A list of useful payloads and bypass for Web Application Security and Pentest/CTF

🔒 Consolidating and extending hosts files from several well-curated sources. Optionally pick extensions for porn, social media, and other categories.

Impacket is a collection of Python classes for working with network protocols.

Most advanced XSS scanner.

The Rogue Access Point Framework

Daemon to ban hosts that cause multiple authentication errors

Web path scanner

Exploitation Framework for Embedded Devices

CTF framework and exploit development library

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the contr…

A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C

Count the number of people around you 👨‍👨‍👦 by monitoring wifi signals 📡

📂 🐇 🎩 See what a program does before deciding whether you really want it to happen (NO LONGER MAINTAINED)

🐍 A toolkit for testing, tweaking and cracking JSON Web Tokens

WAFW00F allows one to identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Cowrie SSH/Telnet Honeypot https://cowrie.readthedocs.io

Automated All-in-One OS Command Injection Exploitation Tool.

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authenticat…

Veil 3.1.X (Check version info in Veil at runtime)

Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique present…

Patch PE, ELF, Mach-O binaries with shellcode new version in development, available only to sponsors

Inject code and spy on wifi users

Automated Security Testing For REST API's

DEPRECATED - MozDef: Mozilla Enterprise Defense Platform

A very simple way to find out which SSL ciphersuites are supported by a target.

Veil Evasion is no longer supported, use Veil 3.0!

DNS Exfiltration tool for stealthily sending files over DNS requests.

A tool for automating cracking methodologies through Hashcat from the TrustedSec team.