List of InfoSec resources
I get this question a lot so I compiled a big list that I can just link people to directly.
Where to start?
- How to start hacking? The ultimate two path guide to information security. - /r/hacking
- LiveOverflow's YouTube channel
- Advice for young hackers. How to teach yourself
CTFs
If you are new, you should start with high school level and eventually level up to college level.
- https://ctftime.org - Find CTFs and write-ups
- https://picoctf.com/ (high school level)
- NSA Codebreaker challenge
- CSAW RED (high school level) - Formerly known as CSAW HSF
- CSAW CTF (college level)
- HackTheBox - I never did this, but it's popular
Binary Exploitation
- pwn.college - Guide written by Zardus and Adam Doupé, former organisers of DEF CON CTF
- Gatech SSLab CS 6265: InfoSec Lab - GREAT resource on intro to binex.
- how2heap - intro to glibc heap exploitation
- Dhaval Kapil's heap exploitation guide - intro to glibc heap exploitation. Slightly outdated but still good
- http://pwnable.tw/ - more pwnables
- https://microcorruption.com/login
- Extreme Vulnerable Driver - a vulnerable driver you can learn to pwn drivers with
- exploit.education - Learn exploit dev, binary analysis (Suggested by @gautammenghani, not vetted by me)
Game hacking and reversing
- Pointers for REAL dummies - This is how I finally understood pointers when I was 12 years old. GREAT guide and it will teach you about C and what memory is.
- Fl33p's CS:S bunnyhop hack tutorial (YT) - A bit outdated but this is what helped me finally understand how to use a debugger and Cheat Engine and Visual Studio. The explanations are not 100% accurate but most importantly it is really beginner friendly for noobs
- godbolt.org Compiler Explorer - Good to learn what code looks like when it gets compiled
- Reverse Engineering Stack Exchange - Good place to figure out how to do something in IDA Pro.
- osdev wiki - Has some outdated or inaccurate info, but usually a good starting point.
Smart contracts / blockchain
- The Auditooor Grindset
- ETHSecurity Telegram channel
Discord servers
Remember to be nice, don't be rude or annoying, etc. Act like an adult.
- Reverse Engineering discord - do NOT discuss game hacking in this Discord or you will be banned.
- Capture the Flag discord - CTF community
- Secret club public discord - Administered by Carl Schou and Derek Rynd.
- gynvael's server - administered by gynvael.
- Day0 podcast server - administered by zi and Specter.
- Awesome Fuzzing - fuzzing enthusiasts.
- Back.engineering server - administered by xeroxz.
- osdev server - I don't know this server, but it's popular.
Blogs (in no particular order)
- Google Project Zero blog - Cutting-edge vulnerability research.
- Secret Club - Syndicated publication on various innovative research on reverse engineering, esp. game hacking.
- Can Bölük's blog - Hypervisors, Windows internals, anticheats. He is a legendary reverse engineer
- Derek Rynd and Aidan Khoury's blog (revers.engineering) - Hypervisors, Windows internals, Anticheats. They are both way smarter than me
- Sinaei's blog - Hypervisor from scratch
- Orange Tsai's blog - Lots of cutting-edge research on a broad range of topics. He is totally an infosec legend
- Alex Ionescu and Yarden Shafir's blog - Windows internals, systems, kernel.
- Rolf Rolles' blog - Reverse engineering, program analysis, (de)obfuscation, IDA Pro
- back.engineering - Mainly xeroxz's blog but also features some syndicated articles.
- lcamtuf's blog - Fuzzing and systems.
- Halvarflake's blog - Various topics in systems and security.
- Trail of Bits blog - State-of-the-art research on cryptography, program analysis, bug hunting
- Bruce Dawson's blog - Systems, compilers, and performance.
- Travis Downs' blog - Systems, compilers, and performance.
- Krebs on Security - Mainstream InfoSec news.
- Bruce Schneier's blog - Cryptography and privacy news.
- Hex-Rays blog - Tips and tricks for IDA Pro
Other InfoSec newsletters, zines, and publications
- LWN - Linux internals
- /r/securityCreators/
- zSecurity Twitter
- Phrack magazine
Favorite Tools
I am a Windows user so I mainly use Windows tools. Sorry Linux users.
Must-have, essential tools
- Python 3 - hacker's best friend
- x64dbg - Windows userland debugger
- Process Hacker
- IDA Pro (or Ghidra) - disassembler
- HxD - hex editor
- Cheat Engine - memory hacking tool
- CFF Explorer - PE editor
- Windows Calculator, MSpaint, and notepad
- diffchecker.com
- CyberChef - data processing multitool
- Sublime Text
- Sysinternals suite
- mitmproxy
Other handy tools
- Wireshark
- WinDbg - for Windows kernel debugging
- Pestudio - PE dissector and triage tool
- ReClassEx - in-memory struct dissector
- 010 hex editor - fancier, but paid, hex editor. I don't use this often but it's popular
- JDA Java disassembler - for Java applications
- dnSpy - for .NET applications
- apktool - for Android shit
- java-deobfuscator - written by samczsun who is smart as hell
- de4dot - .NET deobfuscator
- Detect It Easy (DIE) - detect compiler and packers. I don't often use this since I can usually recognize them by experience
- Sage - for cryptography
- Proxifier - basically proxychains for Windows
- Krakatau - Good Java disassembler
Hex-Rays plugins
- HexRaysPyTools - must-have
- ClassInformer - RTTI parser (for Win32)
- ret-sync
- Labelless
- abyss
x64dbg plugins
- ScyllaHide - Anti-anti-debug
- xHotspots - Sometimes useful for reversing GUI shit
Lectures and slides
Reference materials
- Intel Manual volume 3 - They say that every question you have is answered somewhere in this book. The question is where to find it. And also how to understand it, since this shit is not easy nor fun to read. Sometimes if you ask some stupid question people will tell you to go read the Intel manual. It's an advanced way to tell people to fuck off.
- Hacker's Delight - bit hacking tricks, you see them used by compilers often. Division constants
- Dragon Book - popular compilers textbook
- SSA book - resource for advanced topics on static single assignment form in compilers