awesome-pentest is a curated list of penetration testing tools, books, training resources, and online references covering the full offensive security lifecycle — from initial OSINT and reconnaissance through exploitation, lateral movement, and exfiltration.
## Why I starred it
Penetration testing tooling is sprawling and poorly documented at the ecosystem level. Individual tools have their own docs, but if you're standing up a red team environment or doing a security audit on an unfamiliar stack, you end up chasing links across blog posts, Discord threads, and Kali package lists. This repo is an attempt to solve that navigation problem.
What stood out when I opened it: the taxonomy is actually good. Most "awesome lists" are flat dumps. This one groups tools by attack phase — network recon, privilege escalation, AV evasion, exfiltration, OSINT — which mirrors how an engagement actually runs. You can follow the structure as a rough mental model of the attack lifecycle, not just a lookup table.
It's been active since 2014 and had its last commit pushed in January 2026. 25,800+ stars. That's not a stale bookmark dump.
## How it works
There's no code to run here — this is a markdown reference document. But reading the structure as an artifact tells you something.
The README is organized into ~30 top-level sections, most with subsections:
- Network Tools
- DDoS Tools
- Network Reconnaissance Tools
- Protocol Analyzers and Sniffers
- Proxies and MITM Tools
- TLS Tools
- Wireless Network Tools
- OSINT
- Dorking Tools
- Email Search and Analysis
- Metadata Harvesting
- Network Device Discovery
- Web Exploitation
- Intercepting Web Proxies
- Web File Inclusion Tools
- Web Injection Tools
- Path Discovery and Bruteforcing
- Web Shells and C2 Frameworks
The section ordering loosely maps to a kill chain: discover the target (OSINT, network recon) → gain access (web exploitation, multi-paradigm frameworks) → escalate (privilege escalation, password spraying) → persist and exfiltrate (C2, exfiltration tools). That structure makes it usable as a workflow checklist, not just an index.
A few areas I looked at closely:
The Exfiltration section is one of the more unusual entries. It includes dnscat2 for encrypted C2 over DNS, Iodine for tunneling IPv4 through DNS, and QueenSono for ICMP-based data exfiltration. These aren't common tools in most security lists — they reflect actual post-exploitation tradecraft for environments where HTTP egress is blocked.
AV Evasion lists tools like Veil, Shellter, and peCloakCapstone. These are practical red team tools for payload staging against endpoint security, not theoretical research — and they have direct links to usable project pages rather than dead academic references.
OSINT subsections are particularly dense. The dorking tools section alone has 10+ entries ranging from dorkbot (automates Google search vulnerability scanning) to github-dorks (scans repos for leaked credentials). The metadata harvesting section includes FOCA, which extracts internal organizational structures from document metadata.
One honest observation from browsing the commit history: link rot is a real problem. A recent commit specifically fixed a cSploit URL that had been hijacked by adware/parking pages. The maintainer is catching these, but in a list of 300+ tools, some dead links are inevitable.
## Using it
This is a reference list, so "using it" means knowing how to navigate it. A few practical patterns:
Phase-based lookup during an engagement:
```bash
# You're at post-exploitation on a Linux box with SSH access
# Jump to: GNU/Linux Utilities -> Privilege Escalation Tools
# Hwacha: execute payloads via SSH across multiple hosts
git clone https://github.com/n00py/Hwacha
# Linux Exploit Suggester: heuristic detection of viable local exploits
git clone https://github.com/PenturaLabs/Linux_Exploit_Suggester
cd Linux_Exploit_Suggester
# -k takes the target's kernel version, as reported by `uname -r`
perl Linux_Exploit_Suggester.pl -k 4.15.0
```
OSINT recon workflow:
```bash
# From the OSINT section: network device discovery
# Shodan CLI for finding exposed devices
shodan search "product:nginx port:8443 country:US"
# theHarvester for email and subdomain enumeration
python3 theHarvester.py -d target.com -b google,bing,shodan
```
CTF setup using ctf-tools:
```bash
# From the CTF Tools section
git clone https://github.com/zardus/ctf-tools
cd ctf-tools
# One-time setup, then install the specific tools needed for a competition
bin/manage-tools setup
bin/manage-tools install pwndbg
bin/manage-tools install angr
bin/manage-tools install radare2
```
The Multi-paradigm Frameworks section is where the heavier platforms live — Metasploit, Cobalt Strike, Empire, Covenant. These are the actual command-and-control platforms that would orchestrate a full engagement, with the rest of the list covering their supporting tooling.
## Rough edges
The list has real gaps and inconsistencies worth knowing about:
- No versioning or date stamps on entries. A tool added in 2016 looks identical to one added in 2025. Some listed projects are unmaintained; you need to click through and check individually.
- Link rot is ongoing. With 300+ links, some percentage are dead or redirected at any given time. The maintainer actively cleans these up but can't catch everything.
- No installation instructions or usage notes. Every entry is a one-liner description. For someone learning offensive security, this is a map with no terrain — you know what's out there but not how to use it. That's probably intentional (it's a reference list, not a tutorial), but it does mean the list has limited value beyond navigation.
- Coverage is uneven. Web exploitation has 8 subsections with deep coverage. Container security and Kubernetes attack tooling are largely absent. Cloud attack tools exist as a single flat section. For modern infrastructure testing, the list is visibly more traditional-IT-focused.
- No severity or quality ranking. A well-maintained, actively developed tool sits next to an abandoned PoC with no distinction between them.
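The link-rot problem (noted in the commit-history observation above and again in this list) is easy to audit yourself before trusting an entry. This is an added example, not code from awesome-pentest: it pulls the markdown links out of a README, checks each one through an injectable `fetch` callable, and flags entries that are dead or that now land on a different registrable domain, the pattern behind a parked or hijacked project URL. The sample README and canned responses are constructed so it runs offline; `http_fetch` is the live variant.

```python
import re
import urllib.error, urllib.request
from urllib.parse import urlparse
# Markdown links of the form [name](http...) as used in the awesome-pentest README.
LINK_RE = re.compile(r"\[([^\]]+)\]\((https?://[^)\s]+)\)")
def extract_links(markdown):
    return [(m.group(1), m.group(2)) for m in LINK_RE.finditer(markdown)]
def registrable_domain(host):
    # Last-two-labels heuristic: enough to spot github.com -> parking-lander.example
    return ".".join(host.lower().split(":")[0].split(".")[-2:])
def classify(url, status, final_url):
    """Verdict for one link: 'error', 'dead', 'redirected-offsite' or 'ok'."""
    if status is None:
        return "error"  # the request itself failed (DNS, timeout, refused)
    if status >= 400:
        return "dead"
    if registrable_domain(urlparse(final_url).netloc) != registrable_domain(urlparse(url).netloc):
        return "redirected-offsite"  # signature of a parked or hijacked project URL
    return "ok"
def audit(markdown, fetch):
    """fetch(url) -> (status, final_url); injected so the audit can run offline."""
    results = []
    for name, url in extract_links(markdown):
        try:
            status, final_url = fetch(url)
        except Exception:
            status, final_url = None, url
        results.append((name, url, final_url, classify(url, status, final_url)))
    return results
def http_fetch(url, timeout=10):
    """Live fetcher: HEAD request that follows redirects and reports the final URL."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "link-audit"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.geturl()
    except urllib.error.HTTPError as err:
        return err.code, getattr(err, "url", None) or url

# Constructed sample README and canned responses so the example runs without network.
SAMPLE_README = """- [good-tool](https://github.com/example-org/good-tool) - Maintained.
- [gone-tool](https://github.com/example-org/gone-tool) - Repository deleted.
- [hijacked-tool](https://hijacked-tool.example/) - Project domain lapsed and parked."""
CANNED = {
    "https://github.com/example-org/good-tool": (200, "https://github.com/example-org/good-tool"),
    "https://github.com/example-org/gone-tool": (404, "https://github.com/example-org/gone-tool"),
    "https://hijacked-tool.example/": (200, "https://parking-lander.example/?d=hijacked-tool"),
}
if __name__ == "__main__":
    for name, url, final_url, verdict in audit(SAMPLE_README, CANNED.__getitem__):
        print(f"{verdict:18} {name:14} {url} -> {final_url}")
```

Against the real README, pass `http_fetch` instead of `CANNED.__getitem__` and review anything not marked `ok`.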
## Bottom line
If you're building out a security lab, onboarding onto a red team, or working through a CTF and need to find the right tool for a specific attack phase, this list is the fastest starting point that exists. Treat individual entries as leads to verify, not endorsements.
