Call us:    +44 (0) 207 0439 349        Company      Contact us

Kali Tools Tutorials For Web App Testing

Posted by on Jul 31, 2016 in Security Blog1 comment

Learn how to use the tools available on Kali Linux when performing advanced web application assessments. Official version available on Kali Linux website.

1) apache-users Package Description

This Perl script will enumerate the usernames on any system that uses Apache with the UserDir module.

apache-users Homepage | Kali apache-users Repo

  • Author: Andy@Portcullis
  • License: GPLv2

tools included in the apache-users package

apache-users – Enumerate usernames on systems with Apache UserDir module

apache-users Usage Example

Run against the remote host (-h, passing a dictionary of usernames (-l /usr/share/wordlists/metasploit/unix_users.txt), the port to use (-p 80), disable SSL (-s 0), specify the HTTP error code (-e 403), using 10 threads (-t 10):

root@kali:~# apache-users -h -l /usr/share/wordlists/metasploit/unix_users.txt -p 80 -s 0 -e 403 -t 10

2) Arachni Package Description

Arachni is an Open Source, feature-full, modular, high-performance Ruby framework aimed towards helping penetration testers and administrators evaluate the security of web applications.

It is smart, it trains itself by learning from the HTTP responses it receives during the audit process and is able to perform meta-analysis using a number of factors in order to correctly assess the trustworthiness of results and intelligently identify false-positives.

It is versatile enough to cover a great deal of use cases, ranging from a simple command line scanner utility, to a global high performance grid of scanners, to a Ruby library allowing for scripted audits, to a multi-user multi-scan web collaboration platform.

Arachni Homepage | Kali Arachni Repo

  • Author: Tasos “Zapotek” Laskos
  • License: Apache-2.0

Tools included in the arachni package

arachni_web – The Arachni web scanner
root@kali:~# arachni_web -h
Usage: rackup [ruby options] [rack options] [rackup config]Ruby options:
-e, --eval LINE          evaluate a LINE of code
-b BUILDER_LINE,         evaluate a BUILDER_LINE of code as a builder script
-d, --debug              set debugging flags (set $DEBUG to true)
-w, --warn               turn warnings on for your script
-I, --include PATH       specify $LOAD_PATH (may be used more than once)
-r, --require LIBRARY    require the library, before executing your scriptRack options:
-s, --server SERVER      serve using SERVER (thin/puma/webrick/mongrel)
-o, --host HOST          listen on HOST (default:
-p, --port PORT          use PORT (default: 9292)
-O NAME[=VALUE],         pass VALUE to the server as option NAME. If no VALUE, sets it to true. Run '/usr/share/arachni/bin/../system/gems/bin/rackup -s SERVER -h' to get a list of options for SERVER
-E, --env ENVIRONMENT    use ENVIRONMENT for defaults (default: development)
-D, --daemonize          run daemonized in the background
-P, --pid FILE           file to store PID (default: options:
-h, -?, --help           Show this message
--version            Show version

arachni_web Usage Example

root@kali:~# arachni_web
 >> Thin web server (v1.5.1 codename Straight Razor)
 >> Maximum connections set to 1024
 >> Listening on, CTRL+C to stop

3) BBQSQL Package Description

Blind SQL injection can be a pain to exploit. When the available tools work they work well, but when they don’t you have to write something custom. This is time-consuming and tedious. BBQSQL can help you address those issues.

BBQSQL is a blind SQL injection framework written in Python. It is extremely useful when attacking tricky SQL injection vulnerabilities. BBQSQL is also a semi-automatic tool, allowing quite a bit of customization for those hard to trigger SQL injection findings. The tool is built to be database agnostic and is extremely versatile. It also has an intuitive UI to make setting up attacks much easier. Python gevent is also implemented, making BBQSQL extremely fast.

Similar to other SQL injection tools you provide certain request information.

Must provide the usual information:

  • URL
  • HTTP Method
  • Headers
  • Cookies
  • Encoding methods
  • Redirect behavior
  • Files
  • HTTP Auth
  • Proxies

Then specify where the injection is going and what syntax we are injecting.

BBQSQL Homepage | Kali BBQSQL Repo

  • Author: BBQSQL
  • License: BSD

Tools included in the bbqsql package

bbqsql – SQL Injection Exploitation Tool

The Blind SQL Injection Exploitation Tool.

bbqsql Usage Example

root@kali:~# bbqsql
 _______   _______    ______    ______    ______   __
 |       \ |       \  /      \  /      \  /      \ |  \
 | $$$$$$$\| $$$$$$$\|  $$$$$$\|  $$$$$$\|  $$$$$$\| $$
 | $$__/ $$| $$__/ $$| $$  | $$| $$___\$$| $$  | $$| $$
 | $$    $$| $$    $$| $$  | $$ \$$    \ | $$  | $$| $$
 | $$$$$$$\| $$$$$$$\| $$ _| $$ _\$$$$$$\| $$ _| $$| $$
 | $$__/ $$| $$__/ $$| $$/ \ $$|  \__| $$| $$/ \ $$| $$_____
 | $$    $$| $$    $$ \$$ $$ $$ \$$    $$ \$$ $$ $$| $$     \
 \$$$$$$$  \$$$$$$$   \$$$$$$\  \$$$$$$   \$$$$$$\ \$$$$$$$$
 \$$$                \$$$_.(-)._
 .'         '.
 / 'or '1'='1  \
 \    '='    /
 /   |   \
 []BBQSQL injection toolkit (bbqsql)
 Lead Development: Ben Toews(mastahyeti)
 Development: Scott Behrens(arbit)
 Menu modified from code for Social Engineering Toolkit (SET) by: David Kennedy (ReL1K)
 SET is located at:
 Version: 1.0The 5 S's of BBQ:
 Sauce, Spice, Smoke, Sizzle, and SQLiSelect from the menu:1) Setup HTTP Parameters
 2) Setup BBQSQL Options
 3) Export Config
 4) Import Config
 5) Run Exploit
 6) Help, Credits, and About99) Exit the bbqsql injection toolkit

4) BlindElephant Package Description

The BlindElephant Web Application Fingerprinter attempts to discover the version of a (known) web application by comparing static files at known locations against precomputed hashes for versions of those files in all all available releases. The technique is fast, low-bandwidth, non-invasive, generic, and highly automatable.

BlindElephant Homepage | Kali BlindElephant Repo

  • Author: Qualys
  • License: LGPL-3

Tools included in the blindelephant package – A generic web application fingerprinter
root@kali:~# -h
 Usage: [options] url appNameOptions:
 -h, --help            show this help message and exit
 Fingerprint version of plugin (should apply to web app
 given in appname)
 -s, --skip            Skip fingerprinting webpp, just fingerprint plugin
 Number of files to fetch (more may increase accuracy).
 Default: 15
 -w, --winnow          If more than one version are returned, use winnowing
 to attempt to narrow it down (up to numProbes
 additional requests).
 -l, --list            List supported webapps and plugins
 -u, --updateDB        Pull latest DB files from repo (Equivalent to svn
 update on blindelephant/dbs/). May require root if
 blindelephant was installed with root.Use "guess" as app or plugin name to attempt to attempt to
 discover which supported apps/plugins are installed.

BlindElephant Usage Example

Scan the remote host (, specifying the web application in use (wordpress):

root@kali:~# wordpress

 Loaded /usr/lib/python2.7/dist-packages/blindelephant/dbs/wordpress.pkl with 293 versions, 5389 differentiating paths, and 480 version groups.

 Starting BlindElephant fingerprint for version of wordpress at

 Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IISHit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit

 File produced no match. Error: Failed to reach a server: Not FoundHit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1Hit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1Hit

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta2, 2.8-IIS, 2.8-RC1

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-beta1, 2.8-beta2, 2.8-IIS, 2.8-RC1

 Possible versions based on result: 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.9-beta-1, 2.9-beta-1-IIS, 2.9-beta-2, 2.9-beta-2-IIS, 2.9-RC1, 2.9-RC1-IIS

 Possible versions based on result: 2.8, 2.8.1, 2.8.1-beta1, 2.8.1-beta2, 2.8.1-IIS, 2.8.1-RC1, 2.8.2, 2.8.2-IIS, 2.8.3, 2.8.3-IIS, 2.8.4, 2.8.4-IIS, 2.8.4a-IIS, 2.8.4b-IIS, 2.8.5, 2.8.5-beta1, 2.8.5-IIS, 2.8.6, 2.8.6-beta1, 2.8.6-beta1-IIS, 2.8.6-IIS, 2.8-IIS, 2.8-RC1

Fingerprinting resulted in:

Best Guess: 2.8.6

5) Burp Suite Package Description

Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities.

Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

Burp Suite Homepage | Kali Burp Suite Repo

  • Author: PortSwigger
  • License: Commercial

Tools included in the burpsuite package

burpsuite – Platform for security testing of web applications

Tool for security testing of web applications.

burpsuite Usage Example

root@kali:~# burpsuite

6) CutyCapt Package Description

CutyCapt is a small cross-platform command-line utility to capture WebKit’s rendering of a web page into a variety of vector and bitmap formats, including SVG, PDF, PS, PNG, JPEG, TIFF, GIF, and BMP.

CutyCapt Homepage | Kali CutyCapt Repo

  • Author: Björn Höhrmann
  • License: GPLv2

Tools included in the cutycapt package

cutycapt – Utility to capture WebKit’s rendering of a web page
root@kali:~# cutycapt --help
 Usage: CutyCapt --url= --out=localfile.png
 --help                         Print this help page and exit
 --url=<url>                    The URL to capture (http:...|file:...|...)
 --out=<path>                   The target file (.png|pdf|ps|svg|jpeg|...)
 --out-format=<f>               Like extension in --out, overrides heuristic
 --min-width=<int>              Minimal width for the image (default: 800)
 --min-height=<int>             Minimal height for the image (default: 600)
 --max-wait=<ms>                Don't wait more than (default: 90000, inf: 0)
 --delay=<ms>                   After successful load, wait (default: 0)
 --user-style-path=<path>       Location of user style sheet file, if any
 --user-style-string=<css>      User style rules specified as text
 --header=<name>:<value>        request header; repeatable; some can't be set
 --method=<get|post|put>        Specifies the request method (default: get)
 --body-string=<string>         Unencoded request body (default: none)
 --body-base64=<base64>         Base64-encoded request body (default: none)
 --app-name=<name>              appName used in User-Agent; default is none
 --app-version=<version>        appVers used in User-Agent; default is none
 --user-agent=<string>          Override the User-Agent header Qt would set
 --javascript=<on|off>          JavaScript execution (default: on)
 --java=<on|off>                Java execution (default: unknown)
 --plugins=<on|off>             Plugin execution (default: unknown)
 --private-browsing=<on|off>    Private browsing (default: unknown)
 --auto-load-images=<on|off>    Automatic image loading (default: on)
 --js-can-open-windows=<on|off> Script can open windows? (default: unknown)
 --js-can-access-clipboard=<on|off> Script clipboard privs (default: unknown)
 --print-backgrounds=<on|off>   Backgrounds in PDF/PS output (default: off)
 --zoom-factor=<float>          Page zoom factor (default: no zooming)
 --zoom-text-only=<on|off>      Whether to zoom only the text (default: off)
 --http-proxy=<url>             Address for HTTP proxy server (default: none)
 <f> is svg,ps,pdf,itext,html,rtree,png,jpeg,mng,tiff,gif,bmp,ppm,xbm,xpm
 ----------------------------------------------------------------------------- - (c) 2003-2010 Bjoern Hoehrmann -

cutycapt Usage Example

Take a capture of the URL (–url= and save it to disk (–out=kali.png):

root@kali:~# cutycapt --url= --out=kali.png
 QFont::setPixelSize: Pixel size <= 0 (0)
 QFont::setPixelSize: Pixel size <= 0 (0)

7) DAVTest Package Description

DAVTest tests WebDAV enabled servers by uploading test executable files, and then (optionally) uploading files which allow for command execution or other actions directly on the target. It is meant for penetration testers to quickly and easily determine if enabled DAV services are exploitable.

