Penetration Testing Tools : Top 55

July 16, 2019

---

Penetration Testing Tools: Complete Updated List 2019<

Penetration testing is a method of finding flaws in the software in terms of security loopholes. The aim is to force a planned attack on the system to verify whether the attacker is capable of gaining access into the system's local files and features. Penetration testing is also known as 'Pen testing'.Following is the list of penetration testing tools that are most widely used. These tools cater to different categories like application specific scanners, debuggers, encryption tools, packet sniffers, password crackers, traffic monitoring tools, vulnerability scanners, port scanners, web proxies and many more.

Vega:

Vega is an open source penetration tool aimed at testing security of web applications to track whether there's any loophole which might lead to some malicious attacks. Vega emphasises on the following features:
• Verifying if the website is prone to SQL injections which leads to mishandling of data
• Automated Scanner: The web crawler feature of Vega helps to crawl through the website to analyse the page’s content to capture links and form parameters to assess possible points of data injections and runs the script written in JavaScript to ensure its correctness
• Vega, when acting as a proxy, analyses the communication between the client and server thus applying SSL encryption for a website
• The proxy scanner can simultaneously run the modules that might attack the system while the user browses the target website through it
• The platform for Vega is written in Java that works across platforms like Windows, Linux, OS X.

Source:Vega

ZED Attack Proxy (ZAP):

An open source penetration testing tool developed by Open Web Application Security Project which intends to find vulnerabilities within a web application. Few major areas which ZAP emphasises on are:
• Intercepting Proxy: The term means intercepting or fetching the messages transferred between the browser and Web server. ZED hence tracks the destination server by tracking the intercepted messages.
• Automated Scanner: The scanning mechanism reads through the web page's content to assess presence of any loophole that could lead to malicious attack to the systems' confidential data
• Passive Scanner: A passive scanner is nothing but a way to capture the traffic between the browser and web server. Basically, the proxy server starts as we start ZAP and tracks the traffic for a secure connection
• Brute Force Scanner: Such a scanner mechanism helps to catch bugs in terms of authentication. Brute force implies attacking the authenticity and invading deep into the system's confidential information via GET and POST response-request.
• Fuzzer: Fuzzing in ZAP is a technique of injecting malformed data into the system with an intent to find bugs within the web application.
• Port Scanner:Port scanning is used to test the number of open ports on the target site.
• Spider:This feature is used to track new resources on a website and lists the URLs. It keeps traversing the URL’s until new resources are located.
• Web Sockets:Websockets are a TCP connection between the client and server and are intended to remove communication barriers while the client attempts to establish a connection with the server.

Source:ZAP

Wapiti:

• Test reports can be generated in different formats like HTML, XML, JSON etc.
• Supports various methods for validating authenticity - Basic, Digest, Kerberos, NTLM
• Removes parameters from URL's
• Enables activation/deactivation of SSL certificate verification
• Can extract URL's from Flash SWF files and JavaScript

Hence, Wapiti can detect the following vulnerabilities -

Remote and local file identification, injections into database, cross site scripting, backup configurations that could possibly be bypassed and so on.

Source:Wapiti

W3af:

The acronym stands for 'Web Application and Audit Framework' designed to guard our web applications against security vulnerabilities. The tool extends the following functionalities/ features that define its credibility in performing pen testing.
• With W3af's features we can capture security threats like SQL injection, cross-site scripting, credential authentication etc.
• The tool comes with a GUI and console user interface
• W3af is divided into core and plugin, where the core is responsible to coordinate with the system and offer features that are used by plugins to discover the vulnerabilities

Source:W3af

Iron Wasp:

• Iron Wasp is a GUI based tool which has an easy to use interface
• One may record Login sequence while testing
• Capable of checking a wide range of vulnerabilities
• Test reports can be generated in HTML and RTF formats
• Testers can write custom security scanner in a short span of time
• It has built-in crawler, scan manger and proxy
• Has a static analysis engine that runs on JavaScript

Source:Iron Wasp

SQLMap:

• A wide range of database management systems are supported - MySQL, Oracle, PostgreSQL, Microsoft SQL server and Informix
• One may apply a variety of SQL injection techniques such as Boolean based, time based, error based, UNION query based etc.
• Supports connectivity to the database by passing DBMS credentials, IP address, port number and database name
• Facilitates cracking password hashes with auto recognition of passwords
• We can download or upload any file by connecting to the database

