PenTest+ Tools
BloodHound
Explores relationships between objects in Active Directory or Azure and displays them graphically. This is potentially useful for identifying privilege escalation opportunities along an attack path, but running the tool against an environment is typically very noisy and potentially disruptive. It should be scoped carefully during any assessment and used thoughtfully, or potentially avoided when stealth is a primary operational concern. Post Exploitation Tool
Android SDK Tools
The official Android API tools, including an integrated development environment (IDE) for developing Android applications. They are useful for mobile application and device testing, including source code analysis. Mobile Device Tool
Medusa
This is a tool similar to Hydra, in that it performs password brute-force attacks against live services. It supports multiple protocols and can send requests in parallel from wordlists. During a pentest, you would use this tool in the same circumstances that you would use Hydra, with the choice being based on preference, performance in your environment, and protocol support. Credential Testing Tool
SearchSploit
This is a tool that is included with Kali Linux that can be used for searching exploit-db. This allows you to search for potential exploits based on identified target characteristics or specific vulnerabilities. Debugging Tool/Miscellaneous Tool
ProxyChains
This tool allows you to tunnel other traffic besides web traffic over a proxy. This is useful during a pentest when you need to access systems on a network that is inaccessible to your attack platform but accessible to a target you have compromised. Essentially, this tool allows you to bridge networks by creating a proxy tunnel for any other protocol. It determines what ports and targets to use for the tunnel using a config file (default: proxychains.conf). You could use it to run Nmap by doing the following, for example: $ ************** nmap -A 10.20.0.0/24 Remote Access Tool
SQLmap
This tool attempts to automatically identify and exploit SQL injection when supplied with a target URL. If you were performing a web application pentest and identified a potential SQL injection in a form using Burp Scanner, you could take the URL and give it to this tool. This tool would attempt to identify a working SQL injection string so that you could exploit the vulnerability and examine the impact or provide a proof of concept for exploitation during the pentest. Scanning Tool
Frida
This tool is a mobile testing toolkit that allows pentesters to inject scripts into black box processes and gain insight into the operations of APIs, private code, and running functions during security testing of mobile devices. Mobile Device Tool
ScoutSuite
This tool is a multiplatform cloud security auditing tool. It runs automatic checks via a command-line interface and produces a report to highlight potential flaws in configurations of cloud environments or other issues that should be manually investigated. This can serve as a quick initial identification of areas to examine in large-scale cloud assessments. Scanning Tool/Cloud Tool
Patator
This tool is a password brute-forcing tool that works against live listening services. Similar to Hydra and Medusa, it is another solution that uses modules to target specific protocols and can perform host and user enumeration, as well as password guessing attacks based on files containing guessable items, such as hostnames, usernames, and passwords. Credential Testing Tool
Metasploit
This tool is a pentesting framework that includes many community-contributed modules for attack. It is useful for most phases of penetration testing, including reconnaissance, vulnerability identification, exploitation, and command and control. Miscellaneous Tool
EAPHammer
This tool is a pentesting tool designed for gaining access to wireless networks using evil twin attacks against WPA and WPA2 networks and networks using RADIUS. This tool can be installed in Kali Linux and is useful when you need to steal RADIUS credentials with a malicious AP or AD credentials with a hostile portal. It also supports karma attacks. Wireless Tool
Whois
Whois is both a service for looking up domain registration information and the command-line client for that service, which is what the tool included with Linux, as referenced here, is. The client can be used to look up IP or hostname ownership information and can specify which whois server to use for the query. OSINT Tool
w3af
This tool is a web application attack and audit framework designed to attempt to find and exploit vulnerabilities in web applications. Launching this tool at the command line will drop you into the tool's own shell, where you can supply run parameters through context settings and execute scans. For example: $ ****** ******>>> target ******/config:target>>> set target http://derp.pro ******/config:http-settings>>> back ******>>> start You can use this to check a single directory for vulnerabilities according to all or a set of audit plugins, crawl to identify other URLs, or even ignore specific forms or URLs by creating exclusions. This tool is useful for scanning REST APIs, identifying endpoints, and attempting to automatically identify and exploit vulnerabilities using various payloads. Credential Testing Tool
