Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/jekil/awesome-hacking

Awesome hacking is an awesome collection of hacking tools.
https://github.com/jekil/awesome-hacking

List: awesome-hacking

curated-list forensics hacking hacking-tools malware penetration-testing security security-tools

Last synced: about 15 hours ago
JSON representation

Awesome hacking is an awesome collection of hacking tools.

Host: GitHub
URL: https://github.com/jekil/awesome-hacking
Owner: jekil
Created: 2016-11-03T21:51:08.000Z (about 8 years ago)
Default Branch: master
Last Pushed: 2024-07-02T09:43:40.000Z (5 months ago)
Last Synced: 2024-10-29T15:36:15.265Z (about 1 month ago)
Topics: curated-list, forensics, hacking, hacking-tools, malware, penetration-testing, security, security-tools
Language: Python
Homepage: https://awesomehacking.org
Size: 1.57 MB
Stars: 3,047
Watchers: 143
Forks: 558
Open Issues: 2
Metadata Files:
- Readme: Readme.rst
- Security: Security/Privacy/I2P.url

Awesome Lists containing this project

awesome-security-collection - **993**星
awesome-hacking-lists - jekil/awesome-hacking - Awesome hacking is an awesome collection of hacking tools. (Python)
project-awesome - jekil/awesome-hacking - Awesome hacking is an awesome collection of hacking tools. (Python)

README

=================
Awesome Hacking
=================

Awesome hacking is a curated list of **hacking tools** for hackers, pentesters and security researchers.
Its goal is to collect, classify and make awesome tools easy to find by humans, creating a **toolset** you can
checkout and update with one command.

This is not only a curated list, it is also a complete and updated toolset you can download with one-command!

You can download all the tools with the following command::

git clone --recursive https://github.com/jekil/awesome-hacking.git

To update it run the following command::

git pull

Every kind of **contribution** is really appreciated! Follow the `contribute `_.

*If you enjoy this work, please keep it alive contributing or just sharing it!* - `@jekil `_

.. contents:: Table of Contents
:depth: 2
:backlinks: entry

CTF Tools
=========

- `CTFd `_ - CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.
- `CTForge `_ - The framework developed by the hacking team from University of Venice to easily host jeopardy and attack-defense CTF security competitions. It provides the software components for running the game, namely the website and the checkbot (optional).
- `FBCTF `_ - Platform to host Capture the Flag competitions.
- `LibreCTF `_ - CTF in a box. Minimal setup required.
- `Mellivora `_ - A CTF engine written in PHP.
- `NightShade `_ - A simple security CTF framework.
- `OneGadget `_ - A tool for you easy to find the one gadget RCE in libc.so.6.
- `Pwntools `_ - CTF framework and exploit development library.
- `Scorebot `_ - Platform for CTFs by Legitbs (Defcon).
- `V0lt `_ - Security CTF Toolkit.

Code Auditing
=============

Static Analysis
---------------

- `Brakeman `_ - A static analysis security vulnerability scanner for Ruby on Rails applications.
- `Detekt `_ - A static code analysis tool for the Kotlin programming language.
- `Dr. Taint `_ - A very WIP DynamoRIO module built on the Dr. Memory Framework to implement taint analysis on ARM.
- `Gitleaks `_ - A SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks is an easy-to-use, all-in-one solution for detecting secrets, past or present, in your code.
- `GoKart `_ - A static analysis tool for Go that finds vulnerabilities using the SSA (single static assignment) form of Go source code.
- `Gosec `_ - Inspects source code for security problems by scanning the Go AST.
- `Mariana Trench `_ - Facebook's security focused static analysis tool for Android and Java applications.
- `STACK `_ - A static checker for identifying unstable code.
- `ShellCheck `_ - A static analysis tool for shell scripts.
- `StaCoAn `_ - A crossplatform tool which aids developers, bugbounty hunters and ethical hackers performing static code analysis on mobile applications.

