
Pentesting Tools & Resources To Get You Started

Entering the world of penetration testing can be daunting, but we've put together a guide on how you can familiarize yourself with platforms, security tools, and other useful resources to help you get started.

What is Penetration Testing?

Penetration testing is a form of security assessment that tests a system, network or software application, with the objective of identifying security vulnerabilities. Penetration testing helps to assess the security posture of the target IT assets and their configurations. In short, penetration testing helps to identify potential loopholes that might be exploited by an attacker.

Conducting penetration testing on an organization’s systems has multiple benefits, and there are different penetration testing approaches to choose from, as we described in our previous articles.

Into the world of Penetration Testing: Where to start?

For those who want to check out the field of penetration testing or just want to get a feel for what penetration testing looks like, we recommend free online platforms for brushing up on your skills in penetration testing and cybersecurity. There are different targets and penetration testing scopes (e.g. web, network and mobile). We recommend starting with the web because it is both familiar and the easiest entry point. Note that conducting penetration tests without permission and authorization is illegal, but there are platforms that permit the legal practice of pentesting. Besides free YouTube resources on problem solving across different hacking platforms, some other platforms that are gamified include:

For more advanced learning, check out these other practice grounds:

Penetration Testing Security Tools

Below are commonly used operating systems and security tools for various technical assessments.

Table of operating systems and security tools

Other Useful Resources

  • Infosec Institute Resource Center: A useful knowledge sharing area that provides news, updates, security tips, and technical information for penetration testing.
  • SecLists: SecLists is the security tester's companion. It is a collection of multiple lists used during security assessments. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, and web shells.
  • SANS Cyber Security Blog: Get the latest updates and news on penetration testing by SANS Institute.
  • Offensive Security Cheat Sheet by Red Teaming Experiments: A combination of exploit codes, network commands, and injection scripts that prove useful for penetration testing and red teaming.

Penetration Testing in a Structured Manner

If you are serious about pursuing the profession of a security practitioner, particularly as a penetration tester, it is important to provide consistent coverage and quality of work for every engagement. Below are some reference frameworks to learn the standard methodology:

  • NIST SP 800-115 
  • NSA IAM
  • CREST
  • CESG CHECK
  • CREST Tiger Scheme 
  • The Cyber Scheme
  • PCI DSS
  • PTES
  • OWASP
  • ABS Penetration Testing Guidelines
  • OWASP Top 10
  • CWE Top 25 Most Dangerous Software Errors
  • CREST Test Methodology

While executing the penetration test using a standardized methodology is important, we cannot emphasize enough the importance of being creative and curious, and of thinking outside the box. Your goal as a penetration tester is to find vulnerabilities and loopholes. That is why asking "What if?" and "Why?" questions is critical to identifying scenarios beyond the imagination of developers and architects.

Want to meet and be connected to other security professionals like you? Check out Infosec Conferences for the latest events in cybersecurity.

Noppon Umnajwannaphan

Noppon Umnajwannaphan is a Cyber Operations Consultant at Horangi with expertise in Vulnerability Assessment, Penetration Testing, and Network Security. He holds a Bachelor's Degree from Kasetsart University, Thailand.
