Cazador is Web Application Penetration toolkit for bug bounty hunters.
- HTTP Server
- DNS Server
- TCP Server
- POSTMessage Hooker
- Websocket Hooker
- HTTP/JS-Files/Binary Analyze
- Analyze Files (Binary , Metadata, Text files, Js sinks)
- Get DNS Records
- Resolve Hosts
- Reverse IPs
- Passive DNS
- DNS History
- Text Processing
- Block construct
- Format generator
- pattern creation
- Encrypt/Decrypt data
- Hash Identification
- Payload Generators
- Poc Generators (Python , bash , HTML)
- Get Websites ScreenShots
- GET Subdomains (Scrabbing , Minning , DNS-brute-force,Http-brute-force)
- Site categorizer
- s3/GC bucket enumeration
- Github Lister
- Ip History
- Detect Misconfiguration
- Port/vulnerability/ssl scanner
- Vulnerability Exploiters
- Waf Detection
- Download Android apps (APK)
- Travis-CI logs fetching
Tools discussed separately here
if the app is not working proberly , Download this archive dlls.zip and extract the dll files , put them in application folder , beside the executable file
- This tool is meant primarily for bug hunnters (specially beginers).
- This tool is not backdoored with any malicious software/tracking .
- This tool contains bugs more than features so use it carefully.
- Connections are issued using the .Net (SystemDotWeb) which is slow and limited by design , consider using many threads, this will be replaced with another solution.
- Memory is not carefully managed so be carefull , do not use all the tools at the same time.
- Do not use it illegally
- Tools starting with _ are not built yet , i added buttons to remmember writing them so i could build them in future, hence no need to reverse engineer the tool in order to enable them , if you have time feel free to do it no problem.
- Many third-parties are used without permitssion no APIS used.
- The source code is not published because the tool is a beta and the code is uggly and worse than my hand writing.
- Project is planned to be open-source with the first release.
- Suggestions are deeply welcome.
- Credits are reserved for all authors and third-parties.