Cryptography
============

- `FeatherDuster `_ - An automated, modular cryptanalysis tool.
- `RSATool `_ - Generate private key with knowledge of p and q.
- `Stego-toolkit `_ - This project is a Docker image useful for solving Steganography challenges as those you can find at CTF platforms like hackthebox.eu. The image comes pre-installed with many popular tools (see list below) and several screening scripts you can use check simple things (for instance, run check_jpg.sh image.jpg to get a report for a JPG file).
- `Xortool `_ - A tool to analyze multi-byte xor cipher.

Docker
======

- `DVWA `_ - Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable.
- `Docker Bench for Security `_ - The Docker Bench for Security checks for all the automatable tests in the CIS Docker 1.6 Benchmark.
- `Kali Linux `_ - This Kali Linux Docker image provides a minimal base install of the latest version of the Kali Linux Rolling Distribution.
- `Metasploit `_ - Metasploit Framework penetration testing software (unofficial docker).
- `OWASP Juice Shop `_ - An intentionally insecure webapp for security trainings written entirely in Javascript which encompasses the entire OWASP Top Ten and other severe security flaws.
- `OWASP Mutillidae II `_ - OWASP Mutillidae II Web Pen-Test Practice Application.
- `OWASP NodeGoat `_ - An environment to learn how OWASP Top 10 security risks apply to web applications developed using Node.js and how to effectively address them.
- `OWASP Railsgoat `_ - A vulnerable version of Rails that follows the OWASP Top 10.
- `OWASP Security Shepherd `_ - A web and mobile application security training platform.
- `OWASP WebGoat `_ - A deliberately insecure Web Application.
- `OWASP ZAP `_ - Current stable owasp zed attack proxy release in embedded docker container.
- `Security Ninjas `_ - An Open Source Application Security Training Program.
- `SpamScope `_ - SpamScope (Fast Advanced Spam Analysis Tool) Elasticsearch.
- `Vulnerability as a service: Heartbleed `_ - Vulnerability as a Service: CVE 2014-0160.
- `Vulnerability as a service: Shellshock `_ - Vulnerability as a Service: CVE 2014-6271.
- `Vulnerable WordPress Installation `_ - Vulnerable WordPress Installation.
- `WPScan `_ - WPScan is a black box WordPress vulnerability scanner.

Forensics
=========

File Forensics
--------------

- `Autopsy `_ - A digital forensics platform and graphical interface to The Sleuth Kit and other digital forensics tools.
- `Docker Explorer `_ - A tool to help forensicate offline docker acquisitions.
- `Hadoop_framework `_ - A prototype system that uses Hadoop to process hard drive images.
- `Mac_apt `_ - A DFIR (Digital Forensics and Incident Response) tool to process Mac computer full disk images (or live machines) and extract data/metadata useful for forensic investigation. It is a python based framework, which has plugins to process individual artifacts (such as Safari internet history, Network interfaces, Recently accessed files & volumes, ..)
- `OSXCollector `_ - A forensic evidence collection & analysis toolkit for OS X.
- `RegRipper3.0 `_ - Alternative to RegRipper
- `RegRippy `_ - A framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3.
- `Scalpel `_ - An open source data carving tool.
- `Shellbags `_ - Investigate NT_USER.dat files.
- `SlackPirate `_ - Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace.
- `Sleuthkit `_ - A library and collection of command line digital forensics tools.
- `TVS_extractor `_ - Extracts TeamViewer screen captures.
- `Telegram-extractor `_ - Python3 scripts to analyse the data stored in Telegram.
- `Truehunter `_ - The goal of Truehunter is to detect encrypted containers using a fast and memory efficient approach without any external dependencies for ease of portability.

Image Forensics
---------------

- `Bad Peggy `_ - Scans JPEG images for damage and other blemishes, and shows the results and image instantly. It allows you to find such broken files quickly, inspect and then either delete or move them to a different location.
- `Depix `_ - Recovers passwords from pixelized screenshots.

