Online Tools

Online Tools

编解码/加解密综合

  • CyberChef:编解码及加密,可本地部署 https://github.com/gchq/CyberChef
  • OK Tools在线工具:https://github.com/wangyiwy/oktools
  • CTF在线工具:http://www.hiencode.com/
  • XSSEE:在线综合编解码工具 https://evilcos.me/lab/xssee/
  • MeTools:在线综合编解码工具 http://www.metools.info/code/quotedprintable231.html

常见编解码/加解密

  • MD5 Hash:https://www.somd5.com/
  • CMD5:https://www.cmd5.com/
  • GB2312:http://code.mcdvisa.com/
  • Unicode字符表:https://www.52unicode.com/enclosed-alphanumerics-zifu
  • Unicode:https://www.compart.com/en/unicode/
  • UUencode:http://web.chacuo.net/charsetuuencode
  • Escape/Unescape:https://tool.chinaz.com/tools/escape.aspx
  • HTML实体编码:https://zh.rakko.tools/tools/21/

实用工具

  • Explain Shell:Shell命令解析 https://explainshell.com/
  • 反弹Shell生成:
    • 本地部署项目 https://github.com/0dayCTF/reverse-shell-generator
    • 棱角安全在线 https://forum.ywhack.com/reverse-shell/
  • 文件下载命令:
    • 本地部署项目 https://github.com/r0eXpeR/File-Download-Generator
    • 棱角安全在线 https://forum.ywhack.com/bountytips.php?tools
  • 在线正则表达式:https://c.runoob.com/front-end/854/
  • Webshell Chop:https://webshellchop.chaitin.cn/demo/
  • XSS Chop:https://xsschop.chaitin.cn/demo/
  • WebShell查杀:https://n.shellpub.com/
  • HTML5 Security Cheatsheet:XSS攻击向量学习/参考 https://html5sec.org/
  • 在线代码格式标准化:http://web.chacuo.net/formatsh
  • 免费接受手机验证码:https://www.supercloudsms.com/en/

威胁情报

  • Virustotal:https://www.virustotal.com/gui/home/upload
  • 腾讯哈勃分析系统:https://habo.qq.com/tool/index
  • 微步在线威胁情报:https://x.threatbook.cn/
  • 奇安信威胁情报:https://ti.qianxin.com/
  • 360威胁情报:https://ti.360.net/#/homepage
  • 安恒威胁情报:https://ti.dbappsecurity.com.cn/
  • 火线安全平台:https://www.huoxian.cn
  • 知道创宇漏洞平台:https://www.seebug.org/
  • Hacking8安全信息流:https://i.hacking8.com/

网络空间搜索

  • Fofa:https://fofa.info/
  • Shodan:https://www.shodan.io/
  • ZoomEye:https://www.zoomeye.org/
  • 谛听:https://www.ditecting.com/
  • 360网络空间测绘:https://quake.360.cn/quake/#/index
  • Google Hacking Database:https://www.exploit-db.com/google-hacking-database

公开知识库

  • 棱角社区工具集整理:https://forum.ywhack.com/bountytips.php?tools
  • 零组文库:零组已停运,非官方 https://0-wiki.com/
  • 先知社区:https://xz.aliyun.com/
  • 狼组公开知识库:https://wiki.wgpsec.org/
  • 404星链计划:知道创宇 404 实验室 https://github.com/knownsec/404StarLink
  • MITRE ATT&CK:网络攻击中使用的已知对抗战术和技术 https://attack.mitre.org/matrices/enterprise/

其他

  • Wayback Machine:网页历史缓存 https://archive.org/web

信息收集

IP/域名

确认真实IP地址

  • IP精准定位:https://www.ipuu.net/#/home
  • IP 138:https://site.ip138.com/
  • Security Trails:https://securitytrails.com/

多个地点Ping服务器

  • Chinaz:https://ping.chinaz.com/
  • Host Tracker:https://www.host-tracker.com/
  • Webpage Test:https://www.webpagetest.org/
  • DNS Check:https://dnscheck.pingdom.com/

IP反查域名

  • IP138 https://site.ip138.com/
  • 微步在线 https://x.threatbook.cn/
  • VirusTotal https://www.virustotal.com/

Whois注册信息反查

  • 站长之家 Whois:https://whois.chinaz.com/
  • 中国万网 Whois:https://whois.aliyun.com/
  • 国际 Whois:https://who.is/

