The Best Ethical Hacking Tools of 2021 (and their basic usage)

Today, we’re talking about hacking tools.

Specifically, hacking tools that are being used most frequently by penetration testers and bug bounty hunters in 2020.

There are approximately 5 trillion new custom hacking tools on GitHub every day. Many of these tools are incredibly powerful and robust; others are terrible.

Some of the not-so-good tools disguise their not-so-goodness by implementing impressive ASCII art, interactive CLI-based menus, ANSI colors, etc.

Unfortunately, impressive-looking tools are not necessarily impressive in their functionality. In fact, some of the most average-looking tools are the most practical.

First, let’s cover a few caveats. When I started writing this blog, I was carried away listing so many tools that fitting them all into a single article would drive our team insane and might take weeks.

As a result, I decided to limit this to web and external hacking tools while leaving out a huge array of incredible tools that are great for things like popping internal Windows networks, binary exploitation, Wi-Fi hacking and more.

Also, the definition of “hacking tool” is a bit ambiguous. For example, are programming languages tools? We use programming languages every day, but listing “bash” or “golang” as a tool doesn’t really provide any actionable value to readers, so I decided to exclude them.

Without further ado, let’s get into it. First, the ultimate web hacking tool – Burp Suite.

1. Burp Suite

Burp Suite is so synonymous with web hacking that we are giving it its own section. To be honest, when I was learning to hack, it took me a while to understand the awesomeness of Burp Suite.

I did my OSCP without really using it much, and I found it a bit confusing when I was starting out.

As I started consuming more hacking content online, I noticed that pretty much everyone would recommend it, so I forced myself to learn it properly. Now I have a hard time living without it!

Burp Suite is a web proxy and web vulnerability scanner. It sits between your browser and the web server that you are attacking, intercepting all HTTP(S) traffic.

It has the ability to analyze this traffic to passively discover vulnerabilities, or actively probe the target server, either manually or in an automated fashion.

Basic Usage

Burp Suite does so much stuff that even covering basic usage is really outside the scope of this blog, but I’ll give a rough overview.

When you start up Burp Suite, you’ll see something like the screen below.

The tabs along the top are different functionalities that Burp Suite has. The table below gives a brief description of each tab and the functionality behind it.

Dashboard: Gives an overview of discovered issues, details on the progress of active vulnerability scans and an event log. Active vulnerability scanning is a feature of the paid Professional version only, but it is one of the best web application scanners out there today. Like all automated scanners it will inevitably miss things, but I still use it to provide coverage on penetration tests and it still finds things that I miss manually at times!

Target: Gives a hierarchical overview of all endpoints that have been accessed. This tab also allows you to define specific scopes to ensure that you don’t collect unnecessary out-of-scope data or attack the wrong target.

Proxy: Gives you a live view of incoming and outgoing web traffic. Traffic may be manually edited before being sent, or rules may be set up to find/replace specific text in each request on the fly.

Intruder: Intruder is essentially a highly granular brute forcing tool. It allows you to build wordlists and replace any part of the HTTP request with each word in that list. This is extremely useful for content discovery, exfiltrating data from IDORs, brute forcing login forms, etc.

Repeater: Repeater is very simple: it allows you to build singular custom HTTP requests and send them. An existing request can be taken from the Proxy and sent to the Repeater tab. Once it is there, you can easily make manual edits to the request and then click “Send” to send the request and view the response. This is great for manually investigating exactly how a request works and attempting manual exploitation.

Sequencer: Sequencer captures large amounts of seemingly random tokens and analyses them to check for similarities and patterns. The goal of Sequencer is to discover situations where a token that should be random (like a session token or a CSRF token) is actually not random. This sometimes results in serious vulnerabilities because it allows you to circumvent access controls.

Decoder: Decoder allows you to encode and decode strings recursively. It supports the following encodings: URL, HTML, Base64, ASCII Hex, Hex, Octal, Binary and GZip.

Comparer: Comparer allows you to compare two blobs of text with a nice GUI. This is extremely helpful when analysing two requests (or responses) to figure out exactly how they differ.

Extender: The Extender tab allows you to install Burp extensions. These extensions can be custom written by you, or downloaded directly from the BApp store. There are so many BApps that do some great stuff like assisting in exploitation, prettifying JSON, extending automated scanning capabilities, and much more.

Project Options and User Options: These tabs allow you to set your preferences either at a user level (persists across projects) or at a project level (specific to that project file). It’s worth going through these settings just to familiarise yourself with them so that you know what is possible.

Hopefully that gives you a decent overview of the main Burp Suite features. The best way to learn it fully is to jump in and start using it. There are also a stack of great Burp Suite tutorials and courses online.

Brute Forcing, Fuzzing and Crawling

When blackbox testing applications, one of the first things you likely do is content discovery. It’s worth noting here that Burp Suite has a very good web crawler, but sometimes we would prefer to work on the command line.

The following tools are all command-line based tools that will help you with brute forcing, fuzzing and crawling.

2. Hakrawler

Full disclosure: I wrote this tool! It’s a fast CLI web crawler written in Golang that combines the power of gocolly, waybackurls (thanks tomnomnom!), robots.txt and sitemap.xml to quickly return a stack of endpoints belonging to the target application.

It also supports authenticated scanning, custom headers, scope specification and rudimentary JavaScript parsing.

Basic Usage

Hakrawler accepts a list of hostnames from stdin, so you can use it like this:

cat hosts.txt | hakrawler

It’s definitely worth checking out the readme for more usage tips and features that will help you to customize your crawling: https://github.com/hakluke/hakrawler

3. Ffuf

Ffuf (Fuzz Faster U Fool) is a very fast web fuzzer written in Golang. In terms of functionality, think of it like Burp Intruder on the command-line.

It is excellent for brute forcing web directories and files at speed, but there are also many other use cases for ffuf including virtual host discovery and general HTTP fuzzing (parameters, headers, etc.).

This is a relatively new tool and is still under active development. The most comprehensive guide for this tool’s usage is written by Codingo and it is available here:

https://codingo.io/tools/ffuf/bounty/2020/09/17/everything-you-need-to-know-about-ffuf.html

Basic Usage

The most basic usage for Ffuf is brute forcing files and directories, which can be achieved by running:

ffuf -w ./wordlist.txt -u https://example.com/FUZZ

Note that “FUZZ” is replaced with each word in the wordlist.

4. Dirsearch

Dirsearch is a web path brute forcer written by maurosoria. It is less feature-rich than ffuf because it only brute forces files and directories (it does not perform fuzzing). While this may seem like a disadvantage, the smaller feature set allows the output and workflow to be more catered to that specific use. As a result, I actually find myself reverting to dirsearch quite often when performing web path brute forcing. It has been under active development for 6 years and is still receiving upgrades.

Basic Usage

The most basic usage of dirsearch is to specify a base URL with -u and file extensions with -e. It is beneficial to use a lot of file extensions that might reveal backup files, older files or configuration files that are not supposed to be exposed.

python3 dirsearch.py -e aspx,asp,php,txt,db,bak,backup,old,conf,config,ini,yaml -u https://example.com

Subdomain Enumeration

With the rising popularity of open scope bug bounty programs, many security researchers have turned their attention towards subdomain enumeration techniques in order to gain an upper hand by discovering forgotten assets. There are a lot of tools that do this, but a couple of them stand out from the crowd.

5. Amass

Amass has been around since mid-2018. It is an excellent subdomain enumeration tool with more features than most people realize. It uses about 60 distinct techniques and services to gather organizational intel and assets. The results from each technique are then fed into other techniques recursively, which can be quite time consuming but yields more results.

Basic Usage

The most basic usage to discover subdomains of a root domain is:

amass enum -d example.com

Note that in order to better utilise amass, you really need to spend some time configuring the configuration file to add API keys for various services, and also spend some time investigating the more advanced features of the tool.

For a more in depth view of amass, I wrote a fairly comprehensive guide here: https://medium.com/@hakluke/haklukes-guide-to-amass-how-to-use-amass-more-effectively-for-bug-bounties-7c37570b83f7

6. Subfinder

Subfinder is another great subdomain enumeration tool. It advertises fewer techniques/sources than amass, but the list of techniques it does use is well curated, and I’ve found subfinder to be quite fast when I’ve used it. I tend to use both for full coverage.

Basic Usage

The most basic usage of subfinder to enumerate subdomains from a root domain is:

subfinder -d example.com

Scanning

7. Nmap

The first version of Nmap was publicly released in 1997 in Phrack. Here’s the craziest thing though: it is still under active development. The most recent code commit at the time of writing this blog was 3 days ago, and the full source is available here: https://github.com/nmap/nmap.

Nmap is truly an incredible tool. It has been maintained and improved by many different people for decades, making it extremely robust, accurate and feature rich. At its core, it is a TCP/UDP port scanner, but it can also identify the services running on ports, identify the operating system running on the target, and even perform vulnerability scanning. It also boasts an extensible scripting engine that can be used to add your own custom scanning functionality.

Basic Usage

The most basic usage to determine open TCP ports is simply:

nmap example.com

This default does have a lot of drawbacks though: it doesn’t even scan all 65535 TCP ports; instead it just scans the 1000 most popular ports. A better default scan might be something like:

nmap -A -p- -v host

This will enable OS detection, service version detection, script scanning, traceroute, verbosity, and it will scan all 65535 TCP ports.

8. Nuclei

Essentially, Nuclei sends probes to servers, then analyses the responses. If the response contains something that you are looking for, it will alert you. The exact way in which the target is probed, along with the method of analysing the response, is defined within a yaml file called a “template”.

This tool is excellent for checking large quantities of targets for specific vulnerabilities. The team that wrote Nuclei (dubbed Project Discovery) also offer a repository of nuclei templates to get you started: https://github.com/projectdiscovery/nuclei-templates

Basic Usage

The most basic usage of nuclei is:

cat urls.txt | nuclei -t template.yaml

In the example above, urls.txt is a list of URLs, and template.yaml is any nuclei template. Every URL on the list would be scanned using the technique defined in template.yaml.

9. SQLMap

SQLMap is a tool for detecting and exploiting SQL injection (SQLi) vulnerabilities. It has been around since 2006 and is still actively maintained. Of all the automated SQLi detection tools I’ve tried, I’ve found SQLMap to be the one that discovers them most effectively. The real magic comes in when you actually need to exploit the vulnerability though. SQLMap can take a SQLi vulnerability that is extremely time-consuming and laborious to exploit manually (like a time-based blind boolean), and then exploit it with ease.

Basic Usage

The most basic usage of SQLMap is to simply pass it a URL:

sqlmap -u "http://example.com/vuln.php?id=1"

SQLMap will automatically attempt SQLi on all parameters by default. In this case, it will attempt SQLi on the “id” parameter. Keep in mind that there are way more features to SQLMap. I would recommend checking the official usage guide here: https://github.com/sqlmapproject/sqlmap/wiki/Usage


Productivity

10. Text Manipulation Utilities

I’m specifically referring to Linux command-line utilities that are designed to manipulate strings in some way, like awk, sed, sort and grep. I know these aren’t hacking tools, but I use them multiple times every day for performing tasks that are related to hacking. It’s difficult to overstate the importance of being familiar with these tools; the amount of time they can save you on everyday tasks is unbelievable.

Basic Usage

It’s difficult to provide a single basic use case of these utilities because many of them are very diverse in their nature, and have a lot of different useful features. That said, I am just going to provide one common usage for each tool.

Awk
To print the third word of every line in ./example.txt:

awk '{print $3}' ./example.txt

Sed
Add "http://" to the start of every line in subdomains.txt:

sed 's/^/http:\/\//g' subdomains.txt

Sort
Sort all of the lines in subdomains.txt in alphabetical order and remove duplicates:

sort -u ./subdomains.txt

Grep
Print only the lines ending in ".bugcrowd.com" from subdomains.txt:

grep "\.bugcrowd\.com$" ./subdomains.txt
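As an added example (not code from the original post), here is how the four utilities above chain into one target-preparation workflow: a constructed subdomain-enumeration listing is lower-cased with tr, restricted to the in-scope suffix with grep, deduplicated with sort -u and given a scheme with sed, and a constructed nmap grepable (-oG) result is reduced to host/port/service with awk. The function names, the example.com scope suffix and all sample data are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): the four utilities above chained
# into a target-preparation workflow. All sample data below is constructed.

# Constructed subdomain-enumeration output: mixed case, duplicates and an
# out-of-scope look-alike host that must not end up in the target list.
SUBDOMAINS='www.example.com
api.example.com
www.example.com
dev.example.com
example.com.evil-lookalike.net
API.example.com'

# Constructed nmap grepable (-oG) output for two hosts (sample, not a real scan).
NMAP_GREPABLE='# Nmap scan initiated (constructed sample)
Host: 192.0.2.10 ()	Status: Up
Host: 192.0.2.10 ()	Ports: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/open/tcp//http//nginx 1.18.0/, 443/closed/tcp//https///	Ignored State: filtered (997)
Host: 192.0.2.11 ()	Ports: 8080/open/tcp//http-proxy//Squid 4.10/	Ignored State: closed (999)
# Nmap done'

# scope_targets SUFFIX: read hostnames on stdin, keep only those ending in
# ".SUFFIX", lower-case and dedupe them, and prefix a scheme so the result can
# be piped straight into a crawler such as hakrawler.
scope_targets() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')   # escape dots for the grep regex
    tr '[:upper:]' '[:lower:]' \
      | grep "\.${esc}"'$' \
      | sort -u \
      | sed 's#^#http://#'                         # '#' delimiter: no need to escape '/'
}

# open_ports: read nmap -oG output on stdin and print "host port/proto service"
# for every open port. Each Ports: entry is port/state/proto/owner/service/rpc/version.
open_ports() {
    awk '/Ports:/ {
        host = $2
        line = $0
        sub(/.*Ports: /, "", line)
        sub(/[ \t]+Ignored State:.*/, "", line)
        n = split(line, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")
            if (f[2] == "open") print host, f[1] "/" f[3], f[5]
        }
    }'
}

main() {
    printf '%s\n' "$SUBDOMAINS" | scope_targets example.com
    printf '%s\n' "$NMAP_GREPABLE" | open_ports
}
main
```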

Vim

vim is the most powerful text editor that I have ever used. I cannot begin to explain the features here, but I would recommend spending at least a day or two learning the basics to increase your productivity!

Speeding Up Your Scans

11. GNU Parallel

Parallel is a GNU command-line tool that can multithread any command. Using this tool effectively will require a bit of a learning curve, but it’s worth it. You can get a full tutorial here: https://www.gnu.org/software/parallel/parallel_tutorial.html

Example Usage

Run an nmap scan against all hosts in hosts.txt with 20 threads.

parallel -j 20 nmap :::: ./hosts.txt

Interlace

Interlace is a recently released tool. It has similar functionality to parallel, except it is designed to be used to run hacking tools against targets. It has some useful features for that specific use case such as support for CIDR notation, blockers (in case one task needs to finish before another starts), and it also supports the ability to take in a list of commands from a file, meaning that you can easily build out a full workflow of commands to run on multiple hosts.

Example Usage

Run nikto over all of the targets in ./targets.txt with 20 threads.

interlace -tL ./targets.txt -threads 20 -c "nikto --host _target_ > ./_target_-nikto.txt" -v

Note-Taking

12. Obsidian

Obsidian is a markdown-based note taking tool. It is very simple and powerful. Each note, or “node”, is simply a markdown file. The coolest thing about Obsidian is that it supports relationships between notes. This means that you can link all of your notes together either in a hierarchical manner, or more of a messy graph. Once you link notes together, Obsidian also has a graph view where you can visualise the relationships between all your notes. I have found Obsidian to be very helpful when mapping out assets on targets.

The screenshot below is an example graph that I put together for *.hakluke.com; the data is fake.

13. Notion

This is a recent addition to my repertoire but it’s one that a lot of hackers (and just people in general) swear by. Notion is a cloud-based general productivity and note-taking tool. It is perfect for todo lists, notes, and project management. I find it better than Obsidian for managing my time and tasks because it has more comprehensive note taking features and templates, but I find Obsidian better for keeping notes about targets because of its simplicity and graphed relationship support.

Keep an Eye out 👀

I couldn’t write a 2020 hacking tools article without a shout out to Tomnomnom and Project Discovery. Anything released by these guys is absolute gold. I’d recommend going through every tool that they have released on Github and checking out the functionality.

Conclusion

I’m about 3000 words deep into this article and I feel like I have barely scratched the surface. All of the tools that I have mentioned are either free, or have a free option.

Most of them are also open source. This wasn’t on purpose, I just feel that many of these tools are the best for the job. With that said, if you find any of these open source tools useful I would encourage you to sponsor the creator on Github, or by any other means.

If you are able, helping to code new features or fix bugs on these projects is also generally appreciated by the maintainers.

Disclaimer: PureVPN doesn’t endorse or use any of the aforementioned hacking tools. You can use these hacking tools at your own discretion. This blog is only for informational purposes and the inclusion of links does not imply that PureVPN endorses or approves any tool. The opinions and views expressed by the author are purely his own and don’t reflect the view of our brand.
