# Toolkit

> Every tool pre-installed in the darkops sandbox

Each audit runs in a fresh **darkops sandbox** — a hardened Ubuntu desktop with the offensive security toolkit pre-installed and ready. GigaOps has full bash access to all of these tools.

The sandbox is provisioned per-audit, used for the duration of the engagement, and destroyed at completion. No state leaks between engagements.

## Reconnaissance & scanning

| Tool        | Purpose                                                                            |
| ----------- | ---------------------------------------------------------------------------------- |
| `nmap`      | Port and service scanning. Default `-T2` for stealth, configurable per engagement. |
| `masscan`   | High-speed port scanning across wide IP ranges                                     |
| `httpx`     | HTTP probing, fingerprinting, status discovery                                     |
| `whatweb`   | Web application fingerprinting                                                     |
| `wafw00f`   | WAF identification                                                                 |
| `subfinder` | Active subdomain discovery (used after passive OSINT)                              |
| `dnsx`      | DNS resolution and validation                                                      |

## Content discovery

| Tool          | Purpose                                           |
| ------------- | ------------------------------------------------- |
| `feroxbuster` | Recursive content discovery                       |
| `ffuf`        | Web fuzzer for endpoints, parameters, and headers |
| `gobuster`    | Directory and DNS brute force                     |
| `katana`      | Web crawler for endpoint discovery                |

## Vulnerability scanning

| Tool       | Purpose                                                     |
| ---------- | ----------------------------------------------------------- |
| `nuclei`   | Templated vulnerability scanning with curated template sets |
| `dalfox`   | XSS scanner with DOM and reflected payload coverage         |
| `xsstrike` | Advanced XSS detection with payload mutation                |
| `wfuzz`    | Parameter fuzzing for injection points                      |
| `jwt_tool` | JWT vulnerability scanner                                   |

## Exploitation

| Tool          | Purpose                                                                              |
| ------------- | ------------------------------------------------------------------------------------ |
| `sqlmap`      | SQL injection detection and exploitation. Deep mode: `--level 5 --risk 3 --delay 2`. |
| `commix`      | Command injection scanner and exploiter                                              |
| `tplmap`      | Server-side template injection exploitation                                          |
| `XXEinjector` | XML External Entity exploitation                                                     |
| `ssrfmap`     | Server-side request forgery exploitation                                             |

## Authentication attacks

| Tool      | Purpose                                               |
| --------- | ----------------------------------------------------- |
| `hydra`   | Network service brute force (rate-limited by default) |
| `hashcat` | Hash cracking                                         |
| `john`    | Password cracking                                     |
| `CeWL`    | Custom wordlist generation from target content        |
| `cupp`    | Common user password profiler                         |

## Post-exploitation (Deep & Autonomous only)

| Tool             | Purpose                                                                 |
| ---------------- | ----------------------------------------------------------------------- |
| `linpeas`        | Linux privilege escalation enumeration                                  |
| `pspy`           | Linux process snooping                                                  |
| `impacket` suite | Windows / Active Directory toolset (secretsdump, smbexec, psexec, etc.) |
| `bloodhound`     | Active Directory attack path analysis                                   |
| `crackmapexec`   | Multi-protocol AD attack tool (SMB, WinRM, RDP, LDAP, etc.)             |
| `evil-winrm`     | Interactive WinRM shells                                                |

## Cloud

| Tool         | Purpose                                                |
| ------------ | ------------------------------------------------------ |
| `pacu`       | AWS exploitation framework                             |
| `awscli`     | AWS CLI for resource enumeration and access testing    |
| `s3scanner`  | S3 bucket enumeration and access checking              |
| `cloud_enum` | Multi-cloud (AWS, Azure, GCP) public asset enumeration |

## Exfiltration testing

| Tool      | Purpose                                 |
| --------- | --------------------------------------- |
| `dnscat2` | DNS tunneling for exfil path validation |
| `iodine`  | IP-over-DNS tunneling                   |

## Wordlists

Standard offensive wordlists are pre-loaded:

* `rockyou.txt`
* `common.txt`
* SecLists collection
* API endpoint wordlists
* Subdomain wordlists

GigaOps generates target-specific wordlists with `CeWL` for engagements that benefit from custom dictionaries.

## Browser

The sandbox includes a full Chromium installation for any web target interaction that requires a real browser — JavaScript-heavy SPAs, complex auth flows, CSRF token handling, etc.

## Adding your own tools

The sandbox runs Ubuntu with full apt access. GigaOps can install additional tools on demand within an engagement — for example, fetching the latest version of `nuclei`'s template set, or installing a CVE-specific PoC repo from GitHub.

For Autonomous engagements, you can specify required tooling in your brief:

```
Tooling: Install Kerbrute before phase 7 for Kerberos enumeration.
```

## Tool versions

Tools are kept on the current stable release. The sandbox image is rebuilt regularly to keep `nuclei` templates, `metasploit` modules, and exploitation tooling up to date.

