The human fondness for annual lists ranking the “best of” apparently does not skip the Chinese hacking world. A post on a prominent Chinese hacking forum, published on the afternoon of December 29, 2019, has gained much recognition and popularity both inside and outside the forum in recent weeks. The post, written by the forum’s admin and named “2019 year-end hacking tools inventory,” lists the 30 “most outstanding” hacking tools for 2019, as recommended for the forum’s members.

Starting hours after its initial publication, and continuing for several days thereafter, the post was copied to other Chinese forums, as well as to web security blogs and web security sections in popular Chinese portals. Within the forum itself, it has attracted dozens of supportive comments, most of them praising and thanking the forum’s admin for his “contribution to the community.” This post is part of a larger tendency in Chinese hacking forums, where lists of hacking tools intended for novices who use these forums as learning platforms are becoming increasingly prevalent and popular.

The original forum post, showing the first tool on the list – Cobalt Strike

A Diversified Collection

The list contains 30 tools ranked according to their “superiority”, efficiency and utility. Most of the tools on the list (22) are of non-Chinese origin, whereas the rest (8) seem to be original Chinese creations. Although the original post does not provide links for downloading the tools, most are easily traceable and accessible for downloading on the web. The non-Chinese tools are widely available either from the official or designated website of the developer or on GitHub, whereas most Chinese tools are available either on GitHub or on local Chinese web platforms.

Not all recommended tools on the list are attack tools per se. On the contrary, some are legitimate tools, published as commercial programs by established companies, aimed at increasing users’ awareness and protection levels against vulnerabilities. Others are penetration testing tools, aimed at improving users’ web security protection. However, some are primarily attack tools providing framework for conducting brute-force attacks, DDoS attacks and phishing, among other malicious activities. Furthermore, many of the ‘tamer’ tools presented in the original post, such as vulnerability scanners, penetration testing or intelligence collection tools, can be used by threat actors to detect vulnerabilities among potential victims. That point is also stressed in the description of tools inside the post, which implies the potential use of basically defensive tools as attack accessories. Although many of the non-Chinese and a few of the Chinese tools listed in the post are slightly outdated, and were originally uploaded to GitHub or other platforms well before 2019, the post demonstrates that some members of the Chinese hacking community are well-versed in the hacking world outside China and make use of platforms and tools published abroad. Moreover, a fair amount of the original Chinese tools listed in the post were also uploaded to GitHub, a non-Chinese platform, which may imply an outbound approach of some members in the Chinese web security and hacking community.

GodOfHacker – The #1 Chinese Magic Hacking Tool

Of the original Chinese tools listed, the one that grabbed the number one ranking (and third overall) is a tool named GodOfHacker. This tool was uploaded to GitHub about a year ago by a Chinese prolific user, who frequently uses slang and curse words to describe his creation’s traits. Both in the forum post and on GitHub, the program is portrayed as an all-purpose “magic-tool” for hackers, which “combines all sorts of first-class hacking techniques that cover a wide range of functions.” Its uniqueness is that all its features are available using “one-click.” The program is described as highly customized and one that possesses various powerful plug-ins that can be used to “enrich” its functions .

Screenshot of the 1st section of the program “the comprehensive section for fucking websites”

The program is divided into several sections or columns, each with numerous features. The first section is called “Comprehensive Section for Harming [or, using the original word “fucking”] Websites”, and its features are as follows, to name a few:

Performing one-click attacks or one-click zero-day attacks based on domain names or IP defined by the attacker.

Carrying out one-click attacks by choosing a specific vulnerability defined by the attacker.

Defacement, DDoS, knocking down websites’ backend, gaining full admin rights and implanting Trojans, all by one-click.

Knocking down batches of web pages on either Baidu or Google, getting free access online.

Stealing QQ accounts/numbers, using QQ virtual coins, using [website] membership rights, making free phone calls and charging phone/SIM cards.

Gaining access to intranets, surpassing the Great Firewall of China (the Chinese government’s Internet censorship tool), gaining access to gambling arenas in Macao and an IP location finder.

Damaging educational systems, “mining” for vulnerabilities, publishing vulnerabilities, reading internal memory, all be one-click.

The second section is called “Cracking” and features the following functions:

One-click cracking and source-code reversing based on file type.

One-click code annotation (AI), system activation, system penetration and POC generator (for penetration testing purposes).

One-click mobile application cracking, gaming and localization [into Chinese].

The third section features several functions related to Hacker CTF (“Capture the Flag”), a game designed to provide a tutorial environment for students of hacking techniques. The fourth section provides features related to WiFi, including one-click WiFi scraping, WiFi middle-man attacks and access to mobile devices’ picture galleries. In addition, this section also has features such as one-click fake-base station [FBS] attacks (where devices connected to a cellular network are made to connect to it to gather information from those devices), WiFi eavesdropping and WiFi phishing. The fifth section, named “Hardware,” features functions such as harming ATMs, harming unmanned machines, stealing bank cards and charging them and other types of cards.

The tool contains several plug-ins (including using txt and exe files as plug-ins) and supports various languages, such as C/C++, Java, Python, Ruby, JavaScript, php and more.

The plug-in section of the program, showing how a certain IP address is entered by the user and then given the option to conduct tests in English, Chinese or Japanese or to perform brute-force attacks against the site’s backend