Gitrob is a command line tool which can help organizations and security professionals find sensitive information lingering in publicly available files on GitHub. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.


AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.

Data Flow Diagram and Attack Tree libraries for

Data Flow Diagrams (DFD) and Attack Trees are common tools when performing threat modeling of systems. Unfortunately there aren't a lot of tools out there to do this, which lead me to create custom libraries for doing both DFD and Attack Trees in the free and cros-platform diagramming tool.


Birdwatcher is a data analysis and OSINT framework for Twitter. Birdwatcher supports creating multiple workspaces where arbitrary Twitter users can be added and their tweets harvested through the Twitter API for offline storage and analysis. Birdwatcher comes with several modules which can be envoked to further enrich collected data or work with it, e.g. Retrieving user's Klout score, generating social graphs between users and weighted word clouds based on their Tweets.


Searchpass is a simple tool for offline searching of default credentials for network devices, web applications and more.

Diceware Password Generator

Diceware is a method for creating secure passphrases. The normal procedure requires several rolls with a die which can be pretty time consuming, but the Diceware Passphrase Generator simulates this procedure in code to make it much faster. The passphrase generation is done with client-side Javascript, so no passphrase is ever transfered over the wires, and the Javascript code is delivered over TLS/SSL which provides reasonable protection against tampering.


HackPad is a web application hacker's toolbox. It is meant as a central place to access all the common encoding and decoding functions that are often used when doing a security assessment on a web application. All functions are implemented in client-side Javascript, so there is no risk of leaking sensitive data.


This far from a complete list of tools and projects, I play around with stuff all the time and open-source most of it. You can check out my GitHub profile for more.