Once the penetration tester has identified potential hosts to exploit, they need to find vulnerabilities that could be exploited to gain access to those hosts. While this can be done manually, it is a difficult and time-consuming process. Instead, a variety of tools can be used to scan the host machines based on their purpose and the software running on them.

The table below lists tools that can be used for vulnerability discovery.

| Tool | Description |
| --- | --- |
| Nikto | Nikto is an open-source web server scanner. It tests for outdated versions of more than 1,250 servers, scans for more than 6,000 files and programs that can be exploited, and checks for version-specific problems on more than 270 servers. Note that this tool creates a large footprint by leaving a high volume of entries in the web server's log files. |
| Greenbone/Open Vulnerability Assessment Scanner (OpenVAS) | OpenVAS is a vulnerability scanner that boasts more than 50,000 vulnerability tests with daily updates. It supports various high-level and low-level Internet and industrial protocols, as well as unauthenticated and authenticated testing. |
| TruffleHog | TruffleHog is an open-source tool that scans code repositories and other developer tools for secrets, passwords, and sensitive keys. TruffleHog's open-source engine scans for over 800 credential types. |
| BloodHound | BloodHound is an open-source tool used to scan Windows Active Directory (AD) and map out AD objects that an attacker can use to perform privilege escalation, lateral movement, and more. |
| Tenable Nessus | Nessus is a proprietary vulnerability scanner developed by Tenable. Nessus can perform vulnerability scans on a variety of systems; it scans for known vulnerabilities, malware, and misconfigurations. Nessus also provides reporting and remediation guidance, as well as ongoing monitoring. This helps to reduce the potential attack surface and strengthen compliance. |
| PowerSploit | PowerSploit contains multiple PowerShell scripts that can be used for a variety of tasks, including enumeration, collecting credentials, running malicious code, and much more. It is a powerful post-exploitation tool. |
| Grype | Grype is an open-source vulnerability scanner for containers and file systems. It can find vulnerabilities in container images built on a wide variety of major operating systems and programming language ecosystems. |
| Trivy | Trivy is an open-source vulnerability scanner for containers, file systems, and Git repositories. Trivy also helps identify misconfigurations and vulnerabilities in artifacts. |
| Kube-Hunter | Kube-hunter is an open-source vulnerability scanner for Kubernetes clusters. It can probe a domain or address range for Kubernetes clusters and verify any configuration issues it finds. |

Vulnerability scanning tools overview
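The Nikto entry above notes that the scanner leaves a large footprint in the web server's log files. The following added example (not code from the original text or from any of the listed projects) shows what that footprint looks like from the defender's side: it parses a few constructed Apache/nginx combined-format access log lines and flags source addresses that either send a Nikto User-Agent or produce a burst of 4xx/5xx responses from probing for files that do not exist. The exact User-Agent string and the log lines are constructed for the example; the only assumption about the real tool is that its default User-Agent contains a `Nikto/<version>` token.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" log format: ip ident user [ts] "req" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumption: Nikto's default User-Agent carries a "Nikto/<version>" token.
NIKTO_UA = re.compile(r"Nikto/\d", re.IGNORECASE)

# Constructed sample log: one ordinary browser client and one scanner-like client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
198.51.100.23 - - [10/Oct/2023:13:56:01 +0000] "GET /admin/ HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000002)"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /phpinfo.php HTTP/1.1" 404 196 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000003)"
198.51.100.23 - - [10/Oct/2023:13:56:02 +0000] "GET /server-status HTTP/1.1" 403 199 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000004)"
203.0.113.7 - - [10/Oct/2023:13:57:10 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/117.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_scanner_activity(entries, error_threshold=3):
    """Return {ip: [reasons]} for source addresses that look like a web scanner.

    Two signals are used: a scanner User-Agent (cheap, but trivially changed),
    and a burst of error responses from one address (survives UA changes).
    """
    ua_hits = Counter()
    errors = Counter()
    for e in entries:
        if NIKTO_UA.search(e["ua"]):
            ua_hits[e["ip"]] += 1
        if e["status"].startswith(("4", "5")):
            errors[e["ip"]] += 1

    findings = defaultdict(list)
    for ip, n in ua_hits.items():
        findings[ip].append(f"{n} requests with a Nikto User-Agent")
    for ip, n in errors.items():
        if n >= error_threshold:
            findings[ip].append(f"{n} 4xx/5xx responses (probing for paths that do not exist)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in find_scanner_activity(parse_log(SAMPLE_LOG)).items():
        print(ip)
        for r in reasons:
            print("  -", r)
```

The User-Agent match is the easy signal and is what the table's footprint remark refers to; the error-burst count is kept as a second, independent signal because a scanner's User-Agent can be changed, while a high rate of 404/403 responses from a single address is much harder to hide in the same log.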