Reddits Hacking Subreddit Wiki

Original: https://new.reddit.com/r/hacking/wiki/index


Beginning & Basics to hacking

    How do I start hacking?

Hacking is an incredibly broad topic. There's is no single "hacking" action. You will need to describe what you want to learn. This post will help you define hacking. From there, check out resources related to the areas of hacking you are interested in.

    Where should I start?

Again, narrow down what you want to learn. There is simply too much in the wide world of hacking to not narrow it down. Here are a few resources that provide a good general basis:

    Hacking: the art of exploitation (amazon) - General overview of hacker mentality and basic exploitation techniques

    Violent Python (amazon) - Using basic python skills to create powerful tools for offence and defence.

    Web Application Hacker's Handbook (amazon) - Very in depth guide to website security and common vulnerabilities.

    Practical Malware Analysis (amazon) - This will teach you how to analyze malware thoroughly. Yes, it will teach you how malware is written and how malware authors think.

    Has my password been leaked, stolen or compromised? How can I check?

https://haveibeenpwned.com

    Have I been hacked? What do I do if I've been hacked?

http://www.helpivebeenhacked.com/
Resources
News

    https://krebsonsecurity.com/
    https://nakedsecurity.sophos.com/
    https://www.bleepingcomputer.com/
    https://www.fireeye.com/blog/threat-research.html
    https://news.ycombinator.com/
    https://www.proofpoint.com/us/blog
    https://blog.talosintelligence.com
    https://blog.rapid7.com/tag/metasploit/
    https://www.hackaday.com

Conferences

    44Con - Annual Security Conference held in London.
    Blackhat - Las Vegas
    BSides - Worldwide
    CarolinaCon - Infosec conference, held annually in North Carolina.
    Chaos Communication Congress - Germany
    CHCon - Christchurch Hacker Con, Only South Island of New Zealand hacker con.
    DeepSec - Security Conference in Vienna, Austria.
    DEF CON - Las Vegas
    DerbyCon - Louisville
    Ekoparty - Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina.
    Hackers On Planet Earth aka HOPE - Semi-annual conference held in New York City.
    LayerOne - Annual US security conference held every spring in Los Angeles.
    Nolacon - New Orleans
    ShmooCon - Annual US East coast hacker convention.
    SummerCon - One of the oldest hacker conventions in America, held during Summer.
    THOTCON - Chicago
    Wild West Hackin Fest - San Diego

InfoSec Twitters

    https://twitter.com/Bank_Security
    https://twitter.com/briankrebs
    https://twitter.com/IanColdwater
    https://twitter.com/LitMoose
    https://twitter.com/sshell_
    https://twitter.com/zer0pwn
    https://twitter.com/TraceLabs
    https://twitter.com/LooseSecurity
    https://twitter.com/leet_sauce
    https://twitter.com/notdan
    https://twitter.com/thugcrowd
    https://twitter.com/Viking_Sec
    https://twitter.com/netspooky
    https://twitter.com/b1ack0wl
    https://twitter.com/irongeek_adc
    https://twitter.com/deviantollam
    https://twitter.com/AlyssaM_InfoSec
    https://twitter.com/d0rkph0enix
    https://twitter.com/DAkacki
    https://twitter.com/defcon
    https://twitter.com/MalwareTechBlog
    https://twitter.com/Intel471Inc
    https://twitter.com/CISAKrebs
    https://twitter.com/NSACyber
    https://twitter.com/TinkerSec
    https://twitter.com/ihackbanme
    https://twitter.com/UnderTheBreach

History
Reading & Culture

    Another one got caught today, it's all over the papers. "Teenager Arrested in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...

    Damn kids. They're all alike.

    But did you, in your three-piece psychology and 1950's technobrain, ever take a look behind the eyes of the hacker? Did you ever wonder what made him tick, what forces shaped him, what may have molded him?

    I am a hacker, enter my world...

    Mine is a world that begins with school... I'm smarter than most of the other kids, this crap they teach us bores me...

    Damn underachiever. They're all alike.

    I'm in junior high or high school. I've listened to teachers explain for the fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I didn't show my work. I did it in my head..."

    Damn kid. Probably copied it. They're all alike.

    I made a discovery today. I found a computer. Wait a second, this is cool. It does what I want it to. If it makes a mistake, it's because I screwed it up. Not because it doesn't like me... Or feels threatened by me... Or thinks I'm a smart ass... Or doesn't like teaching and shouldn't be here...

    Damn kid. All he does is play games. They're all alike.

    And then it happened... a door opened to a world... rushing through the phone line like heroin through an addict's veins, an electronic pulse is sent out, a refuge from the day-to-day incompetencies is sought... a board is found. "This is it... this is where I belong..." I know everyone here... even if I've never met them, never talked to them, may never hear from them again... I know you all...

    Damn kid. Tying up the phone line again. They're all alike...

    You bet your ass we're all alike... we've been spoon-fed baby food at school when we hungered for steak... the bits of meat that you did let slip through were pre-chewed and tasteless. We've been dominated by sadists, or ignored by the apathetic. The few that had something to teach found us willing pupils, but those few are like drops of water in the desert.

    This is our world now... the world of the electron and the switch, the beauty of the baud. We make use of a service already existing without paying for what could be dirt-cheap if it wasn't run by profiteering gluttons, and you call us criminals. We explore... and you call us criminals. We seek after knowledge... and you call us criminals. We exist without skin color, without nationality, without religious bias... and you call us criminals. You build atomic bombs, you wage wars, you murder, cheat, and lie to us and try to make us believe it's for our own good, yet we're the criminals.

