DigDeep is a Java‑based tool that efficiently extracts nearly one hundred types of high‑, medium‑, and low‑risk sensitive data from source files across cloud, mini‑program, app, and web environments, offering recursive scanning, risk‑level filtering, deduplication, and multi‑format export to aid security audits.
In a production‑environment penetration test, the researcher leveraged DeepSeek V4 Pro via a custom Claude Code bridge to craft an XML‑parsing‑error‑based Boolean blind SQL injection that evaded WAF keyword filters, allowing character‑by‑character extraction of all 19 database names within two hours at a cost of only ¥1.4.
The article details a step‑by‑step penetration test of an educational network, starting with a weak external credential on a virtual teaching lab, harvesting teacher IDs, exploiting default webvpn and SSLVPN logins, and ultimately reaching an internal WebLogic server, highlighting the danger of weak passwords in schools.
AutoPentestX is an open‑source, Linux‑focused automated penetration testing framework that integrates tools like Nmap, Nikto, SQLMap and Metasploit into a single command workflow, stores results in SQLite, generates detailed PDF reports, and includes installation, usage instructions, legal compliance notes, and future development plans.
CeWL 5.0, the Ruby‑based custom wordlist generator, now supports proxy configuration and HTTP Basic/Digest authentication, enabling penetration testers to crawl credential‑protected internal sites and extract targeted vocabulary for password‑cracking tools such as John the Ripper.
HackingTool is an open‑source all‑in‑one penetration‑testing toolbox that bundles over 185 security tools into a single interactive terminal menu, offering quick one‑command installation, Docker support, and categorized modules that streamline red‑team workflows.
Pentest‑AI is an MIT‑licensed, locally‑run framework that automates reconnaissance, authentication, vulnerability chaining, PoC validation, and report generation for web, AD, cloud, and more, delivering a client‑ready Markdown/HTML/PDF/SARIF report in about four minutes with a single command.
Phalanx is an open‑source, polyglot‑based automation framework for Kali Linux that coordinates Python, Bash and other scripts, provides a planner, engine and reporting modules, integrates with tools like Nmap and Metasploit, and generates traceable logs for efficient and flexible penetration testing.
This article details a step‑by‑step penetration test on a university’s web platform, covering XSS file uploads, JWT tampering for arbitrary login, massive personal data leakage, SQL injection payloads, and the exposure of several AK/SK secrets, all with concrete screenshots and commands.
DrozerForge is a Python tool that parses an app's AndroidManifest.xml, automatically discovers security‑relevant components such as risky global settings, exported activities, deep‑link URLs, services/receivers, and content providers, and then prints ready‑to‑run Drozer commands for each finding.
This article documents a complete penetration test on a newly deployed environment, detailing how weak credentials, unauthenticated services, and misconfigurations in MSSQL, Nacos, Oracle, Telnet, OA, NC, Redis, Spring, and frontend assets were systematically discovered and exploited, with step‑by‑step screenshots illustrating each compromise.
During an authorized penetration test of a financial institution’s website protected by Alibaba Cloud WAF, the author discovered a SQL injection point, used MySQL’s chain‑comparison feature to close the injection, identified the database type, and crafted boolean‑based payloads—including POSITION and binary tricks—to extract the current user name character by character.
It warns that over‑reliance on AI‑based automatic penetration tools erodes manual reverse‑engineering skills, jeopardizes national cyber defense, and endangers colleagues, urging security experts to retain hands‑on expertise and avoid becoming dependent on AI.
This article compiles the most frequently used Linux commands for security professionals, covering file handling, text processing, permission control, system monitoring, compression, file searching, other common utilities, and command combinations, each illustrated with clear screenshots for quick reference.
Kali Linux 2026.1 arrives with a Linux 6.18 kernel, a refreshed visual theme, a nostalgic BackTrack mode, eight new security tools, significant NetHunter mobile‑pentesting enhancements, and important cautions for SDR users, while offering multiple download options for various platforms.
This article walks through a real‑world mobile app penetration, covering how to detect and strip protection, unpack the APK, bypass root checks, exploit exported components, extract unencrypted backups and credentials, and harvest leaked OSS tokens, all illustrated with concrete commands and screenshots.
This article compiles over 700 high‑quality open‑source security projects from GitHub, categorised by functional scenarios such as automated reconnaissance, information gathering, vulnerability exploitation, internal network penetration, evasion, and incident response, providing a comprehensive practical toolkit for red‑team, blue‑team and security researchers.
Shannon is an AI‑driven penetration testing agent that automatically discovers, exploits, and reports vulnerabilities with zero false positives, achieving a 96.15% exploit success rate across OWASP Juice Shop and other benchmarks, while offering fully autonomous operation, code‑aware attacks, and parallel processing.
At RSAC 2026, ProjectDiscovery launched Neo, an AI‑powered, end‑to‑end autonomous penetration testing platform that integrates 30+ security agents, delivers verifiable exploits, and outperformed traditional scanners by finding 66 vulnerabilities—including 24 unseen by any other tool—in three AI‑generated full‑stack applications.
This article details a step‑by‑step penetration test where an AI Agent on Kali Linux, invoked via the OpenClaw framework, automatically performs environment checks, deep scanning, vulnerability discovery, bulk fingerprint searching, and report generation, highlighting both its efficiencies and remaining manual decision points.
The article details an authorized penetration test of a university campus app, revealing sensitive data leakage, horizontal and vertical privilege escalation, face‑photo tampering, and a stored XSS flaw, each demonstrated step‑by‑step with packet captures and screenshots.
Shannon Lite, an open-source AI-driven white-box penetration testing tool from Keygraph, automatically analyzes source code and performs real-world attacks on web applications and APIs, delivering exploitable vulnerability reports with a 96.15% success rate, and integrates seamlessly into CI/CD pipelines for rapid security testing.
Shannon, an autonomous AI-driven penetration testing agent, bridges the speed‑security gap created by rapid AI‑assisted coding by automatically analyzing source code, mapping attack paths, and executing real exploits, achieving a 96.15% success rate on the XBOW benchmark and uncovering over 20 critical flaws in the OWASP Juice Shop demo.
This article presents a thorough mobile app penetration‑testing guide covering objectives, scope, testing methods, step‑by‑step workflow, recommended tools, reporting structure, and remediation advice to help developers and security professionals secure their applications.
This article explains the core logic of internal firewalls, outlines compliant bypass techniques for boundary, segmentation, and host firewalls, and then details step‑by‑step lateral movement methods—including credential reuse, tunneling, and legitimate tool abuse—while emphasizing safe, authorized testing practices.
This guide compiles 100 high‑frequency native commands for Windows and Linux that cover internal network reconnaissance, host discovery, lateral movement, privilege escalation, domain enumeration, file searching, log cleaning and persistence, providing a practical reference for security professionals conducting penetration tests.
A joint study by Wiz and Irregular pits leading LLM agents against a senior pentester across ten real‑world vulnerability scenarios, revealing that AI can breach nine targets at under $10 per attack yet still lags in tool usage, creative reasoning, and prioritisation, offering crucial insights for security professionals.
This article systematically details the most frequently encountered privilege‑escalation flaws in penetration testing, covering Windows service misconfigurations, registry hijacking, kernel exploits, DLL hijacking, Linux SUID/SGID abuse, sudo misconfigurations, cron abuse, writable passwd files, and Docker escape techniques, along with step‑by‑step exploitation procedures and defensive recommendations.
The author walks through a penetration test of a corporate training platform, capturing plaintext login traffic, extracting captchas, enumerating user accounts, discovering shared passwords, and fuzzing a course‑id parameter that reveals absolute file paths, ultimately identifying only medium‑severity issues.
This article provides a step‑by‑step technical guide for gathering internal network credentials—including Windows memory dumping with Mimikatz, Linux /etc shadow extraction, network service scanning with SharpScan, Kerberoasting attacks, password‑spraying tactics, and defensive recommendations—targeted at authorized penetration‑testing scenarios.
This guide walks through 30 hands‑on web penetration testing techniques covering the full workflow—from information gathering and vulnerability discovery to privilege escalation, internal network pivoting, and defense evasion—providing concrete commands, tool recommendations, and real‑world tips for security engineers and testers.
This article explains the core logic of internal firewalls, outlines practical techniques for bypassing boundary, segmentation, and host firewalls—including legitimate‑port tunneling, rule‑configuration flaws, jump‑host exploitation, and tunneling methods—and then details step‑by‑step credential‑reuse and tool‑abuse strategies for stealthy lateral movement within a compromised network.
