What Are Some of the Best Penetration Testing Tools You Should be Using?
Alec Auer, Falanx Cyber, conducts various types of penetration and compliance testing, including web application, internal infrastructure, email phishing, and Cyber Essentials. He has also achieved the Offensive Security Certified Professional (OSCP) qualification and is a CREST Registered Tester. Alec shares some of his top penetration testing tools.
The number of penetration testing tools, both open-source and commercial, is vast. However, over the years I have narrowed them down to the necessary essentials which can be used for almost any penetration test.
Each tool can serve multiple purposes and have a variety of uses; however, they stand out in certain categories and are my first option for penetration tests as a result. While other options are available, these are the ones I’ve personally found effective and easy-to-use.
The first stage of a penetration test is to determine the attack surface and for this I like to use the Nmap port scanner.
Not only can it perform different port scans, it has an added scripting engine that gives a significant amount of information about open services.
The output of scans is also in several useful formats that can be manipulated and combined with other tools, and since it’s quite popular there are lots of additional plugins that have been developed for increased functionality.
To help make penetration tests more time-efficient, a vulnerability scanner is essential. I tend to choose Nessus as it is straightforward to use and has different vulnerability scans for an added level of flexibility, depending on the test.
The scan is quick, provides an easy-to-read output and also has a good coverage of vulnerability plugins. This, plus Nmap, will be my first stage of a penetration test to find some juicy targets ripe for exploitation.
Once I have found the perfect target, I will look to the Metasploit Framework to exploit it. While there is a paid version, I’ve found the free Community edition is more than enough for my needs.
It’s updated on a regular basis, which ensures I have the most up-to-date public exploits to hand, along with a reliability rating to ensure I don’t crash client systems. The Metasploit database is a nice extra feature which helps me keep track of targets during large infrastructure tests.
Once again it’s Metasploit for this one, as it has some great plugins to further your privileges on a compromised host.
Meterpreter is a flexible shell which has additional modules for stealing passwords, which can then be fed into additional post-exploitation modules within Metasploit itself.
Popular tools, such as the password cracker John, have connected functionality within Metasploit to make the post-exploitation phase even smoother.
Arguably the most important part of any penetration test is being able to clearly present your findings to the client.
I like to use Dradis for my reports, as it has a vulnerability database to ensure that I’m not spending hours searching around previous reports for vulnerabilities. Additionally, it’s possible to upload the output from other tools (such as Nmap and Nessus) and match these to vulnerabilities, which makes the reporting process even simpler!
BurpSuite Pro is an absolutely essential tool on web application tests. Not only is it a web proxy, it has a vulnerability scanner packed in to help search for injection vulnerabilities like SQL.
Additional features include a brute-force tool and its very own App Store where users can publish plugins to test for a wide spectrum of vulnerabilities.