GitHub: kOaDT/awesome-pentest-tools
# Awesome Pentest Tools
This is not an exhaustive dump of every security tool on GitHub.
## Disclaimer
These tools are intended for **authorized security testing, research, and education only**. You are responsible for complying with all applicable laws and only using them against systems you own or have explicit written permission to test. The author assumes no liability for misuse.
## Using this list with AI assistants
The repository ships an interactive **pentest engagement agent** in [agents/](agents/). It walks an authorized engagement through scoping, reconnaissance, vulnerability identification, exploitation, and reporting, recommending only tools that appear in this list — no hallucinated tool names or invented flags.
The agent prompt is vendor-agnostic and works with any AI assistant that can read repository files. A Claude Code slash command (`/pentest-guide`) is bundled for convenience; copy-paste instructions for any other AI assistant are documented in [agents/README.md](agents/README.md). The [disclaimer](#disclaimer) above applies in full to anything the agent suggests.
## Contents
- [Distributions & Environments](#distributions--environments)
- [Reconnaissance & OSINT](#reconnaissance--osint)
- [Network Scanning & Enumeration](#network-scanning--enumeration)
- [Web Application Testing](#web-application-testing)
- [Wordlists & Payloads](#wordlists--payloads)
- [Vulnerability Scanning](#vulnerability-scanning)
- [Exploitation Frameworks](#exploitation-frameworks)
- [Password Attacks & Cracking](#password-attacks--cracking)
- [Active Directory & Windows](#active-directory--windows)
- [Post-Exploitation & Lateral Movement](#post-exploitation--lateral-movement)
- [Wireless](#wireless)
- [Mobile](#mobile)
- [Cloud Security](#cloud-security)
- [Container & Kubernetes](#container--kubernetes)
- [Reverse Engineering & Binary Analysis](#reverse-engineering--binary-analysis)
- [Forensics & DFIR](#forensics--dfir)
- [Honeypots & Deception](#honeypots--deception)
- [Payload Generation & Obfuscation](#payload-generation--obfuscation)
- [C2 Frameworks](#c2-frameworks)
- [Reporting & Collaboration](#reporting--collaboration)
- [Methodology & Checklists](#methodology--checklists)
- [Learning Platforms & Labs](#learning-platforms--labs)
- [CVE Proof-of-Concepts](#cve-proof-of-concepts)
- [Contributing](#contributing)
## Supply chain warning
This list is **only an aggregator of links** to third-party GitHub repositories. The author of this list does not audit, vet, or vouch for the code in any linked project. Repositories can contain bugs, outdated dependencies, or in worst cases malicious code (intentional backdoors, malware in build artifacts, typosquatted forks, compromised maintainer accounts).
**DYOR before running anything from this list.** A link here is **not** an endorsement of safety. Use your own judgement.
The same applies to commands suggested by the bundled AI agent (or any other AI assistant): read every command before you run it, understand what it does, confirm the flags against the tool's documentation, and never paste a payload into a production system on the agent's say-so.
## Distributions & Environments
## Reconnaissance & OSINT
- [amass](https://github.com/owasp-amass/amass) — In-depth attack surface mapping and asset discovery from OWASP.
- [assetfinder](https://github.com/tomnomnom/assetfinder) — Find domains and subdomains related to a given domain.
- [gospider](https://github.com/jaeles-project/gospider) — Fast web spider written in Go for crawling and recon.
- [known-breaches](https://github.com/notdls/known-breaches) — Daily-updated tracker of leaked data search engines and breach aggregators.
- [recon-ng](https://github.com/lanmaster53/recon-ng) — Modular reconnaissance framework with a Metasploit-like interface.
- [sherlock](https://github.com/sherlock-project/sherlock) — Hunt down social media accounts by username across hundreds of networks.
- [spiderfoot](https://github.com/smicallef/spiderfoot) — Automated OSINT collection with 200+ modules.
- [subfinder](https://github.com/projectdiscovery/subfinder) — Fast passive subdomain enumeration tool.
- [theHarvester](https://github.com/laramies/theHarvester) — Gather emails, names, subdomains, and hosts from public sources.
## Network Scanning & Enumeration
- [ettercap](https://github.com/Ettercap/ettercap) — Comprehensive suite for man-in-the-middle attacks with live sniffing and protocol dissection.
- [masscan](https://github.com/robertdavidgraham/masscan) — Internet-scale port scanner, capable of scanning the entire IPv4 space in minutes.
- [naabu](https://github.com/projectdiscovery/naabu) — Fast SYN/CONNECT port scanner written in Go.
- [nmap](https://github.com/nmap/nmap) — The de facto network scanner with extensive NSE scripting support.
- [rustscan](https://github.com/RustScan/RustScan) — Modern port scanner that pipes results into nmap for deeper analysis.
