This is your work, valued
πππ ππ¦π
RAU_crypto. Telerik UI for ASP.NET AJAX File upload and .NET deserialisation exploit (CVE-2017-11317, CVE-2017-11357, CVE-2019-18935)
β 181dp_crypto. Base64-based encryption oracle exploit for CVE-2017-9248 (Telerik UI for ASP.NET AJAX dialog handler)
β 178target-redirector. Target Redirector is a Burp Suite Extension written in Kotlin, which redirects all Burp requests destined for a chosen target to a different target of your choice. The hostname/IP, port and protocol (HTTP/HTTPS) can all be configured to an alternative destination.
β 26bmc_bladelogic. BMC Bladelogic RSCD exploits including remote code execution - CVE-2016-1542, CVE-2016-1543, CVE-2016-5063
β 20HexyRunner. Takes raw hex shellcode (e.g. msfvenom hex format) from a cmd line arg, text file, or URL download and runs it.
β 20waf-cookie-fetcher. WAF Cookie Fetcher is a Burp Suite extension written in Python, which uses a headless browser to obtain the values of WAF-injected cookies which are calculated in the browser by client-side JavaScript code and adds them to Burp's cookie jar. Requires PhantomJS.
β 16dell-emc_recoverpoint. Exploits for Dell EMC RecoverPoint enterprise data protection platform
β 13MixedUp. Mixed Mode Assembly PoC with sample payloads in DLLMain
β 12burp-extender-api-kotlin. Burp Extender API - Unofficial Kotlin version
β 11smooth-drop-shadow. Copies images, adding a smooth drop shadow, with enlargement to accommodate. Requires GIMP.
β 8nf_conntrack-for-scanners. Alters the nf_conntrack settings profile to make it suitable for scanners such as nmap, nessus, etc
β 7PortRanger. Converts an unordered (e.g. grepped) network ports to a condensed range/list that is suitable for nmap and other tools.
β 6redacterm. Edit terminal output ready for screenshots - highlight key areas and redact sensitive info.
β 6BurpelFish. BurpelFish - Adds Google Translate to Burp's Context Menu. "Babel Fish" language translation for app-sec testing in other languages.
β 5mx-direct-mail-sender. Sends a direct email, with no relay required, by looking up the MX record and delivering the message to one of the resulting mail servers.
β 3reGeorg. The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
β 2picelf. Embed shellcode directly into a minimally sized ELF file
β 1Keylogger. A simple keylogger for Windows, Linux and Mac
β 1JSONBee. A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP) of different websites.
β 763penelope. Penelope Shell Handler
β 1.9kSysWhispers2. AV/EDR evasion via direct system calls.
β 1.8kCVE-2019-18935. RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX.
β 373public-pentesting-reports. A list of public penetration test reports published by several consulting firms and academic security groups.
β 9.6knrf-research-firmware. Firmware and research tools for Nordic Semiconductor nRF24LU1+ based USB dongles and breakout boards.
β 442EoPLoadDriver. Proof of concept for abusing SeLoadDriverPrivilege (Privilege Escalation in Windows)
β 170CVE-2020-1472. PoC for Zerologon - all research credits go to Tom Tervoort of Secura
β 1.3kSpoolSample. PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
β 1.1kDamn_Vulnerable_C_Program. An example C program which contains vulnerable code for common types of vulnerabilities. It can be used to show fuzzing concepts.
β 723Awesome-CobaltStrike. List of Awesome CobaltStrike Resources
β 4.4kROADtools. A collection of Azure AD/Entra tools for offensive and defensive security purposes
β 2.7kaquatone. A Tool for Domain Flyovers
β 5.9kHIPS_LIPS. Community maintained list of most popular HIPS service and process names on a Windows Platform.
β 43puff. Clientside vulnerability / reflected xss fuzzer
β 149Macrome. Excel Macro Document Reader/Writer for Red Teamers & Analysts
β 524h1domains. HackerOne "in scope" domains
β 526dnSpy. .NET debugger and assembly editor
β 30kNetLoader. Loads any C# binary in mem, patching AMSI + ETW.
β 850frida-boot. Frida Boot π’- A binary instrumentation workshop, with Frida, for beginners!
β 318Octopus. Open source pre-operation C2 server based on python and powershell
β 764spoolsystem. Print Spooler Named Pipe Impersonation for Cobalt Strike
β 271x86-Instruction-Set-Reference. HTML
β 1HellsGate. Original C Implementation of the Hell's Gate VX Technique
β 1.2kbackdoorfactory. A from-scratch rewrite of The Backdoor Factory - a MitM tool for inserting shellcode into all types of binaries on the wire.
β 376DotNetDeserializationScanner. Scans for .NET Deserialization Bugs in .NET Assemblies
β 81BadBlood. BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
β 2.3kInveighZero. .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
β 817Active-Directory-Exploitation-Cheat-Sheet. A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
β 6.7kGTFOBLookup. Offline command line lookup utility for GTFOBins (https://github.com/GTFOBins/GTFOBins.github.io), LOLBAS (https://github.com/LOLBAS-Project/LOLBAS), WADComs (https://wadcoms.github.io), and HijackLibs (https://hijacklibs.net/).
β 289AWAE-PREP. This repository will serve as the "master" repo containing all trainings and tutorials done in preperation for OSWE in conjunction with the AWAE course. This repo will likely contain custom code by me and various courses.
β 946windows-syscalls. Windows System Call Tables (NT/2000/XP/2003/Vista/7/8/10/11)
β 2.6kWindowsRpcClients. This respository is a collection of C# class libraries which implement RPC clients for various versions of the Windows Operating System from 7 to Windows 10.
β 287PrintDemon. PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potetial misuses of the functionality.
β 201faxhell. A Bind Shell Using the Fax Service and a DLL Hijack
β 333vim-gas. Advanced syntax highlighting for GNU As
β 154hostmap. Ruby
β 75go-shellcode. A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.
β 1.2kdnscan. Python
β 1.3kapi-spec-converter. Convert API descriptions between popular formats such as OpenAPI(fka Swagger), RAML, API Blueprint, WADL, etc.
β 1.2kSystemToken. Steal privileged token to obtain SYSTEM shell
β 254HeapsOfFun. AMSI Bypass Via the Heap
β 107enumprocmodules. Get Amsi Function Addresses Using EnumProcessModules & Half a Peb walk
β 5MalwareDevTalk. C#
β 48PEASS-ng. PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
β 20kwin32k-bugs. Dump of win32k POCs for bugs I've found
β 379google-authenticator. A pure Python script that produces the same 2FA codes as the Google Authenticator App
β 81Android-Kitchen. A text-based kitchen for Android ROM customization. Uses shell scripts and works with Cygwin/OS X/Linux.
β 1.1kMobile-Security-Framework-MobSF. Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
β 21kRedTeamCSharpScripts. C# Script used for Red Team
β 718magnifier0day. Windows 10 Privilege Escalation (magnifier.exe) via Dll Search Order Hijacking
β 143CVE-2020-0796. CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
β 1.4kAwesome-Advanced-Windows-Exploitation-References. List of Awesome Advanced Windows Exploitation References
β 1.6kExploit-Development. Python
β 319awesome_windows_logical_bugs. collect for learning cases
β 598avscript. Avast JavaScript Interactive Shell
β 672CVE-2020-1938. Python
β 45Robber. Robber is open source tool for finding executables prone to DLL hijacking
β 797RedELK. Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
β 2.7kFocaccia-Board. Multipurpose Breakout for the FT232H
β 95spoofing-office-macro. :fish: PoC of a VBA macro spawning a process with a spoofed parent and command line.
β 383karkinos. A thorough library database to assist with binary exploitation tasks.
β 197Z0FCourse_ReverseEngineering. Reverse engineering focusing on x64 Windows.
