Ultimate Pentest Tools List (300+)

The following include a list of pentest tools available across the web. Many are free and even open source, others are premium tools and require a monthly or yearly subscription. We’ll note when pentest tools aren’t free. We interviewed Cyver pentester Mike Terhaar for his favorites and highlighted them in the text.

*Please note some tools were included more than once when they fit well into several categories. In addition, all tools are in alphabetical order and not ranked.

Attack / Adversary Simulation (Red teaming) (22 tools)

Atomic Red Team – Library of tests mapped to the MITRE ATT&CK Framework
APT Simulator – Script & toolset to simulate the appearance of an APT attack
ATT&CK Simulator – Automate adversary simulations for red/blue-purple teaming
BlindSpot – Adversary simulator with red-team, breach simulation, and purple team capabilities. (Not Free)
Caldera – A framework for adversary emulation by MITRE
Cobalt Strike – A VM & threat emulation framework for adversary simulation / red teaming
Cymulate – Security posture management platform with red teaming (Not Free)
Dumpsterfire – Menu-driven tool for building distributed security events for red/blue/purple team drills
GreyMatter – Security operations platform with red teaming (formerly Threatcare) (Not Free)
Infection Monkey – Open-source breach and attack simulation platform
Invoke Adversary – Script for automating adversary threats
Mandiant – Security validation and adversary simulation tool in Google Cloud (Not Free)
MATE – Attack Simulator offered by Microsoft as part of 365
Metta – Open-source tool for network adversarial simulation
NSAUnfetter – Attack simulator based on the MITRE ATT&CK framework
Pentera – Automate insider & outsider attacks for red-team/purple team exercises (Not Free)
Red Team Automation (RTA) – Scripts based on 50+ MITRE ATT&CK tactics for blue teams
SafeBreach – Breach and attack simulation platform (Not Free)
Scythe.io – Cloud adversary emulation platform for red-team/purple team (Not Free)
SimSpace – Simulated environment for cybersecurity exercises (Not Free)
Splunk Attack Range – Cloud and local environment builder for attack simulation
THC Hydra – Attack-simulator tool for unauthorized access

Distros / Distributions (13 tools)

Distros are operating systems packaged with components designed for ethical hacking or pentesting – many with more specific focuses, such as web pentesting.

“I like Parrot OS the most because it’s more flexible than Kali. Of course, that depends on what you need. Parrot is a default OS and you install what you need.” says Mike, “Kali is fixed. Kali is also fixed to their own update lists and patches, so if you change anything, it can break the system. I also like BlackArch’s OS a lot, but I have less experience with it because it needs more configuration, but I really like that you can do everything with one system.”

ArchStrike – Arch GNU/Linux repository closely following LInux Standards
AttifyOS – GNU/Linux distribution built around IoT pentesting
BackBox – Ubuntu-based distribution for penetration tests and security assessments.
BlackArch – Arch GNU/Linux-based distribution with 2,500+ tools
CAINE – Computer Aided Investigative Environment is a digital forensics and analysis framework
Fedora Security Lab – Test environment for security auditing, forensics, system rescue, etc.
Kali – GNU/Linux distro for digital forensics and pentesting
Linux Kodachi – A Debian-based distro, boot from CD/USB, filters traffic through TOR and attempts trace cleanup after use
Network Security Toolkit (NST) – Fedora-based bootable live operating system
ParrotOS – Distro featuring multiple architecture options and 100+ pentest tools
Pentoo – Security-focused live USB-based on Gentoo for 32/64-bit OS
Samurai Web Testing Framework – Distro for pentesting on the web
The Pentesters Framework – Distro is organized around Penetration Testing Execution Standard (PTES)

Frameworks (17 tools)

“I use both ReNgine and Metasploit. Metasploit a bit less because you need more infrastructure level data.” says Mike, “ ReNgine gives you an impression of the general hygiene of the application and implementation, open services, hardening, etc. Metasploit is flexible, old-school, and makes life a lot easier. But ReNgine replaces an expensive tool like Nessus, delivering a lot in a single application”

