Hacker Software Developers

In this evergreen post, I place all the interviews I’ve done with real Hackers (‘Developers’) that created and maintain some pretty amazing tools that have had an impact on us all.

Most of their tools ship with Kali Linux, Backbox and all those other pentesting and forensic Linux Distro’s out there, and we use them all on an often daily basis.

This post and resource sprung to life when I realized that it was about time we showed some love to the folks that made the pentesting tools that we all use and love.

Legendary Hacking Tools

Some of these tools have legendary status.

Edward Snowden, for example, used Kismet (I interview the developer – see below).

He used it to make contact with journalists pre-whistleblowing; specifically, he used it whilst wardriving in Hawaii trying to find some random WiFi connection.

So, pretty cool when you think about it, well it is to me at least!

My favorite hacking tool is SN1PER.

I interviewed the developer at the end of last year, 2019, and listed as being one of the Best Hacker Tools Of 2020.

Other noteworthy mentions in this ever-growing list include SIPViscious, WPScan for WordPress Hacking, CowPAtty for WiFi Hacking and theHarvester for Email Scraping and Reconnaissance.

All these tools are used daily by Penetration Testers, so, let’s meet the crew!

List of Hackers I’ve Interviewed

These are the folks that make the hacking tools listed included in Kali Linux and other penetration testing Linux Distro’s.

FYI: Where possible I link to their project on GitHub.

* Many of them are looking for help to develop their hack tools so get in contact with them, and thank you for checking out this resource.

xer0dayz SN1PER	Joshua Wright KillerBee, KillerZee, Asleap, CoWPAtty	Matteo Cantoni snmpcheck	Elias Oenal multimon-ng
Filip Waeytens dnsenum	Davide Del Vecchio Bluesnarfer	Gil Dabah diStorm, diStormx	Mike Kershaw Kismet
Andrew Hortons WhatWeb, URLCrazy & Username Anarchy	Christophe Grenier TestDisk	Nikhil Mitta Kautilya	Francisco Rodriguez Plecost
Anders mfterm	Daniel Roethlisberger SSLsplit	Aldo Cortesi mitmproxy	Adam M. Swanda Intersect Framework
Ryan Dewhurst WPScan, DVWA	Sandro Gauci SIPVicious	Christian Navarrete DotDotPwn	Andres Riancho w3af & nimbostratus
Tasos Laskos CDPSnarf, raw2vmdk, Arachni	Lars Brinkhoff httptunnel	Emanuele “crossbower” Acri HexInject	Christian Martorella theHarvester
Andrew Smith Bluepot	Jose Miguel Esparza peepdf	Julio Gomez Ortega findmyhash, Oauzz & Iker	Robin Wood 40+ Tools!

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I created Sn1per in 2014 to automate and leverage the latest pentesting tools and techniques. There really wasn’t a good “point and shoot” solution at the time, so I decided to make my own.

What language did you develop your tool in and why did you choose that particular language?

I built most of Sn1per myself, but there have also been a few developers on Github which have contributed along the way. Sn1per started out using mostly Bash scripting but has since become a hybrid of Bash, Python, and PHP with the development of Sn1per Professional.

Which is your favorite hacking tool? Is it a framework?

My favorite hacking tool of all time was created in the early/mid-’90s called “Aftermath 2000”. It is where I got my start in the world of hacking.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

The future of Sn1per will focus on Sn1per Professional and growing the XeroSecurity product line. We have a number of products that we’ll be releasing over the next few months that will further enhance Sn1per – so we’re excited about that. We’re always on the lookout for new tools and techniques that can be included in Sn1per, so if there’s a tool that can further enhance Sn1per, we’re always open to suggestions.

I published a Sn1per tutorial post here with an excellent video from SaintDrug.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I develop tools if they don’t exist yet, or if the existing tools don’t do what I want or simply don’t have the functionality that I want. I started with dnsenum a long time ago and at that time there was no tool that did DNS enumeration. Of course, you can do most of the stuff with ‘dig’ or ‘nslookup’ and some bash-fu, but a good tool compiles what you need.

It took some years before similar tools showed up and I guess it wasn’t too bad since people seem to use it.

What language did you develop your tool in and why did you choose that particular language?

Perl: In 2003 it was still the most popular scripting language. It had libraries for DNS and I was familiar with the language. These days, if I had to redo it, it would probably be Python.

Which is your favorite hacking tool? Is it a framework?

Since I do mostly web app stuff lately, it’s Burpsuite Pro.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

It’s on GitHub and it’s opensource.

