
Fixed README.md

pull/11/head
Robert Musser, 5 years ago
commit 42ccda4fd5
48 changed files with 1520 additions and 1961 deletions
1. Draft/AnonOpsecPrivacy.md (+1 -4)
2. Draft/Basic Security Information.md (+23 -36)
3. Draft/Building A Pentest Lab.md (+2 -2)
4. Draft/CTFs_Wargames.md (+2 -2)
5. Draft/Car Hacking.md (+1 -1)
6. Draft/Cheat sheets reference pages Checklists -.md (+16 -16)
7. Draft/Courses_Training.md (+3 -2)
8. Draft/CryptoCurrencies.md (+4 -0)
9. Draft/Cryptography & Encryption.md (+2 -2)
10. Draft/Darknets.md (+3 -9)
11. Draft/Data AnalysisVisualization.md (+5 -16)
12. Draft/Defense.md (+53 -28)
13. Draft/Disclosure.md (+0 -52)
14. Draft/Disinformation.md (+2 -2)
15. Draft/Documentation & Reports -.md (+28 -20)
16. Draft/Drones.md (+1 -1)
17. Draft/Embedded Device & Hardware Hacking -.md (+2 -2)
18. Draft/Exfiltration.md (+1 -1)
19. Draft/Exploit Development.md (+7 -5)
20. Draft/Forensics Incident Response.md (+2 -2)
21. Draft/Fuzzing Bug Hunting.md (+7 -11)
22. Draft/Game Hacking.md (+10 -6)
23. Draft/Home Security.md (+0 -26)
24. Draft/Honeypots.md (+2 -7)
25. Draft/How_To_Suck_at_Information_Security.md (+0 -4)
26. Draft/Interesting Things Useful stuff.md (+4 -1)
27. Draft/Malware.md (+30 -33)
28. Draft/Network Attacks & Defenses.md (+369 -320)
29. Draft/Network Security Monitoring & Logging.md (+68 -106)
30. Draft/Open Source Intelligence.md (+33 -44)
31. Draft/Password Bruting and Hashcracking.md (+5 -8)
32. Draft/Phishing.md (+50 -54)
33. Draft/Phyiscal Security.md (+95 -179)
34. Draft/Policy-Compliance.md (+22 -46)
35. Draft/Privilege Escalation & Post-Exploitation.md (+155 -143)
36. Draft/Programming - Languages Libs Courses References.md (+46 -103)
37. Draft/Rants&Writeups/Bitcoin_Hack.md (+0 -0)
38. Draft/Rants&Writeups/Writeups/Lab_for_exploit_dev-basic.md (+0 -0)
39. Draft/Red-Teaming.md (+4 -0)
40. Draft/Reverse Engineering.md (+1 -3)
41. Draft/Rootkits.md (+2 -2)
42. Draft/SCADA.md (+38 -46)
43. Draft/Social Engineering.md (+6 -14)
44. Draft/System Internals Windows and Linux Internals Reference.md (+209 -312)
45. Draft/UX Design - Because we all know how sexy pgp is.md (+4 -6)
46. Draft/Web & Browsers.md (+196 -275)
47. Draft/things-added.md (+3 -6)
48. README.md (+3 -3)

+ 1
- 4
Draft/AnonOpsecPrivacy.md

@ -12,9 +12,6 @@
* [Tools](#Tools)
* [Miscellaneous](#misc)
* [Counter Surveillance](#counter)
* [General/Articles](#genc)
* [Talks/Videos](#csvids)
* [Papers](#cspapers)
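Review bot: this hunk trims the table of contents from 9 lines to 6 in the General/Articles, Talks/Videos and Papers region (`#genc`, `#csvids`, `#cspapers`), and the only other change to this file in the patch is the Counter Surveillance heading (file stat is +1 -4); confirm those three sections were removed elsewhere or are otherwise still reachable, otherwise their `<a name>` anchors linger without any TOC entry pointing at them.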
@ -225,7 +222,7 @@
## Counter Surveillance
## <a name="counter"></a>Counter Surveillance
* Writeups
* Detecting Surveillance - Spiderlabs blog
* [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)


+ 23
- 36
Draft/Basic Security Information.md

@ -1,51 +1,38 @@
## Basic Security Principles/Information
# Basic Security Principles/Information
### Basic Information
* [Infosec Tools of the Trade: Getting Your Hands Dirty](http://www.irongeek.com/i.php?page=videos/bsidesnashville2017/bsides-nashville-2017-green00-infosec-tools-of-the-trade-getting-your-hands-dirty-jason-smith-and-tara-wink)
* In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective.
### How to Suck at InfoSec
* [How to Suck at Information Security – A Cheat Sheet](https://zeltser.com/suck-at-security-cheat-sheet/)
* [How not to Infosec - Dan Tentler](https://www.youtube.com/watch?v=S5O47gemMNQ)
* [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
* So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
### Basic Information
* ['Types of Authentication'](http://www.gfi.com/blog/security-101-authentication-part-2/)
* [Access control best practices](https://srlabs.de/acs/)
* **101**
* [Learning the Ropes 101: Introduction - zsec.uk](https://blog.zsec.uk/101-intro/)
### General
| Title | Link
| -------- | --------- |
| 'Types of Authentication' | http://www.gfi.com/blog/security-101-authentication-part-2/ |
|Information Security For Journalist book - Centre for Investigative Journalism| http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf |
| Access control best practices | https://srlabs.de/acs/ |
| Programming Sucks | http://www.stilldrinking.org/programming-sucks |
### Metasploit
* [Introduction To Metasploit – The Basics](http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/)
* **Becoming a Penetration Tester**
* [So you think you want to be a penetration tester - Defcon24](https://www.youtube.com/watch?v=be7bvZkgFmY)
* So, you think you want to be a penetration tester, or you already are and don't understand what the difference between you and all the other "so called" penetration testers out there. Think you know the difference between a Red Team, Penetration Test and a Vulnerability assessment? Know how to write a report your clients will actually read and understand? Can you leverage the strengths of your team mates to get through tough roadblocks, migrate, pivot, pwn and pillage? No? well this talk is probably for you then! We will go through the fascinating, intense and often crazily boring on-site assessment process. Talk about planning and performing Red Teams, how they are different, and why they can be super effective and have some fun along the way. I'll tell you stories that will melt your face, brain and everything in between. Give you the answers to all of your questions you never knew you had, and probably make you question your life choices. By the end of this session you will be ready to take your next steps into the job you've always wanted, or know deep inside that you should probably look for something else. There will be no judgment or shame, only information, laughter and fun.
* [Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
* [How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
* [Attacking Big Business](https://www.cyberis.co.uk/blog/attacking-big-business)
* **Careers in Information Security**
* [Infosec Tools of the Trade: Getting Your Hands Dirty](http://www.irongeek.com/i.php?page=videos/bsidesnashville2017/bsides-nashville-2017-green00-infosec-tools-of-the-trade-getting-your-hands-dirty-jason-smith-and-tara-wink)
* In this presentation we'll will be going over introductions to the various focuses in information security and demoing the most common tools that are used in operational security, both offense and defense. You'll leave with an idea on how to freely obtain and use these tools so that you can have what you need for that first interview: experience and a passion for security. This is a green talk for people who don't have a clue on what offensive and defensive people do operationally, from a tool perspective.
* [So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
### Shodan
| Title | Link
| -------- | --------- |
| Shodan Man page | http://www.shodanhq.com/help |
| Shodan Filter Reference | http://www.shodanhq.com/help/filters |
| Shodan FAQ | http://www.shodanhq.com/help/faq |
### I'll sort later
### Tools you should probably know exist
* [Introduction To Metasploit – The Basics](http://www.elithecomputerguy.com/2013/02/08/introduction-to-metasploit-the-basics/)
* [Shodan Man page](http://www.shodanhq.com/help)
* [Attacking Big Business](https://www.cyberis.co.uk/blog/attacking-big-business)
* [304 Hold my Red Bull Undergraduate Red Teaming Jonathan Gaines](https://www.youtube.com/watch?v=9vgpqRzuvLk)
* [100 OWASP Top 10 Hacking Web Applications with Burp Suite Chad Furman](https://www.youtube.com/watch?v=2p6twRRXK_o)
* [213 How not to Infosec Dan Tentler](https://www.youtube.com/watch?v=S5O47gemMNQ)
* [Application Whitelisting Using Microsoft AppLocker](https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm)
* [So You Want To Be A H6x0r Getting Started in Cybersecurity Doug White and Russ Beauchemin ](https://www.youtube.com/watch?v=rRJKghTTics)
* [How to become a pentester - Corelan](https://www.corelan.be/index.php/2015/10/13/how-to-become-a-pentester/)
* [SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)
* [Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html)
* [Red Hat Enterprise Linux 6 Security Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf)
* [Mitigate threats by using Windows 10 security features](https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10)
* [Pass the Hash Guidance](https://github.com/iadgov/Pass-the-Hash-Guidance)
* Configuration guidance for implementing Pass-the-Hash mitigations. iadgov
* [Learning the Ropes 101: Introduction - zsec.uk](https://blog.zsec.uk/101-intro/)
Wireless Deployment Recommendations and Best Practices - n00py](https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/)
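Review bot: the last line of this hunk is broken: `Wireless Deployment Recommendations and Best Practices - n00py](https://www.n00py.io/2016/10/privilege-escalation-on-os-x-without-exploits/)` is missing the leading `* [`, and its link text (wireless deployment) does not match the URL path (privilege escalation on OS X without exploits), so either the title or the URL is wrong. The description under `Infosec Tools of the Trade` also still reads "we'll will be going over" in the retained copy.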

+ 2
- 2
Draft/Building A Pentest Lab.md

@ -1,7 +1,7 @@
## Building a Pentest Lab
# Building a Pentest Lab
### Table of Contents
## Table of Contents
* [General](#general)
* [VMs Designed to be Attacked](#vm)


+ 2
- 2
Draft/CTFs_Wargames.md

@ -1,6 +1,6 @@
## CTFs & Wargames
# CTFs & Wargames
##### TOC
## Table of Contents
* [General](#general)
* [Wargames](#wargames)
* [Vulnerable VMs](#vulnvm)


+ 1
- 1
Draft/Car Hacking.md

@ -1,6 +1,6 @@
# Car Hacking
## ToC
## Table of Contents
* [General](#general)
* [Writeups](#writeup)


+ 16
- 16
Draft/Cheat sheets reference pages Checklists -.md

@ -1,7 +1,7 @@
## Cheat Sheets & Reference Pages
# Cheat Sheets & Reference Pages
#### TOC
## Table of Contents
* [General](#General)
* [ASM(x86/64/ARM)](#ASM)
* [Android](#Android)
@ -46,7 +46,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="General">General Cheat Sheets</a>
**General Cheat Sheets**
* **General Cheat Sheets**
* [How to Suck at Information Security](https://zeltser.com/suck-at-security-cheat-sheet/)
* [Tips for Troubleshooting Human Communications](https://zeltser.com/human-communications-cheat-sheet/)
* [Nmap](https://highon.coffee/docs/nmap/)
@ -59,7 +59,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="ASM">x86/64/ARM</a>
**ASM Cheat Sheets**
* **ASM Cheat Sheets**
* [x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)
* [Intro to x86 calling conventions](http://codearcana.com/posts/2013/05/21/a-brief-introduction-to-x86-calling-conventions.html)
* [Reading ASM](http://cseweb.ucsd.edu/classes/sp11/cse141/pdf/02/S01_x86_64.key.pdf)
@ -68,7 +68,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="Android">Android Cheat Sheets</a>
**Android Cheat Sheets**
* **Android Cheat Sheets**
* [Android ADB cheat sheet](https://github.com/maldroid/adb_cheatsheet/blob/master/cheatsheet.pdf?raw=true)
@ -81,7 +81,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="Linux">Linux Cheat Sheets</a>
**Linux Cheat Sheets**
* **Linux Cheat Sheets**
* [Linux Syscall Table](http://www.informatik.htw-dresden.de/~beck/ASM/syscall_list.html)
* Complete listing of all Linux Syscalls
@ -90,14 +90,14 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="Windows">Windows Cheat Sheets</a>
**Windows Cheat Sheets**
* **Windows Cheat Sheets**
* [Windows Startup Application Database](http://www.pacs-portal.co.uk/startup_content.php)
----------
### <a name="Exploitation">Exploitation Cheat Sheets</a>
**Exploitation Cheat Sheets**
* **Exploitation Cheat Sheets**
* [AIX For Pentesters](http://www.giac.org/paper/gpen/6684/aix-penetration-testers/125890)
* Good paper on exploiting/pentesting AIX based machines. From the paper itself “ The paper proposes some basic methods to do comprehensive local security checks and how to exploit the vulnerabilities.”
* [Linux - Breaking out of shells](https://highon.coffee/docs/linux-commands/#breaking-out-of-limited-shells)
@ -109,14 +109,14 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="Exploitation">Exploit Dev Cheat Sheets</a>
**Exploit Dev Cheat Sheets**
* **Exploit Dev Cheat Sheets**
* [x86 opcode structure and instruction overview](http://pnx.tf/files/x86_opcode_structure_and_instruction_overview.pdf)
* [Nasm x86 reference](https://www.cs.uaf.edu/2006/fall/cs301/support/x86/)
* [ARM Exploitation Cheat Sheet](https://azeria-labs.com/assembly-basics-cheatsheet/)
----------
### <a name="Metasploit">Metasploit Cheat Sheets</a>
**Metasploit Cheat Sheets**
* **Metasploit Cheat Sheets**
* [Metasploit 4.2 documentation](https://community.rapid7.com/docs/DOC-1751)
* [MSF Payload Cheat Sheet](http://aerokid240.blogspot.com/2009/11/msfpayload-goodness-cheatsheet.html)
* [Metasploit Meterpreter Cheat Sheet](https://scadahacker.com/library/Documents/Cheat_Sheets/Hacking%20-%20Meterpreter%20Cheat%20%20Sheet.pdf)
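Review bot: `### <a name="Exploitation">Exploit Dev Cheat Sheets</a>` reuses the anchor name `Exploitation` that the previous hunk already assigns to `Exploitation Cheat Sheets`; with duplicate ids a TOC link can only ever land on the first one. Give this heading its own name, e.g. `<a name="ExploitDev">`, and add the matching TOC entry.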
@ -127,7 +127,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="For">Forensics/IR Cheat Sheets</a>
**Forensics/IR Cheat Sheets**
* **Forensics/IR Cheat Sheets**
* [File Signature Table](http://www.garykessler.net/library/file_sigs.html)
* [Mem forenics cheat sheet](http://forensicmethods.com/wp-content/uploads/2012/04/Memory-Forensics-Cheat-Sheet-v1.pdf)
* [Security Incident Survey Cheat Sheet](https://zeltser.com/security-incident-survey-cheat-sheet/)
@ -138,7 +138,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="Malware">Malware Cheat Sheet</a>
**Malware Cheat Sheets**
* **Malware Cheat Sheets**
* [Reverse Engineering Malware Cheat Sheet](https://zeltser.com/reverse-malware-cheat-sheet/)
* [Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
@ -146,7 +146,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="RE">Reverse Engineering Cheat Sheets</a>
**RE Cheat Sheets**
* **RE Cheat Sheets**
* [Radare2 Cheat-Sheet](https://github.com/pwntester/cheatsheets/blob/master/radare2.md)
* [WinDbg Cheat Sheet/mindmap](http://tylerhalfpop.com/2014/08/16/windbg-cheatsheet/)
* [Pdf of all WinDbg commands](http://windbg.info/download/doc/pdf/WinDbg_cmds.pdf)
@ -157,7 +157,7 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### <a name="Web">Web Cheat Sheets</a>
**Web Cheat Sheets**
* **Web Cheat Sheets**
* [Drupal Security Checklist](https://github.com/gfoss/attacking-drupal/blob/master/presentation/drupal-security-checklist.pdf)
* [O-Auth Security Cheat Sheet](http://www.oauthsecurity.com/)
* [OWASP Testing Checklist](https://www.owasp.org/index.php/Testing_Checklist)
@ -167,11 +167,11 @@ http://www.amanhardikar.com/mindmaps/Practice.html
----------
### Wireless Cheat Sheet
**Wireless Cheat Sheets**
* **Wireless Cheat Sheets**
* [Management Frames Reference Sheet](http://download.aircrack-ng.org/wiki-files/other/managementframes.pdf)
----------
### <a name="DB">Database Cheat Sheets</a>
**DB Cheat Sheets**
* **DB Cheat Sheets**
* [Checklist for mongodb](http://blog.mongodirector.com/10-tips-to-improve-your-mongodb-security/)
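Review bot: `### Wireless Cheat Sheet` is the only heading touched by this patch that has no `<a name="...">` anchor, so a TOC link to the wireless section has nothing to resolve to; add `<a name="Wireless">` to match the other sections.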

+ 3
- 2
Draft/Courses_Training.md

@ -1,9 +1,9 @@
## Classes & Training
# Classes & Training
### ToC
## Table of Contents
* Cull
* General Security Classes](#general)
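Review bot: `* General Security Classes](#general)` is missing the opening `[`, so it renders as plain text followed by a stray `](#general)`; the bare `* Cull` line sitting inside the table of contents also looks like a leftover todo marker rather than an entry.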
@ -26,6 +26,7 @@ Hackingdojo
BVWA
Juiceshop
#### End Sort


+ 4
- 0
Draft/CryptoCurrencies.md

@ -9,6 +9,10 @@ ToC
* [Talks & Presentations](#talks)
#### Sort/Add
* Monero
* Zcash
-----
### <a name="general"></a> General
* [cryptocurrency](https://github.com/kilimchoi/cryptocurrency)


+ 2
- 2
Draft/Cryptography & Encryption.md

@ -1,6 +1,6 @@
## Cryptography
# Cryptography
##### TOC
## Table of Contents
* [General Information](#general)
* [Learning/Courses](#learn)


+ 3
- 9
Draft/Darknets.md

@ -1,14 +1,8 @@
## Darknets
# Darknets
##### ToC
## Table of Contents
* [General](#general)
* [Darknets](#darknets)
* [Discussions](#discussion)
* [Ordering](#ordering)
* [Markets/Sites/Wikis](#markets)
* [Tools](#tools)
### <a name="general">General</a>
General
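Review bot: this hunk shrinks the top of the file from 14 lines to 8 and leaves only the General entry visible in the table of contents, yet the second hunk's context (`Darknets`, with Freenet, I2P, Tor and Gnunet beneath it) shows the Darknets section still exists; restore `* [Darknets](#darknets)` (and the entry for any other section that survives), or state in the commit message that the TOC is being trimmed on purpose.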
@ -41,7 +35,7 @@ Darknets
* Freenet
* I2P
* Tor
* Gnunet


+ 5
- 16
Draft/Data AnalysisVisualization.md

@ -2,12 +2,10 @@
### ToC
## Table of Contents
* To be sorted
* General
* Writeups
* Tools
* Miscellaneous
* Writeups
@ -95,18 +93,9 @@ Applied Security Visualization: http://www.secviz.org/content/applied-security-v
* Norikra is a open source server software provides "Stream Processing" with SQL, written in JRuby, runs on JVM, licensed under GPLv2.
* [Fluentd](https://www.fluentd.org/architecture)
* Fluentd is an open source data collector, which lets you unify the data collection and consumption for a better use and understanding of data.
Modeling Network Data
* [Flowsynth](https://github.com/secureworks/Flowsynth)
* Flowsynth is a tool for rapidly modelling network traffic. Flowsynth can be used to generate text-based hexdumps of packets as well as native libpcap format packet captures.
-----
### Blogposts
* Modeling Network Data
* [Flowsynth](https://github.com/secureworks/Flowsynth)
* Flowsynth is a tool for rapidly modelling network traffic. Flowsynth can be used to generate text-based hexdumps of packets as well as native libpcap format packet captures.
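Review bot: `[Flowsynth](https://github.com/secureworks/Flowsynth)` is a traffic-modelling tool, not a blog post, so moving the `Modeling Network Data` block under `### Blogposts` misfiles it; the table of contents in the first hunk still lists a `Tools` section, which is where it belongs.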


+ 53
- 28
Draft/Defense.md

@ -1,11 +1,26 @@
# Defense:
#### In Progress
# Defense
## In Progress
## Table of Contents
* [Amazon S3](#s3)
* [Application Whitelisting](#whitelist)
* [AppSec](#appsec)
* [Attack Surface Analysis/Reduction](#asa)
* [Auditing Account Passwords/Privileges](#aapp)
* [Auditing Processes](#ap)
* [Baselining](#baseline)
* [Hardening](#harden)
* [Leaks](#leak)
* [Linux/Unix](#linux)
* [Malicious USB](#malusb)
* [Network](#network)
* [OS X](#osx)
* [Ransomware](#ransom)
* [Web](#web)
* [WAF(#waf)
* [Windows](#windows)
* [Powershell](#powershell)
### Sort
* [limacharlie](https://github.com/refractionpoint/limacharlie)
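Review bot: the TOC entry `* [WAF(#waf)` is missing the `](` between link text and target, so it renders as literal text. The anchor names added later in this patch also disagree with the TOC targets here: `[Hardening](#harden)` vs `<a name="hardening">`, `[Leaks](#leak)` vs `<a name="leaks">`, `[Ransomware](#ransom)` vs `<a name="ransomware">`; pick one spelling for each pair so the links resolve.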
@ -29,6 +44,13 @@
[Secure SMB Connections](http://techgenix.com/secure-smb-connections/)
* [Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014](https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a)
* [Application Whitelisting Using Microsoft AppLocker](https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm)
* [SANS Institute Security Consensus Operational Readiness Evaluation](https://www.sans.org/media/score/checklists/LinuxCheatsheet_2.pdf)
* [Windows Commands Abused by Attackers](http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html)
* [Mitigate threats by using Windows 10 security features](https://docs.microsoft.com/en-us/windows/threat-protection/overview-of-threat-mitigations-in-windows-10)
* [Pass the Hash Guidance](https://github.com/iadgov/Pass-the-Hash-Guidance)
* Configuration guidance for implementing Pass-the-Hash mitigations. iadgov
### End Sort
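Review bot: `[Secure SMB Connections](http://techgenix.com/secure-smb-connections/)` at the top of this hunk is the only entry in the Sort list without a leading `* `, so it renders as a paragraph instead of a list item.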
@ -36,11 +58,11 @@
### Amazon S3
### <a name="s3"></a>Amazon S3
* [Amazon S3 Bucket Public Access Considerations](https://aws.amazon.com/articles/5050)
### Application Whitelisting
### <a name="whitelist"></a>Application Whitelisting
* [Guide to Application Whitelisting - NIST Special Publication 800 - 167](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf)
* [Script Rules in AppLocker - technet](https://technet.microsoft.com/en-us/library/ee460958.aspx)
* [DLL Rules in AppLocker](https://technet.microsoft.com/en-us/library/ee460947.aspx)
@ -49,7 +71,7 @@
### Appsec
### <a name="appsec"></a>Appsec
* [OWASP Application Security Verification Standard](https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project)
* [What I learned from doing 1000 code reviews](https://hackernoon.com/what-i-learned-from-doing-1000-code-reviews-fe28d4d11c71)
@ -57,7 +79,7 @@
### Attack Surface Analysis/Reduction
### <a name="asa"></a>Attack Surface Analysis/Reduction
* General
* [Intrigue-core](https://github.com/intrigueio/intrigue-core)
* Intrigue-core is a framework for automated attack surface discovery.
@ -66,7 +88,7 @@
### Auditing Account Passwords/Privileges
### <a name="aapp"></a>Auditing Account Passwords/Privileges
* [Account lockout threshold - technet](https://technet.microsoft.com/en-us/library/hh994574.aspx)
* [Password Policy - technet](https://technet.microsoft.com/en-us/library/hh994572.aspx)
* [AccessChk](https://docs.microsoft.com/en-us/sysinternals/downloads/accesschk)
@ -75,7 +97,7 @@
### Auditing Processes
### <a name="ap"></a>Auditing Processes
* [Know your Windows Processes or Die Trying - sysforensics](https://sysforensics.org/2014/01/know-your-windows-processes/)
* [TaskExplorer](https://objective-see.com/products/taskexplorer.html)
* Explore all the tasks (processes) running on your Mac with TaskExplorer.
@ -85,7 +107,7 @@
### Baselining
### <a name="baseline"></a>Baselining
* [Measure Boot Performance with the Windows Assessment and Deployment Toolkit](https://blogs.technet.microsoft.com/mspfe/2012/09/19/measure-boot-performance-with-the-windows-assessment-and-deployment-toolkit/)
* [Securing Windows Workstations: Developing a Secure Baseline](https://adsecurity.org/?p=3299)
@ -94,7 +116,7 @@
* [The Malware Management Framework](https://www.malwarearchaeology.com/mmf/)
### Hardening
### <a name="hardening"></a>Hardening
* [ERNW Repository of Hardening Guides](https://github.com/ernw/hardening)
* [OWASP Secure Configuration Guide](https://www.owasp.org/index.php/Secure_Configuration_Guide)
* [PHP Secure Configuration Checker](https://github.com/sektioneins/pcc)
@ -109,7 +131,11 @@
### Leaks
----------------------
### <a name="journalist"></a>Journalist
* [Information Security For Journalist book - Centre for Investigative Journalism](http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf)
### <a name="leaks"></a>Leaks
* General
* [AIL framework - Analysis Information Leak framework](https://github.com/CIRCL/AIL-framework)
* AIL is a modular framework to analyse potential information leaks from unstructured data sources like pastes from Pastebin or similar services or unstructured data streams. AIL framework is flexible and can be extended to support other functionalities to mine sensitive information.
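Review bot: the new `### <a name="journalist"></a>Journalist` section gets an anchor but no entry in the table of contents added at the top of this file; add `* [Journalist](#journalist)` there, otherwise the section is only reachable by scrolling.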
@ -119,28 +145,28 @@
* KeyNuker scans public activity across all Github users in your Github organization(s) and proactively deletes any AWS keys that are accidentally leaked. It gets the list of AWS keys to scan by directly connecting to the AWS API.
### Linux/Unix
### <a name="linux"></a>Linux/Unix
* [LUNAR](https://github.com/lateralblast/lunar)
* A UNIX security auditing tool based on several security frameworks
* [Filenames and Pathnames in Shell: How to do it Correctly](https://www.dwheeler.com/essays/filenames-in-shell.html)
* [Monit](https://mmonit.com/monit/)
* Monit is a small Open Source utility for managing and monitoring Unix systems. Monit conducts automatic maintenance and repair and can execute meaningful causal actions in error situations.
* [Red Hat Enterprise Linux 6 Security Guide](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Security_Guide/Red_Hat_Enterprise_Linux-6-Security_Guide-en-US.pdf)
### Malicious USBs
### <a name="malusb"></a>Malicious USBs
* [BEAMGUN](https://github.com/JLospinoso/beamgun)
* A rogue-USB-device defeat program for Windows.
### Network
### <a name="network"></a>Network
* [Defending the Enterprise Against Network Infrastructure Attacks - Paul Coggin - Troopers15](https://www.youtube.com/watch?v=K0X3RDf5XK8)
### OS X
### <a name="osx"></a>OS X
* [netman](https://github.com/iadgov/netman)
* A userland network manager with monitoring and limiting capabilities for macOS.
@ -150,15 +176,14 @@
* OverSight monitors a mac's mic and webcam, alerting the user when the internal mic is activated, or whenever a process accesses the webcam.
### Ransomware
### <a name="ransomware"></a>Ransomware
* [Decryptonite](https://github.com/DecryptoniteTeam/Decryptonite)
* Decryptonite is a tool that uses heuristics and behavioural analysis to monitor for and stop ransomware.
### Web
### <a name="web"></a>Web
* [The Hitchhiker's Guide to SQL Injection prevention](https://phpdelusions.net/sql_injection)
#### WAF
### <a name="waf"></a>WAF
* NAXSI
* [naxsi](https://github.com/nbs-system/naxsi)
* NAXSI is an open-source, high performance, low rules maintenance WAF for NGINX
@ -167,7 +192,7 @@
* [ModSecurity](https://www.modsecurity.org/)
* [ModSecurity Reference Manual](https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual)
### Windows
### <a name="windows"></a>Windows
* General
* [Windows Firewall Hook Enumeration](https://www.nccgroup.com/en/blog/2015/01/windows-firewall-hook-enumeration/)
* We’re going to look in detail at Microsoft Windows Firewall Hook drivers from Windows 2000, XP and 2003. This functionality was leveraged by the Derusbi family of malicious code to implement port-knocking like functionality. We’re going to discuss the problem we faced, the required reverse engineering to understand how these hooks could be identified and finally how the enumeration tool was developed.
@ -260,7 +285,7 @@
#### PowerShell
#### <a name="powershell"></a>PowerShell
* General
* [Powershell Security at Enterprise Customers - blogs.msdn](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
* [More Detecting Obfuscated PowerShell](http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/)


+ 0
- 52
Draft/Disclosure.md

@ -1,52 +0,0 @@
# Disclosure
-----
### General
* [Responsible Disclosure is Wrong](https://adamcaudill.com/2015/11/19/responsible-disclosure-is-wrong/)
* [Portcullis Computer Security Co-ordinated Disclosure Toolkit](https://github.com/portcullislabs/co-ordinated-disclosure-toolkit)
* [How to Disclose or Sell an Exploit - DEF CON 21 - James Denaro](https://www.youtube.com/watch?v=N1Xj3f4felg)
* [How to Disclose an Exploit Without Getting in Trouble DEF CON 22 - Jim Denaro and Tod Beardsley](https://www.youtube.com/watch?v=Y8Cpio6z9qA)
* [Good comparison of various forms of disclosure](http://blog.opensecurityresearch.com/2014/06/approaches-to-vulnerability-disclosure.html)
* [Clean writeup of Full-Disclosure release policy that is more similar to Coordinated Disclosure.](http://www.ilias.de/docu/goto_docu_wiki_1357_RFPolicy.html)
-------
### CVE
* [Request a CVE ID](http://cve.mitre.org/cve/request_id.html#cna_coverage)
* [My first CVE-2016-1000329 in BlogPHP](https://www.stevencampbell.info/2016/12/my-first-cve-2016-1000329-in-blogphp/)
-----
### Dealing with the press/journalists:
* [Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
-----
### Tools
* [Cryptoshot](https://github.com/DiabloHorn/cryptoshot)
* This application will make a screenshot of the desktop. If the desktop consists of multiple monitors
it should still work fine. However it has only been tested with a dual monitor setup.
The windows project has the added functionality of sending the screenshot to a server of your choosing.
* [Record terminal sessions and have the ability to replay it](http://linux.byexamples.com/archives/279/record-the-terminal-session-and-replay-later/)
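Review bot: deleting this file removes the CVE links (`Request a CVE ID`, the BlogPHP CVE-2016-1000329 writeup), the two DEF CON disclosure talks, the disclosure-approach comparison and RFPolicy links, and the `Hacking the media for fame/profit` talk. The new Disclosure section in `Draft/Documentation & Reports -.md` visibly carries over the NCSAM, Protecting Your Sources, Responsible Disclosure is Wrong and Portcullis toolkit links, and Cryptoshot plus the terminal-recording link reappear there too, but the CVE, DEF CON and press entries are not in the visible part of that hunk; confirm they were moved rather than dropped, and mention the file move in the commit message, which currently only says `Fixed README.md`.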

+ 2
- 2
Draft/Disinformation.md

@ -1,9 +1,9 @@
## Disinformation
# Disinformation
-----
### <a name="talks">General
**General**
* **General**
* [25 Rules of Disinformation](http://vigilantcitizen.com/latestnews/the-25-rules-of-disinformation/)
* [8 Traits of the Disinformationalist](https://calloutjoe.wordpress.com/psyop/eight-traits-of-the-disinformationalist/)
* [Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-7-governments-and-ufos-a-historical-analysis-of-disinformation-and-deception-richard-thieme)
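Review bot: `### <a name="talks">General` never closes the `<a>` tag (compare `### <a name="general">General</a>` used elsewhere in this patch), and the anchor is named `talks` although the section is General, so a `#general` link will not resolve; use `### <a name="general">General</a>`.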


+ 28
- 20
Draft/Documentation & Reports -.md

@ -1,30 +1,23 @@
## Documentation & Reporting
# Documentation & Reporting
#### For writing technical documentation.
## Table of Contents
##### TOC
* [Writing](#writing)
* [Reports](#reports)
* [Collaboration Tools](#collab)
* [Meta](#meta)
* [Video Documentation](#video)
-----
### General/Disclosure
* [NCSAM: Coordinated Vulnerability Disclosure Advice for Researchers](https://community.rapid7.com/community/infosec/blog/2016/10/28/ncsam-coordinated-vulnerability-disclosure-advice-for-researchers)
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
* [Disclosure](#disclosure)
-----------------
### Start
* [How I read a research paper](https://muratbuffalo.blogspot.com/2013/07/how-i-read-research-paper.html?m=1
-----
### <a name="writing">Writing</a>
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
* [A beginners guide to writing documentation](http://docs.writethedocs.org/writing/beginners-guide-to-docs/)
* [Teach, Don’t Tell](http://stevelosh.com/blog/2013/09/teach-dont-tell/)
@ -96,15 +89,13 @@ Other Materials:
-----
### <a name="video">Video Recording</a>
### <a name="video">Video Recording/Recording</a>
* [Open Broadcaster Software OBS](https://obsproject.com/)
* Open Broadcaster Software is free and open source software for video recording and live streaming.
* Cross Platform, Windows/OsX/Linux
-----
### <a name="reading">Reading Papers</a>
* [How I read a research paper](https://muratbuffalo.blogspot.com/2013/07/how-i-read-research-paper.html?m=1)
* [Cryptoshot](https://github.com/DiabloHorn/cryptoshot)
* This application will make a screenshot of the desktop. If the desktop consists of multiple monitors, it should still work fine. However it has only been tested with a dual monitor setup. The windows project has the added functionality of sending the screenshot to a server of your choosing.
* [Record terminal sessions and have the ability to replay it](http://linux.byexamples.com/archives/279/record-the-terminal-session-and-replay-later/)
------
### De/Briefing
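Review bot: `Video Recording/Recording` repeats the word; either name the second thing (screen recording, terminal recording) or keep the old `Video Recording`. Cryptoshot (a desktop screenshot tool) and the terminal-session replay link are filed under `Reading Papers`, where they do not belong; they are capture tools and should sit in the `video` section with OBS, leaving Reading Papers with only the paper-reading link.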
@ -113,4 +104,21 @@ Other Materials:
* An open-source screen recorder built with web technology
* [Debriefing: A Simple Tool to Help Your Team Tackle Tough Problems](https://hbr.org/2015/07/debriefing-a-simple-tool-to-help-your-team-tackle-tough-problems)
* [Sample Debriefing Statement - Albion College](https://www.albion.edu/academics/student-research/institutional-review-board/submitting-a-proposal/sample-debriefing-statement)
* [A Project Post Mortem Template](http://brolik.com/blog/project-post-mortem-template/)
* [A Project Post Mortem Template](http://brolik.com/blog/project-post-mortem-template/)
----
### <a name="disclosure"></a>Disclosure
* [NCSAM: Coordinated Vulnerability Disclosure Advice for Researchers](https://community.rapid7.com/community/infosec/blog/2016/10/28/ncsam-coordinated-vulnerability-disclosure-advice-for-researchers)
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
* [Responsible Disclosure is Wrong](https://adamcaudill.com/2015/11/19/responsible-disclosure-is-wrong/)
* [Portcullis Computer Security Co-ordinated Disclosure Toolkit](https://github.com/portcullislabs/co-ordinated-disclosure-toolkit)
* [How to Disclose or Sell an Exploit - DEF CON 21 - James Denaro](https://www.youtube.com/watch?v=N1Xj3f4felg)
* [How to Disclose an Exploit Without Getting in Trouble DEF CON 22 - Jim Denaro and Tod Beardsley](https://www.youtube.com/watch?v=Y8Cpio6z9qA)
* [Good comparison of various forms of disclosure](http://blog.opensecurityresearch.com/2014/06/approaches-to-vulnerability-disclosure.html)
* [Clean writeup of Full-Disclosure release policy that is more similar to Coordinated Disclosure.](http://www.ilias.de/docu/goto_docu_wiki_1357_RFPolicy.html)
* **CVE**
* [Request a CVE ID](http://cve.mitre.org/cve/request_id.html#cna_coverage)
* [My first CVE-2016-1000329 in BlogPHP](https://www.stevencampbell.info/2016/12/my-first-cve-2016-1000329-in-blogphp/)
* **Dealing with the press/journalists:**
* [Hacking the media for fame/profit talk](http://www.irongeek.com/i.php?page=videos/derbycon4/Hacking-The-Media-For-Fame-And-Profit-Jenn-Ellis-Steven-Reganh)
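Review bot: `* [A Project Post Mortem Template](http://brolik.com/blog/project-post-mortem-template/)` appears twice in a row; if that is only the no-newline-at-end-of-file churn it is harmless, otherwise drop one copy. Minor: the new heading uses `<a name="disclosure"></a>Disclosure` while the rest of the file puts the heading text inside the anchor (`<a name="video">...</a>`); pick one form so the anchors stay consistent.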

+ 1
- 1
Draft/Drones.md

@ -1,4 +1,4 @@
## Drone Hacking
# Drone Hacking


+ 2
- 2
Draft/Embedded Device & Hardware Hacking -.md

@ -1,8 +1,8 @@
## Embedded Device Security
# Embedded Device Security
##### ToC
## Table of Contents
* [General](#general)
* [General Hardware Hacking](#generalhw)
* [General Hardware Articles/Writeups](#generalwriteups)


+ 1
- 1
Draft/Exfiltration.md

@ -1,7 +1,7 @@
# Exfiltration
### TOC
## Table of Contents
* [General](#general)
* [Methodologies](#methods)


+ 7
- 5
Draft/Exploit Development.md

@ -1,10 +1,6 @@
# Exploit Development
TOC
Sort
Talks
## Table of Contents
* [General Stuff/Techniques](#general)
* [General Stuff I can't figure where else to put](#eh)
* [Acquiring Old/Vulnerable Software](#acquire)
@ -71,6 +67,12 @@ Talks
#### Sort:
* [scdbg](http://sandsprite.com/blogs/index.php?uid=7&pid=152)
* scdbg is an open source, multi-platform, shellcode analysis application that runs shellcode through a virtual machine that emulates a 32bit processor, memory, and basic Windows API environment. scdbg uses the libemu library to provide this environment. Builds of scdbg exist for both Windows and Unix users.
* [scdbg Manual](http://sandsprite.com/CodeStuff/scdbg_manual/MANUAL_EN.html)
* [Blackbone](https://github.com/DarthTon/Blackbone)
* Windows memory hacking library
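Review bot: scdbg and Blackbone are added under the `#### Sort:` holding pen even though the hunk's own descriptions say where they go: scdbg is a libemu-based shellcode emulator (shellcode analysis) and Blackbone a Windows memory/process manipulation library (injection tooling). Filing them now avoids growing the unsorted list that this commit is otherwise trying to clean up.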


+ 2
- 2
Draft/Forensics Incident Response.md

@ -1,7 +1,7 @@
## Forensics & Incident Response
# Forensics & Incident Response
##### Table of Contents
## Table of Contents
* General
* Tools
* [Presentations/Talks](#talks)


+ 7
- 11
Draft/Fuzzing Bug Hunting.md

@ -1,6 +1,8 @@
## Fuzzing
# Fuzzing (and bug hunting)
TOC
## Table of Contents
* [General](#general)
* [Videos/Presentations](#videos)
@ -163,15 +165,9 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
------------
### <a name="training"></a>Training
[Modern fuzzing of C/C++ Projects - Slides](https://docs.google.com/presentation/d/1pbbXRL7HaNSjyCHWgGkbpNotJuiC4O7L_PDZoGqDf5Q/edit#slide=id.p4)
[libfuzzer-workshop](https://github.com/Dor1s/libfuzzer-workshop)
* Materials of "Modern fuzzing of C/C++ Projects" workshop.
* [Modern fuzzing of C/C++ Projects - Slides](https://docs.google.com/presentation/d/1pbbXRL7HaNSjyCHWgGkbpNotJuiC4O7L_PDZoGqDf5Q/edit#slide=id.p4)
* [libfuzzer-workshop](https://github.com/Dor1s/libfuzzer-workshop)
* Materials of "Modern fuzzing of C/C++ Projects" workshop.
------------


+ 10
- 6
Draft/Game Hacking.md

@ -1,7 +1,7 @@
## Game Hacking
# Game Hacking
### TOC
## Table of Contents
* [General](#general)
* [Writeups](#writeups)
* [Console Hacking](#console)
@ -21,7 +21,7 @@
#### Sort
* [OwnedCore](http://www.ownedcore.com/forums/)
* [Cathook Training Software](https://github.com/nullifiedcat/cathook)
#### End Sort
@ -46,14 +46,16 @@
* [Unravelling Konami's Arcade DRM](http://mon.im/2017/12/konami-arcade-drm.html)
------------
## <a name="console"></a>Console Hacking
### <a name="console"></a>Console Hacking
------------
#### Nintendo Gameboy
* [Reverse engineering a Gameboy ROM with radare2](https://www.megabeets.net/reverse-engineering-a-gameboy-rom-with-radare2/)
------------
#### Nintendo 3DS
* [Keyshuffling Attack for Persistent Early Code Execution in the Nintendo 3DS Secure Bootchain](https://github.com/Plailect/keyshuffling)
* We demonstrate an attack on the secure bootchain of the Nintendo 3DS in order to gain early code execution. The attack utilizes the block shuffling vulnerability of the ECB cipher mode to rearrange keys in the Nintendo 3DS's encrypted keystore. Because the shuffled keys will deterministically decrypt the encrypted firmware binary to incorrect plaintext data and execute it, and because the device's memory contents are kept between hard reboots, it is possible to reliably reach a branching instruction to a payload in memory. This payload, due to its execution by a privileged processor and its early execution, is able to extract the hash of hardware secrets necessary to decrypt the device's encrypted keystore and set up a persistant exploit of the system.
@ -85,7 +87,9 @@
* [Inside Blizzard: Battle.net](http://uninformed.org/?v=all&a=8&t=sumry)
* This paper intends to describe a variety of the problems Blizzard Entertainment has encountered from a practical standpoint through their implementation of the large-scale online game matchmaking and chat service, Battle.net. The paper provides some background historical information into the design and purpose of Battle.net and continues on to discuss a variety of flaws that have been observed in the implementation of the system. Readers should come away with a better understanding of problems that can be easily introduced in designing a matchmaking/chat system to operate on such a large scale in addition to some of the serious security-related consequences of not performing proper parameter validation of untrusted clients.
* [An Objective Analysis of the Lockdown Protection System for Battle.net](http://uninformed.org/?v=all&a=40&t=sumry)
* Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battle.net using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battle.net. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to Battle.net. In addition, the new authentication module also introduced run-time integrity checks of client binaries in memory. This is meant to provide simple detection of many client modifications (often labeled "hacks") that patch game code in-memory in order to modify game behavior. The Lockdown authentication module also introduced some anti-debugging techniques that are designed to make it more difficult to reverse engineer the module. In addition, several checks that are designed to make it difficult to simply load and run the Blizzard Lockdown module from the context of an unauthorized, non-Blizzard-game process. After all, if an attacker can simply load and run the Lockdown module in his or her own process, it becomes trivially easy to spoof the game client logon process, or to allow a modified game client to log on to Battle.net successfully. However, like any protection mechanism, the new Lockdown module is not without its flaws, some of which are discussed in detail in this paper.
* Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battle.net using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battle.net. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client wheCathook Training Software
n logging on to Battle.net. In addition, the new authentication module also introduced run-time integrity checks of client binaries in memory. This is meant to provide simple detection of many client modifications (often labeled "hacks") that patch game code in-memory in order to modify game behavior. The Lockdown authentication module also introduced some anti-debugging techniques that are designed to make it more difficult to reverse engineer the module. In addition, several checks that are designed to make it difficult to simply load and run the Blizzard Lockdown module from the context of an unauthorized, non-Blizzard-game process. After all, if an attacker can simply load and run the Lockdown module in his or her own process, it becomes trivially easy to spoof the game client logon process, or to allow a modified game client to log on to Battle.net successfully. However, like any protection mechanism, the new Lockdown module is not without its flaws, some of which are discussed in detail in this paper.
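Review bot: this hunk corrupts the Lockdown abstract: `...spoofing a game client wheCathook Training Software` followed by `n logging on to Battle.net...` is the word `when` with the link text `Cathook Training Software` (the entry added under `#### Sort` above) pasted into the middle of it, splitting the paragraph across two lines. The line being removed is correct as written; drop this hunk entirely and keep only the Cathook bullet in the Sort section.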
------------


+ 0
- 26
Draft/Home Security.md

@ -1,26 +0,0 @@
##Home Security & Defense
Anchored window covers
[Home Alone with localhost - Automating Home Defense - Chris Littlebury Defcon22](https://www.youtube.com/watch?v=9Tbft190x3Q)
[Physical Home Security Options - DiabloHorn](https://diablohorn.wordpress.com/2014/07/13/physical-home-security-options/#more-984)
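Review bot: this removes `Home Security.md` (26 lines) without a corresponding addition anywhere in the visible diff; the Littlebury DEF CON 22 talk and DiabloHorn's physical home security post are not shown being moved, and the commit message (`Fixed README.md`) does not mention a deletion. If they were folded into `Phyiscal Security.md` (also touched in this commit but not shown here), say so in the message; otherwise the links are lost.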

+ 2
- 7
Draft/Honeypots.md

@ -1,12 +1,7 @@
## Honeypots
# Honeypots
## Table of Contents
### TOC
* Cull
* [General](#general)
* [Honeypots/nets](#honey)
* [Presentations](#talks)
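Review bot: `* Cull` is left as the first entry of the new Table of Contents; it is a to-do marker, not a section, and will render as a list item. Remove it or move it out of the list.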


+ 0
- 4
Draft/How_To_Suck_at_Information_Security.md

@ -1,4 +0,0 @@
# How To Suck at Information Security
* [How to Suck at Information Security – A Cheat Sheet](https://zeltser.com/suck-at-security-cheat-sheet/)
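Review bot: deleting this file drops the only link to Zeltser's 'How to Suck at Information Security' cheat sheet; nothing in the visible diff re-adds it. Either move the link into another page (a cheat-sheets or policy page would fit) in the same commit or note the removal in the commit message.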

+ 4
- 1
Draft/Interesting Things Useful stuff.md

@ -1,6 +1,6 @@
# Interesting Things & Useful Stuff
### TOC
## Table of Contents
* [Attribution](#attribution)
* [News/Reports](#news)
* [General](#general)
@ -29,6 +29,9 @@
#### To Sort
* sort and break into policy/high level/ vs interesting things
* [Programming Sucks](http://www.stilldrinking.org/programming-sucks)
http://spth.virii.lu/articles.htm
* [Virtualization Based Security - Part 2: kernel communications](http://blog.amossys.fr/virtualization-based-security-part2.html)
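Review bot: `http://spth.virii.lu/articles.htm` is added as a bare URL with no bullet or title, unlike every other entry in this list, so it renders as a loose paragraph between two list items; give it a `* [title](url)` entry. Also, `Virtualization Based Security - Part 2` is linked without Part 1 of the same series; link the series start or note that only Part 2 is intended.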


+ 30
- 33
Draft/Malware.md

@ -1,4 +1,4 @@
##Malware
# Malware
Table of Contents
* [General](#general)
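Review bot: `Table of Contents` stays as a bare text line while the heading above it is promoted to `# Malware`; the other files in this commit use `## Table of Contents`, so this one should match.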
@ -155,7 +155,7 @@ Android
APTs
### APTs
* [Clean up on Aisle APT - Mark Parsons](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t101-clean-up-on-aisle-apt-mark-parsons)
* This presentation will discuss findings from running multiple sinkholes over the past year. I have purchased multiple domains associated with 'APT' activity after the domains have expired. I will discuss initial expectations before beginning this journey and then discuss actual results and findings. To assist other researchers, suggestions and lessons learned from this experiment will be shared.
* [Decoding ZeuS disguised as an .RTF File](http://phishme.com/decoding-zeus-disguised-as-an-rtf-file/)
@ -183,13 +183,13 @@ APTs
AV
### AV
* [Escaping The Avast Sandbox Using A Single IOCTL](https://www.nettitude.co.uk/escaping-avast-sandbox-using-single-ioctl-cve-2016-4025)
* [AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf)
Botnets
### Botnets
* [Case study of the miner botnet](http://pnx.tf/files/2012_cycon-official_miner_plohmann_padilla.pdf)
* [Analysis of a Romanian Botnet](http://www.politoinc.com/2015/04/analysis-of-a-romanian-botnet/)
* Going from first sighting in logs to tracing attackers to their C2 IRC room
@ -200,7 +200,7 @@ Botnets
C2 Infrastructure
### C2 Infrastructure
* [Dead RATs: Exploiting malware C2 servers](https://samvartaka.github.io/exploitation/2016/06/03/dead-rats-exploiting-malware)
* [Hiding in Plain Sight: Advances in malware covert communication channels - BH2015 Pierre-Marc Bureau, Christian Dietrich](https://www.blackhat.com/docs/eu-15/materials/eu-15-Bureau-Hiding-In-Plain-Sight-Advances-In-Malware-Covert-Communication-Channels-wp.pdf)
* [fastfluxanalysis](https://github.com/staaldraad/fastfluxanalysis)
@ -210,7 +210,7 @@ C2 Infrastructure
Dynamic Analysis
### Dynamic Analysis
* [Unicorn VS. Malware](https://r3v3rs3r.wordpress.com/2015/12/12/unicorn-vs-malware/)
* [Dynamic Anti-Emulation using Blackbox Analysis by Second Part To Hell](http://spth.virii.lu/dynamic_anti_emulation.txt)
* Papers
@ -252,19 +252,19 @@ Dynamic Analysis
* rVMI is a debugger on steroids. It leverages Virtual Machine Introspection (VMI) and memory forensics to provide full system analysis. This means that an analyst can inspect userspace processes, kernel drivers, and preboot environments in a single tool. It was specifially designed for interactive dynamic malware analysis. rVMI isolates itself from the malware by placing its interactive debugging environment out of the virtual machine (VM) onto the hypervisor-level. Through the use of VMI the analyst still has full control of the VM, which allows her to pause the VM at any point in time and to use typical debugging features such as breakpoints and watchpoints. In addtion, rVMI provides access to the entire Rekall feature set, which enables an analyst to inspect the kernel and its data structures with ease.
Embedded
### Embedded
* [Analyzing Malware for Embedded Devices: TheMoon Worm](http://w00tsec.blogspot.com/2014/02/analyzing-malware-for-embedded-devices.html)
Exploit Kits
### Exploit Kits
* [How exploit packs are concealed in a Flash object](https://securelist.com/analysis/publications/69727/how-exploit-packs-are-concealed-in-a-flash-object/?utm_content=buffer5de59&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)
* [RIG Exploit Kit Writeup](https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/)
* [The Economics of Exploit Kits & E-Crime](http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense03-the-economics-of-exploit-kits-e-crime-adam-hogan)
* I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
Hashing
### Hashing
* [binwally](https://github.com/bmaia/binwally)
* [Binary and Directory tree comparison tool using the Fuzzy Hashing concept (ssdeep)](http://w00tsec.blogspot.com/2013/12/binwally-directory-tree-diff-tool-using.html)
* [Ssdeep](http://ssdeep.sourceforge.net/)
@ -272,27 +272,27 @@ Hashing
iOS
### iOS
General Analysis
### General Analysis
* [PortEX: Robust static anaylsis of Portable Executable Malware](https://evilzone.org/reverse-engineering/%28pdf%29-robust-static-analysis-of-portable-executable-malware/)
General
### General
* [Malvertising: Under The Hood by Chris Boyd - BSides Manchester2017](https://www.youtube.com/watch?v=VESvOsr91_M&index=1&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
Hunting Down Malware
### Hunting Down Malware
* [License to Kill: Malware Hunting with the Sysinternals Tools](https://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B308)
Mac/OS X
### Mac/OS X
* [Writing Bad @$$ Malware for OS X - Patrick Wardle](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf)
* [Offensive Malware Analysis: Dissecting OSX FruitFly - Patrick Wardle - DEF CON 25](https://www.youtube.com/watch?v=q7VZtCUphgg)
* FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years. In this talk, we'll focus on the 'B' variant of FruitFly that even now, is only detected by a handful of security products. We'll begin by analyzing the malware's dropper, an obfuscated perl script. As this language is rather archaic and uncommon in malware droppers, we'll discuss some debugging techniques and fully deconstruct the script.
* [I got 99 Problems, but 
Little Snitch ain’t one! - Defcon2016](https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-but-little-snitch-aint-one)
* [Let's Play Doctor:Practical OSX Malware Detection and Analysis - Patrick Wardle](https://www.youtube.com/watch?v=V9oAIUYjzl8)
Malware Repos
### Malware Repos
* [The Zoo](https://github.com/ytisf/theZoo)
* A repository of LIVE malwares for your own joy and pleasure
* [Mobile Malware dumps - Contagio](http://contagiominidump.blogspot.ca/)
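Review bot: `### iOS` is an empty section, immediately followed by `### General Analysis`; either populate it or drop the heading until there is content. `### General Analysis` and `### General` are two one-entry sections with near-identical names sitting back to back; merge them, or rename General Analysis to say what it covers (PE static analysis, going by its one entry). Visible in the hunk but not changed by it: the `I got 99 Problems, but` / `Little Snitch ain’t one!` link text is split across two lines and should be joined.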
@ -313,16 +313,16 @@ Malware Repos
* [ViruSign](http://www.virusign.com/)
Obfuscation
### Obfuscation
* [Data Obfuscation: Now you see me... Now you don't...](http://malwageddon.blogspot.com/2015/03/data-obfuscation-now-you-see-me-now-you.html)
* This blog post shows how malware authors use Adobe Flash files to hide their creations' 'sensitive' data. I'll be using 2 recent Neutrino EK and 1 FlashPack malvertising samples to demonstrate it. In the case of Neutrino EK our goal will be extraction and decryption of its configuration file and in the malvertising case we'll be after the initial payload URL + exploit shellcode.
Office Documents
### Office Documents
* [Loffice - Analyzing malicious documents using WinDbg](https://thembits.blogspot.com/2016/06/loffice-analyzing-malicious-documents.html)
Online Checkers
### Online Checkers
* [VirusTotal Mining](http://blog.9bplus.com/wp-content/uploads/2014/08/VirusTotal-Mining.pdf)
* [Malice](https://github.com/maliceio/malice)
* Malice's mission is to be a free open source version of VirusTotal that anyone can use at any scale from an independent researcher to a fortune 500 company.
@ -333,7 +333,7 @@ Online Checkers
(Un)Packers/Encoders
### (Un)Packers/Encoders
* --> See 'Packers' section under 'Writeups' in RE
* [Corkami - Packers](https://corkami.googlecode.com/files/packers.pdf)
* Beautiful.
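Review bot: `https://corkami.googlecode.com/files/packers.pdf` is a Google Code download URL; Google Code hosting was shut down in 2016, so this link should be checked and pointed at the project's current home.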
@ -360,7 +360,7 @@ WP-us-14-Mesbahi-Swinnen-One-packer-to-rule-them-all-Empirical-identification-co
* de4dot is an open source (GPLv3) .NET deobfuscator and unpacker written in C#. It will try its best to restore a packed and obfuscated assembly to almost the original assembly. Most of the obfuscation can be completely restored (eg. string encryption), but symbol renaming is impossible to restore since the original names aren't (usually) part of the obfuscated assembly.
Persistence
### Persistence
* [Poweliks: the persistent malware without a file](https://blog.gdatasoftware.com/blog/article/poweliks-the-persistent-malware-without-a-file.html)
* [Temporal Persistence with bitsadmin and schtasks](http://0xthem.blogspot.com/2014/03/t-emporal-persistence-with-and-schtasks.html)
* [Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
@ -368,7 +368,7 @@ Persistence
Static Analysis
### Static Analysis
* Tools
* [Pyew](https://code.google.com/p/pyew/)
* Pyew is a (command line) python tool to analyse malware. It does have support for hexadecimal viewing, disassembly (Intel 16, 32 and 64 bits), PE and ELF file formats (it performs code analysis and let you write scripts using an API to perform many types of analysis), follows direct call/jmp instructions in the interactive command line, displays function names and string data references; supports OLE2 format, PDF format and more. It also supports plugins to add more features to the tool.
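Review bot: `https://code.google.com/p/pyew/` is a Google Code project URL; hosting there was shut down in 2016 and the address redirects to the archive at best, so re-point it to the project's current repository.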
@ -379,17 +379,16 @@ Static Analysis
* [Presentation](https://www.youtube.com/watch?v=OPRqgEZXWOE)
* [Dependency Walker](http://www.dependencywalker.com/)
* Dependency Walker is a free utility that scans any 32-bit or 64-bit Windows module (exe, dll, ocx, sys, etc.) and builds a hierarchical tree diagram of all dependent modules. For each module found, it lists all the functions that are exported by that module, and which of those functions are actually being called by other modules. Another view displays the minimum set of required files, along with detailed information about each file including a full path to the file, base address, version numbers, machine type, debug information, and more.
Techniques
* [BG00 Injection on Steroids Code less Code Injections and 0 Day Techniques Paul Schofield Udi Yavo](https://www.youtube.com/watch?v=0BAaAM2wD4s)
* [[Slides]Injection on Steroids: Code-less Code Injections and 0-Day Techniques](https://breakingmalware.com/injection-techniques/code-less-code-injections-and-0-day-techniques/)
* [Amoco - Static binary analysis tool](https://github.com/bdcht/amoco)
* Amoco is a python package dedicated to the (static) analysis of binaries.
* [Code Injection Techniques -2013](http://resources.infosecinstitute.com/code-injection-techniques/)
* Techniques
* [BG00 Injection on Steroids Code less Code Injections and 0 Day Techniques Paul Schofield Udi Yavo](https://www.youtube.com/watch?v=0BAaAM2wD4s)
* [[Slides]Injection on Steroids: Code-less Code Injections and 0-Day Techniques](https://breakingmalware.com/injection-techniques/code-less-code-injections-and-0-day-techniques/)
* [Amoco - Static binary analysis tool](https://github.com/bdcht/amoco)
* Amoco is a python package dedicated to the (static) analysis of binaries.
* [Code Injection Techniques -2013](http://resources.infosecinstitute.com/code-injection-techniques/)
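Review bot: nesting `Techniques` under `### Static Analysis` is tidier than the loose lines it replaces, but the entries (Injection on Steroids, Code Injection Techniques) are process-injection techniques, not static-analysis tooling; Amoco, a static binary-analysis package, is the only one that actually belongs here. Move the injection links to their own `### Techniques` (or an injection section) and keep Amoco alongside Pyew and Dependency Walker.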
Virtual Machines
### Virtual Machines
* [antivmdetection](https://github.com/nsmfoo/antivmdetection)
* Script to create templates to use with VirtualBox to make vm detection harder.
* [Breaking the Sandbox - Sudeep Singh](http://www.exploit-db.com/wp-content/themes/exploit/docs/34591.pdf)
@ -411,7 +410,7 @@ Virtual Machines
* [Win32_BIOS class](https://msdn.microsoft.com/en-us/library/aa394077(v=vs.85).aspx)
Windows
### Windows
* [Trojan.Foxy writeup](http://www.cyberesi.com/2011/08/31/trojan-foxy/)
* Today I will write about a sample that I will refer to as Trojan.Foxy. Trojan.Foxy requests and parses .JPG images that contain encoded instructions. The encoding algorithm used by this Trojan is loosely based off of the Vigenère cipher; however there is a deviation in how the cipher is applied.
* [Uroburos](https://blog.gdatasoftware.com/blog/article/uroburos-highly-complex-espionage-software-with-russian-roots.html)
@ -443,9 +442,7 @@ Windows
* Inject JS into native apps
* [Maltrail](https://github.com/stamparm/maltrail)
* Maltrail is a malicious traffic detection system, utilizing publicly available (black)lists containing malicious and/or generally suspicious trails, along with static trails compiled from various AV reports and custom user defined lists, where trail can be anything from domain name (e.g. zvpprsensinaix.com for Banjori malware), URL (e.g. http://109.162.38.120/harsh02.exe for known malicious executable), IP address (e.g. 185.130.5.231 for known attacker) or HTTP User-Agent header value (e.g. sqlmap for automatic SQL injection and database takeover tool). Also, it uses (optional) advanced heuristic mechanisms that can help in discovery of unknown threats (e.g. new malware).
[PowerLoaderEX](https://github.com/BreakingMalware/PowerLoaderEx)
* [PowerLoaderEX](https://github.com/BreakingMalware/PowerLoaderEx)
* [Software Distribution Malware Infection Vector](http://dl.packetstormsecurity.net/papers/general/Software.Distribution.Malware.Infection.Vector.pdf)
* In this paper we present an efficient mechanism as well as the corresponding reference implementation for on- the-fly infecting of executable code with malicious soft- ware. Our algorithm deploys virus infection routines and network redirection attacks, without requiring to modify the application itself. This allows to even infect executa- bles with a embedded signature when the signature is not automatically verified before execution. We briefly dis- cuss also countermeasures such as secure channels, code authentication as well as trusted virtualization that en- ables the isolation of untrusted downloads from other ap- plication running in trusted domains or compartments.
* [Statistical Structures: Fingerprinting Malware for Classification and Analysis - Daniel Bilar](https://www.blackhat.com/presentations/bh-usa-06/BH-US-06-Bilar.pdf)
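Review bot: the PowerLoaderEX bullet fix is right, but the surrounding `### Windows` list includes Maltrail, a network traffic detection system rather than Windows malware; it belongs on the NSM/logging page. The 'Software Distribution Malware Infection Vector' description still carries PDF copy hyphenation (`soft- ware`, `executa- bles`, `dis- cuss`, `en- ables`, `ap- plication`) that should be joined.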


+ 369
- 320
Draft/Network Attacks & Defenses.md
File diff suppressed because it is too large


+ 68
- 106
Draft/Network Security Monitoring & Logging.md

@ -1,8 +1,9 @@
##Network Security Monitoring
# Logging/Network Security Monitoring
Cull
## Table of Contents
* [Presentations/Videos](#videos)
* [Writeups](#writeups)
* [Tools](#tools)
@ -48,17 +49,13 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
### <a name="videos">Presentations/Videos</a>
[Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools - DEFCON22 - Zach Fasel](https://www.youtube.com/watch?v=2AAnVeIwXBo)
* Many struggle in their job with the decision of what events to log in battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big-data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can extensively grow (or keep sized just right) with just additional hardware cost and show numerous examples you can implement as soon as you get back to work (or home).
[Current State of Virtualizing Network Monitoring](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t202-current-state-of-virtualizing-network-monitoring-daniel-lohin-ed-sealing)
[The fox is in the Henhouse - Detecting a breach before the damage is done](http://www.irongeek.com/i.php?page=videos/houseccon2015/t302-the-fox-is-in-the-henhouse-detecting-a-breach-before-the-damage-is-done-josh-sokol)
[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
[Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
* [Logging ALL THE THINGS Without All The Cost With Open Source Big Data Tools - DEFCON22 - Zach Fasel](https://www.youtube.com/watch?v=2AAnVeIwXBo)
* Many struggle in their job with the decision of what events to log in battle against costly increases to their licensing of a commercial SIEM or other logging solution. Leveraging the open source solutions used for "big-data" that have been proven by many can help build a scalable, reliable, and hackable event logging and security intelligence system to address security and (*cringe*) compliance requirements. We’ll walk through the various components and simple steps to building your own logging environment that can extensively grow (or keep sized just right) with just additional hardware cost and show numerous examples you can implement as soon as you get back to work (or home).
* [[Current State of Virtualizing Network Monitoring](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t202-current-state-of-virtualizing-network-monitoring-daniel-lohin-ed-sealing)
* [[The fox is in the Henhouse - Detecting a breach before the damage is done](http://www.irongeek.com/i.php?page=videos/houseccon2015/t302-the-fox-is-in-the-henhouse-detecting-a-breach-before-the-damage-is-done-josh-sokol)
* [[Passive IPS Reconnaissance and Enumeration - false positive (ab)use - Arron Finnon](https://vimeo.com/108775823)
* Network Intrusion Prevention Systems or NIPS have been plagued by "False Positive" issues almost since their first deployment. A "False Positive" could simply be described as incorrectly or mistakenly detecting a threat that is not real. A large amount of research has gone into using "False Positive" as an attack vector either to attack the very validity of an IPS system or to conduct forms of Denial of Service attacks. However the very reaction to a "False Positive" in the first place may very well reveal more detailed information about defences than you might well think.
* [[Public:Windows Event Log Zero 2 Hero Slides](https://docs.google.com/presentation/d/1dkrldTTlN3La-OjWtkWJBb4hVk6vfsSMBFBERs6R8zA/edit#slide=id.g21acf94f3f_2_27)
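Review bot: four of the five converted entries gained a doubled opening bracket (`* [[Current State...`, `* [[The fox...`, `* [[Passive IPS...`, `* [[Public:Windows...`); Markdown renders the extra `[` as a literal bracket in front of each link. Only `* [Logging ALL THE THINGS...` is correct; drop the extra `[` on the other four.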
@ -68,15 +65,11 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
### <a name="writeups"></a>Writeups
[Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
[Shellcode Analysis Pipeline](https://7h3ram.github.io/2014/3/18/shellcode-pipeline/)
* I recently required an automated way of analyzing shellcode and verifying if it is detected by Libemu, Snort, Suricata, Bro, etc. Shellcode had to come from public sources like Shell-Storm, Exploit-DB and Metasploit. I needed an automated way of sourcing shellcode from these projects and pass it on to the analysis engines in a pipeline-like mechanism. This posts documents the method I used to complete this task and the overall progress of the project.
[Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response](https://www.sans.org/reading-room/whitepapers/forensics/building-home-network-configured-collect-artifacts-supporting-network-forensic-incident-response-37302)
[Automating large-scale memory forensics](https://medium.com/@henrikjohansen/automating-large-scale-memory-forensics-fdc302dc3383)
* [[Many ways of malware persistence (that you were always afraid to ask) ](http://jumpespjump.blogspot.com/2015/05/many-ways-of-malware-persistence-that.html)
* [[Shellcode Analysis Pipeline](https://7h3ram.github.io/2014/3/18/shellcode-pipeline/)
* I recently required an automated way of analyzing shellcode and verifying if it is detected by Libemu, Snort, Suricata, Bro, etc. Shellcode had to come from public sources like Shell-Storm, Exploit-DB and Metasploit. I needed an automated way of sourcing shellcode from these projects and pass it on to the analysis engines in a pipeline-like mechanism. This posts documents the method I used to complete this task and the overall progress of the project.
* [[Building a Home Network Configured to Collect Artifacts for Supporting Network Forensic Incident Response](https://www.sans.org/reading-room/whitepapers/forensics/building-home-network-configured-collect-artifacts-supporting-network-forensic-incident-response-37302)
* [[Automating large-scale memory forensics](https://medium.com/@henrikjohansen/automating-large-scale-memory-forensics-fdc302dc3383)
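Review bot: the four rewritten Writeups entries (`* [[Many ways of malware persistence ...` through `* [[Automating large-scale memory forensics]...`) carry a doubled opening bracket, which leaves a literal `[` before the link text when rendered; the lines being replaced used a single `[`, so the fix is to keep that, e.g. `* [Automating large-scale memory forensics](https://medium.com/@henrikjohansen/automating-large-scale-memory-forensics-fdc302dc3383)`, for all four.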
@ -84,39 +77,27 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
### <a name="tools">Tools</a>
[Security Onion](http://blog.securityonion.net/p/securityonion.html)
* Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
[Pip3line, the Swiss army knife of byte manipulation](https://nccgroup.github.io/pip3line/index.html)
* Pip3line is a raw bytes manipulation utility, able to apply well known and less well known transformations from anywhere to anywhere (almost).
[RITA - Real Intelligence Threat Analytics](https://github.com/ocmdev/rita)
* RITA is an open source network traffic analysis framework.
[Malcom - Malware Communication Analyzer](https://github.com/tomchop/malcom)
* Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
[Captipper](http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html)
* CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic.
CapTipper sets up a web server that acts exactly as the server in the PCAP file,
and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.
[CapLoader](http://www.netresec.com/?page=CapLoader)
* CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader performs indexing of PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
[dnstwist](https://github.com/elceef/dnstwist)
* Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
[PowerShellMethodAuditor](https://github.com/zacbrown/PowerShellMethodAuditor)
[WMI-IDS](https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS)
* WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time.
[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
* [[Security Onion](http://blog.securityonion.net/p/securityonion.html)
* Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
* [[Pip3line, the Swiss army knife of byte manipulation](https://nccgroup.github.io/pip3line/index.html)
* Pip3line is a raw bytes manipulation utility, able to apply well known and less well known transformations from anywhere to anywhere (almost).
* [[RITA - Real Intelligence Threat Analytics](https://github.com/ocmdev/rita)
* RITA is an open source network traffic analysis framework.
* [[Malcom - Malware Communication Analyzer](https://github.com/tomchop/malcom)
* Malcom is a tool designed to analyze a system's network communication using graphical representations of network traffic, and cross-reference them with known malware sources. This comes handy when analyzing how certain malware species try to communicate with the outside world.
* [[Captipper](http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html)
* CapTipper is a python tool to analyze, explore and revive HTTP malicious traffic. CapTipper sets up a web server that acts exactly as the server in the PCAP file, and contains internal tools, with a powerful interactive console, for analysis and inspection of the hosts, objects and conversations found.
* [[CapLoader](http://www.netresec.com/?page=CapLoader)
* CapLoader is a Windows tool designed to handle large amounts of captured network traffic. CapLoader performs indexing of PCAP/PcapNG files and visualizes their contents as a list of TCP and UDP flows. Users can select the flows of interest and quickly filter out those packets from the loaded PCAP files. Sending the selected flows/packets to a packet analyzer tool like Wireshark or NetworkMiner is then just a mouse click away.
* [[dnstwist](https://github.com/elceef/dnstwist)
* Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
* [[PowerShellMethodAuditor](https://github.com/zacbrown/PowerShellMethodAuditor)
* [[WMI-IDS](https://github.com/fireeye/flare-wmi/tree/master/WMI-IDS)
* WMI-IDS is a proof-of-concept agent-less host intrusion detection system designed to showcase the unique ability of WMI to respond to and react to operating system events in real-time.
* [[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
* [[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
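Review bot: every entry in the rebuilt Tools list, from `* [[Security Onion]` to `* [[Netdude]`, has the doubled `[[` while the descriptions nested under them are fine; one `[` per link, e.g. `* [Security Onion](http://blog.securityonion.net/p/securityonion.html)`. Folding the three CapTipper description lines into a single nested bullet is the right call and is what the other multi-line descriptions in this file should get too.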
@ -145,15 +126,12 @@ and contains internal tools, with a powerful interactive console, for analysis a
* [Bro QuickStart](https://www.bro.org/sphinx/quickstart/index.html)
* [Writing Bro Scripts](https://www.bro.org/sphinx/scripting/index.html)
* [Bro Script References](https://www.bro.org/sphinx/script-reference/index.html)
[ bro-intel-generator](https://github.com/exp0se/bro-intel-generator)
* Script for generating Bro intel files from pdf or html reports
[bro-domain-generation](https://github.com/denji/bro-domain-generation)
* Detect domain generation algorithms (DGA) with Bro. The module will regularly generate domains by any implemented algorithms and watch for those domains in DNS queries. This script only works with Bro 2.1+.
[Exfil Framework](https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework)
* The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).
* [[ bro-intel-generator](https://github.com/exp0se/bro-intel-generator)
* Script for generating Bro intel files from pdf or html reports
* [[bro-domain-generation](https://github.com/denji/bro-domain-generation)
* Detect domain generation algorithms (DGA) with Bro. The module will regularly generate domains by any implemented algorithms and watch for those domains in DNS queries. This script only works with Bro 2.1+.
* [[Exfil Framework](https://github.com/reservoirlabs/bro-scripts/tree/master/exfil-detection-framework)
* The Exfil Framework is a suite of Bro scripts that detect file uploads in TCP connections. The Exfil Framework can detect file uploads in most TCP sessions including sessions that have encrypted payloads (SCP,SFTP,HTTPS).
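Review bot: `* [[ bro-intel-generator](https://github.com/exp0se/bro-intel-generator)` keeps both the doubled bracket and the leading space inside the link text that the old line already had; write it as `* [bro-intel-generator](https://github.com/exp0se/bro-intel-generator)`, and drop the second `[` on the bro-domain-generation and Exfil Framework entries as well.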
@ -171,8 +149,8 @@ and contains internal tools, with a powerful interactive console, for analysis a
* [Argus How-To](http://qosient.com/argus/howto.shtml)
* [Argus Manual](http://qosient.com/argus/manuals.shtml)
[bmon - bandwidth monitor and rate estimator](https://github.com/tgraf/bmon)
* bmon is a monitoring and debugging tool to capture networking related statistics and prepare them visually in a human friendly way. It features various output methods including an interactive curses user interface and a programmable text output for scripting.
* [bmon - bandwidth monitor and rate estimator](https://github.com/tgraf/bmon)
* bmon is a monitoring and debugging tool to capture networking related statistics and prepare them visually in a human friendly way. It features various output methods including an interactive curses user interface and a programmable text output for scripting.
@ -180,20 +158,13 @@ and contains internal tools, with a powerful interactive console, for analysis a
### DNS
[DNSChef](https://thesprawl.org/projects/dnschef/)
* DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka "Fake DNS") is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for "badguy.com" to point to a local machine for termination or interception instead of a real host somewhere on the Internet.
[Passive DNS](https://github.com/gamelinux/passivedns)
* A tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics. * PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in-memory, limiting the amount of data in the logfile without losing the essense in the DNS answer.
[Passive DNS](https://github.com/gamelinux/passivedns)
* A tool to collect DNS records passively to aid Incident handling, Network
Security Monitoring (NSM) and general digital forensics.
* PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs
the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate
DNS answers in-memory, limiting the amount of data in the logfile without
losing the essense in the DNS answer.
* [DNSChef](https://thesprawl.org/projects/dnschef/)
* DNSChef is a highly configurable DNS proxy for Penetration Testers and Malware Analysts. A DNS proxy (aka "Fake DNS") is a tool used for application network traffic analysis among other uses. For example, a DNS proxy can be used to fake requests for "badguy.com" to point to a local machine for termination or interception instead of a real host somewhere on the Internet.
* [Passive DNS](https://github.com/gamelinux/passivedns)
* A tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics. * PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in-memory, limiting the amount of data in the logfile without losing the essense in the DNS answer.
* [Passive DNS](https://github.com/gamelinux/passivedns)
* A tool to collect DNS records passively to aid Incident handling, Network Security Monitoring (NSM) and general digital forensics.
* PassiveDNS sniffs traffic from an interface or reads a pcap-file and outputs the DNS-server answers to a log file. PassiveDNS can cache/aggregate duplicate DNS answers in-memory, limiting the amount of data in the logfile without losing the essense in the DNS answer.
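Review bot: the new text still lists Passive DNS twice: once as `* [Passive DNS](https://github.com/gamelinux/passivedns)` with a single description line that has `* PassiveDNS sniffs traffic ...` run into the middle of the sentence, and again immediately after with the description correctly split into two nested bullets. Keep only the second copy, and while touching it correct "essense" to "essence" in the kept description.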
@ -203,33 +174,24 @@ losing the essense in the DNS answer.
### <a name="monitor">IDS/IPS Monitoring Tools</a>
[Snorby](https://www.snorby.org/)
[Snorby - Github](https://github.com/snorby/snorby)
* Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.
[Squil](https://bammv.github.io/sguil/index.html)
* Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, *BSD, Solaris, MacOS, and Win32).
* [Squil FAQ](http://nsmwiki.org/Sguil_FAQ)
[Squert](
* Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.
* [Slide Deck on Squert](https://ea01c580-a-62cb3a1a-s-sites.googlegroups.com/site/interrupt0x13h/squert-canheit2014.pdf?attachauth=ANoY7crNJbed8EeVy3r879eb2Uze_ky7eiO-jvwXp2J7ik_hOyk0kK6uhX3_oT3u4Kuzw7AiuTAQhYGze5jdlQ-w8lagM1--XESGAf0ebLBZU6bGYd7mIC9ax1H49jvQHGb8kojEal8bayL0evZpOFqsr135DpazJ6F5HkVACpHyCqh3Gzafuxxog_Ybp7k4IgqltqH0pZddcIcjI0LwhHaj3Al085C3tbw2YMck1JQSeeBYvF9hL-0%3D&attredirects=0)
* [Snorby](https://www.snorby.org/)
* [Snorby - Github](https://github.com/snorby/snorby)
* Snorby is a ruby on rails web application for network security monitoring that interfaces with current popular intrusion detection systems (Snort, Suricata and Sagan). The basic fundamental concepts behind Snorby are simplicity, organization and power. The project goal is to create a free, open source and highly competitive application for network monitoring for both private and enterprise use.
* [Squil](https://bammv.github.io/sguil/index.html)
* Sguil (pronounced sgweel) is built by network security analysts for network security analysts. Sguil's main component is an intuitive GUI that provides access to realtime events, session data, and raw packet captures. Sguil facilitates the practice of Network Security Monitoring and event driven analysis. The Sguil client is written in tcl/tk and can be run on any operating system that supports tcl/tk (including Linux, * BSD, Solaris, MacOS, and Win32).
* [Squil FAQ](http://nsmwiki.org/Sguil_FAQ)
* [Squert](
* Squert is a web application that is used to query and view event data stored in a Sguil database (typically IDS alert data). Squert is a visual tool that attempts to provide additional context to events through the use of metadata, time series representations and weighted and logically grouped result sets. The hope is that these views will prompt questions that otherwise may not have been asked.
* [Slide Deck on Squert](https://ea01c580-a-62cb3a1a-s-sites.googlegroups.com/site/interrupt0x13h/squert-canheit2014.pdf?attachauth=ANoY7crNJbed8EeVy3r879eb2Uze_ky7eiO-jvwXp2J7ik_hOyk0kK6uhX3_oT3u4Kuzw7AiuTAQhYGze5jdlQ-w8lagM1--XESGAf0ebLBZU6bGYd7mIC9ax1H49jvQHGb8kojEal8bayL0evZpOFqsr135DpazJ6F5HkVACpHyCqh3Gzafuxxog_Ybp7k4IgqltqH0pZddcIcjI0LwhHaj3Al085C3tbw2YMck1JQSeeBYvF9hL-0%3D&attredirects=0)
* [Install/setup/etc - Github](https://github.com/int13h/squert)
[ROCK NSM](http://rocknsm.io/)
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
[flowbat](http://www.appliednsm.com/introducing-flowbat/)
* Awesome flow tool, SiLK backend
[Stenographer](https://github.com/google/stenographer)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Aktaion: Open Source Tool For "Micro Behavior Based" Exploit Detection and Automated GPO Policy Generation](https://github.com/jzadeh/Aktaion)
* Aktaion is a lightweight JVM based project for detecting exploits (and more generally attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The cool thing about the project is it provides an expressive mechanism to add high level IOCs (micro beahviors) such as timing behavior of a certain malware family.
* [ROCK NSM](http://rocknsm.io/)
* [Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
* [flowbat](http://www.appliednsm.com/introducing-flowbat/)
* Awesome flow tool, SiLK backend
* [Stenographer](https://github.com/google/stenographer)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
* [Aktaion: Open Source Tool For "Micro Behavior Based" Exploit Detection and Automated GPO Policy Generation](https://github.com/jzadeh/Aktaion)
* Aktaion is a lightweight JVM based project for detecting exploits (and more generally attack behaviors). The project is meant to be a learning/teaching tool on how to blend multiple security signals and behaviors into an expressive framework for intrusion detection. The cool thing about the project is it provides an expressive mechanism to add high level IOCs (micro beahviors) such as timing behavior of a certain malware family.
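Review bot: `* [Squert](` is a link with no URL and no closing parenthesis, so it renders as literal text; supply the project's URL or make the entry plain `* Squert` and let the existing `* [Install/setup/etc - Github](https://github.com/int13h/squert)` line carry the link. Three smaller points on the same lines: the link texts `[Squil](https://bammv.github.io/sguil/index.html)` and `[Squil FAQ]` misspell the tool that the description itself calls Sguil; changing `*BSD` to `* BSD` in the Sguil description dodges the italic marker but alters the platform name, and `\*BSD` does the same job without that side effect; and the Stenographer entry now appears both here under IDS/IPS Monitoring Tools and in the Tools section earlier in this file with an identical description, so one of the two copies can go.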


+33 -44 Draft/Open Source Intelligence.md

@ -1,8 +1,7 @@
## Open Source Intelligence
# Open Source Intelligence
### TOC
* Cull
## Table of Contents
* [General](#general)
* [Articles/Writeups](#writeups)
* [Presentations & Talks](#talks)
@ -55,12 +54,12 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
--------------------
### <a name="general"></a>General
General
* SWOT - Strengths, Weaknesses, Opportunities, Threats
* **General**
* SWOT - Strengths, Weaknesses, Opportunities, Threats
* 101
* [Open Source Intelligence - Wikipedia](http://en.wikipedia.org/wiki/Open-source_intelligence)
* Alerting
* [Google Trends](https://trends.google.com/trends/)
* [Google Trends](https://trends.google.com/trends/)
* See what are the popular related topics people are searching for. This will help widen your search scope.
* [Google Alerts](https://www.google.com/alerts)
* Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries.
@ -119,27 +118,26 @@ General
-------------
### <a name="tools"></a>OSINT Tools/Resources
**Tools**
* [blacksheepwall](https://github.com/tomsteele/blacksheepwall)
* blacksheepwall is a hostname reconnaissance tool
* [Creepy.py](http://ilektrojohn.github.io/creepy/)
* Description: Creepy is a geolocation OSINT tool. Gathers geolocation related information from online sources, and allows for presentation on map, search filtering based on exact location and/or date, export in csv format or kml for further analysis in Google Maps.
* [Maltego](https://www.paterva.com/web6/products/maltego.php)
* Description: What you use to tie everything together.
* [OpenRefine](https://github.com/OpenRefine/OpenRefine)
* Description: OpenRefine is a power tool that allows you to load data, understand it, clean it up, reconcile it to master database, and augment it with data coming from Freebase or other web sources. All with the comfort and privacy of your own computer.
* [Oryon C Portable](http://osintinsight.com/oryon.php)
* Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations. Oryon comes with dozens of pre-installed tools and a select set of links cataloged by category – including those that can be found in the OI Shared Resources.
* [OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* Description: Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
* [TouchGraph SEO Browser](http://www.touchgraph.com/seo)
* Use this free Java application to explore the connections between related websites.
* **Tools**
* [blacksheepwall](https://github.com/tomsteele/blacksheepwall)
* blacksheepwall is a hostname reconnaissance tool
* [Creepy.py](http://ilektrojohn.github.io/creepy/)
* Description: Creepy is a geolocation OSINT tool. Gathers geolocation related information from online sources, and allows for presentation on map, search filtering based on exact location and/or date, export in csv format or kml for further analysis in Google Maps.
* [Maltego](https://www.paterva.com/web6/products/maltego.php)
* Description: What you use to tie everything together.
* [OpenRefine](https://github.com/OpenRefine/OpenRefine)
* Description: OpenRefine is a power tool that allows you to load data, understand it, clean it up, reconcile it to master database, and augment it with data coming from Freebase or other web sources. All with the comfort and privacy of your own computer.
* [Oryon C Portable](http://osintinsight.com/oryon.php)
* Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations. Oryon comes with dozens of pre-installed tools and a select set of links cataloged by category – including those that can be found in the OI Shared Resources.
* [OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* Description: Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
* [TouchGraph SEO Browser](http://www.touchgraph.com/seo)
* Use this free Java application to explore the connections between related websites.
------------------
#### <a name="ppl"></a>Company/People Searching
Company/People Searching
* [data.com](https://www.data.com/)
* [LittleSis](https://littlesis.org/)
* LittleSis is a free database of who-knows-who at the heights of business and government.
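Review bot: now that the entries are nested under `* **Tools**`, the `Description:` prefix on the Creepy.py, Maltego, OpenRefine and Recon-ng bullets is the odd one out against the other descriptions in the same list; dropping it while these lines are being re-indented anyway keeps the list uniform. Removing the plain `Company/People Searching` line that duplicated the heading below is fine.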
@ -162,7 +160,6 @@ Company/People Searching
-------------
#### <a name="cvs"></a>CVS/Git/Similar Focused
CVS/Git/Similar Focused
* [repo-supervisor](https://github.com/auth0/repo-supervisor)
* [GitPrey](https://github.com/repoog/GitPrey)
* GitPrey is a tool for searching sensitive information or data according to company name or key word something.The design mind is from searching sensitive data leakling in Github:
@ -185,7 +182,6 @@ when directory browsing is turned off.
----------------
###### <a name="dns"></a>DNS Stuff
DNS Stuff
* [dauntless](https://github.com/cmeister2/dauntless)
* Tools for analysing the forward DNS data set published at https://scans.io/study/sonar.fdns_v2
* [dnstwist](https://github.com/elceef/dnstwist)
@ -198,7 +194,7 @@ DNS Stuff
-------------
#### <a name="email"></a>Email Gathering/Reconnaissance
Email Gathering/Reconnaissance
* **Articles/Writeups**
* [OSINT Through Sender Policy Framework Records](https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records)
* Tools
* [SimplyEmail](https://github.com/killswitch-GUI/SimplyEmail)
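Review bot: `* **Articles/Writeups**` is bolded but the sibling category `* Tools` two lines below stays plain; the Tools section earlier in this file uses `* **Tools**`, so bold both here for consistency.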
@ -215,24 +211,22 @@ Email Gathering/Reconnaissance
-------------
#### <a name="search"></a>Fancy Search Engines
Fancy Search Engines
* [Entity Cube](http://entitycube.research.microsoft.com/)
* EntityCube is a research prototype for exploring object-level search technologies, which automatically summarizes the Web for entities (such as people, locations and organizations) with a modest web presence.
* [Silobreaker](http://www.silobreaker.com/)
* Enterprise Semantic Search Engine, allows virtualisation of data, analytics and exploration of key data.
* [iSeek](http://www.iseek.com/#/web)
* Another handy search engine that break results down into easy to manage categories.
* [Carrot2](http://search.carrot2.org/stable/search)
* Carrot2 organizes your search results into topics. With an instant overview of what's available, you will quickly find what you're looking for.
* [Sqoop](http://sqoop.com/)
* OSINT search engine of public documents(handy)
* [GlobalFileSearch](https://ftplike.com)
* [Entity Cube](http://entitycube.research.microsoft.com/)
* EntityCube is a research prototype for exploring object-level search technologies, which automatically summarizes the Web for entities (such as people, locations and organizations) with a modest web presence.
* [Silobreaker](http://www.silobreaker.com/)
* Enterprise Semantic Search Engine, allows virtualisation of data, analytics and exploration of key data.
* [iSeek](http://www.iseek.com/#/web)
* Another handy search engine that break results down into easy to manage categories.
* [Carrot2](http://search.carrot2.org/stable/search)
* Carrot2 organizes your search results into topics. With an instant overview of what's available, you will quickly find what you're looking for.
* [Sqoop](http://sqoop.com/)
* OSINT search engine of public documents(handy)
* [GlobalFileSearch](https://ftplike.com)
* An FTP Search Engine that may come in handy.
-------------
#### <a name="meta"></a>General Meta Data
General Meta-Data
* [Just-Metadata](https://github.com/ChrisTruncer/Just-Metadata)
* Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.
* [MetaGooFil](https://code.google.com/p/metagoofil/)
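Review bot: the Fancy Search Engines entries, from `    * [Entity Cube](http://entitycube.research.microsoft.com/)` to `    * [GlobalFileSearch](https://ftplike.com)`, are re-indented by one level but no parent bullet is visible above them in the new text, unlike the `* **Tools**` line added in the Tools section; in CommonMark-style renderers an indented run directly after a heading is treated as an indented code block, so either add a parent bullet or leave these entries at top level. Removing the plain `General Meta-Data` line under the heading below matches the cleanup in the other sections and looks right.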
@ -249,7 +243,6 @@ General Meta-Data
-------------
#### <a name="scrape"></a> General Data Scrapers
General Data Scrapers
* [XRAY](https://github.com/evilsocket/xray)
* XRay is a tool for recon, mapping and OSINT gathering from public networks.
* [NameCheck](https://www.namecheck.com)
@ -262,7 +255,6 @@ General Data Scrapers
-------------
#### <a name="gh"></a>Google Hacking
Google Hacking
* [Google Hacking for Penetration Testers](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)
* [ExpoitDB archive of the google hacking database](http://www.exploit-db.com/google-dorks/)
* [Google Hacking Database](http://www.hackersforcharity.org/ghdb/)
@ -278,7 +270,6 @@ Google Hacking
-----------
### <a name="nin"></a>Network Information Search Engines
Network Information Search Engines
* [Whoisology](https://whoisology.com/)
* Whoisology is a domain name ownership archive with literally billions of searchable and cross referenced domain name whois records.
@ -288,7 +279,6 @@ Network Information Search Engines
------------------------
##### <a name="site"></a>Site Specific
Site Specific Tools
* AWS
* [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
* AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.