Penetration testing is a core IT security practice in which testers probe systems, networks and applications for vulnerabilities and security holes and then attempt to exploit them, demonstrating which weaknesses an attacker could actually use to breach the organization. Pen tests are often performed by third parties, but because outside tests are expensive and their findings go stale quickly, many organizations also run their own tests with pen testing tools.
Some of these tools scan ports or Wi-Fi, some test applications, and others focus on the web and web-facing applications, the largest avenue of intrusion. Many work from lists of known vulnerabilities and potential problems and then attempt to penetrate an organization's defenses. The same tools are also used to audit organizations for security compliance and to unearth problems lurking within the enterprise.
Vulnerability scanning and pen testing are sometimes confused. Scanning finds and reports potential weaknesses, typically by matching software versions and configurations against a database of known issues, and its output includes false positives and findings that turn out not to be exploitable; pen testing attempts to exploit those weaknesses to show what an attacker could really achieve. These days, though, many of the tools and suites in this area perform both functions (see our picks for top vulnerability scanning tools and top vulnerability management solutions).
Penetration testing, though, is far from a one-tool-fits-all proposition. Few organizations rely on one tool only. Some use one for scanning and another to attempt penetration. Some use collections of tools, each dealing with a different aspect of security, such as port scanning, web application scanning, Wi-Fi or direct penetration of the network. The reality is that most security professionals develop a kit of various tools they keep handy for penetration testing.
Top pen testing tools
Some pen test tools are proprietary and others are free or open source; many security professionals use both, so this guide provides a balance of paid and open source products. Here are some of the top ones cited by cybersecurity experts at KnowBe4 and by Adrian Sanabria at Thinkst Applied Research, plus several honorable mentions.
Burp Suite by PortSwigger Web Security is a top-rated web application security testing platform used in a great many organizations around the world. It combines an intercepting proxy for manually inspecting and manipulating requests with an automated web vulnerability scanner, and it is found in most penetration testing toolkits, though its strength lies in finding web flaws rather than in exploiting them further into the network. The free Community edition is limited: it lacks the automated scanner and most automation capabilities. Those interested in the complete package, with enterprise-wide scalability and scheduled, automated scanning (Burp Suite Enterprise), should be prepared to pay well. Security professionals who only need a good automated scanner plus the manual toolkit for testing individual web applications can make do with the Professional edition, which is a lot cheaper.
Metasploit is an exploitation framework rather than a scanner. The open-source Metasploit Framework ships a large library of exploit modules for known vulnerabilities, together with payloads (such as Meterpreter), auxiliary scanners and post-exploitation modules, so a team can move from a discovered weakness to a working exploit and document the result for remediation. The free framework does not scale up to enterprise-wide engagements (that is what the commercial Metasploit Pro is for), and it has a learning curve: some users say it is difficult to use at first.
Nessus, from Tenable, is a widely used vulnerability assessment tool. The full product is paid, although a free Nessus Essentials edition covers small networks. It is probably best for experienced security teams, as its interface can be a little tricky to master at first. It is a scanner rather than an exploitation tool and should be used in conjunction with pen testing tools, providing them with areas to target and potential weaknesses to exploit.
Fiddler is a web debugging proxy: it sits between a client and the server, captures HTTP and HTTPS traffic, and lets the tester inspect, modify and replay web sessions, which is useful for security as well as performance testing. It is a collection of manual tools more than a scanner. The free Fiddler Classic runs on the Windows .NET framework and can be scripted through FiddlerScript and .NET extensions; the paid version adds further automation features.
Nmap is a port scanner and service fingerprinter more than a penetration testing tool. But it aids pen testing by mapping which hosts are up, which ports are open and what software is listening on them (with -sV), flagging the best areas to target in an attack. That is useful for ethical hackers in determining network weaknesses. As it's open source, it's free, which makes it handy for those familiar with the open-source world but possibly a challenge for someone new to such applications. Although it runs on all major OSes, Linux users will find it more familiar.
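A scan is only as useful as the target list you make from it. The following added example (my code, not from the article or the Nmap project) parses Nmap's XML output format, as written by `nmap -sV -oX scan.xml ...`, drops hosts that are down and ports that are not open, and orders what remains so that services a tester usually looks at first come to the top. The XML is a constructed sample in that format, not a scan of any real network, and the HIGH_INTEREST list is this example's own assumption.

```python
"""Turn Nmap XML output (-oX) into a prioritised target list.

Added example; not code from the article or the Nmap project. SAMPLE_XML is a
constructed document in the -oX format (not a scan of any real network), and
HIGH_INTEREST is this example's own assumption about which services a tester
usually examines first.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of what `nmap -sV -oX scan.xml 10.0.0.0/29` could emit.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 10.0.0.0/29" version="7.94">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.29"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/>
        <service name="https"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="10.0.0.3" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/></port>
      <port protocol="tcp" portid="3306"><state state="open" reason="syn-ack"/>
        <service name="mysql" product="MySQL" version="5.5.62"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.0.0.4" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Assumed priority list (this example's choice, not anything Nmap defines):
# services that commonly carry weak auth, cleartext protocols or old software.
HIGH_INTEREST = {"ftp", "telnet", "smb", "microsoft-ds", "mysql", "ms-sql-s",
                 "ms-wbt-server", "vnc", "snmp", "http", "https"}


def parse_open_ports(xml_text):
    """Return one dict per open port on every host that is up."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # skip hosts Nmap saw as down
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                  # closed/filtered ports are not targets
            svc = port.find("service")
            findings.append({
                "ip": addr.get("addr"),
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name", "") if svc is not None else "",
                "product": svc.get("product", "") if svc is not None else "",
                "version": svc.get("version", "") if svc is not None else "",
            })
    return findings


def prioritise(findings):
    """High-interest services first, then fingerprinted (versioned) services,
    then by address (numerically, not as strings) and port."""
    return sorted(findings, key=lambda f: (f["service"] not in HIGH_INTEREST,
                                           f["version"] == "",
                                           ipaddress.ip_address(f["ip"]),
                                           f["port"]))


if __name__ == "__main__":
    for f in prioritise(parse_open_ports(SAMPLE_XML)):
        print(f"{f['ip']:>10}:{f['port']:<5} {f['service']:<8} "
              f"{f['product']} {f['version']}".rstrip())
```

The version strings are what make the list actionable: a product and version pair is what you feed to a vulnerability database or to Metasploit's search, which is why the sort pushes unfingerprinted ports below fingerprinted ones.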
Wireshark is often found in the security toolkit. Pen testers use it to see what is actually happening on the network: by capturing live traffic and dissecting each packet down to its protocol fields, it shows origin, destination, protocol and payload, which can reveal cleartext credentials, weak or legacy protocols and misconfigured services. It is an analysis tool, not an exploitation tool: while it flags potential weaknesses, a pen testing tool is still required to exploit them.
Aircrack-ng is the go-to suite for capturing, analysing and cracking wireless networks: monitor-mode capture, packet injection, and recovery of WEP keys and WPA/WPA2-PSK passphrases from captured handshakes. All the tools within it use a command line interface and are set up for scripting. This is good news for veteran security professionals, but its open-source Linux orientation may challenge those more used to proprietary tools running on Windows platforms.
John the Ripper
John the Ripper is a fine tool for anyone seeking to check password strength by cracking captured hashes. It should be viewed, however, as more of a supplemental tool than the primary one in the penetration arsenal. As it combines several approaches to password cracking into one (wordlist attacks with mangling rules, brute-force incremental mode, and support for a wide range of hash formats), it is well worth trying out.
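The approach that John the Ripper (and hashcat, in the honorable mentions below) takes in wordlist mode is a candidate generator plus a hash comparison: every dictionary word is expanded by mangling rules (case changes, character substitutions, appended years and symbols) and each candidate is hashed the same way the target was and compared. The following added example (my code, not John's or hashcat's) shows that loop end to end. The hash scheme `user:salt$hex(sha256(salt || password))`, the wordlist and the "leaked" hashes are constructed for the demonstration; a real cracker implements the target's actual formats and runs far larger wordlists and rule sets.

```python
"""Dictionary attack with mangling rules against salted password hashes.

Added example; not code from John the Ripper or hashcat. The hash format
(user:salt$hex(sha256(salt || password))), the wordlist and the "leaked"
hashes are all constructed for this demonstration.
"""
import hashlib


def hash_password(salt, password):
    """Constructed scheme: SHA-256 over salt || password, hex encoded."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed "leaked" hash file. The digests are generated here so the
# example is self-contained; in an engagement they come from a dump.
LEAKED = [
    "alice:x9k2$" + hash_password("x9k2", "Summer2023!"),
    "bob:q7mz$" + hash_password("q7mz", "p@ssword"),
    "carol:e3tt$" + hash_password("e3tt", "correct-horse-battery-staple"),
]

WORDLIST = ["summer", "password", "letmein", "welcome"]   # constructed


def mangle(word):
    """Yield candidates derived from one word, in the spirit of John's rules:
    case changes, one leet substitution (a -> @), and common year/symbol
    suffixes, optionally followed by '!'."""
    bases = [word, word.capitalize(), word.upper()]
    bases += [b.replace("a", "@") for b in bases if "a" in b]
    suffixes = [""] + [str(year) for year in range(2018, 2025)] + ["1", "123", "!"]
    for base in bases:
        for suffix in suffixes:
            yield base + suffix
            if suffix and suffix != "!":
                yield base + suffix + "!"


def parse_hash_file(lines):
    """Map user -> (salt, digest) from 'user:salt$digest' lines."""
    targets = {}
    for line in lines:
        user, rest = line.split(":", 1)
        salt, digest = rest.split("$", 1)
        targets[user] = (salt, digest)
    return targets


def crack(hash_lines, wordlist):
    """Return ({user: plaintext}, candidates_tried). Because each hash has its
    own salt, every candidate must be hashed once per still-uncracked user;
    without salts one hash per candidate would test all users at once."""
    targets = parse_hash_file(hash_lines)
    cracked = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            for user, (salt, digest) in targets.items():
                if user not in cracked and hash_password(salt, candidate) == digest:
                    cracked[user] = candidate
            if len(cracked) == len(targets):
                return cracked, tried       # nothing left to crack
    return cracked, tried


if __name__ == "__main__":
    found, tried = crack(LEAKED, WORDLIST)
    for user in parse_hash_file(LEAKED):
        print(f"{user}: {found.get(user, '<not cracked>')}")
    print(f"{tried} candidates tried")
```

Two of the three accounts fall to a four-word list because their passwords are a dictionary word plus a predictable rule; the passphrase survives because no rule derives it. That gap is the finding a tester reports: rules, not raw brute force, are what separate "reasonably long" passwords from ones that are actually crackable.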
There are a great many other vulnerability scanning and penetration testing products out there. Here are several worth looking at:
OSINT VMs bundle open source intelligence tools into a ready-made Linux virtual machine for any kind of OSINT research on targets (people, domains, organizations) from publicly available sources.
WPScan is a great tool for anyone using WordPress. It checks WordPress core, plugins and themes against known vulnerabilities, enumerates users and can brute force logins.
wifite2 is an automated wireless network auditor that runs current and legacy attacks against WEP, WPA/WPA2 and WPS.
hashcat is a password recovery tool for cracking hashes collected during a test. It runs on GPUs as well as CPUs and supports hundreds of hash formats and several attack modes (dictionary, rules, masks and brute force).
trufflehog searches through Git repositories, including their history, for secrets (API tokens, hard-coded credentials, private keys, etc.).
SQLmap automates the detection and exploitation of SQL injection flaws, up to and including takeover of the database server.
Kali Linux is an open source, Debian-based Linux distribution that ships with a large set of penetration testing tools preinstalled, including most of those listed here.
OWASP ZAP is a free, open source web application security scanner (an intercepting proxy plus passive and active scanning) that is approachable for beginners.
Social-Engineer Toolkit (SET) is an open source framework for simulating social engineering attacks, such as spear-phishing emails and cloned credential-harvesting sites, so an organization can test the human element of its defenses.
THC-Hydra is a fast, parallelized network login cracker that brute forces credentials against many protocols, including Cisco auth, Cisco enable, IMAP, IRC, LDAP, MS-SQL, MySQL, Rlogin, Rsh, RTSP, SSH and more.
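Secret scanners of the trufflehog kind combine two detection methods: fixed patterns for credential formats with a recognizable shape, and an entropy test that catches random-looking strings with no known prefix. The following added example (my code, not trufflehog's) runs both over a constructed diff. The AWS key ID and GitHub token patterns follow those vendors' documented prefixes, `AKIAIOSFODNN7EXAMPLE` is the placeholder key from AWS's own documentation, and the entropy thresholds (4.5 bits per character for base64-like strings, 3.0 for hex) are this example's assumptions.

```python
"""Scan text (a git diff, a file, a commit) for secrets by pattern and entropy.

Added example; not trufflehog's code. SAMPLE_DIFF is constructed, the key ID
in it is AWS's documented placeholder, and the thresholds are assumptions.
"""
import math
import re

# Credential formats with a recognizable prefix (documented by the vendors).
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
}

# Candidate tokens for the entropy check: long runs of base64/hex characters.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_TOKEN = re.compile(r"^[0-9a-fA-F]+$")
B64_THRESHOLD = 4.5   # assumed; max for 64 symbols is 6 bits/char
HEX_THRESHOLD = 3.0   # assumed; max for 16 symbols is 4 bits/char

# Constructed diff: one patterned secret, one random DB password, one git
# commit hash (a classic false positive), two harmless lines, one key header.
SAMPLE_DIFF = """\
diff --git a/config/settings.py b/config/settings.py
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "8f3A9zQ2LmX7vK1pR4tY6wB0nC5dEhJs"
+COMMIT_SHA = "3f786850e387550fdab836ed7e6dc881de23001b"
+DEFAULT_TIMEOUT_SECONDS = 30
+WELCOME_MESSAGE = "Welcome to the configuration dashboard"
+-----BEGIN RSA PRIVATE KEY-----
"""


def shannon_entropy(s):
    """Bits per character: -sum(p * log2 p) over the string's symbol counts."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan(text):
    """Return findings as dicts with line, kind, value (and entropy if used).
    Pattern hits are reported first; tokens already matched by a pattern are
    not re-reported by the entropy check."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append({"line": lineno, "kind": kind, "value": m.group(0)})
                seen.add(m.group(0))
        for m in B64_TOKEN.finditer(line):
            token = m.group(0)
            if token in seen:
                continue
            if HEX_TOKEN.match(token):
                kind, threshold = "high_entropy_hex", HEX_THRESHOLD
            else:
                kind, threshold = "high_entropy_base64", B64_THRESHOLD
            entropy = shannon_entropy(token)
            if entropy >= threshold:
                findings.append({"line": lineno, "kind": kind,
                                 "value": token, "entropy": round(entropy, 2)})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_DIFF):
        print(f"line {f['line']}: {f['kind']} {f['value']}"
              + (f" (entropy {f['entropy']})" if "entropy" in f else ""))
```

The commit hash on line 4 is flagged alongside the real password on line 3: entropy alone cannot tell a SHA from a secret, which is why scanners of this kind pair the entropy check with allowlists and, in newer trufflehog versions, verify a candidate credential against the issuing service before reporting it.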