This tip is part of the SearchSecurityChannel.com mini learning guide, Penetration testing tutorial: Guidance for effective pen tests.
During the last 5-10 years, security penetration testing has become a core component of a successful vulnerability management program. Drivers for penetration testing (the process of intentionally trying to find and exploit security weaknesses in IT systems) range from compliance to general validation of system and application vulnerabilities, and can include physical facility testing, social engineering, wireless testing and “war dialing” for rogue and poorly configured modems.
Many security solution providers perform a wide variety of penetration tests for their customers. This tip will review the pen testing tools available to solution providers, ranging from sophisticated vulnerability scanners and application-scanning and code-analysis tools, to all-in-one penetration suites and products for specific tasks such as password cracking.
The first major category of tools includes network-based vulnerability scanners, all of which assess systems for missing patches, the software and processes running on them, and any known vulnerabilities that match a list of signatures.
- Nessus from Tenable Network Security is a well-known and inexpensive vulnerability scanner that can be run from local systems, as a physical or virtual appliance, or from Tenable’s cloud-based service. Nessus has a long history of reliable signatures and scanning flexibility.
- Vulnerability Manager from McAfee Inc. scans hundreds or thousands of nodes, and presents a single view of the results along with a risk score.
- Retina tools from eEye Digital Security include vulnerability scanners that perform a wide variety of scans and can produce numerous compliance-focused reports.
- NeXpose from Rapid7 is a relatively new scanner that boasts a huge database of vulnerability signatures and comes in both enterprise (for internal scans) and consultant models.
Web application scanners
A number of robust pen testing tools are now available for performing Web application penetration tests. Some are application-focused scanning tools that detect known flaws in code, while others can perform more rigorous code analysis and actual penetration attempts.
- Hailstorm from Cenzic Inc. is a Web application scanner that comes in enterprise and single-user models, offering detailed risk reporting and prioritized vulnerability results.
- WebInspect from Hewlett-Packard Co. can perform detailed analysis of client-side scripts and application source code, as well as performing highly automated application attack scenarios, including SQL injection, cross-site scripting (XSS) and many others.
- AppScan from IBM is another application scanning toolkit with numerous specific editions available, ranging from source code analysis to development and QA integration, as well as the more common single-user and enterprise application vulnerability scanning and penetration testing options. AppScan can also detect embedded malware within Web applications.
Several integrated suites are available that offer scanning, vulnerability assessment and penetration testing capabilities for both Web applications and network systems and services.
- IMPACT Pro from Core Security Technologies can be used to scan, penetrate and retain access, all within a single console.
- SAINT products from Saint Corp. include scanning tools and full-blown penetration testing suites that can largely automate many penetration testing tasks. Saint has full support for IPv6 exploits and many Web application exploits, as well.
- Rapid7 has integrated the open source Metasploit project into its product line, and now offers Metasploit Pro and Express versions with testing workflows, graphic interface capabilities and detailed reports.
Single purpose tools
Quite a few focused single-purpose tools are available for penetration testing, too.
- Scuba from Imperva Inc. is a free scanner for database security testing.
- NGS SQuirreL from NGS Secure can automate vulnerability assessments and aid in focused penetration testing efforts with in-depth, database-specific reporting.
- L0phtCrack from L0pht Holdings is a commercial password cracking utility that has recently been re-released and can be used by penetration testers and auditors for assessing password strength.
- PhoneSweep from Niksun Inc. is a commercial telephone and modem scanner that can automate vulnerability scans for telephony components, performing password guessing and cracking attempts and other dial-in compromise attempts.
As penetration testing becomes more commonplace, the range and capabilities of commercial tools will only continue to grow. Most tools now readily support compliance reporting, as this is a primary driver for many organizations’ penetration testing efforts. In addition, internal security teams are looking for tools that can help them perform more automated penetration testing activities year-round, allowing them to identify and remediate vulnerabilities as quickly as possible.
About the author
Dave Shackleford is the founder and principal consultant with Voodoo Security, as well as a SANS analyst, instructor, and course author and GIAC technical director. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.