DAVTest supports:

  • Automatically send exploit files
  • Automatic randomization of directory to help hide files
  • Send text files and try MOVE to executable name
  • Basic and Digest authorization
  • Automatic clean-up of uploaded files
  • Send an arbitrary file

DAVTest Homepage | Kali DAVTest Repo

  • Author: Sunera, LLC.
  • License: GPLv3

Tools included in the davtest package

davtest – Testing tool for WebDAV servers
root@kali:~# davtest

ERROR: Missing -url

/usr/bin/davtest -url <url> [options]

-auth+     Authorization (user:password)
 -cleanup   delete everything uploaded when done
 -directory+    postfix portion of directory to create
 -debug+    DAV debug level 1-3 (2 & 3 log req/resp to /tmp/perldav_debug.txt)
 -move      PUT text files then MOVE to executable
 -nocreate  don't create a directory
 -quiet     only print out summary
 -rand+     use this instead of a random string for filenames
 -sendbd+   send backdoors:
 auto - for any succeeded test
 ext - extension matching file name(s) in backdoors/ dir
 -uploadfile+   upload this file (requires -uploadloc)
 -uploadloc+    upload file to this location/name (requires -uploadfile)
 -url+      url of DAV location

Example: /usr/bin/davtest -url http://localhost/davdir

davtest Usage Example

Scan the given WebDAV server (-url

root@kali:~# davtest -url
 Testing DAV connection
 NOTE    Random string for this session: B0yG9nhdFS8gox
 Creating directory
 MKCOL       SUCCEED:        Created
 Sending test files
 PUT aspx    FAIL
 PUT jhtml   SUCCEED:
 PUT html    SUCCEED:
 PUT shtml   FAIL
 Checking for test file execution
 EXEC    pl  FAIL
 EXEC    jsp FAIL
 EXEC    cfm FAIL
 EXEC    jhtml   FAIL
 EXEC    php FAIL
 EXEC    html    SUCCEED:********************************************************
 /usr/bin/davtest Summary:
 PUT File:
 PUT File:
 PUT File:
 PUT File:
 PUT File:
 PUT File:
 PUT File:

8) deblaze Package Description

Through the use of the Flex programming model and the ActionScript language, Flash Remoting was born. Flash applications can make request to a remote server to call server side functions, such as looking up accounts, retrieving additional data and graphics, and performing complex business operations. However, the ability to call remote methods also increases the attack surface exposed by these applications. This tool will allow you to perform method enumeration and interrogation against flash remoting end points. Deblaze came about as a necessity during a few security assessments of flash based websites that made heavy use of flash remoting. I needed something to give me the ability to dig a little deeper into the technology and identify security holes. On all of the servers I’ve seen so far the names are not case sensitive, making it much easier to bruteforce. Often times HTTP POST requests won’t be logged by the server, so bruteforcing may go unnoticed on poorly monitored systems.

Deblaze provides the following functionality:

  • Brute Force Service and Method Names
  • Method Interrogation
  • Flex Technology Fingerprinting

deblaze Homepage | Kali deblaze Repo

  • Author: Trustwave Holdings, Inc., Jon Rose
  • License: GPLv3

Tools included in the deblaze package – Performs testing against flash remoting endpoints
root@kali:~# -h
 Usage: deblaze [option]A remote enumeration tool for Flex ServersOptions:
 --version             show program's version number and exit
 -h, --help            show this help message and exit
 -u URL, --url=URL     URL for AMF Gateway
 -s SERVICE, --service=SERVICE
 Remote service to call
 -m METHOD, --method=METHOD
 Method to call
 -p PARAMS, --params=PARAMS
 Parameters to send pipe seperated
 -f SWF, --fullauto=SWF
 URL to SWF - Download SWF, find remoting services,
 methods,and parameters
 --fuzz                Fuzz parameter values
 -c CREDS, --creds=CREDS
 Username and password for service in u:p format
 -b COOKIE, --cookie=COOKIE
 Send cookies with request
 User-Agent string to send to the server
 File to load services for brute forcing (mutually
 exclusive to -s)
 File to load methods for brute forcing (mutually
 exclusive to -m)
 -d, --debug           Enable pyamf/AMF debugging
 -v, --verbose         Print http request/response
 -r, --report          Generate HTML report
 -n, --nobanner        Do not display banner
 -q, --quiet           Do not display messages Usage Example

root@kali:~# coming soon

9) DIRB Package Description

DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. It basically works by launching a dictionary based attack against a web server and analyzing the response.

DIRB comes with a set of preconfigured attack wordlists for easy usage but you can use your custom wordlists. Also DIRB sometimes can be used as a classic CGI scanner, but remember is a content scanner not a vulnerability scanner.

DIRB main purpose is to help in professional web application auditing. Specially in security related testing. It covers some holes not covered by classic web vulnerability scanners. DIRB looks for specific web objects that other generic CGI scanners can’t look for. It doesn’t search vulnerabilities nor does it look for web contents that can be vulnerables.

DIRB Homepage | Kali DIRB Repo

  • Author: The Dark Raver
  • License: GPLv2

tools included in the dirb package

dirb – A web content scanner
root@kali:~# dirb

 DIRB v2.21
 By The Dark Raver

./dirb <url_base> [<wordlist_file(s)>] [options]

========================= NOTES =========================
 <url_base> : Base URL to scan. (Use -resume for session resuming)
 <wordlist_file(s)> : List of wordfiles. (wordfile1,wordfile2,wordfile3...)

======================== HOTKEYS ========================
 'n' -> Go to next directory.
 'q' -> Stop scan. (Saving state for resume)
 'r' -> Remaining scan stats.

======================== OPTIONS ========================
 -a <agent_string> : Specify your custom USER_AGENT.
 -c <cookie_string> : Set a cookie for the HTTP request.
 -f : Fine tunning of NOT_FOUND (404) detection.
 -H <header_string> : Add a custom header to the HTTP request.
 -i : Use case-insensitive search.
 -l : Print "Location" header when found.
 -N <nf_code>: Ignore responses with this HTTP code.
 -o <output_file> : Save output to disk.
 -p <proxy[:port]> : Use this proxy. (Default port is 1080)
 -P <proxy_username:proxy_password> : Proxy Authentication.
 -r : Don't search recursively.
 -R : Interactive recursion. (Asks for each directory)
 -S : Silent Mode. Don't show tested words. (For dumb terminals)
 -t : Don't force an ending '/' on URLs.
 -u <username:password> : HTTP Authentication.
 -v : Show also NOT_FOUND pages.
 -w : Don't stop on WARNING messages.
 -X <extensions> / -x <exts_file> : Append each word with this extensions.
 -z <milisecs> : Add a miliseconds delay to not cause excessive Flood.

======================== EXAMPLES =======================
 ./dirb http://url/directory/ (Simple Test)
 ./dirb http://url/ -X .html (Test files with '.html' extension)
 ./dirb http://url/ /usr/share/dirb/wordlists/vulns/apache.txt (Test with apache.txt wordlist)
 ./dirb https://secure_url/ (Simple Test with SSL)

html2dic – Generate a dictionary from HTML pages

root@kali:~# html2dic
 Uso: ./html2dic <file>

gendict – Generator for custom dictionaries

root@kali:~# gendict
 Usage: gendict -type pattern
 type: -n numeric [0-9]
 -c character [a-z]
 -C uppercase character [A-Z]
 -h hexa [0-f]
 -a alfanumeric [0-9a-z]
 -s case sensitive alfanumeric [0-9a-zA-Z]
 pattern: Must be an ascii string in which every 'X' character wildcard
 will be replaced with the incremental value.Example: gendict -n thisword_X

dirb Usage Example

Scan the web server ( for directories using a dictionary file (/usr/share/wordlists/dirb/common.txt):

root@kali:~# dirb /usr/share/wordlists/dirb/common.txt

 DIRB v2.21
 By The Dark Raver

START_TIME: Fri May 16 13:41:45 2014
 WORDLIST_FILES: /usr/share/wordlists/dirb/common.txt



---- Scanning URL: ----
 + (CODE:200|SIZE:2726)
 + (CODE:403|SIZE:1122)

10) DirBuster Package Description

DirBuster is a multi threaded java application designed to brute force directories and files names on web/application servers. Often is the case now of what looks like a web server in a state of default installation is actually not, and has pages and applications hidden within. DirBuster attempts to find these. However tools of this nature are often as only good as the directory and file list they come with. A different approach was taken to generating this. The list was generated from scratch, by crawling the Internet and collecting the directory and files that are actually used by developers! DirBuster comes a total of 9 different lists, this makes DirBuster extremely effective at finding those hidden files and directories. And if that was not enough DirBuster also has the option to perform a pure brute force, which leaves the hidden directories and files nowhere to hide.

DirBuster Homepage | Kali DirBuster Repo

  • Author: OWASP
  • License: LGPL-2

Tools included in the dirbuster package

dirbuster – Web server directory brute-forcer

The DirBuster-Application.

dirbuster Usage Example

root@kali:~# dirbuster

11) fimap Package Description

fimap is a little python tool which can find, prepare, audit, exploit and even google automaticly for local and remote file inclusion bugs in webapps. fimap should be something like sqlmap just for LFI/RFI bugs instead of sql injection. It’s currently under heavy development but it’s usable.

fimap Homepage | Kali fimap Repo

  • Author: Iman Karim
  • License: GPLv2

Tools included in the fimap package

fimap – LFI and RFI exploitation tool
root@kali:~# fimap -h
 fimap v.09 (For the Swarm)
 :: Automatic LFI/RFI scanner and exploiter
 :: by Iman Karim ( ./ [options]
 ## Operating Modes:
 -s , --single                 Mode to scan a single URL for FI errors.
 Needs URL (-u). This mode is the default.
 -m , --mass                   Mode for mass scanning. Will check every URL
 from a given list (-l) for FI errors.
 -g , --google                 Mode to use Google to aquire URLs.
 Needs a query (-q) as google search query.
 -H , --harvest                Mode to harvest a URL recursivly for new URLs.
 Needs a root url (-u) to start crawling there.
 Also needs (-w) to write a URL list for mass mode.
 -4 , --autoawesome            With the AutoAwesome mode fimap will fetch all
 forms and headers found on the site you defined
 and tries to find file inclusion bugs thru them. Needs an
 URL (-u).
 ## Techniques:
 -b , --enable-blind           Enables blind FI-Bug testing when no error messages are printed.
 Note that this mode will cause lots of requests compared to the
 default method. Can be used with -s, -m or -g.
 -D , --dot-truncation         Enables dot truncation technique to get rid of the suffix if
 the default mode (nullbyte poison) failed. This mode can cause
 tons of requests depending how you configure it.
 By default this mode only tests windows servers.
 Can be used with -s, -m or -g. Experimental.
 -M , --multiply-term=X        Multiply terminal symbols like '.' and '/' in the path by X.
 ## Variables:
 -u , --url=URL                The URL you want to test.
 Needed in single mode (-s).
 -l , --list=LIST              The URL-LIST you want to test.
 Needed in mass mode (-m).
 -q , --query=QUERY            The Google Search QUERY.
 Example: 'inurl:include.php'
 Needed in Google Mode (-g)
 --skip-pages=X           Skip the first X pages from the Googlescanner.
 -p , --pages=COUNT            Define the COUNT of pages to search (-g).
 Default is 10.
 --results=COUNT          The count of results the Googlescanner should get per page.
 Possible values: 10, 25, 50 or 100(default).
 --googlesleep=TIME       The time in seconds the Googlescanner should wait befor each
 request to google. fimap will count the time between two requests
 and will sleep if it's needed to reach your cooldown. Default is 5.
 -w , --write=LIST             The LIST which will be written if you have choosen
 harvest mode (-H). This file will be opened in APPEND mode.
 -d , --depth=CRAWLDEPTH       The CRAWLDEPTH (recurse level) you want to crawl your target site
 in harvest mode (-H). Default is 1.
 -P , --post=POSTDATA          The POSTDATA you want to send. All variables inside
 will also be scanned for file inclusion bugs.
 --cookie=COOKIES         Define the cookie which should be send with each request.
 Also the cookies will be scanned for file inclusion bugs.
 Concatenate multiple cookies with the ';' character.
 --ttl=SECONDS            Define the TTL (in seconds) for requests. Default is 30 seconds.
 --no-auto-detect         Use this switch if you don't want to let fimap automaticly detect
 the target language in blind-mode. In that case you will get some
 options you can choose if fimap isn't sure which lang it is.
 --bmin=BLIND_MIN         Define here the minimum count of directories fimap should walk thru
 in blind mode. The default number is defined in the generic.xml
 --bmax=BLIND_MAX         Define here the maximum count of directories fimap should walk thru.
 --dot-trunc-min=700      The count of dots to begin with in dot-truncation mode.
 --dot-trunc-max=2000     The count of dots to end with in dot-truncation mode.
 --dot-trunc-step=50      The step size for each round in dot-truncation mode.
 --dot-trunc-ratio=0.095  The maximum ratio to detect if dot truncation was successfull.
 --dot-trunc-also-unix    Use this if dot-truncation should also be tested on unix servers.
 --force-os=OS            Forces fimap to test only files for the OS.
 OS can be 'unix' or 'windows'
 ## Attack Kit:
 -x , --exploit                Starts an interactive session where you can
 select a target and do some action.
 -T , --tab-complete           Enables TAB-Completation in exploit mode. Needs readline module.
 Use this if you want to be able to tab-complete thru remote
 files\dirs. Eats an extra request for every 'cd' command.
 ## Disguise Kit:
 -A , --user-agent=UA          The User-Agent which should be sent.
 --http-proxy=PROXY       Setup your proxy with this option. But read this facts:
 * The googlescanner will ignore the proxy to get the URLs,
 but the pentest\attack itself will go thru proxy.
 * PROXY should be in format like this:
 * It's experimental
 --show-my-ip             Shows your internet IP, current country and user-agent.
 Useful if you want to test your vpn\proxy config.
 ## Plugins:
 --plugins                List all loaded plugins and quit after that.
 -I , --install-plugins        Shows some official exploit-mode plugins you can install
 and\or upgrade.
 ## Other:
 --update-def             Checks and updates your definition files found in the
 config directory.
 --test-rfi               A quick test to see if you have configured RFI nicely.
 --merge-xml=XMLFILE      Use this if you have another fimap XMLFILE you want to
 include to your own fimap_result.xml.
 -C , --enable-color           Enables a colorful output. Works only in linux!
 --force-run              Ignore the instance check and just run fimap even if a lockfile
 exists. WARNING: This may erase your fimap_results.xml file!
 -v , --verbose=LEVEL          Verbose level you want to receive.
 LEVEL=3 -> Debug
 LEVEL=2 -> Info(Default)
 LEVEL=1 -> Messages
 LEVEL=0 -> High-Level
 --credits                Shows some credits.
 --greetings              Some greetings 😉
 -h , --help                   Shows this cruft.
 ## Examples:
 1. Scan a single URL for FI errors:
 ./ -u 'http://localhost/test.php?file=bang&id=23'
 2. Scan a list of URLS for FI errors:
 ./ -m -l '/tmp/urllist.txt'
 3. Scan Google search results for FI errors:
 ./ -g -q 'inurl:include.php'
 4. Harvest all links of a webpage with recurse level of 3 and
 write the URLs to /tmp/urllist
 ./ -H -u 'http://localhost' -d 3 -w /tmp/urllist

fimap Usage Example

Scan the web application (-u “”) for file inclusion issues:

root@kali:~# fimap -u ""
 fimap v.09 (For the Swarm)
 :: Automatic LFI/RFI scanner and exploiter
 :: by Iman Karim ( is testing URL: ''

