# Tools Inventory
All tools run inside Docker unless explicitly noted. The invocation pattern is `docker run --rm -v "$(pwd)":/work pentest-tools <tool> <args>`, with the current directory mounted at /work inside the container (see Tool Execution Examples below).
**Docker-Only Execution**
ALL pentest tools MUST run inside Docker. The ONLY exceptions are git, gh, docker itself, and text editors/IDE commands. If a tool is not in the Docker image, add it to the Dockerfile first; NEVER pip install or go install it on the host. For Python inside Docker, ALWAYS use /opt/pentest-venv/bin/python3, never the system interpreter.
## Recon & Discovery
| Tool | Description | Usage Context |
|---|---|---|
| subfinder | Passive subdomain enumeration from multiple sources | Phase 1 recon -- discovers subdomains via APIs (Shodan, SecurityTrails, etc.) |
| httpx | HTTP probe and technology fingerprinting | Phase 1 recon -- validates live hosts, extracts titles, status codes, tech stack |
| dnsx | DNS resolution and record enumeration | Phase 1 recon -- resolves discovered subdomains, checks DNS records |
| naabu | Port scanning | Phase 1 recon -- discovers open ports on target hosts |
| katana | Web crawler with headless browser support | Phase 2 discovery -- crawls endpoints, follows links, extracts parameters. Use -kf all (not bare -kf) |
| Playwright + Chromium | Headless browser automation | Phase 0.5 walkthrough -- navigates SPAs, handles JS rendering, captures API calls |
| waybackurls | Fetches URLs from Wayback Machine | Phase 1 recon -- discovers historical endpoints and parameters |
| gau | GetAllURLs -- fetches known URLs from multiple sources | Phase 1 recon -- complements waybackurls with AlienVault, CommonCrawl |
| waymore | Advanced archived URL and response retrieval (7 sources) | Phase 1 recon -- use -mode B for archived responses. Most comprehensive URL collector |
| ffuf | Fast web fuzzer for content discovery | Phase 2 discovery -- directory brute-forcing, parameter fuzzing. Use -fs <size> for SPAs |
| ffufai | AI-enhanced ffuf with smart wordlist selection | Phase 2 discovery -- uses AI to select optimal wordlists based on target technology |
## Vulnerability Scanning
| Tool | Description | Usage Context |
|---|---|---|
| nuclei | Template-based vulnerability scanner (9000+ templates) | Phase 3 scanning -- CVEs, misconfigs, exposures, defaults, tech detection |
| nikto | Web server vulnerability scanner | Phase 3 scanning -- server misconfigs, dangerous files, outdated software |
| sqlmap | Automated SQL injection detection and exploitation | Phase 4 testing -- SQL injection with --level 5 --risk 3. Requires user confirmation before running |
| dalfox | XSS scanner with DOM analysis | Phase 4 testing -- reflected/stored/DOM XSS with WAF bypass payloads |
| ssrfmap | SSRF exploitation framework | Phase 4 testing -- SSRF payload generation and cloud metadata access |
| commix | Command injection exploiter | Phase 4 testing -- OS command injection detection and exploitation |
| arjun | HTTP parameter discovery | Phase 2 discovery -- finds hidden parameters on endpoints. Run on ALL endpoints |
| nomore403 | 403 bypass toolkit (40+ techniques) | Phase 4 testing -- used in test-access B2b for authorization bypass |
| garak | LLM vulnerability scanner (NVIDIA) | Phase 4 testing -- 20+ probe categories for prompt injection. Use with --model_type rest. Requires --llm flag |
## JS Analysis Pipeline
The JS analysis pipeline runs its stages in sequence for maximum coverage: AST-based extraction (jsluice) first, then the regex fallback (linkfinder) for strings the AST pass skipped, then secret scanning (secretfinder), then deobfuscation and entropy analysis (jshunter). subjs and getJS feed the pipeline by collecting and downloading the JS files.
| Tool | Description | Usage Context |
|---|---|---|
| jsluice | AST-based JavaScript analysis (best accuracy) | Phase 2 discovery -- extracts endpoints, secrets, and interesting strings from JS files |
| linkfinder | Regex-based endpoint extraction from JS | Phase 2 discovery -- catches endpoints jsluice may miss with pattern matching |
| secretfinder | API key and JWT discovery in JS | Phase 2 discovery -- finds hardcoded API keys, JWTs, AWS keys in JavaScript |
| jshunter | JS deobfuscation and entropy analysis | Phase 2 discovery -- handles obfuscated JS, finds high-entropy strings (potential secrets) |
| subjs | JavaScript file collector | Phase 2 discovery -- collects all JS file URLs from a target for pipeline input |
| getJS | JavaScript file downloader | Phase 2 discovery -- downloads JS files for local analysis by the pipeline |
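The stage ordering described above, as an added example that is not the project's own pipeline script. It assumes the pentest-tools image from this page's examples and that jsluice, linkfinder and secretfinder are callable under those names inside it; the subcommands and flags are the upstream CLIs' usual ones (`jsluice urls|secrets FILE`, `-i FILE -o cli`), but the in-image command names are an assumption. Only the first three stages are wired up, since the page gives no flags for jshunter. JS files are expected to have been downloaded into a directory under the current working directory already (for instance by getJS), so they resolve under /work in the container.

```bash
#!/usr/bin/env bash
# Added example, not the project's pipeline script. Assumes the pentest-tools
# image and that jsluice, linkfinder and secretfinder exist under those names
# inside it (an assumption; their flags are the upstream CLIs' usual ones).
set -u

PENTEST_IMAGE="${PENTEST_IMAGE:-pentest-tools}"
PT_DRY_RUN="${PT_DRY_RUN:-0}"   # 1 = log the commands without starting containers
PT_LOG="${PT_LOG:-/dev/null}"   # audit trail of every container command

# in_docker TOOL [ARGS...]: run TOOL in the container with . mounted at /work,
# recording the exact command line first so the run can be reproduced later.
in_docker() {
  printf '%s\n' "$*" >> "$PT_LOG"
  [ "$PT_DRY_RUN" = 1 ] && return 0
  docker run --rm -v "$PWD:/work" "$PENTEST_IMAGE" "$@"
}

# js_pipeline DIR: run the stages in the documented order over every .js file
# in DIR (a path relative to $PWD, so it resolves under /work). Each stage keeps
# its own output file because the formats differ: jsluice emits JSON lines,
# linkfinder and secretfinder emit plain text.
js_pipeline() {
  local dir="$1" f
  PT_LOG="$dir/pipeline.log"
  : > "$PT_LOG"
  : > "$dir/jsluice-urls.jsonl"; : > "$dir/jsluice-secrets.jsonl"
  : > "$dir/linkfinder.txt";     : > "$dir/secretfinder.txt"
  for f in "$dir"/*.js; do
    [ -e "$f" ] || continue
    # 1. AST-based extraction: endpoints and secrets with the fewest false positives
    in_docker jsluice urls    "/work/$f" >> "$dir/jsluice-urls.jsonl"
    in_docker jsluice secrets "/work/$f" >> "$dir/jsluice-secrets.jsonl"
    # 2. regex fallback: pattern matching catches strings the AST pass skipped
    in_docker linkfinder -i "/work/$f" -o cli >> "$dir/linkfinder.txt"
    # 3. secret scanning: hardcoded API keys, JWTs, AWS keys
    in_docker secretfinder -i "/work/$f" -o cli >> "$dir/secretfinder.txt"
  done
  # de-duplicate the plain-text stages in place (sort -o may reuse its input)
  sort -u -o "$dir/linkfinder.txt"   "$dir/linkfinder.txt"
  sort -u -o "$dir/secretfinder.txt" "$dir/secretfinder.txt"
}

# Usage: js_pipeline js        (after the JS files have been saved into ./js)
#        PT_DRY_RUN=1 js_pipeline js   to review pipeline.log before running
```

Running with PT_DRY_RUN=1 first and reading DIR/pipeline.log is a cheap way to confirm every path is under /work before any container starts; the same log doubles as the evidence trail for the report.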
## Secrets & OOB (Out-of-Band)
| Tool | Description | Usage Context |
|---|---|---|
| interactsh-client | Out-of-band interaction server | Phase 4 testing -- generates unique callback URLs for blind SSRF, XXE, RCE verification |
| trufflehog | Secret detection in git repos and files | Phase 2 discovery -- scans for leaked credentials, API keys, private keys |
| gitleaks | Git repository secret scanner | Phase 2 discovery -- finds secrets in git history and current files |
| pip-audit | Python dependency vulnerability scanner | Phase 4 testing -- checks for known CVEs in Python dependencies |
| wfuzz | Web application fuzzer | Phase 4 testing -- flexible fuzzing with filters, encoders, and payload processors |
## Bug Bounty Only
These tools are only enabled with the --bug-bounty flag for expanded reconnaissance scope.
| Tool | Description | Usage Context |
|---|---|---|
| asnmap | ASN to CIDR mapping | Bug bounty recon Wave C -- maps target ASN to IP ranges |
| alterx | Subdomain wordlist generation | Bug bounty recon Wave C -- generates permutation-based subdomain wordlists |
| puredns | DNS bruteforcing and resolution | Bug bounty recon Wave C -- mass DNS resolution with wildcard filtering |
| uncover | Search engine for exposed services | Bug bounty recon Wave C -- queries Shodan, Censys, FOFA for target assets |
## Proxy & Network
| Tool | Description | Usage Context |
|---|---|---|
| Burp Suite Pro + burp-ai-agent | Intercepting proxy with AI agent (53 MCP tools) | Manual testing -- traffic interception, request modification, scanning |
| Caido + caido-mode | Modern intercepting proxy (47 CLI commands) | Manual testing -- lightweight alternative to Burp Suite |
| curl | HTTP client | Throughout -- raw HTTP requests, PoC verification, API testing |
| httpie | User-friendly HTTP client | Throughout -- human-readable HTTP requests for quick testing |
| openssl | TLS/SSL toolkit | Phase 1 recon + Phase 4 crypto testing -- certificate inspection, cipher enumeration |
| testssl.sh | TLS/SSL testing script | Phase 4 crypto testing -- comprehensive TLS configuration audit |
## Mobile Testing
Mobile tools are only enabled with the --mobile ios|android flag.
| Tool | Description | Usage Context |
|---|---|---|
| apktool | APK decompiler and rebuilder | Android -- decompile APK, analyze smali, repackage |
| jadx | DEX to Java decompiler | Android -- reverse engineer APK to readable Java source |
| dex2jar | DEX to JAR converter | Android -- converts Dalvik bytecode for analysis |
| frida | Dynamic instrumentation toolkit | Android/iOS -- runtime hooking, SSL pinning bypass, method tracing |
| objection | Frida-based mobile exploration | Android/iOS -- runtime security assessment, built on frida |
| androguard | Android application analysis | Android -- static analysis, permissions, API calls |
| adb | Android Debug Bridge | Android -- device communication, app installation, log capture |
| uber-apk-signer | APK signing tool | Android -- sign repackaged APKs for installation |
| plistutil | Apple plist parser | iOS -- parse and convert property list files |
| mobsf | Mobile Security Framework | Android/iOS -- automated static and dynamic analysis |
## MCP Plugins
Optional plugins that enhance automation when available. They run outside Docker as MCP server integrations, so they are the one class of tooling not covered by the Docker-only rule above.
| Plugin | Description | Usage Context |
|---|---|---|
| Playwright MCP | Browser automation via MCP protocol | Interactive verification -- XSS payload confirmation, DOM inspection, dialog detection, CORS console errors |
| Fetch MCP | HTTP requests via MCP protocol | Quick HTTP verification -- avoids Docker container startup overhead for simple requests |
| Sequential Thinking MCP | Multi-step reasoning engine | Attack analysis -- multi-step reasoning for attack chain analysis, business logic exploitation, WAF bypass strategy planning |
| Tavily Search MCP | Web search and research | OSINT and CVE research -- searching CVEs for discovered software versions, finding public leaks/pastes, Google dorking equivalents, researching framework-specific exploits. Free tier: 1000 queries/month |
## Tool Execution Examples
Running a single tool:
Running Python scripts:

```bash
docker run --rm -v "$(pwd)":/work pentest-tools /opt/pentest-venv/bin/python3 /work/browser/crawler.py --url https://target.com
```
Interactive session:
With proxy routing:
**Windows Heredoc Limitation**
docker run ... python3 << 'PYEOF' fails silently in Git Bash on Windows: the heredoc on stdin is not piped into the container, so the script never runs and no error is reported. Write the script to a .py file on the host instead, then run it via docker run --rm -v "$(pwd)":/work pentest-tools /opt/pentest-venv/bin/python3 /work/path/to/script.py.
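A wrapper that enforces the Docker-only rule from the top of this page and builds in the heredoc workaround, as an added example rather than the project's own tooling. It assumes only what the page's examples show: an image named pentest-tools, the current directory mounted at /work, and the venv interpreter at /opt/pentest-venv/bin/python3. The function names and the .pt-scripts staging directory are this example's own choices.

```bash
#!/usr/bin/env bash
# Added example, not the project's own wrapper. Assumptions: image name
# pentest-tools, bind mount at /work, venv python at /opt/pentest-venv (all
# from the page); the .pt-scripts directory and function names are invented here.
set -u

PENTEST_IMAGE="${PENTEST_IMAGE:-pentest-tools}"
VENV_PY="/opt/pentest-venv/bin/python3"
HOST_ALLOWED="git gh docker"   # the only CLIs the policy lets run on the host

# shq STRING: single-quote STRING so it survives eval unchanged (POSIX idiom)
shq() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# host_allowed TOOL: succeed only if TOOL is on the host allow-list
host_allowed() {
  local t
  for t in $HOST_ALLOWED; do
    [ "$t" = "$1" ] && return 0
  done
  return 1
}

# docker_cmd TOOL [ARGS...]: print the docker run line for TOOL with the
# current directory mounted at /work. python/python3 are rewritten to the venv
# interpreter so the "always use /opt/pentest-venv" rule cannot be forgotten.
docker_cmd() {
  local tool="$1" a
  shift
  case "$tool" in
    python|python3) tool="$VENV_PY" ;;
  esac
  printf 'docker run --rm -v %s:/work %s %s' "$(shq "$PWD")" "$PENTEST_IMAGE" "$tool"
  for a in "$@"; do
    printf ' %s' "$(shq "$a")"
  done
  printf '\n'
}

# pt TOOL [ARGS...]: run TOOL on the host if the policy allows it, otherwise
# inside the container. A tool missing from the image fails there, which is
# the intended signal to add it to the Dockerfile rather than to the host.
pt() {
  local tool="$1"
  shift
  if host_allowed "$tool"; then
    "$tool" "$@"
  else
    eval "$(docker_cmd "$tool" "$@")"
  fi
}

# stage_script NAME < script.py: workaround for the Git Bash heredoc problem.
# stdin is written on the host to ./.pt-scripts/NAME.py (inside the bind
# mount) and the container-side path is printed, so a heredoc still works:
#   pt python3 "$(stage_script probe <<'PYEOF'
#   import sys; print(sys.version)
#   PYEOF
#   )"
stage_script() {
  local name="$1" dir="$PWD/.pt-scripts"
  mkdir -p "$dir"
  cat > "$dir/$name.py"
  printf '/work/.pt-scripts/%s.py\n' "$name"
}

# Usage mirroring the page's crawler example:
#   pt python3 /work/browser/crawler.py --url https://target.com
#   pt subfinder -d target.com
```

The heredoc is consumed by the host shell (which works) instead of by docker's stdin (which does not in Git Bash), and the resulting file lives under the bind mount, so nothing about the Docker-only rule changes. Keep .pt-scripts out of version control, since staged scripts often carry target names.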