Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

awesome-nodejs-pentest

:skull_and_crossbones: Delightful Node.js packages useful for penetration testing, exploiting, reverse engineer, cryptography ...
https://github.com/jesusprubio/awesome-nodejs-pentest

Last synced: 3 days ago
JSON representation

  • Fingerprint

    • Web

      • snap-shot-it - Smarter snapshot utility.
      • Harvester - Web crawling and document processing through a usable interface.
      • Paskto - Passive web scanner.
      • Squidwarc - High fidelity, user scriptable, archival crawler that uses Chrome or Chromium with or without a head.
    • Network map

      • evilscan - Simple network scanner.
      • nmap - Wrapper interfacing with local Nmap installation.
      • tcpie - CLI tool to ping any TCP port.
      • wifi - Tool to manage connections, scans, etc.
    • IP

      • is-reachable - Check if servers are reachable.
      • is-online - Check if the internet connection is up.
      • public-ip - Get your public IP address - very fast!.
      • internal-ip - Get your internal IP address.
      • ipaddr.js - IP address manipulation library.
      • is-local-ip - Check that a given ip address is private.
      • ip-ptr - Get the PTR name for a given IPv4 or IPv6 address.
    • Port

      • get-port - Get an available port.
      • port-numbers - Get information on network port numbers and services, based on IANA's public listing.
      • tcp-port-used - Simple module to check if a TCP port is already bound.
    • CIDR

      • cidr - Library for manipulating IP addresses and subnets using CIDR notation.
      • cidr-tools - Tools to work with IPv4 and IPv6 CIDR network lists.
      • is-cidr - Check if a string is an IP address in CIDR.
    • ARP

      • arp-scan - Simple apr-scan wrapper.
      • oui - Look up MAC addresses for their vendor in the IEEE OUI.
      • getmac - Get the computer MAC address.
    • DHCP

      • net-ping - Ping and trace route to many hosts at once.
      • dhcp - DHCP client and server.
  • Exploitation

    • Network

      • slowloris.js - DDoS script
      • mitm - Intercept and mock outgoing network TCP connections and HTTP requests.
      • toxy - Hackable HTTP proxy for resiliency testing and simulated network conditions.
    • DHCP

      • text2cpe - Reversed sorta implementation of CPE Name detection in ShoVAT based on research paper.
      • PegaSwitch - Exploit toolkit for the Nintendo Switch.
    • DNS

      • whonow - Malicious DNS server for executing DNS Rebinding attacks on the fly.
  • Code review

    • Reverse shell

      • eslint-plugin-security - This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
      • electronegativity - Static analysis tool to identify misconfigurations and security anti-patterns in Electron applications.
      • repo-supervisor - Scan your code for security misconfiguration, search for passwords and secrets.
      • vuln-regex-detector - Detect vulnerable regexes. REDOS, catastrophic backtracking.
      • eslint-plugin-security - This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
    • Dependencies

      • run-npm-audit - Use npm audit programmatically.
      • npm-check-updates - Find newer versions of package dependencies than what your package.json or bower.json allows.
      • auditjs - Audits a package.json using the OSS Index v3 REST API to identify known vulnerabilities and outdated package versions.
      • npm-check-updates - Find newer versions of package dependencies than what your package.json or bower.json allows.
      • depcheck - Check your npm module for unused dependencies.
      • auditjs - Audits a package.json using the OSS Index v3 REST API to identify known vulnerabilities and outdated package versions.
  • Cryptography

    • Dependencies

      • Qiskit.js - True random numbers generation through quantum computing.
      • crypto-js - Library of crypto standards.
      • rsa - Pure JavaScript RSA library.
      • seedrandom - Seeded random number generator for JavaScript.
      • upash - Unified API for all password hashing algorithms.
  • Malware

    • Dependencies

      • nodeCrypt - Linux Ransomware written in NodeJs that encrypt predefined files.
      • malware-jail - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction.
      • virustotal-api - [Virustotal](https://www.virustotal.com) API v2.0 wrapper.
      • MalwareWorld - System based on +500 blacklists and 5 external intelligences to detect internet potencially malicious hosts.
      • box.js - Utility to analyze malicious JavaScript.
  • Reverse engineering

    • radare

      • r2pipe - Pipe bindings for radare2.
      • frida-node - Bindings for Frida.
      • r2Frida - Radare2 and Frida better together.
  • Extra

    • Checklists

    • Vulnerable apps

      • OWASP Juice Shop - Probably the most modern and sophisticated insecure web application.
      • DVNA - Damn Vulnerable Application is a simple application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities.
      • OWASP NodeGoat - Provides an environment to learn how OWASP Top 10 security risks and how to effectively address them.
      • OWASP Juice Shop - Probably the most modern and sophisticated insecure web application.
  • Misc

      • Pown.js - Security testing an exploitation toolkit.
      • Brosec - Interactive reference tool to help security professionals utilize useful payloads and commands.
      • netcat - Netcat port in pure JS.
      • Honeypot - Low interaction honeypot that displays real time attacks.
      • default-gateway - Get the default network gateway, cross-platform.
    • Web

      • ZAP API - Implementation to access the OWASP ZAP API.
      • got - Simplified HTTP requests.
  • OSINT

    • Web

      • Sherlock.js - Find usernames across over 75 social networks - Remake of sdushantha/sherlock.
      • whois - Whois protocol client.
    • Exposed

      • censys - Unofficial wrapper for the Censys API.
    • Geolocation

      • iplocation - Get IP location information using various providers.
      • ipify - Get your public IP address.
  • Brute-force

    • DHCP

      • nodebuster - Yet another DirBuster clone, to brute-force directories and files on HTTP(S) servers.
      • subquest - Fast, Elegant subdomain DNS scanner.
  • Fuzzing

    • DHCP

      • octo - Standard library for fuzzing.
      • eslump - Fuzz testing JavaScript parsers and suchlike programs.
      • sinkdweller - A simple wrapper for radamsa.
      • Faker.js - Generate massive amounts of realistic fake data.
  • Post-exploitation

    • Reverse shell

      • Reverse Shell aaS - Easy to remember reverse shell that should work on most Unix-like systems.
      • alveare - Multi-client, multi-threaded reverse shell handler.