  • Stars: 2,978
  • Rank 15,189 (Top 0.3 %)
  • Language: Python
  • Created about 8 years ago
  • Updated 5 months ago

Repository Details

Awesome hacking is an awesome collection of hacking tools.

Awesome Hacking

Awesome hacking is a curated list of hacking tools for hackers, pentesters and security researchers. Its goal is to collect, classify and make awesome tools easy to find by humans, creating a toolset you can check out and update with one command.

This is not only a curated list, it is also a complete and updated toolset you can download with one command!

You can download all the tools with the following command:

git clone --recursive https://github.com/jekil/awesome-hacking.git

To update it run the following command:

git pull

Every kind of contribution is really appreciated! Follow the contribute guidelines.

If you enjoy this work, please keep it alive by contributing or just sharing it! - @jekil

CTF Tools

  • CTFd - CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.
  • CTForge - The framework developed by the hacking team from University of Venice to easily host jeopardy and attack-defense CTF security competitions. It provides the software components for running the game, namely the website and the checkbot (optional).
  • FBCTF - Platform to host Capture the Flag competitions.
  • LibreCTF - CTF in a box. Minimal setup required.
  • Mellivora - A CTF engine written in PHP.
  • NightShade - A simple security CTF framework.
  • OneGadget - A tool to easily find the one-gadget RCE in libc.so.6.
  • Pwntools - CTF framework and exploit development library.
  • Scorebot - Platform for CTFs by Legitbs (Defcon).
  • V0lt - Security CTF Toolkit.

Code Auditing

Static Analysis

  • Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications.
  • Dr. Taint - A very WIP DynamoRIO module built on the Dr. Memory Framework to implement taint analysis on ARM.
  • Gitleaks - A SAST tool for detecting and preventing hardcoded secrets like passwords, API keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
  • GoKart - A static analysis tool for Go that finds vulnerabilities using the SSA (static single assignment) form of Go source code.
  • Gosec - Inspects source code for security problems by scanning the Go AST.
  • Mariana Trench - Facebook's security focused static analysis tool for Android and Java applications.
  • STACK - A static checker for identifying unstable code.
  • ShellCheck - A static analysis tool for shell scripts.
  • StaCoAn - A cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing static code analysis on mobile applications.

Cryptography

  • FeatherDuster - An automated, modular cryptanalysis tool.
  • RSATool - Generate private key with knowledge of p and q.
  • Stego-toolkit - This project is a Docker image useful for solving Steganography challenges such as those you can find at CTF platforms like hackthebox.eu. The image comes pre-installed with many popular tools (see list below) and several screening scripts you can use to check simple things (for instance, run check_jpg.sh image.jpg to get a report for a JPG file).
  • Xortool - A tool to analyze multi-byte xor cipher.

Docker

  • DVWA - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.
  • Docker Bench for Security - The Docker Bench for Security checks for all the automatable tests in the CIS Docker 1.6 Benchmark.
  • Kali Linux - This Kali Linux Docker image provides a minimal base install of the latest version of the Kali Linux Rolling Distribution.
  • Metasploit - Metasploit Framework penetration testing software (unofficial docker).
  • OWASP Juice Shop - An intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws.
  • OWASP Mutillidae II - OWASP Mutillidae II Web Pen-Test Practice Application.
  • OWASP NodeGoat - An environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
  • OWASP Railsgoat - A vulnerable version of Rails that follows the OWASP Top 10.
  • OWASP Security Shepherd - A web and mobile application security training platform.
  • OWASP WebGoat - A deliberately insecure Web Application.
  • OWASP ZAP - Current stable OWASP Zed Attack Proxy release in embedded Docker container.
  • Security Ninjas - An Open Source Application Security Training Program.
  • SpamScope - SpamScope (Fast Advanced Spam Analysis Tool) Elasticsearch.
  • Vulnerability as a service: Heartbleed - Vulnerability as a Service: CVE-2014-0160.
  • Vulnerability as a service: Shellshock - Vulnerability as a Service: CVE-2014-6271.
  • Vulnerable WordPress Installation - Vulnerable WordPress Installation.
  • WPScan - WPScan is a black box WordPress vulnerability scanner.

Forensics

File Forensics

  • Autopsy - A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
  • Docker Explorer - A tool to help forensicate offline docker acquisitions.
  • Hadoop_framework - A prototype system that uses Hadoop to process hard drive images.
  • Mac_apt - A DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a Python-based framework with plugins to process individual artifacts (such as Safari internet history, network interfaces, recently accessed files & volumes, etc.).
  • OSXCollector - A forensic evidence collection & analysis toolkit for OS X.
  • RegRipper3.0 - Alternative to RegRipper.
  • RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3.
  • Scalpel - An open source data carving tool.
  • Shellbags - Investigate NTUSER.DAT files.
  • SlackPirate - Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace.
  • Sleuthkit - A library and collection of command line digital forensics tools.
  • TVS_extractor - Extracts TeamViewer screen captures.
  • Telegram-extractor - Python3 scripts to analyse the data stored in Telegram.
  • Truehunter - The goal of Truehunter is to detect encrypted containers using a fast and memory efficient approach without any external dependencies for ease of portability.

Image Forensics

  • Bad Peggy - Scans JPEG images for damage and other blemishes, and shows the results and image instantly. It allows you to find such broken files quickly, inspect and then either delete or move them to a different location.
  • Depix - Recovers passwords from pixelized screenshots.

Incident Response

  • Chainsaw - Provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.
  • DFIR4vSphere - PowerShell module for VMware vSphere forensics.
  • Event2Timeline - A free tool based on D3js to graph Microsoft Windows sessions events. It parses both EVTX event logs from post Vista systems (Vista, Windows 7, Windows 8), and CSV exports of the legacy EVT log files.
  • Hunter - A threat hunting / data analysis environment based on Python, Pandas, PySpark and Jupyter Notebook.
  • LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log.
  • Loki - Simple IOC and Incident Response Scanner.
  • Panorama - It was made to generate a wide report about Windows systems, supported and tested on Windows XP SP2 and up.
  • Plaso - Plaso (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso's default behavior is to create super timelines but it also supports creating more targeted timelines.
  • Snoopdigg - Simple utility to ease the process of collecting evidence to find infections.
  • TAPIR - Trustable Artifacts Parser for Incident Response is a multi-user, client/server, incident response framework based on the TAP project.
  • UAC - A Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
  • Untitled Goose Tool - A robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

Live Analysis

  • OS X Auditor - OS X Auditor is a free Mac OS X computer forensics tool.
  • Windows-event-forwarding - A repository for using windows event forwarding for incident detection and response.

Memory Forensics

  • Rekall - Memory analysis framework developed by Google.
  • Volatility - Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Misc

  • Diffy - A digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). Allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions.
  • HxD - A hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size.
  • Kube-forensics - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.
  • Libfvde - Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes.
  • Mass_archive - A basic tool for pushing a web page to multiple archiving services at once.

Mobile

  • Android Forensic Toolkit - Allows you to extract SMS records, call history, photos, browsing history, and password from an Android phone.
  • Android backup extractor - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.
  • Androidqf - Android Quick Forensics is a portable tool to simplify the acquisition of relevant forensic data from Android devices. It is the successor of Snoopdroid, re-written in Go and leveraging official adb binaries.
  • MVT - MVT is a forensic tool to look for signs of infection in smartphone devices.
  • Mem - Tool used for dumping memory from Android devices.
  • Snoopdroid - Extract packages from an Android device.
  • WhatsApp Media Decrypt - Decrypt WhatsApp encrypted media files.
  • iLEAPP - iOS Logs, Events, And Plist Parser.
  • iOSbackup - A Python 3 class that reads and extracts files from a password-encrypted iOS backup created by iTunes on Mac and Windows. Compatible with iOS 13.

Network Forensics

  • Dnslog - Minimalistic DNS logging tool.
  • Dshell - A network forensic analysis framework.
  • Passivedns - A network sniffer that logs all DNS server replies for use in a passive DNS setup.
  • Website Evidence Collector - The tool Website Evidence Collector (WEC) automates the website evidence collection of storage and transfer of personal data.

Hardware Hacking

Computer

  • Kbd-audio - Tools for capturing and analysing keyboard input paired with microphone capture.
  • LimeSDR-Mini - The LimeSDR-Mini board provides a hardware platform for developing and prototyping high-performance and logic-intensive digital and RF designs using Altera’s MAX10 FPGA and Lime Microsystems transceiver.
  • NSA-B-GONE - Thinkpad X220 board that disconnects the webcam and microphone data lines.

Intelligence

  • Attackintel - A python script to query the MITRE ATT&CK API for tactics, techniques, mitigations, & detection methods for specific threat groups.
  • DeepdarkCTI - The aim of this project is to collect the sources, present in the Deep and Dark web, which can be useful in Cyber Threat Intelligence contexts.
  • Dnstwist - Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation.
  • IntelOwl - Analyze files, domains, IPs in multiple ways from a single API at scale.
  • MISP-maltego - Set of Maltego transforms to interface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.
  • Masto - An OSINT tool written in python to gather intelligence on Mastodon users and instances.
  • Shodan-seeker - Command-line tool using Shodan API. Generates and downloads CSV results, diffing of historic scanning results, alerts and monitoring of specific ports/IPs, etc.
  • TorScrapper - Copy of Fresh Onions is an open source TOR spider / hidden service onion crawler.
  • VIA4CVE - An aggregator of the known vendor vulnerabilities database to support the expansion of information with CVEs.
  • Yeti - Your Everyday Threat Intelligence.
  • n6 - Automated handling of data feeds for security teams.

