Open Source BSD Penetration Testing Tools
Sort By:
Penetration Testing Tools for BSD
Browse free open source Penetration Testing tools and projects for BSD below. Use the toggles on the left to filter open source Penetration Testing tools by OS, license, language, programming language, and project status.
-
Our Free Plans just got better! | Auth0You asked, we delivered! Auth0 is excited to expand our Free and Paid plans to include more options so you can focus on building, deploying, and scaling applications without having to worry about your security. Auth0 now, thank yourself later.
-
Try Google Cloud Risk-Free With $300 in CreditUse your credit across every product. Compute, storage, AI, analytics. When it runs out, 20+ products stay free. You only pay when you choose to.
-
1
PentestGPT
Automated Penetration Testing Agentic Framework Powered by LLMs
PentestGPT is an AI-powered autonomous penetration testing agent designed to perform intelligent, end-to-end security assessments using large language models. Published at USENIX Security 2024, it combines advanced reasoning with an agentic workflow to automate tasks traditionally handled by human pentesters. The platform supports multiple penetration testing categories, including web security, cryptography, reversing, forensics, privilege escalation, and binary exploitation. PentestGPT runs in a Docker-first environment, providing a secure, reproducible setup with built-in tooling and session persistence. It offers real-time feedback and live walkthroughs, allowing users to observe each step of the testing process as it unfolds. Built with a modular and extensible architecture, PentestGPT supports cloud and local LLMs, making it suitable for research, education, and authorized security testing. -
2
ophcrack
A Windows password cracker based on rainbow tables
Ophcrack is a Windows password cracker based on a time-memory trade-off using rainbow tables. This is a new variant of Hellman's original trade-off, with better performance. It recovers 99.9% of alphanumeric passwords in seconds. -
3
SeedCrackerX
Minecraft mod designed to reverse-engineer
SeedcrackerX is a Minecraft mod designed to reverse-engineer and determine a world’s seed by analyzing in-game structures and environmental data. It operates by collecting information from structures such as shipwrecks, temples, and monuments, then using that data to progressively narrow down possible seeds until the correct one is identified. The mod automates much of this process, initiating cracking procedures once sufficient data has been gathered, often requiring only exploration of specific structures. It includes a graphical configuration interface that allows users to control which structures are used and how data is collected. The system can also integrate with a shared database to contribute discovered seeds, enabling collaborative data gathering across users. Advanced features include brute-force algorithms that refine seed candidates based on structural patterns and hashed seed calculations. -
4
Flipper Zero BadUSB
Repository for my flipper zero badUSB payloads
The repository is a public GitHub collection of BadUSB payloads prepared to run from a Flipper Zero device; it’s presented as a plug-and-play library that bundles payload scripts, a README, and supporting files so users can pick and use payloads without heavy setup. The project is heavily PowerShell-oriented and organized into a payloads folder with documentation (README, FAQs) and helper scripts, and the author says they formatted the collection to be easy for others to use. The maintainer also set up short-URL infrastructure to simplify embedding webhooks or tokens into compact one-liners for payload configuration, and the repo includes social/contact links and acknowledgments to related projects. The repository is actively used by a community (many stars, forks and hundreds of commits), and the author explicitly warns about responsible use and includes guidance in the docs. -
Compliant and Reliable File Transfers Backed by Top Security CertificationsStop relying on non-certified, legacy file transfer tools that creak under the weight of modern security demands. Get full audit trails, advanced access controls and more supported by an award-winning team of experts. Start your free 25-day trial today.
-
5
bWAPP
an extremely buggy web app !
bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. bWAPP helps security enthusiasts, developers and students to discover and to prevent web vulnerabilities. bWAPP prepares one to conduct successful penetration testing and ethical hacking projects. What makes bWAPP so unique? Well, it has over 100 web bugs! It covers all major known web vulnerabilities, including all risks from the OWASP Top 10 project. The focus is not just on one specific issue... bWAPP is covering a wide range of vulnerabilities! bWAPP is a PHP application that uses a MySQL database. It can be hosted on Linux/Windows with Apache/IIS and MySQL. It is supported on WAMP or XAMPP. Another possibility is to download bee-box, a custom VM pre-installed with bWAPP. This project is part of the ITSEC GAMES project. You can find more about the ITSEC GAMES and bWAPP projects on our blog. For security-testing and educational purposes only! Cheers Malik Mesellem -
6
DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers.
