├── .gitignore ├── AI_LLm.md ├── All.md ├── BinaryAnalysis.md ├── BlackHat2018.md ├── Defence.md ├── Meltdown_Spectre.md ├── PenetrationTest.md ├── Practice_CTF.md ├── ProofofConcept_Exploit.md ├── README.md ├── Scanner.md ├── SecurityDoucument.md ├── ThreatIntelligence_Honey.md ├── check.pl └── tool.sh /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | tool.pl 3 | renew.pl 4 | -------------------------------------------------------------------------------- /AI_LLm.md: -------------------------------------------------------------------------------- 1 | ## AI&LMM安全隐私 2 | 3 | agentic_security 大型语言模型 (LLM) 的开源漏洞扫描程序,保护人工智能系统免受越狱、模糊测试和多模式攻击。 https://github.com/msoedov/agentic_security 4 | 5 | Awesome-LM-SSP 大模型安全隐私集 https://github.com/ThuCCSLab/Awesome-LM-SSP 6 | 7 | agentic-radar 大模型代理端工作流安全扫描 https://github.com/splx-ai/agentic-radar 8 | 9 | llm-sp 大模型安全和隐私论文和资源集 https://github.com/chawins/llm-sp 10 | 11 | llm-security-101 大模型安全安全初步,包括攻防工具及其现状 https://github.com/Seezo-io/llm-security-101 12 | 13 | AIJack: 机器学习安全和隐私风险模拟器,支持大量攻防算法 https://github.com/Koukyosyumei/AIJack 14 | 15 | awesome-ai-security AI安全框架,标准,学习资源和工具集 https://github.com/ottosulin/awesome-ai-security 16 | 17 | PurpleLlama meta的评估和改善大模型安全的工具集 https://github.com/meta-llama/PurpleLlama 18 | 19 | llm-security Dropbox的Prompt注入方法 https://github.com/dropbox/llm-security 20 | 21 | llm-security 间接Prompt注入,一种模仿大模型进行钓鱼攻击 https://github.com/greshake/llm-security 22 | 23 | vulnhuntr 使用大模型和静态分析工具的远程仓库安全评估 https://github.com/protectai/vulnhuntr 24 | 25 | Awesome_GPT_Super_Prompting 大模型安全集,包括ChatGPT越狱、GPT 助手提示泄漏、GPTs提示注入、LLM提示安全、超级提示、Prompt 黑客、Prompt安全、AI Prompt工程、对抗性机器学习 、https://github.com/CyberAlbSecOP/Awesome_GPT_Super_Prompting 26 | 27 | Awesome-Jailbreak-on-LLMs 大模型越狱集,包括论文、代码、数据集以及评估分析方法 https://github.com/yueliu1999/Awesome-Jailbreak-on-LLMs 28 | 29 | LLM Hacker's Handbook 大模型黑客手册 https://github.com/forcesunseen/llm-hackers-handbook 30 | 31 | -------------------------------------------------------------------------------- /All.md: -------------------------------------------------------------------------------- 1 | 2 | ## 漏洞利用&实战练习平台: 3 | 4 | 信息安全初步集:包括信息安全博客、认证、课程、社区、播客、工具等 5 | https://github.com/gradiuscypher/infosec_getting_started 6 | 7 | WebGoat漏洞练习环境 8 | https://github.com/WebGoat/WebGoat 9 | 10 | https://github.com/WebGoat/WebGoat-Legacy 11 | 12 | https://github.com/RandomStorm/DVWA 13 | 14 | DoraBox,多拉盒 - 掌握常见漏洞攻防 15 | https://github.com/gh0stkey/DoraBox 16 | 17 | 一个功能很全的CTF平台 18 | https://github.com/zjlywjh001/PhrackCTF-Platform-Team 19 | 20 | 针对Pentest或者CTF的一个fuzz payload项目。 21 | https://github.com/zer0yu/Berserker 22 | 23 | Web安全实战:日安全-Web安全攻防小组关于Web安全的系列文章分享和HTB靶场 24 | https://github.com/hongriSec/Web-Security-Attack 25 | 26 | upload-labs很全的上传上传漏洞的靶场 27 | https://github.com/c0ny1/upload-labs 28 | 29 | 跟踪真实漏洞相关靶场环境搭建 30 | https://github.com/yaofeifly/Vub_ENV 31 | 32 | H1ve是一款自研CTF平台,同时具备解题、攻防对抗模式。 33 | https://github.com/D0g3-Lab/H1ve 34 | 35 | 使用docker快速搭建各大漏洞靶场,目前可以一键搭建17个靶场。 36 | https://github.com/c0ny1/vulstudy 37 | 38 | 🚀Vulfocus 是一个漏洞集成平台,将漏洞环境 docker 镜像,放入即可使用,开箱即用。 39 | https://github.com/fofapro/vulfocus 40 | 41 | 数据库注入练习平台 42 | https://github.com/Audi-1/sqli-labs 43 | 44 | 用node编写的漏洞练习平台,like OWASP Node Goat 45 | https://github.com/cr0hn/vulnerable-node 46 | 47 | 基于https://www.exploit-db.com/的漏洞场景还原 48 | https://github.com/havysec/vulnerable-scene 49 | 50 | Ruby编写的一款工具,生成含漏洞的虚拟机 51 | https://github.com/cliffe/secgen 52 | 53 | metasploitable3 54 | https://github.com/rapid7/metasploitable3/ 55 | 56 | pentesterlab渗透测试在线练习 57 | https://pentesterlab.com/exercises/ 58 | 59 | 轻量web漏洞演示平台 60 | https://github.com/stamparm/DSVW 61 | 62 | docker搭建的漏洞练习环境 63 | https://github.com/MyKings/docker-vulnerability-environment 64 | 65 | 黑客技术训练环境 66 | https://github.com/joe-shenouda/awesome-cyber-skills 67 | 68 | web及app渗透训练平台 69 | https://github.com/OWASP/SecurityShepherd 70 | 71 | DevSecOps技能训练营 72 | https://github.com/devsecops/bootcamp 73 | 74 | injectify 生成一个便捷的高级中间人攻击Web站点 75 | https://github.com/samdenty99/injectify 76 | 77 | 针对ctf线下赛流量抓取(php)、真实环境流量抓取分析的工具 78 | https://github.com/wupco/weblogger 79 | 80 | permeate:一个用于渗透透测试演练的WEB系统,用于提升寻找网站能力,也可以用于web安全教学 81 | https://github.com/78778443/permeate 82 | 83 | 基于Docker-Compose的漏洞预构建环境https://vulhub.org 84 | https://github.com/vulhub/vulhub 85 | 86 | Ackazon是一个免费的,漏洞测试在线web站点,其构建方式与当今的富客户端和移动应用程序中使用的技术相同。 87 | https://github.com/rapid7/hackazon 88 | 89 | ### 安全竞赛 (CTF夺标大赛) 90 | 91 | Google2019CTF web 解题思路 92 | https://xz.aliyun.com/t/5503 93 | 94 | 2018 第一届安洵杯 题目环境/源码 95 | https://github.com/D0g3-Lab/AXB-CTF 96 | 97 | google-ctf 包括2017和2018全部试题和答案 98 | https://github.com/google/google-ctf/ 99 | 100 | HCTF2017题目及解析 101 | https://github.com/vidar-team/HCTF2017 102 | 103 | CTF挑战平台 104 | https://github.com/CTFTraining 105 | 106 | CTF和安全工具大合集 107 | https://github.com/zardus/ctf-tools 108 | 109 | 近年CTF writeup大全 110 | https://github.com/ctfs/write-ups-2016 111 | 112 | HITB CTF 2017 Pwn题研究 113 | http://0x48.pw/2017/08/29/0x49 114 | 115 | 脸谱CTF竞赛平台Demo 116 | https://github.com/facebook/fbctf 117 | 118 | CTF框架、类库、资源、软件和教程列表 119 | https://github.com/apsdehal/awesome-ctf 120 | 121 | CTF的题集 122 | https://github.com/Hcamael/CTF_repo 123 | 124 | CTF资源 125 | https://github.com/ctfs/resources 126 | 127 | CTF从入门到了解各种工具 128 | https://github.com/SandySekharan/CTF-tool 129 | 130 | p4团队的CTF解决方案 https://p4.team 131 | https://github.com/p4-team/ctf 132 | 133 | ctftools 在线CTF信息网站,包括资源下载、在线工具、信息blog等 134 | https://www.ctftools.com 135 | 136 | 🔐 All Security Engineering Resources 137 | https://github.com/brianlam38/Sec-Dump 138 | 139 | ## OSCP&OSCE 140 | 141 | 备考 OSCP 的各种干货资料/渗透测试干货资料 142 | https://github.com/Jewel591/OSCP-Pentest-Methodologies 143 | 144 | OSCPRepo:This is a list of resources and scripts that I have been gathering (and continuing to gather) in preparation for the OSCP. 145 | https://github.com/rewardone/OSCPRepo 146 | 147 | Collection of things made during my OSCP journey 148 | https://github.com/ihack4falafel/OSCP 149 | 150 | A comprehensive guide/material for anyone looking to get into infosec or take the OSCP exam 151 | https://github.com/RustyShackleford221/OSCP-Prep 152 | 153 | Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet 154 | https://github.com/OlivierLaflamme/Cheatsheet-God 155 | 156 | A curated list of awesome OSCP resources 157 | https://github.com/0x4D31/awesome-oscp 158 | 159 | An archive of everything related to OSCP 160 | https://github.com/CyDefUnicorn/OSCP-Archives 161 | 162 | A list of the resources I use as I get ready for the exam 163 | https://github.com/burntmybagel/OSCP-Prep 164 | 165 | OSCP cheat sheet 166 | https://github.com/xMilkPowderx/OSCP 167 | 168 | OSCP-Human-Guide 169 | https://github.com/six2dez/OSCP-Human-Guide 170 | 171 | Good For OSCP Training 172 | https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice 173 | 174 | https://github.com/so87/OSCP-PwK 175 | This is my cheatsheet and scripts developed while taking the Offensive Security Penetration Testing with Kali Linux course. 176 | 177 | OSCP-60daysOSCP (Offensive Security Certified Professional) 178 | https://github.com/anandkumar11u/OSCP-60days 179 | 180 | OSCP-Cheatsheet 181 | https://github.com/tagnullde/OSCP 182 | 183 | GitBook: OSCP RoadMap 184 | https://github.com/nairuzabulhul/RoadMap 185 | 186 | OSCP-Automation:A collection of personal scripts used in hacking excercises. 187 | https://github.com/C-Cracks/OSCP-Automation 188 | 189 | A random set of 5 machines for OSCP 190 | https://github.com/ajdumanhug/oscp-practice 191 | 192 | Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind 193 | https://github.com/M4ximuss/Powerless 194 | 195 | Collection of things made during my preparation to take on OSCE 196 | https://github.com/ihack4falafel/OSCE 197 | 198 | Some exploits, which I’ve created during my OSCE preparation. 199 | https://github.com/dhn/OSCE 200 | 201 | Used for the osce exam preparation 202 | https://github.com/73696e65/windows-exploits 203 | 204 | 📙 Markdown Templates for Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam report 205 | https://github.com/noraj/OSCP-Exam-Report-Template-Markdown 206 | 207 | A list of freely available resources that can be used as a prerequisite before taking OSCE. 208 | https://github.com/snoopysecurity/OSCE-Prep 209 | 210 | ## 安全扫描器: 211 | 212 | ### 端口扫描器 213 | 214 | 扫描神器Nmap 215 | https://github.com/nmap/nmap 216 | 217 | Nmap NSE脚本推荐 218 | http://www.polaris-lab.com/index.php/archives/390/ 219 | 220 | Awesome Burp Extensions 221 | https://github.com/snoopysecurity/awesome-burp-extensions 222 | 223 | 基于WEB的内网扫描 224 | https://github.com/SkyLined/LocalNetworkScanner 225 | 226 | 子域名扫描工具 227 | https://github.com/lijiejie/subDomainsBrute 228 | 229 | OneForAll是一款功能强大的子域收集工具 230 | https://github.com/shmilylty/OneForAll 231 | 232 | BBScan是一个迷你的信息泄漏批量扫描脚本 233 | https://github.com/lijiejie/BBScan 234 | 235 | 探测Waf产品的指纹信息 236 | https://github.com/EnableSecurity/wafw00f 237 | 238 | 基于端口的漏扫及CVE关联 239 | https://github.com/m0nad/HellRaiser 240 | 241 | 分布式任务分发端口扫描器 242 | https://github.com/lietdai/doom 243 | 244 | 常见服务端口弱口令扫描器 245 | https://github.com/wilson9x1/fenghuangscanner_v3 246 | 247 | 内部网络扫描器 248 | https://github.com/sowish/LNScan 249 | 250 | 通过扫描全网绕过CDN获取网站IP地址 251 | https://github.com/boy-hack/w8fuckcdn 252 | 253 | 集成Nmap的一款端口扫描器 254 | https://github.com/screetsec/Dracnmap 255 | 256 | 便捷的自动化漏洞扫描,报告和分析工具 257 | https://github.com/schubergphilis/Seccubus 258 | 259 | 对公网IP列表进行端口服务扫描,发现周期内的端口服务变化情况和弱口令安全风险 260 | https://github.com/grayddq/PublicMonitors 261 | 262 | Burp Suite的自动化盲注搜索插件 263 | https://github.com/wish-i-was/femida 264 | 265 | 综合扫描工具,主要用来敏感文件探测(目录扫描与js泄露接口),WAF/CDN识别,端口扫描, 266 | 指纹/服务识别,操作系统识别,弱口令探测,POC扫描,SQL注入,绕过CDN,查询旁站等功能 267 | https://github.com/al0ne/Vxscan 268 | 269 | Nessus扫描自动化生成中文漏洞报告 270 | https://github.com/Bypass007/Nessus_to_report 271 | 272 | Tsunami谷歌开源的具有可扩展插件系统的通用网络安全扫描程序,可用于高置信度地检测高严重性漏洞。(java,基于nmap和ncrack) 273 | https://github.com/google/tsunami-security-scanner 274 | 275 | Golang开发的交互式网络扫描器, 276 | https://github.com/marco-lancini/goscan 277 | 278 | ### 子域名爆破扫描器 279 | 280 | https://github.com/aboul3la/Sublist3r 281 | 282 | https://github.com/TheRook/subbrute 283 | 284 | 信息探测及扫描工具(DNS及邮件枚举等) 285 | https://github.com/darryllane/Bluto 286 | 287 | 子域名扫描器 288 | https://github.com/ring04h/wydomain 289 | 290 | 子域名字典组合生成及暴力破解器 291 | https://github.com/infosec-au/altdns 292 | 293 | 固件漏洞扫描器 294 | https://github.com/misterch0c/firminator_backend 295 | 296 | 远程桌面登录扫描器 297 | https://github.com/linuz/Sticky-Keys-Slayer 298 | 299 | 网络基础设施渗透工具(集成nmap和hydra等) 300 | https://github.com/SECFORCE/sparta 301 | 302 | 快速地SNMP抢注,枚举,CISCO配置下载,密码攻击脚本 303 | https://github.com/SECFORCE/SNMP-Brute 304 | 305 | linux漏洞扫描器 306 | https://github.com/future-architect/vuls 307 | 308 | 被动式漏洞扫描系统 309 | https://github.com/ysrc/GourdScanV2 310 | 311 | MongoDB漏洞扫描器 312 | https://github.com/youngyangyang04/NoSQLAttack 313 | 314 | Automated script for performing Padding Oracle attacks 315 | https://github.com/GDSSecurity/PadBuster 316 | 317 | 利用ARP探测内网位置设备 318 | https://github.com/joarleymoraes/net_guard 319 | 320 | 自动漏扫 321 | https://github.com/az0ne/AZScanner 322 | 323 | WPScan 漏洞扫描系统的一个fork 324 | https://github.com/delvelabs/vane 325 | 326 | 安全行业从业人员自研开源扫描器合集 327 | https://github.com/We5ter/Scanners-Box 328 | 329 | 指纹服务,漏洞发现,WebDAV扫描 330 | https://github.com/Graph-X/davscan 331 | 332 | 快捷友好的网络扫描器 333 | https://github.com/angryziber/ipscan 334 | 335 | 扫描Tor exit relasy的模块 336 | https://github.com/NullHypothesis/exitmap 337 | 338 | DNS监控套件 339 | https://github.com/reyjrar/DreamCatcher 340 | 341 | AIRMASTER: 红蓝对抗中对过期域名发现和利用 342 | https://github.com/t94j0/AIRMASTER 343 | 344 | 基于SSH的穷人vpn 345 | https://github.com/ivanilves/xiringuito 346 | 347 | perl脚本评估远程服务的安全设置 (AKA Terminal Services) 348 | https://github.com/portcullislabs/rdp-sec-check 349 | 350 | Joy思科开源的网络包扑捉、网络流量分析、网络研究取证及安全监控的工具。 351 | https://github.com/cisco/joy 352 | 353 | web日志扫描工具 354 | https://github.com/apxar/xlog 355 | 356 | 自动扫描内网数据库扫描脚本(mysql、mssql、oracle、postgresql、redis、mongodb、memcached、elasticsearch),包含未授权访问及常规弱口令检测 357 | https://github.com/se55i0n/DBScanner 358 | 359 | A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI 360 | https://github.com/knqyf263/trivy 361 | 362 | 被动扫描器 Passive Security Scanner 363 | https://github.com/boy-hack/w13scan 364 | 365 | ### Web扫描器 366 | 367 | WEB应用攻击预防和审计框架,开源WEB漏洞扫描 368 | https://github.com/andresriancho/w3af 369 | 370 | WEB路径扫描 371 | https://github.com/maurosoria/dirsearch 372 | 373 | 网站指纹识别工具,用来检测网站CMS类型,所采用的博客系统类型,JS库,web服务器,甚至版本号,email地址,web框架等 374 | https://github.com/urbanadventurer/whatweb 375 | 376 | 一款爬虫框架,用来检测网站是否被恶意攻击过 377 | https://github.com/ciscocsirt/malspider 378 | 379 | AWVS10.5 data/script/目录下的脚本docode 380 | https://github.com/bollwarm/awvs_script_decode 381 | 382 | wordpress漏洞扫描器 383 | https://github.com/wpscanteam/wpscan 384 | 385 | discuz论坛漏洞扫描器 386 | https://github.com/code-scan/dzscan 387 | 388 | J2EE漏洞扫描器burp插件 389 | https://github.com/ilmila/J2EEScan 390 | 391 | Ruby on Rails应用静态分析工具 392 | https://github.com/presidentbeef/brakeman 393 | 394 | 网络空间指纹扫描器 395 | https://github.com/nanshihui/Scan-T 396 | 397 | xsec-proxy-scanner是一款速度超快、小巧的代理扫描器 398 | https://github.com/netxfly/xsec-proxy-scanner 399 | 400 | WEB服务扫描 401 | https://github.com/sullo/nikto 402 | 403 | WEB主机发现小工具 404 | https://github.com/zer0h/httpscan 405 | 406 | WEB扫描器 407 | https://github.com/golismero/golismero 408 | 409 | web应用安全扫描器 410 | https://github.com/taipan-scanner/Taipan 411 | 412 | 漏洞扫描:st2、tomcat、未授权访问等等 413 | https://github.com/SkewwG/VulScan 414 | 415 | 一个简单WEB中间件扫描 416 | https://github.com/maxlabelle/WebMalwareScanner 417 | 418 | ruby源码扫描工具 419 | https://github.com/thesp0nge/dawnscanner 420 | 421 | Get、Post参数扫描器 422 | https://github.com/maK-/parameth 423 | 424 | 路径扫描器 425 | https://github.com/stanislav-web/OpenDoor 426 | 427 | WEB路径扫描 428 | https://github.com/maurosoria/dirsearc 429 | 430 | FindBugs插件用于Java web应用和安卓应用的安全审计 431 | https://github.com/find-sec-bugs/find-sec-bugs 432 | 433 | GitHub敏感信息扫描工具 434 | https://github.com/repoog/GitPrey 435 | 436 | mozilla的GitHub配置信息检查工具和程序集 437 | https://github.com/mozilla-services/GitHub-Audit 438 | 439 | GitLeak 是一个从 Github 上查找密码信息的小工具 440 | https://github.com/5alt/GitLeak 441 | 442 | 一款兼容bugscan插件的扫描器 443 | https://github.com/boy-hack/w9scan 444 | 445 | Golang安全扫描 446 | https://github.com/securego/gosec 447 | 448 | Golang写的命令行工具发现git仓库中不小心泄露的密码,私有证书等 449 | https://github.com/UKHomeOffice/repo-security-scanner 450 | 451 | 侦察和信息收集安全工具 452 | https://github.com/evyatarmeged/Raccoon 453 | 454 | 问脉是一个扫描镜像内敏感信息、弱口令、恶意样本、异常历史命令、后门的检测工具集 https://github.com/chaitin/veinmind-tools 455 | 456 | ### SSL类型扫描器 457 | 458 | sslscan tests SSL/TLS enabled services to discover supported cipher suites 459 | https://github.com/rbsec/sslscan 460 | 461 | ## 安全防守: 462 | 463 | 安全项目列表 464 | https://github.com/zbetcheckin/Security_list 465 | 466 | web索引及日志搜索工具 467 | https://github.com/thomaspatzke/WASE 468 | 469 | 一款CS结构的web debuger 470 | https://github.com/Kozea/wdb 471 | 472 | sqlite注册数据删除的恢复 473 | https://github.com/aramosf/recoversqlite/ 474 | 475 | 自动化的模板注入攻击检测工具 476 | https://github.com/epinna/tplmap 477 | 478 | 简单的linux发行版安全监控脚本 479 | https://github.com/EgeBalci/The-Eye 480 | 481 | 百宝箱——工具集合 482 | https://github.com/starnightcyber/Miscellaneous 483 | 484 | CIDRAM (无类别域间路由访问管理器)是一个PHP脚本,旨在保护网站途经阻止请求该从始发IP地址视为不良的流量来源. 485 | https://github.com/Maikuolan/CIDRAM 486 | 487 | Android-Vulnerabilities-Overview - 已知安卓漏洞预览 488 | https://github.com/CHEF-KOCH/Android-Vulnerabilities-Overview 489 | 490 | Framework-agnostic包给Node.js提供强大的ACL能力 491 | https://github.com/Slynova-Org/node-fence 492 | 493 | 快速启动kolide Kolide https://kolide.co 494 | https://github.com/kolide/kolide-quickstart 495 | 496 | Vendor-Neutral Security Tool Automation Controller (over REST) 497 | https://github.com/hakbot/hakbot-origin-controller 498 | 499 | 全天候 DevOps - 安全监控和防御自动化架构(ELK + AWS Lambda) 500 | https://github.com/appsecco/alldaydevops-aism 501 | 502 | ARL(Asset Reconnaissance Lighthouse)资产侦察灯塔系统 503 | https://github.com/TophantTechnology/ARL 504 | 505 | 安全开发运维:devsecops.org社区贡献的权威devsecops工具列表 506 | https://github.com/devsecops/awesome-devsecops 507 | 508 | API安全检查清单:当你设计、测试、发布API时,需要核对的安全细节清单 509 | https://github.com/shieldfy/API-Security-Checklist/blob/master/README-zh.md 510 | 511 | Pcaptools:流量处理的命令集、捕获工具、分析检查、DNS配置等工具资源 512 | https://github.com/caesar0301/awesome-pcaptools 513 | 514 | Capturing, analysing and responding to cyber attacks 515 | https://github.com/cybermaggedon/cyberprobe 516 | 517 | 安卓安全加固列表 518 | https://github.com/AndroidTamer/KnowledgeBase/tree/master/Documents 519 | 520 | awesome-container-security 容器安全列表 521 | https://github.com/kai5263499/awesome-container-security#networking/runtime 522 | 523 | OS X和iOS安全:OS X和iOS安全工具集合 524 | https://github.com/ashishb/osx-and-ios-security-awesome 525 | 526 | Runtime Mobile Security (RMS):一个功能强大的Web界面,可帮助您在运行时操纵Android Java类和方法 527 | https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security 528 | 529 | 为日常搜集的勒索病毒解密工具的汇总 530 | https://github.com/jiansiting/Decryption-Tools 531 | 532 | 应急响应实战笔记 533 | https://github.com/Bypass007/Emergency-Response-Notes 534 | 535 | 一款开源WAF 536 | https://github.com/SpiderLabs/ModSecurity 537 | 538 | Useful for bug bounties, CTF-style challenges, penetration testing. 539 | https://github.com/brianlam38/Sec-Cheatsheets 540 | 541 | 开源WAF,基于web日志进行非法访问渗透探测,并进行统计分析,设置阈值封禁 542 | https://github.com/bollwarm/App-Waf 543 | 544 | 基于区块链的AUR安全层 545 | https://github.com/clawoflight/aursec 546 | 547 | Secure and fast microVMs for serverless computing. 548 | https://github.com/firecracker-microvm/firecracker 549 | 550 | Secrets bridge - Docker 构建时安全 551 | https://github.com/abourget/secrets-bridge 552 | 553 | Windows 2012 R2 兼容DevSec Windows基线的cookbook 554 | https://github.com/dev-sec/chef-windows-hardening 555 | 556 | Apache防御模块,支持漏洞扫描,防恶意软件,防广告, 防勒索软件, 防恶意站点, Wordpress主题探测和Fail2Ban Jail等。 557 | https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker 558 | 559 | Jenkins OWASP独立检查插件 560 | https://github.com/jeremylong/dependency-check-jenkins 561 | 562 | Joomla强注防止插件 563 | https://github.com/codeling/bfstop 564 | 565 | 使用aws KMs的命令行加密工具,加密一次,可以在多区域的aws多实例中解密 566 | https://github.com/aol/mrcrypt 567 | 568 | 互联网漏洞管理、资产管理、任务扫描、todoLIST 569 | https://github.com/RASSec/A_Scan_Framework 570 | 571 | Open-Source Security Architecture|开源安全架构 572 | https://github.com/bloodzer0/ossa 573 | 574 | 噪声协议的Rust语言实现 575 | https://github.com/mcginty/snow 576 | 577 | DigSig-ng 一个linux内核安全模块,为ELF可执行程序和共享库提供RSA数字签名验证 578 | https://github.com/digsig-ng/linux-digsig 579 | 580 | 开源安全项目清单 581 | https://github.com/Bypass007/Safety-Project-Collection 582 | 583 | DevSec MySQL安全基线 http://dev-sec.io/ 584 | https://github.com/dev-sec/mysql-baseline 585 | 586 | PowerShell脚本监控活动目录,当成员关系变更时候发邮件 587 | https://github.com/lazywinadmin/Monitor-ADGroupMembership 588 | 589 | 评估嵌入式设备CPU的安全性 590 | https://github.com/iadgov/Maplesyrup 591 | 592 | KeyGen 生成证书和密码 593 | https://github.com/offa/keygen 594 | 595 | AWS Big Brother 一个分析IAM用户的工具 596 | https://github.com/jae2/awsbigbrother 597 | 598 | sqli词法解析分析器 599 | https://github.com/client9/libinjection 600 | 601 | 非法IP每日跟新(with blacklist hit scores) 602 | https://github.com/stamparm/ipsum 603 | 604 | Windows事件日志分析及可视化,审计非法登陆 605 | https://github.com/JPCERTCC/LogonTracer 606 | 607 | GScan: 旨在为安全应急响应人员对Linux主机排查时提供便利,实现主机侧Checklist的自动全面化检测,根据检测结果自动数据聚合,进行黑客攻击路径溯源。 608 | https://github.com/grayddq/GScan 609 | 610 | CaptfEncoder 跨平台网络安全工具套件,提供网络安全相关编码转换、古典密码、密码学、特殊编码等工具,并聚合各类在线工具。 