Library

C

  • Libdnet - Provides a simplified, portable interface to several low-level networking routines, including network address manipulation, kernel arp cache and route table lookup and manipulation, network firewalling, network interface lookup and manipulation, IP tunnelling, and raw IP packet and Ethernet frame transmission.

Go

  • Garble - Obfuscate Go builds.

Java

Python

  • Amodem - Audio MODEM Communication Library in Python.
  • Dpkt - Fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols.
  • Pcapy - A Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.
  • Plyara - Parse YARA rules and operate over them more easily.
  • PyBFD - Python interface to the GNU Binary File Descriptor (BFD) library.
  • PyPDF2 - A utility to read and write PDFs with Python.
  • Pynids - A python wrapper for libnids, a Network Intrusion Detection System library offering sniffing, IP defragmentation, TCP stream reassembly and TCP port scan detection. Let your own python routines examine network conversations.
  • Pypcap - This is a simplified object-oriented Python wrapper for libpcap.
  • Pyprotect - A lightweight python code protector, makes your python project harder to reverse engineer.
  • Python-idb - Pure Python parser and analyzer for IDA Pro database files (.idb).
  • Python-ptrace - Python binding of ptrace library.
  • RDPY - RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side).
  • Scapy - A python-based interactive packet manipulation program & library.

Ruby

Live CD - Distributions

  • Android Tamer - Virtual / Live Platform for Android Security professionals.
  • ArchStrike - An Arch Linux repository for security professionals and enthusiasts.
  • BOSSLive - An Indian GNU/Linux distribution developed by CDAC and customized to suit India's digital environment. It supports most of the Indian languages.
  • BackBox - Ubuntu-based distribution for penetration tests and security assessments.
  • BlackArch - Arch Linux-based distribution for penetration testers and security researchers.
  • DEFT Linux - Suite dedicated to incident response and digital forensics.
  • Fedora Security Lab - A safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.
  • Kali - A Linux distribution designed for digital forensics and penetration testing.
  • NST - Network Security Toolkit distribution.
  • Ophcrack - A free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
  • Parrot - Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.
  • Pentoo - Security-focused live CD based on Gentoo.
  • REMnux - Toolkit for assisting malware analysts with reverse-engineering malicious software.

Malware

Dynamic Analysis

  • Androguard - Reverse engineering, Malware and goodware analysis of Android applications.
  • CAPEv2 - Malware Configuration And Payload Extraction.
  • Cuckoo Sandbox - An automated dynamic malware analysis system.
  • CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.
  • DECAF - Short for Dynamic Executable Code Analysis Framework, is a binary analysis platform based on QEMU.
  • DRAKVUF Sandbox - DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.
  • DroidBox - Dynamic analysis of Android apps.
  • Hooker - An open source project for dynamic analyses of Android applications.
  • Jsunpack-n - Emulates browser functionality when visiting a URL.
  • LiSa - Sandbox for automated Linux malware analysis.
  • Magento-malware-scanner - A collection of rules and samples to detect Magento malware.
  • Malzilla - Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate JavaScript as well.
  • Panda - Platform for Architecture-Neutral Dynamic Analysis.
  • ProbeDroid - A dynamic binary instrumentation kit targeting Android (Lollipop) 5.0 and above.
  • PyEMU - Fully scriptable IA-32 emulator, useful for malware analysis.
  • PyWinSandbox - Python Windows Sandbox library. Create a new Windows Sandbox machine, control it with a simple RPyC interface.
  • Pyrebox - Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU.
  • Qiling - Advanced Binary Emulation framework.
  • Speakeasy - A portable, modular, binary emulator designed to emulate Windows kernel and user mode malware.
  • Uitkyk - Runtime memory analysis framework to identify Android malware.
  • WScript Emulator - Emulator/tracer of the Windows Script Host functionality.

Honeypot

  • Amun - Amun was the first python-based low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
  • Basic-auth-pot - HTTP Basic Authentication honeyPot.
  • Bluepot - Bluetooth Honeypot.
  • CitrixHoneypot - Detect and log CVE-2019-19781 scan and exploitation attempts.
  • Conpot - ICS/SCADA honeypot.
  • Cowrie - SSH honeypot, based on Kippo.
  • Dionaea - Honeypot designed to trap malware.
  • Django-admin-honeypot - A fake Django admin login screen to log and notify admins of attempted unauthorized access.
  • ESPot - An Elasticsearch honeypot written in NodeJS, to capture every attempt to exploit CVE-2014-3120.
  • Elastichoney - A Simple Elasticsearch Honeypot.
  • Endlessh - An SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.
  • Glastopf - Web Application Honeypot.
  • Glutton - All eating honeypot.
  • HFish - A cross platform honeypot platform developed based on golang, which has been meticulously built for enterprise security.
  • Heralding - Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot! Currently the following protocols are supported: ftp, telnet, ssh, rdp, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql and socks5.
  • HonTel - A Honeypot for Telnet service. Basically, it is a Python v2.x application emulating the service inside the chroot environment. Originally it has been designed to be run inside the Ubuntu/Debian environment, though it could be easily adapted to run inside any Linux environment.
  • HoneyPy - A low to medium interaction honeypot.
  • HoneyTrap - Advanced Honeypot framework.
  • Honeyd - Create a virtual honeynet.
  • Honeypot - Low interaction honeypot that displays real time attacks.
  • Honeything - A honeypot for Internet of TR-069 things. It's designed to act completely as a modem/router that has RomPager embedded web server and supports TR-069 (CWMP) protocol.
  • HonnyPotter - A WordPress login honeypot for collection and analysis of failed login attempts.
  • Kippo - A medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
  • Kippo-graph - Visualize statistics from a Kippo SSH honeypot.
  • Log4Pot - A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
  • MHN - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.
  • MTPot - Open Source Telnet Honeypot.
  • Maildb - Python Web App to Parse and Track Email and http Pcap Files.
  • Mailoney - An SMTP Honeypot I wrote just to have fun learning Python.
  • Miniprint - A medium interaction printer honeypot.
  • Mnemosyne - A normalizer for honeypot data; supports Dionaea.
  • MongoDB-HoneyProxy - A honeypot proxy for mongodb. When run, this will proxy and log all traffic to a dummy mongodb server.
  • MysqlPot - A mysql honeypot, still very very early stage.
  • NoSQLPot - The NoSQL Honeypot Framework.
  • Nodepot - A nodejs web application honeypot.
  • OWASP-Honeypot - Open source software written in Python, designed for creating honeypots and honeynets in an easy and secure way.
  • OpenCanary - A daemon that runs several canary versions of services that alerts when a service is (ab)used.
  • Phoneyc - Pure Python honeyclient implementation.
  • Phpmyadmin_honeypot - A simple and effective phpMyAdmin honeypot.
  • Servletpot - Web application Honeypot.
  • Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps.
  • Shiva - Spam Honeypot with Intelligent Virtual Analyzer, is an open but controlled relay Spam Honeypot (SpamPot), built on top of Lamson Python framework, with capability of collecting and analyzing all spam thrown at it.
  • Smart-honeypot - PHP Script demonstrating a smart honey pot.
  • Snare - Super Next generation Advanced Reactive honEypot.
  • SpamScope - Fast Advanced Spam Analysis Tool.
  • StrutsHoneypot - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
  • T-Pot - The All In One Honeypot Platform.
  • Tango - Honeypot Intelligence with Splunk.
  • Tanner - A remote data analysis and classification service to evaluate HTTP requests and compose the response then served by SNARE. TANNER uses multiple application vulnerability type emulation techniques when providing responses for SNARE. In addition, TANNER provides Dorks for SNARE powering its luring capabilities.
  • Thug - Low interaction honeyclient, for investigating malicious websites.
  • Twisted-honeypots - SSH, FTP and Telnet honeypots based on Twisted.
  • Wetland - A high interaction SSH honeypot.
  • Wordpot - A WordPress Honeypot.
  • Wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.

Intelligence

  • CobaltStrikeParser - Python parser for CobaltStrike Beacon's configuration.
  • Cobaltstrike - Code and yara rules to detect and analyze Cobalt Strike.
  • GreedyBear - The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to prevent and detect attacks.
  • MISP Modules - Modules for expansion services, import and export in MISP.
  • Misp-dashboard - A dashboard for a real-time overview of threat intelligence from MISP instances.
  • Passivedns-client - Provides a library and a query tool for querying several passive DNS providers.
  • Pybeacon - A collection of scripts for dealing with Cobalt Strike beacons in Python.
  • Rt2jira - Convert RT tickets to JIRA tickets.

