Open Source Python Penetration Testing Tools

Python Penetration Testing Tools

View 124 business solutions

Browse free open source Python Penetration Testing Tools and projects below. Use the toggles on the left to filter open source Python Penetration Testing Tools by OS, license, language, programming language, and project status.

  • Gen AI apps are built with MongoDB Atlas Icon
    Gen AI apps are built with MongoDB Atlas

    Build gen AI apps with an all-in-one modern database: MongoDB Atlas

    MongoDB Atlas provides built-in vector search and a flexible document model so developers can build, scale, and run gen AI apps without stitching together multiple databases. From LLM integration to semantic search, Atlas simplifies your AI architecture—and it’s free to get started.
    Start Free
  • Photo and Video Editing APIs and SDKs Icon
    Photo and Video Editing APIs and SDKs

    Trusted by 150 million+ creators and businesses globally

    Unlock Picsart's full editing suite by embedding our Editor SDK directly into your platform. Offer your users the power of a full design suite without leaving your site.
    Learn More
  • 1
    RouterSploit

    RouterSploit

    Exploitation Framework for Embedded Devices

    RouterSploit is an open-source exploitation framework focused on embedded devices such as routers, cameras, and IoT gadgets. It offers modules for exploits, scanners, and credentials testing, making it a valuable tool for security professionals and researchers. Inspired by Metasploit, it provides a CLI for executing attacks, testing device vulnerabilities, and simulating real-world exploitation scenarios in a legal and ethical manner.
    Downloads: 19 This Week
    Last Update:
    See Project
  • 2
    Web Security Dojo

    Web Security Dojo

    Virtual training environment to learn web app ethical hacking.

    Web Security Dojo is a virtual machine that provides the tools, targets, and documentation to learn and practice web application security testing. A preconfigured, stand-alone training environment ideal for classroom and conferences. No Internet required to use. Ideal for those interested in getting hands-on practice for ethical hacking, penetration testing, bug bounties, and capture the flag (CTF). A single OVA file will import into VirtualBox and VMware. There is also an Ansible script for those brave souls that want transform their stock Ubuntu into a virtual dojo. Bow to your sensei! username: dojo password: dojo
    Leader badge
    Downloads: 115 This Week
    Last Update:
    See Project
  • 3
    mitmproxy

    mitmproxy

    A free and open source interactive HTTPS proxy

    mitmproxy is an open source, interactive SSL/TLS-capable intercepting HTTP proxy, with a console interface fit for HTTP/1, HTTP/2, and WebSockets. It's the ideal tool for penetration testers and software developers, able to debug, test, and make privacy measurements. It can intercept, inspect, modify and replay web traffic, and can even prettify and decode a variety of message types. Its web-based interface mitmweb gives you a similar experience as Chrome's DevTools, with the addition of features like request interception and replay. Its command-line version mitmdump allows you to write powerful addons and script mitmproxy so it can automatically modify messages, redirect traffic, and perform many other custom commands.
    Downloads: 13 This Week
    Last Update:
    See Project
  • 4
    sqlmap

    sqlmap

    Automatic SQL injection and database takeover tool

    sqlmap is a powerful, feature-filled, open source penetration testing tool. It makes detecting and exploiting SQL injection flaws and taking over the database servers an automated process. sqlmap comes with a great range of features that along with its powerful detection engine make it the ultimate penetration tester. It offers full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, and many other database management systems. It also comes with a wide set of switches which include database fingerprinting, over data fetching from the database, accessing the underlying file system, and more.
    Downloads: 11 This Week
    Last Update:
    See Project
  • Deliver secure remote access with OpenVPN. Icon
    Deliver secure remote access with OpenVPN.

    Trusted by nearly 20,000 customers worldwide, and all major cloud providers.

