This is the next entry in the series, aimed at providing depth to parts of
my "Hacking For A Living" presentation.
Further to the packed slide I gave during my presentation, here are the
tools you should have a passing familiarity with. Note that these aren't the
offensive tools, but the other programs you should be familiar with. Do bear in
mind that my background is as an infrastructure tester; in my experience of web
application testing, a lot of the information on the target was within a single
application - Burp Suite.
Also, do look at the functionality and integration between up-to-date
versions of Nmap, Nessus, and Metasploit - being able to easily transfer data
between all three will let you do more testing in less time, making you
more valuable as an employee and more efficient as a tester.
The emphasis below is very much on Unix tooling; if you prefer to test from
a Windows system I'd still recommend installing Cygwin to give you access to
these, unless you're particularly adept at the Windows command prompt or
PowerShell.
System and network monitoring tools
These will help you understand what your own system is doing, any
bottlenecks or other issues that mean your system is slower than it should be,
or any local connectivity issues causing you problems:
htop, iotop, ip, lsof, netstat, ps
Interrogating remote services or networks
All of these programs are useful for determining that you're on the right
network, that you've got the right connection to your target systems, and so
on. Also some of them are useful in an elementary way for obtaining information
on whatever system or service it is you're attacking:
arp, arping, dig, host, hping2, netcat (in all its forms), nslookup, ping,
openssl, socat, tcptraceroute, telnet, tftp, tracepath, traceroute, wget
Terminal multiplexers
These programs allow you to easily manage multiple programs simultaneously,
or to keep a session up on a remote system that will survive a break in
connectivity:
screen, tmux
Recording your output
These programs are useful for recording your tool output, or network traffic
- so you can grab entries from their logs for your report, or demonstrate to a
customer what was or was not happening on your testing system at a particular
time:
script, snoop, tcpdump, tshark
Sorting, searching, and manipulating output
There's a lot here, and I should stress that you don't need to know them
extensively; you just need to know *of* them, and have an idea of how to start
using them when necessary:
awk, sed, head, tail, strings, grep, egrep, findstr, cut, sort, uniq,
sponge, tee, pee
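As an added example, not from the original post: a small pipeline over constructed scanner-style output, showing how grep, cut, sort, uniq, awk and tee combine to pull a summary out of a pile of tool text. The line format below ("host port/proto state service") and the function names are made up for this example; it is not real Nmap or Nessus output.

```shell
#!/bin/sh
# Added example (not from the original post): chaining the text tools above
# over CONSTRUCTED tool output. The format is invented for the example.

# Constructed sample: one finding per line, "host port/proto state service".
# The last line is a deliberate duplicate, as happens when you rerun a scan
# and append to the same log.
SAMPLE_OUTPUT='10.0.0.5 22/tcp open ssh
10.0.0.5 80/tcp open http
10.0.0.5 443/tcp closed https
10.0.0.7 22/tcp open ssh
10.0.0.7 3389/tcp open ms-wbt-server
10.0.0.7 445/tcp open microsoft-ds
10.0.0.9 22/tcp filtered ssh
10.0.0.5 22/tcp open ssh'

# Open ports per host: grep keeps only "open" lines, sort -u drops the
# duplicate finding, cut pulls the host column, sort | uniq -c counts each
# host, and awk reorders the result into "host count".
open_ports_per_host() {
    printf '%s\n' "$SAMPLE_OUTPUT" \
      | grep ' open ' \
      | sort -u \
      | cut -d' ' -f1 \
      | sort \
      | uniq -c \
      | awk '{ print $2, $1 }'
}

# Hosts with a given service open, as a single space-separated line.
# awk filters on two columns at once; tr and sed tidy the list up.
hosts_with_open_service() {
    printf '%s\n' "$SAMPLE_OUTPUT" \
      | awk -v svc="$1" '$3 == "open" && $4 == svc { print $1 }' \
      | sort -u \
      | tr '\n' ' ' \
      | sed 's/ $//'
}

# tee keeps a raw copy of what went through the pipe (for the report
# appendix) in the file named by $1 while grep -c counts open findings.
save_and_count_open() {
    printf '%s\n' "$SAMPLE_OUTPUT" | tee "$1" | grep -c ' open '
}

# Usage when run as a script: print the per-host summary.
open_ports_per_host
```

Run it with sh and you get one line per host with the number of distinct open ports; call hosts_with_open_service ssh for the hosts where SSH was actually open (the host where it was only "filtered" is left out).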
Recording your knowledge
You will learn a great deal as a penetration tester, and won't have access
to old machines, reports or notes when you change employer. For recording
what I learnt on a test, so I could easily reference it on a future test, I
always liked TiddlyWiki. Find something that suits you, but I'd strongly
recommend using something digital rather than a paper notebook - that way you
can back up your notes, or easily search through them for a specific entry.
Programming Languages
You can arguably get by as a penetration tester with just a little bash
shell scripting, but to really get on with automating your penetration testing
workflow, do look at advanced bash shell scripting or Python. If you're going
to be attacking Windows systems, a working knowledge of PowerShell is
increasingly required.
Others
A couple of commands it's worth familiarising yourself with, just so you can
ensure the output from your tools, or your notes, isn't accidentally
overwritten:
chmod, chattr
And also the text editor "vi", as you'll find it on any Unix system you have
access to.
One last thing: familiarise yourself with "man" pages. I always find man
pages useful reminders for how a tool or program works, but far less useful in
determining why or when I should use it.