All tools

Active Directory attack workflow: enumeration, Kerberoasting, AS-REP roasting, credential dumping, and lateral movement on authorized engagements.

Wi-Fi security auditing suite — capture with airodump-ng, deauth with aireplay-ng, crack WPA with aircrack-ng.

In-depth attack surface mapping and subdomain enumeration via passive and active techniques.

HTTP parameter discovery tool for finding hidden GET and POST parameters.

Find domains and subdomains related to a given domain using passive sources (Tom Hudson).

GUI digital forensics platform built on The Sleuth Kit for disk images, timelines, keyword search, and artifact parsing.

Command-line interface for AWS enumeration, credential validation, and misconfiguration discovery during cloud assessments.

Microsoft Azure command-line tool for subscription, VM, storage, and Entra ID enumeration in cloud pentests.

Bash scripting syntax and one-liners — variables, loops, conditionals, and text processing for automation and pentesting.

Modern network attack and monitoring framework for ARP/DNS spoofing, sniffing, and credential attacks on authorized LANs.

Firmware and file analysis tool that scans for embedded files and extracts hidden archives.

Map Active Directory attack paths from SharpHound/SharpHound data collectors.

Stack-based buffer overflow workflow: fuzz, find the offset, control EIP, find bad chars, locate a JMP ESP, and get a shell.

Integrated web proxy and testing platform for intercepting, modifying, and automating HTTP traffic.

Internet-wide scan data and certificate intelligence for hosts, services, and attack surface research.

Spider a site and build a custom wordlist from discovered words.

Quick report of binary security mitigations (RELRO, stack canary, NX, PIE, Fortify).

Fast TCP/UDP tunnel over HTTP(S) for pivoting through compromised hosts when SSH is unavailable.

OS command injection payloads, separators, blind detection, and filter bypasses for achieving RCE on authorized targets.

Automated command injection detection and exploitation in web parameters and headers.

Swiss-army SMB/WinRM/LDAP/MSSQL tool for AD enumeration and credential testing.

Cron syntax reference and commands for scheduling jobs on Linux — plus persistence and privesc angles for pentesters.

Generate custom wordlists from charset and length rules.

Versatile CLI for HTTP(S), file transfer, headers, and scripting web/API tests during pentests.

Fast parameter-based XSS scanner and proof-of-concept generator for web apps.

DNS lookup utility for querying record types, tracing resolution, and debugging DNSSEC.

Classic web content scanner using wordlists to discover hidden directories and files.

Perl DNS enumerator for zone transfers, subdomain brute force, reverse lookups, and WHOIS.

Python DNS enumeration tool for records, zone transfers, brute force, and cache snooping.

Container runtime CLI for building images, inspecting deployments, and testing container breakout and misconfiguration paths.

CMS scanner focused on Drupal, Silverstripe, and WordPress plugin enumeration.

Modern SMB/LDAP/RPC enumerator for Windows and Samba hosts—users, groups, shares, and policies.

LAN MITM framework for ARP poisoning, sniffing, and filter-based traffic manipulation on authorized networks.

WinRM shell and file transfer for post-exploitation on Windows hosts.

Read and write metadata in images, documents, and media — GPS, camera info, author fields, and hidden tags.

Recursive content discovery tool with smart filtering, backups, and automatic extraction of new URLs.

Fast web fuzzer for directories, parameters, vhosts, and header injection with flexible matchers.

DNS reconnaissance tool that locates non-contiguous IP space near target domains.

Identify file types from magic bytes — essential before choosing exploit, extraction, or analysis tools.

Move files to and from compromised Linux and Windows hosts — HTTP, SMB, netcat, base64, and living-off-the-land binaries.

File carving tool that recovers files from disk images by header/footer signatures when filesystem metadata is missing.

GNU debugger for binary analysis with GEF or Pwndbg for heap, registers, and exploit-oriented views.

Version control CLI for cloning repos, hunting exposed secrets in history, and recovering source during web assessments.

Fast directory, DNS, vhost, and S3 bucket brute-forcer written in Go.

GCP command-line tool for project enumeration, IAM review, compute instances, and storage access testing.

GnuPG commands for encrypting files, signing, and managing keys — symmetric and public-key workflows.

Interactive helper to guess hash type for cracking tools.

