8 penetration testing tools that will do the job


If the probability of your assets being prodded by attackers foreign and domestic doesn’t scare the bejesus out of you, don’t read this article. If you’re operating in the same realm of reality as the rest of us, here’s your shot at redemption via some solid preventive pen testing advice from a genuine pro.

CSO speaks with pen test tool designer/programmer/aficionado, Evan Saez, Cyber Threat Intelligence Analyst, LIFARS, about the latest and greatest of these tools and how to apply them.

Available pen test tools

The pen test tools for this discussion are Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish (Evan Saez is a developer on the Jawfish project). These tools are key to securing your enterprise because they are the same kinds of tools that attackers use. If you don’t find your holes and seal them, attackers will exploit them.


Metasploit is a framework with a large programmer fan base that contributes custom modules: test tools that check for weaknesses in operating systems and applications. People release these custom modules on GitHub and Bitbucket. Bitbucket, like GitHub, is an online repository for coding projects. “Metasploit is the most popular pen test tool,” says Saez.

The Nessus Vulnerability Scanner is a popular, signature-based tool for locating vulnerabilities. “Nessus can only compare scans to a database of known vulnerability signatures,” says Saez.

The Nmap network scanner enables pen testers to determine the types of computers, servers, and hardware the enterprise has on its network. The fact that these machines are identifiable via these external probes is in itself a vulnerability. Attackers use this information to lay the groundwork for attacks.

Burp Suite is another popular web application pen test tool. It maps and analyzes web applications, finding and exploiting vulnerabilities, according to Burp Suite web security tool vendor, PortSwigger.

OWASP ZAP (Zed Attack Proxy) is the web application pen test tool from nonprofit OWASP, the Open Web Application Security Project. ZAP offers automated and manual web application scanning in order to serve the novice and the established professional pen tester. ZAP is an open source tool now available on GitHub.

Copyright © 2015 IDG Communications, Inc.
