Blogs worth it
- Carnal0wnage
- McGrew Security
- Blog | GNUCITIZEN
- Darknet
- spylogic.net
- TaoSecurity
- Room362.com
- SIPVicious
- PortSwigger.net
- Blog - pentestmonkey.net
- Jeremiah Grossman
- omg.wtf.bbq.
- SkullSecurity
- Metasploit
- Security and Networking
- Skeptikal.org
- Digital Soapbox
- tssci security
- Blog - Gotham Digital Science
- Reiners’ Weblog
- Bernardo Damele A. G.
- Laramies Corner
- Attack and Defense Labs
- Billy (BK) Rios
- Common Exploits
- extern blog SensePost;
- Weapons of Mass Analysis
- Exploit KB
- Security Reliks
- MadIrish.net
- sirdarckcat
- Reusable Security
- Myne-us
- www.notsosecure.com
- SpiderLabs Anterior
- Corelan Team | Peter Van Eeckhoutte (corelanc0d3r)
- DigiNinja
- Home Of PaulDotCom Security Podcast
- Attack Vector
- deviating.net
- Alpha One Labs
- SmashingPasswords.com
- wirewatcher
- gynvael.coldwind//vx.log
- Nullthreat Security
- Archangel Amael's BT Tutorials
- memset's blog
- ihasomgsecurityskills
- punter-infosec
- Security Ninja
- Security and risk
- GRM n00bs
- Kioptrix
- ::eSploit::
- PenTestIT — Your source for Information Security Related information!
- Your source for Information Security related information!
Forums
- Kali Forums
- EliteHackers.info
- InterN0T forum
- Government Security
- Hack This Site Forum
- iExploit Hacking Forum
- Security Override
- bright-shadows.net
- ethicalhacker.net
- sla.ckers.org
Magazines
Video
Methodologies
OSINT
Presentations
- Enterprise Open Source Intelligence Gathering – Part 1 Social Networks spylogic.net
- Enterprise Open Source Intelligence Gathering – Part 2 Blogs, Message Boards and Metadata pylogic.net
- Enterprise Open Source Intelligence Gathering – Part 3 Monitoring and Social Media Policies — spylogic.net
- Tactical Information Gathering
- document_metadata_the_silent_killer__32974 (application/pdf Object)
- footprinting - passive information gathering before a pentest
People and Orginizational
- spokeo.com - People Search
- backgroundchecks.org
- Spoke.com - Business Directory
- Business Network - Social Network for Business Professionals
- ZoomInfo
- Pipl - People Search
- Free People Search by ZabaSearch!
- Free People Finder and Company Search | SearchBug
- Free People Search
- Addictomatic: Inhale the Web
- Real Time Search - Social Mention
- EntityCube
- yasni.com | No. 1 free people search - Find anyone on the web
- Tweepz.com - search, find and discover interesting people on twitter
- TweepSearch :: Twitter Profile and Bio Search
- Glassdoor.com - Company Salaries and Reviews
- Jigsaw Business Contact Directory
- Full Text Search
- TinEye Reverse Image Search
- PeekYou
- PicFog - Quick Image Search
- Twapper Keeper - "We save tweets" - Archive Tweets
- White Pages | Email Lookup | People Find Tools at The Ultimates
Infastructure
- Netcraft Uptime Survey
- SHODAN - Computer Search Engine
- Domain Tools: Whois Lookup and Domain Suggestions
- Free online network utilities - traceroute, nslookup, automatic whois lookup, ping, finger
- http://hackerfantastic.com/
- WHOIS and Reverse IP Service
- SSL Labs - Projects / Public SSL Server Database - SSL Server Test
- MyIPNeighbors Reverse IP Lookup
- Google Hacking Database, GHDB, Google Dorks
- Domain - reports and all about ips, networks and dns
- net toolkit::index
- IHS | GHDB
Exploits and Advisories
Cheat Sheets and Syntax
- Big Port DB | Cirt
- Cheat Sheet : All Cheat Sheets in one page
- Security Advancements at the Monastery » Blog Archive » What’s in Your Folder: Security Cheat Sheets
- Information about developments at the Monastery
Agile Hacking
- Agile Hacking: A Homegrown Telnet-based Portscanner | GNUCITIZEN
- Command Line Kung Fu
- Simple yet effective: Directory Bruteforcing
- The Grammar of WMIC
- Windows Command-Line Kung Fu with WMIC
- Windows CMD Commands
- running a command on every mac
- Syn: Command-Line Ninjitsu
- WMIC, the other OTHER white meat.
