| No. | Types of Pentesting | No. | Directory Name |
|---|---|---|---|
| 1 | Web Application Security | 11 | Active Directory Security |
| 2 | API Security | 12 | Infrastructure Security |
| 3 | Mobile Application Security | 13 | Threat Modeling |
| 4 | Thick Client Application Security | 14 | IoT Security |
| 5 | Source Code Review | 15 | OSINT (Open Source Intelligence) |
| 6 | Network Security | 16 | Blockchain Security |
| 7 | Wi-Fi Security | 17 | CI/CD Pipeline Security |
| 8 | Cloud Security | 18 | Docker Container Security |
| 9 | DevSecOps | 19 | Phishing Penetration Testing |
| 10 | Configuration Review | 20 | Forensic Analysis |
| No. | Types of Pentesting | Description |
|---|---|---|
| 1 | Web Application Security | Assess and secure web applications for vulnerabilities. |
| 2 | API Security | Test and enhance the security of APIs and microservices. |
| 3 | Mobile Application Security | Evaluate the security of mobile apps and devices. |
| 4 | Thick Client Application Security | Assess thick client applications for security issues. |
| 5 | Source Code Review | Analyze source code to identify and rectify vulnerabilities. |
| 6 | Network Security | Secure networks by identifying and addressing weaknesses. |
| 7 | Wi-Fi Network Security | Evaluate the security of Wi-Fi networks and access points. |
| 8 | Cloud Security | Assess the security of cloud-based systems and services. |
| 9 | Active Directory Security | Evaluate the security of Active Directory environments. |
| 10 | Infrastructure Security | Secure the underlying IT infrastructure and assets. |
| 11 | Threat Modeling | Model and assess threats to enhance system security. |
| 12 | IoT Security | Identify and mitigate vulnerabilities in IoT devices. |
| 13 | OSINT (Open Source Intelligence) | Gather intelligence from open sources for security analysis. |
| 14 | Blockchain Security | Assess blockchain systems for security and compliance. |
| 15 | CI/CD Pipeline Security | Evaluate the security of continuous integration pipelines. |
| 16 | Docker Container Security | Secure Docker containers and containerized applications. |
| 17 | DevSecOps | Integrate security practices throughout the DevOps lifecycle. |
| 18 | Phishing Penetration Testing | Simulate and analyze phishing attacks for awareness training. |
| 19 | Configuration Review | Examine and verify system configurations for security issues. |
| 20 | Forensic Analysis | Investigate and analyze digital evidence post-incident. |
| Category | Tools |
|---|---|
| Web Application Pentesting | Burp Suite Pro 🌐, Acunetix 🌐, HCL-AppScan 🌐, Invicti Netsparker 🌐, Fortify WebInspect 🌐, WPScan 🌐, Nikto 🌐, Nuclei 🌐, SQLMap 🌐, OWASP ZAP 🌐, Nmap 🌐, Dirb 🌐, FFUF 🌐, WhatWeb 🌐 |
| Android Security | MobSF 📱, Frida 📱, APKTool 📱, JADX-gui 📱, Android Studio/Genymotion 📱, Drozer 📱, Magisk Root 📱, Xposed Framework 📱, APKX 📱, mitmproxy 📱, Objection 📱, adb 📱, AndroBugs 📱, Quark Engine 📱, AppMon 📱, ApkScan 📱 |
| iOS Security | MobSF 📲, Frida 📲, Objection 📲, Chakar1n 📲, palera1n 📲, Cycript 📲, iOS Hook 📲, Needle 📲, Class-dump 📲, SSL Kill Switch 2 📲, iMazing 📲, Passionfruit 📲, ios-decrypt 📲 |
