Building the pentest toolkit means experimentation, getting to know different tools, and learning different interfaces. Eventually, you might prefer a stripped-down toolkit with a few solutions like ReNgine or Burp Suite to do most of the heavy lifting—or a tool-heavy approach with a unique tool to fit every scenario. Either way, your pentest tools have to fit into your workflows, approaches, and needs.
This list includes some of the best pentest tools out there, with insight from pentesters. But you’ll still have to try out options, see what you like, and figure out why. Mike Terhaar, a pentester with 20+ years of experience, weighs in on tools and what they’re good for with some personal recommendations.
This list of the top 10 pentest tools includes free and paid options, including open-source and SaaS solutions.
Burp Suite Pro is one of the largest and most popular application security testing (AST) tools. On its own it’s good for recon and enumeration; with its many add-ons, it can function as a complete platform for web application pentesting.
“ActiveScan++, WSDL Wizard, and Retire.js are must-have add-ons,” says Mike. “With those, you can replace many smaller tools for recon and enumeration and just simplify your whole workflow, because you’ll have to open fewer tools, export from fewer places, consolidate less data, etc.”
“Of course, Burp Suite is nowhere near cheap,” adds Mike. “If it’s not in your budget, the alternative is to build up the same capabilities with a larger toolset. If you do so, just make sure you have good post-scan workflows in place, so you don’t spend too much extra time on that data export and consolidation. Of course, when Burp doesn’t work, I always turn to OWASP ZAP; you need that too.”
ReNgine is something of a newcomer to the field, but with strong OSINT and recon functionality, it’s quickly becoming a pentester favorite. The tool goes head-to-head with big names like Nessus, but without the hefty price tag. It’s also completely open source and free.
“It has the same capabilities as Nessus but with some extras,” says Mike Terhaar, “Of course, it doesn’t meet Nessus’ development quality – because obviously Nessus is a premium product – but you’ll get a lot of functionality out of it, especially with add-ons, like my personal favorite, Harvester.
You can check everything as part of your web recon, have it all presented in a single dashboard and be ready to go. It’s one platform with one button to push, and that will save you so much time. I’d say ReNgine is my go-to for basic hygiene and checking things like target hardening, patching, etc.”
Nessus Pro is so much a go-to that it hardly needs mentioning. Tenable’s Nessus is the standard solution for professional and internal pentest teams looking for recon tools and frameworks. It has everything from asset discovery to configuration auditing, target profiling, etc., plus a built-in scanner and compliance audit scanner in the Expert edition.
“Nessus is one of the best scanners in the industry,” says Mike, “if, of course, you can afford it.”
Metasploit is an open-source framework with a wide range of capabilities for post-exploitation tool management, assessment management, and (with the premium version) a web application scanner, automated exploitation, and reporting functionality.
The Metasploit framework is one of the best out there, although at the current price tag of $15,000 per year, it’s not cheap. However, for big pentest teams, it’s a must-have. If you’re just starting out, however, Mike recommends other options.
“Metasploit is flexible and old-school. If you’re using the free version, doing the recon upfront and having the infrastructure-level data you need to get the most out of Metasploit just makes it a good tool,” says Mike. “However, if you’re looking at the premium version, many pentesters are still better off with an open-source tool like ReNgine.
Of course, Metasploit’s vulnerability scanning, takeover automation, etc., just make it a really valuable tool once you do go pro.”
If you know what you’re looking for, Ettercap is one of the best command-line tools out there, great for writing filters and doing research after basic recon. The tool also comes equipped with sniffing, content filtering, and network/host analysis.
“It’s an easy-to-use command line tool and you can write filters on the go so you only get the information you need,” says Mike, “That makes it a perfect fit for pentesters who already know exactly what they’re looking for and basically unusable if you don’t.”
Netsparker has always been one of the best web and code vulnerability scanners out there, and its rebrand to Invicti doesn’t change that. That’s especially true for internal pentest teams looking for compliance, proof of exploit, and API security testing, which makes it a perfect fit for teams working for corporations and looking to harden a single web application or domain.
“Of course, it’s still a great fit for general pentesters as well; if you need a list before pentesting, this is the go-to,” says Mike.
If you’re not using ReNgine and Harvester or something like Shodan, Maltego is a go-to for intelligence and forensics. It also offers graphical link analysis, insertion capabilities, etc. However, it’s not cheap.
“If it weren’t so expensive, it would be a favorite tool,” says Mike, “As it is, I normally look for other solutions like Harvester in ReNgine. However, Maltego is really really good and if you have the budget, it will make your life easier. However, you do need the paid version because the free version limits the information you see.”
Nmap is the world’s most popular port scanner for a reason. You need this.
“It’s obvious to have this; you can’t not have it,” says Mike. “This is your basic-level IP recon and everything else builds on it. My workflow is Nmap followed by Ncat as part of a standard network assessment, and every other tool I use follows up on those. Ncat is, of course, a Swiss Army knife with network and command-line tools.”
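Mike puts Nmap first and every other tool downstream of it, and the Burp section above stresses having post-scan workflows so export and consolidation don’t eat your time. As an added example (not code from the article, from Mike, or from the Nmap project), here is a small Python script that parses Nmap’s XML report format (the `-oX` output) into a per-host inventory and flattens it to CSV for whatever tool comes next. The XML is a constructed sample using documentation address ranges; nothing here runs a scan.

```python
"""Consolidate an Nmap XML report (-oX) into a per-host inventory.
Added example, not from the original article or the Nmap project. The XML
below is a constructed sample; nothing here runs a scan."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample in Nmap's XML output format: two hosts up, one down.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.0/29">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="web.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/>
        <service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="filtered"/>
        <service name="mysql"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/>
        <service name="microsoft-ds"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""


@dataclass
class Service:
    port: int
    proto: str
    name: str
    product: str
    version: str


@dataclass
class Host:
    addr: str
    hostname: str
    services: list = field(default_factory=list)


def parse_nmap_xml(xml_text):
    """Return a Host for every host that was up, keeping only open ports."""
    hosts = []
    for h in ET.fromstring(xml_text).findall("host"):
        status = h.find("status")
        if status is None or status.get("state") != "up":
            continue  # down hosts carry no port data worth consolidating
        addr = h.find("address[@addrtype='ipv4']")
        if addr is None:
            addr = h.find("address")  # fall back to whatever address is present
        hn = h.find("hostnames/hostname")
        host = Host(addr.get("addr"), hn.get("name") if hn is not None else "")
        for p in h.findall("ports/port"):
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue  # skip closed/filtered ports; only open ones feed follow-up work
            svc = p.find("service")
            get = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            host.services.append(Service(int(p.get("portid")), p.get("protocol"),
                                         get("name"), get("product"), get("version")))
        hosts.append(host)
    return hosts


def to_csv_lines(hosts):
    """Flatten to CSV rows that a tracker or follow-up tool can import."""
    rows = ["address,hostname,port,proto,service,product,version"]
    for h in hosts:
        for s in h.services:
            rows.append(f"{h.addr},{h.hostname},{s.port},{s.proto},{s.name},{s.product},{s.version}")
    return rows


def open_port_summary(hosts):
    """Map each open (proto, port) to the hosts exposing it, for quick triage."""
    summary = {}
    for h in hosts:
        for s in h.services:
            summary.setdefault((s.proto, s.port), []).append(h.addr)
    return summary


if __name__ == "__main__":
    inventory = parse_nmap_xml(SAMPLE_NMAP_XML)
    print("\n".join(to_csv_lines(inventory)))
    for (proto, port), addrs in sorted(open_port_summary(inventory).items()):
        print(f"{proto}/{port}: {', '.join(addrs)}")
```

The script keeps only hosts that were up and ports reported open, which is the subset later tools actually act on; the CSV rows and the port-to-hosts map are the two shapes most trackers and follow-up scanners accept without further massaging.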
SQLMap is one of the most popular injection and database tools on the market and for good reason. It also offers automation, with options to automate takeovers and exploit found vulnerabilities. That can give you a lot of functionality with very little investment – and it will save you a lot of time, even when you can easily do those same tasks by hand.
“SQLMap is just really powerful. Even if you’re only working on a hunch, it will verify if SQL injection is possible, and it’s easy to automate everything,” says Mike.
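To make concrete what a check like SQLMap’s is confirming, and what closes it, here is an added example (not code from the article, from Mike, or from the SQLMap project): a lookup built by string formatting next to the same lookup using a bound parameter, run against an in-memory SQLite database. The users table and the probe string are constructed for the demonstration; the differential check simply compares the row count for a known user with the row count for the probe.

```python
"""What a SQL injection check like SQLMap's confirms, and why parameterized
queries close it. Added example, not from the original article or SQLMap;
the users table and the probe string are constructed for the demonstration."""
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the statement by string formatting: user input becomes SQL syntax."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Binds the value through a placeholder: input can never alter the query shape."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# The textbook tautology probe, constructed for this demonstration: if the
# WHERE clause can be rewritten, the lookup stops matching one user.
PROBE = "' OR '1'='1"


def is_injectable(lookup, conn, known_user="alice"):
    """Differential check: an injectable lookup returns more rows for the
    probe than for a real value that should match exactly one row."""
    baseline = len(lookup(conn, known_user))
    return len(lookup(conn, PROBE)) > baseline


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", find_user_vulnerable(conn, PROBE))
    print("safe:      ", find_user_safe(conn, PROBE))
    print("vulnerable injectable?", is_injectable(find_user_vulnerable, conn))
    print("safe injectable?      ", is_injectable(find_user_safe, conn))
```

The fix is the one-line change from formatting to binding; the scanner’s job is to notice the row-count difference, and the developer’s job is to make sure there is none to notice.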
Cyver Core is another newcomer to the market, but it takes the place of multiple tools in your kit, including vulnerability library management, pentest report generation, and work management tooling. Much of the focus of pentest tooling is on doing the work – but saving time on overhead saves you as much time as something like automating SQL injection.
The tool is not free but offers a significant amount of workflow automation around your pentest. Plus, it replaces pentest delivery with online findings as tickets and a client portal and dashboard.
“Tools aren’t everything,” says Mike, “Especially if you’re just getting started, the best tool is insight into what kinds of mistakes people make, common vulnerabilities, and what you should be looking for. Often, that means doing more tests, learning to use recon as a starting point, and even just looking at Google and wayback tools as a starting point.
Manual insight is always going to be your best friend and tools like NMap will just add to that. Start with manual insight, use scanners to fill in the gaps, look at everything manually again, and figure out your approach that way – you won’t go wrong.”
Of course, you need good tools; hopefully some of these fit your toolbox, although chances are you’re already using a lot of them.
There are hundreds of tools out there, and most of them are best-fit for very specific use-case scenarios. If you haven’t found the perfect tool, keep looking.