BetterCAP – Modular, portable, and easily extensible MITM framework.
Caldera – A framework for adversary emulation by MITRE
Canvas – An automated exploit system and exploit development framework. Costs $32,480 per year including third-party products.
Cobalt Strike – A Fortra VM & threat emulation framework
Dshell – Network forensic analysis framework
ExploitPack – Graphical tool with 39,000+ exploits for pentest automation
Empire – Post-exploitation adversary emulation framework
IronWASP – Framework for web-application vulnerability testing with tools & scanner capabilities
Jok3r – A network infrastructure and web security assessment framework with automation & pentest tools
Metasploit – Post-exploitation pentest tools to verify vulnerabilities, manage assessments, and more. Open Source and Pro available. Pro costs roughly $15,000 per year.
MobSF – An automated, mobile application pentesting, malware analysis and security assessment framework with static and dynamic analysis.
Pupy – Cross-platform remote administration and post-exploitation tool in Python & C
Recon-ng – A web-based reconnaissance framework
ReNgine – Open-source reconnaissance framework
routersploit – Open-source exploitation framework for embedded devices
shellsploit – Exploit development framework
WordPress Exploit Framework – Ruby framework for WordPress pentesting

Static and Dynamic Analyzers (15 tools)

“Snyk is a good one, I’m not much for it for pentesting, but for internal teams, it gives you insight and constant overview of your application vulnerabilities, changes, the impact of those based on vulnerabilities, etc.”

bandit – Python code analyzer with a focus on vulnerabilities
Brakeman – Static analysis security vulnerability scanner for Ruby on Rails applications.
cppcheck – Extensible C/C++ static analyzer and bug finder
Checkmarx –Full suite of sast, dast, and code scanning tools built for internal teams (Not Free)
Coverity – Free static analysis solution for open-source projects
Codacy – AI-driven SAST for 40+ programming languages (Not Free)
FindBugs – Free ava static analyzer with a focus on bugs
Forta WebInspect – Web scanner
Kiuwan – SAST and code analysis for vulnerability management (Not Free)
KlocWork – Compliance-based SAST (Not Free)
PMD – Source code analyzer for cross-language SaaS
sobelow – Phoenix Framework static analyzer focused on vulnerabilities
SonarQube – Static code analysis for 30+ languages, frameworks, and platforms (Not Free)
Snyk – Vulnerability database and code scanner (Not Free)
Veracode – Static analysis and vulnerability management (Not Free)

Hacking & Exploitation Tools (160)

Anonymity Tools (5 tools)

“normally when I do a test it’s in the open and the owner knows it so I don’t have to hide, but in case of red teaming, then you need the stealth”

I2P – Fully-encrypted private network layer
Nipe – Script to make Tor your default gateway
OnionScan – Discover vulnerabilities available through Onion-operated services
Tor – Onion-routed overlay network
What Every Browser Knows About You – Test your own Web browser’s configuration

CTF Tools (3 tools)

ctf-tools – Scripts to install various security research tools and deploy to new machines
Pwntools – Rapid exploit development framework for CTFs
RsaCtfTool – Attack and decrypts RSA tools

DDoS Tools (11 tools)

“It’s never my goal to deliberately cause an outage on a customer network, but, of course, when red teaming, or if it’s part of the engagement, you should use a tool like this and MHDDoS is a favorite.”

