Office 2019 Commercial Preview Program

Office 2019 Commercial Preview program


Thank you for your interest in the Microsoft Office 2019 Commercial Preview program. This preview program is intended only for organizations that plan to deploy the perpetual (volume licensed) version of Office 2019 when it’s released later this year. For more information, see the Tech Community blog post.


To join the Office 2019 Commercial Preview program, you or your company must be registered with Microsoft Collaborate. If you’re not able to sign in to the Microsoft Collaborate portal, follow the instructions at Microsoft Collaborate: Documentation and guidance.

If you need support with Microsoft Collaborate, see How to get support and troubleshoot common Issues.

Join the Office 2019 Commercial Preview Program

The Preview program is available through Microsoft Collaborate, which is the only location for joining, accessing deployment packages and documentation, and providing feedback.

To join the program, follow these steps:

  1. Sign in to
  2. On the Overview page in your dashboard, select Engagements to view engagements that are available to join.
    Select Engagements
  3. Find the Office 2019 Commercial Preview engagement, select Join, accept the Terms of Use, and then select Join again.
  4. If you no longer want to participate in the Preview program, select Leave.
    Click Leave

How to download packages

  1. From the dashboard, select Packages to go to the Packages page, where you will see all packages that are associated with the engagement.
  2. Select a package to view the details and the list of files that are included in the package.
    Select package
  3. Select the download icon to download the file.

Submit feedback

To submit feedback during the program, select Feedback in the dashboard. You can view all feedback that you submitted to the Office engineering team on the Feedback page.

The value of the State column indicates the state of your feedback:

  • New – New submission.
  • Resolved – The Office team has taken appropriate action and resolved the issue.
  • Closed – The issue is closed. No more action will be taken.

To submit new feedback, follow these steps:

  1. On the All Feedback page, select Submit New Feedback.
    Submit feedback
  2. If you participate in multiple engagements, select the engagement for which you want to provide feedback.
    Select engagement
  3. On the Office 2019 Commercial Preview feedback page, complete the required fields in the feedback template. Provide as much detail as possible, including thorough reproduction steps, and then select Save.

Updates to your feedback will appear in the feedback item until the issue is resolved, such as the status is changed to “Closed.”

Licensing made simple for Windows Server 2016


Windows Server 2016 licensing is licensed per-core.  Because processors always have an even number of cores, licenses are sold in two-core packs.  One “license pack” equals (or is good for) two cores.

To run Windows Server 2016, you need to purchase licenses for a minimum of 16 cores, per two physical processors.

This translates to you needing to purchase a minimum of 8x two-core packs for every two physical processors in your server.  This is the equivalent of a regular standard Windows Server 2012 R2 license.

Simple, right?

If you have more than 8 cores per processor, then all you do is purchase 1x two-core license pack for every two cores past the 16 minimum.

Example:  You have a server with two processors.  Each processor has 10 cores.  You have 20 cores total.  You purchase the minimum 8x two-core packs, which covers 16 of your cores.  You need to purchase an additional 2x two-core license packs to cover the extra 4 cores you have.

Question:  Wait, what?  Is it really that easy?


Question:  So what if my server has two processors, but each processor only has 6 cores each?

You would still need to purchase the minimum 8x two-core packs, licensing you for a total of 16 cores, even though you only have 12 total cores.  Don’t worry, this still comes out to the same thing as a Standard 2012 R2 licensing.

Question:  What if I have 4 physical processors in my server?

Then you would need to purchase twice the minimum… 16x two-core license packs.  Then you buy 1x two-core license pack for every two cores you have after the minimum combined 32-cores.

Virtualization Rights

Virtualization rights with Windows Server 2016 Standard are, relatively speaking, the same as they are with Windows Server 2012 R2 Standard.

You could install Windows Server 2016 Standard on your physical server, installing and using ONLY the Hyper-V (and supporting) roles/features, and then run two Window Server 2016 virtual machines (VM) on that same physical server, using the same Windows Server 2016 license.

Note 1:  As a general rule, you should never (or rarely) install the Standard edition of Windows Server 2016 on a physical server if you are using it as a Hyper-V host.  You should instead install Hyper-V Server 2016 (Microsoft’s free hypervisor OS).

You can run two virtual machines for every 8x two-core license packs you purchase.  In reality, you’d install Hyper-V Server 2016 on your physical server, and purchase a Windows Server 2016 Standard license (8x two-core license packs) for every two Windows Server 2016 virtual machines you want to run on that host.

Note 2:  Virtualization rights only apply to Windows Server VMs.  You can have any unlimited number of Linux VMs running on any version of Windows, providing your hardware can handle the load.

What about Data center Edition?

In regards to virtualization rights, Windows Server 2016 Data center doesn’t start to make any sense until you see yourself needing to run upwards of 13 virtual machines on a single host.  The exact cutoff is 14 virtual machines, but because each minimum (8x two-core license packs) license gives you 2 VMs, 13 is the same cost as 14.  Purchasing 7 Standard edition licenses to run 13 virtual machines on a single host costs the same amount of money as a Data center edition license.

Note 3:  Data center edition has features that Standard edition does not, such as Storage Spaces Direct and Storage Replica… among quite a few others.  So there are some legitimate reasons reasons to run Windows Server 2016 Data center edition on a Hyper-V Host.

Windows Server 2016 Failover Cluster Licensing

In general, each physical node in a cluster must be licensed for any VM that can run on it.

You can lower the number of physical node licensing by preventing VMs from running on specific nodes.  This is done via “Possible Owners” in Failover Cluster Manager as shown below:

FOCM - Possible Owners

Failover Cluster Manager – Possible Owners setting

Keep in mind that if a VM CAN run on a node, the node MUST be licensed appropriately!

Software Assurance (SA)

If you purchased SA with your server license, you have some additional interesting benefits.  Specifically, “License Mobility” and “Fail-over Rights”.

License Mobility

License Mobility can be particularly useful in the clustering and virtualization world, for example, if you have a two-node cluster with one physical server using Data center (NODE1), a second physical server with the free Hyper-V Server 2016 (NODE2), and the cluster is an active-passive cluster.  For simplicity of this example, NODE2 does not have any running VMs.

With License Mobility, you basically have the freedom to move that Data center license to any server you want as often as you want, within the same Server Farm.  The caveat is that all the Windows Server VMs running on it must follow the DC license (or minus what the other server is already licensed for).  This is useful if you need some planned-downtime of NODE1.  You could then temporarily virtually transfer your Data center license to your other server and live-migrate all of your VMs to the other node to prevent any downtime.  Then you are free to update, upgrade, reboot, or whatever you want to NODE1.

Fail-over Rights

This means that in anticipation of a fail-over event, you may run passive fail-over on another qualifying shared server (NODE2).  Keep in mind that the number of licenses that otherwise would be required to run the passive fail-over Instances must not exceed the number of licenses required to run the corresponding production Instances on the same partner’s shared servers.


