GitHub上的清单，手册，速查表，博客，黑客，单行代码，cli / web工具等的集合
GitHub上的清单，手册，速查表，博客，黑客，单行代码，cli / web工具等的集合
- is an sh-compatible shell that incorporates useful features from the Korn shell and C shell.
- is a shell designed for interactive use, although it is also a powerful scripting language.
- is a very powerful cross-platform shell, suitable for a huge range of uses.
- is a framework for using, developing and maintaining shell scripts and custom commands.
- is the best framework for managing your Zsh configuration.
- the Fishshell framework.
- the cross-shell prompt written in Rust.
- is a fast reimplementation of Powerlevel9k ZSH theme.
- is a visual file manager, licensed under GNU General Public License.
- is a VIM-inspired filemanager for the console.
- is a tiny, lightning fast, feature-packed file manager.
- is a full-screen window manager that multiplexes a physical terminal.
- is a terminal multiplexer, lets you switch easily between several programs in one terminal.
- is a tool to set comfortable and easy to use functionality, clustering and synchronizing tmux-sessions.
- is one of the most common text editors on Unix.
- is a highly configurable text editor.
- is an extensible, customizable, free/libre text editor - and more.
- is a modern and intuitive terminal-based text editor.
- is a free open source, powerful, extensible and usable code editor.
- a community-driven Emacs distribution.
Files and directories
- is an SSH and telnet client, developed originally by Simon Tatham.
- is a free and open source (license) utility for network discovery and security auditing.
- is a fast single packet network scanner designed for Internet-wide network surveys.
- is the fastest Internet port scanner, spews SYN packets asynchronously.
- is a faster and more efficient stateless SYN scanner and banner grabber.
- is a command-line oriented TCP/IP packet assembler/analyzer.
- is a tool that combines the functionality of the 'traceroute' and 'ping' programs in a single network diagnostic tool.
- is an open source utility which combines the functions of the different network probes in one diagnostic tool.
- is a networking utility which reads and writes data across network connections, using the TCP/IP protocol.
- is a powerful command-line packet analyzer.
- is a tool that allows us to dump and analyze network traffic (wireshark cli).
- is a simple terminal user-interface for tshark.
- is like GNU grep applied to the network layer.
- is a Swiss army knife for your daily Linux network plumbing if you will.
- dump unix domain socket traffic.
- is a packet capture solution which aims to quickly spool all packets to disk.
- visualize packets in TUI.
- is a monitoring and debugging tool to capture networking related statistics and prepare them visually.
- is a console-based network monitoring program for Linux that displays information about IP traffic.
- is a network traffic monitor for Linux and BSD.
- is a tool for active measurements of the maximum achievable bandwidth on IP networks.
- is a Network Performance Measurement Tool for TCP, UDP & HTTP.
- is a Linux CLI based Ethernet and MPLS traffic testing tool.
- is a IP address lookup service.
- packet manipulation CLI tool; craft and inject packets of several protocols.
- a mid-level packet manipulation library for Ruby.
- packet manipulation library; forge, send, decode, capture packets of a wide number of protocols.
- is a collection of Python classes for working with network protocols.
- is a tool for SSH server auditing.
- is a lightweight multi-protocol & multi-source command-line download utility.
- observe the path of packets through the iptables chains.
- is a DNS diagnostics and performance measurement tools.
- is a DNS reconnaissance tool for locating non-contiguous IP space.
- is a subdomain discovery tool that discovers valid subdomains for websites.
- is a fast subdomains enumeration tool for penetration testers.
- is tool that obtains subdomain names by scraping data sources, crawling web archives and more.
- provides personalized DNS server recommendations based on your browsing history.
- is a high-performance DNS stub resolver for bulk lookups and reconnaissance.
- is a tool to enumerate subdomains on a target domain through a wordlist.
- DNS performance testing tools.
- a flexible DNS proxy, with support for encrypted DNS protocols.
- API client providing access to passive DNS database systems (pDNS at Farsight Security, CIRCL pDNS).
- fast dns proxy, built to black-hole internet advertisements and malware servers.
- is a command line tool and library for transferring data with URLs.
- is an alternative to the widely popular curl program, written in Golang.
- is an user-friendly HTTP client.
- is an interactive cli tool for HTTP inspection.
- is a conformance testing tool for HTTP/2 implementation.
- is a simple tool to help sysadmins to hardening their websites.
- is a simple Swiss Army knife for http/https troubleshooting and profiling.
- is a tool that visualizes curl statistics in a way of beauty and clarity.
- is an interactive web server.
- is a text browser for the World Wide Web.
- a list of (almost) all headless web browsers in existence.
- is a single-threaded command line tool for measuring the performance of HTTP web servers.
- is an http load testing and benchmarking utility.
- is a modern HTTP benchmarking tool capable of generating significant load.
- is a constant throughput, correct latency recording variant of wrk.
- is a constant throughput, correct latency recording variant of wrk.
- is a fast cross-platform HTTP benchmarking tool written in Go.
- http/https load testing and benchmarking tool.
- HTTP load generator, ApacheBench (ab) replacement, formerly known as rakyll/boom.
- is a script you can use to quickly smoke-test your web app deployment.
- is a tool that simulates some Application Layer Denial of Service attacks by prolonging HTTP.
- is a free and open source directory/file & DNS busting tool written in Go.
