cazador_unr: WebApp Pentest toolkit
- HTTP Server
- DNS Server
- TCP Server
- POSTMessage Hooker
- Websocket Hooker
- HTTP/JS-Files/Binary Analyze
- Analyze Files (Binary, Metadata, Text files, Js sinks)
- Get DNS Records
- Resolve Hosts
- Reverse IPs
- Passive DNS
- DNS History
- Text Processing
- Block construct
- Format generator
- pattern creation
- Encrypt/Decrypt data
- Hash Identification
- Payload Generators
- Poc Generators (Python, Bash, HTML)
- Get Websites ScreenShots
- GET Subdomains (Scrabbing, Minning, DNS-brute-force, Http-brute-force)
- Site categorizer
- s3/GC bucket enumeration
- Github Lister
- Ip History
- Detect Misconfiguration
- Port/vulnerability/ssl scanner
- Vulnerability Exploiters
- Waf Detection
- Download Android apps (APK)
- Travis-CI logs fetching
if the app is not working properly, Download this archive dlls.zip and extract the dll files, put them in the application folder, beside the executable file
- This tool is meant primarily for bug hunters (especially beginners).
- This tool is not backdoored with any malicious software/tracking.
- This tool contains bugs more than features so use it carefully.
- Connections are issued using the .Net (SystemDotWeb) which is slow and limited by design, consider using many threads, this will be replaced with another solution.
- Memory is not carefully managed so be careful, do not use all the tools at the same time.
- Do not use it illegally
- Tools starting with _ are not built yet, I added buttons to remember writing them so I could build them in future, hence no need to reverse engineer the tool in order to enable them, if you have time feel free to do it no problem.
- Many third-parties are used without permission no APIS used.
- The source code is not published because the tool is a beta and the code is ugly and worse than my handwriting.
- The project is planned to be open-source with the first release.
- Suggestions are deeply welcome.
- Credits are reserved for all authors and third-parties.
Tools discussed separately here