SSTImap SSTImap is a penetration testing software that can check websites for Code Injection and Server-Side Template Injection vulnerabilities and exploit them, giving access to the operating system itself. This tool was developed to...
exifLooter ExifLooter finds geolocation on all image urls and directories and also integrates with OpenStreetMap. Installation go install github.com/aydinnyunus/exifLooter@latest Exif Looter depends on exiftool, so make sure it is on your PATH. Use Analyze Image...
BloodHound Attack Research Kit BARK stands for BloodHound Attack Research Kit. It is a PowerShell script built to assist the BloodHound Enterprise team with researching and continuously validating abuse primitives. BARK currently focuses on...
Compromising an organization’s cloud infrastructure is like sitting on a gold mine for attackers. And sometimes, a simple misconfiguration or a vulnerability in web applications, is all an attacker needs to compromise the entire...
The HexStrike AI repository has released HexStrike AI MCP Agents v6.0—a powerful framework for automating penetration tests. The system integrates more than 150 security tools and 12 autonomous AI agents operating through the FastMCP...
A security researcher named Wayne has unveiled a new tool for Windows 11 that circumvents the PatchGuard protection mechanism in the system’s latest release (24H2). The project, called Kurasagi, has already been published on...
monkey365 Monkey365 is an Open Source security tool that can be used to easily conduct not only Microsoft 365 but also Azure subscriptions and Azure Active Directory security configuration reviews without the significant overhead...
SQLiDetector Simple python script supported with BurpBouty profile that helps you to detect SQL injection “Error based” by sending multiple requests with 14 payloads and checking for 152 regex patterns for different databases. The...
The Hashcat development team has unveiled a major update to its renowned password-cracking tool—version 7.0.0. This marks the first major release in over two years, encompassing hundreds of bug fixes, dozens of new features,...
GooFuzz GooFuzz is a script written in Bash Scripting that uses advanced Google search techniques to obtain sensitive information in files or directories without making requests to the web server. GooFuzz performs fuzzing with an OSINT...
Aced Aced is a tool to parse and resolve a single targeted Active Directory principal’s DACL. Aced will identify interesting inbound access allowed privileges against the targeted account, resolve the SIDS of the inbound...
AppShark Appshark is a static analysis tool for Android apps. Its goal is to analyze very large apps (Douyin currently has 1.5 million methods). Appshark supports the following features: JSON-based customized scanning rules to...
TeamFiltration TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts. See the Example Attack flow at the bottom of this readme for a general introduction into how TeamFiltration works! This tool has...
toxssin toxssin is an open-source penetration testing tool that automates the process of exploiting Cross-Site Scripting (XSS) vulnerabilities. It consists of an https server that works as an interpreter for the traffic generated by...
ProtectMyTooling A script that wraps around a multitude of packers, protectors, obfuscators, shellcode loaders, encoders, and generators to produce complex protected Red Team implants. Your perfect companion in Malware Development CI/CD pipeline, helping watermark...
jscythe jscythe abuses the node.js inspector mechanism in order to force any node.js/electron/v8 based process to execute arbitrary javascript code, even if their debugging capabilities are disabled. Tested and working against Visual Studio Code, Discord, any...