Hacker Tools

Here’s a list of hacking and CTF related tools that I have found over the years.

CTF Challenges & Walkthroughs

    • sixstars’ CTF writeups – Has CTF walkthroughs dating back to 2015 and includes nullctf, codegate, insomnihack, etc.
    • carpedm20’s awesome-hacking repo – A curated list of awesome Hacking tutorials, tools and resources.
    • Tenable’s RouterOS Bug Hunting Materials – The tools in this repository were originally presented at Derbycon 2018. The tools were written to aid in (or were the result of) bug hunting in RouterOS.
    • apsdehal’s awesome-ctf – A curated list of CTF frameworks, libraries, resources and softwares.
    • AD-Attack-Defense – Informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise Active Directory.
    • CTF Writeups – This has multiple repos in it that include CTF walkthroughs from 2012 through 2018 as well as some other CTF resources.
    • Gexos’s Hacking Tools Repository – A list of security/hacking tools that have been collected from the internet.
    • lojikil’s bsideschs-ctf – Scripts to run the CryptoCTF from BSides Charleston.
    • The Dark Knights CTF Writeups – picoCTF 2018 and GLUG CTF 2018 walkthroughs.
    • w181496’s Web CTF Cheatsheet – Web CTF Cheatsheet.
    • GreHack’s Official CTF Repo – All the challenges that were at GreHack CTF 2015 through 2018.
    • TUCTF Tools – Tools used for various CTFs.
    • OWASP’s Cheat Sheets – The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.
    • Corelan Team Tutorials – Corelan Team is a group of IT Security researchers/enthusiasts/professionals/hobbyists who share the same interests, mainly focused on 3 things: Research, Education and Fun. They have a lot of articles about red teaming, blue teaming and general hacking.
    • Crackmes – A simple place where you can download crackmes to improve your reverse engineering skills. If you want to submit a crackme or a solution to one of them, you must register.
    • shell-storm – The personal blog of Jonathan Salwan (Quarkslab), which contains links to CTF write-ups, reverse engineering tips, and other useful information.
    • exploit.education – Provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues. It has a series of intentionally vulnerable VMs that each contain multiple challenges. It supports a range of skill levels, from someone new to reverse engineering up through expert.
    • Order of the Overflow (OOO) GitHub – OOO is the group that has hosted the CTF held at DEF CON since 2018. They have all their old challenges posted here, mostly for the qualifiers but there are some of the actual challenges that are from the main CTF held in Las Vegas during DEF CON.

Exploitation/Post-Exploitation

    • Rapid7’s Metasploit Framework – The de-facto standard in exploitation frameworks.
    • Rapid7’s Metasploit Vulnerable Services Emulator – Currently it supports over 100 emulated vulnerable services.
    • Mimikatz – It’s now well known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.
    • Veil – Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.
    • Armitage – A graphical wrapper around the Metasploit Framework.
    • pupy – Pupy is an open source, cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool mainly written in Python.
    • AutoSploit – A wrapper around Metasploit where the targets are fed in using OSINT sources. Targets can be collected automatically through Shodan, Censys or Zoomeye.
    • Empire – Empire is a PowerShell and Python post-exploitation agent.
    • DeathStar – DeathStar is a Python script that uses Empire’s RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techniques.
    • PowerSploit – A PowerShell Post-Exploitation Framework.
    • SharpUp – A C# port of the PowerUp PowerShell script from PowerSploit which will scan the host for misconfigurations in order to elevate privileges.
    • SILENTTRINITY – A post-exploitation agent powered by Python, IronPython, C# and .NET’s Dynamic Language Runtime (DLR).
    • OffensiveDLR – Toolbox containing research notes & PoC code for weaponizing .NET’s Dynamic Language Runtime (DLR).
    • EggShell – iOS/macOS/Linux Remote Administration Tool (RAT).
    • SharpSploit – SharpSploit is a .NET post-exploitation library written in C#.
    • Paul Clark’s RF Exfil Stack – An RF stack for building exfiltration systems.
    • Covenant – Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
    • Windows Exploit Suggester: Next Generation – WES-NG is a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.
    • Seatbelt – a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
    • FuzzySecurity’s PowerShell-Suite – A collection of pentesting related PowerShell scripts.
    • PowerOPS – PowerShell Runspace Portable Post Exploitation Tool aimed at making Penetration Testing with PowerShell “easier”.
    • GTFOBins – Curated list of Unix binaries that can be exploited to bypass system security restrictions.
    • Living Off The Land Binaries And Scripts – A collection of scripts for using tools that are either a part of the operating system or are commonly installed and evade many antivirus programs.
    • freevulnsearch – Free and open NMAP NSE script to query vulnerabilities via the cve-search.org API.
    • Penetration Testing Framework – Made by TrustedSec, the Penetration Testers Framework (PTF) provides modular support for installing and keeping up-to-date tools.
    • chenerlich’s Fileless Command Lines – Known command lines of fileless malicious executions.
    • Donut – Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
    • Microsoft RSAT – Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server from a computer that is running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
    • BloodHound – BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
    • pwndrop – Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. https://breakdev.org/pwndrop

Network Recon & Exploitation

    • BruteShark – BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes password extraction, building a network map, reconstructing TCP sessions, extracting hashes of encrypted passwords and even converting them to a Hashcat format in order to perform an offline brute force attack.
    • nmap – The de-facto standard in network and vulnerability scanners.
    • Wireshark – The de-facto standard in packet analysis. It has the ability to filter on the collection of network packets, the ability to filter out packets once they are captured, has a variety of built in parsers, etc.
    • Bettercap – The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.
    • Xerosploit – A penetration testing toolkit whose goal is to perform man in the middle attacks for testing purposes. It brings various modules that allow efficient attacks to be carried out, and also allows denial of service attacks and port scanning. Powered by bettercap and nmap.
    • Responder – Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication (check out this article on how to disable it).
    • ADRecon – ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
    • NTLM Scanner – Checks for various NTLM vulnerabilities over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to the applied NTLM vulnerability and you can execute the relevant NTLM attack.
    • SMBGhost [Scanner] – Simple scanner for CVE-2020-0796 – SMBv3 RCE. The scanner is meant only for testing whether a server is vulnerable. It is not meant for research or development, hence the fixed payload. It checks for SMB dialect 3.1.1 and compression capability through a negotiate request.
    • DNS Rebind Toolkit – A front-end JavaScript toolkit for creating DNS rebinding attacks.
    • WhoNow – A “malicious” DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53).
    • PcapXray – A Network Forensics Tool – To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction.
    • AutoNSE – Massive NSE (Nmap Scripting Engine) AutoSploit and AutoScanner.
    • ShareSearch – SMB and NFS shares spider and grepper.
    • termshark – A terminal UI for tshark, inspired by Wireshark.
    • Invoke-SocksProxy – Socks proxy server using Microsoft PowerShell.
    • Real Intelligence Threat Analytics – Made by Active Countermeasures, RITA is an open source framework for network traffic analysis.
    • shellz – A small utility to track and control your ssh, telnet, web and custom shells and tunnels.
    • thc-ipv6 – IPv6 attack toolkit.
    • mitm6 – A pentesting tool that exploits the default configuration of Windows to take over the default DNS server via a malicious DHCP6 response.
    • ipv666 – Golang IPv6 address enumeration.

Wi-Fi and RF Recon and Exploitation

    • Aircrack-ng – Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security: monitoring (packet capture and export of data to text files for further processing by third party tools), attacking (replay attacks, deauthentication, fake access points and others via packet injection), testing (checking WiFi cards and driver capabilities for capture and injection), and cracking (WEP and WPA PSK, WPA 1 and 2).
    • Universal Radio Hacker – Investigate wireless protocols like a boss.
    • Paul Clark’s RF and SDR GitHub Projects – Paul Clark is the foremost RF cyber security expert and has multiple software defined radio and other RF projects.
    • Pineapple AR150 – Turn a $30 GL.iNet GL-AR150 into a $100 Hak5 WiFi Pineapple!
    • GNURadio – GNU Radio is a free & open-source software development toolkit that provides signal processing blocks to implement software radios. It can be used with readily-available low-cost external RF hardware to create software-defined radios, or without hardware in a simulation-like environment. It is widely used in research, industry, academia, government, and hobbyist environments to support both wireless communications research and real-world radio systems.
    • RTL-SDR – A great resource for RF hacking. It includes links to download SDR software, tutorials, articles, and other software defined radios.
    • RFCrack – RFCrack is an RF test bench developed for testing RF communications with any physical device that communicates over sub-GHz frequencies: IoT devices, cars, alarm systems, etc.
    • RfCat – The goals of the project are to reduce the time for security researchers to create needed tools for analyzing unknown targets, to aid in reverse-engineering of hardware, and to satiate my RF lust. Only compatible with Python 2.7 currently.
    • MouseJack – MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.
    • ooktools – ooktools aims to help with the reverse engineering of on-off keying data sources such as wave files or raw frames captured using RfCat.

Implants & Backdoors

    • Cobalt Strike – Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training. This is a commercial tool.
    • WheresMyImplant – A Bring Your Own Land Toolkit that Doubles as a WMI Provider.
    • Throwback – HTTP/S Beaconing Implant.

