sec-pentesting-toolkit/README.md

Gray Hacker Resources

For fun or profit.

Resource Links

* CTFs and WARGAMES

* CRYPTOGRAPHY

* FORENSICS

* LINUX HACKING

* MEMORY EXPLOITS

* VULNERABILITIES AND EXPLOITS

* NETWORK and 802.11

* REVERSE ENGINEERING

* RUBBER DUCK

* STEGANOGRAPHY

* WEB EXPLOITS

* OTHER HACKINGS

* PEN TESTING

* MOBILE

* BOTNETS

---

Post-Exploitation

• Metasploit Post Exploitation Command List

• Obscure Systems (AIX, Embeded, etc) Post-Exploit Command List.

• OSX Post-Exploitation.

• Windows Post-Exploitation Command List.

• Linux/Unix/BSD Post-Exploitation Command List.

---

Useful CLI

Searching

grep word f1

sort | uniq -c

diff f1 f2

find -size f1

Compressed Files

zcat f1 > f2

gzip -d file

bzip2 -d f1

tar -xvf file

Connecting to a Server/Port

nc localhost 30000

echo 4wcYUJFw0k0XLShlDzztnTBHiqxU3b3e | nc localhost 30000

openssl s_client -connect localhost:30001 -quiet

nmap -p 31000-32000 localhost

telnet localhost 3000

---

References:

Security analyzers and scanners for CI/CD pipelines

• Static code security analyzers: SonarQube (Javascript scanner), NodeJsScan.
• Package dependency security analyzers: Snyk
• Docker image security analyzers: Hadolint, Clair, Anchore
• AWS IAM permission analyzers: IAM access advisor APIs, PMapper.
• AWS S3 permission analyzers: s3audit.
• Docker runtime anomaly detection: Falco.
• Kubernetes policy security analyzers: RBAC.
• Policy auditing tools: Rakkess.

Books I Recommend

Technical

• Bulletproof SSL and TLS
• Reversing: Secrets of Reverse Engineering
• The Art of Memory Forensics
• The C Programming Language
• The Unix Programming Environment
• UNIX Network Programming
• Threat Modeling: Designing for Security
• The Tangled Web
• The Art of Exploitation
• The Art of Software Security Assessment
• Practical Packet Analysis
• Gray Hat Python
• Black Hat Python
• Violent Python
• Shellcoders Handbook
• Practice Malware Analysis

Articles:

• Continuous security.
• How to not get hacked.

Fun

• Spam Nation
• The Art of Intrusion
• This Machine Kills Secrets

Other Resources

• Krebs Series on how to be in InfoSec: Thomas Ptacek, Bruce Schneier, Charlie Miller
• How to be a InfoSec Geek
• My Blog

License

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. When making a reference to my work, please use my website.