Tools Commonly Used in Pen Testing

Pentest Tools

Scanning Tools

  • Nmap: An open source network scanner used for network discovery and auditing. It can discover hosts, scan ports, enumerate services, fingerprint operating systems, and run script-based vulnerability tests.
  • Nikto: An open source web server scanner that searches for potentially harmful files, checks for outdated web server software, and looks for problems that occur with some web server software versions. It is included with Kali Linux.
  • OpenVAS (Open Vulnerability Assessment System): An open source software framework for vulnerability scanning and management.
  • SQLmap: An open source database scanner that searches for and exploits SQL injection flaws. It is included with Kali Linux.
  • Nessus: A proprietary vulnerability scanner developed by Tenable Network Security. Initially open source, it scans for vulnerabilities, misconfigurations, default passwords, and susceptibility to denial of service (DoS) attacks. It can also be used for preparation for PCI DSS audits.

Credential Testing Tools

  • Hashcat: A free password recovery tool that is included with Kali Linux and is available for Linux, OS X, and Windows. It includes a very wide range of hashing algorithms and password cracking methods. Hashcat purports itself to be the fastest recovery tool available.
  • Medusa: A command-line-based free password cracking tool that is often used in brute force password attacks on remote authentication servers. It purports itself to specialize in parallel attacks, with the ability to locally test 2,000 passwords per minute.
  • THC-Hydra: A free network login password cracking tool that is included with Kali Linux. It supports a number of authentication protocols.
  • CeWL: A Ruby app that crawls websites to generate word lists that can be used with password crackers such as John the Ripper. It is included with Kali Linux.
  • John the Ripper: A free password recovery tool available for Linux, 11 versions of Unix, DOS, Win32, BeOS, and OpenVMS. It is included with Kali Linux.
  • Cain and Abel: A free password recovery tool available for Windows that is sometimes classified as malware by some antivirus software.
  • Mimikatz: An open source tool that enables you to view credential information stored on Microsoft Windows computers. It is also included with Kali Linux.
  • Patator: A brute force password cracking tool included with Kali Linux.
  • Dirbuster: A brute force tool included with Kali Linux that exposes directories and file names on web and application servers.
  • W3AF (Web Application Attack and Audit Framework):  A Python tool included in Kali Linux that tries to identify and exploit any web app vulnerabilities.

Debugging Tools

  • OLLYDBG: A reverse-engineering tool included with Kali Linux that analyzes binary code found in 32-bit Windows applications.
  • Immunity debugger: A reverse-engineering tool that includes both command-line and graphical user interfaces and that can load and modify Python scripts during runtime.
  • GDB (GNU Project Debugger):  An open source reverse-engineering tool that works on most Unix and Windows versions, along with macOS.
  • WinDBG (Windows Debugger): A free debugging tool created and distributed by Microsoft for Windows operating systems.
  • IDA (Interactive Disassembler): A reverse-engineering tool that generates source code from machine code for Windows, Mac OS X, and Linux applications.

Software Assurance Tools

  • Findbugs and findsecbugs: FindBugs is an open source static code analyzer or static application security testing (SAST) tool that detects possible bugs in Java programs. FindSecurityBugs is an open source plugin that detects security issues in Java web applications.
  • Peach: Peach Tech offers several dynamic application security testing (DAST) products for pen testing, including Peach API Security, which helps secure web APIs against the OWASP Top 10, and Peach Fuzzer, an automated security testing platform for prevention of zero-day attacks. Within Peach Fuzzer, modular test definitions called Peach Pits enable you to fully customize exploits against test targets.
  • AFL (American fuzzy lop): An open source DAST tool that feeds input to a program to test for bugs and possible security vulnerabilities.
  • SonarQube: An open source SAST platform that continuously inspects code quality to help discover bugs and security vulnerabilities.
  • YASCA (yet another source code analyzer): An open source SAST program that inspects source code for security vulnerabilities, code quality, and performance.


