A comprehensive, curated collection of over 350 Red Team tools, techniques, and resources, aggregated and expanded from top GitHub repos like A-poc/RedTeam-Tools, infosecn1nja/Red-Teaming-Toolkit, yeyintminthuhtut/Awesome-Red-Teaming, and more. All hyperlinks direct to reputable sources (mostly GitHub). Each entry has a short description, and the tools are categorized by MITRE ATT&CK tactic for easy navigation.

- Reconnaissance
- Resource Development
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
- Command & Control
- Exfiltration
- Impact

| Tool | Description |
|---|---|
| SpiderFoot | OSINT automation tool integrating 100+ data sources. |
| reconFTW | Automates full recon: subdomains, vulns, info gathering. |
| RustScan | Ultra-fast port scanner with Nmap integration. |
| Amass | Attack surface mapping & asset discovery. |
| nuclei | Fast vuln scanner using YAML templates. |
| gobuster | Brute force directories/files on web servers. |
| feroxbuster | Fast content discovery (forced browsing). |
| dnsrecon | DNS enumeration (MX, SOA, NS, etc.). |
| S3Scanner | Scans for open S3 buckets & dumps contents. |
| cloud_enum | Multi-cloud OSINT for AWS/Azure/GCP. |
| Recon-ng | Web-based recon framework. |
| subzy | Subdomain takeover checker. |
| certSniff | Watches CT logs for keywords. |
| Gowitness | Screenshot web interfaces with report viewer. |
| Metabigor | OSINT without API keys. |
| Gitrob | Finds sensitive files in GitHub repos. |
| TruffleHog | Scans git for secrets/high-entropy strings. |
| gitleaks | Detects secrets in git repos. |
| BBOT | Recursive internet scanner. |
| dnscan | Wordlist-based DNS subdomain scanner. |
| AORT | Subdomains, DNS, WAF, WHOIS, ports. |
| spoofcheck | Checks domain spoofing via SPF/DMARC. |
| WitnessMe | Web inventory with screenshots. |
| buster | Advanced email reconnaissance tool. |
| linkedin2username | Generates username lists from LinkedIn companies. |
| pagodo | Automates Google Hacking Database scraping. |
| AttackSurfaceMapper | Automates reconnaissance process. |
| LinkedInt | LinkedIn recon tool. |
| Gato | Enumerates and attacks GitHub pipelines. |
| Aquatone | Visual inspection of websites across ports. |
| Subfinder | Fast passive subdomain enumeration. |
| Assetfinder | Finds domains and subdomains from sources. |
| Shodan | Searches for internet-connected devices. |
| Censys | Discovers internet assets via search engine. |
| Masscan | Fast TCP port scanner. |
| ZMap | Internet-wide network scanner. |
| Nmap | Network discovery and security auditing. |
| Fierce | DNS reconnaissance tool. |
| Dnsenum | Enumerates DNS information. |
| Knock | Subdomain scan tool. |
| Sublist3r | Fast subdomain enumeration. |
| Crt.sh | Certificate transparency search. |
| Censys-python | Python wrapper for Censys APIs. |
| TheHarvester | OSINT for emails and subdomains. |
| Maltego | Link analysis for OSINT. |
| ReconDog | Reconnaissance Swiss Army Knife. |
| Photon | Incredibly fast crawler for OSINT. |
| Raccoon | Offensive security recon tool. |
| Git-dumper | Dumps Git repositories. |
| GitGraber | Monitors GitHub for secrets. |
| Shhgit | Finds secrets in GitHub code. |
| Git-all-secrets | Scans for secrets in repos. |
| Git-secrets | Prevents committing secrets. |
| Dorks-collections-list | Google dorks collections. |
| Osintgram | Instagram OSINT tool. |
| Sherlock | Hunts usernames across sites. |
| Sn0int | Semi-automatic OSINT framework. |
| OSINT Framework | OSINT tools collection. |
| IntelOwl | OSINT analyzer. |
| Harpoon | CLI for OSINT. |
| Datasploit | OSINT framework. |
| ReconSpider | Advanced OSINT framework. |