After adopting AI coding tools like Claude Code and Codex, developers see productivity soar, but faster code introduces more vulnerabilities; the open‑source project Shannon, now topping GitHub Trending, acts as an autonomous AI penetration tester that attacks your web app, proves exploits, and reports only successful attacks, helping secure AI‑generated code.
The article compares penetration testing and internet exposure surface detection, outlining their definitions, processes, tools, typical use cases, distinct goals and methodologies, and recommends combining both for a comprehensive security assessment.
BugTrace‑AI is an open‑source suite that combines generative AI with SAST, DAST, and specialized reconnaissance and payload tools to automate vulnerability hypothesis generation, streamline scanning, and provide actionable reports, all delivered through a lightweight React interface and Docker deployment.
Kali Linux 2025.3 arrives with restored Nexmon wireless injection, a revamped VM image build process, removal of ARMEL support, Xfce desktop tweaks, mobile and automotive security upgrades, plus ten brand‑new penetration‑testing tools and detailed upgrade instructions.
Wireshark, the open‑source packet analyzer formerly known as Ethereal, captures live network traffic on Windows and UNIX systems and is widely used for network management, security analysis, troubleshooting, and especially penetration testing, offering capabilities such as data capture, unencrypted information detection, attack behavior analysis, vulnerability discovery, and real‑time monitoring.
This article explains what vulnerability scanning is and provides concise, step‑by‑step instructions for using four popular security scanners—Xray, X‑Scan, IBM AppScan, and Nessus—including download links, command‑line examples, plugin selection, and result export, while omitting promotional content.
This guide presents a comprehensive network security shell script library, outlining modular design principles, a categorized inventory of over 180 scripts for reconnaissance, vulnerability scanning, monitoring, incident response, credential management, automation, and utility tools, along with practical build strategies and usage tips for secure, portable deployments.
ZAP (Zed Attack Proxy) is an OWASP open-source web application security testing tool that offers proxy interception, active and passive scanning, integrates with CI/CD pipelines, and supports manual and automated testing to detect vulnerabilities such as SQL injection, XSS, SSRF, and compliance issues.
Explore comprehensive Docker container security from an attacker’s perspective to expert defenses, featuring real-world escape incidents, threat matrices, five detailed penetration testing scenarios, enterprise-grade protection frameworks, monitoring scripts, and actionable best practices for securing images, runtimes, networks, and access controls.
ZAP (Zed Attack Proxy), an OWASP open‑source web application security testing tool, offers proxy interception, active and passive scanning, CI/CD integration via Docker or command line, and is suited for penetration testing, DevSecOps, and compliance checks such as OWASP Top 10 and PCI DSS.
Tscanplus is a comprehensive network security and operations platform that quickly discovers and identifies assets, builds an asset database, and offers features such as port scanning, service detection, URL fingerprinting, POC validation, weak‑password guessing, encoding tools, privilege‑escalation aids, and more, with usage screenshots and a GitHub download link.
Explore the most common Kali Linux penetration testing utilities—including Nmap, Metasploit, Hydra, Wireshark, and more—organized by categories such as information gathering, vulnerability exploitation, password cracking, and network monitoring, with brief usage commands and guidance for each tool.
A comprehensive cheat sheet of high‑frequency Linux penetration‑testing commands covering system information, package management, user handling, compression, file operations, Samba access, shell bypass techniques, miscellaneous utilities, bash history clearing, filesystem permissions, and privilege‑escalation tips.
This article explains the structure of JSON Web Tokens, enumerates common attack vectors such as algorithm confusion, weak keys, replay, header injection, and provides practical mitigation steps and a step‑by‑step testing methodology with relevant tools and code examples.
This article introduces seven leading penetration testing tools—including Kali Linux, Metasploit, Wireshark, Nmap, Burp Suite, Acunetix, and Nessus—detailing their primary features and how they help security professionals identify and mitigate vulnerabilities effectively.
Web application penetration testing is a systematic security assessment that identifies vulnerabilities such as SQL injection, XSS, CSRF, insecure authentication, and file‑upload flaws, using methods ranging from black‑box to manual testing, and follows best practices like OWASP guidelines to protect data, privacy, and system integrity.
