Recon • Subdomain Discovery
Subfinder
Passive subdomain enumeration—fast & reliable.
Amass
OWASP network-mapping powerhouse with graph DB output.
httpx
Probe live hosts; returns status, title, TLS, JARM & more.
Cariddi
All-in-one crawler for parameters, secrets & JS endpoints.
Photon
Lightning-fast crawler with exportable wordlists.
Sublist3r
Old-school Python subdomain enumerator—still handy offline.
Port • Service Scanning
Nmap
The Swiss Army knife—scripts, OS detection, NSE galore.
Masscan
10M pps SYN blitz for Internet-wide surveys.
Naabu
Go-based port scanner with favicon hashing & TLS probe.
ecscan
Elastic Container Scan—cloud port sweeps via AWS APIs.
zgrab2
Banner grabber for 80/443 masscan outputs (TLS, SSH, SMTP).
hakrevdns
Reverse-DNS at scale—turn IP lists into hostnames.
Vulnerability Scanning • Fuzzing
Nuclei
Template-driven vuln scanner—6K+ community checks.
OWASP ZAP
Automatic active/passive web fuzzer, API & HUD modes.
Burp Suite Pro
Gold-standard proxy with Turbo Intruder & Collaborator.
OSS-Fuzz
Continuous coverage fuzzing for open-source C/C++.
Katana
Programmable web crawler with JS parsing & headless mode.
Gobuster
Directory & DNS brute-forcer—wordlist-powered.
Web-Attack Suite
XSStrike
XSS detection with intelligent payload generator.
Corsy
Scan for misconfigured CORS headers at scale.
crlfuzz
CRLF injection & Log4Shell payload helper.
Interact-sh
Burp-like collaborator for OOB hits—self-host or cloud.
ffuf
Blazing directory & key-value fuzzer (<1k req/s).
jwt_tool
Check signing flaws, brute secrets, automate none-alg.
Password • Hash Cracking
hashcat
GPU-accelerated cracking—250+ hash modes.
John the Ripper
The classic CPU cracker—jumbo version supports DPAPI.
feroxbuster
Recursion-aware HTTP dir brute—wordlist/regex filters.
HoboRules
RockYou on steroids—password-mutation rules for hashcat.
BruteShark
Network credential extractor from PCAP & live capture.
Responder
LLMNR/NBNS poisoner—harvest SMB/NTLMv2 hashes.
Post-Exploitation • C2 Frameworks
Metasploit 6
2k+ exploits, 1-click payload generation.
Empire (Python3)
Agent-based PowerShell & Python C2 for Windows/Linux.
FLOSS
Automatically extract & deobfuscate malware strings.
Covenant
.NET core C2 with Web UI & collaborative ops.
CrackMapExec
Swiss-army tool for AD lateral movement & loot.
Sliver
Go-based cross-platform implant w/ mTLS.
OSINT • Threat Intel
SpiderFoot
Automated OSINT with 200+ modules.
h8mail
Find leaked creds via HaveIBeenPwned & Dehashed.
theHarvester
Collect emails, subdomains, IPs from public sources.
Maltego CE
Link-analysis graphing for OSINT relationships.
Aquatone
Take screenshots of web hosts & generate reports.
DNSTwist
Detect look-alike phishing domains fast.
Wireless • RF Exploration
Aircrack-ng
WEP/WPA handshake capture & crack suite.
Bettercap
Versatile MITM + BLE & 2.4 GHz sniffer.
Rogue WiFi AP (Fluxion)
Evil-twin & captive-portal credential harvester.
HackRF Tools
Transmit/receive 1 MHz–6 GHz SDR experiments.
PoisonTap
Raspberry Pi Zero Ethernet emulation to siphon web creds.
airodump-ng-oui
Fresh OUI DB for vendor detection in captures.
Cloud • Container Security
kube-hunter
Discover K8s misconfigs from inside or outside cluster.
Trivy
Vuln & IaC scanner for containers, SBOM, Git repos.
Pacu
Modular AWS exploitation framework.
ScoutSuite
Multi-cloud auditing & reporting.
kubectl-who-can
Identify RBAC that permits an action in cluster.
Checkov
IaC static analysis: Terraform, CloudFormation, K8s.