Top 23 Python Pentesting Projects
- Ciphey: ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡
- owasp-mastg: The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
- hacktricks: Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.
- pupy: Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C
- rengine: reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous monitoring, backed by a database, and simple yet intuitive User Interface. reNgine makes it easy for penetration testers to gather reconnaissance with minimal configuration and with the help of reNgine's correlation, it just makes recon effortless.
- DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
- PhoneSploit-Pro: An all-in-one hacking tool to remotely exploit Android devices using ADB and Metasploit-Framework to get a Meterpreter session.
- Villain: Villain is a C2 framework that can handle multiple TCP socket & HoaxShell-based reverse shells, enhance their functionality with additional features (commands, utilities etc) and share them among connected sibling servers (Villain instances running on different machines).
- pocsuite3: pocsuite3 is an open-sourced remote vulnerability testing framework developed by the Knownsec 404 Team.
- malicious-pdf: 💀 Generate a bunch of malicious pdf files with phone-home functionality. Can be used with Burp Collaborator or Interact.sh
- CloudFail: Utilize misconfigured DNS and old database records to find hidden IP's behind the CloudFlare network
sqlmap
Project mention: CyberChef from GCHQ: The Cyber Swiss Army Knife | news.ycombinator.com | 2024-02-01
I also discovered Ciphey. Neat little tool indeed, but it's being deprecated. It's mentioned in this issue[1] and being replaced with Ares[2]. Neither could decipher this strange encryption[3] I used it on :(
[1] https://github.com/Ciphey/Ciphey/issues/764
[2] https://github.com/bee-san/Ares
[3] "dEFLWWFKQWxRQW16RnkvbTZML0lsdz09" original text is "hacker"
Project mention: More ways to identify independently security tested apps on Google Play | news.ycombinator.com | 2023-11-03
I am new to Python. With the help of several users (thanks u/Diapolo10 and u/shiftybyte) I've been able to install Python and the dirsearch package. Dirsearch (https://github.com/maurosoria/dirsearch) allows for checking website paths with a wordlist. For example, I have a wordlist file with words like "dog", "cat", "bird", etc and I want to check the validity of those words as extensions on a website. Something like "example.com/bird", "example.com/cat", etc. I have a test wordlist in the same directory as dirsearch, but I am confused on how to proceed with the commands. I want to have it check my wordlist as extensions on the example.com website and then save output on if the webpath is valid or not. Just need a little bit of help.
Project mention: Any self-host FOSS suites for running phishing testing campaigns? | /r/selfhosted | 2023-05-21
I couldn't find anything named reEngine, but I found reNgine ( https://yogeshojha.github.io/rengine/ ) which I think is what you meant.
Project mention: [GitHub Action]: Wrappers for sqlmap, bbot and nikto | /r/cybersecurity | 2023-05-29
It's not that much of a tool than wrappers of few awesome tools that most of you probably know and use today - sqlmap, bbot and nikto.
Wrote a tool two years ago that does some of the PDF-tests. But more could be added: https://github.com/jonaslejon/malicious-pdf
Python Pentesting related posts
- SSH-Snake: Automated SSH-Based Network Traversal
- Google Play rolls out an "Independent security review" badge for apps
- Code from the book “Black Hat Python” refactored and ported to Python 3
- Where do you look for help when doing ctf
- Securing PDF Generators Against SSRF Vulnerabilities
- The 36 tools that SaaS can use to keep their product and data safe from criminal hackers (manual research)
- web2shell - Automate converting webshells into reverse shells
Index
What are some of the best open-source Pentesting projects in Python? This list will help you:
# | Project | Stars |
---|---|---|
1 | SQLMap | 30,560 |
2 | Ciphey | 17,000 |
3 | spiderfoot | 11,723 |
4 | owasp-mastg | 11,272 |
5 | dirsearch | 11,213 |
6 | hacktricks | 8,166 |
7 | pupy | 8,129 |
8 | rengine | 6,685 |
9 | DefaultCreds-cheat-sheet | 5,269 |
10 | androguard | 4,933 |
11 | faraday | 4,615 |
12 | commix | 4,327 |
13 | PhoneSploit-Pro | 4,177 |
14 | drozer | 3,610 |
15 | Villain | 3,563 |
16 | bbot | 3,506 |
17 | pocsuite3 | 3,496 |
18 | Raccoon | 2,993 |
19 | malicious-pdf | 2,585 |
20 | slowloris | 2,333 |
21 | blackbird | 2,261 |
22 | EvilOSX | 2,171 |
23 | CloudFail | 2,120 |