Congratulations on finding this trove. This page collects well-regarded offensive and defensive tool projects from across the Internet: information-gathering tools (automated exploitation, asset discovery, directory scanning, subdomain collection and more), exploitation tools (for major CMSes, middleware and so on), intranet penetration tools, incident response tools, operations tools for enterprise (Party A, i.e. customer-side/defender) security teams, and other security resources, for use by both attackers and defenders. Suggestions for improvement are welcome, as are submissions of further tools.
Semi/fully automated exploitation tools
Project name | Project address | Project description |
---|---|---|
ShuiZe_0x727 | https://github.com/0x727/ShuiZe_0x727 | One-stop service: enter a root domain and it collects related assets from every angle and checks them for vulnerabilities. Multiple domains, C-class IP ranges and similar inputs are also accepted. |
nemo_go | https://github.com/hanc00l/nemo_go | Automated information collection |
gosint | https://github.com/1in9e/gosint | Distributed asset information collection and vulnerability scanning platform |
ApolloScanner | https://github.com/b0bac/ApolloScanner | Automated cruise-scanning framework (suitable for red team assessments) |
reNgine | https://github.com/yogeshojha/rengine | Automated reconnaissance framework |
Railgun | https://github.com/lz520520/railgun | GUI-based automation tool |
onlinetools | https://github.com/iceyhexman/onlinetools | Online CMS identification, information leak checks, ICS/IoT security, CMS vulnerability scanning, nmap port scanning, subdomain acquisition and more (work in progress) |
AlliN | https://github.com/P1-Team/AlliN | A comprehensive tool that assists ordinary penetration testing projects or quick management of offensive and defensive engagements |
AWVS-GUI | https://github.com/x364e3ab6/AWVS-13-SCAN-PLUS | Acunetix Web Vulnerability Scanner, GUI version |
vajra | https://github.com/r3curs1v3-pr0xy/vajra | A highly customizable automated web scanning framework |
bayonet | https://github.com/CTF-MissFeng/bayonet | Integrated asset management system covering subdomains, port services, vulnerabilities, crawlers and more |
kscan | https://github.com/lcvvvv/kscan | Automatic port scanning, TCP fingerprinting and banner grabbing for specified IP ranges, asset lists and live network segments |
Asset discovery tools
Project name | Project address | Project description |
---|---|---|
linglong | https://github.com/awake1t/linglong | Asset "infinite cruise" scanning system |
LangSrcCurise | https://github.com/LangziFun/LangSrcCurise | SRC subdomain asset monitoring |
ARL (Lighthouse) | https://github.com/TophantTechnology/ARL | Quickly reconnoitre the Internet assets associated with a target and build a basic asset inventory. |
AppInfoScanner | https://github.com/kelvinBen/AppInfoScanner | Information collection and scanning tool for mobile targets (Android, iOS, web, H5, static sites) |
GRecon | https://github.com/TebbaaX/GRecon | Information collection built around Google hacking (dork) syntax |
Subdomain collection tools
Project description | Project address | Project name |
---|---|---|
Online subdomain collection | https://rapiddns.io/subdomain | rapiddns |
Domain discovery from SSL certificate scans | https://myssl.com/ | myssl |
A powerful subdomain collection tool | https://github.com/shmilylty/OneForAll | OneForAll |
Stateless subdomain brute-forcing tool | https://github.com/knownsec/ksubdomain | ksubdomain |
Easy-to-use and powerful subdomain scanning tool | https://github.com/yunxu1/dnsub | dnsub |
Layer subdomain digger | https://github.com/euphrat1ca/LayerDomainFinder | Layer |
SRC subdomain monitoring | https://github.com/LangziFun/LangSrcCurise | LangSrcCurise |
Discovers valid subdomains of a website using passive online sources | https://github.com/projectdiscovery/subfinder | subfinder |
Directory scanning tools
Project description | Project address | Project name |
---|---|---|
Web path scanner (directory brute-forcing) | https://github.com/maurosoria/dirsearch | dirsearch |
A fast, simple, recursive content discovery tool written in Rust | https://github.com/epi052/feroxbuster | feroxbuster |
Fast web fuzzer written in Go | https://github.com/ffuf/ffuf | ffuf |
An advanced web directory and file scanning tool | https://github.com/H4ckForJob/dirmap | dirmap |
Sensitive directory discovery tool for websites | https://github.com/deibit/cansina | cansina |
Yujian (御剑) backend directory scanner, collector's edition | https://www.fujieace.com/hacker/tools/yujian.html | Yujian |
Directory/subdomain scanner written in Go | https://github.com/ReddyyZ/urlbrute | urlbrute |
Fingerprint identification tools
Project description | Project address | Project name |
---|---|---|
Red team fingerprint detection tool for identifying key (high-value) systems to attack | https://github.com/EdgeSecurityTeam/EHole | EHole |
A full-featured web fingerprint identification and sharing platform, shipping with more than 10,000 open-source fingerprints collected from the Internet | https://github.com/b1ackc4t/14Finger | 14Finger |
A web application fingerprinting tool | https://github.com/urbanadventurer/WhatWeb | WhatWeb |
Go implementation of Wappalyzer fingerprint recognition | https://github.com/projectdiscovery/wappalyzergo | wappalyzergo |
A fingerprint detection tool for red teams to find live hosts and key attack targets among large numbers of assets | https://github.com/EASY233/Finger | Finger |
Glass is a quick fingerprinting tool for asset lists | https://github.com/s7ckTeam/Glass | Glass |
Port scanning tools
Project description | Project address | Project name |
---|---|---|
TXPortMap is a practical tool for port scanning and service identification | https://github.com/4dogs-cn/TXPortMap | TXPortMap |
High-concurrency network scanning and service detection tool written in Go | https://github.com/Adminisme/ServerScan | ServerScan |
Fast port scanner written in Go | https://github.com/projectdiscovery/naabu | naabu |
masnmapscan is a port scanner that integrates masscan and nmap | https://github.com/hellogoldsnakeman/masnmapscan-V1.0 | masnmapscan |
gonmap is a Go port scanning library modelled on nmap | https://github.com/lcvvvv/gonmap | gonmap |
Online port scan 1 | http://coolaf.com/tool/port | online tool 1 |
Online port scan 2 | http://tool.cc/port/ | online tool 2 |
Xiaomi Fan | | |
Burp Suite and browser plugins
Project description | Project address | Project name |
---|---|---|
A collection of Burp Suite plugins (not from the BApp Store), articles and tips | https://github.com/Mr-xn/BurpSuite-collections | BurpSuite-collections |
A passive Shiro detection plugin for Burp Suite | https://github.com/pmiaowu/BurpShiroPassiveScan | BurpShiroPassiveScan |
A passive Fastjson detection plugin for Burp Suite | https://github.com/pmiaowu/BurpFastJsonScan | BurpFastJsonScan |
Fastjson vulnerability Burp plugin; detects Fastjson versions below 1.2.68 via DNSLog | https://github.com/zilong3033/fastjsonScan | fastjsonScan |
Burp Suite helper plugin for request highlighting and information extraction | https://github.com/gh0stkey/HaE | HaE |
domain_hunter_pro is a Burp plugin for asset management | https://github.com/bit4woo/domain_hunter_pro | domain_hunter_pro |
GadgetProbe is a Burp plugin that brute-forces remote class names to find Java deserialization gadgets | https://github.com/BishopFox/GadgetProbe | GadgetProbe |
Burp Suite plugin for payload autocompletion | https://github.com/synacktiv/HopLa | HopLa |
Captcha recognition helper for Burp Suite | https://github.com/f0ng/captcha-killer-modified | captcha-killer-modified |
Burp plugin for spoofing the client IP address | https://github.com/TheKingOfDuck/burpFakeIP | burpFakeIP |
Automatically re-sends requests with modifications | https://github.com/nccgroup/AutoRepeater | AutoRepeater |
Hack-Tools browser extension for red teams | https://github.com/LasCC/Hack-Tools | Hack-Tools |
SwitchyOmega browser proxy-switching extension | https://github.com/FelisCatus/SwitchyOmega | SwitchyOmega |
Chrome extension for finding DOM XSS with DevTools | https://github.com/filedescriptor/untrusted-types | untrusted-types |
FOFA Pro View is a browser plugin that displays FOFA Pro asset data | https://github.com/fofapro/fofa_view | fofa_view |
Chrome and Firefox extension for OSINT search | https://github.com/ninoseki/mitaka | mitaka |
Git History: view the history of files in a git repository | https://githistory.xyz/ | Git History |
Exploitation tools
Information disclosure tools
Project description | Project address | Project name |
---|---|---|
Swagger REST API information disclosure tool | https://github.com/lijiejie/swagger-exp | swagger-exp |
Automatically crawls and tests all interfaces exposed via swagger-ui.html | https://github.com/jayus0821/swagger-hack | swagger-hack |
Packer Fuzzer is a scanning tool for websites built with front-end bundlers such as Webpack | https://github.com/rtcatc/Packer-Fuzzer | Packer-Fuzzer |
SvnExploit dumps source code from leaked .svn directories and supports all SVN versions | https://github.com/admintony/svnExploit | svnExploit |
Tool to dump git repositories from websites that expose .git | https://github.com/arthaud/git-dumper | git-dumper |
GitDorker scrapes sensitive information from GitHub using a large dork repository | https://github.com/obheda12/GitDorker | GitDorker |
Extracts sensitive information from JavaScript files | https://github.com/m4ll0k/SecretFinder | SecretFinder |
A JavaScript analysis automation script with additional functions | https://github.com/KathanP19/JSFScan.sh | JSFScan |
Vulnerability scanning frameworks/tools
Project description | Project address | Project name |
---|---|---|
A framework for accurate detection and deep exploitation of high-risk vulnerabilities | https://github.com/woodpecker-framework/woodpecker-framwork-release | woodpecker-framework |
Web vulnerability attack framework | https://github.com/Anonymous-ghost/AttackWebFrameworkTools | AttackWebFrameworkTools |
Open-source remote vulnerability testing framework | https://github.com/knownsec/pocsuite3 | pocsuite3 |
A new open-source online PoC testing framework | https://github.com/jweny/pocassist | pocassist |
A powerful security assessment tool | https://github.com/chaitin/xray | Xray |
Network security testing tool | https://github.com/gobysec/Goby | Goby |
Vulmap is a web vulnerability scanning and verification tool | https://github.com/zhzyker/vulmap | Vulmap |
Middleware exploitation tools
Project description | Project address | Project name |
---|---|---|
Comprehensive high-risk exploitation tool | https://github.com/Liqunkit/LiqunKit_ | LiqunKit |
Exploitation tool for the Spring family | https://github.com/SummerSec/SpringExploit | SpringExploit |
Comprehensive exploitation of the Shiro deserialization vulnerability (command execution with echo, in-memory shell injection); fixes the NoCC (no CommonsCollections) issue of the original version | https://github.com/SummerSec/ShiroAttack2 | ShiroAttack2 |
Comprehensive exploitation of the Shiro deserialization vulnerability (command execution with echo, in-memory shell injection) | https://github.com/j1anFen/shiro_attack | shiro_attack |
Fastjson vulnerability rapid exploitation framework | https://github.com/c0ny1/FastjsonExploit | FastjsonExploit |
Automated exploitation tool for Fastjson command execution | https://github.com/wyzxxz/fastjson_rce_tool | fastjson_rce_tool |
One-click Fastjson command execution | https://github.com/mrknow001/fastjson_rec_exploit | fastjson_rec_exploit |
JBoss (and Java deserialization vulnerability) verification and exploitation tool | https://github.com/joaomatosf/jexboss | jexboss |
WebLogic exploitation tool | https://github.com/0nise/weblogic-framework | weblogic-framework |
