This is more of a suite than an actual tool, but if you are going to do any testing, whether it is infrastructure, web app or red teaming, this image will have what you need. Also, if you don’t know Linux this is a good way to get started; learning basic command line functions is essential. It can be run in a VM, off a USB stick and even on a Raspberry Pi!
This is the premier infrastructure testing tool. Not only is it powerful, but once you learn how to use it you will be able to customize it to fit your needs. A lot of other tools out there use a very similar framework to Metasploit, so learning this will help you understand other tools down the road. It contains numerous features for discovery, exploits, brute forcing, payloads, etc., and it is included in Kali Linux.
This is the simplest and easiest way to do recon on a system; you will always want to see what is going on with a system before starting your tests. In its most basic use, the tool allows you to find what ports are open. It can go beyond that, but we will save this for another time. The most important part of any penetration test is to understand your attack surface. You can also import this data directly into your Metasploit workspace for ease of use. It is included in most OS distributions.
Exploitable Virtual Machines
The most important part of your toolset for testing is to always test against systems you’re authorized to test. You do not want to use the above tools against public domains or your company without express permission; it can get you into a lot of trouble. So how do you learn? Stand up virtual machines using VM software such as VirtualBox or VMware Fusion and then go to town on your own private network. You can make it as complex or vulnerable as you want. A good one to start with for fun is the Metasploitable image; it is extremely vulnerable and ready to test.