Welcome to the World of Infosec in Cybersecurity. An ongoing open collection infosec useful links, courses, learning tutorials, libaries, and training resources.
Information Security, sometimes shortened to InfoSec, is the practice of protecting information by mitigating information risks. It is part of information risk management.
Information security and cybersecurity are often confused. InfoSec is a crucial part of cybersecurity, but it refers exclusively to the processes designed for data security. Cybersecurity is a more general term that includes InfoSec.
- Adversary Simulation & Emulation
- Application Security
- Binary Analysis
- Cloud Security
- Courses
- Cryptography
- Data Sets
- Digital Forensics and Incident Response
- Exploits
- Hardening
- Hardware
- Malware Analysis
- Mobile Security
- Network Security
- Open-source Intelligence (OSINT)
- Password Cracking and Wordlists
- Social Engineering
- Smart Contract
- Vulnerable
- Other Courses
- License
| Link | Description |
| activeshadow/go-atomicredteam | go-atomicredteam is a Golang application to execute tests as defined in the atomics folder of Red Canary's Atomic Red Team project |
| alphasoc/flightsim | A utility to generate malicious network traffic and evaluate controls |
| Attack Simulatorin Office 365 | Simulate realistic attacks on Office 365 environment |
| Azure/Cloud-Katana | Unlocking Serverless Computing to Assess Security Controls |
| blackbotinc/Atomic-Red-Team-Intelligence-C2 | ARTi-C2 is a post-exploitation framework used to execute Atomic Red Team test cases with rapid payload deployment and execution capabilities via .NET's DLR. |
| Blue Team Training Toolkit | Blue Team Training Toolkit (BT3) is designed for network analysis training sessions, incident response drills and red team engagements |
| center-for-threat-informed-defense/adversary_emulation_library | An open library of adversary emulation plans designed to empower organizations to test their defenses based on real-world TTPs. |
| Coalfire-Research/Red-Baron | Automate creating resilient, disposable, secure and agile infrastructure for Red Teams |
| Cyb3rWard0g/Invoke-ATTACKAPI | A PowerShell script to interact with the MITRE ATT&CK Framework via its own API |
| Cyb3rWard0g/mordor | Re-play Adversarial Techniques |
| chryzsh/DarthSidious | Building an Active Directory domain and hacking it |
| d3vzer0/reternal-quickstart | Repo containing docker-compose files and setup scripts without having to clone the individual reternal components |
| ElevenPaths/ATTPwn | ATTPwn is a computer security tool designed to emulate adversaries. |
| endgameinc/RTA | RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK |
| fozavci/tehsat | Tehsat Malware Traffic Generator |
| FSecureLABS/leonidas | Automated Attack Simulation in the Cloud, complete with detection use cases. |
| jymchoeng/AutoTTP | Automated Tactics Techniques & Procedures |
| lawrenceamer/0xsp-Mongoose | a unique framework for cybersecurity simulation and red teaming operations, windows auditing for newer vulnerabilities, misconfigurations and privilege escalations attacks, replicate the tactics and techniques of an advanced adversary in a network. |
| microsoft/restler-fuzzer | RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. |
| MiladMSFT/ThreatHunt | ThreatHunt is a PowerShell repository that allows you to train your threat hunting skills. |
| mitre/caldera | An automated adversary emulation system |
| mvelazc0/PurpleSharp | PurpleSharp is a C# adversary simulation tool that executes adversary techniques with the purpose of generating attack telemetry in monitored Windows environments |
| NextronSystems/APTSimulator | A toolset to make a system look as if it was the victim of an APT attack |
| n0dec/MalwLess | Test blue team detections without running any attack |
| OTRF/Microsoft-Sentinel2Go | Microsoft Sentinel2Go is an open source project developed to expedite the deployment of a Microsoft Sentinel research lab. |
| OTRF/SimuLand | Cloud Templates and scripts to deploy mordor environments |
| praetorian-code/purple-team-attack-automation | Praetorian's public release of our Metasploit automation of MITRE ATT&CK™ TTPs |
| qsecure-labs/overlord | Overlord - Red Teaming Infrastructure Automation |
| ReconInfoSec/adversary-emulation-map | Creates an ATT&CK Navigator map of an Adversary Emulation Plan |
| redcanaryco/atomic-red-team | Small and highly portable detection tests based on MITRE's ATT&CK. |
| redcanaryco/AtomicTestHarnesses | Public Repo for Atomic Test Harness |
| redcanaryco/chain-reactor | Chain Reactor is an open source framework for composing executables that simulate adversary behaviors and techniques on Linux endpoints. |
| redhuntlabs/RedHunt-OS | Virtual Machine for Adversary Emulation and Threat Hunting |
| scythe-io/community-threats | The GitHub of Adversary Emulation Plans in JSON. Share SCYTHE threats with the community. #ThreatThursday adversary emulation plans are shared here. |
| SecurityRiskAdvisors/VECTR | VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios |
| SpiderLabs/sheepl | Sheepl : Creating realistic user behaviour for supporting tradecraft development within lab environments |
| splunk/attack_range | A tool that allows you to create vulnerable instrumented local or cloud environments to simulate attacks against and collect the data into Splunk |
| swimlane/soc-faker | A python package for use in generating fake data for SOC and security automation. |
| TryCatchHCF/DumpsterFire | "Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. |
| uber-common/metta | An information security preparedness tool to do adversarial simulation. |
| Unfetter | Unfetter is a project designed to help network defenders, cyber security professionals, and decision makers identify and analyze defensive gaps in a more scalable and repeatable way |
| securityriskadvisors/vectr | VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios |
| Link | Description |
| aboul3la/Sublist3r | Fast subdomains enumeration tool for penetration testers |
| Acheron-VAF/Acheron | Acheron is a RESTful vulnerability assessment and management framework built around search and dedicated to terminal extensibility. |
| ambionics/phpggc | PHPGGC is a library of unserialize() payloads along with a tool to generate them, from command line or programmatically. |
| anchore/grype | A vulnerability scanner for container images and filesystems |
| appsecco/spaces-finder | A tool to hunt for publicly accessible DigitalOcean Spaces |
| anatshri/svn-extractor | Simple script to extract all web resources by means of .SVN folder exposed over network. |
| aquasecurity/kube-hunter | Hunt for security weaknesses in Kubernetes clusters |
| aquasecurity/trivy | A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI |
| ARPSyndicate/kenzer | automated web assets enumeration & scanning |
| barrracud4/image-upload-exploits | This repository contains various media files for known attacks on web applications processing media files. Useful for penetration tests and bug bounty. |
| BishopFox/GitGot | Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets. |
| BishopFox/h2csmuggler | HTTP Request Smuggling over HTTP/2 Cleartext (h2c) |
| brannondorsey/dns-rebind-toolkit | A front-end JavaScript toolkit for creating DNS rebinding attacks. |
| bridgecrewio/checkov | Prevent cloud misconfigurations during build-time for Terraform, Cloudformation, Kubernetes, Serverless framework and other infrastructure-as-code-languages with Checkov by Bridgecrew. |
| brompwnie/botb | A container analysis and exploitation tool for pentesters and engineers. |
| Bug Bounty Recon | Bug Bounty Recon (bbrecon) is a Recon-as-a-Service for bug bounty hunters and security researchers. The API aims to provide a continuously up-to-date map of the Internet "safe harbor" attack surface, excluding out-of-scope targets. |
| Checkmarx/kics | Find security vulnerabilities, compliance issues, and infrastructure misconfigurations early in the development cycle of your infrastructure-as-code with KICS by Checkmarx. |
| chvancooten/BugBountyScanner | A Bash script and Docker image for Bug Bounty reconnaissance. Intended for headless use. |
| danmar/cppcheck | static analysis of C/C++ code |
| deepfence/SecretScanner | Find secrets and passwords in container images and file systems |
| deepfence/ThreatMapper | Identify vulnerabilities in running containers, images, hosts and repositories |
| DefectDojo/django-DefectDojo | DefectDojo is an open-source application vulnerability correlation and security orchestration tool. |
| doyensec/inql | InQL - A Burp Extension for GraphQL Security Testing |
| dstotijn/hetty | Hetty is an HTTP toolkit for security research. It aims to become an open source alternative to commercial software like Burp Suite Pro, with powerful features tailored to the needs of the infosec and bug bounty community. |
| EmYiQing/Gososerial | Dynamically Generates Ysoserial's Payload by Golang |
| facebook/pyre-check/ | Performant type-checking for python. |
| Findomain/Findomain | The fastest and cross-platform subdomain enumerator, do not waste your time. |
| fkie-cad/cwe_checker | cwe_checker finds vulnerable patterns in binary executables |
| google/atheris | Atheris is a coverage-guided Python fuzzing engine. It supports fuzzing of Python code, but also native extensions written for CPython. Atheris is based off of libFuzzer. When fuzzing native code, Atheris can be used in combination with Address Sanitizer or Undefined Behavior Sanitizer to catch extra bugs. |
| googleprojectzero/weggli | weggli is a fast and robust semantic search tool for C and C++ codebases. It is designed to help security researchers identify interesting functionality in large codebases. |
| HunterSuite | HunterSuite is the next generation offensive security suite. It will automate all the tedious tasks during a test just with few clicks. If you are a penetration tester, red teamer, bug bounty hunter, or you work as an offensive security engineer, you will love what HunterSuite has to offer. |
| IlluminateJs | IlluminateJs is a static javascript analysis engine (a deobfuscator so to say) aimed to help analyst understand obfuscated and potentially malicious JavaScript Code. |
| ismailtasdelen/xss-payload-list | Cross Site Scripting ( XSS ) Vulnerability Payload List |
| jonluca/Anubis | Subdomain enumeration and information gathering tool |
| LanikSJ/dfimage | Reverse-engineer a Dockerfile from a Docker image. |
| lelinhtinh/de4js | JavaScript Deobfuscator and Unpacker |
| mazen160/bfac | BFAC (Backup File Artifacts Checker): An automated tool that checks for backup artifacts that may disclose the web-application's source code. |
| microsoft/onefuzz | A self-hosted Fuzzing-As-A-Service platform |
| mindedsecurity/JStillery | Advanced JS Deobfuscation via Partial Evaluation. |
| mwrlabs/dref | DNS Rebinding Exploitation Framework |
| nccgroup/singularity | A DNS rebinding attack framework |
| nccgroup/whalescan | Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container |
| NetSPI/AutoDirbuster | Automatically run and save Dirbuster scans for multiple IPs |
| NetSPI/PowerUpSQL | PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server |
| NotSoSecure/SerializedPayloadGenerator | It's Web Interface to generate payload using various deserialization exploitation framework |
| ossf/allstar | GitHub App to set and enforce security policies |
| ossf/scorecard | Security Scorecards - Security health metrics for Open Source |
| OJ/gobuster | Directory/File, DNS and VHost busting tool written in Go |
| OWASP/Nettacker | Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management |
| OWASP/wstg | The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services. |
| OWASP Zed Attack Proxy Project | The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers |
| praetorian-inc/gokart | A static analysis tool for securing Go code |
| praetorian-inc/snowcat | a tool to audit the istio service mesh |
| presidentbeef/brakeman | A static analysis security vulnerability scanner for Ruby on Rails applications |
| Public WWW | Source Code Search Engine |
| pumasecurity/puma-scan | Puma Scan is a software security Visual Studio extension that provides real time, continuous source code analysis as development teams write code. Vulnerabilities are immediately displayed in the development environment as spell check and compiler warnings, preventing security bugs from entering your applications. |
| pwntester/ysoserial.net | Deserialization payload generator for a variety of .NET formatters |
| quarkslab/kdigger | kdigger is a context discovery tool for Kubernetes penetration testing. |
| redphx/localify | Effectively debug minified JS files |
| RedTeamPentesting/monsoon | Fast HTTP enumerator |
| RhinoSecurityLabs/IPRotate_Burp_Extension | Extension for Burp Suite which uses AWS API Gateway to rotate your IP on every request. |
| RhinoSecurityLabs/SleuthQL | Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap. |
| rpgeeganage/audit-node-modules-with-yara | Audit Node Module folder with YARA rules to identify possible malicious packages hiding in node_moudles |
| s0md3v/XSStrike | Most advanced XSS detection suite |
| salesforce/DazedAndConfused | DazedAndConfused is a tool to help determine dependency confusion exposure. |
| Screetsec/Sudomy | Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting |
| securego/gosec | Golang security checker |
| Snyk | Continuously find & fix vulnerabilities in your dependencies |
| sslab-gatech/Rudra | Rust Memory Safety & Undefined Behavior Detection |
| subfinder/subfinder | SubFinder is a subdomain discovery tool that discovers valid subdomains for websites. Designed as a passive framework to be useful for bug bounties and safe for penetration testing. |
| vchinnipilli/kubestriker | A Blazing fast Security Auditing tool for Kubernetes |
| visma-prodsec/confused | Tool to check for dependency confusion vulnerabilities in multiple package management systems |
| wallarm/gotestwaf | Go Test WAF project, a tool to test different WAF detects for apps and APIs |
| wagiro/BurpBounty | Burp Bounty (Scan Check Builder in BApp Store) is a extension of Burp Suite that allows you, in a quick and simple way, to improve the active and passive scanner by means of personalized rules through a very intuitive graphical interface. |
| wagoodman/dive | A tool for exploring each layer in a docker image |
| wpdc | Detect malicious dependencies, magecart, malvertising, and more on your web properties! |
| xmendez/wfuzz | Wfuzz has been created to facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload. |
| Yelp/detect-secrets | An enterprise friendly way of detecting and preventing secrets in code. |
| ZupIT/horusec | Horusec is an open source tool that improves identification of vulnerabilities in your project with just one command. |
| Link | Description |
| acsdavid97/DotNetHooker | API tracing and argument dumping to ease reverse engineering .NET malware. |
| Air14/HyperHide | Hypervisor based anti anti debug plugin for x64dbg |
| ajpc500/RelayRumbler | A proof-of-concept tool that attempts to retrieve the configuration from the memory dump of an F-Secure C3 Relay executable. |
| avast-tl/retdec | RetDec is a retargetable machine-code decompiler based on LLVM |
| binvis.io | visual analysis of binary files |
| blackberry/pe_tree | Python module for viewing Portable Executable (PE) files in a tree-view using pefile and PyQt5. Can also be used with IDA Pro to dump in-memory PE files and reconstruct imports. |
| BLint | BLint is a Binary Linter to check the security properties, and capabilities in your executables. It is powered by lief |
| bootleg/ret-sync | ret-sync is a set of plugins that helps to synchronize a debugging session (WinDbg/GDB/LLDB/OllyDbg2/x64dbg) with IDA/Ghidra disassemblers. |
| can1357/NoVmp | A static devirtualizer for VMProtect x64 3.x. powered by VTIL. |
| carbonblack/binee | Binee: binary emulation environment |
| Cisco-Talos/GhIDA | GhIDA is an IDA Pro plugin that integrates the Ghidra decompiler in IDA. |
| Cisco-Talos/Ghidraaas | Ghidraaas is a simple web server that exposes Ghidra analysis through REST APIs. The project includes three Ghidra plugins to analyze a sample, get the list of functions and to decompile a function. |
| certcc/kaiju | CERT Kaiju is a binary analysis framework extension for the Ghidra software reverse engineering suite |
| Comsecuris/gdbghidra | gdbghidra - a visual bridge between a GDB session and GHIDRA |
| Comsecuris/gdbida | gdbida - a visual bridge between a GDB session and IDA Pro's disassembler |
| Cutter | Free and Open Source RE Platform powered by radare2 |
| DarthTon/Blackbone | Windows memory hacking library |
| dr4k0nia/Unscrambler | Universal unpacker and fixer for a number of modded ConfuserEx protections |
| endgameinc/xori | Xori is an automation-ready disassembly and static analysis library for PE32, 32+ and shellcode |
| enkomio/shed | .NET runtine inspector. Shed - Inspect .NET malware like a Sir |
| FernandoDoming/r2diaphora | r2diaphora is a port of Diaphora to radare2 and MySQL. It also uses r2ghidra as decompiler by default, with support for other decompilers such as pdc. |
| flare-emu | flare-emu marries a supported binary analysis framework, such as IDA Pro or Radare2, with Unicorns emulation framework to provide the user with an easy to use and flexible interface for scripting emulation tasks. |
| fibratus | A modern tool for the Windows kernel exploration and observability |
| fireeye/capa | capa detects capabilities in executable files. You run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate. |
| fireeye/capa-rules | Standard collection of rules for capa: the tool for enumerating the capabilities of programs |
| fireeye/flare-floss | FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware. |
| fireeye/speakeasy | Speakeasy is a portable, modular, binary emulator designed to emulate Windows kernel and user mode malware. |
| fireeye/stringsifter | A machine learning tool that ranks strings based on their relevance for malware analysis. |
| forrest-orr/moneta | Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs |
| FuzzySecurity/Dendrobate | Managed code hooking template. |
| FuzzySecurity/Fermion | Fermion, an electron wrapper for Frida & Monaco. |
| gaasedelen/tenet | A Trace Explorer for Reverse Engineers |
| GaloisInc/reopt | A tool for analyzing x86-64 binaries. |
| GHIDRA | A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission |
| Go Reverse Engineering Toolkit | A Reverse Engineering Tool Kit for Go, Written in Go. |
| goretk/redress | Redress - A tool for analyzing stripped Go binaries |
| grimm-co/GEARSHIFT | GEARSHIFT is a tool that performs structure recovery for a specified function within a stripped binary. It also generates a fuzz harness that can be used to call functions in a shared object (.so) or dynamically linked library (.dll) file. |
| guelfoweb/peframe | PEframe is a open source tool to perform static analysis on Portable Executable malware and malicious MS Office documents. |
| hasherezade/hollows_hunter | A process scanner detecting and dumping hollowed PE modules. |
| hasherezade/hook_finder | a small tool for investigating inline hooks (and other in-memory code patches) |
| hasherezade/pe_to_shellcode | Converts PE into a shellcode |
| herosi/CTO | Call Tree Overviewer |
| HyperDbg/HyperDbg | The Source Code of HyperDbg Debugger 🐞 |
| hzqst/unicorn_pe | Unicorn PE is an unicorn based instrumentation project designed to emulate code execution for windows PE files. |
| Kaitai Struct | Kaitai Struct is a declarative language used to describe various binary data structures, laid out in files or in memory: i.e. binary file formats, network stream packet formats, etc. |
| LIEF | Library to Instrument Executable Formats |
| Martyx00/CollaRE | CollareRE is a tool for collaborative reverse engineering that aims to allow teams that do need to use more then one tool during a project to collaborate without the need to share the files on a separate locations. |
| Microsoft/binskim | A binary static analysis tool that provides security and correctness results for Windows portable executables |
| Microsoft/ProcDump-for-Linux | A Linux version of the ProcDump Sysinternals tool |
| MITRECND/malchive | Various capabilities for static malware analysis. |
| mrphrazer/obfuscation_detection | Collection of scripts to pinpoint obfuscated code |
| mxmssh/drltrace | Drltrace is a library calls tracer for Windows and Linux applications |
| NASA-SW-VnV/ikos | IKOS (Inference Kernel for Open Static Analyzers) is a static analyzer for C/C++ based on the theory of Abstract Interpretation |
| nsacyber/BAM | The Binary Analysis Metadata tool gathers information about Windows binaries to aid in their analysis. |
| nccgroup/WindowsMemPageDelta | A Microsoft Windows service to provide telemetry on Windows executable memory page changes to facilitate threat detection |
| OALabs/hashdb-ida | HashDB API hash lookup plugin for IDA Pro |
| osandov/drgn | Programmable debugger |
| pierrezurek/Signsrch | tool for searching signatures inside files, extremely useful in reversing engineering for figuring or having an initial idea of what encryption/compression algorithm is used for a proprietary protocol or file. it can recognize tons of compression, multimedia and encryption algorithms and many other things like known strings and anti-debugging code which can be also manually added since it's all based on a text signature file read at runtime and easy to modify. |
| Pinitor | An API Monitor Based on Pin |
| pygore | Python library for analyzing Go binaries |
| qilingframework/qiling | Qiling Advanced Binary Emulation Framework |
| revng/pagebuster | PageBuster - dump all executable pages of packed processes. |
| REW-sploit/REW-sploit | Emulate and Dissect MSF and *other* attacks |
| rizin | Free and Open Source Reverse Engineering Framework |
| secretsquirrel/recomposer | Randomly changes Win32/64 PE Files for 'safer' uploading to malware and sandbox sites. |
| sibears/IDAGolangHelper | Set of IDA Pro scripts for parsing GoLang types information stored in compiled binary |
| strazzere/golang_loader_assist | Making GO reversing easier in IDA Pro |
| taviso/loadlibrary | Porting Windows Dynamic Link Libraries to Linux |
| unipacker/unipacker | Automatic and platform-independent unpacker for Windows binaries based on emulation |
| utkonos/lst2x64dbg | Extract labels from IDA, Ghidra, Binary Ninja, and Relyze files and export x64dbg database. Including radare2 main address. |
| Veles | New open source tool for binary data analysis |
| VisUAL | A highly visual ARM emulator |
| vmp2/vmemu | VMProtect 2 Virtual Machine Handler Emulation |
| Wenzel/checksec.py | Checksec tool in Python, Rich output. Based on LIEF |
| WerWolv/ImHex | A Hex Editor for Reverse Engineers, Programmers and people that value their eye sight when working at 3 AM. |
| williballenthin/python-idb | Pure Python parser and analyzer for IDA Pro database files (.idb). |
| Link | Description |
| 0xsha/CloudBrute | A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode). The outcome is useful for bug bounty hunters, red teamers, and penetration testers alike. |
| Alfresco/prowler | Tool for AWS security assessment, auditing and hardening. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark. |
| andresriancho/nimbostratus | Tools for fingerprinting and exploiting Amazon cloud infrastructures |
| asecure.cloud | A free repository of customizable AWS security configurations and best practices |
| asecurityteam/spacecrab | Bootstraps an AWS account with everything you need to generate, mangage, and distribute and alert on AWS honey tokens. Made with breakfast roti by the Atlassian security team. |
| aws-cloudformation/cloudformation-guard | Guard offers a policy-as-code domain-specific language (DSL) to write rules and validate JSON- and YAML-formatted data such as CloudFormation Templates, K8s configurations, and Terraform JSON plans/configurations against those rules. |
| awslabs/aws-security-benchmark | Open source demos, concept and guidance related to the AWS CIS Foundation framework. |
| Azure/Stormspotter | Azure Red Team tool for graphing Azure and Azure Active Directory objects |
| BishopFox/iam-vulnerable | Use Terraform to create your own vulnerable by design AWS IAM privilege escalation playground. |
| BishopFox/smogcloud | Find cloud assets that no one wants exposed |
| BloodHoundAD/AzureHound | Azure Hound |
| bridgecrewio/cdkgoat | CdkGoat is Bridgecrew's "Vulnerable by Design" AWS CDK repository. CdkGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. |
| bridgecrewio/cfngoat | Cfngoat is Bridgecrew's "Vulnerable by Design" Cloudformation repository. Cfngoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. |
| carnal0wnage/weirdAAL | WeirdAAL [AWS Attack Library] wiki! |
| cisagov/Sparrow | Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. |
| cloud-sniper/cloud-sniper | Cloud Security Operations Orchestrator |
| cloudquery/cloudquery | cloudquery transforms your cloud infrastructure into queryable SQL tables for easy monitoring, governance and security. |
| cloudsploit/scans | AWS security scanning checks |
| cr0hn/festin | FestIn is a tool for discovering open S3 Buckets starting from a domains. |
| CrowdStrike/CRT | This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard to find permissions and configuration settings in order to assist organizations in securing these environments. |
| cyberark/blobhunter | Find exposed data in Azure with this public blob scanner |
| cyberark/SkyArk | SkyArk is a cloud security tool, helps to discover, assess and secure the most privileged entities in AWS |
| cyberark/SkyWrapper | SkyWrapper helps to discover suspicious creation forms and uses of temporary tokens in AWS |
| dagrz/aws_pwn | A collection of AWS penetration testing junk |
| darkbitio/aws-recon | Multi-threaded AWS inventory collection tool with a focus on security-relevant resources and metadata. |
| darkquasar/AzureHunter | A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365 |
| disruptops/cred_scanner | A simple file-based scaner to look for potential AWS accesses and secret keys in files |
| duo-labs/cloudtracker | CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies. |
| duo-labs/cloudmapper | CloudMapper helps you analyze your Amazon Web Services (AWS) environments. |
| endgameinc/varna | Varna: Quick & Cheap AWS CloudTrail Monitoring with Event Query Language (EQL) |
| eth0izzle/bucket-stream | Find interesting Amazon S3 Buckets by watching certificate transparency logs. |
| FishermansEnemy/bucket_finder | Amazon bucket brute force tool |
| FSecureLABS/Azurite | Enumeration and reconnaissance activities in the Microsoft Azure Cloud. |
| glen-mac/goGetBucket | A penetration testing tool to enumerate and analyse Amazon S3 Buckets owned by a domain. |
| google/cloud-forensics-utils | Python library to carry out DFIR analysis on the Cloud |
| hausec/PowerZure | PowerShell framework to assess Azure security |
| initstring/cloud_enum | Multi-cloud OSINT tool. Enumerate public resources in AWS, Azure, and Google Cloud. |
| jonrau1/ElectricEye | Continuously monitor your AWS services for configurations that can lead to degradation of confidentiality, integrity or availability. All results will be sent to Security Hub for further aggregation and analysis. |
| jordanpotti/AWSBucketDump | Security Tool to Look For Interesting Files in S3 Buckets |
| jordanpotti/CloudScraper | CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space. |
| kromtech/s3-inspector | Tool to check AWS S3 bucket permissions |
| lyft/metadataproxy | A proxy for AWS's metadata service that gives out scoped IAM credentials from STS |
| MindPointGroup/cloudfrunt | A tool for identifying misconfigured CloudFront domains |
| nccgroup/aws-inventory | Discover resources created in an AWS account |
| nccgroup/azucar | Security auditing tool for Azure environments |
| nccgroup/PMapper | A tool for quickly evaluating IAM permissions in AWS. |
| nccgroup/s3_objects_check | Whitebox evaluation of effective S3 object permissions, in order to identify publicly accessible objects. |
| nccgroup/Scout2 | Security auditing tool for AWS environments |
| nccgroup/ScoutSuite | Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments |
| Netflix-Skunkworks/diffy | Diffy is a digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). |
| Netflix/security_monkey | Security Monkey monitors your AWS and GCP accounts for policy changes and alerts on insecure configurations. |
| NetSPI/aws_consoler | A utility to convert your AWS CLI credentials into AWS console access. |
| NetSPI/MicroBurst | A collection of scripts for assessing Microsoft Azure security |
| NotSoSecure/cloud-service-enum | This script allows pentesters to validate which cloud tokens (API keys, OAuth tokens and more) can access which cloud service. |
| prevade/cloudjack | Route53/CloudFront Vulnerability Assessment Utility |
| projectdiscovery/cloudlist | Cloudlist is a tool for listing Assets from multiple Cloud Providers. |
| pumasecurity/serverless-prey | Serverless Functions for establishing Reverse Shells to Lambda, Azure Functions, and Google Cloud Functions |
| random-robbie/slurp | Enumerate S3 buckets via certstream, domain, or keywords |
| RhinoSecurityLabs/cloudgoat | CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool |
| RhinoSecurityLabs/pacu | Rhino Security Labs' AWS penetration testing toolkit |
| RiotGames/cloud-inquisitor | Enforce ownership and data security within AWS |
| sa7mon/S3Scanner | Scan for open S3 buckets and dump |
| salesforce/cloudsplaining | Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report with a triage worksheet |
| sendgrid/krampus | The original AWS security enforcer™ |
| SecurityFTW/cs-suite | Cloud Security Suite - One stop tool for auditing the security posture of AWS infrastructure. |
| soteria-security/365Inspect | A PowerShell script that automates the security assessment of Microsoft Office 365 environments. |
| spacesiren/spacesiren | A honey token manager and alert system for AWS. |
| swimlane/CLAW | A packer utility to create and capture DFIR Image for use AWS & Azure |
| theflakes/reg_hunter | Blueteam operational triage registry hunting/forensic tool |
| ThreatResponse/margaritashotgun | Remote Memory Acquisition Tool for AWS |
| ThreatResponse/aws_ir | Python installable command line utiltity for mitigation of host and key compromises. |
| toniblyx/prowler | Tool based on AWS-CLI commands for AWS account security assessment and hardening, following guidelines of the CIS Amazon Web Services Foundations Benchmark 1.1 |
| widdix/aws-s3-virusscan | Antivirus for Amazon S3 buckets |
| Link | Description |
| specterops/at-ps | Adversary Tactics - PowerShell Training |
| Link | Description |
| Balasys/dheater | D(HE)ater is a security tool can perform DoS attack by enforcing the DHE key exchange. |
| CERTCC/keyfinder | A tool for analyzing private (and public) key files, including support for Android APK files. |
| CertDB | Internet-wide search engine for digital certificates |
| Ciphey/Ciphey | Automatically decode encryptions without a key, decode encodings, and crack hashes |
| corkami/pocs | Proof of Concepts (PE, PDF...) |
| mpgn/BEAST-PoC | Poc of BEAST attack against SSL/TLS |
| mpgn/Padding-oracle-attack | Padding oracle attack against PKCS7 |
| mpgn/poodle-PoC | Poodle (Padding Oracle On Downgraded Legacy Encryption) attack |
| mxrch/evilize | Use md5-collisions to make evil executables looking like a good one. |
| salesforce/ja3 | JA3 is a standard for creating SSL client fingerprints in an easy to produce and shareable way. |
| Link | Description |
| BOTS 1.0 Dataset | The BOTS 1.0 dataset records two attacks perpetrated by a fictitious hacktivist group called po1s0n1vy targeting Wayne Corp of Batman mythology. There are many comic book references in the data; from heroes and villains to “Batman’s” street addresses. Not only does the dataset have many different types of data—everything from Sysmon to Suricata—but there are even file hashes that can be found in Virustotal.com and domains/IPs to hunt for in OSINT tools like PassiveTotal and Robtex! |
| DataPlane.org | DataPlane.org is a community-powered Internet data, feeds, and measurement resource for operators, by operators. We provide reliable and trustworthy service at no cost. |
| Google Dataset Search | Google Dataset Search |
| FiveDirections/OpTC-data | Operationally Transparent Cyber (OpTC) Data |
| intel/yarpgen | Yet Another Random Program Generator |
| Kitsune Network Attack Dataset | Nine labeled attacks with extracted features and the original network capture |
| nimrodpar/Labeled-Elfs | A collection of well labeled ELF binaries compiled from benign and malicious code in various ways. Great for exploring similarity in executables and training various ML models. |
| Security Datasets | The Security Datasets project is an open-source initiatve that contributes malicious and benign datasets, from different platforms, to the infosec community to expedite data analysis and threat research. |
| SecRepo.com - Samples of Security Related Data | Finding samples of various types of Security related can be a giant pain. This is my attempt to keep a somewhat curated list of Security related data I've found, created, or was pointed to. If you perform any kind of analysis with any of this data please let me know and I'd be happy to link it from here or host it here. Hopefully by looking at others research and analysis it will inspire people to add-on, improve, and create new ideas. |
| sophos-ai/SOREL-20M | Sophos-ReversingLabs 20 million sample dataset |
| splunk/attack_data | A Repository of curated datasets from various attacks |
| Link | Description |
| $I File Parser | Free Forensics Tool – \$I File Parser |
| 3CORESec/Automata | Automatic detection engineering technical state compliance |
| Accenture/docker-plaso | Docker container for plaso supertimlining tool |
| activecm/BeaKer | Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana |
| activecm/espy/ | Endpoint detection for remote hosts for consumption by RITA and Elasticsearch |
| ahmedkhlief/APT-Hunter | APT-Hunter is Threat Hunting tool for windows event logs which made by purple team mindset to provide detect APT movements hidden in the sea of windows event logs to decrease the time to uncover suspicious activity |
| AlienVault OSSIM | AlienVault OSSIM: The World’s Most Widely Used Open Source SIEM |
| andreafortuna/autotimeliner | Automagically extract forensic timeline from volatile memory dump |
| ANSSI-FR/bits_parser | Extract BITS jobs from QMGR queue and store them as CSV records |
| ANSSI-FR/bmc-tools | RDP Bitmap Cache Parser |
| ANSSI-FR/DFIR-O365RC | PowerShell module for Office 365 and Azure AD log collection |
| aquasecurity/tracee | Linux Runtime Security and Forensics using eBPF |
| Arsenal Recon Free Tools | Arsenal Recon Free Tools |
| bfuzzy/auditd-attack | A Linux Auditd rule set mapped to MITRE's Attack Framework |
| Broctets-and-Bytes/Darwin | This script is designed to be run against a mounted image, live system, or device in target disk mode. The script automates the collection of key files for MacOS investigations. |
| bromiley/olaf | Office365 Log Analysis Framework: OLAF is a collection of tools, scripts, and analysis techniques dealing with O365 Investigations. |
| BSI-Bund/RdpCacheStitcher | RdpCacheStitcher is a tool that supports forensic analysts in reconstructing useful images out of RDP cache bitmaps. |
| carmaa/inception | Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. |
| CCob/BeaconEye | Hunts out CobaltStrike beacons and logs operator command output |
| Cerebrate Project | Cerebrate is an open-source platform meant to act as a trusted contact information provider and interconnection orchestrator for other security tools (such as MISP). |
| chrisandoryan/Nethive-Project | Restructured and Collaborated SIEM and CVSS Infrastructure. Presented at Blackhat Asia Arsenal 2020. |
| cisagov/CHIRP | A forensic collection tool written in Python. |
| coinbase/dexter | Forensics acquisition framework designed to be extensible and secure |
| ComodoSecurity/openedr | Open EDR public repository |
| countercept/chainsaw | Rapidly Search and Hunt through Windows Event Logs |
| CrowdStrike/automactc | AutoMacTC: Automated Mac Forensic Triage Collector |
| CrowdStrike/Forensics | Scripts and code referenced in CrowdStrike blog posts |
| CrowdStrike/SuperMem | A python script developed to process Windows memory images based on triage type. |
| cryps1s/DARKSURGEON | DARKSURGEON is a Windows packer project to empower incident response, digital forensics, malware analysis, and network defense. |
| cyb3rfox/Aurora-Incident-Response | Incident Response Documentation made easy. Developed by Incident Responders for Incident Responders |
| Cyb3rWard0g/HELK | A Hunting ELK (Elasticsearch, Logstash, Kibana) with advanced analytic capabilities. |
| Cyber Analytics Repository | The MITRE Cyber Analytics Repository (CAR) is a knowledge base of analytics developed by MITRE based on the MITRE ATT&CK adversary model. |
| CyberDefenseInstitute/CDIR | CDIR (Cyber Defense Institute Incident Response) Collector - live collection tool based on oss tool/library |
| D4stiny/PeaceMaker | PeaceMaker Threat Detection is a Windows kernel-based application that detects advanced techniques used by malware. |
| DamonMohammadbagher/ETWProcessMon2 | ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection etc. |
| davehull/Kansa | A Powershell incident response framework |
| deepalert/deepalert | Serverless SOAR (Security Orchestration, Automation and Response) framework for automatic inspection and evaluation of security alert |
| DFIR ORC | DFIR ORC, where ORC stands for “Outil de Recherche de Compromission” in French, is a collection of specialized tools dedicated to reliably parse and collect critical artefacts such as the MFT, registry hives or event logs. It can also embed external tools and their configurations. |
| DFIRKuiper/Kuiper | Digital Forensics Investigation Platform |
| DG Wingman | DG Wingman is a free community Windows tool designed to aid in the collection of forensic evidence in order to properly investigate and scope an intrusion. |
| dhondta/AppmemDumper | Forensics triage tool relying on Volatility and Foremost |
| draios/sysdig | Linux system exploration and troubleshooting tool with first class support for containers |
| drego85/meioc | Extracting IoC data from eMail |
| fireeye/ARDvark | ARDvark parses the Apple Remote Desktop (ARD) files to pull out application usage, user activity, and filesystem listings. |
| fireeye/SilkETW | SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. |
| fireeye/ThreatPursuit-VM | Threat Pursuit Virtual Machine (VM): A fully customizable, open-sourced Windows-based distribution focused on threat intelligence analysis and hunting designed for intel and malware analysts as well as threat hunters to get up and running quickly. |
| ForensicArtifacts/artifacts | Digital Forensics Artifact Repository |
| frikky/Shuffle | Shuffle: A general purpose security automation platform platform. We focus on accessibility for all. |
| FSecureLABS/LinuxCatScale | Incident Response collection and processing scripts with automated reporting scripts |
| G-Research/siembol | An open-source, real-time Security Information & Event Management tool based on big data technologies, providing a scalable, advanced security analytics framework. |
| gleeda/memtriage | Allows you to quickly query a Windows machine for RAM artifacts |
| google/docker-explorer | A tool to help forensicate offline docker acquisitions |
| google/GiftStick | 1-Click push forensics evidence to the cloud |
| google/grr | GRR is a python client (agent) that is installed on target systems, and python server infrastructure that can manage and talk to clients. |
| google/rekall | The Rekall Framework is a completely open collection of tools, implemented in Python under the Apache and GNU General Public License, for the extraction and analysis of digital artifacts computer systems. |
| google/turbinia | Automation and Scaling of Digital Forensics Tools |
| Graylog | Built to open standards, Graylog’s connectivity and interoperability seamlessly collects, enhances, stores, and analyzes log data. |
| hunters-forge/API-To-Event | A repo to document API functions mapped to security events across diverse platforms |
| hunters-forge/OSSEM | Open Source Security Events Metadata (OSSEM) |
| jimtin/IRCoreForensicFramework | Powershell 7 (Powershell Core)/ C# cross platform forensic framework. Built by incident responders for incident responders. |
| JPCERTCC/LogonTracer | Investigate malicious Windows logon by visualizing and analyzing Windows event log |
| JPCERTCC/SysmonSearch | Investigate suspicious activity by visualizing Sysmon's event log |
| IllusiveNetworks-Labs/HistoricProcessTree | An Incident Response tool that visualizes historic process execution evidence (based on Event ID 4688 - Process Creation Event) in a tree view. |
| intezer/linux-explorer | Easy-to-use live forensics toolbox for Linux endpoints |
| Invoke-IR/ACE | The Automated Collection and Enrichment (ACE) platform is a suite of tools for threat hunters to collect data from many endpoints in a network and automatically enrich the data. The data is collected by running scripts on each computer without installing any software on the target. ACE supports collecting from Windows, macOS, and Linux hosts. |
| Invoke-IR/PowerForensics | PowerForensics provides an all in one platform for live disk forensic analysis |
| ion-storm/sysmod-edr | Sysmon EDR Active Response |
| kacos2000/MFT_Browser | $MFT directory tree reconstruction & record info |
| Kaspersky IR's Artifacts Collector | Kaspersky IR's Artifacts Collector |
| Live Response Collection - Cedarpelta | Live Response Collection - Cedarpelta |
| log2timeline/plaso | log2timeline is a tool designed to extract timestamps from various files found on a typical computer system(s) and aggregate them. |
| MAGNET App Simulator | MAGNET App Simulator lets you load application data from Android devices in your case into a virtual environment, enabling you to view and interact with the data as the user would have seen it on their own device. |
| MalwareSoup/MitreAttack | Python wrapper for the Mitre ATT&CK framework API |
| markbaggett/srum-dump | A forensics tool to convert the data in the Windows srum (System Resource Usage Monitor) database to an xlsx spreadsheet. |
| markbaggett/werejugo | Identifies physical locations where a laptop has been based upon wireless profiles and wireless data recorded in event logs |
| microsoft/avml | AVML - Acquire Volatile Memory for Linux |
| miriamxyra/EventList | EventList is a tool to help improving your Audit capabilities and to help to build your Security Operation Center. |
| mitre-attack/bzar | A set of Zeek scripts to detect ATT&CK techniques. |
| monnappa22/HollowFind | Hollowfind is a Volatility plugin to detect different types of process hollowing techniques used in the wild to bypass, confuse, deflect and divert the forensic analysis techniques. The plugin detects such attacks by finding discrepancy in the VAD and PEB, it also disassembles the address of entry point to detect any redirection attempts and als… |
| mozilla/audit-go | Linux Audit Plugin for heka written using netlink Protocol in golang and Lua |
| mozilla/mig | Distributed & real time digital forensics at the speed of the cloud |
| mozilla/MozDef | MozDef: The Mozilla Defense Platform |
| nannib/Imm2Virtual | This is a GUI (for Windows 64 bit) for a procedure to virtualize your EWF(E01), DD(Raw), AFF disk image file without converting it, directly with VirtualBox, forensically proof. |
| Netflix/dispatch | All of the ad-hoc things you're doing to manage incidents today, done for you, and much more! |
| nshalabi/SysmonTools | Utilities for Sysmon (Sysmon View and Sysmon Shell) |
| NVISOsecurity/evtx-hunter | evtx-hunter helps to quickly spot interesting security-related activity in Windows Event Viewer (EVTX) files. |
| NXLog | The modern open source log collector. |
| omenscan/achoir | Windows Live Artifacts Acquisition Script |
| omenscan/achoirx | ReWrite of AChoir in Go for Cross PlatformReWrite of AChoir in Go for Cross Platform |
| opencybersecurityalliance/kestrel-lang | Kestrel Threat Hunting Language |
| OpenEx-Platform/openex | Open Crisis Exercises Planning Platform |
| orlikoski/CyLR | CyLR - Live Response Collection Tool |
| OSSEC | Open Source HIDS SECurity |
| OTRF/Azure-Sentinel2Go | Azure Sentinel2Go is an open source project developed to expedite the deployment of an Azure Sentinel lab. |
| ovotech/gitoops | GitOops is a tool to help attackers and defenders identify lateral movement and privilege escalation paths in GitHub organizations by abusing CI/CD pipelines and GitHub access controls. |
| philhagen/sof-elk | Configuration files for the SOF-ELK VM, used in SANS FOR572 |
| polylogyx/PolyMon | PolyLogyx Monitoring Agent (PolyMon) is a Windows software that leverages the osquery tool and the PolyLogyx Extension to osquery, to provide a view into detailed information about process creations, network connections, file system changes and many other activities on the system. |
| ptresearch/AttackDetection | The Attack Detection Team searches for new vulnerabilities and 0-days, reproduces it and creates PoC exploits to understand how these security flaws work and how related attacks can be detected on the network layer. Additionally, we are interested in malware and hackers’ TTPs, so we develop Suricata rules for detecting all sorts of such activities. |
| PUNCH-Cyber/stoq | An open source framework for enterprise level automated analysis. |
| PwC-IR/Office-365-Extractor | The Office 365 Extractor is a tool that allows for complete and reliable extraction of the Unified Audit Log (UAL) |
| rajiv2790/FalconEye | FalconEye: Real-time detection software for Windows process injections |
| refractionPOINT/limacharlie | LC is an Open Source, cross-platform (Windows, MacOS, Linux ++), realtime Endpoint Detection and Response sensor. The extra-light sensor, once installed on a system provides Flight Data Recorder type information (telemetry on all aspects of the system like processes, DNS, network IO, file IO etc). |
| RomanEmelyanov/CobaltStrikeForensic | Toolset for research malware and Cobalt Strike beacons |
| ROCK NSM | Response Operation Collection Kit - An open source Network Security Monitoring platform. |
| salesforce/bro-sysmon | Bro-Sysmon enables Bro to receive Windows Event Logs. This provide a method to associate Network Monitoring and Host Monitoring. The work was spurred by the need to associate JA3 and HASSH fingerprints with the application on the host. The example below shows the hostname, Process ID, connection information, JA3 fingerprints, Application Path, and binary hashes. |
| salesforce/jarm | JARM is an active Transport Layer Security (TLS) server fingerprinting tool. |
| sans-blue-team/DeepBlueCLI | DeepBlueCLI - a PowerShell Module for Threat Hunting via Windows Event Logs |
| Security Onion | Peel back the layers of your enterprise |
| SecurityRiskAdvisors/dredd | Automated detection rule analysis utility |
| SecurityRiskAdvisors/TALR | Threat Alert Logic Repository (TALR) - A public repository for the collection and sharing of detection rules in platform agnostic formats. Collected rules are appended with STIX required fields for simplified sharing over TAXII servers. |
| SekoiaLab/fastir_artifacts | Live forensic artifacts collector |
| SekoiaLab/Fastir_Collector | This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected. |
| shellster/DCSYNCMonitor | Monitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events. |
| SIEMonster | SIEMonster is an Affordable Security Monitoring Software Soulution |
| Sigma Rules Repository Mirror | Sigma rules repository mirror and translations |
| slackhq/go-audit | go-audit is an alternative to the auditd daemon that ships with many distros |
| s0md3v/Orbit | Blockchain Transactions Investigation Tool |
| splunk/melting-cobalt | A Cobalt Strike Scanner that retrieves detected Team Server beacons into a JSON object |
| sumeshi/evtx2es | A library for fast import of Windows Eventlogs into Elasticsearch. |
| swisscom/Invoke-Forensics | Invoke-Forensics provides PowerShell commands to simplify working with the forensic tools KAPE and RegRipper. |
| Sysinternals/SysmonForLinux | Sysmon For Linux install and build instructions |
| tclahr/uac | UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Reponse that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris. |
| telekom-security/acquire-aws-ec2 | A python script to acquire multiple aws ec2 instances in a forensically sound-ish way |
| TestDisk | TestDisk is powerful free data recovery software! It was primarily designed to help recover lost partitions and/or make non-booting disks bootable again when these symptoms are caused by faulty software: certain types of viruses or human error (such as accidentally deleting a Partition Table). Partition table recovery using TestDisk is really easy. |
| The Sleuth Kit | sleuthkit.org is the official website for The Sleuth Kit®, Autopsy®, and other open source digital investigation tools. From here, you can find documents, case studies, and download the latest versions of the software. |
| thewhiteninja/ntfstool | Forensics tool for NTFS (parser, mft, bitlocker, deleted files) |
| THIBER-ORG/userline | Query and report user logons relations from MS Windows Security Events |
| threathunters-io/laurel | Transform Linux Audit logs for SIEM usage |
| TobySalusky/cont3xt | Cont3xt intends to centralize and simplify a structured approach to gathering contextual intelligence in support of technical investigations. |
| trustedsec/SysmonCommunityGuide | TrustedSec Sysinternals Sysmon Community Guide |
| ufrisk/LeechCore | LeechCore - Physical Memory Acquisition Library & The LeechAgent Remote Memory Acquisition Agent |
| Uncoder.io | Uncoder.IO is the online translator for SIEM saved searches, filters, queries, API requests, correlation and Sigma rules to help SOC Analysts, Threat Hunters and SIEM Engineers |
| VSCMount | Volume shadow copies mounter tool |
| Wazuh | Open Source Host and Endpoint Security |
| wagga40/Zircolite | A standalone SIGMA-based detection tool for EVTX. |
| williballenthin/EVTXtract | EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images. |
| williballenthin/INDXParse | Tool suite for inspecting NTFS artifacts |
| williballenthin/process-forest | process-forest is a tool that processes Microsoft Windows EVTX event logs that contain process accounting events and reconstructs the historical process heirarchies. |
| XForceIR/SideLoadHunter | SideLoadHunter is a PowerShell script and Sysmon configuration designed to aide defenders and incident responders identify evidence of DLL sideloading on Windows systems. |
| yampelo/beagle | Beagle is an incident response and digital forensics tool which transforms security logs and data into graphs. |
| zeronetworks/RPCFirewall | RPC is the underlying mechanism which is used for numerous lateral movement techniques, reconnaisense, relay attacks, or simply to exploit vulnerable RPC services. |
| zodiacon/ProcMonXv2 | Procmon-like tool that uses Event Tracing for Windows (ETW) instead of a kernel driver to provide event information. |
| Link | Description |
| externalist/exploit_playground | Analysis of public exploits or my 1day exploits |
| FriendsOfPHP/security-advisories | The PHP Security Advisories Database references known security vulnerabilities in various PHP projects and libraries. This database must not serve as the primary source of information for security issues, it is not authoritative for any referenced software, but it allows to centralize information for convenience and easy consumption. |
| gellin/TeamViewer_Permissions_Hook_V1 | A proof of concept injectable C++ dll, that uses naked inline hooking and direct memory modification to change your TeamViewer permissions. |
| HASecuritySolutions/VulnWhisperer | Create actionable data from your Vulnerability Scans |
| hasherezade/process_doppelganging | My implementation of enSilo's Process Doppelganging (PE injection technique) |
| itm4n/Perfusion | Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012) |
| itm4n/UsoDllLoader | Windows - Weaponizing privileged file writes with the Update Session Orchestrator service |
| jollheef/out-of-tree | out-of-tree kernel {module, exploit} development tool |
| nomi-sec/PoC-in-GitHub | 📡 PoC auto collect from GitHub. |
| opencve/opencve | CVE Alerting Platform |
| ScottyBauer/Android_Kernel_CVE_POCs | A list of my CVE's with POCs |
| smgorelik/Windows-RCE-exploits | The exploit samples database is a repository for **RCE** (remote code execution) exploits and Proof-of-Concepts for **WINDOWS**, the samples are uploaded for education purposes for red and blue teams. |
| Spajed/processrefund | An attempt at Process Doppelgänging |
| spencerdodd/kernelpop | Kernel privilege escalation enumeration and exploitation framework |
| tunz/js-vuln-db | A collection of JavaScript engine CVEs with PoCs |
| victims/victims-cve-db | This database contains information regarding CVE(s) that affect various language modules. We currently store version information corresponding to respective modules as understood by select sources. |
| VulnReproduction/LinuxFlaw | This repo records all the vulnerabilities of linux software I have reproduced in my local workspace |
| xairy/kernel-exploits | A bunch of proof-of-concept exploits for the Linux kernel |
| Link | Description |
| Benchmark: NIST SP 800-53 Revision 5 | NIST SP 800-53 Revision 5 represents a multi-year effort to develop the next generation of security and privacy controls needed to strengthen and support the U.S. federal government. These next generation controls offer a proactive and systematic approach to ensure that critical systems, components, and services are sufficiently trustworthy and have the necessary resilience to defend the economic and national security interests of the United States. |