Reverse Engineering, Exploit Dev & Fuzzing

    • IDA Pro – The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and commercial-off-the-shelf validation. This is a commercial product with a large price tag.
    • Hex-Rays Decompiler – The Hex-Rays Decompiler brings binary software analysis within reach of millions of programmers. It converts native processor code into a readable C-like pseudocode text. This is a commercial product with a large price tag.
    • Binary Ninja – An IDA Pro clone done by Vector 35. It is a cheaper alternative to the crazy expensive IDA Pro. This is a commercial product.
    • Ghidra – NSA’s recently open sourced version of an IDA Pro clone.
    • volatility – An advanced memory forensics framework.
    • Radare2 – unix-like reverse engineering framework and commandline tools.
    • Pwntools – Pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible. The most recent version supports Python 3.
    • Zeratool – Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems.
    • Binary Ninja community plugins – Repository for community provided Binary Ninja plugins.
    • BinNavi – BinNavi is a binary analysis IDE that allows you to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.
    • angrgdb – Use angr inside GNU DeBugger (GDB). Create an angr state from the current debugger state.
    • pwndbg – Exploit Development and Reverse Engineering with GNU DeBugger (GDB) Made Easy.
    • GDB Enhanced Features (GEF) – GNU DeBugger (GDB) Enhanced Features for exploit devs & reversers.
    • Python Exploit Development Assistance (PEDA) – A GNU DeBugger (GDB) plugin that assists with exploit development.
    • Rocket-Shot – Uses angr to concolically analyze basic blocks in a given program, running from the start of the block to the end, looking for interactions with a file descriptor.
    • Rubeus – Rubeus is a C# toolset for raw Kerberos interaction and abuses.
    • Flare VM – A VM by FireEye that is a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
    • PinCTF – Using Intel’s PIN tool to solve CTF problems.
    • Virtuailor – IDAPython tool for creating automatic C++ virtual tables in IDA Pro.
    • DetectionLab – Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
    • Cuckoo Sandbox – Cuckoo Sandbox is an automated dynamic malware analysis system.
    • MemProcFS – The Memory Process File System for Windows.
    • American Fuzzy Lop for Windows – Google Project Zero’s fork of AFL for fuzzing Windows binaries.
    • American Fuzzy Lop (AFL) Training – Exercises to learn how to fuzz with American Fuzzy Lop.
    • Grimm’s Killerbeez – A distributed fuzzer which aims to pull in the best technologies, make them play nicely together, and run on multiple O/Ses. It’s built on top of American Fuzzy Lop (AFL), debuggers and other instrumentation.
    • Boofuzz – Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fixes, boofuzz aims for extensibility. The goal: fuzz everything. This is available as a Python package and can be installed using pip.
    • Sulley – A pure-python fully automated and unattended fuzzing framework.
    • secfigo’s Awesome Fuzzing – A curated list of fuzzing resources (books, courses – free and paid, videos, tools, tutorials and vulnerable applications to practice on) for learning fuzzing and the initial phases of exploit development like root cause analysis.
    • shellphish’s Driller – American Fuzzy Lop (AFL) with symbolic execution!
    • shellphish’s how2heap – A repository for learning various heap exploitation techniques.
    • Lain – A fuzzer made by Microsoft and is written in Rust.
    • ClusterFuzz – A fuzzer made by Google. ClusterFuzz is a scalable fuzzing infrastructure that finds security and stability issues in software.
    • PEpper – An open source tool to perform malware static analysis on Windows Portable Executables. It currently performs the following functions: Suspicious entropy ratio, Suspicious name ratio, Suspicious code size, Suspicious debugging time-stamp, Number of export, Number of anti-debugging calls, Number of virtual-machine detection calls, Number of suspicious API calls, Number of suspicious strings, Number of YARA rules matches, Number of URL found, Number of IP found, Cookie on the stack (GS) support, Control Flow Guard (CFG) support, Data Execution Prevention (DEP) support, Address Space Layout Randomization (ASLR) support, Structured Exception Handling (SEH) support, Thread Local Storage (TLS) support, Presence of manifest, Presence of version, Presence of digital certificate, Packer detection, VirusTotal database detection and Importing a DLL using a hash.

Password Cracking & OSINT

    • hashcat – World’s fastest and most advanced password recovery utility. This uses GPU and CPU resources to crack password hashes. It supports pretty much every hash type used.
    • hashtopolis – A hashcat wrapper for distributed password hash cracking.
    • NotSoSecure’s OneRuleToRuleThemAll Hashcat Rule – Ultimate password cracking hashcat rule made by NotSoSecure.
    • pwnedOrNot – OSINT Tool to Find Passwords for Compromised Email Addresses.
    • domainhunter – Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names.
    • DyMerge – A dynamic dictionary merger for successful dictionary based attacks.
    • OWASP Amass – The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.
    • hashcobra – This tool uses a new method to crack hashes. Using the rainbow table concept, it generates rainbow tables from wordlists to heavily optimize the cracking process.

