Credits to arch3rPro

Information Gathering

Domain name

  • whois - Windows Whois looks up the registration record for the domain name or IP address that you specify.
  • DNSrecon-gui - DNSrecon tool with a GUI for Kali Linux
  • Dnsx - dnsx is a fast and multi-purpose DNS toolkit that allows running multiple DNS queries of your choice with a list of user-supplied resolvers.
  • WhoisFreaks - Perform a Whois lookup for any domain

Subdomain

  • subDomainsBrute - A fast subdomain brute-force tool for pentesters
  • ksubdomain - Subdomain enumeration tool using asynchronous DNS packets; uses pcap to scan 1,600,000 subdomains in 1 second
  • Sublist3r - Fast subdomain enumeration tool for penetration testers
  • OneForAll - OneForAll is a powerful subdomain integration tool
  • LayerDomainFinder - a subdomains enumeration tool by Layer
  • ct - Collect information tools about the target domain.
  • Subfinder - Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
  • Probable_subdomains - Subdomains analysis and generation tool. Reveal the hidden!
    • domains - Generate subdomains and wordlists Online.
  • MassDNS - High-performance DNS stub resolver targeting those who seek to resolve a massive amount of domain names in the order of millions or even billions.
  • altdns - Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
  • dnscan - Fast and lightweight dns bruteforcer with built-in wordlist and zone transfer checks.
  • dnsenum - Comprehensive DNS enumeration tool that supports dictionary and brute-force attacks for discovering subdomains.
  • fierce - User-friendly tool for recursive subdomain discovery, featuring wildcard detection and an easy-to-use interface.
  • dnsrecon - Versatile tool that combines multiple DNS reconnaissance techniques and offers customisable output formats.
  • amass - Actively maintained tool focused on subdomain discovery, known for its integration with other tools and extensive data sources.
  • assetfinder - Simple yet effective tool for finding subdomains using various techniques, ideal for quick and lightweight scans.
  • puredns - Powerful and flexible DNS brute-forcing tool, capable of resolving and filtering results effectively.
  • Censys - Powerful search engine for internet-connected devices, with advanced filtering by domain, IP and certificate attributes.
  • crt.sh - User-friendly web interface with simple search by domain; displays certificate details and SAN entries.

Fingerprinting

  • Wappalyzer - Browser extension and online service for website technology profiling.
  • BuiltWith - Web technology profiler that provides detailed reports on a website’s technology stack.
  • WhatWeb - Command-line tool for website fingerprinting.
  • Netcraft - Offers a range of web security services, including website fingerprinting and security reporting.
  • wafw00f - Command-line tool specifically designed for identifying Web Application Firewalls (WAFs).

Google Hacking

  • GHDB - Google Hacking Database
  • SearchDiggity - SearchDiggity 3.1 is the primary attack tool of the Google Hacking Diggity Project
  • Katana - A Python tool for Google Hacking
  • GooFuzz - GooFuzz is a tool to perform fuzzing with an OSINT approach, managing to enumerate directories, files, subdomains or parameters without leaving evidence on the target’s server and by means of advanced Google searches (Google Dorking).
  • Pagodo - pagodo (Passive Google Dork) - Automate Google Hacking Database scraping and searching.
  • Google-Dorks - Useful Google Dorks for WebSecurity and Bug Bounty.

Github

  • GitHacker - A Git source leak exploit tool that restores the entire Git repository, including data from stash, for white-box auditing and analysis of developers' minds.
  • GitGraber - gitGraber is a tool developed in Python3 to monitor GitHub to search and find sensitive data in real time for different online services.
  • GitMiner - Tool for advanced mining for content on Github.
  • Gitrob - Reconnaissance tool for GitHub organizations.
  • GitGot - Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
  • GitDump - A pentesting tool that dumps the source code from .git even when the directory traversal is disabled

SVN

  • svnExploit - Supports SVN source code disclosure for full versions and dumps it.
  • SvnHack - SvnHack is an SVN folder disclosure exploit.

Port Scan

  • Nmap | Zenmap - Free and open source utility for network discovery and security auditing
  • Masscan - TCP port scanner, spews SYN packets asynchronously
  • Ports - Common service ports and exploitations
  • Goby - Attack surface mapping
  • Goscan - Interactive Network Scanner
  • NimScan - Fast Port Scanner
  • RustScan - The Modern Port Scanner
  • TXPortMap - Port scanner & banner identifier from TianXiang
  • Scaninfo - Fast scanner for red team tooling
  • SX - Fast, modern, easy-to-use network scanner
  • Yujianportscan - A fast port scanner GUI tool built with VB.NET + IOCP
  • Naabu - A fast port scanner written in go with a focus on reliability and simplicity.
  • Shodan.io - Shodan is the world’s first search engine for Internet-connected devices.

