Skip to content


Folders and files

Last commit message
Last commit date

Latest commit


Repository files navigation

Awesome Stars Awesome

A curated list of my GitHub stars! Generated by starred.



  • ghostsecurity/reaper - 💀 Don't fear the Reaper 👻
  • The-Art-of-Hacking/h4cker - This repository is primarily maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), artif


  • patrickfav/uber-apk-signer - A cli tool that helps signing and zip aligning single or multiple Android application packages (APKs) with either debug or provided release certificates. It supports v1, v2 and v3 Android signing sche
  • WithSecureLabs/drozer - The Leading Security Assessment Framework for Android.
  • androguard/androguard - Reverse engineering and pentesting for Android applications
  • AzeemIdrisi/PhoneSploit-Pro - An all-in-one hacking tool to remotely exploit Android devices using ADB and Metasploit-Framework to get a Meterpreter session.
  • iBotPeaches/Apktool - A tool for reverse engineering Android apk files
  • requestly/requestly - Requestly was built to save developers time by intercepting and modifying HTTP Requests. It has now developed into an open-source alternative to Charles Proxy and Telerik Fiddler that works directly i
  • wasabeef/awesome-android-ui - A curated list of awesome Android UI/UX libraries
  • Hack-with-Github/Awesome-Hacking - A collection of various awesome lists for hackers, pentesters and security researchers
  • appwrite/appwrite - Your backend, minus the hassle.
  • Solido/awesome-flutter - An awesome list that curates the best Flutter libraries, tools, tutorials, articles and more.
  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • skylot/jadx - Dex to Java decompiler
  • B3nac/InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
  • OWASP/owasp-mastg - The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls
  • n1nj4sec/pupy - Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C




  • bitwarden/server - Bitwarden infrastructure/backend (API, database, Docker, etc).






  • atuinsh/atuin - ✨ Magical shell history
  • MegaManSec/SSH-Snake - SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
  • stateful/vscode-runme - DevOps Notebooks Built with Markdown - VS Code extension
  • nvm-sh/nvm - Node Version Manager - POSIX-compliant bash script to manage multiple active node.js versions
  • royalapplications/toolbox - This repository contains various automation scripts for Royal TS (for Windows) and Royal TSX (for macOS). Also included are dynamic folder samples. This collection consists of scripts by the Royal App
  • RealityNet/ios_triage - Bash script to extract data from a "chekcra1ned" iOS device
  • hyperupcall/autoenv - Directory-based environments.
  • v1s1t0r1sh3r3/airgeddon - This is a multi-use bash script for Linux systems to audit wireless networks.
  • peass-ng/PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)





  • AlecBlance/S3BucketList - Chrome extension that lists Amazon S3 Buckets while browsing
  • requestly/requestly - Requestly was built to save developers time by intercepting and modifying HTTP Requests. It has now developed into an open-source alternative to Charles Proxy and Telerik Fiddler that works directly i
  • LasCC/HackTools - The all-in-one browser extension for offensive security professionals 🛠
  • altair-graphql/altair - ✨⚡️ A feature-rich GraphQL Client for all platforms.


  • gitleaks/gitleaks - Find secrets with Gitleaks 🔑
  • patrickfav/uber-apk-signer - A cli tool that helps signing and zip aligning single or multiple Android application packages (APKs) with either debug or provided release certificates. It supports v1, v2 and v3 Android signing sche
  • projectdiscovery/dnsx - dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
  • pypa/pipx - Install and Run Python Applications in Isolated Environments
  • projectdiscovery/katana - A next-generation crawling and spidering framework.
  • sharkdp/bat - A cat(1) clone with wings.
  • asciinema/asciinema - Terminal session recorder 📹
  • abhijithvijayan/stargazed - 📋 Creating your own Awesome List of GitHub stars!



  • Cyber-Buddy/APKHunt - APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers,


  • microsoft/vcpkg - C++ Library Manager for Windows, Linux, and MacOS
  • Ciphey/Ciphey - ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡


  • bitwarden/server - Bitwarden infrastructure/backend (API, database, Docker, etc).
  • dnSpyEx/dnSpy - Unofficial revival of the well known .NET debugger and assembly editor, dnSpy
  • Aetsu/OffensivePipeline - OfensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
  • peass-ng/PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)



  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • rustdesk/rustdesk - An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.





