Merge branch 'master' of https://github.com/The-Art-of-Hacking/art-of-hacking

CONTRIBUTING.md

@@ -0,0 +1,73 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, and other contributions
+that are not aligned to this Code of Conduct, or to ban temporarily or
+permanently any contributor for other behaviors that they deem inappropriate,
+threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces and in public spaces
+when an individual is representing the project or its community. Examples of
+representing a project or community include using an official project e-mail
+address, posting via an official social media account, or acting as an appointed
+representative at an online or offline event. Representation of a project may be
+further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at [INSERT EMAIL ADDRESS]. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

README.md

@@ -5,10 +5,10 @@ The following are the different video courses that will be part of the Art of Ha
 
 * [Security Penetration Testing (The Art of Hacking Series) LiveLessons](https://www.safaribooksonline.com/library/view/security-penetration-testing/9780134833989/)
 * [Wireless Networks, IoT, and Mobile Devices Hacking (The Art of Hacking Series) LiveLessons](https://www.safaribooksonline.com/library/view/wireless-networks-iot/9780134854632/)
-* Enterprise Penetration Testing and Continuous Monitoring (the Art of Hacking Series)
-* Advanced Web Applications Penetration Testing (The Art of Hacking Series) LiveLessons
-* Advanced Network Hacking (The Art of Hacking Series) LiveLessons
+* Enterprise Penetration Testing and Continuous Monitoring (the Art of Hacking Series) - Available in May 2018.
+* Advanced Web Applications Penetration Testing (The Art of Hacking Series) LiveLessons - Coming Soon!
+* Advanced Network Hacking (The Art of Hacking Series) LiveLessons - Coming Soon!
 
-These courses serve as comprehensive guide for any network and security professional who is starting a career in ethical hacking and penetration testing. It also can help individuals preparing for the Offensive Security Certified Professional (OSCP), the Certified Ethical Hacker (CEH), and any other ethical hacking certification. This course helps any cyber security professional that want to learn the skills required to becoming a professional ethical hacker or that want to learn more about general hacking methodologies and concepts.
+These courses serve as comprehensive guide for any network and security professional who is starting a career in ethical hacking and penetration testing. It also can help individuals preparing for the [Offensive Security Certified Professional (OSCP)](https://www.offensive-security.com/information-security-certifications/), the [Certified Ethical Hacker (CEH)](https://www.eccouncil.org/programs/certified-ethical-hacker-ceh/), [CompTIA PenTest+](https://certification.comptia.org/certifications/pentest) and any other ethical hacking certification. This course helps any cyber security professional that want to learn the skills required to becoming a professional ethical hacker or that want to learn more about general hacking methodologies and concepts.
 
-These video courses are published by Pearson, but this GitHub repository is maintained and supported by the lead author of the series (Omar Santos). 
+These video courses are published by Pearson, but this GitHub repository is maintained and supported by the lead author of the series [Omar Santos](https://omarsantos.io/). 

capture_the_flag/README.md

@@ -1,7 +1,14 @@
 # Capture The Flag (CTF) Information
 Capture the flag (CTF) is a computer security competition that is designed for educational purposes. In Lesson 6.4, "Learning How to Host Enterprise Capture the Flag Events" of the "Enterprise Penetration Testing and Continuous Monitoring (the Art of Hacking Series) LiveLessons" video course, you learned how these CTF work and how you can potentially create these as a "cyber range" within your enterprise. The following are a few links that provide numerous resources and references to past and current CTF events, as well as online practice sites.
 
+## This is one of the best resources: 
+* https://github.com/apsdehal/awesome-ctf
+
+## Some others:
 * https://ctftime.org
 * https://ctf365.com
 * http://captf.com
 * https://pentesterlab.com/exercises
+* http://vulnhub.com
+* https://challenges.re/
+* http://cryptopals.com/

pen_testing_reports/README.md

@@ -8,3 +8,4 @@ The following are several resources that are useful when writing penetration tes
 | Offensive Security example |https://www.offensive-security.com/reports/sample-penetration-testing-report.pdf |
 | NII Consulting sample report | http://www.niiconsulting.com/services/security-assessment/NII_Sample_PT_Report.pdf |
 | PCI Security report guidance | https://www.pcisecuritystandards.org/documents/Penetration_Testing_Guidance_March_2015.pdf |
+| Dradis Framework | https://dradisframework.com/ce/ |

reverse_engineering/README.md

@@ -19,6 +19,40 @@
 * [objdump](http://linux.die.net/man/1/objdump)
 * [Radare](http://www.radare.org/r/)
 
+## Dynamic Analysis
+
+* [Autoruns](https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns)
+* [Process Monitor](https://docs.microsoft.com/en-us/sysinternals/downloads/procmon)
+* [Process Explorer](https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer)
+* [Process Hacker](https://processhacker.sourceforge.io/)
+* [Noriben - Portable, Simple, Malware Analysis Sandbox](https://github.com/Rurik/Noriben)
+* [API Monitor](http://www.rohitab.com/apimonitor)
+* [INetSim: Internet Services Simulation Suite](http://www.inetsim.org/)
+* [FakeNet](https://practicalmalwareanalysis.com/fakenet/)
+* [Volatility Framework](https://github.com/volatilityfoundation/volatility)
+* [Stardust](https://my.comae.io/login)
+* [LiME: Linux Memory Extractor](https://github.com/504ensicsLabs/LiME)
+
+## Sandbox and Stuff
+* [Cuckoo](https://cuckoosandbox.org/)
+
+## Deobfuscation
+
+* [Balbuzard](https://bitbucket.org/decalage/balbuzard/wiki/Home)
+* [de4dot](https://github.com/0xd4d/de4dot)
+* [ex_pe_xor](ex_pe_xor)
+* [iheartxor](http://hooked-on-mnemonics.blogspot.com/p/iheartxor.html)
+* [FLOSS](https://github.com/fireeye/flare-floss)
+* [NoMoreXOR](https://github.com/hiddenillusion/NoMoreXOR)
+* [PackerAttacker](https://github.com/BromiumLabs/PackerAttacker)
+* [unpacker](https://github.com/malwaremusings/unpacker/)
+* [unxor](https://github.com/tomchop/unxor/)
+* [VirtualDeobfuscator](https://github.com/jnraber/VirtualDeobfuscator)
+* [XORBruteForcer](http://eternal-todo.com/var/scripts/xorbruteforcer)
+* [XORSearch & XORStrings](https://blog.didierstevens.com/programs/xorsearch/)
+* [xortool](https://github.com/hellman/xortool)
+
+
 ## Awesome Reversing
 * https://github.com/fdivrp/awesome-reversing - a plethora of references of tools, practice sites, and other reverse engineering information
 

useful_commands_and_scripts/letmeout.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# quick script to test exfil ports
+# using mubix letmeoutofyour.net website
+# omar santos @santosomar
+
+
+for i in $(eval echo {$1..$2})
+do
+    echo "Is port $i open for potential exfil?"
+    curl http://letmeoutofyour.net:$i
+
+done

web_application_testing/README.md

@@ -0,0 +1,26 @@
+# Web Application Testing References
+
+
+## Vulnerable Servers
+There are a series of vulnerable web applications that you can use to practice your skills in a safe environment. You can get more information about them in the [vulnerable_servers directory in this repository](https://github.com/The-Art-of-Hacking/art-of-hacking/tree/master/vulnerable_servers).
+
+## A Few Popular Tools
+The following are a few popular tools that you learned in the video courses part of these series:
+* [Burp Suite](https://portswigger.net/burp)
+* [OWASP Zed Attack Proxy (ZAP)](https://github.com/zaproxy/zaproxy)
+* [sqlmap](http://sqlmap.org/)
+* [Paros Proxy](http://sectools.org/tool/paros/)
+* [httrack](https://www.httrack.com/)
+* [skipfish](https://code.google.com/archive/p/skipfish/)
+
+## How to Integrate OWASP ZAP with Jenkins
+You can integrate ZAP with Jenkins and even automatically create Jira issues based on your findings. You can download the [ZAP plug in here](https://wiki.jenkins.io/display/JENKINS/zap+plugin).
+
+[This video](https://www.youtube.com/watch?v=mmHZLSffCUg) provides an overview of how to integrate  
+
+## Popular Commercial Tools
+* [Qualys Web Scanning](https://www.qualys.com/apps/web-app-scanning/)
+* [IBM Security AppScan](https://www.ibm.com/security/application-security/appscan)
+
+## TONS of #AWESOME Web Security Resources
+* https://github.com/qazbnm456/awesome-web-security

windows/README.md

@@ -0,0 +1,7 @@
+# Resources for Windows-based Assessments
+
+* [The Active Directory module for Windows PowerShell is a PowerShell module that consolidates a group of cmdlets.](https://docs.microsoft.com/en-us/powershell/module/addsadministration/?view=win10-ps)
+* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit)
+* [CimSweep](https://github.com/PowerShellMafia/CimSweep)
+* [PowerSCCM](https://github.com/PowerShellMafia/PowerSCCM)
+* [SANS PowerShell Cheat Sheet](https://pen-testing.sans.org/blog/2016/05/25/sans-powershell-cheat-sheet/)