Exported to txt and then markdown

7 years ago · 3bfc8a3a6a
--- a/Draft/Draft/Anonymity.md
+++ b/Draft/Draft/Anonymity.md
@ -0,0 +1,108 @@
 ##Anonymity



 This page is not high on my list of things to be done honestly.


 'I've Got Nothing to Hide' and Other Misunderstandings of Privacy
 http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565& 




 ###Talks
 Because Jail is for WUFTPD - Legendary talk, a must watch.
 https://www.youtube.com/watch?v=9XaYdCdwiWU
 His blog: http://grugq.tumblr.com/





 ###Tools



 [MAT: Metadata Anonymisation Toolkit](https://mat.boum.org/)
 * MAT is a toolbox composed of a GUI application, a CLI application and a library.





 [Rdis](https://github.com/endeav0r/rdis)
 * Rdis is a Binary Analysis Tool for Linux.



 ###Articles


 #####[De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)

 #####[Anonymous’s Guide to OpSec](http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf)

 #####[Cat Videos and the Death of Clear Text](https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/)










 https://github.com/jlund/streisand







 https://github.com/chris-barry/darkweb-everywhere/releases

 http://norvig.com/mayzner.html




 http://whoer.net/extended




































--- a/Draft/Draft/AppSec.md
+++ b/Draft/Draft/AppSec.md
@ -0,0 +1,24 @@







 [Bindead - static binary binary analysis tool](https://bitbucket.org/mihaila/bindead/wiki/Home)
 * Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation. 



 [Applied Appsec](http://www.thotcon.org/archive/0x2presos/10-AppliedApplicationSecurity.pdf)






 [Statically Linked Library Detector](https://github.com/arvinddoraiswamy/slid)


 [BitBlaze](http://bitblaze.cs.berkeley.edu/)
 * The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation. 
--- a/Draft/Draft/Attacking
+++ b/Draft/Draft/Attacking
@ -0,0 +1,442 @@
 Attacking Android Devices




 #CULL

 ####[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
 [APKinpsector](https://github.com/honeynet/apkinspector/)
 * APKinspector is a powerful GUI tool for analysts to analyze the Android applications. 


 [ Inside the Android Play Service's magic OAuth flow ](http://sbktech.blogspot.com/2014/01/inside-android-play-services-magic.html)
 * Owning google accounts on android devices
 [Manifesto](https://github.com/maldroid/manifesto)
 * PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from http://maldr0id.blogspot.com. It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file.

 [Android Hooker](https://github.com/AndroidHooker/hooker)
 * Hooker is an opensource project for dynamic analyses of Android applications. This project provides various tools and applications that can be use to automaticaly intercept and modify any API calls made by a targeted application.


 [Dexter](http://dexter.dexlabs.org/accounts/login/?next=/dashboard)
 * Dexter is a static android application analysis tool. 

 [android-cluster-toolkit](https://github.com/jduck/android-cluster-toolkit)
 * The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.

 [canhazaxs](https://github.com/jduck/canhazaxs)
 * A tool for enumerating the access to entries in the file system of an Android device. 

 [android-cluster-toolkit](https://github.com/jduck/android-cluster-toolkit)
 * The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.

 [APK Studio - Android Reverse Engineering](https://apkstudio.codeplex.com/)
 * APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.

 [privmap - android](https://github.com/jduck/privmap)
 * A tool for enumerating the effective privileges of processes on an Android device. 






 [List of Android Vulnerabilities](http://androidvulnerabilities.org/all)


 [List of Android Exploits](https://github.com/droidsec/droidsec.github.io/wiki/Vuln-Exploit-List)



 Books
 Android hackers handbook








 [Rundown of Android Packers](http://www.fortiguard.com/uploads/general/Area41Public.pdf)






 Security Analysis

 Santoku Linux


 Android Tamer
 http://androidtamer.com/
 Android Tamer is a one stop tool required to perform any kind of operations on Android devices / applications / network
 VM

 Android Device Testing Framework(DTF)
 From: https://github.com/jakev/dtf/tree/v1.0.3

 The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you'll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.

 drozer
 From their site: 
 drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
 https://github.com/mwrlabs/drozer


 APK Studio - Android Reverse Engineering
 APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
 https://apkstudio.codeplex.com/

 Application Analysis

 Androguard
 From their site:
 Androguard is mainly a tool written in python to play with: 
 Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation), 
 APK (Android application) (.apk), 
 Android's binary xml (.xml), 
 Android Resources (.arsc). 
 Androguard is available for Linux/OSX/Windows (python powered).
 https://code.google.com/p/androguard 

 Droidmap	
 From their site:
 DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when analysis is ended: 
 Hashes for the analyzed package 
 Incoming/outgoing network data 
 File read and write operations 
 Started services and loaded classes through DexClassLoader 
 Information leaks via the network, file and SMS 
 Circumvented permissions 
 Cryptography operations performed using Android API 
 Listing broadcast receivers 
 Sent SMS and phone calls 
 Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages. 
 		https://code.google.com/p/droidbox/
 	

 Links:
 Security enhancements in android through its versions
 	www.androidtamer.com


 Attack Platforms

 drozer
 From their site: 
 drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
 https://github.com/mwrlabs/drozer








 Notes:


 Defeating the bootloader
 (HTC Devices)
 -secuflag - security flag in radio firmware - modify radio

 -gold card - specially formatted MicroSD card that can bypass carrier id check when flashing roms

 -white card - special sim card used to bypass bootsec
     Emulate white card with hardware, combine with gold card to enter diagnostics and clear S-ON


 White card not needd for cdma

 Once S-OFF, can RAM load a custom boot iamge

 Technique wipes most devices, but not all

 Try it yourself: XTC clip


 Forensics boot image

 -Start early in the boot chain before the main system loads
 -Provide ADB root shell over USB
 -Do not mount anything, including cache to prevent any writes
 -Devices with raw NAND flash and wear leveling implemented in software(YAFFS2) can be prevented from overwriting deleted data

 Build boot image

 upload adbd, busybox, nanddump to /sbin
 default.prop (enable root shell, ro.secure=0)
 init.rc (do not mount partitions, just start adb)

