Persistant shells from anywhere? Yes, please.

Have you ever wanted a persistant shell, easily spawnable, that connects from anywhere? Yes.

The Global Socket Tookit allows two users behind NAT/Firewall to establish a TCP connection with each other. Securely.
More on

Watch the video

Video 1: gs-netcat reverse login shell and EEElite-console
Video 2: Using gsocket to hijack OpenSSH
Video 3: Blitz files through firewalls


  • Uses the Global Socket Relay Network to connect TCP pipes
  • End-2-End encryption (using OpenSSL’s SRP / RFC 5054)
  • AES-256 & key exchange using 4096-bit Prime
  • No PKI required.
  • Perfect Forward Secrecy
  • TOR support (optional)

Abandon the thought of IP Addresses and Port Numbers. Instead start thinking that two programs should be able to communicate with each other as long as they know the same secret (rather than each other's IP Address and Port Number). The Global Socket library facilitates this: It locally derives temporary session keys and IDs and connects two programs through the Global Socket Relay Network (GSRN) regardless and independent of the local IP Address or geographical location. Once connected the library then negotiates a secure TLS connection(End-2-End). The secret never leaves your workstation. The GSRN sees only the encrypted traffic.

The GSRN is a free cloud service and is free to use by anyone.

The Global Socket Toolkit comes with a set of tools:

  • gsocket - Makes an existing program (behind firewall or NAT) accessible from anywhere in the world. It does so by analyzing the program and replacing the IP-Layer with its own Gsocket-Layer. A client connection to a hostname ending in ‘\.gsocket’* then gets automatically redirected (via the GSRN) to this program.
  • gs-netcat - Netcat on steroids. Turn gs-netcat into an AES-256 encrypted reverse backdoor via TOR (optional) with a true PTY/interactive command shell (gs-netcat -s MySecret -i), integrated file-transfer, spawn a Socks4/4a/5 proxy or forward TCP connections or give somebody temporary shell access.
  • gs-sftp - sftp server & client between two firewalled workstations (gs-sftp -s MySecret)
  • gs-mount - Access and mount a remote file system (gs-mount -s MySecret ~/mnt/warez)
  • blitz - Copy data from workstation to workstation (blitz -s MySecret /usr/share/*)
  • …many more examples and tools.


CTF tools!

This post contains most of the tools i´ve used/recommend using for doing CTFs and such.
This list is a collection from multiple lists mainly awesome-ctf and awesome-privilege-escalation.

Privilege escalation

Here is some of my personal favourites.


Escape restricted shells




  • AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically.
  • BeRoot: BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.
  • exploit-suggester: This tool reads the output of “showrev -p” on Solaris machines and outputs a list of exploits that you might want to try.
    is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as word writable files, misconfigurations, clear-text password and applicable
  • kernelpop: kernelpop is a framework for performing automated kernel vulnerability enumeration and exploitation.
  • LES: LES: Linux privilege escalation auditing tool
  • LinEnum: Scripted local Linux enumeration & privilege escalation checks
  • LinPEAS: Linux Privilege Escalation Awesome Script
  • Linux Exploit Suggester 2: Next-generation exploit suggester based on Linux_Exploit_Suggester
  • Linux_Exploit_Suggester: Linux Exploit Suggester; based on operating system release number.
  • linux-kernel-exploits
  • This script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as world writable files, misconfigurations, clear-text passwords and applicable exploits.
  • Linux Privilege Escalation Check Script: Originally forked from the (Mike Czumak), this script is intended to be executed locally on a Linux box to enumerate basic system info and search for common privilege escalation vectors such as word writable files, misconfigurations, clear-text password and applicable exploits.
  • linux-smart-enumeration: Linux enumeration tools for pentesting and CTFs
  • linux-soft-exploit-suggester: linux-soft-exploit-suggester finds exploits for all vulnerable software in a system helping with the privilege escalation.
  • PrivEsc: A collection of Windows, Linux and MySQL privilege escalation scripts and exploits.
  • pspy: unprivileged Linux process snooping
  • traitor: Automatically exploit low-hanging fruit to pop a root shell. Linux privilege escalation made easy!
  • unix-privesc-check: Shell script to check for simple privilege escalation vectors on Unix systems
  • Unix-Privilege-Escalation-Exploits-Pack: Exploits for getting local root on Linux, BSD, AIX, HP-UX, Solaris, RHEL, SUSE etc.
  • uptux: Specialized privilege escalation checks for Linux systems.

Find CVEs

  • active-cve-check: Checks a list of packages against the “active” (not yet patched) CVE’s as listed in the Ubuntu CVE Tracker.
  • Arch-Audit: A tool to check vulnerable packages in Arch Linux.
  • cve-check-tool: Original Automated CVE Checking Tool.
  • LPVS: Linux Package Vulnerability Scanner for CentOS and Ubuntu.





DLL Hijacking


Unquoted services with spaces



  • JAWS - Just Another Windows (Enum) Script: JAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so ‘should’ run on every Windows version since Windows 7.
  • juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
  • Potato: Potato Privilege Escalation on Windows 7, 8, 10, Server 2008, Server 2012.
  • PowerSploit: PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
  • PrivescCheck: Enumerate common Windows security misconfigurations which can be leveraged for privilege escalation and gather various information which might be useful for exploitation and/or post-exploitation, by itm4n
  • RoguePotato: Another Windows Local Privilege Escalation from Service Account to System by splinter_code/antonioCoco
  • RottenPotato: RottenPotato local privilege escalation from service account to SYSTEM. (No longer maintained)
  • RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
  • Seatbelt: Project that performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives.
  • SessionGopher: SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools.
  • Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities. (Deprecated)
  • SweetPotato: Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019 by CCob
  • Tater: Tater is a PowerShell implementation of the Hot Potato Windows Privilege Escalation exploit.
  • Watson: Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
  • WindowsEnum: A Powershell Privilege Escalation Enumeration Script.
  • Windows-Exploit-Suggester: This tool compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins. By AonCyberLabs
  • Windows Exploit Suggester - Next Generation (WES-NG): WES-NG is a tool based on the output of Windows’ systeminfo utility which provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities. Every Windows OS between Windows XP and Windows 10, including their Windows Server counterparts, is supported. By bitsadmin
  • windows-privesc-check: Standalone executable that runs on Windows systems. It tries to find misconfigurations that could allow local unprivileged users to escalate privileges to other users or to access local apps (e.g. databases).
  • winPEAS: Windows Privilege Escalation Awesome Scripts
  • WinPwnage: UAC bypass, Elevate, Persistence and Execution methods. The goal of this repo is to study the Windows penetration techniques.


Linux and Windows



  • CDK: CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency.
  • Deepce: Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE)
  • Dokcer-escape-tool: This tool will help identify if you’re in a Docker container and try some quick escape techniques to help assess the security of your containers.
  • PrivilegedDockerEscape: A bash script to create an interactive shell from a privileged docker container to the container host




  • Pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments. By RhinoSecurityLabs.



  • GCPBucketBrute: A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated. By RhinoSecurity.


Tools used for creating CTF challenges


Tools used for creating Forensics challenges


Projects that can be used to host a CTF

  • CTFd - Platform to host jeopardy style CTFs from ISISLab, NYU Tandon.
  • echoCTF.RED - Develop, deploy and maintain your own CTF infrastructure.
  • FBCTF - Platform to host Capture the Flag competitions from Facebook.
  • Haaukins- A Highly Accessible and Automated Virtualization Platform for Security Education.
  • HackTheArch - CTF scoring platform.
  • Mellivora - A CTF engine written in PHP.
  • MotherFucking-CTF - Badass lightweight plaform to host CTFs. No JS involved.
  • NightShade - A simple security CTF framework.
  • OpenCTF - CTF in a box. Minimal setup required.
  • PicoCTF - The platform used to run picoCTF. A great framework to host any CTF.
  • PyChallFactory - Small framework to create/manage/package jeopardy CTF challenges.
  • RootTheBox - A Game of Hackers (CTF Scoreboard & Game Manager).
  • Scorebot - Platform for CTFs by Legitbs (Defcon).
  • SecGen - Security Scenario Generator. Creates randomly vulnerable virtual machines.


Tools used to create stego challenges

Check solve section for steganography.


Tools used for creating Web challenges

JavaScript Obfustcators


Tools used for solving CTF challenges


Tools used for performing various kinds of attacks

  • Bettercap - Framework to perform MITM (Man in the Middle) attacks.
  • Yersinia - Attack various protocols on layer 2.


Tools used for solving Crypto challenges

  • CyberChef - Web app for analysing and decoding data.
  • FeatherDuster - An automated, modular cryptanalysis tool.
  • Hash Extender - A utility tool for performing hash length extension attacks.
  • padding-oracle-attacker - A CLI tool to execute padding oracle attacks.
  • PkCrack - A tool for Breaking PkZip-encryption.
  • QuipQuip - An online tool for breaking substitution ciphers or vigenere ciphers (without key).
  • RSACTFTool - A tool for recovering RSA private key with various attack.
  • RSATool - Generate private key with knowledge of p and q.
  • XORTool - A tool to analyze multi-byte xor cipher.


Tools used for various kind of bruteforcing (passwords etc.)

  • Hashcat - Password Cracker
  • Hydra - A parallelized login cracker which supports numerous protocols to attack
  • John The Jumbo - Community enhanced version of John the Ripper.
  • John The Ripper - Password Cracker.
  • Nozzlr - Nozzlr is a bruteforce framework, trully modular and script-friendly.
  • Ophcrack - Windows password cracker based on rainbow tables.
  • Patator - Patator is a multi-purpose brute-forcer, with a modular design.
  • Turbo Intruder - Burp Suite extension for sending large numbers of HTTP requests


Tools used for solving Exploits challenges

  • DLLInjector - Inject dlls in processes.
  • libformatstr - Simplify format string exploitation.
  • Metasploit - Penetration testing software.
  • one_gadget - A tool to find the one gadget execve('/bin/sh', NULL, NULL) call.
    • gem install one_gadget
  • Pwntools - CTF Framework for writing exploits.
  • Qira - QEMU Interactive Runtime Analyser.
  • ROP Gadget - Framework for ROP exploitation.
  • V0lt - Security CTF Toolkit.


Tools used for solving Forensics challenges

  • Aircrack-Ng - Crack 802.11 WEP and WPA-PSK keys.
    • apt-get install aircrack-ng
  • Audacity - Analyze sound files (mp3, m4a, whatever).
    • apt-get install audacity
  • Bkhive and Samdump2 - Dump SYSTEM and SAM files.
    • apt-get install samdump2 bkhive
  • CFF Explorer - PE Editor.
  • Creddump - Dump windows credentials.
  • DVCS Ripper - Rips web accessible (distributed) version control systems.
  • Exif Tool - Read, write and edit file metadata.
  • Extundelete - Used for recovering lost data from mountable images.
  • Fibratus - Tool for exploration and tracing of the Windows kernel.
  • Foremost - Extract particular kind of files using headers.
    • apt-get install foremost
  • Fsck.ext4 - Used to fix corrupt filesystems.
  • Malzilla - Malware hunting tool.
  • NetworkMiner - Network Forensic Analysis Tool.
  • PDF Streams Inflater - Find and extract zlib files compressed in PDF files.
  • Pngcheck - Verifies the integrity of PNG and dump all of the chunk-level information in human-readable form.
    • apt-get install pngcheck
  • ResourcesExtract - Extract various filetypes from exes.
  • Shellbags - Investigate NT_USER.dat files.
  • Snow - A Whitespace Steganography Tool.
  • USBRip - Simple CLI forensics tool for tracking USB device artifacts (history of USB events) on GNU/Linux.
  • Volatility - To investigate memory dumps.
  • Wireshark - Used to analyze pcap or pcapng files

Registry Viewers

  • OfflineRegistryView - Simple tool for Windows that allows you to read offline Registry files from external drive and view the desired Registry key in .reg file format.
  • Registry Viewer® - Used to view Windows registries.


Tools used for solving Networking challenges

  • Masscan - Mass IP port scanner, TCP port scanner.
  • Monit - A linux tool to check a host on the network (and other non-network activities).
  • Nipe - Nipe is a script to make Tor Network your default gateway.
  • Nmap - An open source utility for network discovery and security auditing.
  • Wireshark - Analyze the network dumps.
    • apt-get install wireshark
  • Zeek - An open-source network security monitor.
  • Zmap - An open-source network scanner.


Tools used for solving Reversing challenges

  • Androguard - Reverse engineer Android applications.
  • Angr - platform-agnostic binary analysis framework.
  • Apk2Gold - Yet another Android decompiler.
  • ApkTool - Android Decompiler.
  • Barf - Binary Analysis and Reverse engineering Framework.
  • Binary Ninja - Binary analysis framework.
  • BinUtils - Collection of binary tools.
  • BinWalk - Analyze, reverse engineer, and extract firmware images.
  • Boomerang - Decompile x86/SPARC/PowerPC/ST-20 binaries to C.
  • ctf_import – run basic functions from stripped binaries cross platform.
  • cwe_checker - cwe_checker finds vulnerable patterns in binary executables.
  • demovfuscator - A work-in-progress deobfuscator for movfuscated binaries.
  • Frida - Dynamic Code Injection.
  • GDB - The GNU project debugger.
  • GEF - GDB plugin.
  • Ghidra - Open Source suite of reverse engineering tools. Similar to IDA Pro.
  • Hopper - Reverse engineering tool (disassembler) for OSX and Linux.
  • IDA Pro - Most used Reversing software.
  • Jadx - Decompile Android files.
  • Java Decompilers - An online decompiler for Java and Android APKs.
  • Krakatau - Java decompiler and disassembler.
  • Objection - Runtime Mobile Exploration.
  • PEDA - GDB plugin (only python2.7).
  • Pin - A dynamic binary instrumentaion tool by Intel.
  • PINCE - GDB front-end/reverse engineering tool, focused on game-hacking and automation.
  • PinCTF - A tool which uses intel pin for Side Channel Analysis.
  • Plasma - An interactive disassembler for x86/ARM/MIPS which can generate indented pseudo-code with colored syntax.
  • Pwndbg - A GDB plugin that provides a suite of utilities to hack around GDB easily.
  • radare2 - A portable reversing framework.
  • Triton - Dynamic Binary Analysis (DBA) framework.
  • Uncompyle - Decompile Python 2.7 binaries (.pyc).
  • WinDbg - Windows debugger distributed by Microsoft.
  • Xocopy - Program that can copy executables with execute, but no read permission.
  • Z3 - A theorem prover from Microsoft Research.

JavaScript Deobfuscators

  • Detox - A Javascript malware analysis tool.
  • Revelo - Analyze obfuscated Javascript code.

SWF Analyzers

  • RABCDAsm - Collection of utilities including an ActionScript 3 assembler/disassembler.
  • Swftools - Collection of utilities to work with SWF files.
  • Xxxswf - A Python script for analyzing Flash files.


Various kind of useful services available around the internet

  • CSWSH - Cross-Site WebSocket Hijacking Tester.
  • Request Bin - Lets you inspect http requests to a particular url.


Tools used for solving Steganography challenges

  • AperiSolve - Aperi’Solve is a platform which performs layer analysis on image (open-source).
  • Convert - Convert images b/w formats and apply filters.
  • Exif - Shows EXIF information in JPEG files.
  • Exiftool - Read and write meta information in files.
  • Exiv2 - Image metadata manipulation tool.
  • Image Steganography - Embeds text and files in images with optional encryption. Easy-to-use UI.
  • Image Steganography Online - This is a client-side Javascript tool to steganographically hide images inside the lower “bits” of other images
  • ImageMagick - Tool for manipulating images.
  • Outguess - Universal steganographic tool.
  • Pngtools - For various analysis related to PNGs.
    • apt-get install pngtools
  • SmartDeblur - Used to deblur and fix defocused images.
  • Steganabara - Tool for stegano analysis written in Java.
  • SteganographyOnline - Online steganography encoder and decoder.
  • Stegbreak - Launches brute-force dictionary attacks on JPG image.
  • StegCracker - Steganography brute-force utility to uncover hidden data inside files.
  • stegextract - Detect hidden files and text in images.
  • Steghide - Hide data in various kind of images.
  • StegOnline - Conduct a wide range of image steganography operations, such as concealing/revealing files hidden within bits (open-source).
  • Stegsolve - Apply various steganography techniques to images.
  • Zsteg - PNG/BMP analysis.


Tools used for solving Web challenges

  • BurpSuite - A graphical tool to testing website security.
  • Commix - Automated All-in-One OS Command Injection and Exploitation Tool.
  • Hackbar - Firefox addon for easy web exploitation.
  • OWASP ZAP - Intercepting proxy to replay, debug, and fuzz HTTP requests and responses
  • Postman - Add on for chrome for debugging network requests.
  • Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning.
  • SQLMap - Automatic SQL injection and database takeover tool.
    pip install sqlmap
  • W3af - Web Application Attack and Audit Framework.
  • XSSer - Automated XSS testor.


Where to discover about CTF

Operating Systems

Penetration testing and security lab Operating Systems

Malware analysts and reverse-engineering

Starter Packs

Collections of installer scripts, useful tools

  • CTF Tools - Collection of setup scripts to install various security research tools.
  • LazyKali - A 2016 refresh of LazyKali which simplifies install of tools and configuration.


Tutorials to learn how to play CTFs


Always online CTFs

  • Backdoor - Security Platform by SDSLabs.
  • Crackmes - Reverse Engineering Challenges.
  • CryptoHack - Fun cryptography challenges.
  • echoCTF.RED - Online CTF with a variety of targets to attack.
  • Exploit Exercises - Variety of VMs to learn variety of computer security issues.
  • Exploit.Education - Variety of VMs to learn variety of computer security issues.
  • Gracker - Binary challenges having a slow learning curve, and write-ups for each level.
  • Hack The Box - Weekly CTFs for all types of security enthusiasts.
  • Hack This Site - Training ground for hackers.
  • Hacker101 - CTF from HackerOne
  • Hacking-Lab - Ethical hacking, computer network and security challenge platform.
  • Hone Your Ninja Skills - Web challenges starting from basic ones.
  • IO - Wargame for binary challenges.
  • Microcorruption - Embedded security CTF.
  • Over The Wire - Wargame maintained by OvertheWire Community.
  • PentesterLab - Variety of VM and online challenges (paid).
  • PicoCTF - All year round ctf game. Questions from the yearly picoCTF competition.
  • PWN Challenge - Binary Exploitation Wargame.
  • - Pwn Game.
  • - Binary wargame.
  • - Binary Exploitation Wargame.
  • - Reversing challenge.
  • Ringzer0Team - Ringzer0 Team Online CTF.
  • Root-Me - Hacking and Information Security learning platform.
  • ROP Wargames - ROP Wargames.
  • SANS HHC - Challenges with a holiday theme
    released annually and maintained by SANS.
  • SmashTheStack - A variety of wargames maintained by the SmashTheStack Community.
  • Viblo CTF - Various amazing CTF challenges, in many different categories. Has both Practice mode and Contest mode.
  • VulnHub - VM-based for practical in digital security, computer application & network administration.
  • W3Challs - A penetration testing training platform, which offers various computer challenges, in various categories.
  • WebHacking - Hacking challenges for web.