DDOS Ripper – DDOS attack server based on compromised computer systems
CC-attack – Socks4/5 proxy-based multithreading attack
HOIC – LOIC with countermeasure workarounds
JS LOIC – JavaScript in-browser version of LOIC.
LOIC – Open source network stress tool written in #C
MHDDoS – Python3 DDoS attack script with 56 methods
Nightmare Stresser – DDOS API for stress testing with up to 150 concurrent floods
Raven-Storm – DDoS Toolkit with multiple attack protocols
SlowLoris – Low bandwidth DDoS tool in Python
T50 – Network stress tool
UFONet – Denial of service toolkit with multifunctionality

Defense Evasion Tools (8 tools)

“I like Veil because it connects to Metasploit”, says Mike, “If you write code and want to pass it through antivirus, you need to use a tool like Veil, but in the old days, Veil was already being blocked by antivirus systems, so you’ll probably want a range of tools in case the current version doesn’t get through the AV.”

AntiVirus Evasion Tool (AVET) –Antivirus evasion tools
Fireprox – AWS API Gateway management tool for Ip rotation
Hyperion – Runtime encryptor for 32-bit portable executables (“PE .exes”).
peCloak.py – Hides malicious Windows executable from antivirus
peCloakCapstone – Multi-platform fork of peCloak.py
Proxybroker2 – Auto-rotate IP via proxy
UniByAv – Generates antivirus friendly executables from raw shellcode
Veil – Generate payloads to bypass common anti-virus solutions

Hash & Cracking Hacking Tools (12 tools)

“There are a lot of great tools for this. John the Ripper of course, Rainbow Tables, Cain and Abel. If you have a list and usernames and you know you’re working with a group of common users, you’re almost certain their password will fit in a list, so John the Ripper is your best option.”

AirCrack – Wifi Password retrieval with FMS
Brutus Password Cracker – Complex password retrieval with multi-stage authentication, brute force, dictionary, & more
BruteForce Wallet – Wallet password search
Cain and Abel – Sniffer and password cracking for forensics
CrackStation – Browser-based password hash-cracking
CeWL – Custom wordlists for spidering to feed password crackers
Hashcat – Hash cracking tool
John the Ripper – Password cracker
JWT Cracker – HS256 JWT token brute force cracker
Medusa – Brute-force parallel testing password cracker
Rainbow Crack – Hash cracker using large-scale time-memory technique
Rainbow Tables – Rainbow table generator with verification

Hex Editors (14 tools)

“You can use a custom hex editor, but I use the hex in Burp with an integrated translator”

Frhed – Binary file editor for Windows with partial file loading capabilities
FS Hex Editor – Hexadecimal and ASCII file editor
Hackman – Hex and binary editor with RAM viewer
HexEdit.js – Browser-based hex editing.
Hexinator – Hex tool with free and premium versions
Hexplorer – Hex editor with data mining tools
HxD Hex Editor – View, edit, and save hex and source code files
Kaitai Struct – Generate parsers and protocols
MiTeX Hexadecimal – Hex and Octal file editor with calculator
Open Freely – Hex viewer and editor
Tiny Hexer – Hex viewer, binary searcher, and octal viewer
Tyrannosaurus Hex – Open-source hex editor with color coding
UltraEdit – Text, code, and hex editor
Veles – Binary data visualization and analysis tool

IoT (3 tools)

“I still use the old school tools like Netcat and Nmap and nowadays, reNgine,” says Mike, “I start with NMap and follow up with NCat and that’s all I need.”

Praeda – Data harvester for multi-function printer assessments
Printer Exploitation Toolkit (PRET) – USB or network program for printer security mapping & exploitation
routersploit – Open-source exploitation framework for embedded devices

Network Tools (20 tools)

“Ettercap is an easy to use command line tool, you can write your filters on the go, you only get the information you actually want.” says Mike, “That’s good if you want specific traffic details, however, if you don’t know what you’re looking for, ettercap is unusable. Wireshark is the same but with a graphical interface, so you can easily filter – which makes it more commonly used”.

BetterCAP – Modular, portable man-in-the-middle framework.
CrackMapExec – Suite of tools for network penetration
Ettercap – Comprehensive suite for machine-in-the-middle attacks.
evilgrade – Fake update injection
Dripcap – Caffeinated packet analyzer for multiple OS
dnschef – Highly configurable DNS proxy
dnsenum – Perl script with DNS enumeration, zone transfer, dictionary attack, and reverse lookup functionality
dsniff – Recon & infiltration tools for networks
impacket – Network protocol toolset focused on low-impact access
Intercepter-NG – Multifunctional network toolkit for recon & interception
Morpheus – Automated ettercap TCP/IP hijacking tool
Nginx – Graphical interface with scriptable access to network infrastructure scanning and enumeration tools
pig – Linux packet crafting tool with library of attack signatures
pwnat – Punches holes in firewalls/NATs without port or DMZ setup required
scapy – Python-based interactive packet manipulation program & library
Scap-workbench – A GUI tool with SCAP Scanner and tailoring functionality
tcpdump/libpcap – Command-line packet analyzer tool
Wireshark – A graphic interface surrounding tcpdump / network protocol analyzer
Yersina – A network tool for 2-layer attacks
Zarp – Network attack tool for the exploitation of protocols and stacks

Mobile Exploitation (8 tools)

Dex2Jar – Tool for Android “. dex” and Java “. class” files.
Drozer – A mobile app security testing framework
Frida “Universal” SSL Unpinner – Universal unpinner.
Frida – Dynamic instrumentation toolkit
Genymotion: – Cross-platform Android emulator for developers & QA engineers
Jadx – Command line and GUI tool for producing java source code from Android Dex and APK files
MobSF – A mobile application pentesting, malware analysis and security assessment framework with static and dynamic analysis.
Radare2 – Toolchain for forensics, software reverse engineering, exploiting, debugging, etc.

Reverse Engineering Tools (16 tools)

binwalk – Analyze, reverse engineer, and extract firmware images
Capstone – Lightweight multi-platform, multi-architecture disassembly framework
dnSpy – .Net debugger and assembly tool
Evan’s Debugger – DObugger for GNU/Linux.
Frida – A scriptable and portable dynamic reverse engineering toolkit
Immunity Debugger – Debugger with exploit and malware capabilities
Interactive Disassembler (IDA Pro) – A multi-processor disassembler and debugger with free/premium versions
Medusa – Open source, cross-platform interactive disassembler
peda – Python Exploit Development Assistance for GDB
plasma – Interactive disassembler for x86/ARM/MIPS
PyREBox – Python scriptable Reverse Engineering sandbox and framework
Radare2 – Open source, cross-platform reverse engineering framework
rVMI – Full system analysis via virtual machine introspection
Voltron – Debugger UK for hackers
WDK/WinDbg – Microsoft Windows Driver Kit and WinDbg.
x64dbg – Open source x64/x32 debugger

Social Engineering Tools (6 tools)

“Catfish and Kingfish are nice tools, you can create your own social media campaigns, build complete websites, copy them, make the receiving end believe what you’re writing if they don’t look well enough”

Beelogger – Tool for generating keyloggers for Windows
Catphish – Ruby fishing toolkit
Evilginx2 – MITM attack framework used for phishing credentials and session cookies with 2-factor bypass
King Phisher – Create and manage simultaneous phishing attacks with server and content tools
Social Engineer Toolkit (SET) – Social engineering toolkit with framework
wifiphisher – Automated phishing attacks against WiFi network for red teaming or WiFi investigations

Utilities

(Windows) (8 tools)

“Sysinternals is a must-have. You can enumerate Windows systems, learn more about the environment the network is connected to. Mimikatz is also great for extracting sensitive data from system memory”

DeathStar – Python script to gain Active Directory administrative rights
Fibratus – Windows kernel exploration and tracing tool
Magic Unicorn – Shellcode generator and injection tool
mimikatz – Extract windows credentials PowerSploit – PowerShell Post-Exploitation Framework
redsnarf – Post-exploitation tool to retrieving password hashes and credentials from Windows workstations, servers, and domain controllers.
Responder – LLMNR, NBT-NS and MDNS poisoner
Sysinternals Suite – Microsoft’s Sysinternals Troubleshooting Utilities
Windows Exploit Suggester – Scan for missing Windows patches and vulnerabilities

(GNU/Linux)

Linux Exploit Suggester – Heuristic reporting on potential exploits for GNU/Linux

(macOS) (8 tools)

“I always build my Mac machine from scratch and the tools I use are Linux. The tools listed here are mostly for breaking into Mac, but it’s not common for companies to have a complete Mac network”.

