PTF alternatives

Looking for an alternative tool to replace PTF? During the review of PTF we looked at other open source tools. Based on their category, tags, and text, these are the ones that have the best match.

Top 3

  1. fsociety (penetration testing framework)
  2. Exploit Pack (penetration testing framework)
  3. Social-Engineer Toolkit (social engineering toolkit)

These tools are ranked as the best alternatives to PTF.

Alternatives (by score)

64

fsociety

Introduction

The fsociety toolkit is a penetration framework containing other security tools. The project states that is includes all the tools that are used in the Mr. Robot tv series.

Project details

fsociety is written in Python.

Strengths and weaknesses

  • + More than 10 contributors
  • + More than 2000 GitHub stars
  • + The source code of this software is available
  • - Full name of author is unknown

Typical usage

  • Penetration testing
  • Security assessment

fsociety review

78

Exploit Pack

Introduction

Penetration testing has a lot of repeating tasks, especially when doing similar assignments for clients. For this reason, tools like Exploit Pack help with automating repeating activities. This framework contains over 38.000 exploits, probably much more than one might ever need.

Project details

Exploit Pack is written in Java, Python.

Strengths and weaknesses

  • + Project is mature (10+ years)
  • + The source code of this software is available
  • - No releases on GitHub available

Typical usage

  • Penetration testing

Exploit Pack review

78

Social-Engineer Toolkit (SET)

Introduction

The Social-Engineer Toolkit (SET) is an open source penetration testing framework. SET is written in Python and helps with assignments that require social engineering. The toolkit has been presented at large-scale conferences like Black Hat and DEF CON and covered in several books. This publicity definitely helped to make it more familiar in the information security community.

Project details

Social-Engineer Toolkit is written in Python.

Strengths and weaknesses

  • + More than 50 contributors
  • + More than 3000 GitHub stars
  • + The source code of this software is available

    Typical usage

    • Social engineering

    Social-Engineer Toolkit review

    64

    CMSeeK

    Introduction

    CMSeeK is a security scanner for content management systems (CMS). It can perform a wide range of functions starting from the detection of the CMS, up to vulnerability scanning. The tool claims to support over 100 different CMS tools, with extensive support for the commonly used ones like Drupal, Joomla, and WordPress.

    The scans performed by CMSeeK include version detection. It can also do enumeration of users, plugins, and themes. This might be useful to see what users or components are available. The tool includes admin page discovery, file discovery, and directory listing. Anything that might be useful to a penetration test or security assessment, might be displayed.

    Project details

    CMSeeK is written in Python.

    Strengths and weaknesses

    • + The source code of this software is available
    • - Full name of author is unknown

    Typical usage

    • Penetration testing
    • Software exploitation
    • Software identification
    • Vulnerability scanning

    CMSeeK review

    44

    Pacman

    Introduction

    Pacman is the default package manager for Arch Linux. The main differences with other package managers include the focus on a binary package format and the underlying build system for software. Its goal is to keep the system up-to-date, especially as Arch Linux is considered to be a 'rolling release'. By using a server/client model it synchronizes package lists and allows the user to install the latest available packages.

    Project details

    Pacman is written in C.

    Strengths and weaknesses

    • + Project is mature (10+ years)
    • + The source code of this software is available

      Pacman review

      60

      arch-audit

      Introduction

      Arch-audit is a small utility that scans the system for known vulnerabilities on Arch Linux. It can be used by users of the Linux distribution to know when to update and what packages have weaknesses. With Arch Linux being a rolling distribution, this may improve the interval or timing of software patching.

      Project details

      arch-audit is written in Rust.

      Strengths and weaknesses

      • + The source code of this software is available

        Typical usage

        • Software management
        • Vulnerability scanning

        arch-audit review

        60

        Gitrob

        Introduction

        Especially open source developers may share their code in a public repository like GitHub. This is a great way to collaborate between the developer(s) and the community. The risk of sharing code is that sensitive data is part of the repository and uploaded by accident. GitRob helps to detect this kind of accidental leaks.

        Project details

        Gitrob is written in Ruby.

        Strengths and weaknesses

        • + More than 1000 GitHub stars
        • + The source code of this software is available

          Typical usage

          • Data leak prevention
          • Information gathering
          • Penetration testing
          • Security assessment

          Gitrob review

          100

          ZAP (Zed Attack Proxy)

          Introduction

          ZAP is an intercepting proxy of web traffic. You will need to configure your browser to connect to the web application you wish to test through ZAP.

          Note: Zed Attack Proxy, or ZAP, is also known as zaproxy.

          Project details

          ZAP is written in Java.

          Strengths and weaknesses

          • + More than 50 contributors
          • + More than 8000 GitHub stars
          • + Many maintainers
          • + The source code of this software is available
          • - Many reported issues are still open

          Typical usage

          • Penetration testing
          • Security assessment
          • Software testing
          • Web application analysis

          ZAP review

          60

          APT2 (apt2)

          Introduction

          APT2 stands for Automated Penetration Testing Toolkit.

          APT2 performs a scan with Nmap or can import the results of a scan from Nexpose or Nessus. The processed results will be used in the second phase. This phase launches exploit and enumeration modules. It helps pentesters to automate assessments and tasks.

          Suggested components to have installed: convert, dirb, hydra, java, john, ldapsearch, msfconsole, nmap, nmblookup, phantomjs, responder, rpcclient, secretsdump.py, smbclient, snmpwalk, sslscan, xwd

          Project details

          APT2 is written in Python.

          Strengths and weaknesses

          • + The source code of this software is available

            Typical usage

            • Penetration testing
            • Security assessment

            APT2 review

            70

            BeEF

            Introduction

            BeEF is used by penetration testers to assess the security of a system by leveraging the web browser. This makes the tool different to many other tools, as it ignores the security on network or system level. It uses command modules from within the web browser to perform requested attacks against the system.

