This is your work, valued
Super Papa
MobileApp-Pentest-Cheatsheet. The Mobile App Pentest cheat sheet was created to provide concise collection of high value information on specific mobile application penetration testing topics.
★ 5.2kOWASP-Testing-Checklist. OWASP based Web Application Security Testing Checklist is an Excel based checklist which helps you to track the status of completed and pending test cases.
★ 1.8kFridpa. An automated wrapper script for patching iOS applications (IPA files) and work on non-jailbroken device
★ 122sievePWN. An android application which exploits sieve through android components.
★ 44owasp-mstg. The Mobile Security Testing Guide (MSTG) is a manual for testing the security of mobile apps. It describes technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). The MSTG is meant to provide a baseline set of test cases for black-box and white-box security tests, and to help ensure completeness and consistency of the tests.
★ 35OWASP-Testing-Guide-v5. The OWASP Testing Guide includes a "best practice" penetration testing framework which users can implement in their own organizations and a "low level" penetration testing guide that describes techniques for testing most common web application and web service security issues.
★ 19CMS-XPL. CMS Exploit Scripts
★ 12webshell. This is a webshell open source project
★ 4RE-iOSapp.
★ 1GameBoy_GhidraSleigh. Ghidra Processor support for Nintendo Game Boy
★ 1ezhz-android. Kotlin
★ 17mitmproxy. An interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
★ 44kGDA-android-reversing-Tool. the fastest and most powerful android decompiler(native tool working without Java VM) for the APK, DEX, ODEX, OAT, JAR, AAR, and CLASS file. which supports malicious behavior detection, privacy leaking detection, vulnerability detection, path solving, packer identification, variable tracking, deobfuscation, python&java scripts, device memory extraction, data decryption, and encryption, etc.
★ 4.8khbctool. Hermes Bytecode Reverse Engineering Tool (Assemble/Disassemble Hermes Bytecode)
★ 625SprayingToolkit. Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
★ 1.6kroutersploit. Exploitation Framework for Embedded Devices
★ 13ktomcatWarDeployer. Apache Tomcat auto WAR deployment & pwning penetration testing tool.
★ 444WinPwn. Automation for internal Windows Penetrationtest / AD-Security
★ 3.7kPrivescCheck. Privilege Escalation Enumeration Script for Windows
★ 3.9kAvaloniaILSpy. Avalonia-based .NET Decompiler (port of ILSpy)
★ 1.8kGopherus. This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
★ 3.4kpspy. Monitor linux processes without root permissions
★ 6.1kPENTESTING-BIBLE. articles
★ 14kMagisk. The Magic Mask for Android
★ 62kbagbak. [deprecated] Yet another frida based iOS dumpdecrypted. Also decrypts app extensions
★ 1.5kRMS-Runtime-Mobile-Security. Runtime Mobile Security (RMS) 📱🔥 - is a powerful web interface that helps you to manipulate Android and iOS Apps at Runtime
★ 3kcodeql-intro. CodeQL
★ 2ghidra_scripts. Scripts for the Ghidra software reverse engineering suite.
★ 1.2kdsdump. An improved nm + Objective-C & Swift class-dump
★ 1.2khakrawler. Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
★ 5.1kswiftshield. 🔒 Swift Obfuscator that protects iOS apps against reverse engineering attacks.
★ 2.5kgitrob. Reconnaissance tool for GitHub organizations
★ 6.2kFast-Google-Dorks-Scan. The OSINT project, the main idea of which is to collect all the possible Google dorks search combinations and to find the information about the specific web-site: common admin panels, the widespread file types and path traversal. The 100% automated.
★ 1.7krelative-url-extractor. A small tool that extracts relative URLs from a file.
★ 771PEASS-ng. PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
★ 20kCryptoSwift. CryptoSwift is a growing collection of standard and secure cryptographic algorithms implemented in Swift
★ 11kCVE-2019-2729-Exploit. CVE-2019-2729 Exploit Script
★ 45fuzzing_tutorial. Mutation Based Grey Box Fuzzing with AFL Tutorial
★ 6CVE-2019-1253. Poc for CVE-2019-1253
★ 153wastc. Secure-D Web Application Security Test Checklist summarizes well-known weaknesses, vulnerabilities and best practices into review topics with short description and recommendation. Its objective is to aid penetration tester to review the web application thoroughly.
★ 21Pentest-Tools.
★ 2.4kDVHMA. Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
★ 271Empire. Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.
★ 5.2kmasvs. The OWASP MASVS (Mobile Application Security Verification Standard) is the industry standard for mobile app security.
★ 2.4kwstg. The Web Security Testing Guide is a comprehensive Open Source guide to testing the security of web applications and web services.
★ 9.6kexploit-0x41-buffer-overflow. Exploit Development 0x41: Buffer Overflooooooooooow
★ 6jnitrace. A Frida based tool that traces usage of the JNI API in Android apps.
★ 1.9kbfinject. Dylib injection for iOS 11.0 - 11.1.2 with LiberiOS and Electra jailbreaks
★ 641apkstudio. Open-source, cross platform Qt6 based IDE for reverse-engineering Android application packages. It features a friendly IDE-like layout including code editor with syntax highlighting support for *.smali code files.
★ 4.3kfridump. A universal memory dumper using Frida
★ 855BlueCrawl. Frida (Android) Script for extracting bluetooth information
★ 67pidcat. Colored logcat script which only shows log entries for a specific application package.
★ 4.9kie11_vbscript_exploit. Exploit Generator for CVE-2018-8174 & CVE-2019-0768 (RCE via VBScript Execution in IE11)
★ 9apk-anal. Android APK analyzer based on radare2 and others.
★ 154h8mail. Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email
★ 5.1kCheatSheetSeries. The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
★ 33kRE-iOS-Apps. A completely free, open source and online course about Reverse Engineering iOS Applications.
★ 2.9kfrida-snippets. Hand-crafted Frida examples
★ 2.5kawesome-radare2. A curated list of awesome projects, articles and the other materials powered by Radare2
★ 738Intranet_Penetration_Tips. 2018年初整理的一些内网渗透TIPS,后面更新的慢,所以整理出来希望跟小伙伴们一起更新维护~
★ 4.6kTokenvator. A tool to elevate privilege with Windows Tokens
★ 1.1kInveigh. .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
★ 3kwifiphisher. The Rogue Access Point Framework
★ 15kSniffAir. A framework for wireless pentesting.
★ 1.2kguide-aws-hacking. This is an offensive guide to securing AWS infrastructures. The hope is that by knowing how to take advantage of various types of AWS weaknesses you will be verse enough to provide the correct countermeasures.
★ 174p0wnedShell. PowerShell Runspace Post Exploitation Toolkit
★ 1.6knano. Nano is a family of PHP web shells which are code golfed for stealth.
★ 449caldera. Automated Adversary Emulation Platform
★ 7.1kprowler. Prowler is the world’s most widely used open-source cloud security platform that automates security and compliance across any cloud environment.
★ 14kSecLists. SecLists is the security tester's companion. It's a collection of multiple types of lists used during security assessments, collected in one place. List types include usernames, passwords, URLs, sensitive data patterns, fuzzing payloads, web shells, and many more.
★ 72kCheatsheet-God. Penetration Testing Reference Bank - OSCP / PTP & PTX Cheatsheet
★ 5.6kWAF-bypass-Cheat-Sheet. Another way to bypass WAF Cheat Sheet (draft)
★ 435MagiskFrida. Runs frida-server on boot as root with magisk.
★ 221BeRoot. Privilege Escalation Project - Windows / Linux / Mac
★ 2.6kPayloadsAllTheThings. A list of useful payloads and bypass for Web Application Security and Pentest/CTF
★ 79kDarthSidious. Building an Active Directory domain and hacking it
★ 666fuxploider. File upload vulnerability scanner and exploitation tool.
★ 3.3kAstra. Automated Security Testing For REST API's
★ 2.7kawesome-iot-hacks. A Collection of Hacks in IoT Space so that we can address them (hopefully).
★ 2.4kVibe. A framework for stealthy domain reconnaissance
★ 303Practical-Reverse-Engineering-using-Radare2. Training Materials of Practical Reverse Engineering using Radare2
★ 107windows-kernel-exploits. windows-kernel-exploits Windows平台提权漏洞集合
★ 8.7kwssip. Application for capturing, modifying and sending custom WebSocket data from client to server and vice versa.
★ 453awesome-pentest. A collection of awesome penetration testing resources, tools and other shiny things
★ 27kknockpy. Knock Subdomain Scan
★ 4.2khouse. A runtime mobile application analysis toolkit with a Web GUI, powered by Frida, written in Python.
★ 1.5kmastg. The OWASP Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes technical processes for verifying the OWASP Mobile Security Weakness Enumeration (MASWE) weaknesses, which are in alignment with the OWASP MASVS.
