The 5 Hacking NewsLetter 64

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 19 to 26 of July.

Our favorite 5 hacking items

1. Tutorial of the week

Markdown For Penetration testers & Bug-bounty hunters

This is an excellent tutorial on how to organize your pentest and bug bounty notes using a static website created with Markdown and MkDocs.

I know… SwiftnessX and many other options already exist for taking notes. Why this one too?

Well, it’s worth trying if you’re looking for a self-hosted solution, want to use or learn markdown, want to share your notes with the world or make your site private, want a lightweight web-based tool to access your notes from any device…

The 5 Hacking NewsLetter 63

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 12 to 19 of July.

Our favorite 5 hacking items

1. Tutorial of the week

Using Wireshark over SSH (WS on Windows traffic on Linux)

This is a short how-to for using Wireshark over SSH. It’ll be really handy if your main host is Windows, and you are using a Linux VPS for tests.

The steps described will allow you to run Wireshark locally, and use it to analyze traffic captured on the remote Linux server (even if you don’t have a GUI on the latter!).

The 5 Hacking NewsLetter 62

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 05 to 12 of July.

Our favorite 5 hacking items

1. Tips of the week

All you need to know to exit VIM without unplugging your laptop
10 tips that are helpful if you are not finding vulns/bugs
Why http://1.0.0.1 is the same as http://1.1
How to use Tmux/Screen AFTER you’ve started Nmap

These tweets are so good that I had to mention all four. They’re about:

  • How to exit VIM, and more importantly how to make :!Q (which isn’t currently an option) quit it too
  • Awesome advice to improve your environment and methodology, and start finding vulns/bugs
  • Why some SSRF payloads include IP addresses like 1.1.1, and how routers know that it means 1.1.0.1 and not 1.1.1.0. I’ve been wondering about that and the answer was… RTFM!
  • What to do when you’re hours into an Nmap scan and you forgot to start it in a Tmux/Screen session (Genius!)

The 5 Hacking NewsLetter 61

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 28 of June to 05 of July.

Our favorite 5 hacking items

1. Webinar of the week

Intro to Cloud for Pentesters and Bug hunters | Security and Research Company (SECARMY)

This is an excellent introduction to cloud security for pentesters and bug hunters. If you’ve ever felt intimidated by AWS testing, this is a perfect opportunity to tackle this topic. You’ll learn about cloud computing, the difference between IaaS, PaaS and SaaS, common misconfigurations of four components of AWS (including AWS S3 and IAM) with examples and links to writeups.

The 5 Hacking NewsLetter 60

Hey hackers! These are our favorite resources shared by pentesters and bug hunters last week.

This issue covers the week from 21 to 28 of June.

Our favorite 5 hacking items

1. Discussion of the week

Do you use vulnerability scanner on bug bounty program? How is the result?

This is an interesting discussion for beginner bug hunters on why you shouldn’t use scanners in bug bounty. Vulnerability scanners are of low added value because many other people (including internal pentesters) have probably already run them. So it’s improbable that they’ll allow you to find anything new of real value. This, combined with the risk of causing Denial of Service if many bug hunters use scanners on the same target, is why scanners are generally not allowed.

The following reasons apply to pentesting too: the risk of causing an email flood to a client email address (happened to me once!), and the risk of deleting resources by using spidering on authenticated pages.

These risks are good to know whether you’re a bug hunter or pentester. It helps decide which tools to run or not and avoid causing service disruptions.

Also, I find cym13’s stance on Burp interesting. There really is no ‘one size fits all’!