            Project details

            100

            Faraday

            Introduction

            Faraday helps teams to collaborate when working on penetration tests or vulnerability management. It stores related security information in one place, which can be easily tracked and tested by other colleagues.

            Project details

            Faraday is written in Python.

            Strengths and weaknesses

            • + Commercial support available
            • + More than 1000 GitHub stars
            • + The source code of this software is available

              Typical usage

              • Collaboration
              • Penetration testing
              • Security assessment
              • Vulnerability scanning

              Faraday review

              60

              InstaRecon

              Introduction

              InstaRecon is a security tool that can help with the reconnaissance phase of a penetration test. It can collect a number of data points with limited input.

              Project details

              InstaRecon is written in Python.

              Strengths and weaknesses

              • + The source code of this software is available

                Typical usage

                • Penetration testing
                • Reconnaissance

                InstaRecon review

                74

                Metasploit Framework

                Introduction

                Metasploit is a framework that consists of tools to perform security assignments. It focuses on the offensive side of security and leverages exploit modules.

                Project details

                Metasploit Framework is written in Ruby.

                Strengths and weaknesses

                • + More than 400 contributors
                • + More than 9000 stars
                • + Many maintainers
                • + The source code of this software is available
                • + Supported by a large company
                • + Well-known tool

                  Typical usage

                  • Penetration testing
                  • Security assessment
                  • Vulnerability scanning

                  Metasploit Framework review

                  64

                  OWTF (Offensive Web Testing Framework)

                  Introduction

                  OWTF is short for Offensive Web Testing Framework and it is one of the many OWASP projects to improve security.

                  Project details

                  OWTF is written in Python.

                  Strengths and weaknesses

                  • + More than 25 contributors
                  • + More than 500 GitHub stars
                  • + The source code of this software is available

                    Typical usage

                    • Penetration testing
                    • Security assessment

                    OWTF review

                    74

                    SearchSploit

                    Introduction

                    SearchSploit is a small by OffensiveSecurity to search for exploits and related data in the exploit database (Exploit-DB). This may help penetration testers in their security assignments.

                    Project details

                    SearchSploit is written in shell script.

                    Strengths and weaknesses

                    • + The source code is easy to read and understand
                    • + Tool is easy to use
                    • + Used language is shell script
                    • - Full name of author is unknown

                    Typical usage

                    • Information gathering
                    • Penetration testing
                    • Service exploitation
                    • System exploitation
                    • Vulnerability testing

                    SearchSploit review

                    52

                    Sn1per

                    Introduction

                    Sn1per is security scanner that can be used during a penetration test to enumerate and scan for vulnerabilities.

                    Project details

                    Sn1per is written in Python, shell script.

                    Strengths and weaknesses

                    • + More than 10 contributors
                    • + More than 1000 GitHub stars
                    • + The source code of this software is available
                    • - Unknown project license

                    Typical usage

                    • Penetration testing
                    • Reconnaissance

                    Sn1per review

                    60

                    TheDoc

                    Introduction

                    TheDoc is a tool written in shell-script to automate the usage of sqlmap. It comes with a built-in admin finder and hash cracker, using the Hashcat tool.

                    Project details

                    TheDoc is written in shell script.

                    Strengths and weaknesses

                    • + Used language is shell script
                    • + Very low number of dependencies
                    • + The source code of this software is available
                    • - Full name of author is unknown
                    • - Unknown project license

                    Typical usage

                    • Penetration testing

                    TheDoc review

                    64

                    WarBerryPi

                    Introduction

                    WarBerryPi is a toolkit to provide a hardware implant during Physical penetration testing or red teaming. The primary goal of the tool is to obtain as much information as possible, in a short period of time. The secondary goal is to be stealthy to avoid detection. As the name implies, the tool can be used on a small device like a RaspberryPi.

                    Another use-case of WarBerryPi is to be an entry point to the network. In that case, a 3G connection is suggested, to avoid the outgoing network filtering (egress rules).

                    Project details

                    WarBerryPi is written in Python.

                    Strengths and weaknesses

                    • + More than 2000 GitHub stars
                    • + The source code of this software is available
                    • - Minimal or no documentation available
                    • - No releases on GitHub available

                    Typical usage

                    • Information gathering
                    • Information snooping
                    • Penetration testing
                    • Red teaming

                    WarBerryPi review

                    56

                    domain

                    Introduction

                    Domain is a Python script written by Jason Haddix to combine the tools Recon-ng and altdns. It allows to use the two tool one multiple domains within the same session.

                    Project details

                    domain is written in Python.

                    Strengths and weaknesses

                    • + More than 500 GitHub stars
                    • + The source code of this software is available
                    • - Unknown project license

                    Typical usage

                    • Subdomain enumeration

                    domain review

                    56

                    p0f

                    Introduction

                    This tool is a great addition to nmap, especially if that reveals not reliable data or none at all. Due to the passive way of working, it won't be detected nor influences any connection.

                    - Version 3 of p0f is a full rewrite
                    - The idea for p0f dates back to June 10, 2000
                    - Tool can run in foreground or as a daemon process

                    Common uses for p0f include reconnaissance during penetration tests; routine network monitoring; detection of unauthorized network interconnects in corporate environments; providing signals for abuse-prevention tools; and miscellaneous forensics.

                    Project details

                    Strengths and weaknesses

                    • + Project is mature (10+ years)
                    • + The source code of this software is available
                    • + Well-known tool

                      p0f review

                      Some relevant tool missing as an alternative to PTF? Please contact us with your suggestion.