🐐 GoatOS

Web/API Pentesting Linux Distribution

Unlike Kali/Parrot that try to do everything, GoatOS focuses exclusively on Web & API security testing.

Documentation | Getting Started | Tools

---

Why GoatOS?

	Kali/Parrot	GoatOS
Focus	Everything	Web/API only
Size	3-4GB+	~2GB
Tools	600+ (bloat)	Curated
Theme	Generic	GoatSecurity Dark

---

Features

🔧 Pre-installed Tools

Category	Tools
Recon	subfinder, httpx, katana, dnsx
Scanning	nuclei, nikto, whatweb, nmap
Fuzzing	ffuf
SQLi/XSS	sqlmap
Proxy	Burp Suite, mitmproxy
API	Postman, httpie, jwt-hack
Dev	VSCodium, Docker, Obsidian

📚 Wordlists & Cheatsheets

/opt/wordlists/     - SecLists, PayloadsAllTheThings
/opt/cheatsheets/   - Offline guides

🎨 GoatSecurity Theme

• Pure black (#000000) background
• Custom GNOME Shell, Plymouth, GRUB
• Chromium with uBlock Origin, Bitwarden, Dark Reader

📝 Report Generator

goat-report                    # Interactive mode
goat-report -p "Client" -t "target.com"

🌐 VPN & Labs Ready

htb-vpn your-file.ovpn         # HackTheBox
vuln-lab                       # Start DVWA
juice-shop                     # Start Juice Shop

---

Quick Commands

Command	Description
recon <domain>	Subdomain enumeration
webscan <url>	Vulnerability scan
fuzz <url>/FUZZ	Directory fuzzing
goat-update	Update Go tools
goat-report	Generate report
goat-usb <iso>	Write ISO to USB

---

Documentation

📖 Full documentation available in docs/

• Getting Started
• Web Pentesting Guide
• API Testing Guide
• Reporting Guide
• Tools Reference

---

Building

sudo apt install live-build debootstrap
cd goatos && rm -f .build
sudo lb clean --purge
sudo lb config
sudo lb build

---

Default Credentials

User	Password
user	live

---

Made with 🐐 by GoatSecurity