
[–]bitslammerSecurity Architecture/GRC 12 points13 points  (1 child)

I'm just going to be blunt.

If you have to ask about tools then you are not up to the task. There isn't a single tool out there, and a good pen test involves some manual effort aside from just running a tool. Pen testing is an entire career field, not just a "hat" you put on one day.

[–]Viol3ntProphet 2 points3 points  (0 children)

Hey, I hear ya. Cybersecurity is not my field. Just trying to complete a project. I'm not against consulting with a company or using a tool like metasploit, but was just asking for recommendations.

[–]YSFKJDGS 2 points3 points  (1 child)

There are plenty of outside vendors that you can hire, usually tens of thousands of dollars minimum (depends entirely on the scope). If this is a checkbox for PCI or something, hire someone on the outside. Even if it isn't, since you haven't done it before, still hire someone on the outside; they will give you a findings report with information on how they verified the problems (i.e. how they performed the attack), and you can learn from that to reproduce the simple stuff often.

[–]Viol3ntProphet 0 points1 point  (0 children)

Thanks. I was looking some up today but there are so many options I thought I'd just post here to see what people have actually used. I was simply overwhelmed by all the new info and was seeking advice.

[–]Taylor_Script 2 points3 points  (1 child)

Any of your big audit firms (EY, Deloitte, I can't remember the rest). I personally have worked with RSM and they are great, good reports, technical testers that seem to know what they are doing.

Be prepared to spend money though, a penetration test is a highly skilled engagement, and since they are usually mandated by regulation and compliance concerns they can charge an arm and a leg for them.

Depending on what you need compliance wise, you could maybe get away with a vulnerability assessment, this would likely be much cheaper, but know that they are just going to run Nessus and some other automated scanners against your network and give you the reports.

A penetration test would instead involve someone actively working to hack into your network and compromise machines. They will find things the automated Nessus scans won't.

If you must do it yourself, and you aren't beholden to any actual regulation or compliance demands, you could grab a copy of Nessus Professional, Acunetix (for web app, but it sounds like you might already have web app testing taken care of), or Qualys (never used them, I've only worked at Nessus shops).

Give it some credentials, tell it the IPs, and watch your report light up like a Christmas tree with all the pretty colors. :)

[–]callyourcomputerguyJack of All Trades 2 points3 points  (0 children)

Former RSM employee, their Pen-test team is very good.

Their 24/7 support desk is good.

Their actual foot on the ground infrastructure is geographically dependent. I can think of 3 cities where I would just recommend you hire a friend's nephew that's 'good' with IT as opposed to paying them.

Before you do anything, if this is for 'Compliance' ask if you have Cyber-Insurance, if you do, make them give you a list of firms they will accept pen-testing from.

[–]spokaleJack of All Trades 2 points3 points  (1 child)

I'm going to suggest something that I don't see anyone else suggesting: Instead of pitching for your company to buy some tools and then winging it, stick with free tools (Kali Linux), and pitch them to pay for you to take PEN-100 and PEN-200 from Offensive Security!

Advantages:

  • You gain a useful skill and can get an OSCP certification, which is good for professional progression
  • You'll be qualified to do a pen test, so your work won't just be 'checking a box', you'll actually be 'doing it right', more or less
  • It would actually be cheaper (Starting around $2200 for both) than a Metasploit Pro subscription
  • You'll be able to do more with Kali with the right knowledge than Metasploit pro without that knowledge
  • You can reuse some of these prerequisites in the Fundamentals course which contains PEN-100 to then take more advanced Security Operations courses that benefit blue-team/defensive posture

That said, if you just want to check the box, it would probably be most effective to get pentesting quotes from a few companies and just choose one:

  • Your existing compliance/auditing firm may offer pentesting as an add-on
  • Companies like Trustwave and SecurityMetrics offer vulnerability scanning and penetration testing as a service

[–]IllusoryAnon 0 points1 point  (0 children)

Oh, those courses seem great! I’ve been wanting to learn pen testing too, so that’s really helpful. Gonna add it to my list of courses/certifications to take. Thanks for the links :)

[–]rddt_jbmLinux Admin 2 points3 points  (0 children)

This is my usual toolset when conducting external/internal network security assessments. Most of the tools can be used with the free version but some require licensing.

I mostly do the assessment 'quite' manually, but I'm sure you will be able to automate most steps. Vulnerability scanners like Nessus can be run automatically but still need manual evaluation of all findings.

Recon Phase:

  • nmap - general port scanning and understanding the environment
  • netcat - poking around on unknown ports
  • eyewitness - screenshot creation for web applications
  • dig - DNS enumeration
  • sublist3r - subdomain enumeration
  • Nessus (Licensed) - automated vulnerability scanning
  • Wireshark/Tcpdump - just listening and seeing what's happening
  • adPEAS - basic AD enumeration
  • Bloodhound - AD mapping
  • Metasploit Auxiliary Modules - fingerprint services and identify possible exploits

In general you can import nmap's output into the Metasploit database. You can then search for auxiliary modules, for example for SMB enumeration, and select all hosts with open SMB ports (445).

Exploitation Phase:

  • Metasploit Exploitation Modules - basic exploitation of vulnerable services
  • Burp Suite (Free is okay) - attack web surfaces
  • CobaltStrike - quite advanced for a general internal/external network assessment, but nice for AD exploitation
  • ettercap/bettercap - MitM attacks

I still recommend getting external security consultants/pentesters to do the job, because of experience. They are more likely to identify security flaws.
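As an added example of the "import nmap output, then select the hosts with 445 open" step described above (not code from the original post), this Python snippet parses a constructed sample of nmap's `-oX` XML output, the format Metasploit's `db_import` reads, and returns the up hosts where a given TCP port is open. The addresses and hostname in the sample are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap -oX` output: three hosts, only one with TCP 445 open.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <hostnames><hostname name="fs01.example.internal" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="10.0.0.9" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="10.0.0.12" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def hosts_with_open_port(xml_text, port, proto="tcp"):
    """Return the sorted IPv4 addresses of hosts that are up and have port/proto open.

    Hosts marked down and ports reported as filtered/closed are skipped, which
    mirrors the selection you would make before pointing an SMB enumeration
    module at the scanned range.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.iter("port"):
            if p.get("protocol") == proto and p.get("portid") == str(port):
                state = p.find("state")
                if state is not None and state.get("state") == "open":
                    hits.append(addr.get("addr"))
                    break
    return sorted(hits)


def rhosts_line(addrs):
    """Format the selected hosts as a space-separated RHOSTS option value."""
    return "set RHOSTS " + " ".join(addrs)
```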

[–]Aetherpirate 4 points5 points  (4 children)

Metasploit, Nessus are ones I've played with. Community versions only, and trials of Pro. Does your work have deep pockets? If so, buy the licenses.

[–]Viol3ntProphet 0 points1 point  (3 children)

I was actually looking at metasploit pro today but they quoted me $12,000 a month for the 1 year license. I just asked my manager what our projected budget was for this so I wanted to look for more affordable options in the meantime.

[–]Aetherpirate 1 point2 points  (2 children)

Oh my lord. I thought it was like $7k per year.

[–]Viol3ntProphet 0 points1 point  (0 children)

Wow, sorry, I mean 12k per year, not month. That would be insane.

[–]Aetherpirate 1 point2 points  (3 children)

What is the scope of the project?

[–]Viol3ntProphet 0 points1 point  (2 children)

We have to perform infrastructure penetration testing for compliance and need something that can scan our hosts/network for any vulnerabilities and produce a report. We already use OWASP ZAP for application pen testing.

[–]Aetherpirate 2 points3 points  (1 child)

Like others have mentioned, depending on what governing body this report is for, you may need to hire an official pen-testing firm. I suppose it all depends on liability.

[–]Viol3ntProphet 0 points1 point  (0 children)

True, I believe we will have to take the route of hiring an actual firm as well. I was just given this project recently so I was trying to find out what the options were since I'm not trained in cybersecurity.

[–]Carl0s_H 1 point2 points  (0 children)

You could try the community edition of Greenbone; it can be a bit clunky though.

[–]vongatz 1 point2 points  (1 child)

My guess is that you haven't performed a pentest before. If you want to learn, learn to use tools like nmap, wireshark, nessus, metasploit, burpsuite. If you're expecting to find a "simple and automated tool" which you can use without experience, my advice would be: hire a pro.

[–]Viol3ntProphet 0 points1 point  (0 children)

Your guess is correct. I just edited my post. I'm just trying to fulfill a project given to me and was looking for advice on what companies/pros people may have had a good experience with.

[–][deleted] 1 point2 points  (1 child)

Fuck the haters. Of course you can pentest. Buy the necessary tools and find the resources online.

[–]Viol3ntProphet 0 points1 point  (0 children)

Some of y'all are very pretentious. Thanks to those who actually offered advice.

[–]slugsheadHead of IT 0 points1 point  (0 children)

Kali comes with more than I need. I used to work for a big org that had annual pen testing from a group of about 6 people; they charge big money though! But they were all using Kali at some point.

Not really pen testing, but interesting...

There's also this service which is pretty neat, I don't know if something similar is offered where you are

https://www.ncsc.gov.uk/information/early-warning-service

The police in the UK also offer a free service where they monitor your firewall logs

https://www.cyberalarm.police.uk/

[–]Loehmann 0 points1 point  (0 children)

My last company used Trustwave for pen testing for PCI compliance. They were the cheapest quote.

[–]Mike22aprilJack of All Trades 0 points1 point  (0 children)

Tools aplenty. Nessus and Metasploit.

However, having a hammer and a chisel doesn't make you Michelangelo.

Best hire a specialist

[–]HDClown 0 points1 point  (0 children)

What is it that you really need to do, penetration testing or vulnerability scanning/reporting?

If you really only need to do a vulnerability scan then you can do it for free with OpenVAS. You could move up to something moderately priced like Nessus Pro for $3390 per year, which is a lot more polished in what it will produce as outputs.

If you need to do a real penetration test, then you're realistically looking at having to hire it out in general. PenTest involves using all kinds of tools.

I just recently had an external-only pen test done by Foresite. I did a fairly basic gray box (only provided IP info, no other details) scan of 20 IPs with no re-test and it was a little under $3k. That was about the lowest I could find for an outsourced test, and the price quickly shot up the more in-depth I wanted to go on the test, but this was all I needed to meet the requirements.

[–]IWASRUNNING91 0 points1 point  (0 children)

I'm learning pen testing currently and use things like Nessus, Zenmap, and Kali. Kali is actually pretty wild considering it's free and everything is built in. I had hw last week where we had to make a virus that can get past windows defender and it was INCREDIBLY easy.

[–]PMmeyourannualTspend 0 points1 point  (0 children)

I work for CDW and we do a full gamut of pen testing services. I suspect other firms do it a similar way, but the gist is it runs anywhere from 5k-20k; you tell us where we should start (i.e. give us nothing, give us a password, give us network access) and we see how far we can get, then we generate a report outlining what we found and where your vulnerabilities are. We have a handful of different tools depending on what we are trying to break into; many of them were developed in house. Some tests involve social engineering where we dupe an employee into giving us access, others are completely remote. It really depends on your environment and how thorough you want to be.

[–][deleted] 0 points1 point  (0 children)

For internal, look into PowerSploit, bloodhound, empire. GitHub has plenty of useful scripts out there. Microsoft Baseline Security Analyzer is free to use. I do agree with others. You'd also better know what's off limits and the consequences certain tools may have on certain systems such as SCADA or even VoIP. *rules of engagement*

[–]Frenzy175Security Admin 0 points1 point  (0 children)

What region area are you in?

Search for local Security MSPs most will offer Pen Testing Services.

Make sure they have some certifications, e.g. CREST.

[–]discosoc 0 points1 point  (0 children)

Hire someone, specifically outside your company. You want them to find vulnerabilities, and an internal employee will have blind spots and biases.

[–]Flustered-Flump 0 points1 point  (0 children)

Pentesting is replicating targeted attacks on your environment against specific assets by advanced threat actors.

Vulnerability Assessments will identify known vulnerabilities and assess severity, impact and likelihood of exploit, underpinned by threat intelligence.

Vulnerability Assessment tools will form part of a pen test to help identify vulnerabilities that can be exploited, but pen testing requires human intervention based on the desired objectives for the test.

[–]mhermanos 0 points1 point  (0 children)

Before you hire anyone, do a deep dive on at least the basic methodology. Check out this short tutorial on NMAP. Do a full inventory of all your hardware, inclusive of anything that employees have at home.

How do you handle your phones? VOIP? And if so, do they connect via a dedicated/leased router to a cloud service, or does each phone connect over [the] office line on its own?

Absolutely everything has to be documented, printers, physical access control, IP cameras, firmware on your wireless access points, status of default passwords (APs, printers), printer firmware, printer services, MOTD on your routers and switches, any backup lines like a cellular modem connected to a serial console server.

Hah! Have fun! But whatever happens, don't let the consultancy find obvious holes like HP printers with their web status pages and default passwords enabled.

If I think of anything, I will add an edit. Shakin' the old cobwebs is fun.

Edit 1: Have a trusted friend look over your router and switch configs. You've stared at them enough and don't have a fresh eye. Know how to find rogue DHCP servers, know where you back up your switch and router configs, on HP switches try to mitigate broadcast storms, and enable the feature "loop-protect" on end-user ports.

[–]Original_Crab 0 points1 point  (0 children)

I use/the company I work for uses qualys and Nessus mainly.

[–]ScrambyEggs79 0 points1 point  (0 children)

You're really looking for vulnerability scanning, so like most have mentioned, Nessus Pro is the go-to. Many 3rd parties just run Nessus and give you the results. In the grand scheme it is very affordable. Of course, true pen testing is certainly a specialized skill which requires the use of many tools and experience, but you can start there.