Tom Hudson

(aka TomNomNom)



I'm from Bradford in the UK. I like to fix things, make things, and teach people things. If you want to contact me you can Tweet at me or email me.



My most successful open source project. gron is a tool to make it easier to understand big blobs of JSON. It works by turning JSON into a series of discrete assignments so that you can grep for what you want and see the full 'path' to the values you find. You can turn filtered output back into JSON too.


A common tactic when pentesting web applications is to brute-force files and directories. I'm not a fan of flooding servers with lots of traffic, so I wrote meg to look for one thing in lots of places instead of lots of things in one place.


I wrote unfurl because I was fed up of writing the same regular expressions over and over again to pull bits out of URLs. It parses URLs provided on stdin and lets you specify the parts of the URL you want to pull out. It supports custom output formats by using a printf-style set of format specifiers.


I wrote comb because I often found myself writing pretty much the same nested loops in bash to output every permutation of the lines in two files. Having a dedicated tool speeds things up a lot.

waybackurls's Wayback Machine is a fantastic resource for mapping web applications. I wrote waybackurls to fetch all of the URLs that the Wayback Machine knows about for a set of domains.


gf is a simple wrapper around grep to manage sets of complex and commonly used patterns. I use it when auditing codebases or examining the output of meg.


In the process of writing meg I found myself needing to send requests that had malformed escape sequences and other unusual payloads that Go's HTTP library did not support. I wrote the rawhttp package to give me more fine-grained control over HTTP request.


Link headers are often used in HTTP APIs for pagination, and parsing them turns out to not be all that easy. I wrote the linkheader Go package to do the heavy lifting.


Wake On LAN is a way to make computers power on by sending them a 'Magic' packet over a local network. phpwol is a PHP library to do just that.


It's a fairly common pattern to use a symlink to point to the current version of a codebase. Sometimes it's neccesary to restart processes or clear caches when the version of a codebase changes, so I wrote symwatch to poll a symlink for changes and run a command when they happen.


A while ago I had a need to figure out which xterm color code was the closest to a 24bit color, so I wrote a Go palette and command line tool called xtermcolor to do it for me.


globwatch is a Go package I wrote to watch a glob pattern (e.g. *.log) and emit 'events' when new files match the pattern, files are deleted, or truncated.


Several years ago I found myself writing quite a few command line tools in PHP, and I noticed I was writing very similar code in every tool to process arguments, output things as tables etc. I wrote phargs as a little toolkit to make those kinds of tasks easier.


flatclass is a debugging tool I wrote to make it easier to read and debug PHP classes with deep inheritance trees. It uses reflection to 'flatten' an inheritance tree by recursively copying parent methods into the target class.


httprobe takes a list of domains on stdin and checks for listening HTTP servers. It defaults to looking for HTTP on port 80 and HTTPS on port 443, but you can specify additional ports to try too.


Although meg is useful, it lacks some of the options that curl does. I wrote concurl for the situations where I need a bit more of the power that curl offers. Really it's just a wrapper around running concurrent curl processes to fetch the URLs provided on stdin.


If you want to know more about how computers work, you should watch Ben Eater's fantastic 8-Bit Breadboard Computer project. I didn't have the time to build a real version of his 8-bit computer, so I wrote an emulator for it instead.


Not a single project, but my hacks repo contains ideas I'm trying out, simple tools I'm not quite sure about yet, and one-off scripts that I might need again one day. Several of my other projects started in this repo and graduated to their own repository once I decided they were useful enough to warrant it.


Passive-ish Recon Techniques - BSides Leeds (2018-01-26)

My first security related talk, and the first ever BSides Leeds was a fantastic venue for it. I talk about (mostly) passive ways to gather information on a target for pentesting or taking part in bug bounty programs; like Google Dorking, grepping through GitHub repos, decompiling Android applications, and using's Wayback Machine.

I also introduce a tool I wrote for 'breadth-first' scanning, and some examples of the kinds of things I've found with it.

Big Numbers and the 1Hz CPU - Agile Yorkshire (2017-12-13)

A lightning talk about how humans suck at big numbers, and how long things would take in the world of a 1Hz CPU.

All of the slides were hand-drawn, and I was wearing a party hat because it was Christmas.

Writing Readable Code - Sky Betting & Gaming (2017-03-22)

A compliation of tips and tricks I've gathered across more than a decade of reading source code.

There's nothing particularly groundbreaking here, but I really wanted to collect all of the things that I think make it easier to read code into one place.

Let's Build a Virtual Machine! - Hey! (2014-10-28)

Live-coding a simple language VM on stage. What could possibly Go wrong?

Things like the JVM used to just seem like magic black boxes to me, so I decided to learn how they work. Once I'd realised how simple the core concepts are I couldn't help myself but to share.

© Tom Hudson 2024