v2026.02.01

Cyber Security Resources

Curated tools and information for Cyber Defense

DEFENSE
General Defense Resources

Defensive strategies, frameworks, and tools are essential for the Blue Team to detect, prevent, and respond to cyber threats.

Cybersecurity Frameworks
  • NIST Cybersecurity Framework: A set of guidelines for private sector companies to follow to be better prepared in identifying, detecting, and responding to cyber attacks. (Resources Library, NIST CSF 2.0)
  • CIS Controls: Prioritized set of actions to protect your organization and data from known cyber attack vectors. (Assessment Tool)
  • NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations. (Machine Readable Data)
  • PCI DSS: Payment Card Industry Data Security Standard for organizations that handle branded credit cards.
  • SOC 2: Service Organization Control 2 - Trust Services Criteria for Service Organizations.
  • COBIT: Control Objectives for Information and Related Technologies, a framework for IT management and governance. (Auditing COBIT 2019)
  • ISO 27001/27002 Toolkit: A repository containing a comprehensive toolkit designed to help organizations implement the ISO 27001:2022 Information Security Management System (ISMS).
  • ISF SOGP: The ISF Standard of Good Practice for Information Security (SOGP) is the leading authority on information security.
Cybersecurity HomeLab
  • Kali Linux: Offensive toolkit for scanning, exploitation, and red teaming. Run in a VM to scan/exploit other lab systems.
  • Metasploitable 2: Vulnerable Linux VM for safe exploit practice. Pair with Kali to test exploits & document.
  • Vulnerable-AD: Insecure Active Directory lab. Use with Windows Server to simulate AD attacks.
  • WebGoat: OWASP vulnerable web app. Run locally/Docker & complete built-in lessons.
  • Juice Shop: Modern OWASP vuln app. Host locally & attempt SQLi, XSS, more.
  • GoPhish: Phishing simulation platform. Send test phishing emails to lab inboxes.
  • PortSwigger: Free web security labs. Work through online exploit challenges.
  • Vulnserver: Windows buffer overflow server. Run in Win7 VM & exploit with Immunity Debugger.
  • Vulnerable WP: Exploitable WordPress site. Install locally & test WP-specific exploits.
  • CTFlearn: CTF challenges for all levels. Solve puzzles to improve across domains.
  • pfSense: Firewall/router for segmentation. Place between VMs to control & inspect traffic.
  • Suricata: IDS/IPS. Deploy inline with pfSense to detect/block threats.
  • Wazuh: SIEM/XDR. Collect & analyze logs from lab machines.
  • OpenSearch: Search/visualization stack. Integrate with Wazuh for event dashboards.
  • Security Onion: Threat detection suite. Ingest lab traffic for threat hunting.
  • Cowrie: SSH/telnet honeypot. Deploy isolated to monitor login attempts.
  • WireGuard: VPN. Securely connect to lab network remotely.
  • Sysmon: Windows logging. Install to track security events.
  • Ansible: Automation tool. Push configs to multiple lab VMs.
  • MITRE Caldera: Adversary emulation. Simulate attacker behavior in test networks.
  • Wireshark: Packet capture/analysis. Inspect traffic between lab hosts. (Download)
  • Zeek: Network monitoring/logging. Run with Security Onion for deep analysis. (Download)
  • REMnux: Malware analysis distro. Reverse-engineer safely in VM. (Download)
  • Sigma: Detection rules. Write rules & test in Wazuh/Graylog.
  • Proxmox VE: Virtualization platform for running your lab VMs.
  • Docker: Platform for developing, shipping, and running applications in containers.
  • Portainer: Universal container management environment.
  • Pi-hole: Network-wide ad blocking via your own Linux hardware.
  • T-Pot: The All In One Honeypot Platform.
  • HELK: The Hunting ELK - A Hunting Platform.
  • Ghidra: A software reverse engineering (SRE) suite of tools developed by NSA.
  • FlareVM: Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
Threat Modeling Frameworks
  • MITRE ATT&CK: A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
  • Cyber Kill Chain: Developed by Lockheed Martin, this framework identifies what the adversaries must complete in order to achieve their objective.
  • Diamond Model: A cognitive model for intrusion analysis.
  • STRIDE: A threat modeling methodology developed by Microsoft (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
  • PASTA: Process for Attack Simulation and Threat Analysis, a risk-centric threat modeling methodology.
  • LINDDUN: Privacy threat modeling framework (Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance). (PILLAR AI Tool)
  • OCTAVE: Operationally Critical Threat, Asset, and Vulnerability Evaluation, a risk-based strategic assessment and planning technique.
  • VAST: Visual, Agile, and Simple Threat modeling, a scalable framework for DevOps and Agile.
  • Trike: A risk-based threat modeling methodology and tool. (GitHub Repo)
  • Attack Trees: Conceptual diagrams showing how an asset, or target, might be attacked. (ATTop Analysis Tool)
Threat Modeling Tools
Blue Team Tools

Security Monitoring & SIEM

  • Sysmon: Windows system monitor that tracks system activity and logs it to the Windows event log.
  • Wazuh: Free and open source security platform that unifies XDR and SIEM capabilities.
  • Security Onion: A free and open platform for threat hunting, enterprise security monitoring, and log management.
  • Elastic Security (ELK): Unified protection for everyone.
  • Velociraptor: Endpoint visibility and collection tool.
  • SysmonSearch: Aggregates event logs generated by Microsoft's Sysmon.

Incident Response & Forensics

  • TheHive: A scalable, open source and free Security Incident Response Platform.
  • Cortex: Powerful Observable Analysis and Active Response Engine.
  • SANS SIFT: SANS Investigative Forensic Toolkit.
  • Autopsy: Digital forensics platform and graphical interface to The Sleuth Kit.
  • Volatility: Advanced memory forensics framework.
  • KAPE: Kroll Artifact Parser and Extractor.

Threat Intelligence

  • MISP: Malware Information Sharing Platform and Threat Sharing.
  • OpenCTI: Open Cyber Threat Intelligence Platform.
  • YARA: The pattern matching swiss knife for malware researchers.

Analysis & Sandboxing

Application Security

  • SafeLine: Lightweight web application firewall (WAF) offering layer 7 protection.
  • Medusa: Multi-Language Security Scanner with AI-first architecture.
Detection Engineering
  • Sigma: Generic Signature Format for SIEM Systems.
  • Unprotect Project: Malware evasion techniques knowledge base.
  • LOLBAS: Living Off The Land Binaries, Scripts and Libraries.
  • GTFOBins: List of Unix binaries that can be used to bypass local security restrictions.
OFFENSE
The Cyber Kill Chain

Information

  • Process: Developed by Lockheed Martin, this framework identifies what the adversaries must complete in order to achieve their objective.
STEP 1. Reconnaissance

Reconnaissance is the first phase of the Cyber Kill Chain, involving research, identification, and selection of targets.

Tools

Scanners & Frameworks

  • Argus: Python-powered toolkit for information gathering and reconnaissance.
  • RustScan: The Modern Port Scanner. Finds ports quickly (3 seconds at its fastest) and runs scripts through its scripting engine (Python, Lua, Shell supported).
  • Amass: In-depth Attack Surface Mapping and Asset Discovery.
  • Nmap: The "Network Mapper", free and open source utility for network discovery and security auditing.
  • Masscan: Internet-scale port scanner, transmitting 10 million packets per second.
  • Naabu: A fast port scanning tool written in Go that enumerates valid ports in a reliable manner.
  • OpenVAS: Full-featured vulnerability scanner with extensive testing capabilities.
  • Nikto: Open Source web server scanner for over 6700 potentially dangerous files/programs.
  • Sn1per: Automated scanner for enumeration and vulnerability scanning.
  • Osmedeus: Workflow engine for offensive security, running awesome tools for recon and vulnerability scanning.
  • D0rkerR3con Framework: Offensive Recon toolkit to discover exposed files, secrets, and launch weaponized Google Dorks.
  • Recon-ng: Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
  • Scanners-Box: A powerful and open-source toolkit for hackers and security automation.
  • ReconNess: Helps you run and keep all your recon in the same place.
  • Lazyrecon: Script written in Bash to automate tedious tasks of reconnaissance and information gathering.
  • reconFTW: A powerful automated reconnaissance tool designed for security researchers.
  • axiom: A distributed dynamic infrastructure framework for offensive security operations.
  • Trivy: Comprehensive and versatile security scanner for vulnerabilities and misconfigurations.