 Flash and RAM load

 Samsung
 -Dump partitions using ODIN(maybe. probably not)
 -Flash with ODIN or HEIMDALL
     heimdall flash --recovery recovery.bin
     heimdall flash --kernel zImage
 HTC
 -fastboot boot recovery.img (Ram loading)
 -fastboot flash recovery recovery.img (flash partition)

 Motorola
 -sbf_flash image name.sbf (make sure it only contains recovery)

 JTAG
 -Flasher Box
     -ORT
     -RiffBox
     -Medusa Box
 -Allows you to dump nandflash directly


 Some devices have debug access via serial cables
 -Use a Bus Pirate and MicroUSB breakout board
     -set bus pirate to 115200 bps, 8-N-1
     -Output type is normal, not open drain
     -Plug in device to MicroUSB and you will see it boot the Primitive Boot Loader followed by the Secondary Boot Loader
     -Hold down enter key on terminal while plugging in device to stop SBL from booting and get to the SBL prompt

 Crack Pin/Password
 -Salt - stored in /data/data/com.android.providers.settings/databases/settings.db

     -SELECT * FROM secure WHERE name = 'lockscreen.password_salt'

 -Pin/Password
     -/data/system/password.key
     -Salted SHA1 of password concatenated with salted MD5

 -Calculate the value of the salt in lowercase hex with no padding
 $python -c 'print '%x' % salt_number_here'

 -Copy the last 32 bytes of password.key(MD5 hash in hex), add a colon and then add the salt

 -Crack with software such as oclHashcat

 Android Encryption:
 Implemented differently by manufacturers

 -Encrypted Master key + salt stored in footer
 -footer stored at end of partition or in a footer file on another partition or as a partition itself
 -Image device and locate footer + encrypted user data partition

 -Parse footer
 -Locate Salt/master key
 -Run a password guess through PBKDF2 with salt, use resulting key and IV to decrypt master key to decrypt first sector of encrypted image, if password is correct, plaintext revealed

 -Cracking PINs takes seconds. Passwords are usually short or follow patterns due to being the same as the lock screen password

 Evil maid attack
 -Load app onto system partition, wait for user to boot phone, get remote access to decrypted user data
 -Rootkits - compile kernel module
 -Evil usb charger


 Desperate Techniques
 -Hard reset - some devices prior to 3.0 don't wipe data properly
 -Chip-off - de-solder NAND chips
 -Screen Smudges

 More Techniques
 -Custom update.zip - can you get one signed? stock needs sig
 -Race condition on updates via SD cards
 -Own a CA? MITM connetion, push app, update/exploit
 -Entry via Google Play, if credentials cached on desktop
     -Screen Lock bypass - Doesn't work on 4.0 ->

 Santoku Linux
 -Free/open bootable linux distro
 -project is collab with pros
 -Mobile Forensics
 -Mobile App Sec Testing
 -Mobile Malware Analysis






 ##Securing Your Android Device




 [Android (In)Security - Defcamp 2014](https://www.youtube.com/watch?v=2aeV1JXYvuQ&index=23&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
 * Good video on Android Security



 [Android Forensics Class - Free](http://opensecuritytraining.info/AndroidForensics.html)
 * This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications. 


 ###Hardening Guides


 [Android Hardening Guide by the TOR developers](https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy	
 )
 This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently.
 The SIP client we recommend also supports dialing normal telephone numbers if you have a SIP gateway that provides trunking service.
 Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.


 [Android 4.0+ Hardening Guide/Checklist by University of Texas](https://wikis.utexas.edu/display/ISO/Google+Android+Hardening+Checklist)
 	


 ###Applications

 Firewall
 	* [Android Firewall(Requires Root)](https://play.google.com/store/apps/details?id=com.jtschohl.androidfirewall&hl=en)
 		
 Xprivacy - The Ultimate Android Privacy Manager(Requires Root

 	* [Github](https://github.com/M66B/XPrivacy)
 	* [Google Play](https://play.google.com/store/apps/details?id=biz.bokhorst.xprivacy.installer&hl=en)

 Backups
 	Titanium Backup
 		https://play.google.com/store/apps/details?id=com.keramidas.TitaniumBackup
 Personal favorite for making backups. Backups are stored locally or automatically to various cloud services.
 	Helium Backup(Root Not Required)
 		https://play.google.com/store/apps/details?id=com.koushikdutta.backup&hl=en
 		Backs up data locally or to various cloud services. Local client available for backups directly to PC.

 Analyzing the Attack Surface of your device

 Resources



 Encryption
 Check the Encryption section of the overall guide for more information.










 ###Interesting Android Papers

 [Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks](http://www.cs.ucr.edu/~zhiyunq/pub/sec14_android_activity_inference.pdf)
 * Abstract: The security of smartphone GUI frameworks remains an important yet under-scrutinized topic. In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions. Our finding leads to a class of attacks which we name UI state inference attack.

 [List of important whitepapers](https://github.com/droidsec/droidsec.github.io/wiki/Android-Whitepapers)

 [Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications](https://anonymous-proxy servers.net/paper/android-remote-code-execution.pdf)
 	
 [Rage Against the Droid: Hindering Dynamic analysis of android malware](http://www.syssec-project.eu/m/page-media/3/petsas_rage_against_the_virtual_machine.pdf)

 [APKLancet: Tumor Payload Diagnosis and Purification for Android Applications](http://loccs.sjtu.edu.cn/typecho/usr/uploads/2014/04/1396105336.pdf)

 [DroidRay: A Security Evaluation System for CustomizedAndroid Firmwares](http://www.cs.cuhk.hk/~cslui/PUBLICATION/ASIACCS2014DROIDRAY.pdf)


 [VirtualSwindle: An Automated Attack Against In-App Billing on Android](http://seclab.ccs.neu.edu/static/publications/asiaccs14virtualswindle.pdf)


 [Evading Android Runtime Analysis via Sandbox Detection](https://www.andrew.cmu.edu/user/nicolasc/publications/VC-ASIACCS14.pdf)


 [Enter Sandbox: Android Sandbox Comparison](http://www.mostconf.org/2014/papers/s3p1.pdf)

 [Post-Mortem Memory Analysis of Cold-Booted Android Devices](http://www.homac.de/publications/Post-Mortem-Memory-Analysis-of-Cold-Booted-Android-Devices.pdf)

