nccgroup/Sniffle nccgroup/Sniffle

  • Stars
    star
    648
  • Rank 66,909 (Top 2 %)
  • Language
    C
  • License
    GNU General Publi...
  • Created over 4 years ago
  • Updated 11 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
nccgroup/Sniffle
github

nccgroup

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A sniffer for Bluetooth 5 and 4.x LE

Sniffle

Sniffle is a sniffer for Bluetooth 5 and 4.x (LE) using TI CC1352/CC26x2 hardware.

Sniffle has a number of useful features, including:

  • Support for BT5/4.2 extended length advertisement and data packets
  • Support for BT5 Channel Selection Algorithms #1 and #2
  • Support for all BT5 PHY modes (regular 1M, 2M, and coded modes)
  • Support for sniffing only advertisements and ignoring connections
  • Support for channel map, connection parameter, and PHY change operations
  • Support for advertisement filtering by MAC address and RSSI
  • Support for BT5 extended advertising (non-periodic)
  • Support for capturing advertisements from a target MAC on all three primary advertising channels using a single sniffer. This makes connection detection nearly 3x more reliable than most other sniffers that only sniff one advertising channel.
  • Easy to extend host-side software written in Python
  • PCAP export compatible with the Ubertooth
  • Wireshark compatible plugin

Prerequisites

If you don't want to go through the effort of setting up a build environment for the firmware, you can just flash prebuilt firmware binaries using UniFlash/DSLite. Prebuilt firmware binaries are attached to releases on the GitHub releases tab of this project. When using prebuilt firmware, be sure to use the Python code corresponding to the release tag rather than master to avoid compatibility issues with firmware that is behind the master branch.

Installing GCC

The arm-none-eabi-gcc provided through various Linux distributions' package manager often lacks some header files or requires some changes to linker configuration. For minimal hassle, I suggest using the ARM GCC linked above. You can just download and extract the prebuilt executables.

Installing the TI SDK

The TI SDK is provided as an executable binary that extracts a bunch of source code once you accept the license agreement. On Linux and Mac, the default installation directory is inside~/ti/. This works fine and my makefiles expect this path, so I suggest just going with the default here. The same applies for the TI SysConfig tool.

Once the SDK has been extracted, you will need to edit one makefile to match your build environment. Within ~/ti/simplelink_cc13xx_cc26xx_sdk_6_20_00_29 (or wherever the SDK was installed) there is a makefile named imports.mak. The only paths that need to be set here to build Sniffle are for GCC, XDC, and SysConfig. We don't need the CCS compiler. See the diff below as an example, and adapt for wherever you installed things.

diff --git a/imports.mak b/imports.mak
index b8a3713..e736e24 100644
--- a/imports.mak
+++ b/imports.mak
@@ -18,13 +18,13 @@
 # will build using each non-empty *_ARMCOMPILER cgtool.
 #
 
-XDC_INSTALL_DIR        ?= /home/username/ti/xdctools_3_62_01_15_core
-SYSCONFIG_TOOL         ?= /home/username/ti/ccs1120/ccs/utils/sysconfig_1.13.0/sysconfig_cli.sh
+XDC_INSTALL_DIR        ?= $(HOME)/ti/xdctools_3_62_01_15_core
+SYSCONFIG_TOOL         ?= $(HOME)/ti/sysconfig_1.13.0/sysconfig_cli.sh
 
 FREERTOS_INSTALL_DIR   ?= /home/username/FreeRTOSv202104.00
 
 TICLANG_ARMCOMPILER    ?= /home/username/ti/ccs1120/ccs/tools/compiler/ti-cgt-armllvm_2.1.0.LTS-0
-GCC_ARMCOMPILER        ?= /home/username/ti/ccs1120/ccs/tools/compiler/9.2019.q4.major-0
+GCC_ARMCOMPILER        ?= $(HOME)/arm_tools/arm-gnu-toolchain-11.3.rel1-x86_64-arm-none-eabi
 
 # The IAR compiler is not supported on Linux
 # IAR_ARMCOMPILER      ?=

Obtaining DSLite

DSLite is TI's command line programming and debug server tool for XDS110 debuggers. The CC26xx and CC13xx Launchpad boards both include XDS110 debuggers. Unfortunately, TI does not provide a standalone command line DSLite download. The easiest way to obtain DSLite is to install UniFlash from TI. It's available for Linux, Mac, and Windows. The DSLite executable will be located at deskdb/content/TICloudAgent/linux/ccs_base/DebugServer/bin/DSLite relative to the UniFlash installation directory. On Linux, the default UniFlash installation directory is inside ~/ti/.

