- Metaspoit: Penetration testing software
- BeEF: The Browser Exploitation Framework
- PTF: Penetration Testers Framework
- Bettercap: MITM framework
- Nessus: Vulnerability scanner
- AutoNessus: Auto Nessus
- BDFProxy: Patch Binaries via MITM (BackdoorFactory)
- Xplico: Network Forensic Analysis Tool (eg. parse pcap file)
- Sqlmap: Automatic SQL injection and database takeover tool
- jsql-injection: Java application for automatic SQL database injection
- HoneyProxy: MITM
- Gophish: Open-Source Phishing Framework
- SET: Social-Engineer Toolkit
- USBRubberDucky: USB Rubber Ducky
- USB Wifi Ducky: Upload, save and run keystroke injection payloads with an ESP8266 + ATMEGA32U4
- WHID: WiFi HID Injector for Fun & Profit - An USB Rubberducky On Steroids.
- SimplyEmail: Email recon framework
- WiFI pineapple: WiFI pineapple (mitm)
- makeMyCSRF: makeMyCSRF is a tool that can be used to automate auto-submit HTML form creation
- Weeman: HTTP Server for phishing
- PlugBot: The PlugBot: Hardware Botnet Research Project
- Pwn Phone: Portable pentesting device
- EmPyre: A post-exploitation OS X/Linux agent written in Python 2.7
- Mimikatz: A little tool to play with Windows security (videos)
- Acunetix: Scanner to check for XSS, SQL Injection and other web vulnerabilities
- Burp Suite: The leading toolkit for web application security testing
- Burp NoPE Proxy: Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
- ntopng: High-speed web-based traffic analysis
- nethogs: Linux 'net top' tool
- jnettop: traffic visualiser
- Lynis: Security auditing tool for Linux, macOS, and UNIX-based systems
- Volatility: An advanced memory forensics framework
- Radare: portable reversing framework
- Android Fallible: Secrets leak in Android apps
- XssPy: Web Application XSS Scanner
- Unicorn: Tool for using a PowerShell downgrade attack and inject shellcode straight into memory
- changeme: A default credential scanner
- Mercure: Tool for security managers who want to train their collaborators to phishing
- catphish: For phishing and corporate espionage
- Security Checklist: The SaaS CTO Security Checklist
- cgPwn: A lightweight VM for hardware hacking, RE (fuzzing, symEx, exploiting etc) and wargaming tasks
- pwlist: Password lists obtained from strangers attempting to log in to my server
- howmanypeoplearearound: Count the number of people around you by monitoring wifi signals
- xss-listener: XSS Listener is a penetration tool for easy to steal data with various XSS
- owasp-mstg: The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing and reverse engineering
- KeychainCracker: macOS keychain cracking tool
- Microsploit: Fast and easy create backdoor office exploitation using module metasploit packet
- InjectProc: Process Injection Techniques
- expdevBadChars: Bad Characters highlighter for exploit development
- massExpConsole: Collection of Tools and Exploits with a CLI UI
- getsploit: Command line utility for searching and downloading exploits
- Findsploit: Find exploits in local and online databases instantly
- vulscan: Advanced vulnerability scanning with Nmap NSE
- psychoPATH: a blind webroot file upload & LFI detection tool
- repo-supervisor: Scan your code for security misconfiguration, search for passwords and secrets
- xssor: Hack with Javascript (online tool)
- xray: XRay is a tool for recon, mapping and OSINT gathering from public networks
- Frida: Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX
- objection: runtime mobile exploration (based on Frida)
- pwnbox: Docker container with tools for binary reverse engineering and exploitation
- backdoor-apk: shell script that simplifies the process of adding a backdoor to any Android APK file
- Attify OS: Distro for pentesting IoT devices
- Zeus: AWS Auditing & Hardening Tool
- EvilAbigail: Automated Linux evil maid attack (backdoors initrd)
- mitm-router: Man-in-the-middle wireless access point inside a docker container
- Dracnmap: Exploit Network and Gathering Information with Nmap
- RastLeak: Tool To Automatic Leak Information Using Hacking With Engine Searches
- pupy: remote administration and post-exploitation tool (python)
- pwndsh: Post-exploitation framework (bash) (presentation)
- kwetza: Python script to inject existing Android applications with a Meterpreter payload
- zmap: ZMap Internet Scanner
- zgrab: Application layer scanner that operates with ZMap
- OpenVAS: The world's most advanced Open Source vulnerability scanner and manager
- Vulny-Code-Static-Analysis: Basic script to detect vulnerabilities into a PHP source code
- knockpy: Knock Subdomain Scan
- BoopSuite: A Suite of Tools written in Python for wireless auditing and security testing (demo)
- DataSploit: An OSINT Framework to perform various recon techniques
- domain_analyzer: Analyze the security of any domain by finding all the information possible
- Luckystrike: A PowerShell based utility for the creation of malicious Office macro documents (demo)
- sqlcheck: Automatically identify anti-patterns in SQL queries
- SSRF Testing: https://github.com/cujanovic/SSRF-Testing/
- XFLTReaT: Tunnelling Framework (kitploit)
- rudra: Framework for exhaustive analysis of (PCAP and PE) files
- https://github.com/eset/malware-ioc: Indicators of Compromises (IOC) of our various investigations
- Emutag: Mifare ultralight and ntag2x3 emulator
- WiFi deauther OLED V2
- Mobile Hack Gear
- bully-vanilla: Bully is a new implementation of the WPS brute force attack
- boxon: Détecteur box vulnérables à la brèche PIN NULL (topic)
- NullWpsPinAuto: Simple bash script intended to exploit the Null Wps Pin breach automatically
- The definitive guide to form-based website authentication
- Improved Persistent Login Cookie Best Practice
- Nmap Cheat Sheet
- XSS Cheat Sheet
- https://github.com/zbetcheckin/Security_list
- https://github.com/Hack-with-Github/Awesome-Hacking
- https://github.com/enaqx/awesome-pentest
- https://github.com/shieldfy/API-Security-Checklist
- https://github.com/forter/security-101-for-saas-startups
- https://github.com/carpedm20/awesome-hacking
- https://github.com/sobolevn/awesome-cryptography
- https://github.com/secfigo/Awesome-Fuzzing