Many people believe that the best hacking tools are far-fetched. Some even think you have to be a computer whiz to use them. It is wrong. Hacking tools are computer programs. They help to detect vulnerabilities in computer systems, web applications, servers and networks. There are a lot of them on the market. Some of them are free and open source, while others are paid. Penetration testing and hacking tools are more commonly used in security industries to test network and application vulnerabilities. Here you can find a comprehensive list of Penetration Testing and Hacking Tools that covers Performing Penetration Testing Operations across the Environment. Hacking is the process of gaining access to a computer system for the purpose of fraud, data theft, and invasion of privacy, among other things. Penetration testing and ethical hacking tools are very important for every organization to check for vulnerabilities and fix the vulnerable system. To manage security operations, security experts and researchers must rely on security and hacking tools that help them minimize time and effectively monitor and perform network penetration testing to protect the network.
Metasploit Unleashed is a free course on Metasploit offensive security.
Penetration Testing Execution Standard (PTES) – A standard for performing penetration testing.Documentation intended to provide a common language and capabilities for performing and reporting penetration test results.
Open Web Application Security Project (OWASP) – is a global non-profit charitable organization specializing in improving security, especially for web and application software.
PENTEST-WIKI – A free online security knowledge library for pentesters and researchers.
Penetration Testing Framework (PTF) – A penetration test execution plan designed as a general framework that can be used by both vulnerability analysts and penetration testers.
XSS-Payloads – іThe ultimate resource for all things cross-site, including payloads, tools, games, and documentation.
Open Source Security Testing Methodology Manual (OSSTMM) – a platform for providing test scenarios that lead to verifiable facts on which to base decisions affecting the security of an organization.
MITRE’s Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) – curated knowledge base and behavioral model of cybercriminals.
Shellcode Tutorial – A tutorial on writing shell code.
Shellcode Examples – Shell code database.
Exploit Writing Tutorials – Tutorials on exploit development.
OSINT Framework – A collection of various OSINT hacking tools categorized by category.
Intel Techniques – A collection of OSINT. You can use the menu on the left to navigate through the categories.
NetBootcamp OSINT Tools – A collection of OSINT links and custom web interfaces to other services, such as Facebook Graph Search and various embed sites.
WiGLE.net –Information on wireless networks around the world, with user-friendly desktop and web applications.
Social Engineering Framework – is an information resource for social engineers.
Канал Schuyler Towne – Video Lockpicking and security negotiations.
bosnianbill – More videos on lock selection.
/r/lockpicking – Lockpicking training resources and equipment recommendations.
Security related Operating Systems @ Rawsec – Penetration testing tools and list of hacking tools Related Full list of security operating systems.
Best Linux Penetration Testing Distributions @ CyberPunk – Description of the main distributions for penetration testing.
Security @ Distrowatch – A site dedicated to discussing, reviewing, and updating open source operating systems.
cuckoo – An automated open source malware analysis system.
Computer Aided Investigative Environment (CAINE) – An Italian GNU/Linux distribution created as a digital forensics project.
Digital Evidence & Forensics Toolkit (DEFT) – A Live CD for forensic analysis that runs without interference or damage to the connected devices on which the boot process takes place.
Tails – Live OS is aimed at maintaining confidentiality and anonymity.
Kali – GNU/Linux distribution designed for digital forensics and penetration testing Hacking Tools
ArchStrike – Arch GNU/Linux repository for security professionals and enthusiasts.
BlackArch – GNU/Linux-based Arch distribution with the best hacking tools for penetration testers and security researchers.
Network Security Toolkit (NST) – is a Fedora-based bootable operating system designed to provide easy access to best-in-class open source network security applications.
Pentoo – is a security-oriented live CD based on Gentoo.
BackBox – Ubuntu-based distribution for penetration testing and security assessment.
Parrot – a Kali-like distribution with multiple architectures and 100 hacking tools.
Buscador – a GNU/Linux virtual machine that is pre-configured for online investigators.
