
More cleanup

pull/8/head
root 6 years ago
parent
commit
05331ca92b
16 changed files with 256 additions and 116 deletions
  1. +7 -0  Draft/Attacking Defending Android -.md
  2. +5 -2  Draft/Attacking Defending iOS -.md
  3. +95 -46  Draft/Embedded Device & Hardware Hacking -.md
  4. +39 -31  Draft/Exploit Development.md
  5. +5 -4  Draft/Forensics Incident Response.md
  6. +10 -1  Draft/Fuzzing Bug Hunting.md
  7. +6 -1  Draft/Game Hacking.md
  8. +17 -6  Draft/Interesting Things Useful stuff.md
  9. +4 -1  Draft/Malware.md
  10. +12 -1  Draft/Network Attacks & Defenses.md
  11. +4 -1  Draft/Programming - Languages Libs Courses References.md
  12. +19 -5  Draft/Reverse Engineering.md
  13. +7 -0  Draft/Social Engineering.md
  14. +4 -6  Draft/System Internals Windows and Linux Internals Reference.md
  15. +8 -1  Draft/Web & Browsers.md
  16. +14 -10  Draft/Wireless Networks & RF.md

+ 7
- 0
Draft/Attacking Defending Android -.md

@ -38,6 +38,8 @@ Cull
### Cull/Sort
[Dex Education 201 - Anti-Emulation.pdf](https://github.com/strazzere/anti-emulator/blob/master/slides/Dex%20Education%20201%20-%20Anti-Emulation.pdf)
https://github.com/ucsb-seclab/baredroid
[Stunneller](https://github.com/ultramancool/Stunneler)
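Review bot: the new Stunneler entry's link text reads `Stunneller` while the URL path is `ultramancool/Stunneler`; use the project's own spelling for both. The bare `https://github.com/ucsb-seclab/baredroid` line above it has neither a title nor the one-line description the surrounding entries carry, so give it the `[title](url)` form used elsewhere in this list.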
@ -292,6 +294,10 @@ Check the Encryption section of the overall guide for more information.
[Android apps in sheep's clothing](http://www.modzero.ch/modlog/archives/2015/04/01/android_apps_in_sheeps_clothing/index.html)
* We identified a security weakness in Android's approach of handling UI elements, circumventing parts of Android's sandboxing approach. While this attack is simple from a technical point of view, the impact of exploiting such a vulnerability is significant. It affects Android based devices as well as Blackberry mobile devices running the Android runtime environment.
### **<a name="Write">Write-ups</a>**
| Title | Link |
| -------- | ------------------------ |
@ -300,6 +306,7 @@ Check the Encryption section of the overall guide for more information.
| **Understanding the Android bytecode** - Writeup on reversing/understanding Android Bytecode| https://mariokmk.github.io/programming/2015/03/06/learning-android-bytecode.html
| **ClockLockingBeats** - Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads |https://github.com/monk-dot/ClockLockingBeats
[Hacking Android phone. How deep the rabbit hole goes.](https://hackernoon.com/hacking-android-phone-how-deep-the-rabbit-hole-goes-18b62ad65727#.txib8od0m)
[Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)
[Android Pattern Lock Cracker](https://github.com/sch3m4/androidpatternlock)
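Review bot: the three link lines after the `ClockLockingBeats` row sit directly under the markdown table with no blank line, so renderers that continue a table until a blank line will absorb them as malformed rows; add a blank line after the last table row (and close the rows with a trailing `|` to match the header).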


+ 5
- 2
Draft/Attacking Defending iOS -.md

@ -30,8 +30,7 @@
[iOSRE](https://github.com/kpwn/iOSRE)
* The aim of this project is to provide useful and updated tools and knowledge on iOS reverse engineering and exploitation. This is an ongoing effort, and still in a very new stage.
### <a name="harden">List of Hardening Guides for iOS</a>
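Review bot: the iOSRE link and its blurb appear here at line 30 and again under Training & Tutorials in the next hunk; if the intent is a move, make sure this copy is removed rather than left as a duplicate.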
@ -58,6 +57,10 @@
### <a name="train">Training & Tutorials</a>
[iOSRE](https://github.com/kpwn/iOSRE)
* The aim of this project is to provide useful and updated tools and knowledge on iOS reverse engineering and exploitation. This is an ongoing effort, and still in a very new stage.
| Title | Link |
| -------- | ------------------------ |
| **Bypassing SSL Cert Pinning in iOS** | http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html
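Review bot: the table header starts immediately after the iOSRE bullet with no blank line, so the list and the table may run together when rendered; add a blank line before `| Title | Link |`, and close the `Bypassing SSL Cert Pinning` row with a trailing `|` like the header.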


+ 95
- 46
Draft/Embedded Device & Hardware Hacking -.md

@ -8,13 +8,14 @@ Cull
* [General](#general)
* [Attacking Routers](#routers)
* [Cable Modem Hacking](#modem)
* [Educational](#education)
* [Educational/Information on things you wouldn't find in a Dictionary](#education)
* [Flash Memory](#flash)
* [Internet of Things](#iot)
* [General Tools(S/W & H/W)](#gentools)
* [General Hardware Hacking](#generalhw)
* [Miscellaneous](#misc)
* [PCI](#PCI)
* [USB](#USB)
* [PenTest Dropboxes](#dropbox)
* [Teensy/Rubberducky Style Attack Tools](#teensy)
* [SD Cards](#sdcard)
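Review bot: the TOC anchors `#PCI` and `#USB` do not match the section anchors added later in this commit, which are `<a name="pci">` and `<a name="USB">` / `<a name="usb">`; fragment matching is case-sensitive, so use one lowercase spelling in both the TOC and the headings.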
@ -27,92 +28,77 @@ Cull
###General
[NSA Playset](http://www.nsaplayset.org/)
* In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
###Cull
#### To Sort
http://www.sp3ctr3.me/hardware-security-resources/
https://www.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack
http://greatscottgadgets.com/infiltrate2013/
#### end sort
[Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](www.engr.uconn.edu/~tehrani/teaching/hst/)
###General
https://github.com/ufrisk/pcileech
[Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack)
[Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](www.engr.uconn.edu/~tehrani/teaching/hst/)
https://www.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack
[NSA Playset](http://www.nsaplayset.org/)
* In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
[USBProxy](https://github.com/dominicgs/USBProxy)
* A USB man in the middle device using USB On-The-Go, libUSB and gadgetFS
[Chip & PIN is Definitely Broken - Defcon 19](https://www.youtube.com/watch?v=JABJlvrZWbY)
[Hacking the PS Vita](http://yifan.lu/2015/06/21/hacking-the-ps-vita/)
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
[Chip & PIN is Definitely Broken - Defcon 19](https://www.youtube.com/watch?v=JABJlvrZWbY)
[Multiplexed Wired Attack Surfaces - Michael Ossmann & Kos - Toorcon15](https://www.youtube.com/watch?v=4QB79921Nlw)
* Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.
Chameleon Mini
* [Chameleon: A Versatile Emulator for Contactless Smartcards - Paper](https://www.ei.rub.de/media/crypto/veroeffentlichungen/2011/11/16/chameleon.pdf)
* [Milking the Digital Cash Cow [29c3] Video Presentation](https://www.youtube.com/watch?v=Y1o2ST03O8I)
* [ChameleonMini Hardware](https://github.com/emsec/ChameleonMini/wiki)
[Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)
[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](https://www.youtube.com/watch?v=h777lF6xjs4)
[Introduction to Trusted Execution Environments - Steven J. Murdoch](https://www.cl.cam.ac.uk/~sjm217/talks/rhul14tee.pdf)
[U-Boot -- the Universal Boot Loader](http://www.denx.de/wiki/U-Boot)
* Very popular on embedded devices open source bootloader for linux
* [Manual/Documentation](http://www.denx.de/wiki/DULG/Manual)
[Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)
[Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
* Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.
###<a name="routers">Attacking Routers</a>
[Multiplexed Wired Attack Surfaces - Michael Ossmann & Kos - Toorcon15](https://www.youtube.com/watch?v=4QB79921Nlw)
* Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.
[More on HNAP - What is it, How to Use it, How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
[Router Post-Exploitation Framework](https://github.com/mncoppola/rpef
* Abstracts and expedites the process of backdooring stock firmware images for consumer/SOHO routers.
http://greatscottgadgets.com/infiltrate2013/
[ASUS Router infosvr UDP Broadcast root Command Execution](https://github.com/jduck/asus-cmd)
http://blog.ptsecurity.com/2014/12/4g-security-hacking-usb-modem-and-sim.html
[Unpacking Firmware images from cable modems](http://w00tsec.blogspot.com.br/2013/11/unpacking-firmware-images-from-cable.html0
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
[Hacking the D-Link DIR-890L](http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/)
#####TR-069
[I Hunt TR-069 Admins - Pwning ISPs Like a Boss - Defcon 22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Shahar%20Tal%20-%20I%20Hunt%20TR%20-%20069%20Admins%20-%20Pwning%20ISPs%20Like%20a%20Boss%20-%20Video%20and%20Slides.m4v)
* [Related to TR-069](http://blog.3slabs.com/2012/12/a-brief-survey-of-cwmp-security.html)
[Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html)
###<a name="routers">Attacking Routers</a>
[More on HNAP - What is it, How to Use it, How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
TR-069
[I Hunt TR-069 Admins - Pwning ISPs Like a Boss - Defcon 22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Shahar%20Tal%20-%20I%20Hunt%20TR%20-%20069%20Admins%20-%20Pwning%20ISPs%20Like%20a%20Boss%20-%20Video%20and%20Slides.m4v)
* [Related to TR-069](http://blog.3slabs.com/2012/12/a-brief-survey-of-cwmp-security.html)
[Router Post-Exploitation Framework](https://github.com/mncoppola/rpef
* Abstracts and expedites the process of backdooring stock firmware images for consumer/SOHO routers.
[ASUS Router infosvr UDP Broadcast root Command Execution](https://github.com/jduck/asus-cmd)
[Unpacking Firmware images from cable modems](http://w00tsec.blogspot.com.br/2013/11/unpacking-firmware-images-from-cable.html0
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
[Hacking the D-Link DIR-890L](http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/)
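Review bot: two link lines are malformed and will render as literal text: `[Router Post-Exploitation Framework](https://github.com/mncoppola/rpef` is missing its closing `)`, and `...unpacking-firmware-images-from-cable.html0` has `0` where `)` belongs. `[Hardware Security and Trust...](www.engr.uconn.edu/...)` has no scheme and will resolve as a relative link, so prefix `http://`. The hunk also leaves `###General` as a heading twice (once above the Cull block and once below it) and keeps `###<a name="routers">Attacking Routers</a>` in both the old and the new position; check that only one copy of each survives.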
@ -127,6 +113,15 @@ TR-069
###<a name="education">Educational</a>
[Hardware Hacking for Software People](http://dontstuffbeansupyournose.com/2011/08/25/hardware-hacking-for-software-people/)
@ -147,6 +142,12 @@ TR-069
[Common methods of H/W hacking](https://www.sparkfun.com/news/1314)
[Modbus Protocol Overview](https://www.lammertbies.nl/comm/info/modbus.html)
@ -156,6 +157,12 @@ TR-069
###<a name="iot">Internet of Things</a>
[Smart Nest Thermostat A Smart Spy in Your Home](https://www.youtube.com/watch?v=UFQ9AYMee_Q)
@ -209,16 +216,38 @@ TR-069
[Learn how to send an SMS text message in Python by pushing a button on your Arduino!](http://juliahgrace.com/intro-hardware-hacking-arduino.html)
[U-Boot -- the Universal Boot Loader](http://www.denx.de/wiki/U-Boot)
* Very popular on embedded devices open source bootloader for linux
* [Manual/Documentation](http://www.denx.de/wiki/DULG/Manual)
##1#<a name="pci">PCI</a>
###<a name="pci">PCI</a>
[Inception](https://github.com/carmaa/inception)
* Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces. Inception aims to provide a relatively quick, stable and easy way of performing intrusive and non-intrusive memory hacks against live computers using DMA.
[Stupid PCIe Tricks featuring NSA Playset: PCIe](https://www.youtube.com/watch?v=Zwz61uVxiM0)
[PCILeech](https://github.com/ufrisk/pcileech)
* The PCILeech use the USB3380 chip in order to read from and write to the memory of a target system. This is achieved by using DMA over PCI Express. No drivers are needed on the target system. The USB3380 is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. Reading 8GB of memory from the target system take around one (1) minute. The PCILeech hardware is connected with USB3 to a controlling computer running the PCILeech program. PCILeech is also capable of inserting a wide range of kernel modules into the targeted kernels - allowing for pulling and pushing files, remove the logon password requirement, loading unsigned drivers, executing code and spawn system shells. The software is written in visual studio and runs on Windows 7/Windows 10. Supported target systems are currently the x64 versions of: Linux, FreeBSD, macOS and Windows.
###<a name="USB">USB</a>
[USBProxy](https://github.com/dominicgs/USBProxy)
* A USB man in the middle device using USB On-The-Go, libUSB and gadgetFS
[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](https://www.youtube.com/watch?v=h777lF6xjs4)
###<a name="dropbox">Pentesting Drop Boxes</a>
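Review bot: the `##1#<a name="pci">PCI</a>` typo is corrected to `###`, but the PCILeech entry added here duplicates the bare `https://github.com/ufrisk/pcileech` URL kept under General in the earlier hunk; drop the bare URL now that a titled entry with a description exists.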
@ -269,6 +298,17 @@ https://github.com/pwnieexpress/raspberry_pwn
[DRIVE IT YOURSELF: USB CAR](http://www.linuxvoice.com/drive-it-yourself-usb-car-6/)
* Reversing USB and writing USB Drivers for an RC car.
[Debug Probes - J-Link and J-Trace](https://www.segger.com/jlink-debug-probes.html)
[Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html)
###<a name="usb">USB</a>
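Review bot: `###<a name="usb">USB</a>` here is a second USB heading; the previous hunk already adds `###<a name="USB">USB</a>` with the USBProxy and USB host-driver fuzzer entries. Merge the two sections under one heading and one anchor spelling, and add a blank line before the heading so it does not butt against the preceding link.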
@ -318,6 +358,14 @@ BadUSB
[Introduction to Smart Card Security](http://resources.infosecinstitute.com/introduction-smartcard-security/)
Chameleon Mini
* [Chameleon: A Versatile Emulator for Contactless Smartcards - Paper](https://www.ei.rub.de/media/crypto/veroeffentlichungen/2011/11/16/chameleon.pdf)
* [Milking the Digital Cash Cow [29c3] Video Presentation](https://www.youtube.com/watch?v=Y1o2ST03O8I)
* [ChameleonMini Hardware](https://github.com/emsec/ChameleonMini/wiki)
[Hacking a USB Modem & SIM](http://blog.ptsecurity.com/2014/12/4g-security-hacking-usb-modem-and-sim.html)
###<a name="papers">Papers</a>
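Review bot: `Chameleon Mini` is a plain-text line rather than a link or heading, so it renders as a stray paragraph above its three sub-bullets; make it a link (the ChameleonMini wiki is already among the sub-bullets) or a bold title consistent with the other entries.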
@ -335,9 +383,10 @@ Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
[Flipping Bits in Memory Without Accessing Them: An Experimental Study of DRAM Disturbance Errors](https://www.ece.cmu.edu/~safari/pubs/kim-isca14.pdf)
* Abstract. Memory isolation is a key property of a reliable and secure computing system — an access to one memory ad- dress should not have unintended side e ects on data stored in other addresses. However, as DRAM process technology scales down to smaller dimensions, it becomes more di  cult to prevent DRAM cells from electrically interacting with each other. In this paper, we expose the vulnerability of commodity DRAM chips to disturbance errors. By reading from the same address in DRAM, we show that it is possible to corrupt data in nearby addresses. More specifically, activating the same row in DRAM corrupts data in nearby rows. We demonstrate this phenomenon on Intel and AMD systems using a malicious program that generates many DRAM accesses. We induce errors in most DRAM modules (110 out of 129) from three major DRAM manufacturers. From this we conclude that many deployed systems are likely to be at risk. We identify the root cause of disturbance errors as the repeated toggling of a DRAM row’s wordline, which stresses inter-cell coupling e ects that accelerate charge leakage from nearby rows. We provide an extensive characterization study of disturbance errors and their behavior using an FPGA-based testing plat- form. Among our key findings, we show that (i) it takes as few as 139K accesses to induce an error and (ii) up to one in every 1.7K cells is susceptible to errors. After examining var- ious potential ways of addressing the problem, we propose a low-overhead solution to prevent the errors.
[Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
* Software Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.
[Introduction to Trusted Execution Environments - Steven J. Murdoch](https://www.cl.cam.ac.uk/~sjm217/talks/rhul14tee.pdf)
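Review bot: the Rowhammer abstract carries PDF copy artefacts in both hunk versions: `ad- dress`, `side e ects`, `di  cult`, `e ects`, `plat- form`, `var- ious` (dropped `ff`/`ffi` ligatures and hyphenated line breaks), and the SFI abstract has `work- loads`; since these lines are being touched anyway, restore `address`, `side effects`, `difficult`, `effects`, `platform`, `various`, `workloads`.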


+ 39
- 31
Draft/Exploit Development.md

@ -63,6 +63,14 @@ TOC
https://repo.zenk-security.com/Reversing%20.%20cracking/Bypassing%20SEHOP.pdf
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
[The Chakra Exploit and the Limitations of Modern Mitigation Techniques](https://www.endgame.com/blog/chakra-exploit-and-limitations-modern-mitigation-techniques)
*
http://xcon.xfocus.org/XCon2004/archives/14_Reliable%20Windows%20Heap%20Exploits_BY_SHOK.pdf
[SideStep](https://github.com/codewatchorg/SideStep)
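Review bot: the `*` line under the Chakra Exploit entry is an empty bullet; either add the one-line description the other entries carry or delete the line.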
@ -83,6 +91,9 @@ http://www.ptsecurity.com/download/defeating-xpsp2-heap-protection.pdf
https://blog.coresecurity.com/2016/06/28/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects/
[Embedding reverse shell in .lnk file or Old horse attacks](http://onready.me/old_horse_attacks.html)
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/
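Review bot: the coresecurity MS16-039 and nccgroup "writing exploits for Win32 systems from scratch" entries are bare URLs between titled links; give them the `[title](url)` form so the list stays consistent.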
@ -90,7 +101,7 @@ https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writi
* A PEDA replacement. In the spirit of our good friend windbg, pwndbg is pronounced pwnd-bag.
* Uses capstone as backend.
[Introduction to Return Oriented Programming (ROP) - ketansingh.net](https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/)
[Differential Slicing: Identifying Causal Execution Diffe
rences for
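Review bot: the `[Differential Slicing: Identifying Causal Execution Diffe` / `rences for` entry is split mid-word across two lines and the link markup never closes; join it onto one line with its URL.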
@ -128,8 +139,8 @@ https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/
[Attacking the XNU Kernel For Fun And Profit – Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by Apple’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[Attacking the XNU Kernel For Fun And Profit – Part 1](http://blog.qwertyoruiop.com/?p=38)
* This blog post is part of a series of posts in which I will discuss several techniques to own XNU, the kernel used by AppleÂ’s OS X and iOS. My focus will be on heap-based attacks, such as heap overflows, double frees, use-after-frees and zone confusion.
[Advanced PDF Tricks - Ange Albertini, Kurt Pfeifle - [TROOPERS15]](https://www.youtube.com/watch?v=k9g9jZdjRcE)
[Debugging Windows kernel under VMWare using IDA's GDB debugger](https://cyberview.files.wordpress.com/2010/09/gdb_vmware_winkernel.pdf)
[Pandora's Cash Box - The Ghost under your POS - RECON2015](https://recon.cx/2015/slides/recon2015-17-nitay-artenstein-shift-reduce-Pandora-s-Cash-Box-The-Ghost-Under-Your-POS.pdf)
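Review bot: of the two `Attacking the XNU Kernel` lines, one side has `AppleÂ’s`, a double-encoded `’`; make sure the line that survives is the one with the plain `’` (or an ASCII apostrophe). The same pair pattern recurs in the Fun With Info-Leaks and EMET hunks below, so a one-off re-encoding of the file would be cleaner than fixing it line by line.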
@ -160,7 +171,7 @@ http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pd
Understanding JIT Spray
http://blog.cdleary.com/2011/08/understanding-jit-spray/
A Crash Course on the Depths of Win32™ Structured Exception Handling
A Crash Course on the Depths of Win32™ Structured Exception Handling
https://www.microsoft.com/msj/0197/exception/exception.aspx
Meterpreter Payload Stage 1 with Obsfuscation and Evasion
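Review bot: the two `Win32™ Structured Exception Handling` lines look identical, so the change is presumably in the encoding of `™`. This block also uses plain-text titles followed by bare URLs (`Understanding JIT Spray`, `A Crash Course...`) where the rest of the file uses `[title](url)`, and `Obsfuscation` in the Meterpreter line should be `Obfuscation`; worth converting and fixing while here.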
@ -236,9 +247,11 @@ This will allow you to transfer EIP control to a specified offset within a file
..* bin2py: Embed binary files into Python source code.
..* shellcode2exe: Convert shellcodes into executable files for multiple platforms.
[Writing Manual Shellcode by Hand](https://www.exploit-db.com/docs/17065.pdf)
[BMP / x86 Polyglot](https://warroom.securestate.com/bmp-x86-polyglot/)
[Writing Manual Shellcode by Hand](https://www.exploit-db.com/docs/17065.pdf)
#### end sort
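Review bot: `[Writing Manual Shellcode by Hand]` appears both above and below the BMP/x86 polyglot line; if this is a reorder, confirm only one copy remains. The `..*` prefix on the bin2py/shellcode2exe lines is not markdown nesting syntax and renders literally; indent them with spaces under the parent bullet instead.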
@ -410,6 +423,9 @@ I have tried to order the articles by technique and chronology.
###<a name="heap">Heap exploitation:</a>
------------------
* [how2heap - shellphish](https://github.com/shellphish/how2heap)
* * A repository for learning various heap exploitation techniques.
* [w00w00 on heap overflows, Matt Conover, 1999](http://w00w00.org/files/articles/heaptut.txt)
* [Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001](http://www.phrack.com/issues.html?issue=57&id=8)
* [Once upon a free(), anonymous author, 2001\(http://www.phrack.com/issues.html?issue=57&id=9)
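Review bot: `[Once upon a free(), anonymous author, 2001\(http://www.phrack.com/issues.html?issue=57&id=9)` uses `\(` instead of `](`, so the link is broken. The `* * A repository ...` line under how2heap relies on a nested-bullet trick rather than indentation, unlike the indented sub-bullets used elsewhere in the file.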
@ -502,7 +518,7 @@ I have tried to order the articles by technique and chronology.
* [Return-into-libc without Function Calls](cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes](cr0.org/paper/to-jt-linux-alsr-leak.pdf)
* [Fun With Info-Leaks(DEP+ASLR bypass)](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)/
..* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
..* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, itÂ’s quite nice what can be done with the bug.
* [Exploiting Buffer Overflows On Kernels With Aslr Enabled Using Brute Force On The Stack Layer](http://www.securitytube.net/video/273)
* [Bypassing The Linux Kernel Aslr And Exploiting A Buffer Overflow Vulnerable Application With Ret2esp](http://www.securitytube.net/video/178)
* This video tutorial illustrates how to exploit an application vulnerable to buffer overflow under a modern 2.6 Linux kernel with ASLR, bypassing stack layer randomization by search a jmp *%esp inside the executable file and forcing our program to jump there.
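Review bot: `(cseweb.ucsd.edu/~hovav/dist/geometry.pdf)` and `(cr0.org/paper/to-jt-linux-alsr-leak.pdf)` have no scheme and resolve as relative paths inside the repository; add `http://` or `https://`. The `Fun With Info-Leaks` link has a stray `/` after its closing `)`, and one side of its blurb pair carries the `itÂ’s` mojibake noted above.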
@ -587,11 +603,11 @@ Other:
[From fuzzing to 0-day](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
[SQL Injection to MIPS Overflows: Part Deux](https://s3.amazonaws.com/zcutlip_storage/SQL%20Injection%20to%20MIPS%20Overflows%20-%20Part%20Deux.pdf)
* This paper is a followup to a paper presented at BlackHat USA 2012, entitled “SQL Injec0ons to MIPS Overflows: Rooting SOHO Routers." That previous paper described how to combine SQL injection vulnerabili0es with MIPS Linux buffer overflows in order to gain root on Netgear SOHO routers. This paper revisits the “MiniDLNA” UPnP server that ships on nearly all Netgear routers in order to explore what has changed in the past two years.
* This paper is a followup to a paper presented at BlackHat USA 2012, entitled “SQL Injec0ons to MIPS Overflows: Rooting SOHO Routers." That previous paper described how to combine SQL injection vulnerabili0es with MIPS Linux buffer overflows in order to gain root on Netgear SOHO routers. This paper revisits the “MiniDLNA” UPnP server that ships on nearly all Netgear routers in order to explore what has changed in the past two years.
[Writing a stack-based overflow exploit in Ruby with the help of vulnserver.exe and Spike 2.9](https://cyberandspace.wordpress.com/category/kali-linux/)
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
[Smashing The Browser: From Vulnerability Discovery To Exploit](https://github.com/demi6od/Smashing_The_Browser)
* Goes from introducing a fuzzer to producing an IE11 0day
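Review bot: both versions of the MIPS Overflows blurb keep `Injec0ons` and `vulnerabili0es`, where the `ti` ligature was lost when copying from the PDF; restore `Injections` and `vulnerabilities`. The Belkin N750 entry is listed twice here and also appears in the Embedded Device file touched by this commit.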
@ -609,7 +625,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Defeating the Matasano C++ Challenge with ASLR enabled](http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/)
[Fun With Info-Leaks(DEP+ASLR bypass)](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)/
* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, itÂ’s quite nice what can be done with the bug.
[Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005](http://www.uninformed.org/?v=2&a=4&t=txt)
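Review bot: this `Fun With Info-Leaks` entry duplicates the one in the ASLR list earlier in the file (same URL and blurb, including the trailing `/`); keep one copy and reference it from the other section.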
@ -626,7 +642,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[Bypassing EMET’s EAF with custom shellcode using kernel pointer](https://www.greyhathacker.net/?p=483)
[Bypassing EMETÂ’s EAF with custom shellcode using kernel pointer](https://www.greyhathacker.net/?p=483)
[Bypassing EMET 4.1](http://labs.bromium.com/2014/02/24/bypassing-emet-4-1/)
* [Paper](https://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf)
@ -805,11 +821,12 @@ http://repo.palkeo.com/hacking/bas%20niveau/SEH%20overwrite.pdf
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
[Intel Pentium Instruction Set Reference (A)](http://faydoc.tripod.com/cpu/index_a.htm)
[Iczelion's Win32 Assembly Homepage](http://www.programminghorizon.com/win32assembly/)
[cgasm](https://github.com/bnagy/cgasm)
* cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced "SeekAzzem".
@ -864,7 +881,7 @@ MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever
* equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
[!exploitable Crash Analyzer](https://msecdbg.codeplex.com/)
* !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.
* !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.
[rp++](https://github.com/0vercl0k/rp)
* rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable ; I will upload static-compiled binaries for each OS.
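Review bot: `Additonally` (for `Additionally`) is present in both versions of the !exploitable blurb; fix it while the line is being touched.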
@ -925,7 +942,7 @@ Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push
* Binaries are files like any text file or a bitmap. They can be modified and changed.With some basic understanding of assembly language anyone can take a binary and modify its execution in a debugger and using a hex editor change how it executes. In this presentation I will cover the basics of binary manipulation and the use of debuggers to change program execution.
[OllyDbg](http://www.ollydbg.de/)
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* [OllyDbg Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
[GDB - GNU Debugger](https://www.gnu.org/software/gdb/)
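Review bot: the OllyDbg description line is replaced by a line that renders identically, so this hunk only changes invisible whitespace or encoding. If the intent is to normalise line endings or non-breaking spaces, say so in the commit message ("More cleanup" does not), otherwise reviewers cannot tell deliberate edits from editor noise.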
@ -990,7 +1007,7 @@ Metasploit
[Temporal Return Addresses ](http://uninformed.org/?v=all&a=9&t=sumry)
* Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit authors generally make use of static addresses that may or may not be portable between various operating system and application revisions. This fact can make exploits unreliable depending on how well researched the static addresses were at the time that the exploit was implemented. In some cases, though, it may be possible to predict and make use of certain addresses in memory that do not have static contents. This document introduces the concept of temporal addresses and describes how they can be used, under certain circumstances, to make exploitation more reliable.
[Modern Binary Attacks and Defences in the Windows Environment – Fighting Against Microsoft EMET in Seven Rounds](https://drive.google.com/file/d/0B6nX_hw9OjVyVXU1OW9LbHlVRWs/view?pli=1)
[Modern Binary Attacks and Defences in the Windows Environment – Fighting Against Microsoft EMET in Seven Rounds](https://drive.google.com/file/d/0B6nX_hw9OjVyVXU1OW9LbHlVRWs/view?pli=1)
[Reducing the Effective Entropy of GS Cookies](http://uninformed.org/?v=all&a=32&t=sumry)
* This paper describes a technique that can be used to reduce the effective entropy in a given GS cookie by roughly 15 bits. This reduction is made possible because GS uses a number of weak entropy sources that can, with varying degrees of accuracy, be calculated by an attacker. It is important to note, however, that the ability to calculate the values of these sources for an arbitrary cookie currently relies on an attacker having local access to the machine, such as through the local console or through terminal services. This effectively limits the use of this technique to stack-based local privilege escalation vulnerabilities. In addition to the general entropy reduction technique, this paper discusses the amount of effective entropy that exists in services that automatically start during system boot. It is hypothesized that these services may have more predictable states of entropy due to the relative consistency of the boot process. While the techniques described in this paper do not illustrate a complete break of GS, any inherent weakness can have disastrous consequences given that GS is a static, compile-time security solution. It is not possible to simply distribute a patch. Instead, applications must be recompiled to take advantage of any security improvements. In that vein, the paper proposes some solutions that could be applied to address the problems that are outlined.
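Review bot: the Modern Binary Attacks and Defences line is another replace-with-identical-text change. Since the line is being edited anyway, give the Google Drive link a one-line `*` summary like the Temporal Return Addresses and GS cookie entries on either side of it; a bare Drive share link tells the reader nothing about the content.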
@ -1033,7 +1050,7 @@ Metasploit
[Exploiting the DRAM rowhammer bug to gain kernel privileges](http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html)
* "Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.
* "Rowhammer” is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process.
When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
* [Program for testing for the DRAM "rowhammer" problem](https://github.com/google/rowhammer-test)
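Review bot: the second sentence of the rowhammer summary ("When run on a machine vulnerable to the rowhammer problem, ...") sits on an unbulleted line of its own, so it renders as a separate paragraph outside the `*` item; fold it into the bullet. The opening quote in `"Rowhammer”` also mixes a straight quote with a curly closing quote, in both the removed and the replacement line.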
@ -1047,7 +1064,7 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[Coding Malware for Fun and Not for Profit (Because that would be illegal)](http://www.malwaretech.com/2014/04/coding-malware-for-fun-and-not-for.html)
[Exploiting “BadIRET” vulnerability - CVE-2014-9322, Linux kernel privilege escalation](http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
[Exploiting “BadIRET” vulnerability - CVE-2014-9322, Linux kernel privilege escalation](http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
[The Userland Exploits of Pangu 8](http://blog.pangu.io/wp-content/uploads/2015/03/CanSecWest2015_Final.pdf)
@ -1057,12 +1074,12 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[A Technical Analysis of CVE 2014-1776](http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776)
[Project HeapBleed](http://census-labs.com/news/2014/11/27/project-heapbleed/)
* CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled “Project Heapbleed”, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort.
* CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled “Project Heapbleed”, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort.
[A Technical Analysis of CVE 2014-1776](http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776)
[Extreme Privelege Escalataion on Windows8 UEFI Systems](https://www.youtube.com/watch?v=UJp_rMwdyyI)
* [Slides](https://www.blackhat.com/docs/us-14/materials/us-14-Kallenberg-Extreme-Privilege-Escalation-On-Windows8-UEFI-Systems.pdf)
* Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
* Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flashÂ
[Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
[Smashing the Browser](https://github.com/demi6od/Smashing_The_Browser)
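Review bot: the replacement UEFI summary line corrupts the closing quotation mark: `SPI flash”` becomes `SPI flashÂ`, which is the mojibake left when a UTF-8 right double quote is re-encoded, so this hunk introduces an encoding error instead of cleaning one up. Restore the `”` and make sure the file is saved as UTF-8. Separately, [A Technical Analysis of CVE 2014-1776] appears twice in this hunk's context (once before Project HeapBleed and once after it); drop one copy.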
@ -1070,7 +1087,7 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
* Writeup: going from fuzzing to an IE11 0day exploit development
[Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques](http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf)
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payloadÂ’s URL and contents.
###<a name="findingvuln">Finding Vulnerabilities</a>
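Review bot: the same encoding damage appears in the Silverlight abstract: `payload’s` becomes `payloadÂ’s` in the replacement line. Revert this edit or re-save the line as UTF-8 so the apostrophe survives.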
@ -1099,13 +1116,4 @@ Finding and analyzing Crash dumps
###Online Resources
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.fi8ter8
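Review bot: the new ropshell line appends the string `fi8ter8` after the full stop, which reads as an accidental keystroke rather than content; the line should end at "gadgets." exactly as the removed line did.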

+ 5
- 4
Draft/Forensics Incident Response.md View File

@ -26,6 +26,9 @@ Better security - Mean time to detect/Mean time to respond
https://github.com/SekoiaLab/Fastir_Collector
http://www.sekoia.fr/blog/wp-content/uploads/2015/10/FastIR-Collector-on-advanced-threats_v1.4.pdf
[Fixing an Infected PHP/WordPress Web Server](https://cachecrew.com/fixing-infected-php-web-server/)
* Writeup of hunting an infection
[OS X Forensics Generals](https://davidkoepi.wordpress.com/category/os-x-forensics-10-8/)
[usbkill](https://github.com/stemid/usbkill)
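Review bot: the new [OS X Forensics Generals] entry has no description bullet while the [Fixing an Infected PHP/WordPress Web Server] entry added beside it does; add a one-line `*` summary. The two FastIR lines above are bare URLs, so wrapping them in the file's `[title](url)` convention (for example `[FastIR Collector](https://github.com/SekoiaLab/Fastir_Collector)`) would keep the section consistent.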
@ -39,10 +42,8 @@ http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/
https://sroberts.github.io/2016/01/11/introduction-to-dfir-the-beginning/
[MIG: Mozilla InvestiGator](https://http://mig.mozilla.org/)
* Mozilla's real-time digital forensics and investigation platform.
[OSX Lion User Interface Preservation Analysis](https://digital-forensics.sans.org/blog/2011/10/03/osx-lion-user-interface-preservation-analysis#)
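Review bot: the MIG link target `https://http://mig.mozilla.org/` has a doubled scheme and will not resolve; it should be `http://mig.mozilla.org/` (or the https form of the same host).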


+ 10
- 1
Draft/Fuzzing Bug Hunting.md View File

@ -16,13 +16,22 @@ TOC
####sort
[honggfuzz])(https://github.com/google/honggfuzz)
* Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw) http://google.github.io/honggfuzz/
[Google - AddressSanitizer, ThreadSanitizer, MemorySanitizer, LeaksSanitizer](https://github.com/google/sanitizers)
* This project is the home for Sanitizers: AddressSanitizer, MemorySanitizer, ThreadSanitizer, LeakSanitizer. The actual code resides in the LLVM repository. Here we keep extended documentation, bugs and some helper code.
#### end sort
###General Writeups
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* Is what it says on the tin.
[Advice From A Researcher: Hunting XXE For Fun and Profit](https://blog.bugcrowd.com/advice-from-a-researcher-xxe/)
[Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)
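Review bot: `[honggfuzz])(https://github.com/google/honggfuzz)` has a stray `)` between the link text and the URL, so Markdown will not render it as a link; it should read `[honggfuzz](https://github.com/google/honggfuzz)`. The AddressSanitizer entry added below it is fine.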


+ 6
- 1
Draft/Game Hacking.md View File

@ -7,8 +7,13 @@ PINCE is a gdb front-end/reverse engineering tool focused on games, but it can b
https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/
[Hacking the PS Vita](http://yifan.lu/2015/06/21/hacking-the-ps-vita/)
[ARM9Loader Technical Details - GBAtemp](https://gbatemp.net/threads/arm9loader-technical-details-and-discussion.408537/)
[Reverse Engineering Strike Commander](http://fabiensanglard.net/reverse_engineering_strike_commander/index.php)
[The Multibillion Dollar Industry That's Ignored](http://www.irongeek.com/i.php?page=videos/derbycon4/t204-the-multibillion-dollar-industry-thats-ignored-jason-montgomery-and-ryan-sevey
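Review bot: the gbatemp.net arm9loader thread is listed twice in this hunk, once as a bare URL and once as [ARM9Loader Technical Details - GBAtemp]; keep only the titled entry. The final [The Multibillion Dollar Industry That's Ignored] link is missing its closing `)`, which breaks the link and swallows whatever follows it.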

+ 17
- 6
Draft/Interesting Things Useful stuff.md View File

@ -1,11 +1,11 @@
##Interesting Things & Useful Stuff
TOC
Interesting & Useful Attacks
Interesting & Useful Papers
Interesting & Useful Projects
Interesting & Useful Software
Interesting & Useful Write-ups
* Interesting & Useful Attacks
* Interesting & Useful Papers
* Interesting & Useful Projects
* Interesting & Useful Software
* Interesting & Useful Write-ups
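Review bot: converting the TOC to a bullet list is fine, but the items are plain text rather than links; the section headings in these files use `<a name="...">` anchors (see the `###<a name="tools">Tools</a>` style elsewhere in this commit), so pointing each TOC item at its anchor would make the list navigable.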
@ -36,7 +36,13 @@ http://www.securitywizardry.com/radar.htm
###CULL
#### To Sort
[Internet Timeline](https://www.zakon.org/robert/internet/timeline/)
[wxHex Editor](http://www.wxhexeditor.org/home.php)
* wxHexEditor is another Free Hex Editor, build because there is no good hex editor for Linux system, specially for big files.
https://github.com/sasq64/chipmachine
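Review bot: the new wxHexEditor description has grammar problems: "build because there is no good hex editor for Linux system, specially for big files" should read "built because there is no good hex editor for Linux systems, especially for big files". If this is the project page's own wording, either quote it explicitly or paraphrase it.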
@ -225,6 +231,11 @@ http://datagenetics.com/blog/november12013/index.html
[ Playstation Portable Cracking [24c3]](https://www.youtube.com/watch?v=TgzxyO2QO1M)
###Interesting Attacks
[VM as injection payload ](http://infiltratecon.com/downloads/python_deflowered.pdf)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
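Review bot: `[VM as injection payload ]` has a trailing space inside the link text, and neither of the two entries added under Interesting Attacks has a description, whereas the surrounding entries in these files carry a one-line `*` summary; add one for each.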


+ 4
- 1
Draft/Malware.md View File

@ -29,6 +29,7 @@ https://motherboard.vice.com/read/preserving-the-ancient-art-of-getting-pwned
http://www.exposedbotnets.com/?m=0
#####END Sort
@ -46,7 +47,9 @@ http://www.exposedbotnets.com/?m=0
[Automating Removal of JS Obfuscators](http://www.contextis.com/resources/blog/automating-removal-java-obfuscation/)
* In this post we detail a method to improve analysis of Java code for a particular obfuscator, we document the process that was followed and demonstrate the results of automating our method. Obscurity will not stop an attacker and once the method is known, methodology can be developed to automate the process.
{DIY Android Malware Analysis with OBAD](http://securityintelligence.com/diy-android-malware-analysis-taking-apart-obad-part-1/)
[Malware Analysis 101 - N00b to Ninja in 60 Minutes at CactusCon on April 4, 2014](https://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-cactuscon-on-april-4-2014)
[DIY Android Malware Analysis with OBAD](http://securityintelligence.com/diy-android-malware-analysis-taking-apart-obad-part-1/)
[Cuckoo Sandbox Hardening(2013)](http://0xmalware.blogspot.com/2013/10/cuckoo-sandbox-hardening-virtualbox.html)
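Review bot: the bracket fix from `{DIY Android Malware Analysis with OBAD](...)` to `[DIY Android Malware Analysis with OBAD](...)` is correct, but the entry above it is mislabeled: the title says "Automating Removal of JS Obfuscators" while both the URL slug (`automating-removal-java-obfuscation`) and the description discuss Java obfuscation; rename the title to Java.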


+ 12
- 1
Draft/Network Attacks & Defenses.md View File

@ -20,8 +20,15 @@ TOC
#####To be sorted
[Simple domain fronting PoC with GAE C2 server](https://www.securityartwork.es/2017/01/31/simple-domain-fronting-poc-with-gae-c2-server/)
* In this entry we continue with domain fronting; on this occasion we will explore how to implement a simple PoC of a command and control and exfiltration server on Google App Engine (GAE), and we will see how to do the domain fronting from Windows, with a VBS or PowerShell script, to hide interactions with the C2 server.
[More on HNAP - What is it, How to Use it,How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
[Modbus interface tutorial](https://www.lammertbies.nl/comm/info/modbus.html)
[Post Exploitation Using netNTLM Downgrade attacks - Fishnet/Archive.org](https://web.archive.org/web/20131023064257/http://www.fishnetsecurity.com/6labs/blog/post-exploitation-using-netntlm-downgrade-attacks)
[iv-wrt](https://github.com/iv-wrt/iv-wrt)
* An Intentionally Vulnerable Router Firmware Distribution[
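Review bot: the iv-wrt description ends with a stray `[` (`Distribution[`), which opens an unclosed Markdown link; drop the bracket.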
@ -59,6 +66,7 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[Ditch PsExec, SprayWMI is here ;)](http://www.pentest.guru/index.php/2015/10/19/ditch-psexec-spraywmi-is-here/)
[Windows Attacks AT is the new black](https://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607)
[WMIOps](https://github.com/ChrisTruncer/WMIOps)
* WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It's designed primarily for use on penetration tests or red team engagements.
@ -90,8 +98,11 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[ms15-034.nse Script](https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse)
[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
* Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
* [Presentation](https://www.youtube.com/watch?v=P1lkflnWb0I)
[How to Bypass Anti-Virus to Run Mimikatz](http://www.blackhillsinfosec.com/?p=5555)


+ 4
- 1
Draft/Programming - Languages Libs Courses References.md View File

@ -22,10 +22,13 @@ Cull
[java-aes-crypto (Android class)](https://github.com/tozny/java-aes-crypto)
* A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
[Secure Coding Cheat Sheet - OWASP](https://www.owasp.org/index.php/Secure_Coding_Cheat_Sheet)
http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul
[Reverse debugging for Python](https://morepypy.blogspot.com/2016/07/reverse-debugging-for-python.html?m=1)
[Reverse debugging for Python](https://morepypy.blogspot.com/2016/07/reverse-debugging-for-python.html?m=1)
Getting Started with WindDbg Series - OpenSecurity Research
[Getting Started with WinDbg part 1](http://blog.opensecurityresearch.com/2013/12/getting-started-with-windbg-part-1.html)
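Review bot: the [Reverse debugging for Python] line is replaced by visually identical text (an invisible-character change), and the series heading just below it misspells the debugger: "Getting Started with WindDbg Series" should be "WinDbg" to match the part 1 entry under it.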


+ 19
- 5
Draft/Reverse Engineering.md View File

@ -46,6 +46,12 @@ To be sorted
http://stunnix.com/prod/cxxo/
[IDAnt-wanna](https://github.com/strazzere/IDAnt-wanna)
* ELF header abuse
[REhints MEX - WinDBG addons](https://github.com/REhints/WinDbg/tree/master/MEX)
[EasyHook] https://easyhook.github.io/
EasyHook makes it possible to extend (via hooking) unmanaged code APIs with pure managed functions, from within a fully managed environment on 32- or 64-bit Windows XP SP2, Windows Vista x64, Windows Server 2008 x64, Windows 7, Windows 8.1, and Windows 10.
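Review bot: `[EasyHook] https://easyhook.github.io/` is not valid Markdown link syntax (the URL has to be in parentheses), and the description on the following line is unbulleted, so it renders as a stray paragraph; write `[EasyHook](https://easyhook.github.io/)` followed by a `* ` description line, matching the IDAnt-wanna entry above it.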
@ -57,6 +63,10 @@ EasyHook makes it possible to extend (via hooking) unmanaged code APIs with pure
[python-oletools](https://github.com/decalage2/oletools)
* python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.
[asar](https://github.com/electron/asar)
* Simple extensive tar-like archive format with indexing
https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-but-little-snitch-aint-one
[The Empire Strikes Back Apple – how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
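Review bot: the speakerdeck URL is added bare while the entries around it use `[title](url)`; give it a title (the slug already names the talk: DEF CON 2016, "I Got 99 Problems but Little Snitch Ain't One") so it does not stand out as an untitled link.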
@ -94,11 +104,12 @@ http://blog.techorganic.com/2016/03/08/radare-2-in-0x1e-minutes/
mammon_'s tales to his grandson - https://mammon.github.io/tales/
[Make Confide great again? No, we cannot](http://blog.quarkslab.com/make-confide-great-again-no-we-cannot.html)
* RE'ing an electron based "secure communications" app
Voltron https://github.com/snare/voltron
Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs.
[Voltro](https://github.com/snare/voltron)
* Voltron is an extensible debugger UI toolkit written in Python. It aims to improve the user experience of various debuggers (LLDB, GDB, VDB and WinDbg) by enabling the attachment of utility views that can retrieve and display data from the debugger host. By running these views in other TTYs, you can build a customised debugger user interface to suit your needs.
[CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
https://github.com/BinaryAnalysisPlatform/bap-ida-python
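Review bot: the rewritten Voltron entry misspells the tool in its link text: `[Voltro]` should be `[Voltron]`, as both the URL and the description say. Replacing the old unlinked two-line entry with the `[title](url)` plus `*` form is otherwise the right change.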
@ -128,8 +139,8 @@ http://fileformats.archiveteam.org/wiki/PNG
fREedom - capstone based disassembler for extracting to binnavi
fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
[fREedom](capstone based disassembler for extracting to binnavi )
* fREedom is a primitive attempt to provide an IDA Pro independent means of extracting disassembly information from executables for use with binnavi (https://github.com/google/binnavi).
[Reverse Engineering Windows AFD.sys](https://recon.cx/2015/slides/recon2015-20-steven-vittitoe-Reverse-Engineering-Windows-AFD-sys.pdf)
[Kam1n0-Plugin-IDA-Pro](https://github.com/McGill-DMaS/Kam1n0-Plugin-IDA-Pro)
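Review bot: the rewritten fREedom entry puts the description where the URL belongs: `[fREedom](capstone based disassembler for extracting to binnavi )` is a link whose target is English text. The repository URL has to go in the parentheses (the removed lines did not carry it either, so it must be supplied), and the "capstone based disassembler for extracting to binnavi" phrase should move into the `*` bullet beside the existing sentence.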
@ -169,6 +180,9 @@ https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
[PE File Format Graphs](http://blog.dkbza.org/2012/08/pe-file-format-graphs.html?view=mosaic)
[Encyclopedia of Graphics File Formats](http://fileformats.archiveteam.org/wiki/Encyclopedia_of_Graphics_File_Formats)
###<a name="tools">Tools</a>


+ 7
- 0
Draft/Social Engineering.md View File

@ -29,6 +29,13 @@ http://www.irongeek.com/i.php?page=videos/derbycon5/break-me08-pwning-people-per
[PG01 Dropping hell0days Business Interaction for Security Professionals Or Anyone Else Elliot Johnso ](https://www.youtube.com/watch?v=COyN3NwY1v0)
[king-phisher](https://github.com/securestate/king-phisher)
* Phishing Campaign Toolkit
[gophish documentation](https://getgophish.com/documentation/)
[Area41 2016: Dominique-Cédric Brack: Professional Social Engineering](https://youtu.be/NcpmhsSVzuM)


+ 4
- 6
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -17,9 +17,7 @@ To Do:
* Clear Cull List
* Split sections into reference material and writeup material(quick vs long reference)
CULL
#### Sort
http://linux-audit.com/elf-binaries-on-linux-understanding-and-analysis/?utm_content=buffere95dc&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
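Review bot: the linux-audit.com URL carries `utm_content`, `utm_medium`, `utm_source` and `utm_campaign` tracking parameters; strip everything from `?` onwards, since the article is reachable at the canonical path and the parameters only leak where the link was copied from.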
@ -29,6 +27,7 @@ http://duartes.org/gustavo/blog/category/internals/
https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/
@ -51,12 +50,11 @@ https://tribalchicken.com.au/technical/recovering-bitlocker-keys-on-windows-8-1-
[Hyper-V internals](https://hvinternals.blogspot.fr/2015/10/hyper-v-internals.html)
http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx
#### End Sort
###<a name="general">General Internals</a>
[C Function Call Conventions and the Stack](https://archive.is/o2nD5)


+ 8
- 1
Draft/Web & Browsers.md View File

@ -49,7 +49,7 @@ Java Serialization papers/stuff
####Cull
#### Sort
https://github.com/qll/attacking-browser-extensions
http://console-cowboys.blogspot.com/2011/05/web-hacking-video-series-1-automating.html
@ -76,6 +76,13 @@ XSS game http://escape.alf.nu/
[Server-side browsing considered harmful](http://www.agarri.fr/docs/AppSecEU15-Server_side_browsing_considered_harmful.pdf)
[File scanner web app (Part 1 of 5): Stand-up and webserver](http://0xdabbad00.com/2013/09/02/file-scanner-web-app-part-1-of-5-stand-up-and-webserver/)
[gethead](https://github.com/httphacker/gethead)
* HTTP Header Analysis Vulnerability Tool
#### End Sort


+ 14
- 10
Draft/Wireless Networks & RF.md View File

@ -22,17 +22,22 @@ Cull
###CULL
#### Sort
http://umtrx.org/
http://dl.aircrack-ng.org/wiki-files/doc/technique_papers/Meiners,_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf
[RZUSBstick](http://www.atmel.com/tools/rzusbstick.aspx)
* The starter kit accelerates development, debugging, and demonstration for a wide range of low power wireless applications including IEEE 802.15.4, 6LoWPAN, and ZigBee networks. The kit includes one USB stick with a 2.4GHz transceiver and a USB connector. The included AT86RF230 transceiver's high sensitivity supports the longest range for wireless products. The AT90USB1287 incorporates fast USB On-the-Go.
http://dl.aircrack-ng.org/wiki-files/doc/technique_papers/Meiners,_Sor_-_WPA_Migration_Mode_WEP_is_back_to_haunt_you_-_slides.pdf
[rtlamr](https://github.com/bemasher/rtlamr)
* An rtl-sdr receiver for Itron ERT compatible smart meters operating in the 900MHz ISM band.
[HOPE Number Nine (2012): Practical Insecurity in Encrypted Radio](https://www.youtube.com/watch?v=7or-_gT8TWU&app=desktop)
[sysmocom publicly releases Osmocom user manuals](https://www.sysmocom.de/news/sysmocom-publicly-releases-osmocom-user-manuals/)
[Building a portable GSM BTS using the Nuand bladeRF, Raspberry Pi and YateBTS (The Definitive and Step by Step Guide) ](https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/)
@ -44,8 +49,8 @@ https://media.blackhat.com/us-13/us-13-Nohl-Rooting-SIM-cards-Slides.pdf
[Universal Radio Hacker](https://github.com/jopohl/urh)
| **Security of RFID Protocols – A Case Study** |
In the context of Dolev-Yao style analysis of security proto cols, we investigate the security claims of a pro- posed strong-security RFID authentication protocol. We ex hibit a flaw which has gone unnoticed in RFID protocol literature and present the resulting attacks on au thentication, untraceability, and desynchroniza- tion resistance. We analyze and discuss the authors’ proofs of security. References to other vulnerable protocols are given.
| **Security of RFID Protocols – A Case Study** |
In the context of Dolev-Yao style analysis of security proto cols, we investigate the security claims of a pro- posed strong-security RFID authentication protocol. We ex hibit a flaw which has gone unnoticed in RFID protocol literature and present the resulting attacks on au thentication, untraceability, and desynchroniza- tion resistance. We analyze and discuss the authorsÂ’ proofs of security. References to other vulnerable protocols are given.
https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fun-and-profit/
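Review bot: the replacement RFID abstract line introduces mojibake: `authors’` becomes `authorsÂ’`, so this edit damages the encoding rather than cleaning it. While fixing that, the abstract still carries PDF copy artifacts ("proto cols", "pro- posed", "ex hibit", "au thentication", "desynchroniza- tion") that should be joined into "protocols", "proposed", "exhibit", "authentication", "desynchronization". The entry also has no link, only a `| **Security of RFID Protocols – A Case Study** |` table fragment; give it a URL in the file's `[title](url)` form or drop the bars.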
@ -65,7 +70,7 @@ http://www.irongeek.com/i.php?page=videos/derbycon5/stable18-stealthy-and-persis
A modified version of scapy that can leverage GNU Radio to handle a SDR card
GNU Radio flow graphs (GRC files) we have build that allows full duplex communication
GNU Radio blocks we have written to handle several protocols
[The big GSM write-up – how to capture, analyze and crack GSM?](http://domonkos.tomcsanyi.net/?p=418)
[The big GSM write-up – how to capture, analyze and crack GSM?](http://domonkos.tomcsanyi.net/?p=418)
[KillerBee](https://github.com/riverloopsec/killerbee)
* Framework and Tools for Attacking ZigBee and IEEE 802.15.4 networks.
@ -99,7 +104,7 @@ https://www.evilsocket.net/2016/03/31/how-to-build-your-own-rogue-gsm-bts-for-fu
* SnoopSnitch is an Android app that collects and analyzes mobile radio data to make you aware of your mobile network security and to warn you about threats like fake base stations (IMSI catchers), user tracking and over-the-air updates. With SnoopSnitch you can use the data collected in the GSM Security Map at gsmmap.org and contribute your own data to GSM Map. This application currently only works on Android phones with a Qualcomm chipset and a stock Android ROM (or a suitable custom ROM with Qualcomm DIAG driver). It requires root priviliges to capture mobile network data.
[Brute forcing Wi-Fi Protected Setup - Stefan Viehböck](https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)
[Brute forcing Wi-Fi Protected Setup - Stefan Viehböck](https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)
* The original paper on WPS cracking.
[IEEE 802.11 Tutorial](http://wow.eecs.berkeley.edu/ergen/docs/ieee.pdf)
@ -113,12 +118,12 @@ This document describes IEEE 802.11 Wireless Local Area Network (WLAN) Standard.
[Sniffing GSM with HackRF](https://web.archive.org/web/20130825000211/http://binaryrf.com/viewtopic.php?t=6&f=9)
[ CampZer0 // Domonkos Tomcsányi: GSM - have we overslept the last wake-up call?](https://www.youtube.com/watch?v=3cnnQFP3VqE)
[ CampZer0 // Domonkos Tomcsányi: GSM - have we overslept the last wake-up call?](https://www.youtube.com/watch?v=3cnnQFP3VqE)
[Intercepting GSM Traffic](https://www.blackhat.com/presentations/bh-dc-08/Steve-DHulton/Presentation/bh-dc-08-steve-dhulton.pdf)
[GSM: SRSLY?](https://events.ccc.de/congress/2009/Fahrplan/events/3654.en.html)
* The worlds most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM's security hasn't received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising. From the total lack of network to handset authentication, to the "Of course I'll give you my IMSI" message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet. Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever
* The worlds most popular radio system has over 3 billion handsets in 212 countries and not even strong encryption. Perhaps due to cold-war era laws, GSM's security hasn't received the scrutiny it deserves given its popularity. This bothered us enough to take a look; the results were surprising. From the total lack of network to handset authentication, to the "Of course I'll give you my IMSI" message, to the iPhone that really wanted to talk to us. It all came as a surprise – stunning to see what $1500 of USRP can do. Add a weak cipher trivially breakable after a few months of distributed table generation and you get the most widely deployed privacy threat on the planet. Cloning, spoofing, man-in-the-middle, decrypting, sniffing, crashing, DoS'ing, or just plain having fun. If you can work a BitTorrent client and a standard GNU build process then you can do it all, too. Prepare to change the way you look at your cell phone, forever
[Wideband GSM Sniffing [27C3]](https://www.youtube.com/watch?v=ZrbatnnRxFc)
* GSM is still the most widely used security technology in the world with a user base of 5 billion and a quickly growing number of critical applications. 26C3's rainbow table attack on GSM's A5/1 encryption convinced many users that GSM calls should be considered unprotected. The network operators, however, have not woken up to the threat yet. Perhaps the new capabilities to be unleashed this year -- like wide-band sniffing and real-time signal processing -- will wake them up. Now that GSM A5/1 encryption can be cracked in seconds, the complexity of wireless phone snooping moved to signal processing. Since GSM hops over a multitude of channels, a large chunk of radio spectrum needs to be analyzed, for example with USRPs, and decoded before storage or decoding. We demonstrate how this high bandwidth task can be achieved with cheap programmable phones.
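Review bot: both lines replaced in this hunk (the [ CampZer0 // Domonkos Tomcsányi ...] link and the GSM: SRSLY? summary) read identically to the removed ones, so this is another invisible-character change. Since they are being touched, remove the leading space inside the link text (`[ CampZer0`), and fix "The worlds most popular radio system" to "The world's".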
@ -183,7 +188,7 @@ PyBT
* Gnuradio blocks and tools for receiving GSM transmissions
[GSM MAP](http://gsmmap.org/#!/about)
* The GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
* The GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
[Mobile self-defense - Karsten Nohl](https://www.youtube.com/watch?v=GeCkO0fWWqc)
@ -359,4 +364,3 @@ In this article, we proved the capabilities of an inexpensive wireless adapter a
[US Marine Antenna Handbook](http://www.zerobeat.net/r3403c.pdf?1)
