
Finally a sync

Some stuff added/changed/removed.
pull/4/head
Robert 7 years ago
parent commit 2b74b51685
65 changed files with 1535 additions and 1237 deletions
1. +0 -107 Draft/Draft/Anonymity Opsec Privacy -.md
2. +92 -0 Draft/Draft/Anonymity Opsec Privacy -.txt
3. +0 -30 Draft/Draft/Anti-Forensics.md
4. +13 -0 Draft/Draft/Anti-Forensics.txt
5. +0 -467 Draft/Draft/Attacking Defending Android -.md
6. +326 -0 Draft/Draft/Attacking Defending Android -.txt
7. +0 -139 Draft/Draft/Attacking Defending iOS -.md
8. +107 -0 Draft/Draft/Attacking Defending iOS -.txt
9. +0 -158 Draft/Draft/BIOS UEFI Attacks Defenses.md
10. +128 -0 Draft/Draft/BIOS UEFI Attacks Defenses.txt
11. +0 -36 Draft/Draft/Basic Security Information.md
12. +34 -0 Draft/Draft/Basic Security Information.txt
13. +3 -3 Draft/Draft/Building A Pentest Lab.txt
14. +10 -1 Draft/Draft/CTFs & Wargames -.txt
15. +10 -0 Draft/Draft/Cheat sheets reference pages Checklists -.txt
16. +0 -0 Draft/Draft/Conference Video Archives Stuff -.txt
17. +0 -0 Draft/Draft/Counter Surveillance.txt
18. +0 -0 Draft/Draft/Courses & Training -.txt
19. +0 -0 Draft/Draft/CryptoCurrencies.txt
20. +1 -0 Draft/Draft/Cryptography & Encryption.txt
21. +0 -0 Draft/Draft/Darknets -.txt
22. +0 -0 Draft/Draft/Data AnalysisVisualization.txt
23. +2 -0 Draft/Draft/Disclosure -.txt
24. +8 -0 Draft/Draft/Disinformation -.txt
25. +5 -3 Draft/Draft/Documentation & Reports -.txt
26. +6 -0 Draft/Draft/Embedded Device & Hardware Hacking -.txt
27. +6 -1 Draft/Draft/Exfiltration.txt
28. +79 -33 Draft/Draft/Exploit Development.txt
29. +17 -4 Draft/Draft/Forensics Incident Response.txt
30. +0 -0 Draft/Draft/Frameworks Methodologies.txt
31. +3 -4 Draft/Draft/Fuzzing Bug Hunting.txt
32. +0 -0 Draft/Draft/Google Hacking.txt
33. +0 -0 Draft/Draft/Home Security.txt
34. +0 -0 Draft/Draft/Honeypots -.txt
35. +23 -2 Draft/Draft/Interesting Things Useful stuff.txt
36. +0 -0 Draft/Draft/Links.txt
37. +0 -0 Draft/Draft/Lockpicking -.txt
38. +7 -3 Draft/Draft/Malware.txt
39. +4 -0 Draft/Draft/Network Attacks & Defenses.txt
40. +3 -0 Draft/Draft/Network Security Monitoring & Logging.txt
41. +10 -2 Draft/Draft/Open Source Intelligence.txt
42. +0 -0 Draft/Draft/Password Bruting and Hashcracking.txt
43. +0 -0 Draft/Draft/Phishing.txt
44. +0 -0 Draft/Draft/Phyiscal Security.txt
45. +12 -1 Draft/Draft/Privilege Escalation & Post-Exploitation.txt
46. +0 -0 Draft/Draft/Programming - Languages Libs Courses References.txt
47. +0 -0 Draft/Draft/Reverse Engineering - REMath Literature.txt
48. +22 -1 Draft/Draft/Reverse Engineering.txt
49. +18 -0 Draft/Draft/Rootkits.txt
50. +0 -0 Draft/Draft/Sandboxes.txt
51. +0 -0 Draft/Draft/Screen Scraping.txt
52. +2 -0 Draft/Draft/Securing Hardening.txt
53. +0 -0 Draft/Draft/Simulations.txt
54. +11 -0 Draft/Draft/Social Engineering.txt
55. +0 -50 Draft/Draft/Steal Everything Kill Everyone Profit.md
56. +64 -0 Draft/Draft/Steal Everything Kill Everyone Profit.txt
57. +0 -0 Draft/Draft/Sysadmin Stuff.txt
58. +32 -115 Draft/Draft/System Internals Windows and Linux Internals Reference.txt
59. +0 -0 Draft/Draft/Threat Modeling.txt
60. +0 -16 Draft/Draft/To Do/4.txt
61. +406 -50 Draft/Draft/To Do/add cull -2.txt
62. +2 -1 Draft/Draft/UX Design - Because we all know how sexy pgp is.txt
63. +0 -0 Draft/Draft/Various purpiose based OS's.txt
64. +15 -0 Draft/Draft/Web & Browsers.txt
65. +54 -10 Draft/Draft/Wireless Networks & RF.txt

+0 -107 Draft/Draft/Anonymity Opsec Privacy -.md

@ -1,107 +0,0 @@
##Anonymity & OpSec & Privacy
I am not a you and may very well be a 12yr old child. Be forewarned.
[Whoer](http://whoer.net/extended)
* Site that lists content based on your metadata/sent info: IP, browser header, scripts check.
* Url is whoer.net/extended.
TOC
Cull
[Articles](#Articles)
[Papers](#Papers)
[Talks/Videos](#Talks)
[Tools](#Tools)
###Cull
[Client Identification Mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
[Can you track me now? - Defcon20](https://www.youtube.com/watch?v=DxIF66Tcino)
###<a name="Articles">Articles</a>
[De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)
[Anonymous’s Guide to OpSec](http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf)
[Cat Videos and the Death of Clear Text](https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/)
###<a name="Papers">Papers</a>
[Protocol Misidentification Made Easy with Format-Transforming Encryption](https://eprint.iacr.org/2012/494.pdf)
* Deep packet inspection (DPI) technologies provide much- needed visibility and control of network trac using port- independent protocol identi cation, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the rst comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidenti cation attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic prim- itive called format-transforming encryption (FTE), which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer trac, and we experimentally show that this forces misidenti cation for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demon- strate that it evades real-world censorship by the Great Fire- wall of China.
[Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* Abstract —The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
###<a name="Talks">Talks & Videos</a>
[Because Jail is for WUFTPD](https://www.youtube.com/watch?v=9XaYdCdwiWU)
* Legendary talk, a must watch.
* [His blog](http://grugq.tumblr.com/)
(COMSEC: Beyond encryption](https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf)
[DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data](https://www.youtube.com/watch?v=NjuhdKUH6U4)
[Detecting and Defending Against a Surveillance State - DEFCON 22 - Robert Rowley](https://www.youtube.com/watch?v=d5jqV06Yijw)
[Detecting and Defending Against a Surveillance State - Robert Rowley - DEF CON 22](https://www.youtube.com/watch?v=d5jqV06Yijw)
[The NSA: Capabilities and Countermeasures - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
[Blinding The Surveillance State - Christopher Soghoian - DEF CON 22](https://www.youtube.com/watch?v=pM8e0Dbzopk)
[Blinding The Surveillance State - Christopher Soghoian - DEFCON22](https://www.youtube.com/watch?v=pM8e0Dbzopk)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
[Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring - Defcon22](https://www.youtube.com/watch?v=_KyfJW2lHtk&spfreload=1)
* Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny.Format-Transforming Encryption (FTE) can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.
* [Slides](https://www.portalmasq.com/portal-defcon.pdf)
[The NSA: Capabilities and Countermeasures - Bruce Schneier - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
[You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
###<a name="Tools">Tools</a>
[MAT: Metadata Anonymisation Toolkit](https://mat.boum.org/)
* MAT is a toolbox composed of a GUI application, a CLI application and a library.
[fteproxy](https://fteproxy.org/about)
* fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems
[Streisand](https://github.com/jlund/streisand)
* Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
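Review bot: this hunk deletes `Anonymity Opsec Privacy -.md` outright while the next hunk adds `Anonymity Opsec Privacy -.txt` with the same entries rewritten as tables; because nearly every line changed, git will not pair the two as a rename and `git log --follow` history for these entries stops at this commit. Consider splitting the work: one commit that only does the `.md` to `.txt` renames (the same applies to the other `.md`/`.txt` pairs in this commit) and a second that converts the contents to tables, so each diff stays reviewable. Note also that the file being removed lists 'Detecting and Defending Against a Surveillance State' twice with the same URL, and both copies are carried over into the new file.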

+92 -0 Draft/Draft/Anonymity Opsec Privacy -.txt

@ -0,0 +1,92 @@
TOC
Cull
| Articles | #Articles
| Papers | #Papers
| Talks/Videos | #Talks
| Tools | #Tools
### Cull
| Title | Link
| -------- | --------- |
| Client Identification Mechanisms | http://www.chromium.org/Home/chromium-security/client-identification-mechanisms
| Can you track me now? - Defcon20 | https://www.youtube.com/watch?v=DxIF66Tcino
Add shadowsocks
### <a name="Articles">Articles</a>
| Title | Link
| -------- | --------- |
| De-anonymizing facebook users through CSP | http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis
| Anonymous’s Guide to OpSec | http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf
| Cat Videos and the Death of Clear Text | https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/
### <a name="Papers">Papers</a>
|**Protocol Misidentification Made Easy with Format-Transforming Encryption** |
| -------- |
|**Link:** https://eprint.iacr.org/2012/494.pdf
| **Description**: Deep packet inspection DPI technologies provide much- needed visibility and control of network trac using port- independent protocol identi cation, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the most comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption FTE, which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer trac, and we experimentally show that this forces misidenti cation for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demonstrate that it evades real-world censorship by the Great Firewall of China.
|---|
| **'I've Got Nothing to Hide' and Other Misunderstandings of Privacy** | **Link:** http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565& |
| **Description**: The web has become an essential part of our society and is currently the main medium of information delivery. Billions of users browse the web on a daily basis, and there are single websites that have reached over one billion user accounts. In this environment, the ability to track users and their online habits can be very lucrative for advertising companies, yet very intrusive for the privacy of users. In this paper, we examine how web-based device fingerprint- ing currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same time, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
| **'I've Got Nothing to Hide' and Other Misunderstandings of Privacy** : http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&
| **Abstract:** We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.**
|---|
| **Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring** - Defcon22|
| Link: https://www.youtube.com/watch?v=_KyfJW2lHtk&spfreload=1
| **Description:** Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny. Format-Transforming Encryption FTE can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.
| Slides https://www.portalmasq.com/portal-defcon.pdf
| --
| **The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014
| **Link:** https://www.youtube.com/watch?v=D5JA8Ytk9EI
|**Description:** Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
| --
| **You're Leaking Trade Secrets** - Defcon22 Michael Schrenk
| **Link:** https://www.youtube.com/watch?v=JTd5TL6_zgY
|**Description:** Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
### **<a name="Talks">Talks & Videos</a>**
| Title | Link
| -------- | --------- |
| **Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting** | http://securitee.org/files/cookieless_sp2013.pdf |
| **Because Jail is for WUFTPD** - Legendary talk, a must watch. | https://www.youtube.com/watch?v=9XaYdCdwiWU
| **The Gruqgs blog** | http://grugq.tumblr.com/
| **COMSEC: Beyond encryption** | https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf
| **DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data** | https://www.youtube.com/watch?v=NjuhdKUH6U4
| **Detecting and Defending Against a Surveillance State** - DEFCON 22 - Robert Rowley | https://www.youtube.com/watch?v=d5jqV06Yijw
| **Detecting and Defending Against a Surveillance State** - Robert Rowley - DEF CON 22 | https://www.youtube.com/watch?v=d5jqV06Yijw
| **The NSA: Capabilities and Countermeasures** - ShmooCon 2014 | https://www.youtube.com/watch?v=D5JA8Ytk9EI
| **Blinding The Surveillance State** - Christopher Soghoian - DEF CON 22 | https://www.youtube.com/watch?v=pM8e0Dbzopk
| **-------------**
### **<a name="Tools">Tools</a>**
| Title | Link
| -------- | --------- |
| **MAT: Metadata Anonymisation Toolkit** - MAT is a toolbox composed of a GUI application, a CLI application and a library. | https://mat.boum.org/
| **fteproxy** - fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems| https://fteproxy.org/about
| **Streisand** - Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.| https://github.com/jlund/streisand
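Review bot: the Papers table is mis-assembled and needs fixing before merge. The row `| **'I've Got Nothing to Hide' and Other Misunderstandings of Privacy** | **Link:** ...` is followed by the Cookieless Monster abstract (`| **Description**: The web has become an essential part of our society...`), while the Cookieless Monster title itself has been moved into the Talks & Videos table; the 'Nothing to Hide' entry then appears a second time with the Soghoian 'Blinding The Surveillance State' abstract attached to it as `**Abstract:**`, ending in an unbalanced `**`. The talk entries from Masquerade through You're Leaking Trade Secrets also sit under the Papers heading rather than Talks & Videos. Smaller points: the FTE abstract now says 'the most comprehensive evaluation' where the paper says 'the first' (the 'fi' ligature lost in the PDF copy was repaired the wrong way; 'trac', 'ow' and 'identi cation' in the same paragraph are the same ligature loss and should read 'traffic', 'flow' and 'identification'); the TOC rows such as `| Articles | #Articles` are neither links nor a valid table; the `| Title | Link` header rows lack the trailing pipe their separator rows have; the stray `| **-------------**` row and the `Add shadowsocks` to-do note were left in the file; and 'The Gruqgs blog' should be 'The Grugq's blog'.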

+0 -30 Draft/Draft/Anti-Forensics.md

@ -1,30 +0,0 @@
##Anti-Forenics
[CleanAfterMe](http://www.nirsoft.net/utils/clean_after_me.html)
* CleanAfterMe allows you to easily clean files and Registry entries that are automatically created by the Windows operating system during your regular computer work.
With CleanAfterMe, you can clean the cookies/history/cache/passwords of Internet Explorer, the 'Recent' folder, the Registry entries that record the last opened files, the temporary folder of Windows, the event logs, the Recycle Bin, and more.
[Hiding Data in Hard-Drive's Service Areas](http://recover.co.il/SA-cover/SA-cover.pdf)
* In this paper we will demonstrate how spinning hard-drives’ serv ice areas 1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard- drive)
[Anti-Forensics and Anti-Anti-Forensics Attacks - Michael Perkins](https://www.youtube.com/watch?v=J4x8Hz6_hq0)
* Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field? This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme.
* [Slides](http://www.slideshare.net/the_netlocksmith/defcon-20-antiforensics-and-antiantiforensics)
[Beyond The CPU:Defeating Hardware Based RAM Acquisition](https://www.blackhat.com/presentations/bh-dc-07/Rutkowska/Presentation/bh-dc-07-Rutkowska-up.pdf)
[Hardware Backdooring is Practical -Jonathan Brossard](https://www.youtube.com/watch?v=umBruM-wFUw)

+13 -0 Draft/Draft/Anti-Forensics.txt

@ -0,0 +1,13 @@
## **Anti-Forenics**
| Title | Link |
| -------- | ------------------------ |
| **CleanAfterMe** - CleanAfterMe allows you to easily clean files and Registry entries that are automatically created by the Windows operating system during your regular computer work. With CleanAfterMe, you can clean the cookies/history/cache/passwords of Internet Explorer, the 'Recent' folder, the Registry entries that record the last opened files, the temporary folder of Windows, the event logs, the Recycle Bin, and more.| http://www.nirsoft.net/utils/clean_after_me.html
|**Hiding Data in Hard-Drive's Service Areas** - In this paper we will demonstrate how spinning hard-drives’ serv ice areas 1 can be used to hide data from the operating-system (or any software using the standard OS’s API or the standard ATA commands to access the hard- drive)|http://recover.co.il/SA-cover/SA-cover.pdf
| **Anti-Forensics and Anti-Anti-Forensics Attacks** - Michael Perkins - Everyone's heard the claim: Security through obscurity is no security at all. Challenging this claim is the entire field of steganography itself - the art of hiding things in plain sight. Most people know you can hide a text file inside a photograph, or embed a photograph inside an MP3. But how does this work under the hood? What's new in the stego field? This talk will explore how various techniques employed by older steganographic tools work and will discuss a new technique developed by the speaker which embodies both data hiding and data enciphering properties by encoding data inside NTFS volumes. A new tool will be released during this talk that will allow attendees to both encode and decode data with this new scheme. |https://www.youtube.com/watch?v=J4x8Hz6_hq0 - Slides: [Slides(link)](http://www.slideshare.net/the_netlocksmith/defcon-20-antiforensics-and-antiantiforensics)
| **Beyond The CPU:Defeating Hardware Based RAM Acquisition** | https://www.blackhat.com/presentations/bh-dc-07/Rutkowska/Presentation/bh-dc-07-Rutkowska-up.pdf
| **Hardware Backdooring is Practical** -Jonathan Brossard | https://www.youtube.com/watch?v=umBruM-wFUw
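Review bot: the heading `## **Anti-Forenics**` carries the typo over from the removed `.md` and should read 'Anti-Forensics'. The link cell for the Perkins talk mixes a bare URL with a markdown link (`https://www.youtube.com/watch?v=J4x8Hz6_hq0 - Slides: [Slides(link)](...)`), which breaks the two-column layout the other rows use; a separate Slides row, or a third column for slides, would keep the table regular. The service-areas description still contains the PDF extraction artifacts `serv ice areas 1` (a split word plus a footnote marker) and `hard- drive`, and the header row `| Title | Link |` has a trailing pipe while none of the data rows do.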

+0 -467 Draft/Draft/Attacking Defending Android -.md

@ -1,467 +0,0 @@
##Attacking Android Devices
####TOC
Cull
[Intro](#Intro)
[Android Internals](#AInternals)
[Securing Android](#SecAnd)
Android Apps
[Vulnerabilities](#Vulns)
[Exploits](#Exploits)
[Device Analysis](#DAnalysis)
[Application Analysis](#AppAnalysis)
* Dynamic Analysis
* Static Analysis
* Online APK Analyzers
[Online APK Analyzers](#OnlineAPK)
[Attack Platforms](#APlatforms)
[Android Malware](#Malware)
[Reverse Engineering Android](#RE)
[Interesting Papers](#Papers)
[Write-ups](#Write)
[Educational Materialsl[#Education)
[Books](#Books)
[Other](#Other)
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
[csploit](http://www.csploit.org/docs.html)
* The most complete and advanced IT security professional toolkit on Android.(From their site)
* [Github](https://github.com/cSploit/android/tree/master/cSploit)
[Droidsec - Pretty much should be your first stop](http://www.droidsec.org/wiki/)
###Cull
[AndBug - A Scriptable Android Debugger](https://github.com/swdunlop/AndBug)
* AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.
[AndroChef](http://androiddecompiler.com/)
* AndroChef Java Decompiler is Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, 8.1 decompiler for Java that reconstructs the original source code from the compiled binary CLASS files. AndroChef Java Decompiler is able to decompile the most complex Java 6 applets and binaries, producing accurate source code. AndroChef successfully decompiles obfuscated Java 6 and Java 7 .class and .jar files. Support Java language features like generics, enums and annotations. According to some studies, AndroChef Java Decompiler is able to decompile 98.04% of Java applications generated with traditional Java compilers- a very high recovery rate. It is simple but powerful tool that allows you to decompile Java and Dalvik bytecode (DEX, APK) into readable Java source. Easy to use.
http://nelenkov.blogspot.com
[elsim - Elements Similarities](https://code.google.com/p/elsim/wiki/Similarity#Diffing_of_applications)
* Similarities/Differences of applications (aka rip-off indicator)
* This tool detects and reports: the identical methods; the similar methods; the deleted methods; the new methods; the skipped methods.
[playdrone](https://github.com/nviennot/playdrone)
* Google Play Crawler
[hbootdbg](https://github.com/sogeti-esec-lab/hbootdbg/)
* Debugger for HTC phones bootloader (HBOOT).
[Heimdall](https://github.com/Benjamin-Dobell/Heimdall)
* Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy S devices.
[Android apps in sheep's clothing](http://www.modzero.ch/modlog/archives/2015/04/01/android_apps_in_sheeps_clothing/index.html)
* We identified a security weakness in Android's approach of handling UI elements, circumventing parts of Android's sandboxing approach. While this attack is simple from a technical point of view, the impact of exploiting such a vulnerability is significant. It affects Android based devices as well as Blackberry mobile devices running the Android runtime environment.
[android-gdb](https://github.com/darchons/android-gdb)
* GDB fork targetting Android/Fennec development
[android-vm](https://github.com/dweinstein/android-vm)
* Automated provisioning and configuration of an Ubuntu VM containing the Android development environment, including Android ADT Bundle with SDK, Eclipse & the Android NDK using the Vagrant DevOps tool with Chef and shell-scripts.
[Instrumenting Android Applications with Frida](http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html)
[Dissecting the Android Bouncer](https://www.duosecurity.com/blog/duo-tech-talks-dissecting-the-android-bouncer)
*
[ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)
[Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)
[Android Pattern Lock Cracker](https://github.com/sch3m4/androidpatternlock)
* A little Python tool to crack the Pattern Lock on Android devices
[PatchDroid: Scalable Third-Party Security Patches for Android Devices](http://www.mulliner.org/collin/academic/publications/patchdroid.pdf)
* Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnera- bilities and, in practice, cannot be updated through normal mechanisms since they are not longer supported by the man- ufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to dis- tribute and apply third-party security patches for Android. Our system is designed for device-independent patch cre- ation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch se- curity vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
###<a name="AInternals">Android Internals</a>
[Dalvik opcodes](http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html)
[Dalvik Bytecode Format docs](http://source.android.com/devices/tech/dalvik/dex-format.html)
[The Android boot process from power on](http://www.androidenea.com/2009/06/android-boot-process-from-power-on.html)
* Since mobile platforms and embedded systems has some differences compared to Desktop systems in how they initially start up and boot this post will discuss the initial boot stages of an Android phone in some detail.
###<a name="SecAnd">Securing Android</a>
[Android (In)Security - Defcamp 2014](https://www.youtube.com/watch?v=2aeV1JXYvuQ&index=23&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
* Good video on Android Security
[Android Forensics Class - Free](http://opensecuritytraining.info/AndroidForensics.html)
* This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
[Android Hardening Guide by the TOR developers](https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)
This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently.
The SIP client we recommend also supports dialing normal telephone numbers if you have a SIP gateway that provides trunking service.
Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.
[Android 4.0+ Hardening Guide/Checklist by University of Texas](https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist)
####Applications
Firewall
* [Android Firewall(Requires Root)](https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall&hl=en)
Xprivacy - The Ultimate Android Privacy Manager(Requires Root
* [Github](https://github.com/M66B/XPrivacy)
* [Google Play](https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.installer&hl=en)
####Backups
[Titanium Backup](https://play.google.com/store/apps/details?id=com.keramidas.TitaniumBackup)
Personal favorite for making backups. Backups are stored locally or automatically to various cloud services.
[Helium Backup(Root Not Required)](https://play.google.com/store/apps/details?id=com.koushikdutta.backup&hl=en)
* Backs up data locally or to various cloud services. Local client available for backups directly to PC.
###Encryption
Check the Encryption section of the overall guide for more information.
[Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)
####<a name="Vulns">Vulnerabilities</a>
[List of Android Vulnerabilities](http://androidvulnerabilities.org/all)
####<a name="Exploits">Exploits</a>
[List of Android Exploits](https://github.com/droidsec/droidsec.github.io/wiki/Vuln-Exploit-List)
###<a name="DAnalysis">Device Analysis</a>
[android-cluster-toolkit](https://github.com/jduck/android-cluster-toolkit)
* The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.
[privmap - android](https://github.com/jduck/privmap)
* A tool for enumerating the effective privileges of processes on an Android device.
[canhazaxs](https://github.com/jduck/canhazaxs)
* A tool for enumerating the access to entries in the file system of an Android device.
[Android Device Testing Framework(DTF)](https://github.com/jakev/dtf/tree/v1.0.3)
* The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you'll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.
[drozer](https://github.com/mwrlabs/drozer)
* drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
###<a name="AppAnalysis">Application Analysis</a>
[APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis
[Smali-CFGs](https://github.com/EugenioDelfa/Smali-CFGs)
* Smali Control-Flow-Graphs
[PID Cat](https://github.com/JakeWharton/pidcat)
* An update to Jeff Sharkey's excellent logcat color script which only shows log entries for processes from a specific application package. During application development you often want to only display log messages coming from your app. Unfortunately, because the process ID changes every time you deploy to the phone it becomes a challenge to grep for the right thing. This script solves that problem by filtering by application package. Supply the target package as the sole argument to the python script and enjoy a more convenient development process.
[AndBug - Scriptable Android Debugger](https://github.com/swdunlop/AndBug)
* AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.
[android-lkms](https://github.com/strazzere/android-lkms)
* Android Loadable Kernel Modules - mostly used for reversing and debugging on controlled systems/emulators.
[Simplify - Simple Android Deobfuscator](https://github.com/CalebFenton/simplify)
* Simplify uses a virtual machine to understand what an app does. Then, it applies optimizations to create code that behaves identically, but is easier for a human to understand. Specifically, it takes Smali files as input and outputs a Dex file with (hopefully) identical semantics but less complicated structure.
###<a name="Dynamic">Dynamic Analysis</a>
[APKinpsector](https://github.com/honeynet/apkinspector/)
* APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
[DroidBox](https://code.google.com/p/droidbox/)
* DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when analysis is ended:
Hashes for the analyzed package
Incoming/outgoing network data
File read and write operations
Started services and loaded classes through DexClassLoader
Information leaks via the network, file and SMS
Circumvented permissions
Cryptography operations performed using Android API
Listing broadcast receivers
Sent SMS and phone calls
Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.
[ddi - Dynamic Dalvik Instrumentation Toolkit](https://github.com/crmulliner/ddi)
* Simple and easy to use toolkit for dynamic instrumentation of Dalvik code. Instrumentation is based on library injection and hooking method entry points (in-line hooking). The actual instrumentation code is written using the JNI interface. The DDI further supports loading additional dex classes into a process. This enables instrumentation code to be partially written in Java and thus simplifies interacting with the instrumented process and the Android framework.
[Hooker](https://github.com/AndroidHooker/hooker)
* Hooker is an opensource project for dynamic analyses of Android applications. This project provides various tools and applications that can be use to automaticaly intercept and modify any API calls made by a targeted application. It leverages Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...). Collected information can either be stored in a distributed database (e.g. ElasticSearch) or in json files. A set of python scripts is also provided to automatize the execution of an analysis to collect any API calls made by a set of applications.
[Android-SSL-TrustKiller](https://github.com/iSECPartners/Android-SSL-TrustKiller)
* Blackbox tool to bypass SSL certificate pinning for most applications running on a device.
[JustTrustMe - Cert Pinning using Xposed](https://github.com/fuzion24/justtrustme)
* An xposed module that disables SSL certificate checking. This is useful for auditing an appplication which does certificate pinning. You can read about the practice of cert pinning here(1). There also exists a nice framework built by @moxie to aid in pinning certs in your app: certificate pinning(2).
[1](https://viaforensics.com/resources/reports/best-practices-ios-android-secure-mobile-development/41-certificate-pinning/)
[2](https://github.com/moxie0/AndroidPinning)
###<a name="Static">Static Analysis</a>
[Disect Android APKs like a Pro - Static code analysis](http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/)
Androguard](https://code.google.com/p/androguard)
^ Androguard is mainly a tool written in python to play with:
Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation),
APK (Android application) (.apk),
Android's binary xml (.xml),
Android Resources (.arsc).
^ Androguard is available for Linux/OSX/Windows (python powered).
[Dexter](http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
* Dexter is a static android application analysis tool.
[Static Code Analysis of Major Android Web Browsers](http://opensecurity.in/research/security-analysis-of-android-browsers.html)
[Androwarn](https://github.com/maaaaz/androwarn)
* Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application. The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali. This analysis leads to the generation of a report, according to a technical detail level chosen from the user.
[Thresher](http://pl.cs.colorado.edu/projects/thresher/)
* Thresher is a static analysis tool that specializes in checking heap reachability properties. Its secret sauce is using a coarse up-front points-to analysis to focus a precise symbolic analysis on the alarms reported by the points-to analysis.
* [Thresher: Precise Refutations for Heap Reachability](http://www.cs.colorado.edu/~sabl4745/papers/pldi13-thresher.pdf)
[lint - Static Analysis](https://developer.android.com/tools/help/lint.html)
* The Android lint tool is a static code analysis tool that checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.
[Flow Droid - Taint Analysis](http://sseblog.ec-spride.de/tools/flowdroid/)
* FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. U
* [Flow Droid Paper- FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps](http://www.bodden.de/pubs/far+14flowdroid.pdf)
* In this work we thus present F LOW D ROID , a novel and highly precise static taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help F LOW D ROID maintain high efficiency and precision at the same time
[dedex](https://github.com/mariokmk/dedex)
* Is a command line tool for disassembling Android DEX files.
[DexMac](https://github.com/mariokmk/DexMac)
* Is a native OSX application for disassembling Android DEX files.
[dexdissasembler](https://github.com/mariokmk/dexdisassembler)
* Is a GTK tool for disassembling Android DEX files.
[dex.Net](https://github.com/mariokmk/dex.net)
* A Mono/.NET library to parse Android DEX files. Its main purpose is to support utilities for disassembling and presenting the contents of DEX files.
[apk2gold](https://github.com/lxdvs/apk2gold)
* CLI tool for decompiling Android apps to Java. It does resources! It does Java! Its real easy!
[Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0](https://github.com/strazzere/android-unpacker)
* native-unpacker/ - Unpacker for APKProtect/Bangcle/LIAPP/Qihoo Packer that runs natively, no dependency on gdb
* hide-qemu/ - Small hacks for hiding the qemu/debuggers, specifically from APKProtect
[byte-code viewer](https://github.com/Konloch/bytecode-viewer)
* Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.
###<a name="OnlineAPK">Online APK Analyzers</a>
[Mobile Sandbox](http://mobilesandbox.org/)
* Provide an Android application file (apk-file) and the Mobile-Sandbox will analyze the file for any malicious behaviour.
[CopperDroid](http://copperdroid.isg.rhul.ac.uk/copperdroid/)
* Upload an .apk for static analysis
[Andrototal[(http://andrototal.org/)
* AndroTotal is a free service to scan suspicious APKs against multiple mobile antivirus apps.
###<a name="APlatforms">Attack Platforms</a>
[drozer](https://github.com/mwrlabs/drozer)
* drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
[Android Tamer](http://androidtamer.com/)
* Android Tamer is a one stop tool required to perform any kind of operations on Android devices / applications / network VM
###<a name="Malware">Android Malware</a>
[Rundown of Android Packers](http://www.fortiguard.com/uploads/general/Area41Public.pdf)
[APK File Infection on an Android System](https://www.youtube.com/watch?v=HZI1hCdqKjQ&amp;list=PLCDA5DF85AD6B4ABD)
[Manifesto](https://github.com/maldroid/manifesto)
* PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from http://maldr0id.blogspot.com. It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file.
[Android Hacker Protection Level 0 - DEF CON 22 - Tim Strazzere and Jon Sawyer](https://www.youtube.com/watch?v=vLU92bNeIdI)
* Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyones enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins for your little heart could ever desire.
###<a name="RE">Reverse Engineering Android</a>
[APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
[Android apk-tool](https://code.google.com/p/android-apktool/)
* It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
[Reversing and Auditing Android’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)
[Smali](https://code.google.com/p/smali/)
* smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
[Dexter](http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
* Dexter is a static android application analysis tool
[APKinpsector](https://github.com/honeynet/apkinspector/)
APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
[Reversing Android Apps Slides](http://www.floyd.ch/download/Android_0sec.pdf)
###<a name="Papers">Interesting Android Papers</a>
[Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks](http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf)
* Abstract: The security of smartphone GUI frameworks remains an important yet under-scrutinized topic. In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions. Our finding leads to a class of attacks which we name UI state inference attack.
[List of important whitepapers](https://github.com/droidsec/droidsec.github.io/wiki/Android-Whitepapers)
[Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications](https://anonymous-proxy servers.net/paper/android-remote-code-execution.pdf)
[Rage Against the Droid: Hindering Dynamic analysis of android malware](http://www.syssec-project.eu/m/page-media/3/petsas_rage_against_the_virtual_machine.pdf)
[APKLancet: Tumor Payload Diagnosis and Purification for Android Applications](http://loccs.sjtu.edu.cn/typecho/usr/uploads/2014/04/1396105336.pdf)
[DroidRay: A Security Evaluation System for CustomizedAndroid Firmwares](http://www.cs.cuhk.hk/~cslui/PUBLICATION/ASIACCS2014DROIDRAY.pdf)
[VirtualSwindle: An Automated Attack Against In-App Billing on Android](http://seclab.ccs.neu.edu/static/publications/asiaccs14virtualswindle.pdf)
[Evading Android Runtime Analysis via Sandbox Detection](https://www.andrew.cmu.edu/user/nicolasc/publications/VC-ASIACCS14.pdf)
[Enter Sandbox: Android Sandbox Comparison](http://www.mostconf.org/2014/papers/s3p1.pdf)
[Post-Mortem Memory Analysis of Cold-Booted Android Devices](http://www.homac.de/publications/Post-Mortem-Memory-Analysis-of-Cold-Booted-Android-Devices.pdf)
[Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating](http://www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidupdating.pdf)
(Exploring Android KitKat Runtime](http://www.haxpo.nl/wp-content/uploads/2014/02/D1T2-State-of-the-Art-Exploring-the-New-Android-KitKat-Runtime.pdf)
[Analyzing Inter-Application Communication in Android](https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf)
[Automatically Exploiting Potential Component Leaks in Android Applications](http://orbilu.uni.lu/bitstream/10993/16914/1/tr-pcLeaks.pdf)
[I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis](http://arxiv.org/pdf/1404.7431v1.pdf)
[Bifocals: Analyzing WebView Vulnerabilities in Android Applications](http://www.eecs.berkeley.edu/~emc/papers/Chin-WISA-WebViews.pdf)
[Analyzing Android Browser Apps for file:// Vulnerabilities](http://arxiv.org/pdf/1404.4553v3.pdf)
[FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps](http://sseblog.ec-spride.de/wp-content/uploads/2013/05/pldi14submissionFlowdroid.pdf)
[Detecting privacy leaks in Android Apps](https://publications.uni.lu/bitstream/10993/16916/1/ESSoS-DS2014-Li.pdf)
[From Zygote to Morula: Fortifying Weakened ASLR on Android](http://www.cc.gatech.edu/~blee303/paper/morula.pdf)
[Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis](http://www.cs.utexas.edu/~yufeng/papers/fse14.pdf)
[MAdFraud: Investigating Ad Fraud in Android Applications](http://www.cs.ucdavis.edu/~hchen/paper/mobisys2014.pdf)
[Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security](http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf)
[AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction](https://ece.uwaterloo.ca/~lintan/publications/asdroid-icse14.pdf)
[NativeGuard: Protecting Android Applications from Third-Party Native Libraries](http://www.cse.lehigh.edu/~gtan/paper/nativeguard.pdf)
[Into the Droid: Gaining Access to Android User Data - DEFCON](https://www.youtube.com/watch?v=MxhIo95VccI&amp;list=PLCDA5DF85AD6B4ABD)
[Android Packers](http://www.fortiguard.com/uploads/general/Area41Public.pdf)
[Xprivacy Android](https://github.com/M66B/XPrivacy#description)
[An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
[PowerSpy: Location Tracking using Mobile Device Power Analysis]http://arxiv.org/abs/1502.03182)
[Obfuscation in Android malware, and how to fight back](https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Android-obfuscation)
###<a name="Education">Educational Material</a>
[OWASP GoatDroid](https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project)
* “OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users.
The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.”
[Insecure Bank v2](https://github.com/dineshshetty/Android-InsecureBankv2)
* This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code.
###<a name="Write">Write-ups</a>
[ Inside the Android Play Service's magic OAuth flow ](http://sbktech.blogspot.com/2014/01/inside-android-play-services-magic.html)
* Owning google accounts on android devices
[Security enhancements in android through its versions](www.androidtamer.com)
[Understanding the Android bytecode](https://mariokmk.github.io/programming/2015/03/06/learning-android-bytecode.html)
* Writeup on reversing/understanding Android Bytecode
[ClockLockingBeats](https://github.com/monk-dot/ClockLockingBeats)
* Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads
###<a name="Books">Books</a>
* Android Hackers Handbook
* Android System Security Internals
###<a name="Other">Other</a>
[Android-x86 Project - Run Android on Your PC](http://www.android-x86.org/)
* This is a project to port Android open source project to x86 platform, formerly known as "patch hosting for android x86 support". The original plan is to host different patches for android x86 support from open source community. A few months after we created the project, we found out that we could do much more than just hosting patches. So we decide to create our code base to provide support on different x86 platforms, and set up a git server to host it.
[Root Tools](https://github.com/Stericson/RootTools)
* RootTools provides rooted developers a standardized set of tools for use in the development of rooted applications
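Review bot: Several entries in this removed file carry malformed markdown that will not render as links, and since this deletion is paired with re-adding the same content under `Draft/Draft/Attacking Defending Android -.txt`, please confirm the new copy fixes them rather than carrying them over: `Androguard](https://code.google.com/p/androguard)` lacks its opening `[`, `[Andrototal[(http://andrototal.org/)` has `[` where `]` belongs, `(Exploring Android KitKat Runtime](...)` opens with `(` instead of `[`, the PowerSpy entry is missing the `(` before its URL, and `[Security enhancements in android through its versions](www.androidtamer.com)` has no scheme, so it resolves as a relative path inside the repository. The removed file also lists AndBug, drozer, APK Studio, Dexter and APKinspector in two sections each; deduplicating or cross-referencing those while re-adding would make the list easier to maintain.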

+ 326
- 0
Draft/Draft/Attacking Defending Android -.txt View File

@ -0,0 +1,326 @@
| Title | Link |
| -------- | ------------------------ |
##Attacking Android Devices
#### TOC
Cull
* [Intro](#Intro)
* [Android Internals](#AInternals)
* [Securing Android](#SecAnd)
* [Android Apps](#Apps)
* [Vulnerabilities](#Vulns)
* [Exploits](#Exploits)
* [Device Analysis](#DAnalysis)
* [Application Analysis](#AppAnalysis)
* Dynamic Analysis
* Static Analysis
* Online APK Analyzers
* [Online APK Analyzers](#OnlineAPK)
* [Attack Platforms](#APlatforms)
* [Android Malware](#Malware)
* [Reverse Engineering Android](#RE)
* [Interesting Papers](#Papers)
* [Write-ups](#Write)
* [Educational Materials](#Education)
* [Books](#Books)
* [Other](#Other)
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
| **csploit** - "The most complete and advanced IT security professional toolkit on Android."(*From their site*) | http://www.csploit.org/docs.html -- [Github Link](https://github.com/cSploit/android/tree/master/cSploit)
[Droidsec - Pretty much should be your first stop](http://www.droidsec.org/wiki/)
### Cull/Sort
[AndBug - A Scriptable Android Debugger](https://github.com/swdunlop/AndBug)
* AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.
[AndroChef](http://androiddecompiler.com/)
* AndroChef Java Decompiler is Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, 8.1 decompiler for Java that reconstructs the original source code from the compiled binary CLASS files. AndroChef Java Decompiler is able to decompile the most complex Java 6 applets and binaries, producing accurate source code. AndroChef successfully decompiles obfuscated Java 6 and Java 7 .class and .jar files. Support Java language features like generics, enums and annotations. According to some studies, AndroChef Java Decompiler is able to decompile 98.04% of Java applications generated with traditional Java compilers- a very high recovery rate. It is simple but powerful tool that allows you to decompile Java and Dalvik bytecode (DEX, APK) into readable Java source. Easy to use.
[Mobile self-defense - Karsten Nohl](https://www.youtube.com/watch?v=GeCkO0fWWqc)
[Appie – Android Pentesting Portable Integrated Environment](https://manifestsecurity.com/appie/)
http://nelenkov.blogspot.com
[elsim - Elements Similarities](https://code.google.com/p/elsim/wiki/Similarity#Diffing_of_applications)
* Similarities/Differences of applications (aka rip-off indicator)
* This tool detects and reports: the identical methods; the similar methods; the deleted methods; the new methods; the skipped methods.
[playdrone](https://github.com/nviennot/playdrone)
* Google Play Crawler
[hbootdbg](https://github.com/sogeti-esec-lab/hbootdbg/)
* Debugger for HTC phones bootloader (HBOOT).
[Heimdall](https://github.com/Benjamin-Dobell/Heimdall)
* Heimdall is a cross-platform open-source tool suite used to flash firmware (aka ROMs) onto Samsung Galaxy S devices.
[Android apps in sheep's clothing](http://www.modzero.ch/modlog/archives/2015/04/01/android_apps_in_sheeps_clothing/index.html)
* We identified a security weakness in Android's approach of handling UI elements, circumventing parts of Android's sandboxing approach. While this attack is simple from a technical point of view, the impact of exploiting such a vulnerability is significant. It affects Android based devices as well as Blackberry mobile devices running the Android runtime environment.
[android-gdb](https://github.com/darchons/android-gdb)
* GDB fork targetting Android/Fennec development
[android-vm](https://github.com/dweinstein/android-vm)
* Automated provisioning and configuration of an Ubuntu VM containing the Android development environment, including Android ADT Bundle with SDK, Eclipse & the Android NDK using the Vagrant DevOps tool with Chef and shell-scripts.
[Instrumenting Android Applications with Frida](http://blog.mdsec.co.uk/2015/04/instrumenting-android-applications-with.html)
[Dissecting the Android Bouncer](https://www.duosecurity.com/blog/duo-tech-talks-dissecting-the-android-bouncer)
*
[ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)
[Android Bytecode Obfuscation - Patrick Schulz 2012](http://dexlabs.org/blog/bytecode-obfuscation)
[Android Pattern Lock Cracker](https://github.com/sch3m4/androidpatternlock)
* A little Python tool to crack the Pattern Lock on Android devices
[PatchDroid: Scalable Third-Party Security Patches for Android Devices](http://www.mulliner.org/collin/academic/publications/patchdroid.pdf)
* Android is currently the largest mobile platform with around 750 million devices worldwide. Unfortunately, more than 30% of all devices contain publicly known security vulnera- bilities and, in practice, cannot be updated through normal mechanisms since they are not longer supported by the man- ufacturer and mobile operator. This failure of traditional patch distribution systems has resulted in the creation of a large population of vulnerable mobile devices. In this paper, we present PatchDroid, a system to dis- tribute and apply third-party security patches for Android. Our system is designed for device-independent patch cre- ation, and uses in-memory patching techniques to address vulnerabilities in both native and managed code. We created a fully usable prototype of PatchDroid, including a number of patches for well-known vulnerabilities in Android devices. We evaluated our system on different devices from multiple manufacturers and show that we can effectively patch se- curity vulnerabilities on Android devices without impacting performance or usability. Therefore, PatchDroid represents a realistic path towards dramatically reducing the number of exploitable Android devices in the wild.
### **<a name="AInternals">Android Internals</a>**
| Title | Link |
| -------- | ------------------------ |
| **Dalvik opcodes** | http://pallergabor.uw.hu/androidblog/dalvik_opcodes.html
| **Dalvik Bytecode Format docs** | http://source.android.com/devices/tech/dalvik/dex-format.html
| **The Android boot process from power on** | http://www.androidenea.com/2009/06/android-boot-process-from-power-on.html
| **Trustedt Execution Environments(and Android** | https://usmile.at/sites/default/files/androidsecuritysymposium/presentations/Ekberg_AndroidAndTrustedExecutionEnvironments.pdf
### **<a name="SecAnd">Securing Android</a>**
| Title | Link |
| -------- | ------------------------ |
| **Android (In)Security** - Defcamp 2014 | https://www.youtube.com/watch?v=2aeV1JXYvuQ&index=23&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
| **Android Forensics Class** - Free - This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.| http://opensecuritytraining.info/AndroidForensics.html)
| **Android Hardening Guide by the TOR developers** - This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently. The SIP client we recommend also supports dialing normal telephone numbers if you have a SIP gateway that provides trunking service. Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.| https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy)
| **Android 4.0+ Hardening Guide/Checklist by University of Texas** | https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist)
#### Applications
| Title | Link |
| -------- | ------------------------ |
Firewall
* [Android Firewall(Requires Root)](https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall&hl=en)
Xprivacy - The Ultimate Android Privacy Manager(Requires Root
* [Github](https://github.com/M66B/XPrivacy)
* [Google Play](https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.installer&hl=en)
#### Backups
[Titanium Backup](https://play.google.com/store/apps/details?id=com.keramidas.TitaniumBackup)
Personal favorite for making backups. Backups are stored locally or automatically to various cloud services.
[Helium Backup(Root Not Required)](https://play.google.com/store/apps/details?id=com.koushikdutta.backup&hl=en)
* Backs up data locally or to various cloud services. Local client available for backups directly to PC.
### Encryption
Check the Encryption section of the overall guide for more information.
[Android Reverse Engineering Defenses](https://bluebox.com/wp-content/uploads/2013/05/AndroidREnDefenses201305.pdf)
#### **<a name="Vulns">Vulnerabilities</a>**
| Title | Link |
| -------- | ------------------------ |
| **List of Android Vulnerabilities** |http://androidvulnerabilities.org/all
#### **<a name="Exploits">Exploits</a>**
| Title | Link |
| -------- | ------------------------ |
| **List of Android Exploits** | https://github.com/droidsec/droidsec.github.io/wiki/Vuln-Exploit-List)
### **<a name="DAnalysis">Device Analysis</a>**
| Title | Link |
| -------- | ------------------------ |
| **android-cluster-toolkit** - The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once. |https://github.com/jduck/android-cluster-toolkit
| **privmap - android** - A tool for enumerating the effective privileges of processes on an Android device. |https://github.com/jduck/privmap
| **canhazaxs** - A tool for enumerating the access to entries in the file system of an Android device. |https://github.com/jduck/canhazaxs
| **Android Device Testing Framework(DTF)** - The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you'll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities. |https://github.com/jakev/dtf/tree/v1.0.3
| **drozer** - drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.| https://github.com/mwrlabs/drozer
### **<a name="AppAnalysis">Application Analysis</a>**
| Title | Link |
| -------- | ------------------------ |
| **APK Studio - Android Reverse Engineering** - APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis|https://apkstudio.codeplex.com/
| **Smali-CFGs** - Smali Control-Flow-Graphs | https://github.com/EugenioDelfa/Smali-CFGs
| **PID Cat** - An update to Jeff Sharkey's excellent logcat color script which only shows log entries for processes from a specific application package. During application development you often want to only display log messages coming from your app. Unfortunately, because the process ID changes every time you deploy to the phone it becomes a challenge to grep for the right thing. This script solves that problem by filtering by application package. Supply the target package as the sole argument to the python script and enjoy a more convenient development process. | https://github.com/JakeWharton/pidcat
| **AndBug - Scriptable Android Debugger** - AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.| https://github.com/swdunlop/AndBug
| **android-lkms** - Android Loadable Kernel Modules - mostly used for reversing and debugging on controlled systems/emulators.| https://github.com/strazzere/android-lkms
| **Simplify - Simple Android Deobfuscator** - Simplify uses a virtual machine to understand what an app does. Then, it applies optimizations to create code that behaves identically, but is easier for a human to understand. Specifically, it takes Smali files as input and outputs a Dex file with (hopefully) identical semantics but less complicated structure. | https://github.com/CalebFenton/simplify
### **<a name="Dynamic">Dynamic Analysis</a>**
| Title | Link |
| -------- | ------------------------ |
| **APKInspector** - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.| https://github.com/honeynet/apkinspector/
| DroidBox** - DroidBox is developed to offer dynamic analysis of Android applications. Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.| https://code.google.com/p/droidbox/)
| **ddi - Dynamic Dalvik Instrumentation Toolkit** - Simple and easy to use toolkit for dynamic instrumentation of Dalvik code. Instrumentation is based on library injection and hooking method entry points (in-line hooking). The actual instrumentation code is written using the JNI interface. The DDI further supports loading additional dex classes into a process. This enables instrumentation code to be partially written in Java and thus simplifies interacting with the instrumented process and the Android framework.|https://github.com/crmulliner/ddi
| **Hooker** - Hooker is an opensource project for dynamic analyses of Android applications. This project provides various tools and applications that can be use to automaticaly intercept and modify any API calls made by a targeted application. It leverages Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...). Collected information can either be stored in a distributed database (e.g. ElasticSearch) or in json files. A set of python scripts is also provided to automatize the execution of an analysis to collect any API calls made by a set of applications.|https://github.com/AndroidHooker/hooker
| **Android-SSL-TrustKiller** - Blackbox tool to bypass SSL certificate pinning for most applications running on a device.|https://github.com/iSECPartners/Android-SSL-TrustKiller
| (**JustTrustMe - Cert Pinning using Xposed** - An xposed module that disables SSL certificate checking. This is useful for auditing an appplication which does certificate pinning. You can read about the practice of cert pinning here(1). There also exists a nice framework built by @moxie to aid in pinning certs in your app: certificate pinning|https://github.com/fuzion24/justtrustme
| **AndroidPinning** - AndroidPinning is a standalone Android library project that facilitates certificate pinning for SSL connections from Android apps, in order to minimize dependence on Certificate Authorities. | https://github.com/moxie0/AndroidPinning
### **<a name="Static">Static Analysis</a>**
| Title | Link |
| -------- | ------------------------ |
| **Disect Android APKs like a Pro - Static code analysis** |http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/
| **Androguard** - Androguard is mainly a tool written in python to play with: Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), APK (Android application) (.apk), Android's binary xml (.xml), Android Resources (.arsc). Androguard is available for Linux/OSX/Windows (python powered).| https://code.google.com/p/androguard
| **Dexter** - Dexter is a static android application analysis tool. | http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
| **Static Code Analysis of Major Android Web Browsers** |http://opensecurity.in/research/security-analysis-of-android-browsers.html
| **Androwarn** - Androwarn is a tool whose main aim is to detect and warn the user about potential malicious behaviours developped by an Android application. The detection is performed with the static analysis of the application's Dalvik bytecode, represented as Smali. This analysis leads to the generation of a report, according to a technical detail level chosen from the user.| https://github.com/maaaaz/androwarn
| **Thresher** - Thresher is a static analysis tool that specializes in checking heap reachability properties. Its secret sauce is using a coarse up-front points-to analysis to focus a precise symbolic analysis on the alarms reported by the points-to analysis.|http://pl.cs.colorado.edu/projects/thresher/)
| **[PAPER]Thresher: Precise Refutations for Heap Reachability** |http://www.cs.colorado.edu/~sabl4745/papers/pldi13-thresher.pdf
| **lint - Static Analysis** - The Android lint tool is a static code analysis tool that checks your Android project source files for potential bugs and optimization improvements for correctness, security, performance, usability, accessibility, and internationalization.|https://developer.android.com/tools/help/lint.html
| **Flow Droid - Taint Analysis** - FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. |http://sseblog.ec-spride.de/tools/flowdroid/
| **[PAPER]FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps** - In this work we thus present F LOW D ROID , a novel and highly precise static taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help F LOW D ROID maintain high efficiency and precision at the same time| http://www.bodden.de/pubs/far+14flowdroid.pdf
| **dedex** - Is a command line tool for disassembling Android DEX files.|https://github.com/mariokmk/dedex
| **DexMac** - Is a native OSX application for disassembling Android DEX files. | https://github.com/mariokmk/DexMac
| **dexdissasembler** - Is a GTK tool for disassembling Android DEX files. }https://github.com/mariokmk/dexdisassemble
| **dex.Net** - A Mono/.NET library to parse Android DEX files. Its main purpose is to support utilities for disassembling and presenting the contents of DEX files. | (https://github.com/mariokmk/dex.net
| **apk2gold** - CLI tool for decompiling Android apps to Java. It does resources! It does Java! Its real easy! | https://github.com/lxdvs/apk2gold
| **Android Unpacker presented at Defcon 22: Android Hacker Protection Level 0** |https://github.com/strazzere/android-unpacker
| **byte-code viewer** - Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch. | https://github.com/Konloch/bytecode-viewer
### **<a name="OnlineAPK">Online APK Analyzers</a>**
| Title | Link |
| -------- | ------------------------ |
| **Mobile Sandbox** - Provide an Android application file (apk-file) and the Mobile-Sandbox will analyze the file for any malicious behaviour.|http://mobilesandbox.org/
| **CopperDroid** - Upload an .apk for static analysis|http://copperdroid.isg.rhul.ac.uk/copperdroid/
| **Andrototal** - AndroTotal is a free service to scan suspicious APKs against multiple mobile antivirus apps. | http://andrototal.org/
### **<a name="APlatforms">Attack Platforms</a>**
| Title | Link |
| -------- | ------------------------ |
| **drozer** - drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.|https://github.com/mwrlabs/drozer
| **Android Tamer** - Android Tamer is a one stop tool required to perform any kind of operations on Android devices / applications / network VM| http://androidtamer.com/
### **<a name="Malware">Android Malware</a>**
| Title | Link |
| -------- | ------------------------ |
| **Rundown of Android Packers** |http://www.fortiguard.com/uploads/general/Area41Public.pdf
| **APK File Infection on an Android System** | https://www.youtube.com/watch?v=HZI1hCdqKjQ&amp;list=PLCDA5DF85AD6B4ABD
| **Manifesto** - PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from http://maldr0id.blogspot.com. It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file. |https://github.com/maldroid/manifesto
| **Android Hacker Protection Level 0** - DEF CON 22 - Tim Strazzere and Jon Sawyer - Obfuscator here, packer there - the Android ecosystem is becoming a bit cramped with different protectors for developers to choose. With such limited resources online about attacking these protectors, what is a new reverse engineer to do? Have no fear, after drinking all the cheap wine two Android hackers have attacked all the protectors currently available for everyones enjoyment! Whether you've never reversed Android before or are a hardened veteran there will be something for you, along with all the glorious PoC tools and plugins for your little heart could ever desire. | https://www.youtube.com/watch?v=vLU92bNeIdI
### **<a name="RE">Reverse Engineering Android</a>**
| Title | Link |
| -------- | ------------------------ |
| **APK Studio - Android Reverse Engineering** - APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis. |https://apkstudio.codeplex.com/
| **Android apk-tool** - It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc. | https://code.google.com/p/android-apktool/
| **Reversing and Auditing Android’s Proprietary bits** |http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits
| **Smali** - smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.) |https://code.google.com/p/smali/
| APKinpsector** - APKinspector is a powerful GUI tool for analysts to analyze the Android applications.| https://github.com/honeynet/apkinspector/
| **Dexter** - Dexter is a static android application analysis tool |http://dexter.dexlabs.org/accounts/login/?next=/dashboard
| **Reversing Android Apps Slides** | http://www.floyd.ch/download/Android_0sec.pdf
### **<a name="Papers">Interesting Android Papers</a>**
| Title | Link |
| -------- | ------------------------ |
| **List of important whitepapers** | https://github.com/droidsec/droidsec.github.io/wiki/Android-Whitepapers
| **Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks** | http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf|
| **Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications** |https://anonymous-proxy-servers.net/paper/android-remote-code-execution.pdf
| **Rage Against the Droid: Hindering Dynamic analysis of android malware** | http://www.syssec-project.eu/m/page-media/3/petsas_rage_against_the_virtual_machine.pdf
| **APKLancet: Tumor Payload Diagnosis and Purification for Android Applications** | http://loccs.sjtu.edu.cn/typecho/usr/uploads/2014/04/1396105336.pdf
| **DroidRay: A Security Evaluation System for CustomizedAndroid Firmwares** | http://www.cs.cuhk.hk/~cslui/PUBLICATION/ASIACCS2014DROIDRAY.pdf
| **VirtualSwindle: An Automated Attack Against In-App Billing on Android** | http://seclab.ccs.neu.edu/static/publications/asiaccs14virtualswindle.pdf
| **Evading Android Runtime Analysis via Sandbox Detection** | https://www.andrew.cmu.edu/user/nicolasc/publications/VC-ASIACCS14.pdf
| **Enter Sandbox: Android Sandbox Comparison** | http://www.mostconf.org/2014/papers/s3p1.pdf
| **Post-Mortem Memory Analysis of Cold-Booted Android Devices** | http://www.homac.de/publications/Post-Mortem-Memory-Analysis-of-Cold-Booted-Android-Devices.pdf
| **Upgrading Your Android, Elevating My Malware: Privilege Escalation Through Mobile OS Updating** | http://www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidupdating.pdf
| **Exploring Android KitKat Runtime** | http://www.haxpo.nl/wp-content/uploads/2014/02/D1T2-State-of-the-Art-Exploring-the-New-Android-KitKat-Runtime.pdf
| **Analyzing Inter-Application Communication in Android** | https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf
| **Automatically Exploiting Potential Component Leaks in Android Applications** | http://orbilu.uni.lu/bitstream/10993/16914/1/tr-pcLeaks.pdf
| **I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis** | http://arxiv.org/pdf/1404.7431v1.pdf
| **Bifocals: Analyzing WebView Vulnerabilities in Android Applications** | http://www.eecs.berkeley.edu/~emc/papers/Chin-WISA-WebViews.pdf
| **Analyzing Android Browser Apps for file:// Vulnerabilities** | http://arxiv.org/pdf/1404.4553v3.pdf
| **FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps** | http://sseblog.ec-spride.de/wp-content/uploads/2013/05/pldi14submissionFlowdroid.pdf
| **Detecting privacy leaks in Android Apps** | https://publications.uni.lu/bitstream/10993/16916/1/ESSoS-DS2014-Li.pdf
| **From Zygote to Morula: Fortifying Weakened ASLR on Android** | http://www.cc.gatech.edu/~blee303/paper/morula.pdf
| **Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis](http://www.cs.utexas.edu/~yufeng/papers/fse14.pdf
| **MAdFraud: Investigating Ad Fraud in Android Applications](http://www.cs.ucdavis.edu/~hchen/paper/mobisys2014.pdf
| **Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security** | http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf
| **AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction** | https://ece.uwaterloo.ca/~lintan/publications/asdroid-icse14.pdf
| **NativeGuard: Protecting Android Applications from Third-Party Native Libraries**|http://www.cse.lehigh.edu/~gtan/paper/nativeguard.pdf
| **Into the Droid: Gaining Access to Android User Data** - DEFCON |https://www.youtube.com/watch?v=MxhIo95VccI&amp;list=PLCDA5DF85AD6B4ABD)
| **Android Packers** | http://www.fortiguard.com/uploads/general/Area41Public.pdf
| **Xprivacy Android** | https://github.com/M66B/XPrivacy#description
| **An Empirical Study of Cryptographic Misuse in Android Applications** | https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf
| **PowerSpy: Location Tracking using Mobile Device Power Analysis** | http://arxiv.org/abs/1502.03182
| **Obfuscation in Android malware, and how to fight back** | https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Android-obfuscation)
### **<a name="Education">Educational Material</a>**
| Title | Link |
| -------- | ------------------------ |
| **OWASP GoatDroid** - “OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.” |https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project
| **Insecure Bank v2** - This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code. |https://github.com/dineshshetty/Android-InsecureBankv2
### **<a name="Write">Write-ups</a>**
| Title | Link |
| -------- | ------------------------ |
| **Inside the Android Play Service's magic OAuth flow** - Owning google accounts on android devices | http://sbktech.blogspot.com/2014/01/inside-android-play-services-magic.html
| **Security enhancements in android through its versions** | www.androidtamer.com
| **Understanding the Android bytecode** - Writeup on reversing/understanding Android Bytecode| https://mariokmk.github.io/programming/2015/03/06/learning-android-bytecode.html
| **ClockLockingBeats** - Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads |https://github.com/monk-dot/ClockLockingBeats
### **<a name="Books">Books</a>**
| Title |
| -------- |
| Android Hackers Handbook
| Android System Security Internals
### **<a name="Other">Other</a>**
| Title | Link |
| -------- | ------------------------ |
| **Android-x86 Project - Run Android on Your PC** - This is a project to port Android open source project to x86 platform, formerly known as "patch hosting for android x86 support". The original plan is to host different patches for android x86 support from open source community. A few months after we created the project, we found out that we could do much more than just hosting patches. So we decide to create our code base to provide support on different x86 platforms, and set up a git server to host it.|http://www.android-x86.org/
| **Root Tools** - RootTools provides rooted developers a standardized set of tools for use in the development of rooted applications | https://github.com/Stericson/RootTools
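Review bot: the removed Android list carries markup defects that should not be reproduced verbatim if this content is re-added elsewhere. In the link column of the Securing Android, Exploits, Dynamic Analysis, Static Analysis and Interesting Android Papers tables a stray `)` follows the URL (e.g. `| **Android 4.0+ Hardening Guide/Checklist by University of Texas** | https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist)`), the dexdissasembler row uses `}` instead of `|` as the cell separator, the Apposcopy and MAdFraud rows use `](` in place of `** |`, the JustTrustMe and dex.Net rows have an unmatched `(`, and the DroidBox and APKinpsector rows lack the opening `**`; each of these breaks table rendering. The same file lists drozer, APK Studio, AndBug, APKInspector, Dexter and the Fortiguard Android packers slides twice under different headings, leaves an empty bullet under "Dissecting the Android Bouncer", gives a scheme-less link (`www.androidtamer.com`) in the Write-ups table, and misspells row titles ("Trustedt Execution Environments(and Android", "dexdissasembler", "APKinpsector"). Deduplicate and correct these in the replacement rather than carrying them over.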

+ 0
- 139
Draft/Draft/Attacking Defending iOS -.md

@ -1,139 +0,0 @@
##Attacking & Defending iOS
[Link Title](#anchor-name)
<a name="anchor-name"></a>
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
TOC
Cull
Hardening Guides
Techniques
Training & Tutorials
Security Testing Methodologies
General Research Papers
Reverse Engineering
Jailbreaking
###CULL
[iOS 678 Security - A Study in Fail](https://www.syscan.org/index.php/download/get/bec31d45168aa331fc01f84451e11186/SyScan15%20Stefan%20Esser%20-%20iOS%20678%20Security%20-%20A%20Study%20in%20Fail.pdf)
[Jailbreak Stories - Cyril Cattiaux(pod2g) - WWJC 2014](https://www.youtube.com/watch?v=OBFLTb-AY38)
[Pentesting iOS Applications - Pentester Academy - Paid Course](http://www.pentesteracademy.com/course?id=2)
* This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques.
###List of Hardening Guides for iOS
[Excellent forum post detailing general security practices](https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/)
[Apple’s white paper on their security mechanisms built into iOS](https://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf)
[University of Texas’s Checklist/Guide to securing iOS](https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist)
[Center for Internet Security Guide to securing iOS 7](https://benchmarks.cisecurity.org/tools2/iphone/CIS_Apple_iOS_7_Benchmark_v1.1.0.pdf)
[Australian Signals Intel Guide to securing iOS 7](http://www.asd.gov.au/publications/iOS7_Hardening_Guide.pdf)
[Excellent forum post detailing general security practices](https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/)
[Guide to hardening iOS with the goal of privacy](http://cydia.radare.org/sec/)
###Vulnerabilities/Exploits
[List of iOS Exploits](http://theiphonewiki.com/wiki/Category:Exploits)
###Techniques
###Training & Tutorials
[Bypassing SSL Cert Pinning in iOS](http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html)
[Learning iOS Application Security - 34 part series - damnvulnerableiosapp](http://damnvulnerableiosapp.com/#learn)
* iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
* [Damn Vulnerable iOS App - Getting Started](http://damnvulnerableiosapp.com/2013/12/get-started/)
[OWASP iGOAT](https://www.owasp.org/index.php/OWASP_iGoat_Project)
* “iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.”
###iOS Security Testing Methodologies/Tools
[iPwn Apps: Pentesting iOS Applications - SANS](https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577)
[iOS Application Security Testing Cheat Sheet](https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet)
[idb](https://github.com/dmayer/idb)
* idb is a tool to simplify some common tasks for iOS pentesting and research. It is still a work in progress but already provides a bunch of (hopefully) useful commands. The goal was to provide all (or most) functionality for both, iDevices and the iOS simulator. For this, a lot is abstracted internally to make it work transparently for both environments. Although recently the focus has been more on supporting devices.
* [idb project page](http://cysec.org/blog/2014/01/23/idb-ios-research-slash-pentesting-tool/)
* [idb - iOS Blackbox Pentesting - Daniel A Meyer](http://matasano.com/research/Introducing_idb_-_Simplified_Blackbox_iOS_App_Pentesting.pdf)
* [github page](https://github.com/dmayer/idb)
###General Research Papers
###Reverse Engineering
[IODIDE - The IOS Debugger and Integrated Disassembler Environment](https://github.com/nccgroup/IODIDE)
[Clutch](https://github.com/KJCracks/Clutch)
* Fast iOS executable dumper
[MEMSCAN - Dump iPhone app RAM](http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/)
* A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.
[IOS Reverse Engineering toolkit](https://github.com/S3Jensen/iRET)
* The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including:
binary analysis using otool
keychain analysis using keychain_dumper
reading database content using sqlite
reading log and plist files
binary decryption using dumpdecrypted
dumping binary headers using class_dump_z
creating, editing, installing theos tweaks
###Jailbreaking
[Guide to hardening iOS with the goal of privacy](http://cydia.radare.org/sec/)
[IPhoneDevWiki](http://iphonedevwiki.net/index.php/Main_Page)
* “Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”
[The iPhone Wiki](http://theiphonewiki.com/wiki/Main_Page)
* The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices.
[OWASP Jailbreaking Cheat Sheet](https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet)
###iOS Development
[imas](https://project-imas.github.io/)
* Defense for your iOS app - for developers
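Review bot: this appears as a whole-file delete of `Attacking Defending iOS -.md` paired with a fresh add of the `.txt` in the next hunk, not as a rename, so `git log --follow` and blame history for the file are cut here; the later files in this commit (`Building A Pentest Lab.md → Building A Pentest Lab.txt` onward) were renamed in place and keep their history. Consider landing the `.md` → `.txt` rename as its own commit and the table conversion as a follow-up so git can detect the rename. Also, the duplicated entries in this file should not be carried forward: the raymond.cc forum post is listed twice under `List of Hardening Guides for iOS`, and the cydia.radare.org hardening guide appears under both `List of Hardening Guides for iOS` and `Jailbreaking`.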

+ 107
- 0
Draft/Draft/Attacking Defending iOS -.txt View File

@ -0,0 +1,107 @@
## Attacking & Defending iOS
[Link Title](#anchor-name)
<a name="anchor-name"></a>
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
#### TOC
[Cull](#cull)
[Hardening Guides](#harden)
[Techniques](#tech)
[Training & Tutorials](#train)
[Security Testing Methodologies](#test)
[General Research Papers](#research)
[Reverse Engineering](#re)
[Jailbreaking](#jail)
### <a name="cull">Cull</a>
| Title | Link |
| -------- | ------------------------ |
| **iOS 678 Security - A Study in Fail** | https://www.syscan.org/index.php/download/get/bec31d45168aa331fc01f84451e11186/SyScan15%20Stefan%20Esser%20-%20iOS%20678%20Security%20-%20A%20Study%20in%20Fail.pdf
| **Jailbreak Stories - Cyril Cattiaux(pod2g) - WWJC 2014** | https://www.youtube.com/watch?v=OBFLTb-AY38
| **Mobile self-defense - Karsten Nohl** | https://www.youtube.com/watch?v=GeCkO0fWWqc
| **Pentesting iOS Applications - Pentester Academy - Paid Course** - This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques. | http://www.pentesteracademy.com/course?id=2
### <a name="harden">List of Hardening Guides for iOS</a>
| Title | Link |
| -------- | ------------------------ |
| **Excellent forum post detailing general security practices** | https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/
| **Apple’s white paper on their security mechanisms built into iOS** | https://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf)
| **University of Texas’s Checklist/Guide to securing iOS** | https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist
| **Center for Internet Security Guide to securing iOS 7** | https://benchmarks.cisecurity.org/tools2/iphone/CIS_Apple_iOS_7_Benchmark_v1.1.0.pdf
| **Australian Signals Intel Guide to securing iOS 7** | http://www.asd.gov.au/publications/iOS7_Hardening_Guide.pdf
| **Excellent forum post detailing general security practices** | https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/
| **Guide to hardening iOS with the goal of privacy** | http://cydia.radare.org/sec/
### <a name="vuln">Vulnerabilities/Exploits</a>
[List of iOS Exploits](http://theiphonewiki.com/wiki/Category:Exploits)
### <a name="tech">Techniques</a>
| Title | Link |
| -------- | ------------------------ |
### <a name="train">Training & Tutorials</a>
| Title | Link |
| -------- | ------------------------ |
| **Bypassing SSL Cert Pinning in iOS** | http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html
| **Learning iOS Application Security - 34 part series - damnvulnerableiosapp** | http://damnvulnerableiosapp.com/#learn
| **iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
| **Damn Vulnerable iOS App - Getting Started** | http://damnvulnerableiosapp.com/2013/12/get-started/
| **OWASP iGOAT** - “iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.” | https://www.owasp.org/index.php/OWASP_iGoat_Project
### <a name="test">iOS Security Testing Methodologies/Tools</a>
| Title | Link |
| -------- | ------------------------ |
| **iPwn Apps: Pentesting iOS Applications - SANS** | https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577
| **iOS Application Security Testing Cheat Sheet** | https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet
| **idb** - idb is a tool to simplify some common tasks for iOS pentesting and research. It is still a work in progress but already provides a bunch of (hopefully) useful commands. The goal was to provide all (or most) functionality for both, iDevices and the iOS simulator. For this, a lot is abstracted internally to make it work transparently for both environments. Although recently the focus has been more on supporting devices. | https://github.com/dmayer/idb
| **idb project page** | http://cysec.org/blog/2014/01/23/idb-ios-research-slash-pentesting-tool/)
| **idb - iOS Blackbox Pentesting - Daniel A Meyer** | http://matasano.com/research/Introducing_idb_-_Simplified_Blackbox_iOS_App_Pentesting.pdf
| **idb github page** | https://github.com/dmayer/idb
### <a name="papers">General Research Papers</a>
| Title | Link |
| -------- | ------------------------ |
### <a name="re">Reverse Engineering</a>
| Title | Link |
| -------- | ------------------------ |
| **IODIDE - The IOS Debugger and Integrated Disassembler Environment** | https://github.com/nccgroup/IODIDE
| **Clutch** - Fast iOS executable dumper | https://github.com/KJCracks/Clutch
| **MEMSCAN - Dump iPhone app RAM** - A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use. | http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/
| **IOS Reverse Engineering toolkit** | https://github.com/S3Jensen/iRET
### <a name="jail">Jailbreaking</a>
| Title | Link |
| -------- | ------------------------ |
| **Guide to hardening iOS with the goal of privacy** | http://cydia.radare.org/sec/
| **IPhoneDevWiki** - “Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”| http://iphonedevwiki.net/index.php/Main_Page
| The iPhone Wiki** - The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices. | http://theiphonewiki.com/wiki/Main_Page
| **OWASP Jailbreaking Cheat Sheet** | https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
### <a name="dev">iOS Development</a>
| Title | Link |
| -------- | ------------------------ |
| **imas** - Defense for your iOS app - for developers | https://project-imas.github.io/
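Review bot: the TOC in this new file does not fully resolve: `[General Research Papers](#research)` points at an anchor that is actually defined as `<a name="papers">`, while `Vulnerabilities/Exploits` (`#vuln`) and `iOS Development` (`#dev`) have anchors but no TOC entry. The `[Link Title](#anchor-name)` / `<a name="anchor-name"></a>` pair at the top is template scaffolding and should be removed. Table defects worth fixing before merge: the Apple white paper row and the `idb project page` row end their URL with a stray `)`, which breaks the link; the raymond.cc forum post row is duplicated; the row beginning `| **iOS app designed to be vulnerable` has an unclosed `**` and no link cell, so it renders as a broken row (fold it into the damnvulnerableiosapp row as its description); the `The iPhone Wiki**` row is missing its opening `**`; and the `Vulnerabilities/Exploits` section is a bare link rather than a table row like every other section.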

+ 0
- 158
Draft/Draft/BIOS UEFI Attacks Defenses.md View File

@ -1,158 +0,0 @@
##Low Level Attacks/Firmware/BIOS/UEFI
[Timeline of Low level software and hardware attack papers](http://timeglider.com/timeline/5ca2daa6078caaf4)
BIOS/UEFI Firmware
Writeups
###Cull
[Exploiting UEFI boot script table vulnerability](http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html)
[20 Ways Past Secure Boot - Job de Haas - Troopers14](https://www.youtube.com/watch?v=74SzIe9qiM8)
[Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
[CHIPSEC module that exploits UEFI boot script table vulnerability](https://github.com/Cr4sh/UEFI_boot_script_expl)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Understanding AMT, UEFI BIOS and Secure boot relationships](https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships)
[Debug Agent Based UEFI Debugging](https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug)
* The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports
[Official UEFI Site - Specs](http://www.uefi.org/specsandtesttools)
[UEFI - OSDev Wiki](http://wiki.osdev.org/UEFI)
[Easily create UEFI applications using Visual Studio 2013 ](http://pete.akeo.ie/2015/01/easily-create-uefi-applications-using.html)
[Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
[Windows UEFI startup – A technical overview](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.
http://www.legbacore.com/Research.html
http://www.legbacore.com/Research.html
http://www.stoned-vienna.com/11111
https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf
http://forums.mydigitallife.info/forums/34-MDL-Projects-and-Applications
http://forums.mydigitallife.info/forums/25-BIOS-Mods
https://01.org/linux-uefi-validation/overview
[Technical Overview of Windows UEFI Startup Process](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
[Hacking Measured Boot and UEFI - Defcon20](https://www.youtube.com/watch?v=oiqcog1sk2E)
* There's been a lot buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs.
[BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013](https://www.youtube.com/watch?v=NbYZ4UCN9GY)
###Firmware Analysis
[An Introduction to Firmware Analysis[30c3]](https://www.youtube.com/watch?v=kvfP7StmFxY)
* This talk gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation.
Reverse Engineering Router Firmware walk through
* [Part 1](http://www.secforce.com/blog/2014/04/reverse-engineer-router-firmware-part-1/)
* [Part 2](http://www.secforce.com/blog/2014/07/reverse-engineer-router-firmware-part-2/)
[Firmware Modifcation kit](https://code.google.com/p/firmware-mod-kit/)
* This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images.
[Binwalk](https://github.com/devttys0/binwalk)
Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
[Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html
)
[SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics](http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html)
[hwlat_detector: A system hardware latency detector -Linux Kernel Module](http://ftp.dei.uc.pt/pub/linux/kernel/people/jcm/hwlat_detector/hwlat-detector-1.0.0.patch)
* This patch introduces a new hardware latency detector module that can be used
to detect high hardware-induced latencies within the system. It was originally
written for use in the RT kernel, but has wider applications.
[Attacking Intel ® Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska](https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf)
http://forums.mydigitallife.info/forums/25-BIOS-Mods
[System Management Mode Hack Using SMM for "Other Purposes](http://phrack.org/issues/65/7.html)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
[A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski](http://phrack.org/issues/66/11.html#article)
* The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger.
[Exploiting UEFI boot script table vulnerability](http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html)
[Attacking UEFI Boot Script](https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf)
* Abstract—UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM.
[BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013](https://www.youtube.com/watch?v=NbYZ4UCN9GY)
[WindSLIC SLIC injectors](https://github.com/untermensch/WindSLIC)
* includes UEFI, NTFS, bootmgr SLIC injectors and installers.
[ UEFI Firmware Parser](https://github.com/theopolis/uefi-firmware-parser)
* The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials.
Professor’s page:
http://www.cl.cam.ac.uk/~sps32/
Grab links for his papers
[Hardware Backdooring is Practical -Jonathan Brossard - Defcon20](https://www.youtube.com/watch?v=umBruM-wFUw)
[Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
[Attacking “secure” chips](https://www.youtube.com/watch?v=w7PT0nrK2BE)
[Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
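Review bot: this deleted file carried several duplicate entries, and some of them survive into the replacement `.txt` in the next hunk, so de-duplicate there rather than here: `http://www.legbacore.com/Research.html` twice in a row, `forums/25-BIOS-Mods` twice, and the saferbytes Windows UEFI startup article under two different titles (`Windows UEFI startup – A technical overview` and `Technical Overview of Windows UEFI Startup Process`) all reappear; the `Exploiting UEFI boot script table vulnerability` and `BIOS Chronomancy` duplicates were correctly collapsed there. The `Writeups` line under `BIOS/UEFI Firmware` is a heading with nothing beneath it, and `Professor’s page: ... Grab links for his papers` is a personal to-do note rather than list content.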

+ 128
- 0
Draft/Draft/BIOS UEFI Attacks Defenses.txt View File

@ -0,0 +1,128 @@
## Low Level Attacks/Firmware/BIOS/UEFI
[Timeline of Low level software and hardware attack papers](http://timeglider.com/timeline/5ca2daa6078caaf4)
TOC
* [General](#general)
* [BIOS/UEFI Firmware Analysis](#firmware)
* [Exploitation](#exploit)
* [Tools](#tools)
* [Writeups](#writeups)
### Cull
[Building reliable SMM backdoor for UEFI based platforms](http://blog.cr4.sh/2015/07/building-reliable-smm-backdoor-for-uefi.html)
http://www.legbacore.com/Research.html
http://www.legbacore.com/Research.html
http://www.stoned-vienna.com/11111
https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf
http://forums.mydigitallife.info/forums/34-MDL-Projects-and-Applications
http://forums.mydigitallife.info/forums/25-BIOS-Mods
https://01.org/linux-uefi-validation/overview
[The Empire Strikes Back Apple – how your Mac firmware security is completely broken](https://reverse.put.as/2015/05/29/the-empire-strikes-back-apple-how-your-mac-firmware-security-is-completely-broken/)
* Writeup on compromise of UEFI on apple hardware.
[ida-uefiutils](https://github.com/snare/ida-efiutils/)
* Some scripts for IDA Pro to assist with reverse engineering EFI binaries
Professor’s page:
http://www.cl.cam.ac.uk/~sps32/
Grab links for his papers
http://forums.mydigitallife.info/forums/25-BIOS-Mods
## <a name="general">General</a>
| Title | Link |
| -------- | ------------------------ |
| **Official UEFI Site - Specs** | http://www.uefi.org/specsandtesttools
| **UEFI - OSDev Wiki** | http://wiki.osdev.org/UEFI
| **Technical Overview of Windows UEFI Startup Process** | http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/
| **Understanding AMT, UEFI BIOS and Secure boot relationships** | https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships
| **Windows UEFI startup – A technical overview]** - Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.| http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/
| **Extensible Firmware Interface (EFI) and Unified EFI (UEFI)** | http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html
| **Intel ME (Manageability engine) Huffman algorithm]** | http://io.smashthestack.org/me/
## Talks & Presentations
| Title | Link |
| -------- | ------------------------ |
| **BIOS Chronomancy: Fixing the Core Root of Trust for Measurement - BlackHat 2013** | https://www.youtube.com/watch?v=NbYZ4UCN9GY
| **Hacking Measured Boot and UEFI - Defcon20** - There's been a lot buzz about UEFI Secure Booting, and the ability of hardware and software manufacturers to lock out third-party loaders (and rootkits). Even the NSA has been advocating the adoption of measured boot and hardware-based integrity checks. But what does this trend mean to the open source and hacker communities? In this talk I'll demonstrate measured boot in action. I'll also be releasing my new Measured Boot Tool which allows you to view Trusted Platform Module (TPM) boot data and identify risks such as unsigned early-boot drivers. And, I'll demonstrate how measured boot is used for remote device authentication. Finally, I'll discuss weaknesses in the system (hint: bootstrapping trust is still hard), what this technology means to the consumerization trend in IT, and what software and services gaps exist in this space for aspiring entrepreneurs.| https://www.youtube.com/watch?v=oiqcog1sk2E
| **Hardware Backdooring is Practical -Jonathan Brossard** | https://www.youtube.com/watch?v=umBruM-wFUw
| **Attacking “secure” chips** | https://www.youtube.com/watch?v=w7PT0nrK2BE
| **Attackin the TPM part 2https://www.youtube.com/watch?v=h-hohCfo4LA
| **Breaking apple touchID cheaply** | http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
## Firmware Analysis
| Title | Link |
| -------- | ------------------------ |
| **An Introduction to Firmware Analysis[30c3]** - This talk gives an introduction to firmware analysis: It starts with how to retrieve the binary, e.g. get a plain file from manufacturer, extract it from an executable or memory device, or even sniff it out of an update process or internal CPU memory, which can be really tricky. After that it introduces the necessary tools, gives tips on how to detect the processor architecture, and explains some more advanced analysis techniques, including how to figure out the offsets where the firmware is loaded to, and how to start the investigation. | https://www.youtube.com/watch?v=kvfP7StmFxY
| **Analyzing and Running binaries from Firmware Images - Part 1** | http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html
| **Binwalk** - Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images. | https://github.com/devttys0/binwalk
| **SIMET Box Firmware Analysis: Embedded Device Hacking & Forensics** | http://w00tsec.blogspot.com.br/2013/08/simet-box-firmware-analysis-embedded.html
| **hw0lat_detector: A system hardware latency detector -Linux Kernel Module** - This patch introduces a new hardware latency detector module that can be used to detect high hardware-induced latencies within the system. It was originally written for use in the RT kernel, but has wider applications.| http://ftp.dei.uc.pt/pub/linux/kernel/people/jcm/hwlat_detector/hwlat-detector-1.0.0.patch
Reverse Engineering Router Firmware walk through
* [Part 1](http://www.secforce.com/blog/2014/04/reverse-engineer-router-firmware-part-1/)
* [Part 2](http://www.secforce.com/blog/2014/07/reverse-engineer-router-firmware-part-2/)
## Exploitation
| Title | Link |
| -------- | ------------------------ |
| **CHIPSEC module that exploits UEFI boot script table vulnerability** | https://github.com/Cr4sh/UEFI_boot_script_expl
| **System Management Mode Hack Using SMM for "Other Purposes** - The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger. | http://phrack.org/issues/65/7.html)
| **A Real SMM Rootkit: Reversing and Hooking BIOS SMI Handlers - Filip Wecherowski** - The research provided in this paper describes in details how to reverse engineer and modify System Management Interrupt (SMI) handlers in the BIOS system firmware and how to implement and detect SMM keystroke logger. This work also presents proof of concept code of SMM keystroke logger that uses I/O Trap based keystroke interception and a code for detection of such keystroke logger. | http://phrack.org/issues/66/11.html#article
| **Exploiting UEFI boot script table vulnerability** | http://blog.cr4.sh/2015/02/exploiting-uefi-boot-script-table.html
| **Attacking Intel ® Trusted Execution Technology Rafal Wojtczuk and Joanna Rutkowska** | https://www.blackhat.com/presentations/bh-dc-09/Wojtczuk_Rutkowska/BlackHat-DC-09-Rutkowska-Attacking-Intel-TXT-slides.pdf
| **Attacking UEFI Boot Script** - Abstract—UEFI Boot Script is a data structure interpreted by UEFI firmware during S3 resume. We show that on many systems, an attacker with ring0 privileges can alter this data structure. As a result, by forcing S3 suspend/resume cycle, an attacker can run arbitrary code on a platform that is not yet fully locked. The consequences include ability to overwrite the flash storage and take control over SMM.| https://frab.cccv.de/system/attachments/2566/original/venamis_whitepaper.pdf
| **Breaking IPMI/BMC** | http://fish2.com/ipmi/how-to-break-stuff.html
| **20 Ways Past Secure Boot - Job de Haas - Troopers14** | https://www.youtube.com/watch?v=74SzIe9qiM8
## Tools
| | |
| -------- | ------------------------ |
| **WindSLIC SLIC injectors** - includes UEFI, NTFS, bootmgr SLIC injectors and installers. | https://github.com/untermensch/WindSLIC
| **UEFI Firmware Parser** - The UEFI firmware parser is a simple module and set of scripts for parsing, extracting, and recreating UEFI firmware volumes. This includes parsing modules for BIOS, OptionROM, Intel ME and other formats too. Please use the example scripts for parsing tutorials. | https://github.com/theopolis/uefi-firmware-parser
| **Firmware Modifcation kit** - This kit is a collection of scripts and utilities to extract and rebuild linux based firmware images.| https://code.google.com/p/firmware-mod-kit/
| **Debug Agent Based UEFI Debugging** - The Intel® System Debugger now supports non-JTAG based debug of UEFI BIOS, this requires the use of a target-side debug agent and a USB or serial connection to the debug agent. This article takes you through the steps necessary and the the debug methodology used bey the Intel® System Debugger to use this method to supplement the pure JTAG based UEFI debug method it also supports | https://software.intel.com/en-us/articles/xdb-agent-based-uefi-debug
## Papers & Writeups
| Title | Link |
| -------- | ------------------------ |
| **Security Evaluation of Intel's Active Management Technology** | http://people.kth.se/~maguire/DEGREE-PROJECT-REPORTS/100402-Vassilios_Ververis-with-cover.pdf
| **Easily create UEFI applications using Visual Studio 2013* | http://pete.akeo.ie/2015/01/easily-create-uefi-applications-using.html
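Review bot: four of the five TOC links in this file are dead: `#firmware`, `#exploit`, `#tools` and `#writeups` are referenced but only `<a name="general">` is defined, so the `Firmware Analysis`, `Exploitation`, `Tools` and `Papers & Writeups` headings need matching `<a name=...>` tags, and `Cull` and `Talks & Presentations` are missing from the TOC entirely. Heading levels are inconsistent under the `##` file title (`### Cull` but `## General`, `## Tools`, and so on). Row-level defects that break rendering or links: the `Attackin the TPM part 2` row runs the title straight into the URL with no closing `**` or `|`; the `Breaking apple touchID cheaply` and `System Management Mode Hack` URLs end in a stray `)`; `Windows UEFI startup – A technical overview]` and `Intel ME (Manageability engine) Huffman algorithm]` carry a stray `]` in the title; `Easily create UEFI applications using Visual Studio 2013*` has unbalanced `*`; and the `Tools` table has an empty header row (`| | |`). Content points: `hw0lat_detector` is a typo for `hwlat_detector` (the URL path itself says `hwlat_detector`); `Modifcation`, `the the`, `bey` and `Attackin` are typos; the `System Management Mode Hack` and `A Real SMM Rootkit` rows carry the identical description word for word, so one of them is a paste error and should be checked against its own article; `legbacore.com/Research.html` is listed twice in a row and `forums/25-BIOS-Mods` twice; and `Professor’s page ... Grab links for his papers` is a to-do note, not an entry.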

+ 0
- 36
Draft/Draft/Basic Security Information.md View File

@ -1,36 +0,0 @@
##Basic Security Principles/Information
[Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)
[Information Security For Journalist book - Centre for Investigative Journalism](http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf)
[Access control best practices](https://srlabs.de/acs/)
Shodan Guide
[Shodan Man page](http://www.shodanhq.com/help)
[Shodan Filter Reference](http://www.shodanhq.com/help/filters)
[Shodan FAQ](http://www.shodanhq.com/help/faq)

+ 34
- 0
Draft/Draft/Basic Security Information.txt View File

@ -0,0 +1,34 @@
## Basic Security Principles/Information
### Basic Information
These are links to basic technically links or things I feel might help someone new to the field.
| Title | Link |
| -------- | ------------------------ |
### General
| Title | Link
| -------- | --------- |
| 'Types of Authentication' | http://www.gfi.com/blog/security-101-authentication-part-2/ |
|Information Security For Journalist book - Centre for Investigative Journalism| http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf |
| Access control best practices | https://srlabs.de/acs/ |
| Programming Sucks | http://www.stilldrinking.org/programming-sucks |
### Metasploit
| Title | Link
| -------- | --------- |
| Introduction To Metasploit – The Basics | http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/ |
### Shodan
| Title | Link
| -------- | --------- |
| Shodan Man page | http://www.shodanhq.com/help |
| Shodan Filter Reference | http://www.shodanhq.com/help/filters |
| Shodan FAQ | http://www.shodanhq.com/help/faq |
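Review bot: the `Basic Information` section consists of a table header with no rows (`| Title | Link |` followed only by the separator line), so it renders as an empty table; either drop it or move the `General` rows under it. The intro sentence `These are links to basic technically links or things I feel might help someone new to the field.` reads `links to ... links`; something like `These are links to basic technical resources or things I feel might help someone new to the field.` would be cleaner. Table formatting is inconsistent within the file: the `General`, `Metasploit` and `Shodan` header rows lack the trailing `|` that their body rows have, `'Types of Authentication'` is the only title wrapped in quotes, and the `Information Security For Journalist book` row lacks the cell padding the other rows use.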

Draft/Draft/Building A Pentest Lab.md → Draft/Draft/Building A Pentest Lab.txt
Draft/Draft/CTFs & Wargames -.md → Draft/Draft/CTFs & Wargames -.txt
Draft/Draft/Cheat sheets reference pages Checklists -.md → Draft/Draft/Cheat sheets reference pages Checklists -.txt
Draft/Draft/Conference Video Archives Stuff -.md → Draft/Draft/Conference Video Archives Stuff -.txt
Draft/Draft/Counter Surveillance.md → Draft/Draft/Counter Surveillance.txt
Draft/Draft/Courses & Training -.md → Draft/Draft/Courses & Training -.txt
Draft/Draft/CryptoCurrencies.md → Draft/Draft/CryptoCurrencies.txt
Draft/Draft/Cryptography & Encryption.md → Draft/Draft/Cryptography & Encryption.txt
Draft/Draft/Darknets -.md → Draft/Draft/Darknets -.txt
Draft/Draft/Data AnalysisVisualization.md → Draft/Draft/Data AnalysisVisualization.txt
Draft/Draft/Disclosure -.md → Draft/Draft/Disclosure -.txt
Draft/Draft/Disinformation -.md → Draft/Draft/Disinformation -.txt
Draft/Draft/Documentation & Reports -.md → Draft/Draft/Documentation & Reports -.txt
Draft/Draft/Embedded Device & Hardware Hacking -.md → Draft/Draft/Embedded Device & Hardware Hacking -.txt
Draft/Draft/Exfiltration.md → Draft/Draft/Exfiltration.txt
Draft/Draft/Exploit Development.md → Draft/Draft/Exploit Development.txt
Draft/Draft/Forensics Incident Response.md → Draft/Draft/Forensics Incident Response.txt
Draft/Draft/Frameworks Methodologies.md → Draft/Draft/Frameworks Methodologies.txt
Draft/Draft/Fuzzing Bug Hunting.md → Draft/Draft/Fuzzing Bug Hunting.txt
Draft/Draft/Google Hacking.md → Draft/Draft/Google Hacking.txt
Draft/Draft/Home Security.md → Draft/Draft/Home Security.txt
Draft/Draft/Honeypots -.md → Draft/Draft/Honeypots -.txt
Draft/Draft/Interesting Things Useful stuff.md → Draft/Draft/Interesting Things Useful stuff.txt
Draft/Draft/Links.md → Draft/Draft/Links.txt
Draft/Draft/Lockpicking -.md → Draft/Draft/Lockpicking -.txt
Draft/Draft/Malware.md → Draft/Draft/Malware.txt
Draft/Draft/Network Attacks & Defenses.md → Draft/Draft/Network Attacks & Defenses.txt
Draft/Draft/Network Security Monitoring & Logging.md → Draft/Draft/Network Security Monitoring & Logging.txt
Draft/Draft/Open Source Intelligence.md → Draft/Draft/Open Source Intelligence.txt
Draft/Draft/Password Bruting and Hashcracking.md → Draft/Draft/Password Bruting and Hashcracking.txt
Draft/Draft/Phishing.md → Draft/Draft/Phishing.txt
Draft/Draft/Phyiscal Security.md → Draft/Draft/Phyiscal Security.txt
Draft/Draft/Privilege Escalation & Post-Exploitation.md → Draft/Draft/Privilege Escalation & Post-Exploitation.txt
Draft/Draft/Programming - Languages Libs Courses References.md → Draft/Draft/Programming - Languages Libs Courses References.txt
Draft/Draft/Reverse Engineering - REMath Literature.md → Draft/Draft/Reverse Engineering - REMath Literature.txt
Draft/Draft/Reverse Engineering.md → Draft/Draft/Reverse Engineering.txt
Draft/Draft/Rootkits.md → Draft/Draft/Rootkits.txt
Draft/Draft/Sandboxes.md → Draft/Draft/Sandboxes.txt
Draft/Draft/Screen Scraping.md → Draft/Draft/Screen Scraping.txt
Draft/Draft/Securing Hardening.md → Draft/Draft/Securing Hardening.txt
Draft/Draft/Simulations.md → Draft/Draft/Simulations.txt
Draft/Draft/Social Engineering.md → Draft/Draft/Social Engineering.txt

+ 0
- 50
Draft/Draft/Steal Everything Kill Everyone Profit.md View File

@ -1,50 +0,0 @@
###Steal Everything; Kill Everyone; Profit!
#####j/k please don’t. :3
[Too Many Cooks; Exploiting the Internet of Tr-069](http://mis.fortunecook.ie/)
[Ever wanted to scan the internet in a few hours?](http://blog.erratasec.com/2013/10/faq-from-where-can-i-scan-internet.html)
[The Eavesdropper’s Dillemma](http://www.crypto.com/papers/internet-tap.pdf)
Coding Malware for fun and no profit
* [Git Page](https://github.com/MalwareTech/TinyXPB)
* [TinyXPB-Winxp Bootkit](http://www.scribd.com/doc/217533462/TinyXPB-Windows-XP-32-Bit-Bootkit)
* [Writing Malware for fun but not profit](http://www.malwaretech.com/2014/04/coding-malware-for-fun-and-not-for.html)
[Use google bots to perform SQL injections on websites](http://blog.sucuri.net/2013/11/google-bots-doing-sql-injection-attacks.html)
[Device Pharmer](https://github.com/DanMcInerney/device-pharmer)
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
[Implanting a Dropcam](https://www.defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Achilles Heel of the American Banking System](http://www.irongeek.com/i.php?page=videos/derbycon4/the-achilles-heel-of-the-banking-system)
[Different Type of SCADA](http://scadastrangelove.blogspot.com/2014/10/different-type-of-scada.html)
[Attacking *multifunction* printers and getting creds from them](www.irongeek.com/i.php?page=videos/bsidescleveland2014/plunder-pillage-and-print-the-art-of-leverage-multifunction-printers-during-penetration-testing-deral-heiland)
[Spidernet](https://github.com/wandering-nomad/Spidernet)
* Proof of Concept of SSH Botnet C&C Using Python
[Weapons of Mass Distraction](http://conference.hitb.org/hitbsecconf2014kul/materials/D2T1%20-%20Haroon%20Meer%20Azhar%20Desai%20and%20Marco%20Slaviero%20-%20Weapons%20of%20Mass%20Distraction.pdf)
* In this talk, we aim to briefly cover the background of sock puppets (and related attacks) before moving on to real world demonstrations & “attacks“. Rigging polls, abusing Twitter, causing Reddit riots & targeting popular news organisations are some of the (many) attacks covered. In all these cases we discuss what we tried, what worked, what didn’t and what the implications are of the attacks. Where possible we will cover defences and solutions.
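Review bot: this file is removed outright (+0 -50) while every other Draft/Draft entry in this commit is a rename from .md to .txt, and the commit message ("Some stuff added/changed/removed") does not say whether its 50 lines of references (the IPMI/BMC, Dropcam, door-control-system and Weapons of Mass Distraction links, among others) were carried into another file or dropped on purpose; if they are meant to survive, make this a rename like the rest, otherwise state the destination or the reason for the deletion in the commit message so the removal can be reviewed against it.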