Scanners-Box is an open-source reconnaissance and scanning toolkit for red teams and security researchers. Curated collection of scanners and recon utilities.
NetExec provides multi-protocol network execution for Windows Active Directory environments. Install, run and use nxc for lateral movement, enumeration and command execution.
HoneyBee generates intentionally misconfigured Docker environments and Nuclei templates using LLMs so red teams can rehearse exploitation and validate detection.
Autoswagger finds and tests OpenAPI/Swagger specs to expose unauthenticated endpoints, PII leaks and secrets. Tooling, installation and an attack scenario included.
RustRedOps is a collection of Rust-based offensive security modules for post-exploitation, process injection and payload staging, useful for red teams and penetration testers.
thermoptic is a stealth proxy that makes curl and other clients look identical to Chrome across TCP, TLS and HTTP layers, bypassing JA3/JA4+ detection.
BlockEDRTraffic blocks Endpoint Detection and Response telemetry with Windows Firewall or Windows Filtering Platform to create brief stealth windows for red teams.
RedExt turns Chromium into a browser-based C2 agent, collecting cookies, DOM, screenshots, clipboard and system data via a Flask server and Chrome extension.
AzureStrike is a red team toolkit for attacking Azure Active Directory, enabling reconnaissance, credential abuse, and persistence in cloud environments.
ChromeAlone turns Chromium into a stealthy C2 implant with credential capture, file access, and persistence. A browser-based alternative to Cobalt Strike.
Self-hosted blind XSS hunter via Docker. Deploy xsshunter-express in five minutes to capture stealthy XSS payloads with screenshots, DOM dumps, and full context.