Вопрос к ребятам кто учился и выпустился на ИБ специальностях в российских ВУЗах за крайние 15 лет. Много ли ваших однокурсников занимаются кибербезом, работают по профилю обучения?
Anonymous Poll
5%
Все работают, все 100% выпуска
9%
50% или половина от всех
14%
25% - 30% от выпуска
19%
Не больше 10%, их единицы
9%
1% (один, два, три человека с выпуска)
3%
0% или вообще никто
36%
Не знаю, смотреть результаты
5%
Свой вариант (пиши в чат)
🤷♂8🤔6👍2❤1😁1
Custom noscript (python) for easy, basic pattern, low difficult automated penetration test, w2hack, 2020/2025
This project is a Python-based automated penetration testing tool designed to streamline the process of assessing the security of a target system. The noscript performs various tasks, including (1) information gathering, (2) reconnaissance, (3) discovery and scanning, (4) vulnerability assessment, (5) exploitation if possible, and final (6) analysis (reporting). It integrates multiple tools to automate the scanning and testing process, making it easier for security professionals to identify and exploit vulnerabilities.
Features
✅ Update CVE Database: Fetches the latest Common Vulnerabilities and Exposures (CVE) from an API for use in vulnerability assessment.
✅ Information Gathering: Collects basic information about the target using tools like whois, nslookup, dig, etc.
✅ Reconnaissance: Uses nmap and nikto (optional) to discover services and potential vulnerabilities.
✅ Discovery and Scanning: Performs a full port scan using nmap and a directory brute-force attack using dirb.
✅ Vulnerability Assessment: Evaluates the target against known CVEs using nmap noscripts and performs an OWASP ZAP scan (web app only).
✅ Exploitation: Attempts to exploit discovered vulnerabilities using msfconsole and brute-force attacks with hydra.
✅ Final Analysis and Review: Reviews the collected data, analyzes open ports and services, and summarizes the findings.
✅ Report: Compiles the results into a comprehensive report for further analysis (auto coloring, etc).
Requirements
❗️ Various external tools like whois, nslookup, dig, fierce, nmap, nikto, dirb, msfconsole, hydra, and zap-cli (w3af) should be installed before run the noscript ❗️
⬇️ GitHub
#tools #pentest
This project is a Python-based automated penetration testing tool designed to streamline the process of assessing the security of a target system. The noscript performs various tasks, including (1) information gathering, (2) reconnaissance, (3) discovery and scanning, (4) vulnerability assessment, (5) exploitation if possible, and final (6) analysis (reporting). It integrates multiple tools to automate the scanning and testing process, making it easier for security professionals to identify and exploit vulnerabilities.
Features
✅ Update CVE Database: Fetches the latest Common Vulnerabilities and Exposures (CVE) from an API for use in vulnerability assessment.
✅ Information Gathering: Collects basic information about the target using tools like whois, nslookup, dig, etc.
✅ Reconnaissance: Uses nmap and nikto (optional) to discover services and potential vulnerabilities.
✅ Discovery and Scanning: Performs a full port scan using nmap and a directory brute-force attack using dirb.
✅ Vulnerability Assessment: Evaluates the target against known CVEs using nmap noscripts and performs an OWASP ZAP scan (web app only).
✅ Exploitation: Attempts to exploit discovered vulnerabilities using msfconsole and brute-force attacks with hydra.
✅ Final Analysis and Review: Reviews the collected data, analyzes open ports and services, and summarizes the findings.
✅ Report: Compiles the results into a comprehensive report for further analysis (auto coloring, etc).
Requirements
Python 3.x + requests library
BeautifulSoup4 library
subprocess library
# Installation
Clone this repository \ unpack the tar
git clone https://github.com/D3One/Automated-Penetration-Testing-Script_v1.git
cd automated-penetration-testing_v1
# Install the required Python libraries:
sudo pip install -r requirements.txt
# Ensure that all the external tools (whois, nmap, etc.) are installed and accessible in your system's PATH.
sudo apt-get install whois dnsutils fierce nmap nikto dirb hydra zaproxy
# Usage
Run the noscript:
python scanner.py
Enter the target IP address or domain when prompted.
enjoy it! :)
#tools #pentest
Please open Telegram to view this post
VIEW IN TELEGRAM
❤4🔥3👍1
simple_automated_pentest_basic_pattern__ver1.1_[w2hack].py
5.6 KB
Custom noscript (python) for easy, basic pattern, low difficult automated penetration test, w2hack, 2020/2025
❤6
Tactics, Techniques, and Procedures by FreeZeroDays, 2021/2025
My big mess of offensive security notes and miscellaneous resources.
In similar fashion to other resources of this nature, all commands documented have been manually verified as working and l33t at the time of documentation.
This was inspired by both snovvcrash and sneakerhax's offensive note collections. I highly recommend checking them out if you're looking for additional resources!
🧑🎓 GitHub
🧑🎓 GitBook
See also:
Pentester Tactics, Techniques, and Procedures TTPs by Chris Traynor
#pentest
My big mess of offensive security notes and miscellaneous resources.
In similar fashion to other resources of this nature, all commands documented have been manually verified as working and l33t at the time of documentation.
This was inspired by both snovvcrash and sneakerhax's offensive note collections. I highly recommend checking them out if you're looking for additional resources!
See also:
Pentester Tactics, Techniques, and Procedures TTPs by Chris Traynor
#pentest
Please open Telegram to view this post
VIEW IN TELEGRAM
❤8👍1
Kubernetes Goat is an interactive Kubernetes security learning playground. It has intentionally vulnerable by design scenarios to showcase the common misconfigurations, real-world vulnerabilities, and security issues in Kubernetes clusters, containers, and cloud native environments.
🔻 Main page
✏️ MITRE ATT&CK
🏆 Scenarios
See also:
Attacking Kubernetes by Reza, 2025
Red Team Tactics, Techniques, and Procedures for Kubernetes by sneakerhax, 2025
List of all Attack Techniques by Stratus Red Team, 2025
Attacking Kubernetes by HackTricks Cloud
Kubernetes Threat Matrix (interactive!)
#SecDevOps #pentest
🔻 Main page
See also:
Attacking Kubernetes by Reza, 2025
Red Team Tactics, Techniques, and Procedures for Kubernetes by sneakerhax, 2025
List of all Attack Techniques by Stratus Red Team, 2025
Attacking Kubernetes by HackTricks Cloud
Kubernetes Threat Matrix (interactive!)
#SecDevOps #pentest
Please open Telegram to view this post
VIEW IN TELEGRAM
❤8😁2🔥1
Arm Assembly Internals & Reverse Engineering by Maria Markstedter
Welcome to this tutorial series on ARM assembly basics. This is the preparation for the followup tutorial series on ARM exploit development. Before we can dive into creating ARM shellcode and build ROP chains, we need to cover some ARM Assembly basics first.
🛡 Official page
😺 About author
#hardware #reverse
Welcome to this tutorial series on ARM assembly basics. This is the preparation for the followup tutorial series on ARM exploit development. Before we can dive into creating ARM shellcode and build ROP chains, we need to cover some ARM Assembly basics first.
🛡 Official page
#hardware #reverse
Please open Telegram to view this post
VIEW IN TELEGRAM
❤7🔥5😁1
Media is too big
VIEW IN TELEGRAM
Функции:
✅Работа с RFID и NFC: устройство способно считывать, копировать и эмулировать метки, радиопульты, iButton и цифровые ключи доступа.
✅ Работа с инфракрасными сигналами: Flipper Zero оснащён инфракрасным передатчиком и приёмником, что позволяет управлять телевизорами, кондиционерами и другой техникой, захватывать и воспроизводить сигналы ИК-пультов.
✅ Работа с Sub-GHz-частотами (433 МГц, 868 МГц и другие): устройство умеет передавать и принимать сигналы на низких радиочастотах, что позволяет анализировать радиоуправляемые устройства (например, беспроводные звонки, розетки, умные датчики).
✅ Bluetooth-аналитика и взаимодействие с устройствами: Flipper Zero поддерживает Bluetooth, что позволяет подключаться к мобильному приложению Flipper, анализировать активные Bluetooth-устройства вокруг.
#hardware #fun
Please open Telegram to view this post
VIEW IN TELEGRAM
🔥8👍3
🚨 Flipper Zero ‘DarkWeb’ Firmware Bypasses Rolling Code Security on Major Vehicles
A new and custom firmware for the popular Flipper Zero multi-tool device is reportedly capable of bypassing the rolling code security systems used in most modern vehicles, potentially putting millions of cars at risk of theft.
Demonstrations reveal that the firmware, said to be circulating on the dark web, can clone a vehicle’s keyfob with just a single, brief signal capture.
Sources:
❗️ Article (Eng) + Seclab (Rus)
#hardware
A new and custom firmware for the popular Flipper Zero multi-tool device is reportedly capable of bypassing the rolling code security systems used in most modern vehicles, potentially putting millions of cars at risk of theft.
