Free pentesting tools are staples in an ethical hacker’s toolkit. Here we showcase the best and most popular open-source ones on the internet. We have also found some useful pentesting tutorials to get you started, and some challenging online exercises to practice your ethical hacking skills.
- 1 What is pentesting?
- 2 Why do you need it?
- 3 Pros of pentesting
- 4 Cons of pentesting
- 5 The pentesting cycle
- 6 Why choose free pentesting tools?
- 7 What to look for in free pentesting tools
- 8 13 free pentesting tools
- 9 Free pentesting learning resources
- 10 The lighter side of pentesting
- 11 Where to next?
What is pentesting?
Pentesting – short for penetration testing – is an authorized simulated cyberattack against a computer system to check for exploitable vulnerabilities. The process, undertaken by ethical hackers, tries to mimic a potential unauthorized attack to see how a system handles it, and uncover any flaws and weaknesses.
Attacking oneself to locate weaknesses in one’s own defenses is a strategy that is thousands of years old. Sun Tzu (c. 6th century BCE), Chinese general, military strategist, and author of The Art of War, said: “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
The oft-quoted general’s contribution to attack-defense strategies has come under some fire in the 21st century. In an article titled “InfoSec, Sun Tsu and the Art of Whore“, authors Steve Tornio and Brian Martin complain, “Lately, you can’t swing a dead cat without hitting someone in InfoSecurity who is writing a blog post, participating in a panel or otherwise yammering on about what we can learn from Sun Tzu about Information Security.”
Penetration testers, the writers argue, conduct their “battles” within a limited scope, under supervision and governed by laws. “A pen test is absolutely NOT knowing your enemy. Turning your own people, or agents you employ, against your own networks to test their security tells you nothing about your attacker.”
Be that as it may, modern cybersecurity strategists and pentesters continue Sun Tsu’s tradition of self-analysis, less to understand their attackers and more to identify actual hardware and software security vulnerabilities in their systems. Today, white hat hackers use the latest technologies – including free pentesting tools – on a virtual battlefield, the internet, and one of these technologies is pentesting: simulated, planned battles on different system levels, from social engineering to API vulnerabilities.
Why do you need it?
By attempting to breach your own defenses, DIY pentesting can help you to fine-tune your existing security.
A pentest doesn’t only test vulnerabilities, it can identify the strengths in your system too, which can help you create a risk assessment for auditing purposes. For instance, the Payment Card Industry Data Security Standard (PCI DSS) requires that any organization that handles credit cards perform an annual penetration test as well as whenever the system changes. Performing DIY pentesting can help you to cost-effectively identify and correct system flaws before the auditors demand expensive changes or shut you down.
And, of course, pentesting can help you to prevent costly cyberattacks. Research conducted by the National Cyber Security Alliance found that 60 percent of small businesses fail within six months of a cybercrime attack. Regular DIY pentesting is significantly cheaper and, according to many ethical hackers, rather fun.
Pros of pentesting
- As a proactive strategy, it allows organizations to find potential weaknesses before cybercriminals do. It may expose risks and vulnerabilities that can be further explored and classified, i.e. in terms of real risk. For instance, sometimes a vulnerability that is pegged as high risk could be re-rated medium or low risk because of the actual difficulty of exploitation.
- Operates in real-time and enables automated testing using specialized software (including free pentesting tools)
- Can be used as a training tool for security teams
- Enables security compliance, e.g. the ISO 27001 standard requires system owners to conduct regular penetration tests and security reviews by skilled testers
- Can be used to support forensic investigations of data breaches by simulating possible ways hackers might have infiltrated a system
Cons of pentesting
- Can be disruptive to a business because it simulates a real world attack
- May give a false sense of security. It has been argued that if you do not know your enemy, you cannot really think like him. In addition, real attackers are not bound by company rules or specific instructions from up on high. And, if in-house security staff know about a test, they may prepare for it.
- Pentesting can be labor-intensive so you need to pencil in some extended time for your in-house white hat hacker to get up to speed
- Pentesting can potentially go spectacularly wrong. Consider the implication of pentesting medical or safety equipment and succeeding merely in damaging the software or hardware.
