- Links
- CTF Sites
- Books
- Services
- Terms
- Principles and Standards
- Linux Commands
- Tools (CLI)
- Tools (GUI)
- Text Editors
- Networking
- Web Exploitation
- Content Discovery
- SQL Injection
- Command Injection
- Directory Traversal
- Authentication Bypass
- Insecure Direct Object Reference (IDOR)
- File Inclusion (LFI/RFI)
- Cross Site Request Forgery (CSRF)
- Cross Site Scripting (XSS)
- Server Side Request Forgery (SSRF)
- Server Side Template Injection (SSTI)
- Server Side Includes (SSI)
- Forensics
- Binary Exploitation
- Reverse Engineering
- Cryptography
- Miscellaneous
- Windows Exploitation
- Shells and Privilege Escalation
- Vulnerabilities & Threats
Abuse.ch - a collection of malware and threat intelligence feeds.
Ahmia - search engine for hidden services on the Tor network
AI Generated Photos - 100.000 AI generated faces.
Aperisolve - all in one steganography analysis
Archive.org - the Internet Archive (Wayback Machine for historical copies of web pages)
ASCII Converter - Hex, decimal, binary, base64, and ASCII converter
Assembly Tutorials - assembly tutorials
Base64 Decoder/Encoder - base64 decoder/encoder
Bcrypt Generator - a simple bcrypt generator
Bug Bounty - a list of bug bounty programs
Can I use - provides up-to-date browser support tables for support of front-end web technologies.
Censys - search engine for internet connected devices
Cheatography - over 3,000 free cheat sheets, revision aids and quick references.
CodeBeautify - code beautifier, viewer and converter
Common ports - a list of the most common ports and the services usually behind them
Cipher Identifier - cipher identifier
Convert Binary - a wide range of different converters for binary numbers
Convertcsv - convert SQL to CSV
Crackstation (Rainbow tables) - lookup-table hash cracker for unsalted hashes
CSS Reference - CSS reference
CVECrowd - a platform for sharing and discussing cybersecurity vulnerabilities.
CVE Details - CVE security vulnerability advanced database.
CVE Mitre - list of publicly known cybersecurity vulnerabilities.
CVSS - Common Vulnerability Scoring System calculator
CyberChef - a web app for encryption, encoding, compression and data analysis.
Cybercrime Tracker - monitors and tracks various malware families that are used to perpetrate cyber crimes.
crt.sh - Certificate Transparency Log Search Engine for subdomain enumeration.
CTF 101 - learn the different CTF topics in cybersecurity
CTF Cryptography - ctf cryptography for beginners
dCode - dcode.fr has many decoders for a lot of ciphers
dehashed - breached-database search engine (credentials, emails, usernames).
Diff Checker - compare text, images and documents side by side
DNSDumpster - free domain research tool that can discover hosts related to a domain
DogBolt - decompiler explorer
EmailHippo - a free email verification tool.
Explain Shell - a tool to help you understand shell commands.
ExploitDB - searchable archive from The Exploit Database.
fakenamegenerator - your randomly generated identity.
Feodo Tracker - a project by abuse.ch tracking the C2 infrastructure of the Feodo family of botnets (Emotet, Dridex, TrickBot and related).
File Signature - a table of file signatures (aka "magic numbers")
File Signature Wiki - another list of file signatures (aka "magic numbers")
Forensically - a tool to analyze images.
Godbolt - compiler explorer
Google advanced search - google dorking made easy
Google Hacking Database - juicy information found by dorking
GTFOBins - list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems.
HackerOne - HackerOne is a vulnerability coordination and bug bounty platform.
Hacking Glossary - a glossary of hacking terms made by HackTheBox.
Hash Analyzer - tool to identify hash types
Hash Identifier - hash identifier using CyberChef
have i been pwned? - check if you have an account that has been compromised in a data breach.
HexEd - HexEd is a powerful online hex editor running in your web browser
hilite.me - converts your code snippets into pretty-printed HTML formats
HSV to RGB - HSV to RGB color converter
HTML Reference - HTML reference
HTTrack - website copier
Hunter.io - find email addresses in seconds.
Image Color Picker - select a color and get the HTML Color Code of this pixel
Intelligence X (intelx.io) - search Tor, I2P, data leaks and the public web by email, domain, IP, CIDR, Bitcoin address and more.
JoomScan - Joomla Vulnerability Scanner
k8s-security - kubernetes security notes and best practices.
Kali Linux Tutorials - Kali Linux Tutorials
Keybase - it's open source and powered by public-key cryptography.
LFI - learn about local file inclusion
Linux Commands - a list of linux commands
malc0de - malware search engine.
Malware Bazaar - malware search engine.
MD5 Online - md5Online offers several tools related to the MD5 cryptographic algorithm.
Morse Code Translator - a morse code translator
Morse Code Adaptive Audio Decoder - a morse code adaptive audio decoder
Morse Code Audio Decoder - a morse code audio decoder
Morse Code Sound & Vibration Listener - a morse code sound & vibration listener
Namechk - check if your desired username is available on over 500 social networks (username OSINT).
NerdyData - the search engine for source code
ntlm.pw - NTLM hash lookup service (precomputed, unsalted NT hashes only)
Observatory by Mozilla - set of tools to analyze your website's HTTP security headers and TLS configuration.
Office Recovery - repair corrupt JPEG, PNG, GIF, BMP, TIFF, and RAW images.
PDF24 - free and easy to use online PDF tools
PhishTool - phishing email analysis tool: upload an email and it extracts headers, URLs and attachments for investigation.
NPiet - an interpreter for Piet, an esoteric programming language based on using coloured pixels to represent commands.
Ping.eu - online Ping, Traceroute, DNS lookup, WHOIS and others.
pipl - is the place to find the person behind the email address, social username or phone number.
Pixrecovery - repair corrupt JPEG, PNG, GIF, BMP, TIFF, and RAW images.
Rapid7 - vulnerability and exploit database.
Regex101 - online regex tester and debugger: PHP, PCRE, Python, Golang and JavaScript.
RegEx Pal - online regex testing tool + other tools.
RegExr - online tool to learn, build, & test Regular Expressions (RegEx / RegExp).
Revshell - reverse shell generator.
RequestBin - RequestBin gives you a URL that collects requests so you can inspect them in a human-friendly way
RGBA Color Picker - an RGBA color picker
ShellCheck - finds bugs in your shell scripts.
Shodan - search engine for internet-connected devices; lets you learn about a target's exposed hosts and services from Shodan's own scan data, without actively connecting to the target yourself.
sploitus - the exploit and tools database.
SRI Hash Generator - Subresource Integrity (SRI) Hash Generator
SSL Scanner - analyze website security.
SSL Scan - sslscan tests SSL/TLS enabled services to discover supported cipher suites
Steganographic Decoder - decodes the payload that was hidden in a JPEG image or a WAV or AU audio file
Stego Tricks - learn stego tricks
Subnet Calculator - IPv4 and IPv6 subnet calculator
Subnet Cheatsheet - subnet cheatsheet
SSL Blacklist - a free SSL blacklist that can be used to detect malicious SSL certificates.
Tabulate - create clean looking tables
Talos Intelligence - threat intelligence from Cisco.
Threat Fox - a resource for sharing indicators of compromise (IOCs).
TIO - TIO is a free online interpreter, compiler and REPL.
URL Haus - a project by abuse.ch to collect and classify malicious URLs.
urlscan.io - service to scan and analyse websites.
urlvoid - this service helps you detect potentially malicious websites.
User-Agent Switcher - switch and manage user agents
Vega - web security scanner and web security testing platform
ViewDNS - one source for free DNS related tools and information.
VirusTotal - analyze suspicious files and URLs to detect types of malware.
Visual Subnet Calculator - a visual subnet calculator
WebToolHub-LE - HTML hyperlink extractor
WebToolHub - lots of different web tools
WhatsMyName - social media username enumeration
WHOIS lookup - best whois lookup
Wigle - is a website for collecting information about the different wireless hotspots around the world
WPScan - WordPress security scanner
TryHackMe - TryHackMe is a free online platform for learning cyber security, using hands-on exercises and labs.
HackTheBox - HackTheBox is a massive, online cybersecurity practical training platform.
CTFLearn - An online platform built to help ethical hackers learn, practice, and compete.
Challenges - Reverse engineering CTF training platform
Root Me - Root Me is a platform for everyone to test and improve knowledge in computer security and hacking.
ROP Emporium - ROP Emporium is a series of challenges based around Return Oriented Programming (ROP).
pico CTF - picoCTF is a free computer security game targeted at middle and high school students.
- Penetration Testing
- Linux Basics for Hackers
- The Linux Command Line and Shell Scripting Bible
- Black Hat Python
- The Hacker PlayBook 2 & 3
- Hacker Methodology Handbook
- Gray Hat Hacking
- Red Team Field Manual
- Metasploit
- The Web Application Hacker’s Handbook
- Real-World Bug Hunting
- Attacking Network Protocols
An Intrusion Detection and Prevention System (IDPS), or simply Intrusion Prevention System (IPS), is a system that can both detect and block network intrusions; a plain IDS only detects and alerts.
IDS setups can be divided based on their location in the network into:
- Host-based IDS (HIDS)
- Network-based IDS (NIDS)
The host-based IDS (HIDS) is installed on a host alongside its other applications. This lets the HIDS monitor the traffic going in and out of that host and, in addition, the processes running on it.
The network-based IDS (NIDS) is a dedicated appliance or server that monitors network traffic. It must be placed so that it sees all the traffic of the network or VLANs we want to protect, typically by connecting it to a switch monitor (SPAN/mirror) port or a network tap. The NIDS then processes that traffic to detect malicious activity.
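As an added example (not code from the original page), the following Python sketches the kind of detection a NIDS on a monitor port performs: it walks per-connection flow records and raises an alert when one source touches many distinct ports on one host within a short window, which is the signature of a port scan. The `Flow` type, the thresholds and the sample flows are all constructed here for illustration.

```python
"""NIDS-style port-scan detection over flow records, the kind of per-connection
summary a sensor on a switch monitor port would produce. Added example, not
from the original page; the flows below are constructed, not captured."""
from collections import defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    ts: float     # seconds (constructed values)
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample: 10.0.0.9 sweeps 22 TCP ports on 10.0.0.5 within about
# four seconds; 10.0.0.7 talks normally to HTTPS and DNS on the same host.
SAMPLE_FLOWS = [Flow(100.0 + i * 0.2, "10.0.0.9", "10.0.0.5", 20 + i, "tcp") for i in range(22)]
SAMPLE_FLOWS += [
    Flow(100.5, "10.0.0.7", "10.0.0.5", 443, "tcp"),
    Flow(101.0, "10.0.0.7", "10.0.0.5", 443, "tcp"),
    Flow(102.0, "10.0.0.7", "10.0.0.5", 53, "udp"),
]


def detect_port_scans(flows, window=10.0, threshold=15):
    """Return {(src, dst): distinct_ports} for every source that touched at least
    `threshold` distinct destination ports on one host within any `window`-second
    span. Sliding window over the per-pair events sorted by time; a real sensor
    would also weigh unanswered SYNs and RSTs, which are omitted here."""
    events = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        events[(f.src, f.dst)].append((f.ts, f.dport))
    alerts = {}
    for pair, ev in events.items():
        start = 0
        for end in range(len(ev)):
            # Advance the window start until the span fits in `window` seconds.
            while ev[end][0] - ev[start][0] > window:
                start += 1
            ports = {p for _, p in ev[start:end + 1]}
            if len(ports) >= threshold:
                alerts[pair] = max(len(ports), alerts.get(pair, 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), n in detect_port_scans(SAMPLE_FLOWS).items():
        print(f"ALERT possible port scan: {src} -> {dst}, {n} distinct ports")
```

Tuning matters more than the algorithm: the same logic with a one-second window misses the slow sweep above entirely, which is exactly how scanners evade naive NIDS signatures, so real deployments keep long windows and low thresholds and rely on whitelisting known scanners (vulnerability scanners, monitoring) rather than raising the threshold.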
A Virtual Private Server (VPS) is an isolated environment created on a physical server using virtualization technology.
Some of these providers are:
Active reconnaissance - Directly interacting with the system.
Asymmetric encryption - Uses different keys to encrypt and decrypt.
Authentication - refers to the ability to prove that a user is who they claim to be.
Broken Access Control - when restrictions on what users are allowed to do are not enforced server-side; for example, anyone can read the webmail before logging in, or a user can modify someone else's account.
Brute force - Attacking cryptography by trying every different password or every different key
Cipher - A method of encrypting or decrypting data. Modern ciphers are cryptographic, but there are many non cryptographic ciphers like Caesar.
Ciphertext - The result of encrypting a plaintext, encrypted data
Credential Stuffing - an attack in which username/password pairs leaked from one breach are replayed against other sites and services, relying on users reusing passwords.
Cryptanalysis - Attacking cryptography by finding a weakness in the underlying maths
Defacing - The act of modifying a website to display a message or image.
Defensive security - is the process of protecting an organization's network and computer systems by analyzing and securing any potential digital threats.
Defence-in-Depth - building security from multiple independent layers of controls so that bypassing one layer does not compromise the whole; sometimes loosely called multi-level security.
Dynamic SSH Tunneling - Dynamic port forwarding turns your SSH client into a SOCKS proxy server.
Encoding - NOT a form of encryption, just a form of data representation like base64. Immediately reversible.
Encryption - Transforming data into ciphertext, using a cipher.
Firewall appliance - The firewall allows and blocks connections based on a predefined set of rules. It restricts what can enter and what can leave a network.
Hash collision - When 2 different inputs give the same output
IDOR - IDOR stands for Insecure Direct Object Reference and is a type of access control vulnerability.
IP Spoofing - IP spoofing is the creation of Internet Protocol (IP) packets which have a modified source address in order to either hide the identity of the sender, to impersonate another computer system, or both.
IPP - Internet Printing Protocol
IaaS - Infrastructure-as-a-Service
Identification and Authentication Failure - weaknesses in login and session handling, for example allowing unlimited login attempts (brute force) or storing users' passwords in plain text.
Identification - refers to the ability to identify a user uniquely.
Intrusion Detection System (IDS) appliance - An IDS detects system and network intrusions and intrusion attempts. It tries to detect attackers’ attempts to break into your network.
Intrusion Prevention System (IPS) appliance - An IPS blocks detected intrusions and intrusion attempts. It aims to prevent attackers from breaking into your network.
Key - Some information that is needed to correctly decrypt the ciphertext and obtain the plaintext.
Offensive security - is the process of breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access to them.
Packet sniffing - Packet sniffing is the act of capturing packets of data flowing across a computer network.
Passive reconnaissance - We rely on publicly available information.
Passphrase - Separate to the key, a passphrase is similar to a password and used to protect a key.
Password Spraying - a brute force variant that tries a single (common) password against a list of usernames, staying under per-account lockout thresholds.
Penetration Tester - Responsible for testing technology products for finding exploitable security vulnerabilities.
Plaintext - Data before encryption, often text but not always. Could be a photograph or other file
Proxy - a proxy server is a kind of gateway between our application and the internet; requests go to the proxy, which forwards them on our behalf.
Private Blog Network (PBN) - PBN is a network of websites used to build links to a website for the purpose of ranking it higher in the Google search engine.
Port Forwarding - Port forwarding is a technique that is used to allow external devices access to computers services on private networks.
RCE - Remote Code Execution vulnerability allows commands to be executed on the target's system.
Rainbow tables - A rainbow table is a lookup table of hashes to plaintexts
Red Teamer - Plays the role of an adversary, attacking an organization and providing feedback from an enemy's perspective.
Reverse SSH Connection - the remote system initiates the SSH connection back to your local system, useful when inbound connections to the remote host are blocked.
SAM - Security Account Manager is a database that is present on computers running Windows that stores user accounts and security descriptors for users on the local computer
SSH Tunnelling - SSH tunneling is a method of transporting arbitrary networking data over an encrypted SSH connection.
SSL/TLS - Both are cryptographic protocols that securely authenticate and transport data on the Internet. SSL is old, TLS is the new one.
Security Engineer - Design, monitor, and maintain security controls, networks, and systems to help prevent cyberattacks.
Symmetric encryption - Uses the same key to encrypt and decrypt
VPS - Virtual Private Server (an IaaS offering)
Virtual Private Network (VPN) concentrator appliance - A VPN ensures that the network traffic cannot be read nor altered by a third party. It protects the confidentiality (secrecy) and integrity of the sent data.
XSS - Cross-Site Scripting is a security vulnerability, typically found in web applications, that lets an attacker inject a script that then executes in the victim's browser in the context of the vulnerable site.
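The glossary entries for encoding, hashing, hash collisions and rainbow tables are easiest to see side by side in code. The block below is an added example, not from the original page: it builds the hash-to-plaintext lookup table a rainbow table is a compressed form of, shows that a per-password salt defeats it, shows base64 being reversed with no key, and runs a birthday search for a collision on a truncated SHA-256. The wordlist and the "leaked" digests are constructed here, not taken from any real breach.

```python
"""Hashes, lookup tables, salting and encoding, as used in the glossary above.
Added example, not from the original page: the wordlist and the 'leaked'
digests are constructed here, not taken from any real breach."""
import base64
import hashlib
import os

# Constructed stand-in for a real wordlist.
WORDLIST = ["password", "letmein", "Summer2024!", "qwerty", "hunter2"]


def build_lookup_table(words, algo="sha256"):
    """Precompute digest -> plaintext once. A rainbow table is a space-optimised
    form of exactly this mapping; both only work when hashes are unsalted."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in words}


def lookup(table, digest):
    """O(1) 'cracking' of an unsalted digest, or None if it is not in the table."""
    return table.get(digest.lower())


def salted_hash(password, salt=None):
    """Hash with a per-password random salt. Returns (salt_hex, digest_hex).
    The precomputed table never matches these digests: the attacker would
    need a separate table per salt value."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex(), digest


def sha256_prefix(msg: bytes, bits: int) -> str:
    """First `bits` bits of SHA-256(msg) as hex (bits must be a multiple of 4)."""
    return hashlib.sha256(msg).hexdigest()[: bits // 4]


def find_truncated_collision(bits=16):
    """Birthday search: two different inputs whose SHA-256 digests agree in their
    first `bits` bits. Expected work is about 2**(bits/2) hashes, which is why a
    full 256-bit digest is collision resistant but a 16-bit truncation is not."""
    seen = {}
    i = 0
    while True:
        m = f"msg-{i}".encode()
        prefix = sha256_prefix(m, bits)
        if prefix in seen:
            return seen[prefix], m, prefix
        seen[prefix] = m
        i += 1


def decode_base64(s: str) -> str:
    """Encoding is not encryption: base64 is reversed with no key at all."""
    return base64.b64decode(s).decode()


def demo():
    table = build_lookup_table(WORDLIST)
    leaked_unsalted = hashlib.sha256(b"hunter2").hexdigest()
    _, leaked_salted = salted_hash("hunter2", salt=b"\x01" * 16)  # fixed salt for reproducibility
    return {
        "unsalted": lookup(table, leaked_unsalted),   # 'hunter2'
        "salted": lookup(table, leaked_salted),       # None
        "decoded": decode_base64("aHVudGVyMg=="),     # 'hunter2'
    }


if __name__ == "__main__":
    print(demo())
    a, b, p = find_truncated_collision(16)
    print(f"collision on first 16 bits: {a!r} and {b!r} -> {p}")
```

Salting stops precomputation but not a targeted dictionary attack against one hash, so real password storage also needs a deliberately slow function (bcrypt, scrypt or Argon2, as the Bcrypt Generator link above hints); plain SHA-256 is used here only to keep the example in the standard library.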
Virus: Malware that infects a computer by inserting itself into programs and can cause damage or corruption to data and programs. Needs user interaction to spread.
Worm: Malware that replicates itself to spread to other computers. Does not need user interaction to spread. It can spread through networks, email, or other means.
Trojan horse: Malware disguised as a legitimate program that performs harmful activities once inside a computer system.
Spyware: Malware that collects information about a user's activities and reports it back to the attacker, often used for unethical purposes.
Phishing: A technique used to obtain information by posing as a legitimate organization or individual and requesting sensitive information.
DoS attack: Flooding a system with traffic or requests until it can no longer serve legitimate users.
DDoS attack and botnets: A distributed denial-of-service attack that uses a network of compromised computers (a botnet) to flood a target from many sources at once.
Spam: Unwanted junk email that overwhelms the recipient and can be used to spread malware or phishing attempts.
Ransomware: Malware that encrypts a user's data and demands a ransom to decrypt it.
Rootkit: Malware that gives an attacker root access to a computer and hides its presence from the user.
Adware: Malware that displays unwanted advertisements on a user's computer.
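The glossary above defines brute force, password spraying and credential stuffing; the difference is easiest to see in an auth log, which is what a HIDS or a SIEM rule would consume. The block below is an added example, not from the original page: it parses sshd-style "Failed password" lines and classifies each source address by whether its failures pile onto one account (brute force) or spread one attempt per account across many (spraying). The log lines are constructed in the style of OpenSSH's messages and are not real; the thresholds are illustrative.

```python
"""Telling brute force from password spraying in an auth log, per the glossary
definitions above. Added example, not from the original page; the log lines are
constructed in the style of OpenSSH's sshd messages and are not real."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"Failed password for (?:invalid user )?(\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)


def _line(n, user, ip):
    """Build one constructed sshd failure line."""
    return (f"Mar  1 10:{n // 60:02d}:{n % 60:02d} host sshd[{n}]: "
            f"Failed password for {user} from {ip} port {40000 + n} ssh2")


# Constructed sample: 203.0.113.5 hammers 'admin' (brute force); 198.51.100.8
# tries once per account across 25 accounts (spraying); 192.0.2.3 is a single
# typo followed by a successful key login and must not be flagged.
SAMPLE_LOG = "\n".join(
    [_line(i, "admin", "203.0.113.5") for i in range(12)]
    + [_line(100 + i, ("invalid user " if i % 2 else "") + f"user{i:02d}", "198.51.100.8")
       for i in range(25)]
    + [_line(200, "carol", "192.0.2.3"),
       "Mar  1 10:03:30 host sshd[201]: Accepted publickey for carol from 192.0.2.3 port 40201 ssh2"]
)


def classify_failed_logins(log_text, min_attempts=10):
    """Return {src_ip: (verdict, attempts, distinct_users)} for sources with at
    least `min_attempts` failures. Brute force: failures concentrate on one
    account. Spraying: about one failure per account across many accounts; the
    attacker stays under per-account lockout thresholds, so counting per account
    misses it and counting per source catches it."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            user, ip = m.groups()
            per_src[ip][user] += 1
    verdicts = {}
    for ip, users in per_src.items():
        attempts = sum(users.values())
        if attempts < min_attempts:
            continue
        distinct = len(users)
        top_share = max(users.values()) / attempts
        if top_share >= 0.5:
            verdict = "brute_force"
        elif distinct >= 0.8 * attempts:
            verdict = "password_spraying"
        else:
            verdict = "mixed"
        verdicts[ip] = (verdict, attempts, distinct)
    return verdicts


if __name__ == "__main__":
    for ip, (verdict, attempts, distinct) in classify_failed_logins(SAMPLE_LOG).items():
        print(f"{ip}: {verdict} ({attempts} failures across {distinct} accounts)")
```

Credential stuffing looks like spraying in this view (one attempt per account from the same source), since the log does not show the password tried; distinguishing it needs correlation with breach data or with an unusually high success rate per attempt, which this example does not attempt.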
CIA Triad is a model designed to guide policies for information security within an organisation. It consists of three core principles being: Confidentiality, Integrity, and Availability.
- Confidentiality ensures that only the intended persons or recipients can access the data.
- Integrity aims to ensure that the data cannot be altered; moreover, we can detect any alteration if it occurs.
- Availability aims to ensure that the system or service is available when needed.
The security of a system is attacked through one of several means: disclosure of secret data, alteration of data, or destruction of data or denial of access to it. This DAD triad is the opposite of the CIA triad.
- Disclosure: Unauthorized access to information. The opposite of confidentiality.
- Alteration: Unauthorized changes to information. The opposite of integrity.
- Destruction/Denial: Unauthorized destruction of information, or denial of access to it. The opposite of availability.
Protecting against disclosure, alteration, and destruction/denial is very important, as this protection is equivalent to working to maintain confidentiality, integrity and availability.
The Bell-LaPadula Model aims to achieve confidentiality by specifying three rules:
- Simple Security Property: This property is referred to as “no read up”; it states that a subject at a lower security level cannot read an object at a higher security level. This rule prevents access to sensitive information above the authorized level.
- Star Security Property: This property is referred to as “no write down”; it states that a subject at a higher security level cannot write to an object at a lower security level. This rule prevents the disclosure of sensitive information to a subject of lower security level.
- Discretionary-Security Property: This property uses an access matrix to allow read and write operations. An example access matrix is shown in the table below and used in conjunction with the first two properties.
The first two properties can be summarized as “write up, read down.” You can share confidential information with people of higher security clearance (write up), and you can receive confidential information from people with lower security clearance (read down).
Subjects | Object A | Object B |
---|---|---|
Subject 1 | Write | No access |
Subject 2 | Read/Write | Read |
Limitation: It was not designed to handle file-sharing.
The Biba Model aims to achieve integrity by specifying two main rules
- Simple Integrity Property: This property is referred to as “no read down”; a higher integrity subject should not read from a lower integrity object.
- Star Integrity Property: This property is referred to as “no write up”; a lower integrity subject should not write to a higher integrity object.
Limitation: Does not handle internal threats (insider threat).
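The Bell-LaPadula and Biba rules above are just comparisons on a level ordering, which makes them easy to get backwards. The Python below is an added example, not from the original page: it encodes both sets of mandatory rules as functions, and combines the BLP rules with the discretionary access matrix from the table above (the Discretionary-Security Property). The level names and their ordering are illustrative assumptions.

```python
"""Bell-LaPadula (confidentiality) and Biba (integrity) access decisions, plus
the discretionary access matrix that BLP combines with its mandatory rules.
Added example, not from the original page: the level names are illustrative,
the matrix is the one shown in the table above."""

# Ordinal clearance / classification levels; reused as integrity levels below.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top_secret": 3}


def blp_allows(subject_level, object_level, op):
    """Bell-LaPadula mandatory rules.
    read : Simple Security Property, 'no read up'   -> subject >= object
    write: *-Security Property,      'no write down' -> subject <= object"""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s >= o
    if op == "write":
        return s <= o
    raise ValueError(f"unknown operation {op!r}")


def biba_allows(subject_level, object_level, op):
    """Biba mandatory rules, the mirror image of BLP.
    read : Simple Integrity Property, 'no read down' -> subject <= object
    write: *-Integrity Property,      'no write up'  -> subject >= object"""
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


# Discretionary access matrix from the table above: subject -> object -> ops.
ACCESS_MATRIX = {
    "subject1": {"objectA": {"write"}, "objectB": set()},
    "subject2": {"objectA": {"read", "write"}, "objectB": {"read"}},
}


def blp_decide(subject, subject_level, obj, object_level, op):
    """Full BLP decision (Discretionary-Security Property): the access matrix
    AND the mandatory rules must both permit the operation."""
    permitted = ACCESS_MATRIX.get(subject, {}).get(obj, set())
    return op in permitted and blp_allows(subject_level, object_level, op)


if __name__ == "__main__":
    # 'write up, read down' under BLP; Biba forbids exactly those directions.
    print("BLP  write up:", blp_allows("secret", "top_secret", "write"),
          " read down:", blp_allows("secret", "confidential", "read"))
    print("Biba write up:", biba_allows("secret", "top_secret", "write"),
          " read down:", biba_allows("secret", "confidential", "read"))
```

Note that the two models pull in opposite directions: a subject at "secret" may write to "top_secret" under BLP but not under Biba, which is why a system that needs both confidentiality and integrity cannot simply use one label for both and has to keep separate clearance and integrity levels.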
The Clark-Wilson Model also aims to achieve integrity by using the following concepts:
- Constrained Data Item (CDI): This refers to the data type whose integrity we want to preserve.
- Unconstrained Data Item (UDI): This refers to all data types beyond CDI, such as user and system input.
- Transformation Procedures (TPs): These procedures are programmed operations, such as read and write, and should maintain the integrity of CDIs.
- Integrity Verification Procedures (IVPs): These procedures check and ensure the validity of CDIs.
It is vital to administer and correctly define the various levels of access that individuals require. These levels are determined by two primary factors:
- The individual's role/function within the organisation
- The sensitivity of the information being stored on the system
When managing access rights, two crucial concepts are used: Privileged Identity Management (PIM) and Privileged Access Management (PAM).
- PIM is used to translate a user's role within an organisation into an access role on a system.
- PAM is the management of the privileges a system's access role has, amongst other things.
What is essential when discussing privilege and access controls is the principle of least privilege. Simply, users should be given the minimum amount of privileges, and only those that are absolutely necessary for them to perform their duties.
Trust in cybersecurity is addressed through two key principles:
- Trust but Verify: Verify the actions of trusted entities through automated security mechanisms like logs and intrusion detection.
- Zero Trust: Assume no trust and require authentication and authorization for all access, reducing the potential impact of breaches. Implementations like microsegmentation enhance security.
Threat modelling is the process of identifying the threats to a system or organisation, assessing how likely and how damaging they are, and deciding on mitigations; in practice it means reviewing, improving, and testing the security controls in place across the organisation's information technology infrastructure and services.
The threat modelling process is very similar to a risk assessment made in workplaces for employees and customers. The principles all return to:
- Preparation
- Identification
- Mitigations
- Review
It is, however, a complex process that needs constant review and discussion with a dedicated team. An effective threat model includes:
- Threat intelligence
- Asset identification
- Mitigation capabilities
- Risk assessment
To help with this, there are frameworks such as STRIDE (Spoofing identity, Tampering with data, Repudiation threats, Information disclosure, Denial of Service and Elevation of privileges) and PASTA (Process for Attack Simulation and Threat Analysis)
- Vulnerability: Vulnerabilities are weaknesses that can be exploited.
- Threat: A threat represents the possibility of harm resulting from the exploitation of a vulnerability.
- Risk: Concerned with the likelihood of a threat actor exploiting a vulnerability and the potential impact on the business. Risk assessment involves evaluating the probability and consequences of security incidents.
Threat Intel is geared towards understanding the relationship between your operational environment and your adversary. With this in mind, we can break down threat intel into the following classifications:
- Strategic Intel: High-level intel that looks into the organisation's threat landscape and maps out the risk areas based on trends, patterns and emerging threats that may impact business decisions.
- Technical Intel: Looks into evidence and artefacts of attack used by an adversary. Incident Response teams can use this intel to create a baseline attack surface to analyse and develop defence mechanisms.
- Tactical Intel: Assesses adversaries' tactics, techniques, and procedures (TTPs). This intel can strengthen security controls and address vulnerabilities through real-time investigations.
- Operational Intel: Looks into an adversary's specific motives and intent to perform an attack. Security teams may use this intel to understand the critical assets available in the organisation (people, processes, and technologies) that may be targeted.
- Using UrlScan.io to scan for malicious URLs.
- Using Abuse.ch to track malware and botnet indicators.
- Investigate phishing emails using PhishTool.
- Using Cisco's Talos Intelligence platform for intel gathering.
The Pyramid of Pain (David Bianco) ranks the types of indicator a defender can detect or block by how much "pain" losing them causes an adversary. From the bottom (trivial for the attacker to change) to the top (hardest to change): hash values, IP addresses, domain names, network and host artifacts, tools, and finally TTPs (tactics, techniques and procedures).
The idea is that detections built on the lower levels (a file hash, an IP address) are cheap for the attacker to evade by recompiling or moving infrastructure, whereas detecting and denying their tools and TTPs forces them to rework how they operate. Defenders should therefore push their detection engineering as far up the pyramid as their telemetry allows, rather than relying on hash and IP blocklists alone.
- Governance: Managing and directing an organisation or system to achieve its objectives and ensure compliance with laws, regulations, and standards.
- Regulation: A rule or law enforced by a governing body to ensure compliance and protect against harm.
- Compliance: The state of adhering to laws, regulations, and standards that apply to an organisation or system.
The benefits of sound governance and compliance include a better security posture, stakeholder confidence, regulatory compliance, alignment with business objectives, informed decision-making, and competitive advantage.
Developing governance documents can involve the following steps:
- Identify Scope and Purpose: Define what the document will cover and its necessity.
- Research and Review: Investigate laws, regulations, and best practices to make the document comprehensive.
- Draft the Document: Create an actionable, specific draft aligned with organizational goals.
- Review and Approval: Involve stakeholders for feedback and final approval.
- Implementation and Communication: Distribute the document and educate employees.
- Review and Update: Regularly update the document for relevance and compliance.
Policies: Formal statements that set organizational goals and how to achieve them.
Standards: Specific requirements for processes, products, or services.
Guidelines: Non-mandatory recommendations for achieving objectives.
Procedures: Step-by-step instructions for specific tasks.
Baselines: Minimum security standards that must be met.
Let's take a real-world scenario of preparing a password policy.
- Define Requirements: Set rules for password length, complexity, and expiration.
- Usage Guidelines: Specify unique passwords for each account and prohibit sharing.
- Storage and Transmission: Use encryption and secure connections.
- Change and Reset Guidelines: Define how often to change passwords.
- Communication and Monitoring: Educate employees and monitor compliance.
Now, let's take a real-world scenario of making an incident response procedure.
- Define Incident Types: Categorize incidents like unauthorized access or data breaches.
- Roles and Responsibilities: Identify key stakeholders.
- Detailed Steps: Create a step-by-step guide for each incident type.
- Reporting and Documentation: Keep records for future reference.
- Communication and Review: Make sure procedures are understood and periodically updated.
Before a penetration test starts, a formal discussion occurs between the penetration tester and the system owner. Various tools, techniques, and systems to be tested are agreed on. This discussion forms the scope of the penetration testing agreement and will determine the course the penetration test takes.
The ROE is a document that is created at the initial stages of a penetration testing engagement. This document consists of three main sections:
- Permission
- Test scope
- Rules
The steps a penetration tester takes during an engagement is known as the methodology. All of them have a general theme of the following stages:
Stage | Description |
---|---|
Information Gathering | This stage involves collecting as much publicly accessible information about a target/organisation as possible, for example, OSINT and research. Note: This does not involve scanning any systems. |
Enumeration/Scanning | This stage involves discovering applications and services running on the systems. For example, finding a web server that may be potentially vulnerable. |
Exploitation | This stage involves leveraging vulnerabilities discovered on a system or application. This stage can involve the use of public exploits or exploiting application logic. |
Privilege Escalation | Once you have successfully exploited a system or application (known as a foothold), this stage is the attempt to expand your access to a system. You can escalate horizontally and vertically, where horizontally is accessing another account of the same permission group (i.e. another user), whereas vertically is that of another permission group (i.e. an administrator). |
Post-exploitation | This stage involves a few sub-stages: determining what other hosts can be reached from the compromised system (pivoting), gathering additional information now that access has been obtained, covering tracks, and reporting. |
There are three primary levels of tester knowledge, usually named after boxes, when testing an application or service.
Box | Description |
---|---|
Black | This testing process is a high-level process where the tester is not given any information about the inner workings of the application or service. |
Grey | The tester will have some limited knowledge of the internal components of the application or piece of software. |
White | The tester will have full knowledge of the application and its expected behaviour. |
The Open Source Security Testing Methodology Manual provides a detailed framework of testing strategies for systems, software, applications, communications and the human aspect of cybersecurity.
OWASP, the Open Web Application Security Project, is a nonprofit foundation that works to improve software security. It provides free, openly available articles, methodologies, documentation, tools, and technologies in the field of web application security.
OWASP is known for its widely-referenced OWASP Top 10, a standard awareness document for developers and web application security that lists the most critical security risks to web applications.
The NIST Cybersecurity Framework is a popular framework used to improve an organisation's cybersecurity standards and manage the risk of cyber threats.
The NCSC Cyber Assessment Framework (CAF) is a structured guide designed to ensure the security of organizations, particularly those part of the Critical National Infrastructure.
The CAF aligns with the NIS regulations and is structured around 14 objectives, categorized into four main goals: managing security risk, protecting against cyber attacks, detecting cybersecurity events, and minimizing the impact of incidents. It provides comprehensive indicators of good practice for organizations to assess and improve their security posture.
ISO/IEC 19249 outlines architectural and design principles for creating secure IT products and systems
- Least Privilege: This principle emphasizes providing the minimum permissions necessary for individuals or entities to perform their tasks. (Design Principle: 1)
- Attack Surface Minimization: It focuses on reducing the potential points of attack by eliminating unnecessary services and reducing vulnerabilities. (Design Principle: 2)
- Centralized Parameter Validation: This principle suggests centralizing the validation of input parameters to prevent threats that may exploit vulnerabilities. (Design Principle: 3)
- Centralized General Security Services: It advocates for centralizing security services such as authentication to enhance control and reduce potential points of failure. (Design Principle: 4)
- Preparing for Error and Exception Handling: This principle emphasizes designing systems to handle errors and exceptions gracefully and securely, ensuring they do not leak sensitive information. (Design Principle: 5)
The five architectural principles outlined in ISO/IEC 19249:
- Domain Separation: Components are grouped into distinct entities, each with its own domain and set of security attributes. This separation helps control access and privileges. (Architectural Principle: 1)
- Layering: The system is structured into abstract levels or layers, enabling the imposition of security policies at different levels and facilitating validation of system operations. (Architectural Principle: 2)
- Encapsulation: Involves hiding low-level implementations and preventing direct manipulation of data by providing specific methods, similar to object-oriented programming, to ensure data integrity. (Architectural Principle: 3)
- Redundancy: Ensures availability and integrity by implementing redundancy measures. Examples include redundant power supplies or RAID configurations in data storage. (Architectural Principle: 4)
- Virtualization: Sharing a single set of hardware among multiple operating systems, which enhances security boundaries and containment of malicious programs, particularly relevant in the context of cloud services. (Architectural Principle: 5)
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). ISO/IEC 27001 is its international standard for managing information security through an information security management system (ISMS).
An ISMS consists of the policies, procedures, guidelines, and associated resources and activities, collectively managed by an organization, in the pursuit of protecting its information assets.
It is a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based on a risk assessment and the organization’s risk acceptance levels designed to effectively treat and manage risks.
Hackers are sorted into three hats, where their ethics and motivations behind their actions determine what hat category they are placed into.
Hat | Description |
---|---|
Black hat | These people are criminals and often seek to damage organisations or gain some form of financial benefit at the cost of others. |
Grey hat | These people use their skills to benefit others often; however, they do not respect/follow the law or ethical standards at all times. |
White hat | These hackers are considered the "good people". They remain within the law and use their skills to benefit others. |
Career | Description |
---|---|
Security Analyst | Responsible for maintaining the security of an organisation's data |
Security Engineer | Design, monitor and maintain security controls, networks, and systems to help prevent cyberattacks |
Incident Responder | Identifies and mitigates attacks while the attacker's operations are still unfolding |
Digital Forensics Examiner | Responsible for using digital forensics to investigate incidents and crimes |
Malware Analyst | Analyses all types of malware to learn more about how they work and what they do |
Penetration Tester | Responsible for testing technology products for security loopholes |
Red Teamer | Plays the role of an adversary, attacking an organisation and providing feedback from the adversary's perspective |
Also includes other useful CLI tools and commands for Linux and Windows.
cat is a Linux shell command that concatenates files and prints them on standard output. It is most often used to view the content of a file. On Windows the equivalent command is type.
Example
cat -n example.txt
Options
-n
number all output lines
ls is a Linux shell command that lists directory contents of files and directories.
-i
list file's inode index number
-a
list all files including hidden file starting with '.'
-l
list with long format - show permissions
-d
list directories themselves rather than their contents (ls -d */ lists only the subdirectories of the current folder)
-s
print the allocated size of each file in blocks (use -l or -lh for the byte size)
-S
sort by file size
-t
sort by time & date
-X
sort by extension name
mkdir creates directories
Syntax
mkdir <name>
The command mkdir has an option marked -p to add parent directories.
mkdir -p Folder/i/am/in
Creates a file
Example:
touch file.txt
We can look at the whole structure after creating the parent directories with the tool tree.
Syntax:
tree .
ps shows the processes of the current shell session; ps aux is the usual way to see every process on the system
PID – the unique process ID
TTY – the terminal the process is attached to
TIME – the cumulative CPU time the process has consumed (not how long it has been running)
CMD – the command that launched the process
-a
processes of all users that have a terminal
-u
user-oriented format with owner, CPU and memory columns
-x
also show processes that have no controlling terminal (daemons)
-t <tty>
only the processes attached to the given terminal
htop is an interactive process viewer for Unix systems
sudo apt install htop
Options
-d
Delay between updates, in tenths of seconds
-u
Show only processes owned by a specified user
-p
Show only processes with specified process IDs
-s
Sort by specified column (use --sort-key help for a list)
-t
Tree view
-U
Do not use unicode but plain ASCII
rm deletes files
Example:
rm -rf /tmp/*
-r
recursive: removes directories together with everything below them
-f
force: never prompts and ignores missing files, so check the path (and any variable or glob in it) before combining -rf with it
Moves/renames files
Example (relocate):
mv file.txt /tmp
Example (rename):
mv file.txt file2.txt
top command is used to show the Linux processes. It provides a dynamic real-time view of the running system
lsof stands for list open files. It is a command-line utility that lists all the open files and the processes that opened them.
Syntax
lsof <options> <file>
Examples
Show the network sockets (-i) held open by openvpn
lsof -i | grep openvpn
kill sends a signal to a process; by default TERM
The most commonly used signals are:
1 (HUP) - Hang up; most daemons treat it as "reload your configuration".
9 (KILL) - Kill a process immediately; cannot be caught, blocked or ignored, so no cleanup runs.
15 (TERM) - Ask a process to stop gracefully (the default signal).
kill -9 <PID>
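An added example of the TERM-then-KILL sequence the signal list above describes (this is not code from the original page). It assumes a Linux with a procps-style ps that supports -o stat=, and uses the kill -0 idiom to check whether a PID still exists; the two background processes are constructed for the demo, one that exits on TERM and one that ignores it.

```shell
#!/bin/sh
# Added example, not from the original page: stop a process with TERM first
# and fall back to KILL only if it does not exit. Assumes procps `ps -o stat=`.

# is_alive PID -> 0 if the process still runs, 1 if it is gone or a zombie.
is_alive() {
    kill -0 "$1" 2>/dev/null || return 1   # kill -0 sends nothing; it only checks existence/permission
    # kill -0 also succeeds for a zombie (exited but not yet reaped by its
    # parent), so look at the state column as well.
    state=$(ps -o stat= -p "$1" 2>/dev/null || true)
    case "$state" in
        *Z*) return 1 ;;
    esac
    return 0
}

# graceful_stop PID [TIMEOUT_SECONDS]
# Returns 0 once the process is gone, 1 if even KILL did not remove it.
graceful_stop() {
    pid=$1
    timeout=${2:-5}
    is_alive "$pid" || return 0
    kill -15 "$pid" 2>/dev/null || true    # TERM: handlers run, temp files get cleaned up
    i=0
    while [ "$i" -lt "$timeout" ]; do
        is_alive "$pid" || { wait "$pid" 2>/dev/null || true; return 0; }
        sleep 1
        i=$((i + 1))
    done
    echo "pid $pid ignored TERM for ${timeout}s, sending KILL" >&2
    kill -9 "$pid" 2>/dev/null || true     # KILL: cannot be caught, blocked or ignored
    wait "$pid" 2>/dev/null || true        # reap it if it is our child so it does not linger as a zombie
    is_alive "$pid" && return 1
    return 0
}

# Constructed demo: a cooperative process and one that ignores TERM.
sleep 100 &
graceful_stop "$!" 3 && echo "cooperative process stopped"
sh -c 'trap "" TERM; while :; do sleep 1; done' &
graceful_stop "$!" 2 && echo "stubborn process stopped"
```

The order matters for forensics as much as for hygiene: a process that receives KILL never flushes its logs or removes its lock files, so reach for -9 only after TERM has had a chance.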
The find command walks a directory tree and lists the files and directories that match the given tests
Syntax
find <location> <options>
Examples
Find all .conf files bigger than 25 kilobytes and modified after 2020-03-03, run ls -la on each of them, and discard errors (quote the pattern, otherwise the shell expands it before find sees it)
find / -type f -name '*.conf' -size +25k -newermt 2020-03-03 -exec ls -al {} \; 2>/dev/null
Search for a file by name starting from the root directory
find / -type f -name passwords.txt
Find any file with the extension ".txt"
find / -name '*.txt'
Find the files owned by the 'users' group
find / -group users -type f 2>/dev/null
Location specific options
No location given = the current directory, searched recursively (same as .)
/ = the root directory, i.e. the whole filesystem
. = the current directory and its subdirectories
Other options
-name
= match the file name against a glob pattern (quote it)
-iname
= like -name, but the match is case insensitive
-print
= print the path of each match to standard output (the default action)
-regex
= true if the whole path of the file matches the regular expression
-type
= d to only find directories, f to only find files
-user
= specify the owner
-size
= specify the size (+25k bigger than 25 KiB, -25k smaller)
-perm
= specify permission bits (for example -perm -4000 lists files with the SUID bit set, a standard privilege-escalation check)
Time specific
-amin/-atime (accessed), -mmin/-mtime (modified), -cmin/-ctime (inode or metadata changed). The min variants count minutes, the time variants count 24-hour periods; a leading + means more than, - means less than, and no sign means exactly.
To specify that a file was last accessed more than 30 minutes ago, use -amin +30.
To specify that it was modified less than 7 days ago, use -mtime -7.
To specify that it was modified within the last 24 hours, use -mtime 0.
Note
- Suppress "Permission denied" and similar errors to keep the output readable by appending 2>/dev/null to the command; you then only see results you are allowed to access.
- The -exec flag runs a command on every match, for example -exec whoami \; ({} stands for the current file and \; ends the command). If find itself runs with elevated privileges (SUID bit set, or allowed via sudo), the command it executes inherits them, which is why find appears in privilege-escalation checklists.
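The find predicates above applied to a small directory tree, as an added example that is not part of the original page. The tree (oversized .conf files, a SUID helper, a hidden flag file) is constructed under a temporary directory by the script itself; it assumes GNU find and coreutils (truncate, touch -d, mktemp), which is what the -newermt test in the page's own example already requires.

```shell
#!/bin/sh
# Added example, not from the original page: exercise find's size, name,
# time and permission tests on a constructed tree. Assumes GNU find/coreutils.

# Build a throwaway tree under a temp dir and print its path.
make_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/app" "$root/usr/bin" "$root/home/user/.hidden"
    truncate -s 30k "$root/etc/app/big.conf"       # bigger than 25 KiB
    truncate -s 1k  "$root/etc/app/small.conf"
    truncate -s 40k "$root/etc/app/notes.txt"      # big, but not a .conf
    printf '#!/bin/sh\nid\n' > "$root/usr/bin/helper"
    chmod 4755 "$root/usr/bin/helper"              # set the SUID bit (mode 4xxx)
    printf 'x' > "$root/home/user/.hidden/flag.txt"
    touch -d '2020-01-01' "$root/etc/app/small.conf"   # older than the cutoff date
    echo "$root"
}

# .conf files over 25 KiB modified after 2020-03-03 (the page's example);
# errors such as unreadable directories are dropped with 2>/dev/null.
big_recent_confs() {
    find "$1" -type f -name '*.conf' -size +25k -newermt 2020-03-03 2>/dev/null
}

# SUID files: -perm -4000 means "the setuid bit is set, whatever the other bits are".
# -exec runs ls -l on each match so the owner and mode are visible.
suid_files() {
    find "$1" -type f -perm -4000 -exec ls -l {} \; 2>/dev/null
}

# Files modified less than 10 minutes ago; hidden (dot) files are included,
# find does not treat them specially.
recently_modified() {
    find "$1" -type f -mmin -10 2>/dev/null
}

# Demo run on the constructed tree
root=$(make_tree)
echo "large, recent .conf files:"; big_recent_confs "$root"
echo "SUID files:"; suid_files "$root"
echo "modified in the last 10 minutes:"; recently_modified "$root"
rm -rf "$root"
```

On a real host the same three functions, pointed at /, are the bulk of a first-pass privilege-escalation and incident triage sweep: oversized or freshly modified config files, SUID binaries that should not be there, and anything touched in the last few minutes.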
which returns the path of the executable (or link) that would run for a given command name
Syntax
which python3
This tool is used to get a short description of a command.
Syntax
whatis <command>
locate finds files by name, using a prebuilt index rather than walking the filesystem, so it is fast but only as current as the last updatedb run
Syntax
locate <file_name>
This tool is used to search for a command by its description.
Syntax
apropos <something>
Example
apropos hexeditor
stat displays detailed information about the given files or file systems: file name, size, blocks, type, inode, UID, GID, and the access, modify, change and (where the file system records it) creation times.
Example usage:
stat file.txt
df is a command-line utility for reporting file system disk space usage
Example usage:
get the size of the file system in gigabytes
df -BG
Options:
--block-size=SIZE
scale sizes by SIZE. E.g., -BM
prints sizes in units of 1,048,576 bytes.
--exclude-type=TYPE
exclude file systems of type TYPE
-h
print sizes in human readable format (e.g., 1K 234M 2G)
-T
print file system type
-t
limit listing to file systems of type TYPE
du is a command that can be used to estimate file space usage. It is a part of the GNU coreutils suite.
Example usage:
du -shL BreachCompilation
Options:
-a
to display an entry for each file in a file hierarchy
-c
displays total size at the end
-d <number>
to specify the depth of the directory tree to be displayed
-h
to get a human-readable output
-L
dereference all symbolic links
-s
to get the total size of the directory
--time
get the results with timestamps of last modification
ncdu is a disk usage analyzer with an ncurses interface.
Example usage:
ncdu -x --si BreachCompilation
Options:
-x
- Stay on the same file system: do not cross mount points while scanning.
--si
- Use SI units (powers of 10) to display the file sizes instead of the default binary units (powers of 2).
free is a command-line utility that displays the total amount of free and used physical and swap memory in the system, as well as the buffers and caches used by the kernel.
Example usage:
free -h
Options:
-b
- to display the amount of memory in bytes
-k
- to display the amount of memory in kilobytes
-m
- to display the amount of memory in megabytes
-g
- to display the amount of memory in gigabytes
-h
- to display the amount of memory in a human-readable format
-s N
- to update the output every N seconds
uniq is a command-line utility that removes adjacent duplicate lines, so the input is normally sorted first (sort file.txt | uniq)
Example
uniq file.txt
Options
-c
count the number of occurrences of each line
-d
only print duplicate lines
-u
only print unique lines
-i
to ignore case
sort is a command-line utility that sorts lines of text files.
Syntax:
sort [OPTION] [FILE]
Options:
-b
- ignore leading blanks
-c
- check if the file is sorted
-r
- to sort in reverse order
-o
- to write output to a file
-u
- sort and remove duplicate lines
-n
- to sort numerically
-g
- to sort general-numeric
-h
- to sort human readable numbers
-f
- ignore case
diff is a command-line utility that allows you to compare two files line by line
Example usage:
diff a.txt b.txt
The tail/head commands, as the names imply, print the last/first N lines (or bytes) of the given input
Options:
-n <number>
number of lines to show
-c <number>
number of bytes to show
history
a shell builtin that lists the commands run in the current terminal session (bash also writes them to ~/.bash_history on exit, which makes it worth reading on a compromised host and easy for an attacker to clear)
pwd
prints the full path of the current working directory
chmod sets the permissions of a file. In the numeric form the three digits apply to the owner, the group and everyone else, in that order
Example:
chmod 777 file.txt
This gives every user on the system read, write and execute access; acceptable for a scratch file in a CTF, never for anything that matters.
Permissions
Digit | Meaning |
---|---|
1 | That file can be executed |
2 | That file can be written to |
3 | That file can be executed and written to |
4 | That file can be read |
5 | That file can be read and executed |
6 | That file can be written to and read |
7 | That file can be read, written to, and executed |
To make a binary file just executable for the owner of the file, you can use:
chmod u+x file.txt
Change the user and group for any file
Syntax:
chown user:group file
change user/group
Example (change the owner):
chown berkan file.txt
-R
to operate on every file in the directory at once
The curl command transfers data to or from a network server, using one of the supported protocols (HTTP, HTTPS, FTP, FTPS, SCP, SFTP, TFTP, DICT, TELNET, LDAP or FILE).
Syntax:
curl <URL>
simply fetches the URL and prints the response body to the terminal.
Options:
-s
silent mode: hides the progress meter and error messages
-#
show progress bar
-o page.html <URL>
to save the output to a file
-O <URL>
to save the output to a file with the same name as the file in the URL
-I <URL>
to get the headers only
-L <URL>
to follow redirects
-b <NAME1=VALUE1;NAME2=VALUE2>
specify cookies
-d <data> <URL>
to send data
-X <METHOD> <URL>
to change the request method
-T <FILE> <URL>
to upload a file
-u <USER>:<PASSWORD>
to authenticate
-A <AGENT> <URL>
to change the user agent
--referer <URL_REF> <URL>
to change the referer
-H <HEADER> <URL>
to add headers
-H "DNT: 1" <URL>
to change the DNT(do not track) header
-H "X-Forwarded-For: <IP>" <URL>
to change the X-Forwarded-For header
-H "Accept-Language: da-DK" <URL>
to change the Accept-Language header (ex. Danish)
-H "Date: Mon, 23 11 2018 23:23:23 GMT" <URL>
to change the date
Example:
Real use case example
# Download a file
curl -O http://example.com/file.txt
# Advanced curl command to get the flag: spoof the user agent, the date, DNT, the client IP, the language and the referer in one request
curl -s -A "PicoBrowser" -H "Date: Mon, 23 11 2018 23:23:23 GMT" -H "DNT: 1" -H "X-Forwarded-For: 2.71.255.255" -H "Accept-Language: sv-SE" --referer http://mercury.picoctf.net:36622 http://mercury.picoctf.net:36622/ | grep -oI "picoCTF{.*}"
The wget command downloads files over HTTP, HTTPS or FTP.
Get FTP files recursively (the credentials in the URL end up in the shell history and the process list, so prefer --user/--password or a ~/.netrc entry outside a lab)
wget -r ftp://<USER>:<PASSWORD>@<IP>
Options:
-O
to specify the output file
-b
to run in the background
-r
to download recursively
-q
to download in quiet mode
wash scans for WPS-enabled access points and reports whether WPS is locked; it ships with reaver, not with aircrack-ng, and it does not crack WPA/WPA2 handshakes itself
Example usage:
wash -i wlan0mon
- to list WPS-enabled networks on a monitor-mode interface
netdiscover is a standalone ARP reconnaissance tool that finds live hosts on the local network (it is not part of the aircrack-ng suite); it needs a normal managed interface, not a monitor-mode one
Example usage:
netdiscover -i <interface>
or netdiscover -r <ip>/24
- to scan for live hosts on a network
netstat is a command-line utility that displays network connections (TCP and UDP, incoming and outgoing), listening sockets and routing tables
Example usage:
netstat -tulpn
- TCP (-t) and UDP (-u) listening sockets (-l) with the owning program (-p, needs root) and numeric addresses (-n)
ss is the modern replacement for netstat; it displays TCP, UDP and Unix sockets and takes the same flags
Example usage:
ss -tulpn
- to display all listening ports with the owning process
tcpdump is a command-line utility that allows you to capture and analyze network traffic going through your system
Example usage:
tcpdump -i wlan0mon
- to capture all network traffic on the wlan0mon interface
Whatweb is a handy tool and contains much functionality to automate web application enumeration across a network. We can extract the version of web servers, supporting frameworks, and applications using the command-line tool.
Example usage:
whatweb --no-errors 10.10.10.0/24
Options:
-a=LEVEL
Aggression level
-U=AGENT
User agent
--header
HTTP header
--max-redirects=NUM
Maximum number of redirects
-u=<user:password>
Basic authentication
-c=COOKIES
Use cookies
--cookie-jar=FILE
Read cookies from a file
-g=STRING|REGEXP
Search for a string
--no-errors
Suppress error messages
-p=LIST
Select the plugins to run (comma separated)
-l
List all plugins
-v
Verbose mode
-q
Quiet output
-h
to show help (highly recommended)
apt is a command-line utility for installing, updating, removing, and otherwise managing deb packages
sudo apt update
This will pull the latest changes from the APT repositories:
sudo apt upgrade
To upgrade the installed packages to their latest versions
sudo apt full-upgrade
The difference between upgrade and full-upgrade is that the latter will also remove installed packages if that is needed to upgrade the whole system.
sudo apt install package_name
Install packages
sudo apt remove package_name
Remove packages
sudo apt autoremove
Remove unused packages
sudo apt list
List packages
dig command stands for Domain Information Groper. It is used for retrieving information about DNS name servers
dig [server] [name] [type]
dig google.com
Options:
-x <IP>
Reverse lookup: return the PTR record for an IP address
+noall +answer
Show only the answer section
Run a batch of queries from a file (one name per line):
dig -f domain_research.txt +short
tar is a command that creates, lists, modifies and extracts archives in the tar format, optionally compressed with gzip (.tar.gz), bzip2 or xz. It does not handle zip files.
The most common example for tar extraction would be:
tar -xf archive.tar
Compressing a directory with tar
tar -czvf stuff.tar.gz stuff/
Uncompressing files with tar into a given directory
tar -xvzf myfolder.tar.gz -C myfolder/
Options:
-c
tells tar to create an archive.
-z
tells tar to compress the archive with gzip.
-v
tells tar to be verbose.
-f
tells tar that the next argument will be the name of the archive to operate on.
-C
tells tar to change to the directory specified before performing any operations.
-x
tells tar to extract files from an archive.
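An added example, not code from the original page, that puts the -c/-z/-f, -C and -x options together and adds the check a practitioner does before extracting an archive from an untrusted source: list it with -t and refuse entries with absolute or ../ paths, since such entries can write outside the target directory. The archives are built by the script from a constructed directory; it assumes GNU tar (the -P flag used to build the deliberately bad archive).

```shell
#!/bin/sh
# Added example, not from the original page. Builds a .tar.gz with the options
# described above and shows the listing-before-extracting check. Assumes GNU tar.

# Construct a directory, pack it, and also build a bad archive containing "../".
make_archives() {
    work=$(mktemp -d)
    mkdir -p "$work/stuff/sub"
    echo "hello" > "$work/stuff/a.txt"
    echo "world" > "$work/stuff/sub/b.txt"
    # -c create, -z gzip, -f archive name; -C so the stored paths start at "stuff/"
    tar -czf "$work/stuff.tar.gz" -C "$work" stuff
    # Deliberately bad archive: -P keeps the leading "../" that tar would normally strip
    tar -P -czf "$work/evil.tar.gz" -C "$work/stuff/sub" ../a.txt
    echo "$work"
}

# -t lists the members without extracting anything.
list_archive() {
    tar -tzf "$1"
}

# Return 1 if any member could escape the extraction directory
# (absolute path, or a ".." path component anywhere in the name).
check_archive_paths() {
    if list_archive "$1" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "refusing $1: archive contains absolute or parent-directory paths" >&2
        return 1
    fi
    return 0
}

# -x extract, -C into a fresh directory, only after the listing passed the check.
safe_extract() {
    check_archive_paths "$1" || return 1
    mkdir -p "$2"
    tar -xzf "$1" -C "$2"
}

# Demo run
w=$(make_archives)
echo "members of stuff.tar.gz:"; list_archive "$w/stuff.tar.gz"
safe_extract "$w/stuff.tar.gz" "$w/out" && echo "extracted into $w/out"
safe_extract "$w/evil.tar.gz" "$w/out2" || echo "evil.tar.gz was rejected"
rm -rf "$w"
```

GNU tar already strips a leading "/" and refuses "../" on extraction unless -P is given, but other tar implementations and many archive libraries do not, so the listing check is cheap insurance when the archive came from a download or a CTF challenge.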
gzip - a file format and a software application used for file compression and decompression. gzip-compressed files have .gz extension.
gzip filename.txt
compression
Switches:
-d
decompression
Example:
gzip -d file.gz
grep searches the contents of files (or piped input) for lines matching a string or regular expression
grep "hello world" file.txt
Extract IPv4 addresses with an extended regular expression (-E) and print only the matching part (-o)
grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'
Match absolute paths with three-, three- and four-character components (e.g. "/usr/bin/sudo")
grep '^/.../.../....$'
Grep for a CTF flag 1/2 (any non-blank run containing "flag", case insensitive)
grep -oi '\S*flag\S*' <path>
Grep for a CTF flag 2/2
grep "flag{.*}"
Options
-n
line numbers for every string found
-E
regular expressions
-R
recursive grep
-i
case insensitive
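An added example, not from the original page, of the grep -Eo / sort / uniq -c / sort -rn pipeline that the IP-address regex above is normally used for: counting failed logins per source in an SSH log. The log lines are constructed for the example (documentation IP ranges, no real hosts); it assumes only grep, sort, uniq, cut and awk as found on any Linux.

```shell
#!/bin/sh
# Added example, not from the original page: SSH auth-log triage with the
# grep/sort/uniq pipeline. The log lines below are constructed sample data.

LOG=$(cat <<'EOF'
Mar  3 10:01:02 web sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:04 web sshd[1201]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:09 web sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 50130 ssh2
Mar  3 10:02:15 web sshd[1210]: Accepted publickey for deploy from 198.51.100.20 port 41000 ssh2
Mar  3 10:05:41 web sshd[1222]: Failed password for root from 192.0.2.55 port 39000 ssh2
Mar  3 10:06:00 web sshd[1230]: Accepted password for deploy from 198.51.100.20 port 41002 ssh2
EOF
)

# The page's IPv4 pattern, kept in one place.
IPV4='[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'

# Every IPv4 address in the log with its hit count, most frequent first.
# sort first because uniq -c only counts adjacent duplicates.
top_ips() {
    printf '%s\n' "$LOG" | grep -Eo "$IPV4" | sort | uniq -c | sort -rn
}

# Sources with more than N failed logins (default 2): brute-force candidates.
brute_force_sources() {
    n=${1:-2}
    printf '%s\n' "$LOG" | grep -i 'failed password' | grep -Eo "from $IPV4" \
        | cut -d' ' -f2 | sort | uniq -c | awk -v n="$n" '$1 > n {print $2}'
}

# Number of failed login lines; grep -c counts matching lines, like wc -l would.
failed_count() {
    printf '%s\n' "$LOG" | grep -ci 'failed password'
}

# Demo run
echo "addresses by frequency:"; top_ips
echo "brute-force sources (>2 failures):"; brute_force_sources 2
echo "failed logins: $(failed_count)"
```

On a real host replace the embedded LOG with the file (grep ... /var/log/auth.log or journalctl -u ssh) and raise the threshold; the shape of the pipeline does not change.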
Word count
wc -l file.txt
get numbers of entries
Options
-l
count number of lines
-c
count number of bytes
-w
count number of words
-m
count number of characters
cut extracts parts of lines from the given files or from piped data and prints the result to standard output.
Syntax
cut OPTION FILE
Example usage (first field of every line, using ":" as the delimiter)
cut -d":" -f1 /etc/passwd
Options
-f
- Select by specifying a field, a set of fields, or a range of fields. This is the most commonly used option.
-c
- Select by specifying a character, a set of characters, or a range of characters.
-d
- Specify a delimiter that will be used instead of the default “TAB” delimiter.
tr translates or deletes characters read from standard input
Example usage
Change the delimiter from ":" to " " (space).
tr ":" " "
Change from lowercase to uppercase
tr 'a-z' 'A-Z'
Options
-d
delete characters
-s
squeeze characters
Since such results often come out unaligned, column is well suited to display them in tabular form using the -t option
Example usage:
column -t
awk is a utility for writing tiny but effective text-processing programs: every input line is split into fields and a pattern/action pair is applied to it
Syntax
awk [flags] '[pattern] {action}' [input file]
Example usage
Print the first and second field of a file
awk '{print $1, $2}' file.txt
Print every line with its line number
awk '{print NR, $0}' file.txt
Options
-F
field separator (the same as setting FS in a BEGIN block)
-v
variable assignment (e.g. -v n=5)
Output goes to standard output; there is no output-file option (gawk's -o pretty-prints the program, it does not redirect output), so use > file.
Built-in fields and variables
$0
: the entire line of text.
$1
: the first field.
$2
: the second field.
$7
: the seventh field.
$45
: the 45th field.
NF
: the number of fields on the current line; $NF is therefore the last field.
NR
: the current record (line) number.
FS
: the input field separator.
RS
: the input record separator.
OFS
: the output field separator.
ORS
: the output record separator.
/<pattern>/
: a regular expression that selects which lines the action runs on.
Advanced examples
# Split on space: set the record separator in BEGIN, before any input is read
awk 'BEGIN {RS=" "} {print $1}'
# Print the first and third field of the /etc/passwd file
awk -F: '{print $1, $3}' /etc/passwd
# Print the first and third field of a file, split on "o" and print the total number of rows
awk 'BEGIN {FS="o"} {print $1,$3} END{print "Total Rows=",NR}'
# Print the first and fourth field of file and print as "Name:ID"
awk 'BEGIN {FS=" "; OFS=":"} {print $1,$4}' file.txt
ippsec:34024
john:50024
thecybermentor:25923
liveoverflow:45345
nahamsec:12365
stok:1234
# Print the first field of a file and separate with a comma
awk 'BEGIN {ORS=","} {print $1}' file.txt
ippsec,john,thecybermentor,liveoverflow,nahamsec,stok
sed is a stream editor; its most common use is substituting text on every line
Example usage
Replace the word "bin" with "BK"
sed 's/bin/BK/g'
Replace every run of spaces with a colon
sed -E 's/ +/:/g' file.txt
Strip all digits from the input
sed 's/[[:digit:]]//g' file.txt
The "s" at the beginning stands for the substitute command. It is followed by the pattern to replace, then, after the slash (/), the replacement text, and finally the "g" flag, which replaces all matches on the line instead of only the first.
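The cut, tr, awk and sed steps above run over one input, as an added example that is not part of the original page. The /etc/passwd excerpt is constructed for the example (every account, including the "toor" backdoor with UID 0, is made up); it assumes only the standard coreutils, awk, sed and column.

```shell
#!/bin/sh
# Added example, not from the original page: cut / tr / awk / sed against a
# constructed /etc/passwd excerpt. The accounts below are invented.

PASSWD=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:1002:1002::/home/backup:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
toor:x:0:0::/root:/bin/bash
EOF
)

# cut: field 1 with ':' as delimiter. The input arrives on stdin (or as a
# file argument), never as the first word of the pipeline.
usernames() {
    printf '%s\n' "$PASSWD" | cut -d: -f1
}

# tr: translate the user names to upper case.
usernames_upper() {
    usernames | tr 'a-z' 'A-Z'
}

# awk: -F sets the field separator; $NF is the last field (the login shell).
# Lists accounts whose shell is neither nologin nor false, i.e. that can log in.
interactive_accounts() {
    printf '%s\n' "$PASSWD" | awk -F: '$NF !~ /(nologin|false)$/ {print $1}'
}

# awk: any account other than root with UID 0 is a classic persistence trick.
extra_uid0() {
    printf '%s\n' "$PASSWD" | awk -F: '$3 == 0 && $1 != "root" {print $1}'
}

# awk with FS and OFS set in BEGIN, then column -t to align the columns.
shell_table() {
    printf '%s\n' "$PASSWD" | awk 'BEGIN {FS=":"; OFS=" "} {print $1, $3, $NF}' | column -t
}

# sed: the page's substitution, "bin" -> "BK" on every match (g flag).
rename_bin() {
    printf '%s\n' "$PASSWD" | sed 's/bin/BK/g'
}

# Demo run
echo "accounts that can log in:"; interactive_accounts
echo "non-root accounts with UID 0:"; extra_uid0
echo "user / uid / shell:"; shell_table
```

The two awk filters are the ones worth remembering: interactive_accounts narrows a password file to the accounts an attacker could actually use, and extra_uid0 catches the duplicate-root trick that a plain "grep root" misses.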
whoami prints the user we are currently logged in as
Prints basic information about the operating system name and system hardware
uname -a
will print all available information
FTP or File Transfer Protocol is a network protocol for transferring files between a client and a server. Credentials and data travel in cleartext, so anything sent over it can be read from a packet capture.
Standard use
ftp <IP>
Enter your username and password to log in to the server. Some FTP servers allow anonymous logins with the username "anonymous" and any password (often an e-mail address).
Commands:
ls
- list files
cd
- change directory
get
- download file
put
- upload file
quit
- exit
SSH or Secure Shell is a network protocol for logging into and running commands on a remote machine over an encrypted, authenticated connection
Standard use
ssh user@ip
and type the password
Login with a key
ssh -i path_to_pem user@ip
Specify other ports than 22
ssh user@ip -p <port>
Create a SOCKS tunnel through the remote host (-D local SOCKS port, -C compression, -q quiet, -N no remote command)
ssh -D 8080 -C -q -N user@ip # Create a tunnel
chromium --proxy-server="socks5://localhost:8080" # Use the tunnel (add --no-sandbox only if you must run the browser as root; it disables the browser's own sandbox)
SCP or Secure Copy Protocol is a network communication protocol that enables two computers to communicate and transfer files between them using the SSH protocol.
Copy a file to a remote server
scp /path/to/file user@ip:/path/to/remote/file
Copy a file from a remote server to the local machine
scp user@ip:/path/to/remote/file /path/to/file
Example (file to a remote server ):
scp example.txt berkan@192.168.100.123:/home/berkan/
Searchsploit is a command line search tool for the offline version of Exploit-DB
Usage:
searchsploit [options] term1 term2 term3 ...
Example:
searchsploit afd windows local
Options:
-c, --case [Term]
- Perform a case-sensitive search (Default is inSEnsITiVe)
-e, --exact [Term]
- Perform an EXACT search (e.g. "WordPress 4.1" would not detect "WordPress Core 4.1")
-s, --strict
- Perform a strict search, so input values must exist("1.1" would not be detected in "1.0 < 1.3")
-t, --title [Term]
- Search JUST the exploit title (Default is title AND the file's path)
-p, --path [EDB-ID]
- Show the full path to an exploit
-w, --www
- Show URLs to Exploit-DB.com rather than the local path
--exclude="term"
Remove values from results. By using "|" to separate, you can chain multiple values e.g. --exclude="term1|term2|term3"
xfreerdp is an X11 Remote Desktop Protocol (RDP) client
Usage:
xfreerdp [options] server[:port] [[options] server[:port] ...]
Options:
/u:<username>
- Username
/p:<password>
- Password
/v:<hostname>:<port>
- Server hostname
/cert:ignore
- Ignore certificate
/ipv6, /6
- Prefer the IPv6 AAAA record over the IPv4 A record
Read and modify hex of a file (This tool is also helpful when it comes to CTFs and text is hidden inside a file or when the magic number of a file was altered.) Alternatives are: xxd, hexedit, GHex (GNOME GUI) & HxD (Windows).
Example usage
hexeditor -n file.txt
Options
-a
Print all text characters.
-n
Force Gray scale, no colors.
Controls:
CTRL + F - Go to last line
CTRL + C - Exit without saving
CTRL + X - Exit and save
CTRL + U - Undo
CTRL + W - Search
Binwalk allows users to analyze and extract firmware images and helps in identifying code, files, and other information embedded in those, or inside another file
Usage:
binwalk [options] <file>
Examples:
binwalk -e firmware.bin
- Extract files
binwalk -Me firmware.bin
- Recursively scan extracted files (matryoshka)
-e
- Extract files
-M
- Recursively scan extracted files (matryoshka)
-v
- Verbose output
-q
- Quiet output
sudo runs a command as another user, by default root (Linux's 'run as administrator' command)
Options
-u <user>
run the command as the given user instead of root
sudo su (or sudo -i)
start a root shell
-l
list the commands the current user is allowed to run with sudo; the first thing to check for privilege escalation, since a NOPASSWD entry for a program that can spawn a shell or run commands (such as find with -exec, see above) hands over root
hashid analyzes a hash and lists the algorithms it could have been produced by. It supports over 250 hash types, but it guesses from format and length alone, so treat the output as candidates to try with hashcat or John, not as a certainty.
hashid [options] <hash>
-e
- list all possible hash algorithms including salted passwords
-m
- include corresponding hashcat mode in output
-j
- include corresponding JohnTheRipper format in output
-o FILE
- write output to file (default: STDOUT)
-h
- show help message and exit