Microsoft Volume Licensing (direct .doc link):  Microsoft Product Terms – February 1, 2017
Other Languages:  Licensing Terms and Documentation

All Microsoft Products:  Licensing Terms and Documentation

Microsoft Azure Cloud Administrator

Looking to master the core principles of operating a Microsoft Azure-based cloud infrastructure? This learning path is for any technology professional who wants to be involved in the operation and administration of Azure-based solutions and infrastructure. You will learn the fundamentals of implementing, monitoring, and maintaining Microsoft Azure solutions, including major services related to Compute, Storage, Network, and Security. By the end of this learning path, you will be able to implement, monitor, and manage the most commonly used Microsoft Azure services and components, as configured for the most common use cases.

To go deeper follow the deep dive series below.

Azure Cloud Administrator

Primary Skills

Application Management Series

1 hr 6 min

3 hr

2 hr

1 hr

1 hr

3 hr

2 hr

1 hr

1 hr

1 hr

1 hr

Cloud Management Series

15 min

13 min

11 min

1 hr 17 min

1 hr 8 min

4 hr

12 min

6 min

1 hr 18 min

13 min

3 min

52 min

14 min

Device Management Series

1 hr

1 hr 20 min

1 hr 6 min

1 hr 6 min

1 hr 17 min

Identity Management Series

1 hr 5 min

30 min

1 hr 16 min

1 hr 16 min

3 hr

Secondary Skill

Architecture Series

8 hr

7 hr

55 min

Infrastructure – Hybrid/Private Cloud Series

1 hr 20 min

1 hr 10 min

2 hr

2 hr

34 min

5 hr

1 hr 15 min

1 hr 18 min

1 hr 10 min

Infrastructure – Open Source Series

7 min

17 min

11 min

3 hr

1 hr

Infrastructure – Public Cloud Series

3 hr

7 hr


1 hr

2 hr

Security & Privacy Series

1 hr 15 min

1 hr 12 min

1 hr

5 hr

3 hr

1 hr

20 min

1 hr

1 hr

2 hr

1 hr

4 hr

DevOps Series

25 min

29 min

59 min

36 min

38 min

30 min

3 hr

4 hr

30 min

4 hr

48 min

7 hr

1 hr 15 min

If you have been following these series and completed it then its time for Microsoft Certification Path. Join our MVA courses on and start your cloud career.

Use Microsoft Authenticator with Office 365

If your organization is using 2-step verification for Office 365, the easiest verification method to use is Microsoft Authenticator. It’s just one click instead of typing in a 6-digit code. And if you travel, you won’t incur roaming fees when you use it.

Download and install Microsoft Authenticator app

Set up the Microsoft Authenticator app

Step 1: Choose the mobile app

Open a browser on your computer and go to Sign in to your Office 365 for business account.

Use these steps if you see this screen:

Click Set it up now.

  1. Click Set it up now.
  2. Choose Mobile app from the dropdown.
  3. Make sure “Receive notifications for verifications” is selected. Click Set up.

Use these steps if you see this screen:

Choose Settings

  1. Choose Settings Office 365 Settings button > Office 365.
  2. Choose Security & Privacy > Additional security verification > Update my phone numbers used for account security.
  3. In the drop down box under What’s your preferred option, choose Notify me through app.
  4. Check the box for Microsoft Authenticator app, click Configure.

Step 2: Wait for configuration pop-up box.

You should see a window on your computer that looks like this.

Follow the steps on your screen.

Step 3: Add account to Microsoft Authenticator

  1. Open the Microsoft Authenticator app on your phone.

  2. Tap the + > Work or school account.
  3. Use your phone to scan the QR square that is on your computer screen.

    Note: If you can’t use your phone camera, you’ll have to manually enter the 9 digit code and the URL.

  4. Your account will be added automatically to the app and will display a six-digit code.
Tap the + sign int the Azure Authenticator app.

Step 4: Confirm activation status on your computer

  1. Switch back to your computer and click Done.
  2. Now wait for the Checking activation status text to finish configuring your phone.
  3. When it’s complete, you’ll be able to click the Contact me button on the right.

    Note: If configuration fails, just delete retry the previous steps again.

Click Contact Me

Step 5: Approve sign in on your phone

  1. Switch back to your phone and you’ll see a notification for a new sign in.

  2. Go to the Microsoft Authenticator app.
  3. Tap Approve to allow it.
Tap Approve to allow sign in.

Step 6: Finish set up

  1. Back on the computer, follow any prompts that you might see such as adding a mobile number.

  2. You’re good to go!

From now on, whenever you have a new sign in or add your Office 365 work or school account to an app, you’ll open the Authenticator app on your phone and tap Approve.


Configuring Multi-Factor Authentication on Client/ User side

After you have enabled MFA on your tenant, your users can follow these instructions to set up their second sign-in method for Office 365:

Step 1: Set up 2-step verification for Office 365

Once your admin enables your organization with 2-step verification (also called multi-factor authentication), you have to set up your account to use it.

By setting up 2-step verification, you add an extra layer of security to your Office 365 account. You sign in with your password (step 1) and a code sent to your phone (step 2).

  1. Sign in to Office 365 with your work or school account with your password like you normally do. After you choose Sign in, you’ll see this page:

    First Sign in screen

  2. Choose Set it up now.
  3. Select your authentication method and then follow the prompts on the page. Or, watch the video to learn more.

    Choose your authentication method and then follow the prompts on the screen.

  4. Once you complete the instructions to specify how you want to receive your verification code, the next time you sign in to Office 365, you’ll be prompted to enter the code that is sent to you by text message, phone call, etc.

    To have a new code sent to you, press F5.

    When you sign in with 2-step verification, you'll be prompted for a code.

We strongly recommend setting up more than one verification method. For example, if you travel a lot, consider setting up Microsoft Authenticator for your verification method. It’s the easiest verification method to use, and a way to avoid text or call charges.

Step 2: Create an app password for Office 365

An app password is a code that gives an app or device permission to access your Office 365 account.

If your admin has turned on set up 2-step verification for your organization, and you’re using apps that connect to your Office 365 account, you’ll need to generate an app password so the app can connect to Office 365. For example, if you’re using Outlook 2016 or earlier with Office 365, you’ll need to create an app password.

  1. Check whether your Office 365 admin has turned on 2-step verification for your account. If they haven’t, when you try to do these steps you won’t see the options in Office 365.
  2. If you haven’t already done so, set up your account to use 2-step verification.
  3. Sign in to Office 365 using your password and verification code.
  4. Choose Settings Office 365 Settings button > Office 365.
  5. Choose Security & Privacy > Additional security verification.

    Choose Additional security verification.

  6. Choose Update my phone numbers used for account security. This will display the following page:

    Choose app passwords

  7. At the top of the page, choose App Passwords.
  8. Choose create to get an app password.
  9. If prompted, type a name for your app password, and click Next.
  10. Choose copy password to clipboard. You won’t need to memorize this password.

    Choose copy to your clipboard.

    Tip: If you create another app password, you’ll be prompted to name it. For example, you might name it “Outlook.”

  11. Go to the app that you want to connect to your Office 365 account. When prompted to enter a password, paste the app password in the box.

To use the app password in Outlook

You’ll need to do these steps once.

  1. Open Outlook, such as Outlook 2010, 2013, or 2016.
  2. Wherever you’re prompted for your password, paste the app password in the box. For example, if you’ve already added your account to Outlook, when prompted paste the app password here:

    Paste your app password in the Password box.

  3. Or, if you’re adding your Office 365 account to Outlook, enter your app password here:

    Enter your app password in both Password boxes.

