| Link |
Description |
| alphasoc/flightsim |
A utility to generate malicious network traffic and evaluate controls |
| Attack Simulatorin Office 365 |
Simulate realistic attacks on Office 365 environment |
| Blue Team Training Toolkit |
Blue Team Training Toolkit (BT3) is designed for network analysis training sessions, incident response drills and red team engagements |
| Coalfire-Research/Red-Baron |
Automate creating resilient, disposable, secure and agile infrastructure for Red Teams |
| Cyb3rWard0g/Invoke-ATTACKAPI |
A PowerShell script to interact with the MITRE ATT&CK Framework via its own API |
| Cyb3rWard0g/mordor |
Re-play Adversarial Techniques |
| chryzsh/DarthSidious |
Building an Active Directory domain and hacking it |
| d3vzer0/reternal-quickstart |
Repo containing docker-compose files and setup scripts without having to clone the individual reternal components |
| endgameinc/RTA |
RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK |
| fireeye/capa |
capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. |
| jymchoeng/AutoTTP |
Automated Tactics Techniques & Procedures |
| MiladMSFT/ThreatHunt |
ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills. |
| mdsecactivebreach/CACTUSTORCH |
CACTUSTORCH: Payload Generation for Adversary Simulations |
| mitre/caldera |
An automated adversary emulation system |
| NextronSystems/APTSimulator |
A toolset to make a system look as if it was the victim of an APT attack |
| n0dec/MalwLess |
Test blue team detections without running any attack |
| praetorian-code/purple-team-attack-automation |
Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs |
| TryCatchHCF/DumpsterFire |
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. |
| redcanaryco/atomic-red-team |
Small and highly portable detection tests based on MITRE's ATT&CK. |
| redcanaryco/chain-reactor |
Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints. |
| redhuntlabs/RedHunt-OS |
Virtual Machine for Adversary Emulation and Threat Hunting |
| SpiderLabs/sheepl |
Sheepl : Creating realistic user behaviour for supporting tradecraft development within lab environments |
| splunk/attack_range |
A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk |
| uber-common/metta |
An information security preparedness tool to do adversarial simulation. |
| Unfetter |
Unfetter is a project designed to help network defenders, cyber security professionals, and decision makers identify and analyze defensive gaps in a more scalable and repeatable way |
## Binary Analysis
| Link |
Description |
| avast-tl/retdec |
RetDec is a retargetable machine-code decompiler based on LLVM |
| binvis.io |
visual analysis of binary files |
| blackberry/pe_tree |
Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Can also be used with IDA Pro to dump in-memory PE files and reconstruct imports. |
| carbonblack/binee |
Binee: binary emulation environment |
| bootleg/ret-sync |
ret-sync is a set of plugins that helps to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA/Ghidra disassemblers. |
| Cisco-Talos/GhIDA |
GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in IDA. |
| Cisco-Talos/Ghidraaas |
Ghidraaas is a simple web server that exposes Ghidra analysis through REST APIs. The project includes three Ghidra plugins to analyze a sample, get the list of functions and to decompile a function. |
| Comsecuris/gdbghidra |
gdbghidra - a visual bridge between a GDB session and GHIDRA |
| Comsecuris/gdbida |
gdbida - a visual bridge between a GDB session and IDA Pro's disassembler |
| Cutter |
Free and Open Source RE Platform powered by radare2 |
| endgameinc/xori |
Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode |
| enkomio/shed |
.NET runtine inspector. Shed - Inspect .NET malware like a Sir |
| fireeye/flare-floss |
FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware. |
| FuzzySecurity/Fermion |
Fermion, an electron wrapper for Frida & Monaco. |
| GHIDRA |
A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission |
| Go Reverse Engineering Toolkit |
A Reverse Engineering Tool Kit for Go, Written in Go. |
| hasherezade/hollows_hunter |
A process scanner detecting and dumping hollowed PE modules. |
| hasherezade/hook_finder |
a small tool for investigating inline hooks (and other in-memory code patches) |
| LIEF |
Library to Instrument Executable Formats |
| Microsoft/binskim |
