
Top 14 open source penetration testing tools
From Aircrack-ng to ZAP, these open source penetration testing tools are essential additions to any security pro's toolbox.
Penetration testing enables ethical hackers and red teams to test an organization's security controls, expose gaps in defenses and identify exploitable vulnerabilities in networks, applications and devices. A number of offensive cybersecurity tools are available, many of which are open source.
As a security practitioner, it's valuable for you to have a working knowledge of multiple popular and relevant open source pen testing tools, especially because many solve specific problems. Even ethical hackers at organizations that discourage open source use due to regulatory or paid support requirements can benefit from knowing about these tools.
Read on to learn about the main types of pen testing attacks, followed by the top pen testing tools you should try or adopt. Note that this is not intended to be an exhaustive list of every open source tool that exists. Rather, it is a collection of tools the author has experience and knowledge using.
The tools covered are the following:
- Nmap.
- ZAP by Checkmarx.
- SoapUI.
- BeEF.
- Hydra.
- John the Ripper.
- Metasploit Framework.
- Grype.
- Trivy.
- Aircrack-ng.
- OWASP Amass Project.
- Kali.
- Parrot.
- BlackArch.
Editor's note: It is possible to use these pen testing tools both lawfully and unlawfully. It is up to you to ensure your usage is lawful. Get appropriate permission and approval before pen testing, and handle the information obtained ethically. If you are unsure whether your usage is lawful, do not proceed until you have confirmed that it is -- for example, by discussing and validating your planned usage with your organization's counsel.
Types of pen testing attacks
Common types of pen testing tools and attacks include the following:
- Port scanning is a technique that sends a series of messages to gather details about which network services a computer provides. It identifies which ports and services are open or closed on internet-connected devices.
- Network protocol analysis is the process of capturing, decrypting and analyzing network data packets. It is employed during the reconnaissance phase of pen testing to collect information about network devices and network traffic.
- Vulnerability scanning is the process of detecting security weaknesses in a network. It examines IT systems, networks and applications for unapplied patches, vulnerable software versions, misconfigurations, vulnerabilities in applications, and gaps in firewalls and other security controls.
- Packet crafting is a technique used to check firewall rules and find entry points into a network. It involves manually assembling the packets and sending them to target firewalls and networks to determine how the systems respond.
- Web application attacks, such as cross-site scripting and SQL injection attacks, are used to gain access into a system via vulnerabilities in a web app. For example, XSS attacks manipulate websites via malicious scripts, while SQL injection attacks manipulate database queries to enable unauthorized access.
- Password cracking is a technique that involves guessing a user's credentials to gain access to a system. Types of password cracking include brute-force, dictionary, credential stuffing and rainbow table attacks.
- Exploitation involves attempting to exploit identified security weaknesses to establish their severity or determine whether other controls render a vulnerability unexploitable.
Open source pen testing tools
No single pen testing tool contains all the aforementioned features or fits every use case. A comprehensive pen test that simulates the classic steps of an attack (reconnaissance, exploitation, privilege escalation, and command and control) requires a combination of tools.
1. Nmap
Nmap is a network reconnaissance and port scanning tool. It is a command-line tool that scans networks for data and telemetry, including open ports, present devices, routes and more. Nmap is lightweight, versatile and ubiquitous -- it's included in default software repositories for most Linux distributions and is installed by default in most security-focused Linux distributions.
Beyond port scanning, you can use Nmap to fingerprint systems -- for example, to get OS and service version information about the scanned hosts. It supports a large library of external scripts -- more than 600 of them -- and add-ons. If it involves a service running on a remote host, there's a good chance Nmap can interrogate it and retrieve data about it.

Nmap is valuable for many reasons. Beyond its key capability of network reconnaissance on external, on-premises and virtual private cloud networks within your scope, its versatility enables you to use the tool creatively.
In one use case, Nmap can scan subnets for expired or nearly expired certificates. The command nmap --script ssl-cert -p 443 192.168.1.0/24, for example, scans the 192.168.1.0/24 subnet (a class C network) and outputs certificate details, including the validity dates, for any web server listening on port 443 on hosts in that subnet.
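To turn that scan into a recurring check, the script below (an added example, not code from the article or the Nmap project) parses the XML that the same command writes with -oX and flags certificates that are expired or expire within a warning window. The XML embedded in it is a constructed sample in the ssl-cert script's output layout, not the output of a real scan.

```python
"""Flag expired or soon-to-expire certificates in an Nmap ssl-cert XML report.

Added example (not from the article or the Nmap project). Assumes the report was
written with `nmap --script ssl-cert -p 443 -oX report.xml 192.168.1.0/24`.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample in Nmap's XML layout: one expired cert, one expiring soon, one healthy.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
 <host><address addr="192.168.1.10" addrtype="ipv4"/><ports><port protocol="tcp" portid="443">
  <script id="ssl-cert" output="(omitted)"><table key="subject"><elem key="commonName">intranet.example.test</elem></table>
  <table key="validity"><elem key="notAfter">2024-01-01T00:00:00</elem></table></script></port></ports></host>
 <host><address addr="192.168.1.20" addrtype="ipv4"/><ports><port protocol="tcp" portid="443">
  <script id="ssl-cert" output="(omitted)"><table key="subject"><elem key="commonName">vpn.example.test</elem></table>
  <table key="validity"><elem key="notAfter">2024-06-15T00:00:00</elem></table></script></port></ports></host>
 <host><address addr="192.168.1.30" addrtype="ipv4"/><ports><port protocol="tcp" portid="443">
  <script id="ssl-cert" output="(omitted)"><table key="subject"><elem key="commonName">wiki.example.test</elem></table>
  <table key="validity"><elem key="notAfter">2026-01-01T00:00:00</elem></table></script></port></ports></host>
</nmaprun>
"""


def find_expiring_certs(xml_text, now, warn_days=30):
    """Return (host, port, common_name, not_after, status) for every certificate
    that is already expired or expires within warn_days of `now` (naive UTC)."""
    findings = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            script = port.find("script[@id='ssl-cert']")
            if script is None:  # port answered, but no certificate was retrieved
                continue
            cn = script.findtext("table[@key='subject']/elem[@key='commonName']", "?")
            not_after = script.findtext("table[@key='validity']/elem[@key='notAfter']")
            if not not_after:
                continue
            expiry = datetime.fromisoformat(not_after)  # ssl-cert emits ISO 8601 without a zone
            if expiry <= now:
                status = "expired"
            elif expiry - now <= timedelta(days=warn_days):
                status = "expiring"
            else:
                continue  # healthy certificate: nothing to report
            findings.append((addr, port.get("portid"), cn, not_after, status))
    return findings
```

Hosts that do not answer on 443 never appear in the report, so a clean result only covers listeners the scan reached; run it against the full in-scope range you own.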
Learn how to use Nmap to scan network ports.
2. ZAP by Checkmarx
Zed Attack Proxy (ZAP), previously OWASP ZAP, is an application scanner, fuzzer, site crawler, proxy and more. Some of its more advanced application testing features -- for example, fuzzing or using proxy features to pen test an app -- might be challenging for newer security practitioners, but its automated scanning, crawling and discovery features make it valuable for professionals of all skill levels.
You can use ZAP to test web applications, APIs and pretty much any service or protocol that uses HTTP or HTTPS as a transport -- for example, Health Level Seven, GraphQL, Fast Healthcare Interoperability Resources, etc. You can also use the tool's automated scanning capabilities to get information about potential security issues on a site.
Those are ZAP's basic uses; it has some more creative ones, too. For example, ZAP can compare differences in application behavior and implementation over time. It lets you retain session files that contain both requests and responses associated with a given testing session. You'd be surprised how helpful it can be to examine website behavior from months or years ago at an HTTP stream level -- for example, to compare behavior before and after a given change was made, feature implemented or integration occurred.
3. SoapUI
SoapUI is an API testing tool. While you can use ZAP as a test harness for APIs, SoapUI is designed explicitly for this purpose. It is especially useful when investigating intra-application communication, particularly where there isn't a web UI front end or the front end is minimal due to no user interactivity.
SoapUI supports a variety of security testing use cases out of the box, such as fuzzing, SQL injection testing and XML-based attacks. You can also use it in tandem with ZAP or similar tools depending on the specific test case.
For pen testing, SoapUI's primary utilities are in exploring, mapping and manipulating APIs. Once you understand the basics, you can start using it for blue teaming. For example, SoapUI can set assertions -- i.e., define the expected vs. unexpected output for an API. This is helpful if you want to define a set of expected results for quick-and-dirty integration testing of security functionality in a product context when a new release is published.
4. BeEF
Browser Exploitation Framework (BeEF) is a web browser pen testing tool that enables you to weaponize client-side attack vectors in web browsers. For example, if you can create a situation where a client navigates to a site you control -- e.g., a watering hole attack -- you can open a tab within that browser and control it going forward. This lets you use the tab as you see fit -- for example, for tabnabbing-style attacks, using the captured tab to intercept and relay information about visited sites, or numerous other techniques.
There's less defensive utility in this tool compared to others covered here, but BeEF is still noteworthy because it's unique in what it does and its capabilities for extending social engineering and watering hole-style attacks.
Learn how to use BeEF.
5. Hydra and 6. John the Ripper
Hydra and John the Ripper are two popular password-cracking pen testing tools. Hydra is best used for online brute-force attacks against network protocols, such as SSH, Remote Desktop Protocol and HTTP, as well as HTML forms. John the Ripper is ideal for offline password cracking -- for example, if you have already obtained access to a shadow file, Windows Security Account Manager database or other non-plaintext password list.
From a utility point of view, the red team usage of these tools is straightforward -- you use them to crack passwords and gain access to things. But they have blue team utility as well. For example, you can use these tools to audit passwords, look for weak password entries set by users, find unsafe password hygiene and more.
Learn how to use Hydra.
Learn how to use John the Ripper.
7. Metasploit Framework
Metasploit Framework is a universal interface to exploit code. Anybody who has ever used a canned exploit to abuse a vulnerability knows the process can be difficult due to nonstandard inputs, the need to alter hardcoded variables, lack of cross-compatibility for shellcode payloads and numerous other factors. Metasploit simplifies these challenges by allowing exploits and shellcode to always function according to a defined and standard interface.
Because a default Metasploit install includes exploit modules for several widely exploited vulnerabilities, such as Log4Shell and EternalBlue, the tool offers red and blue team capabilities. For example, red teams can attempt to exploit a common vulnerability, while pen testing and blue teams can validate whether that vulnerability has been remediated.
Learn how to use Metasploit Framework.
8. Grype and 9. Trivy
Anchore's Grype and Aqua Security's Trivy are container vulnerability scanners. While Grype and Trivy don't have identical features, conceptually their focus is similar: taking a Docker or Podman container image and scanning its packages for known vulnerabilities.
Consider, for example, using Grype to scan the "hello-world" container -- a container available to test the installation of the container engine. You wouldn't expect to find anything in such a simple container -- and, as expected, you don't -- but this shows how easy it is to use the tool to scan containers.

Grype and Trivy have many straightforward use cases. For example, you can periodically scan containers in use to validate that updates haven't introduced vulnerabilities via dependencies. More creatively, you can use Grype or Trivy to automate scanning as part of a toolchain to find and flag vulnerabilities before a container is pushed to production.
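The toolchain use just described usually comes down to one policy decision: fail the pipeline if the scan reports anything at or above a chosen severity. The script below (an added example, not code from the article, Anchore or Aqua Security) reads the JSON that grype -o json or trivy image -f json writes, normalizes both layouts and returns a pass/fail exit code; the two reports in it are constructed samples with placeholder CVE ids, not real scan output.

```python
"""Gate a container build on Grype or Trivy JSON findings.

Added example (not from the article, Anchore or Aqua Security). Field names follow
the JSON layouts of `grype <image> -o json` and `trivy image -f json <image>`;
both reports below are constructed samples with placeholder CVE ids.
"""
import json

SEVERITY_RANK = {"negligible": 0, "unknown": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed Grype-style report: matches[].vulnerability / matches[].artifact
GRYPE_SAMPLE = json.dumps({"matches": [
    {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},
     "artifact": {"name": "libexample", "version": "1.0.0"}},
    {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low"},
     "artifact": {"name": "zlib-demo", "version": "1.2.3"}}]})

# Constructed Trivy-style report: Results[].Vulnerabilities[] (null when a target is clean)
TRIVY_SAMPLE = json.dumps({"Results": [{"Target": "demo:latest (alpine)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "openssl-demo",
     "InstalledVersion": "3.0.0", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "busybox-demo",
     "InstalledVersion": "1.36", "Severity": "MEDIUM"}]}]})


def normalize(report_text):
    """Return [(vuln_id, package, version, severity)] from either tool's JSON report."""
    report = json.loads(report_text)
    findings = []
    if "matches" in report:  # Grype layout
        for m in report["matches"]:
            findings.append((m["vulnerability"]["id"], m["artifact"]["name"],
                             m["artifact"]["version"], m["vulnerability"]["severity"].lower()))
    else:  # Trivy layout; Vulnerabilities is null or absent for a clean target
        for result in report.get("Results", []):
            for v in result.get("Vulnerabilities") or []:
                findings.append((v["VulnerabilityID"], v["PkgName"],
                                 v["InstalledVersion"], v["Severity"].lower()))
    return findings


def gate(report_text, fail_on="high"):
    """Return (exit_code, blocking_findings): exit 1 if any finding is at or above fail_on."""
    threshold = SEVERITY_RANK[fail_on]
    blocking = [f for f in normalize(report_text) if SEVERITY_RANK.get(f[3], 0) >= threshold]
    return (1 if blocking else 0), blocking
```

Both tools can enforce a threshold natively (grype --fail-on high; trivy --exit-code 1 --severity HIGH,CRITICAL); parsing the JSON yourself is worthwhile when one policy has to apply across both scanners or feed a ticketing system.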
10. Aircrack-ng
Aircrack-ng is a suite of command-line tools targeted toward attacks against wireless networks. While attacking Wi-Fi might seem old school -- and, given how frequently such tools receive updates, it's not incorrect thinking -- there are still situations where knowing how to perform tasks such as sniffing, Wired Equivalent Privacy cracking and Wi-Fi Protected Access password brute force is beneficial.
For example, if you need to pen test a remote office, home network or brick-and-mortar location, you might come across an older wireless system. In these situations, Aircrack-ng is a useful tool.
Aircrack-ng remains a ubiquitous Wi-Fi tester that is included in most Linux distributions' default software repositories, is included out of the box in numerous security-focused distributions and can be run via Docker container.
11. OWASP Amass Project
OWASP Amass Project is an attack surface mapping and asset discovery tool designed for reconnaissance and information-gathering activities. It has several features to identify external-facing assets, IP address ranges, environments, subdomains and other relevant data points.
While open source intelligence gathering is valuable from a red teaming perspective, Amass also has blue team applications. For example, periodic gathering of externally visible environments or assets can help identify shadow IT, such as cloud test or development assets, unmanaged environments, etc.
12. Kali, 13. Parrot and 14. BlackArch
While not single tools, Kali, Parrot and BlackArch are popular special-purpose, security-focused Linux distributions with an emphasis on pen testing, each bundling a large suite of tools.
Practitioners just getting started in the pen testing world can benefit from these suites because they simplify the task of sourcing, gathering and installing individual tools and instead create a ready-to-use collection of tools that you can pick up and use right away. BlackArch is a suite of more than 2,800 separate tools, and the Kali and Parrot suites contain more than 600 tools each.
Learn how to use BlackArch.
How to select the right pen testing tools
When assessing open source pen testing tools, consider the following:
- Ease of implementation.
- Level of automation.
- Configurability to tune out false positives.
- Compatibility with existing security tools.
- Clarity and comprehensiveness of results and reports.
- Support and technical documentation.
Always make sure tools are still actively supported. It's also important to run more than just basic commands and scans when assessing tools. While automating aspects of pen tests can probe large networks for low-hanging fruit, you need to be creative -- just like a hacker -- and try different approaches to access networks, install malware and steal data.
If you're short on pen testing skills, the "Open Source Security Testing Methodology Manual" is a good place to start. It is a complete methodology for security and pen testing, security analysis and the measurement of operational security.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.
Michael Cobb contributed to this article.