-
7
Ettercap is a multipurpose sniffer/interceptor/logger for switched LAN. It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis. Development has been moved to GitHub, https://github.com/Ettercap/ettercap
-
8
WiFi-Pumpkin
WiFi-Pumpkin - Framework for Rogue Wi-Fi Access Point Attack
The WiFi-Pumpkin is a rogue AP framework to easily create these fake networks, all while forwarding legitimate traffic to and from the unsuspecting target. It comes stuffed with features, including rogue Wi-Fi access points, deauth attacks on client APs, a probe request and credentials monitor, transparent proxy, Windows update attack, phishing manager, ARP Poisoning, DNS Spoofing, Pumpkin-Proxy, and image capture on the fly. moreover, the WiFi-Pumpkin is a very complete framework for auditing Wi-Fi security check the list of features is quite broad. -
9
Themis
Easy to use cryptographic framework for data protection
Cross-platform high-level cryptographic library. Themis helps to build simple and complex cryptographic features easily, quickly, and securely. It’s a perfect fit for multi-platform apps. Themis hides cryptographic details and eliminates popular mistakes. Themis provides ready-made building blocks (“cryptosystems”) for secure data storage, message exchange, socket connections, and authentication. Secure Cell is a multi-mode cryptographic container suitable for storing anything from encrypted files to database records. Use Secure Cell to encrypt data at rest. Secure Cell is built around AES-256-GCM, and AES-256-CTR. Secure Message is a simple encrypted messaging solution for the widest scope of applications. Use Secure Message to send encrypted and signed data from one user to another, from client to server, to prevent MITM attacks and avoid single secret leakage. Based on ECC + ECDSA / RSA + PSS + PKCS#7. -
Full-stack observability with actually useful AI | Grafana CloudBuilt on open standards like Prometheus and OpenTelemetry, Grafana Cloud includes Kubernetes Monitoring, Application Observability, Incident Response, plus the AI-powered Grafana Assistant. Get started with our generous free tier today.
-
10
lynis
Security auditing tool for Linux, macOS, and UNIX-based system
Lynis is a battle-tested security tool for systems running Linux, macOS, or Unix-based operating system. It performs an extensive health scan of your systems to support system hardening and compliance testing. The project is open source software with the GPL license and available since 2007. Since Lynis is flexible, it is used for several different purposes. Typical use cases for Lynis include security auditing, compliance testing (e.g. PCI, HIPAA, SOx), penetration testing, vulnerability detection, and system hardening. Test that Docker image, or improve the hardening of your deployed web application. Run daily health scans to discover new weaknesses. Show colleagues or clients what can be done to improve security. Discover security weaknesses on systems of your clients, that may eventually result in system compromise. Lynis runs on almost all UNIX-based systems and versions. -
11
SSHGuard
Intelligently block brute-force attacks by aggregating system logs
SSHGuard protects hosts from brute-force attacks against SSH and other services. It aggregates system logs and blocks repeat offenders using several firewall backends, including iptables, ipfw, and pf. -
12
Hyenae is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant. *** Hyenae is back *** Hyenae will be continued here: https://sourceforge.net/p/hyenae-ng
-
13
Ligolo-ng
An advanced, yet simple, tunneling/pivoting tool
Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS). When running the relay/proxy server, a tun interface is used, packets sent to this interface are translated and then transmitted to the agent's remote network. You need to download the Wintun driver (used by WireGuard) and place the wintun.dll in the same folder as Ligolo. You can listen to ports on the agent and redirect connections to your control/proxy server. You can easily hit more than 100 Mbits/sec. Here is a test using iperf from a 200Mbits/s server to a 200Mbits/s connection. -
14
JPassword Recovery Tool
Password recovery tool for compressed archives and md5, sha-1/2 hashes
This is a simple but sophisticated open source password recovery tool for M$ Windows, it can effectively 'crack' any password protected archive that can be decompressed by 7zip given enough time and resources. It can also bruteforce MD2, MD5, SHA-1 and SHA-2 hashes (SHA-256, SHA-384, SHA-512), CRC16, CRC32, CRC64 and Adler32 hashed passwords for both Windows, and Linux. It requires java 7u4 and above, and 7-zip v9.20 and up for archive recovery. Keeping these above applications up to date ensures peak performance. if you have any ideas, bugs, tips/improvements and/or suggestions please dont hesitate to contact me NB AS OF V1.07 PLEASE MAKE SURE 'resources' FOLDER IS IN THE SAME DIRECTORY AS THE JPasswordRecoveryTool.jar Known Bugs(v1.09): -although md2 was selceted by default for hash recovery if you did not slected another value and reselect md2 it would use md5 by default -
15
BlackMamba
C2/post-exploitation framework
Black Mamba is a Command and Control (C2) that works with multiple connections at same time. It was developed with Python and with Qt Framework and have multiple features for a post-exploitation step. -
16
Password Guessing Framework
A Framework for Comparing Password Guessing Strategies
