v2026.05.15

Cyber Security Resources

Curated tools and information for Cyber Defense

DEFENSE
General Defense Resources

Defensive strategies, frameworks, and tools are essential for the Blue Team to detect, prevent, and respond to cyber threats.

Cybersecurity Frameworks
  • NIST Cybersecurity Framework Free: A set of guidelines for private sector companies to follow to be better prepared in identifying, detecting, and responding to cyber attacks. (Resources Library, NIST CSF 2.0)
  • CIS Controls Free: Prioritized set of actions to protect your organization and data from known cyber attack vectors. (Assessment Tool)
  • NIST SP 800-53 Free: Security and Privacy Controls for Information Systems and Organizations. (Machine Readable Data)
  • PCI DSS Free: Payment Card Industry Data Security Standard for organizations that handle branded credit cards.
  • SOC 2 Free: Service Organization Control 2 - Trust Services Criteria for Service Organizations.
  • COBIT Free: Control Objectives for Information and Related Technologies, a framework for IT management and governance. (Auditing COBIT 2019)
  • ISO 27001/27002 Toolkit Open Source: A repository containing a comprehensive toolkit designed to help organizations implement the ISO 27001:2022 Information Security Management System (ISMS).
  • ISF SOGP Free: The ISF Standard of Good Practice for Information Security (SOGP) is the leading authority on information security.
Cybersecurity HomeLab
  • Kali Linux Free: Offensive toolkit for scanning, exploitation, and red teaming. Run in a VM to scan/exploit other lab systems.
  • Metasploitable 2 Open Source: Vulnerable Linux VM for safe exploit practice. Pair with Kali to practice exploits and document findings.
  • Vulnerable-AD Open Source: Insecure Active Directory lab. Use with Windows Server to simulate AD attacks.
  • WebGoat Free: OWASP vulnerable web app. Run locally/Docker & complete built-in lessons.
  • Juice Shop Free: Modern OWASP vuln app. Host locally & attempt SQLi, XSS, more.
  • GoPhish Open Source: Phishing simulation platform. Send test phishing emails to lab inboxes.
  • PortSwigger Commercial: Free web security labs. Work through online exploit challenges.
  • Vulnserver Open Source: Windows buffer overflow server. Run in Win7 VM & exploit with Immunity Debugger.
  • Vulnerable WP Open Source: Exploitable WordPress site. Install locally & test WP-specific exploits.
  • CTFlearn Open Source: CTF challenges for all levels. Solve puzzles to improve across domains.
  • pfSense Free: Firewall/router for segmentation. Place between VMs to control & inspect traffic.
  • Suricata Free: IDS/IPS. Deploy inline with pfSense to detect/block threats.
  • Wazuh Free: SIEM/XDR. Collect & analyze logs from lab machines.
  • OpenSearch Free: Search/visualization stack. Integrate with Wazuh for event dashboards.
  • Security Onion Open Source: Threat detection suite. Ingest lab traffic for threat hunting.
  • Cowrie Open Source: SSH/telnet honeypot. Deploy isolated to monitor login attempts.
  • WireGuard Free: VPN. Securely connect to lab network remotely.
  • Sysmon Free: Windows logging. Install to track security events.
  • Ansible Open Source: Automation tool. Push configs to multiple lab VMs.
  • MITRE Caldera Free: Adversary emulation. Simulate attacker behavior in test networks.
  • Wireshark Free: Packet capture/analysis. Inspect traffic between lab hosts.
  • Zeek Free: Network monitoring/logging. Run with Security Onion for deep analysis.
  • REMnux Free: Malware analysis distro. Reverse-engineer safely in VM.
  • Sigma Open Source: Detection rules. Write rules & test in Wazuh/Graylog.
  • Proxmox VE Open Source: Virtualization platform for running your lab VMs.
  • Docker Free: Platform for developing, shipping, and running applications in containers.
  • Portainer Free: Universal container management environment.
  • Pi-hole Free: Network-wide ad blocking via your own Linux hardware.
  • T-Pot Open Source: The All In One Honeypot Platform.
  • HELK Open Source: The Hunting ELK - A Hunting Platform.
  • Ghidra Free: A software reverse engineering (SRE) suite of tools developed by NSA.
  • FlareVM Open Source: Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
Threat Modeling Frameworks
  • MITRE ATT&CK Free: A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • Cyber Kill Chain Free: Developed by Lockheed Martin, this framework identifies what the adversaries must complete in order to achieve their objective.
  • Diamond Model Free: A cognitive model for intrusion analysis.
  • STRIDE Free: A threat modeling methodology developed by Microsoft (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
  • PASTA Free: Process for Attack Simulation and Threat Analysis, a risk-centric threat modeling methodology.
  • LINDDUN Free: Privacy threat modeling framework (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance). (PILLAR AI Tool)
  • OCTAVE Free: Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk-based strategic assessment and planning technique.
  • Trike Free: A risk-based threat modeling methodology and tool. (GitHub Repo)
  • Attack Trees Free: Conceptual diagrams showing how an asset, or target, might be attacked. (ATTop Analysis Tool)
Threat Modeling Tools
  • OWASP Threat Dragon Open Source: An open source threat modeling tool from OWASP.
  • pytm Open Source: A Pythonic framework for threat modeling.
  • Threagile Open Source: Agile Threat Modeling Toolkit.
  • Threat Composer Open Source: A simple threat modeling tool that helps humans reduce time-to-value when threat modeling.
  • Microsoft Threat Modeling Tool Free: A tool to create data flow diagrams to identify threats.
Blue Team Tools