EggShell – Remote administration tool for OSX
EmPyre – Post exploitation OS X agent
EvilOSX – Remote Administration tool for OS X
Kemon – Open source kernel monitoring
Keychain dump – Searches for unlocked keychain master keys
Machotools – Retrieve and change machotool data
MOSL – Audit MacOS security settings
PassiveFuzzFramework OSX – Fuzzing tool for OSX kernel vulnerabilities

Web Testing (21 tools)

“DIrbuster only works if you have a good list. I sometimes use Zed, SQLMap, and those are my go-to with Burp.” Says Mike, “SQLMap is also really powerful if you have a hunch SQL injection is possible. It’s flexible and much faster than doing it by hand. Very fast and easy to automate”

Burp Suite – An integrated platform for web-application pentesting (Free edition available) (Enterprise from $1,999 – Unlimited costs $49,999 per year). Some addons include:
- ActiveScan++ –Active & passive scanning extending basic capabilities
- BurpSentinel –Web application security hole discovery
- Autorepeater Burp – Automated HTTP request repeating
- Autorize – Detect authorization vulnerabilities
- Flow – Logging and history for tools, for troubleshooting
- Headless Burp – Run Burp Suite’s Spider and Scanner tools via command-line
- Logger++ – A multi-threaded logging extension with filtering
- WSDL Wizard – Scan target servers for WSDL files
- Retire.js – Scan for outdated Javascript Libraries
- TurboIntruder – Fast and scalable HTTP requests via python scripts
- ParamMiner – Discover hidden web application parameters
- Co2 – SQL mapper, scanner, SAML encoder, JWT decoder, hasher
Browser Exploitation Framework (BeEF) – Command and control server for delivering exploits
DirBuster – Brute-force over directories and web application server tool with hidden directory search
Commix – Command-line injection & exploitation tool
fimap – Python tool to find, prepare, audit, & exploit LFI/RFI bugs.
Kadimus – LFI scan and exploit tool.
Lazys3 – Ruby script to brute-force for AWS s3 buckets
liffy – LFI exploitation tool
LFI Suite – LFI exploiter and scanner
NoSQLMap d –Audit for and automate injection attacks, exploit configuration weaknesses, and clone data
OWASP Zed Attack Proxy (ZAP) – Scriptable HTTP intercepting proxy and fuzzer for web applications
Payloads All The Things – Payloads and bypasses for Web Application Security.
sslstrip2 – SSL stripping tool
SSRFTest – Server Site Request Forgery tool
SQLNinja – An SQL server injection and takeover tool
SQLMap – SQL injection detection, exploitation, and takeover tool
Subjack – Subdomain identification and takeover tool written in Go
tplmap – Server-side template injection, detection, and takeover tool
weevely3 – Weaponized web shell for post exploitation
WPSploit – Exploit WordPress websites with Metasploit
YsoSerial – Payload generation tool to exploit unsafe Java serialization

Wireless Network Hacking Tools (5 tools)

Aircrack-ng – Testing & auditing tools for wireless networks
Fluxion – Suite of automated social engineering-based WPA attacks and analysis
Kismet – Wireless network detector, sniffer, and WIDS
Reaver – Brute force attack against WiFi Protected Setup.
Wifite2 – Python script to audit wireless networks

Pentest Management Platforms

Cyver Core – A full-service pentest collaboration and management platform with report generation and team collaboration (Not Free)
AttackForge – A pentest management and reporting tool (Not Free)
Reconmap – A pentest collaboration platform (Not Free)
Faraday – Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments. (Not Free)

