.svg){kind=icon}
High Performance Distributed Observability Platform.
No Code Distributed Observability Platform.
Performance Impact Analysis Software.
The Swiss Army knife for 802.11, BLE, IPv4 and IPv6 networks reconnaissance and MITM attacks.
bettercap is a powerful, easily extensible and portable framework written in Go which aims to offer to security researchers, red teamers and reverse engineers an easy to use, all-in-one solution with all the features they might possibly need for performing reconnaissance and attacking WiFi networks, Bluetooth Low Energy devices, wireless HID devices and Ethernet networks.
Stowaway is a Multi-hop proxy tool for security researchers and pentesters
Users can easily proxy their network traffic to intranet nodes (multi-layer),break the restrction and manipulate all the nodes that under your control XD
This script allows you to do recognition around a domain name.
AORT makes it possible to detect the sub-domains, the DNS, the possibility of a domain name transfer, the type of WAF in place (firewall application), the Whois information, the open ports, as well as various endpoints or mailboxes.
Application Security Testing Software.
Free, lightweight web application security scanning for CI/CD.
manual tools to start web security testing.
A fast tool to scan CRLF vulnerability written in Goc
The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.
XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and futher generate (maliciously) exploitable proof of concepts with each found vulnerability. For more info on how XSRFProbe works, see XSRFProbe Internals on wiki.
Most advanced XSS scanner.
XSStrike is a Cross Site Scripting detection suite equipped with four hand written parsers, an intelligent payload generator, a powerful fuzzing engine and an incredibly fast crawler.
A Burp Extension for GraphQL Security Testing.
A security testing tool to facilitate GraphQL technology security auditing efforts.
Automated All-in-One OS Command Injection Exploitation Tool.
Commix (short for [comm]and [i]njection e[x]ploiter) is an open source penetration testing tool, written by Anastasios Stasinopoulos (@ancst), that automates the detection and exploitation of command injection vulnerabilities.
Software for Adversary Simulations and Red Team Operations.
Adversary Simulations and Red Team Operations are security assessments that replicate the tactics and techniques of an advanced adversary in a network. While penetration tests focus on unpatched vulnerabilities and misconfigurations, these assessments benefit security operations and incident response.
The Burp extension helps you to find authorization bugs. Just navigate through the web application with a high privileged user and let the Auth Analyzer repeat your requests for any defined non-privileged user. With the possibility to define Parameters the Auth Analyzer is able to extract and replace parameter values automatically. With this for instance, CSRF tokens or even whole session characteristics can be auto extracted from responses and replaced in further requests. Each response will be analyzed and tagged on its bypass status.
EDRSandBlast is a tool written in C that weaponize a vulnerable signed driver to bypass EDR detections (Notify Routine callbacks, Object Callbacks and ETW TI provider) and LSASS protections. Multiple userland unhooking techniques are also implemented to evade userland monitoring.
As of release, combination of userland (--usermode) and Kernel-land (--kernelmode) techniques were used to dump LSASS memory under EDR scrutiny, without being blocked nor generating "OS Credential Dumping"-related events in the product (cloud) console. The tests were performed on 3 distinct EDR products and were successful in each case.
Impacket is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (e.g. SMB1-3 and MSRPC) the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data, and the object-oriented API makes it simple to work with deep hierarchies of protocols. The library provides a set of tools as examples of what can be done within the context of this library.
WebGoat is a deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components.
Welcome to RasPwn OS, The intentionally vulnerable image for the Raspberry Pi.
Raspwn OS is a GNU/Linux distro in the spirit of Damn Vulnerable Linux and uses a Raspberry Pi 2B or 3 to emulate a vulnerable Linux Server. RasPwn was designed as a training tool and exists only to be attacked and pwned. Everything from the OS itself to the daemons and services to the web applications installed are all vulnerable to some degree. The idea is to provide a 'safe' (relatively) and affordable training environment and playground for hackers and pen-testers. By loading Raspwn OS and connecting to the Raspberry Pi via WiFi, one can practice pen-testing as well as both offensive and defensive hacking techniques without ever even getting on the internet for only around $50.
AutoPWN Suite is a project for scanning vulnerabilities and exploiting systems automatically.
The world's most widely used web app scanner. Free and open source. Actively maintained by a dedicated international team of volunteers.
Cloud oriented pentesting distribution
Hackazon is a free, vulnerable test site that is an online storefront built with the same technologies used in today’s rich client and mobile applications. Hackazon has an AJAX interface, strict workflows and RESTful API’s used by a companion mobile app providing uniquely-effective training and testing ground for IT security professionals. And, it’s full of your favorite vulnerabilities like SQL Injection, cross-site scripting and so on.