Penetration Testing Tools
Penetration testing tools and frameworks for manual security testing, exploit development, and vulnerability validation.
Browse 272 penetration testing tools
FEATURED
USE CASES
PEDA is a Python extension for GDB that enhances debugging with colorized displays and specialized commands for exploit development and binary security analysis.
A full-featured reconnaissance framework for web-based reconnaissance with a modular design.
Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ...
Boofuzz is a network protocol fuzzing tool that aims to fuzz everything
A penetration testing tool that intercepts SSH connections by patching OpenSSH source code to act as a proxy and log plaintext passwords and sessions.
A Linux exploit suggestion tool that identifies potential privilege escalation vulnerabilities by analyzing kernel versions and matching them against a database of known exploits.
A modular and script-friendly multithread bruteforcer for managing task parameters in Python scripts.
Hash Extender is a command-line tool that automates length extension attacks against various hashing algorithms including MD5, SHA-1, SHA-256, and others.
A Python library that simplifies format string vulnerability exploitation by providing tools for payload generation, memory manipulation, and automated parameter detection.
A fuzzing framework for Android that creates corrupt media files to identify potential vulnerabilities
FuzzDB is an open-source dictionary of attack patterns and predictable resource locations for dynamic application security testing and vulnerability discovery.
A tool to profile web applications based on response time discrepancies.
Exploiting WordPress With Metasploit, containing 45 modules for exploits and auxiliaries.
OneGadget is a CTF-focused tool that uses symbolic execution to find RCE gadgets in binaries that can execute shell commands through execve('/bin/sh', NULL, NULL).
Open source penetration testing tool for detecting and exploiting command injection vulnerabilities.
A virtual host scanner with the ability to detect catch-all scenarios, aliases, and dynamic default pages, presented at SecTalks BNE in September 2017.
NoSQLMap is an open source Python tool that automates NoSQL injection attacks and exploits configuration weaknesses in NoSQL databases to disclose or clone data.
A next generation version of enum4linux with enhanced features for enumerating information from Windows and Samba systems.
Script to find exploits for vulnerable software packages on Linux systems using an exploit database.
BeEF is a penetration testing framework that exploits web browsers to assess client-side security vulnerabilities and launch attacks from within the browser context.
AFE Android Framework for Exploitation is a framework that provides tools and techniques for exploiting vulnerabilities in Android devices and applications.
WackoPicko is an intentionally vulnerable web application used for security testing, penetration testing practice, and vulnerability scanner evaluation.
Sublist3r is a python tool for enumerating subdomains using OSINT and various search engines.
A collection of precompiled Windows exploits for privilege escalation.
Penetration Testing Tools FAQ
Common questions about Penetration Testing tools, selection guides, pricing, and comparisons.
A pen tester toolkit typically includes: reconnaissance tools (subdomain enumeration, port scanning, OSINT), vulnerability scanners (web, network, cloud), exploitation frameworks (for validating vulnerabilities), post-exploitation tools (privilege escalation, lateral movement), password cracking and credential testing tools, and reporting tools to document findings with remediation guidance.
