Offline Security Toolkit — Tool Reference & Overview
All tools run client-side in any modern browser. No installs, no network required, no data transmitted. Drop the folder on a USB stick and work on any machine.
⌂ Open HUB Launcher
32
Tools Available
PENTEST 7 TOOLS — OFFENSIVE & ASSESSMENT
🐚
SHELLFORGE
Reverse shell one-liner generator — 20+ shell types across Unix and Windows, with optional Base64 encoding and listener command.
Open ↗
Features
  • Bash, Python (2/3), Perl, Ruby, PHP, PowerShell, Netcat, Socat, Java, Golang, Lua, Awk, Telnet, curl/wget variants
  • Windows-specific: PowerShell TCP, cmd.exe, mshta, certutil, regsvr32
  • Optional Base64 encoding for filter evasion
  • Generates matching nc / ncat listener command
  • Set LHOST and LPORT — all shells update live
Quick Tips
  • Use Base64 toggle if target filters on common keywords like /bin/bash
  • Python3 is the most reliable on modern Linux targets; Bash can break on restricted shells
  • PowerShell -EncodedCommand variant bypasses most PowerShell logging policies
  • Socat gives a full PTY — best for interactive work
💣
PAYLOADLIB
Web exploitation payload library — XSS, SQLi, LFI/Path Traversal, SSTI, XXE, SSRF, Command Injection, Open Redirect. Filter bypass variants included.
Open ↗
Coverage
  • XSS: basic, tag-breaking, event handlers, SVG, JS URL, encoded
  • SQLi: error-based, union, boolean blind, time blind, stacked
  • LFI/Path Traversal: Linux/Windows, encoded, null byte variants
  • SSTI: Jinja2, Twig, Freemarker, Velocity, Pebble
  • XXE: file read, SSRF, blind OOB, parameter entity
  • CMDi: semicolon, pipe, backtick, encoded, Windows variants
Quick Tips
  • Filter bypass variants are tagged — look for WAF evasion payloads when basic ones fail
  • SQLi time-based payloads are your first choice against blind injection with no output
  • SSRF payloads include internal metadata endpoints (AWS, GCP, Azure)
  • Copy button on each payload — paste directly into Burp repeater
🦜
LOLBINS
Living-off-the-land binary reference — Windows LOLBins and Linux GTFOBins. Filter by OS and technique type.
Open ↗
Coverage
  • Windows: certutil, bitsadmin, mshta, rundll32, regsvr32, wmic, powershell, schtasks, net, reg, sc, icacls, nltest, curl, forfiles, pcalua
  • Linux/Unix: bash, curl, wget, python, find, awk, vi, less, nc, sudo, cron, ssh, tar, openssl
  • Technique tags: Execute, Download, Read, Write, Bypass AV/UAC, PrivEsc, Creds
Quick Tips
  • Filter by use-type to quickly find what you need on a locked-down machine
  • certutil -urlcache is a classic for downloading files on Windows without PowerShell
  • forfiles is useful when cmd.exe is restricted but other execution still works
🔑
DEFAULTCREDS
Offline default credential database — ~100 vendors: routers, switches, cameras, NAS, printers, IoT, industrial/SCADA.
Open ↗
Features
  • Search by vendor, product name, protocol, or credential string
  • Category filter: Routers, Switches, Cameras, NAS, Printers, IoT, Industrial
  • One-click copy of username:password
  • Protocol column: HTTP, SSH, Telnet, FTP, SNMP
Quick Tips
  • Search the brand name first, then fall back to category if it's a white-label device
  • SNMP community string "public" is the most overlooked credential on network kit
  • Industrial/SCADA entries often have no auth at all — flagged in the table
🔎
DORKSMITH
Visual Google/Bing dork builder — operator chip picker, 12 pre-built templates, direct launch to search engine.
Open ↗
Features
  • Operators: site:, filetype:, inurl:, intitle:, intext:, ext:, cache:, link:
  • Templates: exposed config files, open directories, login panels, camera feeds, juicy PDFs, git repos, DB dumps, admin portals
  • Build dork visually — chips show operator + value
  • One-click open in Google or Bing
Quick Tips
  • site: + filetype:env is a strong combo for finding accidentally exposed .env files
  • intitle:"index of" with a software name often surfaces exposed directories
  • Target a specific org by combining site:company.com with inurl:/admin or filetype:sql
📡
PMKIDFORM
WPA PMKID and EAPOL handshake formatter — converts captured data to hashcat hc22000 format. 4 input modes, dedup, command generation.
