Top 10 Penetration Testing Tools
1. Kali Linux
Kali isn’t a tool per se. It’s an open-source distribution of the Linux operating system built for information security tasks such as security research, reverse engineering, computer forensics, and, you guessed it, penetration testing.
Kali contains several penetration testing tools, some of which you’d see on this list as you read on. These tools can do almost everything you want when it comes to pen-testing. Want to carry out an SQL injection attack, deploy a payload, crack a password? There are tools for that.
It used to be known as Backtrack before its current name, Kali. It is currently maintained by Offensive Security who release updates to the OS once in a while to add new tools, improve compatibility, and support more hardware.
One amazing thing about Kali is the wIde range of platforms it runs on. You can run Kali on Mobile devices, Docker, ARM, Amazon Web Services, Windows Subsystem for Linux, Virtual Machine, and bare metal.
A common practice of pen testers is to load up raspberry pis with Kali because of their small size. This makes it easy to plug it into a network at a target’s physical location. However, most pen testers use Kali on a VM or a bootable thumb drive.
Note that Kali’s default security is weak, so you need to bolster it before doing or storing anything confidential on it.
2. Metasploit
Bypassing the security of a target system isn’t always a given. Pen testers rely on vulnerabilities within a target system to exploit and gain access or control. As you can imagine, thousands of vulnerabilities have been discovered on a wide range of platforms over the years. It is impossible to know all these vulnerabilities and their exploits, as they are numerous.
This is where Metasploit comes in. Metasploit is an open-source security framework developed by Rapid 7. It is used to scan computer systems, networks, and servers for vulnerabilities to exploit them or document them.
Metasploit contains more than two thousand exploits across a wide range of platforms, such as Android, Cisco, Firefox, Java, JavaScript, Linux, NetWare, nodejs, macOS, PHP, Python, R, Ruby, Solaris, Unix, and of course, Windows.
Besides scanning for vulnerabilities, pentesters also use Metasploit for exploit development, payload delivery, information gathering, and maintaining access on a compromised system.
Metasploit supports some Windows and Linux operating systems and it is one of the pre-installed apps on Kali.
3. Wireshark
Before attempting to bypass the security of a system, pentesters try to gather as much information as they can about their target. Doing this allows them to decide on an optimal approach to testing the system. One of the tools pentesters use during this process is Wireshark.
Wireshark is a network protocol analyzer used to make sense of traffic going through a network. Network professionals usually use it to troubleshoot TCP/IP connection issues such as latency issues, dropped packets, and malicious activity.
However, pentesters use it to assess networks for vulnerabilities. Besides learning how to use the tool itself, you also need to be familiar with some networking concepts such as TCP/IP stack, reading and interpreting packet headers, understanding routing, port forwarding, and DHCP work to use it proficiently.
Some of its key features are:
- Can analyze large volumes of data.
- Support for analysis and decryption of hundreds of protocols.
- Real-time and offline analysis of networks.
- Powerful capture and display filters.
Wireshark is available on Windows, macOS, Linux, Solaris, FreeBSD, NetBSD, and many other platforms.
Sponsored Content:
4. Nmap
Pentesters use Nmap for gathering information and detecting vulnerabilities on a network. Nmap, short for network mapper, is a port scanner used for network discovery. Nmap was built to scan large networks with hundreds of thousands of machines, rapidly.
Such scans usually yield information such as the types of hosts on the network, services(application name and version) they offer, the name and version of the OS the hosts are running, packet filters and firewalls in use, and many other characteristics.
It is through Nmap scans that pentesters discover exploitable hosts. Nmap also lets you monitor host and service uptime on a network.
Nmap runs on major operating systems such as Linux, Microsoft Windows, Mac OS X, FreeBSD, OpenBSD, and Solaris. It also comes pre-installed on Kali like the penetration testing tools above.
5. Aircrack-ng
WiFi networks are probably one of the first systems you wished you could hack. After all, who wouldn’t want “free” WiFi? As a pentester, you should have a tool for testing WiFi security in your toolset. And what better tool to use than Aircrack-ng?
Aircrack-ng is an open-source tool pentesters use to deal with wireless networks. It contains a suite of tools used to assess a wireless network for vulnerabilities.
All Aircrack-ng tools are command-line tools. This makes it easy for pentesters to create custom scripts for advanced use. Some of its key features are:
- Monitoring network packets.
- Attacking via packet injection.
- Testing WiFi and driver capabilities.
- Cracking WiFi networks with WEP and WPA PSK (WPA 1 and 2) encryption protocols.
- Can capture and export data packets for further analysis by third-party tools.
Aircrack-ng works primarily on Linux(comes with Kali) but it’s also available on Windows, macOS, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2.
6. Sqlmap
An insecure database management system is an attack vector pentesters often use to get into a system. Databases are integral parts of modern applications, which means they’re ubiquitous. It also means that pentesters could get into a lot of systems through insecure DBMSs.
Sqlmap is a SQL injection tool that automates the detection and exploitation of SQL injection flaws in order to take over a database. Before Sqlmap, pentesters ran SQL injection attacks manually. This meant that executing the technique required prior knowledge.