You should place the DSLite executable directory within your $PATH.

Building and Installation

Once the GCC, DSLite, and the SDK is installed and operational, building Sniffle should be straight forward. Just navigate to the fw directory and run make. If you didn't install the SDK to the default directory, you may need to edit SIMPLELINK_SDK_INSTALL_DIR in the makefile.

To install Sniffle on a (plugged in) CC26x2 Launchpad using DSLite, run make load within the fw directory. You can also flash the compiled sniffle.out binary using the UniFlash GUI.

If building for or installing on a some variant of Launchpad orhter than CC26x2R, you must specify PLATFORM=xxx, either as an argument to make, or by defining it as an environment variable prior to invoking make. Supported values for PLATFORM are CC2642R1F, CC2652R1F, CC1352R1F3, CC2652RB1F, and CC1352P1F3. Be sure to perform a make clean before building for a different platform.

Sniffer Usage

[skhan@serpent python_cli]$ ./sniff_receiver.py --help
usage: sniff_receiver.py [-h] [-s SERPORT] [-c {37,38,39}] [-p] [-r RSSI] [-m MAC]
                         [-i IRK] [-a] [-e] [-H] [-l] [-q] [-Q PRELOAD] [-o OUTPUT]

Host-side receiver for Sniffle BLE5 sniffer

optional arguments:
  -h, --help            show this help message and exit
  -s SERPORT, --serport SERPORT
                        Sniffer serial port name
  -c {37,38,39}, --advchan {37,38,39}
                        Advertising channel to listen on
  -p, --pause           Pause sniffer after disconnect
  -r RSSI, --rssi RSSI  Filter packets by minimum RSSI
  -m MAC, --mac MAC     Filter packets by advertiser MAC
  -i IRK, --irk IRK     Filter packets by advertiser IRK
  -a, --advonly         Sniff only advertisements, don't follow connections
  -e, --extadv          Capture BT5 extended (auxiliary) advertising
  -H, --hop             Hop primary advertising channels in extended mode
  -l, --longrange       Use long range (coded) PHY for primary advertising
  -q, --quiet           Don't display empty packets
  -Q PRELOAD, --preload PRELOAD
                        Preload expected encrypted connection parameter changes
  -n, --nophychange     Ignore encrypted PHY mode changes
  -o OUTPUT, --output OUTPUT
                        PCAP output file name

The XDS110 debugger on the Launchpad boards creates two serial ports. On Linux, they are typically named ttyACM0 and ttyACM1. The first of the two created serial ports is used to communicate with Sniffle. By default, the Python CLI communicates using the first CDC-ACM device it sees matching the TI XDS110 USB VID:PID combo. You may need to override this with the -s command line option if you are using a different USB serial adapter or have additional USB CDC-ACM devices connected.

For the -r (RSSI filter) option, a value of -40 tends to work well if the sniffer is very close to or nearly touching the transmitting device. The RSSI filter is very useful for ignoring irrelevant advertisements in a busy RF environment. The RSSI filter is only active when capturing advertisements, as you always want to capture data channel traffic for a connection being followed. You probably don't want to use an RSSI filter when MAC filtering is active, as you may lose advertisements from the MAC address of interest when the RSSI is too low.

To hop along with advertisements and have reliable connection sniffing, you need to set up a MAC filter with the -m option. You should specify the MAC address of the peripheral device, not the central device. To figure out which MAC address to sniff, you can run the sniffer with RSSI filtering while placing the sniffer near the target. This will show you advertisements from the target device including its MAC address. It should be noted that many BLE devices advertise with a randomized MAC address rather than their "real" fixed MAC written on a label.

For convenience, there is a special mode for the MAC filter by invoking the script with -m top instead of -m with a MAC address. In this mode, the sniffer will lock onto the first advertiser MAC address it sees that passes the RSSI filter. The -m top mode should thus always be used with an RSSI filter to avoid locking onto a spurious MAC address. Once the sniffer locks onto a MAC address, the RSSI filter will be disabled automatically by the sniff receiver script (except when the -e option is used).