| cisagov/cset | Cybersecurity Evaluation Tool |
| Linux Kernel Runtime Guard | Linux Kernel Runtime Guard (LKRG) is a out-of-tree security module for the Linux kernel developed by Openwall. It does run-time integrity checks in order to stop known, and unknown, security vulnerabilities in the Linux kernel. It can log detected intrusion attempts or stop them by causing a kernel panic - resulting in a frozen machine or a reboot depending on how the kernel is configured. |
| nccgroup/exploit_mitigations | Knowledge base of exploit mitigations available across numerous operating systems, architectures and applications and versions. |
| Security Technical Implementation Guides (STIGs) | The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. |
| securitywithoutborders/hardentools | Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features. |
| Strategies to Mitigate Cyber Security Incidents | The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help technical cyber security professionals in all organisations mitigate cyber security incidents. This guidance addresses targeted cyber intrusions, ransomware and external adversaries with destructive intent, malicious insiders, 'business email compromise' and industrial control systems. |
| ukncsc/Device-Security-Guidance-Configuration-Packs | This repository contains policy packs which can be used by system management software to configure device platforms (such as Windows 10 and iOS) in accordance with NCSC device security guidance. These configurations are aimed primarily at government and other medium/large organisations. |
| Windows Security Baseline | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers. |
| Link | Description |
| tothi/usbgadget-tool | Dumb USB HID gadget creator for Android (for triggering device driver install on Windows for LPE) |
| ufrisk/pcileech | Direct Memory Access (DMA) Attack Software |
| Link | Description |
| accidentalrebel/mbcscan | Scans a malware file and lists down the related MBC (Malware Behavior Catalog) details. |
| activecm/rita | Real Intelligence Threat Analytics |
| adamkramer/rapid_env | Rapid deployment of Windows environment (files, registry keys, mutex etc) to facilitate malware analysis |
| advanced-threat-research/DarkSide-Config-Extract | DarkSide & BlackMatter Config Extractor by ValthekOn & S2 (@sisoma2) |
| advanced-threat-research/IOCs | Repository containing IOCs, MISP and Expert rules from our blogs |
| akamai/luda | Malicious actors often reuse code to deploy their malware, phishing website or CNC server. As a result, similiaries can be found on URLs path by inspecting internet traffic. Moreover, deep learning models or even regular ML model do not fit for inline deployment in terms of running performance. However, regexes ( or YARA rules ) can be deployed … |
| alexandreborges/malwoverview | Malwoverview.py is a simple tool to perform an initial and quick triage on either a directory containing malware samples or a specific malware sample |
| APT Groups, Operations and Malware Search Engine | APT Groups, Operations and Malware Search Engine |
| ashishb/android-malware | Collection of android malware samples |
| AVCaesar | AVCaesar is a malware analysis engine and repository |
| blackorbird/APT_REPORT | Interesting apt report collection and some special ioc express |
| CapacitorSet/box-js | A tool for studying JavaScript malware |
| captainGeech42/ransomwatch | Ransomware leak site monitoring |
| CERT-Polska/drakvuf-sandbox | DRAKVUF Sandbox - automated hypervisor-level malware analysis system |
| CERT-Polska/karton | Distributed malware processing framework based on Python, Redis and MinIO. |
| CERT-Polska/mwdb-core | Malware repository component for samples & static configuration with REST API interface. |
| CheckPointSW/showstopper | ShowStopper is a tool for helping malware researchers explore and test anti-debug techniques or verify debugger plugins or other solutions that clash with standard anti-debug methods. |
| Contagio | Malwarre dump |
| CRED-CLUB/ARTIF | An advanced real time threat intelligence framework to identify threats and malicious web traffic on the basis of IP reputation and historical data. |
| CriticalPathSecurity/Zeek-Intelligence-Feeds | Zeek-Formatted Threat Intelligence Feeds |
| cmu-sei/cyobstract | A tool to extract structured cyber information from incident reports. |
| CRXcavator | CRXcavator automatically scans the entire Chrome Web Store every 3 hours and produces a quantified risk score for each Chrome Extension based on several factors. |
| countercept/snake | snake - a malware storage zoo |
| CybercentreCanada/CCCS-Yara | YARA rule metadata specification and validation utility / Spécification et validation pour les règles YARA |
| D4stiny/spectre | A Windows kernel-mode rootkit that abuses legitimate communication channels to control a machine. |
| DAS MALWERK | DAS MALWERK - your one stop shop for fresh malware samples |
| DoctorWebLtd/malware-iocs | This repository contains Indicators of Compromise (IOCs) related to our investigations. |
| Dragonfly | An automated sandbox to emulate and analyze malware |
| droidefense/engine | Droidefense: Advance Android Malware Analysis Framework |
| dsnezhkov/racketeer | Racketeer Project - Ransomware emulation toolkit |
| ecstatic-nobel/Analyst-Arsenal | Phishing kits hunting |
| EFForg/yaya | Yet Another Yara Automaton - Automatically curate open source yara rules and run scans |
| eset/malware-ioc | Indicators of Compromises (IOC) of our various investigations |
| FAME | FAME Automates Malware Evaluation |
| fireeye/flashmingo | Automatic analysis of SWF files based on some heuristics. Extensible via plugins. |
| fireeye/iocs | FireEye Publicly Shared Indicators of Compromise (IOCs) |
| felixweyne/imaginaryC2 | Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads. |
| FortyNorthSecurity/WMImplant | This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based. |
| godaddy/procfilter | A YARA-integrated process denial framework for Windows |
| gen0cide/gscript | Framework to rapidly implement custom droppers for all three major operating systems |
| glmcdona/Process-Dump | Windows tool for dumping malware PE files from memory back to disk for analysis. |
| google/vxsig | Automatically generate AV byte signatures from sets of similar binaries. |
| GoSecure/malboxes | Builds malware analysis Windows VMs so that you don't have to. |
| GreatSCT/GreatSCT | The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team |
| Have I Been Emotet | Check if your email address or domain is involved in the Emotet malspam (name@domain.ext or domain.ext). Your address can be marked as a SENDER (FAKE or REAL), as a RECIPIENT or any combination of the three. |
| hasherezade/libpeconv/runpe | RunPE (aka Process Hollowing) is a well known technique allowing to injecting a new PE into a remote processes, imprersonating this process. The given implementation works for PE 32bit as well as 64bit. |
| hasherezade/mal_unpack | Dynamic unpacker based on PE-sieve |
| hasherezade/pe-sieve | Scans a given process, searching for the modules containing in-memory code modifications. When found, it dumps the modified PE. |
| Hatching Triage | Triage is our state-of-the-art malware analysis sandbox designed for cross-platform support (Windows, Android, Linux, and macOS), high-volume malware analysis capabilities, and configuration extraction for numerous malware families. |
| hegusung/AVSignSeek | Tool written in python3 to determine where the AV signature is located in a binary/payload |
| hejelylab/easeYARA | C# Desktop GUI application that either performs YARA scan locally or prepares the scan in Active Directory domain environment with a few clicks. |
| hlldz/SpookFlare | Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures. |
| Hybrid-Analysis | Free Automated Malware Analysis Service |
| InQuest/ThreatIngestor | An extendable tool to extract and aggregate IOCs from threat feeds. |
| ips-bph-framework | BLACKPHENIX is an open source malware analysis automation framework composed of services, scripts, plug-ins, and tools and is based on a Command-and-Control (C&C) architecture |
| IRIS-H | IRIS-H is an online digital forensics tool that performs automated static analysis of files stored in a directory-based or strictly structured formats. |
| jgamblin/Mirai-Source-Code | Leaked Mirai Source Code for Research/IoC Development Purposes. |
| jgamblin/JPCERTCC/MalConfScan | Volatility plugin for extracts configuration data of known malware |
| JohnHammond/vbe-decoder | A Python3 script to decode an encoded VBScript file, often seen with a .vbe file extension |
| JohnLaTwC/PyPowerShellXray | Python script to decode common encoded PowerShell scripts |
| jstrosch/malware-samples | Malware samples, analysis exercises and other interesting resources. |
| KasperskyLab/klara | Klara project is aimed at helping Threat Intelligence researechers hunt for new malware using Yara. |
| katjahahn/PortEx | Java library to analyse Portable Executable files with a special focus on malware analysis and PE malformation robustness |
| kevoreilly/CAPEv2 | Malware Configuration And Payload Extraction |
| kirk-sayre-work/VBASeismograph | A tool for detecting VBA stomping. |
| Koodous | Koodous is a collaborative platform that combines the power of online analysis tools with social interactions between the analysts over a vast APKs repository. |
| LordNoteworthy/al-khaser | Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection. |
| Mac Malware | Mac Malware by Objective-See |
| Malc0de database | Malc0de database |
| mandiant/apooxml | Generate YARA rules for OOXML documents. |
| marcosd4h/memhunter | Live hunting of code injection techniques |
| maliceio/malice | Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company. |
| Malpedia | The primary goal of Malpedia is to provide a resource for rapid identification and actionable context when investigating malware. Openness to curated contributions shall ensure an accountable level of quality in order to foster meaningful and reproducible research. |
| MalShare | A free Malware repository providing researchers access to samples, malicous feeds, and Yara results |
| MalwareBazaar Database | MalwareBazaar is a project operated by abuse.ch. The purpose of the project is to collect and share malware samples, helping IT-security researchers and threat analyst protecting their constituency and customers from cyber threats. |
| MalwareCantFly/Vba2Graph | Vba2Graph - Generate call graphs from VBA code, for easier analysis of malicious documents. |
| malwaredllc/byob | BYOB (Build Your Own Botnet) |
| malwareinfosec/EKFiddle | A framework based on the Fiddler web debugger to study Exploit Kits, malvertising and malicious traffic in general. |
| Malwaretiverse | maltiverse - Connect the dots - The definitive IoC search engine |
| Malwares | Malware SRC Database |
| Malware Static Analysis | The following interface stands in front of a live engine which takes binary files and runs them against a pletora of hundreds YARA rules. |
| marcoramilli/PhishingKitTracker | An extensible and freshly updated collection of phishingkits for forensics and future analysis topped with simple stats |
| matterpreter/DefenderCheck | Identifies the bytes that Microsoft Defender flags on. |
| mindcollapse/MalwareMultiScan | Self-hosted VirusTotal / MetaDefender wannabe with API, demo UI and Scanners running in Docker. |
| MinervaLabsResearch/Mystique | Mystique may be used to discover infection markers that can be used to vaccinate endpoints against malware. It receives as input a malicious sample and automatically generates a list of mutexes that could be used to as "vaccines" against the sample |
| mitchellkrogza/Phishing.Database | Phishing Domains, urls websites and threats database. We use the PyFunceble testing tool to validate the status of all known Phishing domains and provide stats to reveal how many unique domains used for Phishing are still active |
| mohamedaymenkarmous/alienvault-otx-api-html | AlienVault OTX API-based project with HTML (pure HTML or mixed PNG screenshots) reports pages that looks like the real AlienVault OTX website |
| NavyTitanium/Fake-Sandbox-Artifacts | This script allows you to create various artifacts on a bare-metal Windows computer in an attempt to trick malwares that looks for VM or analysis tools |
| nbeede/BoomBox | Automatic deployment of Cuckoo Sandbox malware lab using Packer and Vagrant |
| nbulischeck/tyton | Linux Kernel-Mode Rootkit Hunter for 4.4.0-31+ |
| Neo23x0/APTSimulator | A toolset to make a system look as if it was the victim of an APT attack |
| Neo23x0/exotron | Sandbox feature upgrade with the help of wrapped samples |
| nsmfoo/antivmdetection | Script to create templates to use with VirtualBox to make vm detection harder |
| ntddk/virustream | A script to track malware IOCs with OSINT on Twitter. |
| OALabs/BlobRunner | Quickly debug shellcode extracted during malware analysis |
| OALabs/PyIATRebuild | Automatically rebuild Import Address Table for dumped PE file. With python bindings! |
| oasis-open/cti-stix-generator | OASIS Cyber Threat Intelligence (CTI) TC: A tool for generating STIX content for prototyping and testing. |
| ohjeongwook/PowerShellRunBox | Dynamic PowerShell analysis framework |
| outflanknl/EvilClippy | A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows. |
| P4T12ICK/ypsilon | Ypsilon is an Automated Security Use Case Testing Environment using real malware to test SIEM use cases in an closed environment. Different tools such as Ansible, Cuckoo, VirtualBox, Splunk and ELK are combined to determine the quality of a SIEM use case by testing any number of malware against a SIEM use case. Finally, a test report is generated giving insight to the quality of an use case. |
| pan-unit42/iocs | Indicators from Unit 42 Public Reports |
| phage-nz/ph0neutria | ph0neutria is a malware zoo builder that sources samples straight from the wild. Everything is stored in Viper for ease of access and manageability. |
| PwCUK-CTO/rtfsig | A tool to help malware analysts signature unique parts of RTF documents |
| python-iocextract | Advanced Indicator of Compromise (IOC) extractor |
| quarkslab/irma | IRMA is an asynchronous & customizable analysis system for suspicious files. |
| quasar/QuasarRAT | Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you. |
| rastrea2r/rastrea2r | Collecting & Hunting for IOCs with gusto and style |
| SafeBreach-Labs/mkmalwarefrom | Proof-of-concept two-stage dropper generator that uses bits from external sources |
| SentineLabs/SentinelLabs_RevCore_Tools | The Windows Malware Analysis Reversing Core Tools |
| SEKOIA Dropper Analysis | SEKOIA Dropper Analysis |
| slaughterjames/excelpeek | ExcelPeek is a tool designed to help investigate potentially malicious Microsoft Excel files. |
| sophos-ai/yaraml_rules | Security ML models encoded as Yara rules |
| SpamScope/spamscope | Fast Advanced Spam Analysis Tool |
| SpiderLabs/IOCs-IDPS | This repository will hold PCAP IOC data related with known malware samples (owner: Bryant Smith) |
| strozfriedberg/cobaltstrike-config-extractor | Cobalt Strike Beacon configuration extractor and parser. |
| t4d/PhishingKitHunter | Find phishing kits which use your brand/organization's files and image. |
| target/halogen | Automatically create YARA rules from malicious documents. |
| ThisIsLibra/MalPull | A CLI interface to search for a MD-5/SHA-1/SHA-256 hash on multiple malware databases and download the sample from the first hit |
| ThreatShare | ThreatShare is an advanced threat tracker that publicly tracks command & control servers for malware. |
| tklengyel/drakvuf | DRAKVUF Black-box Binary Analysis |
| tomchop/malcom | Malcom - Malware Communications Analyzer |
| UNIT 42: Playbook Viewver | Viewing PAN Unit 42's adversary playbook via web interface |
| UNPACME | An automated malware unpacking service from OpenAnalysis |
| uqcyber/ColdPress | Extensible Platform for Malware Analysis |
| ytisf/theZoo | A repository of LIVE malwares for your own joy and pleasure |
| VirusBay | VirusBay is a web-based, collaboration platform that connects security operations center (SOC) professionals with relevant malware researchers |
| VirusShare | VirusShare.com is a repository of malware samples to provide security researchers, incident responders, forensic analysts, and the morbidly curious access to samples of live malicious code |
| VX Vault | VX Vault |
| W3ndige/aurora | Malware similarity platform with modularity in mind. |
| xorhex/mlget | A golang CLI tool to download malware from a variety of sources. |
| zerofox-oss/phishpond | Because phishtank was taken.. explore phishing kits in a contained environment! |
| zerosum0x0/smbdoor | kernel backdoor via registering a malicious SMB handler |
| Link | Description |
| ac-pm/Inspeckage | Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module) |
| AIR GO | AIR GO detects obfuscation, vulnerabilities, open-source license issues, and malware by analyzing mobile apps and websites. It uses industry-leading technology to detect security threats and provide an improvement plan. |
| apkdetect | Android malware analysis and classification platform |
| Apktool | A tool for reverse engineering Android apk files |
| as0ler/r2flutch | Tool to decrypt iOS apps using r2frida |
| chaitin/passionfruit | Simple iOS app blackbox assessment tool. Powered by frida.re and vuejs. |
| charles2gan/GDA-android-reversing-Tool | GDA is a new fast and powerful decompiler in C++(working without Java VM) for the APK, DEX, ODEX, OAT, JAR, AAR, and CLASS file. which supports malicious behavior detection, privacy leaking detection, vulnerability detection, path solving, packer identification, variable tracking, deobfuscation, python&java scripts, device memory extraction, dat |
| dpnishant/appmon | AppMon is an automated framework for monitoring and tampering system API calls of native macOS, iOS and android apps. It is based on Frida. |
