It seems like every week, we hear about another new hacking attack that has leaked the personal information of millions of people. I recently attended DEF CON 26 in Las Vegas, where an estimated 28,000 information security researchers gathered to share knowledge and practice our skills. The tools we use in this field can be difficult to learn, as they lack the same level of training systems, such as there are for Microsoft products, for example, or for learning a programming language, like C or Python. A lot of this knowledge must be gained from practice, trial and error, and asking questions of the community.
So, what are some of the tools hackers and InfoSec researchers use? Many of these tools touch on concepts complex enough to have entire books and courses built around them, but i will do my best to give quick explanations here.
What started as a way to gather public exploits into one place by a single researcher, HD Moore, has now blossomed into a commercial suite from Rapid7 as Metasploit Pro. However, the open source version, also known as the Metasploit Framework, is still available for use by all. Essentially, it is a one-stop shop for being able to do reconnaissance, build exploits, remotely control them and exfiltrate data, and maintain a collection of compromised computers and devices.
Nessus is a popular tool for doing internal and external vulnerability assessments. It also started out as open source, and now has a professional version available by parent company Tenable. The use of Nessus is often one of the first steps used when doing reconnaissance and enumeration of a target environment. It is not a bad idea to run this (carefully) against your own environment, to see what issues you or your client may have.
Nmap is used by system administrators and foes alike. It is a tool that is used to map out network devices and can report what ports are open, even providing some details, such as what manufacturer, version and operating system is being used. It can also be used to test network traffic responses. This open source tool was first released back in 1997, but is still in wide use today.
John the Ripper, Cain and Abel, THC Hydra and Hashcat
These are all examples of tools commonly used to crack passwords and hashes. Password verification commonly relies on cryptographic hashes. If one stores all user passwords as cleartext, a massive security breach can occur if the password file is compromised. One way to reduce this danger is to only store the hash digest of each password. To authenticate a user, the password presented by the user is hashed and compared with the stored hash. A password reset method is required when password hashing is performed because original passwords cannot be recalculated from the stored hash value.
Aircrack-NG and Airodump-ng
The tools above, used in conjunction with something like Aircrack-NG, make it very easy to test the security of a wireless network. Using Aircrack-NG along with Airodump-ng, one can force a de-authentication attack on a standard WPA2 network. Once the device starts spamming the Access Point or wireless controller to reauthenticate, the WPA2 hash is transmitted during the 4-way handshake. Once we have the hash, we can try matching it against password lists, or run it against rainbow tables. A rainbow table is a practical example of a space-time tradeoff, using less computer processing time and more storage than a brute-force attack which calculates a hash on every attempt, but more processing time and less storage than a simple lookup table with one entry per hash. Use of a key derivation function that employs a salt makes this attack infeasible.
OWASP Zed Attack Proxy (ZAP) and Nikto
The OWASP ZAP and Nikto are both examples of commonly used tools to search for and exploit web applications. Now that so much of what we do occurs in a web app, use of these tools by the internal security teams is critical.
Finally, tying just about all of the above together is Kali Linux. Previously known as Backtrack, this Linux distribution contains the most commonly used tools by security researchers in one place, all prepared and configured to work “out of the box.”
This is only a partial list, and there are many, many more tools out there besides these. Ultimately, no matter the tool, nothing beats good training of both security researchers, as well as end users. Learn more about careers in cybersecurity.
Ken May is a certified ethical hacker, information security and compliance auditor, network penetration tester, cybersecurity analytics professional, CEO, and owner of Swift Chip, a managed IT security services provider, based in Southern California.