OSINT

  • theHarvester - E-mails, subdomains and names harvester - OSINT
  • SpiderFoot - SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
  • Recon-ng - Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
  • FOCA - Tool to find metadata and hidden information in the documents.
  • Amass - In-depth Attack Surface Mapping and Asset Discovery
  • Censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys.
  • EmailHarvester - Email addresses harvester
  • Finalrecon - The Last Web Recon Tool You’ll Need.
  • LittleBrother - Information gathering (OSINT) on a person (EU)
  • Octosuite - Advanced Github OSINT Framework
  • Kunyu - Kunyu, more efficient corporate asset collection
  • Glass - OSINT Framework with Fofa/ZoomEye/Shodan/360 API
  • BBOT - OSINT automation for hackers.
  • GHunt - Offensive Google framework.
  • OSINT Framework - A collection of various tools and resources for open-source intelligence gathering. It covers a wide range of information sources, including social media, search engines, public records, and more.

Phishing

  • gophish - Open-Source Phishing Toolkit
  • AdvPhishing - This is an advanced phishing tool! OTP phishing
  • SocialFish - Educational phishing tool & information collector
  • Zphisher - An automated phishing tool with 30+ templates. This tool is made for educational purposes only! The author will not be responsible for any misuse of this toolkit!
  • Nexphisher - Advanced Phishing tool for Linux & Termux

Vulnerability Analysis

Fuzzing

  • httpX - httpx is a fast and multi-purpose HTTP toolkit that allows running multiple probes using the retryablehttp library.

Vulnerability Scanner

  • Struts-Scan - Struts2 vulnerability detection and exploitation tools
  • Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items
  • W3af - Web application attack and audit framework, the open source web vulnerability scanner
  • Openvas - The world’s most advanced Open Source vulnerability scanner and manager
  • Archery - Open Source Vulnerability Assessment and Management helps developers and pentesters to perform scans and manage vulnerabilities
  • Taipan - Web application vulnerability scanner
  • Arachni - Web Application Security Scanner Framework
  • Nuclei - Fast and customizable vulnerability scanner based on simple YAML based DSL
  • Xray - A passive-vulnerability-scanner Tool
  • Super-Xray - Web vulnerability scanner XRAY GUI starter
  • SiteScan - All-in-one website information gathering tool for pentests.
  • Banli - High-risk asset identification and high-risk vulnerability scanner.
  • vscan - Open Source Vulnerability Scanner
  • Wapiti - Web vulnerability scanner written in Python3.
  • Scaninfo - Fast scanner for red team tooling
  • osv-scanner - Vulnerability scanner written in Go which uses the data provided by https://osv.dev
  • Afrog - A vulnerability scanning tool for penetration testing
  • OpalOPC - A vulnerability and misconfiguration scanner for OPC UA applications

Web applications

CMS & Framework Identification

Offline

  • AngelSword - CMS vulnerability detection framework
  • WhatWeb - Next generation web scanner
  • Wappalyzer - Cross-platform utility that uncovers the technologies used on websites
  • Whatruns - A free browser extension that helps you identify technologies used on any website at the click of a button (Chrome only)
  • WhatCMS - CMS Detection and Exploit Kit based on Whatcms.org API
  • CMSeeK - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs
  • EHole - CMS detection for red teams
  • ObserverWard - Cross platform community web fingerprint identification tool

Online

  • Yunsee - Online website to find the CMS footprint
  • Bugscaner - A simple online fingerprint identification system that recognises hundreds of CMS source codes
  • WhatCMS online - CMS Detection and Exploit Kit website Whatcms.org
  • TideFinger - Fingerprinter Tool from TideSec Team
  • 360finger-p - Fingerprinter Tool from 360 Team

Web Application Proxies

  • Burpsuite - Burpsuite is a graphical tool for testing Web application security
  • ZAP - One of the world's most popular free security tools
  • Mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
  • Broxy - An HTTP/HTTPS intercept proxy written in Go.
  • Hetty - An HTTP toolkit for security research.
  • Proxify - Swiss Army knife Proxy tool for HTTP/HTTPS traffic capture, manipulation, and replay on the go.