12) FunkLoad Package Description

FunkLoad is a functional and load web tester, written in Python, whose main use cases are:

  • Functional testing of web projects, and thus regression testing as well.
  • Performance testing: by loading the web application and monitoring your servers it helps you to pinpoint bottlenecks, giving a detailed report of performance measurement.
  • Load testing tool to expose bugs that do not surface in cursory testing, like volume testing or longevity testing.
  • Stress testing tool to overwhelm the web application resources and test the application recoverability.
  • Writing web agents by scripting any web repetitive task.

funkload Homepage | Kali funkload Repo

  • Author: Benoit Delbosc, Nuxeo SAS
  • License: GPLv2

Tools included in the funkload package

fl-record – Launch a TCPWatch proxy and record activities
root@kali:~# fl-record -h
 fl-record [options] [test_name]fl-record launch a TCPWatch proxy and record activities, then output
 a FunkLoad script or generates a FunkLoad unit test if test_name is specified.The default proxy port is 8090.Note that executable must be accessible from your env.See for more information.Examples
 fl-record foo_bar
 Run a proxy and create a FunkLoad test case,
 generates and FooBar.conf file.
 To test it:  fl-run-test -dV
 fl-record -p 9090
 Run a proxy on port 9090, output script to stdout.
 fl-record -i /tmp/tcpwatch
 Convert a tcpwatch capture into a script.Options
 --version               show program's version number and exit
 --help, -h              show this help message and exit
 --verbose, -v           Verbose output
 --port=PORT, -p PORT    The proxy port.
 --tcp-watch-input=TCPWATCH_PATH, -i TCPWATCH_PATH
 Path to an existing tcpwatch capture.
 --loop=LOOP, -l LOOP    Loop mode.

fl-credential-ctl – Execute action on the XML/RPC server

root@kali:~# fl-credential-ctl -h
 fl-credential-ctl config_file actionaction can be: start|startd|stop|restart|status|testExecute action on the XML/RPC server.Options
 --version    show program's version number and exit
 --help, -h   show this help message and exit
 --quiet, -q  Verbose output

fl-run-test – Launch a FunkLoad unit test

root@kali:~# fl-run-test -h
 fl-run-test [options] file [class.method|class|suite] [...]fl-run-test launch a FunkLoad unit test.A FunkLoad unittest use a configuration file named [class].conf, this
 configuration is overriden by the command line options.See for more information.Examples
 Run all tests (including doctest with python2.4).
 fl-run-test test_suite
 Run suite named test_suite.
 fl-run-test MyTestCase.testSomething
 Run a single test MyTestCase.testSomething.
 fl-run-test MyTestCase
 Run all 'test*' test methods and doctest in MyTestCase.
 fl-run-test MyTestCase -u http://localhost
 Same against localhost.
 fl-run-test myDocTest.txt
 Run doctest from plain text file (requires python2.4).
 fl-run-test myDocTest.txt -d
 Run doctest with debug output (requires python2.4).
 fl-run-test -V
 Run default set of tests and view in real time each
 page fetch with firefox.
 fl-run-test MyTestCase.testSomething -l 3 -n 100
 Run MyTestCase.testSomething, reload one hundred
 time the page 3 without concurrency and as fast as
 possible. Output response time stats. You can loop
 on many pages using slice -l 2:4.
 fl-run-test -e [Ss]ome
 Run all tests that match the regex [Ss]ome.
 fl-run-test -e '!xmlrpc$'
 Run all tests that does not ends with xmlrpc.
 fl-run-test --list
 List all the test names.
 fl-run-test -h
 More options.Options
 --version               show program's version number and exit
 --help, -h              show this help message and exit
 --quiet, -q             Minimal output.
 --verbose, -v           Verbose output.
 --debug, -d             FunkLoad and doctest debug output.
 Debug level 3 is more verbose.
 --url=MAIN_URL, -u MAIN_URL
 Base URL to bench without ending '/'.
 Minumum sleep time between request.
 Maximum sleep time between request.
 Directory to dump html pages.
 --firefox-view, -V      Real time view using firefox, you must have a running
 instance of firefox in the same host.
 --no-color              Monochrome output.
 --loop-on-pages=LOOP_STEPS, -l LOOP_STEPS
 Loop as fast as possible without concurrency on pages,
 expect a page number or a slice like 3:5. Output some
 --loop-number=LOOP_NUMBER, -n LOOP_NUMBER
 Number of loop.
 --accept-invalid-links  Do not fail if css/image links are not reachable.
 --simple-fetch          Don't load additional links like css or images when
 fetching an html page.
 --stop-on-fail          Stop tests on first failure or error.
 --regex=REGEX, -e REGEX
 The test names must match the regex.
 --list                  Just list the test names.
 --pause                 Pause between request, press ENTER to continue.

fl-build-report – Analyze a FunkLoad bench xml result file and output a report

root@kali:~# fl-build-report -h
 fl-build-report [options] xmlfile [xmlfile...]orfl-build-report --diff REPORT_PATH1 REPORT_PATH2fl-build-report analyze a FunkLoad bench xml result file and output a report.
 If there are more than one file the xml results are merged.See for more information.Examples
 fl-build-report funkload.xml
 ReST rendering into stdout.
 fl-build-report --html -o /tmp funkload.xml
 Build an HTML report in /tmp
 fl-build-report --html node1.xml node2.xml node3.xml
 Build an HTML report merging test result from 3 nodes.
 fl-build-report --diff /tmp/test_reader-20080101 /tmp/test_reader-20080102
 Build a differential report to compare 2 bench reports,
 requires gnuplot.
 fl-build-report -h
 More options.Options
 --version               show program's version number and exit
 --help, -h              show this help message and exit
 --html, -H              Produce an html report.
 --with-percentiles, -P  Include percentiles in tables, use 10%, 50% and 90%
 for charts, default option.
 --no-percentiles        No percentiles in tables display min, avg and max in
 charts (gdchart only).
 --diff, -d              Create differential report.
 --output-directory=OUTPUT_DIR, -o OUTPUT_DIR
 Parent directory to store reports, the directoryname
 of the report will be generated automatically.
 --report-directory=REPORT_DIR, -r REPORT_DIR
 Directory name to store the report.
 --apdex-T=APDEX_T, -T APDEX_T
 Apdex T constant in second, default is set to 1.5s.
 Visit for more information.

fl-run-bench – Launch a FunkLoad unit test as load test

root@kali:~# fl-run-bench -h
 fl-run-bench [options] file class.methodfl-run-bench launch a FunkLoad unit test as load test.A FunkLoad unittest use a configuration file named [class].conf, this
 configuration is overriden by the command line options.See for more information.Examples
 fl-run-bench MyTestCase.testSomething
 Bench MyTestCase.testSomething using MyTestCase.conf.
 fl-run-bench -u http://localhost:8080 -c 10:20 -D 30 \
 Bench MyTestCase.testSomething on localhost:8080
 with 2 cycles of 10 and 20 users during 30s.
 fl-run-bench -h
 More options.Options
 --version               show program's version number and exit
 --help, -h              show this help message and exit
 --url=MAIN_URL, -u MAIN_URL
 Base URL to bench.
 Cycles to bench, this is a list of number of virtual
 concurrent users, to run a bench with 3 cycles with 5,
 10 and 20 users use: -c 2:10:20
 Duration of a cycle in seconds.
 Minimum sleep time between requests.
 Maximum sleep time between requests.
 --test-sleep-time=BENCH_SLEEP_TIME, -t BENCH_SLEEP_TIME
 Sleep time between tests.
 Startup delay between thread.
 --as-fast-as-possible, -f
 Remove sleep times between requests and between tests,
 shortcut for -m0 -M0 -t0
 --no-color              Monochrome output.
 --accept-invalid-links  Do not fail if css/image links are not reachable.
 --simple-fetch          Don't load additional links like css or images when
 fetching an html page.
 --label=LABEL, -l LABEL
 Add a label to this bench run for easier
 identification (it will be appended to the directory
 name for reports generated from it).
 --enable-debug-server   Instantiates a debug HTTP server which exposes an
 interface using which parameters can be modified at
 run-time. Currently supported parameters:
 /cvu?inc=<integer> to increase the number of CVUs,
 /cvu?dec=<integer> to decrease the number of CVUs,
 /getcvu returns number of CVUs
 Port at which debug server should run during the test

fl-monitor-ctl – Execute action on the XML/RPC server

root@kali:~# fl-monitor-ctl -h
 fl-monitor-ctl config_file actionaction can be: start|startd|stop|restart|status|testExecute action on the XML/RPC server.Options
 --version    show program's version number and exit
 --help, -h   show this help message and exit
 --quiet, -q  Verbose output

13) FunkLoad Usage Example

root@kali:~# coming soon

Grabber Package Description

Grabber is a web application scanner. Basically it detects some kind of vulnerabilities in your website. Grabber is simple, not fast but portable and really adaptable. This software is designed to scan small websites such as personals, forums etc. absolutely not big application: it would take too long time and flood your network.


  • Cross-Site Scripting
  • SQL Injection (there is also a special Blind SQL Injection module)
  • File Inclusion
  • Backup files check
  • Simple AJAX check (parse every JavaScript and get the URL and try to get the parameters)
  • Hybrid analysis/Crystal ball testing for PHP application using PHP-SAT
  • JavaScript source code analyzer: Evaluation of the quality/correctness of the JavaScript with JavaScript Lint
  • Generation of a file [session_id, time(t)] for next stats analysis.

Grabber Homepage | Kali Grabber Repo

  • Author: Romain Gaucher
  • License: BSD

Tools included in the grabber package

grabber – Web application vulnerability scanner
root@kali:~# grabber -h
 Usage: grabber [options]Options:
 -h, --help            show this help message and exit
 Adress to investigate
 -s, --sql             Look for the SQL Injection
 -x, --xss             Perform XSS attacks
 -b, --bsql            Look for blind SQL Injection
 -z, --backup          Look for backup files
 -d SPIDER, --spider=SPIDER
 Look for every files
 -i, --include         Perform File Insertion attacks
 -j, --javascript      Test the javascript code ?
 -c, --crystal         Simple crystal ball test.
 -e, --session         Session evaluations

grabber Usage Example

Spider the web application to a depth of 1 (–spider 1) and attempt SQL (–sql) and XSS (–xss) attacks at the given URL (–url

root@kali:~# grabber --spider 1 --sql --xss --url
 Start scanning...
 runSpiderScan @  |   # 1
 Start investigation...
 Method = GET
 [Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for>
 [Cookie]    1   :   <Cookie security=high for>
 Method = GET
 [Cookie]    0   :   <Cookie PHPSESSID=2742cljd8u6aclfktf1sh284u7 for>
 [Cookie]    1   :   <Cookie security=high for>

14) jboss-autopwn Package Description

This JBoss script deploys a JSP shell on the target JBoss AS server. Once deployed, the script uses its upload and command execution capability to provide an interactive session.

Features include:

  • Multiplatform support – tested on Windows, Linux and Mac targets
  • Support for bind and reverse bind shells
  • Meterpreter shells and VNC support for Windows targets

jboss-autopwn Homepage | Kali jboss-autopwn Repo

  • Author: Christian G. Papathanasiou, Trustwave Holdings, Inc.
  • License: GPLv2

Tools included in the jboss-autopwn package

jboss-win – JBoss Windows autopwn
root@kali:~# root@kali:~# jboss-win
 [!] JBoss Windows autopwn
 [!] Usage: ./ server port
 [!] Christian Papathanasiou
 [!] Trustwave SpiderLabs

jboss-linux – JBoss *nix autopwn

root@kali:~# jboss-linux
 [!] JBoss *nix autopwn
 [!] Usage: ./ server port
 [!] Christian Papathanasiou
 [!] Trustwave SpiderLabs

jboss-autopwn Usage Example

Attack the target server ( on the specified port (8080), redirecting stderr (2> /dev/null):

root@kali:~# jboss-linux 8080 2> /dev/null
 [x] Retrieving cookie
 [x] Now creating BSH script...
 [!] Cound not create BSH script..
 [x] Now deploying .war file:

15) joomscan Package Description

Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few. So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity. It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites.

The following features are currently available:

  • Exact version Probing (the scanner can tell whether a target is running version 1.5.12)
  • Common Joomla! based web application firewall detection
  • Searching known vulnerabilities of Joomla! and its components
  • Reporting to Text & HTML output
  • Immediate update capability via scanner or svn

joomscan Homepage | Kali joomscan Repo

  • Author: Aung Khant,
  • License: GPLv3

Tools included in the joomscan package

joomscan – OWASP Joomla Vulnerability Scanner Project
root@kali:~# joomscan

..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.
 .|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
 ||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
 '|.     ||    ||| |||     .''''|.  .     '||  ||
 ''|...|'      |   |     .|.  .||. |'....|'  .||.

 OWASP Joomla! Vulnerability Scanner v0.0.4
 (c) Aung Khant, aungkhant]at[
 YGN Ethical Hacker Group, Myanmar,
 Update by: Web-Center, (2011)

Vulnerability Entries: 611
 Last update: February 2, 2012

Usage:  ./ -u <string> -x proxy:port
 -u <string>      = joomla Url


-x <string:int>  = proXy to tunnel
 -c <string>      = Cookie (name=value;)
 -g "<string>"    = desired useraGent string(within ")
 -nv              = No Version fingerprinting check
 -nf              = No Firewall detection check
 -nvf/-nfv        = No version+firewall check
 -pe          = Poke version only and Exit
 -ot              = Output to Text file (target-joexploit.txt)
 -oh              = Output to Html file (target-joexploit.htm)
 -vu              = Verbose (output every Url scan)
 -sp          = Show completed Percentage

~Press ENTER key to continue

Example:  ./ -u -x localhost:8080

Check:    ./ check
 - Check if the scanner update is available or not.

Update:   ./ update
 - Check and update the local database if newer version is available.

Download: ./ download
 - Download the scanner latest version as a single zip file -

Defense:  ./ defense
 - Give a defensive note.

About:    ./ story
 - A short story about joomscan.

Read:     ./ read DOCFILE
 DOCFILE - changelog,release_note,readme,credits,faq,owasp_project

joomscan Usage Example

Scan the Joomla installation at the given URL (-u for vulnerabilities:

root@kali:~# joomscan -u

..|''||   '|| '||'  '|'     |      .|'''.|  '||''|.
 .|'    ||   '|. '|.  .'     |||     ||..  '   ||   ||
 ||      ||   ||  ||  |     |  ||     ''|||.   ||...|'
 '|.     ||    ||| |||     .''''|.  .     '||  ||
 ''|...|'      |   |     .|.  .||. |'....|'  .||.

 OWASP Joomla! Vulnerability Scanner v0.0.4
 (c) Aung Khant, aungkhant]at[
 YGN Ethical Hacker Group, Myanmar,
 Update by: Web-Center, (2011)

Vulnerability Entries: 673
 Last update: October 22, 2012

Use "update" option to update the database
 Use "check" option to check the scanner update
 Use "download" option to download the scanner latest version package
 Use svn co to update the scanner and the database
 svn co joomscan


Server: Apache/2.2.22 (Debian)
 X-Powered-By: PHP/5.4.4-14+deb7u9

## Checking if the target has deployed an Anti-Scanner measure

[!] Scanning Passed ..... OK

## Detecting Joomla! based Firewall ...

[!] No known firewall detected!

## Fingerprinting in progress ...

Use of uninitialized value in pattern match (m//) at ./ line 1009.
 ~Unable to detect the version. Is it sure a Joomla?

## Fingerprinting done.

Vulnerabilities Discovered

# 1
 Info -> Generic: htaccess.txt has not been renamed.
 Versions Affected: Any
 Check: /htaccess.txt
 Exploit: Generic defenses implemented in .htaccess are not available, so exploiting is more likely to succeed.
 Vulnerable? Yes

16) jSQL Package Description

jSQL Injection is a lightweight application used to find database information from a distant server. jSQL is free, open source and cross-platform (Windows, Linux, Mac OS X, Solaris).

jSQL Homepage | Kali jSQL Repo

  • Author: ron190
  • License: GPLv3

Tools included in the jsql package

jsql – A lightweight application used to find database information

A lightweight application used to find database information from a distant server.

jsql Usage Example

root@kali:~# jsql

17) Maltego Teeth Package Description

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet – whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits, Maltego can locate, aggregate and visualize this information.

Maltego offers the user with unprecedented information. Information is leverage. Information is power. Information is Maltego.

What does Maltego do?

Maltego is a program that can be used to determine the relationships and real world links between:

  • People
  • Groups of people (social networks)
  • Companies
  • Organizations
  • Web sites
  • Internet infrastructure such as:
  • Domains
  • DNS names
  • Netblocks
  • IP addresses
  • Phrases
  • Affiliations
  • Documents and files
  • These entities are linked using open source intelligence.
  • Maltego is easy and quick to install – it uses Java, so it runs on Windows, Mac and Linux.
  • Maltego provides you with a graphical interface that makes seeing these relationships instant and accurate – making it possible to see hidden connections.
  • Using the graphical user interface (GUI) you can see relationships easily – even if they are three or four degrees of separation away.
  • Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?

  • Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter.
  • Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items.
  • Maltego provide you with a much more powerful search, giving you smarter results.
  • If access to “hidden” information determines your success, Maltego can help you discover it.

Maltego Homepage | Kali Maltego Teeth Repo

  • Author: Paterva
  • License: Commercial

Maltego Teeth README

root@kali:~# cat /opt/Teeth/README.txt
 NB NB: This runs on Kali Linux
 #Make directory /opt/Teeth/
 #Copy tgz to /opt/Teeth/
 #UntarLoad the config file called /opt/Teeth/etc/Maltego_config.mtz file into Maltego.
 This is painless:
 1) Open Maltego Tungsten (or Radium)
 2) Click top left globe/sphere (Application button)
 3) Import -> Import configuration, choose /opt/Teeth/etc/Maltego_config.mtzNotes
 Config file is in /opt/Teeth/etc/TeethConfig.txt
 Everything can be set in the config file.Log file is /var/log/Teeth.log, tail -f it while you running transforms for
 real time logs of what's happening.You can set DEBUG/INFO. DEBUG is useful for seeing progress - set in
 /opt/Teeth/units/ line 26Look in cache/ directory. Here you find caches of:
 1) Nmap results
 2) Mirrors
 3) SQLMAP resultsYou need to remove cache files by hand if you no longer want them.
 You can run housekeep/ but it removes EVERYTHING.The WP brute transform uses Metasploit.Start Metasploit server so:
 msfconsole -r /opt/Teeth/static/Teeth-MSF.rc
 It takes a while to start, so be patient.In /housekeep is - it's the same as killall python.

18) PadBuster Package Description

PadBuster is a Perl script for automating Padding Oracle Attacks. PadBuster provides the capability to decrypt arbitrary ciphertext, encrypt arbitrary plaintext, and perform automated response analysis to determine whether a request is vulnerable to padding oracle attacks.

PadBuster Homepage | Kali PadBuster Repo

  • Author: Brian Holyfield, Gotham Digital Science
  • License: Reciprocal Public License 1.5

Tools included in the padbuster package

padbuster – Script for performing Padding Oracle attacks
root@kali:~# padbuster

 | PadBuster - v0.3.3                        |
 | Brian Holyfield - Gotham Digital Science  |
 |                      |

Use: URL EncryptedSample BlockSize [options]

Where: URL = The target URL (and query string if applicable)
 EncryptedSample = The encrypted value you want to test. Must
 also be present in the URL, PostData or a Cookie
 BlockSize = The block size being used by the algorithm

 -auth [username:password]: HTTP Basic Authentication
 -bruteforce: Perform brute force against the first block
 -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
 -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
 -encoding [0-4]: Encoding Format of Sample (Default 0)
 0=Base64, 1=Lower HEX, 2=Upper HEX
 3=.NET UrlToken, 4=WebSafe Base64
 -encodedtext [Encoded String]: Data to Encrypt (Encoded)
 -error [Error String]: Padding Error Message
 -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
 -interactive: Prompt for confirmation on decrypted bytes
 -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
 -log: Generate log files (creates folder PadBuster.DDMMYY)
 -noencode: Do not URL-encode the payload (encoded by default)
 -noiv: Sample does not include IV (decrypt first block)
 -plaintext [String]: Plain-Text to Encrypt
 -post [Post Data]: HTTP Post Data String
 -prefix [Prefix]: Prefix bytes to append to each sample (Encoded)
 -proxy [address:port]: Use HTTP/S Proxy
 -proxyauth [username:password]: Proxy Authentication
 -resume [Block Number]: Resume at this block number
 -usebody: Use response body content for response analysis phase
 -verbose: Be Verbose
 -veryverbose: Be Very Verbose (Debug Only)
padbuster Usage Example
root@kali:~# coming soon

19) Paros Package Description

A Java based HTTP/HTTPS proxy for assessing web application vulnerability. It supports editing/viewing HTTP messages on-the-fly. Other featuers include spiders, client certificate, proxy-chaining, intelligent scanning for XSS and SQL injections etc.

Paros Homepage | Kali Paros Repo

  • Author:
  • License: Clarified Artistic License

Tools included in the paros package

paros – Web application proxy

Lightweight web application testing proxy.

Paros Usage Example

root@kali:~# paros

20) Parsero Package Description

Parsero is a free script written in Python which reads the Robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines what directories or files hosted on a web server mustn’t be indexed. For example, “Disallow: /portal/login” means that the content on it’s not allowed to be indexed by crawlers like Google, Bing, Yahoo… This is the way the administrator have to not share sensitive or private information with the search engines.

But sometimes these paths typed in the Disallows entries are directly accessible by the users without using a search engine, just visiting the URL and the Path, and sometimes they are not available to be visited by anybody… Because it is really common that the administrators write a lot of Disallows and some of them are available and some of them are not, you can use Parsero in order to check the HTTP status code of each Disallow entry in order to check automatically if these directories are available or not.

Also, the fact the administrator write a robots.txt, it doesn’t mean that the files or directories typed in the Dissallow entries will not be indexed by Bing, Google, Yahoo… For this reason, Parsero is capable of searching in Bing to locate content indexed without the web administrator authorization. Parsero will check the HTTP status code in the same way for each Bing result.

Parsero Homepage | Kali parsero Repo

  • Author: Javier Nieto
  • License: GPLv2

Tools included in the parsero package

parsero – robots.txt audit tool
root@kali:~# parsero -h

 | _ \ __ _ _ __ ___ ___ _ __ ___
 | |_) / _` | '__/ __|/ _ \ '__/ _ \
 | __/ (_| | | \__ \ __/ | | (_) |
 |_| \__,_|_| |___/\___|_| \___/

usage: parsero [-h] [-u URL] [-o] [-sb]

optional arguments:
 -h, --help show this help message and exit
 -u URL Type the URL which will be analyzed
 -o Show only the "HTTP 200" status code
 -sb Search in Bing indexed Disallows

parsero Usage Example

Search for results from a website (-u using Bing indexed Disallows (-sb):

root@kali:~# parsero -u -sb

 | _ \ __ _ _ __ ___ ___ _ __ ___
 | |_) / _` | '__/ __|/ _ \ '__/ _ \
 | __/ (_| | | \__ \ __/ | | (_) |
 |_| \__,_|_| |___/\___|_| \___/

Starting Parsero v0.75 ( at 06/09/14 12:48:25
 Parsero scan report for 301 Moved Permanently 301 Moved Permanently 301 Moved Permanently 404 Not Found 404 Not Found 302 Found 200 OK 404 Not Found 200 OK 301 Moved Permanently 404 Not Found 405 Method Not Allowed 301 Moved Permanently 200 OK

21) plecost Package Description

WordPress finger printer tool, plecost search and retrieve information about the plugins versions installed in WordPress systems. It can analyze a single URL or perform an analysis based on the results indexed by Google. Additionally displays CVE code associated with each plugin, if there. Plecost retrieves the information contained on Web sites supported by WordPress, and also allows a search on the results indexed by Google.

plecost Homepage | Kali plecost Repo

  • Author: Francisco Jesus Gomez, Daniel Garcia Garcia
  • License: GPLv3

Tools included in the plecost package

root@kali:~# plecost -h

 // ..................................DMI...
 // .............................:MMMM......
 // .........................$MMMMM:........
 // .........M.....,M,=NMMMMMMMMD...........
 // ........MMN...MMMMMMMMMMMM,.............
 // .......MMMMMMMMMMMMMMMMM~...............
 // .......MMMMMMMMMMMMMMM..................
 // ....?MMMMMMMMMMMMMMMN$I.................
 // .?.MMMMMMMMMMMMMMMMMMMMMM...............
 // .MMMMMMMMMMMMMMN........................
 // 7MMMMMMMMMMMMMON$.......................
 // ZMMMMMMMMMMMMMMMMMM.......plecost.......
 // .:MMMMMMMZ~7MMMMMMMMMO..................
 // ....~+:.................................
 // Plecost - WordPress finger printer Tool (with threads support) 0.2.2-9-beta
 // Developed by:
 //        Francisco Jesus Gomez aka (
 //        Daniel Garcia Garcia (
 // Info:
 // Bug report:

Usage: /usr/bin/plecost [options] [ URL | [-l num] -G]

Google search options:
 -l num    : Limit number of results for each plugin in google.
 -G        : Google search mode

 -n        : Number of plugins to use (Default all - more than 7000).
 -c        : Check plugins only with CVE associated.
 -R file   : Reload plugin list. Use -n option to control the size (This take several minutes)
 -o file   : Output file. (Default "output.txt")
 -i file   : Input plugin list. (Need to start the program)
 -s time   : Min sleep time between two probes. Time in seconds. (Default 10)
 -M time   : Max sleep time between two probes. Time in seconds. (Default 20)
 -t num    : Number of threads. (Default 1)
 -h        : Display help. (More info:


* Reload first 5 plugins list:
 plecost -R plugins.txt -n 5
 * Search vulnerable sites for first 5 plugins:
 plecost -n 5 -G -i plugins.txt
 * Search plugins with 20 threads, sleep time between 12 and 30 seconds for
 plecost -i plugin_list.txt -s 12 -M 30 -t 20 -o results.txt

plecost Usage Example

Use 100 plugins (-n 100), sleep for 10 seconds between probes (-s 10) but no more than 15 (-M 15) and use the plugin list (-i /usr/share/plecost/wp_plugin_list.txt) to scan the given URL (

root@kali:~# plecost -n 100 -s 10 -M 15 -i /usr/share/plecost/wp_plugin_list.txt
 [*] Num of checks set to: 100-------------------------------------------------
 [*] Input plugin list set to: /usr/share/plecost/wp_plugin_list.txt
 [*] Min sleep time set to: 10
 [*] Max sleep time set to: 15
 -------------------------------------------------==> Results for: <==[i] WordPress version found:  3.9.1
 [i] WordPress last public version: 3.9.1[*] Search for installed plugins[i] Plugin found: akismet
 |_Latest version:  2.4.0
 |_ Installed version: 3.0.0
 |_CVE list:
 |___CVE-2009-2334: (
 |___CVE-2007-2714: (
 |___CVE-2006-4743: (
 |___CVE-2009-2334: (
 |___CVE-2007-2714: (
 |___CVE-2006-4743: (

22) Powerfuzzer Package Description

Powerfuzzer is a highly automated and fully customizable web fuzzer (HTTP protocol based application fuzzer) based on many other Open Source fuzzers available and information gathered from numerous security resources and websites. It was designed to be user friendly, modern, effective and working.

Currently, it is capable of identifying these problems:

  • Cross Site Scripting (XSS)
  • Injections (SQL, LDAP, code, commands, and XPATH)
  • CRLF
  • HTTP 500 statuses (usually indicative of a possible misconfiguration/security flaw incl. buffer overflow)

Designed and coded to be modular and extendable. Adding new checks should simply entail adding new methods.

Powerfuzzer Homepage | Kali Powerfuzzer Repo

  • Author: Marcin Kozlowski
  • License: GPLv3

Tools included in the powerfuzzer package

powerfuzzer – Web Application Vulnerability Scanner

A Web Application Vulnerability Scanner.

Powerfuzzer Usage Example

root@kali:~# powerfuzzer

23) ProxyStrike Package Description

ProxyStrike is an active Web Application Proxy. It’s a tool designed to find vulnerabilities while browsing an application. It was created because the problems we faced in the pentests of web applications that depends heavily on Javascript, not many web scanners did it good in this stage, so we came with this proxy.

Right now it has available Sql injection and XSS plugins. Both plugins are designed to catch as many vulnerabilities as we can, it’s that why the SQL Injection plugin is a Python port of the great DarkRaver “Sqlibf”.

The process is very simple, ProxyStrike runs like a proxy listening in port 8008 by default, so you have to browse the desired web site setting your browser to use ProxyStrike as a proxy, and ProxyStrike will analyze all the paremeters in background mode. For the user is a passive proxy because you won’t see any different in the behaviour of the application, but in the background is very active. 🙂

Some features:

  • Plugin engine (Create your own plugins!)
  • Request interceptor
  • Request diffing
  • Request repeater
  • Automatic crawl process
  • Http request/response history
  • Request parameter stats
  • Request parameter values stats
  • Request url parameter signing and header field signing
  • Use of an alternate proxy (tor for example ;D )
  • Sql attacks (plugin)
  • Server Side Includes (plugin)
  • Xss attacks (plugin)
  • Attack logs
  • Export results to HTML or XML

ProxyStrike Homepage | Kali ProxyStrike Repo

  • Author: Carlos del ojo Elias
  • License: GPLv2

Tools included in the proxystrike package

proxystrike – Active web application proxy

An active Web Application Proxy.

ProxyStrike Usage Example(s)

root@kali:~# proxystrike

24) Recon-ng Package Description

Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, us the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng! See the Usage Guide for more information.

Recon-ng is a completely modular framework and makes it easy for even the newest of Python developers to contribute. Each module is a subclass of the “module” class. The “module” class is a customized “cmd” interpreter equipped with built-in functionality that provides simple interfaces to common tasks such as standardizing output, interacting with the database, making web requests, and managing API keys. Therefore, all the hard work has been done. Building modules is simple and takes little more than a few minutes. See the Development Guide for more information.

Recon-ng Homepage | Kali Recon-ng Repo

  • Author: Tim Tomes
  • License: GPLv3

Tools included in the recon-ng package

recon-ng – Web Reconnaissance framework written in Python

A full-featured Web Reconnaissance framework.

recon-ng Usage Example

Search for results on (use recon/hosts/enum/http/web/xssed) for the target domain (set DOMAIN

root@kali:~# recon-ng

_/_/_/    _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/
 _/    _/  _/        _/        _/      _/  _/_/    _/            _/_/    _/  _/
 _/_/_/    _/_/_/    _/        _/      _/  _/  _/  _/  _/_/_/_/  _/  _/  _/  _/  _/_/_/
 _/    _/  _/        _/        _/      _/  _/    _/_/            _/    _/_/  _/      _/
 _/    _/  _/_/_/_/    _/_/_/    _/_/_/    _/      _/            _/      _/    _/_/_/

 |  _                     ___    _                        __                 |
 | |_)| _  _|_  |_|.|| _   |  _ |_ _  _ _  _ _|_o _  _   (_  _  _    _o_|_   |
 | |_)|(_|(_|\  | ||||_\  _|_| || (_)| |||(_| | |(_)| |  __)(/_(_|_|| | | \/ |
 |                                                                        /  |
 |              Consulting | Research | Development | Training               |
 |                                 |

[recon-ng v3.5.1, Tim Tomes (@LaNMaSteR53)]

[65] Recon modules
 [6]  Discovery modules
 [4]  Reporting modules
 [3]  Import modules
 [2]  Exploitation modules

[recon-ng][default] > use recon/hosts/enum/http/web/xssed
 [recon-ng][default][xssed] > set DOMAIN
 [recon-ng][default][xssed] > run
 [*] URL:
 [*] Mirror:
 [*] Domain:
 [*] URL:
 [*] Date submitted: 16/02/2012
 [*] Date published: 16/02/2012
 [*] Category: Redirect
 [*] Status: UNFIXED
 [*] Mirror:
 [*] Domain:
 [*] URL:
 [*] Date submitted: 10/02/2012
 [*] Date published: 13/02/2012
 [*] Category: XSS
 [*] Status: UNFIXED

25) Skipfish Package Description

Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Key features:

  • High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint – easily achieving 2000 requests per second with responsive targets.
  • Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
  • Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

Skipfish Homepage | Kali Skipfish Repo

  • Author: Google Inc, Michal Zalewski, Niels Heinen, Sebastian Roschke
  • License: Apache-2.0

tools included in the skipfish package

skipfish – Fully automated, active web application security reconnaissance tool
root@kali:~# skipfish -h

 skipfish web application scanner - version 2.10b

 Usage: skipfish [ options ... ] -W wordlist -o output_dir start_url [ start_url2 ... ]Authentication and access options:-A user:pass      - use specified HTTP authentication credentials

 -F host=IP        - pretend that 'host' resolves to 'IP'

 -C name=val       - append a custom cookie to all requests

 -H name=val       - append a custom HTTP header to all requests

 -b (i|f|p)        - use headers consistent with MSIE / Firefox / iPhone

 -N                - do not accept any new cookies

 --auth-form url   - form authentication URL

 --auth-user user  - form authentication user

 --auth-pass pass  - form authentication password

 --auth-verify-url -  URL for in-session detectionCrawl scope options:-d max_depth     - maximum crawl tree depth (16)

 -c max_child     - maximum children to index per node (512)

 -x max_desc      - maximum descendants to index per branch (8192)

 -r r_limit       - max total number of requests to send (100000000)

 -p crawl%        - node and link crawl probability (100%)

 -q hex           - repeat probabilistic scan with given seed

 -I string        - only follow URLs matching 'string'

 -X string        - exclude URLs matching 'string'

 -K string        - do not fuzz parameters named 'string'

 -D domain        - crawl cross-site links to another domain

 -B domain        - trust, but do not crawl, another domain

 -Z               - do not descend into 5xx locations

 -O               - do not submit any forms

 -P               - do not parse HTML, etc, to find new linksReporting options:-o dir          - write output to specified directory (required)

 -M              - log warnings about mixed content / non-SSL passwords

 -E              - log all HTTP/1.0 / HTTP/1.1 caching intent mismatches

 -U              - log all external URLs and e-mails seen

 -Q              - completely suppress duplicate nodes in reports

 -u              - be quiet, disable realtime progress stats

 -v              - enable runtime logging (to stderr)Dictionary management options:-W wordlist     - use a specified read-write wordlist (required)

 -S wordlist     - load a supplemental read-only wordlist

 -L              - do not auto-learn new keywords for the site

 -Y              - do not fuzz extensions in directory brute-force

 -R age          - purge words hit more than 'age' scans ago

 -T name=val     - add new form auto-fill rule

 -G max_guess    - maximum number of keyword guesses to keep (256)-z sigfile      - load signatures from this filePerformance settings:-g max_conn     - max simultaneous TCP connections, global (40)

 -m host_conn    - max simultaneous connections, per target IP (10)

 -f max_fail     - max number of consecutive HTTP errors (100)

 -t req_tmout    - total request response timeout (20 s)

 -w rw_tmout     - individual network I/O timeout (10 s)

 -i idle_tmout   - timeout on idle HTTP connections (10 s)

 -s s_limit      - response size limit (400000 B)

 -e              - do not keep binary responses for reporting

Other settings:

-l max_req      - max requests per second (0.000000)
 -k duration     - stop scanning after the given duration h:m:s
 --config file   - load the specified configuration file

Send comments and complaints to <>.

skipfish Usage Example

Using the given directory for output (-o 202) , scan the web application URL (

root@kali:~# skipfish -o 202

skipfish version 2.10b by

- -

Scan statistics:

Scan time : 0:00:05.849
 HTTP requests : 2841 (485.6/s), 1601 kB in, 563 kB out (370.2 kB/s)
 Compression : 802 kB in, 1255 kB out (22.0% gain)
 HTTP faults : 0 net errors, 0 proto errors, 0 retried, 0 drops
 TCP handshakes : 46 total (61.8 req/conn)
 TCP faults : 0 failures, 0 timeouts, 16 purged
 External links : 512 skipped
 Reqs pending : 0

Database statistics:

Pivots : 13 total, 12 done (92.31%)
 In progress : 0 pending, 0 init, 0 attacks, 1 dict
 Missing nodes : 0 spotted
 Node types : 1 serv, 4 dir, 6 file, 0 pinfo, 0 unkn, 2 par, 0 val
 Issues found : 10 info, 0 warn, 0 low, 8 medium, 0 high impact
 Dict size : 20 words (20 new), 1 extensions, 202 candidates
 Signatures : 77 total

[+] Copying static resources...
 [+] Sorting and annotating crawl nodes: 13
 [+] Looking for duplicate entries: 13
 [+] Counting unique nodes: 11
 [+] Saving pivot data for third-party tools...
 [+] Writing scan description...
 [+] Writing crawl tree: 13
 [+] Generating summary views...
 [+] Report saved to '202/index.html' [0x7054c49d].
 [+] This was a great day for science!

26) sqlmap Package Description

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.


  • Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
  • Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
  • Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
  • Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
  • Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
  • Support to dump database tables entirely, a range of entries or specific columns as per user’s choice. The user can also choose to dump only a range of characters from each column’s entry.
  • Support to search for specific database names, specific tables across all databases or specific columns across all databases’ tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns’ names contain string like name and pass.
  • Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
  • Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user’s choice.
  • Support for database process’ user privilege escalation via Metasploit’s Meterpreter getsystem command.

sqlmap Homepage | Kali sqlmap Repo

  • Author: Bernardo Damele Assumpcao Guimaraes, Miroslav Stampar
  • License: GPLv2

Tools included in the sqlmap package

sqlmap – automatic SQL injection tool
root@kali:~# sqlmap -h

 Usage: python sqlmap [options]Options:

 -h, --help            Show basic help message and exit

 -hh                   Show advanced help message and exit

 --version             Show program's version number and exit

 -v VERBOSE            Verbosity level: 0-6 (default 1)Target:

 At least one of these options has to be provided to define the

 target(s)-u URL, --url=URL   Target URL (e.g. "")

 -g GOOGLEDORK       Process Google dork results as target URLsRequest:

 These options can be used to specify how to connect to the target URL--data=DATA         Data string to be sent through POST

 --cookie=COOKIE     HTTP Cookie header value

 --random-agent      Use randomly selected HTTP User-Agent header value

 --proxy=PROXY       Use a proxy to connect to the target URL

 --tor               Use Tor anonymity network

 --check-tor         Check to see if Tor is used properlyInjection:

 These options can be used to specify which parameters to test for,

 provide custom injection payloads and optional tampering scripts-p TESTPARAMETER    Testable parameter(s)

 --dbms=DBMS         Force back-end DBMS to this valueDetection:

 These options can be used to customize the detection phase--level=LEVEL       Level of tests to perform (1-5, default 1)

 --risk=RISK         Risk of tests to perform (0-3, default 1)Techniques:

 These options can be used to tweak testing of specific SQL injection

 techniques--technique=TECH    SQL injection techniques to use (default "BEUSTQ")

 These options can be used to enumerate the back-end database
 management system information, structure and data contained in the
 tables. Moreover you can run your own SQL statements

-a, --all           Retrieve everything
 -b, --banner        Retrieve DBMS banner
 --current-user      Retrieve DBMS current user
 --current-db        Retrieve DBMS current database
 --passwords         Enumerate DBMS users password hashes
 --tables            Enumerate DBMS database tables
 --columns           Enumerate DBMS database table columns
 --schema            Enumerate DBMS schema
 --dump              Dump DBMS database table entries
 --dump-all          Dump all DBMS databases tables entries
 -D DB               DBMS database to enumerate
 -T TBL              DBMS database table(s) to enumerate
 -C COL              DBMS database table column(s) to enumerate

Operating system access:
 These options can be used to access the back-end database management
 system underlying operating system

--os-shell          Prompt for an interactive operating system shell
 --os-pwn            Prompt for an OOB shell, Meterpreter or VNC

 These options can be used to set some general working parameters

--batch             Never ask for user input, use the default behaviour
 --flush-session     Flush session files for current target

 --wizard            Simple wizard interface for beginner users

[!] to see full list of options run with '-hh'

[*] shutting down at 15:52:48

sqlmap Usage Example

Attack the given URL (-u “”) and extract the database names (–dbs):

root@kali:~# sqlmap -u "" --dbs

sqlmap/1.0-dev - automatic SQL injection and database takeover tool

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 13:11:04

27) Sqlninja Package Description

Fancy going from a SQL Injection on Microsoft SQL Server to a full GUI access on the DB? Take a few new SQL Injection tricks, add a couple of remote shots in the registry to disable Data Execution Prevention, mix with a little Perl that automatically generates a debug script, put all this in a shaker with a Metasploit wrapper, shake well and you have just one of the attack modules of sqlninja!

Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.

Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered.

Sqlninja Homepage | Kali Sqlninja Repo

  • Author: icesurfer
  • License: GPLv3

Tools included in the sqlninja package

sqlninja – SQL server injection and takeover tool
root@kali:~# sqlninja -h
 Unknown option: h
 Usage: /usr/bin/sqlninja
 -m <mode> : Required. Available modes are:
 t/test - test whether the injection is working
 f/fingerprint - fingerprint user, xp_cmdshell and more
 b/bruteforce - bruteforce sa account
 e/escalation - add user to sysadmin server role
 x/resurrectxp - try to recreate xp_cmdshell
 u/upload - upload a .scr file
 s/dirshell - start a direct shell
 k/backscan - look for an open outbound port
 r/revshell - start a reverse shell
 d/dnstunnel - attempt a dns tunneled shell
 i/icmpshell - start a reverse ICMP shell
 c/sqlcmd - issue a 'blind' OS command
 m/metasploit - wrapper to Metasploit stagers
 -f <file> : configuration file (default: sqlninja.conf)
 -p <password> : sa password
 -w <wordlist> : wordlist to use in bruteforce mode (dictionary method
 -g : generate debug script and exit (only valid in upload mode)
 -v : verbose output
 -d <mode> : activate debug
 1 - print each injected command
 2 - print each raw HTTP request
 3 - print each raw HTTP response
 all - all of the above
 ...see sqlninja-howto.html for details

sqlninja Usage Example

Connect to the target in test mode (-m t) with the specified config file (-f /root/sqlninja.conf):

root@kali:~# sqlninja -m t -f /root/sqlninja.conf
 Sqlninja rel. 0.2.6-r1
 Copyright (C) 2006-2011 icesurfer <>
 [+] Parsing /root/sqlninja.conf...
 [+] Target is:
 [+] Trying to inject a 'waitfor delay'....

28) sqlsus Package Description

sqlsus is an open source MySQL injection and takeover tool, written in perl.

Via a command line interface, you can retrieve the database(s) structure, inject your own SQL queries (even complex ones), download files from the web server, crawl the website for writable directories, upload and control a backdoor, clone the database(s), and much more…
Whenever relevant, sqlsus will mimic a MySQL console output.

sqlsus focuses on speed and efficiency, optimizing the available injection space, making the best use (I can think of) of MySQL functions.
It uses stacked subqueries and an powerful blind injection algorithm to maximize the data gathered per web server hit.
Using multi-threading on top of that, sqlsus is an extremely fast database dumper, be it for inband or blind injection.

If the privileges are high enough, sqlsus will be a great help for uploading a backdoor through the injection point, and takeover the web server.

It uses SQLite as a backend, for an easier use of what has been dumped, and integrates a lot of usual features (see below) such as cookie support, socks/http proxying, https.

sqlsus Homepage | Kali sqlsus Repo

  • Author: Jérémy Ruffet
  • License: GPLv3

Tools included in the sqlsus package

sqlsus – MySQL injection tool
root@kali:~# sqlsus -h

sqlsus version 0.7.2

Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

 sqlsus [options] [config file]

 -h, --help                    brief help message
 -v, --version                 version information
 -e, --execute <commands>      execute commands and exit
 -g, --genconf <filename>      generate configuration file

sqlsus Usage Example

Generate a configuration file for the scan (-g sqlsus.cfg):

root@kali:~# sqlsus -g sqlsus.cfg

sqlsus version 0.7.2

Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

[+] Configuration successfully saved to sqlsus.cfg
 root@kali:~# nano sqlsus.cfg
root@kali:~# sqlsus sqlsus.cfg

sqlsus version 0.7.2

Copyright (c) 2008-2011 Jérémy Ruffet (sativouf)

[+] Session "" created
 sqlsus> start

29) ua-tester Package Description

This tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line). The results of these checks are then reported to the user for further manual analysis where required.

ua-tester Homepage | Kali ua-tester Repo

  • Author: Chris John Riley
  • License: BSD

Tools included in the ua-tester package

ua-tester – User agent string tester
root@kali:~# ua-tester

_/    _/  _/_/_/_/       _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/
 _/    _/  _/    _/          _/    _/       _/          _/    _/       _/    _/
 _/    _/  _/_/_/_/  _/_/_/  _/    _/_/_/   _/_/_/_/    _/    _/_/_/   _/_/_/_
 _/    _/  _/    _/          _/    _/             _/    _/    _/       _/    _/
 _/_/_/_/  _/    _/          _/    _/_/_/_/ _/_/_/_/    _/    _/_/_/_/ _/      _/ [v1.06]

_/ User-Agent Tester ?
 _/ AKA: Purple Pimp ?
 _/ ChrisJohnRiley ?
 _/ ?

This tool is designed to automatically check a given URL using a list of standard and non-
 standard User Agent strings provided by the user (1 per line).

The results of these checks are then reported to the user for further manual analysis where
 required. Gathered data includes Response Codes, resulting URL in the case of a 30x response,
 MD5 and length of response body, and select Server headers.

Results: When in non-verbose mode, only values that do not match the initial reference connection
 are reported to the user. If no results are shown for a specific useragent then all results match
 the initial reference connection. If you require a full output of all checks regardless of matches
 to the reference, please use the verbose setting.

Output:  [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change

Usage .:
 -u / --url Complete URL
 -f / --file <Path to User Agent file> / If no file is provided, -d options must be present
 -s / --single provide single user-agent string (may need to be contained within quotes)
 -d / --default Select the UA String type(s) to check. Select 1 or more of the following ?
 catagories. (M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!])

-o / --output <Path to output file> CSV formated output (FILE WILL BE OVERWRITTEN[!])
 -v / --verbose results (Displays full headers for each check) >> Recommended
 --debug See debug messages (This isn't the switch you're looking for)

Example .:

./ -u -f ./useragentlist.txt -v
 ./ -u
 ./ -u -v --debug
 ./ -u -v -d MDBX
 ./ -u -s "MySpecialUserAgent"
 ./ -u -d MC -o ./output.csv

ua-tester Usage Example

Connect to the URL (-u and use mobile device User-Agent strings (-d M) to check for different content:

root@kali:~# ua-tester -u -d M

_/    _/  _/_/_/_/       _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/ _/_/_/_/
 _/    _/  _/    _/          _/    _/       _/          _/    _/       _/    _/
 _/    _/  _/_/_/_/  _/_/_/  _/    _/_/_/   _/_/_/_/    _/    _/_/_/   _/_/_/_
 _/    _/  _/    _/          _/    _/             _/    _/    _/       _/    _/
 _/_/_/_/  _/    _/          _/    _/_/_/_/ _/_/_/_/    _/    _/_/_/_/ _/      _/ [v1.06]

_/ User-Agent Tester ?
 _/ AKA: Purple Pimp ?
 _/ ChrisJohnRiley ?
 _/ ?

[>] Performing initial request and confirming stability
 [>] Using User-Agent string Mozilla/5.0

 [!] URL (FINAL):
 [!] Response Code: 301 Moved Permanently
 [ ] Date: Fri, 16 May 2014 20:25:31 GMT
 [ ] Server: Apache/2.2.22 (Debian)
 [ ] X-Powered-By: PHP/5.4.4-14+deb7u9
 [ ] Set-Cookie: c8af288c8bfe7241582aabcb2906ad43=kj3bm3h7vp9j4imdfi17h8c081; path=/; HttpOnly
 [ ] Expires: Mon, 1 Jan 2001 00:00:00 GMT
 [ ] Last-Modified: Fri, 16 May 2014 20:25:31 GMT
 [ ] Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 [ ] Pragma: no-cache
 [ ] Vary: Accept-Encoding
 [ ] Content-Length: 6005
 [ ] Connection: close
 [ ] Content-Type: text/html; charset=utf-8
 [ ] Data (MD5): d9febdb6fdb1874beae05dcbf410a95d

[1] Pass
 [2] Pass
 [3] Pass

[>] URL appears stable. Beginning test

[>] Using DEFAULT User-Agent Strings

[>] Using Mobile User-Agent Strings

[>] Output: [+] Added Headers, [-] Removed Headers, [!] Altered Headers, [ ] No Change

[>] User-Agent String : Mozilla/5.0 (iPhone; U; CPU like Mac OS X; en) AppleWebKit/420+ (KHTML, like Gecko)
 Version/3.0 Mobile/1A543a Safari/419.3

[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT

[>] User-Agent String : Mozilla/5.0 (iPad; U; CPU iPhone OS 3_2 like Mac OS X; en-us) AppleWebKit/531.21.10
 (KHTML, like Gecko) Version/4.0.4 Mobile/7B314 Safari/531.21.10

[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT

[>] User-Agent String : Mozilla/5.0 (Linux; U; Android 2.1-update1; en-at; HTC Hero Build/ERE27)
 AppleWebKit/530.17 (KHTML, like Gecko) Version/4.0 Mobile Safari/530.17

[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT

[>] User-Agent String : jBrowser-WAP

[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT

[>] User-Agent String : Nokia7650/1.0 Symbian-QP/6.1 Nokia/2.1

[!] Last-Modified: Fri, 16 May 2014 20:25:38 GMT

[>] That's all folks... Fo' Shizzle!

30) Uniscan Package Description

Uniscan is a simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner.

Uniscan Homepage | Kali Uniscan Repo

  • Author: Douglas Poerschke Rocha
  • License: GPLv3

Tools included in the uniscan package

uniscan – LFI, RFI, and RCE vulnerability scanner
root@kali:~# uniscan -h
 # Uniscan project                  #
 #  #
 -h  help
 -u  <url> example:
 -f  <file> list of url's
 -b  Uniscan go to background
 -q  Enable Directory checks
 -w  Enable File checks
 -e  Enable robots.txt and sitemap.xml check
 -d  Enable Dynamic checks
 -s  Enable Static checks
 -r  Enable Stress checks
 -i  <dork> Bing search
 -o  <dork> Google search
 -g  Web fingerprint
 -j  Server fingerprintusage:
 [1] perl ./ -u -qweds
 [2] perl ./ -f sites.txt -bqweds
 [3] perl ./ -i uniscan
 [4] perl ./ -i ""
 [5] perl ./ -o "inurl:test"
 [6] perl ./ -u -r

uniscan-gui – LFI, RFI, and RCE vulnerability scanner (GUI)

A simple Remote File Include, Local File Include and Remote Command Execution vulnerability scanner.

uniscan Usage Example

Scan the given URL (-u for vulnerabilities, enabling directory and dynamic checks (-qd):

root@kali:~# uniscan -u -qd
 # Uniscan project                  #
 #  #
 V. 6.2Scan date: 16-5-2014 16:29:48
 | Domain:
 | Server: Apache/2.2.22 (Debian)
 | IP:
 | Directory check:
 | [+] CODE: 200 URL:
 | [+] CODE: 200 URL:
 | Crawler Started:
 | Plugin name: FCKeditor upload test v.1 Loaded.
 | Plugin name: Web Backdoor Disclosure v.1.1 Loaded.
 | Plugin name: phpinfo() Disclosure v.1 Loaded.
 | Plugin name: E-mail Detection v.1.1 Loaded.
 | Plugin name: Timthumb <= 1.32 vulnerability v.1 Loaded.
 | Plugin name: Code Disclosure v.1.1 Loaded.
 | Plugin name: Upload Form Detect v.1.1 Loaded.
 | Plugin name: External Host Detect v.1.2 Loaded.
 | [+] Crawling finished, 27 URL's found!

uniscan-gui Usage Example

root@kali:~# uniscan-gui

31) Vega Package Description

Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: Javascript.

