I’m preparing for my CEH exam and I want to build a modern home lab for practice. I know about Nmap and Metasploit, but what are the "must-have" tools that professional pentesters are using in 2024 for cloud environments and API security? Also, should I focus more on Kali Linux or are there better specialized distributions for modern web app hacking that I should be exploring right now?
3 answers
Kali Linux is still the gold standard, but for web apps, Burp Suite Professional is non-negotiable. In my 2023 engagements, I found that focusing on API security tools like Postman and OWASP ZAP was critical because so many breaches now happen via insecure endpoints. For cloud environments like AWS, you should definitely learn "Pacu"—it’s an exploitation framework specifically for AWS. Also, don't ignore "BloodHound" for active directory mapping; it’s incredibly powerful for visualizing attack paths in a corporate network that most other tools miss entirely.
Are you planning to incorporate any "Infrastructure as Code" (IaC) scanning tools like Checkov into your lab to practice DevSecOps?
Stick with Kali but learn how to use Docker for your tools. It makes it much easier to keep your environment clean and updated.
Andrew is right. Using Docker containers for specific tools like SQLMap prevents version conflicts that often break your whole Kali install.
Good call, Thomas. Modern hacking isn't just about finding an open port; it's about finding a misconfigured S3 bucket or a weak Terraform script. Checkov or Terrascan are great for that. To answer David's question: adding these to your lab will make you much more marketable. Pentesters who can read and secure code are in much higher demand than those who just run automated scanners.