In these times where a new major data breach occurs on a daily basis, it is important for the personal Internet user, corporations, and governments to stay aware of vulnerabilities that may affect their systems. Packet Storm provides around-the-clock information and tools in order to help mitigate both personal data and fiscal loss on a global scale. As new information surfaces, Packet Storm releases everything immediately through its RSS feeds, Twitter, and Facebook. The site is referenced in over a hundred books and has a history of being spotlighted in the news.
Packet Storm has been a cornerstone on the Internet since 1998 and is visited monthly by over 190 countries. The site is meant to provide a unique service to everyone on the Internet - shedding full light on real security issues that may affect them. It is home to system administrators who need to keep their network up to date, security researchers who discover and report new findings, governments and corporations that need to understand current events, security vendors that want to develop new signatures for their software, and many others. Get involved and help secure the world.
RSS feeds: https://packetstormsecurity.com/feeds
Possibly one of the oldest threat intel sites out there.
cve-maker is a hub for finding CVEs and exploits. It is based on the official NIST, ExploitDB and GitHub databases. The tool makes it quick and easy to search for CVEs and their associated exploits. It is able to detect exploit compilation options. It can also be used to list the latest critical vulnerabilities.
Over 100 forks of deliberately vulnerable web applications and APIs to practice on.
I write about security, privacy, vulnerabilities and exploits, retro computing, music, various programming languages, personal projects and general stuff that crosses my mind. Make sure you use encrypted email when sending me any sensitive info.
Tor mirror: http://sizeofaex6zgovemvemn2g3jfmgujievmxxxbcgnbrnmgcjcjpiiprqd.onion/
A utility that, when given a CVE, searches GitHub for a PoC of the vulnerability.
GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.
The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks.
An impressive collection of research papers, exploits, and utilities.
A framework used by penetration testers for building custom exploits for infiltrating systems. Written in Ruby. Comes with a large library of payloads and other nifty and fascinating tools. It's worth learning to use if you're serious about penetration testing or exploit development. Also, the cutting edge of attack technologies winds up coming out of the Metasploit project.
A development library which makes it easier to develop and package your own shellcode for remote exploits. It even includes an ncurses-based front end.
A handy cheatsheet for crafting SQL injection attacks against web applications.
Offensive Security Training has taken over where Milw0rm left off in their archival of live exploits, vulnerability descriptions, attacks, and whitepapers.
A basic framework for forcing heap overflow vulnerabilities in the Linux kernel. This is for the purpose of learning to write heap overflow exploits in the Linux kernel as well as for developing the techniques to find and exploit them. It is entirely possible that this library may destabilize the kernel, so practice on a virtual machine that you can revert to a known-stable state when you're done.
GitHub repo for a tutorial on writing kernel exploits.
Awesome list of curated hacking, infosec, and pentesting resources.