Pamusoro 10 Penetration Testing Tools

Shandisa GoPhish Phishing Platform paUbuntu 18.04 muAWS

1. Kali Linux

Kali haisi chishandiso pase. Iyo yakavhurika-sosi kugovera yeLinux inoshanda sisitimu yakavakirwa ruzivo mabasa ekuchengetedza akadai sekutsvagisa kuchengetedza, reverse engineering, komputa forensics, uye, iwe wakazvifungidzira, kuyedza kupinda.

Kali ine akati wandei ekupinda maturusi ekuyedza, mamwe acho aunoona pane ino runyorwa paunenge uchiverenga. Zvishandiso izvi zvinogona kuita zvinenge zvese zvaunoda kana zvasvika pakuyedza-peni. Unoda kuita SQL jekiseni kurwisa, kuendesa mubhadharo, kupaza password? Pane maturusi ezvo.

Yaimbozivikanwa seBacktrack pamberi pezita rayo razvino, Kali. Parizvino inochengetwa neOffensive Security inoburitsa zvigadziriso kuOS kamwe nechinguva kuwedzera maturusi matsva, kugadzirisa kuenderana, uye kutsigira zvimwe hardware.

Chimwe chinhu chinoshamisa pamusoro peKali ndeye wIde huwandu hwemapuratifomu ayo inomhanya pairi. Unogona kumhanya Kali paMafoni midziyo, Docker, ARM, Amazon Web Services, Windows Subsystem yeLinux, Virtual Machine, uye isina simbi.

Chiitiko chakajairika chevanoedza peni ndechekuisa raspberry pis neKali nekuda kwehukuru hwavo hudiki. Izvi zvinoita kuti zvive nyore kuibatanidza munetiweki panzvimbo yenzvimbo yechinangwa. Nekudaro, vazhinji vanoedza peni vanoshandisa Kali paVM kana bootable chigunwe drive.

Ziva kuti Kali's default chengetedzo haina simba, saka unofanirwa kuisimbisa usati waita kana kuchengeta chero chakavanzika pairi.

2. Metasploit

Kupfuura chengetedzo yegadziriro yaunonangwa hakusi kupihwa nguva dzose. Peni testers vanovimba nekusagadzikana mukati meinotarirwa sisitimu yekushandisa uye kuwana mukana kana kutonga. Sezvaunogona kufungidzira, zviuru zvekusagadzikana zvakawanikwa pamapuratifomu mazhinji mumakore apfuura. Hazvigoneke kuziva zvese izvi zvisizvo uye mabasa azvo, sezvo akawanda.

Apa ndipo panouya Metasploit. Metasploit is an open-source security framework yakagadzirwa neRapid 7. Inoshandiswa kuongorora macomputer masystem, network, uye maseva kune zinyekenyeke kuti azvishandise kana kuzvinyora.

Metasploit ine zvinopfuura zviuru zviviri zvekushandisa munzvimbo dzakasiyana siyana dzemapuratifomu, senge Android, Cisco, Firefox, Java, JavaScript, Linux, NetWare, nodejs, macOS, PHP, Python, R, Ruby, Solaris, Unix, uye hongu, Windows.

Kunze kwekutarisa kusasimba, mapentester anoshandisawo Metasploit yekusimudzira kusimudzira, kuendesa mubhadharo, kuunganidza ruzivo, uye kuchengetedza kuwana pane yakakanganisika system.

Metasploit inotsigira mamwe maWindows neLinux anoshanda masisitimu uye ndeimwe yeasati aiswa maapplication paKali.

3. Wireshark

Vasati vaedza kunzvenga chengetedzo yehurongwa, mapentesters anoedza kuunganidza ruzivo rwakawanda sezvavanogona nezve chinangwa chavo. Kuita izvi kunovabvumira kuti vasarudze nzira yakakwana yekuyedza sisitimu. Imwe yemidziyo inoshandiswa nepentester panguva iyi ndeye Wireshark.

Wireshark ndeye network protocol analyzer inoshandiswa kuita pfungwa yetraffic inopfuura nepanetiweki. Netiweki nyanzvi dzinowanzoishandisa kugadzirisa TCP/IP nyaya dzekubatanidza senge latency nyaya, akadonhedza mapaketi, uye kuita kwakashata.

