Open-source penetration testing tools are freely available software solutions that help pentest teams identify system and network weaknesses. Teams often need a variety of tools to perform a full penetration test, so using open-source pentesting tools can help keep costs down. Many of the tools below are included in the Kali Linux operating system. We’ve compiled a comprehensive list of open-source products and note the paid upgrades available for each.
Top Penetration Testing Categories
We’ve grouped the tools below according to their function in a pentest exercise. Some fall into multiple categories, and there’s some overlap between categories, but this list represents our assessment of the main function performed by each specific tool. Here are the major categories, with links you can use to skip down to the best tools in each category:
- Best web app scanning tools: ZAP, Nikto2, W3af, WPScan
- Best password crackers: John the Ripper, Medusa, Rubeus
- Best pentesting frameworks: Burp, Metasploit, Fiddler
- Best wireless network scanning tools: Hashcat, Aircrack-ng, wifite
- Best exploitation tools: BeEF, SQLmap, SET
- Best sniffing tools: Ettercap, Tcpdump, Wfuzz
- Best network scanners and enumeration tools: Nmap, Wireshark, Gobuster, Amass
4 Best Web App Scanning Tools
These open-source penetration testing tools help professionals test the security of web-facing applications, servers, and other assets. The top four options are OWASP ZAP, Nikto2, W3af, and WPScan.
OWASP ZAP
The Open Web Application Security Project (OWASP) maintains Zed Attack Proxy (ZAP), which sits between the tester’s browser and a web application to intercept requests, modify their contents, or forward them, among other tasks. OWASP teams actively maintain it, and it supports multiple programming and scripting languages. ZAP is comprehensive and full of features, such as a spider, passive and active scans, a request editor, a marketplace, and plug-ins.
Pros
- Actively maintained by OWASP teams
- Comprehensive and full of features, such as a spider, passive and active scans, application programming interfaces (APIs), and a request editor
- Supports multiple programming and scripting languages
- Provides graphical and command-line interfaces (CLIs) as well as good documentation
- Convenient for various levels of experience, from beginners to enterprise security teams
Cons
- Can be harder to install and offers a less friendly UX than premium products such as Burp Suite
- Needs additional plugins to provide some features
Nikto2
Nikto is a lightweight command-line web server scanner that identifies common web flaws such as server misconfigurations. It ships with Kali Linux or can be installed as a single package with the command sudo apt install nikto. It runs tests against multiple items, including thousands of potentially dangerous files and common gateway interface (CGI) programs, and checks for outdated server versions and version-specific problems on hundreds of server types.
Pros
- Straightforward tool covers common needs
- Can test intrusion detection systems (IDS)
- Supports files for input and output
Cons
- Beginners might get confused
- No graphical user interface (GUI)
- No known community or support
W3af
W3af, the Web Application Attack and Audit Framework, is a scanner and framework that analyzes web applications and generates reports of its findings. Once the app is mapped, the tool sends crafted requests to trigger specific classes of bug, such as SQL injection, and reports the ones it confirms.
Pros
- Easy to learn and use
- Generates helpful reports
- Automates many tasks
- Provides thorough documentation
Cons
- The GUI can be challenging
WPScan
WPScan is a popular security tool for WordPress. It can be used with pentesting distributions like Kali Linux, with Docker, or as a binary. A quick scan can reveal typical flaws of WordPress installations, such as XML-RPC being enabled or outdated dependencies, and it can also run brute-force attacks efficiently. Behind the scenes, the CLI tool uses the WordPress Vulnerability Database API to retrieve WordPress vulnerability data in real time.
Pros
- Comprehensive, offering good documentation
- Entirely built for WordPress
Cons
- Free plan has limited API quotas
- A lot of prerequisites if users don’t use Kali Linux
- No GUI
Pricing upgrades: The CLI tool is free but limited; premium small business and enterprise versions are available.
If your business is trying to start its own pentesting initiative, check out our guide to developing a pentesting program, which includes steps like setting specific priorities and scheduling tests.
3 Best Password Crackers
Password cracking consists of recovering passwords from the hashed or encrypted form in which computer systems store them. System administrators and security teams, as well as hackers, use these tools to spot weak passwords. John the Ripper, Medusa, and Rubeus are the top password crackers.
John the Ripper
John the Ripper is one of the most popular free password crackers and is included in Kali Linux; it also has a premium version. It combines several approaches to password cracking into one package and supports hundreds of hash and cipher types, including those used by macOS, Windows, web apps, groupware, database servers, network traffic captures, encrypted private keys, filesystems and disks, archives, and document files.
Pros
- Highly flexible configurations
- Can crack common variations by applying mangling rules (e.g., Pa$$w0rd)
- Combines the best aspects of various password crackers in one package
Cons
- Can be hard to learn, set up, and configure
- Runs with the same privileges as the user invoking it, so it cannot read shadow password files without elevated rights
- Only cracks passwords, nothing else
To learn how to use John the Ripper and hear more about its pros and cons, read John the Ripper: Password Cracking Tutorial and Review.
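The mangling rules mentioned above are why a password like Pa$$w0rd falls in seconds: the cracker derives it mechanically from the dictionary word "password". The following is an added example, not code from the article or from John the Ripper, that turns the same idea into a defensive check: it reverses the common rules (leetspeak substitutions, capitalization, appended or prepended digits and symbols) so a password policy can reject such variants before a cracker finds them. The wordlist, the substitution table, and the function names are assumptions constructed for the example; a real deployment would load a large dictionary such as the ones shipped with John or SecLists.

```python
"""Reject passwords that are mangled dictionary words (added example)."""
import re

# Constructed sample wordlist; stands in for a real cracking dictionary.
SAMPLE_WORDLIST = {"password", "welcome", "summer", "dragon", "letmein"}

# Leetspeak substitutions in the style of a cracker's "l33t" mangling rule (assumed table).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i", "|": "l",
})

# Digits and non-word characters that mangling rules append or prepend.
TRAILING_JUNK = re.compile(r"[\d\W_]+$")
LEADING_JUNK = re.compile(r"^[\d\W_]+")

def candidate_base_words(password: str) -> set[str]:
    """Return the plain words that common mangling rules could have produced
    from this password, e.g. "Summer2024!" -> {"summer", ...}."""
    lowered = password.lower()
    forms = {lowered}
    forms.add(TRAILING_JUNK.sub("", lowered))   # "summer2024!" -> "summer"
    forms.add(LEADING_JUNK.sub("", lowered))    # "!dragon" -> "dragon"
    # Undo leetspeak on every form collected so far ("p@ssw0rd" -> "password").
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    # Strip again after de-leeting, since de-leeting can expose trailing digits.
    forms |= {TRAILING_JUNK.sub("", f) for f in list(forms)}
    return {f for f in forms if f}

def is_mangled_dictionary_word(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the password is a dictionary word or a trivially mangled variant of one."""
    return any(word in wordlist for word in candidate_base_words(password))

if __name__ == "__main__":
    for pw in ["Pa$$w0rd", "Summer2024!", "Dr4g0n", "xq7#Lm9!vT2b"]:
        verdict = "weak (mangled dictionary word)" if is_mangled_dictionary_word(pw) else "ok"
        print(f"{pw}: {verdict}")
```

The check is deliberately one-directional: rather than generating every mangled form of every dictionary word (which is what the cracker does, at great cost), it normalizes the single candidate back toward its base word and looks that up, so it runs in constant time per password and is cheap enough for a registration or password-change hook.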
Medusa
Medusa is a powerful brute-force login tool with interesting features that is included in Kali Linux. This command-line tool can also be installed as a Linux package using the command sudo apt install medusa. It supports thread-based parallel testing, so brute-force attempts can run simultaneously, and it can resume an interrupted Medusa scan.
Pros
- Easy to learn and use
- Fast and concurrent
- Can be extended easily
Cons
- Supports fewer operating systems and platforms than other tools
- Lacks documentation
Rubeus
Open-source and licensed under the BSD 3-Clause license, Rubeus is a C# toolset for raw Kerberos interaction and abuse. It targets Kerberos, the ticket-based network authentication protocol used in Active Directory (AD), whose ever-growing use comes with frequent misconfigurations. Rubeus exploits the resulting vulnerabilities and performs functions such as crafting keys and granting access using forged certificates.
Pros
- Good for Kerberos flaws
- Includes modifications to Rubeus’ approach to Kerberoasting
- Versatile; once dropped on the target machine it can perform various AD-related attacks
Cons
- Can be detected by several methods, from the host, network, or domain perspective
- Can be caught at the initial weaponization stage, because the code itself uses sensitive APIs
For an explanation on how to test your organization’s security services using Rubeus and other pentesting tools, read Testing & Evaluating SIEM Systems: A Review of Rapid7 InsightIDR.
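The cons above note that Rubeus activity is detectable from the domain perspective. The following is an added example, not code from the article or from the Rubeus project, showing one commonly documented domain-controller detection for Kerberoasting: Windows security event 4769 (a Kerberos service ticket was requested) where the ticket encryption type is RC4-HMAC (0x17) and the target is a user-owned service account rather than krbtgt or a computer account. Modern domains issue AES tickets (0x12) by default, so a burst of RC4 requests for several SPNs from one account stands out. The event records are constructed samples that carry only a subset of the real 4769 fields, and the alert threshold is an assumption to tune per environment.

```python
"""Flag Kerberoasting-style 4769 events (added example, constructed sample events)."""

RC4_HMAC = "0x17"        # encryption type Kerberoasting tools typically request
AES256 = "0x12"          # the modern default, shown here only for contrast
ALERT_THRESHOLD = 3      # distinct services requested with RC4 by one account (assumed)

# Constructed sample 4769/4768 events; field names follow the Windows event schema.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_sql",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_web",    "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "krbtgt",     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.25"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "svc_sql",    "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.31"},
    {"EventID": 4769, "TargetUserName": "asmith@CORP.LOCAL", "ServiceName": "WS01$",      "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.31"},
    {"EventID": 4768, "TargetUserName": "jdoe@CORP.LOCAL",   "ServiceName": "krbtgt",     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.25"},
]

def is_suspicious_ticket_request(event: dict) -> bool:
    """True for a 4769 that matches the RC4-ticket-for-a-user-SPN pattern."""
    if event.get("EventID") != 4769:
        return False
    if event.get("TicketEncryptionType") != RC4_HMAC:
        return False
    service = event.get("ServiceName", "")
    # krbtgt requests and computer accounts (trailing $) are routine RC4 noise in many domains.
    if service.lower() == "krbtgt" or service.endswith("$"):
        return False
    return True

def kerberoast_candidates(events, threshold: int = ALERT_THRESHOLD) -> dict:
    """Map requesting account -> sorted list of services it requested RC4 tickets for,
    keeping only accounts at or above the threshold. Many SPNs from one account in a
    short batch is the signature of a bulk Kerberoast rather than one legacy app."""
    per_account = {}
    for ev in events:
        if is_suspicious_ticket_request(ev):
            per_account.setdefault(ev["TargetUserName"], set()).add(ev["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in per_account.items() if len(svcs) >= threshold}

if __name__ == "__main__":
    for account, services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {account} requested RC4 tickets for {len(services)} services: {', '.join(services)}")
```

Legacy applications that genuinely need RC4 will trip the per-event check, which is why the alert is raised on the count of distinct services per account rather than on single events; a real deployment would also add a time window and an allowlist of known RC4-only SPNs.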
3 Best Pentesting Frameworks
Pentesting frameworks are collections of security tools that can be used to run penetration tests. The best ones, including the Burp Suite, Metasploit, and Fiddler, cover both scanning and exploits.
Burp Suite
Burp Suite is a top-rated attack toolkit whose community edition is found in Kali Linux. It’s a tremendous tool in the pentesting arsenal that can run advanced scans, but one of its best-known uses is traffic interception, such as for HTTP requests. Burp Suite’s web vulnerability scanner uses research from PortSwigger to help users automatically find web app vulnerabilities. It can handle dynamic content and unstable internet connections.
Pros
- Used by most security teams, researchers, and professionals as well as attackers
- Comprehensive
- Easy to use and configure
- Its embedded Chromium browser renders and crawls JavaScript
- A crawling algorithm builds up a profile of its target in a similar way to a tester
- Uses location fingerprinting techniques to identify hidden areas
Cons
- Harder to learn and master than other scanners
- Many features aren’t available in the community edition (free), and the enterprise edition is relatively expensive
- An all-in-one solution with tons of features that some businesses won’t use
- Tries to be everything, but should be viewed as primarily a vulnerability scanner with some penetration tools
Pricing upgrades: In addition to the free community tools, PortSwigger offers pro and enterprise versions of Burp.
Read our pentesting tutorial on getting started with Burp Suite for more details.
Metasploit
Metasploit, developed by Rapid7, is a well-known exploitation framework that’s also included in Kali Linux. It provides useful modules and scanners to exploit vulnerabilities. This modular exploitation approach combines a particular vulnerability with a user-selected payload module and an automatically selected encoder module. Upon success, users can customize their workflow using one of the Metasploit Framework’s post-exploitation modules.
Pros
- Used by most security teams, researchers, and professionals as well as attackers
- Convenient to emulate compromised machines
- Users can build payloads through a graphical interface, either the payloads GUI or the pro version
- Can be easily combined with Nmap
- Tests can be automated
Cons
- Makes hacking significantly easier, including for beginners and script kiddies
- Paid versions are expensive
- Can be challenging to use at first
- May occasionally have scaling challenges in very large environments
Pricing upgrades: In addition to the open-source framework, Rapid7 also offers a professional version.
Fiddler
Fiddler is a useful collection of manual tools for dealing with web debugging, web session manipulation, and security and performance testing. These tools include Watcher, which observes browser interactions with a website, and x5s, which evaluates website vulnerabilities that arise from cross-site scripting bugs. Another tool, intruder21, allows fuzz testing of web applications, generating fuzzed payloads and launching them against a website.
Pros
- Good web debugging proxy
- Can automate SSL decryption
- Users can choose to decrypt all processes, only browser traffic, only non-browser traffic, or remote clients
Cons
- Not designed as a pentest tool, but it helps scan for vulnerabilities
- Probably most useful for those deploying the paid version on the .NET framework, as that comes with many automation features
Pricing upgrades: While Fiddler is free, Telerik can integrate a paid version into .NET applications.
3 Best Wireless Network Scanning Tools
Wireless network scanning tools test the security of wireless networks by cracking network passwords and testing the strength of encryption protocols. The top wireless network scanning platforms are Hashcat, Aircrack-ng, and wifite.
Hashcat
Hashcat provides advanced password recovery features and lets testers crack Wi-Fi passwords or password-protected documents such as ZIP archives. It’s already included in Kali Linux, but users can also install it as a package using the command sudo apt install hashcat.
Pros
- A typical hacker’s tool
- Not limited to brute-force attacks
Cons
- No GUI, but there are third-party integrations
- Requires relatively advanced technical knowledge
Aircrack-ng
Aircrack-ng is the go-to tool for analyzing and cracking wireless networks. All of its various tools use a command-line interface and are set up for scripting. Aircrack-ng’s main focus areas include testing Wi-Fi card capabilities, replay attacks through packet injection, packet capture, and exporting captured data to text files for third-party processing.
Pros
- Good tool for 802.11 wireless local area networks (LANs) to sniff wireless packets, intercept them, and log traffic passing through
- Has been extended beyond Linux to include Windows, OS X, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2
Cons
- Cannot monitor or conduct pentesting on non-wireless networks
wifite
Wifite is a wireless network auditor that runs current and legacy attacks against WEP and WPA2. It can be used as an automated wireless attack tool.
Pros
- Good for retrieving the password of a wireless access point such as a router
Cons
- Mainly designed for use with pentesting distributions of Linux
- Must be run as root, because the suite of programs it drives requires it
- Difficult to run downloaded scripts
Read more about the different types of network security solutions if your business needs additional help protecting your networks.
3 Best Exploitation Tools
Exploitation tools can test everything from user susceptibility to phishing and spoofing to application and database security. BeEF, SQLmap, and SET are the most useful exploitation tools available.
BeEF
As many apps are web-based, adversaries turn to browser exploitation. The Browser Exploitation Framework (BeEF) makes classic tasks such as enumeration, phishing, and social engineering seamless. The software gives testers a user-friendly GUI and practical client-side attack vectors that target different contexts and achieve various tasks, such as stealing credentials. BeEF also offers a user guide for anyone with usage or development questions.
Pros
- Full of advanced features, such as fake password manager logins and redirects with iFrames
- Clever interface to visualize everything from the victim’s browser to the attacker’s logs
- Particularly convenient for demonstrations
- Provides prebuilt web pages for various traps such as fake login forms
- Provides comprehensive network modules, for example for host discovery
Cons
- Basic phishing modules will perform poorly with cybersecurity-aware employees
SQLmap
SQLmap is included in Kali Linux but can also be installed from its GitHub repository. It automates the process of detecting and exploiting SQL injection flaws and taking over database servers. SQLmap provides advanced features, especially for search and enumeration.
Pros
- Can detect various types of SQL injections
- Supports an extensive range of databases
Cons
- No GUI; it’s CLI-only, but there are third-party integrations
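To make concrete what SQLmap is automating the search for, the following is an added example, not code from the article or from SQLmap, that puts a deliberately injectable login query next to its hardened form. Both run against an in-memory SQLite database with constructed rows; the table, the credentials, and the function names are assumptions for the example. The vulnerable version builds SQL by string formatting, so a username containing a quote and a comment marker ends the WHERE clause early and bypasses the password check; the safe version binds the same input as a parameter, so the database treats it as literal data.

```python
"""Injectable query beside its parameterized fix (added example, constructed data)."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed sample schema and rows (plaintext passwords only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn

def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Deliberately injectable: user input is concatenated into the SQL text."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, username: str, password: str):
    """Hardened: placeholders keep the input out of the SQL grammar entirely."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

# The quote-plus-comment input that turns the vulnerable query into
# "... WHERE username = 'alice' -- ' AND password = '...'" (the rest is commented out).
INJECTION = "alice' -- "

def compare(username: str, password: str) -> tuple:
    """Run the same credentials through both versions on a fresh sample database."""
    db = make_db()
    return login_vulnerable(db, username, password), login_safe(db, username, password)

if __name__ == "__main__":
    print("honest login:   ", compare("alice", "correct horse"))
    print("wrong password: ", compare("alice", "wrong"))
    print("injected input: ", compare(INJECTION, "wrong"))
```

The difference between the two functions is the only thing SQLmap's detection phase is probing for: whether metacharacters in a parameter change the structure of the query rather than just its data.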
SET
SET, the Social-Engineer Toolkit, focuses on the human factor, since scanners won’t perform social engineering pentests. Users can create payloads, phishing pages that imitate logins such as Google’s, and other web attacks.
Pros
- Its menu-driven command-line interface, used in place of a GUI, is well laid out
- Comprehensive
- Straightforward but powerful
Cons
- Relies on human error, which is often the weakest link, although some attacks don’t need this step
- Unclear whether a GUI is available
3 Best Sniffing Tools
Packet sniffers can analyze and intercept network traffic to steal data and passwords and launch man-in-the-middle attacks. When searching for a top sniffing tool, consider Ettercap, Tcpdump, and Wfuzz.
Ettercap
Ettercap is a packet sniffer that lets users modify data on the fly and run man-in-the-middle (MITM) attacks. A common use is intercepting passwords with ARP (Address Resolution Protocol) poisoning or spoofing, which places the attacker between the victim and the router to divert traffic. Ettercap can be used with Kali Linux, or you can install it as stand-alone software on a pentesting distribution using the command sudo apt install ettercap-common.
Pros
- A typical hacker’s tool
- Will put security systems such as EDR (endpoint detection and response) to the test
- Offers both a GUI and a command-line interface
Cons
- Users need to already be inside the network to run the attack
- The interface could be more polished
- Can be hard to learn and master
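The ARP poisoning described above leaves a visible trace: the poisoner answers ARP for the gateway's IP with its own MAC, so anyone watching ARP replies sees the IP-to-MAC binding for the gateway flip, usually to a MAC that already belongs to another host. The following is an added example, not code from the article or from Ettercap, of an arpwatch-style monitor over a small set of constructed ARP reply records; in production the records would come from a capture library, and the trust-on-first-sight policy is an assumption (a static table of gateway MACs would be stronger).

```python
"""Detect ARP spoofing from ARP reply records (added example, constructed sample)."""
from dataclasses import dataclass

@dataclass
class ArpReply:
    ts: float      # capture timestamp in seconds
    ip: str        # IP address being announced ("is-at" reply)
    mac: str       # MAC claimed for that IP

# Constructed sample: 10.0.0.1 is the gateway; the host at 10.0.0.7 starts
# answering for the gateway's IP at t=12.4, which is what a poisoner does.
SAMPLE_REPLIES = [
    ArpReply(10.0, "10.0.0.1", "00:11:22:33:44:01"),
    ArpReply(10.5, "10.0.0.7", "aa:bb:cc:dd:ee:07"),
    ArpReply(11.2, "10.0.0.9", "aa:bb:cc:dd:ee:09"),
    ArpReply(12.4, "10.0.0.1", "aa:bb:cc:dd:ee:07"),   # gateway IP now claimed by .7's MAC
    ArpReply(12.9, "10.0.0.1", "aa:bb:cc:dd:ee:07"),   # repeat: no new alert
]

def detect_arp_spoofing(replies) -> list:
    """Return alert strings for (a) an IP whose MAC changes after first sight and
    (b) a MAC that claims more than one IP. Each condition alerts once per change."""
    ip_to_mac = {}
    mac_to_ips = {}
    alerts = []
    for r in replies:
        previous = ip_to_mac.get(r.ip)
        if previous is not None and previous != r.mac:
            alerts.append(f"{r.ts:.1f}: {r.ip} changed from {previous} to {r.mac}")
        ip_to_mac[r.ip] = r.mac
        mac_to_ips.setdefault(r.mac, set()).add(r.ip)
        # Alert on a MAC collecting a second IP, but only when this reply is the one that changed it.
        if len(mac_to_ips[r.mac]) > 1 and previous != r.mac:
            alerts.append(f"{r.ts:.1f}: {r.mac} now claims {sorted(mac_to_ips[r.mac])}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print("ALERT", line)
```

Legitimate binding changes (a DHCP lease moving to a new device, a failover pair sharing a virtual MAC) produce the same signal, so in practice the first alert type is correlated with lease logs and the second with a list of known shared-MAC setups before it is treated as an incident.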
Tcpdump
Tcpdump is a powerful command-line packet analyzer developed by the same team as libpcap, a portable C/C++ library for network traffic capture. It prints a description of the contents of packets seen on a network interface, each preceded by a timestamp.
Pros
- Can save packet data to a file for later analysis
- Can read from a saved packet file instead of a live network interface
- Can read a list of saved packet files
Cons
- Command line only
- Can impact performance at times
Wfuzz
Wfuzz is helpful for running brute-force attacks on various elements such as directories, scripts, or forms. Like many other tools in our list, it can be found in Kali Linux, but users can also install it with the command sudo apt install wfuzz.
Pros
- Accepts wordlists
- Allows customized configurations
- Documented
Cons
- Significantly slower than other options
- Requires more central processing unit (CPU) power and random access memory (RAM)
4 Best Network Scanning & Enumeration Tools
Network scanning and enumeration tools probe networks and traffic for weaknesses and vulnerabilities. Nmap Free Security Scanner, Wireshark, Gobuster Directory Scanner, and Amass are leading network scanning and enumeration tools.
Nmap Free Security Scanner
Nmap, included in Kali Linux and available via nmap.org, is a free command-line tool, run from a terminal, that accomplishes various tasks, such as discovering open ports and helping users detect vulnerabilities. It scans large networks fast.
Behind the scenes, Nmap uses raw IP packets to identify available hosts and the services they run. It aids ethical hackers by flagging the most promising areas to target in an attack.
Pros
- A comprehensive, free, and open-source solution
- Can be combined with a GUI such as Zenmap
- Full of advanced networking features
- Accepts custom scripts
- Can scale to scan huge networks but can also be deployed against single hosts
Cons
- Can be hard to configure and master, especially for those not familiar with Linux
- The extensive range of commands and options can be overwhelming
- Detection tools will likely spot and log Nmap scans
- Nmap is a scanner: it points out where weaknesses might lie, but it does not probe for or exploit vulnerabilities
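The con above that detection tools will spot and log Nmap scans rests on a simple footprint: one source touching many distinct destination ports on a host within a short window, most of them dropped. The following is an added example, not code from the article or from Nmap, that implements that detection over a few constructed firewall log lines. The log format, the field layout, and the window and port-count thresholds are assumptions to adapt to a real firewall's export.

```python
"""Port-scan detection over firewall connection logs (added example, constructed lines)."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed format: "<epoch> <action> <src>:<sport> -> <dst>:<dport>".
SAMPLE_LOG = """\
1700000000 DROP 203.0.113.5:51012 -> 10.0.0.10:22
1700000000 DROP 203.0.113.5:51013 -> 10.0.0.10:23
1700000001 DROP 203.0.113.5:51014 -> 10.0.0.10:80
1700000001 DROP 203.0.113.5:51015 -> 10.0.0.10:443
1700000001 DROP 203.0.113.5:51016 -> 10.0.0.10:3389
1700000002 DROP 203.0.113.5:51017 -> 10.0.0.10:8080
1700000002 DROP 203.0.113.5:51018 -> 10.0.0.10:8443
1700000003 DROP 203.0.113.5:51019 -> 10.0.0.10:5900
1700000003 DROP 203.0.113.5:51020 -> 10.0.0.10:445
1700000004 DROP 203.0.113.5:51021 -> 10.0.0.10:139
1700000010 ACCEPT 192.0.2.44:40000 -> 10.0.0.10:443
1700000050 ACCEPT 192.0.2.44:40001 -> 10.0.0.10:443
1700000090 DROP 192.0.2.44:40002 -> 10.0.0.10:22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) (?P<action>\w+) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_log(text: str):
    """Yield (timestamp, src, dst, dport) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m["ts"]), m["src"], m["dst"], int(m["dport"])

def find_port_scans(text: str, window: int = 60, min_ports: int = 10) -> dict:
    """Map (src, dst) -> peak number of distinct destination ports seen within any
    `window`-second span, for pairs reaching at least `min_ports` distinct ports."""
    hits_by_pair = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        hits_by_pair[(src, dst)].append((ts, dport))
    alerts = {}
    for pair, hits in hits_by_pair.items():
        hits.sort()
        # Sliding window anchored at each hit; count distinct ports inside the window.
        for i, (start, _) in enumerate(hits):
            ports = {port for ts, port in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                alerts[pair] = max(alerts.get(pair, 0), len(ports))
    return alerts

if __name__ == "__main__":
    for (src, dst), count in find_port_scans(SAMPLE_LOG).items():
        print(f"ALERT possible port scan: {src} -> {dst}, {count} distinct ports within 60 s")
```

Counting distinct ports rather than raw connection attempts is what separates a scan from a busy but legitimate client, as the second source in the sample shows: three connections to two ports over 80 seconds never crosses the threshold. Slow scans spread over hours are the known blind spot of any fixed window and need a longer-horizon aggregate.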
Wireshark
Wireshark is probably the most popular network protocol analyzer. It’s a packet sniffer that can be found in Kali Linux, but users can also install it as stand-alone software or as a package on most operating systems. Wireshark is often used to pinpoint what is happening on the network and assess traffic for vulnerabilities in real time. It highlights connection-level information and each data packet’s characteristics, origin, and destination.
Pros
- Rich interface with lots of panels and removable tabs
- Can see the finest details
- Assesses traffic vulnerabilities in real time
- Can be used to assess wireless networks
- Runs on Windows, Linux, Mac, and most other OSes
- Output can be exported to XML, PostScript, CSV, or plain text
Cons
- Harder to learn and master than other mappers
- Captures all requests on the network, so you have to know how to fine-tune it and use filters
- While it flags potential weaknesses, a pentesting tool is still required to exploit them
Gobuster Directory Scanner
Gobuster is included in Kali Linux, but users can also install it as a package using the command sudo apt install gobuster. It enumerates hidden directories and files quickly: many web apps use default directories and easily guessed filenames, so the tool can brute-force them from a wordlist.
Pros
- Accepts wordlists, including the SecLists collection installed via the command sudo apt install seclists
- Can extract lots of information such as directories, subdomains, and virtual hosts
- Can route requests through proxies and set custom user agents
- Spots backup and configuration files
- Can save output results in files
Cons
- Some Gobuster modules have limited options
- Robust installations will likely make enumeration more difficult or perhaps block it
Amass
Amass is an open-source network mapper that’s particularly efficient for DNS (Domain Name System) and subdomain enumeration. It’s actively maintained and updated to keep up with the latest techniques and methodologies, and it offers features similar to Nmap’s, including scripting support.
Pros
- Backed by OWASP
- Good documentation
- Combines various reconnaissance and gathering techniques
Cons
- While the commands are straightforward, analyzing the data will be hard for beginners
Bottom Line: Open-Source Penetration Testing Tools
Penetration testing is a critically important practice for keeping networks safe from intruders. While there are some comprehensive paid offerings, many pentesting teams prefer the widely used open-source tools with which they’re already familiar. With a wide range of free and open-source tools to choose from, pentesters can accomplish comprehensive testing of their environments without breaking the bank.
If you’re looking for a full-featured, paid product, read our guide to the best business pentesting software next.
This updates a February 2022 article by Julien Maury.
Jenna Phipps contributed to this article.