Awesome
title: Awesome Security Resources description: A collection of tools, cheatsheets, operating systems, learning materials, and more all related to security. There will also be a section for other Awesome lists that relate to cybersecurity. tags: [penetration-testing, tools, cheatsheet, awesome, security]
Awesome Security Resources
A collection of tools, cheatsheets, operating systems, learning materials, and more all related to security. There will also be a section for other Awesome lists that relate to cybersecurity.
I seem to forget about all the tools and resources when attacking, defending, responding, or looking to learn about cyber security, the purpose of this is to help fix that.
Table of Contents
Security Focused Operating Systems
Name | Description |
---|---|
Commando VM | Virtual Machine dedicated to penetration testing using Windows 10 built by FireEye. |
FLARE-VM | Virtual Machine dedicated to malware analysis and reverse engineering using Windows 10 built by FireEye. |
Kali Linux | Open source linux operating system. Lots of built in tools for penetration testing and offensive security. |
Parrot OS | Debian-based linux operting system focused on security and privacy. Has lots of built in tools. |
SIFT Workstation | A group of free open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings. |
Penetration Testing Tools
These tools are broken up into 4 categories. Enumeration, Exploitation, Privilege Escalation, and Miscellaneous.
-
Enumeration tools are any tools that help in the process of collecting more information about the target being attacked.
-
Exploitation tools are any tools that help in exploiting the target after it has been enumerated.
-
Privilege Escalation tools are the tools that will aid in vertical or horizontal permission change.
-
Micscellaneous tools are any pentesting tools that don't fit in the 3 above categories.
Name | Description |
---|---|
Enumeration | |
Nmap | A free and open source utility for network discovery and security auditing. |
LinEnum | A scripted local linux enumeration tool. |
PSPY | A command line tool designed to snoop on processes without need for root permissions. |
WPScan | A free, for non-commercial use, black box WordPress security scanner written for security professionals and blog maintainers to test the security of their WordPress websites. |
Exploitation | |
Exploit Suggester | Python script to suggesst different exploits to run on different Linux and Windows machines. |
p0wny shell | Single-file PHP shell. |
SharpCat | A Simple Reversed Command Shell which can be started using InstallUtil (Bypassing AppLocker) |
ShellPop | Generate easy and sophisticated reverse or bind shell commands to help you during penetration tests. |
Shellcode tools | About miscellaneous tools written in Python, mostly centered around shellcodes. |
ZackAttack! | A new Tool Set to do NTLM Authentication relaying unlike any other tool currently out there. |
Privilege Escalation | |
DirtyCow POC | Table listing the source code to several different variations of dirtycow. |
GTFOBins | A curated list of Unix binaries that can used to bypass local security restrictions in misconfigured systems. |
Unix Privilege Escalation | Shell script to check for simple privilege escalation vectors on Unix systems. |
Miscellaneous | |
CyberChef | Encoding and decoding tool for a variety of different ciphers. |
Kali Tools | List of all the tools that are pre-installed on Kali linux and an explanation to what they do. |
Hack Tricks | Welcome to the page where you will find each hacking trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news. |
Payload All the Things | A list of useful payloads and bypass for Web Application Security and Pentest/CTF. |
Pentest Book | This book contains a bunch of info, scripts and knowledge used during my pentests. |
Pentest Checklist | Different Checklists to run through durring a pentest engagement. |
PWNTools | CTF framework and exploit development library. |
Red Team Toolkit | A collection of open source and commercial tools that aid in red team operations. |
Various Pentest Tools | Pentesting tools from a pentester. |
DFIR
Name | Description |
---|---|
Jeffrey's Image Metadata Viewer | Shows the data that might be inside a digital image file. |
Steganography Toolkit | Collection of steganography tools - helps with CTF challenges. |
Volatility | An advanced memory forensics framework. |
VolUtility | Web App for Volatility framework |
Malware Analysis
Name | Description |
---|---|
Triage | Malware sandbox or analysis. |
Hybrid Analysis | Free automated malware service |
Virus Total | Online malacious file analyzer |
Reverse Engineering
Name | Description |
---|---|
GDB | The GNU Project Debugger |
IDA | Dissassembler has been the golden standard for years |
Ghidra | Ghidra is a software reverse engineering (SRE) framework created and maintained by the National Security Agency Research Directorate. |
OllyDbg | A 32-bit assembler level analysing debugger for Microsoft Windows. |
Radare2 | A portable reversing framework. |
Networking
Name | Description |
---|---|
CCNA Subreddit | Subreddit dedicated to the CCNA Exam. |
CCNA\CCENT Training Series | A full course of 84 videos for CCNA and CCENT Routing and Switching taught by Cisco Instructor Andrew Crouthamel. |
CCNA Training Series | Youtube Series on CCNA information. |
Impacket | A collection of Python classes for working with network protocols. |
SubnettingPractice | The most extensive subnetting practice site on the web! |
Subnetting.net | Sunetting practice tools. |
Wireshark | The world’s foremost and widely-used network protocol analyzer. |
Wireshark Certified Network Analyst | Youtube series of 15 videos about the WCNA. |
Wireshark Training Documenation | In depth documentation on how to use wireshark. |
Exploit Tools
Name | Description |
---|
OSINT
Name | Description |
---|---|
Bing Image Search | Reverse image search. |
DeHashed | A hacked-database search-engine. |
DNSDumpster | Free domain research tool that can discover hosts related to a domain. |
Jeffrey's Image Metadata Viewer | Simple and free tool that shows the Exif data on images. |
NameCheck | Search site for usernames across different platforms. |
NameCheckup | Search site for usernames across different platforms. |
HaveIBeenPwned | Check to see if an account has been involved in a databreach. |
Scylla.sh | Database dumps search site. |
Sherlock | Hunt down social media accounts by username acrross social networks. |
Threat Jammer | REST API for developers, security engineers, and other IT professionals to access curated threat intelligence data from a variety of sources. |
TinEye | Reverse image search. |
Online Traceroute | Online Traceroute using MTR. |
WhatsMyName | Tool that allows you to enumerate usernames across many websites. |
Yandex | Reverse image search. |
Practice Sites
Name | Description |
---|---|
Attack/Defense Labs | Very well built security attack and defense labs. |
Certified Hacker | Intentionally vulnerable website. |
Defend the Web | An interactive security platform where you can learn and challenge your skills. |
Enigma Group | Web application security training. |
Exploit Education | Provides a variety of resources that can be used to learn about vulnerability analysis, exploit development, software debugging, binary analysis, and general cyber security issues. |
FLAWS | AWS specific security challenge site. |
GameofHacks | This game was designed to test your application hacking skills. |
Gh0st Networks | CTF site for security practice. |
Google CTF | Yearly CTF hosted by Google.com. |
HackMe | Site to share vulnerable web applications for practice in web hacking. |
HackTheBox | Boot to root penetration testing practice site. |
HackThisSite | Wargame prictice site and community forums. |
Hacking Lab | An online ethical hacking, computer network and security challenge platform, dedicated to finding and educating cyber security talents. |
Hellbound Hackers | Hacking practice site. |
IO | Wargame site to practice hacking skills. |
OvertheWire | Begniier wargames that teach the basics of security. |
Microcorruption | Wargame to help in using a debugger and Assembly Language. |
PentestIt | Penetration Testing Laboratories. |
Pentest Practice | Online security training environment. |
Pentest Training | A simple website used as a hub for information revolving around the varies services we offer to help both experienced and new penetration testers practice and hone their skills. |
Permanent CTF List | List of CTFs that are always available online or able to be downloaded. |
Pwnable.kr | Wargame site to help improve hacking skills. |
Pwnable.tw | A wargame site for hackers to test and expand their binary exploiting skills. |
Reversing.kr | Site to test your Cracking and Reverse Engineering ability. |
Ring0CTF | Hacking practice site. |
RootMe | Hacking practice site. |
SmashTheStack | Site with various wargames available to practice. |
Try2Hack | This site provides several security-oriented challenges. |
TryHackMe | Room based site for hacking practice with good instruction. |
VulnHub | Downloadable virtual machines to practice hacking. |
WeChall | Security challenge site. |
WeChalls | Wargames to practice hacking. |
Practice Labs | |
Metasploitable | Intentionally vulnerable target machine for evaluating Metasploit |
Pentest Lab | contains examples to deploy a penetration testing lab on OpenStack provisioned with Heat, Chef and Docker. |
SecGen | Creates vulnerable virtual machines, lab environments, and hacking challenges, so students can learn security penetration testing techniques. |
WebGOAT | A deliberately insecure application that allows interested developers just like you to test vulnerabilities commonly found in Java-based applications that use common and popular open source components. |
Youtube Channels
Name | Description |
---|---|
13Cubed | This channel covers information security-related topics including Digital Forensics and Incident Response (DFIR) and Penetration Testing. |
Blackhat | This is the channel for the security conference, with lots of talks and demonstrations on different security topics. |
Guided Hacking | A hacking and reverse engineering community with a focus on game hacking. |
IppSec | This channel shows walkthroughs of different HackTheBox machines. |
John Hammond | This channel covers solving CTFs and programming. |
Learn Forensics | This channel is devoted to computer forensics. |
LiveOverflow | Just a wannabe hacker... making videos about various IT security topics and participating in hacking competitions. |
Stacksmashing | This channel uses Ghidra to reverse engineer various things. |
Awesome Repos
Name | Description |
---|---|
Android Security | A collection of android security related resources. |
Application Security | A curated list of resources for learning about application security. |
CTF | A curated list of CTF frameworks, libraries, resources and softwares. |
Cybersecurity Blue Team | A curated collection of awesome resources, tools, and other shiny things for cybersecurity blue teams. |
DevSecOps | Curating the best DevSecOps resources and tooling. |
Embedded and IoT Security | A curated list of awesome embedded and IoT security resources. |
Fuzzing | A curated list of awesome Fuzzing(or Fuzz Testing) for software security. |
GDPR | Protection of natural persons with regard to the processing of personal data and on the free movement of such data. |
Hacking - carpedm20 | A curated list of awesome Hacking tutorials, tools and resources. |
Hacking - Hack with Github | A collection of various awesome lists for hackers, pentesters and security researchers. |
Hacking - vitalysim | A collection of hacking / penetration testing resources to make you better! |
Honeypots | An awesome list of honeypot resources |
Industrial Control Systems Security | A curated list of resources related to Industrial Control System (ICS) security. |
ICS Writeups | Collection of writeups on ICS/SCADA security. |
Incident Response | A curated list of tools for incident response. |
Lockpicking | A curated list of awesome guides, tools, and other resources related to the security and compromise of locks, safes, and keys. |
Malware Analysis | A collention of awesome malware analysis tools |
Pentest | A collection of awesome penetration testing resources, tools, and other shiny things. |
Pcap Tools | A collection of tools developed by other researchers in the Computer Science area to process network traces. All the right reserved for the original authors. |
Reversing | A curated list of awesome reversing resources. |
Security | A collection of awesome software, libraries, documents, books, resources and cools stuffs about security. |
Vehicle Security and Car Hacking | A curated list of resources for learning about vehicle security and car hacking. |
Web Security | A curated list of Web Security materials and resources. |
Windows Exploitation | A curated list of awesome Windows Exploitation resources, and shiny things. |
Walkthroughs
Name | Description |
---|---|
Hackso.me | CTF, HacktheBox, and Vulnhub walkthroughs |
HackTheBox Guides | Guides/Walkthroughs for various retired HacktheBox machines. |
Learning Materials
Name | Description |
---|---|
Enumeration | |
Advanced Nmap:Scanning Firewalls | Advanced Nmap techniques for how to scann various types of firewalls. |
Learning Nmap: The Basics - Part 1 | The basics of how to use nmap. |
Advanced Nmap: Some Scan Types - Part 2 | Various Nmap scan types, and the practical use of these commands to scan various devices and networks. |
Advanced Nmap: Scanning Techniques Continued - Part 3 | More interesting scanning techniques. |
Advanced Nmap: Fin Scan & OS Detection | Various other command-line options. |
db_nmap | Running nmap from within metasploit. |
GoBuster Guide | Comprehensive guide on GoBuster tool. |
Parsing ls | Why you shouldn't parse the output of ls(1). |
Exploitation | |
AppLocker Bypass | Using Rundll32 to bypass Applocker. |
Attacking & Securing WordPress | Tecniques for enumeration and exploitation of wordpress sites. |
Executing Meterpreter in Memory | technique for executing an obfuscated PowerShell payload using Invoke-CradleCrafter in memory. |
How to hack a Wordpress site | Hacking a wordpress sites using different techniques. |
How to pentest your WordPress site | How to perform a pentest on you a wordpress site. More techniques and tools. |
Metasploit Tutorial | Metasploit Tutorial for beginners: Master in 5 minutes. |
Practical guide to NTLM Relaying | Practical guide to help clear up any confusion regarding NTLM relaying. |
WordPress plugin Vulneribilities | List of all vulnerabilities for WordPress plugins. |
Reverse Engineering | |
Assembly Programming Tutorial | A tutorial on programming in nasm Assembly. |
Beginners Guide to Assembly | This guide will explain exactly what is necessary to begin cheat creation for generally any online computer game, including both fields to study, and tools to use. |
Beginner Reverse Engineering Info | Reddit collection of beginner information on getting into Reverse Engineering. |
Building a Home Lab for Offensive Security | Guide on how to build a home lab for security purposes. |
Ghidra Simple Keygen Generation | From installing ghidra on ubuntu to writing a working keygen in python. |
Ghidra Tutorial | Youtube playlist on how to use ghidra using different example files. |
Guide to x86 Assembly | This guide describes the basics of 32-bit x86 assembly language programming, covering a small but useful subset of the available instructions and assembler directives. |
Guide to Assmebly in VS .NET | This tutorial explains how to use assembly code in a Visual Studio .NET project. |
How to start out in Reverse Engineering | Reddit post on the steps to get started in Reverse Engineering. |
IDA Pro Tutorial | Tutorial on how to reverse engineer with IDA Pro. |
Intel 64 and IA32 Software Manual | This document contains all four volumes of the Intel 64 and IA-32 Architectures Software Developer's Manual. |
Intermediate x86 | Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration. Part 2 to Into to x86. |
Intro to Malware Analysis and Reverse Engineering | Malware analysis course to learn how to perform dynamic and static analysis on all major files types, how to carve malicious executables from documents and how to recognize common malware tactics and debug and disassemble malicious binaries. |
Intro to x86 | Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration. |
Malware Analysis Tutorial | Malware Analysis Tutorials: a Reverse Engineering Approach. |
Mastering Ghidra | Video from Infiltrate 2019 on mastering Ghidra. |
Myne-US | From 0x90 to 0x4c454554, a journey into exploitation. |
Reverse Engineering 101 | Vimeo video by Dan Guido |
Reverse Engineering 101 - Malware Unicorn | Malwareunicorn.org provides workshops and resources for reverse engineering in the infosec space. Workshop content is now available. |
Reverse Engineering 102 | Vimeo video by Dan Guido |
Reversing for Newbies | A collection of tutorials aimed particularly for newbie reverse engineers. |
RE Guide for beginners | Methodology and Tools of reverse engineering. |
So you want to be a Malware Analyst | Malwarebytes blog on becomming a malware analyst and what all is involved. |
Windows oneliners to download and execute code | Oneliners for executing arbitrary command lines and eventually compromising a system. |
Where to start in leaning reverse engineering | Forum post detailing the process to start learning reverse engineering. |
Privilege Escalation | |
Basic Linux Privilege Escalation | Blog teaching the basics of Linux Privelege Escalation. |
Linux Privilege Escalation Techniques | SANS papers on the linux privilege escalation. |
Linux Privilege Escalation tools/tactics | List of different linux privilege escalation tools and techniques as well as several scripts to download to automate the process. |
Windows Privilege Escalation | Guide on techniques for Windows Privilege Escalation. |
LXD Privilege Escalation | Describes how an account on the system that is a member of the lxd group is able to escalate the root privilege by exploiting the features of LXD. |
Shells | |
How to build a RAT | Building a RAT from scratch for educational purposes. |
How to create a backdoor | Article on how to create a nearly undetectable backdoor with Cryptcat. |
How to create a remote command shell | Creating a remote command shell using a default windows command line tools |
How to create a reverse Shell | Article detailing how to create a reverse shell and when to do it. |
Reverse Shell in Bash | Reverse shells in bash for Dummies by a Dummy. |
Hacking and Pentesting | |
Pentesting Methodology | Step by step walkthough of a basic pentesting methodology. |
The Hacking Process | Lots of information on the hacking process. |
Guide to Penetration Testing | Varonis Seven Part Guide to Penetration Testing. |
CTF | |
CTF Field Guide | How to get started in CTFs |
Books and Cheatsheets
Name | Description |
---|---|
Books | |
Programming from the Ground Up | Using Linux assembly language to teach new programmers the most important concepts in programming. |
Cheatsheets | |
DFIR Infographics | Infographics about various DFI topics including file info, volume info, attribute info. |
General DFIR | Cheatsheets for general dfir info. |
Malware Analysis | Cheatsheets for different aspects of malware analysis. |
Memory Forensics | Cheatsheets for memory forensics. SANS memory forensics. |
OSINT | Cheatsheets for OSINT strategies and tools. |
Pentesting Tools Cheatsheet | A quick reference high level overview. |
Radare2 Cheatsheet | Cheatsheet of common commands for program Radare2 |
Reverse Shell Cheatsheet | Several different types of reverse shells |
SANS DFIR | Digital Forensics and Incident Response cheatsheets from SANS. |
SANS Pentest Posters | These are Pentesting Posters that SANS supplies. |
SANS Cheatsheets | Various SANS cheatsheets. |
THC Favorite tips, tricks and hacks | Various tips & tricks for typical penetration testing engagements from highon.coffee. |
Volatility Command Reference | Quick reference command list for Volatility. |
Windows Post Exploitation Command List | Quick Reference command list used in post-exploitation of windows machines. |
Windows Registry Forensics | Cheatsheets on windows registry for different tools and information. |
x86 and and64 instruction reference | Reference for instructions with included summary of each. |
Podcasts
Name | Description |
---|---|
7 Minute Security | A weekly infosec podcast about pentesting, blue teaming and building a career in security. |
Hackable? | Hackable? gives us a front row seat to explore where we’re vulnerable in our daily routines, without even realizing it. |
InfoSec ICU | The Health Information Security podcast from the Medical University of South Carolina. |
Malicious Life | Malicious Life by Cybereason tells the unknown stories of the history of cybersecurity, with comments and reflections by real hackers, security experts, journalists, and politicians. |
Risky Business | Risky Business podcast features news and in-depth commentary from security industry luminaries. |
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast | A brief daily summary of what is important in cyber security. |
Security Now! | Security podcast with Steve Gibson and Leo Laporte. |
The CyberWire Daily | The daily cybersecurity news and analysis industry leaders depend on. |
Documentation
Name | Description |
---|---|
Security Policy Templates | SANS has developed and posted here a set of security policy templates for your use. |
Programming
Name | Description |
---|---|
C | |
Learn C | Free interactive C tutorial. |
Python | |
Learn Python | Free Python tutorial. |
Industrial Control System Info
Name | Description |
---|---|
Learning Materials | |
Getting Started in ICS | A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity. |
SCADA Hacking | Information on how to hack ICS/SCADA devices. |
Tools | |
Cronpot | ICS/SCADA honeypot. |
ICS Security Tools | Tools, tips, tricks, and more for exploring ICS Security. |
Contributing
Your contributions are always welcome! Please take a look at the contribution guidelines first.
If you have any question about this opinionated list, do not hesitate to contact me @johnson90512 on Twitter or open an issue on GitHub.