This guide lists the most common Kali Linux penetration testing utilities—including Nmap, Metasploit, Hydra, Wireshark, and many others—explaining their primary functions and providing concise command‑line examples for quick reference.
The article explains how Python's simplicity, extensive ecosystem, versatility, and strong automation capabilities make it a preferred language for cybersecurity professionals, outlining five key reasons and showcasing typical use cases such as network scanning, penetration testing, malware analysis, security auditing, and tool development.
This guide details multiple traffic‑proxy and port‑forwarding techniques—FRP, reGeorg + Proxifier, SSH dynamic tunnels, Earthworm with SocksCap, and proxychains-ng—providing step‑by‑step commands, configuration files, and practical examples for penetrating isolated internal networks.
Learn how to bypass internal network restrictions during penetration testing by using frp port forwarding, reGeorg with Proxifier, SSH dynamic tunnels, and Earthworm/Ew tools, complete with step‑by‑step commands, configuration files, and practical examples for establishing reliable internal proxies.
Kali Linux, a Debian‑based distribution maintained by Offensive Security, bundles over 600 penetration‑testing and digital‑forensics tools such as Metasploit, Nmap, Wireshark, Aircrack‑ng and John the Ripper, making it a preferred platform for security professionals in testing, forensics, and network defense.
jws-cli is a Python‑based, extensible one‑click information collection and scanning tool that automates subdomain discovery, CDN and WAF detection, port and C‑segment scanning, and integrates third‑party vulnerability scanners, offering visual reports and email delivery for rapid penetration testing workflows.
This article provides a detailed, step‑by‑step tutorial for installing and activating Burp Suite Professional, covering file extraction, PowerShell script execution, license entry, manual activation, and final verification, complemented by screenshots for each major step.
This article provides a detailed curriculum for a penetration testing training program, covering operating system basics, web services, database setup, Kali Linux installation, various hacking tools, common web vulnerabilities, SQL injection techniques, command execution, file upload and inclusion flaws, XSS, CSRF, SSRF, privilege escalation, and internal network exploitation.
This guide explains why penetration testers need a target’s true IP, how to detect CDN usage, and provides step‑by‑step techniques—including same‑country queries, sub‑domain probing, DNS history checks, FOFA searches, email reverse lookup, and full‑network scanning—to uncover the real server address.
This guide introduces Watchdog, an upgraded, web-based security platform derived from Bayonet, and provides step-by-step instructions for installing, configuring, and deploying it across multiple Ubuntu nodes, including database setup, Flask service launch, and activation of sub-domain, port, URL, and Xray scanning modules.
This guide explains why CDNs hide a site's true IP, how to determine if a website uses a CDN, and outlines practical techniques—including DNS queries, online tools, sub‑domain analysis, email reverse lookup, and scanning scripts—to bypass the CDN and discover the real server address.
siusiu is a Docker‑based penetration testing toolbox that bundles more than 50 security utilities, offers an interactive console for listing, downloading, and running tools, supports non‑interactive mode, and can be installed via binary, Git, or Go with detailed usage commands.
siusiu is a Docker‑based penetration testing toolbox that bundles dozens of security utilities as Docker images, offering an easy‑to‑use console, multiple installation methods, and a rich command set for both interactive and scripted security assessments.
This article explains why cloud platforms rely on access keys, describes common scenarios where AK/SK credentials are exposed, provides practical examples such as heapdump and JavaScript leaks, and shows how attackers can hijack storage buckets or execute commands on compromised cloud hosts.
Kevin Mitnick, once dubbed the world’s most famous hacker and the first to be pursued by the FBI, transformed from a teenage social‑engineering prodigy into a celebrated information‑security consultant, author, and founder of Mitnick Security, leaving a lasting impact on computer security after his 2023 death.
This tutorial walks beginners through the entire process of compromising a WordPress website, from initial information gathering and DNS enumeration to vulnerability scanning, exploitation with tools like sqlmap and nmap, privilege escalation, and establishing persistent backdoors.
An in‑depth comparison of Kali Linux and Parrot OS examines their origins, pre‑installed security tools, customization options, hardware requirements, user interfaces, and performance, helping security professionals and enthusiasts choose the most suitable Linux distribution for penetration testing and privacy‑focused work.
This article reviews the ten most popular vulnerability scanning tools—including OpenVAS, Tripwire IP360, Nessus, and others—detailing their key features, scanning capabilities, deployment options, and typical use cases to help security professionals choose the right solution for network and application vulnerability assessment.
