Aircrack WLAN cracker
Aircrack is a password cracking program for use with both WEP and WPA networks. It needs a large enough database of packets from the target network for password cracking to begin. The four modules of this suite include airodump, a wireless packet capture utility; aireply, which performs packet injection for security testing; aircrack, which does password cracking using brute force and cryptographic methods; and airdecap, which decrypts WEP and WPA packet streams once the passwords are cracked.
Two new tools have been added to the suite recently that allow for encrypted packet creation and virtual tunnels. Aircrack may also be installed in a virtual machine.
Aircrack supports a wide range of wireless cards, though a new driver or patch may be required for your card. Combining both a Windows GUI and command line interfaces, Aircrack is nevertheless easy to navigate.
Aircrack is another tool that requires some time to master, but given the reliance of wireless networks in today's enterprise may prove invaluable to your team.
Cain and Abel password cracker
Cain and Abel is the top-ranked, Windows-specific password cracking tool for security testers. I think of this tool as my password cracker for a wide range of systems. After I’ve discovered a server via Nessus and broken in via Metasploit or Netcat, I’ll use Cain and Abel to break down the passwords to the operating system and applications.
Cain and Abel is well documented and supported by the community. It has a clean interface and provides for the cracking of a wide range of password types including Cisco, VNC, remote desktops, and many many more. It can do its cracking on the local machine or sniff passwords off the network via specific capture filters. Cain and Abel supports standard dictionary and brute force attacks as well as cryptanalysis attacks. It continues to evolve with the addition of VOIP and wireless password crackers. This tool has proved invaluable to my team for everything from a forgotten workstation password to forensic analysis.
Wikto Web server scanner
After finding a Web server using Nessus, you’ll want to run a Web server assessment tool against the system to find more specific security holes. A professional hammer for Web servers, Wikto is similar to the better-known Nikto Web server assessment tool. Both are well supported by the open source community with Wikto adding some extra functionality. For example, Wikto always starts with a Web scanning wizard (see screen image).
Wikto taps a vulnerability database specific to Web servers and associated elements (including Java apps, databases, forms, and images), and also makes full use of the Google Hacking Database. The Wikto spider crawls the target Web site and maps its directory structure, while the vulnerability scanner reviews possible security weaknesses. For vulnerability assessment, Wikto uses the Nikto vulnerability database. The one minor weakness is the use of the CSV format for exporting reports. CSV was never known as an easy way to view report data, though it gets the job done.
Metasploit exploit framework
Released in 2004, Metasploit is another must-have in your toolbox. Essentially a framework for building security tools and the exploits to launch with those tools, Metasploit is the easiest way to verify that a vulnerability identified by Nessus or Wikto is truly a security hole. Metasploit contains a module launcher to customize both the exploit and payload intended for a particular target. If the penetration is successful the tester is provided a shell to interact with the payload on the target system. There are around 350 different modules to choose from covering a wide range of hosts and operating systems. If the Metasploit repository doesn’t already have a canned exploit for the vulnerability in question, you can create one.
The true power of the framework is the ease of creation of new modules. Modules may be exploits, payloads, encoders, and no-ops. You can define an entirely new module or create variations of preexisting modules. Click for larger view. Documentation and forum support is broad, detailed, and comprehensive. Be prepared to spend some time learning the framework, but it will be time well spent.
A plan of action
Penetration testing is an invaluable process in assessing business risk via IT infrastructure. To make the process cohesive and efficient, however, you must put it in an organized system. I highly recommend using the OSSTMM framework to organize your testing and help you interpret the results. The OSSTMM covers several operational areas and provides templates and valuation of risk for each one.
Once the testing framework is in place you will need a wide range of tools for your toolbox. Vulnerability scanners, protocol analyzers, and wireless tools are but a few of the areas to consider. I have learned to trust the list at Sectools.org to provide most of the tools in my toolbox. Lastly, don't forget about researching the target before the test. Using search engines, you can develop important insight into a target with fairly little effort. The information gained here may save you countless hours testing operating systems and applications that don't exist in the target area.