top of page
  • Photo du rédacteurJulien

Tips by Gabrielle B.

Dernière mise à jour : 7 juil. 2023



Please note that this article will be updated regularly. Put it in your favorites!




[FREE RESOURCES / PENTEST REPORT]


Want to upgrade your reporting skills?

A good report is beneficial for your customer. That’s why you need good writing skills!

You need to be able to explain complex concepts in a simple way for the executive summary.

For the vulnerability report, you have to explain your steps clearly.

Also, do not forget to keep a base of templates so that you can reuse them and adapt them to your new context without having to rewrite the whole thing.


Check out my article about this here:


BONUS: Want to take efficient notes on the go, you can use cherry tree: https://www.giuspen.com/cherrytree/



Check my comment below for other great resources for reporting! 👇


Check out this report, because reading other people's reports is really helpful to make yours better.

Check out this other tools for notekeeping:


[FREE RESOURCES / PENTEST - OSINT]


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Today I will share resources for those who wish to learn more about OSINT and maybe specialize in it!

OSINT is often part of a pentest, but you could also become an OSINT specialist!


Check out The Ultimate OSINT collection by Hatless1der: https://start.me/p/DPYPMz/the-ultimate-osint-collection


BONUS: A 5 hours free course by TCM


More resources in comment



COMMENT: Follow OsintCurio.us! They share tons of articles about OSINT: https://osintcurio.us/


[𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 / 𝐏𝐄𝐍𝐓𝐄𝐒𝐓 - 𝐌𝐎𝐁𝐈𝐋𝐄 𝐀𝐏𝐏] 𝟐


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Today I will share resources for those who wish to learn more about 𝐌𝐨𝐛𝐢𝐥𝐞 𝐀𝐩𝐩 𝐏𝐞𝐧𝐭𝐞𝐬𝐭 and maybe specialize in it! 📱📱


[𝐓𝐇𝐄𝐎𝐑𝐘] Check out this great blog post on Hackthebox


[𝐏𝐑𝐀𝐂𝐓𝐈𝐂𝐄]


[𝐁𝐎𝐍𝐔𝐒] Check out Nahamsec resources for beginner bug bounty hunters on mobile App


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on mobile app pentest? Share them in the comment


COMMENT: Check out this course by ASecurity with Abraham Aranguren and John Hammond


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 / 𝗣𝗘𝗡𝗧𝗘𝗦𝗧 - 𝗖𝗟𝗢𝗨𝗗] 𝟯


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Today I will share resources for those who wish to learn more about 𝗖𝗟𝗢𝗨𝗗 Pentest and maybe specialize in it! ☁️☁️


Check out these methodologies on PayloadAllTheThings



[𝐁𝐎𝐍𝐔𝐒]

Checkout this Cloud Pentest CheatsSheets by dafthack


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on Cloud pentest? Share them in the comment


Comment

Check out this great blog post on Hackthebox


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 / 𝗣𝗘𝗡𝗧𝗘𝗦𝗧 - 𝗜𝗖𝗦] 𝟰

Want to specialize?

There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.

Today I will share resources for those who wish to learn more about 𝗜𝗖𝗦 (Industrial Control System) and maybe specialize in it!

Check out Robert M Lee’s Collection of Resources for Getting Started in ICS/SCADA Cybersecurity

https://www.robertmlee.org/a-collection-of-resources-for-getting-started-in-icsscada-cybersecurity/

[𝐁𝐎𝐍𝐔𝐒]

Check out John Hammond’s video on Attacking ICS Devices:

https://www.youtube.com/watch?v=1txnyN_3_zk&ab_channel=JohnHammond

Comment

Check out this comprehensive guide on Mission Secure

https://www.missionsecure.com/ot-cybersecurity



[FREE RESOURCES / REVERSE ENGINEERING]

👉 𝗥𝗲𝘃𝗲𝗿𝘀𝗲 𝗘𝗻𝗴𝗶𝗻𝗲𝗲𝗿𝗶𝗻𝗴

🌟 Reverse Engineering for Beginners by Ophir Harpaz


🌟 Reverse Engineering for Everyone by Kevin Thomas My Technotalent


🌟 Reverse Engineering for beginners by Dennis Yurichev (available in many languages)


🌟 Reverse Engineering 101 by 0x00 (with exercises)