Source:SQLMAP

BeEF (Browser Exploitation Framework):

• Enables capturing of vulnerabilities associated with any website, in real time.
• The tool is compatible with Kali Linux, hence can be started as a service and accessed on the localhost
• A cost friendly penetration testing tool
• Helps to counter vulnerabilities like cross-site scripting

Source:BeEF

Grabber:

• Performs JavaScript parsing to fetch the URL and get parameters
• Evaluates correctness of JavaScript with JavaScript Lint
• Facilitates SQL injection
• Generates file's session is and time to analyse statistics
• Back up file analysis and assess file inclusion vulnerabilities

Source:Grabber

WebScarab:

• A tool written in Java, is used for penetration testing HTTP(S) protocols
• WebScarab may act as an intercepting proxy thus it allows the operator review and modify browser requests before sending them to the server and review results returned by the server
• Bandwidth simulator helps the testers to assess a browser’s performance in case of a communication over a slower network
• Parameter fuzzing helps to check whether the browser is validating incomplete parameter validation that eventually leads to Cross Site Scripting and SQL injection

Source:WebScarab

Skipfish:

• Calls an application's methods in two ways - recursively and searching through the dictionary
• Highly optimised HTTP handling, minimum CPU footprint leads to higher processing speed leading to 2000 requests per second
• Offers a variety of checks that brings out the slightest flaws including blind injection vectors
• Auto wordlist creation/ form auto completion
• Supports a range of web technologies and websites composed of hybrid technologies

Source:Skipfish

Ratproxy:

• Capable of detecting intrusive interaction between domains
• Solves a lot of security issues like MIME type mismatch, charset issues, XSS and many more
• Ratproxy efficiently handles sea-surf (X SRF) attacks. While testing the application, the proxy will try to validate the XSRF protections, each time a request is received
• Identifies if HTTP and META redirectors are redirected to lesser known browsers
• Among all sorts of security problems some of the very basic aspects are met by this tool - alarming the JavaScript, directory indexing, server errors etc.

Source:Ratproxy

Wfuzz:

• Header Brute force attacks are used to enforce some attack mechanism by which we can decrypt the cipher text carried by the header (GET or POST method)
• Checks accuracy of URL encoding as well
• Proxy validates the request and response exchanged over HTTP
• Multithreading enables executing concurrent codes

Source:Wfuzz

Grendel-Scan:

• With Grendel scan's UI, testers simply identify the location for storing the scanned files and URL to begin with
• Once the scan begins the tester isn't required to do much with it
• Test report generated in HTML format so as to make it readable across all web browsers, the best part of the report being the type and degree of vulnerabilities are listed accordingly in the generated report

Source:Grendel Scan

Watcher:Watcher is a penetration tool or sometimes termed as a utility that scans the available wireless network available within a specific range and retrieves information like IP address, MAC address, NIC card name and name of the computer

• Watcher is a safer option for cloud infrastructure
• Unlike scanners and crawlers, this tool screens user interactions and reports its confidentiality
• Watcher has a built-in Check macro feature with which password protected pages can be verified easily
• The tool can convert PDF/ Word files into HTML files to make it readable as in a normal webpage

Source:Watcher

X5S:

• X5S is a Fiddler plugin that lets us insert test cases into a web application so as to figure out encoding issues. The idea is to analyse as to how an encoding issue leads to cross-site scripting
• It also helps to identify the areas to assess bypassing of XSS filters by injecting ASCII
• With X5S we can analyse whether the injected values in the input fields leads to an appropriate encoded output or does the character transform into something else
• X5S lays more emphasis on verify parameter and field values to assess their vulnerability to threats

Source:X5S

Arachni:

• Integrated browser environment of Arachni offers maximum coverage for a wide range of technologies like HTML5, JavaScript, DOM manipulation and many more

Metasploit:

• Supports a wide range of frameworks that helps with a quite a few major functionalities like configuring, logging, database storage, scripting etc.
• Metasploit provides auxiliary modules that can perform pre and post exploitation functionalities like scanning, launch attacks, OS detection, service detection etc.
• Metasploit can very well integrate with add-on packages that creates standalone payloads that can further be encrypted via database connectivity, GUI interface etc.
• Metasploit's open source feature makes it quite flexible to make it adaptable as per requirement

Source:Metasploit

Wireshark:

