InfoSecurity & Penetration OpenSource Scanners/Tools List | 信息安全与渗透测试工具集锦

List of Security Archives Tools and software, generally for facilitate security & penetration research.


  • 2017-Scanners Box #Project#: Scanners Box is a collection of open source scanners which are from the github platform, including subdomain enumeration, database vulnerability scanners, weak passwords or information leak scanners, port scanners, fingerprint scanners, and other large scale scanners, modular scanner etc.

  • awesome-pentest #Project#: A collection of awesome penetration testing resources, tools and other shiny things

Universal Penetration Tools/Scanners

Exploitation Framework | 渗透框架

  • 2013-Kali #Project#: Kali Linux is constantly evolving with new features being added to the distribution all the time.

  • fsociety #Project#: A Penetration Testing Framework, you will have every script that a hacker needs.

  • AutoSploit #Project#: As the name might suggest AutoSploit attempts to automate the exploitation of remote hosts. Targets are collected automatically as well by employing the API.

  • Retire.js #Project#: The goal of Retire.js is to help you detect use of version with known vulnerabilities.

  • Metasploit #Project#: Metasploit helps security teams do more than just verify vulnerabilities, manage security assessments, and improve security awareness;

POC Framework | POC 框架

  • Pocsuite #Project#: Pocsuite is an open-sourced remote vulnerability testing framework developed by the Knownsec Security Team.

  • TrackRay #Project#: 溯光 (TrackRay) 3 Beta 版插件式渗透测试框架(资产扫描|指纹识别|暴力破解|网页爬虫|端口扫描|漏洞扫描|AWVS|NMAP|Metasploit)

Asset Management | 安全管理

  • TangScan #Project#: Tangscan(唐朝扫描器)是一个由社区众多安全研究人员维护的企业在线安全平台,我们希望能够以更简单更快捷更有效的方式帮助企业监控和发现安全问题。

  • 巡风 #Project#: 巡风是一款适用于企业内网的漏洞快速应急、巡航扫描系统,通过搜索功能可清晰的了解内部网络资产分布情况,并且可指定漏洞插件对搜索结果进行快速漏洞检测并输出结果报表。

  • 洞察 #Project#: 洞察-宜信集应用系统资产管理、漏洞全生命周期管理、安全知识库管理三位一体的平台。

  • 2018-Fuxi Scanner #Project#: Fuxi Scanner is an open source network security vulnerability scanner, it comes with multiple functions.

  • 2017-Wfuzz #Project#: Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload.

  • 2018-Tide #Project#: 目前实现了网络空间资产探测、指纹检索、漏洞检测、漏洞全生命周期管理、poc 定向检测、暗链检测、挂马监测、敏感字检测、DNS 监测、网站可用性监测、漏洞库管理、安全预警等等~

  • 2018-Archery #Project#: Centralize Vulnerability Assessment and Management for DevSecOps Team.



  • 驭龙 HIDS #Project#: 驭龙 HIDS 是一款由 YSRC 开源的入侵检测系统,由 Agent, Daemon, Server 和 Web 四个部分组成,集异常检测、监控管理为一体,拥有异常行为发现、快速阻断、高级分析等功能,可从多个维度行为信息中发现入侵行为。

  • ModSecurity #Project#: ModSecurity is an open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx that is developed by Trustwave's SpiderLabs.

  • Janusec #Project#: Janusec Application Gateway, a Golang based application security solution which provides WAF (Web Application Firewall), CC attack defense, unified web administration portal, private key protection, web routing and scalable load balancing.


  • Jump Server #Project#: Jumpserver 是全球首款完全开源的堡垒机,是符合 4A 的专业运维审计系统。



  • SecLists #Project#: SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.

  • 2019-PayloadsAllTheThings #Project#: A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Vulnerability Environment | 漏洞环境

  • fbctf #Project#: The Facebook CTF is a platform to host Jeopardy and “King of the Hill” style Capture the Flag competitions.

  • Wargames #Project#: The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games.

  • vulhub #Project#: Docker-Compose file for vulnerability environment

  • VulApps #Project#: 收集各种漏洞环境,为方便使用,统一采用 Dockerfile 形式。同时也收集了安全工具环境。

  • NodeGoat #Project#: Being lightweight, fast, and scalable, Node.js is becoming a widely adopted platform for developing web applications.

Playground | 练习场

Web Security


  • Muffet #Project#: Muffet is a website link checker which scrapes and inspects all pages in a website recursively.

  • weakfilescan #Project#: 基于爬虫,动态收集扫描目标相关信息后进行二次整理形成字典规则,利用动态规则的多线程敏感信息泄露检测工具,支持多种个性化定制选项。

Sub Domain

Weak Passwd & Brute Force | 弱口令与暴力破解

  • hydra #Project#: Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system.

  • Medusa

  • Hydra

SQL Injection


  • XSStrike #Project#: XSS Scanner equipped with powerful fuzzing engine & intelligent payload generator.

Web Shell

  • Cknife #Project#: 方便已被授权的渗透测试人员进行渗透测试;


JS Libraries

  • Retire.js #Project#: Scanner detecting the use of JavaScript libraries with known vulnerabilities.




  • DNSLog #Project#: DNSLog 是一款监控 DNS 解析记录和 HTTP 访问记录的工具。


  • Deflect #Project#: Deflect 是一款开源服务,帮助非政府组织(NGO)、行动主义者和独立媒体公司免于受到分布式拒绝服务攻击(DDoS)。与商业 CDN 类似,它基于分布式反向代理缓存,隐藏真实服务器 IP 地址,同时能够阻止对后台的公开访问,并致力于抵抗针对独立言论的僵尸网络。

Proxy | 抓包代理


Mobile | 移动端工具

Hardware | 硬件