Security Monitoring & SIEM

  • Sysmon Free: Windows system monitor that tracks system activity and logs it to the Windows event log.
  • Wazuh Free: Free and open source security platform that unifies XDR and SIEM capabilities.
  • Security Onion Open Source: A free and open platform for threat hunting, enterprise security monitoring, and log management.
  • Elastic Security (ELK) Free: Unified protection for everyone.
  • Velociraptor Open Source: Endpoint visibility and collection tool.
  • SysmonSearch Open Source: Aggregates event logs generated by Microsoft's Sysmon.

Incident Response & Forensics

  • TheHive Free: A scalable, open source and free Security Incident Response Platform.
  • Cortex Open Source: Powerful Observable Analysis and Active Response Engine.
  • SANS SIFT Free: SANS Investigative Forensic Toolkit.
  • Autopsy Open Source: Digital forensics platform and graphical interface to The Sleuth Kit.
  • Volatility Open Source: Advanced memory forensics framework.
  • KAPE Open Source: Kroll Artifact Parser and Extractor.
  • EnCase Commercial: Digital forensics and incident response software.
  • FTK Commercial: Forensic investigation software.
  • X-Ways Forensics Commercial: Forensic software with advanced file carving.
  • Helix3 Pro Commercial: Incident response and forensic live CD.
  • Foremost Open Source: File recovery tool for forensic analysis.
  • Scalpel Open Source: Fast file carver based on Foremost.
  • CAINE Open Source: Linux-based digital forensics environment.

Threat Intelligence

  • MISP Free: Malware Information Sharing Platform and Threat Sharing.
  • OpenCTI Open Source: Open Cyber Threat Intelligence Platform.
  • YARA Open Source: The pattern-matching Swiss Army knife for malware researchers.

Analysis & Sandboxing

  • Cuckoo Sandbox Free: Automated Malware Analysis System.
  • CyberChef Open Source: The Cyber Swiss Army Knife.
  • VirusTotal Free: Analyze suspicious files, domains, IPs and URLs.
  • OpenSSL Open Source: Security toolkit for SSL and TLS cryptography.
  • Pcredz Open Source: Extracts different credential types from packet capture files.

Application Security

  • SafeLine Open Source: Lightweight web application firewall (WAF) offering layer 7 protection.
  • Medusa Open Source: Multi-Language Security Scanner with AI-first architecture.
Detection Engineering
  • Sigma Open Source: Generic Signature Format for SIEM Systems.
  • Unprotect Project Open Source: Malware evasion techniques knowledge base.
  • LOLBAS Open Source: Living Off The Land Binaries, Scripts and Libraries.
  • GTFOBins Open Source: List of Unix binaries that can be used to bypass local security restrictions.
OFFENSE
The Cyber Kill Chain

Information

  • Process Free: Developed by Lockheed Martin, this framework identifies what the adversaries must complete in order to achieve their objective.
STEP 1. Reconnaissance

Reconnaissance is the first phase of the Cyber Kill Chain, involving research, identification, and selection of targets.