👉 𝗠𝗮𝗹𝘄𝗮𝗿𝗲 𝗔𝗻𝗮𝗹𝘆𝘀𝗶𝘀

🌟 Malware Analysis In 5+ Hours - Full Course - Learn Practical Malware Analysis! by HuskyHacks


🌟 Malware Analysis – Mind Map by Thatintel


🌟 Malware Analysis Tutorials: a Reverse Engineering Approach by Dr Xiang Fu


👉 𝗔𝗺𝗮𝘇𝗶𝗻𝗴 𝗕𝗼𝗻𝘂𝘀

Malware Analysis and Reverse Engineering courses by DFIR Diva


[FREE RESOURCES / PURPLE TEAM] - 2

Pentesting can be at the intersection of several areas.

In this Series I will suggest some of these areas where having an understanding of pentesting can help you in your practice.


Check out this amazing study on Enterprise Purple Teaming by Xena Olsen, Ch33r10 https://github.com/ch33r10/EnterprisePurpleTeaming

Get the book Purple Teaming for dummies by Jonathan Relber Ben Opel Carl Wright for free here:

Check out this article by Scythe on why and how you can go purple https://www.scythe.io/library/actionable-purple-teaming-why-and-how-you-can-and-should-go-purple


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good resources on Purple Team? Share them in the comment



Comment


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 - 𝗖𝗬𝗕𝗘𝗥𝗦𝗘𝗖𝗨𝗥𝗜𝗧𝗬 𝗣𝗢𝗗𝗖𝗔𝗦𝗧𝗦 𝗔𝗡𝗗 𝗕𝗟𝗢𝗚𝗦]


A good way to have a more holistic approach to Cybersecurity is to listen to podcasts or to read blogs.

It is an entertaining way to learn and you get to hear about people in the industry from wherever you are!


Check out Phillip Wylie’s Podcast on ITSP Magazine “The Hacker Factory” here: https://www.itspmagazine.com/the-hacker-factory-podcast

And if you enjoyed why not voting for it for the European Cybersecurity Awards here: https://docs.google.com/forms/d/e/1FAIpQLSdNDzjvToMSq36YkIHQWwhma90SR0E9rLndflZ3Cu_gVI2Axw/viewform




You are more of a reader? 🤓 I’ve got your back! Check this great blog Security Queens

And guess what! You can also vote for them for the European Cybersecurity Awards!


Have a look at Daniel Miessler’s Blog: https://danielmiessler.com/


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other good blogs or podcast? Please share them in the comment!



Comment

Check out the Focal Point Podcast by Angela Marafino and Chantel Sims on ITSP Magazine here: https://www.itspmagazine.com/focal-point-podcast

Have a look at Your Cyber Path podcast: https://www.yourcyberpath.com/podcasts/

Check out the different shows on Hacker Valley: https://hackervalley.com/


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 - 𝗧𝗵𝗿𝗲𝗮𝘁 𝗺𝗼𝗱𝗲𝗹𝗶𝗻𝗴] - 𝟯


Pentesting can be at the intersection of several areas.

In this series I will suggest some of these areas where having an understanding of pentesting can help you in your practice.


Lately, we see more and more Threat modeling integrated with pentest processes.


Check out this session about threat modeling on Hackerone: https://www.hacker101.com/sessions/threat_modeling.html



[BONUS] Check out this list of Threat modeling resources on Infosec reference by Robert musser: https://rmusser.net/git/admin-2/Infosec_Reference/src/commit/d44538cb60d7d3ad64880feb45e05362382e550a/Draft/Threat%20Modeling.md


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources about Threat Modeling? Please share them in the comment!


Comment

Check out the Threat modeling manifesto here: https://www.threatmodelingmanifesto.org/


[FREE RESOURCES - Secure Code Review]


Want to specialize?


There are many options!

After mastering the fundamentals, basics, and sophisticated attacks, you can go further and find one or two specializations to give you more prospects in the job market.


Moreover, for white box pentest engagements you will have to do code review.