## Web Application Testing
- [bxss](https://github.com/ethicalhackingplayground/bxss) — Blind XSS scanner for finding stored XSS in web applications.
- [CMSmap](https://github.com/dionach/CMSmap) — Python CMS scanner that automates detection of flaws in popular CMSs.
- [dirsearch](https://github.com/maurosoria/dirsearch) — Web path scanner with sensible defaults and rich output formats.
- [feroxbuster](https://github.com/epi052/feroxbuster) — Recursive content discovery tool written in Rust.
- [ffuf](https://github.com/ffuf/ffuf) — Fast web fuzzer for content, parameter, and vhost discovery.
- [gobuster](https://github.com/OJ/gobuster) — Directory, DNS, and vhost brute-forcer.
- [jwt_tool](https://github.com/ticarpi/jwt_tool) — Toolkit for testing, tweaking, and cracking JSON Web Tokens.
- [katana](https://github.com/projectdiscovery/katana) — Next-generation crawling and spidering framework.
- [nuclei](https://github.com/projectdiscovery/nuclei) — Template-based vulnerability scanner with a massive community template library.
- [PwnFox](https://github.com/yeswehack/PwnFox) — Firefox extension with Burp Suite integration and audit helpers.
- [rogue](https://github.com/faizann24/rogue) — Automated web vulnerability scanning driven by LLM agents.
- [shannon](https://github.com/KeygraphHQ/shannon) — Autonomous web/API pentesting framework combining source code analysis with LLM-driven exploitation.
- [sqlmap](https://github.com/sqlmapproject/sqlmap) — Automatic SQL injection detection and exploitation.
- [SSTImap](https://github.com/vladko312/SSTImap) — Automatic server-side template injection detection and exploitation.
- [testssl.sh](https://github.com/testssl/testssl.sh) — Tests a server's TLS/SSL configuration on any port from the command line.
- [wpscan](https://github.com/wpscanteam/wpscan) — WordPress vulnerability scanner.
- [xsscrapy](https://github.com/DanMcInerney/xsscrapy) — XSS spider with strong detection on the wavsep benchmark.
- [ZAP](https://github.com/zaproxy/zaproxy) — OWASP's open-source web app scanner and proxy.
## Vulnerability Scanning
- [nikto](https://github.com/sullo/nikto) — Web server scanner that checks for thousands of misconfigurations and known issues.
- [OpenVAS / Greenbone](https://github.com/greenbone/openvas-scanner) — Full-featured network vulnerability scanner.
See also: [nuclei](#web-application-testing) under Web Application Testing.
## Exploitation Frameworks
- [BeEF](https://github.com/beefproject/beef) — Browser Exploitation Framework for client-side attacks via hooked browsers.
- [metasploit-framework](https://github.com/rapid7/metasploit-framework) — The industry-standard exploitation framework.
- [mythic](https://github.com/its-a-feature/Mythic) — Multiplayer, web-based C2 and post-exploitation framework.
- [sliver](https://github.com/BishopFox/sliver) — Cross-platform adversary emulation/red team framework from Bishop Fox.
## Password Attacks & Cracking
- [hashcat](https://github.com/hashcat/hashcat) — World's fastest GPU-based password cracker.
- [hydra](https://github.com/vanhauser-thc/thc-hydra) — Network logon cracker supporting numerous protocols.
- [john](https://github.com/openwall/john) — John the Ripper jumbo, the classic CPU-based password cracker.
- [netexec](https://github.com/Pennyw0rth/NetExec) — Maintained successor to CrackMapExec for AD/SMB/WinRM/etc. lateral movement.
## Active Directory & Windows
- [adidnsdump](https://github.com/dirkjanm/adidnsdump) — Enumerate and dump AD-integrated DNS records.
- [bloodhound](https://github.com/SpecterOps/BloodHound) — Six-degrees-of-Domain-Admin graph analysis for Active Directory.
- [certipy](https://github.com/ly4k/Certipy) — Enumerate and abuse Active Directory Certificate Services (ADCS).
- [impacket](https://github.com/fortra/impacket) — Collection of Python classes and scripts for working with network protocols (smbexec, secretsdump, psexec, etc.).
- [kerbrute](https://github.com/ropnop/kerbrute) — Pre-auth user enumeration and password spraying against Kerberos.
- [ldapdomaindump](https://github.com/dirkjanm/ldapdomaindump) — Dump AD information via LDAP into HTML/JSON/grep-able output.
- [mimikatz](https://github.com/gentilkiwi/mimikatz) — The classic Windows credential extraction tool.
- [responder](https://github.com/lgandx/Responder) — LLMNR/NBT-NS/MDNS poisoner and credential capture.
- [rubeus](https://github.com/GhostPack/Rubeus) — Toolset for raw Kerberos interaction and abuse.
