Nettacker - Automated Pentesting Framework [Tutorial]


Reviewer: Deepak Prasad

Introduction to Nettacker

Nettacker is an open-source penetration testing tool that automates various network attacks and is part of the OWASP (Open Web Application Security Project) toolset. It is designed to assist ethical hackers and security professionals in identifying vulnerabilities and weaknesses in network infrastructure.

Nettacker can perform a wide range of tasks such as reconnaissance, vulnerability scanning, password cracking, and exploitation. Its reconnaissance capabilities include IP and DNS lookups, port scanning, and service detection. Its vulnerability scanning identifies known vulnerabilities in systems and applications. Nettacker can also perform password cracking using techniques such as dictionary attacks and brute-force attacks. Finally, it supports exploitation modules for known vulnerabilities, allowing security professionals to identify and exploit weaknesses in the system.

One of the key features of Nettacker is its modular design, which allows users to customize and extend the tool according to their specific needs. The tool can be run in both command line and graphical user interface (GUI) mode, making it easy for both experienced and novice users. It also supports a wide range of operating systems, including Windows, Linux, and macOS.

 

Requirements

  1. PC running on Kali Linux.
  2. Have a target to perform a penetration test.
  3. Have Python installed.

Install Nettacker

We can install Nettacker to perform automated penetration testing in two ways. The first is to download the Nettacker files to our PC and run the tool directly. The second is to run it in Docker, which is recommended when the OS is not compatible with Nettacker.

In our case, we will not be installing the tool using Docker. We begin by downloading the tool’s files from its official GitHub repository with the command below.

git clone https://github.com/OWASP/Nettacker

We then navigate into the newly created folder to create a virtual environment on which we will install the dependencies required for the tool to run effectively.

cd Nettacker

Create a virtual environment.

virtualenv env

Activate the virtual environment.

source env/bin/activate

Install the required dependencies.

pip3 install -r requirements.txt

Once installation is complete, we are ready to use Nettacker for penetration testing. We can check that it is working by running the command below.

python3 nettacker.py -h


Using Nettacker CLI

Nettacker has numerous modules which we can use to perform various penetration testing activities. In this guide, we will explore some of these tests. Before we run them, there are various input options we can use in the commands to make the tests effective. Some of these flags include:

  • -i: specifies a single target.
  • -l: specifies a list of targets, usually stored in a file.
  • -L: specifies Nettacker’s language.
  • -h: shows Nettacker’s help menu.
  • -m: specifies the module to use for penetration testing.
  • -t: specifies the number of threads per host.
  • -r, --range: indicates the range within which we will scan the IP.
  • -u: specifies the username to use while brute forcing.
  • -U: specifies the location of the file containing the usernames.
  • -p: specifies the password to use for a brute-force attack.
  • -P: specifies the location of the file containing possible passwords.
  • -x: specifies the modules to exclude during a test.
  • --user-agent: selects the user agent used to send HTTP requests.

These are just some of the flags we can use during penetration testing. Nettacker has many more options, which are listed on the tool's usage page.

Perform Port scan

Using Nettacker, we can perform a port scan on our target. The tool has a module to help us with the scan. Our target system is Metasploitable, which is running on Docker. To start the scan, we run the command below inside the tool’s folder.

[Image: nettacker]

Once the scan is complete, we will be able to view the report of the completed scan on the target system. In the image below we have a list of all the open ports. One advantage of using Nettacker is that the reports on the scan are well organized for further analysis and can be easily incorporated into the final pentest report.

[Image: nettacker]
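The following is an added example, not code from the original article or from the Nettacker project: a small wrapper that refuses to start a port scan unless the target is inside an authorized scope. It uses the -i and -m flags listed earlier with Nettacker's port_scan module; the SCOPE ranges, function names and DRY_RUN variable are assumptions made for this lab setup, and only IPv4 literals are accepted, so hostnames are rejected.

```sh
# Constructed lab scope: loopback and Docker's default bridge network.
SCOPE="127.0.0.0/8 172.17.0.0/16"

# Convert a dotted-quad IPv4 address to an integer; fail on anything else.
ip_to_int() {
  case "$1" in *[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  oldifs=$IFS; IFS=.
  set -- $1
  IFS=$oldifs
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*|????*) return 1 ;; esac   # no leading zeros, max 3 digits
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed only if the IPv4 literal $1 falls inside one of the SCOPE ranges.
in_scope() {
  ip=$(ip_to_int "$1") || return 1
  for cidr in $SCOPE; do
    bits=${cidr#*/}
    case "$bits" in ''|*[!0-9]*) continue ;; esac
    [ "$bits" -le 32 ] || continue
    net=$(ip_to_int "${cidr%/*}") || continue
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( ip & mask )) -eq $(( net & mask )) ] && return 0
  done
  return 1
}

# Print the scan command (default) or run it with DRY_RUN=0, in-scope targets only.
# -i and -m are the flags listed earlier; port_scan is Nettacker's port scan module.
scan_target() {
  if ! in_scope "$1"; then
    echo "refusing: $1 is outside the authorized scope" >&2
    return 2
  fi
  set -- python3 nettacker.py -i "$1" -m port_scan
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi
}
```

Source the file from inside the Nettacker folder and call scan_target with the container's address; with DRY_RUN left at its default the command is only printed.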

 

Access Nettacker GUI

Nettacker can also be used through a graphical user interface, so users can choose between the terminal and the GUI. To launch the GUI, we run the command shown below.

python3 nettacker.py --start-api

[Image: nettacker]

Once the server is up and running, we can access the Nettacker GUI through the API link shown on the screen above. We open the link from the terminal in our web browser. The browser may warn that the website we are about to visit is not secure, since we have not yet added the SSL certificate and key.

When we first open the link, we are required to provide an API key as shown in the image below. The API key is automatically generated when we start the server and can be found in the terminal where we run the API as shown in the image above.

[Image: nettacker]

We now have the GUI ready to perform penetration testing. To start scanning the target we navigate to the “New Scan” tab.

As shown in the image below, we can provide the targets we want to test. Under the profiles, we select the type of test we want to carry out on the target system. When we select a profile, the related scan methods will be automatically selected. We are also required to provide the Graph version, the reporting language and the output file.

[Image: nettacker]

On the Advanced tab, we can include the flags. Under engine options, we can specify the number of threads, the number of retries, the ports, a SOCKS proxy, and the usernames and passwords to try while performing tests such as brute-force attacks on services such as VNC, SMTP, SSH and FTP.

[Image: nettacker]

View Penetration Testing Reports

Nettacker also provides a comprehensive reporting feature, which allows users to generate detailed reports of their findings. The report includes information such as the target IP address, open ports, and discovered vulnerabilities. This information can be used to identify and prioritize vulnerabilities that need to be addressed. The report can be downloaded as an HTML file from the results tab.

 

Conclusion

Overall, Nettacker is a powerful and versatile penetration testing tool that can help security professionals identify vulnerabilities and weaknesses in their network infrastructure. Its modular design, comprehensive reporting, and support for a wide range of operating systems make it an ideal tool for both experienced and novice users. It can be used to conduct reconnaissance, vulnerability scanning, password cracking, and exploitation, and it is a great tool to have in any security professional's toolkit.

 

Kennedy Muthii

He is an accomplished professional proficient in Python, ethical hacking, Linux, cybersecurity, and OSINT. With a track record including winning a national cybersecurity contest, launching a startup in Kenya, and holding a degree in information science, he is currently engaged in cutting-edge research in ethical hacking. You can connect with him on his LinkedIn profile.
