http://www.aircrack-ng.org/doku.php?id=Main
https://danielmiessler.com/study/tcpdump/
http://www.tcpdump.org/
https://forum.aircrack-ng.org/index.php/topic,890.0.html
https://forum.aircrack-ng.org/index.php/topic,796.0.html
https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm
http://wiki.cacert.org/FAQ/ImportRootCert
http://blog.dornea.nu/2014/12/02/howto-proxy-non-proxy-aware-android-applications-through-burp/
https://support.portswigger.net/customer/portal/articles/1841101-configuring-an-android-device-to-work-with-burp
http://techblog.vsza.hu/tags/x509/
https://tools.ietf.org/html/rfc1918
http://www.cvedetails.com/product-list.php
https://code.google.com/p/android-sdk-tool/wiki/GettingStarted
http://www.rapid7.com/
http://www.coffer.com/mac_find/?string=00%3A90%3AE8%3A1B%3ADB%3AC6
https://www.jayschulman.com/securing-amazon-web-services/?utm_source=ActiveCampaign&utm_medium=email&utm_content=Security+Longreads+for+December+18%2C+2015&utm_campaign=Security+Longreads+for+December+18%2C+2015#utm_source=rss&utm_medium=rss&utm_campaign=securing-amazon-web-services
https://isc.sans.edu/
https://guidovranken.files.wordpress.com/2015/12/https-bicycle-attack.pdf
http://www.mitls.org/pages/attacks/SLOTH
https://weakdh.org/imperfect-forward-secrecy-ccs15.pdf
https://blog.torproject.org/blog/tor-and-beast-ssl-attack
http://www.isg.rhul.ac.uk/tls/TLStiming.pdf
http://www.drdobbs.com/understanding-oracle-attacks-on-informat/184405917
Nakedsecurity.sophos.com
null-byte.wonderhowto.com
googleonlinesecurity.blogspot.com.au
https://securityheaders.io/
http://mxtoolbox.com/DNSLookup.aspx
https://haveibeenpwned.com/
http://www.uvrx.com/social.html
http://socialmention.com/
http://boardreader.com/
http://www.whostalkin.com/
http://onion.link/
http://deepweblinks.org/
https://ahmia.fi/
http://www.acunetix.com/blog/articles/elaborate-ways-exploit-xss-flash-parameter-injection/
http://fossbytes.com/10-best-operating-systems-for-ethical-hacking-and-penetration-testing-2016/
https://www.honeynet.org/
http://www.edgis-security.org/honeypot/dionaea/
http://www.oldapps.com/
http://svn.mozilla.org/projects/infrasec/are_we_secure/
http://www.monkey.org/~dugsong/dsniff/
https://www.vsp.com/register-profile.html
http://www.onlinehashcrack.com/
https://download.g0tmi1k.com/wordlists/large/
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2012/september/details-on-the-crime-attack/
http://www.webappsec.org/
https://drownattack.com/
infosec584.wordpress.com
https://protonmail.com/
https://unseen.is/
https://app.wire.com/auth/
https://github.com/funkandwagnalls/ranger
http://mxtoolbox.com/
https://www.exploit-db.com/docs/39527.pdf
http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
http://bernardodamele.blogspot.com/2011/09/reverse-shells-one-liners.html
https://www.veil-framework.com/framework/veil-evasion/
https://github.com/letsencrypt/letsencrypt
https://www.skillset.com/
http://phrack.org/issues/7/3.html
http://www.securityweek.com/
https://packetstormsecurity.com/
https://www.vulnhub.com/
https://www.linkedin.com/pulse/practical-xpath-injection-attack-defense-benjamin-caudill?trk=hb_ntf_MEGAPHONE_ARTICLE_POST
http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/
http://www.w4rri0r.com/
http://www.ipaddressguide.com/cidr#range
https://github.com/robertdavidgraham/masscan
https://tails.boum.org/
https://www.whonix.org/
http://rachelbythebay.com/w/2016/04/17/unprotected/
https://www.qubes-os.org/doc/torvm/
http://distrowatch.com/table.php?distribution=wifislax
Pastebin.com
https://securityinabox.org/en
https://community.rapid7.com/community/metasploit/blog/2013/07/02/a-penetration-testers-guide-to-ipmi
http://www.radare.org/r/
https://www.sharpmail.co.uk/
https://github.com/Synchro/PHPMailer
https://copperhead.co/android/
https://www.cs.cf.ac.uk/Dave/PERL/node175.html
http://www.9tut.com/
https://myowasp.force.com/apex/MN4__mnp_dashboard?sfdc.tabName=01rU00000009a7G
https://www.issa.org/
http://www.pentesteracademy.com/
Blogs worth it
Carnal0wnage
McGrew Security
Blog | GNUCITIZEN
Darknet
spylogic.net
TaoSecurity
Room362.com
SIPVicious
PortSwigger.net
Blog - pentestmonkey.net
Jeremiah Grossman
omg.wtf.bbq.
C (in)s u it
SkullSecurity
Metasploit
Security and Networking
Skeptikal.org
Digital Soapbox
tssci security
Blog - Gotham Digital Science
Reiners Weblog
Bernardo Damele A. G.
Laramies Corner
Attack and Defense Labs
Billy (BK) Rios
Common Exploits
extern blog SensePost;
Weapons of Mass Analysis
Exploit KB
Security Reliks
MadIrish.net
sirdarckcat
Reusable Security
Myne-us
www.notsosecure.com
SpiderLabs Anterior
Corelan Team | Peter Van Eeckhoutte (corelanc0d3r)
DigiNinja
Home Of PaulDotCom Security Podcast
Attack Vector
deviating.net
Alpha One Labs
SmashingPasswords.com
wirewatcher
gynvael.coldwind//vx.log
Nullthreat Security
Archangel Amael's BT Tutorials
memset's blog
ihasomgsecurityskills
punter-infosec
Security Ninja
Security and risk
GRM n00bs
Kioptrix
::eSploit::
PenTestIT Your source for Information Security Related information!
BackTrack Forums
EliteHackers.info
InterN0T forum
Government Security
Hack This Site Forum
iExploit Hacking Forum
Security Override
bright-shadows.net
ethicalhacker.net
sla.ckers.org
Magazines
(IN)SECURE Magazine
http://hakin9.org/
Video
net toolkit::index
IHS | GHDB
Exploits and Advisories
The Exploit Database
.:[ packet storm ]:.
SecurityFocus
SecurityForest
NIST
OSVDB: The Open Source Vulnerability Database
SecDocs IT Security and Hacking knowledge base
Nullbyte.Org.IL
CVE security vulnerability database
Secunia.com
CVE - Common Vulnerabilities and Exposures (CVE)
Cheat Sheets and Syntax
Big Port DB | Cirt
Cheat Sheet : All Cheat Sheets in one page
Security Advancements at the Monastery Blog Archive What's in Your Folder: Security Cheat Sheets
Information about developments at the Monastery
Agile Hacking
Agile Hacking: A Homegrown Telnet-based Portscanner | GNUCITIZEN
Command Line Kung Fu
Simple yet effective: Directory Bruteforcing
The Grammar of WMIC
Windows Command-Line Kung Fu with WMIC
Windows CMD Commands
running a command on every mac
Syn: Command-Line Ninjitsu
WMIC, the other OTHER white meat.
Hacking Without Tools: Windows - RST
Pentesting Ninjitsu 1
Pentesting Ninjitsu 2 Infrastructure and Netcat without Netcat
[PenTester Scripting]
windows-scripting-COM-tricks
Advanced-Command-Exploitation
OS & Scripts
IPv4 subnetting reference - Wikipedia, the free encyclopedia
All the Best Linux Cheat Sheets
SHELLdorado - Shell Tips & Tricks (Beginner)
Linux Survival :: Where learning Linux is easy
BashPitfalls - Greg's Wiki
Rubular: a Ruby regular expression editor and tester
http://www.iana.org/assignments/port-numbers
Useful commands for Windows administrators
Tools
netcat cheat sheet (ed skoudis)
nessus/nmap (older)
hping3 cheatsheet
Nmap 5 (new)
MSF, Fgdump, Hping
Metasploit meterpreter cheat sheet reference
Netcat cheat sheet
Distros
BackTrack Linux
Matriux
nUbuntu
Samurai Web Testing Framework
http://visi.kenshoto.com/
radare
Offensive Computing | Community Malicious code research and analysis
Passwords and Hashes
Password Exploitation Class
Default Passwords Database
Sinbad Security Blog: MS SQL Server Password Recovery
Foofus Networking Services - Medusa::SMBNT
LM/NTLM Challenge / Response Authentication - Foofus.Net Security Stuff
MD5 Crackers | Password Recovery | Wordlist Downloads
Password Storage Locations For Popular Windows Applications
Online Hash Crack MD5 / LM / NTLM / SHA1 / MySQL - Passwords recovery - Reverse hash lookup Online - Hash Calculator
Requested MD5 Hash queue
Virus.Org
Default Password List
Electric Alchemy: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR
Wordlists
"Crack Me If You Can" - DEFCON 2011
Packet Storm Word Lists
Passwords - SkullSecurity
Index of /passwd/passwords
Pass the Hash
pass-the-hash-attacks-tools-mitigation_33283 (application/pdf Object)
crack-pass-hash_33219 (application/pdf Object)
MitM
Introduction to dsniff - GIAC Certified Student Practical
dsniff-n-mirror.pdf (application/pdf Object)
dsniff.pdf (application/pdf Object)
A Hacker's Story: Let me tell you just how easily I can steal your personal data - Techvibes.com
ECCE101.pdf (application/pdf Object)
3.pdf (application/pdf Object)
Seven_Deadliest_UC_Attacks_Ch3.pdf (application/pdf Object)
cracking-air.pdf (application/pdf Object)
bh-europe-03-valleri.pdf (application/pdf Object)
Costa.pdf (application/pdf Object)
defcon-17-sam_bowne-hijacking_web_2.0.pdf (application/pdf Object)
Live_Hacking.pdf (application/pdf Object)
PasstheParcel-MITMGuide.pdf (application/pdf Object)
2010JohnStrandKeynote.pdf (application/pdf Object)
18.Ettercap_Spoof.pdf (application/pdf Object)
EtterCap ARP Spoofing & Beyond.pdf (application/pdf Object)
Fun With EtterCap Filters.pdf (application/pdf Object)
The_Magic_of_Ettercap.pdf (application/pdf Object)
arp_spoofing.pdf (application/pdf Object)
Ettercap(ManInTheMiddleAttack-tool).pdf (application/pdf Object)
ICTSecurity-2004-26.pdf (application/pdf Object)
ettercap_Nov_6_2005-1.pdf (application/pdf Object)
MadIrish.net Mallory is More than a Proxy
Thicknet: It does more than Oracle, Steve Ocepek securityjustice on USTREAM. Computers
Tools
OSINT
Edge-Security - theHarvester- Information Gathering
DNSTRACER man-page
Maltego 3
Metadata
document-metadata-silent-killer_32974 (application/pdf Object)
proxy
Social Engineering
Social Engineering Toolkit
Password
Ncrack
Medusa
JTR
Ophcrack
keimpx in action | 0x3f
keimpx - Project Hosting on Google Code
hashkill
Metasploit
markremark: Reverse Pivots with Metasploit - How NOT to make the lightbulb
WmapNikto - msf-hack - One-sentence summary of this page. - Project Hosting on Google Code
markremark: Metasploit Visual Basic Payloads in action
Metasploit Mailing List
PaulDotCom: Archives
OpenSSH-Script for meterpreter available !
Metasploit: Automating the Metasploit Console
Deploying Metasploit as a Payload on a Rooted Box Tutorial
Metasploit/MeterpreterClient - Wikibooks, collection of open-content textbooks
SecTor 2010 - HD Moore - Beyond Exploits on Vimeo
XLSinjector Milo2012's Security Blog
Armitage - Cyber Attack Management for Metasploit
Nsploit
neurosurgery-with-meterpreter
(automating msf) UAV-slides.pdf
MSF Exploits or Easy
Tenable Network Security
(Other)
http://corelan.be
http://phrack.org
http://insecure.org
http://www.winprog.org
http://althing.cs.dartmouth.edu/local/shellcode.html
https://securitycafe.ro/category/pentest-techniques/
SSL / TLS / HTTPS
Is TLS fast yet? A great site debunking the myths of SSL/TLS speed cost
Firesheep A watershed moment for SSL by demonstrating the ease with which unprotected traffic can be intercepted and sessions hijacked
Qualys SSL Labs Tests a variety of attributes of the SSL implementation by pointing it at any URL
CloudFlare Get SSL for free on any website
Let's Encrypt It's coming, and it promises to fix the current mess that is CAs and configuring certs
Betsy's free wifi Shows a young girl standing up a rogue wifi hot spot
Chromium HSTS preload list All the sites submitted for HTTP strict transport security preload (a depressingly small number of them)
HTTP Shaming Sensitive data sent insecurely? Name and shame!
DDoS
Krista's professional DDoS service Video of an innocent teenager promoting a DDoS service
Norse Totally awesome real time map of DDoS attacks that's absolutely mesmerising to watch
Booter promotional video Very professional advert for a booter service (complete with Epic DDoS interface)
Fiddler extension for CSP Massively streamlines your creation of a CSP by building the policy as you browse
SecurityHeaders.io Everything security header related and a great place to assess your current state
Report URI Analyse your CSP and HPKP headers plus log your exception reports there
Make any website do the Harlem Shake If you can run this in the console against a website, they almost certainly don't have a CSP prohibiting arbitrary content from being loaded into the site
Passwords
OWASP Password Storage Cheat Sheet There are plenty of bad ways of doing it, this is a great resource documenting the good ways
Jimmy Kimmel What is your password? Video of interviewing people and engineering them into disclosing their password
Diceware A popular method of creating strong pass phrases suitable for use as a password
Password managers
1Password Still my favourite password manager; client based, runs on all devices and the keychain is syncable via multiple mechanisms
LastPass A web based password manager (albeit with rich clients as well), one of the big players in password managers
KeePass A popular free alternative to commercial password managers
Account management
Adult Friend Finder password reset Enumeration done wrong; initiate a password reset for any email address and be told if they're a member of a highly personal site
Entropay password reset A great example of not disclosing the existence of an account (try resetting an account that isn't registered on their system)
Botnet brute force attack against GitHub I regularly use this as an example of how hard it can be to defend against brute force
Personal security
F-Secure's Freedome My VPN of choice with lots of exit nodes around the world and a promise of no logging
mycreditfile.com.au This is an Aussie version so do find one local to you if you're not down under, but identity protection and credit alerts is a must have today IMHO
Googledorks
Google Hacking Database Great collection of Googledorks categorised by various classes of exposed data
Google Hacking for Penetration Testers In case you prefer books over web pages
Other tools and links
Have I been pwned? How could I not include this?! My own tool, now being put to particularly good use by large enterprises monitoring tens of millions of people
Mailinator Create temporary email addresses for testing
Shodan Find devices connected to the web (cameras, SCADA systems, etc.)
Retire.js What you require you must also retire: helps identify JavaScript libraries with known vulnerabilities
urlQuery.net Analyses web-delivered malware by inspecting an individual URL and identifying malicious behaviour
Phish5 I'm yet to use them but I hear good things; phishing attacks are enormously effective and these guys help you test your organisation for how well equipped people are to recognise the attacks
Plain Text Offenders Been emailed your password? Name and shame!
Kaspersky Real Time Threat Map Very cool visualisation of the real time threat Kaspersky is seeing
Tor Browser Bundle Access the underwebs and browse anonymously
Security statistics reports
Verizon Data Breach Investigations Report The annual DBIR is based on real world security incidents and is a great resource for evidence-based security metrics
WhiteHat Security Statistics Report Based on findings in the websites they monit
No Place to Hide: Edward Snowden, the NSA, and the U.S. Surveillance State
By Glenn Greenwald. As Howard notes in his review, No Place to Hide is part exposé, part autobiography, and part screed against the man. Greenwald is a columnist for The Guardian and was one of Snowden's key contacts in the leaking of classified U.S. government secrets. Named one of the Top 20 in Rick Howard's Cyber Canon.
The Practice of Network Security Monitoring: Understanding Incident Detection and Response
By Richard Bejtlich. A great technical primer with step-by-step instructions on how to deploy, build and run an NSM operation using open source software and vendor-neutral tools. Many reviewers comment on how readable it is compared to other books. Named one of the Top 20 in Rick Howard's Cyber Canon.
Secrets and Lies
By Bruce Schneier. Although it was first published in 2004, Schneier's warnings are still relevant today. Security is a process, not a product, he reminds us, and people are invariably the weakest link. Do we have to sacrifice privacy for better security? Read Schneier's book to find out. Named one of the Top 20 in Rick Howard's Cyber Canon.
Security Engineering: A Guide to Building Dependable Distributed Systems
By Ross J. Anderson. A massive guide (900+ pages) that's worth every word. As one of the top security experts in the world, Ross Anderson has seen it all. His book covers everything from high-level policy to specialized protection mechanisms to technical engineering basics. New security engineers will especially appreciate the real world case studies of success and failure. First published in 2001 and updated in 2008.
Security Metrics: Replacing Fear, Uncertainty, and Doubt
By Andrew Jaquith. It is what it says: a book about how to quantify, classify and measure information security operations in modern enterprise environments. But, as Rick Howard points out in his review, it will also help you unshackle yourself from the chains of probabilistic risk assessments. It will turn you away from the dark side and toward a more meaningful process to assess your enterprise's security. Named one of the Top 20 in Rick Howard's Cyber Canon.
Spam Nation: The Inside Story of Organized Cybercrime from Global Epidemic to Your Front Door
By Brian Krebs. An entertaining and detailed look at the seamy world of organized cybercrime. Krebs focuses on the period between 2007-2013: the rise of the Russians, the development of the spam ecosystem and the proliferation of botnet engines, fast-flux obfuscation and underground forums. Read Rick Howard's review.
Where Wizards Stay Up Late
By Katie Hafner and Matthew Lyon. One for the history buffs. Hafner and Lyon's chronicle of the origins of the Internet includes interviews with some of the brilliant and eccentric minds responsible. If you don't know the story about ARPANET and other post-WWII projects, you should. Named one of the Top 20 in Rick Howard's Cyber Canon. Read Bob Clark's review.
Useful Websites
UTPA Center of Excellence in STEM Education
The U.S. Department of Defense awarded the University of Texas Pan American $3.7 million to establish the Center of Excellence in STEM Education. The Center focuses on challenge-based instruction, and has excellent resources for students of all ages. For example, they hold a STEM summer camp, award scholarships, hold pre-college programs for young adults, and much more.
CERIAS: Tools and Resources
You'll find a variety of helpful resources on Purdue's Center for Education and Research in Information Assurance and Security website. These include an online collection of reports and papers, training products, an FTP archive and the Cassandra Vulnerability Tracking System.
CVE: Common Vulnerabilities and Exposures
CVE is a widely used dictionary of common identifiers for publicly known information security vulnerabilities and exposures. MITRE Corporation handles the system, with funding from the office of Cybersecurity and Communications at the U.S. Department of Homeland Security.
g education and collaboration for the prevention and investigation of high tech crimes.
ISF: Information Security Forum
Headquartered in London, ISF is a global non-profit organization focused on investigating, clarifying and resolving key issues in information security and risk management.
ISSA: Information Systems Security Association
ISSA is an international non-profit organization of IT security professionals and practitioners. It provides educational forums, publications and a wide variety of networking opportunities.
NICCS: National Initiative for Cybersecurity Careers and Studies
Run under the auspices of the DHS's Office of Cybersecurity and Communications, NICCS is a useful one-stop-shop for info on cyber security careers and study. It has extensive listings of scholarship and internship opportunities, training options, competitions and much, much more.
NSI: National Security Institute
Founded in 1985, the NSI was created to protect some of the nation's most sensitive technology and business secrets. It is now the leading organization dedicated to assisting cleared defense contractors in understanding threats to national security.
NW3C: National White Collar Crime Center
NW3C is a non-profit U.S. organization committed to supporting the efforts of state and local law enforcement to prevent, investigate and prosecute economic and high-tech crime.
OWASP: Open Web Application Security Project
OWASP is a global not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible and inform individuals and organizations about software security risks.
SANS
The SANS Institute was established in 1989 as a cooperative research and education organization for IT security professionals. It provides information security training and security certification, maintains a free library of research documents and operates the Internet Storm Center.
Training
Damn Vulnerable Web Application (DVWA)
DVWA is a PHP/MySQL web application that is, you guessed it, vulnerable. It's designed as a teaching aid for security professionals, web developers and educators.
HackThisSite (HTS)
HTS is an online hacking and security website with a user base of over 1.8 million. Here you can tackle basic and advanced hacking challenges in a legal environment.
Metasploitable
This virtual machine is an intentionally vulnerable version of Ubuntu Linux designed to be hacked by Metasploit and other hacking tools.
Mutillidae
Mutillidae is a free, open source web application that you can use to pen-test and hack a vulnerable web app.
NATAS
Created by OverTheWire, NATAS is a wargame intended to teach the basics of server-side web security.
National Institute of Building Sciences
The National Institute of Building Sciences offers monthly cybersecurity workshops for building owners and managers. Current workshops include Introduction to Cybersecuring Building Control Systems and Advanced Cybersecuring Building Control Systems.
SlaveHack
SlaveHack is a virtual hack simulation game. Defend your virtual PC against intruders while trying to hack as many other players and webservers as possible.
Local Security Groups
AFCEA Chapters
Hosted by Digital Bond, S4 addresses advanced ICS security topics. It's a technical event geared towards thought-leaders in the ICS security community.
Secure 360
The banner child for the Midwest, Secure 360 is an educational conference for the information risk management and security industry. It is held annually in St. Paul, Minnesota.
SecureWorld Expo
Held in New England, SecureWorld Expo is an annual conference providing globally relevant education, training and networking for cyber security professionals.
ShmooCon
Based on the East Coast, ShmooCon is a popular hacker convention organized by a non-profit security think tank. It annually attracts 1000+ attendees interested in computer security and cryptography.
SIN: International Conference on Security of Information and Networks
Founded in 2007, SIN Conf is a well-respected international forum for the presentation of research and applications of security in information and networks.
SOURCE Conference
Hosted in Boston, Dublin and Seattle, this annual computer security conference attracts technology security experts, analysts, hackers, educators and business professionals.
Swiss Cyber Storm
Held annually in Lucerne, Swiss Cyber Storm is an international IT security conference attended by researchers from around the world.
Thotcon
Chicago's single-day hacking conference is held at a different top secret location every year. There are talks, workshops and live mixed hacker music.
TROOPERS IT Security Conference
TROOPERS is an IT security conference held annually in Germany. Leading IT security experts and professionals present their latest research and findings.