Most new BLE devices use Resolvable Private Addresses (RPAs) rather than fixed static or public addresses. While you can set up a MAC filter to a particular RPA, devices periodically change their RPA. RPAs can can be resolved (associated with a particular device) if the Identity Resolving Key (IRK) is known. Sniffle supports automated RPA resolution when the IRK is provided. This avoids the need to keep updating the MAC filter whenever the RPA changes. You can specify an IRK for Sniffle with the -i option; the IRK should be provided in hexadecimal format, with the most significant byte (MSB) first. Specifying an IRK allows Sniffle to channel hop with an advertiser the same way it does with a MAC filter. The IRK based MAC filtering feature (-i) is mutually exclusive with the static MAC filtering feature (-m).

To enable following auxiliary pointers in Bluetooth 5 extended advertising, enable the -e option. To improve performance and reliability in extended advertising capture, this option disables hopping on the primary advertising channels, even when a MAC filter is set up. If you are unsure whether a connection will be established via legacy or extended advertising, you can enable the -H flag in conjunction with -e to perform primary channel hopping with legacy advertisements, and scheduled listening to extended advertisement auxiliary packets. When combining -e and -H, the reliability of connection detection may be reduced compared to hopping on primary (legacy) or secondary (extended) advertising channels alone.

To sniff the long range PHY on primary advertising channels, specify the -l option. Note that no hopping between primary advertising channels is supported in long range mode, since all long range advertising uses the BT5 extended mechanism. Under the extended mechanism, auxiliary pointers on all three primary channels point to the same auxiliary packet, so hopping between primary channels is unnecessary.

To not print empty data packets on screen while following a connection, use the -q flag. This makes it easier to observe meaningful communications in real time, but may obscure when connection following is flaky or lost.

For encrypted connections, Sniffle supports detecting connection parameter updates even when the encryption key is unknown, and it attempts to measure the new parameters. However, if you know the new connection interval and Instant delta to expect in encrypted connection parameter updates, you can specify them with the --preload/-Q option to improve performance/reliability. The expected Interval:DeltaInstant pair should be provided as colon separated integers. Interval is an integer representing multiples of 1.25 ms (as defined in LL_CONNECTION_UPDATE_IND). DeltaInstant is the number of connection events between when the connection update packet is transmitted and when the new parameters are applied. DeltaInstant must be greater than or equal to 6, as per the Bluetooth specification's requirements for master devices. If multiple encrypted parameter updates are expected, you can provide multiple parameter pairs, separated by commas (eg. 6:7,39:8). If you have a device that issues encrypted PHY update PDUs that don't change the PHY, or puts out encrypted LE power control PDUs without any PHY changes, you can use the --nophychange/-n option.

If for some reason the sniffer firmware locks up and refuses to capture any traffic even with filters disabled, you should reset the sniffer MCU. On Launchpad boards, the reset button is located beside the micro USB port.

Scanner Usage

usage: scanner.py [-h] [-s SERPORT] [-c {37,38,39}] [-r RSSI] [-l]

Scanner utility for Sniffle BLE5 sniffer

optional arguments:
  -h, --help            show this help message and exit
  -s SERPORT, --serport SERPORT
                        Sniffer serial port name
  -c {37,38,39}, --advchan {37,38,39}
                        Advertising channel to listen on
  -r RSSI, --rssi RSSI  Filter packets by minimum RSSI
  -l, --longrange       Use long range (coded) PHY for primary advertising

The scanner command line arguments work the same as the sniffer. The purpose of the scanner utility is to gather a list of nearby devices advertising, and actively issue scan requests for observed devices, without having the deluge of fast scrolling data you get with the sniffer utility. The hardware/firmware will enter an active scanning mode where it will report received advertisements, issue scan requests for scannable ones, and report received scan responses. The scanner utility will record and report observed MAC addresses only once without spamming the display. Once you're done capturing advertisements, press Ctrl-C to stop scanning and report the results. The scanner will show the last advertisement and scan response from each target. Scan results will be sorted by RSSI in descending order.

Usage Examples

Sniff all advertisements on channel 38, ignore RSSI < -50, stay on advertising channel even when CONNECT_REQs are seen.

./sniff_receiver.py -c 38 -r -50 -a

Sniff advertisements from MAC 12:34:56:78:9A:BC, stay on advertising channel even when CONNECT_REQs are seen, save advertisements to data1.pcap.

./sniff_receiver.py -m 12:34:56:78:9A:BC -a -o data1.pcap

Sniff advertisements and connections for the first MAC address seen with RSSI >= -40. The RSSI filter will be disabled automatically once a MAC address has been locked onto. Save captured data to data2.pcap.

