Find secrets with Gitleaks 🔑

Find, verify, and analyze leaked credentials

Fast web fuzzer written in Go

Fast passive subdomain enumeration tool.

Adversary Emulation Framework

The Havoc Framework

syzkaller is an unsupervised coverage-guided kernel fuzzer

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

Modlishka. Reverse Proxy.

Fetch all the URLs that the Wayback Machine knows about for a domain

An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.

A tool to perform Kerberos pre-auth bruteforcing

A tool to abuse Exchange services

Bruteforcing from various scanner output - Automatically attempts default creds on found services.

☁️ ⚡ Granular, Actionable Adversary Emulation for the Cloud

evilginx3 + gophish

Shikata ga nai (仕方がない) encoder ported into go with several improvements

Advanced Honeypot framework.

A wordlist framework to fullfill your kinks with your wordlists. For security researchers, bug bounty and hackers.

A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.

SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion.

Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.

raven is a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin.

Using TLS 1.3 to evade censors, bypass network defenses, and blend in with the noise

An Office365 User Attack Tool

Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

Yet another tool to dump a git repository from a website, focused on as-complete-as-possible dumps and handling weird edge-cases.

Protected Process Dumper Tool

HTTP 403 bypass tool