People can contribute to it and fix bugs, make it more stable, add stuff … This is what has happened over time as well when I got contacted by tix, a hacker I didn’t know who I worked with to extend the functionality and who is a far better coder than I am.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I developed WhatWeb to be a web scanner that would quickly and intelligently recognize websites. It is like Nmap for the web and now has over 1700 plugins. I developed it because I wanted to be able to scan the websites of an entire nation and no tools existed at the time.

URLCrazy is a domain name threat discovery tool. I built this to discover and defend against domain attacks including typo-squatting and bit-flipping.

This was the first open-source tool developed to study these attacks and is arguably still the most sophisticated. Username Anarchy is a tool to generate possible usernames.

I developed it so that I could find weak Windows domain accounts during external penetration tests. There’s always someone with the password of Welcome1 or Password1.

I have written other tools but WhatWeb and URLCrazy are the best known and are both included in Kali Linux.

What language did you develop your tool in and why did you choose that particular language?

I prefer to code in Ruby.

The language is designed according to a set of conventions that make coding a more natural and enjoyable experience. Ruby literally brings the coding closer to English.

Which is your favorite hacking tool? Is it a framework?

Rather than pick a favorite that everyone knows about, I’ll give a shoutout to MiTM attack tools. The weakest attack surfaces have shifted from the server-side in the early 2000s to the client-side, and now it is shifting to the network communications. For MiTM attacks, I use BetterCap, evilgrade, and yersinia.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I’ve literally got more plans and ideas than I could achieve in a lifetime. I’m very interested in domain threat intelligence and am working on that at the moment and it may become a successor to URLCrazy.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

The tool is called mfterm which comes from the Mifare NFC tag type it can be used with and “term” from the terminal CLI UI.

When NFC tags started showing up everywhere, from public transport to key cards, I became interested in finding out how they worked. I soon discovered that Mifare 1k/4k tags were really common. I used tools like mfoc and mfcuk to recover keys, but didn’t find any convenient tool to edit and read the tags data. So I started developing mfterm for myself and my friends. I rely heavily on libnfc and couldn’t have done it without the work done by people in that project.

What language did you develop your tool in and why did you choose that particular language?

mfterm is written in C. It was convenient since the canonic library libnfc was a C library.

Which is your favorite hacking tool? Is it a framework?

Hackers are the MacGyver’s of the world and we try to not get hung up on particular tools, but instead, try to find the best tool for the task at hand (or create a new tool if we can’t find one). However, some tools that I keep coming back to are Nmap, burpsuite, sqlmap, Metasploit as well as the “basic” Linux programs nc, whois, traceroute, ping, ssh, curl, etc.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

mfterm is now a “mature” tool and active development has slowed down. Currently, I consider it a feature-complete for the use cases I have. However, I still fix bugs and some times merge requests from contributors that contact me. Recently it was added to homebrew by a person that contacted me and wanted to do it. That part is great! When someone finds your tool and contacts you with a suggestion or wants to contribute some little part.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I’ve got over 40 tools published so far. The majority have been developed during testing to help make the test easier or to squeeze more data out for the report.

What language did you develop your tool in and why did you choose that particular language?

I use many languages. Always choose the one that is appropriate for the job, don’t try to get the language to fit the project.

Which is your favorite hacking tool? Is it a framework?

Firefox – the majority of my work is web app testing and so it all starts in the browser.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I want to see the tools used. How they develop is up to the people using them and their feedback.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

WPScan back in 2009.

I was running my own WordPress blog and saw a vulnerability posted for WordPress on the Full Disclosure mailing list. I wrote a quick script to exploit the vulnerability. I started investigating what other issues affected WordPress.

This lead to adding additional code to the initial script and thinking of expanding the script into a more robust tool. I released the code, started getting feedback from users and other developers got involved. The other developers, now known as the WPScan Team, helped make the WPScan tool what it is today. Damn Vulnerable Web App (DVWA) – I wrote this tool when I was at university. The course did not cover web security until the later stages and I was eager to learn sooner. I thought the best way to teach myself web security was to write deliberately insecure code examples for specific vulnerabilities.

This way I knew what the insecure code looked like and could also practice exploiting vulnerabilities in a legal environment. I started to create a web application with all the vulnerable code, attempting to make the application a little realistic and not just a bunch of vulnerable pages. I released the code, which at the time was horrible, but soon someone came on board and helped me mature the project.

What language did you develop your tool in and why did you choose that particular language?

For WPScan I wrote it in Ruby from the beginning. It was a language I wanted to learn at the time. For DVWA, I wrote it in PHP as it was easy to learn and easy to implement vulnerabilities.

Which is your favorite hacking tool? Is it a framework?

Nikto, Burp Suite, cURL, Nmap.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

To have a commercial SaaS offering for non-technical users.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

CDPSnarf is a sniffer for the CDP (Cisco Discovery Protocol) and was created as an educational exercise during my BSc Network Computing studies. One of the courses included Cisco networking and at some point, we were studying the CDP protocol; in order to get a better understanding of it, I decided to write a packet sniffer for it. raw2vmdk is a forensic utility that generates VMDK files from ‘dd’ disk images to allow for those images to be loaded in a VM for analysis.

It was created around the same time as CDPSnarf and the reason for its creation was to help a friend analyze HDD dumps of a honeynet we had created as a means to gather attack data for his Ph.D. research. The honeynet nodes were real machines, once we were done we took HDD images using the ‘dd’ utility and raw2vmdk helped extract HDD geometry and other data needed to create a VMDK file in order to load those images in a VM for forensic analysis.

Arachni is a Web Application Security Scanner and was created shortly after raw2vmdk, as an educational exercise, in order to pass the time during a free summer.

I wanted to learn Ruby for quite some time and always had an interest in webapp scanners, so I decided to kill 2 birds with one stone by writing a webappsec scanner in Ruby.

The system and the problems it presented turned out to be very interesting, so I basically started working on it and never stopped.

What language did you develop your tool in and why did you choose that particular language?

CDPSnarf was developed in C because I was interested in C at the time and also that was the easiest way for me to access the pcap library which was necessary for the CDP packet capture. raw2vmdk was developed in Java because I wanted the utility to be platform-independent and because a supporting library that does most of the disk image analysis was written in Java. Arachni was developed in Ruby simply because I wanted to learn Ruby.

Which is your favorite hacking tool? Is it a framework?

Call me biased, but my favorite tool is Arachni and it’s also a framework. I’ve been exclusively dealing with web application security for a long time and Arachni provides a lot of functionality to help in that arena, not only as a scanner but also as a set of libraries that one can use to write their own pentesting scripts, tools or even custom scanners.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I think that all aforementioned tools have reached their goals, especially CDPSnarf and raw2vmdk which have been done for a long time now. With Arachni there’s still a lot of room for improvement, especially when it comes to performance and I’m constantly working on that, but by and large, I’d say that the project has reached its goal. It’s feature complete and based on independent industry-wide benchmarks it provides the best crawl coverage, vulnerability identification and accuracy of any alternative; of course, YMMV in real-world cases, but based on the feedback I’ve received by and large it performs similarly well there too.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

The hacking tool’s name is Bluepot.

What language did you develop your tool in and why did you choose that particular language?

The tool was written in Java.

Which is your favorite hacking tool? Is it a framework?

Nmap would be my favorite tool.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I’d like someone to help fix it!

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

All of the tools I’ve created were born from an opportunity to demonstrate a flaw or a weakness, fulfilling a gap where a tool did not already exist. Major tools include KillerBee, KillerZee, Asleap, and CoWPAtty.

What language did you develop your tool in and why did you choose that particular language?

I choose whichever language makes sense depending on the technique at hand. Sometimes it’s 8086 assemblers; sometimes it’s Python.

Which is your favorite hacking tool? Is it a framework?

My favorite tool is my brain.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

My end goal is to demonstrate a flaw, let people use my tools to reproduce the flaw on their own, then to let the community take over my source and continuing to develop the tools to make them better than I could have imagined.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

Bluesnarfer is a tool to basically exploit a vulnerability in the Bluetooth implementation of some mobile phones. The idea came out after the first vulnerabilities started to come out in the while. There was not a tool to exploit them easily.

What language did you develop your tool in and why did you choose that particular language?

The tool has been developed in C because it was the language I knew better at that time.

Which is your favorite hacking tool? Is it a framework?

I guess the old good Nmap is still one of my favorite so far.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I think my tool will be just a “module” of somebody else tool one day.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

TestDisk has been created in 1998 to recover lost partitions.

Today it can recover data in a lot more situations. PhotoRec is born in 2002 when I bought my first digital camera to recover, if the need arose, my pictures. It can recover more than 400 file family.

I developed CmosPwd in 1998 to recover BIOS passwords stored in CMOS memory.

What language did you develop your tool in and why did you choose that particular language?

C language is good to deal with low-level disk access under MS-DOS, Windows, Linux, Mac OS X.

