little help on Kali tools

APTI

I just installed Kali on a VM on my system. Not sure why people can't install this; it worked fine for me. What I would like to find is a list of the many tools, what they do and how they work. Specifically I am looking to pentest a few networks, so anything that exploits Apache or BitLocker (Windows) would be a great help. GUI preferred, but I can make a GUI if I like the CLI version. I just want to check that exploits on Apache have been handled and be able to recover info from BitLocker when they lose the key.
So, suggestions welcome.
 


All the GUI tools should be in this start menu thing. Also https://www.kali.org/tools/all-tools/
Already saw that, and it's no help unless I go into each one and hope it has enough info to see what it does and how it works. What I need is to see what each is used for in a summary. And Kali installs CLI versions; I haven't found the GUI.
 
Well, they are sectioned in the Kali menu. I'd recommend going through that list and getting a basic understanding of each. It's the way I learned about them too. It takes more time, but gives you a better result.
Learning to use them, and learning which to choose, will take lots of time and effort. Becoming Mr Robot takes a good bit of time ;) but it is an interesting journey.
 
I have started that journey but was hoping not to have to spend days looking at it all. The summary would make it easy to find what I need. I know what you mean, and yes, that is the best way, but I was hoping to do it with some priorities.
 
Specifically I am looking to pentest a few networks so anything that exploits apache or bitlocker (windows) would be a great help.
I haven't used Kali (Backtrack, in fact) for a long time, but there is a tool called metasploit-framework which contains a searchable internal database of a ton of exploits ready to launch at any target that offers online services.
Normally this would be your own server, of course, if you're testing the security of your server.

For instance, if you want to pentest to take control of your own Apache web server, you would search the database for "apache" exploits and then, from the list, try each one to see if any of them succeeds.
(you'll be amazed by how easy it is to take control of un-patched services)

Usually each exploit takes common and unique parameters which you need to supply before executing it.

The database is nothing but a collection of shellcodes, usually imported into a Ruby project (because that's what the framework works with, or at least did before), or shellcodes made with compiled languages, e.g. bytecode usable by Ruby, that work against specific CVEs.

If you're not a developer, then the "problem" with the database is that it's not cutting edge: you'll find exploits only for already known CVEs. For instance, you won't find the one for which no security patch has yet been deployed by OS and package maintainers.

If that's not good enough for you, you can expand the database by either downloading more shellcodes (exploits) from specific sites and integrating them, or by writing your own by inspecting the source code of the service you're targeting and finding vulnerabilities yourself. For this to work you'd need to know the language of the service being inspected and, at a minimum, Ruby for the implementation, although it's possible to write it in C/C++ or ASM and then import the shellcode into a Ruby module that works with the framework (basic Ruby knowledge should be enough for this).

Of course, before doing any of this, as always nmap is the first step. You want to master using nmap to be able to detect the exact service version of the target, as that's needed to figure out which exploit to use, search for or develop, or to know which commit of the service to inspect the source code of.

edit:
An example of an exploit written in Ruby for Metasploit:

You'll normally have it installed already and don't need to bother reading the code, but these are only against known CVEs that are well known and shared by the community.

Therefore it's not very useful for attack except against lazy people, but rather for defense, that is, to find holes in your Apache server to fix them.
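The nmap-then-Metasploit workflow the post above describes (fingerprint the service version first, then search the database for "apache" modules and set the target parameters), as an added example that is not part of the original thread and not code from the Kali or Metasploit projects. It parses the grepable output of `nmap -sV` to pull out the Apache httpd version and the host/port to aim at, then writes the resource script you would feed to `msfconsole -r`. A constructed sample scan is embedded so it runs offline; the host 192.0.2.10, the version strings and the function names are assumptions for illustration, while the nmap flags and msfconsole commands (`setg`, `search type:exploit name:apache`) are real.

```shell
#!/bin/sh
# Added example: nmap -sV -> Metasploit target workflow. Not from the forum post.
# Real-world commands it builds on: `nmap -sV -p- -oG scan.gnmap <host>` and
# `msfconsole -q -r apache.rc`.

# Constructed sample of `nmap -sV -oG -` output. Host, ports and version strings are
# invented for illustration; this is not the output of a real scan.
SAMPLE_GNMAP=$(printf '%s\t%s\t%s\n' \
  'Host: 192.0.2.10 ()' \
  'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.41 ((Ubuntu))/, 8080/filtered/tcp//http-proxy///' \
  'Ignored State: closed (997)')

# parse_open_ports: read grepable nmap output on stdin and print one tab-separated
# line per OPEN port: host, port, proto, service, version. Filtered and closed
# entries are skipped. Each port entry is laid out as
# port/state/proto/owner/service/rpc/version/ and entries are separated by ", ".
parse_open_ports() {
  awk -F'\t' '
    /Ports:/ {
      split($1, h, " "); host = h[2]
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^Ports: /) continue
        sub(/^Ports: /, "", $i)
        n = split($i, entry, ", ")
        for (j = 1; j <= n; j++) {
          split(entry[j], f, "/")
          if (f[2] == "open")
            printf "%s\t%s\t%s\t%s\t%s\n", host, f[1], f[3], f[5], f[7]
        }
      }
    }'
}

# apache_version: print the Apache httpd version nmap fingerprinted (e.g. 2.4.41),
# first match only. This is the number you compare against a module's description.
apache_version() {
  parse_open_ports | awk -F'\t' '$5 ~ /^Apache httpd / { split($5, v, " "); print v[3]; exit }'
}

# apache_target: print "host port" of the first open Apache httpd service.
apache_target() {
  parse_open_ports | awk -F'\t' '$5 ~ /^Apache httpd / { print $1, $2; exit }'
}

# build_msf_rc HOST PORT: emit a msfconsole resource script that pins the target
# globally (so every module you `use` afterwards inherits it) and runs the
# "search the database for apache exploits" step from the post.
build_msf_rc() {
  printf 'setg RHOSTS %s\nsetg RPORT %s\nsearch type:exploit name:apache\n' "$1" "$2"
}

# main [scan.gnmap]: use a real grepable scan file if one is given and readable,
# otherwise fall back to the constructed sample above.
main() {
  if [ $# -ge 1 ] && [ -r "$1" ]; then input=$(cat "$1"); else input=$SAMPLE_GNMAP; fi
  target=$(printf '%s\n' "$input" | apache_target)
  if [ -z "$target" ]; then echo "no open Apache httpd service found" >&2; return 1; fi
  echo "# Apache httpd $(printf '%s\n' "$input" | apache_version) on $target"
  build_msf_rc $target   # unquoted on purpose: "host port" splits into two arguments
}

main "$@"
```

Against a host you are authorised to test: `nmap -sV -p- -oG scan.gnmap <host>`, then `sh apache_msf.sh scan.gnmap > apache.rc && msfconsole -q -r apache.rc`. The module list that `search` prints is the "try each one" list from the post; matching the `2.4.x` version nmap reported against each module's description before running it is what keeps the test targeted rather than a spray of every Apache module.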
 