In A History of Western Philosophy, Bertrand Russell said: “Facts have to be discovered by observation, not by reasoning.” His argument is that establishing something as a fact can only be done empirically. Direct observation is the most expedient way to figure out what is going on.
The same is true in the cybersecurity realm. If you want to understand the degree to which your networks, applications, hosts and employees are protected, the best way is empirical testing. This involves conducting a penetration test designed to simulate an attacker’s tools, techniques and procedures.
While many organizations outsource pen testing, it can be valuable for practitioners to understand the testing tools used throughout the process. This lets you negotiate more effectively with testing providers when you understand how the sausage is made. Even though you might not be an expert, testing things yourself can help you knock low-hanging fruit off your list.
A few quick caveats: All the open source security testing tools listed can be used both lawfully and unlawfully. Make sure that you stay on the right side of the law. If you’re not sure whether a given usage is legal or not, talk to a lawyer. If you’re still not sure after that, don’t do it. Also, when using applications or systems in unexpected ways, sometimes, downtime can occur. Have a plan in case something important goes offline. Lastly, testing well requires a lot of training and practice. Don’t expect internal efforts to have the same results as a specialist.
That said, let’s look at 10 security testing tools routinely used by testers. Since it isn’t possible to cover the thousands of tools out there, the focus here is on tools that do the following:
- are open source and, therefore, accessible to everyone;
- are well known, so there’s plenty of support resources; and
- span a wide variety of niches and types of tests.
1. Kali, Parrot and BlackArch
Kali is a full Linux distribution composed of hundreds of tools. Other pen testing distributions worth considering are Parrot and BlackArch. Kali, due to its popularity, has the advantage of ubiquity and a large user base. As such, there are numerous instructional videos, usage…