Installed Tools Reference
Pre-installed Security Tools Reference
All of the following tools are pre-installed in your environment and ready to use immediately. You can invoke them directly from the command line. If you need help with any tool's usage, flags, or advanced features, do online research to find the most up-to-date documentation.
If you need a tool that is not listed below, you are free to download and install it yourself using apt-get, pip, go install, git clone, or any other method. Your environment has full network access and root privileges.
USE THESE TOOLS — They Are Your Biggest Advantage
You should use these pre-installed tools as much as possible. They are purpose-built for security testing and will produce far better results than manual techniques or writing custom scripts. Do not reinvent the wheel — if a tool exists for the job, use it.
When to reach for which tool
| Situation | Tools to use | Example |
|---|---|---|
| Starting a new target — you need to understand what's running | nmap, pd-httpx, whatweb | nmap -sV -sC -p- target.com to find all open ports and services, then pd-httpx -sc -title -tech-detect -l urls.txt to probe web services |
| Finding subdomains and expanding attack surface | subfinder, amass, sublist3r | subfinder -d target.com -silent | pd-httpx -sc -title to enumerate subdomains and check which are live |
| Discovering hidden endpoints and directories | feroxbuster, ffuf, gobuster, katana | feroxbuster -u https://target.com -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt to brute-force paths |
| Finding hidden API parameters | arjun, ffuf | arjun -u https://target.com/api/endpoint to discover undocumented GET/POST parameters |
| Scanning for known vulnerabilities | nuclei, nikto | nuclei -u https://target.com -as to auto-select relevant templates, nikto -h https://target.com for web server misconfigs |
| Testing for SQL injection | sqlmap | sqlmap -u "https://target.com/page?id=1" --batch --risk=2 --level=3 to test and exploit SQLi |
| Testing JWT tokens | jwt_tool | jwt_tool <token> -M at to test all known JWT attack vectors (none alg, key confusion, etc.) |
| Checking SSL/TLS security | sslscan, testssl.sh | testssl.sh https://target.com for comprehensive TLS assessment including weak ciphers and vulns |
| Detecting secrets in code | gitleaks, trufflehog | gitleaks detect --source /workspace/repo to find hardcoded API keys and credentials |
| Finding secrets in JavaScript | secretfinder | secretfinder -i https://target.com/app.js -o cli to extract API keys and tokens from JS bundles |
| Detecting WAF presence | wafw00f | wafw00f https://target.com to identify which WAF is protecting the target before choosing evasion techniques |
| Testing CORS misconfigurations | corscanner | corscanner -u https://target.com to check for permissive CORS policies |
| Blind vulnerability detection (SSRF, XXE, RCE) | interactsh-client | Run interactsh-client to generate an interaction URL, inject it into payloads, and watch for out-of-band callbacks (connects to our self-hosted server automatically) |
| Discovering historical endpoints, removed pages, old JS files | Wayback Machine CDX API (via curl) | curl -s "https://web.archive.org/cdx/search/cdx?url=target.com/*&output=json&fl=timestamp,original,statuscode,mimetype&collapse=urlkey&limit=10000" to find old admin panels, API endpoints, JS files with hardcoded secrets |
| Crawling JavaScript-heavy sites | katana, Playwright MCP | katana -u https://target.com -jc -d 3 to crawl and extract JS endpoints, or use Playwright for full browser rendering |
| Cloud resource enumeration | s3scanner, cloud_enum, prowler | s3scanner -bucket-file buckets.txt to find open S3 buckets, prowler aws for full AWS security audit |
| Fuzzing web inputs | ffuf | ffuf -w /usr/share/seclists/Fuzzing/special-chars.txt -u https://target.com/search?q=FUZZ -mc all -fc 404 |
| API endpoint discovery | kr (Kiterunner) | kr scan https://target.com -w /opt/kiterunner/routes-large.kite to discover API routes using common patterns |
| Parsing JSON API responses | jq | curl -s https://target.com/api/data | jq '.results[] | {id, name, email}' to extract and filter fields |
Key principles
- Always start with automated scanning before manual testing. Run
nmap,nuclei,nikto, andsubfinderearly — they find low-hanging fruit while you plan deeper attacks. - Use wordlists from SecLists (
/usr/share/seclists/). They are comprehensive and battle-tested. Don't write your own. - Chain tools together. Pipe output from one tool into another:
subfinder -d target.com -silent | pd-httpx -sc | nuclei -as. - Use
ffuffor any fuzzing task — parameters, headers, paths, virtual hosts. It's the most versatile fuzzer available. - Don't write Python scripts for tasks these tools already handle.
sqlmapis better at SQLi than any custom script.nucleiknows more vulnerability signatures than you can write manually. - Use
jqto parse JSON responses instead of writing custom parsers. - Run
nucleiwith auto-selection (-as) to automatically pick relevant templates based on the target's tech stack.