  • bitwarden/server - Bitwarden infrastructure/backend (API, database, Docker, etc).
  • dnSpyEx/dnSpy - Unofficial revival of the well known .NET debugger and assembly editor, dnSpy






  • macosui/macos_ui - Flutter widgets and themes implementing the current macOS design language.
  • appwrite/appwrite - Your backend, minus the hassle.
  • Solido/awesome-flutter - An awesome list that curates the best Flutter libraries, tools, tutorials, articles and more.
  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • B3nac/InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.
  • rustdesk/rustdesk - An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.







  • MegaManSec/SSH-Snake - SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
  • summitt/Nope-Proxy - TCP/UDP Non-HTTP Proxy Extension (NoPE) for Burp Suite.
  • six2dez/pentest-book -
  • t3l3machus/Villain - Villain is a high level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share them
  • infosecn1nja/Red-Teaming-Toolkit - This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
  • AzeemIdrisi/PhoneSploit-Pro - An all-in-one hacking tool to remotely exploit Android devices using ADB and Metasploit-Framework to get a Meterpreter session.
  • ghostsecurity/reaper - 💀 Don't fear the Reaper 👻
  • LasCC/HackTools - The all-in-one browser extension for offensive security professionals 🛠
  • Hack-with-Github/Awesome-Hacking - A collection of various awesome lists for hackers, pentesters and security researchers
  • dolevf/Black-Hat-GraphQL - The Black Hat GraphQL Book Repository
  • t3l3machus/toxssin - An XSS exploitation command-line interface and payload generator.
  • nahamsec/Resources-for-Beginner-Bug-Bounty-Hunters - A list of resources for those interested in getting started in bug bounties
  • OWASP/owasp-mastg - The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls
  • codingo/NoSQLMap - Automated NoSQL database enumeration and web application exploitation tool.
  • trimstray/the-book-of-secret-knowledge - A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
  • chenjj/espoofer - An email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.🍻
  • BiZken/PhishMailer - Generate Professional Phishing Emails Fast And Easy
  • yogeshojha/rengine - reNgine is an automated reconnaissance framework for web applications with a focus on highly configurable streamlined recon process via Engines, recon data correlation and organization, continuous mon
  • j3ssie/osmedeus - A Workflow Engine for Offensive Security
  • HackTricks-wiki/hacktricks - Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.
  • SpiderLabs/HostHunter - HostHunter a recon tool for discovering hostnames using OSINT techniques.
  • Ciphey/Ciphey - ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡
  • diego-treitos/linux-smart-enumeration - Linux enumeration tool for pentesting and CTFs with verbosity levels
  • Hackplayers/evil-winrm - The ultimate WinRM shell for hacking/pentesting
  • maurosoria/dirsearch - Web path scanner
  • v1s1t0r1sh3r3/airgeddon - This is a multi-use bash script for Linux systems to audit wireless networks.
  • samratashok/nishang - Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
  • RustScan/RustScan - 🤖 The Modern Port Scanner 🤖
  • juice-shop/juice-shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
  • The-Art-of-Hacking/h4cker - This repository is primarily maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), artif
  • 0x00-0x00/ShellPop - Pop shells like a master.
  • swisskyrepo/PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF
  • mitre/caldera - Automated Adversary Emulation Platform





  • rofl0r/proxychains-ng - proxychains ng (new generation) - a preloader which hooks calls to sockets in dynamically linked programs and redirects it through one or more socks/http proxies. continuation of the unmaintained prox
  • vapor/vapor - 💧 A server-side Swift HTTP web framework.
  • projectdiscovery/interactsh - An OOB interaction gathering server and client library
  • carlospolop/fuzzhttpbypass - This tool use fuuzzing to try to bypass unknown authentication methods, who knows...


