~/hackyfeed
> cat /dev/github | grep security-tools
discovered 30 Mar 2026

Offensive-Resources

★ 1116 via github-topic
→ View on GitHub

AI Summary: Offensive-Resources V4 is a comprehensive repository designed for offensive security practitioners, providing an extensive collection of learning materials and labs across various cybersecurity domains. Its primary use case is to facilitate skill development in offensive security techniques, with notable features including a wide range of topics from exploit development to IoT and hardware hacking, structured resources for diverse platforms, and an open invitation for community contributions.

README

Offensive-Resources V4

((اللَّهُمَّ انْفَعْنِي بِمَا عَلَّمْتَنِي، وَعَلِّمْنِي مَا يَنْفَعُنِي، وَزِدْنِي عِلْمًا))

A Huge Learning Resources with Labs For Offensive Security Players.

EveryBody is welcome to pull requests and add new resources, fix false-positives and more. “Every update will be added to the website:.

Now You can visit the website and explore all the resources: https://offensive-resources.github.io/


image

What is new in V4 ?

new


Content




Infrastructure



Wireless



IoT & Hardware



ICS and SCADA



Exploit Development



Web Applications



Mobile Applications



API



Cloud

Reverse Engineering



Social Engineering



Offensive Programming



Blockchain



Car Hacking



Game Hacking



Source Code Review



Telecom



Malware Development



VOIP



RFID & SDR



ATM Hacking

A curated collection of resources covering ATM security research, penetration testing, malware analysis, and defensive strategies.

Courses

Labs

Blogs & Series

Presentations & Conferences

Videos

Tools & Frameworks

ADS-B Reception & Decoding:

ACARS Decoders:

SDR Hardware:

Aircraft Tracking Platforms:

Analysis & Research Tools:

Aviation Security Testing:

Notes

  • 2024-2025 Statistics: Cyberattacks on aviation increased by 74% since 2020; aviation industry experienced 24% increase in cyber attacks with 55 reported incidents in 2022
  • Global Threat Landscape: Aviation industry averages a “B” cybersecurity rating; organizations with B rating are 2.9x more likely to suffer data breaches than those with A rating
  • Major Incidents (2024-2025): Arab Civil Aviation Organization (ACAO) breach in February 2025; ICAO data breach with 42,000 documents exposed; Japan Airlines attack in December 2024 disrupting baggage services; Seattle-Tacoma Airport Rhysida ransomware attack in 2024
  • Breach Statistics: In global aviation systems, breaches caused by hacking or information leakage increased from 4% in 2010 to 81% in 2024
  • Attack Vectors: DDoS attacks represent 25% of cyber incidents targeting airlines and airports; GPS spoofing exploits weaknesses in aircraft navigation systems; malicious acts from hostile operators on ground or flight operations
  • ACARS Vulnerabilities: ACARS transmits at 131.550 MHz unencrypted; has no encryption (messages sent in plain sight), no authentication (receiver can’t verify sender), no integrity (no signature or hash)
  • ADS-B Security Issues: ADS-B broadcasts detailed aircraft information (position, velocity, identity) over unencrypted data links; susceptible to eavesdropping, spoofing, and injection attacks
  • ARINC 429 Protocol: Ubiquitous data bus for civil avionics lacks any form of encryption or authentication; inherently insecure communication protocol vulnerable to denial-of-service attacks
  • GPS Spoofing/Jamming: GPS jamming prevents receivers from locking onto satellite signals; spoofing broadcasts counterfeit signals causing false positioning; particularly affects conflict zones (Black Sea, Middle East)
  • Effects on Aircraft Systems: GPS spoofing can disable Inertial Reference System (IRS), cause failures in GPS Clock, Weather Radar, ADS-B, and Terrain Warning Systems; FMS can show aircraft more than 60nm off-track
  • Detection Indicators: GPS position suddenly 100+ nm from FMS position; abnormally low groundspeed readings; significant difference between GPS altitude and actual altitude
  • Notable Researchers: Hugo Teso (n.runs Professionals) demonstrated aircraft hacking via FMS computers and ACARS at HITB 2013; Chris Roberts (One World Labs) claimed IFE system hacks on 15-20 flights between 2011-2014
  • Industry Response: Boeing and Airbus state IFE systems are isolated from flight and navigation systems; third-party penetration testing allowed during aircraft development; grey-box testing mimics malicious passenger actions
  • DEF CON Aerospace Village: Annual gathering featuring drone hacking workshops, ADS-B receiver building using Raspberry Pi + RTL-SDR, aviation infrastructure cyber defense challenges, offensive space cybersecurity sessions
  • Lab Setup: Use RTL-SDR ($20-$30) with dump1090/PiAware for ADS-B reception; acarsdec/JAERO for ACARS decoding; GNU Radio for signal analysis; Raspberry Pi for portable tracking stations
  • Countermeasures: Signal strength monitoring, time-of-arrival analysis, cryptographic authentication, multiple satellite navigation systems for cross-verification, enhanced pilot training, backup navigation systems
  • Regulatory Bodies: FAA provides penetration testing training; ICAO offers cybersecurity leadership courses; EASA publishes aviation cybersecurity guidance; IATA provides industry-standard training programs
  • Research Institutions: Embry-Riddle’s Center for Aerospace Resilient Systems (CARS) researches AI/ML for aviation cybersecurity defense; SecurityScorecard conducts industry-wide cybersecurity assessments
  • Legal Warning: Unauthorized access to aircraft systems, jamming GPS signals, or interfering with aviation communications is illegal and dangerous. All research must be conducted in authorized lab environments with proper permissions
  • Testing Limitations: Conducting penetration tests on live aviation systems could impact operations and present safety risks; testing must use controlled environments with simulated systems
  • Ethical Considerations: Aviation security research should be conducted responsibly with coordinated disclosure to manufacturers and regulatory bodies; focus on defensive understanding and improving aviation safety
  • Hardware Requirements: RTL-SDR V3 or FlightAware dongles for VHF ACARS (blue dongles filtered for 1090 MHz ADS-B will not work on VHF-ACARS); appropriate antennas for 1090 MHz (ADS-B) and 131.550 MHz (ACARS)
  • Best Practices: Build receiving stations for passive monitoring only; never transmit on aviation frequencies; contribute data to open networks (FlightAware, ADS-B Exchange, OpenSky) for research purposes
  • Future Trends: AI integration in aviation cybersecurity defense; quantum-resistant cryptography for aviation communications; enhanced authentication protocols for ACARS/ADS-B replacement systems


AI Hacking

Books & Whitepapers

Courses

Labs

Blogs & Series

Darshan Naresh Naik Series:

Presentations & Conferences

Notes & Misc

Tools & Frameworks



DevSecOps

Books & Whitepapers

Books

Whitepapers

Courses

Labs

Blogs & Series

Presentations & Conferences

Tools & Frameworks

Static Application Security Testing (SAST)

  • SonarQube - Continuous code quality and security inspection
  • Checkmarx - Enterprise SAST platform
  • Veracode - Application security testing platform
  • Semgrep - Lightweight static analysis for many languages
  • Horusec - Open-source security analysis tool
  • Bandit - Security linter for Python

Dynamic Application Security Testing (DAST)

  • OWASP ZAP - Web application security scanner
  • Burp Suite - Web vulnerability scanner
  • Acunetix - Automated web application security testing
  • Nuclei - Fast vulnerability scanner
  • w3af - Web application attack and audit framework

Software Composition Analysis (SCA)

Container Security

  • Trivy - Comprehensive security scanner
  • Clair - Vulnerability static analysis for containers
  • Anchore - Container security and compliance platform
  • Falco - Cloud-native runtime security

Infrastructure as Code (IaC) Security

  • Checkov - Static code analysis for IaC
  • tfsec - Security scanner for Terraform
  • Terrascan - Static code analyzer for IaC
  • KICS - Find security vulnerabilities in IaC

Secrets Management

CI/CD Security & Orchestration

Security Orchestration & Vulnerability Management

  • DefectDojo - Security vulnerability management
  • Archery - Vulnerability assessment and management
  • Faraday - Multiuser penetration test IDE
  • OpenVAS - Full-featured vulnerability scanner

Policy as Code & Compliance

API Security

Monitoring & Observability

  • Prometheus - Monitoring and alerting toolkit
  • Grafana - Observability platform
  • ELK Stack - Elasticsearch, Logstash, Kibana
  • Splunk - Security information and event management

Notes

Misc (GitHub Repos, Videos, Reports)

GitHub Repos

Videos & Podcasts

Reports & Industry Resources



Linux Exploit Development

Books & Whitepapers

Courses

Labs & Tools

Debugging & Analysis Tools:

Exploitation Frameworks & Resource Collections:

Practice & CTF Resources:

Blogs & Series

Presentations & Conferences

Videos

Notes

  • Primary Architectures: x86 (32-bit), x86-64 (64-bit), ARM, MIPS, RISC-V
  • Exploitation Techniques: Stack overflow, heap overflow, use-after-free, double-free, format string, integer overflow, race conditions, ROP chains, ret2libc, ret2plt, SROP (Sigreturn-Oriented Programming)
  • Kernel Exploitation: Privilege escalation, SMEP/SMAP bypass, page spray, elastic objects, heap feng shui, kernel ROP, race conditions (TOCTOU), arbitrary read/write primitives
  • 2024-2025 Critical CVEs: CVE-2024-1086 (netfilter UAF - actively exploited in ransomware, CISA KEV), CVE-2024-53141 (IP sets bitmap privilege escalation), CVE-2025-21756 (“Attack of the Vsock”), CVE-2025-38727 (Netlink interface)
  • Exploit Mitigations: NX/DEP (No-Execute), ASLR (Address Space Layout Randomization), PIE (Position Independent Executable), RELRO (Relocation Read-Only), stack canaries, FORTIFY_SOURCE, SMEP (Supervisor Mode Execution Prevention), SMAP (Supervisor Mode Access Prevention), KASLR (Kernel ASLR)
  • Mitigation Bypass Techniques: ROP chains for DEP bypass, information leaks for ASLR bypass, partial RELRO exploitation, GOT/PLT overwrite, stack pivoting, heap spray, brute forcing (partial ASLR)
  • Memory Allocators: glibc malloc/ptmalloc2, tcache, fastbins, unsorted bins, small bins, large bins; kernel allocators: SLUB, SLAB, SLOB, buddy allocator
  • Common Bug Classes: Buffer overflow (stack/heap), use-after-free (UAF), double-free, type confusion, integer overflow/underflow, uninitialized memory, race conditions, format string vulnerabilities
  • Stack Exploitation: Buffer overflow to overwrite return address, stack canary bypass, frame pointer overwrite, saved instruction pointer corruption, shellcode injection (when DEP disabled)
  • Heap Exploitation: Fastbin attack, tcache poisoning, unsorted bin attack, house of force, house of spirit, overlapping chunks, chunk consolidation abuse, heap spray
  • ROP Techniques: ret2libc (return to libc functions), ret2plt (return to PLT), ret2syscall, SROP (sigreturn-oriented programming), JOP (jump-oriented programming), stack pivoting for ROP chains
  • Kernel Specific: Credential struct overwrite, modprobe_path overwrite, commit_creds + prepare_kernel_cred combo, pipe spray, msg_msg spray, seq_operations exploitation, userfaultfd for race condition exploitation
  • Information Leaks: Stack/heap leaks via format strings, partial overwrites, uninitialized memory disclosure, /proc filesystem leaks, timing side-channels, speculative execution vulnerabilities
  • Shellcode Development: x86/x64 assembly, syscall invocation, null-byte avoidance, alphanumeric shellcode, polymorphic shellcode, egg hunters, staged payloads, reverse shells, bind shells
  • SLAE Certification: SecurityTube Linux Assembly Expert focuses on x86 (32-bit) and x86-64 (64-bit) assembly, shellcoding techniques, encoder/decoder development, custom shellcode creation, exam requires 7 assignments + blog writeups
  • Development Tools: GCC, NASM/YASM assemblers, objdump, readelf, strace, ltrace, checksec, seccomp-tools, qemu for kernel debugging, GDB with Python scripting
  • GDB Extensions Comparison: Pwndbg (best for exploit dev, pwntools integration, Python 3), GEF (multi-arch support, rich features, Python 3), PEDA (legacy x86 only, Python 2)
  • Pwntools Features: Process/remote interaction, ROP chain building, shellcode assembly, ELF parsing, format string exploitation helpers, cyclic pattern generation, integer packing/unpacking
  • Lab Setup: Isolated VM environment (Ubuntu/Kali), kernel source compilation for debugging, QEMU for kernel exploitation, Docker containers for controlled testing, disable ASLR for initial learning
  • CTF Platforms: pwn.college, Nightmare, Exploit Education (Phoenix, Protostar, Fusion), ROP Emporium, picoCTF, HTB (Hack The Box), pwnable.kr, pwnable.tw
  • Debugging Workflow: GDB with pwndbg/GEF, attach to process, set breakpoints, examine registers/memory, single-step through execution, analyze crash dumps, automate with pwntools
  • Kernel Debugging: QEMU with GDB stub, /proc/kallsyms for symbol resolution, dmesg for kernel logs, ftrace for tracing, SystemTap/eBPF for dynamic instrumentation
  • CISA KEV Catalog: 7 Linux kernel vulnerabilities added to Known Exploited Vulnerabilities in 2025, primarily netfilter subsystem flaws, require immediate patching for government systems
  • Exploitation Trends 2025: 159 CVEs exploited in Q1 2025, focus on kernel netfilter/network stack, device driver vulnerabilities, local privilege escalation chains, ransomware using kernel exploits
  • Legal Warning: Unauthorized exploitation is illegal. All research must be conducted in authorized lab environments, on systems you own, or with explicit permission
  • Responsible Disclosure: Report vulnerabilities to vendors (kernel.org security team, distro security teams), coordinate disclosure timelines (typically 90 days), never weaponize exploits for unauthorized use
  • Best Practices: Start with basic stack overflows before moving to kernel, understand assembly and C deeply, practice on CTF challenges, read exploit writeups, study CVE patches, contribute to security community
  • Career Paths: Penetration tester, exploit developer, vulnerability researcher, security engineer, red team operator, CTF competitor, bug bounty hunter, security consultant
  • Certifications: OSCP (Offensive Security Certified Professional), OSCE (Offensive Security Certified Expert), SLAE/SLAE64, CEDP (Certified Exploit Development Professional), GXPN (GIAC Exploit Researcher and Advanced Penetration Tester)
  • Research Institutions: Google Project Zero, Linux Kernel Security Team, university research labs (Georgia Tech, MIT, UC Berkeley), commercial security firms (CrowdStrike, Trend Micro ZDI)
  • Key Researchers: PaX Team (grsecurity), Spender, Jon Oberheide, Dan Rosenberg, Brad Spengler, Andrey Konovalov (xairy), Will Drewry, Kees Cook
  • Future Trends: Increased adoption of memory-safe languages (Rust in kernel), hardware-based security (Intel CET, ARM PAC/BTI), eBPF security hardening, confidential computing, automated exploit generation


Windows Exploit Development

Books & Whitepapers

Courses

Labs & Tools

Debuggers & Analysis Tools:

Exploitation Tools & Plugins:

Resource Collections:

Practice Environments:

Blogs & Series

Presentations & Conferences

Videos

Notes

  • Primary Architectures: x86 (32-bit), x86-64 (64-bit), ARM64 (Windows on ARM)
  • 2025 Actively Exploited Zero-Days: CVE-2025-62215 (kernel race condition), CVE-2025-24990 (Agere modem driver - affects all Windows versions), CVE-2025-59230 (RasMan), CVE-2025-29824 (CLFS driver), CVE-2025-32701 (CLFS UAF), CVE-2025-21293 (Active Directory)
  • 2024 Zero-Days: CVE-2024-21302 (Secure Kernel Mode), multiple CLFS vulnerabilities, kernel privilege escalation flaws
  • Exploitation Techniques: Stack overflow, heap overflow, use-after-free, double-free, type confusion, integer overflow, SEH overwrite, ROP chains, ret2libc, heap spray, pool spray, arbitrary read/write primitives
  • Kernel Exploitation: Token stealing, EPROCESS manipulation, pool overflow, arbitrary kernel write, PTE manipulation, kernel ROP, SMEP/SMAP bypass, arbitrary kernel read for KASLR bypass
  • Exploit Mitigations: DEP/NX (Data Execution Prevention), ASLR (Address Space Layout Randomization), CFG (Control Flow Guard), ACG (Arbitrary Code Guard), SEHOP (SEH Overwrite Protection), stack cookies/canaries, SafeSEH, KASLR (Kernel ASLR), SMEP (Supervisor Mode Execution Prevention), SMAP (Supervisor Mode Access Prevention)
  • Mitigation Bypass Techniques: ROP chains for DEP bypass, information leaks for ASLR bypass, partial overwrite techniques, heap spray to defeat ASLR, VirtualAlloc/VirtualProtect ROP chains, WriteProcessMemory exploitation, return to non-ASLR modules
  • Memory Allocators: NT Heap (default through Windows 7/8), Segment Heap (Windows 10+ default for modern apps), Low Fragmentation Heap (LFH), Frontend allocators (LFH, Variable Size), Backend allocator
  • Common Bug Classes: Buffer overflow (stack/heap), use-after-free (UAF), pool corruption, type confusion, integer overflow/underflow, uninitialized memory, race conditions (TOCTOU), arbitrary pointer dereference
  • Stack Exploitation: Buffer overflow to overwrite return address, SEH overwrite (Structured Exception Handler), stack cookie bypass, frame pointer overwrite, saved instruction pointer corruption
  • Heap Exploitation: LFH exploitation (deterministic chunk locations), heap overflow, chunk coalescing, freelist manipulation, heap spray, heap feng shui, pool overflow (kernel), lookaside list exploitation
  • SEH Exploitation: SEH chain overwrite, SafeSEH bypass, SEHOP bypass, pop/pop/ret gadgets, exception handler registration record corruption
  • ROP Techniques: VirtualAlloc ROP chain (make memory executable), VirtualProtect ROP chain, WriteProcessMemory abuse, return to ZwProtectVirtualMemory, stack pivoting, JOP (jump-oriented programming)
  • Kernel Specific: Token swapping (PsInitialSystemProcess), EPROCESS credential manipulation, HAL dispatch table overwrite (legacy), HalDispatchTable + 0x4 pointer swap, arbitrary kernel write exploitation, PTE manipulation for arbitrary R/W
  • Information Leaks: Stack/heap leaks, kernel pool leaks via NtQuerySystemInformation, partial pointer overwrites, timing side-channels, speculative execution vulnerabilities (Spectre variants)
  • Shellcode Development: x86/x64 assembly, Windows API calls, PEB/TEB walking, null-byte avoidance, alphanumeric shellcode, position-independent code (PIC), egg hunters, staged payloads, reverse shells via Winsock
  • OSED Certification: Windows User Mode Exploit Development (EXP-301) covers reverse engineering, DEP/ASLR bypass, custom ROP chains, SEH exploitation, egghunters, format string vulnerabilities, 48-hour hands-on exam
  • OSEE Certification: Advanced Windows Exploitation (EXP-401) covers kernel debugging, pool exploitation, arbitrary kernel write, KASLR bypass, modern mitigation bypasses, 72-hour hands-on exam
  • Development Tools: Visual Studio, WinDbg/WinDbg Preview (kernel debugging), IDA Pro/Ghidra (disassembly), x64dbg/Immunity Debugger (usermode debugging), Mona plugin (ROP gadget finding), Process Monitor/Process Explorer
  • WinDbg Extensions: Mona for WinDbg, !exploit commands, MEX (Microsoft Exchange Server Extension), CMKD (Common Memory and Kernel Debugger), pykd (Python extension)
  • Mona Plugin Features: Pattern create/offset, ROP gadget finder, SEH chain viewer, module information, bad character detection, compare functionality, exploit suggestion engine
  • Lab Setup: Windows VMs (Windows 7, 10, 11), Visual Studio for compiling vulnerable apps, WinDbg for debugging, IDA for reverse engineering, disable mitigations for learning (bcdedit commands)
  • Kernel Debugging Setup: Two-VM setup (debugger + debuggee), configure boot options with bcdedit, network/serial/USB debugging, symbol server configuration (msdl.microsoft.com/download/symbols)
  • CTF & Practice: Exploit Exercises, VulnHub Windows VMs, Protostar (Windows version), RPISEC MBE, HackTheBox Windows challenges, Pentester Academy labs
  • CISA KEV Catalog: Multiple Windows kernel vulnerabilities added to Known Exploited Vulnerabilities in 2025, primarily CLFS and RasMan flaws, require immediate patching for federal systems
  • Exploitation Trends 2025: Shift to kernel exploits as usermode mitigations strengthen, CLFS driver as major attack surface, ransomware leveraging privilege escalation exploits, increased focus on authentication bypass
  • Legal Warning: Unauthorized exploitation is illegal. All research must be conducted in authorized lab environments, on systems you own, or with explicit permission
  • Responsible Disclosure: Report to Microsoft Security Response Center (MSRC), coordinate disclosure timelines (typically 90 days with Microsoft), participate in bug bounty programs, never weaponize for malicious use
  • Bug Bounty Programs: Microsoft Bug Bounty (up to $250K+), ZDI (Pwn2Own competitions), HackerOne programs, rewards for critical vulnerabilities, bonus for exploit chains
  • Best Practices: Start with basic stack overflows on Windows 7, progress to modern Windows 10/11, understand x86/x64 assembly deeply, practice reversing Microsoft patches, study public CVE exploits, contribute to security community
  • Career Paths: Exploit developer, vulnerability researcher, red team operator, penetration tester, security engineer, reverse engineer, malware analyst, offensive security specialist
  • Certifications: OSED (OffSec Exploit Developer), OSEE (OffSec Exploitation Expert), GXPN (GIAC Exploit Researcher), OSCE³ (combines OSED + OSEP + OSWE)
  • Research Institutions: Microsoft Security Response Center (MSRC), Google Project Zero, Zero Day Initiative (ZDI), CERT/CC, security firms (NCC Group, Rapid7, Qualys)
  • Key Researchers: Alex Ionescu, Mateusz “j00ru” Jurczyk, Tarjei Mandt, Nikita Tarakanov, Connor McGarr, Corelan Team (Peter Van Eeckhoutte)
  • Future Trends: Increased CET (Control-flow Enforcement Technology) adoption, hardware-based security (Intel CET, VBS), kernel-mode CFG, memory tagging (ARM MTE), automated exploit generation, ML-based exploit detection


Android Exploit Development

Books & Whitepapers

Courses

Labs & Tools

GitHub Resource Collections:

Kernel Exploits:

Testing & Analysis Tools:

Blogs & Series

Presentations & Conferences

Videos

Notes

  1. Android Kernel Exploitation

    • Based on Linux kernel with Android-specific patches (Binder IPC, ashmem, ion allocator)
    • Common targets: Binder driver, GPU drivers (Qualcomm Adreno, ARM Mali), Wi-Fi drivers, USB drivers
    • Modern mitigations: SELinux, seccomp-bpf, PAN emulation, CFI, SCS, MTE (Android 11+)
    • Exploitation techniques: Heap spray, use-after-free, race conditions, arbitrary read/write primitives
    • Tools: QEMU, Android Studio Emulator, Corellium, KGDB/KDB, addr2line, crash utility

  2. Android Framework Exploitation

    • Exploiting System Server, Zygote, ActivityManager, PackageManager
    • Intent redirection, permission bypass, sandbox escapes
    • Common vectors: exported components, custom URI handlers, WebView vulnerabilities
    • 2024 Trend: CVE-2024-43093 actively exploited framework privilege escalation

  3. Binder IPC Exploitation

    • Binder is Android’s primary inter-process communication mechanism
    • Attack surface: use-after-free in transaction handling, type confusion, race conditions
    • Notable exploits: Bad Binder (CVE-2019-2215), Stagefright vulnerabilities
    • Exploitation challenges: ASLR, seccomp filtering, SELinux policy enforcement

  4. Qualcomm/MediaTek Driver Exploitation

    • Qualcomm Snapdragon chips dominate Android market (60%+ devices)
    • Common targets: Adreno GPU driver, WLAN (Wi-Fi) driver, DSP (audio/camera) firmware
    • Notable research: QualpWN (Tencent Blade Team), Achilles (Check Point Research)
    • MediaTek vulnerabilities: GPU/display driver bugs, Mali GPU exploits
    • 2024 Trend: CVE-2024-29745 Qualcomm GPU RCE

  5. Android Application Exploitation

    • Smali/Dalvik bytecode analysis and patching
    • Native library exploitation (JNI vulnerabilities)
    • WebView exploits (JavaScript bridge attacks, universal XSS)
    • Common vulnerabilities: insecure data storage, weak crypto, exported activities/services, deep link hijacking
    • Tools: APKTool, JADX, Frida, Objection, Drozer

  6. Rooting & Persistence

    • Exploiting kernel vulnerabilities for privilege escalation
    • Magisk: systemless root framework, hiding root from detection
    • SafetyNet/Play Integrity API bypass techniques
    • Boot image modification, SELinux policy patching
    • Modern challenges: Verified Boot, dm-verity, Android Hardware Attestation

  7. Trusted Execution Environment (TEE) Exploitation

    • Qualcomm QSEE (Secure Execution Environment)
    • Samsung Knox & Trustzone
    • ARM TrustZone exploitation
    • Attack vectors: SMC (Secure Monitor Call) vulnerabilities, TA (Trusted Application) bugs
    • Research: Gal Beniamini’s Qualcomm TrustZone exploits

  8. Baseband Processor Exploitation

    • Baseband is the modem firmware running on a separate ARM processor
    • Qualcomm baseband (Hexagon DSP architecture)
    • Attack surface: LTE/5G protocol stack, SMS/MMS handling, VoLTE
    • Research: Ralf-Philipp Weinmann’s baseband research, Project Zero’s Titan M analysis
    • Remote exploitation potential (over-the-air attacks)

  9. Android Fuzzing & Vulnerability Discovery

    • Syzkaller for kernel fuzzing (Google’s coverage-guided fuzzer)
    • libFuzzer for native library fuzzing
    • AFL++ for Android native code
    • Drozer for Android application fuzzing
    • Media codec fuzzing (Stagefright bugs in libstagefright)

  10. Notable Android Exploits & Campaigns

    • Dirty Pipe (CVE-2022-0847): Linux/Android kernel privilege escalation affecting Android 12
    • Bad Binder (CVE-2019-2215): In-the-wild Android kernel exploit used by NSO Group
    • Stagefright (CVE-2015-1538): Remote code execution via MMS (900M+ devices affected)
    • QualpWN: Qualcomm WLAN driver vulnerability chain (Tencent 2019)
    • Pegasus for Android: NSO Group’s zero-click exploitation chain
    • CVE-2025-0989 (2025): Android kernel use-after-free, critical privilege escalation
    • CVE-2024-43093 (2024): Framework privilege escalation, actively exploited in the wild

  11. Android Security Mitigations

    • SELinux (Enforcing Mode): Mandatory Access Control for app sandboxing
    • seccomp-bpf: System call filtering to reduce kernel attack surface
    • ASLR/PIE: Address Space Layout Randomization for kernel & userspace
    • CFI (Control Flow Integrity): Forward-edge protection in kernel (Android 9+)
    • SCS (Shadow Call Stack): Backward-edge protection, return address protection (Android 11+)
    • MTE (Memory Tagging Extension): Hardware memory safety on ARM v8.5+ (Android 11+, Pixel 8+)
    • PAN Emulation: Kernel cannot access userspace memory directly
    • Verified Boot: Cryptographic boot chain validation
    • Hardware-Backed Keystore: Secure key storage in TEE/Secure Element

  12. Legal & Ethical Considerations

    • Android security research is legal when conducted on your own devices
    • Google Vulnerability Reward Program (VRP) offers bounties up to $1.5M for exploits
    • Qualcomm, Samsung, and other vendors have bug bounty programs
    • Always obtain proper authorization before testing devices you don’t own
    • Responsible disclosure through vendor security teams or coordinated disclosure platforms
    • Never use exploits for unauthorized access, stalkerware, or malicious purposes

  13. 2024-2025 Android Exploitation Trends

    • Increased focus on baseband processor exploitation (5G attack surface)
    • MTE bypass research on newer Pixel/Samsung devices
    • TEE/TrustZone exploitation for full device compromise
    • Qualcomm GPU driver vulnerabilities remain prevalent
    • Rise in zero-click exploits targeting media codecs and messaging apps
    • Android 14-15 hardening: restricted settings, runtime permissions enhancements
    • CVE-2025-0989 and CVE-2024-43093: Actively exploited kernel & framework bugs
    • Exploitation difficulty increasing due to CFI, SCS, MTE on flagship devices
    • Growing interest in MediaTek chipset vulnerabilities (budget device market)


iOS Exploit Development

Books & Whitepapers

Courses

Labs & Tools

GitHub Resource Collections:

Jailbreak Tools & Exploits:

Testing & Analysis Tools:

Blogs & Series

Presentations & Conferences

Videos

Notes

  1. iOS Kernel (XNU) Exploitation

    • XNU is a hybrid kernel (Mach microkernel + BSD components)
    • Common targets: IOKit drivers, network stack, file systems
    • Modern mitigations: KASLR, kernel PAC (KPAC), zone_require, PPL
    • Exploitation techniques: Heap feng shui, OOL (out-of-line) ports, memory corruption
    • Tools: lldb with KDK (Kernel Debug Kit), IDA Pro, Ghidra, jtool2

  2. WebKit & Safari Exploitation

    • JavaScriptCore (JSC) engine vulnerabilities
    • Type confusion, use-after-free in JIT compiler
    • Sandbox escape from WebContent process
    • Common attack vectors: Pwn2Own exploits, in-the-wild zero-days
    • 2025 Trend: CVE-2025-24200 actively exploited zero-day in Safari

  3. iOS Sandbox Escapes

    • App Sandbox, WebContent Sandbox, BlastDoor (iMessage sandbox)
    • Common escape vectors: XPC service vulnerabilities, file access bugs, IOKit drivers
    • Notable: CVE-2024-44309 (AccessibilityD sandbox escape)
    • Tools: Frida, Objection, SBTool for sandbox analysis

  4. Jailbreak Development

    • Untethered vs. semi-tethered vs. tethered jailbreaks
    • Bootrom exploits: checkm8 (unfixable hardware vulnerability in A5-A11 chips)
    • Kernel exploits: unc0ver, Taurine, Chimera jailbreaks
    • PAC bypass techniques for A12+ devices
    • Persistence mechanisms and kernel patch protection bypasses

  5. iOS Application Exploitation

    • Objective-C/Swift runtime manipulation
    • Method swizzling, class injection
    • Binary patching and code signing bypasses
    • IPA file analysis and repackaging
    • Common vulnerabilities: insecure data storage, weak crypto, URL scheme hijacking

  6. Pointer Authentication Codes (PAC)

    • Hardware-based code integrity on A12+ chips
    • PACIBSP, PACIA instructions for forward/backward-edge CFI
    • PAC bypass research: JOP (Jump-Oriented Programming), gadget signing
    • 2023-2025: Advanced PAC bypass techniques in Pegasus and Operation Triangulation

  7. iOS Fuzzing & Vulnerability Discovery

    • AFL, LibFuzzer for iOS userland fuzzing
    • WebKit fuzzing: Domato, Fuzzilli, JSFuzzer
    • IOKit driver fuzzing with Corellium virtual devices
    • iMessage/SMS fuzzing (post-BlastDoor hardening)

  8. Notable iOS Exploits & Campaigns

    • Pegasus (NSO Group): Zero-click iMessage exploits, kernel exploits
    • Operation Triangulation (2023): iOS 16 exploit chain via iMessage
    • Checkm8 (2019): Unfixable bootrom exploit for A5-A11 devices
    • FORCEDENTRY (2021): Zero-click iOS 14 exploit using PDF/GIF rendering
    • CVE-2025-24085 (2025): XNU kernel use-after-free, actively exploited in the wild

  9. iOS Security Mitigations

    • PAC (Pointer Authentication): A12+ chips, cryptographic pointer signing
    • PPL (Page Protection Layer): Hypervisor-enforced memory protection for kernel data
    • BlastDoor: Sandbox for parsing untrusted iMessage content (iOS 14+)
    • Secure Enclave: Hardware-isolated processor for cryptographic operations
    • KASLR: Kernel Address Space Layout Randomization
    • Zone_require: Kernel heap zone isolation
    • Memory Tagging (MTE): Future A-series chips (2025+)

  10. iOS Reverse Engineering

    • Tools: Hopper, IDA Pro, Ghidra, class-dump, Cycript
    • Dynamic analysis: Frida, lldb, Objection
    • Kernel cache analysis: jtool2, img4tool, Luca Todesco’s tools
    • Decrypting App Store binaries: Clutch, frida-ios-dump, bfdecrypt
    • File system access: SSH over USB (usbmuxd), AFC (Apple File Conduit)

  11. Legal & Ethical Considerations

    • iOS jailbreaking is legal under DMCA exemptions (US)
    • Exploit development for research/defensive purposes is legitimate
    • Selling iOS exploits to government contractors (e.g., NSO Group, Zerodium) raises ethical concerns
    • Always obtain proper authorization before testing iOS devices you don’t own
    • Bug bounty: Apple Security Bounty offers up to $2 million for critical iOS exploits

  12. 2024-2025 iOS Exploitation Trends

    • Increased focus on zero-click exploits (iMessage, FaceTime, SMS)
    • Advanced PAC bypass techniques for A14-A17 chips
    • Post-BlastDoor iMessage exploitation research
    • iOS 17-18 kernel hardening and PPL improvements
    • Rise in targeted attacks against high-profile iOS users (journalists, activists, politicians)
    • Growing researcher interest in Secure Enclave and SEP firmware exploitation
    • CVE-2025-24085 and CVE-2025-24200: Actively exploited zero-days in iOS 18.3.1 and earlier


Browser Exploitation

Books & Whitepapers

Courses

Labs & Tools

Browser Exploitation Frameworks & Resource Collections:

Fuzzing Tools:

Debugging & Analysis Tools:

Research & PoC Repositories:

Blogs & Series

Presentations & Conferences

Videos

Notes

  • Major Browsers: Google Chrome, Mozilla Firefox, Apple Safari, Microsoft Edge, Opera, Brave (most based on Chromium)
  • JavaScript Engines: V8 (Chrome/Edge/Node.js), SpiderMonkey (Firefox), JavaScriptCore/Nitro (Safari), Chakra (legacy Edge)
  • 2025 Critical Zero-Days: CVE-2025-6554 (Chrome V8 type confusion), CVE-2025-5419 (V8 out-of-bounds), CVE-2025-13223 (Chrome), CVE-2025-2783 (Mojo IPC sandbox escape), CVE-2025-2857 (Firefox IPC), CVE-2025-4609 (Chromium ipcz - $250K bounty)
  • 2024 Statistics: 75 zero-day vulnerabilities exploited in wild (50% increase from 2023), Chrome had majority of attacks, 8+ Chrome zero-days in 2024, Firefox had 5 out of 6 highest vulnerability scores
  • Exploitation Techniques: Memory corruption (use-after-free, buffer overflow, type confusion), JIT spray, heap feng shui, ROP chains, sandbox escape, IPC exploitation, Mojo IPC bugs, speculative execution attacks
  • Attack Vectors: Malicious websites, drive-by downloads, watering hole attacks, browser extensions, WebAssembly exploitation, DOM manipulation, JavaScript engine bugs, renderer process compromise
  • Sandbox Escape: CVE-2025-2783 (Mojo IPC OOB read/write + UAF), CVE-2025-4609 earned $250K (largest single bounty for partial exploit), multi-stage chains combining renderer exploit + sandbox escape + privilege escalation
  • Common Bug Classes: Use-after-free (UAF), type confusion, out-of-bounds read/write, integer overflow, race conditions, uninitialized memory, logic bugs in IPC
  • WebAssembly Risks: Memory corruption from C/C++ code ported to WASM, obfuscation for detection evasion, control flow hijacking, JIT compilation vulnerabilities, lack of native security mitigations (DEP/ASLR), RCE through V8 engine exploits
  • Fuzzing Approaches: Coverage-guided (AFL/AFL++), grammar-based (Domato, Dharma), mutation-based, JIT-targeted (Fuzzilli), in-process fuzzing, DOM fuzzing (Grizzly, Domino)
  • Pwn2Own Rewards: 2022 awarded $1.155M for 25 unique zero-days, single-day record of $800K, sandbox escapes earn premium payouts, full chain exploits (RCE + sandbox escape + privilege escalation) worth $250K+
  • Browser Security Features: Sandboxing (site isolation, process isolation), ASLR, DEP/NX, CFI (Control Flow Integrity), stack canaries, heap hardening, JIT hardening, Mojo IPC validation, seccomp filters
  • Chrome Security: Site Isolation (separate processes per origin), V8 pointer compression, CFI, MiraclePtr, PartitionAlloc hardening, renderer sandboxing via Mojo IPC
  • Firefox Security: Fission (site isolation), IonMonkey JIT hardening, process sandboxing, RLBox WASM sandboxing, content process restrictions
  • Safari Security: Intelligent Tracking Prevention (ITP), WebKit sandboxing, process isolation, JIT restrictions on iOS, Lockdown Mode (iOS 16+)
  • Detection Challenges: Zero-day exploits before patches available, obfuscated JavaScript/WASM, fileless attacks, in-memory exploitation, sandbox escape chains bypass traditional defenses
  • Defense Measures: Keep browsers updated (patch zero-days quickly), disable JavaScript for untrusted sites, use browser isolation technologies, enable Enhanced Safe Browsing (Chrome), deploy EDR/XDR solutions, restrict browser extensions
  • Research Tools Prerequisites: Familiarity with C++ and JavaScript, AMD64 assembly knowledge, understanding of memory corruption, exploitation mitigations (ASLR, DEP, CFI), Linux/Windows debugging experience
  • Lab Setup: Isolated VM environment, debuggers (GDB, WinDbg, rr), fuzzing infrastructure (AFL++, libFuzzer), browser builds with debug symbols, snapshot/restore capabilities
  • Vulnerability Research: Patch diffing, binary analysis, fuzzing (DOM, JS engines, WebAssembly), manual code review, regression testing, exploit PoC development
  • Legal Warning: Unauthorized exploitation of browser vulnerabilities is illegal. All research must follow responsible disclosure policies and be conducted in authorized lab environments
  • Responsible Disclosure: Report to browser vendors (Chrome VRP, Mozilla Bug Bounty, Apple Security Bounty), coordinate disclosure timelines (typically 90 days), never deploy exploits against unauthorized targets
  • Bug Bounty Programs: Chrome Vulnerability Reward Program (up to $250K+), Mozilla Bug Bounty, Apple Security Bounty, Microsoft Edge Bug Bounty, Pwn2Own competitions
  • Research Institutions: Google Project Zero, Microsoft Security Response Center (MSRC), Mozilla Security, RET2 Systems, Exodus Intelligence, STAR Labs, Georgia Tech SSLab
  • Key Researchers: Ivan Fratric (Google Project Zero), Samuel Groß (V8 Security), Exodus Intelligence Team, RET2 Systems Team, Pwn2Own contestants
  • Future Trends: Increased adoption of memory-safe languages (Rust), enhanced sandboxing (site isolation improvements), AI-powered vulnerability discovery, quantum-resistant crypto in browsers, Zero Trust browser architectures
  • Best Practices: Multi-layered defense (network isolation + browser hardening + EDR), principle of least privilege, disable unnecessary features, use dedicated browsers for sensitive tasks, implement browser isolation for enterprise


Hypervisor Exploitation

Books & Whitepapers

Courses

Labs & Tools

Hypervisor Development Frameworks:

Exploitation & Vulnerability Research:

Fuzzing Tools:

Analysis & Debugging Tools:

Vulnerability Scanners:

Blogs & Series

Presentations & Conferences

Videos

Notes

  • Attack Vectors: Guest-to-host VM escape, hypervisor privilege escalation, denial of service, information leakage, arbitrary code execution, USB controller exploitation, virtual device vulnerabilities
  • Primary Attack Sources: Guest OS users (76% Xen, 85% KVM), cloud administrators, guest OS administrators, remote users
  • Common Attack Types: DoS (44% Xen, 63% KVM), privilege escalation (30% Xen, 11% KVM), information leakage (14% Xen, 19% KVM), arbitrary code execution (7% both)
  • Major Hypervisors Targeted: VMware ESXi/vSphere/Workstation/Fusion, Microsoft Hyper-V, Linux KVM/QEMU, Xen, Oracle VirtualBox, Parallels Desktop
  • 2025 Critical VMware Zero-Days: CVE-2025-22224 (CVSS 9.3), CVE-2025-22225 (CVSS 8.2), CVE-2025-22226 (CVSS 7.1) - actively exploited in the wild, allowing full VM escape and hypervisor compromise
  • 2024 ESXi Authentication Bypass: CVE-2024-37085 - exploited by ransomware groups (Helldown, Black Basta, Akira, Medusa, Scattered Spider) for mass encryption attacks
  • 2024 USB Controller Vulnerabilities: Four critical flaws in VMware ESXi allowing sandbox and hypervisor bypass with privileged guest access
  • VirtualBox Vulnerabilities: CVE-2024-21111 (privilege escalation to NT AUTHORITY\SYSTEM), CVE-2018-2844 (VM escape via VBVA), multiple NAT DoS vulnerabilities
  • Xen Vulnerabilities: XSA-148, XSA-182 (exploitable logic issues), x86 emulator privilege validation flaws enabling sensitive instruction emulation
  • KVM/QEMU Issues: 41+ guest-triggerable CVEs since 2009, VENOM vulnerability, 9pfs implementation flaws, e1000e heap use-after-free, VNC DoS vulnerabilities
  • VM Escape Techniques: Hypervisor-level attacks (exploit hypervisor code), guest-level attacks (exploit guest OS/applications), buffer overflow, command injection, shared hardware cache exploitation
  • Advanced Attacks: VMScape (Spectre BTI attack breaking VM isolation on AMD/Intel), Fire Ant (hypervisor-level espionage), BluePill (theoretical hypervisor rootkit)
  • Fuzzing Approaches: Morphuzz (Red Hat’s QEMU fuzzer using libFuzzer), AFL++ with hypervisor injection, kAFL (hypervisor-based OS fuzzing), pattern-based seed generation
  • Virtualization Technology: Intel VT-x, AMD-V (AMD SVM), EPT (Extended Page Tables), VPID (Virtual Processor ID), VMCS (Virtual Machine Control Structure)
  • Security Features: VBS (Virtualization Based Security), Hyper-V Virtual Secure Mode (VSM), HVCI (Hypervisor-Protected Code Integrity), SEV-SNP (Secure Encrypted Virtualization)
  • Ransomware Targeting: VM escape exploits highly sought after by nation-state actors and organized crime for privilege escalation avoidance and reduced detection footprint
  • Impact: Full virtualized infrastructure compromise, lateral movement across VMs, ransomware deployment at scale, data exfiltration, persistent access
  • Detection Challenges: Hypervisor-level attacks operate below OS visibility, minimal forensic artifacts, difficult to detect with traditional EDR/AV solutions
  • Defense Measures: Regular patching (hypervisor, host OS, guest OS), network segmentation, least privilege access, disable unnecessary virtual devices, enable security features (VBS, SEV), monitoring hypervisor logs
  • Testing Environment: Build isolated lab with nested virtualization support, use snapshots for clean state reversion, avoid testing on production systems
  • Vulnerability Sources: CVE databases (VMware, Oracle, Xen, KVM), vendor security advisories, CISA KEV catalog, security research publications
  • Research Institutions: Microsoft Threat Intelligence (MSTIC), Sygnia, Zero Day Engineering, Red Hat Research, Google Project Zero, SentinelLabs
  • Legal Warning: Unauthorized exploitation of hypervisor vulnerabilities is illegal. All research must be conducted in authorized environments with proper permissions
  • Ethical Considerations: Responsible disclosure to vendors, coordinated vulnerability disclosure programs, focus on defensive understanding and improving virtualization security
  • Best Practices: Keep hypervisors updated, minimize attack surface (disable unused features), implement defense-in-depth, monitor for unusual VM behavior, use hardware security features
  • Certification Requirements: CISA mandated federal agencies patch critical VMware vulnerabilities by March 25, 2025; compliance frameworks (FedRAMP, PCI-DSS) require hypervisor security controls
  • Future Trends: Confidential computing adoption (Intel TDX, AMD SEV-SNP, ARM CCA), AI-powered vulnerability discovery, quantum-resistant hypervisor cryptography, automated exploit detection


Drones Hacking

Books & Whitepapers

Courses

Labs

Blogs & Series

Presentations & Conferences

Videos

Tools & Frameworks

Drone Hacking Frameworks:

GPS Spoofing & Jamming:

Wi-Fi Deauthentication & Attack Tools:

MAVLink Protocol Testing:

Drone Detection & Counter-Drone:

Forensics & Analysis:

OSINT & Reconnaissance:

GitHub Resources & Collections:

Notes

  • Setup your own drone hacking lab using consumer drones (DJI Tello, Parrot AR.Drone, DJI Phantom), SDR hardware (HackRF, BladeRF), and Wi-Fi auditing tools
  • 2024-2025 Statistics: Counter-UAS market projected to reach $6.98 billion by 2029 (CAGR 26.8%); 1.6M+ commercial drones registered in US alone
  • Market Growth: Global drone security market expected to reach $7.5 billion by 2030; compound annual growth rate (CAGR) of 24.3%
  • Security Incidents: 2,000+ reported drone security incidents globally in 2024; 60% involve unauthorized surveillance, 25% critical infrastructure threats
  • Attack Vectors: GPS spoofing (85% success rate on consumer drones), Wi-Fi deauthentication (95% on older models), MAVLink hijacking, RF jamming
  • Common Protocols: MAVLink (ArduPilot, PX4), Lightbridge (DJI), OcuSync (DJI), Parrot SDK, DroneKit API
  • Communication Channels: 2.4GHz/5.8GHz Wi-Fi, 433MHz/915MHz radio control, GPS L1/L2 bands, 4G/5G cellular
  • Popular Targets: DJI Phantom series (35% of consumer market), DJI Mavic series (30%), Parrot AR.Drone (legacy testing), DJI Tello EDU (educational)
  • Attack Types:
    • GPS spoofing and location manipulation
    • Wi-Fi deauthentication and man-in-the-middle attacks
    • MAVLink protocol injection and command hijacking
    • RF jamming and signal disruption
    • Firmware exploitation and backdoor installation
    • Video feed interception and manipulation
    • Autonomous flight takeover
  • GPS Spoofing Success: 85%+ of consumer drones vulnerable to GPS spoofing; can redirect drones up to 10km from intended location
  • Wi-Fi Vulnerabilities: 95% of older drone models (pre-2020) vulnerable to Wi-Fi deauth attacks; modern DJI OcuSync more resilient
  • MAVLink Security: Unencrypted by default; allows command injection, telemetry interception, mission manipulation on ArduPilot/PX4 systems
  • DJI Security Updates: 2024 security patches address firmware vulnerabilities, encrypted communications, geo-fencing improvements
  • Regulatory Context: FAA Remote ID (2023), EASA drone regulations (2024), NIST cybersecurity framework for UAS
  • Legal Warning: Unauthorized interference with aircraft (including drones) is a federal crime in most countries. All testing must be performed on personally owned drones in controlled environments with explicit permission
  • Ethical Use: These tools are for authorized security research, penetration testing of owned systems, and defensive understanding only
  • Lab Hardware: Use DJI Tello EDU ($99), HackRF One ($350), Flipper Zero ($169), WiFi Pineapple ($119), RTL-SDR dongles ($25)
  • Software Stack: Kali Linux, DroneSploit, Aircrack-ng, MAVProxy, QGroundControl, GPS-SDR-SIM, Wireshark
  • Best Practices: Test in isolated environments away from airports/restricted airspace, never compromise flight safety, follow responsible disclosure
  • Counter-Drone Technologies: RF detection systems, radar-based tracking, optical/thermal cameras, GPS jamming, net guns, directed energy weapons
  • Forensics Capabilities: Extract flight logs, analyze telemetry data, recover video footage, identify pilot location, timeline reconstruction
  • OSINT Applications: Track drone registrations, identify operators, analyze flight patterns, monitor drone activity near critical infrastructure
  • Certification Path: DroneSec certifications, Certified Drone Cyber Defense Specialist (CDCDS), EC-Council Drone Hacking Workshop
  • Continuous Learning: Follow DroneSec blog, monitor CVEs for drone firmware, participate in Drone Wars competitions, study C-UAS technologies
  • Notable Vulnerabilities (2023-2024):
    • CVE-2023-XXXX: DJI firmware buffer overflow allowing arbitrary code execution
    • CVE-2024-XXXX: Parrot SDK authentication bypass
    • Multiple MAVLink protocol vulnerabilities in ArduPilot/PX4 (ongoing research)
  • Defense Strategies: Enable Remote ID, use encrypted communication protocols, implement geo-fencing, keep firmware updated, monitor for GPS anomalies
  • Emerging Threats (2024-2025): AI-powered autonomous attack drones, swarm coordination exploits, 5G network vulnerabilities, quantum-resistant encryption needs


MedTech Hcking

Books & Whitepapers

Courses

Labs

Since actual medical hardware is hard to get, use these software simulators:

  • OpenEMR: Open-source electronic medical record system. Install via Docker to practice attacking patient data databases and web vulnerabilities.
  • Orthanc DICOM Server: Open-source server for medical imaging. Use this to practice attacking DICOM protocols and image manipulation.
  • DCM4CHE: Java toolkit for the DICOM standard. Essential for analyzing medical network traffic.
  • Biohacking Village CTF: Keep an eye on VillageB.io for their CTF challenges (often released during DEF CON).
  • HoneyPots: Look into Conpot (ICS honeypot) and configure it to simulate medical device profiles.
  • CICIoMT2024 Dataset: Research dataset with 18 cyberattacks targeted at 40 IoMT devices.
  • Horos DICOM Viewer: Open-source medical image viewer for macOS.
  • Mirth Connect: Open-source HL7 interface engine for healthcare integration testing.

Blogs, Articles & News

Presentations & Conferences

Tools & Frameworks

DICOM Protocol Tools

HL7 Protocol Tools

  • HL7Magic (WithSecure): Tool for proxying, parsing and amending HL7 messages (DEF CON 2023).
  • hl7 (Python): Python library to parse HL7 messages (hospital data protocol).
  • Mirth Connect: Open-source HL7 interface engine.
  • MedAudit: Graphical interface for testing devices using HL7 (BlackHat 2017).

Wireless & Network Testing

  • KillerBee: Framework for ZigBee exploitation (common in older medical devices).
  • Ubertooth: Tools for Bluetooth Low Energy (BLE) monitoring (common in modern wearables).
  • Wireshark: Network protocol analyzer with DICOM dissectors.

Medical Device Simulators

  • OpenEMR: Open-source electronic medical record system.
  • Orthanc: Open-source DICOM server for medical imaging.
  • Conpot: ICS/SCADA honeypot that can simulate medical device profiles.

Security Platforms

  • Medigate (Claroty): IoMT security platform for clinical environments.
  • Armis: Agentless device security platform.
  • Forescout: Device visibility and control platform.
  • MedCrypt: Cybersecurity platform for medical device manufacturers.
  • C2A Security: Risk-driven DevSecOps platform for medical devices.

Notes

Misc (GitHub Repos, Videos, Reports)



CPU Exploitation

Books & Whitepapers

Courses

Labs

Official Vulnerability Sites:

GitHub Resource Collections:

Attack Tools & Frameworks:

Blogs & Series

Presentations & Conferences

Videos

Tools & Frameworks

Spectre & Meltdown Tools:

Cache Attack Tools:

Rowhammer Tools:

SGX/TEE Attack Tools:

Side-Channel Analysis:

Research & Development:

Notes

  • 2024-2025 Major Attacks: Training Solo (May 2025) affects all Intel CPUs with eIBRS; Branch Privilege Injection (May 2025) affects Intel 9th gen+; VMScape (September 2025) exploits incomplete isolation in branch predictor between VMs
  • 2024 Notable Attacks: BHI vulnerability exploitable in Linux user space; TikTag attack against ARM v8.5A Memory Tagging Extension; Indirector attack on Intel Alder/Raptor Lake; TSA attacks on AMD Zen 3/4
  • Transient Execution Attacks: Exploit processor optimizations to bypass security checks and exfiltrate sensitive information through covert channels; affects Intel, AMD, and ARM processors
  • Spectre Family: Exploits speculative execution to access unauthorized memory; multiple variants discovered (v1, v2, BTI, PHT, STL); persists in latest processors despite mitigations
  • Meltdown: Breaks isolation between user applications and operating system; allows reading kernel memory from user space; primarily affects Intel processors
  • TEE.Fail Attack (October 2025): Breaks Intel SGX/TDX and AMD SEV-SNP using sub-$1,000 DDR5 memory bus attack; extracts attestation keys and cryptographic material; built using off-the-shelf hardware
  • Rowhammer: Exploits DRAM cell interaction to flip bits in adjacent memory rows; affects DDR3, DDR4, and DDR5 memory; variants include BLACKSMITH, TRRespass, ρHammer
  • Cache Timing Attacks: Exploit CPU cache behavior to infer secret information; techniques include Flush+Reload, Prime+Probe, Evict+Time, Flush+Flush
  • Side-Channel Attacks: Leverage timing, power consumption, electromagnetic emissions, or acoustic signatures; target cryptographic implementations and secure enclaves
  • Intel SGX Attacks: SGAxe, Foreshadow, Spectre-SGX, SGX-Step; exploit speculative execution and cache timing; compromise enclave confidentiality
  • AMD SEV Attacks: SEVered, SEVerity, CrossLine; exploit memory encryption weaknesses; affect confidential computing in cloud environments
  • RISC-V Security: Emerging attack surface; Security-RISC demonstrates Spectre-v1 and cache attacks on hardware RISC-V; requires vendor-specific mitigations
  • Mitigation Challenges: Microcode updates impact performance (5-30% overhead); some attacks have no complete mitigation; ongoing cat-and-mouse between attackers and defenders
  • Vendor Responses: Intel implements eIBRS, IBPB, STIBP; AMD uses LFENCE dispatch serialization; ARM introduces CSV2, CSV3 mitigations; physical attacks often out-of-scope
  • Attack Prerequisites: Some require local access, others remote timing observation; vary from user-mode to kernel privileges; physical attacks require hardware interposition
  • Testing Tools: MemTest86 for Rowhammer detection; spectre-meltdown-checker for vulnerability assessment; ChipWhisperer for side-channel analysis
  • Research Institutions: Leading work from MIT, ETH Zurich, Georgia Tech, Purdue, VUSec, IAIK Graz, CISPA; publications in USENIX, IEEE S&P, ACM CCS
  • Real-World Impact: Cloud security compromised by VM escape; cryptographic keys extracted from SGX enclaves; browser-based attacks via JavaScript
  • Defense Strategies: Hardware fixes (CPU redesign, memory encryption); software mitigations (kernel page-table isolation, retpoline); compiler-based defenses (lfence insertion)
  • Performance vs Security: Mitigations introduce significant overhead; context switching costs increase; some features disabled (hyperthreading, speculative execution)
  • Future Trends: Quantum-resistant side-channels; AI-accelerated attack discovery; formal verification of microarchitectural security; hardware-software co-design for security
  • Lab Setup: Use vulnerable test systems; QEMU for safe experimentation; logic analyzers for hardware attacks; isolated networks for testing
  • Legal Warning: Unauthorized exploitation of CPU vulnerabilities is illegal; research requires responsible disclosure; testing only on authorized systems with proper permissions
  • Ethical Considerations: Coordinate disclosure with vendors (typically 90-day embargo); publish proof-of-concepts responsibly; consider societal impact before public release
  • Hardware Requirements: Logic analyzer for memory bus attacks; oscilloscope for power analysis; FPGA for custom attack implementations; DDR interposers for TEE.Fail-style attacks
  • Best Practices: Stay updated on latest CVEs; apply security patches promptly; disable hyperthreading if high security required; use constant-time cryptographic implementations
  • Detection Methods: Performance anomaly detection; cache occupancy monitoring; memory access pattern analysis; timing variance detection
  • Academic Resources: arXiv for latest preprints; IACR ePrint for cryptographic attacks; ACM/IEEE digital libraries for peer-reviewed research
  • Industry Standards: Common Vulnerabilities and Exposures (CVE) system; CERT coordination; vendor security advisories; NIST guidelines


GPU Exploitation

Books & Whitepapers

Courses

Labs & Tools

GitHub Resource Collections:

GPU Development & Tools:

Blogs & Series

Presentations & Conferences

Videos

Notes

  1. GPU Driver Kernel Exploitation

    • GPU drivers run in kernel mode with high privileges (Ring 0 on x86, EL1 on ARM)
    • Common vendors: NVIDIA (GeForce, Quadro, Tesla), AMD (Radeon, RDNA), Intel (Arc, Iris Xe), Qualcomm (Adreno), ARM (Mali)
    • Attack surface: IOCTL handlers, memory management (VRAM/system RAM mapping), command submission, shader compilation
    • Common vulnerabilities: use-after-free, buffer overflows, integer overflows, race conditions, type confusion
    • Tools: IDA Pro, Ghidra, WinDbg, LLDB, Syzkaller (GPU driver fuzzing)

  2. NVIDIA GPU Driver Exploitation

    • NVIDIA dominates discrete GPU market (80%+ market share)
    • Driver components: nvidia.ko (Linux), nvlddmkm.sys (Windows)
    • Common targets: IOCTL handlers (NV_ESC_RM_* functions), UVM (Unified Virtual Memory), CUDA runtime
    • CVE-2024-0109 (2024): Critical privilege escalation in NVIDIA GPU driver
    • Research: Google Project Zero’s extensive NVIDIA driver research

  3. AMD Radeon GPU Driver Exploitation

    • AMD GPU drivers: amdgpu.ko (Linux), amdkmdag.sys (Windows)
    • ROCm (Radeon Open Compute): Open-source compute platform
    • Common vulnerabilities: DRM (Direct Rendering Manager) bugs, memory mapping issues
    • CVE-2024-21762 (2024): AMD Radeon driver memory corruption

  4. Qualcomm Adreno GPU Exploitation

    • Adreno GPUs dominate Android mobile market (Snapdragon SoCs)
    • Attack surface: kgsl (Kernel Graphics Support Layer), GPU firmware, command submission
    • QualpWN (Tencent Blade Team 2019): Qualcomm GPU/WLAN driver vulnerability chain
    • CVE-2024-23211 (2024): Adreno GPU remote code execution
    • Mobile exploitation: Adreno exploits often used in Android privilege escalation chains

  5. Intel Graphics Driver Exploitation

    • Intel integrated GPUs (Iris Xe, UHD Graphics, Arc discrete GPUs)
    • Drivers: i915.ko (Linux), igdkmd64.sys (Windows)
    • Common vulnerabilities: Display engine bugs, GuC (Graphics Microcontroller) issues
    • CVE-2023-4295 (2023): Intel graphics driver actively exploited in the wild

  6. ARM Mali GPU Exploitation

    • ARM Mali GPUs prevalent in mobile/embedded devices (Samsung Exynos, MediaTek)
    • Attack surface: Mali kernel driver, job scheduling, memory management
    • TrustZone integration: Mali Protected Mode for secure video playback
    • Research: Breaking TrustZone via Mali GPU vulnerabilities

  7. GPU Side-Channel Attacks

    • Timing attacks: Measuring GPU execution time to infer data
    • Cache attacks: GPU cache side-channels (similar to CPU Spectre/Meltdown)
    • GPU memory side-channels: Leaking data through VRAM access patterns
    • Cross-VM attacks: Exploiting shared GPU in cloud environments
    • Notable: LeftoverLocals (2024) - GPU memory disclosure vulnerability affecting AMD, Apple, Qualcomm

  8. GPU DMA (Direct Memory Access) Attacks

    • GPUs can directly access system memory via DMA
    • PCIe DMA attacks: GPU as a rogue DMA device
    • IOMMU bypass: Exploiting IOMMU (Input-Output Memory Management Unit) misconfigurations
    • Physical attacks: GPU DMA for cold boot attacks, memory imaging
    • Mitigations: VT-d (Intel), AMD-Vi, PCIe ACS (Access Control Services)

  9. GPU Virtualization Exploitation

    • GPU passthrough: Dedicated GPU assignment to VMs (VFIO, SR-IOV)
    • vGPU (Virtual GPU): Time-sliced GPU sharing (NVIDIA GRID, AMD MxGPU)
    • Attack vectors: VM escape via GPU driver bugs, GPU memory isolation bypasses
    • Cloud environments: Exploiting shared GPU in AWS, Azure, GCP instances
    • Research: VMware GPU virtualization security research

  10. Graphics API Vulnerabilities

    • OpenGL: Legacy graphics API, vulnerabilities in shader compilers, extensions
    • Vulkan: Modern low-level graphics API, explicit memory management
    • DirectX: Windows graphics API (D3D11, D3D12)
    • Metal: Apple’s graphics API for macOS/iOS
    • Common issues: Shader compiler bugs, invalid API state handling, memory corruption in runtime

  11. GPU Firmware Exploitation

    • GPU VBIOS/UEFI GOP (Graphics Output Protocol) vulnerabilities
    • GPU microcontroller firmware: NVIDIA GSP (GPU System Processor), AMD SMU (System Management Unit)
    • Firmware update mechanisms: Exploiting insecure BIOS flashing
    • Persistent threats: GPU firmware rootkits, BIOS-level implants
    • Tools: NVIDIA NVFlash, AMD VBFlash, GPU-Z BIOS dumping

  12. CUDA & GPU Compute Exploitation

    • CUDA: NVIDIA’s parallel computing platform (widely used in AI/ML)
    • GPU compute vulnerabilities: Kernel memory leaks, buffer overflows in CUDA kernels
    • OpenCL/ROCm exploitation: Cross-platform GPU compute security
    • AI/ML attacks: Poisoning GPU-accelerated machine learning models
    • Cryptocurrency mining malware: GPU hijacking for cryptojacking

  13. GPU Fuzzing & Vulnerability Discovery

    • Syzkaller: Google’s kernel fuzzer, supports GPU driver fuzzing
    • AFL++: Fuzzing GPU userspace libraries and APIs
    • IOCTL fuzzing: Targeting GPU driver control interfaces
    • Shader fuzzing: Finding bugs in shader compilers (GLSL, HLSL, SPIR-V)
    • Coverage-guided fuzzing: Instrumented GPU driver fuzzing for code coverage

  14. Notable GPU Exploits & CVEs

    • CVE-2024-0109 (2024): NVIDIA GPU driver privilege escalation - critical severity
    • CVE-2024-21762 (2024): AMD Radeon driver memory corruption
    • CVE-2024-23211 (2024): Qualcomm Adreno GPU remote code execution
    • CVE-2023-4295 (2023): Intel graphics driver actively exploited
    • LeftoverLocals (2024): GPU memory disclosure affecting AMD, Apple, Qualcomm GPUs
    • QualpWN (2019): Tencent’s Qualcomm Adreno GPU vulnerability chain
    • Project Zero: Numerous NVIDIA/AMD/Intel GPU driver vulnerabilities disclosed

  15. Legal & Ethical Considerations

    • GPU security research is legal when conducted on your own hardware
    • NVIDIA, AMD, Intel, Qualcomm have bug bounty programs for GPU driver vulnerabilities
    • Unauthorized exploitation of cloud GPU instances is illegal
    • Always obtain proper authorization before testing GPU systems
    • Responsible disclosure through vendor security teams or coordinated disclosure platforms

  16. 2024-2025 GPU Exploitation Trends

    • Increased focus on AI/ML GPU workload security (CUDA exploits)
    • Cloud GPU exploitation: Attacking shared GPU in AWS, Azure, GCP
    • LeftoverLocals-style GPU memory disclosure vulnerabilities
    • GPU side-channel attacks for cryptographic key extraction
    • NVIDIA H100/A100 security research (datacenter GPUs)
    • AMD Instinct MI300 exploitation research (AI accelerators)
    • Qualcomm Adreno exploitation for Android privilege escalation
    • GPU firmware rootkit research (persistent GPU-level malware)
    • CVE-2024-0109, CVE-2024-21762, CVE-2024-23211: Critical GPU driver vulnerabilities


macOS Exploitation

Books & Whitepapers

Courses

Labs & Tools

GitHub Resource Collections:

Kernel Exploits:

Official Sources:

Security Tools:

Blogs & Series

Presentations & Conferences

Videos

Notes

  1. XNU Kernel Exploitation

    • XNU is a hybrid kernel (Mach microkernel + BSD components), shared with iOS
    • Common targets: IOKit drivers, network stack, file systems, kext vulnerabilities
    • Modern mitigations: KASLR, kernel PAC (KPAC on Apple Silicon), zone_require, PPL (Page Protection Layer)
    • Exploitation techniques: Use-after-free, heap feng shui, OOL (out-of-line) ports, arbitrary read/write primitives
    • Tools: lldb with KDK (Kernel Debug Kit), IDA Pro, Ghidra, dtrace

  2. Gatekeeper Bypass

    • Gatekeeper enforces code signing and notarization for downloaded applications
    • Historical bypasses: archive format exploits, symlink attacks, quarantine attribute manipulation
    • CVE-2024-27815 (2024): Recent Gatekeeper bypass allowing unsigned code execution
    • Research: Objective-See’s extensive Gatekeeper bypass research (Patrick Wardle)

  3. System Integrity Protection (SIP) Bypass

    • SIP prevents modification of system files and processes, even with root privileges
    • Introduced in macOS El Capitan (10.11), restricts access to /System, /usr, /bin, etc.
    • Bypass techniques: kernel exploits, NVRAM manipulation, Recovery Mode abuse
    • CVE-2021-30892 (2021): SIP bypass via InstallerConnection XPC service
    • Research: Google Project Zero’s SIP bypass research

  4. Transparency, Consent, and Control (TCC) Bypass

    • TCC controls app access to sensitive data (location, camera, microphone, contacts, photos, etc.)
    • TCC database: /Library/Application Support/com.apple.TCC/TCC.db (SQLite)
    • Bypass techniques: synthetic clicks, accessibility API abuse, database manipulation, XPC exploits
    • Notable: CVE-2020-29621 (Music.app TCC bypass), CVE-2024-44243 (Safari TCC bypass)
    • Research: Wojciech Regula’s extensive TCC bypass research

  5. macOS Sandboxing & Entitlements

    • App Sandbox restricts application capabilities (file access, network, IPC)
    • Entitlements define app privileges (e.g., com.apple.security.cs.allow-dyld-environment-variables)
    • Sandbox profiles written in SBPL (Sandbox Profile Language)
    • Exploitation: sandbox escapes via XPC, Mach ports, shared memory

  6. XPC Service Exploitation

    • XPC (Inter-Process Communication) is macOS’s primary IPC mechanism
    • Attack surface: privileged helper tools, LaunchDaemons, XPC services running as root
    • Common vulnerabilities: improper entitlement checks, lack of input validation, race conditions
    • Research: NCC Group’s “Attacking the macOS XPC Model” (2020)

  7. Code Signing & Notarization

    • All apps must be signed with valid Apple Developer ID
    • Notarization: Apple scans apps for malware before distribution (macOS 10.15+)
    • Ad-hoc signing vs. Developer ID signing
    • Self-signing techniques for local exploitation

  8. macOS Persistence Techniques

    • LaunchAgents/LaunchDaemons (plist files in /Library/LaunchAgents, ~/Library/LaunchAgents)
    • Login items (LSSharedFileList API)
    • Cron jobs, periodic scripts
    • Dylib hijacking, dylib proxying
    • Kernel extensions (kexts) - deprecated on Apple Silicon
    • System extensions (macOS 10.15+)
    • Tools: KnockKnock, BlockBlock for persistence detection

  9. Notable macOS Exploits & Campaigns

    • FORCEDENTRY (2021): Zero-click iMessage exploit targeting macOS/iOS (NSO Group Pegasus)
    • XCSSET (2020-2021): macOS malware exploiting Xcode projects, Safari 0-days
    • Silver Sparrow (2021): macOS M1 malware discovered on 30,000+ Macs
    • CVE-2025-24085 (2025): XNU kernel use-after-free, actively exploited in the wild
    • CVE-2024-44133 (2024): Kernel privilege escalation exploited in the wild
    • CVE-2024-27815 (2024): Gatekeeper bypass allowing unsigned code execution

  10. Apple Silicon (M1/M2/M3/M4) Security

    • ARM64 architecture with Apple-designed SoCs
    • Pointer Authentication (PAC): Hardware-based code integrity
    • Secure Enclave: Hardware-isolated processor for cryptographic operations
    • Kernel extensions (kexts) no longer supported, replaced by System Extensions
    • Boot security: Secure Boot, Signed System Volume (SSV)
    • Research challenges: Limited kernel debugging on Apple Silicon

  11. macOS Malware Analysis

    • Common malware families: Shlayer, OSX.Dok, MacKeeper, Genieo, Flashback
    • 2024-2025 trends: Infostealer malware targeting crypto wallets, password managers
    • Detection evasion: TCC bypasses, Gatekeeper bypasses, process injection
    • Tools: Objective-See suite (KnockKnock, BlockBlock, LuLu, OverSight), VirusTotal, ANY.RUN

  12. Legal & Ethical Considerations

    • macOS security research is legal when conducted on your own devices
    • Apple Security Bounty offers rewards up to $1 million for critical macOS exploits
    • Unauthorized access to others’ macOS systems is illegal under CFAA (US)
    • Responsible disclosure through Apple Product Security or coordinated disclosure platforms
    • Never use exploits for unauthorized access, stalkerware, or malicious purposes

  13. 2024-2025 macOS Exploitation Trends

    • Increased focus on TCC bypass techniques (privacy controls evasion)
    • Apple Silicon (M-series) exploitation research growing
    • Zero-click exploits targeting iMessage, FaceTime, AirDrop
    • Gatekeeper bypass research continues (notarization evasion)
    • SIP bypass research for persistence and defense evasion
    • macOS Sequoia (macOS 15) hardening: enhanced TCC, improved XPC validation
    • CVE-2025-24085 and CVE-2024-44133: Actively exploited kernel vulnerabilities
    • Growing macOS malware ecosystem targeting enterprise environments
    • M4 chip security research (released 2024)


Satellite Hacking

Books & Whitepapers

Courses

Labs

Blogs & Series

Presentations & Conferences

Notes

Misc (GitHub Repos, Videos, Reports)



Robots Hacking

Books & Whitepapers

Courses

Labs

Blogs & Series

Presentations & Conferences

Tools & Frameworks

ROS Security & Penetration Testing:

Static Analysis & Vulnerability Scanning:

Robot Exploitation & Security Research:

Industrial Robot Security:

Notes

2024-2025 Market & Threat Statistics:

  • Global cybersecurity in robotics market size: $4.1-$15.2 billion (2024), projected to reach $9.2-$45.3 billion by 2031-2035
  • Market CAGR: 12.20%-18% (2024-2035)
  • 70% of organizations reported experiencing cyber attacks in 2024
  • Over 60% of robotic deployments are now connected to networks
  • 80% of manufacturing firms experienced security incidents or breaches in 2024
  • Cyberattacks on ICS and OT systems surged by 50% from 2021-2023
  • North America leads the market with 38-40% global share
  • Asia-Pacific is the fastest-growing regional market

Critical Vulnerabilities (2024-2025):

  • Sensor Exploits: Temperature fluctuations, electromagnetic/acoustic interference, ambient light variations can be weaponized
  • AI/ML Jailbreaking: 100% success rate in jailbreaking AI-powered robots demonstrated in research (2024)
  • Authentication Issues: Unpatched operating systems, default manufacturer passwords, unsecured internet protocols
  • Physical Access: Exposed USB ports, RJ-45 ports, debug interfaces
  • Bluetooth Vulnerabilities: Ecovacs robots hijacked via malicious Bluetooth signals (DEF CON 32, 2024)
  • Network Attacks: Cross-site scripting, Telnet pivoting, man-in-the-middle attacks

Impact & Financial Losses:

  • Downtime costs: $10,000-$100,000 per hour
  • Average loss per cyberattack: Up to $2 million for manufacturers
  • 2022 incident: Compromised robotic arm caused real-world equipment damage

Attack Vectors:

  • IoT connectivity vulnerabilities
  • ROS/ROS2 exposed to internet (Shodan-discoverable systems)
  • Corrupted sensor logic and training data
  • Rewriting control logic and disabling safety mechanisms
  • XMLRPC exploitation in ROS Master and Nodes
  • DDS (Data Distribution Service) security weaknesses

Security Standards & Best Practices:

  • Implement IEC 62443 series for industrial control systems
  • Network segmentation and encrypted communications
  • Continuous system updates and patch management
  • Regular penetration testing using ROSPenTo, HAROS, and other tools
  • Secure authentication mechanisms and access controls
  • Monitor for exposed ROS systems on public internet
  • Deploy OT security platforms (Nozomi Networks, Claroty, Dragos)

Regional Compliance Requirements:

  • GDPR compliance in Europe (31.8% market share)
  • HIPAA compliance for healthcare robotics in North America
  • ISO 27001/27002 for information security management

Legal Warning:

  • Robot hacking without authorization is illegal and may violate Computer Fraud and Abuse Act (CFAA), ICS security regulations, and local laws
  • Always obtain written permission before testing robot systems
  • Only perform security research in authorized environments (labs, CTFs, bug bounty programs)
  • Unauthorized access to industrial robots can cause physical harm, equipment damage, and production shutdowns

Research Focus Areas:

  • Cyber-physical systems (CPS) security
  • Real-time security for time-sensitive robotics applications
  • DevSecOps integration in robotics development lifecycle
  • Robot Operating System 2 (ROS2) security architecture improvements
  • AI/ML model security and adversarial robustness

Misc (GitHub Repos, Videos, Reports)



Vending Machine Hacking

Books & Whitepapers

Courses & Labs (Practical Guides)

Blogs & Series (Case Studies)

Presentations & Conferences

Notes

Misc (GitHub Repos, Tools)



OSINT

Books & Whitepapers

Courses

Labs

Blogs & Series

Presentations & Conferences

Tools & Frameworks

All-in-One OSINT Platforms

  • OSINT Framework - Comprehensive collection of OSINT tools organized by category
  • SpiderFoot - Automated OSINT reconnaissance tool
  • Maltego - Interactive data mining and link analysis platform
  • Recon-ng - Full-featured reconnaissance framework
  • theHarvester - E-mail, subdomain, and name harvesting
  • OSINT-SPY - All-in-one OSINT toolkit

Username & Social Media OSINT

  • Sherlock - Hunt down social media accounts by username
  • Maigret - Collect info about people by username across 3000+ sites
  • Blackbird - Search usernames across 500+ websites
  • WhatsMyName - Username enumeration tool
  • social-analyzer - API, CLI, and web app for social media analysis

Search & Discovery Tools

  • Photon - Fast web crawler for OSINT
  • Shodan - Search engine for Internet-connected devices
  • Censys - Internet-wide scanner and search engine
  • Wayback Machine - Internet archive for historical website snapshots
  • URLScan.io - URL and website scanner

Email & Phone OSINT

  • Holehe - Check if an email is attached to accounts
  • h8mail - Email OSINT and breach hunting
  • Phoneinfoga - Phone number intelligence gathering
  • Epieos - Email and phone lookup tool

Geolocation & Image OSINT

  • GeoSpy - AI-powered geolocation from images
  • PimEyes - Reverse image search for faces
  • TinEye - Reverse image search
  • Google Earth - Satellite and street-level imagery
  • SunCalc - Calculate sun position for geolocation verification

Domain & Network OSINT

Advanced & Specialized Tools

  • sn0int - Semi-automatic OSINT framework and package manager
  • Coeus - Chinese-focused OSINT framework
  • FBI-tools - Collection of OSINT browser tools
  • OSINT-Search - Custom search queries for investigators
  • IntelOwl - Intelligence orchestration platform
  • OSINT Combine - Commercial OSINT platform and tools

Notes

Misc (GitHub Repos, Videos, Reports)

GitHub Repos & Awesome Lists

Browser Extensions & Add-ons

Commercial & Professional Platforms

Standards & Frameworks

Videos & Documentaries

Created By

Zeyad Azima

Thank u all and have a good hacking time to make internet more secure. :) Happy Hacking

red-team web-security cloud-security