Top 23 Python Infosec Projects
Exploitation Framework for Embedded DevicesProject mention: My neighbor is causing trouble in the neighborhood | reddit.com/r/hacking | 2022-06-18
Also check the routersploit, they have some scanners, to check for vulnerabilities. https://github.com/threat9/routersploit
Web path scannerProject mention: Release dirsearch v0.4.2 - Web Path Scanner | reddit.com/r/netsec | 2021-09-12
Clean code begins in your IDE with SonarLint. Up your coding game and discover issues early. SonarLint is a free plugin that helps you find & fix bugs and security issues from the moment you start writing code. Install from your favorite IDE marketplace today.
SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.Project mention: Social media | reddit.com/r/OSINT | 2022-06-10
Spiderfoot is good https://github.com/smicallef/spiderfoot
Collaborative Penetration Test and Vulnerability Management Platform (by infobyte)Project mention: Recommendation for Vulnerability Management Solution | reddit.com/r/netsecstudents | 2022-04-08
Says it's inspired by "LinkFinder", which was useful in dredging up what the original purpose of the tool was: https://gerbenjavado.com/discovering-hidden-content-using-li...
Scan for open S3 buckets and dump the contentsProject mention: S3 Scanner: A utility for identifying insecure bucket permissions | reddit.com/r/aws | 2022-05-18
I am not sure if this is open source and if it isn't, why would you give your bucket name into it? say you did have an insecure bucket, how do you know this site won't download all the contents of it? There are a number of open source tool that do the same thing, here's one https://github.com/sa7mon/S3Scanner
Snoop — инструмент разведки на основе открытых данных (OSINT world)Project mention: Tool das alle mit E-Mail verknüpfte Accounts auflistet? | reddit.com/r/de_EDV | 2022-06-22
Less time debugging, more time building. Scout APM allows you to find and fix performance issues with no hassle. Now with error monitoring and external services monitoring, Scout is a developer's best friend when it comes to application development.
🔥 A powerful MongoDB auditing and pentesting tool 🔥
🔗 Don't know what type of hash it is? Name That Hash will name that hash type! 🤖 Identify MD5, SHA256 and 300+ other hashes ☄ Comes with a neat web app 🔥Project mention: Need some information about a password hash | reddit.com/r/Hacking_Tutorials | 2021-09-11
This is what I use to identify hashes I am unfamiliar with. https://github.com/HashPals/Name-That-Hash
🔎Searches Hash APIs to crack your hash quickly🔎 If hash is not found, automatically pipes into HashCat⚡
A Blazing fast Security Auditing tool for KubernetesProject mention: Top 200 Kubernetes Tools for DevOps Engineer Like You | dev.to | 2022-01-15
TerraScan - Detect compliance and security violations across Infrastructure as Code to mitigate risk before provisioning cloud native infrastructure. klum - Kubernetes Lazy User Manager Kyverno - Kubernetes Native Policy Management https://kyverno.io kiosk - kiosk office Multi-Tenancy Extension For Kubernetes - Secure Cluster Sharing & Self-Service Namespace Provisioning kube-bench - CIS Kubernetes Benchmark tool kube-hunter - Pentesting tool - Hunts for security weaknesses in Kubernetes clusters kube-who-can - Show who has RBAC permissions to perform actions on different resources in Kubernetes starboard - Kubernetes-native security toolkit Simulator - Kubernetes Security Training Platform - Focussing on security mitigation RBAC Lookup - Easily find roles and cluster roles attached to any user, service account, or group name in your Kubernetes cluster https://fairwinds.com Kubeaudit - kubeaudit helps you audit your Kubernetes clusters against common security controls Gangway - An application that can be used to easily enable authentication flows via OIDC for a kubernetes cluster Audit2rbac - Autogenerate RBAC policies based on Kubernetes audit logs Chartsec - Helm Chart security scanner kubestriker - Security Auditing tool Datree - CLI tool to prevent K8s misconfigurations by ensuring that manifests and Helm charts follow best practices as well as your organization’s policies Krane - Kubernetes RBAC static Analysis & visualisation tool Flaco - The Falco Project - Cloud-Native runtime security Clair - Vulnerability Static Analysis for Containers Anchore Cli - Coomand Line Interface built on top of anchore engine to manage and inspect images, policies, subscriptions and registries Project Quay - Container image registry designed to boost the security of your repositories via vulnerability scanning and tight access control Kubescape - Tool to test if Kubernetes is deployed securely according to multiple frameworks: regulatory, customized company policies and DevSecOps best practices, such as the NSA-CISA and the MITRE ATT&CK®
"Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.Project mention: How to keep a SOC on their toes | reddit.com/r/AskNetsec | 2021-11-18
Passphrase wordlist and hashcat rules for offline cracking of long, complex passwordsProject mention: Kio faras bonan pasvorton (tago 25) | reddit.com/r/WriteStreakEsperanto | 2021-12-22
Mi diris al vi pri Diceware hieraŭ. Direware estas bona, sed mi pensas ke oni povus fari ŝanĝiĝojn de pasfrazo el similaj programoj. Ekzemple, misliterumu unu aŭ du vortojn, kompletigi vorton aŭ preni parton de la pasvorto el libro. Ĉi tiu frazo povas esti romano, poemo, matematika libro, ktp. Se oni volas, oni povus preni unu vorto el libro po. Nur uzi pasfrazojn el Diceware ne estas tiel sekura kiel oni eble pensas. Do mi rekomendas ĉiuj ajn fari malgrandaj ŝanĝiĝojn de pasfrazoj el programoj kiel Diceware.
WebMap-Nmap Web Dashboard and ReportingProject mention: nmap xsl stylesheet ... but pretty? | reddit.com/r/nmap | 2022-04-13
What kind of info do you need to display? Zenmap can import Nmap scan results and shows the results in several different tabular formats. There are lots of programming language libraries and plugins for loading and processing Nmap results. Ndiff is one for Python 2, but you can usually find one in any language you are comfortable with. Loading the results into a database might be better if you want to be able to produce reports based on the results. Tools like Dradis and WebMap can do this automatically.
Scaling Network Scanning. Changes prior to 1.0 may cause difficult to avoid backwards incompatibilities. You've been warned.Project mention: Passive network device discovery | reddit.com/r/cybersecurity | 2021-11-02
Natlas was basically built for exactly this use case. Docker-compose file in the repo so you can set up as containers in Windows. https://github.com/natlas/natlas
OSINT Project (by kennbroorg)Project mention: Trying to find out if this small program will run on Windows and I'm not sure where to ask. Documentation only has linux commands in it, but I got it mostly working, with some issues, so I'm not sure. Can anyone help? | reddit.com/r/techsupport | 2022-04-20
StalkPhish - The Phishing kits stalker, harvesting phishing kits for investigations.Project mention: How to Iidentify zero day phishing URLs | reddit.com/r/phishing | 2022-04-15
Using Stalkphish.io, or the OSS version https://github.com/t4d/StalkPhish
Decode All Bases - Base Scheme DecoderProject mention: basecrack VS python-codext - a user suggested alternative | libhunt.com/r/basecrack | 2022-02-06
Notes Taken for HTB Machines & InfoSec Community.
[PoC] Atlassian Confluence (CVE-2022-26134) - Unauthenticated OGNL injection vulnerability (RCE) (by Nwqda)Project mention: CVE-2022-26134 – Confluence Zero Day Remote Code Execution - live threat | reddit.com/r/blueteamsec | 2022-06-04
Find exposed API keys based on RegEx and get exploitation methods for some of keys that are foundProject mention: Created a tool to find exposed API keys based on RegEx and get exploitation methods for some of keys that are found | reddit.com/r/HowToHack | 2021-12-19
Monitoring GitLab for sensitive data shared publicly
Pandora is an analysis framework to discover if a file is suspicious and conveniently show the results (by pandora-analysis)Project mention: Pandora is an analysis framework to discover if a file is suspicious | news.ycombinator.com | 2022-05-30
It appears to hash the file locally, then look it up on a number of aggregators (or local scanner such as clamav), see: https://github.com/pandora-analysis/pandora/tree/main/pandor... for list.
You will need to be subscribed to those services that are not free and have API keys for each one.
Python Infosec related posts
2 projects | news.ycombinator.com | 27 Jun 2022
My neighbor is causing trouble in the neighborhood
1 project | reddit.com/r/hacking | 18 Jun 2022
1 project | reddit.com/r/hacking | 15 Jun 2022
Pandora is an analysis framework to discover if a file is suspicious
2 projects | news.ycombinator.com | 30 May 2022
S3 Scanner: A utility for identifying insecure bucket permissions
1 project | reddit.com/r/aws | 18 May 2022
nmap xsl stylesheet ... but pretty?
3 projects | reddit.com/r/nmap | 13 Apr 2022
[OC] Data Exfiltration using RedDrop - A Python Webserver for file and data exfiltration which automatically detects, decodes, decrypts, and transforms data.
2 projects | reddit.com/r/redteamsec | 29 Mar 2022
What are some of the best open-source Infosec projects in Python? This list will help you:
Are you hiring? Post a new remote job listing for free.