Skip to content

Latest commit

 

History

History
1336 lines (636 loc) · 70.2 KB

xiaoxiaoleo.md

File metadata and controls

1336 lines (636 loc) · 70.2 KB
Raw

Awesome Stars Awesome

A curated list of my GitHub stars! Generated by starred

Contents

ASP

AutoHotkey

  • OneQuick - windows快捷键工具(屏幕边缘操作, 剪贴板增强). Autohotkey tool (screen border operation, clipboard manager).

Batchfile

  • WinSystemHelper - A tool that checks and downloads scripts that will aid with privilege escalation on a Windows system.

C

  • audisp-cef - CEF plugin for audisp (Linux Audit)

  • audit-cef - Auditd CEF support via Audispd plugin

  • snoopy - Log every executed command to syslog (a.k.a. Snoopy Logger).

  • HSEVD-ArbitraryOverwriteGDI - HackSys Extreme Vulnerable Driver - ArbitraryOverwrite Exploit using GDI

  • Atlas - A high-performance and stable?proxy for MySQL, it is developed by Qihoo's DBA and infrastructure team

  • mysql-proxy - MySQL Proxy is a simple program that sits between your client and MySQL server(s) and that can monitor, analyze or transform their communication. Its flexibility allows for a wide variety of uses, including load balancing, failover, query analysis, query filtering and modification, and many more.

  • eventlog-to-syslog - This is a fork of the codebase over at http://code.google.com/p/eventlog-to-syslog/ at revision 42. I've made some changes to bring some timestamp compliance with RFC5424.

  • 0d1n - Web security tool to make fuzzing at HTTP, Beta

  • tpm-luks - LUKS support for storing keys in TPM NVRAM

  • TheFatRat - Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most AV software protection .

  • ssl-kill-switch2 - Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and OS X Apps

  • t50 - mixed packet injector tool

  • Watson - A lightweight packet capture application

  • tls-fingerprinting - TLS Fingerprinting

  • duo_unix - Duo two-factor authentication for Unix systems

  • proxenet - The REAL^WONLY Hacker-Friendly proxy for web application pentests.

  • redis - THIS PROJECT IS OBSOLETE. This is an older version of the Redis key-value store (Win32 / Win64 port with Windows service and installer/setup).

  • raptor_waf - Raptor - WAF - Web application firewall using DFA [ Current version ] - Beta

  • Scan-T - a new crawler based on python with more function including Network fingerprint search

  • phptrace - A tracing and troubleshooting tool for PHP scripts.

  • ossec-hids - OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.

C#

C++

  • firesheep - A Firefox extension that demonstrates HTTP session hijacking attacks.

  • Remote - 远程控制项目

  • sedutil - DTA sedutil Self encrypting drive software

  • IDAplugins-1 - ida插件

  • HTTP-Over-Protocol - HOP: A proxy server to enable arbitrary protocols behind an HTTP proxy

  • ssf - Secure Socket Funneling - Network tool and toolkit - TCP and UDP port forwarding, SOCKS, relay protocol, cross platform shell, standalone and cross platform

  • network_backdoor_scanner - This is a backdoor about discover network device ,and it can hidden reverse connecting the hacker's server with encrypt commuication 后渗透后门程序,适合在已经攻陷的内网中做下一步的网络信息扫描..

  • hardseed - SEX IS ZERO (0), so, who wanna be the ONE (1), aha?

  • binmap - system scanner

  • vuln_javascript - 模拟一个存在漏洞的JavaScript 运行环境,用来学习浏览器漏洞原理和练习如何编写Shellcode (a JavaScript Execute Envirment which study browser vuln and how to write Shellcode ) ..

  • shadowd - The Shadow Daemon web application firewall server

  • SimpleBackdoor - Remote Windows shell

  • Sethc_BackDoor - SHIFT后门,适用于windows xp\2003 server\2008 server

  • sofa-pbrpc - A light-weight RPC implement of google protobuf RPC framework.

  • fibjs - JavaScript on Fiber (based on Chrome V8 engine)

CSS

  • Fido-doc - Fido 协议的一些文档

  • chromebackdoor - Chromebackdoor is a pentest tool, this tool use a MITB technique for generate a windows executable ".exe" after launch run a malicious extension or script on most popular browsers, and send all DOM datas on command and control.

  • celeryproject - The official Celery Project website

  • ZVulDrill - Web漏洞演练平台

  • ArtistWebsite - This is a website for Artists to manage their own on-line presence. The objective is to enable them to simply and easily upload images, tag them with metadata, and edit text, news, cv etc. Written using Mongo-db, Bootstrap, Node.js and Express the intention is that this should be very easy to deploy, customise and run.

CoffeeScript

Go

HTML

  • Secure-Host-Baseline - Configuration guidance and files in support of the DoD Windows 10 Secure Host Baseline. iadgov

  • HoneyDB-Legacy - Database and web interface for HoneyPy honeypot logs

  • honeypy - A simple web app honeypot project which leverages SimpleHTTPServer and has a classic theme from the 80's

  • vulnreport - Open-source pentesting management and automation platform by Salesforce Product Security

  • shapps - Another uliweb app collection project

  • styleguide - Style guides for Google-originated open-source projects

  • docs.sintheticlabs.com - 0day hacker documents stolen from the cia

  • AutoSqli - This is a web manager of sqlmapapi

  • online-passive-scanner - The passive online scanner makes OWTF passive testing through third party websites more accessible for everyone.

  • Hospital - OpenPower工作组收集汇总的医院开放数据

  • w3af-moth - A set of vulnerable PHP scripts used to test w3af's vulnerability detection features.

  • LocalNetworkScanner - PoC Javascript that scans your local network when you open a webpage

  • OWASP-mth3l3m3nt-framework - OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. It fosters a principle of attack the web using the web as well as pentest on the go through its responsive interface.

  • fuzzdb - 一个fuzzdb扩展库

  • pinax-theme-bootstrap - A theme for Pinax based on Twitter's Bootstrap

  • HTMLFuzzer -

  • BroDomain - 兄弟域名查询

  • CTFd - CTFs as you need them

Hack

  • fbctf - Platform to host Capture the Flag competitions

IDL

Java

  • ledger-javacard - Ledger Unplugged - Java Card implementation of Ledger Bitcoin Hardware Wallet

  • git-plugin - Git plugin for Jenkins

  • SecurityShepherd - Web and mobile application security training platform

  • HuobiRobot - 火币网自动交易机器人

  • druid - ♨️ 为监控而生的数据库连接池!

  • medusa-gui - A graphical user interface for the medusa brute forcing utility. http://wiki.taksmind.com//index.php?title=Medusa-gui

  • spring-cloud-microservice-example - An example project that demonstrates an end-to-end cloud native application using Spring Cloud for building a practical microservices architecture.

  • diva-android - DIVA Android - Damn Insecure and vulnerable App for Android

  • chaincloud-v -

  • JustTrustMe - An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning

  • DingDingUnrecalled - 防止钉钉撤回

  • FakeXX - Make fake location information to wechat using xposed framework

  • burp-extension - A BurpSuite extension for lair

  • BurpShare - an extension to Burp Suite that allows for real-time target sharing

  • pentestdb - WEB渗透测试数据库

  • BurpSuiteLoggerPlusPlus - Burp Suite Logger++: Log activities of all the tools in Burp Suite

  • pcap-burp - Pcap importer for Burp

  • XXEBugFind - A tool for detecting XML External Entity (XXE) vulnerabilities in Java applications

  • CoyoteReader2 - I'm learning about Android apps by developing an RSS reader for Inoreader

  • ysoserial - A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

  • Flym - Flym News Reader is a light and modern Android feed reader, based on Sparse rss.

  • OWASP-WebScarab - OWASP WebScarab

  • android-vts - Android Vulnerability Test Suite - In the spirit of open data collection, and with the help of the community, let's take a pulse on the state of Android security. NowSecure presents an on-device app to test for recent device vulnerabilities.

  • JavaPayload - JavaPayload is a collection of pure Java payloads to be used for post-exploitation from pure Java exploits or from common misconfigurations (like not password protected Tomcat manager or debugger port).

  • crawljax - Crawljax: Crawling JavaScript-based Ajax Web Applications

  • MSpider - 基于词频密度过滤、利用百度、谷歌、搜搜、360搜索4个引擎为种子来源的多线程爬虫,结果存入mysql。

  • BurpSentinel - GUI Burp Plugin to ease discovering of security holes in web applications

  • storm-crawler - Web crawler SDK based on Apache Storm

  • brother-share - 介绍:这个是用来分享大家学习中使用的资料的,一个人学习,不如大家一起学习 基于adobe提供的一个文件帐号,来达到共享学习资料的模式,建议都传pdf的文档上来 国内登录,有些慢,需要一点耐心,但是能实现各个终端同步阅读pdf,同时又不用泄漏其他比较隐私的账号 网址:https://files.acrobat.com/ 账号:[email protected] 密码:just978060500 每次上传了文件之后 建议 都更新一下根目录下面的update.log文件 文件每个条目大概如下: ---------------------------------------------------------------------------------- 时间:(上传文件的时间) 上传人:(分享文件的人,最好是用名字拼音,比如tuanwang.liu,linfeng.xu) 文件目录:(上传的文件目录,用/代表根目录,目录创建规则,可以后续讨论) 文件名列表:(上传的什么文件名,多个之间请用明显分割符分隔开) 阅读进度:(你的阅读进度,建议是自己真的阅读,或者这个文档解决了你的问题的时候上传) 理解:(自己对于这个文件的理解,你因为什么找到了这个文档,同时又是因为什么要把这个文档分享给大家) ---------------------------------------------------------------------------------- 每个条目之间用分隔符分开,每个条目在文件开头创建

JavaScript

  • WebshellManager - w8ay 一句话WEB端管理工具

  • ansibleUI -

  • GeniXCMS - Simple and Lightweight CMS Framework

  • nozes - Pentest cmd manager- ALpha

  • JudasDNS - Nameserver DNS poisoning attacks made easy

  • HoneyProxy - This project is now part of @mitmproxy.

  • Mebius - 基于saltapi的使用django开发的CMDB资产管理平台

  • 3xp10it - 一个自动化渗透框架

  • AtEar - Wireless Hacking, WiFi Security, Vulnerability Analyzer, Pentestration

  • OSXAuditor - OS X Auditor is a free Mac OS X computer forensics tool

  • TiddlyDesktop - A custom browser for TiddlyWiki, based on nw.js

  • sslcloud -

  • raptor - Web-based Source Code Vulnerability Scanner

  • Pcap-Analyzer - Python编写的简单的离线数据包分析器

  • Dionaea - 基于Docker的蜜罐系统

  • baidu-ocr-api - 👓 Baidu OCR Api For Node

  • xss.io -

  • sleepy-puppy - Sleepy Puppy XSS Payload Management Framework

  • WSSAT - WEB SERVICE SECURITY ASSESSMENT TOOL

  • vulnerabilitydb - Snyk's public vulnerability database

  • w3af-webui - Django Web UI contributed by Yandex for w3af.

  • Nodejs-SSRF-App - Nodejs application intentionally vulnerable to SSRF

  • ntrace - Command-line security tool to detect Cross-Site Tracing vulnerabilities, written in node.

  • renette - Nettools R web services

  • sniffly - Sniffing browser history using HSTS

  • scirius - Scirius is a web application for Suricata ruleset management.

  • Wappalyzer - Cross-platform utility that uncovers the technologies used on websites.

  • cookiehacker - Chrome extension, very easy to use. Cookies from: JavaScript document.cookie/Wireshark Cookies etc.

  • phodaldev - person website

  • react-demos - a collection of simple demos of React.js

  • hexo-theme-next - Elegant theme for Hexo.

  • BurpSuite - BurpSuite using the document and some extensions

  • windmill - Windmill is a web testing tool designed to let you painlessly automate and debug your web application.

  • Blog - 一个基于java EE(SSH)+tomcat+mysql的博客

  • WebGoat - WebGoat 8.0

  • BlueLotus_XSSReceiver - XSS平台 CTF工具 Web安全工具

  • sandcrawler - sandcrawler.js - the server-side scraping companion.

  • chrome-remote-interface - Chrome Debugging Protocol interface for Node.js

  • casperjs - Navigation scripting and testing utility for PhantomJS and SlimerJS

  • picoCTF-Platform-1 - A genericized version of picoCTF 2013 that can be easily adapted to host CTF or programming competitions.

  • livepool - Fiddler like cross platform debugging proxy for web developers base on NodeJS

  • awesome-ctf - A curated list of CTF frameworks, libraries, resources and softwares

  • PhantomjsFetcher - A python web fetcher using phantomjs to mock browser

  • lair - Lair is a reactive attack collaboration framework and web application built with meteor.

  • luv.js - Minimal HTML5 game development lib

  • faraday - Collaborative Penetration Test and Vulnerability Management Platform

  • blog - Thisa is my blog written on web.py with mongodb as db

  • blog - blog powered by web.py and mongodb

  • cms - 社工库

  • ChromeExtensionDocument - chrome插件中文开发文档(非官方)

  • rssSpider - Rss spider by nodejs , rss 爬虫,正文抓取

  • FlapperNews - Reddit/Hacker News clone using the MEAN stack (MongoDB, Express.js, AngularJS, and Node.js).

  • pcap-analyzer - online pcap forensic

Lua

  • ngx_lua_waf - ngx_lua_waf是一个基于lua-nginx-module(openresty)的web应用防火墙

Makefile

Objective-C

  • Introspy-iOS - Security profiling for blackbox iOS

  • NewsBlur - NewsBlur is a personal news reader that brings people together to talk about the world. A new sound of an old instrument.

  • DamnAlipay - 支付宝手势密码.....

Others

PHP

  • phpcms - 一个基于phpcms仿新京网的新闻系统

  • topic-weekly - 新闻热点话题的CMS

  • AssetsView - Assets View资产发现、网络拓扑管理系统

  • Scanners-Box - [Project-Kob-6]The toolbox of open source scanners - 安全行业从业人员自研开源扫描器合集??

  • exploits -

  • xss_payloads - Exploitation for XSS

  • php-fpm-httpoxy-poc - A PoC for exploiting Guzzle's HTTP_PROXY untrusted read

  • AwvScan - New On Live Web Vul Scan

  • xss_fucker - Fuck You XSS

  • expweb-v1.0 - Expweb project is a php+python based on the development of bulk getshell scanning platform. ----------------------QQ Group:485281743

  • discuz_crack01 - discuz_crack01

  • Bugscan - Bugscan Web Vulnerability Scaner Online System

  • webshellSample - webshell sample for WebShell Log Analysis

  • GourdScan -

  • testenv - A collection of web pages vulnerable to SQL injection flaws

  • exp - 收集各种各样的exp

  • GetDataReport - Get information client with getdatareport (Plugin)

  • PHPIDS - PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application

  • DVWA - Damn Vulnerable Web Application (DVWA)

  • typecho - A PHP Blogging Platform. Simple and Powerful.

  • fuzzdb - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.

  • w3a_SOC - Web日志审计与网络监控集合一身的平台

  • doom - DOOM是在thorn上实现的分布式任务分发的ip端口漏洞扫描器

  • sqli-labs - SQLI labs to test error based, Blind boolean based, Time based.

  • redisrpc - Lightweight RPC using Redis

  • LazyPHP4 - LazyPHP4 , an API first framework for php developer

  • xvwa - XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.

  • SimpleZoomeye - A simple Zoomeye written by python,more details click this link: http://blog.csdn.net/u011721501/article/details/41967847

  • phpvulhunter - A tool that can scan php vulnerabilities automatically using static analysis methods

  • ym_oauth - qq,weibo,facebook等接口实现

  • AllAuth - PHP Oauth Library for qq,twitter,facebook,linkedin,weibo,sina,yahoo

  • news - This is a simple PHP news portal, I will code it for fun and to sharpen my skills.

  • Newscoop - Newscoop is the open content management system for professional journalists. Features for the modern newsroom include multiple author management, issue-and-section based publishing, geolocation and multilingual content management. The enterprise-standard journalist’s dashboard and a templating engine supporting anything from HTML5 to mobile complete this fast production and publishing system.

  • rssmonster - RSS Monster is an easy to use web-based RSS aggregator and reader compatible with the Fever API, created as an alternative for Google Reader.

  • phpspider - 《我用爬虫一天时间“偷了”知乎一百万用户,只为证明PHP是世界上最好的语言 》所使用的程序

  • lavacharts - Lavacharts is a graphing / charting library for PHP 5.4+ that wraps Google's Javascript Chart API.

  • SCANNER-INURLBR - Advanced search in search engines, enables analysis provided to exploit GET / POST capturing emails & urls, with an internal custom validation junction for each target / url found.

  • Sn1per - Automated Pentest Recon Scanner

  • Php-MongoDB-DemoBlog - a demo blog to show how to use mongodb with PHP

  • BlogMi - a blog base on BlogMi

  • PHPMailer - The classic email sending library for PHP - this is my personal fork, please post issues on the upstream project

  • humbug - Humbug is a Mutation Testing framework for PHP to measure the real effectiveness of your test suites and assist in their improvement. It eats Code Coverage for breakfast.

  • kunai - pwning & info gathering via user browser

  • alienvault-ossim - Alienvault ossim

Perl

PostScript

PowerShell

  • Powershell-Payload-Excel-Delivery - Uses Invoke-Shellcode to execute a payload and persist on the system.

  • Invoke-LoginPrompt - Invokes a Windows Security Login Prompt and outputs the clear text password.

  • nishang - Nishang - PowerShell for penetration testing and offensive security.

  • MimikatzHoneyToken - This is a logon script used to detect the theft of credentials by tools such as Mimikatz

  • Invoke-SchmappLocker - Bypass AppLocker EXE file policies

  • dvta - Damn Vulnerable Thick Client App

  • NetRipper - NetRipper - Smart traffic sniffing for penetration testers

  • CrackMapExec - A swiss army knife for pentesting networks

  • HackSql - PowerShell: Take sysadmin of most local SQL Server instances without a restart

  • Javascript-Backdoor - Learn from Casey Smith @subTee

  • PowerSploit - PowerSploit - A PowerShell Post-Exploitation Framework

Python

  • munki - Managed software installation for OS X ?

  • ansible-profile - An Ansible plugin for timing tasks

  • RHEL7-CIS - Ansible role for Red Hat 7 CIS Baseline

  • hardened-centos7-kickstart - DVD embedded Kickstart for CentOS 7 utilizing SCAP Security Guide (SSG) as a hardening script.

  • aws-security-benchmark - Open source demos, concept and guidance related to the AWS CIS Foundation framework.

  • bluewall - Bluewall is a firewall framework designed for offensive and defensive cyber professionals.

  • Responder - Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

  • DbDat - Db Database Assessment Tool

  • bips - Bitcoin Improvement Proposals

  • PoC - Various PoCs

  • Stitch - Python Remote Administration Tool (RAT)

  • ZeroNet - ZeroNet - Decentralized websites using Bitcoin crypto and BitTorrent network

  • ActiveScanPlusPlus - ActiveScan++ Burp Suite Plugin

  • boa-diminish-restricted-shell - A shell where you whitelist commands and only those commands can be executed. Either via ssh, as an interactive shell or launched with commands. Logs everything and escapes "dangerous" characters.

  • gatecrasher - Network auditing and analysis tool developed in Python.

  • fake2db - create custom test databases that are populated with fake data

  • clilib - A library of emulated command line commands.

  • HoneyPy - A low interaction honeypot.

