Attackflow

https://www.attackflow.com/

IDENTIFY ALL VULNERABILITIES IN YOUR SOURCE CODE

audit

https://github.com/linux-audit/audit-userspace

Linux audit userspace repository

Central Authentication Service

https://wiki.jasig.org/display/CAS/Home

CAS is an enterprise Single Sign-On solution for web services. Single Sign-On (SSO) means a better user experience when running a multitude of web services, each with its own means of authentication. With an SSO solution, different web services may authenticate to one authoritative source of trust that the user needs to log in to, instead of requiring the end user to log in to each separate service.

Cobra

https://github.com/WhaleShark-Team/cobra

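Cobra is a source code security audit tool that can detect most of the significant security issues and vulnerabilities in source code written in a variety of programming languages.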

Crackpy

https://github.com/j3ers3/Crackpy

🌀 Weak-password brute-forcing and unauthorized-access checking tool

Cscan

https://github.com/j3ers3/Cscan

🐝 Cscan, a fast scanning tool for class C network segments

Dirscan

https://github.com/j3ers3/Dirscan

🎃 Dirscan, a simple and fast directory scanning tool for pentesters

DumpsterDiver

https://github.com/securing/DumpsterDiver

DumpsterDiver is a tool that can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks.

ESAPI

https://github.com/ESAPI/esapi-java-legacy

ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library that makes it easier for programmers to write lower-risk applications. https://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API

Find Security Bugs

https://find-sec-bugs.github.io/

The SpotBugs plugin for security audits of Java web applications. It can detect 135 different vulnerability types with over 816 unique API signatures.

GnuPG

https://gnupg.org/

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communication, and features a versatile key management system as well as access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. Version 2 of GnuPG also provides support for S/MIME and Secure Shell (ssh).

go-audit

https://github.com/slackhq/go-audit

go-audit is an alternative to the auditd daemon that ships with many distros. After having created an auditd audisp plugin to convert audit logs to json, I became interested in creating a replacement for the existing daemon.

GraphQLmap

https://github.com/swisskyrepo/GraphQLmap

GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.

Grapl

https://github.com/grapl-security/grapl

Grapl is a Graph Platform for Detection and Response with a focus on helping Detection Engineers and Incident Responders stop fighting their data and start connecting it. Grapl leverages graph data structures at its core to ensure that you can query and connect your data efficiently, model complex attacker behaviors for detection, and easily expand suspicious behaviors to encompass the full scope of an ongoing intrusion.

KALI

https://www.kali.org/

Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. In addition to Kali Linux, Offensive Security also maintains the Exploit Database and the free online course, Metasploit Unleashed.

KeePassX

https://www.keepassx.org/

KeePassX is an application for people with extremely high demands on secure personal data management. It has a light interface, is cross-platform and is published under the terms of the GNU General Public License.

Kunlun-M

https://github.com/LoRexxar/Kunlun-M

Kunlun-Mirror is an audit-assistance tool focused on use by security researchers.

Lynis

https://github.com/CISOfy/lynis

Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional. https://cisofy.com/lynis/

Medusa

http://h.foofus.net/?page_id=51
https://github.com/jmk-foofus/medusa

Medusa is a speedy, parallel, and modular, login brute-forcer. The goal is to support as many services which allow remote authentication as possible.

nmap

https://nmap.org/

Nmap (“Network Mapper”) is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).

OpenSSH

https://www.openssh.com/

OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.

OpenSSL

https://www.openssl.org/

OpenSSL is an open source project that provides a robust, commercial-grade, and full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is also a general-purpose cryptography library.

osquery

https://github.com/osquery/osquery

osquery is a SQL powered operating system instrumentation, monitoring, and analytics framework.

OSSEC

https://ossec.github.io/

OSSEC is a scalable, multi-platform, open source Host-based Intrusion Detection System (HIDS). It has a powerful correlation and analysis engine, integrating log analysis, file integrity checking, Windows registry monitoring, centralized policy enforcement, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, OpenBSD, FreeBSD, MacOS, Solaris and Windows.

OSS-Fuzz

https://github.com/google/oss-fuzz - OSS-Fuzz - continuous fuzzing of open source software

Fuzz testing is a well-known technique for uncovering programming errors in software. Many of these detectable errors, like buffer overflow, can have serious security implications. Google has found thousands of security vulnerabilities and stability bugs by deploying guided in-process fuzzing of Chrome components, and we now want to share that service with the open source community.

OWASP Dependency Check

https://www.owasp.org/index.php/OWASP_Dependency_Check
https://github.com/jeremylong/DependencyCheck

Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.

Panther

https://github.com/panther-labs/panther

Detect threats with log data and improve cloud security posture

pfff

https://github.com/returntocorp/pfff - pfff is mainly an OCaml API to write static analysis, dynamic analysis, code visualizations, code navigations, or style-preserving source-to-source transformations such as refactorings on source code

pfff is a set of tools and APIs to perform static analysis, code visualizations, code navigations, or style-preserving source-to-source transformations such as refactorings on source code. There is good support for Javascript, Python, C, Java, Go, and PHP. There is also preliminary support for other languages such as C++, Ruby, Rust, C#, Html, CSS, Erlang, Lisp, Haskell, Skip, and SQL. There is also very good support for OCaml code so that the framework can be used on the code of pfff itself.

proxychains-ng

https://github.com/rofl0r/proxychains-ng

$ brew install proxychains-ng

proxychains ng (new generation) - a preloader which hooks calls to sockets in dynamically linked programs and redirects them through one or more SOCKS/HTTP proxies. Continuation of the unmaintained proxychains project.

Rootkit Hunter

http://rkhunter.sourceforge.net/

Rootkit Hunter project.

securityheaders.io

https://securityheaders.io/

semgrep

https://github.com/returntocorp/semgrep

Lightweight static analysis for many languages. Find and block bug variants with rules that look like source code.

sqlmap

http://sqlmap.org/

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting and fetching data from the database to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

SS

SS socks5

SSRFmap

https://github.com/swisskyrepo/SSRFmap

SSRF is often used to leverage actions on other services; this framework aims to find and exploit these services easily. SSRFmap takes a Burp request file as input and a parameter to fuzz.

Suricata

https://github.com/OISF/suricata

Suricata git repository maintained by the OISF

TLS-Attacker

https://github.com/RUB-NDS/TLS-Attacker

TLS-Attacker is a Java-based framework for analyzing TLS libraries. It is able to send arbitrary protocol messages in an arbitrary order to the TLS peer, and define their modifications using a provided interface. This gives the developer an opportunity to easily define a custom TLS protocol flow and test it against his TLS library.

Tor

https://www.torproject.org/

Tor is free software and an open network that helps you defend against traffic analysis, a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security.

TrueCrypt

https://truecrypt.ch/

TrueCrypt.ch is the gathering place for all up-to-date information. Unfortunately TrueCrypt.org is dead. But, we (the pure-privacy people) will help organize a future.

VeraCrypt

https://veracrypt.codeplex.com/

VeraCrypt is a free disk encryption software brought to you by IDRIX (https://www.idrix.fr) and that is based on TrueCrypt 7.1a.

VulnyCode

https://github.com/swisskyrepo/Vulny-Code-Static-Analysis

Basic script to detect vulnerabilities in PHP source code; it uses regular expressions to find sinkholes.

watchdog

https://github.com/flipkart-incubator/watchdog

Watchdog is an integration of open source security tools aimed at providing a holistic security view for a given domain/IP. The way Watchdog is built, it can be used by product security teams, red teams and also by bug bounty hunters to get a 360° view of any Internet property it scans. Given a list of domains/IPs, it has the capability to perform a network scan, feed the output to open source web app scanners like Google's skip-fish and wapiti, perform tech stack analysis and determine if the stack has any known CVEs.

Whalescan

https://github.com/nccgroup/whalescan

Whalescan is a vulnerability scanner for Windows containers, which performs several benchmark checks, as well as checking for CVEs/vulnerable packages on the container.

Whispers

https://github.com/Skyscanner/whispers

Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.

Wordpresscan

https://github.com/swisskyrepo/Wordpresscan

A simple WordPress scanner written in Python based on the work of WPScan (Ruby version); some features are inspired by WPSeku.

xray

https://github.com/chaitin/xray

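A full-featured security assessment tool that supports scanning for common web security issues and custom PoCs | Be sure to read the documentation before use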

Yara

https://virustotal.github.io/yara/
https://yara.readthedocs.io/en/v3.4.0/writingrules.html
https://github.com/Yara-Rules/rules
https://bruteforce.gr/yara-a-beginners-guide.html
https://github.com/InQuest/awesome-yara

YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.

Yasca

https://scovetta.github.io/yasca/

Yasca is an open source program which looks for security vulnerabilities, code-quality, performance, and conformance to best practices in program source code. It leverages external open source programs, such as FindBugs, PMD, JLint, JavaScript Lint, PHPLint, Cppcheck, ClamAV, Pixy, and RATS to scan specific file types, and also contains many custom scanners developed for Yasca.

Zeek

https://github.com/zeek/zeek

Zeek is a powerful network analysis framework that is much different from the typical IDS you may know.

  1. http://sectools.org/ - SECTOOLS.ORG
  2. https://www.hkcert.org/security-tools - Security Tools
  3. http://tools.kali.org/tools-listing - Kali Linux Tools Listing
  4. https://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html - Source Code Security Analyzers [Snapshot]
  5. https://blog.runpanther.io/open-source-cloud-security-tools/ - 7 Open Source Cloud Security Tools You Should Know
  6. https://cloudberry.engineering/tool/ - Cloud Security Tools