Skip to content

XeyyzuV2/xtools.

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
docs
docs
 
 
linux/release
linux/release
 
 
CHANGELOG.md
CHANGELOG.md
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

XTOOLS - Professional Security Toolkit v2.4

By XeyyzuV2 | Forum: https://forum.html-5.me

73 Attack Modules | Login Protected | Premium Interface

⚠️ Disclaimer

FOR EDUCATIONAL & AUTHORIZED TESTING ONLY.

🚀 Installation

# Linux
./release/xtools

# Windows (Coming Soon)
xtools.exe

# Manual (Development)
pip install -r requirements.txt

Login: xeyyzu / xey2025

� Get License Key

To get your license key, join our Discord server:

  1. Join Discord - https://discord.gg/xtools
  2. Open ticket or contact admin
  3. Choose your tier:
    • 🆓 Guest - Free (limited modules)
    • 💎 User - Premium access
    • 👑 Root - Full access (all modules)
  4. Receive your key - Format: XTOOLS-XXXX-XXXX-XXXX

⚠️ Note: License key is locked to your device (HWID). Contact admin for HWID reset if you change hardware.

❓ Why Tier System?

We implement a tier-based access system to prevent abuse and misuse of powerful security tools.

  • 🛡️ Prevent DDoS abuse - DDoS & amplification modules require Root tier
  • 🔒 Responsible disclosure - Ensure tools are used for authorized testing only
  • ⚖️ Accountability - Track who has access to dangerous modules
  • 🚫 Stop script kiddies - Prevent unauthorized attacks on random targets

We believe in ethical hacking. These tools are meant for security professionals, bug bounty hunters, and authorized penetration testers only.

📊 Complete Module Reference (73 Modules)

🎯 Bug Bounty (26)

Module Description
xss XSS Scanner (DOM, Reflected, WAF bypass)
ssrf SSRF (cloud metadata, internal)
ssti Template Injection
sqli SQL Injection Scanner
xxe XXE (7 payloads, OOB)
lfi Local File Inclusion
idor IDOR Scanner
cors CORS Misconfiguration
jwt JWT Analyzer + Cracker
redirect Open Redirect
crlf CRLF Injection
clickjack Clickjacking + PoC
headers Security Headers
params Hidden Parameter Discovery
takeover Subdomain Takeover
smuggling HTTP Request Smuggling
cachepoisoning Web Cache Poisoning
racecondition Race Condition
deserialize Insecure Deserialization
hosthead Host Header Injection

🔍 Advanced (11)

Module Description
graphql GraphQL Introspection & DoS
nosql NoSQL Injection (MongoDB)
cmdi Command Injection
prototype Prototype Pollution
websocket WebSocket Security
vulnscan CVE Scanner (50+ CVEs)
wafdetect WAF Fingerprinting
sslscan SSL/TLS Analysis
apifuzz API Fuzzer
bruteforce Login Bruteforce
masscan Mass Target Scanner

💀 Exploit Tools (3)

Module Description
revshell Reverse Shell Generator (12+ types)
obfuscate Payload Obfuscator (10 encodings)
genpayload Payload Generator

🌐 Web Scanners (6)

Module Description
portscan TCP Port Scanner
subnum Subdomain Enumeration
dirscan Directory Bruteforce
apiscan API Endpoint Discovery
techscan Technology Fingerprint
report Report Generator (HTML/JSON/MD)

⚡ DDoS (9)

Module Description
http HTTP Flood (WAF bypass, 7 methods)
http2 HTTP/2 Rapid Reset
slowloris Slowloris
rudy R-U-Dead-Yet
udp UDP Flood
syn SYN Flood
tcp_ack TCP ACK Flood
icmp ICMP Flood
samp SA:MP Query Flood

📡 Amplification (7)

Module Amplification
dns 54x
ntp 556x
memcached 51,000x
ssdp 30x
snmp 6x
ldap 70x
chargen Variable

🔧 Recon (4)

Module Description
whois WHOIS Lookup
ipinfo IP Geolocation
dnsrecon DNS Enumeration
proxyfetch Proxy List Fetcher

🔥 New in v2.4

🆕 New Attack Modules (+8 Modules)

  • Blind XSS Platform (blindxss) - Callback-based XSS detection with webhook
  • OAuth Scanner (oauth) - OAuth/SSO misconfiguration, token leakage, PKCE bypass
  • SSRF Exploitation Chain (ssrfchain) - Cloud metadata extraction, internal recon
  • Reverse Shell Generator (revshell) - 12+ shell types, multi-encoding
  • DNS Rebinding (dnsrebind) - Bypass same-origin policy attacks
  • WAF Bypass Generator (wafbypass) - XSS/SQLi/LFI/RCE WAF evasion payloads
  • Subdomain Fuzzer (subfuzz) - High-speed permutation-based discovery
  • Zero-Day Scanner (zeroday) - CVE pattern detection (Log4Shell, Spring4Shell, etc.)

