You may be wondering why we chose the top 10 best penetration testing tools instead of a smaller number like 5 or a larger number like 20. We chose this list by first keeping you, the reader, in mind and asking why you might want to know the top tools. Research tells us that the typical reader is looking for where to get started and, moreover, is trying to figure out what professional pentesters use.
Most pentesters have several primary tools they use most often, but they don't use an extreme number of different tools to get the job done either. Most importantly, they are flexible: when a scenario does call for a tool they haven't used before, they can quickly learn it. That ability comes from most pentesters' interest in always learning something new, and from the fact that they have likely used something similar before.
Our Top Penetration Testing Tools Methodology
We looked at each primary pentesting category you might need a tool for and then decided which tool was best in that category to create our list of the top penetration testing tools. While there is an unlimited number of tools to choose from, you will most likely start with the one go-to tool that gets the job done because you are most familiar with it.
We then decided not only to tell you what the top tools are but also to give you a quick look at each tool and accompany it with evidence, because what fun is it to be given a name without a chance to look under the hood?
What is pentesting?
Before we get to the tools, let's very quickly discuss what penetration testing is and isn't. Pentesting is simply a way for organizations to simulate attacks against their own infrastructure so that they find the vulnerabilities before someone with malicious intent does. It is the whole reason MITRE ATT&CK was created: a standard knowledge base of the various attacks so that organizations can more easily understand where they are most vulnerable.
Pentesting isn't firing up the tools below and having everything magically happen for you after that. It is learning the tools below inside and out and then using them like a scalpel instead of a sledgehammer, as a professional would. After we go over the list, take that knowledge and really learn why these tools are great to further your own skills, career and life.
If you pick these tools as the ones most likely to live in your toolbag, that is excellent! However, everyone's list can be completely different, and you may absolutely disagree, and that is great too! All that said, use this as a guide, but do what works best for you and create your own list of top penetration testing tools!
Kali Linux
Category: Operating System
Kali Linux is the first tool on our list for a very specific reason: it already comes with most of the tools below, as it ships with over 600 tools pre-installed and ready to use. In fact, only one of the tools on our list (Nessus) does not come pre-installed on Kali Linux. Keeping in mind that what you might want is to get started quickly with the top penetration testing tools ready and at hand, this was the most logical choice.
It was created with pentesting in mind, so hands down this is the best operating system you could possibly use. Sure, there are other cool operating systems such as BackBox and Parrot Security OS, but they couldn't replace the proven and best-supported operating system that is Kali Linux.
Take a second to think about the premier pentesting certifications you can get, such as the Offensive Security Certified Professional (OSCP) and now the new Advanced Windows Exploitation (AWE), and about who created them. That same organization created and supports Kali Linux, and that tells you everything you need to know about why this is our top choice.
Take a look at the many different categories of penetration testing tools within this one operating system:
Nmap
Category: Port Scanning and Reconnaissance
When conducting a pentesting assessment that is not web or wireless, after fingerprinting and conducting reconnaissance you will almost always need to conduct some type of port scanning. Nmap, or Network Mapper, has been around since the beginning of time (22 years ago) and it is still by far the best network scanner on the planet.
Just like the name says, it simply helps you map a network so you know how best to go on and exploit it. So, what makes it the best compared to any other scanner you might come across? The support is the reason. Again, this tool has been around for eons and still to this day there are regular updates, documentation and even a scripting engine that you can use with the base tool to go even further and get more details on a target, such as vulnerability scanning.
Nmap at first glance can appear pretty boring, but the awesome scripting engine that comes along with it makes it amazing and really fun to use. Here is just a sampling of what you can do:
- Traceroute Geolocation
- Detect CVEs (Common Vulnerabilities and Exposures)
- Launch Brute Force Attacks
- Extract GPS coordinates from images
- Launch Denial of Service (DoS) attacks
- Detect Malware
- Multiple Types of Recon
Nmap Demo
Just look at what happens when we scan the vulnerable Metasploitable 2 with Nmap to find all the open and possibly vulnerable services running:
root@kali:~# nmap -sV --top-ports 100 10.10.10.3
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-29 20:52 EST
Nmap scan report for 10.10.10.3
Host is up (0.00013s latency).
Not shown: 84 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
MAC Address: 08:00:27:75:9F:F8 (Oracle VirtualBox virtual NIC)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.65 seconds
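As an added example (not from the original article), here is a short Python script that parses the Nmap normal output above and flags the open services that, by design, carry logins across the wire unencrypted; the sample input is the port table from the scan shown, and the list of cleartext services is an assumption of this example.

```python
import re
from dataclasses import dataclass

# Port table from the Metasploitable 2 scan shown above (sample input).
NMAP_OUTPUT = """\
Not shown: 84 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
513/tcp open login OpenBSD or Solaris rlogind
514/tcp open shell Netkit rshd
2049/tcp open nfs 2-4 (RPC #100003)
2121/tcp open ftp ProFTPD 1.3.1
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
"""

@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str

# One port line: "<port>/<proto> <state> <service> [version...]"; Nmap pads with
# several spaces, the copy above with one, so \s+ accepts both.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Services whose logins cross the wire unencrypted by design (assumed list).
CLEARTEXT_SERVICES = {
    "ftp": "FTP sends username and password in the clear",
    "telnet": "Telnet sends the whole session, login included, in the clear",
    "http": "HTTP form and basic-auth logins are unencrypted without TLS",
    "login": "rlogin sends credentials and the session in the clear",
    "shell": "rsh trusts hostnames and sends everything in the clear",
}

def parse_nmap(text):
    """Extract the port table from Nmap's normal (human-readable) output."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services

def cleartext_findings(services):
    """Return (port, service, reason) for every open service on the cleartext list."""
    return [(s.port, s.name, CLEARTEXT_SERVICES[s.name])
            for s in services
            if s.state == "open" and s.name in CLEARTEXT_SERVICES]

if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    print(f"{len(found)} open services parsed")
    for port, name, reason in cleartext_findings(found):
        print(f"{port:>5}/tcp {name:<8} {reason}")
```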
Metasploit Penetration Testing Tool
Category: Exploitation
Even if you aren't a pentester you have likely heard of Metasploit, and there is good reason for that. No penetration testing tools list you find is likely to have Metasploit missing from it. Metasploit is primarily used for finding exploits and exploiting targets, and it is the tool of choice for pentesters when going about the job of exploiting. Finding exploits and then finally exploiting a target happens after you have already conducted reconnaissance and homed in on something you believe is vulnerable.
The reason it is the best is also the support and the sheer vast library within it that you can pull from. Metasploit has over 140,000 different vulnerabilities and 3000 actual exploits you can pull from, and no, that number is not a typo. No need to scour the web: many of the vulnerabilities are right there within the tool if you know how to look for them.
Being the most used exploitation framework is also the reason it integrates with just about any other popular tool, including many on this list like Nmap and Nessus. That means you aren't starting over every time you go from one tool to the other, and it makes the whole pentesting process seamless.
Why Metasploit is The Swiss Army Knife Of The Top Penetration Testing Tools
If you take part in some Capture the Flag (CTF) exercises or review some CTF walkthroughs, you will notice that there are many different tools that help with the exploit process, and it can be overwhelming if you are new. If you just get really good at Metasploit, though, you are likely to be able to carry out those same exploits with one tool without having to learn 100 others.
Metasploit will also do much of the work for you and really makes exploiting easier than it should be. It is so easy to use that even script kiddies can use this tool without issue, and if there is one thing about it that isn't good, that would be it, but we can't hold the ease of use against it.
Wireshark
Category: Packet Inspector and Network Traffic Sniffer
Imagine you are pentesting a client and need to view network traffic to look for vulnerabilities in real time. Maybe you want to see whether usernames or passwords are being sent around the network unencrypted over protocols such as FTP, Telnet, TFTP and of course HTTP, which happens a great deal. Just go to any coffee shop or hotel WIFI with Wireshark running and it will be as if you just entered the Matrix.
If you are in the InfoSec space, and more specifically if you are or want to be a pentester, you will undoubtedly need to inspect packets and sniff network traffic if you don't already. You won't find a better packet inspector than Wireshark, and there is a reason it has been the most commonly used tool for this job since its release in 1998.
A close second to Wireshark is a tool called Tcpdump, and they both have the same sorts of features. What puts Wireshark in a category of its own, and the reason it edges out Tcpdump, is the ease of use of its graphical interface. That interface makes it much easier to visualize specific TCP sessions and streams and the conversation as a whole, leading to quicker analysis.
Just like Nmap, Wireshark may feel somewhat boring, but here is another sampling of what you can do with this tool:
- GeoIP lets you see exactly where an IP address is coming from
- Instantly generate a new firewall rule right in Wireshark based on the traffic you see
- Conduct extensive network forensics
- Replay VoIP conversations
John the Ripper
Category: Offline Password Cracking
John the Ripper is, in our opinion, the best offline password cracker. The context of the password cracking you need to do determines the tool you use. You may be wondering about online password cracking, and we will get to our favorite tool for that in just a bit.
If you are at a point where you have obtained a list of password hashes and need to crack them to recover the actual passwords, then there is no better tool than John the Ripper. To be fair, there was a very close second in this category, the tool Hashcat, and there is some debate on which is better. However, John the Ripper edged out Hashcat because it appeared to crack more password hashes than Hashcat using the same lists.
John’s Flexibility
In addition to John the Ripper's cracking power, it is also very flexible: you can run it on either Windows or Linux, it is compatible with many different types of modules you will find online, and if those don't work for you, you can write your own. This means you can make John do whatever you need it to with some custom code.
John can also automatically detect the password hash type, which saves you the step of first running some other tool to determine what type of hash it is. With so many penetration testing tools and options, sometimes the simpler the better, and John the Ripper fits that description.
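As an added example (not code from the original article or from John the Ripper itself), this Python script mimics the hash auto-detection described above: it reads constructed shadow-style lines, identifies each hash by its crypt(3) $id$ prefix or by bare digest length, and lists the accounts whose fast or unsalted hashes would fall first to a wordlist. The sample lines, hash bodies and cost labels are all constructed for the example.

```python
import re

# Constructed /etc/shadow-style lines (sample input, not from the original article);
# the hash bodies are placeholders, only the $id$ prefixes and hex lengths matter here.
SHADOW_SAMPLE = """\
root:$6$Wq3h9KzL$placeholdersha512cryptbody:18290:0:99999:7:::
alice:$1$Zx8Ybb1k$placeholdermd5cryptbody:18290:0:99999:7:::
bob:$2b$12$placeholderbcryptsaltandhashbody:18290:0:99999:7:::
carol:$y$j9T$placeholderyescryptbody:18290:0:99999:7:::
svc-backup:5f4dcc3b5aa765d61d8327deb882cf99:18290:0:99999:7:::
daemon:*:18290:0:99999:7:::
"""

# crypt(3) identifier -> (scheme name, relative cracking cost); cost labels are assumed.
CRYPT_PREFIXES = {
    "1": ("md5crypt", "fast, legacy"),
    "5": ("sha256crypt", "slow, salted"),
    "6": ("sha512crypt", "slow, salted"),
    "2a": ("bcrypt", "slow, adaptive"),
    "2b": ("bcrypt", "slow, adaptive"),
    "2y": ("bcrypt", "slow, adaptive"),
    "y": ("yescrypt", "slow, memory-hard"),
}
# Bare hex digests carry no salt or algorithm tag, so length is the only clue, and
# 32 hex characters could be MD5 or NTLM: this is the ambiguity John warns about.
RAW_HEX_LENGTHS = {32: "raw MD5 or NTLM (ambiguous)", 40: "raw SHA-1", 64: "raw SHA-256"}

def identify(hash_str):
    """Guess the hash format from its prefix or digest length, like John's autodetection."""
    if hash_str in ("", "*", "!!") or hash_str.startswith("!"):
        return ("no password / locked", "not crackable")
    m = re.match(r"^\$([^$]+)\$", hash_str)
    if m and m.group(1) in CRYPT_PREFIXES:
        return CRYPT_PREFIXES[m.group(1)]
    if re.fullmatch(r"[0-9a-fA-F]+", hash_str) and len(hash_str) in RAW_HEX_LENGTHS:
        return (RAW_HEX_LENGTHS[len(hash_str)], "fast, unsalted")
    return ("unknown", "needs an explicit --format hint")

def audit_shadow(text):
    """Map each account to its detected (format, cost) so weak storage can be prioritized."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            report[fields[0]] = identify(fields[1])
    return report

def fast_hash_accounts(report):
    """Accounts stored with a fast hash: these fall first to a wordlist attack, so fix them first."""
    return sorted(user for user, (_, cost) in report.items() if cost.startswith("fast"))

if __name__ == "__main__":
    report = audit_shadow(SHADOW_SAMPLE)
    for user, (fmt, cost) in report.items():
        print(f"{user:<12} {fmt:<30} {cost}")
    print("fix first:", fast_hash_accounts(report))
```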
Hydra Penetration Testing Tool
Category: Online Password Cracking
Hydra is the best online brute-force password cracker hands down, and that is significant just because there are so many password crackers out there that it edges out. Brute forcing passwords means that we are going to try as many different combinations of passwords as possible until at some point we find the one that works.
The brute-force method of exploiting a system is very "loud", but there are ways to conceal it a bit, such as attempting to change and mask our IP, or password spraying, where you essentially try the same password over many different usernames so you don't get blocked before you find a correct password that works. You wouldn't believe how many times you might encounter a login with no lockout policy defined, though!
Hydra supports an unbelievable number of protocols, which means that you can use it in almost every scenario, whether you need to crack FTP, Telnet, HTTP or many other types of technology. This is important because you might find a password login over many different protocols, and you want to have something at the ready that can get to work and crack the password. It is well supported, and on top of that it is one of the fastest password crackers there are.
Hydra Demo
root@kali:~# hydra
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-c TIME] [-ISOuvVd46] [service://server[:PORT][/OPT]]
Options:
-l LOGIN or -L FILE login with LOGIN name, or load several logins from FILE
-p PASS or -P FILE try password PASS, or load several passwords from FILE
-C FILE colon separated "login:pass" format, instead of -L/-P options
-M FILE list of servers to attack, one entry per line, ':' to specify port
-t TASKS run TASKS number of connects in parallel per target (default: 16)
-U service module usage details
-h more command line options (COMPLETE HELP)
server the target: DNS, IP or 192.168.0.0/24 (this OR the -M option)
service the service to crack (see below for supported protocols)
OPT some service modules support additional input (-U for module help)
Supported services: adam6500 asterisk cisco cisco-enable cvs firebird ftp[s] http[s]-{head|get|post} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] memcached mongodb mssql mysql nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres radmin2 rdp redis rexec rlogin rpcap rsh rtsp s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp
Hydra is a tool to guess/crack valid login/password pairs. Licensed under AGPL v3.0. The newest version is always available at https://github.com/vanhauser-thc/thc-hydra
Don't use in military or secret service organizations, or for illegal purposes.
Example: hydra -l user -P passlist.txt ftp://192.168.0.1
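The spraying and lockout point made above is exactly the pattern a defender hunts for in authentication logs. As an added example that is not part of the original article, this Python script parses constructed sshd auth-log lines and separates a password spray (one source, one guess across many accounts) from a plain brute force (one source, many guesses at one account); the log format is sshd's, and the window and thresholds are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines (sample input, not from the original article):
# 10.10.10.5 tries one guess against many accounts, 10.10.10.7 hammers one account,
# and 192.168.1.20 is a user who mistyped once and then logged in.
AUTH_LOG = """\
Jan 29 20:52:01 web1 sshd[2101]: Failed password for alice from 10.10.10.5 port 40122 ssh2
Jan 29 20:52:03 web1 sshd[2102]: Failed password for bob from 10.10.10.5 port 40123 ssh2
Jan 29 20:52:05 web1 sshd[2103]: Failed password for carol from 10.10.10.5 port 40124 ssh2
Jan 29 20:52:07 web1 sshd[2104]: Failed password for invalid user dave from 10.10.10.5 port 40125 ssh2
Jan 29 20:52:09 web1 sshd[2105]: Failed password for erin from 10.10.10.5 port 40126 ssh2
Jan 29 20:52:11 web1 sshd[2106]: Failed password for frank from 10.10.10.5 port 40127 ssh2
Jan 29 20:53:00 web1 sshd[2110]: Failed password for root from 10.10.10.7 port 50001 ssh2
Jan 29 20:53:01 web1 sshd[2111]: Failed password for root from 10.10.10.7 port 50002 ssh2
Jan 29 20:53:02 web1 sshd[2112]: Failed password for root from 10.10.10.7 port 50003 ssh2
Jan 29 20:53:03 web1 sshd[2113]: Failed password for root from 10.10.10.7 port 50004 ssh2
Jan 29 20:53:04 web1 sshd[2114]: Failed password for root from 10.10.10.7 port 50005 ssh2
Jan 29 20:53:05 web1 sshd[2115]: Failed password for root from 10.10.10.7 port 50006 ssh2
Jan 29 20:53:06 web1 sshd[2116]: Failed password for root from 10.10.10.7 port 50007 ssh2
Jan 29 20:55:30 web1 sshd[2120]: Failed password for alice from 192.168.1.20 port 51000 ssh2
Jan 29 20:55:41 web1 sshd[2120]: Accepted password for alice from 192.168.1.20 port 51000 ssh2
"""

FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+"
)

def parse_failures(text, year=2020):
    """Return (timestamp, username, source_ip) per failed login; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def detect(events, window_s=300, spray_users=5, brute_attempts=6):
    """Classify each source whose failures inside any window_s span fit a spray or brute-force
    pattern. Thresholds are assumptions; tune them to the environment's lockout policy."""
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = [u for ts, u in attempts[i:] if (ts - start).total_seconds() <= window_s]
            if len(set(users)) >= spray_users:
                findings[src] = "password spray"   # few guesses spread over many accounts
                break
            if len(users) >= brute_attempts and len(set(users)) == 1:
                findings[src] = "brute force"      # many guesses against one account
                break
    return findings

if __name__ == "__main__":
    for src, verdict in detect(parse_failures(AUTH_LOG)).items():
        print(f"{src:<15} {verdict}")
```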
Burp Suite
Category: Web Application Pentesting
If there is a tool in the Web Application Pentesting space that deserves a category of its own and stands far above any competition, it is PortSwigger's Burp Suite. While there is competition, no other tool has rallied the support of professionals in the Web Application Pentesting category more than Burp Suite.
Yes, Burp Suite costs money if you want to use all of its features, but you can absolutely get started with some of the features for free, and those features are really enough when just getting started. If you look at any type of Web App Pentest training given by professionals, they almost always choose Burp Suite. This is all for good reason: when it comes to Web Application Pentesting you can really do it all right there from inside the tool, and you would rarely need another tool to perform your application pentest.
In addition, the tool is more customizable to your needs than any other, for example through custom plugins or by integrating with popular tools such as SQLmap.
Did I mention this tool comes pre-installed on Kali Linux as well? In earlier versions of Kali, even up until 2019, you could find it right on the desktop as soon as you started Kali up. That is how important Offensive Security and Kali Linux think Burp is. In addition to being able to completely map and crawl a website or automatically scan for and find vulnerabilities, there are MANY custom plugins and tools that have been created for Burp Suite to perform many different functions.
Aircrack-ng WiFi Penetration Testing Tool
Category: WIFI Pentesting
Aircrack-ng is our tool of choice when it comes to hacking WIFI. It really isn't just one tool but rather more than fifteen different tools packed into a nice neat package that is easy to use. This powerful suite of tools is really why it edges out many other WIFI pentesting tools.
It can do everything you might need when hacking WIFI, such as setting up fake access points, sniffing and capturing packets in promiscuous mode, replay attacks, deauthentication attacks or cracking passwords. You need this when pentesting WIFI because, depending on the scenario, you might have to take a drastically different approach to finally crack it.
These days there is a series of steps you need to go through to actually get to the point where you have passwords to crack, and Aircrack-ng can help you go through those steps.
Say, for example, you are conducting a pentest onsite at an organization and you are first trying to get yourself on the network so that you have somewhere to start. One attack you may want to try is seeing if you can kick users off the WIFI, which is the deauthentication attack, so that you can then sniff the handshake and proceed to crack the password. This is just one example, but not every WIFI pentesting tool has this feature, or all the features and applications Aircrack-ng does.
Aircrack-ng Demo
Aircrack-ng 1.5.2 - (C) 2006-2018 Thomas d'Otreppe
usage: aircrack-ng [options] <input file(s)>
Common options:
-a <amode> : force attack mode (1/WEP, 2/WPA-PSK)
-e <essid> : target selection: network identifier
-b <bssid> : target selection: access point's MAC
-p <nbcpu> : # of CPU to use (default: all CPUs)
-q : enable quiet mode (no status output)
-C <macs> : merge the given APs to a virtual one
-l <file> : write key to file. Overwrites file.
Static WEP cracking options:
-c : search alpha-numeric characters only
-t : search binary coded decimal chr only
-h : search the numeric key for Fritz!BOX
-d <mask> : use masking of the key (A1:XX:CF:YY)
-m <maddr> : MAC address to filter usable packets
-n <nbits> : WEP key length : 64/128/152/256/512
-i <index> : WEP key index (1 to 4), default: any
-f <fudge> : bruteforce fudge factor, default: 2
-k <korek> : disable one attack method (1 to 17)
-x or -x0 : disable bruteforce for last keybytes
-x1 : last keybyte bruteforcing (default)
-x2 : enable last 2 keybytes bruteforcing
-X : disable bruteforce multithreading
-y : experimental single bruteforce mode
-K : use only old KoreK attacks (pre-PTW)
-s : show the key in ASCII while cracking
-M <num> : specify maximum number of IVs to use
-D : WEP decloak, skips broken keystreams
-P <num> : PTW debug: 1: disable Klein, 2: PTW
-1 : run only 1 try to crack key with PTW
-V : run in visual inspection mode
WEP and WPA-PSK cracking options:
-w <words> : path to wordlist(s) filename(s)
-N <file> : path to new session filename
-R <file> : path to existing session filename
WPA-PSK options:
-E <file> : create EWSA Project file v3
-j <file> : create Hashcat v3.6+ file (HCCAPX)
-J <file> : create Hashcat file (HCCAP)
-S : WPA cracking speed test
-Z <sec> : WPA cracking speed test length of execution.
-r <DB> : path to airolib-ng database (Cannot be used with -w)
SIMD selection:
--simd-list : Show a list of the available SIMD architectures, for this machine.
--simd=<option> : Use specific SIMD architecture.
<option> may be one of the following, depending on your platform:
generic
avx512
avx2
avx
sse2
altivec
power8
asimd
neon
Other options:
-u : Displays # of CPUs & SIMD support
--help : Displays this usage screen
root@kali:~#
Nessus
Category: Vulnerability Scanning
We have an absolute winner in the Vulnerability Scanning category, but we should let you know up front that if you are vulnerability scanning you probably want to use more than one tool. This is simply because you are likely to turn up additional vulnerabilities by using another scanner in conjunction with your primary one. That said, Nessus is hands down our favorite due to the support, the ease of use and the fact that, in our opinion, it is more likely to detect more vulnerabilities than any other scanner.
The vulnerability scanner has been in action since 1998 and its database is constantly updated, so it detects an unbelievable number of vulnerabilities. If you are conducting the type of test where you aren't trying to go unnoticed, then I would always use a vulnerability scanner like Nessus because you will simply detect more vulnerabilities faster.
Say, for example, you are charged not only with conducting a pentest but also with finding every vulnerability possible and risk-ranking them so that the company can go and fix them based on priority. In addition to the pentest, vulnerability scanning with Nessus would be your insurance policy that you didn't miss any issues and would help you carry out that task. Or you may find something that you normally might have missed, and now you can use that new knowledge to gain a foothold in the environment.
As noted earlier, this is the only tool on our list that does not come pre-installed on Kali Linux. It is easy enough to install and get going, though; just follow these steps.
Social Engineering Toolkit (SET)
Category: Phishing
When looking at many top penetration testing tool lists, you will often see the category of Phishing missing. This doesn't make sense, as this category is a must: social engineering and the human are simply the most vulnerable part of any hack or pentest. Furthermore, this has always been the case, going back to Kevin Mitnick and all his social engineering feats up to today, and this will never change.
There is a reason you get so much spam and are phished so often, and that's because it works. Humans are unpredictable and, moreover, easily tricked into clicking on links or attachments or entering passwords where they shouldn't. The Social Engineering Toolkit, or SET, is the tool for the job if you are trying to conduct a phish or a spear phish.
Sure, there are more commercial and costly tools out there that might be better if you are, say, testing a large organization, but if you are conducting a pentest where you are trying to craft a specific attack and clone web pages that look exactly like the real thing, you won't find anything better than the Social Engineering Toolkit (SET).
A very common scenario in pentesting is a simple spear phish of several different employees at an organization. Imagine that you have found several login pages during the reconnaissance phase of a pentest but now need credentials to go any further. One simple way would be to get creative, mimic the page you found and trick employees into going to that look-alike page and entering their credentials.
Penetration Testing Tools Conclusion
In conclusion, your top penetration testing tools may be different, but your categories are likely to be very similar, as any tool is likely to fit into one of the primary categories mentioned above. You may agree or disagree with this list, and that is a great thing either way. The point is to get you thinking.
Remember, the best tool you have is between your ears, and if you aren't using that it doesn't matter which tools you have; you will fail. The good news is that if you are learning and using your brain, it also doesn't matter which tools you have; you will be successful.