While testing the exploitability of your target and mapping out vulnerabilities it is important to gain access inside the targets defenses so that you can establish an internal foothold like a owned box or switch. This is so you can use a tool to discover the packet-filtering being used, and literally map out the firewall/IDS rules. Needless to say that really provides you with a lot more complete vulnerability assessment to help discover more weak spots in the system.


  • Socat
    Socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (terminal or modem, etc.), socket (Unix, IP4, IP6 - raw, UDP, TCP), SSL, a client for SOCKS4, or proxy CONNECT. It supports broadcasts and multicasts, abstract Unix sockets, Linux tun/tap, GNU readline, and PTYs. It provides forking, logging, and dumping and different modes for interprocess communication. Many options are available for tuning socat and its channels. Socat can be used, for example, as a TCP relay (one-shot or daemon), as a daemon-based socksifier, as a shell interface to Unix sockets, as an IP6 relay, or for redirecting TCP-oriented programs to a serial line.
  • Samplicator
    UDP Samplicator receives UDP datagrams on a given port and resends those datagrams to a specified set of receivers. In addition, a sampling divisor N may be specified individually for each receiver, which will then only receive one in N of the received packets.
ftester - for master pentesters only--get the lowdown on your packetfiltering rwhois - really great addition to using whois. Get additional info not on whois, query rwhois servers. lft - useful alternative method of tracerouteing. oppleman packit - define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options etherape - really cool graphical program that displays connections and protocols similar to cheops. amap - fingerprinting xprobe2 - fingerprinting p0f2 - really exceptional fingerprinting. can be passively run in the BG. firewalk - good packetfiltering enumerator BGPview - bgp anyone? icmpenum - icmp fingerprinting dnstracer - awesome and creative graphical output of dns ssldump - not really that useful but impressive in a report mtr - alternative traceroute MRTG - favorite tool of ISPs, many uses here host - don't forget this one ike-scan - scan for vpns upnpscan - scan for upnp devices ftp-spider - get info on ftp server traceproto - very nice alternative to traceroute/firewalk

Also see: Vulnerability Scanner Review


  • sing
  • netleak
  • dmitry
  • isic
  • dnsa
  • nemesis
  • sara
  • zodiacdns
  • fragroute
  • sentry 2.0
  • Caecus
  • C-Parse
  • pchar
  • nmbscan
  • nbtscan
  • admsmb