Which is your favorite hacking tool? Is it a framework?

pwntools is great to craft exploits to hack vulnerable binaries.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

More developers will be cool: a GUI for testdisk, a better Bruteforce mode in PhotoRec to recover fragmented jpg.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I wrote the initial code that would later become SSLsplit to scratch an itch I had during my time as a pentester.

Later I polished and published it when I had the need to replace other tools that did not support modern TLS features, were not portable and abandoned by their original developers.

FakeIKEd I wrote much earlier to prove a point when I was studying at a university that at the time had an insecure group password setup.

In both cases, writing a tool not only provided me with the tool I needed but also proved to be a very valuable learning exercise.

This is also true for contributions to existing security tools that I had made in the past, such as SCTP support for Fyodor’s venerable Nmap.

What language did you develop your tool in and why did you choose that particular language?

Plain old C.

These days I also write a lot of Python and I have been developing in numerous other programming languages in the past.

For SSLsplit, the choice of using c was mostly because I wanted it to perform well, I needed to be as close to OpenSSL as possible in order to overcome some of its API design limitations from a MitM attacker perspective, and I needed to be able to access low-level APIs of different NAT engines on different platforms.

Which is your favorite hacking tool? Is it a framework?

There are so many awesome tools and frameworks out there, but I don’t have a favorite hacking tool.

Different tools are best suited for different tasks. I think it’s important to be flexible enough to pick up how to use new tools quickly, and if necessary, to be able to hack together your own if there is no tool that fits the job at hand.

If I had to name one tool that I would bring if I were to be stranded on a deserted island, it would be a Unix shell environment including a c compiler and a python interpreter.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I hope to be able to support my tools, especially SSLsplit, for as long as possible, and implement some improvements, but there is no big development roadmap. They served their purpose and I hope to keep them working as long as they are useful.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

SIPVicious suite is a set of tools that can be used to audit SIP based mobile VoIP systems. It was created when I was testing some SIP-based PBX systems and noticed that the tools out there were not covering my needs. Various excellent friends helped me polish these tools, which were then collectively published as SIPVicious.

The aim was that other pentesters and security folks too can efficiently demonstrate basic security vulnerabilities that affect various SIP systems. WAFW00F is another tool that I, together with Wendel G. Henrique, published. It allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

It was created since, as a pentester, I was often being told, that my attacks are not effective because of WAFs. I guess I just wanted to show how obviously detectable WAFs are so that security researchers could then bypass the WAF.

What language did you develop your tool in and why did you choose that particular language?

Python which is quite a neat language and makes it easy for pentesters to rapidly develop code to demonstrate a number of attacks.

Which is your favorite hacking tool? Is it a framework?

Nmap.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Community support and contributions are welcome, especially for wafw00f.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

httptunnel

What language did you develop your tool in and why did you choose that particular language?

C

Which is your favorite hacking tool? Is it a framework?

Lisp

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

It’s quite stable, so there’s no pressing need for future development.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

The tool I developed is called peepdf and it is a tool to analyze PDF files.

It all started when I was attending a Black Hat Conference talk in 2008 about PDF analysis and the guys presenting told the audience that they would release a tool that they did not release at the end. Then I thought that it was a good idea to develop it myself.

However, for several reasons, it took me a while until I released it, in 2011, and there were already more tools out there. But still, I tried to do something different, putting together all the functionalities needed when you are analyzing a malicious PDF file so the users don´t need to use 5 different tools for that.

This plus the good feedback, the fact that it was developed in Python (cross-platform) and that it was doing some things other tools were not doing was a good motivation to continue dedicating time to it.

What language did you develop your tool in and why did you choose that particular language?

peepdf is written in Python. I chose that language because at that time I was more familiar with it, it was easy and fast to develop and there was a big community supporting it.

My tool did not need high performance at that time so it was a good option.

Which is your favorite hacking tool? Is it a framework?

That’s a difficult question…It really depends on the task you want to do. I am more familiar with tools related to the malware and threat analysis, so I tend to like debuggers and disassemblers like IDA Pro, radare, OllyDbg. If we are speaking about pen-testing and exploiting Metasploit is a great framework that can be extended with your own modules too, so I would choose that one.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Maybe this sounds quite unrealistic, but I would like to reach a point where the tool is completely stable and robust, so just new features need to be added. There are a lot of things to do like improving the performance, support some more PDF specifications, full support for JSON and maybe in the future being able to extend the functionality with custom commands the users can develop.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I developed snmpcheck, a tool useful to automate the process of gathering information on any devices with SNMP protocol during a penetration test.

What language did you develop your tool in and why did you choose that particular language?

At first in Perl, later it was rewritten in Ruby being more powerful.

Which is your favorite hacking tool? Is it a framework?

