# App Pentest Toolkit

### Web Proxy and Scanner Tools

* [Burp Suite](https://portswigger.net/burp): Industry-standard web proxy for manual and automated web application security testing.
* [OWASP ZAP](https://www.zaproxy.org/): Open-source alternative to Burp Suite for web security scanning.
* [Caido](https://caido.io/): Modern, lightweight, open-source web security auditing platform for HTTP/S traffic inspection, request modification, endpoint mapping, and collaboration.

### Automated Vulnerability Scanners

* [w3af](https://w3af.org/): Open-source web application attack and audit framework.
* [Nikto](https://github.com/sullo/nikto): Web server scanner for finding vulnerabilities and misconfigurations.
* [Skipfish](https://github.com/spinkham/skipfish): Automated web application security scanner.

### Exploitation and Fuzzing

* [SQLMap](https://sqlmap.org/): Automated tool for detecting and exploiting SQL injection vulnerabilities.
* [WFuzz](https://github.com/xmendez/wfuzz): Flexible web application brute-forcer for fuzzing parameters.
* [Hydra](https://github.com/vanhauser-thc/thc-hydra): Fast and flexible network login cracker with web support.
* [Metasploit](https://github.com/rapid7/metasploit-framework): Comprehensive exploitation and payload framework.
* [Ratproxy](https://github.com/google/ratproxy): Passive web application security assessment tool.

### Reconnaissance and Surface Mapping

* [Nmap](https://nmap.org/): Powerful network scanner to map attack surfaces and discover open services.
* [Amass](https://github.com/owasp-amass/amass): Advanced external asset discovery and mapping for recon.

### Password and Hash Cracking

* [John the Ripper](https://www.openwall.com/john/): Widely used password cracker with broad hash support.
* [Hashcat](https://hashcat.net/hashcat/): GPU-accelerated password recovery utility.

### Network Traffic Analysis

* [Wireshark](https://www.wireshark.org/): Deep packet analyzer for inspecting and debugging network traffic.

### Wordlists and Payloads

* [SecLists](https://github.com/danielmiessler/SecLists): Extensive collection of wordlists for fuzzing and discovery.
* [PayloadAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings): Curated catalog of attack payloads and exploitation cheat sheets.

### Operating Systems

* [Kali Linux](https://www.kali.org/): Popular Linux distro pre-installed with most major pentest tools.
* [Athena OS](https://athenaos.org/): Linux-based cybersecurity operating system, tailored for penetration testers, red teams, and researchers with a pre-packed pentesting toolkit.