SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

The Pen Tester’s Toolkit for 2024: Schellman’s Arsenal

Penetration Testing

A question we receive frequently during scoping calls is “What tools does your team use during a penetration test?” The answer can depend on the scope, services, and situations we come across during the engagement. Additionally, there is constant industry and threat pressure to stay ahead of the curve. Our toolkit is constantly evolving to reflect the latest threats and techniques, ensuring we can simulate real-world attacks effectively.  

Please note: Due to a variety of factors, this list is intended to provide a general idea – it is not an exhaustive inventory.

Network Reconnaissance

Picture this: You’re on a network that you've never seen before. Your mission? Map it out and find the attack paths. Our go-to tools for network reconnaissance include:

  • Nmap: Not many security tools have been around for 27 years. Nmap is the undisputed king of network reconnaissance scanning – often used during the first phases of an engagement to get a picture of the attack surface.

  • Masscan: We love Nmap – but sometimes, even when properly configured, Nmap can’t complete large scopes in reasonable timeframes. Masscan offers a faster alternative for scanning large networks – it's even been used to scan the entirety of the IPv4 address space!

  • httpx: It’s no secret that web apps and web servers are a large attack surface. When we run into a large number of them, it helps to have a versatile tool available to help sift through the dirt. Functionality includes checking for live hosts, banner checks, taking screenshots, detangling HTTP/HTTPS, and more.

  • Gowitness: A large list of URLs won’t do much good – sometimes, you need to view all of them. This can be a hassle. Gowitness can be utilized to gain a big-picture view of identified web services, showing screenshots of each application, and helping the tester plan his attack.

  • Amass: If we are authorized to perform subdomain reconnaissance, it’s standard practice to enumerate root domains to identify subdomains. While there are many tools out there that serve this purpose, amass in particular supports a large but tailorable feature set.

  • BBOT: While amass is effective, sometimes we need to dig a little more to find all domains that could be reasonably tied to an organization. BBOT performs additional active checks that aren’t included within other enumeration tools. Most notably, BBOT is recursive, helping to maximize the identified attack surface.

  • Spoofy: Domain security can affect email security, allowing attackers to spoof emails from misconfigured domains. Spoofy performs deep-level checks against target domains, helping identify potential email spoofing issues. If there’s a DMARC issue – Spoofy should find it. 

Vulnerability Scanning 

Once we’ve mapped out the terrain, it’s time to look for cracks in the armor. This is where vulnerability scanning comes into play.

  • Nmap Scripting Engine (NSE): When we are looking for a specific vulnerability, it’s not uncommon for a NSE plugin to be readily available, helping us identify if the issue exists on a host.

  • Nessus: The de facto commercial network scanner. As of this writing, Nessus contains 219,951 plugins – a gargantuan amount of vulnerability checks.

  • Nuclei: This open-source tool is a rising star in the vulnerability scanning world. It’s fast, flexible, and community-driven. Increasingly, hot new vulnerability checks are being programmed into Nuclei before commercial scanners can!

Remember, it’s not just about running a tool and calling it a day. You need to know how to configure it, interpret the results, separate the false positives from the real issues, and chain multiple vulnerabilities together to maximize the impact and value you receive. You also need to know what vulnerabilities can’t be identified by scanners and those that require manual research and testing!

Web Application Testing 

Web apps are a prime target – they have gigantic attack surfaces. Finding a flaw in a web app could lead to a data breach or access to the underlying environment. Combined with a tester’s expertise, these tools are effective when it comes to finding and exploiting web app vulnerabilities:

  • Burp Suite Pro: Burp is at the top of every web app pen tester’s list. A few sentences won’t do it justice, as an entire encyclopedia could be written about Burp usage. In a nutshell: Burp provides tools for automated and manual web app pen testing, as well as a rich community plugin repository.

  • Webanalyze/Wappalyzer: This tool helps identify underlying technology used by the web app, helping the attacker familiarize themselves with what avenue of attack will work, as well as identify potential vulnerabilities in the stack.

