Authors: < nixawk >, < binarymist >, < bkimminich >
Exploitation is probably one of the most glamorous parts of a penetration test, yet it is often done with brute force rather than with precision. An exploit should be performed only when you know almost beyond a shadow of a doubt that a particular exploit will be successful. Of course, unforeseen protective measures might be in place on the target that prevent a particular exploit from working—but before you trigger a vulnerability, you should know that the system is vulnerable. Blindly firing off a mass onslaught of exploits and praying for a shell isn’t productive; it is noisy and provides little if any value to you as a penetration tester or to your client. Do your homework first, and then launch well-researched exploits that are likely to succeed.
- Kali - A Linux distribution designed for digital forensics and penetration testing
- ArchStrike - An Arch Linux repository for security professionals and enthusiasts
- BlackArch - Arch Linux-based distribution for penetration testers and security researchers
- NST - Network Security Toolkit distribution
- Pentoo - Security-focused livecd based on Gentoo
- BackBox - Ubuntu-based distribution for penetration tests and security assessments
- Parrot - A distribution similar to Kali, with support for multiple architectures
- Metasploit Framework - World's most used penetration testing software
- Burp Suite - An integrated platform for performing security testing of web applications
- ExploitPack - Graphical tool for penetration testing with a bunch of exploits
- BeeF - The Browser Exploitation Framework Project
- faraday - Collaborative Penetration Test and Vulnerability Management Platform
- evilgrade - The update exploitation framework
- commix - Automated All-in-One OS Command Injection and Exploitation Tool
- routersploit - Automated penetration testing software for routers
- exploit-database - Offensive Security’s Exploit Database Archive
- `docker pull kalilinux/kali-linux-docker` - official Kali Linux
- `docker pull owasp/zap2docker-stable` - official OWASP ZAP
- `docker pull wpscanteam/wpscan` - official WPScan
- `docker pull pandrew/metasploit` - docker-metasploit
- `docker pull citizenstig/dvwa` - Damn Vulnerable Web Application (DVWA)
- `docker pull wpscanteam/vulnerablewordpress` - Vulnerable WordPress Installation
- `docker pull hmlio/vaas-cve-2014-6271` - Vulnerability as a service: Shellshock
- `docker pull hmlio/vaas-cve-2014-0160` - Vulnerability as a service: Heartbleed
- `docker pull opendns/security-ninjas` - Security Ninjas
- `docker pull diogomonica/docker-bench-security` - Docker Bench for Security
- `docker pull ismisepaul/securityshepherd` - OWASP Security Shepherd
- `docker pull danmx/docker-owasp-webgoat` - OWASP WebGoat Project docker image
- `docker-compose build && docker-compose up` - OWASP NodeGoat
- `docker pull citizenstig/nowasp` - OWASP Mutillidae II Web Pen-Test Practice Application
- `docker pull bkimminich/juice-shop` - OWASP Juice Shop
- Nexpose - Vulnerability Management & Risk Management Software
- Nessus - Vulnerability, configuration, and compliance assessment
- Nikto - Web application vulnerability scanner
- OpenVAS - Open Source vulnerability scanner and manager
- OWASP Zed Attack Proxy - Penetration testing tool for web applications
- Secapps - Integrated web application security testing environment
- w3af - Web application attack and audit framework
- Wapiti - Web application vulnerability scanner
- WebReaver - Web application vulnerability scanner for Mac OS X
- DVCS Ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
- arachni - Web Application Security Scanner Framework
- nmap - Free Security Scanner For Network Exploration & Security Audits
- pig - A Linux packet crafting tool
- tcpdump/libpcap - A common packet analyzer that runs under the command line
- Wireshark - A network protocol analyzer for Unix and Windows
- Network Tools - Different network tools: ping, lookup, whois, etc
- netsniff-ng - A Swiss army knife for network sniffing
- Intercepter-NG - A multifunctional network toolkit
- SPARTA - Network Infrastructure Penetration Testing Tool
- dnschef - A highly configurable DNS proxy for pentesters
- DNSDumpster - Online DNS recon and search service
- dnsenum - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results
- dnsmap - Passive DNS network mapper
- dnsrecon - DNS Enumeration Script
- dnstracer - Determines where a given DNS server gets its information from, and follows the chain of DNS servers
- passivedns-client - Provides a library and a query tool for querying several passive DNS providers
- passivedns - A network sniffer that logs all DNS server replies for use in a passive DNS setup
