A complete, searchable penetration-testing knowledge base across 23 security domains.
Live website: pentesting.m14r41.in
Live Website · PentestingChecklist · Contribute · Report an Issue
Read it online at pentesting.m14r41.in: fully searchable, with 108 documentation pages, 104 reference PDFs, and 212+ topics across 23 domains. The website turns this repository into a fast, structured, and readable knowledge base.
New in v2.0.0: the project is now a full website with instant full-text search, a filterable reference PDF library, learning paths for common engagements, and a companion checklist at checklist.m14r41.in. Full notes in the changelog.
PentestingEverything is an open-source, comprehensive penetration-testing knowledge base. It brings together methodology, checklists, payloads, commands, and field-tested references across 23 domains: web, API, mobile, network, cloud, Active Directory, OSINT, and more. The goal is simple: give you the concise, practical knowledge to assess any target, from scoping an engagement to hunting a specific vulnerability class to writing the report.
Practical companion: PentestingChecklist. This project is the knowledge base. The checklist is the hands-on, tick-as-you-go companion. A structured checklist across 23 platforms (web, API, mobile, cloud, AD and more) with progress tracking, notes, and export. Use them side by side.
Upcoming New Resources soon!
Your ideas, suggestions, and contributions are always welcome!- New Module: Leveraging AI in Pentesting
Recently Updated Content : 2026
- iOS Pentesting Module
- Android Pentesting
- API Pentesting Module
- SAST / Source Code Review
- DevSecOps & SCA
- Thick Client Pentesting
- OWASP Top 10:2025 Web Application
- Threat Modeling, Design Review, Idea Review, Architecture Review
- New Module : LLMs OWASP Top 10
- New Module : MCP Pentesting
- New Module : Firewall (In progress)
Improvements and advance technique
- More methods for SSL Pinning bypass and exploitation
- Intercepting mobile TCP traffic using iptables and invisible proxying
- Comprehensive enumeration with Frida and object analysis
(Local Storage, Classes, Methods, Activities, Services, Intents, Receivers, etc.) - Exploiting Android components using ADB and Drozer
- Advanced SAST beyond MobSF
Currently Exploring & Seeking Collaboration
Contributions and knowledge sharing are welcome from professionals experienced in Cloud and Enterprise Infrastructure Pentesting.
- Cloud Pentesting
- Enterprise Pentesting (Network, Firewall, WiFi & Configuration Review)
| No. | Types of Pentesting | No. | Types of Pentesting |
|---|---|---|---|
| 1 | Web Application Pentesting | 13 | MCP Security Assessment |
| 2 | API Pentesting | 14 | LLM Security Assessment |
| 3 | Mobile Pentesting | 15 | Threat Modeling |
| 4 | Thick Client Pentesting | 16 | Configuration Review |
| 5 | Secure Code Review | 17 | Container & Kubernetes Assessment |
| 6 | Cloud Pentesting | 18 | CI/CD Pentesting |
| 7 | DevSecOps | 19 | IoT Pentesting |
| 8 | Network Pentesting | 20 | BlockChain Pentesting |
| 9 | Wi-Fi Pentesting | 21 | Phishing Assessment |
