A compilation of all I have done in Cybersecurity.
From CTFs, Interview Prep, to helpful online resources
I want this repository to be a hub of resources. I've often run into an issue when working on a CTF problem, or preparing for an interview, or tackling a box, where I have to look up what tool would be the best to use and sometimes there are those annoying Steg challenges that require you to know certain tools to get the flag.
When I was also preparing for an interview, there was no specific structure for Cybersecurity Interviews, so I want this repo to be a resource for anyone preparing for interviews or a quick read on some topics.
I'm also going to organize the interviews and those experiences by company because each MAANG company has its own unique way of interviewing.
Security Engineers have no structure for interviews. While the official title could be a Security Engineer, you need to study and prepare for multiple aspects during the interview. When compared to SWE interviews, you can grind LeetCode, study system design, and land the job, but for us, it's a different story.
I am not saying that SWE interviews are easy but there are clear benchmarks for Software Devs than for security engineers, and there are many aspects that a security engineer needs to know and prepare for during an interview.
- OSINT
- Forensics
- Web Application
- Cloud Security
- Reverse Engineering
- Cryptography
- Threat Detection
- Bug Bounty
- Cybersecurity Pathways/Roadmaps
- Books to Read
- Exploits
- Threat Modeling
- Interview Experiences
- Platforms to Upskill
- Amazing Research-Papers
- List of Cheatsheets
- Online tools for CTF
- Resources from Reddit and more
- CTI
A curated list of GitHub Repositories full of FREE Resources.
WhatsMyName Web Incredible way to find someone if you know their username or have their username from a platform.
OSINT Framework Helps you visualize how to use OSINT to track/build a profile on someone
Sourcing Games This site helps you pratice and learn with challenges that can help you build OSINT skills.
Data Broker Sites This article I think is a MUST read to understand why having your personal information out in the open is bad.
OWASP Favicon DB Recon tools like Shodan, FOFA, and Censys use favicon hashes to quickly identify web services.
Certificate Search Ever curious to learn more about a certificate about a website? Fear not, as this site will helps you look at the nitty gritty details about a certificate, one of the ways I use it is take the hash of that certificate and click search
Reverse Image Search This was incredibly helpful before google added the reverse image search but it can still come in handy.
Name Checker Trying to learn where a username is available and being used, this can serve as a unique way to peek into where a person may be using the same username
Shodan Imagine if you could go to a website and learn about it's IP, ports, and services that are open. Now what if you can also see the vulns that exist on that website. Yeah, that's shodan. There's also an extension available for it.
Censys Search Engine Just like shodan but better in my opinion
WappAlyzer An extension that helps you learn what frameworks, and how the site is built. The extension comes in very handy.
AbuseIPDB AbuseIPDB is a project dedicated to helping combat the spread of hackers, spammers, and abusive activity on the internet. You can report an IP address associated with malicious activity, or check to see if an IP address has been reported
OSINT4ALL aims to provide practical & easy OSINT toolkit for researchers of all level to use.
Wigle.net Information about all SSIDs that are found by war drivers.
-
StegOnline Runs a couple of CTF checklist from different images
-
AperiSolve Aperi'Solve is an online platform which performs layer analysis on image. The platform also uses zsteg, steghide, outguess, exiftool, binwalk, foremost and strings for deeper steganography analysis. The platform supports the following images format: .png, .jpg, .gif, .bmp, .jpeg, .jfif, .jpe, .tiff...
-
How does SSL/TLS Cert work?
-
- User Creates his own Certificate Authority (rootCA and CA private key)
-
- Generate Server Private Key
-
- Use Server Private Key to Create CSR (Certificate Signing Request) with required info
-
- Use CSR and CA certs to generate SSL
-
- Use self signed certificate with the application
-
- Install user rootCA in browser or OS
-
-
HTTPS, SSL, TLS & CA Explained This is a god tier explanation of how HTTPS works and why we need certificates
-
PenTester Lab Learn by exploiting real-world CVEs and analyzing vulnerabilities at the code level.
-
PortSwigger Academy
-
OWASP Juice Shop
-
A guide on SSRF
-
SQLMap for SQL Injections
-
PicoCTF I practiced a ton of Web Exp here but there's other categories as well!
Awesome Cloud Security Repo A curated list of awesome cloud security related resources.
Cloud Security LabsA list of free cloud native security learning labs. Includes CTF, self-hosted workshops, guided vulnerability labs, and research labs.
Repo with RE Resources This is a collection of resources focused towards Reverse Engineering, it includes, books, challenges, dissassemblers, and many more cool stuff
RE CTF A list of beginner friendly reverse engineering CTF challenges to start off with reverse engineering tools and techniques
Add some Binary Exploitation resources here
- Cipher Identifier and AnalyzerStuck with a cipher or cryptogram? This tool will help you identify the type of cipher, as well as give you information about possibly useful tools to solve it.
- DCode Cipher Identifier There's tons of tools available on D Code as well but they also have a nice cipher identifier
Awesome Threat Detection I found this repository that goes into the deep end of threat detection.