This guide reviews the ten leading vulnerability scanning solutions, detailing each tool's key features, deployment options, and how they help organizations detect and remediate security weaknesses across networks, servers, cloud and container environments.
This step‑by‑step guide shows how to enable monitor mode, capture WPA2 handshakes, and perform a dictionary attack using Aircrack‑ng on a Kali Linux system, covering device detection, network scanning, packet capture, and password cracking commands.
This guide compiles essential Linux and Windows commands—including wget, curl, PowerShell, and Netcat—that enable attackers to download files to compromised hosts when direct transfer is unavailable, covering usage, options, and practical examples for each tool.
This article compiles a thorough list of Android security testing resources, covering online analysis platforms, static and dynamic analysis utilities, vulnerability scanners, reverse‑engineering tools, fuzzers, app‑repackaging detectors, market crawlers, miscellaneous aids, and references to academic publications and bug‑bounty programs.
This article provides concise answers to 24 common questions about white‑hat hacking, covering definitions, tools, attack techniques such as footprinting, brute‑force, DoS, SQL injection, ARP spoofing, XSS, and practical defenses like input validation, firewalls, encryption, and secure coding practices.
The article explains the importance of security testing within DevSecOps, outlines key testing methods such as SAST, DAST, IAST, and SCA, discusses penetration testing, and describes Huawei Cloud's comprehensive security testing framework and practices for ensuring software safety in modern development pipelines.
This comprehensive guide explains what white‑hat hackers are, the differences between IP and MAC addresses, common hacking tools, hacker types, footprinting methods, brute‑force and DoS attacks, SQL injection, network sniffing, ARP spoofing, MAC flooding, rogue DHCP, XSS, Burp Suite, domain pharming, prevention tactics, keyloggers, enumeration, NTP, MIB, password‑cracking techniques, attack phases, and CSRF protection, offering a solid foundation for cybersecurity awareness.
This comprehensive FAQ explains key information‑security concepts, covering white‑hat hacking, IP vs MAC addresses, common penetration‑testing tools, hacker types, footprinting methods, brute‑force, DoS, SQL injection, sniffing, ARP spoofing, MAC flooding, rogue DHCP, XSS, Burp Suite, pharming, defacement, website protection, keyloggers, enumeration, NTP, MIB, password‑cracking techniques, attack stages, and CSRF mitigation.
This article reviews the ten most popular vulnerability scanning tools, describing their key features, deployment options, and how they help identify and remediate security weaknesses across servers, networks, cloud and container environments.
This step‑by‑step guide demonstrates how to enumerate a vulnerable host, identify and fingerprint its Web Application Firewall, apply multiple WAF‑bypass techniques—including fuzzing, command injection, binary abuse and URL‑encoding tricks—to obtain a stable shell, perform privilege escalation, decode a JWT token and finally retrieve the root flag.txt.
This article introduces ethical hacking and presents nine widely used security tools—including Nmap, Nessus, Nikto, Kismet, NetStumbler, Acunetix, Netsparker, Intruder, and Metasploit—detailing their main features, platforms, and how they help professionals identify vulnerabilities and protect networks.
This article introduces concise penetration testing dictionaries and shares a high‑efficiency brute‑force wordlist, providing free resources for security engineers seeking effective attack payloads and encouraging community access to valuable cybersecurity tools.
This article introduces several widely used internal network penetration and tunneling tools—including NPS, FRP, EW, and Ngrok—explains their core principles, features, and provides step‑by‑step installation and configuration commands for exposing services such as HTTP, SSH, RDP, and file sharing to the public internet.
This article compiles common file download commands and tools used in penetration testing for both Linux and Windows environments, covering utilities such as wget, curl, axel, aria2, PowerShell, certutil, bitsadmin, and others, with example syntax for direct, background, and resumable transfers.
This article details a step‑by‑step penetration testing process where the author captures network traffic from a mobile app, enumerates hidden API endpoints, exploits injection flaws to retrieve backend credentials, examines upload validation, and ultimately gains admin access while highlighting the challenges faced.
The author recounts a step‑by‑step penetration test against a fraudulent reseller, detailing OSINT gathering, port scanning, FTP brute‑forcing, JavaScript injection, location tracking, domain hijacking, and the deployment of custom Python scripts for each stage.