CrackMapExec
This tool is a post-exploitation tool designed to stealthily automate security testing of Active Directory environments. It uses native tools to "live off the land" as part of its tactic to remain undetected and evade security controls that would otherwise block attack tools. It also uses Impacket and PowerSploit to assess privilege issues and perform attack actions. This tool is worth additional independent exploration, although the documentation in the URL provided will get you started. Miscellaneous Tool
CloudBrute
An enumeration tool for cloud environments. It supports multiple cloud providers and can identify buckets, applications, and storage based on domain information or other target keys supplied at runtime from an unauthenticated perspective. It can also help enumerate exposed ports and HTTP/S services based on what it finds. It is designed to run from the command line, using option flags to modify its behavior. Cloud Tool
Bash
A *NIX operating system shell: the command-line interface and command language interpreter for many *NIX systems. Scripts written in this can be used for pentest and system administration automation, including reverse and bind shells, shell escapes, and privilege escalation, among others. Other Tool
ApkX
A Python wrapper for multiple tools that extracts Java source code from APK files. This automates the process of extraction, decompilation, and conversion. This tool is useful when you need to examine the actual Java code within an APK for code tampering and reverse engineering. Mobile Device Tool
Metagoofil
A Python-based tool that can search for metadata from public documents located on a target's website. Steganography Tool
PowerSploit
A collection of PowerShell modules that create an extensive exploitation framework for use against Windows systems. Miscellaneous Tool
TCPDump
A command-line protocol analysis tool that can conduct packet sniffing, decoding, and analysis. Network Tool
Online SSL Checkers
A web application that can be used to test the validity, strength, and security of an SSL or TLS digital certificate for a given web server. Steganography Tool
Burp Suite
A web security testing toolkit offered as a graphical application. It has both a Professional and a free Community edition. This tool allows you to proxy and intercept, tamper with, replay, and inject web traffic. It offers various plugins (like DirBuster) via a community store that automate attacks such as brute force, SQL injection, and attacks against session management. It even contains a decoder to make it easier to transform and analyze web data. This tool will show the request and the response for various web traffic and has an embedded browser for testing. It can passively or actively crawl sites and highlight potential security issues as it goes using a built-in vulnerability scanner. Web Application Tool/Mobile Device Tool
Wifite
A wireless auditing tool that can be used to conduct a site survey to locate rogue and hidden access points. Wireless Tool
Aircrack-ng Suite
A wireless testing suite comprising various command-line tools. It can help capture wireless traffic; replay traffic; crack WPA, WPA2 PSK, and WEP; and perform attacks such as deauthentication attacks, creating fake access points, and injecting packets. Wireless Tool
Postman
An API platform for building and using APIs that simplifies each step of the API lifecycle and streamlines collaboration. Mobile Device Tool
APK Studio
An IDE designed with reverse engineering Android applications in mind. It allows you to decompile, recompile, sign, and install APKs for Android devices; edit and view code; and includes a hex editor for binary files. This is useful if you have a compiled Android application you need to reverse or need to bypass certificate pinning in order to intercept traffic between the application and a remote service. Mobile Device Tool
BeEF (Browser Exploitation Framework)
An exploitation tool that focuses on client-side attacks (like XSS and session hijacking) against web browsers. You can use this tool in web-based social engineering attacks by generating and injecting JavaScript hooks into web content that allow you to interact with the target browser via a console provided by this tool. This can be used to gain footholds on a hooked target, steal credentials or authentication materials, and execute other attacks within the context of the browser. Social Engineering Tool
Needle
An open-source, modular framework used to streamline the security assessment process for iOS applications (it has been decommissioned). Mobile Device Tool
Brakeman
If you need to perform static application security testing (SAST) against a Ruby on Rails application, this tool will take Rails source code, scan it, and produce a report of potential security issues. As with all automated code analysis tools, it may generate false positives, so its results should be manually reviewed. It will also miss issues that are introduced at runtime by interaction with other components, so it should be used with other tools and DAST methodologies to fully evaluate an application for pentesting. It is run from the command line using dashed options (-A, -n, etc.) to define its behavior and can either target a specific application and path or run against the application in the current directory. Scanning Tool
Call Spoofing Tools
Many tools aid in caller ID spoofing, and the Social-Engineer blog has a great list. Generally, the purpose is to hide the phone number you are calling from or make it appear as another number during phone-based social engineering attacks. Many business phones show the caller ID information, and it raises less suspicion if the source number appears familiar to the person answering the call. Local and regional laws may affect what is legally allowed when it pertains to caller ID spoofing, so be aware of these limitations as part of your scoping exercise. Social Engineering Tool
Gobuster
This tool can be used to enumerate Amazon S3 buckets; virtual hostnames for web servers; and DNS entries using fuzzing, filters, and different protocols and HTTP methods. The tool is designed to run at the command line, with flags to modify its behavior at runtime. The tool has four modes: dir (for directory brute-forcing), dns (for DNS hostname enumeration), s3 (for AWS buckets), and vhost (for virtual hosts on web servers). At runtime, you specify a wordlist and output file location, as well as the necessary information for targeting. Web Application Tool
Interactive Disassembler (IDA)
This tool comes in various paid versions and a free version (IDA Free). The features that are available differ across versions, but it is a powerful code disassembly and debugging tool. It analyzes a compiled application and examines how the CPU processes the information and attempts to generate assembly code from that analysis, and it can support remote debugging for various types of fuzzing attacks. It has a variety of plugins (e.g., HexRays) that allow you to extract C code from a compiled binary for static code analysis. It is useful for code analysis, reverse engineering, vulnerability research, and exploit development. Debugging Tool
Sonic Visualiser
This tool has a graphical user interface and is designed to analyze the contents of audio files by showing the sound data graphically as waves or other patterns. It can be used to retrieve steganographic data from audio files hidden by tools like Coagula. Steganography Tool
mitm6
This tool intercepts DNS and DHCP queries from a selected target and operates as a rogue DNS/DHCP server. This can then be used to redirect victim traffic to other malicious resources or perform relay attacks when used with tools like ntlmrelayx in Impacket. Miscellaneous Tool
Covenant
This tool is a .NET C2 framework designed to allow pentesters to collaborate during an attack operation. The tool uses a web interface for orchestration of the components, including configuration of listeners, payload generation, and management of agents on compromised hosts called Grunts. Debugging Tool
Spooftooph
This tool is a Bluetooth testing tool that is designed to spoof or clone a Bluetooth device name, class, and address. This tool can log Bluetooth information, generate new Bluetooth profiles with random data, change the profile dynamically based on a time interval, and choose a device to clone from a scan log. It can be used to scan for Bluetooth devices in a range, clone a device, and gather information sent to it. Wireless Tool
Hashcat
This tool is a GPU-based cracking engine designed for brute-force and dictionary attacks using rules and filters. It's designed to target password hashes of various kinds, and it is considered to be the fastest method for password cracking. Use this when you have a hash that you cannot pass, or if you need to audit password strength based on a collection of hashes. Credential Testing Tool
DirBuster
This tool is a Java application that uses dictionaries and wordlists to attempt to guess directories and filenames on websites. Directories or files that are not listed in site indexes or linked from pages you have crawled cannot be discovered automatically and must be brute-forced. This tool is now an inactive project that has been integrated into OWASP ZAP, but you can read more about its ideal use cases at OWASP. Credential Testing Tool
Empire
This tool is a PowerShell exploitation framework that is no longer supported by its original authors. However, since many of the tools do still work, they are sometimes referenced by pentest blogs and are still used in practice. These tools have become well-known and are therefore more likely to be detected in advanced environments unless additional methods of concealment (such as using PowerPick or obfuscation techniques) are also applied. The framework includes many PowerShell scripts and modules designed for gathering credentials (running Mimikatz), discovery and reconnaissance, privilege escalation, lateral movement, and persistence, among others. Miscellaneous Tool