 [Upgrading Your Android, Elevating My Malware:
 Privilege Escalation Through Mobile OS Updating](http://www.informatics.indiana.edu/xw7/papers/privilegescalationthroughandroidupdating.pdf)


 (Exploring Android KitKat Runtime](http://www.haxpo.nl/wp-content/uploads/2014/02/D1T2-State-of-the-Art-Exploring-the-New-Android-KitKat-Runtime.pdf)

 [Analyzing Inter-Application Communication in Android](https://www.eecs.berkeley.edu/~daw/papers/intents-mobisys11.pdf)

 [Automatically Exploiting Potential Component Leaks in Android Applications](http://orbilu.uni.lu/bitstream/10993/16914/1/tr-pcLeaks.pdf)

 [I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis](http://arxiv.org/pdf/1404.7431v1.pdf)

 [Bifocals: Analyzing WebView Vulnerabilities in Android Applications](http://www.eecs.berkeley.edu/~emc/papers/Chin-WISA-WebViews.pdf)

 [Analyzing Android Browser Apps for file:// Vulnerabilities](http://arxiv.org/pdf/1404.4553v3.pdf)


 [FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps](http://sseblog.ec-spride.de/wp-content/uploads/2013/05/pldi14submissionFlowdroid.pdf)

 [Detecting privacy leaks in Android Apps](https://publications.uni.lu/bitstream/10993/16916/1/ESSoS-DS2014-Li.pdf)

 [From Zygote to Morula:
 Fortifying Weakened ASLR on Android](http://www.cc.gatech.edu/~blee303/paper/morula.pdf)

 [Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis](http://www.cs.utexas.edu/~yufeng/papers/fse14.pdf)

 [MAdFraud: Investigating Ad Fraud in Android Applications](http://www.cs.ucdavis.edu/~hchen/paper/mobisys2014.pdf)

 [Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security](http://www2.dcsec.uni-hannover.de/files/android/p50-fahl.pdf)


 [AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction](https://ece.uwaterloo.ca/~lintan/publications/asdroid-icse14.pdf)

 [NativeGuard: Protecting Android Applications from Third-Party Native Libraries](http://www.cse.lehigh.edu/~gtan/paper/nativeguard.pdf)

 [Into the Droid: Gaining Access to Android User Data - DEFCON](https://www.youtube.com/watch?v=MxhIo95VccI&amp;list=PLCDA5DF85AD6B4ABD)

 [Android Packers](http://www.fortiguard.com/uploads/general/Area41Public.pdf)


 [Xprivacy Android](https://github.com/M66B/XPrivacy#description)


 [An Empirical Study of Cryptographic Misuse
 in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)


 Obfuscation in Android malware, and how to fight back
 https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-Android-obfuscation


 ###Educational Material



 OWASP GoatDroid
 From their site: 
 “OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users. 
 The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.”
 https://www.owasp.org/index.php/Projects/OWASP_GoatDroid_Project


 Insecure Bank v2
 Taken from: https://github.com/dineshshetty/Android-InsecureBankv2
 This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code. 
 The list of vulnerabilities that are currently included in this release are: 
 Insecure Logging mechanism
 Vulnerable Activity Components
 Content providers injection
 Weak Broadcast Receiver permissions
 Android Pasteboard vulnerability
 Local Encryption issues
 Android keyboard cache issues
 Insecure Webview implementation
 Insecure SDCard storage
 Insecure HTTP connections
 Weak Authorization mechanism
 Parameter Manipulation
 Weak Cryptography implementation
 Hardcoded secrets
 Username Enumeration issue
 Developer Backdoors
 Weak change password implementation
 Weak Local storage issues
 https://github.com/dineshshetty/Android-InsecureBankv2




--- a/Draft/Draft/Attacking
+++ b/Draft/Draft/Attacking
@ -0,0 +1,158 @@
 iOS

 CULL



 ####Hacking Your Way Up The Mobile Stack
 http://vimeo.com/51270090

 iPwn  Apps
 :
 Pentesting  iOS  Applications
 https://www.sans.org/reading-room/whitepapers/testing/ipwn-apps-pentesting-ios-applications-34577


 [Bypassing SSL Cert Pinning in iOS](http://chargen.matasano.com/chargen/2015/1/6/bypassing-openssl-certificate-pinning-in-ios-apps.html)

 http://project-imas.github.io/

 https://www.owasp.org/index.php/IOS_Application_Security_Testing_Cheat_Sheet 	

 [idb](https://github.com/dmayer/idb)
 * idb is a tool to simplify some common tasks for iOS pentesting and research. Originally there was a command line version of the tool, but it is no longer under development so you should get the GUI version.



 http://matasano.com/research/Introducing_idb_-_Simplified_Blackbox_iOS_App_Pentesting.pdf


 https://github.com/dmayer/idb
 gidb is a tool to simplify some common tasks for iOS pentesting and research. It is still a work in progress but already provides a bunch of (hopefully) useful commands. The goal was to provide all (or most) functionality for both, iDevices and the iOS simulator. For this, a lot is abstracted internally to make it work transparently for both environments. Although recently the focus has been more on supporting devices.
 http://cysec.org/blog/2014/01/23/idb-ios-research-slash-pentesting-tool/

 http://www.pentesteracademy.com/course?id=2
 This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques.









 Attacking iOS





 Vulnerabilities/Exploits
 List of iOS Exploits:
 http://theiphonewiki.com/wiki/Category:Exploits


 Techniques



 Training & Tutorials

 Learning iOS Application Security - 34 part series
 	http://damnvulnerableiosapp.com/#learn

 Damn Vulnerable iOS App
 	iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
 	http://damnvulnerableiosapp.com/2013/12/get-started/

 OWASP iGOAT	
 	From: https://www.owasp.org/index.php/OWASP_iGoat_Project
 	“iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.”
 	https://www.owasp.org/index.php/OWASP_iGoat_Project
 	

 iOS Security Testing Methodologies




 General Research Papers




 Reverse Engineering



 IOS Reverse Engineering toolkit:
 	https://github.com/S3Jensen/iRET
 Summary:
 The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including: 
 binary analysis using otool
 keychain analysis using keychain_dumper
 reading database content using sqlite
 reading log and plist files
 binary decryption using dumpdecrypted
 dumping binary headers using class_dump_z
 creating, editing, installing theos tweaks











 Attacking iOS Devices





 Analyzing Attack Surfaces



 Jailbreaking Pros - Cons



 Info Leakage
 	
 Guide to hardening iOS with the goal of privacy:
 	http://cydia.radare.org/sec/



 Jailbreaking


 IPhoneDevWiki
 From: iphonedevwiki.net/index.php/Main_Page 
 	“Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.” 
 http://iphonedevwiki.net/index.php/Main_Page


 The iPhone Wiki
 From: http://theiphonewiki.com/wiki/Main_Page
 The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices. 




 Maybe>?
 https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet

 Defeating iOS cryptography







--- a/Draft/Draft/Basic
+++ b/Draft/Draft/Basic
@ -0,0 +1,34 @@
 ##Basic Security Principles/Information






 [Types of Authentication](http://www.gfi.com/blog/security-101-authentication-part-2/)


























--- a/Draft/Draft/Building
+++ b/Draft/Draft/Building
@ -0,0 +1,46 @@
 Building a Pentest Lab


 So, I’m biased. That said, two ways to build a lab, local and online. With todays online services, you don’t have to have a powerful server sitting in your house. You can use amazon’s AWS to host VMs and pay only for time used. For some, this may be preferable for the cost/space. Otherwise, if you’re looking for a local solution, Oracle’s Virtualbox and VMWare’s Workstation/Parallels is where its at.

 That being said, skip virtualbox. Get VMware ESXi if you’re cool, and have a spare box laying around, if not, grab VMWare Workstation. It works on linux/win and Parallels for OSX. ESXi is a virtualization platform that runs bare metal. If you have hardware for it, I recommend that. Otherwise, Workstation works wonderfully.

 Acquiring a copy of Virtualbox/Workstation is also easy. Virtualbox is free and Workstation has 30 day trials.

 So, assuming you now have a virtualization platform, whether through a dedicated machine or simply from your lap/desktop, you probably want some machines on it.

 I recommend the following boxes:
 Windows Server 2003
 Windows XP
 Windows Vista
 Windows 7
 Windows 8
 Windows Server 2008
 Windows Server 2012 
 for
 Centos 6.5
 Debian 7
 Ubuntu 14.04

 That gives you a fair amount of variation in environments as well as allowing you to create specific environments you might see. I list the three most common Distros and all windows going back to XP since, Windows is everywhere.
 i
 The Linux distros can be downloaded from their respective sites, and Trials exist for the windows images.

 VMs Designed to be Attacked

 Now, making your own lab filled with software you’ve configured is great and all, but sometimes you want a bit more of a challenge, you don’t want to know what software is running on the machine, you want to go in blind and hack all the things. For this, I recommend:

 Vulnhub.com
 Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.


 List of VMs that are preconfigured virtual machines.
 http://www.amanhardikar.com/mindmaps/PracticeUrls.html

 Guides to setting up a Pen test lab:

 http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/

 https://community.rapid7.com/docs/DOC-2196

 http://www.stan.gr/2013/03/building-pentest-lab.html
--- a/Draft/Draft/Building
+++ b/Draft/Draft/Building
@ -0,0 +1,50 @@
 Building a Lab to practice Exploit writing



 So, this is a thing I found while doing some googling. If you wrote this, I owe you a lot of beer. I redacted the place/username as it was on a less than happy place.
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 This assumes you have an idea of ASM x86 and general exploitation methods.

 Idea with this setup, is that you have a VM of XP SP3 running with the following software and tools installed. You look up the exploits on exploit-db and recreate them. Or you lookup the vulnerabilities and fuzz it yourself knowing where to look.

 
 Start here:
 I'm designing exploit lab based on WinXP SP3. As for now I have following vulnerabilities/apps:

 1. Simple RET - Ability FTP Server (FTP)
 2. Simple RET - FreeFloat FTP (FTP)
 3. Simple RET (harder) - CesarFTP (FTP)
 4. Simple RET - Easy RM to MP3 Converter (.pls)
 5. Simple RET - DL-10 - Need to find copy of
 6. SEH - DVDXPlayer
 7. SEH - Millenium
 8. SEH - Soritong
 9. SEH - mp3nator
 10. SEH - NNM (hard) - Need to find copy of
 11. SEH + UNICODE - ALLPlayer
 12. SEH (difficult) - Winamp

 with following tools installed:

 1. WinDBG + MSEC.dll (!load winext\msec.dll) + byakugan (!load byakugan)
 2. Immunity Debugger + mona.py (!mona)
 3. OllyDBG+Plugins(SSEH+OllySnake+AdvancedOlly+OllyHeapVis+Virtual2Physical)
 4. C:\Windows\system32\findjmp2.exe
 5. Cygwin + perl + gdb + gcc...
 6. Python26 (for IDA) + PyDbg - https://code.google.com/p/pydbgr/wiki/HowToInstall
 6. Python27 (for ImmunityDebugger)+pyDbg
 7. lcc-win
 8. Wireshark
 9. Mantra on Chrome (MoC)
 10. Google-Chrome
 11. Microsoft Visual C++ 2008 Express
 12. Nasm
 13. metasploit
 14. Alpha3 (c:\Alpha3)
 15. IDA
 16. Sysinternals (c:\Windows\System32)
 17. Proxifier Edition
 18. Echo Mirage


--- a/Draft/Draft/CTFs
+++ b/Draft/Draft/CTFs
@ -0,0 +1,129 @@
 #Online Courses and CTFs

 ###Capture The Flag(CTF) events

 #####event lists goes here
 [ctf-time](https://ctftime.org/)






 CULL

 [The Many Maxims of Maximally Effective CTFs](http://captf.com/maxims.html)


 ###CTF Event Write-ups

 #####[CTF Writeups](https://github.com/ctfs/write-ups)[Archive of recent CTFs](http://repo.shell-storm.org/CTF/)

 #####[CTF Writeups](https://github.com/ctfs/write-ups)[Captf](http://captf.com/)

 *  This site is primarily the work of psifertex since he needed a dump site for a variety of CTF material and since many other public sites documenting the art and sport of Hacking Capture the Flag events have come and gone over the years.

 #####[CTF Writeups](https://github.com/ctfs/write-ups)

 ###Wargames


 #####[Ringzer0 team CTF](http://ringzer0team.com/)
 Description: RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills thru hacking challenge. Register and get a flag for every challenges. 

 #####[pwn0 Wargame](https://pwn0.com/)
 * “pwn0 is a network where (almost) anything goes. Just sign up, connect to the VPN, and start hacking. #pwn0 on freenode “

 #####[Microcorruption](https://microcorruption.com/login)
 * Awesome wargame.

 #####[OverTheWire Wargames](http://overthewire.org/wargames/)
 * OverTheWire provides several wargames publicly/freely available. All very good quality. Highly recommended.

 #####[Smash the Stack Wargames](http://smashthestack.org/)
 * Smash the stack hosts several public wargames of very good quality for free use. Highly recommended.

 ###Making/Hosting your own CTF
 #####[CTFd](https://github.com/isislab/CTFd)
 * CTFd is a CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.
 #####[iCTF Framwork](https://github.com/ucsb-seclab/ictf-framework)
 * This is the framework that the UC Santa Barbara Seclab uses to host the iCTF, and that can be used to create your own CTFs at http://ictf.cs.ucsb.edu/framework. The framework creates several VMs: one for the organizers and one for every team. 


 ##Online Training Courses

 ###General Online Courses

 Offensive Computer Security
 http://www.cs.fsu.edu/~redwood/OffensiveComputerSecurity/


 #####[Open Security Training](www.opensecuritytraining.info)
 * Taken from their front page:

 >In the spirit of OpenCourseWare and the Khan Academy, OpenSecurityTraining.info is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.

 >All material is licensed with an open license like CreativeCommons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.

 >We highly encourage people who already know these topic areas to take the provided material and pursue paid and unpaid teaching opportunities.

 >Those who can, teach.

 #####[XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
 * [List without spoilers:](https://github.com/cure53/xss-challenge-wiki/wiki/Older-Challenges-and-Write-Ups)


 ###Vulnerable Virtual Machines

 #####[Vulnhub](Https://www.Vulnhub.com)





 ###Challenge Sites

 Wechall
 * An amazing site. Tracks, lists, scores, various challenge sites. If you’re looking for a challenge or two, and not a wargame, this is the site you want to hit up first.

 #####[XSS Challenge Wiki](https://github.com/cure53/xss-challenge-wiki/wiki)
 * A wiki that contains various xss challenges.

 #####[Halls of Valhalla](http://halls-of-valhalla.org/beta/challenges)

 #####[EnigmaGroup](http://www.enigmagroup.org/)


 #####[Canyouhackit](http://canyouhack.it/)
 * Can You Hack It is a Hacking Challenge site designed to not only allow you to test and improve your skills in a wide variety of categories but to socialise both on the forums and on our IRC channel with other security enthusiasts. 



 #####[Tasteless](http://chall.tasteless.se/)


 #####[Hack This](https://www.hackthis.co.uk/)






 ##One-off Challenges and Puzzles


 #####[Forensics Contest](http://forensicscontest.com/)

 #####[List of themed Hacker challenges](http://counterhack.net/Counter_Hack/Challenges.html)

 #####[Sans Community Forensics Challenges](digital-forensics.sans.org/community/challenges)










--- a/Draft/Draft/Cheat
+++ b/Draft/Draft/Cheat
@ -0,0 +1,76 @@
 Cheat Sheets & Reference Pages


 [Metasploit 4.2 documentation](https://community.rapid7.com/docs/DOC-1751)

 [O-Auth Security Cheat Sheet](http://www.oauthsecurity.com/)

 [File Signature Table](http://www.garykessler.net/library/file_sigs.html)

 [AIX For Pentesters](http://www.giac.org/paper/gpen/6684/aix-penetration-testers/125890)
 * Good paper on exploiting/pentesting AIX based machines. From the paper itself “ The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.”

 [RootVG - Website Dedicated to AIX](http://www.rootvg.net/content/view/102/98/)


 [WinDbg Cheat Sheet/mindmap](http://tylerhalfpop.com/2014/08/16/windbg-cheatsheet/)


 [Pdf of all WinDbg commands](http://windbg.info/download/doc/pdf/WinDbg_cmds.pdf)

 [x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)


 [Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)


 [Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)


 [Android ADB cheat sheet](https://github.com/maldroid/adb_cheatsheet/blob/master/cheatsheet.pdf?raw=true)


 [Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)


 [Arm instruction set](http://simplemachines.it/doc/arm_inst.pdf)


 [File Signature Table](http://www.garykessler.net/library/file_sigs.html)


 [Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md


 [Nmap](https://highon.coffee/docs/nmap/)


 [Linux - Breaking out of shells](https://highon.coffee/docs/linux-commands/#breaking-out-of-limited-shells)


 [x86 Assembly Guide/Reference - Wikibooks](https://en.wikibooks.org/wiki/X86_Assembly)
 * Introduction for those who don’t know ASM and a reference for those that do.











 http://www.amanhardikar.com/mindmaps.html




 http://www.amanhardikar.com/mindmaps/Practice.html


 https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20Meterpreter%20Cheat%20%20Sheet.pdf

 http://aerokid240.blogspot.com/2009/11/msfpayload-goodness-cheatsheet.html

 http://averagesecurityguy.info/cheat-sheet/
--- a/Draft/Draft/Client
+++ b/Draft/Draft/Client
@ -0,0 +1,59 @@
 ##Client-Side Attacks


 I define client-side attacks as any form of attack that requires deliberate action from the victim or end-user.




 Different forms of client side attacks:





 [3 Types of XSS](https://www.owasp.org/index.php/Types_of_Cross-Site_Scripting)
 	* Dom-based
 	* Reflected
 	* Persistent

 [Cross Frame Scripting](https://www.owasp.org/index.php/Cross_Frame_Scripting)
 [Cross Site Request Forgery](https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29)

 
 [Client Side attacks using Powershell](http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html)


 Attacking Browsers

 Need to read Browser hackers handbook


 [White Lightning Attack Platform](https://github.com/TweekFawkes/White_Lightning/tree/master/var/www)

 [BeEF Browser Exploitation Framework](http://beefproject.com/)

 [Technical analysis of client identification mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms) 



 ###Phishing 




 	[The definition from wikipedia](en.wikipedia.org/wiki/Phishing):
 * “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”

 Phishing Techniques:

 [Post exploitation trick - Phish users for creds on domains, from their own box](https://enigma0x3.wordpress.com/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/)



 Phishing Frameworks:

 [Phishing Frenzy](http://www.phishingfrenzy.com/)
 * Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.