| 10 | Firewall Penetration | 22 | OSINT |
| 11 | Active Directory Pentesting | 23 | Forensic |
| 12 | Infrastructure Security |
| Category | Tools |
|---|---|
| Web Application Pentesting | Acunetix, Burp Suite Professional, Dirb, FFUF, Nmap, Nikto, Nuclei, OWASP ZAP, SQLMap, WhatWeb, WPScan, Invicti (Netsparker), Fortify WebInspect |
| Android Security | adb, APKTool, Apkscan, AndroBugs, Android Studio / Genymotion, AppMon, Dexter/Objection (Objection), Drozer, Frida, Magisk, MITMProxy, MobSF, Quark Engine, JADX |
| iOS Security | checkra1n, Class-dump, Frida, iMazing, iOS-decrypt, iOS-Hook, MobSF, Needle, Objection, Palera1n, Passionfruit, SSL Kill Switch 2, Cycript |
| API Pentesting | Burp Suite Professional, GraphQL Raider, GraphQL Voyager, Insomnia, Kite Runner, Postman, Swagger UI |
| Secure Code Review | Bandit, Checkmarx, CodeQL, FindSecBugs, Gitleaks, Semgrep, SonarQube, Snyk, Veracode, Fortify Static (Workbench/Audit) |
| Thick-Client Security | Burp Suite Professional, dnSpy, de4dot, Fiddler, Ghidra, IDA Pro, OllyDbg, Process Explorer, x64dbg, CFF Explorer, Sysinternals Suite, Wireshark |
| Network Pentesting | Bettercap, CrackMapExec, Metasploit, Netcat, Nessus, Nmap, OpenVAS, Responder, Wireshark |
| Category | Tools |
|---|---|
| Active Directory Pentesting | BloodHound, Mimikatz, CrackMapExec, Impacket, Kerbrute, Rubeus, LDAPDomainDump, SharpHound, PowerView, ADRecon |
| Cloud Security | Prowler, ScoutSuite, CloudSploit, Pacu, Steampipe, CloudMapper, NCC Scout, kube-bench, Terrascan, KICS |
| IoT Security | Firmwalker, Binwalk, Firmware-Mod-Kit, Shodan, RIOT, JTAGulator, Qiling, Ghidra, Avatar2, Firmadyne |
| Firewall Pentesting | hping3, NPing, Scapy, Zmap, firewalk, FTester, Nmap (Firewall Bypass), Packet Sender, T50, Ettercap, TCPReplay |
| Firmware Analysis | Binwalk, Firmware Analysis Toolkit (FAT), QEMU, Ghidra, IDA Pro, Firmware-Mod-Kit, Radare2, Firmadyne |
| Container Security | Trivy, Aqua Microscanner, Clair, Anchore, Docker Bench, kube-hunter, Falco, Sysdig, Snyk, Grype |
| WiFi Pentesting | Aircrack-ng, Kismet, Bettercap, Reaver, Fluxion, Wireshark, hcxtools, Fern WiFi Cracker, Wifiphisher, Hashcat |
| DevSecOps | GitHub Advanced Security, Trivy, Snyk, Anchore, OWASP Dependency-Check, Jenkins, Checkmarx, Veracode, Dagda, Sysdig Secure, Cloud Custodian, Bridgecrew, Kubescape |
| OSINT | theHarvester, Maltego, SpiderFoot, Recon-ng, Shodan, FOCA, Google Dorks, OSINT Framework, GHunt, Sherlock, PhoneInfoga |
| Configuration Review | Lynis, OpenSCAP, Auditd, Tripwire, cis-cat Pro, Chef InSpec, Prowler, Kubescape |
| Phishing Simulation | GoPhish, SET, Evilginx2, Phishery, King Phisher, Modlishka, Phishing Frenzy |
| Forensics | Autopsy, Volatility, Sleuth Kit, FTK Imager, Redline, Magnet AXIOM, X-Ways, Bulk Extractor, ExifTool |
| Blockchain Security | Mythril, Slither, Manticore, Remix IDE, Oyente, SmartCheck, Echidna, Tenderly |
| Threat Modeling | Microsoft TMT, OWASP Threat Dragon, IriusRisk, SeaSponge, Draw.io, Pytm |
| Red Team Tools | Cobalt Strike, Sliver, Mythic, Empire, Metasploit, Brute Ratel, Koadic, FudgeC2, Nishang, PowerShell Empire |
