Building offensive security tools — one wave at a time
Lightweight C2 — ECDH P-256 forward secrecy, AES-256-GCM encryption, uTLS fingerprinting 
|
Linux post-exploitation — kernel namespace isolation, polymorphic beacons, 36 stealth modules
|
Collaborative browser terminal — real-time sync, credential vault, variable substitution
|
Encrypted reverse shell + Hell's Gate process injector in pure x86_64 NASM assembly
|
| Tool | What It Does | Language |
|---|---|---|
| Kraken | OPSEC-first C2 — X25519 ECDH, AES-256-GCM, modular implant with runtime-loadable modules, mesh networking, multi-transport (HTTP/HTTPS/TCP/SMB/DNS), BOF compatibility |  |
| Aquifer | Linux post-exploitation — kernel namespace isolation, multi-channel C2, polymorphic beacons, 36 stealth modules |  |
| Siphon | Lightweight C2 — ECDH P-256 forward secrecy, AES-256-GCM transport, uTLS Chrome fingerprinting | |
| Wellspring | Payload delivery server — 12 delivery methods, token-gated access, AES-256-GCM at rest, memory zeroing. Single binary. | |
| Spillway | Reverse/bind/dormant FUSE mount — browse remote filesystems locally over TLS 1.3 with mutual PSK auth | |
| Tool | What It Does | Language |
|---|---|---|
| Flux | Swiss Army Netcat — replaces nc/ncat/socat/pwncat. TLS + Noise encryption, auto-PTY shells, file transfer with SHA256, SOCKS5 pivoting, TCP scanning. Single static binary. | |
| Neap | Static SSH server — reverse/bind shells with full PTY, SFTP, local/remote/dynamic port forwarding, TLS with SNI spoofing | |
| Undertow | Static SSH server — reverse/bind shells, SFTP, port forwarding, TLS wrapping with SNI spoofing. Under 1.5 MB. | |
| Slipstream | Drop-in SSH wrapper — tunnel management, file transfers, passive filesystem mapping, per-command logging, fingerprint identity | |
| Conduit | SOCAT relay with kernel-level process masquerading — prctl/setproctitle stealth, argument hiding, 50+ channel types |  |
| Culvert | Pivot under the obstruction — one-command ligolo-ng tunnel setup with TUN, routing, magic 240/4 localhost CIDR, and WebUI |  |
| Depth | Full SSH-2.0 in pure assembly — ChaCha20-Poly1305, Ed25519, X25519, SFTP, PTY, port forwarding. 94 KB static ELF, no libc. |  |
| Tool | What It Does | Language |
|---|---|---|
| Vapor | Encrypted reverse shell + process injector in pure x86_64 NASM — ChaCha20-Poly1305 AEAD, Hell's Gate syscalls, zero deps | |
| Grotto | Encrypted netcat in pure assembly — ChaCha20-Poly1305, Linux ELF + Windows PE, ~8 KB, zero dependencies | |
| Dew | HTTPS reverse shell — XChaCha20-Poly1305 over TLS, ~37 KB binary, zero dependencies | |
| Droplet | HTTPS reverse shell for Windows — ~50 KB C implant, AES-256 encryption, interactive Python listener | |
| Undercurrent | io_uring stealth loader in pure assembly — ChaCha20-Poly1305, ~4.2 KB, invisible to syscall monitoring | |
| Tool | What It Does | Language |
|---|---|---|
| Abyss | Offensive forensic analysis — credentials, keys, persistence from disk/memory images. SAM, NTDS.dit, LSA, DPAPI, browser passwords, SSH keys, LSASS minidumps. Raw/E01/VMDK with NTFS/ext4. | |
| Flood | Async web fuzzer — directory enum, VHost discovery, parameter fuzzing. Recursive scanning, clusterbomb mode, auto-throttle on 429s, JSON/CSV/Hashcat output. | |
| Riptide | Collaborative browser terminal — real-time sync, credential vault, variable substitution, session recording, playbook workspace |  |
| Runoff | AD security audit — extract quick wins, attack paths, and misconfigurations from BloodHound CE |  |
| Maelstrom | NetExec wrapper — 35+ AD enumeration modules in one command, multi-target scanning, actionable recommendations | |