🔧 Improvements

  • Enhanced shell integration
  • Better tier enforcement

🎨 Dual-Mode Interface

  • Interactive Menu - Original numbered category selection
  • Command Line Mode - XTOOLS > prompt with commands: help, list, use, info, menu, exit

👑 Tier Animations

  • ROOT - Crown banner, GOD MODE effects, "Welcome Elite Operator"
  • USER - VIP diamond banner, module access list
  • GUEST - Basic banner with upgrade notice

🔐 Security Enhancements

  • No license cache - Keys stored in memory only (not saved to disk)
  • GUEST key auto-expire - Free keys deleted 5 minutes after creation
  • Mandatory internet - Version check requires online connection
  • Forced updates - Outdated versions blocked until updated

🤖 Discord Bot Updates

  • !genkey @user [tier] [duration] - Flexible format: 30m, 12h, 7d, 1y
  • Help embed when no arguments provided

🐛 Bug Fixes

  • Fixed license tier resetting to 'guest' after login
  • Fixed proxy/evasion status always showing OFF
  • Fixed SESSION TERMINATED after removing license cache
  • Fixed startup delay from API calls (reduced timeout)
  • Fixed HWID mismatch not properly exiting program

🔥 New in v2.3

� Tier System

  • Guest Tier - Basic reconnaissance & info gathering modules
  • User Tier - Full access to scanning & bug bounty modules
  • Root Tier - Complete access including DDoS, exploits & amplification
  • Tier-based Access Control - Modules locked based on license tier
  • Dynamic Menu - Only shows accessible modules for your tier

�📦 Pre-built Binaries

  • Linux Binary - Just run ./release/xtools - no Python required!
  • Windows Binary - xtools.exe (Coming Soon)
  • Simplified Installation - No more dependency hell

🛠️ Improvements

  • Faster startup - Optimized module loading
  • Better error handling - More descriptive error messages
  • Code cleanup - Refactored core modules

🔥 New in v2.2

🔐 HWID License System (VIP Protection)

  • Hardware-based authentication - Key locked to device
  • Vercel API - Serverless license validation
  • Discord Bot - !genkey @user for admins
  • Anti-sharing - HWID mismatch = access denied

🎯 Bug Bounty Modules

  • Cloud Bucket Scanner (bucketscan) - AWS S3, GCS, Azure, DO Spaces
  • JS Secret Hunter (jssecrets) - Extract API keys, tokens from JS files
  • WordPress Scanner (wpscan) - Version detect, user enum, plugin CVE check
  • Wordlist Generator (wordgen) - CeWL-like context-aware wordlists

⚡ Enhanced Load Testing

  • Aggressive Mode - 3x threads, no delays
  • Flood Mode - 500 max threads, minimal timeout
  • Turbo Option - Bypass all safety limits
  • HEAD/OPTIONS - Additional HTTP methods

🕵️ Stealth Mode

  • Random Delays - 2-15 seconds between requests
  • UA Rotation - 25+ browser User-Agents
  • Log Evasion - Avoid detection by admin log analysis

🔧 Improvements

  • Auto-Fetch Proxy - Automatic proxy loading when enabled
  • Version bump - v2.2 across all files

🔥 New in v2.1

  • Login Protection with animated intro
  • SQLi Scanner - Error/Union/Blind/Time-based
  • IDOR Scanner - Access control testing
  • Bruteforce - Multi-threaded login attack
  • Reverse Shell Generator - 12+ shell types
  • Payload Obfuscator - 10 encoding methods
  • Mass Scanner - Multi-target scanning
  • Host Header Injection - Password reset poisoning
██╗  ██╗████████╗ ██████╗  ██████╗ ██╗     ███████╗
╚██╗██╔╝╚══██╔══╝██╔═══██╗██╔═══██╗██║     ██╔════╝
 ╚███╔╝    ██║   ██║   ██║██║   ██║██║     ███████╗
 ██╔██╗    ██║   ██║   ██║██║   ██║██║     ╚════██║
██╔╝ ██╗   ██║   ╚██████╔╝╚██████╔╝███████╗███████║
╚═╝  ╚═╝   ╚═╝    ╚═════╝  ╚═════╝ ╚══════╝╚══════╝
                v2.4 By XeyyzuV2

73+ Modules | HWID Protected | Premium Security Toolkit

About

No description, website, or topics provided.

Resources

Readme

License

CC0-1.0 license
Activity

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published