How to use them
Metasploit, the Nessus Vulnerability Scanner, Nmap, Burp Suite, OWASP ZAP, SQLmap, Kali Linux, and Jawfish each have their uses. Most enterprises will need multiple tools. Metasploit offers both a Ruby interface and a CLI so your pen tester can opt for one or the other, depending on what you are trying to do. "The Ruby interface is more useful for testing a very large network because running commands in a CLI would be too tedious for that," says Saez.
Nessus Vulnerability Scanner checks computers and firewalls for open ports and for installations of potentially vulnerable software. "As far as pen testing, this tool is less useful as it is very noisy and goes in through the front door, communicating with the OS to determine vulnerabilities. This tool is normally used for compliance efforts to simply determine whether patches are up to date," says Garrett Payer, Lead Technologist, ICF International, a large technology solutions provider.
Apply Nmap to search for hosts, open ports, software versions, operating systems, hardware versions, and vulnerabilities, generally mapping the network's attack surface. It is useful at each stage of pen testing, wherever you have a new set of hosts, ports, and other resources to identify, such as when entering a new network segment. "This tool has a scripting feature and is useful for enumerating user access," says Payer.
Use Burp Suite with your web browser to map web applications. The tools inside Burp Suite discover application functionality and security holes and then launch custom attacks. Burp Suite automates repetitive functions while retaining user choice where the pen tester needs to control individual test options. "This very feature-rich tool investigates cross-site scripting and other vulnerabilities using a proxy," says Payer; "it allows some transparency into what the website is actually sending to the server."
OWASP ZAP performs a variety of scans and tests, including port scanning, brute-force scanning, and fuzzing, in order to identify insecure code. Pen testers use an intuitive GUI similar to that of a Microsoft application or certain web design tools (such as Arachnophilia). Once you browse and perform activities on a website, you return to ZAP to see the code and what transpired during those activities. When set as a proxy server, OWASP ZAP controls the web traffic that it processes. "This tool is newer than Burp Suite, is not as feature-rich, but is free and open source. It provides a subset of features and a GUI that are useful for people who are just entering web application pen testing," says Payer.
Leverage SQLmap to test improperly coded sites and URLs attached to databases via Python commands in a command line. If a malformed URL (link) to database information draws an error code, then the link is subject to attack. SQLmap installs on Ubuntu Linux, inside a VM. "Another script-friendly tool, SQLmap can determine such things as whether the programmer has parameterized the inputs," says Payer. If the programmer hasn't, a pen tester or an attacker could forward a name, semicolon, and an SQL command, for example, and run it on the database, gaining control, explains Payer.
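The parameterization point Payer makes is easiest to see side by side. The following is an added example written for this article, not code from the article, from SQLmap, or from any site it tests: it builds an in-memory SQLite database with a few constructed user rows, runs the same lookup once with the name pasted into the SQL text and once with it bound as a parameter, and shows both the changed result set and the error that a malformed (unbalanced-quote) input provokes in the unsafe version. The table, rows, and probe strings are all constructed for the demonstration.

```python
"""Added example: string-built SQL beside its parameterized form (sqlite3)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a few constructed user rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable form: the user-supplied name is pasted into the SQL text,
    so quote characters in the input change the statement's meaning."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: the name travels as a bound parameter, and the
    database treats it as data no matter which characters it contains."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed probe: a name no user has, followed by a quote that closes the
# string literal and a clause that is always true.
PROBE = "nobody' OR '1'='1"


def compare(name: str) -> dict:
    """Run both lookups on the same input; report how many rows each returns."""
    conn = make_db()
    unsafe_rows = lookup_unsafe(conn, name)
    safe_rows = lookup_safe(conn, name)
    return {"unsafe": len(unsafe_rows), "safe": len(safe_rows)}


def error_on_unsafe(name: str) -> bool:
    """True if the unsafe lookup raises a database error for this input.
    A stray quote breaking the statement is the kind of error signal the
    article says marks a link as worth testing."""
    conn = make_db()
    try:
        lookup_unsafe(conn, name)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    print(compare("alice"))            # {'unsafe': 1, 'safe': 1}
    print(compare(PROBE))              # {'unsafe': 2, 'safe': 0}
    print(error_on_unsafe("O'Brien"))  # True: unbalanced quote breaks the SQL
    print(error_on_unsafe("alice"))    # False
```

Two things worth noting about the design. The safe version returns zero rows for the probe and never errors on "O'Brien" because the driver, not string formatting, supplies the value to the engine. The semicolon-stacked form Payer describes is not shown because sqlite3's `execute()` refuses more than one statement per call; other drivers and databases differ, which is exactly why the fix is parameterization rather than relying on a particular engine's behaviour.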