Ops

  • Al-khaser - Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
  • BASS - BASS Automated Signature Synthesizer.
  • CSCGuard - Protects and logs suspicious and malicious usage of .NET CSC.exe and Runtime C# Compilation.
  • CapTipper - A python tool to analyze, explore and revive HTTP malicious traffic.
  • FLARE - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
  • FakeNet-NG - A next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows.
  • Google-play-crawler - Google-play-crawler is simply a Java tool for searching Android applications on Google Play, and also downloading them.
  • Googleplay-api - An unofficial Python API that lets you search, browse and download Android apps from Google Play (formerly Android Market).
  • Grimd - Fast dns proxy that can run anywhere, built to black-hole internet advertisements and malware servers.
  • Hidden - Windows driver with usermode interface which can hide objects of file-system and registry, protect processes, etc.
  • ImaginaryC2 - A Python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts an HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
  • Irma - IRMA is an asynchronous & customizable analysis system for suspicious files.
  • KLara - A project aimed at helping Threat Intelligence researchers hunt for new malware using Yara.
  • Kraken - Cross-platform Yara scanner written in Go.
  • Malboxes - Builds malware analysis Windows VMs so that you don't have to.
  • Mquery - YARA malware query accelerator (web frontend).
  • Node-appland - NodeJS tool to download APKs from appland.
  • Node-aptoide - NodeJS to download APKs from aptoide.
  • Node-google-play - Call Google Play APIs from Node.
  • Pafish - A demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

Source Code

  • Android-malware - Collection of Android malware samples.
  • AsyncRAT-C-Sharp - Open-Source Remote Administration Tool For Windows C# (RAT).
  • BYOB - An open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.
  • BlackHole - C# RAT (Remote Administration Tool).
  • Carberp - Carberp leaked source code.
  • Coldfire - Golang malware development library.
  • Fancybear - Fancy Bear Source Code.
  • LOLBAS - Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts).
  • Mirai - Leaked Mirai Source Code for Research/IoC Development Purposes.
  • Morris Worm - The original Morris Worm source code.
  • Pegasus_spyware - Decompiled pegasus spyware.
  • RDP_Backdoor - Configures RDP backdoors via UTILMAN and SETHC (sticky keys), disables NLA and enables RDP and firewall rules.
  • SubSeven - SubSeven Legacy Official Source Code Repository.
  • SvcHostDemo - Demo service that runs in svchost.exe.
  • TinyNuke - Zeus-style banking trojan.
  • TripleCross - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
  • Zerokit - Zerokit/GAPZ rootkit (non buildable and only for researching).
  • Zeus - Zeus version 2.0.8.9, leaked in 2011.

Static Analysis

  • APKinspector - A powerful GUI tool for analysts to analyze the Android applications.
  • Aa-tools - Artifact analysis tools by JPCERT/CC Analysis Center.
  • Androwarn - Detect and warn the user about potential malicious behaviours developed by an Android application.
  • ApkAnalyser - A static, virtual analysis tool for examining and validating the development work of your Android app.
  • Argus-SAF - Argus static analysis framework.
  • Arya - The Reverse YARA is a unique tool that produces pseudo-malicious files meant to trigger YARA rules. You can think of it like a reverse YARA because it does exactly the opposite - it creates files that match your rules.
  • CAPA - The FLARE team's open-source tool to identify capabilities in executable files.
  • CFGScanDroid - Control Flow Graph Scanning for Android.
  • ConDroid - Symbolic/concolic execution of Android apps.
  • DroidLegacy - Static analysis scripts.
  • FSquaDRA - Fast detection of repackaged Android applications based on the comparison of resource files included into the package.
  • Floss - FireEye Labs Obfuscated String Solver. Automatically extract obfuscated strings from malware.
  • Inspeckage - Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more.
  • Maldrolyzer - Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers, etc).
  • PEfile - Read and work with Portable Executable (aka PE) files.
  • PEview - A quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.
  • PScout - Analyzing the Android Permission Specification.
  • Pdfminer - A tool for extracting information from PDF documents.
  • Peepdf - A Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks.
  • Quark-engine - A trust-worthy, practical tool that's ready to boost up your malware reverse engineering.
  • SmaliSCA - Smali Static Code Analysis.
  • Sysinternals Suite - The Sysinternals Troubleshooting Utilities.
  • Tlsh - Trend Micro Locality Sensitive Hash is a fuzzy matching library. Given a byte stream with a minimum length of 50 bytes TLSH generates a hash value which can be used for similarity comparisons. Similar objects will have similar hash values which allows for the detection of similar objects by comparing their hash values. Note that the byte stream should have a sufficient amount of complexity. For example, a byte stream of identical bytes will not generate a hash value.
  • Yara - Identify and classify malware samples.
  • Yobi - Yara Based Detection Engine for web browsers.

Network

Analysis

  • Bro - A powerful network analysis framework that is much different from the typical IDS you may know.
  • Fatt - A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
  • Nidan - An active network monitor tool.
  • Pytbull - A python based flexible IDS/IPS testing framework.
  • Sguil - Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.
  • Winshark - A wireshark plugin to instrument ETW.

Fake Services

  • DNSChef - DNS proxy for Penetration Testers and Malware Analysts.
  • DnsRedir - A small DNS server that will respond to certain queries with addresses provided on the command line.

Packet Manipulation

  • Pig - A Linux packet crafting tool.
  • Yersinia - A network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing the deployed networks and systems.

Sniffer

  • Cloud-pcap - Web PCAP storage and analytics.
  • Dnscap - Network capture utility designed specifically for DNS traffic.
  • Dsniff - A collection of tools for network auditing and pentesting.
  • Justniffer - Just A Network TCP Packet Sniffer. Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic.
  • Moloch - Moloch is an open source large scale full PCAP capturing, indexing and database system.
  • Net-creds - Sniffs sensitive data from interface or pcap.
  • Netsniff-ng - A Swiss army knife for your daily Linux network plumbing.
  • NetworkMiner - A Network Forensic Analysis Tool (NFAT).
  • OpenFPC - OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder and buffering tool. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.
  • Openli - Open Source ETSI compliant Lawful Intercept software.
  • PF_RING - PF_RING™ is a Linux kernel module and user-space framework that allows you to process packets at high rates while providing you a consistent API for packet processing applications.
  • Termshark - A terminal UI for tshark, inspired by Wireshark.
  • WebPcap - A web-based packet analyzer (client/server architecture). Useful for analyzing distributed applications or embedded devices.
  • Wireshark - A free and open-source packet analyzer.

Penetration Testing

DoS

  • DHCPig - DHCP exhaustion script written in python using scapy network library.
  • LOIC - Low Orbit Ion Cannon - An open source network stress tool, written in C#. Based on Praetox's LOIC project.
  • Memcrashed - DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API.
  • Sockstress - Sockstress (TCP DoS) implementation.
  • T50 - The fastest network stress tool.
  • Torshammer - Tor's hammer. Slow post DDOS tool written in python.
  • UFONet - Abuses OSI Layer 7-HTTP to create/manage 'zombies' and to conduct different attacks using: GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.

Exploiting

  • AttackSurfaceAnalyzer - Attack Surface Analyzer can help you analyze your operating system's security configuration for changes during software installation.
  • Bashfuscator - A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.
  • BeEF - The Browser Exploitation Framework Project.
  • BugId - Detect, analyze and uniquely identify crashes in Windows applications.
  • CALDERA - A cyber security framework designed to easily automate adversary emulation, assist manual red-teams, and automate incident response.
  • CCAT - Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
  • Commix - Automated All-in-One OS Command Injection and Exploitation Tool.
  • DLLInjector - Inject dlls in processes.
  • DefenderCheck - Identifies the bytes that Microsoft Defender flags on.
  • Donut - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
  • Drupwn - Drupal enumeration & exploitation tool.
  • EfiGuard - Disable PatchGuard and DSE at boot time.
  • EtherSploit-IP - Exploiting Allen-Bradley E/IP PLCs.
  • Evilgrade - The update exploitation framework.
  • Exe2hex - Inline file transfer using in-built Windows tools (DEBUG.exe or PowerShell).
  • Fathomless - A collection of different programs for network red teaming.
  • Gorsair - Gorsair hacks its way into remote docker containers that expose their APIs.
  • Infection Monkey - An open source security tool for testing a data center's resiliency to perimeter breaches and internal server infection. The Monkey uses various methods to self propagate across a data center and reports success to a centralized Monkey Island server.
  • Jir-thief - A Red Team tool for exfiltrating sensitive data from Jira tickets.
  • Kube-hunter - Hunt for security weaknesses in Kubernetes clusters.
  • LAVA - Large-scale Automated Vulnerability Addition.
  • Linux Exploit Suggester - Linux Exploit Suggester; based on operating system release number.
  • Linux-exploit-suggester - Linux privilege escalation auditing tool.
  • LoRaWAN Auditing Framework - IoT deployments just keep growing and one part of that significant growth is composed of millions of LPWAN (low-power wide-area network) sensors deployed in hundreds of cities (Smart Cities) around the world, and also in industries and homes. One of the most used LPWAN technologies is LoRa, for which LoRaWAN is the network standard (MAC layer). LoRaWAN is a secure protocol with built-in encryption, but implementation issues and weaknesses affect the security of most current deployments.
  • MSDAT - Microsoft SQL Database Attacking Tool is an open source penetration testing tool that tests the security of Microsoft SQL Databases remotely.
  • Macrome - Excel Macro Document Reader/Writer for Red Teamers & Analysts
  • Malicious-pdf - Generate ten different malicious pdf files with phone-home functionality. Can be used with Burp Collaborator.
  • Metasploit Framework - Exploitation framework.
  • MeterSSH - A way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpreter in this case) by the shellcode over SSH back to the attacker's machine. Then connecting with meterpreter's listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.
  • Nessus - Vulnerability, configuration, and compliance assessment.
  • Nexpose - Vulnerability Management & Risk Management Software.
  • Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
  • OpenVAS - Open Source vulnerability scanner and manager.
  • PEzor - Open-Source PE Packer.
  • PRET - Printer Exploitation Toolkit. The tool that made dumpster diving obsolete.
  • PSKernel-Primitives - Exploit primitives for PowerShell.
  • Peirates - A Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.
  • PowerSploit - A PowerShell Post-Exploitation Framework.
  • ProxyLogon - ProxyLogon is the formally generic name for CVE-2021-26855, a vulnerability on Microsoft Exchange Server that allows an attacker to bypass authentication and impersonate the admin. We have also chained this bug with another post-auth arbitrary-file-write vulnerability, CVE-2021-27065, to get code execution.
  • ROP Gadget - Framework for ROP exploitation.
  • Ropper - Display information about files in different file formats and find gadgets to build rop chains for different architectures (x86/x86_64, ARM/ARM64, MIPS, PowerPC, SPARC64). For disassembly ropper uses the awesome Capstone Framework.
  • Routersploit - Automated penetration testing software for router.
  • Rupture - A framework for BREACH and other compression-based crypto attacks.
  • SPARTA - Network Infrastructure Penetration Testing Tool.
  • Shark - Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).
  • SharpBlock - A method of bypassing EDR's active projection DLLs by preventing entry point execution.
  • SharpShooter - Payload Generation Framework.
  • ShellcodeCompiler - A program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows (x86 and x64) and Linux (x86 and x64). It is possible to call any Windows API function or Linux syscall in a user-friendly way.
  • Shellen - Interactive shellcoding environment to easily craft shellcodes.
  • Shellsploit - Lets you generate customized shellcodes, backdoors and injectors for various operating systems, and lets you obfuscate every byte via encoders.
  • Spoodle - A mass subdomain + poodle vulnerability scanner.
  • SysWhispers - AV/EDR evasion via direct system calls.
  • Unicorn - Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
  • Veil Framework - A tool designed to generate metasploit payloads that bypass common anti-virus solutions.
  • Vuls - Vulnerability scanner for Linux/FreeBSD, agentless, written in Go.
  • Windows Exploit Suggester - Detects potential missing patches on the target.
  • Ysoserial.net - Deserialization payload generator for a variety of .NET formatters.
  • Zarp - Network Attack Tool.
  • expdevBadChars - Bad Characters highlighter for exploit development purposes supporting multiple input formats while comparing.

