Week 4: 50 New Tools, 3 Workflows, and a Massive Reverse Engineering Expansion
Another big week. We added 50 tools across 11 categories, shipped 3 new workflows, and now have 426 tools indexed. Here is everything.
50 New Tools (426 Total)
This week we focused on filling two major gaps: reverse engineering and offensive ops. We also finally added some tools that should have been here from the start (looking at you, mitmproxy and ZAP).
Reverse Engineering (11 new tools)
The biggest category expansion this week. Bytecode Viewer is a full Java and Android RE suite with decompiler, editor, and debugger in one package. JD-GUI and dex2jar round out the Java reversing story — dex2jar converts Android DEX to CLASS files, JD-GUI lets you read them. pyinstxtractor pulls Python bytecode out of PyInstaller executables, which comes up constantly in malware analysis.
Kaitai Struct takes a completely different approach to binary analysis — you describe binary formats declaratively and it generates parsers in 12+ languages. PEDA and Voltron give you better GDB interfaces for exploit development, with PEDA providing exploit-dev helpers and Voltron working across LLDB, GDB, and WinDbg.
On the malware analysis side, FLARE FLOSS from Mandiant automatically extracts obfuscated strings that static analysis misses. FakeNet-NG (also Mandiant) intercepts all network traffic from malware samples so you can analyze C2 comms without letting anything phone home. al-khaser is a reference implementation of every evasion technique malware uses — VM detection, debugger detection, sandbox escape — which is invaluable for building better analysis environments. PCILeech does direct memory access attacks over PCIe, useful for firmware research and forensics.
Offensive Ops (13 new tools)
The biggest single-category addition. We added a full Active Directory attack toolkit: PingCastle assesses AD security posture and gives you a health score. PrivescCheck enumerates Windows privilege escalation paths. DomainPasswordSpray does exactly what the name says across an entire domain. Inveigh handles LLMNR/NBNS/mDNS spoofing and relay attacks from .NET. MailSniper searches Exchange mailboxes for credentials and sensitive data. Ruler abuses Exchange features for remote code execution.
Empire (the BC-Security fork) is back and actively maintained — the post-exploitation framework with PowerShell, Python, and C# agents. Merlin is a Go-based HTTP/2 C2 that is harder to detect than traditional C2 channels. emp3r0r takes it further with a self-healing gossip mesh architecture. SSH-Snake is a self-propagating script that discovers SSH keys and pivots through networks automatically — terrifyingly effective for demonstrating lateral movement risk.
WinPwn automates the boring parts of internal Windows pentests. Weevely is a weaponized PHP web shell with 30+ post-exploitation modules. Commando VM from Mandiant installs 140+ tools on a fresh Windows VM — think of it as Kali for Windows.
Web Scanning (5 new tools)
OWASP ZAP is the most widely used open-source web app scanner and it was embarrassingly absent until now. Kiterunner from Assetnote does API-aware content discovery, bruteforcing routes using knowledge of common API patterns rather than generic wordlists. Tplmap automates server-side template injection detection and exploitation across multiple engines. Brakeman is the go-to SAST scanner for Ruby on Rails. BunkerWeb is an open-source WAF you can drop in front of any web application.
Network Recon (6 new tools)
mitmproxy (this week's Tool of the Week) is the 43k-star HTTP proxy that should need no introduction. Tsunami is Google's network security scanner built for scale with high-confidence detection. IVRE is a self-hosted alternative to Shodan and Censys — run your own internet-scale recon platform. Smap is a clever tool that queries Shodan instead of sending packets, giving you Nmap-style output without touching the target. Dshell from the US Army Research Lab dissects captured network traffic. pwnat punches through NATs and firewalls without any third-party infrastructure.
Cloud Recon (3 new tools)
aws-vault securely stores AWS credentials in your OS keychain instead of plaintext config files. CloudGoat from Rhino Security is a vulnerable-by-design AWS environment for practicing cloud pentesting. KICS from Checkmarx scans Terraform, CloudFormation, and Kubernetes manifests for security misconfigurations.