611 | https://github.com/guyoung/CaptfEncoder 612 | 613 | PowerShell模糊处理检测框架 614 | https://github.com/danielbohannon/Revoke-Obfuscation 615 | 616 | Symfon安全组件子库 617 | https://github.com/symfony/security 618 | 619 | CSRF保护库: php预防CSRF类库 620 | https://github.com/mebjas/CSRF-Protector-PHP 621 | 622 | VirusTotal公共,私有,网络接口 623 | https://github.com/blacktop/virustotal-api 624 | 625 | 新服务器的最初5分钟,用单行命令加固你的服务器 - Ansible playbook 626 | https://github.com/chhantyal/5minutes 627 | 628 | Red Team SIEM - easy deployable tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations. 629 | 630 | https://github.com/outflanknl/RedELK 631 | 632 | 扩多GCP项目的防火墙加强工具集 633 | https://github.com/spotify/gcp-firewall-enforcer 634 | 635 | 3600Kee团队的域安全入侵感知系统 636 | https://github.com/0Kee-Team/WatchAD 637 | 638 | Linux安全基线,支持puppet、chef和Ansible做安全加固 - InSpec Profile http://dev-sec.io/ 639 | https://github.com/dev-sec/linux-baseline 640 | 641 | Nginx配置分析工具,防止错误配置,并实现自动缺陷检测 642 | https://github.com/yandex/gixy 643 | 644 | GPS欺骗检测工具 645 | https://github.com/zxsecurity/gpsnitch 646 | 647 | CloudFront域名误配置检查工具 648 | https://github.com/MindPointGroup/cloudfrunt 649 | 650 | Cyber瑞士军刀:加解密、编码、压缩以及数据分析的web应用。 651 | https://github.com/gchq/CyberChef 652 | 653 | 应急处置响应框架 654 | https://github.com/biggiesmallsAG/nightHawkResponse 655 | 656 | secure-ls 高水平加密和数据压缩的本地安全存储 657 | https://github.com/softvar/secure-ls 658 | 659 | 容器安全镜像Liter,帮助构建最好的Docker镜像 660 | https://github.com/goodwithtech/dockle 661 | 662 | 有关linux容器安全,命名空间,cgroups等等的gitbook 663 | https://github.com/makash/linux-container-security-docs 664 | 665 | python写的运行在树莓派上安防系统,可以进行运动检测,并通过手机告警 666 | https://github.com/FutureSharks/rpi-security 667 | 668 | airgeddon -- linux下多用户的bash脚本无线网络审计 669 | https://github.com/v1s1t0r1sh3r3/airgeddon 670 | 671 | Laravel网页认证访问 672 | https://github.com/spatie/laravel-littlegatekeeper 673 | 674 | nginx安全配置chef bookbook 675 | https://github.com/dev-sec/chef-nginx-hardening 676 | 677 | proxy poc implementation of STARTTLS stripping attacks 678 | https://github.com/tintinweb/striptls 679 | 680 | web安全开发指南 681 | https://github.com/FallibleInc/security-guide-for-developers 682 | 683 | 自动化代码审计工具 684 | https://github.com/wufeifei/cobra 685 | 686 | 白盒源代码审计工具(cobra分支) 687 | https://github.com/LoRexxar/Cobra-W 688 | 689 | Grep rough audit - 源码审计工具 http://www.justanotherhacker.com 690 | https://github.com/wireghoul/graudit 691 | 692 | AWS云基础设施安全审计工具 693 | https://github.com/SecurityFTW/cs-suite 694 | 695 | python编写的离线网络数据包分析器 696 | https://github.com/HatBoy/Pcap-Analyzer 697 | 698 | 渗透测试常见小工具打包 699 | https://github.com/leonteale/pentestpackage 700 | 701 | 各知名厂商渗透测试报告模板 702 | https://github.com/juliocesarfort/public-pentesting-reports 703 | 704 | 安全工具合集 705 | https://github.com/codejanus/ToolSuite 706 | 707 | 巡风 --一款适用于企业内网的漏洞快速应急,巡航扫描系统。 708 | https://github.com/ysrc/xunfeng 709 | 710 | Fuxi-Scanner 是一款开源的网络安全检测工具,适用于中小型企业对企业信息系统进行安全巡航检测 711 | https://github.com/jeffzh3ng/Fuxi-Scanner 712 | 713 | Elasticsearch API安全发布到公网插件 714 | https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin 715 | 716 | apache实时日志分析器(on Telegram, Zabbix and Syslog/SIEM) 717 | https://github.com/mthbernardes/ARTLAS 718 | 719 | PHP代码审计扫描器 720 | https://github.com/pwnsdx/BadCode 721 | 722 | PHP代码审计sublime插件:🐛 AFind-PHP-Vulnerabilities 723 | https://github.com/WangYihang/Find-PHP-Vulnerabilities 724 | 725 | linux恶意代码检测包 726 | https://github.com/rfxn/linux-malware-detect 727 | 728 | 操作系统运行指标可视化框架 729 | https://github.com/facebook/osquery 730 | 731 | Log-Killer 服务器日志清理工具,支持window(bat)和linux(php)脚本 732 | https://github.com/Rizer0/Log-killer 733 | 734 | Mac OS下取证工具 735 | https://github.com/jipegit/OSXAuditor 736 | 737 | 六道 —— 实时业务风控系统 738 | https://github.com/ysrc/Liudao 739 | 740 | Aswan——陌陌风控系统静态规则引擎,零基础简易便捷的配置多种复杂规则,实时高效管控用户异常行为。 741 | https://github.com/momosecurity/aswan 742 | 743 | 360数据库流量审计MySQL Sniffer 744 | https://github.com/Qihoo360/mysql-sniffer 745 | 746 | 强大的mongodb数据库审计和渗透工具 747 | https://github.com/stampery/mongoaudit 748 | 749 | 基于Inception开发的MySQL数据库审核平台,支持审核、执行、备份、回滚、钉钉推送、mysql、redis、mongodb查询等功能 750 | https://github.com/lazzyfu/AuditSQL 751 | 752 | 恶意代码分析系统 753 | https://github.com/cuckoosandbox/cuckoo 754 | 755 | 定期搜索及存储web应用,可搜漏洞讨论等等 756 | https://github.com/Netflix/Scumblr 757 | 758 | 事件响应框架(focus on 远程取证) 759 | https://github.com/google/grr 760 | 761 | Mozilla防守平台 762 | https://github.com/mozilla/MozDef 763 | 764 | 企业内网安全管理平台,包含资产管理,漏洞管理,账号管理,知识库管、安全扫描自动化功能 765 | https://github.com/qianniaoge/-SecurityManageFramwork 766 | 767 | win内网_域控安全 768 | https://github.com/renzu0/nw-tips 769 | 770 | 静态代码审计系统 771 | https://github.com/zsdlove/Hades 772 | 773 | 强大的观察分析引擎 https://thehive-project.org 774 | https://github.com/CERT-BDF/Cortex 775 | 776 | iptables 防火墙规则集分析验证 777 | https://github.com/diekmann/Iptables_Semantics 778 | 779 | 综合主机监控检测平台(包含主机防火墙,日志监控,SIEM等) 780 | https://github.com/ossec/ossec-hids 781 | 782 | OS X远程取证与分析工具包 783 | https://github.com/Yelp/osxcollector 784 | 785 | 分布式实时数字取证系统 786 | https://github.com/mozilla/mig 787 | 788 | Microsoft及Unix文件系统及硬盘取证工具 789 | https://github.com/sleuthkit/sleuthkit 790 | 791 | 开源安全合规解决方案 792 | https://github.com/OpenSCAP/openscap 793 | 794 | JVM沙箱容器,一种JVM的非侵入式运行期AOP解决方案 795 | https://github.com/alibaba/jvm-sandbox 796 | 797 | 开源准实时日志采集器 798 | https://github.com/wgliang/logcool 799 | 800 | windows实时ETW事件处理工具 801 | https://github.com/goldshtn/etrace 802 | 803 | CPU及内存相关性能分析工具 804 | https://github.com/Microsoft/perfview 805 | 806 | SSH服务审计工具 807 | https://github.com/arthepsy/ssh-audit 808 | 809 | Python库和命令行工具,提供交互式日志可视化 810 | https://github.com/keithjjones/visualize_logs 811 | 812 | OSCP推出安全侦察工具,实现自动化信息收集和服务枚举,创建目录结构以存储用于每个主机的结果,发现和利用工具。 813 | https://github.com/codingo/Reconnoitre 814 | 815 | 一个僵尸网络分析框架 816 | https://github.com/m4rco-/dorothy2 817 | 818 | WAFS审计工具 819 | https://github.com/lightbulb-framework/lightbulb-framework 820 | 821 | 1000个php代码审计案例 822 | https://github.com/Xyntax/1000php 823 | 824 | 基于Python的Linux ssh跳板机/堡垒机设置工具 825 | https://github.com/aker-gateway/Aker 826 | 827 | Linux常见命令及部分安全软件使用命令列表 828 | https://github.com/andrewjkerr/security-cheatsheets 829 | 830 | ssrfDetector ssrf探测器 831 | https://github.com/JacobReynolds/ssrfDetector 832 | 833 | fwd 用go开发的网络端口代理 834 | https://github.com/kintoandar/fwd 835 | 836 | dev-sec安全基线和加固脚本 837 | https://github.com/dev-sec 838 | 839 | 使用AngularJS和AJA的Symfony应用CSRF自动探测工具 840 | https://github.com/dunglas/DunglasAngularCsrfBundle 841 | 842 | 设计用于CDN的高性能DNS缓存 843 | https://github.com/jedisct1/edgedns 844 | 845 | BleachBit Windows和Linux系统清理器https://www.bleachbit.org 846 | https://github.com/bleachbit/bleachbit 847 | 848 | Universal Radio Hacker: 无线协议分析 849 | https://github.com/jopohl/urh 850 | 851 | PHP后门检测工具 852 | https://github.com/yassineaddi/BackdoorMan.git 853 | 854 | Unix系操作系统安全审计和加固工具 855 | https://github.com/CISOfy/lynis 856 | 857 | 利用vulners.com漏洞数据库的包审计套件 858 | https://github.com/kreon/freeaudit 859 | 860 | 垃圾邮件分析工具 861 | https://github.com/SpamScope/spamscope 862 | 863 | 恶意代码,php shell检测工具 864 | https://github.com/yassineaddi/BackdoorMan 865 | 866 | 一款精简版github信息泄露搜集工具 867 | https://github.com/dongfangyuxiao/github_dis/ 868 | 869 | 安全程序和漏洞管理工具 870 | https://github.com/OWASP/django-DefectDojo 871 | 872 | HaboMalHunter是哈勃分析系统 (https://habo.qq.com) 的开源子项目, 873 | 用于Linux平台下进行自动化分析、文件安全性检测的开源工具 874 | https://github.com/Tencent/HaboMalHunte 875 | 876 | 混淆代码检测工具 877 | https://github.com/Neohapsis/NeoPI 878 | 879 | webshell检测工具 880 | https://github.com/emposha/Shell-Detector 881 | 882 | 社区驱动的Rails安全检查列表 883 | https://github.com/eliotsykes/rails-security-checklist 884 | 885 | radius-audit - A RADIUS authentication server audit tool 886 | https://github.com/ANSSI-FR/audit-radius 887 | 888 | Fathom——基于golang和Preact的简单可信的站点分析 889 | https://github.com/usefathom/fathom 890 | 891 | GO HTTP中间件来推进快速安全开发 892 | https://github.com/unrolled/secure 893 | 894 | InSpec: 测试和审计框架 895 | https://github.com/chef/inspec 896 | 897 | retire.js的自动扫描器,扫描探测常见的JS库漏洞 898 | https://github.com/RetireJS/grunt-retire 899 | 900 | Suricata 一个自由开源地,成熟、快速自动化的网络威胁探测引擎 901 | https://github.com/inliniac/suricata 902 | 903 | AWS安全扫描检查 904 | https://github.com/cloudsploit/scans 905 | 906 | aws-security-viz -- aws安全组可视化工具 907 | https://github.com/anaynayak/aws-security-viz 908 | 909 | 使用NACL和Go的安全交互密码管理 910 | https://github.com/johnathanhowell/masterkey 911 | 912 | Hound Git插件通过探测阻止敏感信息被push到远程公有仓库导致信息泄密 913 | https://github.com/ezekg/git-hound 914 | 915 | GitHub敏感信息泄露监控 916 | https://github.com/FeeiCN/GSIL 917 | 918 | HULK DoS工具从Python迁移到Golang 919 | https://github.com/grafov/hulk 920 | 921 | 大数据安全检测工具 922 | https://github.com/kotobukki/BigDataAudit 923 | 924 | 个人安全checklist 925 | https://github.com/Lissy93/personal-security-checklist 926 | 927 | SQL 审核查询平台 928 | https://github.com/hhyo/Archery 929 | 930 | pick -- Linux和OS X最小化密码管理工具 931 | https://github.com/bndw/pick 932 | 933 | 一个基于浏览器端 JS 实现的在线代理 https://jsproxy.tk 934 | https://github.com/EtherDream/jsproxy 935 | 936 | 基于EK的K8s安全监控方案 937 | https://github.com/k8scop/k8s-security-dashboard 938 | 939 | CloudWalker(牧云)是长亭推出的一款开源服务器安全管理平台。根据项目计划会逐步覆盖服务器资产管理、威胁扫描、Webshell 查杀、基线检测等各项功能。 940 | https://github.com/chaitin/cloudwalker 941 | 942 | 可搜索、标签化,加密的云存储 943 | https://tryingtobeawesome.com/cryptag/ 944 | 945 | MITRE攻击框架对应的Linux Auditd 审计规则 946 | https://github.com/bfuzzy/auditd-attack 947 | 948 | ⭐️ An anomaly-based intrusion detection system. 949 | https://github.com/alexfrancow/A-Detector 950 | 951 | AntiRansom:Fighting against ransomware using honeypots 952 | https://github.com/YJesus/AntiRansom 953 | 954 | 悟空API网关 开源版 955 | https://github.com/eolinker/GoKu-API-Gateway 956 | 957 | Hamburglar -- collect useful information from urls, directories, and files 958 | https://github.com/needmorecowbell/Hamburglar 959 | 960 | ElkarBackup 一个基于RSync/RSnapshot的开源备份方案 961 | https://github.com/elkarbackup/elkarbackup 962 | 963 | SSH服务端和客户端安全配置的chef cookbook 964 | https://github.com/dev-sec/chef-ssh-hardening 965 | 966 | Nextcloud 双因子TOTP (RFC 6238) 967 | https://github.com/nextcloud/twofactor_totp 968 | 969 | WireGuard — 快速、现代、linux内核只带的安全VPN通道 970 | https://github.com/WireGuard/WireGuard 971 | 972 | BoringTun WireGuard® 协议的兼容性和速度性实现,支持window 973 | https://github.com/cloudflare/boringtun 974 | 975 | wireguard一键安装脚本 976 | https://github.com/atrandys/wireguard 977 | 978 | Nixarmor Linux自动安全加固项目 979 | https://github.com/emirozer/nixarmor 980 | 981 | SaaS型初创企业安全101 982 | https://github.com/forter/security-101-for-saas-startups/tree/chinese 983 | 984 | phpMusse 这是一个根据ClamAV的签名和其他签名对上传文件自动检测的PHP脚本 985 | https://github.com/Maikuolan/phpMussel/ 986 | ## 渗透测试 987 | 988 | Black Hat Arsenal 官方工具仓库 989 | https://github.com/toolswatch/blackhat-arsenal-tools 990 | 991 | windows渗透工具集合 992 | https://github.com/Hack-with-Github/Windows 993 | 994 | windows最佳渗透指南 995 | https://github.com/yeyintminthuhtut/Awesome-Advanced-Windows-Exploitation-References 996 | 997 | 从内存中提取敏感信息的工具 998 | https://github.com/putterpanda/mimikittenz 999 | 1000 | fireeye红军渗透工具 1001 | 1002 | https://github.com/Raikia/CredNinja 1003 | 1004 | https://github.com/ChrisTruncer/WMIOps 1005 | 1006 | https://github.com/ChrisTruncer/EyeWitness 1007 | 1008 | https://github.com/ChrisTruncer/Egress-Assess 1009 | 1010 | windows渗透神器 1011 | https://github.com/gentilkiwi/mimikatz 1012 | 1013 | 在线渗透测试资源、Shellcode开发、开源情报资源、社会工程资源等 1014 | https://github.com/enaqx/awesome-pentest 1015 | 1016 | frp 是一个可用于内网穿透的高性能的反向代理应用,支持 tcp, udp, http, https 协议。 1017 | https://github.com/fatedier/frp 1018 | 1019 | hideNsneak: 临时渗透测试架构明亮行 1020 | https://github.com/rmikehodges/hideNsneak 1021 | 1022 | Powershell渗透库合集 1023 | https://github.com/PowerShellMafia/PowerSploit 1024 | 1025 | Powershell tools合集 1026 | https://github.com/clymb3r/PowerShell 1027 | 1028 | 资产狩猎框架-AssetsHunter,信息收集是一项艺术~ 1029 | https://github.com/rabbitmask/AssetsHunter 1030 | 1031 | Nishang PowerShell下脚本和渗透和POC框架和集合,Nishang在渗透测试的所有阶段都非常有用。 1032 | https://github.com/samratashok/nishang 1033 | 1034 | MSF--最强大的渗透平台 1035 | https://github.com/rapid7/metasploit-framework 1036 | 1037 | Poc调用框架,可加载Pocsuite,Tangscan,Beebeeto等 1038 | https://github.com/erevus-cn/pocscan 1039 | 1040 | Pocsuite -开源的远程漏洞测试框架 1041 | https://github.com/knownsec/Pocsuite 1042 | 1043 | fsociety黑客工具集——渗透测试框架 1044 | https://github.com/Manisso/fsociety 1045 | 1046 | YAWAST Web应用安全套件 1047 | https://github.com/adamcaudill/yawast 1048 | 1049 | A Bind9 server for pentesters to use for Out-of-Band vulnerabilities 1050 | https://github.com/JuxhinDB/OOB-Server 1051 | 1052 | Beebeeto是由众多安全研究人员所共同维护的一个规范化POC/EXP平台 1053 | https://github.com/n0tr00t/Beebeeto-framework 1054 | 1055 | cloudflare基于nmap打包的一个轻量漏洞扫描系统 1056 | https://github.com/cloudflare/flan 1057 | 1058 | 一个用Node.js编写的Web安全测试框架 1059 | https://github.com/zhuyingda/veneno 1060 | 1061 | Orc is a post-exploitation framework for Linux written in Bash 1062 | https://github.com/zMarch/Orc 1063 | 1064 | 常见的渗透测试/安全Cheatsheet 1065 | https://github.com/jshaw87/Cheatsheets 1066 | 1067 | 渗透脚本集合包括backdoor,exploit,fuzzing,note,misc,powershell 1068 | https://github.com/Ridter/Pentest 1069 | 1070 | 消息队列和中间人注入工具,可以用于攻击 Redis, RabbitMQ和ZeroMQ。 1071 | https://github.com/cr0hn/enteletaor 1072 | 1073 | WPA2 KRACK攻击验证脚本集 1074 | https://github.com/vanhoefm/krackattacks-scripts 1075 | 1076 | 越过(WAF)和 XSS过滤的pyton脚本集 1077 | https://github.com/frizb/Bypassing-Web-Application-Firewalls 1078 | 1079 | 渗透测试用到的东东 1080 | https://github.com/ring04h/pentest 1081 | 1082 | DNS rebinding toolkit 1083 | https://github.com/makuga01/dnsFookup 1084 | 1085 | A scripted pipeline of tools to streamline the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs. 1086 | https://github.com/SolomonSklash/chomp-scan 1087 | 1088 | Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications 1089 | https://github.com/rapid7/hackazon 1090 | 1091 | MSTG-手机应用安全开发、测试、反向工程详细手册。 1092 | https://github.com/OWASP/owasp-mstg 1093 | 1094 | Venom是一款为渗透测试人员设计的使用Go开发的多级代理工具 1095 | https://github.com/Dliv3/Venom 1096 | 1097 | A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting 1098 | https://github.com/hahwul/WebHackersWeapons 1099 | 1100 | ### Fuzz测试: 1101 | 1102 | DotDotPwn - 目录遍历Fuzzer(http://dotdotpwn.blogspot.com/) 1103 | https://github.com/wireghoul/dotdotpwn 1104 | 1105 | FuzzLabs Fuzzing框架 https://dcnws.com 1106 | https://github.com/keymandll/FuzzLabs 1107 | 1108 | 谷歌出品强大分析配置项目fuzzing组件 1109 | https://github.com/google/honggfuzz 1110 | 1111 | 谷歌fuzzing引擎测试集 1112 | https://github.com/google/fuzzer-test-suite 1113 | 1114 | 可扩展地Fuzzing框架 1115 | https://github.com/IOActive/XDiFF 1116 | 1117 | Fuzzinator随机测试框架 1118 | https://github.com/renatahodovan/fuzzinator 1119 | 1120 | 各种fuzzing图书、课程、工具、教程和易受攻击应用集合 1121 | https://github.com/secfigo/Awesome-Fuzzing 1122 | 1123 | Linux内核fuzzing和缺陷相关的资源 1124 | https://github.com/xairy/linux-kernel-exploitation 1125 | 1126 | fuzzing框架 1127 | https://github.com/MozillaSecurity/peach 1128 | 1129 | fuddly: fuzzing和数据处理框架 1130 | https://github.com/k0retux/fuddly 1131 | 1132 | 基础fuzzer工具 1133 | https://github.com/RootUp/BFuzz 1134 | 1135 | Kitty fuzzing框架扩展库 1136 | https://github.com/cisco-sas/katnip 1137 | 1138 | Fuzzer API接口,通过可以用通用的渗透技术和漏洞列表进行fuzz请求 1139 | https://github.com/lalithr95/API-fuzzer 1140 | 1141 | Java的fuzz测试覆盖率指导 1142 | https://github.com/fuzzitdev/javafuzz 1143 | 1144 | 找出文件系统存存储的加密文件 1145 | https://github.com/antagon/TCHunt-ng 1146 | 1147 | 安卓媒体Fuzzing框架 1148 | https://github.com/fuzzing/MFFA 1149 | 1150 | 安卓fuzz工具 1151 | https://github.com/MindMac/IntentFuzzer 1152 | 1153 | Fuzzing数据集 1154 | https://github.com/MozillaSecurity/fuzzdata 1155 | 1156 | WebFuzz工具 1157 | https://github.com/xmendez/wfuzz 1158 | 1159 | coverage guided fuzz testing for javascript 1160 | https://github.com/fuzzitdev/jsfuzz 1161 | 1162 | web fuzz 1163 | https://github.com/henshin/filebuster 1164 | 1165 | AFL的Android移植版本 1166 | https://github.com/ele7enxxh/android-afl 1167 | 1168 | Fuzzing results for various interpreters. 1169 | https://github.com/dyjakan/interpreter-bugs 1170 | 1171 | Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem 1172 | https://github.com/lalithr95/fuzzapi 1173 | 1174 | Test Blue Team detections without running any attack. 1175 | https://github.com/n0dec/MalwLess 1176 | 1177 | bring your .bashrc, .vimrc, etc. with you when you ssh 1178 | https://github.com/Russell91/sshrc 1179 | 1180 | Chat over SSH 1181 | https://github.com/shazow/ssh-chat 1182 | 1183 | AFL—支持源码插桩的代码覆盖引导的Fuzzer,绝对是fuzzer领域的一大里程碑,虽然它也支持基于QEMU的闭源程序,但效果不好,且容易出错,由它衍生出来非常多afl分支版本,借助它已经被挖出非常多的漏洞,但它的变异策略其实有待提高。 1184 | http://lcamtuf.coredump.cx/afl/ 1185 | 1186 | WinAFL—windows版本的afl,使用DynamoRIO去插桩闭源程序以获取代码覆盖率信息,同时支持硬件PT获取覆盖率信息,但PT获取覆盖率其实并没有插桩获取得全,但速度可能会快一些。 1187 | https://github.com/googleprojectzero/winafl 1188 | 1189 | AFLFast—加速版的AFL,Fuzzing速度确实会比原版快一些。 1190 | https://github.com/mboehme/aflfast 1191 | 1192 | Vuzzer—支持闭源程序的覆盖引导Fuzzer,使用LibDFT的pin工具实现数据流追踪,结合动静态分析,以获取更多的代码路径,比如比较语句中的比较值,它会先作记录,再未来变异时使用。 1193 | https://github.com/vusec/vuzzer 1194 | 1195 | PTfuzzer—Linux平台下的采用 Interl PT硬件支持的覆盖引导Fuzzer,所以它支持闭源程序。 1196 | https://github.com/hunter-ht-2018/ptfuzzer 1197 | 1198 | afl-unicorn—采用Unicorn模拟指令的AFL,支持Linux闭源程序 1199 | https://github.com/tigerpuma/Afl_unicorn 1200 | 1201 | pe-afl—通过静态插桩实现针对Windows闭源程序的覆盖引导的AFL Fuzzer,支持用户层应用和内核驱动 1202 | https://github.com/wmliang/pe-afl 1203 | 1204 | kAFL—支持QEMU虚拟机下的系统内核Fuzzing的AFL,适用于Linux、macOS与Windows 1205 | https://github.com/RUB-SysSec/kAFL/ 1206 | 1207 | TriforceAFL—基于QEMU全系统模拟的AFL,借助系统仿真器实现分支信息跟踪,支持Linux内核Fuzzing 1208 | https://github.com/nccgroup/TriforceAFL 1209 | 1210 | ClusterFuzzer—Google开源的可扩展的Fuzzing基础设施 1211 | https://github.com/google/clusterfuzz 1212 | 1213 | LibFuzzer—进程内覆盖率引导的开源的fuzz引擎库,属于llvm的一部分,在各大主流开源库中,以及Google内部最经常用的安全测试工具 1214 | https://llvm.org/docs/LibFuzzer.html 1215 | 1216 | OSS-Fuzz—基于LibFuzzer的开源软件Fuzzer集合,实现docker下自动下载、编译安装及运行 1217 | https://github.com/google/oss-fuzz 1218 | 1219 | honggfuzz—Google开发的基于软硬件的覆盖驱动型Fuzzer,单纯暴力Fuzz的效果也挺好的,支持多平台,包括Linux\macOS\Windows\Android 1220 | https://github.com/google/honggfuzz 1221 | 1222 | KernelFuzzer—跨平台内核Fuzzer框架,不开源策略,只在其paper中提及变异策略,需要自己实现,支持Windows、OSX和QNX系统,但只提供Windows编译脚本 1223 | https://github.com/mwrlabs/KernelFuzzer 1224 | 1225 | OSXFuzzer—基于Kernel Fuzzer的macOS内核Fuzzer 1226 | https://github.com/mwrlabs/OSXFuzz.git 1227 | 1228 | PassiveFuzzFrameworkOSX—通过Hook实现被动式的OSX内核Fuzzer 1229 | https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX 1230 | 1231 | Bochspwn—基于Boch插桩API实现Double Fetches内核漏洞的检测 1232 | https://github.com/googleprojectzero/bochspwn 1233 | 1234 | Bochspwn-reloaded—基于Boch插桩API实现内核信息泄露的检测 1235 | https://github.com/googleprojectzero/bochspwn-reloaded 1236 | 1237 | syzkaller—基于覆盖率引导的Linux内核Fuzzer,需要基于其模板语法实现API调用模板,提供给syzkaller进行数据变异,也曾被移植到其它平台 1238 | https://github.com/google/syzkaller 1239 | 1240 | dharma—基于语法模板生成的Fuzzer,由Mozilla开源的用于Fuzz Firefox JS引擎 1241 | https://github.com/MozillaSecurity/dharma 1242 | 1243 | domator—Project Zero团队开源的DOM Fuzzer,用python实现基于模板生成的Fuzzer 1244 | https://github.com/googleprojectzero/domato 1245 | 1246 | Fuzzilli—基于语法变异的JavaScript引擎Fuzzer,先通过语法模板生成测试用例,再生成中间语法进行变异,结合覆盖率引导以触发更多代码路径 1247 | https://github.com/googleprojectzero/fuzzilli 1248 | 1249 | Razzer—内核竞争条件漏洞Fuzzer 1250 | https://github.com/compsec-snu/razzer 1251 | 1252 | ViridianFuzzer—用于Fuzzing Hyper-V hypercalls的内核驱动,由MWRLabs公司出品 1253 | https://github.com/mwrlabs/ViridianFuzzer 1254 | 1255 | ChromeFuzzer—基于grinder语法生成器改装的Chrome浏览器Fuzzer 1256 | https://github.com/demi6od/ChromeFuzzer 1257 | 1258 | funfuzz—Mozilla开源的JS fuzzer工具集合,主要用于Fuzz SpiderMonkey 1259 | https://github.com/MozillaSecurity/funfuzz 1260 | 1261 | ### WEB渗透: 1262 | 1263 | webshell大合集 1264 | https://github.com/tennc/webshell 1265 | 1266 | 渗透以及web攻击脚本 1267 | https://github.com/brianwrf/hackUtils 1268 | 1269 | web渗透小工具大合集 1270 | https://github.com/rootphantomer/hack_tools_for_me 1271 | 1272 | web敏感目录、信息泄漏批量扫描脚本,结合爬虫、目录深度遍历。 1273 | https://github.com/blackye/webdirdig 1274 | 1275 | detectem - detect software and its version on websites. 1276 | https://github.com/spectresearch/detectem 1277 | 1278 | Hydra is a penetration testing tool exclusively focused on dictionary-attacking web-based login forms. 1279 | https://github.com/opennota/hydra 1280 | 1281 | 数据库注入工具 1282 | https://github.com/sqlmapproject/sqlmap 1283 | 1284 | 通过控制台管理网站 1285 | https://github.com/WangYihang/Webshell-Sniper 1286 | 1287 | SQLiScanner -- Automatic SQL injection with Charles and sqlmap api 1288 | https://github.com/0xbug/SQLiScanner 1289 | 1290 | Web代理,通过加载sqlmap api进行sqli实时检测 1291 | https://github.com/zt2/sqli-hunter 1292 | 1293 | 新版中国菜刀 1294 | https://github.com/Chora10/Cknife 1295 | 1296 | .git泄露利用EXP 1297 | https://github.com/lijiejie/GitHack 1298 | 1299 | 浏览器攻击框架 1300 | https://github.com/beefproject/beef 1301 | 1302 | 自动化绕过WAF脚本 1303 | https://github.com/khalilbijjou/WAFNinja 1304 | 1305 | http命令行客户端,可以从命令行构造发送各种http请求(类似于Curl) 1306 | https://github.com/jkbrzt/httpie 1307 | 1308 | 浏览器调试利器 1309 | https://github.com/firebug/firebug 1310 | 1311 | WAF绕过检测工具 1312 | https://github.com/owtf/wafbypasser 1313 | 1314 | 浏览器攻击框架 1315 | https://github.com/julienbedard/browsersploit 1316 | 1317 | web端webshell管理器 1318 | https://github.com/guillotines/WebShell 1319 | 1320 | tomcat自动后门部署 1321 | https://github.com/mgeeky/tomcatWarDeployer 1322 | 1323 | TomcatBrute tool 1324 | https://github.com/WallbreakerTeam/TomcatBrute 1325 | 1326 | 通过调用sqlmap api,自动检测sqli的代理 1327 | https://github.com/fengxuangit/Fox-scan/ 1328 | 1329 | CMS探测和利用套件,能探测20多种cms,同时对wp,Joomla, Drupadl进行深度渗透 1330 | https://github.com/Tuhinshubhra/CMSeeK 1331 | 1332 | 免杀payload生成器 1333 | https://github.com/Veil-Framework/Veil-Evasion 1334 | 1335 | 用gmail充当C&C服务器的后门 1336 | https://github.com/byt3bl33d3r/gcat 1337 | 1338 | burp教学payloads集合 1339 | https://github.com/1N3/IntruderPayloads 1340 | 1341 | SQL盲注利用工具 1342 | https://github.com/Neohapsis/bbqsql 1343 | 1344 | Script for doing evil stuff to Redis servers (for education purposes only). 1345 | https://github.com/matiasinsaurralde/evilredis 1346 | 1347 | dnscat2的Powershell客户端,加密的DNS命令和控制工具 1348 | https://github.com/lukebaggett/dnscat2-powershell 1349 | 1350 | burp插件收集项目 1351 | https://github.com/xl7dev/BurpSuite/tree/master/Extender 1352 | 1353 | Burp-Suite-collections:BurpSuite相关收集项目,插件主要是非BApp Store(商店) 1354 | https://github.com/Mr-xn/BurpSuite-collections 1355 | 1356 | 一个用来辅助WP渗透测试的ruby框架 1357 | https://github.com/rastating/wordpress-exploit-framework/ 1358 | 1359 | .DS_store文件泄露利用脚本 1360 | https://github.com/lijiejie/ds_store_exp 1361 | 1362 | Short for command injection exploiter,web向命令注入检测工具 1363 | https://github.com/stasinopoulos/commix 1364 | 1365 | XSS数据接收平台 1366 | https://github.com/firesunCN/BlueLotus_XSSReceiver 1367 | 1368 | 一个快速的TLS扫描器( non-blocking, event-driven ) https://prbinu.github.io/tls-scan 1369 | https://github.com/prbinu/tls-scan 1370 | 1371 | 一个Python RESTful接口框架,用于提供在线恶意软件和URL分析服务 1372 | https://github.com/diogo-fernan/malsub 1373 | 1374 | XSS与CSRF工具 1375 | https://github.com/evilcos/xssor 1376 | 1377 | 暴力攻击字典生成工具 1378 | https://github.com/LandGrey/pydictor 1379 | 1380 | 利用深度神经网络tensorflow 对14亿文本密码分析 1381 | https://github.com/philipperemy/tensorflow-1.4-billion-password-analysis 1382 | 1383 | ModSecurity—Web应用程序防火墙(支持nginx、iis、apache) 1384 | https://github.com/SpiderLabs/ModSecurity 1385 | 1386 | Astra:REST API的自动安全测试 1387 | https://github.com/flipkart-incubator/Astra 1388 | 1389 | Burp Replicator:自动化复杂漏洞的复制 1390 | https://github.com/PortSwigger/replicator 1391 | 1392 | OWASP进攻性Web测试框架 1393 | https://github.com/owtf/owtf 1394 | 1395 | OWASP JoomScan项目 1396 | https://github.com/rezasp/joomscan 1397 | 1398 | WSSAT Web服务安全评估工具 1399 | https://github.com/YalcinYolalan/WSSAT 1400 | 1401 | ### 中间人攻击 1402 | 1403 | 中间人攻击框架 1404 | https://github.com/secretsquirrel/the-backdoor-factory 1405 | 1406 | https://github.com/secretsquirrel/BDFProxy 1407 | 1408 | https://github.com/byt3bl33d3r/MITMf 1409 | 1410 | 代码注入,wifi jam以及wifi用户探测 1411 | https://github.com/DanMcInerney/LANs.py 1412 | 1413 | 可扩展的中间人代理工具 1414 | https://github.com/intrepidusgroup/mallory 1415 | 1416 | wifi钓鱼 1417 | https://github.com/sophron/wifiphisher 1418 | 1419 | XSS数据接收平台 1420 | https://github.com/firesunCN/BlueLotus_XSSReceiver 1421 | 1422 | XSS与CSRF工具 1423 | https://github.com/evilcos/xssor 1424 | 1425 | Vegile - Ghost In The Shell 进程隐藏和防止被杀的工具 1426 | https://github.com/Screetsec/Vegile 1427 | 1428 | ### 暴力破解 1429 | 1430 | 密码破解工具 1431 | https://github.com/shinnok/johnny 1432 | 1433 | 本地存储的各类密码提取利器 1434 | https://github.com/AlessandroZ/LaZagne 1435 | 1436 | HTTP暴力破解,撞库攻击脚本 1437 | https://github.com/lijiejie/htpwdScan 1438 | 1439 | 超过80GB密码库总结出的字典项目 1440 | https://github.com/berzerk0/Probable-Wordlists 1441 | ## 漏洞库及利用工具(POC,EXP) 1442 | 1443 | ### Meltdown(熔毁)和Spectre(幽灵)相关 1444 | 1445 | Local Exploit for Meltdown 1446 | https://github.com/dendisuhubdy/meltdown 1447 | 1448 | Meltdown Spectre PoC 1449 | https://github.com/paboldin/meltdown-exploit 1450 | 1451 | Meltdown/Spectre PoC 源码集合 1452 | https://github.com/turbo/KPTI-PoC-Collection 1453 | 1454 | meltdownspectre补丁 1455 | https://github.com/hannob/meltdownspectre-patches 1456 | 1457 | SpecuCheck meltdownspectre win下检查工具 1458 | https://github.com/ionescu007/SpecuCheck 1459 | 1460 | Linux本地root提权 1461 | https://github.com/5H311-1NJ3C706/local-root-exploits 1462 | 1463 | 漏洞研究集合 1464 | https://github.com/sergey-pronin/Awesome-Vulnerability-Research 1465 | 1466 | CVE Details是通过读取NVD提供的CVE xml信息并添加exploit-db和metasploit相关模块重新排版布局的网站。 1467 | 旨在使用户能快速查找到自己要找的漏洞,如按厂商查找按产品查找等。 1468 | https://www.cvedetails.com/ 1469 | 1470 | Snyk漏洞库 1471 | https://github.com/snyk/vulndb 1472 | 1473 | 按小时更新的保存使用JSON格式设置的CVE列表信息 1474 | https://github.com/CVEProject/cvelist 1475 | 1476 | 哈希长度扩展攻击EXP 1477 | https://github.com/citronneur/rdpy 1478 | 1479 | JAVA反序列化漏洞相关资源列表 1480 | https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet 1481 | 1482 | JBOSS verify & exp tool 1483 | https://github.com/joaomatosf/jexboss 1484 | 1485 | 些 APT 组(APT28、APT29、APT32、Emotet...)所使用的恶意软件样本 1486 | https://github.com/Cherishao/APT-Sample 1487 | 1488 | 安卓十月漏洞POC 1489 | https://github.com/jiayy/android_vuln_poc-exp 1490 | 1491 | 在sebug提交的漏洞详情及poc 1492 | https://github.com/ganliuzhuo/Sebug 1493 | 1494 | PacketWhisper:使用DNS查询和文本隐藏技术 1495 | https://github.com/TryCatchHCF/PacketWhisper 1496 | 1497 | ExploitDB官方git版本 1498 | https://github.com/offensive-security/exploit-database 1499 | 1500 | Vulncode-DB is a database for vulnerabilities and their corresponding source code 1501 | https://github.com/google/vulncode-db 1502 | 1503 | php漏洞代码分析 1504 | https://github.com/80vul/phpcodz 1505 | 1506 | Parse: PHP安全扫码器 1507 | https://github.com/psecio/parse 1508 | 1509 | NodeJsScan-Node.js应用静态安全代码扫码器 1510 | https://github.com/ajinabraham/NodeJsScan 1511 | 1512 | proof-of-concept exploits developed by the Semmle Security Research Team. 1513 | https://github.com/Semmle/SecurityExploits 1514 | 1515 | CVE-2016-2107简单test程序 1516 | https://github.com/FiloSottile/CVE-2016-2107 1517 | 1518 | CVE-2015-7547 POC 1519 | https://github.com/fjserna/CVE-2015-7547 1520 | 1521 | pocassist:全新的开源漏洞测试框架,实现poc在线编辑、运行、批量测试。 1522 | https://github.com/jweny/pocassist 1523 | 1524 | 一些漏洞和0day的blog 1525 | https://github.com/pierrekim/pierrekim.github.io 1526 | JAVA反序列化POC生成工具 1527 | https://github.com/frohoff/ysoserial 1528 | 1529 | JAVA反序列化EXP 1530 | https://github.com/foxglovesec/JavaUnserializeExploits 1531 | 1532 | Jenkins cli漏洞 1533 | https://github.com/CaledoniaProject/jenkins-cli-exploit 1534 | 1535 | CVE-2015-2426 EXP (windows内核提权) 1536 | https://github.com/vlad902/hacking-team-windows-kernel-lpe 1537 | 1538 | web攻击的范例docker环境(php本地文件包含结合phpinfo getshell 以及ssrf结合curl的利用演示) 1539 | https://github.com/hxer/vulnapp 1540 | 1541 | php7缓存覆写漏洞Demo及相关工具 1542 | https://github.com/GoSecure/php7-opcache-override 1543 | 1544 | An exploit for Apache Struts CVE-2018-11776 1545 | https://github.com/mazen160/struts-pwn_CVE-2018-11776 1546 | 1547 | Struts2 S2-045-Nmap NSE script 1548 | https://github.com/Z-0ne/ScanS2-045-Nmap 1549 | 1550 | SS payloads designed to turn alert(1) into P1 1551 | https://github.com/hakluke/weaponised-XSS-payloads 1552 | 1553 | XcodeGhost木马样本 1554 | https://github.com/XcodeGhostSource/XcodeGhost 1555 | 1556 | scap安全指导 1557 | https://github.com/OpenSCAP/scap-security-guide 1558 | 1559 | 相对偏学术方向,有不少书籍、会议、报告等推荐 1560 | https://github.com/re-pronin/awesome-vulnerability-research 1561 | 1562 | 偏Web向的常见漏洞类型案例指导 1563 | https://github.com/ngalongc/bug-bounty-reference 1564 | 1565 | 13年到现在数十个CVE漏洞的PoC 1566 | https://github.com/qazbnm456/awesome-cve-poc 1567 | 1568 | 恶意软件脚本集 1569 | https://github.com/seifreed/malware-scripts 1570 | 1571 | Awesome XSS stuff 1572 | https://github.com/s0md3v/AwesomeXSS 1573 | 1574 | 一大波常见Web攻击Payloads 1575 | https://github.com/foospidy/payloads 1576 | 1577 | 后门仓库,包括各语言直接绑定和反射式的后门,后门加密以及Stager 1578 | https://github.com/0x00-0x00/ShellPop 1579 | 1580 | 常见Web攻击Payloads 1581 | https://github.com/swisskyrepo/PayloadsAllTheThings 1582 | 1583 | OS X命令行、PowerShell命令行、Google Dorks、Shodan、exploit开发、Java反序列化等列表 1584 | https://github.com/coreb1t/awesome-pentest-cheat-sheets 1585 | 1586 | 雷石安全实验室出品Shiro命令执行工具 V2.0 1587 | https://github.com/tangxiaofeng7/Shiroexploit 1588 | 1589 | Java反序列化技术分享 1590 | https://github.com/Y4er/WebLogic-Shiro-shell 1591 | 1592 | ### EXP编写框架及工具: 1593 | 1594 | 漏洞赏金计划集合和著名赏金猎人博客列表 1595 | https://github.com/djadmin/awesome-bug-bounty 1596 | 1597 | Exploit开发学习资源 1598 | https://github.com/FabioBaroni/awesome-exploit-development 1599 | 1600 | mimic is a tool for covert execution on Linux x86_64. 1601 | https://github.com/emptymonkey/mimic 1602 | 1603 | 二进制EXP编写工具 1604 | https://github.com/t00sh/rop-tool 1605 | 1606 | CTF Pwn 类题目脚本编写框架 1607 | https://github.com/Gallopsled/pwntools 1608 | 1609 | python写的pwning开发IO库 1610 | https://github.com/zTrix/zio 1611 | 1612 | 跨平台注入工具( Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.) 1613 | https://github.com/frida/frida 1614 | 1615 | 收集或编写各种漏洞PoC、ExP 1616 | https://github.com/bollwarm/POC-EXP 1617 | 1618 | xray:一款完善的安全评估工具,支持常见 web 安全问题扫描和POC自定义 1619 | https://github.com/chaitin/xray 1620 | 1621 | redteam_vu:红队作战中比较常遇到的一些重点系统漏洞整理。 1622 | https://github.com/r0eXpeR/redteam_vul 1623 | 1624 | 渗透测试有关的POC、EXP、脚本、提权、小工具等,欢迎补充、完善 1625 | https://github.com/Mr-xn/Penetration_Testing_POC 1626 | 1627 | 基于Docker-Compose的漏洞预构建环境https://vulhub.org 1628 | https://github.com/vulhub/vulhub 1629 | 1630 | Java安全相关的漏洞和技术demo,原生Java、Fastjson、Jackson、Hessian2、XML反序列化漏洞利用和Dubbo、Shiro、CAS、Tomcat、RMI等框架\中间件\功能的exploits以及Java Security Manager绕过、Dubbo-Hessian2安全加固等等实践代码。 1631 | https://github.com/threedr3am/learnjavabug 1632 | 1633 | CNVD-2020-10487(CVE-2020-1938), tomcat ajp 文件读取漏洞poc 1634 | https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC 1635 | 1636 | python3批量poc检测工具 1637 | https://github.com/saucer-man/saucerframe 1638 | 1639 | AJPy aims to craft AJP requests in order to communicate with AJP connectors. 1640 | https://github.com/hypn0s/AJPy 1641 | ## 二进制及代码分析工具: 1642 | 1643 | 吾爱破解论坛【爱盘】3.0 在线破解工具包 1644 | https://github.com/ganlvtech/down_52pojie_cn 1645 | 1646 | Angr 1647 | http://angr.io/ 1648 | 1649 | BAP 1650 | https://github.com/BinaryAnalysisPlatform/bap 1651 | 1652 | Binary Ninja 1653 | https://binary.ninja/ 1654 | 1655 | Bistro 1656 | http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.309.105&rep=rep1&type=pdf 1657 | 1658 | Diablo 1659 | http://diablo.elis.ugent.be/ 1660 | 1661 | EEL 1662 | http://pages.cs.wisc.edu/~larus/eel.html 1663 | 1664 | libdetox 1665 | https://github.com/HexHive/libdetox 1666 | 1667 | Macaw 1668 | https://github.com/GaloisInc/macaw 1669 | 1670 | McSema 1671 | https://github.com/trailofbits/mcsema 1672 | 1673 | MultiVerse 1674 | https://github.com/utds3lab/multiverse 1675 | 1676 | Pharos 1677 | https://github.com/cmu-sei/pharos 1678 | 1679 | PSI 1680 | http://seclab.cs.stonybrook.edu/seclab/pubs/vee14.pdf 1681 | 1682 | Reins 1683 | https://www.utdallas.edu/~zhiqiang.lin/file/ACSAC12.pdf 1684 | 1685 | Shuffler 1686 | https://www.usenix.org/system/files/conference/osdi16/osdi16-williams-king.pdf 1687 | 1688 | IRDB 1689 | https://git.zephyr-software.com/opensrc/irdb-cookbook-examples 1690 | 1691 | Uroboros 1692 | https://github.com/s3team/uroboros 1693 | 1694 | shellcode分析工具 1695 | https://github.com/suraj-root/smap/ 1696 | 1697 | Shellcode/Obfuscate Code Generator 1698 | https://github.com/zscproject/OWASP-ZSC 1699 | 1700 | linux下逆向工具 1701 | https://github.com/korcankaraokcu/PINCE 1702 | 1703 | Reverse Shell and Post Exploitation Tool 1704 | https://github.com/panagiks/RSPET 1705 | 1706 | 跨平台二进制分析及逆向工具 1707 | https://github.com/programa-stic/barf-project 1708 | 1709 | 恶意ELF二进制文件相似度比较及可视化 1710 | https://github.com/CymaticsCC/elf_similarity 1711 | 1712 | 二进制分析工具 1713 | https://github.com/devttys0/binwalk 1714 | 1715 | 关于软件虚拟化保护(如VMProtect)的资料 1716 | https://github.com/lmy375/awesome-vmp 1717 | 1718 | 系统扫描器,用于寻找程序和库然后收集他们的依赖关系,链接等信息 1719 | https://github.com/quarkslab/binmap 1720 | 1721 | A Qt and C++ GUI for radare2 reverse engineering framework 1722 | https://github.com/radareorg/cutter 1723 | 1724 | rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O. 1725 | https://github.com/0vercl0k/rp 1726 | 1727 | Windows Exploit Development工具 1728 | https://github.com/lillypad/badger 1729 | 1730 | 二进制静态分析工具(python) 1731 | https://github.com/bdcht/amoco 1732 | 1733 | Python Exploit Development Assistance for GDB 1734 | https://github.com/longld/peda 1735 | 1736 | 对BillGates Linux Botnet系木马活动的监控工具 1737 | https://github.com/ValdikSS/billgates-botnet-tracker 1738 | 1739 | Adhrit开源的安卓APK逆向和分析工具 1740 | https://github.com/abhi-r3v0/Adhrit/ 1741 | 1742 | Assesses CPU security of embedded devices. iadgov 1743 | https://github.com/iadgov/Maplesyrup 1744 | 1745 | pypacker: The fast and simple packet creation and parsing lib for Python. 1746 | https://github.com/mike01/pypacker 1747 | 1748 | Windows driver and usermode interface which can hide objects of file-system and registry, protect processes and etc 1749 | https://github.com/JKornev/hidden 1750 | 1751 | IoTSecurityNAT IoT安全测试系统,方便快速接入各种设备,进行安全测试。 1752 | https://github.com/3rdbody/IoTSecurityNAT 1753 | 1754 | 木马配置参数提取工具 1755 | https://github.com/kevthehermit/RATDecoders 1756 | 1757 | Shellphish编写的二进制分析工具(CTF向) 1758 | https://github.com/angr/angr 1759 | 1760 | 针对python的静态代码分析工具 1761 | https://github.com/yinwang0/pysonar2 1762 | 1763 | 一个自动化的脚本(shell)分析工具,用来给出警告和建议 1764 | https://github.com/koalaman/shellcheck 1765 | 1766 | 基于AST变换的简易Javascript反混淆辅助工具 1767 | https://github.com/ChiChou/etacsufbo 1768 | 1769 | 隐写检测工具 1770 | https://github.com/abeluck/stegdetect 1771 | 1772 | 针对各种编程语言的静态分析工具、linters、代码质量检查等 1773 | https://github.com/mre/awesome-static-analysis 1774 | 1775 | 关于逆向的图书、培训、实战、工具等 1776 | https://github.com/tylerhalfpop/awesome-reversing 1777 | 1778 | 常见软件、类库、书籍、技术分析、开发等 1779 | https://github.com/onethawt/reverseengineering-reading-list 1780 | 1781 | awesome-firmware-security是一个平台固件资源的列表,立足于安全和测试 1782 | https://github.com/PreOS-Security/awesome-firmware-security 1783 | 1784 | nary Analysis Platform 1785 | https://github.com/BinaryAnalysisPlatform/bap 1786 | 1787 | libsodium for Universal Windows Platform (UWP) - A secure cryptographic library 1788 | https://github.com/charlesportwoodii/libsodium-uwp 1789 | 1790 | oletools - python tools to analyze MS OLE2 files 1791 | https://github.com/decalage2/oletools 1792 | 1793 | chipwhisperer -- toolchain for side-channel power analysis and glitching attacks 1794 | https://github.com/newaetech/chipwhisperer 1795 | 1796 | OCI (Open Containers Initiative) compatible runtime for Intel® Architectur 1797 | https://github.com/01org/cc-oci-runtime 1798 | 1799 | ICS Security Tools, Tips, and Trade 1800 | https://github.com/ITI/ICS-Security-Tools 1801 | 1802 | ### 移动APP安全扫描 1803 | 1804 | Mobile Security Framework 是一个自动化的移动app安全测试工具,支持Android、iOS和Windows应用,能够进行静态、动态分析以及web API测试 1805 | https://github.com/MobSF/Mobile-Security-Framework-MobSF 1806 | 1807 | MobSF HackingLab定制中文版 1808 | https://github.com/HackingLab/MobileSF 1809 | 1810 | APEiD 用于安卓应用编译,打包,封隔器,保护器,混淆器等 1811 | https://github.com/rednaga/APKiD 1812 | 1813 | QARK linkedin 开源的安卓应用程序源代码安全漏洞分析工具 1814 | https://github.com/linkedin/qark 1815 | 1816 | Drozer FSecureLABS开源的一个全面的Android安全评估框架 1817 | https://github.com/FSecureLABS/drozer 1818 | ## 威胁情报&蜜罐: 1819 | 1820 | 威胁情报资源 1821 | https://github.com/hslatman/awesome-threat-intelligence 1822 | 1823 | 常见IOC资源、工具 1824 | https://github.com/sroberts/awesome-iocs 1825 | 1826 | 数字取证的常见工具资源 1827 | https://github.com/Cugu/awesome-forensics 1828 | 1829 | Ethereum Scam Database诈骗数据库溯新查询 1830 | https://github.com/MrLuit/EtherScamDB 1831 | 1832 | 开源情报:各种开源情报来源 1833 | https://github.com/jivoi/awesome-osint 1834 | 1835 | 帮助安全分析师和数字取证人员 1836 | https://github.com/meirwah/awesome-incident-response 1837 | 1838 | ThreatHunter攻略-帮助安全分析师利用Sysmon和Windows Events日志来进行事件分析,涉及Splunk、ELK、Sigma、GrayLog等工具 1839 | https://github.com/VVard0g/ThreatHunter-Playbook 1840 | 1841 | 社工插件,可查找以email、phone、username的注册的所有网站账号信息 1842 | https://github.com/n0tr00t/Sreg 1843 | 1844 | Github信息搜集,可实时扫描查询git最新上传有关邮箱账号密码信息 1845 | https://github.com/sea-god/gitscan 1846 | 1847 | People tracker on the Internet: OSINT analysis and research tool 1848 | https://github.com/jofpin/trape 1849 | 1850 | 用于MISP分类系统。 1851 | https://github.com/MISP/misp-taxonomies 1852 | 1853 | RegEx 拒绝服务(ReDos)扫描器 https://github.com/jagracey/Regex-DoS 1854 | https://github.com/jagracey/RegEx-DoS 1855 | 1856 | dataShark 构建在Apache Spark的安全和网络事件分析框架 1857 | https://github.com/makemytrip/dataShark 1858 | 1859 | github Repo信息搜集工具 1860 | https://github.com/metac0rtex/GitHarvester 1861 | 1862 | CIF v3 -- 安全威胁情报最快获取 1863 | https://github.com/csirtgadgets/bearded-avenger 1864 | 1865 | 使用CNN进行样本恶意动态行为检测 1866 | https://github.com/zwq0320/malicious_dynamic_behavior_detection_by_cnn 1867 | 1868 | 屏蔽广告,恶意扫描和非法域名的工具(hosts) 1869 | https://github.com/zant95/hBlock 1870 | 1871 | Dradis Framework: IT安全团队协作和报告工具 1872 | https://github.com/dradis/dradis-ce 1873 | 1874 | EggShell (也被正式称为NeonEggShell) 用python写的iOS,OS X 监控工具 1875 | https://github.com/neoneggplant/EggShell 1876 | 1877 | HMAC 时序攻击统计分析 http://eggie5.com/45-hmac-timing-attacks 1878 | https://github.com/eggie5/hmac-timing-attacks 1879 | 1880 | AIL framework - 弱点信息分析框架 1881 | https://github.com/CIRCL/AIL-framework 1882 | 1883 | w11scan是一款分布式的WEB指纹识别系统(包括CMS识别、js框架、组件容器、代码语言、WAF等等) 1884 | https://github.com/boy-hack/w11scan 1885 | 1886 | OWASP依赖扫描报告转为SonarQube 1887 | https://github.com/stevespringett/dependency-check-sonar-plugin 1888 | 1889 | SBT插件用来进行OWASP依赖扫描 1890 | https://github.com/albuch/sbt-dependency-check 1891 | 1892 | Maltrail——非法流量检测系统 1893 | https://github.com/stamparm/maltrail 1894 | 1895 | Seebug、structs、cve漏洞实时监控推送系统🔦 1896 | https://github.com/FortuneC00kie/bug-monitor 1897 | 1898 | Logstash 日志安全攻击分析插件 1899 | https://github.com/anbai-inc/AttackFilter 1900 | 1901 | net-creds:从网络嗅探或Pcap 文件提取敏感数据的工具 1902 | https://github.com/DanMcInerney/net-creds 1903 | 1904 | 开源的恶意代码查杀引擎,模式匹配是瑞士军刀(支持二进制) 1905 | https://github.com/VirusTotal/yara 1906 | 1907 | Klara 基于Rara引擎的威胁情报恶意代码发现辅助项目 1908 | https://github.com/KasperskyLab/klara 1909 | 1910 | awesome-yara YARA规则、工具和相关信息集。 