Web browser extensions

  • Hack-Tools - The all-in-one Red Team extension for Web Pentester
  • Wappalyzer - Wappalyzer is a browser extension that uncovers the technologies used on websites. It detects content management systems, web shops, web servers, JavaScript frameworks, analytics tools and many more.
  • FoxyProxy - Proxy changer tool

Web Crawlers & Directory Brute Force

  • Dirbrute - Multi-threaded web directory brute-forcing tool (with dictionaries included)
  • Dirb - DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the responses.
  • ffuf - Fast web fuzzer written in Go.
  • Dirbuster - DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.
  • Dirsearch - Web path scanner.
  • Gobuster - Directory/File, DNS and VHost busting tool written in Go.
  • WebPathBrute - Web path brute-forcer.
  • wfuzz - Web application fuzzer
  • Dirmap - An advanced web directory & file scanning tool that will be more powerful than DirBuster, Dirsearch, cansina, and Yu Jian.
  • YJdirscan - Yujian dirscan GUI Pro

Docker scanners

  • Fuxi-Scanner - Open source network security vulnerability scanner that comes with multiple functions.
  • Xunfeng - Xunfeng is a rapid emergency response and cruise scanning system for enterprise intranets.
  • WebMap - Nmap web dashboard and reporting.
  • Pentest-Collaboration-Framework - Open source, cross-platform and portable toolkit for automating routine processes when carrying out various testing work.

Database Assessment

  • Enumdb - Relational database brute force and post exploitation tool for MySQL and MSSQL
  • MDUT - Multiple Database Utilization Tools
  • Sylas - Multiple Database Exploitation Tools
  • ODAT - Oracle Database Attacking Tool
  • MSDAT - Microsoft SQL Database Attacking Tool

Password attacks

  • Hydra - Hydra is a parallelized login cracker which supports numerous protocols to attack
  • Medusa - Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer
  • Sparta - Network Infrastructure Penetration Testing Tool.
  • Hashcat - World’s fastest and most advanced password recovery utility
  • Patator - Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
  • HackBrowserDat - Decrypt passwords/cookies/history/bookmarks from the browser
  • John - John the Ripper jumbo - advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs.
  • crowbar - brute forcing tool that can be used during penetration tests. Supports OpenVPN, RDP (with NLA), ssh and VNC.

Wordlists

  • wordlists - Real-world infosec wordlists, updated regularly
  • SecLists - It’s a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
  • psudohash - Password list generator that focuses on keywords mutated by commonly used password creation patterns
  • wister - A wordlist generator tool, that allows you to supply a set of words, giving you the possibility to craft multiple variations from the given words, creating a unique and ideal wordlist to use regarding a specific target.
  • Rockyou - wordlists packaging for Kali Linux.
  • Weakpass - Wordlists for any kind of brute-force attack.

Wireless Attacks

Wireless Tools

  • Fern Wifi cracker - Fern-Wifi-Cracker is designed to be used in testing and discovering flaws in one's own network with the aim of fixing the flaws detected
  • EAPHammer - EAPHammer is a toolkit for performing targeted evil twin attacks against WPA2-Enterprise networks.
  • Wifite2 - Wifite is designed to use all known methods for retrieving the password of a wireless access point.
  • JackIt - Implementation of Bastille's MouseJack exploit. Easy entry point through wireless keyboards and mice during red team engagements.

Reverse engineering

  • Ollydbg - OllyDbg is a 32-bit assembler level analysing debugger for Microsoft Windows
  • IDA - The free binary code analysis tool to kickstart your reverse engineering experience.
  • Ghidra - A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission
  • Shell Storm - A website that contains interesting articles about reversing

Exploitation Tools

  • SPLOITUS - Sploitus is a convenient central place for identifying the newest exploits and finding attacks that exploit known vulnerabilities
  • SearchSploit - The official Exploit Database repository
  • Getsploit - Command line utility for searching and downloading exploits
  • Houndsploit - An advanced graphical search engine for Exploit-DB
  • OSV - Open source vulnerability DB and triage service.