DNS数据聚合查询

  • Hacker Target:https://hackertarget.com/find-dns-host-records
  • DNS Dumpster:https://dnsdumpster.com
  • DNS DB:https://dnsdb.io/zh-cn

TLS证书信息查询

  • Censys:https://censys.io
  • Certificate Search:https://crt.sh
  • 证书透明度监控:https://developers.facebook.com/tools/ct"

IP地址段收集

  • CNNIC中国互联网信息中心:http://ipwhois.cnnic.net.cn

指纹识别

  • Wapplyzer:Chrome插件 跨平台网站分析工具 https://github.com/AliasIO/Wappalyzer
  • TideFinger:提取了多个开源指纹识别工具的规则库并进行了规则重组 https://github.com/TideSec/TideFinger
  • fingerprint:各种工具指纹收集分享 https://github.com/r0eXpeR/fingerprint
  • Dismap:tcp/udp/tls 协议指纹和 4500+ Web 指纹规则 https://github.com/zhzyker/dismap
  • Finger:一款红队在大量的资产中存活探测与重点攻击系统指纹探测工具 https://github.com/EASY233/Finger
  • 御剑web指纹识别程序:https://www.webshell.cc/4697.html
  • 云悉指纹识别:http://www.yunsee.cn/

WAF识别

  • identYwaf:WAF识别工具 https://github.com/stamparm/identYwaf

扫描/爆破

  • dirsearch:目录扫描/爆破 https://github.com/maurosoria/dirsearch
  • dirmap:目录扫描/爆破 https://github.com/H4ckForJob/dirmap
  • Arjun:HTTP参数扫描器 https://github.com/s0md3v/Arjun
  • ksubdomain:子域名爆破 https://github.com/knownsec/ksubdomain
  • Gobuster:URI/DNS/WEB爆破 https://github.com/OJ/gobuster
  • Hydra:弱密码爆破 https://github.com/vanhauser-thc/thc-hydra
  • John the Ripper:https://github.com/openwall/john

爆破字典

  • Dictionary-Of-Pentesting:渗透测试、SRC漏洞挖掘、爆破、Fuzzing等常用字典 https://github.com/insightglacier/Dictionary-Of-Pentesting
  • fuzzDicts:Web渗透Fuzz字典 https://github.com/TheKingOfDuck/fuzzDicts
  • Web-Fuzzing-Box:Web 模糊测试字典与Payloads https://github.com/gh0stkey/Web-Fuzzing-Box
  • PentesterSpecialDict:渗透测试工程师精简化字典 https://github.com/ppbibo/PentesterSpecialDict
  • fuzz:https://github.com/Bo0oM/fuzz.txt
  • SuperWordlist:弱口令字典 https://github.com/fuzz-security/SuperWordlist
  • top25-parameter:top25参数字典 https://github.com/lutfumertceylan/top25-parameter

信息泄露

  • GitHack:.git泄露利用脚本 https://github.com/lijiejie/GitHack
  • ds_store_exp:.DS_Store 文件泄漏利用脚本 https://github.com/lijiejie/ds_store_exp
  • Hawkeye:GitHub 泄露监控系统 https://github.com/0xbug/Hawkeye

电子邮箱

  • Hunter:Chrome插件 查找网页暴露邮箱 https://hunter.io/chrome
  • Skymem:邮箱地址搜索 https://www.skymem.info/
  • 搜邮箱:邮箱域名搜索 https://souyouxiang.com/find-contact/
  • gophish:钓鱼邮件 https://github.com/gophish/gophish

综合信息收集

  • AlliN:https://github.com/P1-Team/AlliN
  • Kunyu:https://github.com/knownsec/Kunyu
  • OneForAll:https://github.com/shmilylty/OneForAll
  • ShuiZe:https://github.com/0x727/ShuiZe_0x727
  • Fofa Viewer:https://github.com/wgpsec/fofa_viewer

内网信息收集

  • fscan:内网综合扫描工具 https://github.com/shadow1ng/fscan
  • hping3:端口扫描 高速 发包量少 结果准确无蜜罐 https://github.com/antirez/hping
  • EHole:红队重点攻击系统指纹探测工具 https://github.com/EdgeSecurityTeam/EHole
  • ENScan_GO:国内企业信息收集 https://github.com/wgpsec/ENScan_GO
  • Ladon:用于大型网络渗透的多线程插件化综合扫描工具 https://github.com/k8gege/Ladon
  • HackBrowserData:浏览器数据导出工具 https://github.com/moonD4rk/HackBrowserData

