I'd start with metasploit. You'll be hard-pressed to find a modern server with holes metaspolit can find, though, and the professional version is expensive.
Beyond metasploit, there are plenty of port scanners that can tell you what ports are open (google 'port scanner', maybe Zed Attack Proxy, or ZAP.)
Wireshark is free and can tell you what is happening 'on the wire'; Chrome Developer tools can help too.
For SQL Injection you might try SQLMap. For Cross-Site Scripting, JS and HTML injection consider acunetix.
Finally, I'd suggest burpsuite to observe what is going on over the wire, or another proxy like charles or fiddler for internet explorer. With burpsuite, you can intercept the message going over, change and resubmit it, and also do things like session hijacking - so you can take the session ID, start at 0, increment by 1 in a for loop and eventually see if you can find other open/valid sessions - all over SSL!