| Blue Team Tools | Velociraptor, Wazuh, OSQuery, GRR, Sysmon, CrowdStrike Falcon, Elastic Security, Sigma Rules |
| SIEM & Log Analysis | Splunk, ELK Stack, Graylog, Wazuh, AlienVault OSSIM, SIEMonster, Logstash, Fluentd, Loki, Falco, Humio, Kibana, Loggly, Logz.io |
| Password Cracking | Hashcat, John the Ripper, Hydra, CrackStation, Cain & Abel, Medusa, THC-Hydra |
| Reverse Engineering | Ghidra, IDA Pro, x64dbg, OllyDbg, Binary Ninja, Radare2, Cutter |
| Hardware Hacking | ChipWhisperer, Saleae Logic, OpenOCD, JTAGulator, Bus Pirate, Flashrom, Arduino, Raspberry Pi, RTL-SDR |
| Social Engineering | SET, BeEF, King Phisher, Evilginx / Evilginx2, Modlishka, EyeWitness, PhishToolkit, PhishX, Psychological Frameworks (Pretexting, Elicitation) |
| SCADA/ICS Security | Snort, Wireshark, ModScan, ModbusPal, Scadafence, OpenPLC, GasPot, Conpot, PLCScan |
| Supply Chain Security | Snyk, OWASP Dependency-Check, Trivy, Syft, Grype, CycloneDX, Whitesource, Anchore Engine |
| Email Security Testing | GoPhish, Modlishka, SMTPTester, MailSniper, Evilginx2, Phish5, Email Header Analyzer |
| Mobile Malware Analysis | APKTool, MobSF, Jadx, Frida, VirusTotal Mobile, Droidbox, Bytecode Viewer, Drozer, Quark-Engine |
| AI/ML Security | Adversarial Robustness Toolbox (ART), TextAttack, Foolbox, IBM AI Explainability 360, CleverHans, Alibi Detect, SecML, DeepExploit |
| Security Automation / SOAR | StackStorm, Cortex XSOAR, Shuffle, DFIR-IR-Playbook, Phantom Cyber, Tines |
| Bug Bounty Toolkit | Amass, Sublist3r, Nuclei, HTTPX, Naabu, FFUF, GF, Dalfox, Kiterunner, Hakrawler, JSParser, ParamSpider |
| Credential Dumping & Cracking | LaZagne, Mimikatz, Hashcat, John the Ripper, Windows Credential Editor, CrackMapExec, GetNPUsers.py |
| Payload Generation | MSFVenom, Unicorn, Shellter, Veil, Nishang, Empire, Obfuscation.io, Metasploit, Donut |
| Honeypots / Deception | Cowrie, Dionaea, Kippo, Honeyd, T-Pot, Conpot, Canarytokens, Artillery |
| MacOS Security | KnockKnock, BlockBlock, OSXCollector, Objective-See Suite, MacMonitor, Little Snitch, Dylib Hijack Scanner |
| Windows Post-Exploitation | PowerView, Seatbelt, SharpUp, WinPEAS, Sherlock, Empire, FireEye Red Team Tools, SharpHound |
| Linux Post-Exploitation | LinPEAS, Linux Exploit Suggester, pspy, Chkrootkit, rkhunter, bashark, GTFOBins, Sudomy |
| Browser Security Testing | BeEF, XSStrike, XSSer, Burp Collaborator, NoScript, uBlock Origin, Chrome Developer Tools |
I appreciate your interest in contributing! please read Contribution Guidelines.
A heartfelt thanks to the amazing individuals for their contributions to this project. You can view emoji key to see the various ways you can contribute!
 Marko Živanović 🔧 |
 m14r41 💻 |
 0xanon 💻 |
 InfoBugs 💻 |
 Ratnesh kumar 💻 |
 Chandrabhushan Kumar 💻 |
 Satya Prakash 💻 👀 |
 Wei Lin 🌍 |
This project is open source (MIT) and includes third-party material such as PDFs and documents that belong to their original owners. It is shared in good faith for education only. If any of it is yours and you want it credited differently or removed, just ask and it will be handled promptly. See CONTENT_REMOVAL.md.
