Taken from TinkerSec's answer on https://www.peerlyst.com/posts/pentestez-iso-creating-a-new-pentest-instance-christopher-gebhardt?trk=profile_page_overview_panel_posts#comment-65ugaE4YQaQeQXbbc

OpenVAS - http://www.openvas.org/
Vulnerability Scanner. Easy to use. Web App Based. Point and Run. Great for high level vulnerability scan. Shows common "bad things" that could be exploited by malicious hackers. Good for Asset awareness (We don't have an Apache server in our environment?! Where did that come from?)

Zenmap - https://nmap.org/zenmap/
Host and Service Scanner. Good for Asset and Service Awareness. Put in an IP Address Range and sit back.

Burp Suite Community - https://portswigger.net/burp/communitydownload
Web Application Scanner. Good for going through web applications and spidering content. Has basic vulnerability scanner that goes into detail on how each vuln can be exploited by malicious hackers.

Armitage - http://fastandeasyhacking.com/
Graphical interface for Metasploit. This is what many people think of when they think of "hacking" or "pentesting". A lot of good tutorials on how to use this. Click on "Armitage Hailmary" for auto-pentesting (or auto-denial of service!)

Maltego Community Edition - https://www.paterva.com/web7/buy/maltego-clients/maltego-ce.php
Reconnaissance Tool for Open Source Intelligence (OSINT). Stalk companies or people - Great for demonstrations on what individuals leave out in the open. Good for gaining information on a target before hacking it.

Fern Wifi Cracker (Free Version) - http://www.fern-pro.com
Graphical Wifi and Wireless cracker. Can hack into WEP, WPS, WPA, WPA2 wireless access points.

Johnny - GUI for John the Ripper Password Hash Cracker - http://openwall.info/wiki/john/johnny
Get a hash? Crack the hash. Great for "offline" password attacks.

SPARTA - Network Enumeration and Brute Force - http://sparta.secforce.com/
Great for "online" password attacks and brute forcing. Can integrate with other tools well.

Wireshark - Network Packet Sniffer - https://www.wireshark.org/
Good to see what's talking on your local subnet or anything within broadcast. Good to see what's beaconing out from your own system. Good to demonstrate network communications and analysis.

IDA Debugger - Freeware - https://www.hex-rays.com/products/ida/support/download_freeware.shtml
More of an advanced tool, but good for initial demos. Load up a binary (e.g. executable) and reverse engineer it. Good for malware reverse engineering or vulnerability research.