Pentesting Basics: What Tools I Use — and Why


Pentesting (penetration testing) is part art and part science. It is the process of attacking systems legally and under monitoring in order to identify and repair vulnerabilities before real attackers exploit them. Over time, I have built a toolkit that helps me move through the typical pentest phases (reconnaissance, scanning, exploitation, post-exploitation and reporting) with safety, repeatability and documentation in the foreground.

Below is a practical guide, aimed at beginners and intermediates, to the categories of tools I use, my favorites in each category, why I pick them, and how I keep my work ethical and safe.

A quick note on ethics and legality

Before anything else: do not use any of these tools against systems you do not have permission to test. Unauthorized testing can be harmful and illegal. Always obtain written authorization and a defined scope, and use isolated labs while learning.

The pentest workflow I use (high level)

  1. Scope and rules: written authorization and specific objectives are mandatory.

  2. Reconnaissance: passive, non-intrusive information gathering.

  3. Scanning and enumeration: identify open services, versions and the possible attack surface.

  4. Exploitation (ethical): validate vulnerabilities only within the agreed scope.

  5. Post-exploitation and pivoting: assess the impact, but stay within the agreed limits.

  6. Cleanup: remove any artifacts and restore systems where needed.

  7. Reporting: evidence-based, clear findings and remediation actions.

Each step is mapped to tool categories listed below.

1) Reconnaissance and OSINT: map the surface

Goal: discover what is publicly known about the target without touching its systems.

Why it matters: good recon reduces wasted effort and often uncovers easy wins (misconfigured subdomains, forgotten assets, leaked credentials).

Tools I use
  • Shodan/Censys (web): find internet-connected devices and exposed services.

  • theHarvester: collect emails, hostnames and other open data from publicly accessible sources.

  • Amass: robust subdomain enumeration and passive footprinting.

  • Google dorking: purpose-built search queries to locate information that should not be exposed (always passive).

Why these?
  • They reveal assets and context with no active testing.

  • Amass and Shodan offer complementary perspectives: one focuses on DNS/OSINT, the other on services exposed to the internet.

Ethics advice: prefer passive enumeration first; it is non-disruptive and less likely to trigger alarms.

2) Discovery & Scanning: find live hosts and services

Goal: find live hosts, open ports, service versions and basic weaknesses.

Tools I use
  • Nmap: the Swiss army knife of host discovery, port scanning and service fingerprinting.

  • masscan: extremely fast network scanner that can cover huge ranges (use with caution).

  • RustScan: a faster port discovery tool that hands its results to Nmap.

  • Nessus/OpenVAS: vulnerability scanners that prioritize CVE identification.

Why these?
  • Nmap is flexible and reliable for customized scans.

  • masscan is a great option for scanning many addresses at once (in scope and with permission).

  • Nessus/OpenVAS turn findings into actionable CVE-based results, which helps with prioritization.

Safety warning: scanning can be loud. Coordinate scans with the ops team and choose scan intensity carefully.

3) Web Application Testing

Objective: find OWASP-style flaws (XSS, SQLi, authentication issues, misconfigurations, insecure deserialization).

Tools I use
  • Burp Suite (Community/Professional): intercepting proxy, scanner (Pro), Repeater, Intruder, extensible with plugins.

  • OWASP ZAP: free alternative with active scanning and automation features.

  • sqlmap: automated SQL injection detection and validation (use responsibly).

  • Nikto: web server scanning for outdated and misconfigured software.

  • Wappalyzer: fingerprints web technologies.

Why these?
  • Burp is the industry standard for manual web testing; the proxy -> Repeater -> Intruder -> scanner workflow is powerful.

  • ZAP is well suited to automation and integrates into CI pipelines.

  • sqlmap is an effective way to validate SQLi you have already found manually.

Practice guideline: combine automated scanners with manual testing. Automated tests find the low-hanging fruit; manual tests uncover business logic problems.

4) Exploitation & Post-Exploitation (Controlled)

Scope: prove impact safely (without causing harm) and gather evidence to support the remediation guidance.

Tools I use
  • Metasploit Framework: exploit and payload development with an extensive module collection. Ideal for PoCs and for learning how exploits work.

  • Cobalt Strike (commercial; only for authorized red-team engagements): simulates advanced adversary behavior in strictly controlled, ethically regulated settings.

  • Empire/Covenant (awareness only): post-exploitation frameworks used by both attackers and defenders. I study them to strengthen blue-team defenses.

  • CrackMapExec: lateral movement / AD assessment tool (powerful for Windows domain engagements).

  • Mimikatz: credential and password analysis tool, used to demonstrate credential exposure (use with extreme care and only within scope).

Why these?
  • Metasploit lets you turn scan results into valid PoCs quickly.

  • Post-exploitation frameworks help assess impact (persistence, credential theft, lateral movement) so that defenders are prepared.

The most important safety rule: never leave persistence mechanisms or backdoors in a client environment unless they are signed off and documented as part of the agreement.

5) Active Directory & Enterprise Assessment

Objective: assess the attack surface inside Windows domains (Kerberos, Group Policy, misconfigurations).

Tools I use
  • BloodHound: visualizes relationships and attack paths within AD.

  • SharpHound (data collector for BloodHound): collects AD data for analysis.

  • Impacket (collection of Python tools): useful for testing protocol abuse and simulating lateral movement.

  • PowerView: AD enumeration and situational awareness.

Why these?
  • BloodHound helps security teams see privilege escalation paths they may not have noticed.

  • These tools reveal "realistic attack chains" that surface scans would not detect.

Respecting the organization: AD enumeration can be extremely noisy and trigger alarms. Coordinate and schedule it.

6) Network & Packet Analysis

Goal: monitor traffic so you can recognize attacks, exfiltration and misconfigurations.

Tools I use
  • Wireshark: packet capture and deep protocol analysis.

  • tcpdump: lightweight packet capture on servers or appliances.

  • Bro/Zeek: network monitoring and detection (a defensive tool, but extremely useful for understanding network behavior).

Why these?
  • Packet-level visibility is required to determine whether a vulnerability is actually being exploited, and to record the evidence needed to report it.
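The "scanning can be loud" point from section 2 is easy to see from the defender's side with Zeek. The following is an added example (my code, not from the original post) that parses constructed Zeek conn.log records and flags a source that touched many distinct ports in a short window with mostly failed handshakes; the window and threshold values are assumptions.

```python
"""Flag port-scanning sources in Zeek conn.log records (added example, not
from the post): a scanner appears as one source touching many distinct
destination ports in a short time, mostly without completing the handshake
(conn_state S0 = no reply, REJ = rejected)."""
from collections import defaultdict

# Constructed sample in Zeek's tab-separated format with a #fields header;
# only the columns this example needs are included.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.10\t10.0.0.5\t40001\t10.0.1.20\t21\ttcp\tREJ
1700000000.12\t10.0.0.5\t40002\t10.0.1.20\t22\ttcp\tSF
1700000000.14\t10.0.0.5\t40003\t10.0.1.20\t23\ttcp\tREJ
1700000000.16\t10.0.0.5\t40004\t10.0.1.20\t25\ttcp\tS0
1700000000.18\t10.0.0.5\t40005\t10.0.1.20\t80\ttcp\tSF
1700000000.20\t10.0.0.5\t40006\t10.0.1.20\t110\ttcp\tREJ
1700000000.22\t10.0.0.5\t40007\t10.0.1.20\t139\ttcp\tS0
1700000000.24\t10.0.0.5\t40008\t10.0.1.20\t443\ttcp\tSF
1700000000.26\t10.0.0.5\t40009\t10.0.1.20\t445\ttcp\tS0
1700000005.00\t10.0.0.9\t50001\t10.0.1.20\t443\ttcp\tSF
1700000006.00\t10.0.0.9\t50002\t10.0.1.20\t443\ttcp\tSF
"""

FAILED_STATES = {"S0", "REJ", "RSTOS0", "SH"}   # no handshake completed

def parse_conn_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def find_scanners(text, window=60.0, min_targets=8):
    """Return {src: (distinct host:port targets, failed-handshake ratio)} for
    every source that hit at least min_targets distinct targets in one window."""
    buckets = defaultdict(lambda: [set(), 0, 0])   # key -> [targets, failed, total]
    for rec in parse_conn_log(text):
        key = (rec["id.orig_h"], int(float(rec["ts"]) // window))
        entry = buckets[key]
        entry[0].add((rec["id.resp_h"], rec["id.resp_p"]))
        entry[1] += rec["conn_state"] in FAILED_STATES
        entry[2] += 1
    alerts = {}
    for (src, _), (targets, failed, total) in buckets.items():
        if len(targets) >= min_targets:
            alerts[src] = (len(targets), round(failed / total, 2))
    return alerts
```

Calling `find_scanners(SAMPLE_CONN_LOG)` flags only 10.0.0.5 (9 distinct targets, two thirds of them failed handshakes); the host that made two normal HTTPS connections is not reported.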

7) Wireless & IoT Testing

Objective: assess Wi-Fi security, misconfigured IoT devices and the wireless attack surface.

Tools I use
  • Aircrack-ng suite: capture and analyze Wi-Fi traffic (for reviewing security strength and detecting configuration errors).

  • Kismet: wireless network sniffer and detector.

Why these?
  • Wireless is often overlooked; weak encryption or misconfigured SSIDs make easy targets.

Legal warning: Wi-Fi testing must be within scope and isolated. Even passive listening is intrusive.

8) Password Cracking & Credential Analysis

Objective: test password strength and confirm the risk of credential exposure.

Tools I use
  • Hashcat: GPU-accelerated password cracking, used to audit password policies.

  • John the Ripper: a versatile cracker for a wide variety of hash types.

  • Have I Been Pwned (service): find out whether credentials have been disclosed in public breaches.

Why these?
  • Passwords are often the weakest link. A clear demonstration of how easily they crack drives change (MFA and passphrases).

Code of ethics: don't attempt to crack passwords for production accounts unless it is explicitly authorized and documented.

9) Reporting, Documentation & Collaboration

Objective: turn technical findings into actionable solutions for stakeholders.

Tools I use
  • Dradis/Serpico: collaborative reporting and evidence management tools.

  • Faraday, KeepNote and CherryTree: evidence recording and note-taking.

  • Markdown plus a template: for simple, reproducible, lightweight reports.

  • Screenshots/PCAPs/logs: always attach raw evidence to back up claims.

Why these?
  • A pentest is only as valuable as its report. Clear risk ratings, remediation actions and reproduction steps (for development/ops) are crucial for adoption.
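As an added example (my code, not the post's own template), the script below scores constructed findings on the three factors named later in this post (severity, exploitability, business impact), orders them for remediation, and refuses to mark a finding confirmed when no raw evidence is attached; the scoring thresholds and the client/scope placeholders are assumptions.

```python
"""Rank pentest findings and render a Markdown report (added example, not the
post's template): each finding is scored on severity, exploitability and
business impact (1-5 each), and a finding without raw evidence is flagged."""
from dataclasses import dataclass, field

@dataclass
class Finding:
    title: str
    severity: int         # technical severity, 1 (informational) .. 5 (critical)
    exploitability: int   # 1 (theoretical) .. 5 (trivial / public exploit)
    impact: int           # business impact, 1 (negligible) .. 5 (critical)
    steps: list           # reproduction steps written for dev/ops
    evidence: list = field(default_factory=list)   # screenshots, PCAPs, logs

def risk_score(f):
    """Product of the three factors (1..125): one low factor pulls it down."""
    return f.severity * f.exploitability * f.impact

def rating(score):   # thresholds are assumed; tune them per engagement
    labels = [(64, "Critical"), (27, "High"), (8, "Medium")]
    return next((label for floor, label in labels if score >= floor), "Low")

def render_report(findings, client="<CLIENT>", scope_ref="<AUTHORIZATION-ID>"):
    out = [f"# Penetration Test Report: {client}", "",
           f"Authorization / scope reference: {scope_ref}", "", "## Findings", ""]
    for n, f in enumerate(sorted(findings, key=risk_score, reverse=True), 1):
        score = risk_score(f)
        status = "Confirmed" if f.evidence else "UNVERIFIED: no raw evidence attached"
        out += [f"### {n}. {f.title} ({rating(score)}, score {score})",
                f"- Status: {status}",
                f"- Severity {f.severity}/5, exploitability {f.exploitability}/5, "
                f"business impact {f.impact}/5",
                "- Reproduction steps:"]
        out += [f"  {i}. {s}" for i, s in enumerate(f.steps, 1)]
        out += [f"- Evidence: {e}" for e in f.evidence] + [""]
    return "\n".join(out)

SAMPLE_FINDINGS = [   # constructed findings for a hypothetical client
    Finding("Outdated TLS configuration on public gateway", 3, 2, 4,
            ["Run the authorized TLS configuration scan from the scoped tester IP",
             "Compare the offered cipher suites with the client's crypto standard"],
            ["gateway-tls-scan.txt"]),
    Finding("Domain password policy allows 6-character passwords", 2, 5, 5,
            ["Review the minimum password length in the Default Domain Policy"]),
    Finding("Default credentials on lab network switch", 4, 5, 2,
            ["Verify the vendor default login on the in-scope switch management page"],
            ["switch-login.png"]),
]
```

`print(render_report(SAMPLE_FINDINGS))` lists the password policy finding first (score 50, High) and marks it unverified because no evidence file is attached, which is exactly the kind of gap a reviewer should catch before the report ships.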

10) Lab & Learning Environment (where I test)

What I run locally
  • Kali Linux: a pentest distribution that bundles many of the tools mentioned above.

  • Parrot OS: alternative pentest distro.

  • Vagrant VMs (VirtualBox, VMware): a lab environment for safe experimentation.

  • Targets: Metasploitable, DVWA, Juice Shop, AD lab VMs.

Why this setup?
  • Keeps experimentation contained.

  • Lets me practice attacks and defenses without harming production.

Why I picked these tools: a quick summary

  • Open source with community support: tools like Nmap, Burp Community, Metasploit and Wireshark have large user bases and extensive documentation. That matters when learning or troubleshooting.

  • Industry adoption: Burp, BloodHound and Metasploit are widely used by both blue and red teams, which gives excellent interoperability and knowledge sharing.

  • Balance between manual and automated: automated scanners speed up discovery, but manual tools (proxy, packet analysis) are required to validate and understand complex issues.

Practical advice and best practices

  • Begin with recon and non-intrusive techniques. Save noisy scans for scheduled windows.

  • Record everything: timestamps, commands (in your personal lab) and evidence files. Reproducibility builds trust.

  • Use snapshots for lab machines so you can revert after destructive tests.

  • Engage with the defenders: share results, indicators of compromise (IOCs) and detection recommendations.

  • Prioritize remediation: severity, exploitability and business impact should be the primary factors driving fixes.

  • Keep learning: reading CVE reports, exploit writeups and defensive research sharpens both offensive and defensive skills.

Learning path & resources (safe, ethical)

  • Learn the OWASP Top 10 for web app risks.

  • Practice in legal settings: Hack The Box, TryHackMe or your local VM labs.

  • Certifications that teach methodology: OSCP, eJPT, CEH (choose one based on hands-on vs. theoretical emphasis).

  • Follow reputable blogs and vendor advisories to stay up to date on exploits and patch information.

Final thoughts

Pentesting isn't just about operating tools. It's a disciplined procedure that combines technical skill, clearly documented reconnaissance, and ethical conduct. The tools above form an effective toolkit that I return to again and again: they help me identify real risks, demonstrate their impact, and provide clear instructions for fixing issues so that systems end up more secure.
