This is the next entry in the series, aimed at providing depth to parts of my "Hacking For A Living" presentation.

Further to the packed slide I gave during my presentation, here are the tools you should have a passing familiarity with. Note that these aren't the offensive tools, but the other programs you should be familiar with. Do bear in mind that my background is as an infrastructure tester; in my experience of web application testing, a lot of the information on the target was within a single application - Burp Suite.

Also, do look at the functionality and integration between up to date versions of Nmap, Nessus, and Metasploit - being able to easily transfer data between all three will enable you to do more testing in less time, making you more valuable as an employee, and more efficient as a tester.

The emphasis below is very much on Unix tooling. If you prefer to test from a Windows system I'd still recommend installing Cygwin to give you access to these, unless you're particularly adept at the Windows command prompt or PowerShell.

System and network monitoring tools

These will help you understand what your own system is doing, any bottlenecks or other issues that mean your system is slower than it should be, or any local connectivity issues causing you problems:

htop, iotop, ip, lsof, netstat, ps

Interrogating remote services or networks

All of these programs are useful for determining that you're on the right network, that you've got the right connection to your target systems, and so on. Some of them are also useful, in an elementary way, for obtaining information on whatever system or service it is you're attacking:

arp, arping, dig, host, hping2, netcat (in all its forms), nslookup, ping, openssl, socat, tcptraceroute, telnet, tftp, tracepath, traceroute, wget

Terminal multiplexers

These programs allow you to easily manage multiple programs simultaneously, or to keep a session up on a remote system that will survive a break in connectivity:

screen, tmux

Recording your output

These programs are useful for recording your tool output, or network traffic - so you can grab entries from their logs for your report, or demonstrate to a customer what was or was not happening on your testing system at a particular time:

script, snoop, tcpdump, tshark

Sorting, searching, and manipulating output

There's a lot here, and I should stress that you don't need to know them extensively; you just need to know *of* them, and have an idea of how to start using them when necessary:

awk, sed, head, tail, strings, grep, egrep, findstr, cut, sort, uniq, sponge, tee, pee

Recording your knowledge

You will learn a great deal as a penetration tester, and won't have access to old machines, reports or notes when you change employer. For recording what I learnt on a test, so I could easily reference it on a future test, I always liked TiddlyWiki. Find something that suits you, but I'd strongly recommend using something digital rather than a paper notebook - that way you can back up your notes, or easily search through them for a specific entry.

Programming Languages

You can arguably get by as a penetration tester with just a little bash shell scripting, but to really get on with automating your penetration testing workflow do look at advanced bash shell scripting, or Python. If you're going to be attacking Windows systems, a working knowledge of PowerShell is increasingly required.

A couple of commands it's worth familiarising yourself with, just so you can ensure the output from your tools, or your notes, isn't accidentally overwritten:

chmod, chattr

And also the text editor "vi", as you'll find it on any Unix system you have access to.
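As an added example (not from the original post) tying together the sorting and searching commands listed earlier with chmod for protecting the result: the sample "host port state service" lines are constructed for this example, not real output, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample tool output (not real scan data): one "host port state service"
# line each, in the style of a port scanner's grepable export. One line is duplicated
# on purpose, as happens when you paste together results from two runs.
SAMPLE_OUTPUT='10.0.0.5 22 open ssh
10.0.0.5 80 open http
10.0.0.7 22 open ssh
10.0.0.7 443 open https
10.0.0.5 22 open ssh
10.0.0.9 25 filtered smtp
10.0.0.9 80 open http'

# Each host that has at least one open port, listed once, in numeric IP order.
# A plain "sort -u" would order IPs as text, so sort on each dotted field numerically.
open_hosts() {
    printf '%s\n' "$SAMPLE_OUTPUT" |
        awk '$3 == "open" { print $1 }' |
        sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n -u
}

# How many distinct hosts expose each open service.
service_counts() {
    printf '%s\n' "$SAMPLE_OUTPUT" |
        awk '$3 == "open" { print $4, $1 }' |   # "service host" pairs
        sort -u |                               # drop the duplicated line before counting
        cut -d ' ' -f 1 |                       # keep only the service name
        uniq -c |                               # count adjacent repeats (input is sorted)
        sed 's/^ *//'                           # strip uniq's leading padding
}

# Save a result with tee (so it can still be seen on screen) and make the file
# read-only with chmod, so a later redirect cannot silently overwrite it.
# chattr +i would go further (immutable even for root) but needs root and an
# ext-style filesystem, so it is left as a comment here.
save_read_only() {
    out="$1"
    open_hosts | tee "$out" >/dev/null
    chmod 444 "$out"
    # chattr +i "$out"   # optional, root only
}
```

Run `open_hosts`, `service_counts`, or `save_read_only notes/open-hosts.txt` from a shell that has sourced the file.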

One last thing: familiarise yourself with "man" pages. I always find man pages useful reminders for how a tool or program works, but far less useful in determining why or when I should use it.