./sniff_receiver.py -m top -r -40 -o data2.pcap

Sniff advertisements and connections from the peripheral with big endian IRK 4E0BEA5355866BE38EF0AC2E3F0EBC22. Preload two expected encrypted connection parameter updates; the first with an Interval of 6, occuring at an instant 6 connection events after an encrypted LL_CONNECTION_UPDATE_IND is observed by the sniffer. The second expected encrypted connection update has an Interval of 39, and DeltaInstant of 6 too.

./sniff_receiver.py -i 4E0BEA5355866BE38EF0AC2E3F0EBC22 -Q 6:6,39:6

Sniff BT5 extended advertisements and connections from nearby (RSSI >= -55) devices.

./sniff_receiver.py -r -55 -e

Sniff legacy and extended advertisements and connections from the device with the specified MAC address. Save captured data to data3.pcap.

./sniff_receiver.py -eH -m 12:34:56:78:9A:BC -o data3.pcap

Sniff extended advertisements and connections using the long range primary PHY on channel 38.

./sniff_receiver.py -le -c 38

Actively scan on channel 39 for advertisements with RSSI greater than -50.

./scanner.py -c 39 -r -50

Obtaining the IRK

If you have a rooted Android phone, you can find IRKs (and LTKs) in the Bluedroid configuration file. On Android 8.1, this is located at /data/misc/bluedroid/bt_config.conf. The LE_LOCAL_KEY_IRK specifies the Android device's own IRK, and the first 16 bytes of LE_KEY_PID for every bonded device in the file indicate the bonded device's IRK. Be aware that keys stored in this file are little endian, so the byte order of keys in this file will need to be reversed. For example, the little endian IRK 22BC0E3F2EACF08EE36B865553EA0B4E needs to be changed to 4E0BEA5355866BE38EF0AC2E3F0EBC22 (big endian) when being passed to Sniffle with the -i option.

Wireshark Plugin

Sniffle includes a Wireshark plugin that makes it possible to launch Sniffle automatically from the Wireshark GUI by selecting the 'Sniffle' capture interface.

To install the Sniffle plugin, first find the location of your Personal Extcap folder in the 'About Wireshark' dialog (Help > About Wireshark > Folders > Personal Extcap path). On Unix systems, this folder is typically located at ~/.config/wireshark/extcap. Under Windows, it can be found at %USERPROFILE%\AppData\Roaming\Wireshark\extcap.

Copy the following files from the python_cli directory into your Personal Extcap folder:

python_cli/pcap.py
python_cli/packet_decoder.py
python_cli/sniffle_hw.py
python_cli/sniffle_extcap.py
python_cli/sniffle_extcap.bat (Windows only)

On Unix systems, ensure that the main plugin script is marked executable:

chmod +x ~/.config/wireshark/extcap/sniffle_extcap.py

On Windows, it may be necessary to edit sniffle_extcap.bat to specify the location of the python interpreter if the installation directory is not included in the PATH, e.g.:

@echo off
C:\my_python_install\python.exe "%~dp0sniffle_extcap.py" %*

Once the plugin has been installed, restart Wireshark or choose Capture > Refresh Interfaces to enable the Sniffle interface.

As an alternative to copying files into the extcap folder, on Unix systems you can place a single symbolic link in the extcap folder pointing to a copy of the plugin script stored elsewhere:

mkdir -p ~/.config/wireshark/extcap
ln -s ~/sniffle/python_cli/sniffle_extcap.py ~/.config/wireshark/extcap

On Mac OS, Wireshark may try to use the system Python included in Xcode rather than the Python in your PATH specified by your shell profile. Thus, the Sniffle plugin may fail to show up in extcap interfaces if PySerial is not installed for the Xcode Python. To fix this, you can install PySerial for the Xcode Python as such:

cd /Applications/Xcode.app/Contents/Developer/Library/Frameworks/Python3.framework/Versions/Current/Resources/Python.app/Contents/MacOS
./Python -m ensurepip --default-pip
./Python -m pip install --user pyserial

More Repositories

1

ScoutSuite

Multi-Cloud Security Auditing Tool
Python
6,173
star
2

Scout2

Security auditing tool for AWS environments
Python
1,728
star
3

sobelow

Security-focused static analysis for the Phoenix Framework
Elixir
1,601
star
4

Winpayloads

Undetectable Windows Payload Generation
Python
1,519
star
5

demiguise

HTA encryption tool for RedTeams
Python
1,326
star
6

house

A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.
JavaScript
1,321
star
7

PMapper

A tool for quickly evaluating IAM permissions in AWS.
Python
1,279
star
8

redsnarf

RedSnarf is a pen-testing / red-teaming tool for Windows environments
PowerShell
1,182
star
9

featherduster

An automated, modular cryptanalysis tool; i.e., a Weapon of Math Destruction
Python
1,074
star
10