- Hacking Without Tools: Windows - RST
- Pentesting Ninjitsu 1
- Pentesting Ninjitsu 2 Infrastructure and Netcat without Netcat
- [PenTester Scripting]
- windows-scripting-COM-tricks
- Advanced-Command-Exploitation
OS & Scripts
- IPv4 subnetting reference - Wikipedia, the free encyclopedia
- All the Best Linux Cheat Sheets
- SHELLdorado - Shell Tips & Tricks (Beginner)
- Linux Survival :: Where learning Linux is easy
- BashPitfalls - Greg's Wiki
- Rubular: a Ruby regular expression editor and tester
- http://www.iana.org/assignments/port-numbers
- Useful commands for Windows administrators
- All the Best Linux Cheat Sheets
- Rubular: a Ruby regular expression editor
Tools
Distros
Labs
ISO's / VMs
- Web Security Dojo
- OWASP Broken Web applications Project
- Pentest Live CDs
- NETinVM
- :: moth - Bonsai Information Security ::
- Metasploit: Introducing Metasploitable
- Holynix pen-test distribution
- WackoPico
- LAMPSecurity
- Hacking-Lab.com LiveCD
- Virtual Hacking Lab
- Badstore.net
- Mutillidae: A Deliberately Vulnerable Set Of PHP Scripts
- Damn Vulnerable Web App - DVWA
- pWnOS
- The ButterFly - Security Project
Vulnerable Software
- Old Version Downloads - OldApps.com
- OldVersion.com
- Web Application exploits, php exploits, asp exploits
- wavsep - Web Application Vulnerability Scanner Evaluation Project
- OWASP SiteGenerator - OWASP
- Hacme Books | McAfee Free Tools
- Hacme Casino v1.0 | McAfee Free Tools
- Hacme Shipping | McAfee Free Tools
- Hacme Travel | McAfee Free Tools
Test Sites
Exploitation Intro
- Exploitation - it-sec-catalog - References to vulnerability exploitation stuff. - Project Hosting on Google Code
- Myne-us: From 0x90 to 0x4c454554, a journey into exploitation.
- Past, Present, Future of Windows Exploitation | Abysssec Security Research
- Smash the Stack 2010
- The Ethical Hacker Network - Smashing The Modern Stack For Fun And Profit
- x9090's Blog: [TUTORIAL] Exploit Writting Tutorial From Basic To Intermediate
- X86 Opcode and Instruction Reference
- This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes.
Reverse Engineering & Malware
Passwords and Hashes
- Password Exploitation Class
- Default Passwords Database
- Sinbad Security Blog: MS SQL Server Password Recovery
- Foofus Networking Services - Medusa::SMBNT
- LM/NTLM Challenge / Response Authentication - Foofus.Net Security Stuff
- MD5 Crackers | Password Recovery | Wordlist Downloads
- Password Storage Locations For Popular Windows Applications
- Online Hash Crack MD5 / LM / NTLM / SHA1 / MySQL - Passwords recovery - Reverse hash lookup Online - Hash Calculator
- Requested MD5 Hash queue
- Virus.Org
- Default Password List
- Electric Alchemy: Cracking Passwords in the Cloud: Breaking PGP on EC2 with EDPR
Wordlists
- "Crack Me If You Can" - DEFCON 2011
- Packet Storm Word Lists
- Passwords - SkullSecurity
- Index of /passwd/passwords
Pass the Hash
MitM
- Introduction to dsniff - GIAC Certified Student Practical
- dsniff-n-mirror.pdf (application/pdf Object)
- dsniff.pdf (application/pdf Object)
- A Hacker's Story: Let me tell you just how easily I can steal your personal data - Techvibes.com
- ECCE101.pdf (application/pdf Object)
- 3.pdf (application/pdf Object)
- Seven_Deadliest_UC_Attacks_Ch3.pdf (application/pdf Object)
- cracking-air.pdf (application/pdf Object)
- bh-europe-03-valleri.pdf (application/pdf Object)
- Costa.pdf (application/pdf Object)
- defcon-17-sam_bowne-hijacking_web_2.0.pdf (application/pdf Object)
- Live_Hacking.pdf (application/pdf Object)
- PasstheParcel-MITMGuide.pdf (application/pdf Object)
- 2010JohnStrandKeynote.pdf (application/pdf Object)
- 18.Ettercap_Spoof.pdf (application/pdf Object)
- EtterCap ARP Spoofing & Beyond.pdf (application/pdf Object)
- Fun With EtterCap Filters.pdf (application/pdf Object)
- The_Magic_of_Ettercap.pdf (application/pdf Object)
- arp_spoofing.pdf (application/pdf Object)
- Ettercap(ManInTheMiddleAttack-tool).pdf (application/pdf Object)
- ICTSecurity-2004-26.pdf (application/pdf Object)
- ettercap_Nov_6_2005-1.pdf (application/pdf Object)
- MadIrish.net Mallory is More than a Proxy
- Thicknet: It does more than Oracle, Steve Ocepek securityjustice on USTREAM. Computers
Tools
OSINT
Metadata
- document-metadata-silent-killer_32974 (application/pdf Object)
- [strike out]
- ExifTool by Phil Harvey
- Edge-Security - Metagoofil - Metadata analyzer - Information Gathering
- Security and Networking - Blog - Metadata Enumeration with FOCA
Google Hacking
Web
- BeEF
- BlindElephant Web Application Fingerprinter
- XSSer: automatic tool for pentesting XSS attacks against different applications
- RIPS | Download RIPS software for free at SourceForge.net
- http://www.divineinvasion.net/authforce/
- Attack and Defense Labs - Tools
- Browser_Exploitation_for_Fun&Profit
- Using sqid (SQL Injection Digger) to look for SQL Injection
- pinata-CSRF-tool
- XSSer: automatic tool for pentesting XSS attacks against different applications
- Clickjacker
- unicode-fun.txt ≈ Packet Storm
- WebService-Attacker
Attack Strings
Shells
Scanners
- w3af - Web Application Attack and Audit Framework
- skipfish - Project Hosting on Google Code
- sqlmap: automatic SQL injection tool
- SQID - SQL Injection digger
- http://www.packetstormsecurity.org/UNIX/scanners/XSSscan.py.txt
- WindowsAttack - fimap - Windows Attacking Example - Project Hosting on Google Code
- fm-fsf - Project Hosting on Google Code
- Websecurify
- News :: Arachni - Web Application Security Scanner Framework
- rfiscan ≈ Packet Storm
- lfi-rfi2 scanner ≈ Packet Storm
- inspathx – Tool For Finding Path Disclosure Vulnerabilities
- DotDotPwn - The Directory Traversal Fuzzer 2.1 ≈ Packet Storm
Proxies
Burp
- fuzzing-approach-credentials-discovery-burp-intruder_33214 (application/pdf Object)
- Constricting the Web: The GDS Burp API - Gotham Digital Science
- Browse Belch - Burp External Channel v1.0 Files on SourceForge.net
- Burp Suite Tutorial – Repeater and Comparer Tools « Security Ninja
- w3af in burp
- Attack and Defense Labs - Tools
- burp suite tutorial - English
- SensePost - reDuh - HTTP Tunneling Proxy
- OWASP WebScarab NG Project - OWASP
- Mallory: Transparent TCP and UDP Proxy – Intrepidus Group - Insight
- Fiddler Web Debugger - A free web debugging tool
- Watcher: Web security testing tool and passive vulnerability scanner
- http://www.hackingeek.com/2010/08/x5s-encuentra-fallos-xss-lfi-rfi-en-tus.html%26hl%3Den&rurl=translate.google.com&twu=1
- koto/squid-imposter - GitHub
- squid-imposter - Phishing attack w/HTML5 offline cache framework based on Squid proxy
Social Engineering
Password
Metasploit
- markremark: Reverse Pivots with Metasploit - How NOT to make the lightbulb
- WmapNikto - msf-hack - One-sentence summary of this page. - Project Hosting on Google Code
- markremark: Metasploit Visual Basic Payloads in action
- Metasploit Mailing List
- PaulDotCom: Archives
- OpenSSH-Script for meterpreter available !
- Metasploit: Automating the Metasploit Console
- 561
- Deploying Metasploit as a Payload on a Rooted Box Tutorial
- Metasploit/MeterpreterClient - Wikibooks, collection of open-content textbooks
- SecTor 2010 - HD Moore - Beyond Exploits on Vimeo
- XLSinjector « Milo2012's Security Blog
- Armitage - Cyber Attack Management for Metasploit
- Nsploit
- neurosurgery-with-meterpreter
- (automating msf) UAV-slides.pdf
MSF Exploits or Easy
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
- Tenable Network Security
NSE
Net Scanners & Scripts
- Nmap
- sambascan2 - SMB scanner
- SoftPerfect Network Scanner
- OpenVAS
- Nessus Community | Tenable Network Security
- Nexpose Community | Rapid7
- Retina Community
Post Exploitation
Netcat
- Re: Your favorite Ncat/nc/Netcat trick? - ReadList.com
- ads.pdf (application/pdf Object)
- Netcat_for_the_Masses_DDebeer.pdf (application/pdf Object)
- netcat_cheat_sheet_v1.pdf (application/pdf Object)
- socat
- NetCat tutorial: Day1 [Archive] - Antionline Forums - Maximum Security for a Connected World
- Netcat tricks « Jonathan’s Techno-tales
- Nmap Development: Re: Your favorite Ncat/nc/Netcat trick?
- Few Useful Netcat Tricks « Terminally Incoherent
- Skoudis_pentestsecrets.pdf (application/pdf Object)
- Cracked, inSecure and Generally Broken: Netcat
- Ncat for Netcat Users
Source Inspection
Firefox Addons
- David's Pen Testing (Security) Collection :: Collections :: Pengaya untuk Firefox
- OSVDB :: Add-ons for Firefox
- Packet Storm search plugin. :: Add-ons for Firefox
- Default Passwords - CIRT.net :: Add-ons for Firefox
- Offsec Exploit-db Search :: Add-ons for Firefox
- OVAL repository search plugin :: Add-ons for Firefox
- CVE ® dictionary search plugin :: Add-ons for Firefox
- HackBar :: Add-ons for Firefox
Tool Listings
Training/Classes
Sec / Hacking
- Penetration Testing and Vulnerability Analysis - Home
- Network Sniffers Class for the Kentuckiana ISSA 2011 (Hacking Illustrated Series InfoSec Tutorial Videos)
- CNIT 124: Advanced Ethical Hacking -- Sam Bowne
- CS 279 - Advanced Topics in Security
- CS142 Web Programming and Security - Stanford
- CS155 Computer and Network Security - Stanford
- CSE 227: Computer Security - UCSD
- CS 161: Computer Security - UC Berkley
- Security Talks - UCLA
- CSCI 4971 Secure Software Principles - RPI
- MCS 494 UNIX Security Holes
- Software Security - CMU
- T-110.6220 Special Topics in Ifocsec -TKK
- Sec and Infosec Related - MIT
Metasploit
- Metasploit Unleashed
- Metasploit Class Videos (Hacking Illustrated Series InfoSec Tutorial Videos)
- Metasploit Megaprimer 300+ mins of video
- Metasploit Tips and Tricks - Ryan Linn
- OffSecOhioChapter, Metasploit Class2 - Part1
- OffSecOhioChapter, Metasploit Class2 - Part2
- OffSecOhioChapter, Metasploit Class2 - Part3
Programming
Python
- Google's Python Class - Google's Python Class - Google Code
- Python en:Table of Contents - Notes
- TheNewBoston – Free Educational Video Tutorials on Computer Programming and More! » Python
- Python Videos, Tutorials and Screencasts
- Learning Python Programming Language Through Video Lectures - good coders code, great reuse
Ruby
Other/Misc
Web Vectors
SQLi
- MSSQL Injection Cheat Sheet - pentestmonkey.net
- SQL Injection Cheat Sheet
- EvilSQL Cheatsheet
- RSnake SQL Injection Cheatsheet
- Mediaservice.net SQLi Cheatsheet
- MySQL Injection Cheat Sheet
- Full MSSQL Injection PWNage
- MS Access SQL Injection Cheat Sheet » krazl - ™ ķЯαž£ ™ - bloggerholic
- MS Access SQL Injection Cheat Sheet
- Penetration Testing: Access SQL Injection
- Testing for MS Access - OWASP
- Security Override - Articles: The Complete Guide to SQL Injections
- Obfuscated SQL Injection attacks
- Exploiting hard filtered SQL Injections « Reiners’ Weblog
- SQL Injection Attack
- YouTube - Joe McCray - Advanced SQL Injection - LayerOne 2009
- Joe McCray - Advanced SQL Injection - L1 2009.pdf (application/pdf Object)
