Skip to main content
8 min read Beginner

PentestingEverything

A complete, searchable penetration-testing knowledge base across 23 security domains.

Live website: pentesting.m14r41.in

Live Website · PentestingChecklist · Contribute · Report an Issue

License Stars Forks Last commit

Read it online at pentesting.m14r41.in: fully searchable, with 108 documentation pages, 104 reference PDFs, and 212+ topics across 23 domains. The website turns this repository into a fast, structured, and readable knowledge base.

New in v2.0.0: the project is now a full website with instant full-text search, a filterable reference PDF library, learning paths for common engagements, and a companion checklist at checklist.m14r41.in. Full notes in the changelog.

PentestingEverything is an open-source, comprehensive penetration-testing knowledge base. It brings together methodology, checklists, payloads, commands, and field-tested references across 23 domains: web, API, mobile, network, cloud, Active Directory, OSINT, and more. The goal is simple: give you the concise, practical knowledge to assess any target, from scoping an engagement to hunting a specific vulnerability class to writing the report.

Practical companion: PentestingChecklist. This project is the knowledge base. The checklist is the hands-on, tick-as-you-go companion. A structured checklist across 23 platforms (web, API, mobile, cloud, AD and more) with progress tracking, notes, and export. Use them side by side.

Upcoming New Resources soon!
Your ideas, suggestions, and contributions are always welcome!
  • New Module: Leveraging AI in Pentesting
Recently Updated Content : 2026
  • iOS Pentesting Module
  • Android Pentesting
  • API Pentesting Module
  • SAST / Source Code Review
  • DevSecOps & SCA
  • Thick Client Pentesting
  • OWASP Top 10:2025 Web Application
  • Threat Modeling, Design Review, Idea Review, Architecture Review
  • New Module : LLMs OWASP Top 10
  • New Module : MCP Pentesting
  • New Module : Firewall (In progress)
Improvements and advance technique
  • More methods for SSL Pinning bypass and exploitation
  • Intercepting mobile TCP traffic using iptables and invisible proxying
  • Comprehensive enumeration with Frida and object analysis (Local Storage, Classes, Methods, Activities, Services, Intents, Receivers, etc.)
  • Exploiting Android components using ADB and Drozer
  • Advanced SAST beyond MobSF
Currently Exploring & Seeking Collaboration

Contributions and knowledge sharing are welcome from professionals experienced in Cloud and Enterprise Infrastructure Pentesting.

  • Cloud Pentesting
  • Enterprise Pentesting (Network, Firewall, WiFi & Configuration Review)

0.1. Table of Contents

No.Types of PentestingNo.Types of Pentesting
1Web Application Pentesting13MCP Security Assessment
2API Pentesting14LLM Security Assessment
3Mobile Pentesting15Threat Modeling
4Thick Client Pentesting16Configuration Review
5Secure Code Review17Container & Kubernetes Assessment
6Cloud Pentesting18CI/CD Pentesting
7DevSecOps19IoT Pentesting
8Network Pentesting20BlockChain Pentesting
9Wi-Fi Pentesting21Phishing Assessment
10Firewall Penetration22OSINT
11Active Directory Pentesting23Forensic
12Infrastructure Security

Pentesting & Tools

40 Plus Type of Security Assessment Tools

1. Penetration Testing and Tools

CategoryTools
Web Application PentestingAcunetix, Burp Suite Professional, Dirb, FFUF, Nmap, Nikto, Nuclei, OWASP ZAP, SQLMap, WhatWeb, WPScan, Invicti (Netsparker), Fortify WebInspect
Android Securityadb, APKTool, Apkscan, AndroBugs, Android Studio / Genymotion, AppMon, Dexter/Objection (Objection), Drozer, Frida, Magisk, MITMProxy, MobSF, Quark Engine, JADX
iOS Securitycheckra1n, Class-dump, Frida, iMazing, iOS-decrypt, iOS-Hook, MobSF, Needle, Objection, Palera1n, Passionfruit, SSL Kill Switch 2, Cycript
API PentestingBurp Suite Professional, GraphQL Raider, GraphQL Voyager, Insomnia, Kite Runner, Postman, Swagger UI
Secure Code ReviewBandit, Checkmarx, CodeQL, FindSecBugs, Gitleaks, Semgrep, SonarQube, Snyk, Veracode, Fortify Static (Workbench/Audit)
Thick-Client SecurityBurp Suite Professional, dnSpy, de4dot, Fiddler, Ghidra, IDA Pro, OllyDbg, Process Explorer, x64dbg, CFF Explorer, Sysinternals Suite, Wireshark
Network PentestingBettercap, CrackMapExec, Metasploit, Netcat, Nessus, Nmap, OpenVAS, Responder, Wireshark

