Pentesting Tools
Personal collection of scripts and pen testing tools
Interesting Links
gtfobins
List of UNIX binaries that can be used to escape low privileged shells. Website can be used to search for interesting binaries and includes code snippets.
LOLBAS
List of Windows-based EXEs and DLLs that can be used to perform certain actions on a Windows system.
PayloadAllTheThings
GitHub repo containing an organised set of payloads. Very useful for finding exploits for an enumerated service.
Pentesting Cheat Sheet
Cheat sheet containing the enumeration basics.
CyberChef
List of 'recipes' used to convert and manipulate text.
Ippsec Rocks
Search tool to look through historic boxes covered by Ippsec.
Reverse Shell Cheat Sheets
List of reverse shell commands for various languages.
HighOnCoffee
Pentest Monkey
Static binaries
List of static binaries that can easily be placed on a target system.
https://github.com/andrew-d/static-binaries/tree/master/binaries
Creating my own python static binaries with pyinstaller:
pyinstaller --onefile <script>.py
Note: any missing imports can be added using --hidden-import. This may be required for some large scripts.
Web-based Tools
Enumeration
Wappalyzer
Browser extension used to discover tech used on a website.
Passwords
Zip Cracker
Attempts to crack zip files protected with weak passwords.
CrackStation
Used to search a huge online record of hashes. Used to quickly crack hashes of weak passwords.
Crypto
Wordpress Password Hasher
Used to create hashes for any provided string. This is useful when write access is available for the database of a Wordpress service.
PEM file decoder
Breaks down a cert file into its key file parts
Stego (More useful in CTFs)
Forensicly
Web image forensics investigation tool.
Sonic Visualiser
Non-web based tool used for viewing and analysing the contents of music audio files.
Hidden Unicode
Used to display non-visible unicode characters
OSINT
Leaked Passwords
Used to search online records for leaked password email combinations. Can exploit common re-use of passwords between accounts.
Phishing
Tool allows easy SMTP header spoofing to impersonate any sender. This is normally filtered out by spam filters but can be used on smaller targets.
Infrastructure
PostBin
Tool that allows easy viewing of all redirected requests. This can be used as the endpoint of an XSS attack to view authentication cookies etc.
Temporary Email
Useful mostly for signing up to services but can be used as a temporary email endpoint.
Temporary SMS
Similar use case to temporary email.
Misc
Online OCR
Used to convert an assortment of documents to an editable text format.
Shodan
Search engine for vulnerable IoT devices.