5.0 Tools

Question 1

FOCA

Answer 1

Fingerprinting Organizations with Collected Archives is a OSINT software that finds metadata and hidden information in documents from an organization

Question 2

theHarvester also dns

Answer 2

A OSINT is program for gathering subdomains, hosts, employee names, email addresses, PGP key entries, open ports, and service banners from servers * DNS recon

Question 3

Shodan

Answer 3

Website search engine for devices that are considered part of the Internet of things

*Accessed through https://www.shodan.io OR CLI: ~ $shodan stats –facets port:100 country:US

Question 4

Maltego

Answer 4

A OSINT commercial software used to visually help connect relationships and automate the querying of data and compare it with other sources.

Question 5

Recon-ng think cross platform/ framework

Answer 5

OSINT cross-platform web reconnaissance framework with a system of modules
*To run > # recon-ng

Question 6

Censys

Answer 6

A OSINT website search engine used for finding hosts and networks with data about their configuration.

Question 7

SET

Answer 7

Social Engineering Toolkit - collection of tools and scripts, to conduct social engineering

Question 8

BeEF think posture

Answer 8

Browser Exploitation Framework - used to assess the security posture of a target environment using cross-site attack vectors

Question 9

Nikto

Answer 9

A web vulnerability scanner used to assess custom web applications 
*perl nikto.pl -h <IP></IP>

Question 10

OpenVAS 


Answer 10

An Open-Source Vulnerability Scanner - with the ability to assign a risk rating for targeted assets.

Question 11

Nessus 


Answer 11

Used to conduct basic, advanced and compliance vulnerability scans (such as PCI DSS audit) to measure the effectiveness of the system’s security controls

Question 12

SQLmap

Answer 12

open-source web application database scanner that searches for SQL injection vulnerabilities

*syntax # sqlmap -u “http://<ip>/cat.php?<pram></pram></ip>

Question 13

Open SCAP

Answer 13

Security Content Automation Protocol - creates a predetermined security baseline (by NIST)

Question 14

Wapiti


Answer 14

A web application vulnerability scanner that searches for areas where it can inject data

Question 15

WPScan

Answer 15

WordPress site vulnerability scanner identifies plugins used by the website against a database of known vulnerabilities

Question 16

Brakeman think rubies

Answer 16

Static code analysis security tool, used to identify vulnerabilities in applications written in Ruby on Rails

Question 17

ScoutSuite think how ?

Answer 17

Used to audit instances and policies created on multi-cloud platforms by collecting data using API calls

Question 18

OWASP ZAP

Answer 18

Zed Attack Proxy - free open-source application scanner

Question 19

Tcpdump

Answer 19

CLI protocol analysis tool that conducts packet sniffing and decoding

Question 20

Hping

Answer 20

Open-source packet crafting tool used to exploit vulnerable firewalls and IDS/IPS * TCP,UDP,ICMP,RAW-IP

Question 21

Aircrack-ng

Answer 21

Open-source wireless exploitation tool kit. Consist of:

*Airomon-NG (monitor wireless frequencies to identify access points and clients) *Airodump-NG - (capture network traffic and save it to a PCAP file) *Aireplay-NG (deauthentication attack by sending spoofed deauth requests to the access point) *Airocrack-NG (conduct protocol and password cracking of wireless encryption)

Question 22

Kismet

Answer 22

An open-source tool that contains a wireless sniffer, a network detector, and IDS

Question 23

Wifite 


Answer 23

Wireless auditing tool that conducts a site survey to locate rogue and hidden access points

Question 24

EAPHammer

Answer 24

A Python-based toolkit that can steal EAP authentication credentials used in a WPA2-Enterprise network

Question 25

mdk4

Answer 25

Wireless vulnerability exploitation toolkit that can conduct 10 different types of 802.11 exploitation techniques

Question 26

Spooftooph 


Answer 26

Automates the spoofing or cloning of a Bluetooth device’s name, class, and address

Question 27

Reaver

Answer 27

A tool that conducts a brute-force attack against Wi-Fi Protected Setup (WPS) PIN

Question 28

WiGLE

Answer 28

Wireless Geographic Logging Engine - tool that maps and index known wireless AP (consists of a website and database)

Question 29

Fern think recovery

Answer 29

Tests wireless networks by conducting password recovery (through brute force , dictionary attacks, as well as session hijacking, replay, and on-path attacks)

Question 30

Hashcat


Answer 30

Modern password and hash cracking tool that supports parallel processing (GPU)