Cross-site Scripting (XSS)

  • BeeF - The Browser Exploitation Framework Project
  • BlueLotus_XSSReceiver - XSS Receiver platform without SQL
  • XSStrike - Most advanced XSS scanner.
  • xssor2 - XSS’OR - Hack with JavaScript.
  • Xsser-Varbaek - From XSS to RCE 2.75 - Black Hat Europe Arsenal 2017 + Extras
  • Xsser-Epsylon - Cross Site “Scripter” (aka XSSer) is an automatic framework to detect, exploit and report XSS vulnerabilities in web-based applications.
  • Xenotix - An advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework
  • PwnXSS - PwnXSS: XSS vulnerability scanner and exploit
  • dalfox - DalFox is a powerful open source XSS scanning tool and parameter analyzer utility
  • ezXSS - ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.

Sql Injection

  • Sqlmap - Automatic SQL injection and database takeover tool
  • SSQLInjection - SSQLInjection is a SQL injection tool that supports Access/MySQL/SQLServer/Oracle/PostgreSQL/DB2/SQLite/Informix databases.
  • Jsql-injection - jSQL Injection is a Java application for automatic SQL database injection.
  • NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
  • Sqlmate - A friend of SQLmap which will do what you always expected from SQLmap
  • SQLiScanner - Automatic SQL injection with Charles and sqlmap api
  • sql-injection-payload-list - SQL Injection Payload List
  • Advanced-SQL-Injection-Cheatsheet - A cheat sheet that contains advanced queries for SQL Injection of all types.

Command Injection

  • Commix - Automated All-in-One OS command injection and exploitation tool

File Inclusion

  • LFIsuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
  • Lfi-Space - Lfi Scan Tool
  • Kadimus - Kadimus is a tool to check sites for LFI vulnerability, and also exploit it
  • Shellfire - Exploitation shell for exploiting LFI, RFI, and command injection vulnerabilities
  • LFIter2 - LFIter2 Local File Include (LFI) Tool - Auto File Extractor & Username Bruteforcer
  • FDsploit - File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.

File Upload

  • Fuxploider - File upload vulnerability scanner and exploitation tool

XML External Entity Attack (XXE)

  • XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out-of-band methods
  • Oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes

Cross-site request forgery (CSRF)

  • Deemon - Deemon is a tool to detect CSRF in web applications

Deserialization exploit framework

  • Ysomap - A helpful Java Deserialization exploit framework.

Exploit framework

  • POC-T - Pentest Over Concurrent Toolkit
  • Pocsuite3 - pocsuite3 is an open-source remote vulnerability testing framework developed by the Knownsec 404 Team.
  • Metasploit - The world’s most used penetration testing framework
  • Venom - Shellcode generator/compiler/handler (metasploit)
  • Empire - Empire is a PowerShell and Python post-exploitation agent
  • Starkiller - Starkiller is a Frontend for PowerShell Empire.
  • Koadic - Koadic C3 COM Command & Control - JScript RAT
  • Viper - metasploit-framework UI manager Tools
  • MSFvenom-gui - GUI tool to create payloads with msfvenom
  • MYExploit - A GUI tool for scanning OA vulnerabilities

Sniffing & Spoofing

  • WireShark - Wireshark is a network traffic analyzer, or “sniffer”, for Unix and Unix-like operating systems.
  • Cain & abel - Cain & Abel is a password recovery tool for Microsoft Operating Systems.
  • Responder - Responder is an LLMNR, NBT-NS and MDNS poisoner.
  • bettercap - ARP, DNS, NDP and DHCPv6 spoofers for MITM attacks on IPv4 and IPv6 based networks
  • EvilFOCA - Evil Foca is a tool for security pentesters and auditors whose purpose is to test security in IPv4 and IPv6 data networks.

Maintaining Access

Shell

  • Goshell - Generate reverse shells in the command line with Go!
  • Print-My-Shell - Python script written to automate the process of generating various reverse shells.
  • Reverse-shell-generator - Hosted reverse shell generator with a ton of functionality (great for CTFs)
  • Girsh - Automatically spawn a fully interactive reverse shell for a Linux or Windows victim
  • Blueshell - Generate reverse shells for red teams
  • Clink - Powerful Bash-style command line editing for cmd.exe
  • Natpass - A new RAT tool that supports web VNC and webshell
  • Platypus - 🔨 A modern multiple reverse shell sessions manager written in Go
  • shells - Script for generating revshells
  • Reverse_ssh - SSH based reverse shell
  • Hoaxshell - A Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell.