1911 | https://github.com/InQuest/awesome-yara 1912 | 1913 | scylla: 人性化智能IP代理池 1914 | https://github.com/imWildCat/scylla 1915 | 1916 | 用于机器学习模型的对抗鲁棒性工具箱 1917 | https://github.com/IBM/adversarial-robustness-toolbox 1918 | 1919 | 射箭:开源漏洞评估和管理 1920 | https://github.com/archerysec/archerysec 1921 | 1922 | A fork and successor of the Sulley Fuzzing Framework 1923 | https://github.com/jtpereyda/boofuzz 1924 | 1925 | BTA is an open-source Active Directory security audit framework 1926 | https://github.com/airbus-seclab/bta 1927 | 1928 | Graph platform for Detection and Response 1929 | https://github.com/insanitybit/grapl 1930 | 1931 | Open Cyber Threat Intelligence Platform https://www.opencti.io 1932 | https://github.com/OpenCTI-Platform/opencti 1933 | 1934 | 深度利用 1935 | https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit 1936 | 1937 | Halcyon IDE:Nmap脚本开发IDE 1938 | https://github.com/s4n7h0/Halcyon 1939 | 1940 | SimpleRisk资源 1941 | https://github.com/simplerisk 1942 | 1943 | TROMMEL:Sift Through Embedded Device Files to Identify Potential Vulnerable Indicators 1944 | https://github.com/CERTCC/trommel 1945 | 1946 | IoT Pentesting 101 && IoT security 101 1947 | https://github.com/V33RU/IoTSecurity101 1948 | 1949 | Deep and Dark Web OSINT Tool 1950 | https://github.com/DedSecInside/TorBot 1951 | 1952 | ### 蜜罐集 1953 | 1954 | 蜜罐资源合集 1955 | https://github.com/paralax/awesome-honeypots 1956 | 1957 | SSH蜜罐 1958 | https://github.com/desaster/kippo 1959 | 1960 | kippo进阶版 1961 | https://github.com/micheloosterhof/cowrie 1962 | 1963 | SMTP蜜罐 1964 | https://github.com/awhitehatter/mailoney 1965 | 1966 | Web应用蜜罐 1967 | https://github.com/mushorg/glastopf 1968 | 1969 | 数据库蜜罐 1970 | https://github.com/jordan-wright/elastichoney 1971 | 1972 | Web蜜罐 1973 | https://github.com/atiger77/Dionaea 1974 | 1975 | ICS/SCADA蜜罐 1976 | https://github.com/mushorg/conpot 1977 | 1978 | MongoDB代理蜜罐 1979 | https://github.com/Plazmaz/MongoDB-HoneyProxy 1980 | 1981 | T-Pot:多蜜罐平台,可视化分析。 1982 | https://github.com/dtag-dev-sec/tpotce/ 1983 | 1984 | opencanary_web:蜜罐的网络管理平台。 1985 | https://github.com/p1r06u3/opencanary_web 1986 | 1987 | Honeyd:一个小型守护进程,可以在网络上创建虚拟主机。 1988 | http://www.honeyd.org/ 1989 | 1990 | Glastopf Python Web应用程序蜜罐。 1991 | https://github.com/mushorg/glastopf 1992 | 1993 | Cowrie :一种中等交互式SSH和Telnet蜜罐,用于记录暴力攻击和攻击者执行的shell交互。 1994 | https://github.com/cowrie/cowrie 1995 | 1996 | Kippo:一个中等交互式SSH蜜罐,用于记录暴力攻击,最重要的是,攻击者执行的整个shell交互。 1997 | https://github.com/desaster/kippo 1998 | 1999 | Dionaea:一个低交互的蜜罐,能够模拟FTP/HTTP/MSSQL/MYSQL/SMB等服务。 2000 | https://github.com/DinoTools/dionaea 2001 | 2002 | onpot:一个ICS蜜罐,其目标是收集有关针对工业控制系统的敌人的动机和方法的情报。 2003 | https://github.com/mushorg/conpot 2004 | 2005 | 扩展企业安全测试主动诱导型蜜罐框架系统 2006 | https://github.com/hacklcx/HFish 2007 | 2008 | Wordpot:一个Wordpress蜜罐,可以检测用于指纹wordpress安装的插件,主题,timthumb和其他常用文件的探针。 2009 | https://github.com/gbrindisi/wordpot 2010 | 2011 | Shockpot:针对CVE-2014-6271的一个Web应蜜罐,用于发现针对Bash远程代码漏洞的攻击者。 2012 | https://github.com/threatstream/shockpot 2013 | 2014 | 对开源蜜罐的学习研究与理解 2015 | https://github.com/XiaoXiaoGuaiXiaShi/OpenSource-HoneyPot 2016 | # 安全文档资料 2017 | 2018 | Awesome-Hacking黑客、渗透,安全研究文档集 2019 | https://github.com/Hack-with-Github/Awesome-Hacking 2020 | 2021 | 黑客必读电子书 2022 | https://github.com/Hack-with-Github/Free-Security-eBooks 2023 | 2024 | 黑客成长技术清单 2025 | https://github.com/carpedm20/awesome-hacking 2026 | 2027 | snowden-archive -- NSA承包商Edward Snowden泄露文档合集 2028 | https://github.com/iamcryptoki/snowden-archive 2029 | 2030 | Awesome-Vehicle-Security 汽车安全合集包括文档、软硬件应用 2031 | https://github.com/jaredthecoder/awesome-vehicle-security 2032 | 2033 | Awesome-Security——一个社区驱动的知名安全资源分类集合 2034 | https://github.com/sbilly/awesome-security 2035 | 2036 | 应用程序安全的资源列表 2037 | https://github.com/paragonie/awesome-appsec 2038 | 2039 | 安全公众号推荐 2040 | https://github.com/bollwarm/awesome-security-weixin-official-accounts 2041 | 2042 | DFTimewolf A framework for orchestrating forensic collection, processing and data export. 2043 | https://github.com/log2timeline/dftimewolf 2044 | 2045 | 安全脑图合集 2046 | https://github.com/phith0n/Mind-Map 2047 | 2048 | 有关信息安全的一些流程图收集 2049 | https://github.com/SecWiki/sec-chart/tree/294d7c1ff1eba297fa892dda08f3c05e90ed1428 2050 | 2051 | 在学习Software安全的过程中整合的一些资料 2052 | https://github.com/CHYbeta/Software-Security-Learning 2053 | 2054 | 有关cryptography, security, OPSEC以及其他工程的演讲集 2055 | https://github.com/freddymartinez9/securitytalks 2056 | 2057 | cis-benchmarks 常用服务器、数据库、中间件安全配置基线(英文pdf下载) 2058 | https://www.cisecurity.org/cis-benchmarks/ 2059 | 2060 | Kinda useful notes collated together publicly 2061 | https://github.com/unprovable/PentestHardware 2062 | 2063 | 一个验证密码JS库,通过对比常见密码,提示密码问题 2064 | https://github.com/kn9ts/dumb-passwords 2065 | 2066 | 网络安全AI信息:相关研究的数据集、论文、书籍、演讲等 2067 | https://github.com/jivoi/awesome-ml-for-cybersecurity 2068 | 2069 | ACM CCS 2017 会议集 2070 | https://dl.acm.org/citation.cfm?id=3133956 2071 | 2072 | 2017 IEEE Cybersecurity Development (SecDev大会录用论文) 2073 | http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=8071083 2074 | 2075 | Golang for Security Professionals 2076 | https://github.com/parsiya/Hacking-with-Go 2077 | 2078 | 域渗透教程 2079 | https://github.com/l3m0n/pentest_study 2080 | 2081 | python security教程(原文链接http//www.primalsecurity.net/tutorials/python-tutorials/) 2082 | https://github.com/smartFlash/pySecurity 2083 | 2084 | 域渗透学习笔记 2085 | https://github.com/uknowsec/Active-Directory-Pentest-Notes 2086 | 2087 | 渗透测试文档https://ptestmethod.readthedocs.io/en/latest/ 2088 | https://github.com/Maximevilla/PtestMethod 2089 | 2090 | data_hacking合集 2091 | https://github.com/ClickSecurity/data_hacking 2092 | 2093 | 手机安全wiki 2094 | https://github.com/exploitprotocol/mobile-security-wiki 2095 | 2096 | windows 内网协议学习:erbeos,ntlm,smb,ldap 2097 | https://github.com/daikerSec/windows_protocol 2098 | 2099 | Web安全入门各种书籍、文档、工具 2100 | https://github.com/infoslack/awesome-web-hacking 2101 | 2102 | 各种Android工具、报告/研究/书籍、漏洞/利用代码等资源 2103 | https://github.com/ashishb/android-security-awesome 2104 | 2105 | 恶意软件集、开源威胁情报、检测、沙箱等 2106 | https://github.com/rshipp/awesome-malware-analysis 2107 | 2108 | 书籍《reverse-engineering-for-beginners》 2109 | https://github.com/veficos/reverse-engineering-for-beginners 2110 | 2111 | 一些信息安全标准及设备配置 2112 | https://github.com/luyg24/IT_security 2113 | 2114 | PENTESTING-BIBLE:数百项道德黑客与渗透测试,红色团队,网络安全和计算机科学资源 2115 | https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE 2116 | 2117 | 分享在建设安全管理体系、ISO27001、等级保护、安全评审过程中的点点滴滴 2118 | https://github.com/ym2011/SecurityManagement 2119 | 2120 | 2013-2017年各类安全大会演讲视频集 2121 | https://github.com/PaulSec/awesome-sec-talks 2122 | 2123 | ⚡️ 极棒的有关安全手册、黑客,单行脚本,cli/web工具等的列表。 2124 | https://github.com/trimstray/the-book-of-secret-knowledge 2125 | 2126 | 关于网络安全相关的RSS订阅,情报来源和日常知识库更新: 2127 | https://github.com/zer0yu/CyberSecurityRSS 2128 | 2129 | 社工资源集——仅供网络安全人员、渗透测试人员在受控环境用于教育用途 2130 | https://github.com/v2-dev/awesome-social-engineering 2131 | 2132 | 密码学的理论、工具、框架、资源等 2133 | https://github.com/sobolevn/awesome-cryptography 2134 | 2135 | APT相关笔记 2136 | https://github.com/kbandla/APTnotes 2137 | 2138 | Kcon资料 2139 | https://github.com/knownsec/KCon 2140 | 2141 | Micro8安全渗透十年经验集合:括但不限制于代码审计,web渗透,内网渗透,域渗透,隧道介绍,日志溯源与暴力溯源等 2142 | https://github.com/Micropoor/Micro8 2143 | 2144 | Install and Configure Common Car Hacking Tools. https://carhacking.tools 2145 | https://github.com/jgamblin/CarHackingTools 2146 | 2147 | 安全大礼包(大杂烩) 2148 | https://github.com/bayandin/awesome-awesomeness 2149 | 2150 | 各种信息安全公开课、培训信息 2151 | https://github.com/onlurking/awesome-infosec 2152 | 2153 | 零碎的GitHub安全项目汇总,涉及PWND、PowerShell、CTF、恶意软件等 2154 | https://github.com/FuzzySecurity/Resource-List 2155 | 2156 | Gera安全例程镜像 2157 | https://github.com/deadbits/InsecureProgramming 2158 | 2159 | That Doesnt Suck安全指南 2160 | https://github.com/rmusser01/Infosec_Reference 2161 | 2162 | Shell命令行、工具、指南列表集 2163 | https://github.com/alebcay/awesome-shell 2164 | 2165 | <>电子杂志,分享同领域黑客关注的东西和黑客生活,已出版4期(截止2015) 2166 | https://github.com/citypw/DNFWAH 2167 | 2168 | 安全知识库,包括网络分析、Web应用、开源情报、漏洞分析、编程开发等 2169 | https://github.com/nixawk/pentest-wiki 2170 | 2171 | ThatDoesntSuck安全指南 2172 | https://github.com/rmusser01/Infosec_Reference 2173 | 2174 | 安全测试人员进行评估检查需要用到的技能 2175 | https://github.com/danielmiessler/SecLists 2176 | 2177 | WeReport: 渗透报告自动化生成平台 2178 | https://github.com/bugsafe/WeReport 2179 | 2180 | 射频资源集合,包括SDR、GSM、3G、4G LTE、NFC、RFID、ZigBee等 2181 | https://github.com/cn0xroot/RFSec-ToolKit 2182 | 2183 | 学习Web/Cloud/Docker 安全、渗透测试、安全建设笔记 2184 | https://github.com/JnuSimba/MiscSecNotes 2185 | 2186 | 安全文章收集 2187 | https://github.com/tom0li/collection-document 2188 | 2189 | Linux 安全时记录笔记 2190 | https://github.com/JnuSimba/LinuxSecNotes 2191 | 2192 | 信息安全从业者书单推荐 2193 | https://github.com/riusksk/secbook 2194 | 2195 | Android 安全笔记 2196 | https://github.com/JnuSimba/AndroidSecNotes 2197 | 2198 | 安全技能树小密圈2017精选 2199 | https://github.com/h4ck0ne/security_circle_2017 2200 | 2201 | Android应用安全的众测list 2202 | https://github.com/B3nac/Android-Reports-and-Resources 2203 | 2204 | 车辆安全的学习资源、项目、软硬件、汽车黑客案例、Twitter follower列表等 2205 | https://github.com/jaredmichaelsmith/awesome-vehicle-security 2206 | 2207 | 聚合大量IoT破解案例,如RFID、门铃、中控、可穿戴等 2208 | https://github.com/nebgnahz/awesome-iot-hacks 2209 | 2210 | 包括工具、蜜罐、数据、警报和新闻、会议各种工控安全等 2211 | https://github.com/hslatman/awesome-industrial-control-system-security 2212 | 2213 | 数字取证论文集合(摄像头特征) 2214 | https://github.com/NetSecLab/Paper_for_Digital_Forensics 2215 | 2216 | 渗透测试技巧 2217 | https://github.com/xssfile/Attack-data 2218 | 2219 | 以太坊合约审计checkList @知道创宇404区块链安全研究团队 2220 | https://github.com/knownsec/Ethereum-Smart-Contracts-Security-CheckList 2221 | 2222 | Spring Security provides security services for the Spring IO Platform. Spring Security 5.0 requires Spring 5.0 as a minimum and also requires Java 8. 2223 | https://github.com/spring-projects/spring-security 2224 | 2225 | Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications. 2226 | https://github.com/spring-projects/spring-security-oauth 2227 | 2228 | Iptables Essentials: Common Firewall Rules and Commands. 2229 | https://github.com/trimstray/iptables-essentials#manuals-howtos-tutorials 2230 | 2231 | Curated list of awesome cloud security blogs, podcasts, standards, projects, and examples. 2232 | https://github.com/Funkmyster/awesome-cloud-security 2233 | 2234 | List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. 2235 | https://github.com/toniblyx/my-arsenal-of-aws-security-tools 2236 | 2237 | Cloud Custodian is a rules engine for managing public cloud accounts and resources 2238 | https://github.com/capitalone/cloud-custodian 2239 | 2240 | scripts, tools, extensions, automations, for Azure subscription and resource security 2241 | https://github.com/azsk/DevOpsKit-docs 2242 | 2243 | 甲方企业安全建设开源之路 2244 | https://github.com/bloodzer0/Enterprise_Security_Build--Open_Source/ 2245 | 2246 | 初创企业安全起步 2247 | https://devd.me/log//posts/startup-security/ 2248 | 2249 | ## 学习资料 2250 | 2251 | 📚 List of awesome university courses for learning Computer Science! 2252 | https://github.com/prakhar1989/awesome-courses 2253 | 2254 | 💻 An awesome & curated list of best applications and tools for Windows. 2255 | https://github.com/Awesome-Windows/Awesome 2256 | 2257 | Curated list of awesome lists 2258 | https://github.com/sindresorhus/awesome 2259 | 2260 | Awesome & Interesting Talks concerning Programming 2261 | https://github.com/hellerve/programming-talks#creative-coding 2262 | 2263 | 生信,大数据,机器学习,各种程序语言等等资源集合 2264 | https://github.com/shenwei356/awesome 2265 | 2266 | 中文公开聊天语料库 2267 | https://github.com/codemayq/chaotbot_corpus_Chinese 2268 | 2269 | 图书配套代码 精通渗透测试机器学习 2270 | https://github.com/PacktPublishing/Mastering-Machine-Learning-for-Penetration-Testing 2271 | 2272 | awesome cheatsheet 2273 | https://github.com/detailyang/awesome-cheatsheet 2274 | 2275 | 机器学习和安全 2276 | https://github.com/13o-bbr-bbq/machine_learning_security 2277 | 2278 | iOS hack资料 2279 | https://github.com/Siguza/ios-resources 2280 | 2281 | Green-hat-suite is a tool to make meterpreter evade antivirus 2282 | https://github.com/Green-m/green-hat-suite 2283 | 2284 | 慢雾安全团队知识库 2285 | https://github.com/slowmist/Knowledge-Base/ 2286 | 2287 | BlockChain-Security-List 区块链加密币安全列表 (reverse, exploit, fuzz..) 2288 | https://github.com/im-bug/BlockChain-Security-List 2289 | 2290 | 比特币的最佳集合 2291 | https://github.com/kennethreitz/awesome-coins 2292 | 2293 | 知道创宇研发技能表 2294 | https://github.com/knownsec/RD_Checklist 2295 | 2296 | architect-awesome:后端架构师技术图谱 2297 | https://github.com/xingshaocheng/architect-awesome 2298 | 2299 | Git学习资料 2300 | https://github.com/xirong/my-git 2301 | 2302 | 计算机科学视频教程集 2303 | https://github.com/Developer-Y/cs-video-courses 2304 | 2305 | 安卓开源代码解析 2306 | https://github.com/android-cn/android-open-project-analysis 2307 | 2308 | JS 正则表达式库(用于简化构造复杂的JS正则表达式) 2309 | https://github.com/VerbalExpressions/JSVerbalExpressions 2310 | 2311 | PHP生成安全随机数、加密数据、检查漏洞等类库 2312 | https://github.com/ziadoz/awesome-php#security 2313 | 2314 | 科学上网工具 2315 | https://github.com/XX-net/XX-Net 2316 | 2317 | 全功能私有云云平台 2318 | https://github.com/zelon88/HRCloud2 2319 | 2320 | 亚马逊云服务AWS实践指南 2321 | https://github.com/open-guides/og-aws 2322 | 2323 | 撰写安全代码最小备忘单子 2324 | https://github.com/GoSecure/security-cheat-sheet 2325 | 2326 | 关于系统、数据库、IDE、编程语言等方面的免费书 2327 | https://github.com/EbookFoundation/free-programming-books/ 2328 | 2329 | 一个爬取国内技术站点的技术文章 2330 | https://github.com/smile0304/Technical_Article_Spider/ 2331 | 2332 | 渗透和开发小技巧 2333 | https://github.com/3gstudent/Pentest-and-Development-Tips 2334 | 2335 | 🚀苹果macOS 开源应用集 2336 | https://github.com/serhii-londar/open-source-mac-os-apps#games 2337 | 2338 | ### Python工具: 2339 | 2340 | Python应用安全框架 2341 | https://github.com/YosaiProject/yosai 2342 | 2343 | python安全和代码审计相关资料收集 2344 | https://github.com/bit4woo/python_sec 2345 | 2346 | pyc反编译脚本 2347 | https://github.com/gstarnberger/uncompyle 2348 | 2349 | pycipher python加解密库 2350 | https://github.com/jameslyons/pycipher 2351 | 2352 | 可视化python性能分析工具 2353 | https://github.com/nvdv/vprof 2354 | 2355 | Flask认证 2356 | https://github.com/miguelgrinberg/Flask-HTTPAuth 2357 | 2358 | ViperMonkey,VBA解析和模拟机,用来分析非法宏代码 2359 | https://github.com/decalage2/ViperMonkey 2360 | 2361 | XLearning是一款支持多种机器学习、深度学习框架调度系统. 2362 | https://github.com/Qihoo360/XLearning/ 2363 | 2364 | 一些资源和工具里list 2365 | https://github.com/pe3zx/my-awesome 2366 | 2367 | Tensorflow实战学习笔记 2368 | https://github.com/MachineLP/Tensorflow- 2369 | 2370 | 声音可视化工具集 2371 | https://github.com/willianjusten/awesome-audio-visualization 2372 | 2373 | ### 代码审计 2374 | 2375 | 安全代码审计工具 2376 | https://github.com/hardenedlinux/srcinv 2377 | 2378 | ### 编程资料 2379 | 2380 | 多个语言简明教程 2381 | http://xahlee.info/comp/comp_lang_tutorials_index.html 2382 | 2383 | An extensive list of interesting open source projects written in С, C++, Clojure, Lisp, Elixir, Erlang, Elm, Golang, Haskell, JavaScript, Lua, OCaml, Python, R, Ruby, Rust, Scala etc. 2384 | https://github.com/lk-geimfari/awesomo 2385 | 2386 | A curated list of Rust code and resources. 2387 | https://github.com/rust-unofficial/awesome-rust 2388 | 2389 | python 正则表达式库(用于简化构造复杂的python正则表达式) 2390 | https://github.com/VerbalExpressions/PythonVerbalExpressions 2391 | 2392 | python任务管理以及命令执行库 2393 | https://github.com/pyinvoke/invoke 2394 | 2395 | python exe打包库 2396 | https://github.com/pyinstaller/pyinstaller 2397 | 2398 | py3 爬虫框架 2399 | https://github.com/orf/cyborg 2400 | 2401 | 一个提供底层接口数据包编程和网络协议支持的python库 2402 | https://github.com/CoreSecurity/impacket 2403 | 2404 | python requests 库 2405 | https://github.com/kennethreitz/requests 2406 | 2407 | python 实用工具合集 2408 | https://github.com/mahmoud/boltons 2409 | 2410 | python爬虫系统 2411 | https://github.com/binux/pyspider 2412 | 2413 | ScrapedIn,LinkedIn爬虫 2414 | https://github.com/dchrastil/ScrapedIn 2415 | 2416 | ctf向 python工具包 2417 | https://github.com/P1kachu/v0lt 2418 | 2419 | python框架,库,资源大合集 2420 | https://github.com/vinta/awesome-python 2421 | 2422 | python资源大全 2423 | https://github.com/jobbole/awesome-python-cn 2424 | 2425 | ## AI&LMM安全隐私 2426 | 2427 | agentic_security 大型语言模型 (LLM) 的开源漏洞扫描程序,保护人工智能系统免受越狱、模糊测试和多模式攻击。 https://github.com/msoedov/agentic_security 2428 | 2429 | Awesome-LM-SSP 大模型安全隐私集 https://github.com/ThuCCSLab/Awesome-LM-SSP 2430 | 2431 | agentic-radar 大模型代理端工作流安全扫描 https://github.com/splx-ai/agentic-radar 2432 | 2433 | llm-sp 大模型安全和隐私论文和资源集 https://github.com/chawins/llm-sp 2434 | 2435 | llm-security-101 大模型安全安全初步,包括攻防工具及其现状 https://github.com/Seezo-io/llm-security-101 2436 | 2437 | AIJack: 机器学习安全和隐私风险模拟器,支持大量攻防算法 https://github.com/Koukyosyumei/AIJack 2438 | 2439 | awesome-ai-security AI安全框架,标准,学习资源和工具集 https://github.com/ottosulin/awesome-ai-security 2440 | 2441 | PurpleLlama meta的评估和改善大模型安全的工具集 https://github.com/meta-llama/PurpleLlama 2442 | 2443 | llm-security Dropbox的Prompt注入方法 https://github.com/dropbox/llm-security 2444 | 2445 | llm-security 间接Prompt注入,一种模仿大模型进行钓鱼攻击 https://github.com/greshake/llm-security 2446 | 2447 | vulnhuntr 使用大模型和静态分析工具的远程仓库安全评估 https://github.com/protectai/vulnhuntr 2448 | 2449 | Awesome_GPT_Super_Prompting 大模型安全集,包括ChatGPT越狱、GPT 助手提示泄漏、GPTs提示注入、LLM提示安全、超级提示、Prompt 黑客、Prompt安全、AI Prompt工程、对抗性机器学习 、https://github.com/CyberAlbSecOP/Awesome_GPT_Super_Prompting 2450 | 2451 | Awesome-Jailbreak-on-LLMs 大模型越狱集,包括论文、代码、数据集以及评估分析方法 github.com/yueliu1999/Awesome-Jailbreak-on-LLMs 2452 | 2453 | LLM Hacker's Handbook 大模型黑客手册 https://github.com/forcesunseen/llm-hackers-handbook 2454 | -------------------------------------------------------------------------------- /BinaryAnalysis.md: -------------------------------------------------------------------------------- 1 | ## 二进制及代码分析工具: 2 | 3 | 吾爱破解论坛【爱盘】3.0 在线破解工具包 4 | https://github.com/ganlvtech/down_52pojie_cn 5 | 6 | Angr 7 | http://angr.io/ 8 | 9 | BAP 10 | https://github.com/BinaryAnalysisPlatform/bap 11 | 12 | Binary Ninja 13 | https://binary.ninja/ 14 | 15 | Bistro 16 | http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.309.105&rep=rep1&type=pdf 17 | 18 | Diablo 19 | http://diablo.elis.ugent.be/ 20 | 21 | EEL 22 | http://pages.cs.wisc.edu/~larus/eel.html 23 | 24 | libdetox 25 | https://github.com/HexHive/libdetox 26 | 27 | Macaw 28 | https://github.com/GaloisInc/macaw 29 | 30 | McSema 31 | https://github.com/trailofbits/mcsema 32 | 33 | MultiVerse 34 | https://github.com/utds3lab/multiverse 35 | 36 | Pharos 37 | https://github.com/cmu-sei/pharos 38 | 39 | PSI 40 | http://seclab.cs.stonybrook.edu/seclab/pubs/vee14.pdf 41 | 42 | Reins 43 | https://www.utdallas.edu/~zhiqiang.lin/file/ACSAC12.pdf 44 | 45 | Shuffler 46 | https://www.usenix.org/system/files/conference/osdi16/osdi16-williams-king.pdf 47 | 48 | IRDB 49 | https://git.zephyr-software.com/opensrc/irdb-cookbook-examples 50 | 51 | Uroboros 52 | https://github.com/s3team/uroboros 53 | 54 | shellcode分析工具 55 | https://github.com/suraj-root/smap/ 56 | 57 | Shellcode/Obfuscate Code Generator 58 | https://github.com/zscproject/OWASP-ZSC 59 | 60 | linux下逆向工具 61 | https://github.com/korcankaraokcu/PINCE 62 | 63 | Reverse Shell and Post Exploitation Tool 64 | https://github.com/panagiks/RSPET 65 | 66 | 跨平台二进制分析及逆向工具 67 | https://github.com/programa-stic/barf-project 68 | 69 | 恶意ELF二进制文件相似度比较及可视化 70 | https://github.com/CymaticsCC/elf_similarity 71 | 72 | 二进制分析工具 73 | https://github.com/devttys0/binwalk 74 | 75 | 关于软件虚拟化保护(如VMProtect)的资料 76 | https://github.com/lmy375/awesome-vmp 77 | 78 | 系统扫描器,用于寻找程序和库然后收集他们的依赖关系,链接等信息 79 | https://github.com/quarkslab/binmap 80 | 81 | A Qt and C++ GUI for radare2 reverse engineering framework 82 | https://github.com/radareorg/cutter 83 | 84 | rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O. 85 | https://github.com/0vercl0k/rp 86 | 87 | Windows Exploit Development工具 88 | https://github.com/lillypad/badger 89 | 90 | 二进制静态分析工具(python) 91 | https://github.com/bdcht/amoco 92 | 93 | Python Exploit Development Assistance for GDB 94 | https://github.com/longld/peda 95 | 96 | 对BillGates Linux Botnet系木马活动的监控工具 97 | https://github.com/ValdikSS/billgates-botnet-tracker 98 | 99 | Adhrit开源的安卓APK逆向和分析工具 100 | https://github.com/abhi-r3v0/Adhrit/ 101 | 102 | Assesses CPU security of embedded devices. iadgov 103 | https://github.com/iadgov/Maplesyrup 104 | 105 | pypacker: The fast and simple packet creation and parsing lib for Python. 106 | https://github.com/mike01/pypacker 107 | 108 | Windows driver and usermode interface which can hide objects of file-system and registry, protect processes and etc 109 | https://github.com/JKornev/hidden 110 | 111 | IoTSecurityNAT IoT安全测试系统,方便快速接入各种设备,进行安全测试。 112 | https://github.com/3rdbody/IoTSecurityNAT 113 | 114 | 木马配置参数提取工具 115 | https://github.com/kevthehermit/RATDecoders 116 | 117 | Shellphish编写的二进制分析工具(CTF向) 118 | https://github.com/angr/angr 119 | 120 | 针对python的静态代码分析工具 121 | https://github.com/yinwang0/pysonar2 122 | 123 | 一个自动化的脚本(shell)分析工具,用来给出警告和建议 124 | https://github.com/koalaman/shellcheck 125 | 126 | 基于AST变换的简易Javascript反混淆辅助工具 127 | https://github.com/ChiChou/etacsufbo 128 | 129 | 隐写检测工具 130 | https://github.com/abeluck/stegdetect 131 | 132 | 针对各种编程语言的静态分析工具、linters、代码质量检查等 133 | https://github.com/mre/awesome-static-analysis 134 | 135 | 关于逆向的图书、培训、实战、工具等 136 | https://github.com/tylerhalfpop/awesome-reversing 137 | 138 | 常见软件、类库、书籍、技术分析、开发等 139 | https://github.com/onethawt/reverseengineering-reading-list 140 | 141 | awesome-firmware-security是一个平台固件资源的列表,立足于安全和测试 142 | https://github.com/PreOS-Security/awesome-firmware-security 143 | 144 | nary Analysis Platform 145 | https://github.com/BinaryAnalysisPlatform/bap 146 | 147 | libsodium for Universal Windows Platform (UWP) - A secure cryptographic library 148 | https://github.com/charlesportwoodii/libsodium-uwp 149 | 150 | oletools - python tools to analyze MS OLE2 files 151 | https://github.com/decalage2/oletools 152 | 153 | chipwhisperer -- toolchain for side-channel power analysis and glitching attacks 154 | https://github.com/newaetech/chipwhisperer 155 | 156 | OCI (Open Containers Initiative) compatible runtime for Intel® Architectur 157 | https://github.com/01org/cc-oci-runtime 158 | 159 | ICS Security Tools, Tips, and Trade 160 | https://github.com/ITI/ICS-Security-Tools 161 | 162 | ### 移动APP安全扫描 163 | 164 | Mobile Security Framework 是一个自动化的移动app安全测试工具,支持Android、iOS和Windows应用,能够进行静态、动态分析以及web API测试 165 | https://github.com/MobSF/Mobile-Security-Framework-MobSF 166 | 167 | MobSF HackingLab定制中文版 168 | https://github.com/HackingLab/MobileSF 169 | 170 | APEiD 用于安卓应用编译,打包,封隔器,保护器,混淆器等 171 | https://github.com/rednaga/APKiD 172 | 173 | QARK linkedin 开源的安卓应用程序源代码安全漏洞分析工具 174 | https://github.com/linkedin/qark 175 | 176 | Drozer FSecureLABS开源的一个全面的Android安全评估框架 177 | https://github.com/FSecureLABS/drozer 178 | -------------------------------------------------------------------------------- /BlackHat2018.md: -------------------------------------------------------------------------------- 1 | 2 | ## 2018 Blackhat 工具列表 3 | 4 | ### Android,iOS和移动黑客 5 | 6 | 易受攻击的iOS应用程序:Swift版 7 | https://github.com/prateek147/DVIA-v2 8 | 9 | ### 代码评估 10 | 11 | OWASP依赖性检查 12 | https://github.com/jeremylong/DependencyCheck 13 | 14 | 美洲狮扫描 15 | https://github.com/pumasecurity/puma-scan 16 | 17 | ### 加密 18 | 19 | DeepViolet:SSL/TLS扫描API和工具 20 | https://github.com/spoofzu/DeepViolet 21 | 22 | ### 数据取证和事件响应 23 | 24 | 初学者到专家 25 | https://github.com/bro/bro 26 | 27 | CyBot:开源威胁情报聊天机器人 28 | https://github.com/CylanceSPEAR/CyBot 29 | 30 | LogonTracer 31 | https://github.com/JPCERTCC/LogonTracer 32 | 33 | rastrea2r(重新加载!):用Gusto和Style收集和狩猎IOC 34 | https://github.com/rastrea2r/rastrea2r 35 | 36 | RedHunt OS(VM):用于对手仿真和威胁搜索的虚拟机 37 | https://github.com/redhuntlabs/RedHunt-OS 38 | 39 | ### 剥削与道德黑客 40 | 41 | AVET:AntiVirus Evasion Tool 42 | https://github.com/govolution/avet 43 | 44 | DSP:Docker安全游乐场 45 | https://github.com/giper45/DockerSecurityPlayground 46 | 47 | hideNsneak:攻击混淆框架 48 | https://github.com/rmikehodges/hideNsneak 49 | 50 | 梅林 51 | https://github.com/Ne0nd0g/merlin 52 | 53 | RouterSploit 54 | https://github.com/threat9/routersploit 55 | 56 | ### 硬件/嵌入式 57 | 58 | ChipWhisperer 59 | https://github.com/newaetech/chipwhisperer 60 | 61 | JTAGulator :揭开硬件安全的致命弱点 62 | https://github.com/grandideastudio/jtagulator 63 | 64 | Micro-Renovator:将处理器固件带入代码 65 | https://github.com/syncsrc/MicroRenovator 66 | 67 | TumbleRF:RF模糊变得容易 68 | https://github.com/riverloopsec/tumblerf 69 | 70 | Walrus:充分利用您的卡片克隆设备 71 | https://github.com/TeamWalrus/Walrus 72 | 73 | ### 物联网 74 | 75 | 物联网设备的可扩展动态分析框架 76 | https://github.com/sycurelab/DECAF 77 | 78 | BLE CTF项目 79 | https://github.com/hackgnar/ble_ctf 80 | 81 | WHID注射器和WHID Elite:新一代HID攻击性设备 82 | https://github.com/whid-injector/WHID 83 | 84 | ### 恶意软件防御 85 | 86 | 为每位安全研究人员提供高级深度学习分析平台 87 | https://github.com/intel/Resilient-ML-Research-Platform 88 | 89 | EKTotal 90 | https://github.com/nao-sec/ektotal 91 | 92 | 固件审计:Blue Teams和DFIR的平台固件安全自动化 93 | https://github.com/PreOS-Security/fwaudit 94 | 95 | MaliceIO 96 | https://github.com/maliceio/malice 97 | 98 | 目标 – 参见MacOS安全工具 99 | https://github.com/ob jective-see 100 | 101 | ### 恶意软件进攻 102 | 103 | BloodHound 1.5 104 | https://github.com/BloodHoundAD/BloodHound 105 | 106 | ### 网络攻击 107 | 108 | 军械库 109 | https://github.com/depthsecurity/armory 110 | 111 | Chiron:一种先进的IPv6安全评估和渗透测试框架 112 | https://github.com/aatlasis/Chiron 113 | 114 | DELTA:SDN安全评估框架 115 | https://github.com/OpenNetworkingFoundation/DELTA 116 | 117 | Mallet:任意协议的拦截代理 118 | https://github.com/sensepost/mallet 119 | 120 | PowerUpSQL:用于在企业环境中攻击SQL Server的PowerShell工具包 121 | https://github.com/NetSPI/PowerUpSQL 122 | 123 | WarBerryPi 124 | https://github.com/secgroundzero/warberry 125 | 126 | ### 网络防御 127 | 128 | ANWI(全新无线IDS):5美元的WIDS 129 | https://github.com/SanketKarpe/anwi 130 | 131 | CHIRON:基于家庭的网络分析和机器学习威胁检测框架 132 | https://github.com/jzadeh/chiron-elk 133 | 134 | 云安全套件:AWS / GCP / Azure安全审计的一站式工具 135 | https://github.com/SecurityFTW/cs-suite 136 | 137 | DejaVu:一个开源欺骗框架 138 | https://github.com/bhdresh/Dejavu 139 | 140 | ### OSINT – 开源智能 141 | 142 | DataSploit 2.0 143 | https://github.com/DataSploit/datasploit 144 | 145 | Dradis 框架:了解如何将报告时间缩短一半 146 | https://github.com/dradis/dradis-ce 147 | 148 | ### 逆向工程 149 | 150 | Snake:恶意软件存储动物园 151 | https://github.com/countercept/snake 152 | 153 | ### 智能电网/工业安全 154 | 155 | GRFICS :工业控制模拟的图形现实主义框架 156 | https://github.com/djformby/GRFICS 157 | 158 | 用于机器学习模型的对抗鲁棒性工具箱 159 | https://github.com/IBM/adversarial-robustness-toolbox 160 | 161 | Android动态分析工具(ADA) 162 | https://github.com/ANELKAOS/ada 163 | 164 | 射箭:开源漏洞评估和管理 165 | https://github.com/archerysec/archerysec 166 | 167 | boofuzz 168 | https://github.com/jtpereyda/boofuzz 169 | 170 | BTA 171 | https://github.com/airbus-seclab/bta 172 | 173 | 深度利用 174 | https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit 175 | 176 | Halcyon IDE:适用于Nmap脚本开发人员 177 | https://github.com/s4n7h0/Halcyon 178 | 179 | SimpleRisk 180 | https://github.com/simplerisk 181 | 182 | TROMMEL 183 | https://github.com/CERTCC/trommel 184 | -------------------------------------------------------------------------------- /Defence.md: -------------------------------------------------------------------------------- 1 | ## 安全防守: 2 | 3 | 安全项目列表 4 | https://github.com/zbetcheckin/Security_list 5 | 6 | web索引及日志搜索工具 7 | https://github.com/thomaspatzke/WASE 8 | 9 | 一款CS结构的web debuger 10 | https://github.com/Kozea/wdb 11 | 12 | sqlite注册数据删除的恢复 13 | https://github.com/aramosf/recoversqlite/ 14 | 15 | 自动化的模板注入攻击检测工具 16 | https://github.com/epinna/tplmap 17 | 18 | 简单的linux发行版安全监控脚本 19 | https://github.com/EgeBalci/The-Eye 20 | 21 | 百宝箱——工具集合 22 | https://github.com/starnightcyber/Miscellaneous 23 | 24 | CIDRAM (无类别域间路由访问管理器)是一个PHP脚本,旨在保护网站途经阻止请求该从始发IP地址视为不良的流量来源. 25 | https://github.com/Maikuolan/CIDRAM 26 | 27 | Android-Vulnerabilities-Overview - 已知安卓漏洞预览 28 | https://github.com/CHEF-KOCH/Android-Vulnerabilities-Overview 29 | 30 | Framework-agnostic包给Node.js提供强大的ACL能力 31 | https://github.com/Slynova-Org/node-fence 32 | 33 | 快速启动kolide Kolide https://kolide.co 34 | https://github.com/kolide/kolide-quickstart 35 | 36 | Vendor-Neutral Security Tool Automation Controller (over REST) 37 | https://github.com/hakbot/hakbot-origin-controller 38 | 39 | 全天候 DevOps - 安全监控和防御自动化架构(ELK + AWS Lambda) 40 | https://github.com/appsecco/alldaydevops-aism 41 | 42 | ARL(Asset Reconnaissance Lighthouse)资产侦察灯塔系统 43 | https://github.com/TophantTechnology/ARL 44 | 45 | 安全开发运维:devsecops.org社区贡献的权威devsecops工具列表 46 | https://github.com/devsecops/awesome-devsecops 47 | 48 | API安全检查清单:当你设计、测试、发布API时,需要核对的安全细节清单 49 | https://github.com/shieldfy/API-Security-Checklist/blob/master/README-zh.md 50 | 51 | Pcaptools:流量处理的命令集、捕获工具、分析检查、DNS配置等工具资源 52 | https://github.com/caesar0301/awesome-pcaptools 53 | 54 | Capturing, analysing and responding to cyber attacks 55 | https://github.com/cybermaggedon/cyberprobe 56 | 57 | 安卓安全加固列表 58 | https://github.com/AndroidTamer/KnowledgeBase/tree/master/Documents 59 | 60 | awesome-container-security 容器安全列表 61 | https://github.com/kai5263499/awesome-container-security#networking/runtime 62 | 63 | OS X和iOS安全:OS X和iOS安全工具集合 64 | https://github.com/ashishb/osx-and-ios-security-awesome 65 | 66 | Runtime Mobile Security (RMS):一个功能强大的Web界面,可帮助您在运行时操纵Android Java类和方法 67 | https://github.com/m0bilesecurity/RMS-Runtime-Mobile-Security 68 | 69 | 为日常搜集的勒索病毒解密工具的汇总 70 | https://github.com/jiansiting/Decryption-Tools 71 | 72 | 应急响应实战笔记 73 | https://github.com/Bypass007/Emergency-Response-Notes 74 | 75 | 一款开源WAF 76 | https://github.com/SpiderLabs/ModSecurity 77 | 78 | Useful for bug bounties, CTF-style challenges, penetration testing. 79 | https://github.com/brianlam38/Sec-Cheatsheets 80 | 81 | 开源WAF,基于web日志进行非法访问渗透探测,并进行统计分析,设置阈值封禁 82 | https://github.com/bollwarm/App-Waf 83 | 84 | 基于区块链的AUR安全层 85 | https://github.com/clawoflight/aursec 86 | 87 | Secure and fast microVMs for serverless computing. 88 | https://github.com/firecracker-microvm/firecracker 89 | 90 | Secrets bridge - Docker 构建时安全 91 | https://github.com/abourget/secrets-bridge 92 | 93 | Windows 2012 R2 兼容DevSec Windows基线的cookbook 94 | https://github.com/dev-sec/chef-windows-hardening 95 | 96 | Apache防御模块,支持漏洞扫描,防恶意软件,防广告, 防勒索软件, 防恶意站点, Wordpress主题探测和Fail2Ban Jail等。 97 | https://github.com/mitchellkrogza/apache-ultimate-bad-bot-blocker 98 | 99 | Jenkins OWASP独立检查插件 100 | https://github.com/jeremylong/dependency-check-jenkins 101 | 102 | Joomla强注防止插件 103 | https://github.com/codeling/bfstop 104 | 105 | 使用aws KMs的命令行加密工具,加密一次,可以在多区域的aws多实例中解密 106 | https://github.com/aol/mrcrypt 107 | 108 | 互联网漏洞管理、资产管理、任务扫描、todoLIST 109 | https://github.com/RASSec/A_Scan_Framework 110 | 111 | Open-Source Security Architecture|开源安全架构 112 | https://github.com/bloodzer0/ossa 113 | 114 | 噪声协议的Rust语言实现 115 | https://github.com/mcginty/snow 116 | 117 | DigSig-ng 一个linux内核安全模块,为ELF可执行程序和共享库提供RSA数字签名验证 118 | https://github.com/digsig-ng/linux-digsig 119 | 120 | 开源安全项目清单 121 | https://github.com/Bypass007/Safety-Project-Collection 122 | 123 | DevSec MySQL安全基线 http://dev-sec.io/ 124 | https://github.com/dev-sec/mysql-baseline 125 | 126 | PowerShell脚本监控活动目录,当成员关系变更时候发邮件 127 | https://github.com/lazywinadmin/Monitor-ADGroupMembership 128 | 129 | 评估嵌入式设备CPU的安全性 130 | https://github.com/iadgov/Maplesyrup 131 | 132 | KeyGen 生成证书和密码 133 | https://github.com/offa/keygen 134 | 135 | AWS Big Brother 一个分析IAM用户的工具 136 | https://github.com/jae2/awsbigbrother 137 | 138 | sqli词法解析分析器 139 | https://github.com/client9/libinjection 140 | 141 | 非法IP每日跟新(with blacklist hit scores) 142 | https://github.com/stamparm/ipsum 143 | 144 | Windows事件日志分析及可视化,审计非法登陆 145 | https://github.com/JPCERTCC/LogonTracer 146 | 147 | GScan: 旨在为安全应急响应人员对Linux主机排查时提供便利,实现主机侧Checklist的自动全面化检测,根据检测结果自动数据聚合,进行黑客攻击路径溯源。 148 | https://github.com/grayddq/GScan 149 | 150 | CaptfEncoder 跨平台网络安全工具套件,提供网络安全相关编码转换、古典密码、密码学、特殊编码等工具,并聚合各类在线工具。 151 | https://github.com/guyoung/CaptfEncoder 152 | 153 | PowerShell模糊处理检测框架 154 | https://github.com/danielbohannon/Revoke-Obfuscation 155 | 156 | Symfon安全组件子库 157 | https://github.com/symfony/security 158 | 159 | CSRF保护库: php预防CSRF类库 160 | https://github.com/mebjas/CSRF-Protector-PHP 161 | 162 | VirusTotal公共,私有,网络接口 163 | https://github.com/blacktop/virustotal-api 164 | 165 | 新服务器的最初5分钟,用单行命令加固你的服务器 - Ansible playbook 166 | https://github.com/chhantyal/5minutes 167 | 168 | Red Team SIEM - easy deployable tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations. 169 | 170 | https://github.com/outflanknl/RedELK 171 | 172 | 扩多GCP项目的防火墙加强工具集 173 | https://github.com/spotify/gcp-firewall-enforcer 174 | 175 | 3600Kee团队的域安全入侵感知系统 176 | https://github.com/0Kee-Team/WatchAD 177 | 178 | Linux安全基线,支持puppet、chef和Ansible做安全加固 - InSpec Profile http://dev-sec.io/ 179 | https://github.com/dev-sec/linux-baseline 180 | 181 | Nginx配置分析工具,防止错误配置,并实现自动缺陷检测 182 | https://github.com/yandex/gixy 183 | 184 | GPS欺骗检测工具 185 | https://github.com/zxsecurity/gpsnitch 186 | 187 | CloudFront域名误配置检查工具 188 | https://github.com/MindPointGroup/cloudfrunt 189 | 190 | Cyber瑞士军刀:加解密、编码、压缩以及数据分析的web应用。 191 | https://github.com/gchq/CyberChef 192 | 193 | 应急处置响应框架 194 | https://github.com/biggiesmallsAG/nightHawkResponse 195 | 196 | secure-ls 高水平加密和数据压缩的本地安全存储 197 | https://github.com/softvar/secure-ls 198 | 199 | 容器安全镜像Liter,帮助构建最好的Docker镜像 200 | https://github.com/goodwithtech/dockle 201 | 202 | 有关linux容器安全,命名空间,cgroups等等的gitbook 203 | https://github.com/makash/linux-container-security-docs 204 | 205 | python写的运行在树莓派上安防系统,可以进行运动检测,并通过手机告警 206 | https://github.com/FutureSharks/rpi-security 207 | 208 | airgeddon -- linux下多用户的bash脚本无线网络审计 209 | https://github.com/v1s1t0r1sh3r3/airgeddon 210 | 211 | Laravel网页认证访问 212 | https://github.com/spatie/laravel-littlegatekeeper 213 | 214 | nginx安全配置chef bookbook 215 | https://github.com/dev-sec/chef-nginx-hardening 216 | 217 | proxy poc implementation of STARTTLS stripping attacks 218 | https://github.com/tintinweb/striptls 219 | 220 | web安全开发指南 221 | https://github.com/FallibleInc/security-guide-for-developers 222 | 223 | 自动化代码审计工具 224 | https://github.com/wufeifei/cobra 225 | 226 | 白盒源代码审计工具(cobra分支) 227 | https://github.com/LoRexxar/Cobra-W 228 | 229 | Grep rough audit - 源码审计工具 http://www.justanotherhacker.com 230 | https://github.com/wireghoul/graudit 231 | 232 | AWS云基础设施安全审计工具 233 | https://github.com/SecurityFTW/cs-suite 234 | 235 | python编写的离线网络数据包分析器 236 | https://github.com/HatBoy/Pcap-Analyzer 237 | 238 | 渗透测试常见小工具打包 239 | https://github.com/leonteale/pentestpackage 240 | 241 | 各知名厂商渗透测试报告模板 242 | https://github.com/juliocesarfort/public-pentesting-reports 243 | 244 | 安全工具合集 245 | https://github.com/codejanus/ToolSuite 246 | 247 | 巡风 --一款适用于企业内网的漏洞快速应急,巡航扫描系统。 248 | https://github.com/ysrc/xunfeng 249 | 250 | Fuxi-Scanner 是一款开源的网络安全检测工具,适用于中小型企业对企业信息系统进行安全巡航检测 251 | https://github.com/jeffzh3ng/Fuxi-Scanner 252 | 253 | Elasticsearch API安全发布到公网插件 254 | https://github.com/sscarduzio/elasticsearch-readonlyrest-plugin 255 | 256 | apache实时日志分析器(on Telegram, Zabbix and Syslog/SIEM) 257 | https://github.com/mthbernardes/ARTLAS 258 | 259 | PHP代码审计扫描器 260 | https://github.com/pwnsdx/BadCode 261 | 262 | PHP代码审计sublime插件:🐛 AFind-PHP-Vulnerabilities 263 | https://github.com/WangYihang/Find-PHP-Vulnerabilities 264 | 265 | linux恶意代码检测包 266 | https://github.com/rfxn/linux-malware-detect 267 | 268 | 操作系统运行指标可视化框架 269 | https://github.com/facebook/osquery 270 | 271 | Log-Killer 服务器日志清理工具,支持window(bat)和linux(php)脚本 272 | https://github.com/Rizer0/Log-killer 273 | 274 | Mac OS下取证工具 275 | https://github.com/jipegit/OSXAuditor 276 | 277 | 六道 —— 实时业务风控系统 278 | https://github.com/ysrc/Liudao 279 | 280 | Aswan——陌陌风控系统静态规则引擎,零基础简易便捷的配置多种复杂规则,实时高效管控用户异常行为。 281 | https://github.com/momosecurity/aswan 282 | 283 | 360数据库流量审计MySQL Sniffer 284 | https://github.com/Qihoo360/mysql-sniffer 285 | 286 | 强大的mongodb数据库审计和渗透工具 287 | https://github.com/stampery/mongoaudit 288 | 289 | 基于Inception开发的MySQL数据库审核平台,支持审核、执行、备份、回滚、钉钉推送、mysql、redis、mongodb查询等功能 290 | https://github.com/lazzyfu/AuditSQL 291 | 292 | 恶意代码分析系统 293 | https://github.com/cuckoosandbox/cuckoo 294 | 295 | 定期搜索及存储web应用,可搜漏洞讨论等等 296 | https://github.com/Netflix/Scumblr 297 | 298 | 事件响应框架(focus on 远程取证) 299 | https://github.com/google/grr 300 | 301 | Mozilla防守平台 302 | https://github.com/mozilla/MozDef 303 | 304 | 企业内网安全管理平台,包含资产管理,漏洞管理,账号管理,知识库管、安全扫描自动化功能 305 | https://github.com/qianniaoge/-SecurityManageFramwork 306 | 307 | win内网_域控安全 308 | https://github.com/renzu0/nw-tips 309 | 310 | 静态代码审计系统 311 | https://github.com/zsdlove/Hades 312 | 313 | 强大的观察分析引擎 https://thehive-project.org 314 | https://github.com/CERT-BDF/Cortex 315 | 316 | iptables 防火墙规则集分析验证 317 | https://github.com/diekmann/Iptables_Semantics 318 | 319 | 综合主机监控检测平台(包含主机防火墙,日志监控,SIEM等) 320 | https://github.com/ossec/ossec-hids 321 | 322 | OS X远程取证与分析工具包 323 | https://github.com/Yelp/osxcollector 324 | 325 | 分布式实时数字取证系统 326 | https://github.com/mozilla/mig 327 | 328 | Microsoft及Unix文件系统及硬盘取证工具 329 | https://github.com/sleuthkit/sleuthkit 330 | 331 | 开源安全合规解决方案 332 | https://github.com/OpenSCAP/openscap 333 | 334 | JVM沙箱容器,一种JVM的非侵入式运行期AOP解决方案 335 | https://github.com/alibaba/jvm-sandbox 336 | 337 | 开源准实时日志采集器 338 | https://github.com/wgliang/logcool 339 | 340 | windows实时ETW事件处理工具 341 | https://github.com/goldshtn/etrace 342 | 343 | CPU及内存相关性能分析工具 344 | https://github.com/Microsoft/perfview 345 | 346 | SSH服务审计工具 347 | https://github.com/arthepsy/ssh-audit 348 | 349 | Python库和命令行工具,提供交互式日志可视化 350 | https://github.com/keithjjones/visualize_logs 351 | 352 | OSCP推出安全侦察工具,实现自动化信息收集和服务枚举,创建目录结构以存储用于每个主机的结果,发现和利用工具。 