  4. Restart Outlook.

Step 3: Change how you get 2 step verification

Depending on how your Office 365 admin set up 2-step verification for your organization, you might be able to change how you get your codes.

Tip: Before you can do these steps, your admin needs to set up multi-factor authentication for your account.

  1. Sign in to Office 365 using your password and verification code.
  2. Choose Settings Office 365 Settings button > Office 365.
  3. Choose Security & Privacy > Additional security verification.
  4. Choose Update my phone numbers used for account security. This will display the following page:

    additional security verification page

  5. Choose how you want to get your verification code. Although all options are listed, your admin may not make them all available; you’ll get a message if you choose one your admin didn’t enable.
  6. Follow the prompts on the page.

Configure Multi-Factor Authentication (MFA) for Office 365 users

Set up multi-factor authentication in the Office 365 admin center

  1. Go to the Office 365 admin center.
  2. Navigate to Users > Active users.

    Active users in Office 365 admin center

  3. In the Office 365 admin center, click More > Setup Azure multi-factor auth.

    Set up multifactor authentication

  4. Find the user or users who you want to enable for MFA. In order to see all the users, you might need to change the Multi-Factor Auth status view at the top.

    The views have the following values based on the MFA state of the users:

    • Any    Displays all users. This is the default state
    • Enabled    The user has been enrolled in multi-factor authentication, but has not completed the registration process. They will be prompted to complete the process the next time they sign in.
    • Enforced    The user may or may not have completed registration. If they have completed the registration process then they are using multi-factor authentication. Otherwise, the user will be prompted to complete the process at next sign-in.
  5. Check the check box next to the users you want to enable.

    Users selected for MFA.

  6. On the right user info pane, under quick steps you’ll see Enable and Manage user settings. Choose Enable.
  7. In the dialog box that opens, click enable multi-factor auth.

Allow MFA users to create App Passwords for Office client applications

Important: App passwords are not supported for Office 365 operated by 21Vianet.

Multi-factor authentication is enabled per user. This means that if a user is enabled for multi-factor authentication and they are attempting to use non-browser clients, such as Outlook 2013 with Office 365, they will be unable to do so. An app password allows this to occur. An app password, is a password that is created within the Azure portal that allows the user to bypass the multi-factor authentication and continue to use their application.

All the Office 2016 client applications support multi-factor authentication through the use of the Active Directory Authentication Library (ADAL). This means that app passwords are not required for Office 2016 clients. However, if you find that this is not the case, make sure your Office 365 subscription is enabled for ADAL. Connect to Exchange Online PowerShell and run the Get-OrganizationConfig | Format-Table name, *OAuth* command.

If you need to enable it, run Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true .

  1. Go to the Office 365 admin center.
  2. Navigate to Users > Active users. Your screen should look like one of the following:

    Active users in Office 365 admin center

  3. In the Office 365 admin center, click More > Setup Azure multi-factor auth.

    Set up multifactor authentication

  4. In the multi-factor authentication page, choose service settings.

    MFA service settings.

  5. Under app passwords, choose Allow users to create app passwords to sign into non-browser applications.

    This allows users to use client Office applications, but they will have to enter a password of their choosing first.

  6. Click Save, and then Close.
Manage MFA user settings
  1. In the multi-factor authentication page, check the box next to the user or users you want to manage.
  2. In the user info pane on the right, you’ll see two options: Enable and Manage user settings. Choose Manage User settings.
  3. In the Manage user settings dialog, check one or more of the options: Require selected users to provide contact methods again, Delete all existing app passwords generated by the selected users, or Restore Multi-Factor Authentication on all remembered devices.
  4. Click Save.
Bulk-update users in MFA

You can bulk update the status for existing users using a CSV file. The CSV file will be used only for enabling or disabling multi-factor authentication based on the user names present in the file. It is not used to create new users.

  1. In the multi-factor authentication page, click bulk update.
  2. Browse for the file that contains the updates. The column headings in your file must match the column headings in the following example:

    bulk update CSV sample file

On Premises Exchange Cutover migration to Office 365

Before you begin:

As part of an Office 365 deployment, you can migrate the contents of user mailboxes from a source email system to Office 365. When you do this all at one time, it’s called a cutover migration. Choosing a cutover migration is suggested when:

  • Your current on-premises Exchange organization is Microsoft Exchange Server 2003, Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, or Microsoft Exchange Server 2013.
  • Your on-premises Exchange organization has fewer than 2,000 mailboxes.

    Note: Even though cutover migration supports moving up to 2000 mailboxes, due to length of time it takes to create and migrate 2000 users, it is more reasonable to migrate 150 users or less.


Plan for migration

Things to consider

Setting up an email cutover migration to Office 365 requires careful planning. Before you begin, here are a few things to consider:

  • You can move your entire email organization to Office 365 over a few days and manage user accounts in Office 365.
  • A maximum of 2,000 mailboxes can be migrated to Office 365 by using a cutover Exchange migration. However, it is recommended that you only migrate 150 mailboxes.
  • The primary domain name used for your on-premises Exchange organization must be an accepted as a domain owned by you in your Office 365 organization.
  • After the migration is complete, each user who has an on-premises Exchange mailbox also will be a new user in Office 365. But you’ll still have to assign licenses to users whose mailboxes are migrated.
Impact to users

After your on-premises and Office 365 organizations are set up for a cutover migration, post-setup tasks could impact your users.

  • Administrators or users must configure desktop computers         Make sure that desktop computers are updated and set up for use with Office 365. These actions allow users to use local user credentials to sign in to Office 365 from desktop applications. Users with permission to install applications can update and set up their own desktops. Or updates can be installed for them. After updates are made, users can send email from Outlook 2013, Outlook 2010, or Outlook 2007.
  • Potential delay in email routing        Email sent to on-premises users whose mailboxes were migrated to Office 365 are routed to their on-premises Exchange mailboxes until the MX record is changed.

How does cutover migration work?

The main steps you perform for a cutover migration are shown in the following illustration.

Process for performing a cutover email migration to Office 365

  1. The administrator communicates upcoming changes to users and verifies domain ownership with the domain registrar.
  2. The administrator prepares the servers for a cutover migration and creates empty mail-enabled security groups in Office 365.
  3. The administrator connects Office 365 to the on-premises email system (this is called creating a migration endpoint).
  4. The administrator migrates the mailboxes and then verifies the migration.
  5. Grant Office 365 licences to your users.
  6. The administrator configures the domain to begin routing email directly to Office 365.
  7. The administrator verifies that routing has changed, and then deletes the cutover migration batch.
  8. The administrator completes post-migration tasks in Office 365 (assigns licenses to users and creates an Autodiscover Domain Name System (DNS) record), and optionally decommissions the on-premises Exchange servers.
  9. The administrator sends a welcome letter to users to tell them about Office 365 and to describe how to sign in to their new mailboxes.

Running Cutover Migration:

Prepare for a cutover migration

Before you migrate mailboxes to Office 365 by using a cutover migration, there are a few changes to your Exchange Server environment you must complete first.

Note: If you have turned on directory synchronization, you need to turn it off before you can perform a cutover migration. You can do this by using PowerShell. For instructions, see Turn off directory synchronization for Office 365.

