Pentesting Tools (CloudMonk.io)




Pentesting, or penetration testing, is a critical process in cybersecurity aimed at identifying, testing, and highlighting vulnerabilities in security systems. The tools used in pentesting can range from network analyzers to application scanners and exploit frameworks. Here’s a selection of top pentesting tools, including their primary function, GitHub repository (if available), official website, and documentation link.

Top 30 Pentesting Tools



This list encompasses a variety of tools used in penetration testing to assess the security of systems, networks, and applications.

1. Metasploit Framework


* Description: An advanced open-source platform for developing, testing, and executing exploits.
* GitHub: [https://github.com/rapid7/metasploit-framework]
* Website: [https://www.metasploit.com/]
* Documentation: [https://docs.rapid7.com/metasploit/]

2. Nmap


* Description: A network scanner used to discover hosts and services on a computer network, thus building a "map" of the network.
* GitHub: [https://github.com/nmap/nmap]
* Website: [https://nmap.org/]
* Documentation: [https://nmap.org/docs.html]

3. Wireshark


* Description: A network protocol analyzer that lets you see what’s happening on your network at a microscopic level.
* GitHub: [https://github.com/wireshark/wireshark]
* Website: [https://www.wireshark.org/]
* Documentation: [https://www.wireshark.org/docs/]

4. Burp Suite


* Description: An integrated platform for performing security testing of web applications.
* GitHub: N/A
* Website: [https://portswigger.net/burp]
* Documentation: [https://portswigger.net/burp/documentation]

5. Aircrack-ng


* Description: A complete suite of tools to assess WiFi network security, focusing on monitoring, attacking, testing, and cracking.
* GitHub: [https://github.com/aircrack-ng/aircrack-ng]
* Website: [https://www.aircrack-ng.org/]
* Documentation: [https://www.aircrack-ng.org/doku.php]

6. John the Ripper


* Description: A fast password cracker, currently available for many flavors of Unix, Windows, DOS, and OpenVMS.
* GitHub: [https://github.com/openwall/john]
* Website: [https://www.openwall.com/john/]
* Documentation: [https://www.openwall.com/john/doc/]

7. Nessus


* Description: A proprietary vulnerability scanner available for various platforms.
* GitHub: N/A
* Website: [https://www.tenable.com/products/nessus]
* Documentation: [https://docs.tenable.com/nessus/Content/NessusHome.htm]

8. OWASP ZAP (Zed Attack Proxy)


* Description: An open-source web application security scanner.
* GitHub: [https://github.com/zaproxy/zaproxy]
* Website: [https://www.zaproxy.org/]
* Documentation: [https://www.zaproxy.org/docs/]

9. sqlmap


* Description: An open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
* GitHub: [https://github.com/sqlmapproject/sqlmap]
* Website: [http://sqlmap.org/]
* Documentation: [https://github.com/sqlmapproject/sqlmap/wiki]

10. Hydra


* Description: A very fast network logon cracker which supports many different services.
* GitHub: [https://github.com/vanhauser-thc/thc-hydra]
* Website: [https://github.com/vanhauser-thc/thc-hydra]
* Documentation: [https://github.com/vanhauser-thc/thc-hydra]

11. Kali Linux


* Description: A Debian-derived Linux distribution designed for digital forensics and penetration testing.
* GitHub: [https://github.com/offensive-security/kali-linux-docker]
* Website: [https://www.kali.org/]
* Documentation: [https://www.kali.org/docs/]

12. Nikto


* Description: An open-source web server scanner which performs comprehensive tests against web servers for multiple items.
* GitHub: [https://github.com/sullo/nikto]
* Website: [https://cirt.net/Nikto2]
* Documentation: [https://cirt.net/nikto2-docs/]

13. Snort


* Description: An open-source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS).
* GitHub: [https://github.com/snort3/snort3]
* Website: [https://www.snort.org/]
* Documentation: [https://www.snort.org/documents]

14. Hashcat


* Description: The world’s fastest and most advanced password recovery utility.
* GitHub: [https://github.com/hashcat/hashcat]
* Website: [https://hashcat.net/hashcat/]
* Documentation: [https://hashcat.net/wiki/]

15. Gobuster


* Description: A tool used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support).
* GitHub: [https://github.com/OJ/gobuster]
* Website: [https://github.com/OJ/gobuster]
* Documentation: [https://github.com/OJ/gobuster]

16. Parrot OS


* Description: A GNU/Linux distribution based on Debian and designed with Security, Development, and Privacy in mind.
* GitHub: [https://github.com/ParrotSec]
* Website: [https://www.parrotsec.org/]
* Documentation: [https://docs.parrotlinux.org/]

17. Wifiphisher


* Description: A security tool that mounts automated phishing attacks against WiFi networks in order to obtain secret passphrases.
* GitHub: [https://github.com/wifiphisher/wifiphisher]
* Website: [https://wifiphisher.org/]
* Documentation: [https://wifiphisher.org/documentation.html]

18. GitLeaks


* Description: A tool for finding secrets and sensitive information in git repositories.
* GitHub: [https://github.com/zricethezav/gitleaks]
* Website: [https://github.com/zricethezav/gitleaks]
* Documentation: [https://github.com/zricethezav/gitleaks/wiki]

19. BloodHound


* Description: Uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment.
* GitHub: [https://github.com/BloodHoundAD/BloodHound]
* Website: [https://bloodhound.readthedocs.io/en/latest/]
* Documentation: [https://bloodhound.readthedocs.io/en/latest/]

20. Mimikatz


* Description: A tool to play with Windows security. It can be used to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from memory.
* GitHub: [https://github.com/gentilkiwi/mimikatz]
* Website: [http://blog.gentilkiwi.com/mimikatz]
* Documentation: [https://github.com/gentilkiwi/mimikatz/wiki]

The remaining 10 tools are as follows, focusing on various aspects of penetration testing, from mobile security to advanced exploitation frameworks:

* 21. BeEF (Browser Exploitation Framework): For web browser exploitation.
* 22. OWASP ZSC (Zed ShellCoder): For generating shellcodes.
* 23. YARA: For malware researchers (and others) to identify and classify malware samples.
* 24. Frida: A dynamic code instrumentation toolkit.
* 25. Radare2: A portable reversing framework.
* 26. APKTool: For reverse engineering Android apk files.
* 27. Drozer: A comprehensive security and attack framework for Android.
* 28. Cuckoo Sandbox: An automated dynamic malware analysis system.
* 29. Moloch: Full packet capture and indexing.
* 30. OpenVAS: A full-featured vulnerability scanner.

Each tool provides unique capabilities for probing and securing systems, ranging from network defenses to application-level vulnerabilities, making them indispensable resources for penetration testers and cybersecurity professionals.

This list is designed to be a starting point for those looking to equip themselves with a comprehensive set of tools for penetration testing across a wide range of environments and scenarios.
