Links to useful free security related tools.
Tools that don’t fit elsewhere.
- GCHQ CyberChef – The Cyber Swiss Army Knife.
- hash-id – hash-id is a command line program for identifying hash types based on Zion3R’s implementation.
- socialhunter – Crawls the given URL and finds broken social media links that can be hijacked.
Tools for looking up file hashes.
- CIRCL Hash Lookup – Lookup hash against databases of known files. API available.
Malware sandboxes, virus scanners and more.
- Virus Total – Upload a file or submit a URL for checking against multiple AV products.
- Hybrid Analysis – Malware sandbox.
- ANY.RUN – Malware sandbox. Free lookups subject to limitations.
- CAPE Sandbox – Malware sandbox. Service seems to be down currently.
- Dragonfly – Automated malware sandbox. Dragonfly is unique in that it is built over different emulation engines and allows customization of entire operating systems and the rules used to hunt malware.
Post Exploitation Tools
- LaZagne (Windows) – Dump various passwords such as from web browsers, email clients and more.
- Chainsaw (Windows) – Quickly identify threats using event logs with Sigma detection rules.
- The Logfile Navigator (lnav) – The Log File Navigator, lnav for short, is an advanced log file viewer for the small-scale. It is a terminal application that can understand your log files and make it easy for you to find problems with little to no setup.
- Angle Grinder – Angle-grinder allows you to parse, aggregate, sum, average, min/max, percentile, and sort your data. You can see it, live-updating, in your terminal. Angle grinder is designed for when, for whatever reason, you don’t have your data in graphite/honeycomb/kibana/sumologic/splunk/etc. but still want to be able to do sophisticated analytics.
- Sysmon for Linux – Linux version of sysmon tool by Microsoft to aid in discovering compromised systems. Released very recently.
- OWASP Amass Project – The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
- Smap – Drop in replacement for nmap using the free Shodan API.
- Smithproxy – Smithproxy is highly configurable, fast and transparent TCP/UDP/TLS (SSL) proxy written in C++17.
- Linux Cat Scale – Linux CatScale is a bash script that uses live of the land tools to collect extensive data from Linux based hosts. The data aims to help DFIR professionals triage and scope incidents. An Elk Stack instance also is configured to consume the output and assist the analysis process.
- dnstwister – Search for typo squatting, potential phishing domains and potential IP violations of your domains.
- dnstwist – Similar to the above dnstwister web based tool.
- Cert Eagle – Monitor certificate transparency logs for domains/subdomains and receive alerts.
- Certstream – Monitor certificates being issued from certificate transparency logs in real time
- nrich – A command-line tool to quickly analyze all IPs in a file and see which ones have open ports/ vulnerabilities. Can also be fed data from stdin to be used in a data pipeline.
- ipinfo-cli – Command line tool to make lookups to the ipinfo API.
- subfinder – DNS subdomain discovery tool.
- Brida – Brida is a Burp Suite Extension that, working as a bridge between Burp Suite and Frida, lets you use and manipulate applications’ own methods while tampering the traffic exchanged between the applications and their back-end services/servers. It supports all platforms supported by Frida (Windows, macOS, Linux, iOS, Android, and QNX).
- Interactsh – Interactsh is an Open-Source Solution for Out of band Data Extraction, A tool designed to detect bugs that cause external interactions, For example – Blind SQLi, Blind CMDi, SSRF, etc.
- HOUDINI – Collection of various Docker images for penetration testing and auditing.
Exfil, C&C and Connectivity
- dnscat2 – Tunnel traffic via DNS. Unlike Iodine and other such tools its primary purpose is for C&C.
- Global Socket (gsocket) – Establish an encrypted TCP connection between two endpoints even with one or both endpoints being behind a firewall or NAT.
- Fast Reverse Proxy (frp) – Expose a server behind NAT and/or a firewall to the internet. Supports both TCP and UDP.