## Post-Exploitation & Lateral Movement
- [evil-winrm](https://github.com/Hackplayers/evil-winrm) — WinRM shell with built-in tooling for post-exploitation.
- [LinPEAS / WinPEAS](https://github.com/peass-ng/PEASS-ng) — Privilege escalation enumeration scripts for Linux and Windows.
- [linux-smart-enumeration](https://github.com/diego-treitos/linux-smart-enumeration) — Linux enumeration script with severity-graded output.
- [pspy](https://github.com/DominicBreuker/pspy) — Unprivileged Linux process snooping (catches cron jobs and short-lived procs).
- [SharpHound](https://github.com/SpecterOps/SharpHound) — BloodHound's C# data collector.
## Wireless
- [aircrack-ng](https://github.com/aircrack-ng/aircrack-ng) — Complete suite for 802.11 WEP/WPA/WPA2 auditing.
- [hcxtools](https://github.com/ZerBea/hcxtools) — Capture and convert WPA/WPA2 traffic for hashcat.
- [kismet](https://github.com/kismetwireless/kismet) — Wireless sniffer, wardriving, and IDS.
- [wifite2](https://github.com/kimocoder/wifite2) — Automated wireless auditor wrapping aircrack-ng, hashcat, and friends.
## Mobile
- [frida](https://github.com/frida/frida) — Dynamic instrumentation toolkit for iOS, Android, and more.
- [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) — Automated mobile app static and dynamic analysis.
- [objection](https://github.com/sensepost/objection) — Frida-based runtime mobile exploration toolkit.
## Cloud Security
- [cloudsploit](https://github.com/aquasecurity/cloudsploit) — Multi-cloud configuration security scanner.
- [pacu](https://github.com/RhinoSecurityLabs/pacu) — AWS exploitation framework for offensive cloud security testing.
- [prowler](https://github.com/prowler-cloud/prowler) — Multi-cloud security assessment for AWS, Azure, GCP, and Kubernetes.
- [scoutsuite](https://github.com/nccgroup/ScoutSuite) — Multi-cloud security auditing tool from NCC Group.
## Container & Kubernetes
- [kube-bench](https://github.com/aquasecurity/kube-bench) — CIS benchmark checker for Kubernetes clusters.
- [kube-hunter](https://github.com/aquasecurity/kube-hunter) — Hunts for security weaknesses in Kubernetes clusters.
- [peirates](https://github.com/inguardians/peirates) — Kubernetes penetration testing tool focused on in-cluster attacks.
- [trivy](https://github.com/aquasecurity/trivy) — Comprehensive scanner for containers, IaC, and dependencies.
## Reverse Engineering & Binary Analysis
- [cutter](https://github.com/rizinorg/cutter) — Qt/C++ GUI for rizin (the radare2 fork).
- [gef](https://github.com/bata24/gef) — GDB Enhanced Features for exploit dev and reverse engineering.
- [ghidra](https://github.com/NationalSecurityAgency/ghidra) — NSA's open-source reverse engineering suite.
- [pwndbg](https://github.com/pwndbg/pwndbg) — GDB plugin focused on exploitation and CTF workflows.
- [radare2](https://github.com/radareorg/radare2) — Portable reversing framework with a steep but rewarding learning curve.
## Forensics & DFIR
- [autopsy](https://github.com/sleuthkit/autopsy) — Digital forensics platform built on top of The Sleuth Kit.
- [sleuthkit](https://github.com/sleuthkit/sleuthkit) — Library and command-line tools for filesystem forensics.
- [volatility3](https://github.com/volatilityfoundation/volatility3) — Memory forensics framework, rewritten for Python 3.
## Honeypots & Deception
- [beelzebub](https://github.com/beelzebub-labs/beelzebub) — Low-code deception runtime framework leveraging AI for system virtualization.
- [T-Pot](https://github.com/telekom-security/tpotce) — All-in-one multi-honeypot platform from Telekom Security.
## Payload Generation & Obfuscation
- [donut](https://github.com/TheWover/donut) — Generate position-independent shellcode from .NET assemblies, DLLs, and EXEs.
- [nimcrypt2](https://github.com/icyguider/Nimcrypt2) — Nim-based PE/raw shellcode loader with multiple evasion techniques.
- [php-reverse-shell](https://github.com/ivan-sincek/php-reverse-shell) — PHP reverse shells that work on Linux, macOS, and Windows.
- [reverse-shell-generator](https://github.com/0dayCTF/reverse-shell-generator) — Hosted reverse shell generator with extensive payload options.
- [SharpCollection](https://github.com/Flangvik/SharpCollection) — Nightly builds of common offensive C# tooling.
## C2 Frameworks
- [covenant](https://github.com/cobbr/Covenant) — .NET-based collaborative C2 framework.
- [havoc](https://github.com/HavocFramework/Havoc) — Modern, modular C2 framework with a Qt UI.