    OpenVPN's products provide scalable, secure remote access — giving complete freedom to your employees to work outside the office while securely accessing SaaS, the internet, and company resources.
    Get started — no credit card required.
  • 5
    CrackMapExec

    CrackMapExec

    A swiss army knife for pentesting networks

    CrackMapExec (CME) is a versatile post-exploitation and enumeration tool designed for pentesters and red teams to assess Active Directory environments. It supports credential spraying, command execution, file transfers, and module-based extensions across SMB, RDP, LDAP, and other protocols. CME provides automation and insight into Windows networks and is commonly used during lateral movement and domain enumeration phases.
    Downloads: 10 This Week
    Last Update:
    See Project
  • 6
    Wfuzz

    Wfuzz

    Web application fuzzer

    Wfuzz provides a framework to automate web applications security assessments and could help you to secure your web applications by finding and exploiting web application vulnerabilities. Wfuzz it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. A payload in Wfuzz is a source of data. This simple concept allows any input to be injected in any field of an HTTP request, allowing to perform complex web security attacks in different web application components such as: parameters, authentication, forms, directories/files, headers, etc.
    Downloads: 8 This Week
    Last Update:
    See Project
  • 7
    Wifipumpkin3

    Wifipumpkin3

    Powerful framework for rogue access point attack

    wifipumpkin3 is powerful framework for rogue access point attack, written in Python, that allow and offer to security researchers, red teamers and reverse engineers to mount a wireless network to conduct a man-in-the-middle attack.
    Downloads: 8 This Week
    Last Update:
    See Project
  • 8
    proxy.py

    proxy.py

    Utilize all available CPU cores for accepting new client connections

    proxy.py is made with performance in mind. By default, proxy.py will try to utilize all available CPU cores to it for accepting new client connections. This is achieved by starting AcceptorPool which listens on configured server port. Then, AcceptorPool starts Acceptor processes (--num-acceptors) to accept incoming client connections. Alongside, if --threadless is enabled, ThreadlessPool is setup which starts Threadless processes (--num-workers) to handle the incoming client connections. Each Acceptor process delegates the accepted client connection to a threadless process via Work class. Currently, HttpProtocolHandler is the default work class. HttpProtocolHandler simply assumes that incoming clients will follow HTTP specification. Specific HTTP proxy and HTTP server implementations are written as plugins of HttpProtocolHandler.
    Downloads: 8 This Week
    Last Update:
    See Project
  • 9
    WiFi-Pumpkin

    WiFi-Pumpkin

    WiFi-Pumpkin - Framework for Rogue Wi-Fi Access Point Attack

    The WiFi-Pumpkin is a rogue AP framework to easily create these fake networks, all while forwarding legitimate traffic to and from the unsuspecting target. It comes stuffed with features, including rogue Wi-Fi access points, deauth attacks on client APs, a probe request and credentials monitor, transparent proxy, Windows update attack, phishing manager, ARP Poisoning, DNS Spoofing, Pumpkin-Proxy, and image capture on the fly. moreover, the WiFi-Pumpkin is a very complete framework for auditing Wi-Fi security check the list of features is quite broad.
    Downloads: 6 This Week
    Last Update:
    See Project
  • No-Nonsense Code-to-Cloud Security for Devs | Aikido Icon
    No-Nonsense Code-to-Cloud Security for Devs | Aikido

    Connect your GitHub, GitLab, Bitbucket, or Azure DevOps account to start scanning your repos for free.

    Aikido provides a unified security platform for developers, combining 12 powerful scans like SAST, DAST, and CSPM. AI-driven AutoFix and AutoTriage streamline vulnerability management, while runtime protection blocks attacks.
    Start for Free
  • 10
    dirsearch

    dirsearch

    Web path scanner

    An advanced command-line tool designed to brute force directories and files in webservers, AKA web path scanner. Wordlist is a text file, each line is a path. About extensions, unlike other tools, dirsearch only replaces the %EXT% keyword with extensions from -e flag. For wordlists without %EXT% (like SecLists), -f | --force-extensions switch is required to append extensions to every word in wordlist, as well as the /. To use multiple wordlists, you can separate your wordlists with commas. Example: wordlist1.txt,wordlist2.txt. Default values for dirsearch flags can be edited in the configuration file: default.conf. The thread number (-t | --threads) reflects the number of separated brute force processes. And so the bigger the thread number is, the faster dirsearch runs. By default, the number of threads is 30, but you can increase it if you want to speed up the progress.
    Downloads: 6 This Week
    Last Update:
    See Project
  • 11
    Pentest-Tools

    Pentest-Tools

    A collection of custom security tools for quick needs.

    Pentest-Tools is a collection of penetration testing scripts and utilities designed to help security professionals and ethical hackers perform vulnerability assessments. It includes a wide range of tools for tasks like web scraping, reconnaissance, data extraction, and network analysis. The suite is modular, allowing users to choose the tools that best fit their specific pentesting needs, from web application analysis to network penetration testing.
    Downloads: 4 This Week
    Last Update:
    See Project
  • 12
    <<Hack|Track GNU/Linux

    <<Hack|Track GNU/Linux

    Distro Penetrasing Live System Burn to USB Flash Disk & Run.