Wifite2
This tool is a Python script for attacking wireless networks. It can perform the offline pixie dust attacks and online PIN brute-forcing against WPS networks; capture WPA handshakes and PMKID hashes; and perform various WEP attacks, including fragmentation, chopchop, and replay attacks. It requires the aircrack-ng suite for wireless capture, relay, and cracking. Wireless Tool
Fern
This tool is a Python tool for Wi-Fi security auditing and cracking. It can recover WEP, WPA, and WPS keys, as well as perform several types of Wi-Fi attacks (Reaver, chopchop, fragmentation attacks, and more). It comes in a free version (GitHub) and a paid professional version. It requires the aircrack-ng suite, Scapy, and Reaver. Wireless Tool
Impacket
This tool is a Python tool suite used for network protocol manipulation. There are many valid uses for this tool during penetration tests, including interacting with Windows hosts from Linux attack platforms. One example might be to use an admin credential to DCSync a domain controller from a Linux box. Miscellaneous Tool
Reaver
This tool is a Wi-Fi brute-forcing tool designed to attack WPS registrar PINs to get WPA/WPA2 passphrases and can perform the offline pixie dust attack. Wireless Tool
WinDbg
This tool is a Windows-based debugging program. It has similar use cases to other debuggers such as OllyDbg and Immunity Debugger, although each has a different interface and output. For pentesting, it is sometimes preferred for Windows kernel debugging because of its kernel hooking capabilities. Debugging Tool
Wireless Geographic Logging Engine (WiGLE)
This tool is a collection of public wardriving data that you can use to look up SSIDs and BSSIDs to find out where they are according to GPS information in the search database. This is good for passive information gathering in preparation for a wireless or physical pentest assessment, as you can also look at maps to identify the wireless networks that have been observed during previous wardriving exercises, as reported by the community. Wireless Tool
TinEye
This tool is a reverse image search tool. You can load or reference an image and then search for it online. You can do the same thing with Google Images search, but this is sometimes useful in finding an original image in order to identify whether it has been manipulated with a steganography tool. For example, you can compare the image found with this tool to the copy you suspect has been manipulated with compare from the ImageMagick suite or something like XOR to attempt to derive the steganographic text. Steganography Tool
Security Content Automation Protocol (SCAP)
This tool is a collection of specifications for exchanging content from security automation. Specifications include resources for asset identification, asset reporting, NIST's Common Configuration Enumeration (CCE) and Common Platform Enumeration (CPE), Open Vulnerability Assessment Language (OVAL), Software Identification (SWID), and more. The idea is to provide content for configuration compliance checks and vulnerability identification that multiple tools can use in order to perform additional evaluation of security based on standards. This is most commonly referenced in environments requiring compliance according to U.S. government specifications. Scanning Tool
Hping
This tool is a command-line tool for generating TCP/IP packets. While its functionality has been implemented in Nmap, hping3 is scriptable in the Tcl scripting language, and it can render packets into string-based, human-readable descriptions for ease of writing scripts to perform low-level packet manipulation and analysis. With this tool, you can also spoof the source IP address and generate large amounts of traffic in order to explore various DDoS techniques, the most common use case during pentesting. Networking Tool
Wapiti
This tool is a command-line tool that fuzzes web applications during a black box penetration test and attempts to identify SQL injections, XSS, file disclosure vulnerabilities, XXE, CRLF, and more. It can also attempt brute-forcing of files, directories, and login forms. The shortest way to use it is: $ ****** -u http://targeturl/ Scanning Tool
theHarvester
This tool is a command-line tool that helps pentesters perform OSINT gathering about a target during the early phases of a pentest engagement. Examples of data gathered include e-mails, names, subdomains, IP addresses, and URLs. It can perform both passive and active information gathering, and it also can perform DNS brute-forcing. OSINT Tool
Exploit Database
This tool is a database of known exploits contributed by the community that you can search to find proofs of concept and exploit examples for use during a pentest. Exploits may need to be additionally modified in order to be useful within the context of a specific penetration test.
Recon-ng
This tool is a framework for conducting reconnaissance. The tool implements a Metasploit-like shell from which you can run modules to perform reconnaissance. Modules can be downloaded from a marketplace from within the tool. It uses API keys for web systems such as VirusTotal, GitHub, Censys, or Shodan to gather OSINT as part of the passive information gathering process. This can help you find target hostnames, social media data from targeted users, leaked credentials, contact information, and more. OSINT Tool
OllyDbg
This tool is a free Windows-based debugger. It's useful in performing code analysis by tracing registers and recognizing strings, constants, API calls, procedures, and more. As many tools in the debugging space cost money, this is often an alternative for pentesters with limited budget or resources. Debugging is helpful for vulnerability identification, exploit development, and dynamic application analysis. Load an application into a debugger, and you can manipulate inputs and outputs for various functions during runtime by using execution breakpoints in order to identify flaws in application logic or other bugs. Debugging Tool
GNU Debugger (GDB)
This tool is a free debugger. Debuggers allow you to interact with applications as they run in order to analyze their behavior by doing things like pausing execution at specific breakpoints and analyzing what has happened during a failure or change in execution. Debuggers do not disassemble code from the compiled format to source code, but they can allow insight into how the code runs based on changes to execution they inject during runtime. These are useful for vulnerability research, reverse engineering, and exploit development. One example would be if you are trying to bypass authentication in an application by changing the value sent from an authentication function to the rest of the program manually in a debugger. Debugging Tool
Nmap
This tool is a free pentest tool for network discovery and security testing. It is typically run from the command line, but a GUI version (Zenmap) does exist. This tool has a robust scripting engine and a sizable collection of scripts to perform various activities, including everything from brute force and enumeration to database hash dumping and form fuzzing. Vulnerability Scanning Tool
Open Vulnerability Assessment Scanner (OpenVAS)
This tool is a free vulnerability scanner and an open-source alternative to Nessus. The library of vulnerabilities and tests that it uses is community-contributed, and it may have different findings than other vulnerability scanners such as Nessus, but it provides a free and open-source alternative to other options for fast vulnerability identification and attack surface enumeration. Scanning Tool
OWASP Zed Attack Proxy (ZAP)
This tool is a free web application scanner. Its functional purpose is very similar to Burp Suite, but it offers a different array of features. This tool does not offer as extensive a list of community-contributed plugins as are available with Burp Suite, for example, and it does not offer an integrated browser for testing. However, it does allow many of the same attacks that Burp Suite does, for example, injection of web content, proxying of web content, crawling, and viewing requests and responses from web servers. With this tool, though, vulnerability identification is more manual than with Burp Suite, which leverages a built-in vulnerability scanner. Web Application Tool
Wireshark
This tool is a graphical network traffic analyzer. It can be used against packet captures from many kinds of networks and enables deep protocol inspection, live packet capture, and analysis of PCAPs from other sources. This tool has many uses during a pentest, including the ability to extract files from captured network streams, extract conversations from VoIP traffic, deconstruct decrypted communications, and analyze network communications for insecurely transmitted sensitive data. However, capturing data requires access to the network in question. This is often first accomplished with some form of on-path attack or access to one party of the network communication. Otherwise, only broadcast traffic may be visible. Networking Tool
Objection
This tool is a mobile exploitation toolkit that aids in runtime security testing without needing to jailbreak the device. By using a patched application to hook Objection calls, you can remotely interact with the device to explore security issues. Mobile Device Tool
Mobile Security Framework (MobSF)
This tool is a mobile pentesting framework that can target Android, iOS, and Windows devices. Mobile Device Tool
Steghide
