Resources · Reference

Red Team Tools

A reference directory of 49 offensive-security tools — what each one does, a representative command, and a link to the source. Grouped by where they fit in an engagement, from reconnaissance to command-and-control.

Recon & OSINT · 11

Amassosint

In-depth DNS enumeration and attack-surface mapping.

Subfinderosint

Passive subdomain discovery at scale.

dnsxdns

Fast, multi-purpose DNS toolkit for resolution and probing.

theHarvesterosint

Email, subdomain, and host OSINT gathering.

Metagoofilosint

Metadata extraction from public documents.

FOCAosint

Document metadata analysis for Windows.

GHuntosint

OSINT investigation of Google accounts.

SpiderFootosint

Automated OSINT reconnaissance engine.

Shodan CLIosint

Query the internet's connected devices from the terminal.

Recon-ngosint

Modular web reconnaissance framework.

Netdiscovernetwork

ARP-based host discovery on local networks.

Network Scanning · 2

Masscannetwork

Internet-scale asynchronous TCP port scanner.

RustScannetwork

Ultra-fast port scanner that pipes into Nmap.

Web Application · 5

SQLMapweb

Automated SQL injection and database takeover.

Commixweb

Automated command-injection exploitation.

ffufweb

Fast web fuzzer for content and parameter discovery.

FuzzDBweb

Attack-payload and discovery wordlist library.

BeEFweb

Browser exploitation framework.

Credential Access · 7

Hashcatcredentials

GPU-accelerated password cracking.

Hydracredentials

Fast online network login brute-forcer.

LaZagnecredentials

Local credential harvester.

Mimikatzcredentials

Extract Windows credentials from memory.

gpp-decryptcredentials

Decrypt Group Policy Preferences passwords.

KeeThiefcredentials

Extract KeePass keys and entries from memory.

PSKrackerwireless

Default WPA/WPS key and PIN generation.

Active Directory · 9

CrackMapExecad

Swiss-army knife for AD network post-exploitation.

Impacketad

Python toolkit of network-protocol scripts.

GetNPUsers.pyad

AS-REP roasting via Impacket.

enum4linux-ngad

SMB and Windows enumeration.

LDAPDomainDumpad

Dump Active Directory contents via LDAP.

SharpHoundad

BloodHound data collector for AD attack paths.

Seatbeltwindows

Local Windows security enumeration.

PowerSploitwindows

PowerShell post-exploitation module set.

Kerbrutead

Kerberos username enumeration and password spraying.

Command & Control · 9

Metasploitc2

The exploitation and post-exploitation framework.

Empirec2

PowerShell and Python C2 framework.

Covenantc2

.NET command-and-control framework.

Sliverc2

Cross-platform adversary-emulation C2.

Mythicc2

Collaborative, plugin-based C2 platform.

Merlinc2

HTTP/2 cross-platform C2 written in Go.

Koadicc2

Windows Script Host (JScript/VBScript) C2.

Pupyc2

Cross-platform Python RAT and C2.

Quasarwindows

Lightweight .NET Windows remote-administration tool.

Exploitation & Utilities · 6

Pwntoolsexploitation

CTF and exploit-development framework.

Ropperexploitation

ROP/JOP gadget finder for exploit chains.

Searchsploitexploitation

Offline command-line search of Exploit-DB.

RouterSploitiot

Embedded-device exploitation framework.

LinEnumlinux

Linux local privilege-escalation enumeration.

Chiselpivoting

Fast TCP/UDP tunnel over HTTP.

Skip the install. Scan from the browser.

VulnScanners runs Nmap, Nuclei, and OWASP ZAP on hosted infrastructure — point at a target, get a report. No setup.

Start scanning →See the scanners