  • palera1n/palera1n - Jailbreak for A8 through A11, T2 devices, on iOS/iPadOS/tvOS 15.0, bridgeOS 5.0 and higher.
  • RealityNet/ios_triage - Bash script to extract data from a "chekcra1ned" iOS device
  • requestly/requestly - Requestly was built to save developers time by intercepting and modifying HTTP Requests. It has now developed into an open-source alternative to Charles Proxy and Telerik Fiddler that works directly i
  • vsouza/awesome-ios - A curated list of awesome iOS ecosystem, including Objective-C and Swift Projects
  • appwrite/appwrite - Your backend, minus the hassle.
  • Solido/awesome-flutter - An awesome list that curates the best Flutter libraries, tools, tutorials, articles and more.
  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • noobpk/frida-ios-hook - A tool that helps you easy trace classes, functions, and modify the return values of methods on iOS platform
  • airsquared/blobsaver - A cross-platform GUI and CLI app for automatically saving SHSH blobs
  • AloneMonkey/frida-ios-dump - pull decrypted ipa from jailbreak device
  • nabla-c0d3/ssl-kill-switch2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.
  • OWASP/owasp-mastg - The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls
  • ChiChou/grapefruit - (WIP) Runtime Application Instruments for iOS. Previously Passionfruit
  • libimobiledevice/libimobiledevice - A cross-platform protocol library to communicate with iOS devices
  • utmapp/UTM - Virtual machines for iOS and macOS




  • just-the-docs/just-the-docs - A modern, high customizable, responsive Jekyll theme for documentation with built-in search.
  • jekyll/jekyll-seo-tag - A Jekyll plugin to add metadata tags for search engines and social networks to better index and display your site's content.


  • B3nac/InjuredAndroid - A vulnerable Android application that shows simple examples of vulnerabilities in a ctf style.


  • openappsec/openappsec - open-appsec is a machine learning security engine that preemptively and automatically prevents threats against Web Application & APIs. This repo include the main code and logic.




  • shellhub-io/shellhub - 💻 Get seamless remote access to any Linux device. Centralized SSH for the edge and cloud computing
  • royalapplications/toolbox - This repository contains various automation scripts for Royal TS (for Windows) and Royal TSX (for macOS). Also included are dynamic folder samples. This collection consists of scripts by the Royal App
  • n1nj4sec/pupy - Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C
  • rustdesk/rustdesk - An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.
  • trimstray/the-book-of-secret-knowledge - A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
  • htr-tech/nexphisher - Advanced Phishing tool
  • calebstewart/pwncat - Fancy reverse and bind shell handler
  • mzfr/gtfo - Search gtfobins and lolbas files from your terminal
  • v1s1t0r1sh3r3/airgeddon - This is a multi-use bash script for Linux systems to audit wireless networks.
  • CISOfy/lynis - Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
  • future-architect/vuls - Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
  • GTFOBins/ - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems
  • peass-ng/PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)



  • SoftDesLab/PIRANHA - Project for Software Design Laboratory -- Topic: Detecting Phishing Website with Machine Learning


  • jordanbaird/Ice - Powerful menu bar manager for macOS
  • sieren/WidgetToggler - macOS Sonoma Widget Toggler for the Tray Bar - Easily Show and Hide Widgets
  • Hammerspoon/hammerspoon - Staggeringly powerful macOS desktop automation with Lua
  • royalapplications/toolbox - This repository contains various automation scripts for Royal TS (for Windows) and Royal TSX (for macOS). Also included are dynamic folder samples. This collection consists of scripts by the Royal App
  • macosui/macos_ui - Flutter widgets and themes implementing the current macOS design language.
  • jaywcjlove/awesome-mac -  Now we have become very big, Different from the original idea. Collect premium software in various categories.
  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • nabla-c0d3/ssl-kill-switch2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.
  • sickcodes/Docker-OSX - Run macOS VM in a Docker! Run near native OSX-KVM in Docker! X11 Forwarding! CI/CD for OS X Security Research! Docker mac Containers.
  • sethmlarson/truststore - Verify certificates using OS trust stores
  • utmapp/UTM - Virtual machines for iOS and macOS
  • macports/macports-ports - The MacPorts ports tree




  • WithSecureLabs/drozer - The Leading Security Assessment Framework for Android.
  • Solido/awesome-flutter - An awesome list that curates the best Flutter libraries, tools, tutorials, articles and more.
  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • ChiChou/grapefruit - (WIP) Runtime Application Instruments for iOS. Previously Passionfruit





  • nvm-sh/nvm - Node Version Manager - POSIX-compliant bash script to manage multiple active node.js versions
  • sindresorhus/awesome-nodejs - ⚡ Delightful Node.js packages and resources
  • q-nick/npm-gui - Tired of the package.json dependency juggle? Meet npm-gui! We seamlessly integrate with npm, pnpm, or yarn. Managing, installing, and updating dependencies is as easy as it gets. Try npm-gui today and
  • expressjs/express - Fast, unopinionated, minimalist web framework for node.
  • abhijithvijayan/stargazed - 📋 Creating your own Awesome List of GitHub stars!
  • lmammino/jwt-cracker - Simple HS256, HS384 & HS512 JWT token brute force cracker.