U.S. Cyber Crime Conference
Owned and produced by eventPower, the annual U.S. Cyber Crime Conference is intended to provide hands-on digital forensics training and a networking forum for cyber professionals.
USENIX Security Symposium
The Advanced Computing Systems Association hosts this popular annual event in a variety of U.S. and Canadian cities. Researchers, practitioners, system administrators, system programmers and others interested in the latest advances in the security and privacy of computer systems and networks are invited to attend.
VB: Virus Bulletin Conference
Sponsored by the publication Virus Bulletin, the VB conference has been in operation since 1990. The program caters for both technical and corporate audiences, covering a wide range of security-related subjects.
Stanford University - Computer Security
In this class you will learn how to design secure systems and write secure code. You will learn how to find vulnerabilities in code and how to design software systems that limit the impact of security vulnerabilities. We will focus on principles for building secure systems and give many real world examples.
Stanford University - Cryptography I
This course explains the inner workings of cryptographic primitives and how to correctly use them. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with a detailed discussion of how two parties who have a shared secret key can communicate securely when a powerful adversary eavesdrops and tampers with traffic. We will examine many deployed protocols and analyze mistakes in existing systems. The second half of the course discusses public-key techniques that let two or more parties generate a shared secret key. We will cover the relevant number theory and discuss public-key encryption and basic key-exchange. Throughout the course students will be exposed to many exciting open problems in the field.
Stanford University - Cryptography II
This course is a continuation of Crypto I and explains the inner workings of public-key systems and cryptographic protocols. Students will learn how to reason about the security of cryptographic constructions and how to apply this knowledge to real-world applications. The course begins with constructions for digital signatures and their applications. We will then discuss protocols for user authentication and zero-knowledge protocols. Next we will turn to privacy applications of cryptography supporting anonymous credentials and private database lookup. We will conclude with more advanced topics including multi-party computation and elliptic curve cryptography.
University of Maryland - Usable Security
This course focuses on how to design and build secure systems with a human-centric focus. We will look at basic principles of human-computer interaction, and apply these insights to the design of secure systems with the goal of developing security measures that respect human performance and their goals within a system.
University of Maryland - Software Security
In this course we will explore the foundations of software security. We will consider important software vulnerabilities and attacks that exploit them -- such as buffer overflows, SQL injection, and session hijacking -- and we will consider defenses that prevent or mitigate these attacks, including advanced testing and program analysis techniques. Importantly, we take a "build security in" mentality, considering techniques at each phase of the development cycle that can be used to strengthen the security of software systems.
University of Maryland - Cryptography
This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications. We will learn the importance of carefully defining security; of relying on a set of well-studied "hardness assumptions" (e.g., the hardness of factoring large numbers); and of the possibility of proving security of complicated constructions based on low-level primitives. We will not only cover these ideas in theory, but will also explore their real-world impact. You will learn about cryptographic primitives in wide use today, and see how these can be combined to develop modern protocols for secure communication.
University of Maryland - Hardware Security
This course will introduce you to the foundations of modern cryptography, with an eye toward practical applications. We will learn the importance of carefully defining security; of relying on a set of well-studied hardness assumptions (e.g., the hardness of factoring large numbers); and of the possibility of proving security of complicated constructions based on low-level primitives. We will not only cover these ideas in theory, but will also explore their real-world impact. You will learn about cryptographic primitives in wide use today, and see how these can be combined to develop modern protocols for secure communication.
Cybrary - Online Cyber Security Training
Cyber Security jobs are growing three times faster than information technology jobs. However, this rapidly growing and very exciting industry lacks the number of skilled professionals required to handle the jobs. Some common jobs within Cyber Security include information assurance, security analyst, penetration tester, malware analyst/reverse engineering and Intel. With these types of opportunities available, aspiring or growing Cyber Security professionals should focus on continually increasing their skill set, because the Cyber Security industry never rests, it is continually changing. However, traditionally, Cyber Security classes are the most expensive training classes. As you know, that barrier to entry has been removed.
CompTIA Security+
In this class you will gain a stable foundation of Cyber Security and Information Assurance as well as prepare for the security industry's most sought after entry level certification.
Cryptography
Learn how to secure data communications through the use of cryptographic messaging and practices.
Ethical Hacking and Penetration Testing
Learn the fundamentals of hacking and penetration testing. Think like a hacker, so that you can stop them from intruding into your systems. This class will help prepare you for the industry's most sought after certification, EC-Council's CEH.
Computer and Hacking Forensics
In order to catch cyber criminals, you have to learn how to retrace their steps and correctly acquire and document the evidence. Also prepare for the industry-leading CHFI certification from the EC-Council.
CompTIA Advanced Security Practitioner (CASP)
This advanced certification covers deep topics that span across both Cyber Security as well as Information Assurance.
ISACA Certified Information Systems Auditor (CISA)
Become an expert in information systems auditing and controlling with this leadi
ng auditor certification from ISACA.
Certified Information Systems Security Professional (CISSP)
The leading certification for Information Assurance management personnel. This c
ourse is both very deep, and very broad. Be ready to study hard!
Post Exploitation
Learn what to do to maintain your presence and to gather intelligence after you
have exploited the target system.
Social Engineering and Manipulation
Take a look inside the form, function and flow of a highly skilled social engine
ering cyber-attack. Learn to protect the human element.
Python for Security Professionals
Learn the commands and functions that every aspiring cyber security professional
must know from Python. This isn t a full programming course, but rather a cours
e designed for non-coders who are developing their career in security.
Metasploit
An in-depth look inside the Metasploit Framework intended to show you how to use
it to its full potential.
Malware Analysis and Reverse Engineering
An introduction to reverse engineering malware. This class is for experienced Cy
ber Security professionals, generally at least two to three years in the field i
s preferred.
Advanced Penetration Testing by Georgia Weidman
This class is for advanced Cyber Security professionals. You will learn in depth
, hands-on, advanced hacking techniques to help you target and penetrate almost
any highly secured environment.
SANS Cyber Aces
SANS Cyber Aces Online makes available, free and online, selected courses from the professional development curriculum offered by The SANS Institute, the global leader in cyber security training. SANS' goal in making these courses available as open courseware is to help grow the talent pool and accelerate the rate at which skilled cyber professionals can enter the information security industry, filling mission-critical jobs currently going unfilled.
SANS Cyber Aces Online Courses
SANS Cyber Aces Online Tutorials
Open Security Training
Android Forensics & Security Testing
This course will cover the most common issues facing mobile devices, and general tips for securing mobile applications. Upon completion of the general mobile security overview, the course will delve into a proven practice in Mobile Device Forensics and Mobile Application Penetration Testing for Android devices. Over the two-day course, students will get hands-on time with open-source and commercial forensics tools, set up and explore reverse engineering development environments, and experience the process that professional mobile security engineers have successfully applied to several projects. Areas covered include identifying application vulnerabilities, code analysis, memory and file system analysis, and insecure storage of sensitive data.
Certified Information Systems Security Professional (CISSP) Common Body of Knowledge (CBK) Review
The CISSP CBK Review course is uniquely designed for federal agency information assurance (IA) professionals in meeting NSTISSI-4011, National Training Standard for Information Systems Security Professionals, as required by DoD 8570.01-M, Information Assurance Workforce Improvement Program.
Flow Analysis & Network Hunting
This course focuses on network analysis and hunting of malicious activity from a security operations center perspective. We will dive into the strengths of netflow, the operational limitations of netflow, recommended sensor placement, netflow tools, visualization of network data, analytic tradecraft for network situational awareness and network hunting scenarios.
Hacking Techniques and Intrusion Detection
This course covers the most common methods used in computer and network hacking with the intention of learning how to better protect systems from such intrusions. These methods include reconnaissance techniques, system scanning, accessing systems by network and application level attacks, and denial of service attacks. During the course students will complete many hands-on exercises.
Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.
Introductory Intel x86-64: Architecture, Assembly, Applications, & Alliteration
Intel processors have been a major force in personal computing for more than 30 years. An understanding of low level computing mechanisms used in Intel chips as taught in this course serves as a foundation upon which to better understand other hardware, as well as many technical specialties such as reverse engineering, compiler design, operating system design, code optimization, and vulnerability exploitation.
Introduction to ARM
ARM processors are becoming ubiquitous in mobile devices today, with RISC processors making a comeback for their applications in low power computing environments. With major operating systems choosing to run on these processors, including the latest Windows RT, iOS and Android, understanding the low level operations of these processors can serve to better understand, optimize and debug software stacks running on them. This class builds on the Intro to x86 class and tries to provide parallels and differences between the two processor architectures wherever possible while focusing on the ARM instruction set, some of the ARM processor features, and how software works and runs on the ARM processor.
Introduction to Cellular Security
This course is intended to demonstrate the core concepts of cellular network security. Although the course discusses GSM, UMTS, and LTE, it is heavily focused on LTE. The course first introduces important cellular concepts and then follows the evolution of GSM to LTE.
Introduction to Network Forensics
This is a mainly lecture-based class giving an introduction to common network monitoring and forensic techniques. This class is meant to be accompanied by lab exercises to demonstrate certain tools and technologies, but the lab exercises are not absolutely necessary to convey the operating concepts.
Introduction to Secure Coding
The purpose of this course is to provide developers with a short, focused primer related to secure coding. The hope is that each developer will leave the course with a better understanding of how they can improve, from a security perspective, the code that they write. This course provides a look at some of the most prevalent security related coding mistakes made in industry today. Each type of issue is explained in depth, including how a malicious user may attack the code, and strategies for avoiding the issues are then reviewed. Knowledge of at least one programming language is required, although the specific programming language is not important as the concepts that will be discussed are language independent. The course will cover many of the weaknesses within the context of a web application, but most of the concepts will apply to all application development.
Introduction to Vulnerability Assessment
This is a lecture and lab based class giving an introduction to vulnerability assessment of some common computing technologies. Instructor-led lab exercises are used to demonstrate specific tools and technologies.
Introduction to Trusted Computing
This course is an introduction to the fundamental technologies behind Trusted Computing. You will learn what Trusted Platform Modules (TPMs) are and what capabilities they can provide both at an in-depth technical level and in an enterprise context. You will also learn about how other technologies such as the Dynamic Root of Trust for Measurement (DRTM) and virtualization can both take advantage of TPMs and be used to enhance the TPM's capabilities. We will cover major use cases for trusted computing, including machine authentication, data protection, and attestation. This course will also introduce you to the various software resources that exist today to support TPMs, give a high-level overview of related research and development projects, and briefly discuss other trusted computing standards such as Trusted Network Connect which may be relevant to enterprise deployment of TPMs and trusted computing.
Offensive, Defensive, and Forensic Techniques for Determining Web User Identity
This course looks at web users from a few different perspectives. First, we look at identifying techniques to determine web user identities from a server perspective. Second, we will look at obfuscating techniques from a user who seeks to be anonymous. Finally, we look at forensic techniques which, given a hard drive or similar media, identify the users who accessed that server.
Pcap Analysis & Network Hunting
Introduction to Packet Capture (PCAP) explains the fundamentals of how, where, and why to capture network traffic and what to do with it. This class covers open-source tools like tcpdump, Wireshark, and ChopShop in several lab exercises that reinforce the material. Some of the topics include capturing packets with tcpdump, mining DNS resolutions using only command-line tools, and busting obfuscated protocols. This class will prepare students to tackle common problems and help them begin developing the skills to handle more advanced networking challenges.
