{"id":461,"date":"2024-10-02T10:00:00","date_gmt":"2024-10-02T10:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=461"},"modified":"2024-10-02T10:00:00","modified_gmt":"2024-10-02T10:00:00","slug":"14-underrated-pentesting-tools-to-round-out-your-red-team-arsenal","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=461","title":{"rendered":"14 underrated pentesting tools to round out your red team arsenal"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The right tool can make or break a pentest or red team exercise. While many of the tools in Kali are tried and true, they are not always the best fit for every scenario. It is crucial to know where to turn for different needs, ensuring you\u2019re adequately equipped to meet a variety of objectives. Incorporating <a href=\"https:\/\/www.csoonline.com\/article\/551957\/11-penetration-testing-tools-the-pros-use.html\">mainstream penetration testing tools<\/a> <em>and<\/em> lesser-known, but just as powerful, tools can elevate your offensive maturity, helping cover more internal and external attack surfaces that you may have overlooked.<\/p>\n<p>There are many powerful, lesser-known tools that can help push the boundaries of pentesting, particularly around cloud and <a href=\"https:\/\/www.csoonline.com\/article\/567859\/what-is-osint-top-open-source-intelligence-tools.html\">OSINT<\/a>. 
These tools may not get as much time in the spotlight, but they\u2019re just as potent (if not more so) in certain use cases.<\/p>\n<p>Here are 14 underrated pentesting tools that deserve a spot in your arsenal.<\/p>\n<div class=\"overflow-table-wrapper\"><table><thead><tr><th>Tool<\/th><th>Ease of Use<\/th><th>Output<\/th><th>Main Competitors<\/th><th>Capability Focus<\/th><th>Available On<\/th><th>Free\/Paid<\/th><\/tr><\/thead><tbody>\n<tr><td><strong>Caldera<\/strong><\/td><td>Easy to Moderate<\/td><td>Adversary emulation, reports on attack success\/failure<\/td><td>Atomic Red Team<\/td><td>Adversary emulation, MITRE ATT&amp;CK simulation<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Silent Trinity<\/strong><\/td><td>Moderate<\/td><td>C2 framework for post-exploitation<\/td><td>Empire, Cobalt Strike<\/td><td>Post-exploitation C2 via C# &amp; .NET<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Pacu<\/strong><\/td><td>Moderate<\/td><td>AWS vulnerability and configuration exploitation<\/td><td>WeirdAAL, ScoutSuite<\/td><td>AWS misconfigurations and exploitation<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>ScoutSuite<\/strong><\/td><td>Easy<\/td><td>Cloud misconfiguration and permission audit<\/td><td>CloudSploit<\/td><td>Cloud security auditing (multi-cloud)<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Cookiebro<\/strong><\/td><td>Very Easy<\/td><td>Browser cookie management and tracking control<\/td><td>EditThisCookie<\/td><td>Cookie management, session replay attacks<\/td><td>Chrome\/Firefox Add-ons<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>WeirdAAL<\/strong><\/td><td>Moderate<\/td><td>AWS privilege escalation and misconfiguration exploits<\/td><td>Pacu, CloudSploit<\/td><td>AWS privilege escalation<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>DigitalOcean<\/strong><\/td><td>Easy<\/td><td>Cloud infrastructure provisioning and testing<\/td><td>AWS, GCP<\/td><td>Cloud infrastructure management<\/td><td>DigitalOcean<\/td><td>Paid<\/td><\/tr>\n<tr><td><strong>GoPhish<\/strong><\/td><td>Easy<\/td><td>Phishing campaign metrics and success rates<\/td><td>PhishMe, King Phisher<\/td><td>Phishing simulation and user interaction tracking<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Infection Monkey<\/strong><\/td><td>Easy<\/td><td>Lateral movement, network attack simulations<\/td><td>Caldera, Atomic Red Team<\/td><td>Breach and attack simulation &amp; lateral movement<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Atomic Red Team<\/strong><\/td><td>Easy to