Tooling Repository

Validating Scope
​Hurricane Electric Internet Services - Find out who owns an IP Address
​NetBlockTool - Find IP addresses owned by a company
Find Email Addresses
​Hunter.io - Identify the email schema used by an organization
Phonebook.cz - Lookup emails related to the organization
​EmailHippo - Validate emails identified are in use by the organization
​EmailHarvester - Find emails via search engines
​theHarvester - Well known OSINT tool that can be used to gather names, email addresses, and more
Phishing
​GoPhish - An incredible open-source phishing framework
​Evilginx2 - Man-in-the-middle attack framework for phishing login credentials and bypassing 2fa
​Catphish - Generate similar looking domains for use in phishing attacks
​Boobsnail - Generate malicious XLM documents for phishing
​MacroPack - Automize obfuscation of Office documents
​Pretext-Project - Collection of pretexts to use when crafting campaigns
External Penetration Testing
​YAWAST - Amazing for performing initial reconnaissance on a website. Also has a PoC for Sweet32 built into it
​Skipfish - Googles active web application security reconnaissance tool
​Nuclei - Vulnerability scanner that is actively maintained and updated frequently
​AutoDirBuster - Parse Nmap scans and run DirBuster against targets. Useful when covering a large scope$
​FeroxBuster - My replacement for Dirb and other fuzzing tooling
​Amass - In-depth attack surface mapping. Great for asset discovery and performing external reconnaissance
​Dorkbot - Scan Google search results for vulnerabilities with dorks
Password Hunting
​PwnDB - Searches for leaked credentials
​DeHashed - Popular way to search for leaked credentials but requires payment
​Snusbase - Alternative to DeHashed
​Breach-Parse - TCM's script to parse databases and identify leaked credentials
​pwnedOrNot - OSINT tool to identify if an account has appeared in a database leak
Scanning/Enumeration Tools
​RustScan - Alternative to Nmap. Port scanning goes brrr
​Nmap-Elasticsearch-NSE - NSE script for scanning Elasticsearch. Useful when identified in a penetration test.
​Enum4Linux - Useful for gathering information from a host with anoymous access or authenticating to a DC to obtain a list of usernames
​Autorecon - Automated enumeration of services
​Aquatone - Visually inspect websites. Has the ability to parse Nmap scans
​EyeWitness - Visually inspect websites. My preferred tool of choice. Has the ability to parse Nessus scans
APIs
​Swagger-EZ - A tool geared towards pentesting APIs using OpenAPI definitions
LinkedIn Reconnaissance
​LeakedInt - LinkedIn reconnaissance tool that provides output with picture, name, email, title, and location
​WeakestLink - Reguarly updated LinkedIn recon tool (10/11/2021)
​LinkedIn2Username - My favorite LinkedIn reconnaissance tool. It should be noted that this tool will not reliably identify all of the emails for a company.
​BridgeKeeper - LinkedIn reconnaissance tool that works great in combination with LinkedIn2Username
​EmailGen - Email Generation from Bing using LinkedIn Dorks
Passive Reconnaissance
​BruteShark - Analyze PCAPs. Can extract useful data and create a network diagram
​NetworkMiner - Analyze PCAPs. The free version is great but the professional is better (costs $$$)
​PCredz - My favorite way to analyze PCAPs or live captures. Free, fast, and great for PCI tests
Footholds
​Responder - Abuse LLMNR and NBT-NS protocols (and more) to get a reliable foothold
​mitm6 - Abuse IPv6 to obtain a foothold
​Impacket - The options are endless with Impacket. Kerberoast until you drop!
​Flamingo - Capture credentials sprayed across the network
​SpoolSploit - Collection of Windows print spooler exploits. Great for obtaining a foothold or escalating privileges!
​RouterSploit - Router exploitation framework
​SIET - Smart Install Exploitation Tool
Credential Spraying and Bruteforce
​SprayingToolkit - Spraying attacks against Lync/S4B, OWA, and O365
​CrackMapExec - Spraying attacks against.. Everything
​DomainPasswordSpray - Spraying attacks against a domain. Gathers account lockout windows which is nifty
​Spray - Spraying against Active Directory
​Patator - Multi-purpose brute-forcer. Takes a little reading of the manual but works incredibly
​BruteSpray - Brute-Forcing from an Nmap output. One of my favorites for automating the assessment of a network
​Crowbar - Brute-forcing tool that supports protocols not currently supported by Hydra
Default Credentials
​nndefaccts - Updated Nmap default credential list
​ChangeMe - Default credential scanner. I've had mixed results with this. When it works it's great!