Incident Response
-----------------

- `Chainsaw `_ - Provides a powerful ‘first-response’ capability to quickly identify threats within Windows forensic artefacts such as Event Logs and MFTs. Chainsaw offers a generic and fast method of searching through event logs for keywords, and by identifying threats using built-in support for Sigma detection rules, and via custom Chainsaw detection rules.
- `DFIR4vSphere `_ - Powershell module for VMWare vSphere forensics.
- `Event2Timeline `_ - A free tool based on D3js to graph Microsoft Windows sessions events. It parses both EVTX event logs from post Vista systems (Vista, Windows 7, Windows 8), and CSV exports of the legacy EVT log files.
- `Hunter `_ - A threat hunting / data analysis environment based on Python, Pandas, PySpark and Jupyter Notebook.
- `LogonTracer `_ - Investigate malicious Windows logon by visualizing and analyzing Windows event log.
- `Loki `_ - Simple IOC and Incident Response Scanner.
- `Panorama `_ - It was made to generate a wide report about Windows systems, support and tested on Windows XP SP2 and up.
- `Plaso `_ - Plaso (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. Plaso default behavior is to create super timelines but it also supports creating more targeted timelines.
- `Snoopdigg `_ - Simple utility to ease the process of collecting evidence to find infections.
- `TAPIR `_ - Trustable Artifacts Parser for Incident Response is a multi-user, client/server, incident response framework based on the TAP project.
- `UAC `_ - A Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts.
- `Untitled Goose Tool `_ - A robust and flexible hunt and incident response tool that adds novel authentication and data gathering methods in order to run a full investigation against a customer’s Azure Active Directory (AzureAD), Azure, and M365 environments. Untitled Goose Tool gathers additional telemetry from Microsoft Defender for Endpoint (MDE) and Defender for Internet of Things (IoT) (D4IoT).

Live Analysis
-------------

- `OS X Auditor `_ - OS X Auditor is a free Mac OS X computer forensics tool.
- `Windows-event-forwarding `_ - A repository for using windows event forwarding for incident detection and response.

Memory Forensics
----------------

- `KeeFarce `_ - Extracts passwords from a KeePass 2.x database, directly from memory.
- `Rekall `_ - Memory analysis framework developed by Google.
- `Volatility `_ - Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.

Misc
----

- `Diffy `_ - A digital forensics and incident response (DFIR) tool developed by Netflix's Security Intelligence and Response Team (SIRT). Allows a forensic investigator to quickly scope a compromise across cloud instances during an incident, and triage those instances for followup actions.
- `HxD `_ - A hex editor which, additionally to raw disk editing and modifying of main memory (RAM), handles files of any size.
- `Kube-forensics `_ - Allows a cluster administrator to dump the current state of a running pod and all its containers so that security professionals can perform off-line forensic analysis.
- `Libfvde `_ - Library and tools to access FileVault Drive Encryption (FVDE) encrypted volumes.
- `Mass_archive `_ - A basic tool for pushing a web page to multiple archiving services at once.

Mobile
------

- `Android Forensic Toolkit `_ - Allows you to extract SMS records, call history, photos, browsing history, and password from an Android phone.
- `Android backup extractor `_ - Utility to extract and repack Android backups created with adb backup (ICS+). Largely based on BackupManagerService.java from AOSP.
- `Androidqf `_ - Android Quick Forensics is a portable tool to simplify the acquisition of relevant forensic data from Android devices. It is the successor of Snoopdroid, re-written in Go and leveraging official adb binaries.
- `MVT `_ - MVT is a forensic tool to look for signs of infection in smartphone devices.
- `Mem `_ - Tool used for dumping memory from Android devices.
- `Snoopdroid `_ - Extract packages from an Android device.
- `WhatsApp Media Decrypt `_ - Decrypt WhatsApp encrypted media files.
- `iLEAPP `_ - iOS Logs, Events, And Plist Parser.
- `iOSbackup `_ - A Pyhotn 3 class that reads and extracts files from a password-encrypted iOS backup created by iTunes on Mac and Windows. Compatible with iOS 13.

Network Forensics
-----------------

- `Dnslog `_ - Minimalistic DNS logging tool.
- `Dshell `_ - A network forensic analysis framework.
- `Joy `_ - A package for capturing and analyzing network flow data and intraflow data, for network research, forensics, and security monitoring.
- `Passivedns `_ - A network sniffer that logs all DNS server replies for use in a passive DNS setup.
- `Website Evidence Collector `_ - The tool Website Evidence Collector (WEC) automates the website evidence collection of storage and transfer of personal data.

