Defensive Programming Books

• Holistic Info-Sec for Web Developers (Fascicle 0)
• Holistic Info-Sec for Web Developers (Fascicle 1)

Hacker's Handbook Series Books

• Android Hacker's Handbook by Joshua J. Drake et al., 2014
• Car Hacker's Handbook by Craig Smith, 2016
• The Browser Hacker's Handbook by Wade Alcorn et al., 2014
• The Database Hacker's Handbook, David Litchfield et al., 2005
• The Mac Hacker's Handbook by Charlie Miller & Dino Dai Zovi, 2009
• The Mobile Application Hacker's Handbook by Dominic Chell et al., 2015
• The Shellcoder's Handbook by Chris Anley et al., 2007
• The Web Application Hacker's Handbook by D. Stuttard, M. Pinto, 2011
• iOS Hacker's Handbook by Charlie Miller et al., 2012

Lock Picking Books

• Eddie the Wire books
• Lock Picking: Detail Overkill by Solomon

Malware Analysis Books

• Malware Analyst's Cookbook and DVD by Michael Hale Ligh et al., 2010
• Practical Malware Analysis by Michael Sikorski & Andrew Honig, 2012
• The Art of Memory Forensics by Michael Hale Ligh et al., 2014

Network Analysis Books

• Nmap Network Scanning by Gordon Fyodor Lyon, 2009
• Wireshark Network Analysis by by Laura Chappell & Gerald Combs, 2012

Penetration Testing Books

• Btfm: Blue Team Field Manual by Alan J White & Ben Clark, 2017
• Bug Hunter's Diary by Tobias Klein, 2011
• Fuzzing: Brute Force Vulnerability Discovery by Michael Sutton et al., 2007
• Metasploit: The Penetration Tester's Guide by David Kennedy et al., 2011
• Penetration Testing: A Hands-On Introduction to Hacking by Georgia Weidman, 2014
• The Art of Exploitation by Jon Erickson, 2008
• Black Hat Python: Python Programming for Hackers and Pentesters by Justin Seitz, 2014
• Rtfm: Red Team Field Manual by Ben Clark, 2014
• Advanced Penetration Testing for Highly-Secured Environments by Lee Allen, 2012

Reverse Engineering Books

• Hacking the Xbox by Andrew Huang, 2003
• Practical Reverse Engineering by Bruce Dang et al., 2014
• The IDA Pro Book by Chris Eagle, 2011
• Gray Hat Hacking The Ethical Hacker's Handbook by Daniel Regalado et al., 2015

Social Engineering Books

• Ghost in the Wires by Kevin D. Mitnick & William L. Simon, 2011
• Social Engineering in IT Security: Tools, Tactics, and Techniques by Sharon Conheady, 2014
• The Art of Deception by Kevin D. Mitnick & William L. Simon, 2002
• The Art of Intrusion by Kevin D. Mitnick & William L. Simon, 2005
• Unmasking the Social Engineer: The Human Element of Security by Christopher Hadnagy, 2014

Windows Books

• Troubleshooting with the Windows Sysinternals Tools by Mark Russinovich & Aaron Margosis, 2016
• Troubleshooting with the Windows Sysinternals Tools by Mark Russinovich & Aaron Margosis, 2016

• DEF CON Suggested Reading

Windows Books

• Lair - Reactive attack collaboration framework and web application built with meteor.

Asia

• HITB - Deep-knowledge security conference held in Malaysia and The Netherlands.
• SECUINSIDE - Security Conference in Seoul.
• HITCON - Hacks In Taiwan Conference held in Taiwan.

Europe

• 44Con - Annual Security Conference held in London.
• CCC - Annual meeting of the international hacker scene in Germany.
• DeepSec - Security Conference in Vienna, Austria.
• Hack.lu - Annual conference held in Luxembourg.
• SteelCon - Security conference in Sheffield UK.
• Swiss Cyber Storm - Annual security conference in Lucerne, Switzerland.
• HoneyCON - Annual Security Conference in Guadalajara, Spain. Organized by the HoneySEC association.

North America

• CarolinaCon - Infosec conference, held annually in North Carolina.
• DerbyCon - Annual hacker conference based in Louisville.
• Hackers Next Door - Cybersecurity and social technology conference held in New York City.
• Hackers On Planet Earth (HOPE) - Semi-annual conference held in New York City.
• National Cyber Summit - Annual US security conference and Capture the Flag event, held in Huntsville, Alabama, USA.
• PhreakNIC - Technology conference held annually in middle Tennessee.
• RSA Conference USA - Annual security conference in San Francisco, California, USA.
• SummerCon - One of the oldest hacker conventions in America, held during Summer.
• DEF CON - Annual hacker convention in Las Vegas.
• Virus Bulletin Conference - Annual conference going to be held in Denver, USA for 2016.