Check out this free introduction to Secure Code Review on Pentesterlab: https://pentesterlab.com/exercises/codereview/course


Check out this security training platform for devs: https://www.hacksplaining.com/


BONUS: Want to make a vulnerable PHP App? Check out this video by Wesley (The XSS Rat) Thijs https://youtu.be/e_dLSVpQy40


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources? Please share them in the comment


Comment

Check out Tanya Janca’s book Alice and Bob learn Application Security https://www.amazon.ca/Alice-Bob-Learn-Application-Security/dp/1119687357


[FREE RESOURCES - Cybersecurity Job hunting]


Finding a new position can be tricky.


Here are a few resources to help you out.


Check out this article by Jay Jay Davey on “How to use Linkedin”: https://www.linkedin.com/pulse/how-use-linkedin-jay-jay-davey-/



Get ready for your interview with these questions


BONUS: Optimize your resume here https://www.jobscan.co/ to get past the applicant tracking systems (ATS)


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources? Please share them in the comment


Comment

Check out this article on how to hack into a cyberse

curity career:


[𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 - 𝐀𝐏𝐈 𝐏𝐄𝐍𝐓𝐄𝐒𝐓]


APIs are a significant attack vector.


API attacks increased 𝟲𝟴𝟭% in the last 12 months, according* to Security Magazine

Want to sharpen your skills in API? Now is the time!


Check out MindAPI by David Sopas


Check out Hacking mHealth Apps and APIs on KnightTV with Alissa Valentina Knight


Check out this episode of OWASP DevSlop with Katie Paxton-Fear about API hacking for the Actually Pretty Inexperienced hacker


Want some practice?

Check out VAmPI

And here is vAPI


More resources in comment 👇👇


𝐒𝐇𝐀𝐑𝐄 - Do you know other resources? Please share them in the comment


[𝐅𝐫𝐞𝐞 𝐑𝐞𝐬𝐨𝐮𝐫𝐜𝐞𝐬 - 𝐂𝐨𝐧𝐟𝐞𝐫𝐞𝐧𝐜𝐞𝐬]


𝗪𝗛𝗬 𝗚𝗢 𝗧𝗢 𝗖𝗢𝗡𝗙𝗘𝗥𝗘𝗡𝗖𝗘𝗦?


These last days on LinkedIn's feeds, most of you read many posts about the RSA Conference.


Why is it so popular?


- Conferences are part of lifelong learning in Cybersecurity

- They keep you up to date and give you the latest trends in the industry

- You learn about the latest solutions

- You can hear about advanced topics

- It is an opportunity to do business or look for your next job opportunity


You do not need to spend a lot of money on it.

Indeed you can go to conferences near you like the chapters conference of Wicys, OWASP, BSides, Isaca, …


𝐂𝐡𝐞𝐜𝐤 𝐨𝐮𝐭 𝐭𝐡𝐞𝐬𝐞 𝐥𝐢𝐧𝐤𝐬 𝐭𝐨 𝐟𝐢𝐧𝐝 𝐲𝐨𝐮𝐫 𝐧𝐞𝐱𝐭 𝐜𝐨𝐧𝐟𝐞𝐫𝐞𝐧𝐜𝐞:


Do you master a topic? Give a talk about it, another way to attend a conference.


𝐂𝐡𝐞𝐜𝐤 𝐨𝐮𝐭 𝐭𝐡𝐞𝐬𝐞 𝐥𝐢𝐧𝐤𝐬 𝐭𝐨 𝐟𝐢𝐧𝐝 𝐭𝐡𝐞 𝐥𝐚𝐬𝐭 𝐨𝐩𝐞𝐧 𝐜𝐚𝐥𝐥 𝐟𝐨𝐫 𝐩𝐚𝐩𝐞𝐫𝐬:


Finally, Conferences are a great way to network and have fun.


𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 - 𝐂𝐋𝐎𝐔𝐃 𝐏𝐄𝐍𝐓𝐄𝐒𝐓]


In 2021 50% of corporate data where stored in the cloud according* to Statista


Want to learn on Cloud pentest?

See below


Familiarize yourself with the different technologies with this great list of free trainings: “Awesome Cloud Native Trainings” by Jose Adan Ortiz:


Check out this list of cloud pentesting resources from reconshell:


Check out Awesome Cloud Pentest by Joas Antonio https://lnkd.in/eqWe3KGn


See these Cloud Pentest Cheatsheet by Dafthack: https://lnkd.in/eKDGvzgx


Want some practice?

Check out TerraformGoat: https://lnkd.in/eHQagQJF by Selefra


BONUS: See the Google Cloud Platform chapter of my gitbook: https://lnkd.in/edanr38C



[𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 - 𝐖𝐄𝐁 𝐏𝐄𝐍𝐓𝐄𝐒𝐓]


Want to learn about Web pentesting? Check out these links


👉 Web Security Academy by PortSwigger: https://lnkd.in/eK7SmN6J

Couple it with Rana Khalil’s videos on Youtube where she explains plenty of labs step by step: https://lnkd.in/eggVnD9C


👉 Wesley Thijs XSSrat’s youtube channel where he has plenty of videos on web vulnerabilities: https://lnkd.in/eKaWezND


👉 The Pentesting Web Checklist on Pentest Book by six2dez


👉 And of course stay close to the standards with OWASP® Foundation Top 10: https://lnkd.in/eNy6kQ3f

🤫Psst! Did you know they have a list of Vulnerable Web Applications to practice on?

Yes! It’s here: https://lnkd.in/eyhmGJAr


[𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 - 𝐁𝐔𝐆 𝐁𝐎𝐔𝐍𝐓𝐘]


Want to get into Bug Bounty? Here is a list of resources


👉 A great introduction on how to get into bug bounty by Wesley Thijs xssrat


👉 A list of bug bounty platforms by Bughacking

👉 A list of bug bounty programs by vpnmentor:


👉 Want to apply to the Synack Red Team Artemis program?

An exclusive community open to security professionals who identify as women, trans and nonbinary people, and others who identify as a gender minority. See this link:


👉 Farah Hawa has a great video about bug bounty resources:


👉 The Bug Hunter Handbook by Gowthams


👉 A repo “AllAboutBugBounty” by daffainfo


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 / 𝗣𝗘𝗡𝗧𝗘𝗦𝗧 𝗥𝗘𝗣𝗢𝗥𝗧]


👉 𝗦𝘁𝗿𝘂𝗰𝘁𝘂𝗿𝗲 𝗼𝗳 𝗮 𝗽𝗲𝗻𝘁𝗲𝘀𝘁 𝗿𝗲𝗽𝗼𝗿𝘁

🌟My article on how to write a pentest report:

https://lnkd.in/eH92fT8Q


👉 𝗛𝗼𝘄 𝘁𝗼 𝘁𝗮𝗸𝗲 𝗻𝗼𝘁𝗲𝘀

🌟 Cherry Tree

https://lnkd.in/eqTjHYKi

🌟 Joplin

https://joplinapp.org/

🌟 Keepnote

http://keepnote.org/


👉 𝗧𝗶𝗽𝘀 𝗳𝗿𝗼𝗺 𝗘𝘅𝗽𝗲𝗿𝘁𝘀

🌟 Writing Tips for IT Professionals by Lenny Zeltser

https://lnkd.in/eMSiEpeZ

🌟 How to write a Penetration Testing Report by HackerSploit

https://lnkd.in/ekSu5vAp


👉 𝗔𝘂𝘁𝗼𝗺𝗮𝘁𝗶𝗼𝗻

🌟 Blackstone project by micro-joan

https://lnkd.in/eBSy58Ur

🌟 Pentext by Radically Open Security

https://lnkd.in/eNPhHHdx


👉 𝗘𝘅𝗮𝗺𝗽𝗹𝗲𝘀 𝗼𝗳 𝗿𝗲𝗽𝗼𝗿𝘁𝘀

🌟 A list of public pentest reports by juliocesarfort

https://lnkd.in/ebeJwVXQ

🌟 A list of bug bounty writeup on Pentester Land


[𝗙𝗥𝗘𝗘 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦 - 𝗣𝗘𝗡𝗧𝗘𝗦𝗧 𝗧𝗢𝗢𝗟𝗦]


There are many different tools for each phase of a pentest. But how to choose?

These resources can help you:


👉 See Rajneesh Gupta’s post about some of the Practical web Pentesting tools. He even share them according to the pentest steps:

https://lnkd.in/ei7R8gsx

🚨 Follow Rajneesh he offers amazing content 🚨


👉 You know the Nmap project? Well they have a list of the top 125 Network Security Tools:

https://sectools.org/


👉 You want Open Source?

