Info
This page shares ideas, community resources, skills and technical knowledge about Cyber Security and Information Security, and how we can improve our skills through labs and CTF contests
Awesome Articles / Blogs / Collections InfoSec
Articles
Info
My collection of articles on tools and techniques that are useful for learning and practicing cyber and information security
- Cloud - Creating unintentional ways to bypass AWS IAM policies when using the “ForAllValues” operator
- Crypto - Practical Cryptography : Talks about cryptography and explains it in more depth
- Forensics - Hiding Information by Manipulating an Image’s Height
- Forensics - Information hiding
- Forensics - Modifying Embedded Filesystems in ARM Linux zImages
- Forensics - Steghide - An Easy way to Hide Confidential Data Inside Images and Sound Objects in Linux
- General - Medium - Rust for Cyber Security and Red Teaming
- General - Python for DevSecOps and Any Security Engineer
- Networking - 10 Useful Open Source Security Firewalls for Linux Systems
- Networking - Cisco - Configuring Virtual Private LAN Service (VPLS)
- Networking - Connecting a private LAN through Cloudflare Tunnels using Wireguard - Vietnamese
- Networking - Medium - SSH Over Openssl Over Haproxy: Bypassing Blocks
- Networking - Medium - Top 9 VPN Alternative Technologies For Future Remote Access
- Networking - Medium - Using Suricata Intrusion Prevention System To Monitor Network Traffic
- Networking - Medium - VPN is dead? Long live the Jump Host?
- Networking - What is multiprotocol label switching (MPLS)?
- Networking - Zero Trust Network Access (ZTNA) vs VPNs
- Pwnable - Different types of Computer Viruses - Computer Virus Classification
- Pwnable - Get Reverse-shell via Windows one-liner - Hacking Articles
- Pwnable - Linux Privilege Escalation - Vietnamese
- Pwnable - Medium - Breaking Free: 26 Advanced Techniques to Escape Docker Containers
- Pwnable - Medium - Docker and runC Vulnerabilities: A Deep Dive into CVE-2024–21626 and Its Counterparts
- Pwnable - Medium - Ping Power — ICMP Tunnel
- Pwnable - Wiz.io - CVE-2024-3094 : Backdoor XZ
- Pwnable - x86 and amd64 instruction reference
- SOC - Networking - Medium - Building an Effective SOC with Open-Source SIEM Tools: My Master’s Project Journey
- Web - Medium - Google Dorking: A Hacker’s Best Friend
- Web - Medium - How to find subdomain takeover using httpx + dig
Blogs
Info
Blogs that provide more information about techniques, tools and crazy things in the information security field
- AttackerKB : CVE analysis
- Blog | hackers-arise
- Cloudflare Blog
- Cloudflare Learning
- ElNiak Blog
- Escape - The API Security Blog
- Hackerone Blog
- Hacking Articles - Raj Chandel’s Blog
- HighOn.Coffee: Penetration Testing && Security Research
- HTB Blog
- Intigriti Blog
- KitPloit - PenTest & Hacking Tools
- LRTV Blog
- Medium - Coded Conversations 🔐💬
- Medium - Infosec Writeups
- Medium - n00🔑
- Medium - OSINT Team: OSINT from multiple perspectives
- Medium - S12 H4CK
- Medium - System Weakness
- Pentester Land - Offensive InfoSec
- Prof Bill Buchanan OBE FRSE : Professor of Cryptography
- Reddit Hacking
- Sebastian Neef - 0day.work
- SSH Academy
- Sun* Cyber Security Team - Vietnamese
- The Hacker News - Cybersecurity News and Analysis
- THM Blog
- tl;dr sec
- Top Cybersecurity And Information Security Guides - HackersOnlineClub
- Troy Hunt
- Vsociety - CVE Org analysis : CVE analysis and publish CVE
- WhiteHat.vn
- With Secure Publications
- Wiz.blog
General
Info
General resources that cover a lot of ground when you want to get started with cyber and information security
- Books - bugbounty-cheatsheet/books.md at master · EdOverflow/bugbounty-cheatsheet
- Knowledge - Bill’s Security Site
- Knowledge - HACKING roadmap
- Knowledge - ISO 27001 vs. 27002 vs. 27003: What’s the Difference?
- Knowledge - OWASP
- Knowledge - OWASP Penetration Testing Check List
- Knowledge - SecurityZines : Visualizes hacking, architecture and technical topics as step-by-step images
- TimeStamp - Cybersecurity Conferences
- Youtube - 60 Hacking Commands You NEED to Know
Awesome InfoSec Repository
Info
These crazy, badass repositories provide a huge amount of information about Cyber and Information Security
Landscape
Repository
- awesome-api-security: A collection of awesome API Security tools and resources. The focus goes to open-source tools and resources that benefit all the community.
- awesome-ctf : A curated list of CTF frameworks, libraries, resources and softwares
- awesome-cybersecurity-handbooks : A huge chunk of my personal notes since I started playing CTFs and working as a Red Teamer.
- awesome-hacker-search-engines : A curated list of awesome search engines useful during Penetration testing, Vulnerability assessments, Red/Blue Team operations, Bug Bounty and more
- awesome-hacking : A collection of various awesome lists for hackers, pentesters and security researchers
- awesome-infosec : A curated list of awesome infosec courses and training resources.
- awesome-pentest : A collection of awesome penetration testing resources, tools and other shiny things
- awesome-privilege-escalation : A curated list of awesome privilege escalation
- CheatSheetSeries : The OWASP Cheat Sheet Series was created to provide a concise collection of high value information on specific application security topics.
- h4cker : About ethical hacking, bug bounties, digital forensics and incident response (DFIR), artificial intelligence security, vulnerability research, exploit development, reverse engineering, and more.
- HackTricks - Cloud : Wikipedia of Hacking Cloud
- HackTricks - Penetration Testing : Wikipedia of Hacking
- MobileApp-Pentest-Cheatsheet : Arsenal for mobile application attack
- OWASP Collection: Free for Open Source Application Security Tools
- OWASP Project : Collection of OWASP open-source projects
- pentest-book: This book contains a bunch of info, scripts and knowledge used during pentests.
- public-pentesting-reports: A list of public penetration test reports published by several consulting firms and academic security groups.
- sec_profile: A Chinese collection about security, with vulnerability profiles and awesome hacking techniques
- the-book-of-secret-knowledge : A collection of inspiring lists, manuals, cheat-sheets, blogs, hacks, one-liners, cli/web tools and more.
- The Hacker Recipes: providing technical guides on various hacking topics
Topics
Bug Bounty
Info
A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities
You can become a participant in a bounty program via
CTF (Capture the flag)
Info
“CTFs are gamified competitive cybersecurity events that are based on different challenges or aspects of information security. They are excellent for both beginners and experienced hackers looking to develop, test, and prove their skills because they gamify hacking concepts. We’re big believers in the power of gamification here at Hack The Box! Gamification makes learning about something like a video game. Because gamification is fun and makes you think creatively, it’s one of the most effective ways to learn and develop skills.”
Best Writeups ever
- CSAW 2k22 ALL WEB WRITEUPS - ./n0s-Writeups
- Noir CSAW22 Writeup - HackMD
- (●´3`●)Goooood
- CSAW CTF
- TFC CTF 2022 Writeup - よっちんのブログ
- KMA - HTB Business CTF 2024: The Vault Of Hope Write Up
Events
- CTFTime : A place where you can find the times of upcoming CTF events.
Introduce
- Awesome CTF | awesome-ctf
- Introduction | CTF Resources
- Top 22 Tools for Solving Steganography Challenges - Yeah Hub
- Use these cheatsheets to increase your CTF speed. | by Vicky Aryan | Nov, 2023 | InfoSec Write-ups
Training page
- Getting started with CTF: a collection of WarGame sites for practice | WhiteHat.vn : Collection of CTFs from WhiteHat, a huge security site (Vietnamese)
- CTFLearn : CTF challenge page where you can practice and level up your skills across multiple CTF categories
- Home Page - ImaginaryCTF : Monthly CTF challenge page with super cool content. You will learn a lot from it
- PicoCTF: The best way for newbies and beginners to start (LEGACY PAGE)
- PWNABLE.VN : A Vietnamese group who created a wonderful page for practicing CTF
- Viblo CTF: Like CTFLearn, but a Vietnamese version
Youtube Channel
- Almond Force: He writes about Web and Forensics CTF challenges, super cool guy
- CryptoCat: InfoSec education channel: CTF walkthroughs, binary exploitation, pen-testing, bug bounty, malware analysis, programming/scripting etc.
- Martin Carlisle: Super cool, and brings you more knowledge about CTF, especially for newbies via PicoCTF
- SloppyJoePirates CTF Writeups: Trust me, he is a really rare CTF player with a lot of passion and helpful content
Tools and Techniques
Cloud
Info
Cloud computing security or, more simply, cloud security, refers to a broad set of policies, technologies, applications, and controls utilized to protect virtualized IP, data, applications, services, and the associated infrastructure of cloud computing. It is a sub-domain of computer security, network security, and, more broadly, information security. Source: Wikipedia
- Hacking the Cloud: An encyclopedia of the attacks/tactics/techniques that offensive security professionals can use on their next cloud exploitation adventure.
- T Wiki : Chinese page that covers cloud security across multiple providers like Azure, AWS, GCP, …
Exploitation
Info
In this phase, the ethical hacker attacks the target and tries to learn something about the weaknesses of the system or applications
Collections about Attack and Defend
- Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
- AD-Attack-Defense : Attack and defend active directory using modern post exploitation adversary tradecraft activity
- Application Security Cheat Sheet: Application Security Cheat Sheet
- Awesome-Hacking-Resources : A collection of hacking / penetration testing resources to make you better!
- CAPEC : Common Attack Pattern Enumeration and Classification (CAPEC™)
- Defend MITRE: Defensive skillset based on real-world scenarios
- GTFOBins : A curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
- impacket-examples-windows: The great impacket example scripts compiled for Windows
- MAAD Attack Framework : An attack tool for simple, fast & effective security testing of M365 & Entra ID (Azure AD).
- Metasploit: Metasploit Framework for penetration testing
- MITRE ATT&CK® : Globally-accessible knowledge base of adversary tactics and techniques based on real-world observations.
- OWASP Cheat Sheet Series : Provide a concise collection of high value information on specific application security topics
- PENTESTING-BIBLE: Attack and Defend articles in PDF
Cryptography
- Boxentriq : Cipher Identifier (online tool)
- CrackStation: Online Password Hash Cracking
- cryptii: Modular conversion, encoding and encryption online
- CrypTool: Try crypto tools, learn cryptography and solve puzzles
- CyberChef: A bunch of cyber tools for crypto and file formats
- dCode: Solvers, Crypto, Maths, Codes, Online Tools
- Morse Code World: Morse code tool for encrypting and decrypting
- RapidTables.com : Online Calculators & Tools
- Unicode Text Steganography Encoders/Decoders : Unicode Text Steganography Encoders/Decoders
Forensics
- Aperi’Solve : Forensics platform that integrates all tools in one place
- BertNase’s Own - npiet fun!
- Brightness and contrast online
- FTK Forensic Toolkit : Toolkit for Forensic
- HexEd.it : Browser-based Online and Offline Hex Editing
- Steganographic Comparator
- Volatility 3 — Volatility 3 2.4.0 documentation: Arsenal for digital forensics
Privilege Escalation (RCE)
- chisel : A fast TCP/UDP tunnel over HTTP
- GTFOBLookup : GTFO Lookup
- nishang : Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
- Online - Reverse Shell Generator
- PEASS-ng : PEASS - Privilege Escalation Awesome Scripts SUITE
Reverse Engineer (RE)
- Compiler Explorer
- CPUlator Computer System Simulator
- Decompiler Explorer
- Valgrind - An instrumentation framework for building dynamic analysis tools, used to detect memory leaks
Webhook
- Beeceptor : API Mocking
- Mockoon: Locally mock API
- Webhook.site : Generates free, unique URLs and e-mail addresses and lets you see everything that’s sent there instantly. (Usage: Steal cookies, bypass authorization, …)
External
Info
My collection of things needed to prepare for security work and to explore how applications defend against attacks on networks, code and more
Burp extension
- agartha : A Burp extension that helps identify injection flaws (LFI, RCE, SQLi), authentication/authorization issues, and HTTP 403 access violations, while also converting HTTP requests to JavaScript for enhanced XSS exploitation.
Code Search Engine
- grep.app | code search : Search for specific code blocks across the GitHub community
Code Validate
- codeql: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
IAST (Interactive Application Security Testing)
- DongTai: (IAST) tool that enables real-time detection of common vulnerabilities in Java applications and third-party components through passive instrumentation.
Mobile
- Apktool: A tool for reverse engineering Android apk files
- mobile-nuclei-templates : Mobile Template for using with nuclei
SOC Operation system
- VultureOS : An operating system based on HardenedBSD. It has been designed to deliver cybersecurity services for the Advens SOC.
Vulnerability management
- django-DefectDojo : DevSecOps, ASPM, Vulnerability Management. All on one platform.
- faraday: Open Source Vulnerability Management Platform
- ThreatMapper: Open Source Cloud Native Application Protection Platform (CNAPP). Documentation
- vuls: Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
Vulnerability Scanner
- Nettacker : Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
- nuclei : Fast and customizable vulnerability scanner based on simple YAML based DSL. Doc and Cloud Platform
- zaproxy : The ZAP core project
Vulnerability Search Engine
- 💀 Sploitus : Exploit & Hacktool Search Engine
- Bug Bounty Hunting Search Engine
- CVE MITRE - CVE
- CVE-Search
- CVE security vulnerability database. Security vulnerabilities, exploits, references and more
- CVE Trends
- CWE - Common Weakness Enumeration
- Exploit Database : Find PoC and Exploit method for Penetration Testers, Researchers, and Ethical Hackers
- NVD NIST
- Search Engine for Security Intelligence | Vulners
- Vulmon - Vulnerability Intelligence Search Engine
- Vulnerability Database 🛡
- Vulnerability & Exploit Database : Exploit DB of Rapid7 (Metasploit product)
Web Application Firewall (WAF)
- lua-resty-waf : High-performance WAF built on the OpenResty stack
- ModSecurity : An open source, cross platform web application firewall (WAF) engine for Apache, IIS and Nginx.
- naxsi : An open-source, high performance, low rules maintenance WAF for NGINX
- Nginx-Lua-Anti-DDoS : An Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript
Networking
Info
Security techniques built around networking concepts and related techniques
External Networking Techniques
- awesome-tunneling : List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.
- frp: A fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet.
- GO Simple Tunnel: A simple security tunnel written in golang
- localtunnel: Localtunnel allows you to easily share a web service on your local development machine without messing with DNS and firewall settings.
- NetExec : The Network Execution Tool. Website
- wstunnel : Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available
- Xray-core: Xray, Penetrates Everything. Also the best v2ray-core, with XTLS support. Fully compatible configuration.
- ZTM : A privacy-first open-source decentralized network software based on HTTP/2 tunnels.
General knowledge
- DomainTools: Reverse IP Lookup - All Names Hosted at an IP
- Subnet Calculator: Calculator for the CIDR concept of subnetting
- VLSM Calculator: Calculator for the VLSM concept of subnetting
VPN
A round of applause for Nyr for contributing a wonderful setup. With these scripts, you need just 1 minute to create your own VPN and connect safely and remotely to your network
- openvpn-install.sh: Setting up openvpn for your host (Author: Nyr)
- wireguard-install.sh: Setting up wireguardvpn for your host (Author: Nyr)
Reconnaissance (All categories)
Info
In this phase, the tester gathers as much information about the target system as they can, including information about the network topology, operating systems and applications, user accounts, and other relevant information. The goal is to gather as much data as possible so that the tester can plan an effective attack strategy.
Browser Search
Container
- crane: A tool for interacting with remote images and registries
- dive : A tool for exploring each layer in a docker image
- trivy: Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more
OSINT
- GPS coordinates, latitude and longitude with interactive Maps
- Internet Archive: Wayback Machine
- TinEye Reverse Image Search
Web
- Censys Search Engine : Web recon tool
- crt.sh : Certificate Search
- digwebinterface : Dig on browser
- DNSdumpster.com: dns recon and research, find and lookup dns records
- Google Public DNS : Find and validate dns with Google DNS
- jwt.io : JSON Web Tokens
- SecLists : Wordlist for attacking
- Shodan Search Engine : Web recon tool
- Snyk : DAST and SAST tools
Threat Intelligence
- openappsec: A machine learning security engine that preemptively and automatically prevents threats against Web Application & APIs.
- teleport: The easiest, and most secure way to access and protect all of your infrastructure.
