The following include a list of pentest tools available across the web. Many are free and even open source, others are premium tools and require a monthly or yearly subscription. We’ll note when pentest tools aren’t free. We interviewed Cyver pentester Mike Terhaar for his favorites and highlighted them in the text.

*Please note some tools were included more than once when they fit well into several categories. In addition, all tools are in alphabetical order and not ranked. 

Attack / Adversary Simulation (Red teaming) (22 tools)

  • Atomic Red Team – Library of tests mapped to the MITRE ATT&CK Framework 
  • APT Simulator – Script & toolset to simulate the appearance of an APT attack 
  • ATT&CK Simulator – Automate adversary simulations for red/blue-purple teaming 
  • BlindSpot – Adversary simulator with red-team, breach simulation, and purple team capabilities. (Not Free)
  • Caldera – A framework for adversary emulation by MITRE
  • Cobalt Strike – A VM & threat emulation framework for adversary simulation / red teaming
  • Cymulate – Security posture management platform with red teaming (Not Free)
  • Dumpsterfire – Menu-driven tool for building distributed security events for red/blue/purple team drills
  • GreyMatter – Security operations platform with red teaming (formerly Threatcare) (Not Free)
  • Infection Monkey – Open-source breach and attack simulation platform
  • Invoke Adversary – Script for automating adversary threats
  • Mandiant – Security validation and adversary simulation tool in Google Cloud (Not Free)
  • MATE – Attack Simulator offered by Microsoft as part of 365
  • Metta – Open-source tool for network adversarial simulation
  • NSAUnfetter – Attack simulator based on the MITRE ATT&CK framework
  • Pentera – Automate insider & outsider attacks for red-team/purple team exercises (Not Free)
  • Red Team Automation (RTA) – Scripts based on 50+ MITRE ATT&CK tactics for blue teams
  • SafeBreach – Breach and attack simulation platform (Not Free)
  • – Cloud adversary emulation platform for red-team/purple team (Not Free)
  • SimSpace – Simulated environment for cybersecurity exercises (Not Free) 
  • Splunk Attack Range – Cloud and local environment builder for attack simulation 
  • THC Hydra – Attack-simulator tool for unauthorized access

Distros / Distributions (13 tools)

Distros are operating systems packaged with components designed for ethical hacking or pentesting – many with more specific focuses, such as web pentesting. 

“I like Parrot OS the most because it’s more flexible than Kali. Of course, that depends on what you need. Parrot is a default OS and you install what you need.” says Mike, “Kali is fixed. Kali is also fixed to their own update lists and patches, so if you change anything, it can break the system. I also like BlackArch’s OS a lot, but I have less experience with it because it needs more configuration, but I really like that you can do everything with one system.” 

  • ArchStrike – Arch GNU/Linux repository closely following LInux Standards
  • AttifyOS – GNU/Linux distribution built around IoT pentesting
  • BackBox – Ubuntu-based distribution for penetration tests and security assessments.
  • BlackArch – Arch GNU/Linux-based distribution with 2,500+ tools
  • CAINE – Computer Aided Investigative Environment is a digital forensics and analysis framework
  • Fedora Security Lab – Test environment for security auditing, forensics, system rescue, etc.
  • Kali – GNU/Linux distro for digital forensics and pentesting
  • Linux Kodachi – A Debian-based distro, boot from CD/USB, filters traffic through TOR and attempts trace cleanup after use
  • Network Security Toolkit (NST) – Fedora-based bootable live operating system
  • ParrotOS – Distro featuring multiple architecture options and 100+ pentest tools
  • Pentoo – Security-focused live USB-based on Gentoo for 32/64-bit OS
  • Samurai Web Testing Framework – Distro for pentesting on the web
  • The Pentesters Framework – Distro is organized around Penetration Testing Execution Standard (PTES)

Frameworks (17 tools)

“I use both ReNgine and Metasploit. Metasploit a bit less because you need more infrastructure level data.” says Mike, “ ReNgine gives you an impression of the general hygiene of the application and implementation, open services, hardening, etc. Metasploit is flexible, old-school, and makes life a lot easier. But ReNgine replaces an expensive tool like Nessus, delivering a lot in a single application” 

