Active exploits, research notebooks, and weaponized tools from the MultiHAT arsenal. All projects are for educational and ethical purposes only.
Open-source security tools and development projects.
PoliteWebScanner is a learning-grade web vulnerability scanner plus AI-assisted report viewer. It crawls safely (queue-based, robots-aware, rate-limited), detects common issues (security headers, cookie flags, reflected XSS heuristics, SQL error patterns), and exports human-friendly JSON/HTML reports with optional AI help for triage and remediation
View repo: Web Vulnerability Scanner Tooling + CyberSecuritySagar is a Python-based command-line virtual assistant for CSE students and cybersecurity learners. It supports single-line and multi-line commands to open trusted websites, play curated music links, and answer questions using an AI model—designed for safe automation, learning, and terminal-first exploration.
View repo: A Pythonic Hackathon CyberSecurity AssistantA production-focused CLI utility for Linux that inspects, sets, randomizes, and restores MAC addresses with strict validation and safe backup/restore. Designed for engineers, students, and security practitioners needing predictable networking in labs or authorized workflows.
View repo: MacChanger Blog: Wi-Fi Security Alert; MAC Blocking Isn't Enough, What to Do Instead? NetworkingA local Python desktop assistant (Tkinter) that runs Groq AI queries, maps natural commands to quick web actions (Google, YouTube, GitHub), and persists session history. Lightweight, customizable GUI, easy to extend with new shortcuts and offline session recall for fast personal workflows.
View repo: BlackHAT AI-Assistant CyberSecurityWinTempCleaner is a lightweight batch utility that instantly clears common temp locations %TEMP%, %WINDIR%\Temp, %USERPROFILE%\AppData\Local\Temp, Prefetch. Interactive confirmation, forces read-only deletions, suppresses noisy errors and shows a visual progress color. Run as Administrator to clean system folders; files only, directories preserved.
View repo: WinTempCleaner Blog: Why Attackers Like the Temp Folder System AdministrationWebSource Harvester is an educational web-source harvester that crawls a site (BFS, depth-controlled), downloads browser-visible assets (HTML, CSS, JS, images, fonts, PDFs), and rewrites paths so pages work offline, including nested routes. It enforces same-origin limits and is designed for learning, offline analysis, and safe portfolio demos.
View repo: WebSource Harvester WebTechEmail Harvester; a production-ready CLI that finds publicly visible business emails from category keywords. Pluggable search backends (SerpApi, Bing, DuckDuckGo), robots-aware crawling, contact/link traversal, MX + optional Hunter.io verification, deterministic scoring, CSV outputs, CI-tested and extensible for lead-gen workflows.
View repo: Email Harvester OSINTWiFi Dictionary Attack is a compact, Python-based Wi-Fi security testing script. It scans nearby networks, targets a specified SSID, loads a password wordlist from passwords.txt, attempts WPA/WPA2 connections using pywifi, and reports successes or failures. For authorized, educational security audits only.
View repo: WiFi Dictionary Attack Blog: Wi-Fi Security Alert; MAC Blocking Isn't Enough, What to Do Instead? OffensiveA privacy-first phone-number OSINT toolkit (CLI + minimal GUI). Parses and normalizes numbers (E.164), enriches with deterministic metadata, runs optional async adapters (DuckDuckGo, Google, public datasets), computes explainable risk scores and owner intelligence, and exports JSON/CSV/PDF reports.
View repo: Phoneint OSINT Toolkit OSINTA secure, production-ready Python CLI wrapper for Nmap that makes powerful scans easy and repeatable. Includes 12 built-in profiles (SYN, aggressive, OS detection, vulnerability/NSE checks), interactive and non-interactive modes, strict input validation, Docker support, CI, and script-friendly flags for automation.
View repo: Nmap Scanning Tool ReconResolve domains, URLs, and IP literals to IPv4/IPv6 addresses with a production-ready CLI and library-safe API. Supports IDNs, URL inputs, concurrent lookups, JSON output, optional dnspython timeouts, and file/bulk mode—ideal for network tooling, automation, and reproducible tests.
View repo: domain2ip ReconA Python script demonstrating automated email sending via Gmail SMTP for educational and testing purposes. Supports email format validation, secure password input using getpass, HTML-formatted messages, and controlled loop-based delivery with delays. Intended to teach SMTP authentication and email automation—not for spamming or abuse.
