Defense Evasion
| Repository | Description |
|---|---|
| Amsi-Bypass-PowerShell | AMSI bypasses (most are patched, but can be obfuscated to bypass). |
| AMSITrigger | Finds which string(s) trigger AMSI. |
| chameleon | PowerShell script obfuscator. |
| Invisi-Shell | Used to bypass PowerShell security (logging, AMSI, etc). |
| Invoke-Obfuscation | PowerShell script obfuscator. |
| ISESteroids | PowerShell script obfuscator. |
| Invoke-Stealth | PowerShell script obfuscator. |
| UPX | PE packer. |
| Unprotect | Contains malware evasion techniques along with PoC. |
OSINT
| Repository | Description |
|---|---|
| Cloudmare | Cloudflare, Sucuri, Incapsula real IP tracker. |
| crt.sh | Find certificates based on a domain name. Can be used to find subdomains. |
| DorkSearch | Premade Google dork queries. |
| ExifTool | Read (and modify) metadata of files. |
| FaceCheck.ID | Reverse image lookup based on facial-recognition. |
| Hunter | Find company email format and list of employee email addresses. |
| osintframework | An online database of OSINT tools. |
| PimEyes | Reverse image lookup based on facial-recognition. |
| Recon-NG | Reconaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| ScrapeIn | Scrapes LinkedIn to create a list of employee email addresses (for use in Initial Access). |
| SecurityTrails | Extensive DNS information. |
| Shodan | Scans for all digital assets. |
| SpiderFoot | Automatic OSINT analysis. |
| TheHarvester | Collects names, emails, IPs, and subdomains of a target. |
Reconnaissance
| Repository | Description |
|---|---|
| altdns | Subdomain enumeration using mutated wordlists. |
| AWSBucketDump | Enumerate AWS S3 buckets to find interesting files. |
| burpsuite | An advanced web application testing suite that can be used to get info on how webpages work. |
| CameRadar | Cameradar hacks its way into RTSP videosurveillance cameraa |
| CloudBrute | Enumerates “the cloud” (Google, AWS, DigitalOcean, etc) to find infrastructure, files, and apps for a given target. |
| dirb | Web application directory / file fuzzer to find other pages. |
| DNSDumpster | Online tool for DNS information of a domain. |
| EyeWitness | Screenshots webpages. Supports multi-domain lists and Nmap output. |
| feroxbuster | Like dirb, but written in Rust. |
| gobuster | Like dirb, but written in Go. Also supports DNS busting (such as subdomains). |
| GoWitness | Like EyeWitness, but in Go. |
| Masscan | Like nmap, but faster (thus, not stealthy.) |
| Nikto | Web server scanner to perform security checks on a web server. |
| Nmap | Find running services on a network. |
| Raccoon | All-in-one Reconaissance. Port/service scans, dirbusting, and web application retrieval. |
| Recon-NG | Reconaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| Rustscan | A rust network scanner that is faster than Nmap, and sends open ports to Nmap for service/version detection. |
| subfinder | Passive subdomain discovery tool. |
| wappalyzer | Identify what frameworks a website runs |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
Social Engineering
| Repository | Description |
|---|---|
| evilginx | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication |
| GoPhish | Phishing campaign framework to compromise user credentials. |
| msfvenom | Generate malicious payloads for social engineering (ie: VBA, .exe, etc) |
| Social Engineering Toolkit | Social engineering framework. |
| SpoofCheck | Checks if a domain can be spoofed. |
| zphisher | Phishing campaign framework to compromise user credentials. |
Leaked Credentials
| Repository | Description |
|---|---|
| Dehashed | Leaked credential search engine. |
| LeakCheck | Leaked credential search engine. |
| Snusbase | Leaked credential search engine. |
Web Exploitation
| Repository | Description |
|---|---|
| Arachni | Web Application Security Scanner Framework |
| burpsuite | Full web testing suite, including proxied requests. |
| Caido | Full web testing suite, including proxied requests. (Like Burp but written in Rust) |
| dirb | Web application directory/file fuzzer. |
| dotGit | A Firefox and Chrome extension that shows you if there is an exposed .git directory |
| feroxbuster | Web application directory/file fuzzer. |
| flask-unsign | Decode, bruteforce, and craft Flask session tokens. |
| gobuster | Web application directory/file/DNS/vhost fuzzing. |
| Nikto | Web server scanner to perform security checks on a web server. |
| nosqlmap | Performs automated NoSQL injection tests. |
