Thursday, January 27, 2022


[1.] Hacking: The Art of Exploitation, 2nd Edition
This book covers coding (C, x86 assembly), exploitation (stack overflows, heap overflows, format strings), networking
(and network-based attacks), writing shellcode, countermeasures and some crypto. It's the very first book to read since it
doesn't expect you to know anything before you start, though some experience with a programming language will
certainly make things a lot easier.
[2.] The Web Application Hacker's Handbook, 2nd Edition
Covers pretty much all areas of web application security; it can be used as a reference guide or read from start to
finish. I'd recommend reading at least the first chapters before jumping back and forth in the book.
[3.] Introductory Intel x86: Architecture, Assembly, Applications, & Alliteration
A video course teaching you Intel x86, something you'll really want to know if you plan on pwning gibsons. It's a long
course, but an absolutely amazing one that gives you a really good foundation for learning software exploitation and
reverse engineering. Some of the material covered here is also in Hacking: The Art of Exploitation, but practice makes
perfect.
[4.] Exploits 1: Introduction to Software Exploits
Another great video course from the guys over at OpenSecurityTraining. This time we'll delve deep into the art of
exploitation. The course covers stack overflows, heap overflows, writing shellcode and an intro to exploit mitigations.
[5.] Offensive Computer Security
Another course, this time from FSU. Topics covered:
 Secure Coding in C / Code Auditing
 Reverse Engineering
 Exploit Development
- Stack/Heap/Format String
- ret2libc
- ASLR, NX/DEP, Stack Cookies, EMET
- Return Oriented Programming (ROP)
 Web Application Hacking/Security
 Post Exploitation
 Forensics and Incident Response
 Physical Security and Social Engineering
[6.] TrailOfBits – CTF Field Guide
A text and video course covering:
 Vulnerability Discovery
- Auditing Source
- Auditing Binaries
- Auditing Webapps
 Exploit Creation
- Binary Exploits
- Webapp Exploits
 Forensics
[7.] The Shellcoder's Handbook: Discovering and Exploiting Security Holes
Amazing book. Covers stack overflows, heap overflows, format strings, writing shellcode (duh), Linux x86, Windows,
Solaris, OS X, Cisco IOS, exploit mitigations, fuzzing, source code auditing, binary auditing (reverse engineering),
kernel exploitation on Unix/Windows and a lot more...
Note: not a beginner's book.
[8.] A Guide to Kernel Exploitation: Attacking the Core
You wanna write kernel exploits? Of course you do. Look no further.
Note: also not a beginner's book.
The following books didn't really fit in the introductory list of learning material, but are just as
important if you wish to continue your security journey.
[Exploit Development]
 Gray Hat Hacking: The Ethical Hacker's Handbook, Fourth Edition
 The Mac Hacker's Handbook
[Reverse Engineering]
 Reverse Engineering for Beginners
 Reversing: Secrets of Reverse Engineering
 Practical Reverse Engineering: x86, x64, ARM, Windows Kernel, Reversing Tools, and Obfuscation
 IDA Pro Book, 2nd Edition
 Hacking the Xbox: An Introduction to Reverse Engineering
[Programming]
 The C Programming Language (by K&R)
 Learn C The Hard Way
 Violent Python: A Cookbook for Hackers, Forensic Analysts, Penetration Testers and Security Engineers
 Gray Hat Python: Python Programming for Hackers and Reverse Engineers
 PC Assembly Language (x86 NASM)
 Programming from the Ground Up (x86 AT&T)
 Assembly Language Step by Step: Programming with Linux, 3rd Edition
 64 Bit Intel Assembly Language Programming for Linux
[Auditing and Vulnerability Discovery]
 A Bug Hunter's Diary: A Guided Tour Through the Wilds of Software Security
 The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities
 Fuzzing: Brute Force Vulnerability Discovery
[Penetration Testing]
 Metasploit Unleashed
 Metasploit: The Penetration Tester's Guide
 The Hacker Playbook: Practical Guide To Penetration Testing
 RTFM: Red Team Field Manual
[Web Security]
 The Tangled Web: A Guide to Securing Modern Web Applications
 SQL Injection Attacks and Defense, Second Edition
 The Browser Hacker's Handbook
 Web Application Obfuscation: '-/WAFs..Evasion..Filters//alert(/Obfuscation/)-'
[Malware, Forensics and Anti-Forensics]
 The Rootkit Arsenal: Escape and Evasion in the Dark Corners of the System
 Designing BSD Rootkits: An Introduction to Kernel Hacking
 Rootkits: Subverting the Windows Kernel
 Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
[Mobile Security]
 iOS Hacker's Handbook
 Android Hacker's Handbook
 The Mobile Application Hacker's Handbook
[Video Courses]
 Exploits 1: Introduction To Software Exploits
 Exploits 2: Exploitation in the Windows Environment
 Introduction To Reverse Engineering Software
 Intermediate Intel x86: Architecture, Assembly, Applications, & Alliteration
 MIT 6.858: Computer Systems Security
Tutorial Series
Exploit Development:
[ Fuzzing ]
american fuzzy lop
 “American fuzzy lop is a security-oriented fuzzer that employs a novel type of compile-time instrumentation
and genetic algorithms to automatically discover clean, interesting test cases that trigger new internal states in
the targeted binary. This substantially improves the functional coverage for the fuzzed code.”
PEACH Community Fuzzer
 “Peach is a SmartFuzzer that is capable of performing both generation and mutation based fuzzing.”
 “Written in C, exposes a custom API for fuzzer development. Probably the most widely used and popular
framework.”
Zulu – The Interactive Fuzzer
 “Zulu is an interactive GUI-based fuzzer. It is as much as possible, input and output-agnostic so once you are
happy with using the fuzzing engine that's driven by the GUI you are only limited by the input and output
modules that have been developed for it.”
 “A pure-python fully automated and unattended fuzzing framework.”
zzuf - multi-purpose fuzzer
 “zzuf is a transparent application input fuzzer.”
More information on fuzzers:
[ Exploit Development ]
 A debugger plugin for Windows exploit development.
 Python Exploit Development Assistance for GDB
 pwntools is a CTF framework and exploit development library. Written in Python, it is designed for rapid
prototyping and development, and intended to make exploit writing as simple as possible.
Metasploit Framework
 This framework has some pretty great tools for exploit development. I encourage you to go read the wiki,
which will help you set up a development environment and get started:
[ Debuggers ]
(will finish this later)
Immunity Debugger
 add more content (whitepapers etc)
 write an introduction
 organize shit better
pantsu && lsd