
Fixups/adds/More tidying/categorization. If you're reading this, look at the tool 'DumpsterFire'. Freakin sweet stuff.

pull/8/head
root, 5 years ago
commit 0478fbcd3f
25 changed files with 967 additions and 217 deletions
  1. Draft/AnonOpsecPrivacy.md (+35, -4)
  2. Draft/Building A Pentest Lab.md (+6, -0)
  3. Draft/Embedded Device & Hardware Hacking -.md (+6, -3)
  4. Draft/Exploit Development.md (+6, -0)
  5. Draft/Forensics Incident Response.md (+5, -1)
  6. Draft/Fuzzing Bug Hunting.md (+32, -11)
  7. Draft/Game Hacking.md (+16, -5)
  8. Draft/Interesting Things Useful stuff.md (+19, -3)
  9. Draft/Malware.md (+19, -3)
  10. Draft/Network Attacks & Defenses.md (+16, -0)
  11. Draft/Network Security Monitoring & Logging.md (+36, -31)
  12. Draft/Password Bruting and Hashcracking.md (+3, -0)
  13. Draft/Phishing.md (+25, -11)
  14. Draft/Phyiscal Security.md (+3, -0)
  15. Draft/Policy-Compliance.md (+28, -0)
  16. Draft/Privilege Escalation & Post-Exploitation.md (+54, -43)
  17. Draft/Programming - Languages Libs Courses References.md (+7, -4)
  18. Draft/Red-Teaming.md (+106, -14)
  19. Draft/Reverse Engineering.md (+5, -4)
  20. Draft/SCADA.md (+21, -0)
  21. Draft/System Internals Windows and Linux Internals Reference.md (+6, -0)
  22. Draft/Web & Browsers.md (+120, -24)
  23. Draft/Wireless Networks & RF.md (+39, -27)
  24. Draft/things-added.md (+351, -27)
  25. README.md (+3, -2)

Draft/AnonOpsecPrivacy.md (+35, -4)

@ -23,8 +23,6 @@
#### end cull
@ -36,6 +34,20 @@
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
[Mobile Phone Data lookup](https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024)
### <a name="blog"></a>Blogposts
[De-Anonymizing Alt.Anonymous.Messages](https://ritter.vg/blog-deanonymizing_amm.html)
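Review bot: the new [Mobile Phone Data lookup] entry has no description bullet, while the [Bugger - Adam Curtis] entry directly above it does; a one-line summary of what the medium.com post demonstrates would keep the list consistent and let readers judge the link without following it.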
@ -58,6 +70,10 @@
[The Paranoid's Bible: An anti-dox effort.](https://paranoidsbible.tumblr.com/)
[Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide)
* This is a step-by-step guide to configuring and managing a domain, remote server and hosted services, such as VPN, a private and obfuscated Tor bridge, and encrypted chat, using the Debian GNU/Linux operating system and other free software.
[Reminder: Oh, Won't You Please Shut Up? - USA](https://www.popehat.com/2011/12/01/reminder-oh-wont-you-please-shut-up/)
@ -84,7 +100,7 @@
[Detect Tor Exit doing sniffing by passively detecting unique DNS query (via HTML & PCAP parsing/viewing)](https://github.com/NullHypothesis/exitmap/issues/37)
[Managing Pseudonyms with Compartmentalization: Identity Management of Personas](https://www.alienvault.com/blogs/security-essentials/managing-pseudonyms-with-compartmentalization-identity-management-of-personas)
@ -175,7 +191,7 @@
### <a name="Talks">Talks & Videos(& Presentatios)</a>
### <a name="Talks">Talks & Videos(& Presentations)</a>
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
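Review bot: the spelling fix in the Talks heading is right; while touching that line, add the missing space in `Videos(& Presentations)` so it reads `Videos (& Presentations)`.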
@ -220,6 +236,21 @@
[You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans' Movements - ACLU](https://www.aclu.org/other/you-are-being-tracked-how-license-plate-readers-are-being-used-record-americans-movements?redirect=technology-and-liberty/you-are-being-tracked-how-license-plate-readers-are-being-used-record)
[David Goulet - Deep Dive Into Tor Onion Services](https://www.youtube.com/watch?v=AkoyCLAXVsc)
[Winning and Quitting the Privacy Game What it REALLY takes to have True Privacy in the 21st Century - Derbycon 7](https://www.youtube.com/watch?v=bxQSu06yuZc)
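Review bot: the ACLU URL carries a `?redirect=technology-and-liberty/...` query string that just repeats the path and can be dropped; the two Tor/privacy talks added here also have no description bullets, unlike most entries in this file.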


Draft/Building A Pentest Lab.md (+6, -0)

@ -19,6 +19,12 @@
[Pentest Environment Deployer](https://github.com/Sliim/pentest-env)
* This repo provides an easy way to deploy a clean and customized pentesting environment with Kali linux using vagrant and virtualbox.
[DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire)
* [Slides](https://github.com/TryCatchHCF/DumpsterFire/raw/master/CactusCon_2017_Presentation/DumpsterFire_CactusCon_2017_Slides.pdf)
* The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
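Review bot: the DumpsterFire description leads with Blue Team drills and sensor/alert mapping, which fits the Network Security Monitoring & Logging file also touched in this commit at least as well as a pentest-lab page; consider a cross-link from there so detection engineers find it when mapping alerts to generated events.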


Draft/Embedded Device & Hardware Hacking -.md (+6, -3)

@ -44,8 +44,7 @@ http://greatscottgadgets.com/infiltrate2013/
[umap](https://github.com/nccgroup/umap)
* The USB host security assessment tool
[Pwn2Win 2017 - Shift Register](http://blog.dragonsector.pl/2017/10/pwn2win-2017-shift-register.html)
@ -91,6 +90,10 @@ http://greatscottgadgets.com/infiltrate2013/
[dc25-votingvillage-report](https://github.com/josephlhall/dc25-votingvillage-report)
* A report to synthesize findings from the Defcon 25 Voting Machine Hacking Village
[Secure Tokin’ & Doobiekeys: How to roll your own counterfeit hardware security devices - @securelyfitz, @r00tkillah](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-r00killah-and-securelyfitz-Secure-Tokin-and-Doobiekeys.pdf)
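Review bot: the DEF CON 25 PDF URL spells the speaker handle `r00killah` while the link text says `@r00tkillah`; verify the link resolves (media.defcon.org filenames are exact-match) and correct whichever side is wrong.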
@ -119,7 +122,7 @@ http://greatscottgadgets.com/infiltrate2013/
[Rooting the MikroTik routers (SHA2017)](https://www.youtube.com/watch?v=KZWGD9fWIcM)
* In this talk I describe my journey into reverse engineering parts of MikroTik system to gain access to hardware features and the shell behind the RouterOS that has no “ls”.
[When IoT Attacks: Hacking A Linux-Powered Rifle ](https://www.blackhat.com/docs/us-15/materials/us-15-Sandvik-When-IoT-Attacks-Hacking-A-Linux-Powered-Rifle.pdf)
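Review bot: the link text `[When IoT Attacks: Hacking A Linux-Powered Rifle ]` has a trailing space before the closing bracket; trim it so the rendered anchor text does not end in whitespace.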


Draft/Exploit Development.md (+6, -0)

@ -92,6 +92,12 @@ Sensepost Series on Linux Heap Exploitation (Intro level)
* [Painless intro to the Linux userland heap](https://sensepost.com/blog/2017/painless-intro-to-the-linux-userland-heap/)
* [Linux Heap Exploitation Intro Series: Used and Abused – Use After Free](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-used-and-abused-use-after-free/)
* [Linux Heap Exploitation Intro Series: The magicians cape – 1 Byte Overflow](https://sensepost.com/blog/2017/linux-heap-exploitation-intro-series-the-magicians-cape-1-byte-overflow/)
[MS17-010: EternalBlue’s Large Non-Paged Pool Overflow in SRV Driver - blog.trendmicro](http://blog.trendmicro.com/trendlabs-security-intelligence/ms17-010-eternalblue/)
[MS17-010 worawit](https://github.com/worawit/MS17-010)
#### End Sort
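Review bot: `[MS17-010 worawit]` has no description bullet, unlike the Trend Micro write-up directly above it; a short line saying what the repository contains would help readers triage it. Both new entries also sit above `#### End Sort`, so they are still in the unsorted area rather than under a topic heading.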


Draft/Forensics Incident Response.md (+5, -1)

@ -24,7 +24,9 @@
#### CULL
* Roll anti into this.
[Commercial Spyware - Detecting the Undetectable](https://www.blackhat.com/docs/us-15/materials/us-15-Dalman-Commercial-Spyware-Detecting-The-Undetectable-wp.pdf)
https://forensiccontrol.com/resources/free-software/
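Review bot: the to-do `* Roll anti into this.` is not self-explanatory (anti-forensics, presumably, but it should say so), and `https://forensiccontrol.com/resources/free-software/` is a bare URL without the bracketed title and description bullet used by the surrounding entries.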
@ -307,6 +309,8 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
[Hiding the breadcrumbs: Forensics and anti-forensics on SAP systems - Juan Perez-Etchegoyen](http://www.irongeek.com/i.php?page=videos/derbycon4/t508-hiding-the-breadcrumbs-forensics-and-anti-forensics-on-sap-systems-juan-perez-etchegoyen)
* The largest organizations in the world rely on SAP platforms to run their critical processes and keep their business crown jewels: financial information, customer data, intellectual property, credit cards, human resources salaries, sensitive materials, suppliers and more. Everything is there and attackers know it. For several years at Onapsis we have been researching on how cyber-criminals might be able to break into ERP systems in order to help organizations better protect themselves. This has enabled us to gain a unique expertise on which are the most critical attack vectors and what kind of traces they leave (and don’t) over the victim’s SAP platforms. SAP systems need to be ready for Forensic Analysis, so the big question is: Are your systems prepared to retain the attackers breadcrumbs in the event of an attack? Join us and learn how to do a forensic analysis of an SAP system, looking for traces of a security breach We will also show novel techniques being used by attackers to avoid being detected during post attack forensic investigations. Vulnerabilities related to anti-forensic techniques will be presented together with their mitigation. **NEW** New attacks never presented before will be shown. JAVA, ABAP and BO systems will be covered.
[int0x80 (of Dual Core) -- Anti-Forensics for the Louise - Derbycon](https://www.youtube.com/watch?v=-HK1JHR7LIM )
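Review bot: the pasted SAP talk abstract is missing a period in "security breach We will also show", and the int0x80 URL has a stray space before the closing `)`; both render, but the long vendor abstract could also be cut to the two sentences that say what the talk covers.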


Draft/Fuzzing Bug Hunting.md (+32, -11)

@ -21,13 +21,6 @@ TOC
https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys. This post goes through identifying the patched vulnerability.
[0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
#### end sort
##### To Do
* Add Descriptions/generals to types of fuzzing
@ -81,7 +74,13 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Taint analysis and pattern matching with Pin - Jonathan Salwan](http://shell-storm.org/blog/Taint-analysis-and-pattern-matching-with-Pin/)
#### Manual Source Code Analysis
[GitHub for Bug Bounty Hunters](https://gist.github.com/EdOverflow/922549f610b258f459b219a32f92d10b)
[Secure Code Review - OpenSecurityTraining.info](http://opensecuritytraining.info/SecureCodeReview.html)
[High-Level Approaches for Finding Vulnerabilities](http://jackson.thuraisamy.me/finding-vulnerabilities.html)
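Review bot: the new `#### Manual Source Code Analysis` heading has no `<a name>` anchor, unlike the `###` section headings in this file, so the TOC mentioned in the hunk context cannot link to it; it is also inserted directly after the taint-analysis-with-Pin entry, so check that the Pin write-up is meant to stay under the previous section rather than reading as part of the new one.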
@ -111,6 +110,13 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Binary SMS - The old backdoor to your new thing](https://www.contextis.com/resources/blog/binary-sms-old-backdoor-your-new-thing/)
[Hacking Virtual Appliances - DerbyconV](https://www.irongeek.com/i.php?page=videos/derbycon5/fix-me08-hacking-virtual-appliances-jeremy-brown)
* Virtual Appliances have become very prevalent these days as virtualization is ubiquitous and hypervisors commonplace. More and more of the major vendors are providing literally virtual clones for many of their once physical-only products. Like IoT and the CAN bus, it's early in the game and vendors are late as usual. One thing that it catching these vendors off guard is the huge additional attack surface, ripe with vulnerabilities, added in the process. Also, many vendors see software appliances as an opportunity for the customer to easily evaluate the product before buying the physical one, making these editions more accessible and debuggable by utilizing features of the platform on which it runs. During this talk, I will provide real case studies for various vulnerabilities created by mistakes that many of the major players made when shipping their appliances. You'll learn how to find these bugs yourself and how the vendors went about fixing them, if at all. By the end of this talk, you should have a firm grasp of how one goes about getting remotes on these appliances.
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys. This post goes through identifying the patched vulnerability.
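Review bot: the Hacking Virtual Appliances abstract has "One thing that it catching these vendors off guard" (should be "is catching"), and `[Binary SMS - ...]` has no description bullet. The Fuzzing for MS15-010 entry and its description also appear in the Sort section at the top of this file; verify that copy is the one being removed so this is a move rather than a duplicate.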
@ -145,10 +151,16 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
### <a name="videos">Talks/Videos</a>
#### Bug Hunting
[Browser Bug Hunting and Mobile](http://slides.com/revskills/fzbrowsers#/)
[Upping Your Bug Hunting Skills Using Symbolic Virtual Machines by Anto - x33fcon](https://www.youtube.com/watch?v=IPSZxGaLlyk)
[The Best of Bug Finding - Duo Tech Talk (Charlie Miller)](https://www.youtube.com/watch?v=1M1EOzulQsw)
* I look at how security vulnerabilities are found (or missed) and some of my favorite bugs and exploits I’ve come across in my career.
#### Fuzzing
[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](https://www.youtube.com/watch?v=h777lF6xjs4)
[The Power Of Pair: One Template That Reveals 100+ Uaf Ie Vulnerabilities - BlackhatEU14](http://www.securitytube.net/video/12924?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29)
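Review bot: the new `#### Bug Hunting` and `#### Fuzzing` subsections under Talks/Videos have no anchors, so they will not be reachable from the TOC; the Blackhat EU 14 SecurityTube link also carries a `?utm_source=...` tracking suffix that can be dropped.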
@ -160,6 +172,7 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Mining for Bugs with Graph Database Queries [31c3]](https://www.youtube.com/watch?v=291hpUE5-3g)
* [Starting out with Joern](http://tsyrklevich.net/2015/03/28/starting-out-with-joern/)
[Fuzz Smarter, Not Harder (An Afl-Fuzz Primer) BSides-SF 2016](http://www.securitytube.net/video/15372)
[File Format Fuzzing in Android](https://deepsec.net/docs/Slides/2015/File_Format_Fuzzing_in_Android_-Alexandru_Blanda.pdf)
@ -174,10 +187,6 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Introduction to USB and Fuzzing DEFCON23 Matt DuHarte](https://www.youtube.com/watch?v=KWOTXypBt4E)
[Browser Bug Hunting and Mobile](http://slides.com/revskills/fzbrowsers#/)
[Upping Your Bug Hunting Skills Using Symbolic Virtual Machines by Anto - x33fcon](https://www.youtube.com/watch?v=IPSZxGaLlyk)
[Practical File Format Fuzzing](http://www.irongeek.com/i.php?page=videos/derbycon3/3301-practical-file-format-fuzzing-jared-allar)
* File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discovery vulnerabilities in file parsers.
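Review bot: the Practical File Format Fuzzing description has "to discovery vulnerabilities" (should be "discover"); it is unchanged context here, but worth fixing while the section is being reorganized.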
@ -186,6 +195,10 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Introduction to Custom Protocol Fuzzing](https://www.youtube.com/watch?v=ieatSJ7ViBw)
[0-day streams: pdfcrack](https://www.youtube.com/watch?v=8VLNPIIgKbQ&app=desktop)
### <a name="books">Books</a>
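Review bot: the pdfcrack YouTube URL ends in `&app=desktop`, a client hint that adds nothing; trim it to the `?v=` id. Neither of the two videos in this hunk has a description bullet.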
@ -193,6 +206,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
### <a name="training"></a>Training
[Modern fuzzing of C/C++ Projects - Slides](https://docs.google.com/presentation/d/1pbbXRL7HaNSjyCHWgGkbpNotJuiC4O7L_PDZoGqDf5Q/edit#slide=id.p4)
@ -200,6 +215,12 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
* Materials of "Modern fuzzing of C/C++ Projects" workshop.
### <a name="tools">Tools</a>
#### Non OS Specific


Draft/Game Hacking.md (+16, -5)

@ -20,8 +20,6 @@
#### Sort
#### End Sort
### <a name="general"></a>General
@ -47,7 +45,14 @@
### <a name="console"></a>Console Hacking
##### Nintendo 3DS
#### Nintendo Gameboy
[Reverse engineering a Gameboy ROM with radare2](https://www.megabeets.net/reverse-engineering-a-gameboy-rom-with-radare2/)
#### Nintendo 3DS
[Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain](https://github.com/Plailect/keyshuffling)
* We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistant exploit of the system.
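Review bot: the Keyshuffling description has "persistant" (should be "persistent"); since the line is a pasted abstract, correct the typo or paraphrase. The heading level change from `#####` to `####` for Nintendo 3DS brings it in line with the other console subsections.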
@ -55,10 +60,14 @@
[Throwback: K9Lhax by Bruteforce](http://douevenknow.us/post/151129092928/throwback-k9lhax-by-bruteforce)
### Nintendo Wii
#### Nintendo Wii
[wiihacks forum](http://www.wiihacks.com/)
[WiiHacks](https://www.reddit.com/r/WiiHacks/)
#### PS Vita
[Hacking the PS Vita](http://yifan.lu/2015/06/21/hacking-the-ps-vita/)
@ -76,9 +85,11 @@
[DEFCON 17: Fragging Game Servers - Bruce Potter](https://www.youtube.com/watch?v=SooVvF9qO_k&app=desktop)
### PC Games
[TruePlay - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/mt808781(v=vs.85).aspx)
[Valve Anti-Cheat Untrusted Bans (VAC) CSGO](http://dev.cra0kalo.com/?p=521)
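Review bot: `### PC Games` has no `<a name>` anchor whereas `### <a name="console"></a>Console Hacking` does, so it cannot be linked from the TOC; the DEFCON 17 URL also carries `&app=desktop`, and the TruePlay and VAC entries lack description bullets.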


Draft/Interesting Things Useful stuff.md (+19, -3)

@ -30,9 +30,12 @@
* sort and break into policy/high level/ vs interesting things
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** | http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
| **What’s contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
[Simplifying the Business Bar Coded Boarding Pass Implementation Guide](http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf)
[What’s contained in a boarding pass barcode?](https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode)
[Universal Extractor](http://www.legroom.net/software/uniextract)
* Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc
https://www.youtube.com/watch?v=h92vmwg9Tyc
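Review bot: the bare `https://www.youtube.com/watch?v=h92vmwg9Tyc` right after the reworked entries still has no title or description, and the Universal Extractor bullet ends in "etc" without a period; the conversion of the `| **title** | url` table rows into bracketed links with a description bullet is otherwise consistent with the rest of the file.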
@ -71,6 +74,18 @@ http://spth.virii.lu/articles.htm
* what3words provides a precise and incredibly simple way to talk about location. We have divided the world into a grid of 3m x 3m squares and assigned each one a unique 3 word address.
[Windows Firewall Control - Managing Windows Firewall is now easier than ever](https://www.binisoft.org/wfc.php)
[The Aviation Herald](https://avherald.com/)
[NTSB Aviation Accident Database & Synopses](https://www.ntsb.gov/_layouts/ntsb.aviation/index.aspx)
[autojump - a faster way to navigate your filesystem](https://github.com/wting/autojump)
* autojump is a faster way to navigate your filesystem. It works by maintaining a database of the directories you use the most from the command line.
[OSX for Hackers (Mavericks/Yosemite)](https://gist.github.com/matthewmueller/e22d9840f9ea2fee4716)
[What Colour are your bits?](http://ansuz.sooke.bc.ca/entry/23)
#### End Sort
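Review bot: [The Aviation Herald], [NTSB Aviation Accident Database & Synopses], [OSX for Hackers] and [What Colour are your bits?] are added without description bullets while autojump and what3words have them; given the to-do at the top of this section ("sort and break into policy/high level/ vs interesting things"), a one-line description on each would make the later sort possible without re-opening every link.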
@ -315,6 +330,7 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[(In)Outsider Trading – Hacking stocks using public information and (influence) - Robert Len - BSides CapeTown16](https://www.youtube.com/watch?v=sfHeguTEkuE)
* This talk will take a look at how inadvertently leaked technical information from businesses, can be used to successfully trade stocks. This results in making huge profits. We look at different methods of influencing the stock market, such as DDOS attacks (at critical time periods) and simple techniques such as Phish-baiting CEO’s to acquire sensitive, relevant information that can be applied in the real world to make massive gains in profit. We will also take a look at historic trends. How previous hacks, breaches and DDOS attacks have affected stock prices and investor confidence over time. Specific reference will be made towards listed South African companies (Or a particular listed SA company) and a POC will hopefully be completed by the presentation date.
[Human Trafficking in the Digital Age](https://www.irongeek.com/i.php?page=videos/derbycon4/t516-human-trafficking-in-the-digital-age-chris-jenks)


Draft/Malware.md (+19, -3)

@ -19,7 +19,8 @@ TOC
##### Sort
* sort tools
* Add malicious document section
http://securityxploded.com/malware-analysis-training-reference.php
http://www.malwarearchaeology.com/mmf/
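Review bot: `http://securityxploded.com/malware-analysis-training-reference.php` and `http://www.malwarearchaeology.com/mmf/` are bare URLs without the bracketed title and description used elsewhere in the file; the new to-do "Add malicious document section" is a good one, since the Loffice entry being moved in this commit would belong there.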
@ -32,7 +33,7 @@ https://brycampbell.co.uk/new-blog/
https://archive.is/Nol3S
[Loffice - Analyzing malicious documents using WinDbg](https://thembits.blogspot.com/2016/06/loffice-analyzing-malicious-documents.html)
@ -43,6 +44,8 @@ https://archive.is/Nol3S
* Abstract: We introduce PyTrigger, a dynamic malware analy- sis system that automatically exercises a malware binary extract- ing its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the con- text makes the playback more accurate and avoids dependenciesand pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples
[Windows’ PsSetLoadImageNotifyRoutine Callbacks: the Good, the Bad and the Unclear (Part 2)](https://breakingmalware.com/documentation/windows-pssetloadimagenotifyroutine-callbacks-good-bad-unclear-part-2/)
##### END Sort
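Review bot: the PyTrigger abstract carries PDF line-break residue ("analy- sis", "extract- ing", "con- text") and the fused "dependenciesand"; join the hyphenated words, add the missing space, and end the final sentence ("in 21% of the samples") with a period before merging.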
@ -109,6 +112,7 @@ https://archive.is/Nol3S
[Decoding ZeuS disguised as an .RTF File](http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/)
* Excellent step by step writeup
[Loffice - Analyzing malicious documents using WinDbg](https://thembits.blogspot.com/2016/06/loffice-analyzing-malicious-documents.html)
[Hacking Team Writeup](https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/)
@ -570,7 +574,8 @@ Regshot is an open-source (LGPL) registry compare utility that allows you to qui
[BasicHook](https://github.com/MalwareTech/BasicHook)
* x86 Inline hooking engine (using trampolines)
[Manalyze - static analyzer for PE files](https://github.com/JusticeRage/Manalyze)
* Manalyze was written in C++ for Windows and Linux and is released under the terms of the GPLv3 license. It is a robust parser for PE files with a flexible plugin architecture which allows users to statically analyze files in-depth.
@ -651,6 +656,17 @@ Duping the Machine: malware strategies, post sandbox detection
[Offensive Malware Analysis: Dissecting OSX FruitFly - Patrick Wardle - DEF CON 25](https://www.youtube.com/watch?v=q7VZtCUphgg)
* FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that even now, is only detected by a handful of security products. We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.
[ZitMo NoM - Derbycon2014](https://www.irongeek.com/i.php?page=videos/derbycon4/t520-zitmo-nom-david-schwartzberg)
* A world without malware is ideal but unlikely. Many of us would prefer *not* to install another layer of protection on their already resource constrained handheld mobile device. Alternatively, Android malware detection sans anti-virus installation has become a reality. Learn about how it’s possible to detect mobile malware using simple text messages with ZitMo NoM. ZeuS in the mobile, known as ZitMo, is infamous for intercepting SMS transmissions then redirecting them to a Command & Control in order steal banking and personal information. Research with SMS transmissions directed at mobile malware has resulted in the ability to detect ZitMo’s presence without anti,virus applications installed. Turning their own tools against them makes this even more of a rewarding endeavor. We are looking for malware researchers to contribute to the continued development of this open tool. The presentation will include the research, the infrastructure and a demonstration of ZitMo NoM. Live malware will be used during this presentation, assuming we get it to behave.
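Review bot: the ZitMo NoM abstract has "in order steal" (missing "to") and "anti,virus" (a comma where the hyphen in "anti-virus" belongs); worth cleaning since this is a pasted description.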


Draft/Network Attacks & Defenses.md (+16, -0)

@ -50,6 +50,10 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[BlackNurse attack PoC](https://github.com/jedisct1/blacknurse)
* A simple PoC for the Blacknurse attack. "Blacknurse is a low bandwidth ICMP attack that is capable of doing denial of service to well known firewalls".
* Attacking firewalls
[Fire Away Sinking the Next Gen Firewall Russell Butturini - Derbycon6](https://www.youtube.com/watch?v=Qpty_f0Eu7Y)
##### sort end
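Review bot: `* Attacking firewalls` is a second bullet under the BlackNurse entry, where it reads as part of that PoC's description rather than the category label it appears to be for the "Fire Away" talk that follows; either make it a heading or fold it into the talk's own description bullet.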
@ -408,6 +412,8 @@ Veil Tutorials:
------------
### <a name="ipmi"></a>IPMI
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
@ -474,7 +480,11 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
* Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification
* It sniffs: URLs visited; POST loads sent; HTTP form logins/passwords; HTTP basic auth logins/passwords; HTTP searches; FTP logins/passwords; IRC logins/passwords; POP logins/passwords; IMAP logins/passwords; Telnet logins/passwords; SMTP logins/passwords; SNMP community string; NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc; Kerberos.
[NTLMssp-Extract](https://github.com/sinnaj-r/NTLMssp-Extract)
* A small Python-Script to extract NetNTLMv2 Hashes from NTMLssp-HTTP-Authentications, which were captured in a pcap.
[ntlmRelayToEWS](https://github.com/Arno0x/NtlmRelayToEWS)
* ntlmRelayToEWS is a tool for performing ntlm relay attacks on Exchange Web Services (EWS). It spawns an SMBListener on port 445 and an HTTPListener on port 80, waiting for incoming connection from the victim. Once the victim connects to one of the listeners, an NTLM negociation occurs and is relayed to the target EWS server.
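Review bot: "NTMLssp-HTTP-Authentications" in the NTLMssp-Extract description should read "NTLMssp", and "negociation" in the ntlmRelayToEWS description should be "negotiation"; the same sentence also has "waiting for incoming connection" (plural "connections").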
@ -554,6 +564,12 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Adding your protocol to Masscan](http://blog.erratasec.com/2014/11/adding-protocols-to-masscan.html)
[changeme - A default credential scanner.](https://github.com/ztgrace/changeme)
* changeme picks up where commercial scanners leave off. It focuses on detecting default and backdoor credentials and not necessarily common credentials. It's default mode is to scan HTTP default credentials, but has support for other credentials. changeme is designed to be simple to add new credentials without having to write any code or modules. changeme keeps credential data separate from code. All credentials are stored in yaml files so they can be both easily read by humans and processed by changeme. Credential files can be created by using the ./changeme.py --mkcred tool and answering a few questions. changeme supports the http/https, mssql, mysql, postgres, ssh, ssh w/key, snmp, mongodb and ftp protocols. Use ./changeme.py --dump to output all of the currently available credentials.
------------
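Review bot: "It's default mode" in the changeme description should be "Its"; the paragraph also runs the tool's CLI usage (`--mkcred`, `--dump`) into the one-line summary, so consider cutting it to the first two sentences and leaving the flag detail to the project README.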


Draft/Network Security Monitoring & Logging.md (+36, -31)

@ -26,27 +26,10 @@ Cull
#### Cull
[laikaboss](https://github.com/lmco/laikaboss)
| **WMI-IDS** - WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time. | https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS
http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Analysis-What-Should-You-Choose.pdf
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
[Introduction to Windows Event Forwarding](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4)
[Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
#### End Cull
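Review bot: the two Windows Event Forwarding links stay in the `#### Cull` block even though this commit adds a `#### Windows Event Collector` section further down the same file, which is where they belong; `[Introduction to Windows Event Forwarding]` also points at an article whose URL slug is "the-windows-event-forwarding-survival-guide", so the link text should match the article title. The netfort NetFlow-vs-packet-analysis PDF remains a bare URL without a title.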
@ -84,7 +67,7 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
[Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response](https://www.sans.org/reading-room/whitepapers/forensics/building-home-network-configured-collect-artifacts-supporting-network-forensic-incident-response-37302)
[Automating large-scale memory forensics](https://medium.com/@henrikjohansen/automating-large-scale-memory-forensics-fdc302dc3383)
@ -115,6 +98,18 @@ and contains internal tools, with a powerful interactive console, for analysis a
[dnstwist](https://github.com/elceef/dnstwist)
* Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
[PowerShellMethodAuditor](https://github.com/zacbrown/PowerShellMethodAuditor)
[WMI-IDS](https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS)
* WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time.
[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
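Review bot: `[PowerShellMethodAuditor]` is the only entry in this hunk without a description bullet; one line on what it audits would keep it consistent with the WMI-IDS, Stenographer and Netdude entries moved in from the Cull section.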
@ -303,32 +298,42 @@ losing the essense in the DNS answer.
[Advanced Security Audit Policy Settings](https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx)
[Sysinternals Sysmon unleashed](https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/)
[GetInjectedThreads.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Looks for threads that were created as a result of code injection.
[check_ioc](https://github.com/oneoffdallas/check_ioc)
* Check_ioc is a script to check for various, selectable indicators of compromise on Windows systems via PowerShell and Event Logs. It was primarily written to be run on a schedule from a monitoring engine such as Nagios, however, it may also be run from a command-line (for incident response).
[Advanced Security Audit Policy Settings(Windows)](https://technet.microsoft.com/en-us/library/dn319056(v=ws.11).aspx)
[SysInternals: SysMon Unleashed](https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/)
#### Powershell Logging
[Revoke -­ Obfuscation: PowerShell Obfuscation Detection Using Science](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf)
[Greater Visibility Through PowerShell Logging](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
[block-parser](https://github.com/matthewdunwoody/block-parser)
* Parser for Windows PowerShell script block logs
#### Windows Event Collector
[Windows Event Collector(For centralizing windows domain logging with no local agent, windows actually has built-in logging freely available)](https://msdn.microsoft.com/en-us/library/bb427443(v=vs.85).aspx)
[Windows event Collector - Setting up source initiated Subscriptions](https://msdn.microsoft.com/en-us/library/bb870973(v=vs.85).aspx)
[Use Windows Event Forwarding to help with intrusion detection](https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection)
[GetInjectedThreads.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Looks for threads that were created as a result of code injection.
#### Windows Event Forwarding
[Sysmon - The Best Free Windows Monitoring Tool You Aren't Using](http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/)
[Introduction to Windows Event Forwarding](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4)
[check_ioc](https://github.com/oneoffdallas/check_ioc)
* Check_ioc is a script to check for various, selectable indicators of compromise on Windows systems via PowerShell and Event Logs. It was primarily written to be run on a schedule from a monitoring engine such as Nagios, however, it may also be run from a command-line (for incident response).
[Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
[Greater Visibility Through PowerShell Logging](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
[Use Windows Event Forwarding to help with intrusion detection](https://docs.microsoft.com/en-us/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection)
[block-parser](https://github.com/matthewdunwoody/block-parser)
* Parser for Windows PowerShell script block logs
#### Sysinternals
[Revoke -­ Obfuscation: PowerShell Obfuscation Detection Using Science](https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf)
[Sysmon - The Best Free Windows Monitoring Tool You Aren't Using](http://909research.com/sysmon-the-best-free-windows-monitoring-tool-you-arent-using/)
[SysInternals: SysMon Unleashed](https://blogs.technet.microsoft.com/motiba/2016/10/18/sysinternals-sysmon-unleashed/)
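Review bot: several entries land under the wrong new sub-heading: `Revoke -­ Obfuscation: PowerShell Obfuscation Detection Using Science` sits under `#### Sysinternals`, while `Sysmon - The Best Free Windows Monitoring Tool You Aren't Using`, `Greater Visibility Through PowerShell Logging` and `block-parser` sit under `#### Windows Event Forwarding`, and `GetInjectedThreads.ps1` lands under `#### Windows Event Collector`. Move the PowerShell items to `#### Powershell Logging`, the Sysmon article to `#### Sysinternals`, and the two hunting scripts (`GetInjectedThreads.ps1`, `check_ioc`) to a general detection list. Since the hunk deletes and re-adds `Advanced Security Audit Policy Settings`, `Sysinternals Sysmon unleashed` (three occurrences here) and `Monitoring what matters`, check the resulting file for leftover duplicates. The title `Revoke -­ Obfuscation` also carries stray spaces and a stray hyphen character; the report is named `Revoke-Obfuscation`.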


+3 -0 Draft/Password Bruting and Hashcracking.md

@ -79,6 +79,9 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
[Cracking Active Directory Passwords or “How to Cook AD Crack"](https://www.sans.org/reading-room/whitepapers/testing/cracking-active-directory-passwords-how-cook-ad-crack-37940)
[Cracking Corporate Passwords – Exploiting Password Policy Weaknesses - Minga / Rick Redman Derbycon 2013](https://www.irongeek.com/i.php?page=videos/derbycon3/1301-cracking-corporate-passwords-exploiting-password-policy-weaknesses-minga-rick-redman)


+25 -11 Draft/Phishing.md

@ -15,10 +15,6 @@ TOC
### Cull
#### End cull
@ -33,7 +29,7 @@ TOC
------------------
###<a name="general>General</a>
[Phishing - wikipedia](http://www.en.wikipedia.org/wiki/Phishing):
* “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”
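Review bot: the heading `###<a name="general>General</a>` is missing the closing quote on the `name` attribute and the space after `###`; as written the attribute is malformed and markdown will not treat `###<a` as a heading at all, so the TOC link to `#general` has nothing to land on. Write it as `### <a name="general"></a>General`, the form the other files in this commit use.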
@ -76,7 +72,7 @@ TOC
------------------
### Tools
[CatMyFish](https://github.com/Mr-Un1k0d3r/CatMyFish)
@ -96,7 +92,7 @@ TOC
------------------
### Microsoft Outlook/Exchange Stuff
[How to bypass Web-Proxy Filtering](https://www.blackhillsinfosec.com/?p=5831)
@ -107,19 +103,34 @@ TOC
[Outlook and Exchange for the Bad Guys Nick Landers](https://www.youtube.com/watch?v=cVhc9VOK5MY)
[Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17](https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/)
[Outlook and Exchange for the Bad Guys Nick Landers](https://www.youtube.com/watch?v=cVhc9VOK5MY)
[Microsoft Support and Recovery Assistant for Office 365](https://testconnectivity.microsoft.com/)
[Exchange Versions, Builds & Dates](https://eightwone.com/references/versions-builds-dates/)
[morphHTA - Morphing Cobalt Strike's evil.HTA](https://github.com/vysec/morphHTA)
[Outlook and Exchange for the Bad Guys Nick Landers - Derbycon6](https://www.youtube.com/watch?v=cVhc9VOK5MY)
[Malicious Outlook Rules - Nick Landers](https://silentbreaksecurity.com/malicious-outlook-rules/)
------------------
### MS Office
[Exploiting Office native functionality: Word DDE edition](https://www.securityforrealpeople.com/2017/10/exploiting-office-native-functionality.html)
[Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17](https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/)
------------------
### Writeups
[How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](https://www.pentestgeek.com/2013/01/30/how-do-i-phish-advanced-email-phishing-tactics/)
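Review bot: `Outlook and Exchange for the Bad Guys Nick Landers` appears three times in this hunk with the same YouTube URL (twice plain, once with `- Derbycon6`); make sure only the `- Derbycon6` entry survives in the Exchange section. `Next Gen Office Malware v2.0` is likewise listed under both `### Microsoft Outlook/Exchange Stuff` and the new `### MS Office`, where it belongs. `morphHTA - Morphing Cobalt Strike's evil.HTA` is an HTA tool rather than Outlook/Exchange material; `### Tools` fits it better.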
@ -134,10 +145,13 @@ TOC
------------------
### Talks/Presentations
[Three Years of Phishing - What We've Learned - Mike Morabito](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech105-three-years-of-phishing-what-weve-learned-mike-morabito)
* Cardinal Health has been aggressively testing and training users to recognize and avoid phishing emails. This presentation covers 3 years of lessons learned from over 18,000 employees tested, 150,000 individual phishes sent, 5 complaints, thousands of positive comments, and a dozen happy executives. Learn from actual phishing templates what works well, doesn,t work at all, and why? See efficient templates for education and reporting results.
[Ichthyology: Phishing as a Science - BH USA 2017](https://www.youtube.com/watch?v=Z20XNp-luNA&app=desktop)
[Ichthyology: Phishing as a Science - BH USA 2017](https://www.youtube.com/watch?v=Z20XNp-luNA&app=desktop)
[Modern Evasion Techniques Jason Lang - Derbycon7](https://www.irongeek.com/i.php?page=videos/derbycon7/t110-modern-evasion-techniques-jason-lang)
* As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. Defenders: might want to come to this one.
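Review bot: the `Ichthyology: Phishing as a Science - BH USA 2017` line is added twice back to back; drop one. The Cardinal Health abstract also has `doesn,t` for `doesn't` and a stray `?` after `and why`; worth fixing while the line is being touched.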

+3 -0 Draft/Phyiscal Security.md

@ -22,6 +22,9 @@
[Hacking things by touching them - armadillo](https://www.armadillophone.com/blog/2017/08/27/hacking-things-by-touching-them)
[zoneminder](https://www.zoneminder.com/)
* A full-featured, open source, state-of-the-art video surveillance software system.
#### End Sort
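Review bot: the file is still `Draft/Phyiscal Security.md` (typo for Physical); since this commit is tidying categories, a `git mv` to `Physical Security.md` plus an update of any README links to it would fit in here.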


+28 -0 Draft/Policy-Compliance.md

@ -8,6 +8,21 @@
* [Miscellaneous](#misc)
* [Papers](#papers)
### <a name="General"></a>General
[The Red Book: A Roadmap for Systems Security Research](http://www.red-book.eu/m/documents/syssec_red_book.pdf)
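Review bot: the `General` anchor is `<a name="General">` with a capital G while the neighbouring anchors (`#misc`, `#papers`, `talks`) are lowercase; fragment identifiers are case-sensitive, so a TOC entry written as `#general` will not land on it. Use lowercase here for consistency.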
@ -18,6 +33,16 @@
* [SP 1800-8b: Approach, Architecture, and Security Characteristics ](https://nccoe.nist.gov/publication/draft/1800-8/VolB/)
* [SP 1800-8c: How-To Guides](https://nccoe.nist.gov/publication/draft/1800-8/VolC/)
[SP 800-115: Technical Guide to Information Security Testing and Assessment](https://csrc.nist.gov/publications/detail/sp/800-115/final)
* The purpose of this document is to assist organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use.
[Security Assessment Guidelines for Financial Institutions](https://www.sans.org/reading-room/whitepapers/auditing/security-assessment-guidelines-financial-institutions-993)
[Information Security Risk Assessment Guidelines - mass.gov](http://www.mass.gov/anf/research-and-tech/cyber-security/security-for-state-employees/risk-assessment/risk-assessment-guideline.html)
### <a name="talks"></a>Talks & Presentations
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
@ -28,4 +53,7 @@
[The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures](http://web.stanford.edu/class/cs259d/readings/Infrastructure.pdf)
[An Overview of Threat and Risk Assessment](https://www.sans.org/reading-room/whitepapers/auditing/overview-threat-risk-assessment-76)

+54 -43 Draft/Privilege Escalation & Post-Exploitation.md

@ -38,13 +38,6 @@
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating
[Windows Security Center: Fooling WMI Consumers](https://www.opswat.com/blog/windows-security-center-fooling-wmi-consumers)
[Shim Database Talks](http://sdb.tools/talks.html)
[Hiding Files by Exploiting Spaces in Windows Paths](http://blakhal0.blogspot.com/2012/08/hiding-files-by-exploiting-spaces-in.html)
[The Art of Becoming TrustedInstaller](https://tyranidslair.blogspot.co.uk/2017/08/the-art-of-becoming-trustedinstaller.html)
* There's many ways of getting the TI token other than these 3 techniques. For example as Vincent Yiu pointed out on Twitter if you've got easy access to a system token, say using Metasploit's getsystem command you can impersonate system and then open the TI token, it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser where you can specify an set of additional groups to apply to a service token. Finally if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
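Review bot: `https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating` is a bare URL with no `[title](url)` wrapper, unlike every other entry in the file; give it a title such as `Linux Post-Exploitation Command List - mubix`. `Shim Database Talks` and `Hiding Files by Exploiting Spaces in Windows Paths` appear again in later hunks of this file, so if this hunk removes them it is a move; confirm the TrustedInstaller entry and its quoted paragraph are kept somewhere too rather than dropped with the cull.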
@ -54,11 +47,11 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Decrypting IIS Passwords to Break Out of the DMZ: Part 1 ](https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-1/)
* [Decrypting IIS Passwords to Break Out of the DMZ: Part 2](https://blog.netspi.com/decrypting-iis-passwords-to-break-out-of-the-dmz-part-2/)
[Evading Autoruns Kyle Hanslovan Chris Bisnett - DerbyCon 7](https://www.youtube.com/watch?v=AEmuhCwFL5I&app=desktop)
[Untethered initroot (USENIX WOOT '17)](https://alephsecurity.com/2017/08/30/untethered-initroot/)
[The Travelling Pentester: Diaries of the Shortest Path to Compromise](https://www.slideshare.net/harmj0y/the-travelling-pentester-diaries-of-the-shortest-path-to-compromise)
#### end sort
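Review bot: `Evading Autoruns Kyle Hanslovan Chris Bisnett - DerbyCon 7` and `The Travelling Pentester: Diaries of the Shortest Path to Compromise` both appear again in the `+90` and `+211` hunks below; fine if this hunk removes them, but verify the `#### end sort` copies are gone in the final file so neither is listed twice.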
@ -97,7 +90,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Requiem For An Admin, Walter Legowski (@SadProcessor) - BSides Amsterdam 2017](https://www.youtube.com/watch?v=uMg18TvLAcE&index=3&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* Orchestrating BloodHound and Empire for Automated AD Post-Exploitation. Lateral Movement and Privilege Escalation are two of the main steps in the Active Directory attacker kill- chain. Applying the 'assume breach' mentality, more and more companies are asking for red-teaming type of assessments, and security researcher have therefor developed a wide range of open-source tools to assist them during these engagements. Out of these, two have quickly gained a solid reputation: PowerShell Empire and BloodHound (Both by @Harmj0y & ex-ATD Crew). In this Session, I will be presenting DogStrike, a new tool (PowerShell Modules) made to interface Empire & BloodHound, allowing penetration testers to merge their Empire infrastructure into the bloodhound graph database. Doing so allows the operator to request a bloodhound path that is 'Agent Aware', and makes it possible to automate the entire kill chain, from initial foothold to DA - or any desired part of an attacker's routine. Presentation will be demo-driven. Code for the module will be made public after the presentation. Automation of Active Directory post-exploitation is going to happen sooner than you might think. (Other tools are being released with the same goal*). Is it a good thing? Is it a bad thing? If I do not run out of time, I would like to finish the presentation by opening the discussion with the audience and see what the consequences of automated post- exploitation could mean, from the red, the blue or any other point of view... *: DeathStar by @Byt3Bl33d3r | GoFetch by @TalTheMaor.
[Evading Autoruns Kyle Hanslovan Chris Bisnett - DerbyCon 7](https://www.youtube.com/watch?v=AEmuhCwFL5I&app=desktop)
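Review bot: the Requiem For An Admin abstract has `security researcher have therefor developed` (should be `researchers have therefore`) and `kill- chain` / `post- exploitation` with stray spaces after the hyphen; tidy these while the line is being re-added. `Evading Autoruns` closes the hunk with no description bullet while the entry above carries a full abstract; a one-line summary would keep the section consistent.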
@ -218,7 +211,9 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
* [Slides](https://www.blackhat.com/docs/us-14/materials/us-14-Kallenberg-Extreme-Privilege-Escalation-On-Windows8-UEFI-Systems.pdf)
* Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
[The Travelling Pentester: Diaries of the Shortest Path to Compromise](https://www.slideshare.net/harmj0y/the-travelling-pentester-diaries-of-the-shortest-path-to-compromise)
[Windows Privilege Escalation - Riyaz Walikar](https://www.slideshare.net/riyazwalikar/windows-privilege-escalation)
@ -248,6 +243,12 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
----------------
### <a name="powershell-stuff">Powershell Things</a>
[Empire](https://github.com/EmpireProject/Empire)
* Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. It is the merge of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premeiered at HackMiami 2016.
[Koadic](https://github.com/zerosum0x0/koadic)
* Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. The major difference is that Koadic does most of its operations using Windows Script Host (a.k.a. JScript/VBScript), with compatibility in the core to support a default installation of Windows 2000 with no service packs (and potentially even versions of NT4) all the way through Windows 10.
[Get-Help: An Intro to PowerShell and How to Use it for Evil - Jared Haight](https://www.psattack.com/presentations/get-help-an-intro-to-powershell-and-how-to-use-it-for-evil/)
[PowerOPS: PowerShell for Offensive Operations](https://labs.portcullis.co.uk/blog/powerops-powershell-for-offensive-operations/)
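Review bot: `Koadic` says of itself that it does most of its work through Windows Script Host (JScript/VBScript), so it does not belong under `### Powershell Things`; a general post-exploitation framework list fits it better. The Empire description also has `premeiered` for `premiered`, and `cryptologically-secure` should read `cryptographically-secure`.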
@ -262,6 +263,12 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell/tree/master)
[ps1-toolkit](https://github.com/vysec/ps1-toolkit)
* This is a set of PowerShell scripts that are used by many penetration testers released by multiple leading professionals. This is simply a collection of scripts that are prepared and obfuscated to reduce level of detectability and to slow down incident response from understanding the actions performed by an attacker.
@ -558,6 +565,8 @@ Finding your external IP:
[Shimming for Post Exploitation(blog)](http://www.sdb.tools/)
[Hiding Files by Exploiting Spaces in Windows Paths](http://blakhal0.blogspot.com/2012/08/hiding-files-by-exploiting-spaces-in.html)
------------
### <a name="ad"></a>Active Directory
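Review bot: `[Shimming for Post Exploitation(blog)]` is missing a space before `(blog)`. A `#### Shims` sub-heading is added later in this same file, so this entry reads better there than just above `### Active Directory`; `Hiding Files by Exploiting Spaces in Windows Paths` is an anti-forensics post and would sit more naturally next to the persistence material than here.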
@ -627,6 +636,12 @@ Finding your external IP:
[pywerview](https://github.com/the-useless-one/pywerview)
* A (partial) Python rewriting of PowerSploit's PowerView
[BloodHound](https://github.com/BloodHoundAD/BloodHound)
* BloodHound is a single page Javascript web application, built on top of Linkurious, compiled with Electron, with a Neo4j database fed by a PowerShell ingestor. BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Attackers can use BloodHound to easily identify highly complex attack paths that would otherwise be impossible to quickly identify. Defenders can use BloodHound to identify and eliminate those same attack paths. Both blue and red teams can use BloodHound to easily gain a deeper understanding of privilege relationships in an Active Directory environment.
[ANGRYPUPPY](https://github.com/vysec/ANGRYPUPPY)
* Bloodhound Attack Path Execution for Cobalt Strike
[GoFetch](https://github.com/GoFetchAD/GoFetch)
* GoFetch is a tool to automatically exercise an attack plan generated by the BloodHound application. GoFetch first loads a path of local admin users and computers generated by BloodHound and converts it to its own attack plan format. Once the attack plan is ready, GoFetch advances towards the destination according to plan step by step, by successively applying remote code execution techniques and compromising credentials with Mimikatz.
@ -822,7 +837,6 @@ Finding your external IP:
---------------
### <a name="persistence">Persistence Techniques</a>
[List of low-level attacks/persistence techniques. HIGHLY RECOMMENDED!](http://timeglider.com/timeline/5ca2daa6078caaf4)
[An Introduction to Backdooring Operating Systems for Fun and trolling - Defcon22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Nemus%20-%20An%20Introduction%20to%20Back%20Dooring%20Operating%20Systems%20for%20Fun%20and%20Trolling%20-%20Video%20and%20Slides.m4v)
@ -830,51 +844,53 @@ Finding your external IP:
### <a name="winpersist">Windows Persistence</a>
[Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
[Windows Event Log Driven Back Doors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
#### Blogposts/Writeups
[Thousand ways to backdoor a Windows domain (forest)](http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html)
[Using Alternate Data Streams to Persist on a Compromised Machine](https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/)
[Windows Firewall Hook Enumeration](https://www.nccgroup.com/en/blog/2015/01/windows-firewall-hook-enumeration/)
* We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
[Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
[NTFS Alternate Data Streams for pentesters (part 1)](https://labs.portcullis.co.uk/blog/ntfs-alternate-data-streams-for-pentesters-part-1/)
[Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
[Using Alternate Data Streams to Persist on a Compromised Machine](https://enigma0x3.wordpress.com/2015/03/05/using-alternate-data-streams-to-persist-on-a-compromised-machine/)
[Windows Registry Persistence, Part 2: The Run Keys and Search-Order](http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order)
[WPAD Persistence](http://room362.com/post/2016/wpad-persistence/)
[Temporal Persistence with bitsadmin and schtasks](http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
#### Registry
[Windows Event Log Driven Back Doors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
[Windows Registry Attacks: Knowledge Is the Best Defense](https://www.redcanary.com/blog/windows-registry-attacks-threat-detection/)
[COM Object hijacking: the discreet way of persistence](https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html)
[Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
[Thousand ways to backdoor a Windows domain (forest)](http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html)
[Windows Registry Persistence, Part 2: The Run Keys and Search-Order](http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order)
[Windows Firewall Hook Enumeration](https://www.nccgroup.com/en/blog/2015/01/windows-firewall-hook-enumeration/)
* We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
[List of autorun keys / malware persistence Windows registry entries](https://www.peerlyst.com/posts/list-of-autorun-keys-malware-persistence-windows-registry-entries-benjamin-infosec)
[NTFS Alternate Data Streams for pentesters (part 1)](https://labs.portcullis.co.uk/blog/ntfs-alternate-data-streams-for-pentesters-part-1/)
[Windows Event Log Driven Backdoors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
#### Scheduled Tasks/Startup/COM Object Hijacking
[WPAD Persistence](http://room362.com/post/2016/wpad-persistence/)
[Userland Persistence with Scheduled Tasks and COM Handler Hijacking](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)
[Script Task](https://docs.microsoft.com/en-us/sql/integration-services/control-flow/script-task)
* Persistence Via MSSQL
[Userland Persistence with Scheduled Tasks and COM Handler Hijacking](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)
[SYSTEM Context Persistence in GPO Startup Scripts](https://cybersyndicates.com/2016/01/system-context-persistence-in-gpo-startup/)
[Post Exploitation Persistence With Application Shims (Intro)](http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/)
[COM Object hijacking: the discreet way of persistence](https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html)
[SYSTEM Context Persistence in GPO Startup Scripts](https://cybersyndicates.com/2016/01/system-context-persistence-in-gpo-startup/)
[Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
[Windows Registry Persistence, Part 2: The Run Keys and Search-Order](https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order)
[Temporal Persistence with bitsadmin and schtasks](http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
[Windows Registry Attacks: Knowledge Is the Best Defense](https://www.redcanary.com/blog/windows-registry-attacks-threat-detection/)
[List of autorun keys / malware persistence Windows registry entries](https://www.peerlyst.com/posts/list-of-autorun-keys-malware-persistence-windows-registry-entries-benjamin-infosec)
#### Shims
[Post Exploitation Persistence With Application Shims (Intro)](http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/)
[Shim Database Talks](http://sdb.tools/talks.html)
[Userland Persistence with Scheduled Tasks and COM Handler Hijacking](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)
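Review bot: the new sub-headings help, but several entries are filed under the wrong one or appear more than once: `Userland Persistence with Scheduled Tasks and COM Handler Hijacking` is listed twice under `#### Scheduled Tasks/Startup/COM Object Hijacking` and again under `#### Shims`; `Windows Registry Persistence, Part 2` appears under both `#### Registry` and `#### Scheduled Tasks...` (one http, one https URL); `Windows Event Log Driven Back Doors` (twice under `#### Registry`, once above `#### Blogposts/Writeups`) and `Thousand ways to backdoor a Windows domain (forest)` are not registry topics; and `SYSTEM Context Persistence in GPO Startup Scripts` is listed twice in the scheduled-tasks block. Keep one https copy of each, leave the Shims block to the two shim entries, and move the domain and event-log posts back to `#### Blogposts/Writeups`. The `Script Task` entry labelled `Persistence Via MSSQL` links to the SQL Server Integration Services docs page; saying in the bullet that the persistence is through SSIS packages would make the entry clearer.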
@ -891,15 +907,6 @@ Finding your external IP:
* JSRAT is a Simple JS Reverse Shell over HTTP for Windows.
````
How to start a hidden process?
Start-Process -WindowStyle hidden -FilePath “path-to-exe-to-be-hidden”
````
Startup folder on Win8
* C:\Users\YOURUSER\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
### <a name="linpersist">Linux Persistence</a>
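Review bot: if the `Start-Process -WindowStyle hidden -FilePath “path-to-exe-to-be-hidden”` snippet is kept, replace the curly quotes with straight `"` so it pastes cleanly into a console; the path under `Startup folder on Win8` is the per-user Startup folder on Windows 7 and later, not only Windows 8, so the label is narrower than it needs to be.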
@ -1023,6 +1030,10 @@ Startup folder on Win8
[Whitelist Evasion revisited](https://khr0x40sh.wordpress.com/2015/05/27/whitelist-evasion-revisited/)
[VMware Escape Exploit](https://github.com/unamer/vmware_escape)
* VMware Escape Exploit before VMware WorkStation 12.5.5
[Breaking out of secured Python environments](http://tomforb.es/breaking-out-of-secured-python-environments)


+7 -4 Draft/Programming - Languages Libs Courses References.md

@ -33,16 +33,15 @@ http://en.cppreference.com/w/c
* 6. How did that ever work?
[x86 Call/Return Protocol](http://pages.cs.wisc.edu/~remzi/Classes/354/Fall2012/Handouts/Handout-CallReturn.pdf)
[Diving deep into Python – the not-so-obvious language parts](http://sebastianraschka.com/Articles/2014_deep_python.html)
[Alamofire](https://github.com/Alamofire/Alamofire)
* Alamofire is an HTTP networking library written in Swift.
[plog](https://github.com/SergiusTheBest/plog)
* Portable, simple and extensible C++ logging library
[SafeSQL](https://github.com/stripe/safesql)
* SafeSQL is a static analysis tool for Go that protects against SQL injections.
#### End Cull
@ -635,7 +634,11 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
----------
### SQL
[SafeSQL](https://github.com/stripe/safesql)
* SafeSQL is a static analysis tool for Go that protects against SQL injections.


+106 -14 Draft/Red-Teaming.md

@ -17,13 +17,6 @@
### Sort
[PowerLurk](https://github.com/Sw4mpf0x/PowerLurk)
* PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement.
* [Creeping on Users with WMI Events: Introducing PowerLurk](https://pentestarmoury.com/2016/07/13/151/)
#### End sort
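Review bot: the PowerLurk description has `Subsriptions` for `Subscriptions`; the `-17,13 +17,6` counts suggest this hunk only removes the entry from `### Sort`, so fix the typo wherever it is re-added.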
@ -40,6 +33,8 @@
--------------
### <a name="general"></a>General
[Red Team - Wikipedia](https://en.m.wikipedia.org/wiki/Red_team)
[Common Ground Part 1: Red Team History & Overview](https://www.sixdub.net/?p=705)
[Red Teaming Tips - Vincent Yiu](https://threatintel.eu/2017/06/03/red-teaming-tips-by-vincent-yiu/)
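Review bot: `[Red Team - Wikipedia](https://en.m.wikipedia.org/wiki/Red_team)` points at the mobile site; use `https://en.wikipedia.org/wiki/Red_team` so desktop readers are not served the mobile layout.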
@ -50,11 +45,22 @@
* Wiki to collect Red Team infrastructure hardening resources
* Accompanying Presentation: [Doomsday Preppers: Fortifying Your Red Team Infrastructure](https://speakerdeck.com/rvrsh3ll/doomsday-preppers-fortifying-your-red-team-infrastructure)
[Target Analysis - Wikipedia](https://en.wikipedia.org/wiki/Target_analysis)
[Center of Gravity Analysis - Dale C. Eikmeier](http://www.au.af.mil/au/awc/awcgate/milreview/eikmeier.pdf)
* Center of Gravity: A system's source of power to act.
[A Tradecraft Primer: Structured Analytic Techniques for Improving Intelligence Analysis - USGov 2009](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/Tradecraft%20Primer-apr09.pdf)
--------------
### <a name="talks"></a>Talks/Videos
[Full Contact Recon int0x80 of Dual Core savant - Derbycon7](https://www.youtube.com/watch?v=XBqmvpzrNfs)
[Stupid RedTeamer Tricks - Laurent Desaulniers](https://www.youtube.com/watch?v=2g_8oHM0nwA&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=11)
[Abusing Webhooks for Command and Control - Dimitry Snezhkov](https://www.youtube.com/watch?v=1d3QCA2cR8o&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=12)
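Review bot: `Full Contact Recon int0x80 of Dual Core savant - Derbycon7` runs the title and speakers together; the other talk entries in this section separate them with ` - `, so `Full Contact Recon - int0x80 of Dual Core, savant - Derbycon7` would match. `Center of Gravity Analysis` and the CIA tradecraft primer are intelligence-analysis references rather than talks; if `### <a name="talks"></a>Talks/Videos` is meant to hold only videos, they belong in `### General` just above.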
@ -87,7 +93,8 @@
[The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals - Richard Thieme](https://www.youtube.com/watch?v=0MzcPBAj88A&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt. Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
[Modern Evasion Techniques Jason Lang - Derbycon7](https://www.irongeek.com/i.php?page=videos/derbycon7/t110-modern-evasion-techniques-jason-lang)
* As pentesters, we are often in need of working around security controls. In this talk, we will reveal ways that we bypass in-line network defenses, spam filters (in line and cloud based), as well as current endpoint solutions. Some techniques are old, some are new, but all work in helping to get a foothold established. Defenders: might want to come to this one.
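Review bot: this `Modern Evasion Techniques Jason Lang - Derbycon7` entry and its abstract are also added to Phishing.md in the same commit; cross-listing is fine in a link collection if intended, otherwise keep it in one place so future edits to the abstract do not drift apart.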
@ -128,6 +135,35 @@
[Offensive Encrypted Data Storage (DPAPI edition)](https://posts.specterops.io/offensive-encrypted-data-storage-dpapi-edition-adda90e212ab)
[LinkedInt: A LinkedIn scraper for reconnaissance during adversary simulation](https://github.com/mdsecactivebreach/LinkedInt)
[10 Red Teaming Lessons Learned over 20 Years](https://redteamjournal.com/2015/10/10-red-teaming-lessons-learned-over-20-years/)
[Goodbye OODA Loop](http://armedforcesjournal.com/goodbye-ooda-loop/)
[Preparing for the War of the Future in the Wake of Defeat: The Evolution of German Strategic Thought, 1919 - 1935 - Mark Shannon](https://www.ciaonet.org/attachments/25573/uploads)
[Red team versus blue team: How to run an effective simulation - CSOonline](https://www.csoonline.com/article/2122440/disaster-recovery/emergency-preparedness-red-team-versus-blue-team-how-to-run-an-effective-simulation.html)
[Red Teaming and the Adversarial Mindset: Have a Plan, Backup Plan and Escape Plan - ITS](https://www.itstactical.com/digicom/security/red-teaming-and-the-adversarial-mindset-have-a-plan-backup-plan-and-escape-plan/)
--------------
### Red Team Experience Writeups
[Red Teams - Facebook Experiences Writeup - Ryan McGeehan](https://medium.com/starting-up-security/red-teams-6faa8d95f602)
[Red Teaming: Using Cutting-Edge Threat Simulation to Harden the Microsoft Enterprise Cloud](https://azure.microsoft.com/en-us/blog/red-teaming-using-cutting-edge-threat-simulation-to-harden-the-microsoft-enterprise-cloud/)
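Review bot: the new "### Red Team Experience Writeups" heading has no `<a name="..."></a>` anchor, unlike the other section headings in this file (for example `### <a name="front"></a>Domain Fronting`), so it cannot be linked from the TOC; suggest `### <a name="experience"></a>Red Team Experience Writeups` (anchor name assumed) and a matching TOC entry.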
@ -146,6 +182,40 @@
[Software Distribution Malware Infection Vector](https://dl.packetstormsecurity.net/papers/general/Software.Distribution.Malware.Infection.Vector.pdf)
[Red Teaming Guide - UK Ministry of Defense](https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/142533/20130301_red_teaming_ed2.pdf)
[Red Team Handbook(2012) - University of Foreign Military And Cultural studies](http://www.au.af.mil/au/awc/awcgate/army/ufmcs_red_team_handbook_apr2012.pdf)
[The Applied Critical Thinking Handbook(2015) - University of Foreign Military And Cultural studies](http://usacac.army.mil/sites/default/files/documents/ufmcs/The_Applied_Critical_Thinking_Handbook_v7.0.pdf)
[Red Teaming of Advanced Information Assurance Concepts - Bradley Wood, Ruth Duggan](http://cs.uccs.edu/~gsc/pub/master/sjelinek/doc/research/red.pdf)
[A GUIDE TO RED TEAMING - NATO](http://www.act.nato.int/images/stories/events/2011/cde/rr_ukdcdc.pdf)
[Reflections from a Red Team Leader - Susan Craig](http://usacac.army.mil/CAC2/MilitaryReview/Archives/English/MilitaryReview_20070430_art011.pdf)
[Cyber Red Teaming Organisational, technical and legal implications in a military context - NATO](https://ccdcoe.org/sites/default/files/multimedia/pdf/Cyber_Red_Team.pdf)
[TRADITIONS IN MILITARY-STRATEGIC THOUGHT IN GERMANY AND THE PROBLEM OF DETERRENCE - 1989 - Detlef Bald](http://www.mgfa.de/html/einsatzunterstuetzung/downloads/ap018englisch.pdf?PHPSESSID=931748af0e86616800373655acaf2902)
[Red teaming - A Short Introduction (1.0) June 2009 - Mark Mateski](https://redteamjournal.com/papers/A%20Short%20Introduction%20to%20Red%20Teaming%20(1dot0).pdf)
[Modeling and Simulation of Red Teaming - Part 1: Why Red Team M&S? - Michael J Skroch](https://redteamjournal.com/wp-content/uploads/2009/12/msrt0.3-2nov2009-sand2009-7215J.pdf)
[Moving Forward with Computational Red Teaming - Scott Wheeler - Australian DoD](http://www.dtic.mil/dtic/tr/fulltext/u2/a569437.pdf)
[Force Protection and Suicide Bombers: The Necessity for Two Types of Canadian Military Red Teams](http://www.journal.forces.gc.ca/vol12/no4/page35-eng.asp)
--------------
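Review bot: the mgfa.de link for "TRADITIONS IN MILITARY-STRATEGIC THOUGHT..." carries a `?PHPSESSID=...` session parameter that is specific to one browsing session and will not remain valid; strip the query string and keep only `http://www.mgfa.de/html/einsatzunterstuetzung/downloads/ap018englisch.pdf`. The same block mixes all-caps titles ("A GUIDE TO RED TEAMING - NATO") with title case and has "Red Team Handbook(2012)" missing a space before the parenthesis.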
@ -222,8 +292,21 @@
--------------
## Tactics
[DumpsterFire](https://github.com/TryCatchHCF/DumpsterFire)
* [Slides](https://github.com/TryCatchHCF/DumpsterFire/raw/master/CactusCon_2017_Presentation/DumpsterFire_CactusCon_2017_Slides.pdf)
* The DumpsterFire Toolset is a modular, menu-driven, cross-platform tool for building repeatable, time-delayed, distributed security events. Easily create custom event chains for Blue Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Turn paper tabletop exercises into controlled "live fire" range events. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
[PowerLurk](https://github.com/Sw4mpf0x/PowerLurk)
* PowerLurk is a PowerShell toolset for building malicious WMI Event Subsriptions. The goal is to make WMI events easier to fire off during a penetration test or red team engagement.
* [Creeping on Users with WMI Events: Introducing PowerLurk](https://pentestarmoury.com/2016/07/13/151/)
[Windows Security Center: Fooling WMI Consumers](https://www.opswat.com/blog/windows-security-center-fooling-wmi-consumers)
-----------
### <a name="front"></a>Domain Fronting
[FindFrontableDomains](https://github.com/rvrsh3ll/FindFrontableDomains)
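Review bot: typo in the PowerLurk description, "WMI Event Subsriptions" should be "WMI Event Subscriptions". The "Windows Security Center: Fooling WMI Consumers" entry is the only one in this block without a one-line description; adding one would keep the Tactics list consistent.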
@ -241,7 +324,6 @@
--------------
### <a name="egress"></a>Egress
#### Talks
@ -266,6 +348,11 @@
[Data Sound Modulation POC](https://github.com/iiamit/data-sound-poc)
------------------
#### Writeups
[Egressing Bluecoat with CobaltStike & Let's Encrypt](https://cybersyndicates.com/2016/12/egressing-bluecoat-with-cobaltstike-letsencrypt/)
@ -282,7 +369,7 @@
--------------
### <a name="persistence"></a>Persistence
[Staying Persistent in Software Defined Networks](https://www.blackhat.com/docs/us-15/materials/us-15-Pickett-Staying-Persistent-In-Software-Defined-Networks-wp.pdf)
@ -293,8 +380,13 @@
* This script walks thread stacks of Event Log Service process (spesific svchost.exe) and identify Event Log Threads to kill Event Log Service Threads. So the system will not be able to collect logs and at the same time the Event Log Service will appear to be running.
--------------
### Code Injection
#### Code Injection
[injectAllTheThings](https://github.com/fdiskyou/injectAllTheThings/)
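Review bot: "### Code Injection" immediately followed by "#### Code Injection" is a duplicated heading at two levels; keep one of them (the other persistence/egress sections use a single `### <a name="..."></a>` heading). Also in the Event Log script description, "spesific svchost.exe" should be "specific svchost.exe" and "identify" should be "identifies".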
@ -328,7 +420,7 @@ Domain Reputation Sites
[AIX for Penetration Testers 2017 thevivi.net](https://thevivi.net/2017/03/19/aix-for-penetration-testers/)
[Penetration Testing Trends John Strand - Derbycon6](https://www.youtube.com/watch?v=QyxdUe1iMNk)


+ 5
- 4
Draft/Reverse Engineering.md View File

@ -50,11 +50,10 @@ https://www.hex-rays.com/products/ida/tech/flirt/in_depth.shtml
[mammon_'s tales to his grandson](https://mammon.github.io/tales/)
[Unicorn-Engine](http://www.unicorn-engine.org/)
* Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
[Reversing Prince Harming’s Kiss of Death]( https://reverse.put.as/2015/07/01/reversing-prince-harmings-kiss-of-death/)
[Hacking travel routers like it’s 1999](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Mikhail-Sosonkin-Hacking-Travel-Routers-Like-1999.pdf)
https://objective-see.com/
[Bytecode Club - RE Forum](https://the.bytecode.club/)
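Review bot: the "Reversing Prince Harming's Kiss of Death" link has a leading space inside the URL parentheses (`]( https://...`), which some markdown renderers treat as a broken link; remove the space. The bare `https://objective-see.com/` line has no title, unlike every other entry here.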
@ -64,7 +63,6 @@ https://objective-see.com/
[PNG File Format](http://fileformats.archiveteam.org/wiki/PNG)
[Microsoft.Diagnostics.Runtime.dll(CLR MD)](https://github.com/Microsoft/clrmd)
* Microsoft.Diagnostics.Runtime.dll (nicknamed "CLR MD") is a process and crash dump introspection library. This allows you to write tools and debugger plugins which can do thing similar to SOS and PSSCOR.
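Review bot: typo in the CLR MD description, "can do thing similar to SOS and PSSCOR" should read "can do things similar to SOS and PSSCOR".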
@ -79,6 +77,9 @@ https://objective-see.com/
[pegasus - Windbg extension DLL for emulation](https://github.com/0a777h/pegasus)
* Windbg emulation plugin
[Unicorn-Engine](http://www.unicorn-engine.org/)
* Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
### End sort
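Review bot: the Unicorn-Engine entry (with the identical description line) appears both in the hunk at `@ -50,11 +50,10` and in this hunk at `@ -79,6 +77,9`; the file-level count (+5 -4) suggests a move rather than a copy, but please confirm that only one copy of the entry remains in the file after the change.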


+ 21
- 0
Draft/SCADA.md View File

@ -48,6 +48,8 @@
------------------------
### <a name="talks"></a>Talks/Presentations
#### Attacking
[SCADA Strangelove or: How I Learned to Start Worrying and Love Nuclear Plants](https://www.youtube.com/watch?v=o2r7jbwTv6w)
* Modern civilization unconditionally depends on information systems. It is paradoxical but true that ICS/SCADA systems are the most insecure systems in the world. From network to application, SCADA is full of configuration issues and vulnerabilities. During our report, we will demonstrate how to obtain full access to a plant via:
* a sniffer and a packet generator; FTP and Telnet; Metasploit and oslq; a webserver and a browser;
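Review bot: the sub-bullet under "SCADA Strangelove" ends mid-list with a trailing semicolon ("...a webserver and a browser;"), so the quoted abstract looks truncated; either complete the list from the talk abstract or end it with a period. "oslq" also looks like a misspelling, but I cannot tell the intended tool name from the visible lines.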
@ -70,6 +72,19 @@
[Hacking Mainframes; Vulnerabilities in applications exposed over TN3270 - Dominic White](http://www.irongeek.com/i.php?page=videos/derbycon4/t217-hacking-mainframes-vulnerabilities-in-applications-exposed-over-tn3270-dominic-white)
* IBM System Z Mainframes are in regular use in Fortune 500 companies. Far from being legacy these systems are running an actively maintained operating system (z/OS). Applications on these often occupy roles critical to the business processes they underpin, with much of the later technology built around them, rather than replacing them. However, these systems are often bypassed by security testing due to worried of availability or assumptions about legacy. This talk will introduce you to assessing mainframe applications, which turn out to be quite similar to web applications. For this purpose we built a tool, Big Iron Recon & Pwnage (BIRP), to assist with performing such assessments. Importantly, our research uncovered a family of mainframe application vulnerabilities introduced by the TN3270 protocol. We found numerous applications, but not all, vulnerable to these flaws. Applications running within the two most popular transaction managers (CICS and IMS) as well as one of IBM’s own applications. The tool released assists with the exploitation of these flaws.
[Rocking the pocket book: Hacking chemical plants for competition and extortion](https://www.youtube.com/watch?v=lsY3bkMI-90)
[Adventures in Attacking Wind Farm Control Networks - Jason Stagg](https://www.blackhat.com/docs/us-17/wednesday/us-17-Staggs-Adventures-In-Attacking-Wind-Farm-Control-Networks.pdf)
#### Learning
[Serial Communication RS232 & RS485](https://www.youtube.com/watch?v=2DQdEHvnqvI)
[How Ethernet TCP/IP is Used by Industrial Protocols](https://www.youtube.com/watch?v=DL_zIjhCEpU)
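Review bot: the author on the wind farm entry is given as "Jason Stagg" while the linked filename reads `us-17-Staggs-...`, so the name is most likely "Jason Staggs"; please check against the Black Hat listing. In the mainframe abstract, "due to worried of availability" should be "due to worries about availability".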
@ -94,8 +109,14 @@
--------------------
### <a name="tools"></a>Tools
[python-opcua](https://github.com/FreeOpcUa/python-opcua/blob/master/README.md)
* OPC UA binary protocol implementation is quasi complete and has been tested against many different OPC UA stacks. API offers both a low level interface to send and receive all UA defined structures and high level classes allowing to write a server or a client in a few lines. It is easy to mix high level objects and low level UA calls in one application.


+ 6
- 0
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -36,6 +36,12 @@
[Debugging Functions - msdn](https://msdn.microsoft.com/en-us/library/windows/desktop/ms679303.aspx)
[Authenticode - MSDN](https://msdn.microsoft.com/en-us/library/ms537359(v=vs.85).aspx)
* Microsoft Authenticode, which is based on industry standards, allows developers to include information about themselves and their code with their programs through the use of digital signatures.
[Security Configuration Wizard](https://technet.microsoft.com/en-us/library/cc754997(v=ws.11).aspx)
* The Security Configuration Wizard (SCW) guides you through the process of creating, editing, applying, or rolling back a security policy. A security policy that you create with SCW is an .xml file that, when applied, configures services, network security, specific registry values, and audit policy. SCW is a role-based tool: you can use it to create a policy that enables services, firewall rules, and settings that are required for a selected server to perform specific roles, such as a file server, a print server, or a domain controller.
#### End Sort


+ 120
- 24
Draft/Web & Browsers.md View File

@ -11,6 +11,7 @@ Web TOC
* [Different Typs of Web Based Attacks](#difatk)
* [Abuse of Functionality](#abuse)
* [Brute Force Fuzzing](#brute)
* [Attacking Continous Integration Systems](#ci)
* [Cross-Site-Request Forgery](#csrf)
* [De/Encoders](#encode)
* [Data Structure Attacks](#dsa)
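Review bot: typo in the new TOC entry, "Attacking Continous Integration Systems" should be "Attacking Continuous Integration Systems" (the pre-existing "Different Typs of Web Based Attacks" has the same kind of typo, "Types"). The entry links to `#ci`, so the corresponding section heading needs an `<a name="ci"></a>` anchor for the link to resolve.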
@ -63,10 +64,10 @@ Clickjacking attacks
[sonar.js](https://thehackerblog.com/sonar-a-framework-for-scanning-and-exploiting-internal-hosts-with-a-webpage/)
* A Framework for Scanning and Exploiting Internal Hosts With a Webpage
[Discover DevTools](https://www.codeschool.com/courses/discover-devtools)
* Learn how Chrome DevTools can sharpen your dev process and discover the tools that can optimize your workflow and make life easier.
[ABUSING CERTIFICATE TRANSPARENCY OR HOW TO HACK WEB APPLICATIONS BEFORE INSTALLATION - Hanno Bock](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-Hanno-Boeck-Abusing-Certificate-Transparency-Logs.pdf)
[Exploiting CVE-2017-8759: SOAP WSDL Parser Code Injection](https://www.mdsec.co.uk/2017/09/exploiting-cve-2017-8759-soap-wsdl-parser-code-injection/)
#### End Sort
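Review bot: the linked Hanno Böck slides (`DEFCON-25-Hanno-Boeck-...`) are credited as "Hanno Bock"; suggest "Hanno Böck" or at least "Hanno Boeck" to match the speaker's name. The title is also the only all-caps title in this block.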
@ -114,6 +115,8 @@ https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
[Big List of Naughty Strings](https://github.com/minimaxir/big-list-of-naughty-strings)
* The Big List of Naughty Strings is an evolving list of strings which have a high probability of causing issues when used as user-input data. This is intended for use in helping both automated and manual QA testing; useful for whenever your QA engineer walks into a bar.
[Discover DevTools](https://www.codeschool.com/courses/discover-devtools)
* Learn how Chrome DevTools can sharpen your dev process and discover the tools that can optimize your workflow and make life easier.
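Review bot: the "Discover DevTools" entry and its description line appear both in the hunk at `@ -63,10 +64,10` and here at `@ -114,6 +115,8`; if the earlier copy is being removed this is a move, otherwise the entry is now duplicated. Please confirm one copy remains.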
@ -185,6 +188,15 @@ https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
[DOM Based Angular Sandbox Escapes by Gareth Heyes - BSides Manchester2017](https://www.youtube.com/watch?v=jlSI5aVTEIg&index=16&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
[Popular Approaches to Preventing Code Injection Attacks are Dangerously Wrong - AppSecUSA 2017](https://www.youtube.com/watch?v=GjK0bB4K2zA&app=desktop)
[Web Application testing approach and cheating to win Jim McMurry Lee Neely Chelle Clements - Derbycon7](https://www.youtube.com/watch?v=Z8ZAv_EN-9M)
[Abusing Webhooks for Command and Control - Dimitry Snezhkov - BSides LV 2017](https://www.youtube.com/watch?v=TmLoTrJuung)
* [octohook](https://github.com/dsnezhkov/octohook)
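Review bot: the "Abusing Webhooks for Command and Control - Dimitry Snezhkov" talk is added in this same commit to Red-Teaming.md (hunk at `@ -87,7 +93,8` area, `https://www.youtube.com/watch?v=1d3QCA2cR8o&list=...`) with a different video URL than the BSides LV one used here; consider pointing both entries at the same recording, or noting that they are different recordings of the talk.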
@ -273,6 +285,21 @@ Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for f
### Attacking Continous Integration Systems
[cider - Continuous Integration and Deployment Exploiter](https://github.com/spaceB0x/cider)
* CIDER is a framework written in node js that aims to harness the functions necessary for exploiting Continuous Integration (CI) systems and their related infrastructure and build chain (eg. Travis-CI, Drone, Circle-CI). Most of the exploits in CIDER exploit CI build systems through open GitHub repositories via malicious Pull Requests. It is built modularly to encourage contributions, so more exploits, attack surfaces, and build chain services will be integrated in the future.
[Rotten Apple](https://github.com/claudijd/rotten_apple)
* A tool for testing continuous integration (CI) or continuous delivery (CD) system security
[Exploiting Continuous Integration (CI) and Automated Build Systems - spaceb0x](https://media.defcon.org/DEF%20CON%2025/DEF%20CON%2025%20presentations/DEFCON-25-spaceB0x-Exploiting-Continuous-Integration.pdf)
-------------------
#### <a name="csrf"></a>Cross Site Request Forgery (CSRF)
[Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)
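Review bot: the new "### Attacking Continous Integration Systems" heading is misspelled ("Continuous"), uses three hashes while the neighbouring subsection uses four (`#### <a name="csrf"></a>Cross Site Request Forgery (CSRF)`), and lacks the `<a name="ci"></a>` anchor that the TOC entry `(#ci)` added in the hunk at `@ -11,6 +11,7` relies on; suggest `#### <a name="ci"></a>Attacking Continuous Integration Systems`.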
@ -300,6 +327,14 @@ Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for f
[EXPLOITING XXE IN FILE UPLOAD FUNCTIONALITY](https://www.blackhat.com/docs/us-15/materials/us-15-Vandevanter-Exploiting-XXE-Vulnerabilities-In-File-Parsing-Functionality.pdf)
[Hunting in the Dark - Blind XXE](https://blog.zsec.uk/blind-xxe-learning/)
[Security Implications of DTD Attacks Against a Wide Range of XML Parsers](https://www.nds.rub.de/media/nds/arbeiten/2015/11/04/spaeth-dtd_attacks.pdf)
[Comma Separated Vulnerabilities](https://www.contextis.com/blog/comma-separated-vulnerabilities)
-------------------
@ -487,6 +522,7 @@ Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for f
[MongoDB: Typical Security Weaknesses in a NoSQL DB](http://blog.spiderlabs.com/2013/03/mongodb-security-weaknesses-in-a-typical-nosql-database.html)
[MongoDB Pentesting for Absolute Beginners](https://github.com/nixawk/pentest-wiki/blob/master/2.Vulnerability-Assessment/Database-Assessment/mongodb/MongoDB%20Pentesting%20for%20Absolute%20Beginners.pdf)
#### PostgreSQL
@ -516,6 +552,7 @@ Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for f
[What is Server Side Request Forgery (SSRF)?](https://www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/)
[SSRF (Server Side Request Forgery) testing resources](https://github.com/cujanovic/SSRF-Testing/)
--------------------
@ -575,7 +612,12 @@ Advanced Flash Vulnerabilities in Youtube Writeups Series
[timing_attack](https://github.com/ffleming/timing_attack)
* Perform timing attacks against web applications
[Race conditions on the web ](https://www.josipfranjkovic.com/blog/race-conditions-on-web)
[Practical Race Condition Vulnerabilities in Web Applications](https://defuse.ca/race-conditions-in-web-applications.htm)
[Race condition exploit](https://github.com/andresriancho/race-condition-exploit)
* Tool to help with the exploitation of web application race conditions
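Review bot: the link text "[Race conditions on the web ]" has a trailing space before the closing bracket; remove it so the rendered link text is clean.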
@ -668,6 +710,10 @@ Advanced Flash Vulnerabilities in Youtube Writeups Series
[Shuriken](https://github.com/shogunlab/shuriken)
* Cross-Site Scripting (XSS) command line tool for testing lists of XSS payloads on web apps.
#### Writeups
@ -749,6 +795,8 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
----------------
### <a name="html5">HTML 5</a>
@ -774,26 +822,53 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
--------------
### <a name="php"></a>PHP
[Is PHP unserialize() exploitable without any 'interesting' methods? - StackOverflow](https://security.stackexchange.com/questions/77549/is-php-unserialize-exploitable-without-any-interesting-methods)
[Browser Security Whitepaper - Cure53](https://cure53.de/browser-security-whitepaper.pdf/)
[Remote code execution via PHP [Unserialize] - notsosecure](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/)
[OWASP Proactive Controls 3.0](https://docs.google.com/document/d/1bQKisfXQ2XRwkcUaTvVTR7bpzVgbwIhDA1O6hUbywiY/mobilebasic)
[PHP Magic Tricks: Type Juggling](https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf)
[Php Codz Hacking](https://github.com/80vul/phpcodz)
* Writeups of specific PHP vulns
[Browser Security Whitepaper - Cure53](https://cure53.de/browser-security-whitepaper.pdf/)
[OWASP Proactive Controls 3.0](https://docs.google.com/document/d/1bQKisfXQ2XRwkcUaTvVTR7bpzVgbwIhDA1O6hUbywiY/mobilebasic)
#### Code Reuse
[The ReflectionClass class](https://secure.php.net/ReflectionClass)
[Autoloading Classes](http://www.php.net/language.oop5.autoload)
[PHP Autoload Invalid Classname Injection](https://hakre.wordpress.com/2013/02/10/php-autoload-invalid-classname-injection/)
[Writing Exploits For Exotic Bug Classes: PHP Type Juggling](https://turbochaos.blogspot.com.au/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
[Code Reuse Attacks in PHP: Automated POP Chain Generation](https://www.syssec.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf)
* In this paper, we study code reuse attacks in the con- text of PHP-based web applications. We analyze how PHP object injection (POI) vulnerabilities can be exploited via property-oriented programming (POP) and perform a systematic analysis of available gadgets in common PHP applications. Furthermore, we introduce an automated approach to statically detect POI vulnerabilities in object-oriented PHP code. Our approach is also capable of generating POP chains in an automated way. We implemented a prototype of the proposed approach and evaluated it with 10 well-known applications. Overall, we detected 30 new POI vulnerabilities and 28 new gadget chains
[PHP’s “Magic Hash” Vulnerability (Or Beware Of Type Juggling)](https://web.archive.org/web/20150530075600/http://blog.astrumfutura.com/2015/05/phps-magic-hash-vulnerability-or-beware-of-type-juggling)
[Utilizing Code Reuse/ROP in PHP Application Exploits - BH 2010](https://www.owasp.org/images/9/9e/Utilizing-Code-Reuse-Or-Return-Oriented-Programming-In-PHP-Application-Exploits.pdf)
[POP-Exploit](https://github.com/enddo/POP-Exploit)
* Research into Property Oriented Programming about php applications.
#### De/Serialization
[serialize - php](http://us3.php.net/serialize)
[unserialize - php](https://secure.php.net/unserialize)
[PHP Object Injection](https://www.owasp.org/index.php/PHP_Object_Injection)
[Writing Exploits For Exotic Bug Classes: unserialize()](https://www.alertlogic.com/blog/writing-exploits-for-exotic-bug-classes-unserialize()/)
[Php Codz Hacking](https://github.com/80vul/phpcodz)
* Writeups of specific PHP vulns
[Is PHP unserialize() exploitable without any 'interesting' methods? - StackOverflow](https://security.stackexchange.com/questions/77549/is-php-unserialize-exploitable-without-any-interesting-methods)
[Remote code execution via PHP [Unserialize] - notsosecure](https://www.notsosecure.com/remote-code-execution-via-php-unserialize/)
#### Type Juggling
[Writing Exploits For Exotic Bug Classes: PHP Type Juggling](https://turbochaos.blogspot.com.au/2013/08/exploiting-exotic-bugs-php-type-juggling.html)
[PHP Magic Tricks: Type Juggling](https://www.owasp.org/images/6/6b/PHPMagicTricks-TypeJuggling.pdf)
[PHP’s “Magic Hash” Vulnerability (Or Beware Of Type Juggling)](https://web.archive.org/web/20150530075600/http://blog.astrumfutura.com/2015/05/phps-magic-hash-vulnerability-or-beware-of-type-juggling)
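Review bot: "Browser Security Whitepaper - Cure53" and "OWASP Proactive Controls 3.0" are not PHP resources but sit under the PHP heading in both the old and the reorganized listing; move them to the general web or browser section. In the "Code Reuse Attacks in PHP" abstract, "con- text" is a copy-paste hyphenation artifact that should read "context", and the sentence ends without a period.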
@ -801,11 +876,10 @@ Joomla! is probably the most widely-used CMS out there due to its flexibility, u
----------------
### <a name="rest"></a>REST & Web Services
### <a name="rest"></a>REST & Web Services(WSDL)
[REST Security Cheat Sheet](REST Security Cheat Sheet)
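Review bot: `[REST Security Cheat Sheet](REST Security Cheat Sheet)` has the title repeated as the link target, so it renders as a dead link; replace the parenthesised part with the actual cheat sheet URL (not visible in this diff, so I cannot supply it).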