Top Related Projects
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Directory/File, DNS and VHost busting tool written in Go
Fast web fuzzer written in Go
Fast and customizable vulnerability scanner based on simple YAML based DSL.
Quick Overview
The gwen001/pentest-tools repository is a collection of custom-made tools for penetration testing and bug bounty hunting. It contains various scripts and utilities written primarily in Python, designed to assist security professionals in their assessments and vulnerability discovery processes.
Pros
- Wide range of tools covering different aspects of penetration testing
- Regularly updated with new tools and improvements
- Most tools are lightweight and easy to use
- Provides a valuable resource for both beginners and experienced pentesters
Cons
- Some tools may require additional dependencies or setup
- Documentation for individual tools can be limited
- Not all tools may be actively maintained or updated
- Some tools may be specific to certain scenarios or platforms
Code Examples
Here are a few examples of how to use some of the tools in this repository:
- Using the github-search.py script to search for sensitive information on GitHub:
python3 github-search.py -t YOUR_GITHUB_TOKEN -s "password" -o results.txt
- Scanning subdomains with subdomains_scanner.py:
python3 subdomains_scanner.py -d example.com -o subdomains.txt
- Checking for open ports using mass-port-scanner.py:
python3 mass-port-scanner.py -f ip_list.txt -p 80,443,8080 -o open_ports.txt
Getting Started
To get started with the pentest-tools:
- Clone the repository:
git clone https://github.com/gwen001/pentest-tools.git
- Navigate to the cloned directory:
cd pentest-tools
- Install any required dependencies (check individual tool requirements):
pip3 install -r requirements.txt
- Run the desired tool with appropriate arguments (see examples above or refer to individual tool documentation).
Note: Some tools may require additional setup or API keys. Always review the tool's documentation before use.
Competitor Comparisons
SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
Pros of SecLists
- Comprehensive collection of wordlists for various security testing scenarios
- Regularly updated with community contributions
- Well-organized directory structure for easy navigation
Cons of SecLists
- Primarily static data, lacking active scanning or exploitation tools
- May require additional tools or scripts to utilize the wordlists effectively
- Large repository size can be overwhelming for beginners
Code Comparison
SecLists is primarily a collection of wordlists and doesn't contain executable code. pentest-tools, on the other hand, includes various Python scripts for penetration testing. Here's an example from pentest-tools:
import sys
import time
import requests
from colored import fg, attr  # terminal colours, as used by the original scripts

# shared progress counters; the caller fills in n_total before the scan starts
t_multiproc = {'n_current': 0, 'n_total': 0}

def testURL( url ):
    time.sleep( 0.01 )
    sys.stdout.write( 'progress: %d/%d\r' % (t_multiproc['n_current'],t_multiproc['n_total']) )
    t_multiproc['n_current'] = t_multiproc['n_current'] + 1
    try:
        # any completed HTTP exchange counts as "alive"; certificate errors are ignored
        r = requests.get( url, timeout=2, verify=False )
        return url
    except Exception as e:
        sys.stdout.write( "%s[-] error occurred: %s%s\n" % (fg('red'),e,attr(0)) )
        return None
This code snippet demonstrates a function for testing URLs, which is not present in SecLists as it focuses on providing data rather than functionality.
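The testURL function above folds every failure into one red line and returns either the URL or None, so a reviewer of the scan output cannot tell a host that timed out from one that refused the connection or one that answered with an HTTP error. The following is an added example, not code from pentest-tools: a stdlib-only version that classifies each outcome and takes the fetch function as a parameter, so the logic can be exercised offline. The names fetch_url, classify, probe_urls and alive are my own, and SAMPLE_URLS with fake_fetch are constructed so the block runs without network access.

```python
import socket
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

# outcome categories; the original function only distinguishes "url" from None
REACHABLE, HTTP_ERROR, TIMEOUT, REFUSED = "reachable", "http_error", "timeout", "refused"


def fetch_url(url, timeout=2.0):
    """Default fetcher (hypothetical helper): returns the HTTP status or raises."""
    req = urllib.request.Request(url, headers={"User-Agent": "probe/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def classify(url, fetch):
    """Map one fetch attempt to (url, category, detail) instead of url-or-None."""
    try:
        return (url, REACHABLE, fetch(url))
    except urllib.error.HTTPError as e:
        # the server answered: a 4xx/5xx still proves the host is alive
        return (url, HTTP_ERROR, e.code)
    except (socket.timeout, TimeoutError) as e:
        return (url, TIMEOUT, str(e))
    except urllib.error.URLError as e:
        # URLError wraps the socket-level error; a wrapped timeout is still a timeout
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return (url, TIMEOUT, str(e.reason))
        return (url, REFUSED, str(e.reason))
    except OSError as e:
        return (url, REFUSED, str(e))


def probe_urls(urls, fetch=fetch_url, workers=10):
    """Probe all URLs concurrently; returns {url: (category, detail)} in input order."""
    results = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for url, category, detail in pool.map(lambda u: classify(u, fetch), urls):
            results[url] = (category, detail)
    return results


def alive(results):
    """URLs that answered at all, i.e. the set the original testURL would have returned."""
    return [u for u, (cat, _) in results.items() if cat in (REACHABLE, HTTP_ERROR)]


# constructed sample input and a fake fetcher that mimics the four outcomes
SAMPLE_URLS = ["http://example.invalid/ok", "http://example.invalid/404",
               "http://example.invalid/slow", "http://example.invalid/down"]


def fake_fetch(url):
    if url.endswith("/ok"):
        return 200
    if url.endswith("/404"):
        raise urllib.error.HTTPError(url, 404, "Not Found", {}, None)
    if url.endswith("/slow"):
        raise urllib.error.URLError(socket.timeout("timed out"))
    raise urllib.error.URLError(ConnectionRefusedError("Connection refused"))


if __name__ == "__main__":
    for u, (cat, detail) in probe_urls(SAMPLE_URLS, fetch=fake_fetch).items():
        print(f"{cat:10s} {str(detail):20s} {u}")
```

Swap fake_fetch for the default fetch_url to run it against real targets; the category field is what you would key a report on, since a timeout and a refused connection usually mean different things for the host's exposure.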
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Pros of PayloadsAllTheThings
- More comprehensive collection of payloads and techniques for various attack vectors
- Better organized with clear categorization of different security topics
- Regularly updated with contributions from the security community
Cons of PayloadsAllTheThings
- Lacks specific tools or scripts for direct use in penetration testing
- May be overwhelming for beginners due to the vast amount of information
Code Comparison
PayloadsAllTheThings (SQL Injection example):
' OR '1'='1
' OR 1 -- -
' OR '1'='1' #
pentest-tools (SQL Injection script excerpt):
import requests

# error-based probes; the payload list above is reused here for illustration
payloads = ["' OR '1'='1", "' OR 1 -- -", "' OR '1'='1' #"]

def inject(url, data, headers):
    for payload in payloads:
        # "INJECT" marks where in the request body the payload is substituted
        r = requests.post(url, data=data.replace("INJECT", payload), headers=headers)
        if "error in your SQL syntax" in r.text:
            print("Possible SQL Injection found!")
PayloadsAllTheThings focuses on providing a wide range of payload examples, while pentest-tools offers more practical scripts for active testing. PayloadsAllTheThings is better suited for reference and learning, whereas pentest-tools provides ready-to-use tools for penetration testers.
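Both the payload list and the error-string check in the script excerpt hinge on the same root cause: user input concatenated into the SQL text. As an added example, taken from neither project, the following sqlite3 script puts the vulnerable lookup beside its parameterized replacement so the effect of the ' OR 1 -- - payload, and of the lone quote that produces the database error the scanner looks for, can be observed offline. The USERS rows are constructed and the function names are my own.

```python
import sqlite3

# constructed sample data, not from the page
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The bug the scanner hunts for: input spliced into the query text."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in conn.execute(query)]


def login_parameterized(conn, username, password):
    """Same lookup with bound parameters: input is compared as data, never parsed."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def db_error_for(conn, login, username):
    """Mirror of the scanner's check: send input and report whether the database
    complained. Returns the error text, or None when the query parsed cleanly."""
    try:
        login(conn, username, "wrong-password")
        return None
    except sqlite3.OperationalError as e:
        return str(e)


def compare(username):
    """Run one username through both implementations with a wrong password."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, "wrong-password"),
        "parameterized": login_parameterized(conn, username, "wrong-password"),
    }


if __name__ == "__main__":
    # tautology payload from the list above: the comment swallows the password check
    print(compare("' OR 1 -- -"))
    # a lone quote leaves the string literal unterminated, which is the verbose
    # error the scanner keys on; the parameterized query never sees it as syntax
    print(db_error_for(make_db(), login_vulnerable, "'"))
    print(db_error_for(make_db(), login_parameterized, "'"))
```

The parameterized version is the fix the script's "Possible SQL Injection found!" line should lead to; note that it also makes the error-based probe silent, which is why a quiet response to a lone quote is weak evidence on its own.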
PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Pros of PEASS-ng
- More comprehensive and actively maintained privilege escalation toolkit
- Supports multiple operating systems (Windows, Linux, macOS)
- Includes automated enumeration scripts for faster reconnaissance
Cons of PEASS-ng
- Larger codebase, potentially more complex to use or modify
- May generate more noise during scans, increasing detection risk
- Requires more setup and dependencies compared to simpler scripts
Code Comparison
PEASS-ng (LinPEAS example):
if [ "$MACPEAS" ]; then
    print_2title "System Info"
    system_info
else
    print_2title "Operative system"
    printf $ITALIC"  Ubuntu\n"$NC
    (cat /proc/version || uname -a ) 2>/dev/null | sed -E "s,$kernelDCW_Ubuntu_Precise_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Precise_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_1,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Trusty_2,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Xenial,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Bionic,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Focal,${C}[1;31;103m&${C}[0m," | sed -E "s,$kernelDCW_Ubuntu_Focal2,${C}[1;31;103m&${C}[0m,"
fi
pentest-tools (subdomain_finder.py example):
import json
import requests

def get_subdomains(domain):
    # wildcard certificate-transparency query against crt.sh's JSON endpoint
    url = 'https://crt.sh/?q=%.{d}&output=json'.format(d=domain)
    response = requests.get(url)
    content = response.content.decode('utf-8')
    data = json.loads(content)
    # each record's name_value may hold several names joined by newlines
    return set([name_value['name_value'] for name_value in data])
The PEASS-ng code snippet shows a more complex system information gathering process, while the pentest-tools example demonstrates a simpler subdomain enumeration function.
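The get_subdomains function returns crt.sh's raw name_value strings, which in practice bundle several names per record separated by newlines, include wildcard entries, mix letter case, and can contain out-of-scope names that merely embed the queried domain. As an added example that is not project code, the following stdlib-only normaliser handles those cases over a constructed JSON sample shaped like crt.sh output (the issuer and name values are made up); parse_crtsh and wildcard_bases are my own names.

```python
import json

# constructed sample in the shape of crt.sh's JSON output (not real certificate data)
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Example CA", "name_value": "www.example.com\nexample.com"},
    {"issuer_name": "C=US, O=Example CA", "name_value": "*.example.com"},
    {"issuer_name": "C=US, O=Other CA", "name_value": "API.Example.com\nmail.example.com"},
    {"issuer_name": "C=US, O=Other CA", "name_value": "example.com"},
    {"issuer_name": "C=XX, O=Test", "name_value": "evil.example.com.attacker.test"},
])


def _names(content):
    """Yield every individual, lowercased name in a crt.sh JSON response."""
    for record in json.loads(content):
        for name in record.get("name_value", "").split("\n"):
            name = name.strip().lower()
            if name:
                yield name


def parse_crtsh(content, domain):
    """Sorted list of in-scope hostnames found in a crt.sh JSON response.

    - splits multi-name records on newlines (crt.sh joins SANs that way)
    - lowercases, so "API.Example.com" and "api.example.com" merge
    - drops the "*." marker but keeps the base the wildcard applies to
    - keeps only the domain itself or names ending in ".<domain>", so a lookalike
      such as "evil.example.com.attacker.test" is rejected rather than added to scope
    """
    domain = domain.lower().strip(".")
    found = set()
    for name in _names(content):
        if name.startswith("*."):
            name = name[2:]
        if name == domain or name.endswith("." + domain):
            found.add(name)
    return sorted(found)


def wildcard_bases(content):
    """Bases that appeared as wildcard certificate entries. A wildcard cert means the
    hosts behind it are not individually listed in CT, so the crt.sh inventory is
    incomplete there and another source is needed for those names."""
    return sorted({n[2:] for n in _names(content) if n.startswith("*.")})


if __name__ == "__main__":
    print(parse_crtsh(SAMPLE_CRTSH_JSON, "example.com"))
    print(wildcard_bases(SAMPLE_CRTSH_JSON))
```

Feed the text of a real crt.sh response to parse_crtsh in place of the sample; the scope filter is the part worth keeping, since an asset inventory that trusts substring matches will happily import someone else's domain.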
Directory/File, DNS and VHost busting tool written in Go
Pros of gobuster
- Focused tool for directory/file, DNS, and vhost bruteforcing
- Written in Go, offering better performance and cross-platform compatibility
- Active development with regular updates and community support
Cons of gobuster
- Limited to specific bruteforcing tasks, less versatile than pentest-tools
- Requires Go runtime environment for compilation and execution
- Steeper learning curve for users unfamiliar with Go-based tools
Code comparison
pentest-tools (Python):
import requests

def bruteforce_dir(url, wordlist):
    for word in wordlist:
        full_url = f"{url}/{word}"
        response = requests.get(full_url)
        # only an exact 200 is reported; redirects and 403s are not distinguished
        if response.status_code == 200:
            print(f"Found: {full_url}")
gobuster (Go):
package main

import (
	"fmt"
	"net/http"
)

func bruteforceDir(url string, wordlist []string) {
	for _, word := range wordlist {
		fullURL := fmt.Sprintf("%s/%s", url, word)
		resp, err := http.Get(fullURL)
		if err == nil {
			resp.Body.Close() // release the connection before the next request
			if resp.StatusCode == 200 {
				fmt.Printf("Found: %s\n", fullURL)
			}
		}
	}
}
Both repositories offer valuable tools for penetration testing, but they cater to different needs. pentest-tools provides a diverse set of Python scripts for various pentesting tasks, while gobuster focuses on efficient bruteforcing operations implemented in Go. The choice between them depends on the specific requirements of the penetration testing project and the user's familiarity with the respective programming languages and ecosystems.
Fast web fuzzer written in Go
Pros of ffuf
- Focused tool for web fuzzing with high performance
- Written in Go, offering cross-platform compatibility and easy installation
- Actively maintained with frequent updates and improvements
Cons of ffuf
- Limited to web fuzzing, unlike pentest-tools' broader scope
- Steeper learning curve for users new to fuzzing tools
- Less variety in functionality compared to pentest-tools' diverse script collection
Code Comparison
ffuf (main fuzzing functionality):
for scanner.Scan() {
	if err := ffuf.NewJob(scanner.Text()).RunJob(); err != nil {
		errs <- err
	}
}
pentest-tools (example script):
import socket

def scan_port(ip, port):
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(2)  # without a timeout a filtered port blocks the scan
    result = sock.connect_ex((ip, port))  # 0 means the TCP handshake completed
    sock.close()
    return result == 0
Summary
ffuf is a specialized, high-performance web fuzzing tool written in Go, while pentest-tools is a collection of various penetration testing scripts in Python. ffuf excels in its specific domain but has a narrower focus, whereas pentest-tools offers a broader range of functionalities for different penetration testing tasks. The choice between them depends on the specific needs of the penetration tester and the scope of the assessment.
Fast and customizable vulnerability scanner based on simple YAML based DSL.
Pros of Nuclei
- More comprehensive and actively maintained vulnerability scanner
- Extensive template library for various security checks
- Supports multiple protocols (HTTP, DNS, TCP, etc.)
Cons of Nuclei
- Steeper learning curve due to its more complex architecture
- Requires writing custom templates for specific use cases
Code Comparison
Nuclei (YAML-based template):
id: example-template
info:
  name: Example Template
  severity: info
requests:
  - method: GET
    path:
      - "{{BaseURL}}/example"
pentest-tools (Python script):
import requests

def check_vulnerability(url):
    response = requests.get(url + "/example")
    if "vulnerable" in response.text:
        print("Vulnerability found!")
Key Differences
- Nuclei uses a template-based approach, while pentest-tools consists of individual Python scripts
- Nuclei offers more flexibility and extensibility for various security checks
- pentest-tools provides simpler, standalone tools for specific pentesting tasks
Use Cases
Nuclei:
- Comprehensive vulnerability scanning
- Automated security assessments
- Custom security checks using templates
pentest-tools:
- Quick, targeted pentesting tasks
- Simple script-based approach for specific security checks
- Easier integration into existing Python-based workflows
README
pentest-tools
A collection of custom security tools for quick needs.
Important note
‼ A big clean occurred in 2022-11 ‼
Some useless or non-working scripts have been archived, and others have been moved to their own repositories to get more visibility; feel free to check them out:
- apk-analyzer
- cloudflare-origin-ip
- csp-analyzer
- detectify-cves
- extract-endpoints
- favicon-hashtrick
- google-search
- graphql-introspection-analyzer
- keyhacks.sh
- related-domains
Install
git clone https://github.com/gwen001/pentest-tools
cd pentest-tools
pip3 install -r requirements.txt
arpa.sh
Converts an IP address in arpa format to classical format.
bbhost.sh
Runs the host command on a given hosts list, using parallel to make it fast.
codeshare.php
Performs a string search on codeshare.io.
cors.py
Tests for CORS issues on a given list of hosts.
crlf.py
Tests for CRLF injection issues on a given list of hosts.
crtsh.php
Grabs subdomains of a given domain from crt.sh.
detect-vnc-rdp.sh
Tests if ports 3389 and 5900 are open on a given IP range using netcat.
dnsenum-brute.sh
Performs brute force through a wordlist to find subdomains.
dnsenum-bruten.sh
Performs brute force through numeric variations to find subdomains.
dnsenum-reverse.sh
Applies the reverse DNS method on a given IP range to find subdomains.
dnsenum-reverserange.sh
Same thing, but the IP ranges are read from an input file.
dnsenum-zonetransfer.sh
Tests zone transfer of a given domain.
dnsreq-alltypes.sh
Performs all types of DNS requests for a given (sub)domain.
extract-domains.py
Extracts the domain of a given URL or list of URLs.
extract_links.php
Extracts links from a given HTML file.
filterurls.py
Classifies and displays URLs by vulnerability type.
flash-regexp.sh
Runs the regexps listed in flash-regexp.txt for Flash apps testing purposes.
gdorks.php
Generates Google dorks for a given domain (searches are not performed).
hashall.php
Uses about 40 algorithms to hash a given string.
ip-converter.php
Converts a given IP address to different formats, see Nicolas Grégoire's presentation.
ip-listing.php
Generates a list of IP addresses from the given start to the given end; ranges and masks are supported.
mass_axfr.sh
Mass tests zone transfer on a given list of domains.
mass-smtp-user-enum-bruteforce.sh
Performs SMTP user enumeration on a given list of IP addresses using smtp-user-enum.
mass-smtp-user-enum-check.sh
Tests if SMTP user enumeration is possible on a given list of IP addresses using smtp-user-enum.
myutils.sh
Just a few common Bash functions.
node-uuid.js
Encodes/decodes a UUID using base36.
nrpe.sh
Tests Nagios Remote Plugin Executor Arbitrary Command Execution on a given host using Metasploit.
openredirect.py
Tests for open redirect issues on a given list of hosts.
pass-permut.php
Creates word permutations with different separators and outputs the hashes using about 40 algorithms.
pastebin.php
Performs a string search on pastebin.com.
phantom-xss.js
See xss.py.
ping-sweep-nc.sh
Determines which IPs are alive in a given range of IP addresses using netcat.
ping-sweep-nmap.sh
Determines which IPs are alive in a given range of IP addresses using nmap.
ping-sweep-ping.sh
Determines which IPs are alive in a given range of IP addresses using ping.
portscan-nc.sh
Determines the open ports of a given IP address using netcat.
quick-hits.php
Tests a given list of paths on a given list of hosts.
quickhits.py
Same, but the Python version. Tests a given list of paths on a given list of hosts.
rce.py
Tests for RCE issues on a given list of hosts.
resolve.py
Resolves a given list of hosts to check which ones are alive and which ones are dead.
screensite.sh
Takes screenshots of a given url+port using xvfb.
shodan.php
Performs searches on Shodan using their API.
smuggler.py
Tests for HTTP request smuggling issues on a given list of hosts.
srv_reco.sh
Performs a few very small tests on a given IP address.
ssh-timing-b4-pass.sh
Tries to guess SSH users using a timing attack.
ssrf-generate-ip.php
Generates random IP address:port pairs inside private network ranges for SSRF scans.
subalt.py
Generates subdomain alterations and permutations.
test-ip-wordlist.sh
Brute forces a wordlist on an IP range and port list.
testhttp.php
Tries to determine if a URL (subdomain+port) is a web thing.
testnc.sh
Performs fuzzing on a given IP address+port using netcat.
Utils.php
Just a few common PHP functions.
webdav-bruteforce.sh
Performs brute force on a given URL that uses WebDav, using Davtest.
xss.py
Tests for XSS issues on a given list of hosts using phantomjs.
Feel free to open an issue if you have any problem with the scripts.