Open ↗
Features
  • Input modes: raw PMKID hex, EAPOL fields manual entry, hcxtools paste, bulk file
  • Outputs valid hc22000 format lines ready for hashcat -m 22000
  • Deduplication across ESSID and BSSID combinations
  • Generates ready-to-run hashcat command with wordlist placeholder
Quick Tips
  • hcxdumptool output can be pasted directly into bulk mode
  • Pair with CHANNELMAP for capture setup — know which channels to target first
  • hashcat -m 22000 handles both PMKID and EAPOL in the same format now
📊
CVSS
CVSS 3.1 score calculator — full metric selectors, live score and severity, vector string builder and importer.
Open ↗
Metrics Covered
  • Base: Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope
  • Impact: Confidentiality, Integrity, Availability
  • Live score 0.0–10.0 with severity label: None / Low / Medium / High / Critical
  • Vector string output (e.g. CVSS:3.1/AV:N/AC:L/…) and import from string
Quick Tips
  • AV:N + AC:L + PR:N is often the combination that tips a finding into Critical
  • Scope change (S:C) significantly raises the score — use it when the vuln affects components beyond the vulnerable one
  • Import a CVE vector from NVD and compare against your observed exploitability in context
🌐 NETWORK 5 TOOLS — RECON & ASSESSMENT
🔌
PORTREF
Port and service reference — 200+ curated ports with risk ratings, protocol, service descriptions and pentest context.
Open ↗
Features
  • Risk levels: CRITICAL / HIGH / MEDIUM / LOW / INFO
  • Categories: Remote Access, Web, Database, Mail, File Transfer, Network, Windows/AD, Industrial
  • Filterable by category and searchable by port number or service name
  • Pentest notes column — what to look for on each service
Quick Tips
  • Sort by Risk to quickly prioritise nmap output during a scan review
  • Filter by "Windows/AD" when working on an AD environment — shows LDAP/445/88/5985 cluster
  • Port 5985/5986 WinRM is often the overlooked lateral movement path when RDP is locked
🌐
NETSCOPE
IP/CIDR subnet calculator — binary visualisation, network/broadcast/host range, RFC classification, CIDR prefix table.
Open ↗
Features
  • Input: CIDR (192.168.1.0/24), IP + mask, or plain IP with auto /24
  • Outputs: network address, broadcast, first/last host, host count, wildcard mask
  • Binary bit view of address, network portion and host portion
  • RFC 1918 / RFC 5737 / loopback / link-local classification
  • Full /0–/32 prefix reference table
Quick Tips
  • Paste nmap target ranges directly in — it parses CIDR notation cleanly
  • /23 vs /24 — use the binary view to understand supernetting when scope docs are ambiguous
📶
CHANNELMAP
WiFi channel and frequency reference — 2.4GHz, 5GHz and 6GHz bands with DFS channels, UNII bands, overlap visualisation and recon notes.
Open ↗
Features
  • 2.4GHz: all 14 channels, 20/40MHz overlap canvas visualisation, non-overlapping (1/6/11) highlighted
  • 5GHz: 25 channels, DFS flagging, UNII-1/2/2e/3 bands, 40MHz bonded pairs
  • 6GHz Wi-Fi 6E: 59 channels, PSC channels, AFC/LPI notes
  • Recon Notes: AP observation → implication → action table, iw and hcxdumptool capture commands
Quick Tips
  • DFS channels (52–144) require radar detection — most client adapters won't capture on them without a workaround
  • iw dev wlan0 set channel N — use the Recon Notes tab for the ready-to-run command
  • Pair with PMKIDFORM — know which channels have traffic before starting capture
🔬
OUILOOKUP
MAC address OUI vendor decoder — 500+ vendor entries, batch lookup, auto-detects colon/dash/dot/raw formats.
Open ↗
Features
  • Format detection: AA:BB:CC:DD:EE:FF, AA-BB-CC, AABB.CCDD.EEFF, raw hex
  • Batch mode: paste multiple MACs, one per line
  • 500+ vendor entries covering all major networking, IoT, mobile, and embedded vendors
  • Highlights locally administered and multicast MACs
Quick Tips
  • Paste ARP table output or nmap -sn results directly — it parses out the MACs automatically
  • Locally administered bit (02:xx:xx) means the MAC has been spoofed or randomised
  • Identify unknown devices on a network segment quickly before running deeper scans
🛡️
HEADSEC
HTTP response header security analyser — paste headers, get an A–F grade with per-header findings and remediation guidance.
