# Cryptography

---

# Home

#### Ethical Hacking Guide For:

* Prep for the EC-Council Certified Ethical Hacker (CEH) Examination
* Reference

## CHANGE LOG

### 1.0.0 - 2018-04-09

#### Added

* Added All Sections of Guide.
* Added Content to
  * Introduction to Ethical Hacking
  * Footprinting and Reconnaissance
  * Scanning Networks

### 1.0.1 - 2018-05-29

#### Added

* Added Content to
  * Footprinting and Reconnaissance
  * Scanning Networks
  * Enumeration
  * System Hacking
  * Malware Threats
  * Sniffing
  * Social Engineering
  * Denial of Service
  * Session Hijacking
  * Hacking Web Servers
  * Hacking Web Applications
  * SQL Injection
  * Hacking Wireless Networks
  * Hacking Mobile Platforms
  * Evading IDS, Firewalls, and Honeypots
  * Cloud Computing
  * Resources

---

# Table of contents

* [Home](README.md)
* [Introduction to Ethical Hacking](introduction-to-ethical-hacking.md)
* [Footprinting and Reconnaissance](footprinting-and-reconnaissance.md)
* [Scanning Networks](scanning-networks.md)
* [Enumeration](enumeration.md)
* [System Hacking](system-hacking.md)
* [Malware Threats](malware-threats.md)
* [Sniffing](sniffing.md)
* [Social Engineering](social-engineering.md)
* [Denial of Service](denial-of-service.md)
* [Session Hijacking](session-hijacking.md)
* [Hacking Web Servers](hacking-web-servers.md)
* [Hacking Web Applications](hacking-web-applications.md)
* [SQL Injection](sql-injection.md)
* [Hacking Wireless Networks](hacking-wireless-networks.md)
* [Hacking Mobile Platforms](hacking-mobile-platforms.md)
* [Evading IDS, Firewalls, and Honeypots](evading-ids-firewalls-and-honeypots.md)
* [Cloud Computing](cloud-computing.md)
* [Cryptography](cryptography.md)
* [Resources](resources.md)

---

# Cloud Computing

> Objectives: Understanding cloud computing concepts, understanding cloud computing threats, understanding cloud computing attacks, understanding cloud computing security, understanding cloud computing security tools, overview of cloud pen testing

### Cloud Computing Concepts

* Cloud computing is the on-demand delivery of IT capabilities, where IT infrastructure and applications are provided to subscribers as a metered service
* Types of Cloud Computing Services:
  * IaaS: Provides virtual machines and other abstracted hardware and OSs, which may be controlled through a service API
  * PaaS: Offers development tools, configuration management, and deployment platforms on demand, which subscribers can use to develop custom applications
  * SaaS: Offers software to subscribers on demand over the internet
* Cloud Deployment Models
  * Private Cloud: Cloud infrastructure operated solely for a single organization
  * Community Cloud: Infrastructure shared between several organizations from a specific community with common concerns
  * Hybrid Cloud: Composition of two or more clouds (private, community, or public)
  * Public Cloud: Services are rendered over a network that is open for public use

## Cloud Computing Threats

* Data breach/loss, abuse of cloud services, insecure interfaces and APIs, insufficient due diligence, shared technology issues, unknown risk profile, inadequate infrastructure design and planning, conflicts between client hardening procedures and the cloud environment, malicious insiders, illegal access to the cloud, privilege escalation via error

---

# Social Engineering

> Objectives: overview of social engineering concepts, understanding various social engineering techniques, understanding insider threats, understanding impersonation on social networking sites, understanding identity theft, social engineering countermeasures, identity theft countermeasures, overview of social engineering pen testing

## Social Engineering Concepts

* Social engineering is the art of convincing people to reveal confidential information
* It depends on the fact that people are unaware of the value of their information and careless about protecting it

## Social Engineering Techniques

* Human-based social engineering, computer-based social engineering, mobile-based social engineering
* Human-based social engineering
  * Reverse social engineering (the attacker presents as an authority)
  * Piggybacking ("I forgot my ID badge, please help")
  * Tailgating (walking directly behind someone to gain entrance)
* Computer-based social engineering
  * Hoax letters, free gifts, etc.
* Mobile-based social engineering
  * Repackaging legitimate apps
  * Fake security applications
* Insider attack
  * Disgruntled employee
  * Prevention: separation and rotation of duties, least privilege, controlled access, logging and auditing, legal policies, archiving critical data

## Impersonation on Social Networking Sites

* Social engineering on Facebook, Twitter, LinkedIn, etc.

## Identity Theft

* When someone steals your personal information (PI)

## Social Engineering Countermeasures

* Periodic password changes, good policies, etc.

---

# SQL Injection

> Objectives: Understanding SQL injection concepts, understanding various types of SQL injection attacks, understanding SQL injection methodology, SQL injection tools, understanding different IDS evasion techniques, SQL injection countermeasures, SQL injection detection tools

### SQL Injection Concepts

* SQL injection is a technique that takes advantage of non-validated input vulnerabilities to pass SQL commands through a web app for execution by the backend database
* Usually used to retrieve information
* This is a flaw in web apps
* An attacker can deface a web page with this attack
* They can add information to your website, extract data, and insert new data

## Types of SQL Injection

* Error-based SQL injection: The attacker deliberately submits bad input to the app to see the database-level error messages, then uses them to craft carefully designed SQL injections
* Blind SQL injection: The attacker has no error messages from the system with which to work.
Instead, the attacker simply sends a malicious SQL query to the database
* Whenever you see SELECT, it is probably a SQL command
* Union SQL injection: joins a forged query to the original query with a UNION
* Time-based SQL injection: evaluates the time delay in the response to true/false queries

## SQL Injection Methodology

* Information gathering and SQL vulnerability detection
  * Attackers analyze web GET and POST requests to identify all input fields
  * Afterwards, launch the attack
* Advanced SQL injections
* SQL injection black-box pen testing
  * Send single quotes as input data to see where the user input is not sanitized
  * Send long strings of junk data to detect buffer overruns
  * Use a right square bracket as input data

## Evasion Techniques

* Evading IDS
  * Obscure input strings
  * Hex encoding
  * Manipulating whitespace
  * Inline comments
  * Char encoding

## Countermeasures

* Use firewalls on the SQL server
* Make no assumptions about the size, type, or content of the data that is received by the application
* Avoid constructing dynamic SQL with concatenated input values

---

# Footprinting and Reconnaissance

## Concepts

* Footprinting is the process of collecting as much information as possible about a target network
* Footprinting threats: social engineering, system and network attacks, information leakage, privacy loss, corporate espionage, business loss

## Methodology

1. Footprinting through search engines
   1. Google, Netcraft (restricted URLs, determine OS), SHODAN search engine, GMAPS, Google Finance, etc.
2. Footprinting using advanced Google hacking techniques
   1. Using the technique of locating specific strings of text within search results with an advanced operator in the search engine (finding vulnerable targets), Google operators to locate specific strings of text, GHDB
3. Footprinting through social networking sites
   1. Fake identities of co-workers, finding personal information, tracking their groups, etc.; Facebook, Twitter, LinkedIn, etc.
4. Website footprinting
   1. Looking at system information from websites, personal information, examining HTML source comments, web spiders, archive.org, mirroring sites, etc.
5. Email footprinting
   1. Can obtain the recipient's IP address, geolocation, whether the email was received and read, read duration, proxy detection, links, OS and browser information, and whether the email was forwarded
6. Competitive intelligence
   1. Competitive intelligence gathering is the process of identifying, gathering, analyzing, verifying, and using information about your competitors from sources such as the internet, e.g. monitoring web traffic
   2. Non-interfering and subtle in nature
   3. This method is legal
7. WHOIS footprinting
   1. WHOIS databases are maintained by regional internet registries and contain personal information of domain owners
8. DNS footprinting
   1. An attacker can gather DNS information to determine key hosts in the network
9. Network footprinting
   1. Network range information assists attackers in creating a map of the target network
   2. Find the range of IP addresses using an ARIN WHOIS database search
   3. Traceroute programs work on the concept of the ICMP protocol and use the TTL field in the header of ICMP packets to discover the hops on the path to a target host
10. Footprinting through social engineering
    1. The art of exploiting human behaviour to extract confidential information
    2. Social engineers depend on the fact that people are unaware

## Tools

* Maltego
* Recon-ng (Web Reconnaissance Framework)

## Countermeasures

1. Restrict employees from accessing social networking sites
2. Configure web servers to avoid information leakage
3. Educate employees to use pseudonyms
4. Limit the amount of information that you publish
5. Use footprinting techniques to discover and remove sensitive information
6. Use anonymous registration services
7. Enforce security policies

## Penetration Testing: Footprinting

1. Footprinting pen testing is used to determine an organization's publicly available information
2. The tester attempts to gather as much information as possible from the internet and other publicly accessible sources
3. Define the scope and then use footprinting search engines
4. Report templates

---

# Denial of Service

> Objectives: Overview of DoS and DDoS attacks, understanding DoS/DDoS attack techniques, understanding the botnet network, understanding various DoS and DDoS attack tools, DoS/DDoS countermeasures, overview of DoS attack penetration testing

### DoS/DDoS Concepts

* Denial of Service (DoS) is an attack on a computer or network that reduces, restricts, or prevents access to system resources by their legitimate users
* Attackers flood a victim system with non-legitimate service requests
* A DDoS attack involves a multitude of compromised systems attacking a single targeted system (botnet)

## DoS/DDoS Attack Techniques

* Basic categories of attacks
  * Volumetric attacks: consume the bandwidth of the target network or service
  * Fragmentation attacks: overwhelm the target's ability to reassemble fragmented packets
  * TCP state-exhaustion attacks: consume the connection state tables present in devices such as load balancers, firewalls, and application servers
  * Application layer attacks: consume application resources or services, making them unavailable to other legitimate users
* SYN attack
  * The attacker sends a large number of SYN requests to the target server
  * The target machine sends back a SYN-ACK in response to each request and waits for the ACK to complete the session
  * The attacker never sends the ACK
* ICMP flood attack: a type of DoS where perpetrators send a large number of ICMP packets, causing the system to stop responding to legitimate TCP/IP requests
  * To protect yourself: set a threshold limit that invokes an ICMP protection feature
* Peer-to-peer attack: attackers instruct clients of P2P file-sharing hubs to disconnect from their P2P network and connect to the victim's fake website. Attackers can launch massive DoS attacks and compromise websites
* Permanent denial-of-service attack: also known as phlashing, refers to attacks that cause irreversible damage to system hardware
  * Unlike other DoS attacks, it sabotages the system hardware
* Application-level flood attack: application-level flood attacks result in the loss of services
  * Using this attack, attackers exploit weaknesses in programming source code to prevent the application from processing legitimate requests
* Distributed Reflection Denial of Service (DRDoS)
  * Also known as a spoofed attack, it involves the use of multiple intermediary and secondary machines that contribute to the actual DDoS attack against the target machine or application

## Botnets

* Bots are software applications that run automated tasks over the internet
* A botnet is a huge network of compromised systems and can be used by an attacker to launch a DoS attack
* Scanning methods for finding vulnerable machines: random scanning, hit-list scanning, topological scanning, local subnet scanning, permutation scanning
* DoS and DDoS attack tools
  * LOIC, GoldenEye

## Countermeasures

* Techniques
  * Activity profiling
    * Increases in activity levels, distinct clusters, average packet rate, etc.
  * Changepoint detection
    * Filters network traffic by IP addresses and targeted port numbers, and stores traffic flow data in a graph that shows the traffic flow rate vs. time
  * Wavelet-based signal analysis
    * Analyzes network traffic in terms of spectral components. Divides the incoming signal into various frequencies for analysis
* DoS/DDoS countermeasure strategies
  * Absorbing the attack (requires additional resources)
  * Degrading services (identify critical services and stop non-critical ones)
  * Shutting down the services
* Deflect attacks: honeypots act as an enticement for an attacker. They serve as a means of gaining information about attackers and store their activities
* Ingress filtering: protects from flooding attacks. Enables the originator to be traced to its true source
* Egress filtering: scanning the packet headers of IP traffic leaving a network. Ensures unauthorized or malicious traffic never leaves the internal network
* Mitigate attacks: load balancing, throttling
* Post-attack forensics
  * Analyze traffic patterns for new filtering techniques; analyze router, firewall, and IDS logs; update load-balancing and throttling countermeasures

---

# Enumeration

## Enumeration

### Enumeration Concepts

* In the enumeration phase, the attacker creates active connections to the system and performs directed queries to gain more information.
The attacker then uses this information to identify system attack points and perform password attacks
* Conducted in an intranet environment
* Techniques for enumeration
  * Extract user names using email IDs
  * Extract user names using SNMP
  * Extract user groups from Windows
  * Extract information using default passwords
  * Brute force Active Directory
  * Extract information using DNS zone transfer
* Popular ports to enumerate
  * TCP/UDP 53 - DNS zone transfer
  * TCP/UDP 135 - Microsoft RPC Endpoint Mapper
  * UDP 137 - NetBIOS Name Service (NBNS)
  * TCP 139 - SMB over NetBIOS
  * TCP/UDP 445 - SMB over TCP (direct host)
  * UDP 161 - Simple Network Management Protocol (SNMP)
  * TCP/UDP 389 - Lightweight Directory Access Protocol (LDAP)
  * TCP/UDP 3268 - Global Catalog Service
  * TCP 25 - Simple Mail Transfer Protocol (SMTP)
  * TCP/UDP 162 - SNMP Trap

## NetBIOS Enumeration

* A NetBIOS name is a unique 16-character ASCII string used to identify network devices (15 characters are the device name; the 16th is reserved for the service or name record type)
* The nbtstat utility displays NetBIOS over TCP/IP protocol statistics and NetBIOS name tables/cache
* The net view utility is used to obtain a list of all the shared resources of a remote host or workgroup

## SNMP Enumeration (Simple Network Management Protocol Enumeration)

* SNMP enumeration is the process of enumerating user accounts and devices on a target system using SNMP
* SNMP consists of a manager and agents.
Agents are embedded on every network device; the manager is installed on a separate computer
* SNMP has two passwords (community strings)
* Attackers use default community strings to extract information
* They use it to extract information about network resources such as hosts, routers, devices, and shares
* Management Information Base (MIB)
  * The MIB is a virtual database containing a formal description of all the network objects managed using SNMP

## LDAP Enumeration

* LDAP is an internet protocol for accessing distributed directory services
* An attacker queries the LDAP service to gather information such as valid user names, addresses, departmental details, etc.

## NTP Enumeration

* Network Time Protocol (NTP) is designed to synchronize the clocks of networked computers
* Uses UDP port 123
* Can be used to find important information about a network
* Can use Nmap, Wireshark

## SMTP and DNS Enumeration

* SMTP has three built-in commands
  * VRFY - Validates users
  * EXPN - Tells the actual delivery addresses of aliases and mailing lists
  * RCPT TO - Defines the recipients of the message
* SMTP servers respond differently to these commands
* Attackers can interact directly with SMTP via a telnet prompt and collect a list of valid users on the SMTP server

## Enumeration Countermeasures

* SNMP countermeasures
  * Remove the SNMP agent or turn off the SNMP service (block port 161)
  * Change the default community string name
  * Upgrade to SNMPv3, which encrypts passwords/messages
  * Implement the additional security option called "additional restrictions for anonymous connections"
  * Ensure that access to null session pipes, null session shares, and IPsec filtering is restricted
* DNS countermeasures
  * Disable DNS zone transfers to untrusted hosts
  * Make sure private hosts and their IP addresses are not published in the DNS zone files of the public DNS server
  * Use premium DNS registration services to hide sensitive information
  * Use standard network admin contacts for DNS registrations in order to avoid social engineering attacks
* SMTP countermeasures
  * Ignore email messages to unknown recipients
  * Disable open relay features
  * Do not include sensitive mail server and local host information in mail responses
* LDAP countermeasures
  * Restrict access to Active Directory by using software such as Citrix
  * Enable account lockout
  * Use SSL technology for LDAP traffic
* Enumeration pen testing
  * Used to identify valid user accounts or poorly protected resource shares
  * Information can be users and groups, network resources
  * Used in combination with data collected in the reconnaissance phase
* Steps in enumeration pen testing
  * Find the network range
  * Calculate the subnet mask
  * Undergo host discovery
  * Perform port scanning
  * Perform NetBIOS enumeration
  * Perform SNMP enumeration
  * Perform LDAP enumeration
  * Perform NTP enumeration
  * Perform SMTP enumeration
  * Perform DNS enumeration
  * Document all findings

---

# Session Hijacking

> Objectives: Understanding session hijacking concepts, understanding application-level session hijacking, understanding network-level session hijacking, session hijacking tools, session hijacking countermeasures, overview of session hijacking penetration testing

## Session Hijacking Concepts

* What is session hijacking?
  * Since most authentication occurs at the start of a TCP session, this allows the attacker to gain access to the machine. He can take the cookie and replay it as his own
  * The cookie will, however, expire after some time.
It is much easier to steal a cookie than to brute-force a password/token
* Why is session hijacking successful?
  * No account lockout for invalid session IDs
  * Weak session ID generation algorithm
  * Insecure handling of session IDs
  * Indefinite session expiration time
  * Most computers using TCP/IP are vulnerable
  * Most countermeasures do not work unless you use encryption
* Session hijacking process
  * Referer attack: the attacker tries to lure a user into clicking a link to a malicious site
  * GET request [pulls the web page]
  * During the session hijacking process (SYN-ACK), the attacker must time it to jump into the session
  * Brute forcing: the attacker attempts different IDs until he succeeds
  * Sniff > Monitor > Session desynchronization > Session ID prediction > Command injection
* Types of session hijacking
  * Active attack: the attacker finds an active session and takes it over
  * Passive attack: the attacker hijacks a session but sits back, watches, and records all the traffic being sent back and forth
* Session hijacking in the OSI model: network-level hijacking, application-level hijacking
  * Network level (OSI model): network-level hijacking can be defined as the interception of packets during transmission between client and server
  * Application-level hijacking: app-level hijacking is about gaining control over the HTTP user session by obtaining the session IDs
* Spoofing vs. hijacking
  * Spoofing attack: the attacker pretends to be another user
  * Hijacking: the process of taking over an existing active session

## Application Level Session Hijacking

* A session token can be compromised in various ways
  * Session sniffing
    * Sniff to capture a valid session token or ID
  * Predictable session token
    * Predict a session ID generated by a weak algorithm
    * Guess the unique session value or deduce the session ID
  * Man-in-the-middle attack
    * Intrude on an existing connection and intercept it
    * Attackers use different techniques to split the TCP connection
  * Man-in-the-browser attack
    * Uses a trojan horse to intercept calls between the browser and its security mechanisms
    * Can be a malicious extension
  * Cross-site scripting attack
    * XSS enables attackers to inject malicious client-side scripts into web pages
    * Malicious JavaScript code
    * A trojan horse can change the proxy settings in the user's browser
  * Cross-site request forgery attack (CSRF)
    * A CSRF attack exploits the victim's active session with a trusted site in order to perform malicious activities
  * Session replay attack
    * In session replay, the attacker listens to the conversation between the user and the server and captures the user's authentication token
    * Once the authentication token is captured, the attacker replays the request to the server with the authentication token
  * Session fixation
    * Session fixation is an attack that allows an attacker to hijack a valid user session
    * The attacker tries to lure a user into authenticating with a known session ID and then hijacks the user-validated session
    * The attacker has to provide a legitimate web app session ID and try to lure the victim's browser into using it
  * CSRF (cross-site request forgery):
    * The user visits a banking site. The attacker somehow gets the user to visit his site, which latches onto her existing banking session and inserts commands into it, doing things she did not authorize.
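
The reasons session hijacking succeeds (weak session ID generation, indefinite expiration, session fixation, and insecure handling of the ID) can all be closed on the server side. The following is an added example, not code from the guide: a small stdlib-only session store in which the timeouts, the names, and the deliberately weak `weak_session_id` generator are this example's own assumptions.

```python
"""Server-side session handling that closes the gaps listed above.
Added example, not code from the guide; timeouts and names are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT = 15 * 60        # assumed: expire after 15 min without activity
ABSOLUTE_TIMEOUT = 8 * 3600   # assumed: expire 8 h after creation regardless


def weak_session_id(counter: int) -> str:
    """What NOT to do: a sequential ID that an attacker can simply predict."""
    return f"SESS{counter:08d}"


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, URL-safe so it can go straight into a cookie."""
    return secrets.token_urlsafe(16)


def is_sequential(ids: List[str]) -> bool:
    """Crude predictability check: do the digits of consecutive IDs advance by a
    constant step?  True for weak_session_id() output, False for CSPRNG output."""
    nums = []
    for sid in ids:
        digits = "".join(ch for ch in sid if ch.isdigit())
        if not digits:
            return False
        nums.append(int(digits))
    steps = {b - a for a, b in zip(nums, nums[1:])}
    return len(steps) == 1


@dataclass
class Session:
    user: Optional[str]   # None until the client authenticates
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock            # injectable so expiry can be tested
        self._sessions: Dict[str, Session] = {}

    def create(self) -> str:
        """Issue an anonymous (pre-login) session."""
        now = self._clock()
        sid = strong_session_id()
        self._sessions[sid] = Session(None, now, now)
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Bind the session to a user and ROTATE the ID.  Whatever ID the client
        presented is discarded, whether or not the server issued it, so an ID an
        attacker planted in the victim's browser (session fixation) never turns
        into an authenticated session."""
        self._sessions.pop(presented_sid, None)
        now = self._clock()
        new_sid = strong_session_id()
        self._sessions[new_sid] = Session(user, now, now)
        return new_sid

    def get(self, sid: str) -> Optional[Session]:
        """Return the session if it is still valid, otherwise expire it.
        Both an idle and an absolute limit bound how long a stolen cookie works."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT or now - s.created > ABSOLUTE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s

    def logout(self, sid: str) -> None:
        """Invalidate server-side; clearing the cookie alone is not enough."""
        self._sessions.pop(sid, None)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: HttpOnly keeps the ID away from injected scripts (XSS),
    Secure keeps it off plaintext HTTP (sniffing), and SameSite=Strict stops the
    browser from attaching it to cross-site requests (CSRF)."""
    return f"sid={sid}; HttpOnly; Secure; SameSite=Strict; Path=/"
```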

## Network Level Session Hijacking

* The 3-way handshake: if the attacker can anticipate the next sequence and ACK numbers, they can spoof Bob's address and start a communication with the server
* TCP/IP hijacking:
  * Blind hijacking
    * The attacker injects malicious data or commands into the intercepted communication in the TCP session even if source routing is disabled
    * The attacker can send data or commands but has no access to see the response
    * You might be able to see the effects, however
  * UDP hijacking
    * Manipulating the packet

## Session Hijacking Tools

* ZAP (Zed Attack Proxy by OWASP) is an integrated penetration testing tool
* Burp Suite: inspects and modifies traffic. Analyzes all kinds of content. Is an interception proxy

## Countermeasures

* IPsec: a protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session
  * Deployed widely to implement virtual private networks (VPNs) and for remote user access through dial-up connections to private networks
  * Transport mode: authenticates the two connected computers. Option to encrypt data transfer. Compatible with NAT
  * Tunnel mode: encapsulates the packets being transferred. Option to encrypt data. Not compatible with NAT.

---

# Introduction to Ethical Hacking

## Overview

### Terminology

* **Hack Value**: The notion among hackers that something is worth doing or interesting
* **Vulnerability**: The existence of a weakness, design flaw, or implementation error that can lead to an unexpected event compromising the security of the system
* **Exploit**: A breach of IT system security through vulnerabilities
* **Payload**: The part of exploit code that performs the intended malicious action
* **Zero-Day Attack**: An attack that exploits computer application vulnerabilities before the software developer releases a patch for the vulnerability
* **Daisy Chaining**: Gaining access to one network and/or computer and then using the same information to gain access to multiple networks and computers that contain desirable information
* **Doxing**: Publishing personally identifiable information
* **Bot**: A software application that can be controlled remotely to execute or automate pre-defined tasks

### Elements of Information Security

* **Non-Repudiation**: The sender of a message cannot later deny having sent the message
* **Confidentiality**: Only authorized users are able to view content
* **Integrity**: Trustworthiness of data or resources, preventing unauthorized changes
* **Availability**: Assurance that systems are accessible
* **Authenticity**: The quality of being genuine

## Threats and Attack Vectors

* **Cloud computing**: An on-demand delivery of IT capabilities that stores data.
It must be secure
* **Advanced Persistent Threats**: APTs focus on stealing information from the victim machine without the user being aware
* **Viruses and Worms**: Capable of infecting a network within seconds
* **Mobile Threats**: Many attackers see mobile phones as a way to gain access
* **Botnet**: A huge network of compromised systems
* **Insider Attack**: An attack performed on a corporate network by an entrusted person with access
* **Threat categories**:
  * Network Threats
  * Host Threats
  * Application Threats
* **Types of Attacks:**
  * OS Attacks
  * Misconfiguration Attacks
  * App-Level Attacks
  * Shrink-Wrap Code Attacks

## Hacking Concepts, Types, Phases

> Hacking: Exploiting system vulnerabilities and compromising security

### Five Phases of Hacking:

* **Reconnaissance** - Preparation phase in which an attacker seeks to gather information. Does not directly interact with the system; relies on social engineering and public information.
* **Scanning** - Identify specific vulnerabilities (in-depth probing), using port scanners to detect listening ports (companies should shut down ports that are not required)
* **Gaining Access** - Using vulnerabilities identified during reconnaissance [DoS, logic/time exploit, reconfiguring/crashing the system]
* **Maintaining Access** - Keeping a low profile, keeping the system as a launch pad, etc.
* **Clearing Tracks** - Hiding malicious acts while continuing to have access, avoiding suspicion

## Security Controls

### Information Assurance

### Threat Modeling

1. Identify Security Objectives
2. Application Overview
3. Decompose Application
4. Identify Threats
5. Identify Vulnerabilities

### Network Security Zoning (High to Low)

* Internet Zone
* Internet DMZ
* Production Network Zone
* Intranet Zone
* Management Network Zone

### Security Policies

> An information security policy defines the basic requirements and rules to be implemented in order to protect and secure an organization's information systems.

#### 4 Types of Security Policies

* Promiscuous Policy
* Permissive Policy
* Prudent Policy
* Paranoid Policy

### Vulnerability Assessments

#### Types of Assessments

* Active Assessments
* Passive Assessments
* Host-Based Assessments
* Internal Assessments
* External Assessments
* Application Assessments
* Network Assessments
* Wireless Network Assessments

#### Methodology of Assessments

* Acquisition
* Identification
* Analysis
* Evaluation
* Reports

### Penetration Testing

> Penetration Testing: Simulating an attack to find vulnerabilities

* Blue Team: Detect and mitigate
* Red Team: Attack with limited access, with or without warning

#### Types of Penetration Testing

* Black-Box (no prior knowledge)
* White-Box (complete knowledge)
* Grey-Box (limited knowledge)

#### Security Testing Methodologies

* OWASP
* NIST

## Security Laws and Standards

### United States

#### Laws

* **Sarbanes-Oxley Act (SOX)** - Protects investors and the public by increasing the reliability of corporate disclosures
* **Digital Millennium Copyright Act (DMCA)** - Protects intellectual property
* **Gramm-Leach-Bliley Act (GLBA)** - Controls the use of personal financial data
* **Health Insurance Portability and Accountability Act (HIPAA)** - Privacy for medical
records 147 | * **Family Educational Rights and Privacy Act \(FERPA\)** - Protection for education records 148 | * **Federal Information Security Management Act \(FISMA\)** - Government networks must have security standards 149 | 150 | #### Standards 151 | 152 | * Payment card Industry Data Security Standard \(PCI-DSS\) -Payment Systems 153 | 154 | 155 | 156 | ### Europe 157 | 158 | #### Laws 159 | 160 | * Computer Misuse Act of 1990 - Addresses hacking activities 161 | * Human Rights Act of 1990 - Ensures Privacy 162 | 163 | 164 | 165 | -------------------------------------------------------------------------------- /hacking-web-servers.md: -------------------------------------------------------------------------------- 1 | # Hacking Web Servers 2 | 3 | > Objectives: Understanding web server concepts, understanding web server attacks, understanding webserver attack methodology, webserver attack tools, countermeasures against web server attacks, overview of patch management, webserver security tools, overview of web server penetration testing 4 | 5 | ### Web server Concepts 6 | 7 | * A web server is a program that hosts websites, attackers usually target software vulnerabilities and config errors to compromise the servers 8 | * Nowadays, network and OS level attacks can be well defended using proper network security measures such as firewalls, IDS, etc. Web servers are more vulnerable to attack since they are available on the web 9 | * Why are web servers compromised 10 | * Improper file/directory permissions 11 | * Installing the server with default settings 12 | * Unnecessary services enabled 13 | * Security conflicts 14 | * Lack of proper security policy 15 | * Improper Authentication 16 | * Default Accounts 17 | * Misconfigs 18 | * Bugs in OS 19 | * Misconfigured SSL certificates 20 | * Use of self-signed certs 21 | * IIS \(internet information service\) is a webserver application developed by Microsoft for Windows. 

## Webserver Attacks

* DoS/DDoS Attacks: Attackers may send numerous fake requests to the web server, causing it to crash or become unavailable
  * May target high-profile web servers
* DNS Server Hijacking: The attacker compromises a DNS server and changes the DNS settings so that all requests coming towards the target web server are redirected to another, malicious server
* DNS Amplification Attack: The attacker takes advantage of the DNS recursive method of DNS redirection to perform a DNS amplification attack
  * The attacker uses compromised PCs with spoofed IPs to amplify the DDoS attack by exploiting the DNS recursive method
* Directory Traversal Attack: Attackers use `../` sequences to access restricted directories outside of the web server root directory \(trial and error\)
* Man-in-the-Middle/Sniffing Attack: MITM attacks allow an attacker to access sensitive information by intercepting and altering communications
* Phishing Attacks: The attacker tricks the user into submitting login details to a website that looks legitimate but is not, in an attempt to steal credentials
* Website Defacement: An intruder maliciously alters the visual appearance of a web page by inserting offending data, using a variety of methods such as MySQL injection
* Web Server Configuration: Refers to configuration weaknesses in the infrastructure, such as those that enable directory traversal
* HTTP Response Splitting Attack: Involves adding header data into an input field so that the server splits the response into two responses. The attacker can control the second response to redirect the user to a malicious website, whereas the other response is discarded by the browser
* Web Cache Poisoning: An attacker forces the web server's cache to flush its actual cache content and sends specially crafted requests, which will be stored in the cache
* SSH Brute Force Attack: The SSH protocol is used to create an encrypted SSH tunnel between two hosts. Attackers can brute force the SSH login credentials
* Webserver Password Cracking: An attacker tries to exploit weaknesses to crack well-chosen passwords \(social engineering, spoofing, phishing, etc.\).
* Web Application Attacks: Vulnerabilities in web apps running on a web server provide a broad attack path for web server compromise
  * SQL Injection, Directory Traversal, DoS, Cookie Tampering, XSS Attack, Buffer Overflow, CSRF Attack

## Attack Methodology:

Information Gathering, Webserver Footprinting, Mirroring Website, Vulnerability Scanning, Session Hijacking, Hacking Webserver Passwords

* Information Gathering: The robots.txt file contains a list of web server directories and files that the website owner wants to hide from web crawlers
* Use tools such as Burp Suite to automate session hijacking

## Webserver Attack Tools

* Metasploit: Encapsulates an exploit.
  * Payload module: Carries the code into the system to be unloaded there
  * Metasploit Aux Module: Performs arbitrary, one-off actions such as port scanning, DoS, and fuzzing
  * NOPS module: Generates no-operation instructions used for padding out buffers
* Password Cracking: THC Hydra, Cain & Abel

## Countermeasures

* An ideal web hosting network should be designed with at least three segments, namely: the internet segment, the secure server security segment \(DMZ\), and the internal network
* Place the web server in the DMZ of the network, isolated from the public network as well as the internal network
* Firewalls should be placed for the internal network as well as for internet traffic going towards the DMZ
* Patches and Updates: Ensure service packs, hotfixes, and security patch levels are consistent on all domain controllers
* Protocols: Block all unnecessary ports, ICMP, and unnecessary protocols such as NetBIOS and SMB. Disable WebDAV if not used
* Files and Directories: Delete unnecessary files, disable serving of directory listings, disable serving of certain file types, avoid virtual directories
* Detecting Hacking Attempts: Run scripts on the server that detect any changes made to existing executable files. Compare hash values of files on the server to detect changes in the codebase. Alert the user upon any detected change
* Secure the SAM \(stand-alone servers only\)
* Defending against DNS hijacking: Choose an ICANN-accredited registrar. Install anti-virus

## Patch Management

* A hotfix is an update to fix a specific customer issue
* A patch is a small piece of software designed to fix problems
* Hotfixes and patches are sometimes combined into service packs
* Patch Management is a process used to ensure that the appropriate patches are installed on a system to help fix known vulnerabilities
* Before installing a patch, verify the source.
* Patch Management Tools: MBSA \(Microsoft Baseline Security Analyzer\) - checks for available updates to the OS, SQL Server, .NET Framework, etc.

## Webserver Security Tools

* Syhunt helps automate web app security testing and guards.
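The "Detecting Hacking Attempts" countermeasure above (compare hash values of files on the server) and the "improper file/directory permissions" cause listed under Web Server Concepts, as one added example that is not part of the original guide: a Python audit that records a SHA-256 baseline of the web root, reports added, removed and modified files on later runs, and flags world-writable or leftover backup files. The web root layout, the baseline file path and the backup-suffix list are assumptions, and the demo tree is constructed in a temporary directory.

```python
"""Web root integrity and permission audit (added example, not from the guide).

Takes a hash baseline of the files under the web root, compares later runs
against it to catch added, removed or modified files, and flags the
permission problems the chapter lists (world-writable files, leftover backup
copies). Paths and the suffix list are assumptions; the demo tree is
constructed in a temporary directory, not a real server.
"""
import hashlib
import json
import os
import stat
import tempfile

BACKUP_SUFFIXES = (".bak", ".old", ".orig", "~", ".swp")  # assumed leftover-file patterns


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large assets do not load into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(webroot: str) -> dict:
    """Map each regular file (path relative to webroot) to its hash, size and mode."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, etc.
            rel = os.path.relpath(full, webroot)
            baseline[rel] = {"sha256": hash_file(full), "size": st.st_size,
                             "mode": stat.S_IMODE(st.st_mode)}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences into added, removed, modified and mode-changed files."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        if baseline[rel]["mode"] != current[rel]["mode"]:
            mode_changed.append(rel)
    return {"added": added, "removed": removed, "modified": modified, "mode_changed": mode_changed}


def permission_findings(webroot: str, current: dict) -> list:
    """Flag world-writable files/directories, setuid/setgid bits and leftover backup files."""
    findings = []
    for rel, info in sorted(current.items()):
        if info["mode"] & stat.S_IWOTH:
            findings.append((rel, "world-writable"))
        if info["mode"] & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid bit set"))
        if rel.endswith(BACKUP_SUFFIXES):
            findings.append((rel, "leftover backup/temp file served from web root"))
    for dirpath, _dirs, _files in os.walk(webroot):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            findings.append((os.path.relpath(dirpath, webroot), "world-writable directory"))
    return findings


def audit(webroot: str, baseline_path: str) -> dict:
    """Load (or on first run create) the baseline, diff it, and collect permission findings."""
    current = build_baseline(webroot)
    if os.path.exists(baseline_path):
        with open(baseline_path) as fh:
            baseline = json.load(fh)
    else:
        baseline = current  # first run: record the baseline, nothing to compare against
        with open(baseline_path, "w") as fh:
            json.dump(baseline, fh, indent=1)
    report = compare(baseline, current)
    report["permissions"] = permission_findings(webroot, current)
    return report


def demo() -> dict:
    """Constructed scenario: record a baseline, then simulate a defacement, a leftover file and a chmod."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(webroot, "js"))
        index, app = os.path.join(webroot, "index.html"), os.path.join(webroot, "js", "app.js")
        with open(index, "w") as fh:
            fh.write("<html>hello</html>")
        with open(app, "w") as fh:
            fh.write("console.log('ok')")
        os.chmod(index, 0o644)
        os.chmod(app, 0o644)
        baseline_file = os.path.join(tmp, "baseline.json")
        audit(webroot, baseline_file)  # first run records the baseline
        with open(index, "a") as fh:
            fh.write("<!-- defaced -->")  # modified content
        with open(os.path.join(webroot, "config.php.bak"), "w") as fh:
            fh.write("password=changeme")  # leftover file under the web root
        os.chmod(app, 0o666)  # now world-writable
        return audit(webroot, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```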
* N-Stalker is a scanner that searches for vulnerabilities

## Webserver Pen Testing

* Used to identify, analyze, and report vulnerabilities

-------------------------------------------------------------------------------- /evading-ids-firewalls-and-honeypots.md: --------------------------------------------------------------------------------
# Evading IDS, Firewalls, and Honeypots

> Objectives: Understanding IDS, firewall, and honeypot concepts; IDS, firewall and honeypot solutions; understanding different techniques to bypass IDS; understanding different techniques to bypass firewalls; IDS/firewall evading tools; understanding different techniques to detect honeypots; overview of IDS and firewall penetration testing

### IDS, Firewall, and Honeypot Concepts

* An IDS inspects all inbound and outbound network traffic for suspicious patterns that may indicate a network security breach
  * Checks traffic for signatures that match known intrusion patterns
  * Anomaly Detection \(behavior detection\)
  * Protocol Anomaly Detection
* Indications of Intrusions
  * System Intrusions
    * Presence of new files/programs
    * Changes in file permissions
    * Unexplained changes in file size
    * Rogue files
    * Unfamiliar file names in directories
    * Missing files
  * Network Intrusions
    * Repeated probes of the available services on your machines
    * Connections from unusual locations
    * Repeated login attempts from remote hosts
    * Arbitrary data in log files
* Firewall Architecture
  * Bastion Host
    * A computer system designed and configured to protect network resources from attack
  * Screened Subnet
    * Also known as the DMZ; contains hosts that offer public services.
The DMZ zone responds only to public requests and has no hosts accessed by the private network
  * Multi-homed Firewall
    * A firewall with two or more interfaces
  * DeMilitarized Zone \(DMZ\)
    * A network that serves as a buffer between the internal secure network and the insecure internet
    * Can be created using a firewall with three or more main network interfaces
* Types of Firewall
  * Packet Filters: Work at the network layer of the OSI model. Can drop packets if needed
  * Circuit-Level Gateways: Work at the session layer. Information passed to a remote computer through a circuit-level gateway appears to have originated from the gateway. They monitor requests to create sessions and determine whether the session will be allowed; they allow or prevent data streams
  * Application-Level Gateways: App-level proxies can filter packets at the application layer of the OSI model
  * Stateful Multilayer Inspection Firewalls: Combine aspects of the other three types of firewalls
* Honeypot
  * An information system resource that is expressly set up to attract and trap people who attempt to penetrate an organization's network
  * A honeypot can log port access attempts, monitor an attacker's keystrokes, show early signs of attack, etc.
  * 2 Types of Honeypots
    * Low-interaction Honeypots: Simulate only a limited number of services and apps. Cannot be compromised
    * High-interaction Honeypots: Simulate all services and apps. Can be completely compromised by attackers.
      * Capture complete information about an attack vector, such as attack techniques

## IDS Tools

* Snort

## Evading IDS

* Insertion Attack: The IDS blindly believes and accepts the packet
* Evasion: The end system accepts a packet that the IDS rejects. The attacker is exploiting the host computer
* DoS Attack: The attacker's intrusion attempts will not be logged
* Obfuscating: Encoding the attack payload in a way that the target computer understands but the IDS does not \(polymorphic code, etc.\)
* False Positive Generation: Attackers with knowledge of the target IDS craft packets just to generate alerts, causing the IDS to generate a large number of false positive alerts, then use this to hide real attack traffic
* Session Splicing
* Unicode Evasion Technique: Attackers can convert attack strings to Unicode characters to avoid pattern and signature matching at the IDS
* Fragmentation Attack: Attackers keep sending fragments with 15-second delays until the whole attack payload is reassembled at the target system
* TTL attacks require the attacker to have prior knowledge of the topology of the victim's network
* Invalid RST Packets
  * Sends an RST packet with an invalid checksum; the host discards it and keeps communicating, even though the IDS thinks that the communication has ended
* Urgency Flag
  * A URG flag in the TCP header is used to mark data that requires urgent processing
  * Many IDSs do not address the URG pointer
* Polymorphic Shellcode: Most IDSs contain signatures for commonly used strings within shellcode. This can be bypassed by using encoded shellcode containing a stub that decodes the shellcode
* App Layer Attacks: An IDS cannot verify the signature of a compressed file

## Evading Firewalls

* Port Scanning is used to identify open ports and the services running on those ports
  * Open ports can be further probed to identify the version of the services, which helps in finding vulnerabilities in those services
* Firewalking: A technique that uses TTL values to determine gateway ACL filters
  * The attacker sends a TCP or UDP packet to the targeted firewall with a TTL set to one hop greater than the firewall's hop count
* Banner Grabbing: Banners are service announcements provided by services in response to connection requests, and often carry vendor version information
* IP address spoofing as a trusted machine
* Source Routing: Allows the sender of a packet to partially or completely specify the route of the packet through a network, going around a firewall
* Tiny Fragments: Forcing some of the TCP packet's header information into the next fragment
* ICMP Tunneling: Allows tunneling a backdoor shell in the data portion of ICMP echo packets
* ACK Tunneling: Allows tunneling a backdoor application with TCP packets that have the ACK bit set
* HTTP Tunneling Method: Allows attackers to perform various internet tasks despite restrictions imposed by firewalls. The method can be implemented if the target company has a public web server with port 80 used for HTTP traffic

## Detecting Honeypots

* Attackers craft malicious probe packets to scan for services such as HTTP over SSL, SMTP over SSL, and IMAP
* Ports that show a particular service running but deny a three-way handshake indicate the presence of a honeypot

## Countermeasures

* Shut down switch ports associated with the known attack hosts
* Reset \(RST\) malicious TCP sessions

-------------------------------------------------------------------------------- /hacking-web-applications.md: --------------------------------------------------------------------------------
# Hacking Web Applications

> Objectives: Understanding web application concepts, understanding web app threats, understanding web app hacking methodology, web app hacking tools, understanding web app countermeasures, web app security tools, overview of web app pen testing

### Web App Concepts

* Web apps provide an interface between end users and web servers through a set of pages
* Web technologies such as Web 2.0 support critical business functions such as CRM and SCM

## Web App Threats

* Cookie Poisoning: By changing information in a cookie, attackers can bypass the authentication process
* Directory Traversal: Gives access to restricted directories
* Unvalidated Input: Tampering with HTTP requests, form fields, hidden fields, query strings, and so on.
Examples of these attacks include SQL injection, XSS, and buffer overflows
* Cross-Site Scripting: Bypassing client-ID mechanisms to gain privileges, injecting malicious scripts into web pages
* Injection Flaws: Injecting malicious code, commands, or scripts into the input gates of flawed apps
  * SQL Injection: A type of attack where attackers inject SQL commands via input data, and then tamper with the data
  * LDAP Injection: Used to obtain direct access to databases behind an LDAP tree
* Parameter/Form Tampering: Manipulates the parameters exchanged between client and server to modify app data such as user credentials and permissions.
* DoS: Intended to terminate operations
* Broken Access Control: A method in which the attacker identifies a flaw related to access control, bypasses the authentication, and then compromises the network
* Cross-Site Request Forgery: An attack in which an authenticated user is made to perform certain tasks on the web app that an attacker chooses.
* Information Leakage: Can cause great losses to a company.
* Improper Error Handling: It is important to define how a system or network should behave when an error occurs. Otherwise, an error may provide a chance for an attacker to break into the system. Improper error handling can lead to a DoS attack
* Log Tampering: Attackers can inject, delete, or tamper with app logs to hide their identities
* Buffer Overflow: Occurs when an app fails to guard its buffer properly and allows writing beyond its maximum size
* Broken Session Management: When credentials such as passwords are not properly secured
* Security Misconfigurations
* Broken Account Management: Account update, forgotten/lost password recovery/reset
* Insecure Storage: Users must maintain the proper security of their storage locations
* Platform Exploits: Each platform \(BEA WebLogic, ColdFusion\) has its own various vulnerabilities
* Insecure Direct Object References: When developers expose objects such as files or records, the result is an insecure direct object reference
* Insecure Cryptographic Storage: Sensitive data should be properly encrypted using cryptography. Some cryptographic techniques have inherent weaknesses, however
* Authentication Hijacking: Once an attacker compromises a system, user impersonation can occur
* Network Access Attacks: Can allow levels of access that standard HTTP app methods could not grant
* Cookie Snooping
* Web Services Attack: Web services are based on XML protocols such as SOAP \(Simple Object Access Protocol\) for communication between web services
* Insufficient Transport Layer Protection
* Hidden Manipulation
* DMZ Protocol Attacks
* Unvalidated Redirects and Forwards
* Failure to Restrict URL Access
* Obfuscation Application
* Security Management Exploits
* Session Fixation Attack: The attacker tricks the user into accessing a genuine web server using an explicit session ID value. The attacker then assumes the identity of the victim and exploits the credentials on the server
* Malicious File Execution

## Hacking Methodology

* Hackers first footprint the web infrastructure
  * Server discovery, location
  * Service Discovery: Scan ports
  * Banner grabbing: A footprinting technique to obtain sensitive information about the target. They can analyze the server response to certain requests \(server identification\)
  * Detecting web app firewalls and proxies on the target site
    * Use the TRACE method for a proxy, and the cookie response for a firewall
  * Hidden Content Discovery: Web spidering automatically finds hidden content
* Launch web server attacks to exploit identified vulnerabilities, launch DoS
* Attacking authentication mechanisms
  * Username enumeration
    * Verbose failure messages, predictable user names
  * Cookie Exploitation
    * Poisoning \(tampering\), sniffing, replay
  * Session Attack
    * Session prediction, brute forcing, poisoning
  * Password Attack:
    * Guessing, brute force
* Authorization attack: Finds legitimate accounts, then slowly escalates privileges
* Attack Session Management Mechanism: Session management involves exchanging sensitive information between server and clients. If session management is insecure, an attacker can take advantage of the flawed session management
* Bypassing authentication controls
* Perform injection attacks: Exploiting a vulnerable input validation mechanism implementation
* Attack Data Connectivity: Attacking the database connection that forms the link between a database server and its client software
  * Connection string injection: The attacker injects parameters into a connection string. CSPP attacks \(Connection String Parameter Pollution attacks\).
  * Connection Pool DoS: The attacker examines connection pooling settings, constructs a large SQL query, and runs multiple queries simultaneously to consume all connections

## Countermeasures

* Encoding Schemes: Employ encoding schemes for data to safely handle unusual characters and binary data in the way you intend
  * Ex. Unicode encoding
* How to defend against SQL Injection attacks
  * Limit the length of user input
  * Perform input validation
* How to defend against XSS
  * Validate all headers, cookies, strings, and form fields. Use a firewall
* How to defend against DoS
  * Configure the firewall to deny ICMP traffic access
  * Perform thorough input validation
* How to defend against web services attacks
  * Multiple layers of protection

## Tools

* N-Stalker is an effective suite of web security assessment tools

## Pen Testing

1. Info Gathering
2. Config Management Testing
3. Authentication Testing
4. Session Management Testing
5. Authorization Testing
6. Data Validation Testing
7. DoS Testing
8. Web Services Testing
9. AJAX Testing
10. Use Kali Linux tools
11. Metasploit

-------------------------------------------------------------------------------- /sniffing.md: --------------------------------------------------------------------------------
# Sniffing

## Sniffing

> Objectives: Overview of sniffing concepts, understanding MAC attacks, understanding DHCP attacks, understanding ARP poisoning, understanding MAC spoofing attacks, understanding DNS poisoning, sniffing tools, sniffing countermeasures, understanding various techniques to detect sniffing, overview of sniffing pen testing

### Sniffing Concepts

* Sniffing is the process of monitoring and capturing all data packets passing through a given network using sniffing tools \(a form of wiretap\)
* Many enterprise switch ports are open
  * Anyone in the same physical location can plug into the network with an Ethernet cable
* How a sniffer works
  * The sniffer turns the NIC of a system to promiscuous mode so that it listens to all the data transmitted on its segment
  * Each computer has a MAC address and an IP address
* Passive sniffing means sniffing through a hub \(involves sending no packets\); on a hub, traffic is sent to all ports
  * Most modern networks use switches
* Active Sniffing: Searches for traffic on a switched LAN by actively injecting traffic into the LAN. Involves injecting Address Resolution Protocol \(ARP\) packets into the network
* Protocols vulnerable to sniffing:
  * HTTP, Telnet and Rlogin, POP, IMAP, SMTP and NNTP
* Sniffers operate at the Data Link layer of the OSI model
* Hardware Protocol Analyzer: Equipment that captures signals without altering the traffic in a cable segment
  * Can be used to monitor traffic.
Allows the attacker to see individual data bytes
* SPAN Port: A port which is configured to receive a copy of every packet that passes through a switch
* Wiretapping: The process of monitoring telephone and internet conversations by a third party
  * Via connecting a listening device \(hardware or software\) to the circuit
  * Active Wiretapping: Monitors, records, and injects something into the communication or traffic
  * Passive Wiretapping: Only monitors and records the traffic and gains knowledge of the data it contains
  * Lawful interception: Legally intercepting data communication

## MAC Attacks

* Each switch has a fixed-size dynamic content addressable memory \(CAM table\)
* The CAM table stores information such as the MAC addresses available on physical ports
* If the CAM table is flooded with more MAC addresses than it can hold, then the switch turns into a hub
  * Attackers exploit this
* Switch Port Stealing: Uses MAC flooding to sniff the packets
* How to defend against MAC attacks: Use port security to restrict inbound traffic to only a selected set of MAC addresses and limit MAC flooding attacks

## DHCP Attacks

* DHCP servers maintain TCP/IP configuration information \(provide leases\)
* DHCP starvation attack: The attacker broadcasts forged DHCP requests and tries to lease all DHCP addresses available in the DHCP scope
  * As a result, legitimate users are unable to obtain or renew an IP address
* Rogue DHCP: A rogue DHCP server in the network responds to DHCP requests with bogus IP addresses
* How to defend against DHCP starvation and rogue server attacks: Enable port security for DHCP starvation, and enable DHCP snooping, which allows the switch to accept DHCP transactions only from a trusted port

## ARP Poisoning

* Address Resolution Protocol \(ARP\) is a stateless protocol used for resolving IP addresses to machine \(MAC\) addresses
* All network devices broadcast ARP queries in the network to find a machine's MAC address
* When one machine needs to communicate with another, it looks up the ARP table. If the entry is not there, an ARP\_REQUEST is broadcast over the network
* ARP packets can be forged
* ARP spoofing involves constructing a large number of forged ARP requests
  * The switch is set in 'forwarding mode' after the ARP table is flooded with spoofed ARP replies
* Attackers flood a target computer's ARP cache with forged entries, which is also known as poisoning
* ARP spoofing is a method of attacking an Ethernet LAN
* Using fake ARP messages, an attacker can divert all communications between two machines so that all traffic is exchanged via his/her PC
* ARP Tools: Cain & Abel, WinArpAttacker
* How to defend: Implement Dynamic ARP Inspection, DHCP snooping, XArp spoofing detection

## Spoofing

* An attacker can sniff the network for MAC addresses, then spoof them to receive all the traffic destined for the user. This allows the attacker to gain access to the network
* IRDP spoofing: ICMP Router Discovery Protocol allows hosts to discover the IP addresses of active routers.
  * The attacker sends a spoofed IRDP router advertisement message to the host on the subnet, causing it to change its default router
* How to defend: DHCP snooping, Dynamic ARP Inspection, IP Source Guard

## DNS Poisoning

* DNS poisoning is a technique that tricks a DNS server into believing that it has received authentic information when it really has not
  * Results in substitution of a false IP address
  * The attacker can create fake DNS entries
* Intranet DNS spoofing: The attacker must be connected to the LAN and able to sniff. Works well against switches when ARP poisoning the router.
* Internet DNS spoofing: The attacker infects a machine with a trojan and changes its DNS IP to that of the attacker
* Proxy Server DNS poisoning: The attacker sends a trojan to the machine that changes the host's proxy server settings in Internet Explorer to the attacker's, redirecting to a fake website
* DNS Cache Poisoning: Refers to altering or adding forged DNS records in the DNS resolver cache so that a DNS query is redirected to a malicious site
* How to defend: Resolve all DNS queries to a local DNS server, block DNS requests from going to external servers, configure the firewall to restrict external DNS lookups, implement an IDS and deploy it correctly, implement DNSSEC

## Sniffing Tools

* Wireshark

## Counter-Measures

* Restrict physical access
* Use encryption
* Permanently add the MAC address of the gateway to the ARP cache
* Use static IP addresses
* Turn off network ID broadcasts
* Use IPv6
* Use HTTPS instead of HTTP
* Use a switch rather than a hub
* Use SFTP instead of FTP

## Sniffing Detection Techniques

* Run an IDS and notice if the MAC addresses of certain machines have changed
* Check which machines are running in promiscuous mode
  * Promiscuous mode allows a network device to intercept and read each network packet
  * Only a machine in promiscuous mode caches the ARP information
  * A machine in promiscuous mode replies to the ping message as it has correct information about the host sending the ping request

## Sniffing Pen Testing

* A sniffing pen test is used to check whether the data transmission from an org is secure from sniffing and interception attacks

-------------------------------------------------------------------------------- /hacking-wireless-networks.md: --------------------------------------------------------------------------------
# Hacking Wireless Networks

> Objectives: Understanding wireless concepts, understanding wireless encryption algorithms, understanding wireless threats, understanding wireless hacking methodology, wireless hacking tools, understanding Bluetooth hacking techniques, understanding wireless hacking countermeasures, overview of wireless penetration testing

### Wireless Concepts

* GSM: Universal system used for mobile transportation for wireless networks worldwide
* Bandwidth: Describes the amount of information that may be broadcast over a connection
* BSSID: The MAC address of an access point that has set up a basic service set
* ISM band: A set of frequencies for the international industrial, scientific, and medical communities
* Access Point: Used to connect wireless devices to a wireless network
* Hotspot: Places where a wireless network is available for public use
* Association: The process of connecting a wireless device to an access point
* Orthogonal Frequency Division Multiplexing: A method of encoding digital data on multiple carrier frequencies
* Direct-Sequence Spread Spectrum: The original data signal is multiplied with a pseudo-random noise spreading code
* Frequency-Hopping Spread Spectrum \(FHSS\): A method of transmitting radio signals by rapidly switching a carrier among many frequency channels
* Wireless Networks
  * WiFi refers to the IEEE 802.11 standard
  * SSID \(service set identifier\)
  * Open System Authentication Process: In an open system, any wireless client that wants to access a WiFi network sends a request to the wireless AP for authentication.
  * Shared Key Authentication Process: In this process, each wireless station receives a shared secret key over a secure channel that is distinct from the 802.11 communication channels.
* Centralized Authentication server \(RADIUS\)
* WiFi Chalking
  * WarChalking: drawing symbols in public places to advertise open Wi-Fi networks
* Types of Wireless Antennas
  * Directional Antennas: used to broadcast and receive radio waves from a single direction
  * Omni-Directional Antennas: provide 360-degree horizontal broadcasts; used in wireless base stations
  * Parabolic Grid Antenna: based on the idea of a satellite dish. Can pick up Wi-Fi signals from ten miles or more away
  * Yagi Antenna: unidirectional antenna
  * Dipole Antenna: bi-directional antenna, used to support client connections rather than site-to-site applications
  * Parabolic grid antennas let attackers attack from farther away \(10 miles!\)

## Wireless Encryption

* WEP \(Wired Equivalent Privacy\): weakest encryption. Uses a 24-bit initialization vector; 64-bit WEP uses a 40-bit key, etc.
  * Can use Cain & Abel to crack
* WPA \(Wi-Fi Protected Access\): stronger encryption with TKIP
  * The keys can be brute-forced offline
  * Defend by using stronger passphrases
* WPA2: stronger data protection with AES
  * WPA2 Personal uses a pre-shared key to protect access
  * WPA2 Enterprise includes EAP or RADIUS for centralized authentication with Kerberos, etc.

## Wireless Threats

* Access Control Attacks: aim to penetrate a network by evading WLAN access control measures, such as AP MAC filters and Wi-Fi port access controls
* Integrity Attacks: sending forged control, management, or data frames over a wireless network
* Confidentiality Attacks: attempt to intercept confidential information sent over wireless associations
* Availability Attacks: DoS
* Authentication Attacks: steal the identity of Wi-Fi clients, their PII, logins, etc. to gain unauthorized access to network resources
* Rogue Access Point Attack: hijacking connections and acting as a man in the middle, sniffing traffic
* Client Mis-Association: the attacker sets up a rogue access point outside of the corporate perimeter and lures the organization's employees to connect to it
* Misconfigured Access Point Attack: accidental configuration mistakes that an attacker can exploit
* Ad Hoc Connection Attack: Wi-Fi clients in ad-hoc mode communicate directly and do not require an AP to relay packets. An attacker can attack the OS directly, since the encryption is weak
* Honeyspot Access Point Attack: the attacker takes advantage of multiple WLANs in an area and uses the same SSID
* AP MAC Spoofing: the hacker spoofs the MAC address of WLAN client equipment to masquerade as an authorized client
* Jamming Signal Attack: high-gain amplifier

## Wireless Hacking Methodology

1. Wi-Fi Discovery: discover the Wi-Fi network
2. GPS Mapping: attackers create a map of the discovered Wi-Fi networks and build a database
3. Wireless Traffic Analysis: identify vulnerabilities, Wi-Fi reconnaissance, tools for packet capture and analysis
4. Launch Wireless Attacks
   1. Fragmentation Attack: can obtain 1500 bytes of PRGA data that can be used for injection attacks
   2. MAC Spoofing: attackers change their MAC address to that of an authenticated user to bypass the MAC filtering configured on an access point
   3. Denial of Service: deauthentication and disassociation attacks
   4. Man-in-the-middle attack \(MITM\): the attacker spoofs their MAC, sends deauth requests, and then places themselves in the middle
   5. Wireless ARP poisoning attack
   6. Rogue Access Point: wireless APs an attacker installs on a network without authorization; not under the management of the network administrator and not configured with any security
   7. Evil Twin: replicates another wireless AP's name via a common SSID
5. Crack Wi-Fi encryption
   1. Crack WEP using Aircrack
   2. Crack WPA-PSK using Aircrack
   3. WEP cracking using Cain & Abel
6. Compromise the Wi-Fi Network

* What is spectrum analysis
  * RF spectrum analyzers examine Wi-Fi radio transmissions and measure power \(amplitude\)
  * Employ statistical analysis to plot spectral usage
  * Can be used for DoS attacks

## Bluetooth Hacking

* Exploitation of Bluetooth stack implementation vulnerabilities
* Bluesmacking: DoS attack which overflows Bluetooth-enabled devices with random packets, causing the device to crash
* Bluejacking: sending unsolicited messages over Bluetooth to Bluetooth-enabled devices such as mobile phones, laptops, etc.
* Bluesnarfing: theft of information from a wireless device through a Bluetooth connection
* Blue Sniff: proof-of-concept code for a Bluetooth wardriving utility
* Bluebugging: remotely accessing a Bluetooth-enabled device and using its features
* BluePrinting: collecting information about Bluetooth-enabled devices such as manufacturer, device model, and firmware
* MAC spoofing attack: intercepting data intended for other Bluetooth-enabled devices
* MITM: modifying data between Bluetooth-enabled devices communicating on a piconet
* Bluetooth Modes:
  * Discoverable, Limited Discoverable \(timed\), Non-discoverable
* Pairing Modes
  * Non-pairable mode: rejects every pairing request
  * Pairable mode: will pair upon request

## Countermeasures

* How to defend against Bluetooth hacking
  * Use non-regular patterns as PIN keys
  * Keep the device in non-discoverable mode
  * Keep a check on all paired devices
  * Always enable encryption

## Wireless Security Tools

* Wireless Intrusion Prevention Systems
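The two checks a wireless intrusion prevention system runs most often map directly onto the threats listed above: an evil twin advertising a managed SSID from an unknown BSSID, and a deauthentication/disassociation flood. The following is an added example, not code from the original notes; it assumes a sensor has already parsed monitor-mode captures into simple frame records, and the `AUTHORIZED` inventory and the capture are constructed for illustration.

```python
"""Minimal wireless IDS logic over 802.11 management-frame records.

Added example; not code from the original notes. It assumes a sensor that
already parsed monitor-mode captures into (timestamp, subtype, BSSID, SSID)
records; the capture below is constructed, and the AUTHORIZED inventory is a
hypothetical list a defender would maintain.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MgmtFrame:
    ts: float              # capture time, seconds
    subtype: str           # "beacon", "probe_resp", "deauth", "disassoc"
    bssid: str             # transmitter address
    ssid: Optional[str]    # SSID in beacons/probe responses, else None


# Hypothetical inventory: SSID -> set of legitimate BSSIDs
AUTHORIZED = {"corp-wifi": {"00:11:22:33:44:55", "00:11:22:33:44:66"}}


def find_rogue_aps(frames, authorized=AUTHORIZED):
    """Evil twin / rogue AP: a managed SSID advertised by a BSSID not in the inventory."""
    rogue = set()
    for f in frames:
        if f.subtype in ("beacon", "probe_resp") and f.ssid in authorized:
            if f.bssid not in authorized[f.ssid]:
                rogue.add((f.ssid, f.bssid))
    return sorted(rogue)


def find_deauth_floods(frames, window=1.0, threshold=10):
    """Deauth/disassoc DoS: more than `threshold` frames from one BSSID within any
    `window` seconds. Returns {bssid: peak count seen in a window}."""
    per_bssid = defaultdict(list)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            per_bssid[f.bssid].append(f.ts)
    floods = {}
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > threshold:
                floods[bssid] = max(floods.get(bssid, 0), count)
    return floods


def analyze(frames):
    return {"rogue_aps": find_rogue_aps(frames), "deauth_floods": find_deauth_floods(frames)}


def constructed_capture():
    """Constructed sample: two legitimate APs, one evil twin that also floods deauths."""
    frames = [
        MgmtFrame(0.0, "beacon", "00:11:22:33:44:55", "corp-wifi"),
        MgmtFrame(0.1, "beacon", "00:11:22:33:44:66", "corp-wifi"),
        MgmtFrame(0.2, "beacon", "de:ad:be:ef:00:01", "corp-wifi"),    # same SSID, unknown BSSID
        MgmtFrame(0.3, "beacon", "aa:aa:aa:aa:aa:01", "guest-cafe"),   # not a managed SSID, ignored
        MgmtFrame(5.0, "deauth", "00:11:22:33:44:55", None),           # normal, isolated
        MgmtFrame(20.0, "deauth", "00:11:22:33:44:66", None),
    ]
    frames += [MgmtFrame(10.0 + i * 0.03, "deauth", "de:ad:be:ef:00:01", None) for i in range(15)]
    return frames


if __name__ == "__main__":
    print(analyze(constructed_capture()))
```

Two caveats worth keeping in mind: without 802.11w protected management frames, deauth and disassoc frames are unauthenticated and any station can forge them, so this logic detects the flood but only PMF (where clients support it) prevents it; and the evil-twin check is only as good as the BSSID inventory, so an attacker who also spoofs an authorized BSSID (the AP MAC spoofing threat above) needs signal-strength or radio-fingerprint cues to catch.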
--------------------------------------------------------------------------------
/scanning-networks.md:
--------------------------------------------------------------------------------

# Scanning Networks

## Overview of Network Scanning

* Network scanning refers to a set of procedures for identifying hosts, ports, and services in a network
* Network scanning is one of the components of intelligence gathering that an attacker uses to create a profile of the target organization
* Types of scanning
  1. Port scanning \(lists the open ports and services\)
  2. Network scanning \(lists IP addresses\)
  3. Vulnerability scanning \(shows the presence of known weaknesses\)
* TCP communication flags \(control the transmission of data\)
  * URG \(urgent\): data contained in the packet should be processed immediately
  * PSH \(push\): sends all buffered data immediately
  * FIN \(finish\): there will be no more transmissions
  * ACK \(acknowledgement\): acknowledges receipt of a packet
  * RST \(reset\): resets a connection
  * SYN \(synchronization\): initiates a connection between hosts

## Techniques for Live Systems

1. ICMP Scanning: ping scans involve sending ICMP ECHO requests to a host. If the host is live, it returns an ICMP ECHO reply
2. Useful for locating active devices and for checking whether ICMP is passing through the firewall
3. A ping sweep is used to determine the live hosts from a range of IP addresses
4. Attackers calculate subnet masks using subnet mask calculators
5. Attackers then use the ping sweep to create an inventory of live systems in the subnet

## Techniques for Ports

1. Simple Service Discovery Protocol \(SSDP\) works in conjunction with UPnP to detect plug-and-play devices on a network
2. Vulnerabilities in UPnP may allow attackers to launch buffer overflow or DoS attacks
3. Scanning IPv6 networks is computationally less feasible due to the larger search space \(128 bits\)
4. Network admins can use Nmap for network inventory, managing service upgrade schedules, and monitoring host or service uptime
5. Attackers use Nmap to extract info such as live hosts on the network, services, type of packet filters/firewalls, operating systems, and OS versions
6. Hping2/Hping3: command-line network scanning and packet crafting tools for the TCP/IP protocol
   1. Can be used for network security auditing and firewall testing
7. TCP connect scan detects when a port is open by completing the three-way handshake
   1. TCP connect scan establishes a full connection and tears it down by sending an RST packet
   2. It does not require superuser privileges
8. Attackers send TCP probe packets with TCP flags \(FIN, URG, PSH\) set or with no flags. No response means the port is open; RST means the port is closed
9. In an Xmas scan, attackers send a TCP frame to a remote device with the FIN, URG, and PUSH flags set
   1. Won’t work against any current version of Microsoft Windows
10. Attackers can send an ACK probe packet with a random sequence number: no response means the port is filtered \(a stateful firewall is present\) and an RST response means the port is not filtered
11. A port is considered open if an application is listening on the port
    1. Most web servers are on port 80 and mail servers on 25
    2. One way to determine whether a port is open is to send a “SYN” \(session establishment\) packet to the port
       1. The target machine will then send back a SYN\|ACK packet if the port is open, and an RST \(reset\) packet if the port is closed
    3. IDLE Scan
       1. Uses a zombie computer. A zombie machine is one that assigns IP IDs to packets incrementally
       2. Can retrieve the IPID number for IP address spoofing
12. UDP Scanning: there is no three-way TCP handshake for a UDP scan. When a UDP port is open, the system does not respond with a message. When a UDP port is closed, the system responds with an ICMP port unreachable message. Spyware, Trojan horses, and other apps use UDP ports
13. There are port scanners for mobile as well
14. Port scanning countermeasures
    1. Configure firewall and IDS rules to detect and block probes
    2. Run port scanning tools against hosts to determine whether the firewall properly detects port scanning activity
    3. Ensure the mechanisms used for routing and filtering at the routers and firewalls respectively cannot be bypassed
    4. Ensure the router, IDS, and firewall firmware are updated
    5. Use a custom rule set to lock down the network and block unwanted ports
    6. Filter all ICMP messages at the firewalls and routers
    7. Perform TCP and UDP scanning
    8. Ensure that anti-scanning and anti-spoofing rules are configured

## Various IDS Evasion Techniques

1. Evasion techniques: fragmented IP packets, spoofing IP addresses, source routing, connecting through proxy servers
2. Lower the frequency of packets, split them into parts

## Understanding Banner Grabbing

1. An attacker uses banner grabbing techniques to identify network hosts running versions of applications and OSs with known exploits
2. Banner grabbing or OS fingerprinting is the method of determining the operating system running on a remote target system. There are two types
   1. Active Banner Grabbing: specially crafted packets are sent to the remote OS and the responses are noted, then compared with a database to determine the OS
   2. Passive Banner Grabbing: sniffing the network traffic. Banner grabbing from error messages and banner grabbing from page extensions \(stealthy\)
3. Identifying the OS allows an attacker to figure out the vulnerabilities present on a remote target system
4. An attacker uses banner grabbing to identify the OS used on the target host and thus determine the system's vulnerabilities
5. Tools like Netcat read and write data across network connections
6. Countermeasures for banner grabbing
   1. Display false banners
   2. Turn off unnecessary services
   3. Use ServerMask
7. Hide file extensions from web pages

## Vulnerability Scanning

1. Vulnerability scanning identifies vulnerabilities and weaknesses of a system
2. Nessus is a vulnerability and configuration assessment product

## Network Mapping

1. A network diagram helps in analyzing the complete network topology
2. Drawing the target’s network diagram shows the logical or physical path to a potential target. It shows the network and its architecture to the attacker

## Understanding Proxies

1. Proxy servers serve as intermediaries for connecting with other computers
   1. Hide the source IP
   2. Chain multiple proxies to avoid detection
2. Many hackers use proxies to hide their identity so they cannot be traced. Logs record the proxy’s address rather than the attacker’s
3. Burp Suite includes an intercepting proxy, which lets you inspect and modify traffic between your browser and the target app. Popular
4. Anonymizers remove all identifying information from a user’s computer while the user surfs the internet
5. Tails is a live operating system that a user can start on any computer from a DVD, USB stick, or SD card
6. Hping2 can be used for IP spoofing
7. IP spoofing countermeasures
   1. Encrypt all network traffic
   2. Use multiple firewalls
   3. Do not rely on IP-based authentication
   4. Use random initial sequence numbers
   5. Ingress filtering: use routers and firewalls at the network perimeter to filter incoming packets that appear to come from an internal IP address
   6. Egress filtering: filter all outgoing packets with an invalid local IP address as the source address
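The first port scanning countermeasure above, IDS rules that detect probes, comes down to two signals: the flag combinations no normal client sends (Xmas, NULL, FIN-only, bare ACK probes) and one source touching many distinct ports on a host in a short time. The following is an added example, not code from the original notes; it assumes packets have already been decoded into simple records, and the capture is constructed.

```python
"""Port-scan detection from TCP probe records, in the style of an IDS rule.

Added example; not code from the original notes. It assumes packets have
already been decoded into (timestamp, src, dst, dport, TCP flags) records;
the capture below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import FrozenSet


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    flags: FrozenSet[str]   # TCP flag names; empty for a NULL probe


def probe_kind(flags):
    """Label a probe by its flag combination; None means it looks like normal traffic."""
    f = set(flags)
    if f == {"FIN", "URG", "PSH"}:
        return "xmas"
    if not f:
        return "null"
    if f == {"FIN"}:
        return "fin"
    if f == {"SYN"}:
        return "syn"        # a bare SYN is also a normal connection attempt; volume decides
    if f == {"ACK"}:
        return "ack"        # ACK probe used to map stateful filtering
    return None


def detect_scans(packets, window=5.0, min_ports=10):
    """Return {src: {(dst, kind): peak distinct ports}} for sources that probed at
    least `min_ports` distinct ports on one host within `window` seconds."""
    events = defaultdict(list)                       # (src, dst, kind) -> [(ts, dport)]
    for p in packets:
        kind = probe_kind(p.flags)
        if kind:
            events[(p.src, p.dst, kind)].append((p.ts, p.dport))
    alerts = defaultdict(dict)
    for (src, dst, kind), ev in events.items():
        ev.sort()
        start = 0
        for end in range(len(ev)):                   # sliding time window
            while ev[end][0] - ev[start][0] > window:
                start += 1
            ports = {dport for _, dport in ev[start:end + 1]}
            if len(ports) >= min_ports:
                alerts[src][(dst, kind)] = max(alerts[src].get((dst, kind), 0), len(ports))
    return {src: dict(v) for src, v in alerts.items()}


def constructed_capture():
    """Constructed sample: one scanner doing SYN and Xmas sweeps, one ordinary client."""
    pkts = []
    for i in range(20):      # SYN probes to 20 distinct ports within 2 s
        pkts.append(Packet(100.0 + i * 0.1, "10.0.0.99", "10.0.0.5", 1 + i, frozenset({"SYN"})))
    for i in range(12):      # Xmas probes to 12 distinct ports
        pkts.append(Packet(200.0 + i * 0.1, "10.0.0.99", "10.0.0.5", 100 + i,
                           frozenset({"FIN", "URG", "PSH"})))
    for i in range(30):      # legitimate client: many SYNs, but only to ports 80 and 443
        pkts.append(Packet(300.0 + i, "10.0.0.7", "10.0.0.5", 80 if i % 2 else 443, frozenset({"SYN"})))
    return pkts


if __name__ == "__main__":
    print(detect_scans(constructed_capture()))
```

The thresholds are the weak point, and they connect to the IDS evasion list that follows: a scan slowed below `min_ports` probes per `window` (the "lower the frequency of packets" technique) never trips the rule, so production detectors keep longer-lived per-source counters and accept the extra false positives that come with them.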
## Penetration Testing: Scanning

1. Pen testing a network determines the network's security posture by identifying live systems, discovering open ports, associating services, and grabbing system banners to simulate a network hacking attempt
2. Here’s how to conduct a pen test of a target network
   1. Host Discovery: detect live hosts on the target network. It is difficult to detect live hosts behind a firewall \(Nmap, Angry IP Scanner, Colasoft\)
   2. Port Scanning: check for open ports \(Nmap, NetScan\)
   3. Banner Grabbing or OS Fingerprinting: determine the OS running on the target host
   4. Scan the network for vulnerabilities \(Nessus\)
   5. Draw network diagrams that help you understand the logical connections
   6. Prepare proxies: hide yourself from detection
   7. Document all findings

--------------------------------------------------------------------------------
/hacking-mobile-platforms.md:
--------------------------------------------------------------------------------

# Hacking Mobile Platforms

> Objectives: understanding mobile platform attack vectors, understanding various Android threats and attacks, understanding various iOS threats and attacks, understanding various Windows Phone OS threats and attacks, understanding various BlackBerry threats and attacks, understanding mobile device management \(MDM\), mobile security guidelines and security tools, overview of mobile pen testing

## Mobile Platform Attack Vectors

* OWASP Mobile Top 10 Risks
  * Insecure Data Storage
    * Assumes malware won't enter the system. Jailbreaking bypasses encryption
  * Unintended Data Leakage
    * When a user places sensitive data in a location accessible to other apps
  * Broken Cryptography
    * Weak encryption algorithms. Users should use AES or 3DES algorithms
  * Security Decision via Untrusted Inputs
    * Apps use protection mechanisms dependent on input values \(cookies, environment variables, hidden form fields\), but these input values can be altered by an attacker to bypass the protection mechanism
  * Lack of Binary Protections: a lack of binary protections in a mobile app exposes it and its owner to a wide variety of technical and business risks. Must use countermeasures such as
    * Secure coding techniques
    * Jailbreak detection controls
    * Checksum controls
    * Certificate pinning controls
* Anatomy of a Mobile Attack
  * The device -> the network -> the data center
  * Clickjacking: tricking users into clicking something different from what they think they are clicking. Attackers obtain sensitive info or take control of the device
  * Framing: a web page integrated into another web page using iFrame elements in HTML
  * Drive-By Downloading: unintended download of software from the internet. Android is affected by this attack
  * Man in the Middle: the attacker implants malicious code on the victim's mobile device
  * Buffer Overflows: writing more data to a buffer than it can hold
  * Data Caching: caches on mobile devices are used to interact with web apps; attackers attempt to exploit the data caches
  * Phone/SMS-based attacks
    * Baseband attacks: exploiting vulnerabilities in the phone’s GSM/3GPP baseband processor, which sends and receives signals to towers
    * SMiShing: a type of phishing where the attacker uses an SMS text message to link to a malicious site
    * RF \(radio frequency\) attacks: exploit vulnerabilities found on the different peripheral communication channels normally used for nearby device-to-device communications
  * Application-based attacks
    * Sensitive Data Storage: some apps employ weak security in their database architecture, which makes them targets for attackers to hack and steal the sensitive user information stored in them
    * No encryption/weak encryption: apps that transmit data unencrypted or weakly encrypted are susceptible to attacks such as session hijacking
    * Improper SSL validation: security loopholes in an app's SSL validation process may allow attackers to circumvent the data security
    * Config Manipulation: apps may use external files and libraries; modifying those entities or affecting the app’s capability to use them results in a config manipulation attack
    * Dynamic Runtime Injection: attackers manipulate and abuse the runtime of an app to circumvent security locks and logic checks, access privileged parts of an app, and steal data
    * Unintended Permissions: misconfigured apps can at times open doors to attackers by providing unintended permissions
    * Escalated privileges: attackers engage in privilege escalation attacks, which take advantage of design flaws, programming errors, bugs, or config oversights to gain access to resources
  * OS-based attacks
    * iOS Jailbreaking: removing security mechanisms set by Apple to prevent malicious code
    * Android Rooting: allows users to attain privileged control \(root access\) within Android's subsystem
      * Passwords and data become accessible
    * Carrier-loaded software: pre-installed software or apps on devices may contain vulnerabilities that an attacker can exploit to perform malicious activities such as deleting, modifying, or stealing data on the device, or eavesdropping on calls
    * Zero-day exploits: launch an attack by exploiting a previously unknown vulnerability in a mobile OS or app
  * The network-based points of attack
    * Wi-Fi \(weak encryption or no encryption\)
    * Rogue Access Points: attackers install an illicit wireless access point by physical means, which allows them to access a protected network by hijacking the connections of network users
    * Man in the Middle \(MITM\): attackers eavesdrop on existing network connections between two systems
    * SSLStrip: a type of MITM attack which exploits vulnerabilities in the SSL/TLS implementation
    * Session Hijacking: attackers steal valid session IDs
    * DNS Poisoning: attackers exploit DNS servers to redirect website users to another website of the attacker’s choice
    * Fake SSL certificates: fake SSL certs represent another kind of MITM attack. The attacker issues a fake SSL cert to intercept traffic on a supposedly secure HTTPS connection
  * The Data Center
    * Two main points of entry: the web server and the database
    * Web server-based attacks
      * Platform vulnerabilities: exploiting vulnerabilities in the OS, server software, or app modules running on the web server
      * Server Misconfiguration
      * XSS
      * CSRF
      * Weak Input Validation
      * Brute-Force Attacks
    * Database Attacks
      * SQL Injection
      * Data Dumping
      * OS command execution
      * Privilege Escalation
* Sandboxing: helps protect systems and users by limiting the resources the app can access on the mobile platform; however, malicious apps may exploit vulnerabilities

## Hacking Android OS

* The device administration API provides device administration features at the system level
* Rooting allows Android users to attain privileged control \(root access\)
  * Involves exploiting security vulnerabilities in the device firmware
* Securing Android Devices:
  * Enable screen locks
  * Don't root your device
  * Download apps only from the Android Market
  * Keep the device updated with Google software
  * Do not directly download APK files
  * Update the OS regularly
  * Use a free protector app
* Google Apps Device Policy: allows a domain admin to set security policies for your Android device

## Hacking iOS

* Layers of the OS
  * Cocoa Touch: key framework that helps in building iOS apps. Defines appearance and basic services such as touch
  * Media: contains the graphics, audio, and video technology experienced in apps
  * Core Services: contains fundamental system services for apps
  * Core OS: low-level features on which most other technologies are built
* Jailbreak types: tethered \(the kernel must be patched again upon restart\) and untethered

## Hacking Windows Phone

## Hacking Blackberry

* Malicious Code Signing: BlackBerry apps must be signed by RIM. An attacker can obtain code-signing keys for a malicious app and post it in the store
* JAD file exploits: a JAD file allows a user to go through app details and decide whether to download the app. However, attackers create spoofed .jad files to trick users
* PIM Data Attacks: PIM \(personal information manager\) data includes address books, calendars, and tasks
  * Malicious apps can delete or modify this data
* TCP/IP Connection Vulnerabilities: if the device firewall is off, signed apps can open TCP connections without the user being prompted
  * Malicious apps create a reverse connection with the attacker, enabling them to use the infected device as a TCP proxy and gain access to the organization’s internal resources
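The OWASP item "Security Decision via Untrusted Inputs" in the attack vectors section above is easiest to see in code. The following is an added example, not code from the original notes or from OWASP: a mobile backend that grants a privileged action based on a role field the client sends, beside two server-side fixes (a session lookup, and an HMAC-bound token for state that must travel through the client). The request dicts, `SESSIONS`, and `SERVER_KEY` are constructed for illustration.

```python
"""Authorization decided by untrusted client input, and two server-side fixes.

Added example; not code from the original notes. The request dicts stand in
for what a mobile app sends; SESSIONS and SERVER_KEY are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Constructed server-side state
SESSIONS = {"s-123": {"user": "alice", "role": "user"},
            "s-456": {"user": "bob", "role": "admin"}}
SERVER_KEY = secrets.token_bytes(32)   # in practice a managed secret, never shipped inside the app


def can_export_vulnerable(request):
    """Weak: the role arrives in the request body, which the client fully controls
    (the same flaw as trusting a cookie or hidden form field)."""
    return request.get("role") == "admin"


def can_export_hardened(request, sessions=SESSIONS):
    """Fixed: the role is looked up from server-side session state keyed by an
    opaque session id; nothing the client sends can change it."""
    session = sessions.get(request.get("session_id"))
    return session is not None and session["role"] == "admin"


def issue_token(claims, key=SERVER_KEY):
    """If state must travel through the client, bind it with an HMAC so any edit is detected."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body.hex() + "." + tag


def verify_token(token, key=SERVER_KEY):
    """Return the claims only if the HMAC matches; None for malformed or tampered tokens."""
    try:
        body_hex, tag = token.split(".", 1)
        body = bytes.fromhex(body_hex)
    except ValueError:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


def demo():
    tampered = {"session_id": "s-123", "role": "admin"}   # alice's session with an edited role field
    good = issue_token({"user": "alice", "role": "user"})
    # a token minted without the server key, which is all a tampering client can produce
    forged = issue_token({"user": "alice", "role": "admin"}, key=b"not-the-server-key")
    return {
        "vulnerable_grants": can_export_vulnerable(tampered),
        "hardened_grants": can_export_hardened(tampered),
        "admin_session_ok": can_export_hardened({"session_id": "s-456"}),
        "good_token": verify_token(good),
        "forged_token": verify_token(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The rule the example encodes is that every value the device can hand the server (cookies, hidden fields, JSON bodies, URL parameters) is an input, never a decision; decisions are made from state the server owns or from client-carried state whose integrity the server can verify.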
## Mobile Device Management \(MDM\)

* MDM provides platforms for over-the-air or wired distribution of applications, data, and configuration settings for all types of mobile devices: smartphones, tablets, etc.
* Helps implement enterprise-wide policies and reduce support costs
* Can manage both company-owned and BYOD devices

## Mobile Security Guidelines and Tools

* General Guidelines
  * Do not load too many apps and avoid auto-upload of photos to social networks
  * Perform a security assessment of the application architecture
  * Maintain configuration control and management
  * Install apps from trusted app stores
  * Securely wipe or delete the data before disposing of the device
  * Ensure Bluetooth is off by default
  * Do not share location within GPS-enabled apps
  * Never connect to two separate networks such as Wi-Fi and Bluetooth simultaneously

--------------------------------------------------------------------------------
/system-hacking.md:
--------------------------------------------------------------------------------

---
description: >-
  System hacking is one of the most important and sometimes the ultimate goal of an
  attacker.
---

# System Hacking

## System Hacking

### Information at hand before the system hacking stage

1. Footprinting: IP range, namespace, employees
2. Scanning module: target assessment, identified systems, identified services
3. Enumeration: intrusive probing, user lists, security flaws

### System Hacking Goals:

1. Gaining Access - password cracking, social engineering
2. Escalating Privileges \(get other passwords\) - exploiting known system vulnerabilities
3. Executing Applications \(backdoors\) - Trojans, spyware, backdoors, keyloggers
4. Hiding Files - rootkits, steganography
5. Covering Tracks - clearing logs

## Cracking Passwords

* Password cracking techniques are used to recover passwords from computer systems
* Attackers use password cracking techniques to gain unauthorized access
* Most cracks are successful due to guessable passwords
* Types of password attacks
  * Non-electronic attacks: the attacker does not need technical knowledge to crack the password \(looking at the keyboard/screen, convincing people, trash bins, etc.\)
  * Active Online Attacks: the attacker performs cracking by directly communicating with the victim machine \(dictionary, brute force, rule-based - some info known\)
  * Passive Online Attacks: cracking without communicating with the other party
  * Offline Attacks: the attacker copies the password file and tries to crack it
* Default passwords are set by the manufacturer
* Trojans can collect usernames and passwords and send them to the attacker; they run in the background
* Can use a USB drive for a physical approach
* Hash Injection Attack: the attacker injects a compromised hash into a local session and then uses it to authenticate to network resources. The attacker finds and extracts a logged-on domain admin account hash
* Passive Online Attack: Wire Sniffing
  * Packet sniffer tools on the LAN
  * Captured data may include sensitive information such as passwords
  * Sniffed credentials are used to gain unauthorized access
* Rainbow table attack
  * A precomputed table which contains word lists like dictionary files and brute force lists, together with their hash values
  * Compare the hashes
  * Easy to recover passwords by comparing captured password hashes to the precomputed tables
* Offline Attack: Distributed Network Attack \(DNA\)
  * A DNA technique is used for recovering passwords from hashes or password-protected files using the unused processing power of machines across the network to decrypt passwords
* Microsoft Authentication
  * Windows stores passwords in the Security Accounts Manager \(SAM\) database, or in the Active Directory database in domains. They are hashed
  * NTLM Authentication
    * NTLM authentication protocol types
    * LM authentication protocol
    * These protocols store the user’s password in the SAM database using different hashing methods
  * Kerberos Authentication
    * Microsoft has upgraded its default authentication protocol
* Password Salting
  * Random strings of characters are added to the password before calculating its hash
  * Advantage: salting makes it more difficult to reverse hashes
* Use password crackers like L0phtCrack, Cain & Abel, RainbowCrack
* Enable SYSKEY with a strong password to encrypt and protect the SAM database
while an administrator 70 | * Countermeasures: restrict interactive login privileges, use least privilege policy, implement multi-factor, run services as unprivileged accounts, patch systems regularly, use encryption technique, reduce amount of code, perform debugging 71 | 72 | ## Executing Applications 73 | 74 | * Attackers execute malicious programs remotely in the victim's machine to gather information 75 | * Backdoors 76 | * Crackers 77 | * Keyloggers 78 | * Spyware 79 | * Software like RemoteExec can remotely install software, execute programs/scripts 80 | * There are hardware and software keystroke loggers \(USB vs App\) 81 | * Spyware 82 | * Records user’s interaction 83 | * Hides its process 84 | * Hidden component of freeware program 85 | * Gather info about victim or organization 86 | * GPS spyware also exists 87 | * Countermeasures for Keyloggers 88 | * Pop-up blocker 89 | * anti-spyware/virus 90 | * Firewall software 91 | * Anti-keylogging software 92 | * Recognize phishing emails and delete 93 | * Choose new passwords for different online accounts 94 | * Avoid opening junk emails 95 | * There are Anti-keyloggers out there 96 | * Rootkits are programs that hide their presence and an attacker's malicious activities, granting them full access to the server or host at the time or in future 97 | * Typical Rootkit has backdoor programs, DDos programs, packet sniffers, log-wiping utilities, IRC bots, etc 98 | * 6 Types of Rootkits 99 | * Hypervisor Level Rootkit: Acts as hypervisor and modifies boot sequence of the computer to load the host OS as a virtual machine. 
100 | * Boot Loader level rootkit: replaces original boot loader with one controlled by attacker 101 | * Hardware/Firmware Rootkit: Hides in hardware devices or platform firmware which is not inspected for code integrity 102 | * Application level rootkit: replaces regular application binaries with fake trojan, or modifies the behavior of existing applications 103 | * Kernel Level Rootkit: Adds malicious code or replaces original OS kernel and device driver codes 104 | * Library Level Rootkits: Replaces original system calls with fake ones to hide information about attacker 105 | * Detecting Rootkits 106 | * Integrity-Based detection: compares a snapshot of the filesystem,boot records, or memory 107 | * Signature-based technology: compares characteristics of all system processes and executable files with a database of known rootkit fingerprints 108 | * Heuristic/Behavior based detection: any deviations in the systems normal activity 109 | * Runtime Execution path profiling: compares runtime execution paths of all system processes before and after rootkit infection 110 | * Cross View-Based detection: enumerates key elements in the computer system such as system files, processes, and registry keys and compares them to an algorithm to generate a similar data set that does not rely on common APIs 111 | * NTFS Data Stream 112 | * NTFS alternate data stream \(ADS\) is a windows hidden stream which contains metadata for the file such as attributes, word count, author name, access and modification time of files 113 | * Using NTFS stream, an attacker can almost completely hide files within the system. 
114 | * You can hide a file side another file \(trojan in a readme.txt\) 115 | * Countermeasures: use a third party file integrity checker 116 | * Steganography 117 | * Steganography is a technique of hiding a secret message within an ordinary message and extracting it at the destination 118 | * Utilizing a graphic image as a cover is the most popular method to conceal the data in files 119 | * Attackers can use steganography to hide messages such as list of compromised servers, source code for the hacking tools, plans for future attacks, etc 120 | * Technical Steganography: invisible ink/microdots, physical methods to hide 121 | * Linguistic Steganography: Type that hides the message in another file 122 | * Semagrams: use of symbols to hide information 123 | * Least Significant bit insertion: The rightmost bit of a pixel is called the LSB 124 | * Masking and Filtering: Making technique hides data similar to watermarks on actual paper. Can be detection with simple statistical analysis. Mostly in grayscale images. 125 | * Algorithms and Transformation 126 | * Hide data in mathematical functions used in compression algorithms 127 | * Data is embedded by changing the coefficients of a transform of an image 128 | * Audio steganography - information in hidden frequency 129 | * Steganalysis 130 | * Art of discovering and rendering covert messages using steganography. 
It attacks steganography efforts 131 | 132 | ## Covering Tracks 133 | 134 | * Techniques used for covering tracks 135 | * Disable Auditing: disabling audit features of target system 136 | * Clearing logs: attacker clears/delete the system log entries for their activities 137 | * Manipulating logs: Manipulates logs in a way they won't be caught in legal actions 138 | * If system is exploited with metasploit, attacker uses meterpreter shell to wipe logs 139 | 140 | ## Penetration Testing 141 | 142 | * Password Cracking 143 | * Privilege Escalation 144 | * Execute Applications 145 | * Hiding Files 146 | * Covering Tracks 147 | 148 | -------------------------------------------------------------------------------- /malware-threats.md: -------------------------------------------------------------------------------- 1 | # Malware Threats 2 | 3 | ## Malware Threats 4 | 5 | * Malware is a malicious software that damages or disables computer systems and give limited control or full control of the systems to the attacker for the purpose of theft or fraud 6 | * Examples of Malware: Trojan Horse, Backdoor, Rootkit, Ransomware, Adware, Virus, Worms, Spyware, Botnet, Crypter 7 | * Common techniques attackers use to distribute malware: Blackhat SEO, Social Engineer Clickjacking, Spear Phishing sites, Malvertising, Compromised legitimate websites, Drive by downloads on browser vulnerabilities 8 | 9 | ## Trojan Concepts 10 | 11 | * A trojan is a program which the malicious or harmful code is contained inside an apparently harmless program or in such a way it can get control and cause damage, such as ruining a file allocation table on your hard disk 12 | * Trojans get activated upon user’s certain predefined actions, and conduct abnormal activities on the system 13 | * When a trojan is installed, they attacker can basically do anything to your computer 14 | * How to infect systems using a trojan 15 | * Create a new trojan packet using a trojan horse construction kit 16 | * Create a 
dropper, which is part in a trojanized packet that installs the malicious code on the target system 17 | * A wrapper binds a trojan executable with an innocent looking .EXE application such as games or office applications. When an EXE is executed, it first installs the trojan in the background. 18 | * Attackers use crypters to hide viruses, spyware, keyloggers to make them undetectable by antivirus 19 | * Attackers can deploy a trojan by creating a malicious link/email attachments 20 | * Exploit kit: Platform to deliver exploits and payloads such as trojans, backdoors, bots, buffer overflow scripts,etc 21 | * Evading Anti-Virus Techniques: 22 | * Break the trojan file into multiple pieces and zip them as a single file 23 | * ALWAYS write your own Trojan, and embed it into an application 24 | * Change the Trojans Syntax 25 | * Convert EXE to VB script 26 | * Change the content of the Trojan using Hex Editor and also change the checksum and encrypt the file 27 | * Never use trojans downloaded from the web \(antivirus can detect these easily\) 28 | * Command shell trojans give remote control of a command shell 29 | * Trojan server is installed on the victim’s machine, which opens a port for attacker to connect. 30 | * Defacement Trojans: Can destroy or change entire content present in a database. Much more dangerous when attackers target websites 31 | * Botnet Trojans: infect a large number of computers to create a network of bots\(chewbacca\) 32 | * Proxy Server Trojans: Converts user’s computer into proxy servers, thus making them accessible to specific attackers. 33 | * VNC Trojan: VNC trojan starts a VNC server daemon in the infected systems. 
  The attacker can then connect to the victim using any VNC viewer
* HTTP/HTTPS Trojans: bypass the firewall by spawning a child program; the child program appears to be a user to the firewall
* ICMP Tunneling
  * Covert channels are methods by which an attacker can hide data inside a protocol in a way that is hard to detect
  * They rely on a technique called tunneling, which allows one protocol to be carried inside another protocol. Very stealthy
* Remote Access Trojans: provide attackers with full control over the victim's system
* E-Banking Trojans: intercept a victim's account information before it is encrypted
  * Steal the victim's data, such as credit card information
* Notification Trojans: send the victim's IP address to the attacker
  * Whenever the victim's computer connects to the internet, the attacker receives the notification

## Viruses and Worm Concepts

* Virus: a self-replicating program that produces its own copy by attaching itself to another program, computer boot sector or document
  * Transmitted through downloads, infected flash drives, email attachments
* Stages of a virus's life
  * Design: creating the virus
  * Replication: replicating the virus on the target system
  * Launch: launching/running the virus \(.exe file\)
  * Detection: the target system identifies the virus
  * Incorporation: anti-virus software is updated
  * Elimination: users install the anti-virus update to eliminate the virus
* Indications of a virus attack: abnormal activities \(slowness, anti-virus alerts, folders missing, etc.\)
* There are many fake anti-viruses that are actually viruses
* Ransomware restricts access to computer files until a sum is paid
* Boot Sector Viruses: move the MBR to another location on the hard disk
* File Viruses: infect files which are executed or interpreted on the system, such as COM, EXE, SYS, OVL, OBJ, MNU and BAT files
* Multipartite Viruses: infect the system boot sector and the executable files at the same time \(a hybrid of the two types above\)
* Macro Viruses: infect files created by Microsoft Word or Excel. Most of these are written in the macro language Visual Basic for Applications \(VBA\)
  * Infect templates, and convert infected documents into template files
* Cluster Viruses: modify directory table contents so that user and system processes are pointed to the virus code instead of the actual program
  * There is only one copy of the virus on the disk, infecting all the programs in the computer system
  * Will launch itself first when any program on the computer system is started
* Stealth/Tunneling Viruses: evade anti-virus software by intercepting its requests to the operating system
  * The virus can return an uninfected version of the file to the anti-virus software, so it appears as if the file is "clean"
* Encryption Viruses: use simple encryption to encipher the code. The virus is encrypted with a different key for each infected file. AV scanners cannot directly detect these types of viruses using signature detection methods
* Polymorphic Code: code that mutates while keeping the original algorithm intact. Well-written polymorphic code has no parts that stay the same on each infection
* Metamorphic Viruses: rewrite themselves completely each time they infect a new executable
  * Can reprogram themselves by translating their own code into a temporary representation and then back to the normal code again
* File Overwriting or Cavity Viruses: overwrite a part of the host file that is constant \(usually nulls\), without increasing the length of the file, and preserve its functionality
* Sparse Infector Viruses: infect only occasionally, or only files whose length falls within a narrow range. By infecting less often, they try to minimize the probability of being discovered
* Companion/Camouflage Viruses: create a companion file for each executable file the virus infects.
  Therefore, a companion virus may save itself as notepad.com, and every time the user executes notepad.exe \(the good program\), the computer will load the virus notepad.com and infect the system
* Shell Viruses: the virus code forms a shell around the target host program's code, making itself the original program and the host code its sub-routine. Almost all boot program viruses are shell viruses
* File Extension Viruses: change the extensions of files. Ex. .TXT is a safe file. The virus file is BAD.TXT.VBS but will only show up as bad.txt. When opened, a script executes.
* Add-on Viruses: append their code to the host code without making any changes to the latter, or relocate the host code to insert their own code at the beginning
* Intrusive Viruses: overwrite the host code partly or completely with the viral code
* Transient/Direct Action Viruses: transfer all control of the host code to where the virus resides in memory. The virus runs when the host code is run, and terminates itself or exits memory as soon as host code execution ends
* Terminate and Stay Resident Viruses: remain permanently in memory during the entire work session, even after the host program is executed and terminated. Removed only by rebooting the system.
* Computer Worms: malicious programs that replicate, execute, and spread across network connections independently, without human interaction.
  Most are created only to replicate and spread, but some have payloads
  * Attackers use payloads to install backdoors, which turn infected machines into zombies for a botnet
  * A worm is a special type of malware that can replicate itself and use memory, but cannot attach itself to other programs
  * A worm takes advantage of file or information transport features on a computer and spreads through the infected network

## Malware Reverse Engineering

* Sheep dipping refers to the analysis of suspect files and incoming messages for malware
  * A sheep dip computer is installed with port monitors, file monitors, network monitors and antivirus software, and connects to a network only under strictly controlled conditions
* Anti-Virus Sensor Systems: a collection of computer software that detects and analyzes malicious code threats
* Malware Analysis Procedure:
  * Perform static analysis while the malware is inactive
  * Collect information on the string values found in the binary with tools
  * Set up the network connection and check that there are no errors
  * Run the virus and monitor the process actions and system information with the help of Process Monitor/Process Explorer
  * Record network traffic information using monitoring tools \(TCPView, NetResident\)
  * Determine the files added, processes spawned, and changes to the registry with tools
  * Collect service requests and DNS table information, and attempts at incoming and outgoing connections, using tools

## Malware Detection

* Trojans open unused ports on the victim's machine to connect back to trojan handlers
  * Look for connections established to unknown or suspicious IP addresses
  * You can use a port monitoring tool
* Scanning for Suspicious Processes
  * Trojans camouflage themselves as genuine Windows services
  * Some trojans use Portable Executable \(PE\) injection to inject themselves into various processes
  * Processes are visible but may look like legitimate processes, which helps bypass desktop firewalls
  * Trojans can also use rootkit methods to hide their processes
  * Use process monitoring tools to detect hidden trojans and backdoors
* Trojans are installed along with device drivers downloaded from untrusted sources
  * Scan suspicious drivers and verify they are genuine and downloaded from the publisher's original site
* Trojans normally modify the system's files and folders. Use these tools to detect changes
  * SIGVERIF: checks the integrity of critical files digitally signed by Microsoft
  * FCIV: computes MD5 or SHA-1 cryptographic hashes for files
  * TRIPWIRE: system integrity verifier that scans critical system files and reports changes
* Scanning for suspicious network activities
  * Trojans connect back to handlers and send confidential info to attackers
  * Use network scanners
* Virus Detection Methods
  * The anti-virus executes the malicious code in an emulated environment to simulate its behaviour. Effective for dealing with encrypted and polymorphic viruses
  * Heuristic Analysis: can be static or dynamic. In static analysis, the anti-virus examines the file format and code structure to determine whether the code is viral.
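The file-integrity check behind the FCIV and Tripwire bullets above, in working form. This is an added example, not code from the original guide: it snapshots SHA-256 hashes of a directory tree into a baseline, re-hashes the tree later and reports files that were added, removed or modified. Every path and file content in the demo is constructed; `system32` here is a temporary directory, not the real one.

```python
"""Baseline-and-verify file integrity check (FCIV/Tripwire style).

A trojan that patches a system binary, drops a new driver or deletes a
file shows up as a 'modified', 'added' or 'removed' entry.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    # SHA-256 rather than MD5/SHA-1: both older algorithms have known collisions
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (path relative to root, POSIX separators) to hash and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots: 'modified' means same path, different hash."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current)
        if baseline[p]["sha256"] != current[p]["sha256"]
    )
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, dest: Path) -> None:
    # In practice keep the baseline off the monitored host: malware that can
    # write to this file can simply re-baseline its own changes.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: snapshot a fake system dir, simulate a trojan, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "system32"  # constructed path, not the real directory
        (root / "drivers").mkdir(parents=True)
        (root / "notepad.exe").write_bytes(b"MZ legit notepad")
        (root / "drivers" / "disk.sys").write_bytes(b"MZ disk driver")
        (root / "hosts").write_text("127.0.0.1 localhost\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulate what a trojan leaves behind: a patched binary, a dropped
        # driver and a deleted file.
        (root / "notepad.exe").write_bytes(b"MZ legit notepad + injected stub")
        (root / "drivers" / "evil.sys").write_bytes(b"MZ not a driver")
        (root / "hosts").unlink()

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```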
  * In dynamic analysis, the AV performs code emulation

## Counter-Measures

* Trojan Countermeasures
  * Avoid opening email attachments from unknown senders
  * Block unnecessary ports
  * Avoid accepting programs transferred by instant messaging
  * Harden weak default configurations and disable unused functionality, including protocols/services
  * Monitor internal network traffic for odd ports
  * Avoid downloading and executing apps from untrusted sources
  * Install security updates
  * Scan CDs and DVDs with antivirus software
  * Restrict permissions within the desktop environment
  * Manage local workstation file integrity
  * Run host-based antivirus
* Backdoor Countermeasures
  * Anti-virus software
  * Educate users not to download from untrusted sites

## Anti-Malware Software

Norton, McAfee, Nessus, etc.

--------------------------------------------------------------------------------
/resources.md:
--------------------------------------------------------------------------------

# Resources

## Network

### Scanning / Pentesting

* [OpenVAS](http://www.openvas.org/) - OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
* [Metasploit Framework](https://github.com/rapid7/metasploit-framework) - A tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, shellcode archive and related research.
* [Kali](https://www.kali.org/) - Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing.
  Kali Linux is preinstalled with numerous penetration-testing programs, including nmap \(a port scanner\), Wireshark \(a packet analyzer\), John the Ripper \(a password cracker\), and Aircrack-ng \(a software suite for penetration-testing wireless LANs\).
* [pig](https://github.com/rafael-santiago/pig) - A Linux packet crafting tool.
* [scapy](https://github.com/secdev/scapy) - Scapy: the python-based interactive packet manipulation program & library.
* [Pompem](https://github.com/rfunix/Pompem) - Pompem is an open source tool which is designed to automate the search for exploits in major databases. Developed in Python, it has an advanced search system, thus facilitating the work of pentesters and ethical hackers. In its current version, it performs searches in the databases Exploit-db, 1337day, Packetstorm Security...
* [Nmap](https://nmap.org) - Nmap is a free and open source utility for network discovery and security auditing.
* [Amass](https://github.com/caffix/amass) - Amass performs DNS subdomain enumeration by scraping the largest number of disparate data sources, recursive brute forcing, crawling of web archives, permuting and altering names, reverse DNS sweeping and other techniques.

### Monitoring / Logging

* [justniffer](http://justniffer.sourceforge.net/) - Justniffer is a network protocol analyzer that captures network traffic and produces logs in a customized way, can emulate Apache web server log files, track response times and extract all "intercepted" files from the HTTP traffic.
* [httpry](http://dumpsterventures.com/jason/httpry/) - httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real time, displaying the traffic as it is parsed, or as a daemon process that logs to an output file.
  It is written to be as lightweight and flexible as possible, so that it can be easily adapted to different applications.
* [ngrep](http://ngrep.sourceforge.net/) - ngrep strives to provide most of GNU grep's common features, applying them to the network layer. ngrep is a pcap-aware tool that will allow you to specify extended regular or hexadecimal expressions to match against data payloads of packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF filter logic in the same fashion as more common packet sniffing tools, such as tcpdump and snoop.
* [passivedns](https://github.com/gamelinux/passivedns) - A tool to collect DNS records passively to aid incident handling, Network Security Monitoring \(NSM\) and general digital forensics. PassiveDNS sniffs traffic from an interface or reads a pcap file and outputs the DNS server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in memory, limiting the amount of data in the log file without losing the essence of the DNS answer.
* [sagan](http://sagan.quadrantsec.com/) - Sagan uses a 'Snort-like' engine and rules to analyze logs \(syslog/event log/snmptrap/netflow/etc.\).
* [Node Security Platform](https://nodesecurity.io/) - Similar feature set to Snyk, but free in most cases, and very cheap for others.
* [ntopng](http://www.ntop.org/products/traffic-analysis/ntop/) - Ntopng is a network traffic probe that shows the network usage, similar to what the popular top Unix command does.
* [Fibratus](https://github.com/rabbitstack/fibratus) - Fibratus is a tool for exploration and tracing of the Windows kernel. It is able to capture most of the Windows kernel activity: process/thread creation and termination, file system I/O, registry, network activity, DLL loading/unloading and much more.
  Fibratus has a very simple CLI which encapsulates the machinery to start the kernel event stream collector, set kernel event filters or run the lightweight Python modules called filaments.

### IDS / IPS / Host IDS / Host IPS

* [Snort](https://www.snort.org/) - Snort is a free and open source network intrusion prevention system \(NIPS\) and network intrusion detection system \(NIDS\) created by Martin Roesch in 1998. Snort is now developed by Sourcefire, of which Roesch is the founder and CTO. In 2009, Snort entered InfoWorld's Open Source Hall of Fame as one of the "greatest \[pieces of\] open source software of all time".
* [Bro](https://www.bro.org/) - Bro is a powerful network analysis framework that is much different from the typical IDS you may know.
* [OSSEC](https://ossec.github.io/) - Comprehensive open source HIDS. Not for the faint of heart. Takes a bit to get your head around how it works. Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response. It runs on most operating systems, including Linux, MacOS, Solaris, HP-UX, AIX and Windows. Plenty of reasonable documentation. Sweet spot is medium to large deployments.
* [Suricata](http://suricata-ids.org/) - Suricata is a high performance network IDS, IPS and network security monitoring engine. Open source and owned by a community-run non-profit foundation, the Open Information Security Foundation \(OISF\). Suricata is developed by the OISF and its supporting vendors.
* [Security Onion](http://blog.securityonion.net/) - Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
* [sshwatch](https://github.com/marshyski/sshwatch) - IPS for SSH similar to DenyHosts, written in Python. It can also gather information about the attacker during the attack in a log.
* [Stealth](https://fbb-git.github.io/stealth/) - File integrity checker that leaves virtually no sediment. The controller runs from another machine, which makes it hard for an attacker to know that the file system is being checked at defined pseudo-random intervals over SSH. Highly recommended for small to medium deployments.
* [AIEngine](https://bitbucket.org/camp0/aiengine) - AIEngine is a next generation interactive/programmable Python/Ruby/Java/Lua packet inspection engine with capabilities of learning without any human intervention, NIDS \(Network Intrusion Detection System\) functionality, DNS domain classification, network collector, network forensics and many others.
* [Denyhosts](http://denyhosts.sourceforge.net/) - Thwart SSH dictionary-based attacks and brute force attacks.
* [Fail2Ban](http://www.fail2ban.org/wiki/index.php/Main_Page) - Scans log files and takes action on IPs that show malicious behavior.
* [SSHGuard](http://www.sshguard.net/) - Software to protect services in addition to SSH, written in C.
* [Lynis](https://cisofy.com/lynis/) - An open source security auditing tool for Linux/Unix.

### Honey Pot / Honey Net

* [awesome-honeypots](https://github.com/paralax/awesome-honeypots) - The canonical awesome honeypot list.
* [HoneyPy](https://github.com/foospidy/HoneyPy) - HoneyPy is a low to medium interaction honeypot. It is intended to be easy to: deploy, extend functionality with plugins, and apply custom configurations.
* [Dionaea](https://www.edgis-security.org/honeypot/dionaea/) - Dionaea is meant to be a nepenthes successor, embedding python as scripting language, using libemu to detect shellcodes, supporting ipv6 and tls.
* [Conpot](http://conpot.org/) - ICS/SCADA honeypot.
  Conpot is a low-interaction server-side Industrial Control Systems honeypot designed to be easy to deploy, modify and extend. By providing a range of common industrial control protocols we created the basics to build your own system, capable of emulating complex infrastructures to convince an adversary that he just found a huge industrial complex. To improve the deceptive capabilities, we also provided the possibility to serve a custom human machine interface to increase the honeypot's attack surface. The response times of the services can be artificially delayed to mimic the behaviour of a system under constant load. Because we are providing complete stacks of the protocols, Conpot can be accessed with productive HMIs or extended with real hardware. Conpot is developed under the umbrella of the Honeynet Project and on the shoulders of a couple of very big giants.
* [Amun](https://github.com/zeroq/amun) - Amun Python-based low-interaction honeypot.
* [Glastopf](http://glastopf.org/) - Glastopf is a honeypot which emulates thousands of vulnerabilities to gather data from attacks targeting web applications. The principle behind it is very simple: reply with the correct response to the attacker exploiting the web application.
* [Kippo](https://github.com/desaster/kippo) - Kippo is a medium interaction SSH honeypot designed to log brute force attacks and, most importantly, the entire shell interaction performed by the attacker.
* [Kojoney](http://kojoney.sourceforge.net/) - Kojoney is a low level interaction honeypot that emulates an SSH server. The daemon is written in Python using the Twisted Conch libraries.
* [HonSSH](https://github.com/tnich/honssh) - HonSSH is a high-interaction honeypot solution. HonSSH will sit between an attacker and a honeypot, creating two separate SSH connections between them.
* [Bifrozt](http://sourceforge.net/projects/bifrozt/) - Bifrozt is a NAT device with a DHCP server that is usually deployed with one NIC connected directly to the Internet and one NIC connected to the internal network. What differentiates Bifrozt from other standard NAT devices is its ability to work as a transparent SSHv2 proxy between an attacker and your honeypot. If you deployed an SSH server on Bifrozt's internal network it would log all the interaction to a TTY file in plain text that could be viewed later, and capture a copy of any files that were downloaded. You would not have to install any additional software, compile any kernel modules or use a specific version or type of operating system on the internal SSH server for this to work. It will limit outbound traffic to a set number of ports and will start to drop outbound packets on these ports when certain limits are exceeded.
* [HoneyDrive](http://bruteforce.gr/honeydrive) - HoneyDrive is the premier honeypot Linux distro. It is a virtual appliance \(OVA\) with Xubuntu Desktop 12.04.4 LTS edition installed. It contains over 10 pre-installed and pre-configured honeypot software packages such as the Kippo SSH honeypot, Dionaea and Amun malware honeypots, Honeyd low-interaction honeypot, Glastopf web honeypot and Wordpot, Conpot SCADA/ICS honeypot, Thug and PhoneyC honeyclients and more. Additionally it includes many useful pre-configured scripts and utilities to analyze, visualize and process the data it can capture, such as Kippo-Graph, Honeyd-Viz, DionaeaFR, an ELK stack and much more. Lastly, almost 90 well-known malware analysis, forensics and network monitoring related tools are also present in the distribution.
* [Cuckoo Sandbox](http://www.cuckoosandbox.org/) - Cuckoo Sandbox is open source software for automating analysis of suspicious files. To do so it makes use of custom components that monitor the behavior of the malicious processes while running in an isolated environment.
* [T-Pot Honeypot Distro](http://dtag-dev-sec.github.io/mediator/feature/2017/11/07/t-pot-17.10.html) - T-Pot is based on the network installer of Ubuntu Server 16/17.x LTS. The honeypot daemons as well as other support components being used have been containerized using docker. This allows us to run multiple honeypot daemons on the same network interface while maintaining a small footprint and constraining each honeypot within its own environment. Installation over vanilla Ubuntu: [T-Pot Autoinstall](https://github.com/dtag-dev-sec/t-pot-autoinstall) - This script will install T-Pot 16.04/17.10 on a fresh Ubuntu 16.04.x LTS \(64bit\). It is intended to be used on hosted servers, where an Ubuntu base image is given and there is no ability to install custom ISO images. Successfully tested on vanilla Ubuntu 16.04.3 in VMware.

### Full Packet Capture / Forensic

* [tcpflow](https://github.com/simsong/tcpflow) - tcpflow is a program that captures data transmitted as part of TCP connections \(flows\), and stores the data in a way that is convenient for protocol analysis and debugging. Each TCP flow is stored in its own file. Thus, the typical TCP flow will be stored in two files, one for each direction. tcpflow can also process stored 'tcpdump' packet flows.
* [Xplico](http://www.xplico.org/) - The goal of Xplico is to extract the application data contained in an internet traffic capture. For example, from a pcap file Xplico extracts each email \(POP, IMAP, and SMTP protocols\), all HTTP contents, each VoIP call \(SIP\), FTP, TFTP, and so on. Xplico isn't a network protocol analyzer. Xplico is an open source Network Forensic Analysis Tool \(NFAT\).
* [Moloch](https://github.com/aol/moloch) - Moloch is an open source, large scale IPv4 packet capturing \(PCAP\), indexing and database system. A simple web interface is provided for PCAP browsing, searching, and exporting.
  APIs are exposed that allow PCAP data and JSON-formatted session data to be downloaded directly. Simple security is implemented by using HTTPS and HTTP digest password support or by using apache in front. Moloch is not meant to replace IDS engines but instead to work alongside them to store and index all the network traffic in standard PCAP format, providing fast access. Moloch is built to be deployed across many systems and can scale to handle multiple gigabits/sec of traffic.
* [OpenFPC](http://www.openfpc.org) - OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. Its design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.
* [Dshell](https://github.com/USArmyResearchLab/Dshell) - Dshell is a network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.
* [stenographer](https://github.com/google/stenographer) - Stenographer is a packet capture solution which aims to quickly spool all packets to disk, then provide simple, fast access to subsets of those packets.

### Sniffer

* [wireshark](https://www.wireshark.org) - Wireshark is a free and open-source packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education. Wireshark is very similar to tcpdump, but has a graphical front-end, plus some integrated sorting and filtering options.
* [netsniff-ng](http://netsniff-ng.org/) - netsniff-ng is a free Linux networking toolkit, a Swiss army knife for your daily Linux network plumbing if you will. Its gain of performance is reached by zero-copy mechanisms, so that on packet reception and transmission the kernel does not need to copy packets from kernel space to user space and vice versa.
* [Live HTTP headers](https://addons.mozilla.org/de/firefox/addon/live-http-headers/) - Live HTTP headers is a free Firefox addon to see your browser requests in real time. It shows the entire headers of the requests and can be used to find security loopholes in implementations.

### Security Information & Event Management

* [Prelude](https://www.prelude-siem.org/) - Prelude is a universal "Security Information & Event Management" \(SIEM\) system. Prelude collects, normalizes, sorts, aggregates, correlates and reports all security-related events independently of the product brand or license giving rise to such events; Prelude is "agentless".
* [OSSIM](https://www.alienvault.com/open-threat-exchange/projects) - OSSIM provides all of the features that a security professional needs from a SIEM offering: event collection, normalization, and correlation.
* [FIR](https://github.com/certsocietegenerale/FIR) - Fast Incident Response, a cybersecurity incident management platform.

### VPN

* [OpenVPN](https://openvpn.net/) - OpenVPN is an open source software application that implements virtual private network \(VPN\) techniques for creating secure point-to-point or site-to-site connections in routed or bridged configurations and remote access facilities. It uses a custom security protocol that utilizes SSL/TLS for key exchange.

### Fast Packet Processing

* [DPDK](http://dpdk.org/) - DPDK is a set of libraries and drivers for fast packet processing.
* [PFQ](https://github.com/pfq/PFQ) - PFQ is a functional networking framework designed for the Linux operating system that allows efficient packet capture/transmission \(10G and beyond\), in-kernel functional processing and packet steering across sockets/end-points.
* [PF\_RING](http://www.ntop.org/products/packet-capture/pf_ring/) - PF\_RING is a new type of network socket that dramatically improves the packet capture speed.
* [PF\_RING ZC \(Zero Copy\)](http://www.ntop.org/products/packet-capture/pf_ring/pf_ring-zc-zero-copy/) - PF\_RING ZC \(Zero Copy\) is a flexible packet processing framework that allows you to achieve 1/10 Gbit line rate packet processing \(both RX and TX\) at any packet size. It implements zero copy operations including patterns for inter-process and inter-VM \(KVM\) communications.
* [PACKET\_MMAP/TPACKET/AF\_PACKET](http://lxr.free-electrons.com/source/Documentation/networking/packet_mmap.txt) - It's fine to use PACKET\_MMAP to improve the performance of the capture and transmission process in Linux.
* [netmap](http://info.iet.unipi.it/~luigi/netmap/) - netmap is a framework for high speed packet I/O. Together with its companion VALE software switch, it is implemented as a single kernel module and available for FreeBSD, Linux and now also Windows.

### Firewall

* [pfSense](https://www.pfsense.org/) - Firewall and router FreeBSD distribution.
* [OPNsense](https://opnsense.org/) - OPNsense is an open source, easy-to-use and easy-to-build FreeBSD based firewall and routing platform. OPNsense includes most of the features available in expensive commercial firewalls, and more in many cases. It brings the rich feature set of commercial offerings with the benefits of open and verifiable sources.
* [fwknop](https://www.cipherdyne.org/fwknop/) - Protects ports via Single Packet Authorization in your firewall.

### Anti-Spam

* [SpamAssassin](https://spamassassin.apache.org/) - A powerful and popular email spam filter employing a variety of detection techniques.

### Docker Images for Penetration Testing & Security

* `docker pull kalilinux/kali-linux-docker` - [official Kali Linux](https://hub.docker.com/r/kalilinux/kali-linux-docker/)
* `docker pull owasp/zap2docker-stable` - [official OWASP ZAP](https://github.com/zaproxy/zaproxy)
* `docker pull wpscanteam/wpscan` - [official WPScan](https://hub.docker.com/r/wpscanteam/wpscan/)
* `docker pull remnux/metasploit` - [docker-metasploit](https://hub.docker.com/r/remnux/metasploit/)
* `docker pull citizenstig/dvwa` - [Damn Vulnerable Web Application \(DVWA\)](https://hub.docker.com/r/citizenstig/dvwa/)
* `docker pull wpscanteam/vulnerablewordpress` - [Vulnerable WordPress Installation](https://hub.docker.com/r/wpscanteam/vulnerablewordpress/)
* `docker pull hmlio/vaas-cve-2014-6271` - [Vulnerability as a service: Shellshock](https://hub.docker.com/r/hmlio/vaas-cve-2014-6271/)
* `docker pull hmlio/vaas-cve-2014-0160` - [Vulnerability as a service: Heartbleed](https://hub.docker.com/r/hmlio/vaas-cve-2014-0160/)
* `docker pull opendns/security-ninjas` - [Security Ninjas](https://hub.docker.com/r/opendns/security-ninjas/)
* `docker pull diogomonica/docker-bench-security` - [Docker Bench for Security](https://hub.docker.com/r/diogomonica/docker-bench-security/)
* `docker pull ismisepaul/securityshepherd` - [OWASP Security Shepherd](https://hub.docker.com/r/ismisepaul/securityshepherd/)
* `docker pull danmx/docker-owasp-webgoat` - [OWASP WebGoat Project docker image](https://hub.docker.com/r/danmx/docker-owasp-webgoat/)
* `docker-compose build && docker-compose up` - [OWASP NodeGoat](https://github.com/owasp/nodegoat#option-3---run-nodegoat-on-docker)
* `docker pull citizenstig/nowasp` - [OWASP Mutillidae II Web Pen-Test Practice Application](https://hub.docker.com/r/citizenstig/nowasp/)

## Endpoint

### Anti-Virus / Anti-Malware

* [Linux Malware Detect](https://www.rfxn.com/projects/linux-malware-detect/) - A malware scanner for Linux designed around the threats faced in shared hosted environments.

### Content Disarm & Reconstruct

* [DocBleach](https://github.com/docbleach/DocBleach) - An open-source Content Disarm & Reconstruct software sanitizing Office, PDF and RTF documents.

### Configuration Management

* [Rudder](http://www.rudder-project.org/) - Rudder is an easy to use, web-driven, role-based solution for IT infrastructure automation & compliance. Automate common system administration tasks \(installation, configuration\); enforce configuration over time \(configuring once is good, ensuring that configuration is valid and automatically fixing it is better\); inventory of all managed nodes; web interface to configure and manage nodes and their configuration; compliance reporting, by configuration and/or by node.

### Authentication

* [google-authenticator](https://github.com/google/google-authenticator) - The Google Authenticator project includes implementations of one-time passcode generators for several mobile platforms, as well as a pluggable authentication module \(PAM\). One-time passcodes are generated using open standards developed by the Initiative for Open Authentication \(OATH\) \(which is unrelated to OAuth\). These implementations support the HMAC-Based One-time Password \(HOTP\) algorithm specified in RFC 4226 and the Time-based One-time Password \(TOTP\) algorithm specified in RFC 6238. [Tutorial: How to set up two-factor authentication for SSH login on Linux](http://xmodulo.com/two-factor-authentication-ssh-login-linux.html)

### Mobile / Android / iOS

* [android-security-awesome](https://github.com/ashishb/android-security-awesome) - A collection of android security related resources.
  A lot of work is happening in academia and industry on tools to perform dynamic analysis, static analysis and reverse engineering of android apps.
* [SecMobi Wiki](http://wiki.secmobi.com/) - A collection of mobile security resources including articles, blogs, books, groups, projects, tools and conferences.
* [OWASP Mobile Security Testing Guide](https://github.com/OWASP/owasp-mstg) - A comprehensive manual for mobile app security testing and reverse engineering.

### Forensics

* [grr](https://github.com/google/grr) - GRR Rapid Response is an incident response framework focused on remote live forensics.
* [Volatility](https://github.com/volatilityfoundation/volatility) - Python based memory extraction and analysis framework.
* [mig](http://mig.mozilla.org/) - MIG is a platform to perform investigative surgery on remote endpoints. It enables investigators to obtain information from large numbers of systems in parallel, thus accelerating investigation of incidents and day-to-day operations security.
* [ir-rescue](https://github.com/diogo-fernan/ir-rescue) - _ir-rescue_ is a Windows Batch script and a Unix Bash script to comprehensively collect host forensic data during incident response.
* [Logdissect](https://github.com/dogoncouch/logdissect) - CLI utility and Python API for analyzing log files and other data.

## Threat Intelligence

* [abuse.ch](https://www.abuse.ch/) - ZeuS Tracker / SpyEye Tracker / Palevo Tracker / Feodo Tracker tracks Command&Control servers \(hosts\) around the world and provides you a domain- and an IP-blocklist.
* [Emerging Threats - Open Source](http://doc.emergingthreats.net/bin/view/Main/EmergingFAQ) - Emerging Threats began 10 years ago as an open source community for collecting Suricata and SNORT® rules, firewall rules, and other IDS rulesets.
The open source community still plays an active role in Internet security, with more than 200,000 active users downloading the ruleset daily. The ETOpen Ruleset is open to any user or organization, as long as you follow some basic guidelines, and is available for download at any time.
* [PhishTank](http://www.phishtank.com/) - PhishTank is a collaborative clearing house for data and information about phishing on the Internet. PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications at no charge.
* [SBL / XBL / PBL / DBL / DROP / ROKSO](http://www.spamhaus.org/) - The Spamhaus Project is an international nonprofit organization whose mission is to track the Internet's spam operations and sources, to provide dependable realtime anti-spam protection for Internet networks, to work with law enforcement agencies to identify and pursue spam and malware gangs worldwide, and to lobby governments for effective anti-spam legislation.
* [Internet Storm Center](https://www.dshield.org/reports.html) - The ISC was created in 2001 following the successful detection, analysis, and widespread warning of the Li0n worm. Today, the ISC provides a free analysis and warning service to thousands of Internet users and organizations, and is actively working with Internet Service Providers to fight back against the most malicious attackers.
* [AutoShun](https://www.autoshun.org/) - AutoShun is a Snort plugin that allows you to send your Snort IDS logs to a centralized server that will correlate attacks from your sensor logs with other Snort sensors, honeypots, and mail filters from around the world.
* [DNS-BH](http://www.malwaredomains.com/) - The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware.
This project creates the BIND and Windows zone files required to serve fake replies pointing to localhost for any request to these domains, thus preventing many spyware installs and reporting.
* [AlienVault Open Threat Exchange](http://www.alienvault.com/open-threat-exchange/dashboard) - AlienVault Open Threat Exchange \(OTX\) helps you secure your networks from data loss, service disruption and system compromise caused by malicious IP addresses.
* [Tor Bulk Exit List](https://metrics.torproject.org/collector.html) - CollecTor, your friendly data-collecting service in the Tor network. CollecTor fetches data from various nodes and services in the public Tor network and makes it available to the world. If you're doing research on the Tor network, or if you're developing an application that uses Tor network data, this is your place to start. [TOR Node List](https://www.dan.me.uk/tornodes) / [DNS Blacklists](https://www.dan.me.uk/dnsbl) / [Tor Node List](http://torstatus.blutmagie.de/)
* [leakedin.com](http://www.leakedin.com/) - The primary purpose of leakedin.com is to make visitors aware of the risks of losing data. This blog compiles samples of data lost or disclosed on sites like pastebin.com.
* [FireEye OpenIOCs](https://github.com/fireeye/iocs) - FireEye Publicly Shared Indicators of Compromise \(IOCs\).
* [OpenVAS NVT Feed](http://www.openvas.org/openvas-nvt-feed.html) - The public feed of Network Vulnerability Tests \(NVTs\). It contains more than 35,000 NVTs \(as of April 2014\), growing on a daily basis. This feed is configured as the default for OpenVAS.
* [Project Honey Pot](http://www.projecthoneypot.org/) - Project Honey Pot is a distributed system for identifying spammers and the spambots they use to scrape addresses from your website. Using the Project Honey Pot system you can install addresses that are custom-tagged to the time and IP address of a visitor to your site.
If one of these addresses begins receiving email, it is known not only that the messages are spam, but also the exact moment when the address was harvested and the IP address that gathered it.
* [virustotal](https://www.virustotal.com/) - VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs, enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners. At the same time, it may be used as a means to detect false positives, i.e. innocuous resources detected as malicious by one or more scanners.
* [IntelMQ](https://github.com/certtools/intelmq/) - IntelMQ is a solution for CERTs for collecting and processing security feeds, pastebins and tweets using a message queue protocol. It's a community driven initiative called IHAP \(Incident Handling Automation Project\) which was conceptually designed by European CERTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect and process threat intelligence, thus improving the incident handling processes of CERTs. [ENISA Homepage](https://www.enisa.europa.eu/activities/cert/support/incident-handling-automation).
* [CIFv2](https://github.com/csirtgadgets/massive-octo-spice) - CIF is a cyber threat intelligence management system. CIF allows you to combine known malicious threat information from many sources and use that information for identification \(incident response\), detection \(IDS\) and mitigation \(null route\).
* [CriticalStack](https://intel.criticalstack.com/) - Free aggregated threat intel for the Bro network security monitoring platform.
* [MISP - Open Source Threat Intelligence Platform](https://www.misp-project.org/) - MISP threat sharing platform is free and open source software that helps with information sharing of threat intelligence, including cyber security indicators.
A threat intelligence platform for gathering, sharing, storing and correlating Indicators of Compromise of targeted attacks, threat intelligence, financial fraud information, vulnerability information or even counter-terrorism information. The MISP project includes software, common libraries \([taxonomies](https://www.misp-project.org/taxonomies.html), [threat-actors and various malware](https://www.misp-project.org/galaxy.html)\), an extensive data model to share new information using [objects](https://www.misp-project.org/objects.html) and default [feeds](https://www.misp-project.org/feeds/).

## Web

### Organization

* [OWASP](http://www.owasp.org) - The Open Web Application Security Project \(OWASP\) is a 501\(c\)\(3\) worldwide not-for-profit charitable organization focused on improving the security of software.

### Web Application Firewall

* [ModSecurity](http://www.modsecurity.org/) - ModSecurity is a toolkit for real-time web application monitoring, logging, and access control.
* [NAXSI](https://github.com/nbs-system/naxsi) - NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX. NAXSI stands for Nginx Anti XSS & SQL Injection.
* [sql\_firewall](https://github.com/uptimejp/sql_firewall) - SQL Firewall Extension for PostgreSQL.
* [ironbee](https://github.com/ironbee/ironbee) - IronBee is an open source project to build a universal web application security sensor: a framework for developing a system for securing web applications, i.e. for building a web application firewall \(WAF\).

### Scanning / Pentesting

* [sqlmap](http://sqlmap.org/) - sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.
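Most of the feeds in the Threat Intelligence section above boil down to one indicator per line: IP addresses or CIDR ranges \(the abuse.ch trackers, Spamhaus DROP\) or domain names \(DNS-BH\). The block below is an added example, not code from any of those projects: it parses two constructed feeds in those layouts, flags constructed firewall and resolver log lines that touch a listed network or domain \(matching domains on label boundaries, so `notevil.example` does not hit `evil.example`\), and emits BIND zone stanzas in the style DNS-BH uses to answer listed domains from localhost. The feed contents, the log lines, and the zone file path are assumptions made for the example.

```python
"""Flag log lines that touch IP/CIDR or domain indicators from threat feeds.

Added example for this guide. The feeds and log lines are constructed, not real
abuse.ch, Spamhaus DROP or DNS-BH data.
"""
import ipaddress
import re

# Constructed sample feeds. Both tolerate '#' comments and blank lines; the IP
# feed also tolerates the "CIDR ; SBLnnn" layout that Spamhaus DROP uses.
IP_FEED = """\
# constructed sample, layout modelled on Spamhaus DROP
198.51.100.0/24 ; SBL000001
203.0.113.7 ; SBL000002
"""
DOMAIN_FEED = """\
# constructed sample, one domain per line as in DNS-BH / abuse.ch lists
evil.example
c2.bad.example
"""

# Constructed log lines in firewall and resolver style.
LOG_LINES = [
    "2018-05-29T10:15:02Z fw ACCEPT src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2018-05-29T10:15:03Z resolver query 10.0.0.5 update.c2.bad.example A",
    "2018-05-29T10:15:04Z fw ACCEPT src=10.0.0.6 dst=93.184.216.34 dport=80",
    "2018-05-29T10:15:05Z resolver query 10.0.0.7 notevil.example A",
    "2018-05-29T10:15:06Z fw DROP src=203.0.113.7 dst=10.0.0.1 dport=22",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def parse_ip_feed(text):
    """Return a list of ip_network objects; bare addresses become /32 networks."""
    nets = []
    for line in text.splitlines():
        entry = line.split(";", 1)[0].split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_domain_feed(text):
    """Return a set of lowercase domain names without a trailing dot."""
    names = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if entry:
            names.add(entry)
    return names


def domain_blocked(host, blocked):
    """True if host equals a blocked domain or is a subdomain of one. The check
    walks label boundaries so 'notevil.example' does not match 'evil.example'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def match_line(line, nets, blocked):
    """Return the indicators hit by one line (empty list if it is clean)."""
    hits = []
    for ip_text in IPV4_RE.findall(line):
        try:
            ip = ipaddress.ip_address(ip_text)
        except ValueError:  # e.g. a version string like 999.1.1.1
            continue
        hits.extend(str(n) for n in nets if ip in n)
    for host in HOST_RE.findall(line):
        if domain_blocked(host, blocked):
            hits.append(host.lower())
    return hits


def scan(lines, ip_feed=IP_FEED, domain_feed=DOMAIN_FEED):
    """Return [(line, hits)] for every line that matched at least one indicator."""
    nets = parse_ip_feed(ip_feed)
    blocked = parse_domain_feed(domain_feed)
    return [(line, match_line(line, nets, blocked)) for line in lines
            if match_line(line, nets, blocked)]


def bind_sinkhole_zones(blocked, hosts_file="/etc/namedb/blockeddomain.hosts"):
    """Emit one BIND zone stanza per blocked domain, the DNS-BH approach: the
    resolver becomes authoritative for each name and serves it from a zone file
    whose records point at 127.0.0.1. The hosts_file path is an assumption."""
    return "\n".join('zone "%s" { type master; file "%s"; };' % (name, hosts_file)
                     for name in sorted(blocked))


if __name__ == "__main__":
    for line, hits in scan(LOG_LINES):
        print("HIT", hits, "<-", line)
    print(bind_sinkhole_zones(parse_domain_feed(DOMAIN_FEED)))
```

Two points the output makes visible: CIDR entries need real prefix matching, not substring search, which is why the example goes through `ipaddress` rather than grepping the feed text into the log; and domain indicators must be compared per label, otherwise every list containing `example` would flag the whole TLD.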
It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
* [ZAP](https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project) - The Zed Attack Proxy \(ZAP\) is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications. It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing. ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.
* [OWASP Testing Checklist v4](https://www.owasp.org/index.php/Testing_Checklist) - List of some controls to test during a web vulnerability assessment. A Markdown version may be found [here](https://github.com/amocrenco/owasp-testing-checklist-v4-markdown/blob/master/README.md).
* [w3af](http://w3af.org/) - w3af is a Web Application Attack and Audit Framework. The project's goal is to create a framework to help you secure your web applications by finding and exploiting all web application vulnerabilities.
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng) - Recon-ng is a full-featured Web Reconnaissance framework written in Python. Recon-ng has a look and feel similar to the Metasploit Framework.
* [PTF](https://github.com/trustedsec/ptf) - The Penetration Testers Framework \(PTF\) is a modular way to install and keep penetration testing tools up to date.
* [Infection Monkey](https://github.com/guardicore/monkey) - A semi automatic pen testing tool for mapping/pen-testing networks. Simulates a human attacker.
* [ACSTIS](https://github.com/tijme/angularjs-csti-scanner) - ACSTIS helps you to scan certain web applications for AngularJS Client-Side Template Injection \(sometimes referred to as CSTI, sandbox escape or sandbox bypass\). It supports scanning a single request but also crawling the entire web application for the AngularJS CSTI vulnerability.

### Runtime Application Self-Protection

* [Sqreen](https://www.sqreen.io/) - Sqreen is a Runtime Application Self-Protection \(RASP\) solution for software teams. An in-app agent instruments and monitors the app. Suspicious user activities are reported and attacks are blocked at runtime without code modification or traffic redirection.
* [OpenRASP](https://github.com/baidu/openrasp) - An open source RASP solution actively maintained by Baidu Inc. With its context-aware detection algorithm the project achieves nearly no false positives, and less than 3% performance reduction is observed under heavy server load.

### Development

* [Secure by Design](https://www.manning.com/books/secure-by-design?a_aid=danbjson&a_bid=0b3fac80) - Book that identifies design patterns and coding styles that make lots of security vulnerabilities less likely. \(early access, published continuously, final release fall 2017\)
* [Securing DevOps](https://www.manning.com/books/securing-devops) - Book that explores how the techniques of DevOps and Security should be applied together to make cloud services safer. \(early access, published continuously, final release January 2018\)
* [Understanding API Security](https://www.manning.com/books/understanding-api-security) - Free eBook sampler that gives some context for how API security works in the real world by showing how APIs are put together and how the OAuth protocol can be used to protect them.
* [OAuth 2 in Action](https://www.manning.com/books/oauth-2-in-action) - Book that teaches you practical use and deployment of OAuth 2 from the perspectives of a client, an authorization server, and a resource server.

## Usability

* [Usable Security Course](https://pt.coursera.org/learn/usable-security) - Usable Security course at Coursera. Quite good for those looking at how security and usability intersect.

## Big Data

* [data\_hacking](https://github.com/ClickSecurity/data_hacking) - Examples of using IPython, Pandas, and Scikit Learn to get the most out of your security data.
* [hadoop-pcap](https://github.com/RIPE-NCC/hadoop-pcap) - Hadoop library to read packet capture \(PCAP\) files.
* [Workbench](http://workbench.readthedocs.org/) - A scalable python framework for security research and development teams.
* [OpenSOC](https://github.com/OpenSOC/opensoc) - OpenSOC integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
* [Apache Metron \(incubating\)](https://github.com/apache/incubator-metron) - Metron integrates a variety of open source big data technologies in order to offer a centralized tool for security monitoring and analysis.
* [Apache Spot \(incubating\)](https://github.com/apache/incubator-spot) - Apache Spot is open source software for leveraging insights from flow and packet analysis.
* [binarypig](https://github.com/endgameinc/binarypig) - Scalable Binary Data Extraction in Hadoop. Malware Processing and Analytics over Pig, Exploration through Django, Twitter Bootstrap, and Elasticsearch.

## DevOps

* [Securing DevOps](https://manning.com/books/securing-devops?a_aid=securingdevops&a_bid=1353bcd8) - A book on security techniques for DevOps that reviews state of the art practices used in securing web applications and their infrastructure.

## Operating Systems

### Online resources

* [Security related Operating Systems @ Rawsec](http://rawsec.ml/en/security-related-os/) - Complete list of security related operating systems.
* [Best Linux Penetration Testing Distributions @ CyberPunk](https://n0where.net/best-linux-penetration-testing-distributions/) - Description of the main penetration testing distributions.
* [Security @ Distrowatch](http://distrowatch.com/search.php?category=Security) - Website dedicated to talking about, reviewing and keeping up to date with open source operating systems.

## Datastores

* [blackbox](https://github.com/StackExchange/blackbox) - Safely store secrets in a VCS repo using GPG.
* [confidant](https://github.com/lyft/confidant) - Stores secrets in AWS DynamoDB, encrypted at rest, and integrates with IAM.
* [dotgpg](https://github.com/ConradIrwin/dotgpg) - A tool for backing up and versioning your production secrets or shared passwords securely and easily.
* [redoctober](https://github.com/cloudflare/redoctober) - Server for two-man rule style file encryption and decryption.
* [aws-vault](https://github.com/99designs/aws-vault) - Store AWS credentials in the OSX Keychain or an encrypted file.
* [credstash](https://github.com/fugue/credstash) - Store secrets using AWS KMS and DynamoDB.
* [chamber](https://github.com/segmentio/chamber) - Store secrets using AWS KMS and SSM Parameter Store.
* [Safe](https://github.com/starkandwayne/safe) - A Vault CLI that makes reading from and writing to Vault easier to do.
* [Sops](https://github.com/mozilla/sops) - An editor of encrypted files that supports YAML, JSON and BINARY formats and encrypts with AWS KMS and PGP.
* [passbolt](https://www.passbolt.com/) - The password manager your team was waiting for. Free, open source, extensible, based on OpenPGP.
* [passpie](https://github.com/marcwebbie/passpie) - Multiplatform command-line password manager.
* [Vault](https://www.vaultproject.io/) - An encrypted datastore secure enough to hold environment and application secrets.

## EBooks

* [Holistic Info-Sec for Web Developers](https://holisticinfosecforwebdevelopers.com/) - Free and downloadable book series with very broad and deep coverage of what Web Developers and DevOps Engineers need to know in order to create robust, reliable, maintainable and secure software, networks and other systems that are delivered continuously, on time, with no nasty surprises.
* [Docker Security - Quick Reference: For DevOps Engineers](https://binarymist.io/publication/docker-security/) - A book on understanding the Docker security defaults, how to improve them \(theory and practical\), along with many tools and techniques.

## Improve Skills

| Site name | Description |
| :--- | :--- |
| [$natch competition](http://blog.phdays.com/2012/05/once-again-about-remote-banking.html) | Remote banking system containing common vulnerabilities. |
| [Arizona Cyber Warfare Range](http://azcwr.org/) | The ranges offer an excellent platform for you to learn computer network attack \(CNA\), computer network defense \(CND\), and digital forensics \(DF\). You can play any of these roles. |
| [Avatao](https://www.avatao.com/) | More than 350 hands-on challenges \(free and paid\) to master IT security, and it is growing day by day. |
| [BodgeIt Store](https://github.com/psiinon/bodgeit) | The BodgeIt Store is a vulnerable web application which is currently aimed at people who are new to pen testing. |
| [Bright Shadows](http://www.bright-shadows.net/) | Training in Programming, JavaScript, PHP, Java, Steganography, and Cryptography \(among others\). |
| [bWAPP](http://www.itsecgames.com/) | bWAPP, or a buggy web application, is a free and open source deliberately insecure web application. |
| [Cyber Degrees](http://www.cyberdegrees.org/resources/free-online-courses/) | Free online cyber security Massive Open Online Courses \(MOOCs\). |
| [Commix testbed](https://github.com/commixproject/commix-testbed) | A collection of web pages, vulnerable to command injection flaws. |
| [CryptOMG](https://github.com/SpiderLabs/CryptOMG) | CryptOMG is a configurable CTF style test bed that highlights common flaws in cryptographic implementations. |
| [Cyber Security Base](https://cybersecuritybase.github.io/) | Cyber Security Base is a page with free courses by the University of Helsinki in collaboration with F-Secure. |
| [Cybersecuritychallenge UK](https://pod.cybersecuritychallenge.org.uk/) | Cyber Security Challenge UK runs a series of competitions designed to test your cyber security skills. |
| [CyberTraining 365](https://www.cybertraining365.com/cybertraining/FreeClasses) | Cybertraining365 has paid material but also offers free classes. The link is directed at the free classes. |
| [Cybrary.it](https://www.cybrary.it/) | Free and Open Source Cyber Security Learning. |
| [Damn Small Vulnerable Web](https://github.com/stamparm/DSVW) | Damn Small Vulnerable Web \(DSVW\) is a deliberately vulnerable web application written in under 100 lines of code, created for educational purposes. It supports the majority of \(most popular\) web application vulnerabilities together with appropriate attacks. |
| [Damn Vulnerable Android App](https://code.google.com/archive/p/dvaa/) | Damn Vulnerable Android App \(DVAA\) is an Android application which contains intentional vulnerabilities. |
| [Damn Vulnerable Hybrid Mobile App](https://github.com/logicalhacking/DVHMA) | Damn Vulnerable Hybrid Mobile App \(DVHMA\) is a hybrid mobile app \(for Android\) that intentionally contains vulnerabilities. |
| [Damn Vulnerable iOS App](http://damnvulnerableiosapp.com/) | Damn Vulnerable iOS App \(DVIA\) is an iOS application that is damn vulnerable. |
| [Damn Vulnerable Linux](http://www.computersecuritystudent.com/SECURITY_TOOLS/DVL/lesson1/) | Damn Vulnerable Linux \(DVL\) is everything a good Linux distribution isn't. Its developers have spent hours stuffing it with broken, ill-configured, outdated, and exploitable software that makes it vulnerable to attacks. |
| [Damn Vulnerable Router Firmware](https://github.com/praetorian-inc/DVRF) | The goal of this project is to simulate a real-world environment to help people learn about other CPU architectures outside of the x86\_64 space. This project will also help people get into discovering new things about hardware. |
| [Damn Vulnerable Stateful Web App](https://github.com/silentsignal/damn-vulnerable-stateful-web-app) | Short and simple vulnerable PHP web application that naïve scanners found to be perfectly safe. |
| [Damn Vulnerable Thick Client App](https://github.com/secvulture/dvta) | DVTA is a Vulnerable Thick Client Application developed in C\# .NET with many vulnerabilities. |
| [Damn Vulnerable Web App](http://www.dvwa.co.uk/) | Damn Vulnerable Web App \(DVWA\) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and aid teachers/students to teach/learn web application security in a classroom environment. |
| [Damn Vulnerable Web Services](https://github.com/snoopysecurity/dvws) | Damn Vulnerable Web Services is an insecure web application with multiple vulnerable web service components that can be used to learn real-world web service vulnerabilities. |
| [Damn Vulnerable Web Sockets](https://github.com/interference-security/DVWS) | Damn Vulnerable Web Sockets \(DVWS\) is a vulnerable web application which works on web sockets for client-server communication. |
| [Damnvulnerable.me](https://github.com/skepticfx/damnvulnerable.me) | A deliberately vulnerable modern-day app with lots of DOM-related bugs. |
| [Dareyourmind](http://www.dareyourmind.net/) | Online game, hacker challenge. |
| [DIVA Android](https://github.com/payatu/diva-android) | Damn Insecure and vulnerable App for Android. |
| [EnigmaGroup](https://www.enigmagroup.org/) | Safe security resource, trains in exploits listed in the OWASP Top 10 Project and teaches members the many other types of exploits that are found in today's applications. |
| [ENISA Training Material](https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists/online-training-material) | The European Union Agency for Network and Information Security \(ENISA\) Cyber Security Training. You will find training materials, handbooks for teachers, toolsets for students and Virtual Images to support hands-on training sessions. |
| [exploit.co.il Vulnerable Web App](https://sourceforge.net/projects/exploitcoilvuln/?source=recommended) | exploit.co.il Vulnerable Web App, designed as a learning platform to test various SQL injection techniques. |
| [Exploit-exercises.com](https://exploit-exercises.com/) | exploit-exercises.com provides a variety of virtual machines, documentation and challenges that can be used to learn about a variety of computer security issues such as privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering, and general cyber security issues. |
| [ExploitMe Mobile](http://securitycompass.github.io/AndroidLabs/index.html) | Set of labs and an exploitable framework for you to hack a mobile application on Android. |
| [Game of Hacks](http://www.gameofhacks.com/) | This game was designed to test your application hacking skills. You will be presented with vulnerable pieces of code and your mission, if you choose to accept it, is to find which vulnerability exists in that code as quickly as possible. |
| [GameOver](https://sourceforge.net/projects/null-gameover/) | Project GameOver was started with the objective of training and educating newbies about the basics of web security, teaching them about common web attacks and helping them understand how they work. |
| [Gh0stlab](http://www.gh0st.net/?p=19) | A security research network where like-minded individuals can work together towards the common goal of knowledge. |
| [GoatseLinux](http://neutronstar.org/goatselinux.html) | GSL is a VMware image you can run for penetration testing purposes. |
| [Google Gruyere](http://google-gruyere.appspot.com/) | Labs that cover how an application can be attacked using common web security vulnerabilities, like cross-site scripting \(XSS\) and cross-site request forgery \(XSRF\). You can also find labs on how to find, fix, and avoid these common vulnerabilities and other bugs that have a security impact, such as denial-of-service, information disclosure, or remote code execution. |
| [Gracefully Vulnerable Virtual Machine](https://www.gracefulsecurity.com/vulnvm/) | Graceful's VulnVM is a VM web app designed to simulate a simple eCommerce style website which is purposely vulnerable to a number of well-known security issues commonly seen in web applications. |
| [Hack The Box](https://www.hackthebox.eu/) | Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with other members of similar interests. In order to join you should solve an entry-level challenge. |
| [Hack This Site](https://www.hackthissite.org/) | More than just another hacker wargames site, Hack This Site is a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. |
| [Hack Yourself First](https://hackyourselffirst.troyhunt.com/) | This course is designed to help web developers on all frameworks identify risks in their own websites before attackers do, and it uses this site extensively to demonstrate risks. |
| [Hack.me](https://hack.me/) | Hack.me aims to be the largest collection of "runnable" vulnerable web applications, code samples and CMSs online. The platform is available without any restriction to any party interested in Web Application Security. |
| [Hackademic](https://github.com/Hackademic/hackademic) | Offers realistic scenarios full of known vulnerabilities \(especially, of course, the OWASP Top Ten\) for those trying to practice their attack skills. |
| [Hackazon](https://github.com/rapid7/hackazon) | A modern vulnerable web app. |
| [Hackertest.net](http://www.hackertest.net/) | HackerTest.net is your own online hacker simulation with 20 levels. |
| [Hacking-Lab](https://www.hacking-lab.com/Remote_Sec_Lab/) | Hacking-Lab is an online ethical hacking, computer network and security challenge platform, dedicated to finding and educating cyber security talents. Furthermore, Hacking-Lab provides the CTF and mission style challenges for the European Cyber Security Challenge with Austria, Germany, Switzerland, UK, Spain and Romania, and provides free OWASP TOP 10 online security labs. |
| [HackSys Extreme Vulnerable Driver](http://payatu.com/hacksys-extreme-vulnerable-driver/) | HackSys Extreme Vulnerable Driver is an intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at kernel level. |
| [HackThis!!](https://www.hackthis.co.uk/) | Test your skills with 50+ hacking levels, covering all aspects of security. |
| [Hackxor](http://hackxor.sourceforge.net/cgi-bin/index.pl) | Hackxor is a web app hacking game where players must locate and exploit vulnerabilities to progress through the story. Think WebGoat but with a plot and a focus on realism and difficulty. Contains XSS, CSRF, SQLi, ReDoS, DOR, command injection, etc. |
| [Halls of Valhalla](http://halls-of-valhalla.org/beta/challenges) | Challenges you can solve. Valhalla is a place for sharing knowledge and ideas. Users can submit code, as well as science, technology, and engineering-oriented news and articles. |
| [Hax.Tor](http://hax.tor.hu/welcome/) | Provides numerous interesting "hacking" challenges to the user. |
| [Hellbound Hackers](https://www.hellboundhackers.org/) | Learn a hands-on approach to computer security. Learn how hackers break in, and how to keep them out. |
| [Holynix](https://sourceforge.net/projects/holynix/files/) | Holynix is a Linux VMware image that was deliberately built to have security holes for the purposes of penetration testing. |
| [HSCTF3](http://hsctf.com/) | HSCTF is an international online hacking competition designed to educate high schoolers in computer science. |
| [Information Assurance Support Environment \(IASE\)](http://iase.disa.mil/eta/Pages/index.aspx) | Great site with Cybersecurity Awareness Training, Cybersecurity Training for IT Managers, Cybersecurity Training for Cybersecurity Professionals, Cybersecurity Technical Training, NetOps Training, Cyber Law Awareness, and FSO Tools Training available online. |
| [InfoSec Institute](http://resources.infosecinstitute.com/free-cissp-training-study-guide/) | Free CISSP Training course. |
| [ISC2 Center for Cyber Safety and Education](https://safeandsecureonline.org/) | Site to empower students, teachers, and whole communities to secure their online life through cyber security education and awareness with the Safe and Secure Online educational program; information security scholarships; and industry and consumer research. |
| [Java Vulnerable Lab](https://github.com/CSPF-Founder/JavaVulnerableLab) | Vulnerable Java based Web Application. |
| [Juice Shop](https://github.com/bkimminich/juice-shop) | OWASP Juice Shop is an intentionally insecure web app for security training written entirely in JavaScript which encompasses the entire OWASP Top Ten and other severe security flaws. |
| [Kioptrix VM](http://www.kioptrix.com/blog/a-new-vm-after-almost-2-years/) | This vulnerable machine is a good starting point for beginners. |
| [LAMPSecurity Training](https://sourceforge.net/projects/lampsecurity/) | LAMPSecurity training is designed to be a series of vulnerable virtual machine images along with complementary documentation designed to teach Linux, Apache, PHP and MySQL security. |
| [Magical Code Injection Rainbow](https://github.com/SpiderLabs/MCIR) | The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds. |
| [McAfee HacMe Sites](http://www.mcafee.com/us/downloads/free-tools/index.aspx) | Search the page for HacMe and you'll find a suite of learning tools. |
| [Metasploit Unleashed](https://www.offensive-security.com/metasploit-unleashed/) | Free Ethical Hacking Course. |
| [Metasploitable 3](https://github.com/rapid7/metasploitable3) | Metasploitable3 is a VM that is built from the ground up with a large number of security vulnerabilities. |
| [Microcorruption CTF](https://microcorruption.com/login) | Challenge: given a debugger and a device, find an input that unlocks it. Solve the level with that input. |
| [Morning Catch](http://blog.cobaltstrike.com/2014/08/06/introducing-morning-catch-a-phishing-paradise/) | Morning Catch is a VMware virtual machine, similar to Metasploitable, to demonstrate and teach about targeted client-side attacks and post-exploitation. |
| [Moth](http://www.bonsai-sec.com/en/research/moth.php) | Moth is a VMware image with a set of vulnerable Web Applications and scripts. |
| [Mutillidae](https://sourceforge.net/projects/mutillidae/) | OWASP Mutillidae II is a free, open source, deliberately vulnerable web application providing a target for web-security enthusiasts. |
| [MysteryTwister C3](https://www.mysterytwisterc3.org/en/) | MysteryTwister C3 lets you solve crypto challenges, starting from the simple Caesar cipher all the way to modern AES; they have challenges for everyone. |
| [National Institutes of Health \(NIH\)](https://irtsectraining.nih.gov/publicUser.aspx) | Short courses on Information Security and Privacy Awareness. They have a section for executives, managers and IT Administrators as well. |
| [OpenSecurityTraining.info](http://opensecuritytraining.info/Training.html/) | OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long. |
| [Overthewire](http://overthewire.org/wargames/) | The wargames offered by the OverTheWire community can help you to learn and practice security concepts in the form of fun-filled games. |
| [OWASP Broken Web Applications Project](https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project) | OWASP Broken Web Applications Project is a collection of vulnerable web applications that is distributed on a Virtual Machine. |
| [OWASP GoatDroid](https://github.com/jackMannino/OWASP-GoatDroid-Project) | OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. |
| [OWASP iGoat](https://www.owasp.org/index.php/OWASP_iGoat_Project) | iGoat is a learning tool for iOS developers \(iPhone, iPad, etc.\). |
| [OWASP Security Shepherd](https://www.owasp.org/index.php/OWASP_Security_Shepherd) | The OWASP Security Shepherd project is a web and mobile application security training platform. |
| [OWASP SiteGenerator](https://www.owasp.org/index.php/Owasp_SiteGenerator) | OWASP SiteGenerator allows the creation of dynamic websites based on XML files and predefined vulnerabilities \(some simple, some complex\) covering .Net languages and web development architectures \(for example, navigation: Html, Javascript, Flash, Java, etc...\). |
| [Pentest.Training](https://pentest.training/) | Pentest.Training offers a fully functioning penetration testing lab which is ever increasing in size, complexity and diversity. The lab has a fully functioning Windows domain with various Windows OS's. There is also a selection of Boot2Root Linux machines to practice your CTF and escalation techniques and finally, pre-built web application training machines. |
| [Pentesterlab](https://pentesterlab.com/exercises/from_sqli_to_shell) | This exercise explains how you can, from a SQL injection, gain access to the administration console, and then, from the administration console, run commands on the system. |
| [Pentestit.ru](https://lab.pentestit.ru/) | Pentestit.ru has free labs that emulate real IT infrastructures. It is created for practicing legal pen testing and improving penetration testing skills. OpenVPN is required to connect to the labs. |
| [Peruggia](https://sourceforge.net/projects/peruggia/) | Peruggia is designed as a safe, legal environment to learn about and try common attacks on web applications. Peruggia looks similar to an image gallery but contains several controlled vulnerabilities to practice on. |
| [PicoCTF](https://picoctf.com/) | picoCTF is a computer security game targeted at middle and high school students. The game consists of a series of challenges centered around a unique storyline where participants must reverse engineer, break, hack, decrypt, or do whatever it takes to solve the challenge. |
| [Professor Messer](http://www.professormesser.com/) | Good free training videos, not only on Security but on CompTIA A+, Network and Microsoft related topics as well. |
| [Puzzlemall](https://code.google.com/archive/p/puzzlemall/) | PuzzleMall - A vulnerable web application for practicing session puzzling. |
| [Pwnable.kr](http://pwnable.kr/) | 'pwnable.kr' is a non-commercial wargame site which provides various pwn challenges regarding system exploitation. While playing pwnable.kr you can learn and improve system hacking skills, but that shouldn't be your only purpose. |
| [Pwnos](http://www.pwnos.com/) | PwnOS is a vulnerable by design OS, and there are many ways you can hack it. |
| [Reversing.kr](http://reversing.kr) | This site tests your cracking and reverse code engineering skills. |
| [Ringzero](https://ringzer0team.com/challenges) | Challenges you can solve and gain points. |
| [Risk3Sixty](http://www.risk3sixty.com/free-information-security-training/) | Free Information Security training video, an information security examination and the exam answer key. |
| [Root Me](https://www.root-me.org/) | Hundreds of challenges and virtual environments. Each challenge can be associated with a multitude of solutions so you can learn. |
| [RPISEC/MBE](https://github.com/RPISEC/MBE) | Modern Binary Exploitation course materials. |
| [RPISEC/Malware](https://github.com/RPISEC/Malware) | Malware Analysis course materials. |
| [SANS Cyber Aces](http://www.cyberaces.org/courses/) | SANS Cyber Aces Online makes available, free and online, selected courses from the professional development curriculum offered by The SANS Institute. |
| [Scene One](https://www.vulnhub.com/entry/21ltr-scene-1,3/) | Scene One is a pen testing scenario liveCD made for a bit of fun and learning. |
| [SEED Labs](http://www.cis.syr.edu/~wedu/seed/all_labs.html) | The SEED project has labs on Software, Network, Web, Mobile and System security as well as Cryptography labs. |
| [SentinelTestbed](https://github.com/dobin/SentinelTestbed) | Vulnerable website. Used to test sentinel features.
| 356 | | [SG6 SecGame](http://sg6-labs.blogspot.nl/2007/12/secgame-1-sauron.html) | Spanish language, vulnerable GNU/Linux systems. | 357 | | [SlaveHack](http://www.slavehack.com/) | My personal favorite: Slavehack is a virtual hack simulation game. Great for starters, I've seen kids in elementary school playing this! | 358 | | [SlaveHack 2 _BETA_](https://www.slavehack2.com/) | Slavehack 2 is a sequel to the original Slavehack. It's also a virtual hack simulation game but you will find features much closer to today's Cyber reality. | 359 | | [Smashthestack](http://smashthestack.org/) | This network hosts several different wargames, ranging in difficulty. A wargame, in this context, is an environment that simulates software vulnerabilities and allows for the legal execution of exploitation techniques. | 360 | | [SocketToMe](https://digi.ninja/projects/sockettome.php) | SocketToMe SocketToMe is little application for testing web sockets. | 361 | | [SQLI labs](https://github.com/Audi-1/sqli-labs) | SQLI labs to test error based, Blind boolean based, Time based. | 362 | | [Sqlilabs](https://github.com/himadriganguly/sqlilabs) | Lab set-up for learning SQL Injection Techniques. | 363 | | [SQLzoo](http://sqlzoo.net/hack/) | Try your Hacking skills against this test system. It takes you through the exploit step-by-step. | 364 | | [Stanford SecuriBench](https://suif.stanford.edu/~livshits/securibench/) | Stanford SecuriBench is a set of open source real-life programs to be used as a testing ground for static and dynamic security tools. Release .91a focuses on Web-based applications written in Java. | 365 | | [The ButterFly - Security Project](https://sourceforge.net/projects/thebutterflytmp/?source=navbar) | The ButterFly project is an educational environment intended to give an insight into common web application and PHP vulnerabilities. The environment also includes examples demonstrating how such vulnerabilities are mitigated. 
| 366 | | [ThisIsLegal](http://www.thisislegal.com/) | A hacker wargames site but also with much more. | 367 | | [Try2Hack](http://www.try2hack.nl/) | Try2hack provides several security-oriented challenges for your entertainment. The challenges are diverse and get progressively harder. | 368 | | [UltimateLAMP](http://www.amanhardikar.com/mindmaps/practice-links.html) | UltimateLAMP is a fully functional environment allowing you to easily try and evaluate a number of LAMP stack software products without requiring any specific setup or configuration of these products. | 369 | | [Vicnum](http://vicnum.ciphertechs.com/) | Vicnum is an OWASP project consisting of vulnerable web applications based on games commonly used to kill time. These applications demonstrate common web security problems such as cross-site scripting, SQL injections, and session management issues. | 370 | | [Vulnhub](https://www.vulnhub.com/) | An extensive collection of vulnerable VMs with user-created solutions. | 371 | | [Vulnix](https://www.rebootuser.com/?page_id=1041) | A vulnerable Linux host with configuration weaknesses rather than purposely vulnerable software versions. | 372 | | [Vulnserver](http://www.thegreycorner.com/2010/12/introducing-vulnserver.html) | Windows-based threaded TCP server application that is designed to be exploited. | 373 | | [W3Challs](https://w3challs.com) | W3Challs is a penetration testing training platform, which offers various computer challenges, in categories related to security | 374 | | [WackoPicko](https://github.com/adamdoupe/WackoPicko) | WackoPicko is a vulnerable web application used to test web application vulnerability scanners. | 375 | | [Web Attack and Exploitation Distro](http://www.waed.info/) | WAED is pre-configured with various real-world vulnerable web applications in a sandboxed environment. It includes pen testing tools as well. 
| 376 | | [Web Security Dojo](https://sourceforge.net/projects/websecuritydojo/) | Web Security Dojo is a preconfigured, stand-alone training environment for Web Application Security. | 377 | | [WebGoat](https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project) | WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. | 378 | | [Wechall](http://www.wechall.net/) | Focussed on offering computer-related problems. You will find Cryptographic, Crackit, Steganography, Programming, Logic and Math/Science. The difficulty of these challenges varies as well. | 379 | | [XSS-game](https://xss-game.appspot.com/) | In this training program, you will learn to find and exploit XSS bugs. You'll use this knowledge to confuse and infuriate your adversaries by preventing such bugs from happening in your applications. | 380 | | [XVWA](https://github.com/s4n7h0/xvwa) | XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. | 381 | 382 | --------------------------------------------------------------------------------