When the bitcoin rise to all time high this year it generate once again an opportunity for every one with a decent computer  to earn a lite bit with minimum investment.

Bitcoin Mining software's are specialized tools which uses your computing power in order to mine cryptocurrency. In exchange of mining operation, you can receive a monetary reward in the form of digital currency. These applications provide a detailed report based on your earnings. Many such tools are automated, and hence there is no need for technical skills.

Following is a handpicked list of Top Bitcoin Mining Software, with their popular features and website links. The list contains both open source (free) and commercial (paid) software.

1) Kryptex

Kryptex is an application that helps you to mine cryptocurrency and allows you to pay dollars or bitcoins. This application also works when your PC is idle.

Features:

• You can setup this software with ease.
• This cryptocurrency mining software provides a clean GUI.
• It automatically starts when you turn on the PC.
• Mine with your CPU and GPU.
• It is available in English, Spanish, Portuguese and more.

2) BeMine

Established in early 2018, BeMine provides its services in Russia and CIS countries. They were pioneers of cloudsharing of ASIC-miners. BeMine operates more than ~70,000Th/s placed in Irkutsk, Moscow, and Chelyabinsk region, in Siberia, even in Almaty, Kazakhstan and they keep scaling. BeMine unites Russian data-centers, as well as miners and individuals who want to participate in cryptocurrency around the world.

Features:

• Users can purchase and store mining equipment, without the need for personal presence during the purchase, transportation, installation, configuration, and maintenance of ASIC.
• Miners are invited to store their equipment in partnered data-centers
• If you don’t want to purchase the whole ASIC-miner, you can also try shares. BeMine can sell up to 1/100 share of exact ASIC for a reasonable price, which may become a very useful way to start a coin mining experience without the necessity of purchasing a whole expensive machine itself.
• You can avail door-to-door delivery of ASIC.
• Fare cloud contracts with deposit extraction.

3) ECOS

ECOS is one of the best cloud mining providers out in the industry. It was established in 2017 in the Free Economic Zone along with an agreement signed between the Government of Armenia and the company. It is the first cloud mining provider that is operating with legal status. ECOS has more than 50 000 users of all over the world

Features:

• The minimum price for a mining contract is $49
• Convenient calculator on the website for choosing a mining contract
• Daily payments
• Withdrawals from 0.001 BTC
• Weekly promotions and auctions for registered users
• Get a free mining contract for 1 month after registration

4) Computta

Computta is a software and services create by cryptography professionals to enable you to make digital money. It offers a simple and intuitive interface.

Features:

• Setup with just a couple of mouse clicks.
• Compatible with all computer systems.
• It is an automated tool, hence there is no need for technical skills.
• Provides a detailed report based on your earnings.
• It is a free bitcoin miner software.
• You can customize the way you like.

5) Cudo Miner

Cudeo Miner cryptocurrency miner enables you to earn as much money as possible from your PC or laptop. It is easy to install, secure to use, and safe on your hardware.

Features:

• It offers auto coin switching to maximize profit.
• Provides setting and control to adjust GPU speed and performing optimization.
• Supports CPU, GPU, and ASIC mining.
• It has an advanced hashing algorithm that allows for more customized mining.
• Security through multi-factor authentication.
• You can view your stats, earnings, manage users withdraw funds, and more with ease.
• You can access it from the command line interface.

6) Hashing24

Hashing24 is a software that enables you to mine cryptocurrency without buying any equipment. The tool provides access to real-world data centers. It can automatically deposit your earned mined coins to the balance.

Features:

• You can mine cryptocurrency without any hassle.
• It has data centers in many countries, including Norway, Canada, Georgia, and Iceland.
• The newest ASIC chips.
• Offers intuitive interface.
• It uses the latest air and cooling technology.

Now that people know how to make a passive income in crypto, the traditional financial sector needs to keep up, or else it risks becoming redundant. With the increase in crypto regulation over the last few months, the infrastructure is becoming more robust, appealing to once-skeptics and previous neigh-sayers. As the world of crypto continues to expand, we can expect to see more opportunities to put your money to work with the use of DeFi and other blockchain-based services.  

It doesn't matter if you are a sysadmin or a hacker, if your budget is low and you are looking for a free way, maybe this tutorial will come in handy .

In this tutorial I will use Freenode IRC network, as IRC client MIRC  and a simple old bot written in C .

Install MIRC

mIRC is a full featured Internet Relay Chat client for Windows that can be used to communicate, share, play or work with others on IRC networks around the world, either in multi-user group conferences or in one-to-one private discussions.

It has a clean, practical interface that is highly configurable and supports features such as buddy lists, file transfers, multi-server connections, IPv6, SSL encryption, proxy support, UTF-8 display, UPnP, customizable sounds, spoken messages, tray notifications, message logging, and more.

Getting Started with mIRC

Let's open Mirc to create a channel where we will run my operation command center.

Click Continue twice.

Choose your nickname and click ok.

File -> Select Server.

Select Add.

As a server we will use Freenode server 195.154.200.232 or chat.freenode.net on port 6667

Click the Connect button.

The favorite window should popup if not on the tab menu click Favorite ->More... .

Now I will create a new channel - password protected. My channel will be called DigWalker and the password will be test123 .

To join or create a channel you can run on any window

/j <MyChannelName>

or you can join from Favorite window.

Let's set the password for the new channel.

Mouse click right on the channel window will show the option Channel Modes

Check the Key option, write the channel password and click ok.

Now we are ready! Our command and control center is ready and running.