  1. Configure Outlook Anywhere on your on-premises Exchange Server     The email migration service uses Outlook Anywhere (also known as RPC over HTTP), to connect to your on-premises Exchange Server. Outlook Anywhere is automatically configured for Exchange 2013. For information about how to set up Outlook Anywhere for Exchange 2010, Exchange 2007, and Exchange 2003, see the following:
  2. You must use a certificate issued by a trusted certification authority (CA) with your Outlook Anywhere configuration in order for Office 365 to run a cutover migration. For cutover migration you will to add the Outlook Anywhere and Autodiscover services to your certificate. For instructions on how to set up certificates, see:
  3. Optional: Verify that you can connect to your Exchange organization using Outlook Anywhere     Try one of the following methods to test your connection settings.
    • Use Outlook from outside your corporate network to connect to your on-premises Exchange mailbox.
    • Use the Microsoft Exchange Remote Connectivity Analyzer to test your connection settings. Use the Outlook Anywhere (RPC over HTTP) or Outlook Autodiscover tests.
    • Wait for the connection to automatically be tested when you connect Office 365 to your email system later in this procedure.
  4. Set permissions     The on-premises user account that you use to connect to your on-premises Exchange organization (also called the migration administrator) must have the necessary permissions to access the on-premises mailboxes that you want to migrate to Office 365. This user account is used when you connect Office 365 to your email system later in this procedure.
  5. To migrate the mailboxes, the admin must have one of the following permissions:
    • The migration administrator must be assigned the FullAccess permission for each on-premises mailbox.


    • The migration administrator must be assigned the Receive As permission on the on-premises mailbox database that stores user mailboxes.

    For instructions about how to set these permissions, see Assign Exchange permissions to migrate mailboxes to Office 365

  6. Disable Unified Messaging (UM)     If UM is turned on for the on-premises mailboxes you’re migrating, turn off UM before migration. Turn on UM or the mailboxes after migration is complete. For how-to steps, see Disable Unified Messaging for users for Exchange 2007.
  7. Create security groups and clean up delegates    Because the email migration service can’t detect whether on-premises Active Directory groups are security groups, it can’t provision any migrated groups as security groups in Office 365. If you want to have security groups in Office 365, you must first provision an empty mail-enabled security group in Office 365 before starting the cutover migration.

    Additionally, this migration method only moves mailboxes, mail users, mail contacts, and mail-enabled groups. If any other Active Directory object, such as user mailbox that is not migrated to Office 365 is assigned as a manager or delegate to an object being migrated, you must remove them from the object before migration.

Step 1: Verify you own the domain

During the migration, the Simple Mail Transfer Protocol (SMTP) address of each on-premises mailbox is used to create the email address for a new Office 365 mailbox. To run a cutover migration, the on-premises domain must be a verified domain in your Office 365 organization.

  1. Sign in to Office 365 with your work or school account.
  2. Go to the Domains page.
  3. On the Domains- page, click Add domain to start the domain wizard.

    Choose Add domain

  4. On the Add a domain page, type in the domain name (for example, you use for your on-premises Exchange organization, and then choose Next.
  5. On the Verify domain page, select either Sign in to GoDaddy (if your DNS records are managed by GoDaddy) or Add a TXT record instead for any other registrars > Next.
  6. Follow the instructions provided for your DNS hosting provider. The TXT record usually is chosen to verify ownership.

    You can also find the instructions in Create DNS records for Office 365 when you manage your DNS records.

    After you add your TXT or MX record, wait about 15 minutes before proceeding to the next step.

  7. In the Office 365 domain wizard, choose done, verify now, and you’ll see a verification page. Choose Finish.

    If the verification fails at first, wait awhile, and try again.

    Do not continue to the next step in the domain wizard. You now have verified that you own the on-premises Exchange organization domain and are ready to continue with an email migration.

Step 2: Connect Office 365 to your email system

A migration endpoint contains the settings and credentials needed to connect the on-premises server that hosts the mailboxes you’re migrating with Office 365. The migration endpoint also defines the number of mailboxes to migrate simultaneously. For a cutover migration, you’ll create an Outlook Anywhere migration endpoint.

  1. Go to the Exchange admin center.
  2. In the Exchange admin center, go to Recipients > Migration.
  3. Choose More More icon > Migration endpoints.

    Select Migration endpoint.

  4. On the Migration endpoints page, choose New New icon .
  5. On the Select the migration endpoint type page, choose Outlook Anywhere > Next.
  6. On the Enter on-premises account credentials page, enter information in the following boxes:
    • Email address     Type the email address of any user in the on-premises Exchange organization that will be migrated. Office 365 will test the connectivity to this user’s mailbox.
    • Account with privileges     Type the user name (domain\user name format or an email address) for an account that has the necessary administrative permissions in the on-premises organization. Office 365 will use this account to detect the migration endpoint and to test the permissions assigned to this account by attempting to access the mailbox with the specified email address.
    • Password of account with privileges     Type the password for the account with privileges that is the administrator account.
  7. Choose Next and do one of the following:
    • If Office 365 successfully connects to the source server, the connection settings are displayed. Choose Next.

      Confirmed connection for Outlook Anywhere endpoint.

    • If the test connection to the source server isn’t successful, provide the following information:
      • Exchange server     Type the fully qualified domain name (FQDN) for the on-premises Exchange Server. This is the host name for your Mailbox server. For example,
      • RPC proxy server     Type the FQDN for the RPC proxy server for Outlook Anywhere. Typically, the proxy server is the same as your Outlook Web App URL. For example,, which is also the URL for the proxy server that Outlook uses to connect to an Exchange Server
  8. On the Enter general information page, type a Migration endpoint name, for example, Test5-endpoint. Leave the other two boxes blank to use the default values.

    Migration endpoint name.

  9. Choose New to create the migration endpoint.

    To validate your Exchange Online is connected to the on-premises server, you can run the command in Example 4 of Test-MigrationServerAvailability.

Step 3: Create the cutover migration batch

In a cutover migration, on-premises mailboxes are migrated to Office 365 in a single migration batch.

  1. In the Exchange admin center, go to Recipients > Migration.
  2. Choose New New icon > Migrate to Exchange Online.

    Select Migrate to Exchange Online

  3. On the Select a migration type page, choose Cutover migration > next.
  4. On the Confirm the migration endpoint page, the migration endpoint information is listed. Verify the information and then choose next.

    New migration batch with confirmed endpoint.

  5. On the Move configuration page, type the name (cannot contain spaces or special characters) of the migration batch, and then choose next. The batch name is displayed in the list of migration batches on the Migration page after you create the migration batch.
  6. On the Start the batch page, choose one of the following:
    • Automatically start the batch     The migration batch is started as soon as you save the new migration batch with a status of Syncing.
    • Manually start the batch later     The migration batch is created but is not started. The status of the batch is set to Created. To start a migration batch, select it on the migration dashboard, and then choose Start.
  7. Choose new to create the migration batch.

    The new migration batch is displayed on the migration dashboard.

Step 4: Start the cutover migration batch

If you created a migration batch and configured it to be started manually, you can start it by using the Exchange admin center.

