2020 version of github penetration testing tool library
Vulnerability practice platform
WebGoat vulnerability practice platform:
https://github.com/WebGoat/WebGoat
webgoat-legacy vulnerability practice platform:
https://github.com/WebGoat/WebGoat-Legacy
ZVulDrill vulnerability practice platform:
https://github.com/710leo/ZVulDrill
Vulapps vulnerability practice platform:
https://github.com/Medicean/VulApps
dvwa vulnerability practice platform:
https://github.com/RandomStorm/DVWA
Database injection practice platform:
https://github.com/Audi-1/sqli-labs
Vulnerability practice platform written in node, like OWASP NodeGoat:
https://github.com/cr0hn/vulnerable-node
A tool written in Ruby to generate virtual machines with vulnerabilities:
https://github.com/cliffe/secgen
Fancy scanner
Nmap port scanner:
https://github.com/nmap/nmap
Local Network Scanner:
https://github.com/SkyLined/LocalNetworkScanner
Subdomain scanner:
https://github.com/lijiejie/subDomainsBrute
https://github.com/aboul3la/Sublist3r
https://github.com/TheRook/subbrute
https://github.com/infosec-au/altdns
Linux vulnerability scan:
https://github.com/future-architect/vuls
Based on port scanning and associated CVE:
https://github.com/m0nad/HellRaiser
Vulnerability route scanner:
https://github.com/jh00nbr/Routerhunter-2.0
Mini batch information leakage scanning script:
https://github.com/lijiejie/BBScan
Waf type detection tool:
https://github.com/EnableSecurity/wafw00f
Server port weak password scanner:
https://github.com/wilson9x1/fenghuangscanner_v3
Fox-scan scanner:
https://github.com/fengxuangit/Fox-scan/
Information gathering tools
Social work collector:
https://github.com/n0tr00t/Sreg
Github information collection:
https://github.com/sea-god/gitscan
github Repo information collection tool:
https://github.com/metac0rtex/GitHarvester
Information detection and scanning tool:
https://github.com/darryllane/Bluto
Internal network information scanner:
https://github.com/sowish/LNScan
Remote desktop login scanner:
https://github.com/linuz/Sticky-Keys-Slayer
Network infrastructure penetration tool
https://github.com/SECFORCE/sparta
SNMP password cracking:
https://github.com/SECFORCE/SNMP-Brute
WEB
Webshell collection:
https://github.com/tennc/webshell
Infiltration and web attack script:
https://github.com/brianwrf/hackUtils
Collection of web penetration gadgets:
https://github.com/rootphantomer/hacktoolsfor_me
XSS data receiving platform:
https://github.com/firesunCN/BlueLotus_XSSReceiver
XSS and CSRF tools:
https://github.com/evilcos/xssor
xss multifunction scanner:
https://github.com/shawarkhanethicalhacker/BruteXSS
Web vulnerability scanner:
https://github.com/andresriancho/w3af
WEB vulnerability scanner:
https://github.com/sullo/nikto
Infiltration of commonly used gadget packages:
https://github.com/leonteale/pentestpackage
Web directory scanner:
https://github.com/maurosoria/dirsearch
Web command injection detection tool:
https://github.com/stasinopoulos/commix
Automated SQL injection check tool:
https://github.com/epinna/tplmap
SSL scanner:
https://github.com/rbsec/sslscan
Security tool collection:
https://github.com/codejanus/ToolSuite
Apache log analyzer:
https://github.com/mthbernardes/ARTLAS
PHP code audit tool:
https://github.com/pwnsdx/BadCode
Web fingerprint recognition scan:
https://github.com/urbanadventurer/whatweb
Check the website for malicious attacks:
https://github.com/ciscocsirt/malspider
WordPress vulnerability scanner:
https://github.com/wpscanteam/wpscan
Firmware vulnerability scanner:
https://github.com/misterch0c/firminator_backend
Database injection tool
https://github.com/sqlmapproject/sqlmap
Web proxy:
https://github.com/zt2/sqli-hunter
New version of Chinese kitchen knife:
https://github.com/Chora10/Cknife
Git leaked and exploited EXP:
https://github.com/lijiejie/GitHack
Browser attack framework:
https://github.com/beefproject/beef
Automated bypass of WAF script:
https://github.com/khalilbijjou/WAFNinja
https://github.com/owtf/wafbypasser
An open source WAF:
https://github.com/SpiderLabs/ModSecurity
http command line client:
https://github.com/jkbrzt/httpie
Browser debugging tool:
https://github.com/firebug/firebug
DISCUZ vulnerability scanner:
https://github.com/code-scan/dzscan
automated code audit tool
https://github.com/wufeifei/cobra
Browser attack framework:
https://github.com/julienbedard/browsersploit
Tomcat automatic backdoor deployment:
https://github.com/mgeeky/tomcatWarDeployer
Cyberspace fingerprint scanner:
https://github.com/nanshihui/Scan-T
J2EE scanning plug-in for burpsuite:
https://github.com/ilmila/J2EEScan