(Reconnaissance: 60+ tools)

| Tool | Description |
|---|---|
| Msfvenom | Creates obfuscated payloads for AV bypass. |
| Shellter | Dynamic shellcode injector for PE files. |
| Donut | In-memory execution of EXE/DLL/.NET. |
| PEzor | Open-source PE packer. |
| GadgetToJScript | Generates .NET gadgets for JS/VBS. |
| Ivy | VBA macro payload framework. |
| macro_pack | Obfuscates Office docs/VBS for pentests. |
| xlsGen | Embeds macros in Excel BIFF8. |
| EvilClippy | Creates malicious Office docs. |
| OfficePurge | Purges VBA P-code from Office docs. |
| remoteinjector | Injects remote Word template into doc. |
| Chimera | PowerShell obfuscation for AV bypass. |
| Freeze | Bypasses EDRs with suspended processes. |
| WordSteal | Captures NTLM hashes via remote image in Word. |
| NTInternals | Undocumented Windows internals info. |
| Kernel Callback Functions | Lists Windows kernel callback APIs. |
| OffensiveVBA | Offensive VBA techniques and scripts. |
| WSH | Windows Script Host for payloads. |
| HTA | HTML Application for payloads. |
| VBA | Visual Basic for Applications macros. |
| Mystikal | macOS initial access payload generator. |
| charlotte | Undetected C++ shellcode launcher. |
| InvisibilityCloak | Obfuscation for C# post-exploitation tools. |
| Dendrobate | Hooks unmanaged code via .NET. |
| darkarmour | Windows AV evasion toolkit. |
| InlineWhispers | Direct syscalls in Cobalt Strike BOFs. |
| SharpSploit | .NET post-exploitation library. |
| MSBuildAPICaller | Executes MSBuild without exe. |
| inceptor | Template-driven AV/EDR evasion framework. |
| mortar | Evasion for AV/EDR/XDR. |
| ProtectMyTooling | Multi-packer for red team weaponry. |
| Shhhloader | Shellcode loader bypassing AV/EDR. |
| DllShimmer | Weaponizes DLL hijacking. |
| Veil | Metasploit payload obfuscator. |
| Shellcode Reflective DLL Injection | Reflective DLL injection technique. |
| Nimcrypt | Shellcode loader in Nim. |
| OffensiveNim | Offensive security with Nim. |
| NimlineWhispers | Syscalls in Nim. |
| Cranium | C2 framework in Nim. |
| OffensiveRust | Offensive security with Rust. |
| OffensiveGo | Offensive security with Go. |
| OffensiveDLR | Offensive Dynamic Language Runtime. |

(Resource Development: 40+ tools)

| Tool | Description |
|---|---|
| Evilginx2 | MITM for phishing credentials/cookies. |
| Gophish | Open-source phishing toolkit. |
| Modlishka | Reverse proxy for advanced phishing. |
| SprayingToolkit | Password spraying for OWA/O365/Lync. |
| o365recon | Enumerates O365 with valid creds. |
| Ruler | Exploits Exchange MAPI/RPC for RCE. |
| BeEF | Browser exploitation framework. |
| CredMaster | Password spraying with IP rotation. |
| TREVORspray | Modular password sprayer with proxies. |
| EvilQR | QR code phishing for account takeover. |
| CUPP | Creates personalized wordlists for brute force. |
| Bash Bunny | USB attack tool for payloads. |
| evilgophish | Combines Evilginx2 and Gophish. |
| SET | Social engineering toolkit for phishing. |
| hydra | Parallelized login cracker. |
| SquarePhish | Phishing via OAuth and QR codes. |
| King Phisher | Phishing campaign toolkit. |
| o365-attack-toolkit | Attacks Office365 environments. |
| PwnAuth | Framework for OAuth abuse campaigns. |
| Phishery | Basic auth credential harvester. |
| ReelPhish | Real-time 2FA phishing tool. |
| Phishing Frenzy | Phishing campaign manager. |
| GoPhish | Open-source phishing framework. |
| CredSniper | Modular phishing framework. |
| FiercePhish | Full-fledged phishing framework. |
| Lure | Lures for phishing campaigns. |
| PhishingKitHunter | Detects phishing kits. |
| BlackPhish | Super lightweight phishing server. |

(Initial Access: 30+ tools)

| Tool | Description |
|---|---|
| PowerLessShell | Executes PS via MSBuild.exe. |
| SharpShooter | Retrieves/executes C# payloads. |
| InlineWhispers | Direct syscalls in Cobalt Strike BOFs. |
| MSBuildAPICaller | MSBuild without exe. |
| Responder | LLMNR/NBT-NS/MDNS poisoner. |
| secretsdump | Dumps secrets from SAM/NTDS. |
| Evil-WinRM | WinRM shell for hacking/pentesting. |
| donut | In-memory execution of scripts/EXEs. |
| PowerSploit | Post-exploitation framework. |
| Rubeus | Kerberos abuse toolkit. |
| Empire | Post-exploitation agent. |
| Covenant | .NET C2 framework. |
| Sliver | Implant framework. |
| Nimplant | Lightweight Nim implant. |
| Havoc | Modern C2 framework. |
| Brute Ratel | Customizable C2 framework. |
| Merlin | Cross-platform post-exploitation HTTP/2 C2. |
| PoshC2 | Proxy-aware C2 framework in PowerShell. |
| Mythic | Collaborative multi-platform C2. |
| Koadic | COM C2 framework. |
| SilentTrinity | Post-exploitation agent in Python. |
| Apfell | macOS JavaScript for red teaming. |
| Faction | C2 framework. |
| SHARP-KATZ | .NET port of Mimikatz. |

