What are Penetration Testing Tools?



There is a wide variety of tools used in penetration testing. They fall into two main types: reconnaissance and vulnerability-scanning tools, and exploitation tools. Penetration testing proper is tied to the exploitation tools, but the initial scanning and reconnaissance is usually done with the less intrusive tools; once targets have been identified, the exploitation attempts can begin.


The most important and effective tools related to penetration testing are:

Nmap

Nmap is a popular port scanning tool. Port scanning is typically part of the reconnaissance phase of a penetration test or an attack. Sometimes testers limit a scan to a few ports; at other times they scan all 65,535 TCP ports. To do a thorough job, a vulnerability scanner should scan all ports and, in most cases, a penetration tester will scan all ports. An actual attacker may choose not to scan all ports once a usable vulnerability has been found, because of the "noise" (excess traffic and log entries) that a port scan creates.
https://nmap.org
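
What a connect scan actually does, as an added example (this is not nmap's code): an unprivileged nmap run completes the TCP three-way handshake on each port and reports the ones that answer, optionally reading whatever banner the service volunteers. The listener is started in-process so the scan runs offline; the banner text, host and ports are constructed for the example.

```python
"""TCP connect scan with banner grab against an in-process target.

Added example (not nmap's code): an unprivileged nmap run does a TCP connect scan,
completing the three-way handshake on each port and reporting the ones that
answer. The listener below is started locally so the scan runs offline; the
banner text is constructed and the host/ports are assumptions for the example.
"""
from __future__ import annotations

import socket
import threading


def start_fake_service(banner: bytes) -> tuple[socket.socket, int]:
    """Listen on 127.0.0.1 on an OS-chosen port and send `banner` to each client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(5)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener closed by the caller
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def reserve_closed_port() -> tuple[socket.socket, int]:
    """Bind a port without listening, so connects to it are refused (a known-closed port)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]


def probe_port(host: str, port: int, timeout: float = 0.5) -> tuple[bool, bytes]:
    """Connect scan of one port: (is_open, banner). Banner is whatever the service volunteers."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # refused, timed out or unreachable: treat as not open
            return False, b""
        try:
            banner = s.recv(256)  # SSH, FTP and SMTP speak first; HTTP would need a request
        except OSError:
            banner = b""
        return True, banner


def scan(host: str, ports: list[int]) -> dict[int, bytes]:
    """Return {port: banner} for every port that completed the handshake."""
    open_ports = {}
    for port in ports:
        is_open, banner = probe_port(host, port)
        if is_open:
            open_ports[port] = banner
    return open_ports


if __name__ == "__main__":
    srv, open_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    closed_sock, closed_port = reserve_closed_port()
    for port, banner in scan("127.0.0.1", [open_port, closed_port]).items():
        print(f"{port}/tcp open  {banner.decode(errors='replace').strip()}")
    srv.close()
    closed_sock.close()
```

Every probe here is a full connection, which is exactly the "noise" the paragraph mentions: the target's service logs an accepted connection on each open port. nmap's SYN scan (root only) stops after the SYN/ACK and is quieter at the application layer, though not to a network IDS.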

Nessus

Nessus is a popular vulnerability scanner that many security professionals use regularly. It has a huge library of vulnerabilities and tests to identify them. In many cases, Nessus relies on the responses from the target computer (banners, version numbers, configuration details) without actually trying to exploit the system, so its findings are possibilities rather than proof. Depending on the scope of a vulnerability assessment, the security tester may choose an exploitation tool to verify that reported vulnerabilities are exploitable. Nessus includes port scanning and OS detection, so a vulnerability assessment will sometimes just use Nessus and let it handle those components of the test. For a stealthier scan, a security professional or an attacker may choose to run these tools separately to avoid detection.
http://www.tenable.com/products/nessus/select-your-operating-system

Exploitation Tools

Exploitation tools are used to verify that an actual vulnerability exists by exploiting it. It is one thing to have vulnerability testing software or banners indicate the possibility of an exploitable service, but quite another to exploit that vulnerability. Some of the tools in this category are used by both attackers and penetration testers. There are many more exploitation tools than the ones listed here. Many tools in this category are single-purpose tools designed to exploit one vulnerability on a particular hardware platform running a particular version of an exploitable system. The tools highlighted here are notable in that they can exploit multiple vulnerabilities on a variety of hardware and software platforms.

Metasploit


Metasploit is an exploitation framework that has become a standard part of the penetration tester's tool belt. It provides exploit modules and attack payloads that can be combined in a modular manner. The main purpose of Metasploit is to get a command prompt (a shell) on the target computer. Once a security tester has a command line, it is quite possible that the target computer will be fully under their control in a short time.
https://www.metasploit.com


OWASP groups web application penetration testing tools into the following categories:
  • Information Gathering Tools
  • Configuration Management Testing Tools
  • Authentication Testing Tools
  • Session Management Testing Tools
  • Authorization Testing Tools
  • Data Validation Testing Tools
  • Denial of Service Testing Tools
  • Web Services Testing Tools
  • Ajax Testing Tools
  • HTTP Traffic Monitoring
  • Encoders / Decoders
  • Web Testing Frameworks

Information Gathering Tools

You can use any of the tools listed below.

Whois

WHOIS (pronounced as the phrase who is) is a query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information.
http://whois.domaintools.com
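
The protocol behind the web lookup is small enough to show in full. The following is an added example, not code from whois.domaintools.com: `whois_query` speaks RFC 3912 (one query line over TCP port 43, read until the server closes), and `parse_whois` turns the "Key: value" reply into the handful of facts a tester actually wants. The live query is not run here; the parser runs against a constructed reply.

```python
"""A WHOIS client (RFC 3912: plain text over TCP port 43) and a parser for its reply.

Added example; not whois.domaintools.com's code. `whois_query` performs a live
lookup and is not run here; `parse_whois` and `recon_summary` are exercised
against a constructed reply that mimics the common "Key: value" layout.
"""
from __future__ import annotations

import socket
from collections import defaultdict

SAMPLE_REPLY = """\
% Constructed sample for this example, not real registration data.
Domain Name: EXAMPLE.TEST
Registrar: Example Registrar, Inc.
Updated Date: 2024-01-15T00:00:00Z
Name Server: NS1.EXAMPLE.TEST
Name Server: NS2.EXAMPLE.TEST
Registrant Email: hostmaster@example.test
Tech Email: noc@example.test
>>> Last update of WHOIS database: 2024-02-01T00:00:00Z <<<
"""


def whois_query(query: str, server: str, timeout: float = 5.0) -> str:
    """Send the query line and read until the server closes the connection (that is the whole protocol)."""
    with socket.create_connection((server, 43), timeout=timeout) as s:
        s.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text: str) -> dict[str, list[str]]:
    """Collect 'Key: value' lines; repeated keys (e.g. Name Server) keep every value.
    Comment and disclaimer lines (%, #, >>>) are skipped."""
    fields = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")  # split on the first colon only: values contain colons
        if not sep or not value.strip():
            continue
        fields[key.strip().lower()].append(value.strip())
    return dict(fields)


def recon_summary(fields: dict[str, list[str]]) -> dict[str, object]:
    """The parts a tester cares about: registrar, name servers (next DNS targets)
    and contact addresses (OSINT and phishing surface)."""
    emails = sorted({v for values in fields.values() for v in values if "@" in v})
    return {
        "registrar": fields.get("registrar", [""])[0],
        "name_servers": [ns.lower() for ns in fields.get("name server", [])],
        "emails": emails,
    }


if __name__ == "__main__":
    print(recon_summary(parse_whois(SAMPLE_REPLY)))
```

For a live lookup, ask whois.iana.org first: its reply carries a "refer:" line naming the TLD's WHOIS server, and for thick registries that server may in turn refer you to the registrar's. Field names are not standardised across registries, which is why the parser lower-cases keys and keeps everything rather than looking for fixed ones.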

Maltego

Maltego is a forensics and data mining application. It is capable of querying various public data sources and graphically depicting the relationships between entities such as people, companies, web sites, and documents. Maltego is an open source intelligence tool, but it isn't open source software.
http://www.paterva.com/web7/

Vega


Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
https://subgraph.com/vega/index.en.html

httprint

httprint is a web server fingerprinting tool. It relies on web server characteristics to accurately identify web servers, despite the fact that they may have been obfuscated by changing the server banner strings, or by plug-ins such as mod_security or servermask. httprint can also be used to detect web enabled devices which do not have a server banner string, such as wireless access points, routers, switches, cable modems, etc. httprint uses text signature strings and it is very easy to add signatures to the signature database.
http://www.net-square.com/httprint.html

 

httprecon

The httprecon project does research in the field of web server fingerprinting, also known as HTTP fingerprinting. Its goal is the highly accurate identification of a given httpd implementation, which matters a great deal in professional vulnerability analysis.
http://www.computec.ch/projekte/httprecon/
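
Both httprint and httprecon work because a server's behaviour is harder to change than its banner. The following is an added example, not code from either project, showing one of the traits they score: the order in which headers are emitted. The signature table and the captured response are constructed for the example (the real tools match many traits, including reactions to malformed requests and error-page shapes, and their signatures are measured, not typed in).

```python
"""Web server fingerprinting from header order, ignoring the Server banner.

Added example; not httprint's or httprecon's code. Those tools match many
traits (header order and casing, reactions to malformed requests, error page
shapes); this shows just one, ordering. The signature table and the captured
response are constructed for the example, not measured from real servers.
"""
from __future__ import annotations

# Illustrative signatures: the order in which each family emits common headers.
SIGNATURES = {
    "apache-like": ["date", "server", "last-modified", "etag", "accept-ranges", "content-length", "content-type"],
    "iis-like": ["content-type", "last-modified", "accept-ranges", "etag", "server", "x-powered-by", "date", "content-length"],
    "nginx-like": ["server", "date", "content-type", "content-length", "last-modified", "connection", "etag", "accept-ranges"],
}


def parse_response(raw: bytes) -> tuple[str, str, list[str]]:
    """Return (status line, Server banner or '', header names in wire order, lower-cased)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    names, banner = [], ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        names.append(name.strip().lower())
        if name.strip().lower() == "server":
            banner = value.strip()
    return lines[0], banner, names


def lcs_len(a: list[str], b: list[str]) -> int:
    """Length of the longest common subsequence: how much of the emission order is shared."""
    prev = [0] * (len(b) + 1)
    for x in a:
        cur = [0]
        for j, y in enumerate(b, 1):
            cur.append(prev[j - 1] + 1 if x == y else max(prev[j], cur[j - 1]))
        prev = cur
    return prev[-1]


def fingerprint(raw: bytes, signatures: dict[str, list[str]] = SIGNATURES) -> list[tuple[float, str]]:
    """Rank signatures by the fraction of their header order that the response reproduces."""
    _, _, observed = parse_response(raw)
    ranked = [(lcs_len(observed, sig) / len(sig), name) for name, sig in signatures.items()]
    return sorted(ranked, reverse=True)


# Constructed capture: the banner has been changed, the emission order has not.
OBFUSCATED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"Server: Obfuscated/9.9\r\n"
    b"Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    b"ETag: \"abc\"\r\n"
    b"Accept-Ranges: bytes\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"hello"
)

if __name__ == "__main__":
    _, banner, _ = parse_response(OBFUSCATED_RESPONSE)
    print("banner says:", banner)
    for score, name in fingerprint(OBFUSCATED_RESPONSE):
        print(f"{name:12s} {score:.2f}")
```

The banner says "Obfuscated/9.9" and is never consulted; the ordering alone ranks the apache-like signature first. This is also why banner-rewriting modules are a weak defence: the trait set a fingerprinter scores is spread across the whole HTTP implementation.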

Netcraft

Netcraft provides internet security services including anti-fraud and anti-phishing services, application testing and PCI scanning. It also analyses many aspects of the internet, including the market share of web servers, operating systems, hosting providers and SSL certificate authorities; for reconnaissance, its site report lookup reveals a site's hosting history and the server software it has been seen running.
http://www.netcraft.com

WebRecon


WebRecon


WebRecon (yehg.net) is a small Windows application that performs the same information gathering as the project's web-based Recon page, which its authors expect to become unusable as frame-busting scripts and the X-Frame-Options header spread.
http://yehg.net/lab/#tools

Configuration Management Testing Tools

SSL Testing

OpenSSL

OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.
https://www.openssl.org

SSLDigger



SSLDigger v1.02 is a tool to assess the strength of SSL servers by testing the ciphers supported. Some of these ciphers are known to be insecure.
http://www.mcafee.com/us/downloads/free-tools/ssldigger.aspx
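
What an SSL strength test reduces to, as an added example (not OpenSSL's or SSLDigger's code): offer the server one cipher suite at a time and see whether the handshake completes, then grade whatever it accepted. `enumerate_ciphers` does the live probing and needs network access to a host you are authorised to test, so it is not run here; `grade_cipher` applies the OpenSSL cipher-name conventions and the names it is shown are constructed.

```python
"""Grade TLS cipher suites by name, and enumerate the ones a server accepts.

Added example; not OpenSSL's or SSLDigger's code. `grade_cipher` applies the
OpenSSL cipher-name conventions; the suite names used below are constructed.
`enumerate_ciphers` does what SSLDigger automates (offer one suite at a time and
see whether the handshake completes); it needs network access to a host you are
authorised to test and is not run here.
"""
from __future__ import annotations

import socket
import ssl

# Name tokens that make a suite weak outright, checked in this order (CBC3 before DES).
WEAK_TOKENS = [
    ("NULL", "no encryption"),
    ("EXP", "export-grade key size"),
    ("ADH", "anonymous DH: no server authentication"),
    ("AECDH", "anonymous ECDH: no server authentication"),
    ("RC4", "RC4 keystream biases"),
    ("CBC3", "3DES (64-bit block, Sweet32)"),
    ("DES", "single DES"),
    ("MD5", "MD5 as MAC"),
]


def grade_cipher(name: str) -> tuple[str, str]:
    """Return ('weak' | 'medium' | 'strong', reason) for an OpenSSL-style suite name."""
    tokens = name.replace("_", "-").upper().split("-")
    for token, reason in WEAK_TOKENS:
        if token in tokens:
            return "weak", reason
    if name.startswith("TLS_"):  # TLS 1.3 suites: always AEAD with forward secrecy
        return "strong", "TLS 1.3 suite"
    forward_secret = "ECDHE" in tokens or "DHE" in tokens
    aead = "GCM" in tokens or "CHACHA20" in tokens or "CCM" in tokens
    if forward_secret and aead:
        return "strong", "forward secrecy with AEAD"
    if not forward_secret:
        return "medium", "no forward secrecy (static key exchange)"
    return "medium", "CBC mode with HMAC"


def report(names: list[str]) -> dict[str, list[str]]:
    """Bucket accepted suites by grade, as the findings section of a scan would."""
    buckets = {"weak": [], "medium": [], "strong": []}
    for name in names:
        buckets[grade_cipher(name)[0]].append(name)
    return buckets


def enumerate_ciphers(host: str, port: int = 443, timeout: float = 5.0) -> list[str]:
    """Live probe for TLS 1.2 and below (OpenSSL negotiates TLS 1.3 suites separately)."""
    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.check_hostname = False
    probe.verify_mode = ssl.CERT_NONE
    probe.set_ciphers("ALL:COMPLEMENTOFALL")  # every suite the local OpenSSL can offer
    accepted = []
    for suite in probe.get_ciphers():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        try:
            ctx.set_ciphers(suite["name"])  # offer exactly one suite
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    accepted.append(tls.cipher()[0])
        except (ssl.SSLError, OSError):
            continue  # the server rejected the suite, or the connection failed
    return accepted


if __name__ == "__main__":
    sample = ["EXP-RC4-MD5", "DES-CBC3-SHA", "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
    for name in sample:
        print(f"{name:32s} {grade_cipher(name)}")
```

Two caveats a scan report should carry: the enumeration can only offer suites the local OpenSSL build still supports, so a server that accepts RC4 or export suites will look clean from a modern client unless you test with an old one; and `openssl s_client -connect host:443 -cipher NAME` is the manual equivalent of one iteration when you need to confirm a single result by hand.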

DB Listener Testing

TNS Listener



tnscmd can be used to speak, at a very simple level, with Oracle's TNS listener.
The TNS listener (aka tnslsnr) is the network interface between a database client and the database server. tnslsnr listens on port 1521/tcp by default, but the DBA can change this (listeners on 1541/tcp are also seen in the wild). For what it's worth, nmap-services lists these ports as ncube-lm and rds2 respectively, so a plain nmap scan without version detection will not label them as Oracle.
http://www.jammed.com/

Toad

Toad is a commercial database development and administration suite (originally for Oracle). It automates development and database management tasks, monitors multiple heterogeneous databases from a single view and analyses transactions. In a listener test it serves as a full-featured client for connecting to a database once its listener has been identified.
https://software.dell.com/solutions/database-development-and-management/

Authentication Testing Tools

Password Brute Force Testing

Burp Intruder






Burp Intruder is a tool for automating customized attacks against web applications, to identify and exploit all kinds of security vulnerabilities. Burp Intruder is exceptionally powerful and configurable, and its potential is limited only by your skill and imagination in using it.
 https://portswigger.net/burp/intruder.html
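
The attack Intruder runs most often is the one in this section's title: a template request with marked payload positions, a wordlist per position, and a result grid sorted by whatever differs from a failed attempt. The following is an added example, not PortSwigger's code, that drives that loop against an in-process stand-in for a login endpoint. The `§name§` marker convention, the request template, the wordlists and the single valid credential are all constructed for the example; Brutus and THC Hydra (below) automate the same loop for network services.

```python
"""Cluster-bomb credential attack against a login form, the way Burp Intruder runs one.

Added example; not PortSwigger's code. The target is an in-process stand-in for a
login endpoint; the §marker§ convention, request template, wordlists and the
valid credential are constructed for the example.
"""
from __future__ import annotations

import itertools
import re

# Constructed request template; §name§ marks a payload position.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "user=§user§&pass=§pass§"
)

# Constructed stand-in for the target's user database: one valid pair.
VALID_CREDENTIALS = {("admin", "Winter2024!")}


def render(template: str, values: dict[str, str]) -> str:
    """Substitute each §name§ marker with its payload."""
    return re.sub(r"§(\w+)§", lambda m: values[m.group(1)], template)


def fake_login_endpoint(raw_request: str) -> str:
    """Behaves like a typical form login: redirect on success, 200 with an error page otherwise."""
    body = raw_request.split("\r\n\r\n", 1)[1]
    params = dict(pair.split("=", 1) for pair in body.split("&"))
    if (params.get("user"), params.get("pass")) in VALID_CREDENTIALS:
        return "HTTP/1.1 302 Found\r\nLocation: /home\r\nSet-Cookie: session=s3cr3t\r\n\r\n"
    return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Invalid username or password</html>"


def signature(response: str) -> tuple[str, int, bool]:
    """What the result grid sorts on: status code, body length, and whether a redirect was issued."""
    head, _, body = response.partition("\r\n\r\n")
    status = head.split("\r\n")[0].split(" ", 2)[1]
    return status, len(body), "location:" in head.lower()


def cluster_bomb(template: str, payload_sets: dict[str, list[str]], send):
    """Try every combination of the payload sets; flag responses that differ from a known-bad baseline."""
    names = list(payload_sets)
    baseline = signature(send(render(template, {n: f"no-such-{n}" for n in names})))
    hits, attempts = [], 0
    for combo in itertools.product(*(payload_sets[n] for n in names)):
        values = dict(zip(names, combo))
        attempts += 1
        sig = signature(send(render(template, values)))
        if sig != baseline:  # anything that does not look like a failure is worth a look
            hits.append((values, sig))
    return hits, attempts


if __name__ == "__main__":
    payloads = {"user": ["admin", "root", "test"], "pass": ["password", "admin", "123456", "Winter2024!"]}
    hits, attempts = cluster_bomb(TEMPLATE, payloads, fake_login_endpoint)
    print(f"{attempts} requests, {len(hits)} anomalous: {hits}")
```

Two things the toy leaves out that decide whether a real run works: payloads must be URL-encoded before substitution, and the iteration order matters when the target locks accounts after a few failures (iterate passwords in the outer loop so each account sees one attempt per pass, the "spray" order, rather than exhausting the list against one user).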

Brutus

Brutus is one of the fastest, most flexible remote password crackers available, and it is free. It runs on Windows 9x, NT and 2000; there is no UN*X version. Brutus was first made publicly available in October 1998, and its page reports at least 70,000 downloads and over 175,000 visitors since then. Its author wrote it originally to check routers and similar devices for default and common passwords.
http://www.hoobie.net/brutus/

Cain & Abel


Cain & Abel is a password recovery tool for Microsoft operating systems. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers weaknesses present in protocol standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, but it also ships some "non-standard" utilities for Microsoft Windows users.
http://www.oxid.it/cain.html

John the Ripper

John the Ripper is a free and open source password hash cracker, distributed primarily in source code form. It runs dictionary, rule-based (wordlist mangling) and incremental (brute-force) modes against many hash formats, including the Unix crypt(3) variants and Windows LM hashes. If you would rather use a commercial product tailored for your specific operating system, consider John the Ripper Pro, which is distributed primarily in the form of "native" packages for the target operating systems and is meant to be easier to install and use while delivering optimal performance.
http://www.openwall.com/john/

Ophcrack


Ophcrack is a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
http://ophcrack.sourceforge.net
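
Ophcrack is fast because the work has been done in advance, and the reason that works against Windows hashes is that they are unsalted: the same password always gives the same hash, so a table computed once cracks every machine. The following is an added example, not Ophcrack's code, of the rainbow-table technique itself on a toy key space (4-digit PINs hashed with unsalted MD5 as a stand-in for LM/NTLM; the table size and chain length are assumptions chosen for speed, not coverage). John the Ripper and Cain, by contrast, hash guesses on the fly.

```python
"""A toy rainbow table, the technique behind Ophcrack, on a 4-digit PIN space.

Added example; not Ophcrack's code. Unsalted MD5 of the PIN text stands in for
the unsalted LM/NTLM hashes Ophcrack targets (a salt defeats precomputation);
the table parameters are chosen for speed, not coverage, and are assumptions.
"""
from __future__ import annotations

import hashlib

KEYSPACE = 10_000   # PINs 0000-9999
CHAIN_LEN = 50      # columns per chain
NUM_CHAINS = 400    # chains stored; coverage grows with CHAIN_LEN * NUM_CHAINS


def pin_hash(pin: int) -> bytes:
    return hashlib.md5(f"{pin:04d}".encode()).digest()


def reduce(digest: bytes, step: int) -> int:
    """Map a hash back into the key space. Mixing in the column number is what makes
    this a *rainbow* table: chains that collide in different columns no longer merge."""
    return (int.from_bytes(digest[:4], "big") + step) % KEYSPACE


def build_table() -> dict[int, list[int]]:
    """Precompute: only (end -> start) of each chain is stored, not the intermediate values."""
    table = {}
    for start in range(NUM_CHAINS):
        pin = start
        for step in range(CHAIN_LEN):
            pin = reduce(pin_hash(pin), step)
        table.setdefault(pin, []).append(start)
    return table


def crack(target: bytes, table: dict[int, list[int]]) -> int | None:
    """Lookup: assume the hash sits in column i, finish the chain from there, look the
    endpoint up, then rebuild the matching chain from its start to find the plaintext."""
    for i in range(CHAIN_LEN - 1, -1, -1):
        pin = reduce(target, i)
        for step in range(i + 1, CHAIN_LEN):
            pin = reduce(pin_hash(pin), step)
        for start in table.get(pin, []):
            candidate = start
            for step in range(CHAIN_LEN):  # walk the chain; an endpoint match can be a false alarm
                if pin_hash(candidate) == target:
                    return candidate
                candidate = reduce(pin_hash(candidate), step)
    return None


def coverage(table: dict[int, list[int]], pins) -> float:
    """Fraction of the given PINs the table recovers (real tables are sized for ~99%)."""
    pins = list(pins)
    found = sum(1 for p in pins if crack(pin_hash(p), table) == p)
    return found / len(pins)


if __name__ == "__main__":
    table = build_table()
    print("stored chains:", sum(len(v) for v in table.values()))
    print("0123 ->", crack(pin_hash(123), table))
    print("coverage on a 200-PIN sample:", coverage(table, range(5000, 5200)))
```

The storage saving is the point: 400 chains of 50 columns cover up to 20,000 hash computations' worth of key space while storing 400 pairs. The price is paid at lookup time (up to CHAIN_LEN partial chains per hash) and in imperfect coverage; a salt of even a few bytes multiplies the key space by the number of possible salts and makes the precomputation useless, which is why salted formats do not appear in rainbow-table products.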

THC Hydra


THC Hydra is a parallelized network logon cracker that has been developed for more than ten years and supports a large number of protocols, including HTTP forms, FTP, SSH, SMB, SMTP, POP3/IMAP, RDP and VNC. Its project page recaps the functionality it provides and compares feature sets, service coverage and code against the other popular network authentication crackers; the comparison table is updated as new features are added to the project.
https://www.thc.org/thc-hydra/

Session Management Testing Tools

CookieDigger


CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users and logins. It reports on the predictability and entropy of the cookie and on whether critical information, such as the user name or password, is included in the cookie values.
http://www.mcafee.com/us/downloads/free-tools/cookiedigger.aspx
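
The three checks the paragraph names (entropy, predictability, embedded secrets) are simple to run once you have a sample of tokens. The following is an added example, not McAfee's code; both token sets are constructed, one from a deliberately bad scheme (base64 of "username:counter") and one from a seeded PRNG standing in for a CSPRNG so the run is repeatable. In practice the sample comes from logging in repeatedly, as CookieDigger does.

```python
"""Predictability checks on a sample of session cookies, the CookieDigger idea.

Added example; not McAfee's code. Both token sets are constructed: a bad scheme
(base64 of "username:counter") and a seeded PRNG standing in for a CSPRNG so the
run is repeatable. Real use would collect the tokens by logging in repeatedly.
"""
from __future__ import annotations

import base64
import binascii
import math
import random
import re
from collections import Counter

USERS = ["alice", "bob", "carol", "dave"]


def bad_tokens(n: int = 64) -> list[str]:
    """Constructed weak scheme: base64("user:counter"), counter incrementing per login."""
    return [base64.b64encode(f"{USERS[i % len(USERS)]}:{1000 + i}".encode()).decode() for i in range(n)]


def good_tokens(n: int = 64) -> list[str]:
    """128 random bits per token; seeded PRNG so the example repeats (use `secrets` for real)."""
    rng = random.Random(20240101)
    return [rng.getrandbits(128).to_bytes(16, "big").hex() for _ in range(n)]


def decode_token(token: str) -> str:
    """Undo base64 if the token is base64 of printable text; otherwise keep it as-is."""
    try:
        raw = base64.b64decode(token + "=" * (-len(token) % 4), validate=True)
        return raw.decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return token


def entropy_per_position(tokens: list[str]) -> float:
    """Mean Shannon entropy (bits) of the symbol at each position, over the common width.
    A 16-symbol hex alphabet tops out at 4 bits; structure and counters pull it down."""
    width = min(len(t) for t in tokens)
    n = len(tokens)
    total = 0.0
    for pos in range(width):
        counts = Counter(t[pos] for t in tokens)
        total -= sum(c / n * math.log2(c / n) for c in counts.values())
    return total / width


def analyze(tokens: list[str], usernames: list[str]) -> dict[str, object]:
    """The three CookieDigger questions: how random, is there a counter, does it leak identity."""
    decoded = [decode_token(t) for t in tokens]
    counters = [re.search(r"(\d+)$", d) for d in decoded]
    sequential = all(counters) and all(
        int(a.group(1)) < int(b.group(1)) for a, b in zip(counters, counters[1:])
    )
    leaks = any(u in d for d in decoded for u in usernames)
    return {
        "avg_entropy_bits": entropy_per_position(tokens),
        "leaks_username": leaks,
        "sequential": sequential,
    }


if __name__ == "__main__":
    print("bad :", analyze(bad_tokens(), USERS))
    print("good:", analyze(good_tokens(), USERS))
```

Per-position entropy is a coarse measure (a token can score well here and still be predictable if it is, say, an MD5 of the time), so treat a low score as proof of weakness and a high score only as absence of this particular flaw.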

Authorization Testing Tools

Data Validation Testing Tools

  • Fuzzers
  • SQL Injection Testing
  • XSS Testing
  • Buffer Overflow Testing

Skipfish



Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.
https://code.google.com/archive/p/skipfish/

w3af


w3af is a Web Application Attack and Audit Framework. The project’s goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
http://w3af.org
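
The SQL injection tests in this category all rest on the same observation: input that reaches the query as text can change the query's logic. The following is an added example, not w3af's or Skipfish's code, with the vulnerable query beside its parameterized fix and the boolean differential probe a scanner runs to tell them apart. The in-memory SQLite database, the accounts and the payload list are constructed for the example.

```python
"""SQL injection: the vulnerable query beside its parameterized fix, plus the
differential probe a scanner such as w3af or Skipfish runs to detect it.

Added example; not w3af's or Skipfish's code. The in-memory SQLite database,
the accounts and the payload list are constructed for the example.
"""
from __future__ import annotations

import sqlite3

PAYLOADS = ["' OR '1'='1", "' OR 1=1 --", "admin' --"]


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    # Constructed accounts; plaintext passwords only to keep the example short.
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("admin", "correct horse"), ("alice", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Input is pasted into the query text, so quotes and comment markers rewrite its logic.
    query = f"SELECT name FROM users WHERE name = '{user}' AND password = '{password}'"
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    # Placeholders keep the input as data; the SQL grammar is fixed before the values arrive.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, password)).fetchone() is not None


def probe(login, conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Inject each payload into each field and report the ones that change the outcome
    relative to an ordinary failed login (a boolean-based differential, as scanners do)."""
    baseline = login(conn, "nobody", "wrong")
    findings = []
    for field in ("user", "password"):
        for payload in PAYLOADS:
            args = (payload, "wrong") if field == "user" else ("nobody", payload)
            if login(conn, *args) != baseline:
                findings.append((field, payload))
    return findings


if __name__ == "__main__":
    conn = setup_db()
    print("vulnerable:", probe(login_vulnerable, conn))
    print("safe      :", probe(login_safe, conn))
```

Note which payloads fire where: `' OR '1'='1` bypasses the check only in the password field, because AND binds tighter than OR, while the `--` variants work in the user field by commenting the password clause out entirely. A scanner that tries one payload in one position misses real bugs; the fix, parameterization, closes all of them at once.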

Denial of Service Testing Tools

Web Services Testing Tools

Ajax Testing Tools

HTTP Traffic Monitoring

Web Proxies

Burp Suite


Burp Suite helps you secure your web applications by finding the vulnerabilities they contain. Cutting-edge tools let you combine automated and manual techniques to make your security testing more effective and thorough than ever before.
https://portswigger.net

Paros Proxy


A Java-based HTTP/HTTPS proxy for assessing web application vulnerabilities. It supports editing and viewing HTTP messages on the fly. Other features include spiders, client certificates, proxy chaining, and intelligent scanning for XSS and SQL injection.
https://sourceforge.net/projects/paros/

Webscarab


WebScarab is a framework for analysing applications that communicate using the HTTP and HTTPS protocols. It is written in Java, and is thus portable to many platforms. WebScarab has several modes of operation, implemented by a number of plugins. In its most common usage, WebScarab operates as an intercepting proxy, allowing the operator to review and modify requests created by the browser before they are sent to the server, and to review and modify responses returned from the server before they are received by the browser. WebScarab is able to intercept both HTTP and HTTPS communication. The operator can also review the conversations (requests and responses) that have passed through WebScarab.
https://www.owasp.org/index.php/OWASP_WebScarab_Project

TamperIE


TamperIE is a simple Internet Explorer Browser Helper Object which allows lightweight tampering of HTTP requests from Internet Explorer 5 and above.
WARNING: This tool makes it simple to do very bad things to poorly-written code.  Malicious use of this tool against third-parties is a violation of federal, state, and local laws.  Be smart.
TamperIE is a useful tool for security testing your web applications, in order to ensure you don't make foolish assumptions about the data sent by client browsers.  Since the tool exposes and allows tampering with otherwise inconvenient input, many user-input security flaws immediately become apparent.
TamperIE works inside IE itself, before data is placed on the wire; this means that it works fine even against HTTPS-secured sites.
http://www.bayden.com/TamperIE/

Tamper-Data


Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters, to trace and time HTTP requests and responses, and to security-test web applications by modifying POST parameters. Note that the current version of Google Web Accelerator is incompatible with the tampering function of Tamper Data: the browser will crash.
https://addons.mozilla.org/en-US/firefox/addon/tamper-data/
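
Whether the interception happens in a proxy (Burp, Paros, WebScarab) or inside the browser (TamperIE, Tamper Data), the edit is the same: change a field the application assumed only it could set, and keep the request well-formed. The following is an added example, not code from any of those tools; the captured request is constructed, and the rule rewrites a hidden form field while fixing Content-Length, the detail that trips people up when hand-editing.

```python
"""Rewriting an intercepted request the way a proxy's intercept tab does.

Added example; not Burp's, Paros's, WebScarab's, TamperIE's or Tamper Data's code.
The request is a constructed capture of a form post carrying hidden fields; the
rule changes one field and recomputes Content-Length so the request stays valid.
"""
from __future__ import annotations

from urllib.parse import parse_qsl, urlencode

# Constructed capture: "role" and "price" came from hidden inputs the page rendered.
CAPTURED_REQUEST = (
    b"POST /profile HTTP/1.1\r\n"
    b"Host: shop.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"name=alice&role=user&price=100"
)


def parse_request(raw: bytes) -> tuple[str, list[tuple[str, str]], bytes]:
    """Split a raw request into (request line, [(header, value)...], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize(request_line: str, headers: list[tuple[str, str]], body: bytes) -> bytes:
    """Re-emit the request; Content-Length is rewritten in place to match the new body."""
    fixed, seen = [], False
    for name, value in headers:
        if name.lower() == "content-length":
            fixed.append((name, str(len(body))))
            seen = True
        else:
            fixed.append((name, value))
    if body and not seen:
        fixed.append(("Content-Length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in fixed])
    return head.encode("latin-1") + b"\r\n\r\n" + body


def tamper_form_field(raw: bytes, field: str, new_value: str) -> bytes:
    """The intercept rule: decode the form body, replace one field, re-encode, fix the length."""
    request_line, headers, body = parse_request(raw)
    params = parse_qsl(body.decode("latin-1"), keep_blank_values=True)
    params = [(k, new_value if k == field else v) for k, v in params]
    return serialize(request_line, headers, urlencode(params).encode("latin-1"))


if __name__ == "__main__":
    print(tamper_form_field(CAPTURED_REQUEST, "role", "admin").decode())
```

The server-side lesson is the one TamperIE's description states: nothing the client sends is trustworthy, hidden fields included. A role must come from the session, and a price from the catalogue, never from the form.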

SPIKE Proxy


SPIKE Proxy is part of the SPIKE Application Testing Suite. It functions as an HTTP and HTTPS proxy and gives the web developer or web application auditor low-level access to the entire web application interface, while also providing a range of automated tools and techniques for discovering common problems.
www.immunitysec.com/downloads/SP148.zip

Suru Web Proxy

Suru is a Man In The Middle (MITM) proxy that sits between the user's browser and the web application. It receives all the requests made by the browser and records them. The requests can be modified in any way and replayed. Suru not only catches requests made by the user, but also requests that use the IE object, such as rich applications using web services, MSN ads, Google Earth requests, application auto-updates, etc. The proxy understands multipart POSTs (MPPs) and XML POSTs (used for web services).
https://github.com/sensepost/Suru

Charles

Charles is an HTTP proxy / HTTP monitor / Reverse Proxy that enables a developer to view all of the HTTP and SSL / HTTPS traffic between their machine and the Internet. This includes requests, responses and the HTTP headers (which contain the cookies and caching information).
http://www.charlesproxy.com

BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors.
http://beefproject.com

JS Commander

JS Commander (jscmd for short) is an HTTP proxy server with a JavaScript console. It lets you evaluate JavaScript code in most browsers that support XmlHttpRequest. It is tested with Firefox 2, IE 6/7, Safari 2.0.4 and Opera 9 (including Wii). The JavaScript console and the web browser can be run on different machines, so it’s especially useful if you want to debug/run JavaScript code in embedded browsers with poor keyboard support and small screens such as iPhone, iPod Touch and Wii.
http://jscmd.rubyforge.org

ratproxy

A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex web 2.0 environments.
https://code.google.com/archive/p/ratproxy/

Sniffers

Encoders / Decoders

CAPTCHA Decoders

PWNtcha

PWNtcha stands for "Pretend We’re Not a Turing Computer but a Human Antagonist", as well as PWN capTCHAs. This project’s goal is to demonstrate the inefficiency of many captcha implementations.
http://caca.zoy.org/wiki/PWNtcha

The Captcha Breaker

Captcha Breaker: all software unless otherwise noted is distributed under the GPL-3 license, (c) 2006-2007 Abram Hindle (see GPL-3.0, LICENSE and/or HACKING). You need OCaml to compile it (OCaml 3.09.2 is recommended), plus m4 and make. On Ubuntu/Debian install the following packages:
  • libcamlimages-ocaml, libcamlimages-ocaml-dev
  • libocamlgsl-ocaml, libocamlgsl-ocaml-dev
  • ocaml-findlib, ocaml-native-compilers
  • m4, make
Then "make phpbb digg seedpeer piratebay" builds the captcha breakers. They need fonts: each breaker expects a segments directory and a fonts directory in its current directory (phpBB comes with an example font file). Copyrighted captchas cannot be distributed, so only the font skeleton is shown.
http://churchturing.org/captcha-dist/

Web Testing Frameworks

Websecurify

Websecurify is a web application security testing environment designed from the ground up to combine automatic and manual vulnerability testing technologies.
http://www.websecurify.com
