Some of the industry-leading penetration testing tools:
- Metasploit
- Burp Suite
- Kali Linux
- Nessus
- QualysGuard
- PowerSploit
- Cobalt Strike
- Wireshark
- Nmap

The types of pentesting tools you choose significantly impact the quality and results of the test. A tool might catch a vulnerability, or it could miss it altogether. Typically, a pentest leverages several types of tools to ensure visibility into a greater scope of vulnerabilities and weaknesses. Here are several tool types commonly used for pentesting:

Penetration Tool Type | What does it do | Why is it important |
---|---|---|
Vulnerability Scanner | Scans the environment and attempts to detect known vulnerabilities and configuration errors. | Analyze the report generated by the scanner. The goal is to find an exploitable vulnerability to help penetrate the environment. |
Web Proxy | An intermediary server that separates end users from the web pages they attempt to browse. | Intercept and modify traffic as it flows between the web server of the organization and the browser of the pentester. The goal is typically to detect and exploit HTML vulnerabilities and then use them to launch attacks. |
Network Sniffer | Collects and analyzes network traffic. | Locate active applications. The goal is to hunt for exposed credentials or sensitive data that is currently flowing across the network. |
Port Scanner | Detects open ports. | Open ports provide information about applications and operating systems (OS) with network access. The goal is to identify potential attack vectors. |
Password Cracker | A program that attempts to recover passwords that are either stored or transmitted in a scrambled form. | Find weak passwords that can provide access to the network. The goal is to leverage passwords to elevate or expand the level of privileges and gain unauthorized access to the network and its assets. |