Kali Portable Full ships with a complete red team arsenal built directly into the Docker image — no additional installation required. The toolset spans twelve operational categories aligned with CEH, eJPT, and eCPPT certification objectives and covers every phase of an engagement: reconnaissance, exploitation, lateral movement, post-exploitation, and reporting. Tools are sourced from Kali’s official APT repositories, GitHub releases, and PyPI, then wired together with shell aliases so you can move fast inside the container.

Scanning & Recon

Nmap, Masscan, RustScan, Nuclei, Gobuster, FFUF, httpx, subfinder, and more

Exploitation

Metasploit Framework, ExploitDB / searchsploit, Impacket protocol suite

Web Auditing

Burp Suite Community, SQLMap, tplmap, jwt_tool, Weevely, Wfuzz, wrk

WiFi & Cracking

Hashcat (GPU), Aircrack-ng, hcxdumptool, hcxtools, Wifite, Reaver, Hydra

Active Directory

Impacket, BloodHound, NetExec, CrackMapExec, Certipy, Kerbrute, Responder

Post-Exploitation

LinPEAS, WinPEAS, pspy, Pwncat, pwntools, Linux Exploit Suggester

Forensics

Volatility 3, Binwalk, Sleuth Kit, Autopsy, Steghide, Stegseek

OSINT

Maltego, theHarvester, recon-ng, Shodan CLI, SET, RouterSploit

Scanning & Reconnaissance

The reconnaissance layer combines fast network scanners with web discovery tools so you can map a target’s attack surface in a single container session.

| Tool | Source | Purpose |
| --- | --- | --- |
| Nmap | APT (nmap) | Port scanning, service fingerprinting, NSE scripting |
| Masscan | APT (masscan) | High-speed TCP port scanning across large ranges |
| RustScan | GitHub .deb (v2.2.3) | Blazing-fast pre-scanner that hands results to Nmap |
| Nikto | APT (nikto) | Web server misconfiguration and vulnerability scanner |
| WhatWeb | APT (whatweb) | Web technology fingerprinting |
| WPScan | APT (wpscan) | WordPress-specific vulnerability scanner |
| Gobuster | APT (gobuster) | Directory, DNS, and vHost brute-forcing |
| Dirb | APT (dirb) | Classic recursive web content scanner |
| FFUF | APT + GitHub (v2.1.0) | Fast web fuzzer with full filter/match control |
| Wfuzz | APT (wfuzz) | Flexible web application fuzzer |
| SQLMap | APT (sqlmap) | Automated SQL injection detection and exploitation |
| Nuclei | GitHub (v3.3.8) | Template-based vulnerability scanning |
| httpx | GitHub (v1.6.9) | HTTP probing and web discovery at scale |
| subfinder | GitHub (v2.6.7) | Passive subdomain enumeration |
| enum4linux-ng | APT | SMB/NetBIOS enumeration for Windows targets |

Exploitation

Core exploitation frameworks and supporting libraries are installed system-wide and ready to launch from any working directory.

Metasploit Framework is installed via APT from Kali’s official repository. The msfconsole alias msf lets you open it with two keystrokes. The database is pre-configured so search, info, and use work immediately.

ExploitDB is installed alongside searchsploit for offline exploit lookup. Run searchsploit <CVE or term> to query the local database without leaving the container.

Impacket (impacket-scripts) provides the full suite of Python scripts for interacting with Windows protocols — psexec.py, secretsdump.py, wmiexec.py, and the rest are all on $PATH.

Web Auditing

Web auditing tools are installed from multiple sources and pre-linked into /usr/local/bin so every tool is immediately accessible.

| Tool | Source | Purpose |
| --- | --- | --- |
| Burp Suite Community | APT (burpsuite) | Intercepting proxy, scanner, repeater, intruder |
| SQLMap | APT (sqlmap) | SQL injection automation with tamper scripts |
| tplmap | GitHub (/opt/tplmap) | Server-Side Template Injection (SSTI) exploitation |
| jwt_tool | GitHub (/opt/jwt_tool) | JWT token analysis, forging, and algorithm confusion |
| Weevely | APT (weevely) | PHP webshell generator and manager |
| Wfuzz | APT (wfuzz) | HTTP parameter fuzzing with filter control |
| wrk | APT (wrk) | HTTP benchmarking and stress testing |
| FFUF | APT + GitHub | Directory and parameter fuzzing |
| FoxyProxy | GitHub .xpi | Saved to /root/pentest/tools/browser-extensions/ |

tplmap and jwt_tool are cloned from GitHub and symlinked to /usr/local/bin/tplmap and /usr/local/bin/jwt_tool respectively, so they behave like any other system command.

