Buôn Ma Thuột, the White Hat Hacker Capital

Vietnam White Hat Hacker Training Program in Buôn Ma Thuột City, combined with tourism. Arrive as a newbie, leave as a WHITE HAT HACKER!

[IronWASP v0.9.7.5] Open Source Advanced Web Security Testing Platform

IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing. It is designed to be customizable to the extent where users can create their own custom security scanners using it. Though an advanced user with Python/Ruby scripting expertise would be able to make full use of the platform, a lot of the tool's features are simple enough to be used by absolute beginners. IronWASP...

[Directory Scanner v3.0] Remote Directory Server Fingerprinting Tool

Directory Scanner is the FREE Directory Server fingerprinting tool. It can help you to remotely detect the type of Directory servers (such as Microsoft Active Directory, Novell eDirectory etc) running on the local network as well as the Internet. In addition to this, it can greatly help administrators to remotely keep tabs on Directory Servers running in their network. At a time you can use it to scan single...

[RouterPassView] Recover lost password from router backup file

Most modern routers allow you to back up the configuration of the router into a file, and then restore the configuration from the file when it's needed. The backup file of the router usually contains important data like your ISP user name/password, the login password of the router, and wireless network keys. If you lost one of these passwords/keys, but you still have a backup file of your router configuration, RouterPassView might help you to recover...

[Maltrieve] A tool to retrieve malware directly from the source for security researchers

Maltrieve originated as a fork of mwcrawler. It retrieves malware directly from the sources as listed at a number of sites, including: Malc0de, Malware Black List, Malware Domain List, Malware Patrol, Sacour.cn, VX Vault, URLquery, CleanMX. These lists will be implemented if/when they return to activity: NovCon Minotaur. Other improvements include: Proxy support; Multithreading for improved performance; Logging of source URLs; Multiple user agent support; Better error handling; VxCage and Cuckoo Sandbox support. Dependencies: Python 2 (2.6 should be sufficient), BeautifulSoup version...

[Burp Co2] A collection of enhancements for Portswigger's popular Burp Suite web penetration testing tool

Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has its own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality. See the Co2Modules wiki page for descriptions of each of the modules...

[Gojira] Tool to facilitate audits in WordPress environments

Gojira is a tool to facilitate audits in WordPress environments. It is still in its infancy ;). For now: - It can build a dictionary of the most popular plugins. - It enumerates installed plugins from the dictionary. - It extracts the registered users. - It deduces the WordPress version through Readme.html, links in the HTML and the meta generator. - It checks the robots.txt file and checks each path. Download Goj...

[Dumb0] A simple tool to dump users in popular forums and CMS

A simple tool to dump users in popular forums and CMS like: WordPress, SMF, vBulletin, IP Board, XEN forums, myBB, useBB, vanilla, bbPress, etc... Download Du...

[OutlookAttachView] View/Extract/Save Outlook Attachments

OutlookAttachView scans all messages stored in your Outlook, and displays the list of all attached files that it finds. You can easily select one or more attachments and save all of them into the desired folder, as well as you can delete unwanted large attachments that take too much disk space in your mailbox. You can also save the list of attachments into xml/html/text/csv file. System Requirements: Windows 2000/XP/Vista/7/2003/2008. Microsoft...

[ParameterFuzz v1.8] Parameter's auditor for web applications

ParameterFuzz is a tool to check the level of fortification in web applications. It tries to cover the field most exploited by hackers, as the majority of known attacks are based on exploiting poorly filtered parameters, such as SQL injection, Cross Site Scripting or RFI among others. This tool is designed to perform security audits manually, however it is possible to automate the audit process. It can be used for a lot of purposes such as: Dictionary...

[WAF-FLE v0.6.3] Web application firewall: fast log and event console

WAF-FLE is an open source console for ModSecurity. It allows the modsec admin to view and search events sent by mlogc (modsecurity event log handler). Features: Central event console; Support for Modsecurity in “traditional” and “Anomaly Scoring” modes; Able to receive events sent from mlogc (in real time or in batch using mlogc-batch-load.pl); No sensor number limit; Dashboard with recent events information; Drill down of events with filter; Every (almost) data is “clickable”...

