Published by Enhelion, 2020-01-09 08:35:08




Tools used in Ethical Hacking

In this module, we shall discuss in brief some of the well-known tools that ethical hackers use to find
weaknesses in a computer or network system before an attacker does. Most of them are the same tools
attackers use; what makes their use ethical is authorization and scope, so run them only against
systems you are permitted to test.
Nmap stands for Network Mapper, an open source tool that is widely used for network
discovery and security auditing. Originally designed to scan large networks, it can work equally
well for single hosts. Network administrators also find it useful for tasks such as network
inventory, managing service upgrade schedules, as well as monitoring host or service uptime.
Nmap uses raw IP packets to determine:

what hosts are available on the network,
what services those hosts are offering,
what operating systems they are running on,
what type of firewalls are in use, and other such characteristics

Nmap runs on all major computer operating systems such as Windows, Mac OS X, and Linux.
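Nmap's scan results are most useful when they are kept as a machine-readable inventory and compared over time, which is the network-inventory and uptime-monitoring use the paragraph above mentions. The script below is an added example written for this module, not part of Nmap; it parses a constructed report in the layout Nmap writes with `-oX` (element and attribute names follow Nmap's XML schema, but the hosts, ports and versions are made up), keeps only hosts that were up and ports that were open, and then diffs two scans to flag a service that appeared between them.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap's -oX output (element names and attributes follow the
# real schema; the hosts, ports and versions are invented for this example).
SAMPLE_SCAN = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.168.1.0/24" version="7.80">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/>
<service name="https"/></port>
</ports>
<os><osmatch name="Linux 3.2 - 4.9" accuracy="96"/></os>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.1.11" addrtype="ipv4"/></host>
</nmaprun>
"""

# The same scan repeated later, with one extra listening service (also constructed).
SAMPLE_SCAN_LATER = SAMPLE_SCAN.replace(
    "</ports>",
    '<port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>'
    '<service name="mysql" product="MySQL" version="5.7.26"/></port></ports>',
)


def parse_nmap_xml(xml_text):
    """Reduce an Nmap XML report to {ip: {"os": ..., "ports": {(proto, port): service}}}
    for hosts that were up. Only ports in state "open" are kept."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        if host.find("status").get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        ports = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            ports[(port.get("protocol"), int(port.get("portid")))] = {
                "name": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            }
        osmatch = host.find("os/osmatch")  # present only when -O produced a match
        inventory[addr] = {"os": osmatch.get("name") if osmatch is not None else None,
                           "ports": ports}
    return inventory


def diff_inventories(before, after):
    """Compare two inventories: hosts that appeared, and ports that opened or closed."""
    new_hosts = sorted(set(after) - set(before))
    opened, closed = [], []
    for ip in sorted(set(before) & set(after)):
        for key in sorted(set(after[ip]["ports"]) - set(before[ip]["ports"])):
            opened.append((ip,) + key)
        for key in sorted(set(before[ip]["ports"]) - set(after[ip]["ports"])):
            closed.append((ip,) + key)
    return {"new_hosts": new_hosts, "opened": opened, "closed": closed}


if __name__ == "__main__":
    before = parse_nmap_xml(SAMPLE_SCAN)
    after = parse_nmap_xml(SAMPLE_SCAN_LATER)
    for ip, info in after.items():
        print(ip, info["os"])
        for (proto, port), svc in sorted(info["ports"].items()):
            print(f"  {port}/{proto} {svc['name']} {svc['product'] or ''} {svc['version'] or ''}")
    print("changes since last scan:", diff_inventories(before, after))
```

Filtered ports are deliberately dropped from the inventory: a firewall silently discarding probes is not a listening service, and treating it as one would make every diff noisy. To use this on real data, run `nmap -sV -oX scan.xml <targets>` and pass the file contents to `parse_nmap_xml`.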

Metasploit is one of the most widely used exploitation frameworks. It is maintained by Rapid7, which
hosts its documentation and downloads, and it comes in two versions: the free, open-source Metasploit
Framework, driven from the msfconsole command line, and the commercial Metasploit Pro, which adds a
web UI.
You can perform the following operations with Metasploit:

Conduct basic penetration tests on small networks
Run spot checks on the exploitability of vulnerabilities
Discover the network or import scan data
Browse exploit modules and run individual exploits on hosts
Burp Suite

Burp Suite is a popular platform that is widely used for performing security testing of web
applications. It has various tools that work in collaboration to support the entire testing
process, from initial mapping and analysis of an application's attack surface, through to finding
and exploiting security vulnerabilities.

Burp Suite is simple to use and gives the tester full control to combine advanced manual techniques
with automation for efficient testing. It is easily configured and contains features to assist even
the most experienced testers with their work.

Angry IP Scanner

Angry IP scanner is a lightweight, cross-platform port and IP address scanner. It can scan IP
addresses in any range. It can be copied freely and used anywhere. In order to increase the
scanning speed, it uses multithreaded approach, wherein a separate scanning thread is created
for each scanned IP address.

Angry IP Scanner simply pings each IP address to check whether it is alive, and then resolves its
hostname, determines the MAC address, scans ports, and so on. The data gathered about each host can
be saved to TXT, XML, CSV, or IP-Port list files. With the help of plugins, Angry IP Scanner can
gather additional information about scanned IPs.

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It helps in easy
recovery of various kinds of passwords by employing any of the following methods −

sniffing the network,
cracking password hashes using dictionary, brute-force and cryptanalysis (rainbow table) attacks,
recording VoIP conversations,
decoding scrambled passwords,
recovering wireless network keys,
revealing password boxes,
uncovering cached passwords and analyzing routing protocols.


Ettercap is a network security tool for man-in-the-middle attacks on a local network. Its features
include sniffing of live connections, content filtering on the fly and many more interesting tricks.
Ettercap has built-in features for network and host analysis. It supports passive and active
dissection of many protocols. It can run on all the popular operating systems such as Windows, Linux,
and Mac OS X.


EtherPeek is a tool that simplifies network analysis in a multiprotocol, heterogeneous network
environment. It can be installed in a matter of a few minutes and is less than 2 MB in size.

It sniffs traffic packets on a network. By default, EtherPeek supports protocols such as AppleTalk,
IP, Address Resolution Protocol (ARP), TCP, UDP, NetWare, NetBEUI, and NBT.


SuperScan is a powerful tool for network administrators to scan TCP ports and resolve
hostnames. It has a user-friendly interface and is used to:

Perform ping scans and port scans using any IP range.
Scan any port range from a built-in list or any given range.
View responses from connected hosts.
Modify the port list and port descriptions using the built in editor.
Merge port lists to build new ones.
Connect to any discovered open port.
Assign a custom helper application to any port.


QualysGuard is an integrated suite of tools that can be utilized to simplify security operations
and lower the cost of compliance. It includes a set of tools that can monitor, detect, and protect
global networks. It delivers critical security information on demand and automates the full
spectrum of auditing, compliance and protection for IT systems and web applications.


WebInspect is a web application security assessment tool that helps identify known and
unknown vulnerabilities within the Web application layer.

It can also help check that a Web server is configured properly, and attempts common web
attacks such as parameter injection, cross-site scripting, directory traversal, and more.


LC4 (L0phtCrack 4) is a password auditing and recovery application. It is used to test password
strength and sometimes to recover lost Microsoft Windows passwords, by running dictionary, brute-force,
and hybrid attacks against the LM and NTLM hashes.

LC4 recovers Windows user account passwords to streamline migration of users to another
authentication system or to access accounts whose passwords are lost.

LANguard Network Security Scanner

LANguard Network Security Scanner monitors a network by scanning connected machines and providing
information about each node, including the operating system it runs. It can also detect registry
issues and produce its report in HTML format.

Network Stumbler

Network Stumbler is a Wi-Fi scanner and monitoring tool for Windows. It allows network professionals
to detect WLANs, and it is popular with networking enthusiasts and hackers for mapping nearby
wireless networks.

Network Stumbler can be used to verify that a network is well configured, to check its signal strength
or coverage, and to detect interference between wireless networks. It can also be used to find
unauthorized (rogue) access points.


ToneLoc stands for Tone Locator. Written for MS-DOS in the early 90’s, it was a popular war
dialing computer program. War dialing is a technique of using a modem to automatically scan a
list of telephone numbers, usually dialing every number in a local area code.

Malicious hackers use the resulting lists to breach computer security by guessing user accounts or
locating modems that might provide an entry point into computer or other electronic systems. The same
technique can be used by security personnel to find unauthorized modems attached to their own network.

John the Ripper

Developed by Openwall, John the Ripper is a free password cracking tool. Originally developed for Unix
operating systems, it was later ported to other platforms as well. It is one of the most popular
password testing and breaking programs because it combines several password crackers into one
package, auto-detects password hash types, and includes a customizable cracker. It can be run against
many password hash formats, including the crypt(3) hash types commonly found in Linux and the LM/NTLM
hashes used by Windows. With the helper programs in the community "jumbo" build (zip2john, pdf2john
and others) it can also crack the passwords of compressed files such as ZIP archives and of document
files such as PDF.

John the Ripper is designed to be both feature-rich and fast. Also, it is available for several
different platforms which enables you to use the same cracker everywhere. You can even
continue a cracking session which you started on another platform

John the Ripper works in three distinct modes to crack passwords:

1. Single Crack Mode
2. Wordlist Crack Mode
3. Incremental Mode

John the Ripper Single Crack Mode: In this mode, John derives candidate passwords from information it
already has about the account, such as the username, the GECOS (full name) field and the home
directory, applying mangling rules to each. It is fast and is tried first, because many users pick
passwords based on their own login name.

John the Ripper Wordlist Crack Mode: In this mode, John takes a wordlist (also called a dictionary),
optionally applies mangling rules to each word, hashes every candidate in the target's hash format and
compares the result with the stored hash. Any wordlist can be used; John also ships with a password
list (password.lst) containing the most common passwords.

John the Ripper Incremental Mode: In this mode, John tries all character combinations of a given
character set and length range, ordered by how likely they are. It is the most thorough mode but also
the slowest, and it is the fallback when the first two modes fail.
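The three modes are easiest to understand as three candidate generators feeding one comparison loop. The script below is an added example written for this module, not John's code: it hashes candidates with a salted SHA-256 (standing in for the crypt(3) formats John handles) and implements a small subset of John-style mangling rules (c = capitalize, u = uppercase, $x = append x). The "shadow" entries and wordlist are constructed inline; the rule names and the `crack` function are this example's own, not John's API.

```python
import hashlib
from itertools import chain, product


def hash_password(salt, password):
    """Salted SHA-256, standing in for the crypt(3)-style formats john supports."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Mangling rules in the spirit of john's wordlist rules (names chosen for this example):
# none, c = capitalize, u = uppercase, $x = append x, and two simple compositions.
RULES = {
    "none": lambda w: w,
    "c": lambda w: w.capitalize(),
    "u": lambda w: w.upper(),
    "$1": lambda w: w + "1",
    "$123": lambda w: w + "123",
    "c$1": lambda w: w.capitalize() + "1",
    "c$!": lambda w: w.capitalize() + "!",
}


def single_mode_candidates(username):
    """Single crack mode: derive guesses from the login name itself."""
    bases = {username, username.lower(), username[::-1]}
    for base in sorted(bases):
        for rule in RULES.values():
            yield rule(base)


def wordlist_candidates(wordlist):
    """Wordlist mode: every dictionary word, run through every rule."""
    for word in wordlist:
        for rule in RULES.values():
            yield rule(word)


def incremental_candidates(charset="0123456789", max_len=4):
    """Incremental mode: exhaustive search over a character set, shortest first."""
    for length in range(1, max_len + 1):
        for combo in product(charset, repeat=length):
            yield "".join(combo)


def crack(entries, wordlist):
    """entries: iterable of (user, salt, digest). Returns {user: recovered_password}
    for the hashes some candidate matched; users whose hash never matched are left out.
    Modes are tried in john's order: single, then wordlist, then incremental."""
    found = {}
    for user, salt, digest in entries:
        candidates = chain(single_mode_candidates(user),
                           wordlist_candidates(wordlist),
                           incremental_candidates())
        for candidate in candidates:
            if hash_password(salt, candidate) == digest:
                found[user] = candidate
                break
    return found


# Constructed sample "shadow" entries; the passwords were chosen to exercise each mode.
SAMPLE_ENTRIES = [
    ("alice", "Xq9", hash_password("Xq9", "alice123")),     # single mode: username + $123
    ("bob",   "7Lm", hash_password("7Lm", "Summer1")),      # wordlist mode: "summer" + c$1
    ("dave",  "k4R", hash_password("k4R", "0427")),         # incremental mode: 4 digits
    ("carol", "pZ2", hash_password("pZ2", "Tr0ub4dor&3")),  # not reachable by any mode here
]
SAMPLE_WORDLIST = ["password", "summer", "qwerty", "letmein"]

if __name__ == "__main__":
    print(crack(SAMPLE_ENTRIES, SAMPLE_WORDLIST))
    # {'alice': 'alice123', 'bob': 'Summer1', 'dave': '0427'}
```

The order of the generators matters more than it looks: single mode costs a handful of hashes per user, the wordlist a few thousand, and incremental mode grows exponentially with length, so the cheap modes must run first. Carol's password survives all three, which is the outcome a password audit is looking for.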


IronWASP stands for Iron Web Application Advanced Security testing Platform. It is an open source tool
developed for security testing of web applications to find vulnerabilities. It is easy to use and
good for beginners who want to gain in-depth knowledge about security testing.

It has a GUI interface which doesn’t require any installation and comes with Built-in Crawler,
Scan Manager & Proxy and embedded with modules & plugins. IronWASP is able to detect most
of the vulnerabilities with least number of "false positives" and enables the tester to define
custom Security Scanner in a very short time.

Though an advanced user with Python/Ruby scripting skills will be able to ensure a
comprehensive usage of this scanner, a majority of the tool's features are simple enough to be
used by absolute beginners.

The prime features of this tool being:

Simple UI interface offering ease of use, without much knowledge on in-depth
application security/testing aspects.
Powerful and effective scanning engine with automatic and manual crawling options.
Supports recording Login sequence.
Facilitates generation of reports in both HTML and RTF formats.

Checks for over 25 varied and well-known web vulnerabilities across the OWASP Top 10 and the
SANS/CWE Top 25.
Embedded interactive testing tools to test for:
- CSRF Protection
- Broken Authentication
- Hidden Parameters
- Privilege Escalation

Through Active Scanning, the tools help to find defects related to:

1. SQL Injection
2. Cross-site Scripting
3. Command Injection
4. Header Injection
5. Code Injection
6. LDAP Injection
7. XPATH Injection
8. Local File Include
9. Open Redirect
10. Remote File Include

Through Passive Scanning, the tools help to find defects related to:

Use of HTTP Basic Authentication
Cookies without Secure and HTTP-Only Flag
Cookies containing Sensitive Information
Insecurely Configured crossdomain.xml File
Directory Listing Turned On
Potential Open Redirect Candidates
DOM XSS Sources and Sinks in the Page
Script, IFRAME and CSS Loaded from External Domains
Script, IFRAME and CSS Loaded over HTTP in an HTTPS & HTTP Page
HTML Form Contents Submitted to External Domains
HTML Form Contents from HTTPS Page Submitted to HTTP & HTTPS Page
HTML Form with Password Field Loaded Over HTTP
Password Sent in URL
Potential Session Fixation Candidates

Vulnerable Version of Web Server
Web Server Banner Grabbing
X-Header Analysis
Support for both false-positive and false-negative detection.
Extensible via plug-ins or modules in Python, Ruby, C# or VB.NET, and bundled with a growing number
of modules built by researchers in the security community, such as WiHawk (WiFi router vulnerability
scanner), XmlChor (automatic XPATH injection exploitation tool), IronSAP (SAP security scanner), SSL
Security Checker (scanner to discover vulnerabilities in SSL installations), OWASP Skanda (automatic
SSRF exploitation tool) and CSRF PoC Generator (tool for automatically generating exploits for CSRF
vulnerabilities).
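Most of the passive checks listed above need nothing more than the response the browser already received. The script below is an added example written for this module, not IronWASP's code: it implements a handful of those checks (cookies without Secure or HttpOnly, HTTP Basic authentication, a version-revealing Server banner, scripts and stylesheets loaded over HTTP on an HTTPS page, and a form with a password field that submits over HTTP) against a constructed HTTP response. The hostnames, cookie names and finding strings are invented for the example.

```python
import re


def parse_response(raw):
    """Split a raw HTTP response into (status_line, [(header_lower, value), ...], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    headers = []
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers, body


def passive_checks(raw_response, page_url):
    """Flag weaknesses visible in one response, without sending any further request."""
    over_https = page_url.lower().startswith("https://")
    _, headers, body = parse_response(raw_response)

    def get_all(name):
        return [v for k, v in headers if k == name]

    findings = []

    # Cookie flags: Secure only matters when the page itself is served over HTTPS.
    for cookie in get_all("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if over_https and "secure" not in attrs:
            findings.append(f"cookie {name} set without Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} set without HttpOnly flag")

    if any(v.lower().startswith("basic") for v in get_all("www-authenticate")):
        findings.append("HTTP Basic authentication in use")

    # A Server header with a "/<digit>" fragment is advertising a product version.
    for banner in get_all("server"):
        if re.search(r"/\d", banner):
            findings.append(f"server banner discloses version: {banner}")

    # Mixed content: active resources pulled over plain HTTP into an HTTPS page.
    if over_https:
        for m in re.finditer(r'<(script|link|iframe)\b[^>]*?(?:src|href)="http://[^"]*"',
                             body, re.I):
            findings.append(f"{m.group(1).lower()} loaded over HTTP on an HTTPS page")

    # Forms whose action posts to an http:// URL, worse when they carry a password.
    for form in re.finditer(r"<form\b[^>]*>.*?</form>", body, re.I | re.S):
        markup = form.group(0)
        action = re.search(r'\baction="([^"]*)"', markup, re.I)
        has_password = re.search(r'type="password"', markup, re.I) is not None
        if action and action.group(1).lower().startswith("http://"):
            findings.append("form submits over HTTP"
                            + (" with a password field" if has_password else ""))
    return findings


# Constructed response for https://shop.example/login (not captured from any real site).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.6\r\n"
    "Set-Cookie: session=3f9a; Path=/; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><script src="http://cdn.example.net/app.js"></script></head>\n'
    '<body><form method="post" action="http://shop.example/login">\n'
    '<input name="user"><input type="password" name="pw"></form></body></html>\n'
)

if __name__ == "__main__":
    for finding in passive_checks(SAMPLE_RESPONSE, "https://shop.example/login"):
        print("-", finding)
```

Note that the page URL is an input to the checks, not something read from the response: whether a missing Secure flag or an `http://` script source is a finding depends on the scheme the page was served over, which is why the same response yields fewer findings when analysed as an HTTP page.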


Wapiti is a free open-source command-line based vulnerability scanner written in Python.

While it’s not the most popular tool in this field, it does a good job of finding security flaws in
many web applications.


Maltego is an open source intelligence (OSINT) and forensics application offering timely mining and
gathering of information as well as the representation of this information in an easy to understand
graph format.

Maltego is a good tool for intel gathering and reconnaissance while performing the first analysis of
your target. It can be used to correlate and determine relationships between people, names, phone
numbers, email addresses, companies, organizations and social networks.


Aircrack-ng is a suite of tools used by beginners as well as experts for wireless sniffing, cracking
and creating rogue APs. In technical terms, it is an 802.11 WEP and WPA-PSK key cracking program that
can recover keys once enough data packets have been captured.

The Aircrack-ng suite includes tools such as:

airmon-ng, to put a wireless interface into monitor mode
airodump-ng, to capture 802.11 frames and WPA handshakes
aireplay-ng, to inject frames (for example deauthentication) and replay captured traffic
aircrack-ng, to recover WEP and WPA-PSK keys from the captures, and many more


Reaver is a free, open-source WPS cracking tool that exploits a design weakness in Wi-Fi Protected
Setup and can recover a WPS-enabled router's current WPA passphrase with relative ease. It comes
pre-installed in Kali Linux and can be built from source on other Linux distributions. Reaver performs
a brute-force attack against an access point's WPS PIN. Once the WPS PIN is found, the AP hands over
the WPA PSK.

Reaver-wps targets the external registrar functionality mandated by the WiFi Protected Setup
specification. Access points will provide authenticated registrars with their current wireless
configuration (including the WPA PSK), and also accept a new configuration from the registrar.

In order to authenticate as a registrar, the registrar must prove its knowledge of the AP's 8-digit
PIN. Registrars may authenticate themselves to an AP at any time without any user interaction. Because
the WPS protocol is conducted over EAP, the registrar need only be associated with the AP and does not
need any prior knowledge of the wireless encryption or

Reaver-wps performs a brute-force attack against the AP, trying PIN values until it finds the AP's
8-digit PIN. Since the PIN is purely numeric, there are 10^8 (100,000,000) raw values. The last digit,
however, is a checksum computed from the first seven digits, so only 10^7 (10,000,000) PINs are
well-formed and need to be tried. (00000000 is a well-formed PIN, since the checksum of seven zeros is
zero, and some APs really do use it, so nothing is excluded from the search.)

The key space shrinks much further because the WPS authentication exchange checks the PIN in two
halves, and the AP's reply reveals whether the first half was correct before the second half is ever
tested. That means 10^4 (10,000) possible values for the first four digits and, once those are known,
only 10^3 (1,000) possible values for the next three digits, with the eighth digit fixed by the
checksum.

Reaver-wps therefore brute forces the first half of the PIN and then the second half, meaning that the
entire key space can be exhausted in at most 10,000 + 1,000 = 11,000 attempts instead of 10,000,000.
The speed at which Reaver can test PINs is limited only by how fast the AP processes WPS requests:
some APs are fast enough that one PIN can be tested every second, while others allow only one PIN every
ten seconds. Statistically, the correct PIN is found after about half of the worst-case attempts.
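The arithmetic above is worth seeing executed. The script below is an added example written for this module, not Reaver's code: it implements the WPS PIN checksum (the same digit-weighting Reaver uses), a mock access point that answers a first-half guess before seeing the second half (a stand-in for the real EAP exchange, not an 802.11 peer), and the split brute force, so the 11,000-attempt worst case and the 12345670 test PIN fall out of the code. `MockAccessPoint`, `split_bruteforce` and `attempts_for` are names chosen for this example.

```python
def wps_checksum(first7):
    """Checksum digit for a 7-digit WPS PIN: odd digits from the right weigh 3, even digits 1."""
    accum, pin = 0, first7
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin8):
    """True when the 8th digit is the checksum of the first seven."""
    return len(pin8) == 8 and pin8.isdigit() and wps_checksum(int(pin8[:7])) == int(pin8[7])


class MockAccessPoint:
    """Stand-in for an AP's WPS registrar exchange (not a real 802.11/EAP peer).
    It answers a first-half guess before the second half is ever sent, which is
    exactly the information leak that makes the split attack possible."""

    def __init__(self, pin8):
        assert is_valid_pin(pin8), "an AP only ever holds a well-formed PIN"
        self.pin = pin8
        self.attempts = 0  # every round trip to the AP counts as one attempt

    def try_first_half(self, half4):
        self.attempts += 1
        return half4 == self.pin[:4]

    def try_second_half(self, half4):
        self.attempts += 1
        return half4 == self.pin[4:]


def split_bruteforce(ap):
    """Recover the PIN half by half; returns the 8-digit PIN or None."""
    first = next((f"{i:04d}" for i in range(10_000) if ap.try_first_half(f"{i:04d}")), None)
    if first is None:
        return None
    for j in range(1_000):
        tail = f"{j:03d}"
        # Only 1,000 second halves are well-formed: the 8th digit is forced by the checksum.
        second = tail + str(wps_checksum(int(first + tail)))
        if ap.try_second_half(second):
            return first + second
    return None


def attempts_for(pin8):
    """Run the split attack against a mock AP holding pin8; return (recovered, attempts)."""
    ap = MockAccessPoint(pin8)
    return split_bruteforce(ap), ap.attempts


def key_space():
    """Candidate counts: raw 8 digits, after the checksum, and with the split attack."""
    return {"raw": 10**8, "checksum": 10**7, "split_worst_case": 10**4 + 10**3}


if __name__ == "__main__":
    print(key_space())
    print(attempts_for("12345670"))   # 1234 found at attempt 1235, 567 at attempt 568
    print(attempts_for("99999995"))   # worst case: every half tried, 11,000 attempts
```

The mock AP never rate-limits, so the attempt counts are the protocol-level minimum; on real hardware the same counts are multiplied by whatever delay the AP imposes per WPS transaction, which is the "one PIN per second versus one per ten seconds" spread described above.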


Canvas is a commercial vulnerability exploitation tool from Dave Aitel's Immunity (ImmunitySec). It
includes more than 370 exploits and is less expensive than Core Impact or the commercial versions of
Metasploit. It comes with full source code, and occasionally even includes zero-day exploits.



