Note: Some tools that are relevant to a specific topic are listed under that topic and not here.
- Yersinia – layer 2 attack tool for protocols such as STP, CDP, DTP, DHCP, HSRP, etc. Built into Kali
- pinfinder – Recovers the restrictions passcode on iOS devices from an iTunes backup
- XXEinjector – Tool for automatic exploitation of XXE vulnerabilities using direct and various out-of-band methods
- HostileSubBruteforcer – brute-forces DNS subdomains
- wp-bruteforcer – A simple PHP CLI tool / library to brute-force WordPress XML-RPC logins using amplification
- PGPCrack-NG – program designed to brute-force symmetrically encrypted PGP files. It is a replacement for the long-dead PGPCrack.
- Pixie-WPS – An offline WPS brute-force utility
- SIMBL – cracking an Objective-C app without modifying it, using SIMBL + method swizzling. SIMBL injects code into an application while it loads
- JexBoss – tool for testing and exploiting vulnerabilities in JBoss Application Server
- USB-Rubber-Ducky – The USB Rubber Ducky is a Human Interface Device programmable with a simple scripting language allowing penetration testers to quickly and easily craft and deploy security auditing payloads that mimic human keyboard input
  - big list of available payloads:
- skipfish – old web security scanning tool but sounds cool:
* High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint. This can be attributed to:
* Multiplexing single-thread, fully asynchronous network I/O and data processing model that eliminates memory management, scheduling, and IPC inefficiencies present in some multi-threaded clients.
* Advanced HTTP/1.1 features such as range requests, content compression, and keep-alive connections, as well as forced response size limiting, to keep network-level overhead in check.
* Smart response caching and advanced server behavior heuristics are used to minimize unnecessary traffic.
* Performance-oriented, pure C implementation, including a custom HTTP stack.
A nice list of stuff to check in web pentesting: a list of the security checks offered by the tool is outlined below.
* High risk flaws (potentially leading to system compromise):
* Server-side query injection (including blind vectors, numerical parameters).
* Explicit SQL-like syntax in GET or POST parameters.
* Server-side shell command injection (including blind vectors).
* Server-side XML / XPath injection (including blind vectors).
* Format string vulnerabilities.
* Integer overflow vulnerabilities.
* Locations accepting HTTP PUT.
* Medium risk flaws (potentially leading to data compromise):
* Stored and reflected XSS vectors in document body (minimal JS XSS support).
* Stored and reflected XSS vectors via HTTP redirects.
* Stored and reflected XSS vectors via HTTP header splitting.
* Directory traversal / LFI / RFI (including constrained vectors).
* Assorted file POIs (server-side sources, configs, etc).
* Attacker-supplied script and CSS inclusion vectors (stored and reflected).
* External untrusted script and CSS inclusion vectors.
* Mixed content problems on script and CSS resources (optional).
* Password forms submitting from or to non-SSL pages (optional).
* Incorrect or missing MIME types on renderables.
* Generic MIME types on renderables.
* Incorrect or missing charsets on renderables.
* Conflicting MIME / charset info on renderables.
* Bad caching directives on cookie setting responses.
* Low risk issues (limited impact or low specificity):
* Directory listing bypass vectors.
* Redirection to attacker-supplied URLs (stored and reflected).
* Attacker-supplied embedded content (stored and reflected).
* External untrusted embedded content.
* Mixed content on non-scriptable subresources (optional).
* HTTPS -> HTTP submission of HTML forms (optional).
* HTTP credentials in URLs.
* Expired or not-yet-valid SSL certificates.
* HTML forms with no XSRF protection.
* Self-signed SSL certificates.
* SSL certificate host name mismatches.
* Bad caching directives on less sensitive content.
* Internal warnings:
* Failed resource fetch attempts.
* Exceeded crawl limits.
* Failed 404 behavior checks.
* IPS filtering detected.
* Unexpected response variations.
* Seemingly misclassified crawl nodes.
* Non-specific informational entries:
* General SSL certificate information.
* Significantly changing HTTP cookies.
* Changing Server, Via, or X-… headers.
* New 404 signatures.
* Resources that cannot be accessed.
* Resources requiring HTTP authentication.
* Broken links.
* Server errors.
* All external links not classified otherwise (optional).
* All external e-mails (optional).
* All external URL redirectors (optional).
* Links to unknown protocols.
* Form fields that could not be autocompleted.
* Password entry forms (for external brute-force).
* File upload forms.
* Other HTML forms (not classified otherwise).
* Numerical file names (for external brute-force).
* User-supplied links otherwise rendered on a page.
* Incorrect or missing MIME type on less significant content.
* Generic MIME type on less significant content.
* Incorrect or missing charset on less significant content.
* Conflicting MIME / charset information on less significant content.
* OGNL-like parameter passing conventions.
Along with a list of identified issues, skipfish also provides summary overviews of document types and issue types found; and an interactive sitemap, with nodes discovered through brute-force denoted in a distinctive
NOTE: As a conscious design decision, skipfish will not redundantly complain about highly non-specific issues, including but not limited to:
* Non-httponly or non-secure cookies,
* Non-HTTPS or autocomplete-enabled forms,
* HTML comments detected on a page,
* Filesystem path disclosure in error messages,
* Server or framework version disclosure,
* Servers supporting TRACE or OPTIONS requests,
* Mere presence of certain technologies, such as WebDAV.
- TagCube – Web security scanner
This command starts a web server at http://localhost:4200 that allows users to log in with their username and password and get access to their login shell. All client-server communications are encrypted if SSL/TLS certificates have been installed.
- AVulnerabilityChecker – Tool to check if your computer is likely to be vulnerable to exploitable constant Read-Write-Execute (RWX) addresses (a vulnerability in anti-virus products)
  - anti-virus products allocate memory with RWX permissions at a predictable address: http://breakingmalware.com/vulnerabilities/sedating-watchdog-abusing-security-products-bypass-mitigations/
  - The tool – https://github.com/BreakingMalware/AVulnerabilityChecker
- Snyk – helps you find and fix known vulnerabilities in your Node.js dependencies
- Hook Analyzer – Malware Analysis and Cyber Threat Intelligence Software
- gcat – A fully featured backdoor that uses Gmail as a C&C server
- HawkEye – .Net Runtime object editor – Allows dynamically modifying .Net programs while they run
- JavaSnoop – Like HawkEye but for Java. It doesn’t let you change GUI objects directly; instead it lets you execute code that changes them. This difference stems from the difference between the JVM and the .Net CLR.
- ReFrameworker – like JavaSnoop but for Android. It hooks the Android Java framework. It is open source and ships inside the AppUse Android pentesting VM
- Hardware keylogger (dark web tutorial)
- Phishing powershell script
- Blackbone – Windows memory hacking library
- Script to reset the krbtgt account password and related keys to limit golden ticket life time
- SqlPerms – Simple command line tool that can monitor Microsoft SQL Server for a period of query activity and then return the smallest set of permissions necessary to execute all of the monitored queries
- Attack Surface Analyzer – Attack Surface Analyzer can help understand the changes in a Windows system’s attack surface resulting from the installation of an application. This tool essentially allows you to take a “snapshot” of a set of security-related information on a system. Then, after the system changes, you can take another “snapshot” and the tool will compare the before and after “snapshots” and show you what changed in an HTML report.
- SDL Regex Fuzzer – Allows testing a regular expression for ReDoS vulnerabilities
- SharePoint Configuration Analyzer
- Acunetix – website vulnerability scanner
- Evil Foca – MITM, DOS, hijacking attacks tool
- revtan – php dork scanner, password: hocib0.blogspot.com
- GooDork – command line google dorking tool
- BinGoo – scan website using google dorks and other techniques and also allows exploiting the vulnerabilities found
- xcodescanner – website vulnerability scanner
- Online Scanners:
  - GameSec website scanner includes one free trial scan
  - XSS and SQLi scanner
  - Port scanner
  - Website scanner