GPU-accelerated offline password and hash recovery.

Custom TCP/UDP/ICMP packet crafting for firewall testing, traceroute, and port probing on authorized hosts.

Fast HTTP probe for live URLs, status codes, titles, and tech fingerprinting from host lists.

Parallelized online login brute-forcer for many protocols.

Python toolkit for SMB, Kerberos, and Windows protocol attacks.

Versatile offline password cracker with automatic format detection.

Joomla CMS vulnerability scanner and version or component enumerator.

jq command-line JSON processor — filter, transform, and extract fields from API responses and tool output.

JSON Web Token attacks: alg=none, weak secret cracking, key confusion (RS256→HS256), and claim tampering on authorized targets.

JSON Web Token testing for algorithm confusion, weak secrets, and claim tampering.

Fast Kerberos user enumeration and password spraying without LDAP.

Kubernetes CLI for cluster enumeration, secret access, and pod exec during authorized K8s penetration tests.

Dump and HTML-report Active Directory LDAP data for offline review.

Local file inclusion and directory traversal payloads, PHP wrappers, and log-poisoning RCE for authorized testing.

Advanced pivoting via TUN interface and agent — cleaner routing than SOCKS for multi-host internal scans.

Essential Linux command-line reference — files, permissions, processes, networking, and search for everyday and pentest use.

Enumeration and escalation paths to go from a low-privilege shell to root on Linux during authorized engagements.

Generate candidate passwords from Hashcat-style mask syntax.

High-speed Internet-scale port scanner for rapid discovery before deeper nmap enumeration.

Fast, modular parallel login brute-forcer (Foofus Medusa).

Modular exploitation framework for scanning, exploiting, and post-exploitation with msfconsole, handlers, and msfvenom.

Windows credential extraction and Kerberos manipulation (lab-only).

Interactive TLS-capable HTTP proxy for intercepting, replaying, and scripting web traffic.

Generate and encode standalone payloads (reverse shells, shellcode, MSI/EXE/ELF) for authorized exploitation.

TCP/UDP connect, listen, and port relay for banners, shells, and file transfer on authorized networks.

Modern CrackMapExec successor for AD protocol abuse and automation.

Expose local services to the internet for reverse shells, webhooks, and phishing callbacks during authorized tests.

Web server scanner for dangerous files, misconfigurations, and outdated software indicators.

Network mapper for host discovery, port scanning, service/version detection, and NSE scripting.

Interactive and non-interactive DNS query tool available on Linux and Windows for basic record lookups.

Template-based fast scanner for CVEs, misconfigs, and exposures across HTTP, DNS, and more.

Disassemble ELF binaries, inspect sections, symbols, and relocations for exploit development.

Cryptography toolkit for certificate inspection, TLS testing, and encoding/hashing in pentests and forensics.

Windows NTLM/LM rainbow-table cracker with GUI and live CD heritage.

Open-source intelligence workflow: domains, emails, people, breaches, and infrastructure using Google dorks and free OSINT tools.

Open-source web app security proxy with passive/active scanning and automation API.

AWS exploitation framework with modules for privilege escalation, persistence, and data exfiltration after key compromise.

Mines archived URLs to extract unique parameters for a domain from web archives.

Password cracking workflow: identify the hash, pick the right mode, and crack offline (hashcat/john) or online (hydra) on authorized targets.

Multi-purpose brute-forcer with flexible modules and conditions.

SSH tunneling, port forwarding, SOCKS proxies, and pivoting with chisel/ligolo to reach internal networks during authorized engagements.

PowerShell commands for Windows enumeration, download/execution, and offensive one-liners during authorized engagements.

AWS (and multi-cloud) security assessment tool with hundreds of checks mapped to CIS, PCI, and custom compliance frameworks.

Force TCP connections through SOCKS4/5 or HTTP proxies for pivoting during authorized internal assessments.

Python library for exploit development, remote/local process interaction, and ROP/shellcode workflows.

Modular reconnaissance framework with workspaces, modules, and API-driven OSINT collectors.

Regular expression syntax reference plus ready-to-use patterns for grepping IPs, hashes, emails, and secrets.

LLMNR/NBT-NS/mDNS poisoner and rogue authentication server for capturing NetNTLM hashes on authorized Windows networks.

