Blogs Worth It:
What the title says. There are a LOT of pentesting blogs, these are the ones i monitor constantly and value in the actual day to day testing work.
http://carnal0wnage.blogspot.com/
http://www.mcgrewsecurity.com/
http://www.gnucitizen.org/blog/
http://taosecurity.blogspot.com/
http://pentestmonkey.net/blog/
http://jeremiahgrossman.blogspot.com/
http://www.skullsecurity.org/blog/
http://preachsecurity.blogspot.com/
http://www.tssci-security.com/
http://www.gdssecurity.com/l/b/
http://bernardodamele.blogspot.com/
http://www.commonexploits.com/
http://www.sensepost.com/blog/
http://securityreliks.wordpress.com/
http://www.madirish.net/index.html
http://sirdarckcat.blogspot.com/
http://reusablesec.blogspot.com/
http://www.smashingpasswords.com/
http://wirewatcher.wordpress.com/
http://www.question-defense.com/
http://archangelamael.blogspot.com/
http://www.securityninja.co.uk/
http://securityandrisk.blogspot.com/
Forums:
Created for forums that will help in both tool usage, syntax, attack techniques, and collection of scripts and tools. Needs some help. I don't really frequent too many underground forums but i actually find nice one-off scripts and info i can roll into my own code in these places. Would like to add more.
http://sla.ckers.org/forum/index.php
http://www.backtrack-linux.org/forums/
http://www.elitehackers.info/forums/
http://www.hackthissite.org/forums/index.php
http://securityoverride.com/forum/index.php
http://www.governmentsecurity.org/forum/
Magazines:
http://www.net-security.org/insecuremag.php
Video:
http://www.irongeek.com/i.php?page=videos/aide-winter-2011
http://avondale.good.net/dl/bd/
http://achtbaan.nikhef.nl/27c3-stream/releases/mkv/
http://www.youtube.com/user/ChRiStIaAn008
http://www.youtube.com/user/HackingCons
Methodologies:
http://www.vulnerabilityassessment.co.uk/Penetration%20Test.html
http://www.pentest-standard.org/index.php/Main_Page
http://projects.webappsec.org/w/page/13246978/Threat-Classification
http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
http://www.social-engineer.org/
OSINT
Presentations:
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-%E2%80%93-part-2-blogs-message-boards-and-metadata/
http://www.spylogic.net/2009/10/enterprise-open-source-intelligence-gathering-part-3-monitoring/
http://www.slideshare.net/Laramies/tactical-information-gathering
http://www.sans.org/reading_room/whitepapers/privacy/document_metadata_the_silent_killer__32974
http://infond.blogspot.com/2010/05/toturial-footprinting.html
People and Organizational:
http://www.zoominfo.com/search
http://www.searchbug.com/default.aspx
http://entitycube.research.microsoft.com/
http://www.glassdoor.com/index.htm
http://searchwww.sec.gov/EDGARFSClient/jsp/EDGAR_MainAccess.jsp
http://twapperkeeper.com/index.php
Infrastructure:
https://www.ssllabs.com/ssldb/analyze.html
http://www.my-ip-neighbors.com/
http://www.exploit-db.com/google-dorks/
http://www.hackersforcharity.org/ghdb/
Exploits and Advisories:
http://www.milw0rm.com/ (Down permanently)
http://www.packetstormsecurity.org/
http://www.securityforest.com/wiki/index.php/Main_Page
http://www.securityfocus.com/bid
http://www.nullbyte.org.il/Index.html
http://secdocs.lonerunners.net/
http://www.phenoelit-us.org/whatSAP/index.html
Cheatsheets and Syntax:
http://cirt.net/ports_dl.php?export=services
http://blog.securitymonks.com/2009/08/15/whats-in-your-folder-security-cheat-sheets/
Agile Hacking:
http://www.gnucitizen.org/blog/agile-hacking-a-homegrown-telnet-based-portscanner/
http://blog.commandlinekungfu.com/
http://www.securityaegis.com/simple-yet-effective-directory-bruteforcing/
http://isc.sans.edu/diary.html?storyid=2376
http://isc.sans.edu/diary.html?storyid=1229
http://pauldotcom.com/2010/02/running-a-command-on-every-mac.html
http://synjunkie.blogspot.com/2008/03/command-line-ninjitsu.html