  • BetterCAP – Modular, portable, and easily extensible MITM framework.
  • Caldera – A framework for adversary emulation by MITRE
  • Canvas – An automated exploit system and exploit development framework. Costs $32,480 per year including third-party products.
  • Cobalt Strike – A Fortra VM & threat emulation framework
  • Dshell – Network forensic analysis framework
  • ExploitPack – Graphical tool with 39,000+ exploits for pentest automation
  • Empire – Post-exploitation adversary emulation framework 
  • IronWASP – Framework for web-application vulnerability testing with tools & scanner capabilities
  • Jok3r – A network infrastructure and web security assessment framework with automation & pentest tools
  • Metasploit – Post-exploitation pentest tools to verify vulnerabilities, manage assessments, and more. Open Source and Pro available. Pro costs roughly $15,000 per year. 
  • MobSF – An automated, mobile application pentesting, malware analysis and security assessment framework with static and dynamic analysis.
  • Pupy – Cross-platform remote administration and post-exploitation tool in Python & C
  • Recon-ng – A web-based reconnaissance framework  
  • ReNgine – Open-source reconnaissance framework 
  • routersploit – Open-source exploitation framework for embedded devices
  • shellsploit – Exploit development framework  
  • WordPress Exploit Framework – Ruby framework for WordPress pentesting 

Static and Dynamic Analyzers (15 tools)

“Snyk is a good one, I’m not much for it for pentesting, but for internal teams, it gives you insight and constant overview of your application vulnerabilities, changes, the impact of those based on vulnerabilities, etc.”

  • bandit – Python code analyzer with a focus on vulnerabilities
  • Brakeman – Static analysis security vulnerability scanner for Ruby on Rails applications.
  • cppcheck – Extensible C/C++ static analyzer and bug finder 
  • Checkmarx –Full suite of sast, dast, and code scanning tools built for internal teams (Not Free)
  • Coverity – Free static analysis solution for open-source projects
  • Codacy – AI-driven SAST for 40+ programming languages (Not Free)
  • FindBugs – Free ava static analyzer with a focus on bugs 
  • Forta WebInspect – Web scanner
  • Kiuwan – SAST and code analysis for vulnerability management (Not Free)
  • KlocWork – Compliance-based SAST (Not Free)
  • PMD – Source code analyzer for cross-language SaaS
  • sobelow – Phoenix Framework static analyzer focused on vulnerabilities 
  • SonarQube – Static code analysis for 30+ languages, frameworks, and platforms (Not Free)
  • Snyk – Vulnerability database and code scanner (Not Free)
  • Veracode – Static analysis and vulnerability management (Not Free)

Hacking & Exploitation Tools (160)

Anonymity Tools (5 tools)

“normally when I do a test it’s in the open and the owner knows it so I don’t have to hide, but in case of red teaming, then you need the stealth” 

  • I2P – Fully-encrypted private network layer 
  • Nipe – Script to make Tor your default gateway 
  • OnionScan – Discover vulnerabilities available through Onion-operated services
  • Tor – Onion-routed overlay network 
  • What Every Browser Knows About You – Test your own Web browser’s configuration

CTF Tools (3 tools)

  • ctf-tools – Scripts to install various security research tools and deploy to new machines
  • Pwntools – Rapid exploit development framework for CTFs
  • RsaCtfTool – Attack and decrypts RSA tools

DDoS Tools (11 tools)

“It’s never my goal to deliberately cause an outage on a customer network, but, of course, when red teaming, or if it’s part of the engagement, you should use a tool like this and MHDDoS is a favorite.” 

  • DDOS Ripper – DDOS attack server based on compromised computer systems 
  • CC-attack – Socks4/5 proxy-based multithreading attack
  • HOIC – LOIC with countermeasure workarounds 
  • JS LOIC – JavaScript in-browser version of LOIC.
  • LOIC – Open source network stress tool written in #C 
  • MHDDoS – Python3 DDoS attack script with 56 methods 
  • Nightmare Stresser – DDOS API for stress testing with up to 150 concurrent floods 
  • Raven-Storm – DDoS Toolkit with multiple attack protocols  
  • SlowLoris – Low bandwidth DDoS tool in Python 
  • T50 – Network stress tool
  • UFONet – Denial of service toolkit with multifunctionality 

Defense Evasion Tools (8 tools)

“I like Veil because it connects to Metasploit”, says Mike,  “If you write code and want to pass it through antivirus, you need to use a tool like Veil, but in the old days, Veil was already being blocked by antivirus systems, so you’ll probably want a range of tools in case the current version doesn’t get through the AV.” 

