
Added more stuff

pull/8/head
root, 6 years ago
commit 2ea0fe51a3
31 changed files with 1039 additions and 409 deletions
1. +22 -2 Draft/Anonymity Opsec Privacy -.md
2. +10 -0 Draft/Attacking Defending iOS -.md
3. +6 -0 Draft/Basic Security Information.md
4. +41 -3 Draft/Building A Pentest Lab.md
5. +8 -1 Draft/CTFs & Wargames -.md
6. +9 -2 Draft/Car Hacking.md
7. +1 -1 Draft/Courses & Training -.md
8. +1 -1 Draft/Cryptography & Encryption.md
9. +1 -1 Draft/Documentation & Reports -.md
10. +24 -1 Draft/Embedded Device & Hardware Hacking -.md
11. +62 -11 Draft/Exploit Development.md
12. +18 -7 Draft/Forensics Incident Response.md
13. +14 -1 Draft/Fuzzing Bug Hunting.md
14. +60 -5 Draft/Interesting Things Useful stuff.md
15. +60 -4 Draft/Network Attacks & Defenses.md
16. +46 -32 Draft/Network Security Monitoring & Logging.md
17. +12 -1 Draft/Open Source Intelligence.md
18. +8 -3 Draft/Password Bruting and Hashcracking.md
19. +49 -11 Draft/Phishing.md
20. +71 -9 Draft/Privilege Escalation & Post-Exploitation.md
21. +26 -7 Draft/Programming - Languages Libs Courses References.md
22. +14 -4 Draft/Reverse Engineering.md
23. +1 -0 Draft/Social Engineering.md
24. +15 -16 Draft/System Internals Windows and Linux Internals Reference.md
25. +19 -1 Draft/Threat Modeling.md
26. +2 -2 Draft/Various purpiose based OS's.md
27. +127 -28 Draft/Web & Browsers.md
28. +7 -5 Draft/Wireless Networks & RF.md
29. +1 -1 Draft/sekep.md
30. +303 -249 Draft/things-added.md
31. +1 -0 README.md

+22 -2 Draft/Anonymity Opsec Privacy -.md

@ -17,12 +17,12 @@
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
### Cull
#### Cull
| Title | Link
| -------- | --------- |
https://github.com/NullHypothesis/exitmap/issues/37
#### end cull
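Review bot: the table header at `| Title | Link` / `| -------- | --------- |` has no rows under it; the bare `https://github.com/NullHypothesis/exitmap/issues/37` line that follows is not written as a row (`| exitmap issue #37 | https://github.com/NullHypothesis/exitmap/issues/37 |`), so it renders as loose text outside the table. The `### Cull` heading immediately followed by `#### Cull` is also redundant; one of the two can go.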
@ -37,6 +37,12 @@ https://github.com/NullHypothesis/exitmap/issues/37
[Trawling Tor Hidden Service – Mapping the DHT](https://donncha.is/2013/05/trawling-tor-hidden-services/)
[China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
[Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
[CIA Vault7 Development Tradecraft DOs and DON'Ts](https://wikileaks.org/ciav7p1/cms/page_14587109.html)
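Review bot: the China travel laptop setup URL carries tracking query parameters (`?t=1&cn=...&iid=...&uid=...&nid=...`) that identify the referring feed and reader; in a file about anonymity and opsec the link should be trimmed to `https://mricon.com/i/travel-laptop-setup.html`. Separately, the Trawling Tor entry's title says "Hidden Service" while the URL slug is `trawling-tor-hidden-services`; the title should match the article.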
@ -56,6 +62,13 @@ https://github.com/NullHypothesis/exitmap/issues/37
[Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
[Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
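Review bot: the "Bugger - Adam Curtis" link and its bullet are already present earlier in this file (in the `-17,12 +17,12` hunk above); this second copy is a duplicate entry, so one of the two should be removed.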
@ -120,6 +133,13 @@ https://github.com/NullHypothesis/exitmap/issues/37
[OPSEC Concerns in Using Crypto](https://www.slideshare.net/JohnCABambenek/defcon-crypto-village-opsec-concerns-in-using-crypto)
[De-Anonymizing Alt.Anonymous. Messages - Defcon21 - Tom Ritter](https://www.youtube.com/watch?v=_Tj6c2Ikq_E)
### **<a name="Tools">Tools</a>**


+10 -0 Draft/Attacking Defending iOS -.md

@ -26,6 +26,8 @@
| **Pentesting iOS Applications - Pentester Academy - Paid Course** - This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques. | http://www.pentesteracademy.com/course?id=2
#### End Cull
### General
@ -38,6 +40,9 @@
[Secure iOS application development](https://github.com/felixgr/secure-ios-app-dev)
* This guide is a collection of the most common vulnerabilities found in iOS applications. The focus is on vulnerabilities in the applications’ code and only marginally covers general iOS system security, Darwin security, C/ObjC/C++ memory safety, or high-level application security. Nevertheless, hopefully the guide can serve as training material to iOS app developers that want to make sure that they ship a more secure app. Also, iOS security reviewers can use it as a reference during assessments.
[needle](https://github.com/mwrlabs/needle)
* Needle is an open source, modular framework to streamline the process of conducting security assessments of iOS apps.
### <a name="harden">List of Hardening Guides for iOS</a>
@ -166,3 +171,8 @@
[Idb](https://github.com/dmayer/idb)
* idb is a tool to simplify some common tasks for iOS pentesting and research
### Writeups
[Write-up for alloc8: untethered bootrom exploit for iPhone 3GS](https://github.com/axi0mX/alloc8)

+6 -0 Draft/Basic Security Information.md

@ -10,6 +10,12 @@ These are links to basic technically links or things I feel might help someone
| -------- | ------------------------ |
[Infosec Tools of the Trade: Getting Your Hands Dirty](http://www.irongeek.com/i.php?page=videos/bsidesnashville2017/bsides-nashville-2017-green00-infosec-tools-of-the-trade-getting-your-hands-dirty-jason-smith-and-tara-wink)
* In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective.
### General
| Title | Link
| -------- | --------- |
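Review bot: both tables in this hunk are headers with no rows: the `| -------- | ------------------------ |` separator is followed by a plain markdown link and bullet rather than a `| title | link |` row, and the `### General` section again opens with `| Title | Link` and a separator with nothing beneath. Either convert the entries to table rows or drop the table headers so the section renders as a plain list like the rest of the file.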


+41 -3 Draft/Building A Pentest Lab.md

@ -12,6 +12,11 @@
### General
[Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
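Review bot: the link text misspells PowerShell as "Powerhsell", and the identical entry reappears later in this file under `### Installing Active Directory`, so it is now listed twice. Keep it in one section and fix the spelling in that copy.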
@ -19,9 +24,19 @@
### Resources for VMs
[Internet Explorer Windows XP and Vista Virtual Machines](https://github.com/mikescott/ie-virtual-machines/blob/master/README.md)
### VMs Designed to be Attacked
[Vulnhub](Vulnhub.com)
[Vulnhub](https://www.Vulnhub.com)
* Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
[iv-wrt](https://github.com/iv-wrt/iv-wrt)
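Review bot: replacing `Vulnhub.com` with an absolute `https://www.Vulnhub.com` is the right fix (a bare domain inside `[...]()` renders as a relative path), but the host should be lowercase to match the other links in the file. In the description, "there is around 100 or so different VMs" should read "there are around 100".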
@ -36,8 +51,26 @@
### Installing Active Directory
[Install AD DS using Powerhsell](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/deploy/install-active-directory-domain-services--level-100-#BKMK_PS)
### Guides to setting up a Pen test lab:
[Home Lab with pfSense & VMware Workstation - sysadmin perspective](http://itpro.outsidesys.com/2015/02/19/home-lab-with-pfsense-workstation/)
* I wanted to build a virtual lab environment at home that would emulate an office environment. My requirements were to have separate network segments for Clients & Servers, and two DMZ networks. I also wanted my home network, which is external to the virtual lab environment, to emulate the Internet, even though it really isn’t. The following is how I created multiple “named” LAN segments within VMware Workstation, and routed between them using a VM running pfSense, which is an open source firewall.
http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/
https://community.rapid7.com/docs/DOC-2196
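Review bot: the last two entries (`http://blog.netinfiltration.com/...` and `https://community.rapid7.com/docs/DOC-2196`) are bare URLs with no title or description, unlike every other entry in this section; give them `[Title](url)` form with a one-line note. The `### Guides to setting up a Pen test lab:` heading also carries a trailing colon that no other heading in the file uses.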
@ -45,10 +78,15 @@ https://community.rapid7.com/docs/DOC-2196
http://www.stan.gr/2013/03/building-pentest-lab.html
### Personal rant on how to build one
So, I’m biased. That said, two ways to build a lab, local and online. With todays online services, you don’t have to have a powerful server sitting in your house. You can use amazon’s AWS to host VMs and pay only for time used. For some, this may be preferable for the cost/space. Otherwise, if you’re looking for a local solution, Oracle’s Virtualbox and VMWare’s Workstation/Parallels is where its at.
So, I’m biased. That said, two ways to build a lab, local and online. With todays online services, you don’t have to have a powerful server sitting in your house. You can use amazon’s AWS to host VMs and pay only for time used. For some, this may be preferable for the cost/space. Otherwise, if you’re looking for a local solution, Oracle’s Virtualbox and VMWare’s Workstation/Parallels is where its at for local machine VM usage, for dedicated hardware, proxmox, esxi, and Xen can all be solutions.
That being said, skip virtualbox. Get VMware ESXi if you’re cool, and have a spare box laying around, if not, grab VMWare Workstation. It works on linux/win and Parallels for OSX. ESXi is a virtualization platform that runs bare metal. If you have hardware for it, I recommend that. Otherwise, Workstation works wonderfully.
That being said, skip virtualbox. Get VMware ESXi if you have a spare box laying around, if not, grab VMWare Workstation. It works on linux/win and Parallels for OSX. ESXi is a virtualization platform that runs bare metal. If you have hardware for it, I recommend that. Otherwise, Workstation works wonderfully.
Acquiring a copy of Virtualbox/Workstation is also easy. Virtualbox is free and Workstation has 30 day trials.
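Review bot: the rewritten sentence "...is where its at for local machine VM usage, for dedicated hardware, proxmox, esxi, and Xen can all be solutions" is a run-on; split it after "usage" ("For dedicated hardware, Proxmox, ESXi and Xen are all options"). Also "todays" needs an apostrophe, "its at" should be "it's at", "amazon's" and "linux/win" should be capitalized, and "Virtualbox and VMWare's Workstation/Parallels is" needs "are". Product names are spelled three ways in the same paragraph (VMWare, VMware, Virtualbox); settle on VMware and VirtualBox.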


+8 -1 Draft/CTFs & Wargames -.md

@ -18,6 +18,13 @@ Cull
[Greenhorn](https://github.com/trailofbits/greenhorn)
* Greenhorn is a Windows Pwnable released during CSAW Quals 2014. It's meant to be an introduction to modern Windows binary exploitation.
hackthebox
pentestit
pentestlab
root-me
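Review bot: `hackthebox`, `pentestit`, `pentestlab` and `root-me` are bare names with no link or description, unlike the Greenhorn entry above them; either give each a `[Name](url)` entry with a one-line description or keep them under the file's Cull marker until they are filled in.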
@ -115,7 +122,7 @@ Wechall
[List of themed Hacker challenges](http://counterhack.net/Counter_Hack/Challenges.html)
[Sans Community Forensics Challenges](digital-forensics.sans.org/community/challenges)
[Sans Community Forensics Challenges](https://www.digital-forensics.sans.org/community/challenges)
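Review bot: the fixed SANS link prepends `www.` to a host that is already a subdomain (`digital-forensics.sans.org`); `www.digital-forensics.sans.org` is unlikely to be the canonical host. Adding the scheme (`https://digital-forensics.sans.org/community/challenges`) is all that was needed. The same `www.` pattern appears in several other link fixes in this commit and should be checked in each case.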


+9 -2 Draft/Car Hacking.md

@ -15,7 +15,6 @@
http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
### End cull
@ -40,7 +39,7 @@ http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
[Tesla Model S JSON API (unofficial RE post)](http://docs.timdorr.apiary.io/#reference/vehicles)
[Tesla Model S JSON API (unofficial RE post)](http://docs.timdorr.apiary.io/#reference/vehicles)
@ -77,6 +76,14 @@ http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
* For the first time, a hardware backdoor tool is presented having several advanced features, such as: remote control via SMS commands, automated launch of attack payloads at a GPS location or when a specific car status is reached; and a configuration interface that allows users to create attack payloads in an easy manner. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Now it's possible :-)
#### Hardware Tools
[CBM - The Bicho](https://github.com/UnaPibaGeek/CBM)
* For the first time, a hardware backdoor tool is presented having several advanced features, such as: remote control via SMS commands, automated launch of attack payloads at a GPS location or when a specific car status is reached; and a configuration interface that allows users to create attack payloads in an easy manner. Have you ever imagined the possibility of your car being automatically attacked based on its GPS coordinates, its current speed or any other set of parameters? Now it's possible :-)
## Papers
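Review bot: the Bicho description paragraph appears twice in this hunk, once before the new `#### Hardware Tools` heading and once after the `[CBM - The Bicho]` link; the first copy is orphaned from its link and should be removed so the description sits only under the entry it describes.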


+1 -1 Draft/Courses & Training -.md

@ -48,7 +48,7 @@ These classes are all focused on computer/information security. If you're lookin
[Hackr.io](http://hackr.io/)
* Share and discover the best programming tutorials and courses online.
[Open Security Training](www.opensecuritytraining.info)
[Open Security Training](https://www.opensecuritytraining.info)


+1 -1 Draft/Cryptography & Encryption.md

@ -46,7 +46,7 @@ http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
### <a name="learn">Courses</a>:
Coursera Cryptography
[Matsano Crypto Challenges](Cryptopals.co)
[Matsano Crypto Challenges](https://www.Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
[A Graduate Course in Applied Cryptography - Dan Boneh and Victor Shoup](http://toc.cryptobook.us/)
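Review bot: "Matsano" in the link text is a misspelling of Matasano, and the host `www.Cryptopals.co` should be verified before merging: the Cryptopals challenges are published at cryptopals.com, and the `www.` prefix plus capitalized host look like a guess rather than a checked URL. The "Coursera Cryptography" entry above it has no link at all.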


+1 -1 Draft/Documentation & Reports -.md

@ -16,7 +16,7 @@
[NCSAM: Coordinated Vulnerability Disclosure Advice for Researchers](https://community.rapid7.com/community/infosec/blog/2016/10/28/ncsam-coordinated-vulnerability-disclosure-advice-for-researchers)
[Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)


+24 -1 Draft/Embedded Device & Hardware Hacking -.md

@ -37,6 +37,17 @@ http://www.sp3ctr3.me/hardware-security-resources/
http://greatscottgadgets.com/infiltrate2013/
[Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
#### end sort
@ -47,7 +58,7 @@ http://greatscottgadgets.com/infiltrate2013/
[Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack)
[Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](www.engr.uconn.edu/~tehrani/teaching/hst/)
[Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](https://www.engr.uconn.edu/~tehrani/teaching/hst/)
[NSA Playset](http://www.nsaplayset.org/)
* In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
@ -274,6 +285,14 @@ http://greatscottgadgets.com/infiltrate2013/
[Introduction to USB and Fuzzing - Matt DuHarte - Defcon23](https://www.youtube.com/watch?v=KWOTXypBt4E)
[Attacks via physical access to USB (DMA…?)](https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma)
[Can a connected USB device read all data from the USB bus?](https://security.stackexchange.com/questions/37927/can-a-connected-usb-device-read-all-data-from-the-usb-bus?rq=1)
@ -395,7 +414,11 @@ Chameleon Mini
[How can I do that? Intro to hardware hacking with an RFID badge reader - Kevin Bong](http://www.irongeek.com/i.php?page=videos/derbycon3/3303-how-can-i-do-that-intro-to-hardware-hacking-with-an-rfid-badge-reader-kevin-bong)
[ISO/IEC 7816](https://en.wikipedia.org/wiki/ISO/IEC_7816)
[ISO/IEC 15693](https://en.wikipedia.org/wiki/ISO/IEC_15693)
[ISO/IEC 14443](https://en.wikipedia.org/wiki/ISO/IEC_14443)


+62 -11 Draft/Exploit Development.md

@ -15,6 +15,7 @@ TOC
* [Anti-Fuzzing](#antifuzz)
* [ASM Stuff](#asm)
* [Exploit dev](#exploitdev)
* Practice Exploit Development
* [Tutorials](#tutorials)
* [Writing Shellcode](#shellcode)
* [Windows Specific](#winspec)
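Review bot: the new TOC entry `* Practice Exploit Development` has no `(#anchor)` link, unlike the entries around it, so it will not jump anywhere; the `### Practice Exploit Development` heading added further down in this file needs an `<a name="...">` target, as the other headings (`<a name="aslr">`, `<a name="asm">`) have, and the TOC entry should link to it.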
@ -40,6 +41,7 @@ TOC
* [OllyDbg Tricks](#ollydbg)
* [Books and Links](#books
* Exploit Collections
* GPU Exploit Research
#### To Do
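Review bot: `* [Books and Links](#books` is missing its closing parenthesis, so it renders as literal text rather than a link; the new `Exploit Collections` and `GPU Exploit Research` entries also lack `(#anchor)` links and matching `<a name>` targets, so they are plain text in the TOC.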
@ -75,7 +77,6 @@ Corelan Exploit Series
[Trampolines in x64](http://www.ragestorm.net/blogs/?p=107)
[AV_Kernel_Vulns](https://github.com/bee13oy/AV_Kernel_Vulns)
* Pocs for Antivirus Software‘s Kernel Vulnerabilities
@ -83,6 +84,15 @@ Corelan Exploit Series
[GEF](https://github.com/hugsy/gef)
* GEF is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to make GDB cool again for exploit dev. It is aimed to be used mostly by exploiters and reverse-engineers, to provide additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development.
[CVE-2016-7255 - Git repo](https://github.com/mwrlabs/CVE-2016-7255)
[MSRC-Security-Research Github](https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations)
[Playing with canaries](https://www.elttam.com.au/blog/playing-with-canaries/)
[MS17-010](https://github.com/worawit/MS17-010)
#### end sort
@ -221,6 +231,15 @@ This will allow you to transfer EIP control to a specified offset within a file
### Practice Exploit Development
[Exploit-Challenges - A collection of vulnerable ARM binaries for practicing exploit development](https://github.com/Billy-Ellis/Exploit-Challenges)
* Here are a collection of vulnerable ARM binaries designed for beginner vulnerability researchers & exploit developers to play around with and test their skills!
##### Originally from (originally a pastebin link, which had been modified from a persons personal page, i believe it may have been an r2 dev?) If you made this, thank you so much; I've now added onto it and changed it from what it originally was. I've kept the original creator's note as I feel it is highly relevant and aligns with my goal)
* "yM intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
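Review bot: "yM intention" is a transposition of "My intention", and "a persons personal page" needs "person's". The attribution text is also stuffed into a `#####` heading that runs to several sentences; it would read better as a short heading ("Originally from") with the attribution as a paragraph beneath it.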
@ -356,11 +375,11 @@ I have tried to order the articles by technique and chronology.
### <a name="aslr"> ASLR:</a>
* [Exploit writing tutorial part 6 : Bypassing Stack Cookies, SafeSeh, SEHOP, HW DEP and ASLR](https://www.corelan.be/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/)
* [Aslr Smack and Laugh Reference](www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf)
* [Advanced Buffer Overflow Methods](cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt)
* [Smack the Stack](sts.synflood.de/dump/doc/smackthestack.txt)
* [Exploiting the random number generator to bypass ASLR](blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf)
[Wikipedia on ASLR](en.wikipedia.org/wiki/Address_space_layout_randomization)
* [Aslr Smack and Laugh Reference](http://www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf)
* [Advanced Buffer Overflow Methods](http:/www.cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt)
* [Smack the Stack](http://www.sts.synflood.de/dump/doc/smackthestack.txt)
* [Exploiting the random number generator to bypass ASLR](https://www.blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf)
[Wikipedia on ASLR](https://www.en.wikipedia.org/wiki/Address_space_layout_randomization)
* [Bypassing Memory Protections: The Future of Exploitation](usenix.org/events/sec09/tech/slides/sotirov.pdf)
* [On the Effectiveness of Address-Space Randomization](stanford.edu/~blp/papers/asrandom.pdf)
* [Exploiting with linux-gate.so.1](milw0rm.com/papers/55)
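Review bot: `http:/www.cs.tau.ac.il/...` is missing the second slash after `http:` and will not resolve as written. `https://www.en.wikipedia.org/...` prepends `www.` to the `en.` subdomain; the host is `en.wikipedia.org`. The same doubt applies to `www.sts.synflood.de`. The three entries at the end of the hunk (`usenix.org/...`, `stanford.edu/~blp/...`, `milw0rm.com/papers/55`) still have no scheme and render as relative links; milw0rm.com has been offline for years, so that one needs an archive link rather than a scheme fix.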
@ -566,7 +585,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[armpwn](https://github.com/saelo/armpwn)
* Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
[Too LeJIT to Quit: Extending JIT Spraying to ARM](www.internetsociety.org/sites/default/files/09_3_2.pdf)
[Too LeJIT to Quit: Extending JIT Spraying to ARM](http://www.internetsociety.org/sites/default/files/09_3_2.pdf)
@ -597,9 +616,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Understanding glibc malloc](https://sploitfun.wordpress.com/2015/02/10/understanding-glibc-malloc/)
[Linux GLibC Stack Canary Values](https://xorl.wordpress.com/2010/10/14/linux-glibc-stack-canary-values/)
[Resolving the Base Pointer of the Linux Program Interpreter with Shellcode](https://web-beta.archive.org/web/20160720084253/http://howto.hackallthethings.com:80/2015/03/resolving-base-pointer-of-linux-program.html)
@ -673,9 +690,33 @@ https://www.exploit-db.com/docs/18482.pdf
[Mitigating arbitrary native code execution in Microsoft Edge](https://blogs.windows.com/msedgedev/2017/02/23/mitigating-arbitrary-native-code-execution/#fAlvade7vV0bQrWs.97)
[Windows-driver-samples](https://github.com/Microsoft/Windows-driver-samples )
* This repo contains driver samples prepared for use with Microsoft Visual Studio and the Windows Driver Kit (WDK). It contains both Universal Windows Driver and desktop-only driver samples.
[DriverBuddy](https://github.com/nccgroup/DriverBuddy)
* DriverBuddy is an IDA Python script to assist with the reverse engineering of Windows kernel drivers.
* [Blog post](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/driverbuddy-tool-release/)
[win_driver_plugin](https://github.com/mwrlabs/win_driver_plugin)
* A tool to help when dealing with Windows IOCTL codes or reversing Windows drivers.
[A Window into Ring0 - Paper](https://labs.mwrinfosecurity.com/publications/a-window-into-ring0/)
* With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. The talk provided an overview of the Windows kernel mode attack surface and how to interact with it. It then went on to cover the tools available for finding bugs in Windows kernel mode code and drivers as well as highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk also covered common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM. Finally the talk walked through exploiting CVE-2016-7255 on modern 64 bit versions of Windows.
[Windows Exploit Protection History/Overview - Compass Security](https://exploit.courses/files/bfh2017/day6/0x60_WindowsExploiting.pdf)
[Bypassing Device Guard with .NET Assembly Compilation Methods](http://www.exploit-monday.com/2017/07/bypassing-device-guard-with-dotnet-methods.html)
[Microsoft Patch Analysis for Exploitation Stephen Sims](https://www.youtube.com/watch?v=LHNcBVQF1tM)
[Toward mitigating arbitrary native code execution in Windows 10](https://github.com/Microsoft/MSRC-Security-Research/blob/master/presentations/2017_05_SysScan360_Seattle/SyScan360_Miller_Towards_Mitigating_Arbitrary_Native_Code_Execution.pdf)
[Securi-Tay 2017 - A Window into Ring0](https://www.youtube.com/watch?v=DLND8bKv27w)
* With the rise of sandboxes and locked down user accounts attackers are increasingly resorting to attacking kernel mode code to gain full access to compromised systems. This talk aims to provide an overview of the Windows kernel mode attack surface and how to interact with it. This talk will demonstrate the tools available for finding bugs in Windows kernel mode code and drivers together with highlighting some of the lower hanging fruit, common mistakes and the steps being taken (or lack of steps being taken) to mitigate the risks posed. The talk will then cover common exploitation techniques to gather information about the state of kernel mode memory and to gain code execution as SYSTEM using examples from publicly known exploits.
[Proposed Windows 10 EAF/EMET "Bypass" for Reflective DLL Injection](https://zerosum0x0.blogspot.com/2017/06/proposed-eafemet-bypass-for-reflective.html?m=1)
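Review bot: the `Windows-driver-samples` URL has a trailing space inside the parentheses (`...Windows-driver-samples )`), which breaks link rendering in some markdown parsers. The Edge blog URL carries a share-tracking fragment (`#fAlvade7vV0bQrWs.97`) that can be dropped. The two "A Window into Ring0" entries (the paper and the Securi-Tay talk) each carry a near-identical multi-sentence description; a one-line cross-reference from one to the other would avoid the duplication.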
@ -732,7 +773,7 @@ https://www.exploit-db.com/docs/18482.pdf
### <a name="asm">Assembly(x86/x64/ARM)</a>
[X86 Instruction Reference](Felixcoutier.com/x86)
[X86 Instruction Reference](http://www.Felixcoutier.com/x86)
[Awesome Reference for Intel x86/64](http://ref.x86asm.net/)
* This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes.
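Review bot: the fixed link `http://www.Felixcoutier.com/x86` keeps the original misspelling of the host. The x86 instruction reference is Félix Cloutier's site, felixcloutier.com (note the "l"), so the corrected URL still points at the wrong domain.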
@ -1091,7 +1132,11 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[PLASMA PULSAR](https://github.com/stealth/plasmapulsar/blob/master/README.md)
* This document describes a generic root exploit against kde.
[A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn/)
[Emulation and Exploration of BCM WiFi Frame Parsing using LuaQEMU](https://comsecuris.com/blog/posts/luaqemu_bcm_wifi/)
[The Weak Bug - Exploiting a Heap Overflow in VMware](http://acez.re/the-weak-bug-exploiting-a-heap-overflow-in-vmware/)
@ -1142,3 +1187,9 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks](http://cd80.ca/files/bubble.pdf)
* Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks.
### GPU Exploits / Research
[A Study of Overflow Vulnerabilities on GPUs](https://www.aimlab.org/haochen/papers/npc16-overflow.pdf)
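Review bot: the BuBBle abstract contains copy-paste artifacts from the PDF ("script- ing", "r eliability", "heap-s praying") that should be joined into "scripting", "reliability" and "heap-spraying"; the leading "Abstract." label can also be dropped, since the bullet already marks the text as the paper's description.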

+18 -7 Draft/Forensics Incident Response.md

@ -20,7 +20,7 @@
Better security - Mean time to detect/Mean time to respond
* Better security - Mean time to detect/Mean time to respond
#### CULL
@ -77,7 +77,7 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
[No Easy Breach: Challenges and Lessons Learned from an Epic Investigation](https://archive.org/details/No_Easy_Breach#)
[Forensics on Amazons EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
[Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
[Attrition Forensics](http://2014.video.sector.ca/video/110334184)
@ -91,10 +91,14 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* Good post on not only knowing the layout, but knowing expected behaviours.
#### Hacking Exposed - Automating DFIR Series
[Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
[Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://
[THE CIDER PRESS:EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY](https://www.sans.org/summit-archives/file/summit-archive-1498146226.pdf)
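Review bot: the Part 3 entry is a truncated link, `[...](http://`, with no URL and no closing parenthesis, so the line renders as broken markdown; the URL needs to be filled in or the entry held back until it is. The Part 1 title also ends in a stray " - ".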
@ -152,7 +156,7 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
* Triage: Incident Response automatically collect information from a system that needs basic triage functions performed upon it. The script allows for easy modification for customization to your needs, in an easy to comprehend and implement language. This tool uses a lot others to get its information. Eventually I hope to eliminate the need for them, but use them as verification. This tool requires you to download the Sysinternals Suite if you want full functionality to it.
[Fully Integrated Defense Operation (FIDO)](https://github.com/Netflix/Fido)
* FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDOs primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
* FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
[Triaging Malware Incidents](http://journeyintoir.blogspot.com/2013/09/triaging-malware-incidents.html)
* Good writeup/blogpost from Journey into Incidence Response
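Review bot: the apostrophe fix (`FIDO’s`) is fine, but the note under Triaging Malware Incidents says "Journey into Incidence Response"; the blog is Journey Into Incident Response (the URL is journeyintoir.blogspot.com).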
@ -161,6 +165,13 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
[An Incident Handling Process for Small and Medium Businesses - SANS 2007](https://www.sans.org/reading-room/whitepapers/incident/incident-handling-process-small-medium-businesses-1791)
[PowerForensics - PowerShell Digital Forensics](https://github.com/Invoke-IR/PowerForensics)
* The purpose of PowerForensics is to provide an all inclusive framework for hard drive forensic analysis. PowerForensics currently supports NTFS and FAT file systems, and work has begun on Extended File System and HFS+ support.
[Invoke-IR](http://www.invoke-ir.com/)
@ -345,7 +356,7 @@ Ghiro
with a solution to extract forensically important information from the main
database of Microsoft Active Directory (NTDS.DIT).
[Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive� forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
[HowTo: Determine Program Execution](http://windowsir.blogspot.com/2013/07/howto-determine-program-execution.html)
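Review bot: the edited version of the Mandiant description has lost the closing curly quote after "dead drive" and now shows a replacement character (`“dead drive�`), an encoding regression introduced by this change; the text should read `“dead drive”` as in the original line.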
@ -364,7 +375,7 @@ database of Microsoft Active Directory (NTDS.DIT).
* NSA 70-page writeup on windows event log monitoring
[DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API
[Techniques for fast windows forensics investigations](https://www.youtube.com/watch?v=eI4ceLgO_CE)
* Look at sniper forensics, skip around, 18min has resources you want to grab for snapshots
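Review bot: both versions of the DPAPIck description end with an unclosed parenthesis, "(Data Protection API", so the sentence is cut off; close it as "(Data Protection API)." The two lines render identically here, which suggests a whitespace- or encoding-only change; worth confirming that the `®` survived the edit intact.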
@ -392,7 +403,7 @@ What are the changes done on an AD between two points in time ?
[Windows Attribute changer](http://www.petges.lu/home/)
[Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, its something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. Whats new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
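Review bot: the apostrophe fixes (`it’s`, `What’s`) are fine, but the doubled word in `What’s new is that that Network Monitor can read any ETL file` survives the edit. Since this is a quoted passage, either drop one `that` or leave a `[sic]` if the source text is meant to be reproduced verbatim.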
@ -412,7 +423,7 @@ What are the changes done on an AD between two points in time ?
### Chrome Book Forensics
[Chromebook Forensics](www.dataforensics.org/google-chromebook-forensics/)
[Chromebook Forensics](http://www.dataforensics.org/google-chromebook-forensics/)


+ 14
- 1
Draft/Fuzzing Bug Hunting.md View File

@ -20,6 +20,7 @@ TOC
#### sort
https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
#### end sort
##### To Do
* Add Descriptions/generals to types of fuzzing
@ -154,7 +155,7 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Mining for Bugs with Graph Database Queries [31c3]](https://www.youtube.com/watch?v=291hpUE5-3g)
* [Starting out with Joern](http://tsyrklevich.net/2015/03/28/starting-out-with-joern/)
[Fuzz Smarter, Not Harder (An Afl-Fuzz Primer) BSides-SF 2016](www.securitytube.net/video/15372)
[Fuzz Smarter, Not Harder (An Afl-Fuzz Primer) BSides-SF 2016](http://www.securitytube.net/video/15372)
[File Format Fuzzing in Android](https://deepsec.net/docs/Slides/2015/File_Format_Fuzzing_in_Android_-Alexandru_Blanda.pdf)
@ -166,6 +167,13 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[ClusterFuzz](http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf)
[Introduction to USB and Fuzzing DEFCON23 Matt DuHarte](https://www.youtube.com/watch?v=KWOTXypBt4E)
[Browser Bug Hunting and Mobile](http://slides.com/revskills/fzbrowsers#/)
[Upping Your Bug Hunting Skills Using Symbolic Virtual Machines by Anto - x33fcon](https://www.youtube.com/watch?v=IPSZxGaLlyk)
@ -247,7 +255,12 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[rage_fuzzer](https://github.com/deanjerkovich/rage_fuzzer)
* A dumb protocol-unaware packet fuzzer/replayer.
[Introduction to USB and Fuzzing DEFCON23 Matt DuHarte](https://www.youtube.com/watch?v=KWOTXypBt4E)
[libfuzzer-gv](https://github.com/guidovranken/libfuzzer-gv)
* enhanced fork of libFuzzer
[libFuzzer-gv: new techniques for dramatically faster fuzzing](https://guidovranken.wordpress.com/2017/07/08/libfuzzer-gv-new-techniques-for-dramatically-faster-fuzzing/)
#### Windows Specific
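Review bot: the `Introduction to USB and Fuzzing DEFCON23 Matt DuHarte` entry appears both in the previous hunk (around line 168 of this file) and as context here (old line 249), so the file lists the same talk twice; keep one copy. The new `libfuzzer-gv` description is also the only lowercase, unpunctuated entry nearby; `* Enhanced fork of libFuzzer.` would match the surrounding style.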


+ 60
- 5
Draft/Interesting Things Useful stuff.md View File

@ -40,6 +40,36 @@ http://spth.virii.lu/articles.htm
[QR Code interesting](http://datagenetics.com/blog/november12013/index.html)
[Manuals Library](https://www.manualslib.com/)
[NIST National Vulnerability Database](https://nvd.nist.gov/ncp/repository)
[IA Guidance - NSA](https://www.iad.gov/iad/library/ia-guidance/index.cfm)
[Paste-Scraper](https://github.com/KernelEquinox/Paste-Scraper)
[Wayback scraper](https://github.com/abrenaut/waybackscraper)
[LeakedSource.ru](https://leakedsource.ru/)
[Red Team Infrastructure Wiki](https://github.com/bluscreenofjeff/Red-Team-Infrastructure-Wiki)
* Wiki to collect Red Team infrastructure hardening resources
* Accompanying Presentation: [Doomsday Preppers: Fortifying Your Red Team Infrastructure](https://speakerdeck.com/rvrsh3ll/doomsday-preppers-fortifying-your-red-team-infrastructure)
[How to Build a 404 page not found C2](https://www.blackhillsinfosec.com/?p=5134)
[404 File not found C2 PoC](https://github.com/theG3ist/404)
[Hiding Malicious Traffic Under the HTTP 404 Error](https://blog.fortinet.com/2015/04/09/hiding-malicious-traffic-under-the-http-404-error)
#### End Sort
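Review bot: the new block drops red-team infrastructure and 404-based C2 references (`Red Team Infrastructure Wiki`, `How to Build a 404 page not found C2`, `404 File not found C2 PoC`, `Hiding Malicious Traffic Under the HTTP 404 Error`) into the generic `Interesting Things` cull list, where nothing else is about C2; they belong beside the other infrastructure material in the Network or Privilege Escalation files, and from a defender's side a one-line note on what these techniques hide and what to look for in proxy logs would make the entries more useful than bare links. `[IA Guidance - NSA]`, `[Paste-Scraper]`, `[Wayback scraper]` and `[LeakedSource.ru]` also have no description while the neighbouring entries do.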
## Attribution
[Cyber Attack Attribution Report](http://whohackedus.com/)
@ -116,10 +146,6 @@ http://www.securitywizardry.com/radar.htm
*)$
[QR Code interesting](http://datagenetics.com/blog/november12013/index.html)
#### End Sort
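Review bot: `*)$` at the top of this hunk is a stray fragment, not a list entry; if it is still in the file after this change, delete it. The `QR Code interesting` link being touched here is the same one that now sits in the new block near line 40 of this file, so make sure only one copy remains.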
@ -228,7 +254,8 @@ http://www.securitywizardry.com/radar.htm
[Real-life experiences in avionics security assessment (A. Barisani)](https://www.youtube.com/watch?v=xtSmPgXw34I&feature=youtu.be&app=desktop)
[Software Supply Chains and the Illusion of Control - Derek Weeks](http://www.irongeek.com/i.php?page=videos/bsidesnova2017/107-software-supply-chains-and-the-illusion-of-control-derek-weeks)
* In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains. Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market. However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh. This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn: - What our analysis of 25,000 applications reveals about the quality and security of software built with open source components - How organizations like Mayo Clinic, Exxon, Capital One, the U.S. 
FDA and Intuit are utilizing the principles of software supply chain automation to improve application security - Why avoiding open source components over 3 years old might be a really good idea - How to balance the need for speed with quality and security -- early in the development lifecycle We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly. Attend this session and gain insight as to how your organization’s application development practices compare to others. I'll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams.
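Review bot: the Software Supply Chains description is split mid-sentence across two lines (`... Capital One, the U.S.` / `FDA and Intuit ...`), so the second half renders as a stray paragraph instead of part of the bullet; join them onto one `* ` line. The entry also quotes the whole abstract, far longer than any other description in this file; a two-sentence summary would match the format.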
@ -325,6 +352,14 @@ http://www.securitywizardry.com/radar.htm
[Unicorn-Engine](http://www.unicorn-engine.org/)
* Unicorn is a lightweight multi-platform, multi-architecture CPU emulator framework.
[cyberfree](https://github.com/arnaudsoullie/cyberfree)
* Cyber-free browsing extension for Chrome
[SniffJoke](https://github.com/vecna/sniffjoke)
* SniffJoke is an application for Linux that handle transparently your TCP connection, delaying, modifyng and inject fake packets inside your transmission, make them almost impossible to be correctly readed by a passive wiretapping technology (IDS or sniffer)
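Review bot: the SniffJoke description has several spelling and grammar slips: `handle` should be `handles`, `modifyng` should be `modifying`, `readed` should be `read`, and `make them` should be `making them`. Suggested wording: `SniffJoke is an application for Linux that transparently handles your TCP connections, delaying, modifying and injecting fake packets into your transmission, making them almost impossible to read correctly with passive wiretapping technology (IDS or sniffer).`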
@ -394,6 +429,20 @@ Underhanded C
[Exploiting Android Users for Fun and Profit](http://www.codeword.xyz/2015/08/09/exploiting-android-users-for-fun-and-profit/)
[The S stands for Simple](http://harmful.cat-v.org/software/xml/soap/simple)
* Satire(Only it's not) of a conversation about SOAP
[Encyclopedia of things considered harmful](http://harmful.cat-v.org/)
[THE BASIC LAWS OF HUMAN STUPIDITY - Carlo M. Cipolia](http://harmful.cat-v.org/people/basic-laws-of-human-stupidity/)
[Docker: Not Even a Linker](http://adamierymenko.com/docker-not-even-a-linker/)
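Review bot: the author of `THE BASIC LAWS OF HUMAN STUPIDITY` is Carlo M. Cipolla, not `Cipolia`; fix the spelling in the link text. `Satire(Only it's not)` also needs a space before the parenthesis.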
@ -458,6 +507,12 @@ Underhanded C
[QR Inception: Barcode-in-Barcode Attacks](https://www.sba-research.org/wp-content/uploads/publications/qrinception.pdf)
* 2D barcodes offer many benefits compared to 1D barcodes, such as high information density and robustness. Before their introduction to the mobile phone ecosystem, they have been widely used in specific applications, such as logistics or ticketing. However, there are multiple competing standards with different benefits and drawbacks. Therefore, reader applications as well as dedicated devices have to support multiple standards. In this paper, we present novel attacks based on deliberately caused ambiguities when especially crafted barcodes conform to multiple standards. Implementation details decide which standard the decoder locks on. This way, two users scanning the same barcode with different phones or apps will receive different content. This potentially opens way for multiple problems related to security. We describe how embedding one barcode symbology into another can be used to perform phishing attacks as well as targeted exploits. In addition, we evaluate the extent to which popular 2D barcode reader applications on smartphones are susceptible to these barcode-in-barcode attacks. We furthermore discuss mitigation techniques against this type of attack.
[Introduction to Resource Oriented Computing - Whitepaper](http://resources.1060research.com/docs/IntroductionToResourceOrientedComputing-1.pdf)
### sites


+ 60
- 4
Draft/Network Attacks & Defenses.md View File

@ -24,14 +24,16 @@ TOC
##### To be sorted
http://www.pentest-standard.org/index.php/Intelligence_Gathering
[a](https://github.com/fmtn/a)
* ActiveMQ CLI testing and message management
[PiTap](https://github.com/williamknows/PiTap)
* Automatic bridge creation and packet capture (plug-and-capture) on a battery-powered Raspberry Pi with multiple network interfaces.
* [Blogpost]()
[RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://tools.ietf.org/html/rfc2827)
[gateway-finder](https://github.com/pentestmonkey/gateway-finder)
* Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
##### sort end
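Review bot: `* [Blogpost]()` under PiTap is an empty link and will render as a dead anchor; either fill in the URL or drop the line until it is known. Note also that the `[a]` ActiveMQ entry added here is added a second time further down in this same file (the `@ -315,6 +323,38` hunk); keep one copy.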
@ -72,7 +74,7 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[SSH for Fun and Profit](https://karla.io/2016/04/30/ssh-for-fun-and-profit.html)
[STP MiTM Attack and L2 Mitigation Techniques on the Cisco Catalyst 6500 ](http://www.ndm.net/ips/pdf/cisco/Catalyst-6500/white_paper_c11_605972.pdf)
@ -245,6 +247,12 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Seth](https://github.com/SySS-Research/Seth)
* Seth is a tool written in Python and Bash to MitM RDP connections. It attempts to downgrade the connection and extract clear text credentials.
[WSUXploit](https://github.com/pimps/wsuxploit)
* This is a MiTM weaponized exploit script to inject 'fake' updates into non-SSL WSUS traffic. It is based on the WSUSpect Proxy application that was introduced to public on the Black Hat USA 2015 presentation, 'WSUSpect – Compromising the Windows Enterprise via Windows Update'
@ -315,6 +323,38 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[AQUATONE](https://github.com/michenriksen/aquatone)
* AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
[Sublist3r](https://github.com/aboul3la/Sublist3r)
* Fast subdomains enumeration tool for penetration testers
[Altdns](https://github.com/infosec-au/altdns)
* Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
[PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server](https://github.com/NetSPI/PowerUpSQL)
* The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to quickly inventory the SQL Servers in their ADS domain.
* [Documentation](https TLS/SSL Vulnerabilities ://github.com/NetSPI/PowerUpSQL/wiki)
* [Overview of PowerUpSQL](https://github.com/NetSPI/PowerUpSQL/wiki/Overview-of-PowerUpSQL)
[sipvicious](https://github.com/EnableSecurity/sipvicious)
[t50 - the fastest packet injector.](https://github.com/fredericopissarra/t50)
* T50 was designed to perform “Stress Testing” on a variety of infra-structure
network devices (Version 2.45), using widely implemented protocols, and after
some requests it was was re-designed to extend the tests (as of Version 5.3),
covering some regular protocols (ICMP, TCP and UDP), some infra-structure
specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP,
EIGRP and OSPF).
[a](https://github.com/fmtn/a)
* ActiveMQ CLI testing and message management
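Review bot: the PowerUpSQL documentation link is corrupted: `[Documentation](https TLS/SSL Vulnerabilities ://github.com/NetSPI/PowerUpSQL/wiki)` has the text `TLS/SSL Vulnerabilities` (the title of the link added at the end of this file) pasted into the middle of the URL, and should read `[Documentation](https://github.com/NetSPI/PowerUpSQL/wiki)`. The t50 description is hard-wrapped across six lines, which breaks the bullet, and contains `was was` doubled and `infra-structure` hyphenated; reflow it to a single `* ` line. Finally, the `[a]` ActiveMQ entry at the end duplicates the one added in the first hunk of this file.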
@ -368,6 +408,17 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
[Attacking Nextgen Firewalls](https://www.youtube.com/watch?v=ZoCf9yWC32g)
[DNS hijacking using cloud providers - Frans Rosén](https://www.youtube.com/watch?v=HhJv8CU-RIk)
@ -417,7 +468,8 @@ IPv6: Basic Attacks and Defences - Christopher Werny[TROOPERS15]
[[TROOPERS15] Merike Kaeo - Deploying IPv6 Securely - Avoiding Mistakes Others Have Made](https://www.youtube.com/watch?v=rQg4y78xHf8)
[IPv6 Local Neighbor Discovery Using Router Advertisement](https://www.rapid7.com/db/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement)
* Send a spoofed router advertisement with high priority to force hosts to start the IPv6 address auto-config. Monitor for IPv6 host advertisements, and try to guess the link-local address by concatinating the prefix, and the host portion of the IPv6 address. Use NDP host solicitation to determine if the IP address is valid'
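Review bot: the new IPv6 Local Neighbor Discovery description has `concatinating` for `concatenating` and a stray trailing `'` after `valid`, which looks like a copy-paste remnant. This is the Rapid7 module's own text, so either quote it exactly or clean it up, but the dangling quote should go in either case.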
@ -451,6 +503,7 @@ IPv6: Basic Attacks and Defences - Christopher Werny[TROOPERS15]
### D/DOS
@ -489,4 +542,7 @@ TCPDump
[Modbus interface tutorial](https://www.lammertbies.nl/comm/info/modbus.html)
[TLS/SSL Vulnerabilities](https://www.gracefulsecurity.com/tls-ssl-vulnerabilities/)

+ 46
- 32
Draft/Network Security Monitoring & Logging.md View File

@ -12,6 +12,7 @@ Cull
* [Linux](#linux)
* [Windows](#win)
* [PCaps/Static Data](#pcap)
* Making Sense of the Data
* [Papers](#papers)
* [Tricks & Tips](#tricks)
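Review bot: the new TOC entry `* Making Sense of the Data` has no anchor link, unlike the neighbouring `* [PCaps/Static Data](#pcap)` entries, so it will not link to the section added later in this change. Give that section a `<a name="...">` anchor and reference it here, e.g. `* [Making Sense of the Data](#sense)`.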
@ -21,58 +22,41 @@ Cull
* Create incident Response section
#### Cull
[SweetSecurity](https://github.com/TravisFSmith/SweetSecurity)
* Scripts to setup and install Bro IDS, Elastic Search, Logstash, Kibana, and Critical Stack on a Raspberry Pi 3 device.
[laikaboss](https://github.com/lmco/laikaboss)
[](http://www.irongeek.com/i.php?page=videos/houseccon2015/t302-the-fox-is-in-the-henhouse-detecting-a-breach-before-the-damage-is-done-josh-sokol)
[411](https://github.com/kiwiz/411)
* Configure Searches to periodically run against a variety of data sources. You can define a custom pipeline of Filters to manipulate any generated Alerts and forward them to multiple Targets.
| **WMI-IDS** - WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time. | https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS
http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Analysis-What-Should-You-Choose.pdf
[](http://www.appliednsm.com/introducing-flowbat/)
* Awesome flow tool, SiLK backend
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
[Stenographer](https://github.com/google/stenographer)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[ROCK NSM](http://rocknsm.io/)
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
#### End Cull
[PCAPDB](https://github.com/dirtbags/pcapdb)
* PcapDB is a distributed, search-optimized open source packet capture system. It was designed to replace expensive, commercial appliances with off-the-shelf hardware and a free, easy to manage software system. Captured packets are reorganized during capture by flow (an indefinite length sequence of packets with the same src/dst ips/ports and transport proto), indexed by flow, and searched (again) by flow. The indexes for the captured packets are relatively tiny (typically less than 1% the size of the captured data).
[Aktaion: Open Source Tool For "Micro Behavior Based" Exploit Detection and Automated GPO Policy Generation](https://github.com/jzadeh/Aktaion)
* Aktaion is a lightweight JVM based project for detecting exploits (and more generally attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The cool thing about the project is it provides an expressive mechanism to add high level IOCs (micro beahviors) such as timing behavior of a certain malware family.
[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
[Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
#### End Cull
### <a name="videos">Presentations/Videos</a>
[Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools - DEFCON22 - Zach Fasel](https://www.youtube.com/watch?v=2AAnVeIwXBo)
* Many struggle in their job with the decision of what events to log in battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big-data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can extensively grow (or keep sized just right) with just additional hardware cost and show numerous examples you can implement as soon as you get back to work (or home).
[Current State of Virtualizing Network Monitoring](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t202-current-state-of-virtualizing-network-monitoring-daniel-lohin-ed-sealing)
[The fox is in the Henhouse - Detecting a breach before the damage is done](http://www.irongeek.com/i.php?page=videos/houseccon2015/t302-the-fox-is-in-the-henhouse-detecting-a-breach-before-the-damage-is-done-josh-sokol)
[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
[Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
### <a name="videos">Presentations/Videos</a>
[Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools - DEFCON22 - Zach Fasel](https://www.youtube.com/watch?v=2AAnVeIwXBo)
* Many struggle in their job with the decision of what events to log in battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big-data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can extensively grow (or keep sized just right) with just additional hardware cost and show numerous examples you can implement as soon as you get back to work (or home).
[Current State of Virtualizing Network Monitoring](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t202-current-state-of-virtualizing-network-monitoring-daniel-lohin-ed-sealing)
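Review bot: within the reorganised Cull block, the WMI-IDS entry is still a leftover table-row fragment (`| **WMI-IDS** - ... | https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS`) and the NetFort NetFlow-vs-packet-analysis whitepaper is a bare URL with no title, while every other entry uses `[Title](url)` plus a `* ` description; bring both to that form. In the visible lines `Response Operation Collections Kit Reference Build` also appears twice in the block (once with and once without the `ROCK NSM` line above it), and the same ROCK NSM pair is added again in the tools section later in this change, so check that the file does not end up with it in two or three places.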
@ -147,7 +131,7 @@ and contains internal tools, with a powerful interactive console, for analysis a
#### [Suricata](suricata?)
#### [Suricata](https://suricata-ids.org/)
* Suricata is a high performance Network IDS, IPS and Network Security Monitoring engine. Open Source and owned by a community run non-profit foundation, the Open Information Security Foundation (OISF).
* [Suricata Documentation](https://redmine.openinfosecfoundation.org/projects/suricata/wiki)
* [Suricata Quick Start Guide](https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Quick_Start_Guide)
@ -156,7 +140,7 @@ and contains internal tools, with a powerful interactive console, for analysis a
#### [Argus](http://qosient.com/argus/#)
* Argus is an open source layer 2+ auditing tool (including IP audit) written by Carter Bullard which has been under development for over 10 years.
* [Argus on NSM Wiki](nsmwiki.org/index.php?title=Argus)
* [Argus on NSM Wiki](https://www.nsmwiki.org/index.php?title=Argus)
* [Argus FAQ](http://qosient.com/argus/faq.shtml)
* [Argus How-To](http://qosient.com/argus/howto.shtml)
* [Argus Manual](http://qosient.com/argus/manuals.shtml)
@ -208,10 +192,18 @@ losing the essense in the DNS answer.
* [Slide Deck on Squert](https://ea01c580-a-62cb3a1a-s-sites.googlegroups.com/site/interrupt0x13h/squert-canheit2014.pdf?attachauth=ANoY7crNJbed8EeVy3r879eb2Uze_ky7eiO-jvwXp2J7ik_hOyk0kK6uhX3_oT3u4Kuzw7AiuTAQhYGze5jdlQ-w8lagM1--XESGAf0ebLBZU6bGYd7mIC9ax1H49jvQHGb8kojEal8bayL0evZpOFqsr135DpazJ6F5HkVACpHyCqh3Gzafuxxog_Ybp7k4IgqltqH0pZddcIcjI0LwhHaj3Al085C3tbw2YMck1JQSeeBYvF9hL-0%3D&attredirects=0)
* [Install/setup/etc - Github](https://github.com/int13h/squert)
[ROCK NSM](http://rocknsm.io/)
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
[flowbat](http://www.appliednsm.com/introducing-flowbat/)
* Awesome flow tool, SiLK backend
[Stenographer](https://github.com/google/stenographer)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Aktaion: Open Source Tool For "Micro Behavior Based" Exploit Detection and Automated GPO Policy Generation](https://github.com/jzadeh/Aktaion)
* Aktaion is a lightweight JVM based project for detecting exploits (and more generally attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The cool thing about the project is it provides an expressive mechanism to add high level IOCs (micro beahviors) such as timing behavior of a certain malware family.
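Review bot: `micro beahviors` in the Aktaion description should be `micro behaviors`. The ROCK NSM / Response Operation Collections Kit pair added here also duplicates the entries in the Cull block above, if those are kept, so the reference would appear in two sections.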
@ -241,6 +233,24 @@ losing the essense in the DNS answer.
### Making Sense of the Data
[411](https://github.com/kiwiz/411)
* Configure Searches to periodically run against a variety of data sources. You can define a custom pipeline of Filters to manipulate any generated Alerts and forward them to multiple Targets.
[PCAPDB](https://github.com/dirtbags/pcapdb)
* PcapDB is a distributed, search-optimized open source packet capture system. It was designed to replace expensive, commercial appliances with off-the-shelf hardware and a free, easy to manage software system. Captured packets are reorganized during capture by flow (an indefinite length sequence of packets with the same src/dst ips/ports and transport proto), indexed by flow, and searched (again) by flow. The indexes for the captured packets are relatively tiny (typically less than 1% the size of the captured data).
[RITA - Finding Bad Things on Your Network Using Free and Open Source Tools](https://www.youtube.com/watch?v=mpCBOQSjbOA)
[You Pass Butter: Next Level Security Monitoring Through Proactivity](http://www.irongeek.com/i.php?page=videos/nolacon2016/110-you-pass-butter-next-level-security-monitoring-through-proactivity-cry0-s0ups)
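Review bot: the new `### Making Sense of the Data` heading lacks the `<a name="...">` anchor that the other section headings in this file carry (e.g. `### <a name="videos">Presentations/Videos</a>`), so it cannot be linked from the TOC. Also, PCAPDB describes itself as a packet capture and indexing system, so it fits the `Pcaps/Static Analysis` section below better than a section about interpreting alerts.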
@ -277,10 +287,10 @@ losing the essense in the DNS answer.
### <a name="pcap">Pcaps/Static Analysis(I.e. you have a pcap file or you're not trying to do live analysis/Aren't trying to use one of the above tools)</a>
[Silk -
[Silk -]()
* The SiLK analysis suite is a collection of command-line tools for processing SiLK Flow records created by the SiLK packing system. These tools read binary files containing SiLK Flow records and partition, sort, and count these records. The most important analysis tool is rwfilter, an application for querying the central data repository for SiLK Flow records that satisfy a set of filtering options. The tools are intended to be combined in various ways to perform an analysis task. A typical analysis uses UNIX pipes and intermediate data files to share data between invocations of the tools.
* [Administering/Installing SiLK](https://tools.netsa.cert.org/confluence/display/tt/Administration)
* [SiLK Tool Tips](https://tools.netsa.cert.org/confluence/display/tt/Tooltips
* [SiLK Tool Tips](https://tools.netsa.cert.org/confluence/display/tt/Tooltips)
* [SiLK Reference Guide](https://tools.netsa.cert.org/silk/silk-reference-guide.html)
* [SiLK Toolsuite Quick Reference Guide](https://tools.netsa.cert.org/silk/silk-quickref.pdf)
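Review bot: `[Silk -]()` closes the bracket but the link is still empty, and the hyphen in the title is dangling; point it at the suite's site that the sub-entries already use, e.g. `[SiLK](https://tools.netsa.cert.org/silk/)`. The `Tooltips` fix (adding the missing `)`) is good.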
@ -321,3 +331,7 @@ losing the essense in the DNS answer.
### Other
[SweetSecurity](https://github.com/TravisFSmith/SweetSecurity)
* Scripts to setup and install Bro IDS, Elastic Search, Logstash, Kibana, and Critical Stack on a Raspberry Pi 3 device.

+ 12
- 1
Draft/Open Source Intelligence.md View File

@ -22,6 +22,17 @@ http://toddington.com/resources/
www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
[Fantastic OSINT and where to find it - blindseeker/malware focused](http://archive.is/sYzcP#selection-62.0-62.1)
[Corporate Espionage without the Hassle of Committing Felonies](https://www.slideshare.net/JohnCABambenek/corporate-espionage-without-the-hassle-of-committing-felonies)
[How to Use Python to Spy on Your Friends: Web APIs, Recon ng, & OSINT](https://www.youtube.com/watch?v=BOjz7NfsLpA)
#### End cull
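Review bot: the line `www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\` is a bare URL with no scheme and a stray trailing backslash, and the same link gets a proper `[OSINTInsight](http://...)` form in the later hunk of this file; drop this copy. The `Fantastic OSINT` link also carries a `#selection-62.0-62.1` fragment from the archive.is text-selection UI that can be trimmed.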
@ -227,7 +238,7 @@ http://www.onstrat.com/osint/
[Intel Techniques - Links](http://www.inteltechniques.com/links.html)
[OSINTInsight](www.osintinsight.com/shared.php?user=Mediaquest&folderid=0)
[OSINTInsight](http://www.osintinsight.com/shared.php?user=Mediaquest&folderid=0)
http://toddington.com/resources/


+ 8
- 3
Draft/Password Bruting and Hashcracking.md View File

@ -28,7 +28,6 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
* Wordlists sorted by popularity originally created for password generation and testing
### End cull
@ -72,6 +71,11 @@ http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
[Introduction to Cracking Hashes](http://n0where.net/introduction-break-that-hash/)
* Good introduction source to hash cracking.
[Cracking Corporate Passwords Exploiting Password Policy Weaknesses - Minga Rick Redm - Derbycon3](https://www.youtube.com/watch?v=qR-qRUbeKAo)
[HashView](https://github.com/hashview/hashview)
* Hashview is a tool for security professionals to help organize and automate the repetitious tasks related to password cracking. Hashview is a web application that manages hashcat (https://hashcat.net) commands. Hashview strives to bring constiency in your hashcat tasks while delivering analytics with pretty pictures ready for ctrl+c, ctrl+v into your reports.
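Review bot: `constiency` in the Hashview description should be `consistency`. The description is the tool's own README text quoted verbatim; the bare `(https://hashcat.net)` inside it could be a markdown link for consistency with the rest of the file.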
@ -146,7 +150,7 @@ Hashcat attacks
[Dumping a Domains worth of passwords using mimikatz](http://carnal0wnage.attackresearch.com/2013/10/dumping-domains-worth-of-passwords-with.html)
[Dump Windows password hashes efficiently - Part 1](bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
[Dump Windows password hashes efficiently - Part 1](http://www.bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
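Review bot: the fix prepends `http://www.` to a blogspot address, giving the host `www.bernardodamele.blogspot.com`; blogspot blogs live on `<name>.blogspot.com` without a `www.` prefix, so this host is unlikely to resolve. Add only the scheme: `http://bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html`.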
@ -197,7 +201,8 @@ Hashcat attacks
[Probable-Wordlists](https://github.com/berzerk0/Probable-Wordlists)
* Wordlists sorted by probability originally created for password generation and testing
[BEWGor](https://github.com/berzerk0/BEWGor)
* Bull's Eye Wordlist Generator
### Talks & Presentations


+ 49
- 11
Draft/Phishing.md View File

@ -14,28 +14,27 @@ TOC
###Cull
[The definition from wikipedia](en.wikipedia.org/wiki/Phishing):
* “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”
[PhishBait](https://github.com/hack1thu7ch/PhishBait)
* Tools for harvesting email addresses for phishing attacks
* [Email Address Harvesting for Phishing](http://www.shortbus.ninja/email-address-harvesting-for-phishing-attacks/)
#### End cull
[Three Years of Phishing - What We've Learned - Mike Morabito](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech105-three-years-of-phishing-what-weve-learned-mike-morabito)
* Cardinal Health has been aggressively testing and training users to recognize and avoid phishing emails. This presentation covers 3 years of lessons learned from over 18,000 employees tested, 150,000 individual phishes sent, 5 complaints, thousands of positive comments, and a dozen happy executives. Learn from actual phishing templates what works well, doesn,t work at all, and why? See efficient templates for education and reporting results.
[The definition from wikipedia](http://www.en.wikipedia.org/wiki/Phishing):
* “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”
###<a name="general>General</a>
[Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
[Real World Phishing Techniques - Honeynet Project](http://www.honeynet.org/book/export/html/89)
[Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
[Tab Napping - Phishing](http://www.exploit-db.com/papers/13950/)
[How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](https://www.pentestgeek.com/2013/01/30/how-do-i-phish-advanced-email-phishing-tactics/)
* Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. It relies on expireddomains.net to obtain a list of expired domains. The domain availability is validated using checkdomain.com
###<a name="framework">Phishing Frameworks:</a>
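Review bot: the re-added Wikipedia link uses `http://www.en.wikipedia.org/wiki/Phishing`, a host the original line (`en.wikipedia.org`) did not have; use `https://en.wikipedia.org/wiki/Phishing`. Two more problems in the same hunk: the heading `###<a name="general>General</a>` is missing the closing quote on the `name` attribute, so the TOC anchor `#general` will not resolve, and the bullet `* Search for categorized domain that can be used during red teaming engagement ...` under the Pentest Geek article is the CatMyFish description, not that article's; make sure it is on the removed side of this hunk and not left behind as an orphan.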
@ -47,4 +46,43 @@ TOC
* Simple Phishing Toolkit is a super easy to install and use phishing framework built to help Information Security professionals find human vulnerabilities
[sptoolkit-rebirth](https://github.com/simplephishingtoolkit/sptoolkit-rebirth)
* sptoolkit hasn't been actively developed for two years. As it stands, it's a brilliant peice of software, and the original developers are pretty damn awesome for creating it. But we'd like to go further, and bring sptoolkit up to date. We've tried contacting the developers, but to no avail. We're taking matters into our own hands now.
* sptoolkit hasn't been actively developed for two years. As it stands, it's a brilliant peice of software, and the original developers are pretty damn awesome for creating it. But we'd like to go further, and bring sptoolkit up to date. We've tried contacting the developers, but to no avail. We're taking matters into our own hands now.
### Tools
[CatMyFish](https://github.com/Mr-Un1k0d3r/CatMyFish)
* Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C&C. It relies on expireddomains.net to obtain a list of expired domains. The domain availability is validated using checkdomain.com
[PhishBait](https://github.com/hack1thu7ch/PhishBait)
* Tools for harvesting email addresses for phishing attacks
* [Email Address Harvesting for Phishing](http://www.shortbus.ninja/email-address-harvesting-for-phishing-attacks/)
### Microsoft Outlook Stuff
[How to bypass Web-Proxy Filtering](https://www.blackhillsinfosec.com/?p=5831)
[Malicious Outlook Rules](https://silentbreaksecurity.com/malicious-outlook-rules/)
[EXE-less Malicious Outlook Rules - BHIS](https://www.blackhillsinfosec.com/?p=5544)
### Writeups
[How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](https://www.pentestgeek.com/2013/01/30/how-do-i-phish-advanced-email-phishing-tactics/)
[Real World Phishing Techniques - Honeynet Project](http://www.honeynet.org/book/export/html/89)
### Talks/Presentations
[Three Years of Phishing - What We've Learned - Mike Morabito](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech105-three-years-of-phishing-what-weve-learned-mike-morabito)
* Cardinal Health has been aggressively testing and training users to recognize and avoid phishing emails. This presentation covers 3 years of lessons learned from over 18,000 employees tested, 150,000 individual phishes sent, 5 complaints, thousands of positive comments, and a dozen happy executives. Learn from actual phishing templates what works well, doesn,t work at all, and why? See efficient templates for education and reporting results.
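Review bot: the new `### Tools`, `### Microsoft Outlook Stuff`, `### Writeups` and `### Talks/Presentations` headings have no `<a name="...">` anchors, unlike `<a name="framework">` just above them, so the TOC at the top of the file cannot link to them. The sptoolkit-rebirth description appears twice with only whitespace differing; keep one copy. Typos carried over from the upstream text: `peice` should be `piece`, and `doesn,t` in the Morabito summary should be `doesn't`.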

+ 71
- 9
Draft/Privilege Escalation & Post-Exploitation.md View File

@ -36,6 +36,11 @@ http://sdb.tools/talks.html
http://www.slideshare.net/harmj0y/derbycon-passing-the-torch
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating
[How to use msfvenom](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom)
[Mimikatz Logs and Netcat](http://blackpentesters.blogspot.com/2013/12/mimikatz-logs-and-netcat.html?m=1)
##### end sort
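Review bot: the Mimikatz Logs and Netcat URL ends in `?m=1`, Blogger's mobile-layout switch; drop it so the link opens the normal page. The two bare URLs above it (the slideshare deck and the mubix wiki page) have no link text, unlike the new `[How to use msfvenom]` line; give them titles so the list stays consistent.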
@ -89,7 +94,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Pompem](https://github.com/rfunix/Pompem)
* Pompem is an open source tool, designed to automate the search for Exploits and Vulnerability in the most important databases. Developed in Python, has a system of advanced search, that help the work of pentesters and ethical hackers. In the current version, it performs searches in PacketStorm security, CXSecurity, ZeroDay, Vulners, National Vulnerability Database, WPScan Vulnerability Database ...
[The Travelling Pentester: Diaries of the Shortest Path to Compromise](https://www.slideshare.net/harmj0y/the-travelling-pentester-diaries-of-the-shortest-path-to-compromise)
@ -130,6 +135,8 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Windows Privilege Escalation Fundamentals](http://www.fuzzysecurity.com/tutorials/16.html)
[Windows Privilege Escalation Methods for Pentesters](https://pentest.blog/windows-privilege-escalation-methods-for-pentesters/)
[Common Windows Privilege Escalation Vectors](https://toshellandback.com/2015/11/24/ms-priv-esc/)
[Windows Exploit Suggester](https://github.com/GDSSecurity/Windows-Exploit-Suggester)
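Review bot: `[Windows Exploit Suggester]` is the only entry in this hunk without a description. Worth one line on what it does and its limit: it compares `systeminfo` output against Microsoft's security bulletin spreadsheet, and that spreadsheet stopped being updated when Microsoft moved to the Security Update Guide in 2017, so it will not flag missing patches newer than that; treat it as a starting point, not a complete check.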
@ -163,7 +170,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
* PyKEK (Python Kerberos Exploitation Kit), a python library to manipulate KRB5-related data. (Still in development)
[All roads lead to SYSTEM](https://labs.mwrinfosecurity.com/system/assets/760/original/Windows_Services_-_All_roads_lead_to_SYSTEM.pdf)
[Dump Windows password hashes efficiently - Part 1](bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
[Dump Windows password hashes efficiently - Part 1](http://www.bernardodamele.blogspot.com/2011/12/dump-windows-password-hashes.html)
| **Black hat talk on Windows Privilege Escalation** | http://www.slideshare.net/riyazwalikar/windows-privilege-escalation
| **PowerUp - Windows Privilege Escalation through Powershell** | https://n0where.net/windows-local-privilege-escalation-powerup/
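Review bot: same URL change as in `Password Bruting and Hashcracking.md`; verify that `www.bernardodamele.blogspot.com` resolves, since Blogspot serves blogs at `<name>.blogspot.com` and the original had no `www.`, and keep both files on the same URL. The two `| **...** | url` rows that follow are an unterminated table with no header row; markdown will render the pipes literally, so convert them to the `[title](url)` form the rest of the file uses.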
@ -175,9 +182,11 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Bypassing UAC on Windows 10 using Disk Cleanup](https://enigma0x3.net/2016/07/22/bypassing-uac-on-windows-10-using-disk-cleanup/)
[Sherlock](https://github.com/rasta-mouse/Sherlock/blob/master/README.md)
* PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
[The “SYSTEM” challenge](https://decoder.cloud/2017/02/21/the-system-challenge/)
* Writeup of achieving system from limited user privs.
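Review bot: the Sherlock link points at the README blob (`/blob/master/README.md`) rather than the repository; link `https://github.com/rasta-mouse/Sherlock` so the reader lands on the code and the README together. Sherlock overlaps with the `Windows Exploit Suggester` entry added earlier in this file (both look for missing patches that map to local privilege escalation); a cross-reference between the two would help.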
@ -236,8 +245,12 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[nps - Not PowerShell](https://github.com/Ben0xA/nps)
* Execute powershell without powershell.exe
[Introducing PS Attack, a portable PowerShell attack toolkit - Jared Haight](https://www.youtube.com/watch?v=lFCtPdUPdHw)
[PowerShell Secrets and Tactics Ben0xA ](https://www.youtube.com/watch?v=mPPv6_adTyg)
[PowerLine](https://github.com/fullmetalcache/powerline)
* [Presentation](https://www.youtube.com/watch?v=HiAtkLa8FOc)
#### DLL Hijacking
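Review bot: `[PowerLine]` with its `[Presentation]` bullet is added here and again in the `Avoiding/Bypassing Anti-Virus/Whitelisting/Sandboxes` section later in this same commit; keep one entry and cross-reference it from the other section if it belongs in both. The `PS Attack` and `PowerShell Secrets and Tactics` video lines have no description, unlike the `nps` entry above them.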
@ -319,7 +332,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[MemoryModule](https://github.com/fancycode/MemoryModule)
* MemoryModule is a library that can be used to load a DLL completely from memory - without storing on the disk first.
[Hacking SQL Server on Scale with PowerShell - Secure360 2017](https://www.slideshare.net/nullbind/2017-secure360-hacking-sql-server-on-scale-with-powershell)
@ -346,7 +359,6 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
#### Active Directory
* Active Directory
@ -417,6 +429,24 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
* A tool for penetration testing Skype for Business and Lync deployments
* [Blogpost/Writeup](https://www.mdsec.co.uk/2017/04/penetration-testing-skype-for-business-exploiting-the-missing-lync/)
[Pen Testing Active Directory Series](https://blog.varonis.com/binge-read-pen-testing-active-directory-series/)
[Offensive Active Directory with Powershell](https://www.youtube.com/watch?v=cXWtu-qalSs)
[Beyond the MCSE: Red Teaming Active Directory](https://www.youtube.com/watch?v=tEfwmReo1Hk)
[Red vs Blue: Modern Active Directory Attacks & Defense - Defcon23](https://www.youtube.com/watch?v=rknpKIxT7NM)
[Red Vs. Blue: Modern Active Directory Attacks, Detection, And Protection - BHUSA15](https://www.youtube.com/watch?v=b6GUXerE9Ac)
[Abusing Active Directory in Post Exploitation - Carlos Perez - Derbycon 4](https://www.youtube.com/watch?v=sTU-70dD-Ok)
[WSUSpect Proxy](https://github.com/ctxis/wsuspect-proxy/)
* This is a proof of concept script to inject 'fake' updates into non-SSL WSUS traffic. It is based on our Black Hat USA 2015 presentation, 'WSUSpect – Compromising the Windows Enterprise via Windows Update'
* [Whitepaper](http://www.contextis.com/documents/161/CTX_WSUSpect_White_Paper.pdf)
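Review bot: the WSUSpect description says it injects fake updates into non-SSL WSUS traffic; the defensive takeaway belongs next to it. The attack only works when clients fetch updates over plain HTTP, so the check for a target (or a defender) is whether the WSUS URL in `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\WUServer` starts with `https://`. Also, `Red vs Blue ... Defcon23` and `Red Vs. Blue ... BHUSA15` are the same talk recorded at two venues; fine to keep both links, but say so rather than listing them as separate material.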
@ -461,7 +491,8 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Pupy](https://github.com/n1nj4sec/pupy)
* Pupy is a remote administration tool with an embeded Python interpreter, allowing its modules to load python packages from memory and transparently access remote python objects. The payload is a reflective DLL and leaves no trace on disk
[LaZagne](https://github.com/AlessandroZ/LaZagne/blob/master/README.md)
* The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
[Defending against mimikatz](https://jimshaver.net/2016/02/14/defending-against-mimikatz/)
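Review bot: the LaZagne link points at the README blob rather than the repository; link `https://github.com/AlessandroZ/LaZagne`. While this hunk is open, the Pupy description in the context line above has `embeded` for `embedded`.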
@ -635,7 +666,7 @@ Startup folder on Win8
[Et tu Kerberos - Christopher Campbell](https://www.youtube.com/watch?v=RIRQQCM4wz8)
[PsExec and the Nasty Things It Can Do](www.windowsecurity.com/articles-tutorials/misc_network_security/PsExec-Nasty-Things-It-Can-Do.html)
[PsExec and the Nasty Things It Can Do](http://www.windowsecurity.com/articles-tutorials/misc_network_security/PsExec-Nasty-Things-It-Can-Do.html)
* An overview of what PsExec is and what its capabilities are from an administrative standpoint.
[smbexec](https://github.com/pentestgeek/smbexec)
@ -644,7 +675,12 @@ Startup folder on Win8
[Still Passing the Hash 15 Years Later: Using Keys to the Kingdom to Access Data - BH 2012](https://www.youtube.com/watch?v=O7WRojkYR00)
### <a name="av">Avoiding/Bypassing Anti-Virus/Whitelisting/Sandboxes/etc</a>
[pecloak.py - An Experiment in AV evasion](http://www.securitysift.com/pecloak-py-an-experiment-in-av-evasion/)
[Whitelist Bypass techniques](https://github.com/subTee/ApplicationWhitelistBypassTechniques/blob/master/TheList.txt)
@ -666,6 +702,25 @@ Startup folder on Win8
[Sandboxes from a pen tester’s view - Rahul Kashyap](http://www.irongeek.com/i.php?page=videos/derbycon3/4303-sandboxes-from-a-pen-tester-s-view-rahul-kashyap)
* Description: In this talk we’ll do an architectural decomposition of application sandboxing technology from a security perspective. We look at various popular sandboxes such as Google Chrome, Adobe ReaderX, Sandboxie amongst others and discuss the limitations of each technology and it’s implementation. Further, we discuss in depth with live exploits how to break out of each category of sandbox by leveraging various kernel and user mode exploits – something that future malware could leverage. Some of these exploit vectors have not been discussed widely and awareness is important.
[PowerLine](https://github.com/fullmetalcache/powerline)
* [Presentation](https://www.youtube.com/watch?v=HiAtkLa8FOc)
[Invoke-CradleCrafter: Moar PowerShell obFUsk8tion by Daniel Bohannon](https://www.youtube.com/watch?feature=youtu.be&v=Nn9yJjFGXU0&app=desktop)
[Invoke-CradleCrafter v1.1](https://github.com/danielbohannon/Invoke-CradleCrafter)
[Customising Meterpreter Loader DLL part. 2](https://astr0baby.wordpress.com/2014/02/13/customising-meterpreter-loader-dll-part-2/)
[Dr0p1t-Framework](https://github.com/D4Vinci/Dr0p1t-Framework)
* Have you ever heard about trojan droppers ? In short dropper is type of trojans that downloads other malwares and Dr0p1t gives you the chance to create a stealthy dropper that bypass most AVs and have a lot of tricks ( Trust me :D ) ;)
[Winpayloads](https://github.com/nccgroup/Winpayloads)
* Undetectable Windows Payload Generation with extras Running on Python2.7
[Payload Generation with CACTUSTORCH](https://www.mdsec.co.uk/2017/07/payload-generation-with-cactustorch/)
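Review bot: `[PowerLine]` and its `[Presentation]` bullet duplicate the entry added to the PowerShell section earlier in this file. The Invoke-CradleCrafter video URL carries `feature=youtu.be&app=desktop`, which are sharing parameters; `https://www.youtube.com/watch?v=Nn9yJjFGXU0` is enough. `Invoke-CradleCrafter v1.1` bakes a version number into the link text that will go stale; drop it. The Dr0p1t description (`Trust me :D ;)`) is the upstream blurb; replace it with a neutral one-liner such as "generates a dropper that fetches and runs a second payload, with anti-AV tricks".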
@ -720,4 +775,11 @@ Startup folder on Win8
* Tools for injecting arbitrary code into running Python processes.
[WsgiDAV](https://github.com/mar10/wsgidav)
* WsgiDAV is a generic WebDAV server written in Python and based on WSGI.
* WsgiDAV is a generic WebDAV server written in Python and based on WSGI.

+ 26
- 7
Draft/Programming - Languages Libs Courses References.md View File

@ -21,11 +21,7 @@ Cull
* [Papers](#papers)
###Cull
http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul
[Reflective DLL Injection](http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf)
http://www.irongeek.com/i.php?page=videos/derbycon4/t205-code-insecurity-or-code-in-security-mano-dash4rk-paul
http://en.cppreference.com/w/c
#### End Cull
@ -57,6 +53,10 @@ http://en.cppreference.com/w/c
[App Ideas - Stuff to build out ot improve your programming skills](https://github.com/tastejs/awesome-app-ideas)
[Secure iOS application development](https://github.com/felixgr/secure-ios-app-dev)
* This guide is a collection of the most common vulnerabilities found in iOS applications. The focus is on vulnerabilities in the applications’ code and only marginally covers general iOS system security, Darwin security, C/ObjC/C++ memory safety, or high-level application security. Nevertheless, hopefully the guide can serve as training material to iOS app developers that want to make sure that they ship a more secure app. Also, iOS security reviewers can use it as a reference during assessments.
### Articles
@ -72,7 +72,7 @@ http://en.cppreference.com/w/c
[Record and Replay Debugging with Firefox](https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/Record_and_Replay_Debugging_Firefox)
[rr](https://github.com/mozilla/rr)
* rr is a lightweight tool for recording and replaying execution of applications (trees of processes and threads). More information about the project, including instructions on how to install, run, and build rr, is at http://rr-project.org.
* rr is a lightweight tool for recording and replaying execution of applications (trees of processes and threads). More information about the project, including instructions on how to install, run, and build rr, is at http://rr-project.org.w
###<a name="sca">Source Code Analysis</a>
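Review bot: the rewritten rr description ends with `http://rr-project.org.w`; a stray `w` was appended to the URL and will break the link. Nothing else in the line changed, so this hunk is a pure regression; restore `http://rr-project.org.`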
@ -115,6 +115,7 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[cgasm](https://github.com/bnagy/cgasm)
* cgasm is a standalone, offline terminal-based tool with no dependencies that gives me x86 assembly documentation. It is pronounced "SeekAzzem".
[x86 Assembly Crash Course](https://www.youtube.com/watch?v=75gBFiFtAb8)
#### Reference
@ -134,12 +135,20 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[Intel x86 Assembler Instruction Set Opcode Table](http://sparksandflames.com/files/x86InstructionChart.html)
### Videos
#### Videos
[Introduction Video Series(6) to x86 Assembly](https://www.youtube.com/watch?v=qn1_dRjM6F0&list=PLPXsMt57rLthf58PFYE9gOAsuyvs7T5W9)
[Intro to x86 - Derbycon5](http://www.irongeek.com/i.php?page=videos/derbycon5/stable34-intro-to-x86-stephanie-preston)
### Other
[aslrepl](https://github.com/enferex/asrepl)
* asrepl is an assembly based REPL. The REPL processes each line of user input, the output can be witnessed by issuing the command 'regs' and looking at the register state.
### Android
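Review bot: the link text `[aslrepl]` does not match the repository name `asrepl` in the URL or in its own description on the next line; fix the text. The `### Videos` to `#### Videos` change puts Videos at the same level as `#### Reference` while `### Other` right after it stays one level up; confirm that nesting is what you want.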
@ -197,6 +206,7 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[Serianalyzer](https://github.com/mbechler/serianalyzer)
* A static byte code analyzer for Java deserialization gadget research
[Protect Your Java Code - Through Obfuscators and Beyond](https://www.excelsior-usa.com/articles/java-obfuscators.html)
@ -229,6 +239,10 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
"""
### PHP
[PHP: a fractal of bad design](https://eev.ee/blog/2012/04/09/php-a-fractal-of-bad-design/)
### <a name="python">Python</a>
@ -312,3 +326,8 @@ $err = $ErrorSource + " reports: " + $ErrorMessage
#### Other
[A successful Git branching model](http://nvie.com/posts/a-successful-git-branching-model/)
[Mostly Adequate Guide](https://drboolean.gitbooks.io/mostly-adequate-guide/)
* This is a book on the functional paradigm in general. We'll use the world's most popular functional programming language: JavaScript. Some may feel this is a poor choice as it's against the grain of the current culture which, at the moment, feels predominately imperative.
[Reflective DLL Injection](http://www.harmonysecurity.com/files/HS-P005_ReflectiveDllInjection.pdf)
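Review bot: `[Reflective DLL Injection]`, moved out of the Cull block at the top of this file, lands under `#### Other` next to a Git branching post and a JavaScript functional-programming book. It is Stephen Fewer's Harmony Security paper (HS-P005) on a Windows in-memory loading technique and belongs with the file's native/Windows material, or in `Privilege Escalation & Post-Exploitation.md` beside the MemoryModule entry, which covers the related problem of loading a DLL from memory without touching disk.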

+ 14
- 4
Draft/Reverse Engineering.md View File

@ -57,10 +57,6 @@ http://blog.techorganic.com/2016/03/08/radare-2-in-0x1e-minutes/
mammon_'s tales to his grandson - https://mammon.github.io/tales/
http://fileformats.archiveteam.org/wiki/PNG
[Bug Hunting for the Man on the Street]()
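Review bot: `[Bug Hunting for the Man on the Street]()` has an empty URL, so it renders as a dead link; fill in the target or leave the entry out until there is one.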
@ -85,6 +81,20 @@ https://objective-see.com/
[Binary Hooking Problems](http://www.ragestorm.net/blogs/?p=348)
[Symbolic execution timeline](https://github.com/enzet/symbolic-execution)
* Diagram highlights some major tools and ideas of pure symbolic execution, dynamic symbolic execution (concolic) as well as related ideas of model checking, SAT/SMT solving, black-box fuzzing, taint data tracking, and other dynamic analysis techniques.
[bingrep](https://github.com/m4b/bingrep)
* Greps through binaries from various OSs and architectures, and colors them.
[radare2 cheat sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md)
[Blackbone](https://github.com/DarthTon/Blackbone)
* Windows memory hacking library
[Binacle](https://github.com/ANSSI-FR/Binacle)
* Indexation "full-bin" of binary files
### End sort
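Review bot: `[radare2 cheat sheet]` has no description, and `[Blackbone]` and `[Binacle]` carry only the repositories' taglines (`Windows memory hacking library`, `Indexation "full-bin" of binary files`), which do not tell a reader what they would use them for; one sentence each, as the `bingrep` and symbolic-execution entries have, would help. Also check whether Blackbone, a Windows process and memory manipulation library, fits this reverse-engineering file better than the post-exploitation one.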


+ 1
- 0
Draft/Social Engineering.md View File

@ -20,6 +20,7 @@ CULL
| **I Will Kill You** - Chris Rock(Defcon23)| https://www.youtube.com/watch?v=9FdHq3WfJg
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
#### end sort
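Review bot: the YouTube id in `https://www.youtube.com/watch?v=9FdHq3WfJg` is 10 characters; YouTube ids are 11, so a character was dropped and the link will not resolve. The ncbi.nlm.nih.gov line below it is a bare URL with no title; a PMC article number alone does not tell the reader why it is in a social engineering list.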


+ 15
- 16
Draft/System Internals Windows and Linux Internals Reference.md View File

@ -23,30 +23,18 @@
[pagexec - GRSEC](https://pax.grsecurity.net/docs/pageexec.txt)