
Offline Reference Library

What's included

Legion has a built-in reference library with cheat sheets, tools, and resources that work completely offline. Everything is searchable and available without an internet connection, which matters when you're working in an air-gapped or restricted environment.

GTFOBins: Unix binaries that can be used for privilege escalation, shell spawning, and file read/write bypass
LOLBAS: Living-off-the-land Windows binaries and scripts for post-exploitation on Windows targets
WADComs: Windows and Active Directory offensive command cheat sheets for common AD attack techniques
Reverse Shells: Reverse shell generator across languages and platforms, plus a one-click netcat listener
Payloads & Dorks: Injection payloads for XSS, SQLi, and SSTI, plus Google dork templates
CVE Browser: Search CVEs by keyword or product name without leaving the app
CyberChef Lite: Encode, decode, and hash data offline

GTFOBins

GTFOBins is a curated list of Unix binaries that can be used to break out of restricted environments or escalate privileges. If you land on a box and need to escalate, look up the binaries available to you and GTFOBins will show you exactly how to use them. Common examples include find, vim, python, awk, and tar. Each entry shows the specific command needed for shell spawning, file read, file write, SUID exploitation, and more.

LOLBAS

LOLBAS stands for Living Off The Land Binaries and Scripts. It covers the Windows equivalent of GTFOBins. If you're on a Windows target and need to download a file, run a payload, or move laterally without dropping custom tools, LOLBAS shows you which built-in Windows binaries can do it. Things like certutil, mshta, rundll32, and wmic all have documented abuse cases here. Useful for staying within what's already on the machine.

WADComs

WADComs is a cheat sheet focused on Windows and Active Directory attacks. It covers the commands you need for common AD techniques like Kerberoasting, AS-REP roasting, Pass-the-Hash, DCSync, and BloodHound enumeration. Each entry shows the exact command syntax for the relevant tool, whether that's Impacket, CrackMapExec, Rubeus, or others. It's the fastest way to look up a command mid-task without stopping to search.

Reverse Shells

The reverse shell generator builds a ready-to-use reverse shell command based on the OS and language you pick. Select your target platform, choose from options like bash, Python, PHP, PowerShell, Ruby, or netcat, enter your IP and port, and it gives you the full command to paste. You can also start a netcat listener directly from the same screen with one click so both sides are ready at the same time.

Payloads & Dorks

This section has injection payloads for web application testing. XSS payloads, SQL injection strings, SSTI templates, and path traversal sequences are all here organized by type. It also includes Google dork templates for finding exposed login pages, open directories, and sensitive files indexed by search engines. Useful for manual web app testing when you want a quick reference without switching out of the app.

CVE Browser

The CVE browser lets you search for known vulnerabilities by keyword or product name. It pulls from the NVD (National Vulnerability Database) at nvd.nist.gov, which is updated regularly so you're working with current data. If you identify a specific software version during recon, you can look it up here to see what CVEs exist for it without needing a browser. Results show the CVE ID, severity score, and a description of the vulnerability.

To use the CVE browser, add your NVD API key in the Settings menu. You can get a free key at nvd.nist.gov. Without a key it still works, but requests are rate-limited.

CyberChef Lite

CyberChef Lite is a stripped-down version of the CyberChef data transformation tool that runs entirely offline inside Legion. You can encode and decode base64, URL-encode strings, compute MD5, SHA1, and SHA256 hashes, convert hex, and run basic transforms on data you collect during a task. It covers the operations you reach for most often without needing the full browser-based tool.

Using the library

Open the Library section from the left sidebar. Use the search bar to find what you need across all categories at once, or browse by section. Everything is formatted for quick scanning rather than reading top to bottom.

All library content is bundled inside the app. You do not need a connection to look up GTFOBins entries, generate a shell, or browse CVEs.