windows domain penetration tool
Mimikatz plaintext injection:
https://github.com/gentilkiwi/mimikatz
Powershell penetration library collection:
https://github.com/PowerShellMafia/PowerSploit
Powershell tools collection:
https://github.com/clymb3r/PowerShell
mimikittenz of powershell:
https://github.com/putterpanda/mimikittenz
Domain penetration tutorial:
https://github.com/l3m0n/pentest_study
Fuzz
Web to Fuzz tool
https://github.com/xmendez/wfuzz
HTTP brute force cracking, library collision attack script
https://github.com/lijiejie/htpwdScan
Vulnerability and attack framework
msf frame:
https://github.com/rapid7/metasploit-framework
Pocsscan attack framework:
https://github.com/erevus-cn/pocscan
Pocsuite attack framework:
https://github.com/knownsec/Pocsuite
Beebeeto attack framework:
https://github.com/n0tr00t/Beebeeto-framework
Vulnerability POC&EXP:
ExploitDB official git version:
https://github.com/offensive-security/exploit-database
php vulnerability code analysis:
https://github.com/80vul/phpcodz
CVE-2016-2107:
https://github.com/FiloSottile/CVE-2016-2107
CVE-2015-7547 POC:
https://github.com/fjserna/CVE-2015-7547
JAVA deserialization POC generation tool:
https://github.com/frohoff/ysoserial
JAVA deserialization EXP:
https://github.com/foxglovesec/JavaUnserializeExploits
Jenkins CommonCollections EXP:
https://github.com/CaledoniaProject/jenkins-cli-exploit
CVE-2015-2426 EXP (windows kernel privilege escalation ):
https://github.com/vlad902/hacking-team-...kernel-lpe
Use docker to show web attacks (php local file inclusion combined with phpinfo getshell, and ssrf combined with curl demonstration):
https://github.com/hxer/vulnapp
php7 cache overwrite vulnerability Demo and related tools:
https://github.com/GoSecure/php7-opcache-override
XcodeGhost Trojan sample:
https://github.com/XcodeGhostSource/XcodeGhost
Man-in-the-middle attack and phishing
Man-in-the-middle attack framework:
https://github.com/secretsquirrel/the-backdoor-factory
https://github.com/secretsquirrel/BDFProxy
https://github.com/byt3bl33d3r/MITMf
Inject code, jam wifi, and spy on wifi users:
https://github.com/DanMcInerney/LANs.py
Intermediary agent tool:
https://github.com/intrepidusgroup/mallory
wifi phishing:
https://github.com/sophron/wifiphisher
Password cracking
Password cracking tool:
https://github.com/shinnok/johnny
Various locally stored password extraction tools:
https://github.com/AlessandroZ/LaZagne
Binary and code analysis tools
Binary analysis tool
https://github.com/devttys0/binwalk
System scanner
https://github.com/quarkslab/binmap
rp:
https://github.com/0vercl0k/rp
Windows Exploit Development tool
https://github.com/lillypad/badger
Binary static analysis tool (python):
https://github.com/bdcht/amoco
Python Exploit Development Assistance for GDB:
https://github.com/longld/peda
Monitoring tool for BillGates Linux Botnet Trojan horse activities
https://github.com/ValdikSS/billgates-botnet-tracker
Trojan configuration parameter extraction tool:
https://github.com/kevthehermit/RATDecoders
Binary analysis tool written by Shellphish (CTF direction):
https://github.com/angr/angr
Static code analysis tool for python:
https://github.com/yinwang0/pysonar2
An automated script (shell) analysis tool to give warnings and suggestions:
https://github.com/koalaman/shellcheck
Simple Javascript anti-obfuscation auxiliary tool based on AST transformation:
https://github.com/ChiChou/etacsufbo
EXP writing framework and tools
Binary EXP writing tool:
https://github.com/t00sh/rop-tool
CTF Pwn topic scripting framework:
https://github.com/Gallopsled/pwntools
an easy-to-use io library for pwning development:
https://github.com/zTrix/zio
Cross-platform injection tool:
https://github.com/frida/frida
Hash length expansion attack EXP:
https://github.com/citronneur/rdpy
Steganography
Steganography detection tool
https://github.com/abeluck/stegdetect
Various safety information:
data_hacking collection:
https://github.com/ClickSecurity/data_hacking
mobile-security-wiki:
https://github.com/exploitprotocol/mobile-security-wiki
Book "reverse-engineering-for-beginners":
https://github.com/veficos/reverse-engin...-beginners
Some information security standards and equipment configuration:
https://github.com/luyg24/IT_security
APT related notes:
https://github.com/kbandla/APTnotes
Kcon information:
https://github.com/knownsec/KCon
"DO NOT FUCK WITH A HACKER":
https://github.com/citypw/DNFWAH
Various types of safe brain hole maps:
https://github.com/phith0n/Mind-Map
Information Security Flow Chart:
https://github.com/SecWiki/sec-chart/tre...5e90ed1428
Various CTF resources
Complete ctf writeup in recent years:
https://github.com/ctfs/write-ups-2016
https://github.com/ctfs/write-ups-2015
https://github.com/ctfs/write-ups-2014
Demo of fbctf competition platform:
https://github.com/facebook/fbctf
ctf Resources:
https://github.com/ctfs/resources
Collection of ctf and hacker resources:
https://github.com/bt3gl/My-Gray-Hacker-Resources
Collection of ctf and security tools:
https://github.com/zardus/ctf-tools
ctf to python toolkit
https://github.com/P1kachu/v0lt
Various programming resources
Big gift package (has everything):
https://github.com/bayandin/awesome-awesomeness
bash-handbook:
https://github.com/denysdovhan/bash-handbook
Python resource collection:
https://github.com/jobbole/awesome-python-cn
git learning materials:
https://github.com/xirong/my-git
Android open source code analysis
https://github.com/android-cn/android-open-project
A collection of python frameworks, libraries, and resources:
https://github.com/vinta/awesome-python
JS regular expression library (used to simplify the construction of complex JS regular expressions):
https://github.com/VerbalExpressions/JSV...xpressions
Python
Python regular expression library (used to simplify the construction of complex Python regular expressions):
https://github.com/VerbalExpressions/
Python task management and command execution library:
https://github.com/pyinvoke/invoke
python exe packaging library:
https://github.com/pyinstaller/pyinstaller
Veil-Evasion Free Kill Project:
https://github.com/Veil-Framework/Veil-Evasion
py3 crawler framework:
https://github.com/orf/cyborg
A python library that provides low-level interface data package programming and network protocol support:
https://github.com/CoreSecurity/impacket
python requests library:
https://github.com/kennethreitz/requests
Python utility collection:
https://github.com/mahmoud/boltons
Python crawler system:
https://github.com/binux/pyspider
welfare
WeChat automatic grab red envelope dynamic library
https://github.com/east520/AutoGetRedEnv
WeChat grab red envelope plugin (Android version)
https://github.com/geeeeeeeeek/WeChatLuckyMoney
Hardseed artifact:
https://github.com/yangyangwithgnu/hardseed
Party A's Safety Engineer Survival Guide
Web index and log search tool:
https://github.com/thomaspatzke/WASE
Open source log collector:
https://github.com/wgliang/logcool
Web debugger for scanning CS structure
https://github.com/Kozea/wdb
Recover the sqlite database and delete the registration information:
https://github.com/aramosf/recoversqlite/
GPS deception detection tool:
https://github.com/zxsecurity/gpsnitch
Emergency Response Framework:
https://github.com/biggiesmallsAG/nightHawkResponse
Web Security Development Guide:
https://github.com/FallibleInc/security-...developers
Vulnerability test report templates of various well-known vendors:
https://github.com/juliocesarfort/public...ng-reports
Malware detection package under linux:
https://github.com/rfxn/linux-malware-detect
Operating system operation indicator visualization framework:
https://github.com/facebook/osquery
Malicious code analysis system:
https://github.com/cuckoosandbox/cuckoo
Regularly search and store web applications:
https://github.com/Netflix/Scumblr
Incident response framework:
https://github.com/google/grr
Comprehensive host monitoring and detection platform:
https://github.com/ossec/ossec-hids
Distributed real-time digital forensics system:
https://github.com/mozilla/mig
Microsoft & Unix file system and hard disk forensics tool:
https://github.com/sleuthkit/sleuthkit
honey jar
SSH honeypot:
https://github.com/desaster/kippo
Honeypot collection resources:
https://github.com/paralax/awesome-honeypots
kippo advanced honeypot:
https://github.com/micheloosterhof/cowrie
SMTP honeypot:
https://github.com/awhitehatter/mailoney
Web application honeypot:
https://github.com/mushorg/glastopf
Database honeypot:
https://github.com/jordan-wright/elastichoney
web honeypot:
https://github.com/atiger77/Dionaea
Remote control
Use gmail as the backdoor of C&C server
https://github.com/byt3bl33d3r/gcat
Open source remote control:
https://github.com/UbbeLoL/uRAT
c#Remote Control:
https://github.com/hussein-aitlahcen/BlackHole
Tool collection
https://github.com/torque59/Nosql-Exploi...-Framework

(NoSQL scanning/blasting tool)
https://github.com/missDronio/blindy
(MySQL blind injection blasting tool)
https://github.com/fengxuangit/Fox-scan
(Vulnerability scanning based on SQLMAP active and passive resource discovery Tool)
https://github.com/NetSPI/PowerUpSQL
(powershell script for SQL Server audit)
https://github.com/JohnTroony/Blisqy
(tool for time blind injection blasting in http header, only for MySQL / MariaDB)
https://github.com/ron190/jsql-injection
(SQL injection tool written in Java)
https://github.com/Hadesy2k/sqliv
(Batch SQL injection vulnerability scanner based on search engine)
https://github.com/s0md3v/sqlmate
(Added directory scanning and hash blasting functions based on sqlmap)
https://github.com/m8r0wn/enumdb
(MySQL and MSSQL blasting and database dumping tool)
https://github.com/9tail123/wooscan
(Check whether the website has ignored sql injection vulnerabilities in Wuyun in batches and automatically call sqlmap to test)
https://github.com/lijiejie/htpwdScan
(a simple HTTP brute force cracking, library crashing attack script)
https://github.com/ysrc/F-Scrack
(a script for weak password detection for various services)
https://github.com/Mebus/cupp
(Generate weak password detection dictionary script according to user habits)
https://github.com/netxfly/crack_ssh
(Coroutine version of ssh \redis\mongodb weak password cracking tool written in Go)
https://github.com/LandGrey/pydictor
(brute-breaking dictionary creation tool)
https://github.com/shengqi158/weak_password_detect
(multi-thread detection of weak passwords)
https://github.com/s0md3v/Blazy
(support testing CSRF, Clickjacking, Cloudflare and WAF weak password detector)
https://github.com/MooseDojo/myBFF
(a script for weak password detection for various services such as CiscoVPN, Citrix Gateway)
https://github.com/rapid7/IoTSeeker
(The default password scanning detection tool for IoT devices)
https://github.com/shodan-labs/iotdb
(Use nmap to scan IoT devices)
https://github.com/googleinurl/RouterHunterBR
(Router device vulnerability scanning and exploitation)
https://github.com/scu-igroup/telnet-scanner
(Telnet service password collision database)
https://github.com/viraintel/OWASP-Nettacker
(Automated information collection and penetration testing tool, more suitable for IoT scanning)
https://github.com/threat9/routersploit
(Embedded device vulnerability scanning and exploitation tool)
https://github.com/shawarkhanethicalhacker/BruteXSS
(An XSS scanner that can inject parameters brute force)
https://github.com/1N3/XSSTracer
(Small XSS scanner, can also detect CRLF, XSS, click hijacked)
https://github.com/0x584A/fuzzXssPHP
(PHP version of reflective xss scan)
https://github.com/chuhades/xss_scan
(Python script for batch scanning XSS)
https://github.com/BlackHole1/autoFindXssAndCsrf
(Browser plug-in that automatically detects whether the page has XSS and cross-site request forgery vulnerabilities)
https://github.com/shogunlab/shuriken
(Use the command line for XSS batch detection)
https://github.com/s0md3v/XSStrike
(XSS scanning tool that can identify and bypass WAF)
https://github.com/stamparm/DSXS
(Efficient XSS scanner supporting GET and POST)
https://github.com/ysrc/xunfeng
(network asset identification engine, vulnerability detection engine)
https://github.com/laramies/theHarvester
(enterprise's sensitive asset information monitoring script included by search engines: employees Email, subdomain, host)
https://github.com/x0day/Multisearch-v2
(Bing, google, 360, zoomeye and other search engines aggregate search, which can be used to discover the sensitive asset information included in the search engine)
https://github.com/Ekultek/Zeus-Scanner
(It can crawl the url hidden by the search engine and send it to sqlmap and nmap to scan)
https://github.com/0xbug/Biu-framework
(Security scanning framework for basic services in the enterprise intranet)
https://github.com/metac0rtex/GitHarvester
(github Repo information collection tool)
https://github.com/shengqi158/svnhack
(.svn folder leak exploitation tool)
https://github.com/repoog/GitPrey
(GitHub sensitive information scanning tool)
https://github.com/0xbug/Hawkeye
(Corporate assets, sensitive information GitHub leakage monitoring system)
https://github.com/lianfeng30/githubscan
(a tool for project retrieval based on corporate keywords and corresponding sensitive files and file content scanning)
https://github.com/UnkL4b/GitMiner
(github sensitive information search tool)
https://github.com/lijiejie/GitHack
(.git folder leak exploitation tool)
https://github.com/dxa4481/truffleHog
(GitHub sensitive information scanning tool, including detection submission, etc.)
https://github.com/1N3/Goohak
(Automatic Google hacking search and information collection for specified domain names)
https://github.com/UKHomeOffice/repo-security-scanner
(a client tool used to search for sensitive information in git commits, such as passwords, private keys, etc.)
https://github.com/FeeiCN/GSIL
(Github sensitive information leak scan)
https://github.com/MiSecurity/x-patrol
(Github leak cruise tool)
https://github.com/1N3/BlackWidow
(Web site information collection tool, including email, phone and other information)
https://github.com/anshumanbh/git-all-secrets
(Enterprise information disclosure cruise tool combining multiple open source GitHub sensitive information scanners)
https://github.com/s0md3v/Photon
(a high-speed crawler that can extract URLs, emails, files, website accounts, etc.)
https://github.com/he1m4n6a/findWebshell
(a simple webshell detection tool)
https://github.com/Tencent/HaboMalHunter
(Hubble analysis system, LINUX system virus analysis and security detection)
https://github.com/PlagueScanner/PlagueScanner
(integrated ClamAV, ESET, Bitdefender's anti-virus engine)
https://github.com/nbs-system/php-malware-finder
(an efficient PHP-webshell scanning tool)
https://github.com/emposha/PHP-Shell-Detector/
(Webshell detection tool with a test efficiency of up to 99%)
https://github.com/erevus-cn/scan_webshell
(a simple webshell scanning tool)
https://github.com/emposha/Shell-Detector
(Webshell scanning tool, supports php / perl / asp / aspx webshell scanning)
https://github.com/m4rco-/dorothy2
(a Trojan horse, botnet analysis framework)
https://github.com/droidefense/engine
(Advanced Android Trojan horse virus analysis framework)
https://github.com/lcatro/network_backdoor_scanner
(Intranet detection framework based on network traffic)
https://github.com/fdiskyou/hunter
(Call Windows API to enumerate user login information)
https://github.com/BlackHole1/WebRtcXSS
(Automatically use XSS to invade the intranet)
https://github.com/ring04h/wyportmap
(target port scan + system service fingerprint identification)
https://github.com/ring04h/weakfilescan
(Dynamic multi-threaded sensitive information leakage detection tool)
https://github.com/EnableSecurity/wafw00f
(WAF product fingerprint identification)
https://github.com/rbsec/sslscan
(SSL type recognition)
https://github.com/urbanadventurer/whatweb
(Web fingerprint recognition)
https://github.com/tanjiti/FingerPrint
(Web application fingerprint recognition)
https://github.com/nanshihui/Scan-T
(Web crawler Fingerprint recognition)
https://github.com/OffensivePython/Nscan
(Network scanner based on Masscan and Zmap)
https://github.com/ywolf/F-NAScan
(Network asset information scanning, ICMP survival detection, port scanning, Port fingerprint service identification)
https://github.com/ywolf/F-MiddlewareScan
(Middleware scanning)
https://github.com/maurosoria/dirsearch
(web path collection and scanning)
https://github.com/x0day/bannerscan
(C-segment banner and path scan)
https://github.com/RASSec/RASscan
(Port service scan)
https://github.com/3xp10it/bypass_waf
(waf automatic brute force)
https://github.com/3xp10it/xcdn
(try to find out the real ip behind the cdn)
https://github.com/Xyntax/BingC
(Based on the C section of the Bing search engine/side station query, multi-threaded, support API)
https://github.com/Xyntax/DirBrute
(Multi-threaded WEB directory blasting tool)
https://github.com/zer0h/httpscan
(a crawler-style web host discovery tool for network segments)
https://github.com/lietdai/doom
(ip port vulnerability scanner for distributed task distribution implemented on Thorn)
https://github.com/chichou/grab.js
(Quick TCP fingerprint capture analysis tool similar to zgrab, supports more protocols)
https://github.com/Nitr4x/whichCDN
(CDN identification, detection)
https://github.com/secfree/bcrpscan
(web path scanner based on crawler)
https://github.com/mozilla/ssh_scan
(server ssh configuration information scan)
https://github.com/18F/domain-scan
(for Asset data detection/scanning of the domain name and its subdomains, including http/https detection, etc.)
https://github.com/ggusoft/inforfinder
(domain name asset collection and fingerprint identification tool)
https://github.com/boy-hack/gwhatweb
(CMS recognizes python gevent implementation)
https://github.com/Mosuan/FileScan
(Sensitive file scanning/secondary judgment reduces false positive rate/scan content regularization/multiple Directory scanning)
https://github.com/Xyntax/FileSensor
(crawler-based dynamic sensitive file detection tool)
https://github.com/deibit/cansina
(web path scanning tool)
https://github.com/0xbug/Howl
(Network device web service fingerprint scanning and retrieval)
https://github.com/mozilla/cipherscan
(Target host service ssl type identification)
https://github.com/xmendez/wfuzz
(Web application fuzz tool, framework, It can be used for web path/service scanning at the same time)
https://github.com/s0md3v/Breacher
(multi-threaded background path scanner, which can also be used to execute after finding redirection vulnerabilities)
https://github.com/ztgrace/changeme
(Weak password scanner, not only supports ordinary login pages, but also ssh, mongodb and other components)
https://github.com/medbenali/CyberScan
(Penetration testing assistant tool, supports data packet analysis, decoding, port scanning, IP address analysis, etc.)