Malware Dynamic Analysis
This introductory malware dynamic analysis class is dedicated to people who are starting to work on malware analysis or who want to know what kinds of artifacts left by malware can be detected via various tools. The class will be a hands-on class where students can use various tools to look for how malware is: Persisting, Communicating, and Hiding. We will achieve the items above by first learning the individual techniques sandboxes utilize. We will show how to capture and record registry, file, network, mutex, API, installation, hooking and other activity undertaken by the malware. We will create fake network responses to deceive malware so that it shows more behavior. We will also talk about how using MITRE's Malware Attribute Enumeration & Characterization (MAEC - pronounced "Mike") standard can help normalize the data obtained manually or from sandboxes, and improve junior malware analysts' reports. The class will additionally discuss how to take malware attributes and turn them into useful detection signatures such as Snort network IDS rules, or YARA signatures.
Secure Code Review
This course is designed to help developers bring a secure coding mindset into typical project peer reviews. The course briefly talks about the development lifecycle and the importance of peer reviews in delivering a quality product. How to perform this review is discussed, and how to keep secure coding a priority during the review is stressed. A variety of hands-on exercises will address common coding mistakes, what to focus on during a review, and how to manage limited time. Throughout the course, the class will break out into pairs and perform example peer reviews on sample code. Perl will be used for the hands-on exercises; however, every attempt will be made to generalize the code such that anyone with an understanding of a coding language will be comfortable.
Smart Cards
This course shows how smart cards are different compared to other types of cards. It is explained how smart cards can be used to realize confidentiality and integrity of information. Insight is given into the structure and operation of a smart card, the functionality of a smart card operating system and commonly used security mechanisms. In addition, an overview is given of developments in the field of chips (8, 16 and 32 bit architectures, co-processors), operating systems, virtual machines (Java Card, MULTOS), compatibility (PC/SC, Open Card, EMV), security evaluation (ITSEC, Common Criteria) and physical and logical attack methods (probing, SEM, FIB, DFA, DPA). Biometric identification and authentication using smart cards is dealt with, along with a summary of developments and (im)possibilities.
The Life of Binaries
Along the way we discuss the relevance of security at different stages of a binary's life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way in which malware "packers" duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
Understanding Cryptology: Core Concepts
This is an introduction to cryptology with a focus on applied cryptology. It was designed to be accessible to a wide audience, and therefore does not include a rigorous mathematical foundation (this will be covered in later classes).
Understanding Cryptology: Cryptanalysis
A class for those who want to stop learning about building cryptographic systems and want to attack them. This course is a mixture of lecture designed to introduce students to a variety of code-breaking techniques and Python labs to solidify those concepts. Unlike its sister class, Core Concepts, math is necessary for this topic. Don't have a math degree? A basic understanding of algebra is sufficient; the mathematical principles that are necessary for understanding are included in the lecture. Knowledge of programming is also necessary, and knowledge of Python is very helpful.
Introduction to Software Exploits (Exploits 1)
Software vulnerabilities are flaws in program logic that can be leveraged by an attacker to execute arbitrary code on a target system. This class will cover both the identification of software vulnerabilities and the techniques attackers use to exploit them. In addition, current techniques that attempt to remediate the threat of software vulnerability exploitation will be discussed.
Exploits 2: Exploitation in the Windows Environment
This course covers the exploitation of stack corruption vulnerabilities in the Windows environment. Stack overflows are programming flaws that oftentimes allow an attacker to execute arbitrary code in the context of a vulnerable program. There are many nuances involved with exploiting these vulnerabilities in Windows. Windows' exploit mitigations such as DEP, ASLR, SafeSEH, and SEHOP make leveraging these programming bugs more difficult, but not impossible. The course highlights the features and weaknesses of many of the exploit mitigation techniques deployed in Windows operating systems. Also covered are labs that describe the process of finding bugs in Windows applications with mutation based fuzzing, and then developing exploits that target those bugs.
Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
Building upon the Introductory Intel x86 class, this class goes into more depth on topics already learned, and introduces more advanced topics that dive deeper into how Intel-based systems work. Example applications include showing how hardware and memory mechanisms are used for software exploits, anti-debug techniques, rootkit hiding, and direct hardware access for keystroke logging.
Advanced x86: Virtualization with Intel VT-x
The purpose of this course is to provide a hands-on introduction to Intel hardware support for virtualization. The first part will motivate the challenges of virtualization in the absence of dedicated hardware. This is followed by a deep dive on the Intel virtualization "API" and labs to begin implementing a blue pill / hyperjacking attack made famous by researchers like Joanna Rutkowska and Dino Dai Zovi et al. Finally, virtualization detection techniques are discussed.
Introduction to Reverse Engineering Software
Throughout the history of invention, curious minds have sought to understand the inner workings of their gadgets. Whether investigating a broken watch, or improving an engine, these people have broken down their goods into their elemental parts to understand how they work. This is Reverse Engineering (RE), and it is done every day, from recreating outdated and incompatible software, to understanding malicious code, to exploiting weaknesses in software.
Reverse Engineering Malware
This class picks up where the Introduction to Reverse Engineering Software course left off, exploring how static reverse engineering techniques can be used to understand what a piece of malware does and how it can be removed.
Rootkits: What they are, and how to find them
Rootkits are a class of malware which are dedicated to hiding the attacker's presence on a compromised system. This class will focus on understanding how rootkits work, and what tools can be used to help find them. This will be a very hands-on class where we talk about specific techniques which rootkits use, and then do labs where we show how a proof of concept rootkit is able to hide things from a defender.
The Adventures of a Keystroke: An in-depth look into keylogging on Windows
Windows is designed to be compatible with a lot of devices, which is why there are a lot of layers in the keystroke handling. The more layers a system has, the more probable it is that it could be compromised by bad guys. There are more than 30 methods for capturing keystrokes from a Windows PC. Methods vary from simple user mode techniques to advanced ones such as IRP hooking. The class currently covers most of the user mode and kernel mode techniques, including the undocumented ones which are not described anywhere else, but there are still techniques which are not covered in the class, such as Raw Input Devices. As for the hardware, we only cover PS/2 keyboards for the moment, but documenting USB keyboards is one of the planned topics for the near future.
Academic Courses
Florida State University - Offensive Computer Security
The primary incentive for an attacker to exploit a vulnerability, or series of vulnerabilities, is to achieve a return on an investment (his/her time usually). This return need not be strictly monetary; an attacker may be interested in obtaining access to data, identities, or some other commodity that is valuable to them. The field of penetration testing involves authorized auditing and exploitation of systems to assess actual system security in order to protect against attackers. This requires thorough knowledge of vulnerabilities and how to exploit them. Thus, this course provides an introductory but comprehensive coverage of the fundamental methodologies, skills, legal issues, and tools used in white hat penetration testing and secure system administration.
Offensive Computer Security - Spring 2014
Offensive Computer Security - Spring 2013
Florida State University - Offensive Network Security
This class allows students to look deep into known protocols (i.e. IP, TCP, UDP) to see how an attacker can utilize these protocols to their advantage and how to spot issues in a network via captured network traffic. The first half of this course focuses on known protocols while the second half of the class focuses on reverse engineering unknown protocols. This class will utilize captured traffic to allow students to reverse the protocol by using known techniques such as incorporating bioinformatics introduced by Marshall Beddoe. This class will also cover
Learn how to analyze malware, including computer viruses, trojans, and rootkits, using disassemblers, debuggers, and static and dynamic analysis, with IDA Pro, OllyDbg and other tools.
CNIT 127 - Exploit Development
Learn how to find vulnerabilities and exploit them to gain control of target systems, including Linux, Windows, Mac, and Cisco. This class covers how to write tools, not just how to use them; essential skills for advanced penetration testers and software security professionals.
CNIT 128 - Hacking Mobile Devices
Mobile devices such as smartphones and tablets are now used for making purchases, emails, social networking, and many other risky activities. These devices run specialized operating systems that have many security problems. This class will cover how mobile operating systems and apps work, how to find and exploit vulnerabilities in them, and how to defend them. Topics will include phone call, voicemail, and SMS intrusion, jailbreaking, rooting, NFC attacks, malware, browser exploitation, and application vulnerabilities. Hands-on projects will include as many of these activities as are practical and legal.
Violent Python and Exploit Development
In the exploit development section, students will take over vulnerable systems with simple Python scripts.
Laboratories
Pentester Lab
There is only one way to properly learn web penetration testing: by getting your hands dirty. We teach how to manually find and exploit vulnerabilities. You will understand the root cause of the problems and the methods that can be used to exploit them. Our exercises are based on common vulnerabilities found in different systems. The issues are not emulated. We provide you real systems with real vulnerabilities.
From SQL Injection to Shell
This exercise explains how you can, from a SQL injection, gain access to the administration console. Then in the administration console, how you can run commands on the system.
From SQL Injection to Shell: PostgreSQL edition
This exercise explains how you can, from a SQL injection, gain access to the administration console. Then in the administration console, how you can run commands on the system.
From SQL Injection to Shell II
This exercise explains how you can, from a blind SQL injection, gain access to the administration console. Then in the administration console, how you can run commands on the system.
Web for Pentester
This exercise is a set of the most common web vulnerabilities.
Web for Pentester II
This exercise is a set of the most common web vulnerabilities.
PHP Include And Post Exploitation
This exercise describes the exploitation of a local file include with limited access. Once code execution is gained, you will see some post exploitation tricks.
Linux Host Review
This exercise explains how to perform a Linux host review: what you can check in the configuration of a Linux server, and how, to ensure it is securely configured. The reviewed system is a traditional Linux-Apache-MySQL-PHP (LAMP) server used to host a blog.
Electronic Code Book
This exercise explains how you can tamper with an encrypted cookie to access another user's account.
Rack Cookies and Command Injection
After a short brute force introduction, this exercise explains the tampering of a Rack cookie and how you can even manage to modify a signed cookie (if the secret is trivial). Using this issue, you will be able to escalate your privileges and gain command execution.
Online Resources
Penetration Testing Resources
Metasploit Unleashed - Free Offensive Security metasploit course
PTES - Penetration Testing Execution Standard
OWASP - Open Web Application Security Project
Exploit development
Shellcode Tutorial - Tutorial on how to write shellcode
Shellcode Examples - Shellcodes database
Exploit Writing Tutorials - Tutorials on how to develop exploits
GDB-peda - Python Exploit Development Assistance for GDB
shellsploit - New Generation Exploit Development Kit
Social Engineering Resources
Social Engineering Framework - An information resource for social engineers
Lock Picking Resources
Schuyler Towne channel - Lockpicking videos and security talks
/r/lockpicking - Resources for learning lockpicking, equipment recommendations.
