└── README.md /README.md: -------------------------------------------------------------------------------- 1 | # CTF Tools 2 | This repository is a place where I want to keep all the useful *resources/websites/tools* to solve CTF challenges. All the tools will be divided by category, in order to better organize them. 3 | 4 | It will contain even some "obvious" links, like the ASCII table and so on, because it is a page indended to be kept open during CTFs: you never know what will come in handy! 5 | 6 | This repo is for me but also for my CTF team, and why not for whoever will get to this page. 7 | 8 | ## Want to contribute? 9 | 1. **Fork the repository** - Create your own fork on GitHub 10 | 2. **Create a feature branch** - Create a new branch for your feature: 11 | ```bash 12 | git checkout -b feature/description 13 | ``` 14 | 4. **Make your changes** - Write your contribution 15 | 7. **Commit and push your changes** - Use clear commit messages and push your branch 16 | 9. **Create a pull request** - Submit a PR against this repository 17 | 18 | Any question or no time to make your own changes? _**Feel free to create an issue on this repository!**_ 19 | 20 | ## Training 🚩 21 | > A list of useful websites to train our skills and knowledge. 22 | - [picoCTF](https://picoctf.org/) 23 | - [capturetheflag](https://capturetheflag.it/risorse/come-imparo) 24 | - [overthewire](https://overthewire.org/wargames/) 25 | - [pwnable](http://pwnable.kr/) 26 | 27 | ## General πŸ“‹ 28 | #### Tools 29 | - [John Hammond - Katana](https://github.com/JohnHammond/ctf-katana): **huge repo of very useful CTF tools**, thank you John, my repo now looks useless 30 | - [Cyberchef](https://gchq.github.io/CyberChef/): huge tool to perform **every type of calculation of any category** 31 | - [Hex Editor](https://hexed.it/): online **hex editor** for files 32 | - [Online Converter](https://www.rapidtables.com/convert/number/ascii-hex-bin-dec-converter.html): **ASCII/Hex/Dec/Bin/b64 converter** tool online 33 | - [XOR Calculator](http://xor.pw/) 34 | - [Resource Saver](https://chrome.google.com/webstore/detail/save-all-resources/abpdnfjocnmdomablahdcfnoggeeiedb?hl=en-US): Chrome extension to **download all the res of a website** 35 | - [Github Secrets](https://github.com/neodyme-labs/github-secrets): search for **dangling or force-pushed commits** in a Github repo 36 | - [Zip Password Cracker](https://passwordrecovery.io/zip-file-password-removal/): a realy useful and free **online zip password finder** 37 | - [Regex Check](https://www.debuggex.com/): check **regular expressions** online 38 | #### Resources 39 | - [ASCII Table](http://www.asciitable.com/) 40 | 41 | ## Cryptography πŸ”’ 42 | #### Tools 43 | - [dCode](https://www.dcode.fr): **crypto heaven** 44 | - [QuipQuip](https://quipqiup.com/): online **substitution cipher solver** with frequency analysis, also allows to insert frequency hints 45 | - [Big Numbers Calculator 1](http://www.javascripter.net/math/calculators/100digitbigintcalculator.htm): an online **calculator for huge integers** 46 | - [Big Numbers Calculator 2](https://defuse.ca/big-number-calculator.htm): an online **calculator for huge integers**, worse UI but maybe better performance 47 | - [RSA Calculator](https://www.cryptool.org/en/cto/highlights/rsa-step-by-step): online **RSA parameters calculator with encryption/decryption**, works also with big numbers 48 | - [Inverse mod N Calculator](https://www.dcode.fr/modular-inverse): compute the **modular inverse of a number**, even with big numbers 49 | - [RsaCtfTool](https://github.com/Ganapati/RsaCtfTool): Python tool to perform **RSA attacks** 50 | - [FactorDB](http://factordb.com/): find **well-known integer factorization** 51 | - [CrackStation](https://crackstation.net/): online **hash cracker** (md5, sha, ...) 52 | - [Vigenere Solver](https://www.guballa.de/vigenere-solver): very good online **Vigenere Cipher solver** with bruteforce 53 | - [Substitution Solver](https://www.guballa.de/substitution-solver): very good online **Substitution Cipher solver** with bruteforce 54 | - [Sage Math](https://sagecell.sagemath.org/): online Sage environment to **perform Crypto calculations** 55 | - [Crunch](https://tools.kali.org/password-attacks/crunch): Linux tool to **create custom dictionaries** for attacks (hash, pd, ..) 