- There are legal issues associated with pentesting. There is a range of US laws that consider pentesting hacking whether or not both parties (pentester and target system) agree to the process; after all, it is an attempt to get “illegal” access to an application or system. However, it is generally agreed that as long as you have a signed consent form (a “get out of jail card”) with the owner of the system to be tested, you should be safe. But, it’s not guaranteed. If the owner of the hacked system (or your boss) decides they are not happy, for any reason, after a test, you could end up in hot water. The story goes that a pentester was sued after he conducted a test for child porn on an organization’s network. When porn was found on one computer, the employee denied it and the pentester was apparently arrested. He was cleared after spending thousands of dollars in legal bills to defend himself.The warningholds true even if you are pentesting your own system. If you find something you do not like on a staff device, you had better be prepared to justify your intrusion.
You can find a list (it is a work in progress) of hacking-related laws by state here.
The pentesting cycle
There are five basic stages in a pentest cycle:
- Information gathering (reconnaissance) – In this stage, like any military commander, your evil twin will want to gather as much information about your “enemy” (in this case, yourself, but let’s not split hairs) as possible. In this stage, you will want to scan all network ports and map its architecture. You may also want to gather information about system users if you plan to do any social engineering attacks. Currently, you are simply a cold spy; alert, detached, and invisible. A commonly used tool is Nmap.
- Scanning – The enemy is in your sights; you now need a more detailed map of what the target system looks like. This stage uses the information gathered in stage one to look for vulnerabilities like outdated software, weak passwords, and XSS errors. A commonly used tool is w3af, able to detect more than 200 vulnerabilities including the OWASP top ten.
- Exploitation – Having ascertained the weaknesses in the target, now is the time to take control and launch a few daring exploits. At this stage, you’re really still just exploring the true nature of your enemy’s defenses. You want to see how they react to an attack. You know that if you play your cards right, you’ll gain more than a few database records. An exploitation framework like Metasploit contains a database of ready-made exploits but also allows you to create your own.
- Maintaining access – This stage is vital to assess the true vulnerability of the enemy. One of the goals is to mimic advanced persistent threats (APT), those that can lay dormant in a system for years before launching an attack. An example of an APT is when hackers spend years friending Facebook users and integrating with online communities in order to later trick their “friends” into installing malware. On its own, pentesting cannot readily identify APTs but in conjunction with simulated social engineering attacks, it can help to uncover vulnerabilities. In this stage, you want to get into the enemy’s castle and find a place to hide your backdoors and rootkits to allow easy future access, and to spy on your enemy. Kali Linux will help you to entrench your evil twin in the enemy camp.
- Assessment and cover up – Finally, you can analyze the results and create a risk assessment report for your organization. Dradis is a free tool that can help you manage the outcomes of multiple tests. Don’t forget to clean up after yourself, e.g. the files you uploaded manually, non-existent users you added, or configuration settings you changed.
Why choose free pentesting tools?
Employing a professional can be expensive, as can be commercial tools. Free pentesting tools allow you to familiarize yourself with this powerful software at little cost except your time. Think of it as free training for a new security employee. The most popular free pentesting tools are well supported on forums and community interest groups on the internet, and most have extensive knowledge bases.
What to look for in free pentesting tools
- In an ideal world, you would have an all-in-one framework so you can run multiple exploits from one console, simultaneously manage your test plan, and then run reports without having to change applications. However, there may be times when you wish to test the efficacy of alternate tools or simply need a high-end tool to do a particular job. Approach the problem as you would assembling any other set of tools: embrace multi-purpose tools but include some heavy-duty ones for specialized work. The pentesting frameworks and platforms in this collection are all you need to get started.
- Many free pentesting tools come with multiple ready-made modules and exploits. But, there will be times when you want to be able to customize these exploits or create your own. The good news is that most of the tools listed here allow you to make adjustments.
- Efficiency is the key to a good pentest; after all, even if you’re saving on third party costs, your time is valuable too. Some of the simplest free pentesting tools in this collection have been highly rated by reviewers, so don’t underestimate their value—there’s plenty of power beneath the hood of a tool like sqlmap. It may well be that you don’t need all the bells and whistles. If you did, chances are you’d have gone with a commercial product in the first place.