Domain & DNS

  • Subfinder: Subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
  • Puredns: Fast, professional DNS resolver. Replaces Altdns/Massdns for many workflows.
  • Chaos: Actively scans and maintains internet-wide assets' data.
  • Dnsprobe: Tool built on top of retryabledns that allows you to perform multiple DNS queries.
  • Shuffledns: Wrapper around massdns that allows you to enumerate valid subdomains using active bruteforce.
  • Findomain: Offers dedicated monitoring service for target domains and alerts.
  • Dnsgen: Generates a combination of domain names from the provided input.
  • Gotator: Powerful permutation generation for subdomains.
  • Massdns: High-performance DNS stub resolver.
  • Sublert: Security and reconnaissance tool to leverage certificate transparency for monitoring new subdomains.
  • Subjack: Subdomain Takeover tool written in Go.
  • dnscan: A python wordlist-based DNS subdomain scanner.

Web & OSINT

  • Wappalyzer: Browser extension that uncovers the technologies used on websites.
  • BuiltWith: Helps find out what technologies web pages are using.
  • WhatWeb: Recognizes web technologies including CMS, blogging platforms, statistic/analytics packages, etc.
  • Gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
  • Waybackurls: Fetch known URLs from the Wayback Machine.
  • Meg: Tool for fetching lots of URLs without taking a toll on the servers.
  • Katana: A next-generation crawling and spidering framework.
  • Feroxbuster: A Rust-based content discovery tool. Faster, smarter, and more modern than Dirb/DirBuster.
  • Dirsearch: A simple command line tool designed to brute force directories and files in websites.
  • Ffuf: A fast web fuzzer written in Go.
  • httpx: Fast and multi-purpose HTTP toolkit that allows running multiple probes.
  • EyeWitness: Designed to take screenshots of websites, provide some server header info, and identify default credentials.
  • Gowitness: Website screenshot utility written in Golang using Chrome Headless.
  • SpiderFoot: Open source intelligence (OSINT) automation tool.
  • Maltego: OSINT and graphical link analysis tool for gathering and connecting information.
  • Shodan: Search engine for Internet-connected devices.
  • Censys: Scans the most ports and houses the biggest certificate database in the world.
  • Jsluice: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
  • Unfurl: Parse URLs and pull out content based on criteria.
  • Asnlookup: Displays information about an IP address's Autonomous System Number (ASN).
  • Virtual-host-discovery: Enumerates virtual hosts on a given IP address.
  • WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer.
  • BBOT: Recursive internet scanner designed to be faster and more reliable.
  • ENScan_GO: Tool built on major Chinese enterprise-information APIs to simplify collecting corporate information (ICP filings, apps, WeChat accounts, etc.).
  • dismap: Asset discovery and identification tool for rapid web fingerprint recognition.

Cloud & Git

  • gitGraber: Monitor GitHub to search and find sensitive data in real time.
  • Shhgit: Finds secrets and sensitive files across GitHub code and Gists in real-time.
  • gitleaks: SAST tool for detecting hardcoded secrets in git repos.
  • cloud_enum: Multi-cloud OSINT tool.
  • S3Scanner: Scan for open S3 buckets and dump the contents.
  • Gato (GitHub Attack Toolkit): Enumeration and attack tool for GitHub organizations.
  • apk2url: OSINT tool to extract IP and URL endpoints from APKs.
  • Checkov: Static analysis tool for Infrastructure as Code (IaC) security and compliance.

Social Media

STEP 2. Weaponization

Weaponization involves coupling a remote access trojan with an exploit into a deliverable payload.

Tools (Payload Development)

  • Ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  • Payloads All The Things: A list of useful payloads and bypasses for Web Application Security.
  • GhostStrike: Deploy stealthy reverse shells using advanced process hollowing.
  • Ivy: Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory.
  • PEzor: Open-Source PE Packer.
  • GadgetToJScript: Generates .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized.
  • ScareCrow: Payload creation framework designed around EDR bypass.
  • Donut: Position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
  • Mystikal: macOS Initial Access Payload Generator.
  • charlotte: C++ fully undetected shellcode launcher.
  • InvisibilityCloak: Obfuscation toolkit for C# post-exploitation tools.
  • Dendrobate: Framework that facilitates the development of payloads that hook unmanaged code through managed .NET code.
  • Offensive VBA and XLS Entanglement: Examples of how VBA can be used for offensive purposes.
  • xlsGen: Tiny Excel BIFF8 generator for embedding Excel 4.0 macros in *.xls files.
  • darkarmour: Windows AV Evasion.
  • InlineWhispers: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF).
  • EvilClippy: Assistant for creating malicious MS Office documents.
  • OfficePurge: VBA purge your Office documents.
  • ThreatCheck: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
  • CrossC2: Generate CobaltStrike's cross-platform payload.
  • Ruler: Tool that allows you to interact with Exchange servers remotely.
  • DueDLLigence: Shellcode runner framework for application whitelisting bypasses and DLL side-loading.
  • RuralBishop: P/Invoke calls replaced with D/Invoke.
  • TikiTorch: Spawns a new process, allocates memory, then uses CreateRemoteThread to run shellcode.
  • SharpShooter: Payload creation framework for the retrieval and execution of arbitrary CSharp source code.
  • SharpSploit: .NET post-exploitation library written in C#.
  • MSBuildAPICaller: MSBuild Without MSBuild.exe.
  • macro_pack: Tool used to automatize obfuscation and generation of MS Office documents, VB scripts, etc.
  • inceptor: Template-Driven AV/EDR Evasion Framework.
  • mortar: Evasion technique to defeat and divert detection and prevention of security products.
  • ProtectMyTooling: Multi-packer wrapper that daisy-chains various packers and obfuscators.
  • Freeze: Payload toolkit for bypassing EDRs using suspended processes, direct syscalls.
  • Shhhloader: Shellcode loader that compiles a C++ stub to bypass AV/EDR.
  • DllShimmer: Weaponize DLL hijacking easily.
  • moonwalk: Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.
STEP 3. Delivery

