
Additional Resources

VPS

Details on the Metasploit PSExec module
https://community.rapid7.com/community/metasploit/blog/2013/03/09/psexec-demystified

15 Ways to bypass PowerShell Execution Policy
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Out-CHM blog post from nishang author “Nikhil SamratAshok Mittal”
http://www.labofapenetrationtester.com/2014_11_01_archive.html

Useful details around the Windows scheduled tasks used in Persistence.ps1
https://msdn.microsoft.com/en-us/library/windows/desktop/bb736357(v=vs.85).aspx

Local Linux Enumeration & Privilege Escalation Cheatsheet
https://www.rebootuser.com/?p=1623

Linux_Exploit_Suggester uses the operating system release version, or can be fine-tuned by manually providing the kernel version
https://github.com/PenturaLabs/Linux_Exploit_Suggester

Windows-Exploit-Suggester compares a target's patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.
https://github.com/GDSSecurity/Windows-Exploit-Suggester

Network Information Service wiki
https://en.wikipedia.org/wiki/Network_Information_Service

Linux NIS(YP)/NIS+ HowTo
http://www.linux-nis.org/nis-howto/HOWTO/NIS-HOWTO.html

FreeBSD NIS
https://www.freebsd.org/doc/handbook/network-nis.html

Distributed Computing Environment / Remote Procedure Call
https://en.wikipedia.org/wiki/DCE/RPC

In most cases you will want to shadow your passwords
http://www.tldp.org/HOWTO/Shadow-Password-HOWTO-2.html#ss2.2

SHA scheme for crypt
https://www.akkadia.org/drepper/SHA-crypt.txt

SHA-2
https://en.wikipedia.org/wiki/SHA-2

Some details around /etc/passwd and /etc/shadow

For a plethora of information on hardening and using SSH in creative ways
https://blog.binarymist.net/?s=ssh

SSH Connection and Encryption Process
https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process

SSH, The Secure Shell: The Definitive Guide, 2nd Edition

SSH Specification
https://tools.ietf.org/html/rfc4253

Notes on Cryptography Ciphers
http://rakhesh.com/infrastructure/notes-on-cryptography-ciphers-rsa-dsa-aes-rc4-ecc-ecdsa-sha-and-so-on/

An Overview of Cryptography
http://www.garykessler.net/library/crypto.html

Mounting partitions the right way
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s4.10

mount man page
http://man.he.net/man8/mount

Securing the mail service
http://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html#s5.6

Disabling daemon services
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s-disableserv

Run levels
https://www.debian.org/doc/debian-policy/ch-opersys.html#s-sysvinit

apt-get --purge remove exim4 exim4-base exim4-config exim4-daemon-light
http://stackoverflow.com/questions/12061358/how-to-cleanly-remove-exim4-mail-server-on-ubuntu

Running the minimum number of services required
http://www.debian.org/doc/manuals/securing-debian-howto/ch3.en.html#s3.6

System audit
http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/services.html#AUDIT

Securing the services that are left
https://www.debian.org/doc/manuals/securing-debian-howto/ch-sec-services.en.html

Which services do we really need
http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/services.html

Centralized logging makes everything better
https://medium.com/starting-up-security/learning-from-a-year-of-security-breaches-ed036ea05d9b#41e1

Logging and Alerting, where and what are the log files?
http://www.thegeekstuff.com/2011/08/linux-var-log-files/

Nagios Log Monitoring with Swatch
https://assets.nagios.com/downloads/nagiosxi/docs/Log_Monitoring_With_Swatch.pdf#_ga=1.228044821.985883814.1472695863

Simple Log Watcher examples
http://www.linux-mag.com/id/7807/

Simple Log Watcher man page
http://linux.die.net/man/1/swatch

Logwatch install, set-up, and using
https://www.digitalocean.com/community/tutorials/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps

The Debian Manuals have details on how to use and customise logcheck
https://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-custom-logcheck

Fail2ban source code
https://github.com/fail2ban/fail2ban/

Multitail example
https://www.howtoforge.com/monitoring-multiple-log-files-at-a-time-with-multitail-on-debian-lenny

Gentoo rsyslog wiki
https://wiki.gentoo.org/wiki/Rsyslog

Make sure you have reviewed who can write and read your logs and make any modifications necessary to the permissions.
http://www.tldp.org/HOWTO/Security-HOWTO/secure-prep.html#logs

killing processes
http://www.cyberciti.biz/faq/kill-process-in-linux-or-terminate-a-process-in-unix-or-linux-systems/

Unix signals
https://en.wikipedia.org/wiki/Unix_signal

Terse guide to systemd commands and some other quick-start information
https://wiki.archlinux.org/index.php/systemd

Tripwire tutorial
https://www.digitalocean.com/community/tutorials/how-to-use-tripwire-to-detect-server-intrusions-on-an-ubuntu-vps

TLDP Security HowTo
http://www.tldp.org/HOWTO/Security-HOWTO/

TLDP Security Quickstart
http://www.tldp.org/HOWTO/Security-Quickstart-HOWTO/

Securing Debian Howto
http://www.debian.org/doc/manuals/securing-debian-howto/index.en.html

Debian Security
http://www.debianhelp.co.uk/security.htm

Cisecurity has an excellent resource for hardening Docker images, which the Docker Security team helped with. This should be consulted in parallel with reading the Docker Countermeasures section.

I also conducted an interview called “Docker Security” for Software Engineering Radio, in which Docker Security Team Lead Diogo Monica appeared as guest and provided some excellent advice, opinions, and food for thought; be sure to listen to it.

Network Namespace source code
https://github.com/torvalds/linux/blob/master/net/core/net_namespace.c

IP-NETNS man page
http://man7.org/linux/man-pages/man8/ip-netns.8.html

Introducing Linux Network Namespaces
http://blog.scottlowe.org/2013/09/04/introducing-linux-network-namespaces/

Network namespaces
https://blogs.igalia.com/dpino/2016/04/10/network-namespaces/

docker network
https://docs.docker.com/engine/reference/commandline/network/

Namespaces in operation
https://lwn.net/Articles/580893/

dockerscan may be worth keeping an eye on for offensive testing
https://github.com/cr0hn/dockerscan

Docker SELinux Man Page
https://www.mankier.com/8/docker_selinux

Understanding and Hardening Linux Containers
https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-10pdf/

Increasing Attacker Cost using Immutable Infrastructure
https://diogomonica.com/2016/11/19/increasing-attacker-cost-using-immutable-infrastructure/

Diogo Monica on Mutual TLS
https://www.youtube.com/watch?v=apma_C24W58

Diogo Monica on Orchestrating Least Privilege

Comparison of secrets across orchestrators
https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d#.f6yba66ti

Description of how PKI automatically gets set up in swarm mode
https://docs.docker.com/engine/swarm/how-swarm-mode-works/pki/

Image signing, and why it is important
https://blog.docker.com/2015/08/content-trust-docker-1-8/

Docker security scanning (content integrity)
https://blog.docker.com/2016/05/docker-security-scanning/

Network

Top 10 Network Security Mistakes - #5: Lack of Segmentation
https://www.optiv.com/blog/top-10-network-security-mistakes-5-lack-of-segmentation

Database security
https://www.owasp.org/index.php/Configuration#Database_security

Dropbox Interview of James Cowling
http://www.se-radio.net/2017/03/se-radio-episode-285-james-cowling-on-dropboxs-distributed-storage-system/

DropSmack
https://media.blackhat.com/eu-13/briefings/Williams/bh-eu-13-dropsmack-jwilliams-slides.pdf

NS1 Using dig +trace
https://ns1.com/articles/using-dig-trace

Difference between Authoritative and Recursive DNS Nameservers by Chris Frost
https://umbrella.cisco.com/blog/blog/2014/07/16/difference-authoritative-recursive-dns-nameservers/

Comparison of DNS Server Types by Justin Ellingwood
https://www.digitalocean.com/community/tutorials/a-comparison-of-dns-server-types-how-to-choose-the-right-dns-configuration

DNS Steps in Detail
http://blog.catchpoint.com/2014/07/01/dns-lookup-domain-name-ip-address/

How long can my SPF record be
https://agari.zendesk.com/hc/en-us/articles/202952749-How-long-can-my-SPF-record-be-

