Open Source Penetration Testing Tools - Page 4
Sort By:
Penetration Testing Tools
View 130 business solutions-
MongoDB Atlas runs apps anywhereMongoDB Atlas gives you the freedom to build and run modern applications anywhere—across AWS, Azure, and Google Cloud. With global availability in over 115 regions, Atlas lets you deploy close to your users, meet compliance needs, and scale with confidence across any geography.
-
Full-stack observability with actually useful AI | Grafana CloudBuilt on open standards like Prometheus and OpenTelemetry, Grafana Cloud includes Kubernetes Monitoring, Application Observability, Incident Response, plus the AI-powered Grafana Assistant. Get started with our generous free tier today.
-
1
ShellTer is an iptables-based firewall. What sets it apart from the rest is that it has built-in SSH brute force protection. It is easy to configure and has an interactive CLI installer.
-
2
VPLE
Vulnerable Pentesting Lab Environment
VPLE (Linux) Vulnerable Pentesting Lab Environment VPLE is an Intentionally Vulnerable Linux Virtual Machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing Labs. In VPLE bunch of labs are Available. NOTE:- "Only run in VMWare Pls Don’t run in VirtualBox" The default login and password is administrator: password. List Of All Labs in one VM:- 1. Web-DVWA 2. Mutillidae 3. Webgoat 4. Bwapp 5. Juice-shop 6. Security-ninjas 7. WordPress We are adding more labs in few days🤗 -
3
Merlin HTTP/2
Merlin is a cross-platform post-exploitation HTTP/2 Command
Merlin is a cross-platform post-exploitation Command & Control server and agent written in Go. The Merlin server is a self-contained command line program that requires no installation. You just simply download it and run it. The command-line interface only works great if it will be used by a single operator at a time. The Merlin agent can be controlled through Mythic, which features a web-based user interface that enables multiplayer support, and a slew of other features inherent to the project. -
4
Offensive Reverse Shell
Collection of reverse shells for red team operations
The Offensive Reverse Shell Cheat Sheet is a compilation of reverse shell payloads useful for red team operations and penetration testing. It provides ready-to-use code snippets in various programming languages, facilitating the establishment of reverse shells during security assessments. -
Earn up to 16% annual interest with Nexo.Put idle assets to work with competitive interest rates, borrow without selling, and trade with precision. All in one platform. Geographic restrictions, eligibility, and terms apply.
-
5
Retire.js
Scanner detecting the use of JavaScript libraries
There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies, but we need to stay updated on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your web app. The goal of Retire.js is to help you detect the use of versions with known vulnerabilities. Scan a web app or node app for use of vulnerable JavaScript libraries and/or node modules. grunt-retire scans your grunt-enabled app for use of vulnerable JavaScript libraries and/or node modules. Scans visited sites for references to insecure libraries and puts warnings in the developer console. An icon on the address bar displays will also indicate if vulnerable libraries were loaded. Retire.js has been adapted as a plugin for the penetration testing tools Burp and OWASP ZAP. -
6
SSL Kill Switch 2
Blackbox tool to disable SSL certificate validation
Blackbox tool to disable SSL/TLS certificate validation - including certificate pinning - within iOS and macOS applications. Once loaded into an iOS or macOS application, SSL Kill Switch 2 will patch low-level functions responsible for handling SSL/TLS connections in order to override and disable the system's default certificate validation, as well as any kind of custom certificate validation (such as certificate pinning). It was successfully tested against various applications implementing certificate pinning including the Apple App Store. The first version of SSL Kill Switch was released at Black Hat Vegas 2012. Installing SSL Kill Switch 2 allows anyone on the same network as the device to easily perform man-in-the-middle attacks against any SSL or HTTPS connection. This means that it is trivial to get access to emails, websites viewed in Safari and any other data downloaded by any App running on the device. -
7
pydictor
powerful and useful hacker dictionary builder for a brute-force attack
A powerful and useful hacker dictionary builder for a brute-force attack. You can use pydictor to generate a general blast wordlist, a custom wordlist based on Web content, a social engineering wordlist, and so on; You can use the pydictor built-in tool to safe delete, merge, unique, merge and unique, count word frequency to filter the wordlist, besides, you also can specify your wordlist and use '-tool handler' to filter your wordlist. You can generate highly customized and complex wordlists by modifying multiple configuration files, adding your own dictionary, using leet mode, filter by length, char occur times, types of different char, regex, and even add customized encode scripts in /lib/encode/ folder, add your own plugin script in /plugins/ folder, add your own tool script in /tools/ folder. -
8
BerserkArch
A bleeding-edge, security-centric Arch-based Linux distribution.