Metasploit.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Keep it updated by incorporating new functions. The ideal goal is to become a valuable tool in every penetration test activity.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

diStorm and diStormx.

What language did you develop your tool in and why did you choose that particular language?

C. Because it’s a very strong language and can be easily ported to so many other platforms. As diStorm supports to be compiled to many target architectures. In hindsight, it could have been C++ also. C felt cleaner to me for this specific tool. Also, I wanted speed hence the choice.

Which is your favorite hacking tool? Is it a framework?

Probably IDA.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I’m really past that tool already. I am happy to see people use it. I started it for fun to learn how the x86 and x64 architectures work, and it was a really great experiment.

After I finished the first version, I decided it’s time to publish it and I got great feedback and many people and companies around the world use it.

It was very important for me to have high standards there, like performance, memory and disk footprints, clean and documented code, lots of documentation and support for other platforms and bindings for many other languages. I wish more people have contributed to it with new instruction sets.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

Kautilya, which is a tool that makes it easy to use Human Interface Devices in penetration tests.

I created this tool during a red team engagement years ago when I was asked to run a social engineering campaign to test security awareness of a client’s employees. The client had mass storage devices blocked in its environment and that is when I created Kautilya.

Using HID for security testing was already public knowledge, I just created (hopefully) an easy to use tool for that. Nishang – A tool that makes it easy to use PowerShell during red team engagements and penetration tests.

I created this tool as most of my existing payloads were getting detected during penetration tests. I also wanted to have some custom post-exploitation scripts on Windows boxes outside the Metasploit framework.

What language did you develop your tool in and why did you choose that particular language?

I used Ruby for Kautilya as I was comfortable with it. I used PowerShell for Windows payloads of Kautilya and developed Nishang completely in PowerShell as it is available by default on all modern Windows boxes and provides access to Windows API, .Net, WMI, Registry, FileSystem and other boxes on the network.

Which is your favorite hacking tool? Is it a framework?

PowerShell. It is a Windows scripting language.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Make the tools more useful for the community which enables me to learn new and interesting things.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

[I built] mitmproxy [which can] inspect and tamper with traffic from mobile and embedded devices. The tool has since grown to be useful in a wide variety of other circumstances too.

What language did you develop your tool in and why did you choose that particular language?

Python – it’s a good, general high-level programming language with a mature library ecosystem.

Which is your favorite hacking tool? Is it a framework?

Everything I do relates to or is underpinned by code.

My favorite hacking tool – the only thing without which I absolutely couldn’t do my job – is a good, productive programming language.

For quick scripts, I use Python, for network services and places where a bit more heft is required I use Go.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

The next steps for mitmproxy is to solidify general TCP interception, work on fostering an addon ecosystem, and mature our web interface.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

The tool’s name is DotDotPwn.

The idea behind the tool became a long time ago while I was performing pen testing on Web applications. I realized that some of the parameters passed to certain pages were including files and such files were requested from the file system to then later, being displayed on the screen.

I recall Directory Traversal vulnerabilities and then I decided to use some of the regular traversal payloads and luckily it worked. I started to think about how many other methods exist to take advantage of this vulnerability type and here is when I started researching Directory Traversal vulnerabilities in deep.

Sometime later, I came back to re-test the security fixes provided by the development team and of course, didn’t work, but when trying a different set of payloads it worked – again. Here is where I said. “Man, that was Dot-Dot Pwn!” and that’s why the name.

I was more interested in what’s next and then after more research on the topic, I realized that this type of vulnerability affected not only web-based applications but also network software – and even not-networked software – that can suffer from the same problem. After that. I was wondering how to perform – in an automated fashion – a complete (tons of payloads and customizations) discovery of Directory Traversal vulnerabilities in any software or web application that performs calls to the file system in any way.

My first attempt was to do it by supporting HTTP and FTP servers.

The first version (1.0) was released in August 2010, then after some talks with my friend Alejandro Hernandez (@nitr0usmx) he decided to join the coding effort and started to work on version 2.0, which was released soon after the previous one. 2.0 introduced new protocol support as well as flexible parameters to configure the scans.

After that, several enhancements and modules were included as well and then version 2.1 was released at the BugCon Security Conference in October 2010. For 3.0 we had two major dates, the first one was the BETA release which was at the Black Hat USA – Arsenal and a live demo at Campus Party in Mexico.

The official 3.0 release was at the BugCon Security Conference in February 2012. I thought that it would be very interesting to share the tool with the community and then I decided to contact the BackTrack Linux staff to request a tool added to the distro.

