Bobo T. Jones

Secrets Scanning

Secrets scanning is a checkbox for a pentest but it should also be part of a healthy security operations practice. Before I get to the review of the secrets scanning tools, I want to take a wee detour and share a useful Unix (yes, Unix) tool: script(1). The script command logs everything in a terminal session. Most of the tools I am reviewing are run on the command line in a shell and sometimes it is the case that not all of the work I am doing gets saved in a way that is useful for later. It is very useful at the start of a day to run the script command:

Read more →

ProjectDiscovery Part 2: nuclei

Continuing with the theme of running a pentest, nuclei is a logical next step in the discovery phase after subfinder, in that you have a bunch of targets and you’re going to scan them for known vulnerabilities.

The gist of vulnerability scanning is that there are databases of vulnerabilities scattered around the internet. My go-to is the Common Vulnerabilities and Exposures (CVEs) database. These databases are not exhaustive; I’ve personally found and facilitated the remediation of dozens of exploitable oopsies and there are no CVEs (or really anything) with my name on them. Occasionally someone I worked with on an assessment will send me a CVE for something I found and we’ll share a sensible chuckle. See also,

Read more →

ProjectDiscovery Part 1: subfinder

The first phase of a penetration test is almost always discovery. Up until the middle of 2025, I was still using older versions of OWASP amass and Sublist3r for discovery… until a coworker gently mocked me and told me to use subfinder instead.

It was A Moment for me. I realized just how stale my skills had gotten over the last 4 years. An elephant has never sat on me but I’m pretty sure that’s what it feels like when one does. It hurt. That was the inspiration for this sabbatical project, to catch up on all of the training I was promised over the decades but never seem to get. Meanwhile, the “bills for skills” problem in security is a clusterfuck… we’re all expected to know how to hack into anything and everything, even as tech stacks get more bloated and convoluted, to learn on our own AND pay for the 999 services necessary to, you know, practice? Let’s learn together. My treat.

Read more →

Starting Line

Reluctantly crouched…

This morning, I created a GitHub repo: bigbookofcyber. The inspiration for this work comes from the awesome repos. I started with enaqx/awesome-pentest. While I have shared this repo with many people who are new to the cybersecurity industry, I have not had much time in the past to download, build and use these tools. Because I was busy working. One of my goals for my current sabbatical is to evaluate as much security tooling as I can grind through, starting with the stuff that is most popular and currently maintained. As I work my way through the top 100 of the nearly 2000 repos I have found so far, I will write at least one post for each. This should keep me occupied for a while.

Read more →