Penetration testing (pen testing) is a practice undertaken by professional hackers to find the vulnerabilities in your systems — before the attackers do. It requires clever thinking, patience, and a little bit of luck. In addition, most professional hackers will need a few specific tools to help get the job done.
CSO recently spoke to a few security experts – some who are full-time red team operators and developers themselves – and asked them to share their favorite tools.
The tools below have earned their place either because they helped during simple assessments and complex engagements alike, or because they are used all the time in the field. Some of the tools in this list are free, while others require license payments, but all are worth a look.
1. Nmap
Nmap turned 20 years old on September 1, 2017. Since it was first released, Nmap has been the go-to tool for network discovery and attack surface mapping. From host discovery and port scanning, to OS detection and IDS evasion / spoofing, Nmap is an essential tool for gigs both large and small.
2. Aircrack-ng
Like Nmap, Aircrack-ng is one of those tools that pen testers not only know but, if they're assessing a wireless network, use on a regular basis. Aircrack-ng is a full suite of wireless assessment tools, covering packet capture and attacking (including cracking WPA and WEP).
3. Wifiphisher
Wifiphisher is a rogue access point tool, enabling automated phishing attacks against Wi-Fi networks. Assessments using Wifiphisher can lead to credential harvesting or actual infection, depending on the scope of the job. A full overview is available in the documentation section on the Wifiphisher website.
4. Burp Suite
Used with a web browser to map applications, Burp Suite can discover a given app's functionality and security issues. From there, it's possible to launch custom attacks.
Currently, the free version is pretty limited, but the paid version ($349 per user) offers full crawling and scanning (supporting more than 100 vulnerabilities, including all of the OWASP Top 10), multiple attack points, and scope-based configurations. One of the most common remarks we heard about this tool is that it can be used to automate repetitive functions, and it offers a decent view of what the app is doing with the server.
5. OWASP ZAP
OWASP Zed Attack Proxy (ZAP) was another application testing tool mentioned alongside Burp Suite. The general view is that ZAP is good for those who are just starting out with application security, while Burp Suite is the go-to hardcore assessment tool. Those who are concerned about price lean towards ZAP because it is open source. OWASP recommends ZAP for application testing, and has published a number of tutorials for making it work in a long-term security project.
6. SQLmap
As the website says, SQLmap is an "automatic SQL Injection and database takeover tool." This description captures the heart of the tool itself. It supports all the common and widely used database platforms – MySQL, MSSQL, Access, DB2, PostgreSQL, Sybase, SQLite – and six different injection techniques.
7. CME (CrackMapExec)
CME is a post-exploitation tool that helps automate the task of assessing the security of large Active Directory networks. Its author, a hacker known as 'byt3bl33d3r', says the tool follows the concept of living off the land by "abusing built-in Active Directory features/protocols to achieve its functionality and allowing it to evade most endpoint protection/IDS/IPS solutions."
While the red team case for using CME is clear, blue teams can also use the tool to assess account privileges, simulate attacks, and find misconfigurations. CME also makes use of the PowerSploit Toolkit and the Impacket library.
8. Impacket
Impacket, which is used by CME, is a collection of Python classes for low-level programmatic access to protocols such as SMB1-3, as well as TCP, UDP, ICMP, IGMP, and ARP over IPv4 / IPv6. Packets can be constructed from scratch or parsed from raw data.
9. PowerSploit
PowerSploit is a collection of modules that can be used during assessments. As the name suggests, the modules themselves are for PowerShell on Windows. Some of the features include persistence, AV bypasses, exfiltration, code execution, script modification, reconnaissance, and more.
10. Luckystrike
Luckystrike, from curi0usJack, is a generator of malicious Excel (.xls) and Word (.doc) documents. Luckystrike can work with standard shell commands, PowerShell scripts, and EXEs. Additional information and usage details are available here.
11. BeEF (Browser Exploitation Framework)
BeEF is a handy tool to assess "actual security posture of a target environment by using client-side attack vectors." Several professionals mentioned BeEF in passing, and noted that it was rather easy to use given the number of features and options the tool offers. You can learn more about BeEF here.
12. THC-Hydra
THC-Hydra is a network login cracker that supports several services. In fact, it supports more than four dozen of them, including Cisco auth, Cisco enable, IMAP, IRC, LDAP, MS-SQL, MYSQL, Rlogin, Rsh, RTSP, and SSH (v1 & v2). The tool isn't overly complex, and the extensive README file covers plenty of detail to get users started.
13. Immunity Inc. – Debugger
The Immunity Debugger is a tool that helps security professionals write exploits, analyze malware, and reverse engineer binaries. There are a ton of features, but the two writeups that best cover a majority of them are an overview by Igor Novkovic and a SANS Reading Room paper on basic reverse engineering. If reversing or exploit writing are in your wheelhouse, this tool is likely something you're familiar with already; if it isn't, it's worth a look.
14. Social Engineer Toolkit (SET)
As the name suggests, SET is a pen testing framework geared towards social engineering. It's a popular tool, and has even been featured on television. Hackers were pleased to see some reality on TV when SET was actively used on USA Network's Mr. Robot.
There are two other tools from TrustedSec that are also worth mentioning: Unicorn, which is a tool for using PowerShell downgrade attacks and injecting code directly into memory (this works great with SET), and nps_payload, which generates payloads for intrusion detection avoidance.
15. Metasploit Framework
The Metasploit Framework is so commonly used, we almost didn't add it to the list. However, it had more mentions than any other tool outside of Kali Linux. (Kali is a Linux distribution, and it has many of the tools mentioned here pre-installed.)
Metasploit has been the main tool for many pen testing professionals for years. Even after it was acquired by Rapid7, it remains fully supported as an open source project and is constantly being developed by an entire community of exploit developers and coders. If a vulnerability or exploit is in the news, Metasploit will have it. Need to assess the security of a network against older vulnerabilities? Metasploit can do that.
16. Penetration Testing Tools Cheat Sheet
The HighOn.Coffee blog's penetration tools cheat sheet offers a high-level reference for several common commands, from network configuration, to port scanning and attacking network services.
17. SecLists
SecLists, as the name suggests, is a collection of lists (usernames, passwords, common data patterns, fuzzing payloads, shells, etc.) available on GitHub to help pen testers get a jump on their current assignment.