BerserkArch is a security-focused, performance-tuned Linux operating system (OS) based on Arch Linux, designed for developers, hackers, and technical users. A bleeding-edge, security-centric Arch-based Linux distribution crafted for hackers, developers, and nerds alike. Following the Arch Linux philosophy, it is designed to be highly customizable, allowing users to build their environment with only the components they need, rather than having a lot of pre-installed software like some other security distributions (e.g., Kali Linux). As an Arch-based distribution, it benefits from the rolling release model, providing users with the latest software versions and kernel updates. BerserkArch is a dist "designed to make you powerful" for specific use cases like reverse-engineering binaries and automating exploits, rather than being an easy-to-use distribution for general beginners. -
9
blackhat-global
Blackhat-Global-Lite OS Debian Buster based custom distro
We are excited to announce the availability of Blackhat-Global OS Lite. We’ve condensed the full Blackhat-Global experience into a streamlined operating system that’s fast, user-friendly, desktop-oriented operating system based. Which is available immediately for download. Blackhat-Global Lite is a Debian (Buster) customized Linux-based distribution, built for Penetration Testers. The solution we’ve committed to is lightweight that provides users a perfect blend of power condensed into Blackhat-Global OS Lite without sacrificing our product's functionality. Blackhat-Global OS Lite is offered as XFCE4 desktop edition tailored to address the needs of a variety of pentesters users with more than 2000 penetration testing tools. Blackhat-Global OS Lite can be installed permanently as a robust and fully configurable operating system on a laptop or desktop system, or it can be run effectively as a live installer and supports the addition of persistent storage for thos -
AI-powered service management for IT and enterprise teamsGive your IT, operations, and business teams the ability to deliver exceptional services—without the complexity. Maximize operational efficiency with refreshingly simple, AI-powered Freshservice.
-
10
Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant. *** Hyenae is back *** Hyenae will be continued here: https://sourceforge.net/p/hyenae-ng
-
11
SANTETIN
Santetin is a website stress test and DDOS simulation tool
Santetin is a powerful desktop application built with Electron to perform website stress tests, penetration testing simulations, DDOS attacks, and traffic jingling for testing and educational purposes. ⚠️ Disclaimer: This tool is intended for educational and testing purposes only. Do not use it against any website without explicit permission from the owner. -
12
Bruter is a parallel network login brute-forcer on Win32. This tool is intended to demonstrate the importance of choosing strong passwords. The goal of Bruter is to support a variety of services that allow remote authentication.
-
13
ISB
ISB (I'm so bored) is a network stress-testing application for Windows
ISB (I'm so bored) is a network stress-testing application for Windows created by byte[size] Software byte[size] Software: https://github.com/softbytesize Frontpage: https://softbytesize.github.io/ISB/ Support: https://softbytesize.github.io/ISB#cu Documentation: https://softbytesize.github.io/ISB/#helpstart Releases: https://github.com/softbytesize/ISB-Releases/releases Discord: https://discord.com/invite/9YNzrXDHxE -
14
JPassword Recovery Tool
Password recovery tool for compressed archives and md5, sha-1/2 hashes
This is a simple but sophisticated open source password recovery tool for M$ Windows, it can effectively 'crack' any password protected archive that can be decompressed by 7zip given enough time and resources. It can also bruteforce MD2, MD5, SHA-1 and SHA-2 hashes (SHA-256, SHA-384, SHA-512), CRC16, CRC32, CRC64 and Adler32 hashed passwords for both Windows, and Linux. It requires java 7u4 and above, and 7-zip v9.20 and up for archive recovery. Keeping these above applications up to date ensures peak performance. if you have any ideas, bugs, tips/improvements and/or suggestions please dont hesitate to contact me NB AS OF V1.07 PLEASE MAKE SURE 'resources' FOLDER IS IN THE SAME DIRECTORY AS THE JPasswordRecoveryTool.jar Known Bugs(v1.09): -although md2 was selceted by default for hash recovery if you did not slected another value and reselect md2 it would use md5 by default -
15
BHS Debian (Hades Update)
BHS debian (testing) jessie/sid
BHS (Debian) New BHS release Based on Debian jessie/sid Kermel 3.12 KDE 4.11 Debian style and look Custom scripts!! Defcon tools!! New wifi scripts Multiarch support Top tools username: root password: BHS note: Don't forget to run the script located on the desktop to install the missing tools,because without to run it the menu will not be functional,if you not see it just download from here in the file section..sorry for the delay the upload stack for 2 time... installall.sh fixed(metasploit and w3af bug) D4RkS-patcher : will install the kernel 3.13 and add aircrack-ng patch for you automatically!!! -
16
A pronounceable password generator plugin for KeePass. NOTE: This project has been discontinued. It hasn't been worth it to maintain the project for a while now, so no more updates will be made to the plugin. The algorithm this plugin uses is based off FIPS-181 which was withdrawn by NIST a while back. The proliferation of password managers that seamlessly run on multiple platforms (some of which are free) has also removed almost all advantages of using randomly generated pronounceable passwords. If you have a use case for this plugin, reconsider it. If you still think using randomly generated pronounceable passwords are worth it for your use case, reconsider it some more.