Delivery is the transmission of the weapon to the targeted environment.

Phishing Tools

  • Gophish: Open-source phishing toolkit designed for businesses and penetration testers.
  • Evilginx2: Man-in-the-middle attack framework used for phishing credentials and session cookies.
  • Modlishka: Flexible and powerful reverse proxy for ethical phishing campaigns.
  • o365-attack-toolkit: A toolkit to attack Office365.
  • PwnAuth: Web application framework for launching and managing OAuth abuse campaigns.
  • goblin: Phishing simulation system suitable for red team vs. blue team exercises.
  • Social-Engineer Toolkit (SET): Open-source penetration testing framework designed for social engineering.

Other Delivery & Interaction Tools

  • Interactsh: ProjectDiscovery's OOB interaction server. Critical for blind SSRF/XXE/RCE testing.
  • BeEF: The Browser Exploitation Framework. Focuses on the web browser.
STEP 4. Exploitation

Exploitation triggers the attackers' code. This phase targets vulnerabilities to gain control or execute code.

Exploitation Frameworks & Tools

  • Metasploit Framework: The world's most used penetration testing framework.
  • Burp Suite: The quintessential web app hacking tool.
  • Caido.io: The lightweight, Rust-based alternative to Burp Suite.
  • sqlmap: Automates the process of detecting and exploiting SQL injection flaws.
  • W3AF: Web Application Attack and Audit Framework.
  • Routersploit: Exploitation framework for embedded devices.
  • Commix: Automated all-in-one OS command injection and exploitation tool.
  • Pacu: The "Metasploit for Cloud." An exploitation framework specifically for AWS.
  • ExploitDB: The official repository of The Exploit Database.
  • traitor: Automatic Linux privesc via exploitation of low-hanging fruit.
  • yakit: Cyber Security ALL-IN-ONE Platform (Exploit, Scanner, Hacking).

Web & API Exploitation

  • ZAP (Zed Attack Proxy): Integrated penetration testing tool for finding vulnerabilities in web applications.
  • Acunetix: Automated web application and API security platform.
  • Invicti: Enterprise-grade web application and API security platform.
  • Kiterunner: The best tool for API endpoint discovery (finding hidden/shadow routes).
  • Arjun: Specialized in finding hidden HTTP parameters that other scanners miss.
  • Dalfox: Fast, modern XSS scanner.
  • SSRFTest: SSRF testing tool.
  • Jsluice: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
  • ActiveScan++: Burp Suite extension that extends active and passive scanning capabilities.
  • Autorize: Burp Suite extension to detect authorization vulnerabilities.
  • Logger++: Multi-threaded logging extension for Burp Suite.
  • Wpscan: Black box WordPress security scanner.
  • Infection Monkey: A semi-automatic pen testing tool for mapping and pen-testing networks.
  • ACSTIS: AngularJS Client-Side Template Injection scanner.
  • padding-oracle-attacker: CLI tool to execute padding oracle attacks.
  • is-website-vulnerable: Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
  • PhpSploit: Full-featured C2 framework which silently persists on webserver via evil PHP oneliner.