| API Pentesting | Postman 📡, Burp Suite Pro 📡, Swagger UI 📡, Kite Runner 📡, Insomnia 📡, GraphQL Voyager 📡, GraphQL Raider 📡 |
| Secure Code Review | SonarQube 🔐, Snyk 🔐, Semgrep 🔐, Fortify-Workbench Audit 🔐, Checkmarx 🔐, Veracode 🔐, CodeQL 🔐, Bandit 🔐, FindSecBugs 🔐, Gitleaks 🔐 |
| Thick Client Pentesting | Fiddler 💻, Sysinternals Suite 💻, dnSpy 💻, de4dot 💻, IDA Pro 💻, Process Explorer 💻, CFF Explorer 💻, OllyDbg 💻, x64dbg 💻, Ghidra 💻, Burp Suite Pro 💻, Wireshark 💻 |
| Network Pentesting | Nmap 🌐, Wireshark 🌐, Metasploit 🌐, Nessus 🌐, OpenVAS 🌐, Responder 🌐, CrackMapExec 🌐, Netcat 🌐, Bettercap 🌐 |
| Category | Tools |
|---|---|
| Active Directory Pentesting | BloodHound 🏢, Mimikatz 🔑, CrackMapExec 🏢, Impacket 📂, Kerbrute 🎭, Rubeus 🔓, LDAPDomainDump 📜, SharpHound 🕵️, PowerView 👀, ADRecon 📊 |
| Cloud Security | Prowler ☁️, ScoutSuite ☁️, CloudSploit ☁️, Pacu ☁️, Steampipe ☁️, CloudMapper ☁️, NCC Scout ☁️, kube-bench ☁️, Terrascan ☁️, KICS ☁️ |
| IoT Security | Firmwalker 🔌, Binwalk 🔌, Firmware-Mod-Kit 🔌, Shodan 🔌, RIOT 🔌, JTAGulator 🔌, Qiling 🔌, Ghidra 🔌, Avatar2 🔌, Firmadyne 🔌 |
| Firewall Pentesting | hping3 🔥, NPing 🔥, Scapy 🔥, Zmap 🔥, firewalk 🔥, FTester 🔥, Nmap (Firewall Bypass) 🔥, Packet Sender 🔥, T50 🔥, ETTERCAP 🔥, TCPReplay 🔥 |
| Firmware Analysis | Binwalk 🔍, Firmware Analysis Toolkit (FAT) 🔍, QEMU 🔍, Ghidra 🔍, IDA Pro 🔍, Firmware-Mod-Kit 🔍, Radare2 🔍, Firmadyne 🔍 |
| Container Security | Trivy 🐳, Aqua Microscanner 🐳, Clair 🐳, Anchore 🐳, Docker Bench 🐳, kube-hunter 🐳, Falco 🐳, Sysdig 🐳, Snyk 🐳, Grype 🐳 |
| WiFi Pentesting | Aircrack-ng 📶, Kismet 📶, Bettercap 📶, Reaver 📶, Fluxion 📶, Wireshark 📶, hcxtools 📶, Fern WiFi Cracker 📶, Wifiphisher 📶, Hashcat 📶 |
| DevSecOps | GitHub Advanced Security 🔧, Trivy 🔧, Snyk 🔧, Anchore 🔧, OWASP DC 🔧, Jenkins 🔧, Checkmarx 🔧, Veracode 🔧, Dagda 🔧, Sysdig Secure 🔧, Cloud Custodian 🔧, Bridgecrew 🔧, Kubescape 🔧 |
| OSINT | theHarvester 🕵️, Maltego 🕵️, SpiderFoot 🕵️, Recon-ng 🕵️, Shodan 🕵️, FOCA 🕵️, Google Dorks 🕵️, OSINT Framework 🕵️, GHunt 🕵️, Sherlock 🕵️, PhoneInfoga 🕵️ |
| Configuration Review | Lynis ⚙️, OpenSCAP ⚙️, Auditd ⚙️, Tripwire ⚙️, cis-cat Pro ⚙️, Chef InSpec ⚙️, Prowler ⚙️, Kubescape ⚙️ |
| Phishing Simulation | GoPhish 🎯, SET 🎯, Evilginx2 🎯, Phishery 🎯, King Phisher 🎯, Modlishka 🎯, Phishing Frenzy 🎯 |
| Forensics | Autopsy 🔍, Volatility 🔍, Sleuth Kit 🔍, FTK Imager 🔍, Redline 🔍, Magnet AXIOM 🔍, X-Ways 🔍, Bulk Extractor 🔍, ExifTool 🔍 |
| Blockchain Security | Mythril ⛓️, Slither ⛓️, Manticore ⛓️, Remix IDE ⛓️, Oyente ⛓️, SmartCheck ⛓️, Echidna ⛓️, Tenderly ⛓️ |
| Threat Modeling | Microsoft TMT 🧠, OWASP Threat Dragon 🧠, IriusRisk 🧠, SeaSponge 🧠, Draw.io 🧠, Pytm 🧠 |
| Red Team Tools | Cobalt Strike 💣, Sliver 💣, Mythic 💣, Empire 💣, Metasploit 💣, Brute Ratel 💣, Koadic 💣, FudgeC2 💣, Nishang 💣, PowerShell Empire 💣 |
| Blue Team Tools | Velociraptor 🛡️, Wazuh 🛡️, OSQuery 🛡️, GRR 🛡️, Sysmon 🛡️, CrowdStrike Falcon 🛡️, Elastic Security 🛡️, Sigma Rules 🛡️ |
| SIEM & Log Analysis | Splunk 📊, ELK Stack 📊, Graylog 📊, Wazuh 📊, AlienVault OSSIM 📊, SIEMonster 📊 |
