Penetration testing tools have to evolve as newer threats are identified. It’s essential that penetration test tools be intelligent enough to understand and replicate sophisticated attack scenarios.
1. Metasploit (www.metasploit.com ; Open source)
Powered by PERL, Metasploit is the first choice in from among the available penetration testing tools. It provides many ready-to-use exploits, and allows the security tester to customize them or to create exploits.
When you use the Metasploit console as a penetration test tool, it builds Web-based support and a Java GUI. Metasploit supports hundreds of exploits and common payloads such as reverse shell to establish proof of concept. For almost all the zero day vulnerabilities, researchers and security professionals contribute Metasploit proof of concepts (which can be replicated in any environment with similar vulnerabilities). It has a built-in sniffer, DNS server and access point to mount and facilitate attacks.
Metasploit takes the following structured approach while mounting an attack:
i) Pick which exploit to use.
ii) Configure the exploit with remote IP address and remote port number.
iii) Pick a payload.
iv) Configure the payload with local IP address and local port number.
v) Execute the exploit.
Metasploit supports a built-in shell ‘Meterpreter’ for post-exploitation information. This makes it easier for the pen-tester to collect sensitive information like password hash dumps and remote key loggers to showcase the vulnerability’s severity.
2. Wireshark (www.wireshark.org; Freeware)
The next is Wireshark, a network protocol and packet analyzer that is important when it comes to penetration test tools. Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI and others. Decryption support for many protocols including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP and WPA/WPA2 is available for real-time analysis or replay capture with attack vector to replicate an attack scenario. Packet analysis is helpful in understanding unencrypted data and obtaining credentials sent over a network.
Penetration test tools like Wireshark come in handy for understanding and exploiting the data organization posted by forms or services to applications. Application vulnerabilities such as parameter pollution, SQL injection, lack of input validation, as well as buffer overflow can be easily detected and exploited using Wireshark. The success of these attacks may complement more sophisticated attacks to database or internal systems.
3. W3AF — Web Application Attack and Audit Framework (www.w3af.sourceforge.net ; Open source)
This is the latest (and by far one of the best) penetration test tools for application testing from the developers of Metasploit. W3AF is an easy to use (as well as extend) framework to find and exploit Web application vulnerabilities. This penetration testing tool’s features include proxy, user-agent faking, adding custom headers to requests, cookie handling, local DNS cache and fuzzer. Framework parameters can be saved to a file using the session manager which can be used to replicate attack scenarios.
W3AF has nice, user-friendly interface where the scan results are interpreted in both text and graphical formats. This penetration testing tool’s default configuration includes ready-to-run profiles for OWASP top attacks and full scans. It has a built-in exploit manager to mount attack vectors and demonstrate exploit.
4. Nipper (http://www.titania.co.uk ; community edition)
Pen-testers may have to invest significant amounts of time to understand device configuration, find a possible vulnerability, and perform an associated exploit to confirm that vulnerability. Nipper penetration test tools enable testers to perform automated comprehensive security audits of network switches, routers and firewalls without any specialist knowledge.
Nipper is easy to use. It provides detailed information about identified security issues and exploitable information. This penetration test tool also provides helpful advice on how to resolve weaknesses. It supports a wide range of devices from a variety of manufacturers including Cisco, Juniper, 3Com, McAfee, Nokia, HP and Checkpoint.
5. Nexpose (http://www.rapid7.com/products/nexpose-community-edition.jsp ; community edition)
This penetration testing tool leverages one of the largest databases to identify extremely dangerous vulnerabilities. Identifying vulnerabilities across networks, operating systems, databases, Web applications and a wide range of system platforms through an integrated, intelligent scan engine, the Nexpose penetration test tool prioritizes vulnerabilities using exploit risk scoring as well as asset criticality ratings.
About the Author: Tarun Gupta is the lead for information security at Sistema Shyam Teleservices - MTS India.
(As told to Anuradha Ramamirtham.)
This was first published in August 2010