[Compiled by a network security engineer with ten years' experience] - Introduction to 100 penetration testing tools

Penetration testing refers to penetration testers using various means, from different positions (such as from the internal network or from the external network), to test a specific network in order to find and dig out the vulnerabilities present in the system, then to produce a penetration test report and submit it to the network owner. From the report the tester provides, the network owner can clearly see the security risks and problems present in the system.

So today I will introduce some commonly used penetration testing tools and how to use them. It's recommended that you collect them and practise with them slowly.

| Tool | Category | Interface | Function | Comment |
|---|---|---|---|---|
| dmitry | information gathering | | whois query / subdomain collection / port scan | whois isn't straightforward; subdomains and mailboxes rely on Google; port scanning speed is average |
| dnmap | information gathering | | Used to build a distributed nmap: dnmap_server is the server, dnmap_client is the client | Not that convenient to use; not unusable, just not really necessary |
| ike-scan | information gathering | | Collects fingerprint information from IPsec VPN servers | It seems to be for attacking VPNs; I don't understand it |
| maltegoce | information gathering | gui | Collects and displays correlations between domain names, accounts and so on | The correlation display is really good, but the results may not be ideal, especially for domestic targets |
| netdiscover | information gathering | | Actively sends ARP packets and intercepts ARP packets | As far as ARP detection goes, it does its job well |
| nmap | information gathering | cmd-line | Port service detection and port vulnerability scanning | The master of port scanning |
| p0f | information gathering | cmd-line | Monitors the packets sent and received by the network card and reads information such as the remote machine's operating system version out of them | After all, it only extracts version information from the packets, so don't expect much |
| recon-ng | information gathering | shell | Information gathering framework modelled on msf | Like a command-line version of webmaster-tools sites and the like; the idea is good, but it doesn't feel that intuitive to use |
| sparta | brute force | gui | Graphical version of hydra, with port service scanning added | It's OK; a GUI is better than nothing |
| zenmap | information gathering | gui | GUI version of nmap | It's OK; a GUI is better than nothing |
| golismero | web scan | cmd-line | A text-mode web scanner similar to awvs | Feels like it gives a better understanding of how scanners work |
| lynis | system audit | | Feels a bit like the "try it now" check on the 360 home page, except it only scans and raises alerts; there is no one-click repair | Written as a shell script, which is fun |
| nobody | web scan | | Web scanner | I like this kind of scanner that reports vulnerabilities directly (but in fact very few of them are usable) |
| unix-watch-check | system audit | | Audits whether the permissions of key system files are abnormal | Still no summary view or repair function |
| bed | system scan | | Tests multiple services for buffer overflow vulnerabilities by sending various fuzzed data | Probably not bad |
| burpsuite | web proxy | | The common web proxy packet interception tool | Powerful; couldn't ask for more |
| mingling | injection detection | | sqlmap detects SQL injection; this tool detects system command injection | The two combined basically cover injection |
| httrack | website clone | | Clones a website locally | May be useful for phishing, WooYun (乌云) and the like |
| owasp-zap | web proxy | gui | Tool developed by the OWASP organisation | Compared with burpsuite, it weakens packet interception and strengthens web vulnerability scanning, but I didn't feel it scanned anything out |
| paros | web scan | gui | A web crawling and vulnerability scanning tool | Similar to owasp-zap |
| skipfish | web scan | cmd-line | A fully automated web vulnerability scanning tool | Its job is to crawl the site's pages, analyse them for vulnerabilities, and finally generate an HTML report |
| sqlmap | sql injection scan | cmd-line | A powerful SQL injection scanning tool | |
| w3af | web scan | shell/gui | A web vulnerability scanning framework | The so-called framework is a bunch of scanning modules from which you pick some to scan the site; it doesn't feel as good as it sounds |
