Defense Evasion
OSINT
| Repository | Description |
| --- | --- |
| Cloudmare | Cloudflare, Sucuri, Incapsula real IP tracker. |
| crt.sh | Find certificates based on a domain name. Can be used to find subdomains. |
| DorkSearch | Premade Google dork queries. |
| ExifTool | Read (and modify) metadata of files. |
| FaceCheck.ID | Reverse image lookup based on facial recognition. |
| Hunter | Find company email format and list of employee email addresses. |
| osintframework | An online database of OSINT tools. |
| PimEyes | Reverse image lookup based on facial recognition. |
| Recon-NG | Reconnaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| ScrapeIn | Scrapes LinkedIn to create a list of employee email addresses (for use in Initial Access). |
| SecurityTrails | Extensive DNS information. |
| Shodan | Scans for all digital assets. |
| SpiderFoot | Automatic OSINT analysis. |
| TheHarvester | Collects names, emails, IPs, and subdomains of a target. |
Reconnaissance
| Repository | Description |
| --- | --- |
| altdns | Subdomain enumeration using mutated wordlists. |
| AWSBucketDump | Enumerate AWS S3 buckets to find interesting files. |
| CameRadar | Cameradar hacks its way into RTSP video surveillance cameras. |
| CloudBrute | Enumerates "the cloud" (Google, AWS, DigitalOcean, etc.) to find infrastructure, files, and apps for a given target. |
| dirb | Web application directory / file fuzzer to find other pages. |
| DNSDumpster | Online tool for DNS information of a domain. |
| feroxbuster | Web application directory / file fuzzer to find other pages. |
| gobuster | Web application directory / file fuzzer to find other pages, with support for DNS and vhost fuzzing. |
| GoWitness | Screenshots webpages. Supports multi-domain lists and Nmap output. |
| Masscan | Like nmap, but faster (thus, not stealthy). |
| Nikto | Web server scanner to perform security checks on a web server. |
| Nmap | Finds open ports on a network. Additionally can detect version, OS, and more. |
| Raccoon | All-in-one reconnaissance: port/service scans, dirbusting, and web application retrieval. |
| Recon-NG | Reconnaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| subfinder | Passive subdomain discovery tool. |
| wappalyzer | Identify what frameworks a website runs. |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
Social Engineering
| Repository | Description |
| --- | --- |
| evilginx | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication. |
| GoPhish | Phishing campaign framework to compromise user credentials. |
| msfvenom | Generate malicious payloads for social engineering (e.g. VBA, .exe, etc.). |
| Social Engineering Toolkit | Social engineering framework. |
| SpoofCheck | Checks if a domain can be spoofed. |
| zphisher | Phishing campaign framework to compromise user credentials. |
Leaked Credentials
Web Exploitation
| Repository | Description |
| --- | --- |
| Arachni | Web Application Security Scanner Framework. |
| burpsuite | Full web testing suite, including proxied requests. |
| Caido | Full web testing suite, including proxied requests. (Like Burp but written in Rust.) |
| dirb | Web application directory/file fuzzer. |
| dotGit | A Firefox and Chrome extension that shows you if there is an exposed `.git` directory. |
| feroxbuster | Web application directory/file fuzzer. |
| flask-unsign | Decode, bruteforce, and craft Flask session tokens. |
| gobuster | Web application directory/file/DNS/vhost fuzzing. |
| Nikto | Web server scanner to perform security checks on a web server. |
| nosqlmap | Performs automated NoSQL injection tests. |
| PayloadsAllTheThings | Useful payloads for a variety of attacks such as SQLi, IDOR, XSS, etc. |
| sqlmap | Performs automated SQL injection tests. |
| w3af | Web application attack and audit framework. |
| wappalyzer | Identify what frameworks a website runs. |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
Wireless
| Repository | Description |
| --- | --- |
| Aircrack-ng | Aircrack-ng is a complete suite of tools to assess WiFi network security. |
| Kismet | Sniffer, WIDS, and wardriving tool for Wi-Fi, Bluetooth, Zigbee, RF, and more. |
| Reaver | Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases. |
| Wifite | Python script to automate wireless auditing using aircrack-ng tools. |
| WifiPhisher | The Rogue Access Point Framework. |
Initial Access
| Repository | Description |
| --- | --- |
| Easysploit | Automatic Metasploit payload generator and shell listener. |
| Impacket | A tool to perform Kerberos pre-auth bruteforcing (ASREP roast) via GetNPUsers.py. |
| Kerbrute | A tool to perform Kerberos pre-auth bruteforcing (ASREP roast). |
| Medusa | Bruteforcer with multiple protocol support. |
| Metasploit | Exploit framework that can be used for initial access and/or post-exploitation. |
| NetExec | Bruteforce common Windows protocols (WinRM, LDAP, RDP, SMB, WMI, etc.). Try username `null` or `''` and password `''` for unauthenticated access. |
| Searchsploit | Search ExploitDB for exploits. |
| TeamFiltration | Cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. |
| THC-Hydra | Bruteforcer with multiple protocol support. |
| TREVORspray | Advanced password spraying tool for Active Directory environments. |
C2 Frameworks
C2 frameworks can be considered both initial access and post-exploitation, as they generate payloads to be used in phishing campaigns (initial access) and provide access to the host machine when run (post-exploitation).
