Network tools, or where should a pentester start?

    A beginner pentester's toolkit: a short digest of the main tools that come in handy during an internal network pentest. These tools are already widely used by specialists, so it is worth everyone's while to know their capabilities and master them well.



    Nmap is an open-source network scanner and one of the most popular tools among security specialists and system administrators. It is used primarily for port scanning, but it has a huge number of other useful functions, which essentially makes Nmap an all-in-one tool for network reconnaissance.

    Besides checking open and closed ports, Nmap can identify the service listening on an open port and its version, and sometimes it helps determine the OS. Nmap supports scripts during scanning (NSE, the Nmap Scripting Engine). With scripts you can check various services for vulnerabilities (provided a script exists for them; you can always write your own) or brute-force passwords for various services.

    Thus, Nmap lets you draw up a detailed map of the network, collect the maximum information about the services running on its hosts, and proactively check for some vulnerabilities. Nmap also has flexible scan settings: you can set the scan rate, the number of parallel probes, the size of the host groups to scan, and so on.

    Convenient for scanning small networks and indispensable for targeted scanning of individual hosts.


    Advantages:

    • Works quickly on a small range of hosts;
    • Flexible settings: you can combine options so as to get the most informative data in a reasonable amount of time;
    • Parallel scanning: the list of target hosts is divided into groups, the groups are scanned one after another, and hosts within a group are scanned in parallel. The division into groups is also a small drawback (see below);
    • Predefined script categories for different tasks: instead of spending time selecting individual scripts, you can specify a category;
    • Output in 5 different formats, including XML, which can be imported into other tools.


    Disadvantages:

    • Scanning in host groups: information about a host is not available until the whole group has been scanned. This is mitigated by setting the maximum group size and the maximum time to wait for a response to a probe before giving up or retrying;
    • When scanning, Nmap sends SYN packets to the target port and waits for a response packet or for a timeout when there is none. This hurts the scanner's overall performance compared with asynchronous scanners (for example, Zmap or masscan);
    • When scanning large networks, the flags that speed up scanning (--min-rate, --min-parallelism) can give false negatives, missing open ports on a host. Use these options with caution, since a high packet rate can cause an unintended DoS.


    Zmap (not to be confused with Zenmap) is also an open-source scanner, created as a faster alternative to Nmap.

    Unlike Nmap, Zmap does not wait for a reply after sending a SYN packet; it keeps scanning while collecting responses from all hosts, so it keeps no connection state at all. When a reply to a SYN arrives, Zmap determines from the packet contents which port on which host is open. Zmap also sends only one SYN packet per scanned port. PF_RING can be used to scan large networks quickly, if you happen to have a 10-gigabit interface and a compatible network card at hand.


    Advantages:

    • Scanning speed;
    • Zmap generates Ethernet frames directly, bypassing the system's TCP/IP stack;
    • Ability to use PF_RING;
    • ZMap randomizes the target order to spread the load evenly on the scanned side;
    • Ability to integrate with ZGrab (a tool for collecting information about services at the application layer, L7).


    Disadvantages:

    • It can cause a denial of service on network equipment, for example knocking over intermediate routers: despite the randomized target order, all packets still pass through the same router.


    Masscan is, unsurprisingly, also an open-source scanner, created for a single purpose: to scan the Internet even faster (in under 6 minutes at ~10 million packets/s). In practice it works almost the same way as Zmap, only faster still.


    Advantages:

    • The syntax is similar to Nmap's, and the program also supports some Nmap-compatible options;
    • Speed: one of the fastest asynchronous scanners;
    • A flexible scanning mechanism: resuming an interrupted scan, distributing the load across several devices (as in Zmap).


    Disadvantages:

    • As with Zmap, the load on the network itself is extremely high, which can lead to DoS;
    • By default, it cannot scan at the application layer (L7).


    Nessus is a scanner that automates checking for and detecting known vulnerabilities in systems. Its source is closed; the free Nessus Home edition scans up to 16 IP addresses with the same speed and depth of analysis as the paid version.

    It can identify vulnerable versions of services and servers, detect configuration errors, and run dictionary password attacks. It can be used to verify that services are configured correctly (mail, updates, etc.) and in preparation for a PCI DSS audit. In addition, you can give Nessus host credentials (SSH or an Active Directory domain account); the scanner then logs in to the host and runs its checks directly on it. This mode is called a credentialed scan. Convenient for companies auditing their own networks.


    Advantages:

    • A separate plugin for each vulnerability, with a constantly updated database;
    • Output in plain text, XML, HTML and LaTeX;
    • The Nessus API lets you automate scanning and retrieving results;
    • Credentialed scan: you can use Windows or Linux credentials to check for missing updates and other vulnerabilities;
    • Ability to write your own checks: the scanner has its own scripting language, NASL (Nessus Attack Scripting Language);
    • You can schedule regular scans of the local network, so the information security team is kept aware of every change in the security configuration, the appearance of new hosts, and the use of dictionary or default passwords.


    Disadvantages:

    • Scanned systems can malfunction: with the safe checks option disabled, you need to work carefully;
    • The commercial version is not free.


    Net-Creds is a Python tool for collecting passwords and hashes, as well as other information such as visited URLs, downloaded files and other traffic details, both live during a MITM attack and from previously saved PCAP files. It is suited to a quick, surface-level analysis of large traffic volumes, for example during MITM attacks on a network, when time is short and manual analysis in Wireshark would take far too long.


    Advantages:

    • Services are identified by analyzing packet contents rather than by the port number in use;
    • Easy to use;
    • A wide range of extracted data, including logins and passwords for the FTP, POP, IMAP, SMTP and NTLMv1/v2 protocols, as well as information from HTTP requests, for example login forms and basic auth.


    NetworkMiner works on the same principle as Net-Creds but has more functionality; for example, it can extract files transferred over SMB. Like Net-Creds, it is convenient when you need to analyze a large amount of traffic quickly. It also has a convenient graphical interface.


    Advantages:

    • Graphical interface;
    • Visualization and grouping of data by category, which simplifies and speeds up traffic analysis.


    Disadvantages:

    • The free version has limited functionality.


    mitm6 is a tool for attacks on IPv6 (the SLAAC attack). IPv6 takes priority in Windows (and, generally speaking, in other OSes too), and the IPv6 interface is enabled in the default configuration. This lets an attacker assign his own DNS server to the victim using Router Advertisement packets, after which the attacker can spoof the victim's DNS. It is well suited to a relay attack with the ntlmrelayx utility, which allows successfully attacking Windows networks.


    Advantages:

    • It works great in many networks simply because of the default configuration of Windows hosts and networks.
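    The flip side of the rogue Router Advertisement described above is that a defender can spot it on the wire. The following added example (not from the article or from mitm6) parses an ICMPv6 Router Advertisement in Python, pulls out the DNS servers carried in its RDNSS option and the M/O flags that push hosts towards DHCPv6, and flags an RA that points hosts at a DNS server not on an approved list. The RA bytes and the approved list are constructed here, and the notion that the network is expected to use SLAAC with RDNSS only (so that set M/O flags are themselves suspicious) is an assumption exposed as a parameter.

```python
"""Parse an ICMPv6 Router Advertisement (RFC 4861) and flag unapproved RDNSS
(RFC 8106) DNS servers.  Added detection example; sample RA and allowlist are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_RDNSS = 25        # Recursive DNS Server option
FLAG_MANAGED = 0x80   # M flag: hosts should obtain addresses via DHCPv6
FLAG_OTHER = 0x40     # O flag: hosts should obtain other config (e.g. DNS) via DHCPv6


def build_router_advertisement(dns_servers, flags=0, lifetime=1800):
    """Construct the ICMPv6 payload of an RA carrying one RDNSS option (sample input).
    The checksum is left at zero because this packet is parsed, not transmitted."""
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,  # type, code, checksum
                         64, flags, lifetime,               # cur hop limit, M/O flags, router lifetime
                         0, 0)                              # reachable time, retrans timer
    addrs = b"".join(ipaddress.IPv6Address(s).packed for s in dns_servers)
    # Option length is in 8-octet units: 1 for the option header, 2 per IPv6 address.
    option = struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns_servers), 0, lifetime)
    return header + option + addrs


def parse_router_advertisement(data):
    """Return the M/O flags, router lifetime and RDNSS servers of an RA; raise if malformed."""
    if len(data) < 16:
        raise ValueError("too short for a Router Advertisement")
    icmp_type, _code, _csum, _hops, flags, lifetime, _reach, _retrans = \
        struct.unpack("!BBHBBHII", data[:16])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement (type %d)" % icmp_type)
    info = {"managed": bool(flags & FLAG_MANAGED),
            "other": bool(flags & FLAG_OTHER),
            "router_lifetime": lifetime,
            "rdnss": []}
    off = 16
    while off + 2 <= len(data):
        opt_type, opt_len = data[off], data[off + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861: discard such packets
        end = off + opt_len * 8
        if end > len(data):
            raise ValueError("truncated option")
        if opt_type == OPT_RDNSS:
            body = data[off + 8:end]  # skip type, length, reserved, lifetime
            for i in range(0, len(body) - len(body) % 16, 16):
                info["rdnss"].append(str(ipaddress.IPv6Address(body[i:i + 16])))
        off = end
    return info


def rogue_dns_servers(ra_info, approved):
    """Return the RDNSS servers announced by the RA that are not on the approved list."""
    allowed = {ipaddress.IPv6Address(a) for a in approved}
    return [s for s in ra_info["rdnss"] if ipaddress.IPv6Address(s) not in allowed]


def suspicious(ra_info, approved, dhcpv6_expected=False):
    """An RA is suspicious if it announces an unapproved DNS server, or (assumption:
    the network uses SLAAC with RDNSS only) if it tells hosts to use DHCPv6."""
    if rogue_dns_servers(ra_info, approved):
        return True
    if not dhcpv6_expected and (ra_info["managed"] or ra_info["other"]):
        return True
    return False


if __name__ == "__main__":
    approved = ["fd00::53"]                                   # constructed allowlist
    sample = build_router_advertisement(["fd00::53", "fe80::1"])
    info = parse_router_advertisement(sample)
    print(info)
    print("rogue:", rogue_dns_servers(info, approved), "suspicious:", suspicious(info, approved))
```

    In a live setting the bytes handed to parse_router_advertisement would be the ICMPv6 payload of type-134 packets captured on the segment; an alert on any RA whose source is not the expected router, or whose RDNSS servers fail this check, is the detection counterpart of the attack above.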


    Responder is a tool for spoofing broadcast name resolution protocols (LLMNR, NetBIOS, mDNS). An indispensable tool in Active Directory networks. Besides spoofing, it can intercept NTLM authentication, and it ships with a set of tools for collecting information and carrying out NTLM relay attacks.


    Advantages:

    • By default, it starts many servers that support NTLM authentication: SMB, MSSQL, HTTP, HTTPS, LDAP, FTP, POP3, IMAP, SMTP;
    • Allows spoofing DNS during MITM attacks (ARP spoofing, etc.);
    • Fingerprints the hosts that made a broadcast request;
    • Analyze mode, for passive monitoring of requests;
    • The intercepted NTLM authentication hashes are saved in a format compatible with John the Ripper and Hashcat.


    Disadvantages:

    • When running under Windows, binding port 445 (SMB) involves some difficulties (you have to stop the corresponding services and reboot).
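    Because a name-resolution poisoner answers queries for names that do not exist, it can be detected with a canary: ask LLMNR for a made-up name and treat any answer as a finding. The following added example (not from the article or from Responder) builds such a query in Python, parses any A-record answer that comes back, and, when run directly, sends the query to the LLMNR multicast group and reports who answered. The canary name and the sample poisoned response used for the offline check are constructed here.

```python
"""LLMNR canary probe: query a name that cannot exist and report any host that answers.
Added detection example; the canary name and sample response bytes are constructed."""
import os
import socket
import struct

LLMNR_GROUP = "224.0.0.252"  # LLMNR IPv4 multicast group
LLMNR_PORT = 5355

CANARY = "canary-7f3a"        # constructed: nothing on the network is called this
SAMPLE_TXID = 0x1234


def encode_name(name):
    """DNS-style label encoding, as used by LLMNR."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii") for label in name.split("."))
    return out + b"\x00"


def skip_name(data, off):
    """Return the offset just past an encoded name (handles compression pointers)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def build_llmnr_query(name, txid):
    """LLMNR query for an A record; the header has the DNS layout (ID, flags, counts)."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_llmnr_response(data, txid):
    """Return the IPv4 addresses in a response that matches our transaction ID,
    or [] if the packet is not a matching answer."""
    if len(data) < 12:
        return []
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000 or an == 0:
        return []
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        off = skip_name(data, off) + 4
    answers = []
    for _ in range(an):
        off = skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


# Constructed sample of what a poisoned answer to the canary looks like (used offline).
SAMPLE_POISONED_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8000, 1, 1, 0, 0)
    + encode_name(CANARY) + struct.pack("!HH", 1, 1)
    + encode_name(CANARY) + struct.pack("!HHIH", 1, 1, 30, 4) + socket.inet_aton("10.0.0.99")
)


def probe_for_poisoner(timeout=2.0):
    """Send one canary query to the LLMNR group and return [(responder_ip, [answers]), ...].
    On a healthy network the list is empty."""
    txid = int.from_bytes(os.urandom(2), "big")
    name = "canary-" + os.urandom(3).hex()
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    hits = []
    try:
        sock.sendto(build_llmnr_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(2048)
            addrs = parse_llmnr_response(data, txid)
            if addrs:
                hits.append((src, addrs))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return hits


if __name__ == "__main__":
    print("offline sample:", parse_llmnr_response(SAMPLE_POISONED_RESPONSE, SAMPLE_TXID))
    for src, addrs in probe_for_poisoner():
        print("possible LLMNR poisoner at %s answered with %s" % (src, addrs))
```

    The probe only speaks LLMNR; the NetBIOS and mDNS channels Responder also poisons need their own canaries, and in a domain the durable fix is disabling LLMNR and NBT-NS by policy rather than probing for abusers.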


    Evil Foca is a tool for testing various network attacks in IPv4 and IPv6 networks. It scans the local network, identifying devices, routers and their network interfaces, after which various attacks can be carried out against network participants.


    Advantages:

    • Convenient for MITM attacks (ARP spoofing, DHCP ACK injection, SLAAC attack, DHCP spoofing);
    • DoS attacks: via ARP spoofing in IPv4 networks and SLAAC DoS in IPv6 networks;
    • DNS hijacking;
    • Easy to use, user-friendly graphical interface.


    Disadvantages:

    • It works only under Windows.


    Bettercap is a powerful framework for analyzing and attacking networks, including wireless networks, BLE (Bluetooth Low Energy) and even MouseJack attacks on wireless HID devices. It also contains functionality for collecting information from traffic (similar to net-creds). In short, a Swiss army knife (all in one). Recently it has also gained a web-based graphical interface.


    Advantages:

    • Credential sniffer: captures visited URLs and HTTPS hosts, HTTP authentication, and credentials for many different protocols;
    • Many built-in MITM attacks;
    • Modular transparent HTTP(S) proxy: you can manipulate traffic according to your needs;
    • Built-in HTTP server;
    • Support for caplets, script files that describe complex, automated attacks.


    Disadvantages:

    • Some modules, for example ble.enum, are only partially supported on macOS and Windows; some, for example packet.proxy, are Linux-only.


    gateway finder is a Python script that helps identify possible gateways on the network. It is convenient for checking segmentation or finding hosts that can route to a required subnet or to the Internet. Suitable for internal pentests, when you need to quickly check for unauthorized routes or routes to other internal LANs.


    Advantages:

    • Easy to use and customize.


    mitmproxy is an open-source tool for analyzing SSL/TLS-protected traffic. mitmproxy is convenient for intercepting and modifying protected traffic, with some caveats, of course: the tool does not attack SSL/TLS encryption itself. It is used when you need to intercept and record changes in SSL/TLS-protected traffic. It consists of mitmproxy (the proxy itself), mitmdump (like tcpdump, but for HTTP(S) traffic) and mitmweb (a web interface for mitmproxy).


    Advantages:

    • It works with various protocols and supports modifying various formats, from HTML to Protobuf;
    • A Python API lets you write scripts for non-standard tasks;
    • It can work in transparent proxy mode with traffic interception.


    Disadvantages:

    • The dump format is not compatible with anything else: it is hard to grep, so you end up writing scripts.


    SIET is a tool for exploiting the Cisco Smart Install protocol. It can obtain and modify the configuration and take control of a Cisco device. If you manage to obtain a Cisco device's configuration, you can check it with CCAT, a tool for analyzing the security of Cisco device configurations.


    Using the Cisco Smart Install protocol, you can:

    • Change the TFTP server address on the client device by sending a single malformed TCP packet;
    • Copy the device's configuration file;
    • Replace the device's configuration, for example adding a new user;
    • Update the IOS image on the device;
    • Run an arbitrary set of commands on the device. This is a new feature that only works in IOS versions 3.6.0E and 15.2(2)E.


    Disadvantages:

    • It works with a limited set of Cisco devices; you also need a public ("white") IP address to receive the device's response, or you must be on the same network as the device.


    yersinia is a framework for L2 attacks, designed to exploit security flaws in various L2 network protocols.


    Advantages:

    • Allows attacks on STP, CDP, DTP, DHCP, HSRP, VTP and other protocols.


    Disadvantages:

    • Not the most convenient interface.


    proxychains is a tool that redirects an application's traffic through a specified SOCKS proxy.


    Advantages:

    • Helps route the traffic of applications that do not natively support proxies.

    In this article we briefly reviewed the advantages and disadvantages of the basic tools for internal network pentests. Stay tuned: we plan to publish more collections like this, covering web, databases and mobile applications.

    Share your favorite utilities in the comments!
