Last updated: April 16, 2016 Version: 0.5 (It's 2018, so I'm working on an update.)
This list of information security resources is partly for you and partly for me. :)
If you know of some killer resource that belongs in one of these sections, feel free to contact me about it.
The items listed in each section are in no particular order.
Here are resources for wordlists.
- Password Lists: Good course of password lists to use. Many of the collections are a little older, but people don’t change much. It’s a good starting point.
- SecList: Many lists to be had from this GitHub repo. If you’re going to use Kali Linux, these lists are already on your system.
- Ophcrack Rainbow Tables: Source of rainbow tables for Windows-based auth cracking.
Here’s a list of some sites I think are important for one reason or another.
- PrivacyTools.io: Great place to learn about steps to take to increase your privacy (browser fingerprinting, etc). They also recommend services, such as proxies. I highly recommend you venture over there and take a look. There's also a sub-Reddit here.
I’m a Linux guy and have used Linux for many years, both on servers and my workstations. I love Linux, because I happen to love freedom of choice and control. In Linux land, there really isn’t an overall best. It’s all about what works for you.
For example, some might say Kali is the best Linux distro for security, others Parrot and others whatever. But the reality is that the best really depends on what you’re trying to do. Some distros do one thing well, but other things not so much. And of course, you could just roll your own distro or build off a base distro, such as Arch.
These days I tend to use Fedora as my main daily driver for general use and Kali for security-based work.
Over the last couple of years, I had this to say about Arch Linux: "I use it on my main desktop and main laptop for starters. I love it. I’m a big fan of starting with as few things as possible and building up. With Arch, I have an awesome system that’s everything I want."
But if you're not wanting to dive into the OS and build it up, you're better off with a ready-to-go distro. For those new to Linux, Ubuntu is a great starting point.
As mentioned, for security I use Kali primarily. It’s offensive-minded and based off Debian. The Kali distro is from the Offensive Security group.
I listen to many podcasts each week (makes the commute enjoyable). Here are a few of my favorites. I broke them into two categories: without fail and often.
- Trusted Sec
- Paul’s Security Weekly
- Risky Business
- Down the Security Rabbithole
- Defensive Security Podcast
- The Southern Fried Security Podcast
- Hacker Public Radio
- OWASP 24/7
- SANS Internet Storm Center
- Security Now
- Security Slice
- The Social-Engineer Podcast
I’m a huge reader and have always loved books and the bookstore. Rather than create some huge list of books, which may or may not be relevant to you, I’m just going to list a few at any one time that I think are interesting.
I will add that people are the weakest link in security, so reading books / articles about psychology pay off.
Whether or not you should read these books depends on your interests in the field, skill level and time available.
- Rtfm: Red Team Field Manual
- Wireshark 101: Essential Skills for Network Analysis
- How Linux Works: What Every Superuser Should Know
- Black Hat Python
- Hacking Wireless Exposed
- Python for Secret Agents: Because, why not. :)
- The Dark Net: Inside the Digital Underworld
- @War: The Rise of the Military-Internet Complex
- Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World
- Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It
On my to-read list currently:
- Violent Python
- Open Source Intelligence Techniques: Resources for Searching and Analyzing Online Information
Here’s a list of software you might want to take a look at. I’ve avoided listed some pieces of software, such as Aircrack, Wireshark, Nmap, NCAT and more that typically come in an offensive security linux distro, such as Kali.
- Fing and/or Net Analyzer: Good apps for scanning your network for clients connected. Of course, NMAP is the go-to, but these are good options too.
- Flipboard: I’ve built it up now so each day I have a wide net of stories to check out. Generally, I flip through them and send to Pocket all those that I think might be interesting.
- Apple News: This app is on Apple devices and I found it to be very good for finding stories on topics.
- Pocket: I’m constantly sending content into Pocket for scrubbing. This is where I generally read the content and then push off to Evernote if I want to keep the item.
- Evernote: Great way to store content and organize.
- KeepNote: I discovered this software while reading over some documentation from Offensive Security for the OSCP and I really like. It’s become my go-to notebook for many things (since Evernote isn’t on Linux and I’ve gotten away from cloud-based solutions for important things).
- LastPass: This is the password service I normally recommend to friends (especially my non-tech friends).
- KeePass: While LastPass is convenient, it's not locally stored. This is where KeePass comes in. This is my go-to password manager. I like that I can guard my passwords with both a master password and a key file. There are also ways to hook it into the browsers (if that’s something you like), so that if functions more like LastPass.
- Overcast: If you have an iOS device and like podcasts, get this app. It runs great and is my favorite podcasting app by far. I've used it for years now and love it.
Capture the Flag & Ethical Hacking
Just a quick note to those who might be learning. If you’ve never done a CTF before, I want you to stop everything and go start one right now. Seriously, they are a great way to learn and a lot of fun.
Best of all, you can do these on your own time and without any real pressure. If you’re looking to get started, I recommend trying out Tr0ll at Vulnhub (link is below). It was my first CTF and it’s a blast.
- Vulnhub: Great site for getting CTF VMs. This is the site where I did my first CTF. If you’re learning, go here and grab a couple walkthroughs for the VM you’re doing. Here’s the first one I did ever.
- Hack This Site: LOL, seriously, go hack it. It’s ok.
- Pentester Lab
- We Chall
- Hack This
- Hack Challenges
- [Hellbound Hackers](Hellbound Hackers)
- OWASP WebGoat Project
- HACK.ME: Discovered this after starting certification courses at eLearnSecurity. Give it a try.