Security Awesome

• https://github.com/zmap
• jtesta/ssh-audit
  • ssh-audit.com
• ycd/dstp
• SentryPeer/SentryPeer
  • peer to peer list of bad actor IP addresses and phone numbers collected via a SIP Honeypot
• undergroundwires/privacy.sexy
  • Open-source tool to enforce privacy & security best-practices on Windows and macOS
  • HN
• google/osv.dev
  • vulnerability DB and triage service
• soxoj/maigret
  • Collect a dossier on a person by username from thousands of sites
• ocsf/ocsf-schema
• vanhauser-thc/thc-hydra
  • Apache-2.0
• danielmiessler/SecLists
• DPI bypass
  • ValdikSS/GoodbyeDPI
    • bypasss DPI for windows
  • bol-van/zapret
    • for Linux
• Linux
  • liamg/traitor
    • MIT, Go
    • Linux privilege escalation
• Web/滑块验证/机器人
  • pavlealeksic/puppeteer-afp
    • stop sites from fingerprinting your puppeteer
  • https://www.zhihu.com/question/287191234/answer/3521005150

Topic

en	cn
Anti-Bot Verification	反机器人验证
Authentication	认证
Security Verification	安全验证
CAPTCHA	图像验证码

• CAPTCHA - Completely Automated Public Turing test to tell Computers and Humans Apart
  • by Luis von Ahn 2000

Algorithm

• https://csrc.nist.gov/Projects/Post-Quantum-Cryptography
• CRYSTALS-Kyber
• https://signal.org/blog/pqxdh/
• iMessage with PQ3
  • https://news.ycombinator.com/item?id=39453660

Service

• smicallef/spiderfoot
  • MIT, Python
  • automates OSINT for threat intelligence and mapping your attack surface
  • OSINT - Open-source intelligence

Library

• google/tink
  • Java/Android, C++, Obj-C, Go, Python
  • 基于 BoringSSL
• jedisct1/libsodium
  • portable, easy to use crypto library
• NaCl - Networking and Cryptography library
  • wikipedia NaCl
• google/paranoid_crypto
  • checks for well known weaknesses on cryptographic
• Idov31/Sandman
• 参考
  • Comparison of cryptography libraries

SSL

impl	license	written in	by	adopted by
BoringSSL	ISC	C, C++, Go	Google
Botan	BSD	C++
Bouncy Castle	MIT	Java,C#
JSSE	GPLv2	Java	Oracle
LibreSSL	Apache-2.0, BSD, ISC	C	OpenBSD	macOS,OpenBSD,DragonflyBSD
MbedTLS	Apache-2.0, GPLv2+	C	ARM	PowerDNS,OpenVPN
NSS	MPL-2.0	C	Mozilla...
OpenSSL	Apache-2.0	C	OpenSSL
s2n	Apache-2.0, GPLv2+	Amazon
Secure Transport	APSL-2.0	Apple
GnuTLS	LGPLv2.1	C	FSF
wolfssl	GPLv2+	C

• Botan
• MbedTLS
  • 适用于嵌入式场景
• LibreSSL
  • 2014-04 - OpenBSD fork OpenSSL
• BoringSSL
  • 2014-06 Google fork OpenSSL
  • Tink - based on BoringSSL
• JSSE - Java Secure Socket Extension
• NSS - Network Security Services

info

• 使用最多的是 OpenSSL - OpenSSL 3.0 变动较大
• 2014-04 OpenSSL Heartbleed 事件

• Comparison of TLS implementations

Private PKI

• Keyfactor/ejbca-ce
  • LPLv2.1, Java
  • https://hub.docker.com/r/keyfactor/ejbca-ce
• letsencrypt/boulder
• dogtagpki/pki
  • GPLv2, Java
• step ca
• hakwerk/labca
  • MPLv2+CC, Go
  • WebUI
• cloudflare/cfssl
  • BSD-2, Go
• Vault Hashicorp
• https://github.com/xipki/xipki
• https://github.com/viralpoetry/awesome-pki

AV

• https://www.av-comparatives.org/tests/performance-test-april-2022/
• Cisco-Talos/clamav
  • GPLv2, C, C++
  • 唯一广泛使用的开源杀毒软件
• Tlaster/YourAV
• Comparison of antivirus software

Index

• https://fofa.so/

Password

• project-rainbowcrack

Crack

• Geetest
  • yanglbme/geetest-crack
  • https://github.com/topics/geetest

Firewall

• shorewall

Tools

• samuel-lucas6/Kryptor
• FiloSottile/age
  • file encryption tool
  • HN
• FiloSottile/yubikey-agent
• str4d/rage
  • 类似 age，但 rust 实现
  • 依然还不支持 ssh-agent
• woodruffw/kbs2
  • secret manager backed by age
• Ex0dIa-dev/ssh-honeypot-go
• sairson/Yasso
• geemion/Khepri
• carlospolop/PEASS-ng
  • PEASS - Privilege Escalation Awesome Scripts SUITE
• Repo
  • StackExchange/blackbox
  • git-secret
  • AGWA/git-crypt
    • GPLv3, C++
  • slok/agebox
    • Apache-2.0, Golang
    • 基于 age
    • .ageboxreg.yml
• pgp
  • encryption, signing services, key management, web-of-trust, smartcard compat

Reference

• scaredos/cfresearch research from CloudFlare's Anti-DDoS challenges.

Web

• jptosso/coraza-waf

AES

• 建议 Key 至少 256
• CBC/CTR/GCM/CCM/EAX
• 不要使用 ECB
• used by
  • US Government to protect their own files - FIPS 197

Block cipher mode

• https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation

ECB should not be used if encrypting more than one block of data with the same key.

CBC, OFB and CFB are similar, however OFB/CFB is better because you only need encryption and not decryption, which can save code space.

• CTR 并行效率高于 CBC/OFB/CFB
• https://stackoverflow.com/a/1220869/1870054
• https://stackoverflow.com/questions/1220751

Spam

• cobaltdisco/Google-Chinese-Results-Blocklist

Scan

• future-architect/vuls
  • GPLv3, Golang
  • Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
• robertdavidgraham/masscan
• projectdiscovery
  • nuclei
    • vulnerability scanner
    • nuclei-templates
  • subfinder
    • subdomain discovery
  • interactsh
    • OOB
  • naabu
    • port scanner
• aquasecurity/trivy
  • Apache-2.0, Go
  • Scanner for vulnerabilities in container images, file systems, and Git
• 服务
  • https://www.shodan.io/search?query=clickhouse
• ivre/ivre
  • GPLv3, Python
  • Network recon framework
  • https://ivre.rocks/
• https://www.arachni-scanner.com/
• https://ecsypno.com/
• https://github.com/Arachni
• https://github.com/qadron/
• https://github.com/ecsypno
• https://github.com/scnr/
• laramies/theHarvester
  • E-mails, subdomains and names Harvester - OSINT

---

• Nmap
  • 端口扫描 + 指纹探测 + 简单的漏洞扫描
• AWVS - Acunetix Web Vulnerability Scanner
  • Web 漏洞扫描
• AppScan
• Nessus
  • 系统安全漏洞扫描
• Goby
  • 资产探测和漏洞检查
• NetSparker
• Xray
  • 被动 Web 漏洞检查
• fscan
  • 内网渗透
• burpsuite
• msf sqlmap
• IAST
• https://ipchaxun.com/

参考

• wikipedia DAST
  • Dynamic application security testing
• Reverse Engineering Crypto Functions: AES
• klezVirus/vortex
  • VPN Overall Reconnaissance, Testing, Enumeration and Exploitation Toolkit