Question 31

Medusa

Answer 31

A parallel brute-force tool. Used against network logins to attack services that support remote authentication

Question 32

Hydra 


Answer 32

A parallel brute-force tool that attempts passwords from a dictionary that meets the minimum password requirements (supports pw-inspect module)

Question 33

CeWL 


Answer 33

Automatically crawls a website to collect words and metadata to generate word lists

Question 34

John the Ripper 


Answer 34

A password cracking tool that supports large sets of hashes and dictionary and brute-force attacks

Question 35

Cain

Answer 35

Cain and Abel
, a legacy password cracking and hash dumping

Question 36

Mimikatz 


Answer 36

A tool that gathers credentials by extracting key elements from the memory *use case: Pass-the-hash, Pass-the-ticket, Golden ticket

Question 37

Patator

Answer 37


A multi-purpose brute-force tool (methods: ftp, ssh, smb, vnc, and zip password cracking)

Question 38

DirBuster

Answer 38


A brute-force tool to identify unlisted directories and file names that may be accessed on a web application or server

Question 39

W3af

Answer 39

Web Application Attack and Audit Framework - used to identify and exploit vulnerabilities

Question 40

Burp Suite


Answer 40

Used for raw traffic interception and modification. Use case: automated testing, manual request modification, and passive web application analysis

Question 41

Gobuster


Answer 41

Used to identify unlisted resources in a web application

Question 42

CloudBrute

Answer 42

Used to find a target’s infrastructure, files, and apps across the top cloud service providers

Question 43

Pacu 


Answer 43

Exploitation framework used to assess the security configuration of an AWS account

Question 44

CloudCustodian 


Answer 44

Open-source cloud security, governance, and management tool to help admins create policies based on resource types

Question 45

Snow

Answer 45

CLI steganography tool that conceals a payload within the whitespace of an ASCII formatted text file

Question 46

Coagula 


Answer 46

An image synthesizer tool - used to create a sound file (.wav) from image

Question 47

Sonic Visualiser


Answer 47

Open-source application for viewing and analyzing the contents of music audio files

Question 48

TinEye


Answer 48

A website that can be used to conduct reverse image searches using image recognition

Question 49

Metagoofil

Answer 49

Python-based tool that can search for metadata from public documents located on a target’s website

Question 50

Online SSL Checkers


Answer 50

Web application used to test the validity, strength, and security of an SSL or TLS digital certificate

Question 51

OllyDbg


Answer 51

Linux debugger used to analyze binary code found in 32-bit Windows applications

Question 52

Immunity Debugger


Answer 52

Uses Python scripts and APIs to write exploits, analyze malware, and reverse engineer binary files (*Debugger built for penetration testers ).

Question 53

GDB

Answer 53

GNU Debugger is a open-source, cross-platform debugger

Question 54

WinDbg


Answer 54

Free debugging tool that is distributed by Microsoft for use in the Windows operating system

Question 55

IDA

Answer 55

Interactive Disassembler is a commercial disassembler and cross-platform debugging tool (generates assembly language source code from machine-executable code)

Question 56

Covenant


Answer 56

An open-source .NET framework focused on penetration testing that also has a development and debugging component

Question 57

SearchSploit


Answer 57

A tool used to find exploits available in the Exploit-DB *install: https://www.exploit-db.com/searchsploit *CLI: # searchsploit such as # searchsploit vsftp

Question 58

PowerSploit


Answer 58

A collection of PowerShell modules that create an exploitation framework

Question 59

Responder


Answer 59

A Kali Linux CLI tool used to poison NetBIOS, LLMNR, and MDNS name resolution requests

Question 60

Impacket Tools

Answer 60

An open-source collection of python classes for working with network protocols and the exploitation of Windows systems * Remote Execution, Kerberos, Windows Secrets, MiTM Attacks, WMI, SMB/MSRPC

Question 61

Empire 


Answer 61

A C2 framework for common post-exploitation tasks can uses PowerShell or Python depending on the system * common use: lateral movement, escalate privileges, capture data, extract passwords, install persistent backdoors

Question 62

Metasploit 


Answer 62

A multi-purpose (computer security /penetration testing) framework that uses modularized attacks to exploit systems

Question 63

mitm6

Answer 63

An IPv6 DNS hijacking tool - sets the malicious actor as the DNS server by replying to DHCPv6 messages and redirecting the victim to another malicious host

Question 64

CrackMapExec

Answer 64

A post-exploitation tool to identify vulnerabilities in Active Directory environments

Question 65

TruffleHog

Answer 65

A Git search tool that crawls through a repository looking for accidental commits