Links Úteis

Blogs

• https://secnhack.in/
• https://thehackernews.com/
• https://www.cisoadvisor.com.br/
• https://threatpost.com/
• https://cgreinhold.dev/
• https://snyk.io/blog/
• https://www.troyhunt.com/
• https://samy.pl/
• https://www.malwaretech.com/
• https://minutodaseguranca.blog.br/
• https://www.welivesecurity.com
• https://www.syhunt.com/pt/?n=News.2021-Leaks&key=lucy17 (Leaks Feed)
• https://eskelsen.medium.com/
• https://www.adico.me/
• https://mayfly277.github.io/
• https://www.kitploit.com/
• https://www.felipeprado1975.com/
• https://securityonline.info/

Youtubers

• https://youtube.com/LiveOverflowCTF
• https://youtube.com/c/DavidBombal/
• https://youtube.com/c/JohnHammond010/
• https://youtube.com/stokfredrik
• https://youtube.com/c/GabrielPato/

Github profiles

• https://github.com/carlospolop
• https://github.com/KingOfBugbounty
• https://github.com/helviojunior
• https://github.com/VitorOriel

VMs & Distros

• Kali: https://www.kali.org/
• Kali purple: https://gitlab.com/kalilinux/documentation/kali-purple?s=08
• Whonix | Navegação anônima - https://www.whonix.org/
• Tails | Navegação anônima - https://tails.boum.org/index.pt.html
• REMnux | Malware Analysis - https://remnux.org/ (doc tools https://docs.remnux.org, eg. https://docs.remnux.org/discover-the-tools/analyze+documents/pdf)
• Santoku | Distro focada em forense para mobile - https://santoku-linux.com/about-santoku/
• VMs com CVE exploitable - https://www.vulnmachines.com/about

Web Scanners

• https://gf.dev/toolbox/ | Canivete suiço para ambientes Web
• https://www.ssllabs.com/ssltest/ | Diversas verificações para sistemas Web
• https://hstspreload.org/ | Teste para HSTS simples e direto
• https://observatory.mozilla.org/ | Diversas verificações para sistemas Web
• https://securityheaders.com/ | Verificações focadas em HTTP Headers necessários
• https://www.securityscore.com.br/ | Scan que vai além do sistema web, consulta e-mails e portas associadas ao domínio

Vazamento de Senhas e Dados - Leaks - Threat Intelligence

• https://www.ransomlook.io/recent - Melhor site que está centralizando notícias de vários grupos e empresas afetadas.
• https://haveibeenpwned.com/ | Verificação de vazamento de senhas
• https://intelx.io/ | Consulta à base de dados de vazamentos
• http://pwndb2am4tzkvold.onion/ | Consulta à base de vazamentos
• http://xjypo5vzgmo7jca6b322dnqbsdnp3amd24ybx26x5nxbusccjkm4pwid.onion/ | Consulta à base de vazamentos (DeepSearch)
• http://ransomwr3tsydeii4q43vazm7wofla5ujdajquitomtd47cxjtfgwyyd.onion/| Ransomware Group Sites
• https://breached.vc/ | Antigo raidforums.com desativado - Forum com exposição de vazamentos

OSINT

• https://search.censys.io/ | Scan de IPs e portas
• https://www.shodan.io/ | Scan de IPs e portas
• https://wigle.net/ | Mapeamento mundial de redes wifi
• https://osintframework.com/ | Grande indexador de ferramentas e OSINT’s para reconhecimento e pentest
• https://gf.dev/whois-hosting | Descobrir caminhos de IPs de um site
• https://github.com/sherlock-project/sherlock | Busca de usuário em várias redes sociais públicas
• https://start.me/p/BnBb5v/jornadas-osint | Reune vários links OSINTs, buscadores de nicks, de imagens, de pessoas, etc
• https://www.osintessentials.com/
• https://www.whois.com/whois/site.com.br | Ferramenta recomendada de whois
• https://labs.tib.eu/geoestimation/ | Estimativa de localização de imagens

