If you are involved in vulnerability research, reverse engineering or

penetration testing, I suggest to try out the

[Python](http://www.python.org) programming language. It has a rich set

of useful libraries and programs. This page lists some of them.

Most of the listed tools are written in Python, others are just Python

bindings for existing C libraries, i.e. they make those libraries easily

usable from Python programs.

Some of the more aggressive tools (pentest frameworks, bluetooth

smashers, web application vulnerability scanners, war-dialers, etc.) are

left out, because the legal situation of these tools is still a bit

unclear in Germany -- even after the [decision of the highest

court](http://www.bundesverfassungsgericht.de/entscheidungen/rk20090518_2bvr223307.html).

This list is clearly meant to help whitehats, and for now I prefer to

err on the safe side.

- [Scapy](http://secdev.org/projects/scapy): send, sniff and dissect

and forge network packets. Usable interactively or as a library

- [pypcap](http://code.google.com/p/pypcap/),

[Pcapy](http://oss.coresecurity.com/projects/pcapy.html) and

[pylibpcap](http://pylibpcap.sourceforge.net/): several different

Python bindings for libpcap

- [libdnet](http://code.google.com/p/libdnet/): low-level networking

routines, including interface lookup and Ethernet frame transmission

- [dpkt](http://code.google.com/p/dpkt/): fast, simple packet

creation/parsing, with definitions for the basic TCP/IP protocols

- [Impacket](http://oss.coresecurity.com/projects/impacket.html):

craft and decode network packets. Includes support for higher-level

protocols such as NMB and SMB

- [pynids](http://jon.oberheide.org/pynids/): libnids wrapper offering

sniffing, IP defragmentation, TCP stream reassembly and port scan

detection

- [Dirtbags py-pcap](http://dirtbags.net/py-pcap.html): read pcap

files without libpcap

- [flowgrep](http://monkey.org/~jose/software/flowgrep/): grep through

packet payloads using regular expressions

- [Knock Subdomain Scan](http://code.google.com/p/knock/), enumerate

subdomains on a target domain through a wordlist

- [Mallory](https://bitbucket.org/IntrepidusGroup/mallory), extensible

TCP/UDP man-in-the-middle proxy, supports modifying non-standard

protocols on the fly

- [Pytbull](http://pytbull.sourceforge.net/): flexible IDS/IPS testing

framework (shipped with more than 300 tests)

- [Paimei](https://github.com/OpenRCE/paimei): reverse engineering

framework, includes [PyDBG](https://github.com/OpenRCE/pydbg), PIDA,

pGRAPH

- [Immunity

Debugger](http://www.immunityinc.com/products-immdbg.shtml):

scriptable GUI and command line debugger

- [mona.py](https://www.corelan.be/index.php/2011/07/14/mona-py-the-manual/):

PyCommand for Immunity Debugger that replaces and improves on

pvefindaddr

- [IDAPython](http://d-dome.net/idapython/): IDA Pro plugin that

integrates the Python programming language, allowing scripts to run

in IDA Pro

- [PyEMU](http://code.google.com/p/pyemu/): fully scriptable IA-32

emulator, useful for malware analysis

- [pefile](http://code.google.com/p/pefile/): read and work with

Portable Executable (aka PE) files

- [pydasm](http://code.google.com/p/libdasm/source/browse/trunk/pydasm/pydasm.c):

Python interface to the [libdasm](http://code.google.com/p/libdasm/)

x86 disassembling library

- [PyDbgEng](http://pydbgeng.sourceforge.net/): Python wrapper for the

Microsoft Windows Debugging Engine

- [uhooker](http://oss.coresecurity.com/projects/uhooker.htm):

intercept calls to API calls inside DLLs, and also arbitrary

addresses within the executable file in memory

- [diStorm](http://www.ragestorm.net/distorm/): disassembler library

for AMD64, licensed under the BSD license

- [python-ptrace](http://bitbucket.org/haypo/python-ptrace/wiki/Home):

debugger using ptrace (Linux, BSD and Darwin system call to trace

processes) written in Python

- [vdb / vtrace](http://code.google.com/p/vdebug/): vtrace is a

cross-platform process debugging API implemented in python, and vdb

is a debugger which uses it

- [Androguard](http://code.google.com/p/androguard/): reverse

engineering and analysis of Android applications

- [Capstone](http://www.capstone-engine.org/): lightweight

multi-platform, multi-architecture disassembly framework with Python

bindings

- [PyBFD](https://github.com/Groundworkstech/pybfd/): Python interface

to the GNU Binary File Descriptor (BFD) library

- [Sulley](https://github.com/OpenRCE/sulley): fuzzer development and

fuzz testing framework consisting of multiple extensible components

- [Peach Fuzzing Platform](http://peachfuzz.sourceforge.net/):

extensible fuzzing framework for generation and mutation based

fuzzing (v2 was written in Python)