353 | https://github.com/codingo/Reconnoitre 354 | 355 | 一个僵尸网络分析框架 356 | https://github.com/m4rco-/dorothy2 357 | 358 | WAFS审计工具 359 | https://github.com/lightbulb-framework/lightbulb-framework 360 | 361 | 1000个php代码审计案例 362 | https://github.com/Xyntax/1000php 363 | 364 | 基于Python的Linux ssh跳板机/堡垒机设置工具 365 | https://github.com/aker-gateway/Aker 366 | 367 | Linux常见命令及部分安全软件使用命令列表 368 | https://github.com/andrewjkerr/security-cheatsheets 369 | 370 | ssrfDetector ssrf探测器 371 | https://github.com/JacobReynolds/ssrfDetector 372 | 373 | fwd 用go开发的网络端口代理 374 | https://github.com/kintoandar/fwd 375 | 376 | dev-sec安全基线和加固脚本 377 | https://github.com/dev-sec 378 | 379 | 使用AngularJS和AJA的Symfony应用CSRF自动探测工具 380 | https://github.com/dunglas/DunglasAngularCsrfBundle 381 | 382 | 设计用于CDN的高性能DNS缓存 383 | https://github.com/jedisct1/edgedns 384 | 385 | BleachBit Windows和Linux系统清理器https://www.bleachbit.org 386 | https://github.com/bleachbit/bleachbit 387 | 388 | Universal Radio Hacker: 无线协议分析 389 | https://github.com/jopohl/urh 390 | 391 | PHP后门检测工具 392 | https://github.com/yassineaddi/BackdoorMan.git 393 | 394 | Unix系操作系统安全审计和加固工具 395 | https://github.com/CISOfy/lynis 396 | 397 | 利用vulners.com漏洞数据库的包审计套件 398 | https://github.com/kreon/freeaudit 399 | 400 | 垃圾邮件分析工具 401 | https://github.com/SpamScope/spamscope 402 | 403 | 恶意代码,php shell检测工具 404 | https://github.com/yassineaddi/BackdoorMan 405 | 406 | 一款精简版github信息泄露搜集工具 407 | https://github.com/dongfangyuxiao/github_dis/ 408 | 409 | 安全程序和漏洞管理工具 410 | https://github.com/OWASP/django-DefectDojo 411 | 412 | HaboMalHunter是哈勃分析系统 (https://habo.qq.com) 的开源子项目, 413 | 用于Linux平台下进行自动化分析、文件安全性检测的开源工具 414 | https://github.com/Tencent/HaboMalHunte 415 | 416 | 混淆代码检测工具 417 | https://github.com/Neohapsis/NeoPI 418 | 419 | webshell检测工具 420 | https://github.com/emposha/Shell-Detector 421 | 422 | 社区驱动的Rails安全检查列表 423 | https://github.com/eliotsykes/rails-security-checklist 424 | 425 | radius-audit - A RADIUS authentication server audit tool 426 | https://github.com/ANSSI-FR/audit-radius 427 | 428 | Fathom——基于golang和Preact的简单可信的站点分析 429 | https://github.com/usefathom/fathom 430 | 431 | GO HTTP中间件来推进快速安全开发 432 | https://github.com/unrolled/secure 433 | 434 | InSpec: 测试和审计框架 435 | https://github.com/chef/inspec 436 | 437 | retire.js的自动扫描器,扫描探测常见的JS库漏洞 438 | https://github.com/RetireJS/grunt-retire 439 | 440 | Suricata 一个自由开源地,成熟、快速自动化的网络威胁探测引擎 441 | https://github.com/inliniac/suricata 442 | 443 | AWS安全扫描检查 444 | https://github.com/cloudsploit/scans 445 | 446 | aws-security-viz -- aws安全组可视化工具 447 | https://github.com/anaynayak/aws-security-viz 448 | 449 | 使用NACL和Go的安全交互密码管理 450 | https://github.com/johnathanhowell/masterkey 451 | 452 | Hound Git插件通过探测阻止敏感信息被push到远程公有仓库导致信息泄密 453 | https://github.com/ezekg/git-hound 454 | 455 | GitHub敏感信息泄露监控 456 | https://github.com/FeeiCN/GSIL 457 | 458 | HULK DoS工具从Python迁移到Golang 459 | https://github.com/grafov/hulk 460 | 461 | 大数据安全检测工具 462 | https://github.com/kotobukki/BigDataAudit 463 | 464 | 个人安全checklist 465 | https://github.com/Lissy93/personal-security-checklist 466 | 467 | SQL 审核查询平台 468 | https://github.com/hhyo/Archery 469 | 470 | pick -- Linux和OS X最小化密码管理工具 471 | https://github.com/bndw/pick 472 | 473 | 一个基于浏览器端 JS 实现的在线代理 https://jsproxy.tk 474 | https://github.com/EtherDream/jsproxy 475 | 476 | 基于EK的K8s安全监控方案 477 | https://github.com/k8scop/k8s-security-dashboard 478 | 479 | CloudWalker(牧云)是长亭推出的一款开源服务器安全管理平台。根据项目计划会逐步覆盖服务器资产管理、威胁扫描、Webshell 查杀、基线检测等各项功能。 480 | https://github.com/chaitin/cloudwalker 481 | 482 | 可搜索、标签化,加密的云存储 483 | https://tryingtobeawesome.com/cryptag/ 484 | 485 | MITRE攻击框架对应的Linux Auditd 审计规则 486 | https://github.com/bfuzzy/auditd-attack 487 | 488 | ⭐️ An anomaly-based intrusion detection system. 489 | https://github.com/alexfrancow/A-Detector 490 | 491 | AntiRansom:Fighting against ransomware using honeypots 492 | https://github.com/YJesus/AntiRansom 493 | 494 | 悟空API网关 开源版 495 | https://github.com/eolinker/GoKu-API-Gateway 496 | 497 | Hamburglar -- collect useful information from urls, directories, and files 498 | https://github.com/needmorecowbell/Hamburglar 499 | 500 | ElkarBackup 一个基于RSync/RSnapshot的开源备份方案 501 | https://github.com/elkarbackup/elkarbackup 502 | 503 | SSH服务端和客户端安全配置的chef cookbook 504 | https://github.com/dev-sec/chef-ssh-hardening 505 | 506 | Nextcloud 双因子TOTP (RFC 6238) 507 | https://github.com/nextcloud/twofactor_totp 508 | 509 | WireGuard — 快速、现代、linux内核只带的安全VPN通道 510 | https://github.com/WireGuard/WireGuard 511 | 512 | BoringTun WireGuard® 协议的兼容性和速度性实现,支持window 513 | https://github.com/cloudflare/boringtun 514 | 515 | wireguard一键安装脚本 516 | https://github.com/atrandys/wireguard 517 | 518 | Nixarmor Linux自动安全加固项目 519 | https://github.com/emirozer/nixarmor 520 | 521 | SaaS型初创企业安全101 522 | https://github.com/forter/security-101-for-saas-startups/tree/chinese 523 | 524 | phpMusse 这是一个根据ClamAV的签名和其他签名对上传文件自动检测的PHP脚本 525 | https://github.com/Maikuolan/phpMussel/ 526 | -------------------------------------------------------------------------------- /Meltdown_Spectre.md: -------------------------------------------------------------------------------- 1 | ## Meltdown(熔毁)和Spectre(幽灵)相关 2 | 3 | Local Exploit for Meltdown 4 | https://github.com/dendisuhubdy/meltdown 5 | 6 | Meltdown Spectre PoC 7 | https://github.com/paboldin/meltdown-exploit 8 | 9 | Meltdown/Spectre PoC 源码集合 10 | https://github.com/turbo/KPTI-PoC-Collection 11 | 12 | meltdownspectre补丁 13 | https://github.com/hannob/meltdownspectre-patches 14 | 15 | SpecuCheck meltdownspectre win下检查工具 16 | https://github.com/ionescu007/SpecuCheck 17 | 18 | Spectre & Meltdown 漏洞shell检查脚本 19 | https://github.com/speed47/spectre-meltdown-checker 20 | 21 | Windows Meltdown and Spectre 漏洞状态检查脚本(包括系统,浏览器,虚拟设备等) 22 | https://github.com/vrdse/MeltdownSpectreReport 23 | 24 | Intel i5和Intel Xeon Spectre漏洞攻击恶意窃取内存信息再现 25 | https://github.com/Pl4gue/spectre-attack-demo 26 | 27 | 360 现代CPU中的预测执行和乱序执行相关机制漏洞通告 28 | https://mp.weixin.qq.com/s/e_ASsDJAZ9m6wFTF865yXA 29 | 30 | CPU漏洞集 31 | https://github.com/houjingyi233/CPU-vulnerabiility-collections 32 | -------------------------------------------------------------------------------- /PenetrationTest.md: -------------------------------------------------------------------------------- 1 | ## 渗透测试 2 | 3 | Black Hat Arsenal 官方工具仓库 4 | https://github.com/toolswatch/blackhat-arsenal-tools 5 | 6 | windows渗透工具集合 7 | https://github.com/Hack-with-Github/Windows 8 | 9 | windows最佳渗透指南 10 | https://github.com/yeyintminthuhtut/Awesome-Advanced-Windows-Exploitation-References 11 | 12 | 从内存中提取敏感信息的工具 13 | https://github.com/putterpanda/mimikittenz 14 | 15 | fireeye红军渗透工具 16 | 17 | https://github.com/Raikia/CredNinja 18 | 19 | https://github.com/ChrisTruncer/WMIOps 20 | 21 | https://github.com/ChrisTruncer/EyeWitness 22 | 23 | https://github.com/ChrisTruncer/Egress-Assess 24 | 25 | windows渗透神器 26 | https://github.com/gentilkiwi/mimikatz 27 | 28 | 在线渗透测试资源、Shellcode开发、开源情报资源、社会工程资源等 29 | https://github.com/enaqx/awesome-pentest 30 | 31 | frp 是一个可用于内网穿透的高性能的反向代理应用,支持 tcp, udp, http, https 协议。 32 | https://github.com/fatedier/frp 33 | 34 | hideNsneak: 临时渗透测试架构明亮行 35 | https://github.com/rmikehodges/hideNsneak 36 | 37 | Powershell渗透库合集 38 | https://github.com/PowerShellMafia/PowerSploit 39 | 40 | Powershell tools合集 41 | https://github.com/clymb3r/PowerShell 42 | 43 | 资产狩猎框架-AssetsHunter,信息收集是一项艺术~ 44 | https://github.com/rabbitmask/AssetsHunter 45 | 46 | Nishang PowerShell下脚本和渗透和POC框架和集合,Nishang在渗透测试的所有阶段都非常有用。 47 | https://github.com/samratashok/nishang 48 | 49 | MSF--最强大的渗透平台 50 | https://github.com/rapid7/metasploit-framework 51 | 52 | Poc调用框架,可加载Pocsuite,Tangscan,Beebeeto等 53 | https://github.com/erevus-cn/pocscan 54 | 55 | Pocsuite -开源的远程漏洞测试框架 56 | https://github.com/knownsec/Pocsuite 57 | 58 | fsociety黑客工具集——渗透测试框架 59 | https://github.com/Manisso/fsociety 60 | 61 | YAWAST Web应用安全套件 62 | https://github.com/adamcaudill/yawast 63 | 64 | A Bind9 server for pentesters to use for Out-of-Band vulnerabilities 65 | https://github.com/JuxhinDB/OOB-Server 66 | 67 | Beebeeto是由众多安全研究人员所共同维护的一个规范化POC/EXP平台 68 | https://github.com/n0tr00t/Beebeeto-framework 69 | 70 | cloudflare基于nmap打包的一个轻量漏洞扫描系统 71 | https://github.com/cloudflare/flan 72 | 73 | 一个用Node.js编写的Web安全测试框架 74 | https://github.com/zhuyingda/veneno 75 | 76 | Orc is a post-exploitation framework for Linux written in Bash 77 | https://github.com/zMarch/Orc 78 | 79 | 常见的渗透测试/安全Cheatsheet 80 | https://github.com/jshaw87/Cheatsheets 81 | 82 | 渗透脚本集合包括backdoor,exploit,fuzzing,note,misc,powershell 83 | https://github.com/Ridter/Pentest 84 | 85 | 消息队列和中间人注入工具,可以用于攻击 Redis, RabbitMQ和ZeroMQ。 86 | https://github.com/cr0hn/enteletaor 87 | 88 | WPA2 KRACK攻击验证脚本集 89 | https://github.com/vanhoefm/krackattacks-scripts 90 | 91 | 越过(WAF)和 XSS过滤的pyton脚本集 92 | https://github.com/frizb/Bypassing-Web-Application-Firewalls 93 | 94 | 渗透测试用到的东东 95 | https://github.com/ring04h/pentest 96 | 97 | DNS rebinding toolkit 98 | https://github.com/makuga01/dnsFookup 99 | 100 | A scripted pipeline of tools to streamline the bug bounty/penetration test reconnaissance phase, so you can focus on chomping bugs. 101 | https://github.com/SolomonSklash/chomp-scan 102 | 103 | Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications 104 | https://github.com/rapid7/hackazon 105 | 106 | MSTG-手机应用安全开发、测试、反向工程详细手册。 107 | https://github.com/OWASP/owasp-mstg 108 | 109 | Venom是一款为渗透测试人员设计的使用Go开发的多级代理工具 110 | https://github.com/Dliv3/Venom 111 | 112 | A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting 113 | https://github.com/hahwul/WebHackersWeapons 114 | 115 | ### Fuzz测试: 116 | 117 | DotDotPwn - 目录遍历Fuzzer(http://dotdotpwn.blogspot.com/) 118 | https://github.com/wireghoul/dotdotpwn 119 | 120 | FuzzLabs Fuzzing框架 https://dcnws.com 121 | https://github.com/keymandll/FuzzLabs 122 | 123 | 谷歌出品强大分析配置项目fuzzing组件 124 | https://github.com/google/honggfuzz 125 | 126 | 谷歌fuzzing引擎测试集 127 | https://github.com/google/fuzzer-test-suite 128 | 129 | 可扩展地Fuzzing框架 130 | https://github.com/IOActive/XDiFF 131 | 132 | Fuzzinator随机测试框架 133 | https://github.com/renatahodovan/fuzzinator 134 | 135 | 各种fuzzing图书、课程、工具、教程和易受攻击应用集合 136 | https://github.com/secfigo/Awesome-Fuzzing 137 | 138 | Linux内核fuzzing和缺陷相关的资源 139 | https://github.com/xairy/linux-kernel-exploitation 140 | 141 | fuzzing框架 142 | https://github.com/MozillaSecurity/peach 143 | 144 | fuddly: fuzzing和数据处理框架 145 | https://github.com/k0retux/fuddly 146 | 147 | 基础fuzzer工具 148 | https://github.com/RootUp/BFuzz 149 | 150 | Kitty fuzzing框架扩展库 151 | https://github.com/cisco-sas/katnip 152 | 153 | Fuzzer API接口,通过可以用通用的渗透技术和漏洞列表进行fuzz请求 154 | https://github.com/lalithr95/API-fuzzer 155 | 156 | Java的fuzz测试覆盖率指导 157 | https://github.com/fuzzitdev/javafuzz 158 | 159 | 找出文件系统存存储的加密文件 160 | https://github.com/antagon/TCHunt-ng 161 | 162 | 安卓媒体Fuzzing框架 163 | https://github.com/fuzzing/MFFA 164 | 165 | 安卓fuzz工具 166 | https://github.com/MindMac/IntentFuzzer 167 | 168 | Fuzzing数据集 169 | https://github.com/MozillaSecurity/fuzzdata 170 | 171 | WebFuzz工具 172 | https://github.com/xmendez/wfuzz 173 | 174 | coverage guided fuzz testing for javascript 175 | https://github.com/fuzzitdev/jsfuzz 176 | 177 | web fuzz 178 | https://github.com/henshin/filebuster 179 | 180 | AFL的Android移植版本 181 | https://github.com/ele7enxxh/android-afl 182 | 183 | Fuzzing results for various interpreters. 184 | https://github.com/dyjakan/interpreter-bugs 185 | 186 | Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem 187 | https://github.com/lalithr95/fuzzapi 188 | 189 | Test Blue Team detections without running any attack. 190 | https://github.com/n0dec/MalwLess 191 | 192 | bring your .bashrc, .vimrc, etc. with you when you ssh 193 | https://github.com/Russell91/sshrc 194 | 195 | Chat over SSH 196 | https://github.com/shazow/ssh-chat 197 | 198 | AFL—支持源码插桩的代码覆盖引导的Fuzzer,绝对是fuzzer领域的一大里程碑,虽然它也支持基于QEMU的闭源程序,但效果不好,且容易出错,由它衍生出来非常多afl分支版本,借助它已经被挖出非常多的漏洞,但它的变异策略其实有待提高。 199 | http://lcamtuf.coredump.cx/afl/ 200 | 201 | WinAFL—windows版本的afl,使用DynamoRIO去插桩闭源程序以获取代码覆盖率信息,同时支持硬件PT获取覆盖率信息,但PT获取覆盖率其实并没有插桩获取得全,但速度可能会快一些。 202 | https://github.com/googleprojectzero/winafl 203 | 204 | AFLFast—加速版的AFL,Fuzzing速度确实会比原版快一些。 205 | https://github.com/mboehme/aflfast 206 | 207 | Vuzzer—支持闭源程序的覆盖引导Fuzzer,使用LibDFT的pin工具实现数据流追踪,结合动静态分析,以获取更多的代码路径,比如比较语句中的比较值,它会先作记录,再未来变异时使用。 208 | https://github.com/vusec/vuzzer 209 | 210 | PTfuzzer—Linux平台下的采用 Interl PT硬件支持的覆盖引导Fuzzer,所以它支持闭源程序。 211 | https://github.com/hunter-ht-2018/ptfuzzer 212 | 213 | afl-unicorn—采用Unicorn模拟指令的AFL,支持Linux闭源程序 214 | https://github.com/tigerpuma/Afl_unicorn 215 | 216 | pe-afl—通过静态插桩实现针对Windows闭源程序的覆盖引导的AFL Fuzzer,支持用户层应用和内核驱动 217 | https://github.com/wmliang/pe-afl 218 | 219 | kAFL—支持QEMU虚拟机下的系统内核Fuzzing的AFL,适用于Linux、macOS与Windows 220 | https://github.com/RUB-SysSec/kAFL/ 221 | 222 | TriforceAFL—基于QEMU全系统模拟的AFL,借助系统仿真器实现分支信息跟踪,支持Linux内核Fuzzing 223 | https://github.com/nccgroup/TriforceAFL 224 | 225 | ClusterFuzzer—Google开源的可扩展的Fuzzing基础设施 226 | https://github.com/google/clusterfuzz 227 | 228 | LibFuzzer—进程内覆盖率引导的开源的fuzz引擎库,属于llvm的一部分,在各大主流开源库中,以及Google内部最经常用的安全测试工具 229 | https://llvm.org/docs/LibFuzzer.html 230 | 231 | OSS-Fuzz—基于LibFuzzer的开源软件Fuzzer集合,实现docker下自动下载、编译安装及运行 232 | https://github.com/google/oss-fuzz 233 | 234 | honggfuzz—Google开发的基于软硬件的覆盖驱动型Fuzzer,单纯暴力Fuzz的效果也挺好的,支持多平台,包括Linux\macOS\Windows\Android 235 | https://github.com/google/honggfuzz 236 | 237 | KernelFuzzer—跨平台内核Fuzzer框架,不开源策略,只在其paper中提及变异策略,需要自己实现,支持Windows、OSX和QNX系统,但只提供Windows编译脚本 238 | https://github.com/mwrlabs/KernelFuzzer 239 | 240 | OSXFuzzer—基于Kernel Fuzzer的macOS内核Fuzzer 241 | https://github.com/mwrlabs/OSXFuzz.git 242 | 243 | PassiveFuzzFrameworkOSX—通过Hook实现被动式的OSX内核Fuzzer 244 | https://github.com/SilverMoonSecurity/PassiveFuzzFrameworkOSX 245 | 246 | Bochspwn—基于Boch插桩API实现Double Fetches内核漏洞的检测 247 | https://github.com/googleprojectzero/bochspwn 248 | 249 | Bochspwn-reloaded—基于Boch插桩API实现内核信息泄露的检测 250 | https://github.com/googleprojectzero/bochspwn-reloaded 251 | 252 | syzkaller—基于覆盖率引导的Linux内核Fuzzer,需要基于其模板语法实现API调用模板,提供给syzkaller进行数据变异,也曾被移植到其它平台 253 | https://github.com/google/syzkaller 254 | 255 | dharma—基于语法模板生成的Fuzzer,由Mozilla开源的用于Fuzz Firefox JS引擎 256 | https://github.com/MozillaSecurity/dharma 257 | 258 | domator—Project Zero团队开源的DOM Fuzzer,用python实现基于模板生成的Fuzzer 259 | https://github.com/googleprojectzero/domato 260 | 261 | Fuzzilli—基于语法变异的JavaScript引擎Fuzzer,先通过语法模板生成测试用例,再生成中间语法进行变异,结合覆盖率引导以触发更多代码路径 262 | https://github.com/googleprojectzero/fuzzilli 263 | 264 | Razzer—内核竞争条件漏洞Fuzzer 265 | https://github.com/compsec-snu/razzer 266 | 267 | ViridianFuzzer—用于Fuzzing Hyper-V hypercalls的内核驱动,由MWRLabs公司出品 268 | https://github.com/mwrlabs/ViridianFuzzer 269 | 270 | ChromeFuzzer—基于grinder语法生成器改装的Chrome浏览器Fuzzer 271 | https://github.com/demi6od/ChromeFuzzer 272 | 273 | funfuzz—Mozilla开源的JS fuzzer工具集合,主要用于Fuzz SpiderMonkey 274 | https://github.com/MozillaSecurity/funfuzz 275 | 276 | ### WEB渗透: 277 | 278 | webshell大合集 279 | https://github.com/tennc/webshell 280 | 281 | 渗透以及web攻击脚本 282 | https://github.com/brianwrf/hackUtils 283 | 284 | web渗透小工具大合集 285 | https://github.com/rootphantomer/hack_tools_for_me 286 | 287 | web敏感目录、信息泄漏批量扫描脚本,结合爬虫、目录深度遍历。 288 | https://github.com/blackye/webdirdig 289 | 290 | detectem - detect software and its version on websites. 291 | https://github.com/spectresearch/detectem 292 | 293 | Hydra is a penetration testing tool exclusively focused on dictionary-attacking web-based login forms. 294 | https://github.com/opennota/hydra 295 | 296 | 数据库注入工具 297 | https://github.com/sqlmapproject/sqlmap 298 | 299 | 通过控制台管理网站 300 | https://github.com/WangYihang/Webshell-Sniper 301 | 302 | SQLiScanner -- Automatic SQL injection with Charles and sqlmap api 303 | https://github.com/0xbug/SQLiScanner 304 | 305 | Web代理,通过加载sqlmap api进行sqli实时检测 306 | https://github.com/zt2/sqli-hunter 307 | 308 | 新版中国菜刀 309 | https://github.com/Chora10/Cknife 310 | 311 | .git泄露利用EXP 312 | https://github.com/lijiejie/GitHack 313 | 314 | 浏览器攻击框架 315 | https://github.com/beefproject/beef 316 | 317 | 自动化绕过WAF脚本 318 | https://github.com/khalilbijjou/WAFNinja 319 | 320 | http命令行客户端,可以从命令行构造发送各种http请求(类似于Curl) 321 | https://github.com/jkbrzt/httpie 322 | 323 | 浏览器调试利器 324 | https://github.com/firebug/firebug 325 | 326 | WAF绕过检测工具 327 | https://github.com/owtf/wafbypasser 328 | 329 | 浏览器攻击框架 330 | https://github.com/julienbedard/browsersploit 331 | 332 | web端webshell管理器 333 | https://github.com/guillotines/WebShell 334 | 335 | tomcat自动后门部署 336 | https://github.com/mgeeky/tomcatWarDeployer 337 | 338 | TomcatBrute tool 339 | https://github.com/WallbreakerTeam/TomcatBrute 340 | 341 | 通过调用sqlmap api,自动检测sqli的代理 342 | https://github.com/fengxuangit/Fox-scan/ 343 | 344 | CMS探测和利用套件,能探测20多种cms,同时对wp,Joomla, Drupadl进行深度渗透 345 | https://github.com/Tuhinshubhra/CMSeeK 346 | 347 | 免杀payload生成器 348 | https://github.com/Veil-Framework/Veil-Evasion 349 | 350 | 用gmail充当C&C服务器的后门 351 | https://github.com/byt3bl33d3r/gcat 352 | 353 | burp教学payloads集合 354 | https://github.com/1N3/IntruderPayloads 355 | 356 | SQL盲注利用工具 357 | https://github.com/Neohapsis/bbqsql 358 | 359 | Script for doing evil stuff to Redis servers (for education purposes only). 360 | https://github.com/matiasinsaurralde/evilredis 361 | 362 | dnscat2的Powershell客户端,加密的DNS命令和控制工具 363 | https://github.com/lukebaggett/dnscat2-powershell 364 | 365 | burp插件收集项目 366 | https://github.com/xl7dev/BurpSuite/tree/master/Extender 367 | 368 | Burp-Suite-collections:BurpSuite相关收集项目,插件主要是非BApp Store(商店) 369 | https://github.com/Mr-xn/BurpSuite-collections 370 | 371 | 一个用来辅助WP渗透测试的ruby框架 372 | https://github.com/rastating/wordpress-exploit-framework/ 373 | 374 | .DS_store文件泄露利用脚本 375 | https://github.com/lijiejie/ds_store_exp 376 | 377 | Short for command injection exploiter,web向命令注入检测工具 378 | https://github.com/stasinopoulos/commix 379 | 380 | XSS数据接收平台 381 | https://github.com/firesunCN/BlueLotus_XSSReceiver 382 | 383 | 一个快速的TLS扫描器( non-blocking, event-driven ) https://prbinu.github.io/tls-scan 384 | https://github.com/prbinu/tls-scan 385 | 386 | 一个Python RESTful接口框架,用于提供在线恶意软件和URL分析服务 387 | https://github.com/diogo-fernan/malsub 388 | 389 | XSS与CSRF工具 390 | https://github.com/evilcos/xssor 391 | 392 | 暴力攻击字典生成工具 393 | https://github.com/LandGrey/pydictor 394 | 395 | 利用深度神经网络tensorflow 对14亿文本密码分析 396 | https://github.com/philipperemy/tensorflow-1.4-billion-password-analysis 397 | 398 | ModSecurity—Web应用程序防火墙(支持nginx、iis、apache) 399 | https://github.com/SpiderLabs/ModSecurity 400 | 401 | Astra:REST API的自动安全测试 402 | https://github.com/flipkart-incubator/Astra 403 | 404 | Burp Replicator:自动化复杂漏洞的复制 405 | https://github.com/PortSwigger/replicator 406 | 407 | OWASP进攻性Web测试框架 408 | https://github.com/owtf/owtf 409 | 410 | OWASP JoomScan项目 411 | https://github.com/rezasp/joomscan 412 | 413 | WSSAT Web服务安全评估工具 414 | https://github.com/YalcinYolalan/WSSAT 415 | 416 | ### 中间人攻击 417 | 418 | 中间人攻击框架 419 | https://github.com/secretsquirrel/the-backdoor-factory 420 | 421 | https://github.com/secretsquirrel/BDFProxy 422 | 423 | https://github.com/byt3bl33d3r/MITMf 424 | 425 | 代码注入,wifi jam以及wifi用户探测 426 | https://github.com/DanMcInerney/LANs.py 427 | 428 | 可扩展的中间人代理工具 429 | https://github.com/intrepidusgroup/mallory 430 | 431 | wifi钓鱼 432 | https://github.com/sophron/wifiphisher 433 | 434 | XSS数据接收平台 435 | https://github.com/firesunCN/BlueLotus_XSSReceiver 436 | 437 | XSS与CSRF工具 438 | https://github.com/evilcos/xssor 439 | 440 | Vegile - Ghost In The Shell 进程隐藏和防止被杀的工具 441 | https://github.com/Screetsec/Vegile 442 | 443 | ### 暴力破解 444 | 445 | 密码破解工具 446 | https://github.com/shinnok/johnny 447 | 448 | 本地存储的各类密码提取利器 449 | https://github.com/AlessandroZ/LaZagne 450 | 451 | HTTP暴力破解,撞库攻击脚本 452 | https://github.com/lijiejie/htpwdScan 453 | 454 | 超过80GB密码库总结出的字典项目 455 | https://github.com/berzerk0/Probable-Wordlists 456 | -------------------------------------------------------------------------------- /Practice_CTF.md: -------------------------------------------------------------------------------- 1 | 2 | ## 漏洞利用&实战练习平台: 3 | 4 | 信息安全初步集:包括信息安全博客、认证、课程、社区、播客、工具等 5 | https://github.com/gradiuscypher/infosec_getting_started 6 | 7 | WebGoat漏洞练习环境 8 | https://github.com/WebGoat/WebGoat 9 | 10 | https://github.com/WebGoat/WebGoat-Legacy 11 | 12 | https://github.com/RandomStorm/DVWA 13 | 14 | DoraBox,多拉盒 - 掌握常见漏洞攻防 15 | https://github.com/gh0stkey/DoraBox 16 | 17 | 一个功能很全的CTF平台 18 | https://github.com/zjlywjh001/PhrackCTF-Platform-Team 19 | 20 | 针对Pentest或者CTF的一个fuzz payload项目。 21 | https://github.com/zer0yu/Berserker 22 | 23 | Web安全实战:日安全-Web安全攻防小组关于Web安全的系列文章分享和HTB靶场 24 | https://github.com/hongriSec/Web-Security-Attack 25 | 26 | upload-labs很全的上传上传漏洞的靶场 27 | https://github.com/c0ny1/upload-labs 28 | 29 | 跟踪真实漏洞相关靶场环境搭建 30 | https://github.com/yaofeifly/Vub_ENV 31 | 32 | H1ve是一款自研CTF平台,同时具备解题、攻防对抗模式。 33 | https://github.com/D0g3-Lab/H1ve 34 | 35 | 使用docker快速搭建各大漏洞靶场,目前可以一键搭建17个靶场。 36 | https://github.com/c0ny1/vulstudy 37 | 38 | 🚀Vulfocus 是一个漏洞集成平台,将漏洞环境 docker 镜像,放入即可使用,开箱即用。 