Our Favorite Tools of the Year: 2022 Edition

Another year has come and gone, and for us, that means taking inventory of some of our favorite things about 2022. And in this case, that means pen testing tools. In the spirit of past lists like Pen Testing Tools We’re Thankful For, we present to you a selection of tools we enjoyed throughout this year. Although not definitive, we hope these tools can help you in your upcoming security engagements!

From the Fox Den

#1 Unredacter: When Redaction Goes Wrong

Creator: Dan Petro

Why We Like It: Unredacter is a cautionary tale about the dangers of pixelation, one of the most popular redaction techniques (along with other equally risky methods like blurring and swirling). Lead Researcher Dan Petro created this tool to showcase the pitfalls of using this redaction technique by “unredacting” redacted information. We hosted an Unredacter Challenge earlier this year where we asked people to unredact a mystery image, and you can watch the interviews with our winners on our YouTube Channel.

Go To The Tool >>

#2 Asminject: Code Injection Tool for Compromising Linux-Based Processes & Containers

Creator: Ben Lincoln

Why We Like It: Managing Security Consultant Ben Lincoln put together this tool that is originally based off a heavily modified fork of David Buchanan’s dlinject project. You can use asminject to perform an attack on Linux processes and containers using compromised administrative access to the host. It was the topic of our November 2022 Tool Talk, where you can watch Ben Lincoln demo it in action.

Go To the Tool >>>

#3 CloudFox: A Resource to Gain Situational Awareness in Unfamiliar Cloud Environments

Creators: Seth Art and Carlos Vendramini

Why We Like It: CloudFox is a game changer for cloud security. It was built with the intent to help penetration testers and other offensive security professionals gain situational awareness in unfamiliar cloud environments. Use it to discover exploitable attack paths in cloud infrastructure; automate the “boring stuff” and get right to hacking! Watch the Tool Talk livestream dedicated to demonstrating CloudFox here.

Go To The Tool >>>

#4: Spoofy: An Update on a Classic Bishop Fox Tool

Creators: Alex DeFreese and Matt Keeley

Why We Like It: In 2017, we released the email spoofing tool SpoofCheck. This tool was created by Fox Alex DeFreese to check domains for email spoofing protections, proving invaluable for social engineering and red teaming engagements. Last summer, former Fox (and avid member of our Discord server) Matt Keeley updated SpoofCheck into his own tool, Spoofy. Spoofy is a new-and-improved version of SpoofCheck, with enhanced capabilities such as authoritative lookup on all lookups with known good fallback (Cloudflare DNS), a SPF lookup counter, and more. Please note that Spoofy needs Python 3+ to function.

Go To The Tool >>>

From the Infosec Community

#5: Htmlq: jq For HTML Environments

Creator: Michael Maclean

Why We Like It: A command-line interface (CLI) tool that has become popular with our team, htmlq is basically jq for HTML instead of JSON. And what is jq, exactly? It’s like sed, which is a stream editor. (This tool itself is reflective of the symbiotic nature of the open sourceopen-source community!) But returning to htmlq, you can use this tool to extract bits of content for HTML files, which makes it a great asset to have on hand during pen tests.

Go To The Tool >>>

#6: sideloadr: Small Python Tool for DLL Sideloading

Creator: Pascal-0x90

Why We Like It: sideloadr is a modest Python tool that you can use to perform DLL sideloading or DLL hijacking via a Linux machine. DLL hijacking can be a devastating technique to unleash during a pen test, so expect impressive results if you can leverage it successfully. The DLLs compiled in sideloadr are to target Window systems. Plus, sideloadr is an easy-to-use tool, requiring only Poetry or Docker to get to work.

Go To The Tool >>>

#7: hoaxshell: Windows Reverse Shell Payload Generator

Creator: Panagiotis Chartas

Why We Like It: If you have trouble popping a shell during your next security engagement, give hoaxshell a shot! This useful tool serves as a Windows reverse shell payload generator that uses http(s) to create the shell. An updated version of hoaxshell is also available right now, known as Villain, which is essentially the same tool but the “evolved, steroid-induced version of it.” A word to the wise: hoaxshell is now detectable by ASMI.

Go To The Tool >>>

#8: Flying Carpet: Encrypted File Transfer

Creator: Theron Spiegl

Why We Like It: Data exfiltration over Wi-Fi made easy! Flying Carpet truly lives up to its name; it enables encrypted transfer over automatically configured ad hoc networking using nothing but two devices (computers or phones) in close proximity. No Bluetooth is needed; Flying Carpet relies solely on Wi-Fi. This tool is available for Linux, macOS, Windows, and iOS with an Android version coming (somewhat) soon.

Go To The Tool >>>

#9: Nuclei v2.8.0: Vulnerability Scanning All Fuzzed Up

Creator: Project Discovery

Why We Like It: It’s no secret: We at Bishop Fox like to use the vulnerability scanner Nuclei from time to time (as evident in our Tool Talk with creator Sandeep Singh and the subsequent blog post). But we wanted to give special attention to the updates made to Nuclei in early December 2022. You can read the full array of updates made to the scanner here but some highlights include the addition of URL fuzzing, shared sessions/values between templates, and ASNMap integration. We are very proud of our friends at Project Discovery for this milestone update to Nuclei and look forward to seeing what the future holds!

Go To The Tool >>>

What Are Your Favorites? We Want to Know!

These are just nine of the pen testing tools that came out this past year, and we’d love to hear your favorites, too! Connect with us on Discord or Mastodon to let us know what we missed. See you in 2023!