Computer hackers are constantly searching for new ways to find weaknesses in computer systems more easily and break into them. The search for useful tools by hacking groups and individual criminals will never end, as new utilities are created every single day. In this article we present a list of the top 10 advanced hacking tools of 2019 which we believe are used in complex, coordinated attacks.
1. Legion
Legion is an open-source fork of another framework called Sparta and by definition is a semi-automated network penetration testing framework. It incorporates many tools which allow its operators to conduct large-scale attacks against whole networks or to focus on a single host.
It can conduct automatic reconnaissance and vulnerability scanning using various open-source tools like nmap and nikto, and it comes out of the box with almost 100 auto-scheduled scripts. Its functions are accessible via a graphical user interface which is based on a logical menu system. In addition to having a wide range of built-in functions and capabilities Legion is modular — it can easily be extended with third-party modules and it can interact with other scripts and tools.
Unlike other common tools it is able to perform custom staged scanning which can bypass most signature-based checks made by intrusion detection systems. It is able to automatically detect whether a given network host has any known weaknesses, displaying the matching CPE or CVE entries it has found.
2. King Phisher
King Phisher is an extensive suite that allows its operators to simulate real-world phishing attacks — they can be planned in advance and run against a large number of hosts in real time. Its extensive feature set allows it to run campaigns ranging from only a few targets to extensive and complicated network analysis of whole systems.
What’s particularly useful about it is that it can generate detailed graphs and statistics about the obtained results, and it can customize the sent emails using embedded images for added legitimacy. Optionally, two-factor authentication can be enabled as well.
The phishing messages can be constructed with the Jinja2 template engine, which allows the hackers to make legitimate-looking emails easily. Credentials can be captured automatically by the framework and, to provide the maximum amount of information, the visitors that have opened the messages can be traced to their location. Emails can also be sent with calendar invitations, or the King Phisher framework can copy (clone) existing web pages.
3. WiFi-Pumpkin
This is a popular rogue Wi-Fi access point which is used to divert traffic from wireless clients. It works by impersonating existing networks with fake copies. Special network packets are then sent to the connected users, which disconnect them from the legitimate networks and automatically redirect them to the rogue ones. What’s great about this tool is that it includes the ability to view probe requests. Some of the distinct features it supports include the following:
transparent proxy support, Windows update attack, phishing manager, partial HSTS bypass, BeEF hook, ARP poison, DNS spoof, TCP proxy and more.
WiFi-Pumpkin can be used alongside phishing campaigns and other tools. Like other advanced tools it can easily be extended further using various plugins and external scripts. The use of other programs and applications allows the hackers to set post-exploitation behavior.
This is a multi-threaded post-exploitation scanning utility which is used to “scavenge” the compromised host for active services or specific files and folders. The tool can easily be configured to find the newest data that has been accessed, created or modified by the users. All results can be stored and organized in a database file, which can be compared with scans made at regular intervals to surface interesting findings.
The engine can be configured to look for certain data such as personal information or computer data. The program is designed to proactively scan the system for any payment card holder data and extract it as silently as possible. Future versions will probably add other useful parameters such as database connections, FTP or NFS connections.
5. Trape
Trape is an advanced research and analysis tool that allows hackers to track targets and execute social engineering attacks, even in real time. It is designed to extract a lot of information from web sessions or services without any apparent social interaction. Trape is meant to help organizations and researchers track cyber criminals; however, it can be used by hackers as well. It is designed to be used in conjunction with a set service or host in order to execute the tracking. The sessions can be remotely recognized and tracked. In the current iteration of the program everything is controlled via a web interface which allows the operators to conduct operations in real time.
If the operators desire further information about a certain victim they may launch a more direct and sophisticated attack. The behavior of every individual user can be tracked independently. Like other similar tools it can be used to launch phishing attacks as well, coordinate hooking attacks and capture a wide variety of credentials. The supported sessions include the following services:
Facebook, Twitter, VK, Reddit, Gmail, Tumblr, Instagram, GitHub, Bitbucket, Dropbox, Spotify, PayPal, Amazon, Foursquare, Airbnb, Hacker News and Slack.
6. Social Mapper
This is an open-source intelligence tool which compares social media profiles with input photos by leveraging facial recognition technology. This means that it can easily automate these searches across a variety of web platforms. It does so by taking certain photos and picking individuals out of groups. The program supports the following web services from which it can pull and process information: LinkedIn, Facebook, Twitter, Google+, Instagram, VK, Weibo and Douban.
The input can be either an organization name, a folder of images or an organized CSV file with names and addresses. The program is primarily designed to be used by penetration testers in order to profile their targets and link them to their social media profiles. However, there are several scenarios in which it can be used by attackers:
- The creation of fake social media profiles that can befriend the targets and send them links with malware, phishing or ads. This is useful as the victims are more likely to interact with malware payloads sent via social media channels rather than emails from strangers.
- Using the obtained information the hackers can manipulate their targets into disclosing their email addresses and phone numbers. The gathered information can then be used further for phishing purposes.
- Creating custom phishing campaigns for each separate social media account that the users have.
- Viewing the target photos and getting to know certain environments like offices, buildings and homes.
7. Ghost Tunnel
Ghost Tunnel is a backdoor method which comes in the form of a script. It is an advanced covert tool which allows criminals to attack devices in isolated environments. This is done via special network probe requests when within range of the intended victim. The connection is made without a regular Wi-Fi connection; it can spread specific payloads using these beacon and probe requests. The agent application can be launched without elevated privileges. The operators only need to set up the server and one or two Wi-Fi cards that support monitor mode, which are then used to send out the probe requests.
What’s distinct about Ghost Tunnel is that it requires practically no established Wi-Fi connection with the attacker’s network. When the attack is performed it can successfully bypass firewalls and it can be used against isolated networks. The current version is reported to be effective from a range of up to 50 meters from the target. The Ghost Tunnel server can be used against practically any device that contains a Wi-Fi card. By using code injection techniques practically any exploit code can be delivered.
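From the defender's side, both the WiFi-Pumpkin behaviour described above (a fake copy of an existing network plus disconnect packets) and the Ghost Tunnel probe-request channel leave traces in 802.11 management frames that a monitor-mode sensor can log. The following is an added example, not code from this article or from either tool, and its frame records, MAC addresses and thresholds are constructed for illustration: it flags one SSID beaconed by several BSSIDs, bursts of deauthentication frames from one source, and probe requests whose SSIDs were never beaconed and look like encoded data.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of 802.11 management frames as a monitor-mode sensor
# might log them: (time_seconds, frame_type, source_mac, ssid).
# All values are made up for this example, not captured traffic.
FRAMES = [
    (0.0, "beacon", "aa:aa:aa:aa:aa:01", "CorpWiFi"),
    (0.1, "probe_req", "cc:cc:cc:cc:cc:03", "CorpWiFi"),
    (0.2, "beacon", "bb:bb:bb:bb:bb:02", "CorpWiFi"),  # same SSID, second BSSID
    (1.0, "deauth", "bb:bb:bb:bb:bb:02", ""),
    (1.1, "deauth", "bb:bb:bb:bb:bb:02", ""),
    (1.2, "deauth", "bb:bb:bb:bb:bb:02", ""),
    (1.3, "deauth", "bb:bb:bb:bb:bb:02", ""),
    (1.4, "deauth", "bb:bb:bb:bb:bb:02", ""),
    (1.5, "deauth", "bb:bb:bb:bb:bb:02", ""),
    (2.0, "probe_req", "dd:dd:dd:dd:dd:04", "9f3aB7kQx2LmZ0pVwR8tYc"),
    (2.1, "probe_req", "dd:dd:dd:dd:dd:04", "Uj4nD1sHq7eKxT0bGv2wPa"),
    (5.0, "deauth", "aa:aa:aa:aa:aa:01", ""),  # a single deauth is normal
]

def evil_twin_ssids(frames):
    """SSIDs beaconed by more than one BSSID (possible rogue copy of a network)."""
    bssids = defaultdict(set)
    for _, ftype, src, ssid in frames:
        if ftype == "beacon" and ssid:
            bssids[ssid].add(src)
    return {ssid: sorted(b) for ssid, b in bssids.items() if len(b) > 1}

def deauth_bursts(frames, window=1.0, threshold=5):
    """Sources sending >= threshold deauth frames inside one window-sized time bucket."""
    counts = Counter((src, int(t // window)) for t, ftype, src, _ in frames if ftype == "deauth")
    flagged = {}
    for (src, _), n in counts.items():
        if n >= threshold:
            flagged[src] = max(flagged.get(src, 0), n)
    return flagged

def _entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def suspicious_probe_ssids(frames, min_len=16, min_entropy=3.8):
    """Probe-request SSIDs never seen in a beacon that look like encoded data."""
    beaconed = {ssid for _, ftype, _, ssid in frames if ftype == "beacon"}
    hits = []
    for _, ftype, src, ssid in frames:
        if ftype == "probe_req" and ssid not in beaconed:
            if len(ssid) >= min_len and _entropy(ssid) >= min_entropy:
                hits.append((src, ssid))
    return hits
```

On the constructed sample, the shared SSID, the six-frame deauth burst and the two high-entropy probe SSIDs are each reported; the lone deauth from the legitimate BSSID is not.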
8. Build Your Own Botnet: BYOB
Build Your Own Botnet, or BYOB for short, is an open-source security research tool made to help users better understand how botnets function and to what extent they can be leveraged with malicious intent. By itself it is not designed to be used for criminal purposes; however, as it is open-source technology it can easily be used as a weapon in custom attacks.
The BYOB package contains all the modules required to create a botnet capable of causing significant damage to the intended victims. Its command and control (C&C) center can be accessed via a shell interface, allowing the operators to carry out large-scale attacks. It is packed with all essential features, including remote import of third-party packages and silent installation of the malicious code — no data is written to the hard drive in order to avoid detection by anti-virus engines.
An unlimited number of third-party modules can be loaded and run against the victim machines. The post-exploitation components include the following:
keylogger, screenshot grabber, webcam stream, ransomware delivery, Microsoft Outlook data harvesting, packet sniffing, persistent installation, privilege escalation, port scanner and process control.
9. AutoSploit
This tool is designed to automate the exploitation of remote hosts. It offers a modern approach by automatically collecting its victims and supporting the Shodan API. The operators can add certain search strings that will return specific hosts. When the list of target hosts is populated the operators can continue with the exploitation process. The program utilizes Metasploit modules, which are installed as a dependency. They are used because there is a large number of modules covering almost all commonly targeted services. The included selection focuses on remote code execution flaws that grant access to the target computers. AutoSploit is very convenient for independent hackers or small collectives who want to break into systems without resorting to manual work.
10. Nishang
Nishang is a suite of PowerShell scripts and payloads that can be used during penetration tests and post-exploitation. This is a feature-rich platform that enables attackers to carry out extensive hacking operations. The collection can be dynamically modified, including with user-made scripts.
The complete Nishang repository gives the hackers an extensive list of modules covering all steps of the intrusion process. This includes web shell remote code execution, backdoor delivery and all kinds of escalations and bypasses for common services. The Nishang collection also includes an extensive list of information gathering scripts and man-in-the-middle attacks.