Nekudaro, mapentesters anoishandisa kuongorora network yekusagadzikana. Kunze kwekudzidza mashandisiro echishandiso pachacho, iwe unofanirwawo kujairana nedzimwe pfungwa dzetiweki dzakadai seTCP/IP stack, kuverenga nekuturikira misoro yepakiti, kunzwisisa mafambiro, kutumira chiteshi, uye DHCP basa kuti uishandise zvine hungwaru.

Zvimwe zvezvimiro zvayo zvakakosha ndezvi:

Inogona kuongorora mavhoriyamu makuru e data.
Tsigiro yekuongorora uye decryption yemazana emaprotocol.
Real-time uye offline ongororo yemanetiweki.
Kubata nesimba uye kuratidza mafirita.

Wireshark inowanikwa paWindows, macOS, Linux, Solaris, FreeBSD, NetBSD, uye mamwe akawanda mapuratifomu.

4. Nmap

MaPentesters anoshandisa Nmap kuunganidza ruzivo uye kuona kusagadzikana pane network. Nmap, ipfupi kunetiweki mepu, ichiteshi chengarava chinoshandiswa kuwana network. Nmap yakavakwa kuti itarise mahombe network nemazana ezviuru zvemichina, nekukurumidza.

Ma scans akadai anowanzo buritsa ruzivo senge mhando dzevatambi panetiweki, masevhisi (zita rekunyorera uye vhezheni) yavanopa, zita uye shanduro yeOS iyo mauto ari kushanda, packet mafirita uye firewall ari kushandiswa, uye zvimwe zvakawanda hunhu.

Kuburikidza neNmap scans uko mapentesters anowana mabhii anoshandisika. Nmap zvakare inoita kuti iwe utarise host uye sevhisi uptime pane network.

Nmap inomhanya pane makuru anoshanda masisitimu akadai seLinux, Microsoft Windows, Mac OS X, FreeBSD, OpenBSD, uye Solaris. Iyo inouyawo pre-yakamisikidzwa paKali senge maturusi ekupinda ekupinda pamusoro.

5. Aircrack-ng

Manetiweki eWiFi angangove mamwe ekutanga masisitimu awakashuvira kuti ugone kubira. Mushure mezvose, ndiani asingade "yemahara" WiFi? Semupentester, iwe unofanirwa kuve uine chishandiso chekuyedza chengetedzo yeWiFi mumudziyo wako wekushandisa. Uye ndeipi chishandiso chiri nani chekushandisa kupfuura Aircrack-ng?

Aircrack-ng ndeye yakavhurika-sosi chishandiso pentesters anoshandisa kubata neasina waya network. Iyo ine sutu yezvishandiso zvinoshandiswa kuongorora isina waya network yekusagadzikana.

Maturusi ese eAircrack-ng maturusi ekuraira-mutsetse. Izvi zvinoita kuti zvive nyore kune pentesters kugadzira zvinyorwa zvetsika zvekushandisa kwepamusoro. Zvimwe zvezvimiro zvayo zvakakosha ndezvi:

Monitoring network packets.
Kurwisa kuburikidza nejekiseni repakiti.
Kuedza WiFi uye mutyairi kugona.
Kupwanya WiFi network neWEP uye WPA PSK (WPA 1 uye 2) encryption protocol.
Inogona kutora uye kutumira kunze data mapaketi kuti awedzere kuongororwa nevechitatu-bato maturusi.

Aircrack-ng inoshanda zvakanyanya paLinux (inouya neKali) asi inowanikwawo paWindows, macOS, FreeBSD, OpenBSD, NetBSD, Solaris, uye eComStation 2.

6. SQLmap

Iyo isina kuchengetedzeka dhatabhesi manejimendi system ndeye kurwisa vector pentesters inowanzo shandisa kupinda muhurongwa. Databases zvikamu zvakakosha zvemazuva ano maapplication, zvinoreva kuti ari kwese kwese. Zvinoreva zvakare kuti mapentester anogona kupinda mune akawanda masisitimu kuburikidza nekusachengeteka maDBMS.

Sqlmap ndeye SQL jekiseni chishandiso chinogadzirisa kuona uye kushandiswa kweSQL jekiseni kukanganisa kuitira kutora dhatabhesi. Pamberi peSqlmap, mapentesters akamhanyisa SQL jekiseni kurwisa pamaoko. Izvi zvaireva kuti kuita hunyanzvi hwaida ruzivo rwekare.