WiFi & Password Cracking

WiFi auditing tools require a USB adapter that supports monitor mode and packet injection. Launch the container in wpa2 mode (./run-kali.sh wpa2) to enable the --privileged flag needed by hcxdumptool.

| Tool | Source | Purpose |
| --- | --- | --- |
| Hashcat | APT (hashcat) | GPU-accelerated password cracking (WPA2, NTLM, MD5…) |
| John the Ripper | APT (john) | CPU-based cracker with format auto-detection |
| Hydra | APT (hydra) | Network protocol brute-forcer (SSH, FTP, HTTP…) |
| Medusa | APT (medusa) | Parallel network login brute-forcer |
| Aircrack-ng | APT (aircrack-ng) | WEP/WPA key recovery, monitor mode management |
| hcxdumptool | APT (hcxdumptool) | PMKID and EAPOL handshake capture |
| hcxtools | APT (hcxtools) | .pcapng to .hc22000 conversion for Hashcat |
| Wifite | APT (wifite) | Automated WiFi auditing framework |
| Reaver | APT (reaver) | WPS PIN brute-force attack |
| Pixiewps | APT (pixiewps) | Offline WPS Pixie Dust attack |

# Full WPA2 capture → crack workflow
./run-kali.sh wpa2               # Start container with privileged access
setup-wifi.sh                    # Put adapter into monitor mode
hcxdumptool -i wlan0mon -o /root/pentest/handshakes/capture.pcapng --active -c 6
hcxpcapngtool -o capture.hc22000 capture.pcapng
hashcat -m 22000 capture.hc22000 /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule -O

Active Directory

The AD toolkit covers every phase of a Windows domain engagement — from initial enumeration through Kerberos attacks, certificate abuse, and credential extraction.

| Tool | Source | Purpose |
| --- | --- | --- |
| Impacket | APT (impacket-scripts) | NTLM relay, Kerberos, SMB, WMI, LDAP |
| BloodHound | APT (bloodhound) | Attack path analysis and AD relationship graphing |
| NetExec | PyPI (GitHub) | Modern successor to CrackMapExec for lateral movement |
| CrackMapExec | APT (crackmapexec) | SMB, WMI, LDAP enumeration and lateral movement |
| Certipy | PyPI (certipy-ad) | Active Directory Certificate Services (ADCS) attacks |
| Kerbrute | PyPI (kerbrute) | Kerberos pre-auth user enumeration and brute-force |
| Responder | APT (responder) | LLMNR/NBT-NS/MDNS poisoning and credential capture |
| Evil-WinRM | APT (evil-winrm) | WinRM shell with upload/download and PowerShell support |
| ldapdomaindump | PyPI | LDAP-based domain enumeration and HTML report generation |
| adidnsdump | PyPI | Active Directory Integrated DNS zone enumeration |

# Common AD workflow examples
nxe smb 10.10.10.0/24 -u admin -p 'Password123'   # Enum with NetExec
responder -I eth0 -A                                 # Passive LLMNR capture
secretsdump.py domain/user:pass@dc-ip               # Dump credentials
bloodhound-python -u user -p pass -d domain.local   # Collect BloodHound data

AV Evasion

These tools are installed under /opt/ and are designed for generating and testing evasive payloads in authorized environments.

| Tool | Source | Purpose |
| --- | --- | --- |
| Veil Framework | GitHub (/opt/Veil) | AV-evasive payload generation in multiple languages |
| TheFatRat | GitHub (/opt/TheFatRat) | Backdoor generation with automatic encoding |
| Backdoor Factory | GitHub (/opt/backdoor-factory) | Inject shellcode into existing PE/ELF binaries |

AV evasion tools must only be used in authorized penetration tests or controlled lab environments. Generating malicious payloads for use against systems you do not own or have written permission to test is illegal in most jurisdictions.

Forensics

Digital forensics tools are installed system-wide and cover memory analysis, firmware inspection, disk examination, and steganography.

| Tool | Source | Purpose |
| --- | --- | --- |
| Volatility 3 | PyPI (volatility3) | Memory dump analysis and artifact extraction |
| Binwalk | APT (binwalk) | Firmware signature scanning and file extraction |
| Sleuth Kit | APT (sleuthkit) | File system layer analysis and timeline generation |
| Autopsy | APT (autopsy) | GUI front-end for Sleuth Kit investigations |
| Steghide | APT (steghide) | Embed and extract hidden data in JPEG/BMP/WAV/AU files |
| Stegseek | GitHub .deb (v0.6) | High-speed Steghide cracker using wordlists |

# Memory forensics with Volatility 3
vol -f memory.dmp windows.pslist
vol -f memory.dmp windows.netscan
vol -f memory.dmp windows.dumpfiles --pid 1234

Post-Exploitation

Post-exploitation tooling focuses on privilege escalation enumeration, process surveillance, and scriptable shell management.