Moderate<\/td><td>Individual MITRE ATT&amp;CK techniques<\/td><td>Caldera<\/td><td>MITRE ATT&amp;CK technique simulation<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Stratus Red Team<\/strong><\/td><td>Moderate<\/td><td>Cloud-native attack techniques for AWS<\/td><td>Atomic Red Team<\/td><td>AWS-specific adversary emulation<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>GD-Thief<\/strong><\/td><td>Moderate<\/td><td>Google Drive enumeration<\/td><td>ls command<\/td><td>Google Drive OSINT and misconfiguration enumeration<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>DVWA<\/strong><\/td><td>Easy to Moderate<\/td><td>Vulnerability exploitation in web apps (XSS, SQLi, RCE)<\/td><td>OWASP Juice Shop, Hackazon<\/td><td>Web application security testing<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<tr><td><strong>Hackazon<\/strong><\/td><td>Moderate<\/td><td>Exploitation of modern web app vulnerabilities, including APIs<\/td><td>DVWA, OWASP Juice Shop<\/td><td>Modern web app vulnerability simulation<\/td><td>GitHub<\/td><td>Free<\/td><\/tr>\n<\/tbody><\/table><\/div>\n<h2 class=\"wp-block-heading\">Caldera<\/h2>\n<p>By the same folks responsible for the <a href=\"https:\/\/www.csoonline.com\/article\/565030\/mitre-att-and-ck-framework-understanding-attack-methods.html\">ATT&amp;CK<\/a> matrices, Caldera by MITRE gets the No. 1 spot because it is the most undervalued tool in this article. Caldera is an automated adversary emulation platform that allows red teams and blue teams to simulate attacks based on real-world threat models. It\u2019s packed with powerful tools for testing defensive capabilities and even allows you to create custom adversary campaigns. It includes:<\/p>\n<p><strong>Prebuilt adversary profiles:<\/strong> Caldera comes pre-loaded with adversary profiles that simulate specific threat actors. These profiles replicate the tactics, techniques, and procedures (TTPs) used by real-world adversaries, allowing you to see how well your defenses stand up to different attack strategies. 
This means you can easily test how your environment would handle an attack like APT29 or FIN7 without manually scripting attacks and without worrying about scope-creeping beyond an APT\u2019s known tradecraft.<\/p>\n<p><strong>Modular plugin architecture:<\/strong> Caldera is built on a plugin-based architecture, meaning you can extend its capabilities through various modules.<\/p>\n<p><strong>Adversary emulation plans:<\/strong> You can build custom adversary campaigns by stringing together techniques from MITRE ATT&amp;CK. These plans allow you to simulate everything from phishing attacks and initial compromise (often the hardest tactics to test for), through persistence, lateral movement, and exfiltration. Caldera also allows you to set specific attack <em>goals<\/em>, such as gaining domain admin access or accessing sensitive files.<\/p>\n<p><strong>Automated red and blue team exercises:<\/strong> Caldera can be used for both red and blue team exercises. As a red team tool, it automates attack sequences, while for blue teams, it generates reports and provides insights on which defenses were triggered and how effectively they responded. This lets you test your organization\u2019s detection and response capabilities in real time without manual intervention.<\/p>\n<p><strong>Reporting and visualization:<\/strong> After running a simulation, Caldera generates detailed reports that map your defense\u2019s success or failure against specific attack techniques. The tool provides clear, visual feedback, often showing which techniques were successfully blocked, which triggered alerts, and where there were gaps in coverage. This makes it invaluable for tuning detection and monitoring tools like SIEMs and EDRs.<\/p>\n<p><strong>Real-time execution of ATT&amp;CK techniques:<\/strong> Caldera allows you to execute specific ATT&amp;CK techniques in real time. 