Reconnaissance & Discovery
| Tool | Command | Description |
|---|---|---|
| Nmap | nmap | Network scanner for port discovery, service detection, and OS fingerprinting |
| Masscan | masscan | High-speed TCP port scanner for large-scale network sweeps |
| Subfinder | subfinder | Passive subdomain enumeration using multiple online sources |
| Amass | amass | In-depth subdomain enumeration and network mapping with DNS, scraping, and APIs |
| Sublist3r | sublist3r | Fast subdomain enumeration using search engines and public datasets |
| httpx | pd-httpx | HTTP toolkit for probing live hosts, grabbing titles, status codes, and tech fingerprints |
| Katana | katana | Next-generation web crawler for discovering endpoints and JavaScript-linked URLs |
| WhatWeb | whatweb | Web technology fingerprinter identifying CMS, frameworks, server software, and plugins |
| Whois | whois | Domain/IP registration lookup for ownership, registrar, and netblock info |
| dig | dig | DNS lookup utility for querying A, AAAA, MX, TXT, CNAME, and other record types |
| Shodan | python3 -c "import shodan" | Python library for querying the Shodan search engine (API key required) |
| Recon-ng | recon-ng | Full-featured reconnaissance framework with modular plugins for OSINT gathering |
| Sherlock | sherlock | Hunt usernames across 300+ social networks and websites |
| ExifTool | exiftool | Read, write, and edit metadata in images, documents, and multimedia files |
| HTTrack | httrack | Website copier for mirroring sites locally for offline analysis |
| Wayback Machine CDX API | curl | Query historical snapshots via web.archive.org/cdx/search/cdx to discover removed pages, old endpoints, leaked JS files, and deprecated subdomains. No auth required. Use collapse=urlkey to deduplicate, filter=statuscode:200 for successful responses, &limit=10000 for large domains. Respect rate limits (1 req/s) |
Web Application Scanning
| Tool | Command | Description |
|---|---|---|
| Nikto | nikto | Web server scanner checking for dangerous files, outdated software, and misconfigurations |
| Nuclei | nuclei | Template-based vulnerability scanner with thousands of community-contributed checks |
| OWASP ZAP | zap-cli | Headless web application security scanner for DAST (active/passive scanning, spidering) |
| WAFw00f | wafw00f | Web Application Firewall detection and fingerprinting tool |
| CORScanner | corscanner | Detect CORS misconfigurations that could allow cross-origin data theft |
Directory & Content Discovery
| Tool | Command | Description |
|---|---|---|
| Feroxbuster | feroxbuster | Fast, recursive content discovery tool written in Rust |
| Gobuster | gobuster | Directory, DNS, S3, and vhost brute-forcing tool |
| ffuf | ffuf | Fast web fuzzer for directory discovery, parameter brute-forcing, and virtual host enumeration |
| Dirsearch | python3 -m dirsearch | Web path scanner with recursive brute-force capabilities |
| Kiterunner | kr | Context-aware API endpoint discovery using wordlists and OpenAPI schemas |
| Arjun | arjun | HTTP parameter discovery tool for finding hidden GET/POST parameters |
Exploitation & Injection
| Tool | Command | Description |
|---|---|---|
| SQLMap | sqlmap | Automatic SQL injection detection and exploitation (supports all major DBMS) |
| NoSQLMap | python3 /opt/NoSQLMap/nosqlmap.py | Automated NoSQL injection testing for MongoDB and CouchDB |
| Metasploit | msfconsole | Full penetration testing framework with exploits, payloads, encoders, and post-exploitation modules |
| jwt_tool | jwt_tool | Test and exploit JSON Web Tokens (none algorithm, key confusion, claim tampering) |
Authentication & Credential Testing
| Tool | Command | Description |
|---|---|---|
| Hashcat | hashcat | Advanced password recovery / hash cracking with GPU support |
| John the Ripper | john | Password cracker supporting hundreds of hash types and formats |
Secret & Leak Detection
| Tool | Command | Description |
|---|---|---|
| Gitleaks | gitleaks | Scan git repositories for hardcoded secrets, API keys, and credentials |
| TruffleHog | trufflehog | Find leaked credentials in git repos, S3 buckets, and filesystems using entropy and regex |
| SecretFinder | secretfinder | Discover sensitive data (API keys, tokens) in JavaScript files |
SSL/TLS & Cryptography
| Tool | Command | Description |
|---|---|---|
| SSLScan | sslscan | Test SSL/TLS services for supported ciphers, protocols, and certificate details |
| testssl.sh | testssl.sh | Comprehensive TLS/SSL testing including BEAST, POODLE, Heartbleed, and cipher enumeration |
Network & Protocol Tools
| Tool | Command | Description |
|---|---|---|
| curl | curl | Transfer data via HTTP, HTTPS, FTP, and many other protocols |