[FacebookPasswordDump v2.0] Command-line Tool to Recover Facebook Password from Browsers and Messengers

Facebook Password Dump is the command-line tool to instantly recover your lost Facebook password from popular web browsers and messengers. Currently it can recover your Facebook password from the following applications: Firefox, Internet Explorer (v6.x - v10.x), Google Chrome, Chrome Canary/SXS, CoolNovo Browser, Opera Browser, Apple Safari, Flock Browser, SeaMonkey Browser, Comodo Dragon Browser ...

[DVIA] Damn Vulnerable iOS Application

Damn Vulnerable iOS App (DVIA) is an iOS application that is damn vulnerable. Its main goal is to provide a platform to mobile security enthusiasts/professionals or students to test their iOS penetration testing skills in a legal environment. This application covers all the common vulnerabilities found in iOS applications (following OWASP top 10 mobile risks) and contains several challenges that the user can try. Vulnerabilities and Challenges...

[WebCacheImageInfo] Displays the software/camera model of images stored in the cache of your Web browser

WebCacheImageInfo is a simple tool that searches for JPEG images with EXIF information stored inside the cache of your Web browser (Internet Explorer, Firefox, or Chrome), and then it displays the list of all images found in the cache with the interesting information stored in them, like the software that was used to create the image, the camera model that was used to photograph the image, and the date/time that the image was created. System...

[Havij 1.17] Automated and Advanced SQL Injection

Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page. It can take advantage of a vulnerable web application. By using this software, a user can perform back-end database fingerprinting, retrieve DBMS login names and password hashes, dump tables and columns, fetch data from the database, execute SQL statements against the server, and even access the underlying file...

[GoLismero v2.0] Merge results of security tools (OpenVas, Wfuzz, SQLMap, DNS recon, robot analyzer...)

GoLismero is an open source security tool that can run its own security tests and manage a lot of well-known security tools (OpenVas, Wfuzz, SQLMap, DNS recon, robot analyzer...), take their results, feed them back to the rest of the tools and merge all of the results, all of this automatically. Changelog v2.0 Beta 3: Integration with SSLScan, SQLMap, XSSer, Shodan and PunkSPIDER. Completely rewritten HTML report. New report formats: OpenOffice, LaTeX, JSON,...

[FGscanner] Find hidden contents using dictionary-like attack

FGscanner is a completely rewritten version of the littlescanner script. FGscanner is an open source advanced web directory scanner to find hidden contents on a web server using a dictionary-like attack, with proxy and Tor support.

Quick reference for switches

Usage: ./fgscan.pl --host=hostname [--proxy=filepath] [--sec=n] [--dump] [--dirlist=filepath] [--wordlist=filepath] [--tor] [--tordns] [--debug] [--help]
--debug : Print debug information
--dirs : Specify the directory list file
--pages : Specify the wordlist file
--uarnd : Enable User Agent...

[Lynis 1.4.2] Security and System Auditing Tool to Harden Linux Systems

Lynis is an auditing tool for Unix/Linux. It performs a security scan and determines the hardening state of the machine. Any detected security issues will be provided in the form of a suggestion or warning. Besides security-related information it will also scan for general system information, installed packages and possible configuration errors. This software aims at assisting automated auditing, hardening, software patch management, vulnerability...

[CGE] Cisco Global Exploiter

Cisco Global Exploiter (CGE) is an advanced, simple and fast security testing tool/exploit engine that is able to exploit 14 vulnerabilities in disparate Cisco switches and routers. CGE is a command-line driven Perl script which has a simple and easy to use front-end. CGE can exploit the following 14 vulnerabilities: [1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability; [2] - Cisco IOS Router Denial of Service Vulnerability; [3] - Cisco IOS...