Initial Access & Privilege Escalation

  • PEASS-ng: Privilege Escalation Awesome Scripts SUITE.
  • NetExec (nxc): The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
  • SprayingToolkit: Scripts for password spraying attacks.
  • CredMaster: Refactored & improved CredKing password spraying tool.
  • Kraken: All-in-One Toolkit for BruteForce Attacks.
  • SweetPotato: Collection of various native Windows privilege escalation techniques.
  • GodPotato: Privilege escalation using ImpersonatePrivilege.
  • PrivKit: Detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
  • Watson: Enumerate missing KBs and suggest exploits.
  • SharpUp: C# port of various PowerUp functionality.
  • dazzleUP: Detects privilege escalation vulnerabilities caused by misconfigurations.
STEP 5. Installation

Installation allows the adversary to maintain persistence inside the environment.

Persistence Tools

  • SharPersist: Windows persistence toolkit written in C#.
  • SharpStay: .NET project for installing persistence.
  • SharpHide: Tool to create hidden registry keys.
  • ScheduleRunner: C# tool to customize scheduled task for persistence.
  • SharpEventPersist: Persistence by writing/reading shellcode from Event Log.
  • IIS-Raid: A native backdoor module for Microsoft IIS.
  • SharPyShell: Tiny and obfuscated ASP.NET webshell for C# web applications.
  • Kraken: Modular multi-language webshell.
  • HiddenDesktop: HVNC for Cobalt Strike.
  • DAMP: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.
  • reGeorg: The successor to reDuh, pwn a bastion webserver and create SOCKS proxies.
  • ABPTTS: TCP tunneling over HTTP for web application servers.
  • pivotnacci: A tool to make socks connections through HTTP agents.
STEP 6. Command and Control

Command and Control (C2) channels allow the attacker to issue instructions to the compromised devices.

Remote Access Tools (RAT) & C2 Frameworks

  • Cobalt Strike: Software for Adversary Simulations and Red Team Operations.
  • Villain: High level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells.
  • Kubesploit: Cross-platform post-exploitation HTTP/2 Command & Control server and agent focused on containerized environments.
  • Sliver: General purpose cross-platform implant framework.
  • Havoc: Modern and malleable post-exploitation command and control framework.
  • Empire: Post-exploitation framework that includes a pure-PowerShell Windows agent.
  • PoshC2: Proxy aware C2 framework.
  • Covenant: .NET command and control framework.
  • Mythic: Cross-platform, post-exploit, red teaming framework.
  • Brute Ratel C4: Advanced Red Team & Adversary Simulation Software.
  • merlin: Cross-platform post-exploitation C2 server and agent written in Go.
  • shad0w: Post exploitation framework designed to operate covertly.
  • Pupy: Cross-platform remote administration and post-exploitation tool.
  • NimPlant: Light first-stage C2 implant written in Nim and Python.
  • SharpC2: C2 framework written in C#.
  • Nimhawk: Powerful, modular, lightweight and efficient command & control framework written in Nim.
  • AdaptixC2: Extensible post-exploitation and adversarial emulation framework.
  • Loki: Node.js Command & Control for Script-Jacking Vulnerable Electron Applications.
  • SILENTTRINITY: Asynchronous, collaborative post-exploitation agent powered by Python and .NET.

Legitimate Remote Access Tools

Staging & Redirectors

  • RedWarden: Flexible CobaltStrike Malleable Redirector.
  • AzureC2Relay: Azure Function that validates and relays Cobalt Strike beacon traffic.
  • C2concealer: Generates randomized C2 malleable profiles.
  • FindFrontableDomains: Search for potential frontable domains.
  • Domain Hunter: Checks expired domains for reputation.
  • pwndrop: Self-deployable file hosting service for red teamers.
  • C3: Custom Command and Control tool.
  • Chameleon: Tool for evading Proxy categorisation.
  • redirect.rules: Dynamic redirect.rules generator.
  • SourcePoint: C2 profile generator for Cobalt Strike.
  • RedGuard: C2 front flow control tool.
  • skyhook: Round-trip obfuscated HTTP file transfer setup.
  • GraphStrike: Cobalt Strike HTTPS beaconing over Microsoft Graph API.
STEP 7. Actions on Objectives

Actions on Objectives is the final phase where intruders take actions to achieve their original goals, such as data exfiltration or lateral movement.

Exfiltration

  • SharpExfiltrate: Modular C# framework to exfiltrate loot over secure channels.
  • DNSExfiltrator: Data exfiltration over DNS request covert channel.
  • Egress-Assess: Tool used to test egress data detection capabilities.
  • VeilTransfer: Data exfiltration utility designed to test and enhance detection capabilities.