39 | https://github.com/fofapro/vulfocus 40 | 41 | 数据库注入练习平台 42 | https://github.com/Audi-1/sqli-labs 43 | 44 | 用node编写的漏洞练习平台,like OWASP Node Goat 45 | https://github.com/cr0hn/vulnerable-node 46 | 47 | 基于https://www.exploit-db.com/的漏洞场景还原 48 | https://github.com/havysec/vulnerable-scene 49 | 50 | Ruby编写的一款工具,生成含漏洞的虚拟机 51 | https://github.com/cliffe/secgen 52 | 53 | metasploitable3 54 | https://github.com/rapid7/metasploitable3/ 55 | 56 | pentesterlab渗透测试在线练习 57 | https://pentesterlab.com/exercises/ 58 | 59 | 轻量web漏洞演示平台 60 | https://github.com/stamparm/DSVW 61 | 62 | docker搭建的漏洞练习环境 63 | https://github.com/MyKings/docker-vulnerability-environment 64 | 65 | 黑客技术训练环境 66 | https://github.com/joe-shenouda/awesome-cyber-skills 67 | 68 | web及app渗透训练平台 69 | https://github.com/OWASP/SecurityShepherd 70 | 71 | DevSecOps技能训练营 72 | https://github.com/devsecops/bootcamp 73 | 74 | injectify 生成一个便捷的高级中间人攻击Web站点 75 | https://github.com/samdenty99/injectify 76 | 77 | 针对ctf线下赛流量抓取(php)、真实环境流量抓取分析的工具 78 | https://github.com/wupco/weblogger 79 | 80 | permeate:一个用于渗透透测试演练的WEB系统,用于提升寻找网站能力,也可以用于web安全教学 81 | https://github.com/78778443/permeate 82 | 83 | 基于Docker-Compose的漏洞预构建环境https://vulhub.org 84 | https://github.com/vulhub/vulhub 85 | 86 | Ackazon是一个免费的,漏洞测试在线web站点,其构建方式与当今的富客户端和移动应用程序中使用的技术相同。 87 | https://github.com/rapid7/hackazon 88 | 89 | 从零实例学习内网渗透,包括方法步骤和工具 90 | https://github.com/l3m0n/pentest_study 91 | 92 | 渗透工具 93 | https://github.com/l3m0n/pentest_tools 94 | 95 | ### 安全竞赛 (CTF夺标大赛) 96 | 97 | Google2019CTF web 解题思路 98 | https://xz.aliyun.com/t/5503 99 | 100 | 2018 第一届安洵杯 题目环境/源码 101 | https://github.com/D0g3-Lab/AXB-CTF 102 | 103 | google-ctf 包括2017和2018全部试题和答案 104 | https://github.com/google/google-ctf/ 105 | 106 | HCTF2017题目及解析 107 | https://github.com/vidar-team/HCTF2017 108 | 109 | CTF挑战平台 110 | https://github.com/CTFTraining 111 | 112 | CTF和安全工具大合集 113 | https://github.com/zardus/ctf-tools 114 | 115 | 近年CTF writeup大全 116 | https://github.com/ctfs/write-ups-2016 117 | 118 | HITB CTF 2017 Pwn题研究 119 | http://0x48.pw/2017/08/29/0x49 120 | 121 | 脸谱CTF竞赛平台Demo 122 | https://github.com/facebook/fbctf 123 | 124 | CTF框架、类库、资源、软件和教程列表 125 | https://github.com/apsdehal/awesome-ctf 126 | 127 | CTF的题集 128 | https://github.com/Hcamael/CTF_repo 129 | 130 | CTF资源 131 | https://github.com/ctfs/resources 132 | 133 | CTF从入门到了解各种工具 134 | https://github.com/SandySekharan/CTF-tool 135 | 136 | p4团队的CTF解决方案 https://p4.team 137 | https://github.com/p4-team/ctf 138 | 139 | ctftools 在线CTF信息网站,包括资源下载、在线工具、信息blog等 140 | https://www.ctftools.com 141 | 142 | 🔐 All Security Engineering Resources 143 | https://github.com/brianlam38/Sec-Dump 144 | 145 | ## OSCP&OSCE 146 | 147 | 备考 OSCP 的各种干货资料/渗透测试干货资料 148 | https://github.com/Jewel591/OSCP-Pentest-Methodologies 149 | 150 | OSCPRepo:This is a list of resources and scripts that I have been gathering (and continuing to gather) in preparation for the OSCP. 151 | https://github.com/rewardone/OSCPRepo 152 | 153 | Collection of things made during my OSCP journey 154 | https://github.com/ihack4falafel/OSCP 155 | 156 | A comprehensive guide/material for anyone looking to get into infosec or take the OSCP exam 157 | https://github.com/RustyShackleford221/OSCP-Prep 158 | 159 | Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet 160 | https://github.com/OlivierLaflamme/Cheatsheet-God 161 | 162 | A curated list of awesome OSCP resources 163 | https://github.com/0x4D31/awesome-oscp 164 | 165 | An archive of everything related to OSCP 166 | https://github.com/CyDefUnicorn/OSCP-Archives 167 | 168 | A list of the resources I use as I get ready for the exam 169 | https://github.com/burntmybagel/OSCP-Prep 170 | 171 | OSCP cheat sheet 172 | https://github.com/xMilkPowderx/OSCP 173 | 174 | OSCP-Human-Guide 175 | https://github.com/six2dez/OSCP-Human-Guide 176 | 177 | Good For OSCP Training 178 | https://github.com/freddiebarrsmith/Buffer-Overflow-Exploit-Development-Practice 179 | 180 | https://github.com/so87/OSCP-PwK 181 | This is my cheatsheet and scripts developed while taking the Offensive Security Penetration Testing with Kali Linux course. 182 | 183 | OSCP-60daysOSCP (Offensive Security Certified Professional) 184 | https://github.com/anandkumar11u/OSCP-60days 185 | 186 | OSCP-Cheatsheet 187 | https://github.com/tagnullde/OSCP 188 | 189 | GitBook: OSCP RoadMap 190 | https://github.com/nairuzabulhul/RoadMap 191 | 192 | OSCP-Automation:A collection of personal scripts used in hacking excercises. 193 | https://github.com/C-Cracks/OSCP-Automation 194 | 195 | A random set of 5 machines for OSCP 196 | https://github.com/ajdumanhug/oscp-practice 197 | 198 | Windows privilege escalation (enumeration) script designed with OSCP labs (legacy Windows) in mind 199 | https://github.com/M4ximuss/Powerless 200 | 201 | Collection of things made during my preparation to take on OSCE 202 | https://github.com/ihack4falafel/OSCE 203 | 204 | Some exploits, which I’ve created during my OSCE preparation. 205 | https://github.com/dhn/OSCE 206 | 207 | Used for the osce exam preparation 208 | https://github.com/73696e65/windows-exploits 209 | 210 | 📙 Markdown Templates for Offensive Security OSCP, OSWE, OSCE, OSEE, OSWP exam report 211 | https://github.com/noraj/OSCP-Exam-Report-Template-Markdown 212 | 213 | A list of freely available resources that can be used as a prerequisite before taking OSCE. 214 | https://github.com/snoopysecurity/OSCE-Prep 215 | 216 | -------------------------------------------------------------------------------- /ProofofConcept_Exploit.md: -------------------------------------------------------------------------------- 1 | ## 漏洞库及利用工具(POC,EXP) 2 | 3 | ### Meltdown(熔毁)和Spectre(幽灵)相关 4 | 5 | Local Exploit for Meltdown 6 | https://github.com/dendisuhubdy/meltdown 7 | 8 | Meltdown Spectre PoC 9 | https://github.com/paboldin/meltdown-exploit 10 | 11 | Meltdown/Spectre PoC 源码集合 12 | https://github.com/turbo/KPTI-PoC-Collection 13 | 14 | meltdownspectre补丁 15 | https://github.com/hannob/meltdownspectre-patches 16 | 17 | SpecuCheck meltdownspectre win下检查工具 18 | https://github.com/ionescu007/SpecuCheck 19 | 20 | Linux本地root提权 21 | https://github.com/5H311-1NJ3C706/local-root-exploits 22 | 23 | 漏洞研究集合 24 | https://github.com/sergey-pronin/Awesome-Vulnerability-Research 25 | 26 | CVE Details是通过读取NVD提供的CVE xml信息并添加exploit-db和metasploit相关模块重新排版布局的网站。 27 | 旨在使用户能快速查找到自己要找的漏洞,如按厂商查找按产品查找等。 28 | https://www.cvedetails.com/ 29 | 30 | Snyk漏洞库 31 | https://github.com/snyk/vulndb 32 | 33 | 按小时更新的保存使用JSON格式设置的CVE列表信息 34 | https://github.com/CVEProject/cvelist 35 | 36 | 哈希长度扩展攻击EXP 37 | https://github.com/citronneur/rdpy 38 | 39 | JAVA反序列化漏洞相关资源列表 40 | https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet 41 | 42 | JBOSS verify & exp tool 43 | https://github.com/joaomatosf/jexboss 44 | 45 | 些 APT 组(APT28、APT29、APT32、Emotet...)所使用的恶意软件样本 46 | https://github.com/Cherishao/APT-Sample 47 | 48 | 安卓十月漏洞POC 49 | https://github.com/jiayy/android_vuln_poc-exp 50 | 51 | 在sebug提交的漏洞详情及poc 52 | https://github.com/ganliuzhuo/Sebug 53 | 54 | PacketWhisper:使用DNS查询和文本隐藏技术 55 | https://github.com/TryCatchHCF/PacketWhisper 56 | 57 | ExploitDB官方git版本 58 | https://github.com/offensive-security/exploit-database 59 | 60 | Vulncode-DB is a database for vulnerabilities and their corresponding source code 61 | https://github.com/google/vulncode-db 62 | 63 | php漏洞代码分析 64 | https://github.com/80vul/phpcodz 65 | 66 | Parse: PHP安全扫码器 67 | https://github.com/psecio/parse 68 | 69 | NodeJsScan-Node.js应用静态安全代码扫码器 70 | https://github.com/ajinabraham/NodeJsScan 71 | 72 | proof-of-concept exploits developed by the Semmle Security Research Team. 73 | https://github.com/Semmle/SecurityExploits 74 | 75 | CVE-2016-2107简单test程序 76 | https://github.com/FiloSottile/CVE-2016-2107 77 | 78 | CVE-2015-7547 POC 79 | https://github.com/fjserna/CVE-2015-7547 80 | 81 | pocassist:全新的开源漏洞测试框架,实现poc在线编辑、运行、批量测试。 82 | https://github.com/jweny/pocassist 83 | 84 | 一些漏洞和0day的blog 85 | https://github.com/pierrekim/pierrekim.github.io 86 | JAVA反序列化POC生成工具 87 | https://github.com/frohoff/ysoserial 88 | 89 | JAVA反序列化EXP 90 | https://github.com/foxglovesec/JavaUnserializeExploits 91 | 92 | Jenkins cli漏洞 93 | https://github.com/CaledoniaProject/jenkins-cli-exploit 94 | 95 | CVE-2015-2426 EXP (windows内核提权) 96 | https://github.com/vlad902/hacking-team-windows-kernel-lpe 97 | 98 | web攻击的范例docker环境(php本地文件包含结合phpinfo getshell 以及ssrf结合curl的利用演示) 99 | https://github.com/hxer/vulnapp 100 | 101 | php7缓存覆写漏洞Demo及相关工具 102 | https://github.com/GoSecure/php7-opcache-override 103 | 104 | An exploit for Apache Struts CVE-2018-11776 105 | https://github.com/mazen160/struts-pwn_CVE-2018-11776 106 | 107 | Struts2 S2-045-Nmap NSE script 108 | https://github.com/Z-0ne/ScanS2-045-Nmap 109 | 110 | SS payloads designed to turn alert(1) into P1 111 | https://github.com/hakluke/weaponised-XSS-payloads 112 | 113 | XcodeGhost木马样本 114 | https://github.com/XcodeGhostSource/XcodeGhost 115 | 116 | scap安全指导 117 | https://github.com/OpenSCAP/scap-security-guide 118 | 119 | 相对偏学术方向,有不少书籍、会议、报告等推荐 120 | https://github.com/re-pronin/awesome-vulnerability-research 121 | 122 | 偏Web向的常见漏洞类型案例指导 123 | https://github.com/ngalongc/bug-bounty-reference 124 | 125 | 13年到现在数十个CVE漏洞的PoC 126 | https://github.com/qazbnm456/awesome-cve-poc 127 | 128 | 恶意软件脚本集 129 | https://github.com/seifreed/malware-scripts 130 | 131 | Awesome XSS stuff 132 | https://github.com/s0md3v/AwesomeXSS 133 | 134 | 一大波常见Web攻击Payloads 135 | https://github.com/foospidy/payloads 136 | 137 | 后门仓库,包括各语言直接绑定和反射式的后门,后门加密以及Stager 138 | https://github.com/0x00-0x00/ShellPop 139 | 140 | 常见Web攻击Payloads 141 | https://github.com/swisskyrepo/PayloadsAllTheThings 142 | 143 | OS X命令行、PowerShell命令行、Google Dorks、Shodan、exploit开发、Java反序列化等列表 144 | https://github.com/coreb1t/awesome-pentest-cheat-sheets 145 | 146 | 雷石安全实验室出品Shiro命令执行工具 V2.0 147 | https://github.com/tangxiaofeng7/Shiroexploit 148 | 149 | Java反序列化技术分享 150 | https://github.com/Y4er/WebLogic-Shiro-shell 151 | 152 | ### EXP编写框架及工具: 153 | 154 | 漏洞赏金计划集合和著名赏金猎人博客列表 155 | https://github.com/djadmin/awesome-bug-bounty 156 | 157 | Exploit开发学习资源 158 | https://github.com/FabioBaroni/awesome-exploit-development 159 | 160 | mimic is a tool for covert execution on Linux x86_64. 161 | https://github.com/emptymonkey/mimic 162 | 163 | 二进制EXP编写工具 164 | https://github.com/t00sh/rop-tool 165 | 166 | CTF Pwn 类题目脚本编写框架 167 | https://github.com/Gallopsled/pwntools 168 | 169 | python写的pwning开发IO库 170 | https://github.com/zTrix/zio 171 | 172 | 跨平台注入工具( Inject JavaScript to explore native apps on Windows, Mac, Linux, iOS and Android.) 173 | https://github.com/frida/frida 174 | 175 | 收集或编写各种漏洞PoC、ExP 176 | https://github.com/bollwarm/POC-EXP 177 | 178 | xray:一款完善的安全评估工具,支持常见 web 安全问题扫描和POC自定义 179 | https://github.com/chaitin/xray 180 | 181 | redteam_vu:红队作战中比较常遇到的一些重点系统漏洞整理。 182 | https://github.com/r0eXpeR/redteam_vul 183 | 184 | 渗透测试有关的POC、EXP、脚本、提权、小工具等,欢迎补充、完善 185 | https://github.com/Mr-xn/Penetration_Testing_POC 186 | 187 | 基于Docker-Compose的漏洞预构建环境https://vulhub.org 188 | https://github.com/vulhub/vulhub 189 | 190 | Java安全相关的漏洞和技术demo,原生Java、Fastjson、Jackson、Hessian2、XML反序列化漏洞利用和Dubbo、Shiro、CAS、Tomcat、RMI等框架\中间件\功能的exploits以及Java Security Manager绕过、Dubbo-Hessian2安全加固等等实践代码。 191 | https://github.com/threedr3am/learnjavabug 192 | 193 | CNVD-2020-10487(CVE-2020-1938), tomcat ajp 文件读取漏洞poc 194 | https://github.com/nibiwodong/CNVD-2020-10487-Tomcat-ajp-POC 195 | 196 | python3批量poc检测工具 197 | https://github.com/saucer-man/saucerframe 198 | 199 | AJPy aims to craft AJP requests in order to communicate with AJP connectors. 200 | https://github.com/hypn0s/AJPy 201 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## sectoolset -- Github安全相关工具集合 2 | 3 | ## 主要内容: 4 | 5 | [0x00 漏洞利用实战练习&CTF安全竞赛](Practice_CTF.md) 6 | 7 | [0x01 安全扫描器](Scanner.md) 8 | 9 | [0x02 安全防守](Defence.md) 10 | 11 | [0x03 渗透测试](PenetrationTest.md) 12 | 13 | [0x04 漏洞库及利用工具(POC,EXP)](ProofofConcept_Exploit.md) 14 | 15 | [0x05 二进制及代码分析工具](BinaryAnalysis.md) 16 | 17 | [0x06 威胁情报&蜜罐](ThreatIntelligence_Honey.md) 18 | 19 | [0x07 安全文档资料](SecurityDoucument.md) 20 | 21 | [0x10 AI&大模型安全](AI_LLm.md) 22 | 23 | [0x11 所有内容](All.md) 24 | 25 | ## 乌云镜像 26 | 27 | [乌云镜像,已挂](http://wooyun.webbaozi.com) 28 | 29 | [乌云镜像,已挂](http://wy.hx99.net/) 30 | 31 | ## 近期安全热点 32 | 33 | [GitHub MCP漏洞:劫持MCP服务访问私有仓库数据](https://www.toutiao.com/article/7509043289170084388/) 34 | 35 | [glibc iconv()中的缓冲区溢出导致PHP RCE攻击CNEXT(CVE-2024-2961)](https://www.ambionics.io/blog/iconv-cve-2024-2961-p1) 36 | 37 | [论文:红队中AI生成式模型使用调查](https://arxiv.org/pdf/2404.00629.pdf) 38 | 39 | [关于xz后门详解](http://jfrog.com/blog/xz-backdoor-attack-cve-2024-3094-all-you-need-to-know/) 40 | 41 | [ZenHammer:Rowhammer适用于AMD Zen的平台攻击 ](https://comsec.ethz.ch/research/dram/zenhammer/) 42 | 43 | [五眼联盟国家网络安全技术指导书](https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf) 44 | 45 | [2018 Blackhat 工具集](BlackHat2018.md) 46 | 47 | [Meltdown & Spectre](Meltdown_Spectre.md) 48 | 49 | ## License 50 | 51 | Licensed under [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0.html). 52 | -------------------------------------------------------------------------------- /Scanner.md: -------------------------------------------------------------------------------- 1 | ## 安全扫描器: 2 | 3 | ### 端口扫描器 4 | 5 | 扫描神器Nmap 6 | https://github.com/nmap/nmap 7 | 8 | Nmap NSE脚本推荐 9 | http://www.polaris-lab.com/index.php/archives/390/ 10 | 11 | Awesome Burp Extensions 12 | https://github.com/snoopysecurity/awesome-burp-extensions 13 | 14 | 基于WEB的内网扫描 15 | https://github.com/SkyLined/LocalNetworkScanner 16 | 17 | 子域名扫描工具 18 | https://github.com/lijiejie/subDomainsBrute 19 | 20 | OneForAll是一款功能强大的子域收集工具 21 | https://github.com/shmilylty/OneForAll 22 | 23 | BBScan是一个迷你的信息泄漏批量扫描脚本 24 | https://github.com/lijiejie/BBScan 25 | 26 | 探测Waf产品的指纹信息 27 | https://github.com/EnableSecurity/wafw00f 28 | 29 | 基于端口的漏扫及CVE关联 30 | https://github.com/m0nad/HellRaiser 31 | 32 | 分布式任务分发端口扫描器 33 | https://github.com/lietdai/doom 34 | 35 | 常见服务端口弱口令扫描器 36 | https://github.com/wilson9x1/fenghuangscanner_v3 37 | 38 | 内部网络扫描器 39 | https://github.com/sowish/LNScan 40 | 41 | 通过扫描全网绕过CDN获取网站IP地址 42 | https://github.com/boy-hack/w8fuckcdn 43 | 44 | 集成Nmap的一款端口扫描器 45 | https://github.com/screetsec/Dracnmap 46 | 47 | 便捷的自动化漏洞扫描,报告和分析工具 48 | https://github.com/schubergphilis/Seccubus 49 | 50 | 对公网IP列表进行端口服务扫描,发现周期内的端口服务变化情况和弱口令安全风险 51 | https://github.com/grayddq/PublicMonitors 52 | 53 | Burp Suite的自动化盲注搜索插件 54 | https://github.com/wish-i-was/femida 55 | 56 | 综合扫描工具,主要用来敏感文件探测(目录扫描与js泄露接口),WAF/CDN识别,端口扫描, 57 | 指纹/服务识别,操作系统识别,弱口令探测,POC扫描,SQL注入,绕过CDN,查询旁站等功能 58 | https://github.com/al0ne/Vxscan 59 | 60 | Nessus扫描自动化生成中文漏洞报告 61 | https://github.com/Bypass007/Nessus_to_report 62 | 63 | Tsunami谷歌开源的具有可扩展插件系统的通用网络安全扫描程序,可用于高置信度地检测高严重性漏洞。(java,基于nmap和ncrack) 64 | https://github.com/google/tsunami-security-scanner 65 | 66 | Golang开发的交互式网络扫描器, 67 | https://github.com/marco-lancini/goscan 68 | 69 | ### 子域名爆破扫描器 70 | 71 | https://github.com/aboul3la/Sublist3r 72 | 73 | https://github.com/TheRook/subbrute 74 | 75 | 信息探测及扫描工具(DNS及邮件枚举等) 76 | https://github.com/darryllane/Bluto 77 | 78 | 子域名扫描器 79 | https://github.com/ring04h/wydomain 80 | 81 | 子域名字典组合生成及暴力破解器 82 | https://github.com/infosec-au/altdns 83 | 84 | 固件漏洞扫描器 85 | https://github.com/misterch0c/firminator_backend 86 | 87 | 远程桌面登录扫描器 88 | https://github.com/linuz/Sticky-Keys-Slayer 89 | 90 | 网络基础设施渗透工具(集成nmap和hydra等) 91 | https://github.com/SECFORCE/sparta 92 | 93 | 快速地SNMP抢注,枚举,CISCO配置下载,密码攻击脚本 94 | https://github.com/SECFORCE/SNMP-Brute 95 | 96 | linux漏洞扫描器 97 | https://github.com/future-architect/vuls 98 | 99 | 被动式漏洞扫描系统 100 | https://github.com/ysrc/GourdScanV2 101 | 102 | MongoDB漏洞扫描器 103 | https://github.com/youngyangyang04/NoSQLAttack 104 | 105 | Automated script for performing Padding Oracle attacks 106 | https://github.com/GDSSecurity/PadBuster 107 | 108 | 利用ARP探测内网位置设备 109 | https://github.com/joarleymoraes/net_guard 110 | 111 | 自动漏扫 112 | https://github.com/az0ne/AZScanner 113 | 114 | WPScan 漏洞扫描系统的一个fork 115 | https://github.com/delvelabs/vane 116 | 117 | 安全行业从业人员自研开源扫描器合集 118 | https://github.com/We5ter/Scanners-Box 119 | 120 | 指纹服务,漏洞发现,WebDAV扫描 121 | https://github.com/Graph-X/davscan 122 | 123 | 快捷友好的网络扫描器 124 | https://github.com/angryziber/ipscan 125 | 126 | 扫描Tor exit relasy的模块 127 | https://github.com/NullHypothesis/exitmap 128 | 129 | DNS监控套件 130 | https://github.com/reyjrar/DreamCatcher 131 | 132 | AIRMASTER: 红蓝对抗中对过期域名发现和利用 133 | https://github.com/t94j0/AIRMASTER 134 | 135 | 基于SSH的穷人vpn 136 | https://github.com/ivanilves/xiringuito 137 | 138 | perl脚本评估远程服务的安全设置 (AKA Terminal Services) 139 | https://github.com/portcullislabs/rdp-sec-check 140 | 141 | Joy思科开源的网络包扑捉、网络流量分析、网络研究取证及安全监控的工具。 142 | https://github.com/cisco/joy 143 | 144 | web日志扫描工具 145 | https://github.com/apxar/xlog 146 | 147 | 自动扫描内网数据库扫描脚本(mysql、mssql、oracle、postgresql、redis、mongodb、memcached、elasticsearch),包含未授权访问及常规弱口令检测 148 | https://github.com/se55i0n/DBScanner 149 | 150 | A Simple and Comprehensive Vulnerability Scanner for Containers, Suitable for CI 151 | https://github.com/knqyf263/trivy 152 | 153 | 被动扫描器 Passive Security Scanner 154 | https://github.com/boy-hack/w13scan 155 | 156 | ### Web扫描器 157 | 158 | WEB应用攻击预防和审计框架,开源WEB漏洞扫描 159 | https://github.com/andresriancho/w3af 160 | 161 | WEB路径扫描 162 | https://github.com/maurosoria/dirsearch 163 | 164 | 网站指纹识别工具,用来检测网站CMS类型,所采用的博客系统类型,JS库,web服务器,甚至版本号,email地址,web框架等 165 | https://github.com/urbanadventurer/whatweb 166 | 167 | 一款爬虫框架,用来检测网站是否被恶意攻击过 168 | https://github.com/ciscocsirt/malspider 169 | 170 | AWVS10.5 data/script/目录下的脚本docode 171 | https://github.com/bollwarm/awvs_script_decode 172 | 173 | wordpress漏洞扫描器 174 | https://github.com/wpscanteam/wpscan 175 | 176 | discuz论坛漏洞扫描器 177 | https://github.com/code-scan/dzscan 178 | 179 | J2EE漏洞扫描器burp插件 180 | https://github.com/ilmila/J2EEScan 181 | 182 | Ruby on Rails应用静态分析工具 183 | https://github.com/presidentbeef/brakeman 184 | 185 | 网络空间指纹扫描器 186 | https://github.com/nanshihui/Scan-T 187 | 188 | xsec-proxy-scanner是一款速度超快、小巧的代理扫描器 189 | https://github.com/netxfly/xsec-proxy-scanner 190 | 191 | WEB服务扫描 192 | https://github.com/sullo/nikto 193 | 194 | WEB主机发现小工具 195 | https://github.com/zer0h/httpscan 196 | 197 | WEB扫描器 198 | https://github.com/golismero/golismero 199 | 200 | web应用安全扫描器 201 | https://github.com/taipan-scanner/Taipan 202 | 203 | 漏洞扫描:st2、tomcat、未授权访问等等 204 | https://github.com/SkewwG/VulScan 205 | 206 | 一个简单WEB中间件扫描 207 | https://github.com/maxlabelle/WebMalwareScanner 208 | 209 | ruby源码扫描工具 210 | https://github.com/thesp0nge/dawnscanner 211 | 212 | Get、Post参数扫描器 213 | https://github.com/maK-/parameth 214 | 215 | 路径扫描器 216 | https://github.com/stanislav-web/OpenDoor 217 | 218 | WEB路径扫描 219 | https://github.com/maurosoria/dirsearc 220 | 221 | FindBugs插件用于Java web应用和安卓应用的安全审计 222 | https://github.com/find-sec-bugs/find-sec-bugs 223 | 224 | GitHub敏感信息扫描工具 225 | https://github.com/repoog/GitPrey 226 | 227 | mozilla的GitHub配置信息检查工具和程序集 228 | https://github.com/mozilla-services/GitHub-Audit 229 | 230 | GitLeak 是一个从 Github 上查找密码信息的小工具 231 | https://github.com/5alt/GitLeak 232 | 233 | 一款兼容bugscan插件的扫描器 234 | https://github.com/boy-hack/w9scan 235 | 236 | Golang安全扫描 237 | https://github.com/securego/gosec 238 | 239 | Golang写的命令行工具发现git仓库中不小心泄露的密码,私有证书等 240 | https://github.com/UKHomeOffice/repo-security-scanner 241 | 242 | 侦察和信息收集安全工具 243 | https://github.com/evyatarmeged/Raccoon 244 | 245 | 问脉是一个扫描镜像内敏感信息、弱口令、恶意样本、异常历史命令、后门的检测工具集 https://github.com/chaitin/veinmind-tools 246 | 247 | ### SSL类型扫描器 248 | 249 | sslscan tests SSL/TLS enabled services to discover supported cipher suites 250 | https://github.com/rbsec/sslscan 251 | 252 | -------------------------------------------------------------------------------- /SecurityDoucument.md: -------------------------------------------------------------------------------- 1 | # 安全文档资料 2 | 3 | Awesome-Hacking黑客、渗透,安全研究文档集 4 | https://github.com/Hack-with-Github/Awesome-Hacking 5 | 6 | 黑客必读电子书 7 | https://github.com/Hack-with-Github/Free-Security-eBooks 8 | 9 | 黑客成长技术清单 10 | https://github.com/carpedm20/awesome-hacking 11 | 12 | snowden-archive -- NSA承包商Edward Snowden泄露文档合集 13 | https://github.com/iamcryptoki/snowden-archive 14 | 15 | Awesome-Vehicle-Security 汽车安全合集包括文档、软硬件应用 16 | https://github.com/jaredthecoder/awesome-vehicle-security 17 | 18 | Awesome-Security——一个社区驱动的知名安全资源分类集合 19 | https://github.com/sbilly/awesome-security 20 | 21 | 应用程序安全的资源列表 22 | https://github.com/paragonie/awesome-appsec 23 | 24 | 安全公众号推荐 25 | https://github.com/bollwarm/awesome-security-weixin-official-accounts 26 | 27 | DFTimewolf A framework for orchestrating forensic collection, processing and data export. 