β 5.9kx86-manpages. x86 and amd64 instruction reference manual pages
β 268CollaboratorPlusPlus. Java
β 148MSBuildAPICaller. MSBuild Without MSBuild.exe
β 155fuzzowski. the Network Protocol Fuzzer that we will want to use.
β 792cve-2017-12945. Exploit for CVE-2017-12945.
β 4WindowsEnum. A Powershell Privilege Escalation Enumeration Script.
β 314jwt_tool. :snake: A toolkit for testing, tweaking and cracking JSON Web Tokens
β 6.7kSharpDomainSpray. Basic password spraying tool for internal tests and red teaming
β 90flarequench. Burp Suite plugin that adds additional checks to the passive scanner to reveal the origin IP(s) of Cloudflare-protected web applications.
β 65WordAmsiBypass.
β 37redsnarf. RedSnarf is a pen-testing / red-teaming tool for Windows environments
β 1.2kSharpSniper. Find specific users in active directory via their username and logon IP address
β 387Covenant. Covenant is a collaborative .NET C2 framework for red teamers.
β 4.7kpinjectra. Pinjectra is a C/C++ OOP-like library that implements Process Injection techniques (with focus on Windows 10 64-bit)
β 828CallObfuscator. Obfuscate specific windows apis with different apis
β 1kkompromat. Private keys that have become public ...
β 185redsnarf. RedSnarf is a pen-testing / red-teaming tool for Windows environments
β 1redtest. PowerShell
β 15donut. Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
β 4.7kWDExtract. Extract Windows Defender database from vdm files and unpack it
β 488threadfire. PoC Thread Execution Hijacking for Win32 Code Injection
β 176CVE-2019-0841. PoC code for CVE-2019-0841 Privilege Escalation vulnerability
β 239DefenderCheck. Identifies the bytes that Microsoft Defender flags on.
β 2.6koxml_xxe. A tool for embedding XXE/XML exploits into different filetypes
β 1.2kkris-vm. Python
β 12mXtract. mXtract - Memory Extractor & Analyzer
β 585Winpayloads. Undetectable Windows Payload Generation
β 1.6kwesng. Windows Exploit Suggester - Next Generation
β 4.9kdirty_sock. Linux privilege escalation exploit via snapd (CVE-2019-7304)
β 683net.tcp-proxy. A python based library to interact with .net webservices with net.tcp binding. Supports MC-NMF, MC-NMFTB and MS-NNS and contains a proxy for reading communications with webservices which require the negotiate encryption.
β 58PrivExchange. Exchange your privileges for Domain Admin privs by abusing Exchange
β 1.1kSMBLibrary. Free, Open Source, User-Mode SMB 1.0/CIFS, SMB 2.0, SMB 2.1 and SMB 3.0 server and client library
β 873SharpPack. An Insider Threat Toolkit
β 157boofuzz. A fork and successor of the Sulley Fuzzing Framework
β 2.3kFSharp-Shellcode. F# Implementation to spawn shellcode
β 47blackboxprotobuf. Blackbox Protobuf is a set of tools for working with encoded Protocol Buffers (protobuf) without the matching protobuf definition.
β 731Rubeus. Trying to tame the three-headed dog.
β 5.1kDDer. Generic ASN.1 decoder/encoder to a structured text syntax
β 52SharpDump. SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
β 666go-out. βοΈ go-out - A Golang egress buster.
β 128egressbuster. Egressbuster is a method to check egress filtering and identify if ports are allowed. If they are, you can automatically spawn a shell.
β 375poc_CVE-2018-1002105. PoC for CVE-2018-1002105.
β 222OffensiveDLR. Toolbox containing research notes & PoC code for weaponizing .NET's DLR
β 528dnscat2-powershell. A Powershell client for dnscat2, an encrypted DNS command and control tool.
β 437dnscat2. PHP
β 3.9kscavenger. scavenger : is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.
