Cyver Core was designed by pentesters for pentesters. So, when we wanted to share a list of the top pentest tools, we obviously sat down with our chief pentester and co-founder Mike Terhaar to discuss his favorite tools for web application pentests. 

This list of favorite tools is a personal opinion, not a ranking. You’ll have to try the tools out yourself to see what works for you. In addition, not all of them are free.

If you want to see more, check our ultimate list of pentest tools for 300+ options. 

Burp Suite Pro

“Burp is a go-to,” says Mike. “Not only does it offer a huge toolkit, it replaces many smaller tools like recon & enumeration, simplifying the number of places you have to check.”

“Of course, I load it with open source and private scripts, just to make my life easier. I use ActiveScan++, WSDL Wizard, and Retire.js.”

Burp Suite Pro costs from 499 per year per user. 

Get it here

Postman for playing with an API

“I like this for playing with an API. It’s also quite easy to add to your toolkit at $12 per month.”

Get it here

reNgine

“This is a go-to for basic hygiene checking and to get a clue in terms of target hardening, patching, etc.,” says Mike. “It’s also completely open source. It does the same things plus others as Nessus, but it’s open source. Of course, quality differences exist; you don’t get the same development quality in an open source platform, but it is one platform that does everything.”

“It also has a dashboard where you can plug in tools like Harvester, and get everything, including screenshots, in one place.”

Get it here

Nmap

“It’s obvious to have this,” says Mike. “You can’t not have it. It’s a must-have that tells you basic IP address information, so you can figure out what’s behind it. I always check for odd ports, e.g., port 0, because most scanners start at 1.”

Get it here

Ncat

“Ncat is a go-to in my toolbox; usually I use Nmap followed by Ncat as part of my standard network assessment. It’s a Swiss Army knife. But you can use it as a listener, to create a (reverse) tunnel, or to communicate directly with an open service; everyone should have this.”

Get it here

sqlmap

“sqlmap is also really powerful if you have a hunch SQL injection is possible. It’s flexible and much faster than doing it by hand. Very fast and easy to automate.”

Get it here

Metasploit

“Metasploit is flexible, old-school, and makes life a lot easier,” says Mike. “But not everyone will find that it’s worth the price, and many pentesters are better off with an open source tool like reNgine. However, the combination with vulnerability scanning like Nmap makes it a really valuable tool. If there are exploits, you can automate trying to exploit them so you can take over and get user-level access, etc., which just makes it a really valuable tool.”

Get it here 

Tools Aren’t Everything 

“Start with basic research before you fire up any tools: try to figure out what you’re testing, what it looks like, whether there’s anything strange there, etc. Then I’d start with an extensive Nmap query on all ports. People often don’t fill in details and they’re using a default configuration that includes a port 0, which is left out of most vulnerability scanners, so it’s vulnerable. I usually scan all ports from 0-65, then TCP and UDP.

Depending on your pentest, Google can be an extremely good tool. Using a wayback tool can also be surprisingly insightful. You can check what’s changed and if vulnerabilities are still there. 

There’s a lot to pentesting – and manual insight is still the best way to start. From there, you can fill in the gaps with scanners – but you’ll always want to look at things yourself before you get started.”
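As an added example, not part of the original post and not code from Nmap or any other tool mentioned here: the full-port sweep Mike describes (every TCP and UDP port, starting at 0 rather than Nmap's default of 1) produces a lot of output, and the "look at things yourself" step is easier when a small script pulls out the ports worth a human's attention. The code below assembles the Nmap argument list for such a sweep, parses Nmap's grepable (`-oG`) output, and flags port 0 and any open high port with no identified service. The sample output lines are constructed for the example, and the two review heuristics are my own assumptions, not something Nmap does.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of Nmap grepable (-oG) output for two hosts; these are
# not real scan results. Each port entry has the layout
# port/state/proto/owner/service/rpcinfo/version/ and entries are separated by ", ".
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated as: nmap -sS -sU -p0-65535 -oG - 192.0.2.0/29
Host: 192.0.2.10 ()\tPorts: 0/open/tcp//unknown///, 22/open/tcp//ssh//OpenSSH 9.2/, 443/open/tcp//https//nginx/\tIgnored State: closed (65533)
Host: 192.0.2.11 ()\tPorts: 53/open/udp//domain///, 80/open/tcp//http//Apache httpd 2.4.57/, 31337/open/tcp//unknown///\tIgnored State: filtered (65533)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""


class PortEntry(NamedTuple):
    port: int
    state: str
    proto: str
    service: str
    version: str


class Finding(NamedTuple):
    host: str
    port: int
    proto: str
    reason: str


def build_full_port_scan(target: str) -> List[str]:
    """Argument list for the sweep the post describes: a TCP SYN scan plus a
    UDP scan of every port from 0 to 65535, grepable output on stdout.
    The explicit -p0-65535 matters because Nmap's default range starts at 1."""
    return ["nmap", "-sS", "-sU", "-p0-65535", "-oG", "-", target]


def parse_grepable(text: str) -> Dict[str, List[PortEntry]]:
    """Parse the 'Host:' lines of -oG output into {ip: [PortEntry, ...]}.
    Comment lines and 'Host: ... Status: Up' lines without a Ports field are skipped."""
    hosts: Dict[str, List[PortEntry]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        ip = re.match(r"Host:\s+(\S+)", line).group(1)
        # The Ports field runs up to the tab that precedes "Ignored State:".
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        entries = []
        for raw in ports_field.split(", "):  # simple split; enough for this sample
            parts = raw.split("/")
            entries.append(PortEntry(
                port=int(parts[0]), state=parts[1], proto=parts[2],
                service=parts[4], version=parts[6] if len(parts) > 6 else ""))
        hosts[ip] = entries
    return hosts


def flag_odd_ports(hosts: Dict[str, List[PortEntry]],
                   high_port_start: int = 1024) -> List[Finding]:
    """Two review heuristics (my own assumptions): anything listening on port 0
    is always reported, and an open port at or above high_port_start whose
    service Nmap could not identify is reported so someone looks at it by hand."""
    findings: List[Finding] = []
    for ip, entries in hosts.items():
        for e in entries:
            if e.state != "open":
                continue
            if e.port == 0:
                findings.append(Finding(ip, 0, e.proto,
                                        "port 0 listening; below most scanners' default range"))
            elif e.port >= high_port_start and e.service in ("", "unknown"):
                findings.append(Finding(ip, e.port, e.proto,
                                        "open high port with unidentified service"))
    return findings


if __name__ == "__main__":
    print(" ".join(build_full_port_scan("192.0.2.0/29")))
    for f in flag_odd_ports(parse_grepable(SAMPLE_GREPABLE)):
        print(f"{f.host}:{f.port}/{f.proto}  {f.reason}")
```

Two practical notes: `-sS` and `-sU` both need raw-socket privileges, and a UDP sweep of all 65536 ports is slow, so in practice the UDP pass is usually run separately from the TCP one. The `", "` split on the Ports field is adequate for the constructed sample; version strings that themselves contain a comma and space would need a stricter tokenizer.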