Awesome Cybersecurity Links
Useful links for the study of cybersecurity, penetration testing, and red-teaming.
Table of Contents
Interactive tutorials and courses
Is your favorite podcast missing?
PortsWigger Web Security Academy is a fantastic source for learning web security made by the creators of BurpSuite. Each vulnerability is very well explained and followed by practical exercises. The academy is suitable for complete beginners as well as experienced web application penetration testers.
Hacker 101 focuses on web applications, bug bounties, report writing, and mobile application hacking. You can learn by watching videos and then solving Hacker 101 CTF. HackerOne, the largest bug bounty platform for ethical hackers, creates the site. You can also join their Discord community.
Cybrary offers paid, high-quality courses on various topics. You can choose from more than 100 courses and almost 200 hands-on training.
Purple Academy offers free courses on ransomware attacks, continuous security validation, proactive security operations center (SOC), and the MITRE ATT&CK Framework. The difficulty ranges from beginner to advanced. The training is from 30 minutes to one hour long. Most of them are not hands-on.
Let’s Defend is paid service but offers a limited free selection and a 50% discount for students. As the name suggests, the site is focused only on defensive topics. There are 32 courses and 250+ challenges.
Open Security Training offers thirteen courses mainly on the topics of reverse engineering. If you are interested in the architecture of processors and reversing C++ binaries, this is the right place for you.
Videos
Looking for videos of cybersecurity conferences? Check one of these:
- DEF CON
- BlackHat
- Wild West Hacking Fest
- Red Team Village
- Hack In The Box Security Conference
- NahamCon (2022 EU, 2022, 2021, 2020)
- VirSecCon
The list of conferences is by no means complete. Check out InfoCon, the Hacking Conference Archive, for archived videos of a bunch of talks.
Are you looking for a walk-through of HackTheBox and TryHackMe challenges?
IppSec has a video walk-through of almost every Hack The Box machine. The video length ranges from 20 minutes to 2 hours based on the difficulty of the box. IppSec also has a handy website to search for specific techniques and vulnerabilities.
VbScrub is no longer active but has videos hacking Windows machines.
Other great channels are:
- HackTheBox
- Bugcrowd
- Nahamsec
- John Hammond
- The Taggart Institute (also check out his website for various free courses!)
Do you prefer streams instead? Check out infosecstreams.github.io for a list of active streamers.
Český obsah
- InstallFest je konference zaměřená na GNU/Linux.
Podcasts
Malicious Life is an excellent weekly podcast covering the most famous cybersecurity stories. The podcast is detailed enough to entertain IT people but is also approachable for newcomers. With more than two hundred episodes, there is a lot to listen to. Episode length: ≈30 minutes.
Check out Open Source Security Podcast. Two friends meet every week to argue about recent news. Highly opinionated and very entertaining.
One of the most popular technology podcasts today, Darknet Diaries, deserves a place on the list. Former cyber criminals, penetration testers, social engineers, and officers share their stories.
Risky Business is another weekly news podcast. Episodes are about one hour long and cover a broader range of topics than Security Now. Its cousin, Seriously Risky Business, is more focused on international issues and Advanced Persistent Threat and is accompanied by a newsletter.
Other notable podcasts are CYBER, The CyberWire Daily, MalwareTech Podcast, and Naked Security Podcast.
If you are interested in social engineering, then check out Hacking Humans. The PRIVACY, SECURITY, & OSINT Show is an excellent resource for people interested in OSINT and privacy issues.
All Late Night Linux shows are fantastic and entertaining sources about open source, development, and system administration. My favourite shows right now by far.
Newsletters
Toolkit
Kali Linux, ParrotOS Security, BlackBuntu, and BlackArch Linux are distributions for penetration testers and ethical hackers, with Kali Linux being the most popular.
Security Onion is a Linux distribution for threat hunting, enterprise security monitoring, and log management.
Check out this article for Linux distributions for DFIR (Digital Forensics and Incidence Response).
Kali Tools is a list of tools available on Kali Linux, with descriptions and short examples.
CyberChef is a handy web application developed by GCHQ. You can easily reformat data, do some simple crypto, encode strings, and do many other things. As far as I know, everything happens in your browser, and no data is sent to the company. The tool is open-source, so if you’re unsure, grab a copy of GitHub and host it yourself.
Looking for a wordlist or payload? Check out:
Cheatsheets and tutorials
HackTricks is one of the most comprehensive resources for ethical hackers. Pentesting web apps, wifi, mobile apps, various internet services, cloud apps, and lateral movement - HackTricks has it all.
Are you trying to get started with Metasploit? Metasploit Unleashed is the right book for you.
GTFOBins is especially useful for privilege escalation. Do you have access to a low-privileged user? GTFOBins helps you abuse misconfigured binaries to escalate your privileges.
OWASP Cheat Sheet Series is aimed at developers who seek advice on securing their applications.
Virtual machines and sandboxes for hacking
Inexperienced penetration testers may not feel comfortable using their newly-learned skills on live targets. A mistake during penetration testing may lead to data loss, exposure of sensitive information on the internet, or other damage to the targeted system. A virtual machine on your computer is a secure environment where you can practice freshly learned cybersecurity techniques.
Note
Running virtual machines requires many resources on your local device and can sometimes be challenging to set up. Check out the section about online platforms and interactive tutorials and courses.
The OWASP Vulnerable Web Applications Directory is a comprehensive and well-maintained registry of vulnerable web and mobile applications. Out of the web applications, the OWASP Juice Shop Project is by far the most popular and feature-rich. It is great if you already have some basic web security training.
On the other hand, if you’re just dipping your toes in this area, check out the Damn Vulnerable Web Application. Thanks to its simplicity and straightforward nature, it is suitable for beginners. Because the application has been around for a long time, many write-ups and video tutorials are available.
Metasploitable 3 features vulnerabilities of various services, including but not limited to web applications. It is especially useful if you want to gain practice with MetaSploit.
CTF and online hacking platforms
Are you up for a challenge? Learning by doing is the best way to learn, and hacking is no different. Dive deep into vulnerable boxes with HackTheBox or TryHackMe and conquer the root. Many CTF competitions are happening online every month. See CTF Time for a list of upcoming and past competitions.
Český obsah
- Kybersoutěž je celostátní soutěž pro studenty středních a vysokých škol.
- thecatch.cz je CTF organizovaná sdružením CESNET
- SafeWeb.cz je CTF organizovaná společností ThreatMark
Below is a list I made of various hacking challenges online a while ago. I had no time to check them all, so I don’t know the quality or difficulty.
- Hack This Site
- hackertest.net
- root-me.org
- Secure Code Warrior
- attackdefense.com
- 237ctf
- CyberSecLabs
- Over The Wire
- defendtheweb.net
Bug bounty platforms
Bug bounty programs are set up by organizations to invite security researchers and ethical hackers to find vulnerabilities in their systems. Participants can earn money and other rewards for each vulnerability they discover, which can be a valuable way to gain experience and improve their skills in this field.
There are a few platforms for you to check out:
By the way, disclosed Hacker One reports are a great way to study! Check out the most upvoted report on Hacker One Takeover an account that doesn’t have a Shopify ID and more that received a $22,500 bounty.
Other resources
OWASP Top Ten Project is a resource everyone interested in cyber security should know. Once every few years, the Open Worldwide Application Security Project (OWASP) releases the top ten web application vulnerabilities. This is a great place to start if you are interested in web security.
OWASP Web Security Testing Guide is a framework for testing web applications for various security issues. The document is very long, and there is no point learning all techniques by heart, especially if you’re just starting on the journey, but it is beneficial to browse through them and see what kinds of issues to look for.
Also, check out the following:
- Resources for Beginner Bug Bounty Hunters
- Awesome Incident Response
- Penetration Testing collection
- Rayhan0x01’s Blog
Malware analysis
| name | description |
|---|---|
| VirusTotal | analysis of malware, hash, URL, PCAP |
| AnyRun | online interactive malware analysis |
| Triage | dynamic and static malware analysis |
| VMRay | dynamic malware analysis, paid service |
| Hybrid Analysis | dynamic malware analysis |
Temporary domains, urls, emails, and oob servers
| name | description |
|---|---|
| webhook.site | probably the best choice, up to 500 requests, offers VIP |
| pingb.in | data exfiltration by DNS: dig rand.SECRET.ns.pingb.in |
| RequestBin.net | public URL, displays HTTP headers, GET and POST parameters |
| maildrop.cc | throw away email addresses |