Pentest Report Generation Tools

(all of the above pentest management platforms also offer report generation)

Dradis – Ruby-based open-source report generation tool (not free)
PwnDoc– Pentest report generation tool
Serpico – Pentest report automation tool
MagicTree – Pentest report generation and streamlining tool with Nmap integration
Metagoofil – Autofills metadata into reports
PeTeReport – Python and Django tool to write markdown reports

Recon & Enumeration Tools (104)

Generic Recon & Enumeration

“These are all tools that can help make your life easier, but if you’re using something like Burp, you don’t need them anymore.” says Mike, “Or if you don’t trust Burp is complete, you can add to your toolbox to validate”.

Asnlookup – ASN Information tool
BlindElephant – Web application identifier and fingerprinter.
Chaos – Internet-wide asset data for research and recon
cms-explorer – Reveal the specific modules, plugins, components, and themes run by CMS websites + associated vulnerabilities
DET – Data exfiltration tool for DLP configuration errors
EyeWitness – Screenshot, server header, and default credentials tool
FuzzDB – Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery
Recon_profile – Alias creation tool
Skipfish – An active web-application security reconnaissance tool
smbmap – SMB enumeration too
Teh_s3_bucketeers – Discover S3 buckets on Amazon’s AWS platform.
Transformations – Browser-based data obscurity detection tool
Spiderfoot – Automated OSINT and data collection
Splunk – A threat detection and management platform
Retire.JS – Browser plugin for finding vulnerable js libraries
Virtual-host-discovery – Enumerate virtual hosts on an IP / HTTP scanner
VHostScan – Virtual host scanner that performs reverse lookups
Wappalyzer – A browser extension to identify technologies used on websites
wafw00f – Identifies and fingerprints Web Application Firewall (WAF)
webscreenshot – Screenshot script
WhatWeb – Web scanner and fingerprinter
XSS hunter – Cross-site scripting vulnerability detection and probing
zmap – Open source network scanner with 13+ tools for further research & scans

URl / Subdomain Finders (8 tools)

“We always work on an assignment, and then the target is scope information and not more than that, so we rarely use these. But Rengine also has a URl and subdomain finder”.

Dirsearch – Command line tool to brute force directories and files
Dnsgen – This tool generates a combination of domain names from the provided input
Gau – Getallurls (gau) fetches known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl
JSParser – A python script to parse relative URLs from JavaScript files
Subfinder – ASubdomain discovery tool that discovers valid subdomains for websites by using passive online sources
Unfurl – Analyze URLs and estimate entropies to find URLs that might be vulnerable to attack
Waybackurls – Accept line-delimited domains on stdin, fetch known URLs from the Wayback Machine for *.domain and output them on stdout

Meg – URL fetching tool

OSINT Tools (16 tools)

“I like Shodan the most, theHarvester as well but it’s part of reNgine”, adds Mike, “ I always look at Shodan for known information about a particular target when I do a web application pentest, because it can point you in the right direction from the start. Maltego would be my number one if it were cheaper, but as-is, I think it’s way too expensive”.

AQUATONE – Create attack surface maps of subdomains with pre-compiled binaries
Censys – Threat intelligence and mapping platform
creepy – Geolocation gathering via social media platforms
C99.nl – Subdomain scanning tool
DataSploit – OSINT framework based around corporate espionage
Etherape – A graphical network monitor for Unix with graphic network activity display
Google Hacking Database – Google dorks database
Maltego – Open-source intelligence and graphical link analysis tool for gathering and connecting information for intelligence and forensics. (€ 999 per year)
metagoofil – Metadata harvester with email extraction functions
Seclists – Security testing data repository
Shodan – Search for Internet-connected devices
theHarvester – Harvest E-mail, subdomain and names via OSINT
Debookee – Network traffic interception and analysis for Mac
NetCat – Go-to network research tool
Nipper – Network configuration & audit tool for internal teams
XRay – Recon, mapping, OSINT for public networks
ZoomEye – Network component search engine

