{"id":13679324,"url":"https://github.com/CompassSecurity/security_resources","last_synced_at":"2025-04-29T18:32:05.369Z","repository":{"id":42568020,"uuid":"305622505","full_name":"CompassSecurity/security_resources","owner":"CompassSecurity","description":"Collection of online security resources","archived":false,"fork":false,"pushed_at":"2023-09-20T17:24:33.000Z","size":57,"stargazers_count":271,"open_issues_count":0,"forks_count":55,"subscribers_count":37,"default_branch":"main","last_synced_at":"2025-04-05T08:30:38.441Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CompassSecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2020-10-20T07:17:38.000Z","updated_at":"2025-04-01T10:21:20.000Z","dependencies_parsed_at":"2024-01-14T15:23:16.194Z","dependency_job_id":"67307f6e-70d6-4ba7-bc15-1eb764351e0a","html_url":"https://github.com/CompassSecurity/security_resources","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fsecurity_resources","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fsecurity_resources/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fsecurity_resources/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CompassSecurity%2Fsecurity_resources/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CompassSecurity","download_url":"https://codeload.github.com/CompassSecurity/security_resources/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251560082,"owners_count":21609138,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:04.308Z","updated_at":"2025-04-29T18:32:05.126Z","avatar_url":"https://github.com/CompassSecurity.png","language":null,"readme":"# Security Resources 📖\n\nLinks to online resources \u0026 tools we use during our web application / network\nsecurity [courses](https://compass-security.com/en/trainings).\n\nYou can create a PR or open an issue if you think we missed a useful resource.\n\nShort URL: https://git.io/secres\n\n## Compass Security 🧭\n\n- Compass Security: https://compass-security.com/de/\n- Compass Security Blog: https://blog.compass-security.com/\n- Hacking Lab 1.0: https://www.hacking-lab.com/\n- Hacking Lab 2.0: https://compass.hacking-lab.com/\n- Hacking Lab Live CD: https://livecd.hacking-lab.com/\n\n## General 🌳\n\n### Link Lists\n\n- Awesome Security: https://github.com/sbilly/awesome-security\n- InfoSec Reference That Doesn't Suck!(Much): https://rmusser.net/docs/index.html\n- Awesome Penetration Testing: https://github.com/enaqx/awesome-pentest\n- Security Checklists from pentestlab.blog: https://github.com/netbiosX/Checklists\n- Security Tools Collection: https://tools.tldr.run/\n- Public Pentest Reports: https://github.com/juliocesarfort/public-pentesting-reports\n- Security Zines: https://securityzines.com/\n\n### Hacking-Notebooks\n\n- Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings\n- HackTricks: https://book.hacktricks.xyz/\n- Red Teaming Experiments: https://www.ired.team/\n- Pentester's promiscuous Notebook: https://ppn.snovvcrash.rocks/ (by snovvcrash https://snovvcrash.rocks/)\n\n### Tutorials\n\n- Various Security Tutorials by Prof. Andreas Steffen, strongSec GmbH: https://github.com/strongX509/cyber/\n\n### Online Tools\n\n- CyberChef: https://gchq.github.io/CyberChef/\n- Useful Web Tools by @h43z: https://h.43z.one/\n- Explain Shell Commands: https://explainshell.com/\n- Online Regex Tester \u0026 Debugger: https://regex101.com/\n\n### Reading\n\n- Phrack: http://phrack.org/\n- PoC||GTFO: https://www.alchemistowl.org/pocorgtfo/\n\n### Talks \u0026 Videos\n\n- media.ccc.de: https://media.ccc.de/\n- LiveOverflow: https://www.youtube.com/c/LiveOverflowCTF/\n- Stacksmashing: https://www.youtube.com/channel/UC3S8vxwRfqLBdIhgRlDRVzw\n- IppSec (Hack The Box