Hardware Hacking
================

Computer
--------

- `Kbd-audio `_ - Tools for capturing and analysing keyboard input paired with microphone capture.
- `LimeSDR-Mini `_ - The LimeSDR-Mini board provides a hardware platform for developing and prototyping high-performance and logic-intensive digital and RF designs using Altera’s MAX10 FPGA and Lime Microsystems transceiver.
- `NSA-B-GONE `_ - Thinkpad X220 board that disconnects the webcam and microphone data lines.

Intelligence
============

- `Attackintel `_ - A python script to query the MITRE ATT&CK API for tactics, techniques, mitigations, & detection methods for specific threat groups.
- `DeepdarkCTI `_ - The aim of this project is to collect the sources, present in the Deep and Dark web, which can be useful in Cyber Threat Intelligence contexts.
- `Dnstwist `_ - Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation.
- `IntelOwl `_ - Analyze files, domains, IPs in multiple ways from a single API at scale.
- `MISP-maltego `_ - Set of Maltego transforms to inferface with a MISP Threat Sharing instance, and also to explore the whole MITRE ATT&CK dataset.
- `Masto `_ - An OSINT tool written in python to gather intelligence on Mastodon users and instances.
- `Shodan-seeker `_ - Command-line tool using Shodan API. Generates and downloads CSV results, diffing of historic scanning results, alerts and monitoring of specific ports/IPs, etc.
- `TorScrapper `_ - Copy of Fresh Onions is an open source TOR spider / hidden service onion crawler.
- `VIA4CVE `_ - An aggregator of the known vendor vulnerabilities database to support the expansion of information with CVEs.
- `Yeti `_ - Your Everyday Threat Intelligence.
- `n6 `_ - Automated handling of data feeds for security teams.

Library
=======

C
-

- `Libdnet `_ - Provides a simplified, portable interface to several low-level networking routines, including network address manipulation, kernel arp cache and route table lookup and manipulation, network firewalling, network interface lookup and manipulation, IP tunnelling, and raw IP packet and Ethernet frame transmission.

Go
--

- `Garble `_ - Obfuscate Go builds.

Java
----

- `Libsignal-service-java `_ - A Java/Android library for communicating with the Signal messaging service.

Python
------

- `Amodem `_ - Audio MODEM Communication Library in Python.
- `Dpkt `_ - Fast, simple packet creation / parsing, with definitions for the basic TCP/IP protocols.
- `Pcapy `_ - A Python extension module that interfaces with the libpcap packet capture library. Pcapy enables python scripts to capture packets on the network. Pcapy is highly effective when used in conjunction with a packet-handling package such as Impacket, which is a collection of Python classes for constructing and dissecting network packets.
- `Plyara `_ - Parse YARA rules and operate over them more easily.
- `PyBFD `_ - Python interface to the GNU Binary File Descriptor (BFD) library.
- `PyPDF2 `_ - A utility to read and write PDFs with Python.
- `Pynids `_ - A python wrapper for libnids, a Network Intrusion Detection System library offering sniffing, IP defragmentation, TCP stream reassembly and TCP port scan detection. Let your own python routines examine network conversations.
- `Pypcap `_ - This is a simplified object-oriented Python wrapper for libpcap.
- `Pyprotect `_ - A lightweight python code protector, makes your python project harder to reverse engineer.
- `Python-idb `_ - Pure Python parser and analyzer for IDA Pro database files (.idb).
- `Python-ptrace `_ - Python binding of ptrace library.
- `RDPY `_ - RDPY is a pure Python implementation of the Microsoft RDP (Remote Desktop Protocol) protocol (client and server side).
- `Scapy `_ - A python-based interactive packet manipulation program & library.

Ruby
----

- `Secureheaders `_ - Security related headers all in one gem.

