WirelessKeyView [Recover lost wireless network key]

WirelessKeyView recovers all wireless network security keys/passwords (WEP/WPA) stored on your computer by the 'Wireless Zero Configuration' service of Windows XP or by the 'WLAN AutoConfig' service of Windows Vista, Windows 7, Windows 8, and Windows Server 2008. It allows you to easily save all keys to a text/HTML/XML file, or copy a single key to the clipboard. You can also export your wireless keys into a file and import these keys into another computer.



[WAF-FLE v0.6.3] Web application firewall: fast log and event console

WAF-FLE is an open source console for ModSecurity. It allows the ModSecurity admin to view and search events sent by mlogc (the ModSecurity event log handler).


Features:
  • Central event console
  • Supports ModSecurity in “traditional” and “Anomaly Scoring” modes
  • Able to receive events sent from mlogc (in real time or in batch using mlogc-batch-load.pl)
  • No sensor number limit
  • Dashboard with recent events information
  • Drill down of events with filter
  • Almost every data item is “clickable” to drill down the filter
  • Inverted filter (to filter for “all but this item”)
  • Filter for network (in CIDR format, x.x.x.x/22)
  • Raw event download
  • Uses MySQL as the database
  • Open Source released under GPL v2


Charles [Web Debugging Proxy Application]

Charles is a web proxy (HTTP Proxy / HTTP Monitor) that runs on your own computer. Your web browser (or any other Internet application) is then configured to access the Internet through Charles, and Charles is then able to record and display for you all of the data that is sent and received.
In Web and Internet development you are unable to see what is being sent and received between your web browser / client and the server. Without this visibility it is difficult and time-consuming to determine exactly where the fault is. Charles makes it easy to see what is happening, so you can quickly diagnose and fix problems.


Charles makes debugging quick, reliable and advanced; saving you time and frustration!

Key Features

  • SSL Proxying – view SSL requests and responses in plain text
  • Bandwidth Throttling to simulate slower Internet connections including latency
  • AJAX debugging – view XML and JSON requests and responses as a tree or as text
  • AMF – view the contents of Flash Remoting / Flex Remoting messages as a tree
  • Repeat requests to test back-end changes
  • Edit requests to test different inputs
  • Breakpoints to intercept and edit requests or responses
  • Validate recorded HTML, CSS and RSS/Atom responses using the W3C validator


SecLists [Collection of multiple types of lists used during security assessments]

SecLists is a collection of multiple types of lists used during security assessments. List types include usernames, passwords, URLs, sensitive data grep strings, fuzzing payloads, and many more.
The goal is to enable a security tester to pull this repo onto a new testing box and have access to every type of list that may be needed.


If you have any ideas for things we should include, please send them to daniel.miessler@owasp.org or jason.haddix@owasp.org. Also note that any lists that have been meticulously assembled by someone else will only be used with permission of the creator.
This project is maintained by Daniel Miessler and Jason Haddix. 
Credits:
- Ron Bowes of SkullSecurity for collaborating and including all his lists here
- Clarkson University for their research that led to the Clarkson list
- All the authors listed in the XSS with context doc, which was found on pastebin and added to by us
- Ferruh Mavituna for the beginnings of the LFI Fuzz list
- Adam Muntner and  for the FuzzDB content, including all authors from the FuzzDB project
- Kevin Johnson for laudanum shells
- RSnake for fierce hostname list



[Suricata 1.4.2] Next Generation Intrusion Detection and Prevention Engine


The Suricata Engine is an Open Source Next Generation Intrusion Detection and Prevention Engine. This engine is not intended to just replace or emulate the existing tools in the industry, but will bring new ideas and technologies to the field.
OISF is part of and funded by the Department of Homeland Security's Directorate for Science and Technology HOST program (Homeland Open Security Technology), by the Navy's Space and Naval Warfare Systems Command (SPAWAR), as well as through the very generous support of the members of the OISF Consortium. More information about the Consortium is available, as well as a list of our current Consortium Members.


The Suricata Engine and the HTP Library are available to use under the GPLv2.
The HTP Library is an HTTP normalizer and parser written by Ivan Ristic of ModSecurity fame for the OISF. It integrates with Suricata and provides very advanced processing of HTTP streams. The HTP library is required by the engine, but may also be used independently in a range of applications and tools.

Improvements

  • No longer force "nocase" to be used on http_host
  • Invalidate rule if uppercase content is used for http_host w/o nocase
  • Warn user if bpf is used in af-packet IPS mode
  • Better test for available libjansson version

Fixes


  • Fixed accuracy issues with relative pcre matching (#784)
  • Improved accuracy of file_data keyword (#788)
  • Invalidate negative depth (#770)
  • Fix http host parsing for IPv6 addresses (#761)
  • Fix fast.log formatting issues (#773)
  • Fixed deadlock in flowvar set code for http buffers (#801)
  • Various signature ordering improvements
  • Minor stream engine fix


Hardanger [Web Application Penetration Testing Platform]

Hardanger is an Open Source web application penetration testing tool led by security researchers from SecurityWire. The project aims to bridge the gap between current open source web application testing tools commonly used in a Linux environment and bring the same level of tools to native Windows based platforms. Hardanger aims to deliver a user friendly experience for semi-automated web application penetration testing by building tools on top of the excellent Fiddler2 web debugger.


The project deliverable is a Fiddler2 (http://www.fiddler2.com) add-on DLL written in C# that is easily installed using a .msi installer; a standalone application is also available for users who do not want the integrated Fiddler2 experience. Hardanger has been architected so it can be easily expanded to add other functionality. The first version only includes a simple HTTP(S) GET and POST parameter fuzzer, but it has built a foundation where it is trivial to plug in additional fuzzers and detection engines as well as other features. Once server fuzzing is perfected and state of the art, this project will continue to add new features such as a web browser fuzzer, brute force tool, manual tampering, crawler, passive vulnerability detection, recon tools, etc.



Current Features
  • Native Windows feel via Windows Presentation Foundation
  • Can run as a Fiddler2 add-on or standalone
  • ClickOnce installer with automatic updates (standalone version)
  • Context tab allowing inspection of full HTTP requests
  • Server fuzzer tab to configure and launch the server fuzzer
  • Basic random fuzzer generates random strings of UTF8 characters of random lengths
  • Non HTTP 200 detection engine
  • Results window keeping track of successful detections
  • Ability to review requests/responses in the results details window



AndroRat [Remote Administration Tool for Android]

Androrat is a client/server application developed in Java for Android on the client side and in Java/Swing for the server.
The name Androrat is a mix of Android and RAT (Remote Access Tool).
It was developed by a team of 4 for a university project and was completed in one month. The goal of the application is to give remote control of the Android system and retrieve information from it.

Technical matters

  • The Android application is the client for the server, which receives all the connections.
  • The Android application runs as a service (not an activity) that is started during boot, so the user does not need to interact with the service (even though there is a debug activity that allows configuring the IP and the port to connect to).
  • The connection to the server can be triggered by an SMS or a call (this can be configured)

All the available functionalities are

  • Get contacts (and all their information)
  • Get call logs
  • Get all messages
  • Location by GPS/Network
  • Monitor received messages live
  • Monitor phone state live (call received, call sent, call missed..)
  • Take a picture from the camera
  • Stream sound from microphone (or other sources..)
  • Stream video (for activity based client only)
  • Show a toast
  • Send a text message
  • Place a call
  • Open a URL in the default browser
  • Vibrate the phone

Folders

The project contains the following folders:

  • doc: Will soon contain all the documentation about the project
  • Experiment: Contains an experimental version of the client built around an activity, which also allows video streaming
  • src/Androrat: Contains the source code of the client that should be put on the Android platform
  • src/AndroratServer: Contains the sources of the Java/Swing server that can be run on any platform
  • src/api: Contains all the different APIs used in the project (JMapViewer for the map, forms for Swing, and vlcj for video streaming)
  • src/InOut: Contains the code common to the client and the server, which is basically the protocol implementation


Copyright © 2013 Hacking Tools and Tech eBooks Collection and Blogger Templates - Anime OST.