Open source and Free Alternative to Postman -> Postwoman

Postwoman – postwoman.io

Postwoman is an open source alternative to Postman (typically used for building API requests).

Using Postwoman is basically the same as using Postman, so there should be no learning curve at all if you switch from Postman to Postwoman.

Description from official GitHub page

Features ✨

❤️ Lightweight: Crafted with minimalistic UI design – simple design is the best design.

⚡️ Fast: Send requests and get/copy responses in real-time – fast software is the best software.

Methods:

  • GET – Retrieve information about the REST API resource
  • HEAD – Retrieve response headers identical to those of a GET request, but without the response body.
  • POST – Create a REST API resource
  • PUT – Update a REST API resource
  • DELETE – Delete a REST API resource or related component
  • CONNECT – Establishes a tunnel to the server identified by the target resource
  • OPTIONS – Describe the communication options for the target resource
  • TRACE – Performs a message loop-back test along the path to the target resource
  • PATCH – Apply partial modifications to a REST API resource
  • <custom> – Some APIs use custom request methods such as LIST. Type in your custom methods.

🌈 Make it yours: Customizable combinations for background, foreground and accent colors: because customization is freedom. Customize now ✨.

Customizations:

  • Choose theme: Kinda Dark (default), Clearly White, Just Black and System theme
  • Choose accent color: Green (default), Yellow, Pink, Red, Purple, Orange, Cyan and Blue
  • Toggle multi-colored headings

Customized themes are synced with local session storage

🔥 PWA: Install as a PWA on your device.

Features:

🚀 Request: Retrieve response from endpoint instantly.

  • Choose method
  • Enter URL and Path
  • Send

Features:

  • Copy/share public “Share URL”
  • Generate request code for JavaScript XHR, Fetch and cURL
  • Copy generated request code to clipboard
  • Import cURL
  • Label requests

🔌 WebSocket: Establish full-duplex communication channels over a single TCP connection.

  • Send and receive data
  • Basic and Bearer Token authentication

📡 Server Sent Events: Receive a stream of updates from a server over a HTTP connection without resorting to polling.

🔮 GraphQL: GraphQL is a query language for APIs and a runtime for fulfilling those queries with your existing data.

  • Set endpoint and get schemas
  • Multi-column docs
  • Set custom request headers
  • Query schema
  • Get query response

🔐 Authentication: Allows to identify the end user.

Types:

  • None
  • Basic
  • Bearer Token
  • OAuth 2.0
  • OIDC Access Token/PKCE (Proof Key for Code Exchange)

📢 Headers: Describes the format the body of your request is being sent as.

  • Add or remove Header list

📫 Parameters: Use request parameters to set varying parts in simulated requests.

📃 Request Body: Used to send and receive data via the REST API.

Options:

  • Set Content Type
  • Add or remove Parameter list
  • Toggle between key-value and RAW input Parameter list

👋 Responses: Contains the status line, headers and the message/response body.

  • Copy response to clipboard
  • Download response as a file
  • View preview of HTML responses

⏰ History: Request entries are synced with local session storage to reuse with a single click.

Fields:

  • Star
  • Label
  • Method
  • Status code
  • URL
  • Path
  • Timestamp
  • Duration
  • Pre-request script

History entries can be sorted by any fields

Histories can be deleted one-by-one or all together

📁 Collections: Keep your API requests organized with collections and folders. Reuse them with a single click.

Options:

  • Create infinite collections, folders and requests
  • Edit, delete, move, export, import and replace

Collections are synced with local session storage

🌐 Proxy: Enable Proxy Mode from Settings to access blocked APIs.

Features:

  • Hide your IP address
  • Fixes CORS (Cross Origin Resource Sharing) issues
  • Access APIs served in non-HTTPS (http://)
  • Use custom Proxy URL

Official Postwoman Proxy is hosted by ApolloTV – Privacy policy

📜 Pre-Request Scripts β: Snippets of code associated with a request that are executed before the request is sent.

Use-cases:

  • Include timestamp in the request headers
  • Send a random alphanumeric string in the URL parameters

Requests with Pre-Request Scripts are indicated in History entries

📄 API Documentation: Create and share dynamic API documentation easily, quickly.

Usage:

  1. Add your requests to Collections and Folders
  2. Export Collections and easily share your APIs with the rest of your team
  3. Import Collections and Generate Documentation on-the-go

⌨️ Keyboard Shortcuts: Optimized for efficiency.

Shortcuts:

  • Send Request Ctrl + G
  • Save to Collections Ctrl + S
  • Copy Request Link Ctrl + K
  • Reset Request Ctrl + L

🌎 i18n β: Experience the app in your own language.

  1. Scroll down to the footer
  2. Click “Choose Language” icon button
  3. Select your language from the menu

Keep in mind: Translations aren’t available for all source and target language combinations

To provide a localized experience for users around the world, you can add your own translations.

All i18n contributions are welcome to i18n branch only!

📦 Add-ons: Official add-ons for Postwoman.

  • Proxy β – A simple proxy server created for Postwoman
  • CLI β – A CLI solution for Postwoman
  • Browser Extensions – Browser extensions that simplify access to Postwoman: Firefox (GitHub) | Chrome (GitHub). Extensions fix CORS issues.

Add-ons are developed and maintained under Official Postwoman Organization.

☁️ Auth + Sync: Sign in and sync in real-time.

Sign in with:

  • Google
  • GitHub

Sync:

  • History
  • Collections

✅ Post-Request Tests β: Write tests associated with a request that are executed after the request response.

Use-cases:

  • Check the status code as an integer
  • Filter response headers
  • Parse the response data

To find out more, please check out Postwoman Wiki.

Resources

Postwoman Demo
Official GitHub page


Open source automatic SQL injection & database takeover tool

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Installation

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev

Usage

Get a list of basic options and switches:

python sqlmap.py -h

Get a list of all options and switches:

python sqlmap.py -hh

Official User Manual

Usage: python sqlmap.py [options]
Options:
  -h, --help            Show basic help message and exit
  -hh                   Show advanced help message and exit
  --version             Show program's version number and exit
  -v VERBOSE            Verbosity level: 0-6 (default 1)
  Target:
    At least one of these options has to be provided to define the
    target(s)
    -d DIRECT           Connection string for direct database connection
    -u URL, --url=URL   Target URL (e.g. "http://www.site.com/vuln.php?id=1")
    -l LOGFILE          Parse target(s) from Burp or WebScarab proxy log file
    -m BULKFILE         Scan multiple targets given in a textual file
    -r REQUESTFILE      Load HTTP request from a file
    -g GOOGLEDORK       Process Google dork results as target URLs
    -c CONFIGFILE       Load options from a configuration INI file
  Request:
    These options can be used to specify how to connect to the target URL
    --method=METHOD     Force usage of given HTTP method (e.g. PUT)
    --data=DATA         Data string to be sent through POST (e.g. "id=1")
    --param-del=PARA..  Character used for splitting parameter values (e.g. &)
    --cookie=COOKIE     HTTP Cookie header value (e.g. "PHPSESSID=a8d127e..")
    --cookie-del=COO..  Character used for splitting cookie values (e.g. ;)
    --load-cookies=L..  File containing cookies in Netscape/wget format
    --drop-set-cookie   Ignore Set-Cookie header from response
    --user-agent=AGENT  HTTP User-Agent header value
    --random-agent      Use randomly selected HTTP User-Agent header value
    --host=HOST         HTTP Host header value
    --referer=REFERER   HTTP Referer header value
    -H HEADER, --hea..  Extra header (e.g. "X-Forwarded-For: 127.0.0.1")
    --headers=HEADERS   Extra headers (e.g. "Accept-Language: fr\nETag: 123")
    --auth-type=AUTH..  HTTP authentication type (Basic, Digest, NTLM or PKI)
    --auth-cred=AUTH..  HTTP authentication credentials (name:password)
    --auth-file=AUTH..  HTTP authentication PEM cert/private key file
    --ignore-code=IG..  Ignore (problematic) HTTP error code (e.g. 401)
    --ignore-proxy      Ignore system default proxy settings
    --ignore-redirects  Ignore redirection attempts
    --ignore-timeouts   Ignore connection timeouts
    --proxy=PROXY       Use a proxy to connect to the target URL
    --proxy-cred=PRO..  Proxy authentication credentials (name:password)
    --proxy-file=PRO..  Load proxy list from a file
    --tor               Use Tor anonymity network
    --tor-port=TORPORT  Set Tor proxy port other than default
    --tor-type=TORTYPE  Set Tor proxy type (HTTP, SOCKS4 or SOCKS5 (default))
    --check-tor         Check to see if Tor is used properly
    --delay=DELAY       Delay in seconds between each HTTP request
    --timeout=TIMEOUT   Seconds to wait before timeout connection (default 30)
    --retries=RETRIES   Retries when the connection timeouts (default 3)
    --randomize=RPARAM  Randomly change value for given parameter(s)
    --safe-url=SAFEURL  URL address to visit frequently during testing
    --safe-post=SAFE..  POST data to send to a safe URL
    --safe-req=SAFER..  Load safe HTTP request from a file
    --safe-freq=SAFE..  Test requests between two visits to a given safe URL
    --skip-urlencode    Skip URL encoding of payload data
    --csrf-token=CSR..  Parameter used to hold anti-CSRF token
    --csrf-url=CSRFURL  URL address to visit for extraction of anti-CSRF token
    --force-ssl         Force usage of SSL/HTTPS
    --hpp               Use HTTP parameter pollution method
    --eval=EVALCODE     Evaluate provided Python code before the request (e.g.
                        "import hashlib;id2=hashlib.md5(id).hexdigest()")
  Optimization:
    These options can be used to optimize the performance of sqlmap
    -o                  Turn on all optimization switches
    --predict-output    Predict common queries output
    --keep-alive        Use persistent HTTP(s) connections
    --null-connection   Retrieve page length without actual HTTP response body
    --threads=THREADS   Max number of concurrent HTTP(s) requests (default 1)
  Injection:
    These options can be used to specify which parameters to test for,
    provide custom injection payloads and optional tampering scripts
    -p TESTPARAMETER    Testable parameter(s)
    --skip=SKIP         Skip testing for given parameter(s)
    --skip-static       Skip testing parameters that not appear to be dynamic
    --param-exclude=..  Regexp to exclude parameters from testing (e.g. "ses")
    --dbms=DBMS         Force back-end DBMS to provided value
    --dbms-cred=DBMS..  DBMS authentication credentials (user:password)
    --os=OS             Force back-end DBMS operating system to provided value
    --invalid-bignum    Use big numbers for invalidating values
    --invalid-logical   Use logical operations for invalidating values
    --invalid-string    Use random strings for invalidating values
    --no-cast           Turn off payload casting mechanism
    --no-escape         Turn off string escaping mechanism
    --prefix=PREFIX     Injection payload prefix string
    --suffix=SUFFIX     Injection payload suffix string
    --tamper=TAMPER     Use given script(s) for tampering injection data
  Detection:
    These options can be used to customize the detection phase
    --level=LEVEL       Level of tests to perform (1-5, default 1)
    --risk=RISK         Risk of tests to perform (1-3, default 1)
    --string=STRING     String to match when query is evaluated to True
    --not-string=NOT..  String to match when query is evaluated to False
    --regexp=REGEXP     Regexp to match when query is evaluated to True
    --code=CODE         HTTP code to match when query is evaluated to True
    --text-only         Compare pages based only on the textual content
    --titles            Compare pages based only on their titles
  Techniques:
    These options can be used to tweak testing of specific SQL injection
    techniques
    --technique=TECH    SQL injection techniques to use (default "BEUSTQ")
    --time-sec=TIMESEC  Seconds to delay the DBMS response (default 5)
    --union-cols=UCOLS  Range of columns to test for UNION query SQL injection
    --union-char=UCHAR  Character to use for bruteforcing number of columns
    --union-from=UFROM  Table to use in FROM part of UNION query SQL injection
    --dns-domain=DNS..  Domain name used for DNS exfiltration attack
    --second-url=SEC..  Resulting page URL searched for second-order response
    --second-req=SEC..  Load second-order HTTP request from file
  Fingerprint:
    -f, --fingerprint   Perform an extensive DBMS version fingerprint
  Enumeration:
    These options can be used to enumerate the back-end database
    management system information, structure and data contained in the
    tables. Moreover you can run your own SQL statements
    -a, --all           Retrieve everything
    -b, --banner        Retrieve DBMS banner
    --current-user      Retrieve DBMS current user
    --current-db        Retrieve DBMS current database
    --hostname          Retrieve DBMS server hostname
    --is-dba            Detect if the DBMS current user is DBA
    --users             Enumerate DBMS users
    --passwords         Enumerate DBMS users password hashes
    --privileges        Enumerate DBMS users privileges
    --roles             Enumerate DBMS users roles
    --dbs               Enumerate DBMS databases
    --tables            Enumerate DBMS database tables
    --columns           Enumerate DBMS database table columns
    --schema            Enumerate DBMS schema
    --count             Retrieve number of entries for table(s)
    --dump              Dump DBMS database table entries
    --dump-all          Dump all DBMS databases tables entries
    --search            Search column(s), table(s) and/or database name(s)
    --comments          Check for DBMS comments during enumeration
    -D DB               DBMS database to enumerate
    -T TBL              DBMS database table(s) to enumerate
    -C COL              DBMS database table column(s) to enumerate
    -X EXCLUDE          DBMS database identifier(s) to not enumerate
    -U USER             DBMS user to enumerate
    --exclude-sysdbs    Exclude DBMS system databases when enumerating tables
    --pivot-column=P..  Pivot column name
    --where=DUMPWHERE   Use WHERE condition while table dumping
    --start=LIMITSTART  First dump table entry to retrieve
    --stop=LIMITSTOP    Last dump table entry to retrieve
    --first=FIRSTCHAR   First query output word character to retrieve
    --last=LASTCHAR     Last query output word character to retrieve
    --sql-query=QUERY   SQL statement to be executed
    --sql-shell         Prompt for an interactive SQL shell
    --sql-file=SQLFILE  Execute SQL statements from given file(s)
  Brute force:
    These options can be used to run brute force checks
    --common-tables     Check existence of common tables
    --common-columns    Check existence of common columns
  User-defined function injection:
    These options can be used to create custom user-defined functions
    --udf-inject        Inject custom user-defined functions
    --shared-lib=SHLIB  Local path of the shared library
  File system access:
    These options can be used to access the back-end database management
    system underlying file system
    --file-read=FILE..  Read a file from the back-end DBMS file system
    --file-write=FIL..  Write a local file on the back-end DBMS file system
    --file-dest=FILE..  Back-end DBMS absolute filepath to write to
  Operating system access:
    These options can be used to access the back-end database management
    system underlying operating system
    --os-cmd=OSCMD      Execute an operating system command
    --os-shell          Prompt for an interactive operating system shell
    --os-pwn            Prompt for an OOB shell, Meterpreter or VNC
    --os-smbrelay       One click prompt for an OOB shell, Meterpreter or VNC
    --os-bof            Stored procedure buffer overflow exploitation
    --priv-esc          Database process user privilege escalation
    --msf-path=MSFPATH  Local path where Metasploit Framework is installed
    --tmp-path=TMPPATH  Remote absolute path of temporary files directory
  Windows registry access:
    These options can be used to access the back-end database management
    system Windows registry
    --reg-read          Read a Windows registry key value
    --reg-add           Write a Windows registry key value data
    --reg-del           Delete a Windows registry key value
    --reg-key=REGKEY    Windows registry key
    --reg-value=REGVAL  Windows registry key value
    --reg-data=REGDATA  Windows registry key value data
    --reg-type=REGTYPE  Windows registry key value type
  General:
    These options can be used to set some general working parameters
    -s SESSIONFILE      Load session from a stored (.sqlite) file
    -t TRAFFICFILE      Log all HTTP traffic into a textual file
    --batch             Never ask for user input, use the default behavior
    --binary-fields=..  Result fields having binary values (e.g. "digest")
    --check-internet    Check Internet connection before assessing the target
    --crawl=CRAWLDEPTH  Crawl the website starting from the target URL
    --crawl-exclude=..  Regexp to exclude pages from crawling (e.g. "logout")
    --csv-del=CSVDEL    Delimiting character used in CSV output (default ",")
    --charset=CHARSET   Blind SQL injection charset (e.g. "0123456789abcdef")
    --dump-format=DU..  Format of dumped data (CSV (default), HTML or SQLITE)
    --encoding=ENCOD..  Character encoding used for data retrieval (e.g. GBK)
    --eta               Display for each output the estimated time of arrival
    --flush-session     Flush session files for current target
    --forms             Parse and test forms on target URL
    --fresh-queries     Ignore query results stored in session file
    --har=HARFILE       Log all HTTP traffic into a HAR file
    --hex               Use hex conversion during data retrieval
    --output-dir=OUT..  Custom output directory path
    --parse-errors      Parse and display DBMS error messages from responses
    --preprocess=PRE..  Use given script(s) for preprocessing of response data
    --repair            Redump entries having unknown character marker (?)
    --save=SAVECONFIG   Save options to a configuration INI file
    --scope=SCOPE       Regexp to filter targets from provided proxy log
    --test-filter=TE..  Select tests by payloads and/or titles (e.g. ROW)
    --test-skip=TEST..  Skip tests by payloads and/or titles (e.g. BENCHMARK)
    --update            Update sqlmap
  Miscellaneous:
    -z MNEMONICS        Use short mnemonics (e.g. "flu,bat,ban,tec=EU")
    --alert=ALERT       Run host OS command(s) when SQL injection is found
    --answers=ANSWERS   Set predefined answers (e.g. "quit=N,follow=N")
    --beep              Beep on question and/or when SQL injection is found
    --cleanup           Clean up the DBMS from sqlmap specific UDF and tables
    --dependencies      Check for missing (optional) sqlmap dependencies
    --disable-coloring  Disable console output coloring
    --gpage=GOOGLEPAGE  Use Google dork results from specified page number
    --identify-waf      Make a thorough testing for a WAF/IPS protection
    --list-tampers      Display list of available tamper scripts
    --mobile            Imitate smartphone through HTTP User-Agent header
    --offline           Work in offline mode (only use session data)
    --purge             Safely remove all content from sqlmap data directory
    --skip-waf          Skip heuristic detection of WAF/IPS protection
    --smart             Conduct thorough tests only if positive heuristic(s)
    --sqlmap-shell      Prompt for an interactive sqlmap shell
    --tmp-dir=TMPDIR    Local directory for storing temporary files
    --web-root=WEBROOT  Web server document root directory (e.g. "/var/www")
    --wizard            Simple wizard interface for beginner users

More can be found here: https://github.com/sqlmapproject/sqlmap/wiki/Usage

http://sqlmap.org/

https://github.com/sqlmapproject/sqlmap/


iGoat – A Learning Tool for iOS App Pentesting and Security (Open Web Application Security Project – OWASP)

iGoat is a learning tool for iOS developers (iPhone, iPad, etc.) and mobile app pentesters. It was inspired by the WebGoat project, and has a similar conceptual flow to it.

As such, iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.

The lessons are laid out in the following steps:

  1. Brief introduction to the problem.
  2. Verify the problem by exploiting it.
  3. Brief description of available remediations to the problem.
  4. Fix the problem by correcting and rebuilding the iGoat program.

Step 4 is optional, but highly recommended for all iOS developers. Assistance is available within iGoat if you don’t know how to fix a specific problem.

Vulnerabilities Covered (version 3.0):

  • Key Management
    • Hardcoded Encryption Keys
    • Key Storage Server Side
    • Random Key Generation
  • URL Scheme Attack
  • Social Engineering
  • Reverse Engineering
    • String Analysis
  • Data Protection (Rest)
    • Local Data Storage (SQLite)
    • Plist Storage
    • Keychain Usage
    • NSUserDefaults Storage
  • Data Protection (Transit)
    • Server Communication
    • Public Key Pinning
  • Authentication
    • Remote Authentication
  • Side Channel Data Leaks
    • Device Logs
    • Cut-and-Paste
    • Backgrounding
    • Keystroke Logging
  • Tampering
    • Method Swizzling
  • Injection Flaws
    • SQL Injection
    • Cross Site Scripting
  • Broken Cryptography

More on: https://github.com/owasp/igoat


Another Web/Web Vulnerability Scanner – xray

A powerful security assessment tool

Supports Active and Passive scanning.

Supports Linux, Windows, macOS

1 Use basic crawler to scan a website

xray webscan --basic-crawler http://example.com --html-output crawler.html

2 Run as a HTTP proxy to scan passively

xray webscan --listen 127.0.0.1:7777 --html-output proxy.html

Configure the browser to use the HTTP proxy http://127.0.0.1:7777; the proxied traffic is then analyzed and scanned automatically.

3 Scan a single url

xray webscan --url "http://example.com/?a=b" --html-output single-url.html

4 Specify the plugins to run manually

By default, all built-in plugins are enabled, and the following commands can be used to enable specific plugins for this scan.

xray webscan --plugins cmd_injection,sqldet --url http://example.com
xray webscan --plugins cmd_injection,sqldet --listen 127.0.0.1:7777 

5 Specify plugin output path

You can specify the output path of the vulnerability information:

xray webscan --url "http://example.com/?a=b" --text-output result.txt --json-output result.json --html-output report.html

6 Proxy HTTPS traffic

6.1 Download xray binary

6.2 Generate certificate and configuration file

xray genca

6.3 Install the certificate

6.4 Configure the browser to use the proxy server "127.0.0.1:8080", then execute the following command

xray webscan --listen 127.0.0.1:8080 --html-output results.htm

Resource


Open source Online Document Management System for Developers – ShowDoc

ShowDoc is a tool greatly applicable for an IT team to share documents online. It can promote communication efficiency among members of the team.

What can it be used for?

  • API Document (Demo)

With the development of the mobile Internet, BaaS (Backend as a Service) is becoming more and more popular. The server side provides an API, and the app or web frontend can conveniently fetch data through it. With ShowDoc you can compile polished API documents quickly and conveniently.

  • Data Dictionary (Demo)

A good Data Dictionary makes it easy to show the database structure to other people, such as the definition of each field.

  • Explanation Document (Demo)

You can also use ShowDoc to write explanation documents for tools, or technical specification documents for the team to look up.

What functions does it have?

  • Sharing and Exporting

The responsive web design lets you share project documents for reading on computers or mobile devices. A project can also be exported as a Word document for offline browsing.

  • Permission Management
  • Public Project and Private Project

Projects on ShowDoc are divided into two categories: Public Project and Private Project. A Public Project can be visited by any user, logged in or not, while visiting a Private Project requires entering a password for verification. The password is set by the project creator.

  • Project Transfer

The project creator can transfer the project to other users of the website freely.

  • Project Members

You can easily add or delete project members in a ShowDoc project. Members of the project can edit the project, but they cannot transfer or delete it (only the creator of the project has that permission).

  • Edit Function
    • Markdown Edit
    ShowDoc uses a Markdown editor, which gives an excellent experience for both editing and reading. If you know nothing about Markdown, please search for “Learning and Introduction of Markdown” in a search engine.
    • Template Insert
    On the editing page of ShowDoc, clicking the button at the top of the editor inserts an API interface template or a data dictionary template. After inserting the template, changing the data is the only thing you need to do, which saves a lot of editing work.
    • History Version
    ShowDoc provides a History Version function on each page, so you can easily restore the page to a former version.

Resource

https://github.com/star7th/showdoc

Open source and Free Gif Maker – ScreenToGif

ScreenToGif
  • Open source and completely free
  • Multilingual
  • Easy to use
  • Builtin editor
  • Builtin Screen Recorder
  • Builtin Webcam Recorder
  • Builtin Board Recorder (For recording drawings)
  • Single file mode (No installation required, download and use)
  • Standard setup mode

ScreenToGif – Editor
ScreenToGif – Options
ScreenToGif -> Option -> Language

Why use ScreenToGif?

Useful links

Free and Open source TrafficMonitor software – TrafficMonitor

Keywords: Traffic Monitor, open source, free, CPU monitor, RAM monitor, CPU usage, RAM usage, skin, Traffic history

TrafficMonitor

TrafficMonitor – Main Window
  • Completely Free and Open source
  • No advertisements
  • Monitoring Internet/Traffic usage
  • Traffic history
  • Monitoring CPU usage
  • Monitoring RAM usage
  • Supports customised skin
  • Multilingual (English, Simplified Chinese, Traditional Chinese)
TrafficMonitor – Option Settings – Main Window Settings
TrafficMonitor – Option Settings – Taskbar Window Settings
TrafficMonitor – Option Settings – General Settings
TrafficMonitor – Main Window – Mouse hover tip
TrafficMonitor – Main Window – Right click menu
TrafficMonitor – Main Window – Right click menu – Other Functions
TrafficMonitor – Taskbar Window

Download:

https://github.com/zhongyang219/TrafficMonitor/releases

Search Hacking, Google Hacking, Google Dork, Shodan

Google

Query      Description                 Example
filetype   Search for file type        filetype:txt
inurl      Search URL                  inurl:"/login.html"
intext     Search text from articles   intext:"Download"
intitle    Search title                intitle:"Joomla"

Documents

"default username password" filetype:pdf
"scanned by camscanner" filetype:pdf
Document with default username and password included

Data

intitle:"Namenode information" AND inurl:":50070/dfshealth.html"
hadoop HDFS

intitle:"netdata dashboard" AND intext:"Costa Tsaousis"
netdata dashboard

Video

intitle:"Live View / – AXIS"
intitle:"Network Camera NetworkCamera"
intitle:"Yawcam" inurl:8081
intitle:"VB Viewer"
inurl:embed.html inurl:dvr
inurl:/guestimage.html
inurl:"/view/view.shtml?id="

Github

Email credential

@gmail.com smtp
Github Search “@gmail.com smtp”

Database credential

mysql_pass
Github Search – "mysql_pass"

Bonus: More Google Hacking tricks can be found here: Google Hacking Database
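
The Google operators in the table above can also be pointed at an inventory of your own pages (from a crawl or sitemap) to see which of them a given dork would surface. The sketch below is an added example, not code from the original page; it approximates each operator as a case-insensitive substring match, and the inventory, hostnames and function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed inventory of our own pages (url, <title>, visible text).
INVENTORY = [
    {"url": "https://intranet.example.com/docs/router-setup.pdf",
     "title": "Router setup guide",
     "text": "The default username password pair is printed on the label."},
    {"url": "http://hdfs.example.com:50070/dfshealth.html",
     "title": "Namenode information",
     "text": "Overview 'nn1:8020' (active)"},
    {"url": "https://www.example.com/login.html",
     "title": "Sign in",
     "text": "Please sign in to continue."},
    {"url": "https://www.example.com/blog/hello",
     "title": "Hello world",
     "text": "Download our brochure."},
]

# Dorks copied from this page.
PAGE_DORKS = [
    '"default username password" filetype:pdf',
    'intitle:"Namenode information" AND inurl:":50070/dfshealth.html"',
    'inurl:"/login.html"',
    'intitle:"Joomla"',
]

# operator:"quoted value" | operator:value | "quoted phrase" | bare word
TOKEN = re.compile(r'(?:(\w+):)?(?:"([^"]*)"|(\S+))')


def parse_dork(query):
    """Split a dork into (operator, value) terms; operator is None for bare terms."""
    query = query.replace("\u201c", '"').replace("\u201d", '"')  # curly -> straight quotes
    terms = []
    for op, quoted, bare in TOKEN.findall(query):
        value = quoted if quoted else bare
        if not op and value.upper() == "AND":  # conjunction is implicit
            continue
        terms.append((op.lower() or None, value.lower()))
    return terms


def matches(page, terms):
    """True if every term of the dork matches this page (approximate semantics)."""
    url = page["url"].lower()
    title = page["title"].lower()
    text = page["text"].lower()
    path = urlparse(url).path
    for op, value in terms:
        if op is None:
            ok = value in title or value in text or value in url
        elif op == "inurl":
            ok = value in url
        elif op == "intitle":
            ok = value in title
        elif op == "intext":
            ok = value in text
        elif op == "filetype":
            ok = path.endswith("." + value)
        else:
            raise ValueError(f"unsupported operator: {op}")
        if not ok:
            return False
    return True


def audit(inventory, dorks):
    """Return {dork: [urls it would surface]} for dorks with at least one hit."""
    findings = {}
    for dork in dorks:
        terms = parse_dork(dork)
        hits = [page["url"] for page in inventory if matches(page, terms)]
        if hits:
            findings[dork] = hits
    return findings


if __name__ == "__main__":
    for dork, urls in audit(INVENTORY, PAGE_DORKS).items():
        print(dork)
        for url in urls:
            print("   ", url)
```

Pages that show up in the findings are candidates for access control, removal, or a noindex directive.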

Shodan

Shodan – Search engine which allows users to discover various types of devices (routers, webcams, computers etc.)

Note: Shodan is not completely free, it is more like freemium.

Shodan Search – webcam 7
  • city: find devices in a particular city
  • country: find devices in a particular country
  • geo: search by coordinates
  • hostname: find the hostname that matches
  • os: search particular operating system
  • port: find particular open ports
  • before/after: find results within a specific timeframe

Find Apache servers in Germany

apache country:"DE"

Find Nginx servers in Russia

nginx country:"RU"

Find GWS (Google Web Server):

"Server:gws" hostname:"google"

Find Cisco devices on a particular subnet

cisco net:"xxx.xxx.xxx.x/24"