My curated list of awesome links, resources and tools on infosec related topics
Go to file
2018-07-28 08:54:27 +00:00
.travis.yml Update awesome_bot options 2017-11-09 23:27:59 +07:00
CODE_OF_CONDUCT.md Create CODE_OF_CONDUCT.md 2017-12-14 15:43:06 +07:00
LICENSE Initial commit 2017-11-09 23:11:18 +07:00
README.md Add: The HIDeous parts of IOKit 2018-07-28 08:54:27 +00:00

My Awesome

Awesome travis-banner

My curated list of awesome links, resources and tools


Articles


Digital Forensics and Incident Response

Digital Forensics and Incident Response: Platform: Unix/Linux

Digital Forensics and Incident Response: Platform: IoT

Digital Forensics and Incident Response: Platform: MacOS/iOS

Digital Forensics and Incident Response: Platform: Windows


Exploitation

Exploitation: Platform: Android

Exploitation: Platform: Linux

Exploitation: Platform: MacOS/iOS

Exploitation: Platform: Windows

Exploitation: Technique: Bypassing ASLR

Any related techniques for ASLR bypassing

Exploitation: Technique: Format Strings

Exploitation: Technique: Heap Exploitation

Exploitation: Technique: Integer Overflow

Exploitation: Technique: Return Oriented Programming

Exploitation: Technique: return-to-libc

return-to-libc techniques

Exploitation: Technique: Shellcoding

Exploitation: Technique: Stack Exploitation

Exploitation: Technique Use-After-Free

https://twitter.com/bellis1000/status/930154591081070592

Exploitation: Vulnerability: Spectre and Meltdown


Malware Analysis

Process Injection Info Graphic by struppigel

Malware Analysis: Variant: ATM & POS

Malware Analysis: Variant: BadRabbit

Malware Analysis: Variant: Bankbot

Malware Analysis: Variant: CCleaner Backdoor

Malware Analysis: Variant: Emotet

Malware Analysis: Variant: Hajime

Malware Analysis: Variant: Locky

Malware Analysis: Variant: Kangaroo

Malware Analysis: Variant: MAN1

Malware Analysis: Variant: (Created by) NSIS

Malware Analysis: Variant: Poison Ivy

Malware Analysis: Variant: Rig Ek

Malware Analysis: Variant: Trickbot


Mobile Security


Post Exploitation

Post Exploitation Platform: Windows

DCShadow

Post Exploitation Platform: Unix/Linux


Privacy


Reverse Engineering


Tutorials

American Fuzzy Lop
Amazon Web Services (AWS)
Binary Ninja
BloodHound
Docker
Elasticsearch
Frida
IDA Pro
Masscan
Mimikatz
MISP
osquery
PCILeech
RunPE
Splunk
Sysmon
Radare2
Volatility
WinDBG

Web Application Security

Web Application Security: CORS

Web Application Security: Technique: Cross-site Request Forgery

Web Application Security: Technique: Cross-site Scripting

Web Application Security: Technique: Serialization/Deserialization

Web Application Security: Technique: SQL Injection


Tools


Adversary Emulation

alphasoc/flightsim A utility to generate malicious network traffic and evaluate controls
Blue Team Training Toolkit Blue Team Training Toolkit (BT3) is designed for network analysis training sessions, incident response drills and red team engagements. Based on adversary replication techniques, and with reusability in mind, BT3 allows individuals and organizations to create realistic computer attack scenarios, while reducing infrastructure costs, implementation time and risk.
Cyb3rWard0g/Invoke-ATTACKAPI A PowerShell script to interact with the MITRE ATT&CK Framework via its own API
endgameinc/RTA RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK
guardicore/monkey Infection Monkey - An automated pentest tool
jymchoeng/AutoTTP Automated Tactics Techniques & Procedures
mitre/caldera An automated adversary emulation system
NextronSystems/APTSimulator A toolset to make a system look as if it was the victim of an APT attack
n0dec/MalwLess Test blue team detections without running any attack
TryCatchHCF/DumpsterFire "Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequence…
redcanaryco/atomic-red-team Small and highly portable detection tests based on MITRE's ATT&CK.
redhuntlabs/RedHunt-OS Virtual Machine for Adversary Emulation and Threat Hunting
uber-common/metta An information security preparedness tool to do adversarial simulation.

AWS Security

Alfresco/prowler Tool for AWS security assessment, auditing and hardening. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark.
andresriancho/nimbostratus Tools for fingerprinting and exploiting Amazon cloud infrastructures
asecurityteam/spacecrab Bootstraps an AWS account with everything you need to generate, mangage, and distribute and alert on AWS honey tokens. Made with breakfast roti by the Atlassian security team.
airbnb/BinaryAlert BinaryAlert: Serverless, Real-time & Retroactive Malware Detection
airbnb/streamalert StreamAlert is a serverless, realtime data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using datasources and alerting logic you define.
awslabs/aws-security-benchmark Open source demos, concept and guidance related to the AWS CIS Foundation framework.
carnal0wnage/weirdAAL WeirdAAL [AWS Attack Library] wiki!
cloudsploit/scans AWS security scanning checks
cyberark/SkyArk SkyArk is a cloud security tool, helps to discover, assess and secure the most privileged entities in AWS
dagrz/aws_pwn A collection of AWS penetration testing junk
disruptops/cred_scanner A simple file-based scaner to look for potential AWS accesses and secret keys in files
duo-labs/cloudtracker CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
duo-labs/cloudmapper CloudMapper helps you analyze your Amazon Web Services (AWS) environments.
eth0izzle/bucket-stream Find interesting Amazon S3 Buckets by watching certificate transparency logs.
FishermansEnemy/bucket_finder Amazon bucket brute force tool
glen-mac/goGetBucket A penetration testing tool to enumerate and analyse Amazon S3 Buckets owned by a domain.
kromtech/s3-inspector Tool to check AWS S3 bucket permissions
jordanpotti/AWSBucketDump Security Tool to Look For Interesting Files in S3 Buckets
jordanpotti/CloudScraper CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
lyft/metadataproxy A proxy for AWS's metadata service that gives out scoped IAM credentials from STS
MindPointGroup/cloudfrunt A tool for identifying misconfigured CloudFront domains
nccgroup/aws-inventory Discover resources created in an AWS account
nccgroup/PMapper A tool for quickly evaluating IAM permissions in AWS.
sendgrid/krampus The original AWS security enforcer™
nccgroup/Scout2 Security auditing tool for AWS environments
Netflix-Skunkworks/diffy Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT).
Netflix/security_monkey Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations.
prevade/cloudjack Route53/CloudFront Vulnerability Assessment Utility
sa7mon/S3Scanner Scan for open S3 buckets and dump
random-robbie/slurp Enumerate S3 buckets via certstream, domain, or keywords
RiotGames/cloud-inquisitor Enforce ownership and data security within AWS
toniblyx/prowler Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1
SecurityFTW/cs-suite Cloud Security Suite - One stop tool for auditing the security posture of AWS infrastructure.
ThreatResponse/margaritashotgun Remote Memory Acquisition Tool
ThreatResponse/aws_ir Python installable command line utiltity for mitigation of host and key compromises.

Binary Analysis

avast-tl/retdec RetDec is a retargetable machine-code decompiler based on LLVM
enkomio/shed .NET runtine inspector. Shed - Inspect .NET malware like a Sir
fireeye/flare-floss FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.
fireeye/flare-fakenet-ng FakeNet-NG - Next Generation Dynamic Network Analysis Tool
hasherezade/hollows_hunter A process scanner detecting and dumping hollowed PE modules.
hasherezade/hook_finder a small tool for investigating inline hooks (and other in-memory code patches)
LIEF Library to Instrument Executable Formats
pierrezurek/Signsrch tool for searching signatures inside files, extremely useful in reversing engineering for figuring or having an initial idea of what encryption/compression algorithm is used for a proprietary protocol or file. it can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime and easy to modify.
VisUAL A highly visual ARM emulator
williballenthin/python-idb Pure Python parser and analyzer for IDA Pro database files (.idb).

Cryptography

CERTCC/keyfinder A tool for analyzing private (and public) key files, including support for Android APK files.
CertDB Internet-wide search engine for digital certificates
mpgn/BEAST-PoC Poc of BEAST attack against SSL/TLS
mpgn/Padding-oracle-attack Padding oracle attack against PKCS7
mpgn/poodle-PoC Poodle (Padding Oracle On Downgraded Legacy Encryption) attack

Data Exfiltration

evilsocket/sg1 A wanna be swiss army knife for data encryption, exfiltration and covert communication.
pentestpartners/PTP-RAT Exfiltrate data over screen interfaces. For more information.
sensepost/DET DET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
SySS-Research/Seth Perform a MitM attack and extract clear text credentials from RDP connections

Data Sets

BOTS 1.0 Dataset The BOTS 1.0 dataset records two attacks perpetrated by a fictitious hacktivist group called po1s0n1vy targeting Wayne Corp of Batman mythology. There are many comic book references in the data; from heroes and villains to “Batmans” street addresses. Not only does the dataset have many different types of data—everything from Sysmon to Suricata—but there are even file hashes that can be found in Virustotal.com and domains/IPs to hunt for in OSINT tools like PassiveTotal and Robtex!
SecRepo.com - Samples of Security Related Data Finding samples of various types of Security related can be a giant pain. This is my attempt to keep a somewhat curated list of Security related data I've found, created, or was pointed to. If you perform any kind of analysis with any of this data please let me know and I'd be happy to link it from here or host it here. Hopefully by looking at others research and analysis it will inspire people to add-on, improve, and create new ideas.

Digital Forensics and Incident Response

$I File Parser Free Forensics Tool $I File Parser
ANSSI-FR/bits_parser Extract BITS jobs from QMGR queue and store them as CSV records
ANSSI-FR/bmc-tools RDP Bitmap Cache Parser
Broctets-and-Bytes/Darwin This script is designed to be run against a mounted image, live system, or device in target disk mode. The script automates the collection of key files for MacOS investigations.
bromiley/olaf Office365 Log Analysis Framework: OLAF is a collection of tools, scripts, and analysis techniques dealing with O365 Investigations.
carmaa/inception Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
cryps1s/DARKSURGEON DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense.
Cyb3rWard0g/HELK A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities.
davehull/Kansa A Powershell incident response framework
draios/sysdig Linux system exploration and troubleshooting tool with first class support for containers
ForensicArtifacts/artifacts Digital Forensics Artifact Repository
gleeda/memtriage Allows you to quickly query a Windows machine for RAM artifacts
google/docker-explorer A tool to help forensicate offline docker **acquisitions**
google/grr GRR is a python client (agent) that is installed on target systems, and python server infrastructure that can manage and talk to clients.
google/rekall The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems.
Hibernation Recon The tools and techniques used for many years to analyze Microsoft Windows® hibernation files have left digital forensics experts in the dark… until now!
Invoke-IR/ACE The Automated Collection and Enrichment (ACE) platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data. The data is collected by running scripts on each computer without installing any software on the target. ACE supports collecting from Windows, macOS, and Linux hosts.
JPCERTCC/LogonTracer Investigate malicious Windows logon by visualizing and analyzing Windows event log
IllusiveNetworks-Labs/HistoricProcessTree An Incident Response tool that visualizes historic process execution evidence (based on Event ID 4688 - Process Creation Event) in a tree view.
intezer/linux-explorer Easy-to-use live forensics toolbox for Linux endpoints
Invoke-IR/PowerForensics PowerForensics provides an all in one platform for live disk forensic analysis
Log Parser Log Parser 2.2 is a powerful, versatile tool that provides universal query access to text-based data such as log files, XML files and CSV files, as well as key data sources on the Windows operating system such as the Event Log, the Registry, the file system, and Active Directory
log2timeline/plaso log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them.
MalwareSoup/MitreAttack Python wrapper for the Mitre ATT&CK framework API
mozilla/mig Distributed & real time digital forensics at the speed of the cloud
mozilla/MozDef MozDef: The Mozilla Defense Platform
nannib/Imm2Virtual This is a GUI (for Windows 64 bit) for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox, forensically proof.
OSSEC Open Source HIDS SECurity
williballenthin/INDXParse Tool suite for inspecting NTFS artifacts
nshalabi/SysmonTools Utilities for Sysmon (Sysmon View and Sysmon Shell)
refractionPOINT/limacharlie LC is an Open Source, cross-platform (Windows, MacOS, Linux ++), realtime Endpoint Detection and Response sensor. The extra-light sensor, once installed on a system provides Flight Data Recorder type information (telemetry on all aspects of the system like processes, DNS, network IO, file IO etc).
The Sleuth Kit sleuthkit.org is the official website for The Sleuth Kit®, Autopsy®, and other open source digital investigation tools. From here, you can find documents, case studies, and download the latest versions of the software.
THIBER-ORG/userline Query and report user logons relations from MS Windows Security Events
USN Analytics USN Analytics is a tool that specializes in USN Journal ($UsnJrnl:$J) analysis
williballenthin/EVTXtract EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
williballenthin/process-forest process-forest is a tool that processes Microsoft Windows EVTX event logs that contain process accounting events and reconstructs the historical process heirarchies.

Exploits

CVE-2016-7255 The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability."
CVE-2017-5123 The `waitid` implementation in upstream kernels did not restrict the target destination to copy information results. This can allow local users to write to otherwise protected kernel memory, which can lead to privilege escalation.
CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
CVE-2017-7089 A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. Processing maliciously crafted web content may lead to universal cross site scripting.
CVE-2017-7115 The exploit achieves R/W access to the host's physical memory. The password for the archive is "one_ring". This exploit has been tested on the iPhone 7, iOS 10.2 (14C92). To run the exploit against different devices or versions, the symbols must be adjusted.
CVE-2017-8464 Windows Shell in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, 1607, 1703, and Windows Server 2016 allows local users or remote attackers to execute arbitrary code via a crafted .LNK file, which is not properly handled during icon display in Windows Explorer or any other application that parses the icon of the shortcut. aka "LNK Remote Code Execution Vulnerability."
CVE-2017-8750 Microsoft Office allows a remote code execution vulnerability due to the way that it handles objects in memory, aka "Microsoft Office Remote Code Execution Vulnerability". This CVE ID is unique from CVE-2017-0243.
CVE-2017-8759 Microsoft .NET Framework 2.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2 and 4.7 allow an attacker to execute code remotely via a malicious document or application, aka ".NET Framework Remote Code Execution Vulnerability."
CVE-2017-11882 Microsoft Office 2007 Service Pack 3, Microsoft Office 2010 Service Pack 2, Microsoft Office 2013 Service Pack 1, and Microsoft Office 2016 allow an attacker to run arbitrary code in the context of the current user by failing to properly handle objects in memory, aka "Microsoft Office Memory Corruption Vulnerability". This CVE ID is unique from CVE-2017-11884.
CVE-2017-13082 Wi-Fi Protected Access (WPA and WPA2) that supports IEEE 802.11r allows reinstallation of the Pairwise Transient Key (PTK) Temporal Key (TK) during the fast BSS transmission (FT) handshake, allowing an attacker within radio range to replay, decrypt, or spoof frames.
CVE-2017-15944 Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
CVE-2017-16995 The check_alu_op function in kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact by leveraging incorrect sign extension.
CVE-2017-17215
CVE-2018-0743 Windows Subsystem for Linux in Windows 10 version 1703, Windows 10 version 1709, and Windows Server, version 1709 allows an elevation of privilege vulnerability due to the way objects are handled in memory, aka "Windows Subsystem for Linux Elevation of Privilege Vulnerability".
CVE-2018-0886 The Credential Security Support Provider protocol (CredSSP) in Microsoft Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1 and RT 8.1, Windows Server 2012 and R2, Windows 10 Gold, 1511, 1607, 1703, and 1709 Windows Server 2016 and Windows Server, version 1709 allows a remote code execution vulnerability due to how CredSSP validates request during the authentication process, aka "CredSSP Remote Code Execution Vulnerability".
CVE-2018-4878 A critical vulnerability (CVE-2018-4878) exists in Adobe Flash Player 28.0.0.137 and earlier versions. Successful exploitation could potentially allow an attacker to take control of the affected system.
CVE-2018-7600 Drupal before 7.58, 8.x before 8.3.9, 8.4.x before 8.4.6, and 8.5.x before 8.5.1 allows remote attackers to execute arbitrary code because of an issue affecting multiple subsystems with default or common module configurations.
CVE-2018-8897 A statement in the System Programming Guide of the Intel 64 and IA-32 Architectures Software Developer's Manual (SDM) was mishandled in the development of some or all operating-system kernels, resulting in unexpected behavior for #DB exceptions that are deferred by MOV SS or POP SS, as demonstrated by (for example) privilege escalation in Windows, macOS, some Xen configurations, or FreeBSD, or a Linux kernel crash. The MOV to SS and POP SS instructions inhibit interrupts (including NMIs), data breakpoints, and single step trap exceptions until the instruction boundary following the next instruction (SDM Vol. 3A; section 6.8.3). (The inhibited data breakpoints are those on memory accessed by the MOV to SS or POP to SS instruction itself.) Note that debug exceptions are not inhibited by the interrupt enable (EFLAGS.IF) system flag (SDM Vol. 3A; section 2.3). If the instruction following the MOV to SS or POP to SS instruction is an instruction like SYSCALL, SYSENTER, INT 3, etc. that transfers control to the operating system at CPL < 3, the debug exception is delivered after the transfer to CPL < 3 is complete. OS kernels may not expect this order of events and may therefore experience unexpected behavior when it occurs.
Eplox/TCP-Starvation The idea behind this attack is to close a TCP session on the attacker's side, while leaving it open for the victim. Looping this will quickly fill up the victims session limit, effectively denying other users to access the service.
externalist/exploit_playground Analysis of public exploits or my 1day exploits
FriendsOfPHP/security-advisories The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption.
https://github.com/hasherezade/process_doppelganging My implementation of enSilo's Process Doppelganging (PE injection technique)
gellin/TeamViewer_Permissions_Hook_V1 A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions.
MSRC-41867 Local DoS on All Windows Version MSRC-41867 Local DoS on All Windows Version (Won't Fix)
ScottyBauer/Android_Kernel_CVE_POCs A list of my CVE's with POCs
Spajed/processrefund An attempt at Process Doppelgänging
spencerdodd/kernelpop Kernel privilege escalation enumeration and exploitation framework
tunz/js-vuln-db A collection of JavaScript engine CVEs with PoCs
victims/victims-cve-db This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources.
xairy/kernel-exploits A bunch of proof-of-concept exploits for the Linux kernel

Hardening

Security Technical Implementation Guides (STIGs) The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems.
Strategies to Mitigate Cyber Security Incidents The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems.
Windows Security Baseline A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Hardware

ufrisk/pcileech Direct Memory Access (DMA) Attack Software

Malware Analysis

activecm/rita Real Intelligence Threat Analytics
adamkramer/rapid_env Rapid deployment of Windows environment (files, registry keys, mutex etc) to facilitate malware analysis
APT Groups, Operations and Malware Search Engine APT Groups, Operations and Malware Search Engine
CAPE Sandbox Malware Configuration And Payload Extraction
Cryptam Document Scanner Encrypted/obfuscated malicious document analyzer
DAS MALWERK DAS MALWERK - your one stop shop for fresh malware samples
FAME FAME Automates Malware Evaluation
glmcdona/Process-Dump Windows tool for dumping malware PE files from memory back to disk for analysis.
hasherezade/libpeconv/runpe RunPE (aka Process Hollowing) is a well known technique allowing to injecting a new PE into a remote processes, imprersonating this process. The given implementation works for PE 32bit as well as 64bit.
hasherezade/pe-sieve Scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE.
hegusung/AVSignSeek Tool written in python3 to determine where the AV signature is located in a binary/payload
hlldz/SpookFlare Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.
IRIS-H IRIS-H is an online digital forensics tool that performs automated static analysis of files stored in a directory-based or strictly structured formats.
jgamblin/Mirai-Source-Code Leaked Mirai Source Code for Research/IoC Development Purposes.
KasperskyLab/klara Klara project is aimed at helping Threat Intelligence researechers hunt for new malware using Yara.
katjahahn/PortEx Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness
Koodous Koodous is a collaborative platform that combines the power of online analysis tools with social interactions between the analysts over a vast APKs repository.
LordNoteworthy/al-khaser Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
Malpedia The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research.
malwareinfosec/EKFiddle A framework based on the Fiddler web debugger to study Exploit Kits, malvertising and malicious traffic in general.
Malwaretiverse maltiverse - Connect the dots - The definitive IoC search engine
Malwares Malware SRC Database
Neo23x0/APTSimulator A toolset to make a system look as if it was the victim of an APT attack
nsmfoo/antivmdetection Script to create templates to use with VirtualBox to make vm detection harder
OALabs/BlobRunner Quickly debug shellcode extracted during malware analysis
OALabs/PyIATRebuild Automatically rebuild Import Address Table for dumped PE file. With python bindings!
P4T12ICK/ypsilon Ypsilon is an Automated Security Use Case Testing Environment using real malware to test SIEM use cases in an closed environment. Different tools such as Ansible, Cuckoo, VirtualBox, Splunk and ELK are combined to determine the quality of a SIEM use case by testing any number of malware against a SIEM use case. Finally, a test report is generated giving insight to the quality of an use case.
phage-nz/ph0neutria ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability.
quasar/QuasarRAT Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you.
GoSecure/malboxes Builds malware analysis Windows VMs so that you don't have to.
SafeBreach-Labs/mkmalwarefrom Proof-of-concept two-stage dropper generator that uses bits from external sources
SEKOIA Dropper Analysis SEKOIA Dropper Analysis
UNIT 42: Playbook Viewver Viewing PAN Unit 42's adversary playbook via web interface

Mobile Security

ac-pm/Inspeckage Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
Apktool A tool for reverse engineering Android apk files
chaitin/passionfruit Simple iOS app blackbox assessment tool. Powered by frida.re and vuejs.
dpnishant/appmon AppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida.
Cycript Cycript allows developers to explore and modify running applications on either iOS or Mac OS X using a hybrid of Objective-C++ and JavaScript syntax through an interactive console that features syntax highlighting and tab completion
dmayer/idb idb is a tool to simplify some common tasks for iOS pentesting and research
Drozer Comprehensive security and attack framework for Android
frida/frida Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
iSECPartners/Android-SSL-TrustKiller Bypass SSL certificate pinning for most applications
KJCracks/Clutch Fast iOS executable dumper
linkedin/qark Tool to look for several security related Android application vulnerabilities
MobSF/Mobile-Security-Framework-MobSF Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing
mwrlabs/needle The iOS Security Testing Framework
nccgroup/house A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.
nygard/class-dump Generate Objective-C headers from Mach-O files
pxb1988/dex2jar Tools to work with android .dex and java .class files
sensepost/objection objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device.
skylot/jadx Dex to Java decompiler
stefanesser/dumpdecrypted Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.
swdunlop/AndBug Android Debugging Library
tcurdt/iProxy Let's you connect your laptop to the iPhone to surf the web.

Network Security

aol/moloch Moloch is an open source, large scale, full packet capturing, indexing, and database system
byt3bl33d3r/MITMf Framework for Man-In-The-Middle attacks
DNSDB Global DNS Search Engine
eldraco/domain_analyzer Analyze the security of any domain by finding all the information possible. Made in python.
infobyte/evilgrade Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set.
michenriksen/aquatone AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
NetworkScan Mon NetworkScan Monitor by Netlab 360
PacketTotal A free, online PCAP analysis engine
USArmyResearchLab/Dshell An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
WiGLE Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers.
WireEdit First-Of-A-Kind And The Only Full Stack WYSIWYG Pcap Editor
The ZMap Project The ZMap Project is a collection of open source tools that enable researchers to perform large-scale studies of the hosts and services that compose the public Internet.

Password Cracking and Wordlists

berzerk0/Probable-Wordlists Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!
fireeye/gocrack GoCrack provides APIs to manage password cracking tasks across supported cracking engines.
sc0tfree/mentalist Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
danielmiessler/SecLists SecLists is the security tester's companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.

Plugins

Burp Suite
1N3/IntruderPayloads A collection of Burpsuite Intruder payloads, fuzz lists and file uploads
nccgroup/freddy Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans
lightbulb-framework/lightbulb-framework LightBulb is an open source python framework for auditing web application firewalls and filters.
summitt/Burp-Non-HTTP-Extension Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
GDB
cs01/gdbgui Browser-based frontend to gdb (gnu debugger). Add breakpoints, view the stack, visualize data structures, and more in C, C++, Go, Rust, and Fortran. Run gdbgui from the terminal and a new tab will open in your browser.
cyrus-and/gdb-dashboard Modular visual interface for GDB in Python
longld/peda PEDA - Python Exploit Development Assistance for GDB
Frida
0xdea/frida-scripts A collection of my Frida.re instrumentation scripts to facilitate reverse engineering of mobile apps.
brompwnie/uitkyk Uitkyk is a custom Android Frida libary which provides an API to analyze Android applications for malicious activity. This is a PoC library to illustrate the capabilities of performing runtime analysis on Android. Additionally Uitkyk is a collection of resources to assist in the identification of malicious Android applications at runtime.
Frida Codeshare The Frida CodeShare project is comprised of developers from around the world working together with one goal - push Frida to its limits in new and innovative ways.
IDA Pro
airbus-seclab/bincat Binary code static analyser, with IDA integration. Performs value and taint analysis, type reconstruction.
CrowdStrike/CrowdDetox The CrowdDetox plugin for Hex-Rays automatically removes junk code and variables from Hex-Rays function decompilations.
fireeye/SimplifyGraph IDA Pro plugin to assist with complex graphs
IDAConnect/IDAConnect [WIP] Collaborative Reverse Engineering plugin for IDA Pro & Hex-Rays
gaasedelen/lighthouse Lighthouse is a code coverage plugin for IDA Pro. The plugin leverages IDA as a platform to map, explore, and visualize externally collected code coverage data when symbols or source may not be available for a given binary.
hasherezade/ida_ifl IFL - Interactive Functions List (plugin for IDA Pro)
joxeankoret/diaphora Diaphora, a Free and Open Source program diffing tool
OALabs/FindYara IDA python plugin to scan binary with Yara rules
onethawt/idaplugins-list A list of IDA Plugins
tintinweb/ida-batch_decompile *Decompile All the Things- - IDA Batch Decompile plugin and script for Hex-Ray's IDA Pro that adds the ability to batch decompile multiple files and their imports with additional annotations (xref, stack var size) to the pseudocode .c file
Riscure/DROP-IDA-plugin Experimental opaque predicate detection for IDA Pro
osquery
trailofbits/osquery-extensions Trail of Bits osquery Extensions
Radare2
radareorg/cutter A Qt and C++ GUI for radare2 reverse engineering framework
wargio/r2dec-js radare2 plugin - converts asm to pseudo-C code. (experimental)
WinDBG
comaeio/SwishDbgExt Incident Response & Digital Forensics Debugging Extension
Microsoft/DbgShell A PowerShell front-end for the Windows debugger engine.
swwwolf/wdbgark WinDBG Anti-RootKit Extension

Post Exploitation

0xbadjuju/Tokenvator A tool to elevate privilege with Windows Tokens
411Hall/JAWS JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
api0cradle/LOLBAS Living Off The Land Binaries and Scripts (and now also Libraries)
api0cradle/UltimateAppLockerByPassList The goal of this repository is to document the most common techniques to bypass AppLocker.
caseysmithrc/Inject.cs DotNetToJScript Build Walkthrough
Cybellum/DoubleAgent DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
danielbohannon/Invoke-DOSfuscation Cmd.exe Command Obfuscation Generator & Detection Test Harness
danielbohannon/Invoke-Obfuscation Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator
DanMcInerney/icebreaker Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
eladshamir/Internal-Monologue Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
FuzzySecurity/PowerShell-Suite There are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
google/sandbox-attacksurface-analysis-tools This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
hlldz/Invoke-Phant0m Windows Event Log Killer
huntresslabs/evading-autoruns Slides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
JohnLaTwC/PyPowerShellXray Python script to decode common encoded PowerShell scripts
jonatan1024/clrinject Injects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
mattifestation/PoCSubjectInterfacePackage A PoC subject interface package (SIP) provider designed to educate about the required components of a SIP provider.
putterpanda/mimikittenz A post-exploitation powershell tool for extracting juicy info from memory.
sevagas/macro_pack macro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation.
mdsecactivebreach/SharpShooter SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
monoxgas/sRDI Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
nccgroup/demiguise HTA encryption tool for RedTeams
NetSPI/goddi goddi (go dump domain info) dumps Active Directory domain information
peewpw/Invoke-PSImage Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
peewpw/Invoke-WCMDump PowerShell Script to Dump Windows Credentials from the Credential Manager
Plazmaz/LNKUp Generates malicious LNK file payloads for data exfiltration
shellster/DCSYNCMonitor Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events.
secretsquirrel/SigThief Stealing Signatures and Making One Invalid Signature at a Time
stephenfewer/ReflectiveDLLInjection Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
trustedsec/unicorn Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

Privacy

agherzan/yubikey-full-disk-encryption Use YubiKey to unlock a LUKS partition
Outline Making it safer to break the news
Security Planner Improve your online safety with advice from experts
securitywithoutborders/hardentools Hardentools is a utility that disables a number of risky Windows features

Social Engineering and OSINT

boxug/trape People tracker on the Internet: Learn to track the world, to avoid being traced.
dafthack/MailSniper MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.
Dark Web Map Dark Web Map - A visualization of 6.6k Tor onion services
DataSploit/datasploit An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats.
fireeye/ReelPhish ReelPhish: A Real-Time Two-Factor Phishing Tool
haccer/twint An advanced Twitter scraping & OSINT tool written in Python that doesn't use Twitter's API, allowing you to scrape a user's followers, following, Tweets and more while evading most API limitations.
Mailsploit TL;DR: Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters.
OCCRP Data Search 102m public records and leaks from 179 sources
securestate/king-phisher Phishing Campaign Toolkit
SpiderFoot SpiderFoot - Opensource Intelligence Automation
Undeadsec/EvilURL An unicode domain phishing generator for IDN Homograph Attack
ustayready/CredSniper CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.

Vulnerable

Billy-Ellis/Exploit-Challenges A collection of vulnerable ARM binaries for practicing exploit development
bkerler/exploit_me Very vulnerable ARM application (CTF style exploitation tutorial)
bkimminich/juice-shop OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
clong/DetectionLab Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices
cliffe/SecGen SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques.
Lenas Reversing for Newbies Nice collection of tutorials aimed particularly for newbie reverse enginners...
google/google-ctf This repository lists most of the challenges used in the Google CTF 2017. The missing challenges are not ready to be open-sourced, or contain third-party code.
OWASP/iGoat-Swift OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS
rapid7/hackazon A modern vulnerable web app
Reverse Engineering Welcome to the Reverse Engineering open course! This course is a journey into executable binaries and operating systems from 3 different angles: 1) Malware analysis, 2) Bug hunting and 3) Exploit writing. Both Windows and Linux x86/x86_64 platforms are under scope.
sagishahar/lpeworkshop Windows / Linux Local Privilege Escalation Workshop
SEED Labs Various labs from SEED Project
Vulnerable Docker VM Ever fantasized about playing with docker misconfigurations, privilege escalation, etc. within a container?

Web Application Security

ambionics/phpggc PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically.
appsecco/spaces-finder A tool to hunt for publicly accessible DigitalOcean Spaces
anatshri/svn-extractor Simple script to extract all web resources by means of .SVN folder exposed over network.
brannondorsey/dns-rebind-toolkit A front-end JavaScript toolkit for creating DNS rebinding attacks.
IlluminateJs IlluminateJs is a static javascript analysis engine (a deobfuscator so to say) aimed to help analyst understand obfuscated and potentially malicious JavaScript Code.
ismailtasdelen/xss-payload-list Cross Site Scripting ( XSS ) Vulnerability Payload List
IRONWASP IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners
jonluca/Anubis Subdomain enumeration and information gathering tool
mazen160/bfac BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code.
mindedsecurity/JStillery Advanced JS Deobfuscation via Partial Evaluation.
mwrlabs/dref DNS Rebinding Exploitation Framework
NetSPI/PowerUpSQL PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
Oracle EBS Penetration testing tool ERPScan EBS Pentesting Tool is a freeware for pentesters and security professionals. With the help of it, you can conduct penetration testing and vulnerability assessment of Oracle E-Business Suite systems using Black Box testing methodologies.
OWASP Zed Attack Proxy Project The OWASP Zed Attack Proxy (ZAP) is one of the worlds most popular free security tools and is actively maintained by hundreds of international volunteers*. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. Its also a great tool for experienced pentesters to use for manual security testing
Public WWW Source Code Search Engine
pwntester/ysoserial.net Deserialization payload generator for a variety of .NET formatters
RhinoSecurityLabs/SleuthQL Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
Snyk Continuously find & fix vulnerabilities in your dependencies