  • Gobuster/Feroxbuster: Web servers will host whatever you want them to – even if it’s unintentionally placed data. Any time we encounter a web server, it’s standard practice to attempt file/folder enumeration to identify misplaced files, additional scope or attack surfaces.

  • Katana: To identify additional attack surface, crawling web applications is a must. Sometimes this isn’t practical to do within Burp Suite (such as when dealing with large external scopes) -- Katana can be used as an alternative.

  • Ffuf/Wfuzz: These fuzzers are excellent for certain scenarios in which we may not want to use Burp Suite, such as a large scope covering many hosts. They can be used to test specific endpoints, identify hidden files, directories, and even virtual host subdomains.

  • WPScan: WordPress allows for custom extensions – and, there’s a lot of them. As of this writing, about 64,600! These extensions can be written by anyone ranging from first time programmers to Fortune 500 companies. Therefore, for pen testers, this presents a unique challenge: a large number of extensions and a large variance in code quality. To help sift through this, WPScan can be utilized to help identify extensions and their versions to find CVEs or exploits.

  • SQLmap: SQLmap can assist with identifying SQL injection vulnerabilities in a semi-automated manner. Additionally, not all SQL injection vulnerabilities are simple to exploit. For example, time-based blind SQL injection can be difficult and time consuming to exploit manually. SQLmap can rapidly assist in exploitation – such as retrieving database tables or even outright remote command execution.

  • Dalfox: With large attack surfaces (such as on an external or internal pen test) that have a large number of web servers, it can be difficult to manually test for XSS on all web pages. Dalfox assists with this – it's an XSS scanner with a focus on automation through tool redirection. It also checks DOM XSS – so it’s a little more advanced than older CLI XSS scanners. 

Burp Suite Extensions:

Again – Burp Suite is a fantastic tool with a large amount of built-in functionality. However, in some scenarios, we utilize powerful extensions:  

  • Active Scan++: Created by James Kettle – one of PortSwigger’s lead researchers, this extension adds checks not covered by the core scanner of Burp Suite.

  • JS Miner/GAP: Deep inside of web app client-side code, there may be references to endpoints which aren’t discovered when manually crawling the web application. Some of these endpoints can be interesting to an attacker. For example – a JavaScript file may contain references to endpoints which should only be accessed by the application support team, and not the actual application user.

  • Autorize: Authentication and authorization testing are key categories of all authenticated web application assessments. Autorize assists in testing both of these by allowing “User A” requests to be automatically re-played as “User B”. The tester can then compare the server responses for discrepancies, indicating potential vulnerabilities.

  • JSON Web Tokens Attacker: Instead of an outright randomly generated token, increasingly, web apps and APIs are utilizing JWTs. Correctly implemented, JWTs are signed and validated by the web app. However, this isn’t always the case – leading to the attacker being able to construct their own JWT and potentially compromising an aspect of the application. This extension simplifies the JWT testing process.

  • SAML Raider: Many applications support SAML authentication. By manipulating the SAML workflow, an attacker may be able to masquerade as a different user, or even perform an XXE/XSLT attack. This extension simplifies the SAML testing process.

  • Retire.js: Vulnerabilities are continuously discovered in client-side JavaScript libraries. Pen testers will look into vulnerabilities identified by this plugin to ensure validity.

  • InQL - GraphQL Scanner: With GraphQL increasingly replacing REST endpoints, web app testers have had to adjust. This addon makes GraphQL testing easier by providing a “native feeling” tab within Burp Repeater. Additional scanning utilities exist that can dump the entire GraphQL schema, potentially revealing undocumented mutations or queries.

  • Schellman Custom Extensions: There are a few different scenarios where we will consider writing our own extensions:
    • Implementing an idea to help identify additional vulnerabilities.

    • Generally speaking, this is nonstandard and unusual, but some applications require the request to be signed at the HTTP protocol level with custom headers. This is performed using client-side JavaScript. Therefore, this increases the effort required by an attacker, as any requests that are manipulated by Burp will fail the signing check. To get around this, the same cryptographic signing scheme used in the client-side JavaScript is re-implemented within a Burp extension. The end result is that all requests sent by Burp are resigned, allowing for the tester to transparently test the application without fear of the signing requirements.

    • Some applications won’t play well with authenticated scanning and cause forced logouts. Normally, you are able to reauthenticate using functionality that already exists in Burp or using a browser tab reloader. However, in more complex scenarios, such as when a nonstandard header needs to be updated, or even MFA, a custom extension can sometimes be the only way to reliably force reauthentication.

Internal Network Assessment: The Assumed Breach Scenario 

Sometimes, we’re asked to test what happens if an attacker already has a foothold in the network. This “assumed breach” scenario is where things get really interesting. In assumed breach scenarios, we often start off without any credentials and escalate privileges attempting to move laterally around the network, documenting every exploitable misconfiguration along the way.

Here’s what we pack for these missions:

  • Responder: When we’re on a network with absolutely no credentials, Responder can be run from a Linux machine to catch authentication attempts to the machine. Normally, users probably won’t have a reason to authenticate to our box. However, when used with an Adversary in the Middle attack, we can coerce other machines on the network to attempt authentication via an attack such as LLMNR/mDNS spoofing. Provided this is feasible, we’d then receive a hash or some other form of credential, serving as the entry point into the authenticated portion of the assessment.

  • Impacket: A collection of Python scripts for working with network protocols typically within Windows/AD networks. Scripts such as psexec.py, smbclient,py, secretsdump.py can all be used for lateral movement.

  • BloodHound: Once we’ve gained credentials, we’re able to pull data from Active Directory. A special script, called a BloodHound ingestor, will query AD for a large dataset of all hosts, users, and policies. This data is then imported into BloodHound to create a visual graph. Combined with queries, it can then be used to identify vulnerabilities within the network.

  • BloodyAD/AutoBloody - These are similar tools used within Active Directory for privilege escalation. Used in conjunction with BloodHound attack paths.

  • PowerView: Some specific reconnaissance and attack steps require us to utilize PowerView. PowerView is flexible, allowing for basic reconnaissance all the way to performing privilege escalation via complicated ACLs.

  • PingCastle: There aren’t many commercial tools that scan for Active Directory misconfigurations – but PingCastle is one of them. When we’ve got access to an AD environment, we’ll use PingCastle to get an initial mapping of weak points within the domain.

  • NetExec/CrackMapExec: If credentials are found, we need to see what level of access they will get us on the network. These tools are fantastic for password-spraying internal network services such as SMB, LDAP, WINRM, MSSQL, SSH, FTP, RDP, and WMI.

  • Mimikatz: When you’ve gained access to a Windows machine, there’s a decent chance that others have used the machine before. Mimikatz can pull their credentials such as passwords, hashes, and tickets. This data can then be used to facilitate lateral movement.

  • Rubeus: Assists in extracting, passing, duplicating, and requesting Kerberos tickets. A ticket, while often not as desirable as a hash or password, can still be utilized by an attacker to obtain access to other systems or even create new credentials.

  • Certify/Certipy - These tools help with auditing Active Directory Certificate Services (ADCS). Lately, this is one of the top ways to elevate privileges within AD networks, as classic AD pen test methodologies did not look closely into ADCS.

  • Manspider: When you’ve identified access to a large number of SMB shares within a network, searching them for sensitive information or credentials can be a daunting task. This tool is designed to identify and parse documents for this information en masse.

  • Custom AV/EDR Evasion: A variety of custom tools have been created by our team to bypass AV/EDR, ranging from initial payloads to modified public tooling which would otherwise be detected by via signature or heuristics.

Privilege Escalation: Going Up... 

Once we’ve got a foothold, the next step is often increasing our privileges. After all, if user-level access is obtained to a system, obtaining admin-level access will help facilitate lateral movement. By and large, these tools all do the same thing, so we won’t dive into the specifics of each tool – but here’s what we use:

  • Windows:
    • WinPEAS
    • Seatbelt
    • JAWS
    • BeRoot
    • Sherlock
    • Windows Exploit Suggester
    • Metasploit Local Exploit Suggester
  • Linux / Mac / *nix:
    • LinPEAS
    • GTFOBins
    • BeRoot
    • Linux Exploit Suggester
    • Metasploit Local Exploit Suggester

Remember, privilege escalation is often about patience and perseverance. It’s not always about finding a single big vulnerability - sometimes it’s about chaining together several smaller issues to reach the goal.

