
A nice update

pull/8/head
root 5 years ago
parent
commit
0935315f24
38 changed files with 774 additions and 246 deletions
1. Draft/Anonymity Opsec Privacy -.md (+30, -12)
2. Draft/Attacking Defending Android -.md (+32, -11)
3. Draft/Attacking Defending iOS -.md (+9, -6)
4. Draft/BIOS UEFI Attacks Defenses.md (+18, -12)
5. Draft/Basic Security Information.md (+13, -0)
6. Draft/CTFs & Wargames -.md (+8, -0)
7. Draft/Car Hacking.md (+10, -5)
8. Draft/Courses & Training -.md (+2, -4)
9. Draft/Cryptography & Encryption.md (+7, -2)
10. Draft/Documentation & Reports -.md (+3, -2)
11. Draft/Embedded Device & Hardware Hacking -.md (+12, -0)
12. Draft/Exfiltration.md (+7, -0)
13. Draft/Exploit Development.md (+30, -3)
14. Draft/Frameworks Methodologies.md (+3, -7)
15. Draft/Fuzzing Bug Hunting.md (+2, -0)
16. Draft/Interesting Things Useful stuff.md (+74, -21)
17. Draft/Malware.md (+34, -14)
18. Draft/Network Attacks & Defenses.md (+8, -0)
19. Draft/Network Security Monitoring & Logging.md (+7, -0)
20. Draft/Open Source Intelligence.md (+10, -0)
21. Draft/Password Bruting and Hashcracking.md (+1, -1)
22. Draft/Phishing.md (+2, -1)
23. Draft/Phyiscal Security.md (+5, -0)
24. Draft/Policy-Compliance.md (+5, -0)
25. Draft/Privilege Escalation & Post-Exploitation.md (+69, -13)
26. Draft/Programming - Languages Libs Courses References.md (+39, -8)
27. Draft/Red-Teaming.md (+12, -0)
28. Draft/Reverse Engineering.md (+24, -0)
29. Draft/SCADA.md (+1, -1)
30. Draft/Sandboxes.md (+2, -0)
31. Draft/Social Engineering.md (+5, -0)
32. Draft/System Internals Windows and Linux Internals Reference.md (+9, -0)
33. Draft/UX Design - Because we all know how sexy pgp is.md (+1, -0)
34. Draft/Web & Browsers.md (+66, -6)
35. Draft/Wireless Networks & RF.md (+12, -0)
36. Draft/help.md (+18, -0)
37. Draft/things-added.md (+182, -117)
38. README.md (+2, -0)

Draft/Anonymity Opsec Privacy -.md (+30, -12)

@ -3,27 +3,32 @@
### TOC
* Cull
* Articles #Articles
* How-Tos #howtos
* Papers #Papers
* Talks/Videos #Talks
* Tools #Tools
* [Articles](#Articles)
* [How-Tos](#howtos)
* [Papers](#Papers)
* [Talks/Videos](#Talks)
* [Tools](#Tools)
| OS X Security and Privacy Guide | https://github.com/drduh/OS-X-Security-and-Privacy-Guide |
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
#### Cull
https://github.com/NullHypothesis/exitmap/issues/37
#### end cull
### General
[OS X Security and Privacy Guide](https://github.com/drduh/OS-X-Security-and-Privacy-Guide)
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
### Blogposts
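Review bot: the "Bugger - Adam Curtis" link and its bullet added under ### General already exist further down this file (they show up as unchanged context at the start of the next hunk), so the entry is now listed twice; keep one copy. The #### Cull / #### end cull block also sits directly under the TOC, between the list of anchors and ### General, which is an odd place for a scratch list; move it above the TOC or to the bottom.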
@ -71,7 +76,7 @@ https://github.com/NullHypothesis/exitmap/issues/37
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
[Detect Tor Exit doing sniffing by passively detecting unique DNS query (via HTML & PCAP parsing/viewing)](https://github.com/NullHypothesis/exitmap/issues/37)
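Review bot: with this titled entry in place, the bare https://github.com/NullHypothesis/exitmap/issues/37 line still kept under #### Cull in the previous hunk is redundant; drop the bare copy so the issue is linked once, with its description.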
@ -143,6 +148,13 @@ https://github.com/NullHypothesis/exitmap/issues/37
[PISSED: Privacy In a Surveillance State Evading Detection - Joe Cicero - CYPHERCON11 ](https://www.youtube.com/watch?v=keA3WcKwZwA)
[What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
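Review bot: the PISSED link text has a trailing space before the closing bracket ("CYPHERCON11 ]"), which ends up inside the rendered link; trim it. Both entries here also lack the one-line description bullet the rest of the file gives each talk.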
@ -164,11 +176,17 @@ https://github.com/NullHypothesis/exitmap/issues/37
[howmanypeoplearearound](https://github.com/schollz/howmanypeoplearearound)
* Count the number of people around you 👨‍👨‍👦 by monitoring wifi signals 📡
[Decentraleyes](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/)
* Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
[Decentraleyes - Github](https://github.com/Synzvato/decentraleyes)
* A web browser extension that emulates Content Delivery Networks to improve your online privacy. It intercepts traffic, finds supported resources locally, and injects them into the environment. All of this happens automatically, so no prior configuration is required.
[Destroy-Windows-10-Spying](https://github.com/Nummer/Destroy-Windows-10-Spying)
* Destroy Windows Spying tool
[meek](https://github.com/Yawning/meek)
* meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order to avoid talking directly to a Tor bridge. HTTPS encryption hides fingerprintable byte patterns in Tor traffic.sek
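Review bot: the meek description ends with a stray "sek" after "Tor traffic." (a leftover keystroke); delete it. The Destroy-Windows-10-Spying bullet ("Destroy Windows Spying tool") only restates the name, so one sentence on what the tool actually changes would make the entry useful. Decentraleyes is listed twice (the AMO page and the GitHub repo); one entry carrying both links reads better.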


Draft/Attacking Defending Android -.md (+32, -11)

@ -29,23 +29,35 @@ Cull
[Droidsec - Pretty much should be your first stop](http://www.droidsec.org/wiki/)
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
| **csploit** - "The most complete and advanced IT security professional toolkit on Android."(*From their site*) | http://www.csploit.org/docs.html -- [Github Link](https://github.com/cSploit/android/tree/master/cSploit)
### Cull/Sort
* Redo formatting
https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knocking-observations-of-byte-a.html
### Cull/Sort
http://nelenkov.blogspot.com
[Appie – Android Pentesting Portable Integrated Environment](https://manifestsecurity.com/appie/)
[Add Security Exception to APK](https://github.com/levyitay/AddSecurityExceptionAndroid)
[DonkeyGuard](https://github.com/CollegeDev/DonkeyGuard/)
* DonkeyGuard allows you a fine-grained tuning of access to your private data. It currently supports 41 restrictions which can be applied for every application. Specifically, it is a Privacy service provider which implements a set of modifications to the Android Framework to allow you to interact with applications which are trying to access your private data.
[The Android boot process](https://thecyberfibre.com/android-boot-process/)
https://blog.gdssecurity.com/labs/2015/2/18/when-efbfbd-and-friends-come-knocking-observations-of-byte-a.html
[Intercepting HTTPS traffic of Android Nougat Applications](https://serializethoughts.com/2016/09/10/905/)
* TL;DR To intercept network traffic for Android 7.0 targeted applications, introduce a res/xml/network_security_config.xml file.
http://nelenkov.blogspot.com
### End cull
[Add Security Exception to APK](https://github.com/levyitay/AddSecurityExceptionAndroid)
### General
[Droidsec - Pretty much should be your first stop](http://www.droidsec.org/wiki/)
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
| **csploit** - "The most complete and advanced IT security professional toolkit on Android."(*From their site*) | http://www.csploit.org/docs.html -- [Github Link](https://github.com/cSploit/android/tree/master/cSploit)
[Mobile Application Penetration Testing Cheat Sheet](https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet)
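Review bot: the "Add Security Exception to APK" link lands between "### End cull" and "### General", so it belongs to no section; move it into General or back into the cull list. Two smaller points in the same hunk: "* Redo formatting" under ### Cull/Sort is a to-do note rather than content, and the csploit line is a table row (leading |) in a section with no table header, so it renders as literal text rather than a table.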
@ -110,6 +122,11 @@ Check the Encryption section of the overall guide for more information.
| -------- | ------------------------ |
| **List of Android Exploits** | https://github.com/droidsec/droidsec.github.io/wiki/Vuln-Exploit-List)
[Android_Kernel_CVE_POC](https://github.com/ScottyBauer/Android_Kernel_CVE_POCs)
[plzdonthack.me](https://plzdonthack.me/)
* personal site of scotty bauer
### **<a name="DAnalysis">Device Analysis</a>**
| Title | Link |
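Review bot: the "List of Android Exploits" URL carries a stray ")" after Vuln-Exploit-List, which becomes part of the link; drop it. The two entries that follow (Android_Kernel_CVE_POC and plzdonthack.me) are plain link lines placed straight after table rows with no blank line, which breaks the table; either make them rows, e.g. "| **Android_Kernel_CVE_POC** | https://github.com/ScottyBauer/Android_Kernel_CVE_POCs |", or separate them with a blank line. "personal site of scotty bauer" should read "Personal site of Scotty Bauer".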
@ -157,6 +174,8 @@ Check the Encryption section of the overall guide for more information.
[android-gdb](https://github.com/darchons/android-gdb)
* GDB fork targetting Android/Fennec development
[How to avoid certificate pinning in the latest versions of Android](https://www.welivesecurity.com/2016/09/08/avoid-certificate-pinning-latest-versions-androidESET%20Blog:%20We%20Live%20Security)
### **<a name="Static">Static Analysis</a>**
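Review bot: the "How to avoid certificate pinning" URL is broken: the page title "ESET Blog: We Live Security" has been pasted onto the end of the address (…latest-versions-androidESET%20Blog:%20We%20Live%20Security), so the link will not resolve. Cut it back to the article path ending at "…-latest-versions-android/" and check that it loads. While here, the android-gdb bullet just above has "targetting" for "targeting".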
@ -171,7 +190,7 @@ Check the Encryption section of the overall guide for more information.
| **[PAPER]Thresher: Precise Refutations for Heap Reachability** |http://www.cs.colorado.edu/~sabl4745/papers/pldi13-thresher.pdf
| **lint - Static Analysis** - The Android lint tool is a static code analysis tool that checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.|https://developer.android.com/tools/help/lint.html
| **Flow Droid - Taint Analysis** - FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. |http://sseblog.ec-spride.de/tools/flowdroid/
| **[PAPER]FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps** - In this work we thus present F LOW D ROID , a novel and highly precise static taint analysis for Android applications. A precise model of Androids lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help F LOW D ROID maintain high efficiency and precision at the same time| http://www.bodden.de/pubs/far+14flowdroid.pdf
| **[PAPER]FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps** - In this work we thus present F LOW D ROID , a novel and highly precise static taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help F LOW D ROID maintain high efficiency and precision at the same time| http://www.bodden.de/pubs/far+14flowdroid.pdf
| **dedex** - Is a command line tool for disassembling Android DEX files.|https://github.com/mariokmk/dedex
| **DexMac** - Is a native OSX application for disassembling Android DEX files. | https://github.com/mariokmk/DexMac
| **dexdissasembler** - Is a GTK tool for disassembling Android DEX files. }https://github.com/mariokmk/dexdisassemble
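Review bot: this change only fixes the apostrophe in "Android’s lifecycle", but the same FlowDroid row still contains "F LOW D ROID" twice (small-caps spacing copied from the PDF); write it as "FlowDroid". Two rows down, the dexdissasembler row uses "}" instead of "|" before its URL ("…DEX files. }https://github.com/…"), which breaks the table, and the tool name is spelled differently from the repository (mariokmk/dexdisassemble); check which is correct.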
@ -221,7 +240,7 @@ Check the Encryption section of the overall guide for more information.
| -------- | ------------------------ |
| **APK Studio - Android Reverse Engineering** - APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis. |https://apkstudio.codeplex.com/
| **Android apk-tool** - It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc. | https://code.google.com/p/android-apktool/
| **Reversing and Auditing Androids Proprietary bits** |http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits
| **Reversing and Auditing Android’s Proprietary bits** |http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits
| **Smali** - smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.) |https://code.google.com/p/smali/
| APKinpsector** - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.| https://github.com/honeynet/apkinspector/
| **Dexter** - Dexter is a static android application analysis tool |http://dexter.dexlabs.org/accounts/login/?next=/dashboard
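Review bot: replacing the straight apostrophe with a typographic ’ in "Android’s Proprietary bits" introduces an inconsistency, since the rest of the file uses ASCII quotes (e.g. "Android's Java VM implementation" in the Smali row two lines down); either keep ASCII or convert the whole file in one pass. Two rows down, "| APKinpsector**" is missing its opening ** and misspells APKinspector.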
@ -301,7 +320,7 @@ Check the Encryption section of the overall guide for more information.
### **<a name="Education">Educational Material</a>**
| Title | Link |
| -------- | ------------------------ |
| **OWASP GoatDroid** - OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform. |https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
| **OWASP GoatDroid** - “OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.� |https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
| **Insecure Bank v2** - This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code. |https://github.com/dineshshetty/Android-InsecureBankv2
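Review bot: the quotation marks wrapped around the GoatDroid description come out as “ at the start and � (U+FFFD, the replacement character) at the end, so the file was saved in the wrong encoding. Use plain ASCII quotes, or none, as the neighbouring rows do. Since the line is being edited anyway, "several feature" should be "several features".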
@ -344,9 +363,11 @@ Check the Encryption section of the overall guide for more information.
| **Root Tools** - RootTools provides rooted developers a standardized set of tools for use in the development of rooted applications | https://github.com/Stericson/RootTools
[Protect Your Java Code — Through Obfuscators And Beyond](https://www.excelsior-usa.com/articles/java-obfuscators.html)
[fdroidcl](https://github.com/mvdan/fdroidcl#advantages-over-the-android-clientx)
* F-Droid desktop client.
[Heimdall](https://github.com/Benjamin-Dobell/Heimdall)
* Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy S devices.
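Review bot: the fdroidcl link points at a README anchor, #advantages-over-the-android-clientx, whose trailing "x" looks like a typo; an anchor that does not exist silently lands on the page top, so either link the repository root (https://github.com/mvdan/fdroidcl) or verify the heading slug.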


Draft/Attacking Defending iOS -.md (+9, -6)

@ -25,6 +25,9 @@
| **Mobile self-defense - Karsten Nohl** | https://www.youtube.com/watch?v=GeCkO0fWWqc
| **Pentesting iOS Applications - Pentester Academy - Paid Course** - This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques. | http://www.pentesteracademy.com/course?id=2
[Mobile Application Penetration Testing Cheat Sheet](https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet)
* Redo formatting
#### End Cull
### General
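Review bot: "* Redo formatting" is a to-do note committed into the content just before #### End Cull; it belongs in an issue or a TODO file rather than on the page. The cheat sheet entry above it is fine (the same link is added to the Android file in this commit, which makes sense since it covers both platforms).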
@ -35,7 +38,7 @@
* aurainfosec
[Secure iOS application development](https://github.com/felixgr/secure-ios-app-dev)
* This guide is a collection of the most common vulnerabilities found in iOS applications. The focus is on vulnerabilities in the applications code and only marginally covers general iOS system security, Darwin security, C/ObjC/C++ memory safety, or high-level application security. Nevertheless, hopefully the guide can serve as training material to iOS app developers that want to make sure that they ship a more secure app. Also, iOS security reviewers can use it as a reference during assessments.
* This guide is a collection of the most common vulnerabilities found in iOS applications. The focus is on vulnerabilities in the applications’ code and only marginally covers general iOS system security, Darwin security, C/ObjC/C++ memory safety, or high-level application security. Nevertheless, hopefully the guide can serve as training material to iOS app developers that want to make sure that they ship a more secure app. Also, iOS security reviewers can use it as a reference during assessments.
[needle](https://github.com/mwrlabs/needle)
* Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps.
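Review bot: the only change here is the straight apostrophe becoming ’ in "applications’ code"; the file uses ASCII quotes elsewhere (e.g. "you're" in the IPhoneDevWiki row later in this diff), so keep ASCII for consistency unless the whole file is converted.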
@ -47,8 +50,8 @@
| Title | Link |
| -------- | ------------------------ |
| **Excellent forum post detailing general security practices** | https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/
| **Apples white paper on their security mechanisms built into iOS** | https://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf)
| **University of Texass Checklist/Guide to securing iOS** | https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist
| **Apple’s white paper on their security mechanisms built into iOS** | https://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf)
| **University of Texas’s Checklist/Guide to securing iOS** | https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist
| **Center for Internet Security Guide to securing iOS 7** | https://benchmarks.cisecurity.org/tools2/iphone/CIS_Apple_iOS_7_Benchmark_v1.1.0.pdf
| **Australian Signals Intel Guide to securing iOS 7** | http://www.asd.gov.au/publications/iOS7_Hardening_Guide.pdf
| **Excellent forum post detailing general security practices** | https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/
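Review bot: the "Excellent forum post detailing general security practices" row appears twice in this table (first and last rows of the hunk); keep one. The Apple white paper URL also keeps a stray ")" after .pdf, which will be included in the link; drop it while the row is being touched.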
@ -78,7 +81,7 @@
| **Learning iOS Application Security - 34 part series - damnvulnerableiosapp** | http://damnvulnerableiosapp.com/#learn
| **iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
| **Damn Vulnerable iOS App - Getting Started** | http://damnvulnerableiosapp.com/2013/12/get-started/
| **OWASP iGOAT** - iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson. | https://www.owasp.org/index.php/OWASP_iGoat_Project
| **OWASP iGOAT** - “iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.� | https://www.owasp.org/index.php/OWASP_iGoat_Project
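Review bot: same encoding problem as the GoatDroid row in the Android file: the closing quote of the iGoat description is a U+FFFD replacement character (“ … �). Use ASCII quotes or drop the quotes altogether.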
@ -127,7 +130,7 @@
| -------- | ------------------------ |
| **IODIDE - The IOS Debugger and Integrated Disassembler Environment** | https://github.com/nccgroup/IODIDE
| **Clutch** - Fast iOS executable dumper | https://github.com/KJCracks/Clutch
| **MEMSCAN - Dump iPhone app RAM** - A Cigital consultant Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use. | http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/
| **MEMSCAN - Dump iPhone app RAM** - A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use. | http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/
| **MEMSCAN - A memory scanning tool which uses mach_vm* to either dump memory or look for a specific sequence of bytes. | https://github.com/hexploitable/MEMSCAN
| **IOS Reverse Engineering toolkit** | https://github.com/S3Jensen/iRET
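Review bot: inserting the en dash gives "A Cigital consultant – Grant Douglas, recently created…", which is still an unbalanced aside; "Grant Douglas, a Cigital consultant, recently created…" reads cleanly and avoids the non-ASCII dash. The MEMSCAN GitHub row below it has an unclosed ** ("| **MEMSCAN - A memory scanning tool…"), so the bold marker shows up literally.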
@ -145,7 +148,7 @@
| Title | Link |
| -------- | ------------------------ |
| **Guide to hardening iOS with the goal of privacy** | http://cydia.radare.org/sec/
| **IPhoneDevWiki** - Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.| http://iphonedevwiki.net/index.php/Main_Page
| **IPhoneDevWiki** - “Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.�| http://iphonedevwiki.net/index.php/Main_Page
| The iPhone Wiki** - The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices. | http://theiphonewiki.com/wiki/Main_Page
| **OWASP Jailbreaking Cheat Sheet** | https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
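Review bot: the IPhoneDevWiki description has the same mojibake closing quote (�) as the other quoted descriptions in this commit, and the "[1]" footnote marker copied from the wiki should be removed as well. The iPhone Wiki row just below is missing its opening ** ("| The iPhone Wiki**").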


Draft/BIOS UEFI Attacks Defenses.md (+18, -12)

@ -17,15 +17,15 @@ TOC
#### Cull
http://www.stoned-vienna.com/11111
http://www.stoned-vienna.com/
http://forums.mydigitallife.info/forums/34-MDL-Projects-and-Applications
http://forums.mydigitallife.info/forums/25-BIOS-Mods
[ Hyper-V backdoor for UEFI](https://gist.github.com/Cr4sh/55a54e7f3c113316efd2d66457df68dd)
[Advice for writing a Bootloader? - reddit](https://www.reddit.com/r/lowlevel/comments/30toah/advices_for_a_bootloader/)
#### End Cull
## <a name="general">General</a>
| Title | Link |
| -------- | ------------------------ |
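Review bot: the Hyper-V backdoor gist link text has a leading space ("[ Hyper-V backdoor for UEFI]"); trim it. The mydigitallife forum links and the bootloader reddit thread are added under ### Other at the end of this file with updated addresses, so make sure the copies shown here in the cull list are the ones being removed; otherwise the file lists them twice.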
@ -33,7 +33,7 @@ http://forums.mydigitallife.info/forums/25-BIOS-Mods
| **UEFI - OSDev Wiki** | http://wiki.osdev.org/UEFI
| **Technical Overview of Windows UEFI Startup Process** | http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/
| **Understanding AMT, UEFI BIOS and Secure boot relationships** | https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships
| **Windows UEFI startup – A technical overview]** - Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.| http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/
| **Windows UEFI startup – A technical overview]** - Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.| http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/
| **Extensible Firmware Interface (EFI) and Unified EFI (UEFI)** | http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html
| **Intel ME (Manageability engine) Huffman algorithm]** | http://io.smashthestack.org/me/
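Review bot: the two "Windows UEFI startup – A technical overview]" lines render identically, so this is a byte-level (encoding or whitespace) change; the stray "]" in the title survives it, and the same article is already in this table as "Technical Overview of Windows UEFI Startup Process" with the same URL, so one of the two rows should go. The Intel ME row below has the same stray "]".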
@ -59,13 +59,13 @@ http://forums.mydigitallife.info/forums/25-BIOS-Mods
| **BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013** | https://www.youtube.com/watch?v=NbYZ4UCN9GY
| **Hacking Measured Boot and UEFI - Defcon20** - There's been a lot buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs.| https://www.youtube.com/watch?v=oiqcog1sk2E
| **Hardware Backdooring is Practical -Jonathan Brossard** | https://www.youtube.com/watch?v=umBruM-wFUw
| **Attacking “secure” chips** | https://www.youtube.com/watch?v=w7PT0nrK2BE
| **Attacking “secure� chips** | https://www.youtube.com/watch?v=w7PT0nrK2BE
| **Attackin the TPM part 2https://www.youtube.com/watch?v=h-hohCfo4LA
| **Breaking apple touchID cheaply** | http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
[Attacks on UEFI Security - Rafal Wojtczuk&Corey Kallenberg(https://bromiumlabs.files.wordpress.com/2015/01/attacksonuefi_slides.pdf)
[The Empire Strikes Back Apple how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
[The Empire Strikes Back Apple – how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
* Writeup on compromise of UEFI on apple hardware.
[Bootkit Threats: In Depth Reverse Engineering & Defense- Eugene Rodionov&Aleksandr Matrosov](https://www.eset.com/fileadmin/Images/US/Docs/Business/presentations/conference_papers/REcon2012.pdf)
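Review bot: the "Attacking “secure� chips" row now ends its quote with a U+FFFD replacement character; use ASCII quotes. In the same hunk, the "Attackin the TPM part 2" row has no cell separators and no closing **, and the "Attacks on UEFI Security" entry is missing the "]" before its URL, so neither renders as a link.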
@ -103,7 +103,7 @@ Reverse Engineering Router Firmware walk through
[Reverse Engineering UEFI Firmware](https://jbeekman.nl/blog/2015/03/reverse-engineering-uefi-firmware/)
[Intel® System Studio – UEFI BIOS Debugging](https://software.intel.com/en-us/articles/intel-system-studio-2014-uefi-bios-debugging)
[Intel® System Studio – UEFI BIOS Debugging](https://software.intel.com/en-us/articles/intel-system-studio-2014-uefi-bios-debugging)
[Debug SPI BIOS after Power Up Sequence](https://software.intel.com/en-us/articles/debug-spi-bios-after-power-up-sequence)
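Review bot: no visible difference between the two "Intel® System Studio – UEFI BIOS Debugging" lines; if this is an encoding or trailing-whitespace normalisation, say so in the commit message, because "A nice update" gives a reviewer no way to tell whether the change is intentional from the rendered diff.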
@ -130,8 +130,8 @@ Reverse Engineering Router Firmware walk through
| **System Management Mode Hack Using SMM for "Other Purposes** - The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger. | http://phrack.org/issues/65/7.html)
| **A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski** - The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger. | http://phrack.org/issues/66/11.html#article
| **Exploiting UEFI boot script table vulnerability** | http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html
| **Attacking Intel ® Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska** | https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf
| **Attacking UEFI Boot Script** - AbstractUEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM.| https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf
| **Attacking Intel ® Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska** | https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf
| **Attacking UEFI Boot Script** - Abstract—UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM.| https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf
| **Breaking IPMI/BMC** | http://fish2.com/ipmi/how-to-break-stuff.html
| **20 Ways Past Secure Boot - Job de Haas - Troopers14** | https://www.youtube.com/watch?v=74SzIe9qiM8
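Review bot: the em dash inserted between "Abstract" and "UEFI Boot Script" only papers over the problem: "Abstract" is the paper's section heading copied along with its text. Drop it so the description starts at "UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume."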
@ -155,7 +155,7 @@ Reverse Engineering Router Firmware walk through
| **WindSLIC SLIC injectors** - includes UEFI, NTFS, bootmgr SLIC injectors and installers. | https://github.com/untermensch/WindSLIC
| **UEFI Firmware Parser** - The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials. | https://github.com/theopolis/uefi-firmware-parser
| **Firmware Modifcation kit** - This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images.| https://code.google.com/p/firmware-mod-kit/
| **Debug Agent Based UEFI Debugging** - The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports | https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug
| **Debug Agent Based UEFI Debugging** - The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports | https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug
[ida-uefiutils](https://github.com/snare/ida-efiutils/)
* Some scripts for IDA Pro to assist with reverse engineering EFI binaries
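Review bot: the removed and added versions of the **Debug Agent Based UEFI Debugging** row read identically in the rendered diff, so this looks like a whitespace-only change; if the line is being touched anyway, fix the typos it carries ("the the debug methodology used bey" should be "the debug methodology used by") and, two rows up, "Firmware Modifcation kit" should be "Firmware Modification kit".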
@ -184,4 +184,10 @@ Reverse Engineering Router Firmware walk through
### Other
[Notes on Intel Microcode Updates](http://hireme.geek.nz/Intel_x86_NSA_Microcode_Updates.pdf)
[Notes on Intel Microcode Updates](http://hireme.geek.nz/Intel_x86_NSA_Microcode_Updates.pdf)
[BIOS Mods - mydigitallife](https://forums.mydigitallife.net/forums/bios-mods.25/)
[MDL Projects and Applications](https://forums.mydigitallife.net/forums/mdl-projects-and-applications.34/)
[Advice for writing a Bootloader? - reddit](https://www.reddit.com/r/lowlevel/comments/30toah/advices_for_a_bootloader/)
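Review bot: same pattern here, the old and new **Notes on Intel Microcode Updates** lines are identical in the rendered view, so that part of the hunk only changes whitespace; dropping whitespace-only churn from the commit would make the real additions (the two mydigitallife forum links and the reddit bootloader thread) easier to review.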

+ 13
- 0
Draft/Basic Security Information.md

@ -53,3 +53,16 @@ These are links to basic technically links or things I feel might help someone
[So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
[How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
[SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)
[Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html)
[Red Hat Enterprise Linux 6 Security Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf)
[Mitigate threats by using Windows 10 security features](https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10)
https://blog.zsec.uk/101-intro/
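Review bot: the last added line is a bare URL (https://blog.zsec.uk/101-intro/) while every other entry in this hunk uses the `[title](url)` form; give it a title. Also, **Windows Commands Abused by Attackers** is added both here and to Draft/Interesting Things Useful stuff.md in this same commit; one copy is enough, and this file is the better home for defensive reference material.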

+ 8
- 0
Draft/CTFs & Wargames -.md

@ -27,6 +27,9 @@ pentestlab
root-me
#### end cull
### <a name="general">General</a>
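Review bot: the hunk header `-27,6 +27,9` says three lines were added, but the rendered hunk shows only unchanged context (root-me, end cull, General), so the additions appear to be blank lines; blank-line churn is worth leaving out of the commit.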
@ -39,6 +42,8 @@ root-me
[CTF write-ups 2015](https://github.com/ctfs/write-ups-2015)
[CTF write-ups 2017](https://github.com/ctfs/write-ups-2017)
[Archive of recent CTFs](http://repo.shell-storm.org/CTF/)
[The Many Maxims of Maximally Effective CTFs](http://captf.com/maxims.html)
@ -101,6 +106,9 @@ Wechall
[EnigmaGroup](http://www.enigmagroup.org/)
[cmdchallenge](https://github.com/jarv/cmdchallenge)
* This repo holds the challenges for cmdchallenge.com
* command-line challenges - can add your own/modify existing challenges
[Canyouhackit](http://canyouhack.it/)
* Can You Hack It is a Hacking Challenge site designed to not only allow you to test and improve your skills in a wide variety of categories but to socialise both on the forums and on our IRC channel with other security enthusiasts.


+ 10
- 5
Draft/Car Hacking.md

@ -12,11 +12,6 @@
#### Cull
http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
### End cull
@ -43,7 +38,9 @@ Seriously check this first ---> [Awesome Vehicle Security List(github awesome li
[Tesla Model S JSON API (unofficial RE post)](http://docs.timdorr.apiary.io/#reference/vehicles)
[Cyber-attacks on vehicles P-I!](http://dn5.ljuska.org/napadi-na-auto-sistem-1.html)
[Cyber-attacks on vehicles P-II!](http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html)
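Review bot: the **Cyber-attacks on vehicles P-II!** entry added here points at the same URL (http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html) that still shows under `#### Cull` in the first hunk of this file; confirm the cull copy is the one being removed, otherwise the link is now listed twice.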
@ -59,6 +56,14 @@ Seriously check this first ---> [Awesome Vehicle Security List(github awesome li
[A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014](https://www.youtube.com/watch?v=mNhFGJVq2HE)
[Broadcasting your attack: Security testing DAB radio in cars - Andy Davis](http://2015.ruxcon.org.au/assets/2015/slides/Broadcasting-your-attack-Security-testing-DAB-radio-in-cars.pdf)
[A Vulnerability in Modern Automotive Standards and How We Exploited It](https://documents.trendmicro.com/assets/A-Vulnerability-in-Modern-Automotive-Standards-and-How-We-Exploited-It.pdf)
[Car hacking: getting from A to B with Eve (SHA2017)](https://www.youtube.com/watch?v=l9760bzUN3E)
* Car security is, not surprisingly, a hot topic; after all they are fast and heavy computer controlled machinery that nowadays come with all kinds of internet connectivity. So we decided to have a look at it. In our presentation, we’ll first cover some theory behind the IT-part of car architecture. We’ll discuss attack vectors and their likelihood of success, and then discuss the various vulnerabilities we found. Finally, we will combine these vulnerabilities into a remote attack. Depending on the disclosure process with the vendor, which is pending, we might be able to demonstrate the attack.
## Tools


+ 2
- 4
Draft/Courses & Training -.md

@ -50,8 +50,8 @@ These classes are all focused on computer/information security. If you're lookin
[Open Security Training](https://www.opensecuritytraining.info)
[Class Central](https://www.class-central.com/)
* Search engine for MooCs
### General Classes
@ -60,8 +60,6 @@ These classes are all focused on computer/information security. If you're lookin
* Free Coursera Course
* About this course: This course gives you easy access to the invaluable learning techniques used by experts in art, music, literature, math, science, sports, and many other disciplines. We’ll learn about the how the brain uses two very different learning modes and how it encapsulates (“chunks”) information. We’ll also cover illusions of learning, memory techniques, dealing with procrastination, and best practices shown by research to be most effective in helping you master tough subjects.
[ENISA CERT Exercises and Training](http://www.enisa.europa.eu/activities/cert/support/exercise)
* ENISA CERT Exercises and training material was introduced in 2008, in 2012 and 2013 it was complemented with new exercise scenarios containing essential material for success in the CERT community and in the field of information security. In this page you will find the ENISA CERT Exercise material, containing Handbook for teachers, Toolset for students and Virtual Image to support hands on training sessions.


+ 7
- 2
Draft/Cryptography & Encryption.md

@ -19,7 +19,6 @@
https://conversations.im/xeps/multi-end.html
### End Cull
@ -71,6 +70,12 @@ https://conversations.im/xeps/multi-end.html
[CBC Byte Flipping Attack—101 Approach](http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/)
[Demystifying the Signal Protocol for End-to-End Encryption (E2EE)](https://medium.com/@justinomora/demystifying-the-signal-protocol-for-end-to-end-encryption-e2ee-ad6a567e6cb4)
[A Formal Security Analysis of the Signal Messaging Protocol - Oct2016](https://eprint.iacr.org/2016/1013.pdf)
### <a name="blogs">Blogposts/Misc(doesnt explicitly fit in other sections)</a>
@ -95,7 +100,7 @@ https://conversations.im/xeps/multi-end.html
### <a name="presentation">Presentations/Talks</a>
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)
[SHA2017 Conference Videos](https://www.youtube.com/channel/UCHmPMdU0O9P_W6I1hNyvBIQ/videos)
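Review bot: **SHA2017 Conference Videos** links the whole conference channel rather than a cryptography talk, so it sits oddly under Presentations/Talks in the cryptography file; elsewhere in this commit individual SHA2017 talks are filed by topic (Car Hacking, Fuzzing), which is the better pattern. Either pick out the crypto talks or move the channel link to a general conferences section.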


+ 3
- 2
Draft/Documentation & Reports -.md

@ -73,7 +73,6 @@ Three parter from jacobian.org:
[Teach Technical Writing in Two Hours per Week](http://www.cs.tufts.edu/~nr/pubs/two-abstract.html)
[Learn Technical Writing in Two Hours per Week - Norman Ramsey](http://www.cs.tufts.edu/~nr/pubs/learn-two.pdf)
[Report Template from vulnerabilityassessment.co.uk](http://www.vulnerabilityassessment.co.uk/report%20template.html)
[Penetration Testing Execution Standard section on Reporting](http://www.pentest-standard.org/index.php/Reporting)
@ -83,10 +82,12 @@ Three parter from jacobian.org:
[Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)
[SANS InfoSec Policy Templates](https://www.sans.org/security-resources/policies/)
| **HowTo: Write pentest reports the easy way** | http://blog.dornea.nu/2014/05/20/howto-write-pentest-reports-the-easy-way/
[HowTo: Write pentest reports the easy way](http://blog.dornea.nu/2014/05/20/howto-write-pentest-reports-the-easy-way/)
[The 7 Rules for Writing World Class Technical Documentation](http://www.developer.com/tech/article.php/3848981/The-7-Rules-for-Writing-World-Class-Technical-Documentation.htm)
[Learning the Ropes 101: Stay Beautiful, Stay Verbose](https://blog.zsec.uk/stay-beautiful-stay-verbose/)
### <a name="meta">Meta</a>


+ 12
- 0
Draft/Embedded Device & Hardware Hacking -.md

@ -75,6 +75,18 @@ http://greatscottgadgets.com/infiltrate2013/
[Can a connected USB device read all data from the USB bus?](https://security.stackexchange.com/questions/37927/can-a-connected-usb-device-read-all-data-from-the-usb-bus?rq=1)
[Introduction to Glitch Attacks](https://wiki.newae.com/Tutorial_A2_Introduction_to_Glitch_Attacks_(including_Glitch_Explorer))
* This advanced tutorial will demonstrate clock glitch attacks using the ChipWhisperer system. This will introduce you to many required features of the ChipWhisperer system when it comes to glitching. This will be built on in later tutorials to generate voltage glitching attacks, or when you wish to attack other targets.
[Hacking Voting Machines at DEF CON 25](https://blog.horner.tj/post/hacking-voting-machines-def-con-25)
[dc25-votingvillage-report](https://github.com/josephlhall/dc25-votingvillage-report/blob/master/notes-from-folks-redact.md)
[dc25-votingvillage-report](https://github.com/josephlhall/dc25-votingvillage-report)
* A report to synthesize findings from the Defcon 25 Voting Machine Hacking Village
### General Talks/Presentations


+ 7
- 0
Draft/Exfiltration.md

@ -15,6 +15,13 @@ Stunnel
[[Virus] Self-modifying code-short overview for beginners](http://phimonlinemoinhat.blogspot.com/2010/12/virus-self-modifying-code-short.html)
[PlugBot-C2C](https://github.com/redteamsecurity/PlugBot-C2C)
* This is the Command & Control component of the PlugBot project
[Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)
[canisrufus](https://github.com/maldevel/canisrufus)
* A stealthy Python based Windows backdoor that uses Github as a command and control server
https://github.com/sensepost/det
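Review bot: https://github.com/sensepost/det is added as a bare URL with no title or description, unlike canisrufus and PlugBot-C2C directly above it; use the `[title](url)` form plus a one-line bullet so readers know what the tool is without following the link.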


+ 30
- 3
Draft/Exploit Development.md

@ -70,6 +70,33 @@ Corelan Exploit Series
[MS17-010](https://github.com/worawit/MS17-010)
[Breaking the links: Exploiting the linker](https://www.nth-dimension.org.uk/pub/BTL.pdf)
[sRDI](https://github.com/monoxgas/sRDI)
* Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
[WinREPL](https://github.com/zerosum0x0/WinREPL)
* x86 and x64 assembly "read-eval-print loop" shell for Windows
[rappel](https://github.com/yrp604/rappel/)
* Rappel is a pretty janky assembly REPL. It works by creating a shell ELF, starting it under ptrace, then continiously rewriting/running the .text section, while showing the register states. It's maybe half done right now, and supports Linux x86, amd64, armv7 (no thumb), and armv8 at the moment.(As of Aug 2017)
[Modern Windows Exploit Development](http://expdev-kiuhnm.rhcloud.com/download-the-book/)
[radare2 as an alternative to gdb-peda](https://monosource.github.io/2016/10/radare2-peda)
[WinHeap-Explorer](https://github.com/WinHeapExplorer/WinHeap-Explorer)
* The efficient and transparent proof-of-concept tool for heap-based bugs detection in x86 machine code for Windows applications.
[Firmware Exploitation with JEB: Part 1](https://www.pnfsoftware.com/blog/firmware-exploitation-with-jeb-part-1/)
[shadow :: De Mysteriis Dom jemalloc](https://github.com/CENSUS/shadow)
* shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android's libc, Firefox, FreeBSD's libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets: Android 6 and 7 libc (ARM32 and ARM64); Firefox (x86 and x86-64) on Windows and Linux;
[Overview of Android's jemalloc structures using shadow](https://github.com/CENSUS/shadow/blob/master/docs/android_heap.md)
* In this document we explore Android's jemalloc structures using shadow. A simplified view of the heap is presented here. The intention of this document is to get you started with jemalloc structures and shadow's commands.
#### end sort
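Review bot: the **shadow** description is cut off mid-list ("…Firefox (x86 and x86-64) on Windows and Linux;"), so either finish the quoted sentence or end it before the target list. Minor: "continiously" in the rappel bullet should be "continuously".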
@ -374,8 +401,8 @@ I have tried to order the articles by technique and chronology.
* [Defeating the Matasano C++ Challenge](https://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/)
* [Bypassing PaX ASLR protection](https://www.phrack.com/issues.html?issue=59&id=9)
* [Thoughts about ASLR, NX Stack and format string attacks](https://www.nibbles.tuxfamily.org/?p=1190)
* [Return-into-libc without Function Calls](cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes](cr0.org/paper/to-jt-linux-alsr-leak.pdf)
* [Return-into-libc without Function Calls](http://www.cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes](https://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf)
* [Fun With Info-Leaks(DEP+ASLR bypass)](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)/
..* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it's quite nice what can be done with the bug.
* [Exploiting Buffer Overflows On Kernels With Aslr Enabled Using Brute Force On The Stack Layer](http://www.securitytube.net/video/273)
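Review bot: adding the scheme to the two bare-host links (cseweb.ucsd.edu, cr0.org) is the right fix, since Markdown renders a scheme-less target as a relative path. The two context lines that follow are also broken: the Fun With Info-Leaks link has a stray trailing `/` after its closing parenthesis, and its description starts with `..*` instead of an indented `*`, so it will not render as a nested bullet.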
@ -464,7 +491,7 @@ Introduction to Windows Shellcode Development
* [Introduction to Windows shellcode development – Part 2](https://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/)
* [Introduction to Windows shellcode development – Part 3](https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/)
[History and Advances in Windows Shellcode - Phrack 2004](http://phrack.org/issues/62/7.html)


+ 3
- 7
Draft/Frameworks Methodologies.md

@ -11,17 +11,13 @@ Metasploit Framework
[What is Metasploit?](https://www.youtube.com/watch?v=TCPyoWHy4eA)
This website should eventually be your go-to reference for Metasploit: https://metasploit.github.io/
* It is the official “reference” page for the metasploit framework
[Metasploit - github.io](https://metasploit.github.io/)
* It is the official “reference� page for the metasploit framework
[Facts and Myths about AV Evasion with the Metasploit Framework](http://schierlm.users.sourceforge.net/avevasion.html)
[MSF/Meterpreter cmd reference](http://hacking-class.blogspot.com/2011/08/metasploit-cheat-sheet-metasploit.html)
[Empire - Powershell Post-Exploitation Agent](http://www.powershellempire.com/)
* Empire is a pure PowerShell post-exploitation agent built on cryptologically-secure communications and a flexible architecture. Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework.
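Review bot: the replacement Metasploit reference line introduces a mojibake character: the removed text read "official “reference” page" and the added text reads "official “reference� page". This looks like the file being re-saved with the wrong encoding; restore the closing curly quote (or use plain ASCII quotes) before merging.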
@ -132,7 +128,7 @@ Windows exploitation framework composed of Powershell modules
Veil-Pillage is a modular post-exploitation framework that integrates with Veil-Evasion for payload generation.
[Veil Power-View[](https://github.com/Veil-Framework/Veil-PowerView/)
* Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. Veil-PowerViews code is located at
* Veil-PowerView is a powershell tool to gain network situational awareness on Windows domains. Veil-PowerView’s code is located at
[DomainTrustExplorer](https://github.com/sixdub/DomainTrustExplorer)
* Python script for analyis of the "Trust.csv" file generated by Veil PowerView. Provides graph based analysis and output. The graph output will represent access direction (opposite of trust direction)
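Review bot: the only change to the Veil-PowerView bullet is the apostrophe in "Veil-PowerView’s", but both versions end with the dangling "code is located at" and no location follows; either finish the sentence with the repository URL already used in the link above or drop the fragment. That link line, `[Veil Power-View[](https://github.com/Veil-Framework/Veil-PowerView/)`, also has `[` where `]` belongs, so it renders as broken Markdown. Minor: "analyis" in the DomainTrustExplorer bullet should be "analysis".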


+ 2
- 0
Draft/Fuzzing Bug Hunting.md

@ -174,6 +174,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Practical File Format Fuzzing](http://www.irongeek.com/i.php?page=videos/derbycon3/3301-practical-file-format-fuzzing-jared-allar)
* File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discovery vulnerabilities in file parsers.
[Improving security with Fuzzing and Sanitizers](https://media.ccc.de/v/SHA2017-148-improving_security_with_fuzzing_and_sanitizers)
* A bug in Gstreamer could be used to own a Linux Desktop system. TCPDump released a security update fixing 42 CVEs. We have far too many security critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them.


+ 74
- 21
Draft/Interesting Things Useful stuff.md

@ -20,9 +20,23 @@ TOC
#### To Sort
* sort and break into policy/high level/ vs interesting things
[U.S. Department of Health and Human Services Office for Civil Rights Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information](https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf)
[Webrecorder](https://webrecorder.io/)
* Create high-fidelity, interactive web archives of any web site you browse
[pdf-bot](https://github.com/esbenp/pdf-bot)
* 🤖 A Node queue API for generating PDFs using headless Chrome. Comes with a CLI, S3 storage and webhooks for notifying subscribers about generated PDFs
[symbolhound](http://symbolhound.com/)
* SymbolHound is a search engine that doesn't ignore special characters. This means you can easily search for symbols like &, %, and π. We hope SymbolHound will help programmers find information about their chosen languages and frameworks more easily.
[Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html)
https://www.youtube.com/watch?v=h92vmwg9Tyc
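Review bot: https://www.youtube.com/watch?v=h92vmwg9Tyc is added as a bare URL with no title, so nobody can tell what the video is from the list; and the **Windows Commands Abused by Attackers** link duplicates the one this commit adds to Draft/Basic Security Information.md, so keep a single copy.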
@ -33,18 +47,34 @@ http://spth.virii.lu/articles.htm
[LuxBase](https://github.com/kienankb/LuxBase)
| **Simplifying the Business Bar Coded Boarding Pass Implementation Guide** | http://www.iata.org/whatwedo/stb/documents/bcbp_implementation_guidev4_jun2009.pdf
| **Whats contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **What’s contained in a boarding pass barcode?** | https://shaun.net/posts/whats-contained-in-a-boarding-pass-barcode
| **Universal Extractor** - Universal Extractor is a program designed to decompress and extract files from any type of archive or installer, such as ZIP or RAR files, self-extracting EXE files, application installers, etc | http://www.legroom.net/software/uniextract
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
[Your Project from Idea to Reality](http://www.slideshare.net/maltman23/your-project-from-idea-to-reality)
[Beyond Information Warfare: You aint seen nothing yet - Winn Scwartau](http://www.irongeek.com/i.php?page=videos/derbycon3/2206-beyond-information-warfare-you-ain-t-seen-nothing-yet-winn-schwartau)
[Bootstrapping A Security Research Project Andrew Hay](https://www.youtube.com/watch?v=gNU2J-IcK4E)
* It has become increasingly common to see a headline in the mainstream media talking about the latest car, television, or other IoT device being hacked (hopefully by a researcher). In each report, blog, or presentation, we learn about the alarming lack of security and privacy associated with the device's hardware, communications mechanisms, software/app, and hosting infrastructure in addition to how easy it might be for an attacker to take advantage of one, or multiple, threat vectors. The truth is, anyone can perform this kind of research if given the right guidance. To many security professionals, however, the act of researching something isn,t the problem...it's what to research, how to start, and when to stop. Academics think nothing of researching something until they feel it's "done" (or their funding/tenure runs out). Security professionals, however, often do not have that luxury. This session will discuss how to research, well, ANYTHING. Proven methods for starting, continuing, ending, leading, and collaborating on reproducible research will be discussed - taking into account real-world constraints such as time, money, and a personal life. We will also discuss how to generate data, design your experiments, analyze your results, and present (and in some cases defend) your research to the public.
[Killing you softly Josh Bressers](http://www.irongeek.com/i.php?page=videos/circlecitycon2016/302-killing-you-softly-josh-bressers)
* The entire security industry has a serious skill problem. We,re technically able, but we have no soft skills. We can,t talk to normal people at all. We can barely even talk to each other, and it's killing our industry. Every successful industry relies on the transfer of skills from the experienced to the inexperienced. Security lacks this today. If I asked you how you learned what you know about security, what would your answer be? In most cases you learned everything you know on your own. There was minimal learning from someone else. This has left us with an industry full of magicians, but even worse it puts us in a place where there is no way to transfer skill and knowledge from one generation to the next. Magicians don,t scale. If we think about this in the context of how we engage non security people it's even worse! Most non security people have no idea what security is, what security does, or even why security is important. It's easy to laugh at the horrible security problems almost everything has today, but in reality we,re laughing at ourselves. Historically we,ve blamed everything else for this problem when in reality it's 100% our fault. One of the our great weaknesses is failing to get the regular people to understand security and why it's important. This isn,t a surprise if you think about how the industry communicates. We can barely talk to each other, how can we possibly talk to someone who doesn,t know anything about security? Normal people are confused and scared, they want to do the right thing but they have no idea what that is. The future leaders in security are going to have to be able to teach and talk to their security peers, but more importantly they will have to engage everyone else. Security is being paid attention to like never before, and yet we have nothing to say to anyone. What has changed in the last few years? If we don,t do our jobs, someone else will do them for us, and we,re not going to like the results. 
Security isn,t a technical problem, technical problems are easy, security is a communication problem. Communications problems are difficult. Let's figure out how we can fix that.
[Medical Device Law: Compliance Issues, Best Practices and Trends - American Bar Association](https://www.americanbar.org/content/dam/aba/events/cle/2015/10/ce1510mdm/ce1510mdm_interactive.authcheckdam.pdf)
[Virtualization Based Security - Part 2: kernel communications](http://blog.amossys.fr/virtualization-based-security-part2.html)
[recap](https://github.com/rackerlabs/recap)
* recap is a reporting script that generates reports of various information about the server.
[NSARCHIVE - The Cyber Vault](http://nsarchive.gwu.edu/cybervault/)
* An online resource documenting cyber activities of the U.S. and foreign governments as well as international organizations.
[“Considered Harmful� Essays Considered Harmful](http://meyerweb.com/eric/comment/chech.html)
[Detecting Automation of Twitter Accounts:Are You a Human, Bot, or Cyborg](http://www.cs.wm.edu/~hnw/paper/tdsc12b.pdf)
[QR Code interesting](http://datagenetics.com/blog/november12013/index.html)
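Review bot: the talk abstracts added in this hunk have apostrophes replaced by commas ("isn,t" in the Bootstrapping bullet; "We,re", "can,t", "Magicians don,t scale" in Killing you softly), and the Killing you softly abstract is split across two lines so its last sentence ("Security isn,t a technical problem…") falls outside the bullet. The **“Considered Harmful� Essays Considered Harmful** title also carries a replacement character where the closing quote belongs. Re-paste these as UTF-8 text and join the split bullet.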
@ -97,14 +127,14 @@ http://www.securitywizardry.com/radar.htm
[[TROOPERS15] Andreas Lindh - Defender Economics](https://www.youtube.com/watch?v=mAP38Xy52X0)
[Alexseys TTPs](https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551#.y2krgov7t)
[Alexsey’s TTPs](https://medium.com/@chrismcnab/alexseys-ttps-1204d9050551#.y2krgov7t)
* Short writeup on large breaches(Short: Shit ain't secure.)
[The Distribution of Users Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
[The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
[Infosec Podcasts](http://www.getmon.com/)
[What happens when](https://github.com/alex/what-happens-when)
[What happens when…](https://github.com/alex/what-happens-when)
* An attempt to answer the age old interview question "What happens when you type google.com into your browser and press enter?"
[Encyclopedia of things considered harmful](http://harmful.cat-v.org/)
@ -166,7 +196,7 @@ http://www.securitywizardry.com/radar.htm
[Underhanded C contest](http://underhanded-c.org/)
[DIY Nukeproofing: A New Dig at “Data-Mining”](https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-3alarmlampscooter-DIY-Nukeproofing.pdf)
[DIY Nukeproofing: A New Dig at “Data-Mining�](https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/DEFCON-23-3alarmlampscooter-DIY-Nukeproofing.pdf)
[How They Did It: An Analysis of Emission Defeat Devices in Modern Automobiles](https://www.ieee-security.org/TC/SP2017/papers/101.pdf)
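Review bot: this change swaps a correct closing quote for a replacement character, "“Data-Mining”" becoming "“Data-Mining�"; revert it. It is the same encoding regression as the Metasploit line in Draft/Frameworks Methodologies.md, which suggests the editor used for this commit is not saving UTF-8 consistently.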
@ -189,7 +219,7 @@ http://www.securitywizardry.com/radar.htm
[Evaluating the APT Armor - Matthias Luft, Felix Wilhelm](https://www.youtube.com/watch?v=3vh2s9Pui0E)
[Psychology of Security - Stefan Schumacher - Trooper14](https://www.youtube.com/watch?v=vZKAi4RAIvA)
* In this talk I will introduce the Institutes research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
* In this talk I will introduce the Institute’s research programme about the Psychology of Security. We are going to research the psychological basics of IT security, including: How do people experience IT security? How are they motivated? How do they learn? Why do people tend to make the same mistakes again and again (Buffer Overflow, anyone?)? What can we do to prevent security incidents? Which curricula should be taught about IT security?
[You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
@ -225,11 +255,11 @@ http://www.securitywizardry.com/radar.htm
[Real-life experiences in avionics security assessment (A. Barisani)](https://www.youtube.com/watch?v=xtSmPgXw34I&feature=youtu.be&app=desktop)
[Software Supply Chains and the Illusion of Control - Derek Weeks](http://www.irongeek.com/i.php?page=videos/bsidesnova2017/107-software-supply-chains-and-the-illusion-of-control-derek-weeks)
* In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains. Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market. However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh. This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn: - What our analysis of 25,000 applications reveals about the quality and security of software built with open source components - How organizations like Mayo Clinic, Exxon, Capital One, the U.S. 
FDA and Intuit are utilizing the principles of software supply chain automation to improve application security - Why avoiding open source components over 3 years old might be a really good idea - How to balance the need for speed with quality and security -- early in the development lifecycle We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly. Attend this session and gain insight as to how your organizations application development practices compare to others. I'll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams.
* In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains. Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market. However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh. This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn: - What our analysis of 25,000 applications reveals about the quality and security of software built with open source components - How organizations like Mayo Clinic, Exxon, Capital One, the U.S. 
FDA and Intuit are utilizing the principles of software supply chain automation to improve application security - Why avoiding open source components over 3 years old might be a really good idea - How to balance the need for speed with quality and security -- early in the development lifecycle We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly. Attend this session and gain insight as to how your organization’s application development practices compare to others. I'll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams.
[303 Hacks Lies Nation States Mario DiNatale](https://www.youtube.com/watch?v=nyh_ORq1Qwk)
[Paul Rascagneres - Modern Reconnaissance Phase by APT Protection Layer](https://www.youtube.com/watch?v=4JVrK7bRKb0&index=10&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
[Paul Rascagneres - Modern Reconnaissance Phase by APT – Protection Layer](https://www.youtube.com/watch?v=4JVrK7bRKb0&index=10&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
[BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)](https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html)
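Review bot: the opening sentence of the description at the top of this hunk is missing its noun ("across 3,000 organizations and 25,000."); the same paragraph later says "25,000 applications", so complete it the same way. Also, the "Modern Reconnaissance Phase by APT" talk appears on two adjacent lines that differ only by the dash ("APT Protection Layer" vs "APT – Protection Layer"); if both are kept in the result the talk is listed twice. The "303 Hacks Lies Nation States Mario DiNatale" line is the same talk that the next hunk adds as "Hacks, Lies, & Nation States - Mario DiNatale - ANYCON 2017" with an irongeek URL, so a single entry carrying both links would be cleaner.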
@ -241,8 +271,16 @@ http://www.securitywizardry.com/radar.htm
* When do you ? and other coders, hackers, developers, and tinkerers ? think or worry about the law? If your answer is, ?Not very often,? then this talk is for you. We all need to think about the law. And it?s not just privacy, or computer fraud, or even anti-circumvention law, that we should think about. We need to think about law as a whole and how it can help us do or stop us from doing what we want to do. This talk will start with a broad overview of the ways in which we implicate law when we do what we do, and then will focus on what that means for us and the broader implications that can arise from our various activities. Do you think the law would stop you from doing what you want to do or punish you for doing it? It might, but it also might not. If you think it does, do you think you should be able to do what you want to do? If you do, then we need to hack the law, and to do that we?ll need to talk to the legal coders, those writers of our cultural software. This talk will tackle not only law and working with code, but also why it matters for us to be aware of the law and engaged in improving it.
[Richard Thieme - The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals](https://www.youtube.com/watch?v=0MzcPBAj88A&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people� use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
[Game of Drones - Brown,Latimer - Defcon25](https://www.youtube.com/watch?v=iG7hUE2BZZo)
* We’ve taken a MythBusters-style approach to testing the effectiveness of a variety of drone defense solutions, pitting them against our DangerDrone. Videos demonstrating the results should be almost as fun for you to watch as they were for us to produce. Expect to witness epic aerial battles against an assortment of drone defense types
[Hacks, Lies, & Nation States - Mario DiNatale - ANYCON 2017](http://www.irongeek.com/i.php?page=videos/anycon2017/303-hacks-lies-nation-states-mario-dinatale)
* A hilarious and non-technical skewering of the current state of Cybersecurity, the Cybersecurity
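Review bot: the rewritten Richard Thieme description (the second copy of the two "Dismissing or laughing off concerns..." paragraphs) is identical to the first copy except that the closing quote in “normal people” has become a U+FFFD replacement character (“normal people�), so the edit only introduces a broken character; keep the original closing quote and make sure the file is saved as UTF-8. Two smaller points in the same hunk: the description at the top ("When do you ? and other coders ... ?Not very often,? ... it?s") has its quotes and dashes replaced by "?" and has no link line above it naming the talk, and the last line ("A hilarious and non-technical skewering of the current state of Cybersecurity, the Cybersecurity") is cut off mid-sentence.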
@ -258,7 +296,7 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[Palinopsia - Is your VirtualBox reading your E-Mail? Reconstruction of FrameBuffers from VRAM](https://hsmr.cc/palinopsia/)
[Exploiting the DRAM rowhammer bug to gain kernel privileges](http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html)
* "Rowhammer is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
* "Rowhammer� is a problem with some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows. We tested a selection of laptops and found that a subset of them exhibited the problem. We built two working privilege escalation exploits that use this effect. One exploit uses rowhammer-induced bit flips to gain kernel privileges on x86-64 Linux when run as an unprivileged userland process. When run on a machine vulnerable to the rowhammer problem, the process was able to induce bit flips in page table entries (PTEs). It was able to use this to gain write access to its own page table, and hence gain read-write access to all of physical memory.
[Program for testing for the DRAM "rowhammer" problem](https://github.com/google/rowhammer-test)
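Review bot: the only difference between the old and new Rowhammer description lines is that `"Rowhammer` becomes `"Rowhammer�`, i.e. the change inserts a U+FFFD replacement character where a closing quote was intended. Write `"Rowhammer"` with an ASCII closing quote instead (the quotation opened at the start of the paragraph is also never closed at its end).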
@ -266,7 +304,7 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[If it fits - it sniffs: Adventures in WarShipping](http://www.irongeek.com/i.php?page=videos/derbycon4/t104-if-it-fits-it-sniffs-adventures-in-warshipping-larry-pesce)
[A Look In the Mirror: Attacks on Package Managers](https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf)
@ -351,6 +389,21 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[Wayback scraper](https://github.com/abrenaut/waybackscraper)
[WizTree](http://www.majorgeeks.com/files/details/wiztree.html)
* WizTree is a disk space analyzer that will quickly scan your entire hard drive and shows you which files and folders are using the most disk space. WizTree obtains information by directly scanning the MFT file, so it can only work with local (directly attached) drives formatted with the NTFS file system. It won't work with network drives, substituted drives or non-NTFS formatted drives. We may add support for other drive types in the future if there's enough demand.
[CyberChef - GCHQ](https://github.com/gchq/CyberChef)
* CyberChef is a simple, intuitive web app for carrying out all manner of "cyber" operations within a web browser. These operations include simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, creating binary and hexdumps, compression and decompression of data, calculating hashes and checksums, IPv6 and X.509 parsing, changing character encodings, and much more.
[gibbersense](https://github.com/smxlabs/gibbersense)
* Extract Sense out of Gibberish stuff
[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
[recap](https://github.com/rackerlabs/recap)
* recap is a reporting script that generates reports of various information about the server.
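Review bot: the recap description at the end of this hunk ("generates reports of various information about the server") says nothing about what the script actually collects, so a reader cannot tell it apart from any other reporting tool; one sentence on what it reports would make the entry useful. The "Wayback scraper" entry at the top of the hunk is the only one of the new entries without a description line at all.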
@ -403,7 +456,7 @@ Underhanded C
[OSINT Through Sender Policy Framework Records](https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records)
[Smart TV Security - #1984 in 21 st century](https://cansecwest.com/slides/2013/SmartTV%20Security.pdf)
* This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as theyre not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
* This talk is more about security bugs and rootkits than about firmware for TVs. This talk more covers rootkits than security bugs and exploitation thereof, as they’re not different to traditional techniques. This talk is about general security issues of all Smart TV vendors.
[Postcards from a Post-XSS World - Michael Zalewski](http://lcamtuf.coredump.cx/postxss/#dangling-markup-injection)
* This page is a rough collection of notes on some of the fundamental alternatives to direct script injection that would be available to attackers following the universal deployment of CSP or other security mechanisms designed to prevent the execution of unauthorized scripts. I hope to demonstrate that in many cases, the capabilities offered by these alternative methods are highly compatible with the goals of contemporary XSS attacks.
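Review bot: the Smart TV Security line is rewritten only to turn "theyre" into "they’re", but its first two sentences contradict each other ("more about security bugs and rootkits than about firmware" versus "more covers rootkits than security bugs"); since the line is being edited anyway, trim it to the final sentence, which is the one that states the talk's scope.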
@ -414,7 +467,7 @@ Underhanded C
[More on Using Bash's Built-in /dev/tcp File (TCP/IP)](http://www.linuxjournal.com/content/more-using-bashs-built-devtcp-file-tcpip More on Using Bash's Built-in /dev/tcp File (TCP/IP))
[Chinas Great Cannon](https://citizenlab.org/2015/04/chinas-great-cannon/) * This post describes our analysis of China’s “Great Cannon,” our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.
[China’s Great Cannon](https://citizenlab.org/2015/04/chinas-great-cannon/) * This post describes our analysis of China’s “Great Cannon,� our term for an attack tool that we identify as separate from, but co-located with, the Great Firewall of China. The first known usage of the Great Cannon is in the recent large-scale novel DDoS attack on both GitHub and servers used by GreatFire.org.
[Exploiting Android Users for Fun and Profit](http://www.codeword.xyz/2015/08/09/exploiting-android-users-for-fun-and-profit/)
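Review bot: the rewritten Great Cannon line again introduces a U+FFFD replacement character after "Great Cannon," in place of the closing quote; revert to the clean quote or use an ASCII one. The entry also keeps the link and its description on one line joined by " * " instead of the separate bullet line used everywhere else in the file. The unchanged Linux Journal entry just above it has the article title pasted inside the URL parentheses after the address, so its markdown link target is broken and worth fixing while this region is being touched.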
@ -431,7 +484,7 @@ Underhanded C
[Locking Your Registry Keys for Fun and, Well, Just Fun I Guess](https://tyranidslair.blogspot.co.uk/2017/07/locking-your-registry-keys-for-fun-and.html)
[How to Steal a Nuclear Warhead Without Voiding Your XBox Warranty (paper)](https://www.scribd.com/document/47334072/How-to-Steal-a-Nuclear-Warhead-Without-Voiding-Your-XBox-Warranty-paper)
@ -447,7 +500,7 @@ Underhanded C
[Wars Within](http://uninformed.org/?v=all&a=26&t=sumry)
* In this paper I will uncover the information exchange of what may be classified as one of the highest money making schemes coordinated by 'organized crime'. I will elaborate on information gathered from a third party individual directly involved in all aspects of the scheme at play. I will provide a detailed explanation of this market's origin, followed by a brief description of some of the actions strategically performed by these individuals in order to ensure their success. Finally, I will elaborate on real world examples of how a single person can be labeled a spammer, malware author, cracker, and an entrepreneur gone thief. For the purposes of avoiding any legal matters, and unwanted media, I will refrain from mentioning the names of any individuals and corporations who are involved in the schemes described in this paper.
[The Eavesdroppers Dillemma](http://www.crypto.com/papers/internet-tap.pdf)
[The Eavesdropper’s Dillemma](http://www.crypto.com/papers/internet-tap.pdf)
[Mov is turing ocmplete](http://www.cl.cam.ac.uk/~sd601/papers/mov.pdf)
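Review bot: "Dillemma" is misspelled in both the old and the new "The Eavesdropper’s Dillemma" lines; since the line is being rewritten for the apostrophe, correct it to "Dilemma" in the same edit. The next entry, "Mov is turing ocmplete", has a transposition and should read "Mov is Turing complete".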
@ -455,7 +508,7 @@ Underhanded C
[Thousands of MongoDB installations on the net unprotected](http://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf)
[Why Qubes doesnt work on Windows.](http://www.invisiblethingslab.com/resources/2014/A%20crack%20on%20the%20glass.pdf)
[Why Qubes doesn’t work on Windows.](http://www.invisiblethingslab.com/resources/2014/A%20crack%20on%20the%20glass.pdf)
[Towards Optimization-Safe Systems: Analyzing the Impact of Undefined Behavior](http://pdos.csail.mit.edu/~xi/papers/stack-sosp13.pdf)
* This paper studies an emerging class of software bugs called optimization-unstable code: code that is unexpectedly discarded by compiler optimizations due to undefined behavior in the program. Unstable code is present in many systems, including the Linux kernel and the Postgres database. The consequences of unstable code range from incorrect functionality to missing security checks. To reason about unstable code, this paper proposes a novel model, which views unstable code in terms of optimizations that leverage undefined behavior. Using this model, we introduce a new static checker called Stack that precisely identifies unstable code. Applying Stack to widely used systems has uncovered 160 new bugs that have been confirmed and fixed by developers
@ -481,10 +534,10 @@ Underhanded C
[Ceremony Design and Analysis](http://eprint.iacr.org/2007/399.pdf)
* Abstract: The concept of Ceremony is introduced as an extension of the concept of network protocol, with human nodes alongside computer nodes and with communication links that include UI, human-to-human communication and transfers of physical objects that carry data. What is out-of-band to a protocol is in-band to a ceremony, and therefore subject to design and analysis using variants of the same mature techniques used for the design and analysis of protocols. Ceremonies include all protocols, as well as all applications with a user interface, all workflow and all provisioning scenarios. A secure ceremony is secure against both normal attacks and social engineering. However, some secure protocols imply ceremonies that cannot be made secure.
[Its all about the timing. . . Blackhat talk](https://www.blackhat.com/presentations/bh-usa-07/Meer_and_Slaviero/Whitepaper/bh-usa-07-meer_and_slaviero-WP.pdf)
[It’s all about the timing. . . Blackhat talk](https://www.blackhat.com/presentations/bh-usa-07/Meer_and_Slaviero/Whitepaper/bh-usa-07-meer_and_slaviero-WP.pdf)
* Description: This paper is broken up into several distinct parts, all related loosely to timing and its role in information se- curity today. While timing has long been recognized as an important component in the crypt-analysts arse- nal, it has not featured very prominently in the domain of Application Security Testing. This paper aims at highlighting some of the areas in which timing can be used with great effect, where traditional avenues fail. In this paper, a brief overview of previous timing attacks is provided, the use of timing as a covert channel is examined and the effectiveness of careful timing during traditional web application and SQL injection attacks is demonstrated. The use of Cross Site Timing in bypass- ing the Same Origin policy is explored as we believe the technique has interesting possibilities for turning innocent browsers into bot-nets aimed at, for instance, brute-force attacks against third party web-sites
[Seven Months Worth of Mistakes: A Longitudinal Study of Typosquatting Abuse](https://lirias.kuleuven.be/bitstream/123456789/471369/3/typos-final.pdf)
[Seven Months’ Worth of Mistakes: A Longitudinal Study of Typosquatting Abuse](https://lirias.kuleuven.be/bitstream/123456789/471369/3/typos-final.pdf)
* Abstract: Typosquatting is the act of purposefully registering a domain name that is a mistype of a popular domain name. It is a concept that has been known and studied for over 15 years, yet still thoroughly practiced up until this day. While previous typosquatting studies have always taken a snapshot of the typosquatting landscape or base their longitudinal results only on domain registration data, we present the first content- based , longitudinal study of typosquatting. We collected data about the typosquatting domains of the 500 most popular sites of the Internet every day, for a period of seven months, and we use this data to establish whether previously discovered typosquatting trends still hold today, and to provide new results and insights in the typosquatting landscape. In particular we reveal that, even though 95% of the popular domains we investigated are actively targeted by typosquatters, only few trademark owners protect themselves against this practice by proactively registering their own typosquatting domains. We take advantage of the longitudinal aspect of our study to show, among other results, that typosquatting domains change hands from typosquatters to legitimate owners and vice versa, and that typosquatters vary their monetization strategy by hosting different types of pages over time. Our study also reveals that a large fraction of typosquatting domains can be traced back to a small group of typosquatting page hosters and that certain top-level domains are much more prone to typosquatting than others
[RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](http://www.tau.ac.il/~tromer/acoustic/)
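Review bot: the two edited lines in this hunk only add apostrophes ("It’s all about the timing", "Seven Months’ Worth"), while the descriptions under them still carry PDF line-break hyphenation: "se- curity", "crypt-analysts arse- nal", "bypass- ing" in the timing paper's description and "content- based ," in the typosquatting abstract. Join those words while this region is being edited; both descriptions also end without a period.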


+ 34
- 14
Draft/Malware.md View File

@ -27,24 +27,36 @@ https://motherboard.vice.com/read/preserving-the-ancient-art-of-getting-pwned
http://www.exposedbotnets.com/?m=0
[malboxes](https://github.com/GoSecure/malboxes)
f* Builds malware analysis Windows VMs so that you don't have to.
[PlugBot-C2C](https://github.com/redteamsecurity/PlugBot-C2C)
* This is the Command & Control component of the PlugBot project
[hiddentear](https://github.com/goliate/hidden-tear)
* It's a ransomware-like file crypter sample which can be modified for specific purposes.
https://brycampbell.co.uk/new-blog/
https://archive.is/Nol3S
[Hiding in Plain Sight: Advances in malware covert communication channels - BH2015 Pierre-Marc Bureau, Christian Dietrich](https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels-wp.pdf)
[rVMI - A New Paradigm For Full System Analysis](https://github.com/fireeye/rvmi)
* rVMI is a debugger on steroids. It leverages Virtual Machine Introspection (VMI) and memory forensics to provide full system analysis. This means that an analyst can inspect userspace processes, kernel drivers, and preboot environments in a single tool. It was specifially designed for interactive dynamic malware analysis. rVMI isolates itself from the malware by placing its interactive debugging environment out of the virtual machine (VM) onto the hypervisor-level. Through the use of VMI the analyst still has full control of the VM, which allows her to pause the VM at any point in time and to use typical debugging features such as breakpoints and watchpoints. In addtion, rVMI provides access to the entire Rekall feature set, which enables an analyst to inspect the kernel and its data structures with ease.
[PyTrigger: A System to Trigger & Extract User-Activated Malware Behavior](http://cs.gmu.edu/~astavrou/research/PyTrigger_ARES2013.pdf)
* Abstract: We introduce PyTrigger, a dynamic malware analy- sis system that automatically exercises a malware binary extract- ing its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the con- text makes the playback more accurate and avoids dependenciesand pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples
[Code Injection Techniques -2013](http://resources.infosecinstitute.com/code-injection-techniques/)
[PowerLoaderEX](https://github.com/BreakingMalware/PowerLoaderEx)
[BasicHook](https://github.com/MalwareTech/BasicHook)
* x86 Inline hooking engine (using trampolines)
[VirtualBox Detection Via WQL Queries](http://waleedassar.blogspot.com/)
[Bypassing VirtualBox Process Hardening on Windows](https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html)
* This blog post will describe the implementation of Oracle’s VirtualBox protected process and detail three different, but now fixed, ways of bypassing the protection and injecting arbitrary code into the process. The techniques I’ll present can equally be applied to similar implementations of “protected” processes in other applications.
[VBoxHardenedLoader](https://github.com/hfiref0x/VBoxHardenedLoader)
* VirtualBox VM detection mitigation loader
##### END Sort
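Review bot: the malboxes entry has a stray "f" in front of its bullet ("f* Builds malware analysis Windows VMs"), and the same entry with the same stray character is added a second time further down this file in the hunk at line 395. The "Hiding in Plain Sight" Black Hat paper is likewise added twice in this file (here and in the hunk at line 161); one copy of each is enough. Typos in the rVMI description: "specifially" and "addtion". The PyTrigger abstract carries PDF hyphenation ("analy- sis", "extract- ing", "con- text") and a missing space in "dependenciesand".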
@ -122,7 +134,7 @@ https://archive.is/Nol3S
[Android/Beita.A malware analysis](http://www.jamesejr.com/android-beita-malware-analysis/)
[Trojan.Foxy writeup](http://www.cyberesi.com/2011/08/31/trojan-foxy/?ModPagespeed=noscrip
[Trojan.Foxy writeup](http://www.cyberesi.com/2011/08/31/trojan-foxy/)
* Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based off of the Vigenère cipher; however there is a deviation in how the cipher is applied.
[Uroburos](https://blog.gdatasoftware.com/blog/article/uroburos-highly-complex-espionage-software-with-russian-roots.html)
@ -135,7 +147,7 @@ https://archive.is/Nol3S
[Full details on CVE-2015-0096 and the failed MS10-046 Stuxnet fix](http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VP9cTDTF-PU)
[ How exploit packs are concealed in a Flash object](https://securelist.com/analysis/publications/69727/how-exploit-packs-are-concealed-in-a-flash-object/?utm_content=buffer5de59&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)
[How exploit packs are concealed in a Flash object](https://securelist.com/analysis/publications/69727/how-exploit-packs-are-concealed-in-a-flash-object/?utm_content=buffer5de59&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)
[North Korean Malware Writeup](https://www.codeandsec.com/Supreme-Leaders-Not-That-Supreme-Malwares)
@ -149,6 +161,7 @@ https://archive.is/Nol3S
[Unpacking with OllyBonE](http://www.joestewart.org/ollybone/tutorial.html)
* This is a brief tutorial giving the basic steps to unpack code using the OllyBonE plugin.
[Hiding in Plain Sight: Advances in malware covert communication channels - BH2015 Pierre-Marc Bureau, Christian Dietrich](https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels-wp.pdf)
[Thousand ways to backdoor a Windows domain (forest)](http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html)
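Review bot: the added "Hiding in Plain Sight: Advances in malware covert communication channels" line duplicates the entry already added near the top of this file in the first hunk (just above "END Sort"); keep one of the two.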
@ -215,7 +228,7 @@ Contagio/Contagio mobile
[Cuckoo-Droid](https://github.com/i[danr1986/cuckoo-droid/blob/master/README.md)
* CuckooDroid is an extension of Cuckoo Sandbox the Open Source software for automating analysis of suspicious files, CuckooDroid brigs to cuckoo the capabilities of execution and analysis of android application.
[List of autorun keys / malware persistence Windows registry entries](https://www.peerlyst.com/posts/list-of-autorun-keys-malware-persistence-windows-registry-entries-benjamin-infosec)
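Review bot: the Cuckoo-Droid link target contains a stray "[" ("github.com/i[danr1986/..."), which breaks the URL; the description also has "brigs" for "brings" and runs two sentences together after "Cuckoo Sandbox".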
@ -382,7 +395,8 @@ http://www.cybersquared.com/2012/06/malware-analysis-lab-a-fast-and-cost-effecti
[Awesome Guide to building a VM for anonymous Malware Analysis and Reverse Engineering](https://www.codeandsec.com/Building-Ultimate-Anonymous-Malware-Analysis-and-Reverse-Engineering-Machine)
[malboxes](https://github.com/GoSecure/malboxes)
f* Builds malware analysis Windows VMs so that you don't have to.
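Review bot: malboxes is added here a second time (it is already added in the first hunk of this file), again with the stray "f" before the bullet ("f* Builds malware analysis Windows VMs"); drop one copy and the stray character.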
@ -628,6 +642,12 @@ Duping the Machine: malware strategies, post sandbox detection
[The Economics of Exploit Kits & E-Crime](http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense03-the-economics-of-exploit-kits-e-crime-adam-hogan)
* I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
[The Economics of Exploit Kits & E-Crime](http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense03-the-economics-of-exploit-kits-e-crime-adam-hogan)
* I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
[Injection on Steroids: Code-less Code Injections and 0-Day Techniques](https://breakingmalware.com/injection-techniques/code-less-code-injections-and-0-day-techniques/)
[BG00 Injection on Steroids Code less Code Injections and 0 Day Techniques Paul Schofield Udi Yavo](https://www.youtube.com/watch?v=0BAaAM2wD4s)
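Review bot: the "The Economics of Exploit Kits & E-Crime" link and its description are added twice verbatim at the top of this hunk; keep one. In that description "how their sold" should read "how they're sold".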


+ 8
- 0
Draft/Network Attacks & Defenses.md View File

@ -31,6 +31,11 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[Scanning Effectively Through a SOCKS Pivot with Nmap and Proxychains](https://cybersyndicates.com/2015/12/nmap-and-proxychains-scanning-through-a-socks-piviot/)
* [Script](https://github.com/killswitch-GUI/PenTesting-Scripts/blob/master/Proxychains-Nmap.py)
[RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2](https://tools.ietf.org/html/rfc5246)
[Udp2raw-tunnel](https://github.com/wangyu-/udp2raw-tunnel)
* A Tunnel which tunnels UDP via FakeTCP/UDP/ICMP Traffic by using Raw Socket, helps you Bypass UDP FireWalls(or Unstable UDP Environment). Its Encrypted, Anti-Replay and Multiplexed. It also acts as a Connection Stabilizer.)
##### sort end
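Review bot: the Udp2raw-tunnel description ends with an unmatched ")" after "Connection Stabilizer" and "Its Encrypted" should be "It's encrypted"; the capitalisation of "FireWalls" and "Raw Socket" can be normalised at the same time.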
@ -267,6 +272,9 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[SIMPLYEMAIL](https://github.com/killswitch-GUI/SimplyEmail)
* What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
[Swaks - Swiss Army Knife for SMTP](http://www.jetmore.org/john/code/swaks/)
#### Network Host/Service:


+ 7
- 0
Draft/Network Security Monitoring & Logging.md View File

@ -78,6 +78,13 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
[Shellcode Analysis Pipeline](https://7h3ram.github.io/2014/3/18/shellcode-pipeline/)
* I recently required an automated way of analyzing shellcode and verifying if it is detected by Libemu, Snort, Suricata, Bro, etc. Shellcode had to come from public sources like Shell-Storm, Exploit-DB and Metasploit. I needed an automated way of sourcing shellcode from these projects and pass it on to the analysis engines in a pipeline-like mechanism. This posts documents the method I used to complete this task and the overall progress of the project.
[Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response](https://www.sans.org/reading-room/whitepapers/forensics/building-home-network-configured-collect-artifacts-supporting-network-forensic-incident-response-37302)
### <a name="tools">Tools</a>
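Review bot: in the Shellcode Analysis Pipeline description "This posts documents the method" should read "This post documents the method".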


+ 10
- 0
Draft/Open Source Intelligence.md View File

@ -23,6 +23,11 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
* Add list of Sources:
* UCC - Uniform Commercial Code; DOC - Current Industrial Patents; DMV - Vehicle Ownership applications; Patents - Patent DBs; Operating Licenses/Permits; Trade Journals;
* SWOT - Strengths, Weaknesses, Opportunities, Threats
#### End cull
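Review bot: "* Add list of Sources:" reads as a to-do note to the author rather than list content, and the line under it is a half-finished list with inconsistent separators ("UCC - Uniform Commercial Code; DOC - Current Industrial Patents; ... Trade Journals;"). Either expand it into proper entries or keep it out of the committed file until it is.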
@ -142,6 +147,11 @@ A tool to perform various OSINT techniques, aggregate all the raw data, and give
..* user mentions by the the Twitter user and when are occurred (date and time)
..* topics used by the Twitter user
[GoogD0rker](https://github.com/ZephrFish/GoogD0rker)
* GoogD0rker is a tool for firing off google dorks against a target domain, it is purely for OSINT against a specific target domain. Designed for OSX originally however googD0rker txt now works on all nix platforms.
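Review bot: the "..*" prefix on the two nested items ("..* user mentions", "..* topics used") is not markdown list syntax and renders literally; use an indented "  *" instead. The first of them also has a doubled word and a grammar slip ("by the the Twitter user and when are occurred"). The GoogD0rker description is a run-on ("it is purely for OSINT against a specific target domain. Designed for OSX originally however googD0rker txt now works on all nix platforms") and should be split into separate sentences.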


+ 1
- 1
Draft/Password Bruting and Hashcracking.md View File

@ -26,7 +26,6 @@ http://blog.erratasec.com/2011/06/password-cracking-mining-and-gpus.html#.VG3xsp
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
* Wordlists sorted by popularity originally created for password generation and testing
### End cull
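Review bot: this hunk removes a line and leaves the bullet "Wordlists sorted by popularity originally created for password generation and testing" directly under the Ars Technica "how I became a password cracker" link, which it does not describe. If the removed line was the wordlist link, the orphaned description should go with it; otherwise the link should be restored above the bullet.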
@ -75,6 +74,7 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
[HashView](https://github.com/hashview/hashview)
* Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring constiency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.
[Cracking Active Directory Passwords or “How to Cook AD Crack"](https://www.sans.org/reading-room/whitepapers/testing/cracking-active-directory-passwords-how-cook-ad-crack-37940)
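Review bot: "constiency" in the Hashview description should be "consistency". The added "Cracking Active Directory Passwords" title opens with a curly quote and closes with a straight one (“How to Cook AD Crack"); use matching quotes.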


+ 2
- 1
Draft/Phishing.md View File

@ -32,9 +32,10 @@ TOC
[Tab Napping - Phishing](http://www.exploit-db.com/papers/13950/)
[Top 10 Email Subjects for Company Phishing Attacks](http://www.pandasecurity.com/mediacenter/security/top-10-email-subjects-phishing-attacks/)
* Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. It relies on expireddomains.net to obtain a list of expired domains. The domain availability is validated using checkdomain.com
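Review bot: the added description ("Search for categorized domain that can be used during red teaming engagement ... It relies on expireddomains.net") has no link line of its own and sits under the "Top 10 Email Subjects for Company Phishing Attacks" link, which it does not describe; add the tool's title and link line above it so the entry is not attached to the wrong item.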


+ 5
- 0
Draft/Phyiscal Security.md View File

@ -26,6 +26,11 @@ http://www.irongeek.com/i.php?page=videos/derbycon4/t540-physical-security-from-
[Physical Penetration Testing You Keep a Knockin But You Cant Come In Phil Grime](https://www.youtube.com/watch?v=_0gz_iWoMT0)
[Home Insecurity: No Alarms, False Alarms, and SIGINT](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20presentations/Logan%20Lamb/DEFCON-22-Logan-Lamb-HOME-INSECURITY-NO-ALARMS-FALSE-ALARMS-AND-SIGINT-WP.pdf)
* The market share of home security systems has substantially increased as vendors incorporate more desirable features: intrusion detection, automation, wireless, and LCD touch panel controls. Wireless connectivity allows vendors to manufacture cheaper, more featureful products that require little to no home modification to install. Consumer win, since adding devices is easier. The result: an ostensibly more secure, convenient, and connected home for a larger number of citizens. Sadly, this hypothesis is flawed; the idea of covering a home with more security sensors does not translate into a more secure home. Additionally, the number of homes using these vulnerable systems is large, and the growth rate is increasing producing a even larger problem. In this paper, we will demonstrate a generalized approach for compromising three systems: ADT, the largest home security dealer in North America; Honeywell, one of the largest manufacturers of security devices; and Vivint, a top 5 security dealer. We will suppress alarms, create false alarms, and collect artifacts that facilitate tracking the movements of individuals in their homes
### Tools
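Review bot: the Home Insecurity abstract has "producing a even larger problem" (should be "an even larger problem") and is missing its final period after "in their homes". Since the whole bullet is the paper's own abstract, consider marking it as a quote. Separately, the file name "Phyiscal Security.md" is misspelled, though renaming it is outside this hunk.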


+ 5
- 0
Draft/Policy-Compliance.md View File

@ -11,3 +11,8 @@
### General
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
[A Survey of Insider Attack Detection Research - 2008](http://web.stanford.edu/class/cs259d/readings/Insider_survey.pdf)
[The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures](http://web.stanford.edu/class/cs259d/readings/Infrastructure.pdf)

+ 69
- 13
Draft/Privilege Escalation & Post-Exploitation.md View File

@ -35,17 +35,62 @@ http://sdb.tools/talks.html
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating
[injectAllTheThings](https://github.com/fdiskyou/injectAllTheThings/)
* Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
[Inject All the Things - Shut up and hack](http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/)
* Accompanying above project
[PowerLoaderEX](https://github.com/BreakingMalware/PowerLoaderEx)
[Injection on Steroids: Code-less Code Injections and 0-Day Techniques](https://breakingmalware.com/injection-techniques/code-less-code-injections-and-0-day-techniques/)
[Injection on Steroids: Code less Code Injections and 0 Day Techniques - Paul Schofield Udi Yavo](https://www.youtube.com/watch?v=0BAaAM2wD4s)
[Piper](https://github.com/p3nt4/Piper)
* Creates a local or remote port forwarding through named pipes.
[KeeFarce](https://github.com/denandz/KeeFarce)
* Extracts passwords from a KeePass 2.x database, directly from memory.
[KeeThief](https://github.com/HarmJ0y/KeeThief)
* Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.
[Getting Started with VBA in Office](https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office)
[Hiding Files by Exploiting Spaces in Windows Paths](http://blakhal0.blogspot.com/2012/08/hiding-files-by-exploiting-spaces-in.html)
[Windows Registry Persistence, Part 2: The Run Keys and Search-Order](https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order)
[Windows Registry Attacks: Knowledge Is the Best Defense](https://www.redcanary.com/blog/windows-registry-attacks-threat-detection/)
[List of autorun keys / malware persistence Windows registry entries](https://www.peerlyst.com/posts/list-of-autorun-keys-malware-persistence-windows-registry-entries-benjamin-infosec)
[Generate-Macro](https://github.com/enigma0x3/Generate-Macro)
* This Powershell script will generate a malicious Microsoft Office document with a specified payload and persistence method.
[Babadook](https://github.com/jseidl/Babadook)
* Connection-less Powershell Persistent and Resilient Backdoor
[Harness](https://github.com/Rich5/Harness)
* Harness is remote access payload with the ability to provide a remote interactive PowerShell interface from a Windows system to virtually any TCP socket. The primary goal of the Harness Project is to provide a remote interface with the same capabilities and overall feel of the native PowerShell executable bundled with the Windows OS.
[Introduction to Logical Privilege Escalation on Windows - James Forshaw](https://conference.hitb.org/hitbsecconf2017ams/materials/D2T3%20-%20James%20Forshaw%20-%20Introduction%20to%20Logical%20Privilege%20Escalation%20on%20Windows.pdf)
* [Windows Logical EoP Workbook](https://docs.google.com/document/d/1qujIzDmFrcFCBeIgMjWDZTLNMCAHChAnKDkHdWYEomM/edit)
[Attack and Defend: Linux Privilege Escalation Techniques of 2016](https://pen-testing.sans.org/resources/papers/gcih/attack-defend-linux-privilege-escalation-techniques-2016-152744)
[Windows: DCOM DCE/RPC Local NTLM Reflection Elevation of Privilege](https://bugs.chromium.org/p/project-zero/issues/detail?id=325&redir=1)
[Bypass Cylance Memory Exploitation Defense & Script Cntrl](https://www.xorrior.com/You-Have-The-Right-to-Remain-Cylance/)
[Abusing Token Privileges For LPE - drone/breenmachine](https://github.com/hatRiot/token-priv/blob/master/abusing_token_eop_1.0.txt)
[Backdoor-Minimalist.sct](https://gist.github.com/subTee/24c7d8e1ff0f5602092f58cbb3f7d302)
* Applocker bypass
[Research on CMSTP.exe](https://msitpros.com/?p=3960)
* Methods to bypass UAC and load a DLL over webdav
[LNKUp](https://github.com/Plazmaz/LNKUp)
* Generates malicious LNK file payloads for data exfiltration
[The Art of Becoming TrustedInstaller](https://tyranidslair.blogspot.co.uk/2017/08/the-art-of-becoming-trustedinstaller.html)
* there's many ways of getting the TI token other than these 3 techniques. For example as Vincent Yiu pointed out on Twitter if you've got easy access to a system token, say using Metasploit's getsystem command you can impersonate system and then open the TI token, it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser where you can specify an set of additional groups to apply to a service token. Finally if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
#### end sort
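Review bot: the bullet under "The Art of Becoming TrustedInstaller" is a first-person passage lifted from the blog post ("it's just IMO less easy :-)"), so it reads as the list maintainer's own opinion; mark it as a quotation (e.g. "From the post: ...") or summarize it in the list's own voice. Also, the injectAllTheThings description has "to make it easy way to read and understand" (should be "to make it easy to read and understand"), the "Paul Schofield Udi Yavo" speaker list needs a comma, and the "Windows Logical EoP Workbook" sub-bullet is the only nested entry in the block and could be folded into the Forshaw line.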
@ -91,6 +136,10 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
#### General Tools
[SSHDog](https://github.com/Matir/sshdog)
@ -855,12 +904,6 @@ Startup folder on Win8
#### <a name="exfil">Exfiltration</a>
[Data Exfiltration (Tunneling) Attacks against Corporate Network](https://pentest.blog/data-exfiltration-tunneling-attacks-against-corporate-network/)
### Payloads/Stuff/Idk
[genHTA](https://github.com/vysec/GenHTA)
@ -884,3 +927,16 @@ Startup folder on Win8
### Code Injection
[injectAllTheThings](https://github.com/fdiskyou/injectAllTheThings/)
* Single Visual Studio project implementing multiple DLL injection techniques (actually 7 different techniques) that work both for 32 and 64 bits. Each technique has its own source code file to make it easy way to read and understand.
[Inject All the Things - Shut up and hack](http://blog.deniable.org/blog/2017/07/16/inject-all-the-things/)
* Accompanying above project
[PowerLoaderEX](https://github.com/BreakingMalware/PowerLoaderEx)
[Injection on Steroids: Code-less Code Injections and 0-Day Techniques](https://breakingmalware.com/injection-techniques/code-less-code-injections-and-0-day-techniques/)
[Injection on Steroids: Code less Code Injections and 0 Day Techniques - Paul Schofield Udi Yavo](https://www.youtube.com/watch?v=0BAaAM2wD4s)
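Review bot: the five entries in this new "### Code Injection" block (injectAllTheThings, Inject All the Things, PowerLoaderEX, and both "Injection on Steroids" links) are the same lines this commit also adds near the top of the file, just after the injectAllTheThings line in the hunk at line 35; keep one copy, presumably this one since it sits under a matching heading, and delete the other.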

+ 39
- 8
Draft/Programming - Languages Libs Courses References.md View File

@ -24,14 +24,23 @@ Cull
http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul
http://en.cppreference.com/w/c
[aslrepl](https://github.com/enferex/asrepl)
* asrepl is an assembly based REPL. The REPL processes each line of user input, the output can be witnessed by issuing the command 'regs' and looking at the register state.
[Six Stages of debugging](http://plasmasturm.org/log/6debug/)
* 1. That can’t happen.
* 2. That doesn’t happen on my machine.
* 3. That shouldn’t happen.
* 4. Why does that happen?
* 5. Oh, I see.
* 6. How did that ever work?
#### End Cull
[Six Stages of debugging](http://plasmasturm.org/log/6debug/)
* 1. That can’t happen.
* 2. That doesn’t happen on my machine.
* 3. That shouldn’t happen.
* 4. Why does that happen?
* 5. Oh, I see.
* 6. How did that ever work?
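Review bot: the "Six Stages of debugging" block inserted above "#### End Cull" duplicates the identical seven-line block that already follows the heading, so one copy should be dropped. The new "[aslrepl]" entry also misspells the tool: the URL and the description both say "asrepl", so the link text should match.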
@ -143,6 +152,13 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[x86 Assembly Crash Course](https://www.youtube.com/watch?v=75gBFiFtAb8)
[WinREPL](https://github.com/zerosum0x0/WinREPL)
* x86 and x64 assembly "read-eval-print loop" shell for Windows
[aslrepl](https://github.com/enferex/asrepl)
* asrepl is an assembly based REPL. The REPL processes each line of user input, the output can be witnessed by issuing the command 'regs' and looking at the register state.
#### Reference
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
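Review bot: the aslrepl/asrepl entry added here is the same entry this commit adds in the "Cull" section at the top of the file; keep it in one place (this assembly section is the better fit next to WinREPL) and correct the link text from "aslrepl" to "asrepl" to match the repository URL and the description.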
@ -220,6 +236,11 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[What a C programmer should know about memory](http://marek.vavrusa.com/c/memory/2015/02/20/memory/)
[How to C in 2016](https://matt.sh/howto-c)
* [A critique of "How to C in 2016" by Matt](https://github.com/Keith-S-Thompson/how-to-c-response)
### <a name="go">Go</a>
@ -256,8 +277,7 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[Useful Powershell scripts](https://github.com/clymb3r/PowerShell)
Try/Catch Exception in Powershell
"""
'''Try/Catch Exception in Powershell
try {
#stuff
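Review bot: the new opening delimiter "'''Try/Catch Exception in Powershell" is not a Markdown code fence, so the block will still render as plain text, and the caption on the same line will be swallowed into it; keep "Try/Catch Exception in Powershell" as a normal line and open the block with three backticks followed by "powershell" on a line of its own so the snippet renders with highlighting.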
@ -267,12 +287,23 @@ $ErrorSource = $_.Exception.Source
$err = $ErrorSource + " reports: " + $ErrorMessage
}
"""
'''
[Pester](https://github.com/pester/Pester)
* Pester provides a framework for running unit tests to execute and validate PowerShell commands from within PowerShell. Pester consists of a simple set of functions that expose a testing domain-specific language (DSL) for isolating, running, evaluating and reporting the results of PowerShell commands.
### PHP
[PHP: a fractal of bad design](https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/)
[awesome-php](https://github.com/ziadoz/awesome-php)
* A curated list of amazingly awesome PHP libraries, resources and shiny things.
### <a name="python">Python</a>
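Review bot: the closing delimiter changed from three double quotes to three single quotes has the same problem as the opening one earlier in this file: neither is a Markdown fence, so the try/catch snippet is not rendered as code. Close the block with a line of three backticks. The Pester and PHP additions below it look fine.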


+ 12
- 0
Draft/Red-Teaming.md View File

@ -59,6 +59,11 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[Adam Compton - Hillbilly Storytime - Pentest Fails](https://www.youtube.com/watch?v=GSbKeTPv2TU)
* Whether or not you are just starting in InfoSec, it is always important to remember that mistakes happen, even to the best and most seasoned of analysts. The key is to learn from your mistakes and keep going. So, if you have a few minutes and want to talk a load off for a bit, come and join in as a hillbilly spins a yarn about a group unfortunate pentesters and their misadventures. All stories and events are true (but the names have been be changed to prevent embarrassment).
[88MPH Digital tricks to bypass Physical security - ZaCon4 - Andrew MacPherson](https://vimeo.com/52865794)
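Review bot: the Hillbilly Storytime description has several typos: "want to talk a load off" should be "take a load off", "a group unfortunate pentesters" needs "of", and "the names have been be changed" has an extra "be". If this is the talk's own abstract, mark it as a quote rather than silently reproducing the errors.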
@ -100,6 +105,13 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[Abusing Windows Management Instrumentation (WMI) to Build a Persistent, Asyncronous, and Fileless Backdoor](https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf)
[Command & Control: Understanding, Denying and Detecting - 2014](https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf)
* Joseph Gardiner, Marco Cova, Shishir Nagaraja
[Project Loki - Phrack 7-49](http://phrack.org/issues/49/6.html)
* This whitepaper is intended as a complete description of the covert channel that exists in networks that allow ping traffic (hereon referred to in the more general sense of ICMP_ECHO traffic --see below) to pass.
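Review bot: the link text for the Graeber whitepaper misspells "Asynchronous" as "Asyncronous" (the URL itself spells it correctly). The Command & Control entry lists the authors in a sub-bullet while other entries put them in the title after a dash; pick one convention.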


+ 24
- 0
Draft/Reverse Engineering.md View File

@ -90,6 +90,30 @@ https://objective-see.com/
[Binacle](https://github.com/ANSSI-FR/Binacle)
* Indexation "full-bin" of binary files
[Microsoft.Diagnostics.Runtime.dll(CLR MD)](https://github.com/Microsoft/clrmd)
* Microsoft.Diagnostics.Runtime.dll (nicknamed "CLR MD") is a process and crash dump introspection library. This allows you to write tools and debugger plugins which can do thing similar to SOS and PSSCOR.
[Getting Started with CLR MD](https://github.com/Microsoft/clrmd/blob/master/Documentation/GettingStarted.md)
[Reverse Engineering IoT Devices](https://iayanpahwa.github.io/Reverse-Engineering-IoT-Devices/)
[radare2 as an alternative to gdb-peda](https://monosource.github.io/2016/10/radare2-peda)
[jefferson](https://github.com/sviehb/jefferson)
* JFFS2 filesystem extraction tool
[Reverse Engineering Firmware Primer](https://wiki.securityweekly.com/Reverse_Engineering_Firmware_Primer)
[Hacking Linksys E4200v2 firmware](https://blog.bramp.net/post/2012/01/24/hacking-linksys-e4200v2-firmware/)
[Defeating ioli with radare2](https://dustri.org/b/defeating-ioli-with-radare2.html)
[Gynvael’s Mission 11 (en): Python bytecode reverse-engineering](https://chriswarrick.com/blog/2017/08/03/gynvaels-mission-11-en-python-bytecode-reverse-engineering/)
### End sort
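Review bot: the CLR MD description reads "which can do thing similar to SOS and PSSCOR" (should be "things"), and the link text "Microsoft.Diagnostics.Runtime.dll(CLR MD)" is missing a space before the parenthesis. The Binacle line "Indexation "full-bin" of binary files" is the upstream wording but would read better as "Full-binary indexing of binary files". These new entries also all land above "### End sort" and still need to be filed into the firmware and radare2 sections they belong to.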


+ 1
- 1
Draft/SCADA.md View File

@ -17,7 +17,7 @@
### General
[Cassandra coefficient and ICS cyber – is this why the system is broken](http://www.controlglobal.com/blogs/unfettered/cassandra-coefficient-and-ics-cyber-is-this-why-the-system-is-broken/)
### Articles/Blogposts


+ 2
- 0
Draft/Sandboxes.md View File

@ -30,7 +30,9 @@ Sandboxed Execution Environment (SEE) is a framework for building test automatio
[Usermode Sandboxing](http://www.malwaretech.com/2014/10/usermode-sandboxing.html)
[Advanced Desktop Application Sandboxing via AppContainer](https://www.malwaretech.com/2015/09/advanced-desktop-application-sandboxing.html)


+ 5
- 0
Draft/Social Engineering.md View File

@ -196,6 +196,11 @@ Paul Ekmans research
[Construal-Level Theory of Psychological Distance](http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/)
* Abstract: People are capable of thinking about the future, the past, remote locations, another person’s perspective, and counterfactual alternatives. Without denying the uniqueness of each process, it is proposed that they constitute different forms of traversing psychological distance. Psychological distance is egocentric: Its reference point is the self in the here and now, and the different ways in which an object might be removed from that point—in time, in space, in social distance, and in hypotheticality—constitute different distance dimensions. Transcending the self in the here and now entails mental construal, and the farther removed an object is from direct experience, the higher (more abstract) the level of construal of that object. Supporting this analysis, research shows (a) that the various distances are cognitively related to each other, (b) that they similarly influence and are influenced by level of mental construal, and (c) that they similarly affect prediction, preference, and action.
[The Neural Basis of Decision-Making During Sensemaking: Implications for Human-System Interaction](https://www.researchgate.net/publication/278679336_The_Neural_Basis_of_Decision-Making_During_Sensemaking_Implications_for_Human-System_Interaction)
### Tools


+ 9
- 0
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -62,6 +62,11 @@
[BATTLE OF SKM AND IUM - How Windows 10 rewrites OS Architecture - Alex Ionescu](http://www.alex-ionescu.com/blackhat2015.pdf)
[RtlEncryptMemory function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa387693(v=vs.85).aspx)
[RtlDecryptMemory function](https://msdn.microsoft.com/en-us/library/windows/desktop/aa387692(v=vs.85).aspx)
#### Access Control
@ -87,6 +92,8 @@
[Windows Data Protection](https://msdn.microsoft.com/en-us/library/ms995355.aspx)
[The Component Object Model](https://msdn.microsoft.com/library/ms694363.aspx)
##### Exploit Mitigations
@ -108,6 +115,8 @@
[Memory Translation and Segmentation](http://duartes.org/gustavo/blog/post/memory-translation-and-segmentation/)
[Exploring Windows virtual memory management](http://www.triplefault.io/2017/08/exploring-windows-virtual-memory.html)
##### Networking


+ 1
- 0
Draft/UX Design - Because we all know how sexy pgp is.md View File

@ -10,6 +10,7 @@ Required Reading: [The Design of Everyday Things](http://www.jnd.org/books/desig
http://www.usability.gov/what-and-why/user-interface-design.html
[The unexpected dangers of preg_replace()](https://bitquark.co.uk/blog/2013/07/23/the_unexpected_dangers_of_preg_replace)
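Review bot: "The unexpected dangers of preg_replace()" is an article about a PHP code-execution pitfall, not about usability, so it does not belong in the UX Design file; move it to the PHP section of "Programming - Languages Libs Courses References.md" (which this same commit is already editing) or to the web application material.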