Ikozvino, kunyangwe vanotanga vanogona kushandisa chero yeaya matanhatu eSQL jekiseni matekiniki anotsigirwa neSqlmap (boolean-based bofu, nguva-yakavakirwa bofu, kukanganisa-yakavakirwa, UNION mubvunzo-yakavakirwa, akaturikidzana mibvunzo, uye kunze-kwe-bhendi) kuyedza kupinda mukati. database.

Sqlmap inogona kuita kurwisa kwakasiyana siyana kweDBMS dzakadai seMySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, uye SQLite. Shanyira webhusaiti kuti uwane runyorwa ruzere.

Zvimwe zvezvimiro zvayo zvepamusoro zvinosanganisira:

Kuita mirairo pane OS yemuchina wakanangwa, kuburikidza nekunze-kwe-bhendi yekubatanidza.
Kuwana iyo yepasi faira system yemuchina wakanangwa.
Inogona kuona otomatiki password hash mafomati, uye kuapwanya uchishandisa kurwisa kweduramazwi.
Inogona kumisikidza chinongedzo pakati pemushini wekurwisa uye neiyo OS yedatabase server, ichiibvumira kuvhura terminal, Meterpreter sesheni, kana GUI chikamu kuburikidza neVNC.
Tsigiro yekukwira kwemushandisi ropafadzo kuburikidza neMetasploit's Meterpreter.

Sqlmap inovakwa nePython, zvinoreva kuti inogona kumhanya pane chero chikuva chine muturikiri wePython akaiswa.

7. Hydra

Zvinoshamisa kuti mapassword evanhu vazhinji haana simba sei. Kuongororwa kweanonyanya kufarirwa mapassword anoshandiswa nevashandisi veLinkedIn muna 2012 kwakaratidza izvozvo vanopfuura 700,000 vashandisi vaive ne'123456' semapassword avo!

Zvishandiso zvakaita seHydra zvinoita kuti zvive nyore kuona mapassword asina simba pamapuratifomu epamhepo nekuyedza kuapwanya. Hydra is a parallelized network login password cracker (zvakanaka, iyo muromo) inoshandiswa kupaza mapassword online.

Hydra inowanzo shandiswa neyechitatu-bato remazwi majenareta akadai seCrunch uye Cupp, sezvo isingaburitse mazwi ega. Kuti ushandise Hydra, chaunofanirwa kuita kudoma chinangwa chaungave uchiyedza chinyoreso, pfuura mune yemazwi, uye mhanya.

Hydra inotsigira rondedzero refu yemapuratifomu uye network protocol seCisco auth, Cisco inogonesa, FTP, HTTP(S)-(FORM-GET, FORM-POST, GET, HEAD), HTTP-Proxy, MS-SQL, MySQL, Oracle. Mutereri, Oracle SID, POP3, PostgreSQL, SMTP, SOCKS5, SSH (v1 uye v2), Subversion, Telnet, VMware-Auth, VNC, uye XMPP.

Kunyangwe Hydra inouya isati yaiswa paKali, "yakaedzwa kuti iunganidze zvakachena paLinux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) uye MacOS", maererano nevagadziri vayo.

8. Johane Mupambi

Weird zita parutivi, John The Ripper inokurumidza, yakavhurika-sosi, isina pasiwedhi password cracker. Iyo ine akati wandei password crackers uye zvakare inoita kuti iwe ugadzire tsika cracker.

John Iyo Ripper inotsigira akawanda password hashi uye cipher marudzi achiita kuti ive chishandiso chinogoneka. Iyo password cracker inotsigira CPUs, GPUs, pamwe neFPGAs neOpenwall, ivo vanogadzira password cracker.

Kuti ushandise iyo John The Ripper iwe unosarudza kubva kune ina dzakasiyana modes: mazwi ezita modhi, imwe chete crack mode, incremental mode, uye ekunze modhi. Imwe neimwe modhi ine nzira dzekupwanya mapassword anoita kuti ive yakakodzera kune mamwe mamiriro. John Iyo Ripper kurwiswa kunonyanya kuburikidza nechisimba uye kurwisa kweduramazwi.

Kunyangwe John The Ripper ari akavhurika sosi, hapana yepamutemo yekuzvarwa kuvaka inowanikwa (yemahara). Iwe unogona kuwana izvo nekunyorera iyo Pro vhezheni, iyo inosanganisirawo zvimwe zvinhu zvakaita serutsigiro rwemamwe marudzi ehashi.

