Hacker News new | past | comments | ask | show | jobs | submit login
Penetration Testing Tools Cheat Sheet (highon.coffee)
530 points by adamnemecek on June 25, 2016 | hide | past | favorite | 30 comments

A couple of more security tools:

https://github.com/BinaryDefense/artillery - The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.

https://github.com/trustedsec/social-engineer-toolkit - The Social-Engineer Toolkit (SET) repository from TrustedSec

This cheat sheet shows what a lot of rookies don't understand, pentesting requires knowledge of the same systems and services as that which any linux sysadmin has.

It's amusing to me because I often see people wanting to be hackers, applying for IT-security classes or ethical hacking classes thinking there's a magic education they can take to become a hacker.

When in reality they need the same skills as any good linux sysadmin, understanding protocols, understanding services, and being able to google well in english.

> When in reality they need the same skills as any good linux sysadmin, understanding protocols, understanding services, and being able to google well in english.

It requires much more. The most important being an intrinsic desire to break things. Persistence is another. Understanding of underlying tech and stuff follows.

Oh absolutely, but I file that under character and not technical experience.

You need a character that does not give up and enjoys breaking things apart.

Specifically what's bothered me for many years is people who apply to classes to become hackers, thinking there's a type of certification that will allow them to call themselves hackers. It's become much more popular and romantic lately.

> It requires much more. The most important being an intrinsic desire to break things. Persistence is another.

How do you think most of us learned sysadmin ?

Zdziarski's "iOS Forensic Investigative Methods"[0] is a free eBook which can be helpful if you're interested in native penetration testing.

[0]: http://www.zdziarski.com/blog/?p=2287

The one I've used for 3 years counting:


Its the Pluralsight / Lynda.com but for Computer Security.

Looks cool. Wish you didn't have to pay $100 each time you restarted and the PayPal and email cancelation is not anything I would trust sadly. Just seems to risky for a "well we didn't get your cancelation, sorry" situation.

Does anyone have a recommendation for resources to learn more about (ethical) hacking and penetration testing? I have some knowledge of common web vulnerabilities like XSS, CSRF, SQL injection, etc, but have very little knowledge of networking and how networks and systems are actually attacked.

For example, this course [0] looked great, but I found that it wasn't quite right for me. (Assumed I knew things I didn't, focus was sometimes off-topic, etc.) Any better recommendations?

[0]: https://www.cybrary.it/course/ethical-hacking/

Check out this

https://lab.pentestit.ru and https://www.reddit.com/r/securityCTF and https://pentesterlab.com/bootcamp

Idk if this is what you are looking for.

Here's an example of a write up for one of the labs https://lab.pentestit.ru/docs/TL8_WU_en.pdf

Thanks for the cybrary link, I didn't know about it, and it seems very interesting. The specific course you linked to is one of the "advanced" courses however, so if that course assumes knowledge you don't have, maybe you should check out some of their beginner courses as well. https://www.cybrary.it/coursecatalog/

As for the focus being off-topic, I guess that depends in part on where your focus lies. As an embedded developer, everything that's web (XSS, phishing, etc) isn't all that interesting to me, personally. But it is to other people.

Another interesting course is FSU's offensive computer security : https://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/le...

http://pentesteracademy.com/topics - used it for 3 years. happy customer!

Does anyone actually refer to a "cheatsheet" when they are hacking? Or do they just use Google? It makes me laugh to think someone has some of this stuff printed by their desk for an emergency. For example, "gcc -o exploit exploit.c".

Also, this looks like a ripoff of http://www.amazon.com/Rtfm-Red-Team-Field-Manual/dp/14942955....

I am not a metasploit ninja, my job is mostly in design and defending systems. However, on occasion I'll need to demonstrate a pivot or exploit a common vuln to make a point to a DEV team. I might bust out the cheatsheet because that tool isn't I my muscle memory.

I am not a pen tester, but I love paper cheat sheets on my desk. Currently: gdb, emacs, bash, operator precedance in C, register names/use in x86.

As recently as a few years ago I had a VI cheatsheet taped to my cubicle. For quick go-to commands when you're forgetful, things like this can be handy.

Shameless plug: to run multiple of such security tools at once (nmap, openvas, nikto, etc) I've created https://gauntlet.io -- it's free for few days, but soon won't have such limit.

Is this a different product than http://gauntlt.org ?

Definitely the possibility for brand confusion on security software tools. Something to consider before you go live.

The idea is similar, but the implementation differs a lot: Gauntlt is a gem that will help you run multiple scanners, but won't extend scanner capabilities such as controlling the speed, add custom headers, etc. That's what Gauntlet does, including issue management on the interface for you to classify, notify people, build teams around applications and much more, without needing to know how to configure any of such tools. Gauntlt requires you to host it and Gauntlet is a SaaS. One of the reasons to be a SaaS is to reduce the complexity of running scanners. Of course, the name is almost the same, thanks for pointing out, although it have a reason. The name Gauntlet comes from physical punishment (https://en.wikipedia.org/wiki/Running_the_gauntlet) and it's like an app being 'punished' by multiple scanners. And as far as I know Gauntlt doesn't seem to be that active. And as I dug into it, I can tell: there are many things to do in order to make all scanners work together. It's more complex than it looks. But, anyway, thank you for pointing out.

Anyone has recommendation for companies providing pentest services?

Lyonlim, Couldn't find an email in your profile. Feel free to send me an email (in profile) if you wanted to explore this more.

Is kali linux still considered the best out of the box pen-testing env? I played around with it a few years ago and always have wanted to get back into it.

Out of the box, yes. If you want to have a bit of control/knowing exactly what tools exist then I recommend:



But, those sets of tools don't focus on "pentesting", so much as they do on analysis, and exploitation.


How does one with the requisite skills get a job as a penetration tester? I don’t often see companies hiring for the role.

They don't advertise the roles as regularly as other sectors of IT because they're hard to hire for. A lot of the hiring is word-of-mouth or promoting a developer internally who has infosec interest into the role, or hiring freelancers / outside companies.

It is a sector suited to freelance roles and contracting, or working for a consulting firm in a fulltime capacity.

Build up an online profile on your own website. It can take the form of a blog or just a simple web page with a bio and some published articles/papers.

Mention on your website that you're available for hire, where you are and what type of work you do.

Write some blog posts (anywhere from 2-3 a month or even 2-3 a year if they're a bit longer form), establish specialities that you are good at, produce conference talks and pitch them at CFP's and go and speak at conferences, submit your posts and websites on reddit, here on HN etc.

You'll start getting cold approaches (I average around 3 after every blog post) and you'll have somewhere to point the companies you approach to.

You'll meet people at conferences who want to hire you.

To find companies to approach, find vulnerabilities and send them a note or participate in bug bounty programs. You can also approach companies who have recently been in the news with security issues, or those you find on Twitter where users or other infosec ppl are reporting issues on social networks .

A lot of companies hit a wall when they experience a security incident and they're not sure what to do, who to call or who to hire - so they're very open to hiring contractors to organize that or bringing in their first fulltime infosec hire.

To get the top-end research roles at the big co's you really need to produce good research and you'll be headhunted.

Try to be specific in terms of both specialities and sectors you deal with. If you decide on freelancing, use your first couple of clients as references for potential new clients and ask associated, customers, etc. to refer you other work.

This is helpful. Thank you.

gcc -o exploit exploit.c

the cheat sheet should mention where to find exploit.c


you write it.

I really want to know who can write exploit code in C, but needs a cheat sheet to invoke the compiler.

Also, I always preferred "make exploit" for that. It's just very ... to the point.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact