Hacking Tools Arsenal

170 curated offensive security tools across 19 categories — the complete inventory, with links, descriptions, and cross-references to Shadow Protocol chapters.

Quick Navigation

🛡 Anonymity & Hiding Tools

// First law of operations: don't get caught on the approach. Route traffic through Tor, rotate identities, and leave no log chain back to your home IP. Attribution is a defensive superpower. Take it away.

Related Shadow Protocol chapters: Attack Infrastructure · Data Flow & Attribution · Anti-Forensics

Tool	What it does
Anonsurf	Forces all system traffic through Tor via iptables, with DNS leak protection. One-shot anonymity wrapper for Kali/Debian.
Multitor	Runs multiple Tor instances concurrently with HAProxy load-balancing, so you rotate across many circuits instead of one.

🔍 Information Gathering Tools

// Before you touch them, you learn them. Subdomains, employees, tech stack, exposed API keys in their GitHub. By the time you click Send on the first payload, you know their infrastructure better than their own ops team.

Related Shadow Protocol chapters: OSINT & Recon · Social Engineering

Tool	What it does
Nmap	The canonical network scanner. Host discovery, port scanning, version detection, NSE scripting. If you only learn one recon tool, learn this.
Dracnmap	Menu-driven wrapper around nmap that chains common scan profiles. Training wheels for nmap muscle memory.
Xerosploit	MITM framework for LAN attacks — ARP spoofing, sslstrip, traffic injection, driftnet. Lab-only.
RED HAWK	All-in-one PHP recon toolkit — WHOIS, DNS, subdomain scan, reverse IP lookup, CMS fingerprinting.
ReconSpider	OSINT aggregator spanning IPs, domains, emails, phone numbers, and username enumeration across services.
Infoga	Email information gathering — harvests emails for a domain and correlates with breaches and leaks.
ReconDog	Quick-hit recon — CMS detection, honeypot check, port scans, reverse IP. Fast first look.
Striker	Offensive recon tool — IP/DNS, subdomains, port scan, WAF detection, banner grabbing, SQLi surface scan.
SecretFinder	Finds API keys, tokens, and secrets hidden in JavaScript files. Burp extension and standalone.
Shodanfy	Shodan query wrapper — enrich IPs with open ports, banners, and known CVEs from Shodan's data.
rang3r	Multithreaded port scanner with color-coded output. Lightweight nmap alternative.
Breacher	Admin login panel finder — scans a domain for exposed admin/login/dashboard URLs.
theHarvester ★	Email, subdomain, and employee harvester that queries search engines, PGP, LinkedIn, Shodan, and dozens of OSINT sources.
Amass ★	OWASP's subdomain enumeration and attack-surface mapping tool. Passive + active, supports DNS, cert transparency, scraping, brute force.
Masscan ★	Internet-scale port scanner — can scan the entire IPv4 space in under 6 minutes with a fast link.
RustScan ★	Modern fast port scanner written in Rust — hands discovered ports to nmap for service detection. Best of both worlds.
Holehe ★	Checks if an email is registered on 100+ sites (Instagram, Twitter, Imgur, etc.) without sending password resets.
Maigret ★	Username enumeration across 3000+ sites. A Sherlock on steroids — also extracts profile data where available.
httpx ★	Fast HTTP toolkit for probing — status codes, titles, tech stack, CDN detection. Core of ProjectDiscovery's recon pipeline.
SpiderFoot ★	Automated OSINT platform — runs 200+ modules against a target to gather every reachable breadcrumb. Has a web UI.
Subfinder ★	Passive subdomain enumeration using 30+ sources (cert transparency, DNS APIs, search engines). Fast and quiet.
TruffleHog ★	Scans git history, S3 buckets, Docker images, and filesystems for leaked credentials with 800+ detectors.
Gitleaks ★	Finds hardcoded secrets in git repos. Pre-commit hook, CI integration, and historical scanning.

📚 Wordlist Generator

// A password list is only as good as your target model. Generic rockyou gets you the lazy users. A wordlist built from your target's public Facebook gets you the CEO.

Related Shadow Protocol chapters: Credential Access · Password Attacks

Tool	What it does
Cupp	Common User Password Profiler — builds a targeted wordlist from personal details (name, DOB, pet, spouse) via interactive prompts.
WordlistCreator	Simple wordlist builder — character sets, length ranges, and mutation rules.
Goblin WordGenerator	Generates permutations of input words with leet-speak and numeric suffix mutations.
Password list (1.4B)	Bundled 1.4-billion-password breach compilation — the "SecLists meets Collection #1" starter corpus.
Hashcat ★	World's fastest GPU-accelerated hash cracker. 300+ hash types, rule-based attacks, mask attacks, distributed cracking.
John the Ripper ★	CPU-focused password cracker with aggressive rule mutations. Still the best for weird hash formats hashcat doesn't do.
haiti ★	Hash type identifier — tells you what algorithm produced a given hash so you know which cracker mode to use.

📶 Wireless Attack Tools

// WiFi is physics. Physics doesn't care about your firewall. Put an antenna in the right place and the corporate network is just another SSID in a list.

Related Shadow Protocol chapters: Wireless & Network

Tool	What it does
WiFi-Pumpkin	Rogue AP framework — creates a fake access point and captures credentials, runs MITM modules, DNS spoofing.
pixiewps	Offline brute-force of WPS PINs using the Pixie Dust attack on weak router entropy.
Bluetooth Honeypot (bluepot)	Bluetooth honeypot for capturing malicious Bluetooth connections and analyzing attacker behavior.
Fluxion	Evil twin WiFi attack with captive portal — deauths clients, they reconnect to your rogue AP, you phish their WPA key.
Wifiphisher	Rogue-AP phishing framework with templated captive portals (router firmware update, OAuth, corporate WiFi).
Wifite	Automated wireless auditor — picks attack mode per target (WEP/WPA/WPS), runs it, saves the captured handshake.
EvilTwin	Scripted evil-twin access-point setup — DHCP, DNS, captive portal out of the box.
Fastssh	Multi-threaded SSH brute-forcer over WiFi reachable hosts.
Airgeddon ★	Multi-use bash framework — WPA/WPA2, Evil Twin, WPS, PMKID, WEP, handshake capture, DoS. One script to rule all WiFi attacks.
hcxdumptool ★	Modern WiFi capture — PMKID and handshake extraction without client deauth. Faster and quieter than aircrack.
hcxtools ★	Conversion suite — turns hcxdumptool pcapng files into hashcat-ready .22000 format. Pairs with hcxdumptool.
Bettercap ★	Swiss-army knife for WiFi, BLE, HID, and wired network attacks. MITM, sniffing, spoofing, scripting — all modern protocols.

🧩 SQL Injection Tools

// SQL injection is the bug that refuses to die. 25 years old and still paying rent for half the bug bounty hunters on HackerOne.

Related Shadow Protocol chapters: Web App Attacks

Tool	What it does
sqlmap	The king. Automated SQLi detection and exploitation across MySQL, Postgres, MSSQL, Oracle, SQLite and more. Dumps DBs, executes OS commands.
NoSqlMap	sqlmap for NoSQL — MongoDB, CouchDB injection auditor and auto-exploitation framework.
DSSS	Damn Small SQLi Scanner — ~100-line sqlmap alternative for when you need something portable and embeddable.
Explo	YAML-based web security scanner — define exploit flows as steps, replay against targets.
Blisqy	Time-based blind SQLi through HTTP headers — the attack surface people forget to sanitize.
Leviathan	Mass audit toolkit — service discovery, brute-force, and SQLi scanning across IP ranges.
SQLScan	Quick Google-dork-driven SQLi scanner — finds vulnerable endpoints in bulk for verification.

🎣 Phishing Attack Tools

// The reason phishing still works: humans are predictable. A convincing login page + urgency + a domain that's one character off = credentials. Every. Single. Time.

Related Shadow Protocol chapters: Social Engineering · Payloads

Tool	What it does
Autophisher	Automated phishing toolkit with templated login pages and Ngrok tunneling.
PyPhisher	80+ templated phishing pages with built-in tunneling. Low-effort credential capture for lab demonstrations.
AdvPhishing	Phishing kit that can bypass OTP by forwarding captured codes in real time.
SET (Social-Engineer Toolkit)	TrustedSec's flagship. Spear phishing, website cloning, payload delivery, SMS/email spoofing. Industry standard for SE engagements.
SocialFish	Phishing education tool with Django UI — clones login pages and logs submitted credentials to a dashboard.
HiddenEye	Modern phishing toolkit with keylogger, location tracking, and 40+ page templates.
Evilginx3	Reverse-proxy phishing framework — steals session cookies instead of passwords, defeats most MFA. The real-world adversary's tool.
I-See-You	Geolocation grabber via shared link — target clicks, browser requests location permission.
SayCheese	Grabs webcam snapshots via malicious link using browser camera API.
QR Code Jacking	Generates malicious QR codes that point to phishing pages or exploit URLs.
BlackEye	Phishing toolkit with 30+ templated login pages. Tunnels via Serveo/Ngrok.
ShellPhish	Phishing tool covering 18 social media platforms with pre-built clones.
Thanos	All-in-one phishing and info grabber with multiple attack modes.
QRLJacking	OWASP framework — hijacks login sessions that use QR code authentication (WhatsApp Web, Discord, etc.).
Maskphish	Masks phishing URLs to look like legitimate domains (e.g., https://google.com@evil.link).
BlackPhish	BlackEye fork with modernized templates and tunneling fixes.
dnstwist	Finds lookalike domains (typosquat, homograph, bitsquat) for a given target — defensive and offensive use.

🌐 Web Attack Tools

// The web is the attack surface most likely to get you in. Every company has a web app. Every web app has a bug somewhere. These tools find it before the bad guys do — or first.

Related Shadow Protocol chapters: Web App Attacks · API Security

Tool	What it does
Web2Attack	Web vulnerability auditor — brute force, SQLi, LFI, RCE checks against a target URL.
Sublist3r	Classic subdomain enumeration via search engines — predecessor to Amass/Subfinder. Still handy.
CheckURL	Phishing URL detector — checks if a URL exists in known malicious databases.
Sub-Domain TakeOver	Identifies subdomains pointing to dangling services (S3, Heroku, GitHub Pages) that you can claim.
Dirb	Classic directory brute-forcer — predecessor to dirsearch/gobuster. Still useful for simple scans.
Nuclei ★	Template-driven vulnerability scanner — 8,000+ community templates for CVEs, misconfigs, and exposures. The modern go-to.
ffuf ★	Fast Go-based fuzzer — directory brute-forcing, parameter discovery, virtual host enumeration. Elegant and insanely fast.
Feroxbuster ★	Rust-based recursive content discovery tool. Faster than dirb, deeper recursion than gobuster.
Nikto ★	Web server scanner — checks for 7,000+ known vulns, outdated software, dangerous files, and config issues.
wafw00f ★	Identifies which WAF is protecting a target (Cloudflare, Akamai, AWS WAF, F5, etc.) so you know what to bypass.
Katana ★	Next-gen web crawler — supports headless browser mode to crawl SPAs, extracts endpoints, params, subdomains.
Gobuster ★	Directory, vhost, DNS and S3 brute-forcer in Go. Clean CLI, multi-threaded, reliable.
Dirsearch ★	Python-based directory brute-forcer with smart wildcard detection and flexible output.
OWASP ZAP ★	Free Burp Suite alternative — intercepting proxy, active scanner, fuzzer, spider. OWASP-maintained.
testssl.sh ★	Checks TLS/SSL configuration — supported ciphers, protocol versions, CVEs (Heartbleed, POODLE, etc.), cert chain.
Arjun ★	HTTP parameter discovery — finds hidden query/POST parameters that aren't documented, often leading to IDOR/SQLi.
Caido ★	Modern web pentesting IDE — Burp-alike with cleaner UI, project-based workflow, TypeScript scripting.
mitmproxy ★	Interactive MITM proxy for HTTP/HTTPS/HTTP2/WebSocket. Scriptable in Python. Perfect for mobile and API traffic inspection.

🔧 Post-Exploitation Tools

// First you get in. Then the real work starts. Enumerate, escalate, pivot, persist, loot. The difference between a shell and a breach is what you do in the 30 minutes after the first beacon.