This tool is a steganography program that can hide or retrieve data hidden inside image or audio files. The resulting file looks and sounds exactly like the original file from a human perspective. Data can be encrypted when hidden. An example of usage is: $ ****** embed -cf myimage.jpg -ef secretfile.txt -sf newimage.jpg This hides the file "secretfile.txt" (the embedded file) inside a new file called newimage.jpg (the stego file) that is based on the file myimage.jpg (the cover file). This will prompt for a passphrase at runtime. To recover the file, you would use the extract command with the -xf flag to write the data from the newimage.jpg file back into secretfile.txt and supply the passphrase: $ ****** extract -sf newimage.jpg -xf secretfile.txt Steganography Tool
Snow
This tool is a steganography tool that allows you to test security controls evasion by hiding data using the white space of ASCII messages. This is useful for data exfiltration testing. Since trailing white space characters are not typically visible to the human eye, this tool takes data to be hidden, a passphrase, a file in which to hide the data, and an output file to place the result. It can compress the data to hide it, or uncompress it if it is recovering it. Here is an example: $ stegsnow -C -f hideme.txt -p "Super strong passphrase" innocent.txt hidden.txt The output file will look identical to the original innocent.txt to the human eye. Steganography Tool
OpenStego
This tool is a steganography tool that can hide and recover hidden data from files. This tool takes a source file (i.e., the file you are hiding) and an image in which you would like to hide the file; both values are supplied via a graphical user interface. This tool outputs an image file that appears visually to be the same as the original image, but it contains the full contents of the source file encoded within the image. This information can optionally be encrypted to prevent unauthorized recovery of the data. These types of tools are useful for data exfiltration and security control evasion. Steganography Tool
Hydra
This tool is a tool for password spraying and brute-forcing against live services, including HTTP, Oracle, Cisco, POP3, VNC, and more. Its highly parallelized approach to attacking live services across multiple protocols, as opposed to offline password cracking, makes it very useful for pentesters to evaluate password security and effective attack detection and mitigation during purple team exercises. It is typically used as a command-line tool that will run on various operating systems, using dashed flags to modify its behavior. Credential Testing Tool
Responder
This tool is a tool for responding to LLMNR, NBT-NS, and MDNS requests and intercepting the resulting data from that exchange. It can be used to gather Windows challenge hashes resulting from requests to nonexistent services or other maliciously redirected requests. The tool has multiple uses, but this is the primary use you will likely see on the exam. Miscellaneous Tool
Netcat (nc)
This tool is distributed with many Linux distributions and allows you to send and receive TCP and UDP traffic, listen on arbitrary TCP and UDP ports, and do many other tasks with TCP or UDP. It is highly scriptable using Bash, for example, and can be used during a pentest to transfer files to or from target machines, implement bind or reverse shells, or directly test a service using a raw connection. Remote Access Tool
FOCA (Fingerprinting Organizations with Collected Archives)
This tool mines documents for metadata and other hidden information. This information may be useful in the context of reconnaissance and discovery in preparation for social engineering attacks. For example, this can help extract author information, e-mail addresses, or even account information for the generation of pretexts and creating targeting lists. OSINT Tool
Mimikatz
This tool is a tool used to extract authentication information from Windows systems. This includes Kerberos tickets, plaintext passwords, password hashes, PIN codes, and more. It can help pentesters perform pass-the-hash and pass-the-ticket attacks, as well as Kerberoasting attacks by building golden tickets. During a pentest you would use this tool during post-exploitation, such as if you have access to a system and wanted to gather additional credentials for lateral movement or privilege escalation. Credential Testing Tool
nslookup
This tool is a utility that is included with multiple operating systems that allows you to make DNS queries to find hostnames from IP addresses and IP addresses from hostnames on a network. That is its most primitive use, however. Various command-line and usage modes make it useful for reconnaissance and troubleshooting of DNS. OSINT Tool
Nessus
