1. Planning and Scoping Penetration Tests
W3AF (Web Application Attack and Audit Framework)
A Python tool included in Kali Linux that tries to identify and exploit web application vulnerabilities.
APKX (Android Package Kit)
A Python wrapper for dex converters and Java decompilers that is included in the OWASP Mobile Testing Guide
CeWL
A Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper. It is included with Kali Linux.
Nslookup
A command-line utility, available on Windows and on most Unix-like systems, that queries DNS and displays the domain name or IP address mappings for a host, depending on the options used.
Patator
A modular, multi-protocol brute-force tool included with Kali Linux, most often used for online password guessing against network services.
Dirbuster
A brute-force tool included with Kali Linux that discovers hidden directories and file names on web and application servers by guessing names from a word list.
Statement of Work (SOW)
A business document that defines the highest level of expectations for a contractual arrangement. It typically includes a list of deliverables, responsibilities of both parties, payment milestones and schedules, and other terms. Because this document details what the client is paying for, it has a direct impact on team activities. It also can be used by the pen test team to charge for out-of-scope requests and additional client-incurred costs.
Non-Disclosure Agreement (NDA)
A business document that stipulates the parties will not share confidential information, knowledge, or materials with unauthorized third parties.
Point-in-time assessment clause
A clause in the pentest plan stating that the pen test results have a limited life cycle and are not to be interpreted as a security guarantee.
Impacket
A collection of Python classes that provide low-level program access to packets, as well as to protocols and their implementation
Medusa
A free command-line password cracking tool that is often used in brute-force attacks against remote authentication services. It claims to specialize in parallel attacks, with the ability to test about 2,000 passwords per minute locally.
Metasploit framework
A command-line-based pen testing framework developed by Rapid7 that is included with Kali Linux and that enables you to find, exploit, and validate vulnerabilities. Metasploit also has GUI-based commercial and community versions.
Empire (PowerShell Empire)
A post-exploitation framework for Windows devices. It allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data and extract passwords, and install persistent backdoors.
SSH (Secure Shell)
A program that enables a user or an application to log on to another device over an encrypted network connection, run commands in a remote machine, and transfer files from one machine to the other.
Maltego
A proprietary software tool that assists with gathering open source intelligence (OSINT) and with forensics by analyzing relationships between people, groups, websites, domains, networks, and applications. A community version named Maltego Teeth is included with Kali Linux.
Nessus
A proprietary vulnerability scanner developed by Tenable Network Security. Initially open source, it scans for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks. It can also be used to prepare for PCI DSS audits.
Whois
A protocol that queries databases that store registered users or assignees of an Internet resource, such as a domain name
IDA (Interactive Disassembler)
A reverse-engineering tool that disassembles machine code into assembly (and, with its decompiler, into C-like pseudocode) for Windows, macOS, and Linux applications.
OLLYDBG
A reverse-engineering tool included with Kali Linux that analyzes binary code found in 32-bit Windows applications
Immunity debugger
A reverse-engineering tool that includes both command-line and graphical user interfaces and that can load and modify Python scripts during runtime
WiFi-Pumpkin
A rogue wireless access point and man-in-the-middle tool used to snoop traffic and harvest credentials.
Shodan
A search engine that returns information about the types of devices connected to the Internet by inspecting the metadata included in service banners.
Censys
A search engine that returns information about the types of devices connected to the Internet.
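Both search engines classify hosts from the text that services send when you connect to them, and a tester doing active reconnaissance does the same thing with Nmap or a hand-written grabber. The following added example (not from this page or from Shodan or Censys) shows one way to grab a banner from a live port and to parse a few common banner formats into (service, product, version). The banner strings in SAMPLE_BANNERS are constructed for the example, not captured from any real host, and the regular expressions cover only the products named in them.

```python
import re
import socket

# Constructed sample banners keyed by port; illustrative strings only,
# not captures from any real host.
SAMPLE_BANNERS = {
    22: "SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.4\r\n",
    21: "220 (vsFTPd 3.0.3)\r\n",
    25: "220 mail.example.test ESMTP Postfix (Debian/GNU)\r\n",
    80: "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n",
}

# Service-specific banner patterns; each yields a product and an optional version.
# The product lists are deliberately short; a real fingerprint database is much larger.
BANNER_PATTERNS = [
    ("ssh",  re.compile(r"^SSH-[\d.]+-(?P<prod>[A-Za-z]+)[_-]?(?P<ver>[\w.]+)?")),
    ("http", re.compile(r"^Server:\s*(?P<prod>[^/\r\n]+)/?(?P<ver>[\w.]*)", re.M)),
    ("ftp",  re.compile(r"^220[ -].*?(?P<prod>vsFTPd|ProFTPD|Pure-FTPd|FileZilla)\s*(?P<ver>[\w.]+)?")),
    ("smtp", re.compile(r"^220[ -]\S+\s+E?SMTP\s*(?P<prod>[A-Za-z]+)?\s*(?P<ver>[\d.]*)")),
]


def grab_banner(host, port, timeout=3.0):
    """Connect to host:port and return the first data the service sends.
    HTTP servers only speak after a request, so one is sent on web ports."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if port in (80, 8080, 8000):
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        try:
            return sock.recv(2048).decode("latin-1")
        except socket.timeout:
            return ""


def parse_banner(banner):
    """Return (service, product, version) for a recognised banner, else None."""
    for service, pattern in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return (service, (m.group("prod") or "").strip(), m.group("ver") or "")
    return None


def fingerprint(banners):
    """Map port -> parsed banner, dropping ports whose banner is not recognised."""
    result = {}
    for port, banner in banners.items():
        parsed = parse_banner(banner)
        if parsed:
            result[port] = parsed
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed banners; swap in grab_banner()
    # results for a host you are authorised to test.
    for port, (svc, prod, ver) in sorted(fingerprint(SAMPLE_BANNERS).items()):
        print(f"{port:>5}/tcp  {svc:<5} {prod} {ver}".rstrip())
```

The parser deliberately reports an empty version rather than guessing one when the banner does not carry it (the Postfix line above), since a version pulled from a banner is the only evidence a search engine has and should not be over-stated in a report.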
Drozer
A security testing framework for Android apps and devices.
Powersploit
A series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. This tool is included in Kali Linux
Aircrack-ng
A suite of wireless tools, including airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng. Included with Kali Linux, the suite can sniff and attack wireless connections and crack WEP and WPA/WPA2-PSK keys.
Searchsploit
A tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive
theHarvester
A tool included with Kali Linux that gathers information such as email addresses, subdomains, host names, open ports, and banners from publicly available sources.
Recon-ng
A web reconnaissance tool that is written in Python and is included with Kali Linux. It uses over 80 "modules" to automate OSINT. Some of its features include: search for files, discover hosts/contacts/email addresses, snoop DNS caches, look for VPNs, look up password hashes, and perform geolocation.
WiFite
A wireless auditing tool included with Kali Linux that can attack multiple WEP- and WPA-encrypted networks, and networks with WPS enabled, in sequence.
Kismet
An 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system that is included with Kali Linux. It can be used to monitor wireless activity, identify device types, and capture raw packets for later password cracking.
Master Service Agreement (MSA)
An agreement that establishes precedence and guidelines for any business documents that are executed between two parties. It can be used to cover recurring costs and foreseen additional charges during a project without the need for an additional contract.
Threat actor
An entity that is partially or wholly responsible for an incident that affects or has the potential to affect an organization's security.
Burp Suite
An integrated platform included with Kali Linux for testing the security of web applications. Acting as a local proxy, it allows the attacker to capture, analyze, and manipulate HTTP traffic.
AFL (American Fuzzy Lop)
An open source coverage-guided fuzzer (a form of dynamic application security testing, DAST) that feeds mutated input to a program to find crashes, bugs, and possible security vulnerabilities.
SonarQube
An open source SAST platform that continuously inspects code quality to help discover bugs and security vulnerabilities.
YASCA (Yet Another Source Code Analyzer)
An open source SAST program that inspects source code for security vulnerabilities, code quality, and performance.
Ncat
An open source command-line tool for reading, writing, redirecting, and encrypting data across a network. Ncat was developed as part of the Nmap project as an improved version of Netcat.
SQLmap
An open source database scanner that searches for and exploits SQL injection flaws. It is included with Kali Linux
Wireshark
An open source network protocol analyzer that is included with Kali Linux. It can be used to sniff many traffic types, reconstruct entire TCP sessions, and capture copies of files transmitted on the network.
Nmap
An open source network scanner used for network discovery and auditing. It can discover hosts, scan ports, enumerate services, fingerprint operating systems, and run script-based vulnerability tests.
Netcat
An open source networking utility that creates and inspects arbitrary TCP and UDP connections, making it useful for debugging, listening on ports, and simple data transfer.
SET (Social Engineer Toolkit)
An open source pen testing framework included with Kali Linux that supports the use of social engineering to penetrate a network or system
findsecbugs
An open source plugin for FindBugs/SpotBugs that detects security issues in Java web applications.
GDB (GNU Project Debugger)
An open source debugger, widely used in reverse engineering, that runs on most Unix and Windows versions, as well as macOS.
OpenVAS (Open Vulnerability Assessment System)
An open source software framework for vulnerability scanning and management
Findbugs
An open source static code analyzer or static application security testing (SAST) tool that detects possible bugs in Java programs
Mimikatz
An open source tool that extracts credential material, such as plaintext passwords, NTLM hashes, and Kerberos tickets, from the memory of Microsoft Windows computers. It is also included with Kali Linux.
OWASP ZAP (Open Web Application Security Project Zed Attack Proxy)
An open source web application security scanner
Nikto
An open source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems that occur with some web server software versions. It is included with Kali Linux
Proxychains
A command-line tool, included with Kali Linux and available for most other Linux distributions, that enables pen testers to mask their identity and source IP address by routing a program's connections through a chain of intermediary proxy servers.
Sample application requests
Like test code or code snippets, sample application requests can assist pen testers in gaining access to resources.
Industrial Control Systems (ICSs)
Networked systems that control critical infrastructure such as water, electrical, transportation, and telecommunication services
Script kiddie
Novice or inexperienced hackers with limited technical knowledge who rely on automated tools to hack into targets
WSDL and/or WADL
Web Services Description Language and Web Application Description Language files are XML documents that describe SOAP-based or RESTful web services
Risk mitigation
Where an organization implements controls and countermeasures to reduce the likelihood and impact of risk, with the goal of reducing the potential effects so that they are below the organization's risk threshold.
Risk transference
Where an organization moves the responsibility for managing risk to another organization, such as an insurance company, cloud service provider, or other outsourcing provider.
Risk avoidance
Where an organization takes steps to ensure that risk has been completely eliminated, or reduced to zero, by terminating the process, activity, or application that is the source of the risk.
Risk acceptance
Where, after an organization identifies and analyzes a risk, it determines that the risk is within acceptable limits, so no additional action is required.
Rules of engagement
A document, or section of a document, that outlines how the pen testing is to be conducted.
fragile systems
Systems that are inherently unstable and tend to crash, as well as systems that must run older, unpatched operating systems to support legacy applications.
Planning
The part of the pentesting process that includes identifying the scope of the engagement, documenting logistical details, and other preliminary activities that need to occur before the commencement of the pentest.
FOCA (Fingerprinting and Organization with Collected Archives)
A network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information.
BeEF (Browser Exploitation Framework)
A pen testing tool included with Kali Linux that focuses on web browsers. It hooks a victim's browser, typically through an XSS or injected script on a website, and then runs command modules against the hooked browser.
APK Studio
A cross-platform IDE for reverse engineering Android applications
XSD file
A document that defines the structure and data types for an XML schema
Responder
A fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries in order to possibly recover sensitive information such as user names and passwords.
SOAP project file
A file that enables you to test SOAP-based web services. These files often are created from the information in a Web Services Description Language (WSDL) file or service
WinDBG (Windows Debugger)
A free debugging tool created and distributed by Microsoft for Windows operating systems
THC-Hydra
A free network login password cracking tool that is included with Kali Linux. It supports a number of authentication protocols
hping
A free packet generator and analyzer for TCP/IP networks. Often used for firewall testing and advanced network testing, hping3 is included with Kali Linux.
John the Ripper
A free password recovery tool available for Linux, 11 versions of Unix, DOS, Win32, BeOS, and OpenVMS. It is included with Kali Linux.
Cain and Abel
A free password recovery tool available for Windows that is sometimes classified as malware by some antivirus software.
Hashcat
A free password recovery tool that is included with Kali Linux and is available for Linux, macOS, and Windows. It supports a very wide range of hashing algorithms and password cracking methods, and it claims to be the fastest recovery tool available.
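The CeWL, John the Ripper, and Hashcat entries describe two halves of one workflow: build a target-specific word list from an organisation's own web content, then run that list, expanded by mangling rules, against captured hashes. The following added example (written for this page, not code from any of those tools) shows the whole chain offline. SAMPLE_HTML stands in for a crawled page, SAMPLE_HASHES is a constructed "dump" of unsalted SHA-256 digests, and the SUFFIXES rules are a simplified stand-in for the rule files that John and Hashcat ship; all three are assumptions of the example.

```python
import hashlib
import re
from collections import Counter
from html.parser import HTMLParser

# Constructed HTML standing in for a crawled page; no real site is involved.
SAMPLE_HTML = """<html><head><title>Acme Widgets - About</title></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Founded in Springfield, Acme builds the Thunderbolt and Skyhawk widget lines.</p>
<p>Contact our Springfield office or the Thunderbolt support team.</p>
<script>var tracker = "ignored";</script></body></html>"""


class TextExtractor(HTMLParser):
    """Collect visible words, skipping the bodies of <script> and <style>."""

    def __init__(self):
        super().__init__()
        self.words = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.words.extend(re.findall(r"[A-Za-z]+", data))


def build_wordlist(html, min_len=5):
    """CeWL-style list: unique words of at least min_len letters, most frequent first."""
    parser = TextExtractor()
    parser.feed(html)
    counts = Counter(w for w in parser.words if len(w) >= min_len)
    return [word for word, _ in counts.most_common()]


# Simplified mangling rules in the spirit of John/Hashcat rule files (assumed for
# this example, not copied from either tool): case variants plus common suffixes.
SUFFIXES = ("", "1", "123", "2024", "!")


def apply_rules(word):
    variants = {word, word.lower(), word.upper(), word.capitalize()}
    return {v + s for v in variants for s in SUFFIXES}


# Constructed "captured" hash dump. Unsalted SHA-256 is used only so the example
# runs anywhere; real dumps are usually NTLM, bcrypt, etc., and the cracker's
# hash mode must match.
SAMPLE_HASHES = {
    "alice": hashlib.sha256(b"Springfield123").hexdigest(),
    "bob":   hashlib.sha256(b"thunderbolt!").hexdigest(),
    "carol": hashlib.sha256(b"Tr0ub4dor&3").hexdigest(),  # not derivable from the page
}


def crack(hashes, wordlist, algo="sha256"):
    """Dictionary-plus-rules attack; returns {user: plaintext} for each hash recovered."""
    targets = {}
    for user, digest in hashes.items():
        targets.setdefault(digest, []).append(user)  # identical hashes share a password
    found = {}
    for word in wordlist:
        for candidate in apply_rules(word):
            digest = hashlib.new(algo, candidate.encode()).hexdigest()
            for user in targets.get(digest, []):
                found.setdefault(user, candidate)
    return found


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_HTML)
    print("wordlist:", words)
    print("cracked:", crack(SAMPLE_HASHES, words))
```

The uncracked entry is the point of the exercise as much as the two recoveries: a short, site-specific list with a handful of rules recovers passwords built from company vocabulary quickly, but it says nothing about passwords that are not, so the report should state the list and rules used rather than imply the remaining hashes are strong.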
Embedded systems
Computer hardware and software that have a specific function within a larger system such as a home appliance or an industrial machine
SDK documentation
Documentation for a collection of development tools that support the creation of applications for a certain platform
Supervisory control and data acquisition (SCADA) systems
ICSs that send and receive remote-control signals to and from embedded systems.
Peach
Offers several dynamic application security testing (DAST) products for pen testing, including Peach API Security, which helps secure web APIs against the OWASP Top 10, and Peach Fuzzer, an automated security testing platform for prevention of zero-day attacks. Within Peach Fuzzer, modular test definitions called Peach Pits enable you to fully customize fuzz tests against test targets.
Penetration testing (pentesting)
The practice of actively attempting to exploit vulnerabilities and producing evidence of success as part of the report. It often includes social engineering and testing of physical controls, as well as testing technical weaknesses.
Real-time operating systems (RTOSs)
Specialized operating systems that feature a predictable and consistent processor scheduler
Swagger document
The REST API equivalent of a WSDL document
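For a tester, the value of a WSDL or Swagger/OpenAPI document is that it enumerates the attack surface before any request is sent: endpoints, operations, and (for OpenAPI) which operations the service itself declares as requiring no authentication. The following added example (not from this page or any particular product) parses both formats with the standard library. SAMPLE_WSDL and SAMPLE_OPENAPI are constructed for a fictional orders service, and the rule that an operation-level security list overrides the document-level one, with an empty list meaning "no authentication", follows the OpenAPI 3 specification.

```python
import json
import xml.etree.ElementTree as ET

WSDL_NS = "http://schemas.xmlsoap.org/wsdl/"
SOAP_NS = "http://schemas.xmlsoap.org/wsdl/soap/"
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed minimal WSDL for a fictional service (example input, not a real API).
SAMPLE_WSDL = """<definitions xmlns="http://schemas.xmlsoap.org/wsdl/"
             xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"
             xmlns:tns="http://example.test/orders"
             targetNamespace="http://example.test/orders">
  <portType name="OrdersPort">
    <operation name="GetOrder"/>
    <operation name="CancelOrder"/>
  </portType>
  <binding name="OrdersBinding" type="tns:OrdersPort">
    <soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>
    <operation name="GetOrder"><soap:operation soapAction="urn:GetOrder"/></operation>
    <operation name="CancelOrder"><soap:operation soapAction="urn:CancelOrder"/></operation>
  </binding>
  <service name="OrdersService">
    <port name="OrdersPort" binding="tns:OrdersBinding">
      <soap:address location="https://api.example.test/soap/orders"/>
    </port>
  </service>
</definitions>"""

# Constructed OpenAPI 3 document for the same fictional service.
SAMPLE_OPENAPI = json.dumps({
    "openapi": "3.0.0",
    "servers": [{"url": "https://api.example.test/v1"}],
    "security": [{"bearerAuth": []}],          # document-wide default
    "paths": {
        "/orders/{id}": {"get": {"summary": "Fetch order"},
                         "delete": {"summary": "Cancel order"}},
        "/health": {"get": {"security": []}},  # explicitly unauthenticated
        "/admin/export": {"get": {"security": []}, "parameters": []},
    },
})


def enumerate_wsdl(xml_text):
    """Return SOAP endpoint URLs and an operation -> SOAPAction map from a WSDL."""
    root = ET.fromstring(xml_text)
    endpoints = [a.get("location") for a in root.iter(f"{{{SOAP_NS}}}address")]
    operations = {}
    for binding in root.iter(f"{{{WSDL_NS}}}binding"):
        for op in binding.findall(f"{{{WSDL_NS}}}operation"):
            soap_op = op.find(f"{{{SOAP_NS}}}operation")
            operations[op.get("name")] = soap_op.get("soapAction", "") if soap_op is not None else ""
    return {"endpoints": endpoints, "operations": operations}


def enumerate_openapi(spec_text):
    """Return server URLs and (METHOD, path, requires_auth) rows from an OpenAPI 3 document."""
    spec = json.loads(spec_text)
    servers = [s["url"] for s in spec.get("servers", [])]
    default_security = spec.get("security", [])
    rows = []
    for path, item in spec.get("paths", {}).items():
        for method, op in item.items():
            # Path items also carry non-method keys such as "parameters"; skip those.
            if method.lower() not in HTTP_METHODS or not isinstance(op, dict):
                continue
            requires_auth = bool(op.get("security", default_security))
            rows.append((method.upper(), path, requires_auth))
    return servers, rows


def unauthenticated(rows):
    """Operations the specification itself declares as needing no credentials."""
    return [(method, path) for method, path, auth in rows if not auth]


if __name__ == "__main__":
    print(enumerate_wsdl(SAMPLE_WSDL))
    servers, rows = enumerate_openapi(SAMPLE_OPENAPI)
    print(servers, rows)
    print("unauthenticated:", unauthenticated(rows))
```

What the specification declares and what the server enforces can differ in both directions, so the unauthenticated list is a set of requests to try first, not a finding on its own.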
scope
The basis for the Statement of Work
Covering tracks
The part of the pentesting process where pen testers concentrate on removing evidence that proves an exploit occurred. It generally consists of two facets: avoiding real-time incident response efforts and avoiding discovery by post-exploit forensic analysis.
Gaining access
The part of the pentesting process where the actual exploit begins, by applying the information gained by recon and scanning to begin to attack target systems
Reporting
The part of the pentesting process where the information from testing and analysis is officially communicated to the stakeholders. This communication includes the vulnerabilities detected, the vulnerabilities exploited, the sensitive data accessed, how long the pen tester had access, and suggestions and techniques to counteract the vulnerabilities.
Analysis
The part of the pentesting process where the pen tester gathers all the information collected, identifies root causes for any vulnerabilities detected, and develops recommendations for mitigation.
Maintaining access
The part of the pentesting process where the pen testers install mechanisms allowing them to continue to access the system. It is also where pen testers reach deeper into the network by accessing other network systems.
Reconnaissance
The part of the pentesting process where the tester gathers information about the target organization and systems prior to the start of the pen test. This can include both passive information gathering, such as collecting publicly available information about the organization, and deliberate acts, such as scanning ports to detect possible vulnerabilities
Scanning
The part of the pentesting process where the vulnerability assessment begins. Generally a bit more in depth than the recon phase
Black box test
The pen tester is provided virtually no information about the systems or networks being tested, thus simulating an outside attacker who knows little about the target other than what can be determined through basic reconnaissance techniques
White box test
The pen tester is provided with knowledge about all aspects of the target systems and networks, to simulate an internal attacker who has extensive knowledge of the systems and networks that are being targeted.
Gray box test
The pen tester is provided with some knowledge and insight of internal architectures and systems, along with other preliminary information about the target and its assets, to simulate an internal attacker who knows some but not all information about the target systems and networks.
Vulnerability Assessment
The practice of evaluating a computer system, a network, or an application to identify potential weaknesses.
Export controls
These regulate the shipment or transfer of certain items outside of the US
Organized Crime Perpetrators
Threat actors who engage in criminal activity, including cyber crimes, most commonly for monetary profit
Hacktivists
Threat actors who gain unauthorized access to and cause disruption in computer systems in an attempt to achieve political or social change
Insider threats
Threat actors who involve someone from within or related to the target organization. Insiders include present and past employees, contractors, partners, and any entity that has access to proprietary or confidential information.
Competitor organizations
Threat actors who might try to gain unauthorized access to a business rival's sensitive information
Nation states / Advanced Persistent Threats (APTs)
Threat actors who use cyber crimes to achieve political and military goals. APTs commonly use several attack vectors to ensure their success in gaining unauthorized access to information.
Architectural diagrams
Visual representations of an application's architecture can reveal points of weakness in the app's construction, while network maps can help identify hosts that might be good potential access points.