https://github.com/m0nad/HellRaiser
(scanner based on nmap, associated with cve vulnerability)
https://github.com/scipag/vulscan
(advanced vulnerability scanner based on nmap, used in command line environment)
https://github.com/jekyc/wig
(web application information collection tool)
https://github.com/eldraco/domain_analyzer
(Information collection around the domain name of web services and vulnerability scans such as "domain transfer"; server port scanning, etc. are also supported)
https://github.com/cloudtracer/paskto
(Passive path scanning and information crawler based on Nikto scanning rules)
https://github.com/zerokeeper/WebEye
(Quickly identify WEB server type, CMS type, WAF type, WHOIS information, and language framework)
https://github.com/m3liot/shcheck
(used to check the security of the http header of web services)
https://github.com/aipengjie/sensitivefilescan
(an efficient and fast Sensitive file scanning tool)
https://github.com/fnk0c/cangibrina
(cross-platform background management path scanner through dictionary exhaustion, google, robots.txt, etc.)
https://github.com/n4xh4ck5/CMSsc4n
(general CMS fingerprint recognition)
https://github.com/Ekultek/WhatWaf
(WAF fingerprint recognition and automated bypass tool)
https://github.com/dzonerzy/goWAPT
(Network application obfuscation tool, framework, and can be used for network path/service scanning)
https://github.com/blackye/webdirdig
(web sensitive directory/information leakage scanning script)
https://github.com/GitHackTools/BillCipher
(Information collection tool for use on a website or IP address)
https://github.com/boy-hack/w8fuckcdn
(Automatic program to obtain real IP by scanning the entire network)
https://github.com/boy-hack/w11scan
(distributed Web fingerprint identification platform)
https://github.com/Nekmo/dirhunt
(crawler web directory scanning tool)
https://github.com/blackye/Jenkins
(Jenkins vulnerability detection, user crawling blasting)
https://github.com/code-scan/dzscan
(the first integrated Discuz scanning tool)
https://github.com/chuhades/CMS-Exploit-Framework
(A simple and elegant CMS scanning and exploitation framework)
https://github.com/lijiejie/IIS_shortname_Scanner
(IIS short file name brute force enumeration exploit tool)
https://github.com/riusksk/FlashScanner
(flashxss scan)
https://github.com/coffeehb/SSTIF
(a semi-automatic tool for raising server-side template injection vulnerabilities)
https://github.com/epinna/tplmap
(server-side template injection vulnerability detection and exploitation tool)
https://github.com/cr0hn/dockerscan
(Docker scanning tool)
https://github.com/m4ll0k/WPSeku
(a streamlined wordpress scanning tool)
https://github.com/rastating/wordpress-e...-framework
(integrated wordpress Vulnerability Exploitation Framework)
https://github.com/ilmila/J2EEScan
(a burpsuite plugin for scanning J2EE applications)
https://github.com/riusksk/StrutScan
(a historical vulnerability scanner based on perl strut2)
https://github.com/D35m0nd142/LFISuite
(local file inclusion exploit and scanning tool, supports reverse shell)
https://github.com/0x4D31/salt-scanner
(Linux vulnerability scanner based on Salt Open and Vulners Linux Audit API, supports combined use with JIRA and slack platforms)
https://github.com/tijme/angularjs-csti-scanner
(Automatic detection of client-side AngularJS template injection vulnerability tool)
https://github.com/irsdl/IIS-ShortName-Scanner
(IIS short file name brute force enumeration exploit tool written in Java)
https://github.com/swisskyrepo/Wordpresscan
(Optimized wordpress scanner based on WPScan and WPSeku)
https://github.com/CHYbeta/cmsPoc
(CMS penetration testing framework)
https://github.com/rudSarkar/crlf-injector
(CRLF injection vulnerability Batch scanning)
https://github.com/3gstudent/Smbtouch-Scanner
(Automatically scan the intranet for the ETERNAL series of vulnerabilities leaked by the shadow broker)
https://github.com/utiso/dorkbot
(customized Google search engine to search and scan vulnerability pages)
https://github.com/OsandaMalith/LFiFreak
(Local file inclusion exploit and scanning tool, supports reverse shell)
https://github.com/mak-/parameth
(used to enumerate GET / POST unknown parameter fields of scripts)
https://github.com/Lucifer1993/struts-scan
(struts2's full version detection and exploitation tool)
https://github.com/hahwul/a2sv
(SSL vulnerability scanning, such as the Heartbleed vulnerability, etc.)
https://github.com/NullArray/DorkNet
(based on Vulnerability web search for search engines)
https://github.com/NickstaDB/BaRMIe
(tool used to attack and blast the Java RemoteMethod Invocation service)
https://github.com/RetireJS/grunt-retire
(scans js extension libraries for common vulnerabilities)
https://github.com/kotobukki/BDA
(Vulnerability detection tool for big data platforms such as hadoop/spark)
https://github.com/jagracey/Regex-DoS
(RegEx denial of service scanner)
https://github.com/milesrichardson/docker-onion-nmap
(scan hidden "onion" services on the Tor network with NMAP)
https://github.com/Moham3dRiahi/XAttacker
(Web CMS Exploit tool, contains 66 different exploits for mainstream CMS)
https://github.com/lijiejie/BBScan
(a mini batch scanning script for information leakage)
https://github.com/almandin/fuxploider
(File upload vulnerability scanner and exploitation tool)
https://github.com/Ice3man543/SubOver
(Subdomain takeover vulnerability detection tool, supports 30+ cloud service hosting detection)
https://github.com/Jamalc0m/wphunter
(Vulnerability scanner for WordPress, which also supports sensitive file leak scanning)
https://github.com/retirejs/retire.js
(Detects known vulnerabilities in the general-purpose JavaScript libraries that the website depends on)
https://github.com/3xp10it/xupload
(Automatically detect whether the upload function can upload webshell)
https://github.com/mobrine-mob/M0B-tool
(CMS fingerprint recognition and automated penetration testing framework)
https://github.com/rezasp/vbscan
(Forum framework vBulletin black box vulnerability scanner)
https://github.com/MrSqar-Ye/BadMod
(CMS fingerprint recognition and automated penetration testing framework)
https://github.com/Tuhinshubhra/CMSeeK
(CMS vulnerability detection and exploitation kit)
https://github.com/cloudsploit/scans
(AWS security audit tool)
https://github.com/radenvodka/SVScanner
(Vulnerability scanner and automatic exploitation tool for CMS such as wp, magento, joomla)
https://github.com/rezasp/joomscan
(joomla vulnerability scanning project under OWASP)
https://github.com/6IX7ine/djangohunter
(used to detect Django applications that expose sensitive information due to misconfiguration)
https://github.com/savio-code/fern-wifi-cracker/
(wireless security audit tool)
https://github.com/m4n3dw0lf/PytheM
(Python network/penetration testing tool)
https://github.com/P0cL4bs/WiFi-Pumpkin
(Wireless security penetration testing suite)
https://github.com/MisterBianco/BoopSuite
(wireless network audit tool, supports 2-5GHz frequency band)
https://github.com/DanMcInerney/LANs.py
(ARP spoofing, wireless network hijacking)
https://github.com/besimaltnok/PiFinger
(Check whether wifi is a hotspot opened by "Big Pineapple" and give a network score)
https://github.com/derv82/wifite2
(A reconstructed version of the automated wireless network attack tool wifite)
https://github.com/sowish/LNScan
(based on BBScan via.lijiejie's local network scanning)
https://github.com/SkyLined/LocalNetworkScanner
(JavaScript-based local Network scanning)
https://github.com/wufeifei/cobra
(White box code security audit system)
https://github.com/OneSourceCat/phpvulhunter
(Static PHP code audit)
https://github.com/Qihoo360/phptrace
(Tools for tracking and analyzing the operation of PHP)
https://github.com/ajinabraham/NodeJsScan
(NodeJS application code audit)
https://github.com/shengqi158/pyvulhunter
(Python application audit)
https://github.com/presidentbeef/brakeman
(Ruby on Rails application static code analysis)
https://github.com/python-security/pyt
(Python application static code audit)
https://github.com/m4ll0k/WPSploit
(WordPress plugin code security audit)
https://github.com/emanuil/php-reaper
(used to scan ADOdb code for possible SQL vulnerabilities in PHP applications)
https://github.com/lowjoel/phortress
(PHP static code analysis tool for detecting potential security vulnerabilities)
https://github.com/az0ne/AZScanner
(automatic vulnerability scanner, subdomain blasting, port scanning, directory blasting, common framework vulnerability detection)
https://github.com/blackye/lalascan
(A distributed web vulnerability scanning framework that combines OWASP Top 10 vulnerability scanning with edge asset discovery capabilities)
https://github.com/blackye/BkScanner
(BkScanner distributed, plug-in web vulnerability scanner)
https://github.com/ysrc/GourdScanV2
(Passive vulnerability scanning tool produced by ysrc)
https://github.com/netxfly/passive_scan
(web vulnerability scanner based on http proxy)
https://github.com/1N3/Sn1per
(Automated scanner, including middleware scanning and device fingerprint recognition)
https://github.com/RASSec/pentestEr_Full...ic-scanner
(Directed fully automated penetration testing tool)
https://github.com/3xp10it/3xp10it
(Automated penetration testing framework, supports CDN real IP search, fingerprint recognition, etc.)