Related Shadow Protocol chapters: Execution · Persistence · Privilege Escalation · Lateral Movement

Tool	What it does
Vegile	Post-exploitation persistence wrapper — hides processes, survives reboots, makes meterpreter stickier.
Chrome Keylogger	Malicious Chrome extension that logs keystrokes across all pages. Educational concept.
pwncat-cs ★	Upgraded netcat with automatic Linux privilege escalation, persistence mechanisms, and post-exploit modules.
Sliver ★	BishopFox's open-source C2 — cross-platform implants, mTLS/WireGuard/HTTP transports. The modern Cobalt Strike alternative.
Havoc ★	Modern C2 framework with sleek GUI — modular, evasion-focused, actively developed for red team use.
PEASS-ng (LinPEAS/WinPEAS) ★	The post-exploit enumeration scripts everyone runs first. Finds privesc paths, creds, misconfigs across Linux/Windows/macOS.
Ligolo-ng ★	Advanced tunneling/pivoting tool — turns a compromised host into a TUN interface for full-network access.
Chisel ★	Fast TCP/UDP tunnel over HTTP with SSH-style reverse port forwarding. Small binary, great for constrained networks.
Evil-WinRM ★	Windows remote management shell with built-in file upload, AMSI bypass, PowerShell loading. Essential AD tool.
Mythic ★	Multi-agent C2 framework with Docker-based payloads, web UI, and operator-friendly workflow.

🕵 Forensic Tools

// Forensics is offensive and defensive at once. Blue team finds the breach; red team studies what they'll find to avoid leaving it. Memory analysis, file carving, timeline reconstruction — the science of looking at rubble and describing the building.

Related Shadow Protocol chapters: Forensics & IR · Anti-Forensics

Tool	What it does
Bulk Extractor	Scans disk images for emails, URLs, credit cards, exif data, and other artifacts without parsing the filesystem.
Guymager	Forensic disk imager — creates E01/AFF/dd images with MD5/SHA1/SHA256 hashing. Courtroom-defensible acquisition.
Toolsley	Web-based forensic utility suite — hash checks, binary ID, strings, entropy, password strength tests.
Volatility 3 ★	The memory forensics standard — extract processes, network connections, registry, malware from RAM dumps.
Binwalk ★	Firmware analysis — identifies and extracts embedded files, filesystems, and signatures from binary blobs.
pspy ★	Watches Linux processes without root — reveals cron jobs, scheduled tasks, and other users' command arguments.

📦 Payload Creation Tools

// The delivery vehicle matters as much as the exploit. A perfect reverse shell inside a macro that AV blocks in 200ms is a blocked reverse shell. Craft, obfuscate, test against defenders.

Related Shadow Protocol chapters: Payloads · Advanced Techniques

Tool	What it does
TheFatRat	Generates undetected payloads — binds to legitimate EXEs/APKs with AV-bypass wrappers. Aging but still referenced.
Brutal	Teensy/Arduino HID payload generator — keystroke injection attacks via USB.
Stitch	Python-based cross-platform RAT builder — Windows/Linux/macOS payloads with modular features.
MSFvenom Payload Creator	Interactive wrapper around msfvenom that drops you to a payload with zero argument-Googling.
Venom	Shellcode generator/compiler supporting multiple targets and encoders for AV evasion experiments.
Spycam	Android payload that captures webcam photos silently — lab concept for mobile spyware analysis.
Mob-Droid	Android meterpreter payload generator — wraps msfvenom for APK delivery.
Enigma	Multi-platform payload generator with encoder options for teaching AV evasion.

🧰 Exploit Frameworks

// Metasploit is the elephant in the room — and it's handled in the main chapters. These are the specialists: embedded devices, web-framework-focused, command injection corner cases.

Related Shadow Protocol chapters: Initial Access · IoT & Embedded

Tool	What it does
RouterSploit	Metasploit for embedded devices — routers, cameras, and IoT with a module library of known vendor exploits.
WebSploit	MITM, wifi, and web attack framework with modular Metasploit-style interface.
Commix	Automated command-injection exploitation — detects and weaponizes RCE via injection in a variety of contexts.
Web2Attack	All-in-one web vulnerability scanner with brute force, SQLi, LFI, RCE modules.

🔁 Reverse Engineering Tools

// Malware analysis, mobile app teardown, firmware unpacking. When static analysis isn't enough, you open the binary and read its soul.