Many ethical hackers agree that you do not need a very complicated setup to perform DIY pentesting. One professional pentester, when asked what three tools were typically in their arsenal, said, “The honest answer is a web browser to do the recon and information gathering, a project management tool for scheduling, and a database to track target data in.” For internet-based testing, this white hat hacker uses a port scanner such as Massscan, Nmap or Unicornscan, a vulnerability scanner such as OpenVas or Tenable Nessus, and an exploitation kit such as Core Impact Pro or Metasploit.
Without further ado …
13 free pentesting tools
Most website security tools work best with other types of security tools. A good example is the area of penetration testing where administrators normally employ vulnerability scanners before utilizing a penetration testing tool for specific targets, e.g. network ports or applications. For instance, Wireshark is both a network analyzer and penetration testing tool.
An open source project maintained by Offensive Security and billed as the highest-rated and most popular Linux security distribution available. In a word, it is comprehensive but perhaps too much so. It is not the best choice for an absolute beginner. It comprises a suite of other popular security tools, including:
- Burp Suite – web applications pentesting
- Wireshark – network protocol analyzer
- Hydra – online brute-forcing of passwords
- Owasp-zap – finds vulnerabilities in web applications
- Nmap – a security scanner used for network scanning
- Sqlmap – for exploiting SQL injection vulnerabilities
A recently discovered wifi vulnerability had Kali Linux users a little jittery. The flaw, known as KRACK, affects WPA2, a security protocol used in most modern wifi devices. The vulnerability can be used to inject malware or ransomware into websites. Kali Linux has made it clear that an updated version of its software is not vulnerable to this attack and there is a script you can run to test your access points’ vulnerability to attack. The lesson: always keep all software up-to-date.
- Available in 32 bit, 64 bit, and ARM flavors
- 300+ pre-installed security and forensic tools
- Multi-language Linux documentation that includes scenarios and “recipes” so you can create custom complex ISO images
- Active community forums
- One of several Offensive Security projects – funded, developed and maintained as a free and open-source penetration testing platform
- Ability to create completely customized live-boot installations to store on a USB drive
- Provides a plethora of related pentesting tools, including metapackages for wireless, web applications, forensics, software defined radio, and more
Open source Tails has been touted as a Kali Linux alternative.
Self-billed as the most advanced and popular framework that can be used for pentesting, Metasploit is a top-rated tool for developing and executing exploit code against a remote target machine. There has been some criticism of the tool (and others), namely that it enables malicious hackers to create and reengineer exploits. One example cited was the 2005 Windows zero-day exploit that was available in Metasploit before any patch was publicly released by Microsoft.
- The Metasploit developer community is constantly at work creating new exploit modules but the great thing about the framework is that you can easily build your own. At the time of writing, Metaspolit had around 3000 exploits and multiple payloads for each. The underlying exploit for the WannaCry ransomware worm that caused some chaos in 2017 is also available in Metasploit.
- Metasploit is built into the Kali Linux suite of tools. Metasploit, like Kali Linux, is also part of the Offensive Security project network.
- The framework can record data in its own internal database, i.e. on your system
- Integrated with Nmap (see below)
One of the most popular alternatives to Metasploit is Nessus, a commercial product.
Scanning security kit comprising various services and tools. The scanner itself doesn’t work on Windows machines but there is a client for Windows. The scanner receives a feed, updated daily, of Network Vulnerability Tests (NVT). The German Federal Office for Information Security (BSI) supported various features of the OpenVAS software framework as well as various network vulnerability tests.
- Massive vulnerabilities database
- Concurrent scan tasks capability
- Scheduled scans
- False positive management
Claims to be, and certainly looks to be, the de facto standard for network protocol analyzing across many commercial and non-profit enterprises. The most frequently asked question about Wireshark is whether it is legal. Yes, it is. It only becomes illegal when you monitor a network that you don’t have authorization to monitor. Wireshark works by grabbing and examining data packets for every single request between host and server; however, while it can measure data, it cannot manipulate data. Wireshark is top of Insecure.org’s list of top-rated package sniffers. However, it has in the past had its own share of security vulnerabilities, so make sure you have the latest version.
- Supports wide range of protocols ranging from IP and DHCP to AppleTalk and BitTorrent
- With more than 500,000 downloads a month, Wireshark is probably the most popular choice in the industry for network troubleshooting
- Extensive documentation and training tutorials
- Underlying Wireshark software is the pcap (package capture) tool that comprises an application programming interface (API) for capturing network traffic
- Promiscuous Mode enables the capturing of packets across a network whether they are associated with the “correct” address in a network or not
For a simpler alternative, try tcpdump.
