June 13, 2017

Domain, Site & IP Information

SANS Internet Storm Center: Summarizes the overall security health of the Internet. Shows security trends including the top 10 rising ports. Also has a quick and easy to use port/ip lookup search feature at the top right.

ARIN WHOIS Database Search: Provides a mechanism for finding contact and registration information for resources registered with ARIN. Often used in penetration testing for discovering all the IP address space registered by an organization.

Robtex: A collection of various online tools such as DNS, whois, blacklist checking, reverse IP, etc., for examining domain names and IP addresses.

DNS History: Historical archive for DNS records. A DNS blacklist and Forward Confirmed reverse DNS tool for checking multiple blacklists simultaneously. Used to see if a given IP is in any of the hundreds of separate blacklists, likely for spam or abuse reasons.

SHODAN: Search engine that looks for public service banners.

Namedroppers: Lists registered domain names that match your search query. Useful for showing possible phishing sites.

Team Cymru: Provides charts and graphs on malicious Internet activity, as well as an always up-to-date bogon list (a series of IP blocks that should never be routed globally on the Internet. These IP addresses, which change periodically as IANA sees fit, are commonly found as the source address of DDoS attacks, which is why they should be included in your ingress/egress filters). They also manage the Darknet Project.

URLVoid: Allows visitors to submit a domain name and have it scanned by multiple web site reputation engines in order to flag malicious web sites.

Google Safe Browsing: Enter an address at the end of the URL ( used as an example) to see whether the site engages in malicious behavior such as drive-by downloads. Allows you to process the response to a URL request to see if there is anything malicious. Very detailed.

Unmask Parasites: Submit a web site name and have the page scanned for external references and suspicious scripts.

LongURL: Expand the shortened URLs that were compacted by any one of hundreds of different URL shortening services. Will also reveal any redirects and information about the final destination page.

Web Sniffer: Allows you to view the HTTP requests and responses of a site without visiting it. A similar site is Rex Swain's HTTP Viewer.

SSL Labs: SSL test for websites, allowing you to verify SSL metrics for a web site. Test your browser or MITM web proxy's SSL/TLS configuration to identify insecure settings. Easiest method is to click on Dashboard to perform all of the tests at once.

SSL Pulse: A survey of the SSL implementation of the most popular web sites.

Malware, Crime, & Exploits

Note: Some of the following may contain links to actual exploits, hacking tools, and/or possible "underground" sites. Do not click carelessly.

VirusTotal: An online service that allows you to upload a file and have it scanned by over 40 different virus scanners in order to detect any possible malware. Another site that provides similar services is Jotti's malware scan.

Comodo Instant Malware Analysis: Allows you to submit a suspicious executable for behavioral analysis. See the changes that the executable makes to registry keys, files, directories, drivers, processes, threads, as well as network behavior such as DNS queries, HTTP traffic generated, etc. Other good sites for this are, and

Shadowserver Foundation: The Shadowserver Foundation is a volunteer watchdog group of security professionals that gather, track, and report on malware, botnet activity, and electronic fraud. The purpose of the site is to raise awareness of the presence of compromised servers, malicious attackers, and the spread of malware.

PhishTank: A collaborative clearing house where anyone can submit, verify, track and share phishing data.

Exploit-DB: A repository of exploits that is frequently updated with the latest attacks. A somewhat similar site would be Packet Storm.

Offensive Computing: A well-stocked database of malware used for analysis purposes.

Malware Domain List: A list of malicious domains and URLs.

HACKMAGEDDON: A listing and timeline of cyber attacks.

News & Publications

Security Wizardry Computer Network Defence Situational Awareness: A site that is probably familiar to most people who have worked in a SOC. If you plan on displaying it 24x7 in an enterprise, as a safety measure we would recommend doing so on a dedicated hardened system (a hardened system with a browser that has no plugins enabled, with security extensions installed, and that isn't logged into the dashboards of your security appliances).

Threatpost: Up to date security news delivered by Kaspersky Labs.

Computer Crime Research Center: Divulges the latest cybercrime news.

Global Incident Map: Combines security news and events with Google maps. Very interesting to see.

(IN)SECURE Magazine: Free downloadable magazine that discusses the latest security topics on a technical and operational level.

Cryptology ePrint Archive: Archive of cryptology research papers.

Infosec Writers: A collection of various Information Security articles, white papers, and projects, contributed by people willing to share their knowledge and experiences on various aspects such as cryptography, email security, exploitation, firewalls, forensics, general security concepts, honeypots, IDS, malware, wireless security, etc.

CSIS Technology Publications: The Washington DC based Center for Strategic & International Studies' publications on technology topics, many of which relate to cybersecurity issues.

Symantec Internet Security Threat Report: Lengthy, well-presented report offered in multiple formats (PDF, Flash, Podcast) that provides analysis and discussion of threat activity over a six-month period, covering Internet attacks, vulnerabilities, malicious code, phishing, spam, security risks, and future trends.

Microsoft Security Intelligence Report: A semi-annual report from Microsoft that analyzes threats, vulnerabilities, exploits and attacks based on data from hundreds of millions of systems worldwide.

Media Destruction Guidance: The National Security Agency Media Destruction Guidance.

NIST Computer Security Special Publications (800 Series): A collection of documents published by NIST's Information Technology Laboratory that are of general interest to the computer security community.

Media Archives of Security Conventions

DEFCON Media Archive: A listing of all the content (audio, video, PDF, PowerPoint, executables, etc.) that was presented at DEFCON.

Black Hat Archives: Essentially the same as above but for the Black Hat briefings.

BlueHat Archive: An invitation-only Microsoft security conference held twice a year.

USENIX Multimedia Archives: Various conferences, workshops, and symposiums sponsored by the Advanced Computing Systems Association.

