Researcher Resources - Tools

This is a list of tools that can be helpful to researchers for various things they will need to do. Please let us know if you have any suggestions for resources that we should add to this post!

Tools

Web Application:

• Burp Suite - An integrated platform for performing security testing of web applications

• Sqlmap - An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. How-to Tutorial

• SQLNinja - Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. How-to Tutorial

• Hackbar- This Firefox toolbar will help you in testing sql injections, XSS holes and site security. How-to Tutorial

• Knock - Enumerates subdomains on a target domain through a wordlist. How-to Tutorial

• The Zed Attack Proxy (ZAP) By OWASP

• Ratproxy By Google - How-to Tutorial

• OWASP SKANDA – SSRF Exploitation Framework

• man ascii - on most unices gives you the ASCII table with decimal, octal and hex codes for each character (thanks @justinsteven)

• DNS Discovery - A multithreaded subdomain bruteforcer. (thanks @Nahamsec)

• IronWASP - free & open source security scanner (thanks @cmaruti)

• WebSlayer - “One of the best free tools available” - (thanks @mazen160 )

• Wfuzz - (Thanks @mazen160)

• SubBrute - subdomain bruteforcer (Thanks @geekspeed)

• The SecList Project - collection of multiple lists using during security assessments (Thanks @geekspeed)

• NCrack & Hydra/Medusa - password bruteforcing (Thanks @jhaddix)

• XXE Recursive Download - This tool exploits XXE to retrieve files from a target server. It obtains directory listings and recursively downloads file contents (Thanks @Nahamsec)

• SQLiPY - SQLiPy is a Python plugin for Burp Suite that integrates SQLMap using the SQLMap API. Guide for this tool. (Thanks @jhaddix)

• Scans.io - use the latest scans.io data to find additional hosts that may be in scope for those *.target.com targets (Thanks @jstnkndy)

• httpscreenshot - Fantastic tool built by @jstnkndy and breenmachine. Quickly visually identify targets on internal or external targets. (thanks @jstnkndy)

Mobile:

• Dex2jar - Useful to convert dex files into jar to decompile the application. How-to tutorial

• Appium - Appium is an open-source tool for automating native, mobile web, and hybrid applications on iOS and Android platforms. How-to Tutorial

• iNalyzer - iOS Penetration testing framework

• Apktool - reverse engineering Android apk files (Thanks @planetzuda)

• NinjaDroid - Ninja Reverse Engineering on Android APK packages (Thanks @geekspeed)

Other:

• MITMproxy - How-to tutorial
• Mona.py - for Windows Exploiting (thanks @TheColonial)
• metasm_shell.rb & nasm_shell.rb - Both found in the tools folder in Metasploit (Thanks @TheColonial)
• GoBuster - dirbusting software for directory bruteforcing (Thanks @TheColonial)
• R Project for Statistical Computing - statistical computing and graphics, runs on UNIX, Win and MacOS. Check out the dds.ec package (Thanks @hrbrmstr)
• Apache Spark - large-scale data processing for statistical analysis and better visuals, for bigger data sets that R can’t handle (Thanks @hrbrmstr)
• PhantomJS - headless WebKit scriptable with the javascript API (Thanks @hrbrmstr)
• Hackvertor
• JSBeautifier

man ascii on most unices gives you the ASCII table with decimal, octal and hex codes for each character.

It changed my life when Joe McCray (IIRC) dropped that in a talk.

I haven’t heard about OWASP SKANDA before, I will be trying it. Thanks

my best partner in testing is live http header and knock. this time i want to try OWASP SKANDA

This will help a lot …

You can also add the ironwasp suite to the tools list under the web application category.

Any suggestions on a really good brute-force tool for passwords? We’ve been looking and while burpsuite intruder seems good, but are their better ones? We never have an interest in brute-force, but it has come up as a requirement in a pen-test.

WebSlayer is one of the best free tools available, and Wfuzz for command-line tests.

+1 for man ascii, that thing basically lives on a subsection of my desktop the whole time.

For the exploit devs out there metasm_shell.rb (a sister of nasm_shell.rb) is a real help. You can find them both in the tools folder in Metasploit.

mona.py should be in every Windows exploiter’s toolkit.

Shout out to gobuster as a replacement for other dirbusting software. Early days of its life, but suits me down to the ground for the directory bruteforcing I need to do.

subbrute (https://github.com/TheRook/subbrute) a bit faster than Knock and fierce.pl, and the included list is sorted by frequency of use vs just a dump of names … The SecList project ( https://github.com/danielmiessler/SecLists ) … recon-ng is awesome for osint… netcat…

Hey all!

I’ll be posting tips an tricks from my bug hunting methodology here on the forums over the next few weeks =)

Subdomains and Finding fresh in-scope Targets:

For the subdomain tools, its not really the script I care about, more the list. I usually cat > unique all of the major ones (fierce, subbrute,subdomainer, knock, etc, etc) into a list and use a tool that can take custom lists. Dont miss out on recon-ng either, using its Baidu, Google, Netcraft, and Shodan search modules to find subdomains. I wrote a wrapper script for this here:

http://www.securityaegis.com/recon-ng-creating-a-dynamic-resource-script-for-subdomain-discovery/

Another Tip, don’t forget port scanning on your targets. I see web hunters get to caught up in the application and forget some of these subdomains are redirects to entirely different boxes, and then miss very cool network level vulns. Keep your eye and ear to the Metasplolit community and what modules are new and exciting there, especially ones pertaining to internet facing services.

Keep checking back at targets who do not have a mobile version of the site, and when they add one (and if it is covered in the scope) test it thoroughly. In my experience mobile sites designed around phone viewing are rife with XSS, CSRF, etc, etc. A lot of the time they even lack security controls that the main site might use in favor of speed.

Now, for bug hunting in general, not just Bugcrowd or 3rd party hosted bounties, you want to watch Twitter and Wikipedia for acquisitions. Every acquisition brings in a plethora of new targets that could be covered under the bounty program. Make sure to check the bounty program though, some have a restriction to how soon these sites can be tested.

For bruteforcing web fields Burp will prob be your best best, combined with a good pass list.

For net level stuff, ncrack and hydra/medusa password bruting tools still remain the best imo. They support a variety of protocols with decent speed.

Thanks everyone! Just updated the OP with all of your suggestions

I actually run/co-created the seclists project. If anyone has any feedback or contributions we would welcome them!

@jhaddix awesome wrapper…I’ve written a few too…recon is a fun tool…

Hey @SamHouston, can you add apktool? http://ibotpeaches.github.io/Apktool/

@planetzuda Done!

@SamHouston you can throw up NinjaDroid https://github.com/rovellipaolo/NinjaDroid it takes all the fun of Apktool, Dex2jar and a few other tools and rolls them up into a nice python script and runs strings over everyting in the end…Fun way to start with a mobile app before you even install it…

@geekspeed - Updated. Thanks!!!

Pretty rad tool:
From its readme:
This tool exploits XXE to retrieve files from a target server. It obtains directory listings and recursively downloads file contents.