​DefaultCredsCheatsheet - List of common default credentials
​HAT - Hashcat Automation Tool
Wordlists
​OneRuleToRuleThemAll - My favorite rule list
​ProbableWordlists - Probable wordlists to use in password attacks
Password Cracking
​Hashcat - This should go without saying.. But Hashcat is amazing
​PACK - Password Analysis and Cracking Toolkit. There's a lot of password goodies and resources here
​Hate_Crack - TrustedSec's password cracking utility. Automates a lot
​Pipal - Perform password analysis
Database
​DBeaver - One of the best tools I've used to interact with databases.
​NOSQLBooster - Interact with NoSQL (DBeaver removed this in the community version)
Command and Control
​Covenant - I used Covenant throughout the CRTO certification and fell in love. Free and easy to use
​Sliver - Bishop Fox's C2 framework
​Shad0w - Bats3c's C2. Used it a few times and it's a ton of fun!
​Mythic - Cross-platform C2. Previously used while on an OSX engagement
Amazon Web Services (AWS)
​Pacu - AWS exploitation fraemwork from RhinoSecurityLabs
​Scour - AWS red teaming framework
Attacking Outlook / Similar Products
​Ruler - A tool to abuse Exchange services
​O365Spray - My goto when spraying Office 365
​Msspray - Conduct password attacks against Azure AD and Office 365 endpoints
​TeamsUserEnum - User enumeration with the Microsoft Teams API
​Carnivore - Exchange Attack Tool
Obfuscation
​Darkarmour - Bats3c's obfuscation tool.
​PEzor - Shellcode and PE packer
​PowerShellArmoury - Store obfuscated pentesting tools in one place
​Invoke-Obfuscation - PowerShell script obfuscator
​Chameleon - PowerShell obfuscator. I've had a lot of success using this tool
​Powerglot - Powershell obfuscator using polyglots
​Phantom-Evasion - Python obfuscation tool
Unix
​Bashark - Post exploitation toolkit in a bash script
​Mimipenguin - Mimikatz for Unix
​Emp3r0r - A customizable post exploitation Linux framework
MacOS
​Mystikal - Payload generator for MacOS
​MacOSRedTeaming - Mac red teaming resources
Wireless Attacks
​WiFite2 - Automate attack against WiFi
​WifiPumpkin3 - Framework for rogue access point attacks
SSL/TLS Auditing
​TestSSL - One of the more comprehensive SSL/TLS testing tools I've used
​SSLScan - Useful when SSLyze doesn't work as intended
​SSLyze - Useful when SSLScan doesn't work as intended
SSH Auditing
​SSH-Audit - Comprehensive audit of SSH. Provides comprehensive information about the SSH server in use
Setup
​WeaponizeKali.sh - Automate the installation of additional tools
​My Dotfiles - Any dotfiles work, make sure you're comfortable in your environment and log log log
SMTP
​Swaks - Swiss army knife for SMTP testing
Post Exploitation
​Nisahng - Collection of offensive PowerShell scripts for use in penetration testing and red teaming
​PowerSploit - Collection of offensive PowerShell scripts, useful in all phases of testing
​BetterSafetyKatz - Runs Mimikatz but better
​LdapDomainDump - Dump information about the domain. Incredibly useful for escalating privileges or gathering additional information for spraying attacks
​Conf-Thief - Exfiltrate sensitive data from Confluence
​BloodHound - Need I say more? Find attack paths and own the domain
​Snaffler - Find delicious candy on a domain
​Pwncat - Netcat on steroids. Post exploitation tool that has some neat tools built into it
​KeeFarce - Extract passwords from a KeePass 2.x database from memory
​PingCastle - Grab information about Active Directory (this tool does way more, check it out)
​ADRecon - Gathers information about Active Directory
​WinPwn - Collection of well known offensive scripts in one place
​PowerShellArmoury - Similar collection to WinPwn but can be encrypted
​RedRabbit - Same as the above, collection of red team PowerShell tools
​ACLight - Script for advanced discovery of Privileged Accounts
​Invoke-DNSDiscovery - Searches through DNS after compromising a machine to identify interesting assets
Penetration Testing Reports
​PublicPentestingResources - Repository of public pentesting resources
Hardening
​SecureKali - Tips to secure Kali Linux installation
Miscellanious
​OffensivePipeline - Build tools within PowerShell
​Depix - Recover information from pixelized screenshots
​LDAPMonitor - Monitor changes throughout the environment during a penetration test
Penetration Testing Distros
​Slingshot - Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment built for use in the SANS penetration testing curriculum and beyond.
​Kali_Linux - Hopefully no explanation needed here
​Commando_VM - A fully customizable Windows-based pentesting virtual machine distribution
​Parrot_OS - GNU/Linux distribution based on Debian and designed with Security and Privacy in mind
Resources - Previous
Offensive Security Notes
Last modified 5mo ago