Open ↗
Checks
  • Content-Security-Policy: present, unsafe-inline, unsafe-eval, no-script-src
  • Strict-Transport-Security: max-age, includeSubDomains, preload
  • X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
  • Server/X-Powered-By leaking version info
  • Cookie flags: Secure, HttpOnly, SameSite
Quick Tips
  • curl -I https://target.com and paste the output directly — no reformatting needed
  • Missing CSP is the most commonly reportable finding — automatically flagged as High
  • Server: Apache/2.4.41 type responses are auto-detected and flagged as info leakage
🔐 CRYPTO 6 TOOLS — HASHING · ENCODING · KEYS
#️⃣
HASHID
Hash type identifier — 40+ hash types, confidence levels, hashcat -m mode numbers, john --format strings.
Open ↗
Identifies
  • MD5, SHA-1, SHA-256/384/512, SHA-3, NTLM, LM, bcrypt, Argon2, scrypt
  • MySQL, MSSQL, Oracle, PostgreSQL password hashes
  • WordPress, Drupal, phpBB, Joomla CMS hashes
  • WPA PMKID/EAPOL (hc22000), Kerberos AS-REP, NetNTLMv1/v2
  • Confidence ranking when multiple types match same length/pattern
Quick Tips
  • Paste multiple hashes — batch mode identifies each on a new line
  • $2y$ prefix = bcrypt — hashcat -m 3200, very slow to crack
  • NTLM (32 hex, no prefix) can look like MD5 — context matters, use the confidence column
  • NetNTLMv2 format from Responder is hashcat -m 5600
🔄
ENCODR
Multi-codec encoder/decoder — Base64, Hex, URL encoding, HTML entities, ROT-13/N, XOR, Binary, Morse code, and more.
Open ↗
Codecs
  • Base64 encode/decode (standard and URL-safe)
  • URL encode/decode (full and partial), double URL encode
  • HTML entity encode/decode
  • Hex encode/decode, binary, octal
  • ROT-13 and custom ROT-N, XOR with key
  • Morse code, punycode
Quick Tips
  • Double URL encoding (%2527 → %27 → ') bypasses many WAF/input filter patterns
  • HTML entity encoding of alert() can bypass XSS filters that block raw angle brackets
  • Chain operations — run output through a second encode for layered obfuscation
🧮
CRCPAD
Drag-and-drop file hasher — CRC32, SHA-1, SHA-256, side-by-side comparison, 64MB limit.
Open ↗
Features
  • Drop any file — computes CRC32, SHA-1, and SHA-256 simultaneously
  • Comparison field: paste expected hash and get instant MATCH/MISMATCH
  • Progress bar for large files
  • Copy each hash individually
Quick Tips
  • SHA-256 is the standard for verifying firmware downloads and tool integrity
  • Paste the vendor-provided hash into the comparison box and drop the file — instant go/no-go
  • CRC32 is fast and fine for non-security duplicate detection (see also FILECHECK)
🎫
JWTDECK
JWT decoder and security inspector — algorithm weakness detection, expiry check, claim inspection, none-algorithm test.
Open ↗
Security Checks
  • Algorithm: flags none, RS256→HS256 confusion, weak HS256
  • Expiry: checks exp claim against current time — shows if token is expired or expiry is missing
  • Sensitive claims: looks for password, secret, key, admin, role in payload
  • Generates alg:none bypass token for testing
  • Header + payload decoded side by side, raw base64 shown
Quick Tips
  • alg:none test — if the app accepts the generated none-token, it's a critical finding
  • RS256→HS256 confusion — if public key is accessible, test signing with HS256 using the public key as secret
  • No exp claim = non-expiring token, reportable as medium/high depending on sensitivity
📜
CERTVIEWNEW
X.509 certificate decoder — full client-side ASN.1/DER parser. No openssl needed. PEM, DER, and certificate chain support.
Open ↗
Decoded Fields
  • Subject and Issuer: CN, O, OU, C, ST, L with all RDN attributes
  • Validity: not-before, not-after, days remaining, expired/expiring-soon flag
  • Public key: type (RSA/EC), key size in bits, signature algorithm
  • SHA-256 and SHA-1 fingerprints (click to copy), serial number
  • SAN list with wildcard detection, Key Usage bits, Extended Key Usage OIDs
  • Basic Constraints: isCA flag, path length — identifies CA certs in a chain
Quick Tips
  • Load .crt, .pem, .cer, .der directly with the Load File button
  • Paste a chain (multiple PEM blocks) — all certs decoded and labelled End Entity / CA / Root
  • curl -k https://target.com | openssl x509 -text isn't available? Paste the PEM here instead
  • Wildcard SANs flagged in amber — note scope for client reporting
🎲
PASSGENNEW
Offline CSPRNG password and passphrase generator — configurable charset, entropy meter, EFF-style wordlist, bulk output, PIN mode.
Open ↗
Modes
  • Password: length 4–128, upper/lower/digits/symbols/safe-symbols/custom charset, exclude ambiguous chars, no-repeat mode, guaranteed minimum of each type
  • Passphrase: 3–12 words from a 512-word EFF-style list, custom separator, case variants, append number/symbol
  • Bulk: generate 1–100 passwords or passphrases, download as .txt
  • PIN: 4–16 digit decimal or hex
Quick Tips
  • Entropy meter shows bit strength — aim for 80+ bits for account passwords, 100+ for master passwords
  • 5-word passphrase gives ~54 bits — add a symbol and number to push past 60
  • Bulk mode useful for generating test account credential lists or temporary access tokens
  • Safe symbols only avoids characters that break shell commands or config files
🔬 ANALYSIS 6 TOOLS — INSPECT · COMPARE · PARSE
🔩
HEXVIEW
In-browser hex viewer — 64MB files, magic byte detection, pattern search, ASCII panel, colour-coded entropy visualisation.
Open ↗
Features
  • Classic hex editor layout: offset | hex | ASCII side panel
  • Magic byte detection: identifies 50+ file types by header bytes
  • Hex and ASCII search with offset jump
  • Drag-and-drop file loading up to 64MB
Quick Tips
  • Magic byte mismatch — if the extension says .jpg but magic bytes say PK (ZIP), investigate
  • Search for strings in binary files to find embedded credentials, URLs, or config fragments
  • Offset 0 magic bytes are shown in a banner at the top — no need to scroll
📝
DIFFPADNEW
Side-by-side text diff — Myers diff algorithm, split and unified views, context toggle, load files from disk, copy unified diff.
Open ↗
Features
  • Myers diff algorithm — minimal edit distance, accurate line-level diffing
  • Split view (side by side) and unified view (+/- lines)
  • Context toggle — shows only changed lines ± 3 lines of context, or all lines
  • Load files from disk or type/paste directly
  • Swap sides, copy as unified diff text, live as you type
Quick Tips
  • Compare config files before/after a change — spot accidental or malicious modifications
  • Context OFF is much faster to scan when comparing large files with few changes
  • Swap sides if you're unsure which is original vs modified — changes colour accordingly
  • Unified diff output can be pasted into a git patch or issue tracker
📋
LOGGREPNEW
Log file grep and filter — drag-drop any text log up to 50MB, level detection, regex filter, IP extraction, statistics, export.
Open ↗
Features
  • Auto-detects ERROR/WARN/INFO/DEBUG levels — colour coded by severity
  • Regex or text filter, case toggle, invert mode
  • Per-level toggle buttons to show/hide each level
  • IP addresses highlighted inline — click to copy
  • Statistics tab: level counts, top-10 IPs by occurrence
  • IP tab: sorted table of all unique IPs with hit counts
  • Export filtered lines to .txt
Quick Tips
  • Hide INFO/DEBUG first to see only errors/warnings in a noisy log
  • Regex filter on an IP to isolate all activity from a specific source quickly
  • IP tab sorted by hits — top entry is usually your scanner, attacker, or busiest client
  • Invert mode useful for excluding known-good IPs to focus on unknowns
REGEXPAD
Regex tester — live match highlighting, flag toggles, 20-pattern library, replace with capture groups.
Open ↗
Features
  • Live match highlighting overlay synced to textarea scroll
  • Flag toggles: g, i, m, s
  • Pattern library: IPv4, email, JWT, UUID, Windows FILETIME, SQL keywords, Base64, file paths, ISO 8601, HTTP methods, and more
  • Replace mode with $1 group substitution, match list with line numbers and positions
Quick Tips
  • Start from the library — pick the closest pattern and modify rather than writing from scratch
  • Replace with capture groups to reformat data, e.g. extract columns from log lines
🔧
JSONFORGENEW
JSON formatter, validator, tree viewer and converter — JSON↔CSV, JSON→XML, JSON→table, JSONPath query.