Tunneling Data and Commands Over DNS to Bypass Firewalls by Lenny Zeltser
https://zeltser.com/c2-dns-tunneling/

Insufficient Logging - Internal Network System Logging
These resources, in order, were helpful for establishing a strategy for dealing with UDP as an unreliable and non-confidential transport
https://forums.freenas.org/index.php?threads/freenas-as-syslog-server.13145/
https://forums.freenas.org/index.php?threads/syslog-through-tcp-protocol.7112/
https://doc.pfsense.org/index.php/Copying_Logs_to_a_Remote_Host_with_Syslog

The ELK stack is also well worth considering
https://logz.io/blog/install-elk-stack-amazon-aws/

BSidesLV IDS talk
https://www.youtube.com/watch?v=iHRwAg8LQtI&feature=youtu.be

Top Free Network-Based Intrusion Detection Systems (IDS) for the Enterprise
https://www.upguard.com/articles/top-free-network-based-intrusion-detection-systems-ids-for-the-enterprise

Suricata-vs-snort
https://www.aldeid.com/wiki/Suricata-vs-snort

Defending against and mitigating ARP spoofing
http://www.jaringankita.com/blog/defense-arp-spoofing

FakeDNS
https://github.com/Crypt0s/FakeDns

Open Sender Policy Framework
http://www.openspf.org/

Wikipedia Sender Policy Framework (SPF)
https://en.wikipedia.org/wiki/Sender_Policy_Framework

Wikipedia DomainKeys Identified Mail (DKIM)
https://en.wikipedia.org/wiki/DomainKeys_Identified_Mail

tcp-over-websockets
https://github.com/derhuerst/tcp-over-websockets

chisel
https://github.com/jpillora/chisel

Dnscat documentation
https://wiki.skullsecurity.org/Dnscat

Cloud

Secrets out of Docker images
https://www.ctl.io/developers/blog/post/tutorial-protecting-sensitive-info-docker

Darkreading: 10 Password Managers For Business Use
https://www.darkreading.com/endpoint/10-password-managers-for-business-use/d/d-id/1322326

Using Vault with MySQL
https://dzone.com/articles/using-vault-with-mysql

Infrastructure Secret Management Overview
https://gist.github.com/binarymist/66206419df712bd738c3d664542157d8
Forked from maxvt.

Web Applications

OWASP canonical XSS resource
https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Hashcat rules based attack
http://hashcat.net/wiki/doku.php?id=rule_based_attack

Details that helped set up NodeJS logging:
https://gist.github.com/rtgibbons/7354879
https://thejsf.wordpress.com/2015/01/18/node-js-logging-with-winston/

Application logging to syslog server on another machine:
http://unix.stackexchange.com/questions/67250/where-does-rsyslog-keep-facility-local0

Or the new style configuration
http://www.rsyslog.com/doc/v8-stable/configuration/modules/imudp.html

Syslog compatible protocol severities
https://wiki.gentoo.org/wiki/Rsyslog#Severity

cr0hn nosqlinjection_wordlists
https://github.com/cr0hn/nosqlinjection_wordlists

Avoiding Command Injection in Node.js
https://blog.liftsecurity.io/2014/08/19/Avoid-Command-Injection-Node.js/

Server-Side JavaScript Injection
https://media.blackhat.com/bh-us-11/Sullivan/BH_US_11_Sullivan_Server_Side_WP.pdf

statsd source code
https://github.com/etsy/statsd/

One of the ways we can generate statistics for our statsd daemon is by using one of the many language-specific statsd clients
https://github.com/etsy/statsd/wiki#client-implementations

First statsd spec for metric types
https://github.com/b/statsd_spec/blob/master/README.md
Current, or at least more recent statsd spec for metric types
https://github.com/etsy/statsd/blob/master/docs/metric_types.md

Configuring Graphite for StatsD
https://github.com/etsy/statsd/blob/master/docs/graphite.md

StatsD, what it is and how it can help you
https://www.datadoghq.com/blog/statsd/

Podcast on WebComponents
http://webcomponents.org/

I would recommend NSubstitute instead if you were looking for a mocking framework for .NET.
http://blog.binarymist.net/2013/12/14/evaluation-of-net-mocking-libraries/