A binary static analysis tool that provides security and correctness results for Windows portable executables |
| Microsoft/ProcDump-for-Linux |
A Linux version of the ProcDump Sysinternals tool |
| mxmssh/drltrace |
Drltrace is a library calls tracer for Windows and Linux applications |
| NASA-SW-VnV/ikos |
IKOS (Inference Kernel for Open Static Analyzers) is a static analyzer for C/C++ based on the theory of Abstract Interpretation |
| pierrezurek/Signsrch |
tool for searching signatures inside files, extremely useful in reversing engineering for figuring or having an initial idea of what encryption/compression algorithm is used for a proprietary protocol or file. it can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime and easy to modify. |
| Pinitor |
An API Monitor Based on Pin |
| pygore |
Python library for analyzing Go binaries |
| qilingframework/qiling |
Qiling Advanced Binary Emulation Framework |
| taviso/loadlibrary |
Porting Windows Dynamic Link Libraries to Linux |
| secretsquirrel/recomposer |
Randomly changes Win32/64 PE Files for 'safer' uploading to malware and sandbox sites. |
| Veles |
New open source tool for binary data analysis |
| VisUAL |
A highly visual ARM emulator |
|
williballenthin/python-idb
|
Pure Python parser and analyzer for IDA Pro database files (.idb).
|
## Cloud Security
| Link |
Description |
| Alfresco/prowler |
Tool for AWS security assessment, auditing and hardening. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark. |
| andresriancho/nimbostratus |
Tools for fingerprinting and exploiting Amazon cloud infrastructures |
| asecure.cloud |
A free repository of customizable AWS security configurations and best practices |
| asecurityteam/spacecrab |
Bootstraps an AWS account with everything you need to generate, mangage, and distribute and alert on AWS honey tokens. Made with breakfast roti by the Atlassian security team. |
| awslabs/aws-security-benchmark |
Open source demos, concept and guidance related to the AWS CIS Foundation framework. |
| Azure/Stormspotter |
Azure Red Team tool for graphing Azure and Azure Active Directory objects |
| carnal0wnage/weirdAAL |
WeirdAAL [AWS Attack Library] wiki! |
| cloudsploit/scans |
AWS security scanning checks |
| cyberark/SkyArk |
SkyArk is a cloud security tool, helps to discover, assess and secure the most privileged entities in AWS |
| dagrz/aws_pwn |
A collection of AWS penetration testing junk |
| disruptops/cred_scanner |
A simple file-based scaner to look for potential AWS accesses and secret keys in files |
| duo-labs/cloudtracker |
CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. |
| duo-labs/cloudmapper |
CloudMapper helps you analyze your Amazon Web Services (AWS) environments. |
| endgameinc/varna |
Varna: Quick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL) |
| eth0izzle/bucket-stream |
Find interesting Amazon S3 Buckets by watching certificate transparency logs. |
| FishermansEnemy/bucket_finder |
Amazon bucket brute force tool |
| glen-mac/goGetBucket |
A penetration testing tool to enumerate and analyse Amazon S3 Buckets owned by a domain. |
| google/cloud-forensics-utils |
Python library to carry out DFIR analysis on the Cloud |
| kromtech/s3-inspector |
Tool to check AWS S3 bucket permissions |
| jordanpotti/AWSBucketDump |
Security Tool to Look For Interesting Files in S3 Buckets |
| jordanpotti/CloudScraper |
CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space. |
| lyft/metadataproxy |
A proxy for AWS's metadata service that gives out scoped IAM credentials from STS |
| MindPointGroup/cloudfrunt |
A tool for identifying misconfigured CloudFront domains |
| nccgroup/aws-inventory |
Discover resources created in an AWS account |
| nccgroup/PMapper |
A tool for quickly evaluating IAM permissions in AWS. |
| nccgroup/Scout2 |
Security auditing tool for AWS environments |
| nccgroup/ScoutSuite |
Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments |
| Netflix-Skunkworks/diffy |
Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). |
| Netflix/security_monkey |
Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. |
| NotSoSecure/cloud-service-enum |
This script allows pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service. |
| prevade/cloudjack |
Route53/CloudFront Vulnerability Assessment Utility |
| random-robbie/slurp |
Enumerate S3 buckets via certstream, domain, or keywords |
| RhinoSecurityLabs/pacu |
Rhino Security Labs' AWS penetration testing toolkit |
| RiotGames/cloud-inquisitor |
Enforce ownership and data security within AWS |
| sa7mon/S3Scanner |
Scan for open S3 buckets and dump |
| salesforce/cloudsplaining |
Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet |
| sendgrid/krampus |
The original AWS security enforcer™ |
| SecurityFTW/cs-suite |
Cloud Security Suite - One stop tool for auditing the security posture of AWS infrastructure. |
| swimlane/CLAW |
A packer utility to create and capture DFIR Image for use AWS & Azure |
| ThreatResponse/margaritashotgun |
Remote Memory Acquisition Tool for AWS |
| ThreatResponse/aws_ir |
Python installable command line utiltity for mitigation of host and key compromises. |
| toniblyx/prowler |
Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1 |
## Courses
| Link |
Description |
| $I File Parser |
Free Forensics Tool – $I File Parser |
| activecm/BeaKer |
Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana |
| AlienVault OSSIM |
AlienVault OSSIM: The World’s Most Widely Used Open Source SIEM |
| andreafortuna/autotimeliner |
Automagically extract forensic timeline from volatile memory dump |
| ANSSI-FR/bits_parser |
Extract BITS jobs from QMGR queue and store them as CSV records |
| ANSSI-FR/bmc-tools |
RDP Bitmap Cache Parser |
| bfuzzy/auditd-attack |
A Linux Auditd rule set mapped to MITRE's Attack Framework |
| Broctets-and-Bytes/Darwin |
This script is designed to be run against a mounted image, live system, or device in target disk mode. The script automates the collection of key files for MacOS investigations. |
| bromiley/olaf |
Office365 Log Analysis Framework: OLAF is a collection of tools, scripts, and analysis techniques dealing with O365 Investigations. |
| carmaa/inception |
Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. |
| coinbase/dexter |
Forensics acquisition framework designed to be extensible and secure |
| CrowdStrike/automactc |
AutoMacTC: Automated Mac Forensic Triage Collector |
| CrowdStrike/Forensics |
Scripts and code referenced in CrowdStrike blog posts |
| cryps1s/DARKSURGEON |
DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. |
| Cyb3rWard0g/HELK |
A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities. |
| Cyber Analytics Repository |
The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. |
| CyberDefenseInstitute/CDIR |
CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on oss tool/library |
| davehull/Kansa |
A Powershell incident response framework |
| DFIR ORC |
DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations. |
| DG Wingman |
DG Wingman is a free community Windows tool designed to aid in the collection of forensic evidence in order to properly investigate and scope an intrusion. |
| draios/sysdig |
Linux system exploration and troubleshooting tool with first class support for containers |
| drego85/meioc |
Extracting IoC data from eMail |
| DFIRKuiper/Kuiper |
Kuiper is a digital investigation platform that provides a capabilities for the investigation team and individuals to parse, search, visualize collected evidences (evidences could be collected by fast traige script like Hoarder). |
| fireeye/ARDvark |
ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings. |
| fireeye/SilkETW |
SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. |
| ForensicArtifacts/artifacts |
Digital Forensics Artifact Repository |
| gleeda/memtriage |
Allows you to quickly query a Windows machine for RAM artifacts |
| google/docker-explorer |
A tool to help forensicate offline docker acquisitions |
| google/GiftStick |
1-Click push forensics evidence to the cloud |
| google/grr |
GRR is a python client (agent) that is installed on target systems, and python server infrastructure that can manage and talk to clients. |
| google/rekall |
The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems. |
| Graylog |
Built to open standards, Graylog’s connectivity and interoperability seamlessly collects, enhances, stores, and analyzes log data. |
| hunters-forge/API-To-Event |
A repo to document API functions mapped to security events across diverse platforms |
| hunters-forge/OSSEM |
Open Source Security Events Metadata (OSSEM) |
| Kaspersky IR's Artifacts Collector |
Kaspersky IR's Artifacts Collector |
| Hibernation Recon |
The tools and techniques used for many years to analyze Microsoft Windows® hibernation files have left digital forensics experts in the dark… until now! |
| Invoke-IR/ACE |
The Automated Collection and Enrichment (ACE) platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data. The data is collected by running scripts on each computer without installing any software on the target. ACE supports collecting from Windows, macOS, and Linux hosts. |
| jimtin/IRCoreForensicFramework |
Powershell 7 (Powershell Core)/ C# cross platform forensic framework. Built by incident responders for incident responders. |
| JPCERTCC/LogonTracer |
Investigate malicious Windows logon by visualizing and analyzing Windows event log |
| JPCERTCC/SysmonSearch |
Investigate suspicious activity by visualizing Sysmon's event log |
| IllusiveNetworks-Labs/HistoricProcessTree |
An Incident Response tool that visualizes historic process execution evidence (based on Event ID 4688 - Process Creation Event) in a tree view. |
| intezer/linux-explorer |
Easy-to-use live forensics toolbox for Linux endpoints |
| Invoke-IR/PowerForensics |
PowerForensics provides an all in one platform for live disk forensic analysis |
| Live Response Collection - Cedarpelta |
Live Response Collection - Cedarpelta |
| log2timeline/plaso |
log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. |
| MAGNET App Simulator |
MAGNET App Simulator lets you load application data from Android devices in your case into a virtual environment, enabling you to view and interact with the data as the user would have seen it on their own device. |
| MalwareSoup/MitreAttack |
Python wrapper for the Mitre ATT&CK framework API |
| mozilla/audit-go |
Linux Audit Plugin for heka written using netlink Protocol in golang and Lua |
| mozilla/mig |
Distributed & real time digital forensics at the speed of the cloud |
| mozilla/MozDef |
MozDef: The Mozilla Defense Platform |
| nannib/Imm2Virtual |
This is a GUI (for Windows 64 bit) for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox, forensically proof. |
| Netflix/dispatch |
All of the ad-hoc things you're doing to manage incidents today, done for you, and much more! |
| nshalabi/SysmonTools |
Utilities for Sysmon (Sysmon View and Sysmon Shell) |
| NXLog |
The modern open source log collector. |
| omenscan/achoir |
Windows Live Artifacts Acquisition Script |
| orlikoski/CyLR |
CyLR - Live Response Collection Tool |
| OSSEC |
Open Source HIDS SECurity |
| philhagen/sof-elk |
Configuration files for the SOF-ELK VM, used in SANS FOR572 |
| ptresearch/AttackDetection |
The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers’ TTPs, so we develop Suricata rules for detecting all sorts of such activities. |
| PUNCH-Cyber/stoq |
An open source framework for enterprise level automated analysis. |
| ROCK NSM |
Response Operation Collection Kit - An open source Network Security Monitoring platform. |
| salesforce/bro-sysmon |
Bro-Sysmon enables Bro to receive Windows Event Logs. This provide a method to associate Network Monitoring and Host Monitoring. The work was spurred by the need to associate JA3 and HASSH fingerprints with the application on the host. The example below shows the hostname, Process ID, connection information, JA3 fingerprints, Application Path, and binary hashes. |
| sans-blue-team/DeepBlueCLI |
DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs |
| Security Onion |
Peel back the layers of your enterprise |
| SecurityRiskAdvisors/TALR |
Threat Alert Logic Repository (TALR) - A public repository for the collection and sharing of detection rules in platform agnostic formats. Collected rules are appended with STIX required fields for simplified sharing over TAXII servers. |
| SekoiaLab/fastir_artifacts |
Live forensic artifacts collector |
| SekoiaLab/Fastir_Collector |
This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected. |
| SIEMonster |
SIEMonster is an Affordable Security Monitoring Software Soulution |
| Sigma Rules Repository Mirror |
Sigma rules repository mirror and translations |
| slackhq/go-audit |
go-audit is an alternative to the auditd daemon that ships with many distros |
| s0md3v/Orbit |
Blockchain Transactions Investigation Tool |
| refractionPOINT/limacharlie |
LC is an Open Source, cross-platform (Windows, MacOS, Linux ++), realtime Endpoint Detection and Response sensor. The extra-light sensor, once installed on a system provides Flight Data Recorder type information (telemetry on all aspects of the system like processes, DNS, network IO, file IO etc). |
| RomanEmelyanov/CobaltStrikeForensic |
Toolset for research malware and Cobalt Strike beacons |
| The Sleuth Kit |
sleuthkit.org is the official website for The Sleuth Kit®, Autopsy®, and other open source digital investigation tools. From here, you can find documents, case studies, and download the latest versions of the software. |
| THIBER-ORG/userline |
Query and report user logons relations from MS Windows Security Events |
| trustedsec/SysmonCommunityGuide |
TrustedSec Sysinternals Sysmon Community Guide |
| ufrisk/LeechCore |
LeechCore - Physical Memory Acquisition Library & The LeechAgent Remote Memory Acquisition Agent |
| Uncoder.io |
Uncoder.IO is the online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules to help SOC Analysts, Threat Hunters and SIEM Engineers |
| USN Analytics |
USN Analytics is a tool that specializes in USN Journal ($UsnJrnl:$J) analysis |
| VSCMount |
Volume shadow copies mounter tool |
| Wazuh |
Open Source Host and Endpoint Security |
| williballenthin/EVTXtract |
EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images. |
| williballenthin/INDXParse |
Tool suite for inspecting NTFS artifacts |
| williballenthin/process-forest |
process-forest is a tool that processes Microsoft Windows EVTX event logs that contain process accounting events and reconstructs the historical process heirarchies. |
| yampelo/beagle |
Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs. |
## Exploits
| Link |
Description |
| ac-pm/Inspeckage |
Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module) |
| AIR GO |
AIR GO detects obfuscation, vulnerabilities, open-source license issues, and malware by analyzing mobile apps and websites. It uses industry-leading technology to detect security threats and provide an improvement plan. |
| apkdetect |
Android malware analysis and classification platform |
| Apktool |
A tool for reverse engineering Android apk files |
| chaitin/passionfruit |
Simple iOS app blackbox assessment tool. Powered by frida.re and vuejs. |
| dpnishant/appmon |
AppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida. |
| Cycript |
Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion |
| dmayer/idb |
idb is a tool to simplify some common tasks for iOS pentesting and research |
| Drozer |
Comprehensive security and attack framework for Android |
| frida/frida |
Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. |
| iSECPartners/Android-SSL-TrustKiller |
Bypass SSL certificate pinning for most applications |
| KJCracks/Clutch |
Fast iOS executable dumper |
| linkedin/qark |
Tool to look for several security related Android application vulnerabilities |
| m0bilesecurity/RMS-Runtime-Mobile-Security |
Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime |
| MobSF/Mobile-Security-Framework-MobSF |
Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing |
| mwrlabs/needle |
The iOS Security Testing Framework |
| nccgroup/house |
A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python. |
| nygard/class-dump |
Generate Objective-C headers from Mach-O files |
| pxb1988/dex2jar |
Tools to work with android .dex and java .class files |
| sensepost/objection |
objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. |
| skylot/jadx |
Dex to Java decompiler |
| stefanesser/dumpdecrypted |
Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption. |
| swdunlop/AndBug |
Android Debugging Library |
| tcurdt/iProxy |
Let's you connect your laptop to the iPhone to surf the web. |
## Network Security
| Link |
Description |
| althonos/InstaLooter |
Another API-less Instagram pictures and videos downloader. |
| arch4ngel/peasant |
LinkedIn reconnaissance tool |
| CellID Finder |
Find GSM base stations cell id coordinates |
| CellMapper |
Cellular Coverage and Tower Map |
| Certificate Search |
crt.sh | Certificate |
| danieleperera/onioningestor |
An extendable tool to Collect, Crawl and Monitor onion sites on tor network and index collected information on Elasticsearch |
| dark.fail: Is a darknet site online? |
dark.fail: Is a darknet site online? |
| DomainBigData |
DomainBigData is a big database of domains and whois records |
| danieliu/play-scraper |
A web scraper to retrieve application data from the Google Play Store. |
| DataSploit/datasploit |
An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats. |
| FOFA Pro |
The Cyberspace Search Engine, Security Situation Awareness |
| GreyNoise Visualizer |
GreyNoise Visualizer |
| haccer/twint |
An advanced Twitter scraping & OSINT tool written in Python that doesn't use Twitter's API, allowing you to scrape a user's followers, following, Tweets and more while evading most API limitations. |
| I Know What You Download |
Torrent downloads and distributions for IP |
| ImmuniWeb |
Domain Security Test | Detect Dark Web Exposure, Phishing, Squatting and Trademark Infringement |
| IntelligenceX |
Search Tor, I2P, data leaks, public web.| |
| InQuest/omnibus |
The OSINT Omnibus |
| iptv-org/iptv |
Collection of 8000+ publicly available IPTV channels from all over the world |
| jofpin/trape |
People tracker on the Internet: OSINT analysis and research tool. |
| lanrat/certgraph |
An open source intelligence tool to crawl the graph of certificate Alternate Names |
| leapsecurity/InSpy |
A python based LinkedIn enumeration tool |
| OCCRP Data |
Search 102m public records and leaks from 179 sources |
| OpenCelliD |
OpenCelliD - Largest Open Database of Cell Towers & Geolocation - by Unwired Labs |
| OWASP/Amass |
In-depth Attack Surface Mapping and Asset Discovery |
| Pastebin dump collection |
Pastebin dump collection |
| Phonebook.cz |
Phonebook lists all domains, email addresses, or URLs for the given input domain. |
| s-rah/onionscan |
OnionScan is a free and open source tool for investigating the Dark Web. |
| sshell/reddit-analyzer |
find out when and where someone is posting to reddit |
| SpiderFoot |
SpiderFoot - Opensource Intelligence Automation |
| superhedgy/AttackSurfaceMapper |
AttackSurfaceMapper is a tool that aims to automate the reconnaissance process. |
| Recon-NG |
Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line you enter a shell like environment where you can configure options, perform recon and output results to different report types. |
| WhatsMyName Web |
This tool allows you to enumerate usernames across many websites |
| woj-ciech/kamerka |
Build interactive map of cameras from Shodan |
## Password Cracking and Wordlists
| 0xbadjuju/Tokenvator |
A tool to elevate privilege with Windows Tokens |
| 3xpl01tc0d3r/Callidus |
It is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services. |
| 411Hall/JAWS |
JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7. |
| api0cradle/LOLBAS |
Living Off The Land Binaries and Scripts (and now also Libraries) |
| api0cradle/UltimateAppLockerByPassList |
The goal of this repository is to document the most common techniques to bypass AppLocker. |
| Arvanaghi/SessionGopher |
SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. |
| BC-SECURITY/Empire |
Empire is a PowerShell and Python post-exploitation agent. |
| bohops/GhostBuild |
GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects |
| cobbr/Covenant |
Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. |
| cobbr/SharpSploit |
SharpSploit is a .NET post-exploitation library written in C# |
| Cn33liz/p0wnedShell |
p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET) |
| Cybellum/DoubleAgent |
DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run). |
| danielbohannon/Invoke-DOSfuscation |
Cmd.exe Command Obfuscation Generator & Detection Test Harness |
| danielbohannon/Invoke-Obfuscation |
Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator |
| DanMcInerney/icebreaker |
Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment |
| DefensiveOrigins/PlumHound |
Bloodhound for Blue and Purple Teams |
| eladshamir/Internal-Monologue |
Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS |
| FSecureLABS/physmem2profit |
Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely |
| fbkcs/ThunderDNS |
This tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support. |
| fireeye/SharPersist |
Windows persistence toolkit written in C#. |
| FuzzySecurity/PowerShell-Suite |
There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. |
| FuzzySecurity/Sharp-Suite |
My musings with C# |
| GhostPack/Seatbelt |
Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
| google/sandbox-attacksurface-analysis-tools |
This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated. |
| hlldz/dazzleUP |
A tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems. |
| hlldz/Invoke-Phant0m |
Windows Event Log Killer |
| huntresslabs/evading-autoruns |
Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017) |
| JohnLaTwC/PyPowerShellXray |
Python script to decode common encoded PowerShell scripts |
| jonatan1024/clrinject |
Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process. |
| Kevin-Robertson/Inveigh |
Windows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool |
| mattifestation/PoCSubjectInterfacePackage |
A PoC subject interface package (SIP) provider designed to educate about the required components of a SIP provider. |
| OmerYa/Invisi-Shell |
Hide your Powershell script in plain sight. Bypass all Powershell security features |
| putterpanda/mimikittenz |
A post-exploitation powershell tool for extracting juicy info from memory. |
| mdsecactivebreach/Chameleon |
Chameleon: A tool for evading Proxy categorisation |
| mdsecactivebreach/SharpShooter |
SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. |
| monoxgas/sRDI |
Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode |
| nccgroup/demiguise |
HTA encryption tool for RedTeams |
| nccgroup/GTFOBLookup |
Offline command line lookup utility for GTFOBins |
| Ne0nd0g/merlin |
Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. |
| NetSPI/ESC |
Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements. |
| NetSPI/goddi |
goddi (go dump domain info) dumps Active Directory domain information |
| outflanknl/Recon-AD |
Recon-AD, an AD recon tool based on ADSI and reflective DLL’s |
| peewpw/Invoke-PSImage |
Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute |
| peewpw/Invoke-WCMDump |
PowerShell Script to Dump Windows Credentials from the Credential Manager |
| Plazmaz/LNKUp |
Generates malicious LNK file payloads for data exfiltration |
| secretsquirrel/SigThief |
Stealing Signatures and Making One Invalid Signature at a Time |
| sensepost/goDoH |
godoh - A DNS-over-HTTPS C2 |
| sevagas/macro_pack |
macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation. |
| shellster/DCSYNCMonitor |
Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events. |
| SpiderLabs/DoHC2 |
DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). |
| stephenfewer/ReflectiveDLLInjection |
Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process |
| sud0woodo/DCOMrade |
Powershell script for enumerating vulnerable DCOM Applications |
| TheSecondSun/Bashark |
Bash post exploitation toolkit |
| trustedsec/unicorn |
Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. |
## Social Engineering
| Link |
Description |
| boxug/trape |
People tracker on the Internet: Learn to track the world, to avoid being traced. |
| dafthack/MailSniper |
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain. |
| drk1wi/Modlishka |
Modlishka. Reverse Proxy. Phishing NG. |
| certsocietegenerale/swordphish-awareness |
Swordphish is a plateform allowing to create and manage fake phishing campaigns. |
| curtbraz/Phishing-API |
Comprehensive Web Based Phishing Suite of Tools for Rapid Deployment and Real-Time Alerting! |
| Simple Email Reputation |
Illuminate the "reputation" behind an email address |
| fireeye/ReelPhish |
ReelPhish: A Real-Time Two-Factor Phishing Tool |
| gophish/gophish |
Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training |
| kgretzky/evilginx2 |
Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication |
| Mailsploit |
TL;DR: Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters. |
| mdsecactivebreach/o365-attack-toolkit |
o365-attack-toolkit allows operators to perform an OAuth phishing attack and later on use the Microsoft Graph API to extract interesting information. |
| muraenateam/muraena |
Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities. |
| Phishing Frenzy |
Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns |
| Raikia/UhOh365 |
A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't. |
| ring0lab/catphish |
Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers. |
| securestate/king-phisher |
Phishing Campaign Toolkit |
| thelinuxchoice/blackeye |
The most complete Phishing Tool, with 32 templates +1 customizable |
| thelinuxchoice/shellphish |
Phishing Tool for 18 social media: Instagram, Facebook, Snapchat, Github, Twitter, Yahoo, Protonmail, Spotify, Netflix, Linkedin, Wordpress, Origin, Steam, Microsoft, InstaFollowers, Gitlab, Pinterest |
| Undeadsec/EvilURL |
An unicode domain phishing generator for IDN Homograph Attack |
| UndeadSec/SocialFish |
Ultimate phishing tool. Socialize with the credentials |
| ustayready/CredSniper |
CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. |
## Vulnerable
