Scanners to test security


SPartan is a Frontpage and Sharepoint fingerprinting and attack tool. Features:

Sharepoint and Frontpage fingerprinting
Management of Friendly 404s
Default Sharepoint and Frontpage file and folder enumeration
Active Directory account enumeration
Download interesting files and documents, including detection of uninterpreted ASP and ASPX
Search for keywords in identified pages
Saves state from previous scans
Site crawling
Accepts NTLM creds and session cookies for authenticated scans

The Internet-Wide Scan Data Repository is a public archive of research data collected through active scans of the public Internet. The repository is hosted by the ZMap Team at the University of Michigan.


EyeWitness is designed to take a file, parse out the URLs, take a screenshot of the web pages, and generate a report of the screenshot along with some server header information. EyeWitness is able to parse three different types of files, a general text file with each url on a new line, the xml output from a NMap scan, or a .nessus file.

Peeping Tom

This tool allows the tester to feed in urls or ip addresses and it will go out and grab screenshots of the websites.


ZMap is a fast network scanner designed for Internet-wide network surveys. On a typical desktop computer with a gigabit Ethernet connection, ZMap is capable scanning the entire public IPv4 address space in under 45 minutes. With a 10gigE connection and PF_RING, ZMap can scan the IPv4 address space in under 5 minutes.

While previous network tools have been designed to scan small network segments, ZMap is specifically architected to scan the entire address space. It is built in a modular manner in order to allow incorporation with other network survey tools. ZMap operates on GNU/Linux and supports TCP SYN and ICMP echo request scanning out of the box.


This is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.


theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual
hosts, open ports/ banners, and employee names from different public sources
(search engines, pgp key servers).

Is a really simple tool, but very effective for the early stages of a penetration
test or just to know the visibility of your company in the Internet.

Penetration Testers Framework

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustom to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minute.

Cortana Scripts by Mudge

Cortana is a scripting language for Armitage and Cobalt Strike. This is a collection of Cortana scripts that can be used with Cobalt Strike and Armitage.


WhatWeb identifies websites. Its goal is to answer the question, “What is that Website?”.
WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.
WhatWeb can be stealthy and fast, or thorough but slow.
WhatWeb supports an aggression level to control the trade off between speed and reliability.
When you visit a website in your browser, the transaction includes many hints of what web technologies are powering that website.
Sometimes a single webpage visit contains enough information to identify a website but when it does not, WhatWeb can interrogate the website further.
The default level of aggression, called ‘passive’, is the fastest and requires only one HTTP request of a website.
This is suitable for scanning public websites. More aggressive modes were developed for in penetration tests.
Most WhatWeb plugins are thorough and recognise a range of cues from subtle to obvious.
For example, most WordPress websites can be identified by the meta HTML tag, e.g. ‘‘, but a minority of WordPress websites remove this identifying tag but this does not thwart WhatWeb.
The WordPress WhatWeb plugin has over 15 tests, which include checking the favicon, default installation files, login pages, and checking for “/wp-content/” within relative links.

Example Usage
whatweb [options]
Using WhatWeb on a handful of websites, standard WhatWeb output is in colour.
backbox@backbox:~$ whatweb [301] X-XSS-Protection[1; mode=block], HTTPServer[gws],
RedirectLocation[1], UncommonHeaders[x-xss-protection], IP[],
Title[301 Moved], Country[UNITED STATES][US] [200] X-XSS-Protection[1; mode=block], HTTPServer[gws], UncommonHeaders[x-xss-protection], HTML5, IP[],
Cookies[NID,PREF], Title[Google], Country[UNITED STATES][US]

Verbose Output

Syndicate content