Exploits

  • Apache-uaf - Apache use after free bug infos / ASAN stack traces.
  • BlueGate - PoC (DoS + scanner) for CVE-2020-0609 & CVE-2020-0610 - RD Gateway RCE.
  • Bluedroid - PoCs of Vulnerabilities on Bluedroid.
  • Broadpwn - Broadpwn bug (CVE-2017-9417).
  • CVE-2016-5195 - A CVE-2016-5195 exploit example.
  • CVE-2018-8120 - CVE-2018-8120.
  • CVE-2018-8897 - Implements the POP/MOV SS (CVE-2018-8897) vulnerability by bugchecking the machine (local DoS).
  • CVE-2019-0604 - cve-2019-0604 SharePoint RCE exploit.
  • CVE-2019-18935 - RCE exploit for a .NET deserialization vulnerability in Telerik UI for ASP.NET AJAX.
  • CVE-2019-6453 - Proof of calc for CVE-2019-6453 (Mirc exploit).
  • CVE-2020-10560 - OSSN Arbitrary File Read
  • CVE-2020-11651 - PoC for CVE-2020-11651.
  • CVE-2020-1301 - POC exploit for SMBLost vulnerability (CVE-2020-1301)
  • CVE-2020-1350 - Bash Proof-of-Concept (PoC) script to exploit SIGRed (CVE-2020-1350). Achieves Domain Admin on Domain Controllers running Windows Server 2003 up to Windows Server 2019.
  • CVE-2020-1350-DoS - A denial-of-service proof-of-concept for CVE-2020-1350.
  • CVE-2020-1472 - Exploit Code for CVE-2020-1472 aka Zerologon.
  • CVE-2020-1472_2 - PoC for Zerologon
  • CVE-2021-1965 - CVE-2021-1965 WiFi Zero Click RCE Trigger PoC
  • CVE-2021-26855_PoC - SSRF payloads (CVE-2021-26855) over Exchange Server 2019.
  • CVE-2021-31166 - Proof of concept for CVE-2021-31166, a remote HTTP.sys use-after-free triggered remotely.
  • CVE-2021-34473 - CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability.
  • CVE-2022-21894 - Baton drop (CVE-2022-21894): Secure Boot Security Feature Bypass Vulnerability
  • CVE-2022-25636 - Exploit for CVE-2022-25636.
  • Chakra-2016-11 - Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201).
  • Chimay-Red - Working POC of Mikrotik exploit from Vault 7 CIA Leaks.
  • Desharialize - Easy mode to Exploit CVE-2019-0604 (Sharepoint XML Deserialization Unauthenticated RCE).
  • Dirty-cow-golang - Dirty Cow implementation in Go
  • Dirtycow - This exploit uses the pokemon exploit of the dirtycow vulnerability as a base and automatically generates a new passwd line. The user will be prompted for the new password when the binary is run. The original /etc/passwd file is then backed up to /tmp/passwd.bak and overwrites the root account with the generated line. After running the exploit you should be able to login with the newly created user.
  • Dirtycow-vdso - PoC for Dirty COW (CVE-2016-5195). This PoC relies on ptrace (instead of /proc/self/mem) to patch vDSO.
  • Dirtycow.cr - CVE-2016-5195 exploit written in Crystal
  • Dirtycow.fasm - Fast dirtycow implementation with privilege escalation for amd64 in flatassembler.
  • ES File Explorer Open Port Vulnerability - ES File Explorer Open Port Vulnerability - CVE-2019-6447.
  • EfsPotato - Exploit for EfsPotato (MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privilege escalation vulnerability).
  • Exchange_SSRF - Some Attacks of Exchange SSRF ProxyLogon&ProxyShell.
  • HolicPOC - CVE-2015-2546, CVE-2016-0165, CVE-2016-0167, CVE-2017-0101, CVE-2017-0263, CVE-2018-8120.
  • Jira-Scan - Jira scanner for CVE-2017-9506.
  • Kernel Exploits - Various kernel exploits.
  • MS17-010 - Exploits for MS17-010.
  • Proxyshell-Exchange - Poc script for ProxyShell exploit chain in Exchange Server.
  • Proxyshell-auto - Automatic ProxyShell Exploit.
  • Proxyshell-poc - Proxyshell POC
  • Qemu-vm-escape - This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp:tcp_emu().
  • Ruby-advisory-db - A database of vulnerable Ruby Gems.
  • The Exploit Database - The official Exploit Database repository.
  • Tpwn - Xnu local privilege escalation via cve-2015-???? & cve-2015-???? for 10.10.5, 0day at the time
  • XiphosResearch Exploits - Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
  • cve-2020-1054 - LPE for CVE-2020-1054 targeting Windows 7 x64

Fuzzing

  • AFL++ - AFL 2.56b with community patches, AFLfast power schedules, qemu 3.1 upgrade + laf-intel support, MOpt mutators, InsTrim instrumentation, unicorn_mode, Redqueen and a lot more.
  • AndroFuzz - A fuzzing utility for Android that focuses on reporting and delivery portions of the fuzzing process.
  • Boofuzz - A fork and successor of the Sulley Fuzzing Framework.
  • Construct - Declarative data structures for python that allow symmetric parsing and building.
  • Deepstate - A unit test-like interface for fuzzing and symbolic execution.
  • Driller - Augmenting AFL with symbolic execution.
  • Eclipser - Grey-box Concolic Testing on Binary Code.
  • Frankenstein - Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging.
  • Fusil - A Python library used to write fuzzing programs. It helps to start process with a prepared environment (limit memory, environment variables, redirect stdout, etc.), start network client or server, and create mangled files.
  • Fuzzbox - A multi-codec media fuzzing tool.
  • Fuzzlyn - Fuzzer for the .NET toolchains, utilizes Roslyn to generate random C# programs.
  • Fuzzotron - A TCP/UDP based network daemon fuzzer.
  • Honggfuzz - Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw).
  • InsTrim - Lightweight Instrumentation for Coverage-guided Fuzzing.
  • KleeFL - Seeding Fuzzers With Symbolic Execution.
  • MFFA - Media Fuzzing Framework for Android.
  • Melkor-android - An Android port of the melkor ELF fuzzer.
  • Netzob - Netzob is an opensource tool for reverse engineering, traffic generation and fuzzing of communication protocols.
  • Neuzz - A neural-network-assisted fuzzer.
  • OneFuzz - Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior to release. With a single command, which can be baked into CICD, developers can launch fuzz jobs from a few virtual machines to thousands of cores.
  • Python-AFL - American fuzzy lop fork server and instrumentation for pure-Python code.
  • RPCForge - Windows RPC Python fuzzer.
  • Radamsa-android - An Android port of radamsa fuzzer.
  • Razzer - A Kernel fuzzer focusing on race bugs.
  • Retrowrite - Retrofitting compiler passes through binary rewriting.
  • SecLists - A collection of multiple types of lists used during security assessments.
  • Sienna-locomotive - A user-friendly fuzzing and crash triage tool for Windows.
  • Sulley - Fuzzer development and fuzz testing framework consisting of multiple extensible components.
  • T-Fuzz - A fuzzing tool based on program transformation.
  • TAOF - The Art of Fuzzing, including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer.
  • Tlspuffin - A symbolic-model-guided fuzzer for TLS.
  • Unicorefuzz - Fuzzing the Kernel Using Unicornafl and AFL++.
  • Unicornafl - Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, X86) adapted to afl++.
  • VUzzer - This project depends heavily on a modified version of DataTracker, which in turn depends on LibDFT pintool. It has some extra tags added in libdft.
  • Vfuzz - I don't claim superiority over other engines in performance or efficiency out of the box, but this does implement some features that I felt were lacking elsewhere.
  • Winafl - A fork of AFL for fuzzing Windows binaries.
  • Winafl_inmemory - WINAFL for blackbox in-memory fuzzing (PIN).
  • Windows IPC Fuzzing Tools - A collection of tools used to attack applications that use Windows Interprocess Communication mechanisms.
  • Zulu - A fuzzer designed for rapid prototyping that normally happens on a client engagement where something needs to be fuzzed within tight timescales.