Tools

Scanners & Frameworks

  • Argus Open Source: Python-powered toolkit for information gathering and reconnaissance.
  • RustScan Open Source: The Modern Port Scanner. Finds ports quickly (3 seconds at its fastest) and runs scripts through its scripting engine (Python, Lua, Shell supported).
  • Amass Open Source: In-depth Attack Surface Mapping and Asset Discovery.
  • Nmap Free: The "Network Mapper", free and open source utility for network discovery and security auditing.
  • nmapUnleashed Open Source: A powerful CLI wrapper enhancing Nmap’s capabilities with multithreading and a dashboard.
  • Masscan Open Source: Internet-scale port scanner, transmitting 10 million packets per second.
  • Naabu Open Source: A fast port scanning tool written in Go that enumerates valid ports in a reliable manner.
  • OpenVAS Free: Full-featured vulnerability scanner with extensive testing capabilities.
  • Nikto Open Source: Open source web server scanner that checks for over 6700 potentially dangerous files/programs.
  • Sn1per Open Source: Automated scanner for enumeration and vulnerability scanning.
  • Osmedeus Open Source: Workflow engine for offensive security, running awesome tools for recon and vulnerability scanning.
  • D0rkerR3con Framework Open Source: Offensive Recon toolkit to discover exposed files, secrets, and launch weaponized Google Dorks.
  • Recon-ng Open Source: Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
  • Scanners-Box Open Source: A powerful and open-source toolkit for hackers and security automation.
  • Reconness Open Source: ReconNess helps you to run and keep all your recon in the same place.
  • Lazyrecon Open Source: Script written in Bash to automate tedious tasks of reconnaissance and information gathering.
  • reconFTW Open Source: A powerful automated reconnaissance tool designed for security researchers.
  • axiom Open Source: A distributed dynamic infrastructure framework for offensive security operations.
  • Trivy Open Source: Comprehensive and versatile security scanner for vulnerabilities and misconfigurations.

Domain & DNS

  • Subfinder Open Source: Subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
  • Puredns Open Source: Fast, professional DNS resolver. Replaces Altdns/Massdns for many workflows.
  • Chaos Open Source: Actively scans and maintains internet-wide assets' data.
  • Dnsprobe Open Source: Tool built on top of retryabledns that allows you to perform multiple DNS queries.
  • Shuffledns Open Source: Wrapper around massdns that allows you to enumerate valid subdomains using active bruteforce.
  • Findomain Open Source: Offers a dedicated monitoring service for target domains and alerts on new findings.
  • Dnsgen Open Source: Generates a combination of domain names from the provided input.
  • Gotator Open Source: Powerful permutation generation for subdomains.
  • Massdns Open Source: High-performance DNS stub resolver.
  • Sublert Open Source: Security and reconnaissance tool to leverage certificate transparency for monitoring new subdomains.
  • Subjack Open Source: Subdomain Takeover tool written in Go.
  • dnscan Open Source: A Python wordlist-based DNS subdomain scanner.

Web & OSINT

  • X-osint Open Source: OSINT tool that gathers information about a phone number, a user's email address, or an IP address.
  • Wappalyzer Free: Browser extension that uncovers the technologies used on websites.
  • BuiltWith Free: Helps find out what technologies web pages are using.
  • WhatWeb Open Source: Recognizes web technologies including CMS, blogging platforms, statistic/analytics packages, etc.
  • Gau Open Source: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
  • Waybackurls Open Source: Fetch known URLs from the Wayback Machine.
  • Meg Open Source: Tool for fetching lots of URLs without taking a toll on the servers.
  • Katana Open Source: A next-generation crawling and spidering framework.
  • Feroxbuster Open Source: A Rust-based content discovery tool. Faster, smarter, and more modern than Dirb/DirBuster.
  • Dirsearch Open Source: A simple command line tool designed to brute force directories and files in websites.
  • Ffuf Open Source: A fast web fuzzer written in Go.
  • httpx Free: Fast and multi-purpose HTTP toolkit that allows running multiple probes.
  • EyeWitness Open Source: Designed to take screenshots of websites, provide some server header info, and identify default credentials.
  • Gowitness Open Source: Website screenshot utility written in Golang using Chrome Headless.
  • SpiderFoot Open Source: Open source intelligence (OSINT) automation tool.
  • Maltego Commercial: OSINT and graphical link analysis tool for gathering and connecting information.
  • Shodan Commercial: Search engine for Internet-connected devices.
  • Censys Commercial: Scans the most ports and houses the biggest certificate database in the world.
  • Jsluice Open Source: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
  • Unfurl Open Source: Parse URLs and pull out content based on criteria.
  • Asnlookup Free: Displays information about an IP address's Autonomous System Number (ASN).
  • Virtual-host-discovery Open Source: Enumerates virtual hosts on a given IP address.
  • WitnessMe Open Source: Web Inventory tool, takes screenshots of webpages using Pyppeteer.
  • BBOT Open Source: Recursive internet scanner designed to be faster and more reliable.
  • ENScan_GO Open Source: Tool built on major enterprise-information APIs to simplify collecting domestic enterprise information (ICP, APP, WeChat, etc.).
  • dismap Open Source: Asset discovery and identification tool for rapid web fingerprint recognition.

