Red Team OSINT part I

List of excellent OSINT tools useful for Penetration tests, Vulnerability assessments, Red/Blue Team operations, Bug Bounty
Servers​

• Shodan - Search Engine for the Internet of Everything
• Censys Search - Search Engine for every server on the Internet to reduce exposure and improve security
• Onyphe.io - Cyber Defense Search Engine for open-source and cyber threat intelligence data
• ZoomEye - Global cyberspace mapping
• GreyNoise - The source for understanding internet noise
• BinaryEdge - Scans large number of internet exposed assets
• Netlas - Discover, Research and Monitor any Assets Available Online
• FOFA - Cyberspace mapping
• Quake - Cyberspace surveying and mapping system
• Hunter - Internet Search Engines For Security Researchers
• ODIN - One of the most powerful search engines for Scanned Internet Assets
• Criminal - Search for info on everything that connected to the public Internet
• ThreatMiner - Threat Intel, shows ip that shodan didn't gave
• ibm - IBM X-FORCE
• IVRE - Network Recon
• alienvault - open threat intel
• leakix - find open ports, servers, and more

Attack Surface​

• FullHunt - Attack surface database of the entire Internet
• Talos Intel - The Talos Intelligence Center is the world’s most comprehensive real-time threat detection network
• RedHuntLabs - Discover your Attack Surface, Continuously
• SecurityTrails - The Total Internet Inventory
• IPInfo - The trusted source for IP address data
• IPData - IP Geolocation and Threat Intelligence API
• NetworksDB - Information about the public IPv4 and IPv6 addresses, networks and domains owned by companies and organisations across the world
• ASNlookup - Quickly lookup updated information about specific Autonomous System Number (ASN), Organization, CIDR, or registered IP addresses (IPv4 and IPv6) among other relevant data
• BGPtools - Browse the Internet ecosystem
• BGPview - Debug and investigate information about IP addresses, ASN, IXs, BGP, ISPs, Prefixes and Domain names
• BigDataCloud - The API provides comprehensive location and network data
• RADb - The world's largest public routing registry
• Deepinfo - Empower your security with the most comprehensive Internet data
• CloudFlare Radar - Global Internet traffic, attack, and technology trends and insights
• CanaryToken - creation Canary Token
• UrlScan - Scanner
• synapsint - OSINT domain
• domIQ - Find out everything about a domain name or IP address
• nerdy - builtWith/data about domain
• Rev.An - Reverse Analytics
• IDK - investigate what they download in torrent network
• redirect - redirect detective
• intelx - Open Source Intelligence & Forensic Tools
• ToS DR - find out what interesting privacy and confidentiality clauses are in the license agreements of popular websites and apps
• hacktarget - 14 tools for gathering information about domain using Hackerarget API
• Pidrila - Interactive Deepweb-oriented Rapid Intelligent Link Analyzer
• Adsenseosint - REVERSE GOOGLE ADSENSE
• SourceWolf - finds all the variables, endpoints and social media links mentioned in the code in just a few seconds
• CSP Validator - service for checking the headers and meta tags of websites for compliance with security standards. It can help determine if a site is vulnerable to common vulnerabilities (XSS, clickjacking, etc)
• Sputnik - Chrome extension for quick gathering info about IP, domain, hash or URL in dozens of different services: Censys, GreyNoise, VirusTotal, Shodan, ThreatMiner,...
• Source - Research 400m+ root domain information and all associated data, including records, IP address, page metadata
• Host Hunter - simple OSINT techniques to map IP addresses with virtual hostnames
• dnstwiste - Command line anti-phishing domain name search engine and DNS monitoring service
• PulseDive - Collects detailed information about IP, whois, ssl, dns, ports, threats reports, geolocation, cookies, metadata (fb app id etc)
• OpenSQUAT - Search newly registered phishing domain by keywords; Check it with VirusTotal and Quad9 DNS
• Argus - DNS history search by IP-adress or by domain name
• IP Investigation - type ip-adress once and gather information about it with 13 tools
• Miteru - Experimental phishing kit detection tool. It collects phishy URLs from phishing info feeds and checks each phishy URL whether it enables directory listing and contains a phishing kit (compressed file) or not
• Amass - In-depth attack surface mapping and asset discovery

• Cloudmare - Simple tool to find origin servers of websites protected by #Cloudflare, #Sucuri or #Incapsula with a misconfiguration DNS
• CloudPeler - CrimeFlare is a useful tool for bypassing websites protected by CloudFlare WAF, with this tool you can easily see the real IP of websites that have been protected by CloudFlare. The resulting information is certainly very useful for conducting further penetration testing, and analyzing websites with the same server
• clquest3r - Uncover the true IP address of websites safeguarded by Cloudflare & Others
• CloudUnflair - Reconnaissance Real IP address for Cloudflare Bypass