漏洞研究

SRC

  • HackerOne:https://www.hackerone.com/

开源文库

  • cve:收录了几乎所有公开的CVE https://github.com/trickest/cve
  • Vulhub:基于Docker的漏洞复现环境 https://vulhub.org/
  • PeiQi:面向网络安全从业者的知识文库 http://wiki.peiqi.tech/
  • Vulnerability:棱角社区公布漏洞 https://github.com/EdgeSecurityTeam/Vulnerability
  • 乌云镜像:http://wooyun.2xss.cc/
  • 未授权访问漏洞总结:http://luckyzmj.cn/posts/15dff4d3.html

靶机平台

  • DVWA:https://github.com/digininja/DVWA
  • HackTheBox:https://www.hackthebox.com/
  • OWASP Top10:https://owasp.org/www-project-juice-shop/
  • WebGoat:https://github.com/WebGoat/WebGoat
  • Sqli-labs:SQL注入 https://github.com/Audi-1/sqli-labs
  • Xss-labs:XSS注入 https://github.com/do0dl3/xss-labs
  • Upload-labs:上传漏洞 https://github.com/c0ny1/upload-labs
  • Vulstudy:docker快速搭建共17个漏洞靶场 https://github.com/c0ny1/vulstudy
  • Vulfocus:漏洞集成平台 https://github.com/fofapro/vulfocus

漏洞利用

综合POC

  • Exploit Database:https://www.exploit-db.com/
  • POChouse:https://github.com/DawnFlame/POChouse
  • Some-PoC-oR-ExP:各种漏洞PoC、ExP的收集或编写 https://github.com/coffeehb/Some-PoC-oR-ExP
  • Library-POC:基于Pocsuite3、goby编写的漏洞poc&exp存档 https://github.com/luck-ying/Library-POC
  • Penetration_Testing_POC:https://github.com/Mr-xn/Penetration_Testing_POC
  • PoC-in-GitHub:https://github.com/nomi-sec/PoC-in-GitHub
  • 0day:https://github.com/helloexp/0day

综合工具

  • Xray:安全评估工具 https://github.com/chaitin/xray
  • Vulmap:漏洞扫描和验证工具 https://github.com/zhzyker/vulmap
  • Artillery:插件化 JAVA 漏洞扫描器 https://github.com/Weik1/Artillery
  • Aazhen-v3.1:JavaFX图形化漏洞扫描工具 https://github.com/zangcc/Aazhen-v3.1

辅助工具

  • ysoserial:Java反序列化 https://github.com/frohoff/ysoserial
  • Ceye DNS:在线平台 http://ceye.io/
  • Dnslog:在线平台 http://dnslog.cn/
  • Fuzz.Red:在线平台 https://github.com/AlphabugX/Alphalog
  • DNSLog-GO:自建私有平台 https://github.com/lanyi1998/DNSlog-GO
  • JNDI-Injection-Exploit:https://github.com/welk1n/JNDI-Injection-Exploit
  • JNDIExploit:功能更强 冰蝎内存马 https://github.com/WhiteHSBG/JNDIExploit

操作系统

  • Windows-Exploit-Suggester:https://github.com/AonCyberLabs/Windows-Exploit-Suggester
  • Linux_Exploit_Suggester:https://github.com/InteliSecureLabs/Linux_Exploit_Suggester

中间件

  • shiro_attack:https://github.com/j1anFen/shiro_attack
  • shiro_rce_tool:https://github.com/wyzxxz/shiro_rce_tool
  • ShiroExploit:https://github.com/feihong-cs/ShiroExploit-Deprecated
  • ShiroExp:https://github.com/safe6Sec/ShiroExp
  • shiro_key:shiro key 收集 目前 1k+ https://github.com/yanm1e/shiro_key
  • Struts2VulsTools:https://github.com/shack2/Struts2VulsTools
  • ThinkphpGUI:https://github.com/Lotus6/ThinkphpGUI
  • thinkphp_gui_tools:https://github.com/bewhale/thinkphp_gui_tools
  • WeblogicScan:https://github.com/dr0op/WeblogicScan
  • weblogicScanner:https://github.com/0xn0ne/weblogicScanner
  • weblogic-framework:https://github.com/sv3nbeast/weblogic-framework
  • SpringBootVulExploit:https://github.com/LandGrey/SpringBootVulExploit

