PentestLog

notes some projects in github

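A collection of commonly used tools and websites (an arsenal~), updated irregularly...

Links to other collection platforms or projects:
Open-source scanner collection: https://github.com/We5ter/Scanners-Box
Tool collection gathered from the T00ls forum: https://github.com/tengzhangchao/Sec-Box
Pentester navigation site (渗透师导航): https://www.shentoushi.top/
Information-gathering tool collection: https://github.com/redhuntlabs/Awesome-Asset-Discovery
K8 tool collection: https://github.com/k8gege/K8tools
App testing: https://github.com/Brucetg/App_Security
Red team resource link collection (lots of solid material): https://github.com/hudunkey/Red-Team-links
Practical red team tools: https://github.com/Threekiii/Awesome-Redteam
Another tools + EXP collection: https://github.com/Mr-xn/Penetration_Testing_POC/

The following were collected and organized personally

Miscellaneous

  • Java fileless webshell: https://github.com/rebeyond/memShell
  • Bettercap, the Swiss Army knife: https://github.com/bettercap/bettercap
  • Bulk XSS scanning, originally from the Xianzhi (先知) community: https://github.com/bsmali4/xssfork
  • Personally collected and written POCs:
  1. Cross-site data hijacking POC: https://github.com/nccgroup/CrossSiteContentHijacking
  2. Automated testing tool; the POCs are under the script path: https://github.com/Xyntax/POC-T/tree/master
  • Collection of webshells in various languages: https://github.com/tennc/webshell
  • XXE injection tool, written in Ruby: https://github.com/enjoiz/XXEinjector
  • XXE testing tool: https://github.com/TheTwitchy/xxer
  • Burp AES encryption plugin: https://github.com/Ebryx/AES-Killer
  • XXE payload generation: https://github.com/BuffaloWill/oxml_xxe/
  • Burp plugin for testing Nginx path traversal: https://github.com/bayotop/off-by-slash
  • Automated red team deployment: https://github.com/360-A-Team/LuWu
  • JS deobfuscation: https://github.com/mindedsecurity/JStillery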

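Some useful Burp plugins

  • Rule-matching plugin that highlights and marks information: https://github.com/gh0stkey/HaE
  • Adds some Burp context-menu items (Unicode decoding, inserting common payloads, filtering out irrelevant sites, etc.): https://github.com/bit4woo/knife
  • Asset management for gaining footholds in HW exercises: https://github.com/bit4woo/domain_hunter_pro
  • Plugin for use with passive vulnerability scanners: https://github.com/c0ny1/passive-scan-client
  • Breaking front-end encryption: https://github.com/c0ny1/jsEncrypter
  • Automated scanning for Shiro vulnerabilities: https://github.com/pmiaowu/BurpShiroPassiveScan
  • Recognizes CAPTCHAs through an API (can be paired with the muggle-ocr library): https://github.com/c0ny1/captcha-killer
  • Automatically scans for links in web pages (available in the plugin store): https://github.com/GerbenJavado/LinkFinder
  • Generates POC tests for web services (WSDL interfaces) (available in the plugin store; if it will not install, download the release version directly): https://github.com/NetSPI/Wsdler
  • Plugin for conveniently filtering and logging Burp traffic (available in the plugin store): https://github.com/nccgroup/LoggerPlusPlus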

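Automated scanning

  • SN1PER (features: open-port scanning, WAF, fingerprinting, directory scanning): https://github.com/1N3/Sn1per
  • Scans by invoking tools (dirsearch, masscan, amass, patator) directly from a web page: https://github.com/c0rvax/project-black
  • Automated scanning for vulnerabilities in websites' CORS configuration: https://github.com/chenjj/CORScanner
  • Chaitin X-ray vulnerability scanner: https://github.com/chaitin/xray/
  • Medusa vulnerability scanner: https://github.com/Ascotbe/Medusa
  • w13scan: https://github.com/w-digital-scanner/w13scan
  • Automated scanning using GitHub Actions: https://github.com/inbug-team/InCloud
  • Integrates fofa, vulnerability scanning, web fingerprinting and several other scanning functions (can also scan internal networks): https://github.com/P1-Team/AlliN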

Incident response

  • Incident response tool collection: https://github.com/meirwah/awesome-incident-response
  • Hands-on incident response notes: https://github.com/Bypass007/Emergency-Response-Notes
  • Process inspection:
    • https://docs.microsoft.com/zh-cn/sysinternals/downloads/process-explorer
    • https://github.com/processhacker/processhacker

Ransomware decryption lookup:

  • https://www.nomoreransom.org/crypto-sheriff.php
  • QiAnXin: https://lesuobingdu.qianxin.com/
  • VenusEye: https://lesuo.venuseye.com.cn/
  • Sangfor: https://edr.sangfor.com.cn/#/information/ransom_search
  • 360: https://lesuobingdu.360.cn/
  • Tencent: https://guanjia.qq.com/pr/ls/
  • https://github.com/jiansiting/Decryption-Tools

Wordlists, payloads, fuzz

  • Weak-password wordlists: https://weakpass.com/
  • https://github.com/7hang/Fuzz_dic
  • https://github.com/swisskyrepo/PayloadsAllTheThings
  • https://github.com/berzerk0/Probable-Wordlists
  • https://github.com/danielmiessler/SecLists
  • Filename fuzzing for file uploads: https://github.com/c0ny1/upload-fuzz-dic-builder
  • Directories disallowed by robots.txt: https://github.com/danielmiessler/RobotsDisallowed
  • https://github.com/TheKingOfDuck/fuzzDicts
  • https://github.com/1N3/IntruderPayloads (burp_payload)
  • Website brute force + XSS + SQLi: https://github.com/SilverPoision/a-full-list-of-wordlists/tree/master/Wordlists/burp_pack
  • Keyboard-pattern and mixed letter+digit password brute forcing: https://github.com/huyuanzhi2/password_brute_dictionary
  • https://github.com/ppbibo/PentesterSpecialDict
  • https://github.com/r35tart/RW_Password
  • Fake name generator: https://github.com/joke2k/faker

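Information gathering

  • Online collaborative markdown, usable for sharing information within a team (can be deployed in an offline environment): https://github.com/hackmdio/codimd
  • FOFA browser extension: https://github.com/fofapro/fofa_view
  • WAF fingerprinting and bypass: https://github.com/Ekultek/WhatWaf
  • Go-based port scanning tool with screenshots: https://github.com/michenriksen/aquatone
  • wfuzz: https://github.com/xmendez/wfuzz
  • Can be used for Host header collision or all kinds of fuzzing: https://github.com/ffuf/ffuf
  • Host header collision: https://github.com/fofapro/Hosts_scan
  • Exploiting .git, .svn and .DS_Store: https://github.com/0xHJK/dumpall
  • Fingerprinting (many scanning tools already integrate this, so they are not all listed):
    • https://www.yunsee.cn/
    • https://github.com/EASY233/Finger
    • https://github.com/EdgeSecurityTeam/EHole
    • GitLab version identification: https://github.com/righel/gitlab-version-nse
  • Browser extension that integrates HaE's rules: https://github.com/ResidualLaugh/FindSomething
  • Directory scanning tools:
    • https://github.com/maurosoria/dirsearch
    • caesar (ships with its own scan wordlist; the original has been deleted): https://github.com/zhanglei/Caesar
  • Port scanning:
    • RustScan (can be configured to call nmap automatically): https://github.com/RustScan/RustScan
  • JSFinder:
    • https://github.com/Threezh1/JSFinder
    • TamperMonkey-based version: https://github.com/Threezh1/Deconstruct/blob/main/DevTools_JSFinder/JSFinder.js
  • Subdomain collection:
    • Lookup based on enterprise ICP filing information: https://github.com/canc3s/cDomain
    • Collects subdomains from SSL certificates: https://github.com/yassineaboukir/sublert
    • Python script + MongoDB real-time monitoring: https://github.com/guimaizi/get_domain
    • Can discover second- and third-level subdomains: https://github.com/infosec-au/altdns
    • Brute-forces subdomains with a large wordlist using asyncio + aiodns: https://github.com/ldbfpiaoran/subdns
    • Based on Python 3.8; obtains and verifies subdomains through multiple APIs: https://github.com/shmilylty/OneForAll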

WAF bypass

  • MySQL SQL injection: https://github.com/aleenzz/MYSQL_SQL_BYPASS_WIKI
  • WAF fingerprint dictionary and bypass methods: https://github.com/0xInfection/Awesome-WAF
  • WAF identification script: https://github.com/stamparm/identYwaf
  • Automated WAF bypass: https://github.com/khalilbijjou/WAFNinja
  • Bypassing Ruishu (瑞数) anti-crawler protection: https://github.com/R0A1NG/Botgate_bypass

Privilege escalation

  1. Windows
  • Online helper for Windows privilege escalation: http://bugs.hacking8.com/tiquan/

  • Windows kernel privilege escalation EXPs: https://github.com/SecWiki/windows-kernel-exploits

  • Windows privilege escalation script: https://github.com/bitsadmin/wesng

  • Windows EXP privilege escalation: https://github.com/lyshark/Windows-exploits

  • potato: may be killed by antivirus

    • JuicyPotato:
      • https://github.com/uknowsec/JuicyPotato
      • https://github.com/EddieIvan01/win32api-practice/tree/f6db1f800c411db1401d6f60eee708b038a60277/juicy-potato-webshell
    • https://github.com/uknowsec/SweetPotato
    • Domain privilege escalation: https://github.com/antonioCoco/RemotePotato0
    • PipePotato
    • PrintNotifyPotato: https://github.com/BeichenDream/PrintNotifyPotato
  • Creates a process with SYSTEM privileges to execute commands by stealing the token of a SYSTEM-privileged process: https://github.com/uknowsec/getSystem

  2. Linux
  • Linux privilege escalation scripts:
    • https://github.com/mzet-/linux-exploit-suggester
    • https://github.com/rebootuser/LinEnum
  • Linux kernel privilege escalation EXPs: https://github.com/SecWiki/linux-kernel-exploits
  • Privilege escalation tool suite (Windows, Linux): https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
  • Kernel privilege escalation: https://github.com/bcoles/kernel-exploits
  • Monitors Linux processes without root privileges (quite useful for watching scheduled tasks): https://github.com/DominicBreuker/pspy

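Post-exploitation

Decryption

  • Decrypts various kinds of encrypted data after access has been gained, including OA systems: https://github.com/wafinfo/DecryptTools
  • Yonyou NC database decryption: https://github.com/jas502n/ncDecode

Database exploitation

  • Lossless file upload based on Redis master-slave replication: https://github.com/r35tart/RedisWriteFile
  • Redis exploitation via master-slave replication, with DLL hijacking: https://github.com/0671/RabR
  • One-click database getshell: https://github.com/SafeGroceryStore/MDUT
  • Rogue MySQL server for reading arbitrary files: https://github.com/allyshka/Rogue-MySql-Server
  • mssql: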
    • https://github.com/0x727/SqlKnife_0x727
    • https://github.com/uknowsec/SharpSQLTools

Internal network penetration

1. Miscellaneous

  • Internal network penetration tips: https://github.com/Ridter/Intranet_Penetration_Tips
  • PowerShell red team internal network penetration: https://github.com/samratashok/nishang
  • Some tools implemented in PowerShell: https://github.com/clymb3r/PowerShell
  • PowerShell reverse TCP shell: https://github.com/ZHacker13/ReverseTCPShell
  • PowerShell obfuscation:
    • https://github.com/danielbohannon/Invoke-Obfuscation
    • https://github.com/tokyoneon/Chimera
  • Backdoor creation (bundled with Kali): https://github.com/secretsquirrel/the-backdoor-factory
  • RAT: https://github.com/Screetsec/TheFatRat
  • Bulk vSphere exploitation: https://github.com/RicterZ/PySharpSphere
  • Graphical MSF: https://github.com/FunnyWolf/Viper
  • Abuse of trusted binaries (lolbins): https://lolbas-project.github.io/

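2. Internal network tunnels:

Tunnel and proxy tool implemented in Go that supports many scenarios: https://github.com/ginuerzh/gost

  1. HTTP tunnels:
  • reGeorg with encrypted traffic; the original reGeorg can already be identified by security appliances: https://github.com/L-codes/Neo-reGeorg
  • Node.js internal network traffic forwarding: https://github.com/johncant/node-http-tunnel
  • https://github.com/blackarrowsec/pivotnacci
  • Bringing CS online from hosts without outbound network access: https://github.com/FunnyWolf/pystinger
  • High-performance HTTP proxy, but Java only; can be used by implanting it as a memory shell: https://github.com/zema1/suo5
  2. SOCKS tunnels
  • frp internal network traffic forwarding; supports TCP and UDP, does not support forward connections: https://github.com/fatedier/frp
  • frp-like NAT traversal tool written in Rust: https://github.com/rapiz1/rathole
  • EarthWorm for starting a Socks5 proxy: https://github.com/idlefire/ew
  • HTTP encrypted-channel traffic forwarding with Meterpreter: https://github.com/nccgroup/ABPTTS
  • nps NAT traversal: https://github.com/ehang-io/nps (nps usage tutorial
  • Port forwarding: https://github.com/EddieIvan01/iox
  • Forward SOCKS proxy that supports setting a username and password: https://github.com/jqqjj/socks5
  • Multi-hop proxying (frp also supports multi-hop proxying):
    • https://github.com/ph4ntonn/Stowaway
    • https://github.com/3proxy/3proxy
  3. mssqlproxy: https://github.com/blackarrowsec/mssqlproxy
  4. pingtunnel: https://github.com/esrrhs/pingtunnel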

3. Internal network information gathering:

  • Password brute-force cracking (can use GPUs; the best performance): https://github.com/hashcat/hashcat

  • mimikatz: https://github.com/gentilkiwi/mimikatz

  • Decrypts stored credentials for products such as Navicat, TeamViewer, FileZilla, WinSCP, Xmanager and Xshell:

    • https://github.com/uknowsec/SharpDecryptPwd
    • https://github.com/sf197/GetPwd
    • https://github.com/JDArmy/SharpXDecrypt
    • DBeaver decryption: https://github.com/lele8/SharpDBeaver
    • https://github.com/RowTeam/SharpDecryptPwd
  • Python script that retrieves various passwords from software on the system: https://github.com/AlessandroZ/LaZagne

  • Browser-related information gathering:

    • C# collection of passwords saved in browsers (old version of SharpWeb): https://github.com/djhohnstein/SharpWeb
    • C# browser password extraction: https://github.com/QAX-A-Team/BrowserGhost
    • Cross-platform browser password extraction: https://github.com/moonD4rk/HackBrowserData
    • C# browser password extraction (by DBAPPSecurity Starfire Lab): https://github.com/StarfireLab/SharpWeb
  • Internal network information gathering, supports CS extensions: https://github.com/Adminisme/ServerScan

  • Finds core internal network segments (multi-NIC scanning): https://github.com/r35tart/GetIPinfo

  • Super weak-password checker (超级弱口令): https://github.com/shack2/SNETCracker

  • Internal network port scanning with partial automatic fingerprinting:

    • https://github.com/shadow1ng/fscan
    • https://github.com/k8gege/Ladon
  • CS plugins:

    • https://github.com/gloxec/CrossC2
    • https://github.com/z1un/Z1-AggressorScripts
    • https://github.com/pandasec888/taowu-cobalt-strike
    • https://github.com/lintstar/LSTAR
    • https://github.com/k8gege/Aggressor/
  • Retrieving Exchange mail with an NTLM hash:

    • https://github.com/cisp/GetMail
    • https://github.com/Jumbo-WJB/PTH_Exchange
    • https://github.com/RowTeam/SharpExchangeKing

4. Antivirus evasion

  • PowerShell obfuscation: https://github.com/danielbohannon/Invoke-Obfuscation
  • Yanri (掩日): https://github.com/1y0n/AV_Evasion_Tool
  • https://github.com/Hangingsword/HouQing
  • In-memory PE execution using the BOF feature newly introduced in CS 4.1: https://github.com/phra/PEzor
  • Adding a user through the Windows API: https://github.com/lengjibo/NetUser

5. Domain penetration

Basics

  • https://github.com/JDArmy/DCSec
  • https://github.com/uknowsec/Active-Directory-Pentest-Notes

Tool usage

  • PowerShell internal network exploitation scripts: https://github.com/PowerShellMafia/PowerSploit
  • Domain kill chain: https://github.com/infosecn1nja/AD-Attack-Defense
  • AD CS audit: https://github.com/GhostPack/PSPKIAudit
  • https://github.com/GhostPack/Rubeus
  • https://github.com/C-Sto/gosecretsdump
  • ADFind: https://www.softpedia.com/get/Programming/Other-Programming-Files/AdFind.shtml
  • Inveigh: in testing, the python2 and PowerShell versions worked best
    • exe version: https://github.com/HamzaKHIATE/Toolbox/tree/master/Responder
    • python2: https://github.com/SpiderLabs/Responder/
    • PowerShell version: https://github.com/Kevin-Robertson/Inveigh
    • C# version; has to be compiled yourself, did not run successfully: InveighZero: https://github.com/Kevin-Robertson/InveighZero
  • bloodhound: https://github.com/BloodHoundAD/BloodHound
  • https://github.com/Ridter/noPac

6. Lateral movement

  • Bulk pass-the-hash: https://github.com/Kevin-Robertson/Invoke-TheHash
  • impacket lateral movement (included in examples): https://github.com/SecureAuthCorp/impacket
  • impacket-binary (executables): https://github.com/ropnop/impacket_static_binaries/releases/
  • vCenter post-exploitation: https://github.com/horizon3ai/vcenter_saml_login

7. CS-related

  • Modified CS 4.4: https://github.com/TryGOTry/DogCs4.4
  • https://github.com/mandiant/SharPersist
  • https://github.com/JamesCooteUK/SharpSphere
  • https://github.com/BeichenDream/SharpToken

Selected CVE POCs

  • Frequently updated, very comprehensive CVE POC collection: https://github.com/nomi-sec/PoC-in-GitHub
  • https://github.com/fjserna/CVE-2015-7547
  • https://github.com/FiloSottile/CVE-2016-2107
  • CVE-2015-2426: https://github.com/vlad902/hacking-team-windows-kernel-lpe
  • https://github.com/RhinoSecurityLabs/CVEs
  • https://github.com/Libraggbond/CVE-2018-3191
  • https://github.com/gottburgm/Exploits
  • https://github.com/ym2011/POC-EXP
  • https://github.com/w1109790800/penetration (mostly CMS, plus some tools)
  • https://github.com/chompie1337/SMBGhost_RCE_PoC (CVE-2020-0796)
  • Docker escape: https://github.com/Frichetten/CVE-2019-5736-PoC
  • https://github.com/nomi-sec/PoC-in-GitHub

Cloud security

  • Cloud security learning:
    • Kubernetes attack and defense: https://github.com/neargle/my-re0-k8s-security
    • https://wiki.teamssix.com/
  • Container penetration: https://github.com/cdk-team/CDK
  • https://github.com/dark-kingA/cloudTools

Java security

Middleware/component Exp

  • ysoserial: https://github.com/frohoff/ysoserial

  • JBOSS: https://github.com/joaomatosf/jexboss

  • struts2 Python2 scanning script (Chinese text comes out garbled when used; prefix the strings with u): https://github.com/Lucifer1993/struts-scan

  • weblogic

    • Vulnerability scanning script: https://github.com/dr0op/WeblogicScan
    • Password decryption:
      • https://github.com/NetSPI/WebLogicPasswordDecryptor
      • UI version: https://github.com/Ch1ngg/WebLogicPasswordDecryptorUi
      • T3 decryption (requires uploading a JSP): https://github.com/pen4uin/JavaSec/tree/main/vulnerability-analysis/weblogic
    • EXP:
      • https://github.com/21superman/weblogic_exploit
      • https://github.com/shack2/javaserializetools
      • Developed by Sangfor Deep Blue Lab: https://github.com/KimJun1010/WeblogicTool
  • SpringBootExploit:

    • https://github.com/LandGrey/SpringBootVulExploit
    • Automated exploitation: https://github.com/0x727/SpringBootExploit
      • Required JNDI (the original JNDI has been deleted; you need to compile it yourself): https://github.com/Jeromeyoung/JNDIExploit-1
    • Automated heapdump querying:
      • https://github.com/wyzxxz/heapdump_tool
  • Solr exploitation: https://github.com/Imanfeng/Apache-Solr-RCE

  • fastjson exploitation summary:

    • https://github.com/safe6Sec/Fastjson
    • https://github.com/su18/hack-fastjson-1.2.80
  • JNDI that integrates memory shells and header command execution: https://github.com/feihong-cs/JNDIExploit

  • Foolproof fastjson exploitation: https://github.com/wyzxxz/fastjson_rce_tool

  • Shiro deserialization:

    • https://github.com/feihong-cs/ShiroExploit_GUI
    • https://github.com/fupinglee/ShiroScan
    • https://github.com/wyzxxz/shiro_rce
    • Integrates memory shells and echo-based exploitation:
      • https://github.com/j1anFen/shiro_attack
      • Improved version of shiro_attack: https://github.com/SummerSec/ShiroAttack2
    • Gadget checking: https://github.com/wyzxxz/shiro_rce_tool
  • Memory shells (内存马):

    • springboot: https://github.com/threedr3am/ZhouYu
    • Valve memory shell: https://github.com/Ghost2097221/addMemShellsJSP
    • Agent implementation: https://github.com/ethushiroha/JavaAgentTools
    • Automated memory shell generation: https://github.com/pen4uin/java-memshell-generator-release
    • Godzilla plugin for injecting the Suo5 memory shell: https://github.com/TonyNPham/GodzillaPlugin-Suo5-MemProxy
  • Memory shell detection and removal:

    • https://github.com/LandGrey/copagent
    • https://github.com/4ra1n/shell-analyzer
  • JDBC deserialization:

    • https://github.com/fnmsd/MySQL_Fake_Server
    • https://github.com/su18/JDBC-Attack
    • https://github.com/luelueking/Deserial_Sink_With_JDBC
  • Nacos deserialization: https://github.com/c0olw/NacosRce

  • JDWP (with echo, code execution): https://github.com/l3yx/jdwp-codeifier

  • JMX enumeration and exploitation: https://github.com/qtc-de/beanshooter

Java security learning

  • Hands-on vulnerable code for multiple Java libraries: https://github.com/threedr3am/learnjavabug/
  • Java RCE echo test code: https://github.com/feihong-cs/Java-Rce-Echo
  • Java deserialization cheat sheet: https://github.com/GrrrDog/Java-Deserialization-Cheat-Sheet
  • Java deserialization gadget learning: https://github.com/0range228/Gadgets
  • Memory shells: https://github.com/bitterzzZZ/MemoryShellLearn

Code auditing / development tools

  • mysql monitor: https://github.com/fupinglee/MySQLMonitor
  • .NET decompilation:
    • https://github.com/icsharpcode/ILSpy
    • https://github.com/dnSpy/dnSpy
  • Java decompilation:
    • https://github.com/Ppsoft1991/CodeReviewTools
    • https://github.com/Col-E/Recaf
    • https://github.com/Vineflower/vineflower
    • https://github.com/4ra1n/code-inspector
  • Code obfuscation:
    • Java code obfuscation: https://github.com/jar-analyzer/jar-obfuscator

Phishing

  • https://github.com/SkewwG/henggeFish
  • https://github.com/taielab/Taie-AutoPhishing

Shell management (C2)

  • AntSword (蚁剑): https://github.com/AntSwordProject/antSword
  • Behinder (冰蝎): https://github.com/rebeyond/Behinder
  • Godzilla (supports JSP and an in-memory version of reGeorg): https://github.com/BeichenDream/Godzilla
  • SkyScorpion (no longer publicly updated): https://github.com/shack2/skyscorpion
  • Reverse shell management; can upload files and set up tunnels: https://github.com/WangYihang/Platypus
  • supershell: https://github.com/tdragon6/Supershell

App testing

  • Quickly extracts asset information from apps: https://github.com/kelvinBen/AppInfoScanner
  • Collection of Android-related projects and articles: https://github.com/alphaSeclab/android-security
  • jadx, reverse engineering of Android APK code: https://github.com/skylot/jadx
  • App packet encryption/decryption + Burp plugin: https://github.com/lyxhh/lxhToolHTTPDecrypt
  • App dynamic testing framework: https://github.com/MobSF/Mobile-Security-Framework-MobSF
  • Complete adb usage: https://github.com/mzlogin/awesome-adb

Asset scanning / collection

  • Lighthouse (灯塔; by Tophant, officially taken offline): https://github.com/Aabyss-Team/ARL
  • https://github.com/hanc00l/nemo_go
  • https://github.com/Autumn-27/ScopeSentry

Pentest support platforms/tools

  • Knownsec remote vulnerability testing framework: https://github.com/knownsec/Pocsuite
  • Python crawler proxy pool: https://github.com/jhao104/proxy_pool
  • Self-hosted platform for blind (no-echo) testing (DNS, HTTP, XSS): https://github.com/opensec-cn/vtest
  • OOB (dnslog):
    • https://github.com/projectdiscovery/interactsh
    • https://github.com/adrgs/requestrepo
  • Self-hosted XSS platforms:
  1. https://github.com/firesunCN/BlueLotus_XSSReceiver (the original project's code has been withdrawn; click fork to view the source saved by others)
  2. https://github.com/mandatoryprogrammer/xsshunter
  3. https://github.com/78778443/xssplatform
  • tp vulnerability scanning: https://github.com/Lotus6/ThinkphpGUI
  • Automated SSRF testing: https://github.com/swisskyrepo/SSRFmap
  • AI training for CAPTCHA recognition: https://github.com/kerlomz/captcha_trainer
  • Flash XSS testing: https://github.com/cure53/flashbang
  • JWT token cracking: https://github.com/brendan-rius/c-jwt-cracker
  • Automated scanning for APIs in JS: https://github.com/rtcatc/Packer-Fuzzer
  • Subdomain takeover fingerprints: https://github.com/EdOverflow/can-i-take-over-xyz
  • FireEye's Windows testing virtual machine: https://github.com/fireeye/commando-vm

Enterprise (in-house) security

  • Vulnerability information push notifications: https://github.com/zema1/watchvuln
  • Xunfeng vulnerability scanner: https://github.com/ysrc/xunfeng
  • CreditEase Insight: https://github.com/creditease-sec/insight2
  • Momo risk control: https://github.com/momosecurity/aswan
  • HIDS: https://github.com/ossec/ossec-hids
  • OpenResty, a high-performance server built around Nginx: https://github.com/openresty/openresty
  • Nginx security configuration checking: https://github.com/yandex/gixy
  • GitHub monitoring tools:
    • https://github.com/VKSRC/Github-Monitor
    • https://github.com/FeeiCN/GSIL
    • Ctrip cloud security: https://security.ctrip.com/
  • Open-source honeypot collection: https://github.com/paralax/awesome-honeypots

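Other knowledge compilations

  • Security mind maps compiled by phith0n (P牛): https://github.com/phith0n/Mind-Map
  • Internal network penetration knowledge tips: https://github.com/Ridter/Intranet_Penetration_Tips
  • Interview experience: https://github.com/Leezj9671/Pentest_Interview
  • Interview knowledge points: https://www.yuque.com/books/share/bd8433e2-3682-4bf9-bbf7-cb5070764079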

Blogs of some experts

  • mi1k7ea: http://www.mi1k7ea.com/
  • evi1cg: https://evi1cg.me/
  • backlion: http://www.cnblogs.com/backlion
  • phith0n: https://www.leavesongs.com/
  • Heibai (黑白): https://www.heibai.org/
  • orange: http://blog.orange.tw/
  • c0ny1: https://gv7.me/
  • nMask: https://thief.one/
  • Lengbaikai (冷白开): http://www.lengbaikai.net/
  • 3gstudent (三好学生): https://3gstudent.github.io/
  • y4tacker: https://y4tacker.github.io/
  • spoock: https://blog.spoock.com/
  • http://www.zerokeeper.com/
  • https://masterxsec.github.io/
  • https://www.hacking8.com/