The Password Guessing Framework is an open source tool to provide an automated and reliable way to compare password guessers. It can help to identify individual strengths and weaknesses of a guesser, its modes of operation or even the underlying guessing strategies. Therefor, it gathers information about how many passwords from an input file (password leak) have been cracked in relation to the amount of generated guesses. Subsequent to the guessing process an analysis of the cracked passwords is performed. In general though, any guesser that prints the password candidates via STDOUT can be used with the framework. The aforementioned password guessing / password cracking software is not part nor shipped with the framework and need to be installed separately. -
17
Teardroid
It's easy to use android botnet work without port forwarding
It's easy to use Android botnet work without port forwarding, VPS, and Android Studio. Run Shell Command ( use findphno command in a run shell command to get the device phone number and use findx:pdf to find all the pdf files on the device ) It will prompt you with your Control Panel url enter your deta space control panel url without /v4 or your own server URL (without/at the end of the URL). You will also be prompted for the title and text of the notification. Enter what you want to display on the notification. Using your own keystore it's not recommended to use the default keystore you can modify the values in the Config.py file to use your own keystore with Teardroid v4. -
18
Hcon Security Testing Framework
Open Source Penetration Testing / Ethical Hacking Framework
HconSTF is Open Source Penetration Testing Framework based on different browser technologies, Which helps any security professional to assists in the Penetration testing or vulnerability scanning assessments.contains webtools which are powerful in doing xss(cross site scripting), Sql injection, siXSS, CSRF, Trace XSS, RFI, LFI, etc. Even useful to anybody interested in information security domain - students, Security Professionals,web developers, manual vulnerability assessments and much more. -
19
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
-
20
HTTP Anti Flood/DoS Security Module
Detect Flooder IPs, Reduce Attack Surface against HTTP Flood Attacks
This module provides attack surface reduction enhancements against the HTTP Flood Attacks at the web application level. Massive crawling/scanning tools, HTTP Flood tools can be detected and blocked by this module via htaccess, firewall or iptables, etc. (like mod_evasive) You can use this module by including "iosec.php" to any PHP file which wants to be protected. You can test module here: http://www.iosec.org/test.php (demo) Watch the Proof of Concept video: http://goo.gl/dSiAL Hakin9 IT Security Magazine Article about IOSEC http://goo.gl/aQM4Di (different format -> http://goo.gl/JKMUPN) IJNSA Article at http://goo.gl/LLxRdX WP Plugin Page http://goo.gl/nF5nD CHANGES v.1.8.2 - Iptables Auto Ban Bash Script Included - Token Access via Implicit Deny - Reverse Proxy Support - reCAPTCHA Support Do you want more features? Check for third party addons http://sf.net/projects/iosecaddons Gökhan Muharremoğlu -
21
CSVHashCrack Suite
Multi hash crack suite
This script is capable of cracking multiple hashes from a CSV-file like e.g. dumps from sqlmap. Over 17.000 md5-hashes in a CSV-file get cracked with a 14.300.000 lines wordlist in less then 1 min. Lines wich cant get cracked with the wordlist get stored in a .leftToCrack-File to further process with another Wordlist or the bruteforce-tool. In addition to the wordlist-cracker I created also a bruteforce-tool named CSVHashBrutforcer. -
22
Inguma is a free penetration testing and vulnerability discovery toolkit entirely written in python. Framework includes modules to discover hosts, gather information about, fuzz targets, brute force usernames and passwords, exploits, and a disassembl
-
23
Greyhound-Ubuntu : Trident
An all purpose Distro for Pentesters
Greyhound Trident is a GNU/Linux, Ubuntu based security distribution designed for penetration testing and cyber forensic investigations. It is a distribution designed for security enthusiasts and professionals, can also be used normally as your default OS. >>Based on Ubuntu 12.04.2 LTS (32bit ) user/pass : root/toor >>Kernel version 3.5.0-45 (little modified to make some of unsupported tools to work, but still will able to get Ubuntu updates ) >>2 Desktop environment : Gnome3, Docky Desktop for different test >>Final release >> Around 300 tools for all-round pentest performance User friendly, all important plugins such as video codec, audio plugins added Above all, this is Ubuntu, specially Hackers Ubuntu. Have fun Credit List : Mahir Chowdhury Asif Iqbal (India) For XtreamDebugger Ashik Iqbal Chy (BGHH) Imam Vai (BGHH) Krad Xin (BGHH) Bd xtor (BBHH/Team Scannerzz) Pedro Ubuntu(Root Sector) For Netool.sh -
24
AESTextCrypt
Encrypt and decrypt text using AES 256 bit encryption
AESTextCrypt is an easy-to-use open source tool for text encryption and decryption. Primarily intended for use with email, use it wherever you need to protect text from prying eyes. The encrypted text can be copy/pasted into any text-handling application (e.g. email) instead of plain text. Convenience buttons are provided for clipboard operations. AESTextCrypt uses AES-256 bit encryption which is the strongest available encryption scheme. It also employs bcrypt, which implements key-stretching and an adaptive key setup phase, the complexity (number of rounds) of which is automatically set to match the processing power of the encrypting computer. This makes it highly resistant to dictionary attack. AESTextCrypt is written in Java, so can be run on all desktop platforms - Windows, Mac and Linux. -
25
An original bruteforce-based encryption/decryption system. BBE was originally conceived to chat with encrypted text on IRC. mIRC and X-Chat support BBE via script addon. BBE can also encrypt MIME encoded files. Blowfish encryption is currently supported.
