OWASP Threat Analysis
https://www.owasp.org/index.php/Application_Threat_Modeling#Threat_Analysis
OWASP Ranking of Threats
https://www.owasp.org/index.php/Application_Threat_Modeling#Ranking_of_Threats
Kali Linux package version tracking is useful for seeing what versions of tools are currently in the distribution.
TP-LINK TL-WN722N USB Wireless Adapter
Useful Intelligence Gathering resource
http://www.pentest-standard.org/index.php/Intelligence_Gathering
NMap Idle Scan and Decoy Host
http://opensourceforu.efytimes.com/2010/08/nmap-basics/
Idle Scan docs https://nmap.org/book/idlescan.html
Man page is very good http://linux.die.net/man/1/nmap
NMap Script Categories
https://nmap.org/nsedoc/categories/default.html
NMap Scripting Engine
https://nmap.org/book/nse-usage.html
The Hacker Playbook 2 has a good example of how to use recon-ng
Useful New Zealand Web Resources for reconnaissance
Finding details on people: http://searchenginez.com/findpeople_newzealand.html
Finding details on companies: https://www.business.govt.nz/companies/
Firejail tips
http://forums.linuxmint.com/viewtopic.php?f=42&t=202735
Insight on where Qubes is going
http://theinvisiblethings.blogspot.co.nz/2013/03/introducing-qubes-odyssey-framework.html
The Operating System That Can Protect You even when you get hacked
https://micahflee.com/2014/04/the-operating-system-that-can-protect-you-even-if-you-get-hacked/
Offensive Exploitation tooling setup
For the Black Hat in a potentially hostile environment, one example of a machine configuration might be:
https://scottlinux.com/2015/09/01/use-kali-linux-through-tor-with-whonix-gateway/
on top of
https://www.whonix.org/wiki/Qubes
OpenSSL Heartbleed and Apple’s Goto Fail could have been prevented if (S)TDD was used. Check out Mike Bland’s excellent study and POC
http://martinfowler.com/articles/testing-culture.html.
BSIMM has some good guidance on security testing
https://www.bsimm.com/online/ssdl/st/
NodeGoat Regression Testing with Zap
https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
Essentials for Creating and Maintaining a High Performance Development Team
http://blog.binarymist.net/2014/01/25/essentials-for-creating-and-maintaining-a-high-performance-development-team/
How to Increase Software Developer Productivity
https://speakerdeck.com/binarymist/how-to-increase-software-developer-productivity
Pair Programming Metrics from Fog Creek
http://discuss.fogcreek.com/joelonsoftware1/default.asp?cmd=show&ixPost=33575
Morale, Productivity and Engagement Killers: An excellent resource around motivation can be found in Chapter 11 of Steve McConnell’s excellent “Rapid Development” book.
Presentation I performed at AgileNZ 2014 around increasing developer productivity
Social Engineer website has a plethora of excellent resources.
Creating a Custom Wordlist with Crunch
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/
Creating wordlists with crunch v3.0
http://adaywithtape.blogspot.co.nz/2011/05/creating-wordlists-with-crunch-v30.html
How to Use CUPP to Generate Password Lists
http://null-byte.wonderhowto.com/how-to/use-cupp-generate-password-lists-0162625/
Creating a Custom Wordlist with CeWL
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-5-creating-custom-wordlist-with-cewl-0158855/
Target specific automated dictionary generation with WordHound
http://www.irongeek.com/i.php?page=videos/passwordscon2014/target-specific-automated-dictionary-generation-matt-marx
WordHound source code
https://bitbucket.org/mattinfosec/wordhound.git
Hydra source code
https://github.com/vanhauser-thc/thc-hydra
Medusa documentation
SMSspoofing information
http://www.smsspoofing.com/
Vishing scams under the heading “Examples”
http://www.social-engineer.org/framework/attack-vectors/vishing/
The Social Engineer’s Playbook by Jeremiah Talamantes has a collection of Vishing plays near the end of the book.
Phishing scams under the heading “Here are a few social engineering scams executed via phishing”
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack
The Social Engineer’s Playbook by Jeremiah Talamantes has a collection of spear phishing plays near the end of the book.
USB Rubber Ducky Home
http://usbrubberducky.com/
Rubber Ducky resources
http://usbrubberducky.com/#!resources.md
Rubber Ducky on github
https://github.com/hak5darren/USB-Rubber-Ducky/wiki
Rubber Ducky manual
https://docs.google.com/viewer?url=https%3A%2F%2Fducky-decode.googlecode.com%2Ffiles%2FThe%2520USB%2520Rubber%2520Ducky%2520Draft.doc
Rubber Ducky tutorials
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Tutorials
Ducky on hak5darren
https://github.com/hak5darren/USB-Rubber-Ducky/
Ducky on midnitesnake
https://github.com/midnitesnake/USB-Rubber-Ducky/
Online ducky toolkit
http://ducktoolkit-411.rhcloud.com/Home.jsp
Community payloads for ducky
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads
Simple-Ducky on google code
https://code.google.com/p/simple-ducky-payload-generator/
Moving to github
https://github.com/skysploit/simple-ducky
Social Engineering Toolkit website, under Teensy USB HID Attack Vector has good information on using this device as a penetration testing tool
http://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/
The following books have been influential for me and the content from the People chapter should reflect that. They are very insightful and well worth the investment.
Tips on preparing for and carrying out exit interviews
http://www.businessballs.com/exitinterviews.htm