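Links to other collection platforms and projects:
Open-source scanner collection: https://github.com/We5ter/Scanners-Box
T00ls forum tool collection: https://github.com/tengzhangchao/Sec-Box
Pentester Navigation (渗透师导航): https://www.shentoushi.top/
Information-gathering toolset: https://github.com/redhuntlabs/Awesome-Asset-Discovery
K8 toolset: https://github.com/k8gege/K8tools
Vulnerability reproduction knowledge base: https://wiki.0-sec.org/
App testing: https://github.com/Brucetg/App_Security
Red team resource link collection (lots of useful material): https://github.com/hudunkey/Red-Team-links
The following are personally compiled and collected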
- AntSword (蚁剑), a replacement for China Chopper (菜刀): https://github.com/AntSwordProject/antSword
- Behinder (冰蝎), encrypted shell connection: https://github.com/rebeyond/Behinder
- Java fileless webshell: https://github.com/rebeyond/memShell
- Swiss Army knife Bettercap: https://github.com/bettercap/bettercap
- Batch XSS scanning, originally from Xianzhi (先知): https://github.com/bsmali4/xssfork
- Personally collected and written PoCs:
- Cross-site content hijacking PoC: https://github.com/nccgroup/CrossSiteContentHijacking
- Automated testing tool; PoCs are under the script path: https://github.com/Xyntax/POC-T/tree/master
- Collection of webshells in various languages: https://github.com/tennc/webshell
- XXE injection tool, written in Ruby: https://github.com/enjoiz/XXEinjector
- XXE testing tool: https://github.com/TheTwitchy/xxer
- Burp AES encryption plugin: https://github.com/Ebryx/AES-Killer
- XXE payload generation: https://github.com/BuffaloWill/oxml_xxe/
- Burp plugin for testing Nginx path traversal: https://github.com/bayotop/off-by-slash
- Red team automated deployment: https://github.com/360-A-Team/LuWu
- JS deobfuscation: https://github.com/mindedsecurity/JStillery
- JWT token cracking: https://github.com/brendan-rius/c-jwt-cracker
- SN1PER (features: open port scanning, WAF detection, fingerprinting, directory scanning): https://github.com/1N3/Sn1per
- Run tools (dirsearch, masscan, amass, patator) directly from a web page for scanning: https://github.com/c0rvax/project-black
- Automated scanning for CORS misconfiguration vulnerabilities on websites: https://github.com/chenjj/CORScanner
- Chaitin X-ray vulnerability scanner: https://github.com/chaitin/xray/
- Medusa vulnerability scanner: https://github.com/Ascotbe/Medusa
- w13scan: https://github.com/w-digital-scanner/w13scan
- Burp plugin for use with passive vulnerability scanners: https://github.com/c0ny1/passive-scan-client
- Incident response toolset: https://github.com/meirwah/awesome-incident-response
- Incident response field notes: https://github.com/Bypass007/Emergency-Response-Notes
- Process viewing:
- https://www.nomoreransom.org/crypto-sheriff.php
- QI-ANXIN (奇安信): https://lesuobingdu.qianxin.com/
- VenusEye: https://lesuo.venuseye.com.cn/
- Sangfor (深信服): https://edr.sangfor.com.cn/#/information/ransom_search
- 360: https://lesuobingdu.360.cn/
- Tencent: https://guanjia.qq.com/pr/ls/
- https://github.com/jiansiting/Decryption-Tools
- Weak password dictionaries: https://weakpass.com/
- https://github.com/swisskyrepo/PayloadsAllTheThings
- https://github.com/berzerk0/Probable-Wordlists
- https://github.com/danielmiessler/SecLists
- File name fuzzing for file uploads: https://github.com/c0ny1/upload-fuzz-dic-builder
- Directories disallowed by robots.txt: https://github.com/danielmiessler/RobotsDisallowed
- https://github.com/TheKingOfDuck/fuzzDicts
- https://github.com/1N3/IntruderPayloads (burp_payload)
- Website brute-forcing + XSS + SQLi: https://github.com/SilverPoision/a-full-list-of-wordlists/tree/master/Wordlists/burp_pack
- Keyboard-pattern and mixed letter+digit password brute-forcing: https://github.com/huyuanzhi2/password_brute_dictionary
- WAF fingerprinting and bypass: https://github.com/Ekultek/WhatWaf
- Go port-scanning script with screenshots: https://github.com/michenriksen/aquatone
- wfuzz:https://github.com/xmendez/wfuzz
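- Directory scanning tool dirsearch: https://github.com/maurosoria/dirsearch
- Subdomain collection:
- Collect subdomains from SSL certificates: https://github.com/yassineaboukir/sublert
- Python script + MongoDB real-time monitoring: https://github.com/guimaizi/get_domain
- Can discover second- and third-level subdomains: https://github.com/infosec-au/altdns
- asyncio + aiodns subdomain brute-forcing with a large dictionary: https://github.com/ldbfpiaoran/subdns
- Based on Python 3.8; obtains and validates subdomains through multiple APIs: https://github.com/shmilylty/OneForAll
- MYSQL_SQL injection: https://github.com/aleenzz/MYSQL_SQL_BYPASS_WIKI
- 极光无限 (Jiguang Wuxian) online detection: https://detect.secwx.com/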
- Windows
- Windows privilege escalation online helper: http://bugs.hacking8.com/tiquan/
- Windows kernel privilege escalation exploits: https://github.com/SecWiki/windows-kernel-exploits
- Windows privilege escalation script: https://github.com/AonCyberLabs/Windows-Exploit-Suggester
- Windows exploit privilege escalation: https://github.com/lyshark/Windows-exploits
- Windows local privilege escalation tool (pops a cmd with SYSTEM privileges after execution): https://github.com/ohpe/juicy-potato
- Windows webshell privilege escalation: https://github.com/uknowsec/SweetPotato
- Create a process with SYSTEM privileges to execute commands by stealing the token of a SYSTEM-privileged process: https://github.com/uknowsec/getSystem
- Linux
- Linux privilege escalation script: https://github.com/mzet-/linux-exploit-suggester
- Linux kernel privilege escalation exploits: https://github.com/SecWiki/linux-kernel-exploits
- Privilege escalation tool suite (Windows, Linux): https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
- Kernel privilege escalation: https://github.com/bcoles/kernel-exploits
- Windows password brute-force cracking: https://github.com/shinnok/johnny
- mimikatz: https://github.com/gentilkiwi/mimikatz
- PowerShell intranet exploitation scripts: https://github.com/PowerShellMafia/PowerSploit
- PowerShell red team intranet penetration: https://github.com/samratashok/nishang
- Some tools implemented in PowerShell: https://github.com/clymb3r/PowerShell
- PowerShell reverse TCP shell: https://github.com/ZHacker13/ReverseTCPShell
- PowerShell obfuscation:
- Domain penetration analysis tool BloodHound: https://github.com/BloodHoundAD/BloodHound
- Intranet penetration tips: https://github.com/Ridter/Intranet_Penetration_Tips
- Backdoor creation (included in Kali): https://github.com/secretsquirrel/the-backdoor-factory
- RAT: https://github.com/Screetsec/TheFatRat
- Batch pass-the-hash: https://github.com/Kevin-Robertson/Invoke-TheHash
- frp intranet traffic forwarding, supports TCP and UDP: https://github.com/fatedier/frp
- EarthWorm for opening a SOCKS5 proxy: https://github.com/idlefire/ew
- reGeorg, for cases where only port 80 is exposed to the public network: https://github.com/sensepost/reGeorg
- Encrypted-traffic version of reGeorg: https://github.com/L-codes/Neo-reGeorg
- nps intranet tunneling: https://github.com/ehang-io/nps
- Collect browser-saved password information in a .NET environment: https://github.com/djhohnstein/SharpWeb
- Python script to retrieve passwords stored by various system software: https://github.com/AlessandroZ/LaZagne
- C# browser password extraction: https://github.com/QAX-A-Team/BrowserGhost
- https://github.com/fjserna/CVE-2015-7547
- https://github.com/FiloSottile/CVE-2016-2107
- CVE-2015-2426: https://github.com/vlad902/hacking-team-windows-kernel-lpe
- https://github.com/RhinoSecurityLabs/CVEs
- https://github.com/Libraggbond/CVE-2018-3191
- https://github.com/gottburgm/Exploits
- https://github.com/ym2011/POC-EXP
- https://github.com/w1109790800/penetration (mostly CMS, plus some tools)
- https://github.com/chompie1337/SMBGhost_RCE_PoC (CVE-2020-0796)
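- Java deserialization PoC generation tool: https://github.com/frohoff/ysoserial
- Java deserialization exploitation and verification tool: https://github.com/joaomatosf/jexboss
- struts2 Python 2 scanning script (Chinese characters are garbled in use; prefix strings with u): https://github.com/Lucifer1993/struts-scan
- WebLogic vulnerability scanning script: https://github.com/dr0op/WeblogicScan
- WebLogic password decryption: https://github.com/NetSPI/WebLogicPasswordDecryptor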
- SpringBootExploit: https://github.com/LandGrey/SpringBootVulExploit
- Shiro deserialization:
- AntSword (蚁剑): https://github.com/AntSwordProject/antSword
- Behinder (冰蝎): https://github.com/rebeyond/Behinder
- Godzilla (哥斯拉, supports JSP in-memory shell): https://github.com/BeichenDream/Godzilla
- SkyScorpion (天蝎): https://github.com/shack2/skyscorpion
- Collection of Android-related projects and articles: https://github.com/alphaSeclab/android-security
- jadx, Android APK reverse engineering and code analysis: https://github.com/skylot/jadx
- App packet encryption/decryption + Burp plugin: https://github.com/lyxhh/lxhToolHTTPDecrypt
- App dynamic testing framework: https://github.com/MobSF/Mobile-Security-Framework-MobSF
- Knownsec remote vulnerability testing framework: https://github.com/knownsec/Pocsuite
- Python crawler proxy pool: https://github.com/jhao104/proxy_pool
- Self-hosted XSS platform:
- Fake name generator: https://github.com/joke2k/faker
- Rogue MySQL server that reads arbitrary files: https://github.com/allyshka/Rogue-MySql-Server
- WAF fingerprint dictionary and bypass methods: https://github.com/0xInfection/Awesome-WAF
- WAF identification script: https://github.com/stamparm/identYwaf
- Automated WAF bypass: https://github.com/khalilbijjou/WAFNinja
- Automated SSRF testing: https://github.com/swisskyrepo/SSRFmap
- CAPTCHA recognition with AI training: https://github.com/luyishisi/Anti-Anti-Spider
- Flash XSS testing: https://github.com/cure53/flashbang
- CMS identification:
- Subdomain takeover fingerprints: https://github.com/EdOverflow/can-i-take-over-xyz
- FireEye Windows testing virtual machine: https://github.com/fireeye/commando-vm
- Xunfeng (巡风) vulnerability scanner: https://github.com/ysrc/xunfeng
- CreditEase Insight (宜信洞察): https://github.com/creditease-sec/insight
- Momo risk control (陌陌风控): https://github.com/momosecurity/aswan
- HIDS:https://github.com/ossec/ossec-hids
- OpenResty, a high-performance server built around Nginx: https://github.com/openresty/openresty
- Nginx security configuration check: https://github.com/yandex/gixy
- GitHub monitoring tools:
- Open-source honeypot collection: https://github.com/paralax/awesome-honeypots
- Security mind maps compiled by phith0n (P牛): https://github.com/phith0n/Mind-Map
- Intranet penetration knowledge tips: https://github.com/Ridter/Intranet_Penetration_Tips
- Interview experience: https://github.com/Leezj9671/Pentest_Interview
- Interview knowledge points: https://www.yuque.com/books/share/bd8433e2-3682-4bf9-bbf7-cb5070764079
- evi1cg:https://evi1cg.me/
- backlion:http://www.cnblogs.com/backlion
- phith0n :https://www.leavesongs.com/
- Heibai (黑白): https://www.heibai.org/
- orange: http://blog.orange.tw/
- c0ny1:https://gv7.me/
- nMask: https://thief.one/
- Lengbaikai (冷白开): http://www.lengbaikai.net/
- 3gstudent (三好学生): https://3gstudent.github.io/
- spoock:https://blog.spoock.com/
- http://www.zerokeeper.com/
- https://masterxsec.github.io/
- https://www.hacking8.com/