San Diego, CA

Chris Frohoff

Elite
@frohoff

building things, breaking things, building things that break things. ysoserial night janitor. journeyman ctf plumber. he/him

ysoserial. A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.

9k

jdk8u-jdk. Java

210

ciphr. CLI crypto swiss-army knife for performing and composing encoding, decoding, encryption, decryption, hashing, and other various cryptographic operations on streams of data from the command line; mostly intended for ad hoc, infosec-related uses.

119

inspector-gadget. Primitive tool for exploring/querying Java classes via the Tinkerpop Gremlin graph traversal language

109

grepcidr. from http://www.pc-tools.net/unix/grepcidr/

89

marshalsec. Java

76

jdk8u-dev-jdk. Java

67

jdeserialize. From https://code.google.com/p/jdeserialize/

35

rails_exploits. Ruby

22

serialysis. from http://weblogs.java.net/blog/emcmanus/archive/2007/06/disassembling_s.html

11

pd-buddy-wye. From https://git.clarahobbs.com/pd-buddy/pd-buddy-wye.git

11

extract-ssl-secrets. Decrypt HTTPS/SSL/TLS connections on the fly with Wireshark

9

appseccali-java. Java

9

ctfd-trektheme. Star Trek LCARS inspired pure CSS theme for CTFd (v2.1.1) used during the 2019 LayerOne CTF and ToorCon CTF.

8

bocker. Docker implemented in around 100 lines of bash

7

inyourface. From http://www.synacktiv.com/ressources/inyourface-0.2.tar.gz

7

appseccali-marshalling-pickles. Slide deck from AppSecCali 2015 Talk "Marshalling Pickles: how deserializing objects will ruin your day"

7

sleepyhead. imported from https://sourceforge.net/projects/sleepyhead/

7

owaspsd-deserialize-my-shorts. Slide deck from OWASP SD Talk "Deserialize My Shorts: Or How I Learned to Start Worrying and Hate Java Object Deserialization"

6

grepcidr2. from http://www.taugh.com/grepcidr-2/

5

Java-Deserialization-Cheat-Sheet. The cheat sheet about Java Deserialization vulnerabilities

5

revsh. A remote access tool for pentesters designed for advanced pivoting.

4

jimmix. From http://www.synacktiv.com/ressources/jimmix-0.3.tar.gz

4

burp-plugin-requestutils. Plugin for manipulating requests in PortSwigger Burp Suite Pro v1.5+

4

jdk7u. Java

3

security_monkey. Security Monkey

3

CTFd. CTFs as you need them

3

shellshock-pocs. Perl

2

d3-profile-viewer. Java

2

rest-client. Simple HTTP and REST client for Ruby, inspired by microframework syntax for specifying actions.

2

jsdetox. A Javascript malware analysis tool

2

self-compile-Android. Autonomous smartphone app. Capable of self-compilation, mutation, and viral spreading. World-first proof-of-principle to bypass Internet kill switches.

2

reverse-proxy-auth-plugin. Java

2

pacemaker. Heartbleed (CVE-2014-0160) client exploit

2

gitlabhq. Project management and code hosting application. Follow us on twitter @gitlabhq

2

Empire. Empire is a PowerShell and Python post-exploitation agent.

2

pupy. Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

2

jdk6. Java

2

jmitm2. From http://www.david-guembel.de/uploads/media/jmitm2-0.1.0-source.tar.gz

2

multiplexd. run ssh, https, and openvpn on the same port

2

Top10. Official OWASP Top 10 Document Repository

2

Hurl. Choose the browser on the click of a link

1

frohoff.github.io. Github Pages Site

1

JavaPayload. JavaPayload is a collection of pure Java payloads to be used for post-exploitation from pure Java exploits or from common misconfigurations (like not password protected Tomcat manager or debugger port).

1

libbf. Library for binary file manipulation

1

lambda-zip-test. docker run -v [homedir]/.aws/:/root/.aws/ -e AWS_DEFAULT_PROFILE=[profilename] [containerid]

1

sparring. Network simulation for malware analysis.

1

javascript-playlist-parser. Parse m3u, pls, and asx in JavaScript

1

pwnableweb-scoreboard. Scoreboard for CTF Competitions

1

ghidra. Ghidra is a software reverse engineering (SRE) framework

1

pwdagent. A barebones CLI utility to prompt for and cache a password in memory, then hand it out over HTTP or raw TCP

1

cloudwatch-logs-subscription-consumer. A specialized Amazon Kinesis stream reader (based on the Amazon Kinesis Connector Library) that can help you deliver data from Amazon CloudWatch Logs to any other system in near real-time using a CloudWatch Logs Subscription Filter.

1

git. Git Source Code Mirror - This is a publish-only repository and all pull requests are ignored. Please follow Documentation/SubmittingPatches procedure for any of your improvements.

1

dotfiles. Shell

1

ircbots. Scala

1

appseccali-rails-redis. Ruby

1

JMD. Java bytecode analysis/deobfuscation tool

1

burp-debug. Java

1
58
Apply