diff --git a/README.md b/README.md index 75414ae..a936cda 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,31 @@ Before adding a pull request, please see the **[contributing guidelines](.github All **suggestions/PR** are welcome! +### Code Contributors + +This project exists thanks to all the people who contribute. + + + +### Financial Contributors + +

+ + + + + + +

+ +#### Individuals + +Become a financial contributor and help us sustain our community **[» contribute](https://opencollective.com/the-book-of-secret-knowledge/contribute)**. + +#### Organizations + +Support this project with your organization. Your logo will show up here with a link to your website **[» contribute](https://opencollective.com/the-book-of-secret-knowledge/contribute)**. + ## :gift_heart:  Support If this project is useful and important for you or if you really like _the-book-of-secret-knowledge_, you can bring **positive energy** by giving some **good words** or **supporting this project**. Thank you! @@ -154,12 +179,14 @@ Only main chapters:   :small_orange_diamond: emacs - is an extensible, customizable, free/libre text editor - and more.
  :small_orange_diamond: micro - is a modern and intuitive terminal-based text editor.
  :small_orange_diamond: neovim - is a free open source, powerful, extensible and usable code editor.
+  :small_orange_diamond: spacemacs - a community-driven Emacs distribution.

##### :black_small_square: Files and directories

  :small_orange_diamond: fd - is a simple, fast and user-friendly alternative to find.
+  :small_orange_diamond: ncdu - is an easy to use, fast disk usage analyzer.

##### :black_small_square: Network @@ -208,6 +235,7 @@ Only main chapters:   :small_orange_diamond: namebench - provides personalized DNS server recommendations based on your browsing history.
  :small_orange_diamond: massdns - is a high-performance DNS stub resolver for bulk lookups and reconnaissance.
  :small_orange_diamond: knock - is a tool to enumerate subdomains on a target domain through a wordlist.
+  :small_orange_diamond: dnsperf - DNS performance testing tools.
  :small_orange_diamond: dnscrypt-proxy 2 - a flexible DNS proxy, with support for encrypted DNS protocols.
  :small_orange_diamond: dnsdbq - API client providing access to passive DNS database systems (pDNS at Farsight Security, CIRCL pDNS).
  :small_orange_diamond: grimd - fast dns proxy, built to black-hole internet advertisements and malware servers.
@@ -293,12 +321,13 @@ Only main chapters:   :small_orange_diamond: gperftools - high-performance multi-threaded malloc() implementation, plus some performance analysis tools.
  :small_orange_diamond: glances - cross-platform system monitoring tool written in Python.
  :small_orange_diamond: htop - interactive text-mode process viewer for Unix systems. It aims to be a better 'top'.
+  :small_orange_diamond: nmon - a single executable for performance monitoring and data analysis.
  :small_orange_diamond: atop - ASCII performance monitor. Includes statistics for CPU, memory, disk, swap, network, and processes.
  :small_orange_diamond: lsof - displays in its output information about files that are opened by processes.
  :small_orange_diamond: FlameGraph - stack trace visualizer.
  :small_orange_diamond: lsofgraph - small utility to convert Unix lsof output to a graph showing FIFO and UNIX interprocess communication.
  :small_orange_diamond: rr - is a lightweight tool for recording, replaying and debugging execution of applications.
-  :small_orange_diamond: Performance Co-Pilot - a system performance analysis toolkit.
+  :small_orange_diamond: Performance Co-Pilot - a system performance analysis toolkit.
  :small_orange_diamond: hexyl - a command-line hex viewer.

@@ -340,12 +369,14 @@ Only main chapters:

  :small_orange_diamond: sysadmin-util - tools for Linux/Unix sysadmins.
  :small_orange_diamond: incron - is an inode-based filesystem notification technology.
+  :small_orange_diamond: lsyncd - synchronizes local directories with remote targets (Live Syncing Daemon).
  :small_orange_diamond: GRV - is a terminal based interface for viewing Git repositories.
  :small_orange_diamond: Tig - text-mode interface for Git.
  :small_orange_diamond: tldr - simplified and community-driven man pages.
  :small_orange_diamond: archiver - easily create and extract .zip, .tar, .tar.gz, .tar.bz2, .tar.xz, .tar.lz4, .tar.sz, and .rar.
  :small_orange_diamond: commander.js - minimal CLI creator in JavaScript.
  :small_orange_diamond: gron - make JSON greppable!
+  :small_orange_diamond: bed - binary editor written in Go.

#### GUI Tools  [[TOC]](#anger-table-of-contents) @@ -364,6 +395,7 @@ Only main chapters:   :small_orange_diamond: Wireshark - is the world’s foremost and widely-used network protocol analyzer.
  :small_orange_diamond: Ettercap - is a comprehensive network monitor tool.
  :small_orange_diamond: EtherApe - is a graphical network monitoring solution.
+  :small_orange_diamond: Packet Sender - is a networking utility for packet generation and built-in UDP/TCP/SSL client and servers.
  :small_orange_diamond: Ostinato - is a packet crafter and traffic generator.
  :small_orange_diamond: JMeter™ - open source software to load test functional behavior and measure performance.
  :small_orange_diamond: locust - scalable user load testing tool written in Python.
@@ -432,7 +464,8 @@ Only main chapters:   :small_orange_diamond: CSP Evaluator - allows developers and security experts to check if a Content Security Policy.
  :small_orange_diamond: Useless CSP - public list about CSP in some big players (might make them care a bit more).
  :small_orange_diamond: Why No HTTPS? - list of the world's top 100 websites by Alexa rank not automatically redirecting insecure requests.
-  :small_orange_diamond: cipherli.st - strong ciphers for Apache, Nginx, Lighttpd and more.
+  :small_orange_diamond: TLS Cipher Suite Search
+  :small_orange_diamond: cipherli.st - strong ciphers for Apache, Nginx, Lighttpd and more.*
  :small_orange_diamond: dhtool - public Diffie-Hellman parameter service/tool.
  :small_orange_diamond: badssl.com - memorable site for testing clients against bad SSL configs.
  :small_orange_diamond: tlsfun.de - registered for various tests regarding the TLS/SSL protocol.
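Review bot: The added `TLS Cipher Suite Search` line has no description, while the entries around it in this hunk all follow the `name - description` pattern; add a short one saying what the search covers. The same hunk also appends a trailing `*` to the cipherli.st line with no visible explanation. If the marker carries a meaning, document it where the list conventions are described; otherwise drop it.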
@@ -481,7 +514,9 @@ Only main chapters: ##### :black_small_square: Mail

+  :small_orange_diamond: smtp-tls-checker - check an email domain for SMTP TLS support.
  :small_orange_diamond: MX Toolbox - all of your MX record, DNS, blacklist and SMTP diagnostics in one integrated tool.
+  :small_orange_diamond: Secure Email - complete email test tools for email technicians.
  :small_orange_diamond: blacklistalert - checks to see if your domain is on a Real Time Spam Blacklist.
  :small_orange_diamond: MultiRBL - complete IP check for sending Mailservers.
  :small_orange_diamond: DKIM SPF & Spam Assassin Validator - checks mail authentication and scores messages with Spam Assassin.
@@ -503,13 +538,14 @@ Only main chapters:

  :small_orange_diamond: Netcraft - detailed report about the site, helping you to make informed choices about their integrity.*
-  :small_orange_diamond: RIPE NCC - not-for-profit membership association, a Regional Internet Registry and the secretariat for the RIPE.
+  :small_orange_diamond: RIPE NCC Atlas - a global, open, distributed Internet measurement platform.
  :small_orange_diamond: Robtex - uses various sources to gather public information about IP numbers, domain names, host names, routes etc.
  :small_orange_diamond: Security Trails - APIs for Security Companies, Researchers and Teams.
  :small_orange_diamond: Online Curl - curl test, analyze HTTP Response Headers.
  :small_orange_diamond: Online Tools for Developers - HTTP API tools, testers, encoders, converters, formatters, and other tools.
  :small_orange_diamond: Ping.eu - online Ping, Traceroute, DNS lookup, WHOIS and others.
  :small_orange_diamond: Network-Tools - network tools for webmasters, IT technicians & geeks.
+  :small_orange_diamond: BGPview - search for any ASN, IP, Prefix or Resource name.
  :small_orange_diamond: Riseup - provides online communication tools for people and groups working on liberatory social change.
  :small_orange_diamond: VirusTotal - analyze suspicious files and URLs to detect types of malware.

@@ -560,17 +596,17 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: binaryedge - it scan the entire internet space and create real-time threat intelligence streams and reports.
  :small_orange_diamond: wigle - is a submission-based catalog of wireless networks. All the networks. Found by Everyone.
  :small_orange_diamond: PublicWWW - find any alphanumeric snippet, signature or keyword in the web pages HTML, JS and CSS code.
-  :small_orange_diamond: IntelTechniques - this repository contains hundreds of online search utilities.
-  :small_orange_diamond: Hackle - search engine for hackers and security professionals.*
+  :small_orange_diamond: IntelTechniques - this repository contains hundreds of online search utilities.
  :small_orange_diamond: hunter - lets you find email addresses in seconds and connect with the people that matter for your business.
  :small_orange_diamond: GhostProject? - search by full email address or username.
  :small_orange_diamond: databreaches - was my email affected by data breach?
  :small_orange_diamond: We Leak Info - world's fastest and largest data breach search engine.
+  :small_orange_diamond: Pulsedive - scans of malicious URLs, IPs, and domains, including port scans and web requests.
  :small_orange_diamond: scylla - db dumps and more.
  :small_orange_diamond: Buckets by Grayhatwarfar - database with public search for Open Amazon S3 Buckets and their contents.
  :small_orange_diamond: Vigilante.pw - the breached database directory.
  :small_orange_diamond: builtwith - find out what websites are built with.
-  :small_orange_diamond: NerdyData - find where any technology is used, across millions of sites.
+  :small_orange_diamond: NerdyData - search the web's source code for technologies, across millions of sites.
  :small_orange_diamond: Mamont's open FTP Index - if a target has an open FTP site with accessible content it will be listed here.
  :small_orange_diamond: OSINT Framework - focused on gathering information from free tools or resources.
  :small_orange_diamond: maltiverse - is a service oriented to cybersecurity analysts for the advanced analysis of indicators of compromise.
@@ -581,7 +617,6 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: malc0de - malware search engine.
  :small_orange_diamond: Cybercrime Tracker - monitors and tracks various malware families that are used to perpetrate cyber crimes.
  :small_orange_diamond: shhgit - find GitHub secrets in real time.
-  :small_orange_diamond: NerdyData - search source code across 65 million websites.
  :small_orange_diamond: searchcode - helping you find real world examples of functions, API's and libraries.
  :small_orange_diamond: Insecam - the world biggest directory of online surveillance security cameras.
  :small_orange_diamond: index-of - contains great stuff like: security, hacking, reverse engineering, cryptography, programming etc.
@@ -591,8 +626,9 @@ performance of any of your sites from across the globe.

  :small_orange_diamond: thispersondoesnotexist - generate fake faces in one click - endless possibilities.
-  :small_orange_diamond: Intigriti Redirector - open redirect/SSRF payload generator.
  :small_orange_diamond: AI Generated Photos - 100.000 AI generated faces.
+  :small_orange_diamond: fakeface - fake faces browser.
+  :small_orange_diamond: Intigriti Redirector - open redirect/SSRF payload generator.

##### :black_small_square: Passwords @@ -705,6 +741,7 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: maltrail - malicious traffic detection system.
  :small_orange_diamond: security_monkey - monitors AWS, GCP, OpenStack, and GitHub orgs for assets and their changes over time.
  :small_orange_diamond: firecracker - secure and fast microVMs for serverless computing.
+  :small_orange_diamond: streisand - sets up a new server running your choice of WireGuard, OpenSSH, OpenVPN, Shadowsocks, and more.

#### Networks  [[TOC]](#anger-table-of-contents) @@ -842,6 +879,7 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: CIS Benchmarks - are secure configuration settings for over 100 technologies, available as a free PDF download.
  :small_orange_diamond: Security Harden CentOS 7 - this walks you through the steps required to security harden CentOS.
  :small_orange_diamond: CentOS 7 Server Hardening Guide - great guide for hardening CentOS; familiar with OpenSCAP.
+  :small_orange_diamond: awesome-security-hardening - is a collection of security hardening guides, tools and other resources.
  :small_orange_diamond: The Practical Linux Hardening Guide - provides a high-level overview of hardening GNU/Linux systems.

@@ -868,6 +906,7 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: OWASP ASVS 4.0 - is a list of application security requirements or tests.
  :small_orange_diamond: OWASP Testing Guide v4 - includes a "best practice" penetration testing framework.
  :small_orange_diamond: OWASP Dev Guide - this is the development version of the OWASP Developer Guide.
+  :small_orange_diamond: OWASP API Security Project - focuses specifically on the top ten vulnerabilities in API security.
  :small_orange_diamond: Mozilla Web Security - help operational teams with creating secure web applications.
  :small_orange_diamond: security-bulletins - security bulletins that relate to Netflix Open Source.
  :small_orange_diamond: API-Security-Checklist - security countermeasures when designing, testing, and releasing your API.
@@ -919,7 +958,7 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: How to build a 8 GPU password cracker - any "black magic" or hours of frustration like desktop components do.
  :small_orange_diamond: CERN Data Centre - 3D visualizations of the CERN computing environments (and more).
  :small_orange_diamond: How fucked is my database - evaluate how fucked your database is with this handy website.
-  :small_orange_diamond: Five Whys - you know what the problem is, but you cannot solve it?
+  :small_orange_diamond: Five Whys - you know what the problem is, but you cannot solve it?
  :small_orange_diamond: howhttps.works - how HTTPS works ...in a comic!
  :small_orange_diamond: howdns.works - a fun and colorful explanation of how DNS works.

@@ -979,6 +1018,7 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: Don't use VPN services - which is what every third-party "VPN provider" does.
  :small_orange_diamond: awesome-yara - a curated list of awesome YARA rules, tools, and people.
  :small_orange_diamond: macOS-Security-and-Privacy-Guide - guide to securing and improving privacy on macOS.
+  :small_orange_diamond: awesome-sec-talks - is a collected list of awesome security talks.
  :small_orange_diamond: Movies for Hackers - list of movies every hacker & cyberpunk must watch.

@@ -993,6 +1033,7 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: Project-Based-Tutorials-in-C - is a curated list of project-based tutorials in C.
  :small_orange_diamond: The-Documentation-Compendium - various README templates & tips on writing high-quality documentation.
  :small_orange_diamond: awesome-python-applications - free software that works great, and also happens to be open-source Python.
+  :small_orange_diamond: awesome-public-datasets - a topic-centric list of HQ open datasets.

#### Blogs/Podcasts/Videos  [[TOC]](#anger-table-of-contents) @@ -1040,7 +1081,6 @@ performance of any of your sites from across the globe.
  :small_orange_diamond: Linux Security Expert - trainings, howtos, checklists, security tools and more.
  :small_orange_diamond: The Grymoire - collection of useful incantations for wizards, be you computer wizards, magicians, or whatever.
-  :small_orange_diamond: PortSwigger Web Security Blog - about web app security vulns and top tips from our team of web security.
  :small_orange_diamond: Secjuice - is the only non-profit, independent and volunteer led publication in the information security space.
  :small_orange_diamond: Decipher - security news that informs and inspires.

@@ -1053,6 +1093,7 @@ Linux Security Expert - trainings, howtos, checklists, security tools an   :small_orange_diamond: Tripwire State of Security - blog featuring the latest news, trends and insights on current information security issues.
  :small_orange_diamond: Malwarebytes Labs Blog - security blog aims to provide insider news about cybersecurity.
  :small_orange_diamond: TrustedSec - latest news, and trends about cybersecurity.
+  :small_orange_diamond: PortSwigger Web Security Blog - about web app security vulns and top tips from our team of web security.
  :small_orange_diamond: AT&T Cybersecurity blog - news on emerging threats and practical advice to simplify threat detection.
  :small_orange_diamond: Thycotic - where CISOs and IT Admins come to learn about industry trends, IT security, data breaches, and more.

@@ -1144,6 +1185,7 @@ CyberTalks - talks, interviews, and article about cybersecurity.
  :small_orange_diamond: Nikto2 - web server scanner which performs comprehensive tests against web servers for multiple items.
  :small_orange_diamond: sqlmap - tool that automates the process of detecting and exploiting SQL injection flaws.
  :small_orange_diamond: Recon-ng - is a full-featured Web Reconnaissance framework written in Python.
+  :small_orange_diamond: AutoRecon - is a network reconnaissance tool which performs automated enumeration of services.
  :small_orange_diamond: Faraday - an Integrated Multiuser Pentest Environment.
  :small_orange_diamond: Photon - incredibly fast crawler designed for OSINT.
  :small_orange_diamond: XSStrike - most advanced XSS detection suite.
@@ -1165,6 +1207,7 @@ CyberTalks - talks, interviews, and article about cybersecurity.
  :small_orange_diamond: ctf-tools - some setup scripts for security research tools.
  :small_orange_diamond: pwntools - CTF framework and exploit development library.
  :small_orange_diamond: security-tools - collection of small security tools created mostly in Python. CTFs, pentests and so on.
+  :small_orange_diamond: pentestpackage - is a package of Pentest scripts.
  :small_orange_diamond: python-pentest-tools - python tools for penetration testers.
  :small_orange_diamond: fuzzdb - dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
  :small_orange_diamond: syzkaller - is an unsupervised, coverage-guided kernel fuzzer.
@@ -1182,6 +1225,7 @@ CyberTalks - talks, interviews, and article about cybersecurity.
  :small_orange_diamond: AutoSploit - automated mass exploiter.
  :small_orange_diamond: SUDO_KILLER - is a tool to identify and exploit sudo rules' misconfigurations and vulnerabilities.
  :small_orange_diamond: yara - the pattern matching swiss knife.
+  :small_orange_diamond: mimikatz - a little tool to play with Windows security.

##### :black_small_square: Pentests bookmarks collection @@ -1208,6 +1252,7 @@ CyberTalks - talks, interviews, and article about cybersecurity.
  :small_orange_diamond: ThreatHunter-Playbook - to aid the development of techniques and hypothesis for hunting campaigns.
  :small_orange_diamond: PayloadsAllTheThings - a list of useful payloads and bypass for Web Application Security and Pentest/CTF.
  :small_orange_diamond: payloads - git all the Payloads! A collection of web attack payloads.
+  :small_orange_diamond: command-injection-payload-list - command injection payload list.
  :small_orange_diamond: AwesomeXSS - is a collection of Awesome XSS resources.
  :small_orange_diamond: php-webshells - common php webshells.
  :small_orange_diamond: Pentesting Tools Cheat Sheet - a quick reference high level overview for typical penetration testing engagements.
@@ -1271,6 +1316,8 @@ CyberTalks - talks, interviews, and article about cybersecurity.

  :small_orange_diamond: OWASP-VWAD - comprehensive and well maintained registry of all known vulnerable web applications.
  :small_orange_diamond: DVWA - PHP/MySQL web application that is damn vulnerable.
+  :small_orange_diamond: metasploitable2 - vulnerable web application amongst security researchers.
+  :small_orange_diamond: metasploitable3 - is a VM that is built from the ground up with a large amount of security vulnerabilities.
  :small_orange_diamond: DSVW - is a deliberately vulnerable web application written in under 100 lines of code.
  :small_orange_diamond: OWASP Mutillidae II - free, open source, deliberately vulnerable web-application.
  :small_orange_diamond: OWASP Juice Shop Project - the most bug-free vulnerable application in existence.
@@ -1292,13 +1339,6 @@ AWS deployment tool.
  :small_orange_diamond: RootTheBox - a Game of Hackers (CTF Scoreboard & Game Manager).

-##### :black_small_square: Vulnerable virtual machines - -

-  :small_orange_diamond: metasploitable 2 - vulnerable web application amongst security researchers.
-  :small_orange_diamond: metasploitable3 - is a VM that is built from the ground up with a large amount of security vulnerabilities.
-

- ##### :black_small_square: Labs (ethical hacking platforms/trainings/CTFs)

@@ -1328,7 +1368,6 @@ AWS deployment tool.
  :small_orange_diamond: Crackmes - download crackmes to help improve your reverse engineering skills.
  :small_orange_diamond: DomGoat - DOM XSS security learning and practicing platform.
  :small_orange_diamond: Stereotyped Challenges - upgrade your web hacking techniques today!
-  :small_orange_diamond: OverTheWire - can help you to learn and practice security concepts in the form of fun-filled games.
  :small_orange_diamond: Vulnhub - allows anyone to gain practical 'hands-on' experience in digital security.
  :small_orange_diamond: W3Challs - is a penetration testing training platform, which offers various computer challenges.
  :small_orange_diamond: RingZer0 CTF - offers you tons of challenges designed to test and improve your hacking skills.
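Review bot: The OverTheWire line is deleted in this hunk and no hunk in the patch adds it back, so unless another OverTheWire entry already exists in the README this drops the resource rather than moving it. The PortSwigger and Intigriti moves in this patch show both the `-` and the `+` side; this one shows only the removal. If it is a duplicate cleanup, say so in the commit message.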
@@ -2373,6 +2412,12 @@ ___ echo | openssl s_client -connect google.com:443 -showcerts ``` +###### Testing connection to the remote host (debug mode) + +```bash +echo | openssl s_client -connect google.com:443 -showcerts -tlsextdebug -status +``` + ###### Testing connection to the remote host (with SNI support) ```bash @@ -2468,6 +2513,8 @@ openssl req -out ${_fd_csr} -new -key ${_fd} ) ###### Generate CSR (metadata from existing certificate) + > Where `private.key` is the existing private key. As you can see you do not generate this CSR from your certificate (public key). Also you do not generate the "same" CSR, just a new one to request a new certificate. + ```bash ( _fd="private.key" ; _fd_csr="request.csr" ; _fd_crt="cert.crt" ; \ openssl x509 -x509toreq -in ${_fd_crt} -out ${_fd_csr} -signkey ${_fd} ) @@ -2479,7 +2526,7 @@ openssl x509 -x509toreq -in ${_fd_crt} -out ${_fd_csr} -signkey ${_fd} ) ( _fd="private.key" ; _fd_csr="request.csr" ; \ openssl req -new -sha256 -key ${_fd} -out ${_fd_csr} \ -config <( -cat <<-EOF +cat << __EOF__ [req] default_bits = 2048 default_md = sha256 @@ -2502,7 +2549,7 @@ subjectAltName = @alt_names DNS.1 = DNS.2 = DNS.3 = -EOF +__EOF__ )) ``` @@ -2669,6 +2716,13 @@ openssl req -text -noout -in ${_fd_csr} ) openssl x509 -noout -modulus -in certificate.crt | openssl md5) | uniq ``` +###### Check whether the private key and the CSR match + +```bash +(openssl rsa -noout -modulus -in private.key | openssl md5 ; \ +openssl req -noout -modulus -in request.csr | openssl md5) | uniq +``` + ___ ##### Tool: [secure-delete](https://wiki.archlinux.org/index.php/Securely_wipe_disk)
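Review bot: In the hunk at `@@ -2373,6 +2412,12 @@`, the heading `Testing connection to the remote host (debug mode)` does not say what the two added flags do. `-tlsextdebug` dumps the TLS extensions received from the server and `-status` requests a stapled OCSP response, so a one-line note naming both would tell readers what to look for in the output.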
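Review bot: In the hunk at `@@ -2468,6 +2513,8 @@`, the added note says "you do not generate this CSR from your certificate (public key)", yet the command directly below reads the certificate with `-x509toreq -in ${_fd_crt}` and the heading says the metadata comes from the existing certificate. Reword the note to state plainly that the subject data is taken from `cert.crt` and the new request is signed with `private.key`, so the text and the command agree.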
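Review bot: In the hunks at `@@ -2479,7 +2526,7 @@` and `@@ -2502,7 +2549,7 @@`, switching `cat <<-EOF` to `cat << __EOF__` also removes the `-`, so leading tabs are no longer stripped from the here-document. The config body and the closing `__EOF__` must therefore stay at column 0; a short comment above the block would stop someone re-indenting it later. The delimiter is still unquoted, so any `$` placed in the config will be expanded by the shell.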
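Review bot: In the hunk at `@@ -2669,6 +2716,13 @@`, the new key/CSR check pipes both digests through `uniq` but nothing tells the reader how to interpret the result: one hash line means the moduli match, two lines mean they differ. Two further points belong in the text. `openssl rsa -noout -modulus` only applies to RSA keys, so the heading should say so. And if either file is missing or unreadable, both `openssl md5` calls hash empty input and print the same digest, which looks like a match; checking the exit status of the first command in each pipeline, or comparing the two values explicitly, avoids that false positive.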