foyl Red · Tools
Offensive Tool Directory
A curated reference of red team tooling organized by phase — not a download page, but a guide to what exists, when to use it, and what the defender sees when you do.
Educational reference only. This directory documents tools for authorized penetration testing and security research. Obtain explicit written authorization before running any of these tools against systems you do not own. Unauthorized use is illegal.
01
Recon & OSINT
Shodan
Internet-connected device search engine. Query by IP, port, banner, technology, or organization. Find exposed services, ICS devices, default credentials, and certificate data before ever touching the target.
Use: shodan.io (web) or the CLI:
shodan search 'org:"target"'
theHarvester
Harvest emails, subdomains, hosts, and employee names from Google, LinkedIn, Bing, Shodan, Censys, and more. Excellent first-pass recon before active engagement.
theHarvester -d target.com -b all -l 500
theHarvester — attacker@kali
# Harvest emails and subdomains from ficsit-pioneer.corp
$ theHarvester -d ficsit-pioneer.corp -b all -l 500
Amass
OWASP-maintained DNS enumeration tool. Passive mode collects names from third-party sources (Shodan, Censys, VirusTotal, certificate transparency logs) without sending a packet to the target. Active mode resolves those names and adds zone transfer attempts, subdomain brute force, name permutations, and certificate grabs from live TLS services, all of which the target's DNS and web servers will see.
Recon-ng
Modular web reconnaissance framework. Similar in UX to Metasploit — install modules for different data sources (LinkedIn, Shodan, HaveIBeenPwned), run workspaces, and export results as reports.
SpiderFoot
Automated OSINT collection with 200+ modules and a web UI. Good for initial broad recon — run against an IP, domain, or email and let it spider through linked intelligence automatically.
02
Scanning & Discovery
Nmap
The standard port scanner. TCP SYN (-sS), version detection (-sV), OS detection (-O), and scripted enumeration via NSE. Blue: generates IDS alerts; tune timing with -T0 to -T5 (-T3 is the default; -T0/-T1 serialize probes and are very slow, -T4/-T5 are fast and loud).
→ Blue: NGFW Logs
→ Blue: SIEM IDS Alerts
nmap — Ficsit Inc. network 192.168.1.0/24
# SYN scan with version + OS detection against Ficsit subnet
$ nmap -sS -sV -O 192.168.1.0/24 --open
Masscan
Internet-scale port scanner — can scan the full IPv4 range in under 6 minutes at 10M packets/sec. Use for wide-area discovery, then hand off to Nmap for detailed enum. Very noisy — not for stealth engagements.
Nuclei
Template-based vulnerability scanner with a community-maintained library of 9,000+ checks. Run against a host list after nmap discovery to identify specific CVEs, misconfigs, exposed panels, and default credentials.
Feroxbuster
Fast, recursive content discovery for web applications. Brute-forces directories and files against a wordlist with multi-threading. Better than gobuster for recursive scanning. Use SecLists wordlists.
Nikto
Web server misconfiguration scanner. Checks for dangerous files, outdated software, common vulnerabilities, and server header disclosure. Very noisy — do not use if stealth is required. Good for internal web server audits.
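The Masscan, Nuclei and Feroxbuster entries above all hand off from nmap output. The script below is added here as an example; it is not part of the original page or of any of those projects. It parses nmap's greppable (-oG) format into the host:port list that Nuclei's -l option takes and the URL list Feroxbuster and Nikto take. The scan output embedded in it is a constructed sample in the real -oG layout, not a real scan.

```shell
#!/bin/sh
# Added example, not from the page: parse nmap's greppable output (-oG) into the
# host:port and URL target lists that Nuclei (-l) and Feroxbuster (-u) expect.
# The scan output below is a constructed sample in the -oG format, not a real scan.

SAMPLE_GNMAP=$(
  printf 'Host: 192.168.1.10 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9//, 80/open/tcp//http//nginx 1.24//, 443/open/tcp//ssl|http//nginx 1.24//\tIgnored State: closed (997)\n'
  printf 'Host: 192.168.1.20 ()\tStatus: Up\n'
  printf 'Host: 192.168.1.20 ()\tPorts: 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds//Windows Server 2019//, 3389/open/tcp//ms-wbt-server//Microsoft Terminal Services//, 8080/open/tcp//http-proxy//Apache Tomcat//\tIgnored State: closed (996)\n'
)

# One "host port service" line per open TCP port. Each -oG port entry is
# port/state/proto/owner/service/rpcinfo/version/ and entries are comma separated.
gnmap_open_tcp() {
  awk '/^Host: / && index($0, "Ports: ") {
    host = $2
    s = substr($0, index($0, "Ports: ") + 7)
    sub(/\t.*$/, "", s)              # drop the trailing "Ignored State" field
    n = split(s, p, ", ")
    for (i = 1; i <= n; i++) {
      split(p[i], f, "/")
      if (f[2] == "open" && f[3] == "tcp") print host, f[1], f[5]
    }
  }'
}

# host:port list for Nuclei: nuclei -l targets.txt
gnmap_targets() { gnmap_open_tcp | awk '{ print $1 ":" $2 }'; }

# URL list for Feroxbuster/Nikto. nmap tags TLS web services as "ssl|http" or
# "https", so those get an https:// scheme; plain http and http-proxy get http://.
gnmap_web_targets() {
  gnmap_open_tcp | awk 'index($3, "http") {
    scheme = (index($3, "ssl|") == 1 || $3 ~ /^https/) ? "https" : "http"
    print scheme "://" $1 ":" $2
  }'
}

printf '%s\n' "$SAMPLE_GNMAP" | gnmap_targets       # 6 host:port lines, filtered 135 excluded
printf '%s\n' "$SAMPLE_GNMAP" | gnmap_web_targets   # 3 URLs, 443 becomes https://
```

Run the real scan with `nmap -sS -sV -oG scan.gnmap --open <range>` and pipe `scan.gnmap` through the functions; `gnmap_targets > targets.txt` feeds `nuclei -l targets.txt`, and each line of `gnmap_web_targets` is a `feroxbuster -u` argument.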
03
Exploitation
Metasploit
The de facto exploitation framework. Module library covers thousands of CVEs, payloads (Meterpreter, shells), and post-exploitation modules. Msfconsole for interactive use; msfvenom for payload generation. Blue: Metasploit traffic has distinct signatures — most EDRs detect Meterpreter staging.
SQLmap
Automated SQL injection detection and exploitation. Supports all major injection types (boolean, time-based, union, error-based) and can dump databases, read/write files, and escalate to OS shell when the DB engine allows it.
Burp Suite
The essential web application testing platform. Proxy intercepts browser traffic for manual analysis, Repeater for crafting requests, Intruder for fuzzing, Scanner for automated vuln detection (Pro). Required for any web application engagement.
04
Active Directory
BloodHound
AD attack path visualization. Run SharpHound (Windows) or BloodHound.py (Linux) to collect domain data, then load into the BloodHound UI to map shortest paths to Domain Admin. Essential for any AD engagement — run this before anything else.
Impacket
Python library for Windows network protocols. GetUserSPNs (Kerberoasting), secretsdump (NTDS/SAM), psexec, wmiexec, atexec — entire AD attack suite from Linux. The backbone of many red team operations.
Rubeus
C# Kerberos toolkit for Windows — Kerberoasting, AS-REP roasting, ticket extraction (dump), Pass-the-Ticket, S4U delegation abuse, and more. Run in-memory via Cobalt Strike or as a standalone executable.
Certipy
Active Directory Certificate Services (ADCS) attack tool. Finds misconfigured certificate templates and CA settings (ESC1–ESC8), requests certificates for arbitrary accounts, and authenticates as the impersonated user (a domain admin, if the template allows it) via PKINIT. Devastating when ADCS is present and misconfigured.
CrackMapExec
Swiss army knife for Active Directory environments. Password spraying, credential validation, SMB enumeration, command execution via WMI/WinRM, and secret dumping. The original project is no longer maintained; NetExec (nxc) is its actively maintained fork and keeps the same syntax.
→ Blue: SIEM IRON CHIMNEY
→ Blue: EDR Timeline
CrackMapExec — Ficsit SMB sweep
# Pass-the-Hash across Ficsit subnet using captured admin hash
$ crackmapexec smb 192.168.1.0/24 -u Administrator -H :a823f29b9f43d20a
Responder
Poisoner for LLMNR, NBT-NS, and mDNS — captures NTLM challenge-response hashes from misconfigured Windows hosts. Pair with hashcat for offline cracking or ntlmrelayx for relay attacks without cracking.
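What the SIEM and EDR Timeline links above point at, as an added example that is not from the page or from CrackMapExec: a rule over Windows Security event 4624 that flags the one-source-to-many-hosts NTLM fan-out a Pass-the-Hash sweep like the one in the widget leaves on every target. The event rows, the addresses and the thresholds are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the page: the defender's view of an SMB Pass-the-Hash
# sweep. Each target writes Security event 4624 with Logon Type 3 (network) and
# Authentication Package NTLM; one source address fanning out to many hosts in a
# few minutes is what a SIEM rule keys on. The CSV below is a constructed sample
# of such events as exported from a SIEM, not real log data.
# Columns: epoch,event_id,logon_type,auth_pkg,target_host,source_ip,account

SAMPLE_LOGONS=$(cat <<'EOF'
1700000000,4624,3,NTLM,FS01,192.168.1.77,Administrator
1700000004,4624,3,NTLM,WS10,192.168.1.77,Administrator
1700000009,4624,3,NTLM,WS11,192.168.1.77,Administrator
1700000013,4624,3,NTLM,WS12,192.168.1.77,Administrator
1700000018,4624,3,NTLM,DC01,192.168.1.77,Administrator
1700000020,4624,3,NTLM,WS13,192.168.1.77,Administrator
1700000100,4624,3,Kerberos,FS01,192.168.1.50,jsmith
1700000200,4624,3,NTLM,FS01,192.168.1.51,printsvc
1700000300,4624,2,Negotiate,WS10,-,jsmith
EOF
)

# Print "source|account hosts span_seconds" for every source/account pair that
# logged on with NTLM (Logon Type 3) to at least $1 distinct hosts within a
# $2-second span. The span is measured over the whole input; a production rule
# would apply a sliding window to a streaming feed. Kerberos logons and
# interactive (type 2) logons are ignored so ordinary file-share use is not flagged.
flag_ntlm_fanout() {
  awk -F, -v min_hosts="${1:-5}" -v window="${2:-600}" '
    $2 != 4624 || $3 != 3 || $4 != "NTLM" { next }
    {
      key = $6 "|" $7
      if (!((key, $5) in seen)) { seen[key, $5] = 1; hosts[key]++ }
      if (!(key in first) || $1 < first[key]) first[key] = $1
      if (!(key in last)  || $1 > last[key])  last[key]  = $1
    }
    END {
      for (k in hosts)
        if (hosts[k] >= min_hosts && last[k] - first[k] <= window)
          print k, hosts[k], last[k] - first[k]
    }'
}

printf '%s\n' "$SAMPLE_LOGONS" | flag_ntlm_fanout 5 600
# -> 192.168.1.77|Administrator 6 20
```

The single NTLM logon from 192.168.1.51 and the Kerberos logon from 192.168.1.50 never reach the threshold, so only the sweeping source is reported. Tune the two arguments to the environment: a backup or vulnerability-scanning service account will legitimately fan out, and belongs on an allow list rather than raising the threshold for everyone.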
05
Post-Exploitation
Mimikatz
The credential harvesting standard. Dumps NTLM hashes and plaintext passwords from LSASS memory, SAM, NTDS.dit, and credential manager. Also performs Golden/Silver Ticket attacks and DCSync. Blue: LSASS access triggers most modern EDRs immediately.
WinPEAS
Windows Privilege Escalation Awesome Scripts. Comprehensive enumeration of misconfigurations, writable paths, unquoted service paths, weak registry permissions, scheduled tasks, and more. Run first on any new Windows host.
LinPEAS
Linux Privilege Escalation Awesome Scripts — SUID binaries, sudo misconfigs, world-writable cron jobs, readable sensitive files, kernel exploits, and container escapes. Essential for any Linux post-exploitation phase.
PowerView
PowerShell AD enumeration — Get-DomainUser, Get-DomainComputer, Find-LocalAdminAccess, Get-DomainTrust. Part of PowerSploit (SharpView is the C# port). Maps the domain from inside using only LDAP and SMB, without external tools.
Seatbelt
C# security-oriented host survey — enumerates local users, browser creds, network shares, installed software, AV products, Windows Defender exclusions, GPOs, and environment configuration. Excellent first-run on a new foothold.
06
Password & Hash Cracking
Hashcat
GPU-accelerated password cracker supporting 350+ hash types. Use -m 1000 for NTLM, -m 13100 for Kerberoast (TGS-REP, RC4 etype 23; AES tickets are -m 19600/19700), -m 5600 for NetNTLMv2 (what Responder captures). Pair with rule sets (OneRuleToRuleThemAll) for best results.
John the Ripper
CPU-based password cracker; the community (jumbo) edition adds many hash formats. Its *2john helper scripts (ssh2john, zip2john, keepass2john) make it the easier choice for SSH keys, archives, and password-manager databases. Use --wordlist with --rules for efficient cracking.
Hydra
Online password spraying and brute-force tool. Supports SSH, FTP, HTTP, RDP, SMTP, and many more protocols. For spraying, use a small password list and slow it down (-t 1 for one task per target, -W to wait between attempts) to stay under lockout thresholds; it is not suited to aggressive brute forcing against an AD domain.
07
C2 Frameworks
C2 frameworks require explicit authorization for every engagement. This section is reference-only — documented for understanding attacker tradecraft and for defenders building detections.
Cobalt Strike
Industry-standard commercial C2 used by both red teams and APT groups. Beacon implant with malleable C2 profiles, post-ex modules, lateral movement, pivoting, and team server. ~$5,500/yr — cracked versions are widely used by threat actors.
Sliver
Open-source Cobalt Strike alternative from Bishop Fox. Go-based implant (harder to detect than Meterpreter), mTLS / WireGuard C2 channels, SOCKS5 proxy, process injection. Actively maintained and increasingly used by APTs.
Havoc
Modern open-source C2 framework with a clean UI. Demon implant, sleep obfuscation, PPID spoofing, and token manipulation. Good EDR evasion techniques built in. Popular choice when Cobalt Strike licensing is not available.
Brute Ratel C4
Commercial C2 designed specifically around EDR evasion. Custom payload format, indirect syscalls, and in-memory execution. Leaked version widely abused by ransomware groups. Blue teams should build detections for BRC4 Badger IOCs.