Related Shadow Protocol chapters: Mobile Attacks · Advanced Techniques

Tool	What it does
Androguard	Python library for Android APK analysis — static analysis of manifest, bytecode, and resources.
Apk2Gold	CLI APK decompiler wrapping apktool/jadx for quick source extraction.
JADX	Dex-to-Java decompiler with a GUI. The standard first-look tool for any APK.
Ghidra ★	NSA's open-source SRE suite — disassembler, decompiler, scripting. The free IDA Pro alternative that rivals the paid tool.
Radare2 ★	Command-line reverse engineering framework — disassembly, debugging, binary patching, scripting. Steep learning curve, huge power.

⚡ DDoS Attack Tools

// DDoS is loud, illegal against anything you don't own, and a guaranteed trip through 18 USC §1030. These tools exist for lab stress-testing and understanding attack patterns for defense.

Related Shadow Protocol chapters: Web App Attacks

Tool	What it does
DDoS Script	Educational multi-vector DDoS script bundle — HTTP, TCP, UDP stress generators.
SlowLoris	Low-bandwidth HTTP DoS — holds many incomplete connections open, exhausts server threads.
Asyncrone	SYN flood DDoS tool — async TCP handshake flooding.
UFOnet	Open-source DDoS research tool leveraging Open Redirect vulnerabilities as reflection/amplification points.
GoldenEye	HTTP/HTTPS Layer-7 DoS — keep-alive abuse and cache-bypass request floods.

🖥 Remote Administration Tools (RAT)

// Remote administration = post-exploitation with a GUI. Useful for authorized red-team engagement, deeply illegal otherwise.

Related Shadow Protocol chapters: C2 Setup · Beaconing

Tool	What it does
Pyshell	Multiplatform Python-based reverse shell with file transfer, keylogger, and webcam modules.

💥 XSS Attack Tools

// XSS is the web's eternal vulnerability. One reflection point, one stored script, and you're riding the victim's session.

Related Shadow Protocol chapters: Web App Attacks · Browser Security

Tool	What it does
DalFox	Fast Go-based XSS scanner with smart payload mutation, DOM-based detection, and pipeline integration.
XSS Payload Generator	Bulk generator of XSS payloads across contexts — HTML, attribute, JS, URL, SVG.
Extended XSS Searcher	Crawl-and-test XSS scanner using extended payload lists and response reflection checks.
XSS-Freak	Python-based XSS scanner that deeply crawls and tests all inputs.
XSpear	Ruby XSS scanner with static + dynamic analysis, reporting, and custom-payload support.
XSSCon	Simple Python-based crawler + XSS scanner with multi-thread support.
XanXSS	Reflected-XSS tool built on top of dork searching for vulnerable endpoints.
XSStrike	Advanced XSS detection — context-aware payload generation, fuzzer, crawler, WAF detection.
RVuln	Multi-bug web vulnerability scanner with XSS modules.

🖼 Steganography Tools

// Hide data in data. A payload in an image. A C2 channel in comments. Defenders look for weird; stego is mundane that isn't.

Related Shadow Protocol chapters: Exfiltration

Tool	What it does
StegoCracker	Hides and extracts data in images/audio and brute-forces stego passwords.
Whitespace (snow)	Hides data in trailing whitespace of text files — invisible to the eye, trivially readable with the key.

🏢 Active Directory Tools

// Enterprise networks = Active Directory. AD pentesting isn't a feature — it's the core of every internal assessment. These tools are the career-makers.

Related Shadow Protocol chapters: Active Directory · Credential Access

Tool	What it does
BloodHound ★	Graph-based AD attack path analysis — ingests LDAP + SMB data, shows exactly which principal can reach Domain Admin and how.
NetExec (nxc) ★	Successor to CrackMapExec — network pentest Swiss-army knife for AD: SMB, LDAP, MSSQL, WinRM, RDP with 100+ modules.
Impacket ★	Python suite of protocol libraries (SMB, Kerberos, MSRPC, DCERPC) with ready-made attack scripts: secretsdump, psexec, wmiexec, GetNPUsers.
Responder ★	LLMNR/NBT-NS/mDNS poisoner — captures NTLMv2 hashes from Windows hosts. First move in every internal engagement.
Certipy ★	Active Directory Certificate Services (AD CS) attack tool — enumerates and exploits ESC1-ESC11 misconfigurations.
Kerbrute ★	Kerberos pre-auth username enumeration and password spray without triggering Windows lockout events.

