An automated bash installer that sets up a complete penetration testing and security research environment on Debian, Ubuntu, or Kali Linux. It handles everything from base dependencies and Go/Python toolchains to wordlists, recon frameworks, web exploitation tools, and active directory utilities — all in a single script run.
.
├── cybertoolbox-install.sh # Optimized installer (current version)
├── tool-installer.sh # Original installer (reference / archive)
└── README.md
- Debian, Ubuntu, or Kali Linux (amd64 or arm64)
- Root or sudo access
- Internet connection
- At least 20 GB of free disk space recommended (wordlists alone take several GB)
- Docker installed or installable via apt (the script handles this)
Clone the repository and run the installer as root.
git clone https://github.com/your-username/cybertoolbox.git
cd cybertoolbox
chmod +x cybertoolbox-install.sh
sudo ./cybertoolbox-install.shAfter the script completes, log out and back in so group changes (Docker, Wireshark) and PATH updates take effect.
The script supports four modes controlled by a flag passed at runtime. If no flag is given, it defaults to full.
sudo ./cybertoolbox-install.sh --full # Everything (default)
sudo ./cybertoolbox-install.sh --minimal # Base dependencies only
sudo ./cybertoolbox-install.sh --recon-only # Base + recon and OSINT tools
sudo ./cybertoolbox-install.sh --web-only # Base + web application testing toolsEach mode is strictly enforced. Passing --recon-only will not install exploitation frameworks, mobile tools, or AD utilities. This makes the script suitable for spinning up purpose-built VMs or cloud instances without unnecessary bloat.
Core system packages including curl, wget, git, tmux, zsh, build-essential, Python 3, Ruby, and Docker. These are installed regardless of the mode selected.
Go 1.22.4 is installed to /usr/local/go with the binary and workspace paths exported globally via /etc/profile.d/go.sh and appended to the invoking user's .bashrc and .zshrc. The tarball is verified against a SHA256 checksum before extraction.
subfinder, httpx, naabu, dnsx, katana, uncover, chaos, gau, waybackurls, assetfinder, gf, qsreplace, amass, rustscan, nmap, masscan, enum4linux, smbclient, EyeWitness, and the SecLists / PayloadsAllTheThings / fuzzdb wordlist collections.
nuclei (with auto-updated templates), ffuf, gobuster, feroxbuster, dalfox, sqlmap, wpscan, testssl.sh, wireshark, and Burp Suite Community (installed via snap).
responder, bettercap, kerbrute, chisel, impacket, mitm6, bloodhound.
hashcat and john.
MobSF pulled as a Docker image, objection installed into the Python virtual environment, and adb from apt.
A dedicated venv is created at /opt/pentest-venv. All Python tools are installed into it using the venv's own pip binary rather than the system pip, so there is no risk of breaking system packages. The packages installed depend on the selected mode.
evil-winrm (pinned to 3.5) and wpscan (pinned to 3.11.0) installed with explicit version pins to prevent silent breakage on upstream major releases.
Downloaded from the official Rapid7 installer URL. The script verifies a SHA256 checksum before executing the installer. See the Metasploit section below for setup instructions.
The script intentionally will not execute the Metasploit installer unless you supply a verified checksum. This prevents the classic curl-pipe-bash attack surface where a compromised remote file runs silently.
To get the current checksum, visit the Rapid7 metasploit-omnibus repository and download the msfupdate.erb wrapper script manually, then run:
sha256sum msfupdate.erbOpen cybertoolbox-install.sh and replace the placeholder on this line:
MSF_INSTALLER_SHA256="REPLACE_WITH_CURRENT_SHA256_FROM_RAPID7"Save and re-run the script. If the downloaded file does not match the checksum you provided, the install aborts and removes the file.
The script creates a standard working directory structure in the home folder of the invoking user (resolved correctly even when running via sudo).
~/tools general tool storage
~/labs lab environments and practice targets
~/loot captured data, credentials, hashes
~/reports pentest reports and findings
~/screenshots evidence screenshots
~/notes engagement notes
~/targets target scope files
Every line of output is written to /var/log/cybertoolbox-install.log in addition to being printed to the terminal. If the script fails, the log will show the exact line number and the last commands executed. Check it with:
cat /var/log/cybertoolbox-install.logThe script uses checkpoint files in /tmp (prefixed cybertoolbox_) to track which sections have completed. If the run is interrupted, simply re-run the script with the same flags and it will skip already-completed sections and resume from where it left off.
To force a full reinstall from scratch, clear the checkpoints first:
rm -f /tmp/cybertoolbox_*.done
sudo ./cybertoolbox-install.shAll Python tools are installed in /opt/pentest-venv. Activate it before using them:
source /opt/pentest-venv/bin/activateTo deactivate:
deactivateMobSF runs as a Docker container. Start it with:
docker run -it -p 8000:8000 opensecurity/mobile-security-framework-mobsf:latestThen open http://localhost:8000 in a browser.
The original script (cybertoolbox-install-v1.sh) served as the foundation. The current version addresses the following issues found in v1.
The --minimal, --recon-only, and --web-only flags were defined but never actually used. Every section ran unconditionally regardless of which flag was passed. The current version gates every section behind a should_install function that enforces mode selection properly.
The Python venv section in v1 used source to activate the venv and then called pip, which is unreliable in non-interactive bash. The current version calls the venv's pip binary directly by its full path, which always works.
The Metasploit installer in v1 piped a remote script directly to bash with no integrity check. The current version downloads the script first, verifies it against a SHA256 checksum, and only executes it if the checksum matches.
The Go tarball in v1 was downloaded and extracted with no verification. The current version checks it against a known SHA256 before extracting.
Ruby gems in v1 had no version pins, meaning a future upstream major release could silently install an incompatible version. The current version pins both evil-winrm and wpscan.
The amass tool was listed in the verification step of v1 but was never actually installed anywhere in the script. The current version installs it via apt with a go install fallback.
The home directory in v1 was resolved using $HOME, which points to root's home when running via sudo. The current version uses getent passwd to resolve the actual invoking user's home directory correctly.
The checkpoint namespace in v1 used bare names like system_update.done which could collide with other scripts. The current version prefixes all checkpoints with cybertoolbox_.
This toolbox is intended for use in authorized penetration testing engagements, CTF competitions, security research, and personal lab environments. Using these tools against systems you do not own or do not have explicit written permission to test is illegal. The authors take no responsibility for misuse.
Pull requests are welcome. If you add a new tool, please add it to the appropriate mode category, add a verify_tool call in the verification section, and update this README.