John The Ripper inowanikwa pane gumi neshanu masisitimu anoshanda (panguva yekunyora izvi) kusanganisira macOS, Linux, Windows, uye kunyange Android.

9. Burp Suite

Parizvino, takurukura nezvekuyedza network, dhatabhesi, WiFi, uye masisitimu anoshanda, asi zvakadini newebhu maapplication? Kusimuka kweSaaS kwakatungamira kune akawanda ewebhu maapplication ari kubuda pamusoro pemakore.

Chengetedzo yeaya maapuro kwakakosha, kana isingapfuure mamwe mapuratifomu atakaongorora, tichifunga nezvemakambani mazhinji ave kuvaka mawebhusaiti pane desktop desktop.

Kana zvasvika kune maturusi ekuyedza kupinda ewebhu maapplication, Burp Suite ndiyo yakanakisa kunze uko. Burp Suite haina kufanana nechero yezvishandiso pane iyi runyorwa, ine yakapfava mushandisi interface uye inorema mitengo.

Burp Suite iwebhu vulnerability scanner yakavakwa nePortswigger Web Chengetedzo kuchengetedza maapplication ewebhu nekubvisa zvikanganiso uye kusagadzikana. Kunyangwe iine yemahara nharaunda edition, inoshaya hombe chunk yeayo akakosha maficha.

Burp Suite ine Pro vhezheni uye bhizinesi vhezheni. Zvimiro zvehunyanzvi vhezheni zvinogona kuiswa muzvikamu zvitatu; Manual yekupinda yekuyedza maficha, yepamusoro / tsika otomatiki kurwiswa, uye otomatiki vulnerability scanning.

Iyo bhizinesi vhezheni inosanganisira ese ePro maficha uye zvimwe zvinhu zvakaita seCI kubatanidzwa, scan kuronga, bhizinesi-yakakura scalability. Inodhura yakawanda yakawanda pamwe nemadhora mazana matanhatu nemakumi mapfumbamwe nemashanu, nepo Pro vhezheni inongodhura madhora mazana matatu nemakumi mapfumbamwe nemashanu.

Burp Suite inowanikwa paWindows, Linux, uye macOS.

10. MobSF

Vanopfuura 80% yevanhu vari munyika nhasi vane smartphones, saka inzira yakavimbika ye cybercrosec kurwisa vanhu. Imwe yeanowanzo kurwisa mavekita avanoshandisa maapplication ane hurema.

MobSF kana Mobile Security Framework ndeye, zvakanaka, nharembozha yekuongorora dhizaini yakavakirwa kuti iite otomatiki kuongororwa kwemalware, peni-yekuyedza, uye static & dynamic ongororo yenharembozha.

MobSF inogona kushandiswa kuongorora Android, iOS, uye Windows(mobile) mafaera eapp. Kana mafaera eapp achinge aongororwa, MobSF inogadzirira mushumo unopfupikisa mashandiro eapp, pamwe nekudonongodza zvingangoitika zvinogona kubvumira kuwana kusingatenderwe ruzivo parunhare mbozha.

MobSF inoita mhando mbiri dzekuongorora panharembozha: static (reverse engineering) uye ine simba. Panguva yekuongorora kwakamira, nharembozha inotanga kuparara. Mafaira ayo anobva atorwa oongororwa kuti angangove nekusagadzikana.

Kuongorora kwesimba kunoitwa nekumhanyisa app pane emulator kana mudziyo chaiwo wobva waitarisa kuti iwane ruzivo rwekuwana data, zvikumbiro zvisina kuchengeteka, uye hardcoded data. MobSF inosanganisirawo Webhu API fuzzer inofambiswa neCappFuzz.

MobSF inomhanya paUbuntu/Debian-based Linux, macOS, uye Windows. Iyo zvakare ine pre-yakavakwa Docker mufananidzo.

Mukupedzisa…

Dai wanga watove neKali Linux yakaiswa pamberi ikozvino, ungadai wakaona akawanda ezvishandiso pane iyi runyorwa. Zvimwe zvacho unogona kuzviisa wega). Kana wapedza kuisa maturusi aunoda, chinhanho chinotevera kudzidza mashandisirwo acho. Zvizhinji zvezvishandiso zviri nyore kushandisa, uye usati wazviziva, unenge uri munzira yekuvandudza kuchengetedzeka kwevatengi vako nehunyanzvi seti.

Shandisa ShadowSocks Proxy Server paUbuntu 20.04 muAWS