For example, if you wanted to test how your defenses respond to PowerShell attacks, you could select the appropriate technique from the ATT&amp;CK matrix and run it directly in your environment. Caldera will then show whether your defenses detected the technique, and if not, you can adjust and run it again. This gets red teams off the retest hamster wheel.<\/p>\n<p>Caldera also has an extremely user-friendly web interface. Even without deep knowledge of red-teaming tactics, you can build and execute complex attack chains through a drag-and-drop interface. This makes it accessible to technical and non-technical, junior and senior team members alike.<\/p>\n<p>Though many security teams are aware of Caldera, it doesn\u2019t get as much attention in pentesting circles compared to manual tools like Metasploit. Its automation and built-in adversary tactics make it perfect for saving time and increasing efficiency in red-team exercises. It\u2019s a great way to test defenses against real-world attack tactics based on the MITRE ATT&amp;CK framework and drive home the impact part of the risk factor. It literally makes our pentesting lives easier in every conceivable way, yet many teams don\u2019t use it.<\/p>\n<p><strong>Use case:<\/strong> Simulate CVE-2020-1472 (ZeroLogon) by using Caldera\u2019s automation to test defenses against privilege escalation on Windows Domain Controllers. Or, afraid of APT11? Use Caldera to mimic one of their campaigns and test your defense-in-depth.<\/p>\n<h2 class=\"wp-block-heading\">Silent Trinity<\/h2>\n<p>Silent Trinity is a post-exploitation command-and-control (C2) framework written in C# and .NET, allowing it to blend into Windows environments more easily than other C2 tools. It\u2019s a stealthy alternative to frameworks like Cobalt Strike, and its ability to leverage the .NET infrastructure makes it highly effective in bypassing defenses. 
It\u2019s also open source, which means you don\u2019t need the thousand-dollar license to use it.<\/p>\n<p>While many pentesters rely on well-known C2 frameworks like Cobalt Strike and Covenant, Silent Trinity\u2019s integration with .NET makes it especially dangerous for post-exploitation activities in Windows systems because of its ability to pass as a native process.<\/p>\n<p><strong>Use case:<\/strong> Use Silent Trinity to exploit CVE-2021-1675 (PrintNightmare) by gaining remote code execution on Windows systems and maintaining persistent access.<\/p>\n<h2 class=\"wp-block-heading\">Pacu<\/h2>\n<p>Pacu is an AWS exploitation framework designed by Rhino Security Labs. With Pacu, pentesters can identify and exploit security misconfigurations in AWS environments, such as over-permissioned IAM roles or exposed S3 buckets. It can be used from both an external perspective (finding attack vectors without initial access) and an internal one (after obtaining credentials). It\u2019s broad in scope, covering multiple phases of AWS pentesting, from enumeration to exploitation.<\/p>\n<p>As cloud environments become more central to modern infrastructure, tools like Pacu should be in the limelight. Yet, it\u2019s often overshadowed by traditional, non-cloud-focused tools (again, like Metasploit: square peg, round hole). Pacu excels at finding and exploiting misconfigurations in AWS environments and exploits AWS-specific weaknesses that other tools miss. Its modular structure lets you customize tests to uncover everything from over-permissioned IAM roles to exposed EC2 instances.<\/p>\n<p><strong>Use case:<\/strong> Exploit CVE-2019-10758 (unauthenticated access to AWS S3 buckets) by using Pacu to enumerate S3 buckets and access sensitive data.<\/p>\n<h2 class=\"wp-block-heading\">ScoutSuite<\/h2>\n<p>ScoutSuite is a multi-cloud security auditing tool that analyzes AWS, Azure, and GCP environments for misconfigurations. 
