Awesome Hacking

Awesome hacking is a curated list of hacking tools for hackers, pentesters and security researchers. Its goal is to collect, classify and make awesome tools easy for people to find, creating a toolset you can check out and update with one command.

This is not only a curated list, it is also a complete and updated toolset you can download with one command!

You can download all the tools with the following command:

git clone --recursive https://github.com/jekil/awesome-hacking.git

To update it, pull the list and then update the submodules that track the tools (a plain git pull only moves the recorded submodule commits; it does not check out the new tool versions):

git pull
git submodule update --init --recursive
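The distinction above is easy to demonstrate. The script below is an added example, not part of the awesome-hacking README: it builds throwaway local repositories (a "tool" tracked as a submodule of a "list"), clones the list the way the README suggests, publishes a new tool version upstream, and shows that git pull alone leaves the tool checkout stale while git submodule update --init --recursive brings it current. It assumes only git and a POSIX shell and works entirely inside a temporary directory.

```sh
#!/bin/sh
# Added example (not part of awesome-hacking): why "git pull" alone does not
# refresh tools tracked as git submodules. Everything is constructed locally.
set -eu

WORK=$(mktemp -d)
export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
# Newer git refuses file:// submodule transports unless explicitly allowed.
G="git -c protocol.file.allow=always -c init.defaultBranch=main"

# Upstream "tool" repo: what the submodule points at.
$G init -q "$WORK/tool"
echo "v1" > "$WORK/tool/VERSION"
git -C "$WORK/tool" add VERSION
git -C "$WORK/tool" commit -qm "tool v1"

# Upstream "list" repo: the curated list, tracking the tool as a submodule.
$G init -q "$WORK/list"
$G -C "$WORK/list" submodule add -q "$WORK/tool" tools/tool
git -C "$WORK/list" commit -qm "add tool"

# The user's clone, fetched with --recursive as the README recommends.
$G clone -q --recursive "$WORK/list" "$WORK/clone"

# Upstream ships tool v2 and bumps the submodule pointer in the list.
echo "v2" > "$WORK/tool/VERSION"
git -C "$WORK/tool" commit -qam "tool v2"
git -C "$WORK/list/tools/tool" fetch -q origin
git -C "$WORK/list/tools/tool" checkout -q --detach FETCH_HEAD
git -C "$WORK/list" commit -qam "bump tool to v2"

# Version of the tool currently checked out in the user's clone.
tool_version() { cat "$WORK/clone/tools/tool/VERSION"; }

# Plain pull: the list and its recorded submodule commit move forward,
# but the submodule working tree stays at the old checkout.
git -C "$WORK/clone" pull -q
AFTER_PULL=$(tool_version)

# Submodule update: checks out the commit the list now records.
$G -C "$WORK/clone" submodule update -q --init --recursive
AFTER_UPDATE=$(tool_version)

echo "tool after git pull: $AFTER_PULL"        # stale
echo "tool after submodule update: $AFTER_UPDATE"  # current
rm -rf "$WORK"
```

Run it with sh; the two printed lines differ (v1 versus v2), which is exactly the gap a one-line git pull leaves in a submodule-based toolset.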

Every kind of contribution is really appreciated! See the contributing guide.

If you enjoy this work, please keep it alive by contributing or just sharing it! - @jekil

CTF Tools

  • CTFd - CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.

  • CTForge - The framework developed by the hacking team from the University of Venice to easily host jeopardy and attack-defense CTF security competitions. It provides the software components for running the game, namely the website and the checkbot (optional).

  • FBCTF - Platform to host Capture the Flag competitions.

  • LibreCTF - CTF in a box. Minimal setup required.

  • Mellivora - A CTF engine written in PHP.

  • NightShade - A simple security CTF framework.

  • OneGadget - A tool to easily find one-gadget RCE addresses in libc.so.6.

  • Pwntools - CTF framework and exploit development library.

  • Scorebot - Platform for CTFs by Legitbs (Defcon).

  • V0lt - Security CTF Toolkit.

Code Auditing

Static Analysis

  • Brakeman - A static analysis security vulnerability scanner for Ruby on Rails applications.

  • Dr. Taint - A very WIP DynamoRIO module built on the Dr. Memory Framework to implement taint analysis on ARM.

  • ShellCheck - A static analysis tool for shell scripts.

Cryptography

  • FeatherDuster - An automated, modular cryptanalysis tool.

  • RSATool - Generate an RSA private key from knowledge of p and q.

  • Xortool - A tool to analyze multi-byte XOR ciphers.

Docker

  • DVWA - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.

  • Docker Bench for Security - The Docker Bench for Security checks for all the automatable tests in the CIS Docker 1.6 Benchmark.

  • Kali Linux - This Kali Linux Docker image provides a minimal base install of the latest version of the Kali Linux Rolling Distribution.

  • Metasploit - Metasploit Framework penetration testing software (unofficial docker).

  • OWASP Juice Shop - An intentionally insecure webapp for security trainings written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws.

  • OWASP Mutillidae II - OWASP Mutillidae II Web Pen-Test Practice Application.

  • OWASP NodeGoat - An environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

  • OWASP Railsgoat - A vulnerable version of Rails that follows the OWASP Top 10.

  • OWASP Security Shepherd - A web and mobile application security training platform.

  • OWASP WebGoat - A deliberately insecure Web Application.

  • OWASP ZAP - Current stable OWASP Zed Attack Proxy release in an embedded Docker container.

  • Security Ninjas - An Open Source Application Security Training Program.

  • SpamScope - SpamScope (Fast Advanced Spam Analysis Tool) with Elasticsearch.

  • Vulnerability as a service: Heartbleed - Vulnerability as a Service: CVE-2014-0160.

  • Vulnerability as a service: Shellshock - Vulnerability as a Service: CVE-2014-6271.

  • Vulnerable WordPress Installation - Vulnerable WordPress Installation.

  • WPScan - WPScan is a black box WordPress vulnerability scanner.

Forensics

File Forensics

  • Autopsy - A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.

  • DFF - A Forensics Framework coming with command line and graphical interfaces. DFF can be used to investigate hard drives and volatile memory and create reports about user and system activities.

  • Docker Explorer - A tool to help analyse offline Docker acquisitions.

  • Hadoop_framework - A prototype system that uses Hadoop to process hard drive images.

  • OSXCollector - A forensic evidence collection & analysis toolkit for OS X.

  • RegRipper3.0 - Alternative to RegRipper.

  • RegRippy - A framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3.

  • Scalpel - An open source data carving tool.

  • Shellbags - Investigate NTUSER.dat files.

  • SlackPirate - Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace.

  • Sleuthkit - A library and collection of command line digital forensics tools.

  • Telegram-extractor - Python3 scripts to analyse the data stored in Telegram.

  • Truehunter - The goal of Truehunter is to detect encrypted containers using a fast and memory efficient approach without any external dependencies for ease of portability.

Incident Response

  • Hunter - A threat hunting / data analysis environment based on Python, Pandas, PySpark and Jupyter Notebook.

  • Loki - Simple IOC and Incident Response Scanner.

  • Panorama - Generates a wide-ranging report about Windows systems; supported and tested on Windows XP SP2 and up.

  • Snoopdigg - Simple utility to ease the process of collecting evidence to find infections.

Live Analysis

  • OS X Auditor - OS X Auditor is a free Mac OS X computer forensics tool.

  • Windows-event-forwarding - A repository for using Windows Event Forwarding for incident detection and response.

Memory Forensics

  • Rekall - Memory analysis framework developed by Google.

  • Volatility - Extract digital artifacts from volatile memory (RAM) samples.

Misc

  • Diffy - A digital forensics and incident response (DFIR) tool developed by Netflix’s Security Intelligence and Response Team (SIRT). Allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions.

  • HxD - A hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size.

  • Libfvde - Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes.

  • Mass_archive - A basic tool for pushing a web page to multiple archiving services at once.

Mobile

  • Android Forensic Toolkit - Allows you to extract SMS records, call history, photos, browsing history, and passwords from an Android phone.

  • Android backup extractor - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.

  • Mem - Tool used for dumping memory from Android devices.

  • Snoopdroid - Extract packages from an Android device.

  • WhatsApp Media Decrypt - Decrypt WhatsApp encrypted media files.

  • iLEAPP - iOS Logs, Events, And Plist Parser.

  • iOSbackup - A Python 3 class that reads and extracts files from a password-encrypted iOS backup created by iTunes on Mac and Windows. Compatible with iOS 13.

Network Forensics

  • Dnslog - Minimalistic DNS logging tool.

  • Dshell - A network forensic analysis framework.

  • Passivedns - A network sniffer that logs all DNS server replies for use in a passive DNS setup.

  • Website Evidence Collector - Website Evidence Collector (WEC) automates the collection of evidence about how a website stores and transfers personal data.

Hardware Hacking

Computer

  • Kbd-audio - Tools for capturing and analysing keyboard input paired with microphone capture.

  • LimeSDR-Mini - The LimeSDR-Mini board provides a hardware platform for developing and prototyping high-performance and logic-intensive digital and RF designs using Altera’s MAX10 FPGA and Lime Microsystems transceiver.

  • NSA-B-GONE - Thinkpad X220 board that disconnects the webcam and microphone data lines.

Intelligence

  • Attackintel - A python script to query the MITRE ATT&CK API for tactics, techniques, mitigations, & detection methods for specific threat groups.

  • IntelOwl - Analyze files, domains, IPs in multiple ways from a single API at scale.

  • MISP-maltego - Set of Maltego transforms to interface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.

  • Shodan-seeker - Command-line tool using Shodan API. Generates and downloads CSV results, diffing of historic scanning results, alerts and monitoring of specific ports/IPs, etc.

  • VIA4CVE - An aggregator of known vendor vulnerability databases to support the expansion of CVE information.

  • Yeti - Your Everyday Threat Intelligence.

  • n6 - Automated handling of data feeds for security teams.

Library

C

  • Libdnet - Provides a simplified, portable interface to several low-level networking routines, including network address manipulation, kernel arp cache and route table lookup and manipulation, network firewalling, network interface lookup and manipulation, IP tunnelling, and raw IP packet and Ethernet frame transmission.

Go

  • Garble - Obfuscate Go builds.

Java

Python

  • Amodem - Audio MODEM Communication Library in Python.

  • Dpkt - Fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols.

  • Pcapy - A Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.

  • Plyara - Parse YARA rules and operate over them more easily.

  • PyBFD - Python interface to the GNU Binary File Descriptor (BFD) library.

  • PyPDF2 - A utility to read and write PDFs with Python.

  • Pynids - A python wrapper for libnids, a Network Intrusion Detection System library offering sniffing, IP defragmentation, TCP stream reassembly and TCP port scan detection. Let your own python routines examine network conversations.

  • Pypcap - This is a simplified object-oriented Python wrapper for libpcap.

  • Pyprotect - A lightweight python code protector, makes your python project harder to reverse engineer.

  • Python-idb - Pure Python parser and analyzer for IDA Pro database files (.idb).

  • Python-ptrace - Python binding of ptrace library.

  • RDPY - RDPY is a pure Python implementation of the Microsoft Remote Desktop Protocol (RDP), client and server side.

  • Scapy - A python-based interactive packet manipulation program & library.

Ruby

Live CD - Distributions

  • Android Tamer - Virtual / Live Platform for Android Security professionals.

  • ArchStrike - An Arch Linux repository for security professionals and enthusiasts.

  • BOSSLive - An Indian GNU/Linux distribution developed by CDAC and customized to suit India's digital environment. It supports most of the Indian languages.

  • BackBox - Ubuntu-based distribution for penetration tests and security assessments.

  • BlackArch - Arch Linux-based distribution for penetration testers and security researchers.

  • DEFT Linux - Suite dedicated to incident response and digital forensics.

  • Fedora Security Lab - A safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.

  • Kali - A Linux distribution designed for digital forensics and penetration testing.

  • NST - Network Security Toolkit distribution.

  • Ophcrack - A free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.

  • Parrot - Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.

  • Pentoo - Security-focused livecd based on Gentoo.

  • REMnux - Toolkit for assisting malware analysts with reverse-engineering malicious software.

Malware

Dynamic Analysis

  • Androguard - Reverse engineering, Malware and goodware analysis of Android applications.

  • CAPEv2 - Malware Configuration And Payload Extraction.

  • Cuckoo Sandbox - An automated dynamic malware analysis system.

  • CuckooDroid - Automated Android Malware Analysis with Cuckoo Sandbox.

  • DECAF - Dynamic Executable Code Analysis Framework, a binary analysis platform based on QEMU.

  • DRAKVUF Sandbox - DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.

  • DroidBox - Dynamic analysis of Android apps.

  • Hooker - An opensource project for dynamic analyses of Android applications.

  • Jsunpack-n - Emulates browser functionality when visiting a URL.

  • LiSa - Sandbox for automated Linux malware analysis.

  • Magento-malware-scanner - A collection of rules and samples to detect Magento malware.

  • Malzilla - Web pages that contain exploits often use a series of redirects and obfuscated code to make them more difficult to follow. MalZilla is a useful program for exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of web pages and all the HTTP headers. It also gives you various decoders to try to deobfuscate JavaScript.

  • Panda - Platform for Architecture-Neutral Dynamic Analysis.

  • ProbeDroid - A dynamic binary instrumentation kit targeting Android 5.0 (Lollipop) and above.

  • PyEMU - Fully scriptable IA-32 emulator, useful for malware analysis.

  • PyWinSandbox - Python Windows Sandbox library. Create a new Windows Sandbox machine, control it with a simple RPyC interface.

  • Pyrebox - Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU.

  • Qiling - Advanced Binary Emulation framework.

  • Speakeasy - A portable, modular, binary emulator designed to emulate Windows kernel and user mode malware.

  • Uitkyk - Runtime memory analysis framework to identify Android malware.

  • WScript Emulator - Emulator/tracer of the Windows Script Host functionality.

Honeypot

  • Amun - Amun was the first python-based low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.

  • Basic-auth-pot - HTTP Basic Authentication honeyPot.

  • Bluepot - Bluetooth Honeypot.

  • CitrixHoneypot - Detect and log CVE-2019-19781 scan and exploitation attempts.

  • Conpot - ICS/SCADA honeypot.

  • Cowrie - SSH honeypot, based on Kippo.

  • Dionaea - Honeypot designed to trap malware.

  • Django-admin-honeypot - A fake Django admin login screen to log and notify admins of attempted unauthorized access.

  • ESPot - An Elasticsearch honeypot written in NodeJS, to capture every attempt to exploit CVE-2014-3120.

  • Elastichoney - A Simple Elasticsearch Honeypot.

  • Endlessh - An SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.

  • Glastopf - Web Application Honeypot.

  • Glutton - All eating honeypot.

  • HFish - A cross-platform honeypot platform written in Go, built for enterprise security.

  • Heralding - Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot! Currently the following protocols are supported: ftp, telnet, ssh, rdp, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql and socks5.

  • HonTel - A Honeypot for Telnet service. Basically, it is a Python v2.x application emulating the service inside the chroot environment. Originally it has been designed to be run inside the Ubuntu/Debian environment, though it could be easily adapted to run inside any Linux environment.

  • HoneyPy - A low to medium interaction honeypot.

  • HoneyTrap - Advanced Honeypot framework.

  • Honeyd - Create a virtual honeynet.

  • Honeypot - Low interaction honeypot that displays real time attacks.

  • Honeything - A honeypot for TR-069 Internet of Things devices. It is designed to act as a complete modem/router with an embedded RomPager web server that supports the TR-069 (CWMP) protocol.

  • HonnyPotter - A WordPress login honeypot for collection and analysis of failed login attempts.

  • Kippo - A medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.

  • Kippo-graph - Visualize statistics from a Kippo SSH honeypot.

  • MHN - Multi-snort and honeypot sensor management, uses a network of VMs, small footprint SNORT installations, stealthy dionaeas, and a centralized server for management.

  • MTPot - Open Source Telnet Honeypot.

  • Maildb - Python Web App to Parse and Track Email and http Pcap Files.

  • Mailoney - An SMTP Honeypot I wrote just to have fun learning Python.

  • Mnemosyne - A normalizer for honeypot data; supports Dionaea.

  • MongoDB-HoneyProxy - A honeypot proxy for mongodb. When run, this will proxy and log all traffic to a dummy mongodb server.

  • MysqlPot - A mysql honeypot, still very very early stage.

  • NoSQLPot - The NoSQL Honeypot Framework.

  • Nodepot - A nodejs web application honeypot.

  • OWASP-Honeypot - Open source Python software designed for creating honeypots and honeynets in an easy and secure way.

  • OpenCanary - A daemon that runs several canary versions of services that alerts when a service is (ab)used.

  • Phoneyc - Pure Python honeyclient implementation.

  • Phpmyadmin_honeypot - A simple and effective phpMyAdmin honeypot.

  • Servletpot - Web application Honeypot.

  • Shadow Daemon - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps.

  • Shiva - Spam Honeypot with Intelligent Virtual Analyzer, an open but controlled relay spam honeypot (SpamPot) built on top of the Lamson Python framework, capable of collecting and analyzing all spam thrown at it.

  • Smart-honeypot - PHP Script demonstrating a smart honey pot.

  • Snare - Super Next generation Advanced Reactive honEypot.

  • SpamScope - Fast Advanced Spam Analysis Tool.

  • StrutsHoneypot - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.

  • T-Pot - The All In One Honeypot Platform.

  • Tango - Honeypot Intelligence with Splunk.

  • Tanner - A remote data analysis and classification service that evaluates HTTP requests and composes the responses then served by SNARE. TANNER uses multiple application vulnerability type emulation techniques when providing responses for SNARE. In addition, TANNER provides dorks for SNARE, powering its luring capabilities.

  • Thug - Low interaction honeyclient, for investigating malicious websites.

  • Twisted-honeypots - SSH, FTP and Telnet honeypots based on Twisted.

  • Wetland - A high interaction SSH honeypot.

  • Wordpot - A WordPress Honeypot.

  • Wp-smart-honeypot - WordPress plugin to reduce comment spam with a smarter honeypot.

Intelligence

  • MISP Modules - Modules for expansion services, import and export in MISP.

  • Passivedns-client - Provides a library and a query tool for querying several passive DNS providers.

  • Rt2jira - Convert RT tickets to JIRA tickets.

Ops

  • Al-khaser - Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.

  • BASS - BASS Automated Signature Synthesizer.

  • CSCGuard - Protects and logs suspicious and malicious usage of .NET CSC.exe and Runtime C# Compilation.

  • CapTipper - A python tool to analyze, explore and revive HTTP malicious traffic.

  • FLARE - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.

  • FakeNet-NG - A next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows.

  • Google-play-crawler - A simple Java tool for searching for Android applications on Google Play and downloading them.

  • Googleplay-api - An unofficial Python API that lets you search, browse and download Android apps from Google Play (formerly Android Market).

  • Grimd - Fast DNS proxy that can run anywhere, built to black-hole internet advertisements and malware servers.

  • Hidden - Windows driver with a usermode interface which can hide file-system and registry objects, protect processes, etc.

  • ImaginaryC2 - A Python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts an HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.

  • Irma - IRMA is an asynchronous & customizable analysis system for suspicious files.

  • KLara - A project aimed at helping threat intelligence researchers hunt for new malware using YARA.

  • Kraken - Cross-platform Yara scanner written in Go.

  • Malboxes - Builds malware analysis Windows VMs so that you don’t have to.

  • Mquery - YARA malware query accelerator (web frontend).

  • Node-appland - NodeJS tool to download APKs from appland.

  • Node-aptoide - NodeJS to download APKs from aptoide.

  • Node-google-play - Call Google Play APIs from Node.

  • Pafish - A demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

Source Code

  • Android-malware - Collection of android malware samples.

  • AsyncRAT-C-Sharp - Open-source Remote Administration Tool (RAT) for Windows, written in C#.

  • BYOB - An open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.

  • BlackHole - C# RAT (Remote Administration Tool).

  • Carberp - Carberp leaked source code.

  • Fancybear - Fancy Bear Source Code.

  • LOLBAS - Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts).

  • Mirai - Leaked Mirai Source Code for Research/IoC Development Purposes.

  • Morris Worm - The original Morris Worm source code.

  • SvcHostDemo - Demo service that runs in svchost.exe.

  • TinyNuke - Zeus-style banking trojan.

  • Zerokit - Zerokit/GAPZ rootkit (non buildable and only for researching).

  • Zeus - Zeus version 2.0.8.9, leaked in 2011.

Static Analysis

  • APKinspector - A powerful GUI tool for analysts to analyze the Android applications.

  • Androwarn - Detect and warn the user about potential malicious behaviours developed by an Android application.

  • ApkAnalyser - A static, virtual analysis tool for examining and validating the development work of your Android app.

  • Argus-SAF - Argus static analysis framework.

  • CAPA - The FLARE team’s open-source tool to identify capabilities in executable files.

  • CFGScanDroid - Control Flow Graph Scanning for Android.

  • ConDroid - Symbolic/concolic execution of Android apps.

  • DroidLegacy - Static analysis scripts.

  • FSquaDRA - Fast detection of repackaged Android applications based on the comparison of resource files included into the package.

  • Floss - FireEye Labs Obfuscated String Solver. Automatically extract obfuscated strings from malware.

  • Inspeckage - Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more.

  • Maldrolyzer - Simple framework to extract “actionable” data from Android malware (C&Cs, phone numbers, etc).

  • PEfile - Read and work with Portable Executable (aka PE) files.

  • PEview - A quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.

  • PScout - Analyzing the Android Permission Specification.

  • Pdfminer - A tool for extracting information from PDF documents.

  • Peepdf - A Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to do all the tasks.

  • Quark-engine - A trustworthy, practical tool that's ready to boost your malware reverse engineering.

  • Smali-CFGs - Smali control flow graphs.

  • SmaliSCA - Smali Static Code Analysis.

  • Sysinternals Suite - The Sysinternals Troubleshooting Utilities.

  • Yara - Identify and classify malware samples.

Network

Analysis

  • Bro - A powerful network analysis framework that is much different from the typical IDS you may know.

  • Fatt - A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.

  • Nidan - An active network monitor tool.

  • Pytbull - A python based flexible IDS/IPS testing framework.

  • Sguil - Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil’s main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures.

  • Winshark - A wireshark plugin to instrument ETW.

Fake Services

  • DNSChef - DNS proxy for Penetration Testers and Malware Analysts.

  • DnsRedir - A small DNS server that will respond to certain queries with addresses provided on the command line.

Packet Manipulation

  • Pig - A Linux packet crafting tool.

  • Yersinia - A network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing the deployed networks and systems.

Sniffer

  • Cloud-pcap - Web PCAP storage and analytics.

  • Dnscap - Network capture utility designed specifically for DNS traffic.

  • Dsniff - A collection of tools for network auditing and pentesting.

  • Justniffer - Just A Network TCP Packet Sniffer. Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all “intercepted” files from the HTTP traffic.

  • Moloch - Moloch is an open source large scale full PCAP capturing, indexing and database system.

  • Net-creds - Sniffs sensitive data from interface or pcap.

  • Netsniff-ng - A Swiss army knife for your daily Linux network plumbing.

  • NetworkMiner - A Network Forensic Analysis Tool (NFAT).

  • OpenFPC - OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder and buffering tool. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.

  • Openli - Open Source ETSI compliant Lawful Intercept software.

  • PF_RING - PF_RING™ is a Linux kernel module and user-space framework that allows you to process packets at high-rates while providing you a consistent API for packet processing applications.

  • Termshark - A terminal UI for tshark, inspired by Wireshark.

  • WebPcap - A web-based packet analyzer (client/server architecture). Useful for analyzing distributed applications or embedded devices.

  • Wireshark - A free and open-source packet analyzer.

Penetration Testing

DoS

  • DHCPig - DHCP exhaustion script written in python using scapy network library.

  • LOIC - Low Orbit Ion Cannon - An open source network stress tool, written in C#. Based on Praetox’s LOIC project.

  • Memcrashed - DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API.

  • Sockstress - Sockstress (TCP DoS) implementation.

  • T50 - A fast network stress tool.

  • Torshammer - Tor's hammer. Slow POST DDoS tool written in Python.

  • UFONet - Abuses OSI Layer 7 (HTTP) to create/manage 'zombies' and to conduct different attacks using GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.

Exploiting

  • AttackSurfaceAnalyzer - Attack Surface Analyzer can help you analyze your operating system’s security configuration for changes during software installation.

  • Bashfuscator - A fully configurable and extendable Bash obfuscation framework. This tool is intended to help both red team and blue team.

  • BeEF - The Browser Exploitation Framework Project.

  • BugId - Detect, analyze and uniquely identify crashes in Windows applications.

  • CCAT - Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.

  • Commix - Automated All-in-One OS Command Injection and Exploitation Tool.

  • DLLInjector - Inject dlls in processes.

  • DefenderCheck - Identifies the bytes that Microsoft Defender flags on.

  • Donut - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.

  • Drupwn - Drupal enumeration & exploitation tool.

  • EfiGuard - Disable PatchGuard and DSE at boot time.

  • Evilgrade - The update exploitation framework.

  • Exe2hex - Inline file transfer using in-built Windows tools (DEBUG.exe or PowerShell).

  • Fathomless - A collection of different programs for network red teaming.

  • Gorsair - Gorsair hacks its way into remote docker containers that expose their APIs.

  • Kube-hunter - Hunt for security weaknesses in Kubernetes clusters.

  • LAVA - Large-scale Automated Vulnerability Addition.

  • Linux Exploit Suggester - Linux Exploit Suggester; based on operating system release number.

  • Linux-exploit-suggester - Linux privilege escalation auditing tool.

  • Macrome - Excel Macro Document Reader/Writer for Red Teamers & Analysts.

  • Metasploit Framework - Exploitation framework.

  • MeterSSH - A way to take shellcode, inject it into memory, then tunnel whatever port you want over SSH to mask any type of communication as a normal SSH connection. It works by injecting shellcode into memory, then wrapping a port spawned by the shellcode (meterpreter in this case) over SSH back to the attacker's machine. Connecting meterpreter's listener to localhost then communicates through the SSH proxy to the victim over the SSH tunnel. All communications are relayed through the SSH tunnel and not directly over the network.

  • Nessus - Vulnerability, configuration, and compliance assessment.

  • Nexpose - Vulnerability Management & Risk Management Software.

  • Nishang - Offensive PowerShell for red team, penetration testing and offensive security.

  • OpenVAS - Open Source vulnerability scanner and manager.

  • PSKernel-Primitives - Exploit primitives for PowerShell.

  • Peirates - A Kubernetes penetration tool, enables an attacker to escalate privilege and pivot through a Kubernetes cluster. It automates known techniques to steal and collect service accounts, obtain further code execution, and gain control of the cluster.

  • PowerSploit - A PowerShell Post-Exploitation Framework.

  • ROP Gadget - Framework for ROP exploitation.

  • Routersploit - Automated penetration testing software for router.

  • Rupture - A framework for BREACH and other compression-based crypto attacks.

  • SPARTA - Network Infrastructure Penetration Testing Tool.

  • Shark - Turn off PatchGuard in real time for win7 (7600) ~ win10 (18950).

  • SharpBlock - A method of bypassing EDRs' active protection DLLs by preventing entry point execution.

  • SharpShooter - Payload Generation Framework.

  • ShellcodeCompiler - A program that compiles C/C++ style code into a small, position-independent and NULL-free shellcode for Windows (x86 and x64) and Linux (x86 and x64). It is possible to call any Windows API function or Linux syscall in a user-friendly way.

  • Shellen - Interactive shellcoding environment to easily craft shellcodes.

  • Shellsploit - Lets you generate customized shellcodes, backdoors and injectors for various operating systems, and lets you obfuscate every byte via encoders.

  • Spoodle - A mass subdomain + POODLE vulnerability scanner.

  • SysWhispers - AV/EDR evasion via direct system calls.

  • Unicorn - Unicorn is a simple tool for using a PowerShell downgrade attack and injecting shellcode straight into memory. Based on Matthew Graeber's PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

  • Veil Framework - A tool designed to generate Metasploit payloads that bypass common anti-virus solutions.

  • Vuls - Vulnerability scanner for Linux/FreeBSD, agentless, written in Go.

  • Windows Exploit Suggester - Detects potential missing patches on the target.

  • Ysoserial.net - Deserialization payload generator for a variety of .NET formatters.

  • Zarp - Network Attack Tool.

Exploits

  • Apache-uaf - Apache use after free bug infos / ASAN stack traces.

  • BlueGate - PoC (DoS + scanner) for CVE-2020-0609 & CVE-2020-0610 - RD Gateway RCE.

  • Bluedroid - PoCs of Vulnerabilities on Bluedroid.

  • Broadpwn - Broadpwn bug (CVE-2017-9417).

  • CVE-2018-8120 - CVE-2018-8120.

  • CVE-2018-8897 - Implements the POP/MOV SS (CVE-2018-8897) vulnerability by bugchecking the machine (local DoS).

  • CVE-2019-0604 - cve-2019-0604 SharePoint RCE exploit.

  • CVE-2019-18935 - RCE exploit for a .NET deserialization vulnerability in Telerik UI for ASP.NET AJAX.

  • CVE-2019-6453 - Proof of calc for CVE-2019-6453 (mIRC exploit).

  • CVE-2020-10560 - OSSN Arbitrary File Read.

  • CVE-2020-11651 - PoC for CVE-2020-11651.

  • CVE-2020-1301 - PoC exploit for the SMBLost vulnerability (CVE-2020-1301).

  • CVE-2020-1472 - Exploit Code for CVE-2020-1472 aka Zerologon.

  • CVE-2020-1472_2 - PoC for Zerologon.

  • Chakra-2016-11 - Proof-of-Concept exploit for Edge bugs (CVE-2016-7200 & CVE-2016-7201).

  • Chimay-Red - Working POC of Mikrotik exploit from Vault 7 CIA Leaks.

  • Desharialize - Easy mode to exploit CVE-2019-0604 (SharePoint XML Deserialization Unauthenticated RCE).

  • ES File Explorer Open Port Vulnerability - ES File Explorer Open Port Vulnerability - CVE-2019-6447.

  • HolicPOC - CVE-2015-2546, CVE-2016-0165, CVE-2016-0167, CVE-2017-0101, CVE-2017-0263, CVE-2018-8120.

  • Jira-Scan - Jira scanner for CVE-2017-9506.

  • Kernel Exploits - Various kernel exploits.

  • MS17-010 - Exploits for MS17-010.

  • Qemu-vm-escape - This is an exploit for CVE-2019-6778, a heap buffer overflow in slirp:tcp_emu().

  • Ruby-advisory-db - A database of vulnerable Ruby Gems.

  • The Exploit Database - The official Exploit Database repository.

  • Tpwn - XNU local privilege escalation via cve-2015-???? & cve-2015-???? for 10.10.5, 0day at the time.

  • XiphosResearch Exploits - Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.

  • cve-2020-1054 - LPE for CVE-2020-1054 targeting Windows 7 x64.

Fuzzing

  • AFL++ - AFL 2.56b with community patches, AFLfast power schedules, qemu 3.1 upgrade + laf-intel support, MOpt mutators, InsTrim instrumentation, unicorn_mode, Redqueen and a lot more.

  • AndroFuzz - A fuzzing utility for Android that focuses on reporting and delivery portions of the fuzzing process.

  • Boofuzz - A fork and successor of the Sulley Fuzzing Framework.

  • Construct - Declarative data structures for Python that allow symmetric parsing and building.

  • Deepstate - A unit test-like interface for fuzzing and symbolic execution.

  • Driller - Augmenting AFL with symbolic execution.

  • Eclipser - Grey-box Concolic Testing on Binary Code.

  • Frankenstein - Broadcom and Cypress firmware emulation for fuzzing and further full-stack debugging.

  • Fusil - A Python library used to write fuzzing programs. It helps to start a process with a prepared environment (limited memory, environment variables, redirected stdout, etc.), start a network client or server, and create mangled files.

  • Fuzzbox - A multi-codec media fuzzing tool.

  • Fuzzlyn - Fuzzer for the .NET toolchains, utilizes Roslyn to generate random C# programs.

  • Fuzzotron - A TCP/UDP based network daemon fuzzer.

  • Honggfuzz - Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw).

  • InsTrim - Lightweight Instrumentation for Coverage-guided Fuzzing.

  • KleeFL - Seeding Fuzzers With Symbolic Execution.

  • MFFA - Media Fuzzing Framework for Android.

  • Melkor-android - An Android port of the melkor ELF fuzzer.

  • Netzob - Netzob is an opensource tool for reverse engineering, traffic generation and fuzzing of communication protocols.

  • Neuzz - A neural-network-assisted fuzzer.

  • OneFuzz - Project OneFuzz enables continuous developer-driven fuzzing to proactively harden software prior to release. With a single command, which can be baked into CI/CD, developers can launch fuzz jobs from a few virtual machines to thousands of cores.

  • Python-AFL - American fuzzy lop fork server and instrumentation for pure-Python code.

  • RPCForge - Windows RPC Python fuzzer.

  • Radamsa-android - An Android port of radamsa fuzzer.

  • Razzer - A Kernel fuzzer focusing on race bugs.

  • Retrowrite - Retrofitting compiler passes through binary rewriting.

  • SecLists - A collection of multiple types of lists used during security assessments.

  • Sienna-locomotive - A user-friendly fuzzing and crash triage tool for Windows.

  • Sulley - Fuzzer development and fuzz testing framework consisting of multiple extensible components.

  • T-Fuzz - A fuzzing tool based on program transformation.

  • TAOF - The Art of Fuzzing, including ProxyFuzz, a man-in-the-middle non-deterministic network fuzzer.

  • Unicorefuzz - Fuzzing the Kernel Using Unicornafl and AFL++.

  • Unicornafl - Unicorn CPU emulator framework (ARM, AArch64, M68K, Mips, Sparc, X86) adapted to afl++.

  • VUzzer - This project depends heavily on a modified version of DataTracker, which in turn depends on the LibDFT pintool. It has some extra tags added in libdft.

  • Vfuzz - I don't claim superiority over other engines in performance or efficiency out of the box, but this does implement some features that I felt were lacking elsewhere.

  • Winafl - A fork of AFL for fuzzing Windows binaries.

  • Winafl_inmemory - WINAFL for blackbox in-memory fuzzing (PIN).

  • Windows IPC Fuzzing Tools - A collection of tools used to attack applications that use Windows Interprocess Communication mechanisms.

  • Zulu - A fuzzer designed for rapid prototyping that normally happens on a client engagement where something needs to be fuzzed within tight timescales.

Info Gathering

  • ATSCAN - Advanced dork Search & Mass Exploit Scanner.

  • Bundler-audit - Patch-level verification for Bundler.

  • Commando-vm - Complete Mandiant Offensive VM (Commando VM), the first full Windows-based penetration testing virtual machine distribution. The security community recognizes Kali Linux as the go-to penetration testing platform for those that prefer Linux. Commando VM is for penetration testers that prefer Windows.

  • Dnsenum - A Perl script that enumerates DNS information.

  • Dnsmap - Passive DNS network mapper.

  • Dnsrecon - DNS Enumeration Script.

  • Dnsspy - Performs various DNS enumeration attacks.

  • EgressCheck Framework - Used to check for TCP and UDP egress filtering on both Windows and Unix client systems.

  • Egressbuster - A method to check egress filtering and identify if ports are allowed. If they are, you can automatically spawn a shell.

  • EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

  • IVRE - An open-source framework for network recon. It relies on open-source well-known tools to gather data (network intelligence), stores it in a database, and provides tools to analyze it.

  • Knock - A python tool designed to enumerate subdomains on a target domain through a wordlist.

  • Operative-framework - A framework based on fingerprinting, used to get information on a website or an enterprise target with multiple modules (Viadeo search, LinkedIn search, reverse email whois, reverse IP whois, SQL file forensics, ...).

  • Recon-ng - A full-featured Web Reconnaissance framework written in Python.

  • SMBMap - A handy SMB enumeration tool.

  • SPartan - Frontpage and Sharepoint fingerprinting and attack tool.

  • SSLMap - TLS/SSL cipher suite scanner.

  • Secretz - A tool that minimizes the large attack surface of Travis CI. It automatically fetches repos, builds, and logs for any given organization.

  • Sparty - MS Sharepoint and Frontpage Auditing Tool.

  • Spyse.py - Python API wrapper and command-line client for the tools hosted on spyse.com.

  • SubFinder - A subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing.

  • SubQuest - Fast, elegant subdomain scanner written in Node.js.

  • Subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.

  • TravisLeaks - A tool to find sensitive keys and passwords in Travis logs.

  • TruffleHog - Searches through git repositories for high entropy strings, digging deep into commit history.

  • URLextractor - Information gathering & website reconnaissance.

  • VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.

  • Wmap - Information gathering for web hacking.

  • XRay - A tool for recon, mapping and OSINT gathering from public networks.

MITM

  • Bettercap - A powerful, flexible and portable tool created to perform various types of MITM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in realtime, sniff for credentials and much more.

  • Caplets - Bettercap scripts (caplets) and proxy modules.

  • Dnsspoof - DNS spoofer. Drops DNS responses from the router and replaces them with spoofed DNS responses.

  • Ettercap - A comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.

  • MITMf - Framework for Man-In-The-Middle attacks.

  • Mallory - An extensible TCP/UDP man in the middle proxy that is designed to be run as a gateway. Unlike other tools of its kind, Mallory supports modifying non-standard protocols on the fly.

  • Mitmproxy - An interactive, SSL-capable man-in-the-middle proxy for HTTP with a console interface.

  • Mitmsocks4j - Man in the Middle SOCKS Proxy for Java.

  • Nogotofail - An on-path blackbox network traffic security testing tool.

  • Responder - A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

  • Ssh-mitm - An SSH/SFTP man-in-the-middle tool that logs interactive sessions and passwords.

Mobile

  • AFE - Android Framework for Exploitation, a framework for exploiting Android-based devices.

  • AndroBugs - An efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications.

  • Android-vts - Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let’s take a pulse on the state of Android security.

  • Androl4b - A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis.

  • CobraDroid - A custom build of the Android operating system geared specifically for application security analysts and for individuals dealing with mobile malware.

  • Drozer - The Leading Security Assessment Framework for Android.

  • Idb - A tool to simplify some common tasks for iOS pentesting and research.

  • Introspy-iOS - Security profiling for blackbox iOS.

  • JAADAS - Joint Advanced Defect assEsment for android applications.

  • Keychain-Dumper - A tool to check which keychain items are available to an attacker once an iOS device has been jailbroken.

  • Mobile Security Framework - An intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.

  • Objection - A runtime mobile exploration toolkit, powered by Frida, built to help you assess the security posture of your mobile applications, without needing a jailbreak.

  • QARK - QARK by LinkedIn is for app developers to scan apps for security issues.

Password Cracking

  • BozoCrack - A silly & effective MD5 cracker in Ruby.

  • Common-substr - Simple awk script to extract the most common substrings from an input text. Built for password cracking.

  • HashCat - World’s fastest and most advanced password recovery utility.

  • Hashcrack - Guesses hash types, picks some sensible dictionaries and rules for hashcat.

  • Hob0Rules - Password cracking rules for Hashcat based on statistics and industry patterns.

  • John the Ripper - A fast password cracker.

  • Kwprocessor - Advanced keyboard-walk generator with configurable basechars, keymap and routes.

  • NPK - A mostly-serverless distributed hash cracking platform.

  • Patator - Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

  • THC-Hydra - A very fast network logon cracker which supports many different services.

Port Scanning

  • Angry IP Scanner - Fast and friendly network scanner.

  • Evilscan - NodeJS Simple Network Scanner.

  • Flan - A pretty sweet vulnerability scanner.

  • Masscan - TCP port scanner, spews SYN packets asynchronously, scanning the entire Internet in under 5 minutes.

  • Nmap - Free Security Scanner For Network Exploration & Security Audits.

  • Watchdog - A Comprehensive Security Scanning and a Vulnerability Management Tool.

  • ZGrab - Go Application Layer Scanner.

  • Zmap - An open-source network scanner that enables researchers to easily perform Internet-wide network studies.

Post Exploitation

  • Apfell - A collaborative, multi-platform, red teaming framework.

  • Backdoorme - Powerful auto-backdooring utility.

  • CatTails - Raw socket library/framework for red team events.

  • Cloudy-kraken - AWS Red Team Orchestration Framework.

  • Covenant - Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.

  • CrackMapExec - A post-exploitation tool that helps automate assessing the security of large Active Directory networks.

  • CredCrack - A fast and stealthy credential harvester.

  • Creddump - Dump windows credentials.

  • DBC2 - DropboxC2 is a modular post-exploitation tool, composed of an agent running on the victim's machine, a controller running on any machine, PowerShell modules, and Dropbox servers as a means of communication.

  • DET - (extensible) Data Exfiltration Toolkit (DET).

  • DNSlivery - Easy files and payloads delivery over DNS.

  • Dnsteal - DNS Exfiltration tool for stealthily sending files over DNS requests.

  • Empire - Empire is a pure PowerShell post-exploitation agent.

  • Enumdb - MySQL and MSSQL brute force and post exploitation tool to search through databases and extract sensitive information.

  • EvilOSX - A pure python, post-exploitation, RAT (Remote Administration Tool) for macOS / OSX.

  • Fireaway - Next Generation Firewall Audit and Bypass Tool.

  • FruityC2 - A post-exploitation (and open source) framework based on the deployment of agents on compromised machines. Agents are managed from a web interface under the control of an operator.

  • GetVulnerableGPO - PowerShell script to find 'vulnerable' security-related GPOs that should be hardened.

  • Ghost In The Logs - Evade Sysmon and Windows event logging.

  • HoneyBadger - A collection of Metasploit modules with a plugin to help automate Post-Exploitation actions on target systems using the Metasploit Framework.

  • HoneypotBuster - Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or at the host.

  • Iodine - Lets you tunnel IPv4 data through a DNS server.

  • Koadic - Koadic C3 COM Command & Control - JScript RAT.

  • Mallory - HTTP/HTTPS proxy over SSH.

  • Mimikatz - A little tool to play with Windows security.

  • Mimikittenz - A post-exploitation powershell tool for extracting juicy info from memory.

  • NoPowerShell - PowerShell rebuilt in C# for Red Teaming purposes.

  • Orc - A post-exploitation framework for Linux written in Bash.

  • P0wnedShell - PowerShell Runspace Post Exploitation Toolkit.

  • PacketWhisper - Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type (e.g. executables, Office, Zip, images) into a list of Fully Qualified Domain Names (FQDNs), use DNS queries to transfer data. Simple yet extremely effective.

  • Paragon - Red Team engagement platform with the goal of unifying offensive tools behind a simple UI.

  • Pivoter - A proxy tool for pentesters to have easier lateral movement.

  • Poet - Post-exploitation tool.

  • PoshC2 - A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.

  • PowerOPS - PowerShell Runspace Portable Post Exploitation Tool aimed at making Penetration Testing with PowerShell “easier”.

  • ProcessHider - Post-exploitation tool for hiding processes from monitoring applications.

  • Pupy - An open-source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in Python.

  • Pwnat - Punches holes in firewalls and NATs, allowing any number of clients behind NATs to directly connect to a server behind a different NAT.

  • Pypykatz - Mimikatz implementation in pure Python.

  • RedGhost - Linux post exploitation framework written in bash designed to assist red teams in persistence, reconnaissance, privilege escalation and leaving no trace.

  • RemoteRecon - Remote Recon and Collection.

  • RottenPotatoNG - New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.

  • Rpc2socks - Post-exploitation tool that enables a SOCKS tunnel via a Windows host using an extensible custom RPC protocol over SMB through a named pipe.

  • SafetyKatz - SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader.

  • Shad0w - A post exploitation framework designed to operate covertly on heavily monitored environments.

  • SharpC2 - .NET Command & Control Framework.

  • SocksOverRDP - Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services.

  • SpYDyishai - A Gmail credential harvester.

  • SprayWMI - An easy way to get mass shells on systems that support WMI. Much more effective than PSEXEC as it does not leave remnants on a system.

  • Tgcd - A simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.

  • TheFatRat - An easy tool to generate backdoors with msfvenom (part of the Metasploit framework). It compiles malware with a popular payload, and the compiled malware can then be executed on Windows, Android and Mac. Malware created with this tool also has the ability to bypass most AV software protection.

  • WCE - Windows Credentials Editor (WCE) is a security tool to list logon sessions and add, change, list and delete associated credentials.

  • Weasel - DNS covert channel implant for Red Teams.

Reporting

  • Cartography - A Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.

  • DefectDojo - An open-source application vulnerability correlation and security orchestration tool.

  • Dradis - Collaboration and reporting for IT Security teams.

  • Faraday - Collaborative Penetration Test and Vulnerability Management Platform.

  • VECTR - A tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios.

Services

  • SSLyze - SSL configuration scanner.

  • Sslstrip - A demonstration of the HTTPS stripping attack.

  • Sslstrip2 - SSLStrip version to defeat HSTS.

  • Tls_prober - Fingerprint a server’s SSL/TLS implementation.

Training

  • Android-InsecureBankv2 - Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities.

  • BadBlood - Fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood has been run on a domain, security analysts and engineers can practice using tools to gain an understanding of, and prescribe approaches to, securing Active Directory.

  • DIVA Android - Damn Insecure and Vulnerable App for Android.

  • DVCP-TE - Damn Vulnerable Chemical Process - Tennessee Eastman.

  • DVWA - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.

  • DVWS - Damn Vulnerable Web Sockets (DVWS) is a vulnerable web application which works on web sockets for client-server communication.

  • Don’t Panic - Training Linux bind shell with anti-reverse engineering techniques.

  • GRFICS - A graphical realism framework for industrial control simulations that uses Unity 3D game engine graphics to lower the barrier to entry for industrial control system security. GRFICS provides users with a full virtual industrial control system (ICS) network to practice common attacks including command injection, man-in-the-middle, and buffer overflows, and visually see the impact of their attacks in the 3D visualization. Users can also practice their defensive skills by properly segmenting the network with strong firewall rules, or writing intrusion detection rules.

  • Hackazon - A modern vulnerable web app.

  • Insecure-deserialization-net-poc - A small webserver vulnerable to insecure deserialization.

  • JuliaRT - Automated AD Pentest Lab Deployment in the Cloud: IaC Terraform and Ansible Playbook templates for deploying an Active Directory Domain in Azure.

  • Kubernetes Goat - An intentionally vulnerable cluster environment designed to learn and practice Kubernetes security.

  • OWASP Juice Shop - An intentionally insecure webapp for security trainings, written entirely in JavaScript, which encompasses the entire OWASP Top Ten and other severe security flaws.

  • OWASP NodeGoat - An environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.

  • OWASP Railsgoat - A vulnerable version of Rails that follows the OWASP Top 10.

  • OWASP Security Shepherd - A web and mobile application security training platform.

  • OWASP WebGoat - A deliberately insecure Web Application.

  • RopeyTasks - Deliberately vulnerable web application.

  • Sadcloud - A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure.

  • Sqli-labs - SQLi labs to test error-based, blind boolean-based and time-based injection.

  • WackoPicko - A vulnerable web application used to test web application vulnerability scanners.

  • Xvwa - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

Web

  • Arachni - Web Application Security Scanner Framework.

  • Argumentinjectionhammer - A Burp Extension designed to identify argument injection vulnerabilities.

  • BlackBox Protobuf Burp Extension - A Burp Suite extension for decoding and modifying arbitrary protobuf messages without the protobuf type definition.

  • BlindElephant - Web Application Fingerprinter.

  • Brosec - An interactive reference tool to help security professionals utilize useful payloads and commands.

  • Burp Suite - An integrated platform for performing security testing of web applications.

  • CloudScraper - Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.

  • Cms-explorer - CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS-driven web sites are running.

  • Crlfuzz - A fast tool to scan for CRLF injection vulnerabilities, written in Go.

  • Dirble - Fast directory scanning and scraping tool.

  • Dvcs-ripper - Rip web accessible (distributed) version control systems.

  • Fimap - Find, prepare, audit, exploit and even google automatically for LFI/RFI bugs.

  • Gobuster - Directory/file & DNS busting tool written in Go.

  • Jok3r - Network and Web Pentest Framework.

  • Joomscan - Joomla CMS scanner.

  • Jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens.

  • Kadabra - Automatic LFI exploiter and scanner, written in C++ with a couple of external modules in Python.

  • Kadimus - LFI scan and exploit tool.

  • Konan - An advanced open source tool designed to brute force directory and file names on web/application servers.

  • Liffy - LFI exploitation tool.

  • LinkFinder - A Python script that finds endpoints in JavaScript files.

  • Netsparker - Web Application Security Scanner.

  • Nikto2 - Web application vulnerability scanner.

  • NoSQLMap - Automated Mongo database and NoSQL web application exploitation tool.

  • OWASP Xenotix - XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework.

  • Paros - A Java based HTTP/HTTPS proxy for assessing web application vulnerability.

  • PayloadsAllTheThings - A list of useful payloads and bypasses for Web Application Security and Pentest/CTF.

  • Php-jpeg-injector - Injects PHP payloads into JPEG images.

  • Pyfiscan - Free web-application vulnerability and version scanner.

  • Ratproxy - A semi-automated, largely passive web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems.

  • RecurseBuster - Rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments.

  • Relative-url-extractor - A small tool that extracts relative URLs from a file.

  • SQLMap - Automatic SQL injection and database takeover tool.

  • SQLNinja - SQL Server injection & takeover tool.

  • Scout2 - Security auditing tool for AWS environments.

  • Skipfish - An active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.

  • TPLMap - Automatic Server-Side Template Injection Detection and Exploitation Tool.

  • Tracy - A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.

  • Tsunami - General purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.

  • W3af - Web application attack and audit framework.

  • WPScan - WPScan is a black box WordPress vulnerability scanner.

  • WPSploit - Exploiting WordPress with Metasploit.

  • WS-Attacker - A modular framework for web services penetration testing.

  • WStalker - An easy proxy.

  • Wapiti - Web application vulnerability scanner.

  • Wappalyzer - Cross-platform utility that uncovers the technologies used on websites.

  • Weevely3 - Weaponized web shell.

  • Wfuzz - Web application fuzzer.

  • WhatWeb - Website Fingerprinter.

  • Wordpress Exploit Framework - A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.

  • Wuzz - Interactive CLI tool for HTTP inspection.

  • XSS-keylogger - A keystroke logger to exploit XSS vulnerabilities in a site.

  • XSS-payload-list - XSS Payload list.

  • XSpear - Powerful XSS scanning and parameter analysis tool and gem.

  • Yasuo - A ruby script that scans for vulnerable & exploitable 3rd-party web applications on a network.

  • Zed Attack Proxy (ZAP) - The OWASP ZAP core project.

Wireless

  • Aircrack-ng - An 802.11 WEP and WPA-PSK keys cracking program.

  • Airgeddon - This is a multi-use bash script for Linux systems to audit wireless networks.

  • Kismet - Wireless network detector, sniffer, and IDS.

  • Krackattacks-scripts - Scripts to test if clients or access points (APs) are affected by the KRACK attack against WPA2.

  • LANs.py - Inject code, jam wifi, and spy on wifi users.

  • Mass-deauth - A script for 802.11 mass-deauthentication.

  • Reaver - Brute force attack against Wi-Fi Protected Setup.

  • Sniffle - A sniffer for Bluetooth 5 and 4.x (LE) using TI CC1352/CC26x2 hardware.

  • WiFiDuck - Wireless keystroke injection attack platform.

  • Wifijammer - Continuously jam all wifi clients/routers.

  • Wifikill - A python program to kick people off of wifi.

  • Wifiphisher - Automated phishing attacks against Wi-Fi networks.

  • Wifite - Automated wireless attack tool.

Reverse Engineering

  • APKiD - Android Application Identifier for Packers, Protectors, Obfuscators and Oddities - PEiD for Android.

  • AndBug - A debugger targeting the Android platform’s Dalvik virtual machine intended for reverse engineers and developers.

  • Angr - A platform-agnostic binary analysis framework developed by the Computer Security Lab at UC Santa Barbara and their associated CTF team, Shellphish.

  • AngryGhidra - Angr plugin for Ghidra.

  • Apk2Gold - Yet another Android decompiler.

  • ApkTool - A tool for reverse engineering Android apk files.

  • Avscript - Avast JavaScript Interactive Shell.

  • B2R2 - A collection of useful algorithms, functions, and tools for binary analysis.

  • Barf - Binary Analysis and Reverse engineering Framework.

  • BinText - A small, very fast and powerful text extractor.

  • BinWalk - Analyze, reverse engineer, and extract firmware images.

  • Binaryanalysis-ng - Binary Analysis Next Generation is a framework for unpacking files (like firmware) recursively and running checks on the unpacked files. Its intended use is to be able to find out the provenance of the unpacked files and classify/label files, making them available for further analysis.

  • Binee - A complete binary emulation environment that focuses on introspection of all IO operations.

  • Boomerang - Decompile x86/SPARC/PowerPC/ST-20 binaries to C.

  • Bytecode-viewer - A Java 8 Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More).

  • Bytecode_graph - Module designed to modify Python bytecode. Allows instructions to be added or removed from a Python bytecode string.

  • CHIPSEC - Platform Security Assessment Framework.

  • Capstone - Lightweight multi-platform, multi-architecture disassembly framework with Python bindings.

  • ClassNameDeobfuscator - Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.

  • Coda - Coredump analyzer.

  • Ctf_import - Run basic functions from stripped binaries cross platform.

  • DBI - Dynamic Binary Instrumentation plugins.

  • Dex2jar - Tools to work with android .dex and java .class files.

  • Distorm - Powerful Disassembler Library For x86/AMD64.

  • DotPeek - A free-of-charge .NET decompiler from JetBrains.

  • Dotnet-netrace - Collects network traces of .NET applications.

  • Dragondance - Binary code coverage visualizer plugin for Ghidra.

  • Dwarf - A GUI for mobile reverse engineers, crackers and security analysts. Built on top of PyQt5, Frida and some terrible code.

  • DynStruct - Reverse engineering tool for automatic structure recovering and memory use analysis based on DynamoRIO and Capstone.

  • EFI DXE Emulator - An EFI DXE phase binaries emulator based on Unicorn.

  • Edb - A cross platform x86/x86-64 debugger.

  • Enjarify - A tool for translating Dalvik bytecode to equivalent Java bytecode. This allows Java analysis tools to analyze Android applications.

  • Fibratus - Tool for exploration and tracing of the Windows kernel.

  • Fino - An Android Dynamic Analysis Tool.

  • Flare-emu - It marries a supported binary analysis framework, such as IDA Pro or Radare2, with Unicorn’s emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. It is designed to handle all the housekeeping of setting up a flexible and robust emulator for its supported architectures so that you can focus on solving your code analysis problems.

  • Flare-ida - IDA Pro utilities from FLARE team.

  • Frida - Inject JavaScript to explore native apps on Windows, macOS, Linux, iOS, Android, and QNX.

  • Frida-scripts - These scripts will help in security research and automation.

  • GEF - Multi-Architecture GDB Enhanced Features for Exploiters & Reverse-Engineers.

  • Gdb-dashboard - Modular visual interface for GDB in Python.

  • Gdbstub - A simple, dependency-free GDB stub that can be easily dropped in to your project.

  • Ghidra - A software reverse engineering (SRE) framework.

  • Ghidra_kernelcache - A Ghidra framework for iOS kernelcache reverse engineering.

  • Ghidra_scripts - Scripts for the Ghidra software reverse engineering suite.

  • Golang_loader_assist - Making GO reversing easier in IDA Pro.

  • Granary - A kernel space dynamic binary translation framework. The main goal of Granary is to enable flexible and efficient instrumentation of Linux kernel modules, while imposing no overhead to non-module kernel code.

  • Grap - Define and match graph patterns within binaries.

  • HVMI - Hypervisor Memory Introspection Core Library.

  • Haybale - Symbolic execution of LLVM IR with an engine written in Rust.

  • Heap-viewer - An IDA Pro plugin to examine the glibc heap, focused on exploit development.

  • HexRaysCodeXplorer - Hex-Rays Decompiler plugin for better code navigation.

  • Hopper - An OS X and Linux Disassembler/Decompiler for 32/64 bit Windows/Mac/Linux/iOS executables.

  • IDA Free - The freeware version of IDA.

  • IDA Patcher - IDA Patcher is a plugin for Hex-Rays’ IDA Pro disassembler designed to enhance IDA’s ability to patch binary files and memory.

  • IDA Pomidor - IDA Pomidor is a plugin for Hex-Rays’ IDA Pro disassembler that will help you retain concentration and productivity during long reversing sessions.

  • IDA Pro - A Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger.

  • IDA Sploiter - IDA Sploiter is a plugin for Hex-Rays’ IDA Pro disassembler designed to enhance IDA’s capabilities as an exploit development and vulnerability research tool.

  • IDAPython - An IDA plugin which makes it possible to write scripts for IDA in the Python programming language.

  • IDAwasm - IDA Pro loader and processor modules for WebAssembly.

  • IRPMon - The goal of the tool is to monitor requests received by selected device objects or kernel drivers. The tool is quite similar to IrpTracker but has several enhancements. It supports 64-bit versions of Windows (no inline hooks are used, only modifications to driver object structures are performed) and monitors IRP, FastIo, AddDevice, DriverUnload and StartIo requests.

  • Idaemu - An IDA Pro plugin used for emulating code in IDA Pro.

  • Immunity Debugger - A powerful new way to write exploits and analyze malware.

  • JAD - JAD Java Decompiler.

  • JD-GUI - Aims to develop tools in order to decompile and analyze Java 5 “byte code” and the later versions.

  • Jadx - Decompile Android files.

  • Keystone Engine - A lightweight multi-platform, multi-architecture assembler framework.

  • Krakatau - Java decompiler, assembler, and disassembler.

  • Levitate - Reverse Engineering and Static Malware Analysis Platform.

  • MARA Framework - A Mobile Application Reverse engineering and Analysis Framework.

  • Manticore - Prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation.

  • Medusa - A disassembler designed to be both modular and interactive.

  • MegaDumper - Dump native and .NET assemblies.

  • Minhook - The Minimalistic x86/x64 API Hooking Library for Windows.

  • Mona.py - PyCommand for Immunity Debugger that replaces and improves on pvefindaddr.

  • OllyDbg - An x86 debugger that emphasizes binary code analysis.

  • PEDA - Python Exploit Development Assistance for GDB.

  • Paimei - Reverse engineering framework, includes PyDBG, PIDA, pGRAPH.

  • Pigaios - A tool for matching and diffing source codes directly against binaries.

  • Plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with syntax coloring.

  • Ponce - An IDA Pro plugin that provides users the ability to perform taint analysis and symbolic execution over binaries in an easy and intuitive fashion. With Ponce you are one click away from getting all the power from cutting edge symbolic execution. Entirely written in C/C++.

  • Procyon - A modern open-source Java decompiler.

  • Protobuf-inspector - Tool to reverse-engineer Protocol Buffers with unknown definition.

  • Pwndbg - Exploit Development and Reverse Engineering with GDB Made Easy.

  • Pyew - Command line hexadecimal editor and disassembler, mainly to analyze malware.

  • QBDI - A Dynamic Binary Instrumentation framework based on LLVM.

  • Qira - QEMU Interactive Runtime Analyser.

  • R2MSDN - R2 plugin to add MSDN documentation URLs and parameter names to imported function calls.

  • RABCDAsm - Robust ABC (ActionScript Bytecode) [Dis-]Assembler.

  • Radare2 - Open source, cross-platform reverse engineering framework.

  • Radare2-bindings - Bindings of the r2 api for Valabind and friends.

  • Redexer - A reengineering tool that manipulates Android app binaries.

  • ScratchABit - Easily retargetable and hackable interactive disassembler with IDAPython-compatible plugin API.

  • Shed - .NET runtime inspector.

  • Simplify - Generic Android Deobfuscator.

  • SimplifyGraph - IDA Pro plugin to assist with complex graphs.

  • Smali - Smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android’s Java VM implementation.

  • Sojobo - An emulator for the B2R2 framework. It was created to ease the analysis of potentially malicious files. It is entirely developed in .NET, so you don’t need to install or compile any other external libraries.

  • Swiffas - SWF parser and AVM2 (Actionscript 3) bytecode parser.

  • Swift-frida - Frida library for interacting with Swift programs.

  • Toolbag - The IDA Toolbag is a plugin providing supplemental functionality to Hex-Rays IDA Pro disassembler.

  • Triton - Triton is a Dynamic Binary Analysis (DBA) framework. It provides internal components like a Dynamic Symbolic Execution (DSE) engine, a dynamic taint engine, AST representations of the x86, x86-64, ARM32 and AArch64 Instruction Set Architectures (ISA), SMT simplification passes, an SMT solver interface and, last but not least, Python bindings.

  • UPX - The Ultimate Packer for eXecutables.

  • Ufgraph - A simple script which parses the output of the uf (un-assemble function) command in windbg and uses graphviz to generate a control flow graph as a PNG/SVG/PDF/GIF (see -of option) and displays it.

  • Uncompyle - Decompile Python 2.7 binaries (.pyc).

  • Unicorn Engine - A lightweight, multi-platform, multi-architecture CPU emulator framework based on QEMU.

  • Unlinker - Unlinker is a tool that can rip functions out of Visual C++ compiled binaries and produce Visual C++ COFF object files.

  • VMX_INTRINSICS - VMX intrinsics plugin for Hex-Rays decompiler.

  • VT-IDA Plugin - Official VirusTotal plugin for IDA Pro.

  • Voltron - An extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host.

  • WinDbg - Windows Driver Kit and WinDbg.

  • WinHex - A hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security.

  • WinIPT - The Windows Library for Intel Process Trace (WinIPT) is a project that leverages the new Intel Processor Trace functionality exposed by Windows 10 Redstone 5 (1809), through a set of libraries and a command-line tool.

  • X64_dbg - An open-source x64/x32 debugger for Windows.

  • Xxxswf - A Python script for analyzing Flash files.

  • YaCo - A Hex-Rays IDA plugin. When enabled, multiple users can work simultaneously on the same binary. Any modification done by any user is synchronized through git version control.

  • uEmu - Tiny cute emulator plugin for IDA based on unicorn.

Security

Asset Management

Cloud Security

  • Aws-nuke - Nuke a whole AWS account and delete all its resources.

  • Azucar - Security auditing tool for Azure environments.

  • CloudMapper - CloudMapper helps you analyze your Amazon Web Services (AWS) environments.

  • Hammer - Dow Jones Hammer: Protect the cloud with the power of the cloud (AWS).

  • Panther - A Cloud-Native SIEM for the Modern Security Team.

  • Parliament - An AWS IAM linting library. It reviews policies looking for problems.

  • Security Monkey - Security Monkey monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.

  • Varna - Quick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL).

Resources

  • s3cr3t - Serve files securely from an S3 bucket with expiring links and other restrictions.

Endpoint Security

  • AIDE - Advanced Intrusion Detection Environment is a file and directory integrity checker.

  • Duckhunt - Prevent RubberDucky (or other keystroke injection) attacks.

  • Hardentools - A utility that disables a number of risky Windows features.

  • Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.

  • Osx-config-check - Verify the configuration of your OS X machine.

  • ProcMon-for-Linux - A Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows. Procmon provides a convenient and efficient way for Linux developers to trace the syscall activity on the system.

  • Xnumon - Monitor macOS for malicious activity.

Network Security

  • EveBox - A web based Suricata “eve” event viewer for Elasticsearch.

  • Pi-hole - A DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.

  • Scirius - A web application for Suricata ruleset management.

Orchestration

  • Stoq - An open source framework for enterprise level automated analysis.

Phishing

  • Miteru - An experimental phishing kit detection tool.

  • StreamingPhish - Python-based utility that uses supervised machine learning to detect phishing domains from the Certificate Transparency log network.

Privacy

  • Git-crypt - Transparent file encryption in git.

  • GoSecure - An easy to use and portable Virtual Private Network (VPN) system built with Linux and a Raspberry Pi.

  • I2P - The Invisible Internet Project.

  • Nipe - A script to make Tor Network your default gateway.

  • SecureDrop - Open-source whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources.

  • Sshuttle - Transparent proxy server that works as a poor man’s VPN. Forwards over ssh. Doesn’t require admin. Works with Linux and macOS. Supports DNS tunneling.

  • Tomb - A minimalistic commandline tool to manage encrypted volumes aka The Crypto Undertaker.

  • Tor - The free software for enabling onion routing online anonymity.

  • Toriptables2 - A python script alternative to Nipe. Makes Tor Network your default gateway.

Social Engineering

Framework

  • SET - The Social-Engineer Toolkit from TrustedSec.

Harvester

  • Creepy - A geolocation OSINT tool.

  • Datasploit - A tool to perform various OSINT techniques, aggregate all the raw data, visualise it on a dashboard, and facilitate alerting and monitoring on the data.

  • Email-enum - Searches mainstream websites and tells you if an email is registered.

  • Github-dorks - CLI tool to scan github repos/organizations for potential sensitive information leak.

  • Maltego - Proprietary software for open source intelligence and forensics, from Paterva.

  • Metagoofil - Metadata harvester.

  • SpiderFoot - Automates OSINT collection so that you can focus on analysis.

  • TTSL - Tool to scrape LinkedIn.

  • TheHarvester - E-mail, subdomain and people names harvester.

Phishing

  • BlackPhish - Super lightweight with many features and blazing fast speeds.

  • Blackeye - The most complete Phishing Tool, with 32 templates +1 customizable.

  • CredSniper - A phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.

  • FiercePhish - A full-fledged phishing framework to manage all phishing engagements. It allows you to track separate phishing campaigns, schedule sending of emails, and much more.

  • GoPhish - Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.

  • Lockphish - Lockphish is the first tool for phishing attacks on the lock screen, designed to grab Windows credentials, Android PIN and iPhone Passcode using an https link.

  • Modlishka - Reverse Proxy. Phishing NG.

  • Phishing-frenzy - Ruby on Rails Phishing Framework.

  • Pompa - Fully-featured spear-phishing toolkit - web front-end.

  • Whatsapp-phishing - The best tool for whatsapp-phishing with otp provider.

Wardialing