| Tool | Source | Purpose |
| --- | --- | --- |
| LinPEAS | GitHub (PEASS-ng) | /opt/PEAS/linpeas.sh — automated Linux privesc enumeration |
| WinPEAS | GitHub (PEASS-ng) | /opt/PEAS/winPEASany.exe — Windows privesc enumeration |
| Linux Exploit Suggester | GitHub | /opt/privesc/linux-exploit-suggester.sh — kernel exploit hints |
| LSE (Linux Smart Enum) | GitHub | /opt/privesc/lse.sh — detailed Linux environment enumeration |
| pspy | GitHub (v1.2.1) | /opt/privesc/pspy64 — unprivileged process and cron monitoring |
| Pwncat | PyPI (pwncat-cs) | Enhanced reverse/bind shell with automatic TTY upgrade |
| pwntools | PyPI (pwntools) | CTF-focused exploit development framework |
| paramiko | PyPI | SSH2 protocol library for Python automation |

# Privilege escalation workflow
linpeas | tee /root/pentest/loot/linpeas_output.txt
les                                # Linux Exploit Suggester
/opt/privesc/pspy64               # Monitor processes without root

Networking & Tunneling

Full traffic analysis and tunneling stack for pivoting through multi-hop networks and routing traffic through compromised hosts.

| Tool | Source | Purpose |
| --- | --- | --- |
| Wireshark | APT (wireshark) + X11 | Full GUI packet analysis (forwarded via $DISPLAY) |
| TCPDump | APT (tcpdump) | CLI packet capture with BPF filter support |
| Netcat | APT (netcat-openbsd) | TCP/UDP Swiss army knife |
| Socat | APT (socat) | Bidirectional relay with SSL/TLS support |
| Proxychains-ng | APT (proxychains-ng) | Route tool traffic through SOCKS4/5 or HTTP proxies |
| Chisel | APT (chisel) | HTTP-tunneled TCP port forwarding |
| Ligolo-ng | GitHub (v0.6.2) | Reverse tunnel agent for transparent network pivoting |
| SSHuttle | APT (sshuttle) | VPN-over-SSH for full subnet routing |
| OpenVPN | APT (openvpn) | Connect to TryHackMe and HackTheBox VPN configs |

# TryHackMe / HackTheBox VPN
openvpn --config /root/pentest/vpn/your_config.ovpn --dev tun

# Pivot with Ligolo-ng agent
ligolo-ng_agent -connect <proxy-ip>:11601 -ignore-cert

# Chisel port forward
chisel client <server>:8080 R:3389:localhost:3389

OSINT & Social Engineering

Open-source intelligence tools and social engineering frameworks for information gathering and phishing simulation.

| Tool | Source | Purpose |
| --- | --- | --- |
| Maltego | APT (maltego) | Visual link analysis and OSINT graph exploration |
| theHarvester | APT (theharvester) | Email, subdomain, and host discovery from public sources |
| recon-ng | APT (recon-ng) | Modular web reconnaissance framework |
| Shodan CLI | PyPI (shodan) | Query Shodan’s internet scan database from the CLI |
| Social Engineer Toolkit | GitHub (/opt/set) | Phishing, credential harvesting, and payload delivery |
| RouterSploit | GitHub (/opt/routersploit) | Exploitation framework for embedded devices and SCADA |

Mobile Hacking

Android reverse engineering and mobile security assessment tools for APK analysis and static/dynamic testing.

| Tool | Source | Purpose |
| --- | --- | --- |
| APKTool | APT (apktool) | Decompile, modify, and recompile APK files |
| Dex2Jar | APT (dex2jar) | Convert .dex bytecode to .jar for Java decompilers |
| JADX | GitHub (v1.5.1) | Decompile Dalvik bytecode to readable Java source |
| JADX-GUI | GitHub (v1.5.1) | Graphical APK explorer (via X11 forwarding) |
| MobSF | GitHub (/opt/mobsf) | Automated static/dynamic mobile security analysis |

JADX and JADX-GUI are installed to /opt/jadx/ and symlinked at /usr/local/bin/jadx and /usr/local/bin/jadx-gui. GUI tools require X11 forwarding, which run-kali.sh enables automatically via xhost +local:docker.

Shell Aliases

The following aliases are written to /root/.bashrc during the image build, making frequently used tools instantly accessible:

| Alias | Expands To | Tool |
| --- | --- | --- |
| msf | msfconsole | Metasploit Framework console |
| nxe | netexec | NetExec (CrackMapExec successor) |
| cme | crackmapexec | CrackMapExec |
| hc | hashcat | Hashcat password cracker |
| veil | /opt/Veil/Veil.py | Veil Framework |
| fatrat | cd /opt/TheFatRat && ./fatrat | TheFatRat backdoor generator |
| vol | vol | Volatility 3 |
| set | setoolkit | Social Engineer Toolkit |
| rsf | routersploit | RouterSploit |
| linpeas | /opt/PEAS/linpeas.sh | LinPEAS privilege escalation enum |
| les | /opt/privesc/linux-exploit-suggester.sh | Linux Exploit Suggester |

The shell also adds /root/pentest/scripts to $PATH, so any custom scripts you drop into ./data/scripts/ on the host are immediately executable inside the container.
