Pentesting times have certainly changed. Years ago, when this speciality in offensive security was taking off, there was a large shift away from manual techniques to relying on a variety of tools. Most of these were open source. Then pentesting itself divided up into several niches for everything from network to web app to social engineering to cloud.
As a pentester, identifying the top tools used across all niches was quite difficult, as each pentester will have a dedicated set of tools applying to that particular platform. Pentesting involves, depending on the methodology, about nine phases including (but not limited to) reconnaissance, fingerprinting, gaining and maintaining access, defense evasion, covering tracks, privilege escalation, and data exfiltration, each with its own dedicated tools.
Before diving into the tools, remember to pentest responsibly. Just because a target exists, doesn’t mean we can test it. These tools aren’t just cool toys for tech geeks; they’re legitimate weapons in their capabilities. If you’re anxious to fire these up and test drive them for yourself, make sure you’re doing it in a lab you control or against places like the Damn Vulnerable Web Application (DVWA) or Hackazon. These are created to be vulnerable on purpose so you can test your ability to find known weaknesses and exploit them.
Several enterprise-strength and automated tools have emerged recently but those require licenses and have a heftier price tag. I picked the 10 open-source tools below based on widest usage and recognition.
This honorable mention is the heavyweight champ of the wireless pentesting world. Aircrack-ng is also a suite of tools and functions and focuses on areas of Wi-Fi security like monitoring, launching stealthy attacks, rigorously testing defenses, and cracking those tough WPA keys like a master locksmith. The primary use of Aircrack-ng is to identify and exploit vulnerabilities in Wi-Fi networks, particularly targeting WEP and WPA/WPA2-PSK security protocols. It works by capturing network packets and then applying various algorithms to decipher the keys used to secure wireless networks.
It also includes Airmon-ng to put your wireless card into monitor mode, Airodump-ng for packet capturing, and Aireplay-ng to generate traffic and induce conditions favorable for network analysis and attacks. This tool is widely used by network administrators for security assessments and by cybersecurity professionals and ethical hackers to test the strength and resilience of wireless networks against unauthorized access and other security threats.
Think of SQLmap as the savvy old-timer in the pentesting game, not just surviving but thriving in a landscape filled with ever-evolving threats. It automates the process of detecting and exploiting SQL injection (SQLi) vulnerabilities in web applications. SQLmap works by sending various types of requests to the target web application and analyzing the responses to identify potential vulnerabilities. Once it finds a SQL injection flaw, SQLmap can be used to extract data from the database, gain administrative access to the database, or even execute remote commands on the server. It supports a wide range of databases and includes numerous features for advanced manipulation and customization of SQL injection attacks, making it a highly effective tool for assessing the security of web applications that interact with databases.
Sure, it might have a few years under its belt, but make no mistake, it’s still a big player on the pentesting field. Why, you ask? Because believe it or not, SQL injection (SQLi) still haunts the digital world in 2024, and this is one of those rare tools that tackle the SQLi challenge head-on, without needing you to dive into the deep end manually.
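The response-comparison idea described above can be turned into a regression check for your own data-access code. The following is an added example, not part of the original article and not SQLmap's code; the table, function names, and sample rows are constructed for illustration and run against an in-memory SQLite database.

```python
import sqlite3


def make_db():
    # Constructed sample data in an in-memory database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (name) VALUES (?)",
                   [("alice",), ("bob",)])
    return db


def lookup_vulnerable(db, name):
    # Deliberately flawed: user input is concatenated into the SQL text.
    query = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    # Hardened: the driver binds the value, so it is never parsed as SQL.
    return db.execute("SELECT id, name FROM users WHERE name = ?",
                      (name,)).fetchall()


def input_changes_query_logic(lookup, db, known_value="alice"):
    """Return True if the lookup treats its input as SQL.

    An always-true and an always-false condition are appended to a value
    known to exist. If the results follow those conditions, the input is
    being interpreted as part of the query rather than as data.
    """
    baseline = lookup(db, known_value)
    when_true = lookup(db, known_value + "' AND '1'='1")
    when_false = lookup(db, known_value + "' AND '1'='2")
    return when_true == baseline and when_false != baseline


if __name__ == "__main__":
    db = make_db()
    print("concatenated query injectable:",
          input_changes_query_logic(lookup_vulnerable, db))
    print("parameterized query injectable:",
          input_changes_query_logic(lookup_parameterized, db))
```

With bound parameters the appended condition is just part of a name that matches no row, so both probes return nothing and the check reports no injection.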
Welcome to the secret weapon of the web app pentesting world. ZAP, previously known as OWASP ZAP, might not have the household name status, but in the circles of web application warriors, it’s akin to what Nessus is in network security. It’s an open-source web application security scanner designed to help automatically find security vulnerabilities in web applications while you are developing and testing them. The tool functions as an intercepting proxy, sitting between your browser and the web application so it can inspect and manipulate the traffic going to and from the site. This allows ZAP to identify issues such as broken access control, insecure configurations, and other vulnerabilities.
Its rise in popularity comes from being both user-friendly and effective for both those new to application security as well as professional developers. Additionally, ZAP provides a range of tools and features, including automated scanners, a set of tools for manual testing, and various add-ons for extended functionality, making it a comprehensive solution for web application security testing.
Wireshark gets a basic reputation for just doing “packet sniffing” but it’s a tool so versatile and powerful that it almost feels like cheating. Wireshark is a network protocol analyzer widely used for network troubleshooting, analysis, development, and education. It captures and displays the data traveling back and forth on a network in real-time, making it possible to examine detailed information about network protocols, packet data, and network traffic.
Wireshark allows users to see the granular details of network activities at both the micro and macro levels. It’s used to diagnose network problems, inspect network security issues, debug protocol implementations, learn network protocol internals, and even evaluate firewall rules. With its powerful filtering and search capabilities, Wireshark enables users to isolate and analyze specific packets of interest from a network traffic stream. This makes it an indispensable tool for network administrators, security professionals, and anyone who needs to understand the flow of data on a network. Sure, it might play second fiddle in my toolkit, given my focus on cloud and web app pentesting, but when it comes to the art of network pivot, Wireshark is in a league of its own.
Now, John the Ripper might not be my everyday tool in the pentesting toolbox, but let’s face it – no pentesting tool roundup is complete without a nod to the classic art of password cracking. Most experienced pentesters have learned to rely on robust tables they’ve custom built over time for dictionary and rainbow table attacks, but sans that, John the Ripper will most often get the job done. A powerful tool for password cracking, it’s widely used to test password strength and can be used to crack various types of passwords. It’s particularly effective in testing the resilience of passwords in a network environment.
If you’re on team Hashcat, you’re not wrong either. Certain certification tests ask which is the “best” password cracking tool and list both of these but it really comes down to preference. Kind of like Vim versus Nano.
Step aside for the titan of vulnerability scanners: Nessus is the one tool that’s become almost synonymous with the very concept of uncovering network weak spots. In my experience, this is probably the most downloaded, utilized, and recognized vulnerability scanner of all time. Nessus is used to scan for network vulnerabilities, configuration issues, insufficient benchmarks, and missing patches, among other issues. It’s the kind of tool that doesn’t just work on the surface; it digs deeper, offering insights and findings that are as valuable as they are comprehensive.
Once systems have been fingerprinted, we want to identify which types of exploits that system may be vulnerable to, and this gives us a great place to start. After this step is when Metasploit and other exploitation tools step in to finish the job.
Now we’re getting to the crown jewel in my pentesting toolkit, especially when it comes to the world of web application security. Burp Suite is indispensable for anyone serious about diving deep into the intricacies of web app pentesting.
Sure, it might not boast the same download numbers as Nessus, but Burp Suite is the sturdy steed that’s got the back of web application security researchers. It’s a complete package, an integrated platform that’s all about versatility and depth. From scanning and spidering to attacking and exploiting, Burp can intercept and manipulate requests, URL-encode payloads, change delivery methods, and send requests right to a website. As a bonus, they have one of the most respected free training academies available, covering the ways their tool can be leveraged in a myriad of situations and objectives.
Claiming a well-deserved spot in my top three are offensive distributions, specialized operating systems for pentesting. These often work as a one-stop shop that includes as many tools as possible in one download for every phase of pentesting, from recon and OSINT all the way to exfiltration. They even include fringe functions like forensics, reverse engineering, and simple security auditing tools.
For a long time Kali Linux was the only name in this space because it neatly categorizes tools to align with the various phases of a penetration test. You can literally go to the start menu > pick phase: OSINT/Exploit/Data Exfil/Forensics > select tool > and launch. But Kali isn’t the only sheriff in town anymore. Take, for instance, Parrot OS, which is gaining notoriety against Kali especially with institutions like EC-Council endorsing it for their CEH certification modules and exams. Parrot OS is carving out its niche, appealing to a broader audience with its user-friendly interface and a lightweight environment that doubles down on performance and security. Parrot runs leaner and doesn’t have so much overload.
It’s important to note that this shift isn’t about one being better than the other; it’s about choice and the right fit for different styles and preferences in the pentesting community. In this red teamer’s opinion you should find the tools that work for you and snapshot them into an image of your own distro.
While it may no longer be the sole monarch of the exploitation kingdom, thanks to emerging challengers like Atomic Red Team, Metasploit continues to command respect and high regard in the pentesting arena. A tool with a formidable force in the exploit and post-exploit phases – a true friend, especially for those just cutting their teeth in the world of pentesting.
What we continue to love about Metasploit is that it isn’t just a tool; it’s the entire go-to toolkit for developing, testing, and executing exploit code against remote targets. Metasploit isn’t just about finding vulnerabilities; it’s about testing them, executing on them, and understanding how they can be exploited in real-world scenarios. Even if you’re a Cobalt Strike convert, you’ll more than likely have started with this first, because it’s free and user-friendly.
Topping my list at the No. 1 spot is Nmap. It’s the undisputed champion in the reconnaissance and fingerprinting arena, a critical stage in any pentesting operation. This tool isn’t just a part of the pentester’s toolkit; it’s the starting point of nearly every security adventure.
Nmap is this incredible blend of a powerful network discovery tool and a meticulous security auditor. It will uncover every little secret from open ports and running services to system versions and missing patches. It’s no wonder that it’s equally revered by both network and system administrators for its versatility and depth. What truly sets Nmap apart is its astounding customizability. You can tailor its scans to be as broad or as pinpointed as you need. I rarely go for the kitchen sink (the all-encompassing open scan) because honestly, it’s like opening a firehose of data. Instead, I opt for the surgical approach, targeting specific aspects like filtered ports or OS versions, and Nmap handles it like a pro.
For us pentesters, Nmap is our first foray into actively engaging with a system after the passive recon dance, and it’s usually a stealthy one at that. Chances are, no intrusion detection system is going to flag you while Nmap does its thing.
Maril Vernon, known as the “One Woman Purple Team,” is an ethical hacker, co-founder and host of The Cyber Queens Podcast, senior offensive security engineer and proven program manager and pioneer in the purple teaming space — a niche in offensive security testing that has recently gained popularity demonstrating cyber resilience in the cyber threat landscape. Maril has built and tested purple teaming operations across multiple industries, from start-ups to FAANG-sized, most recently for Zoom Video Communications as a member of the dedicated red team. Maril’s expertise on red team best practices was recently featured on CSO Online and at the Red Team Roundup hosted by the Wild West Hackin’ Fest. Her knowledge and skill pioneering purple team operations has been featured on numerous webinars with the Plextrac CEO and Scythe CTO and at the subsequent Purple Team Roundup by WWHF. She has also been named one of the ‘Epic Women in Cyber’ and has interviews published with NIST and The Hacker Factory and is a contributing editor of the latest MITRE ATT&CK v11 Enterprise Matrix for Linux TTPs. Maril’s passion for closing the gender gap in cyber is highlighted in her affiliations with The Cyber Guild, The Diana Initiative, BBWIC, and WiCyS.