A Web Application Attack and Audit Framework and dubbed the web-focused version of Metasploit, this is a popular and easy-to-use pentesting tool. But it can be what detractors call “buggy”. On the official website, w3af recently admitted to noticing a few “nasty bugs”. Apparently these issues have been addressed in the latest version. The creator of w3af is Andres Riancho, former director of Rapid7, which in turn is a current supporter of Metasploit.
- Vulnerabilities are identified using plugins, which are short pieces of Python code that send HTTP requests to forms and query string parameters to identify errors and misconfigurations
- Easy to use for novice users with a simple output manager and a simple GUI
- Enables the discovery of web application vulnerabilities using black-box scanning techniques
- W3af is a recommended tool on the Kali Linux website
Zed Attack Proxy (see below) is a viable alternative.
Zed Attack Proxy (ZAP)
It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Can be used by inputting a URL to perform scanning, or you can use this tool as an intercepting proxy to manually perform tests on specific pages. It is supported by OWASP and an army of volunteers.
- Written in Java, it is platform independent so testers who do not want to work on Linux can comfortably use ZAP on Windows
- Sensitivity to false positives can be configured (low, medium or high)
- Tests can be saved and resumed at a later stage
An open source pentesting tool that automates the process of detecting and exploiting SQL injection flaws and the taking over of back-end database servers. One reviewer commented: “I normally use it for exploitation only because I prefer manual detection in order to avoid stressing the web server or being blocked by IPS/WAF devices.” In online forums this tool gets very enthusiastic reviews. You can read more about the careers of the two talented developers of this tool – Miroslav Stampar and Bernado Damele A.G. – on LinkedIn.
SQLNinja is an also-ran alternative.
- Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, HSQLDB and Informix database management systems.
- Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band.
A hacking variant of the Android Open Source Project (AOSP), an initiative launched to guide development of the Android mobile platform. It’s used as a base by anyone who wants to build or customize an Android ROM (essentially a custom version of the Android operating system). The AOPP enabled the development of Pwnix, the first Android ROM built from the ground up specifically for network hacking and pentesting. It’s a free, lightweight tool that assists hackers in pentesting on-the-go from Android front-ends. The software was built on DEBIAN and comprises a number of common pentesting tools including Netcat, Wireshark, Kismet, Cryptcat, and others. AOPP enables developers to create their own mobile penetration testing platforms: custom Pwn phones or tablets.
- Real-time bluetooth and wireless discovery
- Hosts the latest Kali Linux (Rolling Edition) environment
- Fine-grained permission control for all Android apps and services
The Samurai Web Testing Framework is a virtual machine, supported on VirtualBox and VMWare, that has been pre-configured to function as a web pentesting environment. The kit includes reconnaissance tools such as the Fierce domain scanner and Maltego. Mapping tools include WebScarab and ratproxy. W3af and Burp are the tools of choice for discovery. For exploitation, the final stage, BeEF and AJAXShell are included. Wrote one reviewer: “Very powerful, and free from the usual commercial nonsense associated with similar software.”
- The VM includes a pre-configured wiki, set up to be the central information store during your pentest
Designed to perform advanced attacks against the human element, it includes a number of custom attack vectors that allow you to make a believable attack quickly. Its main purpose is to automate and improve on many social engineering attacks happening every day. Tools can create a malicious website, send e-mails with a malicious file as payload, create and send SMSs, and generate a QRCode to a specific URL.
According to creator Dave Kennedy, “As simulated adversaries for companies, as pen testers, we always try to run the latest and greatest and sexiest software exploits out there. But now when I do a pen test, I don’t even run exploits anymore. The techniques that are built within the social engineering toolkit don’t leverage exploits. They utilize legitimate ways that Java works, legitimate ways that email works, to attack a victim.” Kennedy claims its software is downloaded one million times whenever a new version is released.
Once you’ve installed it, go to TrustedSec for help on using it.
