A penetration test, or pen test, is a simulated cyber attack. The goal is to assess a network’s security so that vulnerabilities can be fixed before real threat actors exploit them.
This critical IT security practice isn’t the same as a vulnerability assessment or vulnerability scanning, though: pen testing involves an actual attack, similar to what hackers would do in real-world conditions.
Pen tests are often performed by third parties, but as these outside tests can be expensive and become dated quickly, many organizations perform their own tests with pen testing tools, using their own IT personnel for their red teams (attackers).
When shopping for a penetration testing tool, be aware that you will likely need several components to perform a complete penetration test. Some software solutions let users define custom rules according to a specific use case.
There are a number of complementary technologies often used by organizations to address security holes. Breach and attack simulation, for example, can be something of an automated, continuous pen testing tool. Others include vulnerability scanning tools and vulnerability management solutions. And IT asset management and patch management are important tools for staying on top of known vulnerabilities.
A significant number of the tools below are included in Kali Linux, a dedicated operating system for pen testing and ethical hacking. Installing Kali can remove the hassle of downloading and installing these tools separately.
- Penetration Testing: How to Start a Pen testing Program
- How to Conduct a Vulnerability Assessment: 5 Steps toward Better Cybersecurity
- Vulnerability Scanning Guide: What It Is and How to Do It Right
Best Penetration Testing Tools & Software
Here are our picks for the best pen testing tools, broken down by network scanners, password crackers, and pen testing frameworks. It’s a big market, though, so we also have a second article on the Top Open Source Penetration Testing Tools.
Best Network Scanning and Enumeration Tools
Nmap Free Security Scanner
Nmap, included in Kali Linux, is a free command-line tool you run in a terminal to perform tasks such as discovering open ports, which in turn helps you detect vulnerabilities.
This tool is very helpful for scanning large networks quickly. Behind the scenes, it sends raw IP packets to identify available hosts and the services they expose.
Pros:
- A very comprehensive, free, and open-source solution
- Can be combined with a graphical user interface (GUI) such as Zenmap
- Full of advanced networking features
- Accepts custom scripts
Cons:
- Can be hard to configure and master
- The extensive range of commands and options can be overwhelming
- Detection tools will likely spot and log Nmap scans
- Read our in-depth look at Nmap
- See our tutorial on some practical uses of Nmap
Wireshark
Wireshark is probably the most popular network protocol analyzer. It’s a packet analyzer (or sniffer) you can find in Kali Linux, but you can also install it as standalone software or as a package on most operating systems.
Pros:
- Rich interface with lots of panels and detachable tabs
- Very precise, as you can see the finest details of every packet
- Lets you assess traffic vulnerabilities in real time
- Can be used to assess wireless networks
- Totally free
Cons:
- Significantly harder to learn and master than other network tools
- Captures all traffic on the network, so you have to know how to fine-tune it and use filters
- Get an in-depth look at Wireshark
Gobuster Directory Scanner
Gobuster can be used with Kali Linux, but you can also install it as a package using the command sudo apt install gobuster.
It’s an efficient tool for enumerating hidden directories and files quickly. Many web apps use default directories and filenames that are relatively easy to guess, so the tool can discover them by brute force.
Pros:
- Accepts wordlists and additional packages (sudo apt install seclists)
- Can extract lots of information, such as directories, subdomains, and virtual hosts
- Can hide its status and process (e.g., with proxies and custom user agents)
- Can spot backup and configuration files
- Can save output results to files
Cons:
- Some Gobuster modules have very limited options
- Hardened installations will likely make enumeration more difficult or block it outright
Amass
Amass is an open-source network mapper that is particularly efficient for DNS (Domain Name System) and subdomain enumeration.
Pros:
- Actively maintained and updated to keep up with the latest techniques and methodologies
- Backed by OWASP
- Great documentation
- Combines various reconnaissance and information-gathering techniques
- Similar features to Nmap, including a scripting language
Cons:
- While the commands are pretty straightforward, analyzing the data will be hard for beginners
Best Password Crackers
Password cracking consists of recovering passwords stored in computer systems. System administrators and security teams (and hackers) can use these tools to spot weak passwords.
John the Ripper
John the Ripper is probably one of the most popular free password crackers. It is included in Kali Linux, but it also has a premium version. The software combines various techniques to crack passwords.