| Repository | Description |
| --- | --- |
| Cobalt Strike | Most robust and advanced C2 framework (also paid). |
| Pupy | Python and C C2 framework. |
| Sliver | Go C2 framework. |
| Villain | Python and PowerShell C2 framework. |
Post Exploitation
Modules for lateral movement, exfiltration, system enumeration, and more.
| Repository | Description |
| --- | --- |
| BloodHound | Active Directory visualizer, useful for finding misconfigurations and/or the shortest path to Domain Admin. |
| BloodHound.py | Remote Python data ingestor for BloodHound. |
| Impacket | A collection of Python scripts useful for Windows targets: psexec, smbexec, kerberoasting, ticket attacks, etc. |
| Mimikatz | Mimikatz is both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit. |
| nishang | Offensive PowerShell for red team, penetration testing and offensive security. |
| PowerHub | Post-exploitation module for bypassing endpoint protection and running arbitrary files. |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privilege escalation, etc. |
| SharpHound | C# data ingestor for BloodHound. (Recommend SharpHound.ps1 for the BloodHound Kali version.) |
Privilege Escalation
These tools automatically enumerate the current user's privileges and try to find misconfigurations that would allow escalation to `root` and/or `NT AUTHORITY\SYSTEM`.
| Repository | Description |
| --- | --- |
| BeRoot | Automated Windows, Linux, and Mac privilege escalation path discovery tool. |
| GTFOBins | Unix binaries that can be used to bypass local security restrictions in misconfigured systems. |
| Invoke-PrivescCheck | Automated Windows privilege escalation path discovery tool. |
| PEASS-ng | Automated Windows, Linux, and Mac privilege escalation path discovery tool. |
| PowerUp | Automated Windows privilege escalation path discovery tool. |
Exfiltration
Data exfiltration
| Repository | Description |
| --- | --- |
| DNSExfiltrator | Data exfiltration over a DNS request covert channel. |
Credential Dumping
These tools help dump cached credentials from a system.
| Repository | Description |
| --- | --- |
| certsync | Dump NTDS with golden certificates and UnPAC the hash. |
| Dumpert | LSASS memory dumper using direct system calls and API unhooking. |
| Impacket | Dump domain credentials via DCSync or from NTDS.DIT/SAM with secretsdump.py. |
| Mimikatz | Dump local and domain credentials with the sekurlsa and lsadump modules. |
Password Cracking
These tools assist in uncovering passwords, whether it be for a hash or for password spraying attempts.
| Repository | Description |
| --- | --- |
| CeWL | Scrape websites to generate wordlists. |
| crunch | Generate wordlists based on requirements such as minimum and maximum length, character sets, etc. |
| Cupp | Utilize OSINT to create password candidates for a specific person. |
| hashcat | Password cracking tool. |
| JohnTheRipper | Password cracking tool. |
| Mentalist | A GUI for wordlist generation based on rules such as appending, prepending, etc. |
AI / LLM
This section will probably be outdated quickly.
| Repository | Description |
| --- | --- |
| HarmBench | A standardized evaluation framework for automated red teaming and robust refusal. |
| Adversarial Suffix | Jailbreak based on prepending a potentially malicious query. |
| AutoDAN-Turbo | Black-box jailbreak method that can automatically discover as many jailbreak strategies as possible from scratch. |
| Best-of-N | Black-box algorithm that jailbreaks frontier AI systems across modalities (text, image, vision) by mutating the original query. |