Arsenal: A Command Injection Hack That Makes Penetration Testing Actually Manageable
Hook
Arsenal doesn’t execute commands for you—it literally types them into your terminal using Linux TTY manipulation (specifically the TIOCSTI ioctl), preserving shell history and working across bash, zsh, and fish. It’s a hack that’s both brilliant and increasingly problematic.
Context
Penetration testers face a peculiar productivity problem: they need to remember syntax for dozens of specialized tools—nmap, hashcat, impacket scripts, bloodhound queries, sqlmap flags—across engagements that might last weeks. Copy-pasting from notes loses context. Memorization is unrealistic when you’re juggling 30+ tools. Traditional cheatsheet managers like tldr or cheat.sh help with recall, but they still require manual copying, and you lose the command in your shell history.
Arsenal emerged from Orange Cyberdefense to solve this specific workflow problem. Inspired by navi (a Rust-based cheatsheet tool), Arsenal was created because ‘the original version was in bash and too hard to understand to add features.’ Arsenal is designed for penetration testing workflows—it’s an inventory and launcher for pentest commands. The key innovation is how it puts commands into your terminal: instead of copying to clipboard or executing in a subprocess, Arsenal emulates real user input through TTY manipulation (using TTY arguments and IOCTL).
Technical Insight
Arsenal’s core trick is the TIOCSTI ioctl operation. When you select a command from Arsenal’s fuzzy-search interface (which supports fzf with ctrl+t), it doesn’t execute the command or copy it. Instead, Arsenal uses TTY manipulation to inject each character into the terminal’s input buffer as if you’d physically typed it. The README confirms this: ‘arsenal emulates real user input (with TTY arguments and IOCTL) so arsenal works with all shells and your commands will be in the history.’
This approach makes Arsenal completely shell-agnostic. Bash, zsh, fish—they all receive the same TTY input stream. No shell-specific integration code needed.
Cheatsheets are stored as Markdown (.md) and reStructuredText (.rst) files organized by category. Each command supports argument placeholders with default values using the format <argument|default_value>. When you select a command, Arsenal presents the template, you fill in specifics, and it injects the final string.
The global variable system is where Arsenal gets powerful during actual engagements. Set a variable once:
>set ip=10.10.10.10
Now every cheatsheet command referencing that variable auto-fills with that value. During a pentest, you’re constantly targeting the same host across different tools—nmap, then impacket, then bloodhound. Global variables eliminate repetitive typing.
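An added illustration of the placeholder and global-variable mechanics described above (example code written for this review, not Arsenal's own implementation). It assumes the <name|default> placeholder syntax and the >set name=value line the README documents; the precedence order (value typed for this command, then global variable, then default) is an assumption. Because Arsenal types the final string straight into the shell, the last function flags variable values that would be parsed as shell syntax.

```python
import re

# Arsenal-style placeholder: <name> or <name|default_value>
PLACEHOLDER = re.compile(r"<(?P<name>[A-Za-z_]\w*)(?:\|(?P<default>[^>]*))?>")
# Characters the receiving shell treats as syntax once the text is typed in
SHELL_META = set(";|&`$()<>\n\r")


def parse_set_command(line):
    """Parse Arsenal's '>set name=value' line; return (name, value) or None."""
    m = re.fullmatch(r">\s*set\s+([A-Za-z_]\w*)=(.*)", line.strip())
    return (m.group(1), m.group(2)) if m else None


def fill_template(template, variables, answers=None):
    """Expand placeholders in one cheatsheet line.

    Precedence (assumed, not taken from Arsenal's code): a value typed for this
    command > a global variable > the placeholder's default. Placeholders that stay
    unresolved are left untouched and reported so the caller can prompt for them.
    Returns (command, unresolved_names)."""
    answers = answers or {}
    unresolved = []

    def substitute(m):
        name, default = m.group("name"), m.group("default")
        for source in (answers, variables):
            if name in source:
                return source[name]
        if default is not None:
            return default
        unresolved.append(name)
        return m.group(0)

    return PLACEHOLDER.sub(substitute, template), unresolved


def unsafe_values(variables):
    """Names of variables whose value contains shell metacharacters. Arsenal types
    the final string into the TTY verbatim, so such a value becomes shell syntax."""
    return sorted(n for n, v in variables.items() if SHELL_META & set(v))
```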
The tmux integration (arsenal -t) splits your terminal pane and sends selected commands to the adjacent pane without closing Arsenal. The README explains: ‘if you launch arsenal in a tmux window with one pane, it will split the window and send the command to the other pane without quitting arsenal.’ For iterative testing—running variations of commands—this eliminates constant tool reopening. There’s also a -t -e mode for direct execution.
Arsenal includes visual mindmaps for Active Directory attack paths, Exchange exploitation, and Active Directory ACEs. These are reference diagrams showing attack methodology.
The README includes an extensive TODO list showing cheatsheet coverage: reverse shells (msfvenom, php, python, perl, powershell, java, ruby) are marked complete, as are major tools like impacket, bloodhound, nmap, sqlmap, and hydra. The TODO shows gaps in areas like PowerView, shadow credentials attacks, sAMAccountName attacks, nuclei, and several other tools. You can add custom cheatsheets in the my_cheats folder, ~/.cheats folder, or configure additional paths in the config.py file.
Arsenal also supports command prefixing via the arsenal_prefix_cmd variable and -f flag—useful for routing commands through proxychains or similar tools.
Gotcha
Arsenal’s TTY injection trick broke on Linux kernel 6.2+. The kernel developers disabled TIOCSTI by default for security reasons. The README’s troubleshooting section explicitly addresses this: ‘If you encounter an exception similar to the following (contains TIOCSTI in strace) when running Arsenal… Then you may need to re-enable TIOCSTI.’ The fix requires root access: sysctl -w dev.tty.legacy_tiocsti=1 (or adding it to /etc/sysctl.conf to survive reboots). This explicitly weakens your system’s security posture by re-enabling a mechanism that could be exploited. For pentest-specific distributions, this might be acceptable. For daily-driver systems, it’s a significant concern.
The cheatsheet maintenance burden is real. The extensive TODO list in the README shows that Arsenal’s coverage has gaps: PowerView cmdlets, shadow credentials attacks, sAMAccountName attacks, several RPC and database tools, nuclei, and others are either incomplete or missing. The tool is only as current as its contributors keep it. You can add custom cheatsheets in ~/.cheats or other configured paths, but then you’re maintaining your own knowledge base—which is part of what Arsenal was supposed to avoid.
The README also documents other potential issues: color initialization problems requiring export TERM='xterm-256color', and PyYAML import errors requiring pip install -U PyYAML.
Verdict
Use Arsenal if you’re conducting penetration tests on Linux systems where you control the kernel configuration (or can re-enable TIOCSTI), work in tmux with split-pane workflows, and struggle to remember syntax for tools like impacket, bloodhound, and nmap during engagements. The global variable substitution genuinely accelerates repetitive targeting tasks, and the mindmaps provide useful methodology references. The TTY injection preserving shell history is legitimately valuable for post-engagement reporting when you need to reconstruct your command timeline. Skip Arsenal if you’re on kernel 6.2+ without root access to modify sysctl settings (the tool won’t work without re-enabling TIOCSTI), prefer automated frameworks over manual command execution, or need comprehensive coverage of cutting-edge techniques (the README’s TODO list shows documented gaps in PowerView, shadow credentials, sAMAccountName attacks, and other areas). Also skip if you want result tracking or report generation—Arsenal is purely a command launcher and inventory, not an engagement platform. The README describes it as ‘just a quick inventory, reminder and launcher for pentest commands’—it’s a productivity tool for experienced pentesters who know what commands they need but want faster access to syntax, not a comprehensive methodology framework.