    <<Hack|Track GNU/Linux is an open source operating system developed by the HTGL Project from Indonesia which provides penetration testing.
    Downloads: 49 This Week
    Last Update:
    See Project
  • 13
    ANDRAX Hacker's Platform

    ANDRAX Hacker's Platform

    Advanced Ethical Hacking and Penetration Testing Platform

    The most complete and Advanced Penetration Testing and Ethical Hacking Platform dedicated to Advanced Professionals. Developed to bring the power of Offensive Security in the anyone's pocket 100% OPEN SOURCE - ANDRAX is a independent solution for Security professionals who loves Linux
    Leader badge
    Downloads: 61 This Week
    Last Update:
    See Project
  • 14
    DracOS GNU/Linux Remastered
    What is DracOS GNU/Linux Remastered ? DracOS GNU/Linux Remastered ( https://github.com/dracos-linux ) is the Linux operating system from Indonesia , open source is built based on Debian live project under the protection of the GNU General Public License v3.0. This operating system is one variant of Linux distributions, which is used to perform security testing (penetration testing). Dracos linux in Arm by hundreds hydraulic pentest, forensics and reverse engineering. Use a GUI-based tools-tools the software using the CLI (command line interface) and GUI (graphical user interface) to perform its operations. Now Dracos currently already up to version 3.1.5 with the code name "KUNTILANAK WITH REMASTERED".
    Downloads: 21 This Week
    Last Update:
    See Project
  • 15
    Password Guessing Framework

    Password Guessing Framework

    A Framework for Comparing Password Guessing Strategies

    The Password Guessing Framework is an open source tool to provide an automated and reliable way to compare password guessers. It can help to identify individual strengths and weaknesses of a guesser, its modes of operation or even the underlying guessing strategies. Therefor, it gathers information about how many passwords from an input file (password leak) have been cracked in relation to the amount of generated guesses. Subsequent to the guessing process an analysis of the cracked passwords is performed. In general though, any guesser that prints the password candidates via STDOUT can be used with the framework. The aforementioned password guessing / password cracking software is not part nor shipped with the framework and need to be installed separately.
    Downloads: 2 This Week
    Last Update:
    See Project
  • 16
    pydictor

    pydictor

    powerful and useful hacker dictionary builder for a brute-force attack

    A powerful and useful hacker dictionary builder for a brute-force attack. You can use pydictor to generate a general blast wordlist, a custom wordlist based on Web content, a social engineering wordlist, and so on; You can use the pydictor built-in tool to safe delete, merge, unique, merge and unique, count word frequency to filter the wordlist, besides, you also can specify your wordlist and use '-tool handler' to filter your wordlist. You can generate highly customized and complex wordlists by modifying multiple configuration files, adding your own dictionary, using leet mode, filter by length, char occur times, types of different char, regex, and even add customized encode scripts in /lib/encode/ folder, add your own plugin script in /plugins/ folder, add your own tool script in /tools/ folder.
    Downloads: 2 This Week
    Last Update:
    See Project
  • 17
    BlackMamba

    BlackMamba

    C2/post-exploitation framework

    Black Mamba is a Command and Control (C2) that works with multiple connections at same time. It was developed with Python and with Qt Framework and have multiple features for a post-exploitation step.
    Downloads: 1 This Week
    Last Update:
    See Project
  • 18
    CTFd

    CTFd

    CTFs as you need them

    CTFd is a Capture The Flag framework focusing on ease of use and customizability. It comes with everything you need to run a CTF and it's easy to customize with plugins and themes. Create your own challenges, categories, hints, and flags from the Admin Interface. Dynamic Scoring Challenges. Unlockable challenge support. Challenge plugin architecture to create your own custom challenges. Static & Regex-based flags. Custom flag plugins. Unlockable hints. File uploads to the server or an Amazon S3-compatible backend. Limit challenge attempts & hide challenges. Automatic bruteforce protection. Individual and Team-based competitions. Have users play on their own or form teams to play together. Scoreboard with automatic tie resolution. Hide Scores from the public. Freeze Scores at a specific time. Scoregraphs comparing the top 10 teams and team progress graphs. Markdown content management system. SMTP + Mailgun email support. Email confirmation support. Forgot password support.
    Downloads: 1 This Week
    Last Update:
    See Project
  • 19
    MITMf

