Tooling Repository

Validating Scope

Find Email Addresses

  • - Identify the email schema used by an organization
  • - Lookup emails related to the organization
  • EmailHippo - Validate emails identified are in use by the organization
  • EmailHarvester - Find emails via search engines
  • theHarvester - Well known OSINT tool that can be used to gather names, email addresses, and more


  • GoPhish - An incredible open-source phishing framework
  • Evilginx2 - Man-in-the-middle attack framework for phishing login credentials and bypassing 2fa
  • Catphish - Generate similar looking domains for use in phishing attacks
  • Boobsnail - Generate malicious XLM documents for phishing
  • MacroPack - Automize obfuscation of Office documents
  • Pretext-Project - Collection of pretexts to use when crafting campaigns

External Penetration Testing

  • YAWAST - Amazing for performing initial reconnaissance on a website. Also has a PoC for Sweet32 built into it
  • Skipfish - Googles active web application security reconnaissance tool
  • Nuclei - Vulnerability scanner that is actively maintained and updated frequently
  • AutoDirBuster - Parse Nmap scans and run DirBuster against targets. Useful when covering a large scope$
  • FeroxBuster - My replacement for Dirb and other fuzzing tooling
  • Amass - In-depth attack surface mapping. Great for asset discovery and performing external reconnaissance
  • Dorkbot - Scan Google search results for vulnerabilities with dorks

Password Hunting

  • PwnDB - Searches for leaked credentials
  • DeHashed - Popular way to search for leaked credentials but requires payment
  • Snusbase - Alternative to DeHashed
  • Breach-Parse - TCM's script to parse databases and identify leaked credentials
  • pwnedOrNot - OSINT tool to identify if an account has appeared in a database leak

Scanning/Enumeration Tools

  • RustScan - Alternative to Nmap. Port scanning goes brrr
  • Nmap-Elasticsearch-NSE - NSE script for scanning Elasticsearch. Useful when identified in a penetration test.
  • Enum4Linux - Useful for gathering information from a host with anoymous access or authenticating to a DC to obtain a list of usernames
  • Autorecon - Automated enumeration of services
  • Aquatone - Visually inspect websites. Has the ability to parse Nmap scans
  • EyeWitness - Visually inspect websites. My preferred tool of choice. Has the ability to parse Nessus scans


  • Swagger-EZ - A tool geared towards pentesting APIs using OpenAPI definitions

LinkedIn Reconnaissance

  • LeakedInt - LinkedIn reconnaissance tool that provides output with picture, name, email, title, and location
  • WeakestLink - Reguarly updated LinkedIn recon tool (10/11/2021)
  • LinkedIn2Username - My favorite LinkedIn reconnaissance tool. It should be noted that this tool will not reliably identify all of the emails for a company.
  • BridgeKeeper - LinkedIn reconnaissance tool that works great in combination with LinkedIn2Username
  • EmailGen - Email Generation from Bing using LinkedIn Dorks

Passive Reconnaissance

  • BruteShark - Analyze PCAPs. Can extract useful data and create a network diagram
  • NetworkMiner - Analyze PCAPs. The free version is great but the professional is better (costs $$$)
  • PCredz - My favorite way to analyze PCAPs or live captures. Free, fast, and great for PCI tests


  • Responder - Abuse LLMNR and NBT-NS protocols (and more) to get a reliable foothold
  • mitm6 - Abuse IPv6 to obtain a foothold
  • Impacket - The options are endless with Impacket. Kerberoast until you drop!
  • Flamingo - Capture credentials sprayed across the network
  • SpoolSploit - Collection of Windows print spooler exploits. Great for obtaining a foothold or escalating privileges!
  • RouterSploit - Router exploitation framework
  • SIET - Smart Install Exploitation Tool

Credential Spraying and Bruteforce

  • SprayingToolkit - Spraying attacks against Lync/S4B, OWA, and O365
  • CrackMapExec - Spraying attacks against.. Everything
  • DomainPasswordSpray - Spraying attacks against a domain. Gathers account lockout windows which is nifty
  • Spray - Spraying against Active Directory
  • Patator - Multi-purpose brute-forcer. Takes a little reading of the manual but works incredibly
  • BruteSpray - Brute-Forcing from an Nmap output. One of my favorites for automating the assessment of a network
  • Crowbar - Brute-forcing tool that supports protocols not currently supported by Hydra

Default Credentials

  • nndefaccts - Updated Nmap default credential list
  • ChangeMe - Default credential scanner. I've had mixed results with this. When it works it's great!
  • DefaultCredsCheatsheet - List of common default credentials
  • HAT - Hashcat Automation Tool


Password Cracking

  • Hashcat - This should go without saying.. But Hashcat is amazing
  • PACK - Password Analysis and Cracking Toolkit. There's a lot of password goodies and resources here
  • Hate_Crack - TrustedSec's password cracking utility. Automates a lot
  • Pipal - Perform password analysis


  • DBeaver - One of the best tools I've used to interact with databases.
  • NOSQLBooster - Interact with NoSQL (DBeaver removed this in the community version)

Command and Control

  • Covenant - I used Covenant throughout the CRTO certification and fell in love. Free and easy to use
  • Sliver - Bishop Fox's C2 framework
  • Shad0w - Bats3c's C2. Used it a few times and it's a ton of fun!
  • Mythic - Cross-platform C2. Previously used while on an OSX engagement

Amazon Web Services (AWS)

  • Pacu - AWS exploitation fraemwork from RhinoSecurityLabs
  • Scour - AWS red teaming framework

Attacking Outlook / Similar Products

  • Ruler - A tool to abuse Exchange services
  • O365Spray - My goto when spraying Office 365
  • Msspray - Conduct password attacks against Azure AD and Office 365 endpoints
  • TeamsUserEnum - User enumeration with the Microsoft Teams API
  • Carnivore - Exchange Attack Tool



  • Bashark - Post exploitation toolkit in a bash script
  • Mimipenguin - Mimikatz for Unix
  • Emp3r0r - A customizable post exploitation Linux framework


Wireless Attacks

  • WiFite2 - Automate attack against WiFi
  • WifiPumpkin3 - Framework for rogue access point attacks

SSL/TLS Auditing

  • TestSSL - One of the more comprehensive SSL/TLS testing tools I've used
  • SSLScan - Useful when SSLyze doesn't work as intended
  • SSLyze - Useful when SSLScan doesn't work as intended

SSH Auditing

  • SSH-Audit - Comprehensive audit of SSH. Provides comprehensive information about the SSH server in use


  • - Automate the installation of additional tools
  • My Dotfiles - Any dotfiles work, make sure you're comfortable in your environment and log log log


  • Swaks - Swiss army knife for SMTP testing

Post Exploitation

  • Nisahng - Collection of offensive PowerShell scripts for use in penetration testing and red teaming
  • PowerSploit - Collection of offensive PowerShell scripts, useful in all phases of testing
  • BetterSafetyKatz - Runs Mimikatz but better
  • LdapDomainDump - Dump information about the domain. Incredibly useful for escalating privileges or gathering additional information for spraying attacks
  • Conf-Thief - Exfiltrate sensitive data from Confluence
  • BloodHound - Need I say more? Find attack paths and own the domain
  • Snaffler - Find delicious candy on a domain
  • Pwncat - Netcat on steroids. Post exploitation tool that has some neat tools built into it
  • KeeFarce - Extract passwords from a KeePass 2.x database from memory
  • PingCastle - Grab information about Active Directory (this tool does way more, check it out)
  • ADRecon - Gathers information about Active Directory
  • WinPwn - Collection of well known offensive scripts in one place
  • PowerShellArmoury - Similar collection to WinPwn but can be encrypted
  • RedRabbit - Same as the above, collection of red team PowerShell tools
  • ACLight - Script for advanced discovery of Privileged Accounts
  • Invoke-DNSDiscovery - Searches through DNS after compromising a machine to identify interesting assets

Penetration Testing Reports


  • SecureKali - Tips to secure Kali Linux installation


  • OffensivePipeline - Build tools within PowerShell
  • Depix - Recover information from pixelized screenshots
  • LDAPMonitor - Monitor changes throughout the environment during a penetration test

Penetration Testing Distros

  • Slingshot - Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment built for use in the SANS penetration testing curriculum and beyond.
  • Kali_Linux - Hopefully no explanation needed here
  • Commando_VM - A fully customizable Windows-based pentesting virtual machine distribution
  • Parrot_OS - GNU/Linux distribution based on Debian and designed with Security and Privacy in mind