Info Gathering

  • ATSCAN - Advanced dork Search & Mass Exploit Scanner.
  • Amass - The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
  • BigBountyRecon - Utilises 58 different techniques using various Google dorks and open source tools to expedite the process of initial reconnaissance on the target organisation.
  • Bluto - DNS Recon | Brute Forcer | DNS Zone Transfer | DNS Wild Card Checks | DNS Wild Card Brute Forcer | Email Enumeration | Staff Enumeration | Compromised Account Checking
  • Bundler-audit - Patch-level verification for Bundler.
  • Checksec.rs - Fast multi-platform (ELF/PE/MachO) binary checksec written in Rust.
  • CloudFail - Utilize misconfigured DNS and old database records to find hidden IPs behind the CloudFlare network.
  • CloudFlair - Find origin servers of websites behind CloudFlare by using Internet-wide scan data from Censys.
  • Cloudflare_enum - Cloudflare DNS Enumeration Tool for Pentesters.
  • Cloudmare - A simple tool to find the origin servers of websites protected by Cloudflare, Sucuri, or Incapsula with a misconfigured DNS.
  • Commando-vm - Complete Mandiant Offensive VM (Commando VM), the first full Windows-based penetration testing virtual machine distribution. The security community recognizes Kali Linux as the go-to penetration testing platform for those that prefer Linux. Commando VM is for penetration testers that prefer Windows.
  • Dnsenum - A perl script that enumerates DNS information.
  • Dnsmap - Passive DNS network mapper.
  • Dnsrecon - DNS Enumeration Script.
  • Dnsspy - Performs various DNS enumeration attacks.
  • Dorkify - Google dorking is a hacker technique that uses Google Search to find security holes in the configuration and computer code that websites use. Google Dorking involves using advanced operators in the Google search engine to locate specific strings of text within search results such as finding specific versions of vulnerable Web applications. Users can utilize commands to get other specific search results.
  • EgressCheck Framework - Used to check for TCP and UDP egress filtering on both windows and unix client systems.
  • Egressbuster - A method to check egress filtering and identify if ports are allowed. If they are, you can automatically spawn a shell.
  • EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
  • Ffuf - Fuzz Faster U Fool - Fast web fuzzer written in Go.
  • HostHunter - A tool to efficiently discover and extract hostnames given a large set of target IP addresses. HostHunter utilises simple OSINT techniques to map IP addresses with virtual hostnames. It generates a CSV or TXT file containing the results of the reconnaissance.
  • IVRE - An open-source framework for network recon. It relies on open-source well-known tools to gather data (network intelligence), stores it in a database, and provides tools to analyze it.
  • Knock - A python tool designed to enumerate subdomains on a target domain through a wordlist.
  • Log4jscanlinux - This shell script intends to collect necessary details and help detect CVE-2021-44228 and CVE-2021-45046 vulnerabilities reported in Log4j.
  • Log4jscanwin - The Log4jScanner.exe utility helps to detect CVE-2021-44228 and CVE-2021-45046 vulnerabilities. The utility will scan the entire hard drive(s) including archives (and nested JARs) for the Java class that indicates the Java application contains a vulnerable log4j library. The utility will output its results to a console.
  • Operative-framework - A framework based on fingerprint action. This tool is used to get information on a website or an enterprise target with multiple modules (Viadeo search, Linkedin search, Reverse email whois, Reverse ip whois, SQL file forensics ...).
  • Recon-ng - A full-featured Web Reconnaissance framework written in Python.
  • SMBMap - A handy SMB enumeration tool.
  • SPartan - Frontpage and Sharepoint fingerprinting and attack tool.
  • SSLMap - TLS/SSL cipher suite scanner.
  • Secretz - A tool that minimizes the large attack surface of Travis CI. It automatically fetches repos, builds, and logs for any given organization.
  • Shhgit - Helps secure forward-thinking development, operations, and security teams by finding secrets across their code before it leads to a security breach.
  • Sparty - MS Sharepoint and Frontpage Auditing Tool.
  • Spyse.py - Python API wrapper and command-line client for the tools hosted on spyse.com.
  • SubFinder - A subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.
  • SubQuest - Fast, Elegant subdomain scanner using nodejs.
  • Subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.
  • TravisLeaks - A tool to find sensitive keys and passwords in Travis logs.
  • TruffleHog - Searches through git repositories for high entropy strings, digging deep into commit history.
  • URLextractor - Information gathering & website reconnaissance.
  • VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
  • Wmap - Information gathering for web hacking.
  • XRay - A tool for recon, mapping and OSINT gathering from public networks.

MITM

  • Bettercap - A powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.
  • Caplets - Bettercap scripts (caplets) and proxy modules.
  • Dnsspoof - DNS spoofer. Drops DNS responses from the router and replaces them with the spoofed DNS response.
  • Ettercap - A comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.
  • MITMf - Framework for Man-In-The-Middle attacks.
  • Mallory - An extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.
  • Mitmproxy - An interactive, SSL-capable man-in-the-middle proxy for HTTP with a console interface.
  • Mitmsocks4j - Man in the Middle SOCKS Proxy for JAVA.
  • Nogotofail - An on-path blackbox network traffic security testing tool.
  • Responder - An LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
  • Ssh-mitm - An SSH/SFTP man-in-the-middle tool that logs interactive sessions and passwords.

Mobile

  • AFE - Android Framework for Exploitation, is a framework for exploiting android based devices.
  • AndroBugs - An efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications.
  • Android-vts - Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security.
  • Androl4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis.
  • Apk-mitm - A CLI application that automatically prepares Android APK files for HTTPS inspection. Inspecting a mobile app's HTTPS traffic using a proxy is probably the easiest way to figure out how it works. However, with the Network Security Configuration introduced in Android 7 and app developers trying to prevent MITM attacks using certificate pinning, getting an app to work with an HTTPS proxy has become quite tedious.
  • Apk.sh - A Bash script that makes reverse engineering Android apps easier, automating some repetitive tasks like pulling, decoding, rebuilding and patching an APK.
  • CobraDroid - A custom build of the Android operating system geared specifically for application security analysts and for individuals dealing with mobile malware.
  • Drozer - The Leading Security Assessment Framework for Android.
  • Idb - A tool to simplify some common tasks for iOS pentesting and research.
  • Introspy-iOS - Security profiling for blackbox iOS.
  • JAADAS - Joint Advanced Defect assEsment for android applications.
  • Keychain-Dumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.
  • Mobile Security Framework - An intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.
  • Objection - A runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.
  • QARK - QARK by LinkedIn is for app developers to scan app for security issues.
  • RootAVD - Rooting the Android Studio AVDs.
  • SUPER Android Analyzer - A command-line application that can be used in Windows, MacOS X and Linux, that analyzes .apk files in search of vulnerabilities. It does this by decompressing APKs and applying a series of rules to detect those vulnerabilities.
  • SafetyNet Fix - Google SafetyNet attestation workarounds for Magisk.
  • Uber Apk Signer - A tool that helps signing, zip aligning and verifying multiple Android application packages (APKs) with either debug or provided release certificates (or multiple). It supports v1, v2 and v3 Android signing scheme. Easy and convenient debug signing with embedded debug keystore. Automatically verifies signature and zipalign after every signing.
  • Uncertify - A tool written in Python that allows bypassing, in an automated way, the most common mechanisms used in Android apps to implement certificate pinning. In addition to that, Uncertify can also bypass other OkHttp configuration settings.

Password Cracking

  • BozoCrack - A silly & effective MD5 cracker in Ruby.
  • Common-substr - Simple awk script to extract the most common substrings from an input text. Built for password cracking.
  • Haklistgen - Turns any junk text into a usable wordlist for brute-forcing.
  • HashCat - World's fastest and most advanced password recovery utility.
  • Hashcrack - Guesses hash types, picks some sensible dictionaries and rules for hashcat.
  • Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns.
  • John the Ripper - A fast password cracker.
  • Kwprocessor - Advanced keyboard-walk generator with configurable basechars, keymap and routes.
  • Mentalist - A graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
  • NPK - A mostly-serverless distributed hash cracking platform.
  • Patator - Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
  • RSMangler - It will take a wordlist and perform various manipulations on it similar to those done by John the Ripper with a few extras.
  • SharpDomainSpray - Basic password spraying tool for internal tests and red teaming.
  • THC-Hydra - A very fast network logon cracker which supports many different services.

Port Scanning

  • Angry IP Scanner - Fast and friendly network scanner.
  • Evilscan - NodeJS Simple Network Scanner.
  • Flan - A pretty sweet vulnerability scanner.
  • Masscan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • Nmap - Free Security Scanner For Network Exploration & Security Audits.
  • RustScan - The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).
  • Watchdog - A Comprehensive Security Scanning and a Vulnerability Management Tool.
  • ZGrab - Go Application Layer Scanner.
  • Zmap - An open-source network scanner that enables researchers to easily perform Internet-wide network studies.