☁ Cloud Security Tools

// Cloud is someone else's computer — with your configuration mistakes on it. These tools find the public S3 buckets, the overprivileged IAM roles, the exposed secrets in container images.

Related Shadow Protocol chapters: Cloud Attacks · Containers & K8s

Tool	What it does
Prowler ★	Multi-cloud security auditor — AWS, Azure, GCP, Kubernetes. Hundreds of checks aligned to CIS, HIPAA, PCI, GDPR benchmarks.
ScoutSuite ★	NCC Group's multi-cloud security posture assessor. Generates HTML reports of every misconfiguration across your tenant.
Pacu ★	Open-source AWS exploitation framework by Rhino Security — offensive modules for privesc, persistence, data exfil across AWS services.
Trivy ★	Container/IaC/filesystem scanner — finds CVEs, misconfigs, secrets, and license issues. De facto standard in CI pipelines.

📱 Mobile Security Tools

// Mobile apps ship with the keys to the cloud API. Decompile, hook, instrument — the app's secrets become yours.

Related Shadow Protocol chapters: Mobile Attacks

Tool	What it does
MobSF ★	Mobile Security Framework — automated static + dynamic analysis of Android, iOS, and Windows Mobile apps. Web UI.
Frida ★	Dynamic instrumentation toolkit — inject JavaScript into any process to hook functions, modify behavior at runtime. Android/iOS/desktop.
Objection ★	Mobile runtime exploration built on Frida — bypass SSL pinning, jailbreak/root detection, explore iOS/Android app internals without custom scripts.

✨ Other Tools

// Miscellaneous specialists. Each solves a specific problem the big frameworks don't.

Social Media Brute Force

All-in-One SocialMedia Attack	Brute-force module set targeting Instagram, Facebook, Twitter, Gmail, Hotmail, Netflix, PayPal login APIs.
Facebook Attack	Facebook-specific brute-force module from the Brute_Force toolkit.
Application Checker	Reconnaissance tool for identifying exposed mobile and web applications on a target.

Android Hacking

Related: Mobile Attacks

Keydroid	Android keylogger payload — captures keystrokes in a rooted test device.
MySMS	SMS sending/spoofing tool for lab scenarios.
Lockphish	Phishes lock screen PINs/patterns via malicious URL opened on Android.
DroidCam / WishFish	Android front-camera snapshot grabber via malicious link.
EvilApp	Android session-hijacking APK — works as a proxy for target's browser sessions.

IDN Homograph Attack

EvilURL

Generates Unicode-lookalike domains (Cyrillic vs Latin characters) for homograph phishing research.

Email Verification

Knockmail

Verifies whether an email address exists on a given SMTP server without sending an email.

Hash Cracking

Related: Password Attacks · Cryptographic Attacks

Hash Buster

Queries online rainbow-table services (MD5, SHA1, etc.) to crack common hashes without local compute.

WiFi Deauthentication

WifiJammer-NG	Continuous deauth of all clients within range — denial-of-service for WiFi.
KawaiiDeauther	Menu-driven WiFi deauth/jamming script.

Social Media Finder

Related: OSINT & Recon

Find SocialMedia By Facial Recognition	Trend Micro's social-mapper — correlates a face across Facebook, LinkedIn, Instagram, Twitter profile photos.
Find SocialMedia By UserName	Username enumerator across major social platforms.
Sherlock	The benchmark username-enumeration tool — queries 400+ sites for a given handle.
SocialScan	Checks email/username availability across 200+ sites by querying registration APIs (not just URL guessing).

Payload Injector

Debinject	Injects malicious code into legitimate .deb packages for Linux payload delivery research.
Pixload	Embeds payloads in image files (JPG/PNG/GIF/BMP) for polyglot-file research.

Web Crawling

Gospider

Fast Go-based web crawler — extracts URLs, JS file refs, form parameters, subdomains.

Mix Tools

Crivo

Multi-purpose security utility — hash tools, encoders, basic scanning functions in one bundle.

The Standard Toolkit

If you're starting fresh and need a minimum viable kit, this is the short list — the ★ starred tools plus a few non-negotiables most pros install on day one: