Automating REST Security Part 3: Practical Tests for Real-World APIs

If you have read our two previous blogposts, you should now have a good grasp on the structural components used in REST APIs and where there are automation potentials for security analysis. You've also learned about REST-Attacker, the analysis tool we implemented as a framework for automated analysis.

In our final blogpost, we will dive deeper into practical testing by looking at some of the automated analysis tests implemented in REST-Attacker. Particularly, we will focus on three test categories that are well-suited for automation. Additionally, we will look at test results we acquired, when we ran these tests on the real-world API implementation of the services GitHub, Gitlab, Microsoft, Spotify, YouTube, and Zoom.

Author

Christoph Heine

Overview

• Part 1: Challenges in Analyzing REST Security
• Part 2: Tool-based REST Analysis with REST-Attacker
• Part 3: Practical Tests for Real-World APIs

Undocumented Operations

The first test that we are going to look at is the search for undocumented operations. These encompass all operations that accessible to API clients despite not being listed in the API documentation. For public-facing APIs, undocumented operations are a security risk because they can expose functionality of the service that clients are not supposed to access. Consequences can range from information leakage to extensive modification or even destruction of the resources managed by the underlying service.

A good example for an operation that should not be available is write access to the product information of a webshop API. While read operations on stock amounts, prices, etc. of a product are perfectly fine, you probably don't want to give clients the ability to change said information.

In HTTP-based REST, operations are represented by the HTTP methods used in the API request (as explained in Part 1 of the blog series). Remember that API requests are essentially HTTP requests which consist of HTTP method (operation), URI path (resource address) and optional header or body data.

GET /api/shop/items 

We can use the fact that REST operations are components from the HTTP standard to our advantage. First of all, we know that the set of possible operations is the same for all HTTP-based REST APIs (no matter their service-specific context) since each operation should map to a standardized HTTP method. As a result, we also have a rough idea what each operation does when it's applied to a resource, since it's based on the assigned purpose of the HTTP method. For example, we can infer that the DELETE method performs a destructive action a resource or that GET provides a form of read access. It also helps that in practice most APIs only use the same 4 or 5 HTTP methods representing the CRUD operations: GET, POST, PUT, PATCH, and DELETE.

If we know a URI path to a resource in the API, we can thus enumerate all possible API requests, simply by combining the URI with all possible HTTP methods:

GET    /api/shop/items POST   /api/shop/items PUT    /api/shop/items PATCH  /api/shop/items DELETE /api/shop/items 

REST-Attacker's test case undocumented.TestAllowedHTTPMethod uses the same approach to find undocumented operations. With an OpenAPI description, the generation of API requests is extremely to automate as the description lists all defined URI paths. Since the API description also documents the officially supported operations, we can slightly optimize the search by only generating API requests for operations not documented for a path (which basically are the candicates for undocumented operations).

To find out whether an undocumented operation exist, we have to determine if the generated API requests are successful. Here, we can again rely on a standard HTTP components that are used across REST APIs. By checking the HTTP response code of the API, we can see whether the API request was rejected or accepted. Since the response codes are standardized like the HTTP methods, we can also make general assumptions based on the response code received. If the operation in the API request is not available, we would expect to get the dedicated response code 405 - Method Not Allowed in the response. Other 4XX response codes can also indicate that the API request was unsuccessful for other reasons. If the operation is accepted, we would expect the API response to contain a 2XX response code.

Using the same approach, we let REST-Attacker search for undocumented operations in all 6 APIs we tested. None of them exposed undocumented operations that could be identified by the tool, which means they would be considered safe in regards to this test. However, it's interesting to see that the APIs could responded very differently to the API requests sent by the tool, especially when considering the response codes.

API	Response Codes
GitHub	401, 404
Gitlab	400, 404
MS Graph	400, 401, 403, 404
Spotify	405
YouTube	404
Zoom	400, 401, 403, 404, 405

Spotify's API was the only one that used the 405 response code consistently. Other APIs returned 400, 401, 403, or 404, sometimes depending on the path used in the the API request. It should be noted that the APIs returned 401 - Unauthorized or 403 - Forbidden response codes even when supplying credentials with the highest possible level of authorization. An explanation for this behaviour could be that the internal access checks of the APIs work differently. Instead of checking whether an operation on a resource is allowed, they may check whether the client sending the request is authorized to access the resource.

Credentials Exposure

Excessive Data Exposure from OWASP's Top 10 API Security Issues is concerned with harmful "verbosity" of APIs. In other words, it describes a problem where API responses contain more information than they should return (hence excessive exposure). Examples for excessive data exposure include leaks of private user data, confidential data about the underlying service, or security parameters of the API. What counts as excessive exposure can also depend on the application context of the underlying service.

Since the definition of excessive data exposure is very broad, we will focus on a particular type of data for our practical test: Credentials. Not only do credentials exist in some form for almost any service, their exposure would also have a significant impact on the security of the API and its underlying service. Exposed credentials may be used to gain higher privileges or even account takeovers. Therefore, they are a lucrative target for attacks.

There are several credential types that can be interesting for attackers. Generally, they fit into these categories:

• long-term credentials (e.g., passwords)
• short-term credentials (e.g., session IDs, OAuth2 tokens)
• service-specific credentials for user content (e.g., passwords for files on a file-hosting service)

Long- and short-term credentials should probably never be returned under any circumstances. Service-specific credentials may be less problematic in some specific circumstances, but should still be handled with care as they could be used to access resources that would otherwise be inaccessible to an API client.

The question is: Where can we start looking for exposed credentials? Since they would be part of the API responses, we could scrape the parameters in the response content. However, we may not actually need to look at any response values. Instead, we can examine the parameter names and check for association with credentials. For example, a parameter names "password" would likely contain a type of credential. The reason this can work is that parameter names in APIs are generally descriptive and human-readable, a side effect of APIs often being intended to be used by (third-party) developers.

In REST-Attacker, credentials parameter search is implemented by the resources.FindSecurityParameters test case. The test case actually only implements an offline search using the OpenAPI description, as the response parameter names can also be found there. The implementation iterates through the response parameter names of each API endpoint and matches them to keywords associated with credentials such as "pass", "auth" or "token". This naive approach is not very accurate and can produce a number of false-positives, so the resulting list of parameters has to be manually checked. However, the number of candidates is usually small enough to be searched in a small amount of time, even if the API defines thousands of unique response parameters.

API	Parameter Count	Candidates	long-term	short-term	service-specific
GitHub	2110	39	0	0	0
Gitlab	1291	0	0	0	0
MS Graph	32199	117	0	0	0
Spotify	290	6	0	0	0
YouTube	703	6	0	0	0
Zoom	800	96	0	0	2

5 out of 6 APIs we tested had no problems with exposed credentials.

Zoom's API was the only one which showed signs of problematic exposure of service-specific credentials by returning the default meeting password for meetings created via the API at an endpoint. It should be noted that this information was only available to approved clients and an required authorized API request. However, the credentials could be requested with few priviledges. Another problem was that Zoom did not notify users that this type of information was accessible to third-party clients.

Default Access Priviledges

The last test category that we are going to look at addresses the access control mechanisms of REST APIs. Modern access control methods such as OAuth2 allow APIs to decide what minimum priviledges they require for each endpoint, operation, or resource. In the same way, it gives them fine-grained control on what priviledges are assigned to API clients. However, for fine-grained control to be impactful, APIs need to carefully decide which priviledges they delegate to clients by default.

But why is it important that APIs assigned do not grant too many priviledges by default? The best practice for authorization is to operate on the so-called least priviledge principle. Basically, this means that a client or user should only get the minimum necessary priviledges required for the respective task they want to do. For default priviledges, the task is usually unspecified, so there are no necessary priviledges. In that case, we would expect an API to grant either no priviledges or the overall lowest functional priviledge level.

If the API uses OAuth2 as its access control method, we can easily test what the API considers default priviledges. In OAuth2, clients can request a specific level of priviledge via the scope parameter in the initial authorization request.

Including the scope parameter in the request is optional. If it's omitted, the API can deny the authorization request or - and that's what we are interested in - decide which scope it assigns to the authorization token returned to the client. By analyzing the default scope value, we can see whether the API adheres to the least priviledge principle.

REST-Attacker can automatically retrieve this information for configured OAuth2 clients with the scopes.TestTokenRequestScopeOmit test case. For every configured OAuth2 client, an authorization request without the scope parameter is sent to the OAuth2 authorzation endpoints of the API. The tool then extracts the scope that is assigned to the returned OAuth2 token. This scope value then has to be manually analyzed.

Out of the 6 APIs we tested, 2 (MS Graph and YouTube) denied requests without a scope parameter. The other 4 APIs (GitHub, Gitlab, Spotify, and Zoom) allowed omitting the scope parameter. Therefore, only the latter 4 APIs assigned default prviledges that could be analyzed.