This tool is a vulnerability scanner. It can perform network discovery using port scans and enumerate services from either an authenticated or nonauthenticated context. From an unauthenticated context, it attempts to connect to exposed services and use banner and installation information or differences in protocol responses to attempt to identify listening services and versions. It can then compare that information to an extensive internal database of known vulnerabilities to highlight potential or confirmed vulnerabilities on the identified services. This is useful for identifying potential paths for exploitation and quickly performing mass discovery when stealth is not a concern during a pentest. Scanning Tool
WPScan
This tool is a web application security scanner that focuses on WordPress installations. It attempts to identify insecure WordPress configurations and plugins based on versioning data, username enumeration, known default passwords, exposed files, and a database of known vulnerabilities. The tool requires a license to be used commercially. Scanning Tool
Nikto
This tool is a web server vulnerability scanner. It tests for known vulnerabilities against target web URLs you provide. You would use it to find known vulnerabilities pertaining to outdated plugin versions or other web software in cases where stealth is not a concern. Scanning Tool
Kismet
This tool is a wireless security assessment tool that can detect devices, sniff wireless traffic, and aid with wardriving. It supports Bluetooth as well as traditional wireless networks. It is most commonly used for wireless reconnaissance and supports graphical mapping of wireless data based on supplemental GPS data. Wireless Tool
mdk4
This tool is a wireless testing tool used to inject frames on several operating systems. This allows you to perform numerous attack types, including beacon flooding, denial of service and deauth attacks, SSID probe and brute-forcing, packet fuzzing, and more. An example of performing a beacon flooding attack on the wireless interface wlan0 using nonprintable characters and long SSIDs (-a) with valid MAC addresses according to the embedded OUI database (-m) at a rate of 200 packets per second (-s) might look like this: $ sudo ****** wlan0 b -a -m -s 200 Wireless Tool
Pacu
This tool is an AWS security testing toolkit created by Rhino Security Labs. It uses modules to perform various actions, including testing permissions, injecting backdoors via credentials, and conducting automated privilege escalation attacks. Cloud Tool
Drozer
This tool is an Android security assessment framework, which acts as a third-party application that interacts with IPC endpoints for other applications and the underlying OS. This allows you to search for security vulnerabilities by interacting with the target via provided modules. Mobile Device Tool
Secure Shell (SSH)
This tool is an encrypted remote access protocol. It's often found natively in Linux systems, but may be installed in Windows. In addition to being able to be used for remote administration, this tool can be used to tunnel traffic across networks. Remote Access Tool
Ncat
This tool is the Nmap project's implementation of the Netcat (nc) tool. It allows you to read and write data across networks using the command line. It can be used to redirect TCP and UDP ports to other sites, and it supports SSL and proxy connections via SOCKS. This tool is integrated into Nmap and is downloaded with it. Remote Access Tool
John the Ripper (JtR)
This tool is an offline password cracking tool. For CPU-based cracking, this tool is one of the fastest tools for password recovery. So, if GPU cracking is unavailable, you would use this tool. However, this tool also implements different rule sets than other cracking tools, and these rule sets may recover passwords where other cracking tools fail, so it is a good supplement to other cracking tools for large password lists. Credential Testing Tool
Ettercap
This tool is an on-path tool for network traffic. It can perform ARP spoofing attacks, sniff network traffic over a live connection, and apply filters to modify that traffic in real time. It is a command-line tool that supports being run on Linux, BSD, and some versions of macOS. This tool is useful if you have access to a network but need to intercept or modify traffic between other network endpoints on the same subnet in order to further your access, for example when you need to attempt to steal credentials or hijack web traffic. Mobile Device Tool
Social-Engineer Toolkit (SET)
This tool is an open-source Python toolkit for pentesting using social engineering. It has integrations with Ettercap, Metasploit, and other tools. Among other capabilities, this tool can generate and host web-based payloads for social engineering attacks and create and send spoofed e-mails. Social Engineering Tool
Cain