    MITMf

    Framework for Man-In-The-Middle attacks

    MITMf aims to provide a one-stop-shop for Man-In-The-Middle and network attacks while updating and improving existing attacks and techniques. Originally built to address the significant shortcomings of other tools (e.g Ettercap, Mallory), it's been almost completely rewritten from scratch to provide a modular and easily extendible framework that anyone can use to implement their own MITM attack. The framework contains a built-in SMB, HTTP and DNS server that can be controlled and used by the various plugins, it also contains a modified version of the SSLStrip proxy that allows for HTTP modification and a partial HSTS bypass. As of version 0.9.8, MITMf supports active packet filtering and manipulation (basically what better filters did, only better), allowing users to modify any type of traffic or protocol. The configuration file can be edited on-the-fly while MITMf is running, the changes will be passed down through the framework.
    Downloads: 1 This Week
    Last Update:
    See Project
  • 20
    Sippts

    Sippts

    Set of tools to audit SIP based VoIP Systems

    Sippts is a set of tools to audit VoIP servers and devices using SIP protocol. Sippts is programmed in Python and it allows us to check the security of a VoIP server using SIP protocol. You can freely use, modify and distribute. If modified, please put a reference to this site. Most security tools can be used for illegal purposes, but the purpose of this tool is to check the security of your own servers and not to use to do bad things. I am not responsible for the misuse of this tool. Sippts is a set of tools to audit VoIP servers and devices using SIP protocol. Sipscan is a fast scanner for SIP services that uses multithread. Sipscan can check several IPs and port ranges and it can work over UDP or TCP. Sipexten identifies extensions on a SIP server. Also tells you if the extension line requires authentication or not. Sipexten can check several IPs and port ranges.
    Downloads: 1 This Week
    Last Update:
    See Project
  • 21
    Splunk Attack Range

    Splunk Attack Range

    A tool that allows you to create vulnerable environments

    The Splunk Attack Range is an open-source project maintained by the Splunk Threat Research Team. It builds instrumented cloud (AWS, Azure) and local environments (Virtualbox), simulates attacks, and forwards the data into a Splunk instance. This environment can then be used to develop and test the effectiveness of detections.
    Downloads: 1 This Week
    Last Update:
    See Project
  • 22
    sqlmap
    sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.
    Downloads: 2 This Week
    Last Update:
    See Project
  • 23
    netool toolkit 4.6

    netool toolkit 4.6

    MitM pentesting opensource toolkit

    Operative Systems Suported are: Linux-ubuntu, kali-linux, backtack-linux (un-continued), freeBSD, Mac osx (un-continued) Netool its a toolkit written using 'bash, python, ruby' that allows you to automate frameworks like Nmap, Driftnet, Sslstrip, Metasploit and Ettercap MitM attacks. this toolkit makes it easy tasks such as SNIFFING tcp/udp traffic, Man-In-The-Middle attacks, SSL-sniff, DNS-spoofing, D0S attacks in wan/lan networks, TCP/UDP packet manipulation using etter-filters, and gives you the ability to capture pictures of target webbrowser surfing (driftnet), also uses macchanger to decoy scans changing the mac address. Rootsector module allows you to automate some attacks over DNS_SPOOF + MitM (phishing - social engineering) using metasploit, apache2 and ettercap frameworks. Like the generation of payloads, shellcode, backdoors delivered using dns_spoof and MitM method to redirect a target to your phishing webpage. recent as introducted the scanner inurlbr (by cleiton)
    Downloads: 2 This Week
    Last Update:
    See Project
  • 24
    Inguma is a free penetration testing and vulnerability discovery toolkit entirely written in python. Framework includes modules to discover hosts, gather information about, fuzz targets, brute force usernames and passwords, exploits, and a disassembl
    Downloads: 4 This Week
    Last Update:
    See Project
  • 25
    cracking-actions

    cracking-actions

    a bruteforcer that can crack variety of files such as zip,rar & more

    cracking-actions is an open source software that allows you to crack passwords, files, etc... ,it targets windows and linux
    Downloads: 5 This Week
    Last Update:
    See Project
  • Previous
  • You're on page 1
  • 2
  • 3
  • 4
  • Next
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.