
Adds.

pull/8/head
root 5 years ago
commit 721e06fe3a
34 changed files with 1694 additions and 557 deletions
1. Draft/ATT&CK-Stuff/Windows/Windows_Persistence.md (+5, -1)
2. Draft/AnonOpsecPrivacy.md (+6, -7)
3. Draft/BIOS UEFI Attacks Defenses.md (+36, -13)
4. Draft/CTFs_Wargames.md (+3, -0)
5. Draft/Cryptography & Encryption.md (+36, -7)
6. Draft/Data AnalysisVisualization.md (+2, -0)
7. Draft/Defense.md (+25, -1)
8. Draft/Embedded Device & Hardware Hacking -.md (+19, -3)
9. Draft/Exfiltration.md (+21, -0)
10. Draft/Exploit Development.md (+77, -17)
11. Draft/Forensics Incident Response.md (+12, -0)
12. Draft/Fuzzing Bug Hunting.md (+2, -1)
13. Draft/Honeypots.md (+1, -0)
14. Draft/Interesting Things Useful stuff.md (+11, -1)
15. Draft/Malware.md (+14, -21)
16. Draft/Network Attacks & Defenses.md (+67, -8)
17. Draft/Network Security Monitoring & Logging.md (+4, -0)
18. Draft/Open Source Intelligence.md (+8, -6)
19. Draft/Password Bruting and Hashcracking.md (+8, -0)
20. Draft/Phishing.md (+6, -0)
21. Draft/Phyiscal Security.md (+52, -19)
22. Draft/Policy-Compliance.md (+3, -1)
23. Draft/Port_List.md (+8, -0)
24. Draft/Privilege Escalation & Post-Exploitation.md (+77, -19)
25. Draft/Programming - Languages Libs Courses References.md (+43, -0)
26. Draft/Red-Teaming.md (+102, -32)
27. Draft/Reverse Engineering.md (+204, -138)
28. Draft/SCADA.md (+66, -4)
29. Draft/Social Engineering.md (+4, -5)
30. Draft/System Internals Windows and Linux Internals Reference.md (+93, -45)
31. Draft/Threat Modeling.md (+1, -0)
32. Draft/Web & Browsers.md (+196, -94)
33. Draft/Wireless Networks & RF.md (+9, -11)
34. Draft/things-added.md (+473, -103)

Draft/ATT&CK-Stuff/Windows/Windows_Persistence.md (+5, -1)

@ -1,5 +1,8 @@
# Windows Persistence
### Sort
[Hide files using SSDT hooking](http://blog.sevagas.com/?Hide-files-using-SSDT-hooking)
-------------------------------
### Accessibility Features
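Review bot: the new "Hide files using SSDT hooking" entry under "### Sort" has no description bullet, unlike the other entries in this file; add a one-liner so it can be triaged later. Worth saying in that line that SSDT hooking is a kernel-mode rootkit technique for hiding artifacts (it needs code already running in the kernel, and the SSDT is one of the structures Kernel Patch Protection guards on x64), so it belongs next to persistence as a concealment aid rather than as a persistence mechanism itself.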
@ -104,7 +107,8 @@
[Userland Persistence with Scheduled Tasks and COM Handler Hijacking](https://enigma0x3.net/2016/05/25/userland-persistence-with-scheduled-tasks-and-com-handler-hijacking/)
[Windows Operating System Archaeology](https://www.slideshare.net/enigma0x3/windows-operating-system-archaeology)
* Given at BSides Nashville 2017. The modern Windows Operating System carries with it an incredible amount of legacy code. The Component Object Model (COM) has left a lasting impact on Windows. This technology is far from dead as it continues to be the foundation for many aspects of the Windows Operating System. You can find hundreds of COM Classes defined by CLSID (COM Class Identifiers). Do you know what they do? This talk seeks to expose tactics long forgotten by the modern defender. We seek to bring to light artifacts in the Windows OS that can be used for persistence. We will present novel tactics for persistence using only the registry and COM objects.
-------------------------------


Draft/AnonOpsecPrivacy.md (+6, -7)

@ -61,11 +61,11 @@
### <a name="Articles">Articles</a>
| Title | Link
| -------- | --------- |
| De-anonymizing facebook users through CSP | http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis
| Anonymous’s Guide to OpSec | http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf
| Cat Videos and the Death of Clear Text | https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/
[De-anonymizing facebook users through CSP](http://www.myseosolution.de/deanonymizing-facebook-users-by-csp-bruteforcing/#inhaltsverzeichnis)
[Anonymous’s Guide to OpSec](http://www.covert.io/research-papers/security/Anonymous%20Hacking%20Group%20--%20OpNewblood-Super-Secret-Security-Handbook.pdf)
[Cat Videos and the Death of Clear Text](https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/)
[How to Spot a SpoCTok](https://cryptome.org/dirty-work/spot-spook.htm)
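Review bot: the link text "How to Spot a SpoCTok" on the last added line looks like a typo for "Spook" (the URL is spot-spook.htm). Converting the old table rows to plain markdown links is an improvement in itself, since the removed header row "| Title | Link" was missing its closing pipe and would not have rendered as a table.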
@ -160,8 +160,7 @@
* [Part 2](https://www.youtube.com/watch?v=TQ2bk9kMneI)
* [Article - How Tor Users Got Caught by Government Agencies](http://se.azinstall.net/2015/11/how-tor-users-got-caught.html)
[You Are Being Tracked: How License Plate Readers Are Being Used to Record Americans' Movements - ACLU](https://www.aclu.org/other/you-are-being-tracked-how-license-plate-readers-are-being-used-record-americans-movements?redirect=technology-and-liberty/you-are-being-tracked-how-license-plate-readers-are-being-used-record)


Draft/BIOS UEFI Attacks Defenses.md (+36, -13)

@ -23,38 +23,41 @@ http://www.stoned-vienna.com/
#### End Sort
-----------------
### <a name="general">General</a>
[Timeline of Low level software and hardware attack papers](http://timeglider.com/timeline/5ca2daa6078caaf4)
----------------
### What is This Stuff?
[Official UEFI Site - Specs](http://www.uefi.org/specsandtesttools)
[UEFI - OSDev Wiki](http://wiki.osdev.org/UEFI)
[Technical Overview of Windows UEFI Startup Process](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
[Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
[Understanding AMT, UEFI BIOS and Secure boot relationships](https://communities.intel.com/community/itpeernetwork/vproexpert/blog/2013/08/11/understanding-amt-uefi-bios-and-secure-boot-relationships)
[Windows UEFI startup – A technical overview](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.
[Introduction to UEFI](http://x86asm.net/articles/introduction-to-uefi/)
[Extensible Firmware Interface (EFI) and Unified EFI (UEFI)](http://www.intel.com/content/www/us/en/architecture-and-technology/unified-extensible-firmware-interface/efi-homepage-general-technology.html)
[What is Intel Mangement Engine?](http://me.bios.io/ME:About)
[Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
[Introduction to UEFI](http://x86asm.net/articles/introduction-to-uefi/)
[UEFI Programming - First Steps](http://x86asm.net/articles/uefi-programming-first-steps/)
-----------------
### <a name="general">General</a>
[Dr Sergei Skorobogatov - Researcher in hardware based attacks, good stuff](https://www.cl.cam.ac.uk/~sps32/)
[Timeline of Low level software and hardware attack papers](http://timeglider.com/timeline/5ca2daa6078caaf4)
[UEFI Programming - First Steps](http://x86asm.net/articles/uefi-programming-first-steps/)
[Technical Overview of Windows UEFI Startup Process](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
[Windows UEFI startup – A technical overview](http://news.saferbytes.it/analisi/2013/10/windows-uefi-startup-a-technical-overview/)
* Through this analysis paper we’ll give a look at Windows 8 (and 8.1) UEFI startup mechanisms and we’ll try to understand their relationship with the underlying hardware platform.
[Intel ME (Manageability engine) Huffman algorithm](http://io.smashthestack.org/me/)
[LEGBACORE Research/Publicatoins](http://www.legbacore.com/Research.html)
[What is Intel Mangement Engine?](http://me.bios.io/ME:About)
[Dr Sergei Skorobogatov - Researcher in hardware based attacks, good stuff](https://www.cl.cam.ac.uk/~sps32/)
[Disabling Intel ME 11 via undocumented mode - ptsecurity](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)
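Review bot: two differently titled entries point at the same URL, "Technical Overview of Windows UEFI Startup Process" and "Windows UEFI startup – A technical overview" (both news.saferbytes.it/.../windows-uefi-startup-a-technical-overview/), and they appear in this hunk both under "What is This Stuff?" and under "General"; make sure only one copy survives. The same applies to the repeated "Extensible Firmware Interface (EFI) and Unified EFI (UEFI)" and "Introduction to UEFI" lines. While here, fix "Mangement" and "Publicatoins" in the link text.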
@ -124,6 +127,26 @@ Reverse Engineering Router Firmware walk through
----------------------
### Programming
[UEFI Programming - First Steps](http://x86asm.net/articles/uefi-programming-first-steps/)
[UEFI Programming - First Steps](http://x86asm.net/articles/uefi-programming-first-steps/)
-----------------
### Talks & Presentations
| Title | Link |
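Review bot: "UEFI Programming - First Steps" appears on two consecutive lines under "### Programming"; if both are additions, drop one. The same link is also listed under "General" in the hunk above, so pick one home for it.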


Draft/CTFs_Wargames.md (+3, -0)

@ -138,4 +138,7 @@ Wechall
### Tools handy for CTFs
[pngcheck](http://www.libpng.org/pub/png/apps/pngcheck.html)
* pngcheck verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs [checksums] and decompressing the image data); it can optionally dump almost all of the chunk-level information in the image in human-readable form. For example, it can be used to print the basic statistics about an image (dimensions, bit depth, etc.); to list the color and transparency info in its palette (assuming it has one); or to extract the embedded text annotations. This is a command-line program with batch capabilities.

Draft/Cryptography & Encryption.md (+36, -7)

@ -19,19 +19,19 @@
https://conversations.im/xeps/multi-end.html
### End Cull
### <a name="general">General Information</a>
[Quick'n easy gpg cheatsheet](http://irtfweb.ifa.hawaii.edu/%7Elockhart/gpg/)
[Website detailing various crypto laws around world](http://www.cryptolaw.org/)
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[Snake Oil Crypto Competition](https://snakeoil.cr.yp.to/)
[XOR Bitwise Operations Explained - Khan Academy](https://www.khanacademy.org/computing/computer-science/cryptography/ciphers/a/xor-bitwise-operation)
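Review bot: "Primer on Zero-Knowledge Proofs" and "Snake Oil Crypto Competition" appear in this hunk and again in the hunks below (-39,12 and -57,7); if the intent is to move them further down, confirm the copies here are the removed ones so the file does not end up with duplicates.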
@ -39,12 +39,14 @@ https://conversations.im/xeps/multi-end.html
[Differential Cryptanalysis for Dummies - Jon King](https://www.youtube.com/watch?v=xav-GUO_o4s&feature=youtu.be)
[Snake Oil Crypto Competition](https://snakeoil.cr.yp.to/)
[Lifetimes of cryptographic hash functions](http://valerieaurora.org/hash.html)
[Top 10 Developer Crypto Mistakes](https://littlemaninmyhead.wordpress.com/2017/04/22/top-10-developer-crypto-mistakes/amp/)
[SSL/TLS and PKI History ](https://www.feistyduck.com/ssl-tls-and-pki-history/)
* A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić.
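Review bot: the link text "SSL/TLS and PKI History " on the added line carries a trailing space inside the brackets; trim it so the rendered link matches the other entries.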
@ -57,7 +59,9 @@ https://conversations.im/xeps/multi-end.html
[A Graduate Course in Applied Cryptography - Dan Boneh and Victor Shoup](http://toc.cryptobook.us/)
* Version 0.3 - posted Dec. 9, 2016
[Primer on Zero-Knowledge Proofs](http://blog.cryptographyengineering.com/2014/11/zero-knowledge-proofs-illustrated-primer.html?m=1)
[Hyper-encryption - Wikipedia](https://en.wikipedia.org/wiki/Hyper-encryption)
@ -78,6 +82,9 @@ https://conversations.im/xeps/multi-end.html
[A Formal Security Analysis of the Signal Messaging Protocol - Oct2016](https://eprint.iacr.org/2016/1013.pdf)
[Automated Padding Oracle Attacks with PadBuster](https://blog.gdssecurity.com/labs/2010/9/14/automated-padding-oracle-attacks-with-padbuster.html)
[PadBuster v0.3 and the .NET Padding Oracle Attack](https://blog.gdssecurity.com/labs/2010/10/4/padbuster-v03-and-the-net-padding-oracle-attack.html)
@ -181,6 +188,18 @@ https://conversations.im/xeps/multi-end.html
* Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed entitled SteganRTP is included in the reference materials.
### Talks
[Hunting For Vulnerabilities In Signal - Markus Vervier - HITB 2017 AMS](https://www.youtube.com/watch?v=2n9HmllVftA)
* Signal is the most trusted secure messaging and secure voice application, recommended by Edward Snowden and the Grugq. And indeed Signal uses strong cryptography, relies on a solid system architecture, and you’ve never heard of any vulnerability in its code base. That’s what this talk is about: hunting for vulnerabilities in Signal. We will present vulnerabilities found in the Signal Android client, in the underlying Java libsignal library, and in example usage of the C libsignal library. Our demos will show how these can be used to crash Signal remotely, to bypass the MAC authentication for certain attached files, and to trigger memory corruption bugs. Combined with vulnerabilities in the Android system it is even possible to remotely brick certain Android devices. We will demonstrate how to initiate a permanent boot loop via a single Signal message. We will also describe the general architecture of Signal, its attack surface, the tools you can use to analyze it, and the general threat model for secure mobile communication apps.
### <a name="tools">Tools</a>
@ -209,11 +228,21 @@ https://conversations.im/xeps/multi-end.html
[HiVE — Hidden Volume Encryption](http://hive.ccs.neu.edu/#four)
sheep-wolf](https://github.com/silentsignal/sheep-wolf/)
* Some security tools still stick to MD5 when identifying malware samples years after practical collisions were shown against the algorithm. This can be exploited by first showing these tools a harmless sample (Sheep) and then a malicious one (Wolf) that have the same MD5 hash. Please use this code to test if the security products in your reach use MD5 internally to fingerprint binaries and share your results by issuing a pull request updating the contents of results/!
[pypadbuster](https://github.com/escbar/pypadbuster)
* A Python version of PadBuster.pl by Gotham Digital Security (GDSSecurity on Github)
[padex](https://github.com/szdavid92/padex)
* The goal of this challenge is to find a flag contained in an encrypted message. A decryption oracle and the encrypted message is provided. The student should write an application that cracks the cyphertext by abusing the oracle which is vulnerable to the padding attack.
### <a name="">Books</a>:
Cryptography Engineering
Applied Cryptography
Books:
* Cryptography Engineering
* Applied Cryptography
### Crypto Libraries/Protocols
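Review bot: the "sheep-wolf](https://github.com/silentsignal/sheep-wolf/)" line is missing its opening "[" and will not render as a link. The Books section also appears twice in this hunk, once as "### <a name="">Books</a>:" (empty anchor name) followed by bare titles and once as "Books:" with bullets; keep one form, and if the heading is retained give its anchor a name so in-page links can target it.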


Draft/Data AnalysisVisualization.md (+2, -0)

@ -48,6 +48,8 @@ http://www.pentaho.com/
Applied Security Visualization: http://www.secviz.org/content/applied-security-visualization
[Scriptorium-LE](https://github.com/imifos/Scriptorium-LE/)
* A Linux machine state enumeration, data visualisation and analysis tool.
#### End Cull


Draft/Defense.md (+25, -1)

@ -29,6 +29,8 @@
http://www.scriptjunkie.us/2013/06/fixing-pass-the-hash-and-other-problems/
[Analyzing Malicious Documents Cheat Sheet](https://zeltser.com/analyzing-malicious-documents/)
https://www.dsinternals.com/en/
[Monit](https://mmonit.com/monit/)
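Review bot: "https://www.dsinternals.com/en/" is added as a bare URL with no title or description, unlike the neighbouring entries; give it a title and a one-line summary of what the site covers.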
@ -108,6 +110,12 @@ http://www.leeholmes.com/blog/2016/10/22/more-detecting-obfuscated-powershell/
The Hitchhiker's Guide to SQL Injection prevention - https://phpdelusions.net/sql_injection
[Amazon S3 Bucket Public Access Considerations](https://aws.amazon.com/articles/5050)
[Filenames and Pathnames in Shell: How to do it Correctly](https://www.dwheeler.com/essays/filenames-in-shell.html)
[Threats and Countermeasures Guide: Security Settings in Windows Server 2008 R2 and Windows 7 - technet](https://technet.microsoft.com/en-us/library/hh125921.aspx)
[Securi-Tay 2017 - Advanced Attack Detection](https://www.youtube.com/watch?v=ihElrBBJQo8)
*
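Review bot: the "Securi-Tay 2017 - Advanced Attack Detection" entry ends with an empty "*" bullet; either fill in a one-line description of the talk or drop the bullet.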
@ -117,6 +125,7 @@ The Hitchhiker's Guide to SQL Injection prevention - https://phpdelusions.net/sq
[Securing Windows Workstations: Developing a Secure Baseline](https://adsecurity.org/?p=3299)
[PowerShell Security at Enterprise Customers - msdn](https://blogs.msdn.microsoft.com/daviddasneves/2017/05/25/powershell-security-at-enterprise-customers/)
[Assimilator](https://github.com/videlanicolas/assimilator)
* Automatic firewall rule orchestator.
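Review bot: "orchestator" in the Assimilator description should be "orchestrator".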
@ -149,18 +158,33 @@ The Hitchhiker's Guide to SQL Injection prevention - https://phpdelusions.net/sq
* Explore all the tasks (processes) running on your Mac with TaskExplorer.
[Password Policy - technet](https://technet.microsoft.com/en-us/library/hh994572.aspx)
[Account lockout threshold - technet](https://technet.microsoft.com/en-us/library/hh994574.aspx)
[Guide to Application Whitelisting - NIST Special Publication 800 - 167](http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-167.pdf)
[Script Rules in AppLocker - technet](https://technet.microsoft.com/en-us/library/ee460958.aspx)
[DLL Rules in AppLocker](https://technet.microsoft.com/en-us/library/ee460947.aspx)
[Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997)
* [Microsoft Security Advisory: Update to improve credentials protection and management: May 13, 2014](https://support.microsoft.com/en-us/help/2871997/microsoft-security-advisory-update-to-improve-credentials-protection-a)
[Windows Defender Device Guard deployment guide - docs ms](https://docs.microsoft.com/en-us/windows/device-security/device-guard/device-guard-deployment-guide)
### Active Directory
### Active Directory
### OS X
[netman](https://github.com/iadgov/netman)
* A userland network manager with monitoring and limiting capabilities for macOS.
[netfil](https://github.com/iadgov/netfil)
* A kernel network manager with monitoring and limiting capabilities for macOS.
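Review bot: "### Active Directory" appears twice in a row with nothing under either heading; delete the duplicate and either populate the section or remove it. The AppLocker script/DLL rule pages, the NIST SP 800-167 whitelisting guide and the Device Guard deployment guide added above are all application-control references and would read better grouped under their own subheading than interleaved with the password-policy and advisory entries.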

Draft/Embedded Device & Hardware Hacking -.md (+19, -3)

@ -16,6 +16,7 @@ https://en.wikipedia.org/wiki/Embedded_system
* [General Tools(S/W & H/W)](#gentools)
* [Miscellaneous](#misc)
* [PCI](#PCI)
* [Printers](#printers)
* [USB](#USB)
* [PenTest Dropboxes](#dropbox)
* [Teensy/Rubberducky Style Attack Tools](#teensy)
@ -40,6 +41,12 @@ http://greatscottgadgets.com/infiltrate2013/
[SPI](https://trmm.net/SPI_flash)
[umap](https://github.com/nccgroup/umap)
* The USB host security assessment tool
#### end sort
@ -60,9 +67,6 @@ http://greatscottgadgets.com/infiltrate2013/
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
[Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
---------------------------
### General Writeups/Articles
@ -130,6 +134,7 @@ http://greatscottgadgets.com/infiltrate2013/
---------------------------
### <a name="routers">Attacking Routers</a>
@ -294,6 +299,17 @@ http://greatscottgadgets.com/infiltrate2013/
----------------------
### Printers
[Hacking Printers Wiki](http://hacking-printers.net/wiki/index.php/Main_Page)
[Attacking *multifunction* printers and getting creds from them](http://www.irongeek.com/i.php?page=videos/bsidescleveland2014/plunder-pillage-and-print-the-art-of-leverage-multifunction-printers-during-penetration-testing-deral-heiland)
[PRET](https://github.com/RUB-NDS/PRET)
* PRET is a new tool for printer security testing developed in the scope of a Master's Thesis at Ruhr University Bochum. It connects to a device via network or USB and exploits the features of a given printer language. Currently PostScript, PJL and PCL are supported which are spoken by most laser printers. This allows cool stuff like capturing or manipulating print jobs, accessing the printer's file system and memory or even causing physical damage to the device. All attacks are documented in detail in the Hacking Printers Wiki.
---------------------------
### <a name="USB">USB</a>
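Review bot: the asterisks in the link text "Attacking *multifunction* printers ..." will render as italics inside the link, which is probably unintended; drop them. "Hacking Printers Wiki" here is the same link that disappears from the general list in the -60,9 hunk above, so that reads as a move rather than a duplicate.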


Draft/Exfiltration.md (+21, -0)

@ -11,6 +11,8 @@
##### Cull
##### End cull
### <a name="general">General</a>
@ -59,7 +61,11 @@
[Inter VM Data Exfiltration: The Art of Cache Timing Covert Channel on x86 Multi-Core - Etienne Martineau](https://www.youtube.com/watch?v=SGqUGHh3UZM)
* On x86 multi-core covert channels between co-located Virtual Machine (VM) are real and practical thanks to the architecture that has many imperfections in the way shared resources are isolated. This talk will demonstrate how a non-privileged application from one VM can ex-filtrate data or even establish a reverse shell into a co-located VM using a cache timing covert channel that is totally hidden from the standard access control mechanisms while being able to offer surprisingly high bps at a low error rate. In this talk you’ll learn about the various concepts, techniques and challenges involve in the design of a cache timing covert channel on x86 multi-core such as: X86 shared resources and fundamental concept behind cache line encoding / decoding. Getting around the hardware pre-fetching logic ( without disabling it from the BIOS! ) Abusing the X86 ‘clflush’ instruction. Bi-directional handshake for free! Data persistency and noise. What can be done? Guest to host page table de-obfuscation. The easy way, the VM’s vendors defense and another way to get around it. Phase Lock Loop and high precision inter-VM synchronization. All about timers. At the end of this talk we will go over a working VM to VM reverse shell example as well as some surprising bandwidth measurement results. We will also cover the detection aspect and the potential countermeasure to defeat such a communication channel.
[Bridging the Air Gap Data Exfiltration from Air Gap Networks - DS15](https://www.youtube.com/watch?v=bThJEX4l_Ks)
[Covert Timing Channels Based on HTTP Cache Headers](https://www.youtube.com/watch?v=DOAG3mtz7H4)
[In Plain Sight: The Perfect Exfiltration Technique - Itzik Kotler and Amit Klein - HITB16](https://www.youtube.com/watch?v=T6PscV43C0w)
@ -98,6 +104,21 @@
[Stunnel](https://www.stunnel.org/index.html)
* [Stunnel TLS Proxy](https://www.stunnel.org/static/stunnel.html)
[dnsftp](https://github.com/breenmachine/dnsftp)
* Client/Server scripts to transfer files over DNS. Client scripts are small and only use native tools on the host OS.
[tcpovericmp](https://github.com/Maksadbek/tcpovericmp)
* TCP implementation over ICMP protocol to bypass firewalls
[icmptunnel](https://github.com/DhavalKapil/icmptunnel)
* Transparently tunnel your IP traffic through ICMP echo and reply packets.
[Outgoing port tester - http://letmeoutofyour.net/](http://letmeoutofyour.net/)
[Outgoing port tester - portquiz.net](http://portquiz.net/)
* This server listens on all TCP ports, allowing you to test any outbound TCP port.
### Papers
[Self-Exfiltration: The Dangers of Browser-Enforced Information Flow Control](http://ericchen.me/self_exfiltration.pdf)


Draft/Exploit Development.md (+77, -17)

@ -73,14 +73,7 @@ Talks
[MSRC-Security-Research Github](https://github.com/Microsoft/MSRC-Security-Research/tree/master/presentations)
[PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3](http://uninformed.org/?v=all&a=38&t=sumry)
* Since the publication of previous bypass or circumvention techniques for Kernel Patch Protection (otherwise known as "PatchGuard"), Microsoft has continued to refine their patch protection system in an attempt to foil known bypass mechanisms. With the release of Windows Server 2008 Beta 3, and later a full-blown distribution of PatchGuard to Windows Vista and Windows Server 2003 via Windows Update, Microsoft has introduced the next generation of PatchGuard to the general public ("PatchGuard 3"). As with previous updates to PatchGuard, version three represents a set of incremental changes that are designed to address perceived weaknesses and known bypass vectors in earlier versions. Additionally, PatchGuard 3 expands the set of kernel variables that are protected from unauthorized modification, eliminating several mechanisms that might be used to circumvent PatchGuard while co-existing (as opposed to disabling) it. This article describes some of the changes that have been made in PatchGuard 3. This article also proposes several new techniques that can be used to circumvent PatchGuard's defenses. Countermeasures for these techniques are also discussed.
[Subverting PatchGuard Version 2](http://uninformed.org/?v=all&a=28&t=sumry)
* Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables (as well as kernel code) are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely. Potential solutions to these bypass techniques are also suggested. Additionally, this paper describes a mechanism by which PatchGuard version 2 can be subverted to run custom code in place of PatchGuard's system integrity checking code, all while leaving no traces of any kernel patching or custom kernel drivers loaded in the system after PatchGuard has been subverted. This is particularly interesting from the perspective of using PatchGuard's defenses to hide kernel mode code, a goal that is (in many respects) completely contrary to what PatchGuard is designed to do.
[Bypassing PatchGuard on Windows x64](http://uninformed.org/?v=all&a=14&t=sumry)
* The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
[shadow :: De Mysteriis Dom jemalloc](https://github.com/CENSUS/shadow)
* shadow is a jemalloc heap exploitation framework. It has been designed to be agnostic of the target application that uses jemalloc as its heap allocator (be it Android's libc, Firefox, FreeBSD's libc, standalone jemalloc, or whatever else). The current version (2.0) has been tested extensively with the following targets: Android 6 and 7 libc (ARM32 and ARM64); Firefox (x86 and x86-64) on Windows and Linux;
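Review bot: the hunk header (-73,14 +73,7) records seven deletions, which line up with the three uninformed.org PatchGuard papers and their description bullets ("PatchGuard Reloaded", "Subverting PatchGuard Version 2", "Bypassing PatchGuard on Windows x64"); if they are being moved to another file (the System Internals reference, for instance) rather than dropped, say so in the commit message, since "Adds." does not cover removals.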
@ -91,7 +84,23 @@ Talks
[BISC: Borrowed Instructions Synthetic Computation](https://github.com/trailofbits/bisc)
* BISC is a Ruby library for demonstrating how to build borrowed-instruction programs. BISC aims to be simple, analogous to a traditional assembler, minimize behind-the-scenes magic, and let users write simple macros. BISC was developed by Dino Dai Zovi for Practical Return-oriented Programming at Blackhat USA 2010 and was used for the Assured Exploitation `ng course.
[Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
[Offset-DB](http://offset-db.com/)
* This website provide you a list of useful offset that you can use for your exploit.
[Write your first driver - docs ms](https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/writing-your-first-driver)
[nt!_SEP_TOKEN_PRIVILEGES - Single Write EoP Protect - Kyriakos 'kyREcon' Economou](http://anti-reversing.com/Downloads/Sec_Research/ntoskrnl_v10.0.15063_nt!_SEP_TOKEN_PRIVILEGES-Single_Write_EoP_Protect.pdf)
* TL;DR: Abusing enabled token privileges through a kernel exploit to gain EoP it won't be enough anymore as from NT kernel version 10.0.15063 are 'checked' against the privileges present in the token of the calling process. So you will need two writes
[Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel PoolSharks in the Pool :: Mixed Object Exploitation in the Windows Kernel Pool](http://srcincite.io/blog/2017/09/06/sharks-in-the-pool-mixed-object-exploitation-in-the-windows-kernel-pool.html)
[Analysing the NULL SecurityDescriptor kernel exploitation mitigation in the latest Windows 10 v1607 Build 14393](https://labs.nettitude.com/blog/analysing-the-null-securitydescriptor-kernel-exploitation-mitigation-in-the-latest-windows-10-v1607-build-14393/)
[Example of a DLL Hijack Exploit - Winamp 5.581](https://www.exploit-db.com/exploits/14789/)
#### End Sort
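Review bot: the link text for the srcincite.io post repeats its title ("Sharks in the Pool :: Mixed Object Exploitation in the Windows Kernel PoolSharks in the Pool :: ..."); trim it to a single copy. "This website provide you a list of useful offset" in the Offset-DB blurb should read "provides you a list of useful offsets".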
@ -125,6 +134,11 @@ Talks
[Compromise-as-a-Service: Our PleAZURE.](https://www.troopers.de/events/troopers14/49_compromise-as-a-service_our_pleazure/)
* This could be a comprehensive introduction about the ubiquity of virtualization, the essential role of the hypervisor, and how the security posture of the overall environment depends on it. However, we decided otherwise, as this is what everybody is interested in: We will describe the Hyper-V architecture in detail, provide a taxonomy of hypervisor exploits, and demonstrate how we found MS13-092 which had the potential to compromise the whole Azure environment. Live demo included!
[Cisco ASA Episode 3: A Journey In Analysing Heaps by Cedric Halbronn - BSides Manchester2017](https://www.youtube.com/watch?v=ADYdToi6Wn0&index=21&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
-------------
@ -192,6 +206,10 @@ Talks
[BinTut](https://github.com/NoviceLive/bintut)
* Dynamic or live demonstration of classical exploitation techniques of typical memory corruption vulnerabilities, from debugging to payload generation and exploitation, for educational purposes
[ROP Emporium](https://ropemporium.com/)
* Learn return-oriented programming through a series of challenges designed to teach ROP techniques in isolation, with minimal reverse-engineering and bug-hunting.
[Pwnables.kr](https://pwnable.kr)
@ -430,7 +448,8 @@ Other:
[ShellSploit](https://github.com/b3mb4m/shellsploit-framework)
[shellnoob](https://github.com/reyammer/shellnoob)
* A shellcode writing toolkit
# Finding Opcodes:
Methods of finding opcodes:
@ -460,6 +479,8 @@ Methods of finding opcodes:
[Shellcode without Sockets](https://0x00sec.org/t/remote-exploit-shellcode-without-sockets/1440)
[Shellcodes database for study cases](http://shell-storm.org/shellcode/)
#### Talks & Presentations
[Shellcode Time: Come on Grab Your Friends](http://www.irongeek.com/i.php?page=videos/derbycon4/t116-shellcode-time-come-on-grab-your-friends-wartortell)
* Packed shellcode is a common deterrent against reverse engineering. Mainstream software will use it in order to protect intellectual property or prevent software cracking. Malicious binaries and Capture the Flag (CTF) challenges employ packed shellcode to hide their intended functionality. However, creating these binaries is an involved process requiring significant experience with machine language. Due to the complexity of creating packed shellcode, the majority of samples are painstakingly custom-created or encoded with very simple mechanisms, such as a single byte XOR. In order to aid in the creation of packed shellcode and better understand how to reverse engineer it, I created a tool to generate samples of modular packed shellcode. During this talk, I will demonstrate the use of the shellcode creation tool and how to reverse engineer the binaries it creates. I will also demonstrate an automated process for unpacking the binaries that are created.
@ -474,15 +495,30 @@ Methods of finding opcodes:
#### Windows Specific
##### General
[WinAPI for Hackers](https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf)
[History and Advances in Windows Shellcode - Phrack 2004](http://phrack.org/issues/62/7.html)
##### Tools
[sRDI](https://github.com/monoxgas/sRDI)
* Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
[ShellcodeStdio](https://github.com/jackullrich/ShellcodeStdio)
* An extensible framework for easily writing debuggable, compiler optimized, position independent, x86 shellcode for windows platforms.
[History and Advances in Windows Shellcode - Phrack 2004](http://phrack.org/issues/62/7.html)
[WinREPL](https://github.com/zerosum0x0/WinREPL)
* x86 and x64 assembly "read-eval-print loop" shell for Windows
##### Writing it
[Writing Win32 Shellcode with VisualStudio](http://winternl.com/2016/05/02/hello-world/)
* demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler
#### Writeups
Windows Kernel Shellcode on Windows 10
* [Windows Kernel Shellcode on Windows 10 – Part 1](https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-1)
* [Windows Kernel Shellcode on Windows 10 – Part 2](https://improsec.com/blog//windows-kernel-shellcode-on-windows-10-part-2)
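Review bot: `[History and Advances in Windows Shellcode - Phrack 2004]` appears twice in this hunk, once under `##### General` and once under `##### Tools`. If both survive the change, keep only the General copy, since it is a paper rather than a tool. The heading levels are also uneven: `##### Writing it` is a level-5 heading under `#### Windows Specific`, but `#### Writeups` jumps back to level 4, so the Windows Kernel Shellcode on Windows 10 parts that follow no longer sit under Windows Specific in the TOC.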
@ -494,13 +530,11 @@ Introduction to Windows Shellcode Development
* [Introduction to Windows shellcode development – Part 2](https://securitycafe.ro/2015/12/14/introduction-to-windows-shellcode-development-part-2/)
* [Introduction to Windows shellcode development – Part 3](https://securitycafe.ro/2016/02/15/introduction-to-windows-shellcode-development-part-3/)
[Writing Win32 Shellcode with VisualStudio](http://winternl.com/2016/05/02/hello-world/)
* demonstrating how to write optimized (sort of) Win32 shellcode using Visual Studio’s compiler
[Loading and Debugging Windows Kernel Shellcodes with Windbg. Debugging DoublePulsar Shellcode.](https://vallejo.cc/2017/06/23/loading-and-debugging-windows-kernel-shellcodes-with-windbg-debugging-doublepulsar-shellcode/)
[WinAPI for Hackers](https://www.bnxnet.com/wp-content/uploads/2015/01/WinAPIs_for_hackers.pdf)
[sRDI](https://github.com/monoxgas/sRDI)
* Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
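Review bot: `Writing Win32 Shellcode with VisualStudio`, `WinAPI for Hackers` and `sRDI` in this hunk are the same entries that now appear under General/Tools/Writing it in the previous hunk; that reads as a move, but confirm the copies here are the removed side, otherwise each is listed twice. `Loading and Debugging Windows Kernel Shellcodes with Windbg` would fit next to the Windows Kernel Shellcode on Windows 10 parts rather than after the Introduction to Windows Shellcode Development series.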
@ -581,7 +615,9 @@ AVM Fritz!Box root RCE: From Patch to Metasploit Module
#### Tools
[SideStep](https://github.com/codewatchorg/SideStep)
* SideStep is yet another tool to bypass anti-virus software. The tool generates Metasploit payloads encrypted using the CryptoPP library (license included), and uses several other techniques to evade AV.
f
[UniByAv](https://github.com/Mr-Un1k0d3r/UniByAv)
* UniByAv is a simple obfuscator that take raw shellcode and generate executable that are Anti-Virus friendly. The obfuscation routine is purely writtend in assembly to remain pretty short and efficient. In a nutshell the application generate a 32 bits xor key and brute force the key at run time then perform the decryption of the actually shellcode.
#### Writeups
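Review bot: the bare `f` between the SideStep and UniByAv entries is a stray keystroke, not content; remove it (the same `f` shows up as the context line in the two hunk headers that follow, and the malboxes fix in Malware.md removes the same pattern, so a `grep -n '^f' Draft/*.md` is worth running before merge). The UniByAv blurb also has `writtend` and `take raw shellcode and generate executable` where `written` and `takes raw shellcode and generates executables` are meant.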
@ -637,6 +673,8 @@ f
* [Slides, codes and videos of the talk "DEP/ASLR bypass without ROP/JIT" on CanSecWest 2013](https://github.com/tombkeeper/DEP-and-ASLR-bypass-without-ROP-or-JIT)
##### Reference Material
[Understanding DEP as a mitigation Technology](http://blogs.technet.com/b/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx)
[Preventing the Exploitation of SEH Overwrites](http://uninformed.org/?v=all&a=24&t=sumry)
* This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation. While Microsoft has attempted to address this attack vector through changes to the exception dispatcher and through enhanced compiler support, such as with /SAFESEH and /GS, the majority of benefits they offer are limited to image files that have been compiled to make use of the compiler enhancements. This limitation means that without all image files being compiled with these enhancements, it may still be possible to leverage an SEH overwrite to gain code execution. In particular, many third-party applications are still vulnerable to SEH overwrites even on the latest versions of Windows because they have not been recompiled to incorporate these enhancements. To that point, the technique described in this paper does not rely on any compile time support and instead can be applied at runtime to existing applications without any noticeable performance degradation. This technique is also backward compatible with all versions of Windows NT+, thus making it a viable and proactive solution for legacy installations.
@ -644,6 +682,9 @@ f
[Preventing the Exploitation of Structured Exception Handler (SEH) Overwrites with SEHOP](http://blogs.technet.com/b/srd/archive/2009/02/02/preventing-the-exploitation-of-seh-overwrites-with-sehop.aspx)
##### Writeups
[Defeating the Matasano C++ Challenge with ASLR enabled](http://timetobleed.com/defeating-the-matasano-c-challenge-with-aslr-enabled/)
@ -1185,6 +1226,14 @@ Check out the 'Reverse Engineering" Section's Tools list for a lot of useful too
[CVE-2016-7255 - Git repo](https://github.com/mwrlabs/CVE-2016-7255)
[Hijacking Arbitrary .NET Application Control Flow](https://www.tophertimzen.com/resources/grayStorm/HijackingArbitraryDotnetApplicationControlFlow.pdf)
* This paper describes the use of Reflection in .NET and how it can be utilized to change the control flow of an arbitrary application at runtime. A tool, Gray Storm, will be introduced that can be injected into an AppDomain and used to control the executing assembly instructions after just-in-time compilation.
[Dissecting Veil-Evasion Powershell Payloads and Converting to a Bind Shell](http://threat.tevora.com/dissecting-veil-evasion-powershell-payloads-and-converting-to-a-bind-shell/)
##### Broadpwn
[A cursory analysis of @nitayart's Broadpwn bug (CVE-2017-9417)](http://boosterok.com/blog/broadpwn/)
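Review bot: `Dissecting Veil-Evasion Powershell Payloads and Converting to a Bind Shell` is payload-obfuscation/AV-evasion material and sits between a kernel privilege-escalation repo (CVE-2016-7255) and the Broadpwn analysis; it belongs with the anti-virus tools and writeups this same commit touches (SideStep, UniByAv). The CVE-2016-7255 repo entry is also missing the one-line description its neighbours have.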
@ -1238,6 +1287,17 @@ Check out the 'Reverse Engineering" Section's Tools list for a lot of useful too
[Fun with info leaks](https://rh0dev.github.io/blog/2015/fun-with-info-leaks/)
[PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3](http://uninformed.org/?v=all&a=38&t=sumry)
* Since the publication of previous bypass or circumvention techniques for Kernel Patch Protection (otherwise known as "PatchGuard"), Microsoft has continued to refine their patch protection system in an attempt to foil known bypass mechanisms. With the release of Windows Server 2008 Beta 3, and later a full-blown distribution of PatchGuard to Windows Vista and Windows Server 2003 via Windows Update, Microsoft has introduced the next generation of PatchGuard to the general public ("PatchGuard 3"). As with previous updates to PatchGuard, version three represents a set of incremental changes that are designed to address perceived weaknesses and known bypass vectors in earlier versions. Additionally, PatchGuard 3 expands the set of kernel variables that are protected from unauthorized modification, eliminating several mechanisms that might be used to circumvent PatchGuard while co-existing (as opposed to disabling) it. This article describes some of the changes that have been made in PatchGuard 3. This article also proposes several new techniques that can be used to circumvent PatchGuard's defenses. Countermeasures for these techniques are also discussed.
[Subverting PatchGuard Version 2](http://uninformed.org/?v=all&a=28&t=sumry)
* Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables (as well as kernel code) are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely. Potential solutions to these bypass techniques are also suggested. Additionally, this paper describes a mechanism by which PatchGuard version 2 can be subverted to run custom code in place of PatchGuard's system integrity checking code, all while leaving no traces of any kernel patching or custom kernel drivers loaded in the system after PatchGuard has been subverted. This is particularly interesting from the perspective of using PatchGuard's defenses to hide kernel mode code, a goal that is (in many respects) completely contrary to what PatchGuard is designed to do.
[Bypassing PatchGuard on Windows x64](http://uninformed.org/?v=all&a=14&t=sumry)
* The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors from modifying certain critical operating system structures. These structures include things like specific system images, the SSDT, the IDT, the GDT, and certain critical processor MSRs. This feature is intended to ensure kernel stability by preventing uncondoned behavior, such as hooking. However, it also has the side effect of preventing legitimate products from working properly. For that reason, this paper will serve as an in-depth analysis of PatchGuard's inner workings with an eye toward techniques that can be used to bypass it. Possible solutions will also be proposed for the bypass techniques that are suggested.
----------------
### Attacking AntiVirus
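Review bot: the three PatchGuard papers (`Bypassing PatchGuard on Windows x64`, `Subverting PatchGuard Version 2`, `PatchGuard Reloaded`) are listed newest-first directly under `Fun with info leaks`, and they are kernel mitigation-bypass references rather than exploit writeups. Give them a small `PatchGuard` subheading, or move them to the mitigation reference material next to the DEP/SEHOP entries this commit also adds, ordered version 1, 2, 3 so the "since the publication of previous bypass techniques" cross-references read in sequence.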


+ 12
- 0
Draft/Forensics Incident Response.md View File

@ -32,6 +32,18 @@ Forensics wiki
Yelp/Github - OSX Collector - Mass style forensics/management
hackingexposedcomputerforensicsblog.blogspot.com/2015/