In this article 3B Data Security provides the answer to the question, ‘What Tools do Penetration Testers use?’
Pen Testing Tools
Some people may ask, ‘what is the best Penetration Testing tool?’ Penetration testers use many tools, and which tool they select depends entirely on what they are trying to achieve. There is no “best” tool, but some tools do excel at particular tasks.
For instance, a Penetration Tester performing an Internal Penetration Test will typically use a vulnerability scanner such as Nessus or Qualys to discover vulnerabilities that exist in software installed on systems within the network. The scanner may highlight that a system is vulnerable to a Remote Code Execution vulnerability because of a buffer or stack overflow in a piece of software installed on it. The tester then looks for a public exploit for that vulnerability, and may end up using the exploitation framework Metasploit or a Python or Ruby script from an exploit database such as https://www.exploit-db.com/ (mirrored offline on Kali Linux as searchsploit). Scanner output is only a lead: the finding should be confirmed, and any public exploit read and understood, before it is run against a client system.
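The scan-to-exploit step above is usually driven from the scanner's export rather than its web UI. The following is an added example, not 3B Data Security's code or Tenable's: it parses a .nessus (NessusClientData_v2) export, keeps the high and critical findings that Nessus marks as having a public exploit, and lists the CVE identifiers to look up in exploit-db or Metasploit. The XML is a constructed sample in the real export layout; the one exploitable finding in it uses the well-known MS17-010 / CVE-2017-0144 SMBv1 RCE as sample data, and the plugin IDs and names are sample values.

```python
"""Shortlist exploitable findings from a Nessus .nessus export.

Added example, not the article's or Tenable's code. SAMPLE_NESSUS is a
constructed report in the NessusClientData_v2 layout; plugin IDs, names
and the host are sample data.
"""
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="Internal - constructed sample">
    <ReportHost name="10.0.0.5">
      <HostProperties>
        <tag name="host-ip">10.0.0.5</tag>
        <tag name="operating-system">Microsoft Windows Server 2008 R2</tag>
      </HostProperties>
      <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
                  pluginID="97833"
                  pluginName="MS17-010: Security Update for Microsoft Windows SMB Server (4013389)">
        <cve>CVE-2017-0143</cve>
        <cve>CVE-2017-0144</cve>
        <cvss_base_score>9.3</cvss_base_score>
        <exploit_available>true</exploit_available>
        <exploit_framework_metasploit>true</exploit_framework_metasploit>
      </ReportItem>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="2"
                  pluginID="42873"
                  pluginName="SSL Medium Strength Cipher Suites Supported (SWEET32)">
        <cve>CVE-2016-2183</cve>
        <cvss_base_score>5.0</cvss_base_score>
        <exploit_available>false</exploit_available>
      </ReportItem>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="11219" pluginName="Nessus SYN scanner">
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def parse_nessus(xml_text):
    """Flatten every ReportItem into a dict: host, port, severity, plugin, CVEs, exploit flags."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),  # 0 info .. 4 critical
                "plugin": item.get("pluginName"),
                "cves": [c.text for c in item.findall("cve")],
                # Nessus writes these as the strings "true"/"false"; absent means unknown
                "exploit_available": (item.findtext("exploit_available") or "").lower() == "true",
                "metasploit": (item.findtext("exploit_framework_metasploit") or "").lower() == "true",
            })
    return findings


def exploitable_findings(findings, min_severity=3):
    """High/critical findings that Nessus says have a public exploit: the ones worth chasing first."""
    return [f for f in findings
            if f["severity"] >= min_severity and f["exploit_available"]]


def cve_lookups(findings):
    """Unique CVE IDs, in report order, to search for in exploit-db / searchsploit / Metasploit."""
    seen = []
    for f in findings:
        for cve in f["cves"]:
            if cve not in seen:
                seen.append(cve)
    return seen


if __name__ == "__main__":
    hits = exploitable_findings(parse_nessus(SAMPLE_NESSUS))
    for h in hits:
        tag = " [metasploit module]" if h["metasploit"] else ""
        print(f'{h["host"]}:{h["port"]}/{h["protocol"]}  sev {h["severity"]}  {h["plugin"]}{tag}')
    print("CVEs to look up:", ", ".join(cve_lookups(hits)))
```

The `exploit_available` flag is Nessus's own assessment and is neither complete nor a guarantee that an exploit will work on the target build, so treat the shortlist as a starting point for manual verification rather than a queue to run through.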
For the Reconnaissance (OSINT) stage of a Penetration Test, tools such as theHarvester, SpiderFoot and FOCA are commonly used. They help the tester collect employee names, email addresses and the organisation's email address format from public sources, from which a custom user list can be built for password brute-force and phishing attacks. These are used to test that account lockout mechanisms are in place and that the organisation's employees have received security awareness training. (In practice the password attack is usually a password spray, a few passwords tried across many accounts and spaced out in time, so that the test itself does not lock every user out.)
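Turning harvested names into a user list is a small script most testers end up writing for themselves. The following is an added example, not the article's code or part of theHarvester, SpiderFoot or FOCA: it expands each full name into the common corporate username conventions, and, once a few real addresses have been harvested, works out which convention the target actually uses so the list can be narrowed to one format. The names and addresses are constructed sample data, and the format list is an assumption to extend for the target.

```python
"""Build candidate usernames from harvested employee names.

Added example, not the article's code. NAMES and KNOWN_ADDRESSES below are
constructed sample data; FORMATS is an assumed set of common conventions.
"""
import re

# Placeholders: first/last = cleaned names, f/l = their initials.
FORMATS = [
    "{first}.{last}",
    "{f}{last}",
    "{first}{l}",
    "{first}_{last}",
    "{first}{last}",
    "{last}{f}",
    "{first}",
]

NAMES = ["John Smith", "Jane O'Brien"]                        # constructed sample
KNOWN_ADDRESSES = ["John.Smith@example.com", "jane.obrien@example.com"]  # constructed sample


def _clean(name):
    """Lower-case and drop anything that is not a letter, so "O'Brien" becomes "obrien"."""
    return re.sub(r"[^a-z]", "", name.lower())


def candidate_usernames(full_name, formats=FORMATS):
    """All candidate usernames for one person, de-duplicated and in FORMATS order."""
    parts = full_name.split()
    if len(parts) < 2:           # single names cannot be expanded reliably
        return []
    first, last = _clean(parts[0]), _clean(parts[-1])   # middle names are ignored
    if not first or not last:
        return []
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    out = []
    for fmt in formats:
        user = fmt.format(**fields)
        if user not in out:
            out.append(user)
    return out


def build_user_list(names, domain=None, formats=FORMATS):
    """Unique candidate usernames (as addresses if a domain is given) for every name."""
    users = []
    for name in names:
        for user in candidate_usernames(name, formats):
            entry = f"{user}@{domain}" if domain else user
            if entry not in users:
                users.append(entry)
    return users


def infer_format(known_addresses, full_names, formats=FORMATS):
    """Return the format(s) that reproduce every harvested address for people whose names we know."""
    local_parts = {addr.split("@")[0].lower() for addr in known_addresses}
    matches = []
    for fmt in formats:
        generated = {u for n in full_names for u in candidate_usernames(n, [fmt])}
        if generated and generated <= local_parts:
            matches.append(fmt)
    return matches


if __name__ == "__main__":
    fmts = infer_format(KNOWN_ADDRESSES, NAMES)
    print("Target's address format:", fmts or "unknown, using all formats")
    for entry in build_user_list(NAMES, "example.com", fmts or FORMATS):
        print(entry)
```

Once `infer_format` pins down the convention, generate the list with that single format only: a shorter list of likely-real accounts gives a cleaner lockout test and far less noise in the client's logs.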
Nmap is the most commonly used tool to map a network and discover open ports and the services behind them. (Remember Trinity using it to break into the power grid in The Matrix Reloaded?) Although that scenario is a little far-fetched, it is a very handy tool to begin External and Internal Penetration Tests with. For SCADA Penetration Testing, custom-written fuzzing tools would be the go-to (Matrix-style hacking!), with the caveat that aggressive scanning or fuzzing can crash fragile industrial controllers, so it is normally done against a test environment or with the operator's explicit agreement.
The most commonly used vulnerability scanners for External and Internal testing, as mentioned above, are Nessus and Qualys. These products excel in this area but come at a cost. For people starting out in the Penetration Testing field there is a free, open-source vulnerability scanner called OpenVAS, now maintained by Greenbone. It is available in the Kali Linux repositories and began life as a fork of Nessus from the time when Nessus was itself open source. The OpenVAS feed is updated daily, so the scanner has fairly good coverage. For commercial engagements, though, Nessus or Qualys should be used, as their plugin coverage is broader than OpenVAS's. Whichever scanner is used, its findings should be verified by hand, as scanners produce both false positives and false negatives.
When it comes to Web Application and Mobile Penetration Testing, the most commonly used tool is an HTTP intercepting proxy called Burp Suite; for mobile testing the device or emulator is configured to route its traffic through the proxy so that the app's API calls can be inspected and modified. The Professional edition has the BApp Store, where security consultants can download Burp extensions written by others in the security community and can also get their own extensions featured. Extensions are written in Java, or in Python and Ruby via the Jython and JRuby runtimes that Burp can load. There is a free, open-source HTTP intercepting proxy called ZAP (Zed Attack Proxy), developed and published as an OWASP project. Although many prefer Burp, ZAP is a good choice for those starting out in the field, because Burp Suite Professional comes at a cost (Burp's free Community edition exists, but it lacks the automated scanner and throttles Intruder).
Cloud Penetration Testing has recently become something in much higher demand, as organisations move their infrastructure from on-premises to the cloud in order to cut costs. There are various tools that can be used to test AWS, Azure and GCP. One that stands out is ScoutSuite. Given read-only credentials for the account, it calls the provider's APIs to enumerate the configuration of the environment and flags potential weaknesses such as overly permissive firewall rules and security groups, publicly accessible storage and weak IAM policies. Note that the cloud providers have their own rules on what testing is permitted; a configuration review of this kind is normally allowed, but the provider's penetration testing policy should be checked first.
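To show the kind of check a tool like ScoutSuite performs, here is an added example that is neither ScoutSuite's code nor the article's. ScoutSuite fetches the configuration live from the provider's API; this version runs the same kind of rule offline over a constructed dict in the shape that boto3's `ec2.describe_security_groups()` returns, flagging security groups that expose administrative ports to the whole internet. The group IDs are sample values, and the list of admin ports and the "world" CIDRs are assumptions to tune per engagement.

```python
"""Flag AWS security groups that expose admin ports to 0.0.0.0/0 or ::/0.

Added example, not ScoutSuite's or the article's code. SAMPLE_RESPONSE is a
constructed dict in the layout of boto3's ec2.describe_security_groups();
ADMIN_PORTS and WORLD_CIDRS are assumed values.
"""

WORLD_CIDRS = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 1433: "mssql"}

SAMPLE_RESPONSE = {  # constructed sample; same layout as the real API response
    "SecurityGroups": [
        {"GroupId": "sg-0a1b2c3d", "GroupName": "web",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
             {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
         ]},
        {"GroupId": "sg-0e5f6a7b", "GroupName": "db",
         "IpPermissions": [
             {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
              "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": []},
         ]},
        {"GroupId": "sg-09c8d7e6", "GroupName": "legacy",
         "IpPermissions": [
             # IpProtocol "-1" is "all traffic": no port fields are present
             {"IpProtocol": "-1",
              "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         ]},
    ]
}


def _world_reachable(rule):
    """True if any IPv4 or IPv6 source range on the rule is the whole internet."""
    cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
    return any(c in WORLD_CIDRS for c in cidrs)


def _admin_ports_covered(rule):
    """Admin ports the rule opens; an all-traffic rule covers every one of them."""
    if rule.get("IpProtocol") == "-1":
        return set(ADMIN_PORTS)
    lo, hi = rule.get("FromPort"), rule.get("ToPort")
    if lo is None or hi is None or lo == -1:   # -1 is the ICMP type wildcard
        return set()
    return {p for p in ADMIN_PORTS if lo <= p <= hi}


def world_open_admin_ports(response):
    """Return (group_id, port, service) for every admin port reachable from anywhere."""
    findings = []
    for sg in response["SecurityGroups"]:
        for rule in sg.get("IpPermissions", []):
            if rule.get("IpProtocol") not in ("tcp", "-1"):
                continue
            if not _world_reachable(rule):
                continue
            for port in sorted(_admin_ports_covered(rule)):
                findings.append((sg["GroupId"], port, ADMIN_PORTS[port]))
    return findings


if __name__ == "__main__":
    # With boto3 the input would be: boto3.client("ec2").describe_security_groups()
    for group_id, port, service in world_open_admin_ports(SAMPLE_RESPONSE):
        print(f"{group_id}: {service} ({port}/tcp) open to the internet")
```

The check only matches the literal "anywhere" CIDRs; a rule that lists 0.0.0.0/1 and 128.0.0.0/1 is just as open and would slip past it, which is one reason real tools also reason about aggregate coverage, and why scanner output should be read alongside the raw configuration.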
There are many types of Penetration Testing hardware, such as rogue access points (e.g. the WiFi Pineapple), keyloggers, BadUSB devices and network taps. Quality hardware can be bought online from the Hak5 store.
Hardware implants such as the O.MG Cable have received a lot of media attention recently. The O.MG Cable looks and behaves like a normal charging cable, but it has a built-in wireless adapter, so it can be controlled remotely to attack the system it is plugged into, and it also emulates a USB HID keyboard, so it can type commands as if it were the user. The defence is the usual one: only use cables and USB devices from trusted sources, and restrict unknown USB devices with a device-control policy.
Obviously, we recommend that if you want security testing done you talk to a professional penetration testing provider. In the UK, CREST accredits penetration testing companies, assessing their methodologies and the competence of their testers; CREST-approved status is always recommended.