Another year has come and gone, and for us, that means taking inventory of some of our favorite things about 2022. And in this case, that means pen testing tools. In the spirit of past lists like Pen Testing Tools We’re Thankful For, we present to you a selection of tools we enjoyed throughout this year. Although not definitive, we hope these tools can help you in your upcoming security engagements!
From the Fox Den
#1 Unredacter: When Redaction Goes Wrong
Creator: Dan Petro
Why We Like It: Unredacter is a cautionary tale about the dangers of pixelation, one of the most popular redaction techniques (along with other equally risky methods like blurring and swirling). Lead Researcher Dan Petro created this tool to showcase the pitfalls of using this redaction technique by “unredacting” redacted information. We hosted an Unredacter Challenge earlier this year where we asked people to unredact a mystery image, and you can watch the interviews with our winners on our YouTube Channel.
#2 Asminject: Code Injection Tool for Compromising Linux-Based Processes & Containers
Creator: Ben Lincoln
Why We Like It: Managing Security Consultant Ben Lincoln put together this tool that is originally based off a heavily modified fork of David Buchanan’s dlinject project. You can use asminject to perform an attack on Linux processes and containers using compromised administrative access to the host. It was the topic of our November 2022 Tool Talk, where you can watch Ben Lincoln demo it in action.
#3 CloudFox: A Resource to Gain Situational Awareness in Unfamiliar Cloud Environments
Creators: Seth Art and Carlos Vendramini
Why We Like It: CloudFox is a game changer for cloud security. It was built with the intent to help penetration testers and other offensive security professionals gain situational awareness in unfamiliar cloud environments. Use it to discover exploitable attack paths in cloud infrastructure; automate the “boring stuff” and get right to hacking! Watch the Tool Talk livestream dedicated to demonstrating CloudFox here.
#4: Spoofy: An Update on a Classic Bishop Fox Tool
Creators: Alex DeFreese and Matt Keeley
Why We Like It: In 2017, we released the email spoofing tool SpoofCheck. This tool was created by Fox Alex DeFreese to check domains for email spoofing protections, proving invaluable for social engineering and red teaming engagements. Last summer, former Fox (and avid member of our Discord server) Matt Keeley updated SpoofCheck into his own tool, Spoofy. Spoofy is a new-and-improved version of SpoofCheck, with enhanced capabilities such as authoritative lookup on all lookups with known good fallback (Cloudflare DNS), a SPF lookup counter, and more. Please note that Spoofy needs Python 3+ to function.
From the Infosec Community
#5: Htmlq: jq For HTML Environments
Creator: Michael Maclean
Why We Like It: A command-line interface (CLI) tool that has become popular with our team, htmlq is basically jq for HTML instead of JSON. And what is jq, exactly? It’s like sed, which is a stream editor. (This tool itself is reflective of the symbiotic nature of the open sourceopen-source community!) But returning to htmlq, you can use this tool to extract bits of content for HTML files, which makes it a great asset to have on hand during pen tests.
#6: sideloadr: Small Python Tool for DLL Sideloading
Creator: Pascal-0x90
Why We Like It: sideloadr is a modest Python tool that you can use to perform DLL sideloading or DLL hijacking via a Linux machine. DLL hijacking can be a devastating technique to unleash during a pen test, so expect impressive results if you can leverage it successfully. The DLLs compiled in sideloadr are to target Window systems. Plus, sideloadr is an easy-to-use tool, requiring only Poetry or Docker to get to work.
#7: hoaxshell: Windows Reverse Shell Payload Generator
Creator: Panagiotis Chartas
Why We Like It: If you have trouble popping a shell during your next security engagement, give hoaxshell a shot! This useful tool serves as a Windows reverse shell payload generator that uses http(s) to create the shell. An updated version of hoaxshell is also available right now, known as Villain, which is essentially the same tool but the “evolved, steroid-induced version of it.” A word to the wise: hoaxshell is now detectable by ASMI.
#8: Flying Carpet: Encrypted File Transfer
Creator: Theron Spiegl
Why We Like It: Data exfiltration over Wi-Fi made easy! Flying Carpet truly lives up to its name; it enables encrypted transfer over automatically configured ad hoc networking using nothing but two devices (computers or phones) in close proximity. No Bluetooth is needed; Flying Carpet relies solely on Wi-Fi. This tool is available for Linux, macOS, Windows, and iOS with an Android version coming (somewhat) soon.
#9: Nuclei v2.8.0: Vulnerability Scanning All Fuzzed Up
Creator: Project Discovery
Why We Like It: It’s no secret: We at Bishop Fox like to use the vulnerability scanner Nuclei from time to time (as evident in our Tool Talk with creator Sandeep Singh and the subsequent blog post). But we wanted to give special attention to the updates made to Nuclei in early December 2022. You can read the full array of updates made to the scanner here but some highlights include the addition of URL fuzzing, shared sessions/values between templates, and ASNMap integration. We are very proud of our friends at Project Discovery for this milestone update to Nuclei and look forward to seeing what the future holds!
What Are Your Favorites? We Want to Know!
These are just nine of the pen testing tools that came out this past year, and we’d love to hear your favorites, too! Connect with us on Discord or Mastodon to let us know what we missed. See you in 2023!
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.
Recommended Posts
You might be interested in these related posts.
Dec 12, 2024
Our Favorite Pen Testing Tools: 2024 Edition
Oct 15, 2024
Off the Fox Den Bookshelf: Security and Tech Books We Love
Sep 17, 2024
Navigating DORA Compliance: A Comprehensive Approach to Threat-Led Penetration Testing
Aug 28, 2024
Offensive Security Under the EU Digital Operational Resilience Act (DORA)