3 Must Have Tools For Penetration Testers

October 20, 2017

Welcome folks. In the previous posts, we have been talking about web application penetration testing in depth. But in this post, we will look at the 3 most useful tools which many bug bounty hunters and penetration testers use for their daily testing and bug hunting.

Why only 3 tools?

This post is entirely our own opinion, formed after talking to many professionals in this field. If you look at the Kali distribution itself, you will find a huge number of penetration testing tools. But it isn’t mandatory to use each and every one of them. If we started talking about all the tools, this would be a never-ending post, because there are hundreds of tools available and one person’s choices will differ from another’s. Still, there are a few tools that stand above the rest, the ones that penetration testers and bug hunters use generally and most of the time.

And the Hall of Fame goes to

  • SubBrute
  • Nmap
  • BURP SUITE

Let’s discuss them one by one.

SubBrute

You must have come across the term Scope in penetration testing and in bug bounty programs. Most of the time it will be a single target site like http://www.target.com. But nowadays, many companies are going with an all-domains penetration testing approach. What does that mean?

If you are new to penetration testing, have you ever come across a Scope such as *.target.com? Maybe yes, maybe no. So how do you find the whole scope in this case?
For targets like this, you will need a subdomain enumeration tool. That’s where a tool like SubBrute comes into play.

“SubBrute is a community-driven project with the goal of creating the fastest, and most accurate subdomain enumeration tool.” You can download SubBrute from this Github page. There are many ways to use SubBrute but the command which I use personally the most is:

./subbrute.py target.com

This is the most basic command. It will give out as many of the subdomains of target.com as it can find (never really all of them), for example:
sales.target.com
blog.target.com
users.target.com

In this way, you will get the list of hosts on which you are required to do the penetration test. Other tools are also available for subdomain enumeration, like Knockpy and Google Dorks. Feel free to use them too, and while testing, use all three to check which one works best for you.
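As an added illustration (this is not SubBrute’s own code), here is the core of what such a tool does: try each label from a wordlist against the domain and keep the names that resolve, plus a check for wildcard DNS, which otherwise makes every candidate look like a hit. The resolver is injectable, and the fake zones below are constructed so the example runs without network access; the default socket.gethostbyname does real lookups against a domain you are authorized to test.

```python
import socket
from typing import Callable, Dict, Iterable, Optional

Resolver = Callable[[str], str]  # takes a hostname, returns an IPv4 string
# Constructed sample wordlist; SubBrute ships a far larger names.txt.
WORDLIST = ["www", "mail", "blog", "sales", "users", "dev"]

def _lookup(name: str, resolve: Resolver) -> Optional[str]:
    """Resolve a name, returning None instead of raising on NXDOMAIN."""
    try:
        return resolve(name)
    except OSError:  # socket.gaierror and socket.herror are OSError subclasses
        return None

def wildcard_address(domain: str, resolve: Resolver) -> Optional[str]:
    """Address that a surely-nonexistent label resolves to, or None.
    A zone with a wildcard record answers for every label, so every word in
    the list would look like a hit unless answers with this address are dropped."""
    return _lookup("nonexistent-probe-3f9a1c." + domain, resolve)  # constructed label

def enumerate_subdomains(domain: str, wordlist: Iterable[str],
                         resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Try <label>.<domain> for each label; return {fqdn: address} for real hits."""
    wildcard = wildcard_address(domain, resolve)
    found: Dict[str, str] = {}
    for label in wordlist:
        fqdn = f"{label}.{domain}"
        addr = _lookup(fqdn, resolve)
        if addr is not None and addr != wildcard:
            found[fqdn] = addr
    return found

# Constructed fake zones so the example runs offline (no real DNS queries).
FAKE_ZONE = {"www.example.com": "198.51.100.10",
             "blog.example.com": "198.51.100.11",
             "sales.example.com": "198.51.100.12"}

def fake_resolve(name: str) -> str:
    if name in FAKE_ZONE:
        return FAKE_ZONE[name]
    raise socket.gaierror(-2, "Name or service not known")

def fake_wildcard_resolve(name: str) -> str:
    """Zone where *.wild.example -> 203.0.113.9 and only dev has its own record."""
    if name == "dev.wild.example":
        return "198.51.100.50"
    if name.endswith(".wild.example"):
        return "203.0.113.9"
    raise socket.gaierror(-2, "Name or service not known")
```

Running enumerate_subdomains("wild.example", WORDLIST, fake_wildcard_resolve) returns only dev.wild.example; without the wildcard check all six labels would be reported.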

NMAP

Nmap (Network Mapper) is a security scanner used to discover hosts and services on a computer network. It’s one of the most common tools used by penetration testers, as it gives out a lot of information about the target.

Aside from telling which ports are open and which are closed, Nmap also provides further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. This is very useful information for a penetration tester, who can then use it to find and exploit vulnerabilities in the exposed services.
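An added example, not from the post or from the Nmap project: Nmap can write its results as XML with -oX, and parsing that file is how a scan becomes an asset inventory. The snippet parses a constructed sample, keeps only the ports Nmap reported as open, and flags any open port that is not on a per-host allow-list, which is the defender’s use of the very same scan.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

# Constructed sample of the XML that nmap writes with -oX; not real scan output.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <hostnames><hostname name="www.example.com" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="8080"><state state="filtered"/><service name="http-proxy"/></port>
    </ports>
  </host>
</nmaprun>
"""

Port = Tuple[int, str, str]  # (port number, protocol, service name)

def open_ports(xml_text: str) -> Dict[str, List[Port]]:
    """Map each scanned IPv4 host to the ports Nmap reported as open."""
    result: Dict[str, List[Port]] = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports: List[Port] = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports.append((int(port.get("portid")), port.get("protocol"), name))
        result[addr_el.get("addr")] = ports
    return result

def unexpected_exposure(found: Dict[str, List[Port]],
                        allowed: Dict[str, Set[Tuple[int, str]]]) -> List[Tuple[str, Port]]:
    """Open ports that are not on the per-host allow-list: the first thing to
    review when scanning hosts you are responsible for."""
    return [(host, p) for host, ports in found.items()
            for p in ports if (p[0], p[1]) not in allowed.get(host, set())]
```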

Also, take a look at the Nmap Scripting Engine (NSE). It is one of Nmap’s most powerful features: both vulnerability detection and exploitation are important capabilities of the scripting engine. Learn more about it here.

Nmap is such a big topic that it needs a post of its own, and I have already written one. Check out this post if you want to learn the different Nmap scan types.

Moreover, there is no better place than the official documentation for in-depth learning. When you are done with the references above, remember to check out the official page to get a solid understanding of how to use Nmap.

Burp Suite

Here comes the best one. If you ask most bug bounty hunters about their favorite tool for bug hunting, almost 90% of them will say Burp Suite. Burp Suite is considered to be the best tool (not official data, but we believe it’s true) for web application penetration testing.
Burp Suite comes in two editions: Free and Professional. If you are new to Burp Suite, download the Free edition and play around with it. It has many useful features, like the Proxy, Spider, Repeater, and Intruder. Features like active and passive scanning of the target come with the Professional edition. Go with the Professional edition only once you have practiced on the free one, because it’s quite expensive, though useful at the same time.

For Burp Suite to work, you will have to change the proxy settings in your favorite browser (Firefox is recommended). You can do that with an add-on like FoxyProxy; get it from here. Just set the proxy host to 127.0.0.1 and the port to 8080 and you will be good to go. You can also do it manually by changing the proxy in the Network Proxy Settings in Firefox preferences. Take a look at this page for instructions on how to do that.

Here is a screenshot of Burp Suite when you first open it:

This is what you will get with a fresh installation of Burp Suite. Burp Suite is available for all the major operating systems and comes pre-installed in Kali Linux.

Don’t get overwhelmed by all the information here.
The main things you have to do now are:

  • Download and install Burp Suite.
  • Set up Burp Suite by changing the browser proxy, and check that the proxy also works for https:// sites (import Burp’s CA certificate into the browser).
  • Then learn the 4 most used features in Burp Suite: Proxy, Spider, Intruder, and Repeater.

This tool is highly recommended if you are thinking of a career in bug hunting or penetration testing. There are a whole lot of tutorials and videos available on the internet that can give you a head start.
Meanwhile, the official documentation is also a great place to start learning Burp Suite. Check the documentation here.

If you are wondering why we are focusing so much on this one tool, first learn and use it, and you will see it can do miracles for you.

Learn Burp Suite: Swiss Army Knife for penetration testers and bug bounty hunters here

Final points

There will always be alternatives. As we said before, you can use Knockpy in place of SubBrute. Similarly, you can opt for OWASP ZAP in place of Burp Suite for intercepting requests and responses and doing other things like vulnerability scanning. The only thing that matters is which one is easiest for you to use and how well it performs the task at hand. So check out all of them and then refine your arsenal of tools.

We may have left out many people’s favorite tools. We wanted this post to tell you about the general tools that are needed most of the time. There are other tools like SqlMap, WebSlayer, and Wfuzz which are very helpful in penetration testing. Bugcrowd has an excellent thread listing the different tools used by bug bounty hunters, with references. Have a look at the thread here.

Meanwhile, if you think another tool would fit better here, do write in the comment section. We are open to suggestions and will keep updating this post over time. In case of any problems with installation, or anything you can’t understand, don’t be shy to comment, because we will always be there to help.

Till then, keep learning and start hacking now. :)