Top 23 Python Pentesting Projects

• SQLMap

  40 30,560 8.7 Python

  Automatic SQL injection and database takeover tool

  

Project mention: Best Hacking Tools for Beginners 2024 | dev.to | 2024-02-01

sqlmap

• Ciphey

  27 17,000 2.9 Python

  ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡

  

Project mention: CyberChef from GCHQ: The Cyber Swiss Army Knife | news.ycombinator.com | 2024-02-01

I also discovered Ciphey. Neat little tool indeed, but it's being deprecated. It's mentioned in this issue[1] and being replaced with Ares[2]. Neither could decipher this strange encryption[3] I used it on :(

[1] https://github.com/Ciphey/Ciphey/issues/764

[2] https://github.com/bee-san/Ares

[3] "dEFLWWFKQWxRQW16RnkvbTZML0lsdz09" original text is "hacker"

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• spiderfoot

  19 11,723 6.6 Python

  SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.

• owasp-mastg

  22 11,272 8.3 Python

  The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).

  

Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03

• dirsearch

  12 11,213 7.9 Python

  Web path scanner

Project mention: Looking for some help with this Python package | /r/learnpython | 2023-08-19

I am new to Python. With the help of several users (thanks u/Diapolo10 and u/shiftybyte)I've been able to install Python and the dirsearch package. Dirsearch (https://github.com/maurosoria/dirsearch) allows for checking website paths with a wordlist. For example, I have a wordlist file with words like "dog", "cat", "bird", etc and I want to check the validity of those words as extensions on a website. Something like "example.com/bird", "example.com/cat", etc. I have a test wordlist in the same directory as dirsearch, but I am confused on how to proceed with the commands. I want to have it check my wordlist as extensions on the example.com website and then save output on if the webpath is valid or not. Just need a little bit of help.

• hacktricks

  6 8,166 9.7 Python

  Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.

  

Project mention: Where do you look for help when doing ctf | /r/Hacking_Tutorials | 2023-06-08

• pupy

  3 8,129 3.7 Python

  Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• rengine

  4 6,685 9.6 Python

  reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration and with the help of reNgine's correlation, it just makes recon effortless.

Project mention: Any self-host FOSS suites for running phishing testing campaigns? | /r/selfhosted | 2023-05-21

I couldn't find anything named reEngine, but I found reNgine ( https://yogeshojha.github.io/rengine/ ) which I think is what you meant.

• DefaultCreds-cheat-sheet

  2 5,269 7.4 Python

  One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

• androguard

  1 4,933 8.6 Python

  Reverse engineering and pentesting for Android applications

  

• faraday

  8 4,615 5.0 Python

  Open Source Vulnerability Management Platform (by infobyte)

  

• commix

  4 4,327 8.8 Python

  Automated All-in-One OS Command Injection Exploitation Tool.

  

• PhoneSploit-Pro

  1 4,177 6.2 Python

  An all-in-one hacking tool to remotely exploit Android devices using ADB and Metasploit-Framework to get a Meterpreter session.

• drozer

  2 3,610 8.2 Python

  The Leading Security Assessment Framework for Android.

  

• Villain

  2 3,563 7.7 Python

  Villain is a C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities etc) and share them among connected sibling servers (Villain instances running on different machines).

• bbot

  5 3,506 9.9 Python

  A recursive internet scanner for hackers.

  

Project mention: [GitHub Action]: Wrappers for sqlmap, bbot and nikto | /r/cybersecurity | 2023-05-29

Its not that much of a tool than wrappers of few awesome tools that most of you probably know and use today - sqlmap, bbot and nikto.

• pocsuite3

  2 3,496 8.4 Python

  pocsuite3 is an open-sourced remote vulnerability testing framework developed by the Knownsec 404 Team.

  

• Raccoon

  4 2,993 0.0 Python

  A high performance offensive security tool for reconnaissance and vulnerability scanning

• malicious-pdf

  13 2,585 0.0 Python

  💀 Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh

Project mention: Securing PDF Generators Against SSRF Vulnerabilities | /r/netsec | 2023-05-30

Wrote a tool two years ago that does some of the PDF-tests. But more could be added: https://github.com/jonaslejon/malicious-pdf

• slowloris

  3 2,333 2.8 Python

  Low bandwidth DoS tool. Slowloris rewrite in Python.

• blackbird

  7 2,261 3.0 Python

  An OSINT tool to search for accounts by username in social networks. (by p1ngul1n0)

• EvilOSX

  5 2,171 0.0 Python

  An evil RAT (Remote Administration Tool) for macOS / OS X.

• CloudFail

  1 2,120 2.0 Python

  Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network

• SaaSHub

  www.saashub.com sponsored

  SaaSHub - Software Alternatives and Reviews. SaaSHub helps you find the best software and product alternatives

  

Python Pentesting related posts

• SSH-Snake: Automated SSH-Based Network Traversal
  5 projects | news.ycombinator.com | 5 Jan 2024
• Google Play rolls out an "Independent security review" badge for apps
  2 projects | news.ycombinator.com | 3 Nov 2023
• Code from the book “Black Hat Python” refactored and ported to Python 3
  1 project | news.ycombinator.com | 15 Jun 2023
• Where do you look for help when doing ctf
  1 project | /r/Hacking_Tutorials | 8 Jun 2023
• Securing PDF Generators Against SSRF Vulnerabilities
  1 project | /r/netsec | 30 May 2023
• The 36 tools that SaaS can use to keep their product and data safe from criminal hackers (manual research)
  18 projects | /r/SaaS | 22 May 2023
• web2shell - Automate converting webshells into reverse shells
  1 project | /r/opensourcesecurity | 16 May 2023
• A note from our sponsor - WorkOS
  workos.com | 25 Apr 2024

  The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

Do not miss the trending Python projects with our weekly report!