- [mythic](https://github.com/its-a-feature/Mythic) — Multi-user, web-based C2 with pluggable agents and payloads.
- [sliver](https://github.com/BishopFox/sliver) — Production-grade adversary emulation framework with cross-platform implants.
## Reporting & Collaboration
- [dradis-ce](https://github.com/dradis/dradis-ce) — Collaboration and reporting platform for security teams.
- [pwndoc](https://github.com/pwndoc/pwndoc) — Pentest report generator with reusable vulnerability templates.
- [Reconmap](https://github.com/reconmap/reconmap) — Collaboration-first SecOps platform for end-to-end engagement management and reporting.
- [sysreptor](https://github.com/Syslifters/sysreptor) — Customizable, markdown/HTML/PDF pentest reporting platform.
## Methodology & Checklists
- [OWASP Testing Checklist](https://github.com/tanprathan/OWASP-Testing-Checklist) — Excel-based checklist for tracking OWASP web app pentest progress.
- [PentestingEverything](https://github.com/m14r41/PentestingEverything) — Broad VAPT/AppSec reference covering web, mobile, API, network, and source code review.
## Learning Platforms & Labs
Self-hostable vulnerable apps and lab environments to practice safely on your own infrastructure.
### Self-hostable
- [Damn Small Vulnerable Web (DSVW)](https://github.com/stamparm/DSVW) — Single-script Python web app covering 100+ common vulnerabilities.
- [Damn Vulnerable Java App (DVJA)](https://github.com/appsecco/dvja) — Intentionally vulnerable Java EE application for AppSec training.
- [Damn Vulnerable RESTaurant](https://github.com/theowni/Damn-Vulnerable-RESTaurant-API-Game) — Gamified vulnerable REST API for learning API security.
- [DetectionLab](https://github.com/clong/DetectionLab) — Vagrant/Packer-built lab with Windows AD, ELK, and detection-engineering instrumentation.
- [DVWA](https://github.com/digininja/DVWA) — Damn Vulnerable Web Application, the classic PHP/MySQL training app.
- [GOAD](https://github.com/Orange-Cyberdefense/GOAD) — Game of Active Directory: pre-built vulnerable AD lab for practicing AD attacks.
- [govwa](https://github.com/0c34/govwa) — Go-based vulnerable web app for practicing common web flaws.
- [OSS - OopsSec Store](https://github.com/kOaDT/oss-oopssec-store) — Security training for the apps you actually ship. Open your browser and start hacking.
- [OWASP Juice Shop](https://github.com/juice-shop/juice-shop) — Modern JavaScript-based vulnerable web app covering the OWASP Top 10.
- [OWASP Mutillidae II](https://github.com/webpwnized/mutillidae) — Deliberately vulnerable PHP web app with dozens of vulnerability classes.
- [OWASP Vulnerable Web Application](https://github.com/OWASP/Vulnerable-Web-Application) — OWASP-curated vulnerable web app for hands-on training.
- [SSRF Vulnerable Lab](https://github.com/incredibleindishell/SSRF_Vulnerable_Lab) — PHP lab with sample code vulnerable to Server-Side Request Forgery.
- [VAmPI](https://github.com/erev0s/VAmPI) — Vulnerable REST API designed to teach OWASP API Top 10.
- [Vulhub](https://github.com/vulhub/vulhub) — Pre-built Docker environments for CVEs and known vulnerabilities.
- [VulnHub](https://www.vulnhub.com/) — Downloadable vulnerable VMs for offline practice.
- [WebGoat](https://github.com/WebGoat/WebGoat) — OWASP's deliberately insecure Java web app for hands-on training.
### Online platforms
- [HackTheBox](https://www.hackthebox.com/) — Active machines, challenges, and Pro Labs.
- [OverTheWire](https://overthewire.org/wargames/) — Classic wargames covering Linux, networking, and crypto fundamentals.
- [PentesterLab](https://pentesterlab.com/) — Hands-on exercises focused on web exploitation.
- [PicoCTF](https://picoctf.org/) — Year-round and seasonal CTFs from CMU, beginner-friendly.
- [PortSwigger Web Security Academy](https://portswigger.net/web-security) — Free, high-quality web security labs from the makers of Burp.
- [Root-Me](https://www.root-me.org/) — Massive collection of challenges across all security domains.
- [TryHackMe](https://tryhackme.com/) — Guided rooms and learning paths, friendlier on-ramp than HTB.
## CVE Proof-of-Concepts
A curated index of CVE PoCs lives in [cve-pocs/](cve-pocs/). It's kept separate from this list to avoid bloating the main README.
## Maintainer
Maintained by [@kOaDT](https://github.com/kOaDT). Contact: [koadt@proton.me](mailto:koadt@proton.me).
## License
To the extent possible under law, the author has waived all copyright and related or neighboring rights to this work.