🛡️⚔️ 🔐 SecOps Toolkits

An Open Source web server scanner which performs comprehensive tests against web servers for multiple items including dangerous files, outdated server software, and other problems. Nikto combines libwhisker and databases of potentially dangerous files, CGI scripts, and problems with specific server versions. It's widely used by penetration testers and security auditors to identify vulnerabilities in web applications and servers, including checking for over 6700 potentially dangerous files, over 2000 server problems, and more than 1250 cgi scripts.

The open-source web server and CGI scanner that identifies potential security vulnerabilities in web applications and servers. Nikto performs comprehensive tests against web servers for dangerous files, outdated server software, and other problems. It combines libwhisker with databases of potentially dangerous files and CGI scripts to provide a detailed analysis of web application security. The scanner checks for over 6500 potentially dangerous files, 1300 CGI scripts, and over 2000 server problems, making it a valuable tool for security professionals conducting web application security assessments.

A Python-based web application scanner that performs OWASP testing, audits form inputs, crawls websites, and identifies potential vulnerabilities through automated analysis. BlackWidow automates the process of finding and testing web application vulnerabilities including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and other common web security issues. It provides detailed reports and helps security researchers efficiently identify potential security exposures in web applications. The tool combines crawling capabilities with security testing to give a comprehensive view of web application security vulnerabilities.

A fast and customizable vulnerability scanner based on a simple YAML-based template engine. Nuclei can send requests with predefined templates and detect potential vulnerabilities across various protocols including HTTP, DNS, SSL/TLS, and network services. It's designed to be efficient and fast while maintaining high accuracy in vulnerability detection. The template-based approach allows security professionals to create custom checks for specific vulnerabilities and test for known issues across their infrastructure. Nuclei supports various protocols beyond web applications, making it a versatile tool for comprehensive security assessments.

A fast web crawling framework designed to crawl web applications efficiently and discover hidden paths, parameters, and endpoints. Katana extracts links, forms, scripts, headers, and other points of interest from various sources and follows redirect chains to build an accurate map of the application's structure. It's particularly useful for security professionals who need to understand the full scope of a web application before conducting penetration testing or security assessments. The tool specializes in discovering hidden attack surfaces by combining intelligent crawling with parameter analysis and can be customized to fit specific reconnaissance requirements.

An integrated platform for performing security testing of web applications. Burp Suite includes various tools for different aspects of web application testing including interception proxy, scanner, intruder, repeater, and sequencer. It allows security professionals to map out the attack surface of an application, identify vulnerabilities, and exploit them to verify risk. The platform provides a comprehensive set of tools for manual and automated security testing of web applications, making it an essential component of many security professionals' toolkits.

The world's most widely used web application security scanner, maintained under the Open Web Application Security Project (OWASP). OWASP ZAP is an open-source tool that provides both automated and manual security testing capabilities for web applications. It includes a proxy for intercepting traffic, an automated scanner for identifying vulnerabilities, and various other tools for security testing. ZAP actively crawls web applications, identifies security vulnerabilities, and provides guidance on remediation. It's designed to be used by people with a wide range of security experience to find and fix security vulnerabilities in web applications.

The premier open-source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws. SQLMap supports various kinds of SQL injection techniques and can bypass many security measures. It provides access to an underlying database management system through the web application's database, taking advantage of insecure SQL query processing. SQLMap can fingerprint the back-end database, enumerate users, password hashes, privileges, roles, databases, tables, and columns. It can also dump entire database tables, execute arbitrary SQL queries, take over the database management system, and access the underlying file system through out-of-band connections.

A comprehensive WordPress security scanner that performs black box penetration testing specifically on WordPress installations. WPScan uses a database of known vulnerabilities to detect security issues in WordPress core, themes, and plugins. It can identify WordPress version, enumerate usernames, detect installed plugins and themes, and check them against a database of known vulnerabilities. The tool also identifies common configuration issues and provides detailed information about security weaknesses in WordPress installations. Security professionals use WPScan to assess the security posture of WordPress sites and ensure they are protected against known threats.

A powerful open-source XSS (Cross-Site Scripting) scanning and parameter analysis tool designed for security professionals. Dalfox performs both passive and active XSS scanning, supports headless browsing, and provides detailed analysis of parameters to identify potential XSS vulnerabilities. It can detect reflected, stored, and DOM-based XSS vulnerabilities, and includes features for parameter analysis, request/response handling, and custom payload injection. Dalfox is designed to be fast and accurate, with support for multiple browsers and various XSS evasion techniques.

An HTTP Request Smuggling detection tool specifically designed to identify and exploit HTTP desync vulnerabilities. Smuggler detects various types of HTTP Request Smuggling vulnerabilities including CL.TE, TE.CL, and other desynchronization attacks. The tool is designed to bypass WAFs and other security controls that fail to parse HTTP requests properly. HTTP Request Smuggling can lead to serious security issues including bypassing access controls, web cache poisoning, and gaining unauthorized access to sensitive data. Smuggler helps security professionals identify these complex vulnerabilities.

The Network Mapper, a powerful open-source utility for network discovery and security auditing. Nmap discovers hosts and services on a computer network, creates a map of the network, and identifies open ports, running services, operating systems, and potential vulnerabilities. It is widely used by network administrators and security professionals for inventory, managing service upgrade schedules, and monitoring host or service uptime.

An extremely fast and lightweight port scanner capable of scanning the entire Internet in under 6 minutes from a single machine. Masscan uses asynchronous transmission to achieve high speeds while maintaining accuracy, making it suitable for large-scale network reconnaissance. It supports custom network interfaces, configurable timing, and can output results in various formats for further analysis. Security professionals use Masscan to identify which ports are open across a range of IP addresses, providing valuable information about the attack surface of target networks. The tool can scan at rates exceeding 10 million packets per second, making it ideal for Internet-wide scanning projects.

A website fingerprinter that identifies web technologies used by sites, including content management systems, blogging platforms, statistics and analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1,800 plugins to recognize different web technologies and can be used to profile websites during the reconnaissance phase of penetration testing. The tool provides detailed information about web technologies, version numbers, and can help security professionals understand what technologies they're dealing with before beginning an assessment. It includes various plugins for recognizing different technologies and can operate in stealth mode to avoid detection by intrusion detection systems.

A tool designed to check if HTTP/HTTPS servers are responding. Httprobe takes a list of potential URLs and verifies which ones have active HTTP services running, making it ideal for reconnaissance after domain enumeration or port scanning. The tool is lightweight and efficient, making it excellent for checking large numbers of potential web servers. Httprobe can be seamlessly integrated into larger reconnaissance workflows, helping security professionals focus their efforts on services that are actually accessible before launching more intensive web security assessments. It supports various configuration options for timeouts, redirects, and custom headers to tailor the probing behavior to specific requirements.

A powerful and flexible open-source password security auditing tool that is available for multiple operating systems. John the Ripper is designed for detecting weak passwords and employs various password cracking techniques including dictionary attacks, brute force, and hybrid approaches. It supports a wide range of hash formats and can audit password security by attempting to crack password hashes extracted from various systems. The tool has both a robust built-in wordlist and extensive support for custom dictionaries and rule-based attacks, making it highly configurable for specific cracking requirements. Security professionals use John the Ripper to identify weak passwords in their systems as part of security audits and penetration tests.

The world's fastest and most advanced password recovery utility that supports a wide range of hashing algorithms and features. Hashcat is renowned for its GPU acceleration capabilities, making it significantly faster than CPU-based crackers. It supports over 300 different hash types including LM hashes, NTLM, MD5, SHA-family, bcrypt, and more complex algorithms. The tool provides various attack modes including brute-force, dictionary, combination, and rule-based attacks. Hashcat also features a distributed cracking capability that allows multiple systems to work together on the same cracking job, making it ideal for large-scale password recovery operations. Security professionals rely on Hashcat for auditing password strength and testing the resilience of authentication systems.

A complete suite of tools for auditing wireless network security. Aircrack-ng includes tools for monitoring, attacking, testing, and cracking WiFi networks. It can capture packets and export data to text files for further analysis, crack WEP and WPA/WPA2-PSK keys, and includes utilities for injecting frames and replaying captures. The suite has tools for discovering wireless networks, monitoring traffic, testing password strength, and performing various security assessments on WiFi infrastructure. It supports numerous wireless chipsets and drivers across different operating systems, making it an essential toolkit for wireless security professionals and penetration testers. The tools are particularly effective for evaluating the security of wireless networks and demonstrating potential vulnerabilities.

A fast and flexible network logon cracker that supports numerous protocols for brute-force attacks against network services. Hydra is capable of performing rapid dictionary and brute-force attacks against more than 50 protocols including FTP, HTTP, HTTPS, SMB, Telnet, SSH, Oracle, and many others. It's designed to be efficient and customizable, with support for various authentication methods and error handling for different services. Security professionals use Hydra to audit password strength and authentication implementations across network services. The tool allows for custom username and password lists, timeout configuration, and rate limiting to optimize attack effectiveness while avoiding detection. Hydra's modular architecture enables support for new protocols and maintains its status as one of the most widely-used network authentication crackers.

A PowerShell Post-Exploitation Framework consisting of a collection of PowerShell modules and scripts that aid in penetration testing and red team operations. PowerSploit enables security professionals to perform various post-exploitation tasks including code execution, persistence, privilege escalation, and data theft using PowerShell. The framework includes modules for PowerShell-based malware development, execution of reflective DLLs, bypassing software restrictions, and performing token manipulation. It provides tools for keylogging, credential theft, file manipulation, and registry interactions, all executed through PowerShell. Security researchers and penetration testers use PowerSploit as part of their offensive security toolset to simulate advanced persistent threats and test organizational defenses. The framework is particularly effective in Windows environments where PowerShell is enabled, allowing for stealthy operations that leverage trusted system components.

A PowerShell and Python 3 post-exploitation agent that operates over HTTP/S and includes a robust plugin and detection evasion architecture. Empire provides a sophisticated command and control (C2) framework that enables security teams to conduct post-exploitation activities after gaining initial access to systems. The framework features a cross-platform agent that uses AES encryption for command and control communications, PowerShell and Python stagers for initial access, and an extensive library of modules for various post-exploitation tasks. Empire includes modules for credential harvesting, privilege escalation, persistence mechanisms, and lateral movement techniques. It also provides detection evasion capabilities, including obfuscated PowerShell commands, proxy-aware communication, and AMSI bypass techniques. The web-based interface allows operators to manage agents, execute commands, and coordinate complex attack scenarios. Security professionals use Empire for red team exercises, penetration testing, and adversarial simulation to test organizational defenses against advanced persistent threats.

A .NET command and control (C2) framework that provides a collaborative interface for red teamers and defenders to perform post-exploitation activities. Covenant is designed as an ASP.NET-based web application that offers a web-based interface for managing implants and executing commands during penetration testing and red team operations. The framework includes features for creating implants in multiple languages (C#, PowerShell, and Python), defining listeners for different communication protocols, and executing post-exploitation tasks through a user-friendly dashboard. It provides built-in payloads and activities for common exploitation tasks, including PowerShell implant functionality, shellcode execution, and various lateral movement techniques. Covenant also offers integration with other offensive security tools and frameworks. The platform aims to support all stages of the attack lifecycle and provides a collaborative environment for offensive security teams to coordinate their operations. Security professionals use Covenant to simulate advanced attack scenarios and test their organization's ability to detect and respond to C2 communications.

A .NET tool designed for Active Directory Certificate Services (ADCS) enumeration and abuse. Certify helps security professionals identify misconfigured certificate templates that could be exploited for privilege escalation in Active Directory environments. The tool enumerates certificate authorities, certificate templates, and enrollment permissions to identify templates that may be vulnerable to abuse. It can identify certificate templates that allow for authentication certificate requests based on user attributes, potentially allowing an attacker to request certificates for other users, including domain admins. Certify also provides checks for specific ADCS attacks like ESC1 (misconfigured certificate templates) and ESC8 (misconfigured PKI certificate templates) vulnerabilities. During enumeration, Certify identifies certificate authorities, lists available templates, checks which principals have enrollment permissions, and determines if authentication certificates can be requested for other users. This tool is essential for both red teamers looking to exploit ADCS misconfigurations and blue teamers assessing the security of their certificate infrastructure.

A collection of Python classes for working with network protocols that provides both lower layer access and high-level protocol implementations. Impacket is essential for security professionals performing penetration tests and security assessments on networks, as it enables direct interaction with various network protocols including SMB, DCE/RPC, MS-DCERPC, Windows Authenticated (NTLMv1/v2/LMv2), Kerberos, LDAP, and other related services. The framework includes command-line tools for common attacks against these protocols, such as secretsdump for extracting secrets from remote machines, smbexec for executing commands via SMB, wmiexec for WMI-based command execution, and ticketer for creating Kerberos tickets. Impacket is widely used for implementing and testing security vulnerabilities related to network protocols, particularly in Active Directory environments. Key tools include GetNPUsers for identifying users with Kerberos pre-authentication disabled, GetUserSPNs for requesting TGS tickets against users with SPNs set, and ntlmrelayx for NTLM relay attacks. Impacket is invaluable for security professionals looking to assess the security of network protocols and Active Directory authentication mechanisms, providing both offensive and defensive capabilities for security testing.