
Changelog worth a look if you're reading this. Some updates to Phishing and SE primarily. Not what I planned to update, but eh. Will hopefully make another pass on some of the smaller things and update Phishing and Building a Lab in the next few days as well.

pull/33/head
rmusser01 1 year ago
commit 60ff8da689
19 changed files with 1826 additions and 1393 deletions
1. Draft/AOP.md (+0, -350)
2. Draft/Archiving (+0, -42)
3. Draft/Archiving.md (+23, -0)
4. Draft/Cheats.md (+5, -0)
5. Draft/Cloud.md (+413, -0)
6. Draft/DFIR.md (+16, -0)
7. Draft/L-SM-TH.md (+26, -8)
8. Draft/Network_Attacks.md (+25, -22)
9. Draft/OSI.md (+0, -349)
10. Draft/Passwords.md (+54, -26)
11. Draft/Phishing.md (+676, -225)
12. Draft/PrivescPostEx.md (+329, -342)
13. Draft/Rants&Writeups/Hacker_Manifesto (+75, -0)
14. Draft/SE.md (+134, -0)
15. Draft/sysinternals.md (+48, -23)
16. LICENSE (+1, -1)
17. README.md (+1, -1)
18. SUMMARY.md (+0, -4)
19. old.tar (BIN)

Draft/AOP.md (+0, -350)

@ -1,350 +0,0 @@
## Anonymity, Opsec & Privacy
### Table of Contents
- [General](#general)
- [Android/iOS/Mobile](#mobile)
- [Browser Related](#browser)
- [Communications Security](#comsec)
- [Data Collection](#dcollect)
- [De-anonymization](#de-anon)
- [Documents/Writing](#writing)
- [Facial Identification](#face)
- [Informative/Educational](#informative)
- [Journalism & Media Publishing](#media)
- [Network Obfuscation](#obfuscation)
- [Operational Security - OPSEC](#opsec)
- [References/Resources](#ref)
- [Wireless Radios](#)
- [Tor](#tor)
- [Traveling](#travel)
- [Miscellaneous Stuff](#misc)
- [Miscellaneous Tools](#misc-tools)
- [Counter-Surveillance](#counter)
- [Writeups](#cwriteup)
- [Videos/Talks](#cvideos)
- [Papers](#cpapers)
- [Emissions Security](#emissions)
- [Papers](#papers)
- [Modern Surveillance](#modern)
- [China](#china)
- [United States](#usa)
- [Disinformation](#disinfo)
--------------
### <a name="general"></a>General
* **101**
* [A Guide to Law Enforcement Spying Technology - EFF](https://www.eff.org/sls)
* [Anonymity](https://en.wikipedia.org/wiki/Anonymity)
* [Operations Security - Wikipedia](https://en.wikipedia.org/wiki/Operations_security)
* **General**
* [OS X Security and Privacy Guide](https://github.com/drduh/OS-X-Security-and-Privacy-Guide)
* [Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
* [Mobile Phone Data lookup](https://medium.com/@philipn/want-to-see-something-crazy-open-this-link-on-your-phone-with-wifi-turned-off-9e0adb00d024)
* [Privacy Online Test And Resource Compendium](https://github.com/CHEF-KOCH/Online-Privacy-Test-Resource-List/blob/master/README.md)
* [Winning and Quitting the Privacy Game What it REALLY takes to have True Privacy in the 21st Century - Derbycon 7](https://www.youtube.com/watch?v=bxQSu06yuZc)
* [We Should All Have Something To Hide - Moxie Marlinspike](https://moxie.org/blog/we-should-all-have-something-to-hide/)
* ['I've Got Nothing to Hide' and Other Misunderstandings of Privacy](http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565&)
* We live in a surveillance state. Law enforcement and intelligence agencies have access to a huge amount of data about us, enabling them to learn intimate, private details about our lives. In part, the ease with which they can obtain such information reflects the fact that our laws have failed to keep up with advances in technology. However, privacy enhancing technologies can offer real protections even when the law does not. That intelligence agencies like the NSA are able to collect records about every telephone call made in the United States, or engage in the bulk surveillance of Internet communications is only possible because so much of our data is transmitted in the clear. The privacy enhancing technologies required to make bulk surveillance impossible and targeted surveillance more difficult already exist. We just need to start using them.
* [The Gruqgs blog](http://grugq.tumblr.com/)
* [How to Cover Your Tracks - ouah.org](http://www.ouah.org/cover_your_tracks1.html)
* [Becoming Virtually Untraceable (Eps1.0_B4s!c_T3chn1qu3s.onion) - Ian Barwise](https://medium.com/@IanBarwise/becoming-virtually-untraceable-part-1-e8470ae60745)
* **Android/iOS/Mobile**<a name="mobile"></a>
* [Click and Dragger: Denial and Deception on Android mobile](https://www.slideshare.net/grugq/mobile-opsec/34-WHAT_ARETHEY_GOOD_FOR_Threat)
* [DEFCON 20: Can You Track Me Now? Government And Corporate Surveillance Of Mobile Geo-Location Data](https://www.youtube.com/watch?v=NjuhdKUH6U4)
* [Can you track me now? - Defcon20](https://wEww.youtube.com/watch?v=DxIF66Tcino)
* [Phones and Privacy for Consumers - Matt Hoy (mattrix) and David Khudaverdyan (deltaflyer)](http://www.irongeek.com/i.php?page=videos/grrcon2015/submerssion-therapy05-phones-and-privacy-for-consumers-matt-hoy-mattrix-and-david-khudaverdyan-deltaflyerhttps://ritter.vg/blog-deanonymizing_amm.html)
* [Hacking FinSpy - a Case Study - Atilla Marosi - Troopers15](https://www.youtube.com/watch?v=Mb4mfBi06K4)
* **Browser Related**<a name="browser"></a>
* [Panopticlick](https://panopticlick.eff.org/)
* Panopticlick will analyze how well your browser and add-ons protect you against online tracking techniques. We’ll also see if your system is uniquely configured—and thus identifiable—even if you are using privacy-protective software.
* [Discovering Browser Extensions via Web Accessible Resources - Chalmers security lab](http://www.cse.chalmers.se/research/group/security/publications/2017/extensions/codaspy-17-full.pdf)
* [Cookieless Monster: Exploring the Ecosystem of Web-based Device Fingerprinting](http://securitee.org/files/cookieless_sp2013.pdf)
* [Client Identification Mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
* [Technical analysis of client identification mechanisms](http://www.chromium.org/Home/chromium-security/client-identification-mechanisms)
* [What Happens Next Will Amaze You](http://idlewords.com/talks/what_happens_next_will_amaze_you.htm#six_fixes)
* In this paper, we examine how web-based device fingerprinting currently works on the Internet. By analyzing the code of three popular browser-fingerprinting code providers, we reveal the techniques that allow websites to track users without the need of client-side identifiers. Among these techniques, we show how current commercial fingerprinting approaches use questionable practices, such as the circumvention of HTTP proxies to discover a user’s real IP address and the installation of intrusive browser plugins. At the same tim e, we show how fragile the browser ecosystem is against fingerprinting through the use of novel browser- identifying techniques. With so many different vendors involved in browser development, we demonstrate how one can use diversions in the browsers’ implementation to distinguish successfully not only the browser-family, but also specific major and minor versions. Browser extensions that help users spoof the user-agent of their browsers are also evaluated. We show that current commercial approaches can bypass the extensions, and, in addition, take advantage of their shortcomings by using them as additional fingerprinting features.
* [Invasion of Privacy - HackerFactor](http://www.hackerfactor.com/blog/index.php?/archives/703-Invasion-of-Privacy.html)
* **Communication Security**<a name="comsec"></a>
* [A Study of COMINT Personnel Security Standards and Practices](https://www.cia.gov/library/readingroom/document/cia-rdp82s00527r000100060014-6)
* [COMSEC Beyond Encryption](https://grugq.github.io/presentations/COMSEC%20beyond%20encryption.pdf)
* [NSA operation ORCHESTRA: Annual Status Report(2014) - Poul-Henning Kamp - FOSDEM14](https://www.youtube.com/watch?v=fwcl17Q0bpk&feature=youtu.be)
* **Data Collection**<a name="dcollect"></a>
* [This Time, Facebook Is Sharing Its Employees’ Data: Some of the biggest companies turn over their workers’ most personal information to the troubled credit reporting agency Equifax](https://www.fastcompany.com/40485634/equifax-salary-data-and-the-work-number-database)
* [No boundaries: Exfiltration of personal data by session-replay scripts](https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)
* [Data release: list of websites that have third-party “session replay” scripts ](https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html)
* [.NET Github: .NET core should not SPY on users by default #3093](https://github.com/dotnet/cli/issues/3093)
* [.NET Github: Revisit Telemetry configuration #6086 ](https://github.com/dotnet/cli/issues/6086)
* [iTerm2 Leaks Everything You Hover in Your Terminal via DNS Requests](https://www.bleepingcomputer.com/news/security/iterm2-leaks-everything-you-hover-in-your-terminal-via-dns-requests/)
* **De-Anonymization**<a name="de-anon"></a>
* **Articles/Blogposts/Writeups**
* [De-Anonymizing Alt.Anonymous. Messages - Tom Ritter - Defcon21](https://www.youtube.com/watch?v=_Tj6c2Ikq_E)
* [De-Anonymizing Alt.Anonymous.Messages](https://ritter.vg/blog-deanonymizing_amm.html)
* [Defeating and Detecting Browser Spoofing - Browserprint](https://browserprint.info/blog/defeatingSpoofing)
* [Deanonymizing Windows users and capturing Microsoft and VPN accounts](https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834)
* [De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)
* **Papers**
* [Speaker Recognition in Encrypted Voice Streams - Michael Backes,Goran Doychev,Markus Durmuth,Boris Kopf](http://software.imdea.org/~gdoychev/publications/esorics10.pdf)
* We develop a novel approach for unveiling the identity of speakers who participate in encrypted voice communication, solely by eavesdropping on the encrypted traffic. Our approach exploits the concept of voice activity detection (VAD), a widely used technique for reducing the bandwidth consumption of voice traffic. We show that the reduction of traffic caused by VAD techniques creates patterns in the encrypted traffic, which in turn reveal the patterns of pauses in the underlying voice stream. We show that these patterns are speaker-characteristic, and that they are sufficient to undermine the anonymity of the speaker in encrypted voice communication. In an empirical setup with 20 speakers our analysis is able to correctly identify an unknown speaker in about 48% of all cases. Our work extends and generalizes existing work that exploits variable bit-rate encoding for identifying the conversation language and content of encrypted voice streams)
* **Documents**<a name="writing"></a>
* **Authorship Analysis/Identification**
* [anonymouth](https://github.com/psal/anonymouth)
* Document Anonymization Tool, Version 0.5
* [F⁠ingerprinting documents​ with steganography​](http://blog.fastforwardlabs.com/2017/06/23/fingerprinting-documents-with-steganography.html)
* [Text Authorship Verification through Watermarking - Stefano Giovanni Rizzo, Flavio Bertini, Danilo Montesi](https://pdfs.semanticscholar.org/4028/f904da8e2c50672e6037168bf2bd72bc4cb9.pdf)
* **Obfuscation/Making it harder to OCR/Redaction Tactics and Methods**
* [Redaction of PDF Files Using Adobe Acrobat Professional X - NSA](https://www.cs.columbia.edu/~smb/doc/Redaction-of-PDF-Files-Using-Adobe-Acrobat-Professional-X.pdf)
* [Why Government Agencies Use Ugly, Difficult to Use Scanned PDFs - There's More Than Meets the Eye - circleid.com](http://www.circleid.com/posts/20180720_why_government_agencies_use_ugly_difficul_to_use_scanned_pdfs/)
* **Stegonagraphy**
* [steganos](https://github.com/fastforwardlabs/steganos)
* This is a library to encode bits into text.... steganography in text!
* [Content-preserving Text Watermarking through Unicode Homoglyph Substitution](https://www.researchgate.net/publication/308044170_Content-preserving_Text_Watermarking_through_Unicode_Homoglyph_Substitution)
* Digital watermarking has become crucially important in authentication and copyright protection of the digital contents, since more and more data are daily generated and shared online through digital archives, blogs and social networks. Out of all, text watermarking is a more difficult task in comparison to other media watermarking. Text cannot be always converted into image, it accounts for a far smaller amount of data (eg. social network posts) and the changes in short texts would strongly affect the meaning or the overall visual form. In this paper we propose a text watermarking technique based on homoglyph characters substitution for latin symbols1. The proposed method is able to efficiently embed a password based watermark in short texts by strictly preserving the content. In particular, it uses alternative Unicode symbols to ensure visual indistinguishability and length preservation, namely content-preservation. To evaluate our method, we use a real dataset of 1.8 million New York articles. The results show the effectiveness of our approach providing an average length of 101 characters needed to embed a 64bit password based watermark.
* **Facial Identification**<a name="facial"></a>
* [Achie­ving an­ony­mi­ty against major face re­co­gni­ti­on al­go­rith­ms - Be­ne­dikt Dries­sen, Mar­kus Dür­muth](http://www.mobsec.rub.de/forschung/veroeffentlichungen/driessen-13-face-rec/)
* [IBM Used NYPD Surveillance Footage to Develop Technology That Lets Police Search by Skin Color](https://theintercept.com/2018/09/06/nypd-surveillance-camera-skin-tone-search/)
* **Informative/Educational**<a name="informative"></a>
* [Bugger - Adam Curtis](http://www.bbc.co.uk/blogs/adamcurtis/entries/3662a707-0af9-3149-963f-47bea720b460)
* Maybe the real state secret is that spies aren't very good at their jobs and don't know much about the world
* [Detect Tor Exit doing sniffing by passively detecting unique DNS query (via HTML & PCAP parsing/viewing)](https://github.com/NullHypothesis/exitmap/issues/37)
* [Dutch-Russian cyber crime case reveals how police tap the internet - ElectroSpaces](http://electrospaces.blogspot.de/2017/06/dutch-russian-cyber-crime-case-reveals.html?m=1)
* [An Underground education](https://www.slideshare.net/grugq/underground-education-21151795)
* [How to Spot a Spook](https://cryptome.org/dirty-work/spot-spook.htm)
* **Journalism/Media Publishing**<a name="media"></a>
* [Information Security For Journalist book - Centre for Investigative Journalism](http://files.gendo.nl/Books/InfoSec_for_Journalists_V1.1.pdf)
* [Protecting Your Sources When Releasing Sensitive Documents](https://source.opennews.org/articles/how-protect-your-sources-when-releasing-sensitive-/)
* **Network Obfuscation**<a name="obfuscation"></a>
* [HORNET: High-speed Onion Routing at the Network Layer](http://arxiv.org/pdf/1507.05724v1.pdf)
* [Decoy Routing: Toward Unblockable Internet Communication](https://www.usenix.org/legacy/events/foci11/tech/final_files/Karlin.pdf)
* We present decoy routing, a mechanism capable of circumventing common network filtering strategies. Unlike other circumvention techniques, decoy routing does not require a client to connect to a specific IP address (which is easily blocked) in order to provide circumvention. We show that if it is possible for a client to connect to any unblocked host/service, then decoy routing could be used to connect them to a blocked destination without coop- eration from the host. This is accomplished by placing the circumvention service in the network itself – where a single device could proxy traffic between a significant fraction of hosts – instead of at the edge.
* [obfs4 (The obfourscator)](https://gitweb.torproject.org/pluggable-transports/obfs4.git/tree/doc/obfs4-spec.txt)
* This is a protocol obfuscation layer for TCP protocols. Its purpose is to keep a third party from telling what protocol is in use based on message contents. Unlike obfs3, obfs4 attempts to provide authentication and data integrity, though it is still designed primarily around providing a layer of obfuscation for an existing authenticated protocol like SSH or TLS.
* [obfs3 (The Threebfuscator)](https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/doc/obfs3/obfs3-protocol-spec.txt)
* This is a protocol obfuscation layer for TCP protocols. Its purpose is to keep a third party from telling what protocol is in use based on message contents. Like obfs2, it does not provide authentication or data integrity. It does not hide data lengths. It is more suitable for providing a layer of obfuscation for an existing authenticated protocol, like SSH or TLS.
* **Online Influence Methods**
* [The Art of Deception: Training for a New Generation of Online Covert Operations](https://theintercept.com/document/2014/02/24/art-deception-training-new-generation-online-covert-operations/)
* [How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations - TheIntercept](https://theintercept.com/2014/02/24/jtrig-manipulation/)
* **OPSEC(Specifically)**<a name="opsec"></a>
* [Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
* [CIA Vault7 Development Tradecraft DOs and DON'Ts](https://wikileaks.org/ciav7p1/cms/page_14587109.html)
* [Campaign Information Security In Theory and Practice](https://medium.com/@thegrugq/campaign-information-security-ff6ac49966e1)
* [Reminder: Oh, Won't You Please Shut Up? - USA](https://www.popehat.com/2011/12/01/reminder-oh-wont-you-please-shut-up/)
* [Underground Tradecraft Rules of Clandestine Operation](https://grugq.tumblr.com/post/60463307186/rules-of-clandestine-operation)
* [I know places we can hide Opsec tips from Taylor Swift](https://medium.com/@flamsmark/i-know-places-we-can-hide-3a84b1f79963)
* [Operational Security and the Real World - The Grugq](https://medium.com/@thegrugq/operational-security-and-the-real-world-3c07e7eeb2e8)
* [Managing Pseudonyms with Compartmentalization: Identity Management of Personas](https://www.alienvault.com/blogs/security-essentials/managing-pseudonyms-with-compartmentalization-identity-management-of-personas)
* [Because Jail is for WUFTPD - Legendary talk, a must watch.](https://www.youtube.com/watch?v=9XaYdCdwiWU)
* [OPSEC In the Age of The Egotistical Giraffe](https://conference.hitb.org/hitbsecconf2014kul/materials/D1T1%20-%20The%20Grugq%20-%20OPSEC%20in%20the%20Age%20of%20Egotistical%20Giraffe.pdf)
* [OPSEC Concerns in Using Crypto](https://www.slideshare.net/JohnCABambenek/defcon-crypto-village-opsec-concerns-in-using-crypto)
* [You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
* [The Need for Identity Management - alienvault](https://www.alienvault.com/blogs/security-essentials/managing-pseudonyms-with-compartmentalization-identity-management-of-personas)
* **Reference/Resources**<a name="ref"></a>
* [The Paranoid's Bible: An anti-dox effort.](https://paranoidsbible.tumblr.com/)
* [Debian-Privacy-Server-Guide](https://github.com/drduh/Debian-Privacy-Server-Guide)
* This is a step-by-step guide to configuring and managing a domain, remote server and hosted services, such as VPN, a private and obfuscated Tor bridge, and encrypted chat, using the Debian GNU/Linux operating system and other free software.
* [Anonymous’s Guide to OpSec](http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf)
* **WiFi**<a name="wifi"></a>
* [Wifi Tracking: Collecting the (probe) Breadcrumbs - David Switzer](https://www.youtube.com/watch?v=HzQHWUM8cNo)
* Wifi probes have provided giggles via Karma and Wifi Pineapples for years, but is there more fun to be had? Like going from sitting next to someone on a bus, to knowing where they live and hang out? Why try to MITM someone’s wireless device in an enterprise environment where they may notice — when getting them at their favorite burger joint is much easier. In this talk we will review ways of collecting and analyzing probes. We’ll use the resulting data to figure out where people live, their daily habits, and discuss uses (some nice, some not so nice) for this information. We’ll also dicuss how to make yourself a little less easy to track using these methods. Stingrays are price prohibitive, but for just tracking people’s movements.. this is cheap and easy.
* **Tool Configuration**
* [How to stop Firefox from making automatic connections](https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections)
* **Tor**<a name="tor"></a>
* **101**
* [Tor - Wikipedia](https://en.wikipedia.org/wiki/Tor_(anonymity_network))
* [Onion Routing](https://www.onion-router.net/History.html)
* [Tor Project Overview](https://www.torproject.org/about/overview.html.en)
* [Tor Official FAQ](https://www.torproject.org/docs/faq.html.en)
* [Tor Official Documentation](https://www.torproject.org/docs/documentation.html.en)
* [Tor Wiki](https://trac.torproject.org/projects/tor/wiki)
* **Articles/Blogposts/Writeups**
* [Trawling Tor Hidden Service – Mapping the DHT](https://donncha.is/2013/05/trawling-tor-hidden-services/)
* [How Tor Users Got Caught by Government Agencies](http://se.azinstall.net/2015/11/how-tor-users-got-caught.html)
* **Talks/Presentations/Videos**
* [How Tor Users Got Caught - Defcon 22](https://www.youtube.com/watch?v=7G1LjQSYM5Q)
* [Part 2](https://www.youtube.com/watch?v=TQ2bk9kMneI)
* [Deep Dive Into Tor Onion Services - David Goulet](https://www.youtube.com/watch?v=AkoyCLAXVsc)
* **Tools**
* [Nipe](https://github.com/GouveaHeitor/nipe)
* Nipe is a script to make Tor Network your default gateway.
* [P.O.R.T.A.L.](https://github.com/grugq/portal)
* PORTAL is a project that aims to keep people out of jail. It is a dedicated hardware device (a router) which forces all internet traffic to be sent over the Tor network. This significantly increases the odds of using Tor effectively, and reduces the potential to make fatal mistakes.
* [PORTAL of Pi](https://github.com/grugq/PORTALofPi)
* This will guide you through configuring an Arch based RaspberryPi installation which transparently forwards all TCP traffic over the Tor network. There is also a Tor SOCKS proxy for explicitly interacting with the Tor network, either for more security, or to access a Hidden Service.
* [Nipe](https://github.com/GouveaHeitor/nipe)
* Nipe is a script to make Tor Network your default gateway.
* **Papers**
* [SkypeMorph: Protocol Obfuscation for Tor Bridges](https://www.cypherpunks.ca/~iang/pubs/skypemorph-ccs.pdf)
* The Tor network is designed to provide users with low- latency anonymous communications. Tor clients build circuits with publicly listed relays to anonymously reach their destinations. However, since the relays are publicly listed, they can be easily blocked by censoring adversaries. Consequently, the Tor project envisioned the possibility of unlisted entry points to the Tor network, commonly known as bridges. We address the issue of preventing censors from detecting the bridges by observing the communications between them and nodes in their network. We propose a model in which the client obfuscates its messages to the bridge in a widely used protocol over the Inter- net. We investigate using Skype video calls as our target protocol and our goal is to make it difficult for the censor- ing adversary to distinguish between the obfuscated bridge connections and actual Skype calls using statistical compar- isons. We have implemented our model as a proof-of-concept pluggable transport for Tor, which is available under an open-source licence. Using this implementation we observed the obfuscated bridge communications and compared it with those of Skype calls and presented the results.
* [StegoTorus: A Camouflage Proxy for the Tor Anonymity System](https://research.owlfolio.org/pubs/2012-stegotorus.pdf)
* Internet censorship by governments is an increasingly common practice worldwide. Internet users and censors are locked in an arms race: as users find ways to evade censorship schemes, the censors develop countermeasures for the evasion tactics. One of the most popular and effective circumvention tools, Tor, must regularly adjust its network traffic signature to remain usable. We present StegoTorus, a tool that comprehensively disguises Tor from protocol analysis. To foil analysis of packet contents, Tor’s traffic is steganographed to resemble an innocuous cover protocol, such as HTTP. To foil analysis at the transport level, the Tor circuit is distributed over many shorter-lived connections with per-packet characteristics that mimic cover-protocol traffic. Our evaluation demonstrates that StegoTorus improves the resilience of Tor to fingerprinting attacks and delivers usable performance.
* [Spoiled Onions](https://www.cs.kau.se/philwint/spoiled_onions/)
* In this research project, we were monitoring all exit relays for several months in order to expose, document, and thwart malicious or misconfigured relays. In particular, we monitor exit relays with two scanners we developed specifically for that purpose: exitmap and HoneyConnector. Since September 2013, we discovered 65 malicious or misconfigured exit relays which are listed in Table 1 and Table 2 in our research paper. These exit relays engaged in various attacks such as SSH and HTTPS MitM, HTML injection, SSL stripping, and traffic sniffing. We also found exit relays which were unintentionally interfering with network traffic because they were subject to DNS censorship.
* **Travel**<a name="travel"></a>
* [China travel laptop setup](https://mricon.com/i/travel-laptop-setup.html?t=1&cn=ZmxleGlibGVfcmVjcw%3D%3D&iid=88d246896d384d5292f51df954a2c8ba&uid=150127534&nid=244+272699400)
* **Misc/Unsorted**
* [Cat Videos and the Death of Clear Text](https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/)
* [You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans' Movements - ACLU](https://www.aclu.org/other/you-are-being-tracked-how-license-plate-readers-are-being-used-record-americans-movements?redirect=technology-and-liberty/you-are-being-tracked-how-license-plate-readers-are-being-used-record)
* [A Technical Description of Psiphon](https://psiphon.ca/en/blog/psiphon-a-technical-description)
* **Papers**
* [Deep-Spying: Spying using Smartwatch and Deep Learning - Tony Beltramelli](https://arxiv.org/pdf/1512.05616v1.pdf)
* **Miscellaneous Tools**<a name="tools-misc"></a>
* [FakeNameGenerator](http://www.fakenamegenerator.com/)
* [MAT: Metadata Anonymisation Toolkit](https://mat.boum.org/)
* MAT is a toolbox composed of a GUI application, a CLI application and a library.
* [fteproxy](https://fteproxy.org/about)
* fteproxy is fast, free, open source, and cross platform. It has been shown to circumvent network monitoring software such as bro, YAF, nProbe, l7-filter, and appid, as well as closed-source commercial DPI systems
* [Streisand](https://github.com/jlund/streisand)
* Streisand sets up a new server running L2TP/IPsec, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, and a Tor bridge. It also generates custom configuration instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
* [exitmap](https://github.com/NullHypothesis/exitmap)
* Exitmap is a fast and modular Python-based scanner for Tor exit relays. Exitmap modules implement tasks that are run over (a subset of) all exit relays. If you have a background in functional programming, think of exitmap as a map() interface for Tor exit relays. Modules can perform any TCP-based networking task; fetching a web page, uploading a file, connecting to an SSH server, or joining an IRC channel.
* [OnionCat - an Anonymous VPN adapter](https://www.onioncat.org/about-onioncat/)
* [howmanypeoplearearound](https://github.com/schollz/howmanypeoplearearound)
* Count the number of people around you 👨‍👨‍👦 by monitoring wifi signals 📡
* [Decentraleyes](https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/)
* Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.
* [Decentraleyes - Github](https://github.com/Synzvato/decentraleyes)
* A web browser extension that emulates Content Delivery Networks to improve your online privacy. It intercepts traffic, finds supported resources locally, and injects them into the environment. All of this happens automatically, so no prior configuration is required.
* [Destroy-Windows-10-Spying](https://github.com/Nummer/Destroy-Windows-10-Spying)
* Destroy Windows Spying tool
* [meek](https://github.com/Yawning/meek)
* meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. Requests are reflected through a hard-to-block third-party web server in order to avoid talking directly to a Tor bridge. HTTPS encryption hides fingerprintable byte patterns in Tor traffic.sek
* [HTTPLeaks](https://github.com/cure53/HTTPLeaks)
* HTTPLeaks - All possible ways, a website can leak HTTP requests
* [haven](https://guardianproject.github.io/haven/)
* Android application that leverages on-device sensors to provide monitoring and protection of physical spaces.
--------------------------
## <a name="counter"></a>Counter Surveillance
* **Articles**
* **Writeups**<a name="cwriteup"></a>
* Detecting Surveillance - Spiderlabs blog
* [1 Hardware Implants](http://blog.spiderlabs.com/2014/03/detecting-surveillance-state-surveillance-part-1-hardware-impants.html)
* [2 Radio Frequency Exfiltration](http://blog.spiderlabs.com/2014/03/detecting-a-surveillance-state-part-2-radio-frequency-exfiltration.html)
* [3 Infected Firmware](http://blog.spiderlabs.com/2014/04/detecting-a-surveillance-state-part-3-infected-firmware.html)
* [A Simple Guide to TSCM Sweeps](http://www.international-intelligence.co.uk/tscm-sweep-guide.html)
* [Dutch-Russian cyber crime case reveals how police tap the internet - ElectroSpaces](http://electrospaces.blogspot.de/2017/06/dutch-russian-cyber-crime-case-reveals.html?m=1)
* **Presentations/Talks/Videos**<a name="cvideos"></a>
* [PISSED: Privacy In a Surveillance State Evading Detection - Joe Cicero - CYPHERCON11 ](https://www.youtube.com/watch?v=keA3WcKwZwA)
* [Fuck These Guys: Practical Countersurveillance Lisa Lorenzin - BsidesSF15](http://www.irongeek.com/i.php?page=videos/bsidessf2015/201-fck-these-guys-practical-countersurveillance-lisa-lorenzin)
* We've all seen the steady stream of revelations about the NSA's unconstitutional, illegal mass surveillance. Seems like there's a new transgression revealed every week! I'm getting outrage fatigue. So I decided to fight back... by looking for practical, realistic, everyday actions I can take to protect my privacy and civil liberties on the Internet, and sharing them with my friends. Join me in using encryption and privacy technology to resist eavesdropping and tracking, and to start to opt out of the bulk data collection that the NSA has unilaterally decided to secretly impose upon the world. Let's take back the Internet, one encrypted bit at a time.
* [Dr. Philip Polstra - Am I Being Spied On?](https://www.youtube.com/watch?v=Bc7WoDXhcjM)
* Talk on cheap/free counter measures
* [DNS May Be Hazardous to Your Health - Robert Stucke](https://www.youtube.com/watch?v=ZPbyDSvGasw)
* Great talk on attacking DNS
* [Blinding The Surveillance State - Christopher Soghoian - DEF CON 22](https://www.youtube.com/watch?v=pM8e0Dbzopk)
* [CounterStrike Lawful Interception](https://www.youtube.com/watch?v=7HXLaRWk1SM)
* This short talk will cover the standards, devices and implementation of a mandatory part of our western Internet infrastructure. The central question is whether an overarching interception functionality might actually put national Internet infrastructure at a higher risk of being attacked successfully. The question is approached in this talk from a purely technical point of view, looking at how LI functionality is implemented by a major vendor and what issues arise from that implementation. Routers and other devices may get hurt in the process.
* [Slides](http://phenoelit.org/stuff/CSLI.pdf)
* [Detecting and Defending Against a Surveillance State - Robert Rowley - DEF CON 22](https://www.youtube.com/watch?v=d5jqV06Yijw)
* [Retail Surveillance / Retail Countersurveillance 50 most unwanted retail surveillance technologies / 50 most wanted countersurveillance technologies](https://media.ccc.de/v/33c3-8238-retail_surveillance_retail_countersurveillance#video&t=1993)
* [Masquerade: How a Helpful Man-in-the-Middle Can Help You Evade Monitoring** - Defcon22](https://www.youtube.com/watch?v=_KyfJW2lHtk&spfreload=1)
* Sometimes, hiding the existence of a communication is as important as hiding the contents of that communication. While simple network tunneling such as Tor or a VPN can keep the contents of communications confidential, under active network monitoring or a restrictive IDS such tunnels are red flags which can subject the user to extreme scrutiny. Format-Transforming Encryption FTE can be used to tunnel traffic within otherwise innocuous protocols, keeping both the contents and existence of the sensitive traffic hidden. However, more advanced automated intrusion detection, or moderately sophisticated manual inspection, raise other red flags when a host reporting to be a laser printer starts browsing the web or opening IM sessions, or when a machine which appears to be a Mac laptop sends network traffic using Windows-specific network settings. We present Masquerade: a system which combines FTE and host OS profile selection to allow the user to emulate a user-selected operating system and application-set in network traffic and settings, evading both automated detection and frustrating after-the-fact analysis.
* [Slides](https://www.portalmasq.com/portal-defcon.pdf)
* [The NSA: Capabilities and Countermeasures** - Bruce Schneier - ShmooCon 2014](https://www.youtube.com/watch?v=D5JA8Ytk9EI)
* Edward Snowden has given us an unprecedented window into the NSA's surveillance activities. Drawing from both the Snowden documents and revelations from previous whistleblowers, I will describe the sorts of surveillance the NSA does and how it does it. The emphasis is on the technical capabilities of the NSA, not the politics of their actions. This includes how it conducts Internet surveillance on the backbone, but is primarily focused on their offensive capabilities: packet injection attacks from the Internet backbone, exploits against endpoint computers and implants to exfiltrate information, fingerprinting computers through cookies and other means, and so on. I will then talk about what sorts of countermeasures are likely to frustrate the NSA. Basically, these are techniques to raise the cost of wholesale surveillance in favor of targeted surveillance: encryption, target hardening, dispersal, and so on.
* [Wagging the Tail:Covert Passive Surveillance - Si, Agent X - DEF CON 26](https://www.youtube.com/watch?v=tYFOXeItRFM)
* This talk will focus on mobile and foot surveillance techniques used by surveillance teams. It will also include tips on identifying if you are under surveillance and how to make their life difficult.
* **Papers**<a name="cpapers"></a>
* [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers](https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)
* [Exploiting Lawful Intercept to Wiretap the Internet](https://www.blackhat.com/presentations/bh-dc-10/Cross_Tom/BlackHat-DC-2010-Cross-Attacking-LawfulI-Intercept-wp.pdf)
* This paper will review Cisco's architecture for lawful intercept from asecurity perspective. We explain how a number of different weaknesses in its design coupled with publicly disclosed security vulnerabilities could enable a malicious person to access the interface and spy on communications without leaving a trace. We then provide a set of recommendations for the redesign of the interface as well as SNMP authentication in general to better mitigate the security risks.
* [Protocol Misidentification Made Easy with Format-Transforming Encryption](https://kpdyer.com/publications/ccs2013-fte.pdf)
* Deep packet inspection (DPI) technologies provide much needed visibility and control of network traffic using port- independent protocol identification, where a network flow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the first comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic prim- itive called format-transforming encryption (FTE), which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbitrary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demon- strate that it evades real-world censorship by the Great Fire- wall of China
* [Protocol Misidentification Made Easy with Format-Transforming Encryption](https://eprint.iacr.org/2012/494.pdf)
* Deep packet inspection DPI technologies provide much- needed visibility and control of network traffic using port- independent protocol identification, where a network ow is labeled with its application-layer protocol based on packet contents. In this paper, we provide the most comprehensive evaluation of a large set of DPI systems from the point of view of protocol misidentification attacks, in which adver- saries on the network attempt to force the DPI to mislabel connections. Our approach uses a new cryptographic primitive called format-transforming encryption FTE, which extends conventional symmetric encryption with the ability to transform the ciphertext into a format of our choosing. We design an FTE-based record layer that can encrypt arbi- trary application-layer traffic, and we experimentally show that this forces misidentification for all of the evaluated DPI systems. This set includes a proprietary, enterprise-class DPI system used by large corporations and nation-states. We also show that using FTE as a proxy system incurs no latency overhead and as little as 16% bandwidth overhead compared to standard SSH tunnels. Finally, we integrate our FTE proxy into the Tor anonymity network and demonstrate that it evades real-world censorship by the Great Firewall of China.
* [Unblocking the Internet: Social networks foil censors](http://kscope.news.cs.nyu.edu/pub/TR-2008-918.pdf)
* Many countries and administrative domains exploit control over their communication infrastructure to censor online content. This paper presents the design, im plementation and evaluation of Kaleidoscope , a peer-to-peer system of relays that enables users within a censored domain to access blocked content. The main challenge facing Kaleidoscope is to resist the cens or’s efforts to block the circumvention system itself. Kaleidoscope achieves blocking-resilienc e using restricted service discovery that allows each user to discover a small set of unblocked relays while only exposing a small fraction of relays to the censor. To restrict service discovery, Kaleidoscope leverages a trust network where links reflects real-world social relationships among users and uses a limited advertisement protocol based on random routes to disseminate relay addresses along the trust netwo rk; the number of nodes reached by a relay advertisement should ideally be inversely proportional to the maximum fraction of infiltration and is independent of the network size. To increase service availa bility in large networks with few exit relay nodes, Kaleidoscope forwards the actual data traffic across multiple relay hops without risking exposure of exit relays. Using detailed analysis and simulations, we show that Kaleidoscope provides > 90% service availability even under substantial infiltration (close to 0.5% of edges) and when only 30% of the relay nodes are online. We have implemented and deployed our system on a small scale serving over 100,000 requests to 40 censored users (relatively small user base to realize Kaleidoscope’s anti-blocking guarantees) spread across different countries and administrative domains over a 6-month period
* [Chipping Away at Censorship Firewalls with User-Generated Content](https://www.usenix.org/legacy/event/sec10/tech/full_papers/Burnett.pdf)
* Oppressive regimes and even democratic governments restrict Internet access. Existing anti-censorship systems often require users to connect through proxies, but these systems are relatively easy for a censor to discover and block. This paper offers a possible next step in the cen- sorship arms race: rather than relying on a single system or set of proxies to circumvent censorship firewalls, we explore whether the vast deployment of sites that host user-generated content can breach these firewalls. To explore this possibility, we have developed Collage, which allows users to exchange messages through hidden chan- nels in sites that host user-generated content. Collage has two components: a message vector layer for embedding content in cover traffic; and a rendezvous mechanism to allow parties to publish and retrieve messages in the cover traffic. Collage uses user-generated content (e.g. , photo-sharing sites) as “drop sites” for hidden messages. To send a message, a user embeds it into cover traffic and posts the content on some site, where receivers retrieve this content using a sequence of tasks. Collage makes it difficult for a censor to monitor or block these messages by exploiting the sheer number of sites where users can exchange messages and the variety of ways that a mes- sage can be hidden. Our evaluation of Collage shows that the performance overhead is acceptable for sending small messages (e.g., Web articles, email). We show how Collage can be used to build two applications: a direct messaging application, and a Web content delivery system
* [Cirripede: Circumvention Infrastructure using Router Redirection with Plausible Deniability](http://hatswitch.org/~nikita/papers/cirripede-ccs11.pdf)
* Many users face surveillance of their Internet communications and a significant fraction suffer from outright blocking of certain destinations. Anonymous communication systems allow users to conceal the destinations they communicate with, but do not hide the fact that the users are using them. The mere use of such systems may invite suspicion, or access to them may be blocked. We therefore propose Cirripede, a system that can be used for unobservable communication with Internet destinations. Cirripede is designed to be deployed by ISPs; it intercepts connections from clients to innocent-looking desti- nations and redirects them to the true destination requested by the client. The communication is encoded in a way that is indistinguishable from normal communications to anyone without the master secret key, while public-key cryptogra- phy is used to eliminate the need for any secret information that must be shared with Cirripede users. Cirripede is designed to work scalably with routers that handle large volumes of traffic while imposing minimal over- head on ISPs and not disrupting existing traffic. This allows Cirripede proxies to be strategically deployed at central lo- cations, making access to Cirripede very difficult to block. We built a proof-of-concept implementation of Cirripede and performed a testbed evaluation of its performance proper- ties
* [TapDance: End-to-Middle Anticensorship without Flow Blocking](https://jhalderm.com/pub/papers/tapdance-sec14.pdf)
* In response to increasingly sophisticated state-sponsored Internet censorship, recent work has proposed a new ap- proach to censorship resistance: end-to-middle proxying. This concept, developed in systems such as Telex, Decoy Routing, and Cirripede, moves anticensorship technology into the core of the network, at large ISPs outside the censoring country. In this paper, we focus on two technical obstacles to the deployment of certain end-to-middle schemes: the need to selectively block flows and the need to observe both directions of a connection. We propose a new construction, TapDance, that removes these require- ments. TapDance employs a novel TCP-level technique that allows the anticensorship station at an ISP to function as a passive network tap, without an inline blocking com- ponent. We also apply a novel steganographic encoding to embed control messages in TLS ciphertext, allowing us to operate on HTTPS connections even under asymmetric routing. We implement and evaluate a TapDance proto- type that demonstrates how the system could function with minimal impact on an ISP’s network operations.
* [Of Moles and Molehunters: A Review of Counterintelligence Literature, 1977-92](https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/U-Oct%20%201993-%20Of%20Moles%20-%20Molehunters%20-%20A%20Review%20of%20Counterintelligence%20Literature-%201977-92%20-v2.pdf)
* [Ghostbuster: Detecting the Presence of Hidden Eavesdroppers]()https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)]
* **Misc**
* [Laser Surveillance Defeater - Shomer-Tec](https://www.shomer-tec.com/laser-surveillance-defeater.html)
--------------------------
### <a name="emissions"></a> Emissions Security
* **101**
* **Articles/Blogposts/Writeups**
* **Presentations/Talks/Videos**
* **Papers**
* [Com­pro­mi­sing Re­flec­tions - or - How to Read LCD Mo­ni­tors Around the Cor­ner- Micha­el Ba­ckes, Mar­kus Dür­muth, Do­mi­ni­que Unruh](https://kodu.ut.ee/~unruh/publications/reflections.pdf)
* We present a novel eavesdropping technique for spying at a distance on data that is displayed on an arbitrary computer screen, including the currently prevalent LCD monitors. Our technique exploits reflections of the screen’s optical emanations in various objects that one commonly finds in close proximity to the screen and uses those reflections to recover the original screen content. Such objects include eyeglasses, tea pots, spoons, plastic bottles, and even the eye of the user. We have demonstrated that this attack can be successfully mounted to spy on even small fonts using inexpensive, off-the-shelf equipment (less than 1500 dollars) from a distance of up to 10 meters. Relying on more expensive equipment allowed us to conduct this attack from over 30 meters away, demonstrating that similar at- tacks are feasible from the other side of the street or from a close-by building. We additionally establish theoretical limitations of the attack; these limitations may help to estimate the risk that this attack can be successfully mounted in a given environment.
* [Acoustic Side-Channel Attacks on Printers -Michael Backes,Markus Drmuth,Sebastian Gerling,Manfred Pinkal,Caroline Sporleder](http://www.usenix.net/legacy/events/sec10/tech/full_papers/Backes.pdf)
* We examine the problem of acoustic emanations of printers. We present a novel attack that recovers what a dot- matrix printer processing English text is printing based on a record of the sound it makes, if the microphone is close enough to the printer. In our experiments, the attack recovers up to 72% of printed words, and up to 95% if we assume contextual knowledge about the text, with a microphone at a distance of 10 cm from the printer. After an upfront training phase, the attack is fully automated and uses a combination of machine learning, audio processing, and speech recognition techniques, including spectrum features, Hidden Markov Models and linear classification; moreover, it allows for feedback-based incremental learning. We evaluate the effectiveness of countermeasures, and we describe how we successfully mounted the attack in-field (with appropriate privacy protections) in a doctor’s practice to recover the content of medical prescriptions.
* [Tempest in a Teapot: Compromising Reflections Revisited](http://www.mia.uni-saarland.de/Publications/backes-sp09.pdf)
* Reflecting objects such as tea pots and glasses, but also diffusely reflecting objects such as a user’s shirt, can be used to spy on confidential data displayed on a monitor. First, we show how reflections in the user’s eye can be exploited for spying on confidential data. Second, we investigate to what extent monitor images can be reconstructed from the diffuse reflections on a wall or the user’s clothes, and provide information- theoretic bounds limiting this type of attack. Third, we evaluate the effectiveness of several countermeasures
* [GSMem: Data Exfiltration from Air-Gapped Computers over GSM Frequencies - usenix conference](https://www.usenix.org/system/files/conference/usenixsecurity15/sec15-paper-guri-update.pdf)
* **Tools**
* **Miscellaneous**
-------------------------
### <a name="modern"></a> Modern Surveillance
* **Vendors**
* [buggedplanet.info](https://buggedplanet.info/index.php?title=Main_Page)
* **Articles**
* [Understanding & Improving Privacy "Audits" under FTC Orders](https://cyberlaw.stanford.edu/blog/2018/04/understanding-improving-privacy-audits-under-ftc-orders)
* This new white paper, entitled “Understanding and Improving Privacy ‘Audits’ under FTC Orders,” carefully parses the third-party audits that Google and Facebook are required to conduct under their 2012 Federal Trade Commission consent orders. Using only publicly available documents, the article contrasts the FTC’s high expectations for the audits with what the FTC actually received (as released to the public in redacted form). These audits, as a practical matter, are often the only “tooth” in FTC orders to protect consumer privacy. They are critically important to accomplishing the agency’s privacy mission. As such, a failure to attend to their robust enforcement can have unintended consequences, and arguably, provide consumers with a false sense of security. The paper shows how the audits are not actually audits as commonly understood. Instead, because the FTC order language only requires third-party “assessments,” the companies submit reports that are termed “attestations.” Attestations fundamentally rely on a few vague privacy program aspects that are self-selected by the companies themselves. While the FTC could reject attestation-type assessments, the agency could also insist the companies bolster certain characteristics of the attestation assessments to make them more effective and replicate audit attributes. For example, the FTC could require a broader and deeper scope for the assessments. The agency could also require that assessors evaluate Fair Information Practices, data flows, notice/consent effectiveness, all company privacy assurances, and known order violations.
* **China**<a name="china"></a>
* [ China's Xinjiang Region A Surveillance State Unlike Any the World Has Ever Seen - Spiegel.de](http://www.spiegel.de/international/world/china-s-xinjiang-province-a-surveillance-state-unlike-any-the-world-has-ever-seen-a-1220174.html)
* [China's 5 Steps for Recruiting Spies - Wired](https://www.wired.com/story/china-spy-recruitment-us/)
* **France**
* **Germany**
* **United States**<a name="usa"></a>
* **Japan**
* [The Untold Story of Japan’s Secret Spy Agency - TheIntercept](https://theintercept.com/2018/05/19/japan-dfs-surveillance-agency/)
* **License Plate Tracking**
* [Private companies know where you've been, thanks to license plate cameras - syracuse.com](https://www.syracuse.com/news/index.ssf/2015/01/private_companies_know_where_youve_been_thanks_to_license_plate_cameras.html)
* **Things**
* [RF-Capture](http://rfcapture.csail.mit.edu/)
* RF-Capture is a device that captures a human figure through walls and occlusions. It transmits wireless signals and reconstructs a human figure by analyzing the signals' reflections. RF-Capture does not require the person to wear any sensor, and its transmitted power is 10,000 times lower than that of a standard cell-phone.
* [Paper](http://rfcapture.csail.mit.edu/rfcapture-paper.pdf)
-----
### <a name="talks">General
* **General**
* [Russia Convention on International Information Security](http://cryptome.org/2014/05/ru-international-infosec.htm)
* [The Gentleperson’s Guide to Forum Spies](cryptome.org/2012/07/gent-forum-spies.htm)
* [A Digital World Full of Ghost Armies](http://www.cigtr.info/2015/02/a-digital-world-full-of-ghost-armies.html)
* **Articles/BlogPosts/Writeups**
* [25 Rules of Disinformation](http://vigilantcitizen.com/latestnews/the-25-rules-of-disinformation/)
* [8 Traits of the Disinformationalist](https://calloutjoe.wordpress.com/psyop/eight-traits-of-the-disinformationalist/)
* [Attribution As A Weapon & Marketing Tool: Hubris In INFOSEC & NATSEC](https://krypt3ia.wordpress.com/2014/12/30/attribution-as-a-weapon-marketing-tool-hubris-in-infosec-natsec/)
* [Disinformation of Charlie Hebdo and The Fake BBC Website](http://thetrendythings.com/read/18256)
* [Counterintelligence, False Flags, Disinformation, and Network Defense - krypt3ia](https://krypt3ia.wordpress.com/2012/10/17/counterintelligence-false-flags-disinformation-and-network-defense/)
* [PsyOps and Socialbots](http://resources.infosecinstitute.com/psyops-and-socialbots/)
* [IRA Code Words Spell Real Threat](https://articles.latimes.com/1997-04-19/news/mn-50393_1_code-words)
* [‘A man who’s seen society's black underbelly’ Meduza meets ‘Anonymous International’](https://meduza.io/en/feature/2015/02/02/a-man-who-s-seen-society-s-black-underbelly)
* [Down the Memory Hole: NYT Erases CIA’s Efforts to Overthrow Syria’s Government](https://web.archive.org/web/20150921054800id_/http://fair.org/home/down-the-memory-hole-nyt-erases-cias-efforts-to-overthrow-syrias-government/)
* **Talks**
* [Governments and UFOs: A Historical Analysis of Disinformation and Deception - Richard Thieme](http://www.irongeek.com/i.php?page=videos/bsideslasvegas2013/1-2-7-governments-and-ufos-a-historical-analysis-of-disinformation-and-deception-richard-thieme)
* [[TROOPERS15] Azhar Desai, Marco Slaviero - Weapons of Mass Distraction](https://www.youtube.com/watch?v=jdaPJLJCK1M)
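Review bot: Three link defects in these lines should be fixed wherever this material lands rather than carried across. The second `[Ghostbuster: Detecting the Presence of Hidden Eavesdroppers]()https://synrg.csl.illinois.edu/papers/ghostbuster-mobicom18.pdf)]` entry duplicates the one at the top of the Papers list and its markdown is malformed (empty `()` target, stray trailing `)]`), so it should simply be dropped. The heading `### <a name="talks">General` never closes its anchor, unlike `### <a name="modern"></a> Modern Surveillance` just above it, and naming the General section's anchor `talks` while a `**Talks**` sub-bullet sits under it is confusing; `<a name="general"></a>` would be clearer. `[The Gentleperson’s Guide to Forum Spies](cryptome.org/2012/07/gent-forum-spies.htm)` has no `http://` scheme, so it renders as a relative link into the repository rather than to cryptome.org.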

+ 0
- 42
Draft/Archiving View File

@ -1,42 +0,0 @@
# Archiving
From: https://gist.githubusercontent.com/mullnerz/9fff80593d6b442d5c1b/raw/2c511e82f998bc489d9e300870f8789c77c2b49b/archive-website.md
```
## The command I use to archive a single website
```sh
wget -mpck --html-extension --user-agent="" -e robots=off --wait 1 -P . www.foo.com
```
## Explanation of the parameters used
- -m (Mirror)
Turns on mirror-friendly settings like infinite recursion depth, timestamps, etc.
- -c (Continue)
Resumes a partially-downloaded transfer
- -p (Page requisites)
Downloads any page dependencies like images, style sheets, etc.
- -k (Convert)
After completing retrieval of all files…
converts all absolute links to other downloaded files into relative links
converts all relative links to any files that weren’t downloaded into absolute, external links
in a nutshell: makes your website archive work locally
- --html-extension
this adds .html after the downloaded filename, to make sure it plays nicely on whatever system you’re going to view the archive on
- –user-agent=””
Sometimes websites use robots.txt to block certain agents like web crawlers (e.g. GoogleBot) and Wget. This tells Wget to send a blank user-agent, preventing identification. You could alternatively use a web browser’s user-agent and make it look like a web browser, but it probably doesn’t matter.
- -e robots=off
Sometimes you’ll run into a site with a robots.txt that blocks everything. In these cases, this setting will tell Wget to ignore it. Like the user-agent, I usually leave this on for the sake of convenience.
- –wait 1
Tells Wget to wait 1 second between each action. This will make it a bit less taxing on the servers.
- -P .
set the download directory to something. I left it at the default “.” (which means “here”) but this is where you could pass in a directory path to tell wget to save the archived site. Handy, if you’re doing this on a regular basis (say, as a cron job or something…)
http://url-to-site: this is the full URL of the site to download. You’ll likely want to change this.
## Sources
- [Archiving a (WordPress) website with wget | D’Arcy Norman dot net] (http://darcynorman.net/2011/12/24/archiving-a-wordpress-website-with-wget/)
- [Archiving a Website With Wget] (http://www.dheinemann.com/2011/archiving-with-wget/)
```
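Review bot: The same content reappears as `Draft/Archiving.md` in the next file, so this delete-plus-add is really a rename and should be recorded as one (`git mv Draft/Archiving Draft/Archiving.md`) so the file's history follows it. The bare ``` fence directly under the `From:` line is also worth noting, because it is what leaves a stray fence in the replacement file: under CommonMark the ```sh line cannot close it (a closing fence takes no info string), so the block is closed by the next bare ```, the parameter explanation below renders outside any code block, and the final ``` opens an unterminated one.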

+ 23
- 0
Draft/Archiving.md View File

@ -0,0 +1,23 @@
### A Guide to Archiving Websites
* From: https://gist.githubusercontent.com/mullnerz/9fff80593d6b442d5c1b/raw/2c511e82f998bc489d9e300870f8789c77c2b49b/archive-website.md
* "The command I use to archive a single website"
* `sh wget -mpck --html-extension --user-agent="" -e robots=off --wait 1 -P . www.foo.com`
* **Explanation of the parameters used**
* `-m` (Mirror) Turns on mirror-friendly settings like infinite recursion depth, timestamps, etc.
* `-c` (Continue) Resumes a partially-downloaded transfer
* `-p` (Page requisites) Downloads any page dependencies like images, style sheets, etc.
* `-k` (Convert) After completing retrieval of all files…
* converts all absolute links to other downloaded files into relative links
* converts all relative links to any files that weren’t downloaded into absolute, external links
* In a nutshell: makes your website archive work locally
* `--html-extension` this adds .html after the downloaded filename, to make sure it plays nicely on whatever system you’re going to view the archive on
* `–user-agent=””` - Sometimes websites use robots.txt to block certain agents like web crawlers (e.g. GoogleBot) and Wget. This tells Wget to send a blank user-agent, preventing identification. You could alternatively use a web browser’s user-agent and make it look like a web browser, but it probably doesn’t matter.
* `-e robots=off` - Sometimes you’ll run into a site with a robots.txt that blocks everything. In these cases, this setting will tell Wget to ignore it. Like the user-agent, I usually leave this on for the sake of convenience.
* `–wait 1` - Tells Wget to wait 1 second between each action. This will make it a bit less taxing on the servers.
* `-P .` - set the download directory to something. I left it at the default “.” (which means “here”) but this is where you could pass in a directory path to tell wget to save the archived site. Handy, if you’re doing this on a regular basis (say, as a cron job or something…)
* `http://url-to-site` - this is the full URL of the site to download. You’ll likely want to change this.
* **Sources**
- [Archiving a (WordPress) website with wget | D’Arcy Norman dot net](http://darcynorman.net/2011/12/24/archiving-a-wordpress-website-with-wget/)
- [Archiving a Website With Wget](http://www.dheinemann.com/2011/archiving-with-wget/)
```
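Review bot: The last line of the new file is a lone ``` with no opening fence, carried over from the old file's wrapper; it opens an unterminated code block, so drop it. In the command bullet the language tag of the old fence has been folded into the inline code: it reads `sh wget -mpck --html-extension --user-agent="" -e robots=off --wait 1 -P . www.foo.com`, and `sh wget` is not a command anyone should paste, so it should read `wget -mpck --html-extension --user-agent="" -e robots=off --wait 1 -P . www.foo.com`. The parameter bullets `–user-agent=””` and `–wait 1` use an en-dash and curly quotes where the command itself uses `--user-agent=""` and `--wait 1`; spelling them the way the command does avoids a silent copy-paste failure (`–wait` is not a valid wget option).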

+ 5
- 0
Draft/Cheats.md View File

@ -3,6 +3,8 @@
### Cheat Sheets
* **General Cheat Sheets**
@ -67,6 +69,9 @@
* [Windows Privilege Escalation Cheat Sheet/Tricks](http://it-ovid.blogspot.fr/2012/02/windows-privilege-escalation.html)
* [Attack Surface Analysis Cheat Sheet](https://www.owasp.org/index.php/Attack_Surface_Analysis_Cheat_Sheet)
* [Web Application Penetration Testing Cheat Sheet - jdow.io](https://jdow.io/blog/2018/03/18/web-application-penetration-testing-methodology/)
* [Pentesting CheatSheets - @spotheplanet](https://ired.team/offensive-security-experiments/offensive-security-cheetsheets)
* [Active Directory Cheat Sheet](https://github.com/Integration-IT/Active-Directory-Exploitation-Cheat-Sheet)
* This repository contains a general methodology in the Active Directory environment. It is offered with a selection of quick commands from the most efficient tools based on Powershell, C, .Net 3.5 and .Net 4.5.
* **PowerShell**
* [PowerShell Remoting Cheatsheet - Scott Sutherland](https://blog.netspi.com/powershell-remoting-cheatsheet/)
* **RE Cheat Sheets**<a name="re"></a>


+ 413
- 0
Draft/Cloud.md View File

@ -0,0 +1,413 @@
# The 'Cloud' aka Someone's Else's Data Center
----------------------------------
## Table of Contents
- [Cloud Provider Agnostic](#agnostic)
- [Amazon Web Services](#aws)
- [101](#101)
- [Attacking](#atkws)
- [IAM](#awsiam)
- [Google Cloud Platform](#gcp)
- [MS Azure](#azure)
--------------------
### <a name="agnostic"></a>Cloud Provider Agnostic
* **101**<a name="101ag"></a>
* [Cloud Security Wiki - NotSoSecure](https://cloudsecwiki.com)
* Cloud Security Wiki is an initiative to provide all Cloud security related resources to Security Researchers and developers at one place.
* **Attacking/Assessing Security of**
* **Articles/Blogposts/Writeups**
* [A Placement Vulnerability Study in Multi-Tenant Public Clouds](https://www.usenix.org/node/191017)
* **Tools**
* [ScoutSuite](https://github.com/nccgroup/ScoutSuite)
* Scout Suite is an open source multi-cloud security-auditing tool, which enables security posture assessment of cloud environments. Using the APIs exposed by cloud providers, Scout Suite gathers configuration data for manual inspection and highlights risk areas. Rather than going through dozens of pages on the web consoles, Scout Suite presents a clear view of the attack surface automatically.
* **Containers**
* [Cloud Container Attack Tool (CCAT)](https://github.com/RhinoSecurityLabs/ccat)
* Cloud Container Attack Tool (CCAT) is a tool for testing security of container environments.
* **Cloud Migrations**
* [Case studies in cloud migration: Netflix, Pinterest, and Symantec - Increment(2017)](https://increment.com/cloud/case-studies-in-cloud-migration/)
* **Compliance Monitoring**
* [PacBot](https://github.com/tmobile/pacbot)
Policy as Code Bot (PacBot) is a platform for continuous compliance monitoring, compliance reporting and security automation for the cloud. In PacBot, security and compliance policies are implemented as code. All resources discovered by PacBot are evaluated against these policies to gauge policy conformance. The PacBot auto-fix framework provides the ability to automatically respond to policy violations by taking predefined actions. PacBot packs in powerful visualization features, giving a simplified view of compliance and making it easy to analyze and remediate policy violations. PacBot is more than a tool to manage cloud misconfiguration, it is a generic platform that can be used to do continuous compliance monitoring and reporting for any domain.
* **Hardening**
* **Articles/Blogposts/Writeups**
* **Talks/Presentations/Videos**
* **Tools**
* [LUNAR](https://github.com/lateralblast/lunar)
* "This scripts generates a scored audit report of a Unix host's security. It is based on the CIS and other frameworks. Where possible there are references to the CIS and other benchmarks in the code documentation."
* **IAM**
* [SkyArk](https://github.com/cyberark/SkyArk)
* SkyArk helps to discover, assess and secure the most privileged entities in Azure and AWS
* **Logging**
* **Articles/Blogposts/Writeups**
* [Logging in the Cloud: From Zero to (Incident Response) Hero - Jonathon Poling(2020)](https://www.youtube.com/watch?v=n7ec0REBFkk)
* [Slides](https://ponderthebits.com/wp-content/uploads/2020/02/Logging-in-the-Cloud-From-Zero-to-Incident-Response-Hero-Public.pdf)
* So many logs, so little time. What logs even exist? Which are enabled by default? Which are the most critical to enable and configure for effective incident response? AWS. Azure. GCP. My. Dear. God. Send help! And, help you this presentation shall. This session will walk through the most important logging to enable (and how) in each cloud provider to take you from zero to incident response hero!Pre-Requisites: Basic familiarity operating with the three major Cloud providers: AWS, Azure, and GCP.
* **Talks/Presentations/Videos**
* **Tools**
* [cloud-service-enum](https://github.com/NotSoSecure/cloud-service-enum)
* **Monitoring**
* **Articles/Blogposts/Writeups**
* [Part 1: AWS Continuous Monitoring - Ashish Kurmi, Kaibo Ma, Ankit Kumar(2020)](https://medium.com/@ubersecurity/part-1-aws-continuous-monitoring-f39f81ea6801)
* [Part 2](https://medium.com/@ubersecurity/part-2-aws-monitoring-case-studies-9fbc613aff28)
* **Rules Engine**
* **Articles/Blogposts/Writeups**
* **Talks/Presentations/Videos**
* **Tools**
* [Cloud Custodian](https://github.com/cloud-custodian/cloud-custodian/)
* Cloud Custodian is a rules engine for managing public cloud accounts and resources. It allows users to define policies to enable a well managed cloud infrastructure, that's both secure and cost optimized. It consolidates many of the adhoc scripts organizations have into a lightweight and flexible tool, with unified metrics and reporting. Custodian can be used to manage AWS, Azure, and GCP environments by ensuring real time compliance to security policies (like encryption and access requirements), tag policies, and cost management via garbage collection of unused resources and off-hours resource management. Custodian policies are written in simple YAML configuration files that enable users to specify policies on a resource type (EC2, ASG, Redshift, CosmosDB, PubSub Topic) and are constructed from a vocabulary of filters and actions. It integrates with the cloud native serverless capabilities of each provider to provide for real time enforcement of policies with builtin provisioning. Or it can be run as a simple cron job on a server to execute against large existing fleets.
* **Security Auditing**
* **Articles/Blogposts/Writeups**
* **Tools**
* [Cloud Security Suite](https://github.com/SecurityFTW/cs-suite)
* One stop tool for auditing the security posture of AWS & GCP infrastructure.
* [CloudSploit Scans](https://github.com/cloudsploit/scans)
* CloudSploit scans is an open-source project designed to allow detection of security risks in cloud infrastructure accounts, including: Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), and Oracle Cloud Infrastructure (OCI). These scripts are designed to return a series of potential misconfigurations and security risks.
* **"Serverless"**
* [Peeking Behind the Curtains of Serverless Platforms - Liang Wang, Mengyuan Li, Yinqian Zhang, Thomas Ristenpart, Michael Swift](http://pages.cs.wisc.edu/~liangw/pub/atc18-final298.pdf)
* Taking on the viewpoint of a serverless customer, we conduct the largest measurement study to date, launching more than 50,000 function instances across these three services, in order to characterize their architectures, performance, and resource management efficiency. We explain how the platforms isolate the functions of different accounts, using either virtual machines or containers, which has important security implications. We characterize performance in terms of scalability, coldstart latency, and resource efficiency, with highlights including that AWS Lambda adopts a bin-packing-like strategy to maximize VM memory utilization, that severe contention between functions can arise in AWS and Azure, and that Google had bugs that allow customers to use resources for free.
--------------------
### <a name="aws"></a>AWS
* **101**<a name="aws101"></a>
* **Articles/Blogposts/Writeups**
* [AWS Security Audit Guidelines - docs.aws](https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html)
* [AWS Services Explained through Pictures](https://www.awsgeek.com/?mc_cid=065d80dbfd&mc_eid=f956a0c5ca)
* [Request form for performing Pentesting on AWS Infrastructure](https://aws.amazon.com/premiumsupport/knowledge-center/penetration-testing/)
* **Talks/Presentations/Videos**
* [The Fundamentals of AWS Cloud Security - Becky Weiss(AWS re:Inforce 2019)](https://www.youtube.com/watch?v=-ObImxw1PmI)
* The services that make up AWS are many and varied, but the set of concepts you need to secure your data and infrastructure is simple and straightforward. By the end of this session, you will know the fundamental patterns that you can apply to secure any workload you run in AWS with confidence. We cover the basics of network security, the process of reading and writing access management policies, and data encryption.
* [Security Best Practices the Well-Architected Way - Ben Potter(AWS re:Inforce 2019)](https://www.youtube.com/watch?v=u6BCVkXkPnM)
* As you continually evolve your use of the AWS platform, it’s important to consider ways to improve your security posture and take advantage of new security services and features. In this advanced session, we share architectural patterns for meeting common challenges, service limits and tips, tricks, and ways to continually evaluate your architecture against best practices. Automation and tools are featured throughout, and there will be code giveaways! Be prepared for a technically deep session on AWS security.
* **Attacking**<a name="atkaws"></a>
* **Articles/Blogposts/Writeups**
* [An Introduction to Penetration Testing AWS: Same Same, but Different - GracefulSecurity](https://www.gracefulsecurity.com/an-introduction-to-penetration-testing-aws/)
* [Using DNS to Break Out of Isolated Networks in a AWS Cloud Environment](https://dejandayoff.com/using-dns-to-break-out-of-isolated-networks-in-a-aws-cloud-environment/)
* Customers can utilize AWS' DNS infrastructure in VPCs (enabled by default). Traffic destined to the AmazonProvidedDNS is traffic bound for AWS management infrastructure and does not egress via the same network links as standard customer traffic and is not evaluated by Security Groups. Using DNS exfiltration, it is possible to exfiltrate data out of an isolated network.
* [AWS IAM Privilege Escalation – Methods and Mitigation - Spencer Gietzen](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation/)
* [AWS IAM Exploitation - Evan Perotti](https://securityriskadvisors.com/blog/aws-iam-exploitation/)
* [AWS IAM Privilege Escalation – Methods and Mitigation – Part 2 - Spencer Gietzen](https://rhinosecuritylabs.com/aws/aws-privilege-escalation-methods-mitigation-part-2/)
* [Penetration Testing AWS Storage: Kicking the S3 Bucket](https://rhinosecuritylabs.com/penetration-testing/penetration-testing-aws-storage/)
* [Disrupting AWS logging - Daniel Grzelak](https://danielgrzelak.com/disrupting-aws-logging-a42e437d6594?gi=dde97e1f07f7)
* [Abusing the AWS metadata service using SSRF vulnerabilities - Christophe Tafani-Dereeper](https://blog.christophetd.fr/abusing-aws-metadata-service-using-ssrf-vulnerabilities/https://0xdf.gitlab.io/2019/08/02/bypassing-php-disable_functions-with-chankro.html)
* [Bypass GuardDuty PenTest Alerts - Nick Frichette](https://frichetten.com/blog/bypass-guardduty-pentest-alerts)
* [Getting shell and data access in AWS by chaining vulnerabilities - Riyaz Wilaker](https://blog.appsecco.com/getting-shell-and-data-access-in-aws-by-chaining-vulnerabilities-7630fa57c7ed)
* [Securing the Cloud: A Story of Research, Discovery, and Disclosure - Jordan Drysdale](https://www.blackhillsinfosec.com/securing-the-cloud-a-story-of-research-discovery-and-disclosure/)
* BHIS made some interesting discoveries while working with a customer to audit their Amazon Web Services (AWS) infrastructure. At the time of the discovery, we found two paths to ingress the customer’s virtual private cloud (VPC) through the elastic map reduce (EMR) application stacks. One of the vulns that gained us internal access was the Hadoop Unauthenticated RCE, which was patched by Apache a while back now. Another, and a bit more interesting entry point, was the HUE interface, which, by default, allows the creation of a new admin user for the web interface. Once in the web interface, HUE is similar to Jupyter in that it helps visualize code flow and operations. Here, you can create schedules that will send egress shells from the cluster worker nodes. Which, consequently, provides a window to a virtual private cloud network.
* **Talks/Presentations/Videos**
* [Step By Step AWS Cloud Hacking - Andres Riancho(SecTor19)](https://sector.ca/sessions/step-by-step-aws-cloud-hacking/)
* [Gone in 60 Milliseconds - Intrusion and Exfiltration in Server-less Architectures](https://media.ccc.de/v/33c3-7865-gone_in_60_milliseconds)
* More and more businesses are moving away from monolithic servers and turning to event-driven microservices powered by cloud function providers like AWS Lambda. So, how do we hack in to a server that only exists for 60 milliseconds? This talk will show novel attack vectors using cloud event sources, exploitabilities in common server-less patterns and frameworks, abuse of undocumented features in AWS Lambda for persistent malware injection, identifying valuable targets for pilfering, and, of course, how to exfiltrate juicy data out of a secure Virtual Private Cloud.
* [Pivoting in Amazon Clouds - Andres Riancho - BHUSA14](https://www.youtube.com/watch?v=2NF4LjjwoZw)
* "From no access at all, to the company Amazon's root account, this talk will teach attendees about the components used in cloud applications like: EC2, SQS, IAM, RDS, meta-data, user-data, Celery; and how misconfigurations in each can be abused to gain access to operating systems, database information, application source code, and Amazon's services through its API. The talk will follow a knowledgeable intruder from the first second after identifying a vulnerability in a cloud-deployed Web application and all the steps he takes to reach the root account for the Amazon user. Except for the initial vulnerability, a classic remote file included in a Web application which grants access to the front-end EC2 instance, all the other vulnerabilities and weaknesses exploited by this intruder are going to be cloud-specific.
* [Paper](https://andresriancho.github.io/nimbostratus/pivoting-in-amazon-clouds.pdf)
* [Abusing AWS Metadata Service - Casey Goodrich](https://www.youtube.com/watch?v=gZsmpPLZQJM)
* [Step by step AWS Cloud Hacking - Andres Riancho(SecTor19)](https://sector.ca/sessions/step-by-step-aws-cloud-hacking/)
* [Account Jumping Post Infection Perstistency & Lateral Movement In AWS - Dan Amiga, Dor Knafo(BH-US16)](https://www.blackhat.com/docs/us-16/materials/us-16-Amiga-Account-Jumping-Post-Infection-Persistency-And-Lateral-Movement-In-AWS-wp.pdf)
* **Tools**
* [My Arsenal of AWS Security Tools - toniblyx](https://github.com/toniblyx/my-arsenal-of-aws-security-tools)
* [Prowler: AWS CIS Benchmark Tool](https://github.com/toniblyx/prowler)
* Prowler is a command line tool for AWS Security Best Practices Assessment, Auditing, Hardening and Forensics Readiness Tool. It follows guidelines of the CIS Amazon Web Services Foundations Benchmark (49 checks) and has 40 additional checks including related to GDPR and HIPAA.
* [AWS pwn](https://github.com/dagrz/aws_pwn)
* This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute. Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.
* **Active Directory**
* [CloudCopy](https://github.com/Static-Flow/CloudCopy)
* This tool implements a cloud version of the Shadow Copy attack against domain controllers running in AWS. Any AWS user possessing the EC2:CreateSnapshot permission can steal the hashes of all domain users by creating a snapshot of the Domain Controller mounting it to an instance they control and exporting the NTDS.dit and SYSTEM registry hive file for use with Impacket's secretsdump project.
* **CloudFront**
* [CloudFrunt](https://github.com/MindPointGroup/cloudfrunt)
* CloudFrunt is a tool for identifying misconfigured CloudFront domains.
* [CloudJack](https://github.com/prevade/cloudjack)
* CloudJack assesses AWS accounts for subdomain hijacking vulnerabilities as a result of decoupled Route53 and CloudFront configurations. This vulnerability exists if a Route53 alias references 1) a deleted CloudFront web distribution or 2) an active CloudFront web distribution with deleted CNAME(s). If this decoupling is discovered by an attacker, they can simply create a CloudFront web distribution and/or CloudFront NAME(s) in their account that match the victim account's Route53 A record host name. Exploitation of this vulnerability results in the ability to spoof the victim's web site content, which otherwise would have been accessed through the victim's account.
* **Discovery**
* [cred_scanner](https://github.com/disruptops/cred_scanner)
* A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
* [gitleaks](https://github.com/zricethezav/gitleaks)
* Gitleaks is a SAST tool for detecting hardcoded secrets like passwords, api keys, and tokens in git repos. Gitleaks aims to be the easy-to-use, all-in-one solution for finding secrets, past or present, in your code.
* [truffleHog](https://github.com/dxa4481/truffleHog)
* Searches through git repositories for high entropy strings and secrets, digging deep into commit history
* [DumpsterDiver](https://github.com/securing/DumpsterDiver)
* DumpsterDiver is a tool, which can analyze big volumes of data in search of hardcoded secrets like keys (e.g. AWS Access Key, Azure Share Key or SSH keys) or passwords. Additionally, it allows creating a simple search rules with basic conditions (e.g. report only csv files including at least 10 email addresses). The main idea of this tool is to detect any potential secret leaks.
* [Whispers](https://github.com/Skyscanner/whispers)
* Whispers is a static code analysis tool designed for parsing various common data formats in search of hardcoded credentials and dangerous functions. Whispers can run in the CLI or you can integrate it in your CI/CD pipeline.
* [Dufflebag](https://github.com/BishopFox/dufflebag)
* Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!
* **Frameworks**
* [weirdAAL](https://github.com/carnal0wnage/weirdAAL)
* The WeirdAAL project has two goals: 1. Answer what can I do with this AWS Keypair [blackbox]?; 2. Be a repository of useful functions (offensive & defensive) to interact with AWS services.
* [Pacu](https://github.com/RhinoSecurityLabs/pacu)
* Pacu is an open source AWS exploitation framework, designed for offensive security testing against cloud environments. Created and maintained by Rhino Security Labs, Pacu allows penetration testers to exploit configuration flaws within an AWS account, using modules to easily expand its functionality. Current modules enable a range of attacks, including user privilege escalation, backdooring of IAM users, attacking vulnerable Lambda functions, and much more.
* [barq](https://github.com/Voulnet/barq)
* barq is a post-exploitation framework that allows you to easily perform attacks on a running AWS infrastructure. It allows you to attack running EC2 instances without having the original instance SSH keypairs. It also allows you to perform enumeration and extraction of stored Secrets and Parameters in AWS.
* **IAM**
* [Enumerate IAM permissions](https://github.com/andresriancho/enumerate-iam)
* Enumerate the permissions associated with AWS credential set
* **Nuking**
* [cloud-nuke](https://github.com/gruntwork-io/cloud-nuke)
* This repo contains a CLI tool to delete all resources in an AWS account. cloud-nuke was created for situations when you might have an account you use for testing and need to clean up leftover resources so you're not charged for them. Also great for cleaning out accounts with redundant resources. Also great for removing unnecessary defaults like default VPCs and permissive ingress/egress rules in default security groups.
* **Persistence**
* [MadKing Amazon Web Services Attack Platform](https://github.com/ThreatResponse/mad-king)
This project was created as a proof of concept. A marriage of serverless frameworks and the techniques of researcher Daniel Grzelak for persistance in an AWS account.
* **Scripts & One-offs**
* [RedDolphin](https://github.com/elitest/RedDolphin)
* RedDolphin is a collection of scripts that use the Amazon SDK for Python boto3 to perform red team operations against the AWS API.
* **Auditing/Compliance Monitoring**<a name="compliance"></a>
* [Hammer](https://github.com/dowjones/hammer)
* Dow Jones Hammer is a multi-account cloud security tool for AWS. It identifies misconfigurations and insecure data exposures within most popular AWS resources, across all regions and accounts. It has near real-time reporting capabilities (e.g. JIRA, Slack) to provide quick feedback to engineers and can perform auto-remediation of some misconfigurations. This helps to protect products deployed on cloud by creating secure guardrails.
* [ElectricEye](https://github.com/jonrau1/ElectricEye)
* ElectricEye is a set of Python scripts (affectionately called Auditors) that continuously monitor your AWS infrastructure looking for configurations related to confidentiality, integrity and availability that do not align with AWS best practices. All findings from these scans will be sent to AWS Security Hub where you can perform basic correlation against other AWS and 3rd Party services that send findings to Security Hub. Security Hub also provides a centralized view from which account owners and other responsible parties can view and take action on findings. ElectricEye supports both AWS commercial and GovCloud Regions, however, Auditors for services not supported in GovCloud were not removed. Running these scans in Fargate will not fail the entire task if a service is not supported in GovCloud, in those cases they will fail gracefully.
* **Detecting Credential Compromise**
* See Defense
* [SkyWrapper](https://github.com/cyberark/SkyWrapper)
* SkyWrapper is an open-source project which analyzes behaviors of temporary tokens created in a given AWS account. The tool is aiming to find suspicious creation forms and uses of temporary tokens to detect malicious activity in the account. The tool analyzes the AWS account, and creating an excel sheet includes all the currently living temporary tokens. A summary of the finding printed to the screen after each run.
* **EBS**<a name="ebs"></a>
* [Dufflebag](https://github.com/BishopFox/dufflebag)
* Dufflebag is a tool that searches through public Elastic Block Storage (EBS) snapshots for secrets that may have been accidentally left in. You may be surprised by all the passwords and secrets just laying around!
* **External-Monitoring**<a name="external"></a>
* [aws_public_ips](https://github.com/arkadiyt/aws_public_ips)
* Fetch all public IP addresses tied to your AWS account. Works with IPv4/IPv6, Classic/VPC networking, and across all AWS services
* **IAM**<a name="awsiam"></a>
* [AWS IAM Policy Generator for AWS CDK](https://github.com/aletheia/iam-policy-generator)
* A simple library to generate IAM policy statements with no need to remember all the actions APIs. Remembering IAM policy actions is nearly impossible and sticking to the documentation is time consuming. This library provides a set of predefined constants to be used with any IDE intellisense for autocompletion and a factory class that builds a AWS CDK PolicyStatement with ease. This project goal is to offer simple code handlers, so developers won't have to remember al the complex syntax. This library primary intention is to be used as an helper when writing AWS CDK stack scripts, but it can be used also as a standalone utility in any script.
* [PMapper](https://github.com/nccgroup/PMapper)
* Principal Mapper (PMapper) is a script and library for identifying risks in the configuration of AWS Identity and Access Management (IAM) in an AWS account. PMapper allows users to identify which IAM users and roles have access to certain actions and resources in an AWS account. This is important for ensuring that sensitive resources, such as S3 objects with PII, are isolated.
* [AWS Lambda - IAM Access Key Disabler](https://github.com/te-papa/aws-key-disabler)
* The AWS Key disabler is a Lambda Function that disables AWS IAM User Access Keys after a set amount of time in order to reduce the risk associated with old access keys.
* **Least-Privileges**
* [AirIAM](https://github.com/bridgecrewio/AirIAM)
* AirIAM is an AWS IAM to least privilege Terraform execution framework. It compiles AWS IAM usage and leverages that data to create a least-privilege IAM Terraform that replaces the exiting IAM management method. AirIAM was created to promote immutable and version-controlled IAM management to replace today's manual and error prone methods.
* [Policy Sentry](https://github.com/salesforce/policy_sentry)
* IAM Least Privilege Policy Generator and analysis database.
* [CloudTracker](https://github.com/duo-labs/cloudtracker)
* CloudTracker helps you find over-privileged IAM users and roles by comparing CloudTrail logs with current IAM policies.
* [Blogpost](https://duo.com/blog/introducing-cloudtracker-an-aws-cloudtrail-log-analyzer)
* [repokid](https://github.com/Netflix/repokid)
* AWS Least Privilege for Distributed, High-Velocity Deployment
* **Inventory**<a name="inventory"></a>
* **Tools**
* [aws-inventory(janiko71)](https://github.com/janiko71/aws-inventory)
* This python script lists all the main resources of your AWS account. This inventory may be uncomplete, but it should help you to find what I call "main" resources that are, in my mind, resources that should affect billing and/or security. Intended for personal use (even if I added some professional features like logging), and for only one account.
* [clinv](https://github.com/lyz-code/clinv)
* command line inventory for DevSecOps resources in AWS.
* [aws-inventory(NCCGroup)](https://github.com/nccgroup/aws-inventory)
* This is a tool that tries to discover all AWS resources created in an account. AWS has many products (a.k.a. services) with new ones constantly being added and existing ones expanded with new features. The ecosystem allows users to piece together many different services to form a customized cloud experience. The ability to instantly spin up services at scale comes with a manageability cost. It can quickly become difficult to audit an AWS account for the resources being used. It is not only important for billing purposes, but also for security. Dormant resources and unknown resources are more prone to security configuration weaknesses. Additionally, resources with unexpected dependencies pose availability, access control, and authorization issues.
* [resource-counter](https://github.com/disruptops/resource-counter)
* This command line tool counts the number of resources in different categories across Amazon regions. This is a simple Python app that will count resources across different regions and display them on the command line. It first shows the dictionary of the results for the monitored services on a per-region basis, then it shows totals across all regions in a friendlier format. It tries to use the most-efficient query mechanism for each resource in order to manage the impact of API activity. I wrote this to help me scope out assessments and know where resources are in a target account.
* [antiope](https://github.com/turnerlabs/antiope)
* AWS Inventory and Compliance Framework - intended to be an open sourced framework for managing resources across hundreds of AWS Accounts. From a trusted Security Account, Antiope will leverage Cross Account Assume Roles to gather up resource data and store them in an inventory bucket. This bucket can then be index by ELK or your SEIM of choice to provide easy searching of resources across hundreds of AWS accounts.
* **Lambda**<a name="lambda"></a>
* [Gaining Persistency on Vulnerable Lambdas - Yuval Avrahami](https://www.twistlock.com/labs-blog/gaining-persistency-vulnerable-lambdas/)
* [Reverse engineering AWS Lambda - denialof.service](https://www.denialof.services/lambda/)
* **Logging**<a name="logging"></a>
* **Tools**
* [trailscraper](https://github.com/flosell/trailscraper)
* A command-line tool to get valuable information out of AWS CloudTrail and a general purpose toolbox for working with IAM policies
* [TrailBlazer](https://github.com/willbengtson/trailblazer-aws)
* TrailBlazer is a tool written to determine what AWS API calls are logged by CloudTrail and what they are logged as. You can also use TrailBlazer as an attack simulation framework.
* [StreamAlert](https://github.com/airbnb/streamalert)
* StreamAlert is a serverless, real-time data analysis framework which empowers you to ingest, analyze, and alert on data from any environment, using data sources and alerting logic you define. ]
* **Mapping**<a name="mapping"></a>
* **Tools**
* [Cartography](https://github.com/lyft/cartography)
* Cartography is a Python tool that consolidates infrastructure assets and the relationships between them in an intuitive graph view powered by a Neo4j database.
* [awspx](https://github.com/FSecureLABS/awspx)
* awspx is a graph-based tool for visualizing effective access and resource relationships within AWS. It resolves policy information to determine what actions affect which resources, while taking into account how these actions may be combined to produce attack paths. Unlike tools like Bloodhound, awspx requires permissions to function — it is not expected to be useful in cases where these privileges have not been granted.
* [CloudMapper](https://github.com/duo-labs/cloudmapper)
* CloudMapper generates network diagrams of Amazon Web Services (AWS) environments and displays them via your browser. It helps you understand visually what exists in your accounts and identify possible network misconfigurations.
* **Resource Usage Tracking**<a name="aresource"></a>
* [Ice](https://github.com/Teevity/ice)
* Ice provides a birds-eye view of our large and complex cloud landscape from a usage and cost perspective. It consists of three parts: processor, reader and UI. Processor processes the Amazon detailed billing file into data readable by reader. Reader reads data generated by processor and renders them to UI. UI queries reader and renders interactive graphs and tables in the browser.
* **S3 Buckets**<a name="s3atk>"></a>
* **Articles/Blogposts/Writeups**
* [A deep dive into AWS S3 access controls – taking full control over your assets - labs.detectify](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/)
* [S3 Bucket Namesquatting - Abusing predictable S3 bucket names - Ian Mckay](https://onecloudplease.com/blog/s3-bucket-namesquatting)
* [A deep dive into AWS S3 access controls – taking full control over your assets(2017)](https://labs.detectify.com/2017/07/13/a-deep-dive-into-aws-s3-access-controls-taking-full-control-over-your-assets/)
* **General Tools**
* [s3-utils](https://github.com/whitfin/s3-utils)
* Utilities and tools based around Amazon S3 to provide convenience APIs in a CLI.
* [Amazon-Web-Shenanigans](https://github.com/vr00n/Amazon-Web-Shenanigans)
* A lambda function that checks your account for Public buckets and emails you whenever a new public s3 bucket is created
* **Discovery/Enumeration of**
* [Teh S3 Bucketeers](https://github.com/tomdev/teh_s3_bucketeers)
* Script to scan for buckets with given creds
* [BuQuikker](https://github.com/Quikko/BuQuikker)
* This project is intended to show how easy it is to find poorly configured AWS buckets. This project is build on top of bucketeer. It should make the life of a bugbounty hunter much easier. The user needs to provide a list and each word in the list will be used in combination with the teh_s3_bucketeers script. Whenever the script finds an open bucket, the teh_s3_bucketeers script will write it into `result-<name-of-searchword>.txt`
* [Bucket Stream](https://github.com/eth0izzle/bucket-stream)
* This tool simply listens to various certificate transparency logs (via certstream) and attempts to find public S3 buckets from permutations of the certificates domain name.
* [slurp](https://github.com/random-robbie/slurp)
* Enumerates S3 buckets manually or via certstream
* [s3finder](https://github.com/magisterquis/s3finder)
* Yet another program to find readable S3 buckets. Can search using a wordlist or by monitoring the certstream network for domain names from certificate transparency logs. If a name contains dots, a name with the dots replaced by dashes will be tried, as well. All queries are done via HTTPS. Found buckets will be written to stdout. All other messages are written to stderr, to make for easy logging.
* [S3scan](https://github.com/abhn/S3Scan)
* A simple script to find open Amazon AWS S3 buckets in your target websites. S3 buckets are a popular way of storing static contents among web developers. Often, developers tend to set the bucket permissions insecurely during development, and forget to set them correctly in prod, leading to (security) issues.
* [s3-buckets-bruteforcer](https://github.com/gwen001/s3-buckets-finder)
* PHP tool to brute force Amazon S3 bucket
* [s3-fuzzer](https://github.com/pbnj/s3-fuzzer)
* A concurrent, command-line AWS S3 Fuzzer. Written in Go.
* [buckethead.py](https://github.com/RhinoSecurityLabs/Security-Research/tree/master/tools/aws-pentest-tools)
* buckethead.py searches across every AWS region for a variety of bucket names based on a domain name, subdomains, affixes given and more. Currently the tool will only present to you whether or not the bucket exists or if they're listable.
* [lazys3](https://github.com/nahamsec/lazys3)
* A Ruby script to bruteforce for AWS s3 buckets using different permutations.
* [inSp3ctor](https://github.com/brianwarehime/inSp3ctor)
* AWS S3 Bucket/Object Finder
* **Permissions**
* [S3-Inspector](https://github.com/clario-tech/s3-inspector)
* Tool to check AWS S3 bucket permissions.
* **Searching Contents of**
* [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
* AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.
* [S3Scanner](https://github.com/sa7mon/S3Scanner)
* A tool to find open S3 buckets and dump their contents
* [bucketcat](https://github.com/Atticuss/bucketcat)
* Brute-forces objects within a given bucket using Hashcat mask-like syntax
* [aws-s3-data-finder](https://github.com/Ucnt/aws-s3-data-finder)
* Find suspicious files (e.g. data backups, PII, credentials) across a large set of AWS S3 buckets and write the first 200k keys (by default) of listable buckets to a .json or .xml file (in buckets/) via awscli OR unauthenticated via HTTP requests.
* [Bucketlist](https://github.com/michenriksen/bucketlist)
* Bucketlist is a quick project I threw together to find and crawl Amazon S3 buckets and put all the data into a PostgreSQL database for querying.
* **Security Groups**
* [aws-security-viz](https://github.com/anaynayak/aws-security-viz)
* Need a quick way to visualize your current aws/amazon ec2 security group configuration? aws-security-viz does just that based on the EC2 security group ingress configuration.
* **Securing & Hardening**
* **101**
* [CIS Amazon Web Services Foundations](https://d0.awsstatic.com/whitepapers/compliance/AWS_CIS_Foundations_Benchmark.pdf)
* [asecure.cloud](https://asecure.cloud)
* A free repository of customizable AWS security configurations and best practices
* [aws-security-benchmark](https://github.com/awslabs/aws-security-benchmark)
* Collection of resources related to security benchmark frameworks.
* [AWS Security Primer](https://cloudonaut.io/aws-security-primer/#fn:2)
* [AWS Security Hub](https://aws.amazon.com/security-hub/)
* AWS Security Hub gives you a comprehensive view of your high-priority security alerts and security posture across your AWS accounts.
* [Amazon Inspector](https://aws.amazon.com/inspector/)
* Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for vulnerabilities or deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity. These findings can be reviewed directly or as part of detailed assessment reports which are available via the Amazon Inspector console or API.
* **Articles/Blogposts/Writeups**
* **Tools**
* [Cloudsplaining](https://github.com/salesforce/cloudsplaining)
* Cloudsplaining is an AWS IAM Security Assessment tool that identifies violations of least privilege and generates a risk-prioritized HTML report.
* [LambdaGuard](https://github.com/Skyscanner/LambdaGuard)
* LambdaGuard is an AWS Lambda auditing tool designed to create asset visibility and provide actionable results. It provides a meaningful overview in terms of statistical analysis, AWS service dependencies and configuration checks from the security perspective.
* [Cloud-Reports](https://github.com/tensult/cloud-reports)
* Collects info about various cloud resources and analyzes them against best practices and give a JSON, CSV, HTML, or PDF reports.
* [Zeus](https://github.com/DenizParlak/Zeus)
* Zeus is a powerful tool for AWS EC2 / S3 / CloudTrail / CloudWatch / KMS best hardening practices. It checks security settings according to the profiles the user creates and changes them to recommended settings based on the CIS AWS Benchmark source at request of the user.
* [terraform-aws-secure-baseline](https://github.com/nozaq/terraform-aws-secure-baseline)
* Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations.
* **Tools**
* [aws_pwn](https://github.com/dagrz/aws_pwn)
* This is a collection of horribly written scripts for performing various tasks related to penetration testing AWS. Please don't be sad if it doesn't work for you. It might be that AWS has changed since a given tool was written or it might be that the code sux. Either way, please feel free to contribute. Most of this junk was written by Daniel Grzelak but there's been plenty of contributions, most notably Mike Fuller.
* [Nimbostratus](https://github.com/andresriancho/nimbostratus)
* Tools for fingerprinting and exploiting Amazon cloud infrastructures
* [cloudfrunt](https://github.com/MindPointGroup/cloudfrunt)
* A tool for identifying misconfigured CloudFront domains
* [cred_scanner](https://github.com/disruptops/cred_scanner)
* A simple command line tool for finding AWS credentials in files. Optimized for use with Jenkins and other CI systems.
* **Training**
* [AWS Security Workshops](https://github.com/aws-samples/aws-security-workshops)
* Here you'll find a collection of security workshops and other hands-on content that will guide you through prepared scenarios that represent common use cases and security operational tasks on Amazon Web Services (AWS). The workshops closely align with the NIST Cyber Security Framework and will provide a deep dive into a variety of AWS security services, techniques, and best practices that'll you'll be able to apply to your own environments to better improve your security posture.
* [Serverless Security Workshop](https://github.com/aws-samples/aws-serverless-security-workshop)
* In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora.
----------------
### <a name="ms-azure"></a>Microsoft Azure
* **101**<a name="a101"></a>
* [Microsoft Azure: Penetration Testing - Official Documentation](https://docs.microsoft.com/en-us/azure/security/azure-security-pen-testing)
* [Microsoft Azure Datacenter IP Ranges - ms.com](https://www.microsoft.com/en-us/download/details.aspx?id=41653)
* **Documentation**<a name="adoc"></a>
* [Azure ATP Security Alerts - docs.ms](https://docs.microsoft.com/en-us/azure-advanced-threat-protection/suspicious-activity-guide)
* **Compliance**<a name="acompliance"></a>
* [New Azure maps make identifying local compliance options easy - David Burt(2020 azure.microsoft)](https://azure.microsoft.com/en-gb/blog/new-azure-maps-make-identifying-local-compliance-options-easy/)
* **Educational**<a name="aedu"></a>
* [So you want to learn Azure Security? - Michael Howard(2020)](https://michaelhowardsecure.blog/2020/02/14/so-you-want-to-learn-azure-security/)
* **Articles/Writeups**
* [An Introduction to PenTesting Azure](https://www.gracefulsecurity.com/an-introduction-to-pentesting-azure/)
* [Azure operational security checklist - docs.ms](https://docs.microsoft.com/en-us/azure/security/azure-operational-security-checklist)
* [Security services and technologies available on Azure - docs.ms](https://docs.microsoft.com/en-us/azure/security/azure-security-services-technologies)
* [Red Teaming Microsoft: Part 1 – Active Directory Leaks via Azure - Mike Felch](https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/)
* [Identifying & Exploiting Leaked Azure Storage Keys - Sunil Yadav](https://www.notsosecure.com/identifying-exploiting-leaked-azure-storage-keys/)
* **Presentations/Talks/Videos**
* [Blue Cloud of Death: Red Teaming Azure - Bryce Kunz](https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1B)
* [I'm in your cloud: A year of hacking Azure AD - Dirk-Jan Mollema](https://www.youtube.com/watch?v=fpUZJxFK72k)
* **Tools**
* [Azurite - Azurite Explorer and Azurite Visualizer](https://github.com/mwrlabs/Azurite)
* consists of two helper scripts: Azurite Explorer and Azurite Visualizer. The scripts are used to collect, passively, verbose information of the main components within a deployment to be reviewed offline, and visulise the assosiation between the resources using an interactive representation. One of the main features of the visual representation is to provide a quick way to identify insecure Network Security Groups (NSGs) in a subnet or Virtual Machine configuration.
------------------
### <a name="gcloud"></a>Google Cloud
* **101**<a name="g101"></a>
* **Articles/Writeups**
* [Abusing Google App Scripting Through Social Engineering](http://www.redblue.team/2017/02/abusing-google-app-scripting-through.html)
* [Persistent GCP backdoors with Google’s Cloud Shell - Juan Berner](https://medium.com/@89berner/persistant-gcp-backdoors-with-googles-cloud-shell-2f75c83096ec)
* [Red Team Tactics for Cracking the GSuite Perimeter - Michael Felch](https://www.slideshare.net/MichaelFelch/red-team-tactics-for-cracking-the-gsuite-perimeter)
* **Containers**<a name="gcon"></a>
* [Getting vulnerabilities and metadata for images - cloud.google](https://cloud.google.com/container-registry/docs/get-image-vulnerabilities)
* **Monitoring**<a name="gmon"></a>
* [Setting up advanced network threat detection with Packet Mirroring - Shishir Agrawal, Yang Liang(cloud.google)](https://cloud.google.com/blog/products/networking/packet-mirroring-enables-better-network-monitoring-and-security)
* **Presentations/Talks/Videos**
* [G-Jacking AppEngine-based applications - HITB2014](https://conference.hitb.org/hitbsecconf2014ams/materials/D2T1-G-Jacking-AppEngine-based-Applications.pdf)
* **Tools**<a name="gtools"></a>
* **Attacking**
* [Introducing G-Scout](https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2017/august/introducing-g-scout/)
* G-Scout is a tool to help assess the security of Google Cloud Platform (GCP) environment configurations. By leveraging the Google Cloud API, G-Scout automatically gathers a variety of configuration data and analyzes this data to determine security risks. It produces HTML output.
* [Google Cloud Platform Security Tool](https://github.com/nccgroup/G-Scout)
* **Securing**
* [Google Cloud Security Scanner](https://cloud.google.com/security-scanner/)
* Cloud Security Scanner is a web security scanner for common vulnerabilities in Google App Engine applications. It can automatically scan and detect four common vulnerabilities, including cross-site-scripting (XSS), Flash injection, mixed content (HTTP in HTTPS), and outdated/insecure libraries. It enables early identification and delivers very low false positive rates. You can easily setup, run, schedule, and manage security scans and it is free for Google Cloud Platform users.
* [Hayat](https://github.com/DenizParlak/Hayat)
* Google Cloud Platform Auditing & Hardening Script
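Review bot: G-Scout is filed under `**Attacking**` (the NCC Group blog post plus the `Google Cloud Platform Security Tool` repository link), yet its own blurb describes it as a tool to "assess the security of Google Cloud Platform (GCP) environment configurations", which is configuration auditing; it belongs under the neighbouring `**Securing**` heading beside Hayat, and the repository link should be nested under the blog entry (or lead the pair) so the two links and the description read as one tool rather than three bullets. Smaller points in the same hunk: the `AWS Security Primer` URL ends in `#fn:2`, which lands the reader on footnote 2 instead of the top of the article, so drop the fragment; the Azurite blurb starts mid-sentence ("consists of two helper scripts...") and carries "visulise" and "assosiation", so either quote the upstream README with its subject intact or fix the spelling; and `**Articles/Blogposts/Writeups**` under AWS `**Securing & Hardening**` and `**101**` under Google Cloud are empty headings, so either populate them or leave them out until there is something to file.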

+ 16
- 0
Draft/DFIR.md View File

@ -268,6 +268,8 @@
* [And That's How I Lost My Other Eye...Explorations in Data Destruction](https://www.youtube.com/watch?v=-bpX8YvNg6Y)
* [An Anti-Forensics Primer - Jason Andress](http://www.irongeek.com/i.php?page=videos/derbycon3/s216-an-anti-forensics-primer-jason-andress)
* This talk will cover the basics of anti-forensics, the tools and techniques that can be used to make life harder for computer forensic examiners. We will cover some of the basic methods that are used (disk wiping, time stomping, encryption, etc…) and talk about which of these methods might actually work and which are easily surmounted with common forensic tools.
* [Anti-Forensics for Fun and Privacy - Alissa Gilbert(Shmoocon 2020)](https://www.youtube.com/watch?v=eSmsiSvvAQs)
* Want to learn how to avoid surveillance and investigators? Anti-forensics is the practice of modifying or removing data so that others cannot find it later during an investigation. While annoying to forensic practitioners and law enforcement, it is unavoidable to help maintain privacy in a world of shady ToS, snooping partners, and potential search and seizures. How far do you need to go to maintain your privacy? This talk will break down anti-forensics techniques that you can use to protect yourself from audiences like your mom to an extreme nation-state level actor. The only thing more fun than forensics is anti-forensics.
* **Tools**
* [usbkill](https://github.com/stemid/usbkill)
* A tool that shuts down your computer if USB devices change, for example if you unplug or plug-in a device.
@ -856,3 +858,17 @@
--------------
#### Bootkit Disk Forensics
* **101**
* **Articles/Papers/Talks/Writeups**
* [Bootkit Disk Forensics – Part 1 - MalwareTech](http://www.malwaretech.com/2015/02/bootkit-disk-forensics-part-1.html)
* [Part 2](http://www.malwaretech.com/2015/03/bootkit-disk-forensics-part-2.html)
* **General**
* **Tools**
* **Miscellaneous**
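Review bot: `**101**`, `**General**`, `**Tools**` and `**Miscellaneous**` in the new Bootkit Disk Forensics section are empty headings, so four of the five bullets a reader opens lead nowhere; either drop the placeholders until there is content for them or add a one-line 101 pointer (the two MalwareTech posts are the obvious candidate). The `#### Bootkit Disk Forensics` header also has no `<a name=...>` anchor, unlike the section headers elsewhere in this commit (`### <a name="gcloud"></a>Google Cloud`, `### <a name="ipsec"></a>IPSEC`), so it cannot be linked from the file's table of contents.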

+ 26
- 8
Draft/L-SM-TH.md View File

@ -14,7 +14,7 @@
- [Breach Detection/Response](#brdp)
- [Infrastructure Monitoring](#inframon)
- [Network-based](#netmon)
- [IDS/IPS](ips)
- [IDS/IPS](#ips)
- [IDS/IPS Monitoring tools](#ipsmon)
- [Linux](#linmon)
- [macOS/OS X](#macmon)
@ -31,6 +31,10 @@
- [Linux](#thlin)
- [macOS](#thmac)
- [Windows](#thwin)
- [Cloud](#cloud)
- [AWS](#aws)
- [Azure](#azure)
- [GCP](#gcp)
- [Simulation & Testing](#simulation)
- [Data Storage & Analysis](#stacks )
- [ELK](#elk)
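Review bot: the new `#cloud`, `#aws`, `#azure` and `#gcp` anchors are bare common words in a list whose other anchors are abbreviated and section-specific (`#thlin`, `#thmac`, `#thwin`, `#inframon`, `#netmon`), which makes them the likeliest to collide with a later anchor of the same name and silently send the reader to the wrong section; names in the style of the adjacent hunting entries (`#thcloud`, `#thaws`, `#thazure`, `#thgcp`) would avoid that. While this list is open: the unchanged `- [Data Storage & Analysis](#stacks )` two lines below has a space inside the link target, which some Markdown renderers emit as the literal text `(#stacks )` instead of a link.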
@ -352,6 +356,9 @@
* Configure Searches to periodically run against a variety of data sources. You can define a custom pipeline of Filters to manipulate any generated Alerts and forward them to multiple Targets.
* [Pattern](https://github.com/clips/pattern/blob/master/README.md)
* Pattern is a web mining module for Python. It has tools for: Data Mining: web services (Google,; Twitter, Wikipedia), web crawler, HTML DOM parser; Natural Language Processing: part-of-speech taggers, n-gram search, sentiment analysis, WordNet; Machine Learning: vector space model, clustering, classification (KNN, SVM, Perceptron); Network Analysis: graph centrality and visualization.
* **File Analysis**
* [BinaryAlert](https://github.com/airbnb/binaryalert)
* BinaryAlert is an open-source serverless AWS pipeline where any file uploaded to an S3 bucket is immediately scanned with a configurable set of YARA rules. An alert will fire as soon as any match is found, giving an incident response team the ability to quickly contain the threat before it spreads.
* **Infrastructure Monitoring**<a name="inframon"></a>
* [Ninja Level Infrastructure Monitoring Workshop - Defcon24](https://github.com/appsecco/defcon24-infra-monitoring-workshop)
* This repository contains all the presentation, documentation and the configuration, sample logs, ansible playbook, customized dashboards and more.
@ -695,6 +702,7 @@
* **Data Analysis**<a name="data"></a>
* **Articles/Blogposts/Writeups**
* [An In-Depth Look Into Data Stacking - M-Labs](https://www.fireeye.com/blog/threat-research/2012/11/indepth-data-stacking.html)
* Data stacking is the application of frequency analysis to large volumes of similar data in an effort to isolate and identify anomalies. In short, data stacking is an investigative technique that can be used to find a needle in a digital haystack. It involves an iterative process of reducing large amounts of data into manageable chunks that can be consumed and investigated.
* **Labs**
* HELK
* [HELK - The Hunting ELK](https://github.com/Cyb3rWard0g/HELK)
@ -774,8 +782,6 @@
* **Articles/Writeups**
* [Hunting Your DNS Dragons - Derek King(2018)](https://www.splunk.com/en_us/blog/security/hunting-your-dns-dragons.html)
* [Threat hunting using DNS firewalls and data enrichment - Adam Ziaja](https://blog.redteam.pl/2019/08/threat-hunting-dns-firewall.html)
* **Traffic Analysis**<a name="traffic"></a>
* [Behavioral Analysis using DNS, Network Traffic and Logs, Josh Pyorre (@joshpyorre)](https://www.youtube.com/watch?v=oLemvzZjDOs&index=13&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* Multiple methods exist for detecting malicious activity in a network, including intrusion detection, anti-virus, and log analysis. However, the majority of these use signatures, looking for already known events and they typically require some level of human intervention and maintenance. Using behavioral analysis methods, it may be possible to observe and create a baseline of average behavior on a network, enabling intelligent notification of anomalous activity. This talk will demonstrate methods of performing this activity in different environments. Attendees will learn new methods which they can apply to further monitor and secure their networks
@ -881,6 +887,8 @@
* **Articles/Writeups**
* [Hunting COM Objects - Charles Hamilton](https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html)
* [Hunting COM Objects (Part Two) - Brett Hawkins](https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects-part-two.html)
* **CSharp**
* [Interesting DFIR traces of .NET CLR Usage Logs - menasec.net](https://blog.menasec.net/2019/07/interesting-difr-traces-of-net-clr.html)
* **Event Logs**
* **Articles/Writeups**
* **Talks/Presentations/Videos**
@ -931,17 +939,16 @@
* **Processes**
* **Articles/Writeups**
* [Verifying Running Processes against VirusTotal - Domain-Wide - Rob VandenBrink(isc.sans 2019)](https://isc.sans.edu/diary/Verifying+Running+Processes+against+VirusTotal+-+Domain-Wide/25078)
* [Engineering Process Injection Detections - Part 1: Research - Jonathan Johnson(2020)](https://posts.specterops.io/engineering-process-injection-detections-part-1-research-951e96ad3c85)
* [Code](https://github.com/jsecurity101/Detecting-Process-Injection-Techniques)
* **Talks/Presentations/Videos**
* [Tricking modern endpoint security products - Michel Coene(SANS2020)](https://www.youtube.com/watch?v=xmNpS9mbwEc)
* The current endpoint monitoring capabilities we have available to us are unprecedented. Many tools and our self/community-built detection rules rely on parent-child relationships and command-line arguments to detect malicious activity taking place on a system. There are, however, ways the adversaries can get around these detections. During this presentation, we'll talk about the following techniques and how we can detect them: Parent-child relationships spoofing; Command-line arguments spoofing; Process injection; Process hollowing
* **Tools**
* [PE-Sieve](https://github.com/hasherezade/pe-sieve)
* [..]tool that helps to detect malware running on the system, as well as to collect the potentially malicious material for further analysis. Recognizes and dumps variety of implants within the scanned process: replaced/injected PEs, shellcodes, hooks, and other in-memory patches. Detects inline hooks, Process Hollowing, Process Doppelgänging, Reflective DLL Injection, etc.
* **Process Injection**
* **Articles/Writeups**
* [Engineering Process Injection Detections - Part 1: Research - Jonathan Johnson(2020)](https://posts.specterops.io/engineering-process-injection-detections-part-1-research-951e96ad3c85)
* [Code](https://github.com/jsecurity101/Detecting-Process-Injection-Techniques)
* **Tools**
* [hollows_hunter](https://github.com/hasherezade/hollows_hunter)
* Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
* [Get-InjectedThread.ps1](https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2)
* Looks for threads that were created as a result of code injection.
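Review bot: moving the Engineering Process Injection Detections post and its `Code` link out of `**Processes**` > `**Articles/Writeups**` into the new `**Process Injection**` > `**Articles/Writeups**` leaves PE-Sieve stranded under `**Processes**` > `**Tools**`, even though its blurb ("replaced/injected PEs, shellcodes, hooks, and other in-memory patches", "Process Hollowing, Process Doppelgänging, Reflective DLL Injection") names the same implant classes that hollows_hunter's blurb names under `**Process Injection**` > `**Tools**`; move PE-Sieve next to hollows_hunter and Get-InjectedThread.ps1, or leave a one-line pointer, so a reader looking for injection-detection tooling finds all three together.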
* **PowerShell**
@ -1009,6 +1016,17 @@
* **Tools**
* [BLUESPAWN](https://github.com/ION28/BLUESPAWN)
* BLUESPAWN is an active defense and endpoint detection and response tool which means it can be used by defenders to quickly detect, identify, and eliminate malicious activity and malware across a network.
* [CimSweep](https://github.com/PowerShellMafia/CimSweep)
* CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CimSweep may also be used to engage in offensive reconnaisance without the need to drop any payload to disk.
* **Cloud**<a name='cloud'></a>
* **AWS**<a name="aws"></a>
* **Articles/Writeups**
* **Talks & Presentations**
* [Actionable threat hunting in AWS (SEC339) - Chris Farris, Suman Koduri(AWS re:Invent 2019)](https://www.youtube.com/watch?v=kNtiskRtfeY)
* Learn how WarnerMedia leveraged Amazon GuardDuty, AWS CloudTrail, and its own serverless inventory tool (Antiope) to root out cloud vulnerabilities, insecure behavior, and potential account compromise activities across a large number of accounts. We cover how WarnerMedia centralizes and automates its security tooling, offer detailed Splunk queries for GuardDuty and CloudTrail, and discuss how Antiope is used for vulnerability hunting. We cover the scaling issues incurred during a large enterprise merger. Leave this session with a strategy and an actionable set of detections for finding potential data breaches and account compromises.
* [Blogpost](https://www.chrisfarris.com/post/reinvent2019-sec339/)
* **Azure**<a name="azure"></a>
* **GCP**<a name="gcp"></a>
* **Simulation & Testing**<a name='simulation'></a>
* **Articles/Blogposts/Writeups**
* **Talks/Presentations/Videos**
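Review bot: `**Azure**<a name="azure"></a>` and `**GCP**<a name="gcp"></a>` are added as empty headings and `**AWS**` > `**Articles/Writeups**` is empty as well, so three of the new Cloud bullets have nothing under them; drop them until populated, or at least keep only the populated `**Talks & Presentations**` branch, since the table-of-contents hunk above now links straight to these anchors. Two style points in the same hunk: `<a name='cloud'></a>` uses single quotes while `<a name="aws"></a>`, `<a name="azure"></a>` and `<a name="gcp"></a>` beside it use double quotes, so pick one (the rest of the file's anchors shown here, `<a name="inframon">`, `<a name="data">`, use double quotes); and "reconnaisance" in the CimSweep blurb should be "reconnaissance".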


+ 25
- 22
Draft/Network_Attacks.md View File

@ -1,5 +1,6 @@
# Network Attacks & Defenses
--------------------------------------------------------
## Table of Contents
- [General](#general)
- [Protocols(Mostly)](#protocols)
@ -59,6 +60,7 @@
- [Printers](#printers)
- [Proxies](#proxy)
- [Redis](#redis)
- [Preboot Execution Environment (PXE)](#pxe)
- [Software Defined Networking(SDN)](#sdn)
- [SQL](#sql)
- [Switches](#switches)
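Review bot: the new `- [Preboot Execution Environment (PXE)](#pxe)` entry links to a `#pxe` anchor, but no `### <a name="pxe">` section is added anywhere in this diff, so confirm the section exists (or add it in this commit) before merging, otherwise the table-of-contents link is dead. The entry is also out of the list's alphabetical order, sitting after Redis; it belongs before Redis, between Proxies and Redis if sorted as "PXE" or before Printers if sorted by the full name.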
@ -71,6 +73,7 @@
- [Other](#other)
- [MISC](#misc2)
* Need to Add
* BGP
* Captive portals
@ -127,28 +130,6 @@
* Automate Nessus scans against AWS EC2/RDS endpoints.
-------------------------------------------------------------------------------------------------------------------------------------------------
### <a name="redis"></a>Redis
* **101**
* [redis - Wikipedia](https://en.wikipedia.org/wiki/Redis)
* [Introduction to redis - redis.io](https://redis.io/topics/introduction)
* **Articles/Presentations/Talks/Writeups**
* [redis security - redis.io](https://redis.io/topics/security)
* [A Few Things About redis Security - antirez](http://antirez.com/news/96)
* [Securing redis - redis.io](https://redis.io/topics/quickstart#securing-redis)
* [Pentesting Redis Servers - averagesecurityguy](https://averagesecurityguy.github.io/code/pentest/2015/09/17/pentesting-redis-servers/)
* **Tools**
* [redis-dump](http://delanotes.com/redis-dump/)
* [Script attempted to create global variable - Stackoverflow](https://stackoverflow.com/questions/19997647/script-attempted-to-create-global-variable)
-----------
### <a name="other">Other</a> (Breaking Routers)
* [ASUS Router infosvr UDP Broadcast root Command Execution](https://github.com/jduck/asus-cmd)
@ -407,8 +388,13 @@
------------
### <a name="ipsec"></a>IPSEC
* **101**
* [IPSec - Wikipedia](https://en.wikipedia.org/wiki/IPsec)
* [IPSec RFCs - docs.oracle](https://docs.oracle.com/cd/E19253-01/816-4554/ipsec-ov-14/index.html)
* **Attacking***
* **Articles/Blogposts/Writeups**
* **Presentations/Talks/Videos**
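Review bot: `* **Attacking***` has three closing asterisks, so Markdown ends the bold after `Attacking` and prints the third `*` as literal text; it should read `* **Attacking**` to match `* **101**` directly above it.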
@ -1967,6 +1953,23 @@
-------------------------------------------------------------------------------------------------------------------------------------------------
### <a name="redis"></a>Redis
* **101**
* [redis - Wikipedia](https://en.wikipedia.org/wiki/Redis)
* [Introduction to redis - redis.io](https://redis.io/topics/introduction)
* **Articles/Presentations/Talks/Writeups**
* [redis security - redis.io](https://redis.io/topics/security)
* [A Few Things About redis Security - antirez](http://antirez.com/news/96)
* [Securing redis - redis.io](https://redis.io/topics/quickstart#securing-redis)
* [Pentesting Redis Servers - averagesecurityguy](https://averagesecurityguy.github.io/code/pentest/2015/09/17/pentesting-redis-servers/)
* **Tools**
* [redis-dump](http://delanotes.com/redis-dump/)
* [Script attempted to create global variable - Stackoverflow](https://stackoverflow.com/questions/19997647/script-attempted-to-create-global-variable)
-------------
### <a name="sdn"></a>Software Defined Networking (SDN)
* **101**
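Review bot: the relocated Redis block is carried over verbatim, including `[Script attempted to create global variable - Stackoverflow]` filed under `**Tools**`; that link is a Stack Overflow question about a Redis scripting error message, not a tool, so while the block is being moved anyway it should go under `**Articles/Presentations/Talks/Writeups**` or be dropped. The move itself is fine: Redis now sits in alphabetical position between the preceding section and `### <a name="sdn"></a>Software Defined Networking (SDN)` instead of between the AWS tooling and "Other (Breaking Routers)".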


+ 0
- 349
Draft/OSI.md View File

@ -1,349 +0,0 @@
# Open Source Intelligence
## Table of Contents
- [General](#general)
- [Articles/Writeups](#writeups)
- [Presentations & Talks](#talks)
- [Tools](#tools))
- [CVS/Git/Similar](#cvs)
- [DNS Stuff/related](#dns)
- [Email Gathering](#email)
- [Fancy Search Engines](#search)
- [Search Engine Dorks](#gh)
- [Site Specific Tools](#site)
- [Social Media Search/Enumeration](#social)
- [Company/People Searching](#ppl)
- [Reference Sites](#reference)
- [Miscellaneous](#misc)
#### Sort
* Add list of Sources:
* UCC - Uniform Commercial Code;
* DOC - Current Industrial Patents;
* DMV - Vehicle Ownership applications;
* Patents - Patent DBs;
* Operating Licenses/Permits;
* Trade Journals;
--------------------
### <a name="general"></a>General
* **General**
* SWOT - Strengths, Weaknesses, Opportunities, Threats
* **101**
* [Open Source Intelligence - Wikipedia](http://en.wikipedia.org/wiki/Open-source_intelligence)
* **Articles/Writeups**
* [Hunting Pastebin with PasteHunter](https://techanarchy.net/2017/09/hunting-pastebin-with-pastehunter/)
* [Open Source Intelligence Gathering 101 - appseco.com](https://blog.appsecco.com/open-source-intelligence-gathering-101-d2861d4429e3)
* [Open Source Intelligence Gathering 201 - appseco.com](https://blog.appsecco.com/open-source-intelligence-gathering-201-covering-12-additional-techniques-b76417b5a544)
* [Open Source Intelligence Gathering: Techniques, Automation, and Visualization - Christopher Maddalena](https://posts.specterops.io/gathering-open-source-intelligence-bee58de48e05)
* [The OSINT Connection: Intelligence In Executive Protection - protectioncircle.com](https://protectioncircle.org/2017/03/06/the-osint-connection-intelligence-in-executive-protection/)
* **Alerting**
* [Google Trends](https://trends.google.com/trends/)
* See what are the popular related topics people are searching for. This will help widen your search scope.
* [Google Alerts](https://www.google.com/alerts)
* Google Alerts are email updates of the latest relevant Google results (web, news, etc.) based on your queries.
* [PasteLert](https://www.andrewmohawk.com/pasteLert/)
* PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries. This means you will automatically recieve email whenever your term(s) is/are found in new pastebin entries!
* **Educational**
* [Intelligence Gathering - PTES](http://www.pentest-standard.org/index.php/Intelligence_Gathering)
* [Corporate Espionage without the Hassle of Committing Felonies](https://www.slideshare.net/JohnCABambenek/corporate-espionage-without-the-hassle-of-committing-felonies)
* [NATO Open Source Intelligence Handbook](http://www.oss.net/dynamaster/file_archive/030201/ca5fb66734f540fbb4f8f6ef759b258c/NATO%20OSINT%20Handbook%20v1.2%20%2d%20Jan%202002.pdf)
* [OSINT toolbag guide - pdf](http://www.phibetaiota.net/wp-content/uploads/2013/07/2013-07-11-OSINT-2ool-Kit-On-The-Go-Bag-O-Tradecraft.pdf)
* **OSINT Based News**
* [JustSecurity](https://www.justsecurity.org/)
* Just Security is an online forum for the rigorous analysis of U.S. national security law and policy. We aim to promote principled and pragmatic solutions to national security problems that decision-makers face. Our Board of Editors includes individuals with significant government experience, civil society attorneys, academics, and other leading voices. Just Security is based at the Center for Human Rights and Global Justice at New York University School of Law.
* [OSINTInsight](http://www.osintinsight.com/shared.php?user=Mediaquest&folderid=0)
* [Janes](http://www.janes.com/)
* [bell?ngcat](https://www.bellingcat.com/)
* By and for citizen investigative journalists
* [NightWatch](http://www.kforcegov.com/Solutions/IAO/NightWatch/About.aspx)
* NightWatch is an executive commentary and analysis of events that pose or advance threats to US national security interests. It is deliberately edgy in the interest of clarity and brevity. As a product for executives, the distribution and all feedback comments are anonymous.
* [RSOE EDIS - Emergency and Disaster Information Service](http://hisz.rsoe.hu/alertmap/index2.php)
* **Resources**
* [Awesome-OSINT](https://github.com/jivoi/awesome-osint)
* [OSINT Framework](http://osintframework.com/)
* [OSINT Resources - greynetwork2](https://sites.google.com/site/greynetwork2/home/osint-resources)
* [Intel Techniques - Links](http://www.inteltechniques.com/links.html)
* [toddington - resources](https://www.toddington.com/resources/)
* [onstrat - osint](http://www.onstrat.com/osint/)
* http://osintinsight.com/shared.php?expand=169,175&folderid=0&user=Mediaquest
* [Open Source Intelligence (OSINT) Tools & Resources - osint.link](http://osint.link/)
* Seems pretty good.
* [Midasearch.org](https://midasearch.org/)
* [Open Source Intelligence Resources - toddington.com](https://www.toddington.com/resources/)
* [OSINT - onstrat](http://www.onstrat.com/osint/)
* **IntelTechniques OSINT Flowcharts**
* [Email Address](https://inteltechniques.com/data/Email.png)
* [Domain Name](https://inteltechniques.com/data/Domain.png)
* [Real Name](https://inteltechniques.com/data/Real%20Name.png)
* [Telephone #](https://inteltechniques.com/data/Telephone.png)
* [Location](https://inteltechniques.com/data/location.png)
* [User Name](https://inteltechniques.com/data/Username.png)
* **Writeups**
* [Fantastic OSINT and where to find it - blindseeker/malware focused](http://archive.is/sYzcP#selection-62.0-62.1)
* [Some blog posts describing/bringing you up to speed on OSINT by krypt3ia](http://krypt3ia.wordpress.com/2012/01/11/the-subtle-art-of-osint/)
* [Glass Reflections in Pictures + OSINT = More Accurate Location](http://blog.ioactive.com/2014/05/glass-reflections-in-pictures-osint.html)
* [Exploring the Github Firehose](http://blog.scalyr.com/2013/10/exploring-the-github-firehose/)
* [OSINT Through Sender Policy Framework (SPF) Records](https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records)
* [Hunting with ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter)](https://hackernoon.com/hunting-with-%EA%93%98amerka-2-0-aka-fist-flickr-instagram-shodan-twitter-ca363f12562a)
* [ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter)](https://github.com/woj-ciech/kamerka)
* Build interactive map of cameras, printers, tweets and photos. The script creates a map of cameras, printers, tweets and photos based on your coordinates. Everything is clearly presented in form of interactive map with icons and popups.
* **Talks & Presentations**
* [Cognitive Bias and Critical Thinking in Open Source Intelligence - Defcamp 2014](https://www.youtube.com/watch?v=pVAM21UERLU&index=24&list=PLnwq8gv9MEKgSryzYIFhpmCcqnVzdUWfH)
* [Dark Arts of OSINT Skydogcon](https://www.youtube.com/watch?v=062pLOoZhk8)
* [Developing a Open Source Threat Intelligence Program—Edward McCabe](http://www.irongeek.com/i.php?page=videos/circlecitycon2014/105-developing-a-open-source-threat-intelligence-program-edward-mccabe)
* What if you could get out in front of common threats such as botnets, scanners and malware? Good news, you can. Learn about one geeks struggle with life on the Internet of (bad) things when it comes to being online, identifying “odd” things, and developing an Open Source Threat Intelligence Program from Open Source Tools and Public Sources.
* [Corporate Espionage: Gathering Actionable Intelligence Via Covert Operations - Brent White - Defcon22](https://www.youtube.com/watch?v=D2N6FclMMTg)
* [How to Use Python to Spy on Your Friends: Web APIs, Recon ng, & OSINT](https://www.youtube.com/watch?v=BOjz7NfsLpA)
* [Practical OSINT - Shane MacDougall](https://www.youtube.com/watch?v=cLmEJLy7dv8)
* There’s more to life to OSINT than google scraping and social media harvesting. Learn some practical methods to automate information gathering, explore some of the most useful tools, and learn how to recognize valuable data when you see it. Not only will we explore various tools, attendees will get access to unpublished transforms they can use/modify for their own use.
* [Pwning People Personally - Josh Schwartz](https://www.youtube.com/watch?v=T2Ha-ZLZTz0)
* [You're Leaking Trade Secrets - Defcon22 Michael Schrenk](https://www.youtube.com/watch?v=JTd5TL6_zgY)
* Networks don't need to be hacked for information to be compromised. This is particularly true for organizations that are trying to keep trade secrets. While we hear a lot about personal privacy, little is said in regard to organizational privacy. Organizations, in fact, leak information at a much greater rate than individuals, and usually do so with little fanfare. There are greater consequences for organizations when information is leaked because the secrets often fall into the hands of competitors. This talk uses a variety of real world examples to show how trade secrets are leaked online, and how organizational privacy is compromised by seemingly innocent use of The Internet.
* [ZOMG Its OSINT Heaven Tazz Tazz](https://www.youtube.com/watch?v=cLmEJLy7dv8)
* **OSINT Tools/Resources** <a name="tools"></a>
* **Tools**
* **DNS**
* [blacksheepwall](https://github.com/tomsteele/blacksheepwall)
* blacksheepwall is a hostname reconnaissance tool
* **All-in-One**
* [Maltego](https://www.paterva.com/web6/products/maltego.php)
* Description: What you use to tie everything together.
* [Oryon C Portable](http://osintinsight.com/oryon.php)
* Oryon C Portable is a web browser designed to assist researchers in conducting Open Source Intelligence investigations. Oryon comes with dozens of pre-installed tools and a select set of links cataloged by category – including those that can be found in the OI Shared Resources.
* [OSINT Mantra](http://www.getmantra.com/hackery/osint.html)
* [Recon-ng](https://bitbucket.org/LaNMaSteR53/recon-ng)
* Description: Recon-ng is a full-featured Web Reconnaissance framework written in Python. Complete with independent modules, database interaction, built in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.
* [TouchGraph SEO Browser](http://www.touchgraph.com/seo)
* Use this free Java application to explore the connections between related websites.
* [Th3inspector](https://github.com/Moham3dRiahi/Th3inspector)
* Tool that automates OSINT collection. Seems to gather from a variety of sources. Perl script.
* [gasmask](https://github.com/twelvesec/gasmask)
* All in one Information gathering tool - OSINT
* **Data Manipulation**
* [Danger-zone](https://github.com/woj-ciech/Danger-zone/blob/master/README.md)
* Correlate data between domains, ips and email addresses, present it as a graph and store everything into Elasticsearch and JSON files.
* [Article](https://medium.com/@woj_ciech/osint-tool-for-visualizing-relationships-between-domains-ips-and-email-addresses-94377aa1f20a)
* [OpenRefine](https://github.com/OpenRefine/OpenRefine)
* Description: OpenRefine is a power tool that allows you to load data, understand it, clean it up, reconcile it to master database, and augment it with data coming from Freebase or other web sources. All with the comfort and privacy of your own computer.
* [OSRFramework](https://github.com/i3visio/osrframework)
* OSRFramework is a GNU AGPLv3+ set of libraries developed by i3visio to perform Open Source Intelligence tasks. They include references to a bunch of different applications related to username checking, DNS lookups, information leaks research, deep web search, regular expressions extraction and many others. At the same time, by means of ad-hoc Maltego transforms, OSRFramework provides a way of making these queries graphically as well as several interfaces to interact with like OSRFConsole or a Web interface.
* **Geolocation**
* [Creepy.py](http://ilektrojohn.github.io/creepy/)
* Description: Creepy is a geolocation OSINT tool. Gathers geolocation related information from online sources, and allows for presentation on map, search filtering based on exact location and/or date, export in csv format or kml for further analysis in Google Maps.
* **Research Collection/Organization**
* [hunch.ly](https://hunch.ly/)
* Paid web archiving tool
* [zotero.org](https://www.zotero.org/)
* Research Collection/Organization Tool
* **Company/People Searching** <a name="ppl"></a>
* [data.com](https://www.data.com/)
* [LittleSis](https://littlesis.org/)
* LittleSis is a free database of who-knows-who at the heights of business and government.
* [Jigsaw](http://jigsawbusinessgroup.com/what-we-do/people/)
* Jigsaw is a prospecting tool used by sales professionals, marketers and recruiters to get fresh and accurate sales leads and business contact information.
* [Spokeo](https://www.spokeo.com/)
* Spokeo is a people search engine that organizes white pages listings, public records and social network information into simple profiles to help you safely find and learn about people.\
* [Hoovers](http://www.hoovers.com/)
* Search over 85 million companies within 900 industry segments; Hoover's Reports Easy-to-read reports on key competitors, financials, and executives
* [Market Visual](http://www.marketvisual.com/)
* Search Professionals by Name, Company or Title
* [Glass Door](https://www.glassdoor.com/)
* Search jobs then look inside. Company salaries, reviews, interview questions, and more all posted anonymously by employees and job seekers.
* [192](http://www.192.com/)
* Find people, businesses and places in the UK with 192.com. Directory enquiries, a people finder, business listings and detailed maps with aerial photos.
* [corporationwiki](https://www.corporationwiki.com/)
* [orbis](https://orbisdirectory.bvdinfo.com/version-2017821/OrbisDirectory/Companies)
* Company information across the globe
* **Country Specific Resources**
* **USA**
* [SEC EDGAR Search](https://www.sec.gov/edgar/searchedgar/webusers.htm)
* [US Congressional Research Service - crsreports.congress.gov](https://crsreports.congress.gov/search/#/?termsToSearch=&orderBy=Date)
* **CVS/Git/Similar Focused** <a name="cvs"></a>
* [repo-supervisor](https://github.com/auth0/repo-supervisor)
* [GitPrey](https://github.com/repoog/GitPrey)
* GitPrey is a tool for searching sensitive information or data according to company name or key word something.The design mind is from searching sensitive data leakling in Github:
* [git-all-secrets](https://github.com/anshumanbh/git-all-secrets)
* A tool to capture all the git secrets by leveraging multiple open source git searching tools
* [github-firehose](https://www.npmjs.com/package/github-firehose)
* A library that will connect to github and emit events from the Github Event API in near-real-time
* [Exploring the Github Firehose](http://blog.scalyr.com/2013/10/exploring-the-github-firehose/)
* [Gitem](https://github.com/mschwager/gitem)
* Gitem is a tool for performing Github organizational reconnaissance.
* [Truffle Hog](https://github.com/dxa4481/truffleHog)
* Searches through git repositories for high entropy strings, digging deep into commit history and branches. This is effective at finding secrets accidentally committed that contain high entropy.
* [dvcs-ripper](https://github.com/kost/dvcs-ripper)
* Rip web accessible (distributed) version control systems: SVN, GIT, Mercurial/hg, bzr, ... It can rip repositories even when directory browsing is turned off.
* [Truffle Hog](https://github.com/dxa4481/truffleHog)
* Searches through git repositories for high entropy strings, digging deep into commit history
* [DVCS-Pillage](https://github.com/evilpacket/DVCS-Pillage)
* Pillage web accessible GIT, HG and BZR repositories. I thought it would be useful to automate some other techniques I found to extract code, configs and other information from a git,hg, and bzr repo's identified in a web root that was not 100% cloneable. Each script extracts as much knowledge about the repo as possible through predictable file names and known object hashes, etc.
* [gitdigger](https://github.com/wick2o/gitDigger)
* gitDigger: Creating realworld wordlists from github hosted data.
* [gitrob](https://github.com/michenriksen/gitrob)
* Gitrob is a command line tool which can help organizations and security professionals find sensitive information lingering in publicly available files on GitHub. The tool will iterate over all public organization and member repositories and match filenames against a range of patterns for files that typically contain sensitive or dangerous information. Looking for sensitive information in GitHub repositories is not a new thing, it has been [known for a while](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html) that things such as private keys and credentials can be found with GitHub's search functionality, however Gitrob makes it easier to focus the effort on a specific organization.
* [reposcanner](https://github.com/Dionach/reposcanner)
* Python script to scan Git repos for interesting strings
* [gitleaks](https://github.com/zricethezav/gitleaks)
* Searches full repo history for secrets and keys
* [Reposcanner](https://github.com/Dionach/reposcanner)
* Reposcanner is a python script to search through the commit history of Git repositories looking for interesting strings such as API keys, inspired by truffleHog.
* **DNS Stuff** <a name="dns"></a>
* [dauntless](https://github.com/cmeister2/dauntless)
* Tools for analysing the forward DNS data set published at https://scans.io/study/sonar.fdns_v2
* [dnstwist](https://github.com/elceef/dnstwist)
* Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
* [typofinder](https://github.com/nccgroup/typofinder)
* Typofinder for domain typo discovery
* **Domain Recon**
* **Tools**
* [Waybackpack](https://github.com/jsvine/waybackpack)
* Waybackpack is a command-line tool that lets you download the entire Wayback Machine archive for a given URL.
* [domain - jhaddix](https://github.com/jhaddix/domain)
* Recon-ng and Alt-DNS are awesome. This script combines the power of these tools with the ability to run multiple domains within the same session. TLDR; I just want to do my subdomain discovery via ONE command and be done with it. Only 1 module needs an api key (/api/google_site) find instructions for that on the recon-ng wiki. Script to enumerate subdomains, leveraging recon-ng. Uses google scraping, bing scraping, baidu scraping, yahoo scraping, netcraft, and bruteforces to find subdomains. Plus resolves to IP
* [check0365](https://github.com/vysecurity/checkO365)
* checkO365 is a tool to check if a target domain is using O365
* **Email Gathering/Reconnaissance** <a name="email"></a>
* **Articles/Writeups**
* [OSINT Through Sender Policy Framework Records](https://community.rapid7.com/community/infosec/blog/2015/02/23/osint-through-sender-policy-framework-spf-records)
* [The most complete guide to finding anyone’s email - Timur Daudpota](https://www.blurbiz.io/blog/the-most-complete-guide-to-finding-anyones-email)
* **Tools**
* [SimplyEmail](https://github.com/killswitch-GUI/SimplyEmail)
* What is the simple email recon tool? This tool was based off the work of theHarvester and kind of a port of the functionality. This was just an expansion of what was used to build theHarvester and will incorporate his work but allow users to easily build Modules for the Framework. Which I felt was desperately needed after building my first module for theHarvester.
* [Email Reconnaissance and Phishing Template Generation Made Simple](https://cybersyndicates.com/2016/05/email-reconnaissance-phishing-template-generation-made-simple/)
* [theHarvester](https://github.com/laramies/theHarvester)
* theHarvester is a tool for gathering e-mail accounts, subdomain names, virtual hosts, open ports/ banners, and employee names from different public sources (search engines, pgp key servers).
* [discover.sh](https://github.com/leebaird/discover)
* For use with Kali Linux. Custom bash scripts used to automate various pentesting tasks.
* [Cr3dOv3r](https://github.com/D4Vinci/Cr3dOv3r)
* Cr3dOv3r simply you give it an email then it does two simple jobs (but useful): Search for public leaks for the email and if it any, it returns with all available details about the leak (Using hacked-emails site API). Now you give it this email's old or leaked password then it checks this credentials against 16 websites (ex: facebook, twitter, google...) then it tells you if login successful in any website!
* [Infoga](https://github.com/m4ll0k/Infoga)
* Infoga is a tool gathering email accounts informations (ip,hostname,country,...) from different public source (search engines, pgp key servers and shodan) and check if emails was leaked using haveibeenpwned.com API. Is a really simple tool, but very effective for the early stages of a penetration test or just to know the visibility of your company in the Internet.
* **Facial Mapping Data**
* [Social Mapper](https://github.com/SpiderLabs/social_mapper)
* Social Mapper is a Open Source Intelligence Tool that uses facial recognition to correlate social media profiles across different sites on a large scale. It takes an automated approach to searching popular social media sites for targets names and pictures to accurately detect and group a person’s presence, outputting the results into report that a human operator can quickly review.
* **Fancy Search Engines** <a name="search"></a>
* [Entity Cube](http://entitycube.research.microsoft.com/)
* EntityCube is a research prototype for exploring object-level search technologies, which automatically summarizes the Web for entities (such as people, locations and organizations) with a modest web presence.
* [Silobreaker](http://www.silobreaker.com/)
* Enterprise Semantic Search Engine, allows virtualisation of data, analytics and exploration of key data.
* [iSeek](http://www.iseek.com/#/web)
* Another handy search engine that break results down into easy to manage categories.
* [Carrot2](http://search.carrot2.org/stable/search)
* Carrot2 organizes your search results into topics. With an instant overview of what's available, you will quickly find what you're looking for.
* [Sqoop](http://sqoop.com/)
* OSINT search engine of public documents(handy)
* [GlobalFileSearch](https://ftplike.com)
* An FTP Search Engine that may come in handy.
* [NAPALM FTP Indexer](https://www.searchftps.net/)
* **General Meta Data** <a name="meta"></a>
* [Just-Metadata](https://github.com/ChrisTruncer/Just-Metadata)
* Just-Metadata is a tool that can be used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has "gather" modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has "analysis" modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.
* [MetaGooFil](https://code.google.com/p/metagoofil/)
* Description: Metagoofil is an information gathering tool designed for extracting metadata of public documents (pdf,doc,xls,ppt,docx,pptx,xlsx) belonging to a target company. The tool will perform a search in Google to identify and download the documents to local disk and then will extract the metadata with different libraries like Hachoir, PdfMiner and others. With the results it will generate a report with usernames, software versions and servers or machine names that will help Penetration testers in the information gathering phase.
* [Metashield Analyzer](https://metashieldanalyzer.elevenpaths.com/)
* Description: Metadata documents can help a malicious user to obtain information that is beyond our control in an enterprise environment. Metashield Analyzer is an online service that allows easily check if your office documents contain metadata.
* [PowerMeta](https://github.com/dafthack/PowerMeta)
* PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
* **General Data Scrapers** <a name="scrape"></a>
* [XRAY](https://github.com/evilsocket/xray)
* XRay is a tool for recon, mapping and OSINT gathering from public networks.
* [NameCheck](https://www.namecheck.com)
* Search usernames across multiple services/domain registries
* [TheHarvester](From: https://code.google.com/p/theharvester/)
* Description: The objective of this program is to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources like search engines, PGP key servers and SHODAN computer database. This tool is intended to help Penetration testers in the early stages of the penetration test in order to understand the customer footprint on the Internet. It is also useful for anyone that wants to know what an attacker can see about their organization.
* [OSINT OPSEC Tool](https://github.com/hyprwired/osint-opsec-tool)
* Description: The OSINT OPSEC Tool monitors multiple 21st Century OSINT sources real-time for keywords, then analyses the results, generates alerts, and maps trends of the data, finding all sorts of info people probably don't want others to see...
* [Pattern](https://github.com/clips/pattern/blob/master/README.md)
* Pattern is a web mining module for Python. It has tools for: Data Mining: web services (Google,; Twitter, Wikipedia), web crawler, HTML DOM parser; Natural Language Processing: part-of-speech taggers, n-gram search, sentiment analysis, WordNet; Machine Learning: vector space model, clustering, classification (KNN, SVM, Perceptron); Network Analysis: graph centrality and visualization.
* **Search Engine Dorks** <a name="gh"></a>
* **101**
* [Google Hacking for Penetration Testers](https://www.blackhat.com/presentations/bh-europe-05/BH_EU_05-Long.pdf)
* [How to Find (Almost) Anything on Google - Barbara Davidson](https://www.netcredit.com/blog/how-to-find-anything-on-google/)
* **Databases/Lists**
* [ExpoitDB archive of the google hacking database](http://www.exploit-db.com/google-dorks/)
* [Google Hacking Database](http://www.hackersforcharity.org/ghdb/)
* We call them 'googledorks': Inept or foolish people as revealed by Google. Whatever you call these fools, you've found the center of the Google Hacking Universe!
* [4500+ Google Dork List 2018 - conzu.de](http://www.conzu.de/en/google-dork-liste-2018-conzu/)
* **Tools**
* [GooHak](https://github.com/1N3/Goohak)
* Automatically launch google hacking queries against a target domain to find vulnerabilities and enumerate a target.
* [Google Hacking - Search Diggity tool](http://www.bishopfox.com/resources/tools/google-hacking-diggity/attack-tools/)
* SearchDiggity 3.1 is the primary attack tool of the Google Hacking Diggity Project. It is Bishop Fox’s MS Windows GUI application that serves as a front-end to the most recent versions of our Diggity tools: GoogleDiggity, BingDiggity, Bing LinkFromDomainDiggity, CodeSearchDiggity, DLPDiggity, FlashDiggity, MalwareDiggity, PortScanDiggity, SHODANDiggity, BingBinaryMalwareSearch, and NotInMyBackYard Diggity.
* [GoogD0rker](https://github.com/ZephrFish/GoogD0rker)
* GoogD0rker is a tool for firing off google dorks against a target domain, it is purely for OSINT against a specific target domain. Designed for OSX originally however googD0rker txt now works on all nix platforms.
* **Network Information Search Engines** <a name="nin"></a>
* [Whoisology](https://whoisology.com/)
* Whoisology is a domain name ownership archive with literally billions of searchable and cross referenced domain name whois records.
* **Site Specific** <a name="site"></a>
* **AWS**
* [AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
* AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.
* **Facebook**
* [pymk-inspector](https://github.com/GMG-Special-Projects-Desk/pymk-inspector/blob/master/README.md)
* The pymk-inspector is a tool built by Gizmodo's Special Projects Desk that we used for our investigation into Facebook's people you may know (pymk) algorithm.
* [Find FB profiles by Email](https://booleanstrings.com/2018/05/06/how-to-identify-facebook-profiles-from-email-addresses/)
* **Github**
* [profile-summary-for-github](https://github.com/tipsy/profile-summary-for-github)
* Tool for visualizing GitHub profiles
* [Github dorks - finding vulns](http://blog.conviso.com.br/2013/06/github-hacking-for-fun-and-sensitive.html)
* **LinkedIn**
* [InSpy](https://github.com/gojhonny/InSpy)
* A LinkedIn enumeration tool
* [linkedin](https://github.com/eracle/linkedin)
* Linkedin Scraper using Selenium Web Driver, Firefox 45, Ubuntu and Scrapy
* [LinkedInt: A LinkedIn scraper for reconnaissance during adversary simulation](https://github.com/mdsecactivebreach/LinkedInt)
* [LinkedIn Gatherer](https://github.com/DisK0nn3cT/linkedin-gatherer)
* [socilab](http://socilab.com/#home)
* This site allows users to visualize and analyze their LinkedIn network using methods derived from social-scientific research. Full sample output is shown here. The site is free and open-source. Have fun!
* [Linkedin_profiles](https://github.com/wpentester/Linkedin_profiles)
* This script uses selenium to scrape linkedin employee details from a specified company. If the script isn't working, you can always browse to the desired company's employee page and paste in the link on line 69 like this: "employees_page = url"
* [The Secrets of LinkedIn](https://webbreacher.com/2017/01/14/the-secrets-of-linkedin/)
* Grabbing usernames/connections(link analysis)
* [The Endorser](https://github.com/eth0izzle/the-endorser)
* An OSINT tool that allows you to draw out relationships between people on LinkedIn via endorsements/skills.
* [ScrapedIn](https://github.com/dchrastil/ScrapedIn)
* this tool assists in performing reconnaissance using the LinkedIn.com website/API. Provide a search string just as you would on the original website and let ScrapedIn do all the dirty work. Output is stored as an XLSX file, however it is intended to be used with Google Spreadsheets. After importing the XLSX into Google Spreadsheets there will be a "dataset" worksheet and a "report" worksheet.
* [Gathering Usernames from Google LinkedIn Results Using Burp Suite Pro - BHIS](https://www.blackhillsinfosec.com/gathering-usernames-from-google-linkedin-results-using-burp-suite-pro/)
* [GatherContacts](https://github.com/clr2of8/GatherContacts)
* A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results.
* [linkedin2username](https://github.com/initstring/linkedin2username)
* **Tinder**
* [OSINT: Advanced tinder capture](https://www.learnallthethings.net/osmosis)
* **Twitter**
* [OneMillionTweetMap](http://onemilliontweetmap.com/)
* This page maps the last geolocalized tweets delivered by the twitter stream API. ... YES - IN REAL-TIME - and we keep "only" the last one million tweets.
* [tweets_analyzer](https://github.com/x0rz/tweets_analyzer)
* Tweets metadata scraper & activity analyzer
* [Tweet Archivist](https://www.tweetarchivist.com/)
* [tweets_analyzer](https://github.com/x0rz/tweets_analyzer)
* Tweets metadata scraper & activity analyzer
* [Tinfoleak](http://vicenteaguileradiaz.com/tools/)
* tinfoleak is a simple Python script that allow to obtain: basic information about a Twitter user (name, picture, location, followers, etc.); devices and operating systems used by the Twitter user; applications and social networks used by the Twitter user; place and geolocation coordinates to generate a tracking map of locations visited; show user tweets in Google Earth!; download all pics from a Twitter user; hashtags used by the Twitter user and when are used (date and time); user mentions by the the Twitter user and when are occurred (date and time); topics used by the Twitter user
* [How to Find the Twitter ID from an Email Address - booleanstrings.com](https://booleanstrings.com/2018/05/02/how-to-find-the-twitter-id-from-an-email-address/)
* [Twint](https://github.com/twintproject/twint)
* Formerly known as Tweep, Twint is an advanced Twitter scraping tool written in Python that allows for scraping Tweets from Twitter profiles without using Twitter's API. Twint utilizes Twitter's search operators to let you scrape Tweets from specific users, scrape Tweets relating to certain topics, hashtags & trends, or sort out sensitive information from Tweets like e-mail and phone numbers. I find this very useful, and you can get really creative with it too. Twint also makes special queries to Twitter allowing you to also scrape a Twitter user's followers, Tweets a user has liked, and who they follow without any authentication, API, Selenium, or browser emulation.
* **Social Media Search/Enumeration** <a name="social"></a>
* [CheckUsernames](http://checkusernames.com/)
* Check the use of your brand or username on 160 Social Networks
* [NameCHK](https://namechk.com/)
* Check to see if your desired username or vanity url is still available at dozens of popular Social Networking and Social Bookmarking websites.
* [Scythe](https://github.com/ChrisJohnRiley/Scythe)
* The ability to test a range of email addresses across a range of sites (e.g. social media, blogging platforms, etc...) to find where those targets have active accounts. This can be useful in a social engineering test where you have email accounts for a company and want to list where these users have used their work email for 3rd party web based services.
* [Social Mention](http://www.socialmention.com/)
* Social Mention is a social media search engine that searches user-generated content such as blogs, comments, bookmarks, events, news, videos, and more
* [Whos Talkin](http://www.whostalkin.com/)
* social media search tool that allows users to search for conversations surrounding the topics that they care about most.
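Review bot: this deleted-file hunk (Draft/OSI.md in the changed-files list, 349 deletions) has no matching addition anywhere in the 19-file changeset, so the entire OSINT reference, including the **Tools** block from `blacksheepwall` through `Whos Talkin`, leaves the repo with this commit; the commit message only mentions Phishing and SE, so either state where this content was relocated or restore it before merging. If it is re-homed, drop the duplicates the old file carried while doing so: Truffle Hog and Reposcanner are each listed twice under **CVS/Git/Similar Focused**, `tweets_analyzer` twice under **Twitter**, theHarvester appears under both **Email Gathering/Reconnaissance** and **General Data Scrapers** with a malformed link `[TheHarvester](From: https://code.google.com/p/theharvester/)`, and "Practical OSINT" and "ZOMG Its OSINT Heaven" point at the same YouTube URL.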

+ 54
- 26
Draft/Passwords.md View File

@ -16,28 +16,24 @@
https://github.com/Raikia/CredNinja
* [HVAZARD Dictionary Modifier](https://github.com/MichaelDim02/Hvazard)
* Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists!
https://allanfeid.com/content/cracking-zip-files-fcrackzip
https://github.com/hyc/fcrackzip
http://pdfcrack.sourceforge.net/
https://www.betterbuys.com/estimating-password-cracking-times/
* [brut3k1t](https://github.com/ex0dus-0x/brut3k1t)
https://github.com/clr2of8/DPAT
* [Comprehensive Guide on Cewl Tool - rajhackingarticles.blogspot.com](https://rajhackingarticles.blogspot.com/2018/11/hello-friends-in-this-article-we-are.html)
* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 1 - BHIS](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/)
* [Password Spraying Outlook Web Access – How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 2 - BHIS](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/)
* [Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com](https://www.securenetworkinc.com/news/2017/7/16/brute-forcing-with-burp-pentesters-tips-tricks-week-1)
* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 1 - Beau Bullock](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/)
* [Password Spraying Outlook Web Access – How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 2 - Beau Bullock](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/)
Default Oracle Creds:
http://www.petefinnigan.com/default/default_password_list.htm
---------------------------
### Password Spraying <a name="spray"></a>
* **General**
* **Articles/Papers/Talks/Writeups**
* [Exploiting Password Reuse on Personal Accounts: How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 1 - Beau Bullock](https://www.blackhillsinfosec.com/exploiting-password-reuse-on-personal-accounts-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-1/)
* [Password Spraying Outlook Web Access – How to Gain Access to Domain Credentials Without Being on a Target’s Network: Part 2 - Beau Bullock](https://www.blackhillsinfosec.com/password-spraying-outlook-web-access-how-to-gain-access-to-domain-credentials-without-being-on-a-targets-network-part-2/)
* [Brute Forcing with Burp - Pentesters Tips & Tricks Week 1 - securenetwork.com](https://www.securenetworkinc.com/news/2017/7/16/brute-forcing-with-burp-pentesters-tips-tricks-week-1)
* **Tools**
* [brut3k1t](https://github.com/ex0dus-0x/brut3k1t)
* brute is a Python-based library framework and engine that enables security professionals to rapidly construct bruteforce / credential stuffing attacks. It features both a multi-purpose command-line application (brute), and a software library that can be used in tandem to quickly generate standalone module scripts for attack.
* **MS Outlook/Office365**
* **Articles/Papers/Talks/Writeups**
* **Tools**
* [MSOLSpray](https://github.com/dafthack/MSOLSpray)
* A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
* [SprayingToolkit](https://github.com/byt3bl33d3r/SprayingToolkit)
* Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient
---------------------------
### <a name="general"></a> General
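Review bot: the bare URLs left above the `---` divider (CredNinja, the fcrackzip article and repo, pdfcrack, the betterbuys cracking-time estimator, DPAT, and the "Default Oracle Creds" Pete Finnigan list) still sit outside any section with no `* [name](url)` entry or description, which is the convention the rest of Passwords.md follows; now that the BHIS articles, the Burp brute-forcing post and brut3k1t have been moved into the new **Password Spraying** section, file the remaining loose links under **Tools** or the relevant subsection in the same format. Two smaller points in the new section: the **Articles/Papers/Talks/Writeups** heading under **MS Outlook/Office365** is empty, so either drop it or move the two Beau Bullock OWA articles there, and the brut3k1t description calls the tool `brute`, so align the entry name with what the repository currently calls itself.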
@ -67,8 +63,11 @@ http://www.petefinnigan.com/default/default_password_list.htm
* **Wordlist Generation** <a name="wordlistgen"></a>
* **Articles/Writeups**
* [Generating Wordlists](http://netsec.ws/?p=457)
* [Weak in, Weak out: Keeping Password Lists Current - @NYXGEEK](https://www.trustedsec.com/blog/weak-in-weak-out-keeping-password-lists-current/)
* **Source: From Nothing**
* [Creating Wordlists with Crunch](http://adaywithtape.blogspot.com/2011/05/creating-wordlists-with-crunch-v30.html)
* [weakpass_generator](https://github.com/nyxgeek/weakpass_generator)
* generates weak passwords based on current date
* **Source: Keyboard Walks**
* [Generating Keyboard Walks - bytesdarkly.com](https://bytesdarkly.com/2014/08/generating-keyboard-walks/)
* [Methods to Generate Keyboard Walks for Password Cracking - Rich Kelley](https://github.com/Rich5/Keyboard-Walk-Generators)
@ -90,9 +89,15 @@ http://www.petefinnigan.com/default/default_password_list.htm
* [CeWL](http://digi.ninja/projects/cewl.php)
* CeWL is a ruby app which spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper.
* [Comprehensive Guide on Cewl Tool - Raj Chandel](https://rajhackingarticles.blogspot.com/2018/11/hello-friends-in-this-article-we-are.html)
* [rhodiola](https://github.com/utkusen/rhodiola)
* Rhodiola tool is developed to narrow the brute force combination pool by creating a personalized wordlist for target people. It finds interest areas of a given user by analyzing his/her tweets, and builds a personalized wordlist.
* [Generating Personalized Wordlists by Analyzing Targets Tweets - Utku Sen(DEFCON27 ReconVillage)](https://www.youtube.com/watch?v=R3XuI9JUFDA&list=PL9fPq3eQfaaCkpP6XOD4uCQB6NpGrbujo&index=4&t=0s)
* **BigData**
* [Commonspeak2](https://github.com/assetnote/commonspeak2)
* Commonspeak2 leverages publicly available datasets from Google BigQuery to generate content discovery and subdomain wordlists. As these datasets are updated on a regular basis, the wordlists generated via Commonspeak2 reflect the current technologies used on the web. By using the Golang client for BigQuery, we can stream the data and process it very quickly. The future of this project will revolve around improving the quality of wordlists generated by creating automated filters and substitution functions. Let's turn creating wordlists from a manual task, into a reproducible and reliable science with BigQuery.
* **Modifying Wordlists**
* [HVAZARD Dictionary Modifier](https://github.com/MichaelDim02/Hvazard)
* Remove short passwords & duplicates, change lowercase to uppercase & reverse, combine wordlists!
* **Wordlists** <a name="wordlists"></a>
* [Probable-Wordlists](https://github.com/berzerk0/Probable-Wordlists)
* Wordlists sorted by probability originally created for password generation and testing
@ -158,11 +163,19 @@ http://www.petefinnigan.com/default/default_password_list.htm
* PACK (Password Analysis and Cracking Toolkit) is a collection of utilities developed to aid in analysis of password lists in order to enhance password cracking through pattern detection of masks, rules, character-sets and other password characteristics. The toolkit generates valid input files for Hashcat family of password crackers.
* [BarsWF](https://3.14.by/en/md5)
* MD5 Cracker
* [Cryptbreaker](https://github.com/Sy14r/Cryptbreaker)
* Upload files and use AWS Spot Instances to crack passwords. Using cloud capabilities you can even prevent plaintext credentials from leaving the isolated cracking box ensuring that you get usable statistics on passwords while minimizing plaintext credential exposure.
* **Miscellaneous**
* **Windows**
* [LM, NTLM, Net-NTLMv2, oh my! A Pentester’s Guide to Windows Hashes- Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* [ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi)
* This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
* **Articles/Papers/Talks/Writeups**
* [Cracking NTLMv1 \w ESS/SSP - crack.sh]()https://crack.sh/cracking-ntlmv1-w-ess-ssp/
* [LM, NTLM, Net-NTLMv2, oh my! A Pentester’s Guide to Windows Hashes- Peter Gombos](https://medium.com/@petergombos/lm-ntlm-net-ntlmv2-oh-my-a9b235c58ed4)
* **Tools**
* [Rainbow Crackalack v1.2](https://github.com/jtesta/rainbowcrackalack)
* This project produces open-source code to generate rainbow tables as well as use them to look up password hashes. While the current release only supports NTLM, future releases may support MD5, SHA-1, SHA-256, and possibly more. Both Linux and Windows are supported!
* [Homepage](https://www.rainbowcrackalack.com/)
* [ntlmv1-multi](https://github.com/evilmog/ntlmv1-multi)
* This tool modifies NTLMv1/NTLMv1-ESS/MSCHAPv2 hashes so they can be cracked with DES Mode 14000 in hashcat
* **App Specific Tools(as in single application focus)**<a name="appt"></a>
* [crackxls2003 0.4](https://github.com/GavinSmith0123/crackxls2003)
* This program may be used to break the encryption on Microsoft Excel and Microsoft Word file which have been encrypted using the RC4 method, which uses a 40-bit-long key. This was the default encryption method in Word and Excel 97/2000/2002/2003. This program will not work on files encrypted using Word or Excel 2007 or later, or for versions 95 or earlier. It will not work if a file was encrypted with a non-default method. Additionally, documents created with the Windows system locale set to France may use a different encryption method.
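Review bot: the `Cracking NTLMv1 \w ESS/SSP - crack.sh` entry in this hunk has a malformed link: the URL sits after an empty `()`, so it renders as a dead link followed by raw text; it should read `[Cracking NTLMv1 \w ESS/SSP - crack.sh](https://crack.sh/cracking-ntlmv1-w-ess-ssp/)`. The same hunk also lists the Peter Gombos guide and ntlmv1-multi twice, once directly under **Windows** and again under **Articles/Papers/Talks/Writeups** and **Tools**; keep only the copies under the sub-headings. Minor: "Hashes- Peter Gombos" needs a space before the dash.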
@ -181,6 +194,8 @@ http://www.petefinnigan.com/default/default_password_list.htm
* [Hate_Crack](https://github.com/trustedsec/hate_crack)
* A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
* [Automated Password Cracking: Use oclHashcat To Launch A Fingerprint Attack](https://www.question-defense.com/2010/08/15/automated-password-cracking-use-oclhashcat-to-launch-a-fingerprint-attack)
* [HAT - Hashcat Automation Tool](https://github.com/sp00ks-git/hat)
* An automated Hashcat tool for common wordlists and rules to speed up the process of cracking hashes during engagements. HAT is simply a wrapper for Hashcat (with a few extra features) - https://hashcat.net, however I take no credit for that superb tool.
* **Hashcat Attacks**
* [Mask atttack](http://hashcat.net/wiki/doku.php?id=mask_attack)
* Try all combinations from a given keyspace just like in Brute-Force attack, but more specific.
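Review bot: "Mask atttack" on the `hashcat.net/wiki` line at the end of this hunk is a typo for "Mask attack"; worth fixing while this region is being edited.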
@ -205,12 +220,19 @@ http://www.petefinnigan.com/default/default_password_list.htm
* [OCLHashcat Hash Examples + hash code](https://hashcat.net/wiki/doku.php?id=example_hashes)
* **Hashcat Related Stuff**
* [Password Analysis To Hashcat (PATH) script](https://tickorone.wordpress.com/2012/06/02/password-analysis-to-hashcat-path-script/)
* [nsa-rules](https://github.com/NSAKEY/nsa-rules)
* Password cracking rules and masks for hashcat that I generated from cracked passwords.
* **Hashcat-related Tools**
* [Hashtopolis](https://github.com/s3inlc/hashtopolis)
* Hashtopolis is a multi-platform client-server tool for distributing hashcat tasks to multiple computers. The main goals for Hashtopolis's development are portability, robustness, multi-user support, and multiple groups management.
* [CrackerJack](https://github.com/ctxis/crackerjack)
* Web Interface for Hashcat by Context Information Security
* [Cracklord](https://github.com/jmmcatee/cracklord)
* CrackLord is a system designed to provide a scalable, pluggable, and distributed system for both password cracking as well as any other jobs needing lots of computing resources. Better said, CrackLord is a way to load balance the resources, such as CPU, GPU, Network, etc. from multiple hardware systems into a single queueing service across two primary services: the Resource and Queue. It won't make these tasks faster, but it will make it easier to manage them.
* **Tools** <a name="generalt"></a>
* [Patator](https://github.com/lanjelot/patator)
* Patator was written out of frustration from using Hydra, Medusa, Ncrack, Metasploit modules and Nmap NSE scripts for password guessing attacks. I opted for a different approach in order to not create yet another brute-forcing tool and avoid repeating the same shortcomings. Patator is a multi-threaded tool written in Python, that strives to be more reliable and flexible than his fellow predecessors.
* [Firefox password cracker](https://github.com/pradeep1288/ffpasscracker)
* [Cracklord](https://github.com/jmmcatee/cracklord)
* CrackLord is a system designed to provide a scalable, pluggable, and distributed system for both password cracking as well as any other jobs needing lots of computing resources. Better said, CrackLord is a way to load balance the resources, such as CPU, GPU, Network, etc. from multiple hardware systems into a single queueing service across two primary services: the Resource and Queue. It won't make these tasks faster, but it will make it easier to manage them.
* [Dagon](https://github.com/Ekultek/Dagon)
* Named after the prince of Hell, Dagon (day-gone) is an advanced hash cracking and manipulation system, capable of bruteforcing multiple hash types, creating bruteforce dictionaries, automatic hashing algorithm verification, random salt generation from Unicode to ASCII, and much more.
* [Gladius](https://github.com/praetorian-inc/gladius)
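Review bot: Cracklord appears twice in this hunk with the identical description, under **Hashcat-related Tools** and again under **Tools**; drop one copy. Its own description ("password cracking as well as any other jobs needing lots of computing resources") is not hashcat-specific, so the **Tools** entry is the better home.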
@ -227,6 +249,12 @@ http://www.petefinnigan.com/default/default_password_list.htm
* This repository contains code for the [PassGAN: A Deep Learning Approach for Password Guessing paper](https://arxiv.org/abs/1709.00440). The model from PassGAN is taken from [Improved Training of Wasserstein GANs](https://arxiv.org/abs/1704.00028) and it is assumed that the authors of PassGAN used the [improved_wgan_training tensorflow](https://github.com/igul222/improved_wgan_training) implementation in their work. For this reason, I have modified that reference implementation in this repository to make it easy to train (train.py) and sample (sample.py) from.
* [Mnemonic Password Formulas](http://uninformed.org/?v=all&a=33&t=sumry)
* The current information technology landscape is cluttered with a large number of information systems that each have their own individual authentication schemes. Even with single sign-on and multi-system authentication methods, systems within disparate management domains are likely to be utilized by users of various levels of involvement within the landscape as a whole. Due to this complexity and the abundance of authentication requirements, many users are required to manage numerous credentials across various systems. This has given rise to many different insecurities relating to the selection and management of passwords. This paper details a subset of issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and finally introduces a new method for password management and recalls termed Mnemonic Password Formulas.
* **ZIP Archives**
* [Cracking ZIP files with fcrackzip - Allan Feid(2009)](https://allanfeid.com/content/cracking-zip-files-fcrackzip)
* [fcrackzip](https://github.com/hyc/fcrackzip)
* A braindead program for cracking encrypted ZIP archives. Forked from http://oldhome.schmorp.de/marc/fcrackzip.html
* [PDFCrack](http://pdfcrack.sourceforge.net/)
* PDFCrack is a GNU/Linux (other POSIX-compatible systems should work too) tool for recovering passwords and content from PDF-files. It is small, command line driven without external dependencies. The application is Open Source (GPL).
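Review bot: PDFCrack, the last entry in this hunk, is filed under the new **ZIP Archives** heading but it recovers passwords from PDF files; give it its own heading or move it out of the ZIP group. Also, the fcrackzip description carries a bare URL (`http://oldhome.schmorp.de/marc/fcrackzip.html`) rather than a markdown link, unlike the rest of the list.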


+ 676
- 225
Draft/Phishing.md
File diff suppressed because it is too large


+ 329
- 342
Draft/PrivescPostEx.md

@ -101,7 +101,6 @@
------------------------------------------------------------------------------------------------------------------------
## <a name="privesc"></a>Privilege Escalation
@ -359,10 +358,6 @@