A variety of different free tools exist for Red Team operations, and, in many cases, a Red Team can get by just fine taking advantage of these free or open-source resources. However, a few commercial tools are available that might be worth the added expense to the Red Team.
Top paid Red Team tools
Acunetix is a web application vulnerability scanner that is designed to allow penetration testing. Features include the ability to scan for compliance against regulations and standards (PCI-DSS, OWASP Top 10 and so on) and to export discovered vulnerabilities to issue tracking tools or some firewalls to aid in remediation.
Acunetix has different features for its three pricing levels (Standard, Premium and Acunetix 360), but a major differentiator is the number of scans that can be performed at each level (Standard is capped at 20). In general, pricing is determined on a per-website basis.
Burp Suite is one of several tools on this list where there are both a free and a commercial version of the software. In the case of Burp Suite, the Red Team can choose from three different pricing options: Community, Professional, and Enterprise.
The Community edition of Burp Suite is the free option and is primarily intended for researchers and hobbyists. In this version of the tool, only the essential manual tools are available.
The Professional edition of Burp Suite has a yearly fee of $399 per user. It provides access to both the essential and advanced manual tools and the Burp Suite web security scanner, which can detect over 100 of the most common generic web application vulnerabilities.
The Enterprise edition of Burp Suite starts at $3,999 per year and provides complete access to the software’s functionality. This includes the web security scanner and provides options to make life easier for the Red Team (automated and scheduled scans, CI integration and built-in scalability).
Maltego is a commercial tool for managing searches of open-source intelligence. A lot of information about a customer and its employees can be found online without ever interacting with the target network. This can be invaluable for increasing the stealthiness of the Red Team’s initial reconnaissance. Maltego Classic starts at $999 and renews for $499, and the XL version starts at $1999 and renews for $999.
Metasploit is another example of a tool with both a free and a paid offering. However, the difference between the two versions of Metasploit is significant.
The Metasploit Framework is Rapid7’s free version of their tool. This open-source version of the tool is designed for developers and security researchers to develop and test new exploits for integration into the tool. It includes the ability to perform manual exploitation (with over 1500 exploits) and credential guessing, a basic CLI and the ability to import network scan data from tools like Wireshark.
The price of the Metasploit Professional edition is available upon request. It includes all of the functionality of the basic edition as well as a great deal of automation and advanced interfaces to make use easier. Additional features also include:
- Built-in network discovery
- Payloads designed to evade common antivirus features
- Integrated phishing and spearphishing functionality
- Web application testing (against OWASP Top Ten)
In general, while many of the features of the Metasploit Professional version can likely be found in other tools (network discovery with nmap, web application testing with Acunetix/Burp Suite and so on), the integration offered by Metasploit can save the Red Team significant time.
Nessus is an example of a security tool that started out free and open-source but later turned commercial. Nessus was started in 1998 but moved to a closed-source license under Tenable in 2005. Different security tools (like OpenVAS) are based off of the original Nessus code and remain open-source.
While Tenable offers a free version (called Nessus Essentials), its main offering for Red Teams is Nessus Professional. This tool allows scanning of unlimited IP addresses and has built-in templates for scanning for compliance, automated report generation and offline scans after updates to Nessus (to identify where previously unknown vulnerabilities may exist, based off of past scans). It retails for $2,390 per year with a premium for advanced support and a small discount for multi-year licenses.
Netsparker is a commercial web application and web API vulnerability scanner. It allows automated scanning of an organization’s web presence for common vulnerabilities and performs automated verification of any identified vulnerabilities to reduce the number of false positives that the Red Team needs to deal with.
Netsparker has three different pricing levels available: Standard, Team and Enterprise. However, a Red Team will probably need the Enterprise edition, since the Standard and Team versions are capped at scanning 20 and 50 websites respectively. The yearly price of Netsparker is based on the number of websites that the Red Team plans to scan.
When discussing tools for Red Team assessments, it’s important not to focus only on the technology. A significant part of most Red Team engagements is testing the physical security of the target as well as its network security.
Unlike digital security tools, physical security tools all cost money. Some examples of physical tools that might be useful on an assessment include:
- Lock picks (and similar tools like a shove knife or crash bar tool)
- USB keylogger
- Wi-Fi pineapple
- RFID cloner
When budgeting for Red Team engagements, it’s a good idea to price out and acquire the physical tools first. Afterwards, remaining budget can be spent on getting one or more of the commercial Red Teaming tools.
Conclusion: Commercial Red Team tools
The majority of the best commercial tools for Red Teaming provide many of the same features. Web application testing is a common focus, since the nature of a web application means that it is both publicly exposed and able to access sensitive data/functionality.
In Red Team engagements, you’ll be doing a lot of web application scans, so it’s probably worth getting a tool with a wide range of potential vulnerabilities to scan and a high level of automation. However, you probably won’t need more than one of these.
On the other hand, physical tools can make a big difference in the effectiveness of a Red Team assessment. The ability to get through a locked door in a hurry can mean the difference between getting caught and moving on to the next stage of the assessment. Dropped hardware can help with testing Wi-Fi security and social engineering, so picking up some goodies can be helpful when preparing for an engagement.