CMS

  • CMS-Hunter:CMS漏洞测试用例集合 https://github.com/SecWiki/CMS-Hunter
  • 若依CMS https://github.com/thelostworldFree/Ruoyi-All

OA

  • OA综合 https://github.com/achuna33/MYExploit

Bypass

  • CVE-2021-44228-PoC-log4j-bypass-words:https://github.com/Puliczek/CVE-2021-44228-PoC-log4j-bypass-words

内网渗透

Payloads

  • PayloadsAllTheThings:https://github.com/swisskyrepo/PayloadsAllTheThings
  • java.lang.Runtime.exec() Payload:java Payload在线生成 https://www.bugku.net/runtime-exec-payloads/
  • PHP Generic Gadget Chains:PHP反序列化Payload https://github.com/ambionics/phpggc

WebShell

  • Webshell收集项目:https://github.com/tennc/webshell

  • TomcatMemShell:Tomcat内存马 https://github.com/ce-automne/TomcatMemShell

  • wsMemShell:WebSocket 内存马 https://github.com/veo/wsMemShell

  • Behinder 冰蝎:

    https://github.com/rebeyond/Behinder

    • Behinder4已经发布
    • Behinder3:kali + java 11.0.14windows10 + java 1.8.0_91,注意,该环境下Behinder2无法正常运行,Behinder3代理经测试php无法成功穿透,jsp可以成功穿透
    • Behinder2:windows10 + java 1.8.0_91
  • Godzilla 哥斯拉:https://github.com/BeichenDream/Godzilla

  • Skyscorpion:https://github.com/shack2/skyscorpion

Bypass

  • PHPFuck:https://github.com/splitline/PHPFuck
  • JSFuck:http://www.jsfuck.com/
  • Gopherus:生成gopher链接 https://github.com/tarunkant/Gopherus

免杀

  • bypassAV:免杀shellcode加载器 过火绒不过360 https://github.com/pureqh/bypassAV

  • GolangBypassAV:https://github.com/safe6Sec/GolangBypassAV

  • BypassAntiVirus:远控免杀系列文章及配套工具

    https://github.com/TideSec/BypassAntiVirus

    • BypassAntiVirus2022年部分免杀复现:Threekiii/Awesome-Redteam
  • AV_Evasion_Tool:掩日 - 适用于红队的综合免杀工具 https://github.com/1y0n/AV_Evasion_Tool

  • shellcodeloader:Windows平台的shellcode免杀加载器 https://github.com/knownsec/shellcodeloader

  • 杀软比对:https://www.shentoushi.top/av/av.php

  • 在线免杀:免杀方式为原生webshell随机字符修改、Java反射、垃圾字符填充、函数名称变形 http://bypass.tidesec.com/web/

内网穿透

  • NPS:通过web端管理,无需配置文件 https://github.com/ehang-io/nps
  • FRP:55k star项目 https://github.com/fatedier/frp
  • Neo-reGeorg:tunnel快速部署 https://github.com/L-codes/Neo-reGeorg
  • Proxifier:windows代理工具 https://www.proxifier.com/
  • Proxychains:kali代理工具 https://github.com/haad/proxychains
  • iodine:dns隧道 https://github.com/yarrick/iodine
  • dnscat2:dns隧道 https://github.com/iagox86/dnscat2
  • icmpsh:icmp隧道 https://github.com/bdamele/icmpsh

密码获取

  • 密码猜解:猜测目标可能使用的密码 https://www.hacked.com.cn/pass.html
  • Responder:实现获取NTLM Hash等功能 https://github.com/SpiderLabs/Responder
  • HackBrowserData:浏览器数据导出工具 https://github.com/moonD4rk/HackBrowserData

开源蜜罐

  • HFish:一款安全、简单可信赖的跨平台蜜罐软件,允许商业和个人用户免费使用 https://github.com/hacklcx/HFish

容器安全

  • CDK:容器渗透 https://github.com/cdk-team/CDK
  • veinmind-tools:容器安全工具集 https://github.com/chaitin/veinmind-tools

其他

  • Impacket:其中的psexec.py通过用户名和密码远程连接到目标服务器 https://github.com/SecureAuthCorp/impacket
  • PsTools:PsExec.exe功能同Impacket中的psexec.py https://docs.microsoft.com/en-us/sysinternals/downloads/pstools

新一代信息技术

移动端/物联网

  • CrackMinApp:反编译微信小程序 https://github.com/Cherrison/CrackMinApp
  • AppInfoScanner:移动端信息收集 https://github.com/kelvinBen/AppInfoScanner
  • wxappUnpacker:小程序解包 https://github.com/xuedingmiaojun/wxappUnpacker
  • IoT-vulhub: IoT 版固件漏洞复现环境 https://github.com/firmianay/IoT-vulhub

云服务

  • aliyun-accesskey-Tools:阿里云accesskey利用工具 https://github.com/mrknow001/aliyun-accesskey-Tools
  • cosbrowser:腾讯云COS客户端 https://github.com/TencentCloud/cosbrowser
  • 行云管家:云存储图形化管理平台 https://yun.cloudbility.com/

大数据

  • DruidCrack:Druid密文解密工具 https://github.com/rabbitmask/DruidCrack

逆向分析

  • 逆向分析工具集:https://pythonarsenal.com/
  • PEiD:查壳工具 https://www.aldeid.com/wiki/PEiD
  • Py2exe:Python打包工具 https://www.py2exe.org/
  • PyInstaller:Python打包工具 https://github.com/pyinstaller/pyinstaller

云上攻防

  • AWSGoat:https://github.com/ine-labs/AWSGoat
  • TerraformGoat:https://github.com/HuoCorp/TerraformGoat
  • ATT&CK Cloud矩阵:https://attack.mitre.org/matrices/enterprise/cloud/

工具赋能

Metasploit

  • Metasploit:https://github.com/rapid7/metasploit-framework
  • https://attack.mitre.org/matrices/enterprise/cloud/

Yakit

  • Yakit:网络安全单兵工具 对标Burpsuite https://github.com/yaklang/yakit

Cobaltstrike

  • Awesome CobaltStrike:CobaltStrike知识库 https://github.com/zer0yu/Awesome-CobaltStrike
  • Erebus:后渗透测试插件 https://github.com/DeEpinGh0st/Erebus
  • LSTAR:综合后渗透插件 https://github.com/lintstar/LSTAR
  • ElevateKit:提权插件 https://github.com/rsmudge/ElevateKit

Burpsuite

  • HaE:高亮标记与信息提取辅助型插件 https://github.com/gh0stkey/HaE
  • Log4j2Scan:Log4j主动扫描插件 https://github.com/whwlsfb/Log4j2Scan
  • RouteVulScan:检测脆弱路径插件 https://github.com/F6JO/RouteVulScan

Chrome crx

  • Proxy SwitchyOmega:快速切换代理 https://github.com/FelisCatus/SwitchyOmega
  • Wappalyzer:识别网站技术/框架/语言 https://www.wappalyzer.com/
  • EditThisCookie:修改Cookie https://www.editthiscookie.com/
  • FindSomething:在网页的源代码或js中寻找有用信息 https://github.com/ResidualLaugh/FindSomething
  • Disable JavaScript:禁用JavaScript绕过弹窗 https://github.com/dpacassi/disable-javascript
  • Hack Bar:渗透神器No.1 https://github.com/0140454/hackbar

其他优秀项目

  • oh my zsh:命令行工具集 好用 推荐 https://github.com/ohmyzsh/ohmyzsh
  • The art of command line:快速掌握命令行 https://github.com/jlevy/the-art-of-command-line
  • PySimpleGUI:https://github.com/PySimpleGUI/PySimpleGUI
  • f8x:红/蓝队环境自动化部署工具 https://github.com/ffffffff0x/f8x
  • mate-translate:一个翻译神器 https://gikken.co/mate-translate
  • cloudreve:私有云盘部署 https://github.com/cloudreve/Cloudreve

先mark待测试项目

  • AsamF:集成多个网络资产测绘平台的一站式企业信息资产收集工具 https://github.com/Kento-Sec/AsamF
  • ThunderSearch:支持Fofa、Zoomeye、360Quake的GUI界面的信息搜集工具 https://github.com/xzajyjs/ThunderSearch

文章来源:
作者: Threekiii
来源:https://github.com/Threekiii/Awesome-Redteam

你可能感兴趣的:(安全)