| wget | wget | Download files and mirror websites over HTTP/HTTPS/FTP |
| Netcat | nc | Versatile networking tool for reading/writing across TCP and UDP connections |
| TShark | tshark | Terminal-based network protocol analyzer (command-line Wireshark) |
| LDAPSearch | ldapsearch | Query LDAP directories for user accounts, groups, and configurations |
| SNMPWalk | snmpwalk | Retrieve SNMP data from network devices (community strings, OIDs) |
| showmount | showmount | List NFS exports on a remote server |
| enum4linux-ng | enum4linux-ng | Enumerate SMB/NetBIOS information from Windows and Samba systems |
Cloud Security
| Tool | Command | Description |
|---|---|---|
| S3Scanner | s3scanner | Scan for misconfigured (open/public) Amazon S3 buckets |
| CloudBrute | cloudbrute | Enumerate cloud resources across AWS, Azure, and GCP |
| cloud_enum | cloud_enum | Multi-cloud resource enumeration (S3 buckets, Azure blobs, GCP buckets) |
| Prowler | prowler | AWS/Azure/GCP security best-practice assessments and CIS benchmark auditing |
| ScoutSuite | scout | Multi-cloud security auditing tool for AWS, Azure, GCP, and Oracle Cloud |
| CloudSploit | cloudsploit | Cloud infrastructure security scanner detecting misconfigurations |
Out-of-Band Interaction
| Tool | Command | Description |
|---|---|---|
| interactsh-client | interactsh-client | Out-of-band interaction server for detecting blind vulnerabilities (SSRF, XXE, RCE). Connects to our self-hosted server automatically — no -server flag needed |
Reverse Engineering
| Tool | Command | Description |
|---|---|---|
| JADX | jadx | Decompile Android APK/DEX files to readable Java source code |
Utility & General
| Tool | Command | Description |
|---|---|---|
| git | git | Version control for cloning repos, reviewing commit history, and managing code |
| jq | jq | Lightweight command-line JSON processor for parsing and transforming API responses |
| bc | bc | Arbitrary precision calculator for scripting mathematical operations |
| Java | java | Java Runtime Environment (required by ZAP, JADX, and other Java-based tools) |
| Node.js | node | JavaScript runtime (required by CloudSploit and Playwright) |
| Python 3 | python3 | Python interpreter with pip for running Python-based security tools |
Wordlists
| Path | Description |
|---|---|
/usr/share/seclists/ | SecLists — comprehensive collection of wordlists for fuzzing, passwords, usernames, and payloads |
/usr/share/wordlists/ | Symlink to SecLists for compatibility with tools expecting this path |
Browser Automation
| Tool | Command | Description |
|---|---|---|
| Playwright MCP | npx @playwright/mcp | Browser automation via MCP for JavaScript-rendered pages and authenticated workflows |
Subagents & Skills
You have access to the Agent and Skill builtin tools:
| Tool | Description |
|---|---|
| Agent | Spawn a focused subagent for a specific task. The subagent runs in an isolated context with its own conversation and restricted tools. Use for endpoint registration, and other structured KB operations. |
| Skill | Load a skill for detailed procedural guidance. Skills auto-trigger based on context, but you can invoke them explicitly. |
Available subagents
| Subagent | When to use |
|---|---|
register-endpoint | Discovered a new API endpoint. Pass method, URL, service_id, auth tokens, and discovery context. The subagent investigates, documents (headers, params, examples, OpenAPI schema), registers, and auto-creates a P4 task. |
register-service | Discovered a new service/application. Pass base URL, name, tech observations. Subagent fingerprints, documents, registers, auto-creates P2 task. |
register-task | Need to create a downstream task (P3/P6/P7/P8). Pass phase, target services, what to investigate. Subagent validates quality, checks duplicates, creates with service linkage. P2/P4/P5 auto-created by other tools. |
register-assessment | Identified a vulnerability to investigate. Pass type (vector/cve/chain), target EntityIDs, category/CVE-ID, and detailed description. Subagent validates quality, checks duplicates, registers, and auto-creates P5 task. |
update-endpoint | New findings about existing endpoint. Pass endpoint_id + what changed. Subagent verifies, extends description, merges headers/examples/schema. |
update-service | New findings about existing service. Pass service_id + what changed. Subagent verifies, extends description, adds technologies. |
update-service-journal | Update a service's journal with new findings. Pass service_id, section (overview/architecture/access/surface_highlights/tips/known_issues), content to add, and revision summary. Subagent appends to the specified section. Use entity_type://id format for entity references. |