Steganography / Esteganografia

• https://www.aperisolve.com | Reune várias ferramentas de análise de imagem e uma única requisição web)
• HxD | Visualizador hexdecimal de arquivos)
• stegseek | Procura por palavras dentro de uma arquivo de imagem baseado em uma lista (rockyou, por exemplo)
• binwalk | Usado principalmente para extrair outros arquivos escondidos dentro de outros arquivos
• steghide | Inserir ou extrair outros arquivos inseridos e protegidos com senha em outros arquivos
• strings | Comando strings, ferramenta linux que analisa possíveis strings de arquivos, locais, etc
• exiftool | Comando/ferramenta linux que analisa as informações EXIF de um arquivo
• goblyn | Captura de metada em arquivo de um website files
• Artigo sobre importância dos metadados para a segurança: https://www.kaspersky.com.br/blog/office-documents-metadata/7192/

Web Tools

• https://gchq.github.io/CyberChef/ | Canivete suiço. Diversos ‘utils’, scrab, estractor, etc
• https://www.processlibrary.com/en/ | Busca de dlls e processos
• https://caniuse.com/ | Verificação de compatibilidade de browsers
• https://grabify.link/ | Encurtado de links com IP logger
• https://archive.org/web/ | Way back machine - Histórico das páginas antigas
• https://beautifier.io/ | Transforma um js minificado para legível
• https://bgp.he.net | BGP Check
• https://www.100security.com.br/rsg | Reverse shell generator
• https://report-uri.com/home/tools | CSP Analyse, CSP Builder, CSP Hash, Header Analyser, SRI HAsh, PEM Decoder

Tools

• https://beefproject.com/
• http://sqlmap.org/
• https://nmap.org/
• https://docs.microsoft.com/en-us/sysinternals/ | Canivete suiço de ferramentas de análise de ambiente
• https://github.com/globocom/huskyCI | Ferramenta feito pela Globo. Orquestrador de análise de código de repositório para rodar junto com um CI
• https://github.com/Genymobile/scrcpy | Solução para transmitir a tela do celular para o computador
• https://www.postman.com/ | Monta requisições Http sob demanda
• https://dbeaver.io/ | Conector com banco de dados universal
• https://github.com/Abdulrahman-Kamel/tokenScanner | Token Scanner - Passa um token para o scanner e ele identifica que tipo de token é de forma simples, informa do que se possivelmente trata o token e já passa uma url de como fazer o exploit e testar

Pentest & Recon

• https://www.kali.org/tools/sublist3r/ / https://github.com/aboul3la/Sublist3r | Procura por subdomínios. Exemplo sublist3r -d kali.org
• https://github.com/six2dez/reconftw | Poderosa ferramenta de recon, utiliza 35 diretas + 24 outras ferramentas por baixo, entre elas o nuclei. Não obtive muitos resultados consistentes nos testes mas não descartar em um serviço de recon, porém não se basear só nele - executar diretamente os serviços que ele diz usar, no repo tem todas as referências
• https://github.com/Abdulrahman-Kamel/extract-comments | Extrai comentários das páginas - Bom se achar um crowler para pegar todas as urls de um domínio para depois passar como parâmetro
• https://github.com/hktalent/scan4all | Projeto com vulnerabilidades para testar ferramentas de scan
• https://github.com/Abdulrahman-Kamel/xssHeaders | Testa Blind XSS Headers - Tem que fazer um conta no site https://xsshunter.com/ para ter o profile no XssHunter.
• https://github.com/KingOfBugbounty/SecretFinder | Procura por possíveis chaves em arquivos HTML ou Js
• https://github.com/assetnote/kiterunner | Endpoint spider
• https://github.com/projectdiscovery/nuclei | Multitool para fazer o scanner de exploits
• https://github.com/skavngr/rapidscan | Multitool web vulnerability scanner
• https://github.com/t3l3machus/psudohash | Gerador de lista de senhas para orquestrar ataques de força bruta, baseado em uma string inicial
• https://github.com/EnableSecurity/wafw00f | Identificação de WAFs: wafw00f (W00f)

  1 2	- Exemplo comando kali > wafw00f -a 'https://enderecosistemas.com.br'