Dorks (5 tools)

BinGoo – GNU/Linux bash-based Bing and Google Dorking Tool
dork-bot– Command line Google dork tool
fast-recon – Script to perform Google dorks against a domain
GooDork – Command line Google dorking tool
snitch – Scripts to use dorks to gather information

Fuzzers (4 tools)

Dirb – Web content scanner and fuzzer
Ffuf – Web fuzzer
Netzob – Reverse engineer, model, and fuzz networks
Wfuzz – web application fuzzer

Mapping & Asset Discovery (5 tools)

Amass – Attack-surface mapping and external asset discovery
Lazyrecon – Script for recon and forensics for identifying first targets in a pentest
Sn1per – Automated scanner to enumerate and scan for vulnerabilities, best as recon tool and attack surface management. Community and Pro versions available.
Tripwire IP360 – Full network and asset discovery vulnerability scanner (Not Free)
Altair – GraphQL query and implementation debugging

Github Grabbers/Rippers (7 tools)

DVCS Ripper – Version control system ripper for web-accessible systems
gitGraber – Python tool to search and find GitHub data
Commit-stream – Extract commit logs from the Github event API
github-dorks – CLI tool to scan Github repos/organizations for sensitive information leaks
GitTools – Rip Web-accessible .git repositories
Shhgit – Search GitHub for sensitive data via the API
vcsmap – Plugin-based tool to scan public version control systems (GitHub) for sensitive information

Transport Layer Security Tools (6 tools)

“SSLScan is a go-to, it’s a quick way to look at general information for SSL certificates, which I use to advise customers to update their cyphers to TLS 1.3, and I check which versions they use”

Httprobe – Probes for working HTTP/HTTPS servers
SSLyze – TLS/SSL library to identify misconfigurations
SSLScan – Scans SSL certificates highlighting relevant information
Sublert – Python tool to leverage certificate transparency to monitor subdomains
testssl.sh – Command line tool to check ports for SSL/TLS protocols / services
tls_prober – Identify TLS/SSL implementations

DNS Mappers/Subdomain Finders (20 tools)

“I normally use Qualys, if it’s part of the test, there’s a lot more to it than just this so if yo use these, you’ll need a larger toolkit”

AltDNS – Recon tool for DNS subdomain discovery using generated patterns and resolution. Exports to brute forcing tools
BroadbandSearch – Suite of tools for network recon
CloudFail – Unmask server IP addresses using old database records and detecting misconfigured DNS.
DNSDumpster – DNS records research for recon
dnsmap – Simple DNS mapper
Dnsgrep – DNS lookup using Rapid7 rdns & fdns datasets
DNSSec Analyzer – Gives a good impression of environment and site situation
dnstracer – Traces DNS server information to source
Dnsprobe – DNS lookup with user-supplied resolvers
dnsrecon – DNS enumeration script in Python
FindDomain – Domain monitoring and recon tool with alerts and API
Knockpy – Python tool to enumerate subdomains via word list with DNS zone transfer & wildcard DNS record bypass
Netsniff-ng – Linux network plumbing & recon tool
Massdns – Stub-resolver for bulk DNS lookup & enumeration
Mass Scan – SYN packet port scanner
passivedns-client – Library and query tool for passive DNS databases
passivedns – Network sniffer to create log files of DNS server answers
Rapid7 Forward DNS (FDNS) – DNS request responses for all forward DNS names in Rapid7’s Project Sonar
Shuffledns – Subdomain scanner using active bruteforce
Sublist3r – Enumerate subdomains using OSINT

Proxies (6 tools)

“I have a separate browser I connect directly to my applications and use foxyproxy for that, and then Burp itself is a proxy. Foxyproxy is just a management tool”.

