
Exported to txt and then markdown

Robert 7 years ago
324 changed files with 12525 additions and 11088 deletions
  1. +108
  2. +24
  3. +442
  4. +158
  5. +34
      Draft/Draft/Basic Security
  6. +46
      Draft/Draft/Building A Pentest
  7. +50
      Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt
  8. +129
      Draft/Draft/CTFs &
  9. +76
      Draft/Draft/Cheat sheets reference
  10. +59
      Draft/Draft/Client Side
  11. +0
      Draft/Draft/Common CLI CMD Refs.rtf
  12. +11
      Draft/Draft/Common CLI CMD Refs/Curl.txt
  13. +112
      Draft/Draft/Common CLI CMD Refs/Metasploit.txt
  14. +62
      Draft/Draft/Common CLI CMD Refs/Ncat.txt
  15. +242
      Draft/Draft/Common CLI CMD Refs/Nmap.txt
  16. +57
      Draft/Draft/Common CLI CMD Refs/TCPDump.txt
  17. +3
      Draft/Draft/Common CLI CMD Refs/ToDO.txt
  18. +97
      Draft/Draft/Computer Hardware
  19. +28
      Draft/Draft/Con Videos
  20. +50
  21. +10
  22. +82
      Draft/Draft/Cryptography &
  23. +30
      Draft/Draft/Cryptography & Encryption/Linux Systems.txt
  24. +28
      Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt
  25. +48
      Draft/Draft/Cryptography & Encryption/cull.txt
  26. +25
  27. +4
  28. +36
  29. +46
  30. +21
  31. +63
      Draft/Draft/Documentation &
  32. +0
  33. +0
  34. +0
  35. +0
  36. +0
  37. +0
      Draft/Draft/Draft/Basic Security
  38. +0
      Draft/Draft/Draft/Building A Pentest
  39. +0
      Draft/Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.html
  40. +0
      Draft/Draft/Draft/CTFs &
  41. +0
      Draft/Draft/Draft/Cheat sheets reference
  42. +0
      Draft/Draft/Draft/Client Side
  43. +0
      Draft/Draft/Draft/Common CLI CMD Refs/Curl.html
  44. +0
      Draft/Draft/Draft/Common CLI CMD Refs/Ncat.html
  45. +0
      Draft/Draft/Draft/Common CLI CMD Refs/Nmap.html
  46. +0
      Draft/Draft/Draft/Common CLI CMD Refs/TCPDump.html
  47. +0
      Draft/Draft/Draft/Common CLI CMD Refs/ToDO.html
  48. +0
      Draft/Draft/Draft/Computer Hardware
  49. +0
      Draft/Draft/Draft/Con Videos
  50. +0
  51. +0
  52. +0
      Draft/Draft/Draft/Cryptography &
  53. +0
      Draft/Draft/Draft/Cryptography & Encryption/Linux Systems.html
  54. +0
      Draft/Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.html
  55. +0
      Draft/Draft/Draft/Cryptography & Encryption/cull.html
  56. +0
  57. +0
  58. +0
  59. +0
  60. +0
      Draft/Draft/Draft/Documentation &
  61. +0
      Draft/Draft/Draft/Embedded Device
  62. +0
      Draft/Draft/Draft/Exploit Development/Anti-Fuzzing.html
  63. +0
      Draft/Draft/Draft/Exploit Development/Assembly.html
  64. +0
      Draft/Draft/Draft/Exploit Development/Cull.html
  65. +0
      Draft/Draft/Draft/Exploit Development/Exploit Development.html
  66. +0
      Draft/Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.html
  67. +0
      Draft/Draft/Draft/Exploit Development/Papers Tutorials Walk Throughs.html
  68. +0
      Draft/Draft/Draft/Exploit Development/Writeups.html
  69. +0
  70. +0
      Draft/Draft/Draft/Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.html
  71. +0
      Draft/Draft/Draft/Forensics/add cull.html
  72. +0
  73. +0
      Draft/Draft/Draft/Frameworks/Metasploit Reference.html
  74. +0
      Draft/Draft/Draft/Frameworks/Meterpreter Scripts and Description.html
  75. +0
      Draft/Draft/Draft/Frameworks/Post Exploitation with Metasploit.html
  76. +0
  77. +0
  78. +0
      Draft/Draft/Draft/Hardware Hacking Teensy-like
  79. +0
  80. +0
  81. +0
      Draft/Draft/Draft/Interesting Things/Writeup of Gamma Group Hack.html
  82. +0
  83. +0
  84. +0
  85. +0
  86. +0
      Draft/Draft/Draft/Malware/Detect Virtualbox C prog.html
  87. +0
      Draft/Draft/Draft/Network Attacks &
  88. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Getting Busy at the Command Line.html
  89. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Misc Links.html
  90. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Nmap Cheat Sheet.html
  91. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/PTES Methodology.html
  92. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Passive.html
  93. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Scanning.html
  94. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Section To-Do List.html
  95. +0
      Draft/Draft/Draft/Network Reconnaissance&Enumeration/Tools.html
  96. +0
      Draft/Draft/Draft/Network Security
  97. +0
      Draft/Draft/Draft/Open Source
  98. +0
      Draft/Draft/Draft/Open Source Intelligence/Active cull.html
  99. BIN
      Draft/Draft/Draft/Open Source Intelligence_files/n6k1xf4s.png
  100. +0
      Draft/Draft/Draft/Password Bruting and

+ 108
- 0
Draft/Draft/

@ -0,0 +1,108 @@
This page is not high on my list of things to be done honestly.
'I've Got Nothing to Hide' and Other Misunderstandings of Privacy
Because Jail is for WUFTPD - Legendary talk, a must watch.
His blog:
[MAT: Metadata Anonymisation Toolkit](
* MAT is a toolbox composed of a GUI application, a CLI application and a library.
* Rdis is a Binary Analysis Tool for Linux.
#####[De-anonymizing facebook users through CSP](
#####[Anonymous’s Guide to OpSec](
#####[Cat Videos and the Death of Clear Text](
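Review bot: every markdown link in this hunk is left open, for example `[MAT: Metadata Anonymisation Toolkit](` and `#####[Anonymous’s Guide to OpSec](`, with no URL and no closing parenthesis, and `His blog:` has nothing after the colon; given the commit message says this was exported to txt and then markdown, the link targets were most likely lost in the conversion and need to be restored from the original before merging. Two smaller points: `#####[` runs the heading marker straight into the link with no space, which CommonMark renderers will not treat as a heading (the same file uses a bare link on its own line for MAT, so pick one form), and `Rdis is a Binary Analysis Tool for Linux` is a binary-analysis tool sitting in what is otherwise a privacy and anonymity page, so it probably belongs in the next file's list alongside Bindead.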

+ 24
- 0
Draft/Draft/

@ -0,0 +1,24 @@
[Bindead - static binary binary analysis tool](
* Bindead is an analyzer for executable machine code. It features a disassembler that translates machine code bits into an assembler like language (RREIL) that in turn is then analyzed by the static analysis component using abstract interpretation.
[Applied Appsec](
[Statically Linked Library Detector](
* The BitBlaze project aims to design and develop a powerful binary analysis platform and employ the platform in order to (1) analyze and develop novel COTS protection and diagnostic mechanisms and (2) analyze, understand, and develop defenses against malicious code. The BitBlaze project also strives to open new application areas of binary analysis, which provides sound and effective solutions to applications beyond software security and malicious code defense, such as protocol reverse engineering and fingerprint generation.
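Review bot: the BitBlaze paragraph at the end of this hunk has no title or link line above it, unlike `[Bindead - static binary binary analysis tool](` which is followed by its own description, so as written the bullet reads as the description of `Statically Linked Library Detector`; add a `[BitBlaze](` entry line above it. Also `static binary binary analysis tool` doubles the word `binary`, and the link targets are empty here as in the previous file.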

+ 442
- 0
Draft/Draft/Attacking

@ -0,0 +1,442 @@
Attacking Android Devices
####[Hacking Your Way Up The Mobile Stack](
* APKinspector is a powerful GUI tool for analysts to analyze the Android applications.
[ Inside the Android Play Service's magic OAuth flow ](
* Owning google accounts on android devices
* PoC framework for APK obfuscation, used to demonstrate some of the obfuscation examples from It supports plugins (located in processing directory) that can do different obfuscation techniques. Main gist is that you run manifesto on the APK file and it produces an obfuscated APK file.
[Android Hooker](
* Hooker is an opensource project for dynamic analyses of Android applications. This project provides various tools and applications that can be use to automaticaly intercept and modify any API calls made by a targeted application.
* Dexter is a static android application analysis tool.
* The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.
* A tool for enumerating the access to entries in the file system of an Android device.
* The Android Cluster Toolkit helps organize and manipulate a collection of Android devices. It was designed to work with a collection of devices connected to the same host machine, either directly or via one or more tiers of powered USB hubs. The tools within can operate on single devices, a selected subset, or all connected devices at once.
[APK Studio - Android Reverse Engineering](
* APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
[privmap - android](
* A tool for enumerating the effective privileges of processes on an Android device.
[List of Android Vulnerabilities](
[List of Android Exploits](
Android hackers handbook
[Rundown of Android Packers](
Security Analysis
Santoku Linux
Android Tamer
Android Tamer is a one stop tool required to perform any kind of operations on Android devices / applications / network
Android Device Testing Framework(DTF)
The Android Device Testing Framework ("dtf") is a data collection and analysis framework to help individuals answer the question: "Where are the vulnerabilities on this mobile device?" Dtf provides a modular approach and built-in APIs that allows testers to quickly create scripts to interact with their Android devices. The default download of dtf comes with multiple modules that allow testers to obtain information from their Android device, process this information into databases, and then start searching for vulnerabilities (all without requiring root privileges). These modules help you focus on changes made to AOSP components such as applications, frameworks, system services, as well as lower-level components such as binaries, libraries, and device drivers. In addition, you'll be able to analyze new functionality implemented by the OEMs and other parties to find vulnerabilities.
From their site:
drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
APK Studio - Android Reverse Engineering
APK Studio is an IDE for decompiling/editing & then recompiling of android application binaries. Unlike initial release being Windows exclusive & also didn't support frameworks, this one is completely re-written using QT for cross-platform support. You can now have multiple frameworks installed & pick a particular one on a per project basis.
Application Analysis
From their site:
Androguard is mainly a tool written in python to play with:
Dex/Odex (Dalvik virtual machine) (.dex) (disassemble, decompilation),
APK (Android application) (.apk),
Android's binary xml (.xml),
Android Resources (.arsc).
Androguard is available for Linux/OSX/Windows (python powered).
From their site:
DroidBox is developed to offer dynamic analysis of Android applications. The following information is shown in the results, generated when analysis is ended:
Hashes for the analyzed package
Incoming/outgoing network data
File read and write operations
Started services and loaded classes through DexClassLoader
Information leaks via the network, file and SMS
Circumvented permissions
Cryptography operations performed using Android API
Listing broadcast receivers
Sent SMS and phone calls
Additionally, two images are generated visualizing the behavior of the package. One showing the temporal order of the operations and the other one being a treemap that can be used to check similarity between analyzed packages.
Security enhancements in android through its versions
Attack Platforms
From their site:
drozer allows you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps' IPC endpoints and the underlying OS.
Defeating the bootloader
(HTC Devices)
-secuflag - security flag in radio firmware - modify radio
-gold card - specially formatted MicroSD card that can bypass carrier id check when flashing roms
-white card - special sim card used to bypass bootsec
Emulate white card with hardware, combine with gold card to enter diagnostics and clear S-ON
White card not needd for cdma
Once S-OFF, can RAM load a custom boot iamge
Technique wipes most devices, but not all
Try it yourself: XTC clip
Forensics boot image
-Start early in the boot chain before the main system loads
-Provide ADB root shell over USB
-Do not mount anything, including cache to prevent any writes
-Devices with raw NAND flash and wear leveling implemented in software(YAFFS2) can be prevented from overwriting deleted data
Build boot image
upload adbd, busybox, nanddump to /sbin
default.prop (enable root shell,
init.rc (do not mount partitions, just start adb)
Flash and RAM load
-Dump partitions using ODIN(maybe. probably not)
-Flash with ODIN or HEIMDALL
heimdall flash --recovery recovery.bin
heimdall flash --kernel zImage
-fastboot boot recovery.img (Ram loading)
-fastboot flash recovery recovery.img (flash partition)
-sbf_flash image name.sbf (make sure it only contains recovery)
-Flasher Box
-Medusa Box
-Allows you to dump nandflash directly
Some devices have debug access via serial cables
-Use a Bus Pirate and MicroUSB breakout board
-set bus pirate to 115200 bps, 8-N-1
-Output type is normal, not open drain
-Plug in device to MicroUSB and you will see it boot the Primitive Boot Loader followed by the Secondary Boot Loader
-Hold down enter key on terminal while plugging in device to stop SBL from booting and get to the SBL prompt
Crack Pin/Password
-Salt - stored in /data/data/
-SELECT * FROM secure WHERE name = 'lockscreen.password_salt'
-Salted SHA1 of password concatenated with salted MD5
-Calculate the value of the salt in lowercase hex with no padding
$python -c 'print '%x' % salt_number_here'
-Copy the last 32 bytes of password.key(MD5 hash in hex), add a colon and then add the salt
-Crack with software such as oclHashcat
Android Encryption:
Implemented differently by manufacturers
-Encrypted Master key + salt stored in footer
-footer stored at end of partition or in a footer file on another partition or as a partition itself
-Image device and locate footer + encrypted user data partition
-Parse footer
-Locate Salt/master key
-Run a password guess through PBKDF2 with salt, use resulting key and IV to decrypt master key to decrypt first sector of encrypted image, if password is correct, plaintext revealed
-Cracking PINs takes seconds. Passwords are usually short or follow patterns due to being the same as the lock screen password
Evil maid attack
-Load app onto system partition, wait for user to boot phone, get remote access to decrypted user data
-Rootkits - compile kernel module
-Evil usb charger
Desperate Techniques
-Hard reset - some devices prior to 3.0 don't wipe data properly
-Chip-off - de-solder NAND chips
-Screen Smudges
More Techniques
-Custom - can you get one signed? stock needs sig
-Race condition on updates via SD cards
-Own a CA? MITM connetion, push app, update/exploit
-Entry via Google Play, if credentials cached on desktop
-Screen Lock bypass - Doesn't work on 4.0 ->
Santoku Linux
-Free/open bootable linux distro
-project is collab with pros
-Mobile Forensics
-Mobile App Sec Testing
-Mobile Malware Analysis
##Securing Your Android Device
[Android (In)Security - Defcamp 2014](
* Good video on Android Security
[Android Forensics Class - Free](
* This class serves as a foundation for mobile digital forensics, forensics of Android operating systems, and penetration testing of Android applications.
###Hardening Guides
[Android Hardening Guide by the TOR developers](
This blog post describes the installation and configuration of a prototype of a secure, full-featured, Android telecommunications device with full Tor support, individual application firewalling, true cell network baseband isolation, and optional ZRTP encrypted voice and video support. ZRTP does run over UDP which is not yet possible to send over Tor, but we are able to send SIP account login and call setup over Tor independently.
The SIP client we recommend also supports dialing normal telephone numbers if you have a SIP gateway that provides trunking service.
Aside from a handful of binary blobs to manage the device firmware and graphics acceleration, the entire system can be assembled (and recompiled) using only FOSS components. However, as an added bonus, we will describe how to handle the Google Play store as well, to mitigate the two infamous Google Play Backdoors.
[Android 4.0+ Hardening Guide/Checklist by University of Texas](
* [Android Firewall(Requires Root)](
Xprivacy - The Ultimate Android Privacy Manager(Requires Root
* [Github](
* [Google Play](
Titanium Backup
Personal favorite for making backups. Backups are stored locally or automatically to various cloud services.
Helium Backup(Root Not Required)
Backs up data locally or to various cloud services. Local client available for backups directly to PC.
Analyzing the Attack Surface of your device
Check the Encryption section of the overall guide for more information.
###Interesting Android Papers
[Peeking into Your App without Actually Seeing It: UI State Inference and Novel Android Attacks](
* Abstract: The security of smartphone GUI frameworks remains an important yet under-scrutinized topic. In this paper, we report that on the Android system (and likely other OSes), a weaker form of GUI confidentiality can be breached in the form of UI state (not the pixels) by a background app without requiring any permissions. Our finding leads to a class of attacks which we name UI state inference attack.
[List of important whitepapers](
[Execute This! Analyzing Unsafe and Malicious Dynamic Code Loading in Android Applications](https://anonymous-proxy
[Rage Against the Droid: Hindering Dynamic analysis of android malware](
[APKLancet: Tumor Payload Diagnosis and Purification for Android Applications](
[DroidRay: A Security Evaluation System for CustomizedAndroid Firmwares](
[VirtualSwindle: An Automated Attack Against In-App Billing on Android](
[Evading Android Runtime Analysis via Sandbox Detection](
[Enter Sandbox: Android Sandbox Comparison](
[Post-Mortem Memory Analysis of Cold-Booted Android Devices](
[Upgrading Your Android, Elevating My Malware:
Privilege Escalation Through Mobile OS Updating](
(Exploring Android KitKat Runtime](
[Analyzing Inter-Application Communication in Android](
[Automatically Exploiting Potential Component Leaks in Android Applications](
[I know what leaked in your pocket: uncovering privacy leaks on Android Apps with Static Taint Analysis](
[Bifocals: Analyzing WebView Vulnerabilities in Android Applications](
[Analyzing Android Browser Apps for file:// Vulnerabilities](
[FlowDroid: Precise Context, Flow, Field, Object-sensitive and Lifecycle-aware Taint Analysis for Android Apps](
[Detecting privacy leaks in Android Apps](
[From Zygote to Morula:
Fortifying Weakened ASLR on Android](
[Apposcopy: Semantics-Based Detection of Android Malware through Static Analysis](
[MAdFraud: Investigating Ad Fraud in Android Applications](
[Why Eve and Mallory Love Android: An Analysis of Android SSL (In)Security](
[AsDroid: Detecting Stealthy Behaviors in Android Applications by User Interface and Program Behavior Contradiction](
[NativeGuard: Protecting Android Applications from Third-Party Native Libraries](
[Into the Droid: Gaining Access to Android User Data - DEFCON](
[Android Packers](
[Xprivacy Android](
[An Empirical Study of Cryptographic Misuse
in Android Applications](
Obfuscation in Android malware, and how to fight back
###Educational Material
OWASP GoatDroid
From their site:
“OWASP GoatDroid is a fully functional and self-contained training environment for educating developers and testers on Android security. GoatDroid requires minimal dependencies and is ideal for both Android beginners as well as more advanced users.
The project currently includes two applications: FourGoats, a location-based social network, and Herd Financial, a mobile banking application. There are also several feature that greatly simplify usage within a training environment or for absolute beginners who want a good introduction to working with the Android platform.”
Insecure Bank v2
Taken from:
This vulnerable Android application is named "InsecureBankv2" and is made for security enthusiasts and developers to learn the Android insecurities by testing this vulnerable application. Its back-end server component is written in python. The client component i.e. the Android InsecureBank.apk can be downloaded along with the source code.
The list of vulnerabilities that are currently included in this release are:
Insecure Logging mechanism
Vulnerable Activity Components
Content providers injection
Weak Broadcast Receiver permissions
Android Pasteboard vulnerability
Local Encryption issues
Android keyboard cache issues
Insecure Webview implementation
Insecure SDCard storage
Insecure HTTP connections
Weak Authorization mechanism
Parameter Manipulation
Weak Cryptography implementation
Hardcoded secrets
Username Enumeration issue
Developer Backdoors
Weak change password implementation
Weak Local storage issues
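Review bot: three tool entries are duplicated in this hunk and should be collapsed: the Android Cluster Toolkit paragraph (`The Android Cluster Toolkit helps organize and manipulate...`) appears twice two lines apart, APK Studio appears as a link in the tool list and again under `Security Analysis` with the identical paragraph, and the drozer blurb under `From their site:` appears under both `Security Analysis` and `Attack Platforms`. In the `Crack Pin/Password` steps, the one-liner `$python -c 'print '%x' % salt_number_here'` has mismatched single quotes and will not run as written (the inner quotes close the outer ones, so the shell hands python `print %x % salt_number_here`); wrap the format string in double quotes instead, `python -c "print '%x' % salt_number_here"`. The same section says `Copy the last 32 bytes of password.key(MD5 hash in hex)`: an MD5 digest in hex is 32 characters, which is 16 bytes, so this should read `last 32 hex characters`. Smaller items: `(Exploring Android KitKat Runtime](` opens with a parenthesis instead of a bracket, the `Execute This!` link points at an `https://anonymous-proxy` address that is cut off and should be the paper's direct URL, and `needd`, `iamge` and `connetion` are typos.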

+ 158
- 0
Draft/Draft/Attacking

@ -0,0 +1,158 @@
####Hacking Your Way Up The Mobile Stack
iPwn Apps
Pentesting iOS Applications
[Bypassing SSL Cert Pinning in iOS](
* idb is a tool to simplify some common tasks for iOS pentesting and research. Originally there was a command line version of the tool, but it is no longer under development so you should get the GUI version.
gidb is a tool to simplify some common tasks for iOS pentesting and research. It is still a work in progress but already provides a bunch of (hopefully) useful commands. The goal was to provide all (or most) functionality for both, iDevices and the iOS simulator. For this, a lot is abstracted internally to make it work transparently for both environments. Although recently the focus has been more on supporting devices.
This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques.
Attacking iOS
List of iOS Exploits:
Training & Tutorials
Learning iOS Application Security - 34 part series
Damn Vulnerable iOS App
iOS app designed to be vulnerable in specific ways to teach security testing of iOS applications.
“iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.”
iOS Security Testing Methodologies
General Research Papers
Reverse Engineering
IOS Reverse Engineering toolkit:
The iOS Reverse Engineering Toolkit is a toolkit designed to automate many of the common tasks associated with iOS penetration testing. It automates a many common tasks including:
binary analysis using otool
keychain analysis using keychain_dumper
reading database content using sqlite
reading log and plist files
binary decryption using dumpdecrypted
dumping binary headers using class_dump_z
creating, editing, installing theos tweaks
Attacking iOS Devices
Analyzing Attack Surfaces
Jailbreaking Pros - Cons
Info Leakage
Guide to hardening iOS with the goal of privacy:
“Our goal is to share the sum of all human[1] knowledge about jailbroken iOS development. In other words, this is a collection of documentation written by developers to help each other write extensions (tweaks) for jailbroken iOS, and you're invited to learn from it and contribute to it too.”
The iPhone Wiki
The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices.
Defeating iOS cryptography
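Review bot: a number of lines in this hunk are headings with nothing under them or sentences that stop at a colon with the reference missing: `List of iOS Exploits:`, `Guide to hardening iOS with the goal of privacy:`, `iOS Security Testing Methodologies`, `General Research Papers`, `Analyzing Attack Surfaces`, `Jailbreaking Pros - Cons`, `Info Leakage` and `Defeating iOS cryptography` all have no link or body following them, so either the targets were dropped by the export or these are unfinished sections; fill them or mark them TODO before merging. The idb bullet says the command line version `is no longer under development so you should get the GUI version` and is immediately followed by the `gidb is a tool to simplify...` paragraph with no link or heading of its own, so the two should be merged into one entry. The quoted text beginning `Our goal is to share the sum of all human[1] knowledge` carries a `[1]` footnote marker with no footnote, `It automates a many common tasks` should be `automates many common tasks`, and the `####Hacking Your Way Up The Mobile Stack` heading repeats the one at the top of the Android file with no link target, so it is unclear which talk it refers to.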

+ 34
- 0
Draft/Draft/Basic Security

@ -0,0 +1,34 @@
##Basic Security Principles/Information
[Types of Authentication](

+ 46
- 0
Draft/Draft/Building A Pentest

@ -0,0 +1,46 @@
Building a Pentest Lab
So, I’m biased. That said, two ways to build a lab, local and online. With todays online services, you don’t have to have a powerful server sitting in your house. You can use amazon’s AWS to host VMs and pay only for time used. For some, this may be preferable for the cost/space. Otherwise, if you’re looking for a local solution, Oracle’s Virtualbox and VMWare’s Workstation/Parallels is where its at.
That being said, skip virtualbox. Get VMware ESXi if you’re cool, and have a spare box laying around, if not, grab VMWare Workstation. It works on linux/win and Parallels for OSX. ESXi is a virtualization platform that runs bare metal. If you have hardware for it, I recommend that. Otherwise, Workstation works wonderfully.
Acquiring a copy of Virtualbox/Workstation is also easy. Virtualbox is free and Workstation has 30 day trials.
So, assuming you now have a virtualization platform, whether through a dedicated machine or simply from your lap/desktop, you probably want some machines on it.
I recommend the following boxes:
Windows Server 2003
Windows XP
Windows Vista
Windows 7
Windows 8
Windows Server 2008
Windows Server 2012
Centos 6.5
Debian 7
Ubuntu 14.04
That gives you a fair amount of variation in environments as well as allowing you to create specific environments you might see. I list the three most common Distros and all windows going back to XP since, Windows is everywhere.
The Linux distros can be downloaded from their respective sites, and Trials exist for the windows images.
VMs Designed to be Attacked
Now, making your own lab filled with software you’ve configured is great and all, but sometimes you want a bit more of a challenge, you don’t want to know what software is running on the machine, you want to go in blind and hack all the things. For this, I recommend:
Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
List of VMs that are preconfigured virtual machines.
Guides to setting up a Pen test lab:
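Review bot: the virtualization advice in this hunk is inconsistent and partly wrong. The opening paragraph lists `Oracle’s Virtualbox and VMWare’s Workstation/Parallels`, but Parallels is a separate vendor's product, not VMware's (VMware's own OS X product is Fusion), and the next paragraph first says `skip virtualbox` and then `Acquiring a copy of Virtualbox/Workstation is also easy`, so decide whether VirtualBox is recommended and say it once. The closing lines `List of VMs that are preconfigured virtual machines.` and `Guides to setting up a Pen test lab:` have no links under them, and the Vulnhub paragraph names the site without linking it either; these look like the targets lost in the export and should be restored.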

+ 50
- 0
Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt

@ -0,0 +1,50 @@
Building a Lab to practice Exploit writing
So, this is a thing I found while doing some googling. If you wrote this, I owe you a lot of beer. I redacted the place/username as it was on a less than happy place.
This assumes you have an idea of ASM x86 and general exploitation methods.
Idea with this setup, is that you have a VM of XP SP3 running with the following software and tools installed. You look up the exploits on exploit-db and recreate them. Or you lookup the vulnerabilities and fuzz it yourself knowing where to look.
Start here:
I'm designing exploit lab based on WinXP SP3. As for now I have following vulnerabilities/apps:
1. Simple RET - Ability FTP Server (FTP)
2. Simple RET - FreeFloat FTP (FTP)
3. Simple RET (harder) - CesarFTP (FTP)
4. Simple RET - Easy RM to MP3 Converter (.pls)
5. Simple RET - DL-10 - Need to find copy of
6. SEH - DVDXPlayer
7. SEH - Millenium
8. SEH - Soritong
9. SEH - mp3nator
10. SEH - NNM (hard) - Need to find copy of
11. SEH + UNICODE - ALLPlayer
12. SEH (difficult) - Winamp
with following tools installed:
1. WinDBG + MSEC.dll (!load winext\msec.dll) + byakugan (!load byakugan)
2. Immunity Debugger + (!mona)
3. OllyDBG+Plugins(SSEH+OllySnake+AdvancedOlly+OllyHeapVis+Virtual2Physical)
4. C:\Windows\system32\findjmp2.exe
5. Cygwin + perl + gdb + gcc...
6. Python26 (for IDA) + PyDbg -
6. Python27 (for ImmunityDebugger)+pyDbg
7. lcc-win
8. Wireshark
9. Mantra on Chrome (MoC)
10. Google-Chrome
11. Microsoft Visual C++ 2008 Express
12. Nasm
13. metasploit
14. Alpha3 (c:\Alpha3)
15. IDA
16. Sysinternals (c:\Windows\System32)
17. Proxifier Edition
18. Echo Mirage
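Review bot: the tools list numbers two items `6.` (`Python26 (for IDA) + PyDbg -` and `Python27 (for ImmunityDebugger)+pyDbg`), so the list ends at 18 with nineteen entries; renumber it. Several items end mid sentence and read like notes cut off in the export: `5. Simple RET - DL-10 - Need to find copy of`, `10. SEH - NNM (hard) - Need to find copy of`, `Python26 (for IDA) + PyDbg -` and `17. Proxifier Edition`; either complete them or mark them TODO so readers do not go hunting for a download the author could not locate either. Since the page says the lab is `based on WinXP SP3` and the exploit targets are taken from exploit-db, a line naming the exploit-db entry (or at least the software version) next to each of the twelve targets would make the list reproducible, because `Winamp` or `ALLPlayer` on their own do not identify a vulnerable build.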

+ 129
- 0
Draft/Draft/CTFs &

@ -0,0 +1,129 @@
#Online Courses and CTFs
###Capture The Flag(CTF) events
#####event lists goes here
[The Many Maxims of Maximally Effective CTFs](
###CTF Event Write-ups
#####[CTF Writeups]([Archive of recent CTFs](
#####[CTF Writeups]([Captf](
* This site is primarily the work of psifertex since he needed a dump site for a variety of CTF material and since many other public sites documenting the art and sport of Hacking Capture the Flag events have come and gone over the years.
#####[CTF Writeups](
#####[Ringzer0 team CTF](
Description: RingZer0 Team's online CTF offers you tons of challenges designed to test and improve your hacking skills thru hacking challenge. Register and get a flag for every challenges.
#####[pwn0 Wargame](
* “pwn0 is a network where (almost) anything goes. Just sign up, connect to the VPN, and start hacking. #pwn0 on freenode “
* Awesome wargame.
#####[OverTheWire Wargames](
* OverTheWire provides several wargames publicly/freely available. All very good quality. Highly recommended.
#####[Smash the Stack Wargames](
* Smash the stack hosts several public wargames of very good quality for free use. Highly recommended.
###Making/Hosting your own CTF
* CTFd is a CTF in a can. Easily modifiable and has everything you need to run a jeopardy style CTF.
#####[iCTF Framwork](
* This is the framework that the UC Santa Barbara Seclab uses to host the iCTF, and that can be used to create your own CTFs at The framework creates several VMs: one for the organizers and one for every team.
##Online Training Courses
###General Online Courses
Offensive Computer Security
#####[Open Security Training](
* Taken from their front page:
>In the spirit of OpenCourseWare and the Khan Academy, is dedicated to sharing training material for computer security classes, on any topic, that are at least one day long.
>All material is licensed with an open license like CreativeCommons, allowing anyone to use the material however they see fit, so long as they share modified works back to the community.
>We highly encourage people who already know these topic areas to take the provided material and pursue paid and unpaid teaching opportunities.
>Those who can, teach.
#####[XSS Challenge Wiki](
* [List without spoilers:](
###Vulnerable Virtual Machines
###Challenge Sites
* An amazing site. Tracks, lists, scores, various challenge sites. If you’re looking for a challenge or two, and not a wargame, this is the site you want to hit up first.
#####[XSS Challenge Wiki](
* A wiki that contains various xss challenges.
#####[Halls of Valhalla](
* Can You Hack It is a Hacking Challenge site designed to not only allow you to test and improve your skills in a wide variety of categories but to socialise both on the forums and on our IRC channel with other security enthusiasts.
#####[Hack This](
##One-off Challenges and Puzzles
#####[Forensics Contest](
#####[List of themed Hacker challenges](
#####[Sans Community Forensics Challenges](
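Review bot: the two write-up entries `#####[CTF Writeups]([Archive of recent CTFs](` and `#####[CTF Writeups]([Captf](` nest one link inside the text of another, which is not valid markdown and will render as literal brackets; make each a single link, such as `[Archive of recent CTFs](` and `[Captf](`, with any heading text kept on its own line. `XSS Challenge Wiki` appears twice, once under `General Online Courses` with its `List without spoilers` sub-bullet and again under `Challenge Sites`; keep only the second, since it is a challenge site rather than a course, and move the sub-bullet with it. The description under `#####[Halls of Valhalla](` begins `Can You Hack It is a Hacking Challenge site`, so it describes a different site and needs its own heading. The iCTF sentence `can be used to create your own CTFs at The framework creates several VMs` has a URL missing mid sentence, `#####event lists goes here`, `###Vulnerable Virtual Machines` and `Offensive Computer Security` are empty placeholders, and `Framwork` and `thru` are typos.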

+ 76
- 0
Draft/Draft/Cheat sheets reference

@ -0,0 +1,76 @@
Cheat Sheets & Reference Pages
[Metasploit 4.2 documentation](
[O-Auth Security Cheat Sheet](
[File Signature Table](
[AIX For Pentesters](
* Good paper on exploiting/pentesting AIX based machines. From the paper itself “ The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.”
[RootVG - Website Dedicated to AIX](
[WinDbg Cheat Sheet/mindmap](
[Pdf of all WinDbg commands](
[x86 opcode structure and instruction overview](
[Mem forenics cheat sheet](
[Nasm x86 reference](
[Android ADB cheat sheet](
[Windows Startup Application Database](
[Arm instruction set](
[File Signature Table](
[Radare2 Cheat-Sheet](
[Linux - Breaking out of shells](
[x86 Assembly Guide/Reference - Wikibooks](
* Introduction for those who don’t know ASM and a reference for those that do.
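Review bot: `[File Signature Table](` is listed twice in this hunk, once after `O-Auth Security Cheat Sheet` and again after `Arm instruction set`; drop one. `Mem forenics` should be `Mem forensics` and `O-Auth` is normally written `OAuth`. As in the other files, every link target is empty, so until the URLs are restored the page is a list of titles rather than a reference.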

+ 59
- 0
Draft/Draft/Client Side

@ -0,0 +1,59 @@
##Client-Side Attacks
I define client-side attacks as any form of attack that requires deliberate action from the victim or end-user.
Different forms of client side attacks:
[3 Types of XSS](
* Dom-based
* Reflected
* Persistent
[Cross Frame Scripting](
[Cross Site Request Forgery](
[Client Side attacks using Powershell](
Attacking Browsers
Need to read Browser hackers handbook
[White Lightning Attack Platform](
[BeEF Browser Exploitation Framework](
[Technical analysis of client identification mechanisms](
[The definition from wikipedia](
* “Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication.”
Phishing Techniques:
[Post exploitation trick - Phish users for creds on domains, from their own box](
Phishing Frameworks:
[Phishing Frenzy](
* Phishing Frenzy is an Open Source Ruby on Rails application that is leveraged by penetration testers to manage email phishing campaigns. The goal of the project is to streamline the phishing process while still providing clients the best realistic phishing campaign possible. This goal is obtainable through campaign management, template reuse, statistical generation, and other features the Frenzy has to offer.
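Review bot: the phishing material in this hunk starts at `[The definition from wikipedia](` with no heading introducing it, so it reads as part of the browser-attack list above; add a `##Phishing` heading before that line, and give `Attacking Browsers`, `Phishing Techniques:` and `Phishing Frameworks:` the same heading style as `##Client-Side Attacks` (with a space after the `#`s). `Need to read Browser hackers handbook` is a personal to-do rather than reference content; move it to the ToDO file or drop it.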

Draft/Draft/Draft/Common CLI CMD Refs.rtf → Draft/Draft/Common CLI CMD Refs.rtf View File

+ 11
- 0
Draft/Draft/Common CLI CMD Refs/Curl.txt View File

@ -0,0 +1,11 @@
About Curl
Taken from:
Curl is a tool to transfer data from or to a server, using one of the supported protocols (DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP). The command is designed to work without user interaction.
curl offers a busload of useful tricks like proxy support, user authentication, FTP upload, HTTP post, SSL connections, cookies, file transfer resume, Metalink, and more.
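Review bot: `Taken from:` has nothing after it, so the two paragraphs (which read as the DESCRIPTION text of the curl(1) man page) are unattributed; add the source. The `About Curl` line should also use the same heading markup as the other files in this commit.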

+ 112
- 0
Draft/Draft/Common CLI CMD Refs/Metasploit.txt View File

@ -0,0 +1,112 @@
Metasploit Reference
*The* Guide to Metasploit
Metasploit: Penetration Tester’s Guide Book
CMD Cheat Sheet
Meterpreter CMD Reference
Video training series for Metasploit(free)
Using the Metasploit Framework
Metasploit Commands
? - help menu
background - moves the current session to the background
bgkill - kills a background meterpreter script
bglist - provides a list of all running background scripts
bgrun - runs a script as a background thread
channel - displays active channels
close - closes a channel
exit - terminates a meterpreter session
help - help menu
interact - interacts with a channel
irb - go into Ruby scripting mode
migrate - moves the active process to a designated PID
quit - terminates the meterpreter session
read - reads the data from a channel
run - executes the meterpreter script designated after it
use - loads a meterpreter extension
write - writes data to a channel
File System Commands
cat - read and output to stdout the contents of a file
cd - change directory on the victim
del - delete a file on the victim
download - download a file from the victim system to the attacker system
edit - edit a file with vim
getlwd - print the local directory
getwd - print working directory
lcd - change local directory
lpwd - print local directory
ls - list files in current directory
mkdir - make a directory on the victim system
pwd - print working directory
rm - delete a file
rmdir - remove directory on the victim system
upload - upload a file from the attacker system to the victim
Networking Commands
ipconfig - displays network interfaces with key information including IP address, etc.
portfwd - forwards a port on the victim system to a remote service
route - view or modify the victim routing table
System Commands
clearav - clears the event logs on the victim's computer
drop_token - drops a stolen token
execute - executes a command
getpid - gets the current process ID (PID)
getprivs - gets as many privileges as possible
getuid - get the user that the server is running as
kill - terminate the process designated by the PID
ps - list running processes
reboot - reboots the victim computer
reg - interact with the victim's registry
rev2self - calls RevertToSelf() on the victim machine
shell - opens a command shell on the victim machine
shutdown - shuts down the victim's computer
steal_token - attempts to steal the token of a specified (PID) process
sysinfo - gets the details about the victim computer such as OS and name
User Interface Commands
enumdesktops - lists all accessible desktops
getdesktop - get the current meterpreter desktop
idletime - checks to see how long since the victim system has been idle
keyscan_dump - dumps the contents of the software keylogger
keyscan_start - starts the software keylogger when associated with a process such as Word or browser
keyscan_stop - stops the software keylogger
screenshot - grabs a screenshot of the meterpreter desktop
set_desktop - changes the meterpreter desktop
uictl - enables control of some of the user interface components
Privilege Escalation Commands
getsystem - uses 15 built-in methods to gain sysadmin privileges
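Review bot: `clearav - clears the event logs on the victim's computer` under `System Commands` is mis-spelled; the Meterpreter command that clears event logs is `clearev`. The first list is headed `Metasploit Commands` but every entry in it (`background`, `channel`, `migrate`, `irb`, ...) is a Meterpreter core command, so retitle it `Meterpreter Commands` to match the `Meterpreter CMD Reference` link above. `getsystem - uses 15 built-in methods to gain sysadmin privileges`: check that count against `getsystem -h` before publishing, since the technique list is short and changes between releases. The six reference lines at the top (`*The* Guide to Metasploit` through `Using the Metasploit Framework`) are bare titles without the `[title](url)` markup the other files use.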

+ 62
- 0
Draft/Draft/Common CLI CMD Refs/Ncat.txt View File

@ -0,0 +1,62 @@
Ncat is a piece of software created by the same person who made Nmap, Fyodor, as an upgrade to netcat.
Ncat command output:(from:
Ncat 6.46 ( )
Usage: ncat [options] [hostname] [port]
Options taking a time assume seconds. Append 'ms' for milliseconds,
's' for seconds, 'm' for minutes, or 'h' for hours (e.g. 500ms).
-4 Use IPv4 only
-6 Use IPv6 only
-U, --unixsock Use Unix domain sockets only
-C, --crlf Use CRLF for EOL sequence
-c, --sh-exec <command> Executes the given command via /bin/sh
-e, --exec <command> Executes the given command
--lua-exec <filename> Executes the given Lua script
-g hop1[,hop2,...] Loose source routing hop points (8 max)
-G <n> Loose source routing hop pointer (4, 8, 12, ...)
-m, --max-conns <n> Maximum <n> simultaneous connections
-h, --help Display this help screen
-d, --delay <time> Wait between read/writes
-o, --output <filename> Dump session data to a file
-x, --hex-dump <filename> Dump session data as hex to a file
-i, --idle-timeout <time> Idle read/write timeout
-p, --source-port port Specify source port to use
-s, --source addr Specify source address to use (doesn't affect -l)
-l, --listen Bind and listen for incoming connections
-k, --keep-open Accept multiple connections in listen mode
-n, --nodns Do not resolve hostnames via DNS
-t, --telnet Answer Telnet negotiations
-u, --udp Use UDP instead of default TCP
--sctp Use SCTP instead of default TCP
-v, --verbose Set verbosity level (can be used several times)
-w, --wait <time> Connect timeout
--append-output Append rather than clobber specified output files
--send-only Only send data, ignoring received; quit on EOF
--recv-only Only receive data, never send anything
--allow Allow only given hosts to connect to Ncat
--allowfile A file of hosts allowed to connect to Ncat
--deny Deny given hosts from connecting to Ncat
--denyfile A file of hosts denied from connecting to Ncat
--broker Enable Ncat's connection brokering mode
--chat Start a simple Ncat chat server
--proxy <addr[:port]> Specify address of host to proxy through
--proxy-type <type> Specify proxy type ("http" or "socks4" or "socks5")
--proxy-auth <auth> Authenticate with HTTP or SOCKS proxy server
--ssl Connect or listen with SSL
--ssl-cert Specify SSL certificate file (PEM) for listening
--ssl-key Specify SSL private key (PEM) for listening
--ssl-verify Verify trust and domain name of certificates
--ssl-trustfile PEM file containing trusted SSL certificates
--version Display Ncat's version information and exit
See the ncat(1) manpage for full options, descriptions and usage examples
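Review bot: `Ncat command output:(from:` ends with an empty source, and `Ncat 6.46 ( )` has empty parentheses where the pasted help output had its URL; fill both in or point at the ncat(1) man page that the last line already mentions. Since this is a verbatim help dump for version 6.46, say so in the intro line so readers know newer releases may add or rename options.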

+ 242
- 0
Draft/Draft/Common CLI CMD Refs/Nmap.txt View File

@ -0,0 +1,242 @@
Man Pages:
Nmap Scripting Engine
Nmap Scripting Engine list of current scripts
Nmap Scripting Engine Documentation
Common Nmap Comman Examples
30 Nmap Command Examples
Handy Examples:
Nmap Basics:
Scan a single target
nmap [IP]
Scan multiple IPs
nmap [IP1,IP2,IP3…]
Scan a list
nmap -iL [list.txt]
Scan a range of hosts
nmap []
Scan an entire subnet
nmap [IP address/cdir]
Excluding targets from a scan
nmap [IP] –exclude [IP]
Excluding targets using a list
nmap [IPs] –excludefile [list.txt]
Create a list of hosts scanned
nmap -sL [IPs
Fragment packets
nmap -f [IP]
Specify a specific MTU
nmap –mtu [MTU] [IP]
Append random data
nmap –data-length [size] [IP]
Spoof MAC Address
nmap –spoof-mac [MAC|0|vendor] [IP]
Send bad checksums
nmap –badsum [IP]
Save output to a text file
nmap -oN [scan.txt] [IP]
Save output to a xml file
nmap -oX [scan.xml] [IP]
Grepable output
nmap -oG [scan.txt] [IP]
Output all supported file types
nmap -oA [path/filename] [IP
Comparing Scan Results
Comparison using Ndiff
ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode
ndiff -v [scan1.xml] [scan2.xml]
XML output mode
ndiff –xml [scan1.xm] [scan2.xml]]
Nmap Scripting Engine
Execute individual NSE scripts
nmap –script [script.nse] [IP]
Execute multiple NSE scripts
nmap –script [script1.nse,script2.nse…] [IP]
Execute NSE scripts by category
nmap –script [cat] [target]
Execute multiple NSE script categories
nmap –script [auth, default…] [IP]
NSE Script categories:
Nmap default commands:
Usage: nmap [Scan Type(s)] [Options] {target specification}
Can pass hostnames, IP addresses, networks, etc.
Ex:,,; 10.0.0-255.1-254
-iL <inputfilename>: Input from list of hosts/networks
-iR <num hosts>: Choose random targets
--exclude <host1[,host2][,host3],...>: Exclude hosts/networks
--excludefile <exclude_file>: Exclude list from file
-sL: List Scan - simply list targets to scan
-sn: Ping Scan - disable port scan
-Pn: Treat all hosts as online -- skip host discovery
-PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
-PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
-PO[protocol list]: IP Protocol Ping
-n/-R: Never do DNS resolution/Always resolve [default: sometimes]
--dns-servers <serv1[,serv2],...>: Specify custom DNS servers
--system-dns: Use OS's DNS resolver
--traceroute: Trace hop path to each host
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
-sU: UDP Scan
-sN/sF/sX: TCP Null, FIN, and Xmas scans
--scanflags <flags>: Customize TCP scan flags
-sI <zombie host[:probeport]>: Idle scan
-sO: IP protocol scan
-b <FTP relay host>: FTP bounce scan
-p <port ranges>: Only scan specified ports
Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
--exclude-ports <port ranges>: Exclude the specified ports from scanning
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--port-ratio <ratio>: Scan ports more common than <ratio>
-sV: Probe open ports to determine service/version info
--version-intensity <level>: Set from 0 (light) to 9 (try all probes)
--version-light: Limit to most likely probes (intensity 2)
--version-all: Try every single probe (intensity 9)
--version-trace: Show detailed version scan activity (for debugging)
-sC: equivalent to --script=default
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-args-file=filename: provide NSE script args in a file
--script-trace: Show all data sent and received
--script-updatedb: Update the script database.
--script-help=<Lua scripts>: Show help about scripts.
<Lua scripts> is a comma-separated list of script-files or
-O: Enable OS detection
--osscan-limit: Limit OS detection to promising targets
--osscan-guess: Guess OS more aggressively
Options which take <time> are in seconds, or append 'ms' (milliseconds),
's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
-T<0-5>: Set timing template (higher is faster)
--min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
probe round trip time.
--max-retries <tries>: Caps number of port scan probe retransmissions.
--host-timeout <time>: Give up on target after this long
--scan-delay/--max-scan-delay <time>: Adjust delay between probes
--min-rate <number>: Send packets no slower than <number> per second
--max-rate <number>: Send packets no faster than <number> per second
-f; --mtu <val>: fragment packets (optionally w/given MTU)
-D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
-S <IP_Address>: Spoof source address
-e <iface>: Use specified interface
-g/--source-port <portnum>: Use given port number
--proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
--data <hex string>: Append a custom payload to sent packets
--data-string <string>: Append a custom ASCII string to sent packets
--data-length <num>: Append random data to sent packets
--ip-options <options>: Send packets with specified ip options
--ttl <val>: Set IP time-to-live field
--spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
--badsum: Send packets with a bogus TCP/UDP/SCTP checksum
-oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
and Grepable format, respectively, to the given filename.
-oA <basename>: Output in the three major formats at once
-v: Increase verbosity level (use -vv or more for greater effect)
-d: Increase debugging level (use -dd or more for greater effect)
--reason: Display the reason a port is in a particular state
--open: Only show open (or possibly open) ports
--packet-trace: Show all packets sent and received
--iflist: Print host interfaces and routes (for debugging)
--log-errors: Log errors/warnings to the normal-format output file
--append-output: Append to rather than clobber specified output files
--resume <filename>: Resume an aborted scan
--stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
--webxml: Reference stylesheet from Nmap.Org for more portable XML
--no-stylesheet: Prevent associating of XSL stylesheet w/XML output
-6: Enable IPv6 scanning
-A: Enable OS detection, version detection, script scanning, and traceroute
--datadir <dirname>: Specify custom Nmap data file location
--send-eth/--send-ip: Send using raw ethernet frames or IP packets
--privileged: Assume that the user is fully privileged
--unprivileged: Assume the user lacks raw socket privileges
-V: Print version number
-h: Print this help summary page.
nmap -v -A
nmap -v -sn
nmap -v -iR 10000 -Pn -p 80
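Review bot: the long-option examples under `Nmap Basics`, `Comparing Scan Results` and `Nmap Scripting Engine` use an en dash where nmap expects two hyphens (`nmap [IP] –exclude [IP]`, `nmap –mtu [MTU] [IP]`, `nmap –script [script.nse] [IP]`, `ndiff –xml ...`); as written they are not parsed as options when pasted into a shell, so replace each `–` with `--`. Other copy errors in the same section: `nmap []` under `Scan a range of hosts` has an empty placeholder; `nmap -sL [IPs` and `nmap -oA [path/filename] [IP` are missing their closing brackets; `ndiff –xml [scan1.xm] [scan2.xml]]` has `.xm` and a doubled bracket; `Common Nmap Comman Examples` should read `Command`; `NSE Script categories:` heads an empty list; and the pasted help text is truncated at `<Lua scripts> is a comma-separated list of script-files or` (the `-O` line follows directly), so the end of that sentence was lost. The three closing examples (`nmap -v -A`, `nmap -v -sn`, `nmap -v -iR 10000 -Pn -p 80`) have also lost their target arguments.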

+ 57
- 0
Draft/Draft/Common CLI CMD Refs/TCPDump.txt View File

@ -0,0 +1,57 @@
SANS TCPDump reference
Cheat Sheet reference guide
Excellent TCPDump Reference Guide
Sample commands:
Port Ranges // see traffic to any port in a range
tcpdump port range 21-23
Capture all Port 80 Traffic to a File
tcpdump -s 1514 port 80 -w capture_file
host // look for traffic based on IP address (also works with hostname if you’re not using -n)
tcpdump host
src, dst // find traffic from only a source or destination (eliminates one side of a host conversation)
tcpdump src
tcpdump dst
net // capture an entire network using CIDR notation
tcpdump net
proto // works for tcp, udp, and icmp
tcpdump icmp
port // see only traffic to or from a certain port
tcpdump port 3389
src, dst port // filter based on the source or destination port
tcpdump src port 1025 # tcpdump dst port 389
src/dst, port, protocol // combine all three
tcpdump src port 1025 and tcp
tcpdump udp and src port 53
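Review bot: `tcpdump port range 21-23` under `Port Ranges` is not valid filter syntax; tcpdump's primitive is the single keyword `portrange`, so this should be `tcpdump portrange 21-23`. `tcpdump src port 1025 # tcpdump dst port 389` puts two commands on one line separated by `#`, which the shell treats as a comment, so the `dst port` example never runs; split it into two lines. The `host`, `src`, `dst` and `net` examples (`tcpdump host`, `tcpdump src`, `tcpdump dst`, `tcpdump net`) have no argument after the primitive and will not run as shown.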

+ 3
- 0
Draft/Draft/Common CLI CMD Refs/ToDO.txt View File

@ -0,0 +1,3 @@
Tools that need cmd refs:

+ 97
- 0
Draft/Draft/Computer Hardware View File

@ -0,0 +1,97 @@
Computer Hardware Attacks
[Timeline of Low level software and hardware attack papers - Essentially a list of all well known papers on pc hardware attacks](
Professor’s page:
Grab links for his papers
[Implementation and Implications of a Stealth Hard-Drive Backdoor](
* Modern workstations and servers implicitly trust hard disks to act as well-behaved block devices. This paper analyzes the catastrophic loss of security that occurs when hard disks are not trustworthy. First, we show that it is possible to compromise the rmware of a commercial o -the-shelf hard drive, by resorting only to public information and reverse en- gineering. Using such a compromised rmware, we present a stealth rootkit that replaces arbitrary blocks from the disk while they are written, providing a data replacement back- door . The measured performance overhead of the compro- mised disk drive is less than 1% compared with a normal, non-malicious disk drive. We then demonstrate that a re- mote attacker can even establish a communication channel with a compromised disk to in ltrate commands and to ex- ltrate data. In our example, this channel is established over the Internet to an unmodi ed web server that relies on the compromised drive for its storage, passing through the original webserver, database server, database storage en- gine, lesystem driver, and block device driver. Additional experiments, performed in an emulated disk-drive environ- ment, could automatically extract sensitive data such as /etc/shadow (or a secret key le) in less than a minute. This paper claims that the diculty of implementing such an at- tack is not limited to the area of government cyber-warfare; rather, it is well within the reach of moderately funded crim- inals, botnet herders and academic researchers.
[Attackin the TPM part 2](
[Attacking “secure” chips](
[Perimeter-Crossing Buses: a New Attack Surface for
Embedded Systems](
* Abstract: This paper maps out the bus-facing attack surface of a modern operating system, and demonstrates that e ective and ecient injection of trac into the buses is real and easily a ordable. Further, it presents a simple and inexpen-sive hardware tool for the job, outlining the architectural and computation-theoretic challenges to creating a defensive OS/driver architecture comparable to that which has been achieved for network stacks.
[Breaking apple touchID cheaply](
[Keykeriki v2.0](
* Hardware to attack wireless keyboards and other such things
[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans
* Abstract: In this paper we propose an extremely stealthy approach for implement-
ing hardware Trojans below the gate level, and we evaluate their impact
on the security of the target device. Instead of adding additional cir-
cuitry to the target design, we insert our hardware Trojans by changing
the dopant polarity of existing transistors. Since the modi ed circuit ap-
pears legitimate on all wiring layers (including all metal and polysilicon),
our family of Trojans is resistant to most detection techniques, includ-
ing ne-grain optical inspection and checking against \golden chips".
We demonstrate the e ectiveness of our approach by inserting Trojans
into two designs | a digital post-processing derived from Intel's cryp-
tographically secure RNG design used in the Ivy Bridge processors and
a side-channel resistant SBox implementation | and by exploring their
detectability and their e ects on security.
Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)
###Defending Against Hardware Attacks
[Anti-Evil Maid](
[USB in a Nutshell](
* Great explanation of the USB standard in depth
[USB Device Drivers: A Stepping Stone into your Kernel](
* [Slides])(
[Lowering the USB Fuzzing Barrier by Transparent Two-Way Emulation](
* Abstract: Increased focus on the Universal Serial Bus (USB) attack surface of devices has recently resulted in a number of new vulnerabilities. Much of this advance has been aided by the advent of hardware-based USB emulation techniques. However, existing tools and methods are far from ideal, requiring a significant investment of time, money, and effort. In this work, we present a USB testing framework that improves significantly over existing methods in providing a cost-effective and flexible way to read and modify USB communication. Amongst other benefits, the framework enables man-in-the-middle fuzz testing between a host and peripheral. We achieve this by performing two-way emulation using inexpensive bespoke USB testing hardware, thereby delivering capa-bilities of a USB analyzer at a tenth of the cost. Mutational fuzzing is applied during live communication between a host and peripheral, yielding new security-relevant bugs. Lastly, we comment on the potential of the framework to improve current exploitation techniques on the USB channel.
###SD Cards
[The Exploration and Exploitation of an SD Memory Card](
* This talk demonstrates a method for reverse engineering and loading code into the microcontroller within a SD memory card.
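Review bot: the abstracts pasted from PDFs in this hunk have lost their `fi`/`ff`/`fl` ligatures and kept the PDF's line-break hyphenation: `rmware`, `o -the-shelf`, `reverse en- gineering`, `in ltrate`, `ex- ltrate`, `unmodi ed`, `lesystem`, `diculty`, `crim- inals` in the hard-drive backdoor blurb; `e ective and ecient injection of trac`, `a ordable`, `inexpen-sive` in the Perimeter-Crossing Buses blurb; and the Dopant-Level Trojans abstract is split one PDF line per list item (`implement-` / `ing`, `modi ed`, `ne-grain`, `\golden chips"`, `e ectiveness`, `e ects`). Re-type those words and join the lines into one bullet. Markup problems: `[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans` has its note inside the link parentheses; `* [Slides])(` has the brackets and parentheses transposed; the `[Perimeter-Crossing Buses: a New Attack Surface for` link text is broken across two lines; `Attackin the TPM part 2` should be `Attacking`; and `Phison 2251-03 (2303) Custom Firmware & Existing Firmware Patches (BadUSB)` is a bare title with neither link nor note.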

+ 28
- 0
Draft/Draft/Con Videos View File

@ -0,0 +1,28 @@
[Archive of security conference videos](
[Shmoocon 2015 Videos](

+ 50
- 0
Draft/Draft/Counter View File

@ -0,0 +1,50 @@
Counter Surveillance
Detecting Surveillance - Spiderlabs blog
[1 Hardware Implants](
[2 Radio Frequency Exfiltration](
[3 Infected Firmware](
[A Simple Guide to TSCM Sweeps](
[Dr. Philip Polstra - Am I Being Spied On?](
* Talk on cheap/free counter measures
[DNS May Be Hazardous to Your Health - Robert Stucke](
* Great talk on attacking DNS
[CounterStrike Lawful Interception](
* This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
* [Slides](
[Exploiting Lawful Intercept to Wiretap the Internet](
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
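Review bot: `from asecurity perspective` in the Lawful Intercept blurb should be `from a security perspective` (space dropped when pasting from the PDF). The `[1 Hardware Implants](`, `[2 Radio Frequency Exfiltration](` and `[3 Infected Firmware](` entries are parts of the `Detecting Surveillance - Spiderlabs blog` series above them, so indent them as sub-bullets of that line rather than listing them as top-level entries, and give `Detecting Surveillance - Spiderlabs blog` the same link markup as its parts.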

+ 10
- 0
Draft/Draft/ View File

@ -0,0 +1,10 @@
######I don’t know.
[Deanonymisation of Clients in Bitcoin P2P Network](
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
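Review bot: this file's only heading is `######I don’t know.` and its path shows as `Draft/Draft/` with no file name, so the Bitcoin deanonymisation entry is effectively unfiled; name the file (and replace the heading) or move the entry into the Cryptography file, where the other network-privacy papers live. The abstract also has ligature loss from the PDF: `effcient`, `rewalls`, `cut-o`, `verifed`.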

+ 82
- 0
Draft/Draft/Cryptography & View File

@ -0,0 +1,82 @@
[Website detailing various crypto laws around world](
[Encrypting Strings in Android: Let's make better mistakes](
[java-aes-crypto (Android class)](
* A simple Android class for encrypting & decrypting strings, aiming to avoid the classic mistakes that most such classes suffer from.
* Keyczar is an open source cryptographic toolkit designed to make it easier and safer for developers to use cryptography in their applications. Keyczar supports authentication and encryption with both symmetric and asymmetric keys.
[Primer on Zero-Knowledge Proofs](
[Widespread Weak Keys in Network Devices](
Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[Why does cryptographic software fail? A case study and open problems](
* Abstract: Mistakes in cryptographic software implementations often undermine the strong security guarantees offered by cryptography. This paper presents a systematic study of cryptographic vulnerabilities in practice, an examination of state-of-the-art techniques to prevent such vulnerabilities, and a discussion of open problems and possible future research directions. Our study covers 269 cryptographic vulnerabilities reported in the CVE database from January 2011 to May 2014. The results show that just 17% of the bugs are in cryptographic libraries (which often have devastating consequences), and the remaining 83% are misuses of cryptographic libraries by individual applications. We observe that preventing bugs in different parts of a system requires different techniques, and that no effective techniques exist to deal with certain classes of mistakes, such as weak key generation.
[Matsano Crypto Challenges](
[Simple crypto tools](
The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).
[An Empirical Study of Cryptographic Misuse in Android Applications](
Cryptography Engineering
Applied Cryptography
Coursera Cryptography
Matsano Crypto Challenges
Go through a series of increasingly difficult challenges while learning all about cryptography.
Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
* imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.
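Review bot: several entries in this hunk have lost their link line and survive only as a bullet or bare paragraph: the `* Keyczar is an open source cryptographic toolkit...` bullet has no `[Keyczar](` line above it; the acoustic key-extraction paragraph (`Here, we describe a new acoustic cryptanalysis key extraction attack...`) has no title or link at all; `The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of...` is missing both its link and the article `a`; and the closing `* imagejs is a small tool to hide javascript inside a valid image file` bullet has no heading and is not cryptography (it fits the Client Side file better). Typos: `Matsano Crypto Challenges` (both occurrences) should be `Matasano`; in the imagejs blurb `you might now from Linux` should be `know` and `operation systems` should be `operating systems`. `Cryptography Engineering`, `Applied Cryptography` and `Coursera Cryptography` are bare titles without the `[title](url)` markup used elsewhere in the file.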