(Execution: 25+ tools)

| Tool | Description |
|---|---|
| SharPersist | Windows persistence toolkit. |
| SharpStay | .NET persistence tool. |
| Empire Persistence | Persistence modules in Empire. |
| Backdoor Factory | Patches executables with shellcode. |
| Regsvr32 | DLL registration for persistence. |
| Bitsadmin | BITS for scheduled tasks. |
| Schtasks | Schedules tasks for persistence. |
| Startup Folder | Adds to user startup. |
| Registry Run Keys | Run keys for auto-start. |
| AnyDesk | Remote desktop for persistence. |
| TeamViewer | Remote access tool. |
| LogMeIn | Remote access software. |
| Golden Ticket | Kerberos persistence. |
| Silver Ticket | Service ticket forgery. |
| Skeleton Key | Implants key in DC. |
| DSRM Persistence | Directory Services Restore Mode. |
| ACL Persistence | Abuses ACLs for backdoors. |
| Security Support Provider | Custom SSP for persistence. |
| SID History Injection | Injects SID for access. |

(Persistence: 20+ tools)

| Tool | Description |
|---|---|
| WinPEAS | Windows/Linux privesc enum. |
| Sherlock | Windows privesc checker. |
| Linux Exploit Suggester | Suggests Linux kernel exploits. |
| PowerUp | Windows privesc via PowerSploit. |
| JAWS | Just Another Windows Script for privesc. |
| PrivescCheck | Windows privesc checker in PS. |
| Windows Exploit Suggester | Suggests Windows exploits. |
| wesng | Windows Exploit Suggester Next Gen. |
| Seatbelt | Situational awareness tool. |
| BeRoot | Privesc tool for Windows/Linux. |
| SharpUp | .NET port of PowerUp. |
| PEASS-ng | Privilege Escalation Awesome Scripts Suite. |
| LinPEAS | Linux privesc checker. |
| unix-privesc-check | Unix privesc auditor. |
| LinEnum | Linux enumeration & privesc. |
| LES | Linux Exploit Suggester. |
| SUID3NUM | SUID binaries enumerator. |
| GTFOBins | Unix binaries for privesc. |
| LOLBAS | Living Off The Land Binaries. |
| Windows-Privesc-Check | Windows privesc auditor. |
| AccessChk | Checks access permissions. |
| PowerSploit Privesc | PowerShell privesc modules. |
| Juicy Potato | Abuses SeImpersonatePrivilege. |
| RogueWinRM | WinRM backdoor exploit. |
| PrintSpoofer | Abuses SeImpersonate on Win10. |
| GodPotato | Local privesc tool. |
| BadPotato | Windows privesc via named pipes. |

(Privilege Escalation: 25+ tools)

| Tool | Description |
|---|---|
| Invoke-Obfuscation | PowerShell obfuscator. |
| Veil | Generates undetectable payloads. |
| SharpBlock | EDR bypass via entry point prevention. |
| Alcatraz | x64 binary obfuscator. |
| Mangle | Manipulates compiled executables. |
| AMSI.fail | Generates AMSI bypass snippets. |
| ScareCrow | Payload framework for EDR bypass. |
| moonwalk | Clears traces on Unix systems. |
| Invoke-Phant0m | Kills event logging threads. |
| DefenderCheck | Identifies Defender detections. |
| Invisi-Shell | Hides PowerShell from AMSI. |
| PSObfuscation | Obfuscates PowerShell scripts. |
| Chimera | PowerShell obfuscation script. |
| Nimcrypt | PE/Shellcode crypter in Nim. |
| ConfuserEx | .NET obfuscator. |
| Obscure | Obfuscates strings in binaries. |
| Gargoyle | Memory scanner evasion. |
| AVET | Anti-Virus Evasion Tool. |
| UniByAv | Universal bypass AV tool. |
| Shellter | Dynamic PE injector. |
| Donut | Shellcode generator for in-memory exec. |
| PeCloak | PE file obfuscator. |
| Themida | Advanced software protector. |
| VMProtect | Virtual machine-based protector. |
| Hyperion | Runtime PE crypter. |
| BackdoorMan | Python backdoor evasion. |
| Ebowla | Genetic malware obfuscator. |

