A list of useful payloads and bypass for Web Application Security and Pentest/CTF

The Big List of Naughty Strings is a list of strings which have a high probability of causing issues when used as user-input data.

Portable file server with accelerated resumable uploads, dedup, WebDAV, FTP, TFTP, zeroconf, media indexer, thumbnails++ all in one file, no deps

Tornado is a Python web framework and asynchronous networking library, originally developed at FriendFeed.

Typer, build great CLIs. Easy to code. Based on Python type hints.

A cd command that learns - easily navigate directories from the command line

Web path scanner

eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

Embrace the APIs of the future. Hug aims to make developing APIs as simple as possible, but no simpler.

Web application fuzzer

Hasklig - a code font with monospaced ligatures

my_first_calculator.py

Mythril is a symbolic-execution-based securty analysis tool for EVM bytecode. It detects security vulnerabilities in smart contracts built for Ethereum and other EVM-compatible blockchains.

Fancy reverse and bind shell handler

Fully featured and community-driven hacking environment

A tool to dump a git repository from a website

Programming Fonts with Ligatures added (& a script to add them to other fonts)

Uncover the true IP address of websites safeguarded by Cloudflare & Others

Scripts to replace the distribution behind Windows Subsystem for Linux with any other Linux distribution published on Docker Hub.

A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed for security professionals and CTF players.

Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

Username enumeration and password spraying tool aimed at Microsoft O365.

Advanced Active Directory network topology analyzer with SMB validation, multiple authentication methods (password/NTLM/Kerberos), and comprehensive network discovery. Export results as BloodHound‑…

A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols.

Maximizing BloodHound. Max is a good boy.

Utility to download and extract document metadata from an organization. This technique can be used to identify: domains, usernames, software/version numbers and naming conventions.

Python flexible slugify function

Good For OSCP Training

A tool to query for the existence of pre-windows 2000 computer objects.