  1. In the Exchange admin center, go to Recipients > Migration.
  2. On the migration dashboard, select the batch and then choose Start.
  3. If a migration batch starts successfully, its status on the migration dashboard changes to Syncing.

    Micgration batch is syncing

Verify the synchronization worked

  • You’ll be able to follow the sync status on the migration dashboard. If there are errors, you can view a log file that gives you more information about them.
  • You can also verify that the users get created in the Office 365 admin center as the migration proceeds.

    After the migration is done, the sync status is Synced.

Optional: Reduce email delays

Although this task is optional, doing it can help avoid delays in the receiving email in the new Office 365 mailboxes.

When people outside of your organization send you email, their email systems don’t double-check where to send that email every time. Instead, their systems save the location of your email system based on a setting in your DNS server known as a time-to-live (TTL). If you change the location of your email system before the TTL expires, the sender’s email system tries to send email to the old location before figuring out that the location changed. This location change can result in a mail delivery delay. One way to avoid this is to lower the TTL that your DNS server gives to servers outside of your organization. This will make the other organizations refresh the location of your email system more often.

Most email systems ask for an update each hour if a short interval such as 3,600 seconds (one hour) is set. We recommend that you set the interval at least this low before you start the email migration. This setting allows all the systems that send you email enough time to process the change. Then, when you make the final switch over to Office 365, you can change the TTL back to a longer interval.

The place to change the TTL setting is on your email system’s MX record. This lives on your public-facing DNS system. If you have more than one MX record, you need to change the value on each record to 3,600 seconds or less.

If you need some help configuring your DNS settings, see Create DNS records for Office 365 when you manage your DNS records.

Step 5: Route your email directly to Office 365

Email systems use a DNS record called an MX record to figure out where to deliver emails. During the email migration process, your MX record was pointing to your source email system. Now that the email migration to Office 365 is complete, it’s time to point your MX record at Office 365. This helps make sure that email is delivered to your Office 365 mailboxes. Moving the MX record will also let you turn off your old email system when you’re ready.

For many DNS providers, there are specific instructions to change your MX record. If your DNS provider isn’t included, or if you want to get a sense of the general directions, general MX record instructions are provided as well.

It can take up to 72 hours for the email systems of your customers and partners to recognize the changed MX record. Wait at least 72 hours before you proceed to the next task: Delete the cutover migration batch.

Step 6: Delete the cutover migration batch

After you change the MX record and verify that all email is being routed to Office 365 mailboxes, notify the users that their mail is going to Office 365. After this you can delete the cutover migration batch. Verify the following before you delete the migration batch.

  • All users are using Office 365 mailboxes. After the batch is deleted, mail sent to mailboxes on the on-premises Exchange Server isn’t copied to the corresponding Office 365 mailboxes.
  • Office 365 mailboxes were synchronized at least once after mail began being sent directly to them. To do this, make sure that the value in the Last Synced Time box for the migration batch is more recent than when mail started being routed directly to Office 365 mailboxes.

When you delete a cutover migration batch, the migration service cleans up any records related to the migration batch and then deletes the migration batch. The batch is removed from the list of migration batches on the migration dashboard.

  1. In the Exchange admin center, go to Recipients > Migration.
  2. On the migration dashboard, select the batch, and then choose Delete.

    Note: It can take a few minutes or the batch to be removed.

  3. In the Exchange admin center, go to Recipients > Migration.
  4. Verify that the migration batch is no longer listed on the migration dashboard.
Step 7: Assign licenses to Office 365 users

Activate Office 365 user accounts for the migrated accounts by assigning licenses.    If you don’t assign a license, the mailbox is disabled when the grace period ends (30 days). To assign a license in the Office 365 admin center, see Assign licenses to users in Office 365 for Business.

Complete post migration tasks

After migrating mailboxes to Office 365, there are post-migration tasks that must be completed.

  1. Create an Autodiscover DNS record so users can easily get to their mailboxes.    After all on-premises mailboxes are migrated to Office 365, you can configure an Autodiscover DNS record for your Office 365 organization to enable users to easily connect to their new Office 365 mailboxes with Outlook and mobile clients. This new Autodiscover DNS record has to use the same namespace that you’re using for your Office 365 organization. For example, if your cloud-based namespace is, the Autodiscover DNS record you need to create is

    If you keep your Exchange Server, you should also make sure that Autodiscover DNS CNAME record has to point to exOffice365 in both internal and external DNS after the migration so that the Outlook client will to connect to the correct mailbox.

    Note:  In Exchange 2007, Exchange 2010, and Exchange 2013 you should also set Set-ClientAccessServer AutodiscoverInternalConnectionURI to Null.

    Office 365 uses a CNAME record to implement the Autodiscover service for Outlook and mobile clients. The Autodiscover CNAME record must contain the following information:

    • Alias:    autodiscover
    • Target:

    For more information, see Create DNS records for Office 365 when you manage your DNS records.

  2. Decommission on-premises Exchange Servers.    After you’ve verified that all email is being routed directly to the Office 365 mailboxes, and no longer need to maintain your on-premises email organization or don’t plan on implementing a single sign-on solution, you can uninstall Exchange from your servers and remove your on-premises Exchange organization.

    For more information, see the following:

    Note: Decommissioning Exchange can have unintended consequences. Before decommissioning your on-premises Exchange organization, we recommend that you contact Microsoft Support.

    Disclaimer: This article has been published for the learning purpose only for the real-time migration consult with your IT team and Exchange professional or expert near you. If there is any issue which you caused by doing anything wrong will be your responsibility.

Get Office 365 Education for free

Teachers want to save time and help their student get more done in the classroom and life. Office 365 Education is Microsoft’s classroom offering built for teachers and students, completely free, and full of powerful tools to organize in one place, engage students in new ways, and individualize student learning. Office 365 is fully integrated set of tools, to help students and teachers complete all important school tasks online, offline, or on mobile devices.

OneNote provides one place to organize lessons and distribute assignments, while bringing students together in a collaborative space or giving them individual support in private notebooks. With Learning Tools, built-in reading and writing tools improve learning outcomes for all students. Office Online offers you web versions of familiar Word, PowerPoint, Excel, OneNote and more that work in all modern browsers. And it’s available everywhere for free with nothing to install. Collaborate with anyone and see what your co-authors type as it’s happening. You can move smoothly from light work and collaboration in Office Online to heavy-duty creation in the Office desktop application without ever leaving your document or losing your formatting.

Sway is new digital storytelling app from Office that is great for project or problem-based learning. Teachers can create interactive web-based lessons, assignments, project recaps, newsletters, and more right from a phone, tablet, or browser. Students can collaborate and use Sway to create engaging reports, assignments, projects, study materials, and portfolios. Sways are easy to share with the class or the world and look great on any screen.

Get Office 365 Education for free at Microsoft Education Partner program.