    Yes, I am a criminal. My crime is that of curiosity. My crime is that of judging people by what they say and think, not what they look like. My crime is that of outsmarting you, something that you will never forgive me for.

    I am a hacker, and this is my manifesto. You may stop this individual, but you can't stop us all... after all, we're all alike.

~ The Conscience of a Hacker aka The Hacker Manifesto - Written on January 8, 1986
Malware
Viruses & Worms

    Anna Kournikova
    Blaster
    Code Red
    Conficker
    ILOVEYOU virus
    Melissa virus
    Morris Worm
    MyDoom
    Santy
    Slammer
    Storm Worm
    Stuxnet
    WannaCry virus
    Welchia

History

    The Strange History of Ransomware

Hackers

    Adrian Lamo - gained media attention for breaking into several high-profile computer networks, including those of The New York Times, Yahoo!, and Microsoft, culminating in his 2003 arrest. Lamo was best known for reporting U.S. soldier Chelsea Manning to Army criminal investigators in 2010 for leaking hundreds of thousands of sensitive U.S. government documents to WikiLeaks.
    Albert Gonzales - an American computer hacker and computer criminal who is accused of masterminding the combined credit card theft and subsequent reselling of more than 170 million card and ATM numbers from 2005 to 2007: the biggest such fraud in history.
    Andrew Auernheimer (known as Weev) - Went to jail for using math against AT&T website.
    Barnaby Jack - was a New Zealand hacker, programmer and computer security expert. He was known for his presentation at the Black Hat computer security conference in 2010, during which he exploited two ATMs and made them dispense fake paper currency on the stage. Among his other most notable works were the exploitation of various medical devices, including pacemakers and insulin pumps.
    Benjamin Delpy - Mimikatz
    DVD-Jon - He wrote the DeCSS software, which decodes the Content Scramble System used for DVD licensing enforcement.
    Eric Corley (known as Emmanuel Goldstein) - 2600
    Gary McKinnon - a Scottish systems administrator and hacker who was accused in 2002 of perpetrating the "biggest military computer hack of all time," although McKinnon himself states that he was merely looking for evidence of free energy suppression and a cover-up of UFO activity and other technologies potentially useful to the public. ????
    George Hotz aka geohot - "The former Facebook engineer took on the giants of the tech world by developing the first iPhone carrier-unlock techniques," says Mark Greenwood, head of data science at Netacea, "followed a few years later by reverse engineering Sonys PlayStation 3, clearing the way for users to run their own code on locked-down hardware. George sparked an interest in a younger generation frustrated with hardware and software restrictions being imposed on them and led to a new scene of opening up devices, ultimately leading to better security and more openness."
    Guccifer 2.0 - a persona which claimed to be the hacker(s) that hacked into the Democratic National Committee (DNC) computer network and then leaked its documents to the media, the website WikiLeaks, and a conference event.
    Hector Monsegur (known as Sabu) - an American computer hacker and co-founder of the hacking group LulzSec. He Monsegur became an informant for the FBI, working with the agency for over ten months to aid them in identifying the other hackers from LulzSec and related groups.
    Jacob Appelbaum - an American independent journalist, computer security researcher, artist, and hacker. He has been employed by the University of Washington, and was a core member of the Tor project, a free software network designed to provide online anonymity.
    James Forshaw - one of the world's foremost bug bounty huners
    Jeanson James Ancheta - On May 9, 2006, Jeanson James Ancheta (born 1985) became the first person to be charged for controlling large numbers of hijacked computers or botnets.
    Jeremy Hammond - He was convicted of computer fraud in 2013 for hacking the private intelligence firm Stratfor and releasing data to the whistle-blowing website WikiLeaks, and sentenced to 10 years in prison.
    John Draper - also known as Captain Crunch, Crunch or Crunchman (after the Cap'n Crunch breakfast cereal mascot), is an American computer programmer and former legendary phone phreak.
    Kevin Mitnick - Free Kevin
    Kimberley Vanvaeck (known as Gigabyte) - a virus writer from Belgium known for a long-standing dispute which involved the internet security firm Sophos and one of its employees, Graham Cluley. Vanvaeck wrote several viruses, including Quis, Coconut and YahaSux (also called Sahay). She also created a Sharp virus (also called "Sharpei"), credited as being the first virus to be written in C#.
    Lauri Love - a British activist charged with stealing data from United States Government computers including the United States Army, Missile Defense Agency, and NASA via computer intrusion.
    Michael Calce (known as MafiaBoy) - a security expert from le Bizard, Quebec who launched a series of highly publicized denial-of-service attacks in February 2000 against large commercial websites, including Yahoo!, Fifa.com, Amazon.com, Dell, Inc., E*TRADE, eBay, and CNN.
    Mudge - Peiter C. Zatko, better known as Mudge, is a network security expert, open source programmer, writer, and a hacker. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the long-lived computer and culture hacking cooperative the Cult of the Dead Cow.
    Phineas Fisher - vigilante hacker god
    PRAGMA - Also known as Impragma or PHOENiX, PRAGMA is the author of Snipr, one of the most prolific credential stuffing tools available online.
    The 414s - The 414s were a group of computer hackers who broke into dozens of high-profile computer systems, including ones at Los Alamos National Laboratory, Sloan-Kettering Cancer Center, and Security Pacific Bank, in 1982 and 1983.
    The Shadow Brokers - is a hacker group who first appeared in the summer of 2016. They published several leaks containing hacking tools from the National Security Agency (NSA), including several zero-day exploits. Specifically, these exploits and vulnerabilities targeted enterprise firewalls, antivirus software, and Microsoft products.[6] The Shadow Brokers originally attributed the leaks to the Equation Group threat actor, who have been tied to the NSA's Tailored Access Operations unit.