It provides a comprehensive view of cloud security risks by inspecting permissions, network setups, and policies. You\u2019d use ScoutSuite for enumeration and situational awareness, and Pacu to exploit.<\/p>\n<p>Though similar to CloudSploit, ScoutSuite\u2019s multi-cloud support and user-friendly reports make it a go-to for cloud audits.<\/p>\n<p><strong>Use case:<\/strong> Use ScoutSuite to identify misconfigured AWS permissions that would allow an attacker to exploit CVE-2021-45046 (the dreaded Log4j) on an improperly secured server.<\/p>\n<h2 class=\"wp-block-heading\">Cookiebro<\/h2>\n<p>Cookiebro is a simple but powerful browser extension for managing cookies and tracking scripts. While not a pentesting tool in the traditional sense, Cookiebro gives you granular control over web tracking, helping you understand and analyze how a web app behaves.<\/p>\n<p>In the right hands, Cookiebro also allows you to steal and replay authenticated session cookies, effectively mimicking authenticated users and bypassing the need for credentials. This opens opportunities to escalate privileges and gain unauthorized access to web applications, SSO dashboards, and much more.<\/p>\n<p><strong>Use case:<\/strong> Discover potential session hijacking opportunities by analyzing how session cookies are handled on a site vulnerable to CVE-2015-2080 (Jetty cookie vulnerability).<\/p>\n<h2 class=\"wp-block-heading\">WeirdAAL<\/h2>\n<p>WeirdAAL (AWS Attack Library) is a highly specialized tool that focuses on exploiting weaknesses in AWS environments. Now, this may sound eerily similar to Pacu because it automates privilege escalation techniques and leverages existing access to perform AWS attacks. But where WeirdAAL earns its spot is in exploiting AWS vulnerabilities and misconfigurations by leveraging pre-existing AWS access. Its primary function is to automate privilege escalation techniques and other internal AWS attacks. 
It\u2019s a great tool for red teams or pentesters who <em>already have<\/em> a foothold in an AWS environment and want to escalate privileges or further their control.<\/p>\n<p><strong>Use case:<\/strong> Use WeirdAAL to simulate privilege escalation techniques and exploit CVE-2020-10748 (improper S3 bucket configurations leading to privilege escalation).<\/p>\n<h2 class=\"wp-block-heading\">DigitalOcean<\/h2>\n<p>We\u2019re getting pretty fringe here, but I never executed a red team op without it. Though primarily a cloud provider, DigitalOcean is your one-stop server shop. Need to host an evilginx server to MitM? Done. Need to phish 1,000 targets? No problem. DigitalOcean\u2019s simplicity makes it an ideal environment for not only hosting all your nefarious resource needs but also building pentesting labs and simulations.<\/p>\n<p>While AWS, Azure and GCP dominate the cloud space, I find DigitalOcean to be clean cut, low cost, and straightforward without 20 screens and 100 options to configure before launching resources. This allows pentesters to quickly spin up isolated environments to test tools like Pacu or WeirdAAL. It\u2019s also Terraform-friendly.<\/p>\n<p><strong>Use case:<\/strong> Use Terraform templates to quickly and easily spin up C2 infrastructure.<\/p>\n<h2 class=\"wp-block-heading\">GoPhish<\/h2>\n<p>GoPhish is an open-source phishing framework that allows you to simulate phishing attacks, gather metrics, and track user interactions. It\u2019s easy to set up and run campaigns, and it provides detailed reports on how many emails were delivered to user inboxes (and which errored out), and how many users opened emails, clicked links, and entered credentials.<\/p>\n<p>Red teams may bypass GoPhish due to its perceived lack of sophistication compared to more complex commercial tools, but its lightweight, open-source nature makes it perfect for rapid deployment and minimal resource requirements. 