★ 13kbfdecrypt. Utility to decrypt App Store apps on jailbroken iOS 11.x
★ 488WaTF-Bank. WaTF Bank - What a Terrible Failure Mobile Banking Application for Android and iOS
★ 144replicator. Burp extension to help developers replicate findings from pen tests
★ 71AutoSploit. Automated Mass Exploiter
★ 5.2kMetasploit_termux. Ruby
★ 828Responder. Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
★ 6.5kbytecode-viewer. A Java 8+ Jar & Android APK Reverse Engineering Suite (Decompiler, Editor, Debugger & More)
★ 16kgeth-vanitygen. Ethereum address generator with specific prefix or suffix.
★ 3iProxy. Let's you connect your laptop to the iPhone to surf the web.
★ 1.2kfrida-scripts. A collection of my Frida instrumentation scripts to reverse engineer mobile apps and more.
★ 1.6kpassionfruit. [WIP] Crappy iOS app analyzer
★ 1.7kobjection. 📱 objection - runtime mobile exploration
★ 9.3kmisc. Miscellaneous programs/scripts to make your life a little less painful
★ 157appmon. Documentation:
★ 1.6ksecure-mobile-development. A Collection of Secure Mobile Development Best Practices
★ 560frida-cycript. Cycript fork powered by Frida.
★ 394hopperscripts. Collection of scripts I use in the Hopper disassembler
★ 110androguard. Reverse engineering and pentesting for Android applications
★ 6.1kneedle. The iOS Security Testing Framework
★ 1.4kdiff-gui. GUI for Frida -Scripts
★ 182MASTG-Hacking-Playground. Java
★ 685Inspeckage. Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more. (Xposed Module)
★ 3kandroid-backup-extractor. Android backup extractor
★ 2.6ktrustme. Disable certificate trust checks on iOS devices.
★ 119ssl-kill-switch2. Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS and macOS applications.
★ 3.3kIntrospy-iOS. Security profiling for blackbox iOS
★ 739weak_classdump. Cycript real-time classdump . An alternative for encrypted binaries
★ 249dumpdecrypted. Dumps decrypted mach-o files from encrypted iPhone applications from memory to disk. This tool is necessary for security researchers to be able to look under the hood of encryption.
★ 3kAndroidPinning. A standalone library project for certificate pinning on Android.
★ 630JustTrustMe. An xposed module that disables SSL certificate checking for the purposes of auditing an app with cert pinning
★ 5.3kdvws. Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities. NOTE: This project is out of date, please use https://github.com/snoopysecurity/dvws-node
★ 459Android-InsecureBankv2. Vulnerable Android application for developers and security enthusiasts to learn about Android insecurities
★ 1.5kjadx. Dex to Java decompiler
★ 50kAndBug. Android Debugging Library
★ 599sign. Sign.jar automatically signs an apk with the Android test certificate.
★ 428logcat-color. A colorful and highly configurable alternative to the standard "adb logcat" command from the Android SDK
★ 559SSLUnpinning_Xposed. Android Xposed Module to bypass SSL certificate validation (Certificate Pinning).
★ 899android-ssl-bypass. Black box tool to bypass SSL verification on Android, even when pinning is used.
★ 335Android-KillPermAndSigChecks. Bypass signature and permission checks for IPCs
★ 86ios-ssl-kill-switch. Blackbox tool to disable SSL certificate validation - including certificate pinning - within iOS Apps
★ 914Android-SSL-TrustKiller. Bypass SSL certificate pinning for most applications
★ 721ClassNameDeobfuscator. Simple script to parse through the .smali files produced by apktool and extract the .source annotation lines.
★ 81AndroBugs_Framework. AndroBugs Framework is an efficient Android vulnerability scanner that helps developers or hackers find potential security vulnerabilities in Android applications. No need to install on Windows.
★ 1.2kdiva-android. DIVA Android - Damn Insecure and vulnerable App for Android
★ 1.1kAndrol4b. A Virtual Machine For Assessing Android applications, Reverse Engineering and Malware Analysis
★ 1.2ktestssl.sh. Testing TLS/SSL encryption anywhere on any port
★ 9.1kidb. idb is a tool to simplify some common tasks for iOS pentesting and research
★ 954IIS-ShortName-Scanner. latest version of scanners for IIS short filename (8.3) disclosure vulnerability
★ 1.7ksqlmap. Automatic SQL injection and database takeover tool
★ 38kqark. Tool to look for several security related Android application vulnerabilities
★ 3.4kMobile-Security-Framework-MobSF. Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
★ 21k