--- a/Draft/Draft/Draft/Common
+++ b/Draft/Draft/Draft/Common
--- a/Draft/Draft/Common
+++ b/Draft/Draft/Common
@ -0,0 +1,11 @@
 Curl

 About Curl
 Taken from: http://curl.haxx.se/docs/manpage.html
 Curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction. 
 curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume, Metalink, and more.

 Scripting 



--- a/Refs/Metasploit.txt
+++ b/Refs/Metasploit.txt
@ -0,0 +1,112 @@
 Metasploit Reference


 *The* Guide to Metasploit
 http://www.offensive-security.com/metasploit-unleashed/Main_Page

 Metasploit: Penetration Tester’s Guide Book
 http://www.nostarch.com/metasploit

 http://pentestlab.wordpress.com/2012/03/13/msfconsole-commands-cheat-sheet/

 CMD Cheat Sheet
 http://ultimatepeter.com/how-to-hack-ultimate-metasploit-meterpreter-command-cheat-sheet/

 Meterpreter CMD Reference
 http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics

 Video training series for Metasploit(free)
 http://www.securitytube.net/groups?operation=view&groupId=10


 Using the Metasploit Framework
 https://wiki.archlinux.org/index.php/Metasploit_Framework#Usage


 Metasploit Commands
 ? - help menu
 background - moves the current session to the background
 bgkill - kills a background meterpreter script
 bglist - provides a list of all running background scripts
 bgrun - runs a script as a background thread
 channel - displays active channels
 close - closes a channel
 exit - terminates a meterpreter session
 help - help menu
 interact - interacts with a channel
 irb - go into Ruby scripting mode
 migrate - moves the active process to a designated PID
 quit - terminates the meterpreter session
 read - reads the data from a channel
 run - executes the meterpreter script designated after it
 use - loads a meterpreter extension
 write - writes data to a channel 

 File System Commands
 cat - read and output to stdout the contents of a file
 cd - change directory on the victim
 del - delete a file on the victim
 download - download a file from the victim system to the attacker system
 edit - edit a file with vim
 getlwd - print the local directory
 getwd - print working directory
 lcd - change local directory
 lpwd - print local directory
 ls - list files in current directory
 mkdir - make a directory on the victim system
 pwd - print working directory
 rm - delete a file
 rmdir - remove directory on the victim system
 upload - upload a file from the attacker system to the victim 

 Networking Commands
 ipconfig - displays network interfaces with key information including IP address, etc.
 portfwd - forwards a port on the victim system to a remote service
 route - view or modify the victim routing table 


 System Commands
 clearav - clears the event logs on the victim's computer
 drop_token - drops a stolen token
 execute - executes a command
 getpid - gets the current process ID (PID)
 getprivs - gets as many privileges as possible
 getuid - get the user that the server is running as
 kill - terminate the process designated by the PID
 ps - list running processes
 reboot - reboots the victim computer
 reg - interact with the victim's registry
 rev2self - calls RevertToSelf() on the victim machine
 shell - opens a command shell on the victim machine
 shutdown - shuts down the victim's computer
 steal_token - attempts to steal the token of a specified (PID) process
 sysinfo - gets the details about the victim computer such as OS and name 


 User Interface Commands
 enumdesktops - lists all accessible desktops
 getdesktop - get the current meterpreter desktop
 idletime - checks to see how long since the victim system has been idle
 keyscan_dump - dumps the contents of the software keylogger
 keyscan_start - starts the software keylogger when associated with a process such as Word or browser
 keyscan_stop - stops the software keylogger
 screenshot - grabs a screenshot of the meterpreter desktop
 set_desktop - changes the meterpreter desktop
 uictl - enables control of some of the user interface components 

 Privilege Escalation Commands
 getsystem - uses 15 built-in methods to gain sysadmin privileges














--- a/Draft/Draft/Common
+++ b/Draft/Draft/Common
@ -0,0 +1,62 @@
 Ncat

 Ncat is a piece of software created by the same person who made Nmap, Fyodor, as an upgrade to netcat.








 Ncat command output:(from: http://nmap.org/book/ncat-man-options-summary.html) 
 Ncat 6.46 ( http://nmap.org/ncat )
 Usage: ncat [options] [hostname] [port]

 Options taking a time assume seconds. Append 'ms' for milliseconds,
 's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
  -4                         Use IPv4 only
  -6                         Use IPv6 only
  -U, --unixsock             Use Unix domain sockets only
  -C, --crlf                 Use CRLF for EOL sequence
  -c, --sh-exec <command>    Executes the given command via /bin/sh
  -e, --exec <command>       Executes the given command
      --lua-exec <filename>  Executes the given Lua script
  -g hop1[,hop2,...]         Loose source routing hop points (8 max)
  -G <n>                     Loose source routing hop pointer (4, 8, 12, ...)
  -m, --max-conns <n>        Maximum <n> simultaneous connections
  -h, --help                 Display this help screen
  -d, --delay <time>         Wait between read/writes
  -o, --output <filename>    Dump session data to a file
  -x, --hex-dump <filename>  Dump session data as hex to a file
  -i, --idle-timeout <time>  Idle read/write timeout
  -p, --source-port port     Specify source port to use
  -s, --source addr          Specify source address to use (doesn't affect -l)
  -l, --listen               Bind and listen for incoming connections
  -k, --keep-open            Accept multiple connections in listen mode
  -n, --nodns                Do not resolve hostnames via DNS
  -t, --telnet               Answer Telnet negotiations
  -u, --udp                  Use UDP instead of default TCP
      --sctp                 Use SCTP instead of default TCP
  -v, --verbose              Set verbosity level (can be used several times)
  -w, --wait <time>          Connect timeout
      --append-output        Append rather than clobber specified output files
      --send-only            Only send data, ignoring received; quit on EOF
      --recv-only            Only receive data, never send anything
      --allow                Allow only given hosts to connect to Ncat
      --allowfile            A file of hosts allowed to connect to Ncat
      --deny                 Deny given hosts from connecting to Ncat
      --denyfile             A file of hosts denied from connecting to Ncat
      --broker               Enable Ncat's connection brokering mode
      --chat                 Start a simple Ncat chat server
      --proxy <addr[:port]>  Specify address of host to proxy through
      --proxy-type <type>    Specify proxy type ("http" or "socks4" or "socks5")
      --proxy-auth <auth>    Authenticate with HTTP or SOCKS proxy server
      --ssl                  Connect or listen with SSL
      --ssl-cert             Specify SSL certificate file (PEM) for listening
      --ssl-key              Specify SSL private key (PEM) for listening
      --ssl-verify           Verify trust and domain name of certificates
      --ssl-trustfile        PEM file containing trusted SSL certificates
      --version              Display Ncat's version information and exit

 See the ncat(1) manpage for full options, descriptions and usage examples
--- a/Draft/Draft/Common
+++ b/Draft/Draft/Common
@ -0,0 +1,242 @@
 Nmap

 Man Pages:
 http://nmap.org/book/man.html

 Nmap Scripting Engine
 http://nmap.org/book/nse.html

 Nmap Scripting Engine list of current scripts
 http://nmap.org/nsedoc/index.html

 Nmap Scripting Engine Documentation
 http://nmap.org/book/nse.html




 Common Nmap Comman Examples
 http://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/

 30 Nmap Command Examples
 http://www.cyberciti.biz/networking/nmap-command-examples-tutorials/


 Handy Examples:
 Nmap Basics:

 Scan a single target
 	nmap [IP]

 Scan multiple IPs
 	nmap [IP1,IP2,IP3…]

 Scan a list
 	nmap -iL [list.txt]

 Scan a range of hosts
 	nmap [10.1.1.1-10.1.1.200]

 Scan an entire subnet
 	nmap [IP address/cdir]

 Excluding targets from a scan
 	nmap [IP] –exclude [IP]

 Excluding targets using a list
 	nmap [IPs] –excludefile [list.txt]

 Create a list of hosts scanned
  	nmap -sL [IPs

     Evasion
 Fragment packets
 	nmap -f [IP]

 Specify a specific MTU
 	nmap –mtu [MTU] [IP]

 Append random data
 	nmap –data-length [size] [IP]

 Spoof MAC Address
 	nmap –spoof-mac [MAC|0|vendor] [IP]

 Send bad checksums
 	nmap –badsum [IP]

 Output
 Save output to a text file
 	nmap -oN [scan.txt] [IP]

 Save output to a xml file
 	nmap -oX [scan.xml] [IP]

 Grepable output
 	nmap -oG [scan.txt] [IP]

 Output all supported file types
 	nmap -oA [path/filename] [IP

 Comparing Scan Results
 Comparison using Ndiff 
 	ndiff [scan1.xml] [scan2.xml]

 Ndiff verbose mode
 	ndiff -v [scan1.xml] [scan2.xml]

 XML output mode 
 	ndiff –xml [scan1.xm] [scan2.xml]]

 Nmap Scripting Engine

 Execute individual NSE scripts
 	nmap –script [script.nse] [IP]

 Execute multiple NSE scripts
 	nmap –script [script1.nse,script2.nse…] [IP]

 Execute NSE scripts by category
 	nmap –script [cat] [target]

 Execute multiple NSE script categories
 	nmap –script [auth, default…] [IP]

 NSE Script categories:
 all 
 auth
 default
 discovery
 external
 intrusive
 malware
 safe

 Nmap default commands:
 Usage: nmap [Scan Type(s)] [Options] {target specification}

 TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.

  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file

 HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host

 SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan

 PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>

 SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)

 SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.

 OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively

 TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second

 FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum

 OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --log-errors: Log errors/warnings to the normal-format output file
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output

 MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.

 EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
 SEE THE MAN PAGE (http://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
--- a/Draft/Draft/Common
+++ b/Draft/Draft/Common
@ -0,0 +1,57 @@
 TCPDump:








 SANS TCPDump reference
 https://www.sans.org/security-resources/tcpip.pdf



 Cheat Sheet reference guide
 http://packetlife.net/media/library/12/tcpdump.pdf

 Excellent TCPDump Reference Guide
 http://danielmiessler.com/study/tcpdump/


 Sample commands: 
 	Port Ranges // see traffic to any port in a range
 		tcpdump port range 21-23 
 	
 	Capture all Port 80 Traffic to a File
 		tcpdump -s 1514 port 80 -w capture_file 
 	
 	host // look for traffic based on IP address (also works with hostname if you’re not using -n)

 		tcpdump host 1.2.3.4

 	src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)

 		tcpdump src 2.3.4.5
 		tcpdump dst 3.4.5.6

 	net // capture an entire network using CIDR notation

 		tcpdump net 1.2.3.0/24

 	proto // works for tcp, udp, and icmp

 		tcpdump icmp

 	port // see only traffic to or from a certain port

 		tcpdump port 3389

 	src, dst port // filter based on the source or destination port

 		tcpdump src port 1025 # tcpdump dst port 389

 	src/dst, port, protocol // combine all three

 		tcpdump src port 1025 and tcp
 		tcpdump udp and src port 53 
--- a/Draft/Draft/Common
+++ b/Draft/Draft/Common
@ -0,0 +1,3 @@
 Tools that need cmd refs:


--- a/Draft/Draft/Computer
+++ b/Draft/Draft/Computer
@ -0,0 +1,97 @@
 Computer Hardware Attacks




 [Timeline of Low level software and hardware attack papers - Essentially a list of all well known papers on pc hardware attacks](http://timeglider.com/timeline/5ca2daa6078caaf4)


 Professor’s page:
 http://www.cl.cam.ac.uk/~sps32/

 Grab links for his papers


 [Implementation and Implications of a Stealth Hard-Drive Backdoor](https://www.ibr.cs.tu-bs.de/users/kurmus/papers/acsac13.pdf)
 * Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the rmware of a commercial o-the-shelf hard drive, by resorting only to public information and reverse en- gineering. Using such a compromised rmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compro- mised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to inltrate commands and to ex- ltrate data. In our example, this channel is established over the Internet to an unmodied web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage en- gine, lesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environ- ment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded crim- inals, botnet herders and academic researchers.


