Top 5 recon hack tools

I like lists. I tend to break down many different topics into a list format. Mentally, it is in CSS format and without a doubt marketing speak is equal to a SQL injection attack in my ole gourd. Be that as it may, (I love using that statement, makes me feel like a literary type person) I keep a top five list on the best places to eat in all the cities I visit often, top five best fishing holes, top five best Star Trek episodes and of course top five reasons to avoid going to my mother in laws.

To me, a list is not carved in stone, it should be dynamic and always in flux. If you asked me my top five hacking tools last year, 30% of them would have changed between then and now. Some stick around like relatives after you win the lottery. To get the party the started, let me share with you my top five hacking tools today. From the home office in Iron City, Tennessee this is the Top...oh wait, that is another gap toothed Dudes intro, anyway... The Top Five Recon Hack Favs!

1: Observation: This is a hack tool that needs no boot time, but the most training to use. I have found the majority of security holes (Mainly Web Apps) just by observing the URLs. For example:

I went to a site the other day and noticed the following URL:

Converting 147666142 to binary I get 01011000000001000001000010101100. That looks like 32 bits to me! Lets divide by four and covert each to a decimal number: 01011000:88, 00000100:4, 00010000:16, 10101100:172. How about that!

or Google search strings like this: intitle:"Index of" intitle:login test

or even analyzing error pages. I'll send a HTTP request for a bogus page like and look at what the 404 error tells me about the hosting server. Even status code 500 pages can tell you a whoooooole lot about the internal hosting agent.

2. NMAP on Linux: Fyodor created a real gem here. Especially with the new and improved version 4.75. New OS detection sigs and graphic network mapping. NMAP is THE tool of choice for recon right behind observation. I love using NMAP in conjunction with AMAP. Hey, that is a perfect lead into to tool number three.

3. AMAP: This is a seriously awesome application mapper. AMAP uses the results from NMAP to mine for more info. This makes it nearly silent on the wire. To use AMAP correctly run NMAP with the following tag set:

nmap -sS -O oM target1rslts.nmap -oX target1rslts.xml -p l-65535 -v

(the -oX is a best practice and purely optional. It saves the results also in xml so I can use other xml tools to mine that data). Now just run AMAP with the following tag set:

amap -i target1rslts.nmap -o target1rslts.amap -m

You will be amazed at what it finds!

4. Scanrand: All good target assessments start with a port scan. But where do you start? Scanning all 65535 ports will light off every IDS alarm from here to Madagascar plus it will seem longer then watching 8mm home movies with your mother in law. This is where scanrand comes in. This tool can scan all 65K sockets with hits in around four seconds! scanrand is part of the Paketto Keiretsu tool set wrote by good ole Dan Kaminsky. Fantastic piece of code that works great! Inverse Syn Cookies rule!

5. ParaTrace: This is a toss up for me, but I have been using ParaTrace in my recon activities over the past few months. Nearly all networks have a firewall installed. How do I get beyond that and map the network behind it? ParaTrace is the answer! ParaTrace is what tracert dreams about becoming in it's sleep state. Basically, it listens for outbound connections leaving the network and quickly inserts a few TCP segments with an incrementing TTL value starting at 1, of course then all routers legally respond back along the path with ICMP TTL Exceeded...

Please understand that hacking is not just using the same software over and over. Ever see a Professional Mechanics tool box? it is huge and full of the RIGHT tools for the RIGHT time. Same with network security. You should have a top five recon tool set to determine what course of action you should take in your security auditing. Just like life, One size never ever fits all...

What tools did I leave off that you believe should have made the list?

Jimmy Ray Purser

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2008 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)