Links
Note: This section is constantly evolving. Last update: 01.07.2019.
This is a curated collection of handy bookmarks focusing on hacking, penetration testing and other computer security topics.
In my day to day work I collect and read lots of infosec resources (btw, I use Pocket for this task), so I would like to share the most interesting links with the community.
Inspired by the original project, the Open Penetration Testing Bookmarks Collection, which seems to be no longer maintened, I cleaned it up and added some bookmarks from my personnal collection.
If you want to contribute to this list, feel free to contact me @axcheron.
Medias
If you want to check the news about hacking and security, here are the links I usually read during my morning coffee. By the way, I manage my links with Feedly, a really handy tool !
News
Ars Technica | Security & Hacktivism
Threatpost | The Kaspersky Lab Security News
Computerworld | Security news, trends & analysis
The Register | Security News
Darknet | Ethical Hacking & Pentest
Naked Security | Sophos Security News
Securelist | Viruses, Hackers and Spam
/r/netsec/ | Reddit Infosec News
The Hacker News | Cyber Security & Hacking
Veracode | Application Security
EFF Deeplinks
Packet Storm
Blogs
There are too much bright people with really interesting blogs in the hacking community to list them all. But here is a quick list of some of them.
Schneier on Security
Krebs on Security
Google Project Zero
Carnal0wnage & Attack Research Blog
TaoSecurity
Room362: Blatherings of a security addict
SIPVicious
PortSwigger Web Security Blog
Blog | pentestmonkey
Jeremiah Grossman
Cатсн²² (in)sесuяitу
SkullSecurity: Adventures In Security
Metasploit | Rapid7 Community
Shell is Only the Beginning
tssci security
GDS - Blog
Reiners’ Weblog | anything about Web Security
Common Exploits - Exploitation Tools
SensePost | Blog
Blog | Exploit KB
sirdarckcat
Reusable Security
Blog - NotSoSecure
SpiderLabs Blog
Corelan Team | Peter Van Eeckhoutte (corelanc0d3r)
Blog - DigiNinja
securityweekly.com
deviating.net
wirewatcher | Looking beyond the obvious
gynvael.coldwind//vx
Nullthreat Security
Question Defense: Technical answers for technical questions
XyliBox
Blog | Tomislav Zubcic’s blog
Forums
The Ethical Hacker Network
Kali Linux Forum
HackThisSite
BrightShadows
HackForums
Bug Bounty Forum
Magazines
(IN)SECURE Magazine
Phrack
PoC||GTFO
Wiki
PwnWiki.io
Skull Security Wiki
SQL Injection Wiki
Methodologies
Penetration Test Framework (PTF)
The Penetration Testing Execution Standard (PTES)
OWASP Testing Project
The Official Social Engineering Portal
Wireless Hacking
WiFi
Pyrit - WPA Precomputed Cracker
Practical attacks against WEP and WPA
WiGLE: Wireless Network Mapping
FruityWifi
PixieWPS - An offline WPS bruteforce utility
Reaver - Brute force attack against WPS
Reaver by t6x
SDR
http://www.rtl-sdr.com
http://gnuradio.org/redmine/projects/gnuradio/wiki
https://greatscottgadgets.com/sdr/
http://sdr.osmocom.org/trac/wiki/rtl-sdr
Bluetooth
https://greatscottgadgets.com/ubertoothone/
http://trifinite.org/trifinite_stuff.html
RFID
https://github.com/ApertureLabsLtd/RFIDler
http://scanlime.org/2008/09/using-an-avr-as-an-rfid-tag/
http://www.bishopfox.com/resources/tools/rfid-hacking/attack-tools/
Conferences
Official Websites
DEFCON
BlackHat
ShmooCon
DerbyCon
REcon
CanSecWest
Sector
NorthSec
Hackfest
SSTIC
Hack.lu
BruCON
HackInParis
Calendar
http://infosecevents.net/calendar/
https://tockify.com/infosec.conferences/agenda
https://calendar.google.com/calendar/embed?src=pe2ikdbe6b841od6e26ato0asc@group.calendar.google.com
Web Hacking
SQL Injection
http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
http://isc.sans.edu/diary.html?storyid=9397
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/
http://websec.wordpress.com/2010/03/19/exploiting-hard-filtered-sql-injections/
http://sqlzoo.net/hack/
http://www.sqlteam.com/article/sql-server-versions
http://www.krazl.com/blog/?p=3
http://www.owasp.org/index.php/Testing_for_MS_Access
http://web.archive.org/web/20101112061524/
http://seclists.org/pen-test/2003/May/0074.html
http://web.archive.org/web/20080822123152/
http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
http://www.youtube.com/watch?v=WkHkryIoLD0
http://vimeo.com/3418947
http://websec.files.wordpress.com/2010/11/sqli2.pdf
http://lab.mediaservice.net/notes_more.php?id=MSSQL
Upload Tricks
