Tooling

Exploit DBs & Cheat Sheets

HackTricks, GTFOBins, LOLBAS, PayloadsAllTheThings, Exploit-DB, OWASP Cheat Sheets.

The "where do I look this up fast" reference layer. These are the resources you'll bookmark and revisit weekly. For training labs see Security Training Platforms. For CTF tools see CTF Tools (pwntools). For active scanning see Vulnerability Scanners (Nuclei).

Mega-references

  • ★ ★ HackTricks (Carlos Polop) — vast offensive-security wiki; per-port, per-tech walkthroughs; AD, cloud, mobile, web, binary, ICS. The single most-cited reference 2024–26. Free; donations welcome.
  • ★ ★ PayloadsAllTheThings (swisskyrepo) — the canonical payload + technique cheatsheets for every web vuln. Free.
  • OWASP Cheat Sheet Series — defender-side, the reference for how to do crypto / auth / sessions / XSS-prevention / GraphQL / etc. correctly. Free.
  • WebGoat / Juice Shop / DVWA — vulnerable apps for hands-on; see Security Training Platforms.

Living-off-the-land catalogues

  • GTFOBins — Unix binaries that can be abused for privesc, file write/read, shell, suid, sudo, capabilities. Free.
  • LOLBAS (Living Off The Land Binaries And Scripts) — the Windows equivalent; binaries / scripts / libraries shipped with Windows that attackers (ab)use. Free.
  • WTFBins — Windows oddities.
  • LOLDrivers — vulnerable signed Windows drivers (BYOVD attacks).
  • LOLAPPs — third-party apps with attack potential.
  • LOOBins — macOS equivalent.
  • LOLOL.farm / LOLBAS-style umbrella site.

Public exploits / CVE references

  • Exploit-DB (Offensive Security) — searchable archive of public exploits + shellcode + papers. Free.
  • searchsploit — Exploit-DB CLI; ships with Kali.
  • Packet Storm Security — older but vast archive.
  • GitHub PoC reposnomi-sec/PoC-in-GitHub aggregates them; many CVEs first appear as awesome-cve-poc repos.
  • CVE Trends / cvetrends.com — what's hot right now.
  • NVD / MITRE CVE — official; see Threat Intelligence (MISP).
  • EPSS (FIRST.org) — exploit-likelihood scoring.
  • VulnCheck — paid; high-quality CVE-with-PoC enrichment.
  • Trickest CVE PoC scraper — automated PoC pulls.
  • Vulmon — search engine.
  • CVE Crowd (community discussions).

Wordlists / payload-lists

  • SecLists (danielmiessler) — passwords, usernames, fuzzing payloads, web content discovery, shells. Free.
  • AssetNote wordlists — best-of-breed by tech.
  • PayloadBox — XSS / SQLi / SSTI / SSRF / NoSQLi / LDAPi payload sets.
  • fuzzdb / Brutas / Probable-Wordlists — older corpora.
  • OneListForAll (six2dez) — combined.

OWASP top references

  • OWASP Top 10 (web), API Security Top 10, Mobile Top 10, LLM Top 10 (2024 v2), Cloud-Native Top 10.
  • OWASP MASTG (Mobile App Security Testing Guide) — see Mobile Pentesting.
  • OWASP ASVS (Application Security Verification Standard).
  • OWASP WSTG (Web Security Testing Guide).
  • OWASP Cheat Sheet Series — see above.

Specific technique references

  • AD-attacks / The-Hacker-Recipes (TH3R3CIP3S) — broad pentest cookbook; AD-heavy. Free.
  • Internal-AllTheThings — internal-network cheatsheet.
  • Active Directory Exploitation Cheat Sheet — many GitHub repos with this exact name.
  • PEASS-ng cheatsheets (privesc).
  • Pentestmonkey reverse-shell cheatsheet — old but eternal.
  • ired.team (M Mertens) — red-team techniques wiki; thorough Windows post-ex.
  • adsecurity.org (Sean Metcalf) — AD security blog / reference.
  • specterops.io blog / Posts on BloodHound / Cobalt Strike.

Cloud / infra

  • HackTricks Cloud — free dedicated section.
  • Bishop Fox / NetSPI / Datadog Stratus blog — practical write-ups.
  • AWS / Azure / GCP threat matrices — Microsoft / Cloud-Native CNCF.
  • CIS Benchmarks — see Server Hardening.
  • NIST CSF / 800-53 / 800-171 — government posture.

Dev secure-code references

  • Snyk Learn — free; tutorial-style.
  • Hacksplaining — paid + free.
  • SecureFlag — paid.
  • OWASP Cheat Sheets — see above.
  • Mozilla Web Security Guidelines — free.
  • Google's Secure-Coding Library.

Search engines for offensive recon

  • GHDB (Google Hacking Database; Exploit-DB) — dorks. Free.
  • Pagodo — automate GHDB.
  • Shodan / Censys / FOFA — see OSINT & Recon.

Pick this if…

  • Default offensive reference: HackTricks + PayloadsAllTheThings.
  • Default defender reference: OWASP Cheat Sheets + ASVS.
  • Privilege escalation: GTFOBins (Unix) + LOLBAS (Windows).
  • Public exploits: Exploit-DB / searchsploit / nomi-sec PoC-in-GitHub.
  • AD techniques: The-Hacker-Recipes + adsecurity.org + ired.team.
  • CVE intel feed: Vulmon / CVE Trends / EPSS.

On this page