This article provides a comprehensive analysis of SQL injection vulnerabilities, covering their principles, testing tools, repair methods, and defense strategies, with practical implementation guidance for secure web application development.
This comprehensive guide explains how to improve penetration testing efficiency by focusing on port enumeration, banner grabbing, service identification, default port knowledge, and a variety of attack techniques—including brute‑force, exploitation of known vulnerabilities, and protocol‑specific tricks—across common network services and applications.
This guide walks you through creating a Docker‑powered environment that includes a graphical Kali Linux workstation and a web target machine with MySQL and Tomcat, covering Docker installation, image preparation, container configuration, remote desktop setup, and database integration for hands‑on information‑security practice.
This article presents a curated list of network security utilities—including anti‑malware, scanners, encryption, IDS, port scanners, exploit frameworks, monitoring, proxies, wireless, rootkit detectors, and packet sniffers—each with brief descriptions and download links for aspiring security practitioners.
This article explains how attackers discover vulnerable internet‑connected cameras by using searchable databases like ZoomEye and Shodan, as well as by scanning IP ranges for common camera ports, and highlights the ethical considerations of such techniques.
This tutorial walks you through a complete web penetration test on the fictional site hack‑test.com, covering DNS enumeration, server fingerprinting, vulnerability scanning with Nikto and w3af, exploiting SQL injection via sqlmap, uploading a PHP webshell, gaining a reverse shell, and finally escalating to root privileges on a Linux server.
An in‑depth walkthrough demonstrates how to identify, analyze, and attack a QQ phishing website—revealing its URL, POST parameters, using Python to flood it with fake credentials, performing WHOIS, ping, nmap, and w3af scans, uncovering backend details, and discussing mitigation strategies.
The article details a step‑by‑step penetration test of a seemingly empty financial web application, describing how hidden JavaScript files and a discovered /xxxapi/file/pdf/view endpoint were leveraged to craft an SSRF payload that accessed internal services such as Elasticsearch, illustrating practical web security exploitation techniques.
This article explains how to employ Burp Suite to conduct comprehensive penetration testing on the ZhiXin mobile app, covering setup, proxy configuration, detection of sensitive data leaks, privilege escalation, XSS, and SQL injection vulnerabilities, and provides remediation recommendations.
This article lists the ten most popular Linux distributions used for penetration testing and ethical hacking, describing each distro's base, key features, target audience, and providing official download links for quick access.
This article explains what Kali Linux is, provides the official download link, and walks you through creating a VirtualBox VM, configuring settings, performing a graphical installation, and highlights important security warnings for using this penetration‑testing distribution.
This article presents a curated list of the ten most popular Linux distributions used for penetration testing and ethical hacking, detailing each distro's base system, key features, toolsets, and where to download them, helping security professionals choose the right platform for their needs.
This guide lists the most popular Linux distributions used for ethical hacking and penetration testing, describing each distro's base, key features, toolsets, and providing download links for quick setup on various platforms.
After gathering reconnaissance data in a penetration test, this article reviews seven popular web vulnerability scanners, outlining their core capabilities, typical usage scenarios, and visual screenshots to help security professionals choose the right tool for detecting SQL injection, XSS, file inclusion, and other common web flaws.
This article provides a detailed walkthrough of web penetration testing steps, extensive Q&A on common vulnerabilities such as SQL injection, XSS, CSRF, SSRF, file inclusion, privilege escalation methods, mitigation strategies, and interview preparation tips for security professionals.
This article compiles a comprehensive, categorized collection of penetration testing resources—including anonymity tools, antivirus evasion utilities, books, CTF frameworks, Docker containers, network analysis tools, OSINT platforms, and more—providing security professionals and researchers with a valuable reference for offensive security engagements.
This article explains the fundamentals of web security, outlines typical web architecture, classifies penetration testing approaches, enumerates common vulnerabilities such as SQL injection, XSS, file upload and deserialization, and discusses how attackers combine these flaws to launch advanced exploits.
This guide walks through installing Drozer, configuring port forwarding, connecting the console, and using a variety of commands to enumerate packages, activities, content providers, services, and broadcast receivers on Android devices, while also addressing common errors and demonstrating vulnerability scans such as SQL injection and directory traversal.