Fedora Security Lab – Provides a secure test environment for working on security audits, forensics, system rescue, and training in security testing methodologies.
Pentesters Framework – distribution organized around the Penetration Test Execution Standard (PTES), providing a curated set of utilities that eliminate the often unused toolchain.
AttifyOS – is a GNU/Linux distribution focused on tools useful for assessing the security of the Internet of Things (IoT).
docker pull kalilinux/kali-linux-dockerofficial Kali Linux
docker pull owasp/zap2docker-stable– official OWASP ZAP
docker pull wpscanteam/wpscan– official WPScan
docker pull citizenstig/dvwa– Damn Vulnerable Web Application (DVWA)
docker pull wpscanteam/vulnerablewordpress– Vulnerable WordPress Installation
docker pull hmlio/vaas-cve-2014-6271– Vulnerability as a service: Shellshock
docker pull hmlio/vaas-cve-2014-0160– Vulnerability as a service: Heartbleed
docker pull opendns/security-ninjas– Security Ninjas
docker pull diogomonica/docker-bench-security– Docker Bench for Security
docker pull ismisepaul/securityshepherd– OWASP Security Shepherd
docker pull danmx/docker-owasp-webgoat– OWASP WebGoat Project docker image
docker-compose build && docker-compose up– OWASP NodeGoat
docker pull citizenstig/nowasp– OWASP Mutillidae II Web Pen-Test Practice Application
docker pull bkimminich/juice-shop– OWASP Juice Shop
docker pull kalilinux/kali-linux-docker– Kali Linux Docker Image
docker pull phocean/msf– docker-metasploit
Metasploit – post exploitation hacking tools for offensive security teams to help test vulnerabilities and manage security assessments.
Armitage – Java-based GUI interface for the Metasploit Framework.
Faraday – A multi-user, integrated testing environment for red teams performing joint penetration tests, security audits, and risk assessments.
ExploitPack – a graphical tool for automating penetration tests that comes with many ready-made exploits.
Pupy – a cross-platform (Windows, Linux, macOS, Android) remote administration and post-operational tool.
Nexpose – a commercial vulnerability assessment and risk management engine that integrates with Metasploit, sold by Rapid7.
Nessus – кomerization platform for vulnerability management, customization, and compliance assessment sold by Tenable.
OpenVAS – Free software implementation of the popular Nessus vulnerability assessment system.
Vuls – agentless vulnerability scanner for GNU/Linux and FreeBSD written in Go.
Brakeman – a static analysis vulnerability scanner for Ruby on Rails applications.
cppcheck – an extensible static C/C++ analyzer focused on finding errors.
FindBugs – is a free static analyzer for finding errors in Java code.
sobelow – security-oriented static analysis for the Phoenix Framework.
bandit – is a security-oriented static analyzer for Python code.
Nikto – гA slow but fast scanner for black box web server and web application vulnerabilities.
Arachni – a scripting framework for assessing the security of web applications.
w3af – Hacking tools for attacking and auditing web applications.
Wapiti – black box web application vulnerability scanner with built-in fuzzer.
SecApps – a package for testing the security of web applications in the browser.
WebReaver – is a commercial graphical web application vulnerability scanner designed for macOS.
WPScan – WordPress Vulnerability Scanner black box hacking tools.
cms-explorer – Uncover the specific modules, plugins, components, and themes that run on various websites powered by content management systems.
joomscan -Finding Hacking Tools for the Joomla splashdown scanner.
ACSTIS – Automatic detection of client-side template injection (sandbox escape/bypass) for AngularJS.
zmap – is an open-source network scanner that allows researchers to easily perform network research on the Internet.
nmap – a free security scanner for network research and security audits.
pig – is one of the hacking tools for creating GNU/Linux packages.
scanless – a utility for using websites to perform port scans on your behalf without revealing your own IP address.
tcpdump/libpcap – a general packet analyzer that runs under the command line.
Wireshark – is a widely used graphical cross-platform network protocol analyzer.