http://www.zonbi.org/2010/06/09/wmic-the-other-other-white-meat/
http://rstcenter.com/forum/22324-hacking-without-tools-windows.rst
http://www.coresecurity.com/files/p_w_uploads/Core_Define_and_Win_Cmd_Line.pdf
http://www.pentesterscripting.com/
http://www.sans.org/reading_room/whitepapers/hackers/windows-script-host-hack-windows_33583
OS and Scripts:
http://en.wikipedia.org/wiki/IPv4_subnetting_reference
http://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/
http://shelldorado.com/shelltips/beginner.html
http://mywiki.wooledge.org/BashPitfalls
http://www.iana.org/assignments/port-numbers
http://www.robvanderwoude.com/ntadmincommands.php
http://www.nixtutor.com/linux/all-the-best-linux-cheat-sheets/
Tools:
http://www.sans.org/security-resources/sec560/netcat_cheat_sheet_v1.pdf
http://www.secguru.com/files/cheatsheet/nessusNMAPcheatSheet.pdf
http://sbdtools.googlecode.com/files/hping3_cheatsheet_v1.0-ENG.pdf
http://sbdtools.googlecode.com/files/Nmap5%20cheatsheet%20eng%20v1.pdf
http://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf
http://rmccurdy.com/scripts/Metasploit%20meterpreter%20cheat%20sheet%20reference.html
http://h.ackack.net/cheat-sheets/netcat
Distros:
http://www.backtrack-linux.org/
http://samurai.inguardians.com/
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://www.hackfromacave.com/articles_and_adventures/katana_v2_release.html
http://www.piotrbania.com/all/kon-boot/
http://www.linuxfromscratch.org/
http://sumolinux.suntzudata.com/
http://blog.0x0e.org/2009/11/20/pentesting-with-an-ubuntu-box/#comments
Labs:
ISOs and VMs:
http://sourceforge.net/projects/websecuritydojo/
http://code.google.com/p/owaspbwa/wiki/ProjectSummary
http://informatica.uv.es/~carlos/docencia/netinvm/
http://www.bonsai-sec.com/en/research/moth.php
http://blog.metasploit.com/2010/05/introducing-metasploitable.html
http://pynstrom.net/holynix.php
http://gnacktrack.co.uk/download.php
http://sourceforge.net/projects/lampsecurity/files/
https://www.hacking-lab.com/news/newspage/livecd-v4.3-available.html
http://sourceforge.net/projects/virtualhacking/files/
http://www.irongeek.com/i.php?page=security/mutillidae-deliberately-vulnerable-php-owasp-top-10
http://sourceforge.net/projects/thebutterflytmp/
Vulnerable Software:
http://www.exploit-db.com/webapps/
http://code.google.com/p/wavsep/downloads/list
http://www.owasp.org/index.php/Owasp_SiteGenerator
http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmeshipping.aspx
http://www.mcafee.com/us/downloads/free-tools/hacmetravel.aspx
Test Sites:
http://crackme.cenzic.com/Kelev/view/home.php
http://zero.webappsecurity.com/banklogin.asp?
http://testaspnet.vulnweb.com/
http://hackme.ntobjectives.com/
Exploitation Intro:
If you'd like to get into exploit dev, these are really the guides and docs that will start you off in the right direction. Since Exploit dev is not my primary occupation this section could always use help.
http://myne-us.blogspot.com/2010/08/from-0x90-to-0x4c454554-journey-into.html
http://www.mgraziano.info/docs/stsi2010.pdf
http://www.abysssec.com/blog/2010/05/past-present-future-of-windows-exploitation/
http://www.ethicalhacker.net/content/view/122/2/
http://code.google.com/p/it-sec-catalog/wiki/Exploitation
http://x9090.blogspot.com/2010/03/tutorial-exploit-writting-tutorial-from.html
http://ref.x86asm.net/index.html
Reverse Engineering & Malware:
http://www.woodmann.com/TiGa/idaseries.html
http://www.binary-auditing.com/
http://www.offensivecomputing.net/
Passwords and Hashes:
http://www.irongeek.com/i.php?page=videos/password-exploitation-class
http://sinbadsecurity.blogspot.com/2008/10/ms-sql-server-password-recovery.html
http://www.foofus.net/~jmk/medusa/medusa-smbnt.html
http://www.foofus.net/?page_id=63
http://hashcrack.blogspot.com/
http://www.nirsoft.net/articles/saved_password_location.html
http://www.onlinehashcrack.com/
http://www.md5this.com/list.php?
http://www.virus.org/default-password
http://www.phenoelit-us.org/dpl/dpl.html
http://news.electricalchemy.net/2009/10/cracking-passwords-in-cloud.html
Wordlists:
http://contest.korelogic.com/wordlists.html
http://packetstormsecurity.org/Crackers/wordlists/
http://www.skullsecurity.org/wiki/index.php/Passwords
http://www.ericheitzman.com/passwd/passwords/
Pass the Hash:
http://www.sans.org/reading_room/whitepapers/testing/pass-the-hash-attacks-tools-mitigation_33283
http://www.sans.org/reading_room/whitepapers/testing/crack-pass-hash_33219
http://carnal0wnage.blogspot.com/2008/03/using-pash-hash-toolkit.html
MiTM:
http://www.giac.org/certified_professionals/practicals/gsec/0810.php
http://www.linuxsecurity.com/docs/PDF/dsniff-n-mirror.pdf
http://www.cs.uiuc.edu/class/sp08/cs498sh/slides/dsniff.pdf
http://www.mindcenter.net/uploads/ECCE101.pdf
http://toorcon.org/pres12/3.pdf
http://media.techtarget.com/searchUnifiedCommunications/downloads/Seven_Deadliest_UC_Attacks_Ch3.pdf
http://packetstormsecurity.org/papers/wireless/cracking-air.pdf
http://www.blackhat.com/presentations/bh-europe-03/bh-europe-03-valleri.pdf
http://www.oact.inaf.it/ws-ssri/Costa.pdf
http://mcafeeseminar.com/focus/downloads/Live_Hacking.pdf
http://www.seanobriain.com/docs/PasstheParcel-MITMGuide.pdf
http://www.more.net/sites/default/files/2010JohnStrandKeynote.pdf
http://www.leetupload.com/database/Misc/Papers/Asta%20la%20Vista/18.Ettercap_Spoof.pdf
http://bandwidthco.com/whitepapers/netforensics/arp/EtterCap%20ARP%20Spoofing%20&%20Beyond.pdf
http://bandwidthco.com/whitepapers/netforensics/arp/Fun%20With%20EtterCap%20Filters.pdf
http://www.iac.iastate.edu/iasg/libarchive/0910/The_Magic_of_Ettercap/The_Magic_of_Ettercap.pdf
http://articles.manugarg.com/arp_spoofing.pdf
http://academy.delmar.edu/Courses/ITSY2430/eBooks/Ettercap(ManInTheMiddleAttack-tool).pdf
http://www.ucci.it/docs/ICTSecurity-2004-26.pdf
http://blog.spiderlabs.com/2010/12/thicknet.html
http://www.hackyeah.com/2010/10/ettercap-filters-with-metasploit-browser_autopwn/
http://www.go4expert.com/forums/showthread.php?t=11842
http://www.irongeek.com/i.php?page=security/ettercapfilter
http://openmaniak.com/ettercap_filter.php
http://www.irongeek.com/i.php?page=videos/dns-spoofing-with-ettercap-pharming
http://www.irongeek.com/i.php?page=videos/ettercap-plugins-find-ip-gw-discover-isolate
http://www.irongeek.com/i.php?page=videos/ettercapfiltervid1
http://spareclockcycles.org/2010/06/10/sergio-proxy-released/
Tools:
OSINT:
http://www.edge-security.com/theHarvester.php
http://www.mavetju.org/unix/dnstracer-man.php
Metadata:
http://www.sans.org/reading_room/whitepapers/privacy/document-metadata-silent-killer_32974
http://lcamtuf.coredump.cx/strikeout/
http://www.sno.phy.queensu.ca/~phil/exiftool/
http://www.edge-security.com/metagoofil.php
http://www.darkoperator.com/blog/2009/4/24/metadata-enumeration-with-foca.html
Google Hacking:
http://www.stachliu.com/index.php/resources/tools/google-hacking-diggity-project/
http://midnightresearch.com/projects/search-engine-assessment-tool/#downloads
http://sqid.rubyforge.org/#next
http://voidnetwork.org/5ynL0rd/darkc0de/python_script/dorkScan.html
Web:
http://www.bindshell.net/tools/beef
http://blindelephant.sourceforge.net/
http://sourceforge.net/projects/rips-scanner/
http://www.divineinvasion.net/authforce/
http://andlabs.org/tools.html#sotf
http://www.taddong.com/docs/Browser_Exploitation_for_Fun&Profit_Taddong-RaulSiles_Nov2010_v1.1.pdf
http://carnal0wnage.blogspot.com/2007/07/using-sqid-sql-injection-digger-to-look.html
http://code.google.com/p/pinata-csrf-tool/
http://xsser.sourceforge.net/#intro
http://www.contextis.co.uk/resources/tools/clickjacking-tool/
http://packetstormsecurity.org/files/view/69896/unicode-fun.txt
http://sourceforge.net/projects/ws-attacker/files/
https://github.com/koto/squid-imposter
-----------------------------------