Toolbox Reference

Install commands for the full toolchain, plus a mapping from the tools Arsenic originally automated to what I use now.

This is the install-and-cheat-sheet companion to the handbook. It lists every tool the methodology uses, where it fits, and — where the original Arsenic tooling has aged out — what I replaced it with.

Original → current tool mapping

Arsenic was built around a late-2010s OSCP-era toolchain. Most of it still holds up; a few tools have been superseded. The handbook uses the right-hand column.

| Phase     | Job                      | Arsenic originally used    | What I use now                         |
|-----------|--------------------------|----------------------------|----------------------------------------|
| Discovery | Subdomain enum (passive) | amass, crt.sh              | subfinder + amass + crt.sh             |
| Discovery | Subdomain brute          | amass -brute, gobuster dns | dnsx / puredns                         |
| Discovery | Mass DNS resolution      | fast-resolv                | dnsx (or puredns/massdns)              |
| Discovery | Host liveness            | nmap -sn                   | nmap -sn + naabu                       |
| Recon     | Port scan                | nmap                       | nmap + naabu (masscan for huge ranges) |
| Recon     | Service/version          | nmap -sV -sC -A            | same                                   |
| Recon     | HTTP probe               | httpx                      | httpx                                  |
| Recon     | Screenshots              | aquatone (archived)        | gowitness (or httpx -screenshot)       |
| Recon     | Content discovery        | ffuf, gobuster, dirb       | ffuf + feroxbuster                     |
| Hunting   | Vuln templates           | nuclei                     | nuclei                                 |
| Hunting   | Known exploits           | searchsploit (Exploit-DB)  | same                                   |
| Hunting   | Subdomain takeover       | aquatone tags              | subzy / nuclei takeover templates      |
| Glue      | Scope ingest             | mlr (miller), jq           | same                                   |
| Glue      | Dedup/diff lists         | custom sort/comm           | anew                                   |
| Reporting | Screenshots              | flameshot/maim + xclip     | same                                   |
| Reporting | Report site              | hugo + arsenic-hugo        | same                                   |

Install

ProjectDiscovery suite (Go)

Most of the modern recon flow runs on these. Install Go first and make sure $(go env GOPATH)/bin is on your $PATH.

go install github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install github.com/projectdiscovery/dnsx/cmd/dnsx@latest
go install github.com/projectdiscovery/naabu/v2/cmd/naabu@latest
go install github.com/projectdiscovery/httpx/cmd/httpx@latest
go install github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates

naabu needs libpcap (sudo apt install libpcap-dev).

Fuzzing & content discovery

go install github.com/ffuf/ffuf/v2@latest
# feroxbuster
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/main/install-nix.sh | bash
# gobuster (optional)
go install github.com/OJ/gobuster/v3@latest

Screenshots

go install github.com/sensepost/gowitness@latest
# gowitness needs a Chromium/Chrome browser present

Classics & glue (Debian/Kali)

sudo apt install -y nmap amass exploitdb jq miller curl whois dnsutils \
                    flameshot maim xclip
# anew
go install github.com/tomnomnom/anew@latest

Takeover & DNS helpers

go install github.com/PentestPad/subzy@latest
# puredns (needs massdns) — optional, a really good resolver
go install github.com/d3mondev/puredns/v2@latest

Wordlists

git clone https://github.com/danielmiessler/SecLists /opt/SecLists

The SecLists paths this handbook references:

  • Discovery/Web-Content/ — content discovery wordlists.
  • Discovery/DNS/ — subdomain brute-force wordlists.
  • Fuzzing/ — injection payload lists (SQLi, XSS).

nmap unprivileged setup

sudo setcap cap_net_raw,cap_net_admin,cap_net_bind_service+eip "$(command -v nmap)"

API keys

Passive discovery yield roughly doubles with API keys. Add them to:

  • ~/.config/subfinder/provider-config.yaml
  • ~/.config/amass/config.ini

Providers worth setting up (free or cheap): Censys, SecurityTrails, Shodan, VirusTotal, GitHub, Chaos, BeVigil. Never commit these keys to your engagement repo.
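A post-install check for the toolchain above, added here as an example and not part of the handbook or of any tool it lists. It assumes a Debian/Kali-style Linux box (GNU `getcap`, `ls -l` column layout), takes the binary names from the right-hand column of the mapping table, and uses the two provider-config paths given above.

```shell
#!/bin/sh
# Added example: sanity-check the install steps above. Reports binaries missing
# from PATH, a Go bin directory that is not on PATH, an nmap binary without the
# raw-socket capabilities, and API-key files that other local users can read.

# Binaries from the right-hand column of the mapping table.
TOOLS="subfinder dnsx naabu httpx nuclei ffuf feroxbuster gowitness nmap amass searchsploit jq mlr anew subzy"

# Return 0 if every name in "$1" resolves on PATH; else print the missing ones and return 1.
check_tools() {
    missing=""
    for t in $1; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    [ -z "$missing" ] && return 0
    echo "missing:$missing"
    return 1
}

# Return 0 if directory "$1" is a component of the PATH-style string "$2".
path_has_dir() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# Return 0 if "$1" exists with no group/other permission bits (0600 or 0400).
# Provider configs hold API keys, so anything looser deserves a warning.
key_file_private() {
    [ -f "$1" ] || return 1
    # Columns 5-10 of `ls -l` are the group and other rwx bits.
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

check_toolchain() {
    check_tools "$TOOLS" && echo "all tools present"
    if command -v go >/dev/null 2>&1; then
        gobin="$(go env GOPATH)/bin"
        path_has_dir "$gobin" "$PATH" || echo "warning: $gobin is not on PATH"
    fi
    # Unprivileged nmap needs the capabilities from the setcap step above.
    nmap_bin=$(command -v nmap 2>/dev/null) \
        && { getcap "$nmap_bin" 2>/dev/null | grep -q cap_net_raw \
             || echo "note: nmap lacks cap_net_raw; run as root or apply setcap"; }
    for f in "$HOME/.config/subfinder/provider-config.yaml" "$HOME/.config/amass/config.ini"; do
        [ -f "$f" ] && ! key_file_private "$f" && echo "warning: $f is group/world readable; chmod 600 it"
    done
    return 0
}

check_toolchain
```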

Last modified July 4, 2026: Post/mobi (#71) (ff64902)