  • AntiVirus Evasion Tool (AVET) –Antivirus evasion tools 
  • Fireprox – AWS API Gateway management tool for Ip rotation 
  • Hyperion – Runtime encryptor for 32-bit portable executables (“PE .exes”).
  • – Hides malicious Windows executable from antivirus 
  • peCloakCapstone – Multi-platform fork of
  • Proxybroker2 – Auto-rotate IP via proxy
  • UniByAv – Generates antivirus friendly executables from raw shellcode 
  • Veil – Generate payloads to bypass common anti-virus solutions

Hash & Cracking Hacking Tools (12 tools)

“There are a lot of great tools for this. John the Ripper of course, Rainbow Tables, Cain and Abel. If you have a list and usernames and you know you’re working with a group of common users, you’re almost certain their password will fit in a list, so John the Ripper is your best option.” 

  • AirCrack – Wifi Password retrieval with FMS 
  • Brutus Password Cracker – Complex password retrieval with multi-stage authentication, brute force, dictionary, & more 
  • BruteForce Wallet – Wallet password search 
  • Cain and Abel – Sniffer and password cracking for forensics  
  • CrackStation – Browser-based password hash-cracking
  • CeWL – Custom wordlists for spidering to feed password crackers 
  • Hashcat – Hash cracking tool 
  • John the Ripper – Password cracker 
  • JWT Cracker – HS256 JWT token brute force cracker
  • Medusa – Brute-force parallel testing password cracker
  • Rainbow Crack – Hash cracker using large-scale time-memory technique
  • Rainbow Tables –  Rainbow table generator with verification

Hex Editors (14 tools)

“You can use a custom hex editor, but I use the hex in Burp with an integrated translator”  

  • Frhed – Binary file editor for Windows with partial file loading capabilities 
  • FS Hex Editor – Hexadecimal and ASCII file editor 
  • Hackman – Hex and binary editor with RAM viewer
  • HexEdit.js – Browser-based hex editing.
  • Hexinator – Hex tool with free and premium versions
  • Hexplorer – Hex editor with data mining tools  
  • HxD Hex Editor – View, edit, and save hex and source code files 
  • Kaitai Struct – Generate parsers and protocols 
  • MiTeX Hexadecimal – Hex and Octal file editor with calculator 
  • Open Freely – Hex viewer and editor 
  • Tiny Hexer – Hex viewer, binary searcher, and octal viewer  
  • Tyrannosaurus Hex – Open-source hex editor with color coding 
  • UltraEdit – Text, code, and hex editor 
  • Veles – Binary data visualization and analysis tool

IoT (3 tools)

“I still use the old school tools like Netcat and Nmap and nowadays, reNgine,” says Mike, “I start with NMap and follow up with NCat and that’s all I need.” 

Network Tools (20 tools) 

“Ettercap is an easy to use command line tool, you can write your filters on the go, you only get the information you actually want.” says Mike,  “That’s good if you want specific traffic details, however, if you don’t know what you’re looking for, ettercap is unusable. Wireshark is the same but with a graphical interface, so you can easily filter – which makes it more commonly used”.