API	Assigned Scope	Least Priviledge?
GitHub	(none)	Yes
Gitlab	api	No
Spotify	(default)	Yes*
Zoom	all approved	No

* OAuth2 scope with least priviledges

Interestingly, the extent to which a least priviledge principle was followed varied between APIs.

GitHub's API assigned the overall lowest possible priviledges by default via the (none) scope. With this scope, a client could only access API endpoints that were already publicly accessible (without providing authorization). While the scope does not grant more priviledges than a public client would get, the (none) scope had other benefits such as an increased rate limit.

In comparison, the Spotify API had no publicly accessible API endpoints and required authorization for every request. By default, tokens were assigned a "default" scope which was the OAuth2 scope with the lowest available priviledges and allowed clients to access several basic API endpoints.

Gitlab's and Zoom's API went into the opposite direction and assigned the highest priviledge to their clients by default. In Gitlab's case, this was the api scope which allowed read and write access to all API endpoints. Zoom required a pre-approval of scopes that the client wants to access during client registration. After registration, Zoom returned all approved scopes by default.

Conclusion

We've seen that while REST is not a clarly defined standard, this does not result in REST APIs being too complex for a generalized automated analysis. The usage of standardized HTTP components allows the design of simple yet effective tests that work across APIs. This also applies to other components that are used across APIs such as access control mechanisms like OAuth2. The practical tests we discussed worked on all APIs we tested, even if their underlying application contexts were different. However, we've also seen that most of the APIs were generally safe against these tests.

Tool-based automation could certainly play a much larger role in REST security, not only for finding security issues but also for filtering results and streamlining otherwise manual tasks. In the long run, this will hopefully also result in an increase in security.

Acknowledgement

The REST-Attacker project was developed as part of a master's thesis at the Chair of Network & Data Security of the Ruhr University Bochum. I would like to thank my supervisors Louis Jannett, Christian Mainka, Vladislav Mladenov, and Jörg Schwenk for their continued support during the development and review of the project.

Related posts

• Hacker Tools Mac
• Hacks And Tools
• Hacker Hardware Tools
• New Hack Tools
• Hacker Techniques Tools And Incident Handling
• Physical Pentest Tools
• Easy Hack Tools
• Hacking Tools For Games
• Hacker Techniques Tools And Incident Handling
• Pentest Tools List
• Pentest Tools Windows
• Hacker Tools Free
• Hack Tools For Pc
• Blackhat Hacker Tools
• Hackers Toolbox
• Pentest Tools Website Vulnerability
• Hacking Tools Online
• Free Pentest Tools For Windows
• Pentest Tools Website
• Hacker Tools 2020
• Nsa Hack Tools
• Physical Pentest Tools
• Pentest Recon Tools
• Hacks And Tools
• Hack Tools
• Pentest Tools Url Fuzzer
• Hack Apps
• Hack App
• Hacking Tools Free Download
• Hacking Tools For Windows
• Hacker Tools For Mac
• Computer Hacker
• Hack Tools For Pc
• Hacking Tools For Windows 7
• Pentest Tools Website Vulnerability
• Hacking Tools
• Nsa Hack Tools
• Hacker Tools Hardware
• Hack Website Online Tool
• Hacker Tools
• Hack Tools Download
• Pentest Tools Subdomain
• Hacker Tools Github
• Hack App
• Pentest Tools Port Scanner
• Hacking Tools Pc
• Easy Hack Tools
• Bluetooth Hacking Tools Kali
• Hacking Tools Online
• Hacking Tools Mac
• Hack Tools
• Hacking Tools Windows
• Hacking Tools For Windows
• Pentest Tools Find Subdomains
• Pentest Tools Kali Linux
• Hack App
• Hack Rom Tools
• Hack Tools
• Pentest Tools Online
• Hackrf Tools
• Pentest Tools Nmap
• Hacker Tools 2019
• Hacking Tools For Kali Linux

Linux Command Line Hackery Series: Part 2

Welcome back to Linux Command Line Hackery, yes this is Part 2 and today we are going to learn some new skills. Let's rock

Let us first recap what we did in Part 1, if you are not sure what the following commands do then you should read Part 1.

mkdir myfiles                                                # make a directory (folder) with myfiles as name
cd myfiles                                                      # navigate to myfiles folder
touch file1 file2 file3                                    # create three empty files file1, file2, file3
ls -l                                                                   # view contents of current directory
echo This is file1 > file1                               # write a line of text to file1
cat file1                                                           # display contents of file1
echo This is another line in file1 >> file1    # append another line of text to file1
cat file1                                                          # display the modified content of file1