Fuzz

• Wfuzz

  1 2 3

  - Enumera subdiretórios baseado em wordlist - Exemplo => wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://192.168.56.102/dvwa/FUZZ - Tem que ter o "FUZZ" no final, não é só exemplo

• ffuf

  1	- Comando exemplo => ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-big.txt -u http://198.211.107.250:1337/FUZZ --fs 169

• Feroxbuster

  1 2 3 4 5

  - Enumeração recursiva similar ao gobuster - Repo: https://github.com/epi052/feroxbuster - Comandos `sudo apt install -y feroxbuster` `feroxbuster -u https://some-example-site.com`

Browser plugins/extensions

• DotGit
• Link Gopher
• Http Header Live
• JS Beautifier
• KeyFinder
• Web scan
• Wappalyzer
• SingleFile | Salvar um site inteiro incluindo imagens, estilos, frames, fontes, etc. num único arquivo HTML.

Pentest (DAST)

• https://www.zaproxy.org/ (scripts link)
• https://subgraph.com/vega/
• https://github.com/1N3/Sn1per/
• https://owasp.org/www-community/Vulnerability_Scanning_Tools | Lista de várias ferramentas pagas e free

Analisadores de tráfego

• https://portswigger.net/burp/
• https://www.charlesproxy.com/
• https://www.telerik.com/fiddler
• https://www.wireshark.org/

Mobile

• https://github.com/Genymobile/scrcpy | Solução para transmitir a tela do celular para o computador
• Santoku | Distro focada em forense para mobile - https://santoku-linux.com/about-santoku/
• https://www.youtube.com/watch?v=hFSuMySq2dA&ab_channel=HackingnaWeb | Como interceptar tráfego de app android, fazendo repack tranpondo seguraça compilação com certificado.

Listas

• https://github.com/nixawk/pentest-wiki | Indexador e guia para recon e pentests
• https://github.com/enaqx/awesome-pentest | Github para pentesters
• https://www.kali.org/tools/seclists | SecLists

  1 2	sudo apt install seclists ls -lh /usr/share/seclists/

• https://github.com/danielmiessler/SecLists | Payloads
• https://github.com/swisskyrepo/PayloadsAllTheThings | Payload para quase tudo
• https://github.com/sindresorhus/awesome#security | Indexador de materiais para pentest, recon, etc
• https://github.com/carpedm20/awesome-hacking#readme | Indexador de materiais para pentest, recon, etc
• https://github.com/qazbnm456/awesome-web-security#readme | Indexador de materiais para pentest, recon, etc
• https://github.com/sbilly/awesome-security#web | Indexador de materiais para pentest, recon, etc
• https://www.routerpasswords.com/ | Lista de senhas padrões de dispositivos
• https://minutodaseguranca.blog.br/lista-completa-de-ferramentas-de-teste-de-penetracao-e-hacking/

Sobre API keys

• https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/API%20Key%20Leaks
• https://community.turgensec.com/finding-hidden-api-keys-how-to-use-them/

Sobre AWS

• Buckets: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/AWS%20Amazon%20Bucket%20S3
• Security Check: https://awscheck.fyi/

Criptografia, Hash databases e crackers

• https://hashdecryption.com/
• https://emn178.github.io/online-tools/
• https://hashtoolkit.com/
• https://www.perturb.org/content/hashes/
• https://md5hashing.net/
• https://sha1.gromweb.com/
• https://www.boxentriq.com/code-breaking/cipher-identifier/ | Analisador de possível tipo de cifra utilizado
• https://www.openwall.com/john/ | John the Ripper password cracker
• https://crackstation.net/crackstation-wordlist-password-cracking-dictionary.htm | Base para download

Wordlists

• https://wordlists.assetnote.io/
• https://github.com/Abdulrahman-Kamel/httpAuth

Aplicação para validação de web scanners

• http://public-firing-range.appspot.com/

Databases para verificação de vulnerabilidade de bibliotecas

• https://snyk.io/vuln
• https://ossindex.sonatype.org/
• https://cve.mitre.org/cve/search_cve_list.html
• https://www.nuget.org/packages/Audit.NET/ | Extensão para Visual Studio
• https://cve.circl.lu/ | CVE Search database