CanSecWest Material Archives: Three-day digital security conference held in Vancouver, Canada.

SecTor Presentation Archive: Security conference held in Toronto, Canada.

RECON Archive: Security conference with a focus on reverse engineering and exploitation, held annually in Montreal, Canada.

DFRWS Archives: Papers and slides presented at the annual Digital Forensic Research Workshop conferences.

Archive: Conference held in Luxembourg that discusses computer security, privacy, and the implications of IT on society.

Chaos Communication Congress Archive: The Chaos Computer Club's Chaos Communication Congress, held in Germany.

VB Conference: Virus Bulletin conference held in various locations with a focus on anti-malware.

Security Blogs

Metasploit: Blog related to the Metasploit Project.

Schneier on Security: Known by almost everybody in the security community.

F-Secure Weblog: Frequently updated with detailed analysis of recent malware and online scams.

Sophos Naked Security Blog: Lists the latest online scams and malware threats.

Mandiant M-unition: Insightful technical blog by Mandiant.

Krebs on Security: Brian Krebs has written many excellent reports for The Washington Post, some that resulted in action being taken against the criminal organizations. He now continues on his own with his blog.

Google Online Security Blog: Security news and insight from Google.

Websense Security Labs Blog: A frequent source of insight on new web-based security threats.

Twitter Security Feeds

Mikko Hypponen: Always tweeting interesting things.

Malware Domain List: Updates from Malware Domain List.

Microsoft Security Response: Important security-related information from Microsoft.

Vulnerability Information

Secunia Security Advisories: Excellent up-to-date source for the latest vulnerabilities. Another good source for similar content is SecurityFocus.

CVE Details: Billed as the ultimate security vulnerability datasource.

default password list: A list of default hardware and software passwords, searchable by vendor, product, and model number. If you are currently using a product with the default password still set, or with a variant of the default password, change it now!

A mailing list dedicated to discussing patches.


Packet Clearing House: Provides the worldwide list of Internet Exchange Points which form the core of the global Internet.

The Cooperative Association for Internet Data Analysis: Offers research, analysis, and visualization efforts into the behavior, usage, evolution, and infrastructure of the Internet.

Provides a list of public route servers that anybody can telnet to. Use them to run traceroutes and to help troubleshoot network issues.

IP to CIDR: One of the few CIDR calculators that converts IP ranges into CIDR notation.

Internet Traffic Report: Reveals the overall performance of the Internet's bandwidth.

GRC's Shields UP! test: Runs an online scan against your ports. Helpful for knowing which of your ports are visible on the Internet. Given that many people's home Internet connections are behind a router or DSL modem with a built-in firewall, this type of scan is very helpful in revealing which ports are open on the Internet versus which ports are open on your local network.

Operating Systems & Applications

CentOS: CentOS is essentially a binary copy of Red Hat Enterprise Linux (RHEL), except that, unlike RHEL, CentOS is 100% free. Probably this author's favorite Linux distribution for running a server (yes, more so than Debian). CentOS is stable, secure, easy to use, and is supported for a good length of time, unlike certain Linux distributions which stop supporting a release 1 year after the newest version is released. For example, CentOS 4, released in 2005, will have maintenance updates until 2012. It is also arguably the best known and most popular of the Red Hat Enterprise Linux clones. Those who are comfortable with their "*nix" skills and don't mind spending time configuring may also want to look into FreeBSD, which (for the uninitiated) is a Unix-like OS outside of the Linux family.

Qubes OS: An open source operating system designed to provide strong security through isolation.

Alpine Linux: A security-oriented, lightweight minimalist Linux distribution that can be used for various purposes.

Windows Sysinternals: A collection of several useful Windows tools, including network connection monitors, rootkit scanners, event log dumps, etc.

Microsoft Technet security tools list: Another collection of various Microsoft information security related tools.

An archive of older versions of software programs. Can be a useful educational tool in order to experiment with certain software vulnerabilities that become patched in newer versions. A similar site is

PRISM Break: Provides software suggestions to help opt out of global surveillance programs.


Open Reverse Code Engineering: A user community for reverse engineering focused heavily on malware and security tools.

Open HUB: Provides information regarding code for open source projects.

The Center for Internet Security: A not-for-profit organization that develops best practice guidance such as security hardening recommendations for the Internet community. Their benchmarks are well worth submitting your e-mail address to download.

FILExt: Online database of file extensions. Also provides the unique identifying characters for certain file types. Can be helpful for computer forensics. See also TrID for a downloadable utility that provides similar functionality.

Keylength: Use Keylength to easily compare encryption key requirements as recommended by various organizations.

Free Rainbow Tables: One of the better places to download rainbow tables and to understand the security implications of relying on hashes for password authentication.

Yellowpipe Encrypter / Decoder: Online tool that allows you to encode and decode documents in various formats. For example, by using the URL Decode function, you can decode an obscure URL such as "" into its human-readable text equivalent, which would be "", or decode a string that was encoded in base64 as an attempt at IDS evasion.

RegExr: Site to learn, build, and test Regular Expressions. Useful for people who wish to understand Snort rules.

User Agent String.Com: Analyzes user agent strings to reveal browser and operating system information.

AccountKiller: Provides specific instructions for deleting your account or profile from popular web sites such as Facebook, MSN, Gmail, Yahoo, etc. A similar site is Just Delete Me.

DuckDuckGo: A privacy-focused search engine that, unlike many other search engines, doesn't track you.

Market Share: Displays charts, statistics, and trends of the market share for web browsers, operating systems and search engines.

Two Factor Auth List: List of popular web sites and online services and whether they support two factor authentication.

ProtonMail: One of the better, more popular free encrypted email services hosted in Switzerland. Another one to consider is Tutanota. Both have apps for iOS and Android.