Pentesting Tools

I wanted to make a list of the tools or things that I find most useful in the day job. Especially useful in time limited engagements where your only option is to enumerate a large scope. The list will likely grow as tools are replaced or newly discovered. I’ll split it up into sections for ease of reference.

Some may gripe that I don’t use enough tools or the tools I’ve listed are noobish. All I can say is that they help get the job done.

Generic

Seclists – Github repo
An extremely useful repo full of wordlists, fuzzing strings and other crazy data that you do end up using on various engagements. I ended up just pushing all the password txt files into one big file in the end and sorting out the unique entries using the command below:

cat *.txt | sort -u > big.txt

Takes a while to run but it’s worth doing so you don’t have to keep passing wordlists to whatever you’re doing.

Sublime Text
I find this to be great for sorting out large amounts of data and for creating my notes for tests in Markdown. Everyone has their thing, but for me, this saves time.

Linux Tools

  • sed
  • sort
  • cut
  • grep

Without these built-in tools I would not be able to fill in the blanks when manipulating data from tool outputs. Sometimes you don’t get the data you need in the way you need it, so pasting the outputs into a text file and using sort, cut and sed just does the job perfectly. Everyone should learn how to manipulate data such as IP addresses, ports and hosts.
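As an added example (not part of the original post), here is the sort of sed/cut/grep/sort plumbing this section is talking about: it turns nmap grepable output (-oG) into a sorted, deduplicated ip,port,service CSV that can be dropped into Excel, and then into a list of web URLs to hand to a screenshot tool such as EyeWitness. The nmap output is a constructed sample, not a real scan.

```shell
#!/bin/sh
# Constructed sample of nmap grepable (-oG) output (not a real scan).
# Fields are tab-separated in real output; the parsing below tolerates spaces too.
SAMPLE_GNMAP='# Nmap 7.80 scan initiated
Host: 10.0.0.5 (web01)	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//ssl|https///	Ignored State: closed (997)
Host: 10.0.0.7 ()	Ports: 135/open/tcp//msrpc///, 3389/open/tcp//ms-wbt-server///	Ignored State: filtered (998)
Host: 10.0.0.9 (esx01)	Ports: 443/open/tcp//ssl|https///, 902/open/tcp//ideafarm-door///
Host: 10.0.0.5 (web01)	Ports: 80/open/tcp//http///	Ignored State: closed (999)
# Nmap done'

# Read -oG text on stdin, emit one "ip,port,service" row per open port,
# sorted by ip then numeric port, with duplicate ip/port pairs collapsed.
gnmap_to_csv() {
  grep '^Host:.*Ports:' |
  while IFS= read -r line; do
    # Field 2 of a Host line is always the IP address.
    ip=$(printf '%s\n' "$line" | cut -d' ' -f2)
    # Keep only the Ports: section, dropping the trailing Ignored State note.
    ports=$(printf '%s\n' "$line" | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//')
    # One port entry per line, strip leading space, keep open ports only.
    printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | grep '/open/' |
    while IFS= read -r p; do
      # Entry layout: port/state/proto/owner/service/sunrpc/version/
      printf '%s,%s,%s\n' "$ip" \
        "$(printf '%s' "$p" | cut -d/ -f1)" \
        "$(printf '%s' "$p" | cut -d/ -f5)"
    done
  done | sort -t, -k1,1 -k2,2n -u
}

# Read the CSV on stdin and build one URL per web service for a screenshot tool.
# Anything nmap labelled ssl/https gets an https:// scheme, the rest http://.
csv_to_urls() {
  grep -i 'http' |
  while IFS=, read -r ip port svc; do
    case "$svc" in
      *https*|*ssl*) printf 'https://%s:%s\n' "$ip" "$port" ;;
      *)             printf 'http://%s:%s\n' "$ip" "$port" ;;
    esac
  done
}

# Usage: printf '%s\n' "$SAMPLE_GNMAP" | gnmap_to_csv | tee hosts.csv | csv_to_urls > web.txt
```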

Internal Infrastructure Testing

Microsoft Excel – Need Licence or use Libre Office
The most useful tool I’ve ever used during testing. Some might wonder why, however, for keeping track of larger nmap scan CSVs, being able to convert them to a table and then sort the data is just so important.

EyeWitness – Github
This tool is one of the most useful I’ve used to date. Pass it a list of IP addresses from your nmap scan and it then takes screenshots, banners and HTTP headers of the services found (WEB, RDP, VNC). Great for large internal engagements for evidence keeping. Keep in mind to check the output from EyeWitness as sometimes it isn’t able to take a proper screenshot, especially of ESXi.

Bettercap – apt install bettercap
I haven’t used Bettercap on an engagement yet, but I have used it a lot at home and I think it’s great. Sniffing traffic coming from rogue devices or just simple ARP spoofing of your smart TV. It’s fun to use.

Wireshark – In Kali already
I’d use this to test for credentials being passed over clear-text protocols for evidence in a report. Loads of uses, but everyone is different.

Web App Testing

BurpSuite Pro
I think it goes without saying that the PRO version is a very popular option, however, for me it’s not because of the scanner as I don’t use it as much as I thought. It’s for the ability to save your state, projects and intruder things etc. Also the fact that your intruder queries are unlimited. Well worth it.

Spaghetti – Github Repo
I find this web scanner better than Nikto, and I mainly prefer it because it does a few other checks and the output is a lot neater.

Gobuster – apt install gobuster
Web directory brute force tool. I find it quicker than DIRB because it uses multiple threads. It can also follow redirects too.

Sublist3r – Github repo
Sublist3r is very useful in bug bounties to search for subdomains. I never need to use it on tests, but for bug bounties it’s very useful, and fast too. It comes with the new version of Kali, but it started life as a github repo.

iOS Testing

IDB
A bit old now I think, but it’s still a good bit of software to use for iOS testing. Loads of tutorials online on how to set it up.

Summary

There are going to be loads of other tools I’ll use in a day, however, the tools above are the most useful for filling in some blanks in the job. One of the most useful things I learned was the ability to manipulate data quickly using standard built-in tools in Linux.

I do believe a lot of people are skipping the fundamentals of just operating a system from a command line interface. I don’t think there’s a quicker way to complete a task and if you understand what command you want to execute by looking at raw data, then you’re doing alright.