(Defense Evasion: 25+ tools)

| Tool | Description |
|---|---|
| Mimikatz | Extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. |
| LaZagne | Retrieves stored passwords from software. |
| Hashcat | Advanced password recovery utility. |
| John the Ripper | Fast password cracker. |
| SCOMDecrypt | Decrypts SCOM RunAs credentials. |
| nanodump | Dumps LSASS minidump. |
| eviltree | Searches files for keywords/regex. |
| SeeYouCM-Thief | Extracts SSH creds from Cisco phones. |
| MailSniper | Searches Exchange for terms. |
| SharpChromium | Extracts data from Chromium browsers. |
| dploot | DPAPI loot tool. |
| PCredz | Extracts creds from PCAP/live interface. |
| Kerbrute | Enumerates AD accounts via Kerberos. |
| lsassy | Dumps LSASS remotely. |
| Dumpert | LSASS dumper using syscalls. |
| SharpDump | Creates minidump of LSASS. |
| SafetyKatz | Dynamically patched Mimikatz. |
| Forkatz | Credential dumper for Windows. |
| SharpKatz | .NET port of Mimikatz features. |
| Pypykatz | Mimikatz in pure Python. |
| DonPAPI | Dumps DPAPI creds remotely. |
| DPAPick | Offline DPAPI decryption toolkit. |
| Net-GPPPassword | Retrieves GPP passwords. |
| kekeo | Kerberos manipulation tool. |
| CrackMapExec | Swiss army knife for pentesting networks. |
| Impacket | Network protocols in Python. |
| BloodHound | AD attack path visualization. |

(Credential Access: 25+ tools)

| Tool | Description |
|---|---|
| PCredz | Credential discovery from PCAP/live. |
| PingCastle | Active Directory assessor. |
| Seatbelt | Local vulnerability scanner. |
| ADRecon | Active Directory recon. |
| adidnsdump | Dumps AD Integrated DNS. |
| scavenger | Scans for interesting files. |
| SharpHound | Data collector for BloodHound. |
| ADAPE | Active Directory assessment script. |
| Grouper | Finds vulns in AD group policy. |
| ADCollector | Lightweight AD info collector. |
| Semperis DSP | AD security assessment. |
| PurpleSharp | Adversary simulation for detection. |
| PingCastle Cloud | Cloud AD security scanner. |
| RiskySPN | Detects risky SPNs in AD. |
| ROADtools | Azure AD exploration framework. |
| AzureHound | Data collector for Azure AD. |
| StormSpotter | Azure red team tool. |
| MicroBurst | Azure security assessment. |
| AADInternals | Azure AD security toolkit. |
| PowerZure | PowerShell for Azure exploitation. |
| Sparrow | Detects suspicious Azure behavior. |
| Hawk | PowerShell for O365 intrusion. |
| o365creeper | Email address creeper for O365. |
| TEAMSScanner | Enumerates MS Teams info. |
| o365enum | Enumerates users in O365. |

(Discovery: 25+ tools)

| Tool | Description |
|---|---|
| CrackMapExec | Swiss army knife for AD attacks. |
| WMIOps | Performs actions via WMI. |
| PowerLessShell | Executes PS via MSBuild. |
| PsExec | Executes processes remotely. |
| Liquid Snake | Lateral movement via WMI subscription. |
| ADFSpoof | Forges AD FS security tokens. |
| Coercer | Coerces Windows auth via RPC. |
| Impacket | Network protocols for lateral movement. |
| SMBExec | Executes via SMB. |
| PSExec.py | Impacket PSEXEC equivalent. |
| Kerberos | Pass-the-ticket attacks. |
| DCOM | Lateral via DCOM. |
| WMIExec | Executes via WMI. |
| Invoke-WMI | WMI command execution. |
| SMBMap | Enumerates SMB shares. |
| NetView | Enumerates domain machines. |
| BloodHound | Maps AD for lateral paths. |
| DeathStar | Automates DA privilege gain. |
| Empire | Lateral movement modules. |
| Covenant | .NET agent for lateral. |
| WMIC | Command-line WMI. |
| PowerShell Remoting | Remote command execution. |
| Jenkins Script Console | Executes Groovy scripts. |
| RDP | Remote Desktop Protocol. |
| WinRM | Windows Remote Management. |

