Network tools

Lord777

Pentester Toolkit: a brief digest of the main tools useful for internal network pentesting. These tools are already in active use by a wide range of specialists, so it is worth knowing their capabilities and mastering them well.

Nmap
Nmap is an open source network scanner and one of the most popular tools among security specialists and system administrators. It is used primarily for port scanning, but it also has a huge array of other functions, which makes Nmap an all-in-one tool for network reconnaissance.

Besides checking open/closed ports, Nmap can identify the service listening on an open port and its version, and sometimes the OS. Nmap supports scanning scripts (NSE, the Nmap Scripting Engine). With scripts you can check various services for vulnerabilities (provided a script exists for them, or you can always write your own) or brute-force passwords for various services.

Thus, Nmap lets you build a detailed map of the network, collect the maximum amount of information about the services running on hosts, and check for some vulnerabilities up front. Nmap also has flexible scan settings: you can tune the scan speed, the number of parallel probes, the size of host groups, and so on.
It is convenient for scanning small networks and indispensable for targeted scans of individual hosts.

Positive:
  • Works quickly with a small range of hosts;
  • Flexible settings - you can combine options in such a way as to get the most informative data in a reasonable time;
  • Parallel scanning - the list of target hosts is split into groups, and each group is scanned in turn, with the hosts inside a group scanned in parallel. The split into groups is also a small drawback (see below);
  • Predefined sets of scripts for different tasks - you don't have to spend a lot of time selecting specific scripts, but you can specify groups of scripts;
  • Output of results - 5 different formats, including XML, which can be imported into other tools.

Disadvantages:
  • Host group scanning - results for a host are not available until the whole group has been scanned. This is mitigated by limiting the group size (--max-hostgroup) and capping how long Nmap waits for a reply before giving up or retrying (--max-rtt-timeout, --max-retries);
  • When scanning, Nmap sends a SYN packet to the target port and waits for a response packet or a timeout. Tracking every probe this way hurts overall performance compared with asynchronous scanners (for example, ZMap or masscan);
  • When scanning large networks with the speed-up flags (--min-rate, --min-parallelism), it can produce false negatives, missing open ports on a host. These options should also be used with care, since a high packet rate can cause an unintentional DoS.
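As an added example (not part of the original post or of the Nmap project), here is a small Python parser for the XML output mentioned above. It assumes a scan run along the lines of `nmap -sS -sV --script default -oX scan.xml 10.0.0.4/30`; the XML embedded in the script is constructed to match the layout of that output, not the result of a real scan. It pulls the open ports of every live host into rows and builds a target list for a follow-up tool (for example, every host with 445/tcp open).

```python
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.4/30` writes,
# trimmed to the elements the parser reads. Not output from a real scan.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.4/30">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fileserver.corp.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.2p1"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds" product="Samba smbd" version="4.6.2"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per open port on every host that is up."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        hn = host.find("hostnames/hostname")
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not interesting here
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(p for p in (svc.get("product"), svc.get("version")) if p)
            rows.append({
                "ip": addr.get("addr") if addr is not None else "",
                "hostname": hn.get("name") if hn is not None else "",
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name", "") if svc is not None else "",
                "product": product,
            })
    return rows


def hosts_with_port(rows, port, proto="tcp"):
    """Target list for a follow-up tool: every host with `port` open."""
    return sorted({r["ip"] for r in rows if r["port"] == port and r["proto"] == proto})


if __name__ == "__main__":
    rows = parse_nmap_xml(SAMPLE_XML)
    for r in rows:
        print(f'{r["ip"]:<15} {r["proto"]}/{r["port"]:<5} {r["service"]:<13} {r["product"]}')
    print("SMB targets:", ", ".join(hosts_with_port(rows, 445)))
```

Point it at a real file with `parse_nmap_xml(open("scan.xml").read())`; the same rows feed naturally into a masscan target list, a Responder/ntlmrelayx target file, or a spreadsheet.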


Zmap
ZMap (not to be confused with Zenmap, Nmap's GUI) is also an open source scanner; it was created as a faster alternative to Nmap.

Unlike Nmap, ZMap does not wait for a reply after sending a SYN packet; it keeps scanning and receives responses from all hosts in parallel, so it does not actually maintain connection state. When a SYN-ACK comes back, ZMap uses the contents of the packet itself to determine which host and port it belongs to. ZMap also sends only one SYN packet per scanned port. If you happen to have a 10-gigabit interface and a compatible network card, you can use PF_RING to scan large networks even faster.

Positive:
  • Scan Speed;
  • Zmap generates Ethernet frames bypassing the TCP/IP system stack;
  • Ability to use PF_RING;
  • ZMap randomizes targets to evenly distribute the load on the scanned side;
  • Ability to integrate with ZGrab (a tool for collecting information about services at the L7 application layer).

Disadvantages:
  • It can cause a denial of service on network equipment, for example by knocking over intermediate routers: the load is spread across the targets, but all packets still pass through the same router.


Masscan
Masscan is, once again, an open source scanner, created with one goal: to scan the Internet even faster (in under 6 minutes at ~10 million packets/s). It works almost the same way as ZMap, only faster still.

Positive:
  • The syntax is similar to Nmap's, and it also supports some Nmap-compatible options;
  • Speed - one of the fastest asynchronous scanners;
  • Flexible scanning - resuming an interrupted scan, splitting the load across several machines (as with ZMap).

Disadvantages:
  • As with ZMap, the load on the network itself is very high, which can lead to DoS;
  • Application-layer (L7) scanning is limited to basic banner grabbing (--banners); there is nothing comparable to Nmap's service probes or NSE.
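The mechanism described in the ZMap section and reused by masscan, stateless scanning, is easy to miss in the prose, so here is an added example (written for this digest, not code from either project) that models it in Python with nothing but the standard library. The source port and sequence number of each SYN are derived from a keyed hash of the target, so a SYN-ACK can be validated by recomputing them rather than by looking up saved state; the target order is randomised by a full-period LCG that stands in (simplified) for ZMap's cyclic-group permutation. The "network" is a set of open (ip, port) pairs constructed for the demo; no packets are sent.

```python
import hashlib
import hmac
import os
import random

# One secret per scan run: replies are validated against it, so stale SYN-ACKs
# from an earlier run, or packets an observer forges blindly, do not count.
SCAN_KEY = os.urandom(16)


def probe_fields(dst_ip, dst_port, key=SCAN_KEY):
    """Source port and initial sequence number for the SYN sent to (ip, port).

    Both are derived from a keyed hash of the target, so the scanner keeps no
    per-probe state: anything it needs later can be recomputed from the reply.
    """
    mac = hmac.new(key, f"{dst_ip}:{dst_port}".encode(), hashlib.sha256).digest()
    src_port = 32768 + int.from_bytes(mac[:2], "big") % 28232  # ephemeral range
    seq = int.from_bytes(mac[2:6], "big")
    return src_port, seq


def validate_reply(reply, key=SCAN_KEY):
    """Classify one incoming packet (a dict standing in for parsed headers).

    Returns (ip, port) for a SYN-ACK that answers a probe of this scan, or
    None for RSTs, unrelated traffic, and forged or stale SYN-ACKs.
    """
    if reply["flags"] != "SA":
        return None
    src_port, seq = probe_fields(reply["src_ip"], reply["src_port"], key)
    # A genuine SYN-ACK comes back to the source port we used and acknowledges
    # our sequence number + 1; both can be recomputed and compared.
    if reply["dst_port"] != src_port or reply["ack"] != (seq + 1) & 0xFFFFFFFF:
        return None
    return reply["src_ip"], reply["src_port"]


def shuffled_offsets(n, seed):
    """Yield 0..n-1 exactly once each in pseudo-random order without storing
    the list: a full-period LCG over the next power of two, skipping values
    outside the range. A simplified stand-in for ZMap's cyclic-group
    permutation; consecutive probes land on hosts far apart from each other.
    """
    m = max(4, 1 << (n - 1).bit_length())     # smallest power of two >= n
    rng = random.Random(seed)
    a = 4 * rng.randrange(1, m // 4 + 1) + 1  # a = 1 (mod 4)  } Hull-Dobell:
    c = 2 * rng.randrange(m // 2) + 1         # c odd          } period is m
    x = rng.randrange(m)
    for _ in range(m):
        if x < n:
            yield x
        x = (a * x + c) % m


def simulate_scan(targets, open_ports, ports=(22, 80, 443), key=SCAN_KEY):
    """Fire one SYN per (ip, port) in shuffled order; `open_ports` plays the
    network and answers with a SYN-ACK. Returns the validated hits, sorted."""
    ips = sorted(targets)
    hits = []
    for i in shuffled_offsets(len(ips), seed=42):
        for port in ports:
            src_port, seq = probe_fields(ips[i], port, key)
            if (ips[i], port) in open_ports:
                reply = {"src_ip": ips[i], "src_port": port, "dst_port": src_port,
                         "ack": (seq + 1) & 0xFFFFFFFF, "flags": "SA"}
                hit = validate_reply(reply, key)
                if hit:
                    hits.append(hit)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed /24 with three open ports; not a real network.
    targets = [f"10.0.0.{i}" for i in range(1, 255)]
    open_ports = {("10.0.0.7", 22), ("10.0.0.7", 443), ("10.0.0.200", 80)}
    print(simulate_scan(targets, open_ports))
    forged = {"src_ip": "10.0.0.9", "src_port": 22, "dst_port": 40000, "ack": 1, "flags": "SA"}
    print("forged reply accepted:", validate_reply(forged) is not None)
```

This is also why the page's warning about load holds: nothing in this loop throttles, so the send rate is bounded only by the link and whatever is in the path; a real run needs a rate cap (ZMap's `-r`, masscan's `--rate`).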


Nessus
Nessus is a scanner for automating checks for known vulnerabilities. The source is closed; the free edition (Nessus Home, now Nessus Essentials) lets you scan up to 16 IP addresses with the same speed and depth of analysis as the paid version.

It can detect vulnerable versions of services and servers, find configuration errors, and run dictionary attacks on passwords. It can be used to verify that services (mail, updates, etc.) are configured correctly, and when preparing for a PCI DSS audit. You can also give Nessus credentials for a host (SSH or an Active Directory account); the scanner then logs in and performs the checks directly on the host. This is called a credentialed scan and is convenient for companies auditing their own networks.

Positive:
  • A separate plugin for each vulnerability, with a constantly updated database;
  • Output of results - plain text, XML, HTML, and LaTeX;
  • Nessus API - lets you automate scanning and retrieval of results;
  • Credentialed scan - use Windows or Linux credentials to check for missing updates and other vulnerabilities;
  • You can write your own security checks in the scanner's own scripting language, NASL (Nessus Attack Scripting Language);
  • Scans of the local network can be scheduled, so the security team stays aware of changes in the security configuration, the appearance of new hosts, and the use of dictionary or default passwords.

Disadvantages:
  • It can disrupt the scanned systems - be careful when running with the safe checks option disabled;
  • The commercial version is not free.


Net-Creds
Net-Creds is a Python tool for collecting passwords and hashes, along with other information such as visited URLs and downloaded files, from traffic, either live during a MITM attack or from saved PCAP files. It is suited to quick, cursory analysis of large volumes of traffic, for example during network MITM attacks when time is short and manual analysis in Wireshark would take too long.

Positive:
  • Services are identified by analysing the packets themselves rather than by the port number in use;
  • Easy to use;
  • A wide range of retrievable data - including usernames and passwords for FTP, POP, IMAP, SMTP, NTLMv1/v2 protocols, as well as information from HTTP requests, such as login forms and basic auth.
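To make the first point concrete (recognising a service from its payload rather than from the port), here is an added Python example in the spirit of Net-Creds and NetworkMiner; it is not code from either tool. The payloads are constructed for the example, and the set of form field names it treats as user/password fields is an assumption.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl

# Constructed client->server payloads, (server_port, bytes), as a sniffer would
# reassemble them from a capture. Not real traffic.
SAMPLE_STREAMS = [
    (2121, b"USER alice\r\nPASS s3cret!\r\nLIST\r\n"),                    # FTP on an odd port
    (8080, b"GET /admin HTTP/1.1\r\nHost: intranet\r\nAuthorization: Basic "
           + base64.b64encode(b"bob:Hunter2") + b"\r\n\r\n"),
    (80,   b"POST /login HTTP/1.1\r\nHost: app\r\n"
           b"Content-Type: application/x-www-form-urlencoded\r\n"
           b"Content-Length: 29\r\n\r\nusername=carol&password=pass1"),
    (110,  b"USER dave\r\nPASS mailpw\r\n"),                               # POP3
    (443,  b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 32),  # TLS: nothing to see
]

HTTP_REQ = re.compile(r"^(GET|POST|PUT|DELETE|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")
PASSWORD_KEYS = ("password", "passwd", "pass", "pwd")          # assumed field names
USER_KEYS = ("username", "user", "login", "email", "uid")


def extract_credentials(port, payload):
    """Credentials in one client payload as (protocol, user, secret) tuples.

    The protocol is recognised from the bytes themselves; `port` is only
    carried through for the report, so FTP on 2121 is found just like on 21.
    """
    found = []
    text = payload.decode("latin-1")  # never fails, keeps binary bytes as-is

    # USER/PASS dialogue shared by FTP and POP3 (same syntax, so same label)
    user = re.search(r"^USER (\S+)\r?$", text, re.M)
    pw = re.search(r"^PASS (\S+)\r?$", text, re.M)
    if user and pw:
        found.append(("ftp/pop3", user.group(1), pw.group(1)))

    if HTTP_REQ.match(text):
        head, _, body = text.partition("\r\n\r\n")
        basic = re.search(r"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", head, re.M | re.I)
        if basic:
            try:
                u, _, p = base64.b64decode(basic.group(1), validate=True).decode("latin-1").partition(":")
                found.append(("http-basic", u, p))
            except binascii.Error:
                pass  # malformed header, not a credential
        if body and "application/x-www-form-urlencoded" in head.lower():
            fields = {k.lower(): v for k, v in parse_qsl(body)}
            pw_key = next((k for k in PASSWORD_KEYS if k in fields), None)
            if pw_key:
                user_key = next((k for k in USER_KEYS if k in fields), None)
                found.append(("http-form", fields.get(user_key, ""), fields[pw_key]))
    return found


def harvest(streams):
    """Run the extractor over every stream; returns (port, proto, user, secret)."""
    out = []
    for port, payload in streams:
        out.extend((port,) + cred for cred in extract_credentials(port, payload))
    return out


if __name__ == "__main__":
    for port, proto, user, secret in harvest(SAMPLE_STREAMS):
        print(f"{proto:<10} port {port:<5} {user}:{secret}")
```

Feeding it real traffic means reassembling TCP streams first (scapy or pyshark over a PCAP); the extractor itself is indifferent to where the bytes came from, which is the property the bullet above is describing.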


NetworkMiner
NetworkMiner works like Net-Creds but has more functionality; for example, it can extract files transferred over SMB. Like Net-Creds, it is useful when you need to analyse a large amount of traffic quickly. It also has a user-friendly graphical interface.

Positive:
  • Graphical interface;
  • Visualization and classification of data into groups-simplifies the analysis of traffic and makes it fast.

Disadvantages:
  • The free edition is limited in functionality.


mitm6
mitm6 is a tool for attacks on IPv6 name resolution (in the spirit of the SLAAC attack). Windows (and, generally, other operating systems) prefers IPv6, and the IPv6 interface is enabled in the default configuration. mitm6 answers the DHCPv6 requests that Windows hosts send by default and hands itself out as the DNS server, after which the attacker can answer the victim's DNS queries (WPAD being the usual target). It is a perfect companion for relay attacks with ntlmrelayx, which makes it possible to attack Windows networks successfully.

Positive:
  • It works in many networks simply because of the default configuration of Windows hosts and networks.

Responder
Responder is a tool for spoofing broadcast name resolution protocols (LLMNR, NBT-NS, mDNS). An essential tool in Active Directory networks. Besides spoofing, it captures NTLM authentication. The kit also includes tools for gathering information and carrying out NTLM relay attacks.

Positive:
  • By default, it raises many servers that support NTLM authentication: SMB, MSSQL, HTTP, HTTPS, LDAP, FTP, POP3, IMAP, SMTP;
  • Allows you to replace DNS in case of MITM attacks (ARP spoofing, etc.);
  • Fingerprinting of the hosts that sent the broadcast request;
  • Analyze mode - passive monitoring of requests without poisoning;
  • Captured NTLM authentication hashes are written in a format that John the Ripper and Hashcat accept.

Minuses:
  • When running under Windows, binding port 445 (SMB) is awkward: the corresponding Windows services have to be stopped and the machine restarted.
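What Responder actually hands to Hashcat is the NTLMv2 challenge/response pair, not a password hash, and the last bullet above is why that is enough to crack offline. The following added example (not part of Responder or of this post) computes that line from a constructed exchange and then does what a cracker does per candidate password. It implements MD4 itself because many OpenSSL 3 builds disable it in hashlib; the user, domain, server challenge, and client blob are made up for the demo.

```python
import hashlib
import hmac
import struct


def md4(data):
    """MD4 (RFC 1320) in pure Python. Needed because the NT hash is MD4 of the
    UTF-16LE password and OpenSSL 3 builds commonly reject hashlib.new("md4")."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z & M)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg)) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, k, order, shifts in rounds:
            for i, j in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[j] + k) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers for the next step
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password):
    return md4(password.encode("utf-16le"))


def ntlmv2_proof(password, user, domain, server_challenge, blob):
    """NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob), where
    NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(UPPER(user) || domain))."""
    ntowf_v2 = hmac.new(nt_hash(password), (user.upper() + domain).encode("utf-16le"), hashlib.md5).digest()
    return hmac.new(ntowf_v2, server_challenge + blob, hashlib.md5).digest()


def hashcat_line(user, domain, server_challenge, proof, blob):
    """The netntlmv2 line as Responder logs it (hashcat -m 5600, john --format=netntlmv2)."""
    return f"{user}::{domain}:{server_challenge.hex()}:{proof.hex()}:{blob.hex()}"


def check_candidate(line, password):
    """What a cracker does per candidate: recompute the proof and compare."""
    user, _, rest = line.partition("::")
    domain, chal, proof, blob = rest.split(":")
    got = ntlmv2_proof(password, user, domain, bytes.fromhex(chal), bytes.fromhex(blob))
    return hmac.compare_digest(got, bytes.fromhex(proof))


# Constructed capture: the values a Windows client would return after
# Responder's challenge. Real blobs also carry AV_PAIRs with NetBIOS/DNS names.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
CLIENT_BLOB = (bytes.fromhex("0101000000000000")              # RespType 1, HiRespType 1, 6 reserved
               + struct.pack("<Q", 133_500_000_000_000_000)  # timestamp (FILETIME)
               + bytes.fromhex("a0b1c2d3e4f50617")            # client challenge
               + bytes.fromhex("00000000")                    # reserved
               + bytes.fromhex("00000000")                    # AV_PAIR list: MsvAvEOL only
               + bytes.fromhex("00000000"))                   # reserved


def captured_line(user="jdoe", domain="CORP", password="Summer2023!"):
    """Build the line Responder would have written for this (constructed) exchange."""
    proof = ntlmv2_proof(password, user, domain, SERVER_CHALLENGE, CLIENT_BLOB)
    return hashcat_line(user, domain, SERVER_CHALLENGE, proof, CLIENT_BLOB)


if __name__ == "__main__":
    line = captured_line()
    print(line)
    for guess in ("Winter2023!", "Summer2023!"):
        print(f"{guess:>12}: {'match' if check_candidate(line, guess) else 'no'}")
```

Two practical consequences follow from the code: the server challenge is chosen by Responder, so every capture is independently crackable (no rainbow tables, but no salt reuse either), and because the per-candidate cost is two HMAC-MD5s over short inputs, Hashcat gets through ordinary dictionaries in minutes on a single GPU.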


Evil Foca
Evil Foca is a tool for testing various network attacks in IPv4 and IPv6 networks. It scans the local network, identifying devices, routers, and their network interfaces, after which you can launch various attacks against the hosts found.

Positive:
  • It is convenient for performing MITM attacks (ARP spoofing, DHCP ACK injection, SLAAC attack, DHCP spoofing);
  • You can conduct DoS attacks - with ARP spoofing for IPv4 networks, with SLAAC DoS in IPv6 networks;
  • You can perform DNS hijacking;
  • Easy to use, user-friendly graphical interface.

Disadvantages:
  • It works only under Windows.


Bettercap
Bettercap is a powerful framework for analysing and attacking networks, including wireless networks, BLE (Bluetooth Low Energy), and even MouseJack attacks on wireless HID devices. It also contains functionality for harvesting information from traffic (similar to Net-Creds). In short, a Swiss Army knife. It has recently gained a web-based graphical interface as well.

Positive:
  • Credential sniffer - captures visited URLs and HTTPS hosts, HTTP authentication, and credentials for a variety of protocols;
  • Many built-in MITM attacks;
  • Modular transparent HTTP(S) proxy - lets you manipulate traffic as needed;
  • Built-in HTTP server;
  • Support for caplets, script files that describe complex, automated attacks.

Disadvantages:
  • Some modules, for example ble.enum, are only partially supported on macOS and Windows, and some, such as packet.proxy, are Linux-only.


gateway_finder
gateway_finder is a Python script that helps identify possible gateways on the network. It is useful for checking segmentation or finding hosts that can route to a required subnet or to the Internet. It suits internal pentests where you need to quickly check for unauthorized routes or routes into other internal networks.

Positive:
  • Easy to use and customize.


mitmproxy
mitmproxy is an open source tool for analysing SSL/TLS-protected traffic. It is convenient for intercepting and modifying such traffic, with one caveat: the tool does not attack SSL/TLS itself, so it only decrypts connections for which the client trusts mitmproxy's CA certificate. It is used when you need to intercept and modify SSL/TLS-protected HTTP traffic. The suite consists of mitmproxy for interactive proxying, mitmdump, which is like tcpdump but for HTTP(S) traffic, and mitmweb, a web interface for mitmproxy.

Positive:
  • It works with various protocols, and also supports modification of various formats, from HTML to Protobuf;
  • Python API-allows you to write scripts for non-standard tasks;
  • It can work in transparent proxy mode with traffic interception.

Disadvantages:
  • The dump format is not compatible with anything else - it is hard to grep, so you end up writing scripts.
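Two of the points above, the Python API and the awkward dump format, can be addressed together with an addon. The following is an added example, not from the mitmproxy project: run with `mitmdump -s addon.py`, it forces uncompressed responses for in-scope hosts and writes one flat JSON line per completed request, which grep and jq handle without trouble. The scope list and output file name are assumptions for the example; the record deliberately stores field names and auth schemes rather than secrets, so the log itself is not a credential dump.

```python
import json

# Assumed scope for the example: hosts whose traffic is worth recording.
SCOPE = ("intranet.corp.local", "app.corp.local")
LOG_PATH = "mitm_requests.jsonl"  # assumed output file name


def in_scope(host):
    """Exact host or a subdomain of one of the SCOPE entries."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in SCOPE)


def flow_record(method, url, headers, form_fields, status=None):
    """Pure function producing the record the addon writes: one flat JSON
    object per request. Secrets are not copied; only which auth scheme,
    which cookies, and which form field names appeared.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    rec = {"method": method, "url": url}
    if "authorization" in headers:
        rec["auth_scheme"] = headers["authorization"].split(" ", 1)[0]
    if "cookie" in headers:
        rec["cookie_names"] = [c.split("=", 1)[0].strip()
                               for c in headers["cookie"].split(";") if c.strip()]
    if form_fields:
        rec["form_fields"] = sorted(form_fields)
    if status is not None:
        rec["status"] = status
    return rec


def write_record(rec, path=LOG_PATH):
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec, sort_keys=True) + "\n")


# ---- mitmproxy hooks: `mitmdump -s this_file.py` (or mitmproxy / mitmweb) ----

def request(flow):
    """Called for every client request before it is forwarded."""
    if not in_scope(flow.request.host):
        return
    # Ask for an uncompressed response so bodies stay readable in the UI/dump.
    flow.request.headers["accept-encoding"] = "identity"


def response(flow):
    """Called once the server response is in; record request + status together."""
    if not in_scope(flow.request.host) or flow.response is None:
        return
    form = list(flow.request.urlencoded_form.keys()) if flow.request.urlencoded_form else []
    write_record(flow_record(flow.request.method, flow.request.pretty_url,
                             flow.request.headers, form, flow.response.status_code))
```

The pure `flow_record` function is what makes the addon testable without a browser; the two hook functions are the only part that touches mitmproxy's `flow` object, and they use nothing beyond `request.host`, `request.headers`, `request.urlencoded_form`, `request.pretty_url`, and `response.status_code`.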


SIET
SIET (Smart Install Exploitation Tool) is a tool for exploiting the Cisco Smart Install protocol. With it you can retrieve and modify a device's configuration and take control of the Cisco device. If you manage to obtain a Cisco device's configuration, you can check it with CCAT; that tool is useful for analysing the security of Cisco device configurations.

Positive:
Using the Cisco Smart Install protocol, you can:
  • Change the TFTP server address on the client device by sending a single malformed TCP packet;
  • Copy the device configuration file;
  • Replace the device configuration, for example by adding a new user;
  • Update the IOS image on the device;
  • Run an arbitrary set of commands on the device. This is a newer feature that only works on IOS versions 3.6.0E and 15.2(2)E.

Disadvantages:
  • It works with a limited set of Cisco devices. You also need a public IP address to receive the device's response, or you need to be on the same network as the device.


yersinia
yersinia is an L2 attack framework designed to exploit security flaws in various L2 network protocols.

Positive:
  • Allows attacks on STP, CDP, DTP, DHCP, HSRP, VTP, and other protocols.

Minuses:
  • Not the most user-friendly interface.


proxychains
proxychains is a tool that forces an application's traffic through the specified proxy (SOCKS4, SOCKS5, or HTTP), or through a chain of them.

Positive:
  • It lets you route the traffic of applications that have no proxy support of their own.

In this article we briefly reviewed the advantages and disadvantages of the main tools for internal network pentesting. Stay tuned: we plan to continue publishing such collections, and will certainly cover web, databases, and mobile apps as well.