Play this article
CTF Challenges & Walkthroughs
- 2600 Magazine — The most (in)famous hacker magazine.
- sixstars’ CTF writeups — Has CTF walkthroughs dating back to 2015 and includes nullctf, codegate, insomnihack, etc.
- carpedm20’s awesome-hacking repo — A curated list of awesome Hacking tutorials, tools and resources.
- Tenable’s RouterOS Bug Hunting Materials — The tools in this repository were originally presented at Derbycon 2018. The tools were written to aid in (or were the result of) bug hunting in RouterOS.
- apsdehal’s awesome-ctf — A curated list of CTF frameworks, libraries, resources and softwares.
- AD-Attack-Defense — Informational asset for those looking to understand the specific tactics, techniques, and procedures (TTPs) attackers are leveraging to compromise active directory.
- CTF Writeups — This has multiple repos in it that includes CTF walkthroughs from 2012 through 2018 as well as some other CTF resources.
- Gexos’s Hacking Tools Repository — A list of security/hacking tools that have been collected from the internet.
- lojikil’s bsideschs-ctf — Scripts to run the CryptoCTF from BSides Charleston.
- The Dark Knights CTF Writeups — picoCTF 2018 and GLUG CTF 2018 walkthroughs.
- w181496’s Web CTF Cheatsheet — Web CTF Cheatsheet.
- GreHack’s Official CTF Repo — All the challenges that were at GreHack CTF 2015 through 2018.
- TUCTF Tools — Tools used for various CTFs.
- OWASP’s Cheat Sheets — The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics. These cheat sheets were created by various application security professionals who have expertise in specific topics. We hope that the OWASP Cheat Sheet Series provides you with excellent security guidance in an easy to read format.
- Corelan Team Tutorials — Corelan Team is a group of IT Security researchers/enthusiasts/professionals/hobbyists who share the same interests, mainly focused on 3 things: Research, Education and Fun. They have a lot of articles about red teaming, blue teaming and general hacking.
- Crackmes — A simple place where you can download crackmes to improve your reverse engineering skills. If you want to submit a crackme or a solution to one of them, you must register.
- shell-storm — Jonathan Salwan of Quarkslab personal blog that contains links to CTF write-ups, reverse engineering tips, and other useful information.
- exploit.education — Provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues. This has a series of intentionally vulnerable VMs the contain multiple challenges. It supports a range of skill levels, everything from someone new to reverse engineer up through being an expert.
- Order of the Overflow (OOO) GitHub — OOO is the group that has hosted the CTF held at DEF CON since 2018. They have all their old challenges posted here, mostly for the qualifiers but there are some of the actual challenges that are from the main CTF held in Las Vegas during DEF CON.
- TokenUniverse — Token Universe is an advanced tool for experimenting and researching Windows security mechanisms. It exposes UI for creating, viewing, impersonating, and modifying access tokens, spawning processes, managing Local Security Authority, and more. The program can operate and (at least partially) provide valuable functionality under a wide range of privileges, from LPAC AppContainer sandbox to SYSTEM with SeTcbPrivilege and SeCreateTokenPrivilege.
- WarFox — is a software-based HTTPS beaconing Windows implant that uses a multi-layered proxy network for C2 communications. This kit was designed to emulate covert APT offensive operations. This kit includes WARFOX (Windows implant), HIGHTOWER (Listening Post), and other tools to build configs and set up a proxy network.
- pwndbg — is a GDB plug-in that makes debugging with GDB suck less, with a focus on features needed by low-level software developers, hardware hackers, reverse-engineers and exploit developers.
- Whisker — Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding “Shadow Credentials” to the target account.This tool is based on code from DSInternals by Michael Grafnetter (@MGrafnetter). For this attack to succeed, the environment must have a Domain Controller running on Windows Server 2016, and the Domain Controller must have a server authentication certificate to allow for PKINIT Kerberos authentication. More details are available at the post Shadow Credentials: Abusing Key Trust Account Mapping for Takeover.
