Penetration testing is ethical hacking to find security vulnerabilities that an attacker could exploit. It involves attacking your own system from the outside, just as an external attacker would. This type of security testing reveals vulnerabilities that can surprise the teams that build and ship applications. Doing it effectively takes tools that are stealthy and robust enough to be used by hackers themselves: the very tools that could be used illegally to gain access to a system are precisely the tools penetration testers need.
Open-source penetration testing tools: The top seven
Let’s look at the top seven open-source penetration testing Python tools. Why Python? Because it is the language most widely used by hackers, and it is versatile and capable. We’ll rank these tools by their GitHub stars, from the most popular to the least. Let’s get started.
SQL injection is one of the most common types of cyberattacks where attackers look to gain access to a database using SQL queries. They can even gain access to an underlying file system or operating system in some cases.
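The defect that SQL injection scanners hunt for, shown as an added example (not code from the page or from sqlmap) using Python’s built-in sqlite3 and a constructed in-memory table: the vulnerable query pastes user input into the SQL text, the hardened one binds it as a parameter.

```python
import sqlite3

def make_db():
    # Constructed in-memory table with sample rows (example data, not from the page).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")])
    return conn

def find_user_vulnerable(conn, name):
    # String formatting lets the caller's input become part of the SQL text.
    # This is exactly the defect sqlmap probes for.
    sql = "SELECT id, name, role FROM users WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()

def find_user_safe(conn, name):
    # A bound parameter is always treated as data, never as SQL syntax,
    # so the same probe string simply matches no row.
    sql = "SELECT id, name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def demo():
    conn = make_db()
    honest = "bob"
    probe = "' OR '1'='1"  # well-known tautology probe: WHERE name = '' OR '1'='1'
    return {
        "vulnerable_honest": len(find_user_vulnerable(conn, honest)),
        "vulnerable_probe": len(find_user_vulnerable(conn, probe)),
        "safe_honest": len(find_user_safe(conn, honest)),
        "safe_probe": len(find_user_safe(conn, probe)),
    }

if __name__ == "__main__":
    print(demo())  # {'vulnerable_honest': 1, 'vulnerable_probe': 3, 'safe_honest': 1, 'safe_probe': 0}
```

The vulnerable function returns every row for the probe string; the parameterized one returns none, which is the whole difference a scanner like sqlmap reports.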
sqlmap is a very popular open-source tool that reveals these vulnerabilities. It supports pretty much any type of database and multiple types of SQL injection techniques. You can run multi-threaded HTTP requests and set the maximum number of requests to be run. sqlmap helps to automate attacks on a database.
sqlmap does generate a few false positives when looking for vulnerabilities — this is common with all penetration testing tools. It would take a manual check to weed out the false positives. But the tool returns a lot of useful information that far outweighs the false positives. There isn’t a GUI, and sqlmap is controlled purely from the command line. This may deter those who prefer a GUI. However, the commands are easy to pick up and get up and running with. For security testers, sqlmap is a must-have.
sqlmap is so popular that other open-source projects have emulated it. For example, NoSQLMap is a similar Python-based project that does the same thing for NoSQL databases. With the growing popularity of NoSQL databases in modern applications, this is a welcome addition. You may want to use both tools side-by-side.
sqlmap is part of many security projects like Kali Linux and Backbox. You can’t argue with the 18,500 stars it has on GitHub. With its diverse feature set, huge community, and open-source status, sqlmap is an essential tool to have in a security tester’s arsenal.
PuPy is a remote administration tool (RAT) that can be used to control machines remotely. On the good side, it can provide basic remote IT support, which is especially useful in these times of remote work. However, if this is your primary goal, you’ll likely need a paid tool with support and all the bells and whistles. On the other hand, PuPy can also be used maliciously by attackers to gain access to a system and execute tasks on it. For this reason, it is commonly used by penetration testers to check how secure a system is and how vulnerable it is to external takeover.
PuPy can execute Python scripts in memory without touching the disk, which can let it evade antivirus products that rely on scanning files on disk. Once it makes its way into the host system, PuPy can install Python code and packages remotely and from memory. This is very powerful.
PuPy can run on all major operating systems but requires a Python runtime to be installed on the host device.
It is important to know the attack surface of your web application before an attack and during one. For this, you need to know which directories your web app currently exposes. Dirsearch helps with this. It finds hidden directories, sub-directories, and files, revealing the true structure of a website or web app.
Dirsearch can be used to brute force directories and files, making for a great penetration testing tool. It can operate at scale by running multiple requests in multi-threaded processes. It can reveal hidden web pages and allows running delayed queries to avoid suspicion.
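From the defender’s side, the same brute-forcing shows up in web server logs as one client requesting many paths that do not exist. This added example (not code from the page or from Dirsearch) parses constructed combined-format access log lines and flags clients that hit many distinct missing paths within a time window; counting distinct paths over a window rather than requests per second still catches a scanner that delays its queries.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines in combined log format (not real traffic). The client
# 198.51.100.23 probes six non-existent paths roughly 40 seconds apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 5316 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /about HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:56:20 +0000] "GET /backup/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:57:00 +0000] "GET /.git/HEAD HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:57:40 +0000] "GET /config.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:58:20 +0000] "GET /old/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:59:00 +0000] "GET /test/ HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:59:30 +0000] "GET /login HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
"""

def parse_line(line):
    """Return (client_ip, timestamp, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), path, int(status)

def find_dir_bruteforce(lines, window=timedelta(minutes=10), min_distinct=5):
    """Map client_ip -> number of distinct 404 paths for clients that requested at
    least `min_distinct` different missing paths inside some `window`-long span."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 404:
            misses[rec[0]].append((rec[1], rec[2]))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over sorted 404s
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {path for _, path in events[start:end + 1]}
            if len(distinct) >= min_distinct:
                flagged[ip] = max(len(distinct), flagged.get(ip, 0))
    return flagged

if __name__ == "__main__":
    print(find_dir_bruteforce(SAMPLE_LOG.splitlines()))  # {'198.51.100.23': 6}
```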
W3af (Web Application Attack and Audit Framework) checks web applications for SQL injection vulnerabilities and other issues. W3af is a wrapper around Python’s urllib2, the module that opens and fetches URLs.
W3af uses a plugin architecture where each plugin runs a Python script on a form or query string to check for vulnerabilities. For example, the discovery plugin finds URLs to be checked, and the audit plugin checks the URLs returned by the discovery plugin.
You can add a payload to any part of an HTTP request, including the query string, POST data, headers, cookie values, multipart/form file content, URL filename, and URL path. Once a request is run, you need the output to analyze the results. For this, W3af’s output logs can be viewed in the console, written to a file, or received via email.
Wfuzz is used to test web applications via HTTP requests. It replaces data in any field of the HTTP request with the payload you define. Wfuzz brute-forces credentials in form fields and checks for different types of injection such as SQL, XSS, LDAP, and XXE. Wfuzz adopts a plugin architecture and, interestingly, has made building a plugin extremely simple: a Python developer can write one in a few minutes. This approach can work wonders in the hands of an experienced security professional. Wfuzz is included in Kali Linux in the web apps section.
OneForAll enumerates all of a domain’s existing subdomains. It was created in China, which means it uses Chinese data sources to check for unique entry points that may not be discovered by other similar tools. It can verify all subdomains, brute-force them, and even perform subdomain takeover. Similar to Dirsearch, it helps to show the real attack surface of a web application. It also checks for subdomain zone transfers, HTTPS certificates, robots files, and sitemaps.
OneForAll can process 350,000 domains per second. It can automatically deduplicate the list of subdomains, which is very useful when the number of subdomains increases.
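Two of the steps above, deduplicating subdomains gathered from several sources and checking the merged list for takeover risk, as an added example that is not OneForAll’s own code. Names are canonicalized (case, trailing dot, wildcard label) before merging, and a host whose CNAME target no longer resolves is flagged as dangling; the DNS data here is constructed in place of live lookups.

```python
def canonical(name, root):
    """Lower-case the name, strip surrounding whitespace, a trailing dot and a
    leading wildcard label; return None when it is not under `root`."""
    host = name.strip().lower().rstrip(".")
    if host.startswith("*."):
        host = host[2:]
    return host if host == root or host.endswith("." + root) else None

def merge_sources(results, root):
    """Merge per-source subdomain lists into {host: [sources]} with duplicates removed."""
    merged = {}
    for source, names in results.items():
        for raw in names:
            host = canonical(raw, root)
            if host is not None:
                merged.setdefault(host, set()).add(source)
    return {h: sorted(s) for h, s in sorted(merged.items())}

def dangling_cnames(hosts, cname_of, resolvable):
    """Return hosts whose CNAME target no longer resolves. An alias left pointing at
    a released third-party name is the condition a takeover check looks for.
    `cname_of` maps host -> CNAME target; `resolvable` is the set of names that
    still resolve (both constructed here instead of querying DNS)."""
    return sorted(h for h in hosts
                  if h in cname_of and cname_of[h] not in resolvable)

# Constructed results, as three sources might report them (not real data).
SOURCES = {
    "cert_log": ["www.example.com", "WWW.example.com.", "*.dev.example.com"],
    "brute_force": ["www.example.com", "old.example.com", "api.example.com"],
    "search_engine": ["mail.example.com", "example.com", "evil.example.org"],
}
CNAMES = {"www.example.com": "cdn.example.net",
          "old.example.com": "old-shop.hosting.example.net"}
RESOLVABLE = {"cdn.example.net"}

if __name__ == "__main__":
    hosts = merge_sources(SOURCES, "example.com")
    raw_count = sum(len(v) for v in SOURCES.values())
    print(len(hosts), "unique hosts from", raw_count, "raw entries")   # 6 from 9
    print("dangling:", dangling_cnames(hosts, CNAMES, RESOLVABLE))   # ['old.example.com']
```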
Being a Chinese tool, though, the original docs are in Chinese, and many of the discussions on GitHub are in Chinese. This may be something to consider when using OneForAll — as well as whether you want to use a tool from China. Still, it has a lot to offer, and there are enough English-speaking users who can help out as well.
Though not the most used tool in this list, nogotofail is an interesting tool if you’d like to check for TLS/SSL vulnerabilities on any device connected to the Internet. Nogotofail was created by Google back in 2014 to check network traffic. It is useful for checking traffic to any device and is often used for Android devices.
Penetration testing tools can make your apps bulletproof
Each of these penetration testing tools on their own is very powerful, but when used in combination, they’re incredibly effective at building a bulletproof online presence for your applications. Many of them are included in Kali Linux, which is a testament to their effectiveness as penetration testing tools.
The best part is that these tools are open source and free to use, each having a huge community for support. They will not lock you into any one security vendor, and they will constantly be updated to keep up with attackers. Include them in your cybersecurity toolkit today and get a hacker’s view of your applications.