  • Automated Crawler and Vulnerability Scanner
  • Consistent UI
  • Website Crawler
  • Intercepting Proxy
  • Content Analysis
  • Extensibility through a Powerful Javascript Module API
  • Customizable alerts
  • Database and Shared Data Model

Vega Homepage | Kali Vega Repo

  • Author: Subgraph
  • License: Eclipse Public License 1.0

Tools included in the vega package

vega – Platform to test the security of web applications

The Open Source Web Application Security Platform.

vega Usage Example(s)

root@kali:~# vega

32) w3af Package Description

w3af is a Web Application Attack and Audit Framework which aims to identify and exploit all web application vulnerabilities. This package provides a graphical user interface (GUI) for the framework. If you want a command-line application only, install w3af-console. The framework has been called the “metasploit for the web”, but it’s actually much more than that, because it also discovers the web application vulnerabilities using black-box scanning techniques!. The w3af core and it’s plugins are fully written in Python. The project has more than 130 plugins, which identify and exploit SQL injection, cross site scripting (XSS), remote file inclusion and more.

w3af Homepage | Kali w3af Repo

  • Author: Andres Riancho
  • License: GPLv2

Tools included in the w3af package

w3af – Web Application Attack and Audit Framework

The Web Application Attack and Audit Framework.

w3af Usage Example

root@kali:~# w3af

33) WebScarab Package Description

WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.

WebScarab Homepage | Kali WebScarab Repo

  • Author: Rogan Dawes
  • License: GPLv2

Tools included in the webscarab package

webscarab – Web application review tool

WebScarab is a Web Application Review tool.

webscarab Usage Example

root@kali:~# webscarab

34) ebshag Package Description

Webshag is a multi-threaded, multi-platform web server audit tool. Written in Python, it gathers commonly useful functionalities for web server auditing like website crawling, URL scanning or file fuzzing.

Webshag can be used to scan a web server in HTTP or HTTPS, through a proxy and using HTTP authentication (Basic and Digest). In addition to that it proposes innovative IDS evasion functionalities aimed at making correlation between request more complicated (e.g. use a different random per request HTTP proxy server).

Webshag Homepage | Kali Webshag Repo

  • Author: ~SaD~, SCRT – Information Security
  • License: GPLv3

Tools included in the webshag package

webshag-cli – Multi-threaded web server audit tool (CLI)
root@kali:~# webshag-cli -h
 Usage: webshag-cli [-U | [options] target(s)]Options:
 --version       show program's version number and exit
 -h, --help      show this help message and exit
 -U              Update the URL scanner databases and exit
 -m MODULE       Use MODULE [pscan|info|spider|uscan|fuzz]. (default: uscan)
 -p PORT         Set target port to PORT. For modules uscan and fuzz PORT can
 be a list of ports [port1,port2,...]. (default: 80)
 -r ROOT         Set root directory to ROOT. For modules uscan and fuzz ROOT
 can be a list of directories [/root1/,/root2/,...].
 (default: /)
 -k SKIP         *uscan only* Set a false positive detection string
 -s SERVER       *uscan only* Bypass server detection and force server as
 -i SPIDER_INIT  *spider) only* Set spider initial crawling page (default: /)
 -n FUZZ_MODE    *fuzz only* Choose the fuzzing mode [list|gen]. (default:
 -e FUZZ_CFG     *fuzz / list only* Set the fuzzing parameters for list mode.
 11 = fuzz directories and files; 01 = fuzz files only; 10 =
 fuzz directories only; 00 = fuzz nothing. (default: 11)
 -g FUZZ_GEN     *fuzz / gen only* Set the filename generator expression.
 Refer to documentation for syntax reference. (default: )
 -x              Export a report summarizing results.
 -o OUTPUT       Set the format of the exported report. [xml|html|txt].
 (default: html)
 -f OUTPUT_FILE  Write report to FILE. (default: webshag_report.html)

webshag-gui – Multi-threaded web server audit tool (GUI)

A multi-threaded, multi-platform web server audit tool. The GUI-version.

webshag-cli Usage Example

Run a port scan (-m pscan) on the remote IP address (

root@kali:~# webshag-cli -m pscan
 ~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 % webshag 1.10
 % Module: pscan
 % Host:
 ~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 % PORT %    22 (tcp)
 % SRVC %    ssh
 % PROD %    OpenSSH
 % SYST %    Linux% PORT %    80 (tcp)
 % SRVC %    http
 % PROD %    Apache httpd% PORT %    9876 (tcp)
 % SRVC %    http
 % PROD %    Apache httpd~~~~~~~~~~~~~~~~~~~~~~~~~~ ## ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

webshag-gui Usage Example

root@kali:~# webshag-gui

35) WebSlayer Package Description

Webslayer is a tool designed for brute forcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts,files, etc), brute force GET and POST parameters, bruteforce Forms parameters (User/Password), Fuzzing, etc. The tools has a payload generator and an easy and powerful results analyzer.

You can perform attacks like:

  • Predictable resource locator, recursion supported (Discovery)
  • Login forms brute force
  • Session brute force
  • Parameter brute force
  • Parameter fuzzing and injection (XSS, SQL)
  • Basic and Ntml authentication brute forcing

Some features:

  • Recursion
  • Encodings: 15 encodings supported
  • Authentication: supports Ntml and Basic
  • Multiple payloads: you can use 2 payloads in different parts
  • Proxy support (authentication supported)
  • For predictable resource location it has: Recursion, common extensions, non standard code detection
  • Multiple filters for improving the performance and for producing cleaner results
  • Live filters
  • Multithreads
  • Session saving
  • Integrated browser (webKit)
  • Time delay between requests
  • Attack balancing across multiple proxies
  • Predefined dictionaries for predictable resource location, based on known servers

WebSlayer Homepage | Kali WebSlayer Repo

  • Author: OWASP
  • License: GPLv2

tools included in the webslayer package

webslayer – Web application bruteforcer

The web application bruteforcer.

webslayer Usage Example

root@kali:~# webslayer

36) WebSploit Package Description

WebSploit Is An Open Source Project For:

  • Social Engineering Works
  • Scan,Crawler & Analysis Web
  • Automatic Exploiter
  • Support Network Attacks
  • Autopwn – Used From Metasploit For Scan and Exploit Target Service
  • wmap – Scan,Crawler Target Used From Metasploit wmap plugin
  • format infector – inject reverse & bind payload into file format
  • phpmyadmin Scanner
  • CloudFlare resolver
  • LFI Bypasser
  • Apache Users Scanner
  • Dir Bruter
  • admin finder
  • MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
  • MITM – Man In The Middle Attack
  • Java Applet Attack
  • MFOD Attack Vector
  • USB Infection Attack
  • ARP Dos Attack
  • Web Killer Attack
  • Fake Update Attack
  • Fake Access point Attack
  • Wifi Honeypot
  • Wifi Jammer
  • Wifi Dos
  • Bluetooth POD Attack

WebSploit Homepage | Kali WebSploit Repo

  • Author: Fardin Allahverdinazhand
  • License: GPLv3

Tools included in the websploit package

websploit – The Websploit Framework

The Websploit Framework.

websploit Usage Example

root@kali:~# websploit
 WARNING: No route found for IPv6 destination :: (no default route?)__          __  _               _       _ _
 \ \        / / | |             | |     (_) |
 \ \  /\  / /__| |__  ___ _ __ | | ___  _| |_
 \ \/  \/ / _ \ '_ \/ __| '_ \| |/ _ \| | __|
 \  /\  /  __/ |_) \__ \ |_) | | (_) | | |_
 \/  \/ \___|_.__/|___/ .__/|_|\___/|_|\__|
 | |
 |_|--=[WebSploit FrameWork
 +---**---==[Version :2.0.5 BETA
 +---**---==[Codename :We're Not Crying Wolf
 +---**---==[Available Modules : 19
 --=[Update Date : [r2.0.5-000 2.3.2014]wsf > use web/dir_scanner
 wsf:Dir_Scanner > set TARGET
 wsf:Dir_Scanner > run
 [*] Your Target :
 [*]Loading Path List ... Please Wait ...
 [index] ... [400 Bad Request]
 [images] ... [400 Bad Request]
 [download] ... [400 Bad Request]
 [2006] ... [400 Bad Request]
 [news] ... [400 Bad Request]
 [crack] ... [400 Bad Request]

37) Wfuzz Package Description

Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.

Some features:

  • Multiple Injection points capability with multiple dictionaries
  • Recursion (When doing directory bruteforce)
  • Post, headers and authentication data brute forcing
  • Output to HTML
  • Colored output
  • Hide results by return code, word numbers, line numbers, regex
  • Cookies fuzzing
  • Multi threading
  • Proxy support
  • SOCK support
  • Time delays between requests
  • Authentication support (NTLM, Basic)
  • All parameters bruteforcing (POST and GET)
  • Multiple encoders per payload
  • Payload combinations with iterators
  • Baseline request (to filter results against)
  • Brute force HTTP methods
  • Multiple proxy support (each request through a different proxy)
  • HEAD scan (faster for resource discovery)
  • Dictionaries tailored for known applications (Weblogic, Iplanet, Tomcat, Domino, Oracle 9i, Vignette, Coldfusion and many more

Wfuzz Homepage | Kali Wfuzz Repo

  • Author: Christian Martorella, Carlos del ojo, Xavier Mendez aka Javi
  • License: GPLv2

Tools included in the wfuzz package

wfuzz – Web application bruteforcer
root@kali:~# wfuzz

 * Wfuzz  2.0 - The Web Bruteforcer                     *

Usage: /usr/bin/wfuzz [options] <url>

 -c              : Output with colors
 -v              : Verbose information
 -o printer          : Output format by stderr

-p addr             : use Proxy (ip:port or ip:port-ip:port-ip:port)
 -x type             : use SOCK proxy (SOCKS4,SOCKS5)
 -t N                : Specify the number of threads (20 default)
 -s N                : Specify time delay between requests (0 default)

-e <type>           : List of available encodings/payloads/iterators/printers
 -R depth            : Recursive path discovery
 -I              : Use HTTP HEAD instead of GET method (No HTML body responses).
 --follow            : Follow redirections

-m iterator         : Specify iterator (product by default)
 -z payload          : Specify payload (type,parameters,encoding)
 -V alltype          : All parameters bruteforcing (allvars and allpost). No need for FUZZ keyword.

-X              : Payload within HTTP methods (ex: "FUZZ HTTP/1.0"). No need for FUZZ keyword.
 -b cookie           : Specify a cookie for the requests
 -d postdata             : Use post data (ex: "id=FUZZ&catalogue=1")
 -H headers              : Use headers (ex:",Cookie:id=1312321&user=FUZZ")

--basic/ntlm/digest auth    : in format "user:pass" or "FUZZ:FUZZ" or "domain\FUZ2Z:FUZZ"

--hc/hl/hw/hh N[,N]+        : Hide resposnes with the specified[s] code/lines/words/chars (Use BBB for taking values from baseline)
 --hs regex          : Hide responses with the specified regex within the response

Keyword: FUZZ,FUZ2Z  wherever you put these words wfuzz will replace them by the payload selected.

Example: - -c -z file,commons.txt --hc 404 -o html 2> res.html
 - -c -z file,users.txt -z file,pass.txt --hc 404
 - -c -z range,1-10 --hc=BBB{something}

More examples in the README.

wfuzz Usage Example

Use colour output (-c), a wordlist as a payload (-z file,/usr/share/wfuzz/wordlist/general/common.txt), and hide 404 messages (–hc 404) to fuzz the given URL(

root@kali:~# wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404

 * Wfuzz  2.0 - The Web Bruteforcer                     *

 Payload type: file,/usr/share/wfuzz/wordlist/general/common.txt

Total requests: 950
 ID  Response   Lines      Word         Chars          Request

00429:  C=200      4 L        25 W      177 Ch    " - index"
 00466:  C=301      9 L        28 W      319 Ch    " - javascript"

38) WPScan Package Description

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues.

WPScan Homepage | Kali wpscan Repo

  • Author: The WPScan Team
  • License: Other

Tools included in the wpscan package

wpscan – WordPress vulnerability scanner
root@kali:~# wpscan  --help


__          _______   _____

\ \        / /  __ \ / ____|

\ \  /\  / /| |__) | (___   ___  __ _ _ __

\ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \

\  /\  /  | |     ____) | (__| (_| | | | |

\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan Team

Version 2.6

Sponsored by Sucuri -

@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_

_______________________________________________________________Help :Some values are settable in a config file, see the example.conf.json--update                            Update to the database to the latest version.

--url       | -u <target url>       The WordPress URL/domain to scan.

--force     | -f                    Forces WPScan to not check if the remote site is running WordPress.

--enumerate | -e [option(s)]        Enumeration.

option :

u        usernames from id 1 to 10

u[10-20] usernames from id 10 to 20 (you must write [] chars)

p        plugins

vp       only vulnerable plugins

ap       all plugins (can take a long time)

tt       timthumbs

t        themes

vt       only vulnerable themes

at       all themes (can take a long time)

Multiple values are allowed : "-e tt,p" will enumerate timthumbs and plugins

If no option is supplied, the default is "vt,tt,u,vp"--exclude-content-based "<regexp or string>"

Used with the enumeration option, will exclude all occurrences based on the regexp or string supplied.

You do not need to provide the regexp delimiters, but you must write the quotes (simple or double).