(Lateral Movement: 25+ tools)

| Tool | Description |
|---|---|
| BloodHound | Active Directory visualization. |
| Snaffler | Active Directory credential collector. |
| linWinPwn | AD enumeration and vuln checks. |
| SharpHound | Collects data for BloodHound. |
| AzureHound | Collects Azure AD data. |
| ROADrecon | Collects Azure AD info. |
| Stormspotter | Creates Azure attack graph. |
| Hawk | Collects O365 data. |
| o365-attack-toolkit | Collects from Office365. |
| MailSniper | Searches email for terms. |
| DataExfiltrator | Exfiltrates data via protocols. |
| SharpCloud | Enumerates cloud services. |
| Farm | Collects hashes from domain. |
| DCSync | Replicates AD data. |
| PyGPOAbuse | Abuses GPO for collection. |
| LDAPFragger | LDAP command channel. |
| ADCollector | Collects AD info. |
| Group3r | Finds GPO vulns. |

(Collection: 20+ tools)

| Tool | Description |
|---|---|
| Covenant | .NET C2 framework with web UI. |
| Empire | PowerShell and Python agent C2. |
| PoshC2 | Proxy-aware C2 in PowerShell/C#. |
| Merlin | Cross-platform HTTP/2 C2. |
| Havoc | Modern malleable C2 framework. |
| Brute Ratel C4 | Customizable C2 with EDR bypass. |
| NimPlant | Lightweight first-stage implant in Nim. |
| hoaxshell | Reverse shell via HTTP(S). |
| Sliver | Adversary emulation framework. |
| Mythic | Collaborative cross-platform C2. |
| Cobalt Strike | Commercial adversary simulation. |
| Koadic | COM-based C2. |
| SILENTTRINITY | Modern Python C2. |
| Apfell | macOS eBPF C2. |
| Faction | C2 framework in C#. |
| Pupy | Cross-platform Python C2. |
| C2concealer | Creates randomized C2 malleable profiles. |
| TrevorC2 | Client/server for tunneling. |
| DNSCat2 | DNS tunneling tool. |
| Malleable C2 | Cobalt Strike malleable profiles. |
| Empire DNS | DNS C2 in Empire. |
| Redirect.rules | Nginx redirector for C2. |
| Apache2ModRewrite | Apache mod_rewrite for C2. |
| Chameleon | Customizable honeypot for C2. |

(Command & Control: 25+ tools)

| Tool | Description |
|---|---|
| dnscat2 | DNS tunneling for data exfil. |
| Cloakify | Transforms data into harmless strings. |
| PyExfil | Data exfiltration techniques in Python. |
| Powershell-RAT | Exfils data via Gmail. |
| GD-Thief | Exfils from Google Drive via API. |
| DET | Data Exfiltration Toolkit. |
| Iodine | IPv4 over DNS tunnel. |
| DNSCat | DNS C2 and exfil. |
| Living Off The Cloud | Exfil via cloud services. |
| Rclone | Syncs files to cloud storage. |
| Exfil-Dropbox | Exfils via Dropbox API. |
| Onedrive-Exfil | Exfils via OneDrive. |
| Gcat | Backdoor using Gmail. |
| TgCat | Backdoor using Telegram. |
| DNSExfiltrator | Exfils files over DNS. |
| Pigeon | DNS request exfil tool. |
| Living Off The Land | Uses legit bins for exfil. |
| SharpExfil | .NET data exfil tool. |

(Exfiltration: 20+ tools)

| Tool | Description |
|---|---|
| Conti Pentester Guide Leak | Leaked Conti ransomware guide. |
| Slowloris | Low-bandwidth DoS tool. |
| USBkill | Anti-forensic kill-switch for USB changes. |
| Keytap | Guesses keys from audio. |
| Lockphish | Phishing for Android PIN. |
| EvilUSB | USB-based attacks. |
| Ransomwhere | Tracks ransomware payments. |
| PyCryptoMiner | Python cryptominer. |
| DDospot | DDoS honeypot. |
| Torshammer | Slow post DoS tool. |
| LOIC | Low Orbit Ion Cannon DoS. |
| HOIC | High Orbit Ion Cannon. |
| R-U-Dead-Yet | Slow HTTP DoS. |
| GoldenEye | HTTP/S Layer 7 DoS. |
| HULK | HTTP Unbearable Load King. |
| PyLoris | Python Slowloris variant. |
| OWASP ZSC | Shellcode generator. |
| Memcrashed | Memcached DDoS exploit. |

(Impact: 20+ tools)