Command:  cp
Syntax:        cp source1 [source2 ...] destination
Function:     cp stands for copy. cp is used to copy a file from source to destination. Some important flags are mentioned below
Flags:          -r copy directories recursively
                     -f if an existing destination file cannot be opened, remove it and try  again

Let us make a copy of file1 using the new cp command:

cp file1 file1.bak

what this command is going to do is simply copy file1 to another file named file1.bak. You can name the destination file anything you want.
Say, you have to copy file1 to a different folder maybe to home directory how can we do that? well we can do that like this:

cp file /home/user/

I've used the absolute path here you can use whatever you like.

[Trick: ~ has a special meaning, it stands for logged in user's directory. You could have written previous command simply as
cp file1 ~/
and it would have done the same thing.]

Now you want to create a new directory in myfiles directory with the name backup and store all files of myfiles directory in the backup directory. Let's try it:

mkdir backup
cp file1 file2 file3 backup/

this command will copy file1 file2 file3 to backup directory.
We can copy multiple files using cp by specifying the directory to which files must be copied at the end.
We can also copy whole directory and all files and sub-directories in a directory using cp. In order to make a backup copy of myfiles directory and all of it's contents we will type:

cd ..                                           # navigate to previous directory
cp -r myfiles myfiles.bak       # recursively copy all contents of myfiles directory to myfiles.bak directory

This command will copy myfiles directory to myfiles.bak directory including all files and sub-directories

Command: mv
Syntax:       mv source1 [source2 ...] destination
Function:    mv stands for move. It is used for moving files from one place to another (cut/paste in GUI) and also for renaming the files.

If we want to rename our file1 to  file1.old in our myfiles folder we'll do the follow:

cd myfiles                                      # navigate first to myfiles folder
mv file1 file1.old

this command will rename the file1 to file1.old (it really has got so old now). Now say we want to create a new file1 file in our myfiles folder and move the file1.old file to our backup folder:

mv file1.old backup/                    # move (cut/paste) the file1.old file to backup directory
touch file1                                    # create a new file called file1
echo New file1 here > file1         # echo some content into file1

Command:  rmdir
Syntax: rmdir directory_name
Function: rmdir stands for remove directory. It is used for removing empty directories.

Let's create an empty directory in our myfiles directory called 'garbage' and then remove it using rmdir:

mkdir garbage
rmdir  garbage

Good practice keep it doing. (*_*)
But wait a second, I said empty directory! does it mean I cannot delete a directory which has contents in it (files and sub-directories) with rmdir? Yes!, you cannot do that with rmdir. 
So how am I gonna do that, well keep reading...

Command:  rm
Syntax:        rm FILE...
Function:     rm stands for remove. It is used to remove files and directories. Some of it's important flags are enlisted below.
Flags:          -r remove directories and their contents recursively
                     -f ignore nonexistent files and arguments, never prompt

Now let's say we want to delete the file file1.old in backup folder. Here is how we will do that:

rm backup/file1.old                # using relative path here

Boom! the file is gone. Keep in mind one thing when using rm "IT IS DESTRUCTIVE!". No I'm not yelling at you, I'm just warning you that when you use rm to delete a file it doesn't go to Trash (or Recycle Bin). Rather it is deleted and you cannot get it back (unless you use some special tools quickly). So don't try this at home. I'm just kidding but yes try it cautiously otherwise you are going to loose something important.

Did You said that we can delete directory as well with rm? Yes!, I did. You can delete a directory and all of it's contents with rm by just typing:

rm -r directory_name

Maybe we want to delete backup directory from our myfiles directory, just do this:

rm -r backup

And it is gone now.
Remember what I said about rm, use it with cautious and use rm -r more cautiously (believe me it costs a lot). -r flag will remove not just the files in directory it will also remove any sub-directories in that directory and there respective contents as well.

That is it for this article. I've said that I'll make each article short so that It can be learned quickly and remembered for longer time. I don't wanna bore you.

Related posts

1. Hacker Tools For Mac
2. Pentest Tools Website
3. Hacking Tools Mac
4. Pentest Tools Linux
5. Hacker Tools Linux
6. Pentest Tools Linux
7. Pentest Tools Apk
8. Hack Website Online Tool
9. Hacker Security Tools
10. Tools For Hacker
11. Hacker Techniques Tools And Incident Handling
12. Hack Tools
13. Nsa Hacker Tools
14. Hacking App
15. Hacking Tools Pc
16. Hacker Tools Apk
17. Hack Website Online Tool
18. Pentest Tools Port Scanner
19. Hacking Tools For Windows 7
20. Install Pentest Tools Ubuntu
21. Hacker Tools List
22. Hack Rom Tools
23. Pentest Reporting Tools
24. Hacker Tools 2020
25. Hack Tools For Mac
26. Hacker Tools Hardware
27. Hacker Tools Free
28. Pentest Tools List
29. Pentest Tools Android
30. Pentest Tools Bluekeep
31. Pentest Tools Apk
32. Hacking Tools For Beginners
33. Pentest Recon Tools
34. Pentest Tools For Ubuntu
35. Underground Hacker Sites
36. Hacker Tools Mac
37. Pentest Tools For Android
38. Install Pentest Tools Ubuntu
39. Best Pentesting Tools 2018
40. Hack App
41. Growth Hacker Tools
42. Hackrf Tools
43. New Hacker Tools
44. What Is Hacking Tools
45. Hacker Tools Free Download
46. Github Hacking Tools
47. Hack Tools
48. Hacking Tools For Mac
49. Hacker Tools Linux
50. Easy Hack Tools
51. Hacker Techniques Tools And Incident Handling
52. Hacker Tools Free
53. Hacking Tools Name
54. Pentest Tools Free
55. Pentest Reporting Tools
56. Hacker Hardware Tools
57. Free Pentest Tools For Windows
58. Pentest Tools Website
59. Pentest Tools Free
60. Hacker Tools Free Download
61. Hack Tools For Games
62. Pentest Box Tools Download
63. Hack Apps
64. Pentest Tools For Android
65. Pentest Tools Free
66. Pentest Tools For Windows
67. Pentest Tools For Mac
68. Pentest Tools For Android
69. Hacking Tools For Games
70. Hacker Tools For Pc
71. Hacking Tools Name
72. Hak5 Tools
73. How To Make Hacking Tools
74. Hacking Tools For Kali Linux
75. Pentest Tools Website Vulnerability
76. Hacker Hardware Tools
77. Hacker Tools List
78. Hacker Tools 2020
79. Hacking Tools For Windows
80. Best Pentesting Tools 2018
81. How To Make Hacking Tools
82. Tools For Hacker
83. Hacks And Tools
84. Hacker Tools Online
85. Hacker Tools Free Download
86. Hacking Tools For Beginners
87. Hacking Tools Windows
88. Hacking Tools Windows
89. Hacks And Tools
90. Hacker Tools List
91. Kik Hack Tools
92. Hacking Tools For Windows
93. Hacker Tools Mac
94. Nsa Hacker Tools
95. Pentest Tools For Ubuntu
96. Github Hacking Tools
97. Pentest Tools Bluekeep
98. Pentest Tools Find Subdomains
99. Black Hat Hacker Tools
100. Hacker Tools Software
101. Pentest Tools Tcp Port Scanner
102. Hack Tools For Games
103. Hacking Tools Online
104. Hacking Tools 2019
105. Hacker Tools List
106. How To Hack
107. Black Hat Hacker Tools
108. Pentest Tools Alternative
109. Hacking Tools Github
110. Best Hacking Tools 2020
111. Hacking Tools Download

Networking | Switching And Routing | Tutorial 1 | 2018

Welcome to my new series of tutorials about networking. Moreover in this series I'll discuss briefly each and every thing related to routing and switching. After that you will able to pass an exam of HCNA, CCNA etc. First of all you have to know which software is used by which company such as Huawei used its own software named eNSP while Cisco used its own software named Cisco Packet Tracer. After that you have to know that how to download and install both of the software in your computer systems. So the purpose of this blog is to give you people an overview about how to download and install both of them.

What is a Network? 

First of all we must have to know about what is a network. So the network is the interconnection of two or more than two devices in such a way that they can communicate each other. In computer networks we can say that the interconnection of two or more than two end devices (computer, laptops, printers etc) for the sake of sending and receiving some amount of data is known as computer network.

What is Internet?  

The very simple and easily understandable definition of a internet is "The network of networks". Now what is meant by that? When different networks from the different areas or at the same areas wanna communicate with each other then internet formed. So we can say that "Internet is the interconnection of different networks in such a way that networks can communicate with each other".