Docker Containers of Intentionally Vulnerable Systems

• Damn Vulnerable Web Application (DVWA) - `docker pull citizenstig/dvwa`.
• OWASP Mutillidae II Web Pen-Test Practice Application - `docker pull citizenstig/nowasp`.
• OWASP Security Shepherd - `docker pull ismisepaul/securityshepherd`.
• Vulnerability as a service: Heartbleed - `docker pull hmlio/vaas-cve-2014-0160`.
• Vulnerability as a service: Shellshock - `docker pull hmlio/vaas-cve-2014-6271`.
• Vulnerable WordPress Installation - `docker pull wpscanteam/vulnerablewordpress`.

Docker Containers of Penetration Testing Distributions and Tools

• Docker Bench for Security - `docker pull diogomonica/docker-bench-security`.
• Official Kali Linux - `docker pull kalilinux/kali-linux-docker`.
• Official WPScan - `docker pull wpscanteam/wpscan`.
• Security Ninjas - `docker pull opendns/security-ninjas`.
• docker-metasploit - `docker pull phocean/msf`.

Docker Containers of Penetration Testing Distributions and Tools

• Kaitai Struct - File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
• peepdf - Python tool to explore PDF files in order to find out if the file can be harmful or not.
• Veles - Binary data visualization and analysis tool.

Docker Containers of Penetration Testing Distributions and Tools

• Lynis - Auditing tool for UNIX-based systems.

Docker Containers of Penetration Testing Distributions and Tools

• CeWL - Generates custom wordlists by spidering a target's website and collecting unique words.
• Rar Crack - RAR bruteforce cracker.

Docker Containers of Penetration Testing Distributions and Tools

• 0xED - Native macOS hex editor that supports plug-ins to display custom data types.
• Hexinator - World's finest (proprietary, commercial) Hex Editor.
• wxHexEditor - Free GUI hex editor for GNU/Linux, macOS, and Windows.

Docker Containers of Penetration Testing Distributions and Tools

• Armitage - Java-based GUI front-end for the Metasploit Framework.
• Metasploit - Software for offensive security teams to help verify vulnerabilities and manage security assessments.

Docker Containers of Penetration Testing Distributions and Tools

• Intercepter-NG - Multifunctional network toolkit.
• Ncrack - High-speed network authentication cracking tool built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.
• Praeda - Automated multi-function printer data harvester for gathering usable data during security assessments.
• dsniff - Collection of tools for network auditing and pentesting.
• SPARTA - Graphical interface offering scriptable, configurable access to existing network infrastructure scanning and enumeration tools.

DDoS Tools

• Anevicon - Powerful UDP-based load generator, written in Rust.
• HOIC - Updated version of Low Orbit Ion Cannon, has 'boosters' to get around common counter measures.
• T50 - Faster network stress tool.

Exfiltration Tools

• Iodine - Tunnel IPv4 data through a DNS server; useful for exfiltration from networks where Internet access is firewalled, but DNS queries are allowed.

Network Reconnaissance Tools

• DNSDumpster - Online DNS recon and search service.
• dnstracer - Determines where a given DNS server gets its information from, and follows the chain of DNS servers.
• nmap - Free security scanner for network exploration & security audits.
• zmap - Open source network scanner that enables researchers to easily perform Internet-wide network studies.

Protocol Analyzers and Sniffers

• Wireshark - Widely-used graphical, cross-platform network protocol analyzer.
• Debookee - Simple and powerful network traffic analyzer for macOS.

Network Traffic Replay and Editing Tools

• TraceWrangler - Network capture file toolkit that can edit and merge `pcap` or `pcapng` files with batch editing features.
• tcpreplay - Suite of free Open Source utilities for editing and replaying previously captured network traffic.

Proxies and Machine-in-the-Middle (MITM) Tools

• BetterCAP - Modular, portable and easily extensible MITM framework.
• mitmproxy - Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.

Wireless Network Tools

• Aircrack-ng - Set of tools for auditing wireless networks.
• BoopSuite - Suite of tools written in Python for wireless auditing.
• Kismet - Wireless network detector, sniffer, and IDS.
• Reaver - Brute force attack against WiFi Protected Setup.
• Bully - Implementation of the WPS brute force attack, written in C.

Wireless Network Tools

• Nexpose - Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.

Web Vulnerability Scanners

• Nikto - Noisy but fast black box web server and web application vulnerability scanner.
• SecApps - In-browser web application security testing suite.
• WPScan - Black box WordPress vulnerability scanner.
• WebReaver - Commercial, graphical web application vulnerability scanner designed for macOS.
• cms-explorer - Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.

Data broker and search engine services

• Hunter.io - Data broker providing a Web search interface for discovering the email addresses and other organizational details of a company.
• Threat Crowd - Search engine for threats.

Metadata harvesting and analysis

• FOCA (Fingerprinting Organizations with Collected Archives) - Automated document harvester that searches Google, Bing, and DuckDuckGo to find and extrapolate internal company organizational structures.

Network device discovery tools

• Shodan - World's first search engine for Internet-connected devices.
• ZoomEye - Search engine for cyberspace that lets the user find specific network components.
• Censys - Collects data on hosts and websites through daily ZMap and ZGrab scans.

Web Vulnerability Scanners

• Intrigue - Automated OSINT & Attack Surface discovery framework with powerful API, UI and CLI.
• Maltego - Proprietary software for open source intelligence and forensics, from Paterva.

Online Exploit Development Resources

• Exploit Writing Tutorials - Tutorials on how to develop exploits.
• Shellcode Examples - Shellcodes database.

Online Lock Picking Resources

• /r/lockpicking - Resources for learning lockpicking, equipment recommendations.
• bosnianbill - Instructional lockpicking videos made by an expert.

Online Open Sources Intelligence (OSINT) Resources

• GhostProject - Searchable database of billions of cleartext passwords, partially visible for free.
• NetBootcamp OSINT Tools - Collection of OSINT links and custom Web interfaces to other services.
• WiGLE.net - Information about wireless networks world-wide, with user-friendly desktop and web applications.

Online Operating Systems Resources

• DistroWatch.com's Security Category - Website dedicated to talking about, reviewing, and keeping up to date with open source operating systems.

Online Penetration Testing Resources

• MITRE's Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) - Curated knowledge base and model for cyber adversary behavior.
• Penetration Testing Framework (PTF) - Outline for performing penetration tests compiled as a general framework usable by vulnerability analysts and penetration testers alike.
• XSS-Payloads - Resource dedicated to all things XSS (cross-site), including payloads, tools, games, and documentation.
• XSS-Payloads - Resource dedicated to all things XSS (cross-site), including payloads, tools, games, and documentation.
• XSS-Payloads - Resource dedicated to all things XSS (cross-site), including payloads, tools, games, and documentation.
• XSS-Payloads - Resource dedicated to all things XSS (cross-site), including payloads, tools, games, and documentation.
• XSS-Payloads - Resource dedicated to all things XSS (cross-site), including payloads, tools, games, and documentation.
• XSS-Payloads - Resource dedicated to all things XSS (cross-site), including payloads, tools, games, and documentation.

Other Lists Online

• .NET Programming - Software framework for Microsoft Windows platform development.
• Android Security - Collection of Android security related resources.
• AppSec - Resources for learning about application security.
• Awesome Awesomness - The List of the Lists.
• C/C++ Programming - One of the main language for open source security tools.
• CTFs - Capture The Flag frameworks, libraries, etc.
• Hacking - Tutorials, tools, and resources.
• Honeypots - Honeypots, tools, components, and more.
• Security-related Operating Systems - List of security related operating systems.
• JavaScript Programming - In-browser development and scripting.
• Malware Analysis - Tools and resources for analysts.
• PCAP Tools - Tools for processing network traffic.
• Python Programming by @vinta - General Python programming.
• Ruby Programming by @markets - The de-facto language for writing exploits.
• Security - Software, libraries, documents, and other resources.
• Shell Scripting - Command line frameworks, toolkits, guides and gizmos.
• InfoSec § Hacking challenges - Comprehensive directory of CTFs, wargames, hacking challenge websites, pentest practice lab exercises, and more.

Penetration Testing Report Templates

• T&VS Pentesting Report Template - Pentest report template provided by Test and Verification Services, Ltd.

Penetration Testing Report Templates

• Android Tamer - Distribution built for Android security professionals that includes tools required for Android security testing.
• ArchStrike - Arch GNU/Linux repository for security professionals and enthusiasts.
• BlackArch - Arch GNU/Linux-based distribution for penetration testers and security researchers.
• Buscador - GNU/Linux virtual machine that is pre-configured for online investigators.
• Kali - Rolling Debian-based GNU/Linux distribution designed for penetration testing and digital forensics.
• Parrot - Distribution similar to Kali, with support for multiple hardware architectures.
• PentestBox - Open source pre-configured portable penetration testing environment for the Windows Operating System.

