SECURITY RESEARCH, TOOLS |

16 Offensive Security Tools for SysAdmins

Security Professionals use Offensive security tools for testing and demonstrating security weaknesses. Systems Administrators and other IT professionals will benefit from having an understanding of the capabilities of these tools. Benefits include preparing systems to defend against these types of attacks and being able to identify the attacks in the case of an incident.

This selection of tools, when utilized by a moderately skilled attacker has the potential to wreak havoc on an organization's network.

If you are interested in testing these tools they are all available to download and use for FREE. Most are open-source with a couple of exceptions. Do not use against systems that you do not have permission to attack. You could end up in jail.

The mitigations listed for each tool are high-level pointers to techniques that a systems administrator should consider for defending against these powerful tools. Further information can be found at the project sites for each of the tools.

While some of the recommendations may appear to be common sense, far too often the basics are overlooked.

MetaSploit Framework
Metasploit Framework - an open source tool for exploit development and penetration testing. Metasploit is well known in the security community. Metasploit has exploits for both server and client based attacks; with feature packed communication modules (meterpreter) that make pwning systems fun! The framework now includes Armitage for point and click network exploitation. This is the go to tool if you want to break into a network or computer system.

Defending against Metasploit:

  • Keep all software updated with the latest security patches.
  • Use strong passwords on all systems.
  • Deploy network services with secure configurations.
Ettercap
Ettercap - a suite of tools for man in the middle attacks (MITM). Once you have initiated a man in the middle attack with Ettercap, use the modules and scripting capabilities to manipulate or inject traffic on the fly. Sniffing data and passwords are just the beginning; inject to exploit FTW!

Defending against Ettercap:

  • Understand that ARP poisoning is not difficult in a typical switched network.
  • Lock down network ports.
  • Use secure switch configurations and NAC if risk is sufficient.
SSLStrip
sslstrip - using HTTPS makes people feel warm, fuzzy, and secure. With sslstrip, this security can be attacked, reducing the connection to an unencrypted HTTP session, whereby all the traffic is readable. Banking details, passwords, and emails from your boss, all in the clear. Even includes a nifty feature where the favicon on the unencrypted connection is replaced with a padlock just to make the user keep that that warm fuzzy feeling.

Defending against sslstrip:

  • Be aware of the possibility of MITM attacks (arp, proxies / gateway, wireless).
  • Look for sudden protocol changes in browser bar. Not really a technical mitigation!
Evilgrade
evilgrade - another man in the middle attack. Everyone knows that keeping software updated is the way to stay secure. This little utility fakes the upgrade and provides the user with a not so good update. Can exploit the upgrade functionality on around 63 pieces of software including Opera, Notepad++, VMware, Virtualbox, itunes, quicktime and winamp! It really whips the llamas ass!

Defending against evilgrade:

  • Be aware of the possibility of MITM attacks (arp attacks, proxy / gateway, wireless).
  • Only perform updates to your system or applications on a trusted network.
Social Engineer Toolkit
Social Engineer Toolkit - makes creating a social engineered client side attack way too easy. Creates the spear phish, sends the email and serves the malicious exploit. SET is the open source client side attack weapon of choice.

Defending against SET:

  • User awareness training around spear phishing attacks.
  • Strong Email and Web filtering controls.
SQLmap
sqlmap - SQL Injection is an attack vector that has been around for over 10 years. Yet it is still the easiest way to get dumps of entire databases of information. Sqlmap is not only a highly accurate tool for detecting sql injection, but also has the capability to dump information from the database, and to even launch attacks that can result in operating system shell access on the vulnerable system.

Defending against sqlmap:

  • Filter all input on dynamic websites (secure the web applications).
  • Use mod_proxy or other web based filtering controls to help block malicious injection attacks (not ideal as often able to bypass these web application firewalls (WAF).
Aircrack-NG
aircrack-ng - breaking holes in wireless networks for fun and profit. A suite of tools that enables all manner of wireless network attacks.

Defending against aircrack-ng:

  • Never use WEP
  • When using WPA2 with pre-shared keys, ensure passwords are strong (10+ characters non-dictionary based passwords).
oclHashcat
oclHashcat - Need to get some passwords from the hashes you grabbed with sqlmap? Use this tool to bust them open. Over 48 different hashing algorithms supported. Will use the GPU (if supported) on your graphics card to find those hashes many times faster than your clunky old CPU.

Defending against oclHashcat:

  • Passwords are the weakest link. Enforce password complexity.
  • Protect the hashed passwords.
  • Salt the hashes.
ncrack
ncrack - Brute force network passwords with this tool from Fyodor the creator of Nmap. Passwords are the weakest link and Ncrack makes it easy to brute force passwords for RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, and telnet.

Defending against ncrack:

  • Use strong passwords everywhere.
  • Implement time based lockouts on network service password failures.
Cain and Abel
Cain and Abel - Cracking passwords, sniffing VOIP and Man in the Middle (MITM) attacks against RDP are just a few examples of the many features of this Windows only tool.

Defending against Cain and Abel:

  • Be aware of the possibility of MITM attacks (arp attacks, untrusted proxy / gateway, wireless).
  • Use strong passwords everywhere.
Tor Network
Tor - push your traffic through this onion network that is designed to provide anonymity to the user. Note your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it, Tor provides anonymity not encrypted communication.

Defending against Tor:

  • It is possible to implement blocking of Tor exit nodes on your firewall, if Tor traffic is linked to a threat to your environment.
Binwalk
Binwalk - is a fast way to analyse firmware images. Using binwalk you are able to; extract files, identify compression, extract compressed files, and search binaries for strings. For an attacker it helps in the search for hard coded passwords, API keys, and other key pieces of information in firmware images.

Defending against Binwalk:

  • Don't leave plain text hard coded passwords, API keys and other back doors in your firmware.
Cobalt Strike
Cobalt Strike (Commercial) - Billed as software for adversary simulations and red team operations. It is essentially an exploitation tool such as Metasploit but with a focus on lateral movement (tunnelling commands through multiple pivot points) and C2 (command and control). Checkout the videos for interesting examples of Cobalt Strike in use.

Defending against Cobalt Strike:

  • Advanced attackers need to be discovered by advanced blue teams. Solid network analysis capabilities and well defended networks.
Canvas - Immunity
Canvas (Commercial) - Another exploitation framework with advanced capabilities for pivoting and lateral movement. Can be used with another Immunity product - Innuendo that is billed as a post compromise implant framework. With these tools an attacker can simulate an advanced adversary from initial compromise all the way to persistent network access and data ex-filtration.

Defending against Canvas:

  • Similar to Cobalt Strike, you will need to have your house in order as a blue team to detect an attacker using these tools.
Mimikatz
Mimikatz - A well known tool to extract passwords and NTLM hashes from Windows memory. This tool will be used by an attacker once they are able to execute code on the system.

Defending against Mimikatz:

  • There are a number of tweaks that can be made to Windows Local Security Policy and Active Directory to limit the effectiveness of Mimikatz. Like many things in infosec, these techniques often come down to an arms race between the attacker and the defenders.
Zmap & Masscan
Zmap & masscan - When it comes to Port Scanners, the one at the top is no doubt Nmap. It is a utility that everyone should have available. When it comes to large scale scanning Zmap and masscan are two newer tools that are crazy fast. Scanning the whole IPv4 internet fast.

Defending against Zmap & Masscan:

Conclusion

If you are interested in testing these offensive security tools, take a look at the Kali Linux distribution. It includes many of these and other tools pre-installed.

These tools are used by security professionals around the world to demonstrate security weakness.

Updated 11th December 2018. Now includes 16 offensive security tools.

Use caution
Only experiment on your local network where you have permission. Do not do anything stupid. You could end up in jail.