--config-file  | -c <config file>   Use the specified config file, see the example.conf.json.

--user-agent   | -a <User-Agent>    Use the specified User-Agent.

--cookie <String>                   String to read cookies from.

--random-agent | -r                 Use a random User-Agent.

--follow-redirection                If the target url has a redirection, it will be followed without asking if you wanted to do so or not

--batch                             Never ask for user input, use the default behaviour.

--no-color                          Do not use colors in the output.

--wp-content-dir <wp content dir>   WPScan try to find the content directory (ie wp-content) by scanning the index page, however you can specified it.

Subdirectories are allowed.

--wp-plugins-dir <wp plugins dir>   Same thing than --wp-content-dir but for the plugins directory.

If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed

--proxy <[protocol://]host:port>    Supply a proxy. HTTP, SOCKS4 SOCKS4A and SOCKS5 are supported.

If no protocol is given (format host:port), HTTP will be used.

--proxy-auth <username:password>    Supply the proxy login credentials.

--basic-auth <username:password>    Set the HTTP Basic authentication.

--wordlist | -w <wordlist>          Supply a wordlist for the password brute forcer.

--username | -U <username>          Only brute force the supplied username.

--usernames     <path-to-file>      Only brute force the usernames from the file.

--threads  | -t <number of threads> The number of threads to use when multi-threading requests.

--cache-ttl       <cache-ttl>       Typhoeus cache TTL.

--request-timeout <request-timeout> Request Timeout.

--connect-timeout <connect-timeout> Connect Timeout.

--max-threads     <max-threads>     Maximum Threads.

--help     | -h                     This help screen.

--verbose  | -v                     Verbose output.

--version                           Output the current version and exit.Examples :-Further help ...

ruby ./wpscan.rb --help-Do 'non-intrusive' checks ...

ruby ./wpscan.rb --url wordlist password brute force on enumerated users using 50 threads ...

ruby ./wpscan.rb --url --wordlist darkc0de.lst --threads 50-Do wordlist password brute force on the 'admin' username only ...

ruby ./wpscan.rb --url --wordlist darkc0de.lst --username admin-Enumerate installed plugins ...

ruby ./wpscan.rb --url --enumerate p

-Enumerate installed themes ...
 ruby ./wpscan.rb --url --enumerate t

-Enumerate users ...
 ruby ./wpscan.rb --url --enumerate u

-Enumerate installed timthumbs ...
 ruby ./wpscan.rb --url --enumerate tt

-Use a HTTP proxy ...
 ruby ./wpscan.rb --url --proxy

-Use a SOCKS5 proxy ... (cURL >= v7.21.7 needed)
 ruby ./wpscan.rb --url --proxy socks5://

-Use custom content directory ...
 ruby ./wpscan.rb -u --wp-content-dir custom-content

-Use custom plugins directory ...
 ruby ./wpscan.rb -u --wp-plugins-dir wp-content/custom-plugins

-Update the DB ...
 ruby ./wpscan.rb --update

-Debug output ...
 ruby ./wpscan.rb --url --debug-output 2>debug.log

See README for further information.

WPScan Usage Example

Scan a target WordPress URL and enumerate any plugins that are installed:

root@kali:~# wpscan --url http://wordpress.local --enumerate p
 __          _______   _____
 \ \        / /  __ \ / ____|
 \ \  /\  / /| |__) | (___   ___  __ _ _ __
 \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
 \  /\  /  | |     ____) | (__| (_| | | | |
 \/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan Team
 Version 2.6
 Sponsored by Sucuri -
 @_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
 _______________________________________________________________[+] URL: http://wordpress.local/
 [+] Started: Mon Jan 12 14:07:40 2015[+] robots.txt available under: 'http://wordpress.local/robots.txt'
 [+] Interesting entry from robots.txt: http://wordpress.local/search
 [+] Interesting entry from robots.txt: http://wordpress.local/support/search.php
 [+] Interesting entry from robots.txt: http://wordpress.local/extend/plugins/search.php
 [+] Interesting entry from robots.txt: http://wordpress.local/plugins/search.php
 [+] Interesting entry from robots.txt: http://wordpress.local/extend/themes/search.php
 [+] Interesting entry from robots.txt: http://wordpress.local/themes/search.php
 [+] Interesting entry from robots.txt: http://wordpress.local/support/rss
 [+] Interesting entry from robots.txt: http://wordpress.local/archive/
 [+] Interesting header: SERVER: nginx
 [+] Interesting header: X-FRAME-OPTIONS: SAMEORIGIN
 [+] Interesting header: X-NC: HIT lax 249
 [+] XML-RPC Interface available under: http://wordpress.local/xmlrpc.php[+] WordPress version 4.2-alpha-31168 identified from rss generator[+] Enumerating installed plugins  ...Time: 00:00:35 <======================================================> (2166 / 2166) 100.00% Time: 00:00:35[+] We found 2166 plugins:

39) XSSer Package Description

Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications. It contains several options to try to bypass certain filters, and various special techniques of code injection.

XSSer Homepage | Kali XSSer Repo

  • Author: psy (epsylon)
  • License: GPLv3

Tools included in the xsser package

xsser – XSS testing framework
root@kali:~# xsser -h

 Usage:xsser [OPTIONS] [-u <url> |-i <file> |-d <dork>] [-g <get> |-p <post> |-c <crawl>] [Request(s)] [Vector(s)] [Bypasser(s)] [Technique(s)] [Final Injection(s)]Cross Site "Scripter" is an automatic -framework- to detect, exploit and

 report XSS vulnerabilities in web-based applications.Options:

 --version             show program's version number and exit

 -h, --help            show this help message and exit

 -s, --statistics      show advanced statistics output results

 -v, --verbose         active verbose mode output results

 --gtk                 launch XSSer GTK Interface (Wizard included!)*Special Features*:

 You can choose Vector(s) and Bypasser(s) to inject code with this

 extra special features:--imx=IMX           create a false image with XSS code embedded

 --fla=FLASH         create a false .swf file with XSS code embedded*Select Target(s)*:

 At least one of these options has to be specified to set the source to

 get target(s) urls from. You need to choose to run XSSer:-u URL, --url=URL   Enter target(s) to audit

 -i READFILE         Read target urls from a file

 -d DORK             Process search engine dork results as target urls

 --De=DORK_ENGINE    Search engine to use for dorking (bing, altavista,

 yahoo, baidu, yandex, youdao, webcrawler, google, etc.

 See file to check for available engines)*Select type of HTTP/HTTPS Connection(s)*:

 These options can be used to specify which parameter(s) we want to use

 like payload to inject code.-g GETDATA          Enter payload to audit using GET (ex: '/menu.php?q=')

 -p POSTDATA         Enter payload to audit using POST (ex: 'foo=1&bar=')

 -c CRAWLING         Number of urls to crawl on target(s): 1-99999

 --Cw=CRAWLER_WIDTH  Deeping level of crawler: 1-5

 --Cl                Crawl only local target(s) urls (default TRUE)*Configure Request(s)*:

 These options can be used to specify how to connect to target(s)

 payload(s). You can choose multiple:--cookie=COOKIE     Change your HTTP Cookie header

 --drop-cookie       Ignore Set-Cookie header from response

 --user-agent=AGENT  Change your HTTP User-Agent header (default SPOOFED)

 --referer=REFERER   Use another HTTP Referer header (default NONE)

 --xforw             Set your HTTP X-Forwarded-For with random IP values

 --xclient           Set your HTTP X-Client-IP with random IP values

 --headers=HEADERS   Extra HTTP headers newline separated

 --auth-type=ATYPE   HTTP Authentication type (Basic, Digest, GSS or NTLM)

 --auth-cred=ACRED   HTTP Authentication credentials (name:password)

 --proxy=PROXY       Use proxy server (tor: http://localhost:8118)

 --ignore-proxy      Ignore system default HTTP proxy

 --timeout=TIMEOUT   Select your timeout (default 30)

 --retries=RETRIES   Retries when the connection timeouts (default 1)

 --threads=THREADS   Maximum number of concurrent HTTP requests (default 5)

 --delay=DELAY       Delay in seconds between each HTTP request (default 0)

 --tcp-nodelay       Use the TCP_NODELAY option

 --follow-redirects  XSSer will follow server redirection responses (302)

 --follow-limit=FLI  Set how many times XSSer will follow redirections

 (default 50)

*Checker Systems*:
 This options are usefull to know if your target(s) have some filters
 against XSS attacks, to reduce 'false positive' results and to perform
 more advanced tests:

--no-head           NOT verify the stability of the url (codes: 200|302)
 with a HEAD pre-check request
 --alive=ISALIVE     set limit of every how much errors XSSer must to
 verify that target is alive
 --hash              send an unique hash, without vectors, to pre-check if
 target(s) repeats all content recieved
 --heuristic         launch a heuristic testing to discover which
 parameters are filtered on target(s) code: ;\/<>"'=
 --checkaturl=ALT    check for a valid XSS response from target(s) at an
 alternative url. 'blind XSS'
 --checkmethod=ALTM  check responses from target(s) using a different
 connection type: GET or POST (default: GET)
 --checkatdata=ALD   check responses from target(s) using an alternative
 payload (default: same than first injection)
 --reverse-check     establish a reverse connection from target(s) to XSSer
 to certificate that is 100% vulnerable

*Select Vector(s)*:
 These options can be used to specify a XSS vector source code to
 inject in each payload. Important, if you don't want to try to inject
 a common XSS vector, used by default. Choose only one option:

--payload=SCRIPT    OWN  - Insert your XSS construction -manually-
 --auto              AUTO - Insert XSSer 'reported' vectors from file
 (HTML5 vectors included!)

*Select Bypasser(s)*:
 These options can be used to encode selected vector(s) to try to
 bypass possible anti-XSS filters on target(s) code and possible IPS
 rules, if the target use it. Also, can be combined with other
 techniques to provide encoding:

--Str               Use method String.FromCharCode()
 --Une               Use Unescape() function
 --Mix               Mix String.FromCharCode() and Unescape()
 --Dec               Use Decimal encoding
 --Hex               Use Hexadecimal encoding
 --Hes               Use Hexadecimal encoding, with semicolons
 --Dwo               Encode vectors IP addresses in DWORD
 --Doo               Encode vectors IP addresses in Octal
 --Cem=CEM           Try -manually- different Character Encoding Mutations
 (reverse obfuscation: good) -> (ex: 'Mix,Une,Str,Hex')

*Special Technique(s)*:
 These options can be used to try to inject code using different type
 of XSS techniques. You can choose multiple:

--Coo               COO - Cross Site Scripting Cookie injection
 --Xsa               XSA - Cross Site Agent Scripting
 --Xsr               XSR - Cross Site Referer Scripting
 --Dcp               DCP - Data Control Protocol injections
 --Dom               DOM - Document Object Model injections
 --Ind               IND - HTTP Response Splitting Induced code
 --Anchor            ANC - Use Anchor Stealth payloader (DOM shadows!)
 --Phpids            PHP - Exploit PHPIDS bug (0.6.5) to bypass filters

*Select Final injection(s)*:
 These options can be used to specify the final code to inject in
 vulnerable target(s). Important, if you want to exploit on-the-wild
 your discovered vulnerabilities. Choose only one option:

--Fp=FINALPAYLOAD   OWN    - Insert your final code to inject -manually-
 --Fr=FINALREMOTE    REMOTE - Insert your final code to inject -remotelly-
 --Doss              DOSs   - XSS Denial of service (server) injection
 --Dos               DOS    - XSS Denial of service (client) injection
 --B64               B64    - Base64 code encoding in META tag (rfc2397)

*Special Final injection(s)*:
 These options can be used to execute some 'special' injection(s) in
 vulnerable target(s). You can select multiple and combine with your
 final code (except with DCP code):

--Onm               ONM - Use onMouseMove() event to inject code
 --Ifr               IFR - Use <iframe> source tag to inject code

 --silent            inhibit console output results
 --update            check for XSSer latest stable version
 --save              output all results directly to template (XSSlist.dat)
 --xml=FILEXML       output 'positives' to aXML file (--xml filename.xml)
 --short=SHORTURLS   display -final code- shortered (tinyurl,
 --launch            launch a browser at the end with each XSS discovered
 --tweet             publish each XSS discovered into the 'Grey Swarm!'
 --tweet-tags=TT     add more tags to your XSS discovered publications
 (default: #xss) - (ex: #xsser #vulnerability)

xsser Usage Example

root@kali:~# xsser --gtk

40) zaproxy Package Description

The OWASP Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen testers toolbox.

zaproxy Homepage | Kali zaproxy Repo

  • Author:
  • License: Apache 2.0

Tools included in the zaproxy package

zaproxy – OWASP Zed Attack Proxy

The OWASP Zed Attack Proxy.

zaproxy Usage Example(s)

root@kali:~# zaproxy

Registered Memberships and Partners:

OWASP - Open Web Applications Security Project
ISSA UK - Information Systems Security Association UK
NIST - Computer Security Division of NIST
UKITA - UK Information Technology Association
ISF - Information Security Forum
ISACA - Information Security Audit & Control Association

  • Latest Tweets

    • Britain's security has been threatened by 188 high-level cyber attacks in the last three months, according to a government security chief.

    • Libraries across the city of St Louis are gradually regaining control of their computer systems, following a malware attack on 17 Libraries.

This website uses cookies to improve user experience. By using our website you consent to all cookies issued by this website.
I agree Disagree