A list of useful payloads and bypass for Web Application Security and Pentest/CTF

ALL IN ONE Hacking Tool For Hackers

Automatic SQL injection and database takeover tool

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.

Impacket is a collection of Python classes for working with network protocols.

Prowler is the world’s most widely used open-source cloud security platform that automates security and compliance across any cloud environment.

📱 objection - runtime mobile exploration

PEDA - Python Exploit Development Assistance for GDB

The FLARE team's open-source tool to identify capabilities in executable files.

Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug b…

The Network Execution Tool

This tool lets you search your gadgets on your binaries to facilitate your ROP exploitation. ROPgadget supports ELF, PE and Mach-O format on x86, x64, ARM, ARM64, PowerPC, SPARC, MIPS, RISC-V 64, a…

Arsenal is just a quick inventory and launcher for hacking programs

Tool for Active Directory Certificate Services enumeration and abuse

Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

Mimikatz implementation in pure Python

A collection of Azure AD/Entra tools for offensive and defensive security purposes

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

A Python based ingestor for BloodHound

MS17-010

Extract credentials from lsass remotely

A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.

BloodyAD is an Active Directory Privilege Escalation Framework

SMBMap is a handy SMB enumeration tool

Kerberos relaying and unconstrained delegation abuse toolkit

Active Directory information dumper via LDAP

A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)

PoC for Zerologon - all research credits go to Tom Tervoort of Secura