Bug Bounty Repo This repo focuses on resources that anyone wants to dive in on how to get started with Big Bounty, very beginner friendly
There's a HackTheBox Pathway as well
HackerOne Bug Bounty
-
Cyber Career Pathways Tool This tool presents a new and interactive way to explore the updated work roles within the Workforce Framework for Cybersecurity (NICE Framework). It depicts the Cyber Workforce according to five distinct, yet complementary, skill communities. It also highlights core attributes among each of the 52 work roles and offers actionable insights for employers, professionals, and those considering a career in Cyber.
-
Security Certification Roadmap by Paul Jerimy This can look a little overwhelming but it's a great resource on finding a domain of cybersecurity that you are interested in an understand where it stands and the cost of getting that cert.
-
TCM Security This will take you to a Ethical Hacking course by TCM but have heard good things about it and it's less expensive than SANS, especially PJPT is one of their famous certs to get.
-
CS 50 by Harvard This is the online course of Intro to Cybersecurity by Harvard. Course presents both high-level and low-level examples of threats, providing students with all they need know technically to understand both. Assignments inspired by real-world events.
- Book Reviews I am not aware of how the decision gets made but Ohio State University has this site where there are always interesting and fun books to read
- [ExploitDB] (https://www.exploit-db.com/) Need an exploit? Search the service and it's version. Tons of great scripts to exploit a vulnerability.
- Excellent talk on "Defense Against the Dark Arts" by Lilly Ryan (contains many Harry Potter spoilers)
Apply your Coding Knowledge Series
Applying CS Skills Course by Google
-
HackTheBox
-
TryHackMe
-
HackerOne
-
PicoCTF
-
OverTheWire
A list of research papers that I think are cool and a must read
Blue Team Cheatsheet
Nmap Cheatsheet
Red Team Cheatsheet
-
Password Cracking Tools
- Hashes.com
- Hash Analyzer
- Hash Analyzer by Hashes.com
- NTLM Encrypt & Decrypt
- Crackstation
- Hash Identifier Your own cli tool to help you identify hashes
-
Password Wordlists Weakpass.com is a collection of password lists for various purposes from penetration testing to improving password security.
-
SecLists More Password Wordlists
-
WPScan Need to scan a WordPress Site for Vulns, fear not for WPScan targets common vulns present in WP sites.
-
LinPeas Enumerate a Linux Box for vulnerabilties and then you can either harden them or exploit them
-
WinPeas Enumerate a Windows Box for vulnerabilties and then you can either harden them or exploit them
-
Payloads of All Things Check out the other lists as well, there's so much useful content here
-
SysMon This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing. The file should function as a great starting point for system change monitoring in a self-contained and accessible package. This configuration and results should give you a good idea of what's possible for Sysmon. Note that this does not track things like authentication and other Windows events that are also vital for incident investigation.
-
GTFOBins GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. The project collects legitimate functions of Unix binaries that can be abused to get the f**k break out restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate the other post-exploitation tasks.
-
[DenCode] (https://dencode.com/en/) Tons of encoding and decoding tools
-
JWT Decode Paste a JWT below that you'd like to decode, validate, and verify.
-
HTTP Security Headers Scans for missing security headers by Snyk
-
Quip Quip Runs frquency analysis on ciphers and quipqiup is a fast and automated cryptogram solver by Edwin Olson.
-
XSS Hunter Express A tool to find XSS vulns
-
Interview Study Notes by Nolang on GitHub. I have borrowed the idea of notes, while this repo by nolang talks about what helped them prepare for interview. I want to take this a step further. I WOULD HIGHLY SUGGEST going through this as there might be some overlap for concepts but that repo goes into more detail than mine will.
-
Security Engineer Interviews at MAANG This is another good read to get an insight as they did multiple on-site interviews at big tech companies.
-
RegEx Learn RegEx in a fun way, this comes very handy when you are working on bash, powershell, or Python Scripts
-
Piping Understand how piping actually works in terminal
-
ICS/OT Youtube Channel There are some really cool videos on ICS if anyone is interested
-
DNS Dumpster DNSDumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.
-
Awesome Annual Reports This list aims to cut through the noise by providing a vendor-neutral resource for the latest security trends, tools, and partnerships. It curates information from trusted sources, making it easier for security leaders to make informed decisions.
-
Hacking Google This is a YouTube series about Google and gives a good insight on how the security works at Google and the big major teams at Google
-
TCP Handshake This video for me personally does a really good explantation on what happens during the three-way handshake and it also goes into the Wireshark pcap at the end to see it in action.
-
Networking Tutorial Playlist A great playlist to get information and cover a lot of information on what you need to know about networks as you get started
-
Podcasts
- Darknet Diaries
- Shared Secrets
-
CTF Time You can always find an online CTF to participate and upskill
-
DFIR Report Real Intrusions by Real Attackers, The Truth Behind the Intrusion
-
[DNSSec] (https://howdnssec.works/) How DNSSEC works
-
Cyber Defenders Blue Team Traning Platform for SOC and DFIR