• A network analyser which screens the network to do a micro analysis of what's going on. It can detect over a hundred protocols at a given point of time
• Wireshark captures live packet data from network interface
• Great features for VOIP analysis
• Can extract or import files from already capture file formats like tcpdump, Secure IDS iplog, Microsoft Network monitor, WAN/LAN analyser and so on.
• Supports network protocols such as IPSec, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2
• The output thus generated can be stored CSV, XML or PostScript

Source:Wireshark

CORE Impact:CORE impact's advanced features include -

• Testers can pause and save the state of a test during a run, post which they can resume the window where they left the work undone
• Reports are customisable as users can export test report to a format say Microsoft Excel. Also they are free to make appropriate changes to the report
• Supports 'Kerberos' protocol with latest features like pass-the-ticket and pass-the-key
• Supports Windows Management Instrumentation (WMI)

Source:Core Impact

Back Track:

• Providing maximum and availability of data backup for any database and an easy recovery method
• Provides a way to archive logs of data which is a great way to manage and export data to local and remote hosts
• Extracting physical backups are easier
• While backing up a given piece of data, parallel streams of backup are created thereby improving performance to a great extent
• Test recoveries are done to ensure that all configurations, devices and data are in place before finally restoring data

Source:Back Track

Nessus:

• This penetration tool has the potential to identify vulnerabilities that may cause harm to sensitive information stored in the system
• Verifies whether a system has the latest software patches
• Verifies vulnerability of the system to get affected by malicious users by applying common passwords
• Tests with mobile devices to assess the degree of vulnerability

Source:Nessus

Burpsuite:

• Burp suite is a popular tool that lets us scan through any portion of a webpage and make changes wherever required
• Covers vulnerabilities such as SQL injection, cross-site scripting, file path manipulation, Server Side Includes (SSI) injection, XML injection and so on
• With this tool, while testing security vulnerability we can set 'attack insertion points' within parameters, cookies, HTTP headers or URL file path
• Testers have the option to filter configurations by choosing the appropriate URL’s or hosts are to be scanned
• Real time feedback enables better assessment of test results due to the ongoing active scan queue that reflects the progress of each scan

Source:Burpsuite

Cain & Abel:

• Password manager helps locate passwords of Outlook Express, Internet Explorer and so on
• Can fetch password for Enterprise as well as local credentials on Windows XP
• Dialup password decoder can reveal passwords stored by 'Dial-up' connections
• Can detect man-in-the middle attacks
• Can extract user names for Security Identifiers on remote systems
• Can monitor messages from a variety of protocols - VRRP, RIPv2, EIGRP etc.

Source:Cain & Abel

Acunetix:

• This penetration tool has the most powerful test methodology for SQL injection and cross site scripting
• HTML5 support
• Scanning single page applications and JavaScript based websites
• AcuMonitor service helps detect a wide range of vulnerabilities
• Supports advanced penetration testing tools such as HTTP Editor and HTTP Fuzzer

Source:Acunetix

John The Ripper:

• A password cracker tool that caters to needs of the tester and customisable according to a need
• The tool is primarily used for detection of passwords that could pose a security threat
• This password cracker can be run on any platform either locally or remotely
• We may use the command prompt to recover passwords

Source:John The Ripper

Retina:

• Identification of sensitive data across various environments
• Scans through a web page including technologies like AJAX, SOAP, REST/WADL, XML, JSON etc.
• Open Web Application Security Project list includes risks like SQL Injection, Cross-Site Scripting, Cross-site request forgery and so on
• Can audit web applications against huge volumes of database, theme and plugin vulnerabilities
• Deep scan technology enables accuracy as it crawls through client side web page's content such as HTML5, JavaScript and AJAX
• Improves vulnerability detection while limiting the number of false positives

Source:Retina

Social Engineer Toolkit:

• A Python driven testing tool that aims to detect human attacks on a system
• The tool can be combined with java driven attacks to send phish emails and buggy file formats
• SET supports both GUI and console based versions to deal with attacks

Sqlninja:

• Primarily aimed at detecting SQL injection vulnerabilities for web applications using Microsoft SQL Server
• SQL ninja can detect fingerprint of SQL server by its version, user queries, user privileges etc.
• Privilege escalation if the required password is found
• Create custom xp_cmdshell in case the original one is disabled
• To find an appropriate port that is permissible by the firewall, a TCP/UDP portscan from SQL Server to the attacking machine is done
• In a situation where no TCP/UDP ports are available for direct and reverse shell, DNS tunnelled pseudo shell are used

