Top penetration testing tools for 2023
Penetration testing is a manual process, but that doesn’t mean that many tasks can’t be automated with the right tools. In this article, we’ll look at how to use automated pentesting tools to provide continuous protection in between periodic, manual tests.
What is a penetration test?
A penetration test is a simulated attack against your network or systems by a security pro – sometimes known as an ethical hacker – to uncover vulnerabilities in your infrastructure. Their goal is to find out where and how a real hacker might enter and exploit your network, so you can fix any weaknesses before a real attack occurs.
Think of it like a bank hiring someone to try to break into their building and access the vault. If the ‘burglar’ succeeds, the bank can see how and where they need to tighten their security controls to prevent a real breach. Insights provided by the test can then be used to tune up their security policies and patch detected vulnerabilities.
Manual vs. automated testing
Not all vulnerabilities are created equal: some can be detected automatically, while others need the discerning eye (and mind) of a human to spot. For that reason, penetration tests involve a range of activities, some of which are manual and some of which can be automated.
While pen-testers use a huge variety of tools to speed up their work, one type of tool in particular is designed to automate the discovery of every vulnerability that a machine can find easily: the “vulnerability scanner”. Often, when people go searching for an “automated penetration testing tool”, what they are really looking for is a vulnerability scanner that is easy to use and can help them cover the important gap between annual pen-tests.
A simple example of the difference: a vulnerability scanner can easily spot that the version of web server you are running has known security weaknesses, simply by reading the version number from its banner and comparing it against lists of known vulnerabilities. A pen-tester, on the other hand, is more likely to find a complex logic flaw, such as an online shopping cart that lets you add items and check out without paying. Version matching also has limits of its own: a distribution that backports a fix without changing the version string will look vulnerable when it is not, and a server that hides its version gives the scanner nothing to compare against, which is why a version match is a lead to be confirmed rather than a proven finding.
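To make the version-matching idea concrete, here is an added example (not code from the original article or from any scanner vendor) of the check a scanner performs: it parses a Server-style banner, compares the version numerically rather than as a string against a table of affected ranges, and downgrades a match to “unconfirmed” when the banner shows a distribution build, because distributions often backport fixes without changing the upstream version number. The advisories in ADVISORIES and the banners in the usage section are constructed for illustration; they are not real CVEs or real hosts.

```python
import re
from dataclasses import dataclass

# "Apache/2.4.49 (Unix)" -> product "Apache", version "2.4.49", rest " (Unix)"
BANNER_RE = re.compile(r"^(?P<product>[A-Za-z][\w.-]*)/(?P<version>\d+(?:\.\d+)*)")

# Distribution markers that usually mean backported fixes with an unchanged version string.
DISTRO_RE = re.compile(r"\((?:centos|red hat|debian|ubuntu|suse)", re.IGNORECASE)


def parse_version(text):
    """Turn '2.4.10' into (2, 4, 10) so '2.4.10' sorts after '2.4.9' (as a string it would not)."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str
    product: str
    introduced: tuple  # first affected version, inclusive
    fixed: tuple       # first fixed version, exclusive


# Constructed advisories for illustration only; these are NOT real CVEs.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "apache", (2, 4, 0), (2, 4, 51)),
    Advisory("EXAMPLE-ADV-2", "nginx", (1, 0, 0), (1, 20, 1)),
]


def parse_banner(banner):
    """Return (product, version_tuple, remainder) or None when the banner carries no version."""
    match = BANNER_RE.match(banner.strip())
    if match is None:
        return None
    product = match.group("product").lower()
    version = parse_version(match.group("version"))
    remainder = banner.strip()[match.end():]
    return product, version, remainder


def check_banner(banner, advisories=ADVISORIES):
    """List (advisory id, confidence) pairs for a banner.

    confidence is "likely" for a plain upstream build and "unconfirmed" when the
    banner names a distribution, since the fix may have been backported.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return []  # no version advertised: nothing to compare, not proof of safety
    product, version, remainder = parsed
    backported = DISTRO_RE.search(remainder) is not None
    findings = []
    for adv in advisories:
        if adv.product == product and adv.introduced <= version < adv.fixed:
            findings.append((adv.ident, "unconfirmed" if backported else "likely"))
    return findings


if __name__ == "__main__":
    # Constructed banners, not captured from real hosts.
    for sample in ["Apache/2.4.49 (Unix)", "Apache/2.4.51", "Apache/2.4.6 (CentOS)",
                   "nginx/1.18.0", "Server: cloudflare"]:
        print(f"{sample!r:30} -> {check_banner(sample)}")
```

The numeric comparison matters more than it looks: "2.4.10" < "2.4.9" is true for Python strings, so a scanner that compares version strings directly would report a patched build as vulnerable.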
If you’d like a deeper understanding, have a read of this blog post on the differences between vulnerability scanning and penetration testing.
Which pentesting tools do I need?
This depends on what you want to achieve. Typically, we see two scenarios when people are looking for a penetration testing tool: they’re either businesses looking to automate their security efforts and get continuous protection, or pentesting professionals looking for specific tools to get their work done faster. Because the professional tools require more expertise, in this article we’ll focus first on what you can automate with little or no previous security knowledge.
If you’re looking for automated tools
Most companies are unlikely to have the time or expertise to use professional penetration testing tools, as only the largest companies have penetration testers in-house. But many tasks, like detecting known software flaws, misconfigurations, missing security patches or unintended exposure to the internet, can easily be automated.
These tools are sometimes called automated pentesting tools or online penetration testing tools – but are more often known as vulnerability scanners. They’re designed to be easy to use and provide year-round protection in between manual penetration tests.
For more in-depth info about automated penetration testing, read our explainer on the subject. Here are our top tips and recommendations for automated pentesting tools:
Intruder continuously monitors your evolving attack surface with proactive vulnerability scans so you can respond faster to new threats. It’s designed with simplicity in mind, but runs over 140,000 security checks across your internal and external perimeter infrastructure, including API and application-layer vulnerability checks for OWASP Top 10, XSS, SQL injection, CWE/SANS Top 25, remote code execution, OS command injection, and more. Its CloudBot also runs hourly checks for new IP addresses or hostnames in connected AWS, Google Cloud or Azure accounts.
Price: Free 14-day trial, price on website
Acunetix claims to offer the highest XSS and SQL injection detection rates, giving it the reach to protect sensitive data. It uses a blend of dynamic application security testing (DAST) and interactive application security testing (IAST) to detect over 7,000 vulnerabilities, including in hard-to-scan places like password-protected areas and multi-level forms. High levels of automation make prioritising high-risk areas easier.
Price: custom quote on application
Known for its broad scanning capabilities and flexibility, Qualys can scan multiple systems from a single console, including cloud environments and your internal network. You can create custom reports that segment and prioritise analytical data, and schedule them for more responsive vulnerability management. It can suffer from poor support and a lack of integrations.
Price: free trial available, price on application
If you’re an IT professional looking for pentesting tools
When it comes to professional penetration testing, a human tester will use specialist software like network sniffers or password crackers. There are many to consider, but here are our top picks for IT professionals taking their first steps into manual pentesting:
Kali Linux is an operating system built specifically for penetration testers. It comes bundled with approximately 600 tools for reconnaissance, discovery and exploitation of vulnerabilities, post-exploitation, forensics and more. Having these tools pre-installed and automatically maintained means testers can spend more time focussed on their engagements.
Nmap, initially released 25 years ago, is the tried and tested tool for reconnaissance and network scanning. Nmap's probes let testers discover hosts and the services they run within a network. Once those are identified, Nmap's scripting engine and version detection give testers the ability to map out a network's attack surface, which then directs exploitation efforts.
Metasploit is a platform of security tools and modules for conducting offensive operations. The framework allows testers to carry out vulnerability scans, search for and launch exploits, and manage compromised systems, including a wide array of post-exploitation helpers.
Sqlmap is a tool for automatically detecting and exploiting SQL injection vulnerabilities in web applications. It automates away the nitty-gritty complexities and lets testers focus on getting impactful results through the extraction, querying and modification of data in the compromised databases.
Burp Suite is an attack proxy and vulnerability scanner used to carry out web application security assessments. Burp allows testers to map out applications, carry out brute-force attacks and identify weaknesses by intercepting and replaying web traffic. Augmenting this is a wide library of free and paid-for extensions, used passively or actively, which help the tester discover vulnerabilities.
Try Intruder to automate your penetration testing
Some of these tools are virtual Swiss Army knives that run a range of different types of tests, while others are more specialized. Most testers will have several in their armoury, but a vulnerability scanner like Intruder is an ideal place to start. One customer describes it as "convenient but thorough penetration and vulnerability testing wrapped in an affordable package!” Why not try our scanner free for 14 days and put it through its paces? Or get in touch for more information.
- Raw CVE Coverage
- Risk Rating Coverage
- Remote Check Types
- Check Publication Lead Time
- Local/Authenticated vs Remote Check Prioritisation
- Software Vendor & Package Coverage
- Headline Vulnerabilities of 2021 Coverage
- Analysis Decisions
- Red teamers, security researchers, detection engineers and threat actors have to actively research the type of vulnerability and its location in the vulnerable software, and build an associated exploit. Tenable release checks for 47.43% of the CVEs they cover in this window, and Greenbone release 32.96%.
- Red teamers, security researchers, detection engineers and threat actors now have access to some of the information they previously had to hunt down themselves, speeding up potential exploit creation. Tenable release checks for 17.12% of the CVEs they cover in this window, and Greenbone release 17.69%.
- The likelihood that exploitation in the wild is happening is steadily increasing. Tenable release checks for 10.9% of the CVEs they cover in this window, and Greenbone release 20.69%.
- We’re starting to lose some of the benefit of rapid, automated vulnerability detection. Tenable release checks for 9.58% of the CVEs they cover in this window, and Greenbone release 12.43%.
- Any detection released a month after the details are publicly available is decreasing in value for me. Tenable release checks for 14.97% of the CVEs they cover over a month after the CVE details have been published, and Greenbone release 16.23%.
With this information in mind, I wanted to check what the delay is for both Tenable and Greenbone to release a detection for their scanners. The following section focuses on vulnerabilities which:
- Have CVSSv2 rating of 10
- Are exploitable over the network
- Require no user interaction
These are the ones where an attacker can point their exploit code at your vulnerable system and gain unauthorised access.
We’ve seen previously that Tenable have remote checks for 643 critical vulnerabilities, and OpenVAS have remote checks for 450 critical vulnerabilities. Tenable release remote checks for critical vulnerabilities within 1 month of the details being made public 58.4% of the time, but Greenbone release their checks within 1 month 76.8% of the time. So, even though OpenVAS has fewer checks for those critical vulnerabilities, you are more likely to get them within 1 month of the details being made public. Let’s break that down further.
In Figure 10 we can see the absolute number of remote checks released on a given day after a CVE for a critical vulnerability has been published. What you can immediately see is that both Tenable and OpenVAS release the majority of their checks either before or on the day the CVE details are made public: Tenable have released checks for 247 critical CVEs before publication and OpenVAS for 144, and since 2010 Tenable have released remote checks for a further 147 critical CVEs and OpenVAS for 79 on the same day the vulnerability details were published. The number of vulnerabilities then drops off across the first week and drops further after 1 week, as we would hope for in an efficient time-to-release scenario.
While raw numbers are useful, Tenable have a larger number of checks available, so it could be unfair to go on raw numbers alone. It is potentially more important to understand the likelihood that OpenVAS or Tenable will release a check for a vulnerability on any given day after a CVE for a critical vulnerability is published. In Figure 11 we can see that Tenable release 61% of their checks on or before the date that a CVE is published (247 + 147 = 394 of their 643 critical checks), and OpenVAS release a shade under 50% of theirs on or before that day (144 + 79 = 223 of 450).
So, since 2010 Tenable has more frequently released their checks before or on the same day as the CVE details have been published for critical vulnerabilities. While Tenable is leading at this point, Greenbone’s community feed still gets a considerable percentage of their checks out on or before day 0.
I thought I’d go another step further and see if I could identify any trend in each organisation’s release delay: are they getting better year on year, or are their releases getting later? In Figure 12 I’ve taken the mean delay for critical vulnerabilities per year and plotted it. The mean is a metric particularly influenced by outliers in a data set, so I expected some wackiness and limited it to checks released between 180 days before and 31 days after a CVE being published. These seem like reasonable limits: anything more than 6 months before the CVE details are released is potentially a quirk of the check details, and anything after a 1-month delay is less important for us.
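As an added example (not the article’s own code or data), the release-delay measurements used above can be reproduced in a few lines: the delay is the number of days between a CVE’s publication date and the date the scanner check shipped (negative when the check came first), checks are bucketed into time windows, the share released on or before day 0 is computed, and the per-year mean is restricted to delays between 180 days before and 31 days after publication, as the text describes. The five window boundaries and the grouping by CVE publication year are this example’s own choices, and SAMPLE is a constructed data set, not Tenable or Greenbone data.

```python
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed sample records (label, CVE published, scanner check released); not real vendor data.
SAMPLE = [
    ("sample-1", date(2019, 3, 1), date(2019, 2, 20)),    # check 9 days before publication
    ("sample-2", date(2019, 5, 10), date(2019, 5, 10)),   # same day as publication
    ("sample-3", date(2019, 8, 1), date(2019, 8, 6)),     # 5 days after
    ("sample-4", date(2019, 11, 15), date(2020, 1, 30)),  # 76 days after: over a month
    ("sample-5", date(2020, 2, 1), date(2019, 2, 1)),     # a year early: likely a data quirk
    ("sample-6", date(2020, 6, 1), date(2020, 6, 2)),     # 1 day after
    ("sample-7", date(2020, 9, 9), date(2020, 10, 1)),    # 22 days after
]


def delay_days(published, released):
    """Days from CVE publication to check release; negative means the check shipped first."""
    return (released - published).days


def window(delay):
    """Bucket a delay into one of five windows (this example's own boundaries)."""
    if delay < 0:
        return "before publication"
    if delay == 0:
        return "day 0"
    if delay <= 7:
        return "1-7 days"
    if delay <= 31:
        return "8-31 days"
    return "over a month"


def window_shares(records):
    """Percentage of checks falling in each window, rounded to two decimals."""
    counts = defaultdict(int)
    for _, published, released in records:
        counts[window(delay_days(published, released))] += 1
    total = len(records)
    return {name: round(100 * n / total, 2) for name, n in counts.items()}


def share_on_or_before_day0(records):
    """Percentage of checks released on or before the CVE publication date."""
    hits = sum(1 for _, p, r in records if delay_days(p, r) <= 0)
    return round(100 * hits / len(records), 2)


def mean_delay_by_year(records, lower=-180, upper=31):
    """Mean delay per CVE publication year, keeping only lower <= delay <= upper.

    The filter is what tames outliers such as a check dated a year before its CVE.
    """
    by_year = defaultdict(list)
    for _, published, released in records:
        d = delay_days(published, released)
        if lower <= d <= upper:
            by_year[published.year].append(d)
    return {year: mean(delays) for year, delays in sorted(by_year.items())}


if __name__ == "__main__":
    print("window shares:", window_shares(SAMPLE))
    print("on or before day 0:", share_on_or_before_day0(SAMPLE), "%")
    print("mean delay by year:", mean_delay_by_year(SAMPLE))
```

Running it on the constructed sample puts sample-5 outside the mean's filter and sample-4 outside the 31-day bound, which is exactly the effect the text wants: one mis-dated check no longer drags a whole year's average by months.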
What can we take away from Figure 12?
- We can see that between 2011 and 2014 Greenbone’s release delay was better than that of Tenable, by between 5 and 10 days.
- In 2015 things reverse and for 3 years Tenable is considerably ahead of Greenbone by a matter of weeks.
- But, then in 2019 things get much closer and Greenbone seem to be releasing on average about a day earlier than Tenable.
- For both the trendline over an 11-year period is very close, with Tenable marginally beating Greenbone.
- We do not yet have any 2021 data for OpenVAS checks for critical show-stopper CVEs.
With the larger number of checks, and a greater percentage of their remote checks for critical vulnerabilities released early, Tenable could win this category. However, with the 2019 and 2020 delay times going to OpenVAS and the trend lines being so close, I am going to declare this one a tie.
The takeaway from this is that both vendors are getting their checks out the majority of the time either before the CVE details are published or on the day the details are published. This is overwhelmingly positive for both scanning solutions. Over time both also appear to be releasing remote checks for critical vulnerabilities more quickly.