Penetration Testing Report Templates

• 2600: The Hacker Quarterly - American publication about technology and computer "underground" culture.
• Phrack Magazine - By far the longest running hacker zine.

Penetration Testing Report Templates

• AT Commands - Use AT commands over an Android device's USB port to rewrite device firmware, bypass security mechanisms, exfiltrate sensitive information, perform screen unlocks, and inject touch events.
• Poisontap - Siphons cookies, exposes internal (LAN-side) router and installs web backdoor on locked computers.
• Proxmark3 - RFID/NFC cloning, replay, and spoofing toolkit often used for analyzing and attacking proximity cards/readers, wireless keys/keyfobs, and more.
• Thunderclap - Open source I/O security research platform for auditing physical DMA-enabled hardware peripheral ports.

Penetration Testing Report Templates

• Capstone - Lightweight multi-platform, multi-architecture disassembly framework.
• Ghidra - Suite of free software reverse engineering tools developed by NSA's Research Directorate originally exposed in WikiLeaks's "Vault 7" publication and now maintained as open source software.
• Immunity Debugger - Powerful way to write exploits and analyze malware.
• Interactive Disassembler (IDA Pro) - Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, [IDA Free](https://www.hex-rays.com/products/ida/support/download_freeware.shtml).
• OllyDbg - x86 debugger for Windows binaries that emphasizes binary code analysis.

Penetration Testing Report Templates

• Offensive Security Training - Training from BackTrack/Kali developers.

Penetration Testing Report Templates

• ShellPhish - Social media site cloner and phishing tool built atop SocialFish.

Penetration Testing Report Templates

• Bugtraq (BID) - Software security bug identification database compiled from submissions to the SecurityFocus mailing list and other sources, operated by Symantec, Inc.
• CXSecurity - Archive of published CVE and Bugtraq software vulnerabilities cross-referenced with a Google dork database for discovering the listed vulnerability.
• China National Vulnerability Database (CNNVD) - Chinese government-run vulnerability database analoguous to the United States's CVE database hosted by Mitre Corporation.
• Common Vulnerabilities and Exposures (CVE) - Dictionary of common names (i.e., CVE Identifiers) for publicly known security vulnerabilities.
• Exploit-DB - Non-profit project hosting exploits for software vulnerabilities, provided as a public service by Offensive Security.
• HPI-VDB - Aggregator of cross-referenced software vulnerabilities offering free-of-charge API access, provided by the Hasso-Plattner Institute, Potsdam.
• Inj3ct0r - Exploit marketplace and vulnerability information aggregator. ([Onion service](http://mvfjfugdwgc5uwho.onion/).)
• National Vulnerability Database (NVD) - United States government's National Vulnerability Database provides additional meta-data (CPE, CVSS scoring) of the standard CVE List along with a fine-grained search engine.
• US-CERT Vulnerability Notes Database - Summaries, technical details, remediation information, and lists of vendors affected by software vulnerabilities, aggregated by the United States Computer Emergency Response Team (US-CERT).
• Vulnerability Lab - Open forum for security advisories organized by category of exploit target.
• Vulners - Security database of software vulnerabilities.
• Vulmon - Vulnerability search engine with vulnerability intelligence features that conducts full text searches in its database.

Penetration Testing Report Templates

• Fiddler - Free cross-platform web debugging proxy with user-friendly companion tools.
• OWASP Zed Attack Proxy (ZAP) - Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
• Wappalyzer - Wappalyzer uncovers the technologies used on websites.
• autochrome - Easy to install a test browser with all the appropriate setting needed for web application testing with native Burp support, from NCCGroup.
• sslstrip - Demonstration of the HTTPS stripping attacks.
• EyeWitness - Tool to take screenshots of websites, provide some server header info, and identify default credentials if possible.

Penetration Testing Report Templates

• Android Open Pwn Project (AOPP) - Variant of the Android Open Source Project (AOSP), called Pwnix, is built from the ground up for network hacking and pentesting.
• cSploit - Advanced IT security professional toolkit on Android featuring an integrated Metasploit daemon and MITM capabilities.

Penetration Testing Report Templates

• Empire - Pure PowerShell post-exploitation agent.
• Windows Credentials Editor - Inspect logon sessions and add, change, list, and delete associated credentials, including Kerberos tickets.
• wePWNise - Generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.

Penetration Testing Report Templates

• Bella - Pure Python post-exploitation data mining and remote administration tool for macOS.