  • WMD - Python framework for IT security tools

  • flare-floss - FireEye Labs Obfuscated String Solver - Automatically extract obfuscated strings from malware.

  • TPLINKKEY - 根据TPLINK系列路由器存在的漏洞批量扫描获取wifi密码

  • awesome-honeypots - an awesome list of honeypot resources

  • HEVD-Python-Solutions - Python solutions for the HackSysTeam Extreme Vulnerable Driver

  • ddos-dos-tools - some sort of ddos-tools

  • threebody - 比特币板砖系统-Bitcoin/Litecoin Arbitrage System

  • Github_Nuggests - 自动爬取Github上文件敏感信息泄露,抓取邮箱密码并自动登录邮箱验证,支持126,qq,sina,163邮箱

  • AutoLocalPrivilegeEscalation - An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically

  • the-backdoor-factory - Patch PE, ELF, Mach-O binaries with shellcode

  • BitcoinStrategy - bitcoin arbitrage between Huobi and Okcoin

  • BitcoinExchangeFH - Cryptocurrency exchange market data feed handler (Bitstamp, BTCC, Bitfinex, BitMEX, Gatecoin, GDAX, Huobi, Kraken, OkCoin, Quoine)

  • HUOBILTCTRADE -

  • pentestEr_Fully-automatic-scanner - 定向全自动化渗透测试

  • RASscan - 内网端口极速扫描器

  • mitmAP - ?? A python program to create a fake AP and sniff data.

  • fakeAP - Create fake AP in Kali with 1 command

  • xunfeng - 巡风是一款适用于企业内网的漏洞快速应急,巡航扫描系统。

  • aws-waf-sample - Lambda script that blocks IP addresses based on the number of requests.

  • wifiphisher - Automated victim-customized phishing attacks against Wi-Fi clients

  • PyJFuzz - PyJFuzz - Python JSON Fuzzer

  • Responder - Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

  • bitcoin-abe - Abe: block browser for Bitcoin and similar currencies

  • usbkill - ? usbkill ? is an anti-forensic kill-switch that waits for a change on your USB ports and then immediately shuts down your computer.

  • httpstat - curl statistics made simple

  • Radium-Keylogger - Python keylogger with multiple features.

  • chipsec - Platform Security Assessment Framework

  • wePWNise - WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.

  • mooder - Mooder是一款开源、安全、简洁、强大的团队内部知识分享平台。

  • Pentest-Tools - Penetration Testing Tools Developed by AppSec Consulting.

  • pycoin - Python-based Bitcoin and alt-coin utility library.

  • pycoinnet - Python code that speaks the Bitcoin protocol, for use with pycoin

  • Jetleak-Testing-Script - Script to test if a server is vulnerable to the JetLeak vulnerability

  • SQLiScanner - Automatic SQL injection with Charles and sqlmap api

  • DPress - A simple blog powered by Django

  • python-libnmap - libnmap is a python library to run nmap scans, parse and diff scan results. It supports python 2.6 up to 3.4. It's wonderful.

  • pwntools - CTF framework and exploit development library

  • glastopf - Web Application Honeypot

  • BBScan - A tiny Batch weB vulnerability Scanner

  • pshtt - Scan domains and return data based on HTTPS best practices

  • D-TECT - D-TECT - Pentesting the Modern Web

  • kisskissie - XXE attack tool

  • selenium_xss_testcase - Selenium XSS Testcase

  • nmapdb - Parse nmap's XML output files and insert them into an SQLite database

  • pentest-scripts -

  • LHF - A modular recon tool for pentesting

  • Xssive - Xss Vulnerability Demonstration framework.

  • scantastic-tool - It's bloody scantastic

  • V3n0M-Scanner - Popular Pentesting scanner in Python3.6 for SQLi/XSS/LFI/RFI and other Vulns

  • myBFF - myBFF - a Brute Force Framework

  • apt2 - automated penetration toolkit

  • autoDANE - Auto Domain Admin and Network Exploitation.

  • crawlpy - Scrapy python crawler/spider with post/get login (handles CSRF), variable level of recursions and optionally save to disk

  • a2sv - Auto Scanning to SSL Vulnerability

  • rescan - Redis Unauthorized

  • MyScript -

  • Some-PoC-oR-ExP - 各种漏洞poc、Exp的收集或编写

  • SSTIF - 一个Fuzzing服务器端模板注入漏洞的半自动化工具

  • python-paddingoracle - A portable, padding oracle exploit API

  • QRLJacking - QRLJacking or Quick Response Code Login Jacking is a simple-but-nasty attack vector affecting all the applications that relays on “Login with QR code” feature as a secure way to login into accounts which aims for hijacking users session by attackers.

  • autoscan - 漏洞扫描系统

  • wooyun_public - 乌云公开漏洞、知识库爬虫和搜索 crawl and search for wooyun.org public bug(vulnerability) and drops

  • tplmap - Code and Server-Side Template Injection Detection and Exploitation Tool

  • banner-scan - Http title scan

  • burp-sqlmapapi -

  • webDisco - Web discovery and screenshot tool

  • drone-hashdump -

  • csrfpocmaker - A Simple & Handy tool.

  • BruteXSS - BruteXSS - Cross-Site Scripting Bruteforcer

  • tomcatWarDeployer - Apache Tomcat auto WAR deployment & pwning penetration testing tool.

  • swarm - A modular distributed penetration testing tool.

  • sqlinj-ant - 伪分布式SQL注入自动扫描

  • sqli-proxy -

  • ARTLAS - Apache Real Time Logs Analyzer System

  • owtf - Offensive Web Testing Framework (OWTF), is an OWASP+PTES focused try to unite great tools and make pen testing more efficient, written mostly in Python @owtfp http://owtf.org

  • PytheM - Multi-purpose pentest framework

  • SimpleEmailSpoofer - A simple Python CLI to spoof emails.

  • malspider - Malspider is a web spidering framework that detects characteristics of web compromises.

  • svn_git_scanner - 用于扫描git,svn泄露

  • data - User, contributor and developer friendly vulnerability database

  • pyfiscan - Free web-application vulnerability and version scanner

  • LL-Fuzzer - An automated NFC fuzzing framework for Android devices.

  • django-api-rest-and-angular - An example repository of combining Django Rest Framework with AngularJS

  • DirBrute - 多线程WEB目录爆破工具 [Multi-thread WEB directory blasting tool(with dics inside) ]

  • elite-proxy-finder - Finds public elite anonymity proxies and concurrently tests them

  • toolbox - Some simple tools I developed

  • peda - PEDA - Python Exploit Development Assistance for GDB

  • xmppmitm - XMPP Man-in-the-Middle, quick & dirty

  • ssrfsocks - Creates a SOCK proxy server that transmits data over an SSRF vulnerability

  • w3af - w3af: web application attack and audit framework, the open source web vulnerability scanner.

  • jdwp-shellifier -

  • PocCollect - a plenty of poc based on python

  • vulcan - A gevent spider ,support webkit for dom parsing.

  • PenTestScripts - Scripts that are useful for me on pen tests

  • EyeWitness - EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.

  • CUS - 多引擎网址安全监测系统,Multi engine website security detection system

  • Bank - 工控安全

  • normal_hack - based on search engine and get the valid infomation to test the vulnerability

  • scripts -

  • XssPy - XssPy - Web Application XSS Scanner

  • ptf - The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools.

  • jexboss - JexBoss: Jboss (and Java Deserialization Vulnerabilities) verify and EXploitation Tool

  • cyberbot - A lightweight batch scanning framework based on gevent.

  • my-tools - 自己使用的一些脚本,大概和乌云(wooyun)有关

  • mwebfp - LNHG - Mass Web Fingerprinter

  • VirusTotal_API_Tool - A Tool To Leverage Virus Total's Private API Key

  • wooyun_rank - 采集乌云已确认漏洞和已公开漏洞的状态、厂商、Rank等数据用于分析哪些是良心厂商

  • drops_offline - 抓取 wooyun drops 文章,并且按照规则生成 PDF 文档

  • flower - Real-time monitor and web admin for Celery distributed task queue

  • normal_hark_lite - 通用的POC检测框架,有足够的POC,就可以找出相应的漏洞

  • Bugscan_exploits -

  • docopt - Pythonic command line arguments parser, that will make you smile

  • fierce - A DNS reconnaissance tool for locating non-contiguous IP space.

  • hiccup - Hiccup is a framework that allows the Burp Suite (a web application security testing tool, http://portswigger.net/burp/) to be extended and customized, through the interface provided by Burp Extender (http://portswigger.net/burp/extender/). Its aim is to allow for the development and integration of custom testing functionality into the Burp tool using Python request/response handler plugins.

  • Hash-Algorithm-Identifier - A python tool to identify different Hash Function Algorithms

  • ipdb -

  • wand - The ctypes-based simple ImageMagick binding for Python

  • DSSS - Damn Small SQLi Scanner

  • tsusen - Network traffic sensor

  • htcap - htcap is a web application scanner able to crawl single page application (SPA) in a recursive manner by intercepting ajax calls and DOM changes.

  • gdog - A fully featured Windows backdoor that uses Gmail as a C&C server

  • InsightScan - A single file multithread portscanner in python

  • pathod - NOTICE: This repository has been integrated into the main repository!

  • rtcp2udp - Reverse TCP Port to UDP Forwarding Tools

  • Tarot -

  • htpwdScan - A python HTTP weak pass scanner

  • POC-T - 渗透测试插件化并发框架

  • django-angularjs-blog - A simple blog site powered by django + angularjs

  • FuzSub - A Tool For Fuzzing Sub-domain.

  • portscan - push

  • shscan - ssh discovery

  • clusterd - application server attack toolkit

  • smbmap - SMBMap is a handy SMB enumeration tool

  • AutoNessus - This script communicates with the Nessus API in an attempt to help with automating scans. Depending on the flag issued with the script, you can list all scans, list all policies, start, stop, pause, and resume a scan.

