It’s important to establish a solid toolkit for any kind of security work. The list below is what we consider a good foundation for our members to start from, which you can build on as you get more experienced. Though we don't include links here, you can find most of these tools on Kali Linux (a VM every security practitioner should have) and on the Kali Linux tool site. You can also find all of these through Google, some are even already on your computer!
- Google Chrome
- Google Chrome Plugins
- SwitchySharp (Proxy Switcher)
- Burp Suite
- Shell commands : dig, whois, traceroute
Dissasemblers and Decompilers
- IDA Pro
- Java Decompiler
- Immunity Debugger
General Reverse Engineering
- Shell commands: strings, xxd, file
- PE Finder
- Sysinternals Suite
- Metasploit (general exploits)
- BeEF (browser exploitation)
- crackle (Bluetooth hacking)
- ShellNoob (shellcode utilities)
- Sublime Text 3
- Hex Workshop
- 010 Editor
- HexEdit (OS X)
- GHex (Linux)
- HxD (Windows)
- John the Ripper (Password/hash cracking)
- Hashcat (Password/hash cracking)
- Aircrack-ng (Wifi cracking)
- Ubuntu 12.04 x32 & x64
- Windows XP SP3 x32
- Windows 7 SP1 x64
- Kali Linux
- Python 2.7.X and pip
- VMWare or Virtualbox
Wargames are a set of challenges focused on a particular topic of programming or computer security, like network analysis or web exploitation. We would like to thank RPISEC for some of compiling these resources.
- EnigmaGroup - Has a wide selection of wargames. Notable are the multi-stage “realistic scenarios”.
- HackThisSite - Another wide selection. The ‘Basic’ and ‘ExtBasic’ challenges are good introductory material.
- OverTheWire - Has several very focused wargames, including:
- Bandit - A fun intro to the command line
- Natas - Website exploitation
- Krypton - Intro to Cryptography
- Semtex - Programming and networking challenges
- SmashTheStack - Binary exploitation, buffer overflows, disassembly and more fun
- MicroCorruption - Embedded security, assembly, and binary exploitation
- CryptoPals - Introduction to breaking cryptography
- Pwnable - More reverse engineering challenges
- W3Challs - Wide range of challenges and learing: "Hacking, "Cracking, Wargame, Forensic, Cryptography, Steganography and Programming"
- IO NetGarage - More reverse engineering challenges, harder than others
There are a number of vulnerable virtual machines that come bundled with all the tools, tutorials, and challenges necessary to start and get better at a wide range of security skills, from web exploitation to linux exploitation. We have listed some here. You will need VirtualBox or VMWare to run these.
- WebDojo - Has an array of different vulnerable websites built in that you can follow along tutorials while exploiting them.
- Gruyere A VM and web application that shows how web application vulnerabilities can be exploited and how to defend against these attacks. You get to do real penetration testing, actually exploiting a real application
- OWASP Broken Web Apps Project - A VM for exploring many broken web apps and learning about web security along the way.
- Protostar - Introduces in a friendly way, network programming, byte ordering, handling sockets, stack overflows, format strings, and heap overflows.
- Nebula - Takes the particpant through a variety of common (and less than common) weaknesses and vulnerabilities in Linux, including permissions, $PATH weaknesses, race conditions, SUID files, and more.