View repo: EmailBomber OffensiveA safe, browser-based brute-force simulator for defensive learning. Configure PIN length and charset, set rate limits, captcha penalties, lockout thresholds, and jitter—then watch live attempts/sec, ETA, entropy, and a visual chart. Export JSON reports or test a local API. Pure front-end demo for teaching infosec and defenses.
View repo: BruteforceLab1 CyberSecurityAn educational Python toolkit demonstrating secure password hashing (Argon2id, bcrypt, scrypt) and common failure modes (MD5, rainbow tables). Includes reusable library hash_password_cracker, attack demos (dictionary/rainbow/hybrid), CLI tools, and unit tests — for defensive learning on data you own or are authorized to test.
View repo: HashAttackDemos CyberSecurityA simple multi-client TCP, compact, cross-platform Python multi-client chat toolkit for learning and LAN testing. Includes host.py (server), clint.py (client), and net_utils.py utilities; supports optional TLS with password-protected message encryption, CLI flags for scripted use, and unit tests for core validation.
View repo: TCP-Playground Blog: Understanding OSI Layers Through Real Attack Examples NetworkingBruteforceLab2 is a self-contained, hands-on web security lab that demonstrates credential brute-force attacks and basic defenses. It includes a Flask login app, a CLI attacker simulator, optional in-memory rate limiting and lockout, automated tests and CI, and configuration knobs (rate window/max, enforce regex). Run locally to observe attacks, to
View repo: BruteforceLab2 CyberSecurityA lightweight, offline-capable voice assistant that listens for a wake phrase, converts speech to text, runs local or API-based intent handling, and replies with natural-sounding TTS. Built for quick local deployment, it supports configurable wake words, microphone I/O, and easy integration with custom actions or LLMs.
View repo: Speech-to-Speech AI Assistant AIA clean Flask-based URL shortener that converts long links into short, shareable URLs with optional custom aliases, expiration support, and TinyURL mirroring. Uses SQLite for persistence, includes copy helpers, rate limiting, and a simple REST API. Ideal for learning backend fundamentals and deployment.
View repo: SharpLink URL Shortener Web DevPhoto PDF Bidirectional Converter is a lightweight Windows converter that turns photos into high-quality PDFs and extracts PDF pages to images. It preserves EXIF rotation, supports multi-page or per-photo PDFs, offers DPI/format/embedding controls (jpeg_high, keep_original, lossless_png), and prefers img2pdf for best fidelity. Runs locally—no upload required.
View repo: Photo-PDF-Bidirectional-Converter Conversion | SecureA beginner-friendly Node/Express + Vanilla JS authentication demo that implements a complete sign-up/sign-in lifecycle: email verification (4-digit OTP), optional 2FA (email OTP, TOTP authenticator, backup codes), password reset, account settings, session handling, and deploy-ready email fallback (Brevo → SMTP → debug).
View repo: Multi-FA-Auth SecurityAn educational phishing simulation login page demonstrating how fake UIs capture user credentials. It logs inputs, stores them locally, and emails the captured data for awareness training. Intended strictly for controlled, ethical use to teach URL verification and phishing prevention.
View repo: Fake Facebook Login Page (Educational) Securitya small, cross-platform Python utility for responsibly automating repeated keystrokes or clipboard pastes. Supports interactive and CLI modes, dry-run verification, clipboard paste for long messages, confirm + countdown, robust input validation, and PyAutoGUI failsafe (move mouse to top-left to abort).
View repo: Text Bombing Toolkit OffensiveSagar is a Python-based command-line virtual assistant for CSE students and cybersecurity learners. It supports single-line and multi-line commands to open trusted websites, play curated music links, and answer questions using an AI model—designed for safe automation, learning, and terminal-first exploration.
View repo: PythonicHackathon-CLI CyberSecurity Assistant | CLIvirusNewFolder; A safe, cross-platform CLI that creates predictable, persistent directories inside your OS temporary folder for demos, tests, and automation. Supports create/detect/cleanup, --dry-run, --overwrite/--yes, customizable prefixes/instances, startup automation helpers, clear logging, and unit tests.
View repo: virusNewFolder (Educational) Cybersecurity | OSMinimal PHP MVC learning project demonstrating the Model-View-Controller pattern end-to-end. Uses plain PHP with PDO, a front controller, simple routing, and CRUD student management. Designed to teach separation of concerns, prepared statements, and typical MVC structure without frameworks.
View repo: Student Management MVC Learning Project DevA production-quality C++17 command-line tool that captures customer details, computes discounts and totals, prints a clean receipt, and atomically persists records to CSV and JSONL. Cross-platform CMake build, unit tests, and export utilities make it durable, scriptable, and POS-friendly.