✴️Julien Maury shared a Top 10 on eSecurity Planet:

https://lnkd.in/ezNgTvfF

✴️And SANS has a list of tools including plenty of pentest tools: https://lnkd.in/eHmusQYg


👉 Finally arch3rPro has an amazing amount of tools listed on github:


𝙂𝙤𝙫𝙚𝙧𝙣𝙖𝙣𝙘𝙚, 𝙍𝙞𝙨𝙠 𝙈𝙖𝙣𝙖𝙜𝙚𝙢𝙚𝙣𝙩, 𝙖𝙣𝙙 𝘾𝙤𝙢𝙥𝙡𝙞𝙖𝙣𝙘𝙚


👉 𝗪𝗵𝗮𝘁 𝗶𝘀 𝗚𝗥𝗖?

🌟 Introduction to GRC on Cyber Judo


🌟 What is GRC in Cybersecurity by 👉🏼 Gerald Auger, Ph.D.


👉 𝗟𝗲𝗮𝗿𝗻 𝗚𝗥𝗖

🌟 Course: GRC Analyst class by Gerald Auger on Simply Cyber


🌟 Course: The GRC approach to Managing Cybersecurity by Herbert J. Mattord on Coursera


🌟 Resources: Free resources that will help you break into GRC by Aron Lange


🌟 Resources: Awesome Security GRC by Arudjreis


👉 𝗦𝘁𝗮𝘆 𝗶𝗻𝗳𝗼𝗿𝗺𝗲𝗱

🌟 Newsletter: Security Decrypted by Aron Lange


[𝐅𝐑𝐄𝐄 𝐑𝐄𝐒𝐎𝐔𝐑𝐂𝐄𝐒 - 𝐌𝐀𝐋𝐖𝐀𝐑𝐄 𝐀𝐍𝐀𝐋𝐘𝐒𝐈𝐒]


👉 𝗪𝗢𝗥𝗞 𝗢𝗡 𝗧𝗛𝗘 𝗙𝗨𝗡𝗗𝗔𝗠𝗘𝗡𝗧𝗔𝗟𝗦

🌟 Architecture 1001: x86-64 Assembly on OpenSecurityTraining2 by Xeno Kovah


🌟 Learn C


🌟 Malware Analysis Fundamentals by MalwareAficionado


👉 𝗠𝗔𝗟𝗪𝗔𝗥𝗘 𝗔𝗡𝗔𝗟𝗬𝗦𝗜𝗦 𝟭𝟬𝟭&𝟮𝟬𝟭

🌟 How can you start learning Malware Analysis by Lenny Zeltser


🌟 Malware Analysis and Reverse Engineering Study Plan for Beginners by Alex Perotti


🌟 Malware Noob2Ninja Course by Neil Fox


🌟 Malware Analysis in 5+ Hours - Full Course - Learn Practical Malware Analysis by HuskyHacks


🌟 Malware Analysis Bootcamp by HackerSploit


👉 𝗧𝗢𝗢𝗟𝗦

🌟 5 steps to building a malware analysis toolkit using free tools by Lenny Zeltser


🌟 Malware Analysis Home-Lab v1.0 by Rajneesh Gupta


👉 𝗣𝗥𝗔𝗖𝗧𝗜𝗖𝗘

🌟 Malware Traffic Analysis by the community


🌟 Reverse Engineering for Beginners by Ophir Harpaz


🌟 BlueYard - BlueTeam Challenges


👉 𝗥𝗘𝗦𝗢𝗨𝗥𝗖𝗘𝗦

🌟 Awesome Malware and Reverse Engineering by Joas A Santos


🌟 Awesome Malware Analysis by rshipp


🌟 Cheat Sheet for Analyzing malicious software by Lenny Zeltser


🌟 Analyzing Malicious Documents Cheat Sheet by Lenny Zeltser


👉 𝗕𝗢𝗡𝗨𝗦: 𝗠𝗔𝗟𝗪𝗔𝗥𝗘 𝗗𝗘𝗩𝗘𝗟𝗢𝗣𝗠𝗘𝗡𝗧

🌟 Awesome Malware Development by rootkit-io


🌟 Malware Development par 1 of 9 by 0xPat

111 vues0 commentaire

Posts récents

Voir tout

Comentarios


bottom of page