PENTEST TOOLS ARCHIVE

HANDY OPEN SOURCE PENETRATION TESTING TOOLS AND FRAMEWORKS

In this section, I am listing open source penetration testing tools for your day-to-day pentest activity. Always use a combination of tools rather than relying on a single tool; this gives the best possible result and covers all 360 degrees of your target environment.





OSINT / RED TEAM PENETRATION TESTING
  • Infoga - Infoga is a tool for gathering e-mail account information (IP, hostname, country, ...) from different public sources (search engines, PGP key servers). - Download
  • gOSINT - OSINT framework in Go. - Download
  • Gasmask - Information gathering tool - OSINT - Download
  • Metadata-attacker - A tool to generate media files with malicious metadata - Download
  • Infog - Information gathering tool - Download
  • PatrOwl - Open Source, Free And Scalable Security Operations Orchestration Platform - Download
  • Mitaka - A browser extension for OSINT search - Download

    WEB APP PENTEST

    • Nikto - Nikto is a web server assessment tool. It is designed to find various default and insecure files, configurations and programs on any type of web server. - Download
    • Dirb - File and directory bruteforcing tool. - Download
    • Uniscan - Comprehensive web vulnerability scanner with directory bruteforcing, common vulnerability checking, open ports, default files, folder and plugin enumeration etc. - Download
    • Blackwidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website. - Download
    • CrawlBox - Easy way to brute-force web directory. - Download
    • WAScan - Web application scanner - Download
    • Taipan - Web Application security scanner - Download
    • WhatCMS - CMS Detection and Exploit Kit based on Whatcms.org API  - Download
    • Pyfiscan - Free web-application vulnerability and version scanner - Download
    • Astra - Automated security testing for REST API - Download
    • Galileo - Web Application Audit Framework - Download
    • BurpBounty - Burp Bounty is an extension for Burp Suite that lets you improve the active and passive scanner yourself. This extension requires Burp Suite Pro. - Download
    • Defectdojo - DefectDojo is an open-source application vulnerability correlation and security orchestration application - Download
    • CMSeeK - CMS (Content Management Systems) Detection and Exploitation suite - Download
    • Joomscan - OWASP Joomla Vulnerability Scanner Project - Download
    • TWA - Tiny web auditor with strong opinions - Download
    • TIDoS Framework - Offensive web application security testing framework - Download
    • SyHunt Framework - Hybrid web application security scanner (DAST & SAST) - Download
    • Atlas - Quick SQLMap tamper suggester - Download
    • XSStrike - Most advanced XSS detection suite. - Download

    NETWORK / INFRASTRUCTURE PENTEST

    • Wavecrack - Wavestone's web interface for password cracking with hashcat. - Download
    • Routersploit - Wavestone's web interface for password cracking with hashcat. - Download 
    • Domain Analyser - Domain analyzer is a security analysis tool which automatically discovers and reports information about the given domain. Its main purpose is to analyze domains in an unattended way. - Download
    • AutoSploit - As the name might suggest, AutoSploit attempts to automate the exploitation of remote hosts. Targets are also collected automatically by employing the Shodan.io API. The program allows the user to enter a platform-specific search query such as Apache, IIS, etc., upon which a list of candidates will be retrieved. - Download
    • Passhunt - Passhunt is a simple tool for searching for default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords. - Download
    • Knocker - Knocker Endpoint Security Assessment Framework - Download
    • Wifite2 - Rewrite of the popular wireless network auditor, "wifite". Automated wireless network auditing framework - Download
    • rogue - The Rogue Toolkit: An extensible toolkit aimed at providing penetration testers an easy-to-use platform to deploy Access Points for the purpose of conducting penetration testing and red team engagements. - Download
    • linkedin2username - OSINT Tool: Generate username lists for companies on LinkedIn - Download
    • SpiderFoot - SpiderFoot automates OSINT to find out everything possible about your target. - Download
    • ODIN - Tool for automating penetration testing tasks  - Download
    • subfinder - SubFinder is a subdomain discovery tool that can discover massive amounts of valid subdomains for any target. It has a simple modular architecture and has been aimed as a successor to sublist3r project.  - Download
    • Sn1per - Automated Pentest Recon Scanner - Download
    • Archery - Archery is an open-source vulnerability assessment and management tool that helps developers and pentesters perform scans and manage vulnerabilities. Archery uses popular open-source tools to perform comprehensive scanning of web applications and networks. It also performs dynamic authenticated scanning of web applications and covers the whole application by using Selenium. Developers can also use the tool in their DevOps CI/CD environment. - Download
    • Gyoithon - GyoiThon is a growing penetration test tool using Machine Learning. - Download
    • Vulners - Complete Vulnerability DataBase & Security Scanner - Download
    • Pentest-Machine - Automates some pentest jobs via nmap xml file - Download
    • CloudBunny - CloudBunny is a tool to capture the real IP of the server that uses a WAF as a proxy or protection. - Download
    • WebMap - Nmap Web Dashboard and Reporting. - Download
    • Aquatone - A Tool for Domain Flyovers. - Download


    MOBILE APP PENTEST

    • MobSF - Mobile Security Framework (MobSF) is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static and dynamic analysis. - Download
    • droidstatx - Python tool that generates an Xmind map with all the information gathered and any evidence of possible vulnerabilities identified via static analysis. - Download
    • Apktool - A tool for reverse engineering Android apk files - Download
    • Brida - Brida is a Burp Suite extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications’ own methods while tampering with the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX). - Download
    • ReverseAPK - Quickly analyze and reverse engineer Android packages. - Download
    • Andrax - Android penetration testing framework. - Download

    IoT/SMART DEVICES PENTEST

    • Bleah - A BLE scanner for "smart" devices hacking based on the bluepy library, dead easy to use because retarded devices should be dead easy to hack. - Download

    CLOUD SECURITY ASSESSMENT

    • Prowler - AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark. - Download

    MALWARE ANALYSIS

    • Malwoverview - Malwoverview.py is a first response tool to perform an initial and quick triage on either a directory containing malware samples or a specific malware sample. - Download 

    MISC PENTEST

    • Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy.  - Download
    • Prithvi - A report generation tool for security assessment - Download
    • EagleEye - Stalk your Friends. Find their Instagram, FB and Twitter Profiles using Image Recognition and Reverse Image Search. - Download
