Security Tools
Complete arsenal of security testing tools — from reconnaissance to exploitation, with practical guides and ready-to-use commands
Recon & OSINT
Reconnaissance & Information Gathering
Subfinder
Fast passive subdomain enumeration tool
Amass
In-depth attack surface mapping and asset discovery
httpx
Fast HTTP probing and analysis tool
Arjun
API parameter discovery tool with smart brute-forcing
ParamSpider
Passive parameter extraction from web archives
x8
Fast hidden-parameter discovery tool written in Rust; tests many parameters per request and diffs responses to spot the ones the application reacts to
gf
grep wrapper with saved pattern sets (e.g. XSS, SSRF, LFI, redirect parameters) for triaging large URL lists by likely vulnerability class
WhatWeb
Web technology identification and fingerprinting tool
Gau (GetAllUrls)
Fetch known URLs from AlienVault OTX, Wayback Machine, and Common Crawl
Katana
Next-gen web crawling and spidering tool by ProjectDiscovery
Naabu
Fast port scanner by ProjectDiscovery with service discovery and Nmap integration
theHarvester
theHarvester is a passive OSINT and reconnaissance tool designed to gather emails, subdomains, IP addresses, and URLs from publicly available sources. It is commonly used in the early stages of penetration testing and security assessments to map an organization's external footprint.
DNSRecon
Advanced DNS enumeration tool for querying various DNS record types and performing zone transfers
Sherlock
Search for usernames across hundreds of social networks and websites
Assetfinder
Find domains and subdomains by passive sources
Findomain
Fast subdomain finder written in Rust that aggregates results from multiple passive sources
Chaos
Chaos (ProjectDiscovery) subdomain enumeration API client
GitHub-Subdomains
Enumerate subdomains from GitHub repositories
Crobat
Subdomain enumeration client for Rapid7 Project Sonar forward-DNS data (via the Crobat API)
Sublist3r
Fast subdomain enumeration using search engines
OneForAll
Powerful subdomain enumeration tool
Dnsx
Fast DNS query tool by ProjectDiscovery
Shuffledns
massdns wrapper by ProjectDiscovery for subdomain brute-forcing and resolution with wildcard filtering
Massdns
High-performance DNS resolver for bulk lookups
Puredns
Fast domain resolver and subdomain brute-forcer built on massdns, with wildcard detection and filtering
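Wildcard filtering is what separates shuffledns and puredns from a plain massdns run: if `*.target.com` answers for anything, a brute-force list "resolves" wholesale and is useless. The block below is an added example of that technique, written for this page and not taken from either project. DNS is abstracted behind a resolver function and the zone is a constructed in-memory table, so it runs offline; `fake_resolve`, `FAKE_ZONE` and `CANDIDATES` are all assumptions for illustration.

```python
import secrets

# Constructed zone: exact names plus a wildcard under the apex. In real runs the
# resolver is massdns/dnsx; here it is a function so the logic runs offline.
FAKE_ZONE = {
    "www.example.com": {"93.184.216.34"},
    "api.example.com": {"10.0.0.5"},
    "dev.api.example.com": {"10.0.0.6"},
    "*.example.com": {"1.2.3.4"},
}


def _node_exists(name):
    """True if `name` exists in the zone as a node (itself or as an ancestor)."""
    return any(k == name or k.endswith("." + name) for k in FAKE_ZONE)


def fake_resolve(name):
    """Mimic authoritative wildcard behaviour: an exact match wins, otherwise the
    wildcard at the closest existing ancestor applies (RFC 4592 closest encloser).
    Returns an empty set for NXDOMAIN."""
    if name in FAKE_ZONE:
        return set(FAKE_ZONE[name])
    labels = name.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if _node_exists(parent):
            return set(FAKE_ZONE.get("*." + parent, set()))
    return set()


def detect_wildcard(parent, resolve, rounds=3):
    """Resolve random labels under `parent`; any answer is a wildcard address.
    Several rounds catch wildcards that rotate between addresses."""
    ips = set()
    for _ in range(rounds):
        ips |= resolve(f"{secrets.token_hex(8)}.{parent}")
    return ips


def filter_wildcards(candidates, resolve):
    """Resolve candidates and keep only those with at least one address that is
    not explained by a wildcard at any ancestor below the TLD."""
    wildcard_cache = {}
    real = {}
    for name in candidates:
        ips = resolve(name)
        if not ips:
            continue  # NXDOMAIN
        labels = name.split(".")
        wildcard_ips = set()
        for i in range(1, len(labels) - 1):  # every ancestor except the TLD
            parent = ".".join(labels[i:])
            if parent not in wildcard_cache:
                wildcard_cache[parent] = detect_wildcard(parent, resolve)
            wildcard_ips |= wildcard_cache[parent]
        if ips - wildcard_ips:
            real[name] = ips
    return real


CANDIDATES = [  # constructed brute-force output
    "www.example.com", "api.example.com", "dev.api.example.com",
    "foo.example.com", "bar.api.example.com", "staging.example.com",
]

if __name__ == "__main__":
    for host, ips in filter_wildcards(CANDIDATES, fake_resolve).items():
        print(host, ",".join(sorted(ips)))
```

Only `www`, `api` and `dev.api` survive: `foo` and `staging` return the wildcard address and are dropped, `bar.api` is NXDOMAIN because `api.example.com` exists as a closer encloser without its own wildcard. The caveat, shared with the real tools: a genuine host that happens to sit on the wildcard IP is discarded too, so keep the raw resolution output when a result looks too thin.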
Altdns
Subdomain discovery via permutations
Dnsgen
DNS name generator from existing subdomains
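Altdns and dnsgen both work by recombining what you already know: the labels of discovered hosts become a vocabulary that is prefixed, suffixed, inserted and swapped into every other host, plus numeric stepping. The block below is an added example of that generation logic, written for this page and not code from either project; `WORDS` is a constructed mini wordlist and the seed hosts are made up. Nothing here touches the network; the output is meant to be piped into a wildcard-aware resolver.

```python
import re

# Constructed mini wordlist; real runs use the dnsgen/altdns default lists.
WORDS = ["dev", "staging", "api", "admin", "test"]


def split_labels(host, apex):
    """Labels of `host` below the apex: 'dev.api.example.com' -> ['dev', 'api']."""
    suffix = "." + apex
    if not host.endswith(suffix):
        raise ValueError(f"{host} is not under {apex}")
    return host[: -len(suffix)].split(".")


def permute(known, apex, words=WORDS):
    """Generate candidate subdomains from the ones already known.

    Strategies (each mirrors one altdns/dnsgen generator):
      - prefix / suffix a word onto the leftmost label:  dev-api, api-dev
      - insert a word as an extra label:                 dev.api, api.dev
      - swap any existing label for another word:        dev.api -> staging.api
      - step trailing numbers down and up:               api1 -> api0, api2
    Labels of known hosts are learned into the vocabulary, so a label seen once
    is tried everywhere else; that is how these tools turn up 'staging' hosts.
    """
    vocab = set(words)
    for host in known:
        vocab.update(split_labels(host, apex))

    out = set()
    for host in known:
        labels = split_labels(host, apex)
        first, rest = labels[0], labels[1:]
        for w in vocab:
            if w != first:
                out.add(".".join([f"{w}-{first}"] + rest + [apex]))
                out.add(".".join([f"{first}-{w}"] + rest + [apex]))
                out.add(".".join([w, first] + rest + [apex]))
                out.add(".".join([first, w] + rest + [apex]))
            for i, lbl in enumerate(labels):
                if lbl != w:
                    out.add(".".join(labels[:i] + [w] + labels[i + 1:] + [apex]))
        m = re.fullmatch(r"(.*?)(\d+)", first)
        if m:
            stem, digits = m.group(1), m.group(2)
            for n in (int(digits) - 1, int(digits) + 1):
                if n >= 0:  # keep zero padding: api01 -> api00, api02
                    out.add(".".join([stem + str(n).zfill(len(digits))] + rest + [apex]))
    return out - set(known)


if __name__ == "__main__":
    # Constructed seed list; pipe the output into puredns/shuffledns to resolve.
    for c in sorted(permute(["api.example.com", "dev1.example.com"], "example.com")):
        print(c)
```

Two seeds and five words already produce dozens of candidates; on a real target with hundreds of known hosts the list runs into the millions, which is why the resolver stage needs wildcard filtering and rate limiting rather than more permutations.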
Hakrevdns
Reverse DNS lookup tool
MapCIDR
CIDR utility by ProjectDiscovery to expand, aggregate, slice and filter IP ranges before scanning
Tlsx
Fast TLS/SSL scanner by ProjectDiscovery for certificate enumeration and cipher detection
RustScan
Fast port scanner written in Rust with Nmap integration for service detection
AutoRecon
Multi-threaded reconnaissance tool that automates port scanning, service enumeration, and vulnerability detection
Unicornscan
High-powered port scanner with asynchronous probing and service detection capabilities
Zmap
Internet-wide single-port scanner capable of covering the entire IPv4 address space in under an hour on a gigabit link
Smap
Passive, Nmap-compatible port scanner written in Go that queries Shodan's InternetDB instead of sending packets and writes Nmap output formats; results reflect Shodan's last scan of the host, not its live state
Feroxbuster
Fast content discovery tool written in Rust for directory and file brute-forcing
Wfuzz
Web fuzzer for content discovery supporting multiple injection points and authentication
Waybackurls
Fetch all URLs from Wayback Machine for a given domain by TomNomNom
Gauplus
Improved version of Gau (GetAllUrls) with additional providers and concurrent fetching
Uro
URL deduplicator and cleaner that removes duplicates and low-quality paths from URL lists
Hakrawler
Fast web crawler for endpoint discovery
xnLinkFinder
Discover endpoints and parameters from JavaScript files, HTTP responses, Burp exports and archived URLs
Parameth
Brute-force discovery of GET and POST parameters from a wordlist
Qsreplace
Replace every query-string value in URLs read from stdin with a supplied payload (or append the payload to the existing value) to feed fuzzers
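Uro and qsreplace are the glue between URL harvesting and fuzzing: the first collapses thousands of archived URLs down to one representative per endpoint shape, the second swaps every parameter value for a payload. The block below is an added example of both operations, written for this page and not code from either project; `STATIC_EXT` and the input URL list are constructed for illustration, and in practice the URLs arrive on stdin from gau, waybackurls or katana.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Constructed blacklist of static-asset extensions; these rarely carry
# injectable logic, so uro-style cleaners drop them by default.
STATIC_EXT = (".css", ".png", ".jpg", ".jpeg", ".gif", ".svg", ".ico",
              ".woff", ".woff2", ".ttf", ".pdf", ".mp4")


def dedupe(urls):
    """Collapse URLs that differ only in parameter values or fragments, drop
    static assets and malformed lines, and lower-case the host. The first URL
    seen for each (host, path, sorted parameter names) key is kept, so exactly
    one representative per endpoint shape survives for fuzzing."""
    seen = set()
    kept = []
    for raw in urls:
        raw = raw.strip()
        if not raw:
            continue
        p = urlsplit(raw)
        if p.scheme not in ("http", "https") or not p.netloc:
            continue
        path = p.path or "/"
        if path.lower().endswith(STATIC_EXT):
            continue
        params = parse_qsl(p.query, keep_blank_values=True)
        key = (p.netloc.lower(), path, tuple(sorted({k for k, _ in params})))
        if key in seen:
            continue
        seen.add(key)
        kept.append(urlunsplit((p.scheme, p.netloc.lower(), path, p.query, "")))
    return kept


def qsreplace(url, payload, append=False):
    """Replace (or, with append=True, extend) every query value with `payload`.
    Values are emitted raw rather than URL-encoded so fuzzing payloads such as
    '\"><svg/onload=alert(1)>' reach the target untouched; encode them yourself
    if the target expects it. URLs without a query are returned unchanged."""
    p = urlsplit(url)
    params = parse_qsl(p.query, keep_blank_values=True)
    if not params:
        return url
    new = [(k, (v + payload) if append else payload) for k, v in params]
    query = "&".join(f"{k}={v}" for k, v in new)
    return urlunsplit((p.scheme, p.netloc, p.path, query, p.fragment))


SAMPLE_URLS = [  # constructed harvester output
    "https://Example.com/search?q=shoes&page=1",
    "https://example.com/search?page=2&q=boots#top",
    "https://example.com/static/app.css",
    "https://example.com/item?id=42",
    "https://example.com/item?id=43",
    "https://example.com/item?id=44&ref=mail",
    "not a url",
]

if __name__ == "__main__":
    for u in dedupe(SAMPLE_URLS):
        print(qsreplace(u, "FUZZ"))
```

Seven harvested lines become three fuzzable URLs. Keying on parameter *names* rather than the whole query is the important choice: `?id=42` and `?id=43` are the same attack surface, while `?id=44&ref=mail` has an extra parameter and deserves its own test.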
Uniscan
Web vulnerability scanner with checks for remote file inclusion, local file inclusion and remote command execution
Kxss
Checks which reflected parameters let XSS special characters (such as <, >, ", ') through unfiltered
Gxss
Finds parameters whose values are reflected in the response, as candidates for reflected XSS
SecretFinder
Find sensitive data in JS files
LinkFinder
Extract endpoints from JavaScript files
JSParser
JavaScript parser for URL extraction
GetJS
Extract JavaScript files from a target
SubJS
Find JavaScript files from subdomains
Mantra
Searches JavaScript files for leaked API keys and other secrets
JSLuice
Extract URLs, secrets, and other interesting data from JavaScript files with pattern matching
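LinkFinder, SecretFinder and jsluice all reduce to the same core: pull quoted strings that look like URLs or paths out of JavaScript, and match the remaining strings against known secret formats. The block below is an added example of that approach, written for this page and not code from any of those projects. The regexes are deliberately simpler than LinkFinder's, `SAMPLE_JS` is a constructed snippet, and the AWS key in it is the documented placeholder `AKIAIOSFODNN7EXAMPLE`, not a real credential.

```python
import re

# Constructed JavaScript, standing in for a bundle fetched with getJS/subjs.
SAMPLE_JS = r'''
const BASE = "https://api.example.com/v2";
fetch(BASE + "/users/me", {headers: {Authorization: "Bearer " + token}});
axios.post('/api/v2/orders', body);
const img = "/static/img/logo.png";
var s3 = "https://assets.example.com/bundle.min.js";
const AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
const ghToken = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcd123456";
const apiKey = "q1w2e3r4t5y6u7i8o9p0";
'''

# A quoted string that is either an absolute http(s) URL or a root-relative path.
ENDPOINT_RE = re.compile(r"""["']((?:https?://[^"'\s]+)|(?:/[A-Za-z0-9_./?=&-]+))["']""")

# Format-based secret signatures; the generic one keys on a suspicious variable name.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "github_token": re.compile(r"\b(ghp_[A-Za-z0-9]{36})\b"),
    "generic_api_key": re.compile(
        r"""(?i)(?:api[_-]?key|secret)["']?\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
    ),
}

STATIC = (".png", ".jpg", ".jpeg", ".gif", ".css", ".svg", ".woff", ".ico")


def extract_endpoints(js):
    """Return unique endpoint strings in order of first appearance."""
    found = []
    for m in ENDPOINT_RE.finditer(js):
        ep = m.group(1)
        if ep not in found:
            found.append(ep)
    return found


def extract_secrets(js):
    """Return (pattern_name, matched_value) pairs for every secret signature hit."""
    hits = []
    for name, rx in SECRET_PATTERNS.items():
        for m in rx.finditer(js):
            hits.append((name, m.group(1)))
    return hits


def triage(endpoints):
    """Split findings into things worth requesting (routes, further JS files to
    recurse into) and static assets that can be ignored."""
    fetchable, static = [], []
    for ep in endpoints:
        (static if ep.lower().endswith(STATIC) else fetchable).append(ep)
    return fetchable, static


if __name__ == "__main__":
    fetchable, static = triage(extract_endpoints(SAMPLE_JS))
    print("endpoints:", *fetchable, sep="\n  ")
    print("static:", *static, sep="\n  ")
    for name, value in extract_secrets(SAMPLE_JS):
        print(f"secret [{name}]: {value}")
```

On minified bundles the quoted-string heuristic still works because minifiers preserve string literals, but template strings and concatenated paths (`BASE + "/users/me"` above yields only the relative half) are where tools like jsluice, which parse the AST, pull ahead of pure regex.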
Aquatone
Visual inspection and screenshot tool for discovering websites at scale
Gowitness
Web screenshot utility written in Go using Chrome Headless
EyeWitness
Take screenshots of web applications, desktops, and network services at scale
Webscreenshot
Simple Python script to take screenshots of websites from a list
WitnessMe
Web reconnaissance screenshot tool with built-in discovery and reporting
Webanalyze
Go port of Wappalyzer for identifying the technologies used on websites
WAFW00F
Web application firewall fingerprinting and detection tool
mitmproxy
Interactive HTTPS proxy for security testing and traffic inspection
proxify
Swiss Army knife proxy by ProjectDiscovery for traffic interception
recon-ng
Full-featured reconnaissance framework with modular architecture
SpiderFoot
Automated OSINT and threat intelligence reconnaissance tool
Photon
Fast web crawler designed for OSINT and reconnaissance
Gitleaks
Detect secrets, API keys, and passwords in Git repositories
holehe
Check if an email is used on various online services
Maigret
Collect a dossier on a person by searching usernames across thousands of sites
IntelX (Intelligence X)
Search engine and data archive covering darknet sites, leaks, paste sites and WHOIS history, with an API client for OSINT investigations
Maltego
Powerful OSINT and link analysis tool for mapping relationships between entities
Web Vulnerabilities
Web Vulnerability Assessment
Nuclei
Fast vulnerability scanner with template-based detection
SQLMap
Automatic SQL injection detection and exploitation tool
XSStrike
Advanced XSS detection suite with a context-aware fuzzing engine, crawler and WAF detection
WPScan
WordPress security scanner for vulnerability detection and enumeration
Dalfox
Advanced XSS vulnerability scanner and parameter analysis tool
Nikto
Classic web server scanner that checks for outdated versions, dangerous files, misconfigurations, and common vulnerabilities
Methods
Security Testing Methods
Burp Suite
Industry-standard web security testing platform
Nmap
Network scanner for host and service discovery
ffuf
Fast web fuzzer for content discovery and parameter fuzzing
Gospider
Fast web crawler and content discovery tool written in Go
CeWL
Custom wordlist generator that crawls websites for targeted brute-forcing
Gobuster
Directory/file/DNS subdomain brute-forcing tool written in Go
Hydra
Fast online password brute-forcing tool supporting many protocols
Dirsearch
Advanced web path brute-forcing tool with recursive scanning
John the Ripper
Fast password cracking tool supporting many hash formats
Searchsploit
Exploit Database search tool for finding public exploits
Masscan
Asynchronous mass IP port scanner that can cover the entire IPv4 Internet in under five minutes at around 10 million packets per second; reaching that rate needs a specialised driver such as PF_RING and a link that can carry it
Hashcat
GPU-accelerated password recovery tool supporting hundreds of hash types and multiple attack modes (dictionary, mask, hybrid, rule-based)
KiteRunner
Contextual API endpoint discovery tool by Assetnote that replays routes compiled from real Swagger/OpenAPI specs, using the correct HTTP method, headers and parameters for each route rather than plain wordlist GETs
Cloud & Assets
Cloud Security & Asset Discovery
CloudFox
AWS and Azure enumeration tool by Bishop Fox that builds situational awareness from a set of credentials and surfaces exploitable attack paths, including privilege-escalation candidates
TruffleHog
Scan Git repositories and filesystems for leaked secrets, credentials, and API keys
S3Scanner
Find open AWS S3 buckets and dump their contents
LazyS3
Brute force AWS S3 bucket names using permutations and common patterns
Cloud_Enum
Multi-cloud enumeration tool for AWS, Azure, and GCP resources
AWSBucketDump
Security assessment tool for finding and dumping AWS S3 buckets
festin
Cloud bucket enumeration and discovery tool
GCPBucketBrute
Brute force GCP bucket names to find open storage
GrayhatWarfare
Grayhat Warfare API client for finding open cloud buckets
enumerate-iam
Enumerate the permissions attached to a given set of AWS credentials by brute-forcing read-only (list/describe/get) API calls
ScoutSuite
Multi-cloud security auditing tool for AWS, Azure, and GCP
Pacu
Open-source AWS exploitation framework by Rhino Security Labs for post-exploitation testing
Advanced Topics
Advanced Security Topics