• CentralOps - IP and Domain search​
• iplookup - whois, reverse, database lookup​
• domainwhois - investigation, map infrastructure​
• greyhatshort - search URLs exposed by Shortener services​
• whoisology - reverse lookup​
• Pentesttools - Discover subdomains and determine the attack surface of an organization​
• bw - find out what websites are Built With​
• netcraft - search infrastructure and technologies used by any site​
• s3 buckets - from grey hat warfare​
• similarweb - find similar website search​
• AFRINIC - whois for AFRINIC​
• APNIC - whois for APNIC​
• ARIN - whois for ARIN​
• betterwhois - simple unified WHOIS search​
• completedns - Research domain nameserver changes and drops​
• Danger Zone - Correlate data between domains, IPs and email addresses, present it as a graph and store everything into Elasticsearch and JSON files​
• dns - dnssec analyzer​
• nstools -Domain name or IP address audit tools​
• dnsspy - Monitor, validate and verify your DNS configurations​
• Anubis - Subdomain enumeration and information gathering tool​
• DNSdumpster - domain research tool that can discover hosts related to a domain​
• domaincrawl - help digital researchers and investigators monitor the entire Internet analyze data, and discover threats and opportunities​
• dosyadom - reports from public records about domain names and IP addresses to help solve problems, investigate cybercrime, or just better understand how things are set up​
• Hudson Rock - cybercrime intelligence toolkit to check exposure in Infostealer malware infection​
• Intel Tamper - IntelliTamper is a tiny but very practical tool that you can use to scan a website in order to reveal all its files and folders, including the unlisted ones​
• sdb - Registered Domain Names Search​
• IPvoid - IP address toolset​
• Robtex - IP address and domain name based researching websites that offers multiple services such as Reverse DNS Lookup, Whois, and AS Macros​
• TinyScan - URL scan tool that provides comprehensive information about any given URL. Get insights into IP address, location, screenshots, technology stack, performance metrics,...​
• DNA - Unleash website insights! urldna.io analyzes url, monitors brands and track phishing sites​
• urlQuery - domain analysis​
• Validin - Website and API to search current and historical DNS records​
• dnsinfo - analysis dns​
• Web check - All-in-one tool for viewing website and server meta data​
• laundromatinfo - Information Laundromat is a lead generation tool used to determine if and how websites share architecture and content. It provides two core functions: content similarity and domain forensics matching​
• thingful - search engine for IoT​
• crt - cert fingerprinting​
• iana - The Root Zone Database represents the delegation details of top-level domains​
• Internet Census 2012 - Port scanning /0 using insecure embedded devices, MAP​
• techlookup - website built with​
• ipleak - ip analyses​
• shdn - domain ip analysis​
• rse - RSECloud search engine​
• scrap - web scarping for web crawling​
• octo - web scarp​
• dnsx - A fast and multi-purpose DNS toolkit designed for running DNS queries​
• massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)​
• reconftw - perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities​
• gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl​
• sublist3r - Fast subdomains enumeration tool for penetration testers​

Web History and Website Capture​

• stored.website
• Wayback Machine - Explore the history of a website.
• Wayback Machine Archiver
• waybackpy - Python package & CLI tool that interfaces the Wayback Machine APIs
• waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain

• Malpedia - Malpedia is to provide a resource for rapid identification and actionable context when investigating malware​
• anyrun - online malware analysis sandbox​
• hybrid - hybrid analysis sandbox​
• maltiverse - Intel IoC search​
• jotti m - malware scan​
• iobit - IObit Cloud is an advanced automated threat analysis system​
• zoo - A repository of LIVE malwares for your own joy and pleasure. the Zoo is a project created to make the possibility of malware analysis open and available to the public​
• vxug - malware collections, investigation papers/resources​
• exploit DB papers - Exploit Database's Papers​
• bin-exp - Exploit Database's Binary Exploits​
• exploit-db​
• Sploitus - Space to identify Newest Exploits!​
• ra7 - vuln & exploit database from rapid 7​
• vulmon - Vulnerability and exploit search engine​
• packetstorm - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers​
• 0day today - Ultimate database of exploits and vulnerabilities​
• LOLBAS - Living Off The Land Binaries, Scripts and Libraries​
• GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems​
• SWISSrepo - A list of useful payloads and bypasses for Web Application Security​
• h1 - see latest disclosed/undisclosed activity in h1​
• bugcrowd - Showcase of accepted and disclosed submissions on Bugcrowd programs / CrowdStream​
• GTFOArgs - GTFOArgs is a curated list of Unix binaries that can be manipulated for argument injection, possibly resulting in security vulnerabilities​
• shell-stormi - Shellcodes database for study cases​
• LOLDrivers - Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats​
• CVExploits - Your comprehensive database for CVE exploits from across the internet​
• VARIoT - IoT exploits database​
• LOOBins - Detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes​

• Coalition ExploitScoring System - Model that dynamically scores new and existing vulnerabilities to reflect their exploit likelihood​

• LOLAPPS - Compendium of applications that can be used to carry out day-to-day exploitation​

• LOTHardware - Resource collection that provides guidance on identifying and utilizing malicious hardware and malicious devices​

• LOTP - How development tools commonly used in CI/CD pipelines can be used to achieve arbitrary code execution​

• HACKYX - The aim of this project is to easily find any resource related to IT security like CTF writeups, articles or Bug Bounty reports​

• expobserver - The World's Largest Exploit & Vulnerability Intelligence Database and is freely accessible to all​

• vulnXDB - An index of exploit proof-of-concept code in Git repositories!​

• ARP Syndicate - Automated Reconnaissance & Pwning Syndicate​

Thank you for everyone. These resources I collected/tested/used(not all) years and was very helpful. I hope these resources will be help you also, and saves your time planning part II or not...​

• awesome
• OSINT Techniques
• osint-intel
• osint4all

• osint-intel
• osint4all
• libertyblog
• libertydoc - threat intel and other Intel resources

Hypno1' Alıntı:

Good tools!

Genişletmek için tıkla ...

Seraphbyte' Alıntı:

List of excellent OSINT tools useful for Penetration tests, Vulnerability assessments, Red/Blue Team operations, Bug Bounty​

Servers​

​

• Shodan - Search Engine for the Internet of Everything
• Censys Search - Search Engine for every server on the Internet to reduce exposure and improve security
• Onyphe.io - Cyber Defense Search Engine for open-source and cyber threat intelligence data
• ZoomEye - Global cyberspace mapping
• GreyNoise - The source for understanding internet noise
• BinaryEdge - Scans large number of internet exposed assets
• Netlas - Discover, Research and Monitor any Assets Available Online
• FOFA - Cyberspace mapping
• Quake - Cyberspace surveying and mapping system
• Hunter - Internet Search Engines For Security Researchers
• ODIN - One of the most powerful search engines for Scanned Internet Assets
• Criminal - Search for info on everything that connected to the public Internet
• ThreatMiner - Threat Intel, shows ip that shodan didn't gave
• ibm - IBM X-FORCE
• IVRE - Network Recon
• alienvault - open threat intel
• leakix - find open ports, servers, and more

Attack Surface​

​

• FullHunt - Attack surface database of the entire Internet
• Talos Intel - The Talos Intelligence Center is the world’s most comprehensive real-time threat detection network
• RedHuntLabs - Discover your Attack Surface, Continuously
• SecurityTrails - The Total Internet Inventory
• IPInfo - The trusted source for IP address data
• IPData - IP Geolocation and Threat Intelligence API
• NetworksDB - Information about the public IPv4 and IPv6 addresses, networks and domains owned by companies and organisations across the world
• ASNlookup - Quickly lookup updated information about specific Autonomous System Number (ASN), Organization, CIDR, or registered IP addresses (IPv4 and IPv6) among other relevant data
• BGPtools - Browse the Internet ecosystem
• BGPview - Debug and investigate information about IP addresses, ASN, IXs, BGP, ISPs, Prefixes and Domain names
• BigDataCloud - The API provides comprehensive location and network data
• RADb - The world's largest public routing registry
• Deepinfo - Empower your security with the most comprehensive Internet data
• CloudFlare Radar - Global Internet traffic, attack, and technology trends and insights
• CanaryToken - creation Canary Token
• UrlScan - Scanner
• synapsint - OSINT domain
• domIQ - Find out everything about a domain name or IP address
• nerdy - builtWith/data about domain
• Rev.An - Reverse Analytics
• IDK - investigate what they download in torrent network
• redirect - redirect detective
• intelx - Open Source Intelligence & Forensic Tools
• ToS DR - find out what interesting privacy and confidentiality clauses are in the license agreements of popular websites and apps
• hacktarget - 14 tools for gathering information about domain using Hackerarget API
• Pidrila - Interactive Deepweb-oriented Rapid Intelligent Link Analyzer
• Adsenseosint - REVERSE GOOGLE ADSENSE
• SourceWolf - finds all the variables, endpoints and social media links mentioned in the code in just a few seconds
• CSP Validator - service for checking the headers and meta tags of websites for compliance with security standards. It can help determine if a site is vulnerable to common vulnerabilities (XSS, clickjacking, etc)
• Sputnik - Chrome extension for quick gathering info about IP, domain, hash or URL in dozens of different services: Censys, GreyNoise, VirusTotal, Shodan, ThreatMiner,...
• Source - Research 400m+ root domain information and all associated data, including records, IP address, page metadata
• Host Hunter - simple OSINT techniques to map IP addresses with virtual hostnames
• dnstwiste - Command line anti-phishing domain name search engine and DNS monitoring service
• PulseDive - Collects detailed information about IP, whois, ssl, dns, ports, threats reports, geolocation, cookies, metadata (fb app id etc)
• OpenSQUAT - Search newly registered phishing domain by keywords; Check it with VirusTotal and Quad9 DNS
• Argus - DNS history search by IP-adress or by domain name
• IP Investigation - type ip-adress once and gather information about it with 13 tools
• Miteru - Experimental phishing kit detection tool. It collects phishy URLs from phishing info feeds and checks each phishy URL whether it enables directory listing and contains a phishing kit (compressed file) or not
• Amass - In-depth attack surface mapping and asset discovery