Open ↗
Tabs
  • Format/Validate: pretty print, minify, sort keys, live JSON validation with error position
  • Tree View: collapsible AST tree with type colouring — strings green, numbers amber, booleans cyan
  • Convert: JSON→CSV, CSV→JSON, JSON→XML, JSON→ASCII table, minify
  • JSONPath Query: $.path[*].key style extraction with result display
Quick Tips
  • API response inspection — paste raw JSON from Burp, pretty-print it, then use JSONPath to pull specific fields
  • Sort Keys before diffing two JSON responses to avoid false differences from key ordering
  • JSON→Table makes flat arrays very easy to read as a formatted grid
  • CSV→JSON useful for importing scan results into other tools
📁
FILECHECK
Duplicate file finder and bulk rename — SHA-256 hashing, wasted space report, bulk rename with preview, PowerShell/Bash/CMD script export.
Open ↗
Tabs
  • Duplicate Finder: drop files/folder, SHA-256 hash all, group exact duplicates, show wasted space
  • All Files: sortable table, hash-on-demand, TSV export
  • Bulk Rename: find+replace (text or regex), prefix/suffix add, sequential numbering, extension change, case transform
  • Script Export: generates rename script for PowerShell, Bash, or CMD — conflicts excluded and commented
Quick Tips
  • Browser can't delete files — use the Script Export tab to generate a deletion script and run it locally
  • Live rename preview shows final filenames before you commit anything
  • Conflict detection flags any rename that would produce duplicate filenames
🔌 HARDWARE 2 TOOLS — EMBEDDED & HID
🔌
PINOUT
Hardware pinout reference — UART, JTAG, SPI, I2C, USB, ESP32-S3, Pi Pico W, Raspberry Pi 4/5 GPIO. Protocol wiring guides and common commands.
Open ↗
Coverage
  • Protocol overview: signal names, voltage levels, use cases for UART/JTAG/SPI/I2C
  • UART: TX/RX wiring, baud rates, minicom and screen commands
  • JTAG: 20-pin ARM standard, SWD 10-pin, signal functions
  • SPI: SOIC-8 NOR flash layout, CH341A programmer wiring
  • I2C: common device addresses (RTC, OLED, IMU, ADC)
  • ESP32-S3: UART0/1, SPI, I2C, strapping pins, boot mode
  • Pi Pico W: all GPIO with UART/SPI/I2C/SWD/power assignments
  • Pi 4/5: 40-pin GPIO header complete reference
Quick Tips
  • Identify Unknown Ports tab — 4-step methodology for identifying mystery connectors on hardware targets
  • Strapping pins on ESP32-S3 must be correct at boot — check before wiring
  • UART is usually the easiest entry point on embedded devices — look for 3-4 pin headers on the PCB
  • CH341A + SOIC-8 clip wiring is shown — for reading SPI flash without desoldering
⌨️
HIDREF
HID keycode reference — USB HID hex codes, CircuitPython Keycode constants, DuckyScript key names, PS/2 scan codes. Searchable.
Open ↗
Coverage
  • Full keyboard: letters, numbers, F1–F24, numpad, navigation, media keys
  • USB HID usage page hex codes for direct HID descriptor work
  • CircuitPython adafruit_hid.keycode constants (Keycode.A, Keycode.CONTROL etc)
  • DuckyScript key names for payload scripts
  • PS/2 set-2 scan codes for legacy hardware interfacing
Quick Tips
  • Search by key name (e.g. "windows", "alt") to find all relevant codes at once
  • CircuitPython payloads — keep this open when writing BadUSB scripts on Pi Pico / Trinket
  • DuckyScript column matches Hak5 Rubber Ducky and compatible devices
🛠 UTILITIES 6 TOOLS — GENERAL PURPOSE
⏱️
TIMESTAMPCONV
Timestamp converter — auto-detects Unix (s/ms/µs), ISO 8601, RFC 2822, Windows FILETIME decimal and hex. Live clock. Date builder.