Walkthroughs): https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA\n- /dev/null: https://www.youtube.com/channel/UCGISJ8ZHkmIv1CaoHovK-Xw\n- DEFCON Switzerland / Area41: https://www.youtube.com/user/defconswitzerland/\n- Swiss Cyber Storm: https://www.youtube.com/channel/UCY-Wb3JuBv_xpa8s6ZrpUxg/\n- Cooper Recordings: https://administraitor.video/\n- DEFCON: https://www.youtube.com/user/DEFCONConference/\n- Black Hat: https://www.youtube.com/user/BlackHatOfficialYT\n\n## Web Application Security 🐝\n\n### References\n\n- HTML Standard: https://html.spec.whatwg.org/\n- W3Schools: https://www.w3schools.com/\n- Mozilla Developer Network (MDN): https://developer.mozilla.org/\n\n### General\n\n- Compass Demo: https://www.compass-demo.com/\n- PortSwigger Online Seminar: https://portswigger.net/web-security\n- OWASP: https://owasp.org/\n  - OWASP Top 10\n    - Project Page: https://owasp.org/www-project-top-ten/\n    - New Project Page: https://www.owasptopten.org/\n    - GitHub: https://github.com/OWASP/Top10\n  - OWASP Application Security Verification Standard (ASVS)\n    - Project Page: https://owasp.org/www-project-application-security-verification-standard/\n    - GitHub: https://github.com/OWASP/ASVS\n  - API Security: https://www2.owasp.org/www-project-api-security/\n  - Cheat Sheet Series: https://cheatsheetseries.owasp.org/\n  - Juice Shop\n    - Project Page: https://owasp-juice.shop/, https://owasp.org/www-project-juice-shop/\n    - GitHub: https://github.com/bkimminich/juice-shop\n    - Companion Guide: https://pwning.owasp-juice.shop/\n    - Demo: https://juice-shop.herokuapp.com/\n  - OWASP Switzerland\n    - Chapter Page: https://owasp.org/www-chapter-switzerland/\n    - Mailing List: https://groups.google.com/a/owasp.org/forum/#!forum/switzerland-chapter\n    - Twitter: https://twitter.com/owasp_ch\n    - YouTube: https://www.youtube.com/channel/UCut4rjo2pUSdtnX3hUbi9_Q\n    - Presentation Slides Repo:https://github.com/OWASP/www-chapter-switzerland/tree/master/assets/slides\n- Stanford Web Security Class: https://web.stanford.edu/class/cs253/\n\n### HTTP \u0026 Web Basics\n\n- HTTP Status Codes: https://httpstatuses.com/\n- Can I Use (Browser Support Matrix): https://caniuse.com/\n- Mozilla Developer Network: https://developer.mozilla.org/\n\n### Web Standards\n\n- W3C Overview: https://www.w3.org/TR/\n- CORS: https://www.w3.org/TR/2020/SPSD-cors-20200602/\n- HTTP/2 Explained: https://http2-explained.haxx.se/\n- HTTP/3 Explained: https://http3-explained.haxx.se/\n- HTTP/2 Speed Demo: https://http2.akamai.com/demo\n\n### Reverse Proxies\n\n- Weird Proxies: https://github.com/GrrrDog/weird_proxies\n\n### Authentication \u0026 Login\n\n- Have I Been Pwned (Password Leaks): https://haveibeenpwned.com/\n- Pwned Passwords: https://haveibeenpwned.com/Passwords\n- Dehashed Leaked Passwords Database: https://www.dehashed.com/\n- Hashes.org (Password Hash Database): https://hashes.org/ \n\n### OAuth 2.0 / OpenID Connect (OIDC)\n\n- OAuth.net: https://oauth.net/2/\n- OAuth 2.0 Simplified: https://www.oauth.com/\n- The OAuth 2.0 Authorization Framework, RFC 6749: https://tools.ietf.org/html/rfc6749\n- OAuth 2.0 Security Best Current Practice: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16\n- OpenID Connect \u0026 OAuth 2.0 - Security Best Practices, Dominick Baier, 2020: https://www.youtube.com/watch?v=AUgZffkurK0\n- OAuth 2.0 for Browser-Based Apps: https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-07\n- OIDC Discovery: https://auth0.com/docs/protocols/configure-applications-with-oidc-discovery)\n- Real-life OIDC Security: https://security.lauritz-holtmann.de/post/sso-security-overview/\n\n### Cross-Site Scripting (XSS)\n\n- PortSwigger XSS Cheat Sheet: https://portswigger.net/web-security/cross-site-scripting/cheat-sheet\n- XSS Payloads: https://html5sec.org/\n- XSS Hunter: https://xsshunter.com/\n- XSS Polyglot: https://github.com/0xsobky/HackVault/wiki/Unleashing-an-Ultimate-XSS-Polyglot\n- Script Gadgets: https://github.com/google/security-research-pocs (bypass overview: https://github.com/google/security-research-pocs/blob/master/script-gadgets/bypasses.md)\n- Browser Exploitation Framework (BeEF): https://beefproject.com/\n- Attack Examples\n  - XSS in Electron App leads to RCE: https://blog.doyensec.com/2017/08/03/electron-framework-security.html\n  - XSS in Google Search Field: https://www.youtube.com/watch?v=lG7U3fuNw3A\n  - XSS in Tweetdeck Twitter Client: https://twitter.com/dergeruhn/status/476764918763749376?lang=en\n\n### Cross-Site Request Forgery (CSRF)\n\n- Same-Site Cookie Flag: https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-06\n- Public Suffix List (https://publicsuffix.org): https://publicsuffix.org/list/public_suffix_list.dat\n\n### Security Headers\n\n- Security Headers: https://securityheaders.com/\n- Content Security Policy (CSP) Evaluator: https://csp-evaluator.withgoogle.com/ (Code: https://github.com/google/csp-evaluator)\n- HSTS Preloading: https://hstspreload.org\n\n### JSON Web Tokens (JWT)\n\n- JWT Decoder/Encoder: https://jwt.io/\n- PentesterLab JWT Cheat Sheet: https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf\n- JWT Tool for testing: https://github.com/ticarpi/jwt_tool\n- Convert JWK to PEM:\n  - Crypto Playground: https://8gwifi.org/jwkconvertfunctions.jsp\n  - Keytool: https://keytool.online/\n- Attack Examples\n    - Algorithm Confusion\n      - Auth0 Info: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/\n      - pyjwt CVE-2017-11424: https://www.cvedetails.com/cve/CVE-2017-11424/\n      - pyjwt fix: https://github.com/jpadilla/pyjwt/commit/88a9fc56bdc6c870aa6af93bda401414a217db2a, https://github.com/jpadilla/pyjwt/commit/37926ea0dd207db070b45473438853447e4c1392\n\n### SQL Injection (SQLi)\n\n- PortSwigger SQL Injection Cheat Sheet: https://portswigger.net/web-security/sql-injection/cheat-sheet\n\n### XML External Entities (XXE)\n\n- Attack Examples\n  - Sending mails via SMTP using XXE: https://shiftordie.de/blog/2017/02/18/smtp-over-xxe/\n\n### Tools\n\n- Burp Suite: https://portswigger.net/burp/communitydownload\n- SQLMap: https://sqlmap.org/\n  - SQLMap cheat sheet: https://www.comparitech.com/net-admin/sqlmap-cheat-sheet/\n- Burp Suite Extensions\n  - Burp Suite Extensions Overview: https://apps.burpsuite.guide/\n  - SAML Raider: https://portswigger.net/bappstore/c61cfa893bb14db4b01775554f7b802e, https://github.com/CompassSecurity/SAMLRaider\n  - JSON Web Tokens: https://portswigger.net/bappstore/f923cbf91698420890354c1d8958fee6, https://github.com/portswigger/json-web-tokens\n- Talk \"Automated security testing for Software Developers who dont know security!\" (shows how to use OWASP ZAP in a CI/CD pipeline): https://media.ccc.de/v/Camp2019-10181-automated_security_testing_for_software_developers_who_dont_know_security\n\n### Hacking Environments\n\n- OWASP Web Goat: https://owasp.org/www-project-webgoat/\n- Damn Vulnerable Web Application: https://www.dvwa.co.uk/\n- OWASP JuiceShop: https://owasp.org/www-project-juice-shop/\n\n## Transport Layer Security (TLS) 🔐\n\n### TLS Information\n\n- SSL/TLS and PKI History: https://www.feistyduck.com/ssl-tls-and-pki-history/\n- Every Byte of a TLS Connection: https://tls12.xargs.org/\n- Every Byte of a TLS Connection for TLS 1.3: https://tls13.xargs.org/\n- Cipher Suite Ratings: https://ciphersuite.info/\n\n### Online Services\n\n- SSL Labs (TLS Server Test): https://ssllabs.com\n- Hardenize: https://hardenize.com/\n- BadSSL: Weak TLS Configuration Test Page: https://badssl.com\n- Certificate Transparency Search: https://crt.sh/\n\n### Tools\n\n- SSLyze TLS Server Test Tool: https://github.com/nabla-c0d3/sslyze\n\n## Cryptography 🔏\n\n- Key Lengths: https://keylength.com\n- Cryptopals Crypto Challenges: https://cryptopals.com/\n- CryptoHack: https://cryptohack.org/\n- Key generation / conversion: https://keytool.online/\n\n## Container Security 🐳\n\n- contained.af (separation examples): https://contained.af/\n\n## Network Pentesting 💻\n\n### General\n\n- Hacking Tools Cheat Sheet: https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet\n- Porchetta Industries OpenSource Tools Support: https://porchetta.industries/\n- Security Best Practices for On-Premise Environments: https://github.com/CompassSecurity/OnPremSecurityBestPractices\n\n### Information Gathering \u0026 Wordlists\n\n- Amass: https://github.com/OWASP/Amass\n- Sublist3r: https://github.com/aboul3la/Sublist3r\n- Shodan: https://www.shodan.io/\n- Censys: https://censys.io/\n- Payload All The Things: https://github.com/swisskyrepo/PayloadsAllTheThings\n- VirusTotal: https://www.virustotal.com/\n- FuzzDB: https://github.com/fuzzdb-project/fuzzdb\n- SecLists: https://github.com/danielmiessler/SecLists\n- Rapid7 Open Data: https://opendata.rapid7.com/\n- CeWL: https://github.com/digininja/CeWL\n\n### Online Services\n\n- PortQuiz: http://portquiz.net/\n- nip.io (wildcard DNS): https://nip.io/\n- RequestBin.NET: https://requestbin.net/\n- ngrok: https://ngrok.com/\n- Various useful tools: https://h.43z.one/\n  - Request Logger: https://log.43z.one/\n  - IP Address Convertor (useful for SSRF): https://h.43z.one/ipconverter/\n\n### Scanning\n\n- Nmap: https://nmap.org/\n- Nmap-parse-output: https://github.com/ernw/nmap-parse-output\n- Aquatone: https://github.com/michenriksen/aquatone\n- SMBMap: https://github.com/ShawnDEvans/smbmap\n- Snaffler: https://github.com/SnaffCon/Snaffler\n- Subjack: https://github.com/haccer/subjack\n\n### Sniffing\n\n- Sniffing Tools\n  - tcpdump: https://www.tcpdump.org/\n  - Wireshark / Tshark: https://www.wireshark.org/\n- PCAP Collection\n  - Wireshark Samle Captures: https://wiki.wireshark.org/SampleCaptures\n- Sniffing Analysis\n  - PacketTotal: https://packettotal.com/\n  - A-Packets: https://apackets.com/\n- Extract credentials from network interfaces / PCAP files\n  - net-creds: https://github.com/DanMcInerney/net-creds\n  - PCredz: https://github.com/lgandx/PCredz\n\n## Protocol Hacking\n\n- Network Programming in Python: https://0xbharath.github.io/python-network-programming/\n- Python Foundations: https://0xbharath.github.io/python-foundations/\n- Scapy: https://scapy.net/\n- Workshop: The Art of Packet Crafting with Scapy by @0xbharath\n  - GitHub: https://github.com/0xbharath/art-of-packet-crafting-with-scapy\n  - Online Notes: https://scapy.disruptivelabs.in/\n\n### Protocols\n\n- DNS\n  - DNSViz (show DNSSEC chain): https://dnsviz.net/\n  - Public .ch DNS Zone: https://www.switch.ch/open-data/#tab-c5442a19-67cf-11e8-9cf6-5254009dc73c-3\n    - Search Tool: https://search-ch-domains.idocker.hacking-lab.com/\n- Mailing\n  - Email Infrastructure: https://www.hardenize.com/labs/policy?s=09\n  - Email Spoofing Mitigations\n    - Google: Help prevent spoofing and spam with DMARC: https://support.google.com/a/answer/2466580\n    - Actually, DMARC works fine with mailing lists: https://begriffs.com/posts/2018-09-18-dmarc-mailing-list.html\n    - Learn and Test DMARC: https://www.learndmarc.com/\n\n### Exploiting\n\n- Vulnerability Database: https://cvedetails.com/\n- Exploit Database: https://www.exploit-db.com/\n- Metasploit: https://www.metasploit.com/\n- Reverse Shell Generator: https://www.revshells.com/\n- Hak5 Gadget Shop: https://shop.hak5.org/\n- Covenant: https://github.com/cobbr/Covenant\n\n### Cracking\n\n- General Information\n  - Talk \"G1234! - Password Cracking 201: Beyond the Basics - Royce Williams\": https://www.youtube.com/watch?v=cSOjQI0qbuU\n- Online Brute Force Tools\n  - Ncrack: https://nmap.org/ncrack/\n  - Hydra: https://github.com/vanhauser-thc/thc-hydra\n- Offline Brute Force Tools\n  - Name-That-Hash: https://github.com/HashPals/Name-That-Hash\n  - Hashcat: https://hashcat.net/hashcat/\n  - John The Ripper: https://www.openwall.com/john/\n- Offline Burte Force Services\n  - CrackStation: https://crackstation.net/\n  - Crack.sh (DES Cracker): https://crack.sh/\n- Wordlists\n  - Password Lists from SecLists: https://github.com/danielmiessler/SecLists/tree/master/Passwords\n  - CrackStation Dictionary: https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm\n  - PWDB - New generation of Password Mass-Analysis: https://github.com/ignis-sec/Pwdb-Public\n- Rules\n  - NSA Rules: https://github.com/NSAKEY/nsa-rules\n  - Hob0Rules: https://github.com/praetorian-inc/Hob0Rules\n  - Corporate Rule: https://github.com/sparcflow/StratJumbo/blob/master/chap3/corporate.rule\n  - OneRuleToRuleThemAll: https://github.com/NotSoSecure/password_cracking_rules\n  - Hashcat Rules: https://github.com/hashcat/hashcat/tree/master/rules (e.g. best64 rule)\n\n### Linux Privilege Escalation\n\n- Enumeration\n  - LinEnum: https://github.com/rebootuser/LinEnum\n  - linPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS\n  - pspy (unprivileged Linux process snooping): https://github.com/DominicBreuker/pspy\n  - Glyptodon (search for suspicious files): https://blog.sevagas.com/?-Glyptodon\n  - Lynis: https://cisofy.com/lynis/\n- Privilege Escalation Methods\n  - Sudo privesc on Compass Blog: https://blog.compass-security.com/tag/sudo/\n  - HackTricks Linux Privilege Escalation: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist and https://book.hacktricks.xyz/linux-unix/privilege-escalation\n  - PayloadsAllTheThings Linux Privilege Escalation: https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md\n  - Back To The Future: Unix Wildcards Gone Wild (Wildcard Injection): https://www.exploit-db.com/papers/33930\n- Exploitation Tools\n  - LES (Linux Exploit Suggester): https://github.com/mzet-/linux-exploit-suggester\n  - GTFOBins: https://gtfobins.github.io/\n  - GTFOBLookup: https://github.com/nccgroup/GTFOBLookup\n- Hardening\n  - Distribution Independent Linux CIS Benchmark: https://www.cisecurity.org/benchmark/distribution_independent_linux/\n\n### Windows \u0026 Active Directory (AD)\n\n- Attacks / Methodologies\n  - Active Directory Security: https://adsecurity.org/\n  - AD Exploitation Cheat Sheet: https://github.com/S1ckB0y1337/Active-Directory-Exploitation-Cheat-Sheet\n  - Orange Cyberdefense Active Directory Pentest Mindmap: https://orange-cyberdefense.github.io/ocd-mindmaps/\n  - The Dog Whisperer's Handbook: https://www.ernw.de/download/BloodHoundWorkshop/ERNW_DogWhispererHandbook.pdf\n  - Not A Security Boundary: Breaking Forest Trusts: https://posts.specterops.io/not-a-security-boundary-breaking-forest-trusts-cd125829518d\n  - Attacking Active Directory: 0 to 0.9: https://zer1t0.gitlab.io/posts/attacking_ad/?s=09\n  - Windows \u0026 Active Directory Exploitation Cheat Sheet and Command Reference: https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/\n- Kerberos\n  - Introduction Videos by ATTL4S (https://twitter.com/DaniLJ94)\n    - You Do (Not) Understand Kerberos: Introduction: https://www.youtube.com/watch?v=4LDpb1R3Ghg\n    - You Do (Not) Understand Kerberos Delegation - Introduction: https://www.youtube.com/watch?v=p9QFdITuvgU\n    - You Do (Not) Understand Kerberos Delegation - Unconstrained Delegation: https://www.youtube.com/watch?v=xDFRUYv1-eU\u0026t=580s\n    - You Do (Not) Understand Kerberos Delegation - Constrained Delegation: https://www.youtube.com/watch?v=gzqq2r6cZjc\u0026t=2288s\n    - You Do (Not) Understand Kerberos Delegation - RBCD: https://www.youtube.com/watch?v=vlKwCTvp5_w\u0026t=1185s\n  - CVE-2020-17049: Kerberos Bronze Bit Attack Theory: https://www.netspi.com/blog/technical/network-penetration-testing/cve-2020-17049-kerberos-bronze-bit-theory/\n  - Wagging the Dog: Abusing Resource-Based Constrained Delegation to Attack Active Directory: https://shenaniganslabs.io/2019/01/28/Wagging-the-Dog.html\n  - Active Directory Security Risk #101: Kerberos Unconstrained Delegation (or How Compromise of a Single Server Can Compromise the Domain): https://adsecurity.org/?p=1667\n  - Kerberos Attack Cheat Sheet: https://gist.github.com/TarlogicSecurity/2f221924fef8c14a1d8e29f3cb5c5c4a\n- Active Directory Certificate Services\n  - Abusing Active Directory Certificate Services Whitepaper: https://specterops.io/assets/resources/Certified_Pre-Owned.pdf\n  - Abusing Active Directory Certificate Services Blogpost: https://posts.specterops.io/certified-pre-owned-d95910965cd2\n- Best Practices\n  - Domain-Join Computers the Proper Way: https://blog.compass-security.com/2020/03/domain-join-computers-the-proper-way/\n  - Administrative Tier Model (Archived Article): https://web.archive.org/web/20201210154206/https://docs.microsoft.com/en-us/windows-[…]ivileged-access/securing-privileged-access-reference-material\n- Tools\n  - Sysinternals: https://docs.microsoft.com/en-us/sysinternals/#sysinternals-live\n  - Sysinternals Direct Download: https://live.sysinternals.com/\n  - PowerSploit: https://github.com/PowerShellMafia/PowerSploit\n  - PowerUpSQL: https://github.com/NetSPI/PowerUpSQL\n  - Mimikatz: https://github.com/gentilkiwi/mimikatz\n  - Impacket: https://github.com/SecureAuthCorp/impacket\n  - Responder: https://github.com/lgandx/Responder\n  - CrackMapExec: https://github.com/byt3bl33d3r/CrackMapExec\n  - CredNinja: https://github.com/Raikia/CredNinja\n  - BloodHound\n    - Project Page: https://github.com/BloodHoundAD/BloodHound\n    - Compass Custom BloodHound Queries: https://github.com/CompassSecurity/BloodHoundQueries\n  - PingCastle\n    - Project Page: https://www.pingcastle.com/\n    - Healthcheck Rules: https://www.pingcastle.com/PingCastleFiles/ad_hc_rules_list.html\n  - Kerbrute: https://github.com/ropnop/kerbrute\n\n### Cloud\n\n- A Cloud Guru Online Trainings: https://acloudguru.com/\n\n### Container\n\n- Docker Security\n  - How Containers Work!, Julia Evans, https://jvns.ca/blog/2020/04/27/new-zine-how-containers-work/\n  - Practical Docker Security: https://docs.google.com/presentation/d/1jZkq-osQYOCcpR6gU2V1M7JvM4MsazcgVpvGqOUIh-s/edit#slide=id.g4405d38279_0_218\n  - Docker.com: Docker Security Concepts: https://docs.docker.com/engine/security/security/\n  - Docker Security Blogpost: https://blog.sqreen.com/docker-security/\n  - 7 Docker Security Vulnerabilities: https://sysdig.com/blog/7-docker-security-vulnerabilities/\n  - Docker.com: Docker Breakout in 2014: https://blog.docker.com/2014/06/docker-container-breakout-proof-of-concept-exploit/\n  - Understanding Docker Container Escapes: https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/\n  - Docker \u0026 Capabilities by RedHat: https://www.redhat.com/en/blog/secure-your-containers-one-weird-trick\n  - Docker.com: Seccomp: https://docs.docker.com/engine/security/seccomp/\n  - Docker Capabilities and no-new-privileges: https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/\n  - Dockerfile