| dmayer/idb | idb is a tool to simplify some common tasks for iOS pentesting and research |
| Drozer | Comprehensive security and attack framework for Android |
| dwisiswant0/apkleaks | Scanning APK file for URIs, endpoints & secrets. |
| facebook/mariana-trench | Our security focused static analysis tool for Android and Java applications. |
| frida/frida | Dynamic instrumentation toolkit for developers, reverse-engineers, and security researchers. |
| iSECPartners/Android-SSL-TrustKiller | Bypass SSL certificate pinning for most applications |
| KJCracks/Clutch | Fast iOS executable dumper |
| linkedin/qark | Tool to look for several security related Android application vulnerabilities |
| m0bilesecurity/RMS-Runtime-Mobile-Security | Runtime Mobile Security (RMS) is a powerful web interface that helps you to manipulate Android Java Classes and Methods at Runtime |
| MobSF/Mobile-Security-Framework-MobSF | Mobile Security Framework is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing framework capable of performing static analysis, dynamic analysis, malware analysis and web API testing |
| mvt-project/mvt | MVT is a forensic tool to look for signs of infection in smartphone devices |
| mwrlabs/needle | The iOS Security Testing Framework |
| nccgroup/house | A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python. |
| nygard/class-dump | Generate Objective-C headers from Mach-O files |
| Pithus | Pithus is a free and open-source mobile threat intelligence platform for activists, journalists, NGOs, researchers... |
| pxb1988/dex2jar | Tools to work with android .dex and java .class files |
| quark-engine/quark-engine | An Obfuscation-Neglect Android Malware Scoring System |
| RealityNet/kobackupdec | Huawei backup decryptor |
| securing/IOSSecuritySuite | iOS platform security & anti-tampering Swift library |
| sensepost/objection | objection is a runtime mobile exploration toolkit, powered by Frida. It was built with the aim of helping assess mobile applications and their security posture without the need for a jailbroken or rooted mobile device. |
| skylot/jadx | Dex to Java decompiler |
| stefanesser/dumpdecrypted | Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption. |
| swdunlop/AndBug | Android Debugging Library |
| tcurdt/iProxy | Let's you connect your laptop to the iPhone to surf the web. |
| Link | Description |
| Arkime | Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search tool. |
| aol/moloch | Moloch is an open source, large scale, full packet capturing, indexing, and database system |
| austin-taylor/flare | An analytical framework for network traffic and behavioral analytics |
| Ben0xA/HoneyCreds | HoneyCreds network credential injection to detect responder and other network poisoners. |
| certego/PcapMonkey | PcapMonkey will provide an easy way to analyze pcap using the latest version of Suricata and Zeek. |
| crowdsecurity/crowdsec/ | Crowdsec - An open-source, lightweight agent to detect and respond to bad behaviours. It also automatically benefits from our global community-wide IP reputation database. |
| blechschmidt/massdns | A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration) |
| byt3bl33d3r/MITMf | Framework for Man-In-The-Middle attacks |
| cisco/mercury | Mercury: network metadata capture and analysis |
| ddosify/ddosify | High-performance load testing tool, written in Golang. |
| dhoelzer/ShowMeThePackets | Useful network monitoring, analysis, and active response tools used or mentioned in the SANS SEC503 course |
| DNSdumpster.com | dns recon & research, find & lookup dns records |
| eciavatta/caronte | A tool to analyze the network flow during attack/defence capture the flag competitions |
| eldraco/domain_analyzer | Analyze the security of any domain by finding all the information possible. Made in python. |
| fireeye/flare-fakenet-ng | FakeNet-NG - Next Generation Dynamic Network Analysis Tool |
| qeeqbox/chameleon | Customizable honeypots for monitoring network traffic, bots activities and username\password credentials (DNS, HTTP Proxy, HTTP, HTTPS, SSH, POP3, IMAP, STMP, RDP, VNC, SMB, SOCKS5, Redis, TELNET, Postgres and MySQL) |
| infobyte/evilgrade | Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates. It comes with pre-made binaries (agents), a working default configuration for fast pentests, and has it's own WebServer and DNSServer modules. Easy to set up new settings, and has an autoconfiguration when new binary agents are set. |
| joswr1ght/cowpatty | coWPAtty: WPA2-PSK Cracking |
| joswr1ght/nm2lp | Convert Windows Netmon Monitor Mode Wireless Packet Captures to Libpcap Format |
| michenriksen/aquatone | AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface. |
| nesfit/NetfoxDetective | NFX Detective is a novel Network forensic analysis tool that implements methods for extraction of application content from communication using supported protocols. |
| NetworkScan Mon | NetworkScan Monitor by Netlab 360 |
| odedshimon/BruteShark | BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files) |
| PacketTotal | A free, online PCAP analysis engine |
| Phenomite/AMP-Research | Research on UDP/TCP amplification vectors, payloads and mitigations against their use in DDoS Attacks |
| PolarProxy | PolarProxy is a transparent SSL/TLS proxy created for incident responders and malware researchers. PolarProxy is primarily designed to intercept and decrypt TLS encrypted traffic from malware. PolarProxy decrypts and re-encrypts TLS traffic, while also saving the decrypted traffic in a PCAP file that can be loaded into Wireshark or an intrusion detection system (IDS). |
| secureworks/dalton | Suricata and Snort IDS rule and pcap testing system |
| sensepost/routopsy | Routopsy is a toolkit built to attack often overlooked networking protocols. Routopsy currently supports attacks against Dynamic Routing Protocols (DRP) and First-Hop Redundancy Protocols (FHRP). |
| USArmyResearchLab/Dshell | An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures. |
| WiGLE | Maps and database of 802.11 wireless networks, with statistics, submitted by wardrivers, netstumblers, and net huggers. |
| WireEdit | First-Of-A-Kind And The Only Full Stack WYSIWYG Pcap Editor |
| The ZMap Project | The ZMap Project is a collection of open source tools that enable researchers to perform large-scale studies of the hosts and services that compose the public Internet. |
| Link | Description |
| althonos/InstaLooter | Another API-less Instagram pictures and videos downloader. |
| americanexpress/earlybird | EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more. |
| arch4ngel/peasant | LinkedIn reconnaissance tool |
| Bellingcat's Online Investigation Toolkit | Welcome to Bellingcats freely available online open source investigation toolkit. |
| byt3bl33d3r/WitnessMe | Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier. |
| CellID Finder | Find GSM base stations cell id coordinates |
| CellMapper | Cellular Coverage and Tower Map |
| Certificate Search | crt.sh | Certificate |
| CSE Utopia | CSE Utopia |
| danieleperera/onioningestor | An extendable tool to Collect, Crawl and Monitor onion sites on tor network and index collected information on Elasticsearch |
| Dargle | Dargle serves as a data aggregation platform for dark web domains. Hidden services on the dark web prove difficult to navigate, but by crawling the clear web, one can accumulate a directory of sorts for these hidden services. |
| dark.fail: Is a darknet site online? | dark.fail: Is a darknet site online? |
| DarkSearch | The 1st Real Dark Web Search Engine |
| DomainBigData | DomainBigData is a big database of domains and whois records |
| danieliu/play-scraper | A web scraper to retrieve application data from the Google Play Store. |
| DataSploit/datasploit | An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats. |
| felix83000/Watcher | Watcher - Open Source Cybersecurity Threat Hunting Platform. Developed with Django & React JS. |
| Epieos Tools - Google Account Finder | An online tool to retrieve sensitive information like google maps reviews, public photos, displayed name, usage of google services such as YouTube, Hangouts |
| FOFA Pro | The Cyberspace Search Engine, Security Situation Awareness |
| grep.app | Search across a half million git repos |
| GreyNoise Visualizer | GreyNoise Visualizer |
| haccer/twint | An advanced Twitter scraping & OSINT tool written in Python that doesn't use Twitter's API, allowing you to scrape a user's followers, following, Tweets and more while evading most API limitations. |
| hessman/gcert | Retrieves information about a given domain from the Google Transparency Report |
| I Know What You Download | Torrent downloads and distributions for IP |
| ImmuniWeb | Domain Security Test | Detect Dark Web Exposure, Phishing, Squatting and Trademark Infringement |
| IntelligenceX | Search Tor, I2P, data leaks, public web.| |
| InQuest/omnibus | The OSINT Omnibus |
| intelowlproject/IntelOwl | Intel Owl: analyze files, domains, IPs in multiple ways from a single API at scale |
| iptv-org/iptv | Collection of 8000+ publicly available IPTV channels from all over the world |
| jofpin/trape | People tracker on the Internet: OSINT analysis and research tool. |
| khast3x/h8mail | Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email |
| knownsec/Kunyu | Kunyu, more efficient corporate asset collection |
| lanrat/certgraph | An open source intelligence tool to crawl the graph of certificate Alternate Names |
| LeakIX | This project goes around the internet and finds services to index them. |
| Leak-Lookup | Data Breach Search Engine |
| leapsecurity/InSpy | A python based LinkedIn enumeration tool |
| Lookyloo | Web forensics tool |
| loseys/Oblivion | Data leak checker & OSINT Tool |
| Malfrats/xeuledoc | Fetch information about a public Google document. |
| medialab/minet | A webmining CLI tool & library for python. |
| megadose/holehe | holehe allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function. |
| mxrch/ghunt | GHunt is an OSINT tool to extract a lot of informations of someone's Google Account email. |
| nccgroup/scrying | A tool for collecting RDP, web and VNC screenshots all in one place |
| ninoseki/mihari | A helper to run OSINT queries & manage results continuously |
| ninoseki/mikata | A browser extension for OSINT search |
| OCCRP Data | Search 102m public records and leaks from 179 sources |
| OpenCelliD | OpenCelliD - Largest Open Database of Cell Towers & Geolocation - by Unwired Labs |
| OSINT.SH | ALL IN ONE INFORMATION GATHERING TOOLS |
| OWASP/Amass | In-depth Attack Surface Mapping and Asset Discovery |
| PaperMtn/gitlab-watchman | Monitoring GitLab for sensitive data shared publicly |
| Pastebin dump collection | Pastebin dump collection |
| Patrowl/PatrowlHears | PatrowlHears - Vulnerability Intelligence Center / Exploits |
| Phonebook.cz | Phonebook lists all domains, email addresses, or URLs for the given input domain. |
| qeeqbox/social-analyzer | API, CLI & Web App for analyzing & finding a person's profile across 350+ social media websites (Detections are updated regularly) |
| Recon-NG | Recon-ng is a reconnaissance tool with an interface similar to Metasploit. Running recon-ng from the command line you enter a shell like environment where you can configure options, perform recon and output results to different report types. |
| s-rah/onionscan | OnionScan is a free and open source tool for investigating the Dark Web. |
| same.energy | Tweet Search Engine |
| Shade Map | View Shade on Map |
| SnusBase | The longest standing data breach search engine. |
| sshell/reddit-analyzer | find out when and where someone is posting to reddit |
| SpiderFoot | SpiderFoot - Opensource Intelligence Automation |
| sundowndev/PhoneInfoga | Advanced information gathering & OSINT framework for phone numbersAdvanced information gathering & OSINT framework for phone numbers |
| superhedgy/AttackSurfaceMapper | AttackSurfaceMapper is a tool that aims to automate the reconnaissance process. |
| thewhiteh4t/nexfil | OSINT tool for finding profiles by username |
| vysecurity/LinkedInt | LinkedIn Recon Tool |
| WebBreacher/WhatsMyName | This repository has the unified data required to perform user enumeration on various websites. Content is in a JSON file and can easily be used in other projects. |
| WhatsMyName Web | This tool allows you to enumerate usernames across many websites |
| woj-ciech/kamerka | Build interactive map of cameras from Shodan |
| woj-ciech/SocialPath | Track users across social media platform |
| yogeshojha/rengine | reNgine is an automated reconnaissance framework meant for information gathering during penetration testing of web applications. reNgine has customizable scan engines, which can be used to scan the websites, endpoints, and gather information. |
| berzerk0/Probable-Wordlists | Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular! |
| byt3bl33d3r/SprayingToolkit | Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient |
| c6fc/npk | A mostly-serverless distributed hash cracking platform |
| f0cker/crackq | CrackQ: A Python Hashcat cracking queue system |
| fireeye/gocrack | GoCrack provides APIs to manage password cracking tasks across supported cracking engines. |
| JoelGMSec/Cloudtopolis | Zero Infrastructure Password Cracking |
| l0phtcrack/l0phtcrack | L0phtCrack Password Auditor |
| sc0tfree/mentalist | Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper. |
| trustedsec/hate_crack | A tool for automating cracking methodologies through Hashcat from the TrustedSec team. |
| danielmiessler/SecLists | SecLists is the security tester's companion. It is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. |
| Link | Description |
| AlteredSecurity/365-Stealer/ | 365-Stealer is the tool written in python3 which steals data from victims office365 by using access_token which we get by phishing. It steals outlook mails, attachments, OneDrive files, OneNote notes and injects macros. |
| bitsadmin/fakelogonscreen | Fake Windows logon screen to steal passwords |
| BiZken/PhishMailer | Generate Professional Phishing Emails Fast And Easy |
| boxug/trape | People tracker on the Internet: Learn to track the world, to avoid being traced. |
| dafthack/MailSniper | MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain. |
| drk1wi/Modlishka | Modlishka. Reverse Proxy. Phishing NG. |
| certsocietegenerale/swordphish-awareness | Swordphish is a plateform allowing to create and manage fake phishing campaigns. |
| curtbraz/Phishing-API | Comprehensive Web Based Phishing Suite of Tools for Rapid Deployment and Real-Time Alerting! |
| Simple Email Reputation | Illuminate the "reputation" behind an email address |
| fireeye/ReelPhish | ReelPhish: A Real-Time Two-Factor Phishing Tool |
| fkasler/phishmonger | Phishing Framework for Pentesters |
| GemGeorge/SniperPhish/ | SniperPhish - The Web-Email Spear Phishing Toolkit |
| gophish/gophish | Gophish is an open-source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training |
| htr-tech/zphisher | An automated phishing tool with 30+ templates. |
| kgretzky/evilginx2 | Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication |
| Mailsploit | TL;DR: Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks. The spoofing is not detected by Mail Transfer Agents (MTA) aka email servers, therefore circumventing spoofing protection mechanisms such as DMARC (DKIM/SPF) or spam filters. |
| mdsecactivebreach/o365-attack-toolkit | o365-attack-toolkit allows operators to perform an OAuth phishing attack and later on use the Microsoft Graph API to extract interesting information. |
| Mr-Un1k0d3r/CatMyPhish | Search for categorized domain |
| muraenateam/muraena | Muraena is an almost-transparent reverse proxy aimed at automating phishing and post-phishing activities. |
| optiv/Microsoft365_devicePhish | A proof-of-concept script to conduct a phishing attack abusing Microsoft 365 OAuth Authorization Flow |
| PoFish | A new docker for phishing (PoFish) |
| Pretext Project | Open-Source Collection of Social Engineering Pretexts |
| Raikia/UhOh365 | A script that can see if an email address is valid in Office365 (user/email enumeration). This does not perform any login attempts, is unthrottled, and is incredibly useful for social engineering assessments to find which emails exist and which don't. |
| ralphte/build_a_phish | Ansible playbook to deploy a phishing engagement in the cloud. |
| Rices/Phishious | An open-source Secure Email Gateway (SEG) evaluation toolkit designed for red-teamers. |
| ring0lab/catphish | Generate similar-looking domains for phishing attacks. Check expired domains and their categorized domain status to evade proxy categorization. Whitelisted domains are perfect for your C2 servers. |
| sebastian-mora/awsssome_phish | AWS SSO serverless phishing API. |
| securestate/king-phisher | Phishing Campaign Toolkit |
| secureworks/PhishInSuits | PhishInSuits: OAuth Device Code Phishing with Verified Apps |
| thelinuxchoice/blackeye | The most complete Phishing Tool, with 32 templates +1 customizable |
| thelinuxchoice/shellphish | Phishing Tool for 18 social media: Instagram, Facebook, Snapchat, Github, Twitter, Yahoo, Protonmail, Spotify, Netflix, Linkedin, Wordpress, Origin, Steam, Microsoft, InstaFollowers, Gitlab, Pinterest |
| threatexpress/domainhunter | Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names |
| Undeadsec/EvilURL | An unicode domain phishing generator for IDN Homograph Attack |
| UndeadSec/SocialFish | Ultimate phishing tool. Socialize with the credentials |
| ustayready/CredSniper | CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens. |
| xiecat/goblin | Goblin for Phishing Exercise Tools |
| Yaxser/SharpPhish | Using outlook COM objects to create convincing phishing emails without the user noticing. This project is meant for internal phishing. |
| Link | Description |
| breadcrumbs | Breadcrumbs is a blockchain analytics platform accessible to everyone. It offers a range of tools for investigating, monitoring, tracking and sharing relevant information on blockchain transactions. |
| cleanunicorn/karl | Monitor smart contracts deployed on blockchain and test against vulnerabilities with Mythril |
| ConsenSys/mythril | Security analysis tool for EVM bytecode. Supports smart contracts built for Ethereum, Hedera, Quorum, Vechain, Roostock, Tron and other EVM-compatible blockchains. |
| Contract list | Ethereum Contract Library by Dedaub |
| ConsenSys/smart-contract-best-practices | A guide to smart contract security best practices |
| crytic/echidna | Ethereum smart contract fuzzer |
| csienslab/ProMutator | ProMutator: Detecting Vulnerable Price Oracles in DeFi by Mutated Transactions |
| crytic/slither | Static Analyzer for Solidity |
| ethereum-lists/contracts | List of contracts from known projects (work in progress) |
| EthTx Transaction Decoder | EthTx is an open source decoder of blockchain transactions that is made freely available to the Ethereum Community as a Python library in public PyPi index |
| enzymefinance/oyente | An Analysis Tool for Smart Contracts |
| ETH.Build | An Educational Sandbox For Web3... And Much More. |
| flashloan-monitor | BlockSec Flashloan Monitor |
| fravoll/solidity-patterns | A compilation of patterns and best practices for the smart contract programming language Solidity |
| IC3Hydra/Hydra | Framework for cryptoeconomic contract security, decentralized security bounties. Live on Ethereum. |
| Lossless | The first DeFi hack mitigation tool for token creators. |
| mikedeshazer/bricks | Bricks is a sandbox and instruction manual collection for building smart contract exploits for Ethereum blockchains, designed to help developers think like hackers in a safe, fun environment. |
| Mytx | Smart contract security service for Ethereum |
| nccgroup/GOATCasino | This is an intentionally vulnerable smart contract truffle deployment aimed at allowing those interested in smart contract security to exploit a wide variety of issues in a safe environment. |
| OpenZeppelin/contracts-wizard | Interactive smart contract generator based on OpenZeppelin Contracts. |
| OpenZeppelin/damn-vulnerable-defi | A set of challenges to hack implementations of DeFi in Ethereum. Featuring flash loans, oracles, governance, NFTs, lending pools, and more! |
| raineorshine/solgraph | Visualize Solidity control flow for smart contract security analysis. 💵 ⇆ 💵 |
| Robsonsjre/FlashloanUsecases | DeFi 201 - Lets hack Flash Loans |
| sigp/beacon-fuzz | Differential Fuzzer for Ethereum 2.0 |
| smartbugs/smartbugs | SmartBugs: A Framework to Analyze Solidity Smart Contracts |
| The Ethernaut | The Ethernaut is a Web3/Solidity based wargame inspired on overthewire.org, played in the Ethereum Virtual Machine. Each level is a smart contract that needs to be 'hacked'. |
| Link | Description |
| appsecco/VyAPI | VyAPI - A cloud based vulnerable hybrid Android App |
| atxsinn3r/VulnCases | Vulnerability examples. |
| AutomatedLab/AutomatedLab | AutomatedLab is a provisioning solution and framework that lets you deploy complex labs on HyperV and Azure with simple PowerShell scripts. It supports all Windows operating systems from 2008 R2 to 2016 including Nano Server and various products like AD, Exchange, PKI, IIS, etc. |
| avishayil/caponeme | Repository demonstrating the Capital One breach on your AWS account |
| Azure/Convex | Cloud Open-source Network Vulnerability Exploitation eXperience (CONVEX) spins up Capture The Flag environments in your Azure tenant for participants to play through. |
| Azure/SimuLand | Understand adversary tradecraft and improve detection strategies |
| Billy-Ellis/Exploit-Challenges | A collection of vulnerable ARM binaries for practicing exploit development |
| bkerler/exploit_me | Very vulnerable ARM application (CTF style exploitation tutorial) |
| bkimminich/juice-shop | OWASP Juice Shop is an intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws. |
| brant-ruan/metarget | Framework providing automatic constructions of vulnerable infrastructures |
| bridgecrewio/terragoat | TerraGoat is Bridgecrew's "Vulnerable by Design" Terraform repository. TerraGoat is a learning and training project that demonstrates how common configuration errors can find their way into production cloud environments. |
| clong/DetectionLab | Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices |
| cliffe/SecGen | SecGen creates vulnerable virtual machines so students can learn security penetration testing techniques. |
| CodeShield-Security/Serverless-Goat-Java | Java version of the deliberately vulnerable serverless application Serverless-Goat from https://github.com/OWASP/Serverless-Goat |
| detectify/vulnerable-nginx | An intentionally vulnerable NGINX setup |
| dolevf/Damn-Vulnerable-GraphQL-Application | Damn Vulnerable GraphQL Application is an intentionally vulnerable implementation of Facebook's GraphQL technology, to learn and practice GraphQL Security. |
| Flangvik/DeployPrinterNightmare | C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc! |
| globocom/secDevLabs | A laboratory for learning secure web and mobile development in a practical manner. |
| google/google-ctf | This repository lists most of the challenges used in the Google CTF 2017. The missing challenges are not ready to be open-sourced, or contain third-party code. |
| kmcquade/owasp-youtube-2021 | Deliberately vulnerable AWS resources for security assessment demos |
| Lenas Reversing for Newbies | Nice collection of tutorials aimed particularly for newbie reverse enginners... |
| InsiderPhD/Generic-University | Vulnerable API |
| madhuakula/kubernetes-goat | Kubernetes Goat is "Vulnerable by Design" Kubernetes Cluster. Designed to be an intentionally vulnerable cluster environment to learn and practice Kubernetes security. |
| nccgroup/sadcloud | A tool for standing up (and tearing down!) purposefully insecure cloud infrastructure |
| OWASP/iGoat-Swift | OWASP iGoat (Swift) - A Damn Vulnerable Swift Application for iOS |
| quarkslab/minik8s-ctf | A beginner-friendly CTF about Kubernetes security. |
| rapid7/hackazon | A modern vulnerable web app |
| rewanth1997/Damn-Vulnerable-Bank | Vulnerable Banking Application for Android |
| Reverse Engineering | Welcome to the Reverse Engineering open course! This course is a journey into executable binaries and operating systems from 3 different angles: 1) Malware analysis, 2) Bug hunting and 3) Exploit writing. Both Windows and Linux x86/x86_64 platforms are under scope. |
| sagishahar/lpeworkshop | Windows / Linux Local Privilege Escalation Workshop |
| SEED Labs | Various labs from SEED Project |
| shellphish/how2heap | A repository for learning various heap exploitation techniques. |
| Vulnerable Docker VM | Ever fantasized about playing with docker misconfigurations, privilege escalation, etc. within a container? |
| vulhub/vulhub | Pre-Built Vulnerable Environments Based on Docker-Compose |
In this class you will learn how to design secure systems and write secure code. You will learn how to find vulnerabilities in code and how to design software systems that limit the impact of security vulnerabilities. We will focus on principles for building secure systems and give many real world examples.
This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.
This course is a continuation of Crypto I and explains the inner workings of public-key systems and cryptographic protocols. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with constructions for digital signatures and their applications. We will then discuss protocols for user authentication and zero-knowledge protocols. Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup. We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography.
This course focuses on how to design and build secure systems with a human-centric focus. We will look at basic principles of human-computer interaction, and apply these insights to the design of secure systems with the goal of developing security measures that respect human performance and their goals within a system.
This course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them -- such as buffer overflows, SQL injection, and session hijacking -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.
This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications. We will learn the importance of carefully defining security; of relying on a set of well-studied "hardness assumptions" (e.g., the hardness of factoring large numbers); and of the possibility of proving security of complicated constructions based on low-level primitives. We will not only cover these ideas in theory, but will also explore their real-world impact. You will learn about cryptographic primitives in wide use today, and see how these can be combined to develop modern protocols for secure communication.
This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications. We will learn the importance of carefully defining security; of relying on a set of well-studied “hardness assumptions” (e.g., the hardness of factoring large numbers); and of the possibility of proving security of complicated constructions based on low-level primitives. We will not only cover these ideas in theory, but will also explore their real-world impact. You will learn about cryptographic primitives in wide use today, and see how these can be combined to develop modern protocols for secure communication.
This course will introduce you to the cybersecurity, ideal for learners who are curious about the world of Internet security and who want to be literate in the field. This course will take a ride in to cybersecurity feild for beginners.
There are 5-6 major job roles in industry for cybersecurity enthusiast. In This course you will Learn about different career pathways in cybersecurity and complete a self-assessment project to better understand the right path for you.
This course is good for beginner It contains introduction to cybersecurity, The CISO's view, Helps you building cybersecurity toolKit and find your cybersecurity career path.
Developed from the materials of NYU Tandon's old Penetration Testing and Vulnerability Analysis course, Hack Night is a sobering introduction to offensive security. A lot of complex technical content is covered very quickly as students are introduced to a wide variety of complex and immersive topics over thirteen weeks.
The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities is to achieve a return on an investment (his/her time usually). This return need not be strictly monetary, an attacker may be interested in obtaining access to data, identities, or some other commodity that is valuable to them. The field of penetration testing involves authorized auditing and exploitation of systems to assess actual system security in order to protect against attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus, this course provides an introductory but comprehensive coverage of the fundamental methodologies, skills, legal issues, and tools used in white hat penetration testing and secure system administration.
This class allows students to look deep into know protocols (i.e. IP, TCP, UDP) to see how an attacker can utilize these protocols to their advantage and how to spot issues in a network via captured network traffic. The first half of this course focuses on know protocols while the second half of the class focuses on reverse engineering unknown protocols. This class will utilize captured traffic to allow students to reverse the protocol by using known techniques such as incorporating bioinformatics introduced by Marshall Beddoe. This class will also cover fuzzing protocols to see if the server or client have vulnerabilities. Overall, a student finishing this class will have a better understanding of the network layers, protocols, and network communication and their interaction in computer networks.
This course will introduce students to modern malware analysis techniques through readings and hands-on interactive analysis of real-world samples. After taking this course students will be equipped with the skills to analyze advanced contemporary malware using both static and dynamic analysis.
This course will start off by covering basic x86 reverse engineering, vulnerability analysis, and classical forms of Linux-based userland binary exploitation. It will then transition into protections found on modern systems (Canaries, DEP, ASLR, RELRO, Fortify Source, etc) and the techniques used to defeat them. Time permitting, the course will also cover other subjects in exploitation including kernel-land and Windows based exploitation.
Reverse engineering techniques for semiconductor devices and their applications to competitive analysis, IP litigation, security testing, supply chain verification, and failure analysis. IC packaging technologies and sample preparation techniques for die recovery and live analysis. Deprocessing and staining methods for revealing features bellow top passivation. Memory technologies and appropriate extraction techniques for each. Study contemporary anti-tamper/anti-RE methods and their effectiveness at protecting designs from attackers. Programmable logic microarchitecture and the issues involved with reverse engineering programmable logic.
-
CNIT 40: DNS Security
DNS is crucial for all Internet transactions, but it is subject to numerous security risks, including phishing, hijacking, packet amplification, spoofing, snooping, poisoning, and more. Learn how to configure secure DNS servers, and to detect malicious activity with DNS monitoring. We will also cover DNSSEC principles and deployment. Students will perform hands-on projects deploying secure DNS servers on both Windows and Linux platforms. -
CNIT 120 - Network Security
Knowledge and skills required for Network Administrators and Information Technology professionals to be aware of security vulnerabilities, to implement security measures, to analyze an existing network environment in consideration of known security threats or risks, to defend against attacks or viruses, and to ensure data privacy and integrity. Terminology and procedures for implementation and configuration of security, including access control, authorization, encryption, packet filters, firewalls, and Virtual Private Networks (VPNs). -
CNIT 121 - Computer Forensics
The class covers forensics tools, methods, and procedures used for investigation of computers, techniques of data recovery and evidence collection, protection of evidence, expert witness skills, and computer crime investigation techniques. Includes analysis of various file systems and specialized diagnostic software used to retrieve data. Prepares for part of the industry standard certification exam, Security+, and also maps to the Computer Investigation Specialists exam. -
CNIT 123 - Ethical Hacking and Network Defense
Students learn how hackers attack computers and networks, and how to protect systems from such attacks, using both Windows and Linux systems. Students will learn legal restrictions and ethical guidelines, and will be required to obey them. Students will perform many hands-on labs, both attacking and defending, using port scans, footprinting, exploiting Windows and Linux vulnerabilities, buffer overflow exploits, SQL injection, privilege escalation, Trojans, and backdoors. -
CNIT 124 - Advanced Ethical Hacking
Advanced techniques of defeating computer security, and countermeasures to protect Windows and Unix/Linux systems. Hands-on labs include Google hacking, automated footprinting, sophisticated ping and port scans, privilege escalation, attacks against telephone and Voice over Internet Protocol (VoIP) systems, routers, firewalls, wireless devices, Web servers, and Denial of Service attacks. -
CNIT 126 - Practical Malware Analysis
Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, static and dynamic analysis, using IDA Pro, OllyDbg and other tools. -
CNIT 127 - Exploit Development
Learn how to find vulnerabilities and exploit them to gain control of target systems, including Linux, Windows, Mac, and Cisco. This class covers how to write tools, not just how to use them; essential skills for advanced penetration testers and software security professionals. -
CNIT 128 - Hacking Mobile Devices
Mobile devices such as smartphones and tablets are now used for making purchases, emails, social networking, and many other risky activities. These devices run specialized operating systems have many security problems. This class will cover how mobile operating systems and apps work, how to find and exploit vulnerabilities in them, and how to defend them. Topics will include phone call, voicemail, and SMS intrusion, jailbreaking, rooting, NFC attacks, malware, browser exploitation, and application vulnerabilities. Hands-on projects will include as many of these activities as are practical and legal. -
CNIT 129S: Securing Web Applications
Techniques used by attackers to breach Web applications, and how to protect them. How to secure authentication, access, databases, and back-end components. How to protect users from each other. How to find common vulnerabilities in compiled code and source code. -
CNIT 140: IT Security Practices
Training students for cybersecurity competitions, including CTF events and the Collegiate Cyberdefense Competition (CCDC). This training will prepare students for employment as security professionals, and if our team does well in the competitions, the competitors will gain recognition and respect which should lead to more and better job offers. -
Violent Python and Exploit Development
In the exploit development section, students will take over vulnerable systems with simple Python scripts.
Hands-On course coverings topics such as mobile ecosystem, the design and architecture of mobile operating systems, application analysis, reverse engineering, malware detection, vulnerability assessment, automatic static and dynamic analysis, and exploitation and mitigation techniques. Besides the slides for the course, there are also multiple challenges covering mobile app development, reversing and exploitation.
OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
-
Android Forensics & Security Testing
This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications. -
Certified Information Systems Security Professional (CISSP)®
Common Body of Knowledge (CBK)® Review
The CISSP CBK Review course is uniquely designed for federal agency information assurance (IA) professionals in meeting NSTISSI-4011, National Training Standard for Information Systems Security Professionals, as required by DoD 8570.01-M, Information Assurance Workforce Improvement Program. -
Flow Analysis & Network Hunting
This course focuses on network analysis and hunting of malicious activity from a security operations center perspective. We will dive into the netflow strengths, operational limitations of netflow, recommended sensor placement, netflow tools, visualization of network data, analytic trade craft for network situational awareness and networking hunting scenarios. -
Hacking Techniques and Intrusion Detection
The course is designed to help students gain a detailed insight into the practical and theoretical aspects of advanced topics in hacking techniques and intrusion detection. -
Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations. -
Introductory Intel x86-64: Architecture, Assembly, Applications, & Alliteration
This class serves as a foundation for the follow on Intermediate level x86 class. It teaches the basic concepts and describes the hardware that assembly code deals with. It also goes over many of the most common assembly instructions. Although x86 has hundreds of special purpose instructions, students will be shown it is possible to read most programs by knowing only around 20-30 instructions and their variations. -
Introduction to ARM
This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor. -
Introduction to Cellular Security
This course is intended to demonstrate the core concepts of cellular network security. Although the course discusses GSM, UMTS, and LTE - it is heavily focused on LTE. The course first introduces important cellular concepts and then follows the evolution of GSM to LTE. -
Introduction to Network Forensics
This is a mainly lecture based class giving an introduction to common network monitoring and forensic techniques. -
Introduction to Secure Coding
This course provides a look at some of the most prevalent security related coding mistakes made in industry today. Each type of issue is explained in depth including how a malicious user may attack the code, and strategies for avoiding the issues are then reviewed. -
Introduction to Vulnerability Assessment
This is a lecture and lab based class giving an introduction to vulnerability assessment of some common common computing technologies. Instructor-led lab exercises are used to demonstrate specific tools and technologies. -
Introduction to Trusted Computing
This course is an introduction to the fundamental technologies behind Trusted Computing. You will learn what Trusted Platform Modules (TPMs) are and what capabilities they can provide both at an in-depth technical level and in an enterprise context. You will also learn about how other technologies such as the Dynamic Root of Trust for Measurement (DRTM) and virtualization can both take advantage of TPMs and be used to enhance the TPM's capabilities. -
Offensive, Defensive, and Forensic Techniques for Determining Web User Identity
This course looks at web users from a few different perspectives. First, we look at identifying techniques to determine web user identities from a server perspective. Second, we will look at obfuscating techniques from a user whom seeks to be anonymous. Finally, we look at forensic techniques, which, when given a hard drive or similar media, we identify users who accessed that server. -
Pcap Analysis & Network Hunting
Introduction to Packet Capture (PCAP) explains the fundamentals of how, where, and why to capture network traffic and what to do with it. This class covers open-source tools like tcpdump, Wireshark, and ChopShop in several lab exercises that reinforce the material. Some of the topics include capturing packets with tcpdump, mining DNS resolutions using only command-line tools, and busting obfuscated protocols. This class will prepare students to tackle common problems and help them begin developing the skills to handle more advanced networking challenges. -
Malware Dynamic Analysis
This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools. The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding -
Secure Code Review
The course briefly talks about the development lifecycle and the importance of peer reviews in delivering a quality product. How to perform this review is discussed and how to keep secure coding a priority during the review is stressed. A variety of hands-on exercises will address common coding mistakes, what to focus on during a review, and how to manage limited time. -
Smart Cards
This course shows how smart cards are different compared to other type of cards. It is explained how smart cards can be used to realize confidentiality and integrity of information. -
The Life of Binaries
Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR). -
Understanding Cryptology: Core Concepts
This is an introduction to cryptology with a focus on applied cryptology. It was designed to be accessible to a wide audience, and therefore does not include a rigorous mathematical foundation (this will be covered in later classes). -
Understanding Cryptology: Cryptanalysis
A class for those who want to stop learning about building cryptographic systems and want to attack them. This course is a mixture of lecture designed to introduce students to a variety of code-breaking techniques and python labs to solidify those concepts. Unlike its sister class, Core Concepts, math is necessary for this topic.
-
Exploits 1: Introduction to Software Exploits
Software vulnerabilities are flaws in program logic that can be leveraged by an attacker to execute arbitrary code on a target system. This class will cover both the identification of software vulnerabilities and the techniques attackers use to exploit them. In addition, current techniques that attempt to remediate the threat of software vulnerability exploitation will be discussed. -
Exploits 2: Exploitation in the Windows Environment
This course covers the exploitation of stack corruption vulnerabilities in the Windows environment. Stack overflows are programming flaws that often times allow an attacker to execute arbitrary code in the context of a vulnerable program. There are many nuances involved with exploiting these vulnerabilities in Windows. Window's exploit mitigations such as DEP, ASLR, SafeSEH, and SEHOP, makes leveraging these programming bugs more difficult, but not impossible. The course highlights the features and weaknesses of many the exploit mitigation techniques deployed in Windows operating systems. Also covered are labs that describe the process of finding bugs in Windows applications with mutation based fuzzing, and then developing exploits that target those bugs. -
Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
Building upon the Introductory Intel x86 class, this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work.
-
Advanced x86: Virtualization with Intel VT-x
The purpose of this course is to provide a hands on introduction to Intel hardware support for virtualization. The first part will motivate the challenges of virtualization in the absence of dedicated hardware. This is followed by a deep dive on the Intel virtualization "API" and labs to begin implementing a blue pill / hyperjacking attack made famous by researchers like Joanna Rutkowska and Dino Dai Zovi et al. Finally a discussion of virtualization detection techniques. -
Advanced x86: Introduction to BIOS & SMM
We will cover why the BIOS is critical to the security of the platform. This course will also show you what capabilities and opportunities are provided to an attacker when BIOSes are not properly secured. We will also provide you tools for performing vulnerability analysis on firmware, as well as firmware forensics. This class will take people with existing reverse engineering skills and teach them to analyze UEFI firmware. This can be used either for vulnerability hunting, or to analyze suspected implants found in a BIOS, without having to rely on anyone else. -
Introduction to Reverse Engineering Software
Throughout the history of invention curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day from recreating outdated and incompatible software, understanding malicious code, or exploiting weaknesses in software. -
Reverse Engineering Malware
This class picks up where the Introduction to Reverse Engineering Software course left off, exploring how static reverse engineering techniques can be used to understand what a piece of malware does and how it can be removed. -
Rootkits: What they are, and how to find them
Rootkits are a class of malware which are dedicated to hiding the attacker’s presence on a compromised system. This class will focus on understanding how rootkits work, and what tools can be used to help find them. -
The Adventures of a Keystroke: An in-depth look into keylogging on Windows
Keyloggers are one of the most widely used components in malware. Keyboard and mouse are the devices nearly all of the PCs are controlled by, this makes them an important target of malware authors. If someone can record your keystrokes then he can control your whole PC without you noticing.
-
CompTIA A+
This course covers the fundamentals of computer technology, basic networking, installation and configuration of PCs, laptops and related hardware, as well as configuring common features for mobile operation systems Android and Apple iOS. -
CompTIA Linux+
Our free, self-paced online Linux+ training prepares students with the knowledge to become a certified Linux+ expert, spanning a curriculum that covers Linux maintenance tasks, user assistance and installation and configuration. -
CompTIA Cloud+
Our free, online Cloud+ training addresses the essential knowledge for implementing, managing and maintaining cloud technologies as securely as possible. It covers cloud concepts and models, virtualization, and infrastructure in the cloud. -
CompTIA Network+
In addition to building one’s networking skill set, this course is also designed to prepare an individual for the Network+ certification exam, a distinction that can open a myriad of job opportunities from major companies -
CompTIA Advanced Security Practitioner
In our free online CompTIA CASP training, you’ll learn how to integrate advanced authentication, how to manage risk in the enterprise, how to conduct vulnerability assessments and how to analyze network security concepts and components. -
CompTIA Security+
Learn about general security concepts, basics of cryptography, communications security and operational and organizational security. With the increase of major security breaches that are occurring, security experts are needed now more than ever. -
ITIL Foundation
Our online ITIL Foundation training course provides baseline knowledge for IT service management best practices: how to reduce costs, increase enhancements in processes, improve IT productivity and overall customer satisfaction. -
Cryptography
In this online course we will be examining how cryptography is the cornerstone of security technologies, and how through its use of different encryption methods you can protect private or sensitive information from unauthorized access. -
Cisco CCNA
Our free, online, self-paced CCNA training teaches students to install, configure, troubleshoot and operate LAN, WAN and dial access services for medium-sized networks. You’ll also learn how to describe the operation of data networks. -
Virtualization Management
Our free, self-paced online Virtualization Management training class focuses on installing, configuring and managing virtualization software. You’ll learn how to work your way around the cloud and how to build the infrastructure for it. -
Penetration Testing and Ethical Hacking
If the idea of hacking as a career excites you, you’ll benefit greatly from completing this training here on Cybrary. You’ll learn how to exploit networks in the manner of an attacker, in order to find out how protect the system from them. -
Computer and Hacking Forensics
Love the idea of digital forensics investigation? That’s what computer forensics is all about. You’ll learn how to; determine potential online criminal activity at its inception, legally gather evidence, search and investigate wireless attacks. -
Web Application Penetration Testing
In this course, SME, Raymond Evans, takes you on a wild and fascinating journey into the cyber security discipline of web application pentesting. This is a very hands-on course that will require you to set up your own pentesting environment. -
CISA - Certified Information Systems Auditor
In order to face the dynamic requirements of meeting enterprise vulnerability management challenges, this course covers the auditing process to ensure that you have the ability to analyze the state of your organization and make changes where needed. -
Secure Coding
Join industry leader Sunny Wear as she discusses secure coding guidelines and how secure coding is important when it comes to lowering risk and vulnerabilities. Learn about XSS, Direct Object Reference, Data Exposure, Buffer Overflows, & Resource Management. -
NIST 800-171 Controlled Unclassified Information Course
The Cybrary NIST 800-171 course covers the 14 domains of safeguarding controlled unclassified information in non-federal agencies. Basic and derived requirements are presented for each security domain as defined in the NIST 800-171 special publication. -
Advanced Penetration Testing
This course covers how to attack from the web using cross-site scripting, SQL injection attacks, remote and local file inclusion and how to understand the defender of the network you’re breaking into to. You’ll also learn tricks for exploiting a network. -
Intro to Malware Analysis and Reverse Engineering
In this course you’ll learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries. -
Social Engineering and Manipulation
In this online, self-paced Social Engineering and Manipulation training class, you will learn how some of the most elegant social engineering attacks take place. Learn to perform these scenarios and what is done during each step of the attack. -
Post Exploitation Hacking
In this free self-paced online training course, you’ll cover three main topics: Information Gathering, Backdooring and Covering Steps, how to use system specific tools to get general information, listener shells, metasploit and meterpreter scripting. -
Python for Security Professionals
This course will take you from basic concepts to advanced scripts in just over 10 hours of material, with a focus on networking and security. -
Metasploit
This free Metasploit training class will teach you to utilize the deep capabilities of Metasploit for penetration testing and help you to prepare to run vulnerability assessments for organizations of any size. -
ISC2 CCSP - Certified Cloud Security Professional
The reality is that attackers never rest, and along with the traditional threats targeting internal networks and systems, an entirely new variety specifically targeting the cloud has emerged.
Executive
-
CISSP - Certified Information Systems Security Professional
Our free online CISSP (8 domains) training covers topics ranging from operations security, telecommunications, network and internet security, access control systems and methodology and business continuity planning. -
CISM - Certified Information Security Manager
Cybrary’s Certified Information Security Manager (CISM) course is a great fit for IT professionals looking to move up in their organization and advance their careers and/or current CISMs looking to learn about the latest trends in the IT industry. -
PMP - Project Management Professional
Our free online PMP training course educates on how to initiate, plan and manage a project, as well as the process behind analyzing risk, monitoring and controlling project contracts and how to develop schedules and budgets. -
CRISC - Certified in Risk and Information Systems Control
Certified in Risk and Information Systems Control is for IT and business professionals who develop and maintain information system controls, and whose job revolves around security operations and compliance. -
Risk Management Framework
The National Institute of Standards and Technology (NIST) established the Risk Management Framework (RMF) as a set of operational and procedural standards or guidelines that a US government agency must follow to ensure the compliance of its data systems. -
ISC2 CSSLP - Certified Secure Software Life-cycle Professional
This course helps professionals in the industry build their credentials to advance within their organization, allowing them to learn valuable managerial skills as well as how to apply the best practices to keep organizations systems running well. -
COBIT - Control Objectives for Information and Related Technologies
Cybrary’s online COBIT certification program offers an opportunity to learn about all the components of the COBIT 5 framework, covering everything from the business end-to-end to strategies in how effectively managing and governing enterprise IT. -
Corporate Cybersecurity Management
Cyber risk, legal considerations and insurance are often overlooked by businesses and this sets them up for major financial devastation should an incident occur.
Hopper's Roppers is a community dedicated to providing free training to beginners so that they have the best introduction to the field possible and have the knowledge, skills, and confidence required to figure out what the next ten thousand hours will require them to learn.
-
Introduction to Computing Fundamentals
A free, self-paced curriculum designed to give a beginner all of the foundational knowledge and skills required to be successful. It teaches security fundamentals along with building a strong technical foundation that students will build on for years to come. Learning Objectives: Linux, Hardware, Networking, Operating Systems, Power User, Scripting Pre-Reqs: None -
Introduction to Capture the Flags
Free course designed to teach the fundamentals required to be successful in Capture the Flag competitions and compete in the picoCTF event. Our mentors will track your progress and provide assistance every step of the way. Learning Objectives: CTFs, Forensics, Cryptography, Web-Exploitation Pre-Reqs: Linux, Scripting -
Introduction to Security
Free course designed to teach students security theory and have them execute defensive measures so that they are better prepared against threats online and in the physical world. Learning Objectives: Security Theory, Practical Application, Real-World Examples Pre-Reqs: None -
Practical Skills Bootcamp
Our free course to introduce students to Linux fundamentals and Python scripting so that they "Learn Just Enough to be Dangerous". Fastest way to get a beginner up to speed on practical knowledge. Learning Objectives: Linux, Scripting Pre-Reqs: None
Started in 2002, funded by a total of 1.3 million dollars from NSF, and now used by hundreds of educational institutes worldwide, the SEED project's objective is to develop hands-on laboratory exercises (called SEED labs) for computer and information security education and help instructors adopt these labs in their curricula.
These labs cover some of the most common vulnerabilities in general software. The labs show students how attacks work in exploiting these vulnerabilities.
-
Buffer-Overflow Vulnerability Lab
Launching attack to exploit the buffer-overflow vulnerability using shellcode. Conducting experiments with several countermeasures. -
Return-to-libc Attack Lab
Using the return-to-libc technique to defeat the "non-executable stack" countermeasure of the buffer-overflow attack. -
Environment Variable and Set-UID Lab
This is a redesign of the Set-UID lab (see below). -
Set-UID Program Vulnerability Lab
Launching attacks on privileged Set-UID root program. Risks of environment variables. Side effects of system(). -
Race-Condition Vulnerability Lab
Exploiting the race condition vulnerability in privileged program. Conducting experiments with various countermeasures. -
Format-String Vulnerability Lab
Exploiting the format string vulnerability to crash a program, steal sensitive information, or modify critical data. -
Shellshock Attack Lab
Launch attack to exploit the Shellshock vulnerability that is discovered in late 2014.
These labs cover topics on network security, ranging from attacks on TCP/IP and DNS to various network security technologies (Firewall, VPN, and IPSec).
-
TCP/IP Attack Lab
Launching attacks to exploit the vulnerabilities of the TCP/IP protocol, including session hijacking, SYN flooding, TCP reset attacks, etc. -
Heartbleed Attack Lab
Using the heartbleed attack to steal secrets from a remote server. -
Local DNS Attack Lab
Using several methods to conduct DNS pharming attacks on computers in a LAN environment. -
Remote DNS Attack Lab
Using the Kaminsky method to launch DNS cache poisoning attacks on remote DNS servers. -
Packet Sniffing and Spoofing Lab
Writing programs to sniff packets sent over the local network; writing programs to spoof various types of packets. -
Linux Firewall Exploration Lab
Writing a simple packet-filter firewall; playing with Linux's built-in firewall software and web-proxy firewall; experimenting with ways to evade firewalls. -
Firewall-VPN Lab: Bypassing Firewalls using VPN
Implement a simple vpn program (client/server), and use it to bypass firewalls. -
Virtual Private Network (VPN) Lab
Design and implement a transport-layer VPN system for Linux, using the TUN/TAP technologies. This project requires at least a month of time to finish, so it is good for final project. -
Minix IPSec Lab
Implement the IPSec protocol in the Minix operating system and use it to set up Virtual Private Networks. -
Minix Firewall Lab
Implementing a simple firewall in Minix operating system.
