nmap - Nmap - the Network Mapper. Github mirror of official SVN repository.

•    Lua

Nmap is released under a custom license, which is based on (but not compatible with) GPLv2. The Nmap license allows free usage by end users, and we also offer a commercial license for companies that wish to redistribute Nmap technology with their products. See Nmap Copyright and Licensing for full details.Full documentation is also available on the Nmap.org website.

Reconnoitre - A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing

•    Python

A reconnaissance tool made for the OSCP labs to automate information gathering and service enumeration whilst creating a directory structure to store results, findings and exploits used for each host, recommended commands to execute and directory structures for storing loot and flags. This tool is based heavily upon the work made public in Mike Czumak's (T_v3rn1x) OSCP review (link) along with considerable influence and code taken from Re4son's mix-recon (link). Virtual host scanning is originally adapted from teknogeek's work which is heavily influenced by jobertabma's virtual host discovery script (link). Further Virtual Host scanning code has been adapted from a project by Tim Kent and I, available here (link).

Findsploit - Find exploits in local and online databases instantly

•    Shell

Findsploit is a simple bash script to quickly and easily search both local and online exploit databases. This repository also includes "copysploit" to copy any exploit-db exploit to the current directory and "compilesploit" to automatically compile and run any C exploit (ie. ./copysploit 1337.c && ./compilesploit 1337.c). This software is free to distribute, modify and use with the condition that credit is provided to the creator (1N3@CrowdShield) and is not for commercial use.

vulscan - Advanced vulnerability scanning with Nmap NSE

•    Lua

Vulscan is a module which enhances nmap to a vulnerability scanner. The nmap option -sV enables version detection per service which is used to determine potential flaws according to the identified product. The data is looked up in an offline version of VulDB. Just execute vulscan like you would by refering to one of the pre-delivered databases. Feel free to share your own database and vulnerability connection with me, to add it to the official repository.

Gorsair - Gorsair hacks its way into remote docker containers that expose their APIs.

•    Go

Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access to the docker daemon, you can use Gorsair to directly execute commands on remote containers. Exposing the docker API on the internet is a tremendous risk, as it can let malicious agents get information on all of the other containers, images and system, as well as potentially getting privileged access to the whole system if the image uses the root user.

sandmap - Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine

•    Shell

Sandmap is a tool supporting network and system reconnaissance using the massive Nmap engine. It provides a user-friendly interface, automates and speeds up scanning and allows you to easily use many advanced scanning techniques. Before using the Sandmap read the Command Line introduction.

Seccubus - Easy automated vulnerability scanning, reporting and analysis

•    Javascript

Seccubus automates regular vulnerability scans with various tools and aids security people in the fast analysis of its output, both on the first scan and on repeated scans. On repeated scan delta reporting ensures that findings only need to be judged when they first appear in the scan results or when their output changes.

DotNMap

A type library that can be used to work with NMap scan results in .net.

docker-onion-nmap - Scan

•    Shell

Use nmap to scan hidden "onion" services on the Tor network. Minimal image based on alpine, using proxychains to wrap nmap. Tor and dnsmasq are run as daemons via s6, and proxychains wraps nmap to use the Tor SOCKS proxy on port 9050. Tor is also configured via DNSPort to anonymously resolve DNS requests to port 9053. dnsmasq is configured to with this localhost:9053 as an authority DNS server. Proxychains is configured to proxy DNS through the local resolver, so all DNS requests will go through Tor and applications can resolve .onion addresses. When the container boots, it launches Tor and dnsmasq as daemons. The tor_wait script then waits for the Tor SOCKS proxy to be up before executing your command.

nmap-erpscan - Nmap custom probes for better detecting SAP services

•    Python

This article aims at showing how to improve the capability of the nmap network scanner to detect SAP services. This is by no mean a complete and 100% exact way of doing service detection as a lot of corner cases exist that are not covered in this text. If you want a more comprehensive way to do SAP services detection and even much more, the ERPScan Monitoring Suite is a good starting point with its port scanner feature. Our goal is to detect every network service exposed by SAP servers. Those servers are complex beasts with numerous components exposed to the network by default and each of these components potentially has vulnerabilities. So we want to send specific network probes to detect the presence of these services and then better assess if a service is vulnerable or not.

nmap4j - A Java Nmap wrapper

•    Java

Nmap4j

node-libnmap - API to access nmap from node.js

•    Javascript

The example show shows the types of host ranges supported. In this example the default IANA range of reserved ports is scanned per host in each range (1024). The discover method requires nodejs < v0.11.2 and can be used to aquire information about neighbors per network interface.

docker_offensive_elk - Elasticsearch for Offensive Security

•    Python

Traditional “defensive” tools can be effectively used for Offensive security data analysis, helping your team collaborate and triage scan results. In particular, Elasticsearch offers the chance to aggregate a moltitude of disparate data sources, query them with a unifed interface, with the aim of extracting actionable knowledge from a huge amount of unclassified data.

goscan - Interactive Network Scanner

•    Go

GoScan is a project I developed in order to learn @golang. It is an interactive network scanner client, featuring auto-complete, which provides abstraction and automation over nmap. It can be used to perform host discovery, port scanning, and service enumeration in situations where being stealthy is not a priority, and time is limited (think at CTFs, OSCP, exams, etc.).

ansible-pentest-with-tor - Use Tor for anonymous scanning with nmap

•    Shell

Use Tor for anonymous scanning with nmap

sec-tools - Docker images for infosec tools

•    Perl

Docker images for infosec tools

port-scan-automation - Automate NMAP Scans and Generate Custom Nessus Policies Automatically

•    Shell

Automate NMAP scans and custom Nessus polices. Outputs all unique open ports in a Nessus ready format. Much faster to scan in Nessus.

searchscan - Search Nmap and Metasploit scanning scripts.

•    Go

Both Nmap and Metasploit are constantly adding new scanning capabilities. In addition, developers routinely create custom NSE scripts as well. Searchscan can help you find the script you need to scan what you want. Searchscan will search the local machine for installed Nmap NSE and MSF Auxiliary scripts. In addition, it will search GitHub for Nmap NSE scripts. Building Searchscan is easy and follows a similar pattern to most Golang scripts.

HellRaiser - Vulnerability Scanner

•    Ruby

Install redis-server and nmap. Install the foreman gem.

nmap-nse-info - Browse and search through nmap's NSE scripts.

•    Lua

NSEInfo is a tool to interactively search through nmap's NSE scripts. If your NSE scripts are not the standard location /usr/share/nmap/scripts/, you can use the -l or --location option to provide your customized path.