WebLogic information detection plugin for the woodpecker framework | https://github.com/woodpecker-appstore/weblogic-infodetector | weblogic-infodetector |
One-click attack test tool for Dubbo deserialization | https://github.com/threedr3am/dubbo-exp | dubbo-exp |
Attack framework for Jenkins | https://github.com/Accenture | jenkins-attack-framework |
Jiraffe is a semi-automatic security tool for exploiting Jira instances | https://github.com/0x48piraj/Jiraffe | Jiraffe |
Struts2 vulnerability scanning tool, Go version | https://github.com/xwuyi/STS2G | STS2G |
Struts2 full vulnerability scanning tool | https://github.com/HatBoy/Struts2-Scan | Struts2-Scan |
Tricks for turning the Spring Boot fat-jar arbitrary file write vulnerability into a stable RCE | https://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks | spring-boot-upload-file-lead-to-rce-tricks |
Major CMS exploitation tools
Project description | Project address | Project name |
---|---|---|
Seeyon (致远) OA comprehensive exploitation tool | https://github.com/Summer177/seeyon_exp | seeyon_exp |
Tongda (通达) OA comprehensive exploitation tool | https://github.com/xinyu2428/TDOA_RCE | TDOA_RCE |
Landray (蓝凌) OA exploitation tool: unauthenticated front-end RCE / file write | https://github.com/yuanhaiGreg/LandrayExploit | LandrayExploit |
Weaver (泛微) OA comprehensive exploitation script | https://github.com/z1un/weaver_exp | weaver_exp |
Ruijie Networks EG easy gateway RCE batch security check | https://github.com/Tas9er/EgGateWayGetShell | EgGateWayGetShell |
CMSmap is a security scanner for popular CMSes | https://github.com/Dionach/CMSmap | CMSmap |
WordPress vulnerability scanner written in Go | https://github.com/blackbinn/wprecon | wprecon |
A Ruby framework designed to help with penetration testing of WordPress systems | https://github.com/rastating/wordpress-exploit-framework | wordpress-exploit-framework |
WPScan WordPress security scanner | https://github.com/wpscanteam/wpscan | wpscan |
WPForce WordPress attack kit | https://github.com/n00py/WPForce | WPForce |
General exploitation tools
Project description | Project address | Project name |
---|---|---|
Fast DOM-based XSS vulnerability scanner | https://github.com/dwisiswant0/findom-xss | findom-xss |
BeEF, the Browser Exploitation Framework, widely used as an XSS platform | https://github.com/beefproject/beef | beef |
Database exploitation tools
Project description | Project address | Project name |
---|---|---|
MDUT 2.0 (Multiple Database Utilization Tools) | https://github.com/SafeGroceryStore/MDUT | MDUT |
Comprehensive high-risk exploitation tool (covers the major databases) | https://github.com/Liqunkit/LiqunKit_ | LiqunKit |
SQL Server exploitation tool | https://github.com/uknowsec/SharpSQLTools | SharpSQLTools |
Lateral movement in constrained environments through a compromised Microsoft SQL Server via socket reuse | https://github.com/blackarrowsec/mssqlproxy | mssqlproxy |
ODAT: Oracle Database Attack Tool | https://github.com/quentinhardy/odat | ODAT |
Brute-force tools
Project description | Project address | Project name |
---|---|---|
A scanning and brute-force tool that combines features of tools such as fscan and kscan | https://github.com/i11us0ry/goon | goon |
Super weak password checker, a weak password audit tool for Windows | https://github.com/shack2/SNETCracker | SNETCracker |
Brute-forcing of middleware login interfaces | https://github.com/koutto/web-brutator | Web-Brutator |
WebCrack is a batch detection tool for weak/universal passwords on web admin backends | https://github.com/yzddmr6/WebCrack | WebCrack |
zero-crack: brute-force gadget for web applications | https://github.com/0-sec/zero-crack | zero-crack |
Very fast WordPress brute-force tool | https://github.com/22XploiterCrew-Team/WordPress-Brute-Force | WordPress-Brute-Force |
ssb: a faster and simpler tool for brute-forcing SSH servers | https://github.com/kitabisa/ssb | ssb |
rsync weak password scanning (brute force) | https://github.com/hi-unc1e/some_scripts/blob/master/EXPs/rsync_weakpass.py | rsync_weakpass |