Network-Tools.com – A website that offers an interface to many basic network utilities, such as
whois, and more.
netsniff-ng – a Swiss army knife for net sniffing.
Intercepter-NG – Multifunctional networking tools.
SPARTA -a graphical interface that offers scripted, customizable access to existing scanning and enumeration tools for network infrastructure.
dnschef – A highly configurable DNS proxy for pentesters.
DNSDumpster – is one of the hacking tools for an online DNS reconnaissance and search service.
CloudFail – expose server IP addresses hidden behind Cloudflare by searching old database records and identifying misconfigured DNS.
dnsenum – a Perl script that lists DNS information from a domain, attempts to transfer the zone, performs a brute force dictionary attack, and then performs a reverse lookup of the results.
dnsmap – is one of the hacking tools for passive DNS network mapping.
dnsrecon – is one of the hacking tools for the DNS enumeration script.
dnstracer – Determines where this DNS server gets its information from and follows the chain of DNS servers.
passivedns-client – a library and query tool for querying multiple passive DNS providers.
passivedns – a network sniffer that logs all DNS server responses for use in passive DNS configuration.
Mass Scan – best hacking tools for TCP port scanner, asynchronously spews SYN packets, scanning the entire Internet in less than 5 minutes.
Zarp – a network attack tool focused on the exploitation of local networks.
mitmproxy – interactive HTTP proxy with TLS support for penetration testers and software developers.
Morpheus – automated TCP/IP hacking tools.
mallory – HTTP/HTTPS proxy via SSH.
SSH MITM – Intercepts SSH connections from proxies; all text passwords and sessions are logged to disk.
Netzob – Reverse engineering, traffic generation, and fuzzy communication protocols.
DET – Proof of concept for deleting data using one or more channels simultaneously.
pwnat – It pierces holes in firewalls and NATs.
dsniff – A collection of tools for network audit and pentesting.
tgcd – A simple Unix network utility for extending the availability of TCP/IP-based network services beyond firewalls.
smbmap – A convenient SMB listing tool.
scapy – is an interactive Python-based package management program and library.
Dshell – A networked system of forensic analysis.
Debookee – is a simple and powerful network traffic analyzer for macOS.
Dripcap – analyzer of caffeine packets.
Printer Exploitation Toolkit (PRET) – A printer security testing tool capable of IP and USB connectivity, unreadable and exploitable PostScript, PJL and PCL printer language features.
Praeda – An automated multifunctional data collection printer for collecting usable data during a safety assessment.
routersploit – an open source framework similar to Metasploit but designed for embedded devices.
evilgrade – A modular framework to take advantage of bad update implementations by introducing fake updates.
XRay – a tool for automating network (sub)domain detection and intelligence.
Ettercap – a comprehensive, mature package for attacking machines in the middle.
BetterCAP – modular, portable and easily expandable MITM platform.
CrackMapExec – Swiss Army knife for pentesting networks.
impacket – a set of Python classes for working with network protocols.
Aircrack-ng – A set of testing and penetration testing tools for auditing wireless networks.
Kismet – wireless network detector, sniffer, and IDS.
Reaver – brute force attack on a secure WiFi setup.
Wifite – an automated wireless attack tool.
Fluxion – a set of automated WPA attacks based on social engineering.
SSLyze – fast and comprehensive TLS/SSL configuration analyzer to detect incorrect security settings.
tls_prober – Fingerprint implementation of an SSL/TLS server.
testssl.sh – is a command-line tool that checks the server service on any port for support for TLS/SSL ciphers, protocols, and some cryptographic flaws.
OWASP Zed Attack Proxy (ZAP) – a multifunctional, scriptable HTTP proxy server and fuzzer for web application penetration testing.
Fiddler – Free cross-platform web debugging proxies with handy related tools.
Burp Suite – is one of Hacking Tools’ integrated platforms for performing web application security testing.
autochrome – An easy-to-install test browser with all the appropriate settings needed to test web applications with built-in Burp support from NCCGroup.
