Professional penetration testers, or pen testers, are akin to “white hat” or ethical hackers, adversaries with an explicit authorization to attack a network. During this simulation of real-world conditions, they put an IT system to the test to identify vulnerabilities.
The goal is to patch these vulnerabilities to prevent cybercriminals from exploiting them. Such security audits require various techniques and tools to simulate classic steps of an attack, such as information gathering (reconnaissance), phishing, or privilege escalation.
Within the vast ecosystem of cybersecurity solutions, many beginners and professionals alike choose to use open-source solutions, such as Metasploit, Nmap, and Wireshark, over premium products. We’ve reviewed those better known open source names in our main pentesting tools article. Here we’re focusing on some lesser-known but still worthy open-source solutions that can be used separately for specific purposes or combined to run comprehensive penetration tests.
Also see our guides to:
- Breach and attack simulation tools
- Vulnerability scanning tools
- Vulnerability management solutions
- Patch management software
Best Scanning Tools
When choosing a pen testing tool, be sure it includes a scanning feature that can crawl your web-facing apps and servers and run known attacks against them.
The Open Web Application Security Project (OWASP) is a nonprofit foundation and an open community dedicated to security awareness. OWASP’s Zed Attack Proxy (ZAP) stands between the tester’s browser and the web application to intercept requests, modify contents, or forward packets among other tasks.
- Actively maintained by OWASP teams
- Very comprehensive and full of features, such as spider, passive and active scans, APIs, request editor, marketplace, plugins, and many more
- Supports multiple programming and scripting languages
- Provides graphical and command-line interfaces
- Great documentation and easy to learn
- Convenient for various levels, from beginners to security teams
- Can be harder to install and less comfortable than premium products such as the Burp Suite
- Needs additional plugins to provide some features
Nikto is a pretty light scanner that works with command lines to quickly identify most common web flaws, such as server misconfigurations. You can install it with Kali Linux or as a single package with the command sudo apt install nikto.
- Pretty straightforward and covers most common needs
- Can test IDS (intrusion detection systems)
- Supports files for input and output
- Very specific, beginners might get confused
- No GUI (graphical user interface)
- No known community or support
w3af, or Web Application Attack and Audit Framework, is a scanner with a tremendous framework to analyze applications and generate reports with its findings. Once the app is mapped, the tool sends crafted requests to trigger specific bugs in the code, such as SQL injections, and report positive cases.
- Easy to learn and use
- Generates helpful reports
- Automates many tasks
- Provides a complete documentation
- The GUI can be a bit challenging
WPScan is the most popular security tool for WordPress. You can either use it with pen testing distributions like Kali Linux, with Docker, or as a binary.
A quick scan can reveal typical flaws of WordPress installations such as the use of the XML-RPC protocol or outdated dependencies, but it can also perform brute-force attacks efficiently. Behind the scenes, the CLI (command line interface) tool uses the WordPress Vulnerability Database API to retrieve WordPress vulnerability data in real time.
- Very comprehensive and entirely built for WordPress
- Great documentation
- Free plan has very limited API quotas
- A lot of prerequisites if you don’t use Kali Linux
- No GUI
Best Exploitation Tools
While some of the following solutions integrate scanning and enumeration too, they are great for exploitation and post-exploitation.
This software provides testers a user-friendly GUI and practical client-side attack vectors to target different contexts and achieve various tasks, such as stealing credentials. BeEF also offers a user guide for anyone with questions from basic utilization to development.
You can find it in Kali Linux, but you can also install it as a package using the command sudo apt install beef-xss.
- Full of advanced features, such as fake password manager logins and redirect with iFrames
- Clever interface to visualize everything from the victim’s browser to the attacker’s logs
- Particularly convenient for demonstrations
- Provides prebuilt web pages for various traps such as fake login forms
- Can bypass a victim’s firewall
- Provides a comprehensive network module, such as for host discovery
- Basic phishing modules will hardly work with cybersecurity-aware employees
- Can detect various types of SQL injections
- Supports an extensive range of database systems
- Provides advanced features, especially for search and enumeration
- No GUI, command-line interface only, but there are third-party integrations
SET, or Social Engineer Toolkit, focuses on the human factor, as scanners won’t do social engineering pen tests. You will be able to create payloads, phishing pages (e.g. Google login), and other web attacks.
- The sets of command lines, used in place of a GUI, has a nice format
- Very comprehensive
- Pretty straightforward but still powerful
- Based on human mistakes, which is often the weakest link but some attacks don’t need this step
Best Sniffing Tools and Password Crackers
Sniffing packets is a great way to find and exploit weaknesses in a network. You get the finest details by analyzing network protocols and performing known attacks such as MITM (man-in-the-middle).
With crackers, you can assess how the system fights against known attacks and if it allows employees to use weak passwords.
Ettercap is a packet sniffer that allows users to modify data on the fly and run MITM attacks. A common usage is to intercept passwords with ARP (Address Resolution Protocol) poisoning or spoofing, which attackers place between the victim and router to divert the traffic.
You can use it with Kali Linux or install it as a standalone software on your pen-testing distribution using the command sudo apt install ettercap-common.
- A typical hacker’s tool
- Will put security systems such as EDR (endpoint detection and response) to the test
- GUI and command lines
- You need to be already inside the network to run the attack
- The interface could be more polished
- Can be hard to learn and master
Hashcat provides advanced password recovery features and lets testers crack Wi-Fi passwords or password-protected documents such as ZIP files. It’s already included in Kali Linux, but you can install it as a package using the command sudo apt install hashcat.
- A typical hacker’s tool
- Not limited to brute-force attacks
- No GUI, but there are third-party integrations
- Requires relatively advanced technical knowledge
Wfuzz is helpful to run brute-force attacks on various elements such as directories, scripts, or forms. Like many other tools in our list, you find it in Kali Linux, but you can run it with the command sudo apt install wfuzz.
- Accepts wordlists
- Allows customized configurations
- Significantly slow
- Requires more CPU and RAM