One-liners and staged payloads for bash, Python, and PowerShell reverse shells during authorized penetration tests.

Classic ROP gadget finder with --ropchain auto-generation for simple execve/sh chains.

ROP gadget search tool supporting ELF/PE with semantic filtering and chain building helpers.

MS-RPC client for SAMR/LSA enumeration and user management via null or authenticated sessions on authorized domains.

Kerberos abuse toolkit for ticket requests, roasting, and delegation attacks.

Fast port scanner that pipes discovered ports directly into Nmap for scripting and version detection.

Multi-cloud security auditing tool that generates HTML reports highlighting misconfigurations and risky permissions.

Command-line search of Exploit-DB for public exploits, shellcode, and papers by keyword or CVE.

Search engine for Internet-connected devices, banners, ports, and exposed services via CLI and web.

Enumerate SMB: shares, null sessions, users, and versions with nmap, netexec, smbclient, and enum4linux on authorized networks.

SMB/CIFS client for share enumeration, file access, and null-session testing on authorized Windows hosts.

Bidirectional data relay for shells, port forwarding, and protocol bridging on authorized networks.

OSINT automation platform correlating IPs, domains, emails, breaches, and social data from 200+ modules.

Manual SQL injection payloads and techniques for detection, UNION extraction, blind, and authentication bypass on authorized targets.

Automated SQL injection detection and exploitation for web parameters, headers, and cookies.

Secure shell for remote access, port forwarding, SOCKS proxies, and file transfer during authorized engagements.

Transparent proxy/VPN over SSH — route subnets through a compromised SSH host without modifying sshd config.

Server-side request forgery payloads: cloud metadata access, internal port scanning, filter bypasses, and blind SSRF detection.

SSRF exploitation framework with modules for cloud metadata, port scan, and shell.

Steganography and hidden-data extraction for CTF and forensics: images, audio, files, and embedded archives.

Extract printable strings from binaries and dumps to find URLs, flags, passwords, and error messages.

Find subdomains via passive sources, DNS brute force, certificate transparency, and permutation — then probe which are live.

Fast passive subdomain discovery using curated OSINT sources and API integrations.

Command-line packet capture and filtering for authorized network analysis and troubleshooting.

CLI forensic toolkit to analyze disk images — partition tables, inode listing, and file carving without GUI.

OSINT gathering for emails, subdomains, hosts, and employee names from public sources.

Terminal multiplexer for persistent sessions, split panes, and windows — keep shells alive across SSH drops.

Server-Side Template Injection detection and exploitation for multiple template engines.

Scanner for container images, filesystems, and IaC (Terraform, K8s) for CVEs and misconfigurations.

CLI Wireshark for capture, display filters, and protocol field extraction on authorized traffic.

Endpoint visibility and digital forensic platform with VQL for hunting, collections, and incident response at scale.

Vim editor commands — modes, motions, editing, search/replace, and the survival basics for editing files on remote shells.

Memory forensics framework for extracting processes, credentials, and malware artifacts from RAM dumps.

Identifies Web Application Firewalls in front of targets to tune bypass and testing strategy.

Python web fuzzer for brute-forcing parameters, directories, and headers with flexible filters.

Non-interactive downloader for mirroring sites, retrieving payloads, and recursive cloning during recon.

Web technology fingerprinter identifying CMS, frameworks, plugins, and server headers.

Wireless attack workflow: monitor mode, recon, WPA/WPA2 handshake capture, deauth, and offline cracking on authorized networks.

Windows CMD command reference — files, users, networking, services, and enumeration commands for admins and pentesters.

Enumeration and escalation paths from a low-privilege Windows user to SYSTEM or Administrator on authorized engagements.

Wireshark display and capture filter syntax for slicing packet captures during analysis and forensics.

WordPress security scanner for users, plugins, themes, and known vulnerabilities.

Hidden parameter discovery via response status, body, and reflection diffing.

Cross-site scripting payloads and filter bypasses for reflected, stored, and DOM-based XSS on authorized targets.

Advanced XSS detection with context analysis, fuzzing, and WAF-aware payload generation.

XML External Entity payloads for file read, SSRF, blind out-of-band exfiltration, and denial of service on authorized targets.

Pattern matching language to identify malware families, IOCs, and suspicious byte sequences in files and memory.