Setup an environment

Basic architecture of what I want to accomplish should look like this.

It doesn't mater if bots are dockers or virtual server heck, it will work on some hardware too, like routers and BusyBox's.

Without IRC I will have a bunch of machines working and it will take me more time to configure all of them one by one- for instance if I want to run a "node js install" on all of them.

First lets start up some servers.

As "play ground" I choose Kamatera platform because you can really do things fast there.

Super fast, easy to use and all plans are transparent, with no hidden costs.

After login

Select My Cloud->Servers -> Create New Server

Choose server zone. I choose Europe FRANKFURT

Choose server image. I selected Ubuntu.

The serves will have only Public Network.

Choose server specifications

Here I will generate 4 servers with same spec's and credentials.

I'm choosing hourly billing because the servers will be temporary.

Click CREATE SERVERS and your servers request will be added to the Tasks Queue.

Running the bots

As a bot I choose a little guy written by some one called Konewka.

https://dl.packetstormsecurity.net/irc/kenny.c

If the link will not work contact me for a copy.

The bot was designed to be a backdoor, very simple and will give us the power to run bash commands or disconnect from IRC network.

For something more robust I think you must implement some other options like password on commands, elevate an user permissions as "channel admin" etc...

In this tutorial I will use a "root user" so you need to take care of privilege escalation before going forward.

Login in bot1

Let's make a script to download, compile and run the bot.

Paste the script

Exit vim ":wq" to save as run.sh.

As you see I'm installing gcc and this will change depending on your system.

The bot will run on almost any system.

Make the script executable

Run the script

The bot is running.

As you see my bot is connected and listening to my inputs.

Let's copy the bot on the remaining servers.

We will not compile again because my servers are clones an they don't have different cpu or different OS.

Now let's run the second bot

After we run the bot we will see it on the channel

Now i will do the same thing for bot3 and bot4 in the end i will get the a private channel accessible only with password, me as administrator and 4 bots.

At the end we will have something like this

Let's run some commands with the bots.

Because I write "!sys pwd" on the channels all the bots answered but, if i want only one bot to run something I can open a private message window and send the command only to that specific bot.

As you see the bot will answer on the channel.

We can send a private message from the channel window to a specific user:

/msg ZW11hQ10 !sys date

Now you can delete the botX.out file because the bot will run on memory.

If you deleted the bot file now you have 3 options to kill the bot:

1. Restart the bot OS

2. Send command from IRC "!exit"

3. Kill the bot process.

This article should be use only for educational for purpose only!

If you have any question fill free to drop a message on Facebook.

Digital forensics (sometimes known as digital forensic science) is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. The term digital forensics was originally used as a synonym for computer forensics but has expanded to cover investigation of all devices capable of storing digital data. With roots in the personal computing revolution of the late 1970s and early 1980s, the discipline evolved in a haphazard manner during the 1990s, and it was not until the early 21st century that national policies emerged.

Any digital forensics practitioner will have a wide variety of tools in their kit. At one end of the spectrum you have single-purpose open source tools like the packet sniffer Wireshark or HashKeeper, a free-to-use program that can speed the examination of database files. At the other end, you have powerful commercial software platforms with multiple functions and slick reporting capabilities like Encase, or CAINE, an entire Linux distribution dedicated to forensics work.

Today I will present you some powerful free tools you can play with

• Hex File Headers
• grep/egrep
• sort
• awk
• sed
• uniq
• date
• Windows findstr

Hex File Header and ASCII Equivalent

File headers are used to identify a file by examining the first 4 or 5 bytes of its hexadecimal content.

grep/egrep

grep's strength is extracting information from text files. grep operates on one or multiple files when provided with a command line argument(s) that can also include wildcards:

Example: grep "John" addressbook  Would return the lines that contained the "John" string in the addressbook text file

Some useful flags:

-A Print number of lines after the match -B Print number of lines before match -c Report number of occurrences -f Reads one or more patterns from a file. Pattern are terminated by a newline -h Suppress the file names on the output -i Ignore case -l Report matching files, not matching lines -P Interpret pattern as a Perl Regex -v  Reverse operation: return the lines not matching the string

The egrep (extended grep) utility can be useful to match several possible strings at the same time (in an OR mode):

egrep "John|Peter" addressbook  grep "John|Peter" addressbook

sort

sort, as its name implies, will sort the output. There are a few interesting options you can use:

-d Uses dictionary order. Only letters, digits and blanks. -n  will sort the output assuming it is numerical (instead of string) -u will remove redundant line, 'uniquing' the results

awk

awk is an extremely useful tool, especially for parsing data structured in columns. It is straightforward to use for simple purposes. Its basic use is to select some particular columns from the output: column 1 is referred to as $1, column 2 as $2, etc.

The space is the default awk separator. However if you want to be able to parse data separated by some other character, e.g. ":", you can use the -F flag.

Example:  echo "hello:goodbye" | awk -F: '{print $2}'

Would return "goodbye" as an output

sed

sed is an excellent command for character substitution. Example: if you want to substitute the first occurrence of the 'a' character by an 'e':

echo "hallo" | sed 's/a/e/'

The output would be: hello You can use the g modifier to substitute all instances:

echo "Hallo Janny" | sed 's/a/e/g'

The output would be: Hello Jenny

uniq

The uniq command reads the input and compares adjacent lines. If two or more adjacent lines are identical, all but one is removed.