- command-line reference-implementation client for SSL Labs APIs.
- Mozilla HTTP Observatory cli version.
- is a robust, commercial-grade, and full-featured toolkit for the TLS and SSL protocols.
- client program to set up a TLS connection to some other computer.
- fast and powerful SSL/TLS server scanning library.
- tests SSL/TLS enabled services to discover supported cipher suites.
- testing TLS/SSL encryption anywhere on any port.
- a very simple way to find out which SSL ciphersuites are supported by a target.
- is a utility for creating symmetrically encrypted and authenticated pipes between socket addresses.
- is EFF's tool to obtain certs from Let's Encrypt and (optionally) auto-enable HTTPS on your server.
- simple zero-config tool to make locally trusted development certificates with any names you'd like.
- tools to bootstrap CAs, certificate requests, and signed certificates.
- is a security and reconnaissance tool to automatically monitor new subdomains.
- provides a flexible Mandatory Access Control (MAC) system built into the Linux kernel.
- proactively protects the operating system and applications from external or internal threats.
- Automated System Hardening Framework.
- Security + DevOps: Automatic Server Hardening.
- actively monitoring all aspects of system activity with file integrity monitoring.
- provides a way to track security-relevant information on your system.
- is a security tool that can be use both as a security audit and intrusion detection system.
- battle-tested security tool for systems running Linux, macOS, or Unix-based operating system.
- scripted Local Linux Enumeration & Privilege Escalation Checks.
- scanner tool for Linux systems that scans backdoors, rootkits and local exploits on your systems.
- is a light-weight tool that helps to detect malware running on the system.
- diagnostic, debugging and instructional userspace utility for Linux.
- is a performance analysis and troubleshooting tool.
- is a library call tracer, used to trace calls made by programs to library functions.
- is a friendly wrapper around ptrace.
- performance analysis tools based on Linux perf_events (aka perf) and ftrace.
- high-level tracing language for Linux eBPF.
- system exploration and troubleshooting tool with first class support for containers.
- is an instrumentation framework for building dynamic analysis tools.
- high-performance multi-threaded malloc() implementation, plus some performance analysis tools.
- cross-platform system monitoring tool written in Python.
- interactive text-mode process viewer for Unix systems. It aims to be a better 'top'.
- a single executable for performance monitoring and data analysis.
- ASCII performance monitor. Includes statistics for CPU, memory, disk, swap, network, and processes.
- displays in its output information about files that are opened by processes.
- stack trace visualizer.
- small utility to convert Unix lsof output to a graph showing FIFO and UNIX interprocess communication.
- is a lightweight tool for recording, replaying and debugging execution of applications.
- a system performance analysis toolkit.
- a command-line hex viewer.
- universal command-line interface for SQL databases.
- postgres CLI with autocompletion and syntax highlighting.
- terminal client for MySQL with autocompletion and syntax highlighting.
- SQLite CLI with autocompletion and syntax highlighting.
- is a SQL powered operating system instrumentation, monitoring, and analytics framework.
- tools for Linux/Unix sysadmins.
- is an inode-based filesystem notification technology.
- synchronizes local directories with remote targets (Live Syncing Daemon).
- is a terminal based interface for viewing Git repositories.
- text-mode interface for Git.
- simplified and community-driven man pages.
- easily create and extract .zip, .tar, .tar.gz, .tar.bz2, .tar.xz, .tar.lz4, .tar.sz, and .rar.
- make JSON greppable!
- binary editor written in Go.
- is the world’s foremost and widely-used network protocol analyzer.
- is a comprehensive network monitor tool.
- is a graphical network monitoring solution.
- is a networking utility for packet generation and built-in UDP/TCP/SSL client and servers.
- is a packet crafter and traffic generator.
- open source software to load test functional behavior and measure performance.
- scalable user load testing tool written in Python.
- protect your privacy and defend yourself against network surveillance and traffic analysis.
Messengers (end-to-end encryption)
- is an encrypted communications app.
- secure messaging, file sharing, voice calls and video conferences. All protected with end-to-end encryption.
- decentralized anonymous instant messenger on top of Tor Hidden Services.
- an open network for secure, decentralized, real-time communication.
- test your browser's SSL implementation.
- provides up-to-date browser support tables for support of front-end web technologies.
- is your browser safe against tracking?
- see what data is exposed from your browser.
- it's all about Web Browser fingerprinting.
- help a web server developer learn what real world TLS clients were capable of.
- client test (incl TLSv1.3 information).
- free online service performs a deep analysis of the configuration of any SSL web server.
- free online service performs a deep analysis of the configuration of any SSL web server.
- test SSL/TLS (PCI DSS, HIPAA and NIST).
- scan your website for non-secure content.
- test your TLS server configuration (e.g. ciphers).
- service to scan and analyse websites.
- monitoring security policies like CSP and HPKP.
- allows developers and security experts to check if a Content Security Policy.
- public list about CSP in some big players (might make them care a bit more).
- list of the world's top 100 websites by Alexa rank not automatically redirecting insecure requests.
- strong ciphers for Apache, Nginx, Lighttpd and more.*
- public Diffie-Hellman parameter service/tool.
- memorable site for testing clients against bad SSL configs.
- registered for various tests regarding the TLS/SSL protocol.
- generate a CAA policy.
