BlackArch Arsenal

Design and evaluate social engineering campaigns including phishing, pretexting, vishing, and physical social engineering. Inspired by SET, GoPhish, and King Phisher.

• Phishing campaign design with customizable pretexts
• Employee susceptibility risk scoring
• MITRE ATT&CK Initial Access mapping (T1566, T1078)
• NIST 800-53 AT-2/AT-3 compliance evidence

Assess WiFi, Bluetooth, and RF security for enterprise environments. Inspired by Aircrack-ng, Wifite, Kismet, and Bettercap.

• Rogue AP and evil twin detection strategies
• WPA2/WPA3/Enterprise encryption assessment
• 802.1X/RADIUS configuration audit
• NIST 800-53 AC-18/SC-40 compliance

Comprehensive web application security assessments following OWASP Top 10 and ASVS methodologies. Inspired by Burp Suite, SQLmap, OWASP ZAP, and Nikto.

• Injection testing (SQL, NoSQL, LDAP, OS command)
• Authentication and session management audit
• XSS, CSRF, SSRF attack vector identification
• API security testing (BOLA, BFLA, mass assignment)

Assess password policies, credential storage, and authentication mechanisms. Inspired by Hashcat, John the Ripper, Hydra, and Mimikatz.

• NIST 800-63B password policy assessment
• Brute force resistance with estimated crack times
• Kerberoasting and AS-REP roasting analysis
• MFA implementation effectiveness review

Analyze how adversaries bypass security controls including AV/EDR, IDS/IPS, and application whitelisting. Inspired by Veil-Evasion, Shellter, and msfvenom.

• AV/EDR bypass risk analysis (fileless, LOLBins)
• AMSI and ETW bypass vulnerability assessment
• Network evasion (encrypted C2, DNS tunneling)
• Behavioral detection improvement recommendations

Discovers undocumented VLANs, VLAN hopping paths, and misconfigured trunk ports that network teams forgot about. Maps the "shadow network" — the actual topology vs. what's documented. Solves the #1 enterprise problem: stale network documentation.

• CDP/LLDP passive harvesting to map trunk links and native VLANs
• DTP negotiation testing for VLAN hopping via double-tagging (802.1Q)
• ARP sweep correlation across VLANs to find inter-VLAN leak paths
• Auto-generates corrected network topology diagrams vs. documented state

Simulates BGP prefix hijacking, route leaking, and OSPF/EIGRP neighbor spoofing in a controlled environment. Most organizations have zero visibility into whether their routing infrastructure would resist a state-level BGP attack. This tool creates safe simulations.

• BGP prefix hijack simulation with AS path prepending analysis
• RPKI/ROA validation coverage assessment for your prefixes
• OSPF LSA injection testing with area boundary analysis
• Generates MANRS compliance checklist and remediation plan

Mines Certificate Transparency logs to discover shadow infrastructure, staging servers, internal hostnames leaked in SANs, and wildcard cert misuse. Turns defensive CT logs into an offensive recon goldmine that most orgs don't realize they're exposing.

• CT log mining for subdomain discovery and infrastructure mapping
• Wildcard cert abuse detection — find shared certs across trust boundaries
• Certificate pinning bypass strategy generation per target
• Internal hostname leak detection from SAN/CN fields

Automates DNS rebinding attacks against internal services exposed to browsers. The forgotten attack vector — most WAFs, firewalls, and security tools completely ignore DNS rebinding because it bypasses network-layer controls by abusing browser trust.

• Automated DNS rebinding payload generation for internal service access
• Target IoT devices, printers, and IPMI/iLO interfaces on internal nets
• Browser-based port scanning through rebinding pivot chains
• Tests split-horizon DNS and DNS pinning effectiveness

Most enterprise networks have IPv6 enabled but unmonitored — a massive blind spot. This tool discovers IPv6-only services, dual-stack misconfigurations, SLAAC spoofing opportunities, and rogue RA (Router Advertisement) injection points that evade IPv4-focused security stacks.