Here is a list of the most common options used with uniq:

-c     Prefix line with number of occurrence -f     Avoid comparing the first N fields -i     Ignore case -s     Avoid comparing the first N characters -u     Only print unique lines

Consider this input file:

a      

b      

c          

b

Now run uniq on it: sort testfile | uniq      a      b      c Now run uniq -c on it:                 1   a    

2   b    

1   c

date

Check the date man page for more options.

Returns the real date from epoch time: date –d @1284127201

Return an epoch time of 1288756800: date +%s -d “2010-11-03”

Return a 2 days old date:  date --date="-2 days"  +"%Y-%m-%d"

Return 20:00 hours: date -d @1288310401 +%k:%M

Windows findstr

The Windows findstr has one interesting feature that differs from grep. If you need to search for multiple strings, you need to separate them with a space.

For example, you want or need to look for a match for WHITE or GREEN in a text file, you write your command like this:

findstr "WHITE GREEN" textfile

To make the search case insensitive, add the /I to print all variant of WHITE or GREEN.

Windows findstr Command List

/B Matches pattern if at the beginning of  a line.

/E Matches pattern if at the end of a line.

/L Uses search strings literally.

/R Uses search strings as regular expressions.

/S Searches for matching files in the current directory and all subdirectories.

/I Specifies that the search is not to be case-sensitive.

/X Prints lines that match exactly.

/V Prints only lines that do not contain a match.

/N Prints the line number before each line that matches.

/M Prints only the filename if a file contains a match.

/O Prints character offset before each matching line.

/P Skip files with non-printable characters.

Web Application Vulnerability Scanners are automated tools that scan web applications, normally from the outside, to look for security vulnerabilities such as Cross-site scripting, SQL Injection, Command Injection, Path Traversal and insecure server configuration. This category of tools is frequently referred to as Dynamic Application Security Testing (DAST) Tools. A large number of both commercial and open source tools of this type are available and all of these tools have their own strengths and weaknesses. If you are interested in the effectiveness of DAST tools, check out the OWASP Benchmark project, which is scientifically measuring the effectiveness of all types of vulnerability detection tools, including DAST.

W3AF

w3af is an open source web application used for security scanning. It is also called web application attack or audit framework. This application provides vulnerabilities scanner and exploiting tools for web applications. This project play an important role in penetration testing engagement because it’s provide information about security vulnerabilities.

Fast HTTP Client

• Proxy support
• HTTP Basic and Digest authentication
• UserAgent faking
• Add custom headers to requests
• Cookie handling
• HTTP response cache
• DNS cache
• File upload using multipart

Fuzzing

• Query string
• POST-data
• Headers
• Cookie values
• Multipart/form file content
• URL filename
• URL path

Nikto

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Nikto is not designed as a stealthy tool. It will test a web server in the quickest time possible, and is obvious in log files or to an IPS/IDS. However, there is support for LibWhisker’s anti-IDS methods in case you want to give it a try (or test your IDS system).

Not every check is a security problem, though most are. There are some items that are “info only” type checks that look for things that may not have a security flaw, but the webmaster or security engineer may not know are present on the server. These items are usually marked appropriately in the information printed. There are also some checks for unknown items which have been seen scanned for in log files.

Features

• SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
• Full HTTP proxy support
• Checks for outdated server components
• Save reports in plain text, XML, HTML, NBE or CSV
• Template engine to easily customize reports
• Scan multiple ports on a server, or multiple servers via input file (including nmap output)
• LibWhisker’s IDS encoding techniques
• Easily updated via command line
• Identifies installed software via headers, favicons and files
• Host authentication with Basic and NTLM
• Subdomain guessing
• Apache and cgiwrap username enumeration
• Mutation techniques to “fish” for content on web servers
• Scan tuning to include or exclude entire classes of vulnerability checks
• Guess credentials for authorization realms (including many default id/pw combos)
• Authorization guessing handles any directory, not just the root directory
• Enhanced false positive reduction via multiple methods: headers,
• page content, and content hashing
• Reports “unusual” headers seen
• Interactive status, pause and changes to verbosity settings
• Save full request/response for positive tests
• Replay saved positive requests
• Maximum execution time per target
• Auto-pause at a specified time
• Checks for common “parking” sites
• Logging to Metasploit
• Thorough documentation

Burp Suite

Burp Suite is a Java based Web Penetration Testing framework. It has become an industry standard suite of tools used by information security professionals. Burp Suite helps you identify vulnerabilities and verify attack vectors that are affecting web applications. Because of its popularity and breadth as well as depth of features.

Features

• Easy scan set-up
• Recurring scanning
• Out-of-box configurations
• Multi-faceted AST
• Scheduled scanning
• Agent-led scanning
• Custom configurations
• Burp Scanner

OWASP ZAP

OWASP ZAP, short for Zed Attack Proxy, is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers.

It is one of the most active OWASP projects and has been given Flagship status.

When used as a proxy server it allows the user to manipulate all of the traffic that passes through it, including traffic using https.

It can also run in a daemon mode which is then controlled via a REST API.

Features

• Automatic updates and pull request analysis.
• The scalability of this product is very good.
• The reporting is quite intuitive, which gives you a clear indication of what kind of vulnerability you have that you can drill down on to gather more information.
• The OWASP's tool is free of cost, which gives it a great advantage, especially for smaller companies to make use of the tool.
• It can be used effectively for internal auditing.
• The community edition updates services regularly. They add new vulnerabilities into the scanning list.

Having a website for your business might seem obvious to some, but it turns out more than 50 percent of U.S. small businesses still don't have even a basic website. To many customers, your presence on the web is their first impression of your business. It should be critical to have a website that showcases who you are and what you do.

If you haven't created a website yet, some simple tools can help you bring your business online, where the customers are,  so you can keep doing what you do best:

Weebly

Weebly offers a drag-and-drop website builder with 40+ mobile-friendly themes. It includes a blog, image galleries and an online store. Next to the free plan there is Weebly Professional at $12/month, which is the cheapest ad-free plan and lets you use your own domain name.

Colors

Pick colors that are complementary and match the characteristics of your brand.

Pigment - This awesome tool by shapefactory helps showcase complementary colors with a vibe that kind of looks like an early 70s carpet.

Adobe Color Wheel - A great way to experiment with different color combinations.

Brand colors - If you ever wanted to know what colors your favorite brand uses, this site has a fairly comprehensive list.

Coolors - A fun way to generate color schemes with an image uploader that can read the colors from your image and output a color scheme.

Color Palette Guide - They do an excellent job of laying out this information, so if you want to learn more, check it out!

Font

Fonts can say a lot about your brand, and like colors, it’s important that you choose fonts that pair well with each other. You can have one font for our titles or headers and another font for the text on the body of our site.

Font Pair - Extremely comprehensive list of font pairings.

Logos

As mentioned earlier, logos are really fun. Playing around with logo makers can easily become a new hobby. That being said, it can be difficult to get an output from a logo maker that doesn’t...look like it came from a logo maker.

Here are some services that make hiring a designer easy and hassle-free:

99Designs - We love this service. It’s a great way to find a designer, while already specifying what exactly you need. There’s also a wide range of prices — from hiring a super professional logo designer to someone still in college who just might be the next Paul Rand.

Fiverr - An easy service for hiring freelancers.

If you’re set on going with a web-based logo service, here a few of the best:

Logo by Shapefactory - A bit more expensive than other services, but there’s a feeling of high design to the logos that is hard to find elsewhere.

Logojoy - Another great logo design program that’s only getting better. A good one to try with a very fun onboarding process.

Tailor Brands - Another logo building tool with an easy onboarding flow.

Logo Maker - A great tool that’s in the Weebly App Center.

Content

Once you have your colors, fonts and logos, you’re probably going to want to do something with them. Here are a few tools that help you apply your brand identity to things like Instagram content, blog posts and more.

Adobe Spark - Adobe’s tool that helps you make elements for social media, using your brand guidelines. It’s easy to use — and more importantly, easy to make your assets look good.

Canva - Easy-to-use tools that help make adding text to images a breeze.

Copywriting

If you’re someone who has difficulty with typos, or always needs a proofreader, there are apps that help clarify your language and make sure what you’re writing is readable and clear.

Grammarly - This tool is an amazing spelling and grammar checker that also tracks how well you’re doing with your accuracy. Great for writing copy — and generally just helps you write better.

Hemingway App - This app will help turn your boring, everyday paragraphs into powerful, concise novellas about the human condition and very nature of man. Just kidding! It just helps you write clearer sentences — which is always good for copy and marketing materials.

Just about every geek and nerd that wants to be a hacker always wants to skip straight to the good stuff, and it’s no wonder why. There’s a certain amount of mystery, intrigue, and awe in being able to used advanced tools (such as those found on Kali Linux like Metasploit) to hack into another computing system. Hackers have been around for decades now, and are frequently present in action and thriller films, such as The Matrix.

But there’s one big problem. These tools work almost exclusively at the command line, or in Linux, the BASH shell.

Here is the Cheatsheet for Bash that will help you to build your skills:

Example

#!/usr/bin/env bash

NAME="John"
echo "Hello $NAME!"

Variables

NAME="John"
echo $NAME
echo "$NAME"
echo "${NAME}!"

String quotes

NAME="John"
echo "Hi $NAME"  #=> Hi John
echo 'Hi $NAME'  #=> Hi $NAME

Shell execution

echo "I'm in $(pwd)"
echo "I'm in `pwd`"
# Same

Conditional execution

git commit && git push
git commit || echo "Commit failed"

Functions

get_name() {
  echo "John"
}

echo "You are $(get_name)"

Conditionals

if [[ -z "$string" ]]; then
  echo "String is empty"
elif [[ -n "$string" ]]; then
  echo "String is not empty"
fi

Strict mode

set -euo pipefail
IFS=$'\n\t'

Brace expansion

echo {A,B}.js

{A,B}Same as A B{A,B}.jsSame as A.js B.js{1..5}Same as 1 2 3 4 5

Basics

name="John"
echo ${name}
echo ${name/J/j}    #=> "john" (substitution)
echo ${name:0:2}    #=> "Jo" (slicing)
echo ${name::2}     #=> "Jo" (slicing)
echo ${name::-1}    #=> "Joh" (slicing)
echo ${name:(-1)}   #=> "n" (slicing from right)
echo ${name:(-2):1} #=> "h" (slicing from right)
echo ${food:-Cake}  #=> $food or "Cake"

length=2
echo ${name:0:length}  #=> "Jo"

STR="/path/to/foo.cpp"
echo ${STR%.cpp}    # /path/to/foo
echo ${STR%.cpp}.o  # /path/to/foo.o

echo ${STR##*.}     # cpp (extension)
echo ${STR##*/}     # foo.cpp (basepath)

echo ${STR#*/}      # path/to/foo.cpp
echo ${STR##*/}     # foo.cpp

echo ${STR/foo/bar} # /path/to/bar.cpp

STR="Hello world"
echo ${STR:6:5}   # "world"
echo ${STR:-5:5}  # "world"

SRC="/path/to/foo.cpp"
BASE=${SRC##*/}   #=> "foo.cpp" (basepath)
DIR=${SRC%$BASE}  #=> "/path/to/" (dirpath)

Substitution ${FOO%suffix}Remove suffix${FOO#prefix}Remove prefix${FOO%%suffix}Remove long suffix${FOO##prefix}Remove long prefix${FOO/from/to}Replace first match${FOO//from/to}Replace all${FOO/%from/to}Replace suffix${FOO/#from/to}Replace prefix

Comments

# Single line comment

: '
This is a
multi line
comment
'

Substrings${FOO:0:3}Substring (position, length)${FOO:-3:3}Substring from the right

Length${#FOO}Length of $FOO

Manipulation

STR="HELLO WORLD!"
echo ${STR,}   #=> "hELLO WORLD!" (lowercase 1st letter)
echo ${STR,,}  #=> "hello world!" (all lowercase)

STR="hello world!"
echo ${STR^}   #=> "Hello world!" (uppercase 1st letter)
echo ${STR^^}  #=> "HELLO WORLD!" (all uppercase)

Default values${FOO:-val}$FOO, or val if not set${FOO:=val}Set $FOO to val if not set${FOO:+val}val if $FOO is set${FOO:?message}Show error message and exit if $FOO is not set

Basic for loop

for i in /etc/rc.*; do
  echo $i
done

C-like for loop

for ((i = 0 ; i < 100 ; i++)); do
  echo $i
done

Ranges

for i in {1..5}; do
    echo "Welcome $i"
done

With step size

for i in {5..50..5}; do
    echo "Welcome $i"
done

Reading lines

cat file.txt | while read line; do
  echo $line
done

Forever

while true; do
  ···
done

Defining functions

myfunc() {
    echo "hello $1"
}

# Same as above (alternate syntax)
function myfunc() {
    echo "hello $1"
}

myfunc "John"

Returning values

myfunc() {
    local myresult='some value'
    echo $myresult
}

result="$(myfunc)"

Raising errors

myfunc() {
  return 1
}

if myfunc; then
  echo "success"
else
  echo "failure"
fi

Arguments $#Number of arguments$*All arguments$@All arguments, starting from first$1First argument$_Last argument of the previous command

Conditionals

Conditions

Note that [[ is actually a command/program that returns either 0 (true) or 1 (false). Any program that obeys the same logic (like all base utils, such as grep(1) or ping(1)) can be used as condition, see examples. [[ -z STRING ]]Empty string[[ -n STRING ]]Not empty string[[ STRING == STRING ]]Equal[[ STRING != STRING ]]Not Equal[[ NUM -eq NUM ]]Equal[[ NUM -ne NUM ]]Not equal[[ NUM -lt NUM ]]Less than[[ NUM -le NUM ]]Less than or equal[[ NUM -gt NUM ]]Greater than[[ NUM -ge NUM ]]Greater than or equal[[ STRING =~ STRING ]]Regexp(( NUM < NUM ))Numeric conditions [[ -o noclobber ]]If OPTIONNAME is enabled[[ ! EXPR ]]Not[[ X ]] && [[ Y ]]And[[ X ]] || [[ Y ]]Or

File conditions [[ -e FILE ]]Exists[[ -r FILE ]]Readable[[ -h FILE ]]Symlink[[ -d FILE ]]Directory[[ -w FILE ]]Writable[[ -s FILE ]]Size is > 0 bytes[[ -f FILE ]]File[[ -x FILE ]]Executable[[ FILE1 -nt FILE2 ]]1 is more recent than 2[[ FILE1 -ot FILE2 ]]2 is more recent than 1[[ FILE1 -ef FILE2 ]]Same files

Example

# String
if [[ -z "$string" ]]; then
  echo "String is empty"
elif [[ -n "$string" ]]; then
  echo "String is not empty"
fi

# Combinations
if [[ X ]] && [[ Y ]]; then
  ...
fi

# Equal
if [[ "$A" == "$B" ]]

# Regex
if [[ "A" =~ . ]]

if (( $a < $b )); then
   echo "$a is smaller than $b"
fi

if [[ -e "file.txt" ]]; then
  echo "file exists"
fi

Defining arrays

Fruits=('Apple' 'Banana' 'Orange')

Fruits[0]="Apple"
Fruits[1]="Banana"
Fruits[2]="Orange"

Working with arrays

echo ${Fruits[0]}           # Element #0
echo ${Fruits[@]}           # All elements, space-separated
echo ${#Fruits[@]}          # Number of elements
echo ${#Fruits}             # String length of the 1st element
echo ${#Fruits[3]}          # String length of the Nth element
echo ${Fruits[@]:3:2}       # Range (from position 3, length 2)

Operations

Fruits=("${Fruits[@]}" "Watermelon")    # Push
Fruits+=('Watermelon')                  # Also Push
Fruits=( ${Fruits[@]/Ap*/} )            # Remove by regex match
unset Fruits[2]                         # Remove one item
Fruits=("${Fruits[@]}")                 # Duplicate
Fruits=("${Fruits[@]}" "${Veggies[@]}") # Concatenate
lines=(`cat "logfile"`)                 # Read from file

Iteration

for i in "${arrayName[@]}"; do
  echo $i
done

Defining

declare -A sounds

sounds[dog]="bark"
sounds[cow]="moo"
sounds[bird]="tweet"
sounds[wolf]="howl"