- [antiparser](http://antiparser.sourceforge.net/): fuzz testing and

fault injection API

- [TAOF](http://sourceforge.net/projects/taof/), (The Art of Fuzzing)

including ProxyFuzz, a man-in-the-middle non-deterministic network

fuzzer

- [untidy](http://untidy.sourceforge.net/): general purpose XML fuzzer

- [Powerfuzzer](http://www.powerfuzzer.com/): highly automated and

fully customizable web fuzzer (HTTP protocol based application

fuzzer)

- [SMUDGE](http://www.fuzzing.org/wp-content/SMUDGE.zip)

- [Mistress](http://www.packetstormsecurity.org/fuzzer/mistress.rar):

probe file formats on the fly and protocols with malformed data,

based on pre-defined patterns

- [Fuzzbox](https://isecpartners.com/tools/application-security/fuzzbox.aspx):

multi-codec media fuzzer

- [Forensic Fuzzing

Tools](https://isecpartners.com/tools/application-security/forensic-fuzzing-tools.aspx):

generate fuzzed files, fuzzed file systems, and file systems

containing fuzzed files in order to test the robustness of forensics

tools and examination systems

- [Windows IPC Fuzzing

Tools](https://isecpartners.com/tools/application-security/windows-ipc-fuzzing-tools.aspx):

tools used to fuzz applications that use Windows Interprocess

Communication mechanisms

- [WSBang](https://www.isecpartners.com/tools/application-security/wsbang.aspx):

perform automated security testing of SOAP based web services

- [Construct](http://construct.wikispaces.com/): library for parsing

and building of data structures (binary or textual). Define your

data structures in a declarative manner

- [fuzzer.py

(feliam)](http://sites.google.com/site/felipeandresmanzano/fuzzer.py?attredirects=0):

simple fuzzer by Felipe Andres Manzano

- [Fusil](https://bitbucket.org/haypo/fusil/wiki/Home): Python library

used to write fuzzing programs

- [Requests](http://python-requests.org/): elegant and simple HTTP

library, built for human beings

- [HTTPie](http://httpie.org): human-friendly cURL-like command line

HTTP client

- [ProxMon](https://www.isecpartners.com/tools/application-security/proxmon.aspx):

processes proxy logs and reports discovered issues

- [WSMap](https://www.isecpartners.com/tools/application-security/wsmap.aspx):

find web service endpoints and discovery files

- [Twill](http://twill.idyll.org/): browse the Web from a command-line

interface. Supports automated Web testing

- [Ghost.py](http://jeanphix.me/Ghost.py/): webkit web client written

in Python

- [Windmill](http://www.getwindmill.com/): web testing tool designed

to let you painlessly automate and debug your web application

- [FunkLoad](http://funkload.nuxeo.org/): functional and load web

tester

- [spynner](http://code.google.com/p/spynner/): Programmatic web

browsing module for Python with Javascript/AJAX support

- [python-spidermonkey](http://code.google.com/p/python-spidermonkey/):

bridge to the Mozilla SpiderMonkey JavaScript engine; allows for the

evaluation and calling of Javascript scripts and functions

- [mitmproxy](http://mitmproxy.org/): SSL-capable, intercepting HTTP

proxy. Console interface allows traffic flows to be inspected and

edited on the fly

- [pathod / pathoc](http://pathod.net/): pathological daemon/client

for tormenting HTTP clients and servers

- [Volatility](https://www.volatilesystems.com/default/volatility/):

extract digital artifacts from volatile memory (RAM) samples

- [LibForensics](http://code.google.com/p/libforensics/): library for

developing digital forensics applications

- [TrIDLib](http://mark0.net/code-tridlib-e.html), identify file types

from their binary signatures. Now includes Python binding

- [aft](http://code.google.com/p/aft/): Android forensic toolkit

- [pyew](http://code.google.com/p/pyew/): command line hexadecimal

editor and disassembler, mainly to analyze malware

- [Exefilter](http://www.decalage.info/exefilter): filter file formats

in e-mails, web pages or files. Detects many common file formats and

can remove active content

- [pyClamAV](http://xael.org/norman/python/pyclamav/index.html): add

virus detection capabilities to your Python software

- [jsunpack-n](https://code.google.com/p/jsunpack-n/), generic

JavaScript unpacker: emulates browser functionality to detect

exploits that target browser and browser plug-in vulnerabilities

- [yara-python](http://code.google.com/p/yara-project/source/browse/trunk/yara-python/README):

identify and classify malware samples

- [phoneyc](http://code.google.com/p/phoneyc/): pure Python

honeyclient implementation

- [Didier Stevens' PDF

tools](http://blog.didierstevens.com/programs/pdf-tools): analyse,

identify and create PDF files (includes

[PDFiD](http://blog.didierstevens.com/programs/pdf-tools/#pdfid),

[pdf-parser](http://blog.didierstevens.com/programs/pdf-tools/#pdf-parser)

and

[make-pdf](http://blog.didierstevens.com/programs/pdf-tools/#make-pdf)

and mPDF)

- [Opaf](http://code.google.com/p/opaf/): Open PDF Analysis Framework.