Credential Dumping

  • NetExec (nxc): The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
  • TruffleHog: The modern standard for finding secrets (API keys, creds) in code. Replaces gitGraber/Shhgit.
  • Hashcat: The industry standard for password cracking (GPU-based).
  • John the Ripper: Free and open-source password cracker, distributed primarily in source code form.
  • Mimikatz: Allows users to view and save authentication credentials.
  • LaZagne: Retrieve lots of passwords stored on a local computer.
  • Dumpert: LSASS memory dumper using direct system calls and API unhooking.
  • CredBandit: BOF to perform a complete in memory dump of a process.
  • CloneVault: Export and import entries from Windows Credential Manager.
  • SharpLAPS: Retrieve LAPS password from LDAP.
  • SharpDPAPI: C# port of some DPAPI functionality from Mimikatz.
  • KeeThief: Extraction of KeePass 2.X key material from memory.
  • SafetyKatz: Combination of Mimikatz and .NET PE Loader.
  • forkatz: Credential dump using the Forshaw technique.
  • PPLKiller: Tool to bypass LSA Protection.
  • AndrewSpecial: Dumping LSASS memory stealthily.
  • Net-GPPPassword: .NET implementation of Get-GPPPassword.
  • SharpChromium: Retrieve Chromium data, such as cookies, history and saved logins.
  • Chlonium: Application designed for cloning Chromium Cookies.
  • SharpCloud: Simple C# utility for checking for the existence of credential files.
  • pypykatz: Mimikatz implementation in pure Python.
  • nanodump: A Beacon Object File that creates a minidump of the LSASS process.
  • Koh: C# and BOF toolset to capture user credential material.
  • PPLBlade: Protected Process Dumper Tool.
  • TrickDump: Dump LSASS using only NTAPIs.
  • RemoteMonologue: Windows credential harvesting technique leveraging Interactive User RunAs key.

Lateral Movement

  • Ligolo-ng: The new standard for pivoting/tunneling. Replaces clunky VPN/proxychains setups.
  • Responder: Essential for poisoning LLMNR/NBT-NS protocols to capture hashes.
  • Liquid Snake: Fileless lateral movement using WMI Event Subscriptions.
  • PowerUpSQL: PowerShell Toolkit for Attacking SQL Server.
  • SQLRecon: C# MS SQL toolkit designed for offensive reconnaissance.
  • SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA.
  • SharpRDP: RDP Console Application for Authenticated Command Execution.
  • MoveKit: Extension of built-in Cobalt Strike lateral movement.
  • SharpNoPSExec: Fileless command execution for lateral movement.
  • impacket: Collection of Python classes for working with network protocols.
  • Farmer: Project for collecting NetNTLM hashes.
  • CIMplant: C# port of WMImplant.
  • PowerLessShell: Rely on MSBuild.exe to remotely execute PowerShell scripts.
  • SharpGPOAbuse: Take advantage of a user's edit rights on a Group Policy Object.
  • kerbrute: Quickly bruteforce and enumerate valid Active Directory accounts.
  • mssqlproxy: Toolkit to perform lateral movement through Microsoft SQL Server.
  • Invoke-TheHash: PowerShell Pass The Hash Utils.
  • InveighZero: .NET IPv4/IPv6 machine-in-the-middle tool.
  • SharpSpray: Password spraying attack against all users of a domain.
  • CrackMapExec: A swiss army knife for pentesting networks.
  • SharpAllowedToAct: C# implementation of a computer object takeover through RBCD.
  • SharpRDPHijack: RDP session hijack utility for disconnected sessions.
  • CheeseTools: Tools based on MiscTool.
  • LatLoader: Automated lateral movement with Havoc C2.
  • MalSCCM: Abuse local or remote SCCM servers.
  • Coercer: Coerce a Windows server to authenticate on an arbitrary machine.
  • orpheus: Bypassing Kerberoast Detections.
  • goexec: Remote execution on Windows devices.
  • BitlockMove: Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking.

Tunneling

  • Chisel: Fast TCP/UDP tunnel, transported over HTTP, secured via SSH.
  • frp: Fast reverse proxy.
  • SockTail: Joins a device to a Tailscale network and exposes a local SOCKS5 proxy.

Network & Analysis

  • Wireshark: Network protocol analyzer.
  • Ettercap: Open-source network security tool for man-in-the-middle attacks.
  • Bettercap: The "Swiss Army knife" for network attacks and monitoring.
  • FoxyProxy: Advanced proxy management tool.
  • CyberChef: The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis.