https://nmap.org/
Free
The Swiss Army Knife to do everything. NSE Scripts are very cool
https://www.tenable.com/products/nessus-vulnerability-scanner
$2,000/year for unlimited scanning. Free Trial
Or there is a free fork of it call OpenVAS - http://www.openvas.org/
https://portswigger.net/burp/
$350/year for Pro. Also have free version.
Best web application tool out there for the money. Can allow you to do just about everything you would want to do to test a web application.
https://www.metasploit.com/
https://github.com/rapid7/metasploit-framework
Free
Scanner, exploiter, and great tool for network penetration test. The site will push you towards the pro edition. The Metasploit Framework is what you want and can be installed via Penetration Test Framework tools (below)
https://www.offensive-security.com/information-security-training/penetration-testing-training-kali-linux/
$1,000 for course and 60 days of labs
Best training class you can take for the money. The material is great (and you get get to keep it forever) and the labs are great places to learn how to enumerate, how to xploit, how to priv esc, etc.
https://pentesterlab.com/pro
$25/month or $200/year
Great labs to play around in, learn web app skills along with netpen stuff.
https://www.amazon.com/dp/1118026470/ref=cm_sw_r_cp_dp_T2_d6DGzbC3D2QX5
A little date but a great reference material for web app testing
https://lists.sans.org/mailman/listinfo/gpwn-list
Best source for new problems real-world pentesters are running into
https://techbeacon.com/top-25-infosec-appsec-leaders-follow-twitter Some of the best sources for new attacks, techniques, etc. come from the security people on Twitter. Follow them. Follow the people they retweet and you will learn a lot.
https://blog.netspi.com/hacking-with-jsp-shells/
https://www.kali.org/
Linux distro with lots of security testing tools installed. If you'd rather add securtiy tools to your existing Linux install you can use... -> PTF
https://github.com/trustedsec/ptf
Use to install pentest tools on existing Linux distro
https://github.com/BloodHoundAD/BloodHound
Tool to query AD and map out the relationships between computers, users, and privileged users. Can create an attack plan for your pivots.
https://github.com/SpiderLabs/Responder
NBT-NS and LLMR DNS poisoner to grab AD user password hashes from the wire
https://www.powershellempire.com/
Post-exploitation agent with tons of modules to help you pass-the-hash, escalate privileges, drop cached credentials, etc.
https://www.aircrack-ng.org/
Suite of tools to put your (supported) wireless card in monitor mode, sniff the wireless traffic, capture the SSID, and crack the PSK.