https://github.com/Lcys/lcyscan
(Python plug-in vulnerability scanner, supports generating scan reports)
https://github.com/Xyntax/POC-T
(Plug-in testing concurrency framework)
https://github.com/v3n0m-Scanner/V3n0M-Scanner
(Scanner that supports detection of vulnerabilities such as SQLI/XSS/LFI/RFI)
https://github.com/Skycrab/leakScan
(Web graphical vulnerability scanning framework)
https://github.com/zhangzhenfeng/AnyScan
(A networked automated penetration testing framework)
https://github.com/Tuhinshubhra/RED_HAWK
(an all-in-one scanning tool integrating information collection, vulnerability scanning, fingerprint identification, etc.)
https://github.com/Arachni/arachni
(Highly integrated web application vulnerability scanning framework, supporting REST, RPC and other api calls)
https://github.com/infobyte/faraday
(Integrated penetration testing auxiliary platform and vulnerability management platform)
https://github.com/juansacco/exploitpack
(Integrated framework for penetration testing, including 38,000+ attacks)
https://github.com/swisskyrepo/DamnWebScanner
(passive vulnerability scanning based on chromium/opera plugin)
https://github.com/anilbaranyelken/tulpar
(Supports a variety of network vulnerability scans, for use in a command-line environment)
https://github.com/m4ll0k/Spaghetti
(Web application scanner, supports fingerprint recognition, file directory blasting, SQL/XSS/RFI and other vulnerability scanning, can also be used directly for struts, ShellShock, etc.)
https://github.com/Yukinoshita47/Yuki-Ch...to-Pentest
(web application scanner integrating subdomain enumeration, nmap, waf fingerprint recognition and other modules)
https://github.com/0xsauby/yasuo
(Developed in Ruby, scans hosts on the network for vulnerabilities in third-party web application services)
https://github.com/hatRiot/clusterd
(Web application automated scanning framework, supports automated webshell upload)
https://github.com/erevus-cn/pocscan
(an open source Poc calling framework, you can easily call Pocsuite, Tangscan, Beebeeto, Knowsec old version POC, you can use docker deployment)
https://github.com/TophantTechnology/osprey
(an open source vulnerability detection framework produced and maintained by Douxiang Competence Center)
https://github.com/yangbh/Hammer
(Web application vulnerability scanning framework)
https://github.com/Lucifer1993/AngelSword
(Web application vulnerability scanning framework, based on python3)
https://github.com/secrary/EllaScanner
(passive vulnerability scanning, supports historical cve number vulnerability identification)
https://github.com/zaproxy/zaproxy
(Comprehensive penetration testing tool produced by the OWASP ZAP core project)
https://github.com/sullo/nikto
(Web service comprehensive scanner, used for asset collection of specified targets, security configuration defects or security vulnerability scanning)
https://github.com/s0md3v/Striker
(A multi-faceted information collection, fingerprint identification and vulnerability scanning tool)
https://github.com/dermotblair/webvulscan
(A web application vulnerability scanner, supports scanning for reflected and stored xss, sql injection and other vulnerabilities, supports pdf report output)
https://github.com/alienwithin/OWASP-mth...-framework
(Penetration testing auxiliary tool, comprehensive utilization framework)
https://github.com/toyakula/luna
(automated web vulnerability scanning tool based on passive scanning framework)
https://github.com/Manisso/fsociety
(penetration testing auxiliary framework, including information collection, wireless penetration, Web application scanning and other functions)
https://github.com/boy-hack/w9scan
(web vulnerability scanning framework with built-in 1200+ plugins)
https://github.com/YalcinYolalan/WSSAT
(Web service security assessment tool, provides a simple .exe application for the Windows operating system)
https://github.com/AmyangXYZ/AssassinGo
(A scalable, high-concurrency penetration testing framework)
https://github.com/jeffzh3ng/InsectsAwake
(Vulnerability scanning system based on the Flask application framework)
https://github.com/m4ll0k/Galileo
(a web application security audit framework similar to metasploit in operation)
https://github.com/joker25000/Optiva-Framework
(A web application vulnerability scanner that supports scanning for reflected and stored xss, sql injection and other vulnerabilities)
https://github.com/theInfectedDrake/TIDoS-Framework
(Integrated web application penetration testing framework with 104 modules)
https://github.com/Neo23x0/Loki
(APT intrusion trace scanner)
https://github.com/w3h/icsmaster/tree/master/nse
(ICS device nmap scanning script)
https://github.com/OpenNetworkingFoundation/DELTA
(SDN Security Assessment Framework)