How to fit tools in a Vulnerability Assessment & Penetration Testing ?

When we were attending conferences on IT security, we usually asked and learn many things.
Here is one of my question regarding VA/PT to expert in IT security, hope you like it and learn from it too, Because sharing is caring (Its time to Share now)

Student:

How to fit tools in a VA/PT?
Student:

Behalf of Learners – i would like to ask one question – so that beginners also can understand the first basic of penetration testing..
In most cases student attend hacking workshops or classes have basic understanding of few security tools. Typically students have used port-scanner, Wireshark, Metasploit etc etc.. Unfortunately most beginners do not understand how these tools fit into the PT. or it may cause the knowledge of beginners or its incomplete knowledge.. or lack of knowledge..

so according to Expert of Penetration Testing – What is the best way to Fit such kind of tools in manner – so that it will define one kind of framework of penetration testing officially.. ???
( just like i read one cycle of PT (A)Reco->Scanning->Exploitation->Maintaining Access->(A) )
IT Security Expert:
Not an expert – but from my viewpoint, VA/PT is not just about tools. A training should include the following:

  • Why we do VA/PT?
  • VA/PT Process and Framework (Which is not just about tools)

The main problem is that generally these are the theoratical part of the trainings and most of the students are not interested in the theory. Most of the beginners are interested in the “exploit” or “shell” part of it.

As part of the trainings, the tools should be covered in such a way that the students should know:

  • Whey we need to use tool?
  • Which tool to use?
  • When to use a particular?
  • What information should be gatherred or collected?
  • How to use the tool? (Various options and parameters)
  • Advantages and Disadvantages of using tools
  • How to create your own custom tools, etc.

To summarize, a good VA/PT training should balance both the Theory and Practial Hands-on equally and also at the same time give importance to the Technial and Management side of VA/PT.

(Thanks Manu Zacharia for such beautiful guidance on IT Security )