Training page (LAB)
Info
My collection of what you need to learn, how to solve problems, and how to figure out what you want to do in hacking and security while having fun
Forensics
Info
Network + Forensics + Digital Forensics
- JPEG FIF : Detailed explanation of the JPEG File Interchange Format
- Malware-Traffic-Analysis.net - Traffic Analysis Exercises : Networking labs where you can gain knowledge of network traffic analysis
- MemLabs : Educational, CTF-styled labs for individuals interested in Memory Forensics
Introduce
- HackTricks - HackTricks : Wikipedia of Hacking
- HackTricks Training: Learn Cloud Hacking & Become HackTricks Training Certified
- Hardware All The Things: A curated collection of valuable payloads and bypass techniques tailored for Hardware and IoT Security
- Internal All The Things : Active Directory and Internal Pentest Cheatsheets
- List of hacking websites | RazviOverflow
- Payloads All The Things: Useful payloads and bypasses for Web Application Security
- Web-CTF-Cheatsheet
Reverse Engineer
- Crackme : A place to improve your RE skills
- Nightmare: Intro to binary exploitation / reverse engineering course based around ctf challenges
Security Lab
Info
Misc + Lab Machine
- Application Security Training For Developers | Kontra : Vulnerable-site training with visual illustrations that help you picture what happens when an attack occurs
- Attack-Defense Labs : More labs you can take to build your knowledge, bro trust me.
- GOAD: Game of active directory
- Hack The Box: Hacking Training For The Best | Individuals & Companies : Lab machines where you can put in the effort to pwn a machine and learn red and blue team skills
- HackThisSite : A legal site where you can practice penetration testing
- Online Cyber Security Blue Team Training - CyberDefenders: Learn and improve your defensive Blue Team skills
- OverTheWire: Wargames : Level-based competition in which you need to find the key to reach the next level (HELPFUL - FOR UPGRADING LINUX SKILLS)
- PentesterLab: Learn Web Penetration Testing: The Right Way: Learn and practice penetration testing with labs
- Root Me : Hacking and Information Security learning platform : Like HTB and THM but you will have fun things to exploit
- TryHackMe | Cyber Security Training : Like HTB but more tutorials
- UnderTheWire: Wargames: Wargames that help you improve your hacking skills (HELPFUL - FOR UPGRADING POWERSHELL SKILLS)
- Vulnerable By Design ~ VulnHub : Like HTB and THM, but you need to learn about virtualization to set up the pentest environment
- Web Application Security, Testing, & Scanning - PortSwigger : Learn about web hacking fundamentals (HELPFUL)
Walkthrough
Info
HackTheBox/CTF solutions, hacking techniques and OSCP
- 0xdf hacks stuff | CTF solutions, malware analysis, home lab development
- IppSec Achievement
- OSCP Room Prep - NetSecFocus Trophy Room
- Roadmap to OSCP 2023. Crack OSCP in 6 months, starting from… | by Usman Shah | Medium
- @TJ_Null’s OSCP Prep - YouTube
Youtube Channel
Info
Hacking/InfoSec Youtube Channel
- 13Cubed: Digital Forensics. Hacking. Home Labs.
- Computerphile: All about computers and computer stuff
- Cristi Vlad
- David Bombal : Networking guy with hands-on work on physical network gear and hacking conversations, who guides you on your hacking journey with cool contributions
- DAY0: Previous DAY[0] podcasts as well as other reverse engineering / exploit development-related media
- DC CyberSec: Freelance cybersecurity guy
- Grant Collins: Funny guy who guides you about Cybersecurity career, education, and the occasional deeboodah shenanigans.
- HackerSploit : HackerSploit is the leading provider of free Infosec and cybersecurity training
- Hak5
- InsiderPhD: She guides beginners through bug bounty, with cool content and techniques
- IppSec: Best ever for HTB solutions; guides you through pwning a box and the scenarios for getting there
- John Hammond : Super dope and cool guy who teaches you helpful things and cool stuff about hacking and cyber security
- LiveOverflow: Binary exploitation guy who guides you through it, plus more about IT security
- Loi Liang Yang: Super cool hacking techniques you can explore
- LTN Labs: Empowering others through building engaging educational experiences and communities
- Motasem Hamdan: HTB and THM solutions; a creative guy who will guide you through security
- NahamSec: Bug bounty guy with impressive techniques, hacking conversations and more
- NetworkChuck: Very helpful, super dope and friendly guy with detailed explanations, who can guide you through networking, cloud, Linux and homelabs (Recommended)
- Null Byte : Aspiring ethical hackers, computer scientists, and the infosec community
- SecurityFWD: SecurityFWD shows the latest security tools, amazing projects, and keeps you on the edge of what’s possible in security today.
- Seytonic : Break down and dissect cyber security related tech news
- STÖK: Bug bounty sharing; explains and suggests a cool mindset for bug bounty prep
- The Cyber Mentor: TCM Security, very clear content for beginners
- Zanidd: Hacker, Dev & Educator
- zSecurity: Provides guidance on becoming an ethical hacker