Source:Sqlninja

Nmap:

• The tool can identify hosts on a network to list the hosts responding to TCP and ICMP requests
• Scanning the number of open ports on a target host
• Network services on remote devices are detected to capture an application's name and version number
• Detecting an operating system and characteristics of hardware of any network device

Source:Nmap

Dradis:

• Report sharing is much easier with this tool as it's prime objective is information sharing during security assessment
• Attachments are supported in order to enable sharing of any file
• Dradis is platform independent
• Has built-in plugins to read and collect output of a variety of network tools, be it NMap, BurpSuite or Nikto

Source:Dradis/

Ettercap:

• The tool is meant to perform man-in-the-middle attacks by injecting random characters into a live connection thus imitating commands sent or received by the client to the server
• TCP/UDP packets are automatically filtered and replaced by searching for any ASCII or hexadecimal string and replacing it with our own choice of a string
• Auto collection of information from protocols like TELNET, FTP, POP3, SSH1 and many more
• The tool enables inserting into HTTP SSL session
• Using PPTP tunnels we can perform man-in-the-middle attacks

Source:Ettercap

Hydra:

• A password cracking tool that aims to guess passwords from databases using Brute Force methodology
• It works well with almost all major operating systems - Linux, Windows, Solaris, FreeBSD/OpenBSD, and OSX

Source:Hydra

SHODAN:

• SHODAN is a search engine that uses web crawlers to traverse a website
• The tool can detect all connected devices to the system

Aircrack-ng:

• A tool that monitors Wi-Fi network security by capturing and sending data packets to text files which will then be processed by third party tools
• Detects fake access points and de-authentication via packet injection
• Verifying Wi-Fi driver capabilities
• Has the potential to crack WEP and WPA PSK connections

Source:Aircrack-ng

PunkSPIDER(scanner powered by PunkSCAN):

• It can perform a huge number of vulnerability scans
• There are specific scans performed by the tool are SQL injection, and cross-site scripting

Source:PunkSPIDER

IBM AppScan:

• Integrates well with other tools as well as other activities like application development, build integration, security monitoring
• Offers security in terms of better regulatory compliance thereby minimising application's risk
• With features such as Intelligent Finding Analytics, time and effort is reduced to a great extent to determine and find a remedy to a certain vulnerability
• Security status can be shared among the team members with enhanced reporting and compliance features
• Stronger and cost-effective security with source code analysis

Source:IBM AppScan

Nagios:

• Monitors network protocols such as SMTP, POP3, HTTP, ICMP and so on
• Nagios monitors host resources – processor load, disk space, system logs as well as hardware
• The tool can be used to perform remote monitoring that is supported through SSH or SSL
• Plugins allows user to develop their service checks with their choice of tools - shell scripts, C++, Perl, Ruby etc.
• Notify the users when a service or host problem occurs and get resolved

Source:Nagios

Nikto:

• Provides SSL support - OpenSSL for Unix
• Proxy support for HTTP
• We can save reports in HTML, XML, CSV or text format
• It can scan a more than one port on a server using an input file
• Basic and NTLM are used to perform host authentication

Source:Nitko

OpenVAS:

• OpenVAS scanner scans a number of hosts concurrently, provides OpenVAS transfer protocol, SSL support for OTP and so on
• OpenVAS manager includes OpenVAS management protocol, SQL database for scan results, SSL support, scheduled scans etc.
• GreenBone Security Assistant feature consists of client for OMP and OAP, HTTP and HTTPS, web server, online integrated help system

Source:OpenVAS

Secunia PSI:

• Secunia PSI is available in 5 languages - English, French, German, Spanish and Danish
• A better and simplified user interface has an organised way of presenting security status of a software
• Automatic patching helps to auto scan them at the background along with updating programs while carrying on with day to day activities
• Can verify vulnerabilities in applications and plugins
• Warning is issued if there's any chance of threat occurrence

Source:Secunia PSI

Appspider:

• Universal translator: this feature allows to comprehend everything be it any specific type of format, protocols and development technologies pertaining to modern browsers
• Vulnerability validator: with an efficient reporting system, developers can validate threats or vulnerabilities and reproduce them in real time
• AppSpider scales up the process of identifying security issues through integrations with Continuous Integration, WAF (Web Application Firewall), bug tracking, thus enabling developers to resolve defects

Source:AppSpider

Brakeman:

An ideal security testing tool to uncover vulnerabilities in Ruby on Rails application code, that includes-
• Cross site scripting.
• SQL injection.
• File accessibility.
• Unsafe code evaluation.
• Cross site forgery.
• Unsafe deserialization.
• Session manipulation.