-
17
Cyborg Essentials
Cyborg Essenitals is Debian based Penetration Testing Distro
Cyborg Essenitals is all new series Debian based Penetration Testing Distro , a product of Cyborg Linux and cousin of Cyborg Hawk Linux . It is different from cyborg hawk as it is based on DEBIAN. It contains all the essentials tools a pro ethical hacker and security expert needs which makes it lightweight and half the size of Cyborg Hawk Linux. Its real strength comes from the understanding that a tester requires a strong and efficient system,that benefits from a strong selection of tools, integrated with a stable linux environment. Cyborg Essentials comes with full UEFI Support. It can also be upgraded over the air for upcoming versions as it has its own REPOSITORY. Cyborg Essentials also have Anonymous-Mode for hiding identity. -
18
A client-server multithreaded application for bruteforce cracking passwords. The more clients connected, the faster the cracking. Plugin-based. Supports only RAR passwords at the moment and only with encrypted filenames.
-
19
Hcon Security Testing Framework
Open Source Penetration Testing / Ethical Hacking Framework
HconSTF is Open Source Penetration Testing Framework based on different browser technologies, Which helps any security professional to assists in the Penetration testing or vulnerability scanning assessments.contains webtools which are powerful in doing xss(cross site scripting), Sql injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. Even useful to anybody interested in information security domain - students, Security Professionals,web developers, manual vulnerability assessments and much more. -
20
Armitage is a GUI frontend for Metasploit. Well known to Kali Linux fans, this is a port of it for Windows.. Tip: Enter these in the Armitage console: db_status if not connected enter: db_connect msf 127.0.0.1 4-19-26: Made a small tweak to the msfrpcd batch file that should help performance. 4-23-26: Upload speeds tend to be faster on the Linux version. 4-25-26: Better upload speeds with the Windows firewall disabled.
-
21
VanitySearch
VanitySearch is a Bitcoin address prefix lookup tool.
VanitySearch is a Bitcoin address prefix lookup tool. If you want to generate a secure private key, use the `-s` option to enter your passphrase, which will be used to generate the base key conforming to the BIP38 standard (e.g., `VanitySearch.exe -s "my passphrase" 1MyPrefix"`). You can also use `VanitySearch.exe -ps "my passphrase"`, which adds a cryptographically secure seed to your passphrase.Fixed custom address matching errors and private key conversion errors, changed the randomizer, added puzzles suitable for finite regions, added random and incremental modes, added -e to enable homomorphism, and optimized CPU using AVX2, etc.For additional tools or to provide feedback, please visit: https://gitlab.com/8891689 -
22
Atlantis iOS
A lightweight and powerful iOS framework for intercepting HTTP/HTTPS
Don't let cumbersome web debugging tools hold you back. With Proxyman's native macOS app, you can capture, inspect, and manipulate HTTP(s) traffic with ease. Intuitive, thoughtful, and built with meticulous attention to detail. Dive into the network level to diagnose and fix problems with reliable and powerful tools. Proxyman acts as a man-in-the-middle server that captures the traffic between your applications and SSL Web Server. With a built-in macOS setup, so you can inspect your HTTP/HTTPS Request and Responses in plain text with just one click. Narrow down your search with Proxyman's Multiple Filters. You can combine complex filtered criteria like Protocol, Content-Type, URL, Request Header, Response Header, Body, etc that find exact what you're looking for. -
23
Blackbone
Windows memory hacking library
Blackbone is a powerful Windows-focused memory manipulation and process interaction library intended for developers needing deep access to system internals, reverse engineering, or dynamic analysis tools. It provides a comprehensive API in C++ that allows allocation and management of virtual memory in local and remote processes, reading and writing remote process memory, enumerating loaded modules, creating and controlling threads, and performing complex pattern searches—all with support for both 32-bit and 64-bit architectures. Beyond basic memory operations, Blackbone includes advanced functionality for remote code execution, function hooking, and manual map features that let developers inject and manage modules in foreign processes without relying on the operating system’s loader mechanisms. It supports intricate use cases like injecting DLLs into target applications, performing remote hooks with hardware breakpoints, and handling cross-session thread creation. -
24
Chromepass
Hacking Chrome Saved Passwords
Chromepass is a python-based console application that generates a windows executable with the following features. Decrypt Google Chrome, Chromium, Edge, Brave, Opera and Vivaldi saved paswords and cookies. Send a file with the login/password combinations and cookies remotely (http server or email) Undetectable by AV if done correctly. Custom icon, custom error message, customize port. The new client build methodology practically ensures a 0% detection rate, even without AV-evasion tactics. If this becomes false in the future, some methods will be implemented to improve AV evasion. The dependencies are checked and installed automatically, so you can just skip to Usage. It's recommended that you use a clean VM, just to make sure there are no conflicts. If you don't have the dependencies and your internet isn't fast, this will take a while. -
25
Good Man in the Middle
Rule-based MITM engine. Rewriting, redirecting and rejecting on HTTP
Rule-based MITM engine. Rewriting, redirecting and rejecting on HTTP(S) requests and responses, supports JavaScript.