Tools
Penetration Testing Distributions
Kali - A Linux distribution designed for digital forensics and penetration testing
BlackArch - Arch Linux-based distribution for penetration testers and security researchers
NST - Network Security Toolkit distribution
Pentoo - security-focused livecd based on Gentoo
BackBox - Ubuntu-based distribution for penetration tests and security assessments
Basic Penetration Testing Tools
Metasploit Framework - World's most used penetration testing software
Burp Suite - An integrated platform for performing security testing of web applications
ExploitPack - Graphical tool for penetration testing with a bunch of exploits
BeeF - The Browser Exploitation Framework Project
faraday - Collaborative Penetration Test and Vulnerability Management Platform
evilgrade - The update exploitation framework
commix - Automated All-in-One OS Command Injection and Exploitation Tool
Vulnerability Scanners
Netsparker - Web Application Security Scanner
Nexpose - Vulnerability Management & Risk Management Software
Nessus - Vulnerability, configuration, and compliance assessment
Nikto - Web application vulnerability scanner
OpenVAS - Open Source vulnerability scanner and manager
OWASP Zed Attack Proxy - Penetration testing tool for web applications
Secapps - Integrated web application security testing environment
w3af - Web application attack and audit framework
Wapiti - Web application vulnerability scanner
WebReaver - Web application vulnerability scanner for Mac OS X
DVCS Ripper - Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR
arachni - Web Application Security Scanner Framework
Network Tools
nmap - Free Security Scanner For Network Exploration & Security Audits
pig - A Linux packet crafting tool
tcpdump/libpcap - A common packet analyzer that runs under the command line
Wireshark - A network protocol analyzer for Unix and Windows
Network Tools - Different network tools: ping, lookup, whois, etc
netsniff-ng - A Swiss army knife for network sniffing
Intercepter-NG - a multifunctional network toolkit
SPARTA - Network Infrastructure Penetration Testing Tool
DNSDumpster - Online DNS recon and search service
Mass Scan - TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
Zarp - Zarp is a network attack tool centered around the exploitation of local networks
mitmproxy - An interactive SSL-capable intercepting HTTP proxy for penetration testers and software developers
mallory - HTTP/HTTPS proxy over SSH
DET - DET is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time
pwnat - punches holes in firewalls and NATs
dsniff - a collection of tools for network auditing and pentesting
tgcd - a simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls
Wireless Network Tools
Aircrack-ng - a set of tools for auditing wireless networks
Kismet - Wireless network detector, sniffer, and IDS
Reaver - Brute force attack against Wifi Protected Setup
Wifite - Automated wireless attack tool
wifiphisher - Automated phishing attacks against Wi-Fi networks
SSL Analysis Tools
SSLyze - SSL configuration scanner
sslstrip - a demonstration of the HTTPS stripping attacks
sslstrip2 - SSLStrip version to defeat HSTS
Web exploitation
WPScan - Black box WordPress vulnerability scanner
SQLmap - Automatic SQL injection and database takeover tool
weevely3 - Weaponized web shell
Wappalyzer - Wappalyzer uncovers the technologies used on websites
cms-explorer - CMS Explorer is designed to reveal the specific modules, plugins, components and themes that various CMS driven web sites are running.
joomscan - Joomla CMS scanner
WhatWeb - Website Fingerprinter
BlindElephant - Web Application Fingerprinter
Hex Editors
HexEdit.js - Browser-based hex editing
Hexinator (commercial) - World's finest Hex Editor
Crackers
John the Ripper - Fast password cracker
Online MD5 cracker - Online MD5 hash Cracker
Hashcat - A very fast hash cracker
Windows Utils
Sysinternals Suite - The Sysinternals Troubleshooting Utilities
Windows Credentials Editor - security tool to list logon sessions and add, change, list and delete associated credentials
mimikatz - Credentials extraction tool for Windows OS
PowerSploit - A PowerShell Post-Exploitation Framework
Windows Exploit Suggester - Detects potential missing patches on the target
Responder - A LLMNR, NBT-NS and MDNS poisoner
Empire - Empire is a pure PowerShell post-exploitation agent
Linux Utils
Linux Exploit Suggester - Linux Exploit Suggester; based on operating system release number.
DDoS Tools
Android
Books and ebooks
SEI CERT Android Secure Coding Standard (2015)
Released: February 24, 2015
A community-maintained Wiki detailing secure coding standards for Android development.
C
Books and ebooks
SEI CERT C Coding Standard (2006)
Released: May 24, 2006
A community-maintained Wiki detailing secure coding standards for C programming.
Defensive Coding: A Guide to Improving Software Security by the Fedora Security Team (2016)
Released: April 9, 2016
Provides guidelines for improving software security through secure coding. Covers common programming languages and libraries, and focuses on concrete recommendations.
C++
Books and ebooks
SEI CERT C++ Coding Standard (2006)
Released: July 18, 2006
A community-maintained Wiki detailing secure coding standards for C++ programming.
C Sharp
Books and ebooks
Security Driven .NET (2015)
Released: July 14, 2015
An introduction to developing secure applications targeting version 4.5 of the .NET Framework, specifically covering cryptography and security engineering topics.
Java
Books and ebooks
SEI CERT Java Coding Standard (2007)
Released: January 12, 2007
A community-maintained Wiki detailing secure coding standards for Java programming.
Secure Coding Guidelines for Java SE (2014)
Released: April 2, 2014
Secure Java programming guidelines straight from Oracle.
Node.js
Articles
Node.js Security Checklist - Rising Stack Blog (2015)
Released: October 13, 2015
Covers a lot of useful information for developing secure Node.js applications.
Training
Security Training by ^Lift Security
Learn from the team that spearheaded the Node Security Project
PHP
Articles
It's All About Time (2014)
Released: November 28, 2014
A gentle introduction to timing attacks in PHP applications
Secure Authentication in PHP with Long-Term Persistence (2015)
Released: April 21, 2015
Discusses password policies, password storage, "remember me" cookies, and account recovery.
20 Point List For Preventing Cross-Site Scripting In PHP (2013)
Released: April 22, 2013
Pádraic Brady's advice on building software that isn't vulnerable to XSS
Mailing lists
Securing PHP Weekly
A weekly newsletter about PHP, security, and the community.
Perl
Books and ebooks
SEI CERT Perl Coding Standard (2011)
Released: January 10, 2011
A community-maintained Wiki detailing secure coding standards for Perl programming.
Python
Books and ebooks
Python chapter of Fedora Defensive Coding Guide
Lists standard library features that should be avoided, and references sections of other chapters that are Python-specific.
Violent Python
Violent Python shows you how to move from a theoretical understanding of offensive computing concepts to a practical implementation.
Websites
OWASP Python Security Wiki (2014)
Released: June 21, 2014
A wiki maintained by the OWASP Python Security project.
Ruby
Books and ebooks
Secure Ruby Development Guide (2014)
Released: March 10, 2014
A guide to secure Ruby development by the Fedora Security Team. Also available on GitHub.
Malware Collection
Anonymizers
Web traffic anonymizers for analysts.
Anonymouse.org - A free, web based anonymizer.
OpenVPN - VPN software and hosting solutions.
Privoxy - An open source proxy server with some privacy features.
Tor - The Onion Router, for browsing the web without leaving traces of the client IP.
Honeypots
Trap and collect your own samples.
Conpot - ICS/SCADA honeypot.
Cowrie - SSH honeypot, based on Kippo.
Dionaea - Honeypot designed to trap malware.
Glastopf - Web application honeypot.
Honeyd - Create a virtual honeynet.
HoneyDrive - Honeypot bundle Linux distro.
Mnemosyne - A normalizer for honeypot data; supports Dionaea.
Thug - Low interaction honeyclient, for investigating malicious websites.
Malware Corpora
Malware samples collected for analysis.
Clean MX - Realtime database of malware and malicious domains.
Contagio - A collection of recent malware samples and analyses.
Exploit Database - Exploit and shellcode samples.
Malshare - Large repository of malware actively scraped from malicious sites.
maltrieve - Retrieve malware samples directly from a number of online sources.
MalwareDB - Malware samples repository.
theZoo - Live malware samples for analysts.
ViruSign - Malware database of samples detected by many anti-malware programs except ClamAV.
VirusShare - Malware repository, registration required.
Zeltser's Sources - A list of malware sample sources put together by Lenny Zeltser.
Zeus Source Code - Source for the Zeus trojan leaked in 2011.
Open Source Threat Intelligence
Tools
Harvest and analyze IOCs.
AbuseHelper - An open-source framework for receiving and redistributing abuse feeds and threat intel.
Combine - Tool to gather Threat Intelligence indicators from publicly available sources.
IntelMQ - A tool for CERTs for processing incident data using a message queue.
IOC Editor - A free editor for XML IOC files.
ioc_writer - Python library for working with OpenIOC objects, from Mandiant.
Massive Octo Spice - Previously known as CIF (Collective Intelligence Framework). Aggregates IOCs from various lists. Curated by the CSIRT Gadgets Foundation.
MISP - Malware Information Sharing Platform curated by The MISP Project.
PassiveTotal - Research, connect, tag and share IPs and domains.
PyIOCe - A Python OpenIOC editor.
threataggregator - Aggregates security threats from a number of sources, including some of those listed below in other resources.
ThreatCrowd - A search engine for threats, with graphical visualization.
ThreatTracker - A Python script to monitor and generate alerts based on IOCs indexed by a set of Google Custom Search Engines.
TIQ-test - Data visualization and statistical analysis of Threat Intelligence feeds.
Other Resources
Threat intelligence and IOC resources.
Autoshun (list) - Snort plugin and blocklist.
CI Army (list) - Network security blocklists.
Critical Stack - Free Intel Market - Free intel aggregator with deduplication featuring 90+ feeds and over 1.2M indicators.
CRDF ThreatCenter - List of new threats detected by CRDF anti-malware.
FireEye IOCs - Indicators of Compromise shared publicly by FireEye.
FireHOL IP Lists - Analytics for 350+ IP lists with a focus on attacks, malware and abuse. Evolution, Changes History, Country Maps, Age of IPs listed, Retention Policy, Overlaps.
hpfeeds - Honeypot feed protocol.
Internet Storm Center (DShield) - Diary and searchable incident database, with a web API (unofficial Python library).
malc0de - Searchable incident database.
Malware Domain List - Search and share malicious URLs.
OpenIOC - Framework for sharing threat intelligence.
Palevo Blocklists - Botnet C&C blocklists.
Proofpoint Threat Intelligence (formerly Emerging Threats) - Rulesets and more.
STIX - Structured Threat Information eXpression - Standardized language to represent and share cyber threat information. Related efforts from MITRE:
CAPEC - Common Attack Pattern Enumeration and Classification
CybOX - Cyber Observables eXpression
MAEC - Malware Attribute Enumeration and Characterization
TAXII - Trusted Automated eXchange of Indicator Information
threatRECON - Search for indicators, up to 1000 free per month.
Yara rules - Yara rules repository.
ZeuS Tracker - ZeuS blocklists.
Detection and Classification
Antivirus and other malware identification tools
AnalyzePE - Wrapper for a variety of tools for reporting on Windows PE files.
chkrootkit - Local Linux rootkit detection.
ClamAV - Open source antivirus engine.
ExifTool - Read, write and edit file metadata.
hashdeep - Compute digest hashes with a variety of algorithms.
Glenn @hiddenillusion
jekil @jekil
Jurriaan Bremer @skier_t
Lenny Zeltser @lennyzeltser
Liam Randall @hectaman
Mark Schloesser @repmovsb
Michael Ligh (MHL) @iMHLv2
Open Malware @OpenMalware
Richard Bejtlich @taosecurity
Volatility @volatility
Other
APT Notes - A collection of papers and notes related to Advanced Persistent Threats.
File Formats posters - Nice visualization of commonly used file formats (including PE & ELF).
Honeynet Project - Honeypot tools, papers, and other resources.
Kernel Mode - An active community devoted to malware analysis and kernel development.
Malicious Software - Malware blog and resources by Lenny Zeltser.
Malware Analysis Search - Custom Google search engine from Corey Harrell.
Malware Analysis Tutorials - The Malware Analysis Tutorials by Dr. Xiang Fu are a great resource for learning practical malware analysis.
Malware Samples and Traffic - This blog focuses on network traffic related to malware infections.
RPISEC Malware Analysis - These are the course materials used in the Malware Analysis course at Rensselaer Polytechnic Institute during Fall 2015.
WindowsIR: Malware - Harlan Carvey's page on Malware.
Windows Registry specification - Windows registry file format specification.
/r/csirt_tools - Subreddit for CSIRT tools and resources, with a malware analysis flair.
/r/Malware - The malware subreddit.
/r/ReverseEngineering - Reverse engineering subreddit, not limited to just malware.
Related Awesome Lists
Android Security
AppSec
CTFs
"Hacking"
Honeypots
Incident-Response
Infosec
PCAP Tools
Pentesting
Security
ONLINE ANALYZERS
AndroTotal
CopperDroid
Dexter
Sandroid
Tracedroid
Visual Threat
Mobile Malware Sandbox
MobiSec Eacus
IBM Security AppScan Mobile Analyzer - not free
NVISO ApkScan
AVC UnDroid
FireEye - max 60MB, 15/day
habo - 10/day
VirusTotal - max 128MB
Fraunhofer App-ray - not free
Stowaway
Anubis
Mobile app insight
Mobile-Sandbox
Ijiami
Comdroid
Android Sandbox
Foresafe
STATIC ANALYSIS TOOLS
Androwarn - detect and warn the user about potential malicious behaviours developed by an Android application.
ApkAnalyser
APKInspector
Droid Intent Data Flow Analysis for Information Leakage
Several tools from PSU
Smali CFG generator
FlowDroid
Android Decompiler not free
PSCout - A tool that extracts the permission specification from the Android OS source code using static analysis
Amandroid
SmaliSCA - Smali Static Code Analysis
CFGScanDroid - Scans and compares CFG against CFG of malicious applications
Madrolyzer - extracts actionable data like C&C, phone number etc.
SPARTA - verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid - Performs a combination of symbolic + concrete execution of the app
APP VULNERABILITY SCANNERS
QARK - QARK by LinkedIn is for app developers to scan app for security issues
AndroBugs
DYNAMIC ANALYSIS TOOLS
Android DBI framework
Android Malware Analysis Toolkit - (Linux distro) Earlier it used to be an online analyzer
AppUse custom build for pentesting
Cobradroid custom image for malware analysis
ViaLab Community Edition
Droidbox
Mercury
Drozer
Taintdroid - requires AOSP compilation
Xposed - equivalent of doing Stub based code injection but without any modifications to the binary
Android Hooker - API Hooking of java methods triggered by any Android application (requires the Substrate Framework)
Android tamer - custom image
Droidscope - custom image for dynamic analysis
CuckooDroid - Android extension for Cuckoo sandbox
Mem - Memory analysis of Android (root required)
Crowdroid - unable to find the actual tool
AuditdAndroid - Android port of auditd, not under active development anymore
Android Security Evaluation Framework - not under active development anymore
Android Reverse Engineering (ARE) - not under active development anymore
Aurasium - Practical security policy enforcement for Android apps via bytecode rewriting and in-place reference monitor.
Android Linux Kernel modules
Admire
MalGenome - contains 1260 malware samples categorized into 49 different malware families, free for research purposes.
VirusTotal Malware Intelligence Service - powered by VirusTotal, not free
Reading material
Android Security (and Not) Internals
Android security related presentations
A good collection of static analysis papers
MARKET CRAWLERS
Google play crawler (Java)
Google play crawler (Python)
Google play crawler (Node) - get app details and download apps from official Google Play Store.
Aptoide downloader (Node) - download apps from Aptoide third-party Android market
Appland downloader (Node) - download apps from Appland third-party Android market
MISC TOOLS
smalihook
APK-Downloader
AXMLPrinter2 - to convert binary XML files to human-readable XML files
adb autocomplete
Dalvik opcodes
Opcodes table for quick reference
ExploitMe Android Labs - for practice
GoatDroid - for practice
mitmproxy
dockerfile/androguard
Android Vulnerability Test Suite - android-vts scans a device for a set of vulnerabilities
Good Tutorials
Android Reverse Engineering 101 by Daniele Altomare
Create
Tools used for creating CTF challenges
Forensics
Tools used for creating Forensics challenges
Registry Dumper - Dump your registry
Web
Tools used for creating Web challenges
JavaScript Obfuscators
Metasploit JavaScript Obfuscator
Uglify
Solve
Tools used for solving CTF challenges
Attacks
Tools used for performing various kinds of attacks
Bettercap - Framework to perform MITM (Man in the Middle) attacks.
Layer 2 attacks - Attack various protocols on layer 2
Crypto
Tools used for solving Crypto challenges
PkCrack - A tool for breaking PkZip encryption
RSATool - Generate private key with knowledge of p and q
XORTool - A tool to analyze multi-byte XOR ciphers
Bruteforcers
Tools used for various kinds of brute-forcing (passwords etc.)
John The Jumbo - Community enhanced version of John the Ripper
John The Ripper - Password Cracker
Ophcrack - Windows password cracker based on rainbow tables.
Exploits
Tools used for solving Exploits challenges
binjitsu - CTF framework and exploit development library
Metasploit - Penetration testing software
pwntools - CTF Framework for writing exploits
qira - QEMU Interactive Runtime Analyser
ROP Gadget - Framework for ROP exploitation
Forensics
Tools used for solving Forensics challenges
Aircrack-Ng - Crack 802.11 WEP and WPA-PSK keys
apt-get install aircrack-ng
Audacity - Analyze sound files (mp3, m4a, whatever)
apt-get install audacity
bkhive and samdump2 - Dump SYSTEM and SAM files
apt-get install samdump2 bkhive
CFF Explorer - PE Editor
creddump - Dump windows credentials
DVCS Ripper - Rips web accessible (distributed) version control systems
Exif Tool - Read, write and edit file metadata
extundelete - Used for recovering lost data from mountable images
Foremost - Extract particular kind of files using headers
apt-get install foremost
fsck.ext4 - Used to fix corrupt filesystems
Malzilla - Malware hunting tool
NetworkMiner - Network Forensic Analysis Tool
PDF Streams Inflater - Find and extract zlib files compressed in PDF files
ResourcesExtract - Extract various filetypes from exes
Shellbags - Investigate NT_USER.dat files
UsbForensics - Contains many tools for usb forensics
Volatility - To investigate memory dumps
Wireshark - Analyze the network dumps
apt-get install wireshark
Registry Viewers
RegistryViewer - Used to view windows registries
Windows Registry Viewers - More registry viewers
Reversing
Tools used for solving Reversing challenges
Androguard - Reverse engineer Android applications
Apk2Gold - Yet another Android decompiler
ApkTool - Android Decompiler
BinUtils - Collection of binary tools
BinWalk - Analyze, reverse engineer, and extract firmware images.
Boomerang - Decompile x86 binaries to C
GDB - The GNU project debugger
IDA Pro - Most used Reversing software
Jadx - Decompile Android files
Krakatau - Java decompiler and disassembler
radare2 - A portable reversing framework
Uncompyle - Decompile Python 2.7 binaries (.pyc)
WinDbg - Windows debugger distributed by Microsoft
z3 - a theorem prover from Microsoft Research
JavaScript Deobfuscators
Detox - A JavaScript malware analysis tool
Revelo - Analyze obfuscated JavaScript code
SWF Analyzers
RABCDAsm - Collection of utilities including an ActionScript 3 assembler/disassembler.
swftools - Collection of utilities to work with SWF files
xxxswf - A Python script for analyzing Flash files.
Services
Network
Scanning / Pentesting
OpenVAS - OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
Metasploit Framework - A tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
Kali - Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), Wireshark (a packet analyzer), John the Ripper (a password cracker), and Aircrack-ng (a software suite for penetration-testing wireless LANs).
pig - A Linux packet crafting tool.
Pompem - Pompem is an open source tool designed to automate the search for exploits in major databases. Developed in Python, it has an advanced search system, facilitating the work of pentesters and ethical hackers. In its current version it searches the following databases: Exploit-db, 1337day, Packetstorm Security...
Monitoring / Logging
justniffer - Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way; it can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic.
httpry - httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time, displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adapted to different applications.
ngrep - ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
passivedns - A tool to collect DNS records passively to aid incident handling, Network Security Monitoring (NSM) and general digital forensics. PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs the DNS server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in memory, limiting the amount of data in the logfile without losing the essence of the DNS answer.
sagan - Sagan uses a Snort-like engine and rules to analyze logs (syslog/event log/snmptrap/netflow/etc).
OSSEC - OSSEC is an Open Source Host-based Intrusion Detection System that performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows.
ntopng - Ntopng is a network traffic probe that shows the network usage, similar to what the popular top Unix command does.
IDS / IPS / Host IDS / Host IPS
Snort - Snort is a free and open source network intrusion prevention system (NIPS) and network intrusion detection system (NIDS) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest [pieces of] open source software of all time".
Bro - Bro is a powerful network analysis framework that is much different from the typical IDS you may know.
Suricata - Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation.
AutoShun - AutoShun is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other Snort sensors, honeypots, and mail filters from around the world.
DNS-BH - The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting.
AlienVault Open Threat Exchange - AlienVault Open Threat Exchange (OTX), to help you secure your networks from data loss, service disruption and system compromise caused by malicious IP addresses.
Tor Bulk Exit List - CollecTor, your friendly data-collecting service in the Tor network. CollecTor fetches data from various nodes and services in the public Tor network and makes it available to the world. If you're doing research on the Tor network, or if you're developing an application that uses Tor network data, this is your place to start. TOR Node List / DNS Blacklists / Tor Node List
leakedin.com - The primary purpose of leakedin.com is to make visitors aware about the risks of losing data. This blog just compiles samples of data lost or disclosed on sites like pastebin.com.
FireEye OpenIOCs - FireEye Publicly Shared Indicators of Compromise (IOCs)
OpenVAS NVT Feed - The public feed of Network Vulnerability Tests (NVTs). It contains more than 35,000 NVTs (as of April 2014), growing on a daily basis. This feed is configured as the default for OpenVAS.
Project Honey Pot - Project Honey Pot is the first and only distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site. If one of these addresses begins receiving email we not only can tell that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.
virustotal - VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
IntelMQ - IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins and tweets using a message queue protocol. It's a community driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect & process threat intelligence, thus improving the incident handling processes of CERTs. ENISA Homepage.
CIFv2 - CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route).
Web
Organization
OWASP - The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software.
Web Application Firewall
ModSecurity - ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
NAXSI - NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX; NAXSI means Nginx Anti Xss & Sql Injection.
ironbee - IronBee is an open source project to build a universal web application security sensor. IronBee is a framework for developing a system for securing web applications - a framework for building a web application firewall (WAF).
Scanning / Pentesting
sqlmap - sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
ZAP - The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
w3af - w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
Recon-ng - Recon-ng is a full-featured Web Reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework.
PTF - The Penetration Testers Framework (PTF) provides modular support for up-to-date tools.
Big Data
data_hacking - Examples of using IPython, Pandas, and Scikit Learn to get the most out of your security data.
hadoop-pcap - Hadoop library to read packet capture (PCAP) files.
Workbench - A scalable python framework for security research and development teams.
OpenSOC - OpenSOC integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
binarypig - Scalable Binary Data Extraction in Hadoop. Malware Processing and Analytics over Pig, Exploration through Django, Twitter Bootstrap, and Elasticsearch.
Other Awesome Lists
Other Security Awesome Lists
Android Security Awesome - A collection of Android security related resources.
Awesome CTF - A curated list of CTF frameworks, libraries, resources and software.
Awesome Hacking - A curated list of awesome Hacking tutorials, tools and resources.