Verificação de DNS

• https://toolbox.googleapps.com/apps/dig/
• https://dnslytics.com/

E-mail Analysis

• https://mxtoolbox.com/

Malware Analysis

• https://app.any.run | Interactive Malware Analysis
• https://tria.ge/ | Malware analysis sandbox
• https://remnux.org/ | REMnux VM Malware Analysis Tools
• https://id-ransomware.malwarehunterteam.com/ | Identificar ransomware

Mapas mentais, diagramas e prototipação

• https://www.mindmeister.com/
• https://miro.com/app/

Compartilhamento de arquivos e textos

• https://gofile.io/
• https://pastebin.com/
• http://dontpad.com/
• https://onionshare.org/

Emissão de certificado Https baixo ou nenhum custo

• https://letsencrypt.org/

CORS ByPass

• https://cors-anywhere.herokuapp.com/
• https://portswigger.net/research/exploiting-cors-misconfigurations-for-bitcoins-and-bounties

Reverse Tabnabbing

• https://owasp.org/www-community/attacks/Reverse_Tabnabbing
• https://github.com/OWASP/www-community/blob/master/pages/attacks/Reverse_Tabnabbing.md

Third party libraries

• https://deps.dev/ | Mais simples de ver quais vulnerabildiade uma determinada versão de uma biblioteca tem diretamente, por exemplo https://deps.dev/npm/jquery/2.2.1
• https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
• https://www.srihash.org/

CSP

• https://csper.io/evaluator | Avaliador para CSP
• https://csper.io/generator/ | Gerador de CSP
• https://developer.mozilla.org/pt-BR/docs/Web/HTTP/CSP

Lax vs Strict
https://blog.benpri.me/blog/2019/05/13/samesite-cookies-in-practice/

CTF - Security Games & Learning

• https://tryhackme.com/room/ohsint
• https://xss-game.appspot.com | XSS Game
• https://overthewire.org/wargames/natas/natas0.html | Natas: Web Hacking
• https://overthewire.org/wargames/bandit/bandit0.html | Bandit: Linux SSH Enviroment Hacking

I Know What You Download
https://iknowwhatyoudownload.com/en/peer/

Regras de boas práticas para desenvolvimento do Sonar
https://rules.sonarsource.com/csharp

CheatSheets e prevenções

Sniping Insecure Cookies with XSS

• https://breakdev.org/sniping-insecure-cookies-with-xss/

Angular template injection

• https://portswigger.net/research/xss-without-html-client-side-template-injection-with-angularjs
• Procurar por ‘ng-app’.
• https://www.youtube.com/watch?v=19gqZU953pY

Web Cache Deception

• http://omergil.blogspot.com/2017/02/web-cache-deception-attack.html
• Examples for some of the past vulnerable pages:

  1 2 3

  - https://www.paypal.com/myaccount/home/attack.css - https://www.paypal.com/myaccount/settings/notifications/attack.css - https://history.paypal.com/cgi-bin/webscr/attack.css?cmd=_history-details

Services

• https://www.kvstore.io/ | a simple key/value API based storage service
• https://nordvpn.com/ | VPN para comunicação segura - Pago

.Net

• https://github.com/pwntester/ysoserial.net | Exploit unsafe .NET object deserialization

Calcular nível de vulnerabilidades

• https://www.owasp-risk-rating.com/
• https://www.first.org/cvss/calculator/3.0
• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator

Coleção de relatórios de pentestes

• https://github.com/juliocesarfort/public-pentesting-reports
• https://github.com/hmaverickadams/TCM-Security-Sample-Pentest-Report/tree/master

Eventos

• https://bekk.christmas/
• https://tryhackme.com/room/25daysofchristmas

Eventos/Conferências Brasileiras de SI

• https://www.h2hc.com.br/
• https://bhack.com.br
• https://www.ysts.org/
• https://www.roadsec.com.br/
• https://www.mindthesec.com.br/
• https://www.cybersecuritysummit.com.br/
• https://nullbyte-con.org/
• https://speakfy.io/ | Site que concentra eventos de SI:

Security Awareness

Personal Security Checklist

• https://github.com/Lissy93/personal-security-checklist

Cofre de senhas

• https://bitwarden.com/

Phishing

• https://phishingquiz.withgoogle.com/ | Quiz do Google
• https://github.com/mrd0x/BITB | Browser inside a Browser - https://mrd0x.com/browser-in-the-browser-phishing-attack/
• https://getgophish.com/ | Gerenciamento de campanhas de phishing
• https://github.com/thewhiteh4t/seeker | Criação de phishing que colate localização de GPS precisas

IA geradore de perfis que não existem

• https://thispersondoesnotexist.com/

Critérios de segurança no código

• https://security-code-scan.github.io/

Guides

Red e Blue Team Tools List
https://github.com/A-poc/RedTeam-Tools
https://github.com/A-poc/BlueTeam-Tools

HackTricks
https://book.hacktricks.xyz

The National Cyber Security Centre
https://www.ncsc.gov.uk/

CTO Security Checklist/Guide
https://www.goldfiglabs.com/guide/saas-cto-security-checklist/

OWASP Top 10 controle proativos
https://owasp.org/www-project-proactive-controls/

IoT Security
https://www.bekk.christmas/post/2021/14/segment-your-home-network-today

Bugbounty Tips
https://github.com/KingOfBugbounty/KingOfBugBountyTips

Verificação de assinaturas de arquivos
https://www.garykessler.net/library/file_sigs.html

Analisando mensagens HTTP com Burp Suite e FoxyProxy
https://luan-cf-bnu.medium.com/analisando-mensagens-http-com-burp-suite-e-foxyproxy-9fb0a32d6fa4

4 coisas que todo relatório deve ter
https://rhinosecuritylabs.com/penetration-testing/four-things-every-penetration-test-report/

Focar nos itens importantes do guide, como e o que utilizar
https://www.apriorit.com/dev-blog/622-qa-web-application-pen-testing-owasp-checklist

Security Design Guidelines for Web Services
https://msdn.microsoft.com/en-us/library/ff649737.aspx

Sobre HSTS
https://www.troyhunt.com/understanding-http-strict-transport

12 Discas contra DDoS
https://blog.4linux.com.br/12-metodos-para-prevenir-ddos/

Como implementar corretamente o Salt
https://crackstation.net/hashing-security.htm

Dicas para quem programa em .Net
https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html (Tópico ‘ASP NET Web Forms Guidance’, sobre CSRF e ViewState)

Comunicação segura: Jitsi, Signal ou Wire
https://thehackernews.com/2020/04/zoom-cybersecurity-hacking.html

For everything else that requires sharing sensitive information, there are more secure options like self-hosted Jitsi, Signal and Wire.

WCF: Dicas de client
https://www.oreilly.com/library/view/programming-wcf-services/9781449382476/ch01s13.html

Fundamentos do GC
https://docs.microsoft.com/en-us/dotnet/standard/garbage-collection/fundamentals?redirectedfrom=MSDN#background_server_garbage_collection

CVE-2021-44228 - Log4j

1
2
3
4

https://youtu.be/7qoPDq41xhQ

Exploit Demo: https://github.com/leonjza/log4jpwn
Shell Check: https://log4shell.huntress.com/

Livros

The Code Book: The Secrets Behind Codebreaking
The Art of Deception (Kevin Mitnick)

Cursos, certificados e conteúdos gratuítos

• Cursos Grátis: https://codered.eccouncil.org/ (Ethical Hacking Essentials [EHE])
• Threat Hunting: https://elearning.securityblue.team/home/courses/free-courses/introduction-to-threat-hunting
• Darkweb Operations: https://elearning.securityblue.team/home/courses/free-courses/introduction-to-dark-web-operations
• Digital Forensics: https://elearning.securityblue.team/home/courses/free-courses/introduction-to-digital-forensics
• OSINT: https://elearning.securityblue.team/home/courses/free-courses/introduction-to-osint
• Network Analysis: https://elearning.securityblue.team/home/courses/free-courses/introduction-to-network-analysis
• Cyber Threat Intelligence 101: https://arcx.io/courses/cyber-threat-intelligence-101

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41

Great Free Cyber Security Courses

↓  Core ↓
Cisco Network Essentials - https://www.netacad.com/courses/networking/networking-essentials
Palo Alto - https://www.paloaltonetworks.com/cyberpedia/free-cybersecurity-education-courses
AWS Cloud - https://explore.skillbuilder.aws/learn/signin
Azure Cloud - https://learn.microsoft.com/en-us/training/azure/
GCP Cloud - https://cloud.google.com/learn/training

↓  Fundamentals ↓
SANS Aces - https://www.sans.org/cyberaces/
ISC(2) Certified in Cyber - https://www.isc2.org/Certifications/CC
Coursera - https://www.coursera.org/learn/foundations-cybersecurity
EC-Council - https://www.eccouncil.org/cybersecurity-exchange/cyber-novice/free-cybersecurity-courses-beginners/
Cyber Security - https://www.classcentral.com/course/swayam-cyber-security-13978
Cisco Cyber Induction - https://www.netacad.com/courses/cybersecurity/introduction-cybersecurity
Fortinet NSE - https://www.fortinet.com/training/cybersecurity-professionals

↓ Penetration Testing ↓
TCM-Security - https://academy.tcm-sec.com/p/learn-penetration-testing-free
PortSwigger Web Hacking - https://portswigger.net/web-security
CodeRed Hacking Essentials - https://codered.eccouncil.org/course/ethical-hacking-essentials
RedTeaming - https://taggartinstitute.org/p/responsible-red-teaming
METASPLOIT UNLEASHED - https://www.offsec.com/metasploit-unleashed/
Hacker101 - https://www.hackerone.com/hackers/hacker101

↓ Vulnerability Management ↓
Qualys - https://www.qualys.com/training/
Class Central - https://www.classcentral.com/course/get-started-with-vulnerability-assessment-70775

↓ SIEM ↓
Splunk - https://www.splunk.com/en_us/training/free-courses/overview.html
QRadar - https://www.securitylearningacademy.com/local/navigator/index.php?level=siem01&roadmapId=65
Elastic - https://www.elastic.co/training/elastic-security-fundamentals-siem
XPERT - https://www.siemxpert.com/online-cybersecurity-courses.html

↓ Engineering ↓
Oxford - https://www.oxfordhomestudy.com/courses/cyber-security-courses/free-cyber-security-courses
IoT Privacy - https://www.edx.org/course/cybersecurity-and-privacy-in-the-iot
Secure Software Development - https://training.linuxfoundation.org/training/developing-secure-software-lfd121/
Maryland Software Security - https://www.classcentral.com/course/software-security-1728

𝗙𝗿𝗲𝗲 𝗩𝗶𝗱𝗲𝗼𝘀: ISO 27001, SOC 2, and PCI DSS Full Framework Reviews

1
2
3
4
5
6
7
8
9
10
11

𝟭. 𝗜𝗦𝗢 𝟮𝟳𝟬𝟬𝟭 𝗙𝘂𝗹𝗹 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝗥𝗲𝘃𝗶𝗲𝘄 (https://youtu.be/Ou8cFdjMYWw?si=TeTT47YGVYCzCb3n)

We spend an hour covering every control in ISO 27001 Annex A line by line. We offer advice on how you can implement, what the auditor will look for, and a few tips.

𝟮. 𝗦𝗢𝗖 𝟮 𝗙𝘂𝗹𝗹 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝗥𝗲𝘃𝗶𝗲𝘄 (https://www.youtube.com/watch?v=2rAz9VohEdE&ab_channel=risk3sixty)

This is one I did myself. SOC 2 criteria up on the screen. I cover every point of focus and common controls that will meet the SOC 2 criteria. I also give some tips on how to implement and what and auditor would look for.

𝟯. 𝗣𝗖𝗜 𝗗𝗦𝗦 𝗙𝘂𝗹𝗹 𝗙𝗿𝗮𝗺𝗲𝘄𝗼𝗿𝗸 𝗥𝗲𝘃𝗶𝗲𝘄 (https://www.youtube.com/watch?v=OIRrDbuRfO8&ab_channel=risk3sixty)

We spend an hour covering all 12 PCI DSS requirements. There is also a great breakdown of common assessment findings we see often during audits.