Demonstrations reveal that the firmware, said to be circulating on the dark web, can clone a vehicle’s keyfob with just a single, brief signal capture.
Sources:
#hardware
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥4👍3
Threat Hunting and Detection by Mehmet E. (Cyb3r-Monk), 2025
Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL (Kusto Query Language).
🔤 GitHub
See also:
❗️ ATT&CK + D3FEND = D.E.A.T.H
❗️ D3FEND Matrix
#defensive
Repository for threat hunting and detection queries, etc. for Defender for Endpoint and Microsoft Sentinel in KQL (Kusto Query Language).
See also:
#defensive
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥6
The Threat Hunter Playbook by OTRF, Roberto Rodriguez (Cyb3rWard0g), 2022
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient, ll the detection documents in this project follow the structure of MITRE ATT&CK categorizing post-compromise adversary behavior in tactical groups and are available in the form of interactive notebooks.
⚔️ GitHub
📔 The Book
See also:
❗️ Awesome Threat Detection and Hunting by 0x4D31
❗️ The Threat Hunting Project + GitHub
❗️ Malware + DFIR analysis notes by antonyn0p
#defensive
A community-driven, open-source project to share detection logic, adversary tradecraft and resources to make detection development more efficient, ll the detection documents in this project follow the structure of MITRE ATT&CK categorizing post-compromise adversary behavior in tactical groups and are available in the form of interactive notebooks.
See also:
#defensive
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥5👍2
𝗦𝗲𝗰𝘂𝗿𝗲 𝗯𝘆 𝗗𝗲𝘀𝗶𝗴𝗻 - 𝗪𝗲𝗯 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 & 𝗔𝗣𝗜 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 by DevSecOps Guides, 2025
𝗧𝗮𝗯𝗹𝗲 𝗼𝗳 𝗰𝗼𝗻𝘁𝗲𝗻𝘁:
🔴 𝗘𝗻𝗱-𝘁𝗼-𝗘𝗻𝗱 𝗘𝗻𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻 HTTP exposure → SSL stripping → HSTS with preload → unbreakable TLS tunnels.
🔴 𝗢𝗔𝘂𝘁𝗵 𝟮.𝟬 & 𝗣𝗞𝗖𝗘 Auth code interception → malicious app replay → PKCE enforcement → no token without proof key.
🔴 𝗝𝗪𝗧 𝗟𝗶𝗳𝗲𝗰𝘆𝗰𝗹𝗲 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 HS256 secret theft → forged admin tokens → RS256 + short-lived tokens → revoked refresh tokens.
🔴 𝗠𝘂𝘁𝘂𝗮𝗹 𝗧𝗟𝗦 (𝗺𝗧𝗟𝗦) Stolen static API key → partner impersonation → client certificate auth → cryptographic identity.
🔴 𝗗𝗗𝗼𝗦 & 𝗥𝗮𝘁𝗲 𝗟𝗶𝗺𝗶𝘁𝗶𝗻𝗴 Naive IP limits → low-and-slow scraping → dynamic, user-aware throttling → edge WAF protection.
🔴 𝗜𝗻𝗽𝘂𝘁 𝗩𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 & 𝗢𝘂𝘁𝗽𝘂𝘁 𝗘𝗻𝗰𝗼𝗱𝗶𝗻𝗴 SQLi & XSS payloads → data exfiltration & session hijacking → parameterized queries & contextual encoding → neutralized threats.
🔴 𝗔𝗣𝗜 𝗚𝗮𝘁𝗲𝘄𝗮𝘆 & 𝗪𝗔𝗙 Inconsistent microservice security → finding the weakest link → centralized WAF at the gateway → uniform defense.
🔴 𝗦𝗲𝗰𝘂𝗿𝗲 𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 Cookie theft via XSS → session hijacking → HttpOnly, Secure, SameSite=Strict cookies → locked-down sessions.
🔴 𝗔𝗣𝗜 𝗩𝗲𝗿𝘀𝗶𝗼𝗻𝗶𝗻𝗴 & 𝗗𝗲𝗽𝗿𝗲𝗰𝗮𝘁𝗶𝗼𝗻 Zombie v1 API → exploiting old bugs → forced deprecation & brownouts → controlled demolition.
🔴 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗟𝗼𝗴𝗶𝗰 𝗙𝗹𝗮𝘄𝘀 Price tampering → checkout abuse → server-side re-validation → trust nothing from the client.
🔴 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗠𝗲𝘀𝗵 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 Lateral movement in-cluster → compromised pod escalates → zero-trust mTLS → granular authorization policies.
🔣 Web page
#AppSec
𝗧𝗮𝗯𝗹𝗲 𝗼𝗳 𝗰𝗼𝗻𝘁𝗲𝗻𝘁:
🔴 𝗘𝗻𝗱-𝘁𝗼-𝗘𝗻𝗱 𝗘𝗻𝗰𝗿𝘆𝗽𝘁𝗶𝗼𝗻 HTTP exposure → SSL stripping → HSTS with preload → unbreakable TLS tunnels.
🔴 𝗢𝗔𝘂𝘁𝗵 𝟮.𝟬 & 𝗣𝗞𝗖𝗘 Auth code interception → malicious app replay → PKCE enforcement → no token without proof key.
🔴 𝗝𝗪𝗧 𝗟𝗶𝗳𝗲𝗰𝘆𝗰𝗹𝗲 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 HS256 secret theft → forged admin tokens → RS256 + short-lived tokens → revoked refresh tokens.
🔴 𝗠𝘂𝘁𝘂𝗮𝗹 𝗧𝗟𝗦 (𝗺𝗧𝗟𝗦) Stolen static API key → partner impersonation → client certificate auth → cryptographic identity.
🔴 𝗗𝗗𝗼𝗦 & 𝗥𝗮𝘁𝗲 𝗟𝗶𝗺𝗶𝘁𝗶𝗻𝗴 Naive IP limits → low-and-slow scraping → dynamic, user-aware throttling → edge WAF protection.
🔴 𝗜𝗻𝗽𝘂𝘁 𝗩𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗼𝗻 & 𝗢𝘂𝘁𝗽𝘂𝘁 𝗘𝗻𝗰𝗼𝗱𝗶𝗻𝗴 SQLi & XSS payloads → data exfiltration & session hijacking → parameterized queries & contextual encoding → neutralized threats.
🔴 𝗔𝗣𝗜 𝗚𝗮𝘁𝗲𝘄𝗮𝘆 & 𝗪𝗔𝗙 Inconsistent microservice security → finding the weakest link → centralized WAF at the gateway → uniform defense.
🔴 𝗦𝗲𝗰𝘂𝗿𝗲 𝗦𝗲𝘀𝘀𝗶𝗼𝗻 𝗠𝗮𝗻𝗮𝗴𝗲𝗺𝗲𝗻𝘁 Cookie theft via XSS → session hijacking → HttpOnly, Secure, SameSite=Strict cookies → locked-down sessions.
🔴 𝗔𝗣𝗜 𝗩𝗲𝗿𝘀𝗶𝗼𝗻𝗶𝗻𝗴 & 𝗗𝗲𝗽𝗿𝗲𝗰𝗮𝘁𝗶𝗼𝗻 Zombie v1 API → exploiting old bugs → forced deprecation & brownouts → controlled demolition.
🔴 𝗕𝘂𝘀𝗶𝗻𝗲𝘀𝘀 𝗟𝗼𝗴𝗶𝗰 𝗙𝗹𝗮𝘄𝘀 Price tampering → checkout abuse → server-side re-validation → trust nothing from the client.
🔴 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 𝗠𝗲𝘀𝗵 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 Lateral movement in-cluster → compromised pod escalates → zero-trust mTLS → granular authorization policies.
#AppSec
Please open Telegram to view this post
VIEW IN TELEGRAM
Please open Telegram to view this post
VIEW IN TELEGRAM
1❤6👍2😱1
𝗦𝗲𝗰𝘂𝗿𝗲_𝗯𝘆_𝗗𝗲𝘀𝗶𝗴𝗻_𝗪𝗲𝗯_𝗦𝗲𝗿𝘃𝗶𝗰𝗲_&_𝗔𝗣𝗜_𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆.pdf
2.4 MB
𝗦𝗲𝗰𝘂𝗿𝗲 𝗯𝘆 𝗗𝗲𝘀𝗶𝗴𝗻 - 𝗪𝗲𝗯 𝗦𝗲𝗿𝘃𝗶𝗰𝗲 & 𝗔𝗣𝗜 𝗦𝗲𝗰𝘂𝗿𝗶𝘁𝘆 by DevSecOps Guides, 2025
❤4👍2
SANS Linux Incident Response_2025.pdf
2 MB
SANS Linux Incident Response, 2025
Cybersecurity e-learning (courses) by Pentester Academy, 2020/2024
👉 FTP catalog + torrent + Medium
See also:
🛡 INE catalog
🛡 SANS (old courses)
🛡 MEGA PACK of torrents by Mohammed Helal (Google Drive)
#education
See also:
#education
Please open Telegram to view this post
VIEW IN TELEGRAM
1🔥11❤3🤝2👍1🥱1
Diablo – Pentesting, Hacking & Reporting Framework by AnLoMinus, 2023/2025
Tested out Diablo – a full-featured offensive security toolkit for reconnaissance, exploitation, and reporting, all from your terminal ⚔️
💡 Key Features:
✅ Anonymity Surfing
✅ Recon & Vulnerability Scanning (nmap, dirb, whois, etc.)