Cloud & Git

  • gitGraber Open Source: Monitor GitHub to search and find sensitive data in real time.
  • Shhgit Open Source: Finds secrets and sensitive files across GitHub code and Gists in real-time.
  • gitleaks Open Source: SAST tool for detecting hardcoded secrets in git repos.
  • cloud_enum Open Source: Multi-cloud OSINT tool.
  • S3Scanner Open Source: Scan for open S3 buckets and dump the contents.
  • Gato (Github Attack TOolkit) Open Source: Enumeration and attack tool for GitHub organizations.
  • apk2url Open Source: OSINT tool to extract IP and URL endpoints from APKs.
  • Checkov Open Source: Static analysis tool for Infrastructure as Code (IaC) security and compliance.

Social Media

  • buster Open Source: An advanced tool for email reconnaissance.
  • linkedin2username Open Source: Generate username lists for companies on LinkedIn.
  • LinkedInt Open Source: LinkedIn Recon Tool.
STEP 2. Weaponization

Weaponization involves coupling a remote access trojan with an exploit into a deliverable payload.

Tools (Payload Development)

  • Ysoserial Open Source: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  • Payloads All The Things Open Source: A list of useful payloads and bypasses for Web Application Security.
  • GhostStrike Open Source: Deploy stealthy reverse shells using advanced process hollowing.
  • Ivy Open Source: Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory.
  • PEzor Open Source: Open-Source PE Packer.
  • GadgetToJScript Open Source: Generates .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized.
  • ScareCrow Open Source: Payload creation framework designed around EDR bypass.
  • Donut Open Source: Position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
  • Mystikal Open Source: macOS Initial Access Payload Generator.
  • charlotte Open Source: C++ fully undetected shellcode launcher.
  • InvisibilityCloak Open Source: Obfuscation toolkit for C# post-exploitation tools.
  • Dendrobate Open Source: Framework that facilitates the development of payloads that hook unmanaged code through managed .NET code.
  • Offensive VBA and XLS Entanglement Open Source: Examples of how VBA can be used for offensive purposes.
  • xlsGen Open Source: Tiny Excel BIFF8 generator for embedding Excel 4.0 macros in *.xls files.
  • darkarmour Open Source: Windows AV Evasion.
  • InlineWhispers Open Source: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF).
  • EvilClippy Open Source: Assistant for creating malicious MS Office documents.
  • OfficePurge Open Source: Purges VBA from your Office documents (VBA purging).
  • ThreatCheck Open Source: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
  • CrossC2 Open Source: Generate CobaltStrike's cross-platform payload.
  • Ruler Open Source: Tool that allows you to interact with Exchange servers remotely.
  • DueDLLigence Open Source: Shellcode runner framework for application whitelisting bypasses and DLL side-loading.
  • RuralBishop Open Source: P/Invoke calls replaced with D/Invoke.
  • TikiTorch Open Source: Spawns a new process, allocates memory, then uses CreateRemoteThread to run shellcode.
  • SharpShooter Open Source: Payload creation framework for the retrieval and execution of arbitrary CSharp source code.
  • SharpSploit Open Source: .NET post-exploitation library written in C#.
  • MSBuildAPICaller Open Source: MSBuild Without MSBuild.exe.
  • macro_pack Open Source: Tool used to automatize obfuscation and generation of MS Office documents, VB scripts, etc.
  • inceptor Open Source: Template-Driven AV/EDR Evasion Framework.
  • mortar Open Source: Evasion technique to defeat and divert detection and prevention of security products.
  • ProtectMyTooling Open Source: Multi-packer wrapper that lets you daisy-chain various packers and obfuscators.
  • Freeze Open Source: Payload toolkit for bypassing EDRs using suspended processes, direct syscalls.
  • Shhhloader Open Source: Shellcode loader that compiles a C++ stub to bypass AV/EDR.
  • DllShimmer Open Source: Weaponize DLL hijacking easily.
  • moonwalk Open Source: Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
STEP 3. Delivery

Delivery is the transmission of the weapon to the targeted environment.

