Dark Mode

Settings

Tools

The Tool Catalogue contains a list of tools that can be used to perform the Penetration Tests. Each tool is designed to execute a specific set of Attack Patterns that can be used to launch a real attack on a target asset. Each tool is associated with a particular Penetration Test Phase. Moreover, each tool is also associated with an Applicability Pattern that precisely identifies the assets it can be applied to. The Applicability Pattern is represented by a Cypher query that needs to be executed on the system model. Finally, each tool is associated with a concrete command that enables it to perform the attack.

Tools Table

Tool ID Name Capec ID Cypher Query Command Description Phase Is Executable

1

 SQLMap
7 66
match (target {type:'Service.Web'})-[:uses]->(b {type:'Service.DB'}) return target.component_id as component_id, target.parameters as parameters python sqlmap.py -u {url} -f --banner --dbs --users Enumeration of databases and users of DBMS.
System Access Exfiltration
False

2

 SQLMap
108
match (target {type:'Service.Web'})-[:uses]->(b {type:'Service.DB'}) return target.component_id as component_id, target.parameters as parameters python sqlmap.py -u {url} -f --os-shell This command is able to test if an RCE could be achieved.
System Access
False

3

 Dirbuster
87 139 597
match (target {type:'Service.Web'}) return target.component_id as component_id, target.parameters as parameters java -jar DirBuster-1.0-RC1.jar -H -u {url} Brute forcing directories and files names on web/application servers.
Enumeration (Collection)
False

4

 Nmap
300
MATCH (:Network)-[:connects|hosts*1..3]->(target) WHERE target.type IN ["SystemLayer.OS", "SystemLayer.Firmware"] RETURN target.component_id AS component_id, target.parameters AS parameters nmap -v -p- -Pn -oX {output_file} -T4 --min-parallelism 100 {ip} Discovery of open ports.
Discovery
True

5

 Nmap
292 309
match (target:Network) return target.component_id as component_id, target.parameters as parameters nmap -sV -O -oX {output_file} -T4 --min-parallelism 100 {ip_range} Discovery of active hosts.
Discovery
True

6

 Nmap
573 574
MATCH (:Network)-[:connects|hosts*1..3]->(target) WHERE target.type IN ["SystemLayer.OS", "SystemLayer.Firmware"] RETURN target.component_id AS component_id, target.parameters AS parameters nmap -sV -p- -oX {output_file} -T4 --min-parallelism 100 {ip} Discovery of services types.
Discovery
True

7

 JohnTheRipper
49
MATCH (target) WHERE target.type IN ['SystemLayer.OS'] RETURN target.component_id AS component_id, target.parameters AS parameters john --wordlist={wordlist_file} --rules {output_file} This command should be executed on the target machine.
Credential Access
False

8

 NoSQLMap
676
match (target)-[:uses]->(b {type:'Service.NoSQLDB'}) return target.component_id as component_id, target.parameters as parameters python NoSQLMap This is a guided tool, so the parameters have to be specified during its use.
System Access Exfiltration
False

9

 Binwalk
497
match (target {type:'SystemLayer.Firmware'}) return target.component_id as component_id, target.parameters as parameters binwalk {firmware_file} This command scans the firmware file for known signatures, data structures and contents
Discovery
False

10

 Binwalk
37 167
match (target {type:'SystemLayer.Firmware'}) return target.component_id as component_id, target.parameters as parameters binwalk -e {firmware_file} Extracting the filesystem from the firmware file
Exfiltration
False

11

 Firmwalker
497 682
match (target {type:'SystemLayer.Firmware'}) return target.component_id as component_id, target.parameters as parameters ./firmwalker.sh {path_to_ext-root} Detecting the presence of intersting files, such as password files, server configuration files, certificates, SSH files, files containing authorized keys for system access via key pairs, files related to active services, and much more
Discovery
False

12

 Ettercap
94 117 141 151 194
MATCH (target2)<-[:hosts]-(HW1:HW)<-[:connects]-(target1:Network) WHERE (target2.type = "SystemLayer.OS" OR target2.type = "SystemLayer.Firmware") AND target1.type <> 'Network.PAN' WITH target2, apoc.convert.fromJsonMap(target1.parameters) AS target1_params, apoc.convert.fromJsonMap(HW1.parameters) AS target2_params WITH [ { component_id: target2.component_id, parameters: apoc.convert.toJson({ ip_1: target1_params.ip, ip_2: target2_params.ip }) } ] AS combined_results UNWIND combined_results AS results RETURN DISTINCT results.component_id AS component_id, results.parameters AS parameters ettercap -T -q -i {interface_name} -M arp:remote -S /{ip_1}// /{ip_2}// This command runs Ettercap in text mode to perform a remote ARP spoofing attack between a target IP and the router, using the specified network interface, to intercept traffic.
Execution Exfiltration Denial of Services
False

13

 Ettercap
94 117 141 151 195
MATCH (target1)<-[:hosts]-(HW1:HW)<-[:connects]-(net:Network)-[:connects]->(HW2:HW)-[:hosts]->(target2) WHERE (target1.type = "SystemLayer.OS" OR target1.type = "SystemLayer.Firmware") AND (target2.type = "SystemLayer.OS" OR target2.type = "SystemLayer.Firmware") WITH target1, target2, apoc.convert.fromJsonMap(HW1.parameters) AS target1_params, apoc.convert.fromJsonMap(HW2.parameters) AS target2_params WITH [ { component_id: target1.component_id, parameters: apoc.convert.toJson({ ip_1: target1_params.ip, ip_2: target2_params.ip }) }, { component_id: target2.component_id, parameters: apoc.convert.toJson({ ip_1: target2_params.ip, ip_2: target1_params.ip }) } ] AS combined_results UNWIND combined_results AS result RETURN DISTINCT result.component_id AS component_id, result.parameters AS parameters ettercap -T -q -i {interface_name} -M arp:remote -S /{ip_1}// /{ip_2}// This command runs Ettercap in text mode to perform a remote ARP spoofing attack between two target IPs, using the specified network interface, to intercept traffic.
Execution Exfiltration Denial of Services
False

14

 Wireshark
94 117 157 158 651
match (target:Network) return target.component_id as component_id, target.parameters as parameters None Wireshark is a network protocol analyzer used to capture, inspect, and analyze network traffic for troubleshooting and security
Information Gathering Discovery Enumeration (Collection) Exfiltration
False

15

 Wireshark
593
match (target:Network) return target.component_id as component_id, target.parameters as parameters None Wireshark is a network protocol analyzer used to capture, inspect, and analyze network traffic for troubleshooting and security
Gaining Access (Initial Access)
False

16

 Polymorph
94 148
MATCH (broker)<-[:hosts|connects*1..4]-(net:Network)-[:hosts|connects*1..4]->(client)-[:uses]->(broker) WHERE broker.type = "Service.MQTTBroker" WITH client, broker WITH [ { component_id: client.component_id }, { component_id: broker.component_id } ] AS combined_results UNWIND combined_results AS result RETURN DISTINCT result.component_id AS component_id polymorph Polymorph is a Python 3 framework that enables real-time modification of network packets, providing users with extensive control over packet contents. It supports a wide range of protocols, including private ones without public specifications, and allows for complex processing of packet data.
Damage
False

17

 MQTT-Pwn
114 115 116 122 202
match (target {type: 'Service.MQTTBroker'}) return target.component_id as component_id, target.parameters as parameters python run.py mqtt-pwn is a security tool designed for testing and auditing MQTT protocol implementations. It supports fuzzing, sniffing, spoofing, and DoS attacks on MQTT brokers. Useful for penetration testers and IoT researchers, mqtt-pwn helps identify vulnerabilities and misconfigurations in MQTT communications across various devices and environments.
System Access Damage
False

18

 BurpSuite
18 19 28 31 32 62 63 72 76 85 86 87 101 126 127 140 147 170 261 588 592 650 664
match (target {type:'Service.Web'}) return target.component_id as component_id, target.parameters as parameters None Burp Suite is an integrated platform for performing security testing of web applications. It supports intercepting and modifying HTTP/S traffic, automated vulnerability scanning, spidering, session handling analysis, and manual testing through a suite of tools such as Repeater, Intruder, and Decoder. It is widely used in the phases of reconnaissance and exploitation during web application penetration tests.
Scanning Credential Access Exfiltration
False

19

 Hydra
16 49 112 600
match (target {type:'Service.SSH'}) return target.component_id as component_id, target.parameters as parameters hydra -l {username} -P {wordlist} -t ssh {ip} Hydra is an open-source tool used for performing brute-force attacks on various protocols and services to test authentication mechanisms. It supports multiple protocols, customizable wordlists, parallel attacks, and can be integrated with other security tools.
System Access Credential Access
False
Tool ID Name Capec ID Cypher Query Command Description Phase Is Executable

We use cookies to ensure you get the best experience on our website.