It’s important to establish a solid toolkit for any kind of security work. The list below is what we consider a good foundation for our members to start from, which you can build on as you get more experienced. Though we don't include links here, you can find most of these tools on Kali Linux (a VM every security practitioner should have) and on the Kali Linux tool site. You can also find all of these through Google, some are even already on your computer!
- Google Chrome
- Google Chrome Plugins
- SwitchySharp (Proxy Switcher)
- Burp Suite
- Shell commands : dig, whois, traceroute
Dissasemblers and Decompilers
- IDA Pro
- Java Decompiler
- Immunity Debugger
General Reverse Engineering
- Shell commands: strings, xxd, file
- PE Finder
- Sysinternals Suite
- Metasploit (general exploits)
- BeEF (browser exploitation)
- crackle (Bluetooth hacking)
- ShellNoob (shellcode utilities)
- Sublime Text 3
- Hex Workshop
- 010 Editor
- HexEdit (OS X)
- GHex (Linux)
- HxD (Windows)
- John the Ripper (Password/hash cracking)
- Hashcat (Password/hash cracking)
- Aircrack-ng (Wifi cracking)
- Ubuntu 12.04 x32 & x64
- Windows XP SP3 x32
- Windows 7 SP1 x64
- Kali Linux
- Python 2.7.X and pip
- VMWare or Virtualbox
Whether is a list of past attacks, write-ups on CTF challenges or online data formatting utilities, the internet will be your best friend when it comes to researching cyber security topics. This is a good place to start.
- HackUTK's Github - The club's github page where you'll find most of the club's work and challenges.
- Mitre Attack Matrix - A large collection of attacks and vulnerabilities, as they are reported.
- Everything cURL - `cURL` is a command line interface for interacting with web protocols. It's incredible raw nature allows GETting or POSTing to a specific url. Perfect for constructing web-based attacks.
- CyberChef - Have you ever wanted to convert a set of data into another format? This site has way too many conversion tools.
- CTF Time - Huge leaderboard of the leading teams competing in CTFs. Why should I go here? Because most completed challenges will include a writeup of how the team completed the problem. A ton you can learn from the best.
- Awesome CTF - Yet another large list of CTF challenges to familiarize yourself with.
- HackTheBox - Large base of challenges involving finding vulnerabilities on a network. Join the HackUTK team and score us points.
- IppSec videos on HackTheBox - The #1 place to go if you're trying to learn. IppSec will take retired HackTheBox challenges and solve them in real-time, offering a great insight into a hacker's workflow and discovery process.
Wargames are a set of challenges focused on a particular topic of programming or computer security, like network analysis or web exploitation. We would like to thank RPISEC for some of compiling these resources. If you're looking for hands-on experience, this is the best start.
- EnigmaGroup - Has a wide selection of wargames. Notable are the multi-stage “realistic scenarios”.
- HackThisSite - Another wide selection. The ‘Basic’ and ‘ExtBasic’ challenges are good introductory material.
- OverTheWire - Has several very focused wargames, including:
- Bandit - A fun intro to the command line
- Natas - Website exploitation
- Krypton - Intro to Cryptography
- Semtex - Programming and networking challenges
- SmashTheStack - Binary exploitation, buffer overflows, disassembly and more fun
- MicroCorruption - Embedded security, assembly, and binary exploitation
- CryptoPals - Introduction to breaking cryptography
- Pwnable - More reverse engineering challenges
- W3Challs - Wide range of challenges and learing: "Hacking, "Cracking, Wargame, Forensic, Cryptography, Steganography and Programming"
- IO NetGarage - More reverse engineering challenges, harder than others
There are a number of vulnerable virtual machines that come bundled with all the tools, tutorials, and challenges necessary to start and get better at a wide range of security skills, from web exploitation to linux exploitation. We have listed some here. You will need VirtualBox or VMWare to run these.
- WebDojo - Has an array of different vulnerable websites built in that you can follow along tutorials while exploiting them.
- Gruyere A VM and web application that shows how web application vulnerabilities can be exploited and how to defend against these attacks. You get to do real penetration testing, actually exploiting a real application
- OWASP Broken Web Apps Project - A VM for exploring many broken web apps and learning about web security along the way.
- Protostar - Introduces in a friendly way, network programming, byte ordering, handling sockets, stack overflows, format strings, and heap overflows.
- Nebula - Takes the particpant through a variety of common (and less than common) weaknesses and vulnerabilities in Linux, including permissions, $PATH weaknesses, race conditions, SUID files, and more.