- Mass Scan - TCP port scanner that spews SYN packets asynchronously, scanning the entire Internet in under 5 minutes
- Zarp - A network attack tool centered around the exploitation of local networks
- mitmproxy - An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
- mallory - HTTP/HTTPS proxy over SSH
- Netzob - Reverse engineering, traffic generation and fuzzing of communication protocols
- DET - A proof of concept for performing data exfiltration using either single or multiple channel(s) at the same time
- pwnat - Punches holes in firewalls and NATs
- dsniff - A collection of tools for network auditing and pentesting
- tgcd - A simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
- smbmap - A handy SMB enumeration tool
- scapy - A Python-based interactive packet manipulation program & library
- Dshell - Network forensic analysis framework
- Debookee (Mac OS X) - Intercept traffic from any device on your network
- Dripcap - Caffeinated packet analyzer
- Aircrack-ng - A set of tools for auditing wireless networks
- Kismet - Wireless network detector, sniffer, and IDS
- Reaver - Brute force attack against Wifi Protected Setup
- Wifite - Automated wireless attack tool
- wifiphisher - Automated phishing attacks against Wi-Fi networks
- SSLyze - SSL configuration scanner
- sslstrip - A demonstration of the HTTPS stripping attack
- sslstrip2 - SSLStrip version to defeat HSTS
- tls_prober - Fingerprint a server's SSL/TLS implementation
- WPScan - Black box WordPress vulnerability scanner
- SQLmap - Automatic SQL injection and database takeover tool
- weevely3 - Weaponized web shell
- Wappalyzer - Wappalyzer uncovers the technologies used on websites
- cms-explorer - CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running
- joomscan - Joomla CMS scanner
- WhatWeb - Website Fingerprinter
- BlindElephant - Web Application Fingerprinter
- fimap - Find, prepare, audit, exploit and even google automatically for LFI/RFI bugs
- Kadabra - Automatic LFI exploiter and scanner
- Kadimus - LFI scan and exploit tool
- liffy - LFI exploitation tool
- HexEdit.js - Browser-based hex editing
- Hexinator (commercial) - World's finest Hex Editor
- John the Ripper - Fast password cracker
- Online MD5 cracker - Online MD5 hash Cracker
- Hashcat - A faster hash cracker
- Sysinternals Suite - The Sysinternals Troubleshooting Utilities
- Windows Credentials Editor - Security tool to list logon sessions and add, change, list and delete associated credentials
- mimikatz - Credentials extraction tool for Windows OS
- PowerSploit - A PowerShell Post-Exploitation Framework
- Windows Exploit Suggester - Detects potential missing patches on the target
- Responder - A LLMNR, NBT-NS and MDNS poisoner
- Empire - Empire is a pure PowerShell post-exploitation agent
- Fibratus - Tool for exploration and tracing of the Windows kernel
- Linux Exploit Suggester - Suggests Linux exploits based on the operating system release number
- LOIC - An open source network stress tool for Windows
- JS LOIC - JavaScript in-browser version of LOIC
- T50 - A faster network stress tool
- SET - The Social-Engineer Toolkit from TrustedSec
- Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
- theHarvester - E-mail, subdomain and people names harvester
- creepy - A geolocation OSINT tool
- metagoofil - Metadata harvester
- Google Hacking Database - A database of Google dorks; can be used for recon
- Censys - Collects data on hosts and websites through daily ZMap and ZGrab scans
- Shodan - Shodan is the world's first search engine for Internet-connected devices
- recon-ng - A full-featured Web Reconnaissance framework written in Python
- github-dorks - CLI tool to scan github repos/organizations for potential sensitive information leak
- vcsmap - A plugin-based tool to scan public version control systems for sensitive information
- ZoomEye - A search engine for cyberspace that lets the user find specific network components (IPs, services, etc.)
- Tor - The free software for enabling onion routing online anonymity
- I2P - The Invisible Internet Project
- Nipe - Script to redirect all traffic from the machine to the Tor network
- IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
- IDA Free - The freeware version of IDA v5.0
- WDK/WinDbg - Windows Driver Kit and WinDbg
- OllyDbg - An x86 debugger that emphasizes binary code analysis
- Radare2 - Open-source, cross-platform reverse engineering framework
- x64_dbg - An open-source x64/x32 debugger for Windows
- Immunity Debugger - A powerful new way to write exploits and analyze malware
- Evan's Debugger - OllyDbg-like debugger for Linux
- Medusa disassembler - An open source interactive disassembler
- plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code
- peda - Python Exploit Development Assistance for GDB
- Pwntools - Framework for use in CTFs