Mobile Hacking

IoT & Embedded Systems Recon and Exploitation

    • Binwalk – The de facto firmware extraction tool for embedded systems and IoT devices. Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
    • routersploit – Exploitation Framework for Embedded Devices.
    • Firmware Mod Kit – This kit is a collection of scripts and utilities to extract and rebuild Linux-based firmware images. This is written by Google.
    • PlatformIO – An open source ecosystem for IoT development Cross-platform IDE and unified debugger. Remote unit testing and firmware updates.
    • Rapid7’s IoTSeeker – This scanner will scan a network for specific types of IoT devices to detect if they are using the default, factory set credentials.
    • PlatformIO – An advanced IDE for working with embedded devices. This includes the ability to debug over serial, code completion and support for over 700 embedded boards.
    • Arduino IDE – A cross-platform open-source physical computing platform based on a simple I/O board and a development environment that implements the Processing/Wiring language. Arduino can be used to develop stand-alone interactive objects or can be connected to software on your computer (e.g. Flash, Processing and MaxMSP). The boards can be assembled by hand or purchased preassembled.
    • HomePwn – A framework that provides features to audit and pentest devices that company employees can use in their day-to-day work and inside the same working environment. It is designed to find devices in the home or office and take advantage of certain vulnerabilities to read or send data to those devices. With a strong library of modules you can use this tool to load new features and use them on a vast variety of devices.

Web Recon & Exploitation

    • Burp Suite Community Edition – The de-facto standard in intercepting proxies. This is a cross-platform tool that works on Linux, macOS and Windows.
    • snoopysecurity’s awesome-burp-extensions – A curated list of amazingly awesome Burp Suite Extensions.
    • zaproxy – The OWASP ZAP core project. This is an open source competitor to Burp Suite and is also an intercepting proxy. This is a cross-platform tool that works on Linux, macOS and Windows.
    • sqlmap – Automatic SQL injection and database takeover tool. This is a cross-platform tool that works on Linux, macOS and Windows.
    • SocialFish – Ultimate phishing tool. Socialize with the credentials.
    • evilginx2 – Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
    • CredKing – Made by Black Hills Infosec this tool does password spraying using AWS Lambda for IP rotation.
    • Konan – Advanced Web Application Dir Scanner.
    • stretcher – Tool designed to help identify open Amazon Elasticsearch servers that are exposing sensitive information.
    • Web Application Scan – An open source web application security scanner.
    • GadgetProbe – A Burp Suite plug-in that enumerates Java remote classpaths. GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what’s lurking in the remote classpath.
    • Default HTTP Login Hunter – A tool capable of checking more than 380 different web interfaces for default credentials. It is based on the NNdefaccts alternate fingerprint dataset maintained by nnposter.

Offensive OS Distros

    • Kali Linux – The de facto standard Linux distro for pentesters and red teamers. It is the most advanced penetration testing platform we have ever made. Available in 32 bit, 64 bit, and ARM flavors, as well as a number of specialized builds for many popular hardware platforms. Kali can always be updated to the newest version without the need for a new download.
    • Samurai WTF – A VM containing the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
    • Parrot OS – Professional tools for security testing, software development and privacy defense, all in one place.
    • Commando VM – a fully customizable, Windows-based security distribution for penetration testing and red teaming made by FireEye.
    • DragonOS – DragonOS LTS is an out-of-the-box Lubuntu 18.04 based x86_64 operating system for anyone interested in software defined radios. All source-installed software is located in the /usr/src directory while the remaining software was installed by package managers. This is a brief summary of the software included; while not complete, it covers the bigger named packages and some of the drivers installed for the various supported SDRs such as the HackRF One, RTL-SDR, and LimeSDR. This distro includes the following SDR related tools: Universal Radio Hacker, GNU Radio, Aircrack-ng, GQRX, Kalibrate-hackrf, Wireshark, gr-gsm, rtl-sdr, HackRF, IMSI-catcher, Zenmap, inspectrum, qspectrumanalyzer, LTE-Cell-Scanner, CubicSDR, Limesuite, ShinySDR, SDRAngel, SDRTrunk, Kismet, BladeRF.
    • Gorizont-rtlsdr – This distribution contains only RTL2832U chipset family rtl_sdr drivers and modules, and concentrates on providing terrestrial HF/VHF/UHF signal processing and portable DAB+ reception with the cheapest and most available equipment. No other devices are supported. This distribution is intended for experimentation and legal listening purposes only. NOTE: No TETRA or similar trunked system decoders are included in this distribution for legal reasons.