Working with dictionaries

echo ${sounds[dog]} # Dog's sound
echo ${sounds[@]}   # All values
echo ${!sounds[@]}  # All keys
echo ${#sounds[@]}  # Number of elements
unset sounds[dog]   # Delete dog

Iteration

Iterate over values

for val in "${sounds[@]}"; do
  echo $val
done

Iterate over keys

for key in "${!sounds[@]}"; do
  echo $key
done

Options

set -o noclobber  # Avoid overlay files (echo "hi" > foo)
set -o errexit    # Used to exit upon error, avoiding cascading errors
set -o pipefail   # Unveils hidden failures
set -o nounset    # Exposes unset variables

Glob options

shopt -s nullglob    # Non-matching globs are removed  ('*.foo' => '')
shopt -s failglob    # Non-matching globs throw errors
shopt -s nocaseglob  # Case insensitive globs
shopt -s dotglob     # Wildcards match dotfiles ("*.sh" => ".foo.sh")
shopt -s globstar    # Allow ** for recursive matches ('lib/**/*.rb' => 'lib/a/b/c.rb')

CommandshistoryShow historyshopt -s histverifyDon’t execute expanded result immediately

Expansions!$Expand last parameter of most recent command!*Expand all parameters of most recent command!-nExpand nth most recent command!nExpand nth command in history!<command>Expand most recent invocation of command <command>

Operations!!Execute last command again!!:s/<FROM>/<TO>/Replace first occurrence of <FROM> to <TO> in most recent command!!:gs/<FROM>/<TO>/Replace all occurrences of <FROM> to <TO> in most recent command!$:tExpand only basename from last parameter of most recent command!$:hExpand only directory from last parameter of most recent command

!! and !$ can be replaced with any valid expansion.

Slices!!:nExpand only nth token from most recent command (command is 0; first argument is 1)!^Expand first argument from most recent command!$Expand last token from most recent command!!:n-mExpand range of tokens from most recent command!!:n-$Expand nth token to last from most recent command

!! can be replaced with any valid expansion i.e. !cat, !-2, !42, etc.

Numeric calculations

$((a + 200))      # Add 200 to $a

$((RANDOM%=200))  # Random number 0..200

Subshells

(cd somedir; echo "I'm now in $PWD")
pwd # still in first directory

Redirection

python hello.py > output.txt   # stdout to (file)
python hello.py >> output.txt  # stdout to (file), append
python hello.py 2> error.log   # stderr to (file)
python hello.py 2>&1           # stderr to stdout
python hello.py 2>/dev/null    # stderr to (null)
python hello.py &>/dev/null    # stdout and stderr to (null)

python hello.py < foo.txt      # feed foo.txt to stdin for python

Inspecting commands

command -V cd
#=> "cd is a function/alias/whatever"

Trap errors

trap 'echo Error at about $LINENO' ERR

or

traperr() {
  echo "ERROR: ${BASH_SOURCE[1]} at about ${BASH_LINENO[0]}"
}

set -o errtrace
trap traperr ERR

Case/switch

case "$1" in
  start | up)
    vagrant up
    ;;

  *)
    echo "Usage: $0 {start|stop|ssh}"
    ;;
esac

Source relative

source "${0%/*}/../share/foo.sh"

printf

printf "Hello %s, I'm %s" Sven Olga
#=> "Hello Sven, I'm Olga

printf "1 + 1 = %d" 2
#=> "1 + 1 = 2"

printf "This is how you print a float: %f" 2
#=> "This is how you print a float: 2.000000"

Directory of script

DIR="${0%/*}"

Getting options

while [[ "$1" =~ ^- && ! "$1" == "--" ]]; do case $1 in
  -V | --version )
    echo $version
    exit
    ;;
  -s | --string )
    shift; string=$1
    ;;
  -f | --flag )
    flag=1
    ;;
esac; shift; done
if [[ "$1" == '--' ]]; then shift; fi

Heredoc

cat <<END
hello world
END

Reading input

echo -n "Proceed? [y/n]: "
read ans
echo $ans

read -n 1 ans    # Just one character

Special variables$?Exit status of last task$!PID of last background task$$PID of shell$0Filename of the shell script

Go to previous directory

pwd # /home/user/foo
cd bar/
pwd # /home/user/foo/bar
cd -
pwd # /home/user/foo

Check for command’s result

if ping -c 1 google.com; then
  echo "It appears you have a working internet connection"
fi

Grep check

if grep -q 'foo' ~/.bash_history; then
  echo "You appear to have typed 'foo' in the past"
fi

Since you are reading this, I’ll assume you are are looking to improve your security posture. If so you will want to adopt the habit of verifying the signature of software you download.

Here’s a list of various Linux distributions focusing on security. These distros provide multiple tools that are needed for assessing networking security and other similar tasks. The list is in no particular order.

Archstrike

ArchStrike (previously known as ArchAssault) is a project based on Arch Linux for penetration testers and security professionals.

It comes with all the best parts of Arch Linux amd additional tools for penetration testing and cyber security. ArchStrike includes thousands of tools and applications, all categorized into modular package groups.

There are around 5000 packages available for almost everything you need in various categories, and some of them are:

• Exploit
• Malware
• Spoofing/Sniffing
• DDoS
• Social Engineering
• Enumeration
• Networking
• Forensics
• Brute Force

ArchStrike is straightforward and lightweight, so give a try and see if that works for you.

BlackArch Linux

BlackArch is a penetration testing and security research distro built on top of Arch Linux.

BlackArch can be installed on top of Arch Linux or from ISO. Documentation is available in English, French, Turkish, and Brazillian language.

BlackArch has its own repository containing thousands of tools organized in various groups. And the list is growing over time.

If you are already an Arch Linux user, you can set up the BlackArch tools collection on top of it.

Kali Linux

Kali Linux is the most widely known Linux distro for ethical hacking and penetration testing. Kali Linux is developed by Offensive Security and previously by BackTrack.

Kali Linux is based on Debian. It comes with a large amount of penetration testing tools from various fields of security and forensics.

Kali Linux is available in 64 bit, 32 bit, and virtual images to download. Lately, it was made available in AWS and Azure cloud.

Having more than 350 tools in the following category and extensive documentation makes Kali excellent.

• Information Gathering
• Vulnerability Analysis
• Wireless, Password, Hardware Attacks
• Web Applications
• Exploitation, Forensics. Stress Testing, Reporting
• Sniffing, Spoofing,
• Reverse Engineering

Kali is an open-source maintained by offensive security.

Samurai Web Testing Framework

Samurai Web Testing Framework is developed with the sole purpose of penetration testing on the web. Another aspect of this distro is that it comes as a virtual machine, supported by Virtualbox and VMware.

Samurai Web Testing Framework is based on Ubuntu and contains the best free and open-source tools that focus on testing and attacking websites.

It also includes a pre-configured wiki set up to store information during your penetration tests.

The virtual machine is pre-configured with many open source security tools, including the following.

• Fierce domain scanner
• Maltego
• WebScarab
• Ratproxy
• W3af
• Burp
• Beef
• AJAXShell

Bugtraq

Bugtraq is a Linux distro with a huge range of penetration, forensic and laboratory tools.

Bugtraq is available with the XFCE, GNOME and KDE desktop environments, in Ubuntu, Debian and OpenSUSE versions. It’s also available in 11 different languages.

Bugtraq packs in a huge arsenal of penetration testing tools: mobile forensics, malware testing laboratories and tools specifically designed by the Bugtraq community.

Bugtraq is an advanced, robust pen-testing platform available in 11 languages. It comes with more than 500 security tools and ready to download in either 32bit or 64bit.

Bugtraq is based on GNU/Linux, so you get an excellent menu and user-interface and the following customization.

• Syslinux boot entry
• Pressed file
• Services
• Kernel

Some of the following essential tools you will get with Bugtraq:

• Nessus
• Burt Suite
• Nikto
• Evil-grade
• Hydra
• Wireshark
• Beef

Want to get this installed on your Mobile? Good news, you can do that on Android.

Enterprises need to keep pace with latest security technological advancements to protect their online web data from malicious attacks and threats. Online businesses need to monitor their websites constantly and mobile infrastructure to create a strong defense against malware, DDoS, phishing, data exfiltration among other advanced attacks.

Attackers devise mechanisms such as designing and inserting codes or overwriting codes to interfere with your website, altering web values and queries, and automating data extraction from the web among other advanced attacks. If attackers succeed with their malicious plans, it can cost the business billions of dollars in operational costs or bring about irrevocable damage to the enterprise.

So, how then can a company ensure that it is aware of attacks and has protection against them? The solution is in the acquisition of web application firewalls.

According to wikipedia A web application firewall (or WAF) filters, monitors, and blocks HTTPtraffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. By inspecting HTTP traffic, it can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion, and security misconfigurations.

Cloudflare WAF

Built for the modern enterprise architecture

An intelligent, integrated and scalable solution to protect your business-critical web applications from malicious attacks, with no changes to your existing infrastructure.

Cloudflare Web Application Firewall's intuitive dashboard enables users to build powerful rules through easy clicks and also provides Terraform integration. Every request to the WAF is inspected against the rule engine and the threat intelligence curated from protecting over 20 Million websites. Suspicious requests can be blocked, challenged or logged as per the needs of the user while legitimate requests are routed to the destination, agnostic of whether it lives on-premise or in the cloud. Analytics and Cloudflare Logs enable visibility into actionable metrics for the user.

Between $0/yr and Ask for Quote $/yr depending on business needs.

Sucuri Website Firewall

When it comes to web firewall comparison lists, Sucuri Website Firewall is a serious contender. It offers protection from hackers trying to exploit OWASP Top 10 vulnerabilities, including SQLi, XSS, and CSRF.

It also includes mitigation of the Distribution Denial of Service (DDoS) attacks backed by continuous monitoring. Sucuri Website Firewall intercepts and inspects all incoming HTTP/HTTPS requests site.

Although it does not offer custom rules, it has a fast response policy for zero-day vulnerabilities. As and when the vulnerability is made public, Sucuri engineers patch your environment to block attacks trying to exploit that vulnerability.

Between $200/yr and $500/yr.

AWS WAF

AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define. You can get started quickly using Managed Rules for AWS WAF, a pre-configured set of rules managed by AWS or AWS Marketplace Sellers. The Managed Rules for WAF address issues like the OWASP Top 10 security risks. These rules are regularly updated as new issues emerge. AWS WAF includes a full-featured API that you can use to automate the creation, deployment, and maintenance of security rules.

With AWS WAF, you pay only for what you use. The pricing is based on how many rules you deploy and how many web requests your application receives. There are no upfront commitments.

Good planning is crucial to ensure that you have a solid strategy for web application security as an integral part of wider cybersecurity. This includes developing formal strategy documents, fostering a security-first culture throughout the organization, and documenting your web assets so you know what you’re working with.

1. Define and Adopt a Cybersecurity Framework

A formal policy document and strategy approach is a must for large organizations. To make sure you cover all the vital areas without reinventing the wheel, it’s a good idea to start with existing industry standards. Cybersecurity frameworks provide a detailed blueprint for developing your own policies. While they are far too extensive for most organizations, you can pick and mix to select a starting set of policies that works for you. See our article on cybersecurity frameworks in web application security to get started.

2. Make Security Everyone’s Business

Organizations can no longer afford to leave cybersecurity to just the security professionals, and this also applies to web application security. Just as IT security policies and practices should involve a wide cross-section of functions, so web app security should also be integrated into all stages of the development, operations, and testing process. This is the idea behind DevSecOps – an approach that embeds security practices into the combined development and operations processes of DevOps.

3. Know Your Web Assets

A large organization can have hundreds or even thousands of web assets, including websites, web applications, web services, and web APIs. Even if you have only a handful of applications, they might be connecting to dozens of services and exposing their functionality via multiple interfaces. There might also be forgotten test and staging environments that are still live – but you still need to test every single point of web access. That’s why asset discovery is a crucial step in any cybersecurity program. Netsparker provides a web application discovery service to help you find your assets so you know exactly what you need to secure.

Security in Web Application Development

The traditional approach to securing a web application has been to develop first and test later. With the rapid pace of development of modern applications combined with the growing intensity of web application attacks, this is no longer workable. Security must be an integral part of the software development lifecycle. Automation has also become a practical necessity, especially when a small team has to secure multiple new and existing websites and applications.

4. Incorporate Security into Software Development Practices

It goes without saying that prevention is better than remediation – you don’t need to fix vulnerabilities that were never introduced in the first place. Security training for developers is crucial not just to minimize the number of security issues that make it into application code but also to involve developers in the security process from the very beginning. With the increasing cybersecurity skills gap, web security teams are often understaffed and overworked, so a proactive approach to securing web application takes the load off the security professionals and speeds up the whole development pipeline.

5. Fix Vulnerabilities, Not Just Bugs

If you look at changes across the years in lists of common web security flaws such as the OWASP Top 10 or CWE Top 25, you will notice that some types of bugs keep coming back year after year: cross-site scripting (XSS), SQL injection, cross-site request forgery (CSRF), buffer overflows – the list goes on. This is why communication and education are so important in web application security.

If developers treat vulnerabilities as just another bug to fix, it is likely they will make the same types of errors in the future. In effect, you will never run out of vulnerabilities, because new ones will appear just as quickly as existing ones are fixed. To see progress and build more secure applications, developers and security professionals need to work together to understand vulnerabilities and eliminate their root causes, not merely to fix bugs.

6. Automate and Integrate

At any one time, large organizations can have many hundreds of web assets to maintain and multiple new applications in development. This can mean thousands of vulnerabilities to identify, process, and fix. The only way to ensure web application security at that kind of scale is to automate everything that can be automated and integrate security tools directly into the software development lifecycle.

When this is done right, reliable reports of automatically verified vulnerabilities are loaded directly into the developers’ bug trackers and go straight to the fixing stage, bypassing the bottleneck of manual verification by the security team. Netsparker provides extensive integration capabilities that aid automation and allow security professionals to focus on issues that only a human can solve.

Secure Web Application Operations

The real security test starts when your application is deployed to the web. By choosing the right tools and processes, you can minimize the risk of a successful cyberattack and maintain a solid security posture.

7. Use Enterprise-Grade Security Solutions

Cybersecurity has always been a game of cat-and-mouse, with criminals keeping at least one step ahead of the security industry. By using a cutting-edge web vulnerability scanner, you can accurately find vulnerabilities and confidently address them. If developers can’t immediately fix a critical vulnerability, you can use a web application firewall (WAF) to temporarily block that attack vector until a fix is deployed.

8. Minimize Your Attack Surface with the Latest Web Technologies

Even if your application code is secure, you still need to make sure the application is securely deployed and used. Many security measures exist to protect against specific types of attacks. For example, well-configured Content Security Policy (CSP) headers can stop many XSS attempts, while enforcing strong passwords can help to secure sensitive data and prevent data breaches caused by unauthorized access. On an operational level, you can use DDoS mitigation services to help protect your application against DDoS attacks.

9. Keep up to Date

As in network security, it is good practice to have and follow a patching and update policy for your web application environments. A modern web application can rely on multiple components in several layers, and they all need to be up to date. If you maintain your own infrastructure, you might start with the web server, application server, and database server. If you run a CMS such as WordPress, keep track of its development and be sure to use the most recent version for maximum security.

If you develop your own applications, they are likely to use frameworks, JavaScript libraries, templates, styles, and other external resources that need to be updated to always include the latest security patches. Netsparker’s Technologies feature is a great tool to help you detect both active and unused technologies that are present in your environment.

10. Test Your Defenses

Even if you have a solid security process and use leading-edge vulnerability scanning solutions, attackers might still be able to find a weakness somewhere. Periodic manual penetration testing by experienced security professionals will help you identify attack vectors that don’t show up during automated scanning. For example, a real-life attacker might combine several minor weaknesses into a critical vulnerability.

Red team vs blue team security exercises are one way of identifying vulnerabilities and testing the organization’s defensive response. You can also run a bounty program to encourage white-hat hackers to test your defenses and report vulnerabilities before cyber criminals can exploit them.