More information

1. Pentest Tools Github
2. Hacker Tools Apk Download
3. Hacker Tools List
4. Hacker Tools
5. Hacking Tools Name
6. Hacker Tools Linux
7. Pentest Tools Windows
8. Tools 4 Hack
9. Hacking Tools Free Download
10. Hacker Tools Mac
11. Pentest Tools For Windows
12. Hacking Tools Pc
13. Beginner Hacker Tools
14. Tools Used For Hacking
15. Pentest Tools Website
16. Hacking Tools Software
17. Pentest Tools For Windows
18. Hacker Hardware Tools
19. Pentest Automation Tools
20. Hacking Tools Pc
21. Pentest Box Tools Download
22. Pentest Reporting Tools
23. Pentest Tools Website Vulnerability
24. Pentest Tools Website
25. Hack Tools 2019
26. Top Pentest Tools
27. Tools For Hacker
28. Hacking Tools Free Download
29. Pentest Tools Free
30. Hacker Tools Github
31. Nsa Hack Tools
32. Wifi Hacker Tools For Windows
33. Hack Tools
34. Hack Tools For Mac
35. Best Hacking Tools 2020
36. Hacker
37. Pentest Tools Free
38. Black Hat Hacker Tools
39. Hacking Tools For Beginners
40. Hacker Tools For Mac
41. Hak5 Tools
42. Pentest Tools Subdomain
43. Hacker Security Tools
44. Hacker Tools Online
45. How To Hack
46. Hack Tools For Windows
47. Black Hat Hacker Tools
48. Pentest Tools Kali Linux
49. How To Hack
50. Hacking Apps
51. Hacking Tools 2019
52. Hacking Tools Software
53. Hack Tools
54. What Is Hacking Tools
55. Pentest Tools List
56. Pentest Tools Bluekeep
57. Hack Tool Apk No Root
58. Hacker Techniques Tools And Incident Handling
59. How To Install Pentest Tools In Ubuntu
60. Hacking Tools Kit
61. Best Hacking Tools 2019
62. Hack Tool Apk No Root
63. Pentest Tools For Windows
64. Tools 4 Hack
65. Pentest Tools Apk
66. Hacker Tools Software
67. Pentest Tools Bluekeep
68. Hack Tools Online
69. Pentest Tools Subdomain
70. Pentest Recon Tools
71. Pentest Tools Github
72. Hacking Tools Mac
73. Physical Pentest Tools
74. Growth Hacker Tools
75. Hacking Tools Hardware
76. Hacker Tools For Windows
77. Pentest Tools Github
78. Pentest Tools Nmap
79. Pentest Reporting Tools
80. Hacker Tools Hardware
81. Pentest Tools Framework
82. Hacking Tools
83. Pentest Tools For Windows
84. Nsa Hack Tools
85. Pentest Tools Android
86. Pentest Reporting Tools
87. Hack Tools For Pc
88. World No 1 Hacker Software
89. Tools For Hacker
90. Hacker Tools Hardware
91. Nsa Hack Tools
92. Hacker Tools Apk
93. Hackers Toolbox
94. Pentest Tools Kali Linux
95. Hacking Tools For Games
96. Hack Tools Mac
97. Pentest Tools Android
98. Hacking Tools For Pc
99. Pentest Tools Website
100. Hacker Tools For Windows
101. Pentest Tools Bluekeep
102. Easy Hack Tools
103. Hackrf Tools
104. Pentest Tools Tcp Port Scanner
105. Hacking Tools Pc
106. Pentest Recon Tools
107. Pentest Tools Windows
108. Pentest Tools
109. Usb Pentest Tools
110. Black Hat Hacker Tools
111. Hacker Tools For Mac
112. Bluetooth Hacking Tools Kali
113. World No 1 Hacker Software
114. Hacker Tools Software
115. Pentest Tools List
116. Pentest Tools Alternative
117. Hacking Tools Windows
118. Hacker Tool Kit
119. Hacking Tools For Beginners
120. Hacking Tools
121. Nsa Hack Tools Download
122. Nsa Hack Tools Download
123. Hacking Tools Online
124. Blackhat Hacker Tools
125. Hacking Tools Free Download
126. Hacker Tools Mac
127. Hacking Tools For Windows
128. Hacking Tools For Mac
129. Hack Tools For Ubuntu
130. Underground Hacker Sites
131. Pentest Tools For Android
132. Hacking Tools For Beginners
133. Nsa Hack Tools Download