| webscarab | http proxy | gui | A more specialised tool for analysing a website's tree structure | |
| wpscan | web scan | | Vulnerability scanner for WordPress | |
| bbqsql | blind injection | shell | A highly configurable interactive blind SQL injection tool | |
| hexorbase | database management | gui | A client supporting multiple databases, with password-cracking capabilities for several of them | It can only really be used as a client; to crack passwords you need to prepare your own dictionary |
| jsql | database probing | gui | Detects the database type from a URL / parameter injection testing / admin page detection / important file detection | |
| mdb-sql | database management | cmd-line | Connects to Access database files (mdb) and then queries the data with SQL statements | |
| oscan | database guessing | cmd-line | Uses a dictionary to check whether an Oracle database is listening and to guess the service name | Few parameters. It can test SIDs and default users, but the default dictionary basically finds nothing; you have to write your own |
| sidguesser | database guessing | cmd-line | Uses a dictionary to detect the SIDs present on an Oracle database | Few parameters. Testing confirmed that if the SID is in the dictionary it can be detected. Dictionary-based tools still require you to prepare your own dictionary |
| sqlite database | database management | gui | SQLite database client | |
| sqlninja | database guessing | cmd-line | For guessing against MS SQL | |
| sqlsus | sql injection detection | cmd-line | Blind injection detection for MySQL | |
| tnscmd10g | database probing | cmd-line | Probes whether Oracle is listening, plus some other information | |
| cewl | password file creation | cmd-line | Crawls the given URL and, subject to the given constraints, extracts words from the pages to generate a password set | The idea is sound, but it's a bit of a pity that it only extracts words from the pages, with no smart substitutions such as a to @ |
| crunch | password file creation | cmd-line | Generates a password set according to the specified conditions | |
| hashcat | hash brute force | cmd-line | Brute-force guessing tool for many hash types; fast and (relatively) light on CPU | |
| john | system password cracking | cmd-line | Cracks system password files (such as /etc/passwd) to recover plaintext passwords | |
| johnny | system password cracking | gui | GUI version of john | |
| medusa | password guessing | cmd-line | Password guessing against IMAP, rlogin, SSH and so on; similar to hydra | |
| ncrack | password guessing | cmd-line | Password guessing against IMAP, rlogin, SSH and so on; similar to hydra | |
| ophcrack | system password cracking | gui | Rainbow-table-based Windows password cracker | |
| pyrit | wifi cracking | cmd-line | Password cracking tool for WPA/WPA2-encrypted wifi | |
| rainbowcrack | hash cracking | cmd-line | Generates rainbow tables, sorts them, and cracks hashes using the sorted tables | |
| rcracki_mt | hash cracking | cmd-line | Rainbow-table-based hash cracker; possibly part of rainbowcrack | |
| wordlist | password files | cmd-line | Prints the locations of some password files bundled with Kali | |
| aircrack-ng | wifi cracking | cmd-line | Wifi password cracking suite for WEP and WPA encryption | |
| chirp | radio interception | gui | Interception tool for various radio packets (?) | |
| cowpatty | wifi cracking | cmd-line | Guesses WPA-PSK wifi passwords from a captured handshake and a password dictionary | It can't capture packets itself and only handles WPA-PSK, so it's a bit weak |
| Fern WIFI Cracker | wifi cracking | gui | Dictionary-based cracker for WEP- and WPA-encrypted wifi | Discovers wifi automatically, can capture packets, graphical operation, simple and easy to use |
| Ghost Phisher | AP impersonation | gui | Discovers APs, disconnects the devices attached to an AP, then impersonates the AP so the devices reconnect to it | Besides the fake AP, the GUI also offers fake DNS, HTTP servers and so on; fairly usable |
| giskismet | visualisation | gui | Visualisation tool for Kismet output; converts it into text, html and other formats | |
| kismet | AP discovery | shell | Interactive AP discovery tool that lists all sorts of information about nearby APs | |
| MDK3 | AP disruption | cmd-line | Can send an AP large numbers of connect and disconnect requests, and can advertise to nearby devices large numbers of APs that don't exist at all | This tool's attack methods are simply crazy |


Source: blog.csdn.net/weixin_42350212/article/details/123771006