Awesome Honeypots - An awesome list of honeypot resources.
Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
Awesome PCAP Tools - A collection of tools developed by other researchers in the Computer Science area to process network traces.
Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things.
Awesome Linux Containers - A curated list of awesome Linux Containers frameworks, libraries and software.
Awesome Incident Response - A curated list of resources for incident response.
Awesome Web Hacking - This list is for anyone wishing to learn about web application security but who does not have a starting point.
Other Common Awesome Lists
Other amazingly awesome lists:
awesome-awesomeness - awesome-* or *-awesome lists.
lists - The definitive list of (awesome) lists curated on GitHub.
Honeypots
Database Honeypots
Elastic honey - A Simple Elasticsearch Honeypot
mysql - A mysql honeypot, still very very early stage
NoSQLpot - The NoSQL Honeypot Framework.
ESPot - ElasticSearch Honeypot
Web honeypots
Glastopf - Web Application Honeypot
Honeypot
Single-honeypot
Honeyd For Windows
IMHoneypot
Deception Toolkit
PDF document inspector
peepdf
Distribution system
Thug Distributed Task Queuing
HoneyClient Management
HoneyWeb
Network Analysis
HoneyProxy
Hybrid low/high interaction honeypot
HoneyBrid
Sebek on Xen
xebek
SSH Honeypot
Kojoney
Kojoney2 - low interaction SSH honeypot written in Python. Based on Kojoney by Jose Antonio Coret
Cowrie - Cowrie SSH Honeypot (based on kippo)
sshlowpot - Yet another no-frills low-interaction ssh honeypot in Go.
sshhipot - High-interaction MitM SSH honeypot
DShield docker - Docker container running cowrie with DShield output enabled.
Glastopf data analysis
Glastopf Analytics
Distributed sensor project
DShield Web Honeypot Project
Distributed Web Honeypot Project
A pcap analyzer
Honeysnap
Client Web crawler
HoneySpider Network
Network traffic redirector
Honeywall
Honeypot Distribution with mixed content
HoneyDrive
Honeypot sensor
Dragon Research Group Distro
Honeeepi - Honeeepi is a honeypot sensor on Raspberry Pi which is based on a customized Raspbian OS.
File carving
TestDisk & PhotoRec
File and Network Threat Intelligence
VirusTotal
Data capture
Sebek
SSH proxy
HonSSH
Anti-Cheat
Minecraft honeypot
behavioral analysis tool for win32
Capture BAT
Live CD
DAVIX
Spamtrap
Spampot.py
Spamhole
spamd
Mail::SMTP::Honeypot - perl module that appears to provide the functionality of a standard SMTP server
honeypot - The Project Honey Pot un-official PHP SDK
Commercial honeynet
Specter
Netbait
HONEYPOINT SECURITY SERVER - distributed honeypot, includes IT and SCADA emulators
Server (Bluetooth)
Bluepot
Dynamic analysis of Android apps
Droidbox
Dockerized Low Interaction packaging
Manuka
Dockerized Thug
Dockerpot - A Docker-based honeypot.
Docker honeynet - Several Honeynet tools set up for Docker containers
Network analysis
Quechua
Sebek data visualization
Sebek Dataviz
SIP Server
Artemnesia VoIP
Botnet C2 monitoring
botsnoopd
low interaction
mysqlpot
Malware collection
Honeybow
IOT Honeypot
HoneyThing - TR-069 Honeypot
Active Directory
dcept - A tool for deploying and detecting use of Active Directory honeytokens
Honeyd Tools
Honeyd plugin
Honeycomb
Honeyd viewer
Honeyview
Honeyd to MySQL connector
Honeyd2MySQL
A script to visualize statistics from honeyd
Honeyd-Viz
Honeyd UI
Honeyd configuration GUI - application used to configure the honeyd daemon and generate configuration files
Honeyd stats
Honeydsum.pl
Network and Artifact Analysis
Sandbox
RFISandbox - a PHP 5.x script sandbox built on top of funcall
dorothy2 - A malware/botnet analysis framework written in Ruby
COMODO automated sandbox
Argos - An emulator for capturing zero-day attacks
Sandbox-as-a-Service
malwr.com - free malware analysis service and community
detux.org - Multiplatform Linux Sandbox
Joebox Cloud - analyzes the behavior of malicious files including PEs, PDFs, DOCs, PPTs, XLSs, APKs, URLs and MachOs on Windows, Android and Mac OS X for suspicious activities
Data Tools
Front Ends
Tango - Honeypot Intelligence with Splunk
Django-kippo - Django App for kippo SSH Honeypot
Wordpot-Frontend - a full featured script to visualize statistics from a Wordpot honeypot
Shockpot-Frontend - a full featured script to visualize statistics from a Shockpot honeypot
honeypotDisplay - A flask website which displays data I've gathered with my SSH Honeypot
honeyalarmg2 - Simplified UI for showing honeypot alarms
Visualization
HoneyMap - Real-time websocket stream of GPS events on a fancy SVG world map
HoneyMalt - Maltego transforms for mapping Honeypot systems
Guides
T-Pot: A Multi-Honeypot Platform
Honeypot (Dionaea and kippo) setup script
Linux commands
Bmon: (Bandwidth Monitor) is a tool similar to nload that shows the traffic load over all the network interfaces on the system. The output also consists of a graph and a section with packet level details.
Bwm-ng: (Bandwidth Monitor Next Generation) is another very simple real time network load monitor that reports a summary of the speed at which data is being transferred in and out of all available network interfaces on the system.
CBM: (Color Bandwidth Meter) A tiny little simple bandwidth monitor that displays the traffic volume through network interfaces. No further options, just the traffic stats are displayed and updated in realtime.
Collectl: reports system statistics in a style that is similar to dstat, and like dstat it gathers statistics about various different system resources like cpu, memory, network etc. Over here is a simple example of how to use it to report network usage/bandwidth.
Dstat: is a versatile tool (written in python) that can monitor different system statistics and report them in a batch style mode or log the data to a csv or similar file. This example shows how to use dstat to report network bandwidth.
Ifstat: reports the network bandwidth in a batch style mode. The output is in a format that is easy to log and parse using other programs or utilities.
Iftop: measures the data flowing through individual socket connections, and it works in a manner that is different from Nload. Iftop uses the pcap library to capture the packets moving in and out of the network adapter, and then sums up the size and count to find the total bandwidth under use. Although iftop reports the bandwidth used by individual connections, it cannot report the process name/id involved in the particular socket connection. But being based on the pcap library, iftop is able to filter the traffic and report bandwidth usage over selected host connections as specified by the filter.
Iptraf: is an interactive and colorful IP LAN monitor. It shows individual connections and the amount of data flowing between the hosts.
Jnettop: Jnettop is a traffic visualiser, which captures traffic going through the host it is running from and displays streams sorted by the bandwidth they use.
Nethogs: is a small net top tool that shows the bandwidth used by individual processes and sorts the list putting the most intensive processes on top. In the event of a sudden bandwidth spike, quickly open nethogs and find the process responsible. Nethogs reports the PID, user and the path of the program.
Netload: displays a small report on the current traffic load, and the total number of bytes transferred since the program start. No more features are there. Its
TTT: (Tele Traffic Tapper) is yet another descendant of tcpdump but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won't replace tcpdump; rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default.
Yaf: It's a reliable piece of software, quite solid and able to generate flow records from pcap. This is very nice for indexing huge pcaps or even doing packet capture. The recent version can even extract payloads and put them in the flow records.
Traffic Analysis/Inspection
AIEngine: is a next generation interactive/programmable packet inspection engine with capabilities of learning without any human intervention, NIDS functionality, DNS domain classification, network collector and many others. AIEngine also helps network/security professionals to identify traffic and develop signatures for use on NIDS, Firewalls, Traffic classifiers and so on.
Bro: is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application-level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).
CapTipper: Malicious HTTP traffic explorer
Chopshop: is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.
CoralReef: is a software suite developed by CAIDA to analyze data collected by passive Internet traffic monitors. It provides a programming library libcoral, similar to libpcap with extensions for ATM and other network types, which is available from both C and Perl.
DPDK: is a set of libraries and drivers for fast packet processing. It was designed to run on any processor. The first supported CPU was Intel x86 and it is now extended to IBM Power 8, EZchip TILE-Gx and ARM. It runs mostly in Linux userland. A FreeBSD port is available for a subset of DPDK features.
DPKT: Python packet creation/parsing library.
ECap: (External Capture) is a distributed network sniffer with a web front-end. Ecap was written many years ago in 2005, but a post on the tcpdump-workers mailing list requested a similar application... so here it is. It would be fun to update it and work on it again if there's any interest.
EtherApe: is a graphical network monitor for Unix modeled after etherman. Featuring link layer, IP and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.
HttpSniffer: A multi-threading tool to sniff TCP flow statistics and embedded HTTP headers from PCAP files. Each TCP flow carrying HTTP is exported to a text file in JSON format.
Ipsumdump: summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs. Ipsumdump can read packets from network interfaces, from tcpdump files, and from existing ipsumdump files. It will transparently uncompress tcpdump or ipsumdump files when necessary. It can randomly sample traffic, filter traffic based on its contents, anonymize IP addresses, and sort packets from multiple dumps by timestamp. Also, it can optionally create a tcpdump file containing actual packet data. It's also convenient to work with CLICK
as a inserted module.
ITA: The Internet Traffic Archive is a moderated repository to support widesprea
d access to traces of Internet network traffic, sponsored by ACM SIGCOMM. The tr
aces can be used to study network dynamics, usage characteristics, and growth pa
tterns, as well as providing the grist for trace- driven simulations. The archiv
e is also open to programs for reducing raw trace data to more manageable forms,
for generating synthetic traces, and for analyzing traces.
Libcrafter: is a high level library for C++ designed to make the creation and decoding of network packets easier. It is able to craft or decode packets of most common network protocols, send them on the wire, capture them and match requests and replies.
Libnet: is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort.
Libnids: designed by Rafal Wojtczuk, is an implementation of an E-component of a Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection. The most valuable feature of libnids is reliability. A number of tests were conducted, which proved that libnids predicts the behaviour of protected Linux hosts as closely as possible.
Multitail: now has a colorscheme included for monitoring the tcpdump output. It can also filter, convert timestamps to timestrings and much more.
Netsniff-ng: Netsniff-ng is a toolkit of free Linux networking utilities, a Swiss army knife for your daily Linux network plumbing if you will.
NetDude: (NETwork DUmp data Displayer and Editor). From their webpage, "it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles."
Network Expect: is a framework that allows one to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libpcap for packet capture and libwireshark (from the Wireshark project) for packet dissection tasks. (GPL, BSD/Linux/OSX).
Ntop: Ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well.
Ntopng: Ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Win32 as well.
Pcap2har: A program to convert .pcap network capture files to HTTP Archive files using the dpkt library.
pkt2flow: A simple utility to classify packets into flows. It's so simple that only one task is aimed to finish. For Deep Packet Inspection or flow classification, it's so common to analyze the feature of one specific flow. I have made the attempt to use ready-made tools like tcpflows, tcpslice, tcpsplit, but all these tools try to either decrease the trace volume (under requirement) or reassemble the packets into flow payloads (over requirement). I have not found a simple tool to classify the packets into flows without further processing.
potiron: Normalizes, indexes, enriches and visualizes network captures.
pyshark: A Python wrapper for tshark, allowing python packet parsing using wireshark dissectors. There are quite a few python packet parsing modules; this one is different because it doesn't actually parse any packets, it simply uses tshark's (wireshark command-line utility) ability to export XMLs to use its parsing.