Browser Exploitation Framework (BeEF) – a command-and-control server for delivering exploits to controlled web browsers.
Offensive Web Testing Framework (OWTF) – a Python-based framework for web applications based on the OWASP testing guidelines.
WordPress Exploit Framework – A Ruby framework for developing and using modules that help in penetration testing of WordPress-based websites and systems.
WPSploit – Exploiting WordPress websites with Metasploit.
SQLmap – automatic SQL implementation and database capture tool.
tplmap – Automatic server-side template deployment and web server hacking tools.
weevely3 – Weaponized Web.
Wappalyzer – Wappalyzer discloses the technology used on websites.
WhatWeb – website imprint.
BlindElephant – Fingerprint web application.
wafw00f – Identify and fingerprint web application firewall (WAF) products.
fimap – Search, prepare, audit, operate, and even Google automatically for LFI/RFI errors.
Kadabra – automatic operator and LFI scanner.
Kadimus – a tool for scanning and using LFI.
liffy – LFI operation tool.
Commix – automated universal tool for implementing and operating operating system commands.
DVCS Ripper – Rip web-based (distributed) version control systems: SVN/GIT/HG/BZR.
GitTools – one of the hacking tools that automatically finds and downloads repositories available on the Internet
sslstrip -One of the hacking tools demonstrating HTTPS removal attacks.
sslstrip2 – version of SSLStrip to defeat HSTS.
NoSQLmap – automatic tool for NoSQL implementation and database capture.
VHostScan – A virtual host scanner that performs reverse lookups can be used with consolidated management tools to detect all scripts, aliases, and default dynamic pages.
FuzzDB – A dictionary of attack templates and primitives for black box application bug injection and resource exploitation.
EyeWitness – іA tool to take screenshots of websites, provide some information about the server header, and determine default credentials, if applicable.
webscreenshot – a simple script to take screenshots of a list of websites.
HexEdit.js – Browser-based hexadecimal editing.
Hexinator – the world’s best (proprietary, commercial) hex editor.
Frhed – is a binary file editor for Windows.
0xED – macOS’s own hex editor that supports plugins for displaying custom data types.
Veles – a tool for visualizing and analyzing binary data.
Hachoir – Python library for viewing and editing a binary stream as a tree of fields and tools for extracting metadata.
Veil – Generate metasploit payloads that bypass common antivirus solutions.
shellsploit – It generates custom shell code, backdoors, injectors, and optionally runs each byte using encoders.
Hyperion – runtime encryption for 32-bit portable executables(“PE
AntiVirus Evasion Tool (AVET) – post-process exploits that contain executable files designed for Windows machines to avoid detection by anti-virus software.
peCloak.py – Automates the process of hiding a malicious Windows executable from antivirus (AV) detection.
peCloakCapstone – a multi-platform fork of the automated malware evasion tool peCloak.py.
UniByAv – a simple obfuscator that takes raw shell code and generates virus-friendly executables using a brute-force 32-bit XOR key.
John the Ripper – One of the best password cracking tools to crack passwords quickly.
Hashcat – Another hacking tool, a faster hash cracker.
CeWL – Creates customized word lists by crawling the target audience’s website and collecting unique words.
JWT Cracker – A simple HS256 JWT token cracker with brute force.
Rar Crack – RAR cracker with brute force.
BruteForce Wallet – Find the password to the encrypted wallet file (i.e.
Sysinternals Suite – Sysinternals troubleshooting utilities.
Windows Credentials Editor – Check login sessions and add, change, recalculate, and delete associated credentials, including Kerberos tickets.
mimikatz – a credential recovery tool for the Windows operating system.
PowerSploit – PowerShell Post-Exploitation Framework.
Windows Exploit Suggester – detects potential missing patches on the target.
Responder – LLMNR, NBT-NS and MDNS.
Bloodhound – Graphical Active Directory trust relationship explorer.
Empire – Pure PowerShell agent.