Voting for the tool was in place in the tool section of their forum and after a couple of days, we received their answer that the tool was accepted and that will be included soon and it was ready for BackTrack R2. Now, the tool is included in Kali Linux and recently also added to the BlackArch Linux, an Arch-based distro.

The feedback from many people was great and in March 2013 started more code contributions from some twitter followers and also the main repo was created on Github. Since then, new features and support were introduced thanks to such contributions that have been playing a crucial role in the evolution of the tool. The tool became very popular in the community and we started to find that some Internet magazines and a research paper mentioned the tool.

In September 2014, the OWASP Testing Guide v4.0 mentioned the tool under the tool section for Testing Directory traversal/file include (OTG-AUTHZ-001). During testing of the tool, we released 9 security advisories and we heard that many other people discovered vulnerabilities using this tool as well.

What language did you develop your tool in and why did you choose that particular language?

At that time, I was basically playing a lot with Perl, that was my first scripting language so I decided to write it using it. There’s no particular reason for the language, but we are planning to rewrite the tool in Python, which will be including new enhancements and fixes.

Which is your favorite hacking tool? Is it a framework?

I am a very very old school and I like such a way as of today.

My best “Framework” includes a HEX editor, ASCII table, Compiler/Interpreter, Disassembler, Debugger, the Internet and for sure a great brain. I usually don’t use frameworks or at least, I try to not rely entirely on them. I see Frameworks as a compliment, and for sure Metasploit will be on that list too. Nowadays, people rely too much on using Frameworks, but I think that there are cases where certain customization will be required at a certain point.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

We have had very good cooperation in the shape of code contributions and I think that with the upcoming additions to the tool will create more interest of more people to contribute to the project.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

HexInject and the Complemento Suite are both tools to manipulate networks at a very low level. HexInject makes it very easy to inject and sniff frames and packets on a network. It has been created to facilitate and extend the possibilities of the user: for example, it only deals with the annoying things of injecting packets on a network (such as calculating checksums for injected packets) leaving all the creativity of the user unconstrained.

It is also designed to easily cooperate with other tools the user may already use. Complemento is similar, but more focused on specific weaknesses of networks and OS’ protocol stacks. A different tool, but still reflecting my preference for the low-level, is Cymothoa.

It is a stealth backdooring tool, that injects backdoor’s shellcode into an existing process. It also allowed me to try some different approaches to backdooring, for example, the possibility of executing a parasite inside a process, without forking it but simulating an internal scheduler.

What language did you develop your tool in and why did you choose that particular language?

I do not have a favorite programming language, but I prefer languages that have a simple, but flexible core, C for example.

These languages tend to be portable to many systems, and do not have many dependencies. In the security fields, you often face very restricted and exotic systems, so you need languages that adapt easily.

Which is your favorite hacking tool? Is it a framework?

You do not need much more than a UNIX-like operating system, with a compiler and a scripting language, to carry out more of the 80% of the penetration testing work. There are of course some great tools out there, that really simplify many tasks. For example, I like sqlmap very much, because is a very smart tool, that learns a lot of things on the target, without asking too many questions to you.

It is a tool that extends your possibilities, without limiting your creativity. Metasploit is also great, but I find framework a bit overkill to me, and they force you to think in a constructed way. I tend to use smaller, more focused tools.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

The ideal is to develop a tool that is a perfect extension of the mind of the user. This is not easily done, but often involves not only the features that should be implemented but also those that should be left out. This quote is very inflationary, but nevertheless is true, especially in our over-complex today systems: “Perfection is finally attained not when there is no longer anything to add, but when there is no longer anything to take away.”

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

The three most important tools I’ve developed are findmyhash (a script that uses online resources to crack password hashes. The idea came when I was tired of wasting hundreds of hours brute forcing hashes and I thought about using commercial rainbow tables, some of them accessible from the Internet); Oauzz (a fuzzer to analyze the security of Oauth based applications); and iker (a script that automates most of the tests that are usually carried out during a IPSec assessment).

What language did you develop your tool in and why did you choose that particular language?

I use Python because it’s a multiplatform language and very easy to use in scripting.

Which is your favorite hacking tool? Is it a framework?

Nmap, sqlmap and Metasploit.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Although I worked in version 2.0 of findmyhash (and it is almost finished), it never was published. The version 2.0 was a full framework of password cracking, implementing cracking algorithms and connecting with external tools such as John The Ripper.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I started multimon-ng in 2012 when I first got into SDR (Software Defined Radio).

Scanning the spectrum for signals I noticed pager communications and was disappointed to learn there wasn’t an easy way to decode such data on Linux.

