The Pen Testing Tools We’re Thankful for in 2021
It’s become something of a tradition – like turkey and cranberry sauce – the past few Novembers for us to publish a list of pen testing tools we’ve found useful. November 2021 is no different than 2019 (see that year’s pen testing tool list) or 2020 (see that year’s pen testing tool list). We are back with yet another list right in time for the end of the year.
One caveat before we go any further: Not all of the tools we included in this list were released in 2021, some of them predate that. Nonetheless, all of the below pen testing tools came in use for us during recent security assessments. We hope you’ll find a new tool (or maybe a few) that you can add to your arsenal!
This Year's Pen Testing Tool Picks
“A fast, simple, recursive content discovery tool written in Rust.”
Creator: Ben 'epi' Risher (@epi052)
Why We Like It: We’ve written about GoBuster before, and this forced browsing tool is similar (forced browsing is a type of an attack where you seek out resources that the targeted web application does not display or reference). But unlike GoBuster, this tool uses Rust instead of Go, which makes it a bit different. And unlike GoBuster, Feroxbuster is a recursive tool. Lastly, Feroxbuster is super simple to install and use, and those features alone make it an invaluable asset.
“An AI-powered, open source tool designed to help penetration testers assess large-scale external perimeters.”
Creators: Dan Petro (@2600AltF4) and Gavin Stroy (both of Bishop Fox)
Why We Like It: If you want to cut down on time on your security engagements spent scrolling through screenshots for something promising that could yield a vulnerability or two, then check out Eyeballer. We just released an updated version of this award-winning tool with a cleaner, easier-to-use web interface, so there’s no time like the present to give it a shot.
See a demo of how Eyeballer works:
“A fast directory scanning and scraping tool.”
Creator: NCC Group
Why We Like It: What really stands out for us is the ability to use Dirble to quickly scan APIs – that makes it quite the resource to have on an engagement. Dirble also allows you to use a list of targets to allow for passive enumeration.
“Provides simple, performant, intuitive, internet-scale IP network simulation empowering Cyber Range administrators and virtual Red Teamers to provide unprecedented realism in adversary emulation for "Red vs. Blue" cyber exercises and competitions.”
Why We Like It: The description gives the gist, but here’s a slightly more in-depth overview. Autovnet will help you to shore up your red team skills in a simulation environment. Use it to practice scenarios to build both red team and blue team techniques. As a bonus, if you’re into CTFs, this tool is great for improving your skills on that front, too.
“A tool for quickly evaluating IAM permissions in AWS.”
Creator: NCC Group (again)
Why We Like It: Our researchers found this cloud security tool to be the most comprehensive in its class. Seth Art writes about it in “IAM Vulnerable: Assessing the AWS Assessment Tools,” providing a deep dive into its features.
“An open source tool designed to help penetration testers and security practitioners better understand how to identify and exploit common IAM misconfigurations that allow for privilege escalation.”
Creator: Seth Art of Bishop Fox (@sethsec)
Why We Like It: Besides being the product of Bishop Fox research, IAM Vulnerable is an excellent way to try out AWS privilege escalation techniques in a low-risk environment. Want to level up your cloud pen testing skills? Then this is a tool you must check out ASAP.
“A collection of manifests that will create pods with elevated privileges.”
Creator: Seth Art
Why We Like It: Bad Pods is the collection of Kubernetes privilege escalation manifests from Seth Art. Get a better sense of what can go wrong with common Kubernetes misconfigurations – something that can benefit both penetration testers and security administrators.
“A subdomain discovery tool that discovers valid subdomains for websites.”
Creator: ProjectDiscovery (@pdiscoveryio)
Why We Like It: ProjectDiscovery has some amazing tools – last year’s pen testing tools blog included the vulnerability scanner Nuclei, which remains a great tool you should try if you haven’t already. Subfinder comes in handy for quickly discovering additional attack surface, which is always a good thing when you’re hunting for vulnerabilities.
See a demo of how Subfinder works:
“A fast, open source, static analysis tool for finding bugs and enforcing code standards at editor, commit, and CI time.”
Creator: r2c (@r2cdev)
Why We Like It: We chose this powerful yet lightweight tool because of its speed and flexibility. Spend more time exploiting impactful bugs and less time searching for them in the first place. Plus, Semgrep makes it easy to write custom rules to detect client-specific code patterns that could prove problematic. It might be easy to assume this tool is merely a glorified version of Grep. However, Semgrep understands the code it’s examining so it’s incredibly useful when you’re searching for complicated patterns.
“An advanced valid phone number generator.”
Creator: Martin Vigo (@martin_vigo)
Why We Like It: Last month, we shared a list of OSINT tools on our blog. Martin Vigo was the creator of one of those tools and he directed our attention to Phonerator, which is another useful OSINT resource of his. We haven’t played around with it too much, but it seems promising for a social engineering engagement or phishing campaign.
Watch a demo of Phonerator in action from Vigo himself:
Tell Us What You Think!
So there you have it – our 2021 list of pen testing tools we’re thankful for is in the books. Have any feedback for us? Vehemently disagree with our choices or simply want to offer up suggestions for a different tool list? Let us know on Twitter, Discord, or Reddit.
Like This List? Check Out Our Other Pen Testing Tools Lists:
Subscribe to Bishop Fox's Security Blog
Be first to learn about latest tools, advisories, and findings.
Thank You! You have been subscribed.