Fibratus – is a tool for studying and tracking the Windows kernel.
wePWNise – Generates architecture-independent VBA code for use in Office documents or templates and automates application management software traversal and usage.
redsnarf – A post-exploitation tool for retrieving password and credential hashes from Windows workstations, servers, and domain controllers.
Magic Unicorn – Shellcode generator for numerous attack vectors, including Microsoft Office macros, PowerShell, HTML applications (HTA), or
certutil(using fake certificates).
DeathStar – a Python script that uses Empire’s RESTful API to automate the acquisition of domain administrator rights in Active Directory environments.
Linux Exploit Suggester – heuristic reporting of potentially viable exploits for this GNU/Linux system.
Bella – is a pure Python data mining and remote administration tool for macOS.
LOIC – is an open source network stress tool for Windows.
SlowLoris – a DoS tool that exploits low bandwidth on the attacker’s side.
HOIC – The updated version of the Low Orbit Ion Cannon has “boosters” to bypass common countermeasures.
T50 – a tool for faster network voltage.
UFONet – Abuses OSI Layer 7 HTTP to create/control “zombies” and conduct various attacks using;
POST, multithreading, proxies, source spoofing methods, cache evasion methods, etc.
Social Engineer Toolkit (SET) – an open source testing framework designed for social engineering with a number of custom attack vectors to quickly implement plausible attacks.
King Phisher – is one of the Hacking Tools for Phishing campaign tools used to create and manage multiple simultaneous phishing attacks with user email and server content.
Evilginx – MITM attack platform used to phish credentials and session cookies from any web service.
wififisher – Automated phishing attacks on Wi-Fi networks.
Catphish – a tool for phishing and corporate espionage written in Ruby.
Beelogger – a tool for creating keyloogers.
Maltego – is one of the hacking tools and open-source proprietary intelligence and forensic software from Paterva.
theHarvester – E-mail, subdomain, and people’s names.
creepy -OSINT geolocation tool.
metagoofil – metadata harvester.
Google Hacking Database – Google’s database of assholes; can be used for intelligence.
Google-дорки – The usual Google jerks and others you probably don’t know.
GooDork – Google’s command line tool dorking.
dork-cli – Google dork tool of the command row.
Censys – collects data about hosts and websites through daily scanning of ZMap and ZGrab.
Shodan – is the world’s first search engine for Internet-connected devices.
recon-ng – is one of the full-featured web intelligence tools written in Python.
github-dorks – CLI tool for scanning Github repositories/organizations for potential leaks of confidential information.
vcsmap – A plug-in-based tool for scanning publicly available version control systems for confidential information.
Spiderfoot – multi-source OSINT automation tool with web interface and report visualization
BinGoo – Bing and Google Dorking Tool based on GNU/Linux.
fast-recon – perform Google jerks against the domain.
snitch – Gathering information through assholes.
Sn1per – hacking tools for the automated scanner Pentest Recon.
Threat Crowd – Search for threats.
Virus Total – VirusTotal is a free service that analyzes suspicious files and URLs and makes it easy to quickly detect viruses, worms, trojans, and all kinds of malware.
DataSploit – an OSINT visualizer that uses Shodan, Censys, Clearbit, EmailHunter, FullContact, and Zoomeye behind the scenes.
AQUATONE – a subdomain detection tool using various open sources that generates a report that can be used as input for other tools.
Intrigue – automated OSINT and Attack Surface detection platform with a powerful API, user interface, and CLI.
ZoomEye – A search engine for cyberspace that allows the user to find specific network components.
Tor – free software and an overlay network with onion routing to help you protect yourself from traffic analysis.
OnionScan – is one of the hacking tools for investigating the Dark Web by looking for operational security issues introduced by Tor hidden service operators.
I2P – An invisible Internet project.
Nipe – a script to redirect all traffic from the machine to the Tor network.
What Every Browser Knows About You– a comprehensive detection page to check your own web browser configuration for privacy and identity leaks.
VPN – A virtual private network masks your real IP address and physical location, replacing it with the server you are connecting to.