 [Attackin the TPM part 2](https://www.youtube.com/watch?v=h-hohCfo4LA)

 [Attacking “secure” chips](https://www.youtube.com/watch?v=w7PT0nrK2BE)

 [Perimeter-Crossing Buses: a New Attack Surface for
 Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
 * Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that e ective and ecient injection of trac into the buses is real and easily a ordable. Further, it presents a simple and inexpen-sive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.



 [Breaking apple touchID cheaply](http://www.ccc.de/en/updates/2013/ccc-breaks-apple-touchid)


 [Keykeriki v2.0](http://www.remote-exploit.org/articles/keykeriki_v2_0__8211_2_4ghz/index.html)
 * Hardware to attack wireless keyboards and other such things


 [Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)
 * Abstract: In this paper we propose an extremely stealthy approach for implement-
 ing hardware Trojans below the gate level, and we evaluate their impact
 on the security of the target device. Instead of adding additional cir-
 cuitry to the target design, we insert our hardware Trojans by changing
 the dopant polarity of existing transistors. Since the modi ed circuit ap-
 pears legitimate on all wiring layers (including all metal and polysilicon),
 our family of Trojans is resistant to most detection techniques, includ-
 ing ne-grain optical inspection and checking against \golden chips".
 We demonstrate the e ectiveness of our approach by inserting Trojans
 into two designs | a digital post-processing derived from Intel's cryp-
 tographically secure RNG design used in the Ivy Bridge processors and
 a side-channel resistant SBox implementation | and by exploring their
 detectability and their e ects on security.



 ###Tools: 
 [Psychson](https://github.com/adamcaudill/Psychson)




 Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB) 



 ###Defending Against Hardware Attacks


 [Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)

 ###USB

 [USB in a Nutshell](http://www.beyondlogic.org/usbnutshell/usb1.shtml)
 * Great explanation of the USB standard in depth

 [Psychson](https://github.com/adamcaudill/Psychson)

 [USB Device Drivers: A Stepping Stone into your Kernel](https://www.youtube.com/watch?v=HQWFHskIY2)
 * [Slides])(www.jodeit.org/research/DeepSec2009_USB_Device_Drivers.pdf)

 [Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation](https://www.usenix.org/system/files/conference/woot14/woot14-vantonder.pdf)
 * Abstract: Increased focus on the Universal Serial Bus (USB) attack surface of devices has recently resulted in a number of new vulnerabilities. Much of this advance has been aided by the advent of hardware-based USB emulation techniques. However, existing tools and methods are far from ideal, requiring a significant investment of time, money, and effort. In this work, we present a USB testing framework that improves significantly over existing methods in providing a cost-effective and flexible way to read and modify USB communication. Amongst other benefits, the framework enables man-in-the-middle fuzz testing between a host and peripheral. We achieve this by performing two-way emulation using inexpensive bespoke USB testing hardware, thereby delivering capa-bilities of a USB analyzer at a tenth of the cost. Mutational fuzzing is applied during live communication between a host and peripheral, yielding new security-relevant bugs. Lastly, we comment on the potential of the framework to improve current exploitation techniques on the USB channel.


 ###SD Cards
 [The Exploration and Exploitation of an SD Memory Card](https://www.youtube.com/watch?v=Tj-zI8Tl218)
 * This talk demonstrates a method for reverse engineering and loading code into the microcontroller within a SD memory card.


 ###RFID




 http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1





--- a/Draft/Draft/Con
+++ b/Draft/Draft/Con
@ -0,0 +1,28 @@
 http://cdn.media.ccc.de/congress/31C3/



 [Archive of security conference videos](http://wipkip.nikhef.nl/events/)


 [Shmoocon 2015 Videos](https://archive.org/details/shmoocon-2015-videos-playlist)




















--- a/Draft/Draft/Counter
+++ b/Draft/Draft/Counter
@ -0,0 +1,50 @@
 Counter Surveillance


 Blogs/Sites

 Detecting Surveillance - Spiderlabs blog
 [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
 [2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
 [3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)


 [A Simple Guide to TSCM Sweeps](http://www.international-intelligence.co.uk/tscm-sweep-guide.html)






 Videos

 [Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
 * Talk on cheap/free counter measures


 [DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
 * Great talk on attacking DNS
 	

 [CounterStrike Lawful Interception](https://www.youtube.com/watch?v=7HXLaRWk1SM)
 * This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
 * [Slides](http://phenoelit.org/stuff/CSLI.pdf)




 Papers

 [Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
 * This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks. 











--- a/Draft/Draft/CryptoCurrencies.md
+++ b/Draft/Draft/CryptoCurrencies.md
@ -0,0 +1,10 @@
 ##CryptoCurrencies

 ######I don’t know.





 [Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
 * We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
--- a/Draft/Draft/Cryptography
+++ b/Draft/Draft/Cryptography
@ -0,0 +1,82 @@
 Cryptography


 [Website detailing various crypto laws around world](http://www.cryptolaw.org/)





 [Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)



 [java-aes-crypto (Android class)](https://github.com/tozny/java-aes-crypto)
 * A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.



 [keyCzar](http://www.keyczar.org/)
 * Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.




 [Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)


 [Widespread Weak Keys in Network Devices](https://factorable.net/)


 http://www.tau.ac.il/~tromer/acoustic/
 Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.


 [Why does cryptographic software fail? A case study and open problems](http://pdos.csail.mit.edu/papers/cryptobugs:apsys14.pdf)
 * Abstract: Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.


 https://crypto.is/blog/

 [Matsano Crypto Challenges](Cryptopals.co)

 [Simple crypto tools](http://rumkin.com/tools/)



 http://ciat.sourceforge.net/
 The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable). 






 [An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)




 Books:
 	Cryptography Engineering
 	Applied Cryptography
 	
 Courses:
 	Coursera Cryptography



 	Matsano Crypto Challenges
 	Go through a series of increasingly difficult challenges while learning all about cryptography.
 	Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
 		http://cryptopals.com/	




 Stenograhpy

 [imagejs](https://github.com/jklmnn/imagejs)
 * imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.