It\u2019s also great for teams who want to scale phishing campaigns <em>without<\/em> the overhead of larger frameworks. The fact that it\u2019s underrated is more a matter of preference and perception \u2014 teams assume \u201cmore robust\u201d means \u201cbetter,\u201d but in this red teamer\u2019s opinion, GoPhish strikes a sweet balance between simplicity and efficiency.<\/p>\n<p><strong>Use case:<\/strong> Run a simulated phishing campaign containing a malicious Word doc with a macro that will execute when it\u2019s opened.<\/p>\n<h2 class=\"wp-block-heading\">Infection Monkey<\/h2>\n<p>Infection Monkey by Guardicore is a breach and attack simulation tool that tests your network\u2019s ability to handle one thing: lateral movement. It doesn\u2019t mimic malware; it is malware, which makes it both scary and exciting. But it\u2019s malware with just one goal: move and copy. So, it will test a number of lateral movement and privilege escalation techniques, propagate, and do it again.<\/p>\n<p>Infection Monkey is hands down one of the best worms I\u2019ve ever seen in action. It\u2019s user-friendly, quick to spin up, and to my knowledge, there\u2019s nothing else like it out there \u2014 but I don\u2019t hear anyone talking about it. This tool is a beast for a few reasons: it builds an attack tree as it moves through your environment, showing each hop and compromise in real time. You can literally watch the path it takes and know exactly which technique succeeded at each step, which makes targeted remediation a breeze. And when it comes to reporting, it doesn\u2019t just stop at MITRE ATT&amp;CK, it also aligns with zero trust principles. 
That\u2019s a big deal because with so many organizations diving headfirst into zero trust without really understanding it, Infection Monkey lets you actually test granular access controls and segmentation, giving you definitive baselines.<\/p>\n<p><strong>Use case:<\/strong> Set it off on literally one box anywhere in the environment and watch it do its frightening magic.<\/p>\n<h2 class=\"wp-block-heading\">Atomic Red Team<\/h2>\n<p>Atomic Red Team (ART), developed by Red Canary, is a collection of scripted tests that map directly to MITRE ATT&amp;CK techniques. It can be run in PowerShell or bash and allows pentesters (or defenders) to simulate specific attack behaviors, but its power is in the sheer number of tests available. There are over 900 known techniques baked into the framework.<\/p>\n<p>I don\u2019t hear many pentesters using Atomic Red Team, but almost every purple teamer I know relies on it. The reason? Even though it\u2019s scripted and signature-based, plenty of EDR solutions still miss these techniques \u2014 despite them being well-known and published. The beauty of Atomic Red Team is that you can throw a whole arsenal of techniques at a system and quickly gauge how well your controls are holding up. Or you can zoom in on individual techniques and sub-techniques, and because it\u2019s modular, you can run these over and over to fine-tune detection, tweak rules, and make sure things are blocked, alerting properly, or showing up in your telemetry.<\/p>\n<p><strong>Use case:<\/strong> Use Atomic Red Team to emulate CVE-2018-8174 (Double Kill) by running T1203 \u2013 Exploitation for Client Execution, T1176 \u2013 Browser Extensions, T1068 \u2013 Exploitation for Privilege Escalation, and T1133 \u2013 External Remote Services, to test browser exploit defenses.<\/p>\n<h2 class=\"wp-block-heading\">Stratus Red Team<\/h2>\n<p>Stratus Red Team by DataDog focuses on cloud-native adversary emulation, particularly in AWS environments. 
Atomic Red Team, mentioned above, covers a wide array of environments, but Stratus homes in on the unique challenges posed by cloud-native architectures, making it an attractive option for organizations embedded in AWS.<\/p>\n<p>Almost nobody outside heavy cloud CI\/CD has heard of it, but the pros running a lot of cloud-native and containerized (Kubernetes) workloads, especially in DevOps-heavy organizations, rely on it frequently because it provides insight into cloud-specific attack vectors that are often overlooked by traditional security tools. It\u2019s no secret that misconfigurations in cloud resources are the leading cause of breaches, and Stratus helps narrow the focus by targeting these vulnerabilities directly.<\/p>\n<p><strong>Use case:<\/strong> Simulate adversary behavior targeting Amazon EKS clusters, particularly focusing on T1543.003 (Create or Modify System Process: Kubernetes). This technique involves exploiting misconfigurations in EKS clusters to gain unauthorized access or escalate privileges by modifying or creating new Kubernetes pods and was contributed by community user Dakota Riley.<\/p>\n<h2 class=\"wp-block-heading\">GD-Thief<\/h2>\n<p>Ever been lost in the maze of Google Drive, overwhelmed by endless files, folders, and subfolders, wishing you could just \u201cls -l\u201d them all? Enter GD-Thief. It is an open-source tool that enumerates and scrapes Google Drive for publicly accessible files. It\u2019s ideal for discovery and situational awareness on documents, spreadsheets, or other sensitive data left in shared drives.<\/p>\n<p>For cloud OSINT, Google Drive is a treasure trove of information, if you can find it. 