http://www.google.com/#hl=en&q=bypassing+upload+file+type&start=40&sa=N&fp=a2bb30ecf4f91972
http://blog.skeptikal.org/2009/11/adobe-responds-sort-of.html
http://perishablepress.com/press/2006/01/10/stupid-htaccess-tricks/
http://ex.ploit.net/f20/tricks-tips-bypassing-image-uploaders-t3hmadhatt3r-38/
http://www.ravenphpscripts.com/article2974.html
http://msdn.microsoft.com/en-us/library/aa478971.aspx
http://dev.tangocms.org/issues/237
http://seclists.org/fulldisclosure/2006/Jun/508
http://www.gnucitizen.org/blog/cross-site-file-upload-attacks/
http://shsc.info/FileUploadSecurity
LFI/RFI
http://pastie.org/840199
http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
http://www.notsosecure.com/folder2/2010/08/20/lfi-code-exec-remote-root/
http://labs.neohapsis.com/2008/07/21/local-file-inclusion-%E2%80%93-tricks-of-the-trade/
http://www.digininja.org/blog/when_all_you_can_do_is_read.php
XSS
http://www.technicalinfo.net/papers/CSS.html
http://msmvps.com/blogs/alunj/archive/2010/07/07/1773441.aspx
http://forum.intern0t.net/web-hacking-war-games/112-cross-site-scripting-attack-defense-guide.html
https://media.blackhat.com/bh-eu-10/presentations/Lindsay_Nava/BlackHat-EU-2010-Lindsay-Nava-IE8-XSS-Filters-slides.pdf
http://sirdarckcat.blogspot.com/2009/08/our-favorite-xss-filters-and-how-to.html
http://www.securityaegis.com/filter-evasion-houdini-on-the-wire/
http://heideri.ch/jso/#javascript
http://www.reddit.com/r/xss/
http://blog.beefproject.com
Exploit Development
Corelan
All the exploit tutorials wrote by Corelan. High quality content !
Exploit Writing Tutorial Part 1: Stack Based Overflows
Exploit Writing Tutorial Part 2: Stack Based Overflows – jumping to shellcode
Exploit Writing Tutorial Part 3: SEH Based Exploits
Exploit Writing Tutorial Part 3b: SEH Based Exploits – just another example
Exploit Writing Tutorial Part 4: From Exploit to Metasploit – The basics
Exploit Writing Tutorial Part 5: How debugger modules & plugins can speed up exploit dev
Exploit Writing Tutorial Part 6: Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR
Exploit Writing Tutorial Part 7: Unicode – from 0x00410041 to calc
Exploit Writing Tutorial Part 8: Win32 Egg Hunting
Exploit Writing Tutorial Part 9: Introduction to Win32 shellcoding
Exploit Writing Tutorial Part 10: Chaining DEP with ROP – the Rubik’s[TM] Cube
Exploit Writing Tutorial Part 11: Heap Spraying Demystified
Hack Notes: Ropping eggs for breakfast
Hack Notes: ROP retn+offset and impact on stack setup
Root Cause Analysis – Memory Corruption Vulnerabilities
Root Cause Analysis – Integer Overflows
Others
http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
http://www.mgraziano.info/docs/stsi2010.pdf
http://www.ethicalhacker.net/content/view/122/2/
http://code.google.com/p/it-sec-catalog/wiki/Exploitation
http://x9090.blogspot.com/2010/03/tutorial-exploit-writting-tutorial-from.html
http://ref.x86asm.net/index.html
Exploits and Advisories
Exploits
http://www.exploit-db.com
http://www.packetstormsecurity.org
http://www.vulnerability-lab.com
Advisories
http://www.cvedetails.com
http://secunia.com
http://cve.mitre.org
http://www.securityfocus.com/bid
http://nvd.nist.gov
http://osvdb.org
Bug Bounty
https://hackerone.com
https://bugcrowd.com
https://exploithub.com
http://www.zerodayinitiative.com
https://www.zerodium.com
https://www.bugbountyhq.com
http://www.vulnerability-lab.com/list-of-bug-bounty-programs.php
Hardware Hacking
http://www.devttys0.com
https://inversepath.com/usbarmory
https://greatscottgadgets.com
http://int3.cc/products/facedancer21
http://hardsploit.io
Reverse Engineering & Malwares
http://www.woodmann.com/TiGa/idaseries.html
http://www.binary-auditing.com
http://visi.kenshoto.com
http://www.radare.org/y/
http://www.offensivecomputing.net
http://www.openrce.org
http://www.reteam.org
http://www.crackmes.de
http://uninformed.org
https://tuts4you.com
http://www.woodmann.com/collaborative/knowledge/index.php/Category:RCE_Knowledge
http://qira.me
http://beginners.re
https://remnux.org
Passwords and Hashes
Passwords
http://www.irongeek.com/i.php?page=videos/password-exploitation-class
http://cirt.net/passwords
http://sinbadsecurity.blogspot.com/2008/10/ms-sql-server-password-recovery.html
http://www.foofus.net/~jmk/medusa/medusa-smbnt.html
http://www.foofus.net/?page_id=63
http://hashcrack.blogspot.com
http://www.nirsoft.net/articles/saved_password_location.html
http://www.onlinehashcrack.com
http://www.md5this.com/list.php?
http://www.phenoelit.org/dpl/dpl.html
http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html
Rainbow Tables
http://ophcrack.sourceforge.net/tables.php
Wordlists
http://contest.korelogic.com/wordlists.html
http://packetstormsecurity.org/Crackers/wordlists/
http://www.skullsecurity.org/wiki/index.php/Passwords
http://www.ericheitzman.com/passwd/passwords/
http://www.infosecisland.com/blogview/11968-Brute-Forcing-Passwords-and-Word-List-Resources.html
Practice and Labs
ISO & VMs
http://sourceforge.net/projects/websecuritydojo/
http://hackingdojo.com/dojo-media/
http://informatica.uv.es/~carlos/docencia/netinvm/
http://www.bonsai-sec.com/en/research/moth.php
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
http://sourceforge.net/projects/lampsecurity/files/
http://sourceforge.net/projects/virtualhacking/files/
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
http://www.dvwa.co.uk
http://sourceforge.net/projects/thebutterflytmp/
https://exploit-exercises.com
Vulnerables Softwares
http://www.oldapps.com
http://www.oldversion.com
http://www.exploit-db.com/webapps/
http://code.google.com/p/wavsep/downloads/list
http://www.owasp.org/index.php/Owasp_SiteGenerator
http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
Test Sites
http://www.webscantest.com/
http://testaspnet.vulnweb.com/
http://testasp.vulnweb.com/
http://testphp.vulnweb.com/
http://demo.testfire.net/
http://hackme.ntobjectives.com/
Tools
Metadata
http://www.sans.org/reading_room/whitepapers/privacy/document-metadata-silent-killer_32974
http://lcamtuf.coredump.cx/strikeout/
http://www.sno.phy.queensu.ca/~phil/exiftool/
http://www.edge-security.com/metagoofil.php
http://www.darkoperator.com/blog/2009/4/24/metadata-enumeration-with-foca.html
Google Hacking
http://sqid.rubyforge.org/#next
http://voidnetwork.org/5ynL0rd/darkc0de/python_script/dorkScan.html
http://www.googleguide.com/advanced_operators_reference.htm
Web
http://blindelephant.sourceforge.net/
http://xsser.sourceforge.net/
http://sourceforge.net/projects/rips-scanner/
http://www.divineinvasion.net/authforce/
http://andlabs.org/tools.html#sotf
http://www.taddong.com/docs/Browser_Exploitation_for_Fun&Profit_Taddong-RaulSiles_Nov2010_v1.1.pdf
http://carnal0wnage.blogspot.com/2007/07/using-sqid-sql-injection-digger-to-look.html
http://code.google.com/p/pinata-csrf-tool/
http://xsser.sourceforge.net/#intro
http://packetstormsecurity.org/files/view/69896/unicode-fun.txt
http://sourceforge.net/projects/ws-attacker/files/
https://github.com/koto/squid-imposter
http://code.google.com/p/fuzzdb/
http://www.owasp.org/index.php/Category:OWASP_Fuzzing_Code_Database#tab=Statements
http://sourceforge.net/projects/yokoso/
http://sourceforge.net/projects/ajaxshell/
http://w3af.sourceforge.net/
http://code.google.com/p/skipfish/
http://sqlmap.sourceforge.net/
http://sqid.rubyforge.org/#next
http://packetstormsecurity.org/UNIX/scanners/XSSscan.py.txt
http://code.google.com/p/fimap/wiki/WindowsAttack
http://code.google.com/p/fm-fsf/
http://www.sans.org/reading_room/whitepapers/testing/fuzzing-approach-credentials-discovery-burp-intruder_33214
http://www.gdssecurity.com/l/b/2010/08/10/constricting-the-web-the-gds-burp-api/
http://sourceforge.net/projects/belch/files/
http://www.securityninja.co.uk/application-security/burp-suite-tutorial-repeater-and-comparer-tools
http://blog.ombrepixel.com/
http://andlabs.org/tools.html#dser
http://www.owasp.org/index.php/OWASP_WebScarab_NG_Project
http://intrepidusgroup.com/insight/mallory/
http://www.fiddler2.com/fiddler2/
http://websecuritytool.codeplex.com/documentation?referringTitle=Home
http://translate.google.com/translate?hl=en&sl=es&u=http://xss.codeplex.com/releases/view/43170&prev=/search%3Fq%3D