Open ↗
Formats
  • Unix timestamp: seconds (10-digit), milliseconds (13-digit), microseconds (16-digit)
  • ISO 8601: 2024-01-15T14:30:00Z and variants
  • RFC 2822: Mon, 15 Jan 2024 14:30:00 +0000 (email/HTTP format)
  • Windows FILETIME: 100ns intervals since Jan 1 1601, decimal and hex (registry format)
  • Date builder: set date/time fields, generate all formats
Quick Tips
  • Windows FILETIME hex appears in registry exports and Windows event logs — paste directly
  • Auto-detection means you can paste any timestamp format and it figures out the type
  • Click any result card to copy that specific format
🔗
URLPARSER
URL dissector — scheme, credentials, host, port, path, query params, fragment. Encode/decode section, URL builder.
Open ↗
Features
  • Colour-coded visual breakdown of every URL component
  • Query params table: key, raw value, decoded value
  • Encode/decode: URL encode, full encode (encode all chars), double encode
  • Origin extraction, credential detection (user:pass@host)
  • URL builder: compose a URL from component fields
Quick Tips
  • Paste from Burp repeater — quickly see all params as a clean table for testing
  • Double encode a payload param value to test WAF bypass
  • Credential in URL is flagged — useful for spotting auth tokens embedded in URLs in logs
💻
BASECALC
Number base calculator — HEX/DEC/BIN/OCT, 8/16/32/64-bit width, signed/unsigned, bitwise ops, shifts, bit viewer with popcount.
Open ↗
Features
  • BigInt engine — handles 64-bit values without precision loss
  • Live HEX/DEC/BIN/OCT conversion — type in any base
  • 8/16/32/64-bit width selector, signed/unsigned toggle, two's complement
  • Bitwise ops: AND, OR, XOR, NAND, NOR, XNOR — all computed simultaneously for two inputs
  • Shift left/right, NOT, byte-swap, arithmetic (+/-/×/÷/%) with all-base output
  • Bit viewer with individual bit positions, popcount, leading zeros
Quick Tips
  • Subnet mask work — XOR two addresses to find differences, AND with mask to get network address
  • Registry/FILETIME values — paste hex directly and see decimal equivalent
  • Bit viewer useful for checking flag registers in embedded debugging
👤
PERMUTATE
Username and email permutation generator — name-based patterns, separators, case variants, domain selection, bulk export.
Open ↗
Features
  • Input first/last name, generate: jsmith, john.smith, smithj, j.smith, smith_john, etc.
  • Separator options: dot, underscore, dash, none
  • Case variants: lower, upper, title
  • Email mode: appends @domain.com to each variant
  • Bulk input: process multiple names at once
Quick Tips
  • Use for credential spray lists — generate all likely username formats for a target org
  • Pair with DEFAULTCREDS for username patterns + known passwords during internal assessments
  • Export to txt for use with hydra, medusa, or Burp Intruder
🔒
NOTES
AES-256-GCM encrypted offline notepad — in-memory only, multi-note sidebar, search, .hylas file export/import, lock wipes memory.
Open ↗
Security Model
  • AES-256-GCM encryption via Web Crypto API — PBKDF2 key derivation, 310,000 iterations
  • Data is never written to disk — lives in JavaScript memory only
  • Lock button wipes all note content from memory immediately
  • Export to .hylas encrypted file — password required to re-import
  • Export to plain .txt (unencrypted) for sharing
Quick Tips
  • Export to .hylas at the end of each session — closing the tab permanently loses unsaved notes
  • Use during engagements for temporary credential, finding, and scope notes that shouldn't touch disk
  • Lock button immediately if you need to step away from the machine mid-session
  • Multi-note sidebar — create separate notes per target host or finding category
🖥️
NASHOST
NAS / homelab web hosting reference — Cloudflare Tunnel setup, Nginx Docker config, authentication options, TLS, hardening checklist.
Open ↗
Coverage
  • Cloudflare Tunnel: zero-config tunnel setup, cloudflared install, DNS routing
  • Nginx reverse proxy: Docker compose, virtual host config, proxy_pass templates
  • Auth options: Basic Auth, Cloudflare Access, Authelia
  • TLS: Let's Encrypt via Certbot or Cloudflare origin cert
  • Security hardening checklist: headers, rate limiting, fail2ban, access logs
Quick Tips
  • Cloudflare Tunnel is the fastest way to expose a service without opening ports on your router
  • Use as a field reference when setting up exfil infrastructure or C2 redirectors on a VPS