SocksOverRDP

Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop
C++
990
star
11

singularity

A DNS rebinding attack framework.
JavaScript
962
star
12

exploit_mitigations

Knowledge base of exploit mitigations available across numerous operating systems, architectures and applications and versions.
812
star
13

AutoRepeater

Automated HTTP Request Repeating With Burp Suite
Java
742
star
14

fuzzowski

the Network Protocol Fuzzer that we will want to use.
Python
702
star
15

aws-inventory

Discover resources created in an AWS account.
Python
690
star
16

BurpSuiteHTTPSmuggler

A Burp Suite extension to help pentesters to bypass WAFs or test their effectiveness using a number of techniques
Java
654
star
17

nmap-nse-vulnerability-scripts

NMAP Vulnerability Scanning Scripts
Lua
618
star
18

TriforceAFL

AFL/QEMU fuzzing with full-system emulation.
C
615
star
19

LoggerPlusPlus

Advanced Burp Suite Logging Extension
Java
608
star
20

nccfsas

Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team.
C
598
star
21

sadcloud

A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure
HCL
593
star
22

freddy

Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans
Java
570
star
23

phantap

Phantom Tap (PhanTap) - an ‘invisible’ network tap aimed at red teams
C
560
star
24

tracy

A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
JavaScript
549
star
25

azucar

Security auditing tool for Azure environments
PowerShell
546
star
26

VCG

VisualCodeGrepper - Code security scanning tool.
Visual Basic .NET
506
star
27

Cyber-Defence

Information released publicly by NCC Group's Cyber Incident Response Team
Python
470
star
28

autochrome

This tool downloads, installs, and configures a shiny new copy of Chromium.
HTML
431
star
29

scrying

A tool for collecting RDP, web and VNC screenshots all in one place
Rust
425
star
30

wssip

Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
JavaScript
425
star
31

blackboxprotobuf

Blackbox protobuf is a Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.
Python
380
star
32

autopwn

Specify targets and run sets of tools against them
Python
374
star
33

idahunt

idahunt is a framework to analyze binaries with IDA Pro and hunt for things in IDA Pro
Python
373
star
34

CrossSiteContentHijacking

Content hijacking proof-of-concept using Flash, PDF and Silverlight
HTML
372
star
35

Solitude

Solitude is a privacy analysis tool that enables anyone to conduct their own privacy investigations. Whether a curious novice or a more advanced researcher, Solitude makes the process of evaluating user privacy within an app accessible for everyone.
CSS
370
star
36

vlan-hopping---frogger

Easy 802.1Q VLAN Hopping
Shell
346
star
37

DriverBuddy

DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers.
Python
331
star
38

shocker

A tool to find and exploit servers vulnerable to Shellshock
Python
330
star
39

WMIcmd

A command shell wrapper using only WMI for Microsoft Windows
C#
319
star
40

acCOMplice

Tools for discovery and abuse of COM hijacks
PowerShell
272
star
41

umap

The USB host security assessment tool
Python
265
star
42

keimpx

Check for valid credentials across a network over SMB
Python
260
star
43

SusanRTTI

Another RTTI Parsing IDA plugin
Python
258
star
44

metasploitavevasion

Metasploit AV Evasion Tool
Shell
257
star
45

UPnP-Pentest-Toolkit

UPnP Pentest Toolkit for Windows
C#
244
star
46

umap2

Umap2 is the second revision of NCC Group's python based USB host security assessment tool.
Python
240
star
47

GTFOBLookup

Offline command line lookup utility for GTFOBins (https://github.com/GTFOBins/GTFOBins.github.io), LOLBAS (https://github.com/LOLBAS-Project/LOLBAS), WADComs (https://wadcoms.github.io), and HijackLibs (https://hijacklibs.net/).
Python
238
star
48

