Offensive Security Tools
Offensive security tools for penetration testing, red team exercises, exploit development, and ethical hacking activities.
Browse 246 offensive security tools
FEATURED
USE CASES
PwnAuth is an open-source tool for generating and managing authentication tokens across multiple protocols, designed for penetration testing and red team exercises.
Pupy is an open-source, cross-platform C2 framework that provides remote access and control capabilities for compromised systems across Windows, Linux, OSX, and Android platforms.
A proxy aware C2 framework for penetration testing, red teaming, post-exploitation, and lateral movement with modular format and highly configurable payloads.
An open-source shellcode and PE packer for creating and managing portable executable files.
A lightweight Command and Control (C2) implant written in Nim that provides remote access capabilities for penetration testing and red team operations.
A collaborative, multi-platform, red teaming framework for simulating attacks and testing defenses.
A macOS Initial Access Payload Generator for penetration testing and red teaming exercises.
MSBuildAPICaller is an offensive security tool that enables interaction with the MSBuild API to execute arbitrary scripts for red teaming and penetration testing purposes.
Mortar is an evasion technique to defeat and divert detection and prevention of security products, including AV, EDR, and XDR solutions.
Modlishka is a reverse proxy tool for intercepting and manipulating HTTP traffic, ideal for penetration testers, security researchers, and developers to analyze and test web applications.
A cross-platform HTTP/2 Command & Control framework written in Golang for post-exploitation activities and remote system management.
Macro_Pack automates the generation and obfuscation of Office documents and scripts for penetration testing and security assessments.
A LinkedIn reconnaissance tool for gathering information about companies and individuals on the platform.
An OSINT tool that generates username lists for companies on LinkedIn for social engineering attacks or security testing purposes.
A COM Command & Control framework that uses JScript to provide fileless remote access capabilities on Windows systems through a modular plugin architecture.
Ivy is a payload creation framework for executing arbitrary VBA source code directly in memory, utilizing programmatical access to load, decrypt, and execute shellcode.
InvisibilityCloak is a proof-of-concept C# code obfuscation toolkit designed for red teaming and penetration testing to conceal post-exploitation tools from detection.
A tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) for offensive security purposes.
A template-driven framework for creating custom evasion techniques to test Anti-Virus and EDR detection capabilities.
A tool that generates .NET serialized gadgets for triggering assembly load and execution through BinaryFormatter deserialization in JavaScript, VBScript, and VBA scripts.
A standalone man-in-the-middle attack framework used for phishing login credentials and bypassing 2-factor authentication.
EvilClippy is a cross-platform tool that creates malicious MS Office documents with hidden VBA macros and evasion techniques for penetration testing and red team operations.
A shellcode generator that creates position-independent code for loading and executing .NET Assemblies, PE files, and Windows payloads from memory.
A reconnaissance tool that analyzes expired domains for categorization, reputation, and Archive.org history to identify candidates suitable for phishing and C2 operations.
Offensive Security Tools FAQ
Common questions about Offensive Security tools, selection guides, pricing, and comparisons.
Penetration testing evaluates specific systems or applications for vulnerabilities within a defined scope and timeframe. Red teaming simulates a real adversary with minimal restrictions, attempting to achieve specific objectives (access CEO email, exfiltrate customer data) using any attack vector: technical exploitation, social engineering, and physical access. Red teaming tests your entire security program, not just your technology.
