Public tools

This article is an attempt at cataloging all the types of bitcoin transaction locking scripts, their prevalence and their security implications. The data presented in this article was lifted directly from the bitcoin blockchain, which required custom code to quickly iterate over the entire blockchain (over 450 GB at the…

Different forms of DNS rebinding attacks have been described as far back as 1996 for Java Applets and 2002 for JavaScript (Quick-Swap). It has been four years since our State of DNS Rebinding presentation in 2019 at DEF CON 27 (slides), where we introduced our DNS rebinding attack framework Singularity…

Readable Thrift makes binary Thrift protocol messages easy to work with by converting them to and from a human-friendly format. This makes manual analysis of and tampering with binary format Thrift messages just as easy as working with plaintext protocols like HTTP. The library is implemented in Java, enabling integration…

xendbg is a full-featured debugger for both HVM and PV Xen guests. It can act as a stub server for LLDB, allowing users to do their work in a familiar environment, and also provides a standalone REPL with all the standard comfort features of popular debuggers: contextual tab-completion, expressions, and variables.…

Singularity of Origin is a robust and easy-to-use tool to perform DNS rebinding attacks. It consists of a DNS and a web server, a web interface to configure and launch an attack, and sample attack payloads. We plan to support this tool and continue to add features and payloads. Singularity…

It has been known for a while that deserialisation of untrusted data can often lead to serious security issues such as code execution. However, finding such issues might not be a trivial task during time-limited penetration testing. As a result, NCC Group has developed a Burp Suite extension called Freddy [1]…

Sobelow, released in 2017, is the first security-focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points-of-interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Over the last…

House is an open source web application that simplifies the testing process with Frida. With House, security researchers can easily generate Frida scripts to perform various tasks including enumeration, function hooking and intercepting. It also provides an easy-to-use web UI for researchers to generate, customise, and manage their Frida scripts. House…

How can we quickly identify which users and roles have access to a given action (and resource) in an AWS account? Erik Steringer built the Principal Mapper (pmapper) as the answer to that question. It uses the existing simulator APIs to determine which users and roles have access to each…

Over the past few months, we have put Mallory through its paces. Scores of mobile applications have had their network streams MiTMd by Mallory. It has become one of a few important tools that we use on a daily basis. Because we use it so often, we sometimes forget that it may seem…

Welcome to the home of Mallory! Mallory is a transparent TCP and UDP proxy. It can be used to get at those hard to intercept network streams, assess those tricky mobile web applications, or maybe just pull a prank on your friend. You are probably here to get Mallory up…

The CyberVillainsCA is a small Java library for on-the-fly generation, duplication and substitution of X.509 certificates. It is intended for use in building or extending security testing tools, for example, WebScarab (example included). Generates a Certification Authority certificate for importation as a Trusted Root Automatically generates standard SSL server certificates…

DECTbeacon is a war driving application for DECT that includes support for GPS tracking of DECT fixed points. DECTbeacon can augment a wireless security assessment by detecting the presence and location of DECT fixed points, which may then be analyzed further to determine points of vulnerability including a gaps in…

Fuzzbox is a multi-codec media fuzzer. Prerequisites: Python py-vorbis 1.4 mutagen 1.11 Download Tool

Gizmo is a graphical web proxy written in Java. It is designed to be speedy, with the user interfaced centered around keyboard use. It should do what you want, and then get out of your way. Pre-Requisites: Java 1.6 Download Gizmo from Google Code.

HTTP Profiler is a simple program that summarizes packet traces of HTTP traffic, to highlight performance problems caused by excessive network traffic. Many web sites and applications cost more than they should, due to unoptimized network behavior.The original goal of httprof was to help people understand that, of all the…

Intent Sniffer is a tool that can be used on any device using the Google Android operating system (OS). On the Android OS, an Intent is description of an action to be performed, such as startService to start a service. The Intent Sniffer tool performs monitoring of runtime routed broadcasts Intents.…

Intent Fuzzer is a tool that can be used on any device using the Google Android operating system (OS). Intent Fuzzer is exactly what is seems, which is a fuzzer. It often finds bugs that cause the system to crash or performance issues on the device. The tool can either…

Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have…

Jailbreak is a tool for exporting certificates marked as non-exportable from the Windows certificate store. This can help when you need to extract certificates for backup or testing. You must have full access to the private key on the filesystem in order for jailbreak to work. Prerequisites: Win32   Please…

Package Play is a tool that can be used on any device using the Google Android operating system (OS). Package Play shows the user all installed packages on the mobile device. This helps the user in the following ways: Easy way to start exported Activities Shows defined and used permissions…

Manifest Explorer is a tool that can be used on any device using the Google Android operating system (OS). On Android, every application must have an AndroidManifest.xml file in its root directory. The AndroidManifest.xml files does a few things, which is all explained  here. From a security perspective, the file is…

ProxMon is an extensible Python based framework that reduces testing effort, improves consistency and reduces errors. Its use requires limited additional effort as it processes the proxy logs that you’re already generating and reports discovered issues. In addition to penetration testing, ProxMon is useful in QA, developer testing and regression…

SAML Pummel is a BeanShell plug-in for WebScarab. It automates eight different injection attacks to assist in auditing the implementation of SAML 2.0 single sign-on systems. C14N Entity Expansion C14N Transforms Remote DTD Remote KeyInfo RetrievalMethod Remote KeyInfo WSSE Security Token Reference SignedInfo Remote Reference XSLT Transform URL Retrieval (Xalan)…

This is a modified version of Todd Whiteman’s PySimReader code. This modified version allows users to write out arbitrary raw SMS PDUs to a SIM card. Additionally, debugging output has been added to allow the user to view all APDUs that are sent between the SIM card and PySimReader. Usage:#…

SecureCisco is a product that analyzes several security settings of a Cisco Router. SecureCisco’s analyzer includes over 25 checks for security. Additionally, for each finding, SecureCisco will provide a detailed recommendation with the exact syntax to mitigate any insecure security setting. The product is able to evaluate both global security…

SecureBigIP is a command line tool to analyze the management security aspects of a F5 Big IP Load Balancer. Prerequisites: Win32 Download Tool

SecureIE.ActiveX is a tool to evaluate the ActiveX security settings on Internet Explorer. Prerequisites: Win32 Download Tool

SecureCookies is a tool to evaluate whether a given URL is utilizing the security options in the cookie. Prerequisites: Win32 Download Tool

WebRATS is an homage to RATS, a tool to scan code and flag the use of dangerous APIs, identified hazards, and provide secure coding alternatives (RATS was originally created by Secure Software). WebRATS is intended for today’s web-enabled, distributed development methodologies. It was designed to integrate transparently into ordinary code…

Overview AWS Inventory is a tool that scans an AWS account looking for AWS resources. There are constantly new services being added to AWS and existing ones are being expanded upon with new features. This ecosystem allows users to piece together many different services to form a customized cloud experience.…

Extractor is a Burp Suite tool that allows users to define one or more decode steps and automatically apply them to all requests and responses. Users can then alter the decoded payload to have it properly re-encoded and injected back into the request. (This applies to modifiable requests, such as in…

CMakerer is a small open source tool that was created to deal with the problem of tricky-to-load C/C++ codebases. CMakerer scans for C/C++ files and parses their #include directives to identify potential include paths. It then generates a CMakeLists.txt file for the entire codebase. While such files will not likely…

This is a collection of tools used to attack applications that use Windows Interprocess Communication mechanisms. This package includes tools to intercept and fuzz named pipes, as well as a shared memory section fuzzer. Prerequisites: Windows Python Download Tool

WSBang is a Python-based tool used to perform automated security testing of SOAP based web services. Takes URL of WSDL as input Fuzzes all methods and parameters in the service Identifies all methods and parameters, including complex parameters Fuzzes parameters based on type specified in WSDL Reports SOAP responses and…

WSMap is a Python-based tool that helps penetration testers find web service endpoints and discovery files. Parses WebScarab logs to find testing targets Tests URLs and implies URLs found in log Tests for WSDL and DISCO web service discovery formats Prerequisites: WebScarab Python 2.4 pyCurl Download Tool

Nerve is a cross platform scriptable debugger built using our Ragweed library. Nerve consumes your breakpoint configuration files and then executes the ruby scripts you specify as debugger events occur. Nerve scripts have been used to implement hit tracers, in memory fuzzers and code coverage tools. You can find detailed documentation on…

Ragweed is our native code debugging library written in Ruby. It runs on Win32, OSX and Linux. That’s right, we implemented a native code debugger from the ground up using nothing but Ruby and FFI. You read that right, no 3rd party dependencies! Ragweed can be used to build powerful…

These tools are useful for testing any program which processes binary file inputs such as archivers and image file viewers. FileP is a python-based file fuzzer. It generates mutated files from a list of source files and feeds them to an external program in batches. Prerequisites: Python 2.4 FileH is a haskell-based…

Kivlad is a decompiler for Android’s Dalvik binaries, with a highly customizable web-based navigation interface. Unlike existing decompilers for Dalvik, it works natively on Dalvik bytecode rather than converting back to Java bytecode; this means much higher quality results. Also unlike other tools having a static GUI, it takes in…

Android SSL Bypass is an Android debugging tool that can be used for bypassing SSL verification on network connections, even when certificate pinning is implemented – as well as other debugging tasks. It runs as an interactive console. The tool is based on a scriptable JDWP debugger using the JDI…

Hiccupy is a Jython binding for the PortSwigger Burp Suite’s BurpExtender interface. It is intended to facilitate realtime traffic analysis and modification of plain text protocols using simple plugins. The tool hooks BurpExtender::processProxyMessage and executes plugin modules on both requests and responses. Plugins are written in Python and can be…

When performing a black box assessment of an iOS App, one of the main tasks of the tester is to intercept the application’s network communications using a proxy. This gives the tester the ability to see what is happening behind the scenes and how the application and the server communicate…

Correct implementation of SSL is crucial to secure transmission of data between clients and servers. However, this crucial task is frequently done improperly, due to complex APIs and lack of understanding of SSL fundamentals. The SSL Conservatory is intended to be a clearinghouse for well-documented and secure sample code to…

TLSPretense is a framework for testing client-side SSL/TLS certificate validation. Software that uses HTTPS and TLS, such as mobile applications and web service clients, often make mistakes configuring and implementing client-side TLS code. These mistakes are usually severe enough to allow an attacker to intercept the supposedly protected network traffic.…

Tcpprox is a simple command line tcp proxy written in Python. It is designed to have very minimal requirements – it runs directly from Python (tested in Python 2.7) from a single source file (unless the auto-certificate option is used). When running, the proxy accepts incoming TCP connections and copies…

YoNTMA (You’ll Never Take Me Alive!) is a tool designed to enhance BitLocker’s data protection on Windows laptops. YoNTMA ensures that if your laptop is physically stolen while it is powered on, sensitive data (such as disk encryption keys) does not persist in memory for an attacker to recover via…

Welcome to the Intrepidus Group Tattler project information page. Tattler is aSkype power tool that lets users track and monitor message modification in Skype. Tattler also provides a shell to the raw Skype API commands to allow for the manipulation and monitoring of many other Skype behaviors and activities. Features:  …

PeachFarmer facilitates fuzz testing in the cloud. PeachFarmer is designed to be used in conjunction with the Peach fuzzing framework. Peach allows the user to split up a fuzzing job among many machines, but does not offer a built-in way to gather the logs and crash dumps from all these separate…

This tool disables signature and permission checks for Android IPCs. This can be useful to test internal or restricted IPCs in specific cases/scenarios. The tool is available on Github project page.

This extension makes all applications running on the device debuggable; once installed, any application will accept a debugger to attach to them. The tool is available on Github here.

This tool hooks various methods in order to disable SSL certificate pinning, by forcing the Android application to accept any SSL certificate. Once installed, it works across all applications on a device. The tool is available on Github here.

Introspy for Android is a tool designed to help penetration testers understand what an Android application does at runtime, and to greatly facilitate the process of reviewing the application’s security mechanisms. Further details can be found here

RtspFuzzer, an open-source fuzzer for the real-time streaming protocol (RTSP) is now available on our Github page here.

A new version of SSLyze is now available. SSLyze is a Python tool that can analyze the SSL configuration of a server by connecting to it. The tool is available on Github here.

enced by a constant “2131099692”, which cannot be dereferenced and this is where apktool is very helpful. Before we get into apktool, we will try to understand what is being passed. getAction() will get whatever was set using setAction() in the MainActivity class. putExtra() sends additional parameters in the form of a…

Tools Required:   Android SDK (ADT bundle). Will use adb mostly. Dex2jar. (Used for unpacking .apk file) jd-gui. (Java Decompiler) apktool Mercury. Link Extractor tool like Winrar. Burp Suite free Virtuous Ten Studio (optional but highly recommended)   Preparation for taking apart the app:   Get your hands on the apk…

This is a collection of scripts that can be used to generate fuzzed files, fuzzed file systems, and file systems containing fuzzed files. These can be used to test the robustness of forensics tools and examination systems. Prerequisites: Linux/Python Download Tool

Open Technology Fund (OTF) engaged iSEC Partners (iSEC) to perform a source code assisted white box security assessment of Security First’s Umbrella mobile application. One iSEC consultant performed the engagement remotely over two weeks, from June 15th, 2015 to June 26th, 2015. Security First provided iSEC access to the mobile…

How does it work? Autochrome is simply a script that fetches the latest version of Google’s Chromium, creates a number of test profiles, and installs it. Rather than do extensive modifications to the Chromium source, we rely on the base executable built by Google and only modified the profiles so…

WSSiP is a tool for viewing, interacting with, and manipulating WebSocket messages between a browser and web server. WebSockets themselves are a newer option for client-side JavaScript code that allows browsers to connect to the web server in order to signify that the connection should be a TCP connection. As defined…

Summary AssetHook is a tool that enables Android security researchers and pentesters to modify the asset portions of Android applications on the fly, without modifying the APK itself. Such modifications allow researchers to alter embedded data to better assess and test mobile applications. AssetHook is easier to use than existing methods…

Call Map is a tool for navigating call graphs in Python, with plans to support other languages. A call graph is a natural way to traverse code, where the nodes are procedures and directed edges connect procedures that call each other. Many editors and IDEs prioritize first the text, then…

Sobelow is the first security‐focused static analysis tool for the Phoenix framework. For security researchers, it is a useful tool for getting a quick view of points‐of‐interest. For project maintainers, it can be used to prevent the introduction of a number of common vulnerabilities. Currently Sobelow detects some types of…

G-Scout is a tool made to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data, and analyzes this data to determine security risks. It produces HTML output, which allows for convenient browsing of results.…

Burp Suite’s built-in decoder component, while useful, is missing important features and cannot be extended. To remedy this, Justin Moore developed Decoder Improved, a drop-in replacement Burp Suite plugin. It includes all of decoder’s functionality while fixing bugs, adding tabs, and includes an improved hex editor. Additionally, the plugin’s functionality…

RTTI can be an extremely helpful way to gain insight about a C++ binary during reverse engineering, and Python Class Informer’s visualization of the class hierarchies can strengthen these insights even further. We hope reverse engineers’ lives will become a little easier using the visualizations produced by this plugin. Currently,…

Burp Suite is an intercepting HTTP Proxy, and it is the defacto tool for performing web application security testing. While Burp Suite is a very useful tool, using it to perform authorization testing is often a tedious effort involving a “change request and resend” loop, which can miss vulnerabilities and…

TPM Genie is an Arduino-based man-in-the-middle (“interposer”) for the Trusted Platform Module I2C serial bus. This tool has been designed to aid in the security research of TPM hardware as well as the host-side drivers that communicate the with them. In its simplest usage scenario, TPM Genie is capable of…

Scenester – a tool to visually snapshot a website by supplying multiple user-agent. Designed to aid in discovery of different entry points into an application. For more information and to download the tool, visit our GitHub page here.

Automate NMAP scans and custom Nessus polices. Features include:  Discovers live devices Auto launches port scans on only the discoverd live devices Can run mulitple instances on multiple adaptors at once Creates client Ref directory for each scan Outputs all unique open ports in a Nessus ready format. Much faster…

A collection of tools to enumerate and analyse Windows DACLs: Tool 1: Process Perms Tool 2: Windows Stations and Desktops  Tool 3: Services  Tool 4: File Sytem  Tool 5 Registry   For more information and to download the tool visit our GitHub page here. 

umap is a USB host security assessment tool, based on Facedancer by Travis Goodspeed.  For more information and to download the tool visit our GitHub page here.

A tool to find and exploit servers vulnerable to Shellshock. To download the tool, please visit our Github page here.

Zulu is an interactive GUI based fuzzer. The tool is input and output agnostic, therefore when you are happy with using the fuzzing engine that’s driven by the GUI you are only limited by the input and output modules that have been developed for it. To download the tool, please…

This proto-type was originally designed a developed during Christmas 2008 / 2009 to show how a non signature based AV could reliably detect malicious code. For more information and to download the tool, visit our GitHub page here. 

vlan-hopping is a simple VLAN enumeration and hopping script, developed by Daniel Compton.  For more information and to download the tool, visit our GitHub page here. 

Tybocer is a new view on code review. When presented with a new piece of code to review it is useful to search through for common terms, or to hunt down specific definitions of particular functions. For more information and to download the tool visit our GitHub page here.

A network data locator using credentials obtained during penetration tests. Xcavator is a tool that scans a range of IP addresses for services that host files (FTP, FTPS and SMB at the moment) and for given credentials it will try to download everything it can and scan within the files…

A Microsoft Windows Process Lockdown Tool using Job Objects, developed by Ollie Whitehouse.  To download the tool visit our GitHub page here.

Azucar is a multi-threaded plugin-based tool to help assess the security of Azure Cloud environment subscription. By leveraging the Azure API , Azucar automatically gathers a variety of configuration data and analyses all data relating to a particular subscription in order to determine security risks. The script will not change…

The rise of blockchain technology has brought about the invention of Ethereum. The Ethereum Virtual Machine (EVM) is a trustless, distributed computer that stores its state on a blockchain. Developers can define logic in the form of smart contracts, which are pieces of code that can be executed by the…

BLEBoy is a great resource for learning about BLE security and provides a single BLE peripheral that can be used to experiment with each BLE pairing method. This release of BLEBoy includes a parts list, instructions for how to construct the device, source code that needs to be compiled and…

A memory searching utility across multiple processes, that allows you to: Opens each process. Works out the valid memory pages. Search for ascii and unicode incarnation of the string. To download the tool, visit our GitHub page here.

The NCC Group Game from 44CON 2013 – a knowledge based multiple choice game for conferences.  For more information and to download the game, visit our GitHub page here. 

A primitive website scanner currently under development by an NCC Group employee and University graduate with 20% research time. creep currently crawls a site, and searches for potentially interesting information within each page. creep will crawl your (HTTP only) target and pull interesting info on the site, including: Source code…

NCC Code Navi the Text Viewer and Searcher for Code Reviewers, which allows: Easily search across code Ability to have multiple instances of the same file / search queries open concurrently Inbuilt note keeper Send different aspects of filenames, path, code to the note keep easily Select a word or…

Raw bytes manipulation utility, able to apply well known and less well-known transformations. For more information and to download the tool, visit our GitHub page here. 

A web service written in Python designed to identify registered yet mistyped DNS domains. This utility will check if web server, mobile and mail handling DNS records have also been registered. In addition geo IP is used to locate the country that the registered IPv4 and IPv4 addresses are present…

This tool encompasses two distinct features. It guesses the IOCTL values that the driver accepts and also their valid size limitations and store the results are in a file for future reuse. The second feature is comprised of 3 dumb fuzzers: a pure random fuzzer, a sliding DWORD fuzzer and…

IODIDE – The IOS Debugger and Integrated Disassembler Environment Released as open source by NCC Group Plc Developed by Andy Davis, andy dot davis at nccgroup dot com To download visit: https://github.com/nccgroup/IODIDE Released under AGPL see LICENSE for more information Includes the PowerPC disassembler from cxmon by Christian Bauer, Marc…

CECSTeR is the Consumer Electronics Control Security Testing Resource – a GUI-based tool to perform security testing against the HDMI CEC (Consumer Electronics Control) and HEC (HDMI Ethernet Channel) protocols.  For more information and to download the tool visit our GitHub page here.

Cisco SNMP enumeration, brute force, config downloader and password cracking script. For more information and to download the tool, visit our GitHub page here.

Small script to check if the .NET web application is vulnerable to padding Oracle. This script actually verify if the oracle is present and exploitable, not just if the patch has been installed. For more information and to download the tool, visi out GitHub page here.

NCC Code Navi the Text Viewer and Searcher for Code Reviewers. For more information and to download the tool, visit our GitHub page here. 

This tool is an Easy Windows Domain Access Script which finds common password hashes on Windows networks (pass the hash), and Locates logged in Domain Administrator accounts.  For more information and to download the tool, vist our GitHub page here. 

A tool for fuzzing Enhanced Display Identification Data, developed by Andy Davis. For more information and to download the tool visit our GitHub page here.

Fat-Finger extends the original finger.nse and attempts to enumerate current logged on users through a full match of the username and a partial match of the GECOS field in /etc/passwd.  For more information and to download the tool, visit our GitHub page here. 

firstexecution is a collection of different ways to execute code outside of the expected entry points.  For more information and to download the tool, visit our GitHub page here. 

Grepify the GUI Regex Text Scanner for Code Reviewers.  For more information and to download the tool, visit our GitHub page here.

FrisbeeLite is a GUI-based USB device fuzzer, developed by Andy Davis.  For more information and to download the tool, visit our GitHub page here.

A Windows application to help out with external infrastructure scans that can be used for the following: Convert a file of IP addresses to hostnames (output a straight list of hostnames or comma separated list of IP Address, Hostname) Convert a file of hostnames to IP addresses (output a straight…

Lapith is a Python GUI tool that presents Nessus results in a format more useful for penetration testers. Results can be viewed by issue as opposed to by host. It is therefore easier to report all the hosts affected by an issue, rather than all of the issues affecting the…

Metasploit payload generator that avoids most Anti-Virus products. For more information and to download the tool, visit our GitHub page here.

A tool to generate Snort rules or Cisco IDS signatures based on public IP/domain reputation data.  For more information and to download the tool, visit our GitHub page here.