- PKINIT tools — This repository contains some utilities for playing with PKINIT and certificates. The tools are built on minikerberos and impacket. Accompanying blogpost with more context: https://dirkjanm.io/ntlm-relaying-to-ad-certificate-services/.
- Jok3r — Jok3r is a Python3 CLI application which is aimed at helping penetration testers for network infrastructure and web black-box security tests. The goal is to save as much time as possible during network/web pentests by automating as many security tests as possible in order to quickly identify low-hanging fruits vulnerabilities, and then spend more time on more interesting and tricky stuff !
- Rapid7’s Metasploit Framework — The de-facto standard in exploitation frameworks.
- Rapid7’s Metasploit Vulnerable Services Emulator — Currently it supports over 100 emulated vulnerable services.
- Mimikatz — It’s now well known to extract plaintexts passwords, hash, PIN code and kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.
- Veil — Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions.
- Armitage — A graphical wrapper around the Metasploit Framework.
- pupy — Pupy is an open source, cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool mainly written in Python.
- AutoSploit — A wrapper around Metasploit where the targets are fed in using OSINT sources. Targets can be collected automatically through Shodan, Censys or Zoomeye.
- Empire — Empire is a PowerShell and Python post-exploitation agent.
- DeathStar — DeathStar is a Python script that uses Empire’s RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techniques.
- PowerSploit — A PowerShell Post-Exploitation Framework.
- SharpUp — A C# port of the PowerUp PowerShell script from PowerSploit which will scan the host for misconfigurations in order to elevate privileges.
- SILENTTRINITY — A post-exploitation agent powered by Python, IronPython, C# and .NET’s Dynamic Language Runtime (DLR).
- OffensiveDLR — Toolbox containing research notes & PoC code for weaponizing .NET’s Dynamic Language Runtime (DLR).
- EggShell — iOS/macOS/Linux Remote Administration Tool (RAT).
- SharpSploit — SharpSploit is a .NET post-exploitation library written in C#.
- Paul Clark’s RF Exfil Stack — An RF stack for building exfiltration systems.
- Covenant — Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
- Windows Exploit Suggester: Next Generation — WES-NG is a tool based on the output of Windows’
systeminfoutility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities.
- Seatbelt — a C# project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
- FuzzySecurity’s PowerShell-Suite — A collection of pentesting related PowerShell scripts.
- PowerOPS — PowerShell Runspace Portable Post Exploitation Tool aimed at making Penetration Testing with PowerShell “easier”.
- GTFOBins — Curated list of Unix binaries that can be exploited to bypass system security restrictions.
- Living Off The Land Binaries And Scripts — A collection of scripts for using tools that are either a part of the operating system or are commonly installed and evade many antivirus programs.
- freevulnsearch — Free and open NMAP NSE script to query vulnerabilities via the cve-search.org API.
- Penetration Testing Framework — Made by TrustedSec The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools.
- chenerlich’s Fileless Command Lines — Known command lines of fileless malicious executions.
- Donut — Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters.
- Microsoft RSAT — Remote Server Administration Tools (RSAT) enables IT administrators to remotely manage roles and features in Windows Server from a computer that is running Windows 10, Windows 8.1, Windows 8, Windows 7, or Windows Vista.
- BloodHound — BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
- pwndrop — Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. https://breakdev.org/pwndrop
Network Recon & Exploitation
- Subrake — A Subdomain Enumeration and Validation tool for Bug Bounty and Pentesters.
- Phantom — is a multi-platform HTTP(S) Reverse Shell server and client in Python 3. Binaries for Linux and Windows platforms can be built through an embedded script that executes PyInstaller. Reverse shells can be established through HTTP or HTTPS. The certificates used for HTTPS can be auto-generated by Phantom or supplied by the user. Phantom includes a helper shell script that enables fast generation of self-signed certificates for use of both servers and clients. After generation, the server and certificate authority certificates required for encrypted connections are bundled in the binaries for portability and ease of execution.
- Chisel — Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Written in Go (golang). Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network.
- SSHPry — Let’s you spy on SSH session like it is your tty. As SSH is one of the most used protocols by hackers and admins when it comes to controlling a Linux machine remotely, the most dangerous part, is when you can spy on that session in real-time, record keystrokes, and even use phishing attacks from within the terminal.
- RustScan — RustScans only job is to reduce the friction between finding open ports and inputting them into nmap.
- Google Tsunami Security Scanner — Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
- Plugins for Tsunami Security Scanner — This project aims to provide a central repository for many useful Tsunami Security Scanner plugins.
- BruteShark — BruteShark is a Network Forensic Analysis Tool (NFAT) that performs deep processing and inspection of network traffic (mainly PCAP files). It includes: password extracting, building a network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack.
- nmap — The de-facto standard in network and vulnerability scanners.
- Wireshark — The de-facto standard in packet analysis. It has the ability to filter on the collection of network packets, the ability to filter out packets once they are captured, has a variety of built in parsers, etc.
- Bettercap — The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.
- Xerosploit -Is a penetration testing toolkit whose goal is to perform man in the middle attacks for testing purposes. It brings various modules that allow to realise efficient attacks, and also allows to carry out denial of service attacks and port scanning. Powered by bettercap and nmap.
- Responder — Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication (check out THIS article on how to disable it).
- ADRecon — ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
- NTLM Scanner — Checks for various NTLM vulnerabilities over SMB. The script will establish a connection to the target host(s) and send an invalid NTLM authentication. If this is accepted, the host is vulnerable to the applied NTLM vulnerability and you can execute the relevant NTLM attack.
- SMBGhost [Scanner] — Simple scanner for CVE-2020–0796 — SMBv3 RCE. The scanner is for meant only for testing whether a server is vulnerable. It is not meant for research or development, hence the fixed payload. It checks for SMB dialect 3.1.1 and compression capability through a negotiate request.
- WhoNow — A “malicious” DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53).
- PcapXray — A Network Forensics Tool — To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction.
- AutoNSE — Massive NSE (Nmap Scripting Engine) AutoSploit and AutoScanner.
- ShareSearch — SMB and NFS shares spider and grepper.
- termshark — A terminal UI for tshark, inspired by Wireshark.
- Invoke-SocksProxy — Socks proxy server using Microsoft PowerShell.
- Real Intelligence Threat Analytics — Made by Active Countermeasures RITA is an open source framework for network traffic analysis.
- shellz — A small utility to track and control your ssh, telnet, web and custom shells and tunnels.
- thc-ipv6 — IPv6 attack toolkit.
- mitm6 — A pentesting tool that exploits the default configuration of Windows to take over the default DNS server via a malicious DHCP6 response.
- ipv666 — Golang IPv6 address enumeration.
Wi-Fi and RF Recon and Exploitation
- radioconda — A cross-platform package management system for dealing with software defined radios (SDRs) that includes Digital RF, GNU Radio, gqrx and gr-satellites and supports multiple SDR platforms.
- Aircrack-ng — Aircrack-ng is a complete suite of tools to assess WiFi network security. It focuses on different areas of WiFi security: Monitoring: Packet capture and export of data to text files for further processing by third party tools, Attacking: Replay attacks, deauthentication, fake access points and others via packet injection, Testing: Checking WiFi cards and driver capabilities (capture and injection), Cracking: WEP and WPA PSK (WPA 1 and 2).
- Universal Radio Hacker — Investigate wireless protocols like a boss.
- Paul Clark’s RF and SDR GitHub Projects — Paul Clark is the foremost RF cyber security expert and has multiple software defined radio and other RF projects.
- Pineapple AR150 — Turn a $30 GL.iNet GL-AR150 into a $100 Hak5 WiFi Pineapple!
- GNURadio — GNU Radio is a free & open-source software development toolkit that provides signal processing blocks to implement software radios. It can be used with readily-available low-cost external RF hardware to create software-defined radios, or without hardware in a simulation-like environment. It is widely used in research, industry, academia, government, and hobbyist environments to support both wireless communications research and real-world radio systems.
- RTL-SDR — A great resource for RF hacking. It includes links to download SDR software, tutorials, articles, and other software define radios.