Post Exploitation

  • 3snake - Tool for extracting information from newly spawned processes.
  • ABPTTS - A Black Path Toward The Sun uses a Python client script and a web application server page/package to tunnel TCP traffic over an HTTP/HTTPS connection to a web application server. In other words, anywhere that one could deploy a web shell, one should now be able to establish a full TCP tunnel. This permits making RDP, interactive SSH, Meterpreter, and other connections through the web application server.
  • ADFSDump - A C# tool to dump all sorts of goodies from AD FS.
  • Apfell - A collaborative, multi-platform, red teaming framework.
  • Backdoorme - Powerful auto-backdooring utility.
  • Boopkit - Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
  • CatTails - Raw socket library/framework for red team events.
  • Cloudy-kraken - AWS Red Team Orchestration Framework.
  • Covenant - Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
  • CrackMapExec - A post-exploitation tool that helps automate assessing the security of large Active Directory networks.
  • CredCrack - A fast and stealthy credential harvester.
  • Creddump - Dump windows credentials.
  • DBC2 - DropboxC2 is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controller running on any machine, PowerShell modules, and Dropbox servers as a means of communication.
  • DET - (extensible) Data Exfiltration Toolkit (DET).
  • DNSlivery - Easy files and payloads delivery over DNS.
  • Dnsteal - DNS Exfiltration tool for stealthily sending files over DNS requests.
  • Empire - Empire is a pure PowerShell post-exploitation agent.
  • Enumdb - MySQL and MSSQL brute force and post exploitation tool to search through databases and extract sensitive information.
  • EvilOSX - A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.
  • Fireaway - Next Generation Firewall Audit and Bypass Tool.
  • FruityC2 - A post-exploitation (and open source) framework based on the deployment of agents on compromised machines. Agents are managed from a web interface under the control of an operator.
  • GTFONow - Automatic privilege escalation for misconfigured capabilities, sudo and suid binaries.
  • GetVulnerableGPO - PowerShell script to find 'vulnerable' security-related GPOs that should be hardened.
  • Ghost In The Logs - Evade sysmon and windows event logging.
  • HoneyBadger - A collection of Metasploit modules with a plugin to help automate Post-Exploitation actions on target systems using the Metasploit Framework.
  • HoneypotBuster - Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.
  • Iodine - Lets you tunnel IPv4 data through a DNS server.
  • Lsassy - Extract credentials from lsass remotely.
  • Mallory - HTTP/HTTPS proxy over SSH.
  • MicroBackdoor - C2 tool for Windows targets with an easily customizable code base and small footprint. Micro Backdoor consists of a server, client and dropper. It wasn't designed as a replacement for your favorite post-exploitation tools but rather as a really minimalistic thing with all of the basic features in less than 5000 lines of code.
  • Mimikatz - A little tool to play with Windows security.
  • Mimikittenz - A post-exploitation powershell tool for extracting juicy info from memory.
  • NoPowerShell - PowerShell rebuilt in C# for Red Teaming purposes.
  • Orc - A post-exploitation framework for Linux written in Bash.
  • P0wnedShell - PowerShell Runspace Post Exploitation Toolkit.
  • PEASS-ng - Privilege Escalation Awesome Scripts SUITE (with colors).
  • PacketWhisper - Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.
  • Paragon - Red Team engagement platform with the goal of unifying offensive tools behind a simple UI.
  • Pivoter - A proxy tool for pentesters to have easier lateral movement.
  • Poet - Post-exploitation tool.
  • PoshC2 - A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
  • ProcessHider - Post-exploitation tool for hiding processes from monitoring applications.
  • Pupy - An opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python.
  • Pwnat - Punches holes in firewalls and NATs allowing any number of clients behind NATs to directly connect to a server behind a different NAT.
  • Pypykatz - Mimikatz implementation in pure Python.
  • RedGhost - Linux post exploitation framework written in bash designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.
  • RemCom - Remote Command Executor: An OSS replacement for PsExec and RunAs - or Telnet without having to install a server.
  • RemoteRecon - Remote Recon and Collection.
  • RottenPotatoNG - New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
  • Rpc2socks - Post-exploit tool that enables a SOCKS tunnel via a Windows host using an extensible custom RPC proto over SMB through a named pipe.
  • SafetyKatz - SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Load.
  • Sam-the-admin - Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user.
  • Shad0w - A post exploitation framework designed to operate covertly on heavily monitored environments.
  • SocksOverRDP - Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services.
  • SpYDyishai - A Gmail credential harvester.
  • SprayWMI - An easy way to get mass shells on systems that support WMI. Much more effective than PSEXEC as it does not leave remnants on a system.
  • Static-binaries - Various *nix tools built as statically-linked binaries.
  • Tgcd - A simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
  • TheFatRat - An easy tool to generate a backdoor with msfvenom (a part of the Metasploit framework). This tool compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. The malware created with this tool also has the ability to bypass most AV software protection.
  • WCE - Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials.
  • Weasel - DNS covert channel implant for Red Teams.

Reporting

  • APTRS - Automated Penetration Testing Reporting System is an automated reporting tool in Python and Django. The tool allows Penetration testers to create a report directly without using the Traditional Docx file. It also provides an approach to keeping track of the projects and vulnerabilities.
  • Cartography - A Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
  • DefectDojo - An open-source application vulnerability correlation and security orchestration tool.
  • Dradis - Collaboration and reporting for IT Security teams.
  • Faraday - Collaborative Penetration Test and Vulnerability Management Platform.
  • PwnDoc - A pentest reporting application making it simple and easy to write your findings and generate a customizable Docx report. The main goal is to have more time to Pwn and less time to Doc by mutualizing data like vulnerabilities between users.
  • VECTR - A tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios.
  • WriteHat - A reporting tool which removes Microsoft Word (and many hours of suffering) from the reporting process. Markdown --> HTML --> PDF. Created by penetration testers, for penetration testers - but can be used to generate any kind of report.

Services

  • SSLyze - SSL configuration scanner.
  • Sslstrip - A demonstration of the HTTPS stripping attacks.
  • Sslstrip2 - SSLStrip version to defeat HSTS.
  • Tls_prober - Fingerprint a server's SSL/TLS implementation.

Training

  • Android-InsecureBankv2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.
  • BadBlood - Fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is run on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory.
  • DIVA Android - Damn Insecure and vulnerable App for Android.
  • DVCP-TE - Damn Vulnerable Chemical Process - Tennessee Eastman.
  • DVWA - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.
  • DVWS - Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication.
  • Don't Panic - Training linux bind shell with anti-reverse engineering techniques.
  • GRFICS - A graphical realism framework for industrial control simulations that uses Unity 3D game engine graphics to lower the barrier to entry for industrial control system security. GRFICS provides users with a full virtual industrial control system (ICS) network to practice common attacks including command injection, man-in-the-middle, and buffer overflows, and visually see the impact of their attacks in the 3D visualization. Users can also practice their defensive skills by properly segmenting the network with strong firewall rules, or writing intrusion detection rules.
  • Hackazon - A modern vulnerable web app.
  • Insecure-deserialization-net-poc - A small webserver vulnerable to insecure deserialization.
  • JuliaRT - Automated AD Pentest Lab Deployment in the Cloud: IaC Terraform and Ansible Playbook templates for deploying an Active Directory Domain in Azure.
  • Kubernetes Goat - Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security.
  • Metasploitable3 - A VM that is built from the ground up with a large amount of security vulnerabilities. It is intended to be used as a target for testing exploits with metasploit.
  • OWASP Juice Shop - An intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
  • OWASP NodeGoat - An environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
  • OWASP Railsgoat - A vulnerable version of Rails that follows the OWASP Top 10.
  • OWASP Security Shepherd - A web and mobile application security training platform.
  • OWASP WebGoat - A deliberately insecure Web Application.
  • OWASP WrongSecrets - With this app, we have packed various ways of how to not store your secrets. These can help you to realize whether your secret management is ok. The challenge is to find all the different secrets by means of various tools and techniques.
  • OWASP-SKF - The OWASP Security Knowledge Framework is an open source web application that explains secure coding principles in multiple programming languages.
  • RopeyTasks - Deliberately vulnerable web application.
  • Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure.
  • Sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.
  • WackoPicko - A vulnerable web application used to test web application vulnerability scanners.
  • Xvwa - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

Web

  • Arachni - Web Application Security Scanner Framework.
  • Argumentinjectionhammer - A Burp Extension designed to identify argument injection vulnerabilities.
  • Autowasp - A Burp Suite extension that integrates Burp issues logging, with OWASP Web Security Testing Guide (WSTG), to provide a streamlined web security testing flow for the modern-day penetration tester! This tool will guide new penetration testers to understand the best practices of web application security and automate OWASP WSTG checks.
  • BlackBox Protobuf Burp Extension - A Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
  • BlindElephant - Web Application Fingerprinter.
  • Brosec - An interactive reference tool to help security professionals utilize useful payloads and commands.
  • Burp Suite - An integrated platform for performing security testing of web applications.
  • CloudScraper - Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
  • Cms-explorer - CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.
  • Crlfuzz - A fast tool to scan CRLF vulnerability written in Go.
  • Dirble - Fast directory scanning and scraping tool.
  • Dvcs-ripper - Rip web accessible (distributed) version control systems.
  • Fimap - Find, prepare, audit, exploit and even google automatically for LFI/RFI bugs.
  • Gobuster - Directory/file & DNS busting tool written in Go.
  • Jok3r - Network and Web Pentest Framework.
  • Joomscan - Joomla CMS scanner.
  • Jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens.
  • Kadabra - Automatic LFI Exploiter and Scanner, written in C++ with a couple of external modules in Python.
  • Kadimus - LFI scan and exploit tool.
  • Liffy - LFI exploitation tool.
  • LinkFinder - A python script that finds endpoints in JavaScript files.
  • Mitmproxy2swagger - Automagically reverse-engineer REST APIs via capturing traffic. A tool for automatically converting mitmproxy captures to OpenAPI 3.0 specifications. This means that you can automatically reverse-engineer REST APIs by just running the apps and capturing the traffic.
  • Netsparker - Web Application Security Scanner.
  • Nikto2 - Web application vulnerability scanner.
  • NoSQLMap - Automated Mongo database and NoSQL web application exploitation tool.
  • OWASP Xenotix - XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.
  • Paros - A Java based HTTP/HTTPS proxy for assessing web application vulnerability.
  • PayloadsAllTheThings - A list of useful payloads and bypass for Web Application Security and Pentest/CTF.
  • Php-jpeg-injector - Injects php payloads into jpeg images.
  • Pyfiscan - Free web-application vulnerability and version scanner.
  • Ratproxy - A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems.
  • RecurseBuster - Rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments.
  • Relative-url-extractor - A small tool that extracts relative URLs from a file.
  • SQLMap - Automatic SQL injection and database takeover tool.
  • SQLNinja - SQL Server injection & takeover tool.
  • Scout2 - Security auditing tool for AWS environments.
  • Skipfish - An active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.
  • TPLMap - Automatic Server-Side Template Injection Detection and Exploitation Tool.
  • Tracy - A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
  • Tsunami - General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
  • W3af - Web application attack and audit framework.
  • WPScan - WPScan is a black box WordPress vulnerability scanner.
  • WPSploit - Exploiting Wordpress With Metasploit.
  • WS-Attacker - A modular framework for web services penetration testing.
  • WStalker - An easy proxy.
  • Wapiti - Web application vulnerability scanner.
  • Wappalyzer - Cross-platform utility that uncovers the technologies used on websites.
  • Weevely3 - Weaponized web shell.
  • Wfuzz - Web application fuzzer.
  • WhatWeb - Website Fingerprinter.
  • Wordpress Exploit Framework - A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
  • Wuzz - Interactive cli tool for HTTP inspection
  • XSS-keylogger - A keystroke logger to exploit XSS vulnerabilities in a site.
  • XSS-payload-list - XSS Payload list.
  • XSpear - Powerful XSS Scanning and Parameter analysis tool&gem.
  • Yasuo - A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network.
  • Zed Attack Proxy (ZAP) - The OWASP ZAP core project.
  • x8-Burp - Hidden parameters discovery suite wrapper.

