Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/jesusprubio/awesome-nodejs-pentest
:skull_and_crossbones: Delightful Node.js packages useful for penetration testing, exploiting, reverse engineer, cryptography ...
https://github.com/jesusprubio/awesome-nodejs-pentest
List: awesome-nodejs-pentest
Last synced: about 1 month ago
JSON representation
:skull_and_crossbones: Delightful Node.js packages useful for penetration testing, exploiting, reverse engineer, cryptography ...
- Host: GitHub
- URL: https://github.com/jesusprubio/awesome-nodejs-pentest
- Owner: jesusprubio
- Archived: true
- Created: 2019-03-10T17:05:19.000Z (almost 6 years ago)
- Default Branch: master
- Last Pushed: 2021-06-19T06:20:42.000Z (over 3 years ago)
- Last Synced: 2024-05-20T03:39:24.709Z (7 months ago)
- Homepage:
- Size: 46.9 KB
- Stars: 410
- Watchers: 15
- Forks: 50
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Contributing: .github/CONTRIBUTING.md
- Code of conduct: .github/CODE_OF_CONDUCT.md
- Codeowners: .github/CODEOWNERS
Awesome Lists containing this project
- awesome-rainmana - jesusprubio/awesome-nodejs-pentest - :skull_and_crossbones: Delightful Node.js packages useful for penetration testing, exploiting, reverse engineer, cryptography ... (Others)
- awesome-security-collection - **222**星
README
# Awesome Node.js for pentesters
:skull_and_crossbones: Delightful [Node.js](https://nodejs.org) packages useful for penetration testing, exploiting, reverse engineer, cryptography ...
## Contents
- [Awesome Node.js for penetration testers](#awesome-nodejs-for-penetration-testers)
- [Contents](#contents)
- [Misc](#misc)
- [Web](#web)
- [OSINT](#osint)
- [Exposed](#exposed)
- [Geolocation](#geolocation)
- [Fingerprint](#fingerprint)
- [Web](#web-1)
- [Network map](#network-map)
- [IP](#ip)
- [Port](#port)
- [CIDR](#cidr)
- [ARP](#arp)
- [DHCP](#dhcp)
- [Brute-force](#brute-force)
- [Fuzzing](#fuzzing)
- [Exploitation](#exploitation)
- [DNS](#dns)
- [Network](#network)
- [Post-exploitation](#post-exploitation)
- [Reverse shell](#reverse-shell)
- [Code review](#code-review)
- [Dependencies](#dependencies)
- [Cryptography](#cryptography)
- [Malware](#malware)
- [Reverse engineering](#reverse-engineering)
- [radare](#radare)
- [Extra](#extra)
- [Checklists](#checklists)
- [Vulnerable apps](#vulnerable-apps)
- [Contribute](#contribute)
- [License](#license)## Misc
- [Pown.js](https://github.com/pownjs/pown) - Security testing an exploitation toolkit.
- [Brosec](https://github.com/gabemarshall/Brosec) - Interactive reference tool to help security professionals utilize useful payloads and commands.
- [netcat](https://github.com/roccomuso/netcat) - Netcat port in pure JS.
- [Honeypot](https://github.com/Shmakov/Honeypot) - Low interaction honeypot that displays real time attacks.
- [default-gateway](https://github.com/silverwind/default-gateway) - Get the default network gateway, cross-platform.### Web
- [ZAP API](https://github.com/zaproxy/zap-api-nodejs) - Implementation to access the OWASP ZAP API.
- [got](https://github.com/sindresorhus/got) - Simplified HTTP requests.## OSINT
- [Sherlock.js](https://github.com/GitSquared/sherlock-js) - Find usernames across over 75 social networks - Remake of sdushantha/sherlock.
- [whois](https://github.com/FurqanSoftware/node-whois) - Whois protocol client.### Exposed
- [Shodan client](https://github.com/jesusprubio/shodan-client.js) - Library for accessing the new Shodan API.
- [censys](https://github.com/b4dnewz/node-censys) - Unofficial wrapper for the Censys API.### Geolocation
- [geoip](https://github.com/bluesmoon/node-geoip) - Native NodeJS implementation of MaxMind's GeoIP API.
- [iplocation](https://github.com/roryrjb/iplocation) - Get IP location information using various providers.
- [ipify](https://github.com/sindresorhus/ipify) - Get your public IP address.## Fingerprint
### Web
- [Harvester](https://github.com/TransparencyToolkit/Harvester) - Web crawling and document processing through a usable interface.
