
More stuff as always, Exploit Dev is really looking better

pull/4/head
Robert 8 years ago
parent
commit
2f56997ac4
35 changed files with 688 additions and 403 deletions
1. +2 -0 Draft/Draft/Anonymity Opsec Privacy -.md
2. +3 -0 Draft/Draft/Anti-Forensics.md
3. +16 -22 Draft/Draft/Attacking Defending Android -.md
4. +2 -0 Draft/Draft/BIOS UEFI Attacks Defenses.md
5. +0 -0 Draft/Draft/Basic Security Information.md
6. +0 -0 Draft/Draft/CTFs & Wargames -.md
7. +4 -0 Draft/Draft/Cheat sheets reference pages Checklists -.md
8. +3 -0 Draft/Draft/Counter Surveillance.md
9. +2 -0 Draft/Draft/Courses & Training -.md
10. +11 -0 Draft/Draft/Data AnalysisVisualization.md
11. +0 -0 Draft/Draft/Disinformation -.md
12. +0 -0 Draft/Draft/Documentation & Reports -.md
13. +3 -1 Draft/Draft/Embedded Device & Hardware Hacking -.md
14. +10 -0 Draft/Draft/Exfiltration.md
15. +266 -262 Draft/Draft/Exploit Development.md
16. +3 -0 Draft/Draft/Forensics Incident Response.md
17. +0 -0 Draft/Draft/Frameworks Methodologies.md
18. +29 -8 Draft/Draft/Fuzzing Bug Hunting.md
19. +0 -0 Draft/Draft/Home Security.md
20. +9 -0 Draft/Draft/Interesting Things Useful stuff.md
21. +64 -0 Draft/Draft/Malware.md
22. +6 -0 Draft/Draft/Network Attacks & Defenses.md
23. +7 -1 Draft/Draft/Network Security Monitoring & Logging.md
24. +19 -1 Draft/Draft/Privilege Escalation & Post-Exploitation.md
25. +6 -0 Draft/Draft/Programming - Languages Libs Courses References.md
26. +82 -72 Draft/Draft/Reverse Engineering.md
27. +23 -34 Draft/Draft/Rootkits.md
28. +23 -0 Draft/Draft/Securing Hardening.md
29. +0 -0 Draft/Draft/Simulations.md
30. +10 -1 Draft/Draft/Social Engineering.md
31. +0 -0 Draft/Draft/Sysadmin Stuff.md
32. +3 -0 Draft/Draft/System Internals Windows and Linux Internals Reference.md
33. +52 -1 Draft/Draft/To Do/add cull -2.txt
34. +3 -0 Draft/Draft/Web & Browsers.md
35. +27 -0 Draft/Draft/Wireless Networks & RF.md

Draft/Draft/Anonymity Opsec Privacy.md → Draft/Draft/Anonymity Opsec Privacy -.md


+3 -0 Draft/Draft/Anti-Forensics.md

@ -6,6 +6,9 @@
[CleanAfterMe](http://www.nirsoft.net/utils/clean_after_me.html)
* CleanAfterMe allows you to easily clean files and Registry entries that are automatically created by the Windows operating system during your regular computer work.
With CleanAfterMe, you can clean the cookies/history/cache/passwords of Internet Explorer, the 'Recent' folder, the Registry entries that record the last opened files, the temporary folder of Windows, the event logs, the Recycle Bin, and more.
[Hiding Data in Hard-Drive's Service Areas](http://recover.co.il/SA-cover/SA-cover.pdf)
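Review bot: the CleanAfterMe description is split over two lines with only the first one bulleted (`* CleanAfterMe allows you to easily clean ...` then `With CleanAfterMe, you can clean ...`), so the second line renders as a paragraph outside the list; either join the two lines or bullet both. The `Hiding Data in Hard-Drive's Service Areas` entry has no description line, unlike the other entries in this file.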


+16 -22 Draft/Draft/Attacking Defending Android -.md

@ -6,41 +6,25 @@
####TOC
Cull
[Intro](#Intro)
[Android Internals](#AInternals)
[Securing Android](#SecAnd)
Android Apps
[Vulnerabilities](#Vulns)
[Exploits](#Exploits)
[Device Analysis](#DAnalysis)
[Application Analysis](#AppAnalysis)
* Dynamic Analysis
* Static Analysis
* Online APK Analyzers
[Online APK Analyzers](#OnlineAPK)
[Attack Platforms](#APlatforms)
[Android Malware](#Malware)
[Reverse Engineering Android](#RE)
[Interesting Papers](#Papers)
[Write-ups](#Write)
[Educational Materials][#Education)
[Educational Materialsl[#Education)
[Books](#Books)
[Other](#Other)
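Review bot: the replacement TOC entry is still a malformed link and now adds a typo: `[Educational Materialsl[#Education)` should read `[Educational Materials](#Education)` (closing `]`, opening `(`, and `Materials` without the trailing `l`); as written it renders as literal text rather than a link. The TOC also mixes bare `[...](#...)` lines with `*` bullets used only for the three Application Analysis sub-items, and `Cull` and `Android Apps` sit inside the TOC as plain words with no anchor; the bulleted TOC form this commit introduces in Fuzzing Bug Hunting.md would be the consistent choice here too.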
@ -58,12 +42,22 @@ Android Apps
###Cull
[AndBug - A Scriptable Android Debugger](https://github.com/swdunlop/AndBug)
* AndBug is a debugger targeting the Android platform's Dalvik virtual machine intended for reverse engineers and developers. It uses the same interfaces as Android's Eclipse debugging plugin, the Java Debug Wire Protocol (JDWP) and Dalvik Debug Monitor (DDM) to permit users to hook Dalvik methods, examine process state, and even perform changes.
[AndroChef](http://androiddecompiler.com/)
* AndroChef Java Decompiler is Windows XP, Windows 2003, Windows Vista, Windows 7, Windows 8, 8.1 decompiler for Java that reconstructs the original source code from the compiled binary CLASS files. AndroChef Java Decompiler is able to decompile the most complex Java 6 applets and binaries, producing accurate source code. AndroChef successfully decompiles obfuscated Java 6 and Java 7 .class and .jar files. Support Java language features like generics, enums and annotations. According to some studies, AndroChef Java Decompiler is able to decompile 98.04% of Java applications generated with traditional Java compilers- a very high recovery rate. It is simple but powerful tool that allows you to decompile Java and Dalvik bytecode (DEX, APK) into readable Java source. Easy to use.
http://nelenkov.blogspot.com
[elsim - Elements Similarities](https://code.google.com/p/elsim/wiki/Similarity#Diffing_of_applications)
* Similarities/Differences of applications (aka rip-off indicator)
* This tool detects and reports: the identical methods; the similar methods; the deleted methods; the new methods; the skipped methods.
[playdrone](https://github.com/nviennot/playdrone)
* Google Play Crawler
[hbootdbg](https://github.com/sogeti-esec-lab/hbootdbg/)
* Debugger for HTC phones bootloader (HBOOT).
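Review bot: `http://nelenkov.blogspot.com` is a bare URL between two described entries; give it a title in the `[title](url)` form used for the rest of the section so it is clear why it is listed. The AndroChef description is vendor copy (the Windows version list, the `98.04%` recovery claim, `Easy to use.`) and could be cut to the one sentence that matters for this file: it decompiles Dalvik bytecode (DEX, APK) into readable Java source.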
@ -265,7 +259,7 @@ Android Resources (.arsc).
[Flow Droid - Taint Analysis](http://sseblog.ec-spride.de/tools/flowdroid/)
* FlowDroid is a context-, flow-, field-, object-sensitive and lifecycle-aware static taint analysis tool for Android applications. U
* [Flow Droid Paper- FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps](http://www.bodden.de/pubs/far+14flowdroid.pdf)
* In this work we thus present F LOW D ROID , a novel and highly precise static taint analysis for Android applications. A precise model of AndroidÂ’s lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help F LOW D ROID maintain high efficiency and precision at the same time
* In this work we thus present F LOW D ROID , a novel and highly precise static taint analysis for Android applications. A precise model of Android’s lifecycle allows the analysis to properly handle callbacks invoked by the Android framework, while context, flow, field and object-sensitivity allows the analysis to reduce the number of false alarms. Novel on-demand algorithms help F LOW D ROID maintain high efficiency and precision at the same time
[dedex](https://github.com/mariokmk/dedex)
* Is a command line tool for disassembling Android DEX files.
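Review bot: the mojibake fix (`AndroidÂ’s` → `Android’s`) is right, but the replacement line keeps the other PDF copy artefacts in the same paragraph: `F LOW D ROID` should be `FlowDroid`, and the stray `U` that ends the first description line (`... static taint analysis tool for Android applications. U`) looks like a truncated sentence; either finish it or drop the `U`.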
@ -336,7 +330,7 @@ Android Resources (.arsc).
[Android apk-tool](https://code.google.com/p/android-apktool/)
* It is a tool for reverse engineering 3rd party, closed, binary Android apps. It can decode resources to nearly original form and rebuild them after making some modifications; it makes possible to debug smali code step by step. Also it makes working with app easier because of project-like files structure and automation of some repetitive tasks like building apk, etc.
[Reversing and Auditing AndroidÂ’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)
[Reversing and Auditing Android’s Proprietary bits](http://www.slideshare.net/joshjdrake/reversing-and-auditing-androids-proprietary-bits)
[Smali](https://code.google.com/p/smali/)
* smali/baksmali is an assembler/disassembler for the dex format used by dalvik, Android's Java VM implementation. The syntax is loosely based on Jasmin's/dedexer's syntax, and supports the full functionality of the dex format (annotations, debug info, line info, etc.)
@ -355,7 +349,7 @@ APKinspector is a powerful GUI tool for analysts to analyze the Android applicat
[Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks](http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf)
* Abstract: The security of smartphone GUI frameworks remains an important yet under-scrutinized topic. In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions. Our finding leads to a class of attacks which we name UI state inference attack.
[List of important whitepapers](http://www.droidsec.org/wiki/#whitepapers)
[List of important whitepapers](https://github.com/droidsec/droidsec.github.io/wiki/Android-Whitepapers)
[Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications](https://anonymous-proxy servers.net/paper/android-remote-code-execution.pdf)
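Review bot: the URL in `[Execute This! ...](https://anonymous-proxy servers.net/paper/android-remote-code-execution.pdf)` contains a space in the host name, so the link cannot resolve; verify the intended host and fix it while this region is being touched. Swapping the whitepapers link from `droidsec.org/wiki` to the GitHub wiki page is fine.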
@ -431,8 +425,8 @@ APKinspector is a powerful GUI tool for analysts to analyze the Android applicat
[OWASP GoatDroid](https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project)
* “OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users.
The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.Â
* “OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users.
The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.”
[Insecure Bank v2](https://github.com/dineshshetty/Android-InsecureBankv2)
* This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code.
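Review bot: the closing-quote fix (`Â` → `”`) is correct, but the second description line still reads `There are also several feature that greatly simplify usage` (should be `features`), and as with the CleanAfterMe entry in Anti-Forensics.md the continuation line has no `*`, so it renders outside the bullet while the opening `“` on the first line is only closed on the second. Joining the two lines into one list item fixes both.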


+2 -0 Draft/Draft/BIOS UEFI Attacks Defenses.md

@ -14,6 +14,8 @@ Writeups
###Cull
[20 Ways Past Secure Boot - Job de Haas - Troopers14](https://www.youtube.com/watch?v=74SzIe9qiM8
[Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
[CHIPSEC module that exploits UEFI boot script table vulnerability](https://github.com/Cr4sh/UEFI_boot_script_expl)
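Review bot: `[20 Ways Past Secure Boot - Job de Haas - Troopers14](https://www.youtube.com/watch?v=74SzIe9qiM8` is missing its closing `)`, so the link does not render; it is a context line here, but it sits directly above the new entries and is a one-character fix. The two added entries (Intel ME Huffman algorithm, CHIPSEC boot script module) have no description line, unlike most entries in the repo.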


Draft/Draft/Basic Security Informd.md → Draft/Draft/Basic Security Information.md


Draft/Draft/CTFs & Wargamd.md → Draft/Draft/CTFs & Wargames -.md


+4 -0 Draft/Draft/Cheat sheets reference pages Checklists -.md

@ -25,6 +25,10 @@ TOC
CULL
[Management Frames Reference Sheet](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf)
[Radare2 Cheat sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md)
[How to Suck at Information Security](https://zeltser.com/suck-at-security-cheat-sheet/)


+3 -0 Draft/Draft/Counter Surveillance.md

@ -33,6 +33,9 @@ Detecting Surveillance - Spiderlabs blog
###<a name="videos">Videos</a>
[F*ck These Guys: Practical Countersurveillance Lisa Lorenzin - BsidesSF15](http://www.irongeek.com/i.php?page=videos/bsidessf2015/201-fck-these-guys-practical-countersurveillance-lisa-lorenzin)
* We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends. Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
[Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures


+2 -0 Draft/Draft/Courses & Training -.md

@ -30,6 +30,8 @@ Reverse Engineering Classes/Training
[armpwn](https://github.com/saelo/armpwn)
* Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
DVWA
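Review bot: `DVWA` is added as a bare word with no link or description; the other entries in this section use `[title](url)` plus a `*` summary, so add at least the project URL or leave the line out until there is one.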


+11 -0 Draft/Draft/Data AnalysisVisualization.md

@ -9,6 +9,17 @@ Tools
Cull
http://linkurio.us/toolkit/
http://marvl.infotech.monash.edu/webcola/
[simgaJS-webcola](https://github.com/qinfchen/sigmajs-webcola)
* webcola plugin for sigmajs
http://www.yasiv.com/graphs#Bai/rw496
[Airodump-NG Scan Visualizer](http://hackoftheday.securitytube.net/2015/03/airodump-ng-scan-visualizer-ver-01.html)
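Review bot: `[simgaJS-webcola]` misspells the project name; the repo path in its own URL is `sigmajs-webcola`. Three of the added lines (`linkurio.us/toolkit/`, `marvl.infotech.monash.edu/webcola/`, `yasiv.com/graphs#Bai/rw496`) are bare URLs with no title; the `#Bai/rw496` fragment in particular says nothing to a reader without one.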


Draft/Draft/Disinformd.md → Draft/Draft/Disinformation -.md


Draft/Draft/Documd.md → Draft/Draft/Documentation & Reports -.md


Draft/Draft/Emd.md → Draft/Draft/Embedded Device & Hardware Hacking -.md


+10 -0 Draft/Draft/Exfiltration.md

@ -11,6 +11,9 @@
Cull
Stunnel
iodine
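Review bot: `Stunnel` and `iodine` are added to Cull as bare names without links, and `iodine` is added again with a link and description in the Tools section of this same file in the next hunk; keep only the Tools entry for iodine, and either link Stunnel or drop it.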
@ -32,6 +35,13 @@ Draft emails
###<a name="tools">Tools</a>
[iodine](https://github.com/yarrick/iodine)
* This is a piece of software that lets you tunnel IPv4 data through a DNS server. This can be usable in different situations where internet access is firewalled, but DNS queries are allowed.
[dnscat2](https://github.com/iagox86/dnscat2)
* Welcome to dnscat2, a DNS tunnel that WON'T make you sick and kill you! This tool is designed to create a command-and-control (C&C) channel over the DNS protocol, which is an effective tunnel out of almost every network.
[fraud-bridge](https://github.com/stealth/fraud-bridge)
* fraud-bridge allows to tunnel TCP connections through ICMP, ICMPv6, DNS via UDP or DNS via UDP6. Project, not stable
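Review bot: the fraud-bridge description ends in the fragment `Project, not stable`; if that is your assessment of the project's maturity, say so in a full sentence (`The project is not yet stable.`) so it is not read as part of the tool's own blurb. `allows to tunnel` should be `allows tunnelling` or `tunnels`.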


Draft/Draft/Exploit Developmd.md → Draft/Draft/Exploit Development.md


+3 -0 Draft/Draft/Forensics Incident Response.md

@ -25,6 +25,9 @@ Better security - Mean time to detect/Mean time to respond
###CULL
[Fully Integrated Defense Operation (FIDO)](https://github.com/Netflix/Fido)
* FIDO is an orchestration layer used to automate the incident response process by evaluating, assessing and responding to malware. FIDO’s primary purpose is to handle the heavy manual effort needed to evaluate threats coming from today's security stack and the large number of alerts generated by them. As an orchestration platform FIDO can make using your existing security tools more efficient and accurate by heavily reducing the manual effort needed to detect, notify and respond to attacks against a network.
[Unmasking Careto through Memory Analysis - Andrew Case](http://2014.video.sector.ca/video/110388398)
[IRMA - Incident Response & Malware Analysis](http://irma.quarkslab.com/index.html)


Draft/Draft/Framd.md → Draft/Draft/Frameworks Methodologies.md


+29 -8 Draft/Draft/Fuzzing Bug Hunting.md

@ -2,13 +2,14 @@
TOC
* [Videos/Presentations](#presentation)
* [Techniques](#tech)
[Methodologies](#method)
[Write-ups](#writeup)
[Tools](#tools)
[Papers](#papers)
[Books](#books)
[Miscellaneous](#misc)
* [Methodologies](#method)
* [Write-ups](#writeup)
* [Tools](#tools)
* [Papers](#papers)
* [Books](#books)
* [Miscellaneous](#misc)
[Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)
@ -16,12 +17,29 @@ TOC
###Cull
[From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf
###<a name="presentation">Presentations/Videos</a>
[The Best of Bug Finding - Duo Tech Talk (Charlie Miller)](https://www.youtube.com/watch?v=1M1EOzulQsw)
* I look at how security vulnerabilities are found (or missed) and some of my favorite bugs and exploits I’ve come across in my career.
[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](https://www.youtube.com/watch?v=h777lF6xjs4)
[The Power Of Pair: One Template That Reveals 100+ Uaf Ie Vulnerabilities - BlackhatEU14](http://www.securitytube.net/video/12924?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29)
[What Happens In Windows 7 Stays In Windows 7 - Marion Marschalek & Joseph Moti - Troopers14](https://www.youtube.com/watch?v=s_7Cy2w2dCw)
* Diffing libs in Win7 compared to Win8 to id vuln dlls.
* [DiffRay](https://github.com/pinkflawd/DiffRay)
..* Tool for diffing Win7 & Win8 Libraries based on textfile outputs from IDA Pro.
[Mining for Bugs with Graph Database Queries [31c3]](https://www.youtube.com/watch?v=291hpUE5-3g)
* [Starting out with Joern](http://tsyrklevich.net/2015/03/28/starting-out-with-joern/)
[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14](https://www.youtube.com/watch?v=h777lF6xjs4)
http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at-scale-by-abhishek-arya.pdf
###General Writeups
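Review bot: `[Implementing an USB Host Driver Fuzzer - Daniel Mende - Troopers14]` and the nullcon `analyzing-chrome-crash-reports-at-scale` link each appear twice in this hunk (once right after `###Cull`, once at the end of Presentations/Videos); since the rendered diff hides which copy is the removal, confirm that exactly one copy of each survives. The nested bullet `..* Tool for diffing Win7 & Win8 Libraries ...` uses `..*`, which Markdown does not treat as nesting; indent it with spaces under the `* [DiffRay]` item instead.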
@ -88,6 +106,9 @@ http://nullcon.net/website/archives/ppt/goa-15/analyzing-chrome-crash-reports-at
* Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
[crashwalk](https://github.com/bnagy/crashwalk)
* Bucket and triage on-disk crashes. OSX and Linux.(automated triaging of AFL-based crashes)
[CERT’s Failure Observation Engine (FOE)](https://www.cert.org/vulnerability-analysis/tools/foe.cfm)
* The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.


Draft/Draft/Homd.md → Draft/Draft/Home Security.md


+9 -0 Draft/Draft/Interesting Things Useful stuff.md

@ -33,6 +33,13 @@ http://www.securitywizardry.com/radar.htm
###CULL
[Creating A Kewl And Simple Cheating Platform On Android - DeepSec2014](http://www.securitytube.net/video/12547?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SecurityTube+%28SecurityTube.Net%29)
*
[Anti-Virus Software Gone Wrong](http://uninformed.org/?v=all&a=21&t=sumry)
* Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems.
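Review bot: the line after the `Creating A Kewl And Simple Cheating Platform On Android` entry is an empty bullet (`*`); either add the summary or remove the bullet so it does not render as a blank list item.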
@ -64,6 +71,8 @@ http://datagenetics.com/blog/november12013/index.html
###Interesting Videos
[Kim Jong-il and Me: How to Build a Cyber Army to Defeat the U.S. - Charlie MIller](https://www.youtube.com/watch?v=4up0yTGlpaU)
[Just What The Doctor Ordered? - Scott Erven and Shawn Merdinger - DEF CON 22](https://www.youtube.com/watch?v=wTEMSBXtkAc)
* This discussion will also highlight the fallout from security standards not being a requirement for medical device manufacturers, and our experience in identifying and reporting vulnerabilities. We will provide our insight into what needs to be done for healthcare organizations to respond to the new threat of cyber-attack against medical devices. We are working towards a future where cyber security issues in medical devices are a thing of the past. We will discuss the recent success and traction we have gained with healthcare organizations, federal agencies and device manufacturers in addressing these security issues. The train is now moving, so please join us to find out how you can get involved and make a difference by ensuring patient safety.
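Review bot: `Charlie MIller` has a capitalisation typo (`Miller`). The DEF CON 22 entry's summary is the talk's full abstract; the one sentence about security standards not being a requirement for medical device manufacturers is enough to say why it is listed.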


+64 -0 Draft/Draft/Malware.md

@ -15,7 +15,68 @@ TOC
###Cull
[packer-breaker](http://www.sysreveal.com/category/packerbreaker/)
* Unpacker for a variety of packing tools.
[Unpacking with OllyBonE](http://www.joestewart.org/ollybone/tutorial.html)
* This is a brief tutorial giving the basic steps to unpack code using the OllyBonE plugin.
[COM Object hijacking: the discreet way of persistence](https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html)
[Poweliks: the persistent malware without a file](https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html)
[Temporal Persistence with bitsadmin and schtasks](http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
[License to Kill: Malware Hunting with the Sysinternals Tools](https://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
[Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
[Thousand ways to backdoor a Windows domain (forest)](http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html)
[INetSim](http://www.inetsim.org/)
* INetSim is a software suite for simulating common internet services in a lab environment, e.g. for analyzing the network behaviour of unknown malware samples.
[Regshot](http://sourceforge.net/projects/regshot/)
Regshot is an open-source (LGPL) registry compare utility that allows you to quickly take a snapshot of your registry and then compare it with a second one - done after doing system changes or installing a new software product.
[Mandiant ApateDNS](https://www.mandiant.com/resources/download/research-tool-mandiant-apatedns)
* Mandiant ApateDNS is a tool for controlling DNS responses though an easy to use GUI. As a phony DNS server, Mandiant ApateDNS spoofs DNS responses to a user-specified IP address by listening on UDP port 53 on the local machine. Mandiant ApateDNS also automatically sets the local DNS to localhost. Upon exiting the tool, it sets back the original local DNS settings.
[Dependency Walker](http://www.dependencywalker.com/)
* Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
http://www.exposedbotnets.com/?m=0
[ Analyzing Malware for Embedded Devices: TheMoon Worm ](http://w00tsec.blogspot.com/2014/02/analyzing-malware-for-embedded-devices.html)
[ antivmdetection](https://github.com/nsmfoo/antivmdetection)
* Script to create templates to use with VirtualBox to make vm detection harder
http://www.securityxploded.com/malware-analysis-training-reference.php
[Analysis of a Romanian Botnet](http://www.politoinc.com/2015/04/analysis-of-a-romanian-botnet/)
* Going from first sighting in logs to tracing attackers to their C2 IRC room
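Review bot: the Regshot description line (`Regshot is an open-source (LGPL) registry compare utility ...`) is missing the leading `*` that every other description in this section has. `[ Analyzing Malware for Embedded Devices: TheMoon Worm ]` and `[ antivmdetection]` have spaces inside the brackets that show up in the rendered link text, and `http://www.exposedbotnets.com/?m=0` and the securityxploded training page are bare URLs with no title. Four of the persistence links here (`COM Object hijacking`, `Temporal Persistence with bitsadmin and schtasks`, `Thousand ways to backdoor a Windows domain (forest)`, `Many ways of malware persistence`) are also added to Privilege Escalation & Post-Exploitation.md or Network Security Monitoring & Logging.md in this same commit; pick one home for each so the cull does not have to be done twice.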
@ -23,6 +84,9 @@ TOC
http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/
[Nesting doll: unwrapping Vawtrak](https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-Vawtrak) * https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-Vawtrak
[Malcom - Malware Communication Analyzer](https://github.com/tomchop/malcom)
* Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
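Review bot: `[Nesting doll: unwrapping Vawtrak](...) * https://www.virusbtn.com/virusbulletin/archive/2015/01/vb201501-Vawtrak` repeats the link's own URL inline after it, apparently a paste left over; drop the trailing ` * https://...`. The Malcom entry and its description are added verbatim to Network Security Monitoring & Logging.md in this commit as well.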


+6 -0 Draft/Draft/Network Attacks & Defenses.md

@ -35,6 +35,12 @@ http://www.exploit-db.com/papers/35425/
###Cull
[DNS Dumpster](DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.)
[More on HNAP - What is it, How to Use it, How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
[ms15-034.nse Script](https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse)
[TCP Catcher](http://www.tcpcatcher.org/)
* TcpCatcher is a free TCP, SOCKS, HTTP and HTTPS proxy monitor server software.
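Review bot: the DNS Dumpster entry puts the description where the URL belongs: `[DNS Dumpster](DNSdumpster.com is a FREE domain research tool ...)` renders as a link whose target is that sentence. It should be `[DNS Dumpster](http://dnsdumpster.com)` (the host named in the description) followed by a `* ` description line. The `ms15-034.nse Script` line says nothing about what the script checks; a one-line summary would help anyone culling this section later.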


+7 -1 Draft/Draft/Network Security Monitoring & Logging.md

@ -16,7 +16,13 @@ Cull
###Cull
###Cull - Create incident Response section
[Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
——
[Malcom - Malware Communication Analyzer](https://github.com/tomchop/malcom)
* Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
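Review bot: this hunk leaves three consecutive `###Cull` headings (`###Cull`, `###Cull`, `###Cull - Create incident Response section`) and a bare `——` rule; collapse them to one heading and keep the note about creating an incident response section as a TODO line or an issue rather than a heading. Both added entries (`Many ways of malware persistence`, Malcom) are also added to Malware.md in this commit; if the point is that Malcom belongs under monitoring, keep it here and remove the Malware.md copy rather than maintaining both.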


+19 -1 Draft/Draft/Privilege Escalation & Post-Exploitation.md

@ -31,6 +31,7 @@ http://carnal0wnage.attackresearch.com/2012/10/group-policy-preferences-and-gett
http://blog.securestate.com/how-to-pwn-systems-through-group-policy-preferences/
Article Explaining what the KRBTGT account in AD is:
http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment
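Review bot: `Article Explaining what the KRBTGT account in AD is:` followed by a bare URL on the next line does not match the `[title](url)` convention used in the rest of this file; fold it into one line, e.g. `[Article explaining what the KRBTGT account in AD is](http://windowsitpro.com/security/q-what-krbtgt-account-used-active-directory-ad-environment)`.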
@ -128,6 +129,10 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
###<a name="winpost">Post-Exploitation Windows</a>
[PShell Script: Extract All GPO Set Passwords From Domain](http://www.nathanv.com/2012/07/04/pshell-script-extract-all-gpo-set-passwords-from-domain/)
* This script parses the domain’s Policies folder looking for Group.xml files. These files contain either a username change, password setting, or both. This gives you the raw data for local accounts and/or passwords enforced using Group Policy Preferences. Microsoft chose to use a static AES key for encrypting this password. How awesome is that!
[Client Side attacks using Powershell](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)
[I Hunt Sysadmins 2.0](http://www.slideshare.net/harmj0y/i-hunt-sys-admins-20)
@ -178,6 +183,18 @@ Simply curl any of the following addresses: ident.me, ifconfig.me or whatsmyip.a
###<a name="winpersist">Windows</a>
[Windows Registry Persistence, Part 1: Introduction, Attack Phases and Windows Services](http://blog.cylance.com/windows-registry-persistence-part-1-introduction-attack-phases-and-windows-services)
[Windows Registry Persistence, Part 2: The Run Keys and Search-Order](http://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order)
[Temporal Persistence with bitsadmin and schtasks](http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
[Windows Event Log Driven Back Doors](http://blakhal0.blogspot.com/2015/03/windows-event-log-driven-back-doors.html)
[COM Object hijacking: the discreet way of persistence](https://blog.gdatasoftware.com/blog/article/com-object-hijacking-the-discreet-way-of-persistence.html)
[Thousand ways to backdoor a Windows domain (forest)](http://jumpespjump.blogspot.com/2015/03/thousand-ways-to-backdoor-windows.html)
[Windows Firewall Hook Enumeration](https://www.nccgroup.com/en/blog/2015/01/windows-firewall-hook-enumeration/)
* We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
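Review bot: three of the added entries here (`Temporal Persistence with bitsadmin and schtasks`, `COM Object hijacking: the discreet way of persistence`, `Thousand ways to backdoor a Windows domain (forest)`) are also added to the Cull section of Malware.md in this commit; this Windows persistence section is the better home, so the Malware.md copies can go. The Firewall Hook Enumeration entry has a useful summary; the other five added entries have none.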
@ -206,7 +223,8 @@ Linux cron tab
###<a name="osxpersist">OS X</a>
[What's the easiest way to have a script run at boot time in OS X? - Stack Overflow](https://superuser.com/questions/245713/whats-the-easiest-way-to-have-a-script-run-at-boot-time-in-os-x)
[Userland Persistence On Mac Os X "It Just Works" - Shmoocon 2015](http://www.securitytube.net/video/12428?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:%20SecurityTube%20%28SecurityTube.Net%29)
* Got root on OSX? Do you want to persist between reboots and have access whenever you need it? You do not need plists, new binaries, scripts, or other easily noticeable techniques. Kext programming and kernel patching can be troublesome! Leverage already running daemon processes to guarantee your access. As the presentation will show, if given userland administrative access (read: root), how easy it is to persist between reboots without plists, non-native binaries, scripting, and kexts or kernel patching using the Backdoor Factory.


Draft/Draft/Programmd.md → Draft/Draft/Programming - Languages Libs Courses References.md


+82 -72 Draft/Draft/Reverse Engineering.md

@ -1,12 +1,25 @@
##Reverse Engineering
TableOfContents
Reverse Engineering - Wikipedia
https://en.wikipedia.org/wiki/Reverse_engineering
[High Level view of what Reverse Engineering is](http://www.program-transformation.org/Transform/DecompilationAndReverseEngineering)
[What is Reverse Engineering?](http://www.program-transformation.org/Transform/DecompilationAndReverseEngineering)
[Introduction to Reverse Engineering Software](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
* This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows©. Since reverse engineering is under legal fire, the authors figure the best response is to make the knowledge widespread. The idea is that since discussing specific reverse engineering feats is now illegal in many cases, we should then discuss general approaches, so that it is within every motivated user's ability to obtain information locked inside the black box. Furthermore, interoperability issues with closed-source proprietary systems are just plain annoying, and something needs to be done to educate more open source developers as to how to implement this functionality in their software.
[Starting from Scratch?](http://www.reddit.com/r/ReverseEngineering/comments/smf4u/reverser_wanting_to_develop_mathematically/)
TOC
Intro
Cull
* [Frameworks](#frameworks)
* [Debuggers](#dbg)
* [Debuggers & Related Techniques](#dbg)
* [Decompilers](#decom)
* [Comparison Tools](#ct)
* [Tools](#tools)
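Review bot: the TOC entry is renamed to `* [Debuggers & Related Techniques](#dbg)` here, but the section heading it points at is still `####<a name="dbg">Debuggers</a>` in the debuggers hunk further down; make the two agree so the TOC label matches what the reader lands on. Two style points in the same hunk: the Wikipedia entry is a bare title line followed by a bare URL line while every neighbouring entry uses `[title](url)`, so fold it into `[Reverse Engineering - Wikipedia](https://en.wikipedia.org/wiki/Reverse_engineering)`; and `##Reverse Engineering` / `###<a ...>` headings have no space after the hashes, which CommonMark-based renderers (current GitHub included) treat as plain paragraphs rather than headings, so add the space throughout the file.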
@ -22,65 +35,15 @@ Cull
* [Papers](#papers)
* [Wikis & Useful Sites](#wikis)
Reverse Engineering - Wikipedia
https://en.wikipedia.org/wiki/Reverse_engineering
[High Level view of what Reverse Engineering is](http://www.program-transformation.org/Transform/DecompilationAndReverseEngineering)
[What is Reverse Engineering?](http://www.program-transformation.org/Transform/DecompilationAndReverseEngineering)
[Introduction to Reverse Engineering Software](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
* This book is an attempt to provide an introduction to reverse engineering software under both Linux and Microsoft Windows©. Since reverse engineering is under legal fire, the authors figure the best response is to make the knowledge widespread. The idea is that since discussing specific reverse engineering feats is now illegal in many cases, we should then discuss general approaches, so that it is within every motivated user's ability to obtain information locked inside the black box. Furthermore, interoperability issues with closed-source proprietary systems are just plain annoying, and something needs to be done to educate more open source developers as to how to implement this functionality in their software.
[Starting from Scratch?](http://www.reddit.com/r/ReverseEngineering/comments/smf4u/reverser_wanting_to_develop_mathematically/)
###Cull
[SATCOM Terminals Hacking by Air, Sea, and Land - Black Hat USA 2014](https://www.youtube.com/watch?v=tRHDuT__GoM)
[Pip3line, the Swiss army knife of byte manipulation](https://nccgroup.github.io/pip3line/index.html)
* Pip3line is a raw bytes manipulation utility, able to apply well known and less well known transformations from anywhere to anywhere (almost).
[Instruments - OS X system analysis](https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/InstrumentsUserGuide/Introduction/Introduction.html)
* Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.
Reversing iOS/OS X http://newosxbook.com/forum/viewforum.php?f=8
[Construct2](https://github.com/construct/construct)
* Construct is a powerful declarative parser (and builder) for binary data. Instead of writing imperative code to parse a piece of data, you declaratively define a data structure that describes your data. As this data structure is not code, you can use it in one direction to parse data into Pythonic objects, and in the other direction, convert ("build") objects into binary data.
[binglide](https://github.com/wapiflapi/binglide)
* binglide is a visual reverse engineering tool. It is designed to offer a quick overview of the different data types that are present in a file.
[BARF-Project](https://github.com/programa-stic/barf-project)
* BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
* Presentation: Barfing Gadgets - Ekoparty 2014](https://github.com/programa-stic/barf-project/raw/master/documentation/presentations/barfing-gadgets.ekoparty2014.es.pdf)
[Deviare2](https://github.com/nektra/deviare2)
* Deviare is a professional hooking engine for instrumenting arbitrary Win32 functions, COM objects, and functions which symbols are located in program databases (PDBs). It can intercept unmanaged code in 32-bit and 64-bit applications. It is implemented as a COM component, so it can be integrated with all the programming languages which support COM, such as C/C++, VB, C#, Delphi, and Python.
[Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
[PE File Format Graphs](http://blog.dkbza.org/2012/08/pe-file-format-graphs.html?view=mosaic)
https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
[Bindead - static binary binary analysis tool](https://bitbucket.org/mihaila/bindead/wiki/Home)
* Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation.
[Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)
[BitBlaze](http://bitblaze.cs.berkeley.edu/)
* The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.
###<a name="general">General Research/Stuff</a>
@ -92,31 +55,66 @@ https://github.com/droidsec/droidsec.github.io/wiki/Android-Crackmes
[Theorem prover, symbolic execution and practical reverse-engineering](https://doar-e.github.io/presentations/securityday2015/SecDay-Lille-2015-Axel-0vercl0k-Souchet.html#/)
[PE File Format Graphs](http://blog.dkbza.org/2012/08/pe-file-format-graphs.html?view=mosaic)
###<a name="tools">Tools</a>
Will sort to static/dynamic/OS specific
[Frida](http://www.frida.re/docs/home/)
* Inject JS into native apps
[Dependency Walker](http://www.dependencywalker.com/)
* Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
[Rdis](https://github.com/endeav0r/rdis)
* Rdis is a Binary Analysis Tool for Linux.
[Python RE tools list](http://pythonarsenal.erpscan.com/)
[Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)
[Bindead - static binary binary analysis tool](https://bitbucket.org/mihaila/bindead/wiki/Home)
* Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation.
[Static binary analysis tool](https://github.com/bdcht/amoco)
* Amoco is a python package dedicated to the (static) analysis of binaries.
* Worth a check on the Github
[Binwalk](https://github.com/devttys0/binwalk)
Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images.
[Cryptoshark](https://github.com/frida/cryptoshark)
* Interactive code tracer for reverse-engineering proprietary software
[Pip3line, the Swiss army knife of byte manipulation](https://nccgroup.github.io/pip3line/index.html)
* Pip3line is a raw bytes manipulation utility, able to apply well known and less well known transformations from anywhere to anywhere (almost).
[Instruments - OS X system analysis](https://developer.apple.com/library/mac/documentation/DeveloperTools/Conceptual/InstrumentsUserGuide/Introduction/Introduction.html)
* Instruments is a performance-analysis and testing tool for dynamically tracing and profiling OS X and iOS code. It is a flexible and powerful tool that lets you track a process, collect data, and examine the collected data. In this way, Instruments helps you understand the behavior of both user apps and the operating system.
Reversing iOS/OS X http://newosxbook.com/forum/viewforum.php?f=8
[Construct2](https://github.com/construct/construct)
* Construct is a powerful declarative parser (and builder) for binary data. Instead of writing imperative code to parse a piece of data, you declaratively define a data structure that describes your data. As this data structure is not code, you can use it in one direction to parse data into Pythonic objects, and in the other direction, convert ("build") objects into binary data.
[Deviare2](https://github.com/nektra/deviare2)
* Deviare is a professional hooking engine for instrumenting arbitrary Win32 functions, COM objects, and functions which symbols are located in program databases (PDBs). It can intercept unmanaged code in 32-bit and 64-bit applications. It is implemented as a COM component, so it can be integrated with all the programming languages which support COM, such as C/C++, VB, C#, Delphi, and Python.
####Binary Visualization Tools
[binglide](https://github.com/wapiflapi/binglide)
* binglide is a visual reverse engineering tool. It is designed to offer a quick overview of the different data types that are present in a file. This tool does not know about any particular file format, everything is done using the same analysis working on the data. This means it works even if headers are missing or corrupted or if the file format is unknown.
[binvis.io](http://binvis.io/#/)
* visual analysis of binary files
[cantor.dust](https://sites.google.com/site/xxcantorxdustxx/home)
* a powerful, dynamic, interactive binary visualization tool
####<a name="frameworks"Frameworks</a>
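Review bot: the closing line `####<a name="frameworks"Frameworks</a>` is missing the `>` that ends the opening anchor tag, so the HTML is malformed and the `#frameworks` TOC target may not resolve; it should read `####<a name="frameworks">Frameworks</a>`. Smaller points in the same hunk: "static binary binary analysis tool" on the Bindead line repeats "binary" (carried over from the Cull copy); the Binwalk description lacks the `* ` bullet prefix every other description uses; and the Statically Linked Library Detector now appears both here under Tools and under Linux Specific Tools further down, so keep one of the two.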
@ -135,11 +133,22 @@ Radare2 - unix-like reverse engineering framework and commandline tools ](http:/
[Platform for Architecture-Neutral Dynamic Analysis](https://github.com/moyix/panda)
[BitBlaze](http://bitblaze.cs.berkeley.edu/)
* The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.
[BARF-Project](https://github.com/programa-stic/barf-project)
* BARF : A multiplatform open source Binary Analysis and Reverse engineering Framework
* Presentation: Barfing Gadgets - Ekoparty 2014](https://github.com/programa-stic/barf-project/raw/master/documentation/presentations/barfing-gadgets.ekoparty2014.es.pdf)
####<a name="dbg">Debuggers</a>
[OllyDbg](http://www.ollydbg.de/)
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* OllyDbg is a 32-bit assembler level analysing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable.
* [OllyDbg Tricks for Exploit Development](http://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/)
[GDB - GNU Debugger](https://www.gnu.org/software/gdb/)
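Review bot: the moved line `* Presentation: Barfing Gadgets - Ekoparty 2014](https://github.com/programa-stic/barf-project/raw/...)` still lacks its opening `[`, so it renders as literal text with a dangling `](url)`; it should be `* [Presentation: Barfing Gadgets - Ekoparty 2014](...)`. The OllyDbg description is shown removed and re-added with no visible difference, which points to a whitespace, line-ending or encoding-only change; worth confirming it is not an accidental CRLF conversion.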
@ -169,6 +178,9 @@ Radare2 - unix-like reverse engineering framework and commandline tools ](http:/
[xnippet](https://github.com/isislab/xnippet)
* xnippet is a tool that lets you load code snippets or isolated functions (no matter the operating system they came from), pass parameters to it in several formats (signed decimal, string, unsigned hexadecimal...), hook other functions called by the snippet and analyze the result. The tool is written in a way that will let me improve it in a future, defining new calling conventions and output argument pointers.
[HyperDbg](https://github.com/rmusser01/hyperdbg/)
* HyperDbg is a kernel debugger that leverages hardware-assisted virtualization. More precisely, HyperDbg is based on a minimalistic hypervisor that is installed while the system runs. Compared to traditional kernel debuggers (e.g., WinDbg, SoftIce, Rasta R0 Debugger) HyperDbg is completely transparent to the kernel and can be used to debug kernel code without the need of serial (or USB) cables. For example, HyperDbg allows to single step the execution of the kernel, even when the kernel is executing exception and interrupt handlers. Compared to traditional virtual machine based debuggers (e.g., the VMware builtin debugger), HyperDbg does not require the kernel to be run as a guest of a virtual machine, although it is as powerful.
* [Paper](http://roberto.greyhats.it/pubs/ase10.pdf)
####<a name="decom">Decompilers & Disassemblers</a>
@ -188,26 +200,24 @@ programming environment.
[FLARE-Ida](https://github.com/fireeye/flare-ida)
* This repository contains a collection of IDA Pro scripts and plugins used by the FireEye Labs Advanced Reverse Engineering (FLARE) team.
[Hopper](http://www.hopperapp.com/)
* Hopper is a reverse engineering tool for OS X and Linux, that lets you disassemble, decompile and debug your 32/64bits Intel Mac, Linux, Windows and iOS executables!
* quote from a friend on irc: "IF u RLY like guis this is also a cheap option"
[Reverse](https://github.com/joelpx/reverse)
* Reverse engineering for x86 binaries (elf-format). Generate a more readable code (pseudo-C) with colored syntax. Warning, the project is still in development, use it at your own risks. This tool will try to disassemble one function (by default main). The address of the function, or its symbol, can be passed by argument.
####<a name="ct">Comparison Tools</a>s
[binwally](https://github.com/bmaia/binwally)
* Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
* [Using binwally - a directory tree diff tool](http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
####<a name="lt">Linux Specific Tools</a>
[readelf](https://sourceware.org/binutils/docs/binutils/readelf.html)
* Unix Tool
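Review bot: there is a stray `s` after the closing tag in `####<a name="ct">Comparison Tools</a>s`, which renders as "Comparison Toolss"; drop it. Also `[ Reverse Engineering ...]`-style leading spaces inside link brackets appear elsewhere in this file, so a pass for `[ ` would tidy the rendered titles.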
@ -217,10 +227,8 @@ programming environment.
[Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)
####<a name="wt">Windows Specific Tools</a>
[PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
@ -232,7 +240,7 @@ programming environment.
* pestudio is a tool that performs the static analysis of 32-bit and 64-bit Windows executable files. Malicious executable attempts to hide its malicious intents and to evade detection. In doing so, it generally presents anomalies and suspicious patterns. The goal of pestudio is to detect these anomalies, provide indicators and score the executable being analyzed. Since the executable file being analyzed is never started, you can inspect any unknown or malicious executable with no risk.
[DotPeek](http://www.jetbrains.com/decompiler/features/)
* dotPeek is a .NET decompiler that has several handy features. I havenÂ’t used it much, and donÂ’t do much in .NET so I canÂ’t say if its a good one, only that IÂ’ve had success in using it.
* dotPeek is a .NET decompiler that has several handy features. I haven’t used it much, and don’t do much in .NET so I can’t say if its a good one, only that I’ve had success in using it.
[API Monitor](http://www.rohitab.com/apimonitor)
* API Monitor is a free software that lets you monitor and control API calls made by applications and services. Its a powerful tool for seeing how applications and services work or for tracking down problems that you have in your own applications.
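Review bot: the `Â’` to `’` repair on the dotPeek line is correct, and the same mojibake is fixed on the "sub-GHz RF land" and "Event Tracing for Windows" lines in later hunks of this file; since all three came from the same copy-paste source, a grep for `Â` across the other Draft files in this commit would likely find more of it.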
@ -315,19 +323,17 @@ Hacking the Dropcam series
###<a name="writeups">Writeups</a>
[A Technical Analysis of CVE 2014-1776](http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776)
[Reverse engineering radio weather station](http://blog.atx.name/reverse-engineering-radio-weather-station/)
[Introduction to Reverse Engineering Win32 Applications](http://uninformed.org/?v=all&a=7&t=sumry)
* During the course of this paper the reader will be (re)introduced to many concepts and tools essential to understanding and controlling native Win32 applications through the eyes of Windows Debugger (WinDBG). Throughout, WinMine will be utilized as a vehicle to deliver and demonstrate the functionality provided by WinDBG and how this functionality can be harnessed to aid the reader in reverse engineering native Win32 applications. Topics covered include an introductory look at IA-32 assembly, register significance, memory protection, stack usage, various WinDBG commands, call stacks, endianness, and portions of the Windows API. Knowledge gleaned will be used to develop an application designed to reveal and/or remove bombs from the WinMine playing grid.
[Somfy Smoove Origin RTS Protocol](https://pushstack.wordpress.com/somfy-rts-protocol/)
* This document describes the Somfy RTS protocol as used by the “Somfy Smoove Origin RTS”. Most information in this document is based on passive observation of the data send by the Smoove Origin RTS remote, and thus can be inaccurate or incorrect!
* This document describes the Somfy RTS protocol as used by the “Somfy Smoove Origin RTS”. Most information in this document is based on passive observation of the data send by the Smoove Origin RTS remote, and thus can be inaccurate or incorrect!
[ Reverse Engineering The eQSO Protocol](https://gist.github.com/anonymous/7a9d713e61ba990a3a17)
* Today I reverse engineered the eQSO protocol. If you didn't know, eQSO is a small program that allows radio amateurs to talk to each other online. Sadly this program isn't as popular as it used to be (Well, neither is the radio).
[You can ring my bell! Adventures in sub-GHz RF landÂ](http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html)
[You can ring my bell! Adventures in sub-GHz RF land…](http://adamsblog.aperturelabs.com/2013/03/you-can-ring-my-bell-adventures-in-sub.html)
Reverse engineering walk htrouhg; guy rev eng alarm system from shelf to replay
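Review bot: the unchanged context line "Reverse engineering walk htrouhg; guy rev eng alarm system from shelf to replay" has a typo ("walkthrough") and is the only unformatted lead-in in the Writeups section; since it introduces the cybergibbons wireless-alarm series whose Part 8 follows in the next hunk, make it a bullet like `* Reverse engineering walkthrough: ...`. Also `[ Reverse Engineering The eQSO Protocol]` has a leading space inside the brackets.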
@ -346,7 +352,11 @@ Part 8: http://cybergibbons.com/uncategorized/reverse-engineering-a-wireless-bur
[Cyber Necromancy - Reverse engineering dead protocols - Defcamp 2014 ](https://www.youtube.com/watch?v=G0v2FO2Ru0w&index=6&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
[Event Tracing for Windows and Network Monitor](http://blogs.technet.com/b/netmon/archive/2009/05/13/event-tracing-for-windows-and-network-monitor.aspx)
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, itÂ’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. WhatÂ’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
* "Event Tracing for Windows, (ETW), has been around for quite a while now as it was introduced in Windows 2000. It's basically instrumented logging that describes what a component is doing. Conceptually, it’s something like the proverbial printf("here1") concept used by programmers, but it is present in retail builds. When you enable logging in a component the result is an ETL (Event Trace Log) file. What’s new is that that Network Monitor can read any ETL file. And with the supplied parsers many network oriented ETW providers can be decoded."
[Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
[SATCOM Terminals Hacking by Air, Sea, and Land - Black Hat USA 2014](https://www.youtube.com/watch?v=tRHDuT__GoM)
###<a name="papers">Papers</a>
@ -398,4 +408,4 @@ informed, and determined reverser
*
*
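Review bot: the file still ends with two empty `*` bullet items, which render as blank list entries under Papers; either fill them in or delete them.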

+ 23
- 34
Draft/Draft/Rootkits.md

@ -14,6 +14,7 @@ Cull
* [Developing](#dev)
* [Identifying/Defending](#id)
* [Writeups](#writeups)
* [Tools](#tools)
* [Talks & Videos](#talks)
* [Papers](#papers)
@ -24,42 +25,9 @@ Cull
https://github.com/rrbranco/Troopers2015
[BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware- Defcon 21](https://www.youtube.com/watch?v=gKUleWyfut0)
[How Many Million BIOSes Would you Like to Infect?](http://conference.hitb.org/hitbsecconf2015ams/sessions/how-many-million-bioses-would-you-like-to-infect/)
* This talk is going to be all about how the automation of BIOS vulnerability exploitation and leveraging of built-in capabilities can yield highly portable UEFI firmware malware. And how millions of systems will be vulnerable for years, because no one cares enough to patch the BIOS bugs we’ve found. So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit
[A Catalog of Windows Local Kernel-mode Backdoors](http://uninformed.org/?v=all&a=35&t=sumry)
* This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.
[UEFITool](https://github.com/LongSoft/UEFITool)
* UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
[All Your Boot Are Belong To Us - Intel Security](https://cansecwest.com/slides/2014/AllYourBoot_csw14-intel-final.pdf)
[Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
[Killing the Rootkit](http://blog.ioactive.com/2014/09/killing-rootkit.html)
Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
Runtime Process Infection - anonymous, 07/28/2002
Polymorphic Shellcode Engine Using Spectrum Analysis - theo detristan et al, 08/13/2003
Next-generation Runtime Binary Encryption using On-demand Function Extraction - Zeljko Vrba, 08/01/2005
Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u, 04/11/2008
Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008
Binary Mangling with Radare - pancake, 06/11/2009
[Concepts for the Steal the Windows Rootkit (The Chameleon Project)Joanna Rutkowska2003](http://repo.hackerzvoice.net/depot_madchat/vxdevl/avtech/Concepts%20for%20the%20Stealth%20Windows%20Rootkit%20%28The%20Chameleon%20Project%29.pdf)
* Many people do not realize the real danger from rootkit technology. One reason for this is probably that publicly available rootkits for Windows OS are relatively easy to detect by conventional methods (i.e.memoryscanningbased). However, we can imagine some techniques of rootkit implementation, which will be undetectable by these methods, even if the rootkit concept will be publicly available. 000In order to convince people that traditional rootkit detection is insufficient it would be desirable to have a working rootkit implementing such sophisticated technology. Besides, it would be fun.
http://www.phrack.com/papers/revisiting-mac-os-x-kernel-rootkits.html
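Review bot: the eight plain-text entries from "Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998" through "Binary Mangling with Radare - pancake, 06/11/2009", and the "Killing the Rootkit" link, are deleted in this hunk but do not reappear in the Tools, Talks or Papers hunks below, whereas every other removed Cull item is re-homed; if they were moved to Malware.md or another file in this commit, say so in the message, otherwise they look like an accidental drop. The remaining bare phrack URL on the last context line could also be given the `[title](url)` form used elsewhere.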
@ -116,9 +84,15 @@ Thunderstrike is the name for the Apple EFI firmware security vulnerability that
[Advanced Bootkit Techniques on Android](http://www.syscan360.org/slides/2014_EN_AdvancedBootkitTechniquesOnAndroid_ChenZhangqiShendi.pdf)
###<a name="tools">Tools</a>
[UEFITool](https://github.com/LongSoft/UEFITool)
* UEFITool is a cross-platform C++/Qt program for parsing, extracting and modifying UEFI firmware images. It supports parsing of full BIOS images starting with the flash descriptor or any binary files containing UEFI volumes.
###<a name="talks">Talks/Videos</a>
[BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware- Defcon 21](https://www.youtube.com/watch?v=gKUleWyfut0)
###<a name="talks">Videos</a>
[Persistent, Stealthy, Remote-controlled Dedicated Hardware Malware [30c3]](https://www.youtube.com/watch?v=Ck8bIjAUJgE)
[Intel Management Engine Secrets by Igor Skochinsky](https://www.youtube.com/watch?v=Y2_-VXz9E-w)
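Review bot: the new `###<a name="talks">Talks/Videos</a>` heading is immediately followed by the old `###<a name="talks">Videos</a>` heading, so the file now has two consecutive headings with the same anchor name and the TOC's `#talks` link becomes ambiguous; delete the old `Videos` line and keep the one with the name the TOC uses.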
@ -126,14 +100,29 @@ Thunderstrike is the name for the Apple EFI firmware security vulnerability that
[MoRE Shadow Walker : TLB - splitting on Modern x86](https://www.youtube.com/watch?v=XU1uNGZ7HnY)
* This presentation provides a cohesive overview of the work performed by AIS, Inc. on the DARPA CFT MoRE effort. MoRE was a 4-month effort which examined the feasibility of utilizing TLB splitting as a mechanism for periodic measurement of dynamically changing binaries. The effort created a proof-of-concept system to split the TLB for target applications, allowing dynamic applications to be measured and can detect code corruption with low performance overhead.
[How Many Million BIOSes Would you Like to Infect?](http://conference.hitb.org/hitbsecconf2015ams/sessions/how-many-million-bioses-would-you-like-to-infect/)
* This talk is going to be all about how the automation of BIOS vulnerability exploitation and leveraging of built-in capabilities can yield highly portable UEFI firmware malware. And how millions of systems will be vulnerable for years, because no one cares enough to patch the BIOS bugs we’ve found. So you think you’re doing OPSEC right, right? You’re going to crazy lengths to protect yourself, reinstalling your main OS every month, or using a privacy-conscious live DVD like TAILS. Guess what? BIOS malware doesn’t care! BIOS malware doesn’t give a shit
[Measurement of Running Executables](http://vimeo.com/81335517)
[From Kernel to VM](https://www.youtube.com/watch?v=FSw8Ff1SFLM)
* Description from stormeh on reddit(https://www.reddit.com/r/rootkit/comments/25hsc4/jacob_i_torrey_from_kernel_to_vmm/): Although it's not directly a lecture about rootkit development, the topics discussed are very much of interest: hardware virtualization, page table and TLB manipulation, hypervisors and privilege levels below ring 0, etc. The speaker does also go on to mention how prior rootkits such as Blue Pill and Shadow Walker leveraged these features, as well as defensive technologies such as PaX.
* [Slides](http://jacobtorrey.com/VMMLecture.pdf)
[All Your Boot Are Belong To Us - Intel Security](https://cansecwest.com/slides/2014/AllYourBoot_csw14-intel-final.pdf)
[Concepts for the Steal the Windows Rootkit (The Chameleon Project)Joanna Rutkowska2003](http://repo.hackerzvoice.net/depot_madchat/vxdevl/avtech/Concepts%20for%20the%20Stealth%20Windows%20Rootkit%20%28The%20Chameleon%20Project%29.pdf)\
###<a name="papers">Papers</a>
[A Catalog of Windows Local Kernel-mode Backdoors](http://uninformed.org/?v=all&a=35&t=sumry)
* This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.
[Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
[futo](http://uninformed.org/?v=all&a=17&t=sumry)
* Since the introduction of FU, the rootkit world has moved away from implementing system hooks to hide their presence. Because of this change in offense, a new defense had to be developed. The new algorithms used by rootkit detectors, such as BlackLight, attempt to find what the rootkit is hiding instead of simply detecting the presence of the rootkit's hooks. This paper will discuss an algorithm that is used by both Blacklight and IceSword to detect hidden processes. This paper will also document current weaknesses in the rootkit detection field and introduce a more complete stealth technique implemented as a prototype in FUTo.
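Review bot: the abstract pasted under the Implementation and Implications of a Stealth Hard-Drive Backdoor entry still carries PDF copy artifacts ("o -the-shelf", "back- door", "re- mote", "ex-filtrate", "key le", "diffculty", "at- tack"); suggest cleaning them to "off-the-shelf", "backdoor", "remote", "exfiltrate", "key file", "difficulty", "attack" before merge. The link text "futo" on the following entry should also read "FUTo", the name the summary itself uses for the prototype.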

+ 23
- 0
Draft/Draft/Securing Hardening.md View File

@ -1,7 +1,10 @@
##Securing & Hardening
For now should just look in the Folder.
TOC
cull
* [General](#general)
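Review bot: the `##Securing & Hardening` heading and the `For now should just look in the Folder.` / `cull` lines in this hunk read as unfinished scaffolding; CommonMark needs a space after `##` for the line to render as a heading, and the `cull` marker sits between `TOC` and the first TOC entry, where a reader will take it for a section name. Suggest `## Securing & Hardening` and moving the cull marker out of the TOC.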
@ -21,9 +24,29 @@ cull
[Defending the Enterprise Against Network Infrastructure Attacks - Paul Coggin - Troopers15](https://www.youtube.com/watch?v=K0X3RDf5XK8)
[Kerberos Golden Ticket: Mitigating pass the ticket on Active Directory](http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf)
[How to prevent eavesdropping on office VoIP calls - Dmitry Dessiatnikov - BSides SLC 2015](https://www.youtube.com/watch?v=gjDeseWATnM)
[Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory](http://adsecurity.org/?p=1515)
###<a name="general">General</a>
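Review bot: the links added here (Coggin, CERT-EU Golden Ticket, VoIP eavesdropping, Detecting Forged Kerberos Ticket) carry no one-line summary, unlike the annotated entries elsewhere in this commit, and sit in the uncategorised cull block above the `General` heading; the two Kerberos entries belong together (one is the mitigation whitepaper, the other the detection writeup for the same forged-ticket technique), so suggest filing them side by side under an Active Directory entry with a sentence each. The `###<a name="general">General</a>` line also wants a space after `###` to render as a heading.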


Draft/Draft/Simd.md → Draft/Draft/Simulations.md View File


+ 10
- 1
Draft/Draft/Social Engineering.md View File

@ -24,6 +24,7 @@ CULL
http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/
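Review bot: the line added in this hunk is a bare URL (`http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/`) with no title or note, so nothing tells a reader what the PMC article is or why it belongs in the CULL block; suggest the `[Title](url)` form the rest of the file uses plus a one-line summary.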
@ -65,6 +66,13 @@ Influence Without Authority
###<a name="talks">Presentations</a>:
[Social Engineering Like In Movies -- Reality of awareness and manipulation - Dale Pearson- #days](https://www.youtube.com/watch?v=XUIWi5p0oFI)
[Manipulating Human Minds: The Psychological Side of Social Engineering - Christina Camilleri - CrikeyCon](https://www.youtube.com/watch?v=8enkIWl79_4)
[Psychological Tricks of the Social Engineer - William Tarkington - GrrCON2012](https://www.youtube.com/watch?v=bk-TK4MPs8s&index=10&list=PL_At9BlHdC-_764ciDVexbJL0hwsCzqLK)
* While several Social Engineering talks and books focus on the techniques no one clearly explains why they work. Learn why the techniques are used and what impact they have on behavior. Discover aspects of human social interaction that can be leveraged to accomplish discrete and specific goals. Gain a firm understanding of the limitations of humans objective reasoning. Finally understand the social rules that are used to navigate within the social engineering construct.
[Social Engineering: The Good, the Bad, and the Ugly -- Stephanie Carruthers ](https://www.youtube.com/watch?v=9wCrUOYQlCI&index=31&list=PL_At9BlHdC-_764ciDVexbJL0hwsCzqLK)
[Deceiving the heavens to cross the sea Jayson E Street](https://www.youtube.com/watch?v=EzGwO5L9oq4&feature=player_embedded)
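Review bot: the YouTube links in this Presentations block carry playlist parameters (`&index=10&list=PL_At9BlHdC-...`) that tie each link to a playlist position and break when the playlist is reordered; suggest trimming them to the bare `watch?v=` URL. `Dale Pearson- #days` and the trailing space inside `[... Stephanie Carruthers ]` are spacing slips in the link text.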
@ -103,7 +111,8 @@ Influence Without Authority
[Social Engineering, or "hacking people" - DefCamp 2014](https://www.youtube.com/watch?v=JAOTRgWdPTU&index=49&list=PL_At9BlHdC-_764ciDVexbJL0hwsCzqLK)
[The Future of Social Engineering - Sharon Conheady - DeepSec2010](https://www.youtube.com/watch?v=aVIq9mdVHlc&index=11&list=PL_At9BlHdC-_764ciDVexbJL0hwsCzqLK)
* Social engineering is hitting the headlines more than ever. As computer security becomes more sophisticated, hackers are combining their technical expertise with social engineering to gain access to IT infrastructures and critical information. In any security programme people are the weakest link. It can often be easier and quicker to target the end user than using technical hacking techniques. When you combine both social engineering and traditional hacking techniques, you have an extremely dangerous attack. So what's next on the social engineering agenda? What are the emerging trends and what social engineering techniques might we expect to see in the future? In this talk, I will give an overview of the types of social engineering attacks people have used throughout the ages, from tricks used by the classic conmen of the past to the phishing attacks that are at an all time high, and the proliferation of social networking and how useful this is to social engineers. I will describe some of the new social engineering techniques and trends that are emerging and discuss war stories from my experience of social engineering, describing techniques I have used to gain access to sensitive information
[Disguise - Appearance Hacking](http://www.irongeek.com/i.php?page=videos/derbycon2/valerie-thomas-appearance-hacking-101-the-art-of-everyday-camouflage)
* [Transcript](http://www.ted.com/talks/amy_cuddy_your_body_language_shapes_who_you_are/transcript)
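Review bot: the `* [Transcript](...)` sub-bullet at the end of this hunk is nested under the Valerie Thomas "Appearance Hacking" entry, but its URL is the transcript of Amy Cuddy's TED talk "Your body language shapes who you are", a different talk; suggest promoting it to its own titled entry (or attaching it to the talk it actually transcribes) so the nesting does not mislead.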


Draft/Draft/Sysadmd.md → Draft/Draft/Sysadmin Stuff.md View File


Draft/Draft/Systemd.md → Draft/Draft/System Internals Windows and Linux Internals Reference.md View File


Draft/Draft/To Do/add cull -1.txt → Draft/Draft/To Do/add cull -2.txt View File


+ 3
- 0
Draft/Draft/Web & Browsers.md View File

@ -53,6 +53,9 @@ Cul
[SSLsplit - transparent and scalable SSL/TLS interception](https://www.roe.ch/SSLsplit)
* SSLsplit is a tool for man-in-the-middle attacks against SSL/TLS encrypted network connections. Connections are transparently intercepted through a network address translation engine and redirected to SSLsplit. SSLsplit terminates SSL/TLS and initiates a new SSL/TLS connection to the original destination address, while logging all data transmitted. SSLsplit is intended to be useful for network forensics and penetration testing. SSLsplit supports plain TCP, plain SSL, HTTP and HTTPS connections over both IPv4 and IPv6.
[HardenFlash](https://github.com/HaifeiLi/HardenFlash)
* Patching Flash binary to stop Flash exploits and zero-days
[Exploiting ShellShock getting a reverse shell](http://www.fantaghost.com/exploiting-shellshock-getting-reverse-shell)
[Highly Effective Joomla Backdoor with Small Profile](http://blog.sucuri.net/2014/02/highly-effective-joomla-backdoor-with-small-profile.html)
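Review bot: the two entries added at the end of this hunk (`Exploiting ShellShock getting a reverse shell`, `Highly Effective Joomla Backdoor with Small Profile`) have no one-line summary, unlike HardenFlash directly above; since the hunk lands in the `Cul` block, suggest a sentence each so the entries can be sorted into a section later without re-reading the sources.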


+ 27
- 0
Draft/Draft/Wireless Networks & RF.md View File

@ -24,6 +24,23 @@ Cull
###CULL
[Guide to Basics of Wireless Networking](http://documentation.netgear.com/reference/fra/wireless/TOC.html)
[Wi-Fi Protected Access 2 (WPA2) Overview](https://technet.microsoft.com/library/bb878054)
[Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i - NIST](http://csrc.nist.gov/publications/nistpubs/800-97/SP800-97.pdf)
[Brute forcing W i - Fi Protected Setup - Stefan Viehböck](https://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf)
* The original paper on WPS cracking.
[IEEE 802.11 Tutorial](http://wow.eecs.berkeley.edu/ergen/docs/ieee.pdf)
This document describes IEEE 802.11 Wireless Local Area Network (WLAN) Standard. It describes IEEE 802.11 MAC Layer in detail and it briefly mentions IEEE 802.11a, IEEE 802.11b physical layer standard and IEEE 802.11e MAC layer standard
[Management Frames Reference Sheet](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf)
http://www.irongeek.com/i.php?page=videos/defcon-wireless-village-2014/17-phys-macs-and-sdrs-robert-ghilduta
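Review bot: three presentation slips in this hunk: the Viehböck link text reads `W i - Fi` (copy artifact for `Wi-Fi`); the IEEE 802.11 Tutorial description is a bare line rather than the `* ` bullet the neighbouring entries use, and lacks a closing full stop; and the final irongeek line is a bare URL with no title. Suggest `Brute forcing Wi-Fi Protected Setup`, bulleting the tutorial summary, and giving the video a title derived from its URL slug (phys-macs-and-sdrs, Robert Ghilduta, DEF CON Wireless Village 2014).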
@ -46,6 +63,8 @@ Bluez.org
PyBT
###<a name="general">General</a>
[RF Testing Methodology - NCCGroup](https://nccgroup.github.io/RFTM/)
@ -73,6 +92,14 @@ PyBT
###<a name="cn">Cellular Networks</a>
[gr-gsm](https://github.com/ptrkrysik/gr-gsm)
* Gnuradio blocks and tools for receiving GSM transmissions
[GSM MAP](http://gsmmap.org/#!/about)
* The GSM Security Map compares the protection capabilities of mobile networks. Networks are rated in their protection capabilities relative to a reference network that implements all protection measures that have been seen “in the wild”. The reference is regularly updated to reflect new protection ideas becoming commercially available. Networks, therefore, have to improve continuously to maintain their score, just as hackers are continuously improving their capabilities.
[Mobile self-defense - Karsten Nohl](https://www.youtube.com/watch?v=GeCkO0fWWqc)
[Osmocom SIMtrace](http://bb.osmocom.org/trac/wiki/SIMtrace)
* Osmocom SIMtrace is a software and hardware system for passively tracing SIM-ME communication between the SIM card and the mobile phone.
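Review bot: `Mobile self-defense - Karsten Nohl` is the only entry in this Cellular Networks block without a one-line summary or venue; suggest adding both, in line with the gr-gsm, GSM MAP and SIMtrace entries. The link text `GSM MAP` and the summary's `GSM Security Map` also name the same resource differently; pick one.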

