The comprehensive Intruder alternative for VAPT work

With Intruder, the story ends at exploitation and reporting.

Pentest-Tools.com’s Sniper Auto Exploiter deploys automation to reinforce your experience-driven exploitation and post-exploitation activities. So, if you already have access to the target’s login credentials, then you can combine the power of our Network Vulnerability Scanner with chained, custom testing flows using our pentest robots to discover hidden directories, open ports, outdated technologies, and all running endpoints behind a domain.

Intruder is promoted as an external scanner that mimics the actions of a malicious hacker and internal vulnerability scanner (network and agent-based). And it’s known for prioritizing results from its perimeter-specific scanning functionality, to help users distinguish the vulnerabilities to tackle immediately from the ‘noise’ found in typical vulnerability reports. Intruder’s reports also explicitly aim to help non-experts understand them.

Our Network Vulnerability Scanner coupled with the ready-to-use VPN Agent offers an encrypted VPN tunnel for internal scans straight from your browser, enabling you to operate like an on-site penetration tester:

• Avoid spending time traveling to client sites, compiling scripts or laboring on precise configurations
• From this encrypted and secure VPN connection, run our Port Scanner for perimeter searches or our Website Scanner
• Conduct a full network vulnerability assessment using our comprehensive range of penetration testing tools
• Automatically map the entire Attack Surface of locally running software, open ports, weak credentials, missing security patches, out of date services and software, and other misconfigurations that can lead to privilege escalation or unauthorized access to company data

All the usual types of scan are available, just as if you were running external scans.

Pentest-Tools.com’s external scanning tools, on the other hand, allows you to operate with the perspective of a malicious hacker:

• Swiftly pinpoint vulnerabilities that pose the most serious business risks, such as those identified in the OWASP Top 10 (2021), to which Pentest-Tools.com contributed
• Check items from your compliance list for regulations like the PCI DSS, which place a particular emphasis on network intrusions
• Combine and chain Sniper Auto Exploiter with pentest robots to find insecure configurations across the Attack Surface
• Watch as the Attack Surface is automatically populated with a full overview of the landscape to be ventured
• Gather an overview of locally running software and context that helps indicate potential business logic vulnerabilities that other scanners miss
• Satisfy known cybersecurity industry benchmarks, such as the NIST 800-115, CWE, STIG, and CIS

If there is a way in which unauthorized users can gain and exploit illegal access to your network, web applications, local software, servers, services, users, and data, this dashboard will expose forgotten and hidden, vulnerable access points. Then, once you pursue all security issues and evidence of exploits, you can relax while scan findings are populated and ready for automatic compilation in a professionally designed report.

Regardless of the approach, scheduled scans continue to populate the Attack Surface. For both internal and external scans, you can customize scheduled, parallel and bulk scans, credentialed or authenticated scans, and have a choice between Light and Deep Scans. This information can then be integrated into the SDLC so that the development team can continuously work on hardening the security posture on each point.

Intruder bills itself as ‘developer-friendly’, and it even has a neat Emerging Threat Scans automation that scans website applications for known vulnerabilities as soon as they are identified, whether you have a scan scheduled for that day or not. This can save developers who are genuinely busy with other remediation responsibilities much time and effort.

Pentest-Tools.com, however, is designed from the ground up with seasoned security professionals in mind – those who prefer to configure their penetration testing tools before setting off on an adventure. So, while Pentest-Tools.com operates as a unified platform, it is no less a toolkit of powerful tools you can also deploy individually to burrow below the surface in a defined direction.

We’ve grouped our Reconnaissance Tools for quick access, because we know you’ll sometimes want to get oriented before mapping out the next part of your engagement. And, you can also run a full Website Recon to pick up on all the issues with server-side and client-side technologies deployed across multiple hosts. Informed with a complete map of the Attack Surface discoveries on domains, subdomains, hosts, and ports, you’ll be in a better position to explore purposefully across web apps, CMSes and networks.

If you simply need to scan for web application security, you can jump straight to our Website Vulnerability Scanner. And, you can delve deeper with our pre-configured, proprietary tools that tackle the biggest web application security threats face-on, XSS and SQLi. Our XSS Scanner pinpoints Cross-Site Scripting vulnerabilities, enabling you to rapidly collate information, scan websites and networks, then exploit specific XSS weaknesses and report on them. Similarly, our proprietary SQLi Scanner provides you with solid proof for SQLi risk PoCs.

On this next part of your engagement, you may prefer the agility afforded by our precision Web CMS Scanners. If your client’s technology is built on modern CMSes, you can opt to assemble scans using our dedicated WordPress , Drupal, Joomla, or SharePoint scanners to identify platform-specific misconfigurations and out-of-date plugins, templates, themes, and other components.

Finally, our Network Scanners get regular updates to track down the remaining security weakness with an infrastructure-wide scan to test internal network security as if you were on-site:

• You will identify high risk CVEs such as Log4Shell, ProxyShell, and ProxyLogon
• And you can also conduct security checks that will discharge your responsibilities under industry compliance standards and benchmarks such as:
  • PCI DSS
  • SOCII
  • HIPAA
  • GDPR
  • ISO
  • the NIS Directive and others

Using a combination of our passive and non-intrusive Light scans and endlessly-configurable Deep scans with additional active checks, you can opt to automate repetitive manual work, such as attack surface mapping and rescanning across web applications, networks, and individual CMSes. We keep a public change log, so your scheduled scans automatically assimilate and test for all the latest vulnerabilities, such as:

• Oracle WebLogic Server CVE-2022-21371
• Zabbix Unsafe Session Storage (CVE-2022-23131)
• Spring4Shell (CVE-2022-22965)

This frees up more of your time to plan for lateral movement or achieve RCE.

Play "Get RCE evidence for Confluence CVE-2022-26134 - ethical exploitation with Sniper Auto-Exploiter" video

To stimulate your appetite for a deep dive, first you can reconfigure scan templates and settings to run additional, precision checks. Further custom exploration at depth is possible by using our thorough offensive tools.

Sniper Network Graph – shortlisted in the Excellence Award, Industry Leadership in the SC Awards Europe 2022 – is the latest new functionality available in Sniper Auto Exploiter, providing:

• A panoramic summary of the entire topology of the target’s network configuration
• A view of all the connections between your target and other hosts, including exploit paths that show how the target can be compromised
• A list of all the communication protocols for each connection
• A list of hosts from nearby network subnets

These features help you demonstrate how malicious actors could gain Remote Code Execution through critical, known CVEs.

Play "Sniper Network Graph – Automatic vulnerability exploitation with network visualization capabilities" video

If you really want to unearth the bottom feeders, you can get your hands dirty with a drag and drop visual editor to piece together our expert written, pre-compiled automated testing sequences and assemble your own pentest robots. This will simultaneously reduce 80% of your manual pentesting work and liberate you to explore without limits. You can use your own logic to:

• Chain our tools together to suit your own pentesting workflow
• Build automated testing flows to suit your own, preferred methodologies
• Maintain control over multiple stages of testing
• View the progress of our safe and non-invasive methods with the script from which you can gauge results

Plus, if you need to offload extensive engagements, our team of pentesters are certified by the National Cyber Security Directorate.

While Intruder’s key selling point is on saving you time, Pentest-Tools.com’s focus is on giving you the leverage to use that time wisely.

Here are the features that ensure your valuable time is directed on the right things: