Alex - stock.adobe.com
In A History of Western Philosophy, Bertrand Russell said: "Facts have to be discovered by observation, not by reasoning." His argument is that establishing something as a fact can only be done empirically. Direct observation is the most expedient way to figure out what is going on.
The same is true in the cybersecurity realm. If you want to understand the degree to which your networks, applications, hosts and employees are protected, the best way is empirical testing. This involves conducting a penetration test designed to simulate an attacker's tools, techniques and procedures.
While many organizations outsource pen testing, it can be valuable for practitioners to understand the testing tools used throughout the process. This lets you negotiate more effectively with testing providers when you understand how the sausage is made. Even though you might not be an expert, testing things yourself can help you knock low-hanging fruit off your list.
A few quick caveats: All the open source security testing tools listed can be used both lawfully and unlawfully. Make sure that you stay on the right side of the law. If you're not sure whether a given usage is legal or not, talk to a lawyer. If you're still not sure after that, don't do it. Also, when using applications or systems in unexpected ways, sometimes, downtime can occur. Have a plan in case something important goes offline. Lastly, testing well requires a lot of training and practice. Don't expect internal efforts to have the same results as a specialist.
That said, let's look at 10 security testing tools routinely used by testers. Since it isn't possible to cover the thousands of tools out there, the focus here is on tools that do the following:
- are open source and, therefore, accessible to everyone;
- are well known, so there's plenty of support resources; and
- span a wide variety of niches and types of tests.
1. Kali, Parrot and BlackArch
Kali is a full Linux distribution composed of hundreds of tools. Other pen testing distributions worth considering are Parrot and BlackArch. Kali, due to its popularity, has the advantage of ubiquity and a large user base. As such, there are numerous instructional videos, usage guides, user communities and other information available to help users.
One of the reasons why Kali and these other distributions are listed first is that many of the individual tools here are included. This means that, if you want to experiment, they'll help get you up and running quickly.
2. Metasploit Framework
When it comes to interfacing with exploits, there is perhaps no better-known and more accessible tool than Metasploit Framework. Metasploit provides a consistent method to use, package, and even write and distribute exploits. For those who wish to test their susceptibility to well-known exploits, Metasploit can be a readily and rapidly accessible path to doing so. There are a number of included exploits and payloads to mix and match from for specific test conditions, as well as auxiliary modules that provide functionality without a defined payload.
3. Zed Attack Proxy
Testing an application is different than host and network-level testing. One essential tool for testing applications is a proxy that enables you to intercept, view, modify, replay and automate web application -- i.e., HTTP and HTTPS -- requests. OWASP's Zed Attack Proxy (ZAP) does exactly this.
At its most basic usage, ZAP acts as an HTTP forward proxy that sits in between your browser and the site you're testing. The main difference between it and any other HTTP forward proxy, such as Squid in Explicit mode, is it terminates and proxies -- rather than letting the browser tunnel -- TLS connections.
More advanced features include automated spidering, WebSocket monitoring and control, automated detection of issues and fuzzing.
4. Browser Exploitation Framework
Depending on the type of test, subterfuge against users may not be in scope. If the user population is in scope, you need a way to get your traffic from outside the network to the inside. One option is Browser Exploitation Framework (BeEF), which enables testers to employ a user's browser as a launchpad for attacks. BeEF lets you establish a hook on the user's browser -- for example, by tricking them into clicking a link you control -- and then provides capabilities to you, such as control over their browser tabs, ability to tunnel traffic through their browser, etc. If you don't already have access to the internal network, this can help get you there.
5. Hydra, John the Ripper and Hashcat
Sometimes, you just need to crack a password: Windows passwords, Linux and Unix passwords, SSH passwords, application passwords, etc. A number of password crackers are available. A few to consider are the following:
Mimikatz is designed to extract secrets from Windows memory. If you find yourself with access to a Windows host, you may desire to extract secret information from it for use elsewhere -- for example, to accomplish the following:
- establish permanence on that device or others -- for example, by obtaining password hashes for later offline cracking;
- expand your beachhead -- e.g., by extracting Kerberos tickets; or
- otherwise use the Windows host to gain more or longer access.
7. Wireshark and TShark
The Wireshark network protocol analyzer is a terrific way to understand exactly what is going on traffic-wise between your device and the remote location. If you need to snoop on network traffic in a remote location -- for example, after you've established a beachhead on internal systems -- TShark and tcpdump enable you to capture packets via the command line.
It's helpful to have specialized tools to help detect SQL injection issues. Sqlmap is a command-line utility that helps automate the SQL injection process. It can determine which parameters, headers or data elements are susceptible to SQL injection, as well as which types of exploits are possible.
Most websites are built based on APIs that implement functionality and business logic in a stateless, often asynchronous way. While that's great for flexible site design and modularization, it means the security of underlying APIs is intrinsic to the security of the overall site. How do you test the security of APIs? Application testing tools can help, but having an API-specific testing tool can be beneficial.
SoapUI provides an interface for testing of APIs. It lets you intercept and modify requests in flight, supports techniques such as parameter fuzzing and natively understands different data formats -- e.g., JSON and GraphQL.
10. Apktool and MobSF
Testing a mobile application is heavily dependent on testing the online services -- webpages and APIs -- used by the application. But getting more information about the mobile application itself can be advantageous. Some examples are the following:
- looking for secrets buried in the application, such as keys, passwords, etc.;
- understanding API endpoints used by the mobile application; or
- understanding the overall flow of operation.