Sitedigger:

• Handles vulnerabilities such as privacy, backup files, configuration errors, remote administrator interface etc.
• SiteDigger uses Google API that makes it stand out among other tools
• Automatically tests 26 SSL ciphers thereby assigning them a certain degree of security vulnerability
• It has signature update functionality and offers a dynamic GUI

Source:SiteDigger

Netsparker:

• Netsparker's proof based scanning lets uncover various hidden vulnerabilities, in a read-only format so that a summary of such security issues are reported and solved on time
• Easy 'URL Configuration' let testers replace erroneous GET parameters with more correct or readable URL path segments
• Custom URL Rewrite enables configuring scanner by providing URL rewrite patterns for the target website
• The tool has capabilities to counter vulnerabilities like SQL injection, cross site scripting across all types of platforms and technology
• Web service scanning eases communication between network and web based devices

Source:Netsparker

OWASP:

It is termed as 'Open Web Application Security Project' that provides a list of documents, articles, methodologies and so on for a variety of security testing tools.
• Provides free and open source security tools and standards
• Complete documentation for secure code development, security code review and various aspects involved in an application's security testing
• Standards for libraries and security elements

Source:OWASP

Scrawlr:

• Is capable of finding SQL injection vulnerabilities in dynamic web pages
• Identifies unnecessary content in URL parameters
• We may configure Scrawlr as a proxy for accessing a website
• Determine the type of server used for an application
• Scans across different host names and subdomains

Source:Scrawlr

Websecurify:

• The GUI is easy to use and user-friendly
• Advanced test and scan techniques
• Detects URL's automatically
• Detects vulnerabilities like cross site scripting, cross site forgery, SQL injection, HTTP response splitting, session cookie issues, URL redirection etc.
• Available for all major platforms like JavaScript, python, C, C++, Java

Source:Websecurify

N Stalker:

• Parallel web crawling
• HTTP fingerprinting
• Discovers server side technology
• Custom web navigation Macro reader to navigate through the site and replay the test
• Supports OWASP Top10, PCI, SANS/FBI

Source:N Stalker

Safe3 Scanner:

• Basic, Digest, NTLM and certificate authentications
• Database support for Sybase, DB2, Access, Postgresql etc.
• Supports SQL injection, XSS, upload vulnerability etc.
• Scans SQL injection state in spite of the presence of WAF and HIPS

Samurai Framework:

• A virtual machine for penetration testing supported on VirtualBox and VMWare
• The framework offers some of the best open source tools aimed at testing security vulnerabilities of a website
• The tools that come under this framework are webscarab, w3af, BeEF etc.

Source:Samurai framework







HP Webinspect:

• Offers an advanced client side scripting to assess JavaScript, Flash and alike
• Faster scanning with more accurate results
• Dynamic analysis to retrieve vulnerabilities in order to fix them
• The tool organises the list of vulnerabilities such that the user can view and filter results for further analysis
• Detailed analysis of code with actionable information like line of code and SQL queries

Source:HP Webinspect

Kiuwan Security:

• Prepare action plans
• Tracks progress of security tests
• We can customise reports as per our requirement
• Provides code metrics to asses code's quality
• With Kiuwan security, we can export and import various rulesets

Source:Kiuwan Security

Nsiqcppstyle:

• Capable of checking more than 47 rule validations
• Not much difficulty in configuring pre-processing settings
• It is quite simple to add custom rules
• Supports various IDE integrations - Visual studio, Eclipse, Emacs and so on
• Nsiqcppstyle support CI (Continuous Integration) server

Paros:

• Presents all types of session ID's
• It has a built-in Fuzzer wherein we can generate our own Fuzzer library
• It crawls through the website, performing vulnerability tests

Source:Paros

Veracode:

• Veracode's advanced features provides developers a chance to analyse security threats even faster than before
• It has custom cleaners that performs cleaning functions for SQL injection, URL redirection, log forging and header injection
• Developers do not need to scan a saved file as the tool performs an auto scan

Source:Veracode

Conclusion:

The list of tools available for security/penetration testing are many, out which the ones mentioned in this article have gained a considerable attention and has become a favourite choice for many hackers and security engineers.