| Rapids | Credential spraying framework — 28 native protocol modules, adaptive skipping, pass-the-hash support | |
| Lure | SMB hash bait — drops poisoned .url/.scf/.xml payloads on writable shares to coerce NTLM auth via Responder |
|
| Seep | Windows privesc enumeration — 16 checks, 97 tools, MITRE ATT&CK mapping, fileless agent, single-file HTML reports | |
| Whirlpool | Privesc reasoning engine — parses LinPEAS/WinPEAS output, generates ranked exploitation playbooks | |
| Tool | What It Does | Language |
|---|---|---|
| Shallows | Browser-native Linux terminals — x86 emulation in the browser. No servers, no installs, no accounts. | |
| Ripple | Browser-based Vim editor — full keybindings via CodeMirror 6, split panes, tabs, virtual filesystem, zero dependencies | |
| Deluge | Nmap & RustScan parser — color-coded terminal reports, multi-format export, interactive scanning, Catppuccin styling | |
| Surge | Markdown-to-command-reference — fuzzy search, variable substitution, offline-first PWA, Catppuccin themes | |
| Fathom | Offline man pages browser — TLDR summaries, instant search, Catppuccin themes. PWA, works without internet. | |
| Cascade | Native markdown editor — real-time collaboration, live preview, wiki-links, canvas whiteboard, 21+ themes. Tauri + Rust. |  |
| Sunken-Archive | Personal knowledge base — digital garden with interconnected notes, graph view, full-text search. Built on Quartz. | |
| HydroShot | Screenshot capture & annotation — region select, drawing tools, copy/save. Built with Rust, winit, tiny-skia. | |
| Tidepool | Interactive terminal portfolio — explore a developer profile through real shell commands in the browser via xterm.js | |
| Deadwater | Research publication platform — index, search, and serve computational papers. Full-text search, citation graph, API. | |
| x86-assembly-lab | Interactive x86 assembly lab — simulator, stack visualizer, register quiz, tutorials from fundamentals to reverse engineering |  |
| Tool | What It Does | Language |
|---|---|---|
| armsforge | AI-powered security platform — intelligent automation, Claude Code integration, workflow orchestration for offensive operations | |
A sail-themed quartet — same idea (BusyBox-style single-binary shell toolkits), four different languages, four different size/portability tradeoffs.
| Tool | What It Does | Language |
|---|---|---|
| Rill | BusyBox-style multi-call binary in pure x86_64 NASM — 41 Unix utilities, ~34 KB static ELF, direct syscalls, no libc | |
| Topsail | Single-file BusyBox-like multi-call binary in Go — ~3.4 MB per platform (Linux/macOS/Windows × amd64/arm64), .deb/.rpm/.apk packages too | |
| Jib | BusyBox-style multi-call binary in Rust — 73 Unix utilities + jq/http/dig, ~2.4 MB avg (1.4 MB slim → 3.7 MB full) across 11 platform builds |
|
| Mainsail | BusyBox-style multi-call binary in Python — 73 Unix utilities, ~5.5 MB native bundles (or ~110 KB .pyz with system Python), Linux/Windows/macOS | |
| Tool | What It Does | Language |
|---|---|---|
| Tidemark | Obsidian plugin — variable substitution in markdown via YAML frontmatter. Copy, replace, rename in one command. | |
| Tool | What It Does | Language |
|---|---|---|
| Blueprint | Browser-based incremental factory game — build, automate, prestige, publish. Zero-dependency vanilla HTML/CSS/JS. | |
| Crownfall | Pixel-art medieval wave-defense incremental built as a single HTML file. Hold the wall, bank Crowns, return stronger. | |
| Tower-Defense | Cyberpunk neon tower defense — 6 elements, 14 towers, procedural campaign, endless mode, roguelite unlocks. Phaser 3 + TypeScript + Vite. | |
All tools are built for authorized security testing and educational purposes.