Fiddler – Web debugging proxy suitable for recon
Foxyproxy – Browser plugin to offer enhanced proxy management in Firefox
mallory – HTTP/HTTPS proxy over SSH.
mitmproxy – SSL/TLS-capable intercepting proxy with a console interface for HTTP/1, HTTP/2, and WebSockets. Web and command line versions available
Burp – Includes a full proxy
ZAP – An intercepting capable proxy

Port Scanners (4 tools)

Naabu – Port scanner for attack surface discovery and enumeration
NMap – Extremely popular port scanner

Misc. Tools (7 tools)

NCat – swissarmy knife for pentesters
Osmedeus –A workflow engine to put together scanners and tools for reconnaissance
Reconness – Script to schedule tools and keep recon information in one place
Swiftness X – A note taking tool for BB and pentesting.
tgcd – Unix network extensibility for listening, port forwarding, and logging
scanless – Utility for finding third-party websites to do port scans on your behalf
SSH MITM – SSH connection interceptor over proxy with plaintext logs

Vulnerability Scanners (34 tools)

“Rengine, of course, because it’s open source and the interface is simple and easy to use. You can add tools yourself if you’d like more functionality. You can also create reports there.”

ACSTIS – Client-side template injection scanner
Acunetix – Web application vulnerability scanner with DAS/IAST and SCA + 7,000+ vulnerabilities in library (Not Free)
Astra – Continuous scanning platform for web apps, API, network, mobile app, & cloud infrastructure (Not Free)
Amazon Inspector – Scanner and risk management platform (Not Free)
BurpSuite Pro – A web vulnerability scanner used by over 16,000 organizations as part of a larger suite of vulnerability assessment tools. (Not Free)
Checkmarx –Full suite of sast, dast, and code scanning tools built for internal teams
Codename SCNR – A zero-dependency scriptable framework and web application scanner (Not Free)
Comodo HacckerProof – Schedulable scanner with PCI options (Not Free)
Core Impact – Vulnerability scanner with pentesting environment
Detectify – Automated vulnerability scanner with 2,000+ vulnerabilities in the library
Dnscan – Wordlist-based DNS subdomain scanner with zone-transfer functionality
HCL AppScan – Cloud-based application scanner with code review (Not Free)
Intruder.io –Vulnerability management and scanner intended for internal teams (Not Free)
Invicti – (Formerly Netsparker) Web and code vulnerability scanner designed for internal teams
joomscan – Open-source joomla vulnerability scanner
Nexpose – Vulnerability and risk management assessment tool by Rapid7 and integrated with Rapid7’s other tooling (Metasploit) (Not Free)
Nessus – Vulnerability management, configuration, and compliance assessment platform with target profiling, malware discover, and integrated PCI DSS (Free and Pro available)
Nikto – Open-source black box web server and web application vulnerability scanner with large database.
NMap – Free security scanner for network exploration & security audits scripts
NodeZero –Asset discovery and vulnerability scanner for internal and external pentest teams
Nuclei – Templated vulnerability scanner
OpenVAS – Free implementation of the Nessus vulnerability assessment system with scheduling, authorized credential scans, and IP targeting
Probely – Web application and API vulnerability scanner
ReNgine – Open-source vulnerability scanner and reconnaissance tool
Qualys – Vulnerability detection and management platform for compliance and internal security
Rapid7 – Platform with a range of products for vulnerability and threat insights
SecApps – In-browser web application security testing suite.
Sophos – Endpoint and web application scanning and threat prevention with anti-phishing tools intended for internal teams (Not Free)
Vulnerability Manager Plus – Scanner designed for internal pentest teams with security recommendations and patch management integrated.
Vuls – Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.
w3af – Hacking Tools for Web application attack and audit framework.
Wapiti – Black box web application vulnerability scanner with built-in fuzzer and injection tools.
WPScan – Hacking Tools of Black Box WordPress vulnerability scanner.
ZAP – OWASP’s web app scanner

Did we miss any tools? Email them to us at (email) and we’ll be happy to update the list.