Ethical Hacking and Penetration Testing Resources

(Free) Virtual Networks (VPNs)

Custom Personal Targets




Security Courses

Penetration Testing Methodologies, Tools and Technique

Penetration Testing Resources

Exploit Development

OSINT Resources

Social Engineering Resources

Lock Picking Resources

Operating Systems


Penetration Testing Distributions

  • Kali – GNU/Linux distribution designed for digital forensics and penetration testing.
  • ArchStrike – Arch GNU/Linux repository for security professionals and enthusiasts.
  • BlackArch – Arch GNU/Linux-based distribution for penetration testers and security researchers.
  • Network Security Toolkit (NST) – Fedora-based bootable live operating system designed to provide easy access to best-of-breed open source network security applications.
  • Pentoo – Security-focused live CD based on Gentoo.
  • BackBox – Ubuntu-based distribution for penetration tests and security assessments.
  • Parrot – Distribution similar to Kali, with multiple architecture.
  • Buscador – GNU/Linux virtual machine that is pre-configured for online investigators.
  • Fedora Security Lab – Provides a safe test environment to work on security auditing, forensics, system rescue and teaching security testing methodologies.
  • The Pentesters Framework – Distro organized around the Penetration Testing Execution Standard (PTES), providing a curated collection of utilities that eliminates often unused toolchains.
  • AttifyOS – GNU/Linux distribution focused on tools useful during Internet of Things (IoT) security assessments.

Docker for Penetration Testing

Multi-paradigm Frameworks

  • Metasploit – Software for offensive security teams to help verify vulnerabilities and manage security assessments.
  • Armitage – Java-based GUI front-end for the Metasploit Framework.
  • Faraday – Multiuser integrated pentesting environment for red teams performing cooperative penetration tests, security audits, and risk assessments.
  • ExploitPack – Graphical tool for automating penetration tests that ships with many pre-packaged exploits.
  • Pupy – Cross-platform (Windows, Linux, macOS, Android) remote administration and post-exploitation tool.

Vulnerability Scanners

  • Nexpose – Commercial vulnerability and risk management assessment engine that integrates with Metasploit, sold by Rapid7.
  • Nessus – Commercial vulnerability management, configuration, and compliance assessment platform, sold by Tenable.
  • OpenVAS – Free software implementation of the popular Nessus vulnerability assessment system.
  • Vuls – Agentless vulnerability scanner for GNU/Linux and FreeBSD, written in Go.

Static Analyzers

  • Brakeman – Static analysis security vulnerability scanner for Ruby on Rails applications.
  • cppcheck – Extensible C/C++ static analyzer focused on finding bugs.
  • FindBugs – Free software static analyzer to look for bugs in Java code.
  • sobelow – Security-focused static analysis for the Phoenix Framework.

Web Scanners

  • Nikto – Noisy but fast black box web server and web application vulnerability scanner.
  • Arachni – Scriptable framework for evaluating the security of web applications.
  • w3af – Web application attack and audit framework.
  • Wapiti – Black box web application vulnerability scanner with built-in fuzzer.
  • SecApps – In-browser web application security testing suite.
  • WebReaver – Commercial, graphical web application vulnerability scanner designed for macOS.
  • WPScan – Black box WordPress vulnerability scanner.
  • cms-explorer – Reveal the specific modules, plugins, components and themes that various websites powered by content management systems are running.
  • joomscan – Joomla vulnerability scanner.

Network Tools

  • zmap – Open source network scanner that enables researchers to easily perform Internet-wide network studies.
  • nmap – Free security scanner for network exploration & security audits.
  • pig – GNU/Linux packet crafting tool.
  • scanless – Utility for using websites to perform port scans on your behalf so as not to reveal your own IP.
  • tcpdump/libpcap – Common packet analyzer that runs under the command line.
  • Wireshark – Widely-used graphical, cross-platform network protocol analyzer.
  • – Website offering an interface to numerous basic network utilities like ping, traceroute, whois, and more.
  • netsniff-ng – Swiss army knife for for network sniffing.
  • Intercepter-NG – Multifunctional network toolkit.
  • SPARTA – Graphical interface offering scriptable, configurable access to existing network infrastructure scanning and enumeration tools.
  • dnschef – Highly configurable DNS proxy for pentesters.
  • DNSDumpster – Online DNS recon and search service.
  • CloudFail – Unmask server IP addresses hidden behind Cloudflare by searching old database records and detecting misconfigured DNS.
  • dnsenum – Perl script that enumerates DNS information from a domain, attempts zone transfers, performs a brute force dictionary style attack, and then performs reverse look-ups on the results.
  • dnsmap – Passive DNS network mapper.
  • dnsrecon – DNS enumeration script.
  • dnstracer – Determines where a given DNS server gets its information from, and follows the chain of DNS servers.
  • passivedns-client – Library and query tool for querying several passive DNS providers.
  • passivedns – Network sniffer that logs all DNS server replies for use in a passive DNS setup.
  • Mass Scan – TCP port scanner, spews SYN packets asynchronously, scanning entire Internet in under 5 minutes.
  • Zarp – Network attack tool centered around the exploitation of local networks.
  • mitmproxy – Interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers.
  • Morpheus – Automated ettercap TCP/IP Hijacking tool.
  • mallory – HTTP/HTTPS proxy over SSH.
  • SSH MITM – Intercept SSH connections with a proxy; all plaintext passwords and sessions are logged to disk.
  • Netzob – Reverse engineering, traffic generation and fuzzing of communication protocols.
  • DET – Proof of concept to perform data exfiltration using either single or multiple channel(s) at the same time.
  • pwnat – Punches holes in firewalls and NATs.
  • dsniff – Collection of tools for network auditing and pentesting.
  • tgcd – Simple Unix network utility to extend the accessibility of TCP/IP based network services beyond firewalls.
  • smbmap – Handy SMB enumeration tool.
  • scapy – Python-based interactive packet manipulation program & library.
  • Dshell – Network forensic analysis framework.
  • Debookee – Simple and powerful network traffic analyzer for macOS.
  • Dripcap – Caffeinated packet analyzer.
  • Printer Exploitation Toolkit (PRET) – Tool for printer security testing capable of IP and USB connectivity, fuzzing, and exploitation of PostScript, PJL, and PCL printer language features.
  • Praeda – Automated multi-function printer data harvester for gathering usable data during security assessments.
  • routersploit – Open source exploitation framework similar to Metasploit but dedicated to embedded devices.
  • evilgrade – Modular framework to take advantage of poor upgrade implementations by injecting fake updates.
  • XRay – Network (sub)domain discovery and reconnaissance automation tool.
  • Ettercap – Comprehensive, mature suite for machine-in-the-middle attacks.
  • BetterCAP – Modular, portable and easily extensible MITM framework.

Wireless Network Tools

  • Aircrack-ng – Set of tools for auditing wireless networks.
  • Kismet – Wireless network detector, sniffer, and IDS.
  • Reaver – Brute force attack against WiFi Protected Setup.
  • Wifite – Automated wireless attack tool.
  • Fluxion – Suite of automated social engineering based WPA attacks.

Transport Layer Security Tools

  • SSLyze – Fast and comprehensive TLS/SSL configuration analyzer to help identify security mis-configurations.
  • tls_prober – Fingerprint a server’s SSL/TLS implementation.

