So the tools I will use in every web application tests are:

• Firefox – plugins foxy proxy,tampa data,
• Google Chrome
• Burpsuit
• SQLmap
• Hoppy
• Nikto
• sslScan

I tend to use firefox as my main testing browser this is because it had lots of plugins that make life easy and also does not have a built in feature like xss filtering like chrome. I then use Google chrome as another web browser that allows me to search and use the internet without having any of the search results show up in burpsuit or any other tools.

Burpsuit is the main tool I use, simply put it’s the best one to use. It has loads of features and if you have the pro version you can sometimes identify low hanging fruit. It allows you to scan the site, intercept requests and modify paramaters. You can use tampa data to modify requests but burpsuit has many more features that really does make life easier.

The next tool is sqlmap. I use this then when I need it, mainly if I identify an sql injection point. This allows me to easy dump the database without knowing every sql statement off by heart.

Hoppy and Nikto I tend to run after each other to try and gather more information about the web application. Hoppy is a fansatic little tool written in python and is a http options prober which checks the availability of http methods as well as probing them to see if they can be forced to disclose system information. Nikto again tries to identify directories and other information about the web applications. On many occasions it has helped me to find webdav directories which allows me to upload contents to the site.

Last but not least sslscan, this is great to determine the ciphers that are supported on a website. It identifes if it’s using sslv1 or sslv2 as well as if it is using encryption equal too or greater than 128b.

So what do you think am I missing? Anything you would add to the list? Most of the tools are free apart from burpsuit but you can get a free version of that too.

So, in no certain order, the eight tools I use in every pentest are…

1. Netcat
2. OpenSSL
3. Nmap
4. Ettercap
5. Tcpdump
6. Burp suite
7. Nikto
8. OpenVAS

To give reason to this list, let’s start with netcat and openSSL – these two tools are used to verify banners from vulnerability scans, as well as trying to identify unknown protocols. Pretty straight forward, but essential tasks.

I primarily use Nmap as a vulnerability scanner, not just to identify targets. The “-A” option is a must-use flag that adds additional depth to output from better-known vulnerability scanners, like openVAS (also on my list – seems to be more up-to-date than some of the others… plus I’m a firm believer in open source projects; they have propelled this industry farther along than any commercial software ever has).

I also use nikto and Burp Suite to find things missed. I cannot count how many times Burp Suite saved my butt during a pentest – the one commercial product I buy with my own money.

That leaves ettercap and tcpdump, which only belong in the list when conducting internal pentests. If you aren’t conducting ARP spoofing attacks, you aren’t doing an in-depth pentest. Soooo much traffic crosses the wire that it’s inevitable to capture sensitive data.

Naturally, there are some tools that I use most of the time (e.g. Metasploit, JTR, medusa, etc.), but not every time… hence the exclusion from the list.

Now that I listed my top eight, I have to say I’m stuck in my ways, and there are probably tools I’m ignoring. Let me know what you think should be added to this list of must-use hacker tools. I may be old, but I can still learn new tricks.

During an internal pentest, usernames and passwords are what make the magic happen. A lot of time is spent in hacker videos and courses on showing how to obtain access to systems through the use of metasploit or other exploits – but those types of attacks only work on low-hanging fruit, as the saying goes. Yes, looking for well-known exploits is part of the pentest, but once the hunt for usernames and passwords begins, that’s when things start to really happen. Due to password re-use (whether by the user or the domain), passwords are the primary method of going from a workspace PC to a production server.

Methods used to obtain passwords vary, but my personal favorite is through MITM attacks, especially ARP spoofing – it is fun to catch sensitive data flying across the network without any concern by users as to what that data is, especially when they surf the Internet. But as we see in the Nissan attack, usernames and passwords are valuable data; it will be interesting to see if Nissan reports any further exploits, now that a portion of their employee data is in the wild. Especially since we know that people are lazy and will undoubtedly reuse their old passwords again – even those that might have been harvested during this attack.

We have recently redesigned the web site for the Dojo. If you encounter any problems, please let us know. And for those who have been visiting the dojo in the past, you will also recognize that we are implementing some new features as well – specifically a blog and a newsletter. Since one of my core beliefs is that hackers should give back to the community, these two new features on the site will allow myself, the instructors, and even the students, to do just that.

So what kind of material will you find in the blogs and newsletter? Well, the blog will discussions instructional or informational tidbits about security tools, recent hacking events, and opinion articles, just to name a few. The newsletter, on the other hand, will cover more in-depth analysis of clever or effective hacks, useful to the professional pentester. The newsletter will also include updates of our open source projects, so make sure you sign up for the newsletter as well (the subscription link can be found on the Dojo’s front page).

Thanks, and I hope you enjoy the new features!