Best Practices: https://docs.docker.com/develop/develop-images/dockerfile_best-practices/\n  - Dockerfile Security Best Practices: https://cloudberry.engineering/article/dockerfile-security-best-practices/\n  - Docker Images 10 Tips: https://snyk.io/blog/10-docker-image-security-best-practices/\n  - How to Keep Docker Secrets Secure: Complete Guide: https://spacelift.io/blog/docker-secrets\n- Kubernetes\n  - Bad Pods: Kubernetes Pod Privilege Escalation: https://labs.bishopfox.com/tech-blog/bad-pods-kubernetes-pod-privilege-escalation#pod8\n  - Talk \"Kubernetes from an Attacker's Perspective\" by Abhisek Datta: https://www.youtube.com/watch?v=aloi74MH4zk\n  - Talk \"Advanced Persistence Threats: The Future of Kubernetes Attacks\" by Ian Coldwater and Ian Coldwater: https://www.youtube.com/watch?v=CH7S5rE3j8w\n  - Kubernetes Security Jupyter Notebooks: https://github.com/thomasfricke/training-kubernetes-security\n\n### Hacking Environments\n\n- Hack the Box: https://www.hackthebox.eu/\n- Hack the Box Academy: https://academy.hackthebox.eu/\n- PentesterLab: https://pentesterlab.com/\n- Metasploitable: https://sourceforge.net/projects/metasploitable/\n- Root Me: https://www.root-me.org\n- VulnHub: https://www.vulnhub.com/\n\n## Social Engineering 🎅\n\n- Homograph Attacks: https://dev.to/logan/homographs-attack--5a1p\n  - Tool: https://github.com/evilsocket/ditto\n  - Example: https://раураӏ.com/\n\n## Mobile Application Security 📱\n\n### General\n\n- Frida Hooking Framework: https://frida.re/\n- Frida Hooks Collection: https://codeshare.frida.re/\n- objection - Runtime Mobile Exploration: https://github.com/sensepost/objection\n\n### Android\n\n- Frida\n  - Frida Hook Examples: https://github.com/antojoseph/frida-android-hooks\n  - Frida Code Share: https://codeshare.frida.re/browse\n  - Frida Code Snippets for Android: https://erev0s.com/blog/frida-code-snippets-for-android/\n- F-Secure Android Keystore Audit\n  - Blogpost: https://labs.f-secure.com/blog/how-secure-is-your-android-keystore-authentication/\n  - GitHub Project: https://github.com/FSecureLABS/android-keystore-audit\n\n## Security for Small and medium-sized enterprises (SMEs) 🖖\n\n- Merkblatt Informationssicherheit für KMUs vom Nationales Zentrum für Cybersicherheit NCSC: https://www.ncsc.admin.ch/dam/ncsc/de/dokumente/infos-unternehmen/ncsc-merkblatt-kmu-sicherheit.pdf.download.pdf/ncsc-merkblatt-kmu-sicherheit_de.pdf\n- Generelle Informationen zu Cyber Security für Unternehmen: https://www.ibarry.ch/de/\n- Resourcen von der Polizei Bern: https://www.cyber.police.be.ch/de/start/informationen-fuer-kmu.html insbesondere interessant für euch:\n  - Cyberdelikte verhindern - Wegleitung für KMU: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/broschuere-cyberdelikte-verhindern-de.pdf\n  - Zehn Tipps, um Cyberangriffe zu verhindern: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/cybercrime-zehn-tipps-de.pdf\n  - Selbstassessment für die Unternehmensleitung: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/selbstassessment-de.pdf\n  - Cyberattacke - wie sich schützen. Checkliste für Unternehmensleitung: https://www.cyber.police.be.ch/content/dam/police/dokumente/cyber/d/checkliste-cyberattacke-unternehmensleitung-de.pdf\n- Cyber Security für Kleine und Mittlere Unternehmen: https://www.enisa.europa.eu/publications/enisa-report-cybersecurity-for-smes/@@download/fullReport\n","funding_links":[],"categories":["Others"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCompassSecurity%2Fsecurity_resources","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FCompassSecurity%2Fsecurity_resources","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FCompassSecurity%2Fsecurity_resources/lists"}