A curated list of awesome cybersecurity tools for both red, blue, and purple team operations.
Contributions are welcome! The goal of this repository is to be an up-to-date source of tools for all facets of cybersecurity. The landscape changes constantly and so do the tools. It's hard keeping track of everything! If you want to add (or remove outdated) tools, feel free to create an issue or a PR.
| OS | Description |
|---|---|
| FlareVM | Windows distribution for malware analysis and incident response. |
| Kali | Open-source, Debian-based Linux distribution geared towards various information security tasks, such as Penetration Testing. |
| Parrot | Parrot Security (ParrotOS, Parrot) is a Free and Open source GNU/Linux distribution based on Debian Stable designed for security experts, developers and privacy aware people. |
| REMnux | Linux toolkit for reverse engineering malware. |
This repository is just a brief (and generalized) list of resources and tools for both sides of cyber: blue and red team operations. As such, this is not meant to be in-depth resources. If you are looking for more specific information and/or tools, this contains a list of resource collections.
| Repository | Description |
|---|---|
| awesome-reversing | A curated list of awesome reversing resources. |
| awesome-hacking | A list of hacking resources and tools: RE, web, forensics, etc. |
| awesome-osint | A curated list of amazingly awesome OSINT. |
| awesome-pentest | A collection of awesome penetration testing resources, tools and other shiny things. |
| awesome-social-engineering | A curated list of awesome social engineering resources. |
| awesome-asset-discovery | List of Awesome Asset Discovery Resources. |
| awesome-incident-response | A curated list of tools for incident response. |
| awesome-red-teaming | List of Awesome Red Teaming Resources. |
| awesome-malware-analysis | A curated list of awesome malware analysis tools and resources. |
| awesome-ida-x64-olly-plugin | A list of plugins for IDA, Ghidra, GDB, OllyDBG, etc. |
| awesome-forensics | A curated list of awesome forensic analysis tools and resources |
| awesome-pcaptools | Tools for PCAP files |
| awesome-windows-post-exploitation | Windows post-exploitation tools, resources, techniques and commands to use during post-exploitation phase of penetration test. |
| Repository | Description |
|---|---|
| Amsi-Bypass-PowerShell | AMSI bypasses (Most are patched, but can be obfuscated to bypass) |
| AMSITrigger | Finds which string(s) trigger AMSI. |
| chameleon | PowerShell Script Obfuscator |
| Invisi-Shell | Used to bypass PowerShell security (logging, AMSI, etc). |
| Invoke-Obfuscation | PowerShell module for obfuscating PowerShell scripts to bypass AV/EDR solutions. |
| ISESteroids | Powerful extension for the built-in ISE PowerShell editor (has obfuscation module) |
| Invoke-Stealth | Simple & Powerful PowerShell Script Obfuscator |
| UPX | PE packer. |
| Unprotect | Contains malware evasion techniques along with PoC. |
| Repository | Description |
|---|---|
| Cloudmare | Cloudflare, Sucuri, Incapsula real IP tracker. |
| crt.sh | Find certificates based on a domain name. Can be used to find subdomains. |
| DorkSearch | Premade Google dork queries. |
| ExifTool | Read (and modify) metadata of files. |
| FaceCheck.ID | Reverse image lookup based on facial-recognition. |
| Hunter | Find company email format and list of employee email addresses. |
| osintframework | An online database of OSINT tools. |
| PimEyes | Reverse image lookup based on facial-recognition. |
| Recon-NG | Reconaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| ScrapeIn | Scrapes LinkedIn to create a list of employee email addresses (for use in Initial Access). |
| SecurityTrails | Extensive DNS information. |
| Shodan | Scans for all digital assets. |
| SpiderFoot | Automatic OSINT analysis. |
| TheHarvester | Collects names, emails, IPs, and subdomains of a target. |
| Repository | Description |
|---|---|
| altdns | Subdomain enumeration using mutated wordlists. |
| AWSBucketDump | Enumerate AWS S3 buckets to find interesting files. |
| burpsuite | An advanced web application testing suite that can be used to get info on how webpages work. |
| CameRadar | Cameradar hacks its way into RTSP videosurveillance cameraa |
| CloudBrute | Enumerates "the cloud" (Google, AWS, DigitalOcean, etc) to find infrastructure, files, and apps for a given target. |
| dirb | Web application directory / file fuzzer to find other pages. |
| DNSDumpster | Online tool for DNS information of a domain. |