Dictionary collections
Project description | Project address | Project name |
---|---|---|
Common default device/application passwords collected from the Internet | https://forum.ywhack.com/bountytips.php?password | EdgeTeam |
Default password tables for Huawei series devices collected from the Internet | https://forum.ywhack.com/bountytips.php?huawei | EdgeTeam |
Dictionaries for penetration testing, SRC vulnerability hunting, brute-forcing and fuzzing | https://github.com/insightglacier/Dictionary-Of-Pentesting | Dictionary-Of-Pentesting |
Fuzz dictionary, one is enough | https://github.com/TheKingOfDuck/fuzzDicts | fuzzDicts |
Web fuzzing dictionary with some payloads | https://github.com/gh0stkey/Web-Fuzzing-Box | Web-Fuzzing-Box |
Upload vulnerability fuzz dictionary generation script | https://github.com/c0ny1/upload-fuzz-dic-builder | upload-fuzz-dic-builder |
Collection of multiple types of lists used during security assessments | https://github.com/danielmiessler/SecLists | SecLists |
Payload library for penetration testers and bug bounty hunters | https://github.com/sh377c0d3/Payloads | Payloads |
Weak password dictionaries distilled from real engagements | https://github.com/fuzz-security/SuperWordlist | SuperWordlist |
Top-25 parameter dictionaries for various vulnerability classes | https://github.com/lutfumertceylan/top25-parameter | top25-parameter |
Strong and weak passwords extracted and filtered from previously leaked password sets | https://github.com/r35tart/RW_Password | RW_Password |
Intranet penetration tools
Webshell management tools
Project description | Project address | Project name |
---|---|---|
Godzilla webshell management tool | https://github.com/BeichenDream/Godzilla | Godzilla |
"Behinder" (Ice Scorpion) dynamic binary encryption website management client | https://github.com/rebeyond/Behinder | Behinder |
AntSword is an open-source cross-platform website management tool | https://github.com/AntSwordProject/antSword | antSword |
One-liner (一句话) webshell management tool | https://github.com/boy-hack/WebshellManager | WebshellManager |
Cross-platform China Chopper (Cknife) | https://github.com/Chora10/Cknife | Cknife |
Password extraction tools
Project description | Project address | Project name |
---|---|---|
Extracts passwords from a variety of applications | https://github.com/kerbyj/goLazagne | goLazagne |
Reads saved passwords from common programs such as Navicat, TeamViewer, FileZilla and WinSCP | https://github.com/RowTeam/SharpDecryptPwd | SharpDecryptPwd |
Xshell and Xftp password decryption tool | https://github.com/JDArmy/SharpXDecrypt | SharpXDecrypt |
Export tool that decrypts browser data (passwords, history, cookies, bookmarks, credit cards, download records); supports mainstream browsers on all platforms | https://github.com/moonD4rk/HackBrowserData/ | HackBrowserData |
Extracts the identification code and verification code from the Sunflower (向日葵) remote desktop tool | https://github.com/wafinfo/Sunflower_get_Password | Sunflower_get_Password |
One-click Cobalt Strike script and decryption gadget for grabbing 360 Secure Browser passwords | https://github.com/hayasec/360SafeBrowsergetpass | 360SafeBrowsergetpass |
BrowserGhost tool for grabbing browser passwords | https://github.com/QAX-A-Team/BrowserGhost | BrowserGhost |
win-brute-logon cracks any Microsoft Windows user password without elevated privileges | https://github.com/DarkCoderSc/win-brute-logon | win-brute-logon |
Obtains the TeamViewer password while bypassing anti-virus software | https://github.com/wafinfo/TeamViewer | TeamViewer |
Xdecrypt: Xshell and Xftp password decryption | https://github.com/dzxs/Xdecrypt | Xdecrypt |
Lateral movement tools
Project description | Project address | Project name |
---|---|---|
Mimikatz, the Windows credential extraction tool | https://github.com/gentilkiwi/mimikatz | mimikatz |