Interactive Disassembler (IDA Pro) – a proprietary multiprocessor disassembler and debugger for Windows, GNU/Linux or macOS; also has a free versionIDA Free.
WDK/WinDbg – a set of Windows and WinDbg drivers.
OllyDbg – an x86 debugger for Windows binaries that focuses on analyzing binary code.
Radare2 – an open-source, cross-platform reverse engineering framework.
x64dbg – open-source x64/x32 debugger for Windows.
Immunity Debugger – is a powerful way to write exploits and analyze malware.
Evan’s debugger – OllyDbg-like debugger for GNU/Linux.
Medusa – is a cross-platform interactive open-source disassembler.
plasma – interactive disassembler for x86/ARM/MIPS. Generates pseudo-code with indentation with colored syntax code.
peda – assistance in developing a Python Exploit for GDB.
dnSpy – is one of the hacking tools for reverse engineering. NET assembly.
binwalk – is a fast and easy-to-use tool for analyzing, reverse engineering, and extracting firmware images.
PyREBox – Python Reverse Engineering scripting sandbox from Cisco-Talos.
Voltron – an extensible set of debugger user interface tools written in Python.
Capstone – lightweight multi-platform disassembly structure with multiple architectures.
rVMI – A debugger on steroids; checking user space processes, kernel drivers, and pre-boot environments in one tool.
Frida – A dynamic toolkit for developers, reverse engineers, and security researchers.
LAN Turtle – a hidden “USB Ethernet Adapter” that provides remote access, network information collection, and MITM capabilities when installed on a local network.
USB Rubber Ducky – A customizable attack platform for keylogging under a USB drive.
Poisontap – Siphons cookies, provides an internal (LAN-side) router and installs a web backdoor on blocked computers.
WiFi Pineapple – a platform for wireless auditing and penetration testing.
Proxmark3 – a set of tools for cloning, reproducing, and spoofing RFID/NFC, often used to analyze and attack contactless cards/readers, wireless keys/keyboards, and more.
ChipWhisperer – A complete chain of open source tools for analyzing side-channel power and glitch attacks.
ctf-tools – A collection of installation scripts for installing various security research tools that can be deployed quickly and easily to new machines.
Pwntools – a fast exploit development platform designed for use in CTF.
RsaCtfTool – Decrypts data encrypted with RSA weak keys and recovers private keys from public keys using various automated attacks.
Public Pentesting Reports – A curated list of public penetration test reports published by several consulting companies and academic security groups.
Pentesting Report Template – testandverification.com template.
Pentesting Report Template – hitachi-systems-security.com template.
Pentesting Report Template – lucideus.com template.
Pentesting Report Template – crest-approved.org template.
Pentesting Report Template – template pcisecuritystandards.org.
Metasploit: A Penetration Tester’s Guide, David Kennedy et al. 2011
Penetration Testing: A Practical Introduction to Hacking, Georgia Weidman, 2014
Fundamentals of Hacking and Penetration Testing, Patrick Engebretson, 2013
Advanced penetration testing for highly secure environments, Lee Allen, 2012
Fuzzing: Identifying Brute Force Vulnerabilities, Michael Sutton et al. 2007
Black Hat Python: Python Programming for Hackers and Pentesters, Justin Seitz, 2014
Penetration testing: EU Council Procedures and Methodologies, 2010
Unauthorized access: Physical Penetration Testing for IT Security Teams, Wil Allsopp, 2010
Advanced hacker defense against persistent threats: The Art and Science of Hacking Any Organization, Tyler Wrightson, 2014
The Mac Hacker’s Handbook by Charlie Miller and Dino Dai Call, 2009
Handbook of web application hackers D. Stuttard, M. Pinto, 20111
The Android Hacker’s Handbook by Joshua J. Drake et al, 2012
The Android Hacker’s Handbook by Joshua J. Drake et al. 2014
A Handbook for Mobile Application Hackers, Dominic Chell et al. 2015
A comprehensive information section for web developers (Fascicle1)
Wireshark network analysis by Laura Chappell and Gerald Combs, 2012.