I tried multimon which came bundled with Debian, yet the project had been unmaintained for many years and the 64-bit builds were completely non-functional. In turn, the initial work was focused on fixing bugs and porting it to different operating systems, like Windows and macOS X. Once I got the basics working again, others joined the development and helped me to extend the functionality greatly.

What language did you develop your tool in and why did you choose that particular language?

I’m not sure whether I have a favorite, but working with a lot of hardware I am quite fond of the open-source signal analysis software sigrok.

Which is your favorite hacking tool? Is it a framework?

I will say Vim and GCC, with those you can do what you need…

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I never had particular plans for multimon-ng, but I really like how it seems to develop naturally according to people’s demands. It has been used for anything from decoding firing sequences of professional pyrotechnics to satellite communications.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

[I created] Kismet, [which is a] wireless packet capture, IDS tool – Kismet started as a fork of the original Airsnort, hacked to display SSIDs.

There were only a handful of wireless cards at the time (2001/2002) and they had incompatible packet formats, so it made sense to write a tool with a common processing layer and multiple input layers, and it’s just grown since then.

After some time off while being swamped with Real Work, Kismet development has kicked back up, with new methods for storing the data and a new shiny web UI and scriptable REST interface, and the ability to easily capture other protocols that aren’t 802.11 based.

Which is your favorite hacking tool? Is it a framework?

Kismet is written in C++ – at the time, the processing and memory cost incurred by a fully interpreted system would have been too high (originally running on 200 – 500mhz systems with 64 or 128 meg of RAM). C++ incurred a memory cost as well (template expansion and C++ runtime) but much less than a fully dynamic scripting language of the day.

Today, Kismet is still in C++, but has adopted a much more flexible model for storing data with the tradeoff of some additional processing and memory, and by exporting data over REST with JSON or msgpack formats, the user interface duties can be easily moved to a web-based system, or any other scripting language presenting the UI.

Which is your favorite hacking tool? Is it a framework?

When it comes to packet analysis, Wireshark has to be the number one go-to tool.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

At this point, Kismet is old enough to get its learners a permit to drive – but the biggest changes have come in the past year with the transition to a web UI and a much more flexible system. Ultimately, I’d like Kismet to handle anything wireless – now that SDRs have become cheap, monitoring non-Wi-Fi wireless is affordable and sometimes even trivial.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

Plecost is a WordPress vulnerabilities finder.

In early 2010, WordPress was growing rapidly.

Every day new blogs were creating and plugins count increasing every hour. In the same way, bugs and vulnerabilities were discovered, we needed a tool to scan new WordPress installations in order to detect vulnerable versions, those days we performed penetration testing in a Tiger Team and the reconnaissance phase is fundamental. The first version of Plecost was just a proof of concept developed in a few hours, Plecost first release came a few weeks later thanks to my co-worker @ggdaniel.

It included a global scan across Google looking for vulnerable WordPress plugins (this feature is no longer available).

What language did you develop your tool in and why did you choose that particular language?

Plecost is coding in Python because we were familiar with this language and we used to use it.

Which is your favorite hacking tool? Is it a framework?

Scapy

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

The ideal goal for Plecost is to create a collaborative framework to create a huge knowledge database about WordPress installations.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

At the time there was a large gap in tools that covered this area of penetration testing even though the actual tasks are something every penetration tester needs to do.

I built the tool [Intersect] with the idea that if I could help others automate the Linux post-exploitation process, make it freely available, and hopefully get feedback and input from the community then the professional and up-and-coming pentesting community would be better off for it.

It was also very much my way of giving back to a community that has given me some great tools I’ve used, and contributing is one of the best ways to get involved and keep the innovation and contributions going.

What language did you develop your tool in and why did you choose that particular language?

Intersect is developed in Python, primarily due to it being the language I had the most experience with at the time, and the language is very widely used among professional developers, adhoc scripters, and it is easy for beginners to understand and extend upon.

The framework itself was designed to be modular and Python seemed to allow that the best way possible.

Which is your favorite hacking tool? Is it a framework?

Veil Framework.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Intersect has not been actively developed publicly for a few years now, but ideally, I was hoping for it to be a pure Python framework for payload building, post-exploitation tasks, and provide users with a variety of communication mechanisms in a “plug and play” fashion. In 2016, I restarted the project privately from the ground up to entirely revamp the project and take my coding knowledge from the past several years to make that truly happen. Perhaps sometime in 2017 we will see this finished and released publicly.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I created two very interesting tools: w3af and nimbostratus.

w3af was my first open-source tool, a web application scanner with exploitation capabilities. It was created when there were no good open source solutions for web scanning and I worked full-time doing application security testing.