Wireless

  • Aircrack-ng - An 802.11 WEP and WPA-PSK keys cracking program.
  • Airgeddon - This is a multi-use bash script for Linux systems to audit wireless networks.
  • Kismet - Wireless network detector, sniffer, and IDS.
  • Krackattacks-scripts - Scripts to test if clients or access points (APs) are affected by the KRACK attack against WPA2.
  • LANs.py - Inject code, jam wifi, and spy on wifi users.
  • Mass-deauth - A script for 802.11 mass-deauthentication.
  • Reaver - Brute force attack against Wifi Protected Setup.
  • Sniffle - A sniffer for Bluetooth 5 and 4.x (LE) using TI CC1352/CC26x2 hardware.
  • WiFiDuck - Wireless keystroke injection attack platform.
  • Wifijammer - Continuously jam all wifi clients/routers.
  • Wifikill - A python program to kick people off of wifi.
  • Wifiphisher - Automated phishing attacks against Wi-Fi networks.
  • Wifite - Automated wireless attack tool.

Reverse Engineering

  • APKiD - Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android.
  • AndBug - A debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers.
  • Angr - A platform-agnostic binary analysis framework developed by the Computer Security Lab at UC Santa Barbara and their associated CTF team, Shellphish.
  • AngryGhidra - Angr plugin for Ghidra.
  • Apk2Gold - Yet another Android decompiler.
  • ApkTool - A tool for reverse engineering Android apk files.
  • Avscript - Avast JavaScript Interactive Shell.
  • B2R2 - A collection of useful algorithms, functions, and tools for binary analysis.
  • Barf - Binary Analysis and Reverse engineering Framework.
  • BinText - A small, very fast and powerful text extractor.
  • BinWalk - Analyze, reverse engineer, and extract firmware images.
  • Binaryanalysis-ng - Binary Analysis Next Generation is a framework for unpacking files (like firmware) recursively and running checks on the unpacked files. Its intended use is to be able to find out the provenance of the unpacked files and classify/label files, making them available for further analysis.
  • Binee - A complete binary emulation environment that focuses on introspection of all IO operations.
  • Boomerang - Decompile x86/SPARC/PowerPC/ST-20 binaries to C.
  • Bytecode-viewer - A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More).
  • Bytecode_graph - Module designed to modify Python bytecode. Allows instructions to be added or removed from a Python bytecode string.
  • CHIPSEC - Platform Security Assessment Framework.
  • Capstone - Lightweight multi-platform, multi-architecture disassembly framework with Python bindings.
  • ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
  • Coda - Coredump analyzer.
  • Ctf_import - Run basic functions from stripped binaries cross platform.
  • DBI - Dynamic Binary Instrumentation plugins.
  • Dex2jar - Tools to work with android .dex and java .class files.
  • Distorm - Powerful Disassembler Library For x86/AMD64.
  • DotPeek - A free-of-charge .NET decompiler from JetBrains.
  • Dotnet-netrace - Collects network traces of .NET applications.
  • Dragondance - Binary code coverage visualizer plugin for Ghidra.
  • Dwarf - A gui for mobile reverse engineers, crackers and security analysts. Or damn, what a reversed fluffy or yet, duck warriors are rich as fuck. Whatever you like! Built on top of pyqt5, frida and some terrible code.
  • DynStruct - Reverse engineering tool for automatic structure recovering and memory use analysis based on DynamoRIO and Capstone.
  • EDB - A debugger (like gdb and dlv) for eBPF programs. Normally eBPF programs are loaded into the Linux kernel and then executed, which makes it difficult to understand what is happening or why things go wrong. For normal applications we can use gdb or dlv to inspect programs, but these don't work for eBPF due to the way eBPF is loaded into the kernel.
  • EFI DXE Emulator - An EFI DXE phase binaries emulator based on Unicorn.
  • Edb - A cross platform x86/x86-64 debugger.
  • Enjarify - A tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • Fino - An Android Dynamic Analysis Tool.
  • Flare-emu - It marries a supported binary analysis framework, such as IDA Pro or Radare2, with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. It is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems.
  • Flare-ida - IDA Pro utilities from FLARE team.
  • Frida - Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.
  • Frida-scripts - These scripts will help in security research and automation.
  • GEF - Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers.
  • Gdb-dashboard - Modular visual interface for GDB in Python.
  • Gdbstub - A simple, dependency-free GDB stub that can be easily dropped in to your project.
  • Ghidra - A software reverse engineering (SRE) framework.
  • GhidraChatGPT - A plugin that brings the power of ChatGPT to Ghidra!
  • Ghidra_kernelcache - A Ghidra framework for iOS kernelcache reverse engineering.
  • Ghidra_scripts - Scripts for the Ghidra software reverse engineering suite.
  • Golang_loader_assist - Making GO reversing easier in IDA Pro.
  • Granary - A kernel space dynamic binary translation framework. The main goal of Granary is to enable flexible and efficient instrumentation of Linux kernel modules, while imposing no overhead to non-module kernel code.
  • Grap - Define and match graph patterns within binaries.
  • HVMI - Hypervisor Memory Introspection Core Library.
  • Haybale - Symbolic execution of LLVM IR with an engine written in Rust.
  • Heap-viewer - An IDA Pro plugin to examine the glibc heap, focused on exploit development.
  • HexRaysCodeXplorer - Hex-Rays Decompiler plugin for better code navigation
  • Hopper - An OS X and Linux Disassembler/Decompiler for 32/64 bit Windows/Mac/Linux/iOS executables.
  • ICSREF - A tool for reverse engineering industrial control systems binaries.
  • IDA Free - The freeware version of IDA.
  • IDA Patcher - IDA Patcher is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's ability to patch binary files and memory.
  • IDA Pomidor - IDA Pomidor is a plugin for Hex-Ray's IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions.
  • IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger.
  • IDA Sploiter - IDA Sploiter is a plugin for Hex-Ray's IDA Pro disassembler designed to enhance IDA's capabilities as an exploit development and vulnerability research tool.
  • IDAPython - An IDA plugin which makes it possible to write scripts for IDA in the Python programming language.
  • IDAwasm - IDA Pro loader and processor modules for WebAssembly.
  • IRPMon - The goal of the tool is to monitor requests received by selected device objects or kernel drivers. The tool is quite similar to IrpTracker but has several enhancements. It supports 64-bit versions of Windows (no inline hooks are used, only modifications to driver object structures are performed) and monitors IRP, FastIo, AddDevice, DriverUnload and StartIo requests.
  • Idaemu - An IDA Pro plugin used for emulating code in IDA Pro.
  • IlluminateJs - A static javascript deobfuscator aimed to help analysts understand obfuscated and potentially malicious JavaScript Code. Consider it like JSDetox (the static part), but on steroids.
  • Ilo4_toolbox - Toolbox for HPE iLO4 & iLO5 analysis.
  • Immunity Debugger - A powerful new way to write exploits and analyze malware.
  • JAD - JAD Java Decompiler.
  • JD-GUI - Aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions.
  • Jadx - Decompile Android files.
  • Keystone Engine - A lightweight multi-platform, multi-architecture assembler framework.
  • Krakatau - Java decompiler, assembler, and disassembler.
  • LIEF - The purpose of this project is to provide a cross platform library which can parse, modify and abstract ELF, PE and MachO formats.
  • Levitate - Reverse Engineering and Static Malware Analysis Platform.
  • Linux_injector - A simple ptrace-less shared library injector for x64 Linux
  • MARA Framework - A Mobile Application Reverse engineering and Analysis Framework.
  • Manticore - Prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.
  • Medusa - A disassembler designed to be both modular and interactive.
  • MegaDumper - Dump native and .NET assemblies.
  • Minhook - The Minimalistic x86/x64 API Hooking Library for Windows.
  • Mona.py - PyCommand for Immunity Debugger that replaces and improves on pvefindaddr.
  • OllyDbg - An x86 debugger that emphasizes binary code analysis.
  • PEDA - Python Exploit Development Assistance for GDB.
  • Paimei - Reverse engineering framework, includes PyDBG, PIDA, pGRAPH.
  • Pigaios - A tool for matching and diffing source codes directly against binaries.
  • Plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
  • Ponce - An IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.
  • Procyon - A modern open-source Java decompiler.
  • Protobuf-inspector - Tool to reverse-engineer Protocol Buffers with unknown definition.
  • Pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy.
  • Pyew - Command line hexadecimal editor and disassembler, mainly to analyze malware.
  • QBDI - A Dynamic Binary Instrumentation framework based on LLVM.
  • Qira - QEMU Interactive Runtime Analyser.
  • R2MSDN - R2 plugin to add MSDN documentation URLs and parameter names to imported function calls.
  • RABCDAsm - Robust ABC (ActionScript Bytecode) [Dis-]Assembler.
  • Radare2 - Opensource, crossplatform reverse engineering framework.
  • Radare2-bindings - Bindings of the r2 api for Valabind and friends.
  • Rarvmtools - This is a basic toolchain for the RarVM, a virtual machine included with the popular WinRAR compression suite. Rar includes a VM to support custom data transformations to improve data redundancy, and thus improve compression ratios. However, it also represents a widely deployed machine architecture about which very little is known...that is just too tempting a target for exploration to ignore.
  • Redexer - A reengineering tool that manipulates Android app binaries.
  • Rizin - A fork of the radare2 reverse engineering framework with a focus on usability, working features and code cleanliness.
  • ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API.
  • Shed - .NET runtime inspector.
  • Simplify - Generic Android Deobfuscator.
  • SimplifyGraph - IDA Pro plugin to assist with complex graphs.
  • Smali - Smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation.
  • Sojobo - An emulator for the B2R2 framework. It was created to ease the analysis of potentially malicious files. It is developed entirely in .NET, so you don't need to install or compile any other external libraries.
  • Swiffas - SWF parser and AVM2 (Actionscript 3) bytecode parser.
  • Swift-frida - Frida library for interacting with Swift programs.
  • Synchrony - Javascript-obfuscator cleaner & deobfuscator.
  • Toolbag - The IDA Toolbag is a plugin providing supplemental functionality to Hex-Rays IDA Pro disassembler.
  • Triton - Triton is a Dynamic Binary Analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a dynamic taint engine, AST representations of the x86, x86-64, ARM32 and AArch64 Instruction Set Architectures (ISA), SMT simplification passes, an SMT solver interface and, last but not least, Python bindings.
  • UPX - The Ultimate Packer for eXecutables.
  • Ufgraph - A simple script which parses the output of the uf (un-assemble function) command in windbg and uses graphviz to generate a control flow graph as a PNG/SVG/PDF/GIF (see -of option) and displays it.
  • Uncompyle - Decompile Python 2.7 binaries (.pyc).
  • Unicorn Engine - A lightweight, multi-platform, multi-architecture CPU emulator framework based on QEMU.
  • Unlinker - Unlinker is a tool that can rip functions out of Visual C++ compiled binaries and produce Visual C++ COFF object files.
  • VMX_INTRINSICS - VMX intrinsics plugin for Hex-Rays decompiler.
  • VT-IDA Plugin - Official VirusTotal plugin for IDA Pro.
  • Voltron - An extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host.
  • WinDbg - Windows Driver Kit and WinDbg.
  • WinHex - A hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.
  • WinIPT - The Windows Library for Intel Process Trace (WinIPT) is a project that leverages the new Intel Processor Trace functionality exposed by Windows 10 Redstone 5 (1809), through a set of libraries and a command-line tool.
  • X64_dbg - An open-source x64/x32 debugger for windows.
  • Xxxswf - A Python script for analyzing Flash files.
  • Xyntia - A standalone tool which takes I/O examples as input and synthesizes a corresponding expression. Still, in practice, you do not want to give these I/O examples by hand. Thus we give scripts to automatically sample them from a given binary.
  • YaCo - A Hex-Rays IDA plugin. When enabled, multiple users can work simultaneously on the same binary. Any modification done by any user is synchronized through git version control.
  • dnSpy - .NET debugger and assembly editor
  • r2-dirtycow - Radare2 IO plugin for Linux and Android. Modifies files owned by other users via dirtycow Copy-On-Write cache vulnerability.
  • uEmu - Tiny cute emulator plugin for IDA based on unicorn.