  • Whois: A protocol that queries databases that store registered users or assignees of an Internet resource, such as a domain name.
  • Nslookup: A Windows command-line utility that queries DNS and displays domain names or IP address mappings, depending on the options used.
  • FOCA: (Fingerprinting and Organization with Collected Archives) A network infrastructure mapping tool that analyzes metadata from many file types to enumerate users, folders, software and OS information, and other information.
  • theHarvester: A tool included with Kali Linux that gathers information such as email addresses, subdomains, host names, open ports, and banners from publicly available sources.
  • Shodan: A search engine that returns information about the types of devices connected to the Internet by inspecting the metadata included in service banners.
  • Maltego: A proprietary software tool that assists with gathering open source intelligence (OSINT) and with forensics by analyzing relationships between people, groups, websites, domains, networks, and applications. A community version named Maltego Teeth is included with Kali Linux.
  • Recon-ng: A web reconnaissance tool that is written in Python and is included with Kali Linux. It uses over 80 “modules” to automate OSINT. Some of its features include: search for files, discover hosts/contacts/email addresses, snoop DNS caches, look for VPNs, look up password hashes, and perform geolocation.
  • Censys: A search engine that returns information about the types of devices connected to the Internet.

Wireless Tools

  • Aircrack-ng: A suite of wireless tools, including airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng. Included with Kali Linux, the suite can sniff and attack wireless connections, and crack WEP and WPA/WPA2-PSK keys.
  • Kismet: An 802.11 Layer 2 wireless network detector, sniffer, and intrusion detection system that is included with Kali Linux. It can be used to monitor wireless activity, identify device types, and capture raw packets for later password cracking.
  • WiFite: A wireless auditing tool included with Kali Linux that can attack multiple WEP, WPA, and WPS encrypted networks in a row.
  • WiFi-Pumpkin: A rogue wireless access point and man-in-the-middle tool used to snoop traffic and harvest credentials.

Web Proxy Tools

  • OWASP ZAP (Open Web Application Security Project Zed Attack Proxy): An open source web application security scanner.
  • Burp Suite: An integrated platform included with Kali Linux for testing the security of web applications. Acting as a local proxy, it allows the attacker to capture, analyze, and manipulate HTTP traffic.

Social Engineering Tools

  • SET (Social Engineer Toolkit): An open source pen testing framework included with Kali Linux that supports the use of social engineering to penetrate a network or system.
  • BeEF (Browser Exploitation Framework): A pen testing tool included with Kali Linux that focuses on web browsers and that can be used for XSS and injection attacks against a website.

Remote Access Tools

  • SSH (Secure Shell): A program that enables a user or an application to log on to another device over an encrypted network connection, run commands in a remote machine, and transfer files from one machine to the other.
  • Ncat: An open source command-line tool for reading, writing, redirecting, and encrypting data across a network. Ncat was developed as an improved version of Netcat.
  • Netcat: An open source networking utility for debugging and investigating the network, and that can be used for creating TCP/UDP connections and investigating them.
  • Proxychains: Included with Kali Linux, as well as any other version of Linux, a command-line tool that enables pen testers to mask their identity and/or source IP address by sending messages through intermediary or proxy servers.

Networking Tools

  • Wireshark: An open source network protocol analyzer that is included with Kali Linux. Can be used to sniff many traffic types, re-create entire TCP sessions, and capture copies of files transmitted on the network.
  • hping: A free packet generator and analyzer for TCP/IP networks. Often used for firewall testing and advanced network testing, hping3 is included with Kali Linux.

Mobile Tools

  • Drozer: A security testing framework for Android apps and devices.
  • APKX (Android Package Kit): A Python wrapper for dex converters and Java decompilers that is included in the OWASP Mobile Testing Guide.
  • APX Studio: A cross-platform IDE for reverse engineering Android applications.

