The 20 Most Popular Penetration Testing Tools of 2025#
001 Hijacker v1.5#
A multi-functional WiFi cracking tool for Android.
Project address: github.com/chrisk44/Hij
Features: View nearby WiFi and device lists, obtain access point information, disconnect others, capture packets, etc.
002 Findomain v0.9.3#
The fastest and cross-platform subdomain enumerator.
Project address: github.com/Edu4rdSHL/findomain
Features: Subdomain monitoring, API queries, DNS over TLS support, check if a domain resolves, output to file, etc.
003 EagleEye#
A friend tracker that uses image recognition and reverse image search to find their Instagram, Facebook, and Twitter profiles.
Project address: github.com/ThoughtfulDe/EagleEye
Features: Requires at least one photo of the friend (must be a .jpg file) and their name or nickname, often with less accurate information.
004 ANDRAX v4#
A penetration testing platform for Android.
Official website: andrax.thecrackertechnology.com
Features: Supports Android 5.0+, portable, over 900 open-source tools, over 1000 attack types.
005 CQTools#
The latest Windows hacking toolkit.
Documentation: cqureacademy.com/blog
Features: Comprehensive attacks starting from sniffing and spoofing activities, through information gathering, password extraction, custom shellcode generation, etc.
006 Sampler#
A tool for Shell command execution, visualization, and alerts (configured using a simple YAML file).
Project address: github.com/sqshq/sample
Official website: sampler.dev
Features: Can sample any dynamic process directly from the terminal, observe changes in the database, monitor MQ real-time messages, etc.
007 LOIC 1.0.8#
Network stress tester.
Address: sourceforge.net/project/LOIC
Features: Performs DoS attacks by sending TCP or UDP packets to the server.
008 EasySploit#
Metasploit automation tool.
Project address: github.com/KALILINUXTRI/EasySploit
Features: Scans targets for vulnerabilities to ms17_010, exploits Windows systems using only IP.
009 SQLMap#
An automated SQL injection and database takeover tool.
Project address: github.com/sqlmapproject/sqlmap
010 ScanQLi#
A simple SQL injection scanner.
Project address: github.com/bambish/ScanQLi
Features: Can only detect SQLi, cannot exploit.
011 OKadminFinder#
Admin panel scanner.
Project address: github.com/mIcHyAmRaNe/OKadminFinder
Features: Rich dictionary, self-updating proxy.
012 Shellphish#
Phishing tool for 18 social media platforms.
Project address: github.com/thelinuxchoi/Shellphish
013 DNS Shell#
Interactive shell over DNS channels.
Features: Executes queries via nslookup and queries new commands from the server.
014 QRLJacker v2.0#
A new social engineering attack surface.
Project address: github.com/OWASP/QRLJacker
Features: Phishing attacks via QR codes.
015 PhoneSploit#
Exploits Android devices using open ADB ports.
Project address: github.com/metachar/PhoneSploit
Features: Captures wpa_supplicant, toggles WiFi on/off, retrieves battery status, etc.
016 SocialBox#
A brute-force attack framework coded by Belahsan Ouerghi.
Project address: github.com/Cyb0r9/SocialBox
017 Instainsane#
A shell script that can perform multi-threaded brute-force attacks on Instagram.
Project address: github.com/thelinuxchoi/Instainsane
Features: Multi-threaded, saves/restores sessions, checks valid usernames anonymously via TOR.
018 Tool-X#
Kali Linux hacker tool installer.
Project address: github.com/Rajkumrdusad/Tool-X
Features: Installs nearly 370 hacking tools in termux and other Android terminals.
019 Hacktronian#
A multi-functional hacking tool for Linux and Android.
Official website: thehackingsage.github.io
Project address: github.com/thehackingsage/Hacktronian
Features: Information gathering, password cracking, wireless testing, etc.
020 Ultimate Facebook Scraper#
Can scrape almost all content from Facebook user profiles.
Project address: github.com/harismuneer/Facebook-Scraper
Features: Scrapes all public posts, photos, friend lists, etc., available on user timelines.