I've been doing a lot of vulnerability and penetration testing for a customer who wants to see various simulated attacks and possible outcomes. I've been a penetration tester going on 10 years, and it is easily the most enjoyable task I can be asked to perform. Breaking in is fun -- and far easier to pull off when you use one of the many handy vulnerability-testing tools available today.
Overall, breaking into a company isn't that hard once you know what you're doing. I've yet to find a company with perfect patching or with all the traditional security features from the last 20 years enabled sufficiently. Still, when you're asked to do it on a deadline in a particular way, it can take work. It isn't like the movies where pen testers can guess master passwords in 60 seconds before the bad guys arrive.
That's where vulnerability testing tools come in handy. I've long been a fan of the freeware program Cain & Abel. No tool makes it easier to perform ARP poisoning, password sniffing, man-in-the-middle attacks, or digital certificate spoofing. It doesn't get updated as frequently as many other tools, but what it can do is laudable.
Like any budget-minded pen tester, I love free Metasploit. It comes with hundreds of exploits and payloads, and it is available in a GUI and a command-line version. HD Moore, Metasploit's main original contributor, always garners the largest packed rooms at Las Vegas Black Hat conferences.
When it comes to professional penetration testing, using a professional-grade tool is always a smart choice. Such tools simply do more and work better than free tools. Although there are dozens and dozens of professional testing tools, I've messed with only a handful. One day I need to do a thorough test review again.