- repository of information about CAs, and their root and intermediate certificates.
- real-time certificate transparency log update stream.
- discovers certificates by continually monitoring all of the publicly known CT.
- deploy the security standards.
- test TLS cipher suite compatibility.
- this service helps you detect potentially malicious websites.
- a proposed standard (generator) which allows websites to define security policies.
- help you follow the Mozilla Server Side TLS configuration guidelines.
HTTP Headers & Web Linters
- one source for free DNS related tools and information.
- is an advanced DNS lookup tool.
- online DNS investigation tool.
- monitor, validate and verify your DNS configurations.
- helps you to control how your DNS works.
- comprehensive DNS tester.
- find subdomains for security assessment penetration test.
- dns recon & research, find & lookup dns records.
- search for DNS records by domain, IP, CIDR, ISP.
- DNS and mail server health checker.
- check the delegation of your domain.
- check, trace and visualize delegation of your domain.
- DS or DNSKEY records validator.
- this site is responsible for the safekeeping of historical reverse DNS records.
- wildcard DNS for everyone.
- one of the best DNS propagation checker (and not only).
- DNS propagation checking tool.
- quickly searching large DNS datasets.
- check an email domain for SMTP TLS support.
- all of your MX record, DNS, blacklist and SMTP diagnostics in one integrated tool.
- complete email test tools for email technicians.
- checks to see if your domain is on a Real Time Spam Blacklist.
- complete IP check for sending Mailservers.
- checks mail authentication and scores messages with Spam Assassin.
Encoders/Decoders and Regex testing
- tool from above to either encode or decode a string of text.
- the online translator for search queries on log data.
- online tool to learn, build, & test Regular Expressions (RegEx / RegExp).
- online regex testing tool.
- online regex testing tool + other tools.
- a web app for encryption, encoding, compression and data analysis.
- detailed report about the site, helping you to make informed choices about their integrity.*
- a global, open, distributed Internet measurement platform.
- uses various sources to gather public information about IP numbers, domain names, host names, routes etc.
- APIs for Security Companies, Researchers and Teams.
- curl test, analyze HTTP Response Headers.
- HTTP API tools, testers, encoders, converters, formatters, and other tools.
- online Ping, Traceroute, DNS lookup, WHOIS and others.
- network tools for webmasters, IT technicians & geeks.
- search for any ASN, IP, Prefix or Resource name.
- provides online communication tools for people and groups working on liberatory social change.
- analyze suspicious files and URLs to detect types of malware.
- finds bugs in your shell scripts.
- get interactive help texts for shell commands.
- online code editor for web application development. Supports React, Vue, Angular, CxJS, Dojo, etc.
- test your PHP code with this code tester.
- an instant IDE to learn, build, collaborate, and host all in one place.
- analyze your site’s speed and make it faster.
- test here the performance of any of your sites from across the globe.
- analyze your site’s speed around the world.
- run website latency tests across multiple geographic regions.
- analyze your site’s speed and make it faster.
- helps developers like you learn and apply the web's modern capabilities to your own sites and apps.
- automated auditing, performance metrics, and best practices for the web.
Mass scanners (search engines)
- platform that helps information security practitioners discover, monitor, and analyze devices.
- the world's first search engine for Internet-connected devices.
- do you use Shodan for everyday work? This tool looks for randomly generated data from Shodan.
- mass scanner such as Shodan and Censys.
- search engine for cyberspace that lets the user find specific network components.
- tools to monitor and understand deep structure of the web.
- is a cyberspace search engine.
- is a search engine for open-source and cyber threat intelligence data collected.
- is a search engine and data archive.
- it scan the entire internet space and create real-time threat intelligence streams and reports.
- is a submission-based catalog of wireless networks. All the networks. Found by Everyone.
- find any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code.
- this repository contains hundreds of online search utilities.
- lets you find email addresses in seconds and connect with the people that matter for your business.
- search by full email address or username.
- was my email affected by data breach?
- world's fastest and largest data breach search engine.
- scans of malicious URLs, IPs, and domains, including port scans and web requests.
- db dumps and more.
- database with public search for Open Amazon S3 Buckets and their contents.
- the breached database directory.
- find out what websites are built with.
- search the web's source code for technologies, across millions of sites.
- if a target has an open FTP site with accessible content it will be listed here.
- focused on gathering information from free tools or resources.
- is a service oriented to cybersecurity analysts for the advanced analysis of indicators of compromise.
- is a collaboration of data found online in the form of a lookup.
- to help everyday individuals secure their online life, avoiding getting hacked.
- is the place to find the person behind the email address, social username or phone number.
- is operated by a random swiss guy fighting malware for non-profit.
- malware search engine.
- monitors and tracks various malware families that are used to perpetrate cyber crimes.
- find GitHub secrets in real time.
- helping you find real world examples of functions, API's and libraries.
- the world biggest directory of online surveillance security cameras.
- contains great stuff like: security, hacking, reverse engineering, cryptography, programming etc.
- is a great resources of datasets from Project Sonar.
- list of publicly known cybersecurity vulnerabilities.
- CVE security vulnerability advanced database.
- CVE compliant archive of public exploits and corresponding vulnerable software.
- exploits market provides you the possibility to buy zero-day exploits and also to sell 0day exploits.
- the exploit and tools database.
- free vulnerability database.
- is a database for vulnerabilities and their corresponding source code if available.
- free API for CVE data.
Mobile apps scanners
Private Search Engines
Secure Webmail Providers
- is a secure and easy to use online email service, designed to provide maximum security and privacy.
- is a Tor Hidden Service that allows anyone to send and receive emails anonymously.
- is the world's most secure email service and amazingly easy to use.
- is the world's largest secure email service, developed by CERN and MIT scientists.
- private & encrypted email made easy.
- it's open source and powered by public-key cryptography.
- services for the SKS keyservers used by OpenPGP.
- the most "Unix-like" Linux distribution.
- multi-platform 4.4BSD-based UNIX-like operating system.
- HardenedBSD aims to implement innovative exploit mitigation and security solutions.
- Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments.
- cyber security GNU/Linux environment.
- penetration test and security assessment oriented Ubuntu-based Linux distribution.
- is an Arch Linux-based penetration testing distribution for penetration testers and security researchers.
- is a security-focused livecd based on Gentoo.
- Linux distro for intrusion detection, enterprise security monitoring, and log management.
- is a live system that aims to preserve your privacy and anonymity.
- OpenBSD router boilerplate.
- HTTP accelerator designed for content-heavy dynamic web sites.
- open source web and reverse proxy server that is similar to Apache, but very light weight.
- is a dynamic web platform based on NGINX and LuaJIT.
- a distribution of Nginx with some advanced features.
- is an open source, HTTP/2-enabled web server with HTTPS by default.
- the reliable, high performance TCP/HTTP load balancer.
- tiny free proxy server.
- is a 501(c)(3) nonprofit organization and transit internet service provider (ISP) based in Seattle.
- the Pi-hole® is a DNS sinkhole that protects your devices from unwanted content.
- malicious traffic detection system.
- monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
- secure and fast microVMs for serverless computing.
- sets up a new server running your choice of WireGuard, OpenSSH, OpenVPN, Shadowsocks, and more.
- learn automation by doing it. Right now, right here, in your browser.
- home page of the Network Research Group (NRG); tools, talks, papers and more.
- a collaborative project for the container ecosystem to assemble container-based system.
- open source reverse proxy/load balancer provides easier integration with Docker and Let's encrypt.
- The Cloud-Native API Gateway.
- complete container management platform.
- making Docker management easy.
- automated nginx proxy for Docker containers using docker-gen.
- a quick reference cheat sheet on Docker.
- a curated list of Docker resources and projects.
- learn and understand Docker technologies, with real DevOps practice!
- is a collection of tutorials for learning how to use Docker with various tools.
- various Dockerfiles I use on the desktop and on servers.
- bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
- bootstrap Kubernetes the easy way on Google Cloud Platform. No scripts.
- Kubernetes CheatSheets in A4.
- kubernetes security notes and best practices.
- checklists with best-practices for production-ready Kubernetes.
- kubernetes security - best practice guide.
- is a compilation of public failure/horror stories related to Kubernetes.
- is a collection of pure bash alternatives to external processes.
- is a collection of pure POSIX sh alternatives to external processes.
- is a guide to learn bash.
- for those who wanna learn Bash.
- hold documentation of any kind about GNU Bash.
- describes the commands and utilities offered to application programs by POSIX-conformant systems.
- master the command line, in one page.
- a shell style guide for Google-originated open-source projects.
- great multi language vim guide.
Sed & Awk & Other
- advanced sed and awk usage (Parsing for Pentesters 3).
*nix & Network
- linux and unix tutorials for new and seasoned sysadmin.
- the ideal Linux blog for Sysadmins & Geeks.
- free Networking, System Administration and Security tutorials.
- Linux tutorials and cheatsheets. Minimal examples. Mostly user-land CLI utilities.
- collection of Unix/Linux/BSD commands and tasks which are useful for IT work or for advanced users.
- is a collection of lectures and labs Linux kernel topics.
- explanation of everything you can see in htop/top on Linux.
- tutorials on system administration in Fedora and CentOS.
- a little book which introduces strace.
- a detailed document explaining and documenting HTTP/2.
- a document describing the HTTP/3 and QUIC protocols.
- an excellent introduction to the new HTTP/2 standard.
- great stuff to learn network and system programming at a deeper level.
- describes how to improve NGINX performance, security and other important things.
- NGINX config generator on steroids.
- is to help operational teams with the configuration of OpenSSH server and client.
- is a relatively brief description of the SSH handshake.
- a place to record notes while studying for Cisco's CCNP certification.
- attack and defend active directory using modern post exploitation adversary tradecraft activity.
- are secure configuration settings for over 100 technologies, available as a free PDF download.
- this walks you through the steps required to security harden CentOS.
- great guide for hardening CentOS; familiar with OpenSCAP.
- is a collection of security hardening guides, tools and other resources.
- provides a high-level overview of hardening GNU/Linux systems.
Security & Privacy
- LRaj Chandel's Security & Hacking Blog.
- make your AWS cloud environment more secure.
- an inventory of tools and resources about CyberSecurity.
- every byte of a TLS connection explained and reproduced.
- SSL and TLS Deployment Best Practices by SSL Labs.
- learn SELinux by doing. Solve Puzzles, show skillz.
- everything you should know about certificates and PKI but are too afraid to ask.
- a reference for subdomain enumeration techniques.
- the comprehensive guide to quitting Google.
- worldwide not-for-profit charitable organization focused on improving the security of software.
- OWASP Application Security Verification Standard Project.
- simple web app that helps developers understand the ASVS requirements.
- is a list of application security requirements or tests.
- includes a "best practice" penetration testing framework.
- this is the development version of the OWASP Developer Guide.
- focuses specifically on the top ten vulnerabilities in API security.
- help operational teams with creating secure web applications.
- security bulletins that relate to Netflix Open Source.
- security countermeasures when designing, testing, and releasing your API.
- enable cross-origin resource sharing.
- is an initiative to provide all application security related resources at one place.
- reverse proxy related attacks; it is a result of analysis of various reverse proxies, cache proxies, etc.
- great series about malicious payloads.
- show you how to compromise websites by using esoteric web features.
- as a source of sensitive information about web application.
- great blog about cybersec and pentests.
- this paper will take a close look at cookie security.
- help you keep secrets (API keys, db credentials, certificates) out of source code.
- the steps below could be followed to find vulnerabilities and exploits.
- $50 million CTF from Hackerone - writeup.
- an archive of low-level CTF challenges developed over the years.
- collection of some hints and useful links for the beginners.
- it's time for web servers to handle ten thousand clients simultaneously, don't you think?
- great story about the Maximum Transmission Unit.
- sampling tools like dtrace's don't really provide methods to see what programs are blocking on.
- this is the story of a long journey regarding the implementation of SSL.
- some drawings about programming and unix world, zines about systems & debugging tools.
- this great repository is focused on hash collisions exploitation.
- after 3072 hours of manipulating BGP, Job Snijders has succeeded in drawing a Nyancat.
- playing battleships over BGP.
- you type google.com into your browser and press enter?
based on the 'What happens when...' repository.
- great tutorial explain how HTTPS works in the real world.
- how we spent two weeks hunting an NFS bug in the Linux kernel.
- postmortem on the database outage of January 31 2017 with the lessons we learned.
- if you want to be a hacker, keep reading.
- an infographics which should help to estimate costs of certain operations in CPU clocks.
- writing a sqlite clone from scratch in C.
- great resource to understand how computers work under the hood.
- working with 154 million records on Azure Table Storage.
- shows the 500 most powerful commercially available computer systems known to us.
- any "black magic" or hours of frustration like desktop components do.
- 3D visualizations of the CERN computing environments (and more).
- evaluate how fucked your database is with this handy website.
- you know what the problem is, but you cannot solve it?
- how HTTPS works ...in a comic!
- a fun and colorful explanation of how DNS works.
- your postgresql.conf documentation and recommendations.
- amazingly awesome open source sysadmin resources.
- awesome command-line frameworks, toolkits, guides and gizmos.
- from finding text to search and replace, from sorting to beautifying text and more.
- collection of tools developed by other researchers to process network traces.
- a curated list of awesome projects related to eBPF.
- learn where some of the network sysctl variables fit into the Linux/Kernel network flow.
- list of awesome PostgreSQL software, libraries, tools and resources.
- a quick reminder of all SQL queries and examples on how to use them.
- list of Free Software network services and web applications which can be hosted locally.
- huge collection of applications sorted by category, as a reference for those looking for packages.
- build the best interview map.
- DevOps Guide from basic to advanced with Interview Questions and Notes.
- it is a great list of periodical magazines about FreeBSD and other important things.
- contains interview questions on various DevOps and SRE related topics.
- roadmaps, articles and resources to help you choose your path, learn and improve.
- the perfect Front-End Checklist for modern websites and meticulous developers.
- the only Front-End Performance Checklist that runs faster than the others.
- what are magic methods? They're everything in object-oriented Python.
- a collection of surprising Python snippets and lesser-known features.
- a list of books and articles for the discerning web developer to read.
- a guide to understand the importance of commit messages.
- a curated list of Web Security materials and resources.
- a curated list of hacking environments where you can train your cyber skills.
- an authoritative list of awesome devsecops tools.
- is a curated list of amazingly awesome OSINT.
- a curated list of Awesome Threat Intelligence resources.
- a collection of open source and commercial tools that aid in red team operations.
- a curated list of amazingly awesome Burp Extensions.
- list of a Free Security and Hacking eBooks.
- top 100 Hacking & Security E-Books.
- curated list of privacy respecting services and software.
- list of awesome reverse engineering resources.
- a collection of resources for linux reverse engineering.
- a list of Reverse Engineering articles, books, and papers.
- a curated list of awesome web-app firewall (WAF) stuff.
- interesting, funny, and depressing search queries to plug into shodan.io.
- a curated list of the most common and most interesting robots.txt disallowed directories.
- is a small course on exploiting and defending neural networks.
- why you probably shouldn't use a wildcard certificate.
- which is what every third-party "VPN provider" does.
- a curated list of awesome YARA rules, tools, and people.
- guide to securing and improving privacy on macOS.
- is a collected list of awesome security talks.
- list of movies every hacker & cyberpunk must watch.
- over 3,000 free cheat sheets, revision aids and quick references.
- static analysis tools for all programming languages.
- path to a free self-taught education in Computer Science.
- is a collection of postmortems (config errors, hardware failures, and more).
- build your own (insert technology here).
- is a curated list of project-based tutorials in C.
- various README templates & tips on writing high-quality documentation.
- free software that works great, and also happens to be open-source Python.
- a topic-centric list of HQ open datasets.
- compare a simple C program with the compiled machine code of that program.
- is an industry expert in computing performance and cloud computing.
- is a IT security engineer at Google.
- white hat hacker, computer security expert.
- developer, sysadmin, blogger, podcaster and public speaker.
- software developer and systems administrator for Stack Exchange.
- security researcher, international speaker and founder of securityheaders.com and report-uri.com.
- The Washington Post and now an Independent investigative journalist.
- is an internationally renowned security technologist, called a "security guru".
- advocate of practical learning, Chrissy also takes part in bug bounty programs.
- is a hacker at heart who works as a senior penetration tester.
- cybersecurity expert and writer.
- is an American privacy and security researcher, computer hacker.
- is a security advocate at AlienVault, a blogger event speaker and industry commentator.
- public speaker and independent computer security analyst.
- detection engineer at ESET.
- web security expert known for public education and outreach on security topics.
- sysadmin specializing in building high availability cloud environments.
- IT security expert.
- the Linux security blog about auditing, hardening and compliance by Michael Boelen.
- trainings, howtos, checklists, security tools and more.
- collection of useful incantations for wizards, be you computer wizards, magicians, or whatever.
- is the only non-profit, independent and volunteer led publication in the information security space.
- security news that informs and inspires.
Geeky Vendor Blogs
- conversations and interviews related to Cyber Exposure, and more.
- threat news room, giving you news, opinion, advice and research on computer security issues.
- blog featuring the latest news, trends and insights on current information security issues.
- security blog aims to provide insider news about cybersecurity.
- latest news, and trends about cybersecurity.
- about web app security vulns and top tips from our team of web security.
- news on emerging threats and practical advice to simplify threat detection.
- where CISOs and IT Admins come to learn about industry trends, IT security, data breaches, and more.
Geeky Cybersecurity Podcasts
- is a weekly information security podcast featuring news and in-depth interviews.
- stories, and focus on the ideas about cybersecurity.
- conversations and interviews related to Cyber Exposure, and more.
- podcast by Geoff White about cybercrimes.
- featuring stories from a wide range of Infosec people (Whitehat, Greyhat and Blackhat).
- true stories from the dark side of the Internet.
- is the investigative curiosity that helps people be successful in OSINT.
- the latest information security and hacking news.
Geeky Cybersecurity Video Blogs
- offensive, binary exploitation, web application security, vulnerability, hardening, red team, blue team.
- a lot more advanced topics than what is typically offered in paid online courses - but for free.
- the important information regarding our internet security.
- talks, interviews, and article about cybersecurity.
Best Personal Twitter Accounts
- a white-hat hacker/pentester. Intergalactic Minesweeper Champion 1990.
- Co-Founder @ITSPmagazine, at the intersection of IT security and society.
- Linux Evangelist. Malwares. Kernel Dev. Security Enthusiast.
- an InfoSec Professional and Tech Geek.
- CRO at F-Secure, Reverse Engineer, TED Speaker, Supervillain.
- often referred to as ESR, is an American software developer, and open-source software advocate.
- security researcher/programmer, @DragonSectorCTF founder/player, technical streamer.
- Security Researcher & Cyber Observer.
- programmer, malware analyst. Author of PEbear, PEsieve, libPeConv.
- tinkerer, cypherpunk, hacker.
- independent hacker and researcher.
- systems security, industrial safety, sysadmin, author of decentsecurity.com.
- chief scientist at White Ops, is one of just seven people with the authority to restore the DNS root keys.
- is a famous "grey hat" hacker, security researcher, creator of the MySpace "Samy" worm.
- founder & CTO of Security Weekly podcast network.
- @SecurityBSides co-founder.
- Security Researcher.
- a cryptographer and professor at Johns Hopkins University.
Best Commercial Twitter Accounts
- check if you have an account that has been compromised in a data breach.
- trusted by more of the Fortune 500 than any other crowdsourced security platform.
- most trusted security company. Unmatched threat visibility.
- the world's leading Digital Forensics and Incident Response provider.
- AT&T Cybersecurity’s Edge-to-Edge technologies provide threat intelligence, and more.
- an information security focused podcast and group of individuals from all walks of life.
- Hedgehog Cyber. Gibraltar and Manchester's top boutique information security firm.
- the National Cyber Security Centre. Helping to make the UK the safest place to live and work online.
- IT security experts.
A piece of history
- how to configure modems, scan images, record CD-ROMs, and other useful techniques.*
- how Diffie-Hellman Key Exchange worked.
Pentesters arsenal tools
- a penetration-oriented browser with plenty of advanced functionality already built in.
- tool and framework for pentesting system, web and many more, contains a lot a ready to use exploit.
- tool for testing web application security, intercepting proxy to replay, inject, scan and fuzz HTTP requests.
- intercepting proxy to replay, inject, scan and fuzz HTTP requests.
- is a Web Application Attack and Audit Framework.
- an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
- web server scanner which performs comprehensive tests against web servers for multiple items.
- tool that automates the process of detecting and exploiting SQL injection flaws.
- is a full-featured Web Reconnaissance framework written in Python.
- is a network reconnaissance tool which performs automated enumeration of services.
- an Integrated Multiuser Pentest Environment.
- incredibly fast crawler designed for OSINT.
- most advanced XSS detection suite.
- automated pentest framework for offensive security experts.
- is an agent-less vulnerability scanner for Linux, FreeBSD, and other.
- a tool for domain flyovers.
- information gathering tool for a website or IP address.
- detect and bypass web application firewalls and protection systems.
- CORS misconfiguration scanner.
- is a high performance offensive security tool for reconnaissance and vulnerability scanning.
- find web directories without bruteforce.
- is a fast password cracker, currently available for many flavors of Unix, Windows, and other.
- world's fastest and most advanced password recovery utility.
- is a tool to identify the players behind any incidental TCP/IP communications.
- a prototype SSH configuration and policy scanner.
- find open databases - powered by Binaryedge.io
- searchable archive from The Exploit Database.
- is a command line utility for searching and downloading exploits.
- some setup scripts for security research tools.
- CTF framework and exploit development library.
- collection of small security tools created mostly in Python. CTFs, pentests and so on.
- is a package of Pentest scripts.
- python tools for penetration testers.
- dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
- is an unsupervised, coverage-guided kernel fuzzer.
- exploit development and reverse engineering with GDB made easy.
- Python Exploit Development Assistance for GDB.
- framework for reverse-engineering and analyzing binaries.
- exploitation framework for embedded devices.
- is a software reverse engineering (SRE) framework.
- open-source pentesting management and automation platform by Salesforce Product Security.
- is a graphical tool for custom wordlist generation.
- vulnerability assessment and management helps to perform scans and manage vulnerabilities.
- fully automated offensive security tool for reconnaissance and vulnerability scanning.
- the browser exploitation framework project.
- automated mass exploiter.
- is a tool to identify and exploit sudo rules' misconfigurations and vulnerabilities.
- the pattern matching swiss knife.
- a little tool to play with Windows security.
- is a tool used to create threat model diagrams and to record possible threats.
Pentests bookmarks collection
- the penetration testing execution standard.
- amazing mind map with vulnerable apps and systems.
- incredible mind map for WebApps security tests.
- master the art of Cross Site Scripting.
- contains many vectors that can help you bypass WAFs and filters.
- security bookmarks collection, all things that author need to pass OSCP.
- collection of the cheat sheets useful for pentesting.
- awesome lists for hackers, pentesters and security researchers.
- a curated list of awesome hacking tutorials, tools and resources.
- collection of hacking/penetration testing resources to make you better.
- collection of awesome penetration testing resources, tools and other shiny things.
- is a curated list of awesome Hacking Tools.
- author hacking and pentesting notes.
- official Black Hat arsenal security tools repository.
- the complete list of Infosec related cheat sheets.
- includes thousands of cybersecurity-related references and resources.
- there are a LOT of pentesting blogs.
- Penetration Testing Reference Bank - OSCP/PTP & PTX Cheatsheet.
- to aid the development of techniques and hypothesis for hunting campaigns.
- notes for beginner network pentesting course.
- is a list of resources that author have been gathering in preparation for the OSCP.
- a list of useful payloads and bypass for Web Application Security and Pentest/CTF.
- git all the Payloads! A collection of web attack payloads.
- command injection payload list.
- is a collection of Awesome XSS resources.
- common php webshells.
- a quick reference high level overview for typical penetration testing engagements
- is a collection of high value information on specific application security topics.
- is an open source solution the OWASP Top 10 2013 entry.
- OWASP Top 10 Proactive Controls 2018.
- hacking & penetration testing & red team & cyber security & computer science resources.
- is a free online security knowledge library for pentesters/researchers.
- great stuff from DEFCON.
- a curated list of awesome malware analysis tools and resources.
- detailed technical information about the many different variants of the SQL Injection.
- great and detailed reference about vulnerabilities.
- a collection of HTML5 related XSS attack vectors.
- for generating XSS code to check your input validation filters against XSS.
- list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
- collection of security, system, network and pentest cheatsheets.
- a collection of SSRF Tips.
- great archive of CTFs.
- CTF (Capture The Flag) writeups, code snippets, notes, scripts.
- collection of CTF Web challenges.
- The Mobile Security Testing Guide (MSTG) is a comprehensive manual for mobile app security testing.
- notes on the most common things for an Internal Network Penetration Test.
- shows quick ways in which API keys leaked by a bug bounty program can be checked.
- various Proof of Concepts of security research performed by Securitum.
- is a list of public penetration test reports released by several consulting security groups.
- a great journey into security.
- a collection of PHP backdoors. For educational or testing purposes only.
Wordlists and Weak passwords
- for any kind of bruteforce find wordlists or unleash the power of them all at once!
- is a free online hash resolving service incorporating many unparalleled techniques.
- collection of multiple types of lists used during security assessments, collected in one place.
- sorted by probability originally created for password generation and testing.
- password dictionaries and leaked passwords repository.
- official dictionary created by the team on the forum bezpieka.org.
- wordlists for creating statistically likely username lists for use in password attacks.
- bug bounty platform with infosec jobs.
- allows any security researcher reporting a vulnerability on any website.
- global hacker community to surface the most relevant security issues.
- crowdsourced cybersecurity for the enterprise.
- crowdsourced security & bug bounty management.
- crowdsourced security & bug bounty programs, crowd security intelligence platform and more.
- bug bounty platform.
Web Training Apps (local installation)
- comprehensive and well maintained registry of all known vulnerable web applications.
- PHP/MySQL web application that is damn vulnerable.
- vulnerable web application amongst security researchers.
- is a VM that is built from the ground up with a large amount of security vulnerabilities.
- is a deliberately vulnerable web application written in under 100 lines of code.
- free, open source, deliberately vulnerable web-application.
- the most bug-free vulnerable application in existence.
- OWASP Top 10 security risks apply to web applications developed using Node.js.
- run Capture the Flags and Security Trainings with OWASP Juice Shop.
- web and mobile application security training platform.
- open source application security training program.
- a modern vulnerable web app.
- damn vulnerable NodeJS application.
- is an open-source application vulnerability correlation and security orchestration tool.
- web application exploits and defenses.
- is a playground focused on learning the exploitation of client-side web vulnerabilities.
- single vm lab with the purpose of combining several vulnerable appliations in one environment.
- pre-built Vulnerable Environments based on docker-compose.
- the new & improved "Vulnerable by Design" AWS deployment tool.
- is a laboratory for learning secure web development in a practical manner.
- sample vulnerable code and its exploit code.
- a Game of Hackers (CTF Scoreboard & Game Manager).
Labs (ethical hacking platforms/trainings/CTFs)
- true performance-based penetration testing training for over a decade.
- online platform allowing you to test your penetration testing skills.
- online ethical hacking, computer network and security challenge platform.
- non-commercial wargame site which provides various pwn challenges regarding system exploitation.
- is a wargame site for hackers to test and expand their binary exploiting skills.
- is a free computer security game targeted at middle and high school students.
- is an online platform built to help ethical hackers learn and practice their cybersecurity knowledge and skills.
- CTF archive and a place, where you can get some another CTF-related info.
- high quality security testing services.
- pentest lab, take your Hacking skills to the next level.
- the fast, easy, and affordable way to train your hacking skills.
- a great platform to train your pentesting skills.
- learning Cyber Security made easy.
- is a realistic web application hacking game, designed to help players of all abilities develop their skills.
- it's full of nasty app sec holes.
- can help you to learn and practice security concepts in the form of fun-filled games.
- is an online Penetration Testing Lab.
- provides vulnerable systems that can be used to test and understand vulnerabilities.
- tons of challenges designed to test and improve your hacking skills.
- several security-oriented challenges for your entertainment.
- preconfigured lab environments.
- emulate IT infrastructures of real companies for legal pen testing and improving penetration testing skills.
- reversal challenges done in the web interface.
- download crackmes to help improve your reverse engineering skills.
- DOM XSS security learning and practicing platform.
- upgrade your web hacking techniques today!
- allows anyone to gain practical 'hands-on' experience in digital security.
- is a penetration testing training platform, which offers various computer challenges.
- offers you tons of challenges designed to test and improve your hacking skills.
- a platform where you can build, host and share vulnerable web apps for educational and research purposes.
- discover how hacks, dumps and defacements are performed and secure your website against hackers.
- these challenges cover the exploits listed in the OWASP Top 10 Project.
- challenges, exercises, problems and tasks - by level, by type, and more.
- the home of the Hacker - Malware, Reverse Engineering, and Computer Science.
- there are exist a lots of different challenge types.
- is the go-to place for hackers who want to test their skills.
- is a free class for web security.
- a stupid game for learning about containers, capabilities, and syscalls.
- a series of levels you'll learn about common mistakes and gotchas when using AWS.
- provides web hacking challenges derived from bounty write-ups.
- CTF Web App challenges.
- most of the challenges used in the Google CTF 2017.
- is a free, safe and legal training ground for hackers.
- is a browser-based cloud labs.
- open source education content for the researcher community.
- a list of resources and scripts that I have been gathering in preparation for the OSCP.
- test your web apps with real-world examples (two-part series).
- an awesome collection of articles from several respected hackers and other thinkers.
Your daily knowledge and news
- hackerspace IRC channels.
- leading news source dedicated to promoting awareness for security experts and hackers.
- provides the latest hacking news, exploits and vulnerabilities for ethical hackers.
- security news as a weekly digest (email notifications).
- the latest news and insights from Google on security and safety on the Internet.
- expert network security guidance and news.
- connecting the Information Security Community.
- latest hacking tools, hacker news, cybersecurity best practices, ethical hacking & pen-testing.
- public disclosure watcher who keeps you up to date about the recently disclosed bugs.
- a subreddit dedicated to hacking and hackers.
- information security services, news, files, tools, exploits, advisories and whitepapers.
- about security, penetration tests, vulnerabilities and many others (PL/EN).
- basic aspects and mechanisms of Linux operating system security (PL).
- is a community of hackers; news & podcasts for developers and hackers.
Other Cheat Sheets
Build your own DNS Servers
- a validating, recursive, and caching DNS server.
- how to get faster and more secure DNS resolution with Knot Resolver on Fedora.
- tutorial to setup your own DNS-over-HTTPS (DoH) server.
- a cartoon intro to DNS over HTTPS.
- following to your DoH server, setup your DNS-over-TLS (DoT) server.
- how (and why) i run my own DNS Servers.
Build your own Certificate Authority
Build your own System/Virtual Machine
Table of Contents