Tooling

Exploitation Frameworks (Metasploit, etc.)

Metasploit, exploit dev kits, and post-exploitation frameworks.

Once you have a vuln, you need a payload, a delivery, and a way to keep a foothold. Exploitation frameworks bundle modules, payloads, and post-ex tooling. For dedicated red-team C2 platforms see Red Team C2 (Sliver, Mythic). For AD-specific post-ex see Active Directory Pentesting. On the defensive side, alerts come from Runtime Security (Falco, Tetragon) and EDR / OSQuery.

The reference framework

  • ★ ★ Metasploit Framework (Rapid7) — the universal exploitation framework; 2,300+ exploits, 1,400+ auxiliary modules, Meterpreter post-ex agent. Free / OSS; Pro paid adds GUI, reporting, evasion. Still the entrance ramp every pentester learns. Free CE.
    • msfvenom — payload generator (msfvenom -p windows/x64/meterpreter/reverse_https LHOST=… -f exe).
    • msfconsole — the interactive REPL.
    • Resource scripts (.rc) — automate setups.
    • Note: Meterpreter is loud against modern EDR; for stealth use Sliver / Mythic (Red Team C2).

Open-source modern alternatives

  • Sliver (BishopFox) — modern Go / mTLS C2; multi-protocol (mTLS, WireGuard, HTTPS, DNS); dynamic compilation per-implant; cross-platform implants. The mainstream FOSS replacement for Cobalt Strike. Free.
  • Mythic (its-a-feature) — agnostic C2 framework; many community agents (Apollo, Athena, Poseidon, Medusa); Docker-deployed. Free.
  • Havoc (C5pider) — modern C2 written in C++ / Qt; Cobalt-Strike-like UX; popular 2023–26. Free.
  • AdaptixC2 — newer C2 (2024); pluggable extenders; gaining traction.
  • Empire / Starkiller (BC-Security fork) — PowerShell + Python post-ex framework; Starkiller is the web GUI. Free.
  • Covenant — .NET C2; Elite agent; less active 2024+.
  • Merlin — HTTP/2 C2; legacy.
  • NimPlant — Nim-language stealthy implant; fun for AV evasion training.

Commercial / paid

  • Cobalt Strike (Fortra) — the industry incumbent for red teams; ~$5,900/seat/yr; Beacon implant, Malleable C2 profiles. Heavily fingerprinted by EDR vendors at this point.
  • Brute Ratel C4 (Chetan Nayak) — paid (~$2,500/yr); newer, IR-evasion focused.
  • Outflank Security Tooling (OST) — paid; curated red-team kits.
  • Manjaro Tactical — community Cobalt-style ops-platform.

Exploit development / shellcode

  • pwntools — Python exploit-dev framework; ROP, formatstring, gadget search, remote/local glue. The CTF / binary-exploit standard. Free. See CTF Tools (pwntools).
  • Pwndbg / GEF / PEDA — gdb extensions for exploit dev.
  • ROPgadget / Ropper / one_gadget — ROP gadget hunters.
  • angr — symbolic execution; CTF binary auto-solver toolkit.
  • Shellcoder's handbook toolingmsfvenom, shellnoob, scdbg, xc.

Web exploit / browser

  • BeEF (Browser Exploitation Framework) — XSS-to-browser-control; legacy but still funny.
  • XSStrike, Dalfox — XSS scanners + payload helpers.
  • SQLMap — automated SQL injection / DB takeover. The reference for SQLi.
  • NoSQLMap — NoSQL injection.
  • Commix — command-injection framework.

Privilege escalation helpers

  • WinPEAS / LinPEAS (PEASS-ng) — privesc enumeration scripts; the default first-thing-after-shell.
  • PowerUp / PrivescCheck — Windows privesc.
  • GTFOBins + LOLBAS — see Exploit DB & Cheatsheets.
  • Linux Smart Enumeration (LSE) — quieter than LinPEAS.
  • BeRoot — Win/Linux privesc.

Payload generation / encoding

  • msfvenom — Metasploit's payload tool.
  • Donut — generate position-independent shellcode from .NET / EXE.
  • PEzor / scarecrow / freeze — modern payload obfuscation / EDR-evasion (loud territory; expect detection).
  • Shellter — PE injector.
  • Veil (legacy) — payload encoder.

Loaders / post-exploitation tooling

  • Cobalt Strike Beacon, Sliver implants, Havoc demons — covered above.
  • NimPlant, GoMet — language-experiment implants for AV-evasion learning.
  • PowerShell Empire / Starkiller — see above.
  • PE-sieve / Moneta / Hollows Hunter — defender side; detect injected modules.

Pick this if…

  • Default learning / pentest framework: Metasploit Framework (free).
  • Modern open-source C2, Cobalt Strike alternative: Sliver.
  • Highly customizable C2 with many agents: Mythic.
  • Cobalt-Strike-like UX, FOSS: Havoc.
  • Exploit dev / CTF binary work: pwntools + GEF/Pwndbg.
  • Authorized red team with budget, mature ops: Cobalt Strike or Brute Ratel.
  • AD-specific post-ex: see Active Directory Pentesting.

On this page