Phishing Tools

  • Gophish Open Source: Open-source phishing toolkit designed for businesses and penetration testers.
  • Evilginx2 Open Source: Man-in-the-middle attack framework used for phishing credentials and session cookies.
  • Modlishka Open Source: Flexible and powerful reverse proxy for ethical phishing campaigns.
  • o365-attack-toolkit Open Source: A toolkit to attack Office365.
  • PwnAuth Open Source: Web application framework for launching and managing OAuth abuse campaigns.
  • goblin Open Source: A phishing simulation platform suited to red-team/blue-team exercises.
  • Social-Engineer Toolkit (SET) Open Source: Open-source penetration testing framework designed for social engineering.
  • King Phisher Open Source: Phishing campaign toolkit.
  • ReelPhish Open Source: Automated tool for two-factor authentication phishing.
  • Ghost Phisher Open Source: Wireless and ethernet phishing tool.
  • Credential Harvester Attack Open Source: Tool in SET for credential theft.

Other Delivery & Interaction Tools

  • Interactsh Open Source: ProjectDiscovery's OOB interaction server. Critical for blind SSRF/XXE/RCE testing.
  • BeEF Open Source: The Browser Exploitation Framework. Focuses on the web browser.
STEP 4. Exploitation

Exploitation triggers the attackers' code. This phase targets vulnerabilities to gain control or execute code.

Exploitation Frameworks & Tools

  • Metasploit Framework Open Source: The world's most used penetration testing framework.
  • Burp Suite Commercial: The quintessential web app hacking tool.
  • Caido.io Open Source: The lightweight, Rust-based alternative to Burp Suite.
  • sqlmap Open Source: Automates the process of detecting and exploiting SQL injection flaws.
  • W3AF Open Source: Web Application Attack and Audit Framework.
  • Routersploit Open Source: Exploitation framework for embedded devices.
  • Commix Open Source: Automated all-in-one OS command injection and exploitation tool.
  • Pacu Open Source: The "Metasploit for Cloud." An exploitation framework specifically for AWS.
  • ExploitDB Open Source: The official repository of The Exploit Database.
  • traitor Open Source: Automatic Linux privesc via exploitation of low-hanging fruit.
  • yakit Open Source: Cyber Security ALL-IN-ONE Platform (Exploit, Scanner, Hacking).
  • Shannon Open Source: Fully autonomous AI pentester that delivers actual exploits, not just alerts.
  • SploitScan Open Source: Tool designed to streamline the process of identifying exploits for known vulnerabilities and their respective exploitation probability.
  • Core Impact Commercial: Penetration testing and vulnerability assessment tool.
  • PowerSploit Open Source: Penetration testing framework containing PowerShell scripts.
  • Armitage Open Source: Graphical cyber attack management tool.

Web & API Exploitation

  • ZAP (Zed Attack Proxy) Free: Integrated penetration testing tool for finding vulnerabilities in web applications.
  • OWASP PenTest Kit (PTK) Open Source: Browser extension integrating DAST, IAST, SAST, and SCA capabilities directly into the browser, with findings mapped as native alerts in ZAP.
  • Acunetix Commercial: Automated web application and API security platform.
  • Invicti Commercial: Enterprise-grade web application and API security platform.
  • Kiterunner Open Source: The best tool for API endpoint discovery (finding hidden/shadow routes).
  • Arjun Open Source: Specialized in finding hidden HTTP parameters that other scanners miss.
  • Dalfox Open Source: Fast, modern XSS scanner.
  • SSRFTest Open Source: SSRF testing tool.
  • Jsluice Open Source: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
  • ActiveScan++ Commercial: Burp Suite extension that extends active and passive scanning capabilities.
  • Autorize Commercial: Burp Suite extension to detect authorization vulnerabilities.
  • Logger++ Commercial: Multi-threaded logging extension for Burp Suite.
  • Wpscan Open Source: Black box WordPress security scanner.
  • Infection Monkey Open Source: A semi-automatic pen testing tool for mapping/pen-testing networks.
  • ACSTIS Open Source: AngularJS Client-Side Template Injection scanner.
  • padding-oracle-attacker Open Source: CLI tool to execute padding oracle attacks.
  • is-website-vulnerable Open Source: Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
  • PhpSploit Open Source: Full-featured C2 framework which silently persists on webserver via evil PHP oneliner.
  • Fortify WebInspect Commercial: Scans and assesses web applications for vulnerabilities.
  • Skipfish Open Source: Web application security reconnaissance tool.
  • Grendel-Scan Open Source: Automated web application scanning tool.
  • Vega Open Source: Web vulnerability scanner and testing platform.
  • WebScarab Open Source: Web application vulnerability testing tool.
  • IronWASP Open Source: Web application security testing platform.

