
Lots of cleanup, structuring, getting closer

pull/4/head
Robert 7 years ago
parent
commit
38980ec805
56 changed files with 998 additions and 957 deletions
1. +28 -0 Draft/Draft/Attacking Android.md
2. +18 -57 Draft/Draft/Attacking iOS.md
3. +6 -1 Draft/Draft/Basic Security Information.md
4. +61 -24 Draft/Draft/Cheat sheets reference pages.md
5. +4 -2 Draft/Draft/Classes & Training.md
6. +12 -4 Draft/Draft/Client Side Attacks.md
7. +20 -0 Draft/Draft/Common CLI CMD Refs.md
8. +0 -0 Draft/Draft/Common CLI CMD Refs.rtf
9. +15 -31 Draft/Draft/Computer Hardware Attacks.md
10. +4 -0 Draft/Draft/Counter Surveillance.md
11. +10 -0 Draft/Draft/CryptoCurrencies.md
12. +15 -10 Draft/Draft/Cryptography & Encryption.md
13. +20 -1 Draft/Draft/Data Visualization.md
14. +8 -3 Draft/Draft/Disclosure.md
15. +16 -1 Draft/Draft/Disinformation.md
16. +8 -1 Draft/Draft/Documentation & Reports.md
17. +399 -0 Draft/Draft/Exploit Development.md
18. +0 -5 Draft/Draft/Exploit Development/Anti-Fuzzing.md
19. +0 -33 Draft/Draft/Exploit Development/Assembly.md
20. +0 -278 Draft/Draft/Exploit Development/Cull.md
21. +0 -230 Draft/Draft/Exploit Development/Exploit Development.md
22. +0 -0 Draft/Draft/Exploit Development/Exploit Development.rtf
23. +0 -0 Draft/Draft/Exploit Development/Exploit Development_1.rtf
24. +0 -0 Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt
25. +0 -0 Draft/Draft/Exploit Development/MSF Framework Reference.rtf
26. +0 -13 Draft/Draft/Exploit Development/Papers Tutorials Walk Throughs.md
27. +0 -41 Draft/Draft/Exploit Development/Writeups.md
28. +33 -0 Draft/Draft/Forensics Incident Response/add cull.txt
29. +0 -0 Draft/Draft/Game Hacking.rtf
30. +13 -1 Draft/Draft/Google Hacking.md
31. +35 -8 Draft/Draft/Hardware Hacking Teensy-like stuff.md
32. +62 -7 Draft/Draft/Honeypots.md
33. +52 -101 Draft/Draft/Interesting Things.md
34. +27 -9 Draft/Draft/Lockpicking.md
35. +6 -3 Draft/Draft/Malware.md
36. +6 -0 Draft/Draft/Network Security Monitoring.md
37. +0 -0 Draft/Draft/Reverse Engineering/Android.txt
38. +0 -0 Draft/Draft/Reverse Engineering/Cull integrate.txt
39. +0 -0 Draft/Draft/Reverse Engineering/Da List of Info.txt
40. +0 -0 Draft/Draft/Reverse Engineering/Firmware Analysis.txt
41. +0 -0 Draft/Draft/Reverse Engineering/Hardware Focused.txt
42. +0 -0 Draft/Draft/Reverse Engineering/Papers.txt
43. +0 -0 Draft/Draft/Reverse Engineering/Reverse Engineering.txt
44. +0 -0 Draft/Draft/Reverse Engineering/Tools.txt
45. +0 -0 Draft/Draft/Reverse Engineering/Writeups.txt
46. +0 -0 Draft/Draft/Reverse Engineering/iOS OS X.txt
47. +28 -0 Draft/Draft/Rootkits.md
48. +10 -1 Draft/Draft/System Internals Windows and Linux Internals Reference.md
49. +1 -1 Draft/Draft/Threat Modeling.md
50. +0 -41 Draft/Draft/To Do/Sec101.txt
51. +0 -48 Draft/Draft/To Do/Sections that Need Eyes.txt
52. +0 -0 Draft/Draft/To Do/Untitled.rtf
53. +72 -0 Draft/Draft/To Do/add cull -1.txt
54. +2 -1 Draft/Draft/Web Applications/Cull integrate.txt
55. +0 -0 Draft/Draft/Web Applications/Databases.txt
56. +7 -1 Draft/Draft/Wireless Networks.md

+ 28
- 0
Draft/Draft/Attacking Android.md

@ -14,6 +14,34 @@ Attacking Android Devices
[Root Tools](https://github.com/Stericson/RootTools)
* RootTools provides rooted developers a standardized set of tools for use in the development of rooted applications
[Understanding the Android bytecode](https://mariokmk.github.io/programming/2015/03/06/learning-android-bytecode.html)
* Writeup on reversing/understanding Android Bytecode
[ClockLockingBeats](https://github.com/monk-dot/ClockLockingBeats)
* Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads
[android-cluster-toolkit](https://github.com/jduck/android-cluster-toolkit)
* The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.
[dedex](https://github.com/mariokmk/dedex)
* Is a command line tool for disassembling Android DEX files.
[DexMac](https://github.com/mariokmk/DexMac)
* Is a native OSX application for disassembling Android DEX files.
[dexdissasembler](https://github.com/mariokmk/dexdisassembler)
* Is a GTK tool for disassembling Android DEX files.
[dex.Net](https://github.com/mariokmk/dex.net)
* A Mono/.NET library to parse Android DEX files. Its main purpose is to support utilities for disassembling and presenting the contents of DEX files.
[apk2gold](https://github.com/lxdvs/apk2gold)
* CLI tool for decompiling Android apps to Java. It does resources! It does Java! Its real easy!
[byte-code viewer](https://github.com/Konloch/bytecode-viewer)
* Bytecode Viewer is an Advanced Lightweight Java Bytecode Viewer, GUI Java Decompiler, GUI Bytecode Editor, GUI Smali, GUI Baksmali, GUI APK Editor, GUI Dex Editor, GUI APK Decompiler, GUI DEX Decompiler, GUI Procyon Java Decompiler, GUI Krakatau, GUI CFR Java Decompiler, GUI FernFlower Java Decompiler, GUI DEX2Jar, GUI Jar2DEX, GUI Jar-Jar, Hex Viewer, Code Searcher, Debugger and more. It's written completely in Java, and it's open sourced. It's currently being maintained and developed by Konloch.
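Review bot: the link text in `[dexdissasembler](https://github.com/mariokmk/dedex)`-style entry `[dexdissasembler](https://github.com/mariokmk/dexdisassembler)` misspells the repo name; the URL has it right, so the text should be `dexdisassembler`. Likewise `[byte-code viewer]` should match the project's own name, Bytecode Viewer, which the blurb itself uses. The three mariokmk bullets that open with 'Is a command line tool...', 'Is a native OSX application...', 'Is a GTK tool...' read as fragments beside the other bullets; drop the leading 'Is' so each reads 'A command line tool for disassembling Android DEX files.' The Bytecode Viewer blurb is the project's full feature list pasted verbatim; one or two sentences would serve the reader better.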


+ 18
- 57
Draft/Draft/Attacking iOS.md

@ -10,6 +10,9 @@
CULL
https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
[MEMSCAN - Dump iPhone app RAM](http://www.cigital.com/justice-league-blog/2015/02/18/memscan-defined/)
* A Cigital consultant – Grant Douglas, recently created a utility called MEMSCAN which enables users to dump the memory contents of a given iPhone app. Dumping the memory contents of a process proves to be a useful technique in identifying keys and credentials in memory. Using the utility, users are able to recover keys or secrets that are statically protected within the application but are less protected at runtime. Users can also use the utility to verify that keys and credentials are appropriately disposed of after use.
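Review bot: the OWASP Mobile Jailbreaking Cheat Sheet URL is left bare under a `CULL` working marker here, and the same URL appears again further down this file under `Maybe>?` in the jailbreaking hunk; keep one copy, in the `[title](url)` form the rest of the file uses, and drop the working markers before this lands. The MEMSCAN blurb is Cigital's own first-person text ('A Cigital consultant ... recently created a utility'); quote it or rewrite it in the third person so the page does not read as Cigital speaking.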
@ -44,28 +47,16 @@ This course focuses on the iOS platform and application security and is ideal fo
Attacking iOS
Vulnerabilities/Exploits
###Vulnerabilities/Exploits
List of iOS Exploits:
http://theiphonewiki.com/wiki/Category:Exploits
Techniques
###Techniques
Training & Tutorials
###Training & Tutorials
Learning iOS Application Security - 34 part series
http://damnvulnerableiosapp.com/#learn
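Review bot: the new headings `###Vulnerabilities/Exploits`, `###Techniques` and `###Training & Tutorials` have no space after the hashes; CommonMark-compliant renderers (GitHub's included) then treat them as plain text, so `### Vulnerabilities/Exploits` is the portable form. The same applies to every `###`/`####` heading this commit introduces. 'List of iOS Exploits:' followed by the bare `http://theiphonewiki.com/wiki/Category:Exploits` is the one entry in this hunk not converted to `[title](url)`, and `###Techniques` ends up with nothing under it.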
@ -80,24 +71,22 @@ OWASP iGOAT
https://www.owasp.org/index.php/OWASP_iGoat_Project
iOS Security Testing Methodologies
###iOS Security Testing Methodologies
General Research Papers
###General Research Papers
Reverse Engineering
###Reverse Engineering
IOS Reverse Engineering toolkit:
https://github.com/S3Jensen/iRET
Summary:
The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including:
[IOS Reverse Engineering toolkit](https://github.com/S3Jensen/iRET)
* The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including:
binary analysis using otool
keychain analysis using keychain_dumper
reading database content using sqlite
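Review bot: the new iRET bullet carries over the grammar slip 'It automates a many common tasks'; it should read 'It automates many common tasks'. The task list that follows the bullet ('binary analysis using otool', 'keychain analysis using keychain_dumper', 'reading database content using sqlite') is left as bare lines, so it will run together into the bullet's paragraph rather than render as a sub-list; indent each with `  * `. The new headings `###iOS Security Testing Methodologies` and `###General Research Papers` have no entries; add some or mark them TODO so they are not empty sections in the rendered page.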
@ -108,55 +97,27 @@ creating, editing, installing theos tweaks
###Jailbreaking
Attacking iOS Devices
Analyzing Attack Surfaces
Jailbreaking Pros - Cons
Info Leakage
####Jailbreaking Pros - Cons
Guide to hardening iOS with the goal of privacy:
http://cydia.radare.org/sec/
Jailbreaking
IPhoneDevWiki
From: iphonedevwiki.net/index.php/Main_Page
“Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”
http://iphonedevwiki.net/index.php/Main_Page
[IPhoneDevWiki](http://iphonedevwiki.net/index.php/Main_Page)
* “Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”
The iPhone Wiki
From: http://theiphonewiki.com/wiki/Main_Page
The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices.
[The iPhone Wiki](http://theiphonewiki.com/wiki/Main_Page)
* The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices.
Maybe>?
https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
Defeating iOS cryptography
###Defeating iOS cryptography
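Review bot: the old wiki entries ('IPhoneDevWiki' with 'From: iphonedevwiki.net/index.php/Main_Page' and the bare URL below it; 'The iPhone Wiki' with 'From: http://theiphonewiki.com/wiki/Main_Page') and their new `[title](url)` bullets both appear in this hunk; confirm the 'From:' lines and bare URLs are on the removed side rather than left beside the new bullets. The 'Maybe>?' line and the OWASP cheat-sheet URL under it are a working note, and that URL already sits at the top of this file under `CULL`. 'Guide to hardening iOS with the goal of privacy:' plus a bare `http://cydia.radare.org/sec/` should become a `[title](url)` entry. The '[1]' inside the quoted IPhoneDevWiki text is a footnote marker from the source page with no referent here. Lastly, 'Attacking iOS Devices', 'Analyzing Attack Surfaces' and 'Info Leakage' sit as plain lines under `###Jailbreaking` with nothing attached to them.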


+ 6
- 1
Draft/Draft/Basic Security Information.md

@ -1,7 +1,10 @@
##Basic Security Principles/Information
Shodan Guide
[Shodan Man page](http://www.shodanhq.com/help)
[Shodan Filter Reference](http://www.shodanhq.com/help/filters)
[Shodan FAQ](http://www.shodanhq.com/help/faq)
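Review bot: the three Shodan links that replace the bare 'Shodan Guide' line sit directly under `##Basic Security Principles/Information` with no subsection, while the rest of this commit is giving files `###` subsections; a `### Shodan` heading (with the space after the hashes) would keep this file consistent. `[Shodan Man page]` points at `http://www.shodanhq.com/help`, which is the help page rather than a man page, so 'Shodan help page' is the more accurate text.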
@ -9,6 +12,8 @@
[Information Security For Journalist book - Centre for Investigative Journalism](http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf)


+ 61
- 24
Draft/Draft/Cheat sheets reference pages.md

@ -1,68 +1,105 @@
Cheat Sheets & Reference Pages
##Cheat Sheets & Reference Pages
[Metasploit 4.2 documentation](https://community.rapid7.com/docs/DOC-1751)
http://www.amanhardikar.com/mindmaps.html
http://www.amanhardikar.com/mindmaps/Practice.html
[O-Auth Security Cheat Sheet](http://www.oauthsecurity.com/)
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
[AIX For Pentesters](http://www.giac.org/paper/gpen/6684/aix-penetration-testers/125890)
* Good paper on exploiting/pentesting AIX based machines. From the paper itself “ The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.”
[RootVG - Website Dedicated to AIX](http://www.rootvg.net/content/view/102/98/)
[WinDbg Cheat Sheet/mindmap](http://tylerhalfpop.com/2014/08/16/windbg-cheatsheet/)
[Tips for Troubleshooting Human Communications](https://zeltser.com/human-communications-cheat-sheet/)
[Pdf of all WinDbg commands](http://windbg.info/download/doc/pdf/WinDbg_cmds.pdf)
[How to Suck at Information Security](https://zeltser.com/suck-at-security-cheat-sheet/)
[x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)
###General Cheat Sheets
[Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
[Metasploit 4.2 documentation](https://community.rapid7.com/docs/DOC-1751)
[MSF Payload Cheat Sheet](http://aerokid240.blogspot.com/2009/11/msfpayload-goodness-cheatsheet.html)
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
[Metasploit Meterpreter Cheat Sheet](https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20Meterpreter%20Cheat%20%20Sheet.pdf)
[O-Auth Security Cheat Sheet](http://www.oauthsecurity.com/)
[Nmap](https://highon.coffee/docs/nmap/)
[Security Architecture Cheat Sheet for Internet Applications](https://zeltser.com/security-architecture-cheat-sheet/)
[General Tricks](http://averagesecurityguy.info/cheat-sheet/)
###Android Cheat Sheets
[Android ADB cheat sheet](https://github.com/maldroid/adb_cheatsheet/blob/master/cheatsheet.pdf?raw=true)
[Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
###iOS Cheat Sheets
[Arm instruction set](http://simplemachines.it/doc/arm_inst.pdf)
###Linux Cheat Sheets
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
###Windows Cheat Sheets
[Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md
[Nmap](https://highon.coffee/docs/nmap/)
[Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
###Exploitation Cheat Sheets
[Linux - Breaking out of shells](https://highon.coffee/docs/linux-commands/#breaking-out-of-limited-shells)
[AIX For Pentesters](http://www.giac.org/paper/gpen/6684/aix-penetration-testers/125890)
* Good paper on exploiting/pentesting AIX based machines. From the paper itself “ The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.”
[RootVG - Website Dedicated to AIX](http://www.rootvg.net/content/view/102/98/)
[x86 Assembly Guide/Reference - Wikibooks](https://en.wikibooks.org/wiki/X86_Assembly)
* Introduction for those who don’t know ASM and a reference for those that do.
http://www.amanhardikar.com/mindmaps.html
###Exploit Dev Cheat Sheets
[x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
###Forensics/IR Cheat Sheets
[File Signature Table](http://www.garykessler.net/library/file_sigs.html)
[Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
[Security Incident Survey Cheat Sheet](https://zeltser.com/security-incident-survey-cheat-sheet/)
[Initial Security Incident Questionnaire for responders Cheat Sheet](https://zeltser.com/security-incident-questionnaire-cheat-sheet/)
[Critical Log Review Checklist for Security Incidents](https://zeltser.com/security-incident-log-review-checklist/)
[Network DDOS Incident Response Cheat Sheet](https://zeltser.com/ddos-incident-cheat-sheet/)
###Reverse Engineering Cheat Sheets
[Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md
[WinDbg Cheat Sheet/mindmap](http://tylerhalfpop.com/2014/08/16/windbg-cheatsheet/)
[Pdf of all WinDbg commands](http://windbg.info/download/doc/pdf/WinDbg_cmds.pdf)
[Arm instruction set](http://simplemachines.it/doc/arm_inst.pdf)
http://www.amanhardikar.com/mindmaps/Practice.html
###Malware Cheat Sheet
https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20Meterpreter%20Cheat%20%20Sheet.pdf
[Reverse Engineering Malware Cheat Sheet](https://zeltser.com/reverse-malware-cheat-sheet/)
http://aerokid240.blogspot.com/2009/11/msfpayload-goodness-cheatsheet.html
[Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
http://averagesecurityguy.info/cheat-sheet/
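Review bot: both `[Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md` lines (under `###Windows Cheat Sheets` and under `###Reverse Engineering Cheat Sheets`) are missing the closing `)`, so the link will not render; whichever copy survives needs the paren, and it belongs under Reverse Engineering, not Windows. Further: 'Mem forenics' should be 'Mem forensics' in the `[Mem forenics cheat sheet]` text; `[File Signature Table]` is listed under both `###Linux Cheat Sheets` and `###Forensics/IR Cheat Sheets`, and it is the only entry in the Linux section although file signatures are not Linux-specific, so that section can go; `[Nmap]` lands under `###Windows Cheat Sheets` where it does not belong, and `[Linux - Breaking out of shells]` under `###Exploitation Cheat Sheets` reads as a Linux entry; and the bare URLs at the bottom (the amanhardikar mindmaps, the scadahacker Meterpreter PDF, the aerokid240 msfpayload post, the averagesecurityguy page) duplicate entries that already appear in `[title](url)` form higher in the hunk, so if those bare lines are on the retained side they should be dropped. `###Malware Cheat Sheet` is the one singular heading among plurals.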

+ 4
- 2
Draft/Draft/Classes & Training.md

@ -4,10 +4,10 @@
http://www.cis.syr.edu/~wedu/seed/all_labs.html - Training
[exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
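Review bot: `http://www.cis.syr.edu/~wedu/seed/all_labs.html - Training` stays a bare URL with a trailing label, unlike the `[exrs - ...](url)` entry added directly under it; convert it to `[SEED labs - Training](http://www.cis.syr.edu/~wedu/seed/all_labs.html)` (the name is taken from the URL path) so the file uses one entry format.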
@ -26,6 +26,8 @@ http://www.cis.syr.edu/~wedu/seed/all_labs.html - Training
[Android Forensics & Security Testing - OpenSecurityTraining.info](http://opensecuritytraining.info/AndroidForensics.html)
[Pentester Lab](https://www.pentesterlab.com/)
* PentesterLab provides vulnerable systems that can be used to test and understand vulnerabilities.


+ 12
- 4
Draft/Draft/Client Side Attacks.md

@ -6,7 +6,7 @@ I define client-side attacks as any form of attack that requires deliberate acti
Different forms of client side attacks:
###Different forms of client side attacks:
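Review bot: `###Different forms of client side attacks:` needs a space after the hashes to render as a heading on CommonMark renderers, and the trailing colon is unusual in a heading; `### Different forms of client-side attacks` also matches the 'client-side' spelling in the context line above ('I define client-side attacks as...').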
@ -31,7 +31,7 @@ Need to read Browser hackers handbook
[White Lightning Attack Platform](https://github.com/TweekFawkes/White_Lightning/tree/master/var/www)
[BeEF Browser Exploitation Framework](http://beefproject.com/)
[BeEF Browser Exploitation Framework](http://beefproject.com/
[Technical analysis of client identification mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
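Review bot: of the two BeEF lines, `[BeEF Browser Exploitation Framework](http://beefproject.com/` is missing the closing `)`. If that is the added line replacing the one with the paren, the change breaks the link; if it is the removed line, the hunk is fine. Check the rendered file to be sure the surviving line has its `)`.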
@ -45,15 +45,23 @@ Need to read Browser hackers handbook
[The definition from wikipedia](en.wikipedia.org/wiki/Phishing):
* “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”
Phishing Techniques:
####Phishing Techniques:
[Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)
[Real World Phishing Techniques - Honeynet Project](http://www.honeynet.org/book/export/html/89)
[Tab Napping - Phishing](http://www.exploit-db.com/papers/13950/)
Phishing Frameworks:
[How do I phish? – Advanced Email Phishing Tactics - Pentest Geek](https://www.pentestgeek.com/2013/01/30/how-do-i-phish-advanced-email-phishing-tactics/)
####Phishing Frameworks:
[Phishing Frenzy](http://www.phishingfrenzy.com/)
* Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.
[sptoolkit](https://github.com/sptoolkit/sptoolkit)
* Simple Phishing Toolkit is a super easy to install and use phishing framework built to help Information Security professionals find human vulnerabilities
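Review bot: `[The definition from wikipedia](en.wikipedia.org/wiki/Phishing)` has no scheme, so it renders as a relative link inside the repo; use `https://en.wikipedia.org/wiki/Phishing`. The Pentest Geek `[How do I phish? ...]` entry sits between the old 'Phishing Frameworks:' line and the new `####Phishing Frameworks:` heading; it is a techniques article, so make sure it ends up under `####Phishing Techniques:` once the old line is gone. The sptoolkit blurb is missing its final period.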

+ 20
- 0
Draft/Draft/Common CLI CMD Refs.md

@ -0,0 +1,20 @@
###Common CLI Commands Reference
TCPDump
Ncat
Nmap
Metasploit
Curl
Netsh
Wget
httpry
dsniff suite
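Review bot: this new file is only a `###Common CLI Commands Reference` heading and nine tool names (TCPDump, Ncat, Nmap, Metasploit, Curl, Netsh, Wget, httpry, dsniff suite) with no commands under any of them, while `Common CLI CMD Refs.rtf` with the same base name also appears in this commit at +0/-0. Either add at least one command per tool or mark the file as a stub, and retire the .rtf once the Markdown version holds the content, since the repo's other reference pages are .md. The file also lacks the `##` top-level heading the other pages have, and the `###` needs a space after the hashes.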

+ 0
- 0
Draft/Draft/Common CLI CMD Refs.rtf


+ 15
- 31
Draft/Draft/Computer Hardware Attacks.md

@ -14,42 +14,17 @@ http://www.cl.cam.ac.uk/~sps32/
Grab links for his papers
[Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the rmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse en- gineering. Using such a compromised rmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compro- mised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to in ltrate commands and to ex- ltrate data. In our example, this channel is established over the Internet to an unmodi ed web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage en- gine, lesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environ- ment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded crim- inals, botnet herders and academic researchers.
[TAMPER (Tamper And Monitoring Protection Engineering Research)](http://www.cl.cam.ac.uk/research/security/tamper/)
* In the TAMPER Lab, we study existing security products, document how they have been penetrated in the past, develop new attack techniques, and try to forecast how newly available technologies will make it easier to bypass hardware security mechanisms. We then develop and evaluate new countermeasures and assist industrial designers in staying ahead of the game, most of all by giving them an advanced understanding of which attack techniques are most dangerous. We are especially interested in protection systems for mass-market applications, and in forensic applications.
[Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the firmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse engineering. Using such a compromised firmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compromised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to infiltrate commands and to ex-filtrate data. In our example, this channel is established over the Internet to an unmodified web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage engine, filesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diffculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded criminals, botnet herders and academic researchers.
[Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)
[Attacking “secure” chips](https://www.youtube.com/watch?v=w7PT0nrK2BE)
[Perimeter-Crossing Buses: a New Attack Surface for
Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
* Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that e ective and ecient injection of trac into the buses is real and easily a ordable. Further, it presents a simple and inexpen-sive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
[Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
[Keykeriki v2.0](http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html)
* Hardware to attack wireless keyboards and other such things
[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)
* Abstract: In this paper we propose an extremely stealthy approach for implement-
ing hardware Trojans below the gate level, and we evaluate their impact
on the security of the target device. Instead of adding additional cir-
cuitry to the target design, we insert our hardware Trojans by changing
the dopant polarity of existing transistors. Since the modi ed circuit ap-
pears legitimate on all wiring layers (including all metal and polysilicon),
our family of Trojans is resistant to most detection techniques, includ-
ing ne-grain optical inspection and checking against \golden chips".
We demonstrate the e ectiveness of our approach by inserting Trojans
into two designs | a digital post-processing derived from Intel's cryp-
tographically secure RNG design used in the Ivy Bridge processors and
a side-channel resistant SBox implementation | and by exploring their
detectability and their e ects on security.
###Tools:
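Review bot: `[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)` has the words 'Hardware level trojans' inside the URL parentheses, so the link target is invalid; the target should be just the PDF URL. The two copies of the 'Implementation and Implications of a Stealth Hard-Drive Backdoor' abstract in this hunk both carry PDF-copy damage, dropped fi/ff ligatures ('o -the-shelf', 'secret key le', 'diffculty') and line-break hyphens ('re- mote', 'back- door', 'at- tack'); the second copy repairs some but not all, so finish the pass ('off-the-shelf', 'secret key file', 'difficulty', 'remote', 'backdoor', 'attack'). The Perimeter-Crossing Buses abstract has the same problem ('e ective and ecient injection of trac', 'a ordable', 'inexpen-sive'), and the dopant-Trojan abstract has 'modi ed', 'ne-grain', 'e ectiveness', 'e ects', plus '|' and '\golden chips"' where the source's em-dashes and quotation marks did not survive the copy. `[Attackin the TPM part 2]` should read 'Attacking'.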
@ -91,9 +66,18 @@ Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)
http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1
###Computer Hardware Attack Writeups
[Perimeter-Crossing Buses: a New Attack Surface for
Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
* Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that e ective and ecient injection of trac into the buses is real and easily a ordable. Further, it presents a simple and inexpen-sive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
[Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)
[Keykeriki v2.0](http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html)
* Hardware to attack wireless keyboards and other such things
[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)
* Abstract: In this paper we propose an extremely stealthy approach for implement- ing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional cir- cuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modi ed circuit ap- pears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, includ- ing ne-grain optical inspection and checking against \golden chips". We demonstrate the e ectiveness of our approach by inserting Trojans into two designs | a digital post-processing derived from Intel's cryp- tographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation | and by exploring their detectability and their e ects on security.
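Review bot: the same `[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://...)` link with text inside the URL parentheses reappears here under `###Computer Hardware Attack Writeups`, and the Perimeter-Crossing Buses and dopant-Trojan abstracts are moved with their ligature and hyphenation damage intact ('e ective and ecient', 'inexpen-sive', 'implement- ing', 'cir- cuitry', '\golden chips"'); if these entries are being moved from the earlier section rather than duplicated, fix the text once here. The anti-evil-maid link above the heading is a bare URL with a `?m=1` mobile-view suffix; `[Anti Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html)` fits the file's format.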

+ 4
- 0
Draft/Draft/Counter Surveillance.md

@ -1,5 +1,9 @@
##Counter Surveillance
I am not a professional and may be a twelve year old child. Be wary.
###Blogs/Sites


+ 10
- 0
Draft/Draft/CryptoCurrencies.md

@ -3,6 +3,16 @@
######I don’t know.
Bitcoin - What other alt coins?
Bitcointalk
/r/bitcoin
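Review bot: 'Bitcointalk' and '/r/bitcoin' are added as bare names rather than links, and 'Bitcoin - What other alt coins?' is a question to the author rather than content; give the two sites `[title](url)` entries like the rest of the repo and move the open question into the To Do notes this commit already maintains. `######I don't know.` is an h6 heading being used as a comment and will render as a tiny heading.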


+ 15
- 10
Draft/Draft/Cryptography & Encryption.md

@ -1,15 +1,22 @@
##Cryptography
###Cull
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On PCs](http://www.tau.ac.il/~tromer/handsoff/)
* We demonstrated physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels and are based on the observation that the "ground" electric potential in many computers fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables. Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).
[Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
[java-aes-crypto (Android class)](https://github.com/tozny/java-aes-crypto)
* A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
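Review bot: `[Website detailing various crypto laws around world](http://www.cryptolaw.org/)` appears twice in this hunk, once directly under `###Cull` and again after the TLS troubleshooting link; confirm only one copy is on the retained side. The 'Get Your Hands Off My Laptop' blurb is the authors' abstract in the first person ('We demonstrated physical side-channel attacks...'); quote it, as the AIX entry elsewhere in this commit does with 'From the paper itself', so the page does not speak as the paper's authors. `###Cull` is a working marker rather than a section heading.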
@ -19,7 +26,8 @@
[keyCzar](http://www.keyczar.org/)
* Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
[RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](http://www.tau.ac.il/~tromer/acoustic/)
* Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
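Review bot: the acoustic cryptanalysis blurb opens 'Here, we describe a new acoustic cryptanalysis key extraction attack' in the authors' voice; it is the same first-person-abstract issue as the side-channel entry earlier in this file, so mark it as a quotation or rewrite it in the third person.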
@ -44,11 +52,8 @@ https://crypto.is/blog/
http://ciat.sourceforge.net/
The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).
[Cryptographic Implementations Analysis Toolkit (CIAT)](http://ciat.sourceforge.net/)
* The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).
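Review bot: the new CIAT bullet keeps 'is compendium of command line and graphical tools' from the old paragraph; it should read 'is a compendium'. Otherwise, replacing the bare URL plus paragraph with `[title](url)` and a bullet is the right direction.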
@ -57,11 +62,11 @@ The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of comma
Books:
###Books:
Cryptography Engineering
Applied Cryptography
Courses:
###Courses:
Coursera Cryptography
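Review bot: 'Cryptography Engineering' and 'Applied Cryptography' under the new `###Books:` heading, and 'Coursera Cryptography' under `###Courses:`, are bare titles; add the author or a link in the `[title](url)` form used elsewhere in the file. The trailing colons in `###Books:` and `###Courses:` are inconsistent with the other new headings in this commit, and all of them need a space after the hashes.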
@ -74,7 +79,7 @@ Courses:
Stenograhpy
###Stenograhpy
[imagejs](https://github.com/jklmnn/imagejs)
* imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.
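Review bot: the new heading `###Stenograhpy` carries over the typo from the line it replaces; it should be `### Steganography`. In the imagejs blurb, 'the file command you might now from Linux or other Unix based operation systems' should read 'might know from Linux or other Unix-based operating systems'.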


+ 20
- 1
Draft/Draft/Data Visualization.md

@ -1,4 +1,23 @@
##Data Visualization
Check out http://secviz.org/
[Drawing effective network diagrams](https://www.auvik.com/media/blog/effective-network-diagrams/)
d3js
[d3js(Data Driven Documents)](http://d3js.org/)
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
[Drawing effective network diagrams](https://www.auvik.com/media/blog/effective-network-diagrams/)
[Data Maps](https://datamaps.github.io/)
* Customizable SVG map visualizations for the web in a single Javascript file using D3.js
[pewpew](https://github.com/hrbrmstr/pewpew)
* In all seriousness, IPew provides a simple framework - based on Datamaps - for displaying cartographic attack data in a (mostly) responsive way and shows how to use dynamic data via javascript event timers and data queues (in case you're here to learn vs have fun - or both!). You can customize the display through a myriad of query string options, including sounds.
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
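Review bot: the "Drawing effective network diagrams" link to auvik.com appears twice in this hunk (once directly after the secviz.org line and again after the D3 bullet); if both copies are on the added side, drop one. The bare `d3js` line above the `[d3js(Data Driven Documents)]` entry looks like the leftover plain-text form and should go with the conversion, as was done for the other entries.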

Draft/Draft/Disclosure.md (+8 -3)

@ -4,7 +4,7 @@
[How to Disclose or Sell an Exploit - DEF CON 21 - James Denaro](https://www.youtube.com/watch?v=N1Xj3f4felg)
[How to Disclose an Exploit Without Getting in TroubleDEF CON 22 - Jim Denaro and Tod Beardsley](https://www.youtube.com/watch?v=Y8Cpio6z9qA)
[How to Disclose an Exploit Without Getting in Trouble DEF CON 22 - Jim Denaro and Tod Beardsley](https://www.youtube.com/watch?v=Y8Cpio6z9qA)
[Good comparison of various forms of disclosure](http://blog.opensecurityresearch.com/2014/06/approaches-to-vulnerability-disclosure.html)
@ -14,12 +14,13 @@
* Recommended reading.
###Dealing with the press/journalists:
[Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
###Dealing with the press/journalists:
[Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
###Tools
[Cryptoshot](https://github.com/DiabloHorn/cryptoshot)
* This application will make a screenshot of the desktop. If the desktop consists of multiple monitors
@ -42,5 +43,9 @@ The windows project has the added functionality of sending the screenshot to a s

Draft/Draft/Disinformation.md (+16 -1)

@ -1,6 +1,7 @@
##Disinformation
[The Gentleperson’s Guide to Forum Spies]cryptome.org/2012/07/gent-forum-spies.htm)
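Review bot: the Gentleperson's Guide entry is not a valid markdown link: `[The Gentleperson’s Guide to Forum Spies]cryptome.org/2012/07/gent-forum-spies.htm)` is missing the opening parenthesis after `]` and the `http://` scheme, so it renders as literal text. It should be `[The Gentleperson’s Guide to Forum Spies](http://cryptome.org/2012/07/gent-forum-spies.htm)`.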
@ -9,13 +10,27 @@
[The Gentleperson’s Guide to Forum Spies]cryptome.org/2012/07/gent-forum-spies.htm)
[Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC](https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/)
[Disinformation of Charlie Hebdo and The Fake BBC Website](http://thetrendythings.com/read/18256)
[Counterintelligence, False Flags, Disinformation, and Network Defense - krypt3ia](https://krypt3ia.wordpress.com/2012/10/17/counterintelligence-false-flags-disinformation-and-network-defense/)
[PsyOps and Socialbots](http://resources.infosecinstitute.com/psyops-and-socialbots/)
[Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-7-governments-and-ufos-a-historical-analysis-of-disinformation-and-deception-richard-thieme)
[Russia Convention on International Information Security](http://cryptome.org/2014/05/ru-international-infosec.htm)
[A Digital World Full of Ghost Armies](http://www.cigtr.info/2015/02/a-digital-world-full-of-ghost-armies.html)
* Not very related to infosec per say, but the general idea/takeaway is very applicable.
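Review bot: "Not very related to infosec per say" on the last line should be "per se". The Gentleperson's Guide line at the top of this hunk has the same broken link syntax as in the hunk above (no `(` after `]`, no `http://` scheme); if this copy is the one being kept, it needs the same fix.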

Draft/Draft/Documentation & Reports.md (+8 -1)

@ -21,10 +21,17 @@ Start with the first two links, and go from there. They
###Other Materials:
Three parter from jacobian.org:
[What to write](http://jacobian.org/writing/what-to-write/)
[Technical Style](http://jacobian.org/writing/technical-style/)
[Editors](http://jacobian.org/writing/editors/)
[Writing Types of User Documentation](https://en.wikiversity.org/wiki/Technical_writing_Types_of_User_Documentation0
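Review bot: the Wikiversity link on the last line ends in `0` instead of `)`: `...Technical_writing_Types_of_User_Documentation0` closes neither the URL nor the markdown link, so the entry renders broken. Replace the trailing `0` with `)`.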
@ -55,7 +62,7 @@ Three parter from jacobian.org:
[Tips for Creating an Information Security Assessment Report Cheat Sheet](https://zeltser.com/security-assessment-report-cheat-sheet/)


Draft/Draft/Exploit Development.md (+399 -0)

@ -0,0 +1,399 @@
###Exploit Development
Add Exploit Prevention Techniques/Bypass section
###Cull
http://www.oldapps.com/
Finding Opcodes
Methods of finding opcodes:
metasploit opcode DB
memdump
pvefindaddr - mona.py
[Acquiring VMs of any Windows going back to XP to Windows 10](https://www.modern.ie/en-us/virtualization-tools#downloads)
[OneRNG](http://moonbaseotago.com/onerng/theory.html)
[The Ultimate Anti-Debugging Reference(2011)](http://pferrie.host22.com/papers/antidebug.pdf)
* Good reference, though old.
Finding and analyzing Crash dumps:
http://blogs.msdn.com/b/pfedev/archive/2008/09/26/all-the-ways-to-capture-a-dump.aspx
http://blogs.technet.com/b/askperf/archive/2007/05/29/basic-debugging-of-an-application-crash.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
[Windows Anti-Debug Reference](http://www.symantec.com/connect/articles/windows-anti-debug-reference)
* Good, but also old, Nov2010
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[Introduction to ROP programming]http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
[Gentle introduction to ROP programming](http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/)
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
[Pool Blade: A new approach for kernel pool exploitation](https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/)
[Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[ 64-bit Linux Return-Oriented Programming - Standford](https://crypto.stanford.edu/~blynn/rop/)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[OptiROP: The art of hunting ROP gadgets](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf)
* [Video](https://www.youtube.com/watch?v=_3uBybBpq48)
* This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
[Bypassing Windows Hardware-enforced Data Execution Prevention Oct 2, 2005](http://www.uninformed.org/?v=2&a=4&t=txt)
[Open Source Windows x86/x64 Debugger](http://x64dbg.com/)
[Too LeJIT to Quit: Extending JIT Spraying to ARM](www.internetsociety.org/sites/default/files/09_3_2.pdf)
[Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[Bypassing ASLR + DEP Whitepaper](http://www.exploit-db.com/wp-content/themes/exploit/docs/17914.pdf)/
* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
[Windows DLL-Injection basics](http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html)
[Using Binwally](http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
###Anti-Fuzzing
Intro to Anti-Fuzzing
https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/
###Assembly(x86/x64/ARM)
[X86 Instruction Reference](Felixcoutier.com/x86)
[Awesome Reference for Intel x86/64](http://ref.x86asm.net/)
* This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes.
[Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
###Exploit Development
[Mechanization of Exploits](https://github.com/REMath/literature_review/blob/master/mechanization_of_exploits.org)
[Funky File Formats - Advanced Binary Exploitation](http://media.ccc.de/browse/congress/2014/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini.html#video)
[Exploit Tips and Techniques(ReCon2014 William Peteroy)](https://www.youtube.com/watch?v=FEXnJKXYoLM)
[Smashing the Stack for Fun and Profit in 2010](http://www.mgraziano.info/docs/stsi2010.pdf)
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys. This post goes through identifying the patched vulnerability.
###Tools
[binwally](https://github.com/bmaia/binwally)
Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
[meterssh](https://github.com/trustedsec/meterssh)
MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.
[Equip: python bytecode instrumentation](https://github.com/neuroo/equip)
* equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations. The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
[!exploitable Crash Analyzer](https://msecdbg.codeplex.com/)
* !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.
[rp++](https://github.com/0vercl0k/rp)
* rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable ; I will upload static-compiled binaries for each OS.
[Pattern-Create/offset as a python function](https://github.com/jbertman/pattern_create)
* Metasploit pattern generator in Python, modified to be used as a function
[Findjmp2](http://www.securiteam.com/tools/5LP0C1PEUY.html)
Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism.
##From a randomly linked Pastebin (if you made this, thank you so much; eventually it will be assimilated, until then:)
This document is in fieri, and, as such, will be subject to change in the near future.
My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- sar
###Buffer overflows:
-----------------
* [How to write buffer overflows, mudge, 1995](http://insecure.org/stf/mudge_buffer_overflow_tutorial.html)
* [Smashing the stack for fun and profit, Aleph One, 1996](http://www.phrack.com/issues.html?issue=49&id=14)
* [The Frame Pointer Overwrite, klog, 1999](http://www.phrack.com/issues.html?issue=55&id=8)
* [win32 buffer overflows, dark spyrit, 1999](http://www.phrack.com/issues.html?issue=55&id=15)
###Return-into-lib / Return oriented programming:
----------------------------------------------
* [Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997](http://marc.info/?l=bugtraq&m=87602746719512)
*[More advanced ret-into-lib(c) techniques, Nergal, 2001](http://www.phrack.com/issues.html?issue=58&id=4)
* [On the effectiveness of address-space randomization, , 2004](http://benpfaff.org/papers/asrandom.pdf)
* [Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005](http://www.suse.de/~krahmer/no-nx.pdf)
* [The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Defeating DEP, the Immunity Debugger way, Pablo Sole,2008](http://www.immunitysec.com/downloads/DEPLIB.pdf)
* [The Case of Return-Oriented Programming and the AVC Advantage, 2009](http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf)
* [Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010](http://www.sourceconference.com/bos10pubs/Dino.pdf)
###Heap exploitation:
------------------
* [w00w00 on heap overflows, Matt Conover, 1999](http://w00w00.org/files/articles/heaptut.txt)
* [Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001](http://www.phrack.com/issues.html?issue=57&id=8)
* [Once upon a free(), anonymous author, 2001\(http://www.phrack.com/issues.html?issue=57&id=9)
* [Advanced Doug Lea's malloc exploits, jp, 2003](http://www.phrack.com/issues.html?issue=61&id=6)
* [Exploiting the wilderness, Phantasmal Phantasmagoria, 2004](http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html)
*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt)
* [Yet another free() exploitation technique, huku, 2009](http://www.phrack.com/issues.html?issue=66&id=6)
###Format string exploitation:
---------------------------
* [Exploiting format string vulnerabilities, scut / Team-TESO, 2001](http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf)
*[Advances in format string exploitation, gera, 2002](http://www.phrack.com/issues.html?issue=59&id=7)
* [An alternative method in format string exploitation, K-sPecial, 2006](http://www.milw0rm.com/papers/103)
###Integer overflows:
--------------
* [Big Loop Integer Protection, Oded Horovitz, 2002](http://www.phrack.com/issues.html?issue=60&id=9)
* [Basic Integer Overflows, blexim, 2002](http://www.phrack.com/issues.html?issue=60&id=10)
###Null-ptr dereference:
---------------------
* [Large memory management vulnerabilities, Gael Delalleau, 2005](http://cansecwest.com/core05/memory_vulns_delalleau.pdf)
* [Exploiting the Otherwise Non-exploitable on Windows, skape, 2006](http://www.uninformed.org/?v=4&a=5&t=pdf)
* [Vector rewrite attack, Barnaby Jack, 2007](http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf)
* [Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008](http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf)
###JIT-spray:
----------
* [Pointer inference and JIT-Spraying, Dion Blazakis, 2010](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
* [Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010](http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf)
Other:
------
* [Overwriting the .dtors section, Juan M. Bello Rivas, 2000](http://seclists.org/bugtraq/2000/Dec/175)
* [Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006](http://vxheavens.com/lib/viz00.html)
Unorganized:
------------
http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf exploit null ptr dereference
http://www.phrack.com/issues.html?issue=57&id=18 writing ia32 alphanumeric shellcode
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html Automating mimicry attacks using static binary analysis
http://cansecwest.com/core05/memory_vulns_delalleau.pdf Large memory management vulnerabilities, Gael Delalleau, 2005
http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/
http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
http://www.phrack.com/issues.html?issue=64&id=6, Attacking the Core : Kernel Exploiting Notes, 2007
http://lkml.org/lkml/2010/5/27/490
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
•http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
•http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
•http://seclists.org/vuln-dev/2002/Nov/att-0056/0
•http://www.pine.nl/press/pine-cert-20030101.txt
•http://seclists.org/bugtraq/2000/Jan/0016.html
1.
ASLR:
[Aslr Smack and Laugh Reference](www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf)
* [Advanced Buffer Overflow Methods](cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt)
* [Smack the Stack](sts.synflood.de/dump/doc/smackthestack.txt)
* [Exploiting the random number generator to bypass ASLR](blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf)
[Wikipedia on ASLR](en.wikipedia.org/wiki/Address_space_layout_randomization)
* [Bypassing Memory Protections: The Future of Exploitation](usenix.org/events/sec09/tech/slides/sotirov.pdf)
* [On the Effectiveness of Address-Space Randomization](stanford.edu/~blp/papers/asrandom.pdf)
* [Exploiting with linux-gate.so.1](milw0rm.com/papers/55)
* [Circumventing the VA kernel patch For Fun and Profit](milw0rm.com/papers/94)
* [Defeating the Matasano C++ Challenge](timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/)
* [Bypassing PaX ASLR protection](phrack.com/issues.html?issue=59&id=9)
* [Thoughts about ASLR, NX Stack and format string attacks](nibbles.tuxfamily.org/?p=1190)
* [Return-into-libc without Function Calls](cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes](cr0.org/paper/to-jt-linux-alsr-leak.pdf)
corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
19.
securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
20.
securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
21.
securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx
http://ilm.thinkst.com/folklore/index.shtml
###Exploit Dev Papers
[The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* We present new techniques that allow a return-into-libc attack to be mounted on
x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the
properties of the x86 instruction set.
[Glibc Adventures: The Forgotten Chunks](http://www.contextis.com/documents/117/Glibc_Adventures-The_Forgotten_Chunks.pdf)
* Exploiting Glibc
[Bypassing All the Things](https://www.exodusintel.com/files/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf)
* Handholding through Vuln Discovery and Exploitation
{Understanding Buffer Overflow Exploits](http://proactivedefender.blogspot.com/2013/05/understanding-buffer-overflows.html)
[Smashing the Stack for Fun and Profit](http://insecure.org/stf/smashstack.html)
[Smashing the Stack for Fun and Profit in 2010](http://www.mgraziano.info/docs/stsi2010.pdf)
###Exploit Writeups
[REMath](https://github.com/REMath/literature_review)
[It All Swings Around - Malicious Macros](http://sketchymoose.blogspot.com/2015/02/it-all-swings-round-malicious-macros.html)
* Writeup and explanation of random Macro exploits
[Portable Executable Injection For Beginners](http://www.malwaretech.com/2013/11/portable-executable-injection-for.html)
[Disarming and Bypassing EMET 5.1 - OffSec](http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/)
[Smashing the Browser - From fuzzing to 0day on IE11](https://github.com/demi6od/Smashing_The_Browser)
[From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
[From fuzzing to 0-day](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
[Exploiting CVE-2014-4113 on Win8.1](http://www.jodeit.org/research/Exploiting_CVE-2014-4113_on_Windows_8.1.pdf)
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
[Exploiting MS14-066](http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/)
[Shellshock bug writeup by lcamtuf](http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html)
AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Part 1](http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-i)
[Part 2](http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii)
[Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit](http://eshunrd.blogspot.com/2011/09/linux-kernel-26362-econet-privilege.html)
[Coding Malware for Fun and Not for Profit (Because that would be illegal)](http://www.malwaretech.com/2014/04/coding-malware-for-fun-and-not-for.html)
[Exploiting “BadIRET” vulnerability - CVE-2014-9322, Linux kernel privilege escalation](http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
[Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution](https://barrebas.github.io/blog/2015/02/22/maximum-overkill-two-from-format-string-vulnerability-to-remote-code-execution/)
[Exploit Writeup on Flash vuln explaining use of ASLR + DEP bypass](
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf)
[Exploiting CVE-2015-0311: A Use-After-Free in Adobe Flash Player](http://blog.coresecurity.com/2015/03/04/exploiting-cve-2015-0311-a-use-after-free-in-adobe-flash-player/)
* "The vulnerability was first discovered as a zero-day being actively exploited in the wild as part of the Angler Exploit Kit. Although the exploit code was highly obfuscated using the SecureSWF obfuscation tool, malware samples taking advantage of this vulnerability became publicly available, so I decided to dig into the underlying vulnerability in order to exploit it and write the corresponding module for Core Impact Pro and Core Insight."
[A Technical Analysis of CVE 2014-1776](http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776)
[Linux ASLR integer overflow: Reducing stack entropy by four](http://hmarco.org/bugs/linux-ASLR-integer-overflow.html)
* A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow. This is a writeup of the bug and how to fix it.
[Project HeapBleed](http://census-labs.com/news/2014/11/27/project-heapbleed/)
* CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled “Project Heapbleed”, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort.
[Extreme Privelege Escalataion on Windows8 UEFI Systems](https://www.youtube.com/watch?v=UJp_rMwdyyI)
* [Slides](https://www.blackhat.com/docs/us-14/materials/us-14-Kallenberg-Extreme-Privilege-Escalation-On-Windows8-UEFI-Systems.pdf)
* Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
[Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques](http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf)
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
[Smashing the Browser](https://github.com/demi6od/Smashing_The_Browser)
* Smashing The Browser: From Vulnerability Discovery To Exploit
* Writeup: going from fuzzing to an IE11 0day exploit development
###Finding Vulnerabilities
[Winmerge](http://winmerge.org/)
* WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
####High Level Searching
#####Searching Github for vulnerable code/credentials
- [Blogpost](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html)
- [Code - Automated Tool](https://github.com/convisoappsec/research_github_hack/blob/master/github_hack.pl)
- [Cheatsheet](https://github.com/search#search_cheatsheet_pane)
- [Actual Search Page](https://github.com/search)
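Review bot: several entries in this new file use broken markdown link syntax and will render as literal text: `[Introduction to ROP programming]http://codearcana.com/...` (no `(` after `]`), `{Understanding Buffer Overflow Exploits](...)` (opening `{` instead of `[`), `[Once upon a free(), anonymous author, 2001\(http://...` (`\(` instead of `](`), `[Exploit Writeup on Flash vuln explaining use of ASLR + DEP bypass](` with its URL pushed to the next line, and the `*[More advanced ret-into-lib(c) ...]`, `*[Malloc Maleficarum ...]` and `*[Advances in format string exploitation ...]` items, which need a space after `*` to be list items. Links written without a scheme (`Felixcoutier.com/x86`, `www.internetsociety.org/...`, and the whole ASLR block from `www-users.rwth-aachen.de/...` down to `cr0.org/paper/to-jt-linux-alsr-leak.pdf`) resolve as relative paths on the rendered page; prefix them with `http://`, and the x86 reference domain is spelled `felixcloutier.com`. Duplicated entries worth collapsing: Exploit Mitigation Killchain, the SEHOP post, Smashing the Stack for Fun and Profit in 2010, Smashing the Browser, and the two "From fuzzing to 0-day" links to the same techorganic.com post; `###Exploit Development` is also used as a heading twice, and `##From a randomly linked Pastebin` sits one level above the `###` headings around it. The pasted ASLR list still carries the source's numbering (`1.`, `19.`, `20.`, `21.`) and `•` bullets on their own lines, and `Add Exploit Prevention Techniques/Bypass section` reads as a TODO that should not sit in the rendered body. Typos: `Standford`, `Privelege Escalataion`, `Additonally`, and the stray `/` after the "Bypassing ASLR + DEP Whitepaper" URL.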

Draft/Draft/Exploit Development/Anti-Fuzzing.md (+0 -5)

@ -1,5 +0,0 @@
Anti-Fuzzing
Intro to Anti-Fuzzing
https://www.nccgroup.com/en/blog/2014/01/introduction-to-anti-fuzzing-a-defence-in-depth-aid/

Draft/Draft/Exploit Development/Assembly.md (+0 -33)

@ -1,33 +0,0 @@
Assembly(x86/x64)
X86 Instruction Reference
Felixcoutier.com/x86
Awesome Reference for Intel x86/64
Link: http://ref.x86asm.net/
Description:
This reference is intended to be precise opcode and instruction set reference (including x86-64). Its principal aim is exact definition of instruction parameters and attributes.
Nasm x86 reference
https://www.cs.uaf.edu/2006/fall/cs301/support/x86/

Draft/Draft/Exploit Development/Cull.md (+0 -278)

@ -1,278 +0,0 @@
Finding Opcodes
Methods of finding opcodes:
metasploit opcode DB
memdump
pvefindaddr - mona.py
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* This past Patch Tuesday Microsoft released MS15-010: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution. This patch addressed multiple privately reported vulnerabilities in win32k.sys and one publicly disclosed vulnerability in cng.sys. This post goes through identifying the patched vulnerability.
[A Technical Analysis of CVE 2014-1776](http://blog.fortinet.com/post/a-technical-analysis-of-cve-2014-1776)
Try/Catch Exception in Powershell
"""
try {
#stuff
} catch {
$ErrorMessage = $_.Exception.Message
$ErrorSource = $_.Exception.Source
$err = $ErrorSource + " reports: " + $ErrorMessage
}
"""
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.
[Komodia Rootkit Writeupn](https://gist.github.com/Wack0/f865ef369eb8c23ee028)
* Komodia rootkit findings by @TheWack0lian
[!exploitable Crash Analyzer](https://msecdbg.codeplex.com/)
* !exploitable (pronounced “bang exploitable”) is a Windows debugging extension (Windbg) that provides automated crash analysis and security risk assessment. The tool first creates hashes to determine the uniqueness of a crash and then assigns an exploitability rating to the crash: Exploitable, Probably Exploitable, Probably Not Exploitable, or Unknown. There is more detailed information about the tool in the following .pptx file or at http://www.microsoft.com/security/msec. Additonally, see the blog post at http://blogs.technet.com/srd/archive/2009/04/08/the-history-of-the-exploitable-crash-analyzer.aspx, or watch the video at http://channel9.msdn.com/posts/PDCNews/Bang-Exploitable-Security-Analyzer/.
[It All Swings Around - Malicious Macros](http://sketchymoose.blogspot.com/2015/02/it-all-swings-round-malicious-macros.html)
* Writeup and explanation of random Macro exploits
[ClockLockingBeats](https://github.com/monk-dot/ClockLockingBeats)
* Repo for the DARPA CFT / Clock Locking Beats project. Exploring Android kernel and processor interactions to hide running threads
[Handler Diaries - Another Hunting Post(DFIR)](http://blog.handlerdiaries.com/?p=775)
* Good post on not only knowing the layout, but knowing expected behaviours.
[IOC Bucket](https://www.iocbucket.com/)
* IOC sharing platform
####Hacking Exposed - Automating DFIR Series
[Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
[Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[exrs - Binary Exploitation/Reverse Engineering Challenge training](https://github.com/wapiflapi/exrs)
* Exercises for learning Reverse Engineering and Exploitation. All binaries for these challenges are ELF 64-bit LSB executable, x86-64.
[rp++](https://github.com/0vercl0k/rp)
* rp++ is a full-cpp written tool that aims to find ROP sequences in PE/Elf/Mach-O (doesn't support the FAT binaries) x86/x64 binaries. It is open-source, documented with Doxygen (well, I'm trying to..) and has been tested on several OS: Debian / Windows 7 / FreeBSD / Mac OSX Lion (10.7.3). Moreover, it is x64 compatible. I almost forgot, it handles both Intel and AT&T syntax (beloved BeaEngine). By the way, the tool is a standalone executable ; I will upload static-compiled binaries for each OS.
[OptiROP: The art of hunting ROP gadgets](https://media.blackhat.com/us-13/US-13-Quynh-OptiROP-Hunting-for-ROP-Gadgets-in-Style-WP.pdf)
* [Video](https://www.youtube.com/watch?v=_3uBybBpq48)
* This research attempts to solve the problem by introducing a tool named OptiROP that lets exploitation writers search for ROP gadgets with semantic queries. Combining sophisticated techniques such as code normalization, code optimization, code slicing, SMT solver and some creative heuristic searching methods, OptiROP is able to discover desired gadgets very quickly, with much less efforts. Our tool also provides the detail semantic meaning of each gadget found, so users can easily decide how to chain their gadgets for the final shellcode.
[ 64-bit Linux Return-Oriented Programming - Standford](https://crypto.stanford.edu/~blynn/rop/)
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[Open Source Windows x86/x64 Debugger](http://x64dbg.com/)
[Too LeJIT to Quit: Extending JIT Spraying to ARM](www.internetsociety.org/sites/default/files/09_3_2.pdf)
[Project HeapBleed](http://census-labs.com/news/2014/11/27/project-heapbleed/)
* CENSUS researcher Patroklos Argyroudis has recently presented a talk on heap exploitation abstraction at two conferences, namely ZeroNights 2014 (Moscow, Russia) and BalCCon 2014 (Novi Sad, Serbia). In the talk titled “Project Heapbleed”, Patroklos has collected the experience of exploiting allocators in various different target applications and platforms. He focused on practical, reusable heap attack primitives that aim to reduce the exploit development time and effort.
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
[Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[15 Ways to bypass Powershell execution-policy settings](https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/)
* Does what it says on the tin. Overall, its clear that execution-policy was not meant as a security method. Or if it was, someone was drinking a bit too much.
[A Brief History of Exploit Techniques and Mitigations on Windows](http://www.hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf)
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
[Bypassing Windows Hardware-enforced Data Execution Prevention
Oct 2, 2005](http://www.uninformed.org/?v=2&a=4&t=txt)
[Walking Heap using Pydbg](http://www.debasish.in/2015/02/walking-heap-using-pydbg.html)
* This is the simplest implementation of HeapWalk() API based on pydbg. Heap walk API enumerates the memory blocks in the specified heap. If you are not very familiar with HeapWalk() API this page has a very good example in C++.
[android-cluster-toolkit](https://github.com/jduck/android-cluster-toolkit)
* The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.
[Bypassing ASLR + DEP Whitepaper](http://www.exploit-db.com/wp-content/themes/exploit/docs/17914.pdf)/
* This article is about information leaks in form of memory disclosures created in Internet Explorer 10 32-bit on Windows 7 64-bit. They are used to bypass full ASLR/DEP to gain remote code execution. While the software containing the bug might not be that popular, it’s quite nice what can be done with the bug.
[Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
[Exploit Writeup on Flash vuln explaining use of ASLR + DEP bypass](
http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Slides-v2.pdf)
[The Ultimate Anti-Debugging Reference(2011)](http://pferrie.host22.com/papers/antidebug.pdf)
* Good reference, though old.
[Windows Anti-Debug Reference](http://www.symantec.com/connect/articles/windows-anti-debug-reference)
* Good, but also old, Nov2010
[Pattern-Create/offset as a python function](https://github.com/jbertman/pattern_create)
* Metasploit pattern generator in Python, modified to be used as a function
[Exploit Mitigation Killchain](http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.pdf)
[Introduction to ROP programming]http://codearcana.com/posts/2013/05/28/introduction-to-return-oriented-programming-rop.html)
[Gentle introduction to ROP programming](http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/)
[Generate MS Office Macro Malware Script](https://github.com/enigma0x3/Generate-Macro/blob/master/Generate-Macro.ps1)
* Standalone Powershell script that will generate a malicious Microsoft Office document with a specified payload and persistence method
[Pool Blade: A new approach for kernel pool exploitation](https://zdresearch.com/pool-blade-a-new-approach-for-kernel-pool-exploitation/)
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
[Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques](http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf)
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
[Smashing the Browser](https://github.com/demi6od/Smashing_The_Browser)
* Smashing The Browser: From Vulnerability Discovery To Exploit
* Writeup: going from fuzzing to an IE11 0day exploit development
Finding and analyzing Crash dumps:
http://blogs.msdn.com/b/pfedev/archive/2008/09/26/all-the-ways-to-capture-a-dump.aspx
http://blogs.technet.com/b/askperf/archive/2007/05/29/basic-debugging-of-an-application-crash.aspx
http://msdn.microsoft.com/en-us/library/windows/desktop/bb787181%28v=vs.85%29.aspx
binwally
https://github.com/bmaia/binwally
Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)
http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html
http://www.securiteam.com/tools/5LP0C1PEUY.html
Findjmp2 is a modified version of Findjmp from eEye.com to find jmp, call, push in a loaded DLL. This version includes search for pop/pop/ret set of instructions that is useful to bypass Windows XP SP2 and Windows 2003 stack protection mechanism.
https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf
Abstract
We present new techniques that allow a return-into-libc attack to be mounted on
x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the
properties of the x86 instruction set.
https://github.com/trustedsec/meterssh
MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection.
[Equip: python bytecode instrumentation](https://github.com/neuroo/equip)
* equip is a small library that helps with Python bytecode instrumentation. Its API is designed to be small and flexible to enable a wide range of possible instrumentations.
The instrumentation is designed around the injection of bytecode inside the bytecode of the program to be instrumented. However, the developer does not need to know anything about the Python bytecode since the injected code is Python source.
##AV Evasion Techniques
[Bypass AV through several basic/effective techniques](http://packetstorm.foofus.com/papers/virus/BypassAVDynamics.pdf)
[AV Evasion; One Packer to Rule them all - Empirical identification comparison and circumvention of current AV detection techniques](http://www.arneswinnen.net/wp-content/uploads/2014/08/WP-us-14-Mesbahi-Swinnen-One-packer-to-rule-them-all-Empirical-identification-comparison-and-circumvention-of-current-Antivirus-detection-techniques.pdf)
Following articles are from Phrack:
Defeating Sniffers and Intrustion Detection Systems - Horizon, 12/25/1998
Armouring the ELF: Binary Encryption on the UNIX Platform - grugq, scut, 12/28/2001
Runtime Process Infection - anonymous, 07/28/2002
Polymorphic Shellcode Engine Using Spectrum Analysis - theo detristan et al, 08/13/2003
Next-generation Runtime Binary Encryption using On-demand Function Extraction - Zeljko Vrba, 08/01/2005
Stealth Hooking: Another Way to Subvert the Windows Kernel - mxatone, ivanlef0u, 04/11/2008
Mystifying the Debugger for Ultimate Stealthness - halfdead, 04/11/2008
Binary Mangling with Radare - pancake, 06/11/2009
##Finding Vulnerabilities
[Winmerge](http://winmerge.org/)
* WinMerge is an Open Source differencing and merging tool for Windows. WinMerge can compare both folders and files, presenting differences in a visual text format that is easy to understand and handle.
###High Level Searching
####Searching Github for vulnerable code/credentials
- [Blogpost](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html)
- [Code - Automated Tool](https://github.com/convisoappsec/research_github_hack/blob/master/github_hack.pl)
- [Cheatsheet](https://github.com/search#search_cheatsheet_pane)
- [Actual Search Page](https://github.com/search)
##Rootkits
[Advanced Bootkit Techniques on Android](http://www.syscan360.org/slides/2014_EN_AdvancedBootkitTechniquesOnAndroid_ChenZhangqiShendi.pdf)
[Using Kernel Rootkits to conceal infected MBR](http://www.malwaretech.com/2015/01/using-kernel-rootkits-to-conceal.html)
* [Code](https://github.com/MalwareTech/FakeMBR/)
[From Kernel to VM](https://www.youtube.com/watch?v=FSw8Ff1SFLM)
* Description from stormeh on reddit(https://www.reddit.com/r/rootkit/comments/25hsc4/jacob_i_torrey_from_kernel_to_vmm/): Although it's not directly a lecture about rootkit development, the topics discussed are very much of interest: hardware virtualization, page table and TLB manipulation, hypervisors and privilege levels below ring 0, etc. The speaker does also go on to mention how prior rootkits such as Blue Pill and Shadow Walker leveraged these features, as well as defensive technologies such as PaX.
* [Slides](http://jacobtorrey.com/VMMLecture.pdf)
* [Hypervisor code](https://github.com/ainfosec/more)
[MoRE Shadow Walker: The Progression Of TLB Splitting On x86](https://www.blackhat.com/docs/us-14/materials/us-14-Torrey-MoRE-Shadow-Walker-The-Progression-Of-TLB-Splitting-On-x86-WP.pdf)
[Raising The Bar For Windows Rootkit Detection - Phrack](http://www.phrack.org/issues/63/8.html)
[Linux ASLR integer overflow: Reducing stack entropy by four](http://hmarco.org/bugs/linux-ASLR-integer-overflow.html)
* A bug in Linux ASLR implementation for versions prior to 3.19-rc3 has been found. The issue is that the stack for processes is not properly randomized on some 64 bit architectures due to an integer overflow. This is a writeup of the bug and how to fix it.
[Measurement of Running Executables](http://vimeo.com/81335517)
* This presentation provides a cohesive overview of the work performed by AIS, Inc. on the DARPA CFT MoRE effort. MoRE was a 4-month effort which examined the feasibility of utilizing TLB splitting as a mechanism for periodic measurement of dynamically changing binaries. The effort created a proof-of-concept system to split the TLB for target applications, allowing dynamic applications to be measured and can detect code corruption with low performance overhead.
[TLB Synchronization (Split TLB)](http://uninformed.org/index.cgi?v=6&a=1&p=21)
[Extreme Privelege Escalataion on Windows8 UEFI Systems](https://www.youtube.com/watch?v=UJp_rMwdyyI)
* [Slides](https://www.blackhat.com/docs/us-14/materials/us-14-Kallenberg-Extreme-Privilege-Escalation-On-Windows8-UEFI-Systems.pdf)
* Summary by stormehh from reddit: “In this whitepaper (and accompanying Defcon/Blackhat presentations), the authors demonstrate vulnerabilities in the UEFI "Runtime Service" interface accessible by a privileged userland process on Windows 8. This paper steps through the exploitation process in great detail and demonstrates the ability to obtain code execution in SMM and maintain persistence by means of overwriting SPI flash”
##Packers
[One packer to rule them all: Empirical identification, comparison and circumvention of current Antivirus detection techniques](http://www.arneswinnen.net/wp-content/uploads/2014/08/WP-us-14-Mesbahi-Swinnen-One-packer-to-rule-them-all-Empirical-identification-comparison-and-circumvention-of-current-Antivirus-detection-techniques.pdf)
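Review bot: the DFIR entries in this region (Handler Diaries, IOC Bucket, and the "####Hacking Exposed - Automating DFIR Series" heading with its three libtsk links) are the same lines this commit adds to `Forensics Incident Response/add cull.txt`, so whichever of these files survives the reorganization should hold the only copy; the remaining material here is exploit-development reference and belongs in the new Exploit Development.md, and it needs a markdown pass before it is carried over. `[Introduction to ROP programming]http://codearcana.com/...` is missing the `(` that opens its URL, the `Bypassing Windows Hardware-enforced Data Execution Prevention` and `Exploit Writeup on Flash vuln` links are split across two lines so they will not render, the `Bypassing ASLR + DEP Whitepaper` link carries a stray trailing `/`, and `####Hacking Exposed` needs a space after the hashes. "Exploit Mitigation Killchain", the SEHOP post and the "One packer to rule them all" whitepaper each appear twice in this region; keep one copy each. Spelling: "Writeupn", "Additonally", "Standford", "Privelege Escalataion". The bare-URL runs (Finding and analyzing Crash dumps, binwally, Findjmp2, meterssh, the opensecurityresearch DLL-injection post) would be easier to scan in the `[title](url)` plus `* description` form the rest of the list uses.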

+ 0
- 230
Draft/Draft/Exploit Development/Exploit Development.md View File

@ -1,230 +0,0 @@
Exploit Development
[Funky File Formats - Advanced Binary Exploitation](http://media.ccc.de/browse/congress/2014/31c3_-_5930_-_en_-_saal_6_-_201412291400_-_funky_file_formats_-_ange_albertini.html#video)
For newer:
Smashing the Stack for Fun and Profit
http://insecure.org/stf/smashstack.html
Smashing the Stack for Fun and Profit in 2010
http://www.mgraziano.info/docs/stsi2010.pdf
Understanding Buffer Overflow Exploits
http://proactivedefender.blogspot.com/2013/05/understanding-buffer-overflows.html
For more experienced:
Mechanization of Exploits
https://github.com/REMath/literature_review/blob/master/mechanization_of_exploits.org
And
https://github.com/REMath/literature_review
Exploit Tips and Techniques(ReCon2014 William Peteroy)
https://www.youtube.com/watch?v=FEXnJKXYoLM
Portable Executable Injection For Beginners
http://www.malwaretech.com/2013/11/portable-executable-injection-for.html
http://www.offensive-security.com/vulndev/disarming-and-bypassing-emet-5-1/
Smashing the Browser - From fuzzing to 0day on IE11
https://github.com/demi6od/Smashing_The_Browser
http://www.oldapps.com/
Acquiring VMs of any Windows going back to XP to Windows 10:
https://www.modern.ie/en-us/virtualization-tools#downloads
##From a randomly linked Pastebin (if you made this, thank you so much)
This document is in fieri, and, as such, will be subject to change in the near future.
My intention with this document is for it to be somewhat of a recommended reading list for the aspiring hacker.
I have tried to order the articles by technique and chronology.
- sar
###Buffer overflows:
-----------------
* [How to write buffer overflows, mudge, 1995](http://insecure.org/stf/mudge_buffer_overflow_tutorial.html)
* [Smashing the stack for fun and profit, Aleph One, 1996](http://www.phrack.com/issues.html?issue=49&id=14)
* [The Frame Pointer Overwrite, klog, 1999](http://www.phrack.com/issues.html?issue=55&id=8)
* [win32 buffer overflows, dark spyrit, 1999](http://www.phrack.com/issues.html?issue=55&id=15)
###Return-into-lib / Return oriented programming:
----------------------------------------------
* [Getting around non-executable stack (and fix) (First public description of a return-into-libc exploit), Solar Designer, 1997](http://marc.info/?l=bugtraq&m=87602746719512)
*[More advanced ret-into-lib(c) techniques, Nergal, 2001](http://www.phrack.com/issues.html?issue=58&id=4)
* [On the effectiveness of address-space randomization, , 2004](http://benpfaff.org/papers/asrandom.pdf)
* [Borrowed code chunks exploitation technique, Sebastian Krahmer, 2005](http://www.suse.de/~krahmer/no-nx.pdf)
* [The Geometry of Innocent Flesh on the Bone: Return-into-libc without function calls, Hovav Shacham, 2007](http://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Defeating DEP, the Immunity Debugger way, Pablo Sole,2008](http://www.immunitysec.com/downloads/DEPLIB.pdf)
* [The Case of Return-Oriented Programming and the AVC Advantage, 2009](http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf)
* [Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010](http://www.sourceconference.com/bos10pubs/Dino.pdf)
###Heap exploitation:
------------------
* [w00w00 on heap overflows, Matt Conover, 1999](http://w00w00.org/files/articles/heaptut.txt)
* [Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001](http://www.phrack.com/issues.html?issue=57&id=8)
* [Once upon a free(), anonymous author, 2001\(http://www.phrack.com/issues.html?issue=57&id=9)
* [Advanced Doug Lea's malloc exploits, jp, 2003](http://www.phrack.com/issues.html?issue=61&id=6)
* [Exploiting the wilderness, Phantasmal Phantasmagoria, 2004](http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html)
*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt)
* [Yet another free() exploitation technique, huku, 2009](http://www.phrack.com/issues.html?issue=66&id=6)
###Format string exploitation:
---------------------------
* [Exploiting format string vulnerabilities, scut / Team-TESO, 2001](http://crypto.stanford.edu/cs155old/cs155-spring08/papers/formatstring-1.2.pdf)
*[Advances in format string exploitation, gera, 2002](http://www.phrack.com/issues.html?issue=59&id=7)
* [An alternative method in format string exploitation, K-sPecial, 2006](http://www.milw0rm.com/papers/103)
###Integer overflows:
--------------
* [Big Loop Integer Protection, Oded Horovitz, 2002](http://www.phrack.com/issues.html?issue=60&id=9)
* [Basic Integer Overflows, blexim, 2002](http://www.phrack.com/issues.html?issue=60&id=10)
###Null-ptr dereference:
---------------------
* [Large memory management vulnerabilities, Gael Delalleau, 2005](http://cansecwest.com/core05/memory_vulns_delalleau.pdf)
* [Exploiting the Otherwise Non-exploitable on Windows, skape, 2006](http://www.uninformed.org/?v=4&a=5&t=pdf)
* [Vector rewrite attack, Barnaby Jack, 2007](http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf)
* [Application-Specific Attacks: Leveraging the ActionScript Virtual Machine, Mark Dowd, 2008](http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf)
###JIT-spray:
----------
* [Pointer inference and JIT-Spraying, Dion Blazakis, 2010](http://www.semantiscope.com/research/BHDC2010/BHDC-2010-Paper.pdf)
* [Writing JIT shellcode for fun and profit, Alexey Sintsov, 2010](http://dsecrg.com/files/pub/pdf/Writing%20JIT-Spray%20Shellcode%20for%20fun%20and%20profit.pdf)
Other:
------
* [Overwriting the .dtors section, Juan M. Bello Rivas, 2000](http://seclists.org/bugtraq/2000/Dec/175)
* [Abusing .CTORS and .DTORS for fun 'n profit, Izik, 2006](http://vxheavens.com/lib/viz00.html)
Unorganized:
------------
http://blog.zynamics.com/2010/03/12/a-gentle-introduction-to-return-oriented-programming/
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf exploit null ptr dereference
http://www.phrack.com/issues.html?issue=57&id=18 writing ia32 alphanumeric shellcode
http://documents.iss.net/whitepapers/IBM_X-Force_WP_final.pdf
http://www.usenix.org/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html Automating mimicry attacks using static binary analysis
http://cansecwest.com/core05/memory_vulns_delalleau.pdf Large memory management vulnerabilities, Gael Delalleau, 2005
http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/
http://www.corelan.be:8800/index.php/category/security/exploit-writing-tutorials/
http://hackitoergosum.org/wp-content/uploads/2010/04/HES10-jvanegue_zero-allocations.pdf
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
http://www.phrack.com/issues.html?issue=64&id=6, Attacking the Core : Kernel Exploiting Notes, 2007
http://lkml.org/lkml/2010/5/27/490
http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
http://blog.ksplice.com/2010/04/exploiting-kernel-null-dereferences/
http://www.ruxcon.org.au/files/2006/unusual_bugs.pdf
•http://eeyeresearch.typepad.com/blog/2006/08/post_ms06035_ma.html
•http://www.phrack.org/phrack/63/p63-0x0e_Shifting_the_Stack_Pointer.txt
•http://seclists.org/vuln-dev/2002/Nov/att-0056/0
•http://www.pine.nl/press/pine-cert-20030101.txt
•http://seclists.org/bugtraq/2000/Jan/0016.html
1.
ASLR:
[Aslr Smack and Laugh Reference](www-users.rwth-aachen.de/Tilo.Mueller/ASLRpaper.pdf)
* [Advanced Buffer Overflow Methods](cs.tau.ac.il/tausec/lectures/Advanced_Buffer_Overflow_Methods.ppt)
* [Smack the Stack](sts.synflood.de/dump/doc/smackthestack.txt)
* [Exploiting the random number generator to bypass ASLR](blackhat.com/presentations/bh-europe-09/Fritsch/Blackhat-Europe-2009-Fritsch-Bypassing-aslr-whitepaper.pdf)
[Wikipedia on ASLR](en.wikipedia.org/wiki/Address_space_layout_randomization)
* [Bypassing Memory Protections: The Future of Exploitation](usenix.org/events/sec09/tech/slides/sotirov.pdf)
* [On the Effectiveness of Address-Space Randomization](stanford.edu/~blp/papers/asrandom.pdf)
* [Exploiting with linux-gate.so.1](milw0rm.com/papers/55)
* [Circumventing the VA kernel patch For Fun and Profit](milw0rm.com/papers/94)
* [Defeating the Matasano C++ Challenge](timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/)
* [Bypassing PaX ASLR protection](phrack.com/issues.html?issue=59&id=9)
* [Thoughts about ASLR, NX Stack and format string attacks](nibbles.tuxfamily.org/?p=1190)
* [Return-into-libc without Function Calls](cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* [Linux ASLR Curiosities. Tavis Ormandy. Julien Tinnes](cr0.org/paper/to-jt-linux-alsr-leak.pdf)
corelan.be:8800/index.php/2009/09/21/exploit-writing-tutorial-part-6-bypassing-stack-cookies-safeseh-hw-dep-and-aslr/
19.
securitytube.net/Exploiting-a-buffer-overflow-under-Linux-kernel-2.6-with-ASLR-through-ret2reg-video.aspx
20.
securitytube.net/Bypassing-the-Linux-Kernel-ASLR-and-Exploiting-a-Buffer-Overflow-Vulnerable-Application-with-ret2esp-video.aspx
21.
securitytube.net/Exploiting-Buffer-Overflows-on-kernels-with-ASLR-enabled-using-Brute-Force-on-the-Stack-Layer-video.aspx
http://ilm.thinkst.com/folklore/index.shtml
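Review bot: the chronologically ordered reading list removed here (mudge 1995 through Dai Zovi 2010, grouped into buffer overflows, ret-into-libc/ROP, heap, format string, integer overflow, null-ptr dereference and JIT-spray) is the most structured material in the old file, and nothing in the visible portion of this commit shows it landing in the new Exploit Development.md; confirm it was migrated rather than dropped, and preserve the grouping and dates when it is. If it is re-added, also fix the entries that were already broken in this file: `*[More advanced ret-into-lib(c) techniques, Nergal, 2001]` and `*[Malloc Maleficarum` lack the space after the bullet, `* [Once upon a free(), anonymous author, 2001\(http://...` has `\(` where `](` belongs, and the ASLR block writes its links without a scheme (`www-users.rwth-aachen.de/...`, `phrack.com/...`, `milw0rm.com/...`), so they render as relative links into the repository. The stray `1.`, `19.`, `20.`, `21.` lines and the `•` bullets are residue from a pasted numbered list and can be dropped.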

+ 0
- 0
Draft/Draft/Exploit Development/Exploit Development.rtf View File


+ 0
- 0
Draft/Draft/Exploit Development/Exploit Development_1.rtf View File


Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.md → Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt View File


+ 0
- 0
Draft/Draft/Exploit Development/MSF Framework Reference.rtf View File


+ 0
- 13
Draft/Draft/Exploit Development/Papers Tutorials Walk Throughs.md View File

@ -1,13 +0,0 @@
Tutorials/Crackmes/Walk-Throughs
[The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86)](https://cseweb.ucsd.edu/~hovav/dist/geometry.pdf)
* We present new techniques that allow a return-into-libc attack to be mounted on
x86 executables that calls no functions at all. Our attack combines a large number of short instruction sequences to build gadgets that allow arbitrary computation. We show how to discover such instruction sequences by means of static analysis. We make use, in an essential way, of the
properties of the x86 instruction set.
From Fuzzing to 0day.
http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/
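Review bot: of the two items deleted here, the "Geometry of Innocent Flesh on the Bone" abstract appears verbatim in the region above this file's header (still carrying the PDF's hard line wraps), but "From Fuzzing to 0day" is also being removed from Writeups.md in this commit, so confirm the techorganic link ends up in the new file rather than disappearing. Whichever copy of the Geometry abstract is kept should be reflowed into a single line.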

+ 0
- 41
Draft/Draft/Exploit Development/Writeups.md View File

@ -1,41 +0,0 @@
Exploit Writeups
[Glibc Adventures: The Forgotten Chunks](http://www.contextis.com/documents/117/Glibc_Adventures-The_Forgotten_Chunks.pdf)
* Exploiting Glibc
[From fuzzing to 0-day](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
[Exploiting CVE-2014-4113 on Win8.1](http://www.jodeit.org/research/Exploiting_CVE-2014-4113_on_Windows_8.1.pdf)
[From 0-day to exploit – Buffer overflow in Belkin N750 (CVE-2014-1635)](https://labs.integrity.pt/articles/from-0-day-to-exploit-buffer-overflow-in-belkin-n750-cve-2014-1635/)
[Exploiting MS14-066](http://www.securitysift.com/exploiting-ms14-066-cve-2014-6321-aka-winshock/)
[Shellshock bug writeup by lcamtuf](http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html)
AVM Fritz!Box root RCE: From Patch to Metasploit Module
Part 1: http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-i
Part 2: http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii
[Linux Kernel < 2.6.36.2 Econet Privilege Escalation Exploit](http://eshunrd.blogspot.com/2011/09/linux-kernel-26362-econet-privilege.html)
[Bypassing All the Things](https://www.exodusintel.com/files/Aaron_Portnoy-Bypassing_All_Of_The_Things.pdf)
* Handholding through Vuln Discovery and Exploitation
[Coding Malware for Fun and Not for Profit (Because that would be illegal)](http://www.malwaretech.com/2014/04/coding-malware-for-fun-and-not-for.html)
[OneRNG](http://moonbaseotago.com/onerng/theory.html)
[Exploiting “BadIRET” vulnerability - CVE-2014-9322, Linux kernel privilege escalation](http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerability-cve-2014-9322-linux-kernel-privilege-escalation/)
[Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution](https://barrebas.github.io/blog/2015/02/22/maximum-overkill-two-from-format-string-vulnerability-to-remote-code-execution/)
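Review bot: the writeups deleted here (Glibc Forgotten Chunks, CVE-2014-4113, Belkin N750, MS14-066, Shellshock, the Fritz!Box series, Econet, Bypassing All the Things, BadIRET, Maximum Overkill Two) do not reappear in the visible portions of this commit; confirm they were moved into the new Exploit Development.md rather than dropped. When moving them, give the Fritz!Box "Part 1:"/"Part 2:" bare URLs the `[title](url)` form the rest of the list uses, and note that the "OneRNG" theory page describes a hardware random-number generator rather than an exploit, so it belongs with the cryptography or hardware material instead of in a writeups list.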

+ 33
- 0
Draft/Draft/Forensics Incident Response/add cull.txt View File

@ -7,12 +7,36 @@
* NSA 70-page writeup on windows event log monitoring
[Forensics on Amazon’s EC2](https://sysforensics.org/2014/10/forensics-in-the-amazon-cloud-ec2.html)
[Did it Execute? - Mandiant](https://www.mandiant.com/blog/execute/)
* You found a malicious executable! Now you’ve got a crucial question to answer: did the file execute? We’ll discuss a few sources of evidence you can use to answer this question. In this post, we will focus on static or “dead drive” forensics on Windows systems. We will cover four main sources of evidence: Windows Prefetch, Registry, Log Files, and File Information.
[Handler Diaries - Another Hunting Post(DFIR)](http://blog.handlerdiaries.com/?p=775)
* Good post on not only knowing the layout, but knowing expected behaviours.
[DPAPIck](http://dpapick.com/)
* This is a forensic tool to deal, in an offline way, with Microsoft Windows® protected data, using the DPAPI (Data Protection API).
####Hacking Exposed - Automating DFIR Series
[Automating DFIR - How to series on programming libtsk with python Part 1 - ](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on.html)
[Automating DFIR - How to series on programming libtsk with python Part 2](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_19.html)
[Automating DFIR - How to series on programming libtsk with python Part 3](http://hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[Know your Windows Processes or Die Trying](https://sysforensics.org/2014/01/know-your-windows-processes.html)
* Excellent quick reference on Windows proccesses with a focus on Win7. Good resource.
[IOC Bucket](https://www.iocbucket.com/)