Network forensics: tracking hackers through cyberspace by Sherry Davidoff and Jonathan Ham, 2012.
Gray Hat Hacking The Ethical Hacker’s Handbook by Daniel Regalado et al.
Troubleshooting with Windows Sysinternals Tools by Mark Russinovich and Aaron Margos, 2016.
The Art of Deception by Kevin D. Mytnik and William L. Simon, 2002
The Art of the Invasion by Kevin D. Mytnik and William L. Simon, 2005
The Ghost in the Wires by Kevin D. Mytnik and William L. Simon, 2011
Social Engineering: The Art of Human Hacking by Christopher Hadnagy, 2010.
Exposing the Social Engineer: The Human Element of Security, by Christopher Hadnagy, 2014.
Social Engineering in IT Security: Tools, Tactics and Techniques, Sharon Conhead, 2014
Common vulnerabilities and exposures (CVEs) – a dictionary of common names (i.e., CVE identifiers) for publicly available security vulnerabilities.
National Vulnerability Database (NVD) – The U.S. government’s National Vulnerability Database provides additional metadata (CPE, CVSS score) of the standard CVE list along with a fine-grained search engine.
US-CERT vulnerability notes database – Summaries, technical details, troubleshooting information, and lists of vendors affected by software vulnerabilities are aggregated by the U.S. Computer Emergency Response Team (US-CERT).
Full disclosure of information– a public, vendor-neutral forum for detailed discussion of vulnerabilities, often publishing details before many other sources.
Bugtraq (BID) – A database of software security bug identification compiled from the Penetration Testing Toolkit and other sources managed by Symantec, Inc.
Exploit-DB – is a non-profit project hosting exploits for software vulnerabilities provided as a public service by Offensive Security.
Microsoft security bulletins – Announcements of security issues found in Microsoft software published by the Microsoft Security Response Center (MSRC).
Microsoft security recommendations – Archive of security recommendations affecting Microsoft software.
Mozilla Foundation security guidelines – Archive of security advisories affecting Mozilla software, including the Firefox web browser.
Packet Storm – A collection of exploits, guidelines, tools, and other security-related resources collected from across the industry.
CXSecurity – Archive of published CVE and Bugtraq software vulnerabilities, cross-referenced with the Google dork database to identify the listed vulnerability.
SecuriTeam – an independent source of information about software vulnerabilities.
Vulnerability Lab – An open forum for security recommendations, organized by categories of targeted exploits.
Ініціатива “Нульовий день – Bug bounty program with a publicly accessible archive of published security recommendations managed by TippingPoint.
Vulners – A security database of software vulnerabilities.
Inj3ct0r (Serge Luk) – exploit market and aggregator of vulnerability information.
Open Source Vulnerability Database (OSVDB) – A historical archive of security vulnerabilities in computerized equipment that no longer adds to its vulnerability database as of April 2016. Hacking tools.
HPI-VDB – a cross-referenced software vulnerability aggregator offering free API access provided by the Hasso-Plattner Institute, Potsdam. Hacking tools
Training on offensive security – training from BackTrack/Kali developers.
SANS security training – Computer security training and certification.
Open security training – Training material for computer security classes.
CTF field guide – Everything you need to win your next CTF contest.
ARIZONA CYBER WARFARE RANGE – 24×7 live fire exercises for beginners through real operations; the ability to move up into the real world of cyber warfare.
Cybrary – Free courses on ethical hacking and advanced penetration testing. Advanced Penetration Testing courses are based on the book Penetration Testing for Highly Secure Environments.
Computer security student – Lots of free tutorials, great for beginners, a $10/month membership unlocks all the content.
European Union Agency for Network and Information Security – ENISA cybersecurity training material.
DEF CON – Annual hacker convention in Las Vegas.
Black Hat – annual security conference in Las Vegas.
BSides – the basis for organizing and holding security conferences.