- [Paskto](https://github.com/cloudtracer/paskto) - Passive web scanner.
- [Squidwarc](https://github.com/N0taN3rd/Squidwarc) - High fidelity, user scriptable, archival crawler that uses Chrome or Chromium with or without a head.
- [snap-shot-it](https://www.npmjs.com/package/snap-shot-it) - Smarter snapshot utility.### Network map
- [evilscan](https://github.com/eviltik/evilscan) - Simple network scanner.
- [nmap](https://github.com/Johnhhorton/node-nmap) - Wrapper interfacing with local Nmap installation.
- [tcpie](https://github.com/silverwind/tcpie) - CLI tool to ping any TCP port.
- [wifi](https://github.com/friedrith/node-wifi) - Tool to manage connections, scans, etc.### IP
- [is-reachable](https://github.com/sindresorhus/is-reachable) - Check if servers are reachable.
- [is-online](https://github.com/sindresorhus/is-online) - Check if the internet connection is up.
- [public-ip](https://github.com/sindresorhus/public-ip) - Get your public IP address - very fast!.
- [internal-ip](https://github.com/sindresorhus/internal-ip) - Get your internal IP address.
- [ipaddr.js](https://github.com/whitequark/ipaddr.js) - IP address manipulation library.
- [is-local-ip](https://github.com/DylanPiercey/is-local-ip) - Check that a given ip address is private.
- [ip-ptr](https://github.com/silverwind/ip-ptr) - Get the PTR name for a given IPv4 or IPv6 address.### Port
- [get-port](https://github.com/sindresorhus/get-port) - Get an available port.
- [port-numbers](https://github.com/silverwind/port-numbers) - Get information on network port numbers and services, based on IANA's public listing.
- [tcp-port-used](https://github.com/stdarg/tcp-port-used) - Simple module to check if a TCP port is already bound.### CIDR
- [cidr](https://github.com/arminhammer/node-cidr) - Library for manipulating IP addresses and subnets using CIDR notation.
- [cidr-tools](https://github.com/silverwind/cidr-tools) - Tools to work with IPv4 and IPv6 CIDR network lists.
- [is-cidr](https://github.com/silverwind/is-cidr) - Check if a string is an IP address in CIDR.### ARP
- [arp-scan](https://github.com/goliatone/arpscan) - Simple apr-scan wrapper.
- [oui](https://github.com/silverwind/oui) - Look up MAC addresses for their vendor in the IEEE OUI.
- [getmac](https://github.com/bevry/getmac) - Get the computer MAC address.### DHCP
- [net-ping](https://github.com/nospaceships/node-net-ping) - Ping and trace route to many hosts at once.
- [dhcp](https://github.com/infusion/node-dhcp) - DHCP client and server.## Brute-force
- [nodebuster](https://github.com/phra/nodebuster) - Yet another DirBuster clone, to brute-force directories and files on HTTP(S) servers.
- [subquest](https://github.com/skepticfx/subquest) - Fast, Elegant subdomain DNS scanner.## Fuzzing
- [octo](https://github.com/mozillasecurity/octo) - Standard library for fuzzing.
- [eslump](https://github.com/lydell/eslump) - Fuzz testing JavaScript parsers and suchlike programs.
- [sinkdweller](https://github.com/rarecoil/sinkdweller) - A simple wrapper for radamsa.
- [Faker.js](https://github.com/marak/Faker.js) - Generate massive amounts of realistic fake data.## Exploitation
- [text2cpe](https://github.com/cloudtracer/text2cpe) - Reversed sorta implementation of CPE Name detection in ShoVAT based on research paper.
- [PegaSwitch](https://github.com/reswitched/pegaswitch) - Exploit toolkit for the Nintendo Switch.### DNS
- [whonow](https://github.com/brannondorsey/whonow) - Malicious DNS server for executing DNS Rebinding attacks on the fly.
- [dref](https://github.com/mwrlabs/dref) - DNS Rebinding Exploitation Framework.### Network
- [mitm](https://github.com/moll/node-mitm) - Intercept and mock outgoing network TCP connections and HTTP requests.
- [toxy](https://github.com/h2non/toxy) - Hackable HTTP proxy for resiliency testing and simulated network conditions.
- [slowloris.js](https://gist.github.com/ktfth/f24ff4cf7f23d87f56d02485c8f678f4) - DDoS script## Post-exploitation
### Reverse shell
- [Reverse Shell aaS](https://github.com/lukechilds/reverse-shell) - Easy to remember reverse shell that should work on most Unix-like systems.