RPC-based lateral movement tool with file upload and command execution | https://github.com/QAX-A-Team/sharpwmi | sharpwmi |
Quick generator for file download commands | https://forum.ywhack.com/bountytips.php?download | download command generator |
One-click generator for reverse shell commands | https://forum.ywhack.com/shell.php | reverse shell generator |
ATT&CK lateral movement technique summary | https://attack.mitre.org/tactics/TA0008/ | ATT&CK |
Pass-the-hash to a named pipe for token impersonation | https://github.com/S3cur3Th1sSh1t/NamedPipePTH | NamedPipePTH |
Common lateral movement and domain controller persistence methods | https://xz.aliyun.com/t/9382 | Methodology |
Tunnel and proxy tools
Project description | Project address | Project name |
---|---|---|
A cross-platform proxy client that supports several SOCKS protocols | https://www.proxifier.com/ | proxifier |
High-performance reverse proxy application focused on intranet penetration | https://github.com/fatedier/frp | frp |
Lightweight, high-performance, feature-rich intranet penetration proxy server | https://github.com/ehang-io/nps | nps |
Improved version of reGeorg | https://github.com/L-codes/Neo-reGeorg | Neo-reGeorg |
A tool that tunnels TCP data over the DNS protocol | https://github.com/alex-sector/dns2tcp | dns2tcp |
A DNS tunnelling tool | https://github.com/iagox86/dnscat2 | dnscat2 |
Intranet penetration proxy and port forwarding tool | http://rootkiter.com/Termite/ | Termite |
A simple reverse ICMP shell | https://github.com/inquisb/icmpsh | icmpsh |
Forward/reverse proxy, intranet penetration and port forwarding | https://github.com/inconshreveable/ngrok | ngrok |
Pingtunnel forwards TCP/UDP/SOCKS5 traffic disguised as ICMP traffic | https://github.com/esrrhs/pingtunnel | pingtunnel |
pystinger: forwards traffic through a webshell for hosts without outbound network access | https://github.com/FunnyWolf/pystinger | pystinger |
goproxy is a lightweight, powerful, high-performance proxy tool | https://github.com/snail007/goproxy | goproxy |
A reverse proxy tool that lets a Cobalt Strike beacon check in from a target without outbound network access | https://github.com/Daybr4ak/C2ReverseProxy | C2ReverseProxy |
Ops, enterprise (Party A) and defender tools
Emergency response tools
Project description | Project address | Project name |
---|---|---|
Automated comprehensive host-side checklist detection script | https://github.com/grayddq/GScan | GScan |
Practical notes on emergency response; the self-cultivation of a security engineer | https://github.com/Bypass007/Emergency-Response-Notes | Emergency-Response-Notes |
Linux information collection / emergency response / common backdoor / cryptominer detection / webshell detection script | https://github.com/al0ne/LinuxCheck | LinuxCheck |
APT-Hunter: Windows event log emergency response tool | https://github.com/ahmedkhlief/APT-Hunter | APT-Hunter |
uroboros: a GNU/Linux monitoring and profiling tool that focuses on a single process | https://github.com/evilsocket/uroboros | uroboros |
whohk: a powerful emergency response tool for Linux | https://github.com/heikanet/whohk | whohk |
Malwoverview is a first-responder tool for threat hunting | https://github.com/alexandreborges/malwoverview | malwoverview |
Attack Surface Analyzer helps you analyze the security configuration of your operating system | https://github.com/Microsoft/AttackSurfaceAnalyzer | AttackSurfaceAnalyzer |
A tool for real-time detection of malicious web traffic based on IP reputation information | https://github.com/CRED-CLUB/ARTIF | ARTIF |
Rootkit Hunter | http://rkhunter.sourceforge.net/ | rkhunter |
Hema (河马) webshell scanner, hosted at shellpub.com | https://www.shellpub.com/ | Hema webshell scanner |
FireKylin: network security emergency response tool (system trace collection) | https://github.com/MountCloud/FireKylin | FireKylin |
Log analysis library; another use of nuclei | https://github.com/ffffffff0x/LOG-HUB | LOG-HUB |
The Defense Tool is a github repository by L0una