After sharing our favorite fuzzers and cloud pen testing tools, we thought it was about time we explored some of our picks for top network penetration testing tools (and besides, a few of you requested it!). So, let’s get on with it; below are eight of our favorite tools to lean on when conducting network pen tests.
#1 Nmap: Discovering Networks and Auditing Security
Creator: Gordon Fyodor Lyon
Why We Like It: The most fitting way to kick off is with arguably the most valuable of all network pen testing tools: Nmap, AKA Network Mapper. This is an extremely flexible pen testing tool that can be used to scan both large and small networks and runs on a wide range of operating systems. Nmap is versatile and easy to use, and provides a quick, simple way to uncover information about hosts and services.
#2 Pompem: Finding Exploits and Vulnerabilities
Creator: Rafael Francischini
Why We Like It: Pompem, developed in Python, performs advanced searches across a variety of exploit and vulnerability databases. It helps to alleviate the more manual work that pen testers and ethical hackers do to find vulnerabilities and exploits in their respective databases, saving time and energy.
#3 NP: Combining Different Pen Testing Tools
Creator: Liam Somerville
Why We Like It: This open-source tool makes it easy to summarize and query the output of multiple different port scanners so you can spend more time hacking and less time grepping. And as a bonus – the creator is one of Bishop Fox’s own!
#4 Arp-Scan: Scanning for IP Hosts
Creator: Roy Hills
Why We Like It: Arp-Scan is a command line tool that makes discovering and detecting the characteristics of IP hosts much more accessible. The main benefits of using Arp-Scan, according to the Kali Team, include discovery of all IPv4-connected devices, quick identification and mapping of IP addresses to MAC addresses, identification of duplicate IP addresses, isolation and location of rogue devices, and device identification by NIC vendor. Additionally, Arp-Scan works well in tandem with the other tools that the Kali Team has created, like Arpwatch.
#5 Wifite2: Auditing Encrypted Wireless Networks
Why We Like It: This tool is a rewrite of the network pen testing tool Wifite. Use Wifite2 to retrieve a router’s password via several different methods, such as offline Pixie-Dust attacks or online brute-force PIN attacks. Compared to the (slightly) older Wifite, this iteration offers fewer bugs, better speed, and increased accuracy.
#6 Aireplay-ng and Aircrack-ng: Leveraging This Tool Duo
Why We Like It: These wireless network pen testing tools go together like two peas in a pod. The aireplay-ng tool generates traffic that the aircrack-ng tool can later use to discover any network insecurities, and it can also craft ARP injections.
#7 Evilgophish: Building Upon Previous Resources
Creator: Dylan Evans
Why We Like It: Dylan Evans had the spectacular idea to combine the best of both worlds in Evilgophish. Evilginx is a tool by Kuba Gretzky and GoPhish is a toolkit currently maintained by Jordan Wright (equally amazing tools in their own right). Both tools serve different and highly useful purposes; Evilginx is a proxy man-in-the-middle framework that can be used to circumvent 2FA. Meanwhile, GoPhish is a popular open-source social engineering framework. When they are together as Evilgophish, you can truly elevate your red teaming or pen testing engagements! Unlike the OG GoPhish, Evilgophish has SMS phishing capabilities and comes with a blacklist that contains IP addresses/blocks owned by the likes of ProofPoint, Microsoft, and Trend Micro.
#8 CloudFox: Automating the Enumeration Process for Cloud Pen Tests
Why We Like It: This tool straight from the Fox Den – inspired by existing tools like PowerView – helps hackers find attack paths in cloud environments that would otherwise be difficult to navigate. We love that this tool provides a different service than other popular tools that analyze cloud environments. Watch the creators themselves demo CloudFox in our Tool Talk recording from September 2022!
What Are Your Favorites? We Want to Know!
Tell us on Discord or at Mastodon which network pen testing tools you personally can’t live without that didn’t make this particular list. And make sure to check out our annual year-end recap blog covering our favorite tools of 2022!
Special thanks to our Discord server and Marketing intern Jane Acuff for the help with this blog post!