  • BetterCAP – Modular, portable man-in-the-middle framework.
  • CrackMapExec – Suite of tools for network penetration 
  • Ettercap – Comprehensive suite for machine-in-the-middle attacks.
  • evilgrade – Fake update injection
  • Dripcap – Caffeinated packet analyzer for multiple OS
  • dnschef – Highly configurable DNS proxy
  • dnsenum – Perl script with DNS enumeration, zone transfer, dictionary attack, and reverse lookup functionality 
  • dsniff – Recon & infiltration tools for networks
  • impacket – Network protocol toolset focused on low-impact access 
  • Intercepter-NG – Multifunctional network toolkit for recon & interception 
  • Morpheus – Automated ettercap TCP/IP hijacking tool
  • Nginx – Graphical interface with scriptable access to network infrastructure scanning and enumeration tools
  • pig – Linux packet crafting tool with library of attack signatures 
  • pwnat – Punches holes in firewalls/NATs without port or DMZ setup required 
  • scapy – Python-based interactive packet manipulation program & library
  • Scap-workbench – A GUI tool with SCAP Scanner and tailoring functionality
  • tcpdump/libpcap – Command-line packet analyzer tool
  • Wireshark – A graphic interface surrounding tcpdump / network protocol analyzer 
  • Yersina – A network tool for 2-layer attacks 
  • Zarp – Network attack tool for the exploitation of protocols and stacks

Mobile Exploitation (8 tools)

  • Dex2Jar – Tool for Android “. dex” and Java “. class” files. 
  • Drozer – A mobile app security testing framework 
  • Frida “Universal” SSL Unpinner – Universal unpinner. 
  • Frida – Dynamic instrumentation toolkit
  • Genymotion: – Cross-platform Android emulator for developers & QA engineers
  • Jadx – Command line and GUI tool for producing java source code from Android Dex and APK files 
  • MobSF – A mobile application pentesting, malware analysis and security assessment framework with static and dynamic analysis.
  • Radare2 – Toolchain for forensics, software reverse engineering, exploiting, debugging, etc. 

Reverse Engineering Tools (16 tools)

  • binwalk – Analyze, reverse engineer, and extract firmware images
  • Capstone – Lightweight multi-platform, multi-architecture disassembly framework
  • dnSpy – .Net debugger and assembly tool 
  • Evan’s Debugger – DObugger for GNU/Linux.
  • Frida – A scriptable and portable dynamic reverse engineering toolkit
  • Immunity Debugger – Debugger with exploit and malware capabilities 
  • Interactive Disassembler (IDA Pro) – A multi-processor disassembler and debugger with free/premium versions 
  • Medusa – Open source, cross-platform interactive disassembler
  • peda – Python Exploit Development Assistance for GDB
  • plasma – Interactive disassembler for x86/ARM/MIPS
  • PyREBox – Python scriptable Reverse Engineering sandbox and framework 
  • Radare2 – Open source, cross-platform reverse engineering framework
  • rVMI – Full system analysis via virtual machine introspection 
  • Voltron – Debugger UK for hackers 
  • WDK/WinDbg – Microsoft Windows Driver Kit and WinDbg.
  • x64dbg – Open source x64/x32 debugger

Social Engineering Tools (6 tools)

“Catfish and Kingfish are nice tools, you can create your own social media campaigns, build complete websites, copy them, make the receiving end believe what you’re writing if they don’t look well enough” 

  • Beelogger – Tool for generating keyloggers for Windows
  • Catphish – Ruby fishing toolkit 
  • Evilginx2 – MITM attack framework used for phishing credentials and session cookies with 2-factor bypass 
  • King Phisher – Create and manage simultaneous phishing attacks with server and content tools
  • Social Engineer Toolkit (SET) – Social engineering toolkit with framework 
  • wifiphisher – Automated phishing attacks against WiFi network for red teaming or WiFi investigations 


(Windows) (8 tools)

“Sysinternals is a must-have. You can enumerate Windows systems, learn more about the environment the network is connected to. Mimikatz is also great for extracting sensitive data from system memory”

  • DeathStar – Python script to gain Active Directory administrative rights 
  • Fibratus – Windows kernel exploration and tracing tool 
  • Magic Unicorn – Shellcode generator and injection tool 
  • mimikatz – Extract windows credentials PowerSploit – PowerShell Post-Exploitation Framework
  • redsnarf – Post-exploitation tool to retrieving password hashes and credentials from Windows workstations, servers, and domain controllers.
  • Responder – LLMNR, NBT-NS and MDNS poisoner 
  • Sysinternals Suite – Microsoft’s Sysinternals Troubleshooting Utilities
  • Windows Exploit Suggester – Scan for missing Windows patches and vulnerabilities 


(macOS) (8 tools)

“I always build my Mac machine from scratch and the tools I use are Linux. The tools listed here are mostly for breaking into Mac, but it’s not common for companies to have a complete Mac network”. 

  • EggShell – Remote administration tool for OSX 
  • EmPyre – Post exploitation OS X agent 
  • EvilOSX – Remote Administration tool for OS X
  • Kemon – Open source kernel monitoring 
  • Keychain dump – Searches for unlocked keychain master keys
  • Machotools – Retrieve and change machotool data 
  • MOSL – Audit MacOS security settings 
  • PassiveFuzzFramework OSX – Fuzzing tool for OSX kernel vulnerabilities 

Web Testing (21 tools)

“DIrbuster only works if you have a good list. I sometimes use Zed, SQLMap, and those are my go-to with Burp.” Says Mike, “SQLMap is also really powerful if you have a hunch SQL injection is possible. It’s flexible and much faster than doing it by hand. Very fast and easy to automate” 

  • Burp Suite – An integrated platform for web-application pentesting (Free edition available) (Enterprise from $1,999 – Unlimited costs $49,999 per year). Some addons include: 
    • ActiveScan++ –Active & passive scanning extending basic capabilities 
    • BurpSentinel –Web application security hole discovery 
    • Autorepeater Burp – Automated HTTP request repeating
    • Autorize – Detect authorization vulnerabilities
    • Flow – Logging and history for tools, for troubleshooting 
    • Headless Burp – Run Burp Suite’s Spider and Scanner tools via command-line
    • Logger++ – A multi-threaded logging extension with filtering
    • WSDL Wizard – Scan target servers for WSDL files 
    • Retire.js – Scan for outdated Javascript Libraries 
    • TurboIntruder – Fast and scalable HTTP requests via python scripts 
    • ParamMiner – Discover hidden web application parameters 
    • Co2 – SQL mapper, scanner, SAML encoder, JWT decoder, hasher 
  • Browser Exploitation Framework (BeEF) – Command and control server for delivering exploits 
  • DirBuster – Brute-force over directories and web application server tool with hidden directory search 
  • Commix – Command-line injection & exploitation tool 
  • fimap – Python tool to find, prepare, audit, & exploit LFI/RFI bugs.
  • Kadimus – LFI scan and exploit tool.
  • Lazys3 – Ruby script to brute-force for AWS s3 buckets
  • liffy – LFI exploitation tool
  • LFI Suite – LFI exploiter and scanner
  • NoSQLMap d –Audit for and automate injection attacks, exploit configuration weaknesses, and clone data 
  • OWASP Zed Attack Proxy (ZAP) – Scriptable HTTP intercepting proxy and fuzzer for web applications 
  • Payloads All The Things – Payloads and bypasses for Web Application Security.
  • sslstrip2 – SSL stripping tool 
  • SSRFTest – Server Site Request Forgery tool
  • SQLNinja – An SQL server injection and takeover tool 
  • SQLMap – SQL injection detection, exploitation, and takeover too
  • Subjack – Subdomain identification and takeover tool written in Go 
  • tplmap – Server-side template injection, detection, and takeover tool 
  • weevely3 – Weaponized web shell for post exploitation 
  • WPSploit – Exploit WordPress websites with Metasploit
  • YsoSerial – Payload generation tool to exploit unsafe Java serialization

Wireless Network Hacking Tools (5 tools)

  • Aircrack-ng – Testing & auditing tools for wireless networks
  • Fluxion – Suite of automated social engineering-based WPA attacks and analysis
  • Kismet – Wireless network detector, sniffer, and WIDS
  • Reaver – Brute force attack against WiFi Protected Setup.
  • Wifite2 – Python script to audit wireless networks 

Pentest Management Platforms 

  • Cyver Core –  A full-service pentest collaboration and management platform with report generation and team collaboration (Not Free)
  • AttackForge –  A pentest management and reporting tool (Not Free)
  • Reconmap –  A pentest collaboration platform (Not Free)
  • Faraday – Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments. (Not Free)

Pentest Report Generation Tools 

(all of the above pentest management platforms also offer report generation)

