
Continuing cleanup, check what's new file

Branch: pull/8/head
Author: root, 6 years ago
Parent commit: 48ef4f2183
35 changed files with 2575 additions and 766 deletions
1. Draft/Anonymity Opsec Privacy -.md (+2 -2)
2. Draft/Attacking Defending Android -.md (+9 -0)
3. Draft/Attacking Defending iOS -.md (+55 -4)
4. Draft/BIOS UEFI Attacks Defenses.md (+12 -0)
5. Draft/Building A Pentest Lab.md (+22 -2)
6. Draft/Car Hacking.md (+59 -5)
7. Draft/Courses & Training -.md (+25 -6)
8. Draft/Cryptography & Encryption.md (+82 -39)
9. Draft/Data AnalysisVisualization.md (+57 -46)
10. Draft/Documentation & Reports -.md (+15 -0)
11. Draft/Embedded Device & Hardware Hacking -.md (+51 -15)
12. Draft/Exploit Development.md (+91 -47)
13. Draft/Forensics Incident Response.md (+5 -4)
14. Draft/Fuzzing Bug Hunting.md (+87 -35)
15. Draft/Honeypots -.md (+83 -24)
16. Draft/Interesting Things Useful stuff.md (+43 -30)
17. Draft/Lockpicking -.md (+2 -1)
18. Draft/Mainframes.md (+13 -0)
19. Draft/Malware.md (+55 -8)
20. Draft/Network Attacks & Defenses.md (+42 -7)
21. Draft/Network Security Monitoring & Logging.md (+127 -48)
22. Draft/Open Source Intelligence.md (+67 -17)
23. Draft/Password Bruting and Hashcracking.md (+38 -17)
24. Draft/Policy-Compliance.md (+13 -0)
25. Draft/Privilege Escalation & Post-Exploitation.md (+181 -11)
26. Draft/Programming - Languages Libs Courses References.md (+110 -60)
27. Draft/Reverse Engineering.md (+54 -16)
28. Draft/Securing Hardening.md (+21 -48)
29. Draft/Social Engineering.md (+59 -58)
30. Draft/System Internals Windows and Linux Internals Reference.md (+196 -119)
31. Draft/Threat Modeling.md (+4 -0)
32. Draft/Web & Browsers.md (+153 -95)
33. Draft/Wireless Networks & RF.md (+24 -2)
34. Draft/sekep.md (+0 -0)
35. Draft/things-added.md (+718 -0)

Draft/Anonymity Opsec Privacy -.md (+2 -2)

@ -93,7 +93,7 @@ https://github.com/NullHypothesis/exitmap/issues/37
### **<a name="Talks">Talks & Videos</a>**
### **<a name="Talks">Talks & Videos(& Presentatios)</a>**
| Title | Link
| -------- | --------- |
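Review bot: the renamed heading on the second line of this hunk carries a typo, `Talks & Videos(& Presentatios)`; it should read `Talks & Videos (& Presentations)`, with a space before the parenthesis so it matches the other headings in the file.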
@ -114,7 +114,7 @@ https://github.com/NullHypothesis/exitmap/issues/37
[ Retail Surveillance / Retail Countersurveillance 50 most unwanted retail surveillance technologies / 50 most wanted countersurveillance technologies](https://media.ccc.de/v/33c3-8238-retail_surveillance_retail_countersurveillance#video&t=1993)
[OPSEC Concerns in Using Crypto](https://www.slideshare.net/JohnCABambenek/defcon-crypto-village-opsec-concerns-in-using-crypto)
### **<a name="Tools">Tools</a>**
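Review bot: the two links added in this hunk (Retail Surveillance and OPSEC Concerns in Using Crypto) are bare markdown links dropped into a section that the previous hunk shows as a `| Title | Link |` table, so they will render outside the table. Either add them as table rows (`| **OPSEC Concerns in Using Crypto** | https://www.slideshare.net/JohnCABambenek/defcon-crypto-village-opsec-concerns-in-using-crypto |`) or move them below the table's last row.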


Draft/Attacking Defending Android -.md (+9 -0)

@ -30,9 +30,11 @@ Cull
[Droidsec - Pretty much should be your first stop](http://www.droidsec.org/wiki/)
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
| **csploit** - "The most complete and advanced IT security professional toolkit on Android."(*From their site*) | http://www.csploit.org/docs.html -- [Github Link](https://github.com/cSploit/android/tree/master/cSploit)
### Cull/Sort
[Dex Education 201 - Anti-Emulation.pdf](https://github.com/strazzere/anti-emulator/blob/master/slides/Dex%20Education%20201%20-%20Anti-Emulation.pdf)
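Review bot: the csploit line added in this hunk uses table-row syntax (`| **csploit** - ... | http://www.csploit.org/docs.html -- [Github Link](...)`) but sits among bare links with no table header above it, so it renders as a literal line of pipes; the docs link is also plain http and the GitHub link is buried after `--`. Suggest a plain entry `[csploit](https://github.com/cSploit/android)` with a description bullet, matching the lines around it. The new `### Cull/Sort` heading also lands inside a block the hunk header already shows as `Cull`, so there are now two cull markers to reconcile.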
@ -235,6 +237,13 @@ Check the Encryption section of the overall guide for more information.
[ARE - Virtual Machine for Android Reverse Engineering](https://redmine.honeynet.org/projects/are)
[Android Applications Reversing 101](https://www.evilsocket.net/2017/04/27/Android-Applications-Reversing-101)
[Android Crackmes](http://www.droidsec.org/wiki/#crack-mes)
[Hacking Android apps with FRIDA I](https://www.codemetrix.net/hacking-android-apps-with-frida-1/)


Draft/Attacking Defending iOS -.md (+55 -4)

@ -1,10 +1,7 @@
## Attacking & Defending iOS
[Link Title](#anchor-name)
<a name="anchor-name"></a>
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
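Review bot: the same `Hacking Your Way Up The Mobile Stack` vimeo link appears in this hunk at the top of the file and again under `### General` in the hunk at line 26 below; if it is being added here rather than removed, the file ends up with the URL twice, so keep only the General copy. Removing the `[Link Title](#anchor-name)` / `<a name="anchor-name"></a>` template lines is fine.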
@ -19,7 +16,7 @@
[Jailbreaking](#jail)
### <a name="cull">Cull</a>
#### <a name="cull">Cull</a>
| Title | Link |
| -------- | ------------------------ |
@ -29,6 +26,17 @@
| **Pentesting iOS Applications - Pentester Academy - Paid Course** - This course focuses on the iOS platform and application security and is ideal for pentesters, researchers and the casual iOS enthusiast who would like to dive deep and understand how to analyze and systematically audit applications on this platform using a variety of bleeding edge tools and techniques. | http://www.pentesteracademy.com/course?id=2
#### End Cull
### General
[Hacking Your Way Up The Mobile Stack](http://vimeo.com/51270090)
[iOS Application Security Review Methodology](http://research.aurainfosec.io/ios-application-security-review-methodology/#snapshot)
* aurainfosec
### <a name="harden">List of Hardening Guides for iOS</a>
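Review bot: the `* aurainfosec` bullet under the iOS Application Security Review Methodology entry is just the publisher's name, where every other bullet in this file carries a description; either write a one-line description or fold the source into the title (`... - aurainfosec`). Also check that the new `#### End Cull` marker uses the same level as the `#### Cull` heading set in the hunk at line 16.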
@ -58,6 +66,8 @@
[iOSRE](https://github.com/kpwn/iOSRE)
* The aim of this project is to provide useful and updated tools and knowledge on iOS reverse engineering and exploitation. This is an ongoing effort, and still in a very new stage.
[OWASP iOS crackme tutorial: Solved with Frida](https://www.nowsecure.com/blog/2017/04/27/owasp-ios-crackme-tutorial-frida/)
| Title | Link |
| -------- | ------------------------ |
@ -68,6 +78,13 @@
| **OWASP iGOAT** - “iGoat is a safe environment where iOS developers can learn about the major security pitfalls they face as well as how to avoid them. It is made up of a series of lessons that each teach a single (but vital) security lesson.” | https://www.owasp.org/index.php/OWASP_iGoat_Project
### <a name="test">iOS Security Testing Methodologies/Tools</a>
| Title | Link |
@ -83,12 +100,24 @@
### <a name="papers">General Research Papers</a>
| Title | Link |
| -------- | ------------------------ |
### <a name="re">Reverse Engineering</a>
| Title | Link |
| -------- | ------------------------ |
@ -99,6 +128,15 @@
| **IOS Reverse Engineering toolkit** | https://github.com/S3Jensen/iRET
### <a name="jail">Jailbreaking</a>
| Title | Link |
| -------- | ------------------------ |
@ -107,7 +145,20 @@
| The iPhone Wiki** - The iPhone Wiki is an unofficial wiki dedicated to collecting, storing and providing information on the internals of Apple's amazing iDevices. We hope to pass this information on to the next generation of hackers so that they can go forth into their forebears' footsteps and break the ridiculous bonds Apple has put on their amazing mobile devices. | http://theiphonewiki.com/wiki/Main_Page
| **OWASP Jailbreaking Cheat Sheet** | https://www.owasp.org/index.php/Mobile_Jailbreaking_Cheat_Sheet
### <a name="dev">iOS Development</a>
| Title | Link |
| -------- | ------------------------ |
| **imas** - Defense for your iOS app - for developers | https://project-imas.github.io/
### Tools
[Idb](https://github.com/dmayer/idb)
* idb is a tool to simplify some common tasks for iOS pentesting and research
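Review bot: the iPhone Wiki row added at the start of this hunk is missing its opening bold marker: `| The iPhone Wiki** - ...` should be `| **The iPhone Wiki** - ...` to match the other table rows, otherwise the stray `**` renders literally. The new `### Tools` section with idb uses the bare-link-plus-bullet style while the sections directly above use tables; pick one convention for the file.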

Draft/BIOS UEFI Attacks Defenses.md (+12 -0)

@ -23,6 +23,8 @@ http://forums.mydigitallife.info/forums/34-MDL-Projects-and-Applications
http://forums.mydigitallife.info/forums/25-BIOS-Mods
#### End Cull
## <a name="general">General</a>
| Title | Link |
@ -158,6 +160,15 @@ Reverse Engineering Router Firmware walk through
[ida-uefiutils](https://github.com/snare/ida-efiutils/)
* Some scripts for IDA Pro to assist with reverse engineering EFI binaries
[VisualUEFI](https://github.com/ionescu007/VisualUefi)
* A project for allowing EDK-II Development with Visual Studio
[UDKToolbox](https://github.com/smwikipedia/UDKToolbox)
* An toolbox to help adopt Visual Studio for UEFI development.
## Papers & Writeups
| Title | Link |
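Review bot: grammar in the UDKToolbox description added in this hunk: `An toolbox to help adopt Visual Studio for UEFI development.` should read `A toolbox ...`. VisualUEFI and UDKToolbox are also EDK-II development environment setups rather than reverse-engineering aids, so they sit oddly directly under the IDA EFI scripts; a `Development` subheading would keep the tool list readable.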
@ -169,6 +180,7 @@ Reverse Engineering Router Firmware walk through
[SMM Rootkits:A New Breed of OS Independent Malware](http://www.eecs.ucf.edu/~czou/research/SMM-Rootkits-Securecom08.pdf)
* The emergence of hardware virtualization technology has led to the development of OS independent malware such as the Virtual Machine based rootkits (VMBRs). In this paper, we draw attention to a different but related threat that exists on many commodity systems in operation today: The System Management Mode based rootkit (SMBR). System Management Mode (SMM) is a relatively obscure mode on Intel processors used for low-level hardware control. It has its own private memory space and execution environment which is generally invisible to code running outside (e.g., the Operating System). Furthermore, SMM code is completely non-preemptible, lacks any concept of privilege level, and is immune to memory protection mechanisms. These features make it a potentially attractive home for stealthy rootkits. In this paper, we present our development of a proof of concept SMM rootkit. In it, we explore the potential of System Management Mode for malicious use by implementing a chipset level keylogger and a network backdoor capable of directly interacting with the network card to send logged keystrokes to a remote machine via UDP. The rootkit hides its memory footprint and requires no changes to the existing Operating System. It is compared and contrasted with VMBRs. Finally, techniques to defend against these threats are explored. By taking an offensive perspective we hope to help security researchers better understand the depth and scope of the problems posed by an emerging class of OS independent malware.
[How to develop your own Boot Loader](https://www.codeproject.com/Articles/36907/How-to-develop-your-own-Boot-Loader)
### Other

Draft/Building A Pentest Lab.md (+22 -2)

@ -1,13 +1,30 @@
## Building a Pentest Lab
### VMs Designed to be Attacked
### ToC
* General
* VMs Designed to be Attacked
* Building a Pentest Lab
### General
Now, making your own lab filled with software you’ve configured is great and all, but sometimes you want a bit more of a challenge, you don’t want to know what software is running on the machine, you want to go in blind and hack all the things. For this, I recommend:
### VMs Designed to be Attacked
[Vulnhub](Vulnhub.com)
* Vulnhub is a website dedicated to cataloging various vulnerable VMs from across the web. It also has a healthy community that creates and submits new VMs on a regular basis. As I write this now, I believe there is around 100 or so different VMs on Vulnhub, so you have a bit of variation.
[iv-wrt](https://github.com/iv-wrt/iv-wrt)
* An Intentionally Vulnerable Router Firmware Distribution
[List of VMs that are preconfigured virtual machines](http://www.amanhardikar.com/mindmaps/PracticeUrls.html)
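Review bot: `[Vulnhub](Vulnhub.com)` has no URL scheme, so it renders as a relative link to a file named `Vulnhub.com`; use `https://www.vulnhub.com/`. The description also says `there is around 100 or so different VMs`, which should be `there are`. The new ToC entries are plain bullets rather than the `[Section](#anchor)` links the other Draft files use for their ToCs.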
@ -15,6 +32,9 @@ Now, making your own lab filled with software you
* I have talked about counterattacks here before, and this system has implemented a number of aggressive anti-hacker measures. In fact, this VM is downright evil. I am probably legally obligated to tell you that it will try to hack you. So if a calculator or message declaring your pwnedness pops up or shows up on your desktop, you asked for it. But don’t worry, it won’t steal your docs or rm you, it will just demonstrate compromise for the game. To save precious bandwidth, this has been implemented in a minimal tinycore-based VM, and will require VirtualBox to run.
### Guides to setting up a Pen test lab:
http://blog.netinfiltration.com/2013/12/03/setting-up-a-pentest-lab-for-beginners/


Draft/Car Hacking.md (+59 -5)

@ -1,22 +1,76 @@
#Car Hacking
# Car Hacking
## ToC
* General
* Papers
* Talks & Presentations
* Tools
#### Cull
http://dn5.ljuska.org/cyber-attacks-on-vehicles-2.html
https://github.com/manux81/canspy
### End cull
## General
[Awesome Vehicle Security List(github awesome lists)](https://github.com/jaredthecoder/awesome-vehicle-security)
[Introduction to Hacking in Car Systems - Craig Smith - Troopers15](https://www.youtube.com/watch?v=WHDkf6kpE58)
[Intro to Automotive Security - Ariel Zentner](https://www.youtube.com/watch?v=yAzqFhq06_E)
## Writeups/Blogposts/How-To
[Broadcasting Your Attack: Security Testing DAB Radio In Cars](https://www.youtube.com/watch?v=ryNtz1nxmO4)
## Talks & Presentations
http://illmatics.com/Remote%20Car%20Hacking.pdf
## Tools
Yet Another Car Hacking Tool](https://asintsov.blogspot.ro/2016/03/yet-another-car-hacking-tool.html?m=1)
[CANBus Triple](https://canb.us/)
* General purpose Controller Area Network swiss army knife / development platform.
[Yet Another Car Hacking Tool](https://asintsov.blogspot.ro/2016/03/yet-another-car-hacking-tool.html?m=1)
[CANToolz](https://github.com/eik00d/CANToolz)
* CANToolz is a framework for analysing CAN networks and devices. This tool based on different modules which can be assembled in pipe together and can be used by security researchers and automotive/OEM security testers for black-box analysis and etc. You can use this software for ECU discovery, MITM testing, fuzzing, bruteforcing, scanning or R&D testing and validation
https://canb.us/
[canspy](https://github.com/manux81/canspy)
* Very simple tool for users who need to interface with a device based on CAN (CAN/CANopen/J1939/NMEA2000/DeviceNet) such as motors, sensors and many other devices.
## Papers
[Remote Exploitation of an Unaltered Passenger Vehicle](http://illmatics.com/Remote%20Car%20Hacking.pdf)
## Miscellaneous
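Review bot: the new ToC lists General, Papers, Talks & Presentations and Tools, but the hunk also adds `## Writeups/Blogposts/How-To` and `## Miscellaneous` sections the ToC omits, and `Broadcasting Your Attack: Security Testing DAB Radio In Cars` is a YouTube talk filed under Writeups rather than Talks & Presentations. Moving the illmatics PDF from Talks to Papers with its proper title is right; the `#### Cull` / `### End cull` pair should use one heading level.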

Draft/Courses & Training -.md (+25 -6)

@ -26,10 +26,21 @@ Hackingdojo
BVWA
#### End Cull
[Introduction to Reverse Engineering Software - Dartmouth](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
[CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
## Heads Up
These classes are all focused on computer/information security. If you're looking for online courses to learn material other than the mentioned, check out "coursera.com", Standford's online classes or MIT's online courses.
[Coursera](https://www.coursera.org/)
[MIT OpenCourseware](https://ocw.mit.edu/courses/)
[Standford](http://online.stanford.edu/courses)
[Udemy](https://www.udemy.com/courses/)
### General Sources/Repository of Classes
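Review bot: in the Heads Up paragraph added in this hunk, `coursera.com` should be `coursera.org` (the link on the following line already has it right) and `Standford` is misspelled twice, in the paragraph and in the link title. The Dartmouth and RPI reverse-engineering courses are added here inside the Cull block and also appear in the hunk at line 143 below; make sure they end up in one place only.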
@ -39,11 +50,7 @@ BVWA
[Open Security Training](www.opensecuritytraining.info)
Udemy
Coursera
Stanfordx
@ -58,7 +65,10 @@ Stanfordx
[Teach Yourself Computer Science](https://teachyourselfcs.com/)
[Technical Development Guide - Google](https://www.google.com/about/careers/students/guide-to-technical-development.html)
[OSS University - Computer Science](https://github.com/open-source-society/computer-science)
* Path to a free self-taught education in Computer Science!
@ -133,7 +143,9 @@ Stanfordx
* How an OS loads a binary into memory and links it on the fly before executing it.
*Along the way we discuss the relevance of security at different stages of a binary’s life, from the tricks that can be played by a malicious compiler, to how viruses really work, to the way which malware “packers” duplicate OS process execution functionality, to the benefit of a security-enhanced OS loader which implements address space layout randomization (ASLR).
[Introduction to Reverse Engineering Software - Dartmouth](http://althing.cs.dartmouth.edu/local/www.acm.uiuc.edu/sigmil/RevEng/)
[CSCI 4974 / 6974 Hardware Reverse Engineering](http://security.cs.rpi.edu/courses/hwre-spring2014/)
@ -154,6 +166,13 @@ Stanfordx
[armpwn](https://github.com/saelo/armpwn)
* Repository to train/learn memory corruption exploitation on the ARM platform. This is the material of a workshop I prepared for my CTF Team.
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
### UEFI/BIOS Training


Draft/Cryptography & Encryption.md (+82 -39)

@ -1,9 +1,9 @@
##Cryptography
## Cryptography
#####TOC
##### TOC
* [General Information](#general)
* [Learning/Courses](#learn
* [Learning/Courses](#learn)
* [Writeups](#write)
* [Blogposts/Misc](#blog)
* [Presentations](#presentation)
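Review bot: the ToC fix `[Learning/Courses](#learn)` is good, but `[Blogposts/Misc](#blog)` on the following line still points at `#blog` while the Blogposts heading further down this file is `<a name="blogs">`, so that ToC link stays broken; rename one side so they agree.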
@ -15,81 +15,92 @@
###Cull
### Cull
http://noiseprotocol.org/noise.html
https://conversations.im/xeps/multi-end.html
http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
### End Cull
[Homomorphic encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)
### <a name="general">General Information</a>
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
https://coniks.cs.princeton.edu/
[Homomorphic encryption](https://en.wikipedia.org/wiki/Homomorphic_encryption)
[Differential Cryptanalysis for Dummies - Jon King](https://www.youtube.com/watch?v=xav-GUO_o4s&feature=youtu.be)
http://webee.technion.ac.il/~hugo/sigma.html
[Snake Oil Crypto Competition](https://snakeoil.cr.yp.to/)
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
http://www.tau.ac.il/~tromer/acoustic/
Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
https://crypto.is/blog/
[Differential Cryptanalysis for Dummies - Jon King](https://www.youtube.com/watch?v=xav-GUO_o4s&feature=youtu.be)
### <a name="learn">Courses</a>:
Coursera Cryptography
[Matsano Crypto Challenges](Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
###<a name="general">General Information</a>
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
### <a name="write">Writeups</a>
[Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
[An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
[Widespread Weak Keys in Network Devices](https://factorable.net/)
[Secrets and LIE-abilities: The State of Modern Secret Management (2017)](https://medium.com/on-docker/secrets-and-lie-abilities-the-state-of-modern-secret-management-2017-c82ec9136a3d)
[How to Implement Crypto Poorly - Sean Cassidy](https://github.com/cxxr/talks/blob/master/2016/grrcon/How%20to%20Implement%20Crypto%20Poorly.pdf)
###<a name="learn">Courses</a>:
Coursera Cryptography
[Matsano Crypto Challenges](Cryptopals.co)
* Go through a series of increasingly difficult challenges while learning all about cryptography. Expected knowledge level: You passed 9th grade math and you have 0 knowledge of crypto.
### <a name="blogs">Blogposts/Misc(doesnt explicitly fit in other sections)</a>
[Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
###<a name="write">Writeups</a>
[Attack of the week: FREAK (or 'factoring the NSA for fun and profit')](http://blog.cryptographyengineering.com/2015/03/attack-of-week-freak-or-factoring-nsa.html)
[Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
[An Empirical Study of Cryptographic Misuse in Android Applications](https://www.cs.ucsb.edu/~chris/research/doc/ccs13_cryptolint.pdf)
[Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/)
[cr.yp.to blog](http://blog.cr.yp.to/index.html)
[Recovering BitLocker Keys on Windows 8.1 and 10](https://tribalchicken.io/recovering-bitlocker-keys-on-windows-8-1-and-10/)
###<a name="blogs">Blogposts/Misc(doesnt explicitly fit in other sections)</a>
[Encrypting Strings in Android: Let's make better mistakes](http://tozny.com/blog/encrypting-strings-in-android-lets-make-better-mistakes/)
[Crypto.is Blog](https://crypto.is/blog/)
* This blog series is intended to be a course on how remailers work, the theory behind them, and many of the choices that must be considered. Some of the topics we intended to dive deeply into in the future is how to have a directory of remailer nodes, how to handle messages that overflow the packet size, more details on Mixminion, as-yet-unimplemented Academic Papers (like Pynchon Gate and Sphinx), and more! Check out posts One, Two, Three, Four, and Five. The comments section should work, so please do leave comments if you have questions, insights, or corrections!
[Poor Man's Guide to Troubleshooting TLS Failures](http://blogs.technet.com/b/tspring/archive/2015/02/23/poor-man-s-guide-to-troubleshooting-tls-failures.aspx)
###<a name="presentation">Presentations/Talks</a>
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)
### <a name="presentation">Presentations/Talks</a>
[Crypto: 48 Dirty Little Secrets Cryptographers Don’t Want You To Know - BlackHat2014](https://www.youtube.com/watch?v=mXdFHNJ6srY)
###<a name="papers">Papers</a>
### <a name="papers">Papers</a>
[Get Your Hands Off My Laptop: Physical Side-Channel Key-Extraction Attacks On PCs](http://www.tau.ac.il/~tromer/handsoff/)
* We demonstrated physical side-channel attacks on a popular software implementation of RSA and ElGamal, running on laptop computers. Our attacks use novel side channels and are based on the observation that the "ground" electric potential in many computers fluctuates in a computation-dependent way. An attacker can measure this signal by touching exposed metal on the computer's chassis with a plain wire, or even with a bare hand. The signal can also be measured at the remote end of Ethernet, VGA or USB cables. Through suitable cryptanalysis and signal processing, we have extracted 4096-bit RSA keys and 3072-bit ElGamal keys from laptops, via each of these channels, as well as via power analysis and electromagnetic probing. Despite the GHz-scale clock rate of the laptops and numerous noise sources, the full attacks require a few seconds of measurements using Medium Frequency signals (around 2 MHz), or one hour using Low Frequency signals (up to 40 kHz).
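Review bot: `[Matsano Crypto Challenges](Cryptopals.co)` in the Courses block has both a misspelled name (Matasano) and a schemeless target that renders as a relative link; use `https://cryptopals.com/`. `Coursera Cryptography` directly above it is plain text with no link, unlike every other entry in the section. The reorder itself (moving the cr.yp.to blog, acoustic-attack abstract and crypto.is link out of the top of the file into their sections) reads well.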
@ -102,20 +113,52 @@ https://crypto.is/blog/
* Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[Toward Robust Hidden Volumes Using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf)
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume� so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
[A Messy State of the Union: Taming the Composite State Machines of TLS](https://www.smacktls.com/smack.pdf)
* Abstract Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes and key exchange methods, where each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that can correctly multiplex between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years (they are now in the process of being patched). We argue that these vulnerabilities stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported ciphersuites. Our attacks expose the need for the formal verifica- tion of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
* Abstract —Implementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes and key exchange methods, where each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that can correctly multiplex between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years (they are now in the process of being patched). We argue that these vulnerabilities stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported ciphersuites. Our attacks expose the need for the formal verifica- tion of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations.
[Indistinguishability Obfuscation from the Multilinear Subgroup Elimination Assumption](https://eprint.iacr.org/2014/309)
* Abstract: We revisit the question of constructing secure general-purpose indistinguishability obfuscation (iO), with a security reduction based on explicit computational assumptions over multi- linear maps. Previous to our work, such reductions were only known to exist based on meta- assumptions and/or ad-hoc assumptions: In the original constructive work of Garg et al. (FOCS 2013), the underlying explicit computational assumption encapsulated an exponential family of assumptions for each pair of circuits to be obfuscated. In the more recent work of Pass et al. (Crypto 2014), the underlying assumption is a meta-assumption that also encapsulates an exponential family of assumptions, and this meta-assumption is invoked in a manner that captures the specific pair of circuits to be obfuscated. The assumptions underlying both these works substantially capture (either explicitly or implicitly) the actual structure of the obfuscation mechanism itself. In our work, we provide the first construction of general-purpose indistinguishability obfuscation proven secure via a reduction to a natural computational assumption over multilinear maps, namely, the Multilinear Subgroup Elimination Assumption. This assumption does not depend on the circuits to be obfuscated (except for its size), and does not correspond to the underlying structure of our obfuscator. The technical heart of our paper is our reduction, which gives a new way to argue about the security of indistinguishability obfuscation.
[RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis](http://www.tau.ac.il/~tromer/acoustic/)
* Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
[The SIGMA Family of Key-Exchange Protocols ]()
* Summary: SIGMA is a family of cryptographic key-exchange protocols that provide perfect forward secrecy via a Diffie-Hellman exchange authenticated with digital signatures. SIGMA is designed to support a variety of features and trade-offs required in common practical scenarios (such as identity protection and reduced number of protocol rounds) as well as to enjoy sound cryptographic security. This design puts forth the "SIGn-and-MAc" (SIGMA, for short) approach that carefully combines the use of digital signatures and MAC functions to guarantee an authenticated binding between the Diffie-Hellman key and the identities of the parties to the exchange. This simple approach resolves security shortcomings found in previous protocols. The SIGMA protocols serve as the cryptographic basis for the signature-based modes of the standardized Internet Key Exchange (IKE) protocol, and its current revision IKE version 2.
### <a name="software">Software</a>
[CONIKS](https://coniks.cs.princeton.edu/)
* CONIKS is a key management system for end users capable of integration in end-to-end secure communication services. The main idea is that users should not have to worry about managing encryption keys when they want to communicate securely, but they also should not have to trust their secure communication service providers to act in their interest.
[The Noise Protocol Framework](http://noiseprotocol.org/noise.html)
* Noise is a framework for crypto protocols based on Diffie-Hellman key agreement. Noise can describe protocols that consist of a single message as well as interactive protocols.
* A Noise protocol begins with two parties exchanging handshake messages. During this handshake phase the parties exchange DH public keys and perform a sequence of DH operations, hashing the DH results into a shared secret key. After the handshake phase each party can use this shared key to send encrypted transport messages.
[VeraCrypt](https://www.veracrypt.fr/en/Home.html)
* VeraCrypt is a free open source disk encryption software for Windows, Mac OSX and Linux. Brought to you by IDRIX (https://www.idrix.fr) and based on TrueCrypt 7.1a.
###<a name="software">Software</a>
###<a name="steno">Stenography</a>
### <a name="steno">Stenography</a>
[imagejs](https://github.com/jklmnn/imagejs)
* imagejs is a small tool to hide javascript inside a valid image file. The image file is recognized as one by content checking software, e.g. the file command you might now from Linux or other Unix based operation systems.
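Review bot: the SIGMA entry's link target is empty (`[The SIGMA Family of Key-Exchange Protocols ]()`), so it renders as a dead link; fill in the URL and drop the trailing space inside the brackets. In the same hunk the `Software` heading now exists twice (`### <a name="software">Software</a>` and `###<a name="software">Software</a>`), giving two identical anchors, and the copy without a space after `###` will not render as a heading at all, which is exactly what the other hunks in this commit are fixing. `Stenography` (shorthand writing) should be `Steganography` in the heading, and the `name="steno"` anchor would be clearer as `stego`. Finally, the imagejs blurb has `you might now from Linux` for `you might know from Linux`.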
@ -125,7 +168,7 @@ https://crypto.is/blog/
###<a name="tools">Tools</a>
### <a name="tools">Tools</a>
[Cryptographic Implementations Analysis Toolkit (CIAT)](http://ciat.sourceforge.net/)
* The Cryptographic Implementations Analysis Toolkit (CIAT) is compendium of command line and graphical tools whose aim is to help in the detection and analysis of encrypted byte sequences within files (executable and non-executable).
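Review bot: style nit in the CIAT description: `is compendium of command line and graphical tools` should read `is a compendium of command-line and graphical tools`.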
@ -148,11 +191,11 @@ https://crypto.is/blog/
* hashID is a tool written in Python 3 which supports the identification of over 220 unique hash types using regular expressions. It is able to identify a single hash, parse a file or read multiple files in a directory and identify the hashes within them. hashID is also capable of including the corresponding hashcat mode and/or JohnTheRipper format in its output. hashID works out of the box with Python 2 = 2.7.x or Python 3 = 3.3 on any platform.
[HiVE Hidden Volume Encryption](http://hive.ccs.neu.edu/#four)
[HiVE — Hidden Volume Encryption](http://hive.ccs.neu.edu/#four)
###<a name="">Books</a>:
### <a name="">Books</a>:
Cryptography Engineering
Applied Cryptography
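Review bot: the hashID line lost its comparison operators: `Python 2 = 2.7.x or Python 3 = 3.3` should read `Python 2 >= 2.7.x or Python 3 >= 3.3` (the `>=` was flattened to `=`, which makes the sentence say hashID only runs on two exact versions). The Books section lists `Cryptography Engineering` and `Applied Cryptography` as bare titles with no author or link, unlike every other entry in the file; add at least the authors so the entries are findable, and drop the stray colon in `Books</a>:`, which no other heading in the file carries.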


+ 57
- 46
Draft/Data AnalysisVisualization.md View File

@ -3,14 +3,22 @@
### ToC
* Cull
* General
* Writeups
* Tools
* Miscellaneous
## Tools
### Cull
[Generalizing Data Flow Information](http://uninformed.org/?v=all&a=34&t=sumry)
* Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset.
#### To Do
* Split into Data visualization/Working with data
#### Cull
Apache Nifi - supports powerful and scalable directed graphs of data routing, transformation, and system mediation logic.
https://nifi.apache.org/
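Review bot: the ToC in this hunk (`Cull`, `General`, `Writeups`, `Tools`, `Miscellaneous`) does not match the sections the file actually has (`Tools`, `Blogposts`, `Writeups` further down); there is no `General` or `Miscellaneous` section and `Blogposts` is missing from the list. `## Tools` here is an H2 while every other section header in the file uses `###`, and it sits above `### Cull`, which makes `Cull` look like a subsection of `Tools`. The `Generalizing Data Flow Information` entry under `Cull` is a static program-analysis paper and is re-added under `Writeups` later in this same file, so this copy is a duplicate. `Apache Nifi` is a description followed by a bare URL on the next line; use the `[name](url)` plus `* description` form the rest of the list uses.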
@ -19,92 +27,95 @@ http://linkurio.us/toolkit/
http://marvl.infotech.monash.edu/webcola/
[simgaJS-webcola](https://github.com/qinfchen/sigmajs-webcola)
* webcola plugin for sigmajs
http://www.yasiv.com/graphs#Bai/rw496
[Airodump-NG Scan Visualizer](http://hackoftheday.securitytube.net/2015/03/airodump-ng-scan-visualizer-ver-01.html)
http://plaso.kiddaland.net/
[plaso](https://github.com/log2timeline/plaso)
* plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.
Check out http://secviz.org/
[Graphite - Scalable Realtime Graphing](http://graphite.wikidot.com/start)
* [Quick Start Guide](http://graphite.wikidot.com/quickstart-guide)
http://sourceforge.net/projects/rapidminer/
[StatsD](https://github.com/etsy/statsd/)
* A network daemon that runs on the Node.js platform and listens for statistics, like counters and timers, sent over UDP or TCP and sends aggregates to one or more pluggable backend services (e.g., Graphite).
http://orange.biolab.si/
[Kismet Log Viewer - KLV](http://mindflip.org/klv/)
* The Kismet Log Viewer (KLV) takes Kismet .xml log files and produces a nicely formatted html interface to browse the logs with. KLV has the ability to utilize available GPS information to create links for external maps via the net, and provides the ability for those with Snort to generate a page of Snort output for each specific bssid that has data available. KLV also comes with my Kismet Log Combiner script to help users consolidate multiple .xml and .dump log files.
https://rapidminer.com/
http://ipython.org/
https://www.documentcloud.org/home
[kippo-graph](https://github.com/ikoniaris/kippo-graph)
* Visualize statistics from a Kippo SSH honeypot
http://www.pentaho.com/
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
#### End Cull
Check out http://secviz.org/
### Tools
[d3js(Data Driven Documents)](http://d3js.org/)
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
[Data Science Toolkit](https://github.com/petewarden/dstk)
* A collection of the best open data sets and open-source tools for data science, wrapped in an easy-to-use REST/JSON API with command line, Python and Javascript interfaces. Available as a self-contained VM or EC2 AMI that you can deploy yourself.
* [Documentation](http://www.datasciencetoolkit.org/developerdocs)
[*ORA](http://www.casos.cs.cmu.edu/projects/ora/)
* ORA is a dynamic meta-network assessment and analysis tool developed by CASOS at Carnegie Mellon. It contains hundreds of social network, dynamic network metrics, trail metrics, procedures for grouping nodes, identifying local patterns, comparing and contrasting networks, groups, and individuals from a dynamic meta-network perspective. *ORA has been used to examine how networks change through space and time, contains procedures for moving back and forth between trail data (e.g. who was where when) and network data (who is connected to whom, who is connected to where …), and has a variety of geo-spatial network metrics, and change detection techniques. *ORA can handle multi-mode, multi-plex, multi-level networks. It can identify key players, groups and vulnerabilities, model network changes over time, and perform COA analysis. It has been tested with large networks (106 nodes per 5 entity classes).Distance based, algorithmic, and statistical procedures for comparing and contrasting networks are part of this toolkit. Based on network theory, social psychology, operations research, and management theory a series of measures of “criticality” have been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the *ORA algorithms can find those people, types of skills or knowledge and tasks that are critical from a performance and information security perspective.
http://sourceforge.net/projects/rapidminer/#
[pewpew](https://github.com/hrbrmstr/pewpew)
* In all seriousness, IPew provides a simple framework - based on Datamaps - for displaying cartographic attack data in a (mostly) responsive way and shows how to use dynamic data via javascript event timers and data queues (in case you're here to learn vs have fun - or both!). You can customize the display through a myriad of query string options, including sounds.
http://orange.biolab.si/
[Data Maps](https://datamaps.github.io/)
* Customizable SVG map visualizations for the web in a single Javascript file using D3.js
https://rapidminer.com/
[Import.IO](https://import.io/)
* Use our tool to build APIs to all your favorite websites with just a few clicks of the mouse. - Data Scraping
[kippo-graph](https://github.com/ikoniaris/kippo-graph)
* Visualize statistics from a Kippo SSH honeypot
http://ipython.org/
[simgaJS-webcola](https://github.com/qinfchen/sigmajs-webcola)
* webcola plugin for sigmajs
[Airodump-NG Scan Visualizer](http://hackoftheday.securitytube.net/2015/03/airodump-ng-scan-visualizer-ver-01.html)
[*ORA](http://www.casos.cs.cmu.edu/projects/ora/)
* *ORA is a dynamic meta-network assessment and analysis tool developed by CASOS at Carnegie Mellon. It contains hundreds of social network, dynamic network metrics, trail metrics, procedures for grouping nodes, identifying local patterns, comparing and contrasting networks, groups, and individuals from a dynamic meta-network perspective. *ORA has been used to examine how networks change through space and time, contains procedures for moving back and forth between trail data (e.g. who was where when) and network data (who is connected to whom, who is connected to where …), and has a variety of geo-spatial network metrics, and change detection techniques. *ORA can handle multi-mode, multi-plex, multi-level networks. It can identify key players, groups and vulnerabilities, model network changes over time, and perform COA analysis. It has been tested with large networks (106 nodes per 5 entity classes).Distance based, algorithmic, and statistical procedures for comparing and contrasting networks are part of this toolkit. Based on network theory, social psychology, operations research, and management theory a series of measures of “criticality” have been developed at CMU. Just as critical path algorithms can be used to locate those tasks that are critical from a project management perspective, the *ORA algorithms can find those people, types of skills or knowledge and tasks that are critical from a performance and information security perspective.
[Graphite - Scalable Realtime Graphing](http://graphite.wikidot.com/start)
* [Quick Start Guide](http://graphite.wikidot.com/quickstart-guide)
[StatsD](https://github.com/etsy/statsd/)
* A network daemon that runs on the Node.js platform and listens for statistics, like counters and timers, sent over UDP or TCP and sends aggregates to one or more pluggable backend services (e.g., Graphite).
[Kismet Log Viewer - KLV](http://mindflip.org/klv/)
* The Kismet Log Viewer (KLV) takes Kismet .xml log files and produces a nicely formatted html interface to browse the logs with. KLV has the ability to utilize available GPS information to create links for external maps via the net, and provides the ability for those with Snort to generate a page of Snort output for each specific bssid that has data available. KLV also comes with my Kismet Log Combiner script to help users consolidate multiple .xml and .dump log files.
[Data Science Toolkit](https://github.com/petewarden/dstk)
* A collection of the best open data sets and open-source tools for data science, wrapped in an easy-to-use REST/JSON API with command line, Python and Javascript interfaces. Available as a self-contained VM or EC2 AMI that you can deploy yourself.
* [Documentation](http://www.datasciencetoolkit.org/developerdocs)
[plaso](https://github.com/log2timeline/plaso)
* plaso (Plaso Langar Að Safna Öllu) is a Python-based backend engine for the tool log2timeline.
[huginn](https://github.com/huginn/huginn)
* Create agents that monitor and act on your behalf. Your agents are standing by!
* Huginn is a system for building agents that perform automated tasks for you online. They can read the web, watch for events, and take actions on your behalf. Huginn's Agents create and consume events, propagating them along a directed graph. Think of it as a hackable version of IFTTT or Zapier on your own server. You always know who has your data. You do.
[Import.IO](https://import.io/)
* Use our tool to build APIs to all your favorite websites with just a few clicks of the mouse. - Data Scraping
https://www.documentcloud.org/home
http://www.pentaho.com/
### Blogposts
[d3js(Data Driven Documents)](http://d3js.org/)
* D3.js is a JavaScript library for manipulating documents based on data. D3 helps you bring data to life using HTML, SVG, and CSS. D3’s emphasis on web standards gives you the full capabilities of modern browsers without tying yourself to a proprietary framework, combining powerful visualization components and a data-driven approach to DOM manipulation.
[Drawing effective network diagrams](https://www.auvik.com/media/blog/effective-network-diagrams/)
[Data Maps](https://datamaps.github.io/)
* Customizable SVG map visualizations for the web in a single Javascript file using D3.js
[Using amCharts to Create Beautiful Wireshark Visualizations](http://www.thevisiblenetwork.com/2015/03/19/using-amcharts-to-create-beautiful-wireshark-visualizations/)
[pewpew](https://github.com/hrbrmstr/pewpew)
* In all seriousness, IPew provides a simple framework - based on Datamaps - for displaying cartographic attack data in a (mostly) responsive way and shows how to use dynamic data via javascript event timers and data queues (in case you're here to learn vs have fun - or both!). You can customize the display through a myriad of query string options, including sounds.
### Writeups
[Generalizing Data Flow Information](http://uninformed.org/?v=all&a=34&t=sumry)
* Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset.
[Using amCharts to Create Beautiful Wireshark Visualizations](http://www.thevisiblenetwork.com/2015/03/19/using-amcharts-to-create-beautiful-wireshark-visualizations/)
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
[Drawing effective network diagrams](https://www.auvik.com/media/blog/effective-network-diagrams/)
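Review bot: with the +/- markers not visible in this rendering, it is worth checking that this reorder actually removes the old copies rather than reindenting them: `*ORA` (with its full paragraph), `simgaJS-webcola`, `Airodump-NG Scan Visualizer`, `Graphite`, `StatsD`, `Kismet Log Viewer`, `Data Science Toolkit`, `plaso`, `kippo-graph`, `Import.IO`, `d3js`, `Data Maps`, `pewpew`, `Drawing effective network diagrams` and `Using amCharts...` each appear twice in the hunk, and `Check out http://secviz.org/` and the two RapidMiner URLs (`http://sourceforge.net/projects/rapidminer/#` and `https://rapidminer.com/`, which point at the same product) both survive. `simgaJS-webcola` is a typo for `sigmaJS-webcola`. Under `### Blogposts` the entries `d3js`, `Data Maps` and `pewpew` are libraries, not posts, and belong under `### Tools`; conversely `Using amCharts to Create Beautiful Wireshark Visualizations` and `Drawing effective network diagrams` are blog posts but sit under `### Writeups`. The bare URLs (`http://orange.biolab.si/`, `http://ipython.org/`, `https://www.documentcloud.org/home`, `http://www.pentaho.com/`) still have no title or description. Minor: in the *ORA blurb `106 nodes per 5 entity classes` has lost its exponent and should read `10^6 nodes`.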

+ 15
- 0
Draft/Documentation & Reports -.md View File

@ -12,6 +12,16 @@
### General/Disclosure
[NCSAM: Coordinated Vulnerability Disclosure Advice for Researchers](https://community.rapid7.com/community/infosec/blog/2016/10/28/ncsam-coordinated-vulnerability-disclosure-advice-for-researchers)
### <a name="writing">Writing</a>
Start with the first two links, and go from there. They’re both great resources to writing technical documentation, the first being a beginners guide and the second being a general guide that beginners can understand.
@ -39,6 +49,11 @@ Three parter from jacobian.org:
[Learn Technical Writing in Two Hours per Week - Norman Ramsey](http://www.cs.tufts.edu/~nr/pubs/learn-two.pdf)
[Politics and the English Language - George Orwell](http://www.npr.org/blogs/ombudsman/Politics_and_the_English_Language-1.pdf)
### <a name="reports">Writing Reports</a>
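Review bot: `### <a name="reports">Writing Reports</a>` is added with nothing under it; either add the entries it is meant to hold or leave the heading out until there are some, since an empty section reads as a broken page.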


+ 51
- 15
Draft/Embedded Device & Hardware Hacking -.md View File

@ -6,13 +6,13 @@ https://en.wikipedia.org/wiki/Embedded_system
Cull
* [General](#general)
* [General Hardware Hacking](#generalhw)
* [Attacking Routers](#routers)
* [Cable Modem Hacking](#modem)
* [Educational/Information on things you wouldn't find in a Dictionary](#education)
* [Flash Memory](#flash)
* [Internet of Things](#iot)
* [General Tools(S/W & H/W)](#gentools)
* [General Hardware Hacking](#generalhw)
* [Miscellaneous](#misc)
* [PCI](#PCI)
* [USB](#USB)
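Review bot: the ToC entries `[PCI](#PCI)` and `[USB](#USB)` use uppercase fragments, but the section anchor later in this file is `<a name="pci">`; fragment matching is case-sensitive, so `#PCI` will not jump to the section. Use lowercase fragments (`#pci`, `#usb`) like the other entries, and check the USB anchor the same way. `General Hardware Hacking` appears twice in this ToC hunk (once after `General`, once after `General Tools`); confirm only the moved copy remains. The bare `Cull` line above the ToC looks like a leftover marker and should probably go.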
@ -33,7 +33,7 @@ Cull
#### To Sort
http://www.sp3ctr3.me/hardware-security-resources/
http://www.sp3ctr3.me/hardware-security-resources/
http://greatscottgadgets.com/infiltrate2013/
@ -68,6 +68,36 @@ http://greatscottgadgets.com/infiltrate2013/
### <a name="generalhw">General Hardware Hacking</a>
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
[ChipWhisperer](http://www.newae.com/chipwhisperer)
* ChipWhisperer is the first ever open-source solution that provides a complete toolchain for research and analysis of embedded hardware security. Side Channel Power Analysis, Clock Glitching, VCC Glitching, and more are all possible with this unique tool.
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Deconstructing the Circuit Board Sandwich DEF CON 22 - Joe Grand aka Kingpin](https://www.youtube.com/watch?v=O8FQZIPkgZM)
[The Sorcerer’s Apprentice Guide to Fault Attacks](https://eprint.iacr.org/2004/100.pdf)
* The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.
[A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014](https://www.youtube.com/watch?v=mNhFGJVq2HE)
[Smart Parking Meters](http://uninformed.org/?v=all&a=6&t=sumry)
* Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of blackblox secure memory card.
[SATELLITE TV RECEIVERS: FROM REMOTE CONTROL TO ROOT SHELL - Sofiane Talmat](https://vimeo.com/album/3682874/video/148910624)
[Hardware Hacking the Easyware Way](http://www.irongeek.com/i.php?page=videos/derbycon6/417-hardware-hacking-the-easyware-way-brian-fehrman)
* Interested in hardware hacking but not quite sure where to start? Does the thought of soldering thrill you (or scare you)? Come check out this talk to see just how easy it is to jump into this exciting field of research! Many people and companies use similar models of hardware. Unlike software, these devices rarely receive security updates. Sometimes, used devices are sold without clearing the configurations and important data is left behind. After this talk, you will know how to find hidden interfaces on these devices, start searching for vulnerabilities and sensitive information, and have irresistible urges to go home and tear apart all your old networking equipment. Did we mention...live demo?
### <a name="routers">Attacking Routers</a>
[More on HNAP - What is it, How to Use it, How to Find it](https://isc.sans.edu/diary/More+on+HNAP+-+What+is+it%2C+How+to+Use+it%2C+How+to+Find+it/17648)
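Review bot: the `Smart Parking Meters` blurb has `blackblox` for `blackbox`. `A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014` is a car-hacking talk, and this commit also edits `Draft/Car Hacking.md`, so it probably belongs there rather than under General Hardware Hacking. The block is otherwise a straight move of the section removed at `@ -181,24 +213,13`, which is fine.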
@ -116,6 +146,7 @@ http://greatscottgadgets.com/infiltrate2013/
### <a name="education">Educational</a>
[Hardware Hacking for Software People](http://dontstuffbeansupyournose.com/2011/08/25/hardware-hacking-for-software-people/)
[Glitching for n00bs - A journey to coax out chips' inner seccrets](http://media.ccc.de/browse/congress/2014/31c3_-_6499_-_en_-_saal_2_-_201412271715_-_glitching_for_n00bs_-_exide.html#video)
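Review bot: `seccrets` in the Glitching for n00bs title should be `secrets`.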
@ -145,10 +176,11 @@ http://greatscottgadgets.com/infiltrate2013/
### <a name="flash">Flash Memory</a>
[Reverse Engineering Flash Memory for Fun and Benefit - BlackHat 2014](https://www.youtube.com/watch?v=E8BSnS4-Kpw)
[Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques](https://pdfs.semanticscholar.org/b9bc/a3c9f531002854af48de121cdcc8e0520c7f.pdf)
@ -181,24 +213,13 @@ http://greatscottgadgets.com/infiltrate2013/
* JTAGulator is an open source hardware tool that assists in identifying OCD connections from test points, vias, or component pads on a target device.
### <a name="generalhw">General Hardware Hacking</a>
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
[ChipWhisperer](http://www.newae.com/chipwhisperer)
* ChipWhisperer is the first ever open-source solution that provides a complete toolchain for research and analysis of embedded hardware security. Side Channel Power Analysis, Clock Glitching, VCC Glitching, and more are all possible with this unique tool.
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Deconstructing the Circuit Board Sandwich DEF CON 22 - Joe Grand aka Kingpin](https://www.youtube.com/watch?v=O8FQZIPkgZM)
[The Sorcerer’s Apprentice Guide to Fault Attacks](https://eprint.iacr.org/2004/100.pdf)
* The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.
[A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014](https://www.youtube.com/watch?v=mNhFGJVq2HE)
[Smart Parking Meters](http://uninformed.org/?v=all&a=6&t=sumry)
* Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of blackblox secure memory card.
### <a name="misc">Miscellaneous</a>
@ -218,6 +239,7 @@ http://greatscottgadgets.com/infiltrate2013/
### <a name="pci">PCI</a>
@ -240,6 +262,8 @@ http://greatscottgadgets.com/infiltrate2013/
[WHID Injector: an USB-Rubberducky/BadUSB on Steroids](https://whid-injector.blogspot.lt/2017/04/whid-injector-how-to-bring-hid-attacks.html)
[Introduction to USB and Fuzzing - Matt DuHarte - Defcon23](https://www.youtube.com/watch?v=KWOTXypBt4E)
@ -295,8 +319,9 @@ https://github.com/pwnieexpress/raspberry_pwn
[Analyzing and Running binaries from Firmware Images - Part 1](http://w00tsec.blogspot.com.br/2013/09/analyzing-and-running-binaries-from.html)
[Jailbreaks and Pirate Tractors: Reverse Engineering Do’s and Don’ts](https://www.youtube.com/watch?v=8_mMTVsOM6Y)
[Lost your "secure" HDD PIN? We can help!](https://syscall.eu/pdf/2016-Lenoir_Rigo-HDD_PIN-paper.pdf)
@ -358,6 +383,17 @@ Chameleon Mini
[Hacking a USB Modem & SIM](http://blog.ptsecurity.com/2014/12/4g-security-hacking-usb-modem-and-sim.html)
[How can I do that? Intro to hardware hacking with an RFID badge reader - Kevin Bong](http://www.irongeek.com/i.php?page=videos/derbycon3/3303-how-can-i-do-that-intro-to-hardware-hacking-with-an-rfid-badge-reader-kevin-bong)


+ 91
- 47
Draft/Exploit Development.md View File

@ -39,36 +39,18 @@ TOC
* [Papers](#papers)
* [OllyDbg Tricks](#ollydbg)
* [Books and Links](#books
* Exploit Collections
#### To Do
* Split writing shellcode sections into platform specific
* Sort tools better, like enviromental tools vs use-specific tools
#### Sort:
[Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
[The Danger of Unrandomized Code](https://www.usenix.org/system/files/login/articles/105516-Schwartz.pdf)
[Owning Internet Printing - A Case Study in Modern Software Exploitation](https://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html?m=1)
Finding Opcodes
Methods of finding opcodes:
metasploit opcode DB
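Review bot: `[Books and Links](#books` is missing its closing parenthesis, so it will render as literal text instead of a link, and `* Exploit Collections` has no link or anchor at all. The `Finding Opcodes` / `Methods of finding opcodes:` / `metasploit opcode DB` lines are loose text rather than list items and will run together into one paragraph when rendered; make them a bulleted list with links.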
@ -78,30 +60,29 @@ pvefindaddr - mona.py
Corelan Exploit Series
[Writing Win32 Shellcode with VisualStudio](http://winternl.com/2016/05/02/hello-world/)
* demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler
[rex](https://github.com/shellphish/rex)
* Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
[Patcherex](https://github.com/shellphish/patcherex)
* Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
[Anti-Virus Software Gone Wrong](http://uninformed.org/?v=all&a=21&t=sumry)
* Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems.
#### end sort
[BuBBle: A Javascript Engine Level Countermeasure against Heap-Spraying Attacks](http://cd80.ca/files/bubble.pdf)
* Abstract. Web browsers that support a safe language such as Javascript are becoming a platform of great interest for security attacks. One such attack is a heap-spraying attack: a new kind of attack that combines the notoriously hard to reliably exploit heap-based buffer overflow with the use of an in-browser script- ing language for improved r eliability. A typical heap-s praying attack allocates a high number of objects containing the attacker’s code on the heap, dramatically increasing the probability that the contents of one of these objects is executed. In this paper we present a lightweight approach that makes heap-spraying attacks in Javascript significantly harder. Our prototype, which is implemented in Firefox, has a negligible performance and memory overhead while effectively protecting against heap-spraying attacks.
[DotNetToJScript](https://github.com/tyranid/DotNetToJScript)
* A tool to create a JScript file which loads a .NET v2 assembly from memory.
[Code segment encryption](http://blog.sevagas.com/?Code-segment-encryption)
[BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - Zhang Yunhai](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
[Hello MS08-067, My Old Friend!](https://labs.mwrinfosecurity.com/assets/BlogFiles/hello-ms08-067-my-old-friend.pdf)
[Trampolines in x64](http://www.ragestorm.net/blogs/?p=107)
#### end sort
### General Videos/Presentations(that aren't
### General Videos/Presentations(that aren't...something...idk?)
[Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
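Review bot: `#### end sort` now appears twice in this hunk (once after `Anti-Virus Software Gone Wrong`, once after `Trampolines in x64`); if the marker was moved, the old one should be deleted. The heading `### General Videos/Presentations(that aren't...something...idk?)` is a placeholder that should not be committed; the old heading was truncated (`(that aren't`), so pick a real name such as `General Videos/Presentations` and drop the parenthetical. `Corelan Exploit Series` is a bare title with no link, and `VisualStudio` in the shellcode entry should be `Visual Studio`.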
@ -114,7 +95,7 @@ Corelan Exploit Series
### <a name="general">General Techniques/ Tricks</a>
### <a name="general">General Techniques/Tricks</a>
[Shellcode Debugging with OllyDbg](https://blackc0.de/2014/06/shellcode-debugging-ollydbg/)
@ -147,9 +128,6 @@ Corelan Exploit Series
[Root Cause Analysis – Memory Corruption Vulnerabilities](https://www.corelan.be/index.php/2013/02/26/root-cause-analysis-memory-corruption-vulnerabilities/)
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
| **RAP: RIP ROP (GRSEC/PaX team)** | https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf
[Counterfeit Object-oriented Programming](http://syssec.rub.de/media/emma/veroeffentlichungen/2015/03/28/COOP-Oakland15.pdf)
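Review bot: `| **RAP: RIP ROP (GRSEC/PaX team)** | https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf` is a leftover table row sitting inside a link list; convert it to the list's own form, `[RAP: RIP ROP (GRSEC/PaX team)](https://pax.grsecurity.net/docs/PaXTeam-H2HC15-RAP-RIP-ROP.pdf)`. Removing `BinTut` here is fine since the next hunk re-adds it.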
@ -170,6 +148,16 @@ This will allow you to transfer EIP control to a specified offset within a file
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
### <a name="oldsoft">Acquiring Old/Vulnerable Software</a>
@ -222,7 +210,7 @@ This will allow you to transfer EIP control to a specified offset within a file
[The Birth of a Complete IE11 Exploit Under the New Exploit Mitigations](https://www.syscan.org/index.php/download/get/aef11ba81927bf9aa02530bab85e303a/SyScan15%20Yuki%20Chen%20-%20The%20Birth%20of%20a%20Complete%20IE11%20Exploit%20Under%20the%20New%20Exploit%20Mitigations.pdf)
[ BISC: Borrowed Instructions Synthetic Computation](https://github.com/trailofbits/bisc)
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation training course.
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation `ng course.
[Introduction to Return Oriented Programming (ROP) - ketansingh.net](https://ketansingh.net/Introduction-to-Return-Oriented-Programming-ROP/)
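Review bot: the rewritten BISC description introduces a corruption at its tail: "Assured Exploitation training course." becomes "Assured Exploitation `ng course." with a stray backtick and a truncated word, and that is the only difference between the removed and added line. Revert the edit or restore `training course.` before merging.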
@ -293,7 +281,8 @@ I have tried to order the articles by technique and chronology.
*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt)
* [Yet another free() exploitation technique, huku, 2009](http://www.phrack.com/issues.html?issue=66&id=6)
* [Heap Feng Shui in JavaScript](https://www.blackhat.com/presentations/bh-usa-07/Sotirov/Whitepaper/bh-usa-07-sotirov-WP.pdf)
* [heap-exploitation](https://github.com/DhavalKapil/heap-exploitation)
* This book on heap exploitation is a guide to understanding the internals of glibc's heap and various attacks possible on the heap structure.
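Review bot: the context line `*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](...)` lacks the space after `*`, so Markdown renders a literal asterisk in a paragraph instead of a bullet like the neighbouring `* [Yet another free() exploitation technique, ...]` entries; since this hunk already touches the list, change it to `* [Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](...)`.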
@ -305,7 +294,7 @@ I have tried to order the articles by technique and chronology.
*[Advances in format string exploitation, gera, 2002](http://www.phrack.com/issues.html?issue=59&id=7)
* [An alternative method in format string exploitation, K-sPecial, 2006](http://www.milw0rm.com/papers/103)
* [Maximum Overkill Two - From Format String Vulnerability to Remote Code Execution](https://barrebas.github.io/blog/2015/02/22/maximum-overkill-two-from-format-string-vulnerability-to-remote-code-execution/)
* [Exploiting Format Strings: Getting the Shell](http://resources.infosecinstitute.com/exploiting-format-strings-getting-the-shell/)
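Review bot: same list-marker problem here: `*[Advances in format string exploitation, gera, 2002](...)` is missing the space after `*` and will not render as a bullet, while the three entries below it use `* [`; fix it to `* [Advances in format string exploitation, gera, 2002](...)` while the hunk is open.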
@ -475,7 +464,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
* [Part 1](http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-i)
*[Part 2](http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii)
[Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
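Review bot: the Fritz!Box pair renders inconsistently: `* [Part 1](...)` is a bullet but `*[Part 2](...)` is not, because the second lacks the space after `*`; change it to `* [Part 2](http://breaking.systems/blog/2014/04/avm-fritzbox-root-rce-from-patch-to-metasploit-module-ii)`.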
@ -545,7 +534,7 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[X86 Shellcode Obfuscation - Part 1 - breakdev.org](https://breakdev.org/x86-shellcode-obfuscation-part-1/)
[BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - Zhang Yunhai](https://www.blackhat.com/docs/us-15/materials/us-15-Zhang-Bypass-Control-Flow-Guard-Comprehensively-wp.pdf)
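Review bot: `[BYPASS CONTROL FLOW GUARD COMPREHENSIVELY - Zhang Yunhai](...)` added here is already present in the unsorted block at the top of this file (first hunk, directly above `#### end sort`); keep one copy, preferably this one since it sits in a topical section, and delete the other so the same paper is not listed twice.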
@ -642,8 +631,7 @@ Getting Started with WindDbg Series - OpenSecurity Research
[Exploiting the Otherwise Non-Exploitable on Windows](http://uninformed.org/?v=all&a=22&t=sumry)
* This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker's ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer.
Attacking x86 Windows Binaries by Jump Oriented Programming
http://www.uni-obuda.hu/users/szakala/INES%202013%20pendrive/61_ines2013.pdf
[Attacking x86 Windows Binaries by Jump Oriented Programming](http://www.uni-obuda.hu/users/szakala/INES%202013%20pendrive/61_ines2013.pdf)
[HackSys Extreme Vulnerable Driver](http://www.payatu.com/hacksys-extreme-vulnerable-driver/)
* HackSys Extreme Vulnerable Driver is intentionally vulnerable Windows driver developed for security enthusiasts to learn and polish their exploitation skills at Kernel level.
@ -658,6 +646,32 @@ https://www.exploit-db.com/docs/18482.pdf
[WinAPI for Hackers](https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf)
[Writing Win32 Shellcode with VisualStudio](http://winternl.com/2016/05/02/hello-world/)
* demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler
[Intro to Windows kernel exploitation 1/N: Kernel Debugging](https://www.whitehatters.academy/intro-to-kernel-exploitation-part-1/)
[Intro to Windows kernel exploitation 2/N: HackSys Extremely Vulnerable Driver](https://www.whitehatters.academy/intro-to-windows-kernel-exploitation-2-windows-drivers/)
[Microsoft Patch Analysis for Exploitation](https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims)
* Since the early 2000's Microsoft has distributed patches on the second Tuesday of each month. Bad guys, good guys, and many in-between compare the newly released patches to the unpatched version of the files to identify the security fixes. Many organizations take weeks to patch and the faster someone can reverse engineer the patches and get a working exploit written, the more valuable it is as an attack vector. Analysis also allows a researcher to identify common ways that Microsoft fixes bugs which can be used to find 0-days. Microsoft has recently moved to mandatory cumulative patches which introduces complexity in extracting patches for analysis. Join me in this presentation while I demonstrate the analysis of various patches and exploits, as well as the best-known method for modern patch extraction.
[Introduction to Windows shellcode development – Part 1](https://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/)
[Introduction to Windows shellcode development – Part 2](https://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/)
[Introduction to Windows shellcode development – Part 3](https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/)
[Writing Exploits for Win32 Systems from Scratch](https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/writing-exploits-for-win32-systems-from-scratch/)
#### SEH/SE-HOP Defeat/Bypass
@ -832,6 +846,26 @@ fREedom is a primitive attempt to provide an IDA Pro independent means of extrac
[Setting up fREedom and BinNavi](https://summitroute.com/blog/2015/12/31/setting_up_freedom_and_binnavi/)
[lisa.py](https://github.com/ant4g0nist/lisa.py)
* An Exploit Dev Swiss Army Knife.
[SCANSPLOIT](https://github.com/huntergregal/scansploit)
* Exploit using barcodes, QRcodes, earn13, datamatrix
[sandbox-attacksurface-analysis-tools](https://github.com/google/sandbox-attacksurface-analysis-tools)
* This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
### <a name="decom">Decompilers & Disassemblers</a>
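Review bot: two points on the tool entries added here. `[sandbox-attacksurface-analysis-tools]` with the identical description is also added to Draft/Fuzzing Bug Hunting.md in this same commit; it is a sandbox-inspection suite rather than an exploit-development or fuzzing tool, so pick one home for it to keep the two copies from drifting. In the SCANSPLOIT line, `earn13` is presumably the EAN-13 barcode symbology; write it as `EAN-13` so the entry is searchable.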
@ -960,8 +994,8 @@ Metasploit
[Automating Mimicry Attacks Using Static Binary Analysis](https://www.usenix.org/legacy/events/sec05/tech/full_papers/kruegel/kruegel_html/attack.html)
* Intrusion detection systems that monitor sequences of system calls have recently become more sophisticated in defining legitimate application behavior. In particular, additional information, such as the value of the program counter and the configuration of the program's call stack at each system call, has been used to achieve better characterization of program behavior. While there is common agreement that this additional information complicates the task for the attacker, it is less clear to which extent an intruder is constrained. In this paper, we present a novel technique to evade the extended detection features of state-of-the-art intrusion detection systems and reduce the task of the intruder to a traditional mimicry attack. Given a legitimate sequence of system calls, our technique allows the attacker to execute each system call in the correct execution context by obtaining and relinquishing the control of the application's execution flow through manipulation of code pointers. We have developed a static analysis tool for Intel x86 binaries that uses symbolic execution to automatically identify instructions that can be used to redirect control flow and to compute the necessary modifications to the environment of the process. We used our tool to successfully exploit three vulnerable programs and evade detection by existing state-of-the-art system call monitors. In addition, we analyzed three real-world applications to verify the general applicability of our techniques.
[Anti-Virus Software Gone Wrong](http://uninformed.org/?v=all&a=21&t=sumry)
* Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems.
@ -1023,6 +1057,7 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[Diving into A Silverlight Exploit and Shellcode - Analysis and Techniques](http://www.checkpoint.com/downloads/partners/TCC-Silverlight-Jan2015.pdf)
* Abstract: We will observe how the exploit is obfuscated; how it loads parts of the code dynamically into the memory in order to reduce the chances of being detected by signature based protections and how to extract these components from the exploit. In addition we will look at the shell-code supplied by the exploit-kit and how it uses encryption to hide the payload’s URL and contents.
[Owning Internet Printing - A Case Study in Modern Software Exploitation](https://googleprojectzero.blogspot.com/2015/06/owning-internet-printing-case-study-in.html?m=1)
[The Chakra Exploit and the Limitations of Modern Mitigation Techniques](https://www.endgame.com/blog/chakra-exploit-and-limitations-modern-mitigation-techniques)
@ -1044,7 +1079,8 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[MS16-039 - "Windows 10" 64 bits Integer Overflow exploitation by using GDI objects](https://www.coresecurity.com/blog/ms16-039-windows-10-64-bits-integer-overflow-exploitation-by-using-gdi-objects)
[PLASMA PULSAR](https://github.com/stealth/plasmapulsar/blob/master/README.md)
* This document describes a generic root exploit against kde.
@ -1081,4 +1117,12 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
### Online Resources
[ropshell](http://ropshell.com/)
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.fi8ter8
* ropshell is a free online service for generating and searching for Return-Oriented-Programming (ROP) gadgets.fi8ter8
### Exploit Collections
[XiphosResearch PoC Exploits](https://github.com/XiphosResearch/exploits)
* Miscellaneous proof of concept exploit code written at Xiphos Research for testing purposes.
[exploit-db.org](https://www.exploit-db.org)
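Review bot: the ropshell description line ends in keyboard debris, `gadgets.fi8ter8`, and appears twice in this hunk; keep a single copy ending `...(ROP) gadgets.` Also, `[exploit-db.org](https://www.exploit-db.org)` points at the wrong TLD: the Exploit Database is hosted at exploit-db.com, so both label and URL should read `https://www.exploit-db.com`.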

+ 5
- 4
Draft/Forensics Incident Response.md

@ -31,11 +31,11 @@ Forensics wiki
Yelp/Github - OSX Collector - Mass style forensics/management
https://sysforensics.org/2014/01/know-your-windows-processes.html
https://santoku-linux.com/howtos
[Know your Windows' Processes](https://sysforensics.org/2014/01/know-your-windows-processes.html)
hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[Santoku Linux How-Tos'](https://santoku-linux.com/howtos)
hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
#### End Cull
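Review bot: the bare line `hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)` passes through this cleanup unchanged but is not a valid link: it has no scheme, no `[title](` prefix, and a dangling `)`. Either give it the `[Title](http://...)` form the two neighbouring bare URLs were just converted to, or drop it. Separately, `[Santoku Linux How-Tos']` carries a stray apostrophe; `[Santoku Linux How-Tos]` matches the page.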
@ -122,7 +122,8 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
[PEview](http://wjradburn.com/software/)
* PEview provides a quick and easy way to view the structure and content of 32-bit Portable Executable (PE) and Component Object File Format (COFF) files. This PE/COFF file viewer displays header, section, directory, import table, export table, and resource information within EXE, DLL, OBJ, LIB, DBG, and other file types.
[firepwd.py](https://github.com/lclevy/firepwd)
* firepwd.py, an open source tool to decrypt Mozilla protected passwords


+ 87
- 35
Draft/Fuzzing Bug Hunting.md

@ -17,26 +17,33 @@ TOC
#### sort
[honggfuzz])(https://github.com/google/honggfuzz)
* Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw) http://google.github.io/honggfuzz/
#### end sort
### General
[Fuzzing basics...how to break software - grid - Scott M](http://www.irongeek.com/i.php?page=videos/derbycon6/411-fuzzing-basicshow-to-break-software-grid-aka-scott-m)
* Ever wanted to break software? You know you want to...it's fun! In this talk, I will share some tools & techniques I've used to improve software by breaking it.
[Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)
[Basic fuzzing framework](https://www.cert.org/vulnerability-analysis/tools/bff-download.cfm)
### Blogposts
[Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
* How major vulnerabilities/large amounts of publicly vulnerable systems can exist without public recognition for long periods of time. (i.e. CVEs(10.0) exist, but no mapping in nessus/metasploit/etc)
#### end sort
### General Writeups
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* Is what it says on the tin.
[Advice From A Researcher: Hunting XXE For Fun and Profit](https://blog.bugcrowd.com/advice-from-a-researcher-xxe/)
[Quick explanation of fuzzing and various fuzzers](http://whoisjoe.info/?p=16)
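Review bot: the new entry `[honggfuzz])(https://github.com/google/honggfuzz)` has a stray `]` before the `(`, which breaks the link; it should be `[honggfuzz](https://github.com/google/honggfuzz)`. The same entry, correctly formatted, is also added to the Tools section later in this file, so the copy in the `#### sort` block can simply be deleted. Note also that after this hunk the file has two `#### end sort` markers (one after honggfuzz, one after the Blogposts entry) with `### General` and `### Blogposts` sections between them; keep only the one that actually closes the sort block.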
@ -50,6 +57,13 @@ TOC
### <a name="writeup">Writeups</a>
[From Fuzzing to 0day.](http://blog.techorganic.com/2014/05/14/from-fuzzing-to-0-day/)
@ -61,6 +75,17 @@ TOC
[How to fuzz a server with American Fuzzy Lop](https://www.fastly.com/blog/how-fuzz-server-american-fuzzy-lop)
[Fuzzing for MS15-010](http://blog.beyondtrust.com/fuzzing-for-ms15-010)
* Is what it says on the tin.
[Advice From A Researcher: Hunting XXE For Fun and Profit](https://blog.bugcrowd.com/advice-from-a-researcher-xxe/)
[Running Windows 64-bit in QEMU Emulation Mode](https://www.invincealabs.com/blog/2016/07/running-windows-64bit-qemu/)
[There's a lot of vulnerable OS X applications out there](https://vulnsec.com/2016/osx-apps-vulnerabilities/)
[Binary SMS - The old backdoor to your new thing](https://www.contextis.com/resources/blog/binary-sms-old-backdoor-your-new-thing/)
@ -82,6 +107,15 @@ TOC
[TAJ: Effective Taint Analysis of Web Applications - Java Webapps](http://manu.sridharan.net/files/pldi153-tripp.pdf)
* Taint analysis, a form of information-flow analysis, establishes whether values from untrusted methods and parameters may flow into security-sensitive operations. Taint analysis can detect many common vulnerabilities in Web applications, and so has attracted much attention from both the research community and industry. However, most static taint-analysis tools do not address criti- cal requirements for an industrial-strength tool. Specifically, an industrial-strength tool must scale to large industrial Web applica- tions, model essential Web-application code artifacts, and generate consumable reports for a wide range of attack vectors. We have designed and implemented a static Taint Analysis for Java (TAJ) that meets the requirements of industry-level applica- tions. TAJ can analyze applications of virtually any size, as it em- ploys a set of techniques designed to produce useful answers given limited time and space. TAJ addresses a wide variety of attack vec- tors, with techniques to handle reflective calls, flow through con- tainers, nested taint, and issues in generating useful reports. This paper provides a description of the algorithms comprising TAJ, evaluates TAJ against production-level benchmarks, and compares it with alternative solutions.
[Fuzzing the Phone in your Phone](https://www.blackhat.com/presentations/bh-usa-09/MILLER/BHUSA09-Miller-FuzzingPhone-PAPER.pdf)
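Review bot: the TAJ abstract pasted here retains PDF line-break hyphenation: `criti- cal`, `Web applica- tions`, `industry-level applica- tions`, `em- ploys`, `attack vec- tors`, `con- tainers`. Join these (critical, applications, employs, vectors, containers) before merging; as written they also defeat a plain-text search of the list for those terms.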
@ -126,6 +160,50 @@ TOC
### <a name="tools">Tools</a>
#### Non OS Specific
[honggfuzz](https://github.com/google/honggfuzz)
* Security oriented fuzzer with powerful analysis options. Supports evolutionary, feedback-driven fuzzing based on code coverage (sw and hw) http://google.github.io/honggfuzz/
[Grinder - Fuzzer](https://github.com/stephenfewer/grinder)
* Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
| **USB Fuzzing Basics: From fuzzing to bug reporting** | http://blog.quarkslab.com/usb-fuzzing-basics-from-fuzzing-to-bug-reporting.html
[libFuzzer]((http://llvm.org/docs/LibFuzzer.html
* library for in-process evolutionary fuzzing of other libraries.
[crashwalk](https://github.com/bnagy/crashwalk)
* Bucket and triage on-disk crashes. OSX and Linux.(automated triaging of AFL-based crashes)
[CERT’s Failure Observation Engine (FOE)](https://www.cert.org/vulnerability-analysis/tools/foe.cfm)
* The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
[Zulu Fuzzer](https://github.com/nccgroup/Zulu)
* The Zulu fuzzer
[Radamsa](https://code.google.com/p/ouspg/wiki/Radamsa)
* Radamsa is a test case generator for robustness testing, aka a fuzzer. It can be used to test how well a program can stand malformed and potentially malicious inputs. It operates based on given sample inputs and thus requires minimal effort to set up. The main selling points of radamsa are that it is easy to use, contains several old and new fuzzing algorithms, is easy to script from command line and has already been used to find a slew of bugs in programs that actually matter.
[browserfuzz](https://bitbucket.org/blackaura/browserfuzz)
* A very simple browser fuzzer based on tornado.
[sandbox-attacksurface-analysis-tools](https://github.com/google/sandbox-attacksurface-analysis-tools)
* This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
[Kitty][https://github.com/cisco-sas/kitty]
* Fuzzing framework written in python(Not a fuzzer)
#### Windows Specific
[WinAFL] (https://github.com/ivanfratric/winafl)
* A fork of AFL for fuzzing Windows binaries
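Review bot: several link-syntax errors in the Tools block added here. `[libFuzzer]((http://llvm.org/docs/LibFuzzer.html` has a doubled `(` and no closing `)`; `[Kitty][https://github.com/cisco-sas/kitty]` uses square brackets where the URL needs parentheses; `[WinAFL] (https://github.com/ivanfratric/winafl)` has a space between `]` and `(`, which GitHub-flavoured Markdown does not treat as a link. The row `| **USB Fuzzing Basics: From fuzzing to bug reporting** | http://blog.quarkslab.com/...` is leftover table markup for a blog post, not a tool; convert it to `[title](url)` and move it to the writeups section. Finally, `sandbox-attacksurface-analysis-tools` is not a fuzzer and is added to Draft/Exploit Development.md in this same commit; one location is enough.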
@ -156,32 +234,6 @@ TOC
#### Non OS Specific
| **honggfuzz** - A general-purpose, easy-to-use fuzzer with interesting analysis options. Supports feedback-driven fuzzing based on code coverage | https://github.com/google/honggfuzz
[Grinder - Fuzzer](https://github.com/stephenfewer/grinder)
* Grinder is a system to automate the fuzzing of web browsers and the management of a large number of crashes. Grinder Nodes provide an automated way to fuzz a browser, and generate useful crash information (such as call stacks with symbol information as well as logging information which can be used to generate reproducible test cases at a later stage). A Grinder Server provides a central location to collate crashes and, through a web interface, allows multiple users to login and manage all the crashes being generated by all of the Grinder Nodes.
| **USB Fuzzing Basics: From fuzzing to bug reporting** | http://blog.quarkslab.com/usb-fuzzing-basics-from-fuzzing-to-bug-reporting.html
[libFuzzer]((http://llvm.org/docs/LibFuzzer.html
* library for in-process evolutionary fuzzing of other libraries.
[crashwalk](https://github.com/bnagy/crashwalk)
* Bucket and triage on-disk crashes. OSX and Linux.(automated triaging of AFL-based crashes)
[CERT’s Failure Observation Engine (FOE)](https://www.cert.org/vulnerability-analysis/tools/foe.cfm)
* The CERT Failure Observation Engine (FOE) is a software testing tool that finds defects in applications that run on the Windows platform. FOE performs mutational fuzzing on software that consumes file input. (Mutational fuzzing is the act of taking well-formed input data and corrupting it in various ways looking for cases that cause crashes.) The FOE automatically collects test cases that cause software to crash in unique ways, as well as debugging information associated with the crashes. The goal of FOE is to minimize the effort required for software vendors and security researchers to efficiently discover and analyze security vulnerabilities found via fuzzing.
[Zulu Fuzzer](https://github.com/nccgroup/Zulu)
* The Zulu fuzzer
[Radamsa](https://code.google.com/p/ouspg/wiki/Radamsa)
* Radamsa is a test case generator for robustness testing, aka a fuzzer. It can be used to test how well a program can stand malformed and potentially malicious inputs. It operates based on given sample inputs and thus requires minimal effort to set up. The main selling points of radamsa are that it is easy to use, contains several old and new fuzzing algorithms, is easy to script from command line and has already been used to find a slew of bugs in programs that actually matter.
[browserfuzz](https://bitbucket.org/blackaura/browserfuzz)
* A very simple browser fuzzer based on tornado.


+ 83
- 24
Draft/Honeypots -.md

@ -16,41 +16,30 @@ Cull
###Cull
[Hflow2](https://projects.honeynet.org/hflow)
* Data Analysis System
[Tango Honeypot Intelligence](https://github.com/aplura/Tango)
* Honeypot Intelligence with Splunk
[Security Onions and Honey Potz - Ethan Dodge - BSidesSLC2015](https://www.youtube.com/watch?v=1Jbm1zwiGTM)
http://www.cuckoosandbox.org/
https://www.shadowserver.org/wiki/pmwiki.php/Information/Honeypots
http://highaltitudehacks.com/2013/06/15/ghost-usb-honeypot-part-2-installing-and-running-the-honeypot/
https://en.wikipedia.org/wiki/Honeypot_%28computing%29
[Static Low-interaction Honeypots](http://www.frameloss.org/2014/07/12/static-low-interaction-honeypots/)
#### End Cull
(Setting Honeytraps with Modsecurity - Adding fake hidden form fields](http://blog.spiderlabs.com/2014/06/setting-honeytraps-with-modsecurity-adding-fake-hidden-form-fields.html0
### General
[Honeypots - ShadowServer](https://www.shadowserver.org/wiki/pmwiki.php/Information/Honeypots)
[Honeypot Computing - Wikipedia](https://en.wikipedia.org/wiki/Honeypot_%28computing%29)
Types:
##### Types:
Zero
Low
Medium
High
HoneyData - Strings, shares/drives, etc.
*Zero
* Low
* Medium
* High
* HoneyData - Strings, shares/drives, etc.
###<a name="honey">Honeypots/nets</a>
### <a name="honey">Honeypots/nets</a>
[Modern Honey Network(MHN)](https://threatstream.github.io/mhn/)
* From the secure deployment to the aggregation of thousands of events MHN provides enteprise grade management of the most current open source honeypot software. MHN is completely free open source software which supports external and internal honeypot deployments at a large and distributed scale. MHN uses the HPFeeds standard and low-interaction honeypots to keep effectiveness and security at enterprise grade levels. MHN provides full REST API out of the box and we are making CEF and STIX support available now for direct SIEM integration through our Commercial platform Optic.
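Review bot: in the new Types list, `*Zero` is missing the space after `*`, so it renders as a literal asterisk instead of a bullet like `* Low` and its siblings; make it `* Zero`. While the block is being reformatted, `enteprise` in the MHN description should read `enterprise`.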
@ -121,14 +110,68 @@ Beeswarm](http://www.beeswarm-ids.org/)
[Truman](http://www.secureworks.com/cyber-threat-intelligence/tools/truman/)
* Truman can be used to build a "sandnet", a tool for analyzing malware in an environment that is isolated, yet provides a virtual Internet for the malware to interact with. It runs on native hardware, therefore it is not stymied by malware which can detect VMWare and other VMs. The major stumbling block to not using VMs is the difficulty involved with repeatedly imaging machines for re-use. Truman automates this process, leaving the researcher with only minimal work to do in order to get an initial analysis of a piece of malware. Truman consists of a Linux boot image (originally based on Chas Tomlin's Windows Image Using Linux) and a collection of scripts. Also provided is pmodump, a Perl-based tool to reconstruct the virtual memory space of a process from a PhysicalMemory dump. With this tool it is possible to circumvent most packers to perform strings analysis on the dumped malware.
[Static Low-interaction Honeypots](http://www.frameloss.org/2014/07/12/static-low-interaction-honeypots/)
### Tools
[DCEPT](https://github.com/secureworks/dcept)
* A tool for deploying and detecting use of Active Directory honeytokens
[Hflow2](https://projects.honeynet.org/hflow)
* Data Analysis System
[Tango Honeypot Intelligence](https://github.com/aplura/Tango)
* Honeypot Intelligence with Splunk
###Presentations
### Presentations
[Honeypots for Active Defense - A Practical Guide to Deploying Honeynets Within the Enterprise - Greg Foss](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech201-honeypots-for-active-defense-a-practical-guide-to-deploying-honeynets-within-the-enterprise-greg-foss)
* InfoSec analysts are all somewhat familiar with honeypots. When they are given the proper attention, care and feeding, they produce invaluable information. This intelligence has been primarily used by security researchers and organizations with advanced defensive capabilities to study their adversaries and learn from their actions. But what about the rest of us? Honeypots are a lot of work to configure, maintain, and monitor -- how can an organization that is not focused on research gain valuable intelligence using honeypots and actively defend their network using the data obtained? The answer is honeypots for active defense. There are currently many open source security tool distributions that come pre-loaded with honeypots among other useful tools, however the honeypot software is often not deployed in an effective manner. This session will discuss techniques to deploy honeypots in ways that will not overburden the security team with massive logs to sift through and focuses on correlating active threat data observed in the honeypot with the production environment. When deploying honeypots effectively, this can give security analysts one additional mechanism to tip them off to nefarious activity within their network.
[Global Honeypot Trends - Elliot Brink](https://www.youtube.com/watch?v=rjd-r4WA0PU)
* Many of my computer systems are constantly compromised, attacked, hacked, 24/7. How do I know this? I've been allowing it. This presentation will cover over one year of research running several vulnerable systems (or honeypots) in multiple countries including the USA, mainland China, Russia and others. We'll be taking a look at: a brief introduction to honeypots, common attacker trends (both sophisticated and script kiddie), brief malware analysis and the statistical analysis of attackers based on GeoIP. Are there differences in attacks based on where a computer system is located? Let's investigate this together! Beginners to the topic of honeypots fear not, the basics will be covered.
[Security Onions and Honey Potz - Ethan Dodge - BSidesSLC2015](https://www.youtube.com/watch?v=1Jbm1zwiGTM)
###<a name="writeup">Writeups</a>
### <a name="writeup">Writeups</a>
[ Deploying Dionaea on a Raspberry Pi using MHN](https://github.com/threatstream/mhn/wiki/Deploying-Dionaea-on-a-Raspberry-Pi)
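Review bot: the hunk header context `Beeswarm](http://www.beeswarm-ids.org/)` shows that the Beeswarm entry just above this hunk is missing its opening `[`, so it does not render as a link; since the surrounding headings are being fixed here (`###Presentations` to `### Presentations`, `###<a name="writeup">` to `### <a name="writeup">`), fix that line as well: `[Beeswarm](http://www.beeswarm-ids.org/)`. Also `[ Deploying Dionaea on a Raspberry Pi using MHN]` has a leading space inside the brackets.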
@ -148,3 +191,19 @@ Beeswarm](http://www.beeswarm-ids.org/)
* Abstract. A Honeypot is a software based security device, deployed to attract hackers by displaying services and open ports which are potentially vulnerable. While the attackers are diverted, t heir activities can then be monitored and an a- lysed to identify current a ttack methods and trends. A low - interaction Honeypot called Dion aea was chosen for this project because it can simulate services while preventing an attacker from gaining full control. Results were collected over the six week period of the experiment. The logged information of the o b- served attacks was analysed and compared with current vulnerabilities, the loc a- tions where the attacks were originating from and the time of day at the orig i- nating site. A profile of individual attackers can then be built to ga in an insight into the current attack trends in order to improve network defences.
[POSTER: Dragging Attackers to Honeypots for Effective Analysis of Cyber Threats](http://www.aims-conference.org/2014/POSTER-Dragging_Attackers_to_Honeypots_for_Effective_Analysis_of_Cyber_Threats.pdf)
[Setting Honeytraps with Modsecurity - Adding fake hidden form fields](http://blog.spiderlabs.com/2014/06/setting-honeytraps-with-modsecurity-adding-fake-hidden-form-fields.html)
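Review bot: the Dionaea paper abstract added here carries PDF extraction artefacts: `t heir`, `an a- lysed`, `a ttack`, `Dion aea`, `o b- served`, `loc a- tions`, `orig i- nating`, `ga in`. Join them (their, analysed, attack, Dionaea, observed, locations, originating, gain) before merging. The corrected `[Setting Honeytraps with Modsecurity ...](...html)` link that replaces the broken `(Setting Honeytraps ... html0` line from the Cull block is fine.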

+ 43
- 30
Draft/Interesting Things Useful stuff.md

@ -8,6 +8,11 @@ TOC
* [Interesting & Useful Write-ups](#writeup)
## Attribution
[Cyber Attack Attribution Report](http://whohackedus.com/)
### General
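Review bot: the new `## Attribution` heading sits one level above the `### General` heading that follows it, and unlike the other sections it has no `<a name>` anchor; no matching TOC bullet appears in this hunk either, although the TOC's last item `* [Interesting & Useful Write-ups](#writeup)` is visible as context directly above. Use `### <a name="attribution">Attribution</a>` and add a TOC entry pointing at it.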
@ -39,11 +44,15 @@ http://www.securitywizardry.com/radar.htm
[The Distribution of Users’ Computer Skills: Worse Than You Think](https://www.nngroup.com/articles/computer-skill-levels/)
[Infosec Podcasts](http://www.getmon.com/)