✅ Gaining & Maintaining Access
✅ Analysis & Reporting (Markdown logs)
❗️GitHub
#hacktool
Tested out Diablo – a full-featured offensive security toolkit for reconnaissance, exploitation, and reporting, all from your terminal ⚔️
💡 Key Features:
✅ Anonymity Surfing
✅ Recon & Vulnerability Scanning (nmap, dirb, whois, etc.)
✅ Gaining & Maintaining Access
✅ Analysis & Reporting (Markdown logs)
❗️GitHub
#hacktool
3👏6
Web Penetration Testing: Advanced Guide | Create 45 Security Assessments | Including OWASP Top 10, Nathan Beckford, 2025
This comprehensive, action-driven manual walks you through 45 real-world security assessments based on modern application architectures and the OWASP Top 10 vulnerabilities—including Broken Access Control, Injection, SSRF, and more. Every chapter bridges theory with practice, giving you step-by-step labs, exploitation techniques, and mitigation strategies to master both the attacker’s and defender’s perspectives.
Inside, you’ll learn how to:
✅ Set up your own safe penetration testing lab using virtual machines and containers
✅ Master the tools of the trade, including Burp Suite, sqlmap, Nmap, and custom noscripts
✅ Identify and exploit vulnerabilities across frontend, backend, APIs, and cloud services
✅ Conduct thorough reconnaissance and map attack surfaces like a professional
✅ Apply real-world testing methodologies from PTES, OWASP, and NIST frameworks
✅ Perform deep-dive assessments across all layers of modern web apps
✅ Build professional-grade reports and remediation plans for stakeholders
#book #web
This comprehensive, action-driven manual walks you through 45 real-world security assessments based on modern application architectures and the OWASP Top 10 vulnerabilities—including Broken Access Control, Injection, SSRF, and more. Every chapter bridges theory with practice, giving you step-by-step labs, exploitation techniques, and mitigation strategies to master both the attacker’s and defender’s perspectives.
Inside, you’ll learn how to:
✅ Set up your own safe penetration testing lab using virtual machines and containers
✅ Master the tools of the trade, including Burp Suite, sqlmap, Nmap, and custom noscripts
✅ Identify and exploit vulnerabilities across frontend, backend, APIs, and cloud services
✅ Conduct thorough reconnaissance and map attack surfaces like a professional
✅ Apply real-world testing methodologies from PTES, OWASP, and NIST frameworks
✅ Perform deep-dive assessments across all layers of modern web apps
✅ Build professional-grade reports and remediation plans for stakeholders
#book #web
👍6
Web Penetration Testing 2025.pdf
3.9 MB
Web Penetration Testing: Advanced Guide | Create 45 Security Assessments | Including OWASP Top 10, Nathan Beckford, 2025
👍5
Среди пакета предложенных мер — запрет на распространение информации, связанной с практикой ИБ. В случае вступления этих мер в силу более половины статей «Хакера» окажется вне закона. Это же касается и Telegram каналов, форумов, сайтов, личных блогов и других ресурсов, где размещаются материалы связанных с ИБ.
Дмитрий Агарунов, основатель «Хакера»:
«Любой запрет на публикации и обмен научно-технической информацией является фактическим запретом на обучение. ИБ-специалистам просто негде будет приобретать знания. С учетом того, что новая информация поступает ежесекундно, такая поправка может парализовать кибербезопасность страны.
Кроме того, данная мера бьет исключительно по своим: запретить можно только легальным, зарегистрированным, официальным ресурсам. Публикации на иностранных сайтах, в чатах, каналах, целенаправленную рассылку враждебных приказов и инструкций такая поправка запретить не может. Специалисты врагов спокойно продолжат обучение».
Призываем читателей «Хакера» и все неравнодушных, поддерживающих нашу точку зрения,
Может мы ничего и не изменим, но мнение свое скажем!
Please open Telegram to view this post
VIEW IN TELEGRAM
👎9🔥7❤🔥4😱1