Listener

  • Netcat - Netcat is a featured networking utility which reads and writes data across network connections, using the TCP/IP protocol.
  • Rustcat - Rustcat (rcat) - The modern port listener and reverse shell.
  • Rlwrap - A readline wrapper.
  • Pwncat - Fancy reverse and bind shell handler.
  • Powercat - netshell features all in PowerShell version 2.
  • Socat - Socat is a flexible, multi-purpose relay tool.

Privilege Escalation Auxiliary

  • windows-exploit-suggester - This tool compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target
  • Windows-kernel-exploits - A collection of Windows kernel exploits
  • linux-exploit-suggester-2 - Next-Generation Linux Kernel Exploit Suggester
  • Linux-kernel-exploits - A collection of Linux kernel exploits
  • BeRoot - Privilege Escalation Project - Windows / Linux / Mac
  • PE-Linux - Linux Privilege Escalation Tool By WazeHell
  • Portia - Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised.
  • PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
  • GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
  • LOLBAS - Living Off The Land Binaries, Scripts and Libraries.
  • WADComs - WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
  • HijackLibs - DLL Hijacking is, in the broadest sense, tricking a legitimate/trusted application into loading an arbitrary DLL.
  • GTFOBLookup - Offline command line lookup utility for GTFOBins, LOLBAS and WADComs.
  • PrintNotifyPotato - Windows privilege escalation tool of the Potato family

Command & Control (C2)

  • DeimosC2 - DeimosC2 is a Golang command and control framework for post-exploitation.
  • Sliver - Implant framework
  • PHPSploit - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner
  • Shad0w - A post exploitation framework designed to operate covertly on heavily monitored environments (Win8, Win10)
  • Covenant - Covenant is a collaborative .NET C2 framework for red teamers.
  • Emp3r0r - Linux post-exploitation framework made by a Linux user
  • C3 - Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
  • byob - An open-source post-exploitation framework for students, researchers and developers.
  • Havoc - Havoc is a modern and malleable post-exploitation command and control framework.
  • Villain - Villain is a Windows & Linux backdoor generator and multi-session handler that allows users to connect with sibling servers (other machines running Villain) and share their backdoor sessions, handy for working as a team.

Bypass AV

  • Shellcodeloader - Windows shellcode loader that can bypass AV.
  • AV_Evasion_Tool - Antivirus-evading shellcode generation tool.
  • BypassAntiVirus - Series of articles on remote-control (RAT) antivirus evasion, with supporting tools.
  • MateuszEx - Bypass AV generation tool
  • FourEye - AV Evasion Tool For Red Team Ops
  • Phantom-Evasion - Python antivirus evasion tool
  • Terminator - Terminating all EDR/XDR/AVs processes by abusing the zam64.sys driver
  • foolavc - Obscures your executable for file checks and executes it in memory.

Code Audit

  • Cloc - cloc counts blank lines, comment lines, and physical lines of source code in many programming languages
  • Cobra - Source Code Security Audit
  • Cobra-W - Cobra for white hat
  • Graudit - Grep rough audit - source code auditing tool
  • Rips - A static source code analyser for vulnerabilities in PHP scripts
  • Kunlun-M - KunLun-M is a static code analysis system that automates detecting vulnerabilities and security issues.
  • Semgrep - Semgrep is a fast, open-source, static analysis engine for finding bugs, detecting vulnerabilities in third-party dependencies, and enforcing code standards.

Intranet penetration

Service detection

  • Netspy - A tool to quickly detect the reachable network segments of the intranet.
  • Cube - Intranet penetration testing tool for weak password brute-forcing, information collection and vulnerability scanning.

Port forwarding & Proxies

  • EarthWorm - Tunneling tool
  • Termite - Tunneling tool (Version 2)
  • Frp - A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet
  • Nps - A lightweight, high-performance, powerful intranet penetration proxy server, with a powerful web management terminal.
  • Goproxy - A high-performance, full-featured, cross platform proxy server
  • ReGeorg - The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn
  • Neo-reGeorg - Neo-reGeorg is a project that seeks to aggressively refactor reGeorg
  • Venom - A Multi-hop Proxy for Penetration Testers
  • Stowaway - Multi-hop proxy tool for pentesters
  • rport - Manage remote systems with ease.
  • PortForward - A port forwarding tool written in Go that solves the problem that internal and external networks cannot communicate in certain scenarios.
  • Suo5 - A high-performance http proxy tunneling tool

Rootkit

  • Beurk - BEURK Experimental Unix RootKit
  • Bedevil - LD_PRELOAD Linux rootkit (x86 & ARM)