Live CD - Distributions
=======================

- `Android Tamer `_ - Virtual / Live Platform for Android Security professionals.
- `ArchStrike `_ - An Arch Linux repository for security professionals and enthusiasts.
- `BOSSLive `_ - An Indian GNU/Linux distribution developed by CDAC and is customized to suit Indian's digital environment. It supports most of the Indian languages.
- `BackBox `_ - Ubuntu-based distribution for penetration tests and security assessments.
- `BlackArch `_ - Arch Linux-based distribution for penetration testers and security researchers.
- `DEFT Linux `_ - Suite dedicated to incident response and digital forensics.
- `Fedora Security Lab `_ - A safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies in universities and other organizations.
- `Kali `_ - A Linux distribution designed for digital forensics and penetration testing.
- `NST `_ - Network Security Toolkit distribution.
- `Ophcrack `_ - A free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. It comes with a Graphical User Interface and runs on multiple platforms.
- `Parrot `_ - Security GNU/Linux distribution designed with cloud pentesting and IoT security in mind.
- `Pentoo `_ - Security-focused livecd based on Gentoo.
- `REMnux `_ - Toolkit for assisting malware analysts with reverse-engineering malicious software.

Malware
=======

Dynamic Analysis
----------------

- `Androguard `_ - Reverse engineering, Malware and goodware analysis of Android applications.
- `CAPEv2 `_ - Malware Configuration And Payload Extraction.
- `Cuckoo Sandbox `_ - An automated dynamic malware analysis system.
- `CuckooDroid `_ - Automated Android Malware Analysis with Cuckoo Sandbox.
- `DECAF `_ - Short for Dynamic Executable Code Analysis Framework, is a binary analysis platform based on QEMU.
- `DRAKVUF Sandbox `_ - DRAKVUF Sandbox is an automated black-box malware analysis system with DRAKVUF engine under the hood, which does not require an agent on guest OS.
- `DroidBox `_ - Dynamic analysis of Android apps.
- `DroidDetective `_ - A Python tool for analysing Android applications (APKs) for potential malware related behaviour and configurations. When provided with a path to an application (APK file) Droid Detective will make a prediction (using it's ML model) of if the application is malicious.
- `Hooker `_ - An opensource project for dynamic analyses of Android applications.
- `Jsunpack-n `_ - Emulates browser functionality when visiting a URL.
- `LiSa `_ - Sandbox for automated Linux malware analysis.
- `Magento-malware-scanner `_ - A collection of rules and samples to detect Magento malware.
- `Malzilla `_ - Web pages that contain exploits often use a series of redirects and obfuscated code to make it more difficult for somebody to follow. MalZilla is a useful program for use in exploring malicious pages. It allows you to choose your own user agent and referrer, and has the ability to use proxies. It shows you the full source of webpages and all the HTTP headers. It gives you various decoders to try and deobfuscate javascript aswell.
- `Panda `_ - Platform for Architecture-Neutral Dynamic Analysis.
- `ProbeDroid `_ - A dynamic binary instrumentation kit targeting on Android(Lollipop) 5.0 and above.
- `PyEMU `_ - Fully scriptable IA-32 emulator, useful for malware analysis.
- `PyWinSandbox `_ - Python Windows Sandbox library. Create a new Windows Sandbox machine, control it with a simple RPyC interface.
- `Pyrebox `_ - Python scriptable Reverse Engineering Sandbox, a Virtual Machine instrumentation and inspection framework based on QEMU.
- `Qiling `_ - Advanced Binary Emulation framework.
- `Speakeasy `_ - A portable, modular, binary emulator designed to emulate Windows kernel and user mode malware.
- `Uitkyk `_ - Runtime memory analysis framework to identify Android malware.
- `WScript Emulator `_ - Emulator/tracer of the Windows Script Host functionality.