These labs cover some of the most common vulnerabilities in web applications. The labs show students how attacks work in exploiting these vulnerabilities.
Elgg is an open-source social-network system. We have modified it for our labs.
-
Cross-Site Scripting Attack Lab
Launching the cross-site scripting attack on a vulnerable web application. Conducting experiments with several countermeasures. -
Cross-Site Request Forgery Attack Lab
Launching the cross-site request forgery attack on a vulnerable web application. Conducting experiments with several countermeasures. -
Web Tracking Lab
Experimenting with the web tracking technology to see how users can be checked when they browse the web. -
SQL Injection Attack Lab
Launching the SQL-injection attack on a vulnerable web application. Conducting experiments with several countermeasures.
Collabtive is an open-source web-based project management system. We have modified it for our labs.
-
Cross-site Scripting Attack Lab
Launching the cross-site scripting attack on a vulnerable web application. Conducting experiments with several countermeasures. -
Cross-site Request Forgery Attack Lab
Launching the cross-site request forgery attack on a vulnerable web application. Conducting experiments with several countermeasures. -
SQL Injection Lab
Launching the SQL-injection attack on a vulnerable web application. Conducting experiments with several countermeasures. -
Web Browser Access Control Lab
Exploring browser's access control system to understand its security policies.
PhpBB is an open-source web-based message board system, allowing users to post messages. We have modified it for our labs.
-
Cross-site Scripting Attack Lab
Launching the cross-site scripting attack on a vulnerable web application. Conducting experiments with several countermeasures. -
Cross-site Request Forgery Attack Lab
Launching the cross-site request forgery attack on a vulnerable web application. Conducting experiments with several countermeasures. -
SQL Injection Lab
Launching the SQL-injection attack on a vulnerable web application. Conducting experiments with several countermeasures. -
ClickJacking Attack Lab
Launching the ClickJacking attack on a vulnerable web site. Conducting experiments with several countermeasures.
These labs cover the security mechanisms in operating system, mostly focusing on access control mechanisms in Linux.
-
Linux Capability Exploration Lab
Exploring the POSIX 1.e capability system in Linux to see how privileges can be divided into smaller pieces to ensure the compliance with the Least Privilege principle. -
Role-Based Access Control (RBAC) Lab
Designing and implementing an integrated access control system for Minix that uses both capability-based and role-based access control mechanisms. Students need to modify the Minix kernel. -
Encrypted File System Lab
Designing and implementing an encrypted file system for Minix. Students need to modify the Minix kernel.
These labs cover three essential concepts in cryptography, including secrete-key encryption, one-way hash function, and public-key encryption and PKI.
-
Secret Key Encryption Lab
Exploring the secret-key encryption and its applications using OpenSSL. -
One-Way Hash Function Lab
Exploring one-way hash function and its applications using OpenSSL. -
Public-Key Cryptography and PKI Lab
Exploring public-key cryptography, digital signature, certificate, and PKI using OpenSSL.
These labs focus on the smartphone security, covering the most common vulnerabilities and attacks on mobile devices. An Android VM is provided for these labs.
-
Android Repackaging Lab
Insert malicious code inside an existing Android app, and repackage it. -
Android Device Rooting Lab
Develop an OTA (Over-The-Air) package from scratch to root an Android device.
There is only one way to properly learn web penetration testing: by getting your hands dirty. We teach how to manually find and exploit vulnerabilities. You will understand the root cause of the problems and the methods that can be used to exploit them. Our exercises are based on common vulnerabilities found in different systems. The issues are not emulated. We provide you real systems with real vulnerabilities.
-
From SQL Injection to Shell
This exercise explains how you can, from a SQL injection, gain access to the administration console. Then in the administration console, how you can run commands on the system. -
From SQL Injection to Shell II
This exercise explains how you can, from a blind SQL injection, gain access to the administration console. Then in the administration console, how you can run commands on the system. -
From SQL Injection to Shell: PostgreSQL edition
This exercise explains how you can from a SQL injection gain access to the administration console. Then in the administration console, how you can run commands on the system. -
Web for Pentester
This exercise is a set of the most common web vulnerabilities. -
Web for Pentester II
This exercise is a set of the most common web vulnerabilities. -
PHP Include And Post Exploitation
This exercice describes the exploitation of a local file include with limited access. Once code execution is gained, you will see some post exploitation tricks. -
Linux Host Review
This exercice explains how to perform a Linux host review, what and how you can check the configuration of a Linux server to ensure it is securely configured. The reviewed system is a traditional Linux-Apache-Mysql-PHP (LAMP) server used to host a blog. -
Electronic Code Book
This exercise explains how you can tamper with an encrypted cookies to access another user's account. -
Rack Cookies and Commands injection
After a short brute force introduction, this exercice explains the tampering of rack cookie and how you can even manage to modify a signed cookie (if the secret is trivial). Using this issue, you will be able to escalate your privileges and gain commands execution. -
Padding Oracle
This course details the exploitation of a weakness in the authentication of a PHP website. The website uses Cipher Block Chaining (CBC) to encrypt information provided by users and use this information to ensure authentication. The application also leaks if the padding is valid when decrypting the information. We will see how this behavior can impact the authentication and how it can be exploited. -
XSS and MySQL FILE
This exercise explains how you can use a Cross-Site Scripting vulnerability to get access to an administrator's cookies. Then how you can use his/her session to gain access to the administration to find a SQL injection and gain code execution using it. -
Axis2 Web service and Tomcat Manager
This exercice explains the interactions between Tomcat and Apache, then it will show you how to call and attack an Axis2 Web service. Using information retrieved from this attack, you will be able to gain access to the Tomcat Manager and deploy a WebShell to gain commands execution. -
Play Session Injection
This exercise covers the exploitation of a session injection in the Play framework. This issue can be used to tamper with the content of the session while bypassing the signing mechanism. -
Play XML Entities
This exercise covers the exploitation of a XML entities in the Play framework. -
CVE-2007-1860: mod_jk double-decoding
This exercise covers the exploitation of CVE-2007-1860. This vulnerability allows an attacker to gain access to unaccessible pages using crafted requests. This is a common trick that a lot of testers miss. -
CVE-2008-1930: Wordpress 2.5 Cookie Integrity Protection Vulnerability
This exercise explains how you can exploit CVE-2008-1930 to gain access to the administration interface of a Wordpress installation. -
CVE-2012-1823: PHP CGI
This exercise explains how you can exploit CVE-2012-1823 to retrieve the source code of an application and gain code execution. -
CVE-2012-2661: ActiveRecord SQL injection
This exercise explains how you can exploit CVE-2012-2661 to retrieve information from a database. -
CVE-2012-6081: MoinMoin code execution
This exercise explains how you can exploit CVE-2012-6081 to gain code execution. This vulnerability was exploited to compromise Debian's wiki and Python documentation website. -
CVE-2014-6271/Shellshock
This exercise covers the exploitation of a Bash vulnerability through a CGI.
Learn the fundamentals of Binary Auditing. Know how HLL mapping works, get more inner file understanding than ever. Learn how to find and analyse software vulnerability. Dig inside Buffer Overflows and learn how exploits can be prevented. Start to analyse your first viruses and malware the safe way. Learn about simple tricks and how viruses look like using real life examples.
Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled class room environment.
Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. The aim of this project is to help security professionals learn about Web Application Security through the use of a practical lab environment.
OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiest. With dozens of vulns and hints to help the user; this is an easy-to-use web hacking environment designed for labs, security enthusiast, classrooms, CTF, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, corporate web sec training courses, and as an "assess the assessor" target for vulnerability assessment software.
Open Web Application Security Project (OWASP) Broken Web Applications Project, a collection of vulnerable web applications that is distributed on a Virtual Machine in VMware format compatible with their no-cost and commercial VMware products.
Bricks is a web application security learning platform built on PHP and MySQL. The project focuses on variations of commonly seen application security issues. Each 'Brick' has some sort of security issue which can be leveraged manually or using automated software tools. The mission is to 'Break the Bricks' and thus learn the various aspects of web application security.
The Hackademic Challenges implement realistic scenarios with known vulnerabilities in a safe and controllable environment. Users can attempt to discover and exploit these vulnerabilities in order to learn important concepts of information security through an attacker's perspective.
The Web Attack and Exploitation Distro (WAED) is a lightweight virtual machine based on Debian Distribution. WAED is pre-configured with various real-world vulnerable web applications in a sandboxed environment. It includes pentesting tools that aid in finding web application vulnerabilities. The main motivation behind this project is to provide a practical environment to learn about web application's vulnerabilities without the hassle of dealing with complex configurations. Currently, there are around 18 vulnerable applications installed in WAED.
XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose. How you use these skills and knowledge base is not our responsibility.
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.
SQLi-LABS is a comprehensive test bed to Learn and understand nitti gritty of SQL injections and thereby helps professionals understand how to protect.
This pentester training platform/lab is full of machines (boxes) to hack on the different difficulty level. Majority of the content generated by the community and released on the website after the staff's approval. Besides boxes users also can pick static challenges or work on advanced tasks like Fortress or Endgame.
We all learn in different ways: in a group, by yourself, reading books, watching/listening to other people, making notes or things out for yourself. Learning the basics & understanding them is essential; this knowledge can be enforced by then putting it into practice.
Over the years people have been creating these resources and a lot of time has been put into them, creating 'hidden gems' of training material. However, unless you know of them, its hard to discover them.
So VulnHub was born to cover as many as possible, creating a catalogue of 'stuff' that is (legally) 'breakable, hackable & exploitable' - allowing you to learn in a safe environment and practice 'stuff' out. When something is added to VulnHub's database it will be indexed as best as possible, to try and give you the best match possible for what you're wishing to learn or experiment with.
-
CTF Resources
A general collection of information, tools, and tips regarding CTFs and similar security competitions. -
CTF write-ups 2016
Wiki-like CTF write-ups repository, maintained by the community. (2015) -
CTF write-ups 2015
Wiki-like CTF write-ups repository, maintained by the community. (2015) -
CTF write-ups 2014
Wiki-like CTF write-ups repository, maintained by the community. (2014) -
CTF write-ups 2013
Wiki-like CTF write-ups repository, maintained by the community. (2013)
-
captf
This site is primarily the work of psifertex since he needed a dump site for a variety of CTF material and since many other public sites documenting the art and sport of Hacking Capture the Flag events have come and gone over the years. -
shell-storm
The Jonathan Salwan's little corner.
- Hopper's Roppers CTF Course
Free course designed to teach the fundamentals of Forensics, Cryptography, and Web-Exploitation required to be successful in Capture the Flag competitions. At the end of the course, students compete in the picoCTF event with guidance from instructors.
Security Tube hosts a large range of video tutorials on IT security including penetration testing , exploit development and reverse engineering.
-
SecurityTube Metasploit Framework Expert (SMFE)
This video series covers basics of Metasploit Framework. We will look at why to use metasploit then go on to how to exploit vulnerbilities with help of metasploit and post exploitation techniques with meterpreter. -
Wireless LAN Security and Penetration Testing Megaprimer
This video series will take you through a journey in wireless LAN (in)security and penetration testing. We will start from the very basics of how WLANs work, graduate to packet sniffing and injection attacks, move on to audit infrastructure vulnerabilities, learn to break into WLAN clients and finally look at advanced hybrid attacks involving wireless and applications. -
Exploit Research Megaprimer
In this video series, we will learn how to program exploits for various vulnerabilities published online. We will also look at how to use various tools and techniques to find Zero Day vulnerabilities in both open and closed source software. -
Buffer Overflow Exploitation Megaprimer for Linux
In this video series, we will understand the basic of buffer overflows and understand how to exploit them on linux based systems. In later videos, we will also look at how to apply the same principles to Windows and other selected operating systems.
Comes with everything you need to understand complete systems such as SSL/TLS: block ciphers, stream ciphers, hash functions, message authentication codes, public key encryption, key agreement protocols, and signature algorithms. Learn how to exploit common cryptographic flaws, armed with nothing but a little time and your favorite programming language. Forge administrator cookies, recover passwords, and even backdoor your own random number generator.
This book is about constructing practical cruptosystems for which we can argue security under plausible assumptions. The book covers many constructions for different tasks in cryptography. For each task we define the required goal. To analyze the constructions, we develop a unified framework for doing cryptographic proofs. A reader who masters this framework will capable of applying it to new constructions that may not be covered in this book. We describe common mistakes to avoid as well as attacks on real-world systems that illustratre the importance of rigor in cryptography. We end every chapter with a fund application that applies the ideas in the chapter in some unexpected way.
The world has changed radically since the first edition of this book was published in 2001. Spammers, virus writers, phishermen, money launderers, and spies now trade busily with each other in a lively online criminal economy and as they specialize, they get better. In this indispensable, fully updated guide, Ross Anderson reveals how to build systems that stay dependable whether faced with error or malice. Here?s straight talk on critical topics such as technical engineering basics, types of attack, specialized protection mechanisms, security psychology, policy, and more.
This book offers a primer on reverse-engineering, delving into disassembly code-level reverse engineering and explaining how to decipher assembly language for those beginners who would like to learn to understand x86 (which accounts for almost all executable software in the world) and ARM code created by C/C++ compilers.
The focus areas that CTF competitions tend to measure are vulnerability discovery, exploit creation, toolkit creation, and operational tradecraft.. Whether you want to succeed at CTF, or as a computer security professional, you'll need to become an expert in at least one of these disciplines. Ideally in all of them.
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
This guide arose out of the need for system administrators to have an updated, solid, well re-searched and thought-through guide for configuring SSL, PGP,SSH and other cryptographic tools in the post-Snowdenage. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings.This guide is specifically written for these system administrators.
The penetration testing execution standard cover everything related to a penetration test - from the initial communication and reasoning behind a pentest, through the intelligence gathering and threat modeling phases where testers are working behind the scenes in order to get a better understanding of the tested organization, through vulnerability research, exploitation and post exploitation, where the technical security expertise of the testers come to play and combine with the business understanding of the engagement, and finally to the reporting, which captures the entire process, in a manner that makes sense to the customer and provides the most value to it.
- Application security - Application security is a broad topic that covers software vulnerabilities in web and mobile applications and application programming interfaces (APIs). These vulnerabilities may be found in authentication or authorization of users, integrity of code and configurations, and mature policies and procedures. Application vulnerabilities can create entry points for significant InfoSec breaches. Application security is an important part of perimeter defense for InfoSec.
- Cloud Security - Cloud security focuses on building and hosting secure applications in cloud environments and securely consuming third-party cloud applications. “Cloud” simply means that the application is running in a shared environment. Businesses must make sure that there is adequate isolation between different processes in shared environments.
- Cryptography - Encrypting data in transit and data at rest helps ensure data confidentiality and integrity. Digital signatures are commonly used in cryptography to validate the authenticity of data. Cryptography and encryption has become increasingly important. A good example of cryptography use is the Advanced Encryption Standard (AES). The AES is a symmetric key algorithm used to protect classified government information.
- Infrastructure security - Infrastructure security deals with the protection of internal and extranet networks, labs, data centers, servers, desktops, and mobile devices.
- Incident response - Incident response is the function that monitors for and investigates potentially malicious behavior. In preparation for breaches, IT staff should have an incident response plan for containing the threat and restoring the network. In addition, the plan should create a system to preserve evidence for forensic analysis and potential prosecution. This data can help prevent further breaches and help staff discover the attacker.
- Vulnerability Management - Vulnerability management is the process of scanning an environment for weak points (such as unpatched software) and prioritizing remediation based on risk. In many networks, businesses are constantly adding applications, users, infrastructure, and so on. For this reason, it is important to constantly scan the network for potential vulnerabilities. Finding a vulnerability in advance can save your businesses the catastrophic costs of a breach.
MIT License & cc license
This work is licensed under a Creative Commons Attribution 4.0 International License.
To the extent possible under law, Paul Veillard has waived all copyright and related or neighboring rights to this work.