A pentest, short for penetration test, is a software attack that looks for security weaknesses in a system. Penetration tests are a component of a full security audit. For example, the Payment Card Industry Data Security Standard requires penetration testing on a regular schedule and after system changes.
In this article, we will talk about five open source pentest tools, but remember that using them against systems you do not own could lead to legal trouble. Keep it in mind!
OWASP ZAP can help a system administrator find malicious code embedded in a Web application. This software lets an admin choose between automated and manual scanning. When starting a session for the first time, the admin is asked whether the session should be persisted.
Maybe you already know Nmap, a security scanner used to discover hosts and services on a computer network. Commands given to this program are processed sequentially. This makes it more difficult for the administrator to track which commands were erroneously entered in previous steps. Zenmap tries to solve this problem by providing a GUI and an interface for saving profiles and creating sets of Nmap commands.
Scapy is a tool that lets you interactively decode and inject packets and get answers. The Scapy module can also be imported into a Python program. There are also optional packages for plotting, 3D graphics, WEP encryption and Web application fingerprinting.
BeEF (Browser Exploitation Framework) is a GUI-based open source tool that examines how someone could use the Web browser to exploit vulnerabilities. It can hook one or more Web browsers and use them as beachheads for launching further attacks against the system.
sqlmap is a CLI tool designed to automate the process of detecting and exploiting SQL injection flaws and taking over database servers. It has full support for the MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB database management systems.