Initial Access & Privilege Escalation

  • PEASS-ng Open Source: Privilege Escalation Awesome Scripts SUITE.
  • NetExec (nxc) Free: The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
  • SprayingToolkit Open Source: Scripts for password spraying attacks.
  • CredMaster Open Source: Refactored & improved CredKing password spraying tool.
  • Kraken Open Source: All-in-One Toolkit for BruteForce Attacks.
  • SweetPotato Open Source: Collection of various native Windows privilege escalation techniques.
  • GodPotato Open Source: Privilege escalation using ImpersonatePrivilege.
  • PrivKit Open Source: Detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
  • Watson Open Source: Enumerate missing KBs and suggest exploits.
  • SharpUp Open Source: C# port of various PowerUp functionality.
  • dazzleUP Open Source: Detects privilege escalation vulnerabilities caused by misconfigurations.
STEP 5. Installation

Installation allows the adversary to maintain persistence inside the environment.

Persistence Tools

  • SharPersist Open Source: Windows persistence toolkit written in C#.
  • SharpStay Open Source: .NET project for installing Persistence.
  • SharpHide Open Source: Tool to create hidden registry keys.
  • ScheduleRunner Open Source: C# tool to customize scheduled tasks for persistence.
  • SharpEventPersist Open Source: Persistence by writing/reading shellcode from Event Log.
  • IIS-Raid Open Source: A native backdoor module for Microsoft IIS.
  • SharPyShell Open Source: Tiny and obfuscated ASP.NET webshell for C# web applications.
  • Kraken Open Source: Modular multi-language webshell.
  • HiddenDesktop Open Source: HVNC for Cobalt Strike.
  • DAMP Open Source: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.
  • reGeorg Open Source: The successor to reDuh, pwn a bastion webserver and create SOCKS proxies.
  • ABPTTS Open Source: TCP tunneling over HTTP for web application servers.
  • pivotnacci Open Source: A tool to make socks connections through HTTP agents.
STEP 6. Command and Control

Command and Control (C2) channels allow the attacker to issue instructions to the compromised devices.

Remote Access Tools (RAT) & C2 Frameworks

  • Cobalt Strike Commercial: Software for Adversary Simulations and Red Team Operations.
  • Villain Open Source: High level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells.
  • Kubesploit Open Source: Cross-platform post-exploitation HTTP/2 Command & Control server and agent focused on containerized environments.
  • Sliver Open Source: General purpose cross-platform implant framework.
  • Havoc Open Source: Modern and malleable post-exploitation command and control framework.
  • Empire Open Source: Post-exploitation framework that includes a pure-PowerShell Windows agent.
  • PoshC2 Open Source: Proxy aware C2 framework.
  • Covenant Open Source: .NET command and control framework.
  • Mythic Open Source: Cross-platform, post-exploit, red teaming framework.
  • Brute Ratel C4 Commercial: Advanced Red Team & Adversary Simulation Software.
  • merlin Open Source: Cross-platform post-exploitation C2 server and agent written in Go.
  • shad0w Open Source: Post-exploitation framework designed to operate covertly.
  • Pupy Open Source: Cross-platform remote administration and post-exploitation tool.
  • NimPlant Open Source: Light first-stage C2 implant written in Nim and Python.
  • SharpC2 Open Source: C2 framework written in C#.
  • Nimhawk Open Source: Powerful, modular, lightweight and efficient command & control framework written in Nim.
  • AdaptixC2 Open Source: Extensible post-exploitation and adversarial emulation framework.
  • Loki Open Source: Node.js Command & Control for Script-Jacking Vulnerable Electron Applications.
  • SILENTTRINITY Open Source: Asynchronous, collaborative post-exploitation agent powered by Python and .NET.