G-Scout

Google Cloud Platform Security Tool
Python
232
star
49

asatools

Main repository to pull all NCC Group Cisco ASA-related tool projects.
Shell
220
star
50

cisco-SNMP-enumeration

Automated Cisco SNMP Enumeration, Brute Force, Configuration Download and Password Cracking
Shell
216
star
51

depthcharge

A U-Boot hacking toolkit for security researchers and tinkerers
Python
212
star
52

thetick

A simple embedded Linux backdoor.
Python
195
star
53

AWS-recipes

A number of Recipes for AWS
Python
195
star
54

kube-auto-analyzer

Kubernetes Auto Analyzer
HTML
192
star
55

TPMGenie

TPM Genie is an I2C bus interposer for discrete Trusted Platform Modules
C++
189
star
56

BinProxy

BinProxy is a proxy for arbitrary TCP connections. You can define custom message formats using the BinData gem.
Ruby
172
star
57

DetectWindowsCopyOnWriteForAPI

Enumerate various traits from Windows processes as an aid to threat hunting
C++
168
star
58

TriforceLinuxSyscallFuzzer

A linux system call fuzzer using TriforceAFL
C
167
star
59

BKScan

BlueKeep scanner supporting NLA
Shell
167
star
60

pybeacon

A collection of scripts for dealing with Cobalt Strike beacons in Python
Python
167
star
61

typofinder

A finder of domain typos showing country of IP address
Python
166
star
62

BLESuite

BLESuite is a Python package that provides an easier way to test Bluetooth Low Energy (BLE) device
Python
165
star
63

tcpprox

A small command-line TCP proxy utility written in Python
Python
156
star
64

libslub

Python
155
star
65

LazyDroid

bash script to facilitate some aspects of an Android application assessment
Shell
151
star
66

chuckle

An automated SMB relay exploitation script.
Shell
151
star
67

requests-racer

Small Python library that makes it easy to exploit race conditions in web apps with Requests.
Python
150
star
68

whalescan

Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container
Python
143
star
69

gitpwnd

GitPwnd is a network penetration tool that lets you use a git repo for command and control of compromised machines
Python
139
star
70

CollaboratorPlusPlus

Java
139
star
71

Carnivore

Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
C#
139
star
72

Change-Lockscreen

Offensive tool to trigger network authentications as SYSTEM
C#
134
star
73

Decoder-Improved

Improved decoder for Burp Suite
Java
134
star
74

Wubes

Qubes containerization on Windows
Python
131
star
75

OutlookLeakTest

The Outlook HTML Leak Test Project
C#
131
star
76

port-scan-automation

Automate NMAP Scans and Generate Custom Nessus Policies Automatically
Shell
128
star
77

Hodor

Hodor! Fuzzer..
Python
126
star
78

Zulu

The Zulu fuzzer
Python
125
star
79

WinShareEnum

Windows Share Enumerator
C#
121
star
80

memscan

Searches for strings, regex, credit card numbers of magnetic stripe card tracks in a Windows process's memory space
C#
120
star
81

ebpf

eBPF - extended Berkeley Packet Filter tooling
Python
116
star
82

cq

Python
115
star
83

argumentinjectionhammer

A Burp Extension designed to identify argument injection vulnerabilities.
Python
114
star
84

DroppedConnection

Python
113
star
85

SCOMDecrypt

SCOMDecrypt is a tool to decrypt stored RunAs credentials from SCOM servers
C#
112
star
86

GOATCasino

This is an intentionally vulnerable smart contract truffle deployment aimed at allowing those interested in smart contract security to exploit a wide variety of issues in a safe environment.
JavaScript
112
star
87

OneLogicalMyth_Shell

A HTA shell to assist with breakout assessments.
HTML
111
star
88

BLE-Replay

BLE-Replay is a Bluetooth Low Energy (BLE) peripheral assessment tool
Python
110
star
89

ccs

Python
107
star
90

web3-decoder

Python
106
star
91

WindowsDACLEnumProject

A collection of tools to enumerate and analyse Windows DACLs
C++
105
star
92

DIBF

Windows NT ioctl bruteforcer and modular fuzzer
C++
103
star
93

raccoon

Salesforce object access auditor
Python
103
star
94

go-pillage-registries

Pentester-focused Docker registry tool to enumerate and pull images
Go
103
star
95

cloud_ip_ranges

Identify IP addresses owned by public cloud providers
Python
101
star
96

DatajackProxy

Datajack Proxy allows you to intercept TLS traffic in native x86 applications across platforms
JavaScript
100
star
97

pcap-burp

Pcap importer for Burp
Java
100
star
98

jwt-reauth

Java
100
star
99

KilledProcessCanary

A canary designed to minimize the impact from certain Ransomware actors
C#
99
star
100

Berserko

Burp Suite extension to perform Kerberos authentication
Java
99
star