Toolbox Reference
This is the install-and-cheat-sheet companion to the handbook. It lists every tool the methodology uses, where it fits, and — where the original Arsenic tooling has aged out — what I replaced it with.
Original → current tool mapping
Arsenic was built around a late-2010s OSCP-era toolchain. Most of it still holds up; a few tools have been superseded. The handbook uses the right-hand column.
| Phase | Job | Arsenic originally used | What I use now |
|---|---|---|---|
| Discovery | Subdomain enum (passive) | amass, crt.sh | subfinder + amass + crt.sh |
| Discovery | Subdomain brute | amass -brute, gobuster dns | dnsx / puredns |
| Discovery | Mass DNS resolution | fast-resolv | dnsx (or puredns/massdns) |
| Discovery | Host liveness | nmap -sn | nmap -sn + naabu |
| Recon | Port scan | nmap | nmap + naabu (masscan for huge ranges) |
| Recon | Service/version | nmap -sV -sC -A | same |
| Recon | HTTP probe | httpx | httpx |
| Recon | Screenshots | aquatone (archived) | gowitness (or httpx -screenshot) |
| Recon | Content discovery | ffuf, gobuster, dirb | ffuf + feroxbuster |
| Hunting | Vuln templates | nuclei | nuclei |
| Hunting | Known exploits | searchsploit (Exploit-DB) | same |
| Hunting | Subdomain takeover | aquatone tags | subzy / nuclei takeover templates |
| Glue | Scope ingest | mlr (miller), jq | same |
| Glue | Dedup/diff lists | custom sort/comm | anew |
| Reporting | Screenshots | flameshot/maim + xclip | same |
| Reporting | Report site | hugo + arsenic-hugo | same |
Install
ProjectDiscovery suite (Go)
Most of the modern recon flow runs on these. Install Go first and make sure $(go env GOPATH)/bin is on your $PATH.

```bash
go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates
```

naabu needs libpcap (sudo apt install libpcap-dev).
Fuzzing & content discovery
```bash
go install github.com/ffuf/ffuf/v2@latest
# feroxbuster
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash
# gobuster (optional)
go install github.com/OJ/gobuster/v3@latest
```

The feroxbuster one-liner pipes a remote script straight into bash. Read it first (download without `| bash`, inspect, then run), or skip it entirely with the Kali package (`sudo apt install feroxbuster`) or `cargo install feroxbuster`.
Screenshots
```bash
go install github.com/sensepost/gowitness@latest
# gowitness needs a Chromium/Chrome browser present
```
Classics & glue (Debian/Kali)
```bash
sudo apt install -y nmap amass exploitdb jq miller curl whois dnsutils \
    flameshot maim xclip
# anew
go install github.com/tomnomnom/anew@latest
```

`exploitdb` (the package that provides searchsploit) lives in Kali's repos; plain Debian does not ship it, so there clone the Exploit-DB repository (https://gitlab.com/exploit-database/exploitdb) and run searchsploit from the checkout.
Takeover & DNS helpers
```bash
go install github.com/PentestPad/subzy@latest
# puredns (needs massdns) — optional, a really good resolver
go install github.com/d3mondev/puredns/v2@latest
```
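After all of the installs above, a thirty-second self-check saves the mid-engagement "command not found" surprise. This is an added example script, not part of the handbook or of any of the projects listed; the TOOLBOX list is an assumption copied from the mapping table (edit it to match what you actually use), and the Go check assumes `go` is installed.

```bash
#!/bin/sh
# Added example (not handbook code): confirm the toolchain is really on $PATH.
# TOOLBOX is an assumption taken from the mapping table above; adjust freely.

TOOLBOX="subfinder amass dnsx naabu httpx nuclei ffuf feroxbuster gowitness nmap searchsploit jq mlr anew subzy"

# missing_tools NAME... : prints each name not found on $PATH, one per line.
# Exit status is the number of missing tools, so 0 means everything is present.
missing_tools() {
    mt_missing=0
    for mt_tool in "$@"; do
        if ! command -v "$mt_tool" >/dev/null 2>&1; then
            printf '%s\n' "$mt_tool"
            mt_missing=$((mt_missing + 1))
        fi
    done
    return "$mt_missing"
}

# gopath_on_path : 0 if $(go env GOPATH)/bin is on $PATH, 1 otherwise
# (or if go itself is missing). go install drops binaries there, so a miss
# here explains most "I installed it but it isn't found" complaints.
gopath_on_path() {
    gp_bin="$(go env GOPATH 2>/dev/null)/bin" || return 1
    case ":$PATH:" in
        *":$gp_bin:"*) return 0 ;;
        *)             return 1 ;;
    esac
}

# report_toolbox : human-readable summary; exit status mirrors missing_tools.
report_toolbox() {
    if gopath_on_path; then
        echo "ok: Go bin directory is on PATH"
    else
        echo "warn: \$(go env GOPATH)/bin is not on PATH (or go is not installed)"
    fi
    rt_missing="$(missing_tools $TOOLBOX)"
    rt_status=$?
    if [ "$rt_status" -eq 0 ]; then
        echo "ok: all $(echo $TOOLBOX | wc -w | tr -d ' ') tools present"
    else
        echo "missing ($rt_status):"
        printf '  %s\n' $rt_missing
    fi
    return "$rt_status"
}

report_toolbox
```

Run it once after the install steps and again on a fresh shell: the second run catches the common case where the Go bin directory was added to $PATH in one terminal only.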
Wordlists
```bash
git clone https://github.com/danielmiessler/SecLists /opt/SecLists
# the full repo is large; add --depth 1 if you don't need its history
```

The SecLists paths this handbook references:

- Discovery/Web-Content/ — content discovery wordlists.
- Discovery/DNS/ — subdomain brute-force wordlists.
- Fuzzing/ — injection payload lists (SQLi, XSS).
nmap unprivileged setup
```bash
sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip "$(command -v nmap)"
```

This lets nmap do its raw-socket work (SYN scans, OS detection, ARP ping) without sudo; pass `--privileged` if it still falls back to a connect scan. The capabilities are attached to the binary, so every local user who can execute it gets them: do this on your own box, not on a shared jump host.
API keys (recommended)
Passive discovery yield roughly doubles with API keys. Add them to:

- ~/.config/subfinder/provider-config.yaml
- ~/.config/amass/config.ini (Amass v4 moved this to config.yaml plus datasources.yaml in the same directory)
Providers worth setting up (free or cheap): Censys, SecurityTrails, Shodan, VirusTotal, GitHub, Chaos, BeVigil. Never commit these keys to your engagement repo.
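A small audit for those key files, added here as an example rather than handbook code: it checks that each provider config is readable only by you and looks for stray copies inside an engagement directory before they end up in a commit. The two file names are the ones listed above; the directory to scan is whatever you pass as the first argument.

```bash
#!/bin/sh
# Added example (not handbook code): keep API-key files private and out of
# the engagement repo. The two paths are the ones this handbook uses; the
# directory to audit is an argument, so nothing else is hard-wired.

KEY_FILES="${HOME:-.}/.config/subfinder/provider-config.yaml ${HOME:-.}/.config/amass/config.ini"

# file_mode FILE : octal permission bits; GNU stat first, BSD stat fallback
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_key_file FILE : 0 if present and owner-only (600/400),
# 1 if it exists but group/others can read it, 2 if absent.
check_key_file() {
    ck_file="$1"
    [ -f "$ck_file" ] || { printf 'absent: %s\n' "$ck_file"; return 2; }
    ck_mode="$(file_mode "$ck_file")"
    case "$ck_mode" in
        600|400) printf 'ok (%s): %s\n' "$ck_mode" "$ck_file"; return 0 ;;
        *)       printf 'too permissive (%s): %s\n' "$ck_mode" "$ck_file"; return 1 ;;
    esac
}

# find_key_files DIR : list any provider config copies under DIR (an
# engagement repo, say). Anything printed must not be committed.
find_key_files() {
    find "$1" -type f \( -name provider-config.yaml -o -name config.ini \) 2>/dev/null
}

# audit_key_files [DIR] : check the real config files, then scan DIR for
# stray copies. Returns 1 if a file is too permissive or a stray copy exists.
audit_key_files() {
    ak_bad=0
    for ak_f in $KEY_FILES; do
        ak_rc=0
        check_key_file "$ak_f" || ak_rc=$?
        if [ "$ak_rc" -eq 1 ]; then ak_bad=1; fi   # absent (2) is fine: not set up yet
    done
    if [ -n "${1:-}" ]; then
        ak_strays="$(find_key_files "$1")"
        if [ -n "$ak_strays" ]; then
            echo "key files inside $1 (do not commit these):"
            echo "$ak_strays" | sed 's/^/  /'
            ak_bad=1
        fi
    fi
    return "$ak_bad"
}

audit_key_files "$@"
```

Fix a "too permissive" result with `chmod 600` on the file; if you keep tool configs inside the repo for reproducibility, add both file names to `.gitignore` and keep the real keys in the home-directory copies only.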