Honeypot
--------

- `Amun `_ - Amun was the first python-based low-interaction honeypot, following the concepts of Nepenthes but extending it with more sophisticated emulation and easier maintenance.
- `Basic-auth-pot `_ - HTTP Basic Authentication honeyPot.
- `Bluepot `_ - Bluetooth Honeypot.
- `CitrixHoneypot `_ - Detect and log CVE-2019-19781 scan and exploitation attempts.
- `Conpot `_ - ICS/SCADA honeypot.
- `Cowrie `_ - SSH honeypot, based on Kippo.
- `Dionaea `_ - Honeypot designed to trap malware.
- `Django-admin-honeypot `_ - A fake Django admin login screen to log and notify admins of attempted unauthorized access.
- `ESPot `_ - An Elasticsearch honeypot written in NodeJS, to capture every attempts to exploit CVE-2014-3120.
- `Elastichoney `_ - A Simple Elasticsearch Honeypot.
- `Endlessh `_ - An SSH tarpit that very slowly sends an endless, random SSH banner. It keeps SSH clients locked up for hours or even days at a time. The purpose is to put your real SSH server on another port and then let the script kiddies get stuck in this tarpit instead of bothering a real server.
- `Glastopf `_ - Web Application Honeypot.
- `Glutton `_ - All eating honeypot.
- `HFish `_ - A cross platform honeypot platform developed based on golang, which has been meticulously built for enterprise security.
- `Heralding `_ - Sometimes you just want a simple honeypot that collects credentials, nothing more. Heralding is that honeypot! Currently the following protocols are supported: ftp, telnet, ssh, rdp, http, https, pop3, pop3s, imap, imaps, smtp, vnc, postgresql and socks5.
- `HonTel `_ - A Honeypot for Telnet service. Basically, it is a Python v2.x application emulating the service inside the chroot environment. Originally it has been designed to be run inside the Ubuntu/Debian environment, though it could be easily adapted to run inside any Linux environment.
- `HoneyPy `_ - A low to medium interaction honeypot.
- `HoneyTrap `_ - Advanced Honeypot framework.
- `Honeyd `_ - Create a virtual honeynet.
- `Honeypot `_ - Low interaction honeypot that displays real time attacks.
- `Honeything `_ - A honeypot for Internet of TR-069 things. It's designed to act as completely a modem/router that has RomPager embedded web server and supports TR-069 (CWMP) protocol.
- `HonnyPotter `_ - A WordPress login honeypot for collection and analysis of failed login attempts.
- `Kippo `_ - A medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
- `Kippo-graph `_ - Visualize statistics from a Kippo SSH honeypot.
- `Log4Pot `_ - A honeypot for the Log4Shell vulnerability (CVE-2021-44228).
- `MTPot `_ - Open Source Telnet Honeypot.
- `Maildb `_ - Python Web App to Parse and Track Email and http Pcap Files.
- `Mailoney `_ - A SMTP Honeypot I wrote just to have fun learning Python.
- `Miniprint `_ - A medium interaction printer honeypot.
- `Mnemosyne `_ - A normalizer for honeypot data; supports Dionaea.
- `MongoDB-HoneyProxy `_ - A honeypot proxy for mongodb. When run, this will proxy and log all traffic to a dummy mongodb server.
- `MysqlPot `_ - A mysql honeypot, still very very early stage.
- `NoSQLPot `_ - The NoSQL Honeypot Framework.
- `Nodepot `_ - A nodejs web application honeypot.
- `OWASP-Honeypot `_ - An open source software in Python language which designed for creating honeypot and honeynet in an easy and secure way.
- `OpenCanary `_ - A daemon that runs several canary versions of services that alerts when a service is (ab)used.
- `Phoneyc `_ - Pure Python honeyclient implementation.
- `Phpmyadmin_honeypot `_ - A simple and effective phpMyAdmin honeypot.
- `Servletpot `_ - Web application Honeypot.
- `Shadow Daemon `_ - A modular Web Application Firewall / High-Interaction Honeypot for PHP, Perl & Python apps.
- `Shiva `_ - Spam Honeypot with Intelligent Virtual Analyzer, is an open but controlled relay Spam Honeypot (SpamPot), built on top of Lamson Python framework, with capability of collecting and analyzing all spam thrown at it.
- `Smart-honeypot `_ - PHP Script demonstrating a smart honey pot.
- `Snare `_ - Super Next generation Advanced Reactive honEypot
- `SpamScope `_ - Fast Advanced Spam Analysis Tool.
- `StrutsHoneypot `_ - Struts Apache 2 based honeypot as well as a detection module for Apache 2 servers.
- `T-Pot `_ - The All In One Honeypot Platform.
- `Tango `_ - Honeypot Intelligence with Splunk.
- `Tanner `_ - A remote data analysis and classification service to evaluate HTTP requests and composing the response then served by SNARE. TANNER uses multiple application vulnerability type emulation techniques when providing responses for SNARE. In addition, TANNER provides Dorks for SNARE powering its luring capabilities.
- `Thug `_ - Low interaction honeyclient, for investigating malicious websites.
- `Twisted-honeypots `_ - SSH, FTP and Telnet honeypots based on Twisted.
- `Wetland `_ - A high interaction SSH honeypot.
- `Wordpot `_ - A WordPress Honeypot.
- `Wp-smart-honeypot `_ - WordPress plugin to reduce comment spam with a smarter honeypot.