2. Extended version

CategoryTools
Active Directory PentestingBloodHound, Mimikatz, CrackMapExec, Impacket, Kerbrute, Rubeus, LDAPDomainDump, SharpHound, PowerView, ADRecon
Cloud SecurityProwler, ScoutSuite, CloudSploit, Pacu, Steampipe, CloudMapper, NCC Scout, kube-bench, Terrascan, KICS
IoT SecurityFirmwalker, Binwalk, Firmware-Mod-Kit, Shodan, RIOT, JTAGulator, Qiling, Ghidra, Avatar2, Firmadyne
Firewall Pentestinghping3, NPing, Scapy, Zmap, firewalk, FTester, Nmap (Firewall Bypass), Packet Sender, T50, Ettercap, TCPReplay
Firmware AnalysisBinwalk, Firmware Analysis Toolkit (FAT), QEMU, Ghidra, IDA Pro, Firmware-Mod-Kit, Radare2, Firmadyne
Container SecurityTrivy, Aqua Microscanner, Clair, Anchore, Docker Bench, kube-hunter, Falco, Sysdig, Snyk, Grype
WiFi PentestingAircrack-ng, Kismet, Bettercap, Reaver, Fluxion, Wireshark, hcxtools, Fern WiFi Cracker, Wifiphisher, Hashcat
DevSecOpsGitHub Advanced Security, Trivy, Snyk, Anchore, OWASP Dependency-Check, Jenkins, Checkmarx, Veracode, Dagda, Sysdig Secure, Cloud Custodian, Bridgecrew, Kubescape
OSINTtheHarvester, Maltego, SpiderFoot, Recon-ng, Shodan, FOCA, Google Dorks, OSINT Framework, GHunt, Sherlock, PhoneInfoga
Configuration ReviewLynis, OpenSCAP, Auditd, Tripwire, cis-cat Pro, Chef InSpec, Prowler, Kubescape
Phishing SimulationGoPhish, SET, Evilginx2, Phishery, King Phisher, Modlishka, Phishing Frenzy
ForensicsAutopsy, Volatility, Sleuth Kit, FTK Imager, Redline, Magnet AXIOM, X-Ways, Bulk Extractor, ExifTool
Blockchain SecurityMythril, Slither, Manticore, Remix IDE, Oyente, SmartCheck, Echidna, Tenderly
Threat ModelingMicrosoft TMT, OWASP Threat Dragon, IriusRisk, SeaSponge, Draw.io, Pytm
Red Team ToolsCobalt Strike, Sliver, Mythic, Empire, Metasploit, Brute Ratel, Koadic, FudgeC2, Nishang, PowerShell Empire
Blue Team ToolsVelociraptor, Wazuh, OSQuery, GRR, Sysmon, CrowdStrike Falcon, Elastic Security, Sigma Rules
SIEM & Log AnalysisSplunk, ELK Stack, Graylog, Wazuh, AlienVault OSSIM, SIEMonster, Logstash, Fluentd, Loki, Falco, Humio, Kibana, Loggly, Logz.io
Password CrackingHashcat, John the Ripper, Hydra, CrackStation, Cain & Abel, Medusa, THC-Hydra
Reverse EngineeringGhidra, IDA Pro, x64dbg, OllyDbg, Binary Ninja, Radare2, Cutter
Hardware HackingChipWhisperer, Saleae Logic, OpenOCD, JTAGulator, Bus Pirate, Flashrom, Arduino, Raspberry Pi, RTL-SDR
Social EngineeringSET, BeEF, King Phisher, Evilginx / Evilginx2, Modlishka, EyeWitness, PhishToolkit, PhishX, Psychological Frameworks (Pretexting, Elicitation)
SCADA/ICS SecuritySnort, Wireshark, ModScan, ModbusPal, Scadafence, OpenPLC, GasPot, Conpot, PLCScan
Supply Chain SecuritySnyk, OWASP Dependency-Check, Trivy, Syft, Grype, CycloneDX, Whitesource, Anchore Engine
Email Security TestingGoPhish, Modlishka, SMTPTester, MailSniper, Evilginx2, Phish5, Email Header Analyzer
Mobile Malware AnalysisAPKTool, MobSF, Jadx, Frida, VirusTotal Mobile, Droidbox, Bytecode Viewer, Drozer, Quark-Engine
AI/ML SecurityAdversarial Robustness Toolbox (ART), TextAttack, Foolbox, IBM AI Explainability 360, CleverHans, Alibi Detect, SecML, DeepExploit
Security Automation / SOARStackStorm, Cortex XSOAR, Shuffle, DFIR-IR-Playbook, Phantom Cyber, Tines
Bug Bounty ToolkitAmass, Sublist3r, Nuclei, HTTPX, Naabu, FFUF, GF, Dalfox, Kiterunner, Hakrawler, JSParser, ParamSpider
Credential Dumping & CrackingLaZagne, Mimikatz, Hashcat, John the Ripper, Windows Credential Editor, CrackMapExec, GetNPUsers.py
Payload GenerationMSFVenom, Unicorn, Shellter, Veil, Nishang, Empire, Obfuscation.io, Metasploit, Donut
Honeypots / DeceptionCowrie, Dionaea, Kippo, Honeyd, T-Pot, Conpot, Canarytokens, Artillery
MacOS SecurityKnockKnock, BlockBlock, OSXCollector, Objective-See Suite, MacMonitor, Little Snitch, Dylib Hijack Scanner
Windows Post-ExploitationPowerView, Seatbelt, SharpUp, WinPEAS, Sherlock, Empire, FireEye Red Team Tools, SharpHound
Linux Post-ExploitationLinPEAS, Linux Exploit Suggester, pspy, Chkrootkit, rkhunter, bashark, GTFOBins, Sudomy
Browser Security TestingBeEF, XSStrike, XSSer, Burp Collaborator, NoScript, uBlock Origin, Chrome Developer Tools

2.1. Contributors

I appreciate your interest in contributing! please read Contribution Guidelines.

A heartfelt thanks to the amazing individuals for their contributions to this project. You can view emoji key to see the various ways you can contribute!

Marko Živanović
Marko Živanović
🔧		 m14r41
m14r41
💻		 0xanon
0xanon
💻		 InfoBugs
InfoBugs
💻		 Ratnesh kumar
Ratnesh kumar
💻		 Chandrabhushan Kumar
Chandrabhushan Kumar
💻		 Satya Prakash
Satya Prakash
💻 👀
Wei Lin
Wei Lin
🌍

2.2. Star History

Star History Chart

Content and Attribution

This project is open source (MIT) and includes third-party material such as PDFs and documents that belong to their original owners. It is shared in good faith for education only. If any of it is yours and you want it credited differently or removed, just ask and it will be handled promptly. See CONTENT_REMOVAL.md.

Support:

m14r41