Web Exploitation

  • OWASP Zed Attack Proxy (ZAP) – Feature-rich, scriptable HTTP intercepting proxy and fuzzer for penetration testing web applications.
  • Fiddler – Free cross-platform web debugging proxy with user-friendly companion tools.
  • Burp Suite – Integrated platform for performing security testing of web applications.
  • autochrome – Easy to install a test browser with all the appropriate setting needed for web application testing with native Burp support, from NCCGroup.
  • Browser Exploitation Framework (BeEF) – Command and control server for delivering exploits to commandeered Web browsers.
  • Offensive Web Testing Framework (OWTF) – Python-based framework for pentesting Web applications based on the OWASP Testing Guide.
  • WordPress Exploit Framework – Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems.
  • WPSploit – Exploit WordPress-powered websites with Metasploit.
  • SQLmap – Automatic SQL injection and database takeover tool.
  • tplmap – Automatic server-side template injection and Web server takeover tool.
  • weevely3 – Weaponized web shell.
  • Wappalyzer – Wappalyzer uncovers the technologies used on websites.
  • WhatWeb – Website fingerprinter.
  • BlindElephant – Web application fingerprinter.
  • wafw00f – Identifies and fingerprints Web Application Firewall (WAF) products.
  • fimap – Find, prepare, audit, exploit and even Google automatically for LFI/RFI bugs.
  • Kadabra – Automatic LFI exploiter and scanner.
  • Kadimus – LFI scan and exploit tool.
  • liffy – LFI exploitation tool.
  • Commix – Automated all-in-one operating system command injection and exploitation tool.
  • DVCS Ripper – Rip web accessible (distributed) version control systems: SVN/GIT/HG/BZR.
  • GitTools – Automatically find and download Web-accessible .git repositories.
  • sslstrip – Demonstration of the HTTPS stripping attacks.
  • sslstrip2 – SSLStrip version to defeat HSTS.

Hex Editors

  • HexEdit.js – Browser-based hex editing.
  • Hexinator – World’s finest (proprietary, commercial) Hex Editor.
  • Frhed – Binary file editor for Windows.
  • 0xED – Native macOS hex editor that supports plug-ins to display custom data types.

File Format Analysis Tools

  • Kaitai Struct – File formats and network protocols dissection language and web IDE, generating parsers in C++, C#, Java, JavaScript, Perl, PHP, Python, Ruby.
  • Veles – Binary data visualization and analysis tool.
  • Hachoir – Python library to view and edit a binary stream as tree of fields and tools for metadata extraction.

Defense Evasion Tools

  • Veil – Generate metasploit payloads that bypass common anti-virus solutions.
  • shellsploit – Generates custom shellcode, backdoors, injectors, optionally obfuscates every byte via encoders.
  • Hyperion – Runtime encryptor for 32-bit portable executables (“PE .exes”).
  • AntiVirus Evasion Tool (AVET) – Post-process exploits containing executable files targeted for Windows machines to avoid being recognized by antivirus software.
  • – Automates the process of hiding a malicious Windows executable from antivirus (AV) detection.
  • peCloakCapstone – Multi-platform fork of the automated malware antivirus evasion tool.
  • UniByAv – Simple obfuscator that takes raw shellcode and generates Anti-Virus friendly executables by using a brute-forcable, 32-bit XOR key.

Hash Cracking Tools

  • John the Ripper – Fast password cracker.
  • Hashcat – The more fast hash cracker.
  • CeWL – Generates custom wordlists by spidering a target’s website and collecting unique words.

Windows Utilities

  • Sysinternals Suite – The Sysinternals Troubleshooting Utilities.
  • Windows Credentials Editor – Inspect logon sessions and add, change, list, and delete associated credentials, including Kerberos tickets.
  • mimikatz – Credentials extraction tool for Windows operating system.
  • PowerSploit – PowerShell Post-Exploitation Framework.
  • Windows Exploit Suggester – Detects potential missing patches on the target.
  • Responder – LLMNR, NBT-NS and MDNS poisoner.
  • Bloodhound – Graphical Active Directory trust relationship explorer.
  • Empire – Pure PowerShell post-exploitation agent.
  • Fibratus – Tool for exploration and tracing of the Windows kernel.
  • wePWNise – Generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.
  • redsnarf – Post-exploitation tool for retrieving password hashes and credentials from Windows workstations, servers, and domain controllers.
  • Magic Unicorn – Shellcode generator for numerous attack vectors, including Microsoft Office macros, PowerShell, HTML applications (HTA), or certutil (using fake certificates).

GNU/Linux Utilities

macOS Utilities

  • Bella – Pure Python post-exploitation data mining and remote administration tool for macOS.

DDoS Tools

  • LOIC – Open source network stress tool for Windows.
  • JS LOIC – JavaScript in-browser version of LOIC.
  • SlowLoris – DoS tool that uses low bandwidth on the attacking side.
  • HOIC – Updated version of Low Orbit Ion Cannon, has ‘boosters’ to get around common counter measures.
  • T50 – Faster network stress tool.
  • UFONet – Abuses OSI layer 7 HTTP to create/manage ‘zombies’ and to conduct different attacks using; GET/POST, multithreading, proxies, origin spoofing methods, cache evasion techniques, etc.

Social Engineering Tools

  • Social Engineer Toolkit (SET) – Open source pentesting framework designed for social engineering featuring a number of custom attack vectors to make believable attacks quickly.
  • King Phisher – Phishing campaign toolkit used for creating and managing multiple simultaneous phishing attacks with custom email and server content.
  • Evilginx – MITM attack framework used for phishing credentials and session cookies from any Web service.
  • wifiphisher – Automated phishing attacks against WiFi networks.
  • Catphish – Tool for phishing and corporate espionage written in Ruby.


  • Maltego – Proprietary software for open source intelligence and forensics, from Paterva.
  • theHarvester – E-mail, subdomain and people names harvester.
  • creepy – Geolocation OSINT tool.
  • metagoofil – Metadata harvester.
  • Google Hacking Database – Database of Google dorks; can be used for recon.
  • Google-dorks – Common Google dorks and others you probably don’t know.
  • GooDork – Command line Google dorking tool.
  • dork-cli – Command line Google dork tool.
  • Censys – Collects data on hosts and websites through daily ZMap and ZGrab scans.
  • Shodan – World’s first search engine for Internet-connected devices.
  • recon-ng – Full-featured Web Reconnaissance framework written in Python.
  • github-dorks – CLI tool to scan github repos/organizations for potential sensitive information leak.
  • vcsmap – Plugin-based tool to scan public version control systems for sensitive information.
  • Spiderfoot – Multi-source OSINT automation tool with a Web UI and report visualizations
  • BinGoo – GNU/Linux bash based Bing and Google Dorking Tool.
  • fast-recon – Perform Google dorks against a domain.
  • snitch – Information gathering via dorks.
  • Sn1per – Automated Pentest Recon Scanner.
  • Threat Crowd – Search engine for threats.
  • Virus Total – VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware.
  • DataSploit – OSINT visualizer utilizing Shodan, Censys, Clearbit, EmailHunter, FullContact, and Zoomeye behind the scenes.
  • AQUATONE – Subdomain discovery tool utilizing various open sources producing a report that can be used as input to other tools.

Anonymity Tools

  • Tor – Free software and onion routed overlay network that helps you defend against traffic analysis.
  • OnionScan – Tool for investigating the Dark Web by finding operational security issues introduced by Tor hidden service operators.
  • I2P – The Invisible Internet Project.
  • Nipe – Script to redirect all traffic from the machine to the Tor network.
  • What Every Browser Knows About You – Comprehensive detection page to test your own Web browser’s configuration for privacy and identity leaks.