Converts PDF to an XML tree that can be analyzed and modified.

- [Origapy](http://www.decalage.info/python/origapy): Python wrapper

for the Origami Ruby module which sanitizes PDF files

- [pyPDF](http://pybrary.net/pyPdf/): pure Python PDF toolkit: extract

info, spilt, merge, crop, encrypt, decrypt...

- [PDFMiner](http://www.unixuser.org/~euske/python/pdfminer/index.html):

extract text from PDF files

- [python-poppler-qt4](http://code.google.com/p/python-poppler-qt4/):

Python binding for the Poppler PDF library, including Qt4 support

- [InlineEgg](http://oss.coresecurity.com/projects/inlineegg.html):

toolbox of classes for writing small assembly programs in Python

- [Exomind](http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=Exomind):

framework for building decorated graphs and developing open-source

intelligence modules and ideas, centered on social network services,

search engines and instant messaging

- [RevHosts](http://www.securityfocus.com/tools/3851): enumerate

virtual hosts for a given IP address

- [simplejson](https://github.com/simplejson/simplejson/): JSON

encoder/decoder, e.g. to use [Google's AJAX

API](http://dcortesi.com/2008/05/28/google-ajax-search-api-example-python-code/)

- [PyMangle](http://code.google.com/p/pymangle/): command line tool

and a python library used to create word lists for use with other

penetration testing tools

- [Hachoir](https://bitbucket.org/haypo/hachoir/wiki/Home): view and

edit a binary stream field by field

- [py-mangle](http://code.google.com/p/pymangle/): command line tool

and a python library used to create word lists for use with other

penetration testing tools

- [IPython](http://ipython.scipy.org/): enhanced interactive Python

shell with many features for object introspection, system shell

access, and its own special command system

- [Beautiful Soup](http://www.crummy.com/software/BeautifulSoup/):

HTML parser optimized for screen-scraping

- [matplotlib](http://matplotlib.sourceforge.net/): make 2D plots of

arrays

- [Mayavi](http://code.enthought.com/projects/mayavi/): 3D scientific

data visualization and plotting

- [RTGraph3D](http://www.secdev.org/projects/rtgraph3d/): create

dynamic graphs in 3D

- [Twisted](http://twistedmatrix.com/): event-driven networking engine

- [Suds](https://fedorahosted.org/suds/): lightweight SOAP client for

consuming Web Services

- [M2Crypto](http://chandlerproject.org/bin/view/Projects/MeTooCrypto):

most complete OpenSSL wrapper

- [NetworkX](http://networkx.lanl.gov/): graph library (edges, nodes)

- [Pandas](http://pandas.pydata.org/): library providing

high-performance, easy-to-use data structures and data analysis

tools

- [pyparsing](http://pyparsing.wikispaces.com/): general parsing

module

- [lxml](http://lxml.de/): most feature-rich and easy-to-use library

for working with XML and HTML in the Python language

- [Whoosh](https://bitbucket.org/mchaput/whoosh/): fast, featureful

full-text indexing and searching library implemented in pure Python

- [Pexpect](http://www.noah.org/wiki/Pexpect): control and automate

other programs, similar to Don Libes \`Expect\` system

- [Sikuli](http://groups.csail.mit.edu/uid/sikuli/), visual technology

to search and automate GUIs using screenshots. Scriptable in

[Jython](http://www.jython.org/)

- [PyQt](http://www.riverbankcomputing.co.uk/software/pyqt) and

[PySide](http://www.pyside.org/): Python bindings for the Qt

application framework and GUI library

The [Python Arsenal for Reverse

Engineering](http://pythonarsenal.erpscan.com/) is a large collection of

tools related to reverse engineering.

There is a SANS paper about Python libraries helpful for forensic

analysis

[(PDF)](http://www.sans.org/reading_room/whitepapers/incident/grow-forensic-tools-taxonomy-python-libraries-helpful-forensic-analysis_33453).

For more Python libaries, please have a look at

[PyPI](http://pypi.python.org/pypi), the Python Package Index.