Hacking Tools

Tools and hackers: these days it seems like you can’t have one without the other. We can all agree that tools make repetitive tasks simpler and more efficient. They let us focus on the interesting part of our jobs, and that is finding vulnerabilities in complex processes!

It’s often really difficult to get a good index of which tools are useful in which situation. The following list was created to help you with that!

📜 Overview

🧰 Tool index

🔎 Active Reconnaissance

Reconnaissance is the act of discovering and collecting information on a target. This information can consist of subdomains, endpoints, machines, IP ranges and mobile applications, but also employees, user account information and more. Active reconnaissance sends traffic to the target itself, in contrast to the passive techniques covered further down.

FFuF

If you’ve never heard of FFuF, get ready to have your mind blown. This fast web fuzzer lets you fuzz any position in an HTTP request (paths, parameters, headers, virtual hosts) of any web application in no time!

Check out our video on FFuF below or follow this link to visit the written article.

GoBuster

GoBuster is an active content enumeration tool that specialises in directory enumeration, but is not limited to that. It also includes modes to scan for DNS subdomains, S3 buckets, vhosts and even general fuzzing.

Check out our video on GoBuster below or follow this link to visit the written article.

GoSpider

Spidering is the act of recursively crawling a website, following every link it finds to discover endpoints, and the tool to do that with is GoSpider. It makes endpoint reconnaissance simple and easy!

Check out our video on GoSpider below or follow this link to visit the written article.

Arjun

HTTP parameters in GET and POST requests can be hard to enumerate, BUT Arjun makes this simple! By packing many candidate names into each request and only narrowing down the batches that change the response, it can test over 25,000 parameter names in just 30 requests!

Check out our video on Arjun below or follow this link to visit the written article.
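To make the "thousands of names in a few dozen requests" claim concrete, here is an added example (written for this page, not Arjun's own code) of the batching-and-bisection idea behind it. The target, the wordlist and the two hidden parameter names (`debug`, `redirect_url`) are all constructed in memory; a real tool also compares response length, reflection and status code rather than plain body equality.

```python
# Added example (not Arjun's own code): the batching-and-bisection idea behind
# fast hidden-parameter discovery, run against a constructed in-memory target.

# Constructed target: accepts two undocumented query parameters and changes its
# response only when one of them is present. Real tools compare more than raw
# body equality (length, reflection, status code); equality keeps the demo short.
HIDDEN_PARAMS = {"debug", "redirect_url"}


def fake_request(params):
    """Stand-in for an HTTP GET; returns (status, body). Not a real request."""
    body = "<html><body>Welcome</body></html>"
    if "debug" in params:
        body += "<!-- debug mode: on -->"
    if "redirect_url" in params:
        body += '<a href="%s">continue</a>' % params["redirect_url"]
    return 200, body


def find_params(request, wordlist, chunk_size=256):
    """Return (discovered parameter names, number of requests sent).

    Every candidate name in a chunk goes into one request. If the response
    matches the baseline, the whole chunk is discarded at once; otherwise the
    chunk is split in half and each half is retried. That is why thousands of
    names cost only dozens of requests.
    """
    base = request({})
    requests_sent = 1
    found = []
    pending = [wordlist[i:i + chunk_size] for i in range(0, len(wordlist), chunk_size)]
    while pending:
        chunk = pending.pop()
        requests_sent += 1
        if request({name: "x" for name in chunk}) == base:
            continue                      # nothing in this chunk affects the page
        if len(chunk) == 1:
            found.append(chunk[0])        # narrowed down to a single live parameter
            continue
        mid = len(chunk) // 2
        pending.append(chunk[:mid])
        pending.append(chunk[mid:])
    return sorted(found), requests_sent


# Constructed wordlist: 2000 junk names with the two real ones hidden inside.
WORDLIST = ["p%d" % i for i in range(2000)]
WORDLIST[137] = "debug"
WORDLIST[1620] = "redirect_url"

if __name__ == "__main__":
    names, sent = find_params(fake_request, WORDLIST)
    print("found %s using %d requests for %d candidates" % (names, sent, len(WORDLIST)))
```

With 2000 candidates split into 256-name chunks, the search finishes in 41 requests: one baseline, eight chunk probes, and sixteen bisection steps per live parameter. Chunks that cause no change are never looked at again, which is where the savings come from.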

KiteRunner

APIs are everywhere and they can yield some great vulnerabilities. However, because of how their routes are structured, basic directory brute-forcing techniques are terribly ineffective against them. KiteRunner attempts to solve that!

Check out our video on KiteRunner below or follow this link to visit the written article.

ReNgine

Want a tool that can seemingly do everything? ReNgine is the tool for you! It can automate the entire recon process and help you organize all your assets.

Check out our video on ReNgine below or follow this link to visit the written article.

👓 Passive Reconnaissance

Passive reconnaissance is the act of finding information on a target without actively connecting to it. The power of this kind of reconnaissance comes from the fact that the target often has no clue that someone is gathering information on them!

Waybackurls

Waybackurls queries the Wayback Machine (the Internet Archive’s history of crawled websites) and returns every URL it has archived for a domain. Those URLs can expose API endpoints, credentials in query strings, forgotten subdomains and much more!

Check out our video on Waybackurls below or follow this link to visit the written article.
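Waybackurls only prints URLs; the value is in what you do with the list afterwards. The following is an added example (not part of the waybackurls project) of triaging such output: collecting the subdomains it mentions, de-duplicating API endpoints, and flagging query parameters whose names suggest leaked credentials. The sample URLs are constructed to resemble the tool's output and are not real archive data; the sensitive-parameter pattern is a starting point you would extend.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Added example (not the waybackurls project's code): triaging the URL list such
# a tool prints. The sample below is constructed to look like that output; it is
# not real archive data.
SAMPLE_URLS = """\
https://example.com/
https://www.example.com/login?next=/account
https://api.example.com/v1/users?api_key=AKIAEXAMPLE123
https://api.example.com/v1/users/42
https://api.example.com/v1/users/43?page=2
https://staging.example.com/debug?token=abc123
https://example.com/static/app.js
https://example.com/search?q=test
http://old.example.com/export.php?password=hunter2&user=admin
https://api.example.com/v2/orders?page=2
"""

# Parameter names worth a second look; extend for the target you are working on.
SENSITIVE = re.compile(r"(token|key|secret|passw|pwd|auth|session|sig|jwt)", re.I)
# Paths that look like API routes even when the host is not api.<domain>.
API_HINT = re.compile(r"^/(api|v\d+|graphql|rest)(/|$)", re.I)


def normalise_path(path):
    """Collapse numeric identifiers so /v1/users/42 and /v1/users/43 count once."""
    return re.sub(r"/\d+(?=/|$)", "/{id}", path) or "/"


def triage(urls_text):
    """Return subdomains, de-duplicated API endpoints and suspicious parameters."""
    subdomains, api_endpoints, leaks = set(), set(), []
    for line in urls_text.splitlines():
        line = line.strip()
        if not line:
            continue
        u = urlsplit(line)
        if not u.hostname:
            continue
        subdomains.add(u.hostname)
        path = normalise_path(u.path)
        if u.hostname.startswith("api.") or API_HINT.match(path):
            api_endpoints.add(u.hostname + path)
        for name, value in parse_qsl(u.query, keep_blank_values=True):
            if SENSITIVE.search(name):
                leaks.append({"url": line, "param": name, "value": value})
    return {
        "subdomains": sorted(subdomains),
        "api_endpoints": sorted(api_endpoints),
        "leaks": leaks,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_URLS)
    for key in ("subdomains", "api_endpoints"):
        print(key + ":")
        for item in result[key]:
            print("  " + item)
    print("possible credential leaks:")
    for leak in result["leaks"]:
        print("  %s=%s in %s" % (leak["param"], leak["value"], leak["url"]))
```

On real output, pipe `waybackurls example.com` into a file and pass its contents to `triage`. A value found this way may be long expired, but an archived key or password still tells you the parameter exists and that secrets once travelled in the URL, which is worth reporting on its own.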

🐜 Vulnerability Exploitation

This range of tools will help you find, and more particularly, exploit some crazy vulnerabilities! Buckle up because these are the tools you are going to want to know about!

NoSQLMap

This tool is for you if you’ve ever scratched your head at the sight of a MongoDB or any other NoSQL database. Why do the heavy lifting when NoSQLMap can do that for you!

Check out our video on NoSQLMap below or follow this link to visit the written article.

CRLFuzz

CRLF injections have been around for decades but can still result in some interesting bugs. They’re hard to find though! Let’s see how CRLFuzz can help us with that!

Check out our video on CRLFuzz below or follow this link to visit the written article.
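To show what CRLFuzz is actually looking for, here is an added example (written for this page, not CRLFuzz's code): a constructed redirect handler that writes user input straight into a response header, a hardened version that rejects CR and LF, and a detector that works the way CRLF fuzzers do: send a payload carrying a canary header and check whether the canary comes back as a header line of its own. The header name `X-Crlf-Canary` and the handlers are hypothetical.

```python
import re
from urllib.parse import unquote

# Added example (not CRLFuzz's code): a constructed redirect handler vulnerable
# to CRLF injection, a hardened version, and a small detector in the style of
# CRLF fuzzers: send a payload carrying a canary header, then look for that
# header as a separate line in the response.


def build_redirect(next_url):
    """Build a raw 302 response whose Location header contains next_url."""
    return ("HTTP/1.1 302 Found\r\n"
            "Location: " + next_url + "\r\n"
            "Content-Length: 0\r\n"
            "\r\n")


def vulnerable_redirect(next_url):
    """BAD: the user-controlled value is concatenated into a header line unchecked."""
    return build_redirect(next_url)


def hardened_redirect(next_url):
    """GOOD: reject any value that contains a CR or LF instead of writing it out."""
    if "\r" in next_url or "\n" in next_url:
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    return build_redirect(next_url)


def parse_response(raw):
    """Split a raw HTTP response into (status line, [(header-name, value), ...]).

    Lines are split on a bare LF as well as CRLF because many servers and
    proxies accept both, which is exactly what makes %0a-only payloads work.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = re.split(r"\r?\n", head)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


CANARY = "X-Crlf-Canary"   # hypothetical header name used as the marker
PAYLOADS = [                # URL-encoded, as they would appear in a query string
    "/%0d%0a" + CANARY + ":%20injected",
    "/%0a" + CANARY + ":%20injected",
    "/%0d" + CANARY + ":%20injected",
]


def detect_crlf(handler):
    """Return the first payload whose canary shows up as its own header, else None."""
    for payload in PAYLOADS:
        status, headers = parse_response(handler(unquote(payload)))
        if (CANARY.lower(), "injected") in headers:
            return payload
    return None


if __name__ == "__main__":
    print("vulnerable handler:", detect_crlf(vulnerable_redirect))
    print("hardened handler:  ", detect_crlf(hardened_redirect))
```

The detector reports the payload that worked rather than just a yes/no, because the encoding that gets through (full `%0d%0a`, bare `%0a`, or something more exotic) tells you what the server's header handling does and what a real exploit, such as an injected `Set-Cookie` or a response split, would have to look like.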

🐛 Vulnerability Scanning

These days, there are millions of public vulnerabilities out there. This makes it incredibly difficult for blue teams to protect everything, but also makes it hard for bug bounty hunters to uncover every vulnerability. Luckily, some incredible vulnerability scanners have appeared in the past couple of years that can make our lives easier. Take note that adhering to the scope and rate limiting rules of the program is very important with these scanners.

Nuclei

Nuclei is a template-based scanning engine. You can easily define your own templates describing a vulnerability check, while the project maintains a large repository of community-made templates.

Check out our video on Nuclei below or follow this link to visit the written article.

XSSHunter

XSSHunter is a web application you can host yourself or use as a hosted service. It gives you a set of blind XSS payloads to place around in the wild and alerts you once one of them fires, even on a back-office page you never get to see yourself! Intrigued? Keep reading/watching!

Check out our video on XSSHunter below or follow this link to visit the written article.

Dalfox

XSS is one of the most common vulnerabilities, but how do you effectively scan thousands of pages for XSS? Dalfox could provide us an answer to that question!

Check out our video on Dalfox below or follow this link to visit the written article.

WPScan

Ever seen a WordPress page? Of course you have, they’re everywhere! Want to hack them? WPScan is a must have!

Check out our video on WPScan below or follow this link to visit the written article.

📚 Organisation

Bug bounty experts handle a lot of data: tons of endpoints, subdomains, you name it. This is why all the great bug bounty hunters have an organisation methodology that is at least as thorough as their hunting methodology. The tools covered below can help you organise that hot mess of data!

Aquatone

This tool takes a list of hosts and outputs a nice HTML report with screenshots of all your targets. It groups visually similar pages together, so you can easily spot shared code bases and, most importantly, which targets are interesting to hunt on next!

Check out our video on Aquatone below or follow this link to visit the written article.

Eyewitness

This tool will take a bunch of URLs and take screenshots of them all. You’ll then get a nice overview categorizing all the endpoints for you. This way you can quickly prioritize what to check first!

Check out our video on Eyewitness below or follow this link to visit the written article.

ReNgine

ReNgine, already covered under active reconnaissance above, also earns a place here: besides automating the entire recon process, it stores and organises all the assets it discovers in one place.

Check out our video on ReNgine below or follow this link to visit the written article.

🌊 Data analysis

As ethical hackers, we often come across data streams that we can’t identify or find any logic in. The tools discussed below can help you find out what in the world you are looking at!

CyberChef

CyberChef is the Swiss army knife when it comes to handling data. Using its convenient recipes, you can create yourself a set of actions that decode strings, carve out files, make HTTP requests and more. This tool is a must have in every bug bounty experts’ toolbox!

Check out our video on CyberChef below or follow this link to visit the written article.

Ciphey

Ever seen a hash, cookie, value, string or anything else and wondered: hmm, what could that be? Wonder no more, because Ciphey is here! This little tool identifies the encoding or cipher and decodes it for you, answering the age-old question of “What am I looking at?”.

Check out our video on Ciphey below or follow this link to visit the written article.

🔐 Cryptography

This area is commonly disregarded by a lot of bug bounty hunters but can yield some very interesting results. Cryptographic issues can often have many consequences leading to high severity vulnerabilities.

JWT_Tool

JWT_Tool is a tool that was created to do one thing, and to do that one thing really well. As the name implies, it is your one-stop shop for anything JWT related: decoding tokens, tampering with claims, and testing the classic weaknesses such as “alg”: “none”, weak HMAC secrets and algorithm confusion.

Check out our video on JWT_Tool below or follow this link to visit the written article.
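One of the checks JWT_Tool automates is the “alg”: “none” attack. The following is an added example (written for this page, not jwt_tool’s code) that forges such a token from a legitimately signed one and contrasts a verifier that trusts the token's header with one that pins the algorithm server-side. The secret and the claims are constructed; only the Python standard library is used.

```python
import base64
import hashlib
import hmac
import json
import time

# Added example (not jwt_tool's code): forging an "alg": "none" token and the
# difference between a verifier that trusts the token's header and one that
# pins the algorithm server-side. Uses only the standard library.

SECRET = b"constructed-demo-secret"          # constructed; never hard-code real keys
FAR_FUTURE = 4102444800                      # 2100-01-01, keeps the demo token valid


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj):
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims, key):
    """Issue a properly signed HS256 token."""
    signing_input = _segment({"alg": "HS256", "typ": "JWT"}) + "." + _segment(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(token, **overrides):
    """Attacker side: copy the claims, change some, set alg=none, drop the signature."""
    claims = json.loads(b64url_decode(token.split(".")[1]))
    claims.update(overrides)
    return _segment({"alg": "none", "typ": "JWT"}) + "." + _segment(claims) + "."


def verify_vulnerable(token, key):
    """BAD: lets the token's own header choose the algorithm, including 'none'."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(p))
    if header.get("alg") == "HS256":
        expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(p))
    return None


def verify_hardened(token, key, now=None):
    """GOOD: the server decides the algorithm; the header must agree, the signature
    must match (constant-time compare) and an expiry claim is mandatory."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:          # bad base64, bad JSON or bad UTF-8
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (now if now is not None else time.time()):
        return None
    return claims


if __name__ == "__main__":
    good = sign_hs256({"sub": "alice", "role": "user", "exp": FAR_FUTURE}, SECRET)
    forged = forge_alg_none(good, role="admin")
    print("vulnerable verifier accepts forged token:", verify_vulnerable(forged, SECRET))
    print("hardened verifier accepts forged token:  ", verify_hardened(forged, SECRET))
```

The hardened verifier never reads the algorithm from the token to decide what to do; it compares the header against the single algorithm the service was configured for and rejects anything else. The same principle defeats HS256/RS256 confusion, where a token signed with the server's public key as an HMAC secret is offered to a verifier that lets the header pick the algorithm.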

Old:

Recon

Subdomain Enumeration

OWASP Amass

Amass is an in-depth attack surface mapping tool maintained by OWASP. It is great for asset discovery! Amass also has some built-in functionality for graph visualisation.

Httprobe

This tool is perfect for finding hosts that actually have an HTTP or HTTPS server listening. It just needs a list of domains on standard input and it’s ready to go.

Subfinder

Subfinder is a tool optimized for a single task, subdomain enumeration. It is lightweight and very fast, perfect for people who want a great tool specific for a single action.

Massdns

If you ever have to resolve a large number of domain names, consider Massdns. It is capable of resolving a massive number of names per second.

Gospider

Gospider is a really fast web spider written in Go. This tool is perfect for quickly finding assets.

Sublist3r

A very lightweight Python tool for subdomain enumeration. Perfect for adding to your own enumeration scripts.

Content Discovery

Dirsearch

Dirsearch is a web path scanner. It brute forces URLs to find as many directories and files as possible on a website.

Dirhunt

Like Dirsearch, Dirhunt is designed to find directories and files. However, Dirhunt takes a different approach and does not brute force; instead it crawls the site in search of content.

Ffuf

Ffuf is a very fast web fuzzer written in Go. It is perfect for quickly finding subdirectories, and it has some other great functionality: it can also be used to fuzz GET or POST parameters.

Visual Recon

Aquatone

Aquatone is a tool for visual inspection of websites on a large amount of hosts. This tool takes screenshots so the attacker can quickly gain an overview of the HTTP-based attack surface.

EyeWitness

Like Aquatone, this tool also takes screenshots of websites, but it has some other useful functionality: when it recognises the login page of a known application, it reports that application’s default credentials.

Subdomain Takeover

Subjack

A subdomain takeover tool designed to scan a list of subdomains and identify ones that are able to be hijacked.

Monitoring

Gitgraber

Gitgraber is a tool that monitors GitHub over a period of time. It searches for sensitive data (access tokens, API keys, …). When something interesting appears it is sent to your Slack workspace.

Port scanning

Nmap

This tool doesn’t need much of an introduction. It has been the default port scanning, ping-sweeping tool for years and for good reason.

Masscan

Like nmap, this tool is designed for port scanning and ping sweeping. The reason Masscan is in this list is that it can scan a large number of targets far faster than nmap.

Automation

LazyRecon

This is a tool designed for those who like to sit back and let the tool do all the work. It automates a lot of the tools we have covered up until this point. It is one of the most complete recon tools we have come across, but be cautious when using it, as it generates a lot of traffic against the target.

Rock-ON

Another great automated recon tool with the same all-in-one approach. Like LazyRecon, be cautious when using it, for it can be heavy on the target.

Vulnerability Assessment

Inception

Need to test for a specific vulnerability or misconfiguration across any number of hosts? Inception can help you with that. All given domains are scanned and checked against a list of items.

CORScanner

CORScanner is a Python tool designed for finding CORS misconfiguration vulnerabilities in websites.

Apktool

Is there a mobile application in your target’s scope? Then you can use this tool. Apktool is a reverse-engineering tool that decodes APK files (resources, manifest and bytecode into smali) and can rebuild them after you have modified them.

XSShunter

XSShunter is an automated tool that makes your life easier in finding XSS. It can either be used as an online service or downloaded and run as a standalone server.

XSStrike

XSStrike is an advanced XSS scanner written in Python. It is very easy to use. XSStrike has an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.

DOM Invader

DOM Invader is a powerful tool for quickly identifying DOM-based cross-site scripting vulnerabilities. It ships with Burp Suite’s embedded browser (even in the Community edition).

Hidden data

Goca

Goca is a tool written in Go. Its goal is to find hidden information and metadata, either on web pages or in downloaded files.

Exiftool

Exiftool is a simple tool designed for reading and writing metadata of files.

MITM Proxy

Burp Suite

This is the go-to tool for every hacker. Burp is like a Swiss army knife and has options for about every situation. While the free version is great, the upgrade to Burp suite professional is well worth the money. 

OWASP ZAP

For people who don’t want to use Burp Suite there is this tool. OWASP Zed Attack Proxy is a free and open source web security tool with a large array of options. Definitely worth looking into.

Password Crackers

Hydra

Hydra is a versatile network login brute-forcer with support for a lot of different protocols (SSH, FTP, HTTP forms, RDP, SMB and many more). It is available on most platforms.

Medusa

This thread-based parallel login brute forcer works really fast and can be used against multiple hosts at the same time. It can also test multiple users and passwords concurrently.