By David Zomaya
10 Best Tools to Start Pen Testing
A big part of penetration testing is using the right tools. Being able to automate scans, crack passwords, and sniff packets can make you more effective at identifying vulnerabilities.
Like most jobs, getting familiar with pen testing requires getting familiar with the tools of the trade. To help you do that, we've compiled a list of 10 of the best tools for pen testers.
Before We Dive In, a Few Notes
Hack responsibly! Pen testers and hackers have a lot of power in a digital world. That means they can do a lot of good, or a lot of bad. Aim to do good. As a popular Marvel superhero taught us: with great power comes great responsibility. Also be careful not to accidentally get yourself into legal trouble with unauthorized scans. We'd recommend reading Nmap's "Legal Issues" article early on in your pen testing career.
There's more to pen testing than tools. Tools are definitely a big part of the job, but they are not all you need. Knowledge, experience, and outside-the-box thinking go a long way. Despite the powers of automation and software, the individual is still one of the most important aspects of pen testing. Be sure to invest the time and effort in understanding different aspects of InfoSec practically and conceptually along with learning about tools.
Aim for depth not just breadth. We have 10 tools, an operating system, and a bit on hacking hardware here. That alone is a lot to wrap your head around. Pen testers with a deep understanding of a few tools can do better than those with a shallow understanding of 100. Make sure you're taking deep dives with the tools you choose. Doing so can make a huge difference. After all, a big part of effective hacking is catching someone else's oversight or omission.
With that out of the way, let's jump into our list of penetration tools.
Nmap for Port Scanning
The open source Nmap (short for "network mapper") is one of the most popular port scanners available. If you need a quick way to check open ports on a host or across a network, Nmap is a great tool. However, Nmap is much more than a simple port scanner. It is a robust security auditing and network discovery tool. For example, the Nmap Scripting Engine (NSE) enables in-depth network discovery and version detection, as well as a way to check for known vulnerabilities.
Nmap itself is a command line utility. However, Zenmap provides a Graphical User Interface (GUI) for Nmap. For pen testing we'd recommend getting comfortable with the command line, but a GUI can help early on.
Given its power, extensibility, and ease of use, Nmap is an excellent addition to the aspiring pen tester's tool kit. It's available on a wide variety of *nix, Windows, and Mac OS X operating systems. You can download Nmap here.
Wireshark for Packet Analysis
You may already know we're big proponents of Wireshark. As one of the most popular packet analyzers, Wireshark is a great tool for pen testers. In fact, Kali Linux has called Wireshark the de facto standard for packet analysis in many industries.
The reason Wireshark is such a great tool is simple: packet analysis makes it possible for you to take deep dives. It is one of the best ways to learn how a system, protocol, or network works. Similarly, it's also a great way to identify vulnerabilities during penetration tests.
As with most tools on the list, Wireshark has a robust CLI (command line interface). However, one of the things I like about Wireshark is that for such a powerful tool, it has an intuitive GUI. In addition to capturing packets directly, I've found it helpful when parsing through .pcap files created by tcpdump.
Like Nmap, Wireshark is capable of running on a variety of operating systems including *nix, Windows, and OS X. You can download Wireshark here.
Want to learn how to use Wireshark effectively? Check out our Wireshark video training!
Metasploit for Running Exploits
Metasploit is a pen testing framework collaboratively maintained by the open source community and Rapid7. Metasploit has gained popularity because it helps simplify advanced penetration testing. It integrates with tools like Nmap and scanners like Tenable's Nessus.
Metasploit's platform makes it possible to automate vulnerability detection and have the tools to exploit those vulnerabilities all in one place. The project also benefits from very active support and development. The Metasploit team regularly releases updates with new modules, and the Pro version receives patches with fixes and enhancements bi-weekly. To get an idea of just how powerful Metasploit is, check out their EternalBlue module.
Metasploit is supported on Windows, Linux, and Mac OS X. The free open source edition and commercially supported "Pro" edition can be downloaded here.
Aircrack-ng for Wi-Fi Cracking
Wi-Fi cracking and password cracking are important aspects of penetration testing. Aircrack-ng is a suite of Wi-Fi security and cracking tools that has gained popularity in the InfoSec industry. Some of the things Aircrack-ng's suite of tools enables pen testers to do are:
- Decrypt WEP/WPA/WPA2 Packet Captures
- Inject Frames Into Wireless Traffic
- Attack Wi-Fi Clients
- Graph Wi-Fi Networks
- Perform WEP, WPA, and WPA2-PSK Key Cracking
- Deauthenticate users based on MAC addresses or type of hardware
Aircrack-ng is CLI-based, but various applications have incorporated it into GUIs. It is most commonly used on Linux, but also runs on Windows, Mac OS X, and OpenBSD. You can download source code and pre-compiled binaries here.
Fun fact: Aircrack-ng has appeared in multiple movies. It was even used correctly in the film Redes de Ambição.
BeEF for Client-Side Attacks
BeEF (Browser Exploitation Framework) is a pen testing tool focused on web browsers. One of the biggest security concerns today is web-based attacks. Vulnerabilities in client browsers provide an attack surface for hackers to gain access to otherwise protected machines and networks.
If you're looking to assess and exploit browser vulnerabilities like cross-site scripting (XSS), BeEF may be just the tool you need. BeEF supports Mac OS X and Linux (no Windows support). You can download BeEF from their GitHub page.
Fiddler for Web Proxies
Fiddler is a multi-platform web proxy and debugger. It enables penetration testers to manipulate web sessions, decrypt HTTPS traffic, and record HTTP(S) traffic flows. In addition to testing for XSS, SQL injection, and buffer overflows, Fiddler (with the aid of the intruder21 add-on) can perform fuzz testing against a website.
Fiddler supports most major browsers as well as most major desktop and mobile operating systems. You can download Fiddler here.
John the Ripper for Password Cracking
Password cracking is one of the textbook forms of hacking and an important aspect of pen testing. John the Ripper is one of the most popular password cracking tools available today. It started as a way to check for weak UNIX passwords, but has grown to become a more robust tool. Today, penetration testers can use John the Ripper to crack hundreds of password hash and cipher types.
While John the Ripper itself is a CLI tool, Johnny provides a cross-platform GUI for it.
John the Ripper's free and open source software is meant to be compiled from source code. It supports a variety of platforms including Windows, macOS, and Linux. The commercial John the Ripper Pro provides native installers if you're looking for a streamlined install process. You can find links to source code and native installers on John the Ripper's homepage.
Kismet for Packet Sniffing
Kismet is a wireless packet sniffer that is used for network detection, wardriving, and wireless intrusion detection. In addition to Wi-Fi, Kismet works with Bluetooth interfaces and select software defined radio interfaces. Some of the most common uses for Kismet include Wi-Fi traffic sniffing and hidden wireless network discovery. As it is a passive sniffer, Kismet helps a tester remain hidden while sniffing.
Kismet is supported on Linux and Mac OS X. It is also possible to use Kismet's remote capture functionality on Windows 10 with Windows Subsystem for Linux (WSL). You can download Kismet here.
ZAP for Web App Vulnerabilities
Zed Attack Proxy (ZAP) is a free and open source tool used to find vulnerabilities in web apps. It is also one of The Open Web Application Security Project's (OWASP) flagship projects. ZAP is designed to be useful to beginners, but also powerful enough for professional pen testers. For beginners, that means you can hit the ground running with a professional grade tool.
Functionality ZAP provides includes:
- Passive Vulnerability Scanning
- Active Vulnerability Scanning
- A spider to find web pages manual testing may miss
- Port Scanning
- Fuzzing (i.e. Performing Fuzz-Attacks)
In addition to a GUI, ZAP offers an API for scripting and automation. ZAP works on Windows, Linux, and Mac. You can download ZAP from GitHub.
Burp Suite for Traffic Interception
Burp Suite is a popular suite of vulnerability scanning and security tools from PortSwigger. It is offered in three tiers:
- Community edition. This is the free version of Burp Suite that includes only "essential" manual tools.
- Professional edition. The pro version includes essential and advanced manual tools as well as a vulnerability scanner.
- Enterprise edition. The enterprise version of Burp Suite does not have any manual tools. It includes: vulnerability scanning, scheduling of scans, and integration with CI (continuous integration) platforms.
Trusted by big names like Salesforce, Google, Amazon, and Twitter, it's clear Burp Suite is a major player in the InfoSec world. It is designed to enable end-to-end testing, from initial attack surface detection to exploiting vulnerabilities. Burp Suite is available for Windows, Linux, and Mac OS X. You can download the community edition here.
Best Operating System for Pen Testing
Having a particular operating system isn't required for pen testing. As we've seen, pen testing tools are available for most operating systems. However, there is a security-focused Linux distro that many professional penetration testers prefer. That operating system is Kali Linux. Kali comes bundled with many of the tools pen testers need and is designed with InfoSec in mind.
In fact, just installing Kali as-is would give you access to a robust pen testing toolbox. As an added bonus, Kali has been used in the popular Mr. Robot series.
Hardware for Hacking?
One thing that those new to pen testing may overlook is the need for the right hardware. Beyond the software tools we've mentioned here, there's plenty of hardware used in penetration tests. Everything from special Wi-Fi adapters to lock picks to Raspberry Pis can be used to enable penetration testing.
For specific suggestions, WeLiveSecurity put together a top 10 list of hardware devices you may find interesting.
The tools listed here are great options for getting started with penetration testing. They're also suitable for the seasoned pro. Wherever you're at in your pen testing journey, remember tools are just part of the job. A big part of being an effective pen tester is skill and creative thinking. With practice and experience, even a basic toolset can prove effective.