Web/API Pentesting Linux Distribution
Unlike Kali/Parrot that try to do everything, GoatOS focuses exclusively on Web & API security testing.
| Kali/Parrot | GoatOS | |
|---|---|---|
| Focus | Everything | Web/API only |
| Size | 3-4GB+ | ~2GB |
| Tools | 600+ (bloat) | Curated |
| Theme | Generic | GoatSecurity Dark |
| Category | Tools |
|---|---|
| Recon | subfinder, httpx, katana, dnsx |
| Scanning | nuclei, nikto, whatweb, nmap |
| Fuzzing | ffuf |
| SQLi/XSS | sqlmap |
| Proxy | Burp Suite, mitmproxy |
| API | Postman, httpie, jwt-hack |
| Dev | VSCodium, Docker, Obsidian |
/opt/wordlists/ - SecLists, PayloadsAllTheThings
/opt/cheatsheets/ - Offline guides
- Pure black (
#000000) background - Custom GNOME Shell, Plymouth, GRUB
- Chromium with uBlock Origin, Bitwarden, Dark Reader
goat-report # Interactive mode
goat-report -p "Client" -t "target.com"htb-vpn your-file.ovpn # HackTheBox
vuln-lab # Start DVWA
juice-shop # Start Juice Shop| Command | Description |
|---|---|
recon <domain> |
Subdomain enumeration |
webscan <url> |
Vulnerability scan |
fuzz <url>/FUZZ |
Directory fuzzing |
goat-update |
Update Go tools |
goat-report |
Generate report |
goat-usb <iso> |
Write ISO to USB |
📖 Full documentation available in docs/
sudo apt install live-build debootstrap
cd goatos && rm -f .build
sudo lb clean --purge
sudo lb config
sudo lb build| User | Password |
|---|---|
user |
live |
Made with 🐐 by GoatSecurity