http://www.hackingeek.com/2010/08/x5s-encuentra-fallos-xss-lfi-rfi-en-tus.html%26hl%3Den&rurl=translate.google.com&twu=1
Social Enginnering
Passwords Cracking
Ncrack
Medusa
John the Ripper
Ophcrack
hashkill
Metasploit
http://www.indepthdefense.com/2009/02/reverse-pivots-with-metasploit-how-not.html
http://code.google.com/p/msf-hack/wiki/WmapNikto
http://www.indepthdefense.com/2009/01/metasploit-visual-basic-payloads-in.html
http://seclists.org/metasploit/
http://meterpreter.illegalguy.hostzi.com/
http://www.workrobot.com/sansfire2009/561.html
http://www.securitytube.net/video/711
http://en.wikibooks.org/wiki/Metasploit/MeterpreterClient#download
http://vimeo.com/16852783
http://milo2012.wordpress.com/2009/09/27/xlsinjector/
http://www.fastandeasyhacking.com/
http://trac.happypacket.net/
http://www.blackhat.com/presentations/bh-dc-10/Ames_Colin/BlackHat-DC-2010-colin-david-neurosurgery-with-meterpreter-wp.pdf
http://www.blackhat.com/presentations/bh-dc-10/Egypt/BlackHat-DC-2010-Egypt-UAV-slides.pdf
Network Scanner
http://nmap.org/
http://asturio.gmxhome.de/software/sambascan2/i.html
http://www.softperfect.com/products/networkscanner/
http://www.openvas.org/
http://tenable.com/products/nessus
http://www.rapid7.com/vulnerability-scanner.jsp
http://www.eeye.com/products/retina/community
Post Exploitation
http://www.awarenetwork.org/home/rattle/source/python/exe2bat.py
http://www.phx2600.org/archive/2008/08/29/metacab/
Netcat
http://readlist.com/lists/insecure.org/nmap-dev/1/7779.html
http://www.radarhack.com/tutorial/ads.pdf
http://www.infosecwriters.com/text_resources/pdf/Netcat_for_the_Masses_DDebeer.pdf
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
socat
http://www.antionline.com/archive/index.php/t-230603.html
http://technotales.wordpress.com/2009/06/14/netcat-tricks/
http://seclists.org/nmap-dev/2009/q1/581
http://www.terminally-incoherent.com/blog/2007/08/07/few-useful-netcat-tricks/
http://www.inguardians.com/research/docs/Skoudis_pentestsecrets.pdf
Source Inspection
Fuzzing
american fuzzy lop
angr
kitty
libFuzzer - a library for coverage-guided fuzz testing
funfuzz - JavaScript engine & DOM fuzzers
Grinder
Radamsa
Avalanche
Peach
FuzzManager - A fuzzing management tools collection
marifuzz
https://github.com/attekett/NodeFuzz
https://github.com/DCNWS/FuzzLabs
https://github.com/hgascon/pulsar
http://neural-fuzzer.org/
https://github.com/samhocevar/zzuf
https://github.com/OpenRCE/sulley
https://github.com/ernw/dizzy
https://github.com/joxeankoret/nightmare
Misc
CTF and Wargames
CTF
CTF365: Capture the Flag - Security Training Platform
UC Santa Barbara International CTF (iCTF)
Ghost in the Shellcode
CSAW
Wargames
DareYourMind :: Learn about computer security
NewbieContest : Challenge informatique francophone
WeChall
OverTheWire: Wargame
SmashTheStack Wargaming Network
The Enigma Group
HackThis!! - The Hackers Playground
Embedded Security CTF
Exploit Exercises
Crackmes.de
ZenK-Security
Planning
Lockpicking
Lock Picking 101 Forum
locksport.fr
Sparrows Lockpicks
Ouverture Fine
Southord Lockpicks
Awesome Lists
A curated list of Awesome lists. An awesome list is a collection of links focused on a specific topic. If you don’t find what you are looking for, it does not exist !
Awesome | Pentest
Awesome | Malware Analysis
Awesome | Hacking
Awesome | Hacking Spots
Awesome | Security
Awesome | Incident Response
Awesome | Android Security
Awesome | CTF
Awesome | Honeypots
Awesome | Web Hacking
Awesome | Reverse Engineering & Binary Analysis
Awesome | OSINT
Awesome | Windows Exploitation
Awesome | Curated List of Awesome Lists
Awesome | Hacking Resources
Awesome | Fuzzing
Awesome | Static Analysis