  • q-nick/npm-gui - Tired of the package.json dependency juggle? Meet npm-gui! We seamlessly integrate with npm, pnpm, or yarn. Managing, installing, and updating dependencies is as easy as it gets. Try npm-gui today and



  • gitleaks/gitleaks - Find secrets with Gitleaks 🔑
  • t3l3machus/Villain - Villain is a high level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells, enhance their functionality with additional features (commands, utilities) and share them
  • requestly/requestly - Requestly was built to save developers time by intercepting and modifying HTTP Requests. It has now developed into an open-source alternative to Charles Proxy and Telerik Fiddler that works directly i
  • commixproject/commix - Automated All-in-One OS Command Injection Exploitation Tool.
  • SpiderLabs/HostHunter - HostHunter a recon tool for discovering hostnames using OSINT techniques.



  • fatedier/frp - A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
  • rustdesk/rustdesk - An open-source remote desktop application designed for self-hosting, as an alternative to TeamViewer.
  • syncthing/syncthing - Open Source Continuous File Synchronization


  • microsoft/vcpkg - C++ Library Manager for Windows, Linux, and MacOS
  • q-nick/npm-gui - Tired of the package.json dependency juggle? Meet npm-gui! We seamlessly integrate with npm, pnpm, or yarn. Managing, installing, and updating dependencies is as easy as it gets. Try npm-gui today and
  • macports/macports-ports - The MacPorts ports tree


  • royalapplications/toolbox - This repository contains various automation scripts for Royal TS (for Windows) and Royal TSX (for macOS). Also included are dynamic folder samples. This collection consists of scripts by the Royal App





  • MattKeeley/Spoofy - Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.
  • vmware/vsphere-automation-sdk-python - Python samples, language bindings, and API reference documentation for vSphere, VMC, and NSX-T using the VMware REST API
  • byt3bl33d3r/WitnessMe - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
  • SoftDesLab/PIRANHA - Project for Software Design Laboratory -- Topic: Detecting Phishing Website with Machine Learning
  • Liodeus/swaggerHole - A python3 script searching for secret on swaggerhub
  • get-get-get-get/PowerProxy - PowerShell SOCKS proxy with reverse proxy capabilities


  • shellhub-io/shellhub - 💻 Get seamless remote access to any Linux device. Centralized SSH for the edge and cloud computing


  • ant-design/ant-design - An enterprise-class UI design language and React UI library
  • q-nick/npm-gui - Tired of the package.json dependency juggle? Meet npm-gui! We seamlessly integrate with npm, pnpm, or yarn. Managing, installing, and updating dependencies is as easy as it gets. Try npm-gui today and
  • styled-components/styled-components - Visual primitives for the component age. Use the best bits of ES6 and CSS to style your apps without stress 💅
  • appwrite/appwrite - Your backend, minus the hassle.
  • rahuldkjain/github-profile-readme-generator - 🚀 Generate GitHub profile README easily with the latest add-ons like visitors count, GitHub stats, etc using minimal UI.



  • dsternlicht/RESTool - RESTool is an open source UI tool for managing RESTful APIs. It could save you time developing your own internal tools. A live example:


  • kyleboe/zoom_rb - Ruby REST API Wrapper for API
  • dsternlicht/RESTool - RESTool is an open source UI tool for managing RESTful APIs. It could save you time developing your own internal tools. A live example:




  • gitleaks/gitleaks - Find secrets with Gitleaks 🔑
  • GitGuardian/ggshield - Find and fix 400+ types of hardcoded secrets and 70+ types of infrastructure-as-code misconfigurations.
  • praetorian-inc/noseyparker - Nosey Parker is a command-line program that finds secrets and sensitive information in textual data and Git history.
  • netwrix/pingcastle - PingCastle - Get Active Directory Security at 80% in 20% of the time
  • WithSecureLabs/drozer - The Leading Security Assessment Framework for Android.
  • MegaManSec/SSH-Snake - SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
  • six2dez/pentest-book -
  • MattKeeley/Spoofy - Spoofy is a program that checks if a list of domains can be spoofed based on SPF and DMARC records.
  • infobyte/faraday - Open Source Vulnerability Management Platform
  • sensepost/gowitness - 🔍 gowitness - a golang, web screenshot utility using Chrome Headless
  • EdOverflow/can-i-take-over-xyz - "Can I take over XYZ?" — a list of services and how to claim (sub)domains with dangling DNS records.
  • ghostsecurity/reaper - 💀 Don't fear the Reaper 👻
  • AlecBlance/S3BucketList - Chrome extension that lists Amazon S3 Buckets while browsing
  • pwndoc/pwndoc - Pentest Report Generator
  • marksowell/Clickjacking-POC - A Python package for creating a clickjacking proof of concept (POC).
  • OWASP/API-Security - OWASP API Security Project
  • inonshk/31-days-of-API-Security-Tips - This challenge is Inon Shkedy's 31 days API Security Tips.
  • HolyBugx/HolyTips - A Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.
  • akto-api-security/tests-library - Community generated list of API security tests to find OWASP top10, HackerOne top 10 vulnerabilities
  • akto-api-security/akto - Proactive, Open source API security → API discovery, Testing in CI/CD, Test Library with 150+ Tests, Add custom tests, Sensitive data exposure
  • Hack-with-Github/Awesome-Hacking - A collection of various awesome lists for hackers, pentesters and security researchers
  • Cyber-Buddy/APKHunt - APKHunt is a comprehensive static code analysis tool for Android apps that is based on the OWASP MASVS framework. Although APKHunt is intended primarily for mobile app developers and security testers,
  • jeremylong/DependencyCheck - OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
  • radareorg/radare2 - UNIX-like reverse engineering framework and command-line toolset
  • nabla-c0d3/ssl-kill-switch2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.
  • dradis/dradis-ce - Dradis Framework: Collaboration and reporting for IT Security teams
  • byt3bl33d3r/WitnessMe - Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
  • trufflesecurity/trufflehog - Find, verify, and analyze leaked credentials
  • shieldfy/API-Security-Checklist - Checklist of the most important security countermeasures when designing, testing, and releasing your API
  • uber-common/metta - An information security preparedness tool to do adversarial simulation.
  • hahwul/dalfox - 🌙🦊 Dalfox is a powerful open-source XSS scanner and utility focused on automation.
  • haccer/subjack - Subdomain Takeover tool written in Go
  • nccgroup/ScoutSuite - Multi-Cloud Security Auditing Tool
  • trimstray/the-book-of-secret-knowledge - A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
  • projectdiscovery/nuclei - Nuclei is a fast, customizable vulnerability scanner powered by the global security community and built on a simple YAML-based DSL, enabling collaboration to tackle trending vulnerabilities on the int
  • chenjj/espoofer - An email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.🍻
  • CanIPhish/Phishious - An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers.
  • noraj/rawsec-cybersecurity-inventory - An inventory of tools and resources about CyberSecurity that aims to help people to find everything related to CyberSecurity.
  • OWASP/Nettacker - Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
  • j3ssie/osmedeus - A Workflow Engine for Offensive Security
  • evilsocket/xray - XRay is a tool for recon, mapping and OSINT gathering from public networks.
  • MojtabaTajik/Robber - Robber is open source tool for finding executables prone to DLL hijacking
  • projectdiscovery/interactsh - An OOB interaction gathering server and client library
  • cisagov/log4j-scanner - log4j-scanner is a project derived from other members of the open-source community by CISA to help organizations identify potentially vulnerable web services affected by the log4j vulnerabilities.
  • google/oss-fuzz - OSS-Fuzz - continuous fuzzing for open source software.
  • OWASP/CheatSheetSeries - The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
  • WithSecureLabs/chainsaw - Rapidly Search and Hunt through Windows Forensic Artefacts
  • threat9/routersploit - Exploitation Framework for Embedded Devices
  • lc/gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
  • lmammino/jwt-cracker - Simple HS256, HS384 & HS512 JWT token brute force cracker.
  • zaproxy/zap-extensions - ZAP Add-ons
  • cddmp/enum4linux-ng - A next generation version of enum4linux (a Windows/Samba enumeration tool) with additional features like JSON/YAML export. Aimed for security professionals and CTF players.
  • EnableSecurity/sipvicious - SIPVicious OSS is a VoIP security testing toolset. It helps security teams, QA and developers test SIP-based VoIP systems and applications. This toolset is useful in simulating VoIP hacking attacks ag
  • wpscanteam/wpscan - WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]
  • maurosoria/dirsearch - Web path scanner
  • andresriancho/w3af - w3af: web application attack and audit framework, the open source web vulnerability scanner.
  • v1s1t0r1sh3r3/airgeddon - This is a multi-use bash script for Linux systems to audit wireless networks.
  • gophish/gophish - Open-Source Phishing Toolkit
  • samratashok/nishang - Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
  • RustScan/RustScan - 🤖 The Modern Port Scanner 🤖
  • michenriksen/aquatone - A Tool for Domain Flyovers
  • juice-shop/juice-shop - OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
  • scipag/vulscan - Advanced vulnerability scanning with Nmap NSE
  • future-architect/vuls - Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
  • swisskyrepo/PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF
  • secdev/scapy - Scapy: the Python-based interactive packet manipulation program & library.