Intelligence
------------

- `CobaltStrikeParser `_ - Python parser for CobaltStrike Beacon's configuration.
- `Cobaltstrike `_ - Code and yara rules to detect and analyze Cobalt Strike.
- `GreedyBear `_ - The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to prevent and detect attacks.
- `MISP Modules `_ - Modules for expansion services, import and export in MISP.
- `Misp-dashboard `_ - A dashboard for a real-time overview of threat intelligence from MISP instances.
- `Passivedns-client `_ - Provides a library and a query tool for querying several passive DNS providers.
- `Pybeacon `_ - A collection of scripts for dealing with Cobalt Strike beacons in Python.
- `Rt2jira `_ - Convert RT tickets to JIRA tickets.

Ops
---

- `Al-khaser `_ - Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
- `BASS `_ - BASS Automated Signature Synthesizer.
- `CSCGuard `_ - Protects and logs suspicious and malicious usage of .NET CSC.exe and Runtime C# Compilation.
- `CapTipper `_ - A python tool to analyze, explore and revive HTTP malicious traffic.
- `FLARE `_ - A fully customizable, Windows-based security distribution for malware analysis, incident response, penetration testing, etc.
- `FakeNet-NG `_ - A next generation dynamic network analysis tool for malware analysts and penetration testers. It is open source and designed for the latest versions of Windows.
- `Google-play-crawler `_ - Google-play-crawler is simply Java tool for searching android applications on GooglePlay, and also downloading them.
- `Googleplay-api `_ - An unofficial Python API that let you search, browse and download Android apps from Google Play (formerly Android Market).
- `Grimd `_ - Fast dns proxy that can run anywhere, built to black-hole internet advertisements and malware servers.
- `Hidden `_ - Windows driver with usermode interface which can hide objects of file-system and registry, protect processes and etc.
- `ImaginaryC2 `_ - A python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
- `Irma `_ - IRMA is an asynchronous & customizable analysis system for suspicious files.
- `KLara `_ - A project is aimed at helping Threat Intelligence researchers hunt for new malware using Yara.
- `Kraken `_ - Cross-platform Yara scanner written in Go.
- `Malboxes `_ - Builds malware analysis Windows VMs so that you don't have to.
- `Mquery `_ - YARA malware query accelerator (web frontend).
- `Node-appland `_ - NodeJS tool to download APKs from appland.
- `Node-aptoide `_ - NodeJS to download APKs from aptoide.
- `Node-google-play `_ - Call Google Play APIs from Node.
- `Pafish `_ - A demonstration tool that employs several techniques to detect sandboxes and analysis environments in the same way as malware families do.