[IPNetInfo v1.53] Retrieves IP Address Information

IPNetInfo is a small utility that allows you to easily find all available information about an IP address: the owner of the IP address, the country/state name, IP address range, contact information (address, phone, fax, and email), and more. This utility can be very useful for finding the origin of unsolicited mail. You can simply copy the message headers from your email software and paste them into the IPNetInfo utility. IPNetInfo automatically extracts...

[Gmail Password Dump v.20] Command-line Tool to Recover Google Password from GTalk, Picasa, GDesktop, Browsers and Messengers

Gmail Password Dump is the command-line tool to instantly recover your lost Gmail password from various Google applications as well as popular web browsers and messengers. Currently it can recover your Gmail password from the following applications: Google Talk, Google Picasa, Google Desktop Search, Gmail Notifier, Firefox, Internet Explorer, Google Chrome, Chrome Canary/SXS, CoolNovo Browser, Opera...

[WhoisThisDomain] Domain Registration Lookup Utility

WhoisThisDomain is a domain registration lookup utility that allows you to easily get information about a registered domain. It automatically connects to the right WHOIS server, according to the top-level domain name, and retrieves the WHOIS record of the domain. It supports both generic domains and country code domains. Download WhoisThisDom...

[Haveged 1.9.1] A simple entropy daemon

The haveged project is an attempt to provide an easy-to-use, unpredictable random number generator based upon an adaptation of the HAVEGE algorithm. Haveged was created to remedy low-entropy conditions in the Linux random device that can occur under some workloads, especially on headless servers. Current development of haveged is directed towards improving overall reliability and adaptability while minimizing the barriers to using haveged for other...

[Advanced Encryption Package 2014] Strong encryption algorithms to protect your confidential documents

Strong and proven encryption algorithms to protect your confidential documents. To secure sensitive data, AEP PRO file encryption software uses 20 proven and strong encryption algorithms including AES, Blowfish, Twofish, GOST, Serpent and others. Easy to use for novices. Integration with Windows context menu. Encryption technology is a difficult thing, especially if you are not technically savvy. How is an older family member supposed to figure out...

[Pac4Mac] Forensics Framework for Mac OS X

Pac4Mac (Plug And Check for Mac OS X) is a portable forensics framework (to launch from USB storage) allowing extraction and analysis of session information, highlighting the real risks in terms of information leaks (history, passwords, technical secrets, business secrets, ...). Pac4Mac can be used to check the security of your Mac OS X system or to help you during a forensics investigation. Mindmap of Pac4Mac features (PDF format). Features: [*] Developed...

[Twitter Password Dump v2.0] Command-line Tool to Recover Twitter Password from Web Browsers

Twitter Password Dump is the command-line tool to instantly recover your lost Twitter password from all the popular web browsers. Currently it can recover your Twitter password from the following applications: Firefox, Internet Explorer (v6.x - v10.x), Google Chrome, Chrome Canary/SXS, CoolNovo Browser, Opera Browser, Apple Safari, Flock Browser, SeaMonkey Browser, Comodo Dragon Browser. It automatically...

[Azazel] Userland Anti-debugging & Anti-detection Rootkit

Azazel is a userland rootkit based off of the original LD_PRELOAD technique from Jynx rootkit. It is more robust and has additional features, and focuses heavily around anti-debugging and anti-detection. Features: Anti-debugging; Avoids unhide, lsof, ps, ldd detection; Hides files and directories; Hides remote connections; Hides processes; Hides logins; PCAP hooks avoid local sniffing; Two accept backdoors with full PTY shells; Crypthook encrypted accept() backdoor; Plaintext...

[Killtrojan Syslog] Tool to detect malware activity on a system

Killtrojan Syslog is a free application that creates a report about the characteristics of the system, to be analyzed further for signs of malware. The report is also intended to be posted in a specialized forum so that users can help. The tool is very intuitive and easy to use for non-technical users to create their reports. It is also useful for more advanced users who want to analyze a computer. With support for logs in BBCode mode, you can paste the log...

