pentest-tools.md

opensource pentest tools

A collection of open source pentest tools

3rd-party lists

• she11c0der/Scanners-Box - 安全从业人员常用工具及学习指引
• jivoi/awesome-osint - A curated list of amazingly awesome OSINT
• nullsecuritynet/tools - security and hacking tools, exploits, proof of concepts, shellcodes, scripts
• Awesome Hacking Tools
• V33RU/IoTSecurity101 - From IoT Pentesting to IoT Security
• Kinimiwar/Penetration-Testing - List of awesome penetration testing resources, tools and other shiny things
• infosecn1nja/Red-Teaming-Toolkit - A collection of open source and commercial tools that aid in red team operations
• infosecn1nja/AD-Attack-Defense - Active Directory Security For Red & Blue Team
• danielmiessler/SecLists - a collection of multiple types of lists used during security assessments, collected in one place
• AnonOpsecPrivacy - InfoSec Reference
• Red Teaming Experiments

Tools

Information gathering

• xorrior/RemoteRecon - provides the ability to execute post-exploitation capabilities against a remote host, without having to expose your complete toolkit/agent
• Moham3dRiahi/Th3inspector - Th3Inspector male_detective best tool for Information Gathering
• paulirish/github-email - Get a GitHub user's email. All sneaky-like
• dafthack/PowerMeta - searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches
• giovanifss/Gitmails - An information gathering tool to colect git commit emails in version control host services
• InQuest/omnibus - The OSINT Omnibus
• Pastebin
  • needmorecowbell/sniff-paste - Pastebin OSINT Harvester
• Geo
  • thewhiteh4t/seekere - Find GeoLocation with High Accuracy
• Social networks
  • HA71/Namechk - Osint tool based on namechk.com for checking usernames on more than 100 websites, forums and social networks
  • vysec/MaiInt - OSINT Organization Employee Profiling Tool for MaiMai
• Linkedin
  • 0x09AL/raven - a Linkedin information gathering tool that can be used by pentesters to gather information about an organization employees using Linkedin
  • initstring/linkedin2username - Generate username lists for companies on LinkedIn
  • dchrastil/ScrapedIn - A tool to scrape LinkedIn without API restrictions for data reconnaissance
  • mdsecactivebreach/LinkedInt - A LinkedIn scraper for reconnaissance during adversary simulation
• AD
  • skorov/ridrelay - Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv
  • NetSPI/goddi - goddi (go dump domain info) dumps Active Directory domain information
  • sid-500 编写的各种PowerShell脚本

Recon

• chrismaddalena/ODIN - Automated network asset, email, and social media profile discovery and cataloguing - 带neo4j图表，支持搜索
• woj-ciech/Danger-zone - Correlate data between domains, IPs and email addresses, present it as a graph
• LaNMaSteR53/recon-ng - a full-featured Web Reconnaissance framework written in Python
• smicallef/spiderfoot - open source footprinting and intelligence-gathering tool
• codingo/Reconnoitre - A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing
• nahamsec/lazyrecon - intended to automate your reconnaissance process in an organized fashion
• jobertabma/virtual-host-discovery - A script to enumerate virtual hosts on a server
• codingo/VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages
• Te-k/harpoon - CLI tool for open source and threat intelligence
• codingo/Reconnoitre - A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing. Included virtual host scanner
• Super68/networkrecon - a PowerShell script consisting of three functions that allow you to perform analysis of observable network protocols for vulnerabilities
• xillwillx/skiptracer - OSINT python webscaping framework
• laramies/theHarvester - E-mails, subdomains and names Harvester - OSINT
• RoliSoft/ReconScan - Network reconnaissance and vulnerability assessment tools
• SimplySecurity/SimplyEmail - Email recon made fast and easy
• themains/trusted - Use the trustedsource API to classify content of domains. comScore 2004 data included
• DataSploit - An #OSINT Framework to perform various recon techniques on Companies, People, Phone Number, Bitcoin Addresses, etc., aggregate all the raw data, and give data in multiple formats
• cea-sec/ivre - Network recon framework - https://ivre.rocks/ - 这个带统计图表
• hdm/nextnet - a pivot point discovery tool written in Go
• jobertabma/relative-url-extractor - A small tool that extracts relative URLs from a file
• s0md3v/ReconDog - Reconnaissance Swiss Army Knife
• yassineaboukir/asnlookup - Look up IP addresses (IPv4 & IPv6) registered and owned by a specific organization for reconnaissance purposes
• eldraco/domain_analyzer - Analyze the security of any domain by finding all the information possible
• jpf/domain-profiler - Given a domain, will tell you the decisions that the domain owner has made
• michenriksen/aquatone - A Tool for Domain Flyovers
• r3vn/badKarma - advanced network reconnaissance toolkit
• Active domain
  • sensepost/UserEnum - Domain user enumeration tool
• Metadata
  • ElevenPaths/FOCA - a tool used mainly to find metadata and hidden information in the documents its scans
  • laramies/metagoofil - Metadata harvester
  • FortyNorthSecurity/Just-Metadata - a tool that gathers and analyzes metadata about IP addresses
• Visual recon
  • sensepost/gowitness - a golang, web screenshot utility using Chrome Headless
  • maaaaz/webscreenshot - A simple script to screenshot a list of websites
  • FortyNorthSecurity/EyeWitness - designed to take screenshots of websites, provide some server header info, and identify default credentials if possible
• Parameter bruteforcing
  • UltimateHackers/Arjun - a python script for finding hidden GET & POST parameters
  • maK-/parameth - This tool can be used to brute discover GET and POST parameters

Online recon tools

• BinaryEdge - app.binaryedge.io
• Internet wide scan
  • criminalip.io - Criminalip Search
  • scans.io - Internet-Wide Scan Data Repository
  • shodan.io - Shodan Search
  • Censys.io - Censys Search
  • zoomeye.org - ZoomEye - Cyberspace Search Engine
  • archive.org - Internet Archive: Wayback Machine
  • HUNTER.how
• Passive DNS
  • Reverse DNS Lookup Online Tool - hackertarget.com/reverse-dns-lookup
  • Robtex - used for various kinds of research of IP numbers, Domain names
  • The World's Largest Repository of Historical DNS data - securitytrails.com
• Reputation tools
  • GreyNoise Intelligence - greynoise.io
  • FireHOL IP Lists/IP Blacklists/IP Blocklists/IP Reputation - iplists.firehol.org
• Reverse whois
  • whoxy.com
  • viewdns.info
• Email
  • hunter.io - Find email addresses in seconds • Hunter (Email Hunter)
  • pipl.com - is the place to find the person behind the email address, social username or phone number

Shodan tools

• woj-ciech/kamerka - Build interactive map of cameras from Shodan

Fingerprinting

• urbanadventurer/whatweb - Next generation web scanner
• tanjiti/FingerPrint - web应用指纹识别
• rootlabs/nWatch - Tool for - Host Discovery, Port Scanning and Operating System Fingerprinting
• boy-hack/gwhatweb - CMS识别 python gevent实现
• AliasIO/Wappalyzer - Cross-platform utility that uncovers the technologies used on websites
• HA71/WhatCMS - CMS Detection and Exploit Kit based on Whatcms.org API

