A list of useful payloads and bypass for Web Application Security and Pentest/CTF

Automatic SQL injection and database takeover tool

The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

🕵️‍♂️ Offensive Google framework.

Most advanced XSS scanner.

Web path scanner

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C

A swiss army knife for pentesting networks

🐸 Identify anything. pyWhat easily lets you identify emails, IP addresses, and more. Feed it a .pcap file or some text and it'll tell you what it is! 🧙‍♀️

One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authenticat…

AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services.

Scanning APK file for URIs, endpoints & secrets.

A cross-platform python based utility to download courses from udemy for personal offline use.

A curated list of bugbounty writeups (Bug type wise) , inspired from https://github.com/ngalongc/bug-bounty-reference

Multi-vendor library to simplify Paramiko SSH connections to network devices

SSH server & client security auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)

Patch PE, ELF, Mach-O binaries with shellcode new version in development, available only to sponsors

Automatic SSRF fuzzer and exploitation tool

Mimikatz implementation in pure Python

Tool for Active Directory Certificate Services enumeration and abuse

A PowerDNS web interface with advanced features

All In One Web Recon

Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor

Stealing Signatures and Making One Invalid Signature at a Time

This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.

Gives you one-liners that aids in penetration testing operations, privilege escalation and more

Run PowerShell command without invoking powershell.exe

BloodyAD is an Active Directory Privilege Escalation Framework