[Owasp-leaders] list of good pen testing tools

Andre Gironda andreg at gmail.com
Fri Nov 18 11:33:35 EST 2011

On Fri, Nov 18, 2011 at 9:10 AM, Dennis Groves <dennis.groves at owasp.org> wrote:
> The only list you need:
> O2 is an Extensible Automated Application Security Testing Toolkit.

O2 is great, but it's heavily steeped in .NET and I'm not sure if it's
Mono friendly or not.

Basic tools such as VMware Workstation 8, BackTrack 5, Metasploit
Community Edition, NeXpose Community Edition, and the Web Exploitation
Framework are seriously really nice to have when they are all wrapped
in a nice Linux package. There might be some other tools to add into
that Linux mix, such as Esearchy-NG, Oedipus, Arachni, etc. Check out
http://securityaegis.com or http://zerocold.co.uk for the latest and
greatest pen-testing tools and methodologies.

If you have more money than just the cost of VMware Workstation 8,
then you probably also want to get Burp Suite Professional, IDA Pro,
Paros Pro, Netsparker Pro, or cool gear from HakShop. If you have a
ton of money, then consider Hex-Rays, some commercial SAST/IAST, and
some intelligence-oriented applications such as MaltEgo or i2
Analyst's Notebook. Also consider some expensive gear such as SILICA
from Immunity Security or some Xilinx-enabled gear from Ettus
Research. I would say don't bother with expensive commercial
vulnerability assessment or penetration-testing tools, such as Qualys,
CORE Impact, Metasploit Express/Pro, etc. Everybody uses those
already. I think nmap with the vulscan NSE script will get you better
results, especially once you start using your brainpower to mix in
some heavy-lifting with the open-source Metasploit and Web
Exploitation (wXf) Frameworks.

I find myself spending a lot of time in Eclipse, IntelliJ IDEA, and
Xcode for pen-testing recently. I don't think O2 is quite yet capable
of doing some things that these tools afford me, but I look forward to
that day.


More information about the OWASP-Leaders mailing list