• Rogue Router Advertisement injection for MITM via SLAAC
• DHCPv6 DNS takeover for credential harvesting
• IPv6 tunnel detection (6to4, Teredo, ISATAP) bypassing IPv4 firewalls
• Dual-stack firewall rule gap analysis — finds IPv6 paths around IPv4 ACLs

Maps every possible data exfiltration path from cloud environments — DNS-over-HTTPS, ICMP tunneling, steganography in allowed SaaS uploads, and cloud-native service abuse (S3, Azure Blob, GCS). Proves that perimeter firewalls are irrelevant in cloud-native architectures.

• DNS-over-HTTPS (DoH) exfil testing through corporate proxies
• ICMP tunneling and ping-based data channels
• Cloud storage service abuse (S3/GCS/Azure Blob cross-account)
• Measures DLP effectiveness with controlled exfil simulations

Tests whether your 802.1X/NAC implementation actually stops unauthorized devices. Most enterprises spend six figures on NAC but never validate it. This tool finds MAC bypass paths, 802.1X EAP downgrade attacks, and MAB (MAC Authentication Bypass) exploitation vectors.

• 802.1X EAP-TLS/PEAP/TTLS downgrade and relay attacks
• MAC Authentication Bypass (MAB) spoofing with learned addresses
• VLAN assignment manipulation after successful NAC auth
• Profiling bypass via device fingerprint spoofing (CDP/DHCP/HTTP UA)

Tests lateral movement paths that microsegmentation vendors claim to block. Most zero-trust deployments only enforce north-south controls. This tool maps actual east-west paths between workloads, finds segmentation gaps, and proves whether your microsegmentation actually works.

• Service mesh sidecar bypass testing (Istio/Linkerd/Consul Connect)
• Kubernetes network policy escape via hostNetwork/CNI misconfig
• Windows service account lateral movement chain mapping
• Generates microsegmentation gap heatmap with remediation priority

Deploys rogue network services (DHCP, DNS, WPAD, LLMNR, mDNS, NBNS) to test whether the network detects and blocks unauthorized protocol responses. The classic "Responder" attack upgraded for modern enterprise networks with relay and coercion chains.

• LLMNR/NBNS/mDNS poisoning with NTLMv2 hash capture
• Rogue DHCP server deployment with gateway hijacking
• WPAD proxy injection for credential interception
• NTLM relay chain mapping (PetitPotam/PrinterBug/ShadowCoerce)

Attacks the control plane of software-defined networks. Most SDN deployments (OpenFlow, VXLAN, Cisco ACI, VMware NSX) have management APIs that are poorly secured. This tool tests whether an attacker who compromises one server can reprogram the entire network fabric.

• OpenFlow controller exploitation and flow table manipulation
• VXLAN header injection to break network segmentation
• NSX/ACI management API credential discovery and abuse
• SDN controller DoS resilience testing

Fuzzes network protocols used by IoT and OT devices that traditional scanners ignore — Modbus, BACnet, MQTT, CoAP, Zigbee, and printer languages (PJL/PCL/IPP). These devices are on your network, rarely patched, and running protocols designed before security existed.

• Modbus TCP/RTU command injection and register manipulation
• MQTT broker authentication bypass and topic enumeration
• Printer exploitation (PJL/PCL directory traversal, firmware dump)
• BACnet/IP device discovery and property enumeration

Identifies malicious traffic patterns without breaking encryption — using packet timing, size distributions, TLS metadata, and JA4+ fingerprints. Proves whether your "encrypted = safe" assumption is wrong. Most C2 frameworks have detectable traffic fingerprints even over TLS 1.3.

• JA4+/JA3S fingerprint database for known C2 frameworks (Cobalt Strike, Sliver, Brute Ratel)
• Packet timing analysis for beaconing detection (jitter patterns)
• TLS certificate anomaly detection (self-signed, short-lived, Let's Encrypt staging)
• ESNI/ECH detection for DNS-based blocking strategy validation