Windows Tools For Penetration Testing

07 Jan

Most penetration testers use either a Mac or a Linux-based platform to perform their penetration testing activities. However, it is always good practice to also have a Windows virtual machine with some tools ready to be used for the engagement. The reason is that although Windows cannot be used as a main platform for penetration testing, some of its utilities and tools can still help us extract information from our Windows targets. So in this post we will see some of the tools that we can use on our Windows system.

HashCheck Shell Extension

The HashCheck Shell Extension makes it easy for anyone to calculate and verify checksums and hashes from Windows Explorer. In addition to integrating file checksumming functionality into Windows, HashCheck can also create and verify SFV files (and other forms of checksum files, such as .md5 files).


Netcat

Netcat is often referred to as a “Swiss-army knife for TCP/IP”. Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

Metasploit Framework

The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

RealVNC Viewer

Remote access software for desktop and mobile platforms.


SNMP tool that allows you to collect information about SNMP devices.

Cain & Abel

Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols.


Wireshark

Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development.


PuTTY

PuTTY is an SSH and telnet client for the Windows platform.

Pass The Hash Toolkit

The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions maintained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services), and also to change at runtime the current username, domain name, and NTLM hashes.


Recovering Windows Password Cache Entries.


Identify unknown open ports and their associated applications.


This is a command-line tool that scans for open NetBIOS name servers on a local or remote TCP/IP network, which is a first step in finding open shares.

Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.


Winfo

Winfo uses null sessions to remotely try to retrieve lists of and information about user accounts, workstation/interdomain/server trust accounts, shares (also hidden), sessions, logged in users, and password/lockout policy, from Windows NT/2000/XP. It also identifies the built-in Administrator and Guest accounts, even if their names have been changed.


ClearLogs

ClearLogs clears the event log (Security, System or Application) that you specify. You run it from the Command Prompt, and it can also clear logs on a remote computer.


SQLdict

SQLdict is a dictionary attack tool for SQL Server.


PMDump

PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.


GrabItAll

GrabItAll performs traffic redirection by sending spoofed ARP replies. It can redirect traffic from one computer to the attacker's computer, or redirect traffic between two other computers through the attacker's computer. In the latter case you need to enable IP forwarding, which can be done with GrabItAll too.


DumpUsers

DumpUsers is able to dump account names and information even though RestrictAnonymous has been set to 1.


BrowseList

BrowseList retrieves the browse list. The output list contains computer names, and the roles they play in the network. For example you can see which are PDC, BDC, stand-alone servers and workstations. You can also see the system comments (which can be very interesting reading).


Remoxec

Remoxec executes a program using RPC (Task Scheduler) or DCOM (Windows Management Instrumentation).


Brute-force tool for Windows Management Instrumentation (WMI).


Venom

Venom is a tool to run dictionary password attacks against Windows accounts by using the Windows Management Instrumentation (WMI) service. This can be useful in those cases where the Server service has been disabled.


SMB Auditing Tool

The SMB Auditing Tool is a password auditing tool for the Windows and SMB platforms. It makes it possible to exploit the timeout architecture bug in Windows 2000/XP, making it extremely fast to guess passwords on these platforms.


RPCScan

RPCScan v2.03 is a Windows based detection and analysis utility that can quickly and accurately identify Microsoft operating systems that are vulnerable to the multiple buffer overflow vulnerabilities released in the MS03-026 and MS03-039 bulletins.


LSASecretsDump

LSASecretsDump is a small console application that extracts the LSA secrets from the Registry, decrypts them, and dumps them into the console window.


SQL Ping

SQL Ping is a nice little command line enumerator that specifically looks for SQL servers and requires no authentication whatsoever.


Oracle Auditing Tools

The Oracle Auditing Tools is a toolkit that could be used to audit security within Oracle database servers.


Extract password hashes from local user accounts.


PsTools

The PsTools package provides a set of command line utilities that allow you to manage local and remote systems.


Incognito

Incognito is a tool for manipulating Windows access tokens and is intended for use by penetration testers, security consultants and system administrators.


DumpSec

DumpSec is a security auditing program for Microsoft Windows® NT/XP/200x. It dumps the permissions (DACLs) and audit settings (SACLs) for the file system, registry, printers and shares in a concise, readable format, so that holes in system security are readily apparent. DumpSec also dumps user, group and replication information.


X-Deep/32

X-Deep/32 is an X Window Server for Windows NT/2000/9X/ME/XP that can be used to connect to host systems running UNIX, Linux, IBM AIX etc.


Windows password cracker.


Ophcrack

Ophcrack is a free Windows password cracker based on rainbow tables.


SiVus

SiVus is the first publicly available vulnerability scanner for VoIP networks that use the SIP protocol. It provides powerful features to assess the security and robustness of VoIP implementations.



Posted by on January 7, 2013 in General Lab Notes



12 responses to “Windows Tools For Penetration Testing”

  1. anujsecuritytester

    January 7, 2013 at 2:31 pm

    Hi, what do you mean when you say that windows cannot be used as a main platform for penetration ? (I am a novice in penetration testing)

    Thanks for sharing this list.

  2. netbiosX

    January 7, 2013 at 2:58 pm

    It means that most of the security tools are written for Linux and Mac platforms. If you use a Windows environment as a main platform there will be activities that you cannot perform, as you will not have the right tool.

    • y2h4ck

      February 5, 2013 at 3:41 pm

      I think that this is just a point of view when you talk about pentest. I have worked as a penetration tester for about 7 years, and most corporate environments run on Microsoft Windows, so the most indicated platform to work on is Windows. You need to have deep knowledge and native tools to use on this platform, so using *unix to pentest Microsoft is a waste of time🙂

  3. Bryan Miller

    January 8, 2013 at 11:37 am

    FYI……you can always run a virtual guest with Linux and still use Windows as your major platform. There are many, many tools available in Windows that actually work much better than trying to use a framework tool. I use Windows, Linux and OSX platforms using a combination of VMware and Fusion.

  4. modnet

    January 9, 2013 at 10:41 am

    *NIX based systems have been built with networking in mind. For example, if you choose Wireshark, it will use the WinPcap library in Windows and libpcap in Unix-based systems like Linux or MacOS (which has a BSD kernel inside). WinPcap is the Windows version of libpcap but is still ported code. ”In software engineering, porting is the process of adapting software so that an executable program can be created for a computing environment that is different from the one for which it was originally designed”. So you may say OK, Wireshark works very well under Windows, but I think it will work better where it was born, because porting code across different platforms will slow down performance. If you are a *NIX kernel coder you will laugh if someone tells you that you need to port some core kernel modules to some NT environment.

  5. Mayank Bhandari

    March 14, 2013 at 10:37 am

    This is extremely helpful for me and my career…………

  6. Kris Edison

    August 7, 2013 at 2:12 pm

    Thanks for sharing this collection. There is also lots of pentest software for Windows. The problem is, you have to pay for most of it..

  7. rock

    June 7, 2014 at 3:11 am

    where is Acunetix man???

  8. netbiosX

    July 14, 2014 at 12:02 pm

    @rock This list contains only tools that are open source. Unfortunately Acunetix is a tool that you need to pay for, so this is the reason for not having it on the list.