Security

Asset Management

Cloud Security

  • Aws-nuke - Nuke a whole AWS account and delete all its resources.
  • Azucar - Security auditing tool for Azure environments.
  • CloudMapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
  • Dorothy - A tool to help security teams test their monitoring and detection capabilities for their Okta environment. Dorothy has several modules to simulate actions that an attacker might take while operating in an Okta environment and actions that security teams should be able to audit. The modules are mapped to the relevant MITRE ATT&CK® tactics, such as persistence, defense evasion, and discovery.
  • Hammer - Dow Jones Hammer: Protect the cloud with the power of the cloud (AWS).
  • IAMFinder - Enumerates and finds users and IAM roles in a target AWS account. With only the AWS account number of the targeted account, IAMFinder is able to identify users and roles in that environment. Upon successfully identifying an IAM role, IAMFinder can also check if this role can be assumed anonymously.
  • Parliament - An AWS IAM linting library. It reviews policies looking for problems.
  • Patrolaroid - An instant camera for capturing cloud workload risks. It’s a prod-friendly scanner that makes finding security issues in AWS instances and buckets less annoying and disruptive for software engineers and cloud admins.
  • PurplePanda - This tool fetches resources from different cloud/SaaS applications focusing on permissions in order to identify privilege escalation paths and dangerous permissions in the cloud/SaaS configurations. Note that PurplePanda searches for privilege escalation paths both within a platform and across platforms.
  • Security Monkey - Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
  • Varna - Quick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL)

Resources

  • s3cr3t - Serve files securely from an S3 bucket with expiring links and other restrictions.

DevOps

  • Trivy - A simple and comprehensive vulnerability scanner for containers and other artifacts. A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System. Trivy detects vulnerabilities of OS packages (Alpine, RHEL, CentOS, etc.) and application dependencies (Bundler, Composer, npm, yarn, etc.). Trivy is easy to use.

Endpoint Security

  • AIDE - Advanced Intrusion Detection Environment is a file and directory integrity checker.
  • Duckhunt - Prevent RubberDucky (or other keystroke injection) attacks.
  • Hardentools - A utility that disables a number of risky Windows features.
  • Limacharlie - An endpoint security platform. It is itself a collection of small projects all working together to become the LC platform.
  • Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
  • OpenEDR - A full-blown EDR capability. It is one of the most sophisticated, effective EDR code bases in the world and with the community’s help it will become even better.
  • Osx-config-check - Verify the configuration of your OS X machine.
  • ProcMon-for-Linux - A Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.
  • Xnumon - Monitor macOS for malicious activity.

Identity

Network Security

  • AdGuardHome - Network-wide ads & trackers blocking DNS server.
  • EveBox - A web-based Suricata "eve" event viewer for Elasticsearch.
  • Pi-hole - A DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.
  • Scirius - A web application for Suricata ruleset management.

Orchestration

  • Stoq - An open source framework for enterprise level automated analysis.

Phishing

  • Miteru - An experimental phishing kit detection tool.
  • PhishDetect - A library and a platform to detect potential phishing pages. It attempts to do so by identifying suspicious and malicious properties both in the domain names and URL provided, as well as in the HTML content of the page opened.
  • StreamingPhish - Python-based utility that uses supervised machine learning to detect phishing domains from the Certificate Transparency log network.

Privacy

  • Git-crypt - Transparent file encryption in git.
  • GoSecure - An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi.
  • I2P - The Invisible Internet Project.
  • Nipe - A script to make Tor Network your default gateway.
  • SecureDrop - Open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources.
  • Sshuttle - Transparent proxy server that works as a poor man's VPN. Forwards over SSH. Doesn't require admin. Works with Linux and macOS. Supports DNS tunneling.
  • Tomb - A minimalistic command-line tool to manage encrypted volumes, aka The Crypto Undertaker.
  • Tor - The free software for enabling onion routing online anonymity.
  • Toriptables2 - A Python script alternative to Nipe. Makes Tor Network your default gateway.

Social Engineering

Framework

  • SET - The Social-Engineer Toolkit from TrustedSec.

Harvester

  • Creepy - A geolocation OSINT tool.
  • Datasploit - A tool to perform various OSINT techniques, aggregate all the raw data, visualise it on a dashboard, and facilitate alerting and monitoring on the data.
  • Email-enum - Searches mainstream websites and tells you if an email is registered.
  • Github-dorks - CLI tool to scan GitHub repos/organizations for potential sensitive information leaks.
  • Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
  • Metagoofil - Metadata harvester.
  • SpiderFoot - Automates OSINT collection so that you can focus on analysis.
  • TTSL - Tool to scrape LinkedIn.
  • TheHarvester - E-mail, subdomain and people names harvester.

Phishing

  • BlackPhish - Super lightweight with many features and blazing fast speeds.
  • CredSniper - A phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.
  • FiercePhish - A full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.
  • GoPhish - Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing engagements and security awareness training.
  • Microsoft365_devicePhish - A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow.
  • Modlishka - Reverse Proxy. Phishing NG.
  • Muraena - An almost-transparent reverse proxy aimed at automating phishing and post-phishing activities.
  • Phishing-frenzy - Ruby on Rails Phishing Framework.
  • Pompa - Fully-featured spear-phishing toolkit - web front-end.
  • Whatsapp-phishing - The best tool for WhatsApp phishing with OTP provider.

Wardialing