Mobile App Security

With mobile devices practically glued to our hands these days, mobile app security is more important than ever. Here’s what we use to make sure those iOS and Android apps can’t do something they shouldn't:

  • MobSF (Mobile Security Framework): This tool can perform static and dynamic testing of mobile applications. This includes decompilation, vulnerability identification, and runtime monitoring. Importantly, this tool supports not only Android but also the notoriously “difficult to test” iOS.

  • adb/idb: Command line tools used for communicating with Android and iOS devices, respectively. These tools help with obtaining a shell on the device, reading/writing files, and general device debugging.

  • Android Studio / Apple Xcode: For some assessments, a client may provide us with the full source code of an application. This assists in identifying additional vulnerabilities which may be difficult to find in a black box test. The correct IDE will assist with debugging code to prove the validity of a vulnerability, as well as provide tools to help traverse the codebase easily.

  • Burp Suite: Many mobile applications utilize a backend web API. At Schellman, we include the mobile backend API as in-scope (unless otherwise directed.)

  • Frida/Objection: In order to bypass certain restrictions – such as jailbreak detection, emulation detection, or SSL pinning – it’s often certain functions within the app need to be disabled via hooking or replacement. These tools help assist with this.

  • Apktool: Assists in properly unpacking and repacking APK files.

  • Drozer: Assists in testing specific components of Android applications, such as activities, broadcast receivers, content providers, and services.

Additional Specialized Tools

There are a number of tools that don’t fit any of the above scenarios:

  • Cobalt Strike/Mythic/etc.:  Full-featured remote access tools. These tools often serve as the initial foothold, serving as a great offloading point for continued reconnaissance and execution of post-exploitation tools. Additionally, we utilize heavily customized builds to avoid EDR/AV.

  • Aircrack-ng/EAPHammer/Reaver: These tools assist in assessing Wi-Fi networks. Aircrack has long been the industry standard for Wi-Fi reconnaissance and testing. EAPHammer assists with performing evil-twin attacks. Reaver is used for WPS pin brute forcing.

  • Hashcat: When we run across a hash, whether it be an NTLM or MD5, Hashcat is the de facto GPU password-cracking tool. Additionally, we utilize our own private physical hash cracking rig, complete with a large number of GPUs. We also utilize a tailored list of passwords and rulesets, as individuals vary their passwords widely.

  • Volatility: A memory forensics framework that we leverage for offensive operations such as private key extraction from memory. A post-exploitation tool that runs within the all-seeing eye of the Linux kernel via a loadable kernel module (LKM).

  • Foremost: The original file carver that reconstructs files from raw memory acquisitions. Allows us to rapidly close in on files of interest such as images, private keys, and configurations.

  • Ghidra: An advanced software reverse engineering (SRE) framework developed by the National Security Agency (NSA). It's designed to help security analysts and researchers analyze malicious code and vulnerable binaries more effectively than traditional methods. Useful during thick-client and hardware assessments.

  • GuardPhish: A custom internal tool for ensuring the success of a phishing campaign. There is a thriving industry built around preventing phishing attacks – in some cases, these will “burn” our campaigns which are legitimate tests in nature. To help fight this, this is our answer.

Balancing Tools with Expertise

And there you have it, folks - a whirlwind tour of our pen tester’s toolkit for 2024. But here’s the thing: all these fancy tools? They’re just that - tools. The real magic happens when you combine them with knowledge, experience, and a hefty dose of creative thinking.

At Schellman, we’re constantly evolving our toolkit and developing new techniques. Because in the end, it’s not just about having the best tools - it’s about knowing how to use them to keep your networks and applications secure.

Ready to talk penetration testing? Contact us today.

About Austin Bentley

Austin Bentley is a Manager with Schellman, based in Kansas City, Missouri. Prior to joining Schellman, Austin worked as a Penetration Tester for a large financial institution, specializing in Application Security and Internal Pentesting. Austin also led and supported various other projects, including security automation and code review.