β 342GTRS. GTRS - Google Translator Reverse Shell
β 625curl. A command line tool and library for transferring data with URL syntax, supporting DICT, FILE, FTP, FTPS, GOPHER, GOPHERS, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, MQTT, MQTTS, POP3, POP3S, RTSP, SCP, SFTP, SMB, SMBS, SMTP, SMTPS, TELNET, TFTP, WS and WSS. libcurl offers a myriad of powerful features
β 42kAggressorScripts. Various Aggressor Scripts I've Created.
β 150DCOMrade. Powershell script for enumerating vulnerable DCOM Applications
β 267MemProcFS. MemProcFS
β 4.2kInvisi-Shell. Hide your Powershell script in plain sight. Bypass all Powershell security features
β 1.3kruse. a secure and highly-portable reverse proxy (redirector) for your Red Team infrastructure.
β 34oleviewdotnet. A .net OLE/COM viewer and inspector to merge functionality of OleView and Test Container
β 1.4kWindowsRuntimeSecurityDemos. Demos for Presentation on Windows Runtime Security
β 71AD-Attack-Defense. Attack and defend active directory using modern post exploitation adversary tradecraft activity
β 4.8kvirtualbox_e1000_0day. VirtualBox E1000 Guest-to-Host Escape
β 1.4kAwesomeXSS. Awesome XSS stuff
β 5.1kSharpCompile. SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in realtime. This is a more slick approach than manually compiling an .NET assembly and loading it into Cobalt Strike. The project aims to make it easier to move away from adhoc PowerShell execution instead creating a temporary assembly and executing using beacon's 'execute-assembly' in seconds.
β 289frida. Clone this repo to build Frida
β 21knmap-vulners. NSE script based on Vulners.com API
β 3.4kCasperStager. PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
β 152red_team_telemetry. Python
β 98WheresMyImplant. A Bring Your Own Land Toolkit that Doubles as a WMI Provider
β 289AJPy. AJPy aims to craft AJP requests in order to communicate with AJP connectors. Reference documentation: https://tomcat.apache.org/connectors-doc/ajp/ajpv13a.html
β 6nndefaccts. nnposter's alternate fingerprint dataset for Nmap script http-default-accounts
β 256Inveigh. .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
β 3ksmbaudit. Perform various SMB-related attacks, particularly useful for testing large Active Directory environments.
β 42CeWL. CeWL is a Custom Word List Generator
β 2.7kwindows-attacksurface-workshop. Workshop material for a Windows Attack Surface Analysis Workshop
β 68PadBuster. Automated script for performing Padding Oracle attacks
β 813angryFuzzer. Tools for information gathering
β 361fuzzdb. Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
β 1.4ksectaskbars. Security Product Taskbar Icons (to identify from screenshots)
β 58Aggressor-scripts. Aggressor scripts I've made for Cobalt Strike
β 415Invoke-ACLPwn. PowerShell
β 526juice-shop. OWASP Juice Shop: Probably the most modern and sophisticated insecure web application
β 13kStarFighters. A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host.
β 321unicorn. Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
β 3.9kxvwa. XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security.
β 1.8kmy-pentesting-repo. This is a set of tips and reminders for pentesting processes and scripts/programs. Initially for personal use, but if anyone else finds the reminders useful, then enjoy! A few links for useful tools and files. Some tools written by me.
β 53wirespy. Framework designed to automate various wireless networks attacks (the project was presented on Pentester Academy TV's toolbox in 2017).
β 659ExchangeRelayX. An NTLM relay tool to the EWS endpoint for on-premise exchange servers. Provides an OWA for hackers.
β 306Telewreck. A Burp extension to detect and exploit versions of Telerik Web UI vulnerable to CVE-2017-9248.
β 97mimikittenz. A post-exploitation powershell tool for extracting juicy info from memory.