Software

    Sub7
    Back Orifice

Groups

    LulzSec
    Goatse Security
    GNAA

Music

    YTCracker
    Crime of Curiosity by Amplitude Problem
    Hairetsu
    yung innanet
    DualCore
    Programming / Coding / Hacking music vol.18
    Programming / Coding / Hacking music vol.17
    Programming / Coding / Hacking music vol.16
    24/7 lofi hip hop radio - beats to study/chill/relax
    Concentration Programming Music
    Concentration \ Programming Music 0100 (Part 4)
    Chillstep Music for Programming / Cyber / Coding - length 2:08:38
    Crime City Nights - Cyberpunk / Dark Synthwave - length 2:05:23
    Cyberpunk 2077 Mix (Best of Cyber Electro) - length - 2:47:56
    'Back To The 80's' | Best of Synthwave And Retro Electro Music Mix for 2 Hours | Vol. 9 - length - 2:01:56

Movies & TV

Movies

    Hackers
    Swordfish
    War Games
    Tron
    Sneakers
    The Net
    The Girl with the Dragon Tattoo
    The Matrix
    Blackhat
    The Score
    Plastic
    Hacker

TV

    Mr. Robot

Anime

    Blame!
    Ghost In The Shell

Tools

    nmap - Port Scanner & Network Exploration Tool

XSS

    XSS Filter Evasion Cheat Sheet
    XSS cheatsheet Esp: for filter evasion
    XSS Vectors Cheat Sheet
    /r/xss

Forums

Popular forums in the hacking scene.

    HackForums (EN)
    BlackHatWorld (EN)
    RaidForums (EN)
    OGUsers (EN)
    SentryMBA (EN)
    Nulled (EN)
    UnKnoWnCheaTs (EN)
    MPGH (EN)
    Cracked.to (EN)
    Leakforums (EN)
    Antichat (RU)
    Exploit.in (RU)
    BHF (RU)
    FuckAV (RU)
    Korovka (RU)

CTFs

New to CTFs

If you know nothing about CTFs or this is your first attempt at doing a CTF, it is suggested you read over the Awesome CTF list first.

What is a CTF?

CTF stands for Capture The Flag, a style of hacking event where you have one goal: hack in and find the flag. Flags are placed in various locations -- they might be in a file, in the database, stuck into source code, or otherwise -- and your goal is to hunt them all down.

CTF for Beginners

    Bandit - The Bandit wargame is aimed at absolute beginners. It will teach the basics needed to be able to play other wargames.

Popular CTFs

    Hack The Box - Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field. Click below to hack our invite challenge, then get started on one of our many live machines or challenges.
    Hacker101 CTF - The Hacker101 CTF is a game designed to let you learn to hack in a safe, rewarding environment. Hacker101 is a free educational site for hackers, run by HackerOne. This CTF is another integral component in our plans to make the world a better place, one bug at a time.
    Root Me CTF - Improve your hacking skills in a realistic environment where the goal is to fully compromise,  root  the host!
    Hack This Site - Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
    Hack This! - Want to learn about hacking and network security? Discover how hacks, dumps and defacements are performed and secure your website against hackers with HackThis!!
    OverTheWire - is a brilliant beginner resource. It gets you used to Linux, teaches you about a range of different tools, technologies, protocols etc. Even at the beginning at the challenge it points you in the right direction if you are unsure. This has definitely helped me in more advanced CTF challenges.
    picoCTF - is very good for learning a wide range of skills or just practicing old ones. It includes reverse engineering, binary exploitation, web hacking and more. There is also a great number of walkthroughs online for each challenge should you need to view them.
    Vulnhub - Vulnhub is a popular platform that hosts good boot2root vm's that range in difficulty. These too have a lot of online walkthroughs in case you need them.
    The National Cyber League - The National Cyber League (NCL) is a biannual cybersecurity competition for high school and college students. The competition consists of a series of challenges that allows students to demonstrate their ability to identify hackers from forensic data, break into vulnerable websites, recover from ransomware attacks, and more

Want to talk about CTFs or techniques? Check out /r/securityCTF.

Want to make your own CTF? Check out ctfd.
Education
Classes (Free and Paid)

    Udemy - Ethical Hacking
    Udemy - Cyber Security
    Udemy - Penetration Testing
    Udemy - Kali Linux
    Udemy - Metasploit
    Cybrary - Free Hacking Training
    Cybrary - ISC2 CISSP
    Cybrary - WiFi Security: WEP, WPA, and WPA2
    Cybrary - Ethical Hacking
    HackerOne - Start Hacking
    LambdaSchool - Summer Hackers

Certification Help

Professor Messer Videos

    CompTIA Security+ Study Groups
    CompTIA A+ Study Groups
    CompTIA Network+ Study Groups

How To Guides & Tutorials

    Tutorial: Is My Wireless Card Compatible?
    Defeating a Laptop's BIOS Password
    More coming soon

Videos

    I'll Let Myself In: Tactics of Physical Pen Testers
    Youre Probably Not Red Teaming... And Usually Im Not, Either - SANS ICS 2018
    BREAKING in BAD (Im the one who doesnt knock) - Jayson Street
    DEFCON - The Full Documentary
    DEF CON 17 - That Awesome Time I Was Sued For Two Billion Dollars
    DEF CON 18 - Zoz - Pwned By The Owner: What Happens When You Steal A Hacker's Computer
    DEF CON 18 - Chris Paget - Practical Cellphone Spying
    DEF CON 19 - Deviant Ollam - Safe to Armed in Seconds
    DEF CON 21 - ZOZ - Hacking Driverless Vehicles
    DEF CON 22 - Metacortex and Grifter - Touring the Darkside of the Internet. An Introduction to Tor
    DEF CON 22 - Deviant Ollam & Howard Payne - Elevator Hacking - From the Pit to the Penthouse
    DEF CON 22 - Zoz - Don't Fuck It Up!
    DEF CON 23 - Robinson and Mitchell - Knocking my neighbors kids cruddy drone offline
    DEF CON 23 - Van Albert and Banks - Looping Surveillance Cameras through Live Editing
    DEF CON 23 - Chris Rock - I Will Kill You
    DEF CON 24 - Chris Rock - How to Overthrow a Government
    DEF CON 24 - Weston Hecker - Hacking Hotel Keys and Point of Sale Systems
    DEF CON 24 - int0x80 - Anti Forensics AF
    DEF CON 25 - Roger Dingledine - Next Generation Tor Onion Services
    DEF CON 26 - smea - Jailbreaking the 3DS Through 7 Years of Hardening

Reading

    2600
    Phrack

Podcasts

    Darknet Diaries - Darknet Diaries produces audio stories specifically intended to capture, preserve, and explain the culture around hacking and cyber security in order to educate and entertain both technical and non-technical audiences.
    Hacking Humans - Join Dave Bittner and Joe Carrigan each week as they look behind the social engineering scams, phishing schemes, and criminal exploits that are making headlines and taking a heavy toll on organizations around the world.
    Security Now - TechTV's Leo Laporte and I spend somewhat shy of two hours each week to discuss important issues of personal computer security. Sometimes we'll discuss something that just happened. Sometimes we'll talk about long-standing problems, concerns, or solutions. Either way, every week we endeavor to produce something interesting and important for every personal computer user.

Bug Bounty Programs

Get paid to discover vulnerabilities and security issues.

    Bugcrowd
    HackerOne
    Zerodium
    Facebook
    Github
    Google
    Intel
    Microsoft
    HP
    Mozilla

Law

    Computer Fraud and Abuse Act (CFAA) - US - is a United States cybersecurity bill that was enacted in 1986 as an amendment to existing computer fraud law (18 U.S.C.  1030), which had been included in the Comprehensive Crime Control Act of 1984. The law prohibits accessing a computer without authorization, or in excess of authorization.
    Computer Misuse Act 1990 - UK - 1990 is a key piece of legislation that criminalises the act of accessing or modifying data stored on a computer system without appropriate consent or permission.

OSINT

    Bellingcats OSINT Toolkit
    Geonames - Extremely useful for finding alternative names and co-ordinates of places.
    Who Posted What - A search engine for Facebook, built by Henk Van Ess.
    Twitter Advanced Search - An advanced search for Twitter, which also allows you to search by date.
    Google Earth Pro - Much better than normal Google Maps, make sure to check out the historic imagery function.
    Guide To Using Reverse Image Search For Investigations
    A Beginners Guide To Flight Tracking
    How To Tell Stories: A Beginners Guide For Open Source Researchers
    How To Use Google Earths Three Dimensional View: Feat. Syria, Yemen, Sudan
    Spiderfoot - Multi-source OSINT automation tool with a Web UI and report visualizations.
    Maltego - Proprietary software for open source intelligence and forensics, from Paterva.
    chatter - chatter is a proof of concept osint monitoring telegram bot for windows (server, ideally) that monitors tweet content, reddit submission titles and 4chan post content for specific keywords - as well as phrases in quotation marks. it feeds content that is discovered to your telegram group in near real-time depending on your configuration. this is an early beta release with limited features.

Scanning

    OpenDoor - OpenDoor OWASP is console multifunctional web sites scanner. This application find all possible ways to login, index of/ directories, web shells, restricted access points, subdomains, hidden data and large backups.
    Raccoon - A high performance offensive security tool for reconnaissance and vulnerability scanning
    dirmap - An advanced web directory & file scanning tool that will be more powerful than DirBuster, Dirsearch, cansina, and Yu Jian.????web?????????,??????DirBuster?Dirsearch?cansina????
    dirhunt - Dirhunt is a web crawler optimize for search and analyze directories. This tool can find interesting things if the server has the "index of" mode enabled. Dirhunt is also useful if the directory listing is not enabled. It detects directories with false 404 errors, directories where an empty index file has been created to hide things and much more.

Cracking

Hashes

    Hash Killer
    Crackstation
    OnlineHashCrack
    GPUHash.me
    Hashes.com

Passwords

    hashcat
    HAT - HAT (Hashcat Automation Tool) - An Automated Hashcat Tool for common wordlists and rules to speed up the process of cracking hashes during engagements. Created for Linux based systems
    John The Ripper
    SentryMBA
    Open Bullet
    SNIPR

Password & Wordlists (HTTP/HTTPS) - working as of 10/2019

    Probable Wordlists - Version 2.0 - Version 2 is live! Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!
    Real Passwords - These are REAL passwords.
    Dictionary-Style Lists - Files including dictionaries, encyclopedic lists and miscellaneous. Wordlists in this folder were not necessarily associated with the "password" label.
    NetgearKiller.dict - my Netgear WPA dict
    https://github.com/kennyn510/wpa2-wordlists
    https://github.com/danielmiessler/SecLists/tree/master/Passwords
    https://github.com/xajkep/wordlists
    http://www.md5this.com/tools/wordlists.html
    https://wiki.skullsecurity.org/Passwords
    https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm
    https://github.com/brannondorsey/naive-hashcat/releases/download/data/rockyou.txt (~14,300,000 words)
    http://www.mediafire.com/file/9tf3n2d45tgktq1/Rocktastic12a.7z/file (1.37GB - Compressed)
    https://github.com/dwyl/english-words/blob/master/words.txt (~466,000 words)
    http://storage.aircrack-ng.org/users/PsycO/PsycOPacKv2.rar (1.4GB)
    https://download.g0tmi1k.com/wordlists/large/sp00ks_merged_file_uniq.7z (2.7 GB - Compressed)
    https://srv-file4.gofile.io/download/NHXEGm/sp00ks_merged_file_uniq.7z (8.2 GB - mirror)
    https://crackstation.net/files/crackstation-human-only.txt.gz (4.2 GB)
    https://download.g0tmi1k.com/wordlists/large/crackstation.txt.gz (4.5 GB)
    https://download.g0tmi1k.com/wordlists/large/10-million-combos.zip (8.8 GB)
    https://download.g0tmi1k.com/wordlists/large/36.4GB-18_in_1.lst.7z (48.4 GB)
    https://download.g0tmi1k.com/wordlists/large/b0n3z-wordlist-sorted-something.tar.gz (165 GB)
    http://download1568.mediafire.com/yuh4jmehecwg/8oazhwqzexid771/WordlistBySheez_v8.7z (166.17 GB)

WPA/WPA2

    Aircrack-ng - Aircrack-ng is a complete suite of tools to assess WiFi network security.
    Cracking my first WPA2 password!
    Cracking WPA/WPA2 with hashcat
    Practical WPA2 Attacks on NETGEAR Routers

hashcat

    Hashcat GPU benchmarking table for Nvidia & AMD (WPA2 hashes) - If you are planning to create a cracking rig for research purposes check out GPU hashcat benchmark table below.
    Hashcat Cheatsheet for OSCP
    hashcat - Howtos, Videos, Papers, Articles, etc. in the wild

Google Dorks

    Google Hacking Database

SQLi

    sqlmap - Automatic SQL injection and database takeover tool
    SQLi Dumper

Useful Github Resources
Awesome Lists

    Awesome OSINT - A curated list of amazingly awesome OSINT
    Awesome Malware Analysis - A curated list of awesome malware analysis tools and resources.
    Awesome CTF - A curated list of Capture The Flag (CTF) frameworks, libraries, resources, softwares and tutorials. This list aims to help starters as well as seasoned CTF players to find everything related to CTFs at one place.
    Awesome Hacking - A curated list of awesome Hacking.
    Awesome Honeypots - A curated list of awesome honeypots, plus related components and much more, divided into categories such as Web, services, and others, with a focus on free and open source projects.
    Awesome Incident Response - A curated list of tools and resources for security incident response, aimed to help security analysts and DFIR teams.
    Awesome Vehicle Security - curated list of awesome resources, books, hardware, software, applications, people to follow, and more cool stuff about vehicle security, car hacking, and tinkering with the functionality of your car.
    Awesome Web Security - Curated list of Web Security materials and resources.
    Awesome Lockpicking - A curated list of awesome guides, tools, and other resources relating to the security and compromise of locks, safes, and keys.
    Awesome Cybersecurity Blue Team - A collection of awesome resources, tools, and other shiny things for cybersecurity blue teams.
    Awesome AppSec - A curated list of resources for learning about application security. Contains books, websites, blog posts, and self-assessment quizzes.
    Awesome Security - A collection of awesome software, libraries, documents, books, resources and cool stuff about security.
    Awesome Pentest - A collection of awesome penetration testing resources, tools and other shiny things

Cracking & Bruteforce & Scanning

    Subdomain bruteforce - a subdomain brute forcing tool for windows
    Instashell - Multi-threaded Instagram Brute Forcer without password limit
    Nuclei - a fast tool for configurable targeted scanning based on templates offering massive extensibility and ease of use.

WordPress

    WPScan - WPScan is a free, for non-commercial use, black box WordPress Vulnerability Scanner written for security professionals and blog maintainers to test the security of their WordPress websites. Can be used to discover usernames and bruteforce logins.
    WordPress Exploit Framework - WPXF. A Ruby framework designed to aid in the penetration testing of WordPress systems.
    CMSeeK - CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs

Remote Administration & Payloads

    pupy - Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python
    BYOB (Build Your Own Botnet) - BYOB is an open-source project that provides a framework for security researchers and developers to build and operate a basic botnet to deepen their understanding of the sophisticated malware that infects millions of devices every year and spawns modern botnets, in order to improve their ability to develop counter-measures against these threats.
    QuasarRAT - Free, Open-Source Remote Administration Tool for Windows

Red Team

    Antivirus Evasion - Various Antivirus evasion tools
    UACMe - Defeating Windows User Account Control by abusing built-in Windows AutoElevate backdoor.
    Genesis Scripting Engine (gscript) - framework to rapidly implement custom droppers for all three major operating systems
    SlackPirate - This is a tool developed in Python which uses the native Slack APIs to extract 'interesting' information from a Slack workspace given an access token.
    Empire - Empire 3.0 is a PowerShell and Python 3.x post-exploitation framework.

Phishing

    Gophish - Open-Source Phishing Toolkit
    SocialFish - Educational Phishing Tool & Information Collector
    Blackeye - The most complete Phishing Tool, with 32 templates +1 customizable
    Hidden Eye - Modern Phishing Tool With Advanced Functionality
    Evilginx2 - Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
    Modlishka - Modlishka is a powerful and flexible HTTP reverse proxy. It implements an entirely new and interesting approach of handling browser-based HTTP traffic flow, which allows to transparently proxy multi-domain destination traffic, both TLS and non-TLS, over a single domain, without a requirement of installing any additional certificate on the client. What does this exactly mean? In short, it simply has a lot of potential, that can be used in many use case scenarios.

Routers

    RouterSploit - The RouterSploit Framework is an open-source exploitation framework dedicated to embedded devices.

Wifi

    Fluxion - MITM WPA attack toolset
    howmanypeoplearearound - Count the number of people around you ???????? by monitoring wifi signals ??
    Wifiphisher - The Rogue Access Point Framework
    wifite2 - Rewrite of the popular wireless network auditor, "wifite"
    wifijammer - Continuously jam all wifi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation. Granularity is given in the options for more effective targeting.
    hashcatch - Capture handshakes of nearby WiFi networks automatically
    pwnagotchi - Pwnagotchi is an A2C-based AI powered by bettercap and running on a Raspberry Pi Zero W that learns from its surrounding WiFi environment in order to maximize the crackable WPA key material it captures (either through passive sniffing or by performing deauthentication and association attacks). This material is collected on disk as PCAP files containing any form of handshake supported by hashcat, including full and half WPA handshakes as well as PMKIDs.
    bettercap - The Swiss Army knife for 802.11, BLE and Ethernet networks reconnaissance and MITM attacks.

Shells

    ShellPop
    Reverse Shell Cheat Sheet

Internet of Things

    Cotopaxi - Set of tools for security testing of Internet of Things devices using protocols: AMQP, CoAP, DTLS, HTCPCP, mDNS, MQTT, MQTT-SN, QUIC, RTSP, SSDP.

Misc.

    LaZagne - The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software
    Lazy script
    Sonar.js - A framework for identifying and launching exploits against internal network hosts. Works via WebRTC IP enumeration, WebSocket host scanning, and external resource fingerprinting.

Organizations

    The Tor Project
    Electronic Frontier Foundation
    TOOOL - The Open Organisation Of Lockpickers

Operating Systems
Privacy

    Tails - The Amnesic Incognito Live System. Tails is a live system that aims to preserve your privacy and anonymity. It helps you to use the Internet anonymously and circumvent censorship almost anywhere you go and on any computer but leaving no trace unless you ask it to explicitly.
    Whonix - A High Security Method of Surfing the Internet. Whonix is a desktop operating system designed for advanced security and privacy.
    QubesOS - Qubes is a security-oriented, free and open-source operating system for personal computers that allows you to securely compartmentalize your digital life.

Pentesting

    Kali Linux - /r/KaliLinux - a Debian-derived Linux distribution designed for digital forensics and penetration testing.
    Parrot OS - /r/ParrotOS - a Linux distribution based on Debian with a focus on computer security. It is designed for penetration testing, vulnerability assessment and mitigation, computer forensics and anonymous web browsing.
    BlackArch - an Arch Linux-based penetration testing distribution for penetration testers and security researchers.

Hosting

    Debian - The Universal Operating System
    FreeBSD - FreeBSD is an operating system used to power modern servers, desktops, and embedded platforms.
    Ubuntu - Ubuntu is an open source software operating system that runs from the desktop, to the cloud, to all your internet connected things.
    Fedora - Fedora creates an innovative, free, and open source platform for hardware, clouds, and containers that enables software developers and community members to build tailored solutions for their users.
    CentOS - a Linux distribution that provides a free, enterprise-class, community-supported computing platform functionally compatible with its upstream source, Red Hat Enterprise Linux (RHEL).
    Windows Server 2019

Android

    LineageOS - /r/lineageos - A free and open-source operating system for various devices, based on the Android mobile platform.
    GrapheneOS - /r/GrapheneOS - GrapheneOS is a privacy and security focused mobile OS with Android app compatibility.

Misc.

    Mint - Linux Mint is an elegant, easy to use, up to date and comfortable GNU/Linux desktop distribution.
    Rasberrian - Raspbian is a free operating system based on Debian optimized for the Raspberry Pi hardware.

RSS Feeds

Credit to u/PM_ME_YOUR_SHELLCODE
Technical Blogs

    nedwills security blog - https://nedwill.github.io/blog/feed.xml (https://nedwill.github.io/blog/)
    Realmode Labs - Medium - https://medium.com/feed/realmodelabs (https://medium.com/realmodelabs)
    Hanno's blog - https://blog.hboeck.de/feeds/index.rss2 (https://blog.hboeck.de/)
    Active Directory Security - https://adsecurity.org/?feed=rss2 (https://adsecurity.org)
    Mogozobo - https://www.mogozobo.com/?feed=rss2 (https://www.mogozobo.com)
    Jump ESP, jump! - https://jumpespjump.blogspot.com/feeds/posts/default (https://jumpespjump.blogspot.com/)
    Carnal0wnage & Attack Research Blog - http://carnal0wnage.attackresearch.com/feeds/posts/default (http://carnal0wnage.attackresearch.com/)
    gynvael.coldwind//vx.log (pl) - http://feeds.feedburner.com/GynvaelColdwindPL (https://gynvael.coldwind.pl/)
    Raelize - https://raelize.com/posts/index.xml (https://raelize.com/posts/)
    DigiNinja - https://digi.ninja/rss.xml (https://digi.ninja/rss.xml)
    enigma0x3 - https://enigma0x3.net/feed/ (https://enigma0x3.net)
    Randy Westergren - https://randywestergren.com/feed/ (https://randywestergren.com)
    ZeroSec - Adventures In Information Security - https://blog.zsec.uk/rss/ (https://blog.zsec.uk/)
    Max Justicz - https://justi.cz/feed.xml (https://justi.cz)
    Blog of Osanda - https://osandamalith.com/feed/ (https://osandamalith.com)
    ADD / XOR / ROL - http://addxorrol.blogspot.com/feeds/posts/default (http://addxorrol.blogspot.com/)
    Intercept the planet! - https://intercepter-ng.blogspot.com/feeds/posts/default (https://intercepter-ng.blogspot.com/)
    The Exploit Laboratory - https://blog.exploitlab.net/feeds/posts/default (https://blog.exploitlab.net/)
    Linux Audit - https://linux-audit.com/feed/ (https://linux-audit.com)
    markitzeroday.com - https://markitzeroday.com/feed.xml (https://markitzeroday.com/)
    The Human Machine Interface - https://h0mbre.github.io/feed.xml (https://h0mbre.github.io/)
    Trail of Bits Blog - https://blog.trailofbits.com/feed/ (https://blog.trailofbits.com)
    F-Secure Labs - https://labs.f-secure.com/blog/rss.xml (https://labs.f-secure.com/blog/)
    Exodus Intelligence - https://blog.exodusintel.com/feed/ (https://blog.exodusintel.com)
    Diary of a reverse-engineer - https://doar-e.github.io/feeds/rss.xml (https://doar-e.github.io/)
    Sean Heelan's Blog - https://sean.heelan.io/feed/ (https://sean.heelan.io)
    Alex Chapman's Blog - https://ajxchapman.github.io/feed.xml (https://ajxchapman.github.io/)
    MKSB(en) - https://mksben.l0.cm/feeds/posts/default?alt=rss (https://mksben.l0.cm/)
    pi3 blog - http://blog.pi3.com.pl/?feed=rss2 (http://blog.pi3.com.pl)
    Mozilla Attack & Defense - https://blog.mozilla.org/attack-and-defense/feed/ (https://blog.mozilla.org/attack-and-defense)
    Doyensec's Blog - https://blog.doyensec.com/atom.xml (https://blog.doyensec.com//)
    TRIOX - https://trioxsecurity.com/feed/ (https://trioxsecurity.com)
    secret club - https://secret.club/feed.xml (https://secret.club/)
    Va_start's Vulnerability Research - https://blog.vastart.dev/feeds/posts/default (https://blog.whtaguy.com/)
    Revers.engineering - https://revers.engineering/feed/ (https://revers.engineering)
    phoenhex team - https://phoenhex.re/feed.xml (https://phoenhex.re/)
    Rhino Security Labs - https://rhinosecuritylabs.com/feed/ (https://rhinosecuritylabs.com)
    Zero Day Initiative - Blog - https://www.zerodayinitiative.com/blog?format=rss (https://www.thezdi.com/blog/)
    BlackArrow - https://www.blackarrow.net/feed/ (https://www.blackarrow.net)
    PortSwigger Research - https://portswigger.net/research/rss (https://portswigger.net/research)
    Praetorian Security Blog - https://www.praetorian.com/blog/rss.xml (https://www.praetorian.com)
    research.securitum.com - https://research.securitum.com/feed/ (https://research.securitum.com)
    Project Zero - http://googleprojectzero.blogspot.com/feeds/posts/default (https://googleprojectzero.blogspot.com/)
    Corelan Team - https://www.corelan.be/index.php/feed/ (https://www.corelan.be)
    NCC Group Research - https://research.nccgroup.com/feed/ (https://research.nccgroup.com)
    Zeta-Two.com - https://zeta-two.com/feed.xml (https://zeta-two.com/)
    Grsecurity Blog RSS Feed - https://grsecurity.net/blog.rss (https://www.grsecurity.net/blog.rss)
    Positive Technologies - learn and secure - http://feeds.feedburner.com/positiveTechnologiesResearchLab (http://blog.ptsecurity.com/)
    Alexander Popov - https://a13xp0p0v.github.io/feed.xml (https://a13xp0p0v.github.io/)
    Windows Internals Blog - https://windows-internals.com/feed/ (https://windows-internals.com)
    Tyranid's Lair (James Foreshaw) - https://www.tiraniddo.dev/feeds/posts/default (https://www.tiraniddo.dev/)

