Network tools, or where should a pentester start?

Beginner Pentester's Toolkit: here is a brief digest of the top tools that come in handy when pentesting an internal network. These tools are already actively used by a wide range of specialists, so it is useful for everyone to know their capabilities and master them.

Nmap

Nmap is an open source network scanning utility and one of the most popular tools among security specialists and system administrators. It is used primarily for port scanning, but beyond that it has a huge number of useful features, which is what makes Nmap a kind of all-purpose harvester for network reconnaissance.

In addition to checking open and closed ports, Nmap can identify the service listening on an open port and its version, and sometimes helps determine the OS. Nmap also supports scanning scripts (NSE, the Nmap Scripting Engine). With scripts it is possible to check various services for vulnerabilities (provided, of course, that a script exists for them; you can always write your own) or brute-force passwords for various services.

Thus, Nmap allows you to build a detailed network map, get the maximum information about the services running on hosts in the network, and also proactively check for some vulnerabilities. Nmap also has flexible scanning settings: you can adjust the scanning speed, the degree of parallelism, the size of the host groups to scan, and so on. It is convenient for scanning small networks and indispensable for spot scanning of individual hosts.

Pros:

  • Works fast with a small range of hosts;
  • Flexibility of settings - you can combine options in such a way as to obtain the most informative data in a reasonable time;
  • Parallel scanning - the list of target hosts is divided into groups, each group is scanned in turn, and within a group the hosts are scanned in parallel. The division into groups is also a small disadvantage (see below);
  • Predefined sets of scripts for different tasks - you do not have to spend a lot of time selecting specific scripts, but can specify script categories instead;
  • Results output - 5 different formats, including XML, which can be imported into other tools;

Cons:

  • Scanning a group of hosts - information about any host is not available until the scan of the entire group is completed. This is solved by setting in the options the maximum group size and the maximum time to wait for a response to a probe before giving up or retrying;
  • When scanning, Nmap sends SYN packets to the target port and waits for a response packet, or for a timeout if there is no response. This negatively affects the performance of the scanner as a whole compared to asynchronous scanners (for example, zmap or masscan);
  • When scanning large networks, using the flags that speed up scanning (--min-rate, --min-parallelism) may produce false-negative results, skipping open ports on a host. Also use these options with caution, since a high packet rate can lead to an unintended DoS.

zmap

zmap (not to be confused with Zenmap) is also an open source scanner, designed as a faster alternative to Nmap.

Unlike Nmap, after sending a SYN packet zmap does not wait for the response to return but continues scanning, waiting for responses from all hosts in parallel, so it does not actually maintain connection state. When the response to a SYN packet arrives, zmap works out from the packet contents which port on which host turned out to be open. zmap also sends only one SYN packet per scanned port. There is also the option of using PF_RING to scan large networks quickly, if you happen to have a 10-gigabit interface and a compatible network card on hand.

Pros:

  • Scanning speed;
  • Zmap generates Ethernet frames bypassing the system's TCP/IP stack;
  • Ability to use PF_RING;
  • ZMap randomizes targets to evenly distribute the load on the scanned side;
  • Ability to integrate with ZGrab (a tool for collecting information about services at the application layer, L7).

Cons:

  • May cause denial of service on network equipment, such as bringing down intermediate routers despite load balancing, since all packets will go through the same router.
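The target randomization mentioned in the pros list is worth seeing in code. The following Python block is an added example, not zmap's own implementation: it reproduces the idea of walking a network in a scrambled order without storing the whole address list, by iterating through the cyclic multiplicative group modulo a prime just above the address count and skipping residues outside the range. The generalization to any prefix size is mine; the network `192.0.2.0/24` used at the bottom is a documentation range chosen for illustration.

```python
import ipaddress
import math


def is_prime(k):
    """Trial-division primality test; adequate for the sizes involved here."""
    if k < 2:
        return False
    return all(k % d for d in range(2, math.isqrt(k) + 1))


def smallest_prime_above(n):
    p = n + 1
    while not is_prime(p):
        p += 1
    return p


def prime_factors(n):
    """Set of distinct prime factors of n."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def find_generator(p):
    """A generator g of the multiplicative group mod p: g^((p-1)/q) != 1 for
    every prime q dividing p-1, so the powers of g visit all of 1..p-1."""
    factors = prime_factors(p - 1)
    for g in range(2, p):
        if all(pow(g, (p - 1) // q, p) != 1 for q in factors):
            return g
    raise ValueError("no generator found")


def permuted_indices(n, seed=0):
    """Yield every integer in 1..n exactly once, in a scrambled order, with
    O(1) memory: walk g^i mod p for a prime p > n and drop values above n.
    Different seeds start the walk at different points of the cycle."""
    if n < 2:
        raise ValueError("need at least two targets")
    p = smallest_prime_above(n)
    g = find_generator(p)
    x = pow(g, seed % (p - 1), p)
    for _ in range(p - 1):
        x = (x * g) % p
        if x <= n:
            yield x


def randomized_targets(network, seed=0):
    """Yield the addresses of `network` in permuted order (assumed helper,
    not part of zmap); consecutive probes thus land on scattered hosts."""
    net = ipaddress.ip_network(network, strict=False)
    for i in permuted_indices(net.num_addresses, seed):
        yield net[i - 1]


if __name__ == "__main__":
    for addr in list(randomized_targets("192.0.2.0/24"))[:8]:
        print(addr)
```

The reason this matters operationally is the con listed above: a sequential sweep concentrates consecutive probes on one subnet and the router in front of it, whereas the permuted walk spreads the same packet rate across the whole range.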

masscan

masscan is, unsurprisingly, also an open source scanner, created with one goal: to scan the Internet even faster (in under 6 minutes at a rate of about 10 million packets/s). In practice it works almost the same way as zmap, only faster still.

Pros:

  • The syntax is similar to Nmap, and the program also supports some Nmap-compatible options;
  • Speed - one of the fastest asynchronous scanners;
  • Flexible scanning mechanism - resuming an interrupted scan, load balancing across multiple devices (as in zmap).

Cons:

  • Just as with zmap, the load on the network itself is extremely high, which can lead to DoS;
  • By default, there is no option to scan at the application layer (L7).

Nessus

Nessus is a scanner for automating the detection of known vulnerabilities in a system. The source code is closed; there is a free version, Nessus Home, which lets you scan up to 16 IP addresses with the same speed and depth of analysis as the paid version.

It can identify vulnerable versions of services or servers, detect errors in system configuration, and brute-force passwords using dictionaries. It can be used to verify that services (mail, updates, etc.) are configured correctly, as well as in preparation for a PCI DSS audit. In addition, you can give Nessus credentials for a host (SSH or an Active Directory domain account) and the scanner will log in to the host and run its checks directly on it; this option is called a credentialed scan. It is convenient for companies auditing their own networks.

Pros:

  • Separate scenarios for each vulnerability, the database of which is constantly updated;
  • Results output - plain text, XML, HTML and LaTeX;
  • Nessus API - allows you to automate scanning and retrieval of results;
  • Credentialed scan - you can use Windows or Linux credentials to check for missing updates or other vulnerabilities;
  • Ability to write your own security plug-ins - the scanner has its own scripting language NASL (Nessus Attack Scripting Language);
  • You can set the time for regular scanning of the local network - due to this, the Information Security Service will be aware of all changes in the security configuration, the appearance of new hosts and the use of dictionary or default passwords.

Cons:

  • Disruption of the scanned systems is possible - work carefully when the safe checks option is disabled;
  • The commercial version is not free.

Net Creds

Net Creds is a Python tool for collecting passwords and hashes, as well as other information such as visited URLs and downloaded files, from traffic, both in real time during a MITM attack and from previously saved PCAP files. It is suitable for quick, superficial analysis of large volumes of traffic, for example during a MITM attack on a network, when time is limited and manual analysis in Wireshark would take too long.

Pros:

  • Service identification is based on packet sniffing instead of identifying the service by the port number used;
  • Easy to use;
  • A wide range of retrieved data - including logins and passwords for FTP, POP, IMAP, SMTP, NTLMv1 / v2 protocols, as well as information from HTTP requests, such as login forms and basic auth;
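The first pro above, identifying a service by what is in the packet rather than by the port, is the property that makes this class of tool useful for a defender auditing a capture for cleartext credentials. The following Python block is an added example, not Net Creds' code: it classifies TCP payloads by their first bytes for the protocols listed above, and for HTTP reports whether a Basic Authorization header or a form login travelled in the clear (reporting only the username, never the secret). The packets at the bottom are constructed, not captured traffic.

```python
import base64
import re
from urllib.parse import parse_qs

REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")
IMAP_CLIENT = re.compile(rb"^[A-Za-z0-9]+ (LOGIN|CAPABILITY|AUTHENTICATE) ", re.I)


def identify_protocol(payload):
    """Guess the application protocol from payload content alone; the port
    number is deliberately not consulted."""
    head = payload[:64]
    if REQUEST_LINE.match(payload) or head.startswith(b"HTTP/1."):
        return "http"
    if head.startswith(b"220 "):                     # FTP and SMTP share the 220 greeting
        return "smtp" if b"SMTP" in head.upper() else "ftp"
    if head.startswith(b"+OK") or head.startswith(b"-ERR"):
        return "pop3"
    if head.startswith(b"* OK") or IMAP_CLIENT.match(head):
        return "imap"
    if re.match(rb"^(EHLO|HELO|MAIL FROM:)", head, re.I):
        return "smtp"
    if re.match(rb"^(USER|PASS) ", head):
        return "ftp-or-pop3"   # identical client syntax; the server banner is needed to tell them apart
    return "unknown"


def http_cleartext_credentials(payload):
    """Return (kind, username) if an HTTP request carries a credential in the
    clear: a Basic Authorization header or a password field in a form body.
    The secret itself is decoded only to split off the username."""
    header_blob, _, body = payload.partition(b"\r\n\r\n")
    for line in header_blob.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"authorization":
            scheme, _, token = value.strip().partition(b" ")
            if scheme.lower() == b"basic":
                try:
                    user = base64.b64decode(token, validate=True).split(b":", 1)[0]
                except ValueError:          # binascii.Error is a ValueError
                    return ("basic-auth", None)
                return ("basic-auth", user.decode(errors="replace"))
    form = parse_qs(body.decode(errors="replace"))
    for field in ("password", "pass", "passwd", "pwd"):
        if field in form:
            user = (form.get("username") or form.get("user") or form.get("login") or ["?"])[0]
            return ("form-login", user)
    return None


def audit_packets(packets):
    """packets: iterable of (dst_port, payload). One finding per packet with the
    content-inferred protocol and any cleartext credential (username only)."""
    findings = []
    for dport, payload in packets:
        proto = identify_protocol(payload)
        cred = http_cleartext_credentials(payload) if proto == "http" else None
        findings.append({"port": dport, "protocol": proto,
                         "credential": cred[0] if cred else None,
                         "user": cred[1] if cred else None})
    return findings


# Constructed sample payloads on non-standard ports (not real traffic).
SAMPLE_PACKETS = [
    (8888, b"GET /admin HTTP/1.1\r\nHost: intranet.example\r\nAuthorization: Basic "
           + base64.b64encode(b"alice:s3cret") + b"\r\n\r\n"),
    (2110, b"+OK POP3 server ready\r\n"),
    (8025, b"220 mail.example ESMTP Postfix\r\n"),
    (21, b"220 FTP service ready\r\n"),
    (80, b"POST /login HTTP/1.1\r\nHost: portal.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\nusername=bob&password=hunter2"),
    (443, b"\x16\x03\x01\x00\xa5\x01\x00\x00"),       # TLS ClientHello fragment: opaque, as it should be
]

if __name__ == "__main__":
    for f in audit_packets(SAMPLE_PACKETS):
        print(f)
```

Feeding real captures in is a matter of pulling reassembled TCP payloads out of a PCAP (for instance with scapy or pyshark) and passing `(port, payload)` pairs to `audit_packets`; the output is the list of places where a plaintext protocol or credential showed up on a port where nobody expected one.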

NetworkMiner

NetworkMiner is similar to Net-Creds in its principle of operation but has more functionality; for example, it can extract files transferred over protocols such as SMB. Like Net-Creds, it is useful when you need to analyze a large amount of traffic quickly. It also has a user-friendly graphical interface.

Pros:

  • Graphical interface;
  • Visualization and classification of data into groups - simplifies traffic analysis and makes it fast.

Cons:

  • The evaluation version has limited functionality.

mitm6

mitm6 is a tool for carrying out attacks on IPv6 (the SLAAC attack). Windows prefers IPv6 over IPv4 (as do most other operating systems), and in the default configuration the IPv6 interface is enabled; this allows an attacker to advertise their own DNS server using Router Advertisement packets, after which they can spoof DNS answers for the victim. It is perfectly suited for carrying out a relay attack together with the ntlmrelayx utility, which allows you to successfully attack Windows networks.

Pros:

  • Works great on many networks just because of the standard configuration of Windows hosts and networks;

Responder

Responder is a tool for spoofing broadcast name resolution protocols (LLMNR, NetBIOS, mDNS). It is an indispensable tool in Active Directory networks. In addition to spoofing, it can intercept NTLM authentication, and it comes with a set of tools for collecting information and carrying out NTLM relay attacks.

Pros:

  • By default, raises many servers with support for NTLM authentication: SMB, MSSQL, HTTP, HTTPS, LDAP, FTP, POP3, IMAP, SMTP;
  • Allows DNS spoofing in case of MITM attacks (ARP spoofing, etc.);
  • Fingerprint of the hosts that made the broadcast request;
  • Analyze mode - for passive monitoring of requests;
  • The format of intercepted hashes during NTLM authentication is compatible with John the Ripper and Hashcat.

Cons:

  • When running under Windows, binding port 445 (SMB) is fraught with some difficulties (requires stopping the relevant services and rebooting);

Evil Foca

Evil Foca is a tool for testing various network attacks in IPv4 and IPv6 networks. It scans the local network, identifying devices, routers and their network interfaces, after which you can perform various attacks on hosts in the network.

Pros:

  • Convenient for MITM attacks (ARP spoofing, DHCP ACK injection, SLAAC attack, DHCP spoofing);
  • You can carry out DoS attacks - with ARP spoofing for IPv4 networks, with SLAAC DoS in IPv6 networks;
  • You can implement DNS hijacking;
  • Easy to use, user friendly GUI.

Cons:

  • Works only under Windows.

Bettercap

Bettercap is a powerful framework for analyzing and attacking networks, including attacks on wireless networks, BLE (Bluetooth Low Energy) and even MouseJack attacks on wireless HID devices. In addition, it contains functionality for collecting information from traffic (similar to net-creds). In short, a Swiss army knife (all in one). It has recently gained a web-based graphical interface.

Pros:

  • Credential sniffer - you can catch visited URLs and HTTPS hosts, HTTP authentication, credentials over many different protocols;
  • Many built-in MITM attacks;
  • Modular HTTP(S) transparent proxy - you can manage traffic depending on your needs;
  • Built-in HTTP server;
  • Support for caplets - files that allow you to describe complex and automated attacks in a scripting language.

Cons:

  • Some modules, for example ble.enum, are only partially supported on macOS and Windows, and some are designed only for Linux, such as packet.proxy.

gateway_finder

gateway_finder is a Python script that helps determine possible gateways in the network. It is useful for checking segmentation or for finding hosts that can route to a desired subnet or to the Internet. It suits internal penetration tests in which you need to quickly check for unauthorized routes or routes into other internal networks.

Pros:

  • Easy to use and customize.

mitmproxy

mitmproxy is an open source tool for analyzing traffic protected with SSL/TLS. mitmproxy is convenient for intercepting and modifying protected traffic, with some reservations, of course: the tool does not break SSL/TLS itself. It is used when you need to intercept and record changes in traffic protected by SSL/TLS. It consists of mitmproxy, for proxying traffic; mitmdump, similar to tcpdump but for HTTP(S) traffic; and mitmweb, a web interface for mitmproxy.

Pros:

  • Works with various protocols, and also supports the modification of various formats, from HTML to Protobuf;
  • API for Python - allows you to write scripts for non-standard tasks;
  • It can work in transparent proxy mode with traffic interception.

Cons:

  • The dump format is incompatible with anything else - it is hard to grep, so you have to write scripts.
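The Python API in the pros list is also the usual answer to the con above about the dump format. As an added example that is not part of mitmproxy's own code or of the original article, the block below is an addon for `mitmdump -s` that writes one grep-friendly JSON line per completed flow and flags flows where a credential-bearing header (Authorization, Cookie, Proxy-Authorization) was sent over plain HTTP. The flow attributes it reads (`flow.request.method`, `.pretty_url`, `.scheme`, `.headers`, `flow.response.status_code`, `.headers`) are the real mitmproxy ones; `make_flow` is a constructed stand-in so the logic can be exercised without mitmproxy installed.

```python
import json
import sys
from types import SimpleNamespace

SENSITIVE_HEADERS = ("authorization", "cookie", "proxy-authorization")


def summarize_flow(flow):
    """Reduce one HTTP flow to a flat dict that can be grepped or loaded into
    any JSON-aware tool. Header names are compared case-insensitively so the
    same code works on mitmproxy's Headers object and on a plain dict."""
    req, resp = flow.request, flow.response
    present = [h for h in SENSITIVE_HEADERS
               if any(k.lower() == h for k in req.headers)]
    return {
        "method": req.method,
        "url": req.pretty_url,
        "status": resp.status_code if resp is not None else None,
        "content_type": resp.headers.get("content-type", "") if resp is not None else "",
        "sensitive_headers": present,
        # credential material over plain http is readable by anyone on the path
        "cleartext_credentials": req.scheme == "http" and bool(present),
    }


class JsonlLogger:
    """mitmproxy addon: emit one JSON line per flow once its response arrives."""

    def __init__(self, out=None):
        self.out = out or sys.stdout
        self.count = 0

    def response(self, flow):          # mitmproxy hook, called per completed flow
        self.out.write(json.dumps(summarize_flow(flow)) + "\n")
        self.count += 1


addons = [JsonlLogger()]               # what mitmdump -s picks up


def make_flow(method, url, headers=None, status=None, resp_headers=None):
    """Constructed stand-in for an http.HTTPFlow (assumed helper, only for
    running this file outside mitmproxy); header keys are used as given."""
    scheme = url.split("://", 1)[0]
    request = SimpleNamespace(method=method, pretty_url=url, scheme=scheme,
                              headers=dict(headers or {}))
    response = None if status is None else SimpleNamespace(
        status_code=status, headers=dict(resp_headers or {}))
    return SimpleNamespace(request=request, response=response)


if __name__ == "__main__":
    demo = JsonlLogger()
    demo.response(make_flow("GET", "http://intranet.example/api",
                            headers={"Authorization": "Basic ZGVtbzpkZW1v"}, status=200,
                            resp_headers={"content-type": "application/json"}))
    demo.response(make_flow("GET", "https://portal.example/", headers={"Cookie": "s=1"},
                            status=302, resp_headers={"content-type": "text/html"}))
```

Run it as `mitmdump -s jsonl_logger.py > flows.jsonl` (or with `--mode transparent` in the interception setup the pros list mentions) and the dump becomes a file you can filter with `grep '"cleartext_credentials": true'` or load line by line with `json.loads`.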

SEVEN

SEVEN is a tool for exploiting the capabilities of the Cisco Smart Install protocol. It makes it possible to obtain and modify the configuration and to take control of a Cisco device. If you manage to obtain a Cisco device configuration, you can check it with CCAT, a tool that is useful for analyzing the security configuration of Cisco devices.

Pros:

Using the Cisco Smart Install protocol allows you to:

  • Change the address of the tftp server on the client device by sending one malformed TCP packet;
  • Copy the device configuration file;
  • Change the device configuration, for example by adding a new user;
  • Update the IOS image on the device;
  • Execute an arbitrary set of commands on the device. This is a new feature that only works with IOS versions 3.6.0E and 15.2(2)E;

Cons:

  • Works with a limited set of Cisco devices; you also need a public ("white") IP address to receive a response from the device, or you need to be on the same network as the device.

yersinia

yersinia is an L2 attack framework designed to exploit security flaws in various L2 network protocols.

Pros:

  • Allows attacks on STP, CDP, DTP, DHCP, HSRP, VTP and other protocols.

Cons:

  • Not the most user friendly interface.

proxychains

proxychains is a tool that redirects an application's traffic through a specified SOCKS proxy.

Pros:

  • Helps redirect the traffic of applications that have no proxy support of their own.

In this article, we briefly reviewed the advantages and disadvantages of the main tools for internal network penetration testing. Stay tuned: we plan to post more collections like this in the future, covering web, databases and mobile applications.

Share your favorite utilities in the comments!

Source: habr.com