Nimbostratus was the result of an AWS hacking research I did in 2014 and presented at various conferences. The tool allows an attacker to extract AWS credentials from EC2 instance meta-data and escalate privileges in the AWS account to gain root.

What language did you develop your tool in and why did you choose that particular language?

Python is my language of choice. It’s easy to code in Python, there are plenty of libraries and you can write C extensions if performance is a requirement.

Which is your favorite hacking tool? Is it a framework?

Nmap and w3af.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

I would like to see w3af grow into being an “nmap for the web”.

---

Can you tell us the name of the tool(s) you developed and why you had the idea to create them?

I have a few tools, but the main ones are theHarvester, a tool to perform Information Gathering about a company.

I came up with the idea a long time ago, when I was doing Penetration tests and I decided that would be good to have a tool that can search in multiple sources for data that will provide me interesting information about my target that will help me in the Pentest, like servers, hostnames, e-mail addresses, etc. and that’s how I started with the Harvester, by collecting mainly information from Google, Bing, PGP key servers, LinkedIn, DNS, Shodan, etc. The tool can be used also by the companies to see what information is on the Internet about their servers, services, and employees.

Another tool related to Information Gathering is the Metagoofil.

Here the idea came after reading a document about Metadata in Office documents, and I thought wouldn’t be nice if I could search for all public documents belonging to a company that is available on the Internet and extract their Metadata? And that’s what Metagoofil does, it performs a search in Google for Office and PDF documents in the target domain, downloads them and extracts metadata like Users that created/modified the documents, servers where the document was stored, etc, pretty interesting findings for a Penetration tester.

Finally, another tool that I created is Wfuzz. Wfuzz (currently maintained and modified by Xavier Mendez), this tool is a web application brute forcer. It basically lets you brute force any part of an HTTP request using dictionaries, ranges, etc. I decided to create this tool after using Dirb (by Ramon Pinuaga) and Burp suite Intruder; I needed something more custom and flexible than those two, and that is when I started developing my own tool for that purpose.

One of the main reasons I wrote my own tools, is that I wanted to learn in the process, understand how other tools worked and give back something to the community.

What language did you develop your tool in and why did you choose that particular language?

I started programming my tools with Perl, but soon after I discovered Python and it has been my language of choice, due to its simplicity to learn it and the number of libraries that you can find that will save you a lot of time in new projects.

Which is your favorite hacking tool? Is it a framework?

It depends on the task at hand, lately, I have been focusing on Web Application security, so my favorites in this area are Burp suite, SQLmap, Zap Proxy, and Wfuzz.

Other tools I like are Nmap and Metasploit.

How would you like to see your tool develop over time, in other words, what is the ‘ideal goal’?

Currently, my tools are in Business as usual mode, I am not creating new features at the moment, I am just maintaining them, making sure they work as expected, and maybe adding some small additions.

Ideally, I would like to see them moving to the cloud in a SaaS model.

---

In Summary

Let’s round everything up.

What Skills Do You Need To Develop Hacking Tools?

Computer Language (Coding) Skills

There are some clear skills that are required to develop hacking tools like the ones listed below. For example, it really helps to have some sort of programming language like the following:

• Python definitely helps;
• C Programming language would be a massive help.

Interestingly it seems that C is the most popular language to build these tools.

Identify A “Problem”

Another skill that you’ll need when it comes to developing tools is the ability to identify “problems” that need automated scripting. For example, if you’re a Penetration Tester and you’re on an assignment, and you notice that there’s a lack of, for example, a Social Engineering methodology or a WiFi Hacking Scan then that’s great – look at ways to create a tool that will efficiently and effectively help you with your job.

How To Make Money From Creating A Tool

The easiest way to do this is to have two versions of the tool, so you go after the “freemium” and “premium” model.

Many hacking tools follow this model; for example Metasploit and Sn1per.

Before you can start to commercialize your project though you’ll have to have a solid bug-free product that does exactly what it will say it will do. Forking the freemium project on GitHub would be quite a wise move in the sense that you can work with other developers to further improve your product and get it ready for show-time.

What Are The Benefits Of Making A Tool?

There are huge benefits to creating a popular and successful tool.

The first benefit that jumps out is the credibility-factor. Having your name associated with a popular tool, for example, one that ships with Kali Linux or another pentesting (or forensics) distro would propel your career and allow you to network with the best of them out there. Furthermore, many hacker conferences, etc all encourage presentations for the latest tools that hackers have developed.

Go for it!