- While the tool is easy to use, it’s command line only
- Aligned with The PenTesters Framework (PTF), which is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a familiar distribution for pentesting
- Github provides a number of tutorials for working with SET
Network Mapper has been around since the 90s. Not strictly for pentesting, it is a great network discovery and security auditing tool for ethical hackers to explore their targets. Nmap provides a comprehensive map of a target network. For each port scanned, you can see what OS is running, what services and the version of that service, what firewall is used, etc. These features are extensible by scripts that provide more advanced service detection. You can find a full list of Nmap scripts here and our guide to Nmap here.
- Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles.
- Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
- Both traditional command line and graphical (GUI) versions are available
- Well documented and supported. NMap recommends that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter.
- Nmap has won numerous awards, including “Information Security Product of the Year” by Linux Journal, Info World, and Codetalker Digest.
The Browser Exploitation Framework is a unique penetration testing tool that focuses on web browsers (as opposed to OSs or applications). It uses client-side attack vectors to assess the vulnerability of that one open door in the system, the browser, as opposed to the protected network perimeter and client system. What is does is “hook” one or more web browsers and uses them as beachheads for launching directed command modules and further attacks against the system from within the browser context. Once a victim’s browser has been hooked, a number of commands can be executed, e.g. Get Visited Domains, Get Visited URLs, Get All Cookies, Webcam, or Grab Google Contacts. The Webcam command displays the Adobe Flash “Allow Webcam?” dialog box to a user and after they affirm, the software will start sending you pictures of the user’s screen
- Built into Kali Linux
- Easy-to-use GUI
- Great knowledge base
- Extensive selection of modules from social engineering to tunneling, from network discovery to information gathering
- Allows you to include Metasploit modules directly in the BeEF command modules tree
- Straightforward explanations on how to create your own modules
An open source framework and reporting tool to enable effective sharing of information and collaboration among participants in a pen test. It provides a centralized repository of information to manage your pentesting project and keep track of where you are in the process.
- Platform independent
- Combine the output of different tools and generate reports
- Connects with 19+ different tools including Burp, Nessus, Nmap, Qualys; alternatively, create your own connector
- Community forum
Free pentesting learning resources
PicoCTF (High school level) – The world’s largest hacking competition with hacking challenges students can explore alone or in teams.
Veronis (Beginner) – A seven part guide to ethical hacking for absolute beginners, covering the art of pentesting from risk assessment to exploitation basics.
Tutorials Point (Beginner) – A quick start guide to core concepts, e.g. the difference between ethical hacking and penetration testing. You can download the tutorial as a PDF.
PenTest Guru (Intermediate) – This is a work in progress, starting with network fundamentals. The articles are very detailed, and presented well with images and illustrations. This learning site can help you to steadily grow your technical knowledge in regular bite-sized chunks.
Cybrary (Advanced) – Excellent resource featuring well-presented free videos. The Advanced Penetration Testing course, for instance, covers “how to attack from the web using cross-site scripting, SQL injection attacks, remote and local file inclusion and how to understand the defender of the network.” To give you an idea of what to expect, the modules include Linux, programming, Metasploit, information gathering, exploitation, traffic capture, passwords, and scanning. Tests and certifications must be paid for.
Web Goat (Intermediate) – A deliberately insecure J2EE web application maintained by OWASP designed to teach web application security lessons. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat application. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The developers call WebGoat a teaching and hacking platform.
Open Web Application Security Project (OWASP) – An open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Keep a copy of their Web Application Testing Guide at your side. It includes a section on penetration testing.
The lighter side of pentesting
Pentesters are members of a group usually referred to as white hat hackers. To the man on the street, there is something rather mad, bad, and dangerous about them, but also something distinctly attractive. Hollywood’s penchant for portraying hacking as a rather glamorous occupation has not helped, e.g. Algorithm, War Games, Black Hat, The Matrix, and Hacker. Takedown is a must-see, based as it is on the story of the capture of computer hacker Kevin Mitnick.
Where to next?
The ultimate source of free pentesting tools and resources has to be GitHub. However, the wealth of available information can be a bit daunting for beginners. Instead, first try some fun online penetration testing labs and challenges where you can practice your pentesting skills:
- Aman Hardikar (there are a couple of dead links here but some good ones too)
- Check Marx
- Hack this Site
- Hack the Box
You can read more about other free security tools for your ethical hacking toolbox here.
Happy (ethical) hacking with our free pentesting tools!
“Ethical hacking” by Snnysrma licensed under CC BY 2.0