Reverse Engineering Tools

  • Interactive Disassembler (IDA Pro) – Proprietary multi-processor disassembler and debugger for Windows, GNU/Linux, or macOS; also has a free version, IDA Free.
  • WDK/WinDbg – Windows Driver Kit and WinDbg.
  • OllyDbg – x86 debugger for Windows binaries that emphasizes binary code analysis.
  • Radare2 – Open source, crossplatform reverse engineering framework.
  • x64dbg – Open source x64/x32 debugger for windows.
  • Immunity Debugger – Powerful way to write exploits and analyze malware.
  • Evan’s Debugger – OllyDbg-like debugger for GNU/Linux.
  • Medusa – Open source, cross-platform interactive disassembler.
  • plasma – Interactive disassembler for x86/ARM/MIPS. Generates indented pseudo-code with colored syntax code.
  • peda – Python Exploit Development Assistance for GDB.
  • dnSpy – Tool to reverse engineer .NET assemblies.
  • binwalk – Fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
  • PyREBox – Python scriptable Reverse Engineering sandbox by Cisco-Talos.
  • Voltron – Extensible debugger UI toolkit written in Python.
  • Capstone – Lightweight multi-platform, multi-architecture disassembly framework.

Physical Access Tools

  • LAN Turtle – Covert “USB Ethernet Adapter” that provides remote access, network intelligence gathering, and MITM capabilities when installed in a local network.
  • USB Rubber Ducky – Customizable keystroke injection attack platform masquerading as a USB thumbdrive.
  • Poisontap – Siphons cookies, exposes internal (LAN-side) router and installs web backdoor on locked computers.
  • WiFi Pineapple – Wireless auditing and penetration testing platform.
  • Proxmark3 – RFID/NFC cloning, replay, and spoofing toolkit often used for analyzing and attacking proximity cards/readers, wireless keys/keyfobs, and more.

Side-channel Tools

  • ChipWhisperer – Complete open-source toolchain for side-channel power analysis and glitching attacks.

CTF Tools

  • ctf-tools – Collection of setup scripts to install various security research tools easily and quickly deployable to new machines.
  • Pwntools – Rapid exploit development framework built for use in CTFs.
  • RsaCtfTool – Decrypt data enciphered using weak RSA keys, and recover private keys from public keys using a variety of automated attacks.

Penetration Testing Report Templates


Penetration Testing Books

Hackers Handbook Series

Defensive Development

Network Analysis Books

Reverse Engineering Books

Malware Analysis Books

Windows Books

Social Engineering Books

Lock Picking Books

Defcon Suggested Reading

Vulnerability Databases

  • Common Vulnerabilities and Exposures (CVE) – Dictionary of common names (i.e., CVE Identifiers) for publicly known security vulnerabilities.
  • National Vulnerability Database (NVD) – United States government’s National Vulnerability Database provides additional meta-data (CPE, CVSS scoring) of the standard CVE List along with a fine-grained search engine.
  • US-CERT Vulnerability Notes Database – Summaries, technical details, remediation information, and lists of vendors affected by software vulnerabilities, aggregated by the United States Computer Emergency Response Team (US-CERT).
  • Full-Disclosure – Public, vendor-neutral forum for detailed discussion of vulnerabilities, often publishes details before many other sources.
  • Bugtraq (BID) – Software security bug identification database compiled from submissions to the SecurityFocus mailing list and other sources, operated by Symantec, Inc.
  • Exploit-DB – Non-profit project hosting exploits for software vulnerabilities, provided as a public service by Offensive Security.
  • Microsoft Security Bulletins – Announcements of security issues discovered in Microsoft software, published by the Microsoft Security Response Center (MSRC).
  • Microsoft Security Advisories – Archive of security advisories impacting Microsoft software.
  • Mozilla Foundation Security Advisories – Archive of security advisories impacting Mozilla software, including the Firefox Web Browser.
  • Packet Storm – Compendium of exploits, advisories, tools, and other security-related resources aggregated from across the industry.
  • CXSecurity – Archive of published CVE and Bugtraq software vulnerabilities cross-referenced with a Google dork database for discovering the listed vulnerability.
  • SecuriTeam – Independent source of software vulnerability information.
  • Vulnerability Lab – Open forum for security advisories organized by category of exploit target.
  • Zero Day Initiative – Bug bounty program with publicly accessible archive of published security advisories, operated by TippingPoint.
  • Vulners – Security database of software vulnerabilities.
  • Inj3ct0r (Onion service) – Exploit marketplace and vulnerability information aggregator.
  • Open Source Vulnerability Database (OSVDB) – Historical archive of security vulnerabilities in computerized equipment, no longer adding to its vulnerability database as of April, 2016.
  • HPI-VDB – Aggregator of cross-referenced software vulnerabilities offering free-of-charge API access, provided by the Hasso-Plattner Institute, Potsdam.

Security Courses

Information Security Conferences

  • DEF CON – Annual hacker convention in Las Vegas.
  • Black Hat – Annual security conference in Las Vegas.
  • BSides – Framework for organising and holding security conferences.
  • CCC – Annual meeting of the international hacker scene in Germany.
  • DerbyCon – Annual hacker conference based in Louisville.
  • PhreakNIC – Technology conference held annually in middle Tennessee.
  • ShmooCon – Annual US East coast hacker convention.
  • CarolinaCon – Infosec conference, held annually in North Carolina.
  • CHCon – Christchurch Hacker Con, Only South Island of New Zealand hacker con.
  • SummerCon – One of the oldest hacker conventions, held during Summer.
  • – Annual conference held in Luxembourg.
  • Hackfest – Largest hacking conference in Canada.
  • HITB – Deep-knowledge security conference held in Malaysia and The Netherlands.
  • Troopers – Annual international IT Security event with workshops held in Heidelberg, Germany.
  • Hack3rCon – Annual US hacker conference.
  • ThotCon – Annual US hacker conference held in Chicago.
  • LayerOne – Annual US security conference held every spring in Los Angeles.
  • DeepSec – Security Conference in Vienna, Austria.
  • SkyDogCon – Technology conference in Nashville.
  • SECUINSIDE – Security Conference in Seoul.
  • DefCamp – Largest Security Conference in Eastern Europe, held annually in Bucharest, Romania.
  • AppSecUSA – Annual conference organized by OWASP.
  • BruCON – Annual security conference in Belgium.
  • Infosecurity Europe – Europe’s number one information security event, held in London, UK.
  • Nullcon – Annual conference in Delhi and Goa, India.
  • RSA Conference USA – Annual security conference in San Francisco, California, USA.
  • Swiss Cyber Storm – Annual security conference in Lucerne, Switzerland.
  • Virus Bulletin Conference – Annual conference going to be held in Denver, USA for 2016.
  • Ekoparty – Largest Security Conference in Latin America, held annually in Buenos Aires, Argentina.
  • 44Con – Annual Security Conference held in London.
  • BalCCon – Balkan Computer Congress, annually held in Novi Sad, Serbia.
  • FSec – FSec – Croatian Information Security Gathering in Varaždin, Croatia.

Information Security Magazines

Awesome Lists

Credit and Original Location:

This article has been provided for educational purpose only.