  • Routerhunter-2.0 - Testing vulnerabilities in devices and routers connected to the Internet.

  • F-NAScan - Scanning a network asset information script

  • impacket - Impacket is a collection of Python classes for working with network protocols.

  • Blasting_dictionary - 爆破字典

  • ScanSql - 利用sqlmap和URL去重的爬虫写的一个刷rank的脚本

  • F-MiddlewareScan - A vulnerability detection scripts for middleware services

  • autoSqlmap - Sqlmap 批量操作

  • PortScan - Port Scan By Nmap

  • XPortScan - Easy PyQt port scanner

  • MultiProxies - penetration testing framework that can use socks4/socks5 proxy.

  • shocker - A tool to find and exploit servers vulnerable to Shellshock

  • hackUtils - It is a hack tool kit for pentest and web security research.

  • awesome-python - A curated list of awesome Python frameworks, libraries, software and resources

  • dirfuzz - 多线程网站目录穷举扫描

  • weakfilescan - 动态多线程敏感信息泄露检测工具

  • pocscan - Will to be a niubility scan-framework

  • BkScanner - BkScanner 分布式、插件化web漏洞扫描器

  • UnitScan - A Web Scanner

  • WVS_Patcher - Script to run wvs in queue, and send mails to you on ending.

  • SecScript -

  • splinter - splinter - python test framework for web applications

  • crawler -

  • mitmproxy - An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers

  • spynner - Programmatic web browsing module with AJAX support for Python

  • pyphantomjs - Headless WebKit with JavaScript API .. but reimplemented in python

  • Nscan - Nscan: Fast internet-wide scanner

  • pupy - Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

  • MSpider - Spider

  • Ares - Python botnet and backdoor

  • splash - Lightweight, scriptable browser as a service with an HTTP API

  • thorns - thorns_project 分布式异步队列系统

  • subDomainsBrute - A simple and fast sub domain brute tool for pentesters

  • wyportmap - 目标端口扫描+系统服务指纹识别

  • KatanaFramework - The New Hacking Framework

  • exserial - Java Untrusted Deserialization Exploits Tools

  • VulScritp - 内网渗透脚本

  • picoCTF-web -

  • genpAss - 中国特色的弱口令生成器

  • HQLmap - (Deprecated) HQLmap, Automatic tool to exploit HQL injections

  • wfuzz - Web application fuzzer

  • My-SQL-boolean-based-injection-tools -

  • Structured-query-Language-injection - SQL injection Automatic tools

  • My-SQL-boolean-based-injection-tools -

  • eventlog-audit - Windows事件日志审计系统,支持以WEB的方式审计日志

  • passive_scan - 基于http代理的web漏洞扫描器的实现

  • passive_scan - 基于http代理的web漏洞扫描器的实现

  • Blasting_dictionary - 爆破字典

  • BBScan - A tiny Batch weB vulnerability Scanner

  • Jenkins - Jenkins漏洞探测、用户抓取爆破

  • Django-Celery-Rabbitmq-full-example - A full (very basic) example of using django, celery and rabbitmq to distribute tasks/jobs.

  • pika - Pure Python RabbitMQ/AMQP 0-9-1 client library

  • Zeek - Python distributed web scrapper and dynamic crawler

  • gearnado - Experimental Distributed Web Crawling with Python + Gearman

  • distribute_crawler - 使用scrapy,redis, mongodb,graphite实现的一个分布式网络爬虫,底层存储mongodb集群,分布式使用redis实现,爬虫状态显示使用graphite实现

  • cola - A high-level distributed crawling framework.

  • spiderfoot - SpiderFoot, the open source footprinting and intelligence-gathering tool.

  • Mobile-Security-Framework-MobSF - Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS/Windows) automated pen-testing framework capable of performing static, dynamic analysis and web API testing.

  • ftxproxy - 不到100行代码实现代理服务,并穿透腾讯TGW进行tcp代理,项目借用国外大神代码 http://voorloopnul.com/blog/a-python-proxy-in-less-than-100-lines-of-code/

  • Elric - Elric: A Simple Distributed Job Scheduler

  • fabric - Simple, Pythonic remote execution and deployment.

  • gcat - A fully featured backdoor that uses Gmail as a C&C server

  • pr0bescan - a website probe for python

  • ivre - Network recon framework.

  • sqli-proxy -

  • scan-framework - A framework used for Vulnerability scanning

  • feedstore-3.0 - MagicCube FeedStore 3.0 是一款集RSS聚合服务端、Web 客户端和iOS移动客户端为一体的私人定制阅读解决方案。

  • jieba - 结巴中文分词

  • dzscan - Dzscan

  • subDomainsBrute - A simple and fast sub domain brute tool for pentesters

  • event2timeline - Simple Microsoft Windows sessions event logs visualization

  • event2timeline - Simple Microsoft Windows sessions event logs visualization

  • shodan-python - The official Python library for Shodan

  • creddump - Automatically exported from code.google.com/p/creddump

  • 3102 - A domain/ip fuzzing tool for vulnerability mining

  • riXSS - A Open Source XSS test platform powered by web.py <img/src=1 onerror=alert/:P/

  • Panoptic - Panoptic is an open source penetration testing tool that automates the process of search and retrieval of content for common log and config files through path traversal vulnerabilities.

  • bbqsql - SQL Injection Exploitation Tool

  • SubDomain-Analyzer - Subdomain Analyzer

  • pelican - Static site generator that supports Markdown and reST syntax. Powered by Python.

  • pr0cks - python script setting up a transparent proxy to forward all TCP and DNS traffic through a SOCKS / SOCKS5 or HTTP(CONNECT) proxy using iptables -j REDIRECT target

  • knock - Knock Subdomain Scan

  • subbrute - A DNS meta-query spider that enumerates DNS records, and subdomains.

  • weakfilescan - 动态多线程敏感信息泄露检测工具

  • sqlpy - a short Python script that tries to sql inject into login forms

  • DarkSQL - DarkSQL is a sql injector and automatic database takeover tool.

  • check_sql_injection - auto check sql injection

  • duncan - Duncan - Blind SQL injector skeleton

  • wydomain - to discover subdomains of your target domain

  • QcoreCMS - 基于 tornado 的 cms

  • rss-to-mongodb - Python app to pull rss feeds, parse them, and insert them into mongodb. Mostly just messing around at this point.

  • pyspider - A Powerful Spider(Web Crawler) System in Python.

Ruby

  • cis-docker-benchmark - CIS Docker Benchmark - InSpec Profile

  • ansible-os-hardening - This Ansible role provides numerous security-related configurations, providing all-round base protection.

  • wordpress-exploit-framework - A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.

  • OMS-Agent-for-Linux -

  • hardsploit-gui - HARDSPLOIT GUI : The essential security auditing tool for Internet of Things devices you'll need in your toolbox

  • yawast - The YAWAST Antecedent Web Application Security Toolkit

  • brisket - Brisket is a collection of frontend scripts for masscan, zmap, and nmap, in addition data manipulation scripts

  • vunlink - Auto Web Vulnerability Scanning Framework

  • droid-hunter - Android application vulnerability analysis and Android pentest tool

  • whitewidow - SQL Vulnerability Scanner

  • XXEinjector - Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.

  • capybara-webkit - A Capybara driver for headless WebKit to test JavaScript web apps

  • WhatWeb - Website Fingerprinter

  • wyquery - Wooyun查询系统

  • fofa - fofa website

  • lamernews - Lamer News -- an HN style social news site written in Ruby/Sinatra/Redis/JQuery

Scala

  • codepulse - Code Pulse is a real-time code coverage tool for penetration testing activities

Shell

  • mimipenguin - A tool to dump the login password from the current linux user

  • ansible-grub - Manage GRUB configuration

  • hardening-script-el6 - DISA STIG/USGCB/NSA SNAC Hardening Scripts for Red Hat Enterprise Linux 6

  • ansible-examples - A few starter examples of ansible playbooks, to show features and how they work together. See http://galaxy.ansible.com for example roles from the Ansible community for deploying many popular applications.

  • bash-logging -

  • backdoorppt - transform your payload.exe into one fake word doc (.ppt)

  • tpotce - T-Pot Image Creator

  • lunar - A UNIX security auditing tool based on several security frameworks

  • Scripts -

  • Linux_Workstation_Harden_Security - Library of bash scripts that allow to harden security of Linux workstation and fingerprint essential files

  • HardeningONE - Scripts-Scanner de hardening de SO (Linux, OpenBSD, FreeBSD, apache, PHP e outros)

  • check_server_init - ansible批量检查线上机器配置,固件信息等( 实际检查项目可根据添加定制检查脚本添加)

  • logkeys - A GNU/Linux keylogger that worked!

  • EayunOS-building - EayunOS产品构建(编译、生成安装包及安装光盘等)

  • qubes-antievilmaid - Qubes component: antievilmaid

  • backdoor-apk - backdoor-apk is a shell script that simplifies the process of adding a backdoor to any Android APK file. Users of this shell script should have working knowledge of Linux, Bash, Metasploit, Apktool, the Android SDK, smali, etc. This shell script is provided as-is without warranty of any kind and is intended for educational purposes only.

  • hack_tools_for_me - 自己为了方便收集的小工具

  • creep-web-app-scanner - A web app scanner

  • port-scan-automation - Automate NMAP Scans and Generate Custom Nessus Policies Automatically

  • SELKS - A Suricata based IDS/IPS distro

  • pentestpackage - a package of Pentest scripts I have made or commonly use

  • IT_security -

  • RootHelper - A Bash script that downloads and unzips scripts that will aid with privilege escalation on a Linux system.

  • BruteX - Automatically brute force all services running on a target.

  • discover - For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.

Smali

Swift

Vim script

  • vimrc - The ultimate Vim configuration: vimrc

XSLT

License

CC0

To the extent possible under law, xiaoxiaoleo has waived all copyright and related or neighboring rights to this work.