Penetration testing, also known as ethical hacking, is the practice of testing a computer system, network or web application to find security vulnerabilities that an attacker could exploit. It can either be automated with software applications or performed manually.
FSociety is an open source penetration testing framework that consists of a variety of hacking tools which range from information gathering to post-exploitation.
If you are passionate about cyber security, you must have heard of the famous Mr. Robot series. Fsociety is a framework that has been used in the series to carry out the various hacking attacks it features. I don’t want to give you any spoilers, but for those who have not watched this TV show, I would highly recommend it.
Advantages of Fsociety framework.
1) It comes with a complete tool set for all the penetration testing stages.
2) It can be used on platforms such as Windows, Linux and Android.
3) It is super easy to get started.
4) It is automated, so it gives you a moment to sip a cup of tea.
Getting started with Fsociety
Steps on how to install and get started with Fsociety:
Fsociety can be cloned from GitHub: https://github.com/Manisso/fsociety.
- To clone from GitHub, run:
git clone https://github.com/Manisso/fsociety.git
- Navigate to the directory where you have cloned fsociety.
- Give install.sh executable permission by running this command in the terminal:
chmod +x install.sh
- Finally, run the installer:
./install.sh
- To run just type :
The fsociety menu screen will then appear.
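A check worth running between the clone and `./install.sh` steps above: list the installer lines that fetch remote content, escalate privileges or touch system paths, and read them before granting execute permission. This is an added example, not code from the fsociety project; the function names, the patterns and the sample installer are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the fsociety project: list the lines of an
# installer script that warrant a manual read before it is made executable.

# scan REASON ERE FILE -> "REASON:LINENO:TEXT" for each non-comment match
scan() {
    grep -nE -- "$2" "$3" | grep -vE '^[0-9]+:[[:space:]]*#' | sed "s/^/$1:/"
}

# review_installer FILE -> prints findings; 0 = nothing flagged, 1 = review
# needed, 2 = file unreadable. The patterns are a heuristic, not a verdict.
review_installer() {
    file=$1
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    findings=$(
        scan pipe-to-shell '(curl|wget)[^|]*\|[[:space:]]*(sudo[[:space:]]+)?(ba)?sh' "$file"
        scan network-fetch '(curl|wget|git[[:space:]]+clone)[[:space:]]' "$file"
        scan privilege '(^|[[:space:];&|])sudo[[:space:]]' "$file"
        scan recursive-delete 'rm[[:space:]]+-[A-Za-z]*(rf|fr)' "$file"
        scan system-path '[[:space:]]/(usr|etc|bin|opt)/' "$file"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample installer (NOT the real fsociety install.sh).
make_sample() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
#!/bin/sh
# sudo in a comment is ignored
mkdir -p "$HOME/.tool"
sudo cp tool.py /usr/bin/tool
curl -s https://example.invalid/setup.sh | sh
rm -rf /tmp/tool-build
EOF
    echo "$sample"
}

sample=$(make_sample)
review_installer "$sample"
echo "exit status: $?"
rm -f "$sample"
```

Against a real clone, call `review_installer install.sh` from inside the cloned directory and read each flagged line in context before running `chmod +x install.sh`.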
You can now use tools from each category above by typing in the number of the type of attack you want to use. These include:
● Information Gathering
● Password Attacks
● Wireless Testing
● Exploitation Tools
● Sniffing & Spoofing
● Web Hacking
● Private Web Hacking
Let me briefly point out some of the tools mentioned above.
1. Information Gathering
This is the first and most important phase of any penetration test. The pen tester gathers all the publicly available information about the target and looks for ways in which it can be exploited.
Fsociety covers the following tools for information gathering:
● Host To IP
● CMS Scanner
● Dork — Google Dorks Passive Vulnerability Auditor
● Scan A server’s Users
So, what next after getting the user information? I would try to attack the passwords, and Fsociety has us covered at number 2.
2. Password Attacks
For password attacks, Fsociety uses:
● Cupp (Common User Passwords Profiler): a tool that generates a wordlist from a common user profile.
In case we wish to attack the system from the wireless side, we can test the target’s wireless infrastructure using the tools provided for us in number 3.
3. Wireless Testing
For wireless testing, the following tools are available:
● Bluetooth Honeypot
After testing the target’s wireless infrastructure, we then move to the fun part, where we attempt to exploit and take advantage of the target’s system. Luckily enough, Fsociety has us covered on that too at number 4.
4. Exploitation Tools
These are the tools that will allow you to take advantage of the vulnerabilities you discovered. The following tools are provided to help you with that task:
● FTP Auto Bypass
● JBoss Autopwn
Once we succeed or even if we don’t, we can try sniffing and spoofing to get what we want using our number 5.
5. Sniffing and Spoofing
Just to note: spoofing and sniffing are types of cyber-attacks. In simple words, spoofing means pretending to be someone else, and sniffing means illegally listening in on another’s conversation.
The tools used for sniffing and spoofing in Fsociety are:
● SMTP Mailer
If our entry point happens to be the web, we have tools to help us with this at number 6 and 7.
6. Web Hacking
It consists of tools used for web penetration testing, including testing of CMSs (Content Management Systems).
Tools available include:
● Drupal Hacking
● WordPress & Joomla Scanner
● Gravity Form Scanner
● File Upload Checker
● WordPress Exploit Scanner
● WordPress Plugins Scanner
● Shell and Directory Finder
● Joomla! 1.5–3.4.5 remote code execution
● Vbulletin 5.X remote code execution
● BruteX — Automatically brute force all services running on a target
● Arachni — Web Application Security Scanner Framework
7. Private Web Hacking
Under private web hacking the following tools are available:
● Get all websites
● Get joomla websites
● Get wordpress websites
● Control Panel Finder
● Zip Files Finder
● Upload File Finder
● Get server users
● SQli Scanner
● Ports Scan (range of ports)
● Ports Scan (common ports)
● Get server Info
● Bypass Cloudflare
We are also provided with some post-exploitation tools as an option at number 8.
8. Post Exploitation
The following are tools available for post exploitation:
● Shell Checker
Thank you for stopping by.
DISCLAIMER: This article is for learning purposes only. I am not responsible for any harm caused while referring to it.
Article by Restercuter Nyawira, a SheHacks KE member, trainer and cybersecurity enthusiast. Find her on LinkedIn (Restercuter Nyawira) and Twitter @Restercuter1.