Operating System

Kali Linux is an open source advanced penetration testing system. It comes preloaded with all the tools that you’ll need to carry out all types of pentesting.

Software

Nmap is a tool for network pentesting. It is used for network discovery and security auditing. It can scan a network for host machines and identify open ports, services and much more.

Metasploit is a penetration testing framework that is used to exploit vulnerabilities in a target system that have been identified by Nmap or other means. Exploits can be used to test the security of a target machine and gain entry.

Wireshark is a network sniffing tool/protocol analyser that can capture network traffic for analysis, troubleshooting and is widely used in education.

Burpsuite is for web application security and contains multiple tools that can be used for automated or manual penetration testing.

Maltego is a graphical open source intelligence tool for gathering data and connecting this data in a meaningful way using link analysis

Recon-ng is a free, open source web reconnaissance framework that is available on GitHub

Vulnerability Scanners

OpenVAS is a free vulnerability scanner with lots of features for detecting security issues

Nessus is another vulnerability scanner. They offer a free trial or various paid products

OWASP ZAP is a web application scanner that also offers vulnerability scanning

Vulnerable Resources

These are machines that are designed to be intentionally vulnerable for students to practice ethical hacking on. These are necessary as practicing active penetration testing on live machines is illegal. They require virtual machine software such as VMware Workstation Pro or the free alternative VirtualBox.

Metasploitable2 is a vulnerable Linux machine for network pentesting

Metasploitable3 has both a Linux and a Windows machine variant also for network pentesting

OWASP BWA – Broken Web Applications Project is a collection of vulnerable web applications to practice on

OWASP JuiceShop is an insecure web application that incorporates vulnerabilities from the OWASP Top Ten list of vulnerabilities

OWASP Webgoat is another insecure application that allows you to test for vulnerabilities found in Java applications

Penetration Testing Practice Lab – This page provides an extensive list of vulnerable links for all areas of pentesting. Each category represents a different challenge relating to penetration testing

© Copyright 2025 Pentesting101.net. Chankhe | Developed By Sparkle Themes. Powered by WordPress.