Less Technical Blogs

    anti-virus rants - http://feeds.feedburner.com/Anti-virusRants (http://anti-virus-rants.blogspot.com/)
    Secureworks Blog - https://www.secureworks.com/rss?feed=blog (https://www.secureworks.com/blog)
    Microsoft Security Response Center - https://msrc-blog.microsoft.com/feed/ (https://msrc-blog.microsoft.com)
    ColbaltStrike Blog - https://blog.cobaltstrike.com/feed/ (https://blog.cobaltstrike.com)
    CERT Blogs - https://insights.sei.cmu.edu/cert/atom.xml (https://insights.sei.cmu.edu/cert/)
    xorl %eax, %eax - https://xorl.wordpress.com/feed/ (https://xorl.wordpress.com)
    TRUESEC Blog - https://blog.truesec.com/feed/ (https://blog.truesec.com)
    The Daily Swig - https://portswigger.net/daily-swig/rss (https://portswigger.net/daily-swig)
    (IN)SECURE Magazine Notifications RSS - http://feeds.feedburner.com/insecuremagazine (http://www.insecuremag.com)
    Unit42 - http://feeds.feedburner.com/Unit42 (https://unit42.paloaltonetworks.com)
    r2c website - https://r2c.dev/rss.xml (https://r2c.dev)
    BREAKDEV - https://feeds.feedburner.com/breakdev (https://breakdev.org/)
    Deeplinks - https://www.eff.org/rss/updates.xml (https://www.eff.org/rss/updates.xml)
    SANS Internet Storm Center, InfoCON: green - https://isc.sans.edu/rssfeed_full.xml (https://isc.sans.edu)
    NotSoSecure - https://notsosecure.com/feed/ (https://notsosecure.com)
    TrustedSec - https://www.trustedsec.com/feed/ (https://www.trustedsec.com)
    Microsoft Security - https://www.microsoft.com/security/blog/feed/ (https://www.microsoft.com/security/blog)
    Zimperium Mobile Security Blog - https://blog.zimperium.com/feed/ (https://blog.zimperium.com)
    Bugcrowd - https://www.bugcrowd.com/feed/ (https://www.bugcrowd.com)
    codeblog - https://outflux.net/blog/feed/ (https://outflux.net/blog)
    Google Online Security Blog - https://security.googleblog.com/feeds/posts/default (http://security.googleblog.com/)
    Mozilla Security Blog - https://blog.mozilla.org/security/feed/ (https://blog.mozilla.org/security)
    HackerOne - https://www.hackerone.com/blog.rss (https://www.hackerone.com/)
    Rendition Infosec - https://blog.renditioninfosec.com/feed/ (https://blog.renditioninfosec.com)
    Check Point Research - https://research.checkpoint.com/feed/ (https://research.checkpoint.com)
    Offensive Security - https://www.offensive-security.com/feed/ (https://www.offensive-security.com)
    Rapid7 Blog - https://blog.rapid7.com/rss/ (https://blog.rapid7.com/)

Social

    newest submissions : ExploitDev - https://www.reddit.com/r/exploitdev/new.rss (https://www.reddit.com/r/exploitdev/new)
    disclose.io - Latest topics - https://community.disclose.io/latest.rss (https://community.disclose.io/latest)
    newest submissions : netsec - https://www.reddit.com/r/netsec/new.rss (https://www.reddit.com/r/netsec/new)
    newest submissions : websecurityresearch - https://www.reddit.com/r/websecurityresearch/new.rss (https://www.reddit.com/r/websecurityresearch/new)
    newest submissions : ReverseEngineering - https://www.reddit.com/r/ReverseEngineering/new.rss (https://www.reddit.com/r/ReverseEngineering/new)
    newest submissions : lowlevel - https://www.reddit.com/r/lowlevel/new.rss (https://www.reddit.com/r/lowlevel/new)

News

    Wired - Security Latest - https://www.wired.com/feed/category/security/latest/rss (https://www.wired.com/category/security/latest)
    News  Packet Storm - https://rss.packetstormsecurity.com/news/ (https://packetstormsecurity.com/)
    Naked Security - https://nakedsecurity.sophos.com/feed (https://nakedsecurity.sophos.com)
    The Hacker News - http://www.thehackernews.com/feeds/posts/default (https://thehackernews.com/)
    ZDNet - Security - http://www.zdnet.com/topic/security/rss.xml (https://www.zdnet.com/)
    Ars Technica - http://feeds.arstechnica.com/arstechnica/index/ (https://arstechnica.com)
    Threatpost | The first stop for security news - http://threatpost.com/feed/ (https://threatpost.com)
    Krebs on Security - http://krebsonsecurity.com/feed/atom/ (https://krebsonsecurity.com)
    Dark Reading: - http://www.darkreading.com/rss_simple.asp (https://www.darkreading.com)
    BleepingComputer - http://www.bleepingcomputer.com/feed/ (https://www.bleepingcomputer.com/)

Research

    arXiv Crypto and Security Papers - http://export.arxiv.org/api/query?search_query=cat:cs.CR&sortBy=submittedDate&sortOrder=descending&max_results=50
    IACR Transactions on Cryptographic Hardware and Embedded Systems - https://tches.iacr.org/index.php/TCHES/gateway/plugin/WebFeedGatewayPlugin/atom (https://tches.iacr.org/index.php/TCHES)
    Full Disclosure - http://seclists.org/rss/fulldisclosure.rss (http://seclists.org/#fulldisclosure)
    Files  Packet Storm - https://rss.packetstormsecurity.com/files/ (https://packetstormsecurity.com/)