CLOUDFLARE​

• Cloudmare - Simple tool to find origin servers of websites protected by #Cloudflare, #Sucuri or #Incapsula with a misconfiguration DNS
• CloudPeler - CrimeFlare is a useful tool for bypassing websites protected by CloudFlare WAF, with this tool you can easily see the real IP of websites that have been protected by CloudFlare. The resulting information is certainly very useful for conducting further penetration testing, and analyzing websites with the same server
• clquest3r - Uncover the true IP address of websites safeguarded by Cloudflare & Others
• CloudUnflair - Reconnaissance Real IP address for Cloudflare Bypass

Domain & IP ​

• CentralOps - IP and Domain search​
• iplookup - whois, reverse, database lookup​
• domainwhois - investigation, map infrastructure​
• greyhatshort - search URLs exposed by Shortener services​
• whoisology - reverse lookup​
• Pentesttools - Discover subdomains and determine the attack surface of an organization​
• bw - find out what websites are Built With​
• netcraft - search infrastructure and technologies used by any site​
• s3 buckets - from grey hat warfare​
• similarweb - find similar website search​
• AFRINIC - whois for AFRINIC​
• APNIC - whois for APNIC​
• ARIN - whois for ARIN​
• betterwhois - simple unified WHOIS search​
• completedns - Research domain nameserver changes and drops​
• Danger Zone - Correlate data between domains, IPs and email addresses, present it as a graph and store everything into Elasticsearch and JSON files​
• dns - dnssec analyzer​
• nstools -Domain name or IP address audit tools​
• dnsspy - Monitor, validate and verify your DNS configurations​
• Anubis - Subdomain enumeration and information gathering tool​
• DNSdumpster - domain research tool that can discover hosts related to a domain​
• domaincrawl - help digital researchers and investigators monitor the entire Internet analyze data, and discover threats and opportunities​
• dosyadom - reports from public records about domain names and IP addresses to help solve problems, investigate cybercrime, or just better understand how things are set up​
• Hudson Rock - cybercrime intelligence toolkit to check exposure in Infostealer malware infection​
• Intel Tamper - IntelliTamper is a tiny but very practical tool that you can use to scan a website in order to reveal all its files and folders, including the unlisted ones​
• sdb - Registered Domain Names Search​
• IPvoid - IP address toolset​
• Robtex - IP address and domain name based researching websites that offers multiple services such as Reverse DNS Lookup, Whois, and AS Macros​
• TinyScan - URL scan tool that provides comprehensive information about any given URL. Get insights into IP address, location, screenshots, technology stack, performance metrics,...​
• DNA - Unleash website insights! urldna.io analyzes url, monitors brands and track phishing sites​
• urlQuery - domain analysis​
• Validin - Website and API to search current and historical DNS records​
• dnsinfo - analysis dns​
• Web check - All-in-one tool for viewing website and server meta data​
• laundromatinfo - Information Laundromat is a lead generation tool used to determine if and how websites share architecture and content. It provides two core functions: content similarity and domain forensics matching​
• thingful - search engine for IoT​
• crt - cert fingerprinting​
• iana - The Root Zone Database represents the delegation details of top-level domains​
• Internet Census 2012 - Port scanning /0 using insecure embedded devices, MAP​
• techlookup - website built with​
• ipleak - ip analyses​
• shdn - domain ip analysis​
• rse - RSECloud search engine​
• scrap - web scarping for web crawling​
• octo - web scarp​
• dnsx - A fast and multi-purpose DNS toolkit designed for running DNS queries​
• massdns - A high-performance DNS stub resolver for bulk lookups and reconnaissance (subdomain enumeration)​
• reconftw - perform automated recon on a target domain by running the best set of tools to perform scanning and finding out vulnerabilities​
• gau - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl​
• sublist3r - Fast subdomains enumeration tool for penetration testers​

Web History and Website Capture​

• stored.website
• Wayback Machine - Explore the history of a website.
• Wayback Machine Archiver
• waybackpy - Python package & CLI tool that interfaces the Wayback Machine APIs
• waybackurls - Fetch all the URLs that the Wayback Machine knows about for a domain

Malware and Exploits & Investigation​

• Malpedia - Malpedia is to provide a resource for rapid identification and actionable context when investigating malware​
• anyrun - online malware analysis sandbox​
• hybrid - hybrid analysis sandbox​
• maltiverse - Intel IoC search​
• jotti m - malware scan​
• iobit - IObit Cloud is an advanced automated threat analysis system​
• zoo - A repository of LIVE malwares for your own joy and pleasure. the Zoo is a project created to make the possibility of malware analysis open and available to the public​
• vxug - malware collections, investigation papers/resources​
• exploit DB papers - Exploit Database's Papers​
• bin-exp - Exploit Database's Binary Exploits​
• exploit-db​
• Sploitus - Space to identify Newest Exploits!​
• ra7 - vuln & exploit database from rapid 7​
• vulmon - Vulnerability and exploit search engine​
• packetstorm - Information Security Services, News, Files, Tools, Exploits, Advisories and Whitepapers​
• 0day today - Ultimate database of exploits and vulnerabilities​
• LOLBAS - Living Off The Land Binaries, Scripts and Libraries​
• GTFOBins - GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems​
• SWISSrepo - A list of useful payloads and bypasses for Web Application Security​
• h1 - see latest disclosed/undisclosed activity in h1​
• bugcrowd - Showcase of accepted and disclosed submissions on Bugcrowd programs / CrowdStream​
• GTFOArgs - GTFOArgs is a curated list of Unix binaries that can be manipulated for argument injection, possibly resulting in security vulnerabilities​
• shell-stormi - Shellcodes database for study cases​
• LOLDrivers - Living Off The Land Drivers is a curated list of Windows drivers used by adversaries to bypass security controls and carry out attacks. The project helps security professionals stay informed and mitigate potential threats​
• CVExploits - Your comprehensive database for CVE exploits from across the internet​
• VARIoT - IoT exploits database​
• LOOBins - Detailed information on various built-in macOS binaries and how they can be used by threat actors for malicious purposes​

• Coalition ExploitScoring System - Model that dynamically scores new and existing vulnerabilities to reflect their exploit likelihood​

• LOLAPPS - Compendium of applications that can be used to carry out day-to-day exploitation​

• LOTHardware - Resource collection that provides guidance on identifying and utilizing malicious hardware and malicious devices​

• LOTP - How development tools commonly used in CI/CD pipelines can be used to achieve arbitrary code execution​

• HACKYX - The aim of this project is to easily find any resource related to IT security like CTF writeups, articles or Bug Bounty reports​

• expobserver - The World's Largest Exploit & Vulnerability Intelligence Database and is freely accessible to all​

• vulnXDB - An index of exploit proof-of-concept code in Git repositories!​

• ARP Syndicate - Automated Reconnaissance & Pwning Syndicate​

Thank you for everyone. These resources I collected/tested/used(not all) years and was very helpful. I hope these resources will be help you also, and saves your time planning part II or not...​

Ref (not full)

• awesome
• OSINT Techniques
• osint-intel
• osint4all

as I don't have Refs from these resources, so If I will see reference that I used in the future, I will update and add here links

Genişletmek için tıkla ...

Red Team OSINT part II: ​

Arming your Forensia box​

Memory Analysis​

• AVML - A portable volatile memory acquisition tool for Linux
• Memoryze - Mandiant's Memoryze is memory forensic software that helps incident responders find "evil" in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis
• MemProcFS - The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system
• Volcano - A comprehensive, cross-platform, next-generation memory analysis solution, Volexity Volcano Professional's powerful core extracts, indexes, and correlates artifacts to provide unprecedented visibility into systems' runtime state and trustworthiness
• WinDbg - The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes
• Evolve - Web interface for the Volatility Memory Forensics Framework
• inVtero.net - Advanced memory analysis for Windows x64 with nested hypervisor support
• LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
• Redline - FireEye's premier endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile
• MalConfScan - MalConfScan is a Volatility plugin extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This tool searches for malware in memory images and dumps configuration data. In addition, this tool has a function to list strings to which malicious code refers
• Memoryze - memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis
• Memoryze for Mac - Memoryze for Mac is Memoryze but then for Macs. A lower number of features, however
• [MemProcFS] (GitHub - ufrisk/MemProcFS: MemProcFS) - MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system
• KeeFarce - Extract KeePass passwords from memory
• Orochi - Orochi is an open source framework for collaborative forensic memory dump analysis
• Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples
• Volatility - Advanced memory forensics framework
• Volatility 3 - The volatile memory extraction framework (successor of Volatility)
• VolatilityBot - Automation tool for researchers cuts all the guesswork and manual tasks out of the binary extraction phase, or to help the investigator in the first steps of performing a memory analysis investigation
• VolDiff - Malware Memory Footprint Analysis based on Volatility
• Rekall - Memory Forensic Framework
• VolUtility - Web App for Volatility framework
• WindowsSCOPE - Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory

Evidence Collection​

• WinTriage - Wintriage is a live response tool that extracts Windows artifacts. It must be executed with local or domain administrator privileges and recommended to be done from an external drive
• LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
• AVML - A portable volatile memory acquisition tool for Linux
• DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
• Cyber Triage - Cyber Triage collects and analyzes host data to determine if it is compromised. It's scoring system and recommendation engine allow you to quickly focus on the important artifacts. It can import data from its collection tool, disk images, and other collectors (such as KAPE). It can run on an examiner's desktop or in a server model. Developed by Sleuth Kit Labs, which also makes Autopsy
• X-Ways Forensics - Forensics tool for Disk cloning and imaging. It can be used to find deleted files and disk analysis
• Dissect - is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group)
• The Sleuth Kit & Autopsy - Unix and Windows based tool which helps in forensic analysis of computers. It comes with various tools which helps in digital forensics. These tools help in analyzing disk images, performing in-depth analysis of file systems, and various other things
• Acquire - Acquire is a tool to quickly gather forensic artifacts from disk images or a live system into a lightweight container. This makes Acquire an excellent tool to, among others, speedup the process of digital forensic triage. It uses Dissect to gather that information from the raw disk, if possible
• Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries
• artifactcollector - The artifactcollector project provides a software that collects forensic artifacts on systems
• bulk_extractor - Computer forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. Because of ignoring the file system structure, the program distinguishes itself in terms of speed and thoroughness
• FastIR Collector - Collect artifacts on windows
• Cold Disk Quick Response - Streamlined list of parsers to quickly analyze a forensic image file (dd, E01, .vmdk, etc) and output nine reports
• Doorman - osquery fleet manager that allows remote management of osquery configurations retrieved by nodes. It takes advantage of osquery's TLS configuration, logger, and distributed read/write endpoints, to give administrators visibility across a fleet of devices with minimal overhead and intrusiveness
• Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
• ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
• CyLR - The CyLR tool collects forensic artifacts from hosts with NTFS file systems quickly, securely and minimizes impact to the host
• Matano - Open source serverless security lake platform on AWS that lets you ingest, store, and analyze petabytes of security data into an Apache Iceberg data lake and run realtime Python detections as code
• Forensic Artifacts - Digital Forensics Artifact Repository
• ir-rescue - Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response
• Live Response Collection - Automated tool that collects volatile data from Windows, OSX, and *nix based operating systems
• Margarita Shotgun - Command line utility (that works with or without Amazon EC2 instances) to parallelize remote memory acquisition
• SPECTR3 - Acquire, triage and investigate remote evidence via portable iSCSI readonly access
• ForensicMiner - A PowerShell-based DFIR automation tool, for artifact and evidence collection on Windows machines
• nightHawk - Application built for asynchronous forensic data presentation using ElasticSearch as the backend. It's designed to ingest Redline collections
• UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection script for Incident Response that makes use of native binaries and tools to automate the collection of AIX, Android, ESXi, FreeBSD, Linux, macOS, NetBSD, NetScaler, OpenBSD and Solaris systems artifacts
• unix_collector - A live forensic collection script for UNIX-like systems as a single script
• Magnet RAM Capture / DumpIt - A free imaging tool designed to capture the physical memory
• peepdf - Powerful Python tool to analyze PDF documents

NTFS/MFT Processing​

• MFT-Parsers - Comparison of MFT-Parsers
• MFTEcmd - MFT Parser by Eric Zimmerman
• MFTExtractor - MFT-Parser
• MFTMactime - MFT and USN parser that allows direct extraction in filesystem timeline format (mactime), dump all resident files in the MFT in their original folder structure and run yara rules over them all.
• NTFS journal parser
• NTFS USN Journal parser
• RecuperaBit - Reconstruct and recover NTFS data
• python-ntfs - NTFS analysis

Network Forensics & Traffic Capture​

​

• Impost - Network security auditing tool designed to analyze the forensics behind compromised and/or vulnerable daemons
• Kismet - A passive wireless sniffer
• n2disk - A multi-Gigabit network traffic recorder with indexing capabilities. n2disk is a network traffic recorder application. With n2disk you can capture full- sized network packets at multi-Gigabit rate (above 10 Gigabit/s on adequate hardware) from a live network interface, and write them into files without any packet loss
• OpenFPC - OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools
• sharppcap - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets from live and file based devices. A realiable and robust wrapper of libpcap and npcap
• Libpcap/Tcpdump - The official site of tcpdump, a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture
• TTT - (Tele Traffic Tapper) is yet another descendant of tcpdump but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won't replace tcpdump, rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default
• Netis Packet Agent - It is a remote data capture utility through GRE tunnel, which makes you easily capture packets from an NIC interface, encapsulate them with GRE and send them to a remote machine for monitoring and analysis
• Arkime - Arkime (formerly Moloch) is a large scale, open source, indexed packet capture and search tool
• Deepfence PacketStreamer - High-performance remote packet capture and collection tool, distributed tcpdump for cloud native environments
• Ngrep - strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop
• PF_RING - PF_RING is a new type of network socket that dramatically improves the packet capture speed. Available for Linux kernels 2.6.32 and newer. No need to patch the kernel. PF_RING-aware drivers for increased packet capture acceleration
• NetworkMiner - Network Forensic Analysis Tool
• Squey - Logs/PCAP visualization software designed to detect anomalies and weak signals in large amounts of data.
• WireShark - A network protocol analyzer

Traffic Analysis & Inspection​

​

• Brim - Brim blends together the richness of Zeek logs with the details of packets. It's the best of both worlds. While Zeek logs can answer most all of your questions quickly, you still have fast access to packets when you need to drill down into the details. Wireshark is always just a click away ()
• Suricata - Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing
• TCP-Reduce - TCP-Reduce is a collection of Bourne shell scripts for reducing tcpdump traces to one-line summaries of each TCP connection present in the trace. The scripts look only at TCP SYN/FIN/RST packets. Connections without SYN packets in the trace (such as those on- going at the beginning of the trace) will not appear in the summary. Garbaged packets (those missing some of their contents) are reported to stderr as bogon's and are discarded. Occasionally the script gets fooled by retransmissions with altered sequence numbers, and reports erroneous huge connection sizes - always check large connections (say 100 MB or more) for plausibility
• Tcpflow - A program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like 'tcpdump' shows a summary of packets seen on the wire, but usually doesn't store the data that's actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. Yet, optionally, it can isolate pcap flows per tcp flow for granularized inspection. Original link
• Tcptrace - A tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet- capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis
• TraceWrangler - TraceWrangler is a network capture file toolkit running on Windows (or on Linux, using WINE) that supports PCAP as well as the new PCAPng file format, which is now the standard file format used by Wireshark. The most prominent use case for TraceWrangler is the easy sanitization and anonymization of PCAP and PCAPng files (sometimes called "trace files", "capture files" or "packet captures"), removing or replacing sensitive data while being easy to use
• Tstat - A passive sniffer able to provide several insight on the traffic patterns at both the network and transport levels with a tremendous set of flow features
• WAND - A wonderful collection of tools built on libtrace to process network traffic
• WinPcap - An extract of a message from Guy Harris on state of WinPcap and WinDump
• Network Expect - is a framework that allows to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libpcap for packet capture and libwireshark (from the Wireshark project) for packet dissection tasks. (GPL, BSD/Linux/OSX)
• Snort - Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, now owned by Cisco. Combining the benefits of signature, protocol and anomaly- based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 500,000 registered users, Snort has become the de facto standard for IPS
• Netsniff-ng - Netsniff-ng is a toolkit of free Linux networking utilities, a Swiss army knife for your daily Linux network plumbing if you will
• CoralReef - is a software suite developed by CAIDA to analyze data collected by passive Internet traffic monitors. It provides a programming library libcoral, similar to libpcap with extensions for ATM and other network types, which is available from both C and Perl
• BruteShark - Is an open-source, cross-platform network forensic analysis tool with many features. It includes: password extracting, displaying a visual network map, reconstruct TCP sessions, extract hashes of encrypted passwords and even convert them to a Hashcat format in order to perform an offline Brute Force attack
• NetDude - (NETwork DUmp data Displayer and Editor). From their webpage, "it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles."
• AIEngine - is a next generation interactive/programmable packet inspection engine with capabilities of learning without any human intervention, NIDS functionality, DNS domain classification, network collector and many others. AIEngine also helps network/security professionals to identify traffic and develop signatures for use them on NIDS, Firewalls, Traffic classifiers and so on
• CapAnalysis - CapAnalysis is a web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic. A live web demo is available for testing
• CapTipper - Malicious HTTP traffic explorer
• Chopshop - is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft
• DPDK - is a set of libraries and drivers for fast packet processing. It was designed to run on any processors. The first supported CPU was Intel x86 and it is now extended to IBM Power 8, EZchip TILE-Gx and ARM. It runs mostly in Linux userland. A FreeBSD port is available for a subset of DPDK features
• ECap - (External Capture) is a distributed network sniffer with a web front- end. Ecap was written many years ago in 2005, but a post on the tcpdump-workers mailing list requested a similar application... so here it is. It would be fun to update it and work on it again if there's any interest
• EtherApe - is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network
• HttpSniffer - A multi-threading tool to sniff TCP flow statistics and embedded HTTP headers from PCAP file. Each TCP flow carrying HTTP is exported to text file in JSON format
• Pcap2har - A program to convert .pcap network capture files to HTTP Archive files using library dpkt
• Tcpreplay - Replays a pcap file on an interface using libnet
• pkt2flow - A simple utility to classify packets into flows. It's so simple that only one task is aimed to finish. For Deep Packet Inspection or flow classification, it's so common to analyze the feature of one specific flow. I have make the attempt to use made-ready tools like tcpflows, tcpslice, tcpsplit, but all these tools try to either decrease the trace volume (under requirement) or resemble the packets into flow payloads (over requirement). I have not found a simple tool to classify the packets into flows without further processing
• ITA - The Internet Traffic Archive is a moderated repository to support widespread access to traces of Internet network traffic, sponsored by ACM SIGCOMM. The traces can be used to study network dynamics, usage characteristics, and growth patterns, as well as providing the grist for trace- driven simulations. The archive is also open to programs for reducing raw trace data to more manageable forms, for generating synthetic traces, and for analyzing traces
• Joy - joy is a traffic analysis and parsing tool that was developed. In part to assist in classifying encrypted traffic streams, such as HTTPS traffic. It is able to parse pcap files into usable json files that contain details on the capture statistics and features
• Sanitize - Sanitize is a collection of five Bourne shell scripts for reducing tcpdump traces in order to address security and privacy concerns, by renumbering hosts and stripping out packet contents. Each script takes as input a tcpdump trace file and generates to stdout a reduced, ASCII file in fixed-column format
• Ostinato - Ostinato is a versatile packet crafter, pcap editor/player and traffic generator with an intuitive GUI. Add-ons include high-speed 10/25/40G traffic generation and scripting/ automation Python APIs. Works on all platforms - Windows, MacOS, Linux and the labbing platforms - CML, EVE-NG and GNS3
• PacketQ - A tool that provides a basic SQL-frontend to PCAP-files. Outputs JSON, CSV and XML and includes a build-in webserver with JSON-api and a nice looking AJAX GUI
• PcapPlusPlus - PcapPlusPlus a multiplatform C++ network sniffing and packet parsing and manipulation framework. It's meant to be lightweight, efficient and easy to use. It's a C++ wrapper for popular engines like libpcap, WinPcap, DPDK and PF_RING. It also contains parsing and edit capabilities for many protocols including Ethernet, IPv4, IPv6, ARP, VLAN, MPLS, PPPoE, GRE, TCP, UDP, ICMP, DNS as well as layer 7 protocols like HTTP and SSL/TLS
• Scapy - Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.
• Tcplook - Tracelook is an Tcl/TK program for graphically viewing the contents of trace files created using the -w argument to tcpdump. Tracelook should look at all protocols, but presently only looks at TCP connections. The program is slow and uses system resources prodigiously
• Tcpxtract - is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called "carving") is an age old data recovery technique
• WireEdit - WireEdit is a free desktop WYSIWYG editor for network packets. It allows editing any stack layer as "rich text" without having any knowledge of packets syntax and encoding rules. The input and output file format is Pcap
• Haka - An open source security oriented language which allows to describe protocols and apply security policies on (live) captured traffic. The scope of Haka language is twofold. First of all, it allows to write security rules in order to filter/alter/drop unwanted packets and log and report malicious activities. Second, Haka features a grammar enabling to specify network protocols and their underlying state machine
• Xplico - The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer. Xplico is an open source Network Forensic An alysis Tool (NFAT). Xplico is released under the GNU General Public License and with some scripts under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) License

• crossd - demonstration of deanonymization of a user of Tor using cross-device tracking
• Timing attack
• Deanonymization via the Cache Side Channel - detailed article
• Cross-device tracking. Deanonymization of users of Tor, VPN, proxy using sound beacons
• JavaScript Browser Information
• see your Canvas fingerprint here and WebGL here
• VT - VirusTotal, it only connects to the server and thereby sends the IP address of the cybercriminal to it
• Deanonymization of Tor users through bait files

Seraphbyte' Alıntı:

Forensics: Deanonimization intro | Threat Intel

Genişletmek için tıkla ...

• A little investigation process of malware which is uploaded in VT (Virus Total) ?
• Or analyzing process of identification of User behind PhaaS (Phishing-as-a-Service) Store ?

felix_04' Alıntı:

wow thats a lot of tools mate, thanks for that

Genişletmek için tıkla ...

Seraphbyte' Alıntı:

I wanted to add some practical approach info under this section & planned to share with some investigation process, which I hope it'll be helpful and informational for newbie threat hunters (as me).
Initially, I wanted to know what kind of threat hunting process will be more interesting and useful:

• A little investigation process of malware which is uploaded in VT (Virus Total) ?
• Or analyzing process of identification of User behind PhaaS (Phishing-as-a-Service) Store ?

Genişletmek için tıkla ...

ancients123' Alıntı:

Very nice and simple explanations, you do not get tired while reading, you can find what you want, thanks for the article
also in the blackarch repos there are a lot of tools like these, I suggest you look there too

Genişletmek için tıkla ...

Seraphbyte' Alıntı:

thanks for recommendation

Genişletmek için tıkla ...