[pMap v1.10] Passive Discovery, Scanning, and Fingerprinting

Discovery, Scanning, and Fingerprinting via Broadcast and Multicast Traffic. Features: Reveals open TCP and UDP ports; Uses UDP, mDNS, and SSDP to identify PCs, NAS, Printers, Phones, Tablets, CCTV, DVR, and Others; Device Type, Make, and Model; Operating Systems and Version; Service Versions and Configuration; Stand-Alone (Nmap-like output) or Agent Mode (SYSLOG); Metasploit Script Included. Download pMap v1...

[Browser Password Dump v2.0] Command-line Tool to Recover Login Password from Web Browsers

Browser Password Dump is the free command-line tool to instantly recover your lost password from all the popular web browsers. Currently it can recover stored web login passwords from the following browsers: Firefox, Internet Explorer, Google Chrome, Chrome Canary/SXS, CoolNovo Browser, Opera Browser, Apple Safari, Flock Browser, SeaMonkey Browser, Comodo Dragon Browser. It automatically discovers installed...

OWASP Xenotix XSS Exploit Framework v5

OWASP Xenotix XSS Exploit Framework is an advanced Cross Site Scripting (XSS) vulnerability detection and exploitation framework. It provides Zero False Positive scan results with its unique Triple Browser Engine (Trident, WebKit, and Gecko) embedded scanner. It is claimed to have the world’s 2nd largest collection of XSS payloads, with about 1600+ distinctive XSS payloads for effective XSS vulnerability detection and WAF bypass. Xenotix Scripting Engine...

[Charles] Web Debugging Proxy Application

Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your own computer. Your web browser (or any other Internet application) is then configured to access the Internet through Charles, and Charles is then able to record and display for you all of the data that is sent and received. In Web and Internet development you are unable to see what is being sent and received between your web browser / client and the server. Without this visibility...

[OWASP iGoat] Security learning tool for iOS developers

The OWASP iGoat project is a security learning tool for iOS developers to learn about security weaknesses in iOS -- by breaking things as well as fixing them. iGoat is available ONLY in source code format, and this is the official repository for that code. On the Downloads tab here, you will find the full iGoat source tree in tar format, or you can go to the Source tab for instructions on using Mercurial to grab (or clone) the source tree. Be sure to also check out the Wiki tab here for useful documents related to the iGoat project. Download...

[Introspy] Security profiling for blackbox iOS

Blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues. The tracer can be installed on a jailbroken device to hook and log security-sensitive iOS APIs called by applications running on the device. The tool records details of relevant API calls, including arguments and return values, and persists them in a database. Additionally, the calls are also sent to the Console...

[Wi-Fi Password Dump] Command-line Tool to Recover Wireless Passwords

WiFi Password Dump is the free command-line tool to quickly recover all the Wireless account passwords stored on your system. It automatically recovers all types of Wireless Keys/Passwords (WEP/WPA/WPA2 etc) stored by Windows Wireless Configuration Manager. For each recovered WiFi account, it displays the following information: WiFi Name (SSID); Security Settings (WEP-64/WEP-128/WPA2/AES/TKIP); Password Type; Password in Hex format; Password in clear text. By default...

[SecLists] Collection of multiple types of lists used during security assessments

SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more. The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed. If you have any ideas for things we should include, please send them to daniel.miessler@owasp.org or jason.haddix@owasp.org....

[Mail Password Sniffer] Email Password Recovery and Sniffing Software

Mail Password Sniffer is the free Email Password Sniffing and Recovery Software to recover mail account passwords passing through the network. It automatically detects the Email authentication packets passing through the network and decodes the passwords for all Mail Protocols including POP3, IMAP, SMTP. It can recover mail account passwords from all the Email applications such as Outlook, Thunderbird, Foxmail etc. For each recovered Email Account,...