Makuhari Development Corporation
8 min read, 1474 words, last updated: 2025/8/25

Complete Vulnerability Assessment and Penetration Testing with Open Source Tools

Vulnerability assessment and penetration testing are critical components of any comprehensive cybersecurity program. While many organizations rely on expensive commercial solutions, it's entirely possible to build a robust testing framework using open source tools. This tutorial will guide you through setting up a complete vulnerability assessment and penetration testing toolkit that can rival commercial offerings.

Prerequisites

Before diving into the tools and methodologies, ensure you have:

  • Legal authorization: Always obtain explicit written permission before testing any systems
  • Linux environment: Most tools work best on Kali Linux or similar security distributions
  • Network access: Proper network connectivity to target systems
  • Basic security knowledge: Understanding of common vulnerabilities (OWASP Top 10, CVE database)
  • Documentation skills: Ability to create professional security reports

Understanding the Difference: Vulnerability Assessment vs Penetration Testing

Vulnerability Assessment

Focuses on discovering vulnerabilities through automated scanning and basic verification. It provides broad coverage but may include false positives.

Penetration Testing

Focuses on exploiting vulnerabilities through simulated attacks to demonstrate real-world impact. It has narrower scope but provides concrete proof of exploitability.

Step-by-Step Tool Setup and Implementation

1. Asset Discovery and Information Gathering

Nmap - Network Discovery and Port Scanning

# Basic port scan
nmap -sS -sV -O target.com
 
# Comprehensive scan with script scanning
nmap -sC -sV -A -T4 target.com
 
# Export results for further analysis
nmap -sV -oA scan_results target.com

Detection scope: Open ports, service versions, operating system detection

Amass - Asset Discovery

# Subdomain enumeration
amass enum -d target.com
 
# Active enumeration with additional techniques
amass enum -active -d target.com -o subdomains.txt
 
# Integration with multiple data sources
amass enum -config config.ini -d target.com

Detection scope: Subdomains, external assets, DNS information

theHarvester - OSINT Collection

# Email and subdomain harvesting
theHarvester -d target.com -l 500 -b google
 
# Multiple source harvesting
theHarvester -d target.com -l 100 -b all

Detection scope: Email addresses, subdomains, employee information

2. Network and System Vulnerability Scanning

OpenVAS (Greenbone) - Comprehensive Vulnerability Scanner

# Installation on Ubuntu/Debian
sudo apt update
sudo apt install openvas
 
# Initial setup
sudo gvm-setup
 
# Start services
sudo gvm-start
 
# Access web interface at https://localhost:9392

Detection scope: Known CVEs, system vulnerabilities, configuration issues, missing patches

Nikto - Web Server Scanner

# Basic web server scan
nikto -h http://target.com
 
# Scan with specific tuning options
nikto -h http://target.com -Tuning 1,2,3,4
 
# Output to file
nikto -h http://target.com -o nikto_results.html -Format html

Detection scope: Web server misconfigurations, default files, security headers, SSL/TLS issues

3. Web Application Security Testing

OWASP ZAP - Web Application Scanner

# Command line quick scan
zap-cli quick-scan http://target.com
 
# Baseline scan with reporting
zap-baseline.py -t http://target.com -r zap_report.html
 
# Full scan with authentication
zap-full-scan.py -t http://target.com -z "-config auth.context=mycontext"

Detection scope: XSS, SQL injection, CSRF, authentication flaws, session management issues

sqlmap - SQL Injection Testing

# Basic SQL injection testing
sqlmap -u "http://target.com/page.php?id=1"
 
# Test with specific parameters
sqlmap -u "http://target.com/login.php" --data="username=admin&password=test"
 
# Comprehensive database enumeration
sqlmap -u "http://target.com/page.php?id=1" --dbs --tables --columns

Detection scope: SQL injection vulnerabilities, database enumeration, data extraction

dirsearch - Directory and File Discovery

# Basic directory brute force
python3 dirsearch.py -u http://target.com
 
# Custom wordlist and extensions
python3 dirsearch.py -u http://target.com -w /path/to/wordlist -e php,asp,aspx
 
# Recursive scanning
python3 dirsearch.py -u http://target.com -r

Detection scope: Hidden directories, backup files, administrative interfaces

4. Manual Testing and Validation

Burp Suite Community - Web Application Testing

# Configure proxy (typically 127.0.0.1:8080)
# Set browser to use Burp as proxy
# Intercept and modify requests manually
 
# Key features to use:
# - Proxy: Intercept HTTP/HTTPS traffic
# - Repeater: Modify and resend requests
# - Intruder: Automated fuzzing
# - Scanner: Basic vulnerability detection (Pro version)

Detection scope: Input validation, business logic flaws, session management, manual verification of automated findings

5. Penetration Testing Tools

Metasploit Framework - Exploitation

# Start Metasploit console
msfconsole
 
# Search for exploits
search apache 2.4
 
# Use specific exploit
use exploit/linux/http/apache_mod_cgi_bash_env_exec
set RHOSTS target.com
set RPORT 80
exploit
 
# Post-exploitation modules
use post/linux/gather/enum_system

Detection scope: Exploit verification, privilege escalation, post-exploitation activities

Hydra - Password Attack Testing

# SSH brute force
hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://target.com
 
# HTTP form brute force
hydra -l admin -P passwords.txt target.com http-post-form "/login.php:username=^USER^&password=^PASS^:Invalid"
 
# Multiple service testing
hydra -L users.txt -P passwords.txt target.com ssh ftp telnet

Detection scope: Weak passwords, brute force vulnerabilities, authentication bypass

Minimal Viable Tool Combination

For individual security professionals or small teams, here's a streamlined toolkit:

Essential Tools (6-tool MVP)

  1. Nmap - Port scanning and service detection
  2. OpenVAS - Comprehensive vulnerability scanning
  3. OWASP ZAP - Web application security testing
  4. sqlmap - SQL injection testing
  5. Burp Suite Community - Manual web testing
  6. dirsearch - Directory enumeration

Testing Workflow

# 1. Asset Discovery
nmap -sS -sV target.com
amass enum -d target.com
 
# 2. Vulnerability Scanning
# Launch OpenVAS scan via web interface
 
# 3. Web Application Testing
zap-baseline.py -t http://target.com
python3 dirsearch.py -u http://target.com
sqlmap -u "http://target.com/page.php?id=1"
 
# 4. Manual Verification
# Use Burp Suite to verify findings
 
# 5. Reporting
# Compile results into comprehensive report

CI/CD Integration Considerations

Suitable for Automated Testing

  • Nmap: Quick port scans to detect configuration changes
  • Nikto: Web server configuration testing
  • dirsearch: Directory enumeration for exposed files
  • OWASP ZAP: Baseline scans with limited scope
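The "detect configuration changes" use of Nmap in CI needs something that compares two scan outputs rather than a human reading them. The following is an added example, not code from the article: it parses the XML that `nmap -oX` (or the `.xml` file from `-oA`) produces and reports ports that are newly open, no longer open, or whose service banner changed between a stored baseline and the current run. The two scan documents are constructed inline, and the address 203.0.113.10 is a placeholder.

```python
"""Detect port/service drift between two Nmap XML outputs (-oX, or the .xml from -oA).
Sample documents are constructed here; this is not the article's code."""
import xml.etree.ElementTree as ET


def parse_open_ports(xml_text):
    """Return {(addr, proto, port): service_banner} for every open port in the scan."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports are not exposure, so they are ignored
            svc = port.find("service")
            parts = [svc.get(k) for k in ("name", "product", "version")] if svc is not None else []
            banner = " ".join(p for p in parts if p) or "unknown"
            result[(addr_el.get("addr"), port.get("protocol"), int(port.get("portid")))] = banner
    return result


def port_drift(baseline_xml, current_xml):
    """Compare a baseline scan with the current one: newly opened, closed, changed banners."""
    base, cur = parse_open_ports(baseline_xml), parse_open_ports(current_xml)
    opened = {k: cur[k] for k in sorted(cur.keys() - base.keys())}
    closed = {k: base[k] for k in sorted(base.keys() - cur.keys())}
    changed = {k: (base[k], cur[k]) for k in sorted(base.keys() & cur.keys()) if base[k] != cur[k]}
    return opened, closed, changed


def _sample_scan(ports):
    """Build a minimal Nmap-style XML document for one host (constructed test data)."""
    body = "".join(
        f'<port protocol="tcp" portid="{p}"><state state="open" reason="syn-ack"/>'
        f'<service name="{n}" product="{prod}" version="{v}"/></port>' for p, n, prod, v in ports)
    return ('<nmaprun scanner="nmap"><host><status state="up"/>'
            '<address addr="203.0.113.10" addrtype="ipv4"/>'
            f'<ports>{body}</ports></host></nmaprun>')


BASELINE_XML = _sample_scan([(22, "ssh", "OpenSSH", "8.9p1"), (443, "https", "nginx", "1.24.0")])
CURRENT_XML = _sample_scan([(22, "ssh", "OpenSSH", "8.9p1"), (443, "https", "nginx", "1.25.3"),
                            (3306, "mysql", "MySQL", "8.0.36")])

if __name__ == "__main__":
    opened, closed, changed = port_drift(BASELINE_XML, CURRENT_XML)
    print("newly open:", opened)  # a new listener is the finding a CI run should flag
    print("no longer open:", closed, "\nbanner changed:", changed)
    raise SystemExit(1 if opened else 0)  # non-zero exit fails the pipeline step
```

In a pipeline, commit the baseline XML alongside the job and replace it deliberately when a change is approved, so that an unexpected listener (the 3306 in the sample) fails the run until someone reviews it.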

Example CI/CD Pipeline Configuration

# GitHub Actions example
name: Security Scan
on:
  push:
    branches: [main]
  
jobs:
  security_scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - name: Run ZAP Baseline Scan
        uses: zaproxy/action-baseline@v0.7.0
        with:
          target: 'http://your-app.com'
          
      - name: Run Nikto Scan
        run: |
          nikto -h http://your-app.com -Format json -output nikto-results.json
          
      - name: Directory Enumeration
        run: |
          python3 dirsearch.py -u http://your-app.com -e php,asp --simple-report=dirs.txt
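A pipeline step is only useful if it can fail the build, so the ZAP baseline output has to be turned into a pass/fail decision. The following is an added example, not the article's or the ZAP project's code: it reads a ZAP JSON report, keeps alerts at or above a chosen risk level, lets accepted risks be excluded by plugin id, and exits non-zero when anything remains. The report embedded below is constructed in the shape of ZAP's traditional JSON report (`site` / `alerts` / `riskcode`); the plugin ids, alert names and URLs in it are illustrative values, not output from a real scan.

```python
"""CI gate over an OWASP ZAP baseline JSON report: fail on findings at/above a risk level.
Constructed sample report; field names follow ZAP's traditional JSON report format."""
import json

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP riskcode values

# Constructed report: one site, three alerts (ids/names illustrative, not a real scan)
SAMPLE_REPORT = json.dumps({"site": [{"@name": "http://your-app.com", "alerts": [
    {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
     "count": "2", "instances": [{"uri": "http://your-app.com/", "method": "GET"},
                                 {"uri": "http://your-app.com/login", "method": "GET"}]},
    {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
     "count": "1", "instances": [{"uri": "http://your-app.com/", "method": "GET"}]},
    {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3",
     "count": "1", "instances": [{"uri": "http://your-app.com/search?q=test", "method": "GET"}]},
]}]})


def load_findings(report_text):
    """Flatten the per-site alert list into plain dicts with an integer risk level."""
    findings = []
    for site in json.loads(report_text).get("site", []):
        for a in site.get("alerts", []):
            instances = a.get("instances", [])
            findings.append({
                "site": site.get("@name"),
                "risk": int(a.get("riskcode", 0)),
                "pluginid": a.get("pluginid"),
                "alert": a.get("alert") or a.get("name"),
                "count": int(a.get("count", len(instances))),
                "uris": sorted({i.get("uri") for i in instances if i.get("uri")}),
            })
    return findings


def gate(report_text, min_risk=2, accepted_plugins=()):
    """Return (passed, blocking): findings at/above min_risk that are not on the
    accepted-risk allowlist of plugin ids, most severe first."""
    blocking = [f for f in load_findings(report_text)
                if f["risk"] >= min_risk and f["pluginid"] not in set(accepted_plugins)]
    blocking.sort(key=lambda f: -f["risk"])
    return (not blocking), blocking


if __name__ == "__main__":
    ok, blocking = gate(SAMPLE_REPORT, min_risk=2, accepted_plugins=("10038",))
    for f in blocking:
        print(f"[{RISK_NAMES.get(f['risk'], '?')}] {f['alert']} (plugin {f['pluginid']}, "
              f"{f['count']} instance(s)) {' '.join(f['uris'])}")
    raise SystemExit(0 if ok else 1)  # non-zero exit fails the pipeline step
```

Keep the accepted-plugin list in version control next to the workflow so that every suppressed finding has a reviewable history.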

Tools NOT Suitable for Every CI Run

  • OpenVAS: Too resource-intensive and time-consuming
  • sqlmap: Risk of affecting production databases
  • Metasploit: Actual exploitation inappropriate for CI

Re-testing After Application Changes

When new pages or APIs are added to applications:

Must Re-run

  1. Asset Discovery: Update endpoint inventory
  2. Web Application Scanning: Test new attack surfaces
  3. Manual Verification: Focus testing on new functionality

Code Example for Targeted Re-testing

#!/bin/bash
# Script for testing new endpoints
set -u
 
NEW_ENDPOINTS="${1:-}"  # File containing new URLs/APIs, one per line
 
if [ -z "$NEW_ENDPOINTS" ] || [ ! -r "$NEW_ENDPOINTS" ]; then
    echo "Usage: $0 <file-with-new-endpoints>" >&2
    exit 1
fi
 
echo "Testing new endpoints..."
while IFS= read -r endpoint; do
    # Skip blank lines and comments in the endpoint list
    case "$endpoint" in
        ""|\#*) continue ;;
    esac
    echo "Testing: $endpoint"
    
    # Directory enumeration
    python3 dirsearch.py -u "$endpoint"
    
    # Basic vulnerability scan
    zap-cli quick-scan "$endpoint"
    
    # SQL injection testing (non-interactive, lowest level and risk)
    sqlmap -u "$endpoint" --batch --level=1 --risk=1
    
done < "$NEW_ENDPOINTS"

Reporting and Documentation

Automated Report Generation with Dradis

# Install Dradis
bundle install
bundle exec rails server
 
# Import scan results
# Navigate to web interface and import:
# - Nmap XML files
# - OpenVAS XML files  
# - ZAP XML files
# - Burp Suite XML files
 
# Generate unified report
# Export to PDF/HTML format

Essential Report Sections

  1. Executive Summary: High-level findings and business impact
  2. Methodology: Tools and techniques used
  3. Findings: Detailed vulnerability descriptions with evidence
  4. Risk Assessment: CVSS scores and business impact analysis
  5. Remediation: Specific fix recommendations with timelines

Technical Best Practices

  • Test in isolated environments first
  • Maintain current tool versions to avoid false negatives
  • Cross-validate findings between multiple tools
  • Document everything with screenshots and proof-of-concept code
  • Use version control for custom scripts and configurations
  • Written authorization required before any testing
  • Scope limitations must be clearly defined
  • Professional liability insurance recommended for commercial services
  • Compliance certifications (ISMS, PCI DSS) often required for enterprise clients
  • Data handling procedures must follow local privacy laws

Summary

Building a comprehensive vulnerability assessment and penetration testing capability with open source tools is not only feasible but can be highly effective. The key is to:

  1. Start with the minimal viable toolkit of 6 essential tools
  2. Establish clear testing procedures that separate discovery from exploitation
  3. Implement appropriate CI/CD integration for continuous security testing
  4. Maintain proper documentation and reporting standards
  5. Ensure legal compliance and proper authorization for all testing activities

While individual practitioners can certainly master these tools for technical purposes, providing commercial security testing services typically requires proper business licensing, insurance, and compliance certifications. The technical foundation provided by these open source tools, however, forms the backbone of professional security testing capabilities.

Remember that security testing is both an art and a science - while automated tools provide broad coverage, human expertise is essential for interpreting results, identifying complex vulnerabilities, and providing meaningful remediation guidance.