Legitimate Remote Access Tools

  • ManageEngine Remote Access Plus Commercial: Comprehensive remote desktop tool offering advanced troubleshooting.
  • VNC Connect Commercial: Cross-platform remote access solution.
  • ISL Online Commercial: Cloud-based remote desktop solution.
  • Remote Desktop Manager Commercial: Centralizes remote connections and credentials.
  • Supremo Commercial: Lightweight, secure remote control software.
  • SolarWinds Dameware Remote Support Commercial: Robust remote support tool.
  • AnyDesk Commercial: Fast and lightweight remote desktop application.
  • Zoho Assist Commercial: Cloud-based remote support and remote access tool.
  • Citrix DaaS Commercial: Desktop-as-a-service solution offering secure remote access.
  • Microsoft Quick Assist Free: Simple Windows-based tool for remote assistance.
  • NinjaOne Commercial: IT management platform with remote access.
  • Atera Commercial: Remote monitoring and management (RMM) platform.

Staging & Redirectors

  • RedWarden Open Source: Flexible CobaltStrike Malleable Redirector.
  • AzureC2Relay Open Source: Azure Function that validates and relays Cobalt Strike beacon traffic.
  • C2concealer Open Source: Generates randomized C2 malleable profiles.
  • FindFrontableDomains Open Source: Search for potential frontable domains.
  • Domain Hunter Open Source: Checks expired domains for reputation.
  • pwndrop Open Source: Self-deployable file hosting service for red teamers.
  • C3 Open Source: Custom Command and Control tool.
  • Chameleon Open Source: Tool for evading Proxy categorisation.
  • redirect.rules Open Source: Dynamic redirect.rules generator.
  • SourcePoint Open Source: C2 profile generator for Cobalt Strike.
  • RedGuard Open Source: C2 front flow control tool.
  • skyhook Open Source: Round-trip obfuscated HTTP file transfer setup.
  • GraphStrike Open Source: Cobalt Strike HTTPS beaconing over Microsoft Graph API.
STEP 7. Actions on Objectives

Actions on Objectives is the final phase where intruders take actions to achieve their original goals, such as data exfiltration or lateral movement.

Exfiltration

  • SharpExfiltrate Open Source: Modular C# framework to exfiltrate loot over secure channels.
  • DNSExfiltrator Open Source: Data exfiltration over DNS request covert channel.
  • Egress-Assess Open Source: Tool used to test egress data detection capabilities.
  • VeilTransfer Open Source: Data exfiltration utility designed to test and enhance detection capabilities.

Credential Dumping

  • NetExec (nxc) Free: The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
  • TruffleHog Free: The modern standard for finding secrets (API keys, creds) in code. Replaces gitGraber/Shhgit.
  • Hashcat Free: The industry standard for password cracking (GPU-based).
  • John the Ripper Free: Free and Open Source software, distributed primarily in a source code form.
  • Mimikatz Open Source: Allows users to view and save authentication credentials.
  • LaZagne Open Source: Retrieve lots of passwords stored on a local computer.
  • Dumpert Open Source: LSASS memory dumper using direct system calls and API unhooking.
  • CredBandit Open Source: BOF to perform a complete in-memory dump of a process.
  • CloneVault Open Source: Export and import entries from Windows Credential Manager.
  • SharpLAPS Open Source: Retrieve LAPS password from LDAP.
  • SharpDPAPI Open Source: C# port of some DPAPI functionality from Mimikatz.
  • KeeThief Open Source: Extraction of KeePass 2.X key material from memory.
  • SafetyKatz Open Source: Combination of Mimikatz and .NET PE Loader.
  • forkatz Open Source: Credential dump using the Forshaw technique.
  • PPLKiller Open Source: Tool to bypass LSA Protection.
  • AndrewSpecial Open Source: Dumping lsass' memory stealthily.
  • Net-GPPPassword Open Source: .NET implementation of Get-GPPPassword.
  • SharpChromium Open Source: Retrieve Chromium data, such as cookies, history and saved logins.
  • Chlonium Open Source: Application designed for cloning Chromium Cookies.
  • SharpCloud Open Source: Simple C# utility for checking for the existence of credential files.
  • pypykatz Open Source: Mimikatz implementation in pure Python.
  • nanodump Open Source: A Beacon Object File that creates a minidump of the LSASS process.
  • Koh Open Source: C# and BOF toolset to capture user credential material.
  • PPLBlade Open Source: Protected Process Dumper Tool.
  • TrickDump Open Source: Dump lsass using only NTAPIs.
  • RemoteMonologue Open Source: Windows credential harvesting technique leveraging Interactive User RunAs key.
  • Cain and Abel Free: Password recovery tool for Windows.
  • RainbowCrack Free: Hash cracker using rainbow tables.
  • THC Hydra Open Source: Parallelized network login cracker.
  • L0phtCrack Open Source: Password auditing and recovery tool.