Pros:
- Supports multiple hash and cipher types
- Highly flexible and configurable
- Applies mangling rules to crack common variations (e.g., Pa$$w0rd)
Cons:
- Can be hard to learn, set up, and configure
- Runs with the privileges of the user who launched it, so without root it cannot read shadow password files
Medusa
Medusa is a powerful brute-force tool with some pretty interesting features, and it is included in Kali Linux. This command-line tool can also be installed as a Linux package using the command sudo apt install medusa.
Pros:
- Easy to learn and use
- Fast and concurrent
- Supports thread-based parallel testing (simultaneous brute-force attacks)
- You can resume an interrupted Medusa scan
- Can be extended easily
Cons:
- Supports fewer operating systems and platforms than other tools
- Lack of documentation
- Check out Medusa’s GitHub Repository page.
Ncrack
Ncrack, included in Kali Linux, can test all hosts and devices in a network for weak passwords. It’s a command-line tool that can scan large networks, allowing sophisticated brute-force attacks.
Pros:
- Very light yet powerful
- One of the tools most widely used by professionals
- Easily used alongside Nmap (it is maintained by the same creators)
- Can save output to files
- Can resume an interrupted attack with the --resume option
- Can attack multiple hosts
Cons:
- No known graphical interface
- Learn more about Ncrack
Best Pen Testing Frameworks
Some tools are, in fact, collections of security tools you can use to run penetration tests. They can cover both the scanning phase and the exploitation phase.
Burp Suite
Burp is a top-rated software suite for attack testing. You can find its community edition in Kali Linux. It’s a tremendous tool in the arsenal that can do advanced scans, but one of its most classic uses is traffic interception (e.g., of HTTP requests).
Pros:
- Used by most security teams, researchers, and professionals (and also attackers)
- Very comprehensive
- Easy to use and configure
Cons:
- Significantly harder to learn and master than other scanners
- Many features aren’t available in the community edition (free), and the enterprise edition is relatively expensive
- An “all-in-one” solution with tons of features you probably won’t use
- Get an in-depth look at Burp.
- See our Burp tutorial.
Metasploit
Metasploit, developed by Rapid7, is a well-known exploitation framework that’s also included in Kali Linux. It provides useful modules and scanners for exploiting vulnerabilities.
Pros:
- Used by most security teams, researchers, and professionals (and also attackers)
- Very comprehensive
- Very convenient for emulating compromised machines
- You can build payloads from a graphical interface (the payloads GUI, or in the Pro version)
- Can be easily combined with Nmap
- Includes post-exploitation modules such as keyloggers, packet sniffers, and persistent backdoors
- Tests can be automated
Cons:
- It makes hacking a lot easier (including for beginners and script kiddies)
- Paid versions are expensive (the Pro edition is $15,000 per year)
- Get an in-depth look at Metasploit.
- See our Metasploit tutorial.
Other Pen Test and Scanning Tools
We’ve given you our picks for the top pen test tools, but there are a number of others out there you may want to consider.
Nessus is a widely used paid vulnerability assessment tool that’s probably best for experienced security teams.
Fiddler is a useful collection of manual tools for dealing with web debugging, web session manipulation, and security/performance testing. However, it is probably most useful for those deploying the paid version on the .NET framework, as that comes with many automation features.
Aircrack-ng is the go-to tool for analysis and cracking of wireless networks. All the various tools within it use a command line interface and are set up for scripting.
wp-scan is a great tool for anyone using WordPress. It scans for known vulnerabilities, enumerating users and brute forcing logins.
wifite is a wireless network auditor that deals with current or legacy attacks against WEP and WPA2.
hashcat is used to crack hashes discovered during pen tests, including GPU and CPU cracking.
trufflehog searches through Git repositories for secrets (API tokens, hard-coded credentials, etc.).
SQLmap automates the detection and exploitation of SQL injection flaws and database server takeovers.
OWASP ZAP is a web application security scanner that is good for beginners.
Social Engineer Toolkit (SET) defends against human error in social engineering threats.
THC-Hydra is a network login cracker that supports Cisco auth, Cisco enable, IMAP, IRC, LDAP, MS-SQL, MySQL, Rlogin, Rsh, RTSP, SSH, and more.
Drew Robb also contributed to this guide.