Miscellaneous Tools

  • Searchsploit: A tool included in the exploitdb package on Kali Linux that enables you to search the Exploit Database archive.
  • Powersploit: A series of Microsoft PowerShell scripts that pen testers can use in post-exploit scenarios. This tool is included in Kali Linux.
  • Responder: A fake server and relay tool that is included with Kali Linux. It responds to LLMNR, NBT-NS, POP, IMAP, SMTP, and SQL queries in order to possibly recover sensitive information such as user names and passwords.
  • Impacket: A collection of Python classes that provide low-level program access to packets, as well as to protocols and their implementation.
  • Empire (PowerShell Empire): A post-exploitation framework for Windows devices. It allows the attacker to run PowerShell agents without needing powershell.exe. It is commonly used to escalate privileges, launch other modules to capture data and extract passwords, and install persistent backdoors.
  • Metasploit Framework: A command-line-based pen testing framework developed by Rapid 7 that is included with Kali Linux and that enables you to find, exploit, and validate vulnerabilities. Metasploit also has GUI-based commercial and community versions.

Command & Control Servers

Open Source

  • Apfell: cross-platform, post-exploit, red teaming framework built with python3, docker, docker-compose, and a web browser UI.
  • AsyncRat C#: Remote Access Tool designed to remotely monitor and control other computers through a secure encrypted connection.
  • Baby Shark: basic C2 generic server written in Python and Flask.
  • C3: framework that extends other red team tooling, such as the commercial Cobalt Strike (CS) product via ExternalC2, which is supported at release.
  • Caldera: built on the MITRE ATT&CK™ framework and an active research project at MITRE.
  • CHAOS: PoC that allow payloads generation and control remote operating systems
  • Dali: image-based C2 channel which utilizes Imgur to host images and task agents.
  • Empire: post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent
  • Covenant: .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
  • Silent Trinity: post-exploitation agent powered by Python, IronPython, C#/.NET.
  • Faction C2: C2 framework which use websockets based API that allows for interacting with agents and transports.
  • Flying A False Flag
  • FudgeC2: Powershell C2 platform designed to facilitate team collaboration and campaign timelining.
  • Godoh
  • iBombshell
  • HARS: HTTP/S Asynchronous Reverse Shell.
  • Koadic (or COM Command & Control): is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.
  • MacShellSwift
  • Ninja: Open source C2 server created by Purple Team to do stealthy computer and Active directoty enumeration without being detected by SIEM and AVs.
  • NorthStarC2: open-source command and control framework developed for penetration testing and red teaming purposes.
  • EvilOSX: An evil RAT (Remote Administration Tool) for macOS / OS X.
  • Nuages
  • Octopus: open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S.
  • PoshC2: proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement
  • Powerhub: convenient post exploitation tool for PowerShell which aids a pentester in transferring data, in particular code which may get flagged by endpoint protection.
  • Prismatica: modular C2 Interface hooked into the Diagon Command and Control Toolkit.
  • QuasarRAT: fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you.
  • Merlin: cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
  • Sliver: general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS.
  • Throwback
  • Trevor C2: legitimate website (browsable) that tunnels client/server communications for covert command execution.
  • Metasploit Framework: computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development
  • Meterpreter
  • Pupy: opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.
  • PetaQ: malware which is being developed in .NET Core/Framework to use websockets as Command & Control (C2) channels.
  • Pinjectra: C/C++ library that implements Process Injection techniques (with focus on Windows 10 64-bit) in a “mix and match” style.
  • ReverseTCPShell
  • SHAD0W: modular C2 framework designed to use a range of methods to evade EDR and AV.
  • SharpC2
  • Gcat: stealthy Python based backdoor that uses Gmail as a command and control server.
  • DNScat2: tool is designed to create an encrypted command-and-control (C&C) channel over the DNS protocol.
  • EggShell: post exploitation surveillance tool written in Python. It gives you a command line session with extra functionality between you and a target machine.
  • EvilVM
  • Void-RAT: pretty basic RAT written in
  • WEASEL: small in-memory implant using Python 3 with no dependencies.


1 thought on “Tools Commonly Used in Pen Testing

  1. Very nice post. I just stumbled upon your blog and wanted to say that I’ve really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!

Leave a Reply

Your email address will not be published. Required fields are marked *