains and how these tools are utilized to do so.

To learn more about NopSec’s Penetration Testing services and speak with our Pentesters, please feel free to reach out by filling out this form.