CompTIA Pentest+ PT0-002 – Section 24: Tool Round-up Part 1
March 22, 2023

227. Tool Round-up (OBJ 5.3)

In this section of the course, we’re going to perform a quick review and summary of all the different tools that are covered on the PenTest+ exam. Now, we’ve already covered a lot, if not all, of these tools during our time together, but for the sake of completeness, and to fully cover all of the exam objectives, I wanted to use this section to finish our coverage of Domain 5, Tools and Code Analysis, with this review of all of the different tools. As we move through this section, we’re going to be focused on which tools are used for which things during your engagements, to fully cover Objective 5.3. This objective states that you must be able to explain the use cases of the following tools during the phases of a penetration test. The objective then goes on to break down these tools into 12 different categories: OSINT tools, scanning tools, networking tools, wireless tools, social engineering tools, remote access tools, credential testing tools, web application tools, cloud tools, steganography tools, debuggers, and miscellaneous tools. Now, in each of these categories there’s anywhere from two to 10 different tools listed, giving you a total of 77 different tools whose use cases you need to be able to explain on the exam. So what does this mean come exam day? Well, it means you’re going to get multiple choice questions that ask you which tool you would select to accomplish a specific task during your engagement.

For example, if the question asks you, “Which tool could be used to collect frames and packets sent over a wireless network?” you would then look at your four options, for example John the Ripper, Nessus, Netcat, and Aircrack-ng, and select the most appropriate tool for the use case. In this example, that would be Aircrack-ng, because it is a complete suite of wireless security assessment and exploitation tools, including ones for putting an interface into monitor mode (airmon-ng) and capturing the frames and packets into a PCAP file for later analysis (airodump-ng). John the Ripper, on the other hand, is well-known as a password cracking tool, Netcat is a remote access tool, and Nessus is a vulnerability scanner. This is the level of depth that you need to answer the questions that come from Objective 5.3 come exam day. So in this section, I’m going to spend one lesson on each category of the different tools listed in Objective 5.3. In each lesson, I’m first going to list out all the tools that we’re going to cover in that lesson, and then I’m going to give you the definition or use case for each tool. My goal here is not to show you how to use any of these tools, but instead just to help you associate the tool and its use case during a penetration test. Many or most of these tools we’ve already covered throughout this course.

This section is really just a quick review, and a way for us to give you a complete list of all the tools in one place inside your notes, so that you’re well-prepared for this type of question on the exam. All right. It’s time for us to finish up our coverage of Domain 5, Tools and Code Analysis, with our tool round-up in this section of the course.

228. OSINT Tools (OBJ 5.3)

In this lesson, we’re going to do a quick review of the different open source intelligence (OSINT) tools that you need to know for the exam. Now, open source intelligence tools find actionable intelligence from various publicly-available sources. That’s why we call it open source. It’s not about the licensing agreement for the tool itself making it open source or not, it’s the type of data that you’re collecting with it. Now, in this lesson, we’re going to talk about eight different open source intelligence tools. This includes WHOIS, Nslookup, FOCA, theHarvester, Shodan, Maltego, Recon-ng, and Censys. First, we have WHOIS. Now, WHOIS is a query and response protocol that’s widely used for querying the databases that store the registered users and assignees of an internet resource, things like a domain name, an IP address block, or an autonomous system. Essentially, anybody who buys a domain name is going to be listed inside of the WHOIS system. To use it, you’re simply going to run whois followed by the domain name that you want to look up, and you’re going to get back information about that domain, including the registrar, the name servers, and the addresses, phone numbers, and points of contact that are associated with that particular domain name. One caveat here: since GDPR, many registrars redact the registrant details or front them with a privacy proxy, so the contact fields are often less useful than they used to be, but the registrar, the creation and expiry dates, and the name servers are still there and still tell you a lot about the target. Second, we have Nslookup. Now, Nslookup is a network administration command-line tool that’s used for querying the Domain Name System to obtain the mapping between domain names and IP addresses, or other DNS records.

Now, when you use Nslookup, you’re going to get lots of good information about a particular domain. In its most basic form, Nslookup is used to find the IP address that’s associated with a given domain name. For example, if I run nslookup avg.com, I’m going to find out that there are two IP addresses associated with avg.com, one starting with 212 and one starting with 185. Nslookup is a great tool to use when you’re doing reconnaissance against a given target. Third, we have FOCA. FOCA stands for Fingerprinting Organizations with Collected Archives, and it’s a tool that’s used to find metadata and hidden information in documents collected from an organization. Essentially, FOCA is going to find information about a particular organization that’s hidden inside the metadata of different files, things like usernames, internal paths, software versions, and printer or server names. Maybe I was crawling a website and I found a Word document, a PDF, or an Excel spreadsheet. I can feed those into FOCA, and it will look through the metadata and collect that information into one place for me to analyze. Fourth, we have theHarvester. TheHarvester is a program for gathering emails, subdomains, hosts, employee names, PGP key entries, open ports, and service banners from various public sources and servers.

TheHarvester is a great open source intelligence tool. To use it, you’re going to type theHarvester -d followed by the domain name, -l followed by the number of results you want, and -b followed by the data source you want to search. In this case, I’m going to search the domain kali.org, I’m going to ask for 500 results, and I’m going to use Google as the source, so the command is theHarvester -d kali.org -l 500 -b google. As it runs, it’s going to find all the information it can and bring those results back to me so I can analyze them as part of my reconnaissance and information gathering. Fifth, we have Shodan. Shodan is a search engine for web cameras, routers, servers, and other devices that are considered part of the Internet of Things; it continuously scans the internet and indexes the service banners it gets back, so you can search by port, product, banner text, organization, or location. When you go to Shodan, you can search for exposed and potentially vulnerable assets online. For example, I might look at the webcam category and find that there are over 10,000 exposed webcams sitting there online that I can click on and then access their feed. If I can identify a webcam and associate it with my target organization, I can then have eyes inside of their facility by using their own webcams against them (within the scope of your engagement, of course). This is one of the great uses for Shodan as you’re doing your open source intelligence. Sixth, we have Maltego. Maltego is a piece of commercial software (there is also a free Community Edition) that’s used for conducting open source intelligence, and it visually helps connect all the relationships between the different pieces of data you’ve been collecting. When you open up Maltego, you’re going to be able to identify what things are linked to what other things. For example, if I found an email address, I might be able to link that to a LinkedIn account. I can then link that LinkedIn account to another person on their Facebook account or their Twitter account, and maybe I can use that information to figure out how I can get from a single employee, through a business email compromise, up to the CEO, to get other actions taken on the network. All this can be done by using Maltego.

The bottom line when it comes to Maltego is that it can help you automate the querying of public sources of data (Maltego calls these queries transforms), compare the results with other info from different sources you’ve already put into Maltego, and help you make those connections and associations. Seventh, Recon-ng. Now, Recon-ng is a tool that uses a system of modules to add additional features and functions for your use. Recon-ng is a cross-platform web reconnaissance framework, written in Python, that’s made up of lots of different modules and tools. To learn more about Recon-ng and how to use it, simply enter recon-ng -h at your command prompt. If you want to load Recon-ng, simply type recon-ng and hit ENTER. This will bring up the framework with its own shell. As you can see here, we are in the default shell of Recon-ng and there are no modules installed or enabled yet; in current versions you pull them in from the built-in marketplace with marketplace search and marketplace install followed by the module name, and then bring one up with modules load. As you load up different modules, you’ll be able to do different searches and different information gathering using the different modules inside of Recon-ng. Eighth, we have Censys. Censys is a search engine that’s used for finding hosts and networks across the internet, with data about their configuration, open services, and certificates. This is a lot like Shodan. When you open up Censys, you’re going to be able to see all the different cloud, shared infrastructure, and other infrastructure that they’ve identified. The goal with Censys is to be able to do open source intelligence where you’re not touching those systems yourself during your scanning; instead, you’re relying on Censys and its scans of the entire internet to find exposures associated with the target organization you’re going after.
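The WHOIS and nslookup lookups described at the start of this lesson are usually scripted rather than read by hand, so here is an added example (it is not code from the course or from either tool) that parses what the two commands print into one recon record. The sample outputs are constructed for the example, and the field names it looks for (Registrar, Name Server, the various Email fields) follow the common registry format, which varies from registrar to registrar, so treat the parsers as a starting point and the external-contact flag as an assumption about what is worth a second look.

```python
"""Fold WHOIS and nslookup output into one recon record.

Added example, not part of the course or of either tool. The sample outputs
below are constructed for the example; real registrars vary their field
names, so adjust the parsers to what you actually get back.
"""
import json
import re
import subprocess

# Constructed sample of `whois example-target.test` (illustrative only).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TARGET.TEST
Registrar: Example Registrar, LLC
Registrar WHOIS Server: whois.example-registrar.test
Creation Date: 2015-04-01T00:00:00Z
Name Server: NS1.EXAMPLE-TARGET.TEST
Name Server: NS2.EXAMPLE-TARGET.TEST
Registrant Email: admin@example-target.test
Admin Email: hostmaster@msp-hosting.test
Tech Email: admin@example-target.test
"""

# Constructed sample of `nslookup example-target.test` (illustrative only).
SAMPLE_NSLOOKUP = """\
Server:\t\t192.0.2.53
Address:\t192.0.2.53#53

Non-authoritative answer:
Name:\texample-target.test
Address: 203.0.113.10
Name:\texample-target.test
Address: 203.0.113.11
Name:\texample-target.test
Address: 2001:db8::10
"""


def parse_whois(text):
    """Pull out the registrar, name servers and the unique contact e-mails."""
    registrar = None
    nameservers = []
    emails = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "registrar":
            registrar = value
        elif key == "name server" and value:
            nameservers.append(value.lower())
        elif key.endswith("email") and value and value.lower() not in emails:
            emails.append(value.lower())
    return {"registrar": registrar, "nameservers": nameservers, "emails": emails}


def parse_nslookup(text):
    """Collect the resolved addresses, ignoring the resolver's own address."""
    # The leading "Server:/Address:" pair names the resolver and shows its
    # port as "ip#53"; answer addresses never carry a '#'.
    ipv4, ipv6 = [], []
    for m in re.finditer(r"^Address(?:es)?:\s*(\S+)", text, re.MULTILINE):
        addr = m.group(1)
        if "#" in addr:
            continue
        (ipv6 if ":" in addr else ipv4).append(addr)
    return {"ipv4": ipv4, "ipv6": ipv6}


def build_record(domain, whois_text, nslookup_text):
    """Merge both parsers and flag contacts hosted outside the target domain."""
    record = {"domain": domain.lower()}
    record.update(parse_whois(whois_text))
    record.update(parse_nslookup(nslookup_text))
    # Assumption: a contact e-mail on another domain is a pivot worth noting
    # (parent company, MSP, registrar proxy), not proof of anything.
    record["external_contacts"] = [
        e for e in record["emails"] if not e.endswith("@" + record["domain"])
    ]
    return record


def run_recon(domain):
    """Run the real tools (needs the binaries and network access)."""
    whois_out = subprocess.run(["whois", domain], capture_output=True, text=True).stdout
    ns_out = subprocess.run(["nslookup", domain], capture_output=True, text=True).stdout
    return build_record(domain, whois_out, ns_out)


if __name__ == "__main__":
    print(json.dumps(build_record("example-target.test", SAMPLE_WHOIS, SAMPLE_NSLOOKUP), indent=2))
```

Swap `run_recon` in for the constants once you are on a network where the lookups are allowed; the parsers do not change, which is the point of keeping them separate from the tool invocation.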

229. Scanning Tools (OBJ 5.3)

In this lesson, we’re going to talk about scanning tools. Scanning tools are used to identify potential vulnerabilities in a system, server, network, software, service, or application. In this particular lesson, we are going to cover nine tools that are covered by the exam under the scanning category. This includes Nikto, OpenVAS, Nessus, SQLmap, OpenSCAP, Wapiti, WPScan, Brakeman, and ScoutSuite. First, we have Nikto. Nikto is a web vulnerability scanner that’s used to assess web servers and the custom web applications a company may have coded themselves. Nikto is going to scan a web server for vulnerabilities and identify outdated software versions, dangerous files and CGI scripts, and server misconfigurations, such as multiple index files and HTTP server options that may exist. We can simply run it as a Perl script by entering perl nikto.pl -h followed by the IP address or hostname of the server that you want to scan. At that point, Nikto is going to take over and come back with a text-based output that tells us all the issues it finds on that server. Basically, it’s a vulnerability scanning tool for web servers.

That is its primary goal and primary purpose. Second, we have OpenVAS. OpenVAS is an open source vulnerability scanner that’s used to identify vulnerabilities and assign a risk rating for the targeted assets. When you run OpenVAS, it’s going to scan the entire network and produce a chart and a report with all the details for each of the identified vulnerabilities. OpenVAS is an excellent tool, but as a pen tester you have to be careful using it, because it is extremely noisy and easy to detect. If you run a scan across the entire network looking for every possible vulnerability, you are going to light up the defenders’ dashboards. Instead, when stealth matters, select just the vulnerabilities you want to verify on a particular system and run OpenVAS against that single target with that narrow set of checks to reduce your chance of detection. Third, we have Nessus. Nessus is a proprietary vulnerability scanner that’s used to conduct basic, advanced, and compliance vulnerability scans to measure the effectiveness of the system’s security controls. Now, Nessus is a lot like OpenVAS. In fact, Nessus came out before OpenVAS; OpenVAS was forked from the last open source release of Nessus, and it’s designed to do the same types of things. When you’re using Nessus, remember it is a commercial product, and it’s used to conduct vulnerability scanning.
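The “noisy and easy to detect” warning above applies to Nikto just as much as to OpenVAS, and it helps to see why from the defender’s side. The script below is an added example, not code from the course or from either scanner: it parses combined-format web server access logs and flags a source IP when its User-Agent names a scanner, or when it produces a burst of 404s across many distinct paths inside a short window, which is what a default-configured web vulnerability scanner looks like in a log. The log lines are constructed for the example, the User-Agent markers are assumptions drawn from tool defaults (any operator can change them, which is why the 404-burst rule is the one that matters), and the thresholds are assumptions to tune per site.

```python
"""Spot default-configured web scanners in an access log.

Added example, not part of the course or of Nikto/OpenVAS. Log lines are
constructed; thresholds and User-Agent markers are assumptions to tune.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: substrings of the default User-Agent strings these tools send.
SCANNER_UA_MARKERS = ("nikto", "openvas", "sqlmap", "wpscan")


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], TS_FMT)
    e["status"] = int(e["status"])
    return e


def find_scanners(lines, window=timedelta(seconds=60), min_404=20, min_paths=15):
    """Map source IP -> list of reasons it looks like a scanner."""
    by_ip = defaultdict(list)
    for e in filter(None, map(parse_line, lines)):
        by_ip[e["ip"]].append(e)
    findings = {}
    for ip, events in by_ip.items():
        reasons = []
        if any(mk in e["ua"].lower() for e in events for mk in SCANNER_UA_MARKERS):
            reasons.append("scanner user-agent")
        # Sliding window over this IP's 404s: many misses on many distinct
        # paths in a short time is a wordlist being thrown at the server.
        misses = sorted((e for e in events if e["status"] == 404), key=lambda e: e["ts"])
        start = 0
        for end in range(len(misses)):
            while misses[end]["ts"] - misses[start]["ts"] > window:
                start += 1
            chunk = misses[start:end + 1]
            if len(chunk) >= min_404 and len({e["path"] for e in chunk}) >= min_paths:
                reasons.append("404 burst")
                break
        if reasons:
            findings[ip] = reasons
    return findings


def _line(ip, ts, path, status, ua):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


def sample_log():
    """Constructed access log: one browser, one Nikto run, one UA-spoofed scan."""
    t0 = datetime(2023, 3, 22, 10, 0, 0, tzinfo=timezone.utc)
    browser = "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0"
    lines = [
        _line("198.51.100.7", t0 + timedelta(seconds=5 * i), path, status, browser)
        for i, (path, status) in enumerate([("/", 200), ("/about", 200), ("/abuot", 404), ("/contact", 200)])
    ]
    # Nikto's default UA announces itself (string shape taken from the tool's defaults).
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
    lines += [_line("203.0.113.42", t0 + timedelta(seconds=i), f"/cgi-bin/test{i}.cgi", 404, nikto_ua) for i in range(30)]
    # Same behaviour with a browser UA: only the 404-burst rule catches it.
    lines += [_line("203.0.113.77", t0 + timedelta(seconds=2 * i), f"/admin/{i}.php", 404, browser) for i in range(25)]
    return lines


if __name__ == "__main__":
    for ip, why in find_scanners(sample_log()).items():
        print(ip, ", ".join(why))
```

The practical lesson for the tester is the mirror image: if you need to stay quiet, a full Nikto or OpenVAS run against a monitored web server is the wrong choice, and changing the User-Agent alone does not help, because the request pattern is the real signature.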

Now, Nessus has multiple different plugins that can be used, and this allows you to conduct specialized scans for different purposes. For example, if you come in to do an internal vulnerability assessment or a compliance scan for PCI DSS or HIPAA, you’re probably going to use something like Nessus to do that work. Fourth, we have SQLmap. Now, SQLmap is an open source database scanner that searches for SQL injection vulnerabilities that you can exploit during your engagements. SQLmap is essentially a Python script, and you’re going to run it using python sqlmap.py -u followed by the URL, including its parameters, that you want to test. When you do this, it’s going to run a series of tests to look for a vulnerability that can be exploited. The big focus of SQLmap, though, is the SQL database underlying that web application or website, and so that’s really what it’s going to be focused on as it runs its different scans. It’s going to try boolean-based and time-based blind injections, error-based injections, UNION query injections, and stacked queries automatically for you, and once it confirms one it can enumerate and dump the database as well. Fifth, OpenSCAP. OpenSCAP is an open source implementation of the Security Content Automation Protocol (SCAP), the NIST standard for expressing security baselines and checks in a machine-readable form, and it’s used to compare a system against a predetermined baseline to find vulnerabilities or deviations. When you use OpenSCAP, you’re going to be able to choose the baseline that you want, or create your own, and run it against a system or a series of systems to get results back on whether they’re in compliance or not. OpenSCAP does a really great job of comparing a system against a known baseline and identifying any outliers; those show up in red, as you can see here. Sixth, we have Wapiti. Wapiti is a web application vulnerability scanner that automatically navigates a web app looking for places where it can inject data to target the different vulnerabilities it may find on that site.

Now, when you run Wapiti, it’s going to run various modules against that given web application to determine what vulnerabilities exist. It works as a black-box scanner: it crawls the pages, finds the forms and URL parameters, and then injects payloads into them, so it’s testing the application’s inputs (including any web APIs it discovers along the way) rather than reading the source code. By doing that, we’re going to be able to find vulnerabilities that we can exploit during our engagements and our penetration tests.
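To make the SQLmap description above concrete, here is an added example (not code from the course or from sqlmap) showing, on a tiny in-memory SQLite database that stands in for a web app’s backend, the flaw sqlmap probes for next to its fix, and two of the probes it automates: the boolean-based true/false comparison used to confirm an injection point, and a UNION query used to pull rows out of another table. The schema, rows, and hashes are constructed for the example.

```python
"""Why sqlmap works: the same lookup, built two ways.

Added example, not part of the course or of sqlmap. The database, rows and
hash values are constructed for the example.
"""
import sqlite3


def make_db():
    """Constructed sample data: a product catalogue plus a users table."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER, name TEXT, price REAL);
        INSERT INTO products VALUES (1,'widget',9.99),(2,'gadget',19.99),(3,'gizmo',4.50);
        CREATE TABLE users(id INTEGER, username TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1,'admin','5f4dcc3b5aa765d61d8327deb882cf99'),
                                 (2,'alice','e10adc3949ba59abbe56e057f20f883e');
    """)
    return con


def lookup_vulnerable(con, product_id):
    """Vulnerable on purpose: the request parameter is pasted into the SQL."""
    sql = f"SELECT id, name FROM products WHERE id = '{product_id}'"
    return con.execute(sql).fetchall()


def lookup_safe(con, product_id):
    """Hardened: the value is bound as a parameter, so it can only be data."""
    return con.execute("SELECT id, name FROM products WHERE id = ?", (product_id,)).fetchall()


def detect_injection(lookup, con, base):
    """Boolean-based probe, as an automated scanner does it.

    Send the known-good value with a TRUE condition appended, then with a
    FALSE one. If the TRUE case matches the baseline and the FALSE case
    differs, the appended condition reached the SQL engine.
    """
    baseline = lookup(con, base)
    true_case = lookup(con, base + "' AND '1'='1")
    false_case = lookup(con, base + "' AND '1'='2")
    return true_case == baseline and false_case != baseline


def dump_users(lookup, con):
    """UNION-based extraction: two columns to match the original SELECT,
    a comment marker to swallow the closing quote."""
    payload = "' UNION SELECT id, username || ':' || pw_hash FROM users--"
    return sorted(lookup(con, payload))


if __name__ == "__main__":
    con = make_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(name, "injectable:", detect_injection(fn, con, "1"), "dump:", dump_users(fn, con))
```

Note what the bound parameter changes: the payload strings still arrive at the database, but as a single value that no product id equals, so both probes return nothing and the scanner has no signal to work with.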

Seventh, WPScan. Now, WPScan is a WordPress site vulnerability scanner that identifies the WordPress version, themes, and plugins used by the website and checks them against a database of known vulnerabilities. When you’re dealing with WPScan, you’re looking only at WordPress sites. Now, you may be wondering how many WordPress sites are out there, and why this is that important. Well, around 40% of websites run on WordPress these days, so it is really important, especially if you’re dealing with small, medium, and even some large businesses. So if you’ve identified during your reconnaissance that your target organization is using WordPress, then taking the time to run WPScan against it can really identify a lot of vulnerabilities for you.

Eighth, Brakeman. Brakeman is a static code analysis security tool that is used to identify vulnerabilities in applications that are written in Ruby on Rails. Now, notice this is a static code analysis tool. That means you’re going to point this tool at the source code, and then it’s going to run the assessment on that. This is really helpful if you’re part of a DevSecOps team, or you’re working as part of a known environment test where you are going to have access to the source code. Ninth, ScoutSuite. ScoutSuite is an open source tool written in Python that can be used to audit instances and policies created on multi-cloud platforms, such as AWS, Microsoft Azure, and Google Cloud, by collecting data using API calls. Now, it may seem odd that we’re talking about ScoutSuite here inside of the scanning tools, but CompTIA puts it in this category because it is a tool that’s scanning for security permissions and resources in a given cloud environment. That said, we are going to revisit ScoutSuite again when we get to cloud tools in a different lesson.
