ATT&CK

  • Updated Contents of each section
  • Adversary Emulation Plans
    • To showcase the practical use of ATT&CK for offensive operators and defenders, MITRE created Adversary Emulation Plans. These are prototype documents of what can be done with publicly available threat reports and ATT&CK. The purpose of this activity is to allow defenders to more effectively test their networks and defenses by enabling red teams to more actively model adversary behavior, as described by ATT&CK. This is part of a larger process to help more effectively test products and environments, as well as create analytics for ATT&CK behaviors rather than detecting a specific indicator of compromise (IOC) or specific tool.
  • Plus other stuff

Anonymity/OpSec/Privacy

  • anonymouth

    • Document Anonymization Tool, Version 0.5
  • Spoiled Onions

    • In this research project, we monitored all exit relays for several months in order to expose, document, and thwart malicious or misconfigured relays. In particular, we monitored exit relays with two scanners we developed specifically for that purpose: exitmap and HoneyConnector. Since September 2013, we discovered 65 malicious or misconfigured exit relays, which are listed in Table 1 and Table 2 of our research paper. These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, SSL stripping, and traffic sniffing. We also found exit relays which were unintentionally interfering with network traffic because they were subject to DNS censorship.
  • A Guide to Law Enforcement Spying Technology - EFF

  • Fingerprinting documents with steganography

  • steganos

    • This is a library to encode bits into text.... steganography in text!
  • Content-preserving Text Watermarking through Unicode Homoglyph Substitution

    • Digital watermarking has become crucially important in authentication and copyright protection of digital content, since more and more data are generated and shared online every day through digital archives, blogs and social networks. Of all media, text is the hardest to watermark: text cannot always be converted into an image, it accounts for a far smaller amount of data (e.g. social network posts), and changes to a short text would strongly affect its meaning or overall visual form. In this paper we propose a text watermarking technique based on homoglyph character substitution for Latin symbols. The proposed method is able to efficiently embed a password-based watermark in short texts while strictly preserving the content. In particular, it uses alternative Unicode symbols to ensure visual indistinguishability and length preservation, namely content preservation. To evaluate our method, we use a real dataset of 1.8 million New York articles. The results show the effectiveness of our approach, with an average of 101 characters needed to embed a 64-bit password-based watermark.
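
The substitution the paper describes, as an added example (this is not the paper's code): a toy embed/extract pair that trades Latin letters for visually identical Cyrillic code points, one bit per carrier letter, plus the check a defender runs on untrusted text to catch exactly this kind of mixed-script content. The HOMOGLYPHS table, the sample sentence and the 16-bit mark are assumptions for illustration; the paper's own symbol set is larger.

```python
# Added example, not the paper's code: a toy version of content-preserving
# text watermarking by Unicode homoglyph substitution, plus the defender-side
# check for text that mixes scripts. The HOMOGLYPHS table is an assumption.
import unicodedata

# Latin letter -> confusable code point from another script (Cyrillic here)
HOMOGLYPHS = {
    "a": "\u0430", "c": "\u0441", "e": "\u0435", "i": "\u0456",
    "o": "\u043e", "p": "\u0440", "x": "\u0445", "y": "\u0443",
}
REVERSE = {v: k for k, v in HOMOGLYPHS.items()}


def capacity(text: str) -> int:
    """Number of letters that can each carry one bit."""
    return sum(ch in HOMOGLYPHS for ch in text)


def embed(text: str, bits: str) -> str:
    """Hide `bits` in `text`: a carrier letter becomes its homoglyph for a 1
    bit and stays as-is for a 0 bit. Code-point length and rendering are
    unchanged, which is what the paper calls content preservation."""
    if capacity(text) < len(bits):
        raise ValueError(f"need {len(bits)} carrier letters, text has {capacity(text)}")
    out, i = [], 0
    for ch in text:
        if ch in HOMOGLYPHS and i < len(bits):
            out.append(HOMOGLYPHS[ch] if bits[i] == "1" else ch)
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def extract(text: str, nbits: int) -> str:
    """Read the mark back: homoglyph -> 1, untouched carrier letter -> 0."""
    bits = []
    for ch in text:
        if ch in REVERSE:
            bits.append("1")
        elif ch in HOMOGLYPHS:
            bits.append("0")
        if len(bits) == nbits:
            break
    return "".join(bits)


def normalize(text: str) -> str:
    """Undo the substitution, as a consumer of untrusted text should before
    comparing usernames, hostnames or identifiers."""
    return "".join(REVERSE.get(ch, ch) for ch in text)


def mixed_script_words(text: str) -> list:
    """Defender-side check: words whose letters come from more than one
    Unicode script. Plain Latin prose never does this, so a hit is a strong
    sign of homoglyph substitution, whether a watermark or a spoof."""
    flagged = []
    for word in text.split():
        scripts = {unicodedata.name(ch, "?").split()[0] for ch in word if ch.isalpha()}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged


# Constructed sample: 26 carrier letters, enough for a 16-bit mark
SAMPLE = "the quick brown fox jumps over the lazy dog near the old copper pipe"
MARK = "1010110011110001"

if __name__ == "__main__":
    marked = embed(SAMPLE, MARK)
    print(marked)                              # renders exactly like SAMPLE
    print(extract(marked, len(MARK)) == MARK)  # True
    print(mixed_script_words(marked))          # the words that carry 1 bits
```

Two practical points follow from the code. A 64-bit mark needs 64 substitutable letters, which is why the paper reports about 101 characters of text per watermark. And the mark is not robust: anyone who maps confusables back to their Latin base (the `normalize` step, or a Unicode TR39 skeleton) strips it, so the same check that catches a watermark also catches a homoglyph-spoofed URL or account name.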

Basic Security Info


BIOS/UEFI/Firmware/Low Level Attacks


Building a Lab


Car Hacking


Cheat Sheets


Conferences


Courses


Cryptography & Timing Attacks (& CryptoCurrencies)

  • Coinbase Insider Trading: Litecoin Edition

  • Deadpool

    • Repository of various public white-box cryptographic implementations and their practical attacks.
  • RSA-and-LLL-attacks

    • This repo hosts implementations and explanations of different RSA attacks using lattice reduction techniques (in particular LLL).
  • SHA1Collider

    • Build two PDFs that have different content but identical SHA1 sums.
  • robot-detect

    • Proof of concept attack and detection for ROBOT (Return Of Bleichenbacher's Oracle Threat).

CTF


Darknets


Data Analysis/Visualization


Defense

  • ketshash

    • A little tool for detecting suspicious privileged NTLM connections, in particular Pass-the-Hash attacks, based on Event Viewer logs.
  • So you want to beat the Red Team - Cameron Moore - BSides Philly 2016

  • NorkNork - Tool for identifying Empire persistence payloads

  • Removing Backdoors – Powershell Empire Edition - n00py

  • Grouper

    • Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
  • Detecting and Preventing PowerShell Downgrade Attacks - leeholmes

  • AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester

  • NtdsAudit

    • NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
  • CERT-NZ SSH Hardening

    • CERT NZ documentation for hardening SSH server and client configuration, and using hardware tokens to protect private keys
  • Windows Event Forwarding Guidance

    • Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
  • PoSH-R2

    • PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system, so they need to be executed as a user that has the necessary privileges.
  • CIRCLean

    • CIRCLean is an independent hardware solution to clean documents from untrusted (obtained) USB keys / USB sticks. The device automatically converts untrusted documents into a readable but disarmed format and stores these clean files on a trusted (user owned) USB key/stick.
    • Github
  • Capirca

    • Capirca is a tool designed to utilize common definitions of networks, services and high-level policy files to facilitate the development and manipulation of network access control lists (ACLs) for various platforms. It was developed by Google for internal use, and is now open source.
  • Block or unblock external content in Office documents - support.office

  • Enable attack surface reduction - docs.ms (https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction)

    • Attack surface reduction is a feature of Windows Defender Exploit Guard. It helps prevent the actions and apps that exploit-seeking malware typically uses to infect machines.
  • Windows Defender Exploit Guard: Reduce the attack surface against next-generation malware

  • Automating security with PowerShell, Jaap Brasser (@Jaap_Brasser)

    • There is no doubt that security has been in the spotlight over the last few years, recent events have been responsible for the increased demand for better and more secure systems. Security was often treated as an afterthought or something that could be implemented ‘later’. In this session, we will go over some best practices, using existing tools and frameworks to help you set up a more secure environment and to get a grasp of what is happening in your environment. We will leverage your existing automation skills to secure and automate these workflows. Expect a session with a lot of demos and resources that can directly be implemented.
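
The detection idea behind ketshash (listed above), run over the kind of 4624 records a WEF pipeline like Palantir's collects, as an added example: this is not ketshash's code, and it is in Python rather than the PowerShell ketshash itself uses. The heuristic is that a privileged NTLM network logon is only explained if the same user had a visible logon on the source host shortly before; an NTLM logon from a host the user never logged on to, or logged on to days ago, is what a pass-the-hash from a stolen hash looks like. The event fields, the 10-hour window, the set of "explaining" logon types and the sample events are all assumptions constructed for illustration.

```python
# Added example, not Ketshash's code: a privileged NTLM network logon that
# no legitimate logon on the source host explains, found in constructed
# Security event 4624 records. Field names, the window and the logon-type
# set are assumptions for illustration.
from datetime import datetime, timedelta

# Logon types that put a user's credentials on a host for a visible reason:
# 2 interactive, 7 unlock, 10 RemoteInteractive (RDP), 11 cached interactive
EXPLAINING_LOGON_TYPES = {2, 7, 10, 11}
WINDOW = timedelta(hours=10)   # assumption: how old an explaining logon may be

# Constructed sample of parsed 4624 fields (not real logs)
EVENTS = [
    {"time": "2018-03-01T09:00:00", "host": "WS01", "user": "alice",
     "logon_type": 2, "auth_pkg": "Negotiate", "src_host": "WS01"},
    {"time": "2018-03-01T09:15:00", "host": "FS01", "user": "alice",
     "logon_type": 3, "auth_pkg": "NTLM", "src_host": "WS01"},
    # admin reaches DC01 over NTLM from WS07, where admin never logged on
    {"time": "2018-03-01T09:20:00", "host": "DC01", "user": "admin",
     "logon_type": 3, "auth_pkg": "NTLM", "src_host": "WS07"},
    # bob logged on to WS02 three days ago; an NTLM logon from it now is stale
    {"time": "2018-02-26T08:00:00", "host": "WS02", "user": "bob",
     "logon_type": 2, "auth_pkg": "Negotiate", "src_host": "WS02"},
    {"time": "2018-03-01T09:30:00", "host": "FS01", "user": "bob",
     "logon_type": 3, "auth_pkg": "NTLM", "src_host": "WS02"},
    # unprivileged service account: out of scope for this check
    {"time": "2018-03-01T09:35:00", "host": "FS01", "user": "svc_print",
     "logon_type": 3, "auth_pkg": "NTLM", "src_host": "PRN01"},
]
PRIVILEGED = {"alice", "admin", "bob"}


def _ts(event):
    return datetime.fromisoformat(event["time"])


def suspicious_ntlm_logons(events, privileged, window=WINDOW):
    """Return privileged NTLM network logons (type 3) that no explaining
    logon of the same user on the source host, within `window`, accounts for."""
    explained = {}   # (source host, user) -> times of explaining logons
    for e in events:
        if e["logon_type"] in EXPLAINING_LOGON_TYPES:
            key = (e["host"].upper(), e["user"].lower())
            explained.setdefault(key, []).append(_ts(e))

    findings = []
    for e in events:
        if e["logon_type"] != 3 or e["auth_pkg"] != "NTLM":
            continue
        user = e["user"].lower()
        if user not in privileged:
            continue
        t = _ts(e)
        prior = [x for x in explained.get((e["src_host"].upper(), user), []) if x <= t]
        if not prior:
            reason = "no logon of this user on the source host"
        elif t - max(prior) > window:
            reason = f"last logon on source host was {t - max(prior)} earlier"
        else:
            continue
        findings.append({"time": e["time"], "user": user, "src_host": e["src_host"],
                         "target": e["host"], "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in suspicious_ntlm_logons(EVENTS, PRIVILEGED):
        print(finding)
```

The check only works if the source hosts' Security logs are collected centrally, which is why it pairs naturally with the WEF guidance above. Expect noise from accounts that legitimately use NTLM without an interactive logon (scheduled tasks, service accounts with explicit credentials), and from privileged users whose session on the source host is older than the window; tune the privileged set and the window before alerting on it.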

Design


DFIR

  • FIR
    • FIR (Fast Incident Response) is a cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents. FIR is for anyone needing to track cybersecurity incidents (CSIRTs, CERTs, SOCs, etc.). It was tailored to suit our needs and our team's habits, but we put a great deal of effort into making it as generic as possible before releasing it so that other teams around the world may also use it and customize it as they see fit.

Disclosure


Documentation/Technical writing

  • Ronn

    • Ronn builds manuals. It converts simple, human readable textfiles to roff for terminal display, and also to HTML for the web. The source format includes all of Markdown but has a more rigid structure and syntax extensions for features commonly found in manpages (definition lists, link notation, etc.). The ronn-format(7) manual page defines the format in detail.
  • Bishop Fox Cybersecurity Style Guide


Drones


Embedded Devices/Hardware (Including Printers & PoS & IoS)

  • PCB-RE: Tools & Techniques

  • esp8266 wiki

  • dustcloud

    • Xiaomi Vacuum Robot Reverse Engineering and Hacking
  • Xiaomi Dafang hacks

    • This repository is a collection of information & software for the Xiaomi Dafang Camera
  • xiaomi-sensors-hacks

    • collection of xiaomi/aqara sensors hacks/modifications
  • nexmon

    • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.
  • MonitorDarkly

    • This repo contains the exploit for the Dell 2410U monitor. It contains utilities for communicating with and executing code on the device. The research presented here was done in order to highlight the lack of security in "modern" on-screen-display controllers. Please check out our Recon 0xA presentation (included) for a detailed description of our research findings and process.
  • Firmware Analysis Toolkit

    • FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware.
  • Damn Vulnerable Router Firmware (DVRF) v0.5

    • The goal of this project is to simulate a real world environment to help people learn about other CPU architectures outside of the x86_64 space. This project is also for those who are curious about embedded research, but don't want to invest a lot of money.

Exfiltration

  • icmptunnel
    • icmptunnel works by encapsulating your IP traffic in ICMP echo packets and sending them to your own proxy server. The proxy server decapsulates the packet and forwards the IP traffic. Incoming IP packets destined for the client are in turn encapsulated in ICMP echo reply packets and sent back to the client. The IP traffic is carried in the data field of the ICMP packets; RFC 792, the IETF specification for ICMP, allows an arbitrary data length for type 0 (echo reply) and type 8 (echo request) messages. The client machine therefore uses only ICMP to communicate with the proxy server, and applications running on the client are oblivious to this and work seamlessly.
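
The encapsulation described above, as an added example that is not icmptunnel's code: a whole IPv4 packet is placed in the data field of an ICMP echo message, read back with checksum verification, and then looked at the way a network sensor would. The inner packet and the "normal ping" payload are constructed; the 64-byte size threshold and the "payload starts with a plausible IPv4 header" test are assumptions, not rules from any product.

```python
# Added example, not icmptunnel's code: carry an IP packet in an ICMP echo
# message, decapsulate it, and apply two sensor heuristics. Threshold and
# heuristics are assumptions; sample packets are constructed.
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def icmp_encapsulate(ip_packet: bytes, icmp_type: int, ident: int, seq: int) -> bytes:
    """Wrap a whole IP packet as the data of an echo request or reply."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = inet_checksum(header + ip_packet)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + ip_packet


def icmp_decapsulate(message: bytes):
    """Return (type, ident, seq, inner packet); raise on a damaged message."""
    if len(message) < 8:
        raise ValueError("ICMP message shorter than its header")
    if inet_checksum(message) != 0:      # an intact message sums to zero
        raise ValueError("ICMP checksum mismatch")
    icmp_type, code, _, ident, seq = struct.unpack("!BBHHH", message[:8])
    if icmp_type not in (ECHO_REQUEST, ECHO_REPLY) or code != 0:
        raise ValueError("not an echo message")
    return icmp_type, ident, seq, message[8:]


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) in front of `payload`."""
    total = 20 + len(payload)
    head = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, 0x4000, 64, proto, 0, src, dst)
    csum = inet_checksum(head)
    return head[:10] + struct.pack("!H", csum) + head[12:] + payload


def tunnel_indicators(message: bytes) -> list:
    """Cheap checks a sensor can run on every echo message it sees."""
    data = message[8:]
    found = []
    if len(data) > 64:                                   # assumed threshold
        found.append("oversized-echo-payload")
    if len(data) >= 20 and data[0] >> 4 == 4 and (data[0] & 0x0F) >= 5:
        if struct.unpack("!H", data[2:4])[0] == len(data):
            found.append("ipv4-header-in-payload")
    return found


# Constructed inputs: a fake client->server packet (proto 6, payload standing
# in for a TCP segment) and a Linux-style ping payload (8-byte timestamp
# followed by the 0x10, 0x11, ... fill pattern).
INNER = build_ipv4(b"\x0a\x00\x00\x05", b"\x5d\xb8\xd8\x22", 6, b"GET / HTTP/1.0\r\n\r\n")
TUNNELED = icmp_encapsulate(INNER, ECHO_REQUEST, 0xBEEF, 1)
NORMAL_PING = icmp_encapsulate(b"\x00" * 8 + bytes(range(0x10, 0x40)), ECHO_REQUEST, 0x1234, 1)

if __name__ == "__main__":
    print(icmp_decapsulate(TUNNELED)[3] == INNER)   # True
    print(tunnel_indicators(TUNNELED))              # ['ipv4-header-in-payload']
    print(tunnel_indicators(NORMAL_PING))           # []
```

The heuristics are deliberately weak on their own: a tunnel can pad or encrypt its payload so that neither fires, and ping implementations differ in fill pattern and size. Per-host echo volume and request/reply asymmetry over time are the signals that survive such evasion, and blocking echo data beyond what your own monitoring needs removes the channel altogether.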

Exploit Dev

  • MorphAES

    • IDPS & SandBox & AntiVirus STEALTH KILLER. MorphAES is the world's first polymorphic shellcode engine, with metamorphic properties and capability to bypass sandboxes, which makes it undetectable for an IDPS, it's cross-platform as well and library-independent.
  • OWASP ZSC

    • OWASP ZSC is open source software written in python which lets you generate customized shellcode and convert scripts to an obfuscated script. This software can be run on Windows/Linux/OSX with python.
  • Meltdown PoC for Reading Google Chrome Passwords

  • kernelpop

    • kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation on OSX and Linux
  • Vulnserver - my KSTET exploit (delivering the final stage shellcode through the active server socket) - ewilded.blogspot

  • CVE-2017-10271

    • Oracle WebLogic WLS-WSAT Remote Code Execution Exploit (CVE-2017-10271)
  • CVE-2018-0802

    • This repo contains a Proof of Concept exploit for CVE-2018-0802. To get around the limited command length allowed, the exploit uses the Packager OLE object to drop an embedded payload into the %TMP% directory, and then executes the file using a short command via a WinExec call, such as: cmd.exe /c%TMP%\file.exe.
  • IOHIDeous

    • A macOS kernel exploit based on an IOHIDFamily 0day.
    • Writeup

Forensics

  • PoSH-R2

    • PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system, so they need to be executed as a user that has the necessary privileges.
  • Vortessence

    • Vortessence is a tool, whose aim is to partially automate memory forensics analysis. Vortessence is a project of the Security Engineering Lab of the Bern University of Applied Sciences.
  • WMI_Forensics

    • This repository contains scripts used to find evidence in WMI repositories
  • Chrome Ragamuffin

    • Volatility plugin designed to extract useful information from Google Chrome's address space. The goal of this plugin is to make possible the analysis of a Google Chrome running instance. Starting from a memory dump, Chrome Ragamuffin can list which page was open on which tab and it is able to extract the DOM Tree in order to analyze the full page structure.
  • usbkill

    • usbkill is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.
  • firefox_decrypt

    • Firefox Decrypt is a tool to extract passwords from Mozilla (Firefox/Thunderbird/SeaMonkey) profiles

Fuzzing/Bug Hunting

  • asadbg

    • asadbg is a framework of tools to aid in automating live debugging of Cisco ASA devices, as well as automating interaction with the Cisco CLI over serial/ssh to quickly perform repetitive tasks.
  • asatools - NCCGroup

    • Main repository to pull all Cisco ASA-related projects.
  • asafw

    • Set of scripts to deal with Cisco ASA firmware [pack/unpack etc.]
  • morph

    • an open source browser fuzzing framework for fun.
  • pcrappyfuzzer

    • Script to perform quick 'n dirty fuzzing of PCAPs with radamsa and Scapy.
  • android-afl

    • Fuzzing Android program with american fuzzy lop (AFL)

Game Hacking

  • VITA2PC

    • VITA2PC is a tool that streams a PS Vita/PS TV to your PC over Wi-Fi.
  • psvd

  • henkaku

    • Homebrew enabler for PS Vita
  • vitadump

    • This homebrew can dump some PS Vita shared modules
  • vitastick

    • vitastick is a plugin and an application that lets you use a PSVita as a USB controller. It uses the UDCD (USB Device Controller Driver) infrastructure in the kernel to simulate such controller, and thus, the host thinks the PSVita is a legit USB gamepad.
  • The Homebrew Channel

    • The Homebrew Channel - open source edition
  • Dolphin

    • Dolphin is a GameCube / Wii emulator, allowing you to play games for these two platforms on PC with improvements. https://dolphin-emu.org/
  • WiiUse

    • Wiiuse is a library written in C that connects with several Nintendo Wii remotes. Supports motion sensing, IR tracking, nunchuk, classic controller, Balance Board, and the Guitar Hero 3 controller. Single threaded and nonblocking makes a light weight and clean API.
  • Nintendo_Switch_Reverse_Engineering - dekuNukem

    • A look at inner workings of Joycon and Nintendo Switch
  • soundhax

    • A heap overflow in tag processing leads to code execution when a specially-crafted m4a file is loaded by Nintendo 3DS Sound. This bug is particularly good, because as far as I can tell it is the first ever homebrew exploit that is free, offline, and works on every version of the firmware for which the sound app is available.
  • Awesome Gamedev

    • A collection of free software and free culture resources for making amazing games.

Honeypots


ICS/SCADA


Interesting Things/Miscellaneous

  • Apple’s Software “Problem” and “Fixing” It (via twitter)

  • Shadowbrokers

    • The Shadow Brokers "Lost In Translation" leak
  • Teach Yourself Demoscene in 14 Days

  • The Lounge

    • Modern web IRC client designed for self-hosting.
  • explainshell.com

    • explainshell is a tool (with a web interface) capable of parsing man pages, extracting options and explain a given command-line by matching each argument to the relevant help text in the man page.
  • Magic Wormhole

    • This package provides a library and a command-line tool named wormhole, which makes it possible to get arbitrary-sized files and directories (or short pieces of text) from one computer to another. The two endpoints are identified by using identical "wormhole codes": in general, the sending machine generates and displays the code, which must then be typed into the receiving machine.
  • Object-oriented HTML

    • HTML isn't a programming language as such, it's actually a markup language. This means that it misses out on a lot of the good stuff that real programming languages have, including the joys of object-oriented programming. This project brings inheritance, polymorphism, and public "methods" to HTML. With startling imagination, I've called it object-oriented HTML and chosen the file extension .oohtml.
  • Upspin

    • Upspin is an experimental project to build a framework for naming and sharing files and other data securely, uniformly, and globally: a global name system of sorts. It is not a file system, but a set of protocols and reference implementations that can be used to join things like file systems and other storage services to the name space. Performance is not a primary goal. Uniformity and security are. Upspin is not an official Google product.
  • pewpew

    • Why should security vendors be the only ones allowed to use silly, animated visualizations to "compensate"? Now, you can have your very own IP attack map that's just as useful as everyone else's. IPew is a feature-rich, customizable D3 / javascript visualization, needing nothing more than a web server capable of serving static content and a sense of humor to operate.
  • My Canons on (ISC)² Ethics - Such as They Are(2011)


Lockpicking


Malware


Network Scanning and Attacks

  • GTScan

    • The Nmap scanner for telco. With the current focus on telecom security, the tools used day to day in IT-side penetration testing should be extended to telecom as well; hence the motivation for an nmap-like scanner for telco. Current interconnect security controls might fail against reconnaissance: although mobile operators may deploy SMS firewalls/proxies and interconnect firewalls, some of these leak information that can be used for further information gathering. The motivation behind this project is, first, to add a new tool to the arsenal of telecom penetration testers and, second, to give mobile operators a way to test their controls against a basic methodology such as information gathering and reconnaissance.
  • SNMPwn

    • SNMPwn is an SNMPv3 user enumerator and attack tool. It is a legitimate security tool designed to be used by security professionals and penetration testers against hosts you have permission to test. It takes advantage of the fact that SNMPv3 systems will respond with "Unknown user name" when an SNMP user does not exist, allowing us to cycle through large lists of users to find the ones that do.
  • blacksheepwall

    • blacksheepwall is a hostname reconnaissance tool written in Go. It can also be used as a stand-alone package in your tools.
  • IVRE

    • IVRE (Instrument de veille sur les réseaux extérieurs) or DRUNK (Dynamic Recon of UNKnown networks) is a network recon framework, including tools for passive recon (flow analytics relying on Bro, Argus and Nfdump; fingerprint analytics based on Bro and p0f) and active recon (IVRE uses Nmap to run scans and can use ZMap as a pre-scanner; IVRE can also import XML output from Nmap and Masscan).
  • Microsoft NTLM - msdn

  • Anubis

    • Anubis is a subdomain enumeration and information gathering tool. Anubis collates data from a variety of sources, including HackerTarget, DNSDumpster, x509 certs, VirusTotal, Google, Pkey, and NetCraft. Anubis also has a sister project, AnubisDB, which serves as a centralized repository of subdomains.
  • Judas DNS

    • A DNS proxy server built to be deployed in place of a taken over nameserver to perform targeted exploitation. Judas works by proxying all DNS queries to the legitimate nameservers for a domain. The magic comes with Judas's rule configurations which allow you to change DNS responses depending on source IP or DNS query type. This allows an attacker to configure a malicious nameserver to do things like selectively re-route inbound email coming from specified source IP ranges (via modified MX records), set extremely long TTLs to keep poisoned records cached, and more.
    • Respect My Authority – Hijacking Broken Nameservers to Compromise Your Target
  • LTE-Cell-Scanner

    • This is a collection of tools to locate and track LTE basestation cells using very low performance RF front ends. For example, these tools work with RTL2832 based dongles (E4000, R820T, etc.) which have a noise figure of 20dB, only 8 bits in the A/D, and a crystal with a frequency error of about 100 ppm.
  • Sockstress

    • Sockstress is a Denial of Service attack on TCP services discovered in 2008 by Jack C. Louis from Outpost24 [1]. It works by using RAW sockets to establish many TCP connections to a listening service. Because the connections are established using RAW sockets, connections are established without having to save any per-connection state on the attacker's machine. Like SYN flooding, sockstress is an asymmetric resource consumption attack: It requires very little resources (time, memory, and bandwidth) to run a sockstress attack, but uses a lot of resources on the victim's machine. Because of this asymmetry, a weak attacker (e.g. one bot behind a cable modem) can bring down a rather large web server. Unlike SYN flooding, sockstress actually completes the connections, and cannot be thwarted using SYN cookies. In the last packet of the three-way handshake a ZERO window size is advertised -- meaning that the client is unable to accept data -- forcing the victim to keep the connection alive and periodically probe the client to see if it can accept data yet. This implementation of sockstress takes the idea a little further by allowing the user to specify a payload, which will be sent along with the last packet of the three-way handshake, so in addition to opening a connection, the attacker can request a webpage, perform a DNS lookup, etc.
  • Nili

    • Nili is a Tool for Network Scan, Man in the Middle, Protocol Reverse Engineering and Fuzzing.
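
The segment the Sockstress description above turns on, as an added example that is not the sockstress tool's code: the handshake-completing ACK that advertises a zero window and already carries a request, built byte for byte with a valid checksum, and a per-source detector that pairs each SYN with the zero-window ACK that follows it. The traffic is constructed (one normal client, one attacker opening 50 such flows); the threshold of 20 flows per source is an assumption.

```python
# Added example, not sockstress's code: build the zero-window ACK with a
# payload that the description above refers to, and spot sources that
# complete many handshakes this way. Sample capture is constructed; the
# per-source threshold is an assumption.
import socket
import struct

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp(src_ip, dst_ip, sport, dport, seq, ack, flags, window, payload=b""):
    """TCP segment without options; checksum covers the IPv4 pseudo-header."""
    def header(csum):
        return struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, window, csum, 0)
    csum = inet_checksum(_pseudo_header(src_ip, dst_ip, 20 + len(payload)) + header(0) + payload)
    return header(csum) + payload


def tcp_checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    return inet_checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def parse_tcp(segment: bytes) -> dict:
    sport, dport, seq, ack, off_flags, window, _, _ = struct.unpack("!HHIIHHHH", segment[:20])
    data_off = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0x1FF, "window": window, "payload": segment[data_off:]}


def sockstress_suspects(flows, min_flows=20) -> dict:
    """`flows` is a list of (src_ip, segment bytes) in arrival order, as seen
    in front of the server. A flow counts against its source when its SYN is
    followed by an ACK (no SYN) advertising window 0: the client completed
    the handshake and immediately refused to read."""
    syn_seen = set()
    zero_window = {}
    for src_ip, seg in flows:
        t = parse_tcp(seg)
        key = (src_ip, t["sport"], t["dport"])
        if t["flags"] & SYN and not t["flags"] & ACK:
            syn_seen.add(key)
        elif key in syn_seen and t["flags"] & ACK and t["window"] == 0:
            zero_window.setdefault(src_ip, set()).add(key)
    return {ip: len(keys) for ip, keys in zero_window.items() if len(keys) >= min_flows}


def constructed_capture():
    """One well-behaved client, then an attacker opening 50 zero-window flows."""
    flows = [
        ("10.0.0.5", build_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 1000, 0, SYN, 65535)),
        ("10.0.0.5", build_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 1001, 5001, ACK, 65535)),
        ("10.0.0.5", build_tcp("10.0.0.5", "10.0.0.80", 40000, 80, 1001, 5001, PSH | ACK, 65535,
                               b"GET / HTTP/1.0\r\n\r\n")),
    ]
    for port in range(50000, 50050):
        flows.append(("10.0.0.9", build_tcp("10.0.0.9", "10.0.0.80", port, 80, 7, 0, SYN, 8192)))
        # final handshake ACK: window 0 plus a request, so the server also
        # builds a response it can never deliver
        flows.append(("10.0.0.9", build_tcp("10.0.0.9", "10.0.0.80", port, 80, 8, 9001, ACK, 0,
                                            b"GET / HTTP/1.0\r\n\r\n")))
    return flows


if __name__ == "__main__":
    print(sockstress_suspects(constructed_capture()))   # {'10.0.0.9': 50}
```

Because the handshake really completes, SYN cookies do nothing here; what helps is bounding established connections per source, aborting connections that sit in zero-window persist for too long, and putting the limit in front of the server (load balancer or firewall) rather than only on the host being exhausted.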

Network/Endpoint Monitoring & Logging & Threat Hunting

  • Windows Event Forwarding Guidance

    • Over the past few years, Palantir has maintained an internal Windows Event Forwarding (WEF) pipeline for generating and centrally collecting logs of forensic and security value from Microsoft Windows hosts. Once these events are collected and indexed, alerting and detection strategies (ADS) can be constructed not only on high-fidelity security events (e.g. log deletion), but also for deviations from normalcy, such as unusual service account access, access to sensitive filesystem or registry locations, or installation of malware persistence. The goal of this project is to provide the necessary building blocks for organizations to rapidly evaluate and deploy WEF to a production environment, and centralize public efforts to improve WEF subscriptions and encourage adoption. While WEF has become more popular in recent years, it is still dramatically underrepresented in the community, and it is our hope that this project may encourage others to adopt it for incident detection and response purposes. We acknowledge the efforts that Microsoft, IAD, and other contributors have made to this space and wish to thank them for providing many of the subscriptions, ideas, and techniques that will be covered in this post.
  • ElastAlert

    • ElastAlert is a simple framework for alerting on anomalies, spikes, or other patterns of interest from data in Elasticsearch.
  • Ninja Level Infrastructure Monitoring Workshop - Defcon24

    • This repository contains all the presentation, documentation and the configuration, sample logs, ansible playbook, customized dashboards and more.

OSINT

  • The Endorser
    • An OSINT tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.

OS X


Passwords

  • PACK (Password Analysis and Cracking Toolkit)

    • PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers.
  • mod0keecrack

    • mod0keecrack is a simple tool to crack/bruteforce passwords of KeePass 2 databases. It implements a KeePass 2 Database file parser for .kdbx files, as well as decryption routines to verify if a supplied password is correct. mod0keecrack only handles the encrypted file format and is not able to parse the resulting plaintext database. The only purpose of mod0keecrack is the brute-forcing of a KeePass 2 database password.
  • PassGAN

    • This repository contains code for the PassGAN: A Deep Learning Approach for Password Guessing paper. The model from PassGAN is taken from Improved Training of Wasserstein GANs and it is assumed that the authors of PassGAN used the improved_wgan_training tensorflow implementation in their work. For this reason, I have modified that reference implementation in this repository to make it easy to train (train.py) and sample (sample.py) from.

  • hcxtools

    • Small set of tools to capture and convert packets from WLAN devices (h = hash, c = capture, convert and calculate candidates, x = different hash types) for use with the latest hashcat or John the Ripper. The tools are 100% compatible with hashcat and John the Ripper and are recommended by hashcat. This branch is closely synced to the hashcat git branch (the latest hcxtools matches the latest hashcat beta) and the John the Ripper git branch ("bleeding-jumbo").

Phishing

  • Ares

    • Phishing toolkit for red teams and pentesters. Ares lets security testers create a landing page easily, embedded within the original site. Ares acts as a proxy between the phished and original sites and allows real-time modifications and injects. All references to the original site are rewritten to the new site. Users use the site as they normally would, but every step is recorded or influenced. Ares also works well in combination with DNS poisoning.
  • PhishingKitHunter

    • PhishingKitHunter (or PKHunter) is a tool for identifying the URLs of phishing kits used in phishing campaigns that target your customers and reuse some of your own website's files (CSS, JS, ...). The tool, written in Python 3, is based on analysing the referer URLs of requests that GET particular files from the legitimate website (such as style content) or that redirect the user after the phishing session. Log files (should) contain the referer URL the user came from, which is where the phishing kit is deployed. PhishingKitHunter parses your log files to identify unusual, non-legitimate referers requesting legitimate pages, based on regular expressions you put in PhishingKitHunter's config file.
  • SocialFish

    • Ultimate phishing tool with Ngrok integrated.
  • Excel DDE Walkthrough

  • backdoorppt

    • Transform your payload.exe into a fake Word document (.ppt)

Physical Security


Policy


Post Exploitation/Privilege Escalation/Pivoting

  • Skeleton Key Malware Analysis - SecureWorks (https://www.secureworks.com/research/skeleton-key-malware-analysis)

  • A Critique of Logging Capabilities in PowerShell v6

    • Introduces 'PowerShell Upgrade Attack'
  • Bypass for PowerShell ScriptBlock Warning Logging of Suspicious Commands - cobbr.io

  • PowerShell ScriptBlock Logging Bypass - cobbr.io

  • Oneliner-izer

    • Convert any Python file into a single line of code which has the same functionality.
  • reposcanner

    • Python script to scan Git repos for interesting strings
  • Doubletap

    • A very loud but fast recon scan and pentest template creator for use in CTF's/OSCP/Hackthebox...
  • Brutal

    • Brutal is a toolkit to quickly create various payloads, PowerShell attacks and virus attacks, and to launch a listener for a Human Interface Device (HID).
  • LinEnum

  • psgetsystem

    • getsystem via parent process using ps1 & embedded C#
  • Grouper

    • Grouper is a slightly wobbly PowerShell module designed for pentesters and redteamers (although probably also useful for sysadmins) which sifts through the (usually very noisy) XML output from the Get-GPOReport cmdlet (part of Microsoft's Group Policy module) and identifies all the settings defined in Group Policy Objects (GPOs) that might prove useful to someone trying to do something fun/evil.
  • nullinux

    • nullinux is an internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB. If no username and password are provided, nullinux will attempt to connect to the target using an SMB null session. Unlike many of the enumeration tools out there already, nullinux can enumerate multiple targets at once and, when finished, creates a users.txt file of all users found on the host(s). This file is formatted for direct implementation and further exploitation. This program assumes Python 2.7 and the smbclient package are installed on the machine. Run the setup.sh script to check whether these packages are installed.
  • Meltdown PoC for Reading Google Chrome Passwords

  • Invoke-PSImage

    • Invoke-PSImage takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one-liner for executing either from a file or from the web (when the -Web flag is passed). The least significant 4 bits of 2 color values in each pixel are used to hold the payload. Image quality will suffer as a result, but it still looks decent. The image is saved as a PNG, and can be losslessly compressed without affecting the ability to execute the payload as the data is stored in the colors themselves. It can accept most image types as input, but output will always be a PNG because it needs to be lossless. Each pixel of the image is used to hold one byte of script, so you will need an image with at least as many pixels as bytes in your script. This is fairly easy: for example, Invoke-Mimikatz fits into a 1920x1200 image.
  • Cloak

    • Cloak generates a python payload via msfvenom and then intelligently injects it into the python script you specify.
  • AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It - labofapenetrationtester

  • NtdsAudit

    • NtdsAudit is an application to assist in auditing Active Directory databases. It provides some useful statistics relating to accounts and passwords. It can also be used to dump password hashes for later cracking.
  • lonelypotato

    • Modified version of RottenPotatoNG C++
    • Blogpost
  • Abusing Token Privileges For EoP

    • This repository contains all code and a Phrack-style paper on research into abusing token privileges for escalation of privilege. Please feel free to ping us with questions, ideas, insults, or bugs.
  • Wireless_Query

    • Query Active Directory for Workstations and then Pull their Wireless Network Passwords. This tool is designed to pull a list of machines from AD and then use psexec to pull their wireless network passwords. This should be run with either a DOMAIN or WORKSTATION Admin account.
  • shootback

    • shootback is a reverse TCP tunnel that lets you access a target behind NAT or a firewall
  • backdoorme

    • Tools like metasploit are great for exploiting computers, but what happens after you've gained access to a computer? Backdoorme answers that question by unleashing a slew of backdoors to establish persistence over long periods of time. Once an SSH connection has been established with the target, Backdoorme's strengths can come to fruition. Unfortunately, Backdoorme is not a tool to gain root access - only keep that access once it has been gained.
  • One-Lin3r

    • Gives you one-liners that aid in penetration testing operations
  • DCShadow explained: A technical deep dive into the latest AD attack technique - Luc Delsalle

  • Jugaad - Thread Injection Kit

    • Jugaad is an attempt to create a CreateRemoteThread() equivalent for *nix platforms. The current version supports only the Linux operating system. For details on the methodology behind jugaad and how things work under the hood, visit http://null.co.in/section/projects for a detailed paper.
  • linux-injector

    • Utility for injecting executable code into a running process on x86/x64 Linux. It uses ptrace() to attach to a process, then mmap()'s memory regions for the injected code, a new stack, and space for trampoline shellcode. Finally, the trampoline in the target process is used to create a new thread and execute the chosen shellcode, so the main thread is allowed to continue. This project borrows from a number of other projects and research, see References below.
  • linux-inject

    • Tool for injecting a shared object into a Linux process
  • injectso64

    • This is the x86-64 rewrite of Shaun Clowes' i386/SPARC injectso which he presented at Blackhat Europe 2001.
  • DoubleAgent

    • DoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
    • Technical Writeup
  • swap_digger

    • swap_digger is a bash script used to automate Linux swap analysis for post-exploitation or forensics purposes. It automates swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, HTTP basic authentication, WiFi SSID and keys, etc.
  • Digging passwords in Linux swap

  • nextnet

    • nextnet is a pivot point discovery tool written in Go.

Programming/AppSec


Red Team/Adversary Simulation/Pentesting

  • Red Team Powershell Scripts - Mr-Un1k0d3r

  • 10 common mistakes aspiring/new pentesters make - PentesterLab

  • Windows Alternate Data Streams - winitor

  • Windows Remote Management (WinRM) for Ruby

    • This is a SOAP library that uses the functionality in Windows Remote Management (WinRM) to call native objects in Windows. This includes, but is not limited to, running batch scripts and powershell scripts and fetching WMI variables.
  • Merlin

    • Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
  • Red Team Gut Check - Tim MalcomVetter

  • Red Baron

    • Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams.
  • Injectify

    • Perform advanced MiTM attacks on websites with ease.
  • APTSimulator

    • A toolset to make a system look as if it was the victim of an APT attack
  • Stitch

    • This is a cross-platform python framework which allows you to build custom payloads for Windows, Mac OSX and Linux. You are able to select whether the payload binds to a specific IP and port or listens for a connection on a port, with options to send an email of system info when the system boots and to start a keylogger on boot. Payloads created can only run on the OS that they were created on.
  • Trusted Attack Platform - TrustedSec

    • TAP is a remote penetration testing platform builder. For folks in the security industry, traveling often becomes a burden and adds a ton of cost to the customer. TAP was designed to make the deployment of these boxes super simple and create a self-healing and stable platform to deploy remote penetration testing platforms. Essentially the concept is simple: you pre-configure a brand new box and run the TAP setup file. This will install a service on Linux that will be configured the way you want. What it will do is establish a reverse SSH tunnel back to a machine that's exposed on the Internet for you. From there you can access the box locally from the server it connects back to. TAP automatically detects when an SSH connection has gone stale and will automatically rebuild it for you.
  • QuasarRAT

    • Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you.
  • And THIS is Why Penetration Testing Sucks - Ronin Chang

  • Empire-mod-Hackplayers

    • Collection of custom Empire Modules
  • aggressor_scripts_collection - invokethreatguy

    • Collection of various aggressor scripts for Cobalt Strike from awesome people. Will be sure to update this repo with credit to each person.
  • AggressorScripts - ramen0x3f

  • AggressorScripts - bluescreenofjeff

    • Aggressor scripts for use with Cobalt Strike 3.0+
  • Aggressor Script - rasta-mouse

    • Collection of Aggressor Scripts for Cobalt Strike
  • World's Worst Penetration Test Report - rant

  • APT Simulator

    • APT Simulator is a Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised

Reverse Engineering

  • Snowman decompiler

  • BinCAT

    • BinCAT is a static Binary Code Analysis Toolkit, designed to help reverse engineers, directly from IDA.
  • YaCo (https://github.com/DGA-MI-SSI/YaCo)

    • YaCo is a Hex-Rays IDA plugin. When enabled, multiple users can work simultaneously on the same binary. Any modification done by any user is synchronized through git version control.
  • UPX - the Ultimate Packer for eXecutables

    • UPX is an advanced executable file compressor. UPX will typically reduce the file size of programs and DLLs by around 50%-70%, thus reducing disk space, network load times, download times and other distribution and storage costs.
  • cutter

    • A Qt and C++ GUI for the radare2 reverse engineering framework
  • What are the methods to find hooked functions and APIs?

  • Taking a Snapshot and Viewing Processes - msdn.ms

  • Etnaviv

    • Project Etnaviv is an open source user-space driver for the Vivante GCxxx series of embedded GPUs. This repository contains reverse-engineering and debugging tools, and rnndb register documentation. It is not necessary to use this repository when building the driver.
  • Shed

    • Shed is an application that allows you to inspect the .NET runtime of a program in order to extract useful information. It can be used to inspect malicious applications in order to get a first general overview of which information is stored once the malware is executed.

Rootkits

  • HORSE PILL
    • Horse Pill is a PoC of a ramdisk-based containerizing rootkit. It resides inside the initrd and, prior to the actual init running, it puts init into a mount and pid namespace that allows the rootkit to run covert processes and covert storage. This also allows it to run covert networking systems, such as dns tunnels.

SCADA / Heavy Machinery


Social Engineering


System Internals

  • NTFS Alternate Data Streams - winitor

AD


Threat Modeling & Analysis


UI


Web

  • Browser as Botnet - Brannon Dorsey - Radical Networks 2017

    • When surfing the web, browsers download and execute arbitrary JavaScript code they receive from websites they visit. What if high-traffic websites served obfuscated code that secretly borrowed clock cycles from their client’s web browser as a means of distributed computing? In this talk I present research on the topic of using web browsers as zero-configuration, trojan-less botnets. The presentation includes a brief history of botnets, followed by an overview of techniques to build and deploy command-and-control botnet clients that run in-browser.
  • CloudFlair: Bypassing Cloudflare using Internet-wide scan data

  • Exposing Server IPs Behind CloudFlare - chokepoint

  • CloudFlair

    • CloudFlair is a tool to find origin servers of websites protected by CloudFlare that are publicly exposed and don't restrict network access to the CloudFlare IP ranges as they should. The tool uses Internet-wide scan data from Censys to find exposed IPv4 hosts presenting an SSL certificate associated with the target's domain name.
  • Burp-molly-pack

    • Burp-molly-pack is a Yandex security checks pack for Burp. The main goal of Burp-molly-pack is to extend Burp's checks. The plugins contain Active and Passive security checks.
  • LinkFinder

    • LinkFinder is a python script written to discover endpoints and their parameters in JavaScript files. This way penetration testers and bug hunters are able to gather new, hidden endpoints on the websites they are testing, resulting in new testing ground, possibly containing new vulnerabilities. It does so by using jsbeautifier for python in combination with a fairly large regular expression. The regular expression consists of four small regular expressions. These are responsible for finding:
  • WhatWaf

    • WhatWaf is an advanced firewall detection tool whose goal is to give you the idea of "There's a WAF?". WhatWaf works by detecting a firewall on a web application, and attempting to detect a bypass (or two) for said firewall, on the specified target.
  • blacksheepwall

    • blacksheepwall is a hostname reconnaissance tool
  • LightBulb

    • LightBulb is an open source python framework for auditing web application firewalls and filters.
  • slurp

    • Enumerate S3 buckets via certstream, domain, or keywords
  • Java Deserialization Exploits

    • A collection of curated Java Deserialization Exploits
  • BeEF

    • Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.
  • Brakeman

    • Brakeman is an open source static analysis tool which checks Ruby on Rails applications for security vulnerabilities.
  • WAF Bypass Cheatsheet/gitbook

  • Java Unmarshaller Security - Turning your data into code execution

    • This paper presents an analysis, including exploitation details, of various Java open-source marshalling libraries that allow(ed) for unmarshalling of arbitrary, attacker supplied, types and shows that no matter how this process is performed and what implicit constraints are in place it is prone to similar exploitation techniques.
  • Websockets - An Introduction - subudeepak

  • WAFNinja

    • WAFNinja is a tool which contains two functions to attack Web Application Firewalls.
  • Web Application Firewall (WAF) Evasion Techniques - secjuice

  • fuxploider

    • File upload vulnerability scanner and exploitation tool.

SAP

  • Perfect SAP Penetration testing. Part 3: The Scope of Vulnerability Search
  • PowerSAP
    • PowerSAP is a simple powershell re-implementation of popular & effective techniques of all public tools such as Bizploit, Metasploit auxiliary modules, or python scripts available on the Internet. This re-implementation does not contain any new or undisclosed vulnerability.
  • pysap
    • This Python library provides modules for crafting and sending packets using SAP's NI, Message Server, Router, RFC, SNC, Enqueue and Diag protocols.
  • SAP_exploit
    • CVE-2016-2386 SQL injection; CVE-2016-2388 Information disclosure; CVE-2016-1910 Crypto issue
  • mySapAdventures
    • A quick methodology on testing/hacking SAP Applications for n00bz and bug bounty hunters
  • SAP Penetration Testing Using Metasploit

  • SAP-Stuff (https://github.com/davehardy20/SAP-Stuff)

    • A script to semi-automate Bizploit

  • SAP NetWeaver ABAP security configuration part 3: Default passwords for access to the application

  • List of ABAP-transaction codes related to SAP security

  • Breaking SAP Portal

  • Top 10 most interesting SAP vulnerabilities and attacks

  • Assessing the security of SAP ecosystems with bizploit: Discovery

  • Developing Burp Suite Extensions - DOYENSEC

    • Material for the training "Developing Burp Suite Extensions – From Manual Testing to Security Automation"
  • NoPE Proxy

    • Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite.
  • AutoRepeater

    • Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a "change request and resend" loop, which can miss vulnerabilities and slow down testing. AutoRepeater, an open source Burp Suite extension, was developed to alleviate this effort. AutoRepeater automates and streamlines web application authorization testing, and provides security researchers with an easy-to-use tool for automatically duplicating, modifying, and resending requests within Burp Suite while quickly evaluating the differences in responses.
  • API Security Checklist

    • Checklist of the most important security countermeasures when designing, testing, and releasing your API
  • Testing stateful web application workflows - SANS - András Veres-Szentkirályi

    • Most web applications used for complex business operations and/or employing advanced GUI frameworks have stateful functionality. Certain workflows, for example, might require completing certain steps before a transaction is committed, or a request sent by a client-side UI element might need several preceding requests that all contribute to the session state. Most automated tools focus on a request and maybe a redirection, thus completely missing the point in these cases, where resending a request gets ignored by the target application. As a result, while these tools are getting better day by day, using them for testing such execution paths is usually out of the question. Since thorough assessment is cumbersome without such tools, there's progress, but we are far from plug-and-play products. This paper focuses on the capabilities of currently available solutions, demonstrating their pros and cons, along with opportunities for improvement.

  • public-apis - https://github.com/toddmotto/public-apis

  • GraFScaN - https://github.com/grafscan/GraFScaN/blob/master/README.md

  • Exploiting CORS Misconfigurations For Bitcoins And Bounties by James Kettle
    • Cross-Origin Resource Sharing (CORS) is a mechanism for relaxing the Same Origin Policy to enable communication between websites via browsers. It's already widely understood that certain CORS configurations are dangerous. In this presentation, I'll skim over the old knowledge then coax out and share with you an array of under-appreciated but dangerous subtleties and implications buried in the CORS specification. I'll illustrate each of these with recent attacks on real websites, showing how I could have used them to steal bitcoins from two different exchanges, partially bypass Google's use of HTTPS, and requisition API keys from numerous others. I'll also show how CORS blunders can provide an invaluable link in crafting exploit chains to pivot across protocols, exploit the unexploitable via server and client-side cache poisoning, and even escalate certain open redirects into vulnerabilities that are actually notable.
  • CORStest
    • A simple CORS misconfiguration scanner
  • Uniqueness plugin for Burp Suite
    • Makes requests unique based on regular expressions. Handy for registration forms and any other endpoint that requires unique values upon every request.

Wireless Stuff

  • bluepot

    • Bluepot is a Bluetooth Honeypot written in Java; it runs on Linux.
  • BlueHydra

    • BlueHydra is a Bluetooth device discovery service built on top of the bluez library. BlueHydra makes use of ubertooth where available and attempts to track both classic and low energy (LE) bluetooth devices over time.
  • hdfm

    • hdfm displays weather and traffic maps received from iHeartRadio HD radio stations. It relies on nrsc5 to decode and dump the radio station data for it to process and display.
  • nexmon

    • Nexmon is our C-based firmware patching framework for Broadcom/Cypress WiFi chips that enables you to write your own firmware patches, for example, to enable monitor mode with radiotap headers and frame injection.
  • wifijammer

    • Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation. Granularity is given in the options for more effective targeting.
  • Nzyme

    • Nzyme collects 802.11 management frames directly from the air and sends them to a Graylog (Open Source log management) setup for WiFi IDS, monitoring, and incident response. It only needs a JVM and a WiFi adapter that supports monitor mode.
  • Dissecting Industrial Wireless Implementations - DEF CON 25

    • https://github.com/vortessence/vortessence
  • Predicting, Decrypting, and Abusing WPA2/802.11 Group Keys

    • Attacks against weak 802.11 Random Number Generators
  • Wiegotcha: Long Range RFID Thieving

    • Wiegotcha is the next evolution of Long Range RFID badge capturing. Based on previous work by Fran Brown and Bishop Fox (Tastic RFID Thief), Wiegotcha uses a Raspberry Pi in place of an Arduino for the added capabilities and ease of customization. One of the immediate benefits of using an RPi is quick and easy wireless communication with the badge reader.
  • RTLSDR Scanner

    • A cross platform Python frequency scanning GUI for the OsmoSDR rtl-sdr library.
    • Details
    • Manual
  • Rogue Toolkit

    • The Rogue Toolkit: An extensible toolkit aimed at providing penetration testers an easy-to-use platform to deploy Access Points for the purpose of conducting penetration testing and red team engagements.

Container Security

  • nsjail
    • A light-weight process isolation tool, making use of Linux namespaces and seccomp-bpf syscall filters (with help of the kafel bpf language)
  • docker-bench-security
    • The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.