Self-hosted CTFs


Various general websites about and on CTF


Various Wikis available for learning about CTFs

Writeups Collections

Collections of CTF write-ups

  • 0e85dc6eaf - Write-ups for CTF challenges by 0e85dc6eaf
  • Captf - Dumped CTF challenges and materials by psifertex.
  • CTF write-ups (community) - CTF challenges + write-ups archive maintained by the community.
  • CTFTime Scrapper - Scraps all writeup from CTF Time and organize which to read first.
  • HackThisSite - CTF write-ups repo maintained by HackThisSite team.
  • Mzfr - CTF competition write-ups by mzfr
  • pwntools writeups - A collection of CTF write-ups all using pwntools.
  • SababaSec - A collection of CTF write-ups by the SababaSec team
  • Shell Storm - CTF challenge archive maintained by Jonathan Salwan.
  • Smoke Leet Everyday - CTF write-ups repo maintained by SmokeLeetEveryday team.

Forensics/Security tools!

This post contains most of the tools i´ve used/recommend using for doing analysing of IT-security related items and such.
This list is a collection from multiple lists mainly awesome-forensics and awesome-pcaptools.





  • dff - Forensic framework
  • dexter - Dexter is a forensics acquisition framework designed to be extensible and secure
  • IntelMQ - IntelMQ collects and processes security feeds
  • Kuiper - Digital Investigation Platform
  • Laika BOSS - Laika is an object scanner and intrusion detection system
  • PowerForensics - PowerForensics is a framework for live disk forensic analysis
  • :star: The Sleuth Kit - Tools for low level forensic analysis
  • turbinia - Turbinia is an open-source framework for deploying, managing, and running forensic workloads on cloud platforms
  • IPED - Indexador e Processador de Evidências Digitais - Brazilian Federal Police Tool for Forensic Investigations
  • Wombat Forensics - Forensic gui tool

Live Forensics

  • grr - GRR Rapid Response: remote live forensics for incident response
  • Linux Expl0rer - Easy-to-use live forensics toolbox for Linux endpoints written in Python & Flask
  • mig - Distributed & real time digital forensics at the speed of the cloud
  • osquery - SQL powered operating system analytics
  • UAC - UAC (Unix-like Artifacts Collector) is a Live Response collection tool for Incident Reponse that makes use of built-in tools to automate the collection of Unix-like systems artifacts. Supported systems: AIX, FreeBSD, Linux, macOS, NetBSD, Netscaler, OpenBSD and Solaris.


  • artifactcollector - A customizable agent to collect forensic artifacts on any Windows, macOS or Linux system
  • ArtifactExtractor - Extract common Windows artifacts from source images and VSCs
  • AVML - A portable volatile memory acquisition tool for Linux
  • Belkasoft RAM Capturer - Volatile Memory Acquisition Tool
  • DFIR ORC - Forensics artefact collection tool for systems running Microsoft Windows
  • FastIR Collector - Collect artifacts on windows
  • LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD
  • Velociraptor - Velociraptor is a tool for collecting host based state information using Velocidex Query Language (VQL) queries


  • dc3dd - Improved version of dd
  • dcfldd - Different improved version of dd (this version has some bugs!, another version is on github adulau/dcfldd)
  • FTK Imager - Free imageing tool for windows
  • Guymager - Open source version for disk imageing on linux systems


  • bstrings - Improved strings utility
  • bulk_extractor - Extracts information such as email addresses, creditcard numbers and histrograms from disk images
  • floss - Static analysis tool to automatically deobfuscate strings from malware binaries
  • :star: photorec - File carving tool
  • swap_digger - A bash script used to automate Linux swap analysis, automating swap extraction and searches for Linux user credentials, Web form credentials, Web form emails, etc.

Memory Forensics

  • - High speed memory analysis framework
    developed in .NET supports all Windows x64, includes code integrity and write support
  • KeeFarce - Extract KeePass passwords from memory
  • MemProcFS - An easy and convenient way of accessing physical memory as files a virtual file system.
  • Rekall - Memory Forensic Framework
  • volatility - The memory forensic framework
  • VolUtility - Web App for Volatility framework

Windows Artifacts

  • Beagle - Transform data sources and logs into graphs
  • FRED - Cross-platform microsoft registry hive editor
  • LogonTracer - Investigate malicious Windows logon by visualizing and analyzing Windows event log
  • python-evt - Pure Python parser for classic Windows Event Log files (.evt)
  • RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis.

NTFS/MFT Processing

OS X Forensics

Mobile Forensics

  • ALEAPP - An Android Logs Events and Protobuf Parser
  • ArtEx - Artifact Examiner for iOS Full File System extractions
  • iLEAPP - An iOS Logs, Events, And Plists Parser
  • MEAT - Perform different kinds of acquisitions on iOS devices

Docker Forensics

Internet Artifacts

  • chrome-url-dumper - Dump all local stored infromation collected by Chrome
  • hindsight - Internet history forensics for Google Chrome/Chromium
  • unfurl - Extract and visualize data from URLs

Timeline Analysis

  • DFTimewolf - Framework for orchestrating forensic collection, processing and data export using GRR and Rekall
  • :star: plaso - Extract timestamps from various files and aggregate them
  • Timeline Explorer - Timeline Analysis tool for CSV and Excel files. Built for SANS FOR508 students
  • timeliner - A rewrite of mactime, a bodyfile reader
  • timesketch - Collaborative forensic timeline analysis

Disk image handling

  • Disk Arbitrator - A Mac OS X forensic utility designed to help the user ensure correct forensic procedures are followed during imaging of a disk device
  • imagemounter - Command line utility and Python package to ease the (un)mounting of forensic disk images
  • libewf - Libewf is a library and some tools to access the Expert Witness Compression Format (EWF, E01)
  • PancakeViewer - Disk image viewer based in dfvfs, similar to the FTK Imager viewer
  • xmount - Convert between different disk image formats



  • dfirtrack - Digital Forensics and Incident Response Tracking application, track systems
  • Incidents - Web application for organizing non-trivial security investigations. Built on the idea that incidents are trees of tickets, where some tickets are leads

Picture Analysis

  • sherloq - An open-source digital photographic image forensic toolset

Learn Forensics




more at Recommended Readings by Andrew Case

File System Corpora


Linux commands

  • Bmon: (Bandwidth Monitor) is a tool similar to nload that shows the traffic load over all the network interfaces on the system. The output also consists of a graph and a section with packet level details. Screenshot

  • Bwm-ng: (Bandwidth Monitor Next Generation) is another very simple real time network load monitor that reports a summary of the speed at which data is being transferred in and out of all available network interfaces on the system. Screenshot

  • CBM: (Color Bandwidth Meter) A tiny little simple bandwidth monitor that displays the traffic volume through network interfaces. No further options, just the traffic stats are display and updated in realtime. Screenshot

  • Collectl: reports system statistics in a style that is similar to dstat, and like dstat it is gathers statistics about various different system resources like cpu, memory, network etc. Over here is a simple example of how to use it to report network usage/bandwidth. Screenshot

  • Dstat: is a versatile tool (written in python) that can monitor different system statistics and report them in a batch style mode or log the data to a csv or similar file. This example shows how to use dstat to report network bandwidth Screenshot

  • Ifstat: reports the network bandwidth in a batch style mode. The output is in a format that is easy to log and parse using other programs or utilities. Screenshot

  • Iftop: measures the data flowing through individual socket connections, and it works in a manner that is different from Nload. Iftop uses the pcap library to capture the packets moving in and out of the network adapter, and then sums up the size and count to find the total bandwidth under use. Although iftop reports the bandwidth used by individual connections, it cannot report the process name/id involved in the particular socket connection. But being based on the pcap library, iftop is able to filter the traffic and report bandwidth usage over selected host connections as specified by the filter. Screenshot

  • Iptraf: is an interactive and colorful IP Lan monitor. It shows individual connections and the amount of data flowing between the hosts. Screenshot

  • Jnettop: Jnettop is a traffic visualiser, which captures traffic going through the host it is running from and displays streams sorted by bandwidth they use. Screenshot

  • Nethogs: is a small ‘net top’ tool that shows the bandwidth used by individual processes and sorts the list putting the most intensive processes on top. In the event of a sudden bandwidth spike, quickly open nethogs and find the process responsible. Nethogs reports the PID, user and the path of the program. Screenshot

  • Netload: displays a small report on the current traffic load, and the total number of bytes transferred since the program start. No more features are there. Its part of the netdiag. Screenshot

  • Netwatch: is part of the netdiag collection of tools, and it too displays the connections between local host and other remote hosts, and the speed at which data is transferring on each connection. Screenshot

  • Nload: is a commandline tool that allows users to monitor the incoming and outgoing traffic separately. It also draws outa graph to indicate the same, the scale of which can be adjusted. Easy and simple to use, and does not support many options. Screenshot

  • Pktstat: displays all the active connections in real time, and the speed at which data is being transferred through them. It also displays the type of the connection, i.e. tcp or udp and also details about http requests if involved. Screenshot

  • Slurm: is ‘yet’ another network load monitor that shows device statistics along with an ascii graph. It supports 3 different styles of graphs each of which can be activated using the c, s and l keys. Simple in features, slurm does not display any further details about the network load. Screenshot

  • Speedometer: Another small and simple tool that just draws out good looking graphs of incoming and outgoing traffic through a given interface. Screenshot

  • Tcptrack: is similar to iftop, and uses the pcap library to capture packets and calculate various statistics like the bandwidth used in each connection. It also supports the standard pcap filters that can be used to monitor specific connections. Screenshot

  • Trafshow: reports the current active connections, their protocol and the data transfer speed on each connection. It can filter out connections using pcap type filters. Screenshot

  • Vnstat: is bit different from most of the other tools. It actually runs a background service/daemon and keeps recording the size of data transfer all the time. Next it can be used to generate a report of the history of network usage. Screenshot

Traffic Capture

  • Libpcap/Tcpdump: The official site of tcpdump, a powerful command-line packet analyzer; and libpcap, a portable C/C++ library for network traffic capture.

  • Ngrep: strives to provide most of GNU grep’s common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes TCP, UDP and ICMP across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands bpf filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.

  • clj-net-pcap: clj-net-pcap is a packet capturing library for Clojure. clj-net-pcap uses jNetPcap and adds convenience functionality around jNetPcap for easing the usability. A paper on clj-net-pcap was published in scope of COMPSACW 2014.

  • jNetPcap: jNetPcap is a packet capturing library for Java that is available for Linux and Windows. jNetPcap leverages libpcap respectively WinPcap and employs the Java Native Interface (JNI) for using the functionality provided by libpcap/WinPcap.

  • Moloch: Moloch is a open source large scale full PCAP capturing, indexing and database system.

  • n2disk (Commercial): A multi-Gigabit network traffic recorder with indexing capabilities. n2disk is a network traffic recorder application. With n2disk you can capture full- sized network packets at multi-Gigabit rate (above 10 Gigabit/s on adequate hardware) from a live network interface, and write them into files without any packet loss.

  • Netis Packet Agent: It is a remote data capture utility through GRE tunnel, which makes you easily capture packets from an NIC interface, encapsulate them with GRE and send them to a remote machine for monitoring and analysis.

  • OpenFPC: OpenFPC is a set of scripts that combine to provide a lightweight full-packet network traffic recorder & buffering tool. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log tools.

  • PF_RING: PF_RING is a new type of network socket that dramatically improves the packet capture speed. Available for Linux kernels 2.6.32 and newer. No need to patch the kernel. PF_RING-aware drivers for increased packet capture acceleration.

  • TTT: (Tele Traffic Tapper) is yet another descendant of tcpdump but it is capable of real-time, graphical, and remote traffic-monitoring. ttt won’t replace tcpdump, rather, it helps you find out what to look into with tcpdump. ttt monitors the network and automatically picks up the main contributors of the traffic within the time window. The graphs are updated every second by default.

  • Yaf: It’s a reliable piece of software, quite solid and able to generate flow records from pcap. This is very nice for indexing huge pcap or even doing packet capture. The recent version can even extract payloads and put in the flow records.

Traffic Analysis/Inspection

  • AIEngine: is a next generation interactive/programmable packet inspection engine with capabilities of learning without any human intervention, NIDS functionality, DNS domain classification, network collector and many others. AIEngine also helps network/security professionals to identify traffic and develop signatures for use them on NIDS, Firewalls, Traffic classifiers and so on.

  • Bro: is an open-source, Unix-based Network Intrusion Detection System (NIDS) that passively monitors network traffic and looks for suspicious activity. Bro detects intrusions by first parsing network traffic to extract its application- level semantics and then executing event-oriented analyzers that compare the activity with patterns deemed troublesome. Its analysis includes detection of specific attacks (including those defined by signatures, but also those defined in terms of events) and unusual activities (e.g., certain hosts connecting to certain services, or patterns of failed connection attempts).

  • CapAnalysis - CapAnalysis is a web visual tool for information security specialists, system administrators and everyone who needs to analyze large amounts of captured network traffic. A live web demo is available for testing.

  • CapTipper: Malicious HTTP traffic explorer

  • Chopshop: is a MITRE developed framework to aid analysts in the creation and execution of pynids based decoders and detectors of APT tradecraft.

  • CoralReef: is a software suite developed by CAIDA to analyze data collected by passive Internet traffic monitors. It provides a programming library libcoral, similar to libpcap with extensions for ATM and other network types, which is available from both C and Perl.

  • DPDK: is a set of libraries and drivers for fast packet processing. It was designed to run on any processors. The first supported CPU was Intel x86 and it is now extended to IBM Power 8, EZchip TILE-Gx and ARM. It runs mostly in Linux userland. A FreeBSD port is available for a subset of DPDK features.

  • DPKT: Python packet creation/parsing library.

  • ECap: (External Capture) is a distributed network sniffer with a web front- end. Ecap was written many years ago in 2005, but a post on the tcpdump-workers mailing list requested a similar application… so here it is. It would be fun to update it and work on it again if there’s any interest.

  • EtherApe: is a graphical network monitor for Unix modeled after etherman. Featuring link layer, ip and TCP modes, it displays network activity graphically. Hosts and links change in size with traffic. Color coded protocols display. It supports Ethernet, FDDI, Token Ring, ISDN, PPP and SLIP devices. It can filter traffic to be shown, and can read traffic from a file as well as live from the network.

  • HttpSniffer: A multi-threading tool to sniff TCP flow statistics and embedded HTTP headers from PCAP file. Each TCP flow carrying HTTP is exported to text file in JSON format.

  • Ipsumdump: summarizes TCP/IP dump files into a self-describing ASCII format easily readable by humans and programs. Ipsumdump can read packets from network interfaces, from tcpdump files, and from existing ipsumdump files. It will transparently uncompress tcpdump or ipsumdump files when necessary. It can randomly sample traffic, filter traffic based on its contents, anonymize IP addresses, and sort packets from multiple dumps by timestamp. Also, it can optionally create a tcpdump file containing actual packet data. It’s also convenient to work with CLICK as a inserted module.

  • ITA: The Internet Traffic Archive is a moderated repository to support widespread access to traces of Internet network traffic, sponsored by ACM SIGCOMM. The traces can be used to study network dynamics, usage characteristics, and growth patterns, as well as providing the grist for trace- driven simulations. The archive is also open to programs for reducing raw trace data to more manageable forms, for generating synthetic traces, and for analyzing traces.

  • Joy: joy is a traffic analysis and parsing tool that was developed. In part to assist in classifying encrypted traffic streams, such as HTTPS traffic. It is able to parse pcap files into usable json files that contain details on the capture statistics and features.

  • Libcrafter: is a high level library for C++ designed to make easier the creation and decoding of network packets. It is able to craft or decode packets of most common network protocols, send them on the wire, capture them and match requests and replies.

  • Libnet: is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality. Using libnet, quick and simple packet assembly applications can be whipped up with little effort.

  • Libnids: designed by Rafal Wojtczuk, is an implementation of an E-component of Network Intrusion Detection System. It emulates the IP stack of Linux 2.0.x. Libnids offers IP defragmentation, TCP stream assembly and TCP port scan detection. The most valuable feature of libnids is reliability. A number of tests were conducted, which proved that libnids predicts behaviour of protected Linux hosts as closely as possible.

  • Multitail: now has a colorscheme included for monitoring the tcpdump output. It can also filter, convert timestamps to timestrings and much more.

  • Netsniff-ng: Netsniff-ng is a toolkit of free Linux networking utilities, a Swiss army knife for your daily Linux network plumbing if you will.

  • NetDude: (NETwork DUmp data Displayer and Editor). From their webpage, “it is a GUI-based tool that allows you to make detailed changes to packets in tcpdump tracefiles.”

  • Network Expect: is a framework that allows to easily build tools that can interact with network traffic. Following a script, traffic can be injected into the network, and decisions can be taken, and acted upon, based on received network traffic. An interpreted language provides branching and high-level control structures to direct the interaction with the network. Network Expect uses libpcap for packet capture and libwireshark (from the Wireshark project) for packet dissection tasks. (GPL, BSD/Linux/OSX).

  • Ntop: Ntop is a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform and on Win32 as well.

  • Ntopng: Ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntop is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Win32 as well.

  • PacketQ: A tool that provides a basic SQL-frontend to PCAP-files. Outputs JSON, CSV and XML and includes a build-in webserver with JSON-api and a nice looking AJAX GUI.

  • Pcap2har: A program to convert .pcap network capture files to HTTP Archive files using library dpkt.

  • PcapPlusPlus: PcapPlusPlus a multiplatform C++ network sniffing and packet parsing and manipulation framework. It’s meant to be lightweight, efficient and easy to use. It’s a C++ wrapper for popular engines like libpcap, WinPcap, DPDK and PF_RING. It also contains parsing and edit capabilities for many protocols including Ethernet, IPv4, IPv6, ARP, VLAN, MPLS, PPPoE, GRE, TCP, UDP, ICMP, DNS as well as layer 7 protocols like HTTP and SSL/TLS

  • pkt2flow: A simple utility to classify packets into flows. It’s so simple that only one task is aimed to finish. For Deep Packet Inspection or flow classification, it’s so common to analyze the feature of one specific flow. I have make the attempt to use made-ready tools like tcpflows, tcpslice, tcpsplit, but all these tools try to either decrease the trace volume (under requirement) or resemble the packets into flow payloads (over requirement). I have not found a simple tool to classify the packets into flows without further processing.

  • potiron: Normalizes, indexes, enriches and visualizes network captures.

  • pyshark: A Python wrapper for tshark, allowing python packet parsing using wireshark dissectors. There are quite a few python packet parsing modules, this one is different because it doesn’t actually parse any packets, it simply uses tshark’s (wireshark command-line utility) ability to export XMLs to use its parsing.

  • Sanitize: Sanitize is a collection of five Bourne shell scripts for reducing tcpdump traces in order to address security and privacy concerns, by renumbering hosts and stripping out packet contents. Each script takes as input a tcpdump trace file and generates to stdout a reduced, ASCII file in fixed-column format.

  • Scapy: Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can’t handle, like sending invalid frames, injecting your own 802.11 frames, combining technics (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, …), etc.

  • Sniff: Makes output from the tcpdump program easier to read and parse.

  • Snort: Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, now owned by Cisco. Combining the benefits of signature, protocol and anomaly- based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and approximately 500,000 registered users, Snort has become the de facto standard for IPS.

  • Socket Sentry: Socket Sentry is a real-time network traffic monitor for KDE Plasma in the same spirit as tools like iftop and netstat.

  • Suricata: Suricata is a free and open source, mature, fast and robust network threat detection engine. The Suricata engine is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

  • TCP-Reduce: TCP-Reduce is a collection of Bourne shell scripts for reducing tcpdump traces to one-line summaries of each TCP connection present in the trace. The scripts look only at TCP SYN/FIN/RST packets. Connections without SYN packets in the trace (such as those on- going at the beginning of the trace) will not appear in the summary. Garbaged packets (those missing some of their contents) are reported to stderr as bogon’s and are discarded. Occasionally the script gets fooled by retransmissions with altered sequence numbers, and reports erroneous huge connection sizes - always check large connections (say 100 MB or more) for plausibility.

  • Tcpdpriv: Tcpdpriv is program for eliminating confidential information (user data and addresses) from packets collected on a network interface (or, from trace files created using the -w argument to tcpdump). Tcpdpriv removes the payload of TCP and UDP, and the entire IP payload for other protocols. It implements several address scrambling methods; the sequential numbering method and its variants, and a hash method with preserving address prefix.

  • Tcpflow: A program that captures data transmitted as part of TCP connections (flows), and stores the data in a way that is convenient for protocol analysis or debugging. A program like ‘tcpdump’ shows a summary of packets seen on the wire, but usually doesn’t store the data that’s actually being transmitted. In contrast, tcpflow reconstructs the actual data streams and stores each flow in a separate file for later analysis. Yet, optionally, it can isolate pcap flows per tcp flow for granularized inspection. Original link.

  • Tcplook: Tracelook is an Tcl/TK program for graphically viewing the contents of trace files created using the -w argument to tcpdump. Tracelook should look at all protocols, but presently only looks at TCP connections. The program is slow and uses system resources prodigiously.

  • Tcpreplay: Replays a pcap file on an interface using libnet.

  • Tcpslice: Tcpslice is a tool for extracting portions of packet trace files generated using tcpdump’s -w flag. It can combine multiple trace files, and/or extract portions of one or more traces based on time. From the tcpdump CVS server.

  • Tcpsplit: A tool to break a single libpcap packet trace into some number of sub- traces, breaking the trace along TCP connection boundaries so that a TCP connection doesn’t end up split across two sub-traces. This is useful for making large trace files tractable for in- depth analysis and for subsetting a trace for developing analysis on only part of a trace.

  • Tcpstat: Tcpstat reports certain network interface statistics much like vmstat does for system statistics. tcpstat gets its information by either monitoring a specific interface, or by reading previously saved tcpdump data from a file.

  • Tcptrace: A tool written by Shawn Ostermann at Ohio University, for analysis of TCP dump files. It can take as input the files produced by several popular packet- capture programs, including tcpdump, snoop, etherpeek, HP Net Metrix, and WinDump. tcptrace can produce several different types of output containing information on each connection seen, such as elapsed time, bytes and segments sent and received, retransmissions, round trip times, window advertisements, throughput, and more. It can also produce a number of graphs for further analysis.

  • TraceWrangler: TraceWrangler is a network capture file toolkit running on Windows (or on Linux, using WINE) that supports PCAP as well as the new PCAPng file format, which is now the standard file format used by Wireshark. The most prominent use case for TraceWrangler is the easy sanitization and anonymization of PCAP and PCAPng files (sometimes called “trace files”, “capture files” or “packet captures”), removing or replacing sensitive data while being easy to use.

  • Tstat: A passive sniffer able to provide several insight on the traffic patterns at both the network and transport levels with a tremendous set of flow features.

  • WAND: A wonderful collection of tools built on libtrace to process network traffic, which is from The University of Waikato. I love this project!

  • WinPcap: An extract of a message from Guy Harris on state of WinPcap and WinDump.

  • WireEdit: WireEdit is a free desktop WYSIWYG editor for network packets. It allows editing any stack layer as “rich text” without having any knowledge of packets syntax and encoding rules. The input and output file format is Pcap.

  • Wireshark suit: The well-known tool suit to support packet analyzer and protocol decoder. It also includes a few practical tools and scripts to support most of the common usage.

  • Xplot: The program xplot was written in the late 1980s to support the analysis of TCP packet traces.

  • yaraPcap: Process HTTP Pcaps With YARA

  • yaraprocessor: With yaraprocessor YARA can be run against individual packet payloads as well as a concatenation of some or all of the payloads. It was originally written for use in Chopshop, but can also be used without it.

DNS Utilities

  • dnsgram: dnsgram is a debugging tool for intermittent resolver failures. it takes one or more input PCAP files and generates statistics on 5 second segments allowing the study of intermittent resolver issues.

  • dnsreplay: Dnsreplay takes recorded questions and answers and replays them to the specified nameserver and reporting afterwards which percentage of answers matched, were worse or better. Then compares the answers and some other metrics with the actual ones with those found in the dumpfile.

  • dnsscan: dnsscan takes one or more INFILEs in PCAP format and generates a list of the number of queries per query type.

  • dnsscope: dnsscope takes an input PCAP and generates some simple statistics outputs these to console.

  • dnswasher: dnswasher takes an input file in PCAP format and writes out a PCAP file, while obfuscating end-user IP addresses. This is useful to share data with third parties while attempting to protect the privacy of your users.

File Extraction

  • Chaosreader: A freeware tool to trace TCP/UDP/… sessions and fetch application data from snoop or tcpdump logs. This is a type of “any-snarf” program, as it will fetch telnet sessions, FTP files, HTTP transfers (HTML, GIF, JPEG, …), SMTP emails, … from the captured data inside network traffic logs. A html index file is created that links to all the session details, including realtime replay programs for telnet, rlogin, IRC, X11 and VNC sessions; and reports such as image reports and HTTP GET/POST content reports.

  • Dsniff: Dsniff is a collection of tools for network auditing and penetration testing. dsniff, filesnarf, mailsnarf, msgsnarf, urlsnarf, and webspy passively monitor a network for interesting data (passwords, e-mail, files, etc.). arpspoof, dnsspoof, and macof facilitate the interception of network traffic normally unavailable to an attacker (e.g, due to layer-2 switching). sshmitm and webmitm implement active monkey-in-the-middle attacks against redirected SSH and HTTPS sessions by exploiting weak bindings in ad-hoc PKI.

  • Foremost: is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

  • Justniffer: Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all “intercepted” files from the HTTP traffic.

  • NetworkMiner: NetworkMiner is a Network Forensic Analysis Tool (NFAT) for Windows (but also works in Linux / Mac OS X / FreeBSD). NetworkMiner can be used as a passive network sniffer/packet capturing tool in order to detect operating systems, sessions, hostnames, open ports etc. without putting any traffic on the network. NetworkMiner can also parse PCAP files for off-line analysis and to regenerate/ reassemble transmitted files and certificates from PCAP files.

  • pcapfex - Packet CAPture Forensic Evidence eXtractor (pcapfex) is a tool that finds and extracts files from packet capture files. Its power lies in its ease of use. Just provide it a pcap file, and it will try to extract all of the files. It is an extensible platform, so additional file types to recognize and extract can be added easily.

  • scalpel: Scalpel is an open source data carving tool.

  • Snort: is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire, now owned by Cisco. Combining the benefits of signature, protocol and anomaly- based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

  • Tcpick: is a textmode sniffer libpcap-based that can track, reassemble and reorder tcp streams. Tcpick is able to save the captured flows in different files or displays them in the terminal, and so it is useful to sniff files that are transmitted via ftp or http. It can display all the stream on the terminal, when the connection is closed in different display modes like hexdump, hexdump + ascii, only printable characters, raw mode and so on.

  • Tcpxtract: is a tool for extracting files from network traffic based on file signatures. Extracting files based on file type headers and footers (sometimes called “carving”) is an age old data recovery technique.

  • Xplico: The goal of Xplico is extract from an internet traffic capture the applications data contained. For example, from a pcap file Xplico extracts each email (POP, IMAP, and SMTP protocols), all HTTP contents, each VoIP call (SIP), FTP, TFTP, and so on. Xplico isn’t a network protocol analyzer. Xplico is an open source Network Forensic An alysis Tool (NFAT). Xplico is released under the GNU General Public License and with some scripts under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported (CC BY-NC-SA 3.0) License.


Capture tools

  • usbmon - a subsystem of Linux kernel to capture usb packets.
  • USBPcap - a solution for Windows.


  • USBPcapOdinDumper - transforms .pcap files with usbmon and USBPcap frames format of captures from flashing an Android phone with Odin or Heimdall into a set of files with frames payload. Useful for reverse-engineering. Has a modular architecture easily transformable for other applications formats.
  • BPF for Ultrix: A distribution of BPF for Ultrix 4.2, with both source code and binary modules.

  • BPF+: Exploiting Global Data-flow Optimization in a Generalized Packet Filter Architecture By Andrew Begel, Steven McCanne, and Susan Graham.

  • FFT-FGN-C: is a program for synthesizing a type of self-similar process known as fractional Gaussian noise. The program is fast but approximate. Fractional Gaussian noise is only one type of self-similar process. When using this program for synthesizing network traffic, you must keep in mind that it may be that the traffic you seek is better modeled using one of the other processes.

  • Haka: An open source security oriented language which allows to describe protocols and apply security policies on (live) captured traffic. The scope of Haka language is twofold. First of all, it allows to write security rules in order to filter/alter/drop unwanted packets and log and report malicious activities. Second, Haka features a grammar enabling to specify network protocols and their underlying state machine.

  • RIPE-NCC Hadoop for PCAP: A Hadoop library to read packet capture (PCAP) files. Bundles the code used to read PCAPs. Can be used within MapReduce jobs to natively read PCAP files. Also features a Hive Serializer/Deserializer (SerDe) to query PCAPs using SQL like commands.

  • Traffic Data Repository at the WIDE Project: It becomes increasingly important for both network researchers and operators to know the trend of network traffic and to find anomaly in their network traffic. This paper describes an on-going effort within the WIDE project to collect a set of free tools to build a traffic data repository containing detailed information of our backbone traffic. Traffic traces are collected by tcpdump and, after removing privacy information, the traces are made open to the public. We review the issues on user privacy, and then, the tools used to build the WIDE traffic repository. We will report the current status and findings in the early stage of our IPv6 deployment.

  • Usenix93 Paper on BPF: The libpcap interface supports a filtering mechanism based on the architecture in the BSD packet filter. BPF is described in the 1993 Winter Usenix paper “The BSD Packet Filter: A New Architecture for User-level Packet Capture”.


Welcome to my small it security blog! This is the first post, not containing that much information.
Soon there will be more content….