28 | https://github.com/log2timeline/dftimewolf 29 | 30 | 安全脑图合集 31 | https://github.com/phith0n/Mind-Map 32 | 33 | 有关信息安全的一些流程图收集 34 | https://github.com/SecWiki/sec-chart/tree/294d7c1ff1eba297fa892dda08f3c05e90ed1428 35 | 36 | 在学习Software安全的过程中整合的一些资料 37 | https://github.com/CHYbeta/Software-Security-Learning 38 | 39 | 有关cryptography, security, OPSEC以及其他工程的演讲集 40 | https://github.com/freddymartinez9/securitytalks 41 | 42 | cis-benchmarks 常用服务器、数据库、中间件安全配置基线(英文pdf下载) 43 | https://www.cisecurity.org/cis-benchmarks/ 44 | 45 | Kinda useful notes collated together publicly 46 | https://github.com/unprovable/PentestHardware 47 | 48 | 一个验证密码JS库,通过对比常见密码,提示密码问题 49 | https://github.com/kn9ts/dumb-passwords 50 | 51 | 网络安全AI信息:相关研究的数据集、论文、书籍、演讲等 52 | https://github.com/jivoi/awesome-ml-for-cybersecurity 53 | 54 | ACM CCS 2017 会议集 55 | https://dl.acm.org/citation.cfm?id=3133956 56 | 57 | 2017 IEEE Cybersecurity Development (SecDev大会录用论文) 58 | http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=8071083 59 | 60 | Golang for Security Professionals 61 | https://github.com/parsiya/Hacking-with-Go 62 | 63 | 域渗透教程 64 | https://github.com/l3m0n/pentest_study 65 | 66 | python security教程(原文链接http//www.primalsecurity.net/tutorials/python-tutorials/) 67 | https://github.com/smartFlash/pySecurity 68 | 69 | 域渗透学习笔记 70 | https://github.com/uknowsec/Active-Directory-Pentest-Notes 71 | 72 | 渗透测试文档https://ptestmethod.readthedocs.io/en/latest/ 73 | https://github.com/Maximevilla/PtestMethod 74 | 75 | data_hacking合集 76 | https://github.com/ClickSecurity/data_hacking 77 | 78 | 手机安全wiki 79 | https://github.com/exploitprotocol/mobile-security-wiki 80 | 81 | windows 内网协议学习:erbeos,ntlm,smb,ldap 82 | https://github.com/daikerSec/windows_protocol 83 | 84 | Web安全入门各种书籍、文档、工具 85 | https://github.com/infoslack/awesome-web-hacking 86 | 87 | 各种Android工具、报告/研究/书籍、漏洞/利用代码等资源 88 | https://github.com/ashishb/android-security-awesome 89 | 90 | 恶意软件集、开源威胁情报、检测、沙箱等 91 | https://github.com/rshipp/awesome-malware-analysis 92 | 93 | 书籍《reverse-engineering-for-beginners》 94 | https://github.com/veficos/reverse-engineering-for-beginners 95 | 96 | 一些信息安全标准及设备配置 97 | https://github.com/luyg24/IT_security 98 | 99 | PENTESTING-BIBLE:数百项道德黑客与渗透测试,红色团队,网络安全和计算机科学资源 100 | https://github.com/blaCCkHatHacEEkr/PENTESTING-BIBLE 101 | 102 | 分享在建设安全管理体系、ISO27001、等级保护、安全评审过程中的点点滴滴 103 | https://github.com/ym2011/SecurityManagement 104 | 105 | 2013-2017年各类安全大会演讲视频集 106 | https://github.com/PaulSec/awesome-sec-talks 107 | 108 | ⚡️ 极棒的有关安全手册、黑客,单行脚本,cli/web工具等的列表。 109 | https://github.com/trimstray/the-book-of-secret-knowledge 110 | 111 | 关于网络安全相关的RSS订阅,情报来源和日常知识库更新: 112 | https://github.com/zer0yu/CyberSecurityRSS 113 | 114 | 社工资源集——仅供网络安全人员、渗透测试人员在受控环境用于教育用途 115 | https://github.com/v2-dev/awesome-social-engineering 116 | 117 | 密码学的理论、工具、框架、资源等 118 | https://github.com/sobolevn/awesome-cryptography 119 | 120 | APT相关笔记 121 | https://github.com/kbandla/APTnotes 122 | 123 | Kcon资料 124 | https://github.com/knownsec/KCon 125 | 126 | Micro8安全渗透十年经验集合:括但不限制于代码审计,web渗透,内网渗透,域渗透,隧道介绍,日志溯源与暴力溯源等 127 | https://github.com/Micropoor/Micro8 128 | 129 | Install and Configure Common Car Hacking Tools. https://carhacking.tools 130 | https://github.com/jgamblin/CarHackingTools 131 | 132 | 安全大礼包(大杂烩) 133 | https://github.com/bayandin/awesome-awesomeness 134 | 135 | 各种信息安全公开课、培训信息 136 | https://github.com/onlurking/awesome-infosec 137 | 138 | 零碎的GitHub安全项目汇总,涉及PWND、PowerShell、CTF、恶意软件等 139 | https://github.com/FuzzySecurity/Resource-List 140 | 141 | Gera安全例程镜像 142 | https://github.com/deadbits/InsecureProgramming 143 | 144 | That Doesnt Suck安全指南 145 | https://github.com/rmusser01/Infosec_Reference 146 | 147 | Shell命令行、工具、指南列表集 148 | https://github.com/alebcay/awesome-shell 149 | 150 | <>电子杂志,分享同领域黑客关注的东西和黑客生活,已出版4期(截止2015) 151 | https://github.com/citypw/DNFWAH 152 | 153 | 安全知识库,包括网络分析、Web应用、开源情报、漏洞分析、编程开发等 154 | https://github.com/nixawk/pentest-wiki 155 | 156 | ThatDoesntSuck安全指南 157 | https://github.com/rmusser01/Infosec_Reference 158 | 159 | 安全测试人员进行评估检查需要用到的技能 160 | https://github.com/danielmiessler/SecLists 161 | 162 | WeReport: 渗透报告自动化生成平台 163 | https://github.com/bugsafe/WeReport 164 | 165 | 射频资源集合,包括SDR、GSM、3G、4G LTE、NFC、RFID、ZigBee等 166 | https://github.com/cn0xroot/RFSec-ToolKit 167 | 168 | 学习Web/Cloud/Docker 安全、渗透测试、安全建设笔记 169 | https://github.com/JnuSimba/MiscSecNotes 170 | 171 | 安全文章收集 172 | https://github.com/tom0li/collection-document 173 | 174 | Linux 安全时记录笔记 175 | https://github.com/JnuSimba/LinuxSecNotes 176 | 177 | 信息安全从业者书单推荐 178 | https://github.com/riusksk/secbook 179 | 180 | Android 安全笔记 181 | https://github.com/JnuSimba/AndroidSecNotes 182 | 183 | 安全技能树小密圈2017精选 184 | https://github.com/h4ck0ne/security_circle_2017 185 | 186 | Android应用安全的众测list 187 | https://github.com/B3nac/Android-Reports-and-Resources 188 | 189 | 车辆安全的学习资源、项目、软硬件、汽车黑客案例、Twitter follower列表等 190 | https://github.com/jaredmichaelsmith/awesome-vehicle-security 191 | 192 | 聚合大量IoT破解案例,如RFID、门铃、中控、可穿戴等 193 | https://github.com/nebgnahz/awesome-iot-hacks 194 | 195 | 包括工具、蜜罐、数据、警报和新闻、会议各种工控安全等 196 | https://github.com/hslatman/awesome-industrial-control-system-security 197 | 198 | 数字取证论文集合(摄像头特征) 199 | https://github.com/NetSecLab/Paper_for_Digital_Forensics 200 | 201 | 渗透测试技巧 202 | https://github.com/xssfile/Attack-data 203 | 204 | Security-operation-book 覆盖116个TID,353个技术点,主要涵盖Web、Windows AD、Linux,涉及ATT&CK技术、模拟测试、检测思路、检测所需数据源等。 205 | https://github.com/0x783kb/Security-Operation-Book 206 | 207 | 以太坊合约审计checkList @知道创宇404区块链安全研究团队 208 | https://github.com/knownsec/Ethereum-Smart-Contracts-Security-CheckList 209 | 210 | Spring Security provides security services for the Spring IO Platform. Spring Security 5.0 requires Spring 5.0 as a minimum and also requires Java 8. 211 | https://github.com/spring-projects/spring-security 212 | 213 | Support for adding OAuth1(a) and OAuth2 features (consumer and provider) for Spring web applications. 214 | https://github.com/spring-projects/spring-security-oauth 215 | 216 | Iptables Essentials: Common Firewall Rules and Commands. 217 | https://github.com/trimstray/iptables-essentials#manuals-howtos-tutorials 218 | 219 | Curated list of awesome cloud security blogs, podcasts, standards, projects, and examples. 220 | https://github.com/Funkmyster/awesome-cloud-security 221 | 222 | List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc. 223 | https://github.com/toniblyx/my-arsenal-of-aws-security-tools 224 | 225 | Cloud Custodian is a rules engine for managing public cloud accounts and resources 226 | https://github.com/capitalone/cloud-custodian 227 | 228 | scripts, tools, extensions, automations, for Azure subscription and resource security 229 | https://github.com/azsk/DevOpsKit-docs 230 | 231 | 甲方企业安全建设开源之路 232 | https://github.com/bloodzer0/Enterprise_Security_Build--Open_Source/ 233 | 234 | 初创企业安全起步 235 | https://devd.me/log//posts/startup-security/ 236 | 237 | ## 学习资料 238 | 239 | 📚 List of awesome university courses for learning Computer Science! 240 | https://github.com/prakhar1989/awesome-courses 241 | 242 | 💻 An awesome & curated list of best applications and tools for Windows. 243 | https://github.com/Awesome-Windows/Awesome 244 | 245 | Curated list of awesome lists 246 | https://github.com/sindresorhus/awesome 247 | 248 | Awesome & Interesting Talks concerning Programming 249 | https://github.com/hellerve/programming-talks#creative-coding 250 | 251 | 生信,大数据,机器学习,各种程序语言等等资源集合 252 | https://github.com/shenwei356/awesome 253 | 254 | 中文公开聊天语料库 255 | https://github.com/codemayq/chaotbot_corpus_Chinese 256 | 257 | 图书配套代码 精通渗透测试机器学习 258 | https://github.com/PacktPublishing/Mastering-Machine-Learning-for-Penetration-Testing 259 | 260 | awesome cheatsheet 261 | https://github.com/detailyang/awesome-cheatsheet 262 | 263 | 机器学习和安全 264 | https://github.com/13o-bbr-bbq/machine_learning_security 265 | 266 | iOS hack资料 267 | https://github.com/Siguza/ios-resources 268 | 269 | Green-hat-suite is a tool to make meterpreter evade antivirus 270 | https://github.com/Green-m/green-hat-suite 271 | 272 | 慢雾安全团队知识库 273 | https://github.com/slowmist/Knowledge-Base/ 274 | 275 | BlockChain-Security-List 区块链加密币安全列表 (reverse, exploit, fuzz..) 276 | https://github.com/im-bug/BlockChain-Security-List 277 | 278 | 比特币的最佳集合 279 | https://github.com/kennethreitz/awesome-coins 280 | 281 | 知道创宇研发技能表 282 | https://github.com/knownsec/RD_Checklist 283 | 284 | architect-awesome:后端架构师技术图谱 285 | https://github.com/xingshaocheng/architect-awesome 286 | 287 | Git学习资料 288 | https://github.com/xirong/my-git 289 | 290 | 计算机科学视频教程集 291 | https://github.com/Developer-Y/cs-video-courses 292 | 293 | 安卓开源代码解析 294 | https://github.com/android-cn/android-open-project-analysis 295 | 296 | JS 正则表达式库(用于简化构造复杂的JS正则表达式) 297 | https://github.com/VerbalExpressions/JSVerbalExpressions 298 | 299 | PHP生成安全随机数、加密数据、检查漏洞等类库 300 | https://github.com/ziadoz/awesome-php#security 301 | 302 | 科学上网工具 303 | https://github.com/XX-net/XX-Net 304 | 305 | 全功能私有云云平台 306 | https://github.com/zelon88/HRCloud2 307 | 308 | 亚马逊云服务AWS实践指南 309 | https://github.com/open-guides/og-aws 310 | 311 | 撰写安全代码最小备忘单子 312 | https://github.com/GoSecure/security-cheat-sheet 313 | 314 | 关于系统、数据库、IDE、编程语言等方面的免费书 315 | https://github.com/EbookFoundation/free-programming-books/ 316 | 317 | 一个爬取国内技术站点的技术文章 318 | https://github.com/smile0304/Technical_Article_Spider/ 319 | 320 | 渗透和开发小技巧 321 | https://github.com/3gstudent/Pentest-and-Development-Tips 322 | 323 | 🚀苹果macOS 开源应用集 324 | https://github.com/serhii-londar/open-source-mac-os-apps#games 325 | 326 | ### Python工具: 327 | 328 | Python应用安全框架 329 | https://github.com/YosaiProject/yosai 330 | 331 | python安全和代码审计相关资料收集 332 | https://github.com/bit4woo/python_sec 333 | 334 | pyc反编译脚本 335 | https://github.com/gstarnberger/uncompyle 336 | 337 | pycipher python加解密库 338 | https://github.com/jameslyons/pycipher 339 | 340 | 可视化python性能分析工具 341 | https://github.com/nvdv/vprof 342 | 343 | Flask认证 344 | https://github.com/miguelgrinberg/Flask-HTTPAuth 345 | 346 | ViperMonkey,VBA解析和模拟机,用来分析非法宏代码 347 | https://github.com/decalage2/ViperMonkey 348 | 349 | XLearning是一款支持多种机器学习、深度学习框架调度系统. 350 | https://github.com/Qihoo360/XLearning/ 351 | 352 | 一些资源和工具里list 353 | https://github.com/pe3zx/my-awesome 354 | 355 | Tensorflow实战学习笔记 356 | https://github.com/MachineLP/Tensorflow- 357 | 358 | 声音可视化工具集 359 | https://github.com/willianjusten/awesome-audio-visualization 360 | 361 | ### 代码审计 362 | 363 | 安全代码审计工具 364 | https://github.com/hardenedlinux/srcinv 365 | 366 | ### 编程资料 367 | 368 | 多个语言简明教程 369 | http://xahlee.info/comp/comp_lang_tutorials_index.html 370 | 371 | An extensive list of interesting open source projects written in С, C++, Clojure, Lisp, Elixir, Erlang, Elm, Golang, Haskell, JavaScript, Lua, OCaml, Python, R, Ruby, Rust, Scala etc. 372 | https://github.com/lk-geimfari/awesomo 373 | 374 | A curated list of Rust code and resources. 375 | https://github.com/rust-unofficial/awesome-rust 376 | 377 | python 正则表达式库(用于简化构造复杂的python正则表达式) 378 | https://github.com/VerbalExpressions/PythonVerbalExpressions 379 | 380 | python任务管理以及命令执行库 381 | https://github.com/pyinvoke/invoke 382 | 383 | python exe打包库 384 | https://github.com/pyinstaller/pyinstaller 385 | 386 | py3 爬虫框架 387 | https://github.com/orf/cyborg 388 | 389 | 一个提供底层接口数据包编程和网络协议支持的python库 390 | https://github.com/CoreSecurity/impacket 391 | 392 | python requests 库 393 | https://github.com/kennethreitz/requests 394 | 395 | python 实用工具合集 396 | https://github.com/mahmoud/boltons 397 | 398 | python爬虫系统 399 | https://github.com/binux/pyspider 400 | 401 | ScrapedIn,LinkedIn爬虫 402 | https://github.com/dchrastil/ScrapedIn 403 | 404 | ctf向 python工具包 405 | https://github.com/P1kachu/v0lt 406 | 407 | python框架,库,资源大合集 408 | https://github.com/vinta/awesome-python 409 | 410 | python资源大全 411 | https://github.com/jobbole/awesome-python-cn 412 | -------------------------------------------------------------------------------- /ThreatIntelligence_Honey.md: -------------------------------------------------------------------------------- 1 | ## 威胁情报&蜜罐: 2 | 3 | 威胁情报资源 4 | https://github.com/hslatman/awesome-threat-intelligence 5 | 6 | 常见IOC资源、工具 7 | https://github.com/sroberts/awesome-iocs 8 | 9 | 数字取证的常见工具资源 10 | https://github.com/Cugu/awesome-forensics 11 | 12 | Ethereum Scam Database诈骗数据库溯新查询 13 | https://github.com/MrLuit/EtherScamDB 14 | 15 | 开源情报:各种开源情报来源 16 | https://github.com/jivoi/awesome-osint 17 | 18 | 帮助安全分析师和数字取证人员 19 | https://github.com/meirwah/awesome-incident-response 20 | 21 | ThreatHunter攻略-帮助安全分析师利用Sysmon和Windows Events日志来进行事件分析,涉及Splunk、ELK、Sigma、GrayLog等工具 22 | https://github.com/VVard0g/ThreatHunter-Playbook 23 | 24 | 社工插件,可查找以email、phone、username的注册的所有网站账号信息 25 | https://github.com/n0tr00t/Sreg 26 | 27 | Github信息搜集,可实时扫描查询git最新上传有关邮箱账号密码信息 28 | https://github.com/sea-god/gitscan 29 | 30 | People tracker on the Internet: OSINT analysis and research tool 31 | https://github.com/jofpin/trape 32 | 33 | 用于MISP分类系统。 34 | https://github.com/MISP/misp-taxonomies 35 | 36 | RegEx 拒绝服务(ReDos)扫描器 https://github.com/jagracey/Regex-DoS 37 | https://github.com/jagracey/RegEx-DoS 38 | 39 | dataShark 构建在Apache Spark的安全和网络事件分析框架 40 | https://github.com/makemytrip/dataShark 41 | 42 | github Repo信息搜集工具 43 | https://github.com/metac0rtex/GitHarvester 44 | 45 | CIF v3 -- 安全威胁情报最快获取 46 | https://github.com/csirtgadgets/bearded-avenger 47 | 48 | 使用CNN进行样本恶意动态行为检测 49 | https://github.com/zwq0320/malicious_dynamic_behavior_detection_by_cnn 50 | 51 | 屏蔽广告,恶意扫描和非法域名的工具(hosts) 52 | https://github.com/zant95/hBlock 53 | 54 | Dradis Framework: IT安全团队协作和报告工具 55 | https://github.com/dradis/dradis-ce 56 | 57 | EggShell (也被正式称为NeonEggShell) 用python写的iOS,OS X 监控工具 58 | https://github.com/neoneggplant/EggShell 59 | 60 | HMAC 时序攻击统计分析 http://eggie5.com/45-hmac-timing-attacks 61 | https://github.com/eggie5/hmac-timing-attacks 62 | 63 | AIL framework - 弱点信息分析框架 64 | https://github.com/CIRCL/AIL-framework 65 | 66 | w11scan是一款分布式的WEB指纹识别系统(包括CMS识别、js框架、组件容器、代码语言、WAF等等) 67 | https://github.com/boy-hack/w11scan 68 | 69 | OWASP依赖扫描报告转为SonarQube 70 | https://github.com/stevespringett/dependency-check-sonar-plugin 71 | 72 | SBT插件用来进行OWASP依赖扫描 73 | https://github.com/albuch/sbt-dependency-check 74 | 75 | Maltrail——非法流量检测系统 76 | https://github.com/stamparm/maltrail 77 | 78 | Seebug、structs、cve漏洞实时监控推送系统🔦 79 | https://github.com/FortuneC00kie/bug-monitor 80 | 81 | Logstash 日志安全攻击分析插件 82 | https://github.com/anbai-inc/AttackFilter 83 | 84 | net-creds:从网络嗅探或Pcap 文件提取敏感数据的工具 85 | https://github.com/DanMcInerney/net-creds 86 | 87 | 开源的恶意代码查杀引擎,模式匹配是瑞士军刀(支持二进制) 88 | https://github.com/VirusTotal/yara 89 | 90 | Klara 基于Rara引擎的威胁情报恶意代码发现辅助项目 91 | https://github.com/KasperskyLab/klara 92 | 93 | awesome-yara YARA规则、工具和相关信息集。 94 | https://github.com/InQuest/awesome-yara 95 | 96 | scylla: 人性化智能IP代理池 97 | https://github.com/imWildCat/scylla 98 | 99 | 用于机器学习模型的对抗鲁棒性工具箱 100 | https://github.com/IBM/adversarial-robustness-toolbox 101 | 102 | 射箭:开源漏洞评估和管理 103 | https://github.com/archerysec/archerysec 104 | 105 | A fork and successor of the Sulley Fuzzing Framework 106 | https://github.com/jtpereyda/boofuzz 107 | 108 | BTA is an open-source Active Directory security audit framework 109 | https://github.com/airbus-seclab/bta 110 | 111 | Graph platform for Detection and Response 112 | https://github.com/insanitybit/grapl 113 | 114 | Open Cyber Threat Intelligence Platform https://www.opencti.io 115 | https://github.com/OpenCTI-Platform/opencti 116 | 117 | 深度利用 118 | https://github.com/13o-bbr-bbq/machine_learning_security/tree/master/DeepExploit 119 | 120 | Halcyon IDE:Nmap脚本开发IDE 121 | https://github.com/s4n7h0/Halcyon 122 | 123 | SimpleRisk资源 124 | https://github.com/simplerisk 125 | 126 | TROMMEL:Sift Through Embedded Device Files to Identify Potential Vulnerable Indicators 127 | https://github.com/CERTCC/trommel 128 | 129 | IoT Pentesting 101 && IoT security 101 130 | https://github.com/V33RU/IoTSecurity101 131 | 132 | Deep and Dark Web OSINT Tool 133 | https://github.com/DedSecInside/TorBot 134 | 135 | ### 蜜罐集 136 | 137 | 蜜罐资源合集 138 | https://github.com/paralax/awesome-honeypots 139 | 140 | SSH蜜罐 141 | https://github.com/desaster/kippo 142 | 143 | kippo进阶版 144 | https://github.com/micheloosterhof/cowrie 145 | 146 | SMTP蜜罐 147 | https://github.com/awhitehatter/mailoney 148 | 149 | Web应用蜜罐 150 | https://github.com/mushorg/glastopf 151 | 152 | 数据库蜜罐 153 | https://github.com/jordan-wright/elastichoney 154 | 155 | Web蜜罐 156 | https://github.com/atiger77/Dionaea 157 | 158 | ICS/SCADA蜜罐 159 | https://github.com/mushorg/conpot 160 | 161 | MongoDB代理蜜罐 162 | https://github.com/Plazmaz/MongoDB-HoneyProxy 163 | 164 | T-Pot:多蜜罐平台,可视化分析。 165 | https://github.com/dtag-dev-sec/tpotce/ 166 | 167 | opencanary_web:蜜罐的网络管理平台。 168 | https://github.com/p1r06u3/opencanary_web 169 | 170 | Honeyd:一个小型守护进程,可以在网络上创建虚拟主机。 171 | http://www.honeyd.org/ 172 | 173 | Glastopf Python Web应用程序蜜罐。 174 | https://github.com/mushorg/glastopf 175 | 176 | Cowrie :一种中等交互式SSH和Telnet蜜罐,用于记录暴力攻击和攻击者执行的shell交互。 177 | https://github.com/cowrie/cowrie 178 | 179 | Kippo:一个中等交互式SSH蜜罐,用于记录暴力攻击,最重要的是,攻击者执行的整个shell交互。 180 | https://github.com/desaster/kippo 181 | 182 | Dionaea:一个低交互的蜜罐,能够模拟FTP/HTTP/MSSQL/MYSQL/SMB等服务。 183 | https://github.com/DinoTools/dionaea 184 | 185 | onpot:一个ICS蜜罐,其目标是收集有关针对工业控制系统的敌人的动机和方法的情报。 186 | https://github.com/mushorg/conpot 187 | 188 | 扩展企业安全测试主动诱导型蜜罐框架系统 189 | https://github.com/hacklcx/HFish 190 | 191 | Wordpot:一个Wordpress蜜罐,可以检测用于指纹wordpress安装的插件,主题,timthumb和其他常用文件的探针。 192 | https://github.com/gbrindisi/wordpot 193 | 194 | Shockpot:针对CVE-2014-6271的一个Web应蜜罐,用于发现针对Bash远程代码漏洞的攻击者。 195 | https://github.com/threatstream/shockpot 196 | 197 | 对开源蜜罐的学习研究与理解 198 | https://github.com/XiaoXiaoGuaiXiaShi/OpenSource-HoneyPot 199 | -------------------------------------------------------------------------------- /check.pl: -------------------------------------------------------------------------------- 1 | my $key=shift; 2 | 3 | open my $F,'<','All.md'; 4 | 5 | while(<$F>) { 6 | print "$_\n" if /$key/; 7 | 8 | } 9 | -------------------------------------------------------------------------------- /tool.sh: -------------------------------------------------------------------------------- 1 | my $key=shift; 2 | die "请给出commit消息" unless $key; 3 | 4 | `git add .`; 5 | `git commit -m "$key"`; 6 | 7 | `git push && git push `; 8 | `git push && git push gitee`; 9 | 10 | 11 | --------------------------------------------------------------------------------