Lateral Movement

  • Ligolo-ng Open Source: The new standard for pivoting/tunneling. Replaces clunky VPN/proxychains setups.
  • Responder Open Source: Essential for poisoning LLMNR/NBT-NS protocols to capture hashes.
  • Liquid Snake Open Source: Fileless lateral movement using WMI Event Subscriptions.
  • PowerUpSQL Open Source: PowerShell Toolkit for Attacking SQL Server.
  • SQLRecon Open Source: C# MS SQL toolkit designed for offensive reconnaissance.
  • SCShell Open Source: Fileless lateral movement tool that relies on ChangeServiceConfigA.
  • SharpRDP Open Source: RDP Console Application for Authenticated Command Execution.
  • MoveKit Open Source: Extension of built-in Cobalt Strike lateral movement.
  • SharpNoPSExec Open Source: Fileless command execution for lateral movement.
  • impacket Open Source: Collection of Python classes for working with network protocols.
  • Farmer Open Source: Project for collecting NetNTLM hashes.
  • CIMplant Open Source: C# port of WMImplant.
  • PowerLessShell Open Source: Rely on MSBuild.exe to remotely execute PowerShell scripts.
  • SharpGPOAbuse Open Source: Take advantage of a user's edit rights on a Group Policy Object.
  • kerbrute Open Source: Quickly bruteforce and enumerate valid Active Directory accounts.
  • mssqlproxy Open Source: Toolkit to perform lateral movement through Microsoft SQL Server.
  • Invoke-TheHash Open Source: PowerShell Pass The Hash Utils.
  • InveighZero Open Source: .NET IPv4/IPv6 machine-in-the-middle tool.
  • SharpSpray Open Source: Password spraying attack against all users of a domain.
  • CrackMapExec Open Source: A Swiss Army knife for pentesting networks.
  • SharpAllowedToAct Open Source: C# implementation of a computer object takeover through RBCD.
  • SharpRDPHijack Open Source: RDP session hijack utility for disconnected sessions.
  • CheeseTools Open Source: Tools based on MiscTool.
  • LatLoader Open Source: Automated lateral movement with Havoc C2.
  • MalSCCM Open Source: Abuse local or remote SCCM servers.
  • Coercer Open Source: Coerce a Windows server to authenticate on an arbitrary machine.
  • orpheus Open Source: Bypassing Kerberoast Detections.
  • goexec Open Source: Remote execution on Windows devices.
  • BitlockMove Open Source: Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking.

Tunneling

  • Chisel Open Source: Fast TCP/UDP tunnel, transported over HTTP, secured via SSH.
  • frp Open Source: Fast reverse proxy.
  • SockTail Open Source: Joins a device to a Tailscale network and exposes a local SOCKS5 proxy.

Network & Analysis

  • Wireshark Free: Network protocol analyzer.
  • Ettercap Free: Open-source network security tool for man-in-the-middle attacks.
  • Bettercap Free: The "Swiss Army knife" for network attacks and monitoring.
  • FoxyProxy Free: Advanced proxy management tool.
  • CyberChef Open Source: The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis.
  • tcpdump Open Source: Command-line network packet analyzer.
  • Snort Open Source: Intrusion detection and prevention system.
  • Ngrep Open Source: Network packet analyzer that uses grep-like patterns.
  • NetworkMiner Open Source: Network forensic analysis tool.
  • Hping3 Open Source: Command-line packet crafting and analysis tool.
  • Nemesis Open Source: Packet crafting and injection tool.