Source Code
-----------

- `Android-malware `_ - Collection of android malware samples.
- `AsyncRAT-C-Sharp `_ - Open-Source Remote Administration Tool For Windows C# (RAT).
- `BYOB `_ - An open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.
- `BlackHole `_ - C# RAT (Remote Administration Tool).
- `Carberp `_ - Carberp leaked source code.
- `Coldfire `_ - Golang malware development library.
- `Fancybear `_ - Fancy Bear Source Code.
- `LOLBAS `_ - Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts).
- `Maldev `_ - Aims to help malware developers, red teamers and anyone who is interested in cybersecurity. It uses native Golang code and some other useful packages like Hooka which I created to perform complex low-level red teaming stuff.
- `Mirai `_ - Leaked Mirai Source Code for Research/IoC Development Purposes.
- `Morris Worm `_ - The original Morris Worm source code.
- `Pegasus_spyware `_ - Decompiled pegasus spyware.
- `RDP_Backdoor `_ - Configured RDP backdoors via UTILMAN and SETHC (sticykeys), disables NLA and enabled RDP and firewall fules.
- `SubSeven `_ - SubSeven Legacy Official Source Code Repository.
- `SvcHostDemo `_ - Demo service that runs in svchost.exe.
- `TinyNuke `_ - Zeus-style banking trojan.
- `TripleCross `_ - A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
- `Zerokit `_ - Zerokit/GAPZ rootkit (non buildable and only for researching).
- `Zeus `_ - Zeus version 2.0.8.9, leaked in 2011.

Static Analysis
---------------

- `APKinspector `_ - A powerful GUI tool for analysts to analyze the Android applications.
- `Aa-tools `_ - Artifact analysis tools by JPCERT/CC Analysis Center.
- `Androwarn `_ - Detect and warn the user about potential malicious behaviours developed by an Android application.
- `ApkAnalyser `_ - A static, virtual analysis tool for examining and validating the development work of your Android app.
- `Argus-SAF `_ - Argus static analysis framework.
- `Arya `_ - The Reverse YARA is a unique tool that produces pseudo-malicious files meant to trigger YARA rules. You can think of it like a reverse YARA because it does exactly the opposite - it creates files that matches your rules.
- `CAPA `_ - The FLARE team's open-source tool to identify capabilities in executable files.
- `CFGScanDroid `_ - Control Flow Graph Scanning for Android.
- `ConDroid `_ - Symbolic/concolic execution of Android apps.
- `DroidLegacy `_ - Static analysis scripts.
- `FSquaDRA `_ - Fast detection of repackaged Android applications based on the comparison of resource files included into the package.
- `Floss `_ - FireEye Labs Obfuscated String Solver. Automatically extract obfuscated strings from malware.
- `Inspeckage `_ - Android Package Inspector - dynamic analysis with api hooks, start unexported activities and more.
- `Maldrolyzer `_ - Simple framework to extract "actionable" data from Android malware (C&Cs, phone numbers, etc).
- `PEfile `_ - Read and work with Portable Executable (aka PE) files.
- `PEview `_ - A quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files.
- `PScout `_ - Analyzing the Android Permission Specification.
- `Pdfminer `_ - A tool for extracting information from PDF documents.
- `Peepdf `_ - A Python tool to explore PDF files in order to find out if the file can be harmful or not. The aim of this tool is to provide all the necessary components that a security researcher could need in a PDF analysis without using 3 or 4 tools to make all the tasks.
- `Quark-engine `_ - A trust-worthy, practical tool that's ready to boost up your malware reverse engineering.
- `SmaliSCA `_ - Smali Static Code Analysis.
- `Sysinternals Suite `_ - The Sysinternals Troubleshooting Utilities.
- `Tlsh `_ - Trend Micro Locality Sensitive Hash is a fuzzy matching library. Given a byte stream with a minimum length of 50 bytes TLSH generates a hash value which can be used for similarity comparisons. Similar objects will have similar hash values which allows for the detection of similar objects by comparing their hash values. Note that the byte stream should have a sufficient amount of complexity. For example, a byte stream of identical bytes will not generate a hash value.
- `Yara `_ - Identify and classify malware samples.
- `Yobi `_ - Yara Based Detection Engine for web browsers.

Network
=======

Analysis
--------

- `Bro `_ - A powerful network analysis framework that is much different from the typical IDS you may know.
- `Fatt `_ - A pyshark based script for extracting network metadata and fingerprints from pcap files and live network traffic.
- `Nidan `_ - An active network monitor tool.
- `Pytbull `_ - A python based flexible IDS/IPS testing framework.
- `Sguil