Now, even beginners can use any of the six SQL injection techniques supported by Sqlmap(boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries, and out-of-band) to attempt getting into a database.
Sqlmap can carry out attacks on a wide range of DBMSs such as MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, and SQLite. Visit the website for a full list.
Some of its top features include:
- Executing commands on the OS of the target machine, via out-of-band connections.
- Accessing the underlying file system of the target machine.
- Can automatically recognize password hash formats, and crack them using a dictionary attack.
- Can establish a connection between the attacker machine and the underlying OS of the database server, allowing it to launch a terminal, a Meterpreter session, or a GUI session via VNC.
- Support for user privilege escalation via Metasploit’s Meterpreter.
Sqlmap is built with Python, which means it can run on any platform that has the Python interpreter installed.
Sponsored Content:
7. Hydra
It’s incredible how weak most people’s passwords are. An analysis of the most popular passwords used by LinkedIn users in 2012 revealed that more than 700,000 users had ‘123456’ as their passwords!
Tools like Hydra make it easy to detect weak passwords on online platforms by attempting to crack them. Hydra is a parallelized network login password cracker(well, that’s a mouthful) used to crack passwords online.
Hydra is usually used with third-party wordlist generators such as Crunch and Cupp, as it doesn’t generate wordlists itself. To use Hydra, all you need to do is specify the target you’d be pen testing, pass in a wordlist, and run.
Hydra supports a long list of platforms and network protocols such as Cisco auth, Cisco enable, FTP, HTTP(S)-(FORM-GET, FORM-POST, GET, HEAD), HTTP-Proxy, MS-SQL, MySQL, Oracle Listener, Oracle SID, POP3, PostgreSQL, SMTP, SOCKS5, SSH (v1 and v2), Subversion, Telnet, VMware-Auth, VNC, and XMPP.
Though Hydra comes pre-installed on Kali, it has been “tested to compile cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and MacOS”, according to its developers.
8. John The Ripper
Weird name aside, John The Ripper is a fast, open-source, offline password cracker. It contains several password crackers and also lets you create a custom cracker.
John The Ripper supports many password hash and cipher types making it a very versatile tool. The password cracker supports CPUs, GPUs, as well as FPGAs by Openwall, the developers of the password cracker.
To use the John The Ripper you choose from four different modes: word list mode, single crack mode, incremental mode, and external mode. Each mode has ways of cracking passwords that make it suitable for certain situations. John The Ripper attacks are mainly through brute force and dictionary attacks.
Although John The Ripper is open source, no official native build is available(for free). You can get that by subscribing for the Pro version, which also includes more features such as support for more hash types.
John The Ripper is available on 15 operating systems(at the time of writing this) including macOS, Linux, Windows, and even Android.
9. Burp Suite
So far, we have discussed testing networks, databases, WiFi, and operating systems, but what about web apps? The rise of SaaS has led to a lot of web apps popping up over the years.
The security of these apps is just as important, if not more than other platforms we’ve examined, considering many companies now build web apps instead of desktop apps.
When it comes to penetration testing tools for web apps, Burp Suite is probably the best one out there. Burp Suite is unlike any of the tools on this list, with its sleek user interface and heavy pricing.
Burp Suite is a web vulnerability scanner built by Portswigger Web Security to protect web applications by rooting out flaws and vulnerabilities. Although it has a free community edition, it lacks a huge chunk of its key features.
Burp Suite has a Pro version and an enterprise version. Features of the professional version can be grouped into three; Manual penetration testing features, advanced/custom automated attacks, and automated vulnerability scanning.
The enterprise version includes all of the Pro features and some other features such as CI integration, scan scheduling, enterprise-wide scalability. It cost a whole lot more as well at $6,995, whereas the Pro version costs just $399.
Burp Suite is available on Windows, Linux, and macOS.
Sponsored Content:
10. MobSF
More than 80% of the people in the world today have smartphones, so it is a reliable way for cybercriminals to attack people. One of the most common attack vectors they use is apps with vulnerabilities.
MobSF or Mobile Security Framework is a, well, mobile security assessment framework built to automate malware analysis, pen-testing, and static & dynamic analysis of mobile apps.
MobSF can be used to analyze Android, iOS, and Windows(mobile) app files. Once the app files are analyzed, MobSF prepares a report summarizing the functionality of the app, as well as detailing potential issues that could allow unauthorized access to information on a mobile phone.
MobSF performs two types of analysis on mobile apps: static(reverse engineering) and dynamic. During static analysis, a mobile is first decompiled. Its files are then extracted and analyzed for potential vulnerabilities.
Dynamic analysis is performed by running the app on an emulator or a real device and then observing it for sensitive data access, insecure requests, and hardcoded details. MobSF also includes a Web API fuzzer powered by CappFuzz.
MobSF runs on Ubuntu/Debian-based Linux, macOS, and Windows. It also has a pre-built Docker image.
In Conclusion…
If you already had Kali Linux installed before now, you would have seen most of the tools on this list. The rest you can install on your own). Once you’re done installing the tools you need, the next step is to learn how to use them. Most of the tools are pretty easy to use, and before you know it, you’d be on your way to improving your clients’ security with new skill sets.