- [alveare](https://github.com/roccomuso/alveare) - Multi-client, multi-threaded reverse shell handler.## Code review
- [electronegativity](https://github.com/doyensec/electronegativity) - Static analysis tool to identify misconfigurations and security anti-patterns in Electron applications.
- [eslint-plugin-security](https://github.com/nodesecurity/eslint-plugin-security) - This project will help identify potential security hotspots, but finds a lot of false positives which need triage by a human.
- [repo-supervisor](https://github.com/auth0/repo-supervisor) - Scan your code for security misconfiguration, search for passwords and secrets.
- [vuln-regex-detector](https://github.com/davisjam/vuln-regex-detector) - Detect vulnerable regexes. REDOS, catastrophic backtracking.### Dependencies
- [run-npm-audit](https://www.npmjs.com/package/run-npm-audit) - Use npm audit programmatically.
- [npm-check-updates](https://github.com/tjunnone/npm-check-updates) - Find newer versions of package dependencies than what your package.json or bower.json allows.
- [depcheck](https://github.com/depcheck/depcheck) - Check your npm module for unused dependencies.
- [auditjs](https://github.com/OSSIndex/auditjs) - Audits a package.json using the OSS Index v3 REST API to identify known vulnerabilities and outdated package versions.## Cryptography
- [crypto-js](https://github.com/brix/crypto-js) - Library of crypto standards.
- [rsa](https://github.com/rzcoder/node-rsa) - Pure JavaScript RSA library.
- [seedrandom](https://github.com/davidbau/seedrandom) - Seeded random number generator for JavaScript.
- [Qiskit.js](https://github.com/Qiskit/qiskit-js/tree/master/packages/qiskit-devs) - True random numbers generation through quantum computing.
- [upash](https://github.com/simonepri/upash) - Unified API for all password hashing algorithms.## Malware
- [nodeCrypt](https://github.com/atmoner/nodeCrypto) - Linux Ransomware written in NodeJs that encrypt predefined files.
- [malware-jail](https://github.com/HynekPetrak/malware-jail) - Sandbox for semi-automatic Javascript malware analysis, deobfuscation and payload extraction.
- [virustotal-api](https://github.com/yousefvand/virustotal-api) - [Virustotal](https://www.virustotal.com) API v2.0 wrapper.
- [MalwareWorld](https://github.com/carlospolop/MalwareWorld) - System based on +500 blacklists and 5 external intelligences to detect internet potencially malicious hosts.
- [box.js](https://github.com/CapacitorSet/box-js) - Utility to analyze malicious JavaScript.## Reverse engineering
### radare
- [r2pipe](https://github.com/radare/radare2-r2pipe/tree/master/nodejs/r2pipe) - Pipe bindings for radare2.
- [frida-node](https://github.com/frida/frida-node) - Bindings for Frida.
- [r2Frida](https://github.com/nowsecure/r2frida) - Radare2 and Frida better together.## Extra
### Checklists
- [Strong Node.js](https://github.com/jesusprubio/strong-node) - More than 100 security checks for your Node.js API.
- [Security checklist](https://blog.risingstack.com/node-js-security-checklist) - Quick list to cover the most critical risks.
- [npm security cheat sheet](https://snyk.io/blog/ten-npm-security-best-practices) - 10 npm Security Best Practices.
- [Best Practices](https://github.com/i0natan/nodebestpractices#6-security-best-practices) - Security section of this general list.### Vulnerable apps
- [OWASP NodeGoat](https://github.com/OWASP/NodeGoat) - Provides an environment to learn how OWASP Top 10 security risks and how to effectively address them.
- [OWASP Juice Shop](https://github.com/bkimminich/juice-shop) - Probably the most modern and sophisticated insecure web application.
- [DVNA](https://github.com/appsecco/dvna) - Damn Vulnerable Application is a simple application to demonstrate OWASP Top 10 Vulnerabilities and guide on fixing and avoiding these vulnerabilities.## Contribute
:sunglasses: If you'd like to help please take a look to our [contribution guidelines](.github/CONTRIBUTING.md).
## License
[![Creative Commons License](https://mirrors.creativecommons.org/presskit/buttons/88x31/svg/by.svg)](http://creativecommons.org/licenses/by/4.0)
:penguin: This work is licensed under a [Creative Commons Attribution 4.0 International License](http://creativecommons.org/licenses/by/4.0).