56 | - [Online Hash Crack](https://www.onlinehashcrack.com/): big website to **perform hash/pwd cracking and identification** on various files 57 | - [Hash Identifier](https://tools.kali.org/password-attacks/hash-identifier): Linux tool to **perform hash identification** 58 | - [Morse Code Translator](https://morsecode.world/international/translator.html) 59 | - [Dual Tone Decoder](http://dialabc.com/sound/detect/): find **DTMF tones** within audio clips 60 | - [gmpy2](https://gmpy2.readthedocs.io/en/latest/intro.html): Python library for **multiple-precision arithmetic** 61 | #### Resources 62 | - [Weird Ciphers](http://www.quadibloc.com/crypto/intro.htm): a list of some **strange cryptography algorithms** 63 | - [Symbolic Ciphers](https://www.dcode.fr/symbols-ciphers): another list of **strange cryptography algorithms** 64 | 65 | ## Steganography 🎨 66 | #### Tools 67 | - [Aperi'Solve](https://aperisolve.fr/): **one of the best online tools**, with static analysis and also running zsteg, steghide, exiftool, binwalk, foremost, .. 68 | - [StegOnline](https://stegonline.georgeom.net): big stego tool, upload image and **modify/extract data** 69 | - [Stegsolve](https://github.com/eugenekolo/sec-tools/tree/master/stego/stegsolve/stegsolve): JAR file to view **hidden text in images** 70 | - [Steg 1](https://stylesuxx.github.io/steganography/): online **encoder/decoder of files in images** 71 | - [Steg 2](https://futureboy.us/stegano/decinput.html): online **encoder/decoder of files in images**, maybe more powerful 72 | - [Images Color picker](https://imagecolorpicker.com/): get **colors from websites/images in Hex/RGB** 73 | - [Stegseek](https://github.com/RickdeJager/stegseek): lightning fast **steghide cracker** that can be used to extract hidden data from files. 74 | #### Resources 75 | - [steghide](http://steghide.sourceforge.net/documentation/manpage.php): manual website of the **Steghide** tool 76 | - [zsteg](https://github.com/zed-0xff/zsteg): Ruby tool for steganography purposes 77 | 78 | ## Web πŸ•ΈοΈ 79 | #### Tools 80 | - [CSP Evaluator](https://csp-evaluator.withgoogle.com/): Google **CSP evaluator** with bypass possibilities 81 | - [Subdomain Finder](https://subdomainfinder.c99.nl/index.php): website to **find subdomains of URLs**, even hidden ones 82 | - [Google Certificates](https://transparencyreport.google.com/https/certificates): search certificates of a website by domain 83 | - [Traversal Archives](https://github.com/jwilk/traversal-archives): samples of archive files in various formats that attempt to exploit (hypothetical) directory travesal bugs 84 | #### Resources 85 | - [CSP Cheatsheet](https://six2dez.gitbook.io/pentest-book/enumeration/web/csp): list of **CSPs and relative bypass** possibilities 86 | - [JSONP Endpoints](https://github.com/zigoo0/JSONBee/blob/master/jsonp.txt): list of **well-known JSONP Endpoints** 87 | - [Web Payloads](https://github.com/swisskyrepo/PayloadsAllTheThings): list of **Web Payloads** of various techniques 88 | 89 | ## Pwn πŸ› 90 | ### Tools 91 | - [Syscall Reference](https://syscalls.w3challs.com/): **x86 / x64 syscalls manual** with registers value 92 | - [Asm/Disasm](https://defuse.ca/online-x86-assembler.htm#disassembly): online **x86 / x64 assembler and disassembler** 93 | - [LibC Check](https://libc.blukat.me/?q=puts%3A0x7f51bf2ee9c0&l=libc6_2.27-3ubuntu1_amd64): find all the **possible libc versions** with symbol name and entry address 94 | - [BinaryNinja](https://cloud.binary.ninja/): online **binary file decompiler** 95 | - [DogBolt](https://dogbolt.org/): online **binary file decompiler** with different options like Ghidra and BinaryNinja 96 | ### Resources 97 | 98 | ## Forensics πŸ•΅οΈβ€β™‚οΈ 99 | ### Tools 100 | - [Forensically](https://29a.ch/photo-forensics/#forensic-magnifier): **online forensic analysis tool** to extract cool data from images, .. 101 | - [Autopsy](https://www.sleuthkit.org/autopsy/): **file recovery tool** with data carving, .. 102 | - [Foremost](https://tools.kali.org/forensics/foremost): **file recovery tool** based on their magic bytes, headers, .. 103 | ### Resources 104 | 105 | ## OSINT 🌐 106 | - [Mail from LinkedIn](https://skrapp.io/tutorials/linkedin-email-finder): Chrome extension to **find email addresses from Linkedin page** 107 | - [Wayback Machine](https://archive.org/web/): **webpage archive at a certain time** 108 | - [Sherlock](https://github.com/sherlock-project/sherlock): hunt down **social media accounts by username** 109 | - [Email lookup](https://epieos.com/): tool to **retrieve information linked to an email address** 110 | 111 | ## Reversing ↩️ 112 | ### Tools 113 | - [Online Decompiler](http://www.javadecompilers.com/): online tool to decompile **Java classes, APKs,...** 114 | - [MobSF](https://github.com/MobSF/Mobile-Security-Framework-MobSF): tool to **decompile and reverse APK** files 115 | - [JADX](https://github.com/skylot/jadx): tools for producing Java source code from **Android Dex and APK** files 116 | - NB: strings is useful also on APK files 117 | ### Resources 118 | --------------------------------------------------------------------------------