Stars
A list of useful payloads and bypass for Web Application Security and Pentest/CTF
Automatic SQL injection and database takeover tool
The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the OWA…
Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in Python and C
One place for all the default credentials to assist the Blue/Red teamers identifying devices with default password 🛡️
lgandx / Responder
Forked from SpiderLabs/Responder
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authenticat…
AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.
"Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
An advanced cross-platform tool that automates the process of detecting and exploiting SQL injection security flaws
Tool for Active Directory Certificate Services enumeration and abuse
Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
A Python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.
BloodyAD is an Active Directory Privilege Escalation Framework
GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes. - Do not use for illegal testing ;)
A pentest reporting tool written in Python. Free yourself from Microsoft Word.
Generates millions of keyword-based password mutations in seconds.
TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!
SploitScan is a sophisticated cybersecurity utility designed to provide detailed information on vulnerabilities and associated exploits.
Nuclei Templates Collection
Patch Binaries via MITM: BackdoorFactory + mitmProxy.
Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
smbclient-ng, a fast and user friendly way to interact with SMB shares.
Just another Powerview alternative but on steroids
A script that helps you understand why your E-Mail ended up in Spam
The OWASP OFFAT tool autonomously assesses your API for prevalent vulnerabilities, though full compatibility with OAS v3 is pending. The project remains a work in progress, continuously evolving to…
Search for potential frontable domains