- RFCrack — RFCrack is a RF test bench, it was developed for testing RF communications between any physical device that communicates over sub Ghz frequencies. IoT devices, Cars, Alarm Systems etc.
- RfCat — The goals of the project are to reduce the time for security researchers to create needed tools for analyzing unknown targets, to aid in reverse-engineering of hardware, and to satiate my RF lust. Only compatible with Python 2.7 currently.
- MouseJack — MouseJack is a class of vulnerabilities that affects the vast majority of wireless, non-Bluetooth keyboards and mice. These peripherals are ‘connected’ to a host computer using a radio transceiver, commonly a small USB dongle. Since the connection is wireless, and mouse movements and keystrokes are sent over the air, it is possible to compromise a victim’s computer by transmitting specially-crafted radio signals using a device which costs as little as $15.
- ooktools — ooktools aims to help with the reverse engineering of on-off keying data sources such as wave files or raw frames captured using RfCat.
Implants & Backdoors
- SillyRAT — A cross platform RAT written in pure Python. The RAT accept commands alongside arguments to either perform as the server who accepts connections or to perform as the client/target who establish connections to the server. The generate command uses the module pyinstaller to compile the actual payload code. So, in order to generate payload file for your respective platform, you need to be on that platform while generating the file. Moreover, you can directly get the source file as well.
- Sliver — Is an open source, cross-platform adversary emulation/red team platform, it can be used by organizations of all sizes to perform security testing. Sliver’s implants support C2 over Mutual TLS (mTLS), WireGuard, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority generated when you first run the binary. The server and client support MacOS, Windows, and Linux. Implants are supported on MacOS, Windows, and Linux (and possibly every Golang compiler target but we’ve not tested them all).
- Cobalt Strike — Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training. This is a commercial tool.
- WheresMyImplant — A Bring Your Own Land Toolkit that Doubles as a WMI Provider.
- Throwback — HTTP/S Beaconing ImplantCobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. Malleable C2 lets you change your network indicators to look like different malware each time. These tools complement Cobalt Strike’s solid social engineering process, its robust collaboration capability, and unique reports designed to aid blue team training.
Reverse Engineering, Exploit Dev & Fuzzing
- Ghidra — A software reverse engineering (SRE) suite of tools developed by NSA’s Research Directorate in support of the Cybersecurity mission.
- IDA Pro — The IDA Disassembler and Debugger is an interactive, programmable, extensible, multi-processor disassembler hosted on Windows, Linux, or Mac OS X. IDA has become the de-facto standard for the analysis of hostile code, vulnerability research and commercial-off-the-shelf validation. This is a commercial product with a large price tag.
- Hex-Rays Decompiler — The Hex-Rays Decompiler brings binary software analysis within reach of millions of programmers. It converts native processor code into a readable C-like pseudocode text. This is a commercial product with a large price tag.
- Binary Ninja — An IDA Pro clone done by Vector 35. It is a cheaper alternative to the crazy expensive IDA Pro. This is a commercial product.
- Ghidra — NSA’s recently open sourced version of an IDA Pro clone.
- volatility — An advanced memory forensics framework.
- Radare2 — unix-like reverse engineering framework and commandline tools.
- Pwntools — Pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid prototyping and development, and intended to make exploit writing as simple as possible. The most recent version supports Python 3.
- Zeratool — Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems.
- Binary Ninja community plugins — Repository for community provided Binary Ninja plugins.
- BinNavi — BinNavi is a binary analysis IDE that allows to inspect, navigate, edit and annotate control flow graphs and call graphs of disassembled code.
- angrgdb — Use angr inside GNU DeBugger (GDB). Create an angr state from the current debugger state.
- pwndbg — Exploit Development and Reverse Engineering with GNU DeBugger (GDB) Made Easy.
- GDB Enhanced Features (GEF) — GNU DeBugger (GDB) Enhanced Features for exploit devs & reversers.
- Python Exploit Development Assistance (PEDA) — A GNU DeBugger (GDB) plugin that assists with exploit development.
- Rocket-Shot — Uses angr to concolically analyze basic blocks in a given program, running from the start of the block to the end, looking for interactions with a file descriptor.
- Rubeus — Rubeus is a C# toolset for raw Kerberos interaction and abuses.
- Flare VM — A VM by FireEye that is a fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
- PinCTF — Using Intel’s PIN tool to solve CTF problems.
- Virtuailor — IDAPython tool for creating automatic C++ virtual tables in IDA Pro.
- DetectionLab — Vagrant & Packer scripts to build a lab environment complete with security tooling and logging best practices.
- Cuckoo Sandbox — Cuckoo Sandbox is an automated dynamic malware analysis system.
- MemProcFS — The Memory Process File System for Windows.
- American Fuzzy Lop for Windows — Google Project Zero’s fork of AFL for fuzzing Windows binaries.
- American Fuzzy Lop (AFL) Training — Exercises to learn how to fuzz with American Fuzzy Lop.
- Grimm’s Killerbeez — A distributed fuzzer which aims to pull in the best technologies, make them play nicely together, and run on multiple O/Ses. It’s built on top of American Fuzzy Lop (AFL), debuggers and other instrumentation.
- Boofuzz — Boofuzz is a fork of and the successor to the venerable Sulley fuzzing framework. Besides numerous bug fixes, boofuzz aims for extensibility. The goal: fuzz everything. This is available as a Python package and can be installed using pip.
- Sulley — A pure-python fully automated and unattended fuzzing framework.
- secfigo’s Awesome Fuzzing — A curated list of fuzzing resources ( Books, courses — free and paid, videos, tools, tutorials and vulnerable applications to practice on ) for learning Fuzzing and initial phases of Exploit Development like root cause analysis.
- shellphish’s Driller — American Fuzzy Lop (AFL) with symbolic execution!
- shellphish’s how2heap — A repository for learning various heap exploitation techniques.
- Lain — A fuzzer made by Microsoft and is written in Rust.
- ClusterFuzz — A fuzzer made by Google ClusterFuzz is a scalable fuzzing infrastructure that finds security and stability issues in software.
- PEpper — An open source tool to perform malware static analysis on Windows Portable Executables. It currently performs the following functions: Suspicious entropy ratio, Suspicious name ratio, Suspicious code size, Suspicious debugging time-stamp, Number of export, Number of anti-debugging calls, Number of virtual-machine detection calls, Number of suspicious API calls, Number of suspicious strings, Number of YARA rules matches, Number of URL found, Number of IP found, Cookie on the stack (GS) support, Control Flow Guard (CFG) support, Data Execution Prevention (DEP) support, Address Space Layout Randomization (ASLR) support, Structured Exception Handling (SEH) support, Thread Local Storage (TLS) support, Presence of manifest, Presence of version, Presence of digital certificate, Packer detection, VirusTotal database detection and Importing a DLL using a hash.
Password Cracking & OSINT
- rockyou2021.txt — rockyou2021.txt is a compilation of dictionaries, breached words, and probable passwords, released by kys234 on RaidForums (a forum often catering to cybercrime).
- Name-That-Hash — Features:
? Popularity Ratings — Name that hash will show you the most popular hashes first. In older systems it would prioritise Skype Hash the same as Active Directory’s NTLM! Which makes as much sense as saying that my GitHub is as popular as VSCode ?
- Hash Summaries — no more wondering whether it’s MD5 or NTLM. Name-that-hash will summarise the main usage of each hash, allowing you to make an informed & decisive choice
- ? Colour Output — Don’t worry, the colours were hand-selected with a designer to be 100% accessible and gnarly ?
? JSON output && API — Want to use Name-That-Hash in your project? We are API first, CLI second. Use JSON output or import us as a Python module! ?
? Updated! — HashID was last updated in 2015. Hash-Identifier in 2011! Name-That-Hash is a 2021 project ?
- Accessible — We are 100% committed to making this an accessible hacking tool ?
? Extensible — Add new hashes as quickly as you can edit this README. No, seriously — it’s that easy! ?
- hashcat — World’s fastest and most advanced password recovery utility. This uses GPU and CPU resources to crack password hashes. It supports pretty much every hash type used.
- hashtopolis — A hashcat wrapper for distributed password hash cracking.
- NotSoSecure’s OneRuleToRuleThemAll Hashcat Rule — Ultimate password cracking hashcat rule made by NotSoSecure.
- pwnedOrNot — OSINT Tool to Find Passwords for Compromised Email Addresses.
- domainhunter — Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names.
- DyMerge — A dynamic dictionary merger for successful dictionary based attacks.
- OWASP Amass — The OWASP Amass Project has developed a tool to help information security professionals perform network mapping of attack surfaces and perform external asset discovery using open source information gathering and active reconnaissance techniques.
- hashcobra — This tool uses a new method to crack hashes. With the help of rainbow tables concept this tool generates rainbow tables from wordlists to heavily optimize the cracking process.
- Mobile Application Penetration Testing Cheat Sheet — The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics and checklist, which is mapped OWASP Mobile Risk Top 10 for conducting pentest.
- jadx — Command line and GUI tools for produce Java source code from Android DEX and APK files.
- NotSoSecure’s Android Application Analyzer — The tool is used to analyze the content of the android application in local storage.
IoT & Embedded Systems Recon and Exploitation
- FirmAE — FirmAE is a fully-automated framework that performs emulation and vulnerability analysis. FirmAE significantly increases the emulation success rate (From Firmadyne‘s 16.28% to 79.36%) with five arbitration techniques. We tested FirmAE on 1,124 wireless-router and IP-camera firmware images from top eight vendors.
- firmwalker — A simple bash script for searching the extracted or mounted firmware file system.
- Firmware Analysis Toolkit — FAT is a toolkit built in order to help security researchers analyze and identify vulnerabilities in IoT and embedded device firmware.
- Binwalk — The de facto firmware extraction tool for embedded systems and IoT devices. Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
- QEMU — Quick Emulator is a generic and open source machine & userspace emulator and
- routersploit — Exploitation Framework for Embedded Devices.
- PlatformIO — An open source ecosystem for IoT development Cross-platform IDE and unified debugger. Remote unit testing and firmware updates.
- Rapid7’s IoTSeeker — This scanner will scan a network for specific types of IoT devices to detect if they are using the default, factory set credentials.
- PlatformIO — An advanced IDE for working with embedded devices. This includes the ability to debug over serial, code completion and support for over 700 embedded boards.
- Arduino IDE — Is a cross-platfrom open-source physical computing platform based on a simple I/O board and a development environment that implements the Processing/Wiring language. Arduino can be used to develop stand-alone interactive objects or can be connected to software on your computer (e.g. Flash, Processing and MaxMSP). The boards can be assembled by hand or purchased preassembled.
- HomePwn — Is a framework that provides features to audit and pentesting devices that company employees can use in their day-to-day work and inside the same working environment. It is designed to find devices in the home or office, take advantage of certain vulnerabilities to read or send data to those devices. With a strong library of modules you can use this tool to load new features and use them in a vast variety of devices.
- Firmware Mod Kit — Abandoned and no longer relevant. This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images. This is written by Google.
Web Recon & Exploitation
- Burp Suite Community Edition — The de-facto standard in intercepting proxies. This is a cross-platform tool that works on Linux, macOS and Windows.
- snoopysecurity’s awesome-burp-extensions — A curated list of amazingly awesome Burp Suite Extensions.
- zaproxy — The OWASP ZAP core project. This is an open source competitor to Burp Suite and is also an intercepting proxy. This is a cross-platform tool that works on Linux, macOS and Windows.
- sqlmap — Automatic SQL injection and database takeover tool. This is a cross-platform tool that works on Linux, macOS and Windows.
- SocialFish — Ultimate phishing tool. Socialize with the credentials.
- evilginx2 — Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
- CredKing — Made by Black Hills Infosec this tool does password spraying using AWS Lambda for IP rotation.
- Konan — Advanced Web Application Dir Scanner.
- stretcher — Tool designed to help identify open Amazon Elasticsearch servers that are exposing sensitive information.
- Web Application Scan — Is a Open Source web application security scanner.
- GadgetProbe — Is a Burp Suite plug-in that enumerates Java remote classpaths. GadgetProbe takes a wordlist of Java classes, outputs serialized DNS callback objects, and reports what’s lurking in the remote classpath.
- Default HTTP Login Hunter — Is a tool capable of checking more then 380 different web interfaces for default credentials. It is based on the NNdefaccts alternate fingerprint dataset maintained by nnposter.
Offensive OS Distros
- Kali Linux — de facto standard Linux distro for pentesters and red teamers. It is the most advanced penetration testing platform we have ever made. Available in 32 bit, 64 bit, and ARM flavors, as well as a number of specialized builds for many popular hardware platforms. Kali can always be updated to the newest version without the need for a new download.
- Samurai WTF — Is a VM containing the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test.
- Parrot OS — Professional tools for security testing, software development and privacy defense, all in one place.
- Commando VM — a fully customizable, Windows-based security distribution for penetration testing and red teaming made by FireEye.
- DragonOS — DragonOS LTS an out-of-the-box Lubuntu 18.04 based x86_64 operating system for anyone interested in software defined radios. All source installed software is located in the /usr/src directory while the remaining software was installed by package managers. This is a brief summary of the software included, while not complete, it covers the bigger named packages and some of the drivers installed for the various supported SDRs such as the HackRF One, RTL-SDR, and LimeSDR. This distro includes the following SDR related tools: Universal Radio Hacker, GNU Radio, Aircrack-ng, GQRX, Kalibrate-hackrf, wireshare, gr-gsm, rtl-sdr, HackRF, IMSI-catcher, Zenmap, inspectrum, qspectrumanalyzer, LTE-Cell-Scanner, CubicSDR, Limesuite, ShinySDR, SDRAngel, SDRTrunk, Kismet, BladeRF
- Gorizont-rtlsdr — This distribution contains only RTL2832U chipset family rtl_sdr drivers and modules, and concentrates on providing terrestial HF/VHF/UHF signal processing and portable DAB+ reception with the cheapest and most available equipment. No other devices are supported. This distribution is intended for experimentation and legal listening purposes only. NOTE: No TETRA or similar trunked system decoders are included in this distribution for legal reasons.
- MalwareBazaar — MalwareBazaar is a project from abuse.ch with the goal of sharing malware samples with the infosec community, AV vendors and threat intelligence providers.
- LimeGroupYT’s Malware Database — Live Malware samples (All Passwords: mysubsarethebest, infected, 123456789). Some files or archives have no password.
- linux-malware — A collection of Linux malware that is found in the wild.
- vxunderground’s Malware Source Archive — This repo contains various pieces of malware supporting multiple operating systems. This is a great resource for those that want to reverse engineer and study these samples.
- theZoo: A Live Malware Repository — theZoo is a project created to make the possibility of malware analysis open and available to the public. Since we have found out that almost all versions of malware are very hard to come by in a way which will allow analysis, we have decided to gather all of them for you in an accessible and safe way. theZoo was born by Yuval tisf Nativ and is now maintained by Shahak Shalev.
- MalShare — A free Malware repository providing researchers access to samples, malicious feeds, and Yara results.
- VirusShare — Because Sharing is Caring. This is another malware database.
- Lenny Zeltser’s Malware Samples — Lenny Zeltser is a SANS instructor for the malware reversing series of classes and he has collected samples for his students.
Pentest Reporting Tools
- WriteHat — WriteHat is a reporting tool which removes Microsoft Word (and many hours of suffering) from the reporting process. Markdown –> HTML –> PDF. Created by penetration testers, for penetration testers — but can be used to generate any kind of report. Written in Django (Python 3).
Wanna say Hi to me ? Here is my linkedin .
Did you find this article valuable?
Support Cyber Aeronautycs Ltd. Blog by becoming a sponsor. Any amount is appreciated!