CustomerSlip-CLI DevLocal PHP/MySQL e-wallet application combined with a hands-on cybersecurity demo lab. Implements user/admin auth, balances, transfers, CSRF protection, session timeouts, login lockout, and hashing. Includes a toggleable Vulnerable/Secure lab to demonstrate XSS and session hijacking with real code and mitigations.
View repo: SecurePay_E-Wallet-V1 Security | DevA local-first Flask web app that analyzes PDF/DOCX resumes using a Groq/OpenAI-compatible LLM. Extracts text, returns structured feedback with ratings, keyword gaps, prioritized fixes, and rewrite examples, and renders results in a clean UI with copy/download tools. Designed for fast, actionable resume improvements.
View repo: Ai-Resume-Analyzer AI | DevGenerate Wi‑Fi QR codes instantly in your browser, no backend required. Supports WPA/WPA2, WEP, and open networks; hidden SSIDs; adjustable size and error correction; export PNG or SVG; copy raw Wi‑Fi payload; offline-friendly (local QR lib). Privacy-first: nothing leaves your device.
View repo: WiFi QR-Generator QR | Wi-FiA lightweight, game-like phishing-awareness trainer. It presents short AI-generated or stored messages with a 10-second timer, tracks score and attempts, captures feedback, and grows a labeled dataset. Runs locally (Flask), validates AI outputs, and suits workshops, demos, and security training.
View repo: Ai-Phishy-Playground Phishy CatcherA client-side web security tool that sanitizes potentially malicious HTML and JavaScript input by stripping unsafe tags and event attributes. Designed to demonstrate XSS prevention concepts, safe input handling, and frontend security practices using pure HTML, CSS, and JavaScript in a beginner-friendly interface.
View repo: XSS-WebGuard XSS LabA polished, accessible client-side password strength checker that estimates entropy, detects weak patterns, and provides actionable suggestions. Includes a built-in password generator, works fully offline with no network calls, and uses ARIA live updates for accessibility. Ideal for demos, portfolios, or frontend components.
View repo: Password Strength Checker Security | DevEducational security research notes documenting USB HID (BadUSB/Rubber Ducky) concepts from a defensive perspective. The repository preserves historical filenames while emphasizing detection, prevention, user awareness, and ethical lab use. No payloads, automation scripts, or actionable exploits are provided.
View repo: BAD-USB Codes Offensive | Arduino ScriptsCurated, practical repositories chosen for learners and practitioners.
Behavioral Fingerprinting-Augmented Embedded IDS on Raspberry Pi 4 + ESP32. Detects zero-day attacks by learning per-device traffic profiles using Isolation Forest; no signatures needed. Features distributed MQTT nodes, real-time Flask dashboard, iptables auto-blocking, and GPIO alerts.
View repo: BF-IDS Project Proposal Live: BF-IDS_Project_Proposal Cybersecurity | Project ProposalBeginner-friendly, notebook-style guide to installing WSL2, Kali Linux, and Win-KeX GUI on Windows. Covers prerequisites, GPU support, command walkthroughs, installer prompt decisions, and real-world error recovery for a stable Kali-on-WSL setup.
View repo: WSL2-Kali-Setup-Guide Blog: WSL2 + Kali Linux + Win-KeX (GUI) Installation Guide Linux | Setup GuidesA curated collection of three cybersecurity learning roadmaps covering web penetration testing, ethical hacking, and foundational security skills. Each roadmap breaks learning into clear stages, tools, labs, and resources, helping beginners progress step-by-step from basics to hands-on offensive security practice.
View repo: Web Penetration Testing Roadmap Roadmapsinfosec-vocabulary is a bilingual (English ↔ Bangla) cybersecurity glossary with concise definitions, synonyms, real-world examples, and short educational notes for each term. Alphabetized and workshop-friendly, it's ideal for learners, translators, SOC trainees, and security educators; docs-ready and GitHub Pages compatible.
View repo: Infosec Vocabulary CyberSecurity | Slangs + VocabularyA free, no-paywall cybersecurity self-study library covering foundations, pentesting, web security, exploit development, malware analysis, cryptography, defense, and programming. Books are organized by domain and difficulty with a guided learning path so beginners can progress to advanced security skills independently.
View repo: Library of Cybersecurity Books CyberSecurity | BooksMore operations: Explore the full arsenal on GitHub — SagarBiswas-MultiHAT.
Educational use only: All tools are for learning, research, and defensive purposes. Do not use for malicious activity.