β 1.9kgscript. framework to rapidly implement custom droppers for all three major operating systems
β 707windows-kernel-exploits. windows-kernel-exploits WindowsεΉ³ε°ζζζΌζ΄ιε
β 8.7khackability. Probe a rendering engine for vulnerabilities and other features
β 365vuLnDAP. A vulnerable LDAP based web app written in Golang
β 83Internal-Monologue. Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
β 2ManagedInjection. A proof of concept for dynamically loading .net assemblies at runtime with only a minimal convention pre-knowledge
β 164psportfwd. a simple portforwarder in ps1 with embeded c# code
β 90WeBaCoo. Web Backdoor Cookie Script-Kit
β 187ntlmv1-multi. NTLMv1 Multitool
β 667pathbrute. Pathbrute
β 455CVE-2018-2894. CVE-2018-2894 WebLogic Unrestricted File Upload Lead To RCE Check Script
β 140Keylogger. A simple keylogger for Windows, Linux and Mac
β 2.4kTokenvator. A tool to elevate privilege with Windows Tokens
β 1.1kRed-Team-Infrastructure-Wiki. Wiki to collect Red Team infrastructure hardening resources
β 4.5kasm_prog_material. x86 Assembly Adventures code snippets
β 124asm_prog_ex. Exercises for Assembly language course
β 353h4cker. This repository is maintained by Omar Santos (@santosomar) and includes thousands of resources related to ethical hacking, bug bounties, digital forensics and incident response (DFIR), AI security, vulnerability research, exploit development, reverse engineering, and more. π₯ Also check: https://hackertraining.org
β 28kReconnoitre. A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
β 2.2kXFLTReaT. XFLTReaT tunnelling framework
β 332scripts. PowerShell
β 424google-authenticator. Burp Suite plugin that dynamically generates Google 2FA codes for use in session handling rules (approved by PortSwigger for inclusion in their official BApp Store).
β 30archerysec. ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
β 2.5kpypykatz. Mimikatz implementation in pure Python
β 3.3kProcessHider. Post-exploitation tool for hiding processes from monitoring applications
β 747GTFOBins.github.io. GTFOBins is a curated list of Unix-like executables that can be used to bypass local security restrictions in misconfigured systems.
β 13kloadlibrayy. x64 manualmapper with kernel elevation and thread hijacking capabilities
β 424minidump. Python library to parse and read Microsoft minidump file format
β 303Red-Teaming-Toolkit. This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
β 10kGreatSCT. The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team.
β 1.1kWinPwnage. UAC bypass, Elevate, Persistence methods
β 2.8kExploit-Challenges. A collection of vulnerable ARM binaries for practicing exploit development
β 952HTTP-Header-Fuzzer. A multithreaded Python3 program that fuzzes HTTP headers and values and outputs the results to a CSV file.
β 21Empire-GUI. Empire client application
β 502CACTUSTORCH. CACTUSTORCH: Payload Generation for Adversary Simulations
β 1kLOLBAS. Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
β 1.6kCredKing. Password spraying using AWS Lambda for IP rotation
β 666credssp. A code demonstrating CVE-2018-0886
β 268UltimateAppLockerByPassList. The goal of this repository is to document the most common techniques to bypass AppLocker.
β 2.1kInfectPE. InfectPE - Inject custom code into PE file [This project is not maintained anymore]
β 325DPAT. Domain Password Audit Tool for Pentesters
β 1.1kstenographer. Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets. Discussion/announcements at stenographer@googlegroups.com
β 1.8kSharpShooter. Payload Generation Framework
β 2kPowerDNS. PowerDNS: Powershell DNS Delivery
β 218Exchange-AD-Privesc. Exchange privilege escalations to Active Directory
β 819shellen. :cherry_blossom: Interactive shellcoding environment to easily craft shellcodes
β 908kernel_rop. C
β 90ADRecon. ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
β 1.9ksour16. Toy version of the sweet32 attack
β 16Invoke-Piper. Forward local or remote tcp ports through SMB pipes.
β 298lpeworkshop. Windows / Linux Local Privilege Escalation Workshop
β 1kCTF-2017. BSidesPDX CTF 2017
β 11sshLooter. Script to steal passwords from ssh.
β 489