OWASP ZAP (Zed Attack Proxy) - Proxy that allows for both automated and manual testing and identification of vulnerabilities. It has many components that allow for different tasks to be performed., Burp Suite Community Edition - Proxy with a wide range of options to test web applications for different vulnerabilities. Its components allow you to perform particular types of automated testing, manually modifying requests, and passive analysis., DirBuster - Web application brute-force finder for directories and files. Comes with 9 different lists, including default directories and common names given by developers. Also allows for brute-force., truffleHog - Git secrets search tool. It can automatically crawl through a repository looking for accidental commits of secrets. GitHub secrets allow code commits, this will allow an attacker to modify code in a repository., w3af - The Web Application Attack and Audit Framework allows you to identify and exploit a large set of web-based vulnerabilities, such as SQL injection and cross-site scripting., WPScan (WordPress Security Scanner)(Browser Exploit Framework) - Automatically gathers data about a WordPress site and compares findings such as plugins against a database of known vulnerabilities. Provides useful information on findings, including plugin version and references to the vulnerability such as CVE number and link., Wapiti - A web application vulnerability scanner which will automatically navigate a webapp looking for areas where it can inject data. Several modules can be enabled/disabled to target different vulnerabilities., Gobuster - Can discover subdomains, directories, and files by brute-forcing from a list of common names. This can provide information that was otherwise not available., CrackMapExec - Post-exploitation tool to identify vulnerabilities in active directory environments., BeEF (Browser Exploit Framework) - Focuses on web browser attacks by assessing the actual security posture of a target by using client-side attack vectors., Brakeman - Static code analysis security tool for Ruby on Rails applications. Checks for vulnerabilities and provides confidence level of finding (high, medium, weak)., SQLmap - SQL Injection scanner tool. Automates several of the attacks and supports many databases. Some of its features include database search, enumeration, and command execution., SearchSploit - Exploit finder that allows to search through the information found in Exploit-DB. It also supports Nmap outputs in XML format to search for exploits automatically., Reaver - Used to perform brute force attacks against WPS-enabled APs., Covenant - a .NET C2 framework that shows the attack surace of .NET to make attacks through this vector easier, EAPHammer - Python-based tookit used to launch attacks on WPA2-Enterprise 802.11a or 802.11n networks., Drozer - open-source software used for testing for vulnerabilities on Android devices., Snow - Used to hide and conceal activity within the whitespace of a text file that uses ASCII format., Empire - leverages PowerShell for common post-exploitation tasks on Windows, Mythic - a cross-platform C2 framework that contains payloads that can provide consistently good results., Bloodhound - used to investigate relationships in a network that uses AD. Explores AD trust relationships, abusable rights on AD objects, security group membership, SQL admin links, etc., Airmon-ng - will enable and disable monitor mode on wireless interface. Can switch an interface from managed to monitor mode., Steghide - used to conceal a payload in either an image or audio file., Postman - provides an interactive and automatic environment used to test and HTTP API., Airplay-ng - Used to force single clients or all clients from a WAP, Frida - open source, able to work with wide range of OS includes custom dev tools for app testing. Allows examining plaintext data being passed., Airodump-ng - Provides ability to capture 802.11 frames and use the output to identify the MAC address of the AP along with the MAC address of a victim client device., Mimikatz - an open-source tool with several modules, having the ability to create Microsoft Kerberos API, list active processes, and view credential information stored on a Windows computer., WMI - provides information about the status of hosts, configure security settines, and manipulate environment variables., Fern - Python Based, runs on Linux. Used to recover WEP/WPA/WPS keys,

Pentest+ Tools

さんの投稿です
印刷
埋め込み

リーダーボード

表示スタイル

オプション

テンプレートを切り替える

自動保存: を復元しますか?