It doesn't matter how many of the latest security products are deployed throughout an IT environment -- you need to know they are working as expected and are effectively detecting and stopping cyber attacks.
This is why penetration testing remains such an important aspect of any cybersecurity strategy. Pen testing enables security teams to test security controls, expose gaps in defenses and identify exploitable vulnerabilities in networks, applications and IoT devices.
Once a test is completed, security teams can take preventative actions before bad actors discover the vulnerabilities. Pen testing is also important because it is mandated by various industry standards and regulations, such as GDPR, HIPAA, PCI DSS, Financial Industry Regulatory Authority and System and Organization Controls 2.
Pen testing can be a labor-intensive task, however. Many security teams don't have the time or the staff to complete the job manually. Fortunately, security teams can use automated pen testing tools to close the gap. But, with many pen testing tasks to perform and a variety of tools to choose from, getting the right tool set in place can be challenging.
Pen testing attacks
Pen test teams should, at minimum, perform the following attacks:
- Port scanning is performed during reconnaissance to learn details about running services and to identify potential vulnerabilities on a device by sending packets to specific ports and analyzing responses.
- Network protocol analysis is used during reconnaissance to collect information about network devices and network traffic.
- Vulnerability scanning examines an environment for unapplied patches, vulnerable software versions, vulnerabilities in applications, and gaps in firewalls and other security controls.
- Packet crafting is used to check firewall rules and find potential entry points.
- Password cracking involves brute-forcing passwords to gain access to remote services and privileged accounts.
- Exploitation includes attempts to exploit identified security weaknesses to establish their severity or determine whether other controls render a vulnerability unexploitable.
- Review and report involves collecting actionable information so the security team can make informed decisions on how to improve the organization's overall security posture.
No single pen test tool performs all these tasks or fits every use case. To complete a comprehensive pen test and simulate the classic steps of an attack (reconnaissance, exploitation, privilege escalation, and command and control), a combination of tools is needed.
Open source automated pen testing tools
A variety of simple and complex pen testing tools are available that conduct the aforementioned tasks. Many of them are open source, so any security team can use them to explore, attack and report on its IT environment.
Note that some previously open source scanning tools, such as Metasploit and Burp Suite, are now commercial products. Although free versions are still offered, they have reduced functionality.
The following list of open source tools enables security teams to automate many of the above tasks and complete a thorough test. Most work on all major OSes, but always check compatibility with the systems and databases your organization uses.
For reconnaissance, Nmap is the go-to tool. It can quickly scan large networks and runs on all major OSes. It reports on the following:
- what hosts are available on the network;
- what services they are running;
- which OS versions they are running;
- what types of packet filters and firewalls are in use; and
- other useful intelligence needed prior to launching an attack.
Although Nmap offers a wide array of advanced features, the basic commands are quite easy to learn. The documentation is comprehensive, and plenty of tutorials are available that cover the command line and GUI versions.
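The reconnaissance output is only useful once it is turned into findings. The following added example (not code from the article or from the Nmap project) parses Nmap's XML report format (`nmap -oX`) and flags every open port that is absent from a per-host baseline of expected services; the XML sample and the baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of Nmap XML output (nmap -oX), trimmed to the elements read below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https" product="nginx"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL" version="5.7.40"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
      <port protocol="tcp" portid="80"><state state="closed"/><service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline: the (protocol, port) pairs each host is supposed to expose.
EXPECTED = {"192.0.2.10": {("tcp", 22), ("tcp", 443)}, "192.0.2.11": set()}

def open_ports(xml_text):
    """Return {ip: [(proto, port, service, product, version), ...]} for ports Nmap reports as open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ip = addr.get("addr")
        result[ip] = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # closed/filtered ports are not exposure
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            result[ip].append((port.get("protocol"), int(port.get("portid")),
                               attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", "")))
    return result

def unexpected_services(xml_text, expected):
    """Open ports missing from the baseline: the findings to triage first."""
    findings = []
    for ip, ports in open_ports(xml_text).items():
        for proto, port, name, product, version in ports:
            if (proto, port) not in expected.get(ip, set()):
                findings.append((ip, proto, port, name, f"{product} {version}".strip()))
    return findings

if __name__ == "__main__":
    for finding in unexpected_services(SAMPLE_NMAP_XML, EXPECTED):
        print("unexpected:", finding)
```

The version strings Nmap's `-sV` records are what a vulnerability scanner or CVE lookup is matched against next, so keep them in the finding.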
Wireshark is a popular network protocol analyzer that runs on all the main OSes. Live capture, decryption support and offline analysis for every key network protocol are backed up by comprehensive documentation and video tutorials.
Legion is an extensible and semiautomated network penetration testing tool. The documentation is sparse, but the GUI has context menus and panels, making many tasks easy to complete. The modular functionality makes it customizable, and it automatically links discovered CVEs with exploits in the Exploit Database.
Another framework for network infrastructure and web pen testing is Jok3r. It is a compilation of more than 50 open source tools and scripts that can automatically run reconnaissance, CVE lookups, vulnerability scanning and exploitation attacks. Documentation is a work in progress, but its combination of modules makes it a powerful tool.
Zed Attack Proxy
OWASP's Zed Attack Proxy (ZAP) scans web applications for vulnerabilities. Acting as a man-in-the-middle proxy between the tester's browser and the web application, it can intercept requests, modify their contents and forward them. It offers lots of features, and add-ons are freely available in the ZAP Marketplace. Versions are available for each major OS, as well as Docker.
Nikto2 is a scanner that can identify the most common faults found in web servers. Run from the command line, it is fast but not stealthy. The documentation is not particularly detailed yet, but it isn't difficult to use.
The OpenSCAP ecosystem is a collection of open source tools for implementing and enforcing Security Content Automation Protocol (SCAP), a U.S. standard maintained by NIST that focuses on continuous monitoring, vulnerability management and security policy compliance. The tools offer automated configuration, vulnerability and patch checking, and continuous infrastructure evaluation for security compliance. Each tool is accompanied by comprehensive documentation and guidance.
SQL injection is a common attack vector against data-driven web applications that accept dynamic user-provided values, so a tool like sqlmap -- which can automate the process of detecting and exploiting SQL injection flaws -- is a must-have. It runs on Windows and Linux/Unix systems and has useful examples in its extensive documentation. It supports multiple database types and includes pen testing features, such as password cracking, user privilege escalation and arbitrary command execution.
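To make the flaw that sqlmap hunts for concrete, the following added example (not code from the article or from the sqlmap project) puts a query that splices user input into SQL text beside its parameterized form, using a constructed in-memory SQLite table; the tautology probe shown is the simplest of the boolean-based tests such scanners send, and the point is that the parameterized version does not react to it.

```python
import sqlite3

def setup_db():
    """Constructed in-memory user store standing in for an application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return conn

def lookup_vulnerable(conn, username):
    # The user-supplied value is pasted into the SQL text, so it can alter the query's logic.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    # The value is bound as data; the database never parses it as SQL.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = setup_db()
    probe = "' OR '1'='1"  # textbook boolean-based detection probe
    print("string-built query returned", len(lookup_vulnerable(conn, probe)), "rows")
    print("parameterized query returned", len(lookup_parameterized(conn, probe)), "rows")
```

A scanner reports the first function as injectable because its response changes with the probe; the second returns no rows for any input that is not a real username.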
Scapy is a packet crafter program that has particularly good documentation. An in-depth knowledge of protocol packet structures and network layers is required to make the most of the tool. It can forge or decode a wide number of protocol packets and can easily handle tasks such as scanning, tracerouting, probing, unit tests, attacks and network discovery.
Quite a few free password crackers are available, but CrackStation is one of the fastest, as it uses precomputed lookup tables consisting of more than 15 billion entries taken from various online resources.
Aircrack-ng is a complete suite of tools for pen testing Wi-Fi networks. It can monitor, attack, crack and test Wi-Fi cards, drivers and protocols.
How to select the right automated pen testing tools
To choose between tools, assess how each scores on the following six points:
- ease of implementation;
- level of automation;
- configurability to tune out false positives;
- compatibility with existing security tools;
- clarity and comprehensiveness of results and reports; and
- good support and technical documentation.
Whichever tool or tools are chosen, be sure they are still actively supported. It's also important to run more than just their basic commands and scans. While automating pen tests can ensure large networks are probed for low-hanging fruit, testers need to be creative -- just like a hacker -- and try different approaches to access networks, install malware and steal data. The most important thing, though, is to act on any findings that show vulnerabilities within the system and mitigate them as soon as possible.
For those security teams short on pen testing skills, the "Open Source Security Testing Methodology Manual" is a good place to start. It is a complete methodology for security and pen testing, security analysis and the measurement of operational security.