daker52/opensource-pentest-toolkit

GitHub: daker52/opensource-pentest-toolkit

Stars: 0 | Forks: 0

# 🔴 Open Source Penetration Testing Toolkit

**A curated, English-language guide to 30+ GitHub-hosted pentest tools — what they do, how they work, and how to use them responsibly.**

[![License: MIT](https://img.shields.io/badge/License-MIT-yellow?style=for-the-badge)](./LICENSE) [![OWASP](https://img.shields.io/badge/OWASP-Testing%20Guide-000?style=for-the-badge&logo=owasp)](https://owasp.org/www-project-web-security-testing-guide/) [![PTES](https://img.shields.io/badge/Methodology-PTES-8b5cf6?style=for-the-badge)](http://www.pentest-standard.org/) [![GitHub](https://img.shields.io/github/stars/daker52/opensource-pentest-toolkit?style=social)](https://github.com/daker52/opensource-pentest-toolkit)

[Quick start](#-quick-start) · [Tool index (30+)](#-tool-index-by-category) · [How to read this guide](#-how-to-read-this-guide) · [Methodology](./docs/METHODOLOGY.md) · [Lab setup](./docs/LAB-SETUP.md) · [Legal & ethics](./docs/LEGAL-AND-ETHICS.md)
## What is this repository?

This is **not a single exploit framework** — it is a **structured handbook** for open-source penetration testing software hosted on GitHub. Each entry explains:

1. **Purpose** — which phase of a pentest it supports
2. **How it works** — architecture in plain English
3. **Installation** — typical setup on Linux/macOS
4. **Usage** — minimal commands to get first results
5. **When to use it** — and what to run next

Use it to build a toolchain, prepare for certifications (e.g. OSCP, PNPT), or onboard junior testers.

### Related repositories

| Repo | Role |
|------|------|
| **[Next.js App Router Security Lab](https://github.com/daker52/nextjs-app-router-security-lab)** | Hands-on Next.js flaws + fixes; maps tools from this guide to each module |
| **[Next.js Security Shield](https://github.com/daker52/Next.js---Security-shield-list-help)** | Production-ready secure boilerplate after you complete the lab |

## 🧭 How to read this guide

| Symbol | Meaning |
|--------|---------|
| 🔍 | Reconnaissance / OSINT |
| 🌐 | Web application testing |
| 📡 | Network / infrastructure |
| 🏢 | Active Directory / internal |
| 🔓 | Exploitation / C2 |
| ☁️ | Cloud & containers |
| 📱 | Mobile |
| 🔑 | Secrets / supply chain |
| 📊 | Reporting / automation |

**Typical flow:** Recon → Scan → Enumerate → Exploit (proof) → Post-exploit → Report. Details in [docs/METHODOLOGY.md](./docs/METHODOLOGY.md).

```mermaid
flowchart LR
    A[Planning & RoE] --> B[Recon]
    B --> C[Scanning]
    C --> D[Vuln Analysis]
    D --> E[Exploitation]
    E --> F[Post-Exploit]
    F --> G[Report]
```

## ⚡ Quick start

```bash
git clone https://github.com/daker52/opensource-pentest-toolkit.git
cd opensource-pentest-toolkit
```

1. Read [Legal & Ethics](./docs/LEGAL-AND-ETHICS.md)
2. Build a lab per [Lab Setup](./docs/LAB-SETUP.md)
3. Pick tools from the index below for your engagement type (web / network / AD / cloud)

**Example — first web recon chain (authorized target only):**

```bash
subfinder -d example.com -silent | httpx -silent -status-code -title -tech-detect -o alive.txt
katana -u https://www.example.com -d 3 -o urls.txt
nuclei -l alive.txt -severity medium,high,critical
```

## 📋 Tool index by category

| # | Tool | Category | GitHub |
|---|------|----------|--------|
| 1 | Subfinder | 🔍 Recon | [projectdiscovery/subfinder](https://github.com/projectdiscovery/subfinder) |
| 2 | httpx | 🔍 Recon | [projectdiscovery/httpx](https://github.com/projectdiscovery/httpx) |
| 3 | Amass | 🔍 Recon | [owasp-amass/amass](https://github.com/owasp-amass/amass) |
| 4 | theHarvester | 🔍 Recon | [laramies/theHarvester](https://github.com/laramies/theHarvester) |
| 5 | Naabu | 📡 Network | [projectdiscovery/naabu](https://github.com/projectdiscovery/naabu) |
| 6 | Katana | 🌐 Web | [projectdiscovery/katana](https://github.com/projectdiscovery/katana) |
| 7 | Nuclei | 🌐 Web | [projectdiscovery/nuclei](https://github.com/projectdiscovery/nuclei) |
| 8 | OWASP ZAP | 🌐 Web | [zaproxy/zaproxy](https://github.com/zaproxy/zaproxy) |
| 9 | sqlmap | 🌐 Web | [sqlmapproject/sqlmap](https://github.com/sqlmapproject/sqlmap) |
| 10 | ffuf | 🌐 Web | [ffuf/ffuf](https://github.com/ffuf/ffuf) |
| 11 | feroxbuster | 🌐 Web | [epi052/feroxbuster](https://github.com/epi052/feroxbuster) |
| 12 | Dalfox | 🌐 Web | [hahwul/dalfox](https://github.com/hahwul/dalfox) |
| 13 | Commix | 🌐 Web | [commixproject/commix](https://github.com/commixproject/commix) |
| 14 | Nikto | 🌐 Web | [sullo/nikto](https://github.com/sullo/nikto) |
| 15 | mitmproxy | 🌐 Web | [mitmproxy/mitmproxy](https://github.com/mitmproxy/mitmproxy) |
| 16 | Nmap | 📡 Network | [nmap/nmap](https://github.com/nmap/nmap) |
| 17 | Masscan | 📡 Network | [robertdavidgraham/masscan](https://github.com/robertdavidgraham/masscan) |
| 18 | NetExec | 🏢 AD / Internal | [Pennyw0rth/NetExec](https://github.com/Pennyw0rth/NetExec) |
| 19 | Impacket | 🏢 AD / Internal | [fortra/impacket](https://github.com/fortra/impacket) |
| 20 | BloodHound CE | 🏢 AD / Internal | [SpecterOps/BloodHound](https://github.com/SpecterOps/BloodHound) |
| 21 | Responder | 🏢 AD / Internal | [lgandx/Responder](https://github.com/lgandx/Responder) |
| 22 | evil-winrm | 🏢 AD / Internal | [Hackplayers/evil-winrm](https://github.com/Hackplayers/evil-winrm) |
| 23 | PEASS-ng | 🔓 Post-exploit | [peass-ng/PEASS-ng](https://github.com/peass-ng/PEASS-ng) |
| 24 | Sliver | 🔓 C2 | [BishopFox/sliver](https://github.com/BishopFox/sliver) |
| 25 | Havoc | 🔓 C2 | [HavocFramework/Havoc](https://github.com/HavocFramework/Havoc) |
| 26 | Metasploit Framework | 🔓 Exploit | [rapid7/metasploit-framework](https://github.com/rapid7/metasploit-framework) |
| 27 | Hashcat | 🔑 Passwords | [hashcat/hashcat](https://github.com/hashcat/hashcat) |
| 28 | THC-Hydra | 🔑 Passwords | [vanhauser-thc/thc-hydra](https://github.com/vanhauser-thc/thc-hydra) |
| 29 | Trivy | ☁️ Cloud | [aquasecurity/trivy](https://github.com/aquasecurity/trivy) |
| 30 | Prowler | ☁️ Cloud | [prowler-cloud/prowler](https://github.com/prowler-cloud/prowler) |
| 31 | ScoutSuite | ☁️ Cloud | [NCCGroup/ScoutSuite](https://github.com/NCCGroup/ScoutSuite) |
| 32 | Gitleaks | 🔑 Secrets | [gitleaks/gitleaks](https://github.com/gitleaks/gitleaks) |
| 33 | TruffleHog | 🔑 Secrets | [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) |
| 34 | MobSF | 📱 Mobile | [MobSF/Mobile-Security-Framework-MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF) |
| 35 | Frida | 📱 Mobile | [frida/frida](https://github.com/frida/frida) |

## 🔍 Reconnaissance & OSINT

### 1. Subfinder — passive subdomain discovery

| | |
|---|---|
| **Repo** | https://github.com/projectdiscovery/subfinder |
| **Language** | Go |

**What it does** — Enumerates subdomains using passive sources (certificate transparency, DNS archives, APIs). No packets sent to the target by default.

**How it works** — Aggregates results from configured OSINT providers, deduplicates, and prints hostnames. Pair with `httpx` to find which hosts are live.

**Install**

```bash
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
```

**Usage**

```bash
subfinder -d example.com -all -recursive -o subs.txt
cat subs.txt | httpx -silent -o live.txt
```

**When to use** — First step of external web/network assessments; building scope lists for bug bounty programs (within program rules).

### 2. httpx — HTTP probing at scale

| | |
|---|---|
| **Repo** | https://github.com/projectdiscovery/httpx |
| **Language** | Go |

**What it does** — Takes a list of URLs/hosts and returns status codes, titles, technologies, TLS info, and redirects.

**How it works** — Concurrent HTTP client with filters; enriches responses using Wappalyzer-style fingerprinting.

**Install**

```bash
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
```

**Usage**

**When to use** — After subdomain discovery; before Nuclei, manual testing, or crawling.

### 3. OWASP Amass — deep attack surface mapping

| | |
|---|---|
| **Repo** | https://github.com/owasp-amass/amass |
| **Language** | Go |

**What it does** — Maps organizations: subdomains, ASNs, netblocks, DNS records, and related infrastructure.

**How it works** — Combines scraping, DNS brute force (optional), and API integrations into a graph-oriented data model.

**Install** — See [INSTALL.md](https://github.com/owasp-amass/amass/blob/master/doc/install.md) (releases or Docker).

**Usage**

```bash
amass enum -d example.com -o amass.txt
amass intel -org "Example Corp"
```

**When to use** — Large-scope external assessments; red team discovery phase.

### 4. theHarvester — email & host OSINT

| | |
|---|---|
| **Repo** | https://github.com/laramies/theHarvester |
| **Language** | Python |

**What it does** — Collects emails, subdomains, hosts, and URLs from search engines and public sources.

**How it works** — Queries third-party sources (Bing, DuckDuckGo, Shodan with API key, etc.) and merges results.

**Install**

```bash
git clone https://github.com/laramies/theHarvester.git
cd theHarvester
pip install -r requirements.txt
```

**Usage**

```bash
python theHarvester.py -d example.com -b duckduckgo -l 500
```

**When to use** — Social engineering prep (with RoE), username/email lists for password spraying **only where authorized**.

## 📡 Network scanning

### 5. Naabu — fast port scanner

| | |
|---|---|
| **Repo** | https://github.com/projectdiscovery/naabu |
| **Language** | Go |

**What it does** — Identifies open TCP/UDP ports on many hosts quickly.

**How it works** — SYN/CONNECT scanning with optional integration to Nmap for service detection.

**Usage**

```bash
naabu -host 10.10.10.0/24 -top-ports 1000 -o ports.txt
nmap -sV -iL ports.txt -oA services
```

**When to use** — External or internal network discovery after the host list is known.

### 6. Nmap — network discovery & service fingerprinting

| | |
|---|---|
| **Repo** | https://github.com/nmap/nmap |
| **Language** | C |

**What it does** — Industry-standard scanner: live hosts, open ports, service versions, OS guesses, NSE scripts.

**How it works** — Raw packets + probe signatures; **NSE** (Nmap Scripting Engine) runs Lua scripts for vuln checks.

**Install** — `sudo apt install nmap` (Kali/Debian) or download from [nmap.org](https://nmap.org/).

**Usage**

```bash
nmap -sC -sV -oA scan 10.10.10.5
nmap --script vuln -p80,443 target.example
```

**When to use** — Every infrastructure test; validate Naabu/Masscan results.

### 7. Masscan — Internet-scale port scanning

| | |
|---|---|
| **Repo** | https://github.com/robertdavidgraham/masscan |
| **Language** | C |

**What it does** — Sends SYN packets at very high rate (millions of ports per second on suitable hardware).

**How it works** — Stateless scanning; requires careful rate limits (`--rate`) to avoid network disruption.

**Usage**

```bash
masscan 10.10.10.0/24 -p1-65535 --rate 1000 -oL masscan.txt
```

## 🌐 Web application testing

### 8. Katana — web crawler

| | |
|---|---|
| **Repo** | https://github.com/projectdiscovery/katana |
| **Language** | Go |

**What it does** — Crawls sites for URLs, JS endpoints, forms, and parameters (headless optional).

**How it works** — Parses HTML/JS; respects depth; outputs unique endpoints for fuzzing and Nuclei.

**Usage**

```bash
katana -u https://app.example.com -d 5 -jc -o urls.txt
```

**When to use** — Before `ffuf` / `nuclei` / manual Burp-style testing.

### 9. Nuclei — template-based vulnerability scanner

| | |
|---|---|
| **Repo** | https://github.com/projectdiscovery/nuclei |
| **Templates** | https://github.com/projectdiscovery/nuclei-templates |

**What it does** — Runs YAML templates for CVEs, misconfigs, exposed panels, and technology-specific checks.

**How it works** — HTTP/DNS/TCP requests defined in templates; matchers detect vulnerable responses at scale.

**Install**

```bash
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
nuclei -update-templates
```

**Usage**

```bash
nuclei -l alive.txt -severity high,critical -o findings.txt
nuclei -u https://app.example.com -t exposures/
```

**When to use** — Broad automated pass; **always manually verify** findings before reporting.

### 10. OWASP ZAP — DAST proxy & scanner

| | |
|---|---|
| **Repo** | https://github.com/zaproxy/zaproxy |
| **Language** | Java |

**What it does** — Intercepts HTTP traffic, spiders apps, runs active/passive scans, supports automation (API, CI).

**Usage**

```bash
# Docker
docker run -u zap -p 8080:8080 -p 8090:8090 zaproxy/zap-stable
# Point browser proxy to localhost:8080; browse target app
```

**When to use** — Manual web testing, CI pipelines, complementing Nuclei.

### 11. sqlmap — SQL injection automation

| | |
|---|---|
| **Repo** | https://github.com/sqlmapproject/sqlmap |
| **Language** | Python |

**What it does** — Detects and exploits SQL injection; extracts data, files, OS shells (when possible).

**How it works** — Sends crafted parameters; compares responses; supports many DBMS backends and tamper scripts.

**Usage**

```bash
sqlmap -u "https://app.example/item?id=1" --batch --risk 1 --level 1
sqlmap -r request.txt -p id --dbs
```

**When to use** — Confirmed or suspected SQLi; **low risk/level in production** unless RoE allows aggressive tests.

### 12. ffuf — fast web fuzzer

| | |
|---|---|
| **Repo** | https://github.com/ffuf/ffuf |
| **Language** | Go |

**What it does** — Brute-forces paths, parameters, vhosts, and headers.

**How it works** — Concurrent requests with `FUZZ` keyword replacement; filters by size/status/words.

**Usage**

```bash
ffuf -w /usr/share/wordlists/dirb/common.txt -u https://app.example/FUZZ -mc 200,301,302
ffuf -w hosts.txt -u https://FUZZ.example.com -H "Host: FUZZ.example.com"
```

**When to use** — Hidden directories, API versioning, virtual host discovery.

### 13. feroxbuster — recursive content discovery

| | |
|---|---|
| **Repo** | https://github.com/epi052/feroxbuster |
| **Language** | Rust |

**What it does** — Directory/file brute force with automatic recursion into discovered folders.

**How it works** — Async HTTP; configurable wordlists, extensions, status code filtering.

**Usage**

```bash
feroxbuster -u https://app.example -w wordlist.txt -x php,asp,aspx -C 404
```

**When to use** — Alternative/complement to `ffuf` for deep content discovery.

### 14. Dalfox — XSS parameter analyzer

| | |
|---|---|
| **Repo** | https://github.com/hahwul/dalfox |
| **Language** | Go |

**What it does** — Finds reflected/stored/DOM XSS vectors in parameters and forms.

**How it works** — Parameter mining + payload injection + verification of reflections in responses.

**Usage**

```bash
dalfox url "https://app.example/search?q=test"
cat urls.txt | dalfox pipe
```

**When to use** — After crawling; focused XSS passes before manual exploitation.

### 15. Commix — command injection exploitation

| | |
|---|---|
| **Repo** | https://github.com/commixproject/commix |
| **Language** | Python |

**What it does** — Automates detection and exploitation of OS command injection flaws.

**How it works** — Injects shell metacharacters into parameters; evaluates time-based/blind/output-based results.

**Usage**

```bash
python commix.py -u "https://app.example/ping?ip=127.0.0.1" --batch
```

**When to use** — Parameters that pass input to system commands (ping, traceroute, image processors).

### 16. Nikto — web server scanner

| | |
|---|---|
| **Repo** | https://github.com/sullo/nikto |
| **Language** | Perl |

**What it does** — Checks for outdated software, dangerous files, and common server misconfigurations.

**Usage**

```bash
nikto -h https://app.example -o nikto.html -Format html
```

**When to use** — Quick server-level pass; expect noise — triage results manually.

### 17. mitmproxy — interactive HTTPS proxy

| | |
|---|---|
| **Repo** | https://github.com/mitmproxy/mitmproxy |
| **Language** | Python |

**What it does** — Intercept, modify, and replay HTTP/2/WebSocket traffic; scriptable with Python.

**How it works** — TLS MITM with trusted CA; CLI (`mitmproxy`), web (`mitmweb`), or dump mode.

**Usage**

```bash
mitmproxy --listen-port 8080
# Configure browser/system proxy; install mitmproxy CA cert
```

**When to use** — Deep manual analysis, mobile app traffic (with device cert), custom automation.

## 🏢 Active Directory & internal networks

### 18. NetExec (nxc) — network service Swiss Army knife

| | |
|---|---|
| **Repo** | https://github.com/Pennyw0rth/NetExec |
| **Language** | Python |

**What it does** — SMB, WinRM, MSSQL, LDAP enumeration; credential spraying; command execution (authorized tests).

**How it works** — Modular protocol libraries; uses known creds/hashes across services (successor to CrackMapExec).

**Usage**

```bash
nxc smb 10.10.10.0/24 --shares -u '' -p ''
nxc winrm 10.10.10.50 -u admin -p 'Password123!' -x whoami
```

**When to use** — Internal Windows domains; post-initial-access lateral movement mapping.

### 19. Impacket — Python protocol implementations

| | |
|---|---|
| **Repo** | https://github.com/fortra/impacket |
| **Language** | Python |

**What it does** — Scripts for SMB, Kerberos, MS-RPC (e.g. `secretsdump`, `psexec`, `GetNPUsers`).

**How it works** — Pure Python implementations of Microsoft protocols; used by many other tools.

**Usage**

```bash
impacket-psexec corp/admin@10.10.10.50
impacket-secretsdump corp/admin@10.10.10.10
GetNPUsers.py corp.local/ -usersfile users.txt -no-pass
```

### 21. Responder — LLMNR/NBT-NS poisoner

| | |
|---|---|
| **Repo** | https://github.com/lgandx/Responder |
| **Language** | Python |

**What it does** — Captures NTLMv1/v2 hashes when Windows hosts resolve names via broadcast protocols.

**How it works** — Listens on LAN; answers name queries; relays or dumps hashes for offline cracking.

**Usage**

```bash
sudo python Responder.py -I eth0 -dwPv
```

**When to use** — Internal assessments only; **disable if not in scope** (high impact on legacy networks).

### 22. evil-winrm — WinRM shell client

| | |
|---|---|
| **Repo** | https://github.com/Hackplayers/evil-winrm |
| **Language** | Ruby |

**What it does** — Interactive WinRM sessions with upload/download and scripting helpers.

**Usage**

```bash
evil-winrm -i 10.10.10.50 -u administrator -p 'Password123!'
```

**When to use** — When WinRM (5985/5986) is open and valid credentials are obtained.
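The Quick start chain above pipes every host httpx reports straight into nuclei, and subfinder's passive sources routinely return hosts the Rules of Engagement never covered. The scope gate below is an added example, not code from this toolkit: it assumes a constructed `scope.txt` of exact hostnames or `*.suffix` wildcards and httpx output whose first field is the URL, and it drops anything outside the written scope before the active scan stage.

```shell
#!/bin/sh
# Added example (not part of the toolkit): gate httpx output on the written
# scope before handing it to nuclei / ffuf / sqlmap.
#
# Assumptions (constructed for this example):
#   - scope file: one entry per line, an exact hostname (app.example.com) or a
#     wildcard suffix (*.example.com); blank lines and '#' comments ignored.
#     A wildcard does NOT match the apex itself; list the apex explicitly.
#   - input lines: httpx output, first whitespace-separated field is a URL or
#     bare host, e.g. "https://app.example.com:8443/login [200] [Login]".

# Reduce an httpx line to a lowercase bare hostname (strip scheme, port, path).
host_of() {
  printf '%s\n' "$1" | awk '{print $1}' | tr 'A-Z' 'a-z' \
    | sed 's#^[a-z][a-z0-9+.-]*://##; s#[:/].*$##'
}

# Exit 0 when host $1 matches a line of scope file $2, else 1.
in_scope() {
  _host=$1
  _scope=$2
  while IFS= read -r _pat || [ -n "$_pat" ]; do
    _pat=$(printf '%s' "$_pat" | tr 'A-Z' 'a-z' | tr -d '[:space:]')
    case "$_pat" in
      ''|'#'*) continue ;;                        # blank line or comment
      '*.'*)                                      # wildcard: *.example.com
        _suffix=${_pat#\*}                        # -> .example.com
        case "$_host" in *"$_suffix") return 0 ;; esac ;;
      *) [ "$_host" = "$_pat" ] && return 0 ;;    # exact hostname
    esac
  done < "$_scope"
  return 1
}

# Pass in-scope httpx lines through on stdout; report dropped hosts on stderr.
# Usage: filter_scope scope.txt < alive.txt > alive.in-scope.txt
filter_scope() {
  _file=$1
  while IFS= read -r _line || [ -n "$_line" ]; do
    [ -z "$_line" ] && continue
    _h=$(host_of "$_line")
    if in_scope "$_h" "$_file"; then
      printf '%s\n' "$_line"
    else
      printf 'dropped (out of scope): %s\n' "$_h" >&2
    fi
  done
}
```

Hosts such as `app.example.com.attacker.net` are rejected because the wildcard is anchored to the end of the name; the stderr report gives you the list to reconcile with the client before widening scope.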
## 🔓 Post-exploitation & C2 (authorized red team)

### 23. PEASS-ng — privilege escalation scripts

| | |
|---|---|
| **Repo** | https://github.com/peass-ng/PEASS-ng |
| **Includes** | LinPEAS, WinPEAS, lin/win enums |

**What it does** — Enumerates misconfigs, weak permissions, and known privesc vectors on Linux/Windows/macOS.

**Usage**

```bash
# On target (lab), transfer script then:
./linpeas.sh
# Or one-liner download in authorized lab only
```

**When to use** — After foothold; before requesting kernel exploits or credential dumps.

### 24. Sliver — modern C2 framework

| | |
|---|---|
| **Repo** | https://github.com/BishopFox/sliver |
| **Language** | Go |

**What it does** — Command & control for red team operations: implants, mTLS/WireGuard, multiplayer.

**How it works** — Server generates implants; operators interact via CLI; supports BOF and extensions.

**Usage**

```bash
# Server
sliver-server
# Client (the generate command is entered inside the Sliver console)
sliver-client
generate --http 10.10.10.1:80 --os windows --save /tmp/implant.exe
```

**When to use** — **Approved red team** engagements only; never against unauthorized systems.

### 25. Havoc — flexible post-exploitation C2

| | |
|---|---|
| **Repo** | https://github.com/HavocFramework/Havoc |
| **Language** | C / C++ / Python |

**What it does** — Teamserver + cross-platform implants + demon agent for Windows.

**When to use** — Alternative to Cobalt/Sliver in authorized adversary simulation.

### 26. Metasploit Framework — exploit & module platform

| | |
|---|---|
| **Repo** | https://github.com/rapid7/metasploit-framework |
| **Language** | Ruby |

**How it works** — `msfconsole` selects modules; combines payload + handler; integrates with Nmap.

**Usage**

```bash
msfconsole -q -x "use exploit/...; set RHOSTS 10.10.10.5; run"
```

**When to use** — Known CVE exploitation in labs; validate Metasploit modules against patched targets carefully.

## 🔑 Password attacks

### 27. Hashcat — GPU password recovery

| | |
|---|---|
| **Repo** | https://github.com/hashcat/hashcat |
| **Language** | C |

**What it does** — Cracks NTLM, bcrypt, WPA, and hundreds of hash types using CPU/GPU.

**Usage**

```bash
hashcat -m 1000 ntlm_hashes.txt wordlist.txt -r rules/best64.rule
```

**When to use** — Offline cracking of hashes captured **lawfully** during an engagement.

### 28. THC-Hydra — online login brute force

| | |
|---|---|
| **Repo** | https://github.com/vanhauser-thc/thc-hydra |
| **Language** | C |

**What it does** — Parallelized password guessing for SSH, RDP, HTTP forms, SMB, etc.

**Usage**

```bash
hydra -l admin -P passwords.txt ssh://10.10.10.50
```

## ☁️ Cloud & containers

### 29. Trivy — vulnerability & misconfig scanner

| | |
|---|---|
| **Repo** | https://github.com/aquasecurity/trivy |
| **Language** | Go |

**What it does** — Scans container images, filesystems, IaC (Terraform/K8s), and repos for CVEs and secrets.

**Usage**

```bash
trivy image myapp:latest
trivy fs --scanners vuln,secret,misconfig .
trivy k8s --report summary cluster
```

**When to use** — DevSecOps, cloud pentests, CI gates.

### 30. Prowler — AWS/Azure/GCP security assessment

| | |
|---|---|
| **Repo** | https://github.com/prowler-cloud/prowler |
| **Language** | Python |

**What it does** — Hundreds of checks against cloud APIs (CIS benchmarks, misconfigurations, logging gaps).

**Usage**

```bash
prowler aws --profile assessment
prowler azure --az-cli-auth
```

**When to use** — Cloud configuration reviews with read-only assessor credentials.

### 31. ScoutSuite — multi-cloud security auditing

| | |
|---|---|
| **Repo** | https://github.com/NCCGroup/ScoutSuite |
| **Language** | Python |

**What it does** — HTML report of risky cloud settings across AWS, Azure, GCP, Oracle, etc.

**Usage**

```bash
scout aws --profile default --report-dir ./scout-report
```

**When to use** — Executive-friendly cloud overview; pair with Prowler for depth.

## 🔑 Secrets & supply chain

### 32. Gitleaks — Git secret scanner

| | |
|---|---|
| **Repo** | https://github.com/gitleaks/gitleaks |
| **Language** | Go |

**What it does** — Scans commits and files for API keys, tokens, and passwords.

**Usage**

```bash
gitleaks detect --source . -v
gitleaks protect --staged
```

**When to use** — Pre-commit hooks, CI, repo audits.

### 33. TruffleHog — high-entropy secret verification

| | |
|---|---|
| **Repo** | https://github.com/trufflesecurity/trufflehog |
| **Language** | Go |

**What it does** — Scans Git history with **active verification** (calls provider APIs when possible).

**Usage**

```bash
trufflehog git file://. --only-verified
```

**When to use** — Deep secret hunting in monorepos and org-wide GitHub scans (with permission).

## 📱 Mobile application security

### 34. MobSF — Mobile Security Framework

| | |
|---|---|
| **Repo** | https://github.com/MobSF/Mobile-Security-Framework-MobSF |
| **Language** | Python |

**What it does** — Static + dynamic analysis of APK/IPA; API fuzzing; malware indicators.

**Usage**

```bash
# Docker recommended
docker run -it --rm -p 8000:8000 opensecurity/mobile-security-framework-mobsf
# Upload APK via http://localhost:8000
```

**When to use** — Android/iOS app assessments; complement with Frida for runtime hooks.

### 35. Frida — dynamic instrumentation toolkit

| | |
|---|---|
| **Repo** | https://github.com/frida/frida |
| **Language** | C / JS |

**What it does** — Injects JavaScript into mobile/desktop apps to bypass SSL pinning, trace APIs, modify logic.

**How it works** — `frida-server` on device + Python/CLI scripts hooking functions at runtime.

**Usage**

```bash
frida-ps -U
frida -U -f com.app.example -l bypass_ssl.js
```

**When to use** — Advanced mobile tests after MobSF static pass.
## 🛠️ Building your toolchain

| Engagement | Suggested minimum stack |
|------------|-------------------------|
| **External web** | Subfinder → httpx → Katana → Nuclei → ZAP/mitmproxy → sqlmap |
| **Internal AD** | Nmap → NetExec → BloodHound → Impacket → PEASS-ng |
| **Cloud** | Prowler + ScoutSuite + Trivy on images/IaC |
| **Mobile** | MobSF + Frida |
| **Secrets audit** | Gitleaks + TruffleHog in CI |

Keep an **engagement notebook** (commands, timestamps, scope IDs) for clean reporting.

## 📚 Additional learning resources

| Resource | Link |
|----------|------|
| OWASP Web Security Testing Guide | https://owasp.org/www-project-web-security-testing-guide/ |
| PTES Technical Guidelines | http://www.pentest-standard.org/index.php/PTES_Technical_Guidelines |
| MITRE ATT&CK | https://attack.mitre.org/ |
| HackTricks | https://book.hacktricks.xyz/ |
| PayloadsAllTheThings | https://github.com/swisskyrepo/PayloadsAllTheThings |

## 👤 Maintainer

**OndHa** ([@daker52](https://github.com/daker52)) · [wwwkkcode.cz](https://wwwkkcode.cz)

## 📝 License

MIT — see [LICENSE](./LICENSE). Tool projects have their **own licenses**; always check each repository before use.
*Document version: 1.0 · May 2026*