Sanitize: Sanitize is a collection of five Bourne shell scripts for reducing tcpdump traces in order to address security and privacy concerns, by renumbering hosts and stripping out packet contents. Each script takes as input a tcpdump trace file and generates to stdout a reduced, ASCII file in fixed-column format.
Scapy: Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.
Sniff: Makes output from the tcpdump program easier to read and parse.
Snort: Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, now owned by Cisco. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 500,000 registered users, Snort has become the de facto standard for IPS.
Socket Sentry: Socket Sentry is a real-time network traffic monitor for KDE Plasma in the same spirit as tools like iftop and netstat.
TCP-Reduce: TCP-Reduce is a collection of Bourne shell scripts for reducing tcpdump traces to one-line summaries of each TCP connection present in the trace. The scripts look only at TCP SYN/FIN/RST packets. Connections without SYN packets in the trace (such as those on-going at the beginning of the trace) will not appear in the summary. Garbaged packets (those missing some of their contents) are reported to stderr as bogons and are discarded. Occasionally the script gets fooled by retransmissions with altered sequence numbers, and reports erroneous huge connection sizes - always check large connections (say 100 MB or more) for plausibility.
Tcpdpriv: Tcpdpriv is a program for eliminating confidential information (user data and addresses) from packets collected on a network interface (or, from trace files created using the -w argument to tcpdump). Tcpdpriv removes the payload of TCP and UDP, and the entire IP payload for other protocols. It implements several address scrambling methods; the sequential numbering method and its variants, and a hash method with preserving address prefix.
Tcpflow: A program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like tcpdump shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis.
Tcplook: Tracelook is a Tcl/TK program for graphically viewing the contents of trace files created using the -w argument to tcpdump. Tracelook should look at all protocols, but presently only looks at TCP connections. The program is slow and uses system resources prodigiously.
Tcpreplay: Replays a pcap file on an interface using libnet.
Tcpslice: Tcpslice is a tool for extracting portions of packet trace files generated using tcpdump's -w flag. It can combine multiple trace files, and/or extract portions of one or more traces based on time. From the tcpdump CVS server.
Tcpsplit: A tool to break a single libpcap packet trace into some number of subtraces, breaking the trace along TCP connection boundaries so that a TCP connection doesn't end up split across two sub-traces. This is useful for making large trace files tractable for in-depth analysis and for subsetting a trace for developing analysis on only part of a trace.
Tcpstat: Tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.
Tcptrace: A tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet-capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.
TraceWrangler: TraceWrangler is a network capture file toolkit running on Windows (or on Linux, using WINE) that supports PCAP as well as the new PCAPng file format, which is now the standard file format used by Wireshark. The most prominent use case for TraceWrangler is the easy sanitization and anonymization of PCAP and PCAPng files (sometimes called "trace files", "capture files" or "packet captures"), removing or replacing sensitive data while being easy to use.
Tstat: A passive sniffer able to provide several insights on the traffic patterns at both the network and transport levels with a tremendous set of flow features.
WAND: A wonderful collection of tools built on libtrace to process network traffic, which is from The University of Waikato. I love this project!
WinPcap: An extract of a message from Guy Harris on the state of WinPcap and WinDump.
Wireshark suite: The well-known tool suite to support packet analyzer and protocol decoder. It also includes a few practical tools and scripts to support most of the common usage.
Xplot: The program xplot was written in the late 1980s to support the analysis of TCP packet traces.
yaraPcap: Process HTTP Pcaps With YARA
yaraprocessor: With yaraprocessor YARA can be run against individual packet payloads as well as a concatenation of some or all of the payloads. It was originally written for use in Chopshop, but can also be used without it.
DNS Utilities
dnsgram: dnsgram is a debugging tool for intermittent resolver failures. It takes one or more input PCAP files and generates statistics on 5 second segments, allowing the study of intermittent resolver issues.
dnsreplay: Dnsreplay takes recorded questions and answers and replays them to the specified nameserver, reporting afterwards which percentage of answers matched, were worse or better. It then compares the answers and some other metrics with the actual ones found in the dumpfile.
dnsscan: dnsscan takes one or more INFILEs in PCAP format and generates a list of the number of queries per query type.
dnsscope: dnsscope takes an input PCAP, generates some simple statistics and outputs these to the console.
dnswasher: dnswasher takes an input file in PCAP format and writes out a PCAP file, while obfuscating end-user IP addresses. This is useful to share data with third parties while attempting to protect the privacy of your users.
File Extraction
Chaosreader: A freeware tool to trace TCP/UDP/... sessions and fetch application data from snoop or tcpdump logs. This is a type of "any-snarf" program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, ...), SMTP emails, ... from the captured data inside network traffic logs. An HTML index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports.
Dsniff: Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g., due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.
Foremost: is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc., or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format, allowing for a more reliable and faster recovery.
Justniffer: Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic.
NetworkMiner: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/reassemble transmitted files and certificates from PCAP files.
pcapfex: Packet CAPture Forensic Evidence eXtractor (pcapfex) is a tool that finds and extracts files from packet capture files. Its power lies in its ease of use. Just provide it a pcap file, and it will try to extract all of the files. It is an extensible platform, so additional file types to recognize and extract can be added easily.
scalpel: Scalpel is an open source data carving tool.
Snort: is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, now owned by Cisco. Combining the benefits of signature, protocol and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.
Tcpick: is a textmode libpcap-based sniffer that can track, reassemble and reorder TCP streams. Tcpick is able to save the captured flows in different files or display them in the terminal, and so it is useful to sniff files that are transmitted via FTP or HTTP. It can display the whole stream on the terminal when the connection is closed, in different display modes like hexdump, hexdump + ascii, only printable characters, raw mode and so on.
Tcpxtract: is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called "carving") is an age old data recovery technique.
Xplico: The goal of Xplico is to extract from an internet traffic capture the application data it contains. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool (NFAT). Xplico is released under the GNU General Public License and with some scripts under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) License.
Related Projects
BPF for Ultrix: A distribution of BPF for Ultrix 4.2, with both source code and binary modules.
BPF+: Exploiting Global Data-flow Optimization in a Generalized Packet Filter Architecture, by Andrew Begel, Steven McCanne, and Susan Graham.
FFT-FGN-C: is a program for synthesizing a type of self-similar process known as fractional Gaussian noise. The program is fast but approximate. Fractional Gaussian noise is only one type of self-similar process. When using this program for synthesizing network traffic, you must keep in mind that it may be that the traffic you seek is better modeled using one of the other processes.
Haka: An open source security oriented language which allows one to describe protocols and apply security policies on (live) captured traffic. The scope of the Haka language is twofold. First of all, it allows one to write security rules in order to filter/alter/drop unwanted packets and log and report malicious activities. Second, Haka features a grammar enabling one to specify network protocols and their underlying state machine.
RIPE-NCC Hadoop for PCAP: A Hadoop library to read packet capture (PCAP) files. Bundles the code used to read PCAPs. Can be used within MapReduce jobs to natively read PCAP files. Also features a Hive Serializer/Deserializer (SerDe) to query PCAPs using SQL like commands.
Traffic Data Repository at the WIDE Project: It becomes increasingly important for both network researchers and operators to know the trend of network traffic and to find anomalies in their network traffic. This paper describes an on-going effort within the WIDE project to collect a set of free tools to build a traffic data repository containing detailed information of our backbone traffic. Traffic traces are collected by tcpdump and, after removing privacy information, the traces are made open to the public. We review the issues on user privacy, and then, the tools used to build the WIDE traffic repository. We will report the current status and findings in the early stage of our IPv6 deployment.
Usenix93 Paper on BPF: The libpcap interface supports a filtering mechanism based on the architecture in the BSD packet filter. BPF is described in the 1993 Winter Usenix paper "The BSD Packet Filter: A New Architecture for User-level Packet Capture".
ONLINE ANALYZERS
AndroTotal
CopperDroid
Dexter
Sandroid
Tracedroid
Visual Threat
Mobile Malware Sandbox
MobiSec Eacus
IBM Security AppScan Mobile Analyzer - not free
NVISO ApkScan
AVC UnDroid
Fireeye - max 60MB, 15/day
habo - 10/day
Virustotal - max 128MB
Fraunhofer App-ray - not free
Stowaway
Anubis
Mobile app insight
Mobile-Sandbox
Ijiami
Comdroid
Android Sandbox
Foresafe
STATIC ANALYSIS TOOLS
Androwarn - detect and warn the user about potential malicious behaviours developed by an Android application.
ApkAnalyser
APKInspector
Droid Intent Data Flow Analysis for Information Leakage
Several tools from PSU
Smali CFG generator
FlowDroid
Android Decompiler not free
PSCout - A tool that extracts the permission specification from the Android OS source code using static analysis
Amandroid
SmaliSCA - Smali Static Code Analysis
CFGScanDroid - Scans and compares CFG against CFG of malicious applications
Madrolyzer - extracts actionable data like C&C, phone number etc.
SPARTA - verifies (proves) that an app satisfies an information-flow security policy; built on the Checker Framework
ConDroid - Performs a combination of symbolic + concrete execution of the app
APP VULNERABILITY SCANNERS
QARK - QARK by LinkedIn is for app developers to scan app for security issues
AndroBugs
DYNAMIC ANALYSIS TOOLS
Android DBI framework
Android Malware Analysis Toolkit - (Linux distro) Earlier it used to be an online analyzer
Tools
Metasploit - A computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
mimikatz - A little tool to play with Windows security
General
Exploit database - An ultimate archive of exploits and vulnerable software
Reverse Engineering
Tutorials
Lena's Reversing for Newbies
Malware Analysis Tutorials: a Reverse Engineering Approach
Tools
IDA - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
OllyDbg - A 32-bit assembler level analysing debugger for Windows
dex2jar - Tools to work with android .dex and java .class files
JD-GUI - A standalone graphical utility that displays Java source code of .class files
androguard - Reverse engineering, malware and goodware analysis of Android applications
JAD - JAD Java Decompiler
dotPeek - a free-of-charge .NET decompiler from JetBrains
UPX - the Ultimate Packer for eXecutables
radare2 - A portable reversing framework
General
Open Malware
Web
Tools
sqlmap - Automatic SQL injection and database takeover tool
tools.web-max.ca - base64 base85 md4,5 hash, sha1 hash encoding/decoding
Network
Tools
Wireshark - A free and open-source packet analyzer
NetworkMiner - A Network Forensic Analysis Tool (NFAT)
tcpdump - a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture
Paros - A Java based HTTP/HTTPS proxy for assessing web application vulnerability
pig - A Linux packet crafting tool
ZAP - The Zed Attack Proxy (ZAP) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications
mitmproxy - An interactive, SSL-capable man-in-the-middle proxy for HTTP with a console interface
mitmsocks4j - Man in the Middle SOCKS Proxy for JAVA
nmap - Nmap (Network Mapper) is a security scanner
Aircrack-ng - An 802.11 WEP and WPA-PSK keys cracking program
Forensic
Tools
Autopsy - A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools
sleuthkit - A library and collection of command line digital forensics tools
EnCase - the shared technology within a suite of digital investigations products by Guidance Software
malzilla - Malware hunting tool
PEview - a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files
HxD - A hex editor which, in addition to raw disk editing and modifying of main memory (RAM), handles files of any size
WinHex - A hexadecimal editor, helpful in the realm of computer forensics, data recovery, low-level data processing, and IT security
BinText - A small, very fast and powerful text extractor that will be of particu