CCC – The annual meeting of the international hacker scene in Germany.
DerbyCon – is an annual hacker conference based in Louisville.
PhreakNIC – A technology conference held annually in the center of Tennessee.
ShmooCon – is an annual hacker convention on the East Coast of the United States.
CarolinaCon – Infosec conference, which is held annually in North Carolina.
CHCon – Christchurch hacking scam, New Zealand’s only south island hacking scam.
SummerCon – is one of the oldest hacker conventions held in the summer.
Hack.lu – An annual conference held in Luxembourg.
Hackfest – is the largest hacker conference in Canada.
HITB – Deep Knowledge Security Conference held in Malaysia and the Netherlands.
Troopers – Annual international IT security event with workshops held in Heidelberg, Germany.
Hack3rCon – is an annual hacker conference in the United States.
ThotCon – is an annual US hacker conference held in Chicago.
LayerOne – is an annual US security conference held every spring in Los Angeles.
DeepSec – Security conference in Vienna, Austria.
SkyDogCon – Technology conference in Nashville.
SECUINSIDE – Security conference in Seoul.
DefCamp -is the largest security conference in Eastern Europe, held annually in Bucharest, Romania.
AppSecUSA – is an annual conference organized by OWASP.
BruCON -Annual security conference in Belgium.
Infosecurity Europe – is the number one information security event in Europe, held in London, UK.
Nullcon – annual conference in Delhi and Goa, India.
Conference RSA USA – annual security conference in San Francisco, California, USA.
Swiss Cyber Storm – annual security conference in Lucerne, Switzerland.
Virus Bulletin conference – annual conference to be held in Denver, USA, in 2016.
Ekoparty – is the largest security conference in Latin America, held annually in Buenos Aires, Argentina.
44Con – is an annual security conference held in London.
BalCCon – Balkan Computer Congress, held annually in Novi Sad, Serbia.
FSec– Croatian information security team in Varazdin, Croatia.
2600: The Hacker Quarterly – is an American publication about technology and the computer “underground”.
Phrack Magazine – The longest hacker magazine.
Tools Kali Linux – A list of hacking tools present in Kali Linux.
SecTools – 125 best network security hacking tools.
Pentest cheat sheets – Stunning Pentest cheat sheets.
Programming in C/C++ – is one of the main languages for open source security tools.
. NET Programming – The software framework for the development of the Microsoft Windows platform.
Shell Scripting – command line frameworks, toolkits, guides, and gizmos.
Ruby programming by @dreikanter – is a de facto language for writing exploits.
Ruby Programming from @markets – is a de facto language for writing exploits.
Ruby programming by @Sdogruyol – is a de facto language for writing exploits.
Node.js Programming by @sindresorhus – A curated list of great Node.js packages and resources.
Python tools for penetration testers – Many testing tools are written in Python.
Programming onPhon by @svaksha – General programming in Python.
Programming in Python by @vinta – General programming in Python.
Android security – A collection of resources related to Android security.
Stunning stupendous – a list of lists.
AppSec -Resources for studying application security.
CTF – Capture The Flag frameworks, libraries, etc.
InfoSec § Hacking problems – A complete catalog of CTFs, wargames, hacking challenge websites, penetration testing tools, a list of practical lab exercises, and much more.
Hacking – training manuals, tools, and resources.
Honey pots – honey pots, tools, components, and much more.
Infosec – Information security resources for pentesting, forensics, and more.
Criminalistics – free (mostly open source) forensic analysis tools and resources.
Analysis of malicious programs – tools and resources for analysts.
PCAP tools – Tools for processing network traffic.
Security. – software, libraries, documents, and other resources.
Awesome Lockpicking– Awesome guides, tools, and other resources about the security and compromise of locks, safes, and keys.
SecLists – Collecting several types of lists used in security assessments.
Negotiations on security issues – A curated list of security conferences.
OSINT – A terrific OSINT list with great resources.
YARA – YARA rules, tools and people.