Additional Resources

Starting with the 30,000’ View

Rating of Threats

OWASP Threat Analysis
https://www.owasp.org/index.php/Application_Threat_Modeling#Threat_Analysis

OWASP Ranking of Threats
https://www.owasp.org/index.php/Application_Threat_Modeling#Ranking_of_Threats

Tooling Setup

Kali Linux package version tracking is useful for seeing what versions of tools are currently in the distribution.

TP-LINK TL-WN722N USB Wireless Adapter

  1. ath9k_htc Debian Module
  2. VirtualBox information around setting up the TL-WN722N
  3. TP-LINK TL-WN722N wiki
  4. Loading and unloading Linux Kernel Modules
  5. Kernel Module Blacklisting

Process

Useful Intelligence Gathering resource
http://www.pentest-standard.org/index.php/Intelligence_Gathering

NMap Idle Scan and Decoy Host

http://opensourceforu.efytimes.com/2010/08/nmap-basics/

Idle Scan docs https://nmap.org/book/idlescan.html

Man page is very good http://linux.die.net/man/1/nmap

NMap Script Categories
https://nmap.org/nsedoc/categories/default.html

NMap Scripting Engine
https://nmap.org/book/nse-usage.html

The Hacker Playbook 2 has a good example of how to use recon-ng

Useful New Zealand Web Resources for reconnaissance
Finding details on people: http://searchenginez.com/findpeople_newzealand.html
Finding details on companies: https://www.business.govt.nz/companies/

Firejail tips
http://forums.linuxmint.com/viewtopic.php?f=42&t=202735

Insight on where Qubes is going
http://theinvisiblethings.blogspot.co.nz/2013/03/introducing-qubes-odyssey-framework.html

The Operating System That Can Protect You even when you get hacked
https://micahflee.com/2014/04/the-operating-system-that-can-protect-you-even-if-you-get-hacked/

Offensive Exploitation tooling setup
For the Black Hat in a potentially hostile environment, one example of a machine configuration might be:
https://scottlinux.com/2015/09/01/use-kali-linux-through-tor-with-whonix-gateway/
on top of
https://www.whonix.org/wiki/Qubes

OpenSSL Heartbleed and Apple's Goto Fail could have been prevented if (S)TDD was used. Check out Mike Bland’s excellent study and POC
http://martinfowler.com/articles/testing-culture.html.

BSIMM has some good guidance on security testing
https://www.bsimm.com/online/ssdl/st/

NodeGoat Regression Testing with Zap
https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

Essentials for Creating and Maintaining a High Performance Development Team
http://blog.binarymist.net/2014/01/25/essentials-for-creating-and-maintaining-a-high-performance-development-team/

How to Increase Software Developer Productivity
https://speakerdeck.com/binarymist/how-to-increase-software-developer-productivity

Pair Programming Metrics from Fog Creek
http://discuss.fogcreek.com/joelonsoftware1/default.asp?cmd=show&ixPost=33575

People

Morale, Productivity and Engagement Killers: An excellent resource around motivation can be found in Chapter 11 of Steve McConnell’s excellent “Rapid Development” book.

Presentation I performed at AgileNZ 2014 around increasing developer productivity

Social Engineer website has a plethora of excellent resources.

Creating a Custom Wordlist with Crunch
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-4-creating-custom-wordlist-with-crunch-0156817/

Creating wordlists with crunch v3.0
http://adaywithtape.blogspot.co.nz/2011/05/creating-wordlists-with-crunch-v30.html

How to Use CUPP to Generate Password Lists
http://null-byte.wonderhowto.com/how-to/use-cupp-generate-password-lists-0162625/

Creating a Custom Wordlist with CeWL
http://null-byte.wonderhowto.com/how-to/hack-like-pro-crack-passwords-part-5-creating-custom-wordlist-with-cewl-0158855/

Target specific automated dictionary generation with WordHound
http://www.irongeek.com/i.php?page=videos/passwordscon2014/target-specific-automated-dictionary-generation-matt-marx

WordHound source code
https://bitbucket.org/mattinfosec/wordhound.git

Hydra source code
https://github.com/vanhauser-thc/thc-hydra

Medusa documentation

SMSspoofing information
http://www.smsspoofing.com/

Vishing scams under the heading “Examples”
http://www.social-engineer.org/framework/attack-vectors/vishing/

The Social Engineer’s Playbook by Jeremiah Talamantes has a collection of Vishing plays near the end of the book.

Phishing scams under the heading “Here are a few social engineering scams executed via phishing”
https://digitalguardian.com/blog/social-engineering-attacks-common-techniques-how-prevent-attack

The Social Engineer’s Playbook by Jeremiah Talamantes has a collection of spear phishing plays near the end of the book.

USB Rubber Ducky Home
http://usbrubberducky.com/

Rubber Ducky resources
http://usbrubberducky.com/#!resources.md

Rubber Ducky on github
https://github.com/hak5darren/USB-Rubber-Ducky/wiki

Rubber Ducky manual
https://docs.google.com/viewer?url=https%3A%2F%2Fducky-decode.googlecode.com%2Ffiles%2FThe%2520USB%2520Rubber%2520Ducky%2520Draft.doc

Rubber Ducky tutorials
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Tutorials

Ducky on hak5darren
https://github.com/hak5darren/USB-Rubber-Ducky/

Ducky on midnitesnake
https://github.com/midnitesnake/USB-Rubber-Ducky/

Online ducky toolkit
http://ducktoolkit-411.rhcloud.com/Home.jsp

Community payloads for ducky
https://github.com/hak5darren/USB-Rubber-Ducky/wiki/Payloads

Simple-Ducky on google code
https://code.google.com/p/simple-ducky-payload-generator/
Moving to github
https://github.com/skysploit/simple-ducky

Social Engineering Toolkit website, under Teensy USB HID Attack Vector has good information on using this device as a penetration testing tool
http://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/

The following books have been influential for me and the content from the People chapter should reflect that. They are very insightful and well worth the investment.

Tips on preparing for and carrying out exit interviews
http://www.businessballs.com/exitinterviews.htm