  • Dradis – Ruby-based open-source report generation tool (not free) 
  • PwnDoc– Pentest report generation tool 
  • Serpico – Pentest report automation tool 
  • MagicTree – Pentest report generation and streamlining tool with Nmap integration 
  • Metagoofil – Autofills metadata into reports 
  • PeTeReport –  Python and Django tool to write markdown reports 

Recon & Enumeration Tools (104)

Generic Recon & Enumeration

“These are all tools that can help make your life easier, but if you’re using something like Burp, you don’t need them anymore.” says Mike, “Or if you don’t trust Burp is complete, you can add to your toolbox to validate”. 

  • Asnlookup – ASN Information tool
  • BlindElephant – Web application identifier and fingerprinter.
  • Chaos – Internet-wide asset data for research and recon
  • cms-explorer – Reveal the specific modules, plugins, components, and themes run by CMS websites + associated vulnerabilities
  • DET – Data exfiltration tool for DLP configuration errors
  • EyeWitness – Screenshot, server header, and default credentials tool  
  • FuzzDB – Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery  
  • Recon_profile – Alias creation tool 
  • Skipfish – An active web-application security reconnaissance tool 
  • smbmap – SMB enumeration too
  • Teh_s3_bucketeers – Discover S3 buckets on Amazon’s AWS platform.   
  • Transformations  – Browser-based data obscurity detection tool
  • Spiderfoot – Automated OSINT and data collection  
  • Splunk – A threat detection and management platform 
  • Retire.JS – Browser plugin for finding vulnerable js libraries  
  • Virtual-host-discovery – Enumerate virtual hosts on an IP / HTTP scanner  
  • VHostScan – Virtual host scanner that performs reverse lookups
  • Wappalyzer  – A browser extension to identify technologies used on websites  
  • wafw00f – Identifies and fingerprints Web Application Firewall (WAF)  
  • webscreenshot – Screenshot script  
  • WhatWeb – Web scanner and fingerprinter
  • XSS hunter – Cross-site scripting vulnerability detection and probing  
  • zmap – Open source network scanner with 13+ tools for further research & scans

URl / Subdomain Finders (8 tools)

“We always work on an assignment, and then the target is scope information and not more than that, so we rarely use these. But Rengine also has a URl and subdomain finder”.

  • Dirsearch – Command line tool to brute force directories and files 
  • Dnsgen – This tool generates a combination of domain names from the provided input
  • Gau – Getallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl 
  • JSParser – A python script to parse relative URLs from JavaScript files
  • Subfinder – ASubdomain discovery tool that discovers valid subdomains for websites by using passive online sources
  • Unfurl – Analyze URLs and estimate entropies to find URLs that might be vulnerable to attack
  • Waybackurls – Accept line-delimited domains on stdin, fetch known URLs from the Wayback Machine for *.domain and output them on stdout

Meg – URL fetching tool 

OSINT Tools (16 tools)

“I like Shodan the most, theHarvester as well but it’s part of reNgine”, adds Mike, “ I always look at Shodan for known information about a particular target when I do a web application pentest, because it can point you in the right direction from the start. Maltego would be my number one if it were cheaper, but as-is, I think it’s way too expensive”. 

  • AQUATONE – Create attack surface maps of subdomains with pre-compiled binaries 
  • Censys – Threat intelligence and mapping platform
  • creepy – Geolocation gathering via social media platforms
  • – Subdomain scanning tool 
  • DataSploit – OSINT framework based around corporate espionage 
  • Etherape – A graphical network monitor for Unix with graphic network activity display
  • Google Hacking Database – Google dorks database 
  • Maltego – Open-source intelligence and graphical link analysis tool for gathering and connecting information for intelligence and forensics. (€ 999 per year)
  • metagoofil – Metadata harvester with email extraction functions 
  • Seclists – Security testing data repository 
  • Shodan – Search for Internet-connected devices
  • theHarvester – Harvest E-mail, subdomain and names via OSINT 
  • Debookee – Network traffic interception and analysis for Mac
  • NetCat –  Go-to network research tool
  • Nipper –  Network configuration & audit tool for internal teams  
  • XRay – Recon, mapping, OSINT for public networks
  • ZoomEye – Network component search engine 

Dorks (5 tools)

  • BinGoo – GNU/Linux bash-based Bing and Google Dorking Tool
  • dork-bot– Command line Google dork tool
  • fast-recon – Script to perform Google dorks against a domain
  • GooDork – Command line Google dorking tool
  • snitch – Scripts to use dorks to gather information

Fuzzers (4 tools)

  • Dirb  – Web content scanner and fuzzer
  • Ffuf – Web fuzzer  
  • Netzob – Reverse engineer, model, and fuzz networks
  • Wfuzz – web application fuzzer

Mapping & Asset Discovery (5 tools)

  • Amass –  Attack-surface mapping and external asset discovery
  • Lazyrecon – Script for recon and forensics for identifying first targets in a pentest
  • Sn1per – Automated scanner to enumerate and scan for vulnerabilities, best as recon tool and attack surface management. Community and Pro versions available.
  • Tripwire IP360 – Full network and asset discovery vulnerability scanner (Not Free)
  • Altair – GraphQL query and implementation debugging

Github Grabbers/Rippers (7 tools)

  • DVCS Ripper – Version control system ripper for web-accessible systems  
  • gitGraber – Python tool to search and find GitHub data  
  • Commit-stream – Extract commit logs from the Github event API
  • github-dorks – CLI tool to scan Github repos/organizations for sensitive information leaks
  • GitTools – Rip Web-accessible .git repositories
  • Shhgit – Search GitHub for sensitive data via the API  
  • vcsmap – Plugin-based tool to scan public version control systems (GitHub) for sensitive information

Transport Layer Security Tools (6 tools)

“SSLScan is a go-to, it’s a quick way to look at general information for SSL certificates, which I use to advise customers to update their cyphers to TLS 1.3, and I check which versions they use”  

  • Httprobe –  Probes for working HTTP/HTTPS servers
  • SSLyze – TLS/SSL library to identify misconfigurations 
  • SSLScan – Scans SSL certificates highlighting relevant information 
  • Sublert – Python tool to leverage certificate transparency to monitor subdomains  
  • – Command line tool to check ports for SSL/TLS protocols / services
  • tls_prober – Identify TLS/SSL implementations 

DNS Mappers/Subdomain Finders (20 tools)

“I normally use Qualys, if it’s part of the test, there’s a lot more to it than just this so if yo use these, you’ll need a larger toolkit”

  • AltDNS – Recon tool for DNS subdomain discovery using generated patterns and resolution. Exports to brute forcing tools
  • BroadbandSearch – Suite of tools for network recon 
  • CloudFail – Unmask server IP addresses using old database records and detecting misconfigured DNS.
  • DNSDumpster – DNS records research for recon
  • dnsmap – Simple DNS mapper
  • Dnsgrep – DNS lookup using Rapid7 rdns & fdns datasets
  • DNSSec Analyzer – Gives a good impression of environment and site situation 
  • dnstracer – Traces DNS server information to source
  • Dnsprobe – DNS lookup with user-supplied resolvers
  • dnsrecon – DNS enumeration script in Python
  • FindDomain – Domain monitoring and recon tool with alerts and API 
  • Knockpy – Python tool to enumerate subdomains via word list with DNS zone transfer & wildcard DNS record bypass  
  • Netsniff-ng – Linux network plumbing & recon tool 
  • Massdns – Stub-resolver for bulk DNS lookup & enumeration
  • Mass Scan – SYN packet port scanner
  • passivedns-client – Library and query tool for passive DNS databases
  • passivedns – Network sniffer to create log files of DNS server answers
  • Rapid7 Forward DNS (FDNS) –  DNS request responses for all forward DNS names in Rapid7’s Project Sonar   
  • Shuffledns – Subdomain scanner using active bruteforce  
  • Sublist3r – Enumerate subdomains using OSINT

Proxies (6 tools)

“I have a separate browser I connect directly to my applications and use foxyproxy for that, and then Burp itself is a proxy. Foxyproxy is just a management tool”. 

  • Fiddler – Web debugging proxy suitable for recon  
  • Foxyproxy – Browser plugin to offer enhanced proxy management in Firefox  
  • mallory – HTTP/HTTPS proxy over SSH.
  • mitmproxy – SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. Web and command line versions available
  • Burp – Includes a full proxy 
  • ZAP – An intercepting capable proxy 

Port Scanners (4 tools)

  • Naabu – Port scanner for attack surface discovery and enumeration
  • NMap – Extremely popular port scanner 

Misc. Tools (7 tools)

  • NCat  – swissarmy knife for pentesters 
  • Osmedeus –A workflow engine to put together scanners and tools for reconnaissance
  • Reconness – Script to schedule tools and keep recon information in one place
  • Swiftness X –  A note taking tool for BB and pentesting.
  • tgcd – Unix network extensibility for listening, port forwarding, and logging
  • scanless – Utility for finding third-party websites to do port scans on your behalf
  • SSH MITM – SSH connection interceptor over proxy with plaintext logs

Vulnerability Scanners (34 tools) 

“Rengine, of course, because it’s open source and the interface is simple and easy to use. You can add tools yourself if you’d like more functionality. You can also create reports there.” 

  • ACSTIS – Client-side template injection scanner 
  • Acunetix – Web application vulnerability scanner with DAS/IAST and SCA + 7,000+ vulnerabilities in library (Not Free)
  • Astra – Continuous scanning platform for web apps, API, network, mobile app, & cloud infrastructure (Not Free)
  • Amazon Inspector – Scanner and risk management platform (Not Free)
  • BurpSuite Pro – A web vulnerability scanner used by over 16,000 organizations as part of a larger suite of vulnerability assessment tools. (Not Free)
  • Checkmarx –Full suite of sast, dast, and code scanning tools built for internal teams
  • Codename SCNR – A zero-dependency scriptable framework and web application scanner (Not Free)
  • Comodo HacckerProof – Schedulable scanner with PCI options (Not Free)
  • Core Impact – Vulnerability scanner with pentesting environment
  • Detectify – Automated vulnerability scanner with 2,000+ vulnerabilities in the library
  • Dnscan – Wordlist-based DNS subdomain scanner with zone-transfer functionality
  • HCL AppScan – Cloud-based application scanner with code review (Not Free)
  • –Vulnerability management and scanner intended for internal teams (Not Free)
  • Invicti – (Formerly Netsparker) Web and code vulnerability scanner designed for internal teams
  • joomscan – Open-source joomla vulnerability scanner
  • Nexpose – Vulnerability and risk management assessment tool by Rapid7 and integrated with Rapid7’s other tooling (Metasploit) (Not Free)
  • Nessus – Vulnerability management, configuration, and compliance assessment platform with target profiling, malware discover, and integrated PCI DSS (Free and Pro available)
  • Nikto – Open-source black box web server and web application vulnerability scanner with large database.
  • NMap – Free security scanner for network exploration & security audits scripts
  • NodeZero –Asset discovery and vulnerability scanner for internal and external pentest teams
  • Nuclei – Templated vulnerability scanner  
  • OpenVAS – Free implementation of the Nessus vulnerability assessment system with scheduling, authorized credential scans, and IP targeting
  • Probely – Web application and API vulnerability scanner
  • ReNgine – Open-source vulnerability scanner and reconnaissance tool 
  • Qualys – Vulnerability detection and management platform for compliance and internal security
  • Rapid7 – Platform with a range of products for vulnerability and threat insights 
  • SecApps – In-browser web application security testing suite.
  • Sophos – Endpoint and web application scanning and threat prevention with anti-phishing tools intended for internal teams (Not Free)
  • Vulnerability Manager Plus – Scanner designed for internal pentest teams with security recommendations and patch management integrated.
  • Vuls – Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.
  • w3af – Hacking Tools for Web application attack and audit framework.
  • Wapiti – Black box web application vulnerability scanner with built-in fuzzer and injection tools.
  • WPScan – Hacking Tools of Black Box WordPress vulnerability scanner.
  • ZAP – OWASP’s web app scanner

Did we miss any tools? Email them to us at (email) and we’ll be happy to update the list.