| EyeWitness | Screenshots webpages. Supports multi-domain lists and Nmap output. |
| feroxbuster | Like dirb, but written in Rust. |
| gobuster | Like dirb, but written in Go. Also supports DNS busting (such as subdomains). |
| GoWitness | Like EyeWitness, but in Go. |
| Masscan | Like nmap, but faster (thus, not stealthy.) |
| Nikto | Web server scanner to perform security checks on a web server. |
| Nmap | Find running services on a network. |
| Raccoon | All-in-one Reconaissance. Port/service scans, dirbusting, and web application retrieval. |
| Recon-NG | Reconaissance and OSINT framework. Has many modules such as port scanning, subdomain finding, Shodan, etc. |
| Rustscan | A rust network scanner that is faster than Nmap, and sends open ports to Nmap for service/version detection. |
| subfinder | Passive subdomain discovery tool. |
| wappalyzer | Identify what frameworks a website runs |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
| Repository | Description |
|---|---|
| evilginx | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication |
| GoPhish | Phishing campaign framework to compromise user credentials. |
| Social Engineering Toolkit | Social engineering framework. |
| SpoofCheck | Checks if a domain can be spoofed. |
| zphisher | An automated phishing tool with 30+ templates. |
| Repository | Description |
|---|---|
| BreachDirectory | Leaked credential search engine to find passwords based on username, email, etc. |
| Dehashed | Leaked credential search engine to find passwords based on username, email, etc. |
| IntelligenceX | Leaked credential search engine to find passwords based on username, email, domain, etc. |
| LeakCheck | Leaked credential search engine to find passwords based on username, email, domain, etc. |
| Snusbase | Leaked credential search engine to find passwords based on username, email, etc. |
| Repository | Description |
|---|---|
| Arachni | Web Application Security Scanner Framework |
| burpsuite | Full web testing suite, including proxied requests |
| Caido | Like Burp but written in Rust |
| dirb | Web application directory/file fuzzer to find other pages or files worth looking at. |
| dotGit | A Firefox and Chrome extension that shows you if there is an exposed .git directory |
| feroxbuster | Web application directory/file fuzzer to find other pages or files worth looking at. Written in Rust. |
| flask-unsign | Command line tool to fetch, decode, brute-force and craft session cookies of a Flask application |
| gobuster | Web application directory/file fuzzer to find other pages or files worth looking at. Also supports DNS busting (such as subdomains). Written in Go. |
| Nikto | Web server scanner to perform security checks on a web server. |
| nosqlmap | Like sqlmap, but for NoSQL. |
| PayloadsAllTheThings | Useful payloads for a variety of attacks such as SQLi, IDOR, XSS, etc. |
| sqlmap | Performs automated SQL injection tests on GET and POST requests. |
| w3af | Web application attack and audit framework. |
| wappalyzer | Identify what frameworks a website runs |
| wpscan | Automatic WordPress scanner to identify information about a WordPress site and possible vulnerabilities. |
| Repository | Description |
|---|---|
| Aircrack-ng | Aircrack-ng is a complete suite of tools to assess WiFi network security. |
| Kismet | sniffer, WIDS, and wardriving tool for Wi-Fi, Bluetooth, Zigbee, RF, and more |
| Reaver | Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases |
| Wifite | Python script to automate wireless auditing using aircrack-ng tools |
| WifiPhisher | The Rogue Access Point Framework |
| Repository | Description |
|---|---|
| Easysploit | Automatic Metasploit payload generator and shell listener. |
| Impacket | A collection of Python scripts useful for Windows targets: psexec, smbexec, kerberoasting, ticket attacks, etc. |
| Kerbrute | A tool to perform Kerberos pre-auth bruteforcing |
| Medusa | Bruteforcer with multiple protocol support. |
| Metasploit | Exploit framework that can be used for intial access and/or post-exploitation. |
| Searchsploit | Search ExploitDB for exploits. Useful if you identify a service version. |
| TeamFiltration | Cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts |
| THC-Hydra | Bruteforcer with multiple protocol support. |
| TREVORspray | Advanced password spraying tool for Active Directory environments. |
C2 frameworks can be considered both initial access and post-exploitation, as they generate payloads to be used in phishing campaigns (initial access) and will provide access to the host machine when ran (post exploitation).