DNS rebinding

• brannondorsey/whonow - A "malicious" DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
• nccgroup/singularity - A DNS rebinding attack framework
• mwrlabs/dref - DNS Rebinding Exploitation Framework

Subdomain enumeration

• vysec/DomLink - A tool to link a domain with registered organisation names and emails, to other domains
• FeeiCN/ESD - Enumeration sub domains(枚举子域名)
• reconned/domained - Subdomain Enumeration
• caffix/amass - Subdomain Enumeration in Go
• aboul3la/Sublist3r - Fast subdomains enumeration tool for penetration testers
• TheRook/subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains
• ring04h/wydomain - to discover subdomains of your target domain
• blechschmidt/massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
• mandatoryprogrammer/cloudflare_enum - Cloudflare DNS Enumeration Tool for Pentesters
• lanrat/certgraph - An open source intelligence tool to crawl the graph of certificate Alternate Names
• sawzeeyy/Sanitiz3r - A python script that filters, checks the validity, generates clickable link(s) of subdomain(s), and reports their status
• guelfoweb/knock - a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
• Ice3man543/subfinder - a subdomain discovery tool that can enumerate massive amounts of valid subdomains for any target
• infosec-au/altdns - Generates permutations, alterations and mutations of subdomains and then resolves them
• darkoperator/dnsrecon - DNS Enumeration Script
• appsecco/the-art-of-subdomain-enumeration - This repository contains all the supplement material for the book "The art of sub-domain enumeration"
• nsonaniya2010/SubDomainizer - A tool to find subdomains hidden in inline and external Javascript files of page
• DNSSEC
  • anonion0/nsec3map - a tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain
• Certificate Transparency
  • UnaPibaGeek/ctfr - Abusing Certificate Transparency logs for getting HTTPS websites subdomains
  • christophetd/censys-subdomain-finder - Perform subdomain enumeration using the certificate transparency logs from Censys

Subdomain take over

• JordyZomer/autoSubTakeover - A tool used to check if a CNAME resolves to the scope adress. If the CNAME resolves to a non-scope adress it might be worth checking out if subdomain takeover is possible
• nahamsec/HostileSubBruteforcer - bruteforce for exisiting subdomains and check if the 3rd party host has been properly setup
• anshumanbh/tko-subs - A tool that can help detect and takeover subdomains with dead DNS records
• MindPointGroup/cloudfrunt - A tool for identifying misconfigured CloudFront domains
• mhmdiaa/second-order - Second-order subdomain takeover scanner
• Ice3man543/SubOver - A Powerful Subdomain Takeover Tool

Firewall

• trustedsec/egressbuster - a method to check egress filtering and identify if ports are allowed. If they are, you can automatically spawn a shell
• 3xp10it/bypass_waf - waf自动爆破(绕过)工具，包含一个演讲PPT
• fastly/ftw - Framework for Testing WAFs (FTW!)
• viperbluff/WAF_buster - Disrupt WAF by abusing SSL/TLS Ciphers
• vincentcox/bypass-firewalls-by-DNS-history - Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters
• Huawei
  • embedi/Huawei-firewall-tools

Network tools

• SSL
  • salesforce/ja3 - a standard for creating SSL client fingerprints in an easy to produce and shareable way
• RDP
  • linuz/Sticky-Keys-Slayer - Scans for accessibility tools backdoors via RDP
• SDN
  • smythtech/sdnpwn - An SDN penetration testing toolkit
  • OpenNetworkingFoundation/DELTA - SDN SECURITY EVALUATION FRAMEWORK
• SSDP
  • initstring/evil-ssdp - Spoof SSDP replies to phish for credentials and NetNTLM challenge/response. Creates a fake UPNP device, tricking users into visiting a malicious phishing page. Also detects and exploits XXE 0-day vulnerabilities in XML parsers for UPNP-enabled apps
• UPnP
  • dc414/Upnp-Exploiter - A Upnp exploitation tool - 开UPnP代理的
• DHCP
  • mschwager/dhcpwn - a tool used for testing DHCP IP exhaustion attacks. It can also be used to sniff local DHCP traffic
• RTSP
  • Ullaakut/cameradar - Cameradar hacks its way into RTSP videosurveillance cameras
  • googleprojectzero/Street-Party - a suite of tools that allows the RTP streams of video conferencing implementations to be viewed and modified
• SSH
  • ncsa/ssh-auditor - The best way to scan for weak ssh passwords on your network - 支持重新检查密码是否还能用，以及不同主机的hostkey是否相同
• Traffic analysis
  • lgandx/PCredz - extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface

Surveillance

• ggerganov/kbd-audio - Tools for capturing and analysing keyboard input paired with microphone capture

DDoS

• 649/Memcrashed-DDoS-Exploit - DDoS attack tool for sending forged UDP packets to vulnerable Memcached servers obtained using Shodan API
• OffensivePython/Saddam - DDoS Amplification Tool
• valyala/goloris - Slowloris for nginx DoS. Written in go
• jseidl/GoldenEye - GoldenEye Layer 7 (KeepAlive+NoCache) DoS Test Tool

SSRF

• swisskyrepo/SSRFmap - Automatic SSRF fuzzer and exploitation tool
• tarunkant/Gopherus - This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
• bcoles/ssrf_proxy - facilitates tunneling HTTP communications through servers vulnerable to Server-Side Request Forgery
• iamultra/ssrfsocks - Creates a SOCK proxy server that transmits data over an SSRF vulnerability
• D4Vinci/Cuteit - Make a malicious ip a bit cuter

JDWP

• IOActive/jdwp-shellifier - JDWP exploitation script

Antivirus Evasion

• CylanceVulnResearch/ReflectiveDLLRefresher - a standalone test harness for scanning the process's memory space and unhooking the currently loaded libraries，恢复AV钩子的
• secretsquirrel/SigThief - Stealing Signatures and Making One Invalid Signature at a Time
• Shellter - AV Evasion Artware
• Mr-Un1k0d3r/DKMC - DKMC - Dont kill my cat - Malicious payload evasion tool
• Mr-Un1k0d3r/UniByAv - a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly
• silentsignal/av-breaking - Bare Knuckled AV Breaking
• AbedAlqaderSwedan1/ASWCrypter - An Bash&Python Script For Generating Payloads that Bypasses All Antivirus so far FUD
• securemode/DefenderKeys - Quick PowerShell script to extract any exclusions configured for Windows Defender
• rootm0s/Protectors - Obfuscator, Encryption, Junkcode, Anti-Debug, PE protection/modification
• threatexpress/metatwin - a file resource cloner. Metadata, including digital signature, is extracted from one file and injected into another
• Fileless
  • DiabloHorn/cliramdisk - A reduced functionality cli client for the imdisk ram disk driver
• Signature identification
  • hegusung/AVSignSeek - Tool written in python3 to determine where the AV signature is located in a binary/payload
  • utds3lab/multiverse - A static binary rewriter that does not use heuristics
• bash
  • tokyoneon/Armor - Armor is a simple Bash script designed to create encrypted macOS payloads capable of evading antivirus scanners
  • Bashfuscator - A fully configurable and extendable Bash obfuscation framework
• csharp
  • two06/Inception - Provides In-memory compilation and reflective loading of C# apps for AV evasion
• VBScript
  • DoctorLai/VBScript_Obfuscator - The VBScript Obfuscator written in VBScript
• VBA
  • mwrlabs/wePWNise - generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software
  • itm4n/VBA-RunPE - A VBA implementation of the RunPE technique or how to bypass application whitelisting
• HTA
  • nccgroup/demiguise - HTA encryption tool
• Crawler redirect
  • violentlydave/mkhtaccess_red - Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload

Traffic analysis evasion

• rvrsh3ll/FindFrontableDomains - Search for potential frontable domains
• redteam-cyberark/Google-Domain-fronting - Domain fronting using Google app engine
• vysec/DomainFrontingLists - A list of Domain Frontable Domains by CDN

Restriction/whitelist bypass

• Powershell
  • p3nt4/PowerShdll - Run PowerShell with rundll32. Bypass software restrictions
  • Ben0xA/nps - Not PowerShell
  • bitsadmin/nopowershell - PowerShell rebuilt in C# for Red Teaming purposes
  • Cn33liz/CScriptShell - a Powershell Host running within cscript.exe
  • leechristensen/UnmanagedPowerShell - Executes PowerShell from an unmanaged process
  • Cn33liz/p0wnedLoader
• WMI
  • 0xbadjuju/WheresMyImplant - A Bring Your Own Land Toolkit that Doubles as a WMI Provider

Sandbox detection / evasion

• David-Reguera-Garcia-Dreg/anticuckoo - A tool to detect and crash Cuckoo Sandbox
• a0rtega/pafish - a demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do
• LordNoteworthy/al-khaser - Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection
• AlicanAkyol/sems - Virtualbox, VirtualMachine, Cuckoo, Anubis, ThreatExpert, Sandboxie, QEMU, Analysis Tools Detection Tools
• Arvanaghi/CheckPlease - Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust
• hacksysteam/WpadEscape - Sandbox escape using WinHTTP Web Proxy Auto-Discovery Service

Sandbox internal security

• googleprojectzero/sandbox-attacksurface-analysis-tools - Set of tools to analyze and attack Windows sandboxes

Additional metasploit tools

• Screetsec/TheFatRat - a massive exploiting tool
• nccgroup/Winpayloads - Undetectable Windows Payload Generation
• govolution/avet - AntiVirus Evasion Tool
• Screetsec/Brutal - a toolkit to quickly create various payload
• kkar/MSF-Undetector - Metasploit python-payload obfuscation, to allow penetration testers bypass Antivirus solutions
• ceh-tn/The-Axer - The axer will replace the manual procedure of creating your payloads with msfvenom , making it easier and a lot quicker
• DanMcInerney/msf-netpwn - Waits for MSF session then automatically gets domain admin
• trustedsec/nps_payload - generate payloads for basic intrusion detection avoidance
• Veil-Framework/Veil - a tool designed to generate metasploit payloads that bypass common anti-virus solutions
• wez3/msfenum - A Metasploit auto auxiliary script
• b4rtik/HiddenPowerShellDll - This project was created to explore the various evasion techniques involving PowerShell
• DanMcInerney/msf-autoshell - Feed the tool a .nessus file and it will automatically get you MSF shell
• b4rtik/metasploit-execute-assembly - Execute assembly via Meterpreter session

Post exploitation

• BeetleChunks/redsails - a Python based post-exploitation project aimed at bypassing host based security monitoring and logging
• ElevenPaths/ibombshell - a tool written in Powershell that allows you to have a prompt at any time with post-exploitation functionalities (and in some cases exploitation)
• HanseSecure/credgrap_ie_edge - Extract stored credentials from Internet Explorer and Edge
• ropnop/windows_sshagent_extract - PoC code to extract private keys from Windows 10's built in ssh-agent service
• TheSecondSun/Bashark - Bash post exploitation toolkit
• GhostPack/Seatbelt - a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives
• Windows
  • vysec/Invoke-ProcessScan - Gives context to a system - 识别主机里的进程，尤其是安全软件
  • 3gstudent/List-RDP-Connections-History - Use powershell to list the RDP Connections History of logged-in users or all users
• RAM tools
  • cryptolok/CryKeX - Linux Memory Cryptographic Keys Extractor
  • GhostPack/SafetyKatz - SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader
  • hoangprod/AndrewSpecial - dumping lsass' memory stealthily and bypassing "Cilence" since 2019 - procdump 替代品
• Information collecting
  • 411Hall/JAWS - Just Another Windows (Enum) Script
• HTML tools
  • D4Vinci/PasteJacker - Add PasteJacking to web-delivery attacks
• Linux
  • TheSecondSun/Bashark - Bash post exploitation toolkit
  • kacperszurek/gpg_reaper - Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory
  • portcullislabs/linikatz - a tool to attack AD on UNIX
  • r3vn/punk.py - unix SSH post-exploitation 1337 tool - 枚举本机的私钥
  • JusticeRage/FFM - Freedom Fighting Mode: open source hacking harness
• Mac
  • n00py/pOSt-eX - Post-exploitation scripts for OS X persistence and privesc

Intranet tools

• MooseDojo/apt2 - automated penetration toolkit
• SpiderLabs/portia - aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised
• praetorian-inc/pentestly - a combination of expanding Python tools for use in penetration tests

Steganography

• Und3rf10w/boblobblob - hiding git blobs in plain sight
• peewpw/Invoke-PSImage - Embeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute

Source control tools

• michenriksen/gitrob - Reconnaissance tool for GitHub organizations
• peterjaric/archaeologit - Archaeologit scans the history of a user's GitHub repositories for a given pattern to find sensitive things
• dxa4481/truffleHog - Searches through git repositories for high entropy strings and secrets, digging deep into commit history
• UKHomeOffice/repo-security-scanner - CLI tool that finds secrets accidentally committed to a git repo, eg passwords, private keys
• zricethezav/gitleaks - Audit git repos for secrets
• Web tool
  • kost/dvcs-ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG...

WSL

• cervoise/Abuse-bash-for-windows - Pentest scripts for abuse Bash on Windows (Cygwin/WSL) - HackLu 2018

Sysmon tools

• mattifestation/PSSysmonTools - Sysmon Tools for PowerShell - SysmonRuleParser.ps1 可以列出本机sysmon的配置

Source code protection

• naneau/php-obfuscator - A parsing PHP obfuscator
• HikariObfuscator/Hikari - LLVM Obfuscator 停止维护，但支持 LLVM 6.X

Binary protection

• enkomio/sacara - A stack based intermediate language aimed at software protection by running in a software VM - VM壳
• UPX - the Ultimate Packer for eXecutables
• elfmaster/dsym_obfuscate - Obfuscates dynamic symbol table

Vulnerability assessments

• Network security
  • greenbone/openvas-scanner - OpenVAS remote network security scanner
  • UltimateHackers/Striker - Striker is an offensive information and vulnerability scanner
  • trimstray/sandmap - a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques
• Web security
  • Wordpress
    • UltimateLabs/Zoom - Automatic & lightning fast wordpress vulnerability scanner
    • rastating/wordpress-exploit-framework - A Ruby framework designed to aid in the penetration testing of WordPress systems
    • wpscanteam/wpscan - black box WordPress vulnerability scanner
    • n00py/WPForce - Wordpress Attack Suite
  • Dionach/CMSmap - a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs
  • Xyntax/POC-T - 渗透测试插件化并发框架
  • ysrc/xunfeng - 巡风是一款适用于企业内网的漏洞快速应急，巡航扫描系统
  • Tuhinshubhra/CMSeeK - CMS (Content Management Systems) Detection and Exploitation suite
  • smallstep/cli - A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc
  • 0xInfection/TIDoS-Framework - The Offensive Web Application Penetration Testing Framework
• evyatarmeged/Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning
• taipan-scanner/Taipan - Web Application Security Scanner (带界面)
• viraintel/OWASP-Nettacker - Automated Penetration Testing Framework
• schubergphilis/Seccubus - Easy automated vulnerability scanning, reporting and analysis
• Moham3dRiahi/XAttacker - X Attacker Tool ☣ Website Vulnerability Scanner & Auto Exploiter
• owtf/owtf - Offensive Web Testing Framework (OWTF), is a framework which tries to unite great tools and make pen testing more efficient
• m4ll0k/WAScan - a Open Source web application security scanner
• YalcinYolalan/WSSAT - WEB SERVICE SECURITY ASSESSMENT TOOL
• toyakula/luna - luna webscanner
• m4ll0k/Spaghetti - Web Application Security Scanner
• fgeek/pyfiscan - Free web-application vulnerability and version scanner
• v3n0m-Scanner/V3n0M-Scanner - Popular Pentesting scanner in Python3.6 for SQLi/XSS/LFI/RFI and other Vulns
• Fuzzapi/fuzzapi - a tool used for REST API pentesting and uses API_Fuzzer gem
• owtf - Offensive Web Testing Framework (OWTF), is a framework which tries to unite great tools and make pen testing more efficient
• siberas/watobo - a security tool for testing web applications
• ring04h/weakfilescan - 动态多线程敏感信息泄露检测工具
• bugcrowd/hunt - a proxy extension
• 1N3/BlackWidow - A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website
• flipkart-incubator/astra - Automated Security Testing For REST API's
• Manisso/fsociety - fsociety Hacking Tools Pack – A Penetration Testing Framework
  • 2018最新款渗透测试框架，Fsociety搞定各种姿势脚本
• nccgroup/wssip - Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa
• CoolerVoid/0d1n - Web security tool to make fuzzing at HTTP/S, Beta
• gyoisamurai/GyoiThon - a growing penetration test tool using Machine Learning
• Arachni/arachni - Web Application Security Scanner Framework
• andresriancho/w3af - web application attack and audit framework, the open source web vulnerability scanner
• rvrsh3ll/OSGiScanner - Scan for OSGi Consoles
• xmendez/wfuzz - facilitate the task in web applications assessments and it is based on a simple concept: it replaces any reference to the FUZZ keyword by the value of a given payload
• sullo/nikto - Nikto web server scanner
• j3ssie/Osmedeus - Automatic Reconnaisance and Scanning in Penetration Testing
• dsopas/rfd-checker - security CLI tool to test Reflected File Download issues
• flipkart-incubator/watchdog - A Comprehensive Security Scanning and a Vulnerability Management Tool
• ticarpi/jwt_tool - A toolkit for testing, tweaking and cracking JSON Web Tokens
• m4ll0k/Galileo - Galileo - Web Application Audit Framework
• 1N3/HTTPoxyScan - HTTPoxy Exploit Scanner
• SSL
  • hahwul/a2sv - Auto Scanning to SSL Vulnerability
• IIS
  • WebBreacher/tilde_enum - Takes a URL and checks the system for the tilde enum vuln and then find the files

Spiders

• Nekmo/dirhunt - Find web directories without bruteforce - 有个index of自动识别功能
• segment-srl/htcap - a web application scanner able to crawl single page application (SPA) in a recursive manner by intercepting ajax calls and DOM changes
• GerbenJavado/LinkFinder - A python script that finds endpoints in JavaScript files - 支持burpsuite导出的文件
• nahamsec/JSParser - A python 2.7 script using Tornado and JSBeautifier to parse relative URLs from JavaScript files. Useful for easily discovering AJAX requests when performing security research or bug bounty hunting
• OWASP zaproxy - AJAX Spider site
• danielmiessler/RobotsDisallowed - A harvest of the Disallowed directories from the robots.txt files of the world's top websites
• milo2012/pathbrute - Pathbrute is a DirB/Dirbuster type of tool designed to brute force directories and files names on web/application servers
• maurosoria/dirsearche - Web path scanner
• s0md3v/Photon - Incredibly fast crawler which extracts urls, emails, files, website accounts and much more
• si9int/cc.py - Extracting URLs of a specific target based on the results of "commoncrawl.org"
• jordanpotti/CloudScraper - a Tool to spider and scrape targets in search of cloud resources
• facert/awesome-spider - 爬虫集合

Dll hijack identification

• sensepost/rattler - Automated DLL Enumerator
• MojtabaTajik/Robber - Robber is open source tool for finding executables prone to DLL hijacking

Privilege escalation

• Local - windows
  • pentestmonkey/windows-privesc-check - Standalone Executable to Check for Simple Privilege Escalation Vectors on Windows Systems
  • rasta-mouse/Sherlock - PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities
  • AlessandroZ/BeRoot - Privilege Escalation Project - Windows / Linux / Mac
  • Windows-Exploit-Suggester - compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target
  • PowerShellMafia/PowerSploit/Privesc - PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations
• Local - UAC/token tool
  • hfiref0x/UACME - Defeating Windows User Account Control - UAC绕过工具，持续更新
  • 0xbadjuju/Tokenvator - A tool to elevate privilege with Windows Tokens
• Local - linux
  • WazeHell/PE-Linux - Linux Privilege Escalation Tool By WazeHell
  • mzet-/linux-exploit-suggester - Linux privilege escalation auditing tool
  • spencerdodd/kernelpop - kernel privilege escalation enumeration and exploitation framework
  • rebootuser/LinEnum - Scripted Local Linux Enumeration & Privilege Escalation Checks
  • pentestmonkey/unix-privesc-check - Automatically exported from code.google.com/p/unix-privesc-check
  • reider-roque/linpostexp - linuxprivchecker.py - a Linux Privilege Escalation Check Script
  • nilotpalbiswas/Auto-Root-Exploit - Auto Root Exploit Tool
• Active domain
  • gdedrouas/Exchange-AD-Privesc - Exchange privilege escalations to Active Directory
  • hausec/ADAPE-Script - Active Directory Assessment and Privilege Escalation Script
  • fox-it/Invoke-ACLPwn - a tool that automates the discovery and pwnage of ACLs in Active Directory that are unsafe configured

Lateral movements

• maaaaz/impacket-examples-windows - The great impacket example scripts compiled for Windows
• securifera/serviceFu - Automates credential skimming from service accounts in Windows Registry，远程注册表 + SC
• Active domain
  • l0ss/Grouper - A PowerShell script for helping to find vulnerable settings in AD Group Policy - 很有用的离线组策略分析工具，列出定时任务、MSI下发、防火墙设置等等
    • Get-GPTrashFire - 介绍功能的PPT
  • sense-of-security/ADRecon - a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment
  • NetSPI/goddi - go dump domain info - dumps Active Directory domain information
  • the-useless-one/pywerview - A (partial) Python rewriting of PowerSploit's PowerView
  • sixdub/DomainTrustExplorer - Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output - 结合 Invoke-MapDomainTrusts 一起使用
  • DanMcInerney/icebreaker - Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
  • Tylous/Vibe - A framework for stealthy domain reconnaissance
  • Arno0x/NtlmRelayToEWS - ntlm relay attack to Exchange Web Services
• Bloodhound series
  • fox-it/BloodHound.py - A Python based ingestor for BloodHound
  • BloodHoundAD/SharpHound - The BloodHound C# Ingestor
  • GoFetchAD/GoFetch - a tool to automatically exercise an attack plan generated by the BloodHound application
  • vysecurity/ANGRYPUPPY - Bloodhound Attack Path Automation in CobaltStrike
  • fox-it/aclpwn.py - Active Directory ACL exploitation with BloodHound
  • The Dog Whisperer’s Handbook - Bloodhound 详细说明 + neo4j测试数据库
• WMI
  • Cybereason/Invoke-WMILM - a PoC script for various methods to acheive authenticated remote code execution via WMI, without (at least directly) using the Win32_Process class
• LDAP
  • ropnop/windapsearch - Python script to enumerate users, groups and computers from a Windows domain through LDAP queries
  • shellster/LDAPPER - AD LDAP Command Line Searching that doesn't suck
• SMB
  • portcullislabs/enum4linux - a Linux alternative to enum.exe for enumerating data from Windows and Samba hosts
  • ShawnDEvans/smbmap - SMBMap is a handy SMB enumeration tool - 不要测试域控，sysvol默认可写不可删除
  • kavika13/RemCom - Remote Command Executor: A OSS replacement for PsExec and RunAs - or Telnet without having to install a server
• DCOM
  • codewhitesec/LethalHTA - Lateral Movement technique using DCOM and HTA
  • sud0woodo/DCOMrade - Powershell script for enumerating vulnerable DCOM Applications
• WMI
  • checkymander/Sharp-InvokeWMIExec - A native C# conversion of Kevin Robertsons Invoke-WMIExec powershell script.
  • packer-community/winrmcp - Copy files to a remote host using WinRM
  • FortyNorthSecurity/WMIOps - a powershell script which uses WMI for various purposes across a network
• Kerberos
  • GhostPack/Rubeus - Trying to tame the three-headed dog
  • cyberark/RiskySPN - Detect and abuse risky SPNs
  • ccache2john.py - ccache也可以爆破
• PTH
  • byt3bl33d3r/pth-toolkit - Modified version of the passing-the-hash tool collection (https://code.google.com/p/passing-the-hash/) made to work straight out of the box
  • Kevin-Robertson/Invoke-TheHash - PowerShell Pass The Hash Utils
  • mkellerman/Invoke-CommandAs - Invoke Command as System/User on Local/Remote computer using ScheduleTask
• Printer
  • vletoux/SpoolerScanner - Check if MS-RPRN is remotely available with powershell/c#
  • BusesCanFly/PRETty - "PRinter Exploitation Toolkit" LAN automation tool

Industrial Control System / SCADA

• dark-lbp/isf - ISF(Industrial Control System Exploitation Framework)，a exploitation framework based on Python
• scadastrangelove/SCADAPASS - SCADA StrangeLove Default/Hardcoded Passwords List

Mail system

• TKCERT/mail-security-tester - A testing framework for mail security and filtering solutions
• pwnsdx/Mailsploit - (Released in December 2017) Mailsploit is a collection of bugs in email clients that allow effective sender spoofing and code injection attacks

Java tools

• fmtn/a - ActiveMQ CLI testing and message management
• frohoff/ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization
• mbechler/marshalsec - Java Unmarshaller Security - Turning your data into code execution
• matthiaskaiser/jmet - Java Message Exploitation Tool
• NickstaDB/SerializationDumper - A tool to dump Java serialization streams in a more human readable form
• siberas/sjet - siberas JMX exploitation toolkit
• NickstaDB/BaRMIe - Java RMI enumeration and attack tool
• hengyunabc/dumpclass - Dump classes from running JVM process
• quentinhardy/jndiat - JNDI Attacking Tool

Phishing

• drk1wi/Modlishka - Reverse Proxy. Phishing NG
• kgretzky/evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, alowing to bypass 2-factor authentication
• UndeadSec/SocialFish - Ultimate phishing tool with Ngrok integrated
• omergunal/PoT - Phishing on Twitter
• dutchcoders/ares - Phishing toolkit for red teams and pentesters
• ryhanson/phishery - An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector
• threatexpress/domainhunter - Checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names
• enigma0x3/Invoke-LoginPrompt - Invokes a Windows Security Login Prompt and outputs the clear text password
• Mr-Un1k0d3r/CatMyFish - Search for categorized domain that can be used during red teaming engagement
• jofpin/trape - People tracker on the Internet: Learn to track the world, to avoid being traced
• L4bF0x/PhishingPretexts - A library of pretexts to use on offensive phishing engagements
• pentestgeek/phishing-frenzy - Ruby on Rails Phishing Framework
• BishopFox/spoofcheck - Simple script that checks a domain for email protections
• nccgroup/typofinder - A finder of domain typos showing country of IP address
• thelinuxchoice/blackeye - The most complete Phishing Tool, with 32 templates +1 customizable
• gophish - open-source phishing toolkit designed for businesses and penetration testers
• securestate/king-phisher - Phishing Campaign Toolkit
• Raikia/FiercePhish - a full-fledged phishing framework to manage all phishing engagements
• bhdresh/SocialEngineeringPayloads - a collection of social engineering tricks and payloads being used for credential theft and spear phishing attacks
• ustayready/CredSniper - a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens
• freeCodeCamp/mail-for-good - An open source email campaign management tool for nonprofits
• fox-it/Invoke-CredentialPhisher
• OAuth
  • fireeye/PwnAuth - A web application framework for launching and managing OAuth abuse campaigns
• Homograph
  • UndeadSec/EvilURL - Generate unicode evil domains for IDN Homograph Attack and detect them
• iOS
  • manwhoami/MMeTokenDecrypt - Decrypts and extracts iCloud and MMe authorization tokens on Apple macOS / OS X
• Email
  • SimplySecurity/SimplyTemplate - Phishing Template Generation Made Easy
• Form builder
  • Online Form Builder Tool | FormCrafts

Social engineering

• zizaltuntas/Camelishing - Social Engineering Tool
• trustedsec/social-engineer-toolkit - The Social-Engineer Toolkit (SET) repository from TrustedSec
• SpiderLabs/social_mapper - A Social Media Enumeration & Correlation Tool by Jacob Wilkin(Greenwolf) - 根据头像，自动识别fb/lnkd等不同平台的账号，是不是同一个人的

Dorks

• techgaun/github-dorks - Collection of github dorks and helper tool to automate the process of checking dorks
• Google dorks
  • exploit-db: Google Hacking Database (GHDB)
  • The definitive super list for "Google Hacking"

SSTI

• epinna/tplmap - Server-Side Template Injection and Code Injection Detection and Exploitation Tool