- Joseph McCray SQL Injection
- sla.ckers.org web application security forum :: Obfuscation :: SQL filter evasion
- sqli2.pdf (application/pdf Object)
- SQL Server Version - SQLTeam.com
- Overlooked SQL Injection 20071021.pdf (application/pdf Object)
- SQLInjectionCommentary20071021.pdf (application/pdf Object)
uploadtricks
- bypassing upload file type - Google Search
- Skeptikal.org: Adobe Responds... Sort Of
- Secure File Upload in PHP Web Applications | INSIC DESIGNS
- Stupid htaccess Tricks • Perishable Press
- Tricks and Tips: Bypassing Image Uploaders. - By: t3hmadhatt3r
- Security FCKeditor ADS File Upload Vulnerability - Windows Only
- Cross Site Scripting scanner – Free XSS Security Scanner
- VUPEN - Microsoft IIS File Extension Processing Security Bypass Vulnerability / Exploit (Security Advisories - VUPEN/ADV-2009-3634)
- Uploading Files Using the File Field Control
- TangoCMS - Security #237: File Upload Filter Bypass in TangoCMS <=2.5.0 - TangoCMS Project
- Full Disclosure: Zeroboard File Upload & extension bypass Vulnerability
- Cross-site File Upload Attacks | GNUCITIZEN
- TikiWiki jhot.php Script File Upload Security Bypass Vulnerability
- FileUploadSecurity - SH/SC Wiki
LFI/RFI
- http://pastie.org/840199
- Exploiting PHP File Inclusion – Overview « Reiners’ Weblog
- LFI..Code Exec..Remote Root!
- Local File Inclusion – Tricks of the Trade « Neohapsis Labs
- Blog, When All You Can Do Is Read - DigiNinja
XSS
- The Anatomy of Cross Site Scripting
- Whitepapers - www.technicalinfo.net
- Cross-Site Scripting (XSS) – no script required - Tales from the Crypto
- Guide Cross Site Scripting - Attack and Defense guide - InterN0T - Underground Security Training
- BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf (application/pdf Object)
- sirdarckcat: Our Favorite XSS Filters and how to Attack them
- Filter Evasion – Houdini on the Wire « Security Aegis
- HTML5 Security Cheatsheet
- XSS - Cross Site Scripting
- sla.ckers.org web application security forum :: XSS Info
- [DOM Based Cross Site Scripting or XSS of the Third Kind] Web Security Articles - Web Application Security Consortium
- What's Possible with XSS?
Coldfusion
- ColdFusion directory traversal FAQ (CVE-2010-2861) | GNUCITIZEN
- Attacking ColdFusion. | Sigurnost i zastita informacija
- Attacking ColdFusion
- HP Blogs - Adobe ColdFusion's Directory Traversal Disaster - The HP Blog Hub
- 254_ShlomyGantz_August2009_HackProofingColdFusion.pdf (application/pdf Object)
- Adobe XML Injection Metasploit Module | carnal0wnage.attackresearch.com
- Computer Security Blog: PR10-08 Various XSS and information disclosure flaws within Adobe ColdFusion administration console
SharePoint
Lotus
- Lotus Notes/Domino Security - David Robert's -castlebbs- Blog
- Penetration Testing: Re: Lotus Notes
- Hacking Lotus Domino | SecTechno
jboss
- Whitepaper-Hacking-jBoss-using-a-Browser.pdf (application/pdf Object)
- Minded Security Blog: Good Bye Critical Jboss 0day
vmware web
Oracle appserver
- hideaway [dot] net: Hacking Oracle Application Servers
- Testing for Oracle - OWASP
- OraScan
- NGSSQuirreL for Oracle
- hpoas.pdf (application/pdf Object)
SAP
Wireless
Capture the Flag/Wargames
misc/unsorted
- http://www.ikkisoft.com/stuff/SMH_XSS.txt
- XFS 101: Cross-Frame Scripting Explained | SecureState Information Security Blog
- What The Fuck Is My Information Security Strategy?
- OWASP_DanielCutbert_Evolution_WebAppPenTest.mp4
- DeepSec 2007 - Aaron Portnoy Cody Pierce - RPC Auditing Tools and Techniques
- extern blog SensePost;
- Zen One: PCI Compliance - Disable SSLv2 and Weak Ciphers
- HD Moore on Metasploit, Exploitation and the Art of Pen Testing | threatpost
- Network Time Protocol (NTP) Fun | carnal0wnage.attackresearch.com
- black-box-scanners-dimva2010.pdf (application/pdf Object)
- Database_Pen_Testing_ISSA_March_25_V2.pdf (application/pdf Object)
- Stupid htaccess Tricks • Perishable Press