  • atuinsh/atuin - ✨ Magical shell history
  • MegaManSec/SSH-Snake - SSH-Snake is a self-propagating, self-replicating, file-less script that automates the post-exploitation task of SSH private key and host discovery.
  • stateful/vscode-runme - DevOps Notebooks Built with Markdown - VS Code extension
  • nvm-sh/nvm - Node Version Manager - POSIX-compliant bash script to manage multiple active node.js versions
  • zsh-users/zsh-autosuggestions - Fish-like autosuggestions for zsh
  • n1nj4sec/pupy - Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C
  • hyperupcall/autoenv - Directory-based environments.
  • Hackplayers/evil-winrm - The ultimate WinRM shell for hacking/pentesting
  • CISOfy/lynis - Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
  • 0x00-0x00/ShellPop - Pop shells like a master.
  • peass-ng/PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)




  • projectdiscovery/notify - Notify is a Go-based assistance package that enables you to stream the output of several tools (or read from a file) and publish it to a variety of supported platforms.



  • puppeteer/puppeteer - JavaScript API for Chrome and Firefox
  • sinfulz/JustTryHarder - JustTryHarder, a cheat sheet which will aid you through the PWK course & the OSCP Exam. (Inspired by PayloadAllTheThings)



  • dnSpyEx/dnSpy - Unofficial revival of the well known .NET debugger and assembly editor, dnSpy


  • uber-common/metta - An information security preparedness tool to do adversarial simulation.




  • HolyBugx/HolyTips - A Collection of Notes, Checklists, Writeups on Bug Bounty Hunting and Web Application Security.


  • microsoft/vcpkg - C++ Library Manager for Windows, Linux, and MacOS
  • royalapplications/toolbox - This repository contains various automation scripts for Royal TS (for Windows) and Royal TSX (for macOS). Also included are dynamic folder samples. This collection consists of scripts by the Royal App
  • flutter/flutter - Flutter makes it easy and fast to build beautiful apps for mobile and beyond
  • bitsadmin/wesng - Windows Exploit Suggester - Next Generation
  • n1nj4sec/pupy - Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C
  • sethmlarson/truststore - Verify certificates using OS trust stores
  • byt3bl33d3r/CrackMapExec - A swiss army knife for pentesting networks
  • calebstewart/pwncat - Fancy reverse and bind shell handler
  • WithSecureLabs/chainsaw - Rapidly Search and Hunt through Windows Forensic Artefacts
  • itm4n/PrivescCheck - Privilege Escalation Enumeration Script for Windows
  • mzfr/gtfo - Search gtfobins and lolbas files from your terminal
  • ohpe/juicy-potato - A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
  • SecWiki/windows-kernel-exploits - windows-kernel-exploits Windows平台提权漏洞集合
  • Aetsu/OffensivePipeline - OfensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
  • peass-ng/PEASS-ng - PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)


  • wpscanteam/wpscan - WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]



To the extent possible under law, marksowell has waived all copyright and related or neighboring rights to this work.


A curated list of my GitHub stars!







No releases published


No packages published