Anonymous Wiki

Criteria

Anyone is theoretically free to proclaim themselves a member of Anonymous, although in practice most mainstream strands of the Anonymous movement are vehemently opposed to totalitarianism and fight for free speech, human rights and equality.

Technical skills

Useful instructions for those wishing to hack under the Anonymous mantle.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1- Keylogger

Most sources define a keylogger as a software program designed to secretly monitor and log all keystrokes. This definition is not altogether correct, since a keylogger doesn’t have to be software – it can also be a device. Keylogging devices are much rarer than keylogging software, but it is important to keep their existence in mind when thinking about information security.

A keylogger does not "hack an account" on its own: it has to be running on the victim's device first, either as software installed there or as a hardware device sitting between keyboard and computer.

Once in place it records every keystroke the victim types and sends the log to you.

In that log you can see the passwords and e-mail addresses typed into browsers, and read e-mails and private messages as they are written.

Commercial monitoring apps such as mSpy and iKeyMonitor show that keyloggers exist for practically every platform, phones included. Two caveats: software keyloggers are exactly what antivirus and EDR products look for, and a captured password alone does not get past two-factor authentication.

Here are some keylogger tools:

A keylogger for Windows, Linux and macOS, which can also e-mail the captured keystrokes to a Gmail account:

https://github.com/GiacomoLaw/Keylogger

Keylogger and surveillance app for iOS:

https://ikeymonitor.com

A keylogger for Android:

https://github.com/maemresen/android-keylogger

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

2- Bruteforcing:

A brute-force attack consists of an attacker submitting many passwords in the hope of eventually guessing correctly.

The attacker systematically checks all possible passwords and passphrases until the correct one is found.

In theory every password can be found this way, and even a six-digit 2FA code has only a million possible values. In practice the service decides: login endpoints throttle or lock the account after a few failures, and a one-time code expires within seconds or minutes.

So why does nobody use this method?

The answer is simple: time and physical limits.

No matter how fast your PC is, some passwords are so long and so complex that a brute-force attack would take billions of years to find them.

The brute-force method only works when the keyspace is small or you already know roughly what the password MIGHT be (which is really a dictionary attack, see below), so here are some tools in case you know what to do.

Brute-forcing tools (note that Gobuster and dirsearch brute-force URL paths, DNS names and virtual hosts on a web server, not passwords):

Gobuster:

https://github.com/OJ/gobuster

All-in-one brute-forcer (BruteX):

https://github.com/1N3/BruteX

Dirsearch:

https://github.com/maurosoria/dirsearch

Callow:

https://callow.vercel.app

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3- Dictionary attack

In contrast with a brute-force attack, where all possibilities are searched through exhaustively, a dictionary attack only tries the possibilities most likely to succeed, typically taken from a wordlist or a dictionary. Dictionary attacks generally succeed because many people choose passwords that are short, are single dictionary words, or are simple, predictable variations of them.

Many people build their password from one of these patterns:

Name + random number

Name + date of birth

Name + !§=)$ etc.

Family name + random number

Family name + date of birth

...

This is why collecting information about the target matters: you need their full name and the names of their family members and friends.

The name of the dog or of an old friend may be the word that cracks the password.
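The arithmetic behind the two sections above, as an added example written for this edit rather than code from the original page or from any of the tools it lists: it shows why exhaustive search is hopeless for long random passwords, why a six-digit 2FA code still survives behind rate limiting, and why a "name + number" dictionary is tiny by comparison. The guess rates, wordlist sizes and attempts-per-window used in the demo are assumptions chosen for illustration.

```python
"""Keyspace arithmetic for brute-force vs dictionary attacks (added example)."""

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Sizes of the usual candidate alphabets.
ALPHABETS = {
    "digits": 10,
    "lowercase": 26,
    "lowercase+digits": 36,
    "mixed case+digits": 62,
    "all printable ASCII": 95,
}


def keyspace(alphabet_size: int, max_length: int, min_length: int = 1) -> int:
    """Number of candidate strings of every length from min_length to max_length.

    An exhaustive attack that does not know the length has to cover all of them.
    """
    return sum(alphabet_size ** n for n in range(min_length, max_length + 1))


def expected_seconds(candidates: int, guesses_per_second: float) -> float:
    """Average time to hit the right candidate: half the space is searched on average."""
    return candidates / 2 / guesses_per_second


def pattern_candidates(names: int, numbers: int, suffix_rules: int = 1) -> int:
    """Size of a 'name + number (+ symbol suffix)' dictionary.

    Every name is combined with every number and each suffix rule (1 = no suffix),
    which is the shape of the patterns listed in the dictionary-attack section.
    """
    return names * numbers * suffix_rules


def otp_guess_probability(digits: int, attempts_in_window: int) -> float:
    """Chance of guessing a numeric one-time code before it expires.

    A fresh code is uniformly random, so each attempt has a 1/10**digits chance;
    attempts_in_window is how many tries the service allows while the code is
    valid (an assumption, it depends on the service's rate limiting).
    """
    return min(1.0, attempts_in_window / 10 ** digits)


def years(seconds: float) -> float:
    """Convert seconds to years for the table below."""
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed guess rate: a GPU rig against a fast unsalted hash (offline attack).
    offline_rate = 1e10
    # Assumed guess rate against a live login form that throttles requests.
    online_rate = 10.0

    print("Offline brute force (assumed 1e10 guesses/s), random passwords:")
    for name, size in ALPHABETS.items():
        for length in (8, 12, 16):
            t = expected_seconds(keyspace(size, length), offline_rate)
            print(f"  {name:>20s}, up to {length:2d} chars: {years(t):>14.1f} years")

    # Assumed: 5,000 first names x 10,000 four-digit numbers x 3 suffix rules.
    dictionary = pattern_candidates(5_000, 10_000, 3)
    print(f"\nName+number dictionary: {dictionary:,} candidates,"
          f" {expected_seconds(dictionary, offline_rate):.3f} s offline,"
          f" {years(expected_seconds(dictionary, online_rate)):.1f} years online")

    # Six-digit code, assumed 10 attempts allowed inside its validity window.
    print(f"\n6-digit OTP, 10 tries per window: p = {otp_guess_probability(6, 10):.0e}")
```

The table makes the point of the text concrete: a random 12-character mixed-case password costs thousands of years even at ten billion guesses a second, while a 150-million-entry name+number dictionary falls in well under a second offline. The online column is why the same dictionary is useless against a throttled login form and why the realistic path is a leaked hash, not the live site.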

Tools:

Acccheck

https://labs.portcullis.co.uk/tools/acccheck/

Cain & Abel

https://cain-and-abel.de.malavida.com/windows/

Aircrack-ng

https://www.aircrack-ng.org

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4- Pwned and leaked Data

With nothing more than an e-mail address you can check whether the target already appears in leaked data.

"Have I Been Pwned" lets you search across multiple data breaches to see whether an e-mail address, an old password or a phone number has been compromised.

Enter the victim's e-mail address, or an old password of theirs. The site shows whether any of their data was ever leaked to the public through hacked databases or mass hacking campaigns.

If you see the warning "Oh no - pwned!" you know which breach exposed the account, and the breach name tells you which dump to look for; the dumps themselves circulate on public forums. A hit does not hand you a working password by itself: many dumps contain only hashed passwords, and the password may have been changed since the breach.

There is even a version on an internet-banking security site, so try it yourself.

The phone numbers and personal data of 533 million Facebook users have been leaked online, and Yahoo suffered one of the largest breaches ever (dating from 2013, with the full scale of three billion accounts disclosed in 2017).

All of these dumps can be downloaded from random forums, where you can hope that your victim's data is in one of them.

(The original page shows a screenshot here of the result displayed when the e-mail or password has already been leaked.)

Here are the sites for this:

Have i been pwned:

https://haveibeenpwned.com

Internet banking:

https://www.ebas.ch/have-i-been-pwned/
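One concrete form of the password check described above is the Pwned Passwords range API that Have I Been Pwned exposes: the client sends only the first five hex characters of the password's SHA-1 hash and matches the returned suffixes locally, so the password itself never leaves the machine (k-anonymity). The code below is an added example written for this edit, not code from the original page or from Have I Been Pwned; the API URL, the `Add-Padding` header and the `SUFFIX:COUNT` response format are the documented ones, while `SAMPLE_RESPONSE_5BAA6` is a constructed response used so the check runs offline.

```python
"""Pwned Passwords range check with k-anonymity (added example)."""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the key the Pwned Passwords set is built on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """First 5 hex chars go to the server, the remaining 35 stay local."""
    return sha1_hex[:5], sha1_hex[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding entries.

    With the Add-Padding header the server mixes in fake suffixes with a
    count of 0 so that response sizes do not reveal the prefix; those must
    be ignored rather than reported as hits.
    """
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # malformed line: skip it rather than crash
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_live(prefix: str) -> str:
    """Query the real API for one 5-character prefix (network access required)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """How many times the password appears in the corpus, 0 if never seen.

    fetch_range is injectable so the logic can be exercised against a canned
    response without touching the network.
    """
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed response for prefix 5BAA6 (not real API output): one padding
# entry with count 0, one unrelated suffix, and the suffix for "password".
SAMPLE_RESPONSE_5BAA6 = "\r\n".join([
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",
    "0018A45C4D1DEF81644B54AB7F969B88D65:2",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
])


if __name__ == "__main__":
    # Offline demo against the constructed response; swap in fetch_range_live
    # (the default) to query the real service.
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw, lambda p: SAMPLE_RESPONSE_5BAA6)} times")
```

Only the five-character prefix is sent, so the server learns at most which of roughly a million buckets the password falls into. Ignoring zero-count entries is the one detail people get wrong when they enable padding.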

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5- Phishing

Phishing is a common scam that tries to lure you into giving up your username, password or other sensitive information by presenting a replica of a real app, login page or website.

It can target any device, and it is typically spread by e-mail.

The e-mail may appear to come from your university, your employer or another company you do business with, and it often asks you to click a link, open an attachment, or reply with your account or personal information.

Social engineering is not limited to guessing passwords:

  1. You can use it to steer your victim onto a phishing page that you created specifically to collect passwords.
  2. You have to persuade the person, through social engineering, to log in to their account through your page.
  3. You can lure them to your page with the promise of free money, free leaks or similar bait.

Full tutorial:

Phishing attacks are SCARY easy to do!! (let me show you!) // FREE Security+ // EP 2

How hackers create PHISHING sites!

Phishing tools:

SocialPhish

  • Known tool
  • Preloaded

Download: https://github.com/xHak9x/SocialPhish

Evilginx2

  • Man-in-the-middle attack
  • Allows bypassing 2-factor authentication protection
  • Acts as a proxy between the browser and the phished website
  • Captures the live session (cookies), which is why it beats SMS and TOTP codes; it does not beat origin-bound FIDO2/WebAuthn keys

Download: https://github.com/kgretzky/evilginx2

Social-Engineer Toolkit (SET)

  • Designed for social engineering
  • Multiple custom attack vectors
  • Believable quick attack

Download: https://github.com/trustedsec/social-engineer-toolkit

Wifiphisher

  • Wi-Fi phishing
  • Scans the victim stations for vulnerabilities
  • Creates a fake wireless network that looks similar to a legitimate network

Download: https://github.com/wifiphisher/wifiphisher

Gophish

  • Open-source phishing toolkit
  • Dead simple
  • Runs on Windows too

Download: https://github.com/gophish/gophish

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

6- Password Reset

This method is easy, but it has to be combined with social engineering.

With physical access to the victim's phone you can simply request a password reset for their account from the app and read the reset code yourself.

Without physical access you can still request a new password for their account, but the code is sent to the victim as an SMS, so you need them to hand it over.

You can prepare the person beforehand with lines like:

"My account needs a new number, can I use yours?" or "I need to verify my account but my number does not work, can I use yours?"

This method is also used to steal someone else's Instagram account permanently.

Another method is to ask the person a lot of personal questions, such as their mum's name, their dad's name and so on:

the kind of questions whose answers are used for security questions.

Collect them all while keeping it looking like a normal conversation, and that is how it is done.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

7- Linked accounts

A majority of Instagram users have linked their Facebook accounts to Instagram. If you can hack someone's Facebook account, you also get automatic access to their Instagram account.

This kind of method works with a lot of other social media accounts too. Facebook accounts are also linked to tons of games, which means you also get access to their game accounts, for example Dragon City.

Works with Facebook mobile games:

  • Daily Sudoku
  • Master Archer
  • Draw Something
  • Words with Friends
  • 8 Ball Pool
  • Super Dash
  • Mahjong Trails Blitz
  • Jewel Academy
  • Tomb Runner
  • Word Life
  • Dragon Land
  • World Chef
  • Tasty Town
  • Dragon City
  • Monster Legends

(Accounts of this kind are extremely difficult to find and expensive at the same time, so they are perfect loot for someone who sells accounts.)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8- Exploits and Vulnerabilities

An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in an application or a system to cause unwanted effects.

The name comes from the English verb to exploit, meaning “to use something to one’s own advantage”.

Basically, this means that the target of an attack suffers from a design flaw that lets people create the means to access it and use it in their own interest.

Among the most well-known web-based security vulnerabilities are SQL injection, cross-site scripting, cross-site request forgery, broken authentication code and security misconfigurations. In general, exploits can be classified in two main categories: known and unknown (zero-day) vulnerabilities.

Zero-day vulnerabilities are by far the most dangerous, as they arise when software contains a critical security vulnerability of which the programmer or the owner of the software is unaware.

So now that you know what an exploit is, let me show you how to abuse them and how to find them.

How to find exploits [ONLY FOR HIGHLY EXPERIENCED HACKERS]:

It’s not like every nth line of code has something exploitable. Software that tries to do certain things, fails in certain ways, over and over and over again.

So mostly we look for the old problems, and port them over to their new hosts.

There are three main strategies for finding bugs.

Design review

Basically just look at what it's trying to do, and figure out if it did it wrong.

Code review

Look at how it's built, either as source code or compiled binaries (both help, both matter).

Fuzzing

Fuzzing is basically throwing noise at software, and seeing what happens. Bugs might only show up one out of a million tests, but if you try things a hundred million times, you're going to get a hundred bugs.

Fuzzing gets smarter each passing year. What that means is that instead of throwing random noise at code, we watch what happens as we talk to the software, and learn from it. Bugs are not random, because software is not random. You have to *reach* a bug in order to find it.
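A minimal coverage-guided mutation fuzzer, as an added example written for this edit (not code from the original page or from any fuzzer it mentions). `parse_record` is a constructed toy target with a planted bug: it trusts its own length byte and indexes past a short payload. The fuzzer uses `sys.settrace` as its coverage probe and keeps a mutant only when it executes a line of the target that no earlier input reached, which is the "watch what happens and learn from it" idea above; the seed input, mutation mix and iteration cap are assumptions.

```python
"""Coverage-guided mutation fuzzer against a toy parser (added example)."""
import random
import sys
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set, Tuple


def parse_record(data: bytes) -> int:
    """Constructed target: 3-byte magic 'REC', a length byte, then the payload.
    Planted bug: it trusts the length byte and reads the last payload byte
    without checking that the payload really is that long."""
    if len(data) < 4:
        return 0
    if data[0] != ord("R"):
        return 1
    if data[1] != ord("E"):
        return 2
    if data[2] != ord("C"):
        return 3
    length = data[3]
    payload = data[4:4 + length]
    if length == 0:
        return 4
    return payload[length - 1]  # IndexError when the payload is shorter than length


def run_with_coverage(target: Callable[[bytes], object],
                      data: bytes) -> Tuple[Set[int], Optional[Exception]]:
    """Run target(data) once and record which of its source lines executed."""
    lines: Set[int] = set()
    code = target.__code__

    def tracer(frame, event, arg):
        if frame.f_code is not code:
            return None  # trace only the target's own frame
        if event == "line":
            lines.add(frame.f_lineno)
        return tracer

    error: Optional[Exception] = None
    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        target(data)
    except Exception as exc:  # any uncaught exception is treated as a crash
        error = exc
    finally:
        sys.settrace(previous)
    return lines, error


def mutate(rng: random.Random, data: bytes) -> bytes:
    """One random edit: overwrite a byte (usually), insert a byte, or delete one."""
    buf = bytearray(data)
    roll = rng.random()
    if not buf:
        buf.append(rng.randrange(256))
    elif roll < 0.7:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif roll < 0.85:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    else:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


@dataclass
class FuzzResult:
    crash_input: Optional[bytes] = None
    exception: Optional[Exception] = None
    iterations: int = 0
    coverage: Set[int] = field(default_factory=set)


def fuzz(target: Callable[[bytes], object], seed: bytes,
         max_iterations: int = 100_000, rng_seed: int = 1) -> FuzzResult:
    """Mutate inputs, keep the ones that reach new lines, stop at the first crash."""
    rng = random.Random(rng_seed)
    result = FuzzResult()
    seen, err = run_with_coverage(target, seed)
    corpus: List[Tuple[bytes, Set[int]]] = [(seed, seen)]
    result.coverage |= seen
    if err is not None:
        result.crash_input, result.exception = seed, err
    while result.crash_input is None and result.iterations < max_iterations:
        result.iterations += 1
        # Half the time mutate the deepest input so far, otherwise a random one.
        if rng.random() < 0.5:
            parent = max(corpus, key=lambda entry: len(entry[1]))[0]
        else:
            parent = rng.choice(corpus)[0]
        child = mutate(rng, parent)
        seen, err = run_with_coverage(target, child)
        if err is not None:
            result.crash_input, result.exception = child, err
        if not seen <= result.coverage:  # reached a line no earlier input reached
            corpus.append((child, seen))
            result.coverage |= seen
    return result


if __name__ == "__main__":
    r = fuzz(parse_record, seed=b"\x00" * 4)
    print(f"{r.iterations} iterations, {len(r.coverage)} lines covered, "
          f"crash input {r.crash_input!r} -> {r.exception!r}")
```

Without the coverage feedback the magic bytes would have to be hit by blind luck (one in 2^24 for three bytes); with it the fuzzer climbs the checks one byte at a time and finds the crash in a few thousand iterations. The crash input is re-run through `run_with_coverage` before it is trusted, which is the reproducibility check real fuzzers do before reporting.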

Conversely, if you're twenty levels deep into a program and you find a problem, who knows if that problem is even exploitable. Anywhere along those 19 layers above you there might be something that stops you. Often it's a hassle to figure that out.

SAT and SMT solvers are technologies that automate figuring out whether things are exploitable after all. They're quite effective. These solvers are of course used in a variety of ways; they're probably the most effective "machine learning" tech in security right now.

Finding Access Vulnerabilities

What generally happens is that an advanced or elite hacker writes a scanning tool that looks for well-known vulnerabilities, and the elite hacker makes it available over the Internet. Less experienced hackers, commonly called "script kiddies," then run the scanning tool 24 x 7, scanning large numbers of systems and finding many systems that are vulnerable. They typically run the tool against the name-spaces associated with companies they would like to get into.

The script kiddies use a list of vulnerable IP addresses to launch attacks, based on the vulnerabilities advertised by a machine, to gain access to systems. Depending on the vulnerability, an attacker may be able to create either a privileged or non-privileged account. Regardless, the attacker uses this initial entry (also referred to as a "toe-hold") in the system to gain additional privileges and exploit the systems the penetrated system has trust relationships with, shares information with, is on the same network with, and so on.

sources: https://www.quora.com/What-is-the-proces...rabilities

YOU DO NOT NEED TO FIND EXPLOITS TO USE THEM!

There are tons of public exploits that still work, because people do not update their systems and most websites do not pay for any kind of security. There are well-known, legal databases that list every exploit that has been made public so far.

There are tons of different exploits for different software and hardware, all free to copy and abuse. Caveat: a public exploit is also a public signature, so patched targets and intrusion detection systems will usually recognise it.

So here is where you can find them.

The Exploit Database

  • Exploits, Shellcode, 0days, Remote Exploits, Local Exploits, Web Apps, Vulnerability Reports, Security Articles, Tutorials and more

https://www.exploit-db.com/

Vulnerability and Exploit Database

  • Technical details for over 180,000 vulnerabilities and 4,000 exploits are available for security professionals and researchers to review

https://www.rapid7.com/db/

CXSecurity

  • Independent information about security is a huge collection of information on data communications safety

https://cxsecurity.com/

Vulnerability Lab

  • Offers access to a large vulnerability database complete with exploits and PoCs for research purposes

https://www.vulnerability-lab.com/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9- Create fake apps:

If you can already create a fake Instagram login page (Method 5 above), then why not create a fake Instagram app that looks exactly like the original and collect users' data from the app? It is easy to create an Instagram clone app if you have the necessary skills, or the patience and time to learn Android application development. Once you have built your app, the remaining job is to make sure your victim downloads the fake app on their phone and uses it to log in to Instagram. Make sure the app redirects the target to the real Instagram login page after you have collected their data, in order to avoid raising any suspicion.

The basic concept of social engineering is to trick your victims into telling you their username and password indirectly. Social engineering has been around for years. It is the art of making people hand you the specific information you are looking for, rather than obtaining it by brute force or spy apps.

Most social engineering tricks are used to get the victim's username and password for a specific website. You can apply the same skills to acquire the Instagram username and password of your target and use them to get into their Instagram account. Most social engineering ploys impersonate a representative of the platform, in this case Instagram, who contacts the user about a breach of the company's security that has made it necessary for all users to change their passwords. They will even ask the user to provide a new password for the account.

Most Instagram social engineering tactics work about half the time in the real world. All it takes to succeed is a good understanding of the victim's typical behaviour and of the kind of password they would set. You would be surprised by the number of people who use their own name, their pet's name or their girlfriend's phone number as their password. Most people are quite predictable once you get to know them well.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

10- Malware/ Rats/ Trojan

HOW TO MAKE YOUR OWN RAT FILE

Tutorials:

How to get remote access to your hacking targets // reverse shells with netcat (Windows and Linux!!)

Remcos RAT Review - The Most Advanced Remote Access Tool

R.A.T (Hacking Software) Tier List! (Educational Purposes Only)

Tools:

AndroidSPY RAT

https://github.com/qH0sT/AndroSpy

TheFatRAT

https://github.com/screetsec/TheFatRat

EvilOSX

https://github.com/Marten4n6/EvilOSX

Malware collection:

https://github.com/vxunderground/MalwareSourceCode

Malware collection v2:

https://github.com/RamadhanAmizudin/malware

HOW TO SPREAD YOUR MALWARE:

1) Youtube Tutorials

This is literally one of the easiest ways to do it.

First step:

You can either create a new YouTube account, which will require tons of work and advertising to get barely any views,

OR you can buy a YouTube channel with a high number of followers instead.

These are websites where you could buy YouTube accounts:

https://accs-market.com/youtube

(Best one in my opinion. Pay with PayPal so you can request a refund in case you get scammed.)

and

https://fameswap.com/browse-youtube-accounts-for-sale

(I HAD NO EXPERIENCE WITH THIS WEBSITE)

The titles on the videos you post should be looking like this:

CSGO HACK FREE NOW [WALLHACK, AIMBOT]

GTA V MOD MENU [UNDETECTED] 2.000.000 IN ONE SECOND!

DISCORD NITRO GENERATOR [100k CODES IN ONE SECOND]

DISCORD TOKEN GENERATOR ....

and so on

Second step:

Depending on how lazy you are you can either make your own tutorials or download videos from other YouTubers and change the description to point at your malware-infected tool.

In the description of the video you need to provide a link to download the mod/hack/script; in this case it is your own RAT, malware, miner or whatever you want to use.

Third step:

This one is not really necessary but you can try to advertise your videos to other people on Discord or other platforms where you think people

might be interested in your content. There are a lot of Discord servers where you can post your YouTube video without getting banned or muted.

Do it frequently and build up your own viewerbase.

This is it. This is how easy it is.

2) Phishing Emails

You can use opensource scripts to spam phishing Emails to tons of other people.

This will increase your chance in someone falling for the malware you are sending them.

Keep in mind:

People would rather open excel and word files than EXE files so you can also use files like "YOUR DATA.xls"

People would trust an email with a credible message (No spelling mistakes, professionality)

Try to pressure the victim to answer (This Link will only work for 24 hours... etc)

Here are some Emails for you

3) Pastebin/ Hastebin method

Spread your malware download links on Hastebin/Pastebin.

This helps because a lot of people use those websites to upload their stuff. They usually dork around on Google to find new accounts or methods,

and they end up finding your malware through the keywords you added to the uploaded text next to the link.

Use those those Websites to get good Keywords:

https://keywordtool.io/

https://ahrefs.com/de/keyword-generator

https://www.internet-marketing-inside.de...-Tool.html

4) Hacking Forums

Those are one of the best tactics because nearly everyone does it.

All of those people do not use their brain and if there is a malware that did not get detected

by Virustotal EVERYONE would download it and the staff would also not notice it.

Threads are really easy to create and they have absolutely no limitations at all.

You can post whatever you want and as long as the malware isnt too obvious you are able to spread it for a long long time.

And if you get banned? Create a new account thats all it takes.

5) E-whoring

This Method is not only a good way to make tons of money but also an awesome way to get private information of people.

So you're first going to want to create a Snapchat/ Pintrest/ Instagram account with a spam email.

Make sure to add tons of details to the profile to make it look more believable. For example verify the E-Mail have some followers and posts etc.

Do not spam add or spam follow people because social media apps all restricted spam-like behaviour.

So if you wanna be careful: take it slow.

The best platforms to like spread your snapchat name is basically Yubo, Hoop or Omegle chat.

Use any E-Whoring leak you can find and send it to people after holding on a long conversation with them.

From there you are free to do with the person whatever you want. Because if she starts loving you you can send and tell them to do whatever you want.

You can even get them to send you money from there on and and even get them to spread your malware to more people.

6) Automated Methods

You can either leave an accuont e whoring for you through using multiple chat bots or automated spam scripts that spam the download link to other people.

Those are the typical spam messages or groupchats you get on Instagram. You would ignore it but trust me tons of other people do click on the links

without even hesitating.

Another method would be to basically inject the malware into a game or a well known app and let your close friend circle use it and get them to somehow spread it all around their

own friend-group too. You can use it for your own class you are in or a university.

A game app is hard to analyze and noone has the skill required to do it so you can abuse the lack of knowledge in here for you own advantage.

Get Discord Mass DM Scripts and advertise that malware with stolen or bought tokens.

Tokens are extremly cheap and you can buy 1k for barely 4 Euro. You can even buy token generators for like 60 Euro and they will work forever.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

7) Monitoring apps

Paid:

https://www.dynatrace.com/ (application performance monitoring for servers and services, not a spy app)

https://www.manageengine.com (IT management suite)

Free:

https://mobile-tracker-free.de (phone monitoring)

https://www.mspy.com (phone monitoring; the full product is a paid subscription)

https://www.clevguard.com (phone monitoring; the full product is a paid subscription)

https://tmetric.com (time tracking for teams, not device monitoring)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

8) Advanced Social Engeneering

Grab webcam shots through a link (the link opens a page that asks the browser for camera permission, so it only works if the victim grants it):

https://github.com/hangetzzu/saycheese

The Social-Engineer Toolkit (SET):

https://github.com/trustedsec/social-engineer-toolkit

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

9) HQ Hacking Websites

Exploits Database

http://www.exploit-db.com/

http://www.intelligentexploit.com

http://www.shodanhq.com/

http://packetstormsecurity.com/

Vulnerabilities Database

https://cve.mitre.org/cve/

http://www.cvedetails.com/

https://nvd.nist.gov/

http://osvdb.org/ (shut down in 2016)

https://www.kb.cert.org/vuls/

https://secunia.com/community/advisories/search/

http://www.securityfocus.com/bid

http://lwn.net/Vulnerabilities/

http://denimgroup.com/resources-threadfix/

http://www.vulnerability-lab.com

http://www.secdocs.org/

Hacking Tutorials

https://www.offensive-security.com/

http://www.kalitutorials.net/2013/08/kali-linux.html

https://www.youtube.com/user/DEFCONConference

https://www.youtube.com/user/Hak5Darren

https://www.youtube.com/user/sansinstitute

https://en.wikibooks.org/wiki/Metasploit/VideoTutorials

http://www.hacking-tutorial.com/

http://breakthesecurity.cysecurity.org/

http://www.securitytube.net/

http://www.ehacking.net/

https://vimeo.com/channels/fullscopesecurity

http://www.spacerogue.net/wordpress/

Virus Scan

https://www.virustotal.com/nl/

http://anubis.iseclab.org/

http://virusscan.jotti.org/it

No-distribute scanners (results are not shared with AV vendors)

http://v2.scan.majyx.net/?page=home

http://fuckingscan.me/

https://anonscanner.com/

http://nodistribute.com/

http://www.file2scan.net/

Tools Download

http://tools.kali.org/tools-listing

http://insecure.org/

http://www.hackersonlineclub.com/hacking-tools

https://www.concise-courses.com/hacking-tools/

http://www.darknet.org.uk/category/hacking-tools/

http://www.kitploit.com/

http://www.toolswatch.org/

http://www.blackarch.org/tools.html

https://pentest-tools.com/reconnaissance/google-hacking

https://gexos.github.io/Hacking-Tools-Repository/

http://www.romhacking.net/utilities/

Network Online Tools

http://www.yougetsignal.com/

http://www.dnswatch.info/

http://www.nirsoft.net/countryip/

http://www.tcpiputils.com/

http://www.coffer.com/mac_find/

http://bgp.he.net/

http://www.sockets.com/services.htm

http://services.ce3c.be/ciprg/

IP Lookup

http://ip-api.com/

http://www.my-ip-neighbors.com/

http://www.whatismyip.com/

http://www.ip2location.com/demo

http://freegeoip.net/static/index.html

http://whatstheirip.com

http://ipaddress.com

http://www.ip-adress.com/ipaddresstolocation/

Encrypt / Decrypt

http://crypo.in.ua/tools/

http://www.tools4noobs.com/online_tools/decrypt/

http://codebeautify.org/encrypt-decrypt

http://textmechanic.com/Encryption-Generator.html

http://www.yellowpipe.com/yis/tools/encrypter/

https://github.com/AlisamTechnology/ATSCAN

exploits.my.id – Web panel for scanners and other tools

hostedscan.com – Web-based vulnerability scanner

hackertarget.com – Multiple web-based scanners

nmmapper.com – Nmap and other scanners/tools

nmap.online – Nmap scanner online

suip.biz – Lots of scanners and other tools

Recon

Subdomain Enumeration

  • Sublist3r – Fast subdomains enumeration tool for penetration testers
  • Amass – In-depth Attack Surface Mapping and Asset Discovery
  • massdns – A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)
  • Findomain – The fastest and cross-platform subdomain enumerator, do not waste your time.
  • Sudomy – Sudomy is a subdomain enumeration tool to collect subdomains and analyzing domains performing automated reconnaissance (recon) for bug hunting / pentesting
  • chaos-client – Go client to communicate with Chaos DNS API.
  • domained – Multi Tool Subdomain Enumeration
  • bugcrowd-levelup-subdomain-enumeration – This repository contains all the material from the talk “Esoteric sub-domain enumeration techniques” given at Bugcrowd LevelUp 2017 virtual conference
  • shuffledns – shuffleDNS is a wrapper around massdns written in go that allows you to enumerate valid subdomains using active bruteforce as well as resolve subdomains with wildcard handling and easy input-output…
  • censys-subdomain-finder – Perform subdomain enumeration using the certificate transparency logs from Censys.
  • Turbolist3r – Subdomain enumeration tool with analysis features for discovered domains
  • censys-enumeration – A script to extract subdomains/emails for a given domain using SSL/TLS certificate dataset on Censys
  • tugarecon – Fast subdomains enumeration tool for penetration testers.
  • as3nt – Another Subdomain ENumeration Tool
  • Subra – A Web-UI for subdomain enumeration (subfinder)
  • Substr3am – Passive reconnaissance/enumeration of interesting targets by watching for SSL certificates being issued
  • domain – enumall.py setup script for Recon-ng
  • altdns – Generates permutations, alterations and mutations of subdomains and then resolves them
  • brutesubs – An automation framework for running multiple open sourced subdomain bruteforcing tools (in parallel) using your own wordlists via Docker Compose
  • dns-parallel-prober – This is a parallelised domain name prober to find as many subdomains of a given domain as fast as possible.
  • dnscan – dnscan is a python wordlist-based DNS subdomain scanner.
  • knock – Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist.
  • hakrevdns – Small, fast tool for performing reverse DNS lookups en masse.
  • dnsx – Dnsx is a fast and multi-purpose DNS toolkit allow to run multiple DNS queries of your choice with a list of user-supplied resolvers.
  • subfinder – Subfinder is a subdomain discovery tool that discovers valid subdomains for websites.
  • assetfinder – Find domains and subdomains related to a given domain
  • crtndstry – Yet another subdomain finder
  • VHostScan – A virtual host scanner that performs reverse lookups
  • scilla – Information Gathering tool – DNS / Subdomains / Ports / Directories enumeration

Port Scanning

  • masscan – TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • RustScan – The Modern Port Scanner
  • naabu – A fast port scanner written in go with focus on reliability and simplicity.
  • nmap – Nmap – the Network Mapper. Github mirror of official SVN repository.
  • sandmap – Nmap on steroids. Simple CLI with the ability to run pure Nmap engine, 31 modules with 459 scan profiles.
  • ScanCannon – Combines the speed of masscan with the reliability and detailed enumeration of nmap

Screenshots

  • EyeWitness – EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
  • aquatone – Aquatone is a tool for visual inspection of websites across a large amount of hosts and is convenient for quickly gaining an overview of HTTP-based attack surface.
  • screenshoteer – Make website screenshots and mobile emulations from the command line.
  • gowitness – gowitness – a golang, web screenshot utility using Chrome Headless
  • WitnessMe – Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
  • eyeballer – Convolutional neural network for analyzing pentest screenshots
  • scrying – A tool for collecting RDP, web and VNC screenshots all in one place
  • Depix – Recovers passwords from pixelized screenshots
  • httpscreenshot – HTTPScreenshot is a tool for grabbing screenshots and HTML of large numbers of websites.

Technologies

  • wappalyzer – Identify technology on websites.
  • webanalyze – Port of Wappalyzer (uncovers technologies used on websites) to automate mass scanning.
  • python-builtwith – BuiltWith API client
  • whatweb – Next generation web scanner
  • retire.js – scanner detecting the use of JavaScript libraries with known vulnerabilities
  • httpx – httpx is a fast and multi-purpose HTTP toolkit allows to run multiple probers using retryablehttp library, it is designed to maintain the result reliability with increased threads.

Content Discovery

  • gobuster – Directory/File, DNS and VHost busting tool written in Go
  • recursebuster – rapid content discovery tool for recursively querying webservers, handy in pentesting and web application assessments
  • feroxbuster – A fast, simple, recursive content discovery tool written in Rust.
  • dirsearch – Web path scanner
  • dirsearch – A Go implementation of dirsearch.
  • filebuster – An extremely fast and flexible web fuzzer
  • dirstalk – Modern alternative to dirbuster/dirb
  • dirbuster-ng – dirbuster-ng is C CLI implementation of the Java dirbuster tool
  • gospider – Gospider – Fast web spider written in Go
  • hakrawler – Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application

Links

  • LinkFinder – A python script that finds endpoints in JavaScript files
  • JS-Scan – a .js scanner, built in php. designed to scrape urls and other info
  • LinksDumper – Extract (links/possible endpoints) from responses & filter them via decoding/sorting
  • GoLinkFinder – A fast and minimal JS endpoint extractor
  • BurpJSLinkFinder – Burp Extension for a passive scanning JS files for endpoint links.
  • urlgrab – A golang utility to spider through a website searching for additional links.
  • waybackurls – Fetch all the URLs that the Wayback Machine knows about for a domain
  • gau – Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl.
  • getJS – A tool to quickly get all JavaScript sources/files

Parameters

  • parameth – This tool can be used to brute-force discover GET and POST parameters
  • param-miner – This extension identifies hidden, unlinked parameters. It’s particularly useful for finding web cache poisoning vulnerabilities.
  • ParamPamPam – A tool to brute-force discover GET and POST parameters.
  • Arjun – HTTP parameter discovery suite.
  • ParamSpider – Mining parameters from dark corners of Web Archives

Fuzzing

  • wfuzz – Web application fuzzer
  • ffuf – Fast web fuzzer written in Go
  • fuzzdb – Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  • IntruderPayloads – A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
  • fuzz.txt – Potentially dangerous files
  • fuzzilli – A JavaScript Engine Fuzzer
  • fuzzapi – Fuzzapi is a tool used for REST API pentesting and uses API_Fuzzer gem
  • qsfuzz – qsfuzz (Query String Fuzz) allows you to build your own rules to fuzz query strings and easily identify vulnerabilities.

Exploitation

Command Injection

  • commix – Automated All-in-One OS command injection and exploitation tool.

CORS Misconfiguration

  • Corsy – CORS Misconfiguration Scanner
  • CORStest – A simple CORS misconfiguration scanner
  • cors-scanner – A multi-threaded scanner that helps identify CORS flaws/misconfigurations
  • CorsMe – Cross Origin Resource Sharing MisConfiguration Scanner

CRLF Injection

  • crlfuzz – A fast tool to scan CRLF vulnerability written in Go
  • CRLF-Injection-Scanner – Command line tool for testing CRLF injection on a list of domains.
  • Injectus – CRLF and open redirect fuzzer

CSRF Injection

  • XSRFProbe – The Prime Cross Site Request Forgery (CSRF) Audit and Exploitation Toolkit.

Directory Traversal

  • dotdotpwn – DotDotPwn – The Directory Traversal Fuzzer
  • FDsploit – File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
  • off-by-slash – Burp extension to detect alias traversal via NGINX misconfiguration at scale.
  • liffier – Tired of manually adding dot-dot-slash to a possible path traversal? This short snippet increments ../ on the URL.

File Inclusion

  • liffy – Local file inclusion exploitation tool
  • Burp-LFI-tests – Fuzzing for LFI using Burpsuite
  • LFI-Enum – Scripts to execute enumeration via LFI
  • LFISuite – Totally Automatic LFI Exploiter (+ Reverse Shell) and Scanner
  • LFI-files – Wordlist to bruteforce for LFI

GraphQL Injection

  • inql – InQL – A Burp Extension for GraphQL Security Testing
  • GraphQLmap – GraphQLmap is a scripting engine to interact with a graphql endpoint for pentesting purposes.
  • shapeshifter – GraphQL security testing tool
  • graphql_beautifier – Burp Suite extension to help make GraphQL requests more readable
  • clairvoyance – Obtain GraphQL API schema despite disabled introspection!

Header Injection

  • headi – Customisable and automated HTTP header injection.

Insecure Deserialization

  • ysoserial – A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
  • GadgetProbe – Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
  • ysoserial.net – Deserialization payload generator for a variety of .NET formatters
  • phpggc – PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.

Insecure Direct Object References

  • Autorize – Automatic authorization enforcement detection extension for Burp Suite, written in Jython, developed by Barak Tawily

Open Redirect

  • Oralyzer – Open Redirection Analyzer
  • Injectus – CRLF and open redirect fuzzer
  • dom-red – Small script to check a list of domains against open redirect vulnerability
  • OpenRedireX – A Fuzzer for OpenRedirect issues

Race Condition

  • razzer – A Kernel fuzzer focusing on race bugs
  • racepwn – Race Condition framework
  • requests-racer – Small Python library that makes it easy to exploit race conditions in web apps with Requests.
  • turbo-intruder – Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results.
  • race-the-web – Tests for race conditions in web applications. Includes a RESTful API to integrate into a continuous integration pipeline.

Request Smuggling

  • http-request-smuggling – HTTP Request Smuggling Detection Tool
  • smuggler – Smuggler – An HTTP Request Smuggling / Desync testing tool written in Python 3
  • h2csmuggler – HTTP Request Smuggling over HTTP/2 Cleartext (h2c)
  • tiscripts – Scripts I use to create Request Smuggling Desync payloads for CLTE and TECL style attacks.

Server Side Request Forgery

  • SSRFmap – Automatic SSRF fuzzer and exploitation tool
  • Gopherus – This tool generates gopher link for exploiting SSRF and gaining RCE in various servers
  • ground-control – A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
  • SSRFire – An automated SSRF finder. Just give the domain name and your server and chill! Also has options to find XSS and open redirects
  • httprebind – Automatic tool for DNS rebinding-based SSRF attacks
  • ssrf-sheriff – A simple SSRF-testing sheriff written in Go
  • B-XSSRF – Toolkit to detect and keep track on Blind XSS, XXE & SSRF
  • extended-ssrf-search – Smart ssrf scanner using different methods like parameter brute forcing in post and get…
  • gaussrf – Fetch known URLs from AlienVault’s Open Threat Exchange, the Wayback Machine, and Common Crawl and Filter Urls With OpenRedirection or SSRF Parameters.
  • ssrfDetector – Server-side request forgery detector
  • grafana-ssrf – Authenticated SSRF in Grafana
  • sentrySSRF – Tool to search for Sentry config on a page or in JavaScript files and check for blind SSRF
  • lorsrf – Bruteforcing on Hidden parameters to find SSRF vulnerability using GET and POST Methods
  • singularity – A DNS rebinding attack framework.
  • whonow – A “malicious” DNS server for executing DNS Rebinding attacks on the fly (public instance running on rebind.network:53)
  • dns-rebind-toolkit – A front-end JavaScript toolkit for creating DNS rebinding attacks.
  • dref – DNS Rebinding Exploitation Framework
  • rbndr – Simple DNS Rebinding Service
  • httprebind – Automatic tool for DNS rebinding-based SSRF attacks
  • dnsFookup – DNS rebinding toolkit (https://github.com/makuga01/dnsFookup)

SQL Injection

  • sqlmap – Automatic SQL injection and database takeover tool
  • NoSQLMap – Automated NoSQL database enumeration and web application exploitation tool.
  • SQLiScanner – Automatic SQL injection with Charles and sqlmap api
  • SleuthQL – Python3 Burp History parsing tool to discover potential SQL injection points. To be used in tandem with SQLmap.
  • mssqlproxy – mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
  • sqli-hunter – SQLi-Hunter is a simple HTTP / HTTPS proxy server and a SQLMAP API wrapper that makes digging SQLi easy.
  • waybackSqliScanner – Gather urls from wayback machine then test each GET parameter for sql injection.
  • ESC – Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features.
  • mssqli-duet – SQL injection script for MSSQL that extracts domain users from an Active Directory environment based on RID bruteforcing
  • burp-to-sqlmap – Performing SQLInjection test on Burp Suite Bulk Requests using SQLMap
  • BurpSQLTruncSanner – Messy BurpSuite plugin for SQL Truncation vulnerabilities.
  • andor – Blind SQL Injection Tool with Golang
  • Blinder – A python library to automate time-based blind SQL injection
  • sqliv – massive SQL injection vulnerability scanner
  • nosqli – NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.

XSS Injection

  • XSStrike – Most advanced XSS scanner.
  • xssor2 – XSS’OR – Hack with JavaScript.
  • xsscrapy – XSS spider – 66/66 wavsep XSS detected
  • sleepy-puppy – Sleepy Puppy XSS Payload Management Framework
  • ezXSS – ezXSS is an easy way for penetration testers and bug bounty hunters to test (blind) Cross Site Scripting.
  • xsshunter – The XSS Hunter service – a portable version of XSSHunter.com
  • dalfox – DalFox(Finder Of XSS) / Parameter Analysis and XSS Scanning tool based on golang
  • xsser – Cross Site “Scripter” (aka XSSer) is an automatic -framework- to detect, exploit and report XSS vulnerabilities in web-based applications.
  • XSpear – Powerful XSS scanning and parameter analysis tool & gem
  • weaponised-XSS-payloads – XSS payloads designed to turn alert(1) into P1
  • tracy – A tool designed to assist with finding all sinks and sources of a web application and display these results in a digestible manner.
  • ground-control – A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
  • xssValidator – This is a burp intruder extender that is designed for automation and validation of XSS vulnerabilities.
  • JSShell – An interactive multi-user web JS shell
  • bXSS – bXSS is a utility which can be used by bug hunters and organizations to identify Blind Cross-Site Scripting.
  • docem – Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)
  • XSS-Radar – XSS Radar is a tool that detects parameters and fuzzes them for cross-site scripting vulnerabilities.
  • BruteXSS – BruteXSS is a tool written in python simply to find XSS vulnerabilities in web application.
  • findom-xss – A fast DOM based XSS vulnerability scanner with simplicity.
  • domdig – DOM XSS scanner for Single Page Applications
  • femida – Automated blind-xss search for Burp Suite
  • B-XSSRF – Toolkit to detect and keep track on Blind XSS, XXE & SSRF
  • domxssscanner – DOMXSS Scanner is an online tool to scan source code for DOM based XSS vulnerabilities
  • xsshunter_client – Correlated injection proxy tool for XSS Hunter
  • extended-xss-search – A better version of my xssfinder tool – scans for different types of xss on a list of urls.
  • xssmap – XSSMap is a Python3-based tool for detecting XSS vulnerabilities
  • XSSCon – XSSCon: Simple XSS Scanner tool
  • BitBlinder – BurpSuite extension to inject custom cross-site scripting payloads on every form/request submitted to detect blind XSS vulnerabilities
  • XSSOauthPersistence – Maintaining account persistence via XSS and Oauth
  • shadow-workers – Shadow Workers is a free and open source C2 and proxy designed for penetration testers to help in the exploitation of XSS and malicious Service Workers (SW)
  • rexsser – This is a burp plugin that extracts keywords from response using regexes and test for reflected XSS on the target scope.
  • xss-flare – XSS hunter on cloudflare serverless workers.
  • Xss-Sql-Fuzz – Burp Suite plugin that automatically adds XSS and SQL payloads to all GET/POST parameters (filtering out special parameters) with one click, for fuzzing
  • vaya-ciego-nen – Detect, manage and exploit Blind Cross-site scripting (XSS) vulnerabilities.
  • dom-based-xss-finder – Chrome extension that finds DOM based XSS vulnerabilities
  • XSSTerminal – Develop your own XSS Payload using interactive typing
  • xss2png – PNG IDAT chunks XSS payload generator
  • XSSwagger – A simple Swagger-ui scanner that can detect old versions vulnerable to various XSS attacks

XXE Injection

  • ground-control – A collection of scripts that run on my web server. Mainly for debugging SSRF, blind XSS, and XXE vulnerabilities.
  • dtd-finder – List DTDs and generate XXE payloads using those local DTDs.
  • docem – Utility to embed XXE and XSS payloads in docx, odt, pptx, etc. (OXML_XEE on steroids)
  • xxeserv – A mini webserver with FTP support for XXE payloads
  • xxexploiter – Tool to help exploit XXE vulnerabilities
  • B-XSSRF – Toolkit to detect and keep track on Blind XSS, XXE & SSRF
  • XXEinjector – Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
  • oxml_xxe – A tool for embedding XXE/XML exploits into different filetypes
  • metahttp – A bash script that automates the scanning of a target network for HTTP resources through XXE

Miscellaneous

Passwords

  • thc-hydra – Hydra is a parallelized login cracker which supports numerous protocols to attack.
  • DefaultCreds-cheat-sheet – One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password
  • changeme – A default credential scanner.
  • BruteX – Automatically brute force all services running on a target.
  • patator – Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.

Secrets

  • git-secrets – Prevents you from committing secrets and credentials into git repositories
  • gitleaks – Scan git repos (or files) for secrets using regex and entropy
  • truffleHog – Searches through git repositories for high entropy strings and secrets, digging deep into commit history
  • gitGraber – gitGraber: monitor GitHub to search and find sensitive data in real time for different online services
  • talisman – By hooking into the pre-push hook provided by Git, Talisman validates the outgoing changeset for things that look suspicious – such as authorization tokens and private keys.
  • GitGot – Semi-automated, feedback-driven tool to rapidly search through troves of public data on GitHub for sensitive secrets.
  • git-all-secrets – A tool to capture all the git secrets by leveraging multiple open source git searching tools
  • github-search – Tools to perform basic search on GitHub.
  • git-vuln-finder – Finding potential software vulnerabilities from git commit messages
  • commit-stream – #OSINT tool for finding Github repositories by extracting commit logs in real time from the Github event API
  • gitrob – Reconnaissance tool for GitHub organizations
  • repo-supervisor – Scan your code for security misconfiguration, search for passwords and secrets.
  • GitMiner – Tool for advanced mining for content on Github
  • shhgit – Ah shhgit! Find GitHub secrets in real time
  • detect-secrets – An enterprise friendly way of detecting and preventing secrets in code.
  • rusty-hog – A suite of secret scanners built in Rust for performance. Based on TruffleHog
  • whispers – Identify hardcoded secrets and dangerous behaviours
  • yar – Yar is a tool for plunderin’ organizations, users and/or repositories.
  • dufflebag – Search exposed EBS volumes for secrets
  • secret-bridge – Monitors Github for leaked secrets
  • earlybird – EarlyBird is a sensitive data detection tool capable of scanning source code repositories for clear text password violations, PII, outdated cryptography methods, key files and more.
  • Trufflehog-Chrome-Extension – Trufflehog-Chrome-Extension

Git

  • GitTools – A repository with 3 tools for pwn’ing websites with .git repositories available
  • gitjacker – Leak git repositories from misconfigured websites
  • git-dumper – A tool to dump a git repository from a website
  • GitHunter – A tool for searching a Git repository for interesting content
  • dvcs-ripper – Rip web accessible (distributed) version control systems: SVN/GIT/HG…

Buckets

  • S3Scanner – Scan for open AWS S3 buckets and dump the contents
  • AWSBucketDump – Security Tool to Look For Interesting Files in S3 Buckets
  • CloudScraper – CloudScraper: Tool to enumerate targets in search of cloud resources. S3 Buckets, Azure Blobs, Digital Ocean Storage Space.
  • s3viewer – Publicly Open Amazon AWS S3 Bucket Viewer
  • festin – FestIn – S3 Bucket Weakness Discovery
  • s3reverse – Converts the various S3 bucket formats into one format, for bug bounty and security testing.
  • mass-s3-bucket-tester – This tests a list of s3 buckets to see if they have dir listings enabled or if they are uploadable
  • S3BucketList – Firefox plugin that lists Amazon S3 Buckets found in requests
  • dirlstr – Finds Directory Listings or open S3 buckets from a list of URLs
  • Burp-AnonymousCloud – Burp extension that performs a passive scan to identify cloud buckets and then test them for publicly accessible vulnerabilities
  • kicks3 – S3 bucket finder from html,js and bucket misconfiguration testing tool
  • 2tearsinabucket – Enumerate s3 buckets for a specific target.
  • s3_objects_check – Whitebox evaluation of effective S3 object permissions, to identify publicly accessible files.
  • s3tk – A security toolkit for Amazon S3
  • CloudBrute – Awesome cloud enumerator
  • s3cario – This tool will get the CNAME first if it’s a valid Amazon s3 bucket and if it’s not, it will try to check if the domain is a bucket name.
  • S3Cruze – All-in-one AWS S3 bucket tool for pentesters.

CMS

  • wpscan – WPScan is a free, for non-commercial use, black box WordPress security scanner
  • WPSpider – A centralized dashboard for running and scheduling WordPress scans powered by wpscan utility.
  • wprecon – WordPress Recon
  • CMSmap – CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
  • joomscan – OWASP Joomla Vulnerability Scanner Project
  • pyfiscan – Free web-application vulnerability and version scanner

JSON Web Token

  • jwt_tool – A toolkit for testing, tweaking and cracking JSON Web Tokens
  • c-jwt-cracker – JWT brute force cracker written in C
  • jwt-heartbreaker – Burp extension to check JWTs (JSON Web Tokens) for use of keys known from public sources
  • jwtear – Modular command-line tool to parse, create and manipulate JWT tokens for hackers
  • jwt-key-id-injector – Simple python script to check against hypothetical JWT vulnerability.
  • jwt-hack – jwt-hack is a tool for hacking / security testing of JWTs.
  • jwt-cracker – Simple HS256 JWT token brute force cracker

postMessage

  • postMessage-tracker – A Chrome Extension to track postMessage usage (url, domain and stack) both by logging using CORS and also visually as an extension-icon
  • PostMessage_Fuzz_Tool – #BugBounty #BugBounty Tools #WebDeveloper Tool

Subdomain Takeover

  • subjack – Subdomain Takeover tool written in Go
  • SubOver – A Powerful Subdomain Takeover Tool
  • autoSubTakeover – A tool used to check if a CNAME resolves to the scope address. If the CNAME resolves to a non-scope address it might be worth checking out if subdomain takeover is possible.
  • NSBrute – Python utility to takeover domains vulnerable to AWS NS Takeover
  • can-i-take-over-xyz – “Can I take over XYZ?” — a list of services and how to claim (sub)domains with dangling DNS records.
  • cnames – take a list of resolved subdomains and output any corresponding CNAMES en masse.
  • subHijack – Hijacking forgotten & misconfigured subdomains
  • tko-subs – A tool that can help detect and takeover subdomains with dead DNS records
  • HostileSubBruteforcer – This app will bruteforce for existing subdomains and provide information on whether the 3rd party host has been properly set up.
  • second-order – Second-order subdomain takeover scanner
  • takeover – A tool for testing subdomain takeover possibilities at a mass scale.

Vulnerability Scanners

  • nuclei – Nuclei is a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.
  • Sn1per – Automated pentest framework for offensive security experts
  • metasploit-framework – Metasploit Framework
  • nikto – Nikto web server scanner
  • arachni – Web Application Security Scanner Framework
  • jaeles – The Swiss Army knife for automated Web Application Testing
  • retire.js – scanner detecting the use of JavaScript libraries with known vulnerabilities
  • Osmedeus – Fully automated offensive security framework for reconnaissance and vulnerability scanning
  • getsploit – Command line utility for searching and downloading exploits
  • flan – A pretty sweet vulnerability scanner
  • Findsploit – Find exploits in local and online databases instantly
  • BlackWidow – A Python based web application scanner to gather OSINT and fuzz for OWASP vulnerabilities on a target website.
  • backslash-powered-scanner – Finds unknown classes of injection vulnerabilities
  • Eagle – Multithreaded Plugin based vulnerability scanner for mass detection of web-based applications vulnerabilities
  • cariddi – Take a list of domains, crawl urls and scan for endpoints, secrets, api keys, file extensions, tokens and more…

Uncategorized

  • JSONBee – A ready to use JSONP endpoints/payloads to help bypass content security policy (CSP) of different websites.
  • CyberChef – The Cyber Swiss Army Knife – a web app for encryption, encoding, compression and data analysis
  • bountyplz – Automated security reporting from markdown templates (HackerOne and Bugcrowd are currently the platforms supported)
  • PayloadsAllTheThings – A list of useful payloads and bypass for Web Application Security and Pentest/CTF
  • bounty-targets-data – This repo contains hourly-updated data dumps of bug bounty platform scopes (like Hackerone/Bugcrowd/Intigriti/etc) that are eligible for reports
  • android-security-awesome – A collection of android security related resources
  • awesome-mobile-security – An effort to build a single place for all useful android and iOS security related stuff.
  • awesome-vulnerable-apps – Awesome Vulnerable Applications
  • XFFenum – X-Forwarded-For [403 forbidden] enumeration
  • httpx – httpx is a fast and multi-purpose HTTP toolkit that runs multiple probers using the retryablehttp library; it is designed to maintain result reliability with increased threads.

Feature:

After an illegal file is uploaded, only a client-side pop-up window appears; the server has not verified the file at all.

Bypass:

Capture the request in Burp Suite and change the file extension to .jpg. Click UPLOAD to pass the client-side pre-check, then change the suffix back to .php in Burp Suite, and the file is finally uploaded to the server.

MIME standard:

It is mainly used for Internet mail extension types. Initially, mail only supported ASCII characters; support for data types such as images and videos was added later. The MIME standard defines a symbolic method for representing the various types of data.

The data type is indicated by a character identifier. The HTTP protocol also uses the MIME structure, in the form of the Content-Type field in the request header.

The Content-Type request header is set automatically by the browser by default, but the client can change it.

Bypass:

First upload a .jpg file, capture the packet after the browser's detection has set the header, then change the file suffix to .php while leaving the browser-set Content-Type in place.

1) Upper/lower-case confusion

Feature: blacklist filtering of .php .jsp .asp
Bypass: .PHP, .pHP and other case variants

2) Use a specific suffix

.phtml and .pht are suffixes of early mixed PHP/HTML files.

The Apache config file may contain a regular expression such as .+\.ph(p[345]?|t|tml), and a filename that matches it is parsed as PHP.

Feature: blacklist filtering of .php .PHP .pHP etc. (all case forms)
Bypass: modify the file suffix to .php1 .php2 ... .php5 .phtml .pht

3) Windows filename trailing dot/space

Windows automatically removes a trailing dot (or space) from a filename.
Bypass: modify the file name to xx.php. (trailing dot) or xx.php followed by a space.

4) Double-writing ::$DATA to bypass the regex

Feature: the server does not filter ::$DATA, or filters it incompletely.
Bypass: change the file suffix to .php::$DATA to bypass the PHP blacklist directly. Or change it to .php::$DAT::$DATAA to bypass a filter that strips ::$DATA normally: removing the inner ::$DATA once leaves .php::$DATA.

5) %00

magic_quotes_gpc is similar to the addslashes() function: it escapes certain characters. The premise of this exploit is that the PHP version is below 5.3 and magic_quotes_gpc=Off in php.ini.

Assume the full filename after a normal upload is /upload/test151236.jpg

Change the path passed in the GET request to /upload/test.php%00

Then upload a normal legal image; the full filename will be /upload/test.php%00test151236.jpg

Characters after %00 are truncated, so the full filename becomes /upload/test.php

6) .htaccess file rewrite

.htaccess is an Apache server configuration file that allows you to customize 404 pages, allow or block user access to specific directories, etc. The file applies to the current directory and its subdirectories.

Writing certain directives in the .htaccess file causes files whose names contain certain characters to be parsed as PHP, regardless of the file suffix.

Prerequisite: Apache httpd.conf with AllowOverride All

Feature: .htaccess files are not disabled
Bypass: first upload the .htaccess file, then upload a .jpg file whose name matches the rule written in .htaccess; the server treats the .jpg file as a PHP file and executes it.
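As an added example (not code from the original page), the Python below puts the blacklist check that items 1 to 4 defeat beside a hardened allowlist check that also covers the client-side-only and Content-Type sections above: every filename trick is neutralised before it reaches the filesystem, the extension must come from a short allowlist, the file's own leading bytes are checked instead of the client-controlled Content-Type, and the stored name is chosen by the server. The sample filenames, the JPEG-like header and the PHP marker are constructed test inputs; `weak_is_allowed`, `hardened_extension`, `storage_name` and `audit` are names chosen here.

```python
import re
import secrets

# Constructed sample uploads (filename, leading bytes). One entry per bypass
# shape described above; none of these is a captured real upload.
JPEG_HEADER = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed JPEG-like header
PHP_MARKER = b"<?php ?>"                           # constructed, inert PHP open/close tag
SAMPLE_UPLOADS = [
    ("cat.jpg", JPEG_HEADER),                   # legitimate upload
    ("shell.PHP", PHP_MARKER),                  # 1) case confusion
    ("shell.phtml", PHP_MARKER),                # 2) alternate suffix
    ("shell.php5", PHP_MARKER),                 # 2) alternate suffix
    ("shell.php.", PHP_MARKER),                 # 3) trailing dot, stripped by Windows
    ("shell.php ", PHP_MARKER),                 # 3) trailing space, stripped by Windows
    ("shell.php::$DATA", PHP_MARKER),           # 4) NTFS alternate data stream
    ("shell.php::$DAT::$DATAA", PHP_MARKER),    # 4) double-written ::$DATA
    ("test.php\x00test151236.jpg", PHP_MARKER), # 5) %00 truncation
    (".htaccess", b"# constructed"),            # 6) config file upload
    ("cat.jpg", PHP_MARKER),                    # MIME section: right name, wrong content
]

BLACKLIST = {".php", ".jsp", ".asp"}

def weak_is_allowed(filename: str) -> bool:
    """The kind of check items 1-4 defeat: raw client filename, case-sensitive
    blacklist, a single removal of "::$DATA", and no look at the bytes."""
    name = filename.replace("::$DATA", "", 1)
    ext = name[name.rfind("."):] if "." in name else ""
    return ext not in BLACKLIST

# Allowlisted extensions with the magic bytes each must start with.
ALLOWED = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}
# Whole-name allowlist: one base name, one extension; no spaces, NULs, colons or extra dots.
SAFE_NAME = re.compile(r"[a-z0-9_-]{1,64}\.[a-z0-9]{1,5}")

def hardened_extension(filename: str, content: bytes):
    """Return the vetted extension, or None if the upload must be rejected.
    Each step corresponds to one of the bypasses described above."""
    if "\x00" in filename:                    # 5) a NUL must never reach a filesystem API
        return None
    name = filename.casefold()                # 1) compare case-insensitively
    name = name.rstrip(". ")                  # 3) normalise as Windows would, then re-check
    if not SAFE_NAME.fullmatch(name):         # 4) "::$DATA", 6) leading dot, "x.php.jpg" all fail
        return None
    ext = name[name.rfind("."):]
    if ext not in ALLOWED:                    # 2) allowlist: .phtml/.php5/.pht can never match
        return None
    if not content.startswith(ALLOWED[ext]):  # MIME: trust the bytes, not Content-Type
        return None
    return ext

def storage_name(filename: str, content: bytes):
    """Server-chosen random name; the client name only selects the extension."""
    ext = hardened_extension(filename, content)
    return None if ext is None else secrets.token_hex(16) + ext

def audit(samples=SAMPLE_UPLOADS):
    """(filename, weak verdict, hardened verdict) per sample, so the gap is visible."""
    return [(name, weak_is_allowed(name), hardened_extension(name, data) is not None)
            for name, data in samples]

if __name__ == "__main__":
    for name, weak, hard in audit():
        print(f"{name!r:32} weak={weak!s:5} hardened={hard}")
```

Run stand-alone, the table shows the weak check passing nine of the ten crafted names (it only catches the direct ::$DATA form) while the hardened check rejects every one and accepts only the JPEG-like upload. Storing under `storage_name` also removes any dependence on the client name, which is what makes the trailing-dot, ::$DATA and %00 shapes irrelevant even if a later filesystem layer would mangle them.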

7) Server parse vulnerabilities

Apache parse vulnerability, etc.

Principle: some websites first save all uploaded files to a temporary directory, then check them one by one, deleting the files that do not meet the conditions and moving those that do into a new directory.

A file that is currently being accessed cannot be deleted.

Provided the temporary directory and temporary filename are known, use the Intruder module of Burp Suite to upload the file many times while accessing it many times at the same time.

When the server filters script files very strictly and is hard to bypass, consider combining image upload with file inclusion.
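The race above exists only because the unvalidated file is briefly reachable by URL in a web-served temporary directory. As an added example, not part of the original page, the Python below removes that window: the upload is written into a quarantine directory outside the document root, validated there, and published by an atomic rename under a server-chosen name, so a file is either absent from the served directory or already vetted. `store_upload`, `looks_like_png` and `demo` are names chosen here, and the PNG-like and PHP-tagged blobs are constructed inputs.

```python
import os
import secrets
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def looks_like_png(path: str) -> bool:
    """Minimal content check on the quarantined file; a real deployment would
    also re-encode the image so nothing but pixel data survives."""
    with open(path, "rb") as fh:
        return fh.read(len(PNG_MAGIC)) == PNG_MAGIC

def store_upload(data: bytes, quarantine_dir: str, served_dir: str):
    """Write to quarantine (never under the document root), validate there, and
    only then move into the served directory under a random name.
    Returns the published path, or None when the upload was rejected."""
    # mkstemp gives a private (0600) file with an unpredictable name, so nobody
    # can guess the temporary path the way the race above requires.
    fd, tmp_path = tempfile.mkstemp(dir=quarantine_dir)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
        if not looks_like_png(tmp_path):
            return None
        final_path = os.path.join(served_dir, secrets.token_hex(16) + ".png")
        # Atomic on the same filesystem: the served file appears fully vetted or not at all.
        os.replace(tmp_path, final_path)
        return final_path
    finally:
        # Rejected uploads (and anything left by an exception) never leave quarantine.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)

def demo():
    """Constructed inputs: one PNG-looking blob, one PHP-tagged blob."""
    with tempfile.TemporaryDirectory() as quarantine, tempfile.TemporaryDirectory() as served:
        ok = store_upload(PNG_MAGIC + b"\x00" * 32, quarantine, served)
        bad = store_upload(b"<?php ?>", quarantine, served)
        return {
            "published": ok is not None and os.path.dirname(ok) == served,
            "rejected": bad is None,
            "served_count": len(os.listdir(served)),
            "quarantine_empty": os.listdir(quarantine) == [],
        }

if __name__ == "__main__":
    print(demo())
```

The quarantine and served directories must sit on the same filesystem for `os.replace` to be a single rename; across filesystems it degrades to copy-and-delete and the window reappears. The served directory should also be configured so that nothing in it is ever executed by the web server, whatever its extension.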
