Pentesting & OSINT tools (and tips for passing Pentest+)

by Maciej Makowski

Today’s post is on the crossroads between the realms of OSINT and penetration testing. It’s come to life as a result of my research and exploration of the pentesting methodologies, approaches, frameworks and tools.

Last year when discussing URL manipulation I briefly mentioned some techniques of web parameter tampering, which is not a strictly OSINT method, because it involves interaction with the target as opposed to passive open source research only.

Here are some tools that I have come across and tested (some more thoroughly, some less). If you have any interest in pentesting as a casual hobby (like I do), then you should enjoy this list.

PS. After the tools part, you’ll find my tips on passing the CompTIA Pentest+ certification.

Credentials harvesting / password cracking

NOTE: Data breach dumps research remains a huge area of interest for OSINT and an important source of intelligence (discussed here). Do remember however that there is a red line between collecting credentials and using them in an unauthorised manner to log into other people’s accounts. Dumped password and hash cracking is not illegal; but using those passwords and hashes to log in somewhere where you are not authorised to go – that can be against the law.

Cain & Abel – legacy password cracking tool. It also had an ability to record VoIP calls. No longer supported, so only an honourable mention here rather than a real recommendation.
CeWL (Custom Word List generator) – for creating word lists that can be used by password crackers listed here. Can also be used for creating usernames lists.
DirBuster – a brute-forcing tool for enumerating files and directories on a web server.
John the Ripper – password cracking tool, available in both free and premium versions.
Hashcat – password recovery / password cracking tool. Remember, to be effective with it, you will need to have a powerful GPU (or several of them, if using a password cracking rig).
Hydra – a login cracker that supports numerous protocols to attack.
Medusa – another login brute forcer.
Mimikatz – retrieves credentials from memory of Windows systems – plaintext Windows account logins and passwords.
Patator – multi-purpose brute forcer.

Debugging

GDB – debugger for Linux, supports multiple languages
Immunity Debugger – pentesting support tool, useful for reverse engineering of malware.
OllyDbg – Windows debugger, old software at this stage. The main page for the project states the development is currently frozen.
WinDbg – a Windows debugging tool, created by Microsoft.

OSINT & passive reconnaissance

NOTE: Some of the tools and functionalities listed here (like Shodan, Nslookup, Whois, etc.) can be used in a browser or directly from the command line. Remember that often the results of using them in the terminal can vary from their web counterparts!

Censys – a web-based tool that probes IP addresses and provides access to all this information through a search engine. Similar to Shodan, see below.
FOCA (Fingerprinting Organizations with Collected Archives) – used to find metadata within documents and common file formats.
Maltego – mainly a commercial product with some free features; used for visualisation of data gathered via OSINT. It can help with automation too.
Nslookup – used to identify the IP addresses associated with an organisation.
Recon-ng – a modular web reconnaissance framework for managing your OSINT work.
Whois – information from public records about domain ownership.
Wireshark – open source protocol analysis tool for packet sniffing & analysis; no interaction with the target is necessary, Wireshark simply inspects the bypassing wireless (or wired) network traffic.
theHarvester – good for finding email addresses, employee names, virtual hosts, infrastructure details and more about an organisation of interest.
TruffleHog – scans code repositories like Github for unintentionally disclosed information.
Shodan – specialised search engine for many things online, from vulnerable IoT devices to servers, hosts, webcams and more. I covered many Shodan queries in detail here.

Vulnerability scanning

Brakeman – static analysis tool used for code scanning of Ruby on Rails applications.
Nessus – commercial product; vulnerability scanning tool used to scan various devices and environments.
Nikto – vulnerability scanning tools for web servers.
Open SCAP (Security Content Automation Protocol) – a set of tools from NIST; designed to help manage compliance and create baselines of security standards.
OpenVAS – an open source vulnerability scanner. Easy to detect though if used to search broadly.
ScoutSuite – for auditing the security posture of cloud environments.
Sqlmap – used to automate SQL injection attacks against web applications containing databases.
Wapiti – web app scanner for detecting vulnerabilities; heavily focused on the API testing.
W3AF – open source web application vulnerability scanner.
WPScan – designed to scan WordPress sites.

Tips for passing CompTIA Pentest+

Having passed CySA+ last year, I found that knowledge and experience helpful. See my post on the CySA+ exam tips here – some of these tips apply to Pentest+ too in the same fashion.
Simulation questions (I got 4 of those, bigger and longer ones) bring more points than the regular ones. I left them until the end. They require more focus and thinking; it might feel frustrating or counterproductive to start off with them, only to get bogged down with something at the very beginning of your exam. I took the same approach with the CySA+ simulation questions too.
When doing practice tests, focus on understanding the answers and not just memorising them. Similar questions often get asked in a roundabout way.
Certain questions test your understanding of things like situational awareness during a penetration test, the constraints of ROE (rules of engagement), the SOW (statement of work) and so on; as well as general methodologies such as OWASP or MITRE. Make sure to cover those in a way that gives you a working knowledge, without having to blindly memorise a lot of the content from the Planning and Scoping part of the exam objectives.
Even a very general understanding of Windows and Linux command line (as well as some basic bash scripting methods) will go a long way.
Cover your SQL injection attacks, their types and their remediation methods. You will most certainly be presented with specific examples during the simulation questions.
Knowing Nmap flags is a must. The best way to practice with Nmap is hands on. As an additional help, I used the GUI version, Zenmap – you can easily build your scan commands there.
Sign up to Try Hack Me and try to complete their excellent Pentest+ learning path. It’s a great way to combine theory with practice. It’s over 50h long – if you can’t do it all, focus your hands on practice on wherever you feel like you have knowledge gaps.
For your prep, I would recommend the Sybex Pentest+ books, both the general study guide and the tests (they contain something like 1000 test questions).
Dion Training on Udemy is very good as always, and his set of 6 practice tests is a solid resource; there will be several hundred of questions in those, worth practicing on.

Hope this helps. If you have tips or suggestions that I did not cover, add them in the comments below.

Maciej Makowski - information security specialist with a strong background in criminal investigations and online safety. Spent nearly 13 years working as a police officer and cyber crime detective in An Garda Siochana, Ireland’s National Police and Security Service. Graduate of University College Dublin, also received professional qualification in data protection from the Law Society of Ireland. Experienced Axiom, Encase and FTK digital investigator, certified Cellebrite forensic mobile examiner. Author of osintme.com, a blog on open source intelligence and digital privacy.

The article was originally published at: https://www.osintme.com/index.php/2022/05/10/pentesting-osint-tools-and-tips-for-passing-pentest/

May 30, 2022