While tools like SpiderFoot provide broader OSINT capabilities, GD-Thief gives pentesters a targeted way to enumerate specific cloud storage assets.<\/p>\n<p><strong>Use case:<\/strong> Use GD-Thief to scrape publicly accessible files that could reveal credentials or internal documents, potentially leading to further exploitation.<\/p>\n<h2 class=\"wp-block-heading\">DVWA (Damn Vulnerable Web Application)<\/h2>\n<p>DVWA is a deliberately vulnerable web application designed to provide a safe space for security professionals and aspiring pentesters to practice and refine their web application penetration testing skills. It has multiple levels of vulnerability (low, medium, high, and impossible) to help users test a wide range of skills including SQL injection, cross-site scripting (XSS), file inclusion, and command injection.<\/p>\n<p>While widely known in boot camps and training classes, DVWA is often overlooked by more experienced pentesters who turn to more complex tools. However, it remains a relevant platform for testing and refining skills from script kiddies to advanced operators. DVWA is also self-hosted, lessening the likelihood you\u2019ll scope creep or test something you\u2019re not permitted to touch (BBP\/VDPs anyone?). Any hypervisor can help you partition resources necessary to host it.<\/p>\n<p><strong>Use case:<\/strong> Pentesters can practice exploiting CVE-2018-6574 (Remote Code Execution via improper input validation). In DVWA\u2019s \u201ccommand execution\u201d module, you can inject shell commands via a form input and elevate to remote command execution. This exercise allows pentesters to better understand the techniques attackers use to gain remote control over web servers.<\/p>\n<h2 class=\"wp-block-heading\">Hackazon<\/h2>\n<p>Hackazon is another vulnerable web application designed to simulate a real-world e-commerce site with modern web technologies. 
Developed by Rapid7, it provides a realistic environment for security professionals to test vulnerabilities commonly found in dynamic web applications, including RESTful API misconfigurations, SQL injection, XSS, and client-side vulnerabilities. Hackazon is excellent for mimicking the complexity of modern web apps used by organizations today.<\/p>\n<p>Hackazon replicates a full, real-world dynamic shopping site with various modern vulnerabilities that aren\u2019t always found in other training environments, but it\u2019s often overshadowed by DVWA and other vulnerable web apps due to its more complex setup. But if you\u2019re looking to beef up on API and client-side skills, it\u2019s a great place to start.\u00a0<\/p>\n<p><strong>Use case:<\/strong> Hackazon can be used to test for SQL injection vulnerabilities (CVE-2019-12384) by targeting the application\u2019s product search feature. Pentesters can inject malicious SQL queries via the search form to retrieve sensitive customer data like payment details. Additionally, the inclusion of an API makes it an ideal platform for API-based testing and exploiting improper authorization or input validation.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The right tool can make or break a pentest or red team exercise. While many of the tools in Kali are tried and true, they are not always the best fit for every scenario. It is crucial to know where to turn for different needs, ensuring you\u2019re adequately equipped to meet a variety of objectives. 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-461","post","type-post","status-publish","format-standard","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/461"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=461"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/461\/revisions"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=461"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=461"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=461"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}