| PayloadsAllTheThings | Useful payloads for a variety of attacks such as SQLi, IDOR, XSS, etc. |
| sqlmap | Performs automated SQL injection tests. |
| w3af | Web application attack and audit framework. |
| wappalyzer | Identify what frameworks a website runs. |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
Wireless
| Repository | Description |
|---|---|
| Aircrack-ng | Aircrack-ng is a complete suite of tools to assess WiFi network security. |
| Kismet | sniffer, WIDS, and wardriving tool for Wi-Fi, Bluetooth, Zigbee, RF, and more |
| Reaver | Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases |
| Wifite | Python script to automate wireless auditing using aircrack-ng tools |
| WifiPhisher | The Rogue Access Point Framework |
Initial Access
| Repository | Description |
|---|---|
| Easysploit | Automatic Metasploit payload generator and shell listener. |
| Impacket | A tool to perform Kerberos pre-auth bruteforcing (ASREP roast) via GetNPUsers.py |
| Kerbrute | A tool to perform Kerberos pre-auth bruteforcing (ASREP roast) |
| Medusa | Bruteforcer with multiple protocol support. |
| Metasploit | Exploit framework that can be used for intial access and/or post-exploitation. |
| NetExec | Bruteforce common Windows protocols (WinRM, LDAP, RDP, SMB, WMI, etc.). Try username null or '' and password '' for unauthenticated access. |
| Searchsploit | Search ExploitDB for exploits. |
| TeamFiltration | Cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts |
| THC-Hydra | Bruteforcer with multiple protocol support. |
| TREVORspray | Advanced password spraying tool for Active Directory environments. |
C2 Frameworks
C2 frameworks can be considered both initial access and post-exploitation, as they generate payloads to be used in phishing campaigns (initial access) and will provide access to the host machine when ran (post exploitation).
| Repository | Description |
|---|---|
| Cobalt Strike | Most robust and advanced C2 framework (also paid). |
| Pupy | Python and C C2 framework. |
| Sliver | Go C2 framework. |
| Villain | Python and Powershell C2 framework. |
Post Exploitation
| Repository | Description |
|---|---|
| BeRoot | Automated Windows, Linux, and Mac privilege escalation path discovery tool. |
| BloodHound | Active Directory visualizer, useful for finding misconfigurations and/or shortest path to Domain Admin. |
| BloodHound.py | Remote Python data ingestor for BloodHound. |
| GTFOBins | Unix binaries that can be used to bypass local security restrictions in misconfigured systems. |
| Impacket | A collection of Python scripts useful for Windows targets: psexec, smbexec, kerberoasting, ticket attacks, etc. |
| Invoke-PrivescCheck | Automated Windows privilege escalation path discovery tool. |
| LOLBAS | Microsoft-signed binaries to perform APT or red-team functions (ie: dumping process memory). |
| Mimikatz | Mimikatz is both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit. |
| nishang | Offensive PowerShell for red team, penetration testing and offensive security. |
| PEASS-ng | Automated Windows, Linux, and Mac privilege escalation path discovery tool. |
| PowerHub | Post-exploitation module for bypassing endpoint protection and running arbitrary files. |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privelege escalation, etc. |
| PowerUp | Automated Windows privilege escalation path discovery tool. |
| SharpHound | C# data ingestor for BloodHound. |
| smbclient | Connect to SMB shares. |
| smbmap | Enumerates SMB shares. |
Exfiltration
| Repository | Description |
|---|---|
| DNSExfiltrator | Data exfiltration over DNS request covert channel |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privelege escalation, etc. |
Credential Dumping
| Repository | Description |
|---|---|
| certsync | Dump NTDS with golden certificates and UnPAC the hash |
| Dumpert | LSASS memory dumper using direct system calls and API unhooking. |
| Impacket | Dump domain credentials via DCSync or from NTDS.DIT/SAM with secretsdump.py. |
| Mimikatz | Dump local and domain credentials with sekurlsa, lsadump modules. |
Password Cracking
| Repository | Description |
|---|---|
| CeWL | Scrape websites to generate wordlists. |
| crunch | Generate wordlists based on requirements such as minimum and maximum length, character sets, etc. |
| Cupp | Utilize OSINT to create password candidates for a specific person. |
| hashcat | Password cracking tool. |
| JohnTheRipper | Password cracking tool. |
| Mentalist | A GUI for wordlist generation based on rules such as appending, prepending, etc. |