| Repository | Description |
|---|---|
| Cobalt Strike | Most robust and advanced C2 framework (also paid). |
| Pupy | Python and C C2 framework. |
| Sliver | Go C2 framework. |
| Villain | Python and Powershell C2 framework. |
| Repository | Description |
|---|---|
| BeRoot | Automated Windows, Linux, and Mac privilege escalation path discovery tool. |
| BloodHound | Active Directory visualizer, useful for finding misconfigurations and/or shortest path to Domain Admin. |
| CrackmapExec | Post-exploitation tool that helps automate assessing the security of large Active Directory networks |
| GTFOBins | Unix binaries that can be used to bypass local security restrictions in misconfigured systems. |
| Impacket | A collection of Python scripts useful for Windows targets: psexec, smbexec, kerberoasting, ticket attacks, etc. |
| Invoke-PrivescCheck | Automated Windows privilege escalation path discovery tool. |
| LOLBAS | Microsoft-signed binaries to perform APT or red-team functions (ie: dumping process memory). |
| Metasploit | Exploit framework that can be used for intial access and/or post-exploitation. |
| Mimikatz | Mimikatz is both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit. |
| nishang | Offensive PowerShell for red team, penetration testing and offensive security. |
| PEASS-ng | Automated Windows, Linux, and Mac privilege escalation path discovery tool. |
| PowerHub | Post-exploitation module for bypassing endpoint protection and running arbitrary files. |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privelege escalation, etc. |
| PowerUp | Automated Windows privilege escalation path discovery tool. |
| Searchsploit | Search ExploitDB for exploits. Useful if you identify a service version. |
| SharpHound | Data ingestor for BloodHound. |
| smbclient | Allows connection to the SMB protocol. |
| smbmap | Enumerates SMB shares. |
| Repository | Description |
|---|---|
| DNSExfiltrator | Data exfiltration over DNS request covert channel |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privelege escalation, etc. |
| Repository | Description |
|---|---|
| certsync | Dump NTDS with golden certificates and UnPAC the hash |
| Dumpert | LSASS memory dumper using direct system calls and API unhooking. |
| Mimikatz | Mimikatz is both an exploit on Microsoft Windows that extracts passwords stored in memory and software that performs that exploit. |
| nishang | Offensive PowerShell for red team, penetration testing and offensive security. |
| PowerSploit | A PowerShell post-exploitation framework with many modules: exfiltration, privelege escalation, etc. |
| Repository | Description |
|---|---|
| CeWL | Scrape a website to generate a wordlist |
| crunch | Generate wordlists based on requirements such as minimum and maximum length, character sets, etc. |
| Cupp | Utilize OSINT to create password candidates for a specific person |
| hashcat | Password cracking tool with multiple different supported formats |
| JohnTheRipper | Password cracking tool (slower than Hashcat) but supports more formats with the Jumbo version |
| Mentalist | A GUI for wordlisst generation |
| Repository | Description |
|---|---|
| Angle-Grinder | Slice and dice logs on the command line |
| Autopsy | Investigate disk images |
| Chainsaw | Rapidly Search and Hunt through Windows Forensic Artefacts |
| FTK Imager | Investigate disk images |
| Magika | Detect file content types with deep learning |
| Velociraptor | Velociraptor is a tool for collecting host based state information using The Velociraptor Query Language (VQL) queries. |
| Volatility | An advanced memory forensics framework |
| Wireshark | Network traffic packet analyzer |
| ZimmermanTools | Eric Zimmerman's toolset for Windows forensics. EVTX, registry, ShellBags, ShimCache, and more. |
| Repository | Description |
|---|---|
| cfxc-deobf | ConfuserEx unpacker. |
| de4dot-cex | ConfuserEx unpacker. |
| de4dot | .NET deobfuscator and unpacker. |
| FLOSS | Automatically extract obfuscated strings from malware. |
| NoFuserEx | ConfuserEx unpacker. |
| Packer-specific Unpackers | List of unpackers for specific packers. |
| PSDecode | PowerShell deobfuscator. |
| UnconfuserExTools | ConfuserEx deobfuscation toolkit (old). |
| Repository | Description |
|---|---|
| awesome-ida-x64-olly-plugin | A list of plugins for IDA, Ghidra, GDB, OllyDBG, etc. |
| Cerberus | A Python tool to unstrip Rust/Go binaries on Linux |
| cutter | Disassembler and decompiler for multiple executable formats, based on Rizin. |
| Detect-It-Easy | Detect file type and packer used. |
| dnSpy | .NET debugger and editor. |
| dotPeak | .NET Decompiler and assembly browser |
| FLOSS | Automatically extract obfuscated strings from malware. |
| GDB | Debugging tool for C, C++, Go, Rust, and more. |
| GEF | GDB addon with advanced features -- GDB Enhanced Features. |
| ghidra | Disassembler and decompiler for multiple executable formats. |
| hexedit | View file hexadecimal. |
| JADX | decompilation tool that can decompile JAR, APK, DEX, AAR, AAB, ZIP files |
| IDA | Disassembler and decompiler for multiple executable formats. |
| PEiD | detects most common packers, cryptors and compilers for PE files. |
| rizin | CLI disassembler. |
| XPEViewer | PE file viewer (headers, libraries, strings, etc). |
| Repository | Description |
|---|---|
| Cuckoo | Automated dynamic malware analysis. |
| Wireshark | View incoming and outgoing network connections. |
| Repository | Description |
|---|---|
| BLUESPAWN | An Active Defense and EDR software to empower Blue Teams |
| CISBenchmarks | Benchmark for security configuration best practices |
| HardeningKitty | HardeningKitty and Windows Hardening settings and configurations |
| Linux Hardening | Linux Hardening |
| SteamRoller | Automating basic security configurations across an Active Directory environment |
Coming soon?