This tool is the cracking component of another tool. It was originally created as a GUI application for older versions of Windows (Windows 2000 and earlier). It can crack passwords using brute-force and dictionary attacks, and it supports rainbow tables. Password targets include WEP, NTLM and LM hashes, NTLMv2 hashes, MD5 hashes, SHA-1 and SHA-2 hashes, Cisco IOS and PIX hashes, and RADIUS and IKE PSK hashes. The tool is older and well-known, and is therefore recognized as malware by most host security products. It's mainly useful when other crackers do not support the hash type or when rainbow tables would be faster than GPU-based attacks using dictionaries or rules-based brute force. Another tool that implements rainbow tables is RainbowCrack. Credential Testing Tool
Immunity Debugger
This tool is useful for exploit development, malware analysis, and reverse engineering. It allows you to graphically render functions and program flows, facilitates heap analysis, and implements a Python API for scriptability. The Mona Python plugin, for example, will allow you to easily figure out offsets for buffer overflows, identify ROP chains, and explore other gadgets that are useful for exploitation. Debugging Tool
Cloud Custodian
This tool runs a series of scripts that are designed to audit the security of cloud environments. It uses YAML files with policies to define what it looks for and produces reports of likely issues found with permissions and other cloud configurations based on the policy used to run it. It runs from the command line using a mode to control its behavior. For instance, it can scan, do nothing but validate the YAML, or can attempt to remediate the target. For cloud environments with well-documented assumptions, this can identify low-hanging fruit or make recommendations across many cloud assets quickly. Cloud Tool
Censys
This tool scans publicly exposed assets on the Internet and stores the details in a searchable database. The searchable database is useful for performing passive reconnaissance about a target using data gathered about ports and services listening on hosts and other data exposed in their certificates. OSINT Tool/Miscellaneous Tool
truffleHog
This tool searches GitHub repositories for secrets (such as SSH or API keys), examining commit history and branches for accidental leaks of important information. Searches can be limited by depth, by target repository, and with regex filters. During a pentest, these can be useful for identifying potential leaks of credentials or keys that could establish an initial access point for cloud or authentication service targets, for example. Miscellaneous Tool
Shodan
This tool's strength is aiding pentesters in gathering information about a target using passive techniques. This tool scans Internet-facing assets, gathers information about open ports and identifiable services, and allows you to search the results of those scans without touching the targets yourself. OSINT Tool
Coagula
This tool takes images and turns them into sounds. This can be used as part of steganography to conceal data within sound files. This may be a useful mechanism for data exfiltration to bypass data loss prevention tools or other security controls designed to trigger based on malicious content. Files can be reassembled from the sound file using a tool such as Audacity, Spek, or Sonic Visualiser. Steganography Tool
Maltego
This tool uses transforms to automatically retrieve reconnaissance data from open-source and paid data sources based on search seeds, such as an e-mail address or domain name. This is a powerful reconnaissance tool that can quickly identify relationships between targets, such as e-mails, web servers, or other infrastructure (e.g., IP ranges). These relationships are very useful for constructing and confirming target lists, building pretexts, and identifying other potentially interesting areas for research about your target. OSINT Tool
CeWL
This tool will crawl target websites and assemble a wordlist from interesting terms identified during the crawl, including e-mail addresses. These wordlists can then be used for further targeting, for brute-forcing possible URLs or hostnames, or even as password-cracking dictionaries. This tool is written in Ruby and is designed to be run from the command line using flags (e.g., -w0) to govern its behavior. Options include controlling the depth of the crawl, the output file, the user agent to send, the length of words that it collects, and whether or not to include e-mail addresses. Credential Testing Tool
Airodump-NG
Used to capture network traffic and save it to a PCAP file. Wireless Tool
Aireplay-NG
Used to conduct a deauthentication attack by sending spoofed deauth requests to the access point. Wireless Tool
Aircrack-NG
Used to conduct protocol and password cracking of wireless encryption. Wireless Tool
Airmon-NG
Used to monitor wireless frequencies to identify access points and clients. Wireless Tool
Rogue Access Points
Wireless security testing tools may be able to act as a rogue AP. This can entice wireless supplicants to connect, enabling the tester to acquire credentials or other information from the victim systems. Wireless Tool