Penetration-Testing Tools — Complete List, Detailed Usage & Practice
(Meta Description: A practical, tool-focused penetration testing guide listing the essential tools (Nmap, Metasploit, Burp, Wireshark, sqlmap, John/Hashcat, Aircrack-ng, Nikto, Nikto, OWASP ZAP, Kali tools) with step-by-step usage, example commands and a safe lab practice. English and Hindi sections included separately.)
Essential Penetration Testing Tools, How to Use Them & Practical Lab
Quick intro (what this post covers)
This guide lists the most-used penetration-testing tools, explains why and when to use each, gives practical commands, and finishes with a safe lab exercise so you can practice legally. Use these tools only in authorized environments (your lab or written permission).
1) Recon & Discovery
Nmap (Network Mapper) — the de-facto port/host discovery and version detection tool. Use for initial host discovery, service/version detection and NSE scripts. Example:
-sC runs default scripts; -sV probes service versions. Nmap’s official docs remain the best reference.
Masscan — ultra-fast internet-scale port scanner (useful for large ranges). Use it when you need speed; follow up with Nmap for accuracy.
2) Web Application Testing
Burp Suite (PortSwigger) — intercepting proxy with tools: Proxy, Repeater, Intruder, Scanner (Pro) and Extensions. Typical flow: proxy browser → capture request → use Repeater to tweak → use Intruder/Scanner for automated payloads. Example: intercept login request, use Repeater to test inputs, then run Intruder for credential stuffing. Burp docs have step-by-step guides for Intruder and Repeater.
OWASP ZAP — open-source alternative (automation friendly for CI pipelines). Use ZAP for passive scanning and scripted crawling.
sqlmap — automated SQL injection scanner/exploiter:
Use --batch to run non-interactive; --dump extracts DB contents.
Nikto / Wfuzz / Dirb — quick web server/vuln scanning and content discovery.
3) Exploitation Frameworks
Metasploit Framework — powerful exploit framework (msfconsole) for privilege escalation, payloads and post-exploitation. Typical use:
Metasploit docs explain msfconsole workflows and module options.
Impacket — collection for SMB/NTLM relay, lateral movement and scripting (psexec-like tools).
4) Network & Packet Analysis
Wireshark / tcpdump — capture and analyze packets. Use tcpdump -w capture.pcap on the attacker or switch span port; analyze with Wireshark for protocol anomalies and credential leaks.
Responder — LLMNR/NBT-NS/MDNS poisoner to capture NetNTLM hashes on Windows networks.
5) Password Cracking & Hash Tools
John the Ripper & Hashcat — offline cracking tools. Example Hashcat command:
Hashcat uses GPUs and large wordlists for speed. OWASP references these for brute-force and password auditing.
6) Wireless & RF Testing
Aircrack-ng suite — monitor, capture handshakes, crack WPA/WPA2 with wordlists. Typical pipeline: airodump-ng → aireplay-ng (deauth) → capture handshake → aircrack-ng to crack.
7) Post-exploitation & Privilege Escalation
Mimikatz — extract credentials and hashes from memory on Windows (use only in lab with permissions).
PowerSploit / Empire / Covenant — post-exploitation frameworks for persistence and lateral movement. Always document and isolate artifacts.
8) Forensics & Evidence
Volatility / Rekall — memory forensics to analyze artifacts in RAM after compromise. Useful for incident response.
9) Automation, Reporting & Orchestration
Kali Linux / Parrot OS — distributions bundling numerous pentest tools; Kali’s tool list and community resources are helpful for staying current. StationX and Kali resource lists summarize essential tools in one place.
Burp + Jenkins + ZAP — integrate scanning into CI for app security.
Practical Lab — Step-by-Step (Safe & Legal)
Goal: Perform a full small-scope test on a vulnerable VM (DVWA or Metasploitable) inside an isolated lab.
Setup
-
Host machine → VirtualBox/VMware.
-
Create two VMs: Kali (attacker) and Metasploitable/DVWA (target). Network: Host-only or internal. Snapshot both VMs.
Phase A — Recon
Analyze open services (SSH, HTTP, FTP).
Phase B — Web Test
Point browser through Burp proxy, browse web app. Use Burp Repeater to tamper parameters and Burp Scanner (or ZAP) for automated checks. Try sqlmap where input looks injectable.
Phase C — Exploit & Gain
If you find an upload or RCE, use Metasploit exploit module to gain a shell; capture evidence (screenshots, commands used). Example:
Phase D — Post-Exploit
Run whoami, uname -a, gather config files, look for SUID binaries, weak sudoers. Use linpeas/winpeas scripts for quick local enumeration.
Phase E — Report
Create an Executive Summary, reproduce steps (with commands and screenshots), CVSS score per finding, and prioritized remediation steps.
Best Practices & Ethics
-
Always get written permission (scope & ROE). Follow PTES/OWASP guidance. OWASP Foundation
-
Combine automated scanning with manual validation to avoid false positives.
-
Isolate labs, snapshot before/after, and never run exploits on production without authorization.