| Password Cracking | Hashcat 🔓, John the Ripper 🔓, Hydra 🔓, CrackStation 🔓, Cain & Abel 🔓, Medusa 🔓, THC-Hydra 🔓 |
| Reverse Engineering | Ghidra 🧬, IDA Pro 🧬, x64dbg 🧬, OllyDbg 🧬, Binary Ninja 🧬, Radare2 🧬, Cutter 🧬 |
| Hardware Hacking | ChipWhisperer 🔌, Saleae Logic 🔌, OpenOCD 🔌, JTAGulator 🔌, Bus Pirate 🔌, Flashrom 🔌, Arduino 🔌, Raspberry Pi 🔌, RTL-SDR 🔌 |
| Social Engineering | SET 🎭, BeEF 🎭, King Phisher 🎭, Evilginx 🎭, MSF Social Engineering Toolkit 🎭, Psychological Frameworks (Pretexting, Elicitation) 🎭 |
| SCADA/ICS Security | Snort ⚙️, Wireshark ⚙️, ModScan ⚙️, ModbusPal ⚙️, Scadafence ⚙️, OpenPLC ⚙️, GasPot ⚙️, Conpot ⚙️, PLCScan ⚙️ |
| Social Engineering (Extended) | SET 🎭, BeEF 🎭, King Phisher 🎭, Modlishka 🎭, Evilginx2 🎭, EyeWitness 🎭, PhishToolkit 🎭, PhishX 🎭 |
| Supply Chain Security | Snyk 🛠️, OWASP Dependency-Check 🛠️, Trivy 🛠️, Syft 🛠️, Grype 🛠️, CycloneDX 🛠️, Whitesource 🛠️, Anchore Engine 🛠️ |
| Email Security Testing | GoPhish 📧, Modlishka 📧, SMTPTester 📧, MailSniper 📧, Evilginx2 📧, Phish5 📧, Email Header Analyzer 📧 |
| Mobile Malware Analysis | APKTool 🐛, MobSF 🐛, Jadx 🐛, Frida 🐛, VirusTotal Mobile 🐛, Droidbox 🐛, Bytecode Viewer 🐛, Drozer 🐛, Quark-Engine 🐛 |
| AI/ML Security | Adversarial Robustness Toolbox (ART) 🤖, TextAttack 🤖, Foolbox 🤖, IBM AI Explainability 360 🤖, CleverHans 🤖, Alibi Detect 🤖, SecML 🤖, DeepExploit 🤖 |
| Security Automation / SOAR | StackStorm 🤖, Cortex XSOAR 🤖, Shuffle 🤖, DFIR-IR-Playbook 🤖, Phantom Cyber 🤖, Tines 🤖 |
| Bug Bounty Toolkit | Amass 🪲, Sublist3r 🪲, Nuclei 🪲, HTTPX 🪲, Naabu 🪲, FFUF 🪲, GF 🪲, Dalfox 🪲, Kiterunner 🪲, Hakrawler 🪲, JSParser 🪲, ParamSpider 🪲 |
| Credential Dumping & Cracking | LaZagne 🔐, Mimikatz 🔐, Hashcat 🔐, JohnTheRipper 🔐, Windows Credential Editor 🔐, CrackMapExec 🔐, GetNPUsers.py 🔐 |
| Payload Generation | MSFVenom 💉, Unicorn 💉, Shellter 💉, Veil 💉, Nishang 💉, Empire 💉, Obfuscation.io 💉, Metasploit 💉, Donut 💉 |
| Honeypots / Deception | Cowrie 🐝, Dionaea 🐝, Kippo 🐝, Honeyd 🐝, T-Pot 🐝, Conpot 🐝, Canarytokens 🐝, Artillery 🐝 |
| MacOS Security | KnockKnock 🍏, BlockBlock 🍏, OSXCollector 🍏, Objective-See Suite 🍏, MacMonitor 🍏, Little Snitch 🍏, Dylib Hijack Scanner 🍏 |
| SIEM/Log Analysis (More) | Logstash 📊, Fluentd 📊, Loki 📊, Graylog 📊, Falco 📊, Humio 📊, Kibana 📊, Loggly 📊, Logz.io 📊 |
| Windows Post-Exploitation | PowerView 🪟, Seatbelt 🪟, SharpUp 🪟, WinPEAS 🪟, Sherlock 🪟, Empire 🪟, FireEye Red Team Tools 🪟, SharpHound 🪟 |
| Linux Post-Exploitation | LinPEAS 🐧, Linux Exploit Suggester 🐧, pspy 🐧, Chkrootkit 🐧, rkhunter 🐧, bashark 🐧, GTFOBins 🐧, Sudomy 🐧 |
| Browser Security Testing | BeEF 🌐, XSStrike 🌐, XSSer 🌐, Burp Collaborator 🌐, NoScript 🌐, Ublock Origin 🌐, Chrome Developer Tools 🌐 |
I appreciate your interest in contributing! please read Contribution Guidelines.
A heartfelt thank you to these amazing individuals for their contributions to this project. You can view emoji key to see the various ways you can contribute!
 Marko Živanović 🔧 |
 Madhurendra kumar 💻 |
 0xanon 💻 |
 InfoBugs 💻 |
 Ratnesh kumar 💻 |
 Chandrabhushan Kumar 💻 |
 Satya Prakash 💻 👀 |
 Wei Lin 🌍 |