OSINT (3 new tools)
changedetection.io monitors websites for changes — useful for tracking target infrastructure modifications, job postings, or content updates. OnionScan investigates dark web hidden services for operational security failures. waybackpack downloads the entire Wayback Machine archive for a URL, which is invaluable for finding deleted content and historical site states.
Other Additions
Ciphey uses AI to automatically identify and decode ciphertexts without knowing the algorithm — point it at an encoded string and it figures out the rest. hate_crack automates Hashcat with intelligent rule and wordlist chaining. git-dumper extracts source code from exposed .git directories. CAPEv2 is a malware sandbox focused on configuration and payload extraction. Fibratus does Windows kernel event tracing for threat hunting. Cowrie is a medium-to-high interaction SSH/Telnet honeypot. garak from NVIDIA scans LLMs for vulnerabilities and jailbreaks. Osmedeus orchestrates automated recon workflows. IntelMQ processes security feeds with message queuing for automated incident handling.
3 New Workflows (17 Total)
We added three workflows that fill practical gaps:
Supply Chain Security Audit
A structured approach to assessing software supply chain risk. Walks you through SBOM generation with Syft, dependency vulnerability scanning with Grype and OSV-Scanner, secrets detection with Gitleaks and TruffleHog, container image hardening with Trivy and Dockle, infrastructure-as-code review with Checkov and KICS, and static analysis with Semgrep and Bandit. Seven steps from inventory to remediation report.
Threat Hunting with Honeypots
Covers the full lifecycle: deploying Cowrie SSH honeypots, configuring network deception with Suricata, capturing and analyzing attacker sessions, correlating findings with threat intelligence via IntelMQ and Wazuh, building Sigma detection rules from observed behavior, and iterating on your deception strategy. Practical tips on placement and avoiding honeypot fingerprinting.
Active Directory Password Audit
Starts with hash extraction via Impacket and CrackMapExec, moves through password policy assessment with PingCastle, wordlist preparation with hate_crack, offline cracking campaigns with Hashcat and John, pattern analysis for password reuse, spray resilience testing with DomainPasswordSpray and Kerbrute, and closes with policy recommendations. Every step includes specific commands and tips.
5 New Features
We shipped five features this week that change how you interact with the site.
Cmd+K Global Search
Press Cmd+K (or Ctrl+K) from any page to open a search modal. It uses fuzzy matching across all 426 tools, so typos and partial matches work. Arrow keys to navigate, Enter to go. When the search is empty it shows featured tools sorted by stars. This works from tool pages, blog posts, workflows, everywhere.
Tool Health Badges
Every tool card now has a colored dot showing maintenance status. Green means the last commit was within 90 days, yellow means 3-12 months, red means over a year. You can immediately see which tools are actively maintained without clicking through to GitHub. Hover for the label.
Surprise Me
New button in the hero section. Click it, get a random tool page. With 426 tools, most people only see the top featured ones. This drives discovery into the long tail.
Stats Dashboard
New /stats page with live metrics computed from the index. Category distribution bar charts, top 10 languages with colored indicators, health overview (how many tools are active vs stale), top 10 most-starred tools, and platform coverage. All data, no external dependencies.
Shareable Tool Stacks
Build your own tool selection at /stack. Pick tools by category with checkboxes, search to filter, and get a shareable URL like en-na.com/stack/nmap,nuclei,hashcat. Send it to a colleague and they see your exact selection with aggregate stats. Edit and copy buttons built in.
Stats
- 426 tools across 19 categories
- 17 workflows with step-by-step guidance
- 12 tool chains for common pipelines
- 10 cheat sheets for quick reference
What is Coming
We are working on tool comparison pages (ZAP vs Burp vs Caido, Sliver vs Mythic vs Havoc), expanding the guides section, and adding more starter kits. The browser extension is in alpha testing.
See you next week!