XSS

• s0md3v/AwesomeXSS - Awesome XSS stuff
• koto/xsschef - Chrome extension Exploitation Framework
• riusksk/FlashScanner - Flash XSS Scanner
• s0md3v/XSStrike - Most advanced XSS detection suite
• ssl/ezXSS - ezXSS is an easy way to test (blind) XSS
• LewisArdern/bXSS - a simple Blind XSS application adapted from https://cure53.de/m
• mandatoryprogrammer/xsshunter - The XSS Hunter service - a portable version of XSSHunter.com
• faizann24/XssPy - Web Application XSS Scanner
• ajinabraham/OWASP-Xenotix-XSS-Exploit-Framework - an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework 结合多种浏览器引擎
• Chrome plugins
  • bugbountyforum/XSS-Radar - a tool that detects parameters and fuzzes them for XSS
• raz-varren/xsshell - An XSS reverse shell framework
• beefproject/beef - The Browser Exploitation Framework Project

Browser tool

• PortSwigger/hackability - Probe a rendering engine for vulnerabilities and other features
• nettitude/Invoke-PowerThIEf - The PowerThIEf, an Internet Explorer Post Exploitation library

XXE

• BuffaloWill/oxml_xxe - A tool for embedding XXE/XML exploits into different filetypes
• TheTwitchy/xxer - A blind XXE injection callback handler. Uses HTTP and FTP to extract information
• enjoiz/XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods
• GDSSecurity/xxe-recursive-download - exploits XXE to retrieve files from a target server. It obtains directory listings and recursively downloads file contents

File upload

• almandin/fuxploider - File upload vulnerability scanner and exploitation tool
• 3xp10it/xupload - A tool for automatically testing whether the upload function can upload webshell
• c0ny1/upload-fuzz-dic-builder - 上传漏洞fuzz字典生成脚本

SQLi

• stamparm/DSSS - Damn Small SQLi Scanner
• WhitewidowScanner/whitewidow - SQL Vulnerability Scanner
• Coalfire-Research/sqlinator - Automatically forward HTTP GET & POST requests to SQLMap's API to test for SQLi and XSS
• 0x3curity/TheDoc - a simple but very useful SQLMAP automator with built in admin finder, hash cracker(using hashca) and more!
• jesuiscamille/AutoSQLi - An automatic SQL Injection tool which takes advantage of DorkNet Googler, Ddgr, WhatWaf and sqlmap

CMDi

• commixproject/commix - Automated All-in-One OS command injection and exploitation tool
• ewilded/shelling - SHELLING - a comprehensive OS command injection payload generator

Directory Traversal

• jcesarstef/dotdotslash - An tool to help you search for Directory Traversal Vulnerabilities
• D35m0nd142/LFISuite - Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner

CI Tools

• kacperszurek/pentest_teamcity - Pentest TeamCity using Metasploit

Splunk

• tevora-threat/splunk_pentest_app - Tevora Splunk Penetration Testing Applicaton

Captcha tools

• ecthros/uncaptcha2 - defeating the latest version of ReCaptcha with 91% accuracy

Office

• byt3bl33d3r/SprayingToolkit - Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
• dafthack/MailSniper - a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms
• sensepost/ruler - A tool to abuse Exchange services
• Quickbreach/ExchangeRelayX - An NTLM relay tool to the EWS endpoint for on-premise exchange servers
• mikesiegel/ews-crack - EWS basic authentication bruteforce tool
• nccgroup/OutlookLeakTest - List of HTML tags that might send requests to other resources automatically or by user interaction
• sensepost/SPartan - Frontpage and Sharepoint fingerprinting and attack tool
• Office 365
  • vysec/checkO365 - a tool to check if a target domain is using O365
  • LMGsec/Magic-Unicorn-Tool - This is the beta release of our Office 365 Activities API report parsing tool
• Lync
  • mdsecresearch/LyncSniper - A tool for penetration testing Skype for Business and Lync deployments
  • nyxgeek/lyncsmash - locate and attack Lync/Skype for Business

VoIP

• Viproy VoIP Penetration Testing and Exploitation Kit
• jesusprubio/bluebox-ng - Pentesting framework using Node.js powers, focused in VoIP
• eurialo/vsaudit - VOIP Security Audit Framework

MITM

• Responder
  • NotMedic/NetNTLMtoSilverTicket - SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket - 需要用彩虹表还原NetNTLMv1，有免费在线服务
  • crack.sh | The World's Fastest DES Cracker
• infobyte/evilgrade - a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates
• Cisco-Talos/Decept - Decept Network Protocol Proxy
• samdenty99/injectify - Perform advanced MiTM attacks on websites with ease
• citronneur/rdpy - Remote Desktop Protocol in Twisted Python
• SySS-Research/Seth - Perform a MitM attack and extract clear text credentials from RDP connections
• LionSec/xerosploit - Efficient and advanced man in the middle framework
• bettercap - The state of the art network attack and monitoring framework
• whitel1st/GP_Hijack - Group Policy Hijacking
• pdjstone/wsuspect-proxy - Python tool to inject fake updates into unencrypted WSUS traffic
• Kevin-Robertson/Inveigh - a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
• FluxionNetwork/fluxion - the future of MITM WPA attacks
• quickbreach/smbetray - a MiTM tool with a focus on attacking clients through file content swapping, lnk swapping, as well as compromising any data passed over the wire in cleartext
• LeonardoNve/edm - EDM proxy for infecting files on-the-fly
• fox-it/mitm6 - a pentesting tool that exploits the default configuration of Windows to take over the default DNS server
• mrexodia/haxxmap - Some simple go tools to perform a Man-in-the-middle (MITM) attack on your IMAP server in case you forgot your password
• DanMcInerney/LANs.py - Inject code and spy on wifi users - 停止维护了
• GoSecure/pyrdp - RDP man-in-the-middle and library for Python 3 with the ability to watch connections live or after the fact

Log/traffic disruption

• 1tayH/noisy - A simple python script that generates random HTTP/DNS traffic noise in the background while you go about your regular web browsing, to make your web traffic data less valuable for selling and for extra obscurity

Proxy

• realgam3/pymultitor - Python Multi Threaded Tor Proxy
• artkond/rpivot - socks4 reverse proxy for penetration testing
• txthinking/brook - Brook is a cross-platform(Linux/MacOS/Windows/Android/iOS) proxy software
• audibleblink/doxycannon - A poorman's proxycannon and botnet, using docker, ovpn files, and a dante socks5 proxy
• trimstray/multitor - A tool that lets you create multiple TOR instances with a load-balancing traffic between them by HAProxy
• fwon/electron-anyproxy - A http/https proxy client, using to analyze and mock
• proxpy 插件，请求来的时候自动获取ticket并增加头
• Hackplayers/4nonimizer - A bash script for anonymizing the public IP used to browsing Internet, managing the connection to TOR network and to different VPNs providers (OpenVPN)
• Pool
  • SpiderClub/haipproxy - High available ip proxy pool, powerd by Scrapy and Redis
  • constverum/ProxyBroker - Proxy [Finder | Checker | Server]. HTTP(S) & SOCKS
  • pry0cc/ProxyDock - a Dockerfile and Bash script that converts your OpenVPN files into local proxies
  • imWildCat/scylla - Intelligent proxy pool for Humans™，为人类设计的智能代理池
• Tunnel
  • WireGuard - an extremely simple yet fast and modern VPN
  • ntop/n2n - Peer-to-peer VPN
  • sshuttle - Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling
  • TarlogicSecurity/SaSSHimi - SSH Tunnelling in "RAW mode", via STDIN/OUT without using forwarding channels
  • fbkcs/ThunderDNS - forward TCP traffic over DNS protocol, with socks5 support
  • ginuerzh/gost - GO Simple Tunnel - 支持的协议非常多，但只是单向的
• Free proxy list
  • https://www.sslproxies.org/
• Anonymous network
  • I2P Anonymous Network
  • Tor: strength in numbers

Sniffer / packet manipulation

• CylanceSPEAR/SMBTrap - Tools developed to test the Redirect to SMB issue
• troglobit/nemesis - A command-line network packet crafting and injection utility
• shirosaidev/sharesniffer - a network analysis tool for finding open and closed file shares on your local network
• shramos/polymorph - Polymorph is a real-time network packet manipulation framework with support for almost all existing protocols
• nospaceships/raw-socket-sniffer - Packet capture on Windows without a kernel driver
• Packet analysis
  • DanMcInerney/net-creds - Sniffs sensitive data from interface or pcap
  • NytroRST/NetRipper - Smart traffic sniffing for penetration testers
• Wireshark addons
  • CoreSecurity/SAP-Dissection-plug-in-for-Wireshark - This Wireshark plugin provides dissection on SAP's NI, Message Server, Router, Diag and Enqueue protocols
  • pentesteracademy/patoolkit - PA Toolkit is a collection of traffic analysis plugins focused on security - LUA 插件

Router

• Gilks/hostscan-bypass - Generate OpenConnect CSD files to bypass Cisco AnyConnect hostscan requirements

VLAN

• commonexploits/vlan-hopping - Easy 802.1Q VLAN Hopping

IPv6

• dlrobertson/sylkie - IPv6 address spoofing with the Neighbor Discovery Protocol

Mobile

• nettitude/scrounger - Mobile application testing toolkit

Physical

• meitar/awesome-lockpicking - A curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys
• xpinclip - Bruteforce forensics solution for PIN & PatternLock

Burpsuite plugins (remove if uploaded to BApp's store)

• snoopysecurity/awesome-burp-extensions - A curated list of amazingly awesome Burp Extensions
• NetSPI/BurpExtractor - A Burp extension for generic extraction and reuse of data within HTTP requests and responses
• GoSecure/burp-ntlm-challenge-decoder - Burp extension to decode NTLM SSP headers and extract domain/host informatio
• yandex/burp-molly-scanner - Turn your Burp suite into headless active web application vulnerability scanner
• summitt/Burp-Non-HTTP-Extension - Non-HTTP Protocol Extension (NoPE) Proxy and DNS for Burp Suite
• tijme/graphwave - A Burp Suite extension that detects similar CFG-paths from HTTP responses in a black box manner
• lgrangeia/aesburp - Burp Extension to manipulate AES encrypted payloads
• bit4woo/reCAPTCHA - A Burp Suite Extender that recognize CAPTCHA and use for intruder payload
• wagiro/BurpBounty - is a extension of Burp Suite that improve an active and passive scanner by yourself
• romanzaikin/BurpExtension-WhatsApp-Decryption-CheckPoint
• federicodotta/Brida - The new bridge between Burp Suite and Frida!
  • when burpsuite meets frida
• bayotop/sink-logger - Transparently log all data passed into known JavaScript sinks - Sink Logger extension for Burp
• nccgroup/Extractor - Automating Repetitive Decoding and Re-Encoding Steps for Burp Suite
• 0x4D31/burpa - Burp-Automator: A Burp Suite Automation Tool with Slack Integration
• modzero/interestingFileScanner - extends Burp Suite's active scanner, with scans for interesting files and directories
• nccgroup/BurpSuiteHTTPSmuggler - bypass WAFs or test their effectiveness using a number of techniques
• technotame/dangerous-methods - finding the use of potentially dangerous methods/functions in Javascript, jQuery, AngularJS, and others
• Ebryx/AES-Killer - Burp plugin to decrypt AES Encrypted traffic of mobile apps on fly
• bayotop/off-by-slash - Burp extension to detect alias traversal via NGINX misconfiguration at scale
• destine21/ZIPFileRaider - Burp Extension for ZIP File Payload Testing
• Lopseg/Jspathextractor - Jsdir is an Burp Suite extension that extract hidden paths from js files and beatify it for futher reading

X11

• feexd/vbg - Visual Basic GUI: A Tool to Inject Keystrokes on a SSH Client via an X11 Forwarded Session - 利用XTEST反向攻击客户端

Persistence

• SECFORCE/Tunna - a set of tools which will wrap and tunnel any TCP communication over HTTP
• 0x00-0x00/ShellPop - Pop shells like a master
• emptymonkey/mimic - a tool for covert execution on Linux x86_64
• ulissescastro/linux-native-backdoors - Repository holding all alternatives of nix backdoors
• TestingPens/MalwarePersistenceScripts - A collection of scripts I've written to help red and blue teams with malware persistence techniques
• nettitude/PoshC2 - Powershell C2 Server and Implants
• WNF - Windows Notification Facilities
  • ustayready/CasperStager - PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls
  • citronneur/volatility-wnf - Browse and dump Windows Notification Facilities
  • ionescu007/wnfun - WNF Utilities 4 Newbies (WNFUN)
• PE Patch
  • secretsquirrel/the-backdoor-factory - Patch PE, ELF, Mach-O binaries with shellcode (停止维护了)
  • xan7r/cypher - Simple tool to automate adding shellcode to PE files
• WebShell
  • epinna/weevely3 - Weaponized web shell
  • nil0x42/phpsploit - Stealth post-exploitation framework
  • rebeyond/Behinder - “冰蝎”动态二进制加密网站管理客户端
  • .NET
    • Ivan1ee/svcLessSpy - 探索基于.NET下实现一句话木马之SVC篇
    • Ivan1ee/ashxLessSpy - 探索基于.NET下实现一句话木马之ashx篇
    • Ivan1ee/asmxLessSpy - 探索基于.NET下实现一句话木马之asmx篇
    • Ivan1ee/NetDLLSpy - 探索基于.NET下实现一句话木马之DLL篇
• Reverse shells
  • emptymonkey/revsh - A reverse shell with terminal support, data tunneling, and advanced pivoting capabilities
  • mthbernardes/rsg - A tool to generate various ways to do a reverse shell
  • blacknbunny/mcreator - Encoded Reverse Shell Generator With Techniques To Bypass AV's
• RAT
  • byt3bl33d3r/SILENTTRINITY - A post-exploitation agent powered by Python, IronPython, C#/.NET - 内存加载方式，但是要求 .NET 4.5
  • orangetw/tsh - an open-source UNIX backdoor
  • zerosum0x0/koadic - Koadic C3 COM Command & Control - JScript RAT
  • TheM4hd1/Vayne-RaT - An Advanced C# .NET Rat
  • tiagorlampert/CHAOS - CHAOS allow generate payloads and control remote Windows systems
  • colental/byob - BYOB (Build Your Own Botnet)
  • Souhardya/Uboat - HTTP Botnet Project
  • audibleblink/gorsh - A Golang Implant and Tmux-driven C2 Interface
  • quasar/QuasarRAT - Remote Administration Tool for Windows （要求 DotNet 4.X）
  • Ne0nd0g/merlin - Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang
  • n1nj4sec/pupy - an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python
  • nathanlopez/Stitch - A Python Remote Administration Tool (RAT)
  • trustedsec/trevorc2 - a legitimate website (browsable) that tunnels client/server communications for covert command execution
  • maldevel/canisrufus - A stealthy Python based Windows backdoor that uses Github as a command and control server
  • Mr-Un1k0d3r/ThunderShell - Python / PowerShell based RAT
  • byt3bl33d3r/gcat - A PoC backdoor that uses Gmail as a C&C server
  • NYAN-x-CAT/Lime-RAT - Simple, yet powerful remote administration tool for Windows
  • OSX
    • Marten4n6/EvilOSX - An evil RAT (Remote Administration Tool) for macOS / OS X
    • neoneggplant/EggShell - iOS/macOS/Linux Remote Administration Tool
• WMI
  • Sw4mpf0x/PowerLurk - Malicious WMI Events using PowerShell
  • gist: Fileless WMI persistence payload template
  • n0pe-sled/WMI-Persistence - an adoption of @mattifestion's work
• Rootkit - Linux
  • milabs/awesome-linux-rootkits
  • mempodippy/vlany - Linux LD_PRELOAD rootkit (x86 and x86_64 architectures)
  • gianlucaborello/libprocesshider - Hide a process under Linux using the ld preloader
  • Screetsec/Vegile - simple LD_PRELOAD backdoor
  • iansus/hideproc-lkm - Linux 4.9 Loadable Kernel Module to hide processes from system utilities
  • f0rb1dd3n/Reptile - LKM Linux rootkit
  • maK-/maK_it-Linux-Rootkit - This is a linux rootkit using many techniques (2016 年的，太老了，只做个参考)
  • mncoppola/suterusu - An LKM rootkit targeting Linux 2.6/3.x on x86/x64/ARM - 用的ioctl hook方式
• Rootkit - Windows
  • 0xbaadf00d/deadlands-windows-dkom - Windows DKOM : Hide Processus
  • devoteam-fr/CERT - kernel process hiding POC
• ACL backdoors
  • HarmJ0y/DAMP - The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification
• CLSID hijack
  • gist: countercept/Get-LibraryMS.ps1 - Checks the %USERPROFILE% directory for any file with library-ms extension and extract the CLSID
  • darkw1z/Ps1jacker - Ps1jacker is a tool for generating COM Hijacking payload
• Package distrubition backdoors
  • mschwager/0wned - Code execution via Python package installation
• Java
  • airman604/jdbc-backdoor - A fake JDBC driver that allows OS command execution

Binary backdooring

• secretsquirrel/BDFProxy - Patch Binaries via MITM: BackdoorFactory + mitmProxy - 貌似停止更新了
• JonDoNym/peinjector - peinjector - MITM PE file infector
• awgh/binjection - Injects additional machine instructions into various binary formats

Empire addons

• byt3bl33d3r/DeathStar - Automate getting Domain Admin using Empire
• tearsecurity/firstorder - A traffic analyzer to evade Empire's communication from Anomaly-Based IDS

Driver loader - Windows

• SamLarenN/CPUZ-DSEFix - Exploiting CPU-Z Driver To Turn Load Unsigned Drivers
• hfiref0x/TDL - Driver loader for bypassing Windows x64 Driver Signature Enforcement
• tandasat/ExploitCapcom - a standalone exploit for a vulnerable feature in Capcom.sys
• notscimmy/libcapcom - Capcom driver exploit wrapper
• FuzzySecurity/Capcom-Rootkit - Capcom Rootkit Proof-Of-Concept
• Professor-plum/Reflective-Driver-Loader - a injection technique base off Reflective DLL injection by Stephen Fewer.

Nmap addons

• Scripts
  • cldrn/nmap-nse-scripts - My collection of nmap NSE scripts
  • vulnersCom/nmap-vulners - NSE script based on Vulners.com API
• Dashboard
  • Rev3rseSecurity/WebMap - Nmap Web Dashboard and Reporting

Radius

• ANSSI-FR/audit-radius - A RADIUS authentication server audit tool

Social media analysis

• vaguileradiaz/tinfoleak - The most complete open-source tool for Twitter intelligence analysis
• batuhaniskr/twitter-intelligence - Twitter Intelligence OSINT project performs tracking and analysis of the Twitter

Certificate tools

• trimstray/sslmerge - help you build a valid SSL certificate chain from the root certificate to the end-user certificate
• paranoidninja/Pandoras-Box - CarbonCopy.py - Creates a Spoofed Copy of a Signing Certificate

Uncategorized

• CyberChef - The Cyber Swiss Army Knife - 编码工具，单文件HTML实现
  • A list of cyber-chef recipes
• secgroundzero/warberry - Tactical Exploitation
• CIRCL/AIL-framework - AIL framework - Analysis Information Leak framework
• vysec/IPFuscator - A tool to automatically generate alternative IP representations
• mattifestation/BCD - a module to interact with boot configuration data (BCD) either locally or remotely using the ROOT/WMI:Bcd* WMI classes. The functionality of the functions in this module mirror that of bcdedit.exe
• NullArray/AutoSploit - Automated Mass Exploiter
• mar10/wsgidav - a generic WebDAV server written in Python and based on WSGI
• archerysec/archerysec - Open Source Vulnerability Assessment and Management helps developers and pentesters to perform scans and manage vulnerabilities
• 1N3/Sn1per - Automated Pentest Recon Scanner
• xdavidhu/lanGhost - A LAN dropbox chatbot controllable via Telegram
• guardicore/monkey - Infection Monkey - An automated pentest tool
• 0xSobky/HackVault - A container repository for my public web hacks!
• salesforce/hassh - a network fingerprinting standard which can be used to identify specific Client and Server SSH implementations
• mdsecactivebreach/Chameleon - Chameleon: A tool for evading Proxy categorisation
• ropnop/serverless_toolkit - A collection of useful Serverless functions I use when pentesting
• NotSoSecure/Blacklist3r - accumulate the secret keys / secret materials related to various web frameworks, that are publicly available and potentially used by developers
• GhostManager/DomainCheck - assist operators with monitoring changes related to their domain names. This includes negative changes in categorization, VirusTotal detections, and appearances on malware blacklists

Resources

Tutorials

• exploit-db: SAP Penetration Testing
• exploitdb: 44319 - Web Application penetration testing
• The Bug Hunters Methodology v2.1
• yeyintminthuhtut/Awesome-Red-Teaming - List of Awesome Red Teaming Resources
• Running Your Instance of Burp Collaborator Server
• A Journey Into a Red Tea - Charles F. Hamilton

Writeups

• List of bug bounty writeups (2012-2018)
• ngalongc/bug-bounty-reference - Inspired by https://github.com/djadmin/awesome-bug-bounty, a list of bug bounty write-up that is categorized by the bug nature

Wiki

• 0xRadi/OWASP-Web-Checklist - OWASP Web Application Security Testing Checklist

Whitepaper collections

• bl4de/security_whitepapers - Collection of misc IT Security related whitepapers, presentations, slides - hacking, bug bounty, web application security, XSS, CSRF, SQLi
• tpn/pdfs - PDF Collection

Bug bounty

• arkadiyt/bounty-targets-data - This repo contains hourly-updated data dumps of Hackerone/Bugcrowd scopes that are eligible for reports

Pentest reports

• juliocesarfort/public-pentesting-reports - Curated list of public penetration test reports released by several consulting firms and academic security groups