Information on how jQuery plugins plug in
https://learn.jquery.com/plugins/

jQuery Validation documentation
http://jqueryvalidation.org/documentation/

http://jqueryvalidation.org/validate

http://jqueryvalidation.org/jQuery.validator.addMethod

http://jqueryvalidation.org/rules

express-form
https://github.com/freewil/express-form

XSRF/CSRF Prevention in ASP.NET MVC and Web Pages is good for understanding CSRF
https://docs.microsoft.com/en-us/aspnet/mvc/overview/security/xsrfcsrf-prevention-in-aspnet-mvc-and-web-pages

OWASP CSRF
https://www.owasp.org/index.php/Top_10_2017-A8-Cross-Site_Request_Forgery_(CSRF)

Hacking XPath 2.0
https://media.blackhat.com/bh-eu-12/Siddharth/bh-eu-12-Siddharth-Xpath-WP.pdf

Recording and testing user time expenditure
http://www.smashingmagazine.com/2011/03/in-search-of-the-perfect-captcha/#recording-user-time-expenditure
http://stackoverflow.com/questions/8472/practical-non-image-based-captcha-approaches

Blowfish cipher
https://en.wikipedia.org/wiki/Blowfish_%28cipher%29

PBKDF2
https://en.wikipedia.org/wiki/PBKDF2

Key Derivation Function (KDF)
https://en.wikipedia.org/wiki/Key_derivation_function

bcrypt
https://en.wikipedia.org/wiki/Bcrypt

Cryptographic hash function: MD5, SHA1, SHA2, etc.
https://en.wikipedia.org/wiki/Cryptographic_hash_function

Key stretching
https://en.wikipedia.org/wiki/Key_stretching

scrypt
https://en.wikipedia.org/wiki/Scrypt

Good Password Hashing Functions
http://defencely.com/blog/do-you-rely-on-hashing-know-websec-cryptography-indepth/

bcrypt brute-forcing feasible on certain hardware
http://www.openwall.com/presentations/Passwords14-Energy-Efficient-Cracking/
http://www.openwall.com/presentations/Passwords13-Energy-Efficient-Cracking/Passwords13-Energy-Efficient-Cracking.pdf
https://www.usenix.org/system/files/conference/woot14/woot14-malvoni.pdf

Cooling the Xeon Phi
https://ssrb.github.io/hpc/2015/04/17/cooling-down-the-xeon-phi-sku31S1P/

Xeon Phi misconceptions
https://www.pugetsystems.com/labs/hpc/Top-5-Xeon-Phi-Misconceptions-508/

Password Cracking Strategy
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-2-cracking-strategy-0156491/

Securing Sessions via cookie attributes
https://www.owasp.org/index.php/HttpOnly

Justin Searls talk on consuming all the open source
http://blog.testdouble.com/posts/2014-12-02-the-social-coding-contract.html

Effecting Change
http://blog.binarymist.net/2013/06/22/ideas-for-more-effective-meetings-and-presentations/

Application Intrusion Detection and Response

Appsensor home
http://appsensor.org/

Sample Appsensor applications
https://github.com/jtmelton/appsensor/tree/master/sample-apps

Slide deck from John Melton (AppSensor project lead)
http://www.slideshare.net/jtmelton/appsensor-near-real-time-event-detection-and-response

Good podcast on OWASP 24/7 soundcloud
https://soundcloud.com/owasp-podcast/john-melton-and-the-owasp-appsensor-project

“Gaslighting with Honeypits and Mirages” at OWASP NZ Day 2017 by Kate Pearce demonstrated a collection of very useful techniques for programmatically wasting your attackers' time
https://www.owasp.org/index.php/OWASP_New_Zealand_Day_2017#tab=Presentation_Schedule

W3C Web Crypto API Update Slides from Ryan Sleevi
https://www.ietf.org/proceedings/86/slides/slides-86-saag-5.pdf

What’s wrong with in-browser cryptography. There is some great advice here, but I also don’t agree with some of it.
https://tonyarcieri.com/whats-wrong-with-webcrypto

Advice from cryptographer Matt Green to the W3C on the Web Cryptography API's failure
http://blog.cryptographyengineering.com/2012/12/the-anatomy-of-bad-idea.html