Arachni alternatives

Looking for a better tool, or simply want to learn about alternatives? There is typically more than one option.

Alternatives (by tag)

68

Alternative: arch-audit

Utility like pkg-audit for Arch Linux to find vulnerable packages on the system

The arch-audit utility scans the system for known vulnerabilities. It does so by looking at the versions of installed packages and comparing them with a database of known vulnerable versions.

Project details

arch-audit is written in Rust.

Strengths

  • + The source code of this software is available

Typical usage

  • vulnerability scanning

arch-audit project page

52

Alternative: Glastopf

Glastopf is a honeypot for web applications. It is written in Python and collects all kinds of attacks against it for further analysis.

Glastopf emulates vulnerabilities in a generic way. Instead of emulating specific vulnerabilities, it mimics being vulnerable to more attacks within that area (e.g. Remote File Inclusion). The tool is modular and can be extended with different logging capabilities.

This project is replaced by SNARE.

100

Alternative: Lynis

Security auditing tool to perform an in-depth health check of systems running Linux or Unix-based operating systems.

Lynis is an open source security auditing tool that has been available since 2007 and was created by Michael Boelen. Its primary goal is to evaluate the security defenses of systems running Linux or other flavors of Unix. It provides suggestions to install, configure, or correct any security measures.

Project details

Lynis is written in shell script.

Strengths

  • + Commercial support available
  • + More than 50 contributors
  • + More than 3000 GitHub stars
  • + Used language is shell script
  • + Very low number of dependencies
  • + Project is mature (5+ years)
  • + The source code of this software is available

Typical usage

  • IT audit
  • penetration test
  • security assessment
  • system hardening

Lynis project page

74

Alternative: Nikto

Nikto is an open source security scanner which tests web servers for potential vulnerabilities.

Nikto helps with performing security scans against web servers and searching for vulnerabilities in web applications.

Note: the data files of Nikto are not released under GPL. Embedding them in your projects may require permission of the author.

Project details

Nikto is written in Perl.

Strengths

  • + The source code of this software is available
  • + Well-known tool

Typical usage

  • penetration test
  • security assessment
  • web application analysis

Nikto project page

85

Alternative: OpenVAS

OpenVAS is a framework of several services and tools offering a vulnerability scanning and vulnerability management solution.

OpenVAS is an open source vulnerability scanner that emerged when Nessus became closed source in October of 2005.

Project details

OpenVAS is written in C.

Strengths

  • + The source code of this software is available
  • + Well-known tool

Typical usage

  • penetration test
  • security assessment
  • vulnerability scanning

OpenVAS project page

64

Alternative: Pompem

Pompem is an open source security tool to automate the search for exploits and vulnerabilities in public databases.

Pompem is written in Python and helps pentesters to search public sources for vulnerability information and a related exploit.

Sources

  • CXSecurity
  • National Vulnerability Database
  • PacketStorm security
  • Vulners
  • WPScan Vulnerability Database
  • ZeroDay

Project details

Pompem is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • vulnerability scanning

Pompem project page

78

Alternative: SearchSploit

Exploit-DB's CLI search tool to find any exploits from the database. The tool is written in shell script and maintained by Offensive Security.

This little utility can search for exploits and related data in the Exploit-DB.

Project details

SearchSploit is written in shell script.

Strengths

  • + Used language is shell script

Weaknesses

  • - Full name of author is unknown
  • - Unknown project license

Typical usage

  • information gathering

SearchSploit project page

97

Alternative: Seccubus

Seccubus automates vulnerability scanning with support for Nessus, OpenVAS, Nmap, SSLyze, Medusa, SkipFish, OWASP ZAP, and SSLlabs.

Supported engines and tools:

  • Nessus
  • OpenVAS
  • Nmap
  • Nikto
  • Medusa
  • Qualys SSL labs
  • SkipFish
  • SSLyze
  • testssl.sh
  • ZAP

100

Alternative: vFeed

vFeed is a set of tools around correlated vulnerability and threat intelligence. It provides a database, API, and supporting tools to store vulnerability data.

vFeed consists of a database and utilities to store vulnerability data. It uses third-party references and data, which can then be used to see if a software component has a known vulnerability. The data itself is enriched by cross-checking it and storing additional details about the vulnerabilities.

The vFeed tooling has an API available with JSON output. It can be used by security researchers and practitioners to validate vulnerabilities and retrieve all available details.

Project details

vFeed is written in Python.

Strengths

  • + Commercial support available

Typical usage

  • security assessment
  • vulnerability scanning

vFeed project page

81

Alternative: Vulnreport

Vulnreport is a tool to automate and manage all the data involved in security reviews. In particular, it focuses on discovered vulnerabilities.

Project details

Vulnreport is written in Ruby.

Strengths

  • + The source code of this software is available

Typical usage

  • security reviews
  • vulnerability management
  • vulnerability scanning

Vulnreport project page

100

Alternative: WPScan

WPScan is a security tool to perform black box WordPress vulnerability scans, including enumeration of used plugins.

Project details

WPScan is written in Ruby.

Strengths

  • + More than 25 contributors
  • + More than 2000 GitHub stars
  • + The source code of this software is available

Weaknesses

  • - Software usage is restricted (e.g. commercially)

Typical usage

  • penetration test
  • security assessment
  • vulnerability scanning

WPScan project page

60

Alternative: Parsero

Parsero is a Python script to analyze robots.txt on web servers. It specifically looks for the Disallow entries and checks which entries might be accessible.

Entries that should not be crawled by a web spider are typically placed in a Disallow entry in the robots.txt file. This file is read by a crawl tool and any of the Disallow entries are skipped for indexing. These entries are interesting, as sometimes they reveal a lot of information about the web server. This tool helps to quickly check which entries are accessible.

Project details

Parsero is written in Python.

Strengths

  • + The source code of this software is available

Parsero project page

97

Alternative: Commix

Commix is a security tool to test web applications and find vulnerabilities related to command injection attacks. It can be used during security assignments.

Commix is short for COMMand Injection eXploiter.

Project details

Commix is written in Python.

Strengths

  • + More than 10 contributors
  • + More than 1000 GitHub stars
  • + The source code of this software is available

Commix project page

85

Alternative: django-axes

Django-axes is a reusable app for Django to limit the brute force login attempts for your web application.

Project details

django-axes is written in Python.

Strengths

  • + More than 50 contributors
  • + The source code of this software is available

Typical usage

  • application security

django-axes project page

64

Alternative: DorkNet

DorkNet helps with the discovery of vulnerable web apps. It is a script written in Python that leverages Selenium.

Project details

DorkNet is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • security assessment
  • vulnerability scanning
  • web application analysis

DorkNet project page

85

Alternative: hsecscan (hsecscan)

hsecscan performs a security scan of a website and analyses any discovered HTTP headers. For each header, it will provide details and recommendations.

The hsecscan utility is written in Python and opens a connection (via HTTP or HTTPS) to the related web server. It returns all headers found and includes an explanation of what each header does. Any security recommendations are listed as well.

Project details

hsecscan is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • information gathering
  • learning
  • penetration test
  • security assessment
  • web application analysis

hsecscan project page

64

Alternative: Jackhammer

Jackhammer is a collaboration tool to get security and developer teams together. The focus is on static code analysis and dynamic analysis for vulnerability discovery.

The tool uses RBAC (Role Based Access Control) with different levels of access. Jackhammer uses several tools to do dynamic and static code analysis (e.g. for Java, Ruby, Python, and Node.js). It also checks for vulnerabilities in libraries. Due to its modular architecture, it can use several scanners out of the box, with options to add your own.

The Jackhammer project was initially added to GitHub on the 8th of May, 2017.

Project details

Jackhammer is written in Ruby.

Strengths

  • + The source code of this software is available

Typical usage

  • collaboration
  • information sharing

Jackhammer project page

64

Alternative: Jawfish

Jawfish is a security tool to test web applications. It can find related exploits and update according to an internal database.

Project details

Jawfish is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • security assessment
  • vulnerability scanning
  • web application analysis

Jawfish project page

74

Alternative: Suhosin

Suhosin is a security extension for PHP and consists of two parts that enhance PHP. It helps with protecting against known and unknown attacks.

Project details

Suhosin is written in C.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Well-known tool

Typical usage

  • application security

Suhosin project page

64

Alternative: Susanoo

Susanoo is a security tool to test the security of a REST API. With this focus, it goes beyond the typical attack surface of a web application.

Project details

Susanoo is written in Python.

Strengths

  • + The source code of this software is available

Typical usage

  • API testing
  • application testing

Susanoo project page

64

Alternative: Yasuo

Yasuo is a Ruby script that scans for vulnerable and exploitable third-party web applications.

Project details

Strengths

  • + The source code of this software is available

Typical usage

  • penetration test
  • vulnerability scanning
  • web application analysis

Yasuo project page

56

Alternative: Admin Page Finder (PHP)

Admin Page Finder is a tool written in PHP to find admin sections within a website. It can be used during pentesting and security assessments.

Project details

Admin Page Finder (PHP) is written in PHP.

Strengths

  • + The source code of this software is available

Weaknesses

  • - Unknown project license

Typical usage

  • penetration test
  • reconnaissance

Admin Page Finder (PHP) project page

59

Alternative: BlindElephant

BlindElephant is a security tool to perform fingerprinting of web applications. It can discover the name and version of known web applications.

100

Alternative: ZAP (zaproxy)

The OWASP Zed Attack Proxy (ZAP) helps to find security vulnerabilities in web applications during development and testing.

ZAP is an intercepting proxy of web traffic. You will need to configure your browser to connect to the web application you wish to test through ZAP.

Note: Zed Attack Proxy, or ZAP, is also known as zaproxy.

Project details

ZAP is written in Java.

Strengths

  • + More than 50 contributors
  • + More than 2000 GitHub stars
  • + Many maintainers
  • + The source code of this software is available

Weaknesses

  • - Many reported issues are still open

Typical usage

  • penetration test
  • security assessment
  • software testing

ZAP project page