Free offensive security toolkit for your terminal — reverse shells, encoding, hashing, and more
>_ osk
Free offensive security toolkit for your terminal — reverse shells, encoding, hashing, JWT analysis, nmap building, XSS payloads, SQLi payloads, header security analysis, CVSS scoring, subnet calculation, terminal output formatting, wordlist generation, and more.
Part of OffSecKit — all tools also available as browser tools.
Install
pip install offseckit
Or clone and install locally:
git clone https://github.com/offseckit/osk.git
cd osk
pip install .
Quick Start
# Generate a reverse shell
osk revshell -i 10.10.10.10 -l python
# Encode text to Base64
osk encode -o base64-encode "Hello World"
# Identify a hash
osk hash id 5d41402abc4b2a76b9719d911017c592
# Decode a JWT token
osk jwt decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
# Build an nmap command
osk nmap build -t 10.10.10.0/24 --syn --top-ports 1000
# Generate XSS payloads
osk xss gen --context html-attr --action alert
# Generate SQLi payloads
osk sqli gen -d mysql -t union -c 3
# Analyze security headers
curl -sI https://example.com | osk headers analyze
# Calculate a CVSS score
osk cvss calc CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Calculate subnet details
osk subnet calc 192.168.1.0/24
# Generate a wordlist with mutations
osk wordlist gen password admin --leet --numbers
# Format terminal output with a styled frame
nmap -sV 10.10.10.10 | osk format render
Tools
| Command | Description |
|---|---|
| osk revshell | Generate reverse shell one-liners in 12+ languages |
| osk encode | Encode/decode text (Base64, URL, Hex, HTML, Unicode, Binary, ROT13, ...) |
| osk hash | Identify hash types and generate hashes (MD5, SHA1, SHA256, NTLM, ...) |
| osk jwt | Decode and analyze JWT tokens for security issues |
| osk nmap | Build nmap commands with scan types, scripts, timing, and evasion |
| osk xss | Generate context-aware XSS payloads with WAF bypass and encoding |
| osk sqli | Generate SQL injection payloads for MySQL, MSSQL, PostgreSQL, Oracle, SQLite |
| osk headers | Analyze HTTP response headers for security misconfigurations |
| osk cvss | Calculate CVSS 3.1 and 4.0 vulnerability scores |
| osk subnet | Calculate subnet details, split networks, check IP containment |
| osk format | Format and beautify terminal output with styled window frames |
| osk wordlist | Generate custom wordlists with leet speak, case mutations, and password patterns |
Reverse Shells
# Bash reverse shell
osk revshell -i 10.10.10.10 -p 4444
# Python reverse shell with Base64 encoding
osk revshell -i 10.10.10.10 -l python -e base64
# PowerShell reverse shell
osk revshell -i 10.10.10.10 -l powershell
# Show all netcat variants
osk revshell -i 10.10.10.10 -l netcat --all
# List all supported languages
osk revshell list
Options
| Flag | Description | Default |
|---|---|---|
| -i, --ip | Attacker IP address | (required) |
| -p, --port | Attacker port | 4444 |
| -l, --lang | Language | bash |
| -v, --variant | Specific variant | first available |
| -e, --encoding | raw, base64, url, double-url | raw |
| --all | Show all variants | — |
| --no-listener | Hide listener command | — |
Encoding & Decoding
# Base64 encode
osk encode -o base64-encode "Hello World"
# URL decode
osk encode -o url-decode "%48%65%6C%6C%6F"
# Chain: Base64 then URL encode
osk encode -o base64-encode -o url-encode "test payload"
# Double URL encode for WAF bypass
osk encode -o url-encode -o url-encode "<script>alert(1)</script>"
# Show intermediate steps
osk encode -o base64-encode -o url-encode -o hex-encode "test" --steps
# Pipe from stdin
echo "secret" | osk encode -o hex-encode
# List all operations
osk encode list
Hash Identification & Generation
# Identify a hash
osk hash id 5d41402abc4b2a76b9719d911017c592
# Generate MD5 + SHA-256 + NTLM
osk hash generate -a md5 -a sha256 -a ntlm "password"
# Generate all default hashes
osk hash generate "hello"
# List supported algorithms
osk hash list
JWT Decoder & Analyzer
# Decode a JWT token
osk jwt decode eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
# Analyze for security issues
osk jwt analyze eyJhbGciOiJIUzI1NiIs...
# List supported algorithms
osk jwt algorithms
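What decoding and a basic review of the token in the first command involve, as an added Python example (not osk's own code). The function names and the particular checks are chosen here for illustration, and the signature is not verified.

```python
import base64
import json

def decode_segment(segment):
    """Decode one unpadded base64url JWT segment into a JSON object."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def analyze(token):
    """Return (header, claims, findings) without verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    findings = []
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or not parts[2]:
        findings.append("unsigned: verifiers must reject alg=none and empty signatures")
    elif alg.startswith("HS"):
        findings.append("HMAC-signed: only as strong as the shared secret; "
                        "pin the algorithm server-side")
    for name in ("jku", "x5u", "jwk"):
        if name in header:
            findings.append(f"header carries {name}: key source is token-controlled "
                            "unless the verifier ignores or allow-lists it")
    if "exp" not in claims:
        findings.append("no exp claim: token does not expire on its own")
    return header, claims, findings

if __name__ == "__main__":
    # Token copied from the `osk jwt decode` example above.
    token = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
             "eyJzdWIiOiIxMjM0NTY3ODkwIn0."
             "dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U")
    header, claims, findings = analyze(token)
    print(header, claims)
    for finding in findings:
        print("-", finding)
```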
Nmap Command Builder
# Quick recon scan
osk nmap preset quick-recon -t 10.10.10.0/24
# Full port SYN scan with service detection
osk nmap build -t 10.10.10.10 --syn --all-ports --service-version
# Stealth scan with evasion
osk nmap build -t 10.10.10.10 --syn --timing T2 --fragment
# List presets
osk nmap presets
# List scan types
osk nmap scans
XSS Payload Generator
# Generate payloads for HTML attribute context
osk xss gen --context html-attr --action alert
# Generate with WAF bypass encoding
osk xss gen --context js-string --waf cloudflare
# Generate with blocked characters
osk xss gen --context html-tag --block "<" --block ">"
# Show polyglot payloads
osk xss polyglots
# List all contexts
osk xss contexts
SQL Injection Payload Generator
# Generate UNION-based payloads for MySQL
osk sqli gen -d mysql -t union -c 3
# Generate error-based payloads for MSSQL
osk sqli gen -d mssql -t error-based
# Generate time-blind payloads for PostgreSQL
osk sqli gen -d postgresql -t time-blind
# Generate with WAF bypass (case swap)
osk sqli gen -d mysql -t union --waf case-swap
# Show authentication bypass payloads
osk sqli auth
# List supported databases
osk sqli dbs
HTTP Header Security Analyzer
# Fetch headers directly from a URL
osk headers analyze -u https://example.com
# Pipe headers from curl
curl -sI https://example.com | osk headers analyze
# Read from a file
osk headers analyze -f response-headers.txt
# Output as JSON for CI/CD
osk headers analyze -u https://example.com --json
# List all security headers checked
osk headers list
CVSS Calculator
# Calculate CVSS 3.1 score from a vector
osk cvss calc CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Calculate CVSS 4.0 score
osk cvss calc CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
# Output as JSON for CI/CD
osk cvss calc CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H --json
# Show common vulnerability presets
osk cvss presets
# Compare two vectors
osk cvss compare CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
Subnet Calculator
# Calculate subnet details from CIDR
osk subnet calc 192.168.1.0/24
# Calculate with JSON output for scripting
osk subnet calc 10.10.10.0/26 --json
# Split a network into equal subnets
osk subnet split 10.0.0.0/16 --into 4
# Check if an IP is within a CIDR range
osk subnet contains 192.168.1.0/24 192.168.1.100
# List all usable hosts in a subnet
osk subnet list 192.168.1.0/28
CLI Output Formatter
# Render terminal output with a styled window frame
nmap -sV 10.10.10.10 | osk format render
# Render from a file with a custom title
osk format render -f output.txt --title "Nmap Scan Results"
# Add line numbers
cat output.log | osk format render -n --title "Server Logs"
# Strip all ANSI escape codes
cat colored-output.log | osk format strip
# Get output statistics
cat output.log | osk format stats --json
Wordlist Generator
# Generate wordlist from base words with case variations
osk wordlist gen password admin
# Enable leet speak mutations
osk wordlist gen password --leet
# Append numbers (0-9) and symbols
osk wordlist gen company --numbers --symbols
# Full mutation suite and save to file
osk wordlist gen company admin john -o wordlist.txt --case --leet --numbers --symbols --suffixes
# Read base words from a file
osk wordlist gen -f base_words.txt --leet --numbers
# Append years instead of single digits
osk wordlist gen company --numbers --number-range years --year-start 2020 --year-end 2026
# Show leet speak mappings
osk wordlist leet
Requirements
- Python 3.8+
Related
- OffSecKit — free browser-based security toolkit
- Reverse Shell Generator — browser version
- Encoding Multi-Tool — browser version
- Hash Identifier — browser version
- JWT Decoder — browser version
- Nmap Builder — browser version
- XSS Generator — browser version
- Header Security Analyzer — browser version
- CVSS Calculator — browser version
- Subnet Calculator — browser version
- SQLi Payload Generator — browser version
- CLI Output Formatter — browser version
- Wordlist Generator — browser version
License
MIT
File details
Details for the file offseckit-0.1.0.tar.gz.
File metadata
- Download URL: offseckit-0.1.0.tar.gz
- Upload date:
- Size: 56.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1b57374783bebe7f3a89c51ba312806c933ef3947e311a1fb3f45f91209a666e |
| MD5 | e598808abb0a069c1d0b35c6df6a0bc2 |
| BLAKE2b-256 | f35b4c1de44b2fda5399d691992a08dbb05dfe836bc031f3bf6bb91fc10a84ef |
File details
Details for the file offseckit-0.1.0-py3-none-any.whl.
File metadata
- Download URL: offseckit-0.1.0-py3-none-any.whl
- Upload date:
- Size: 66.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1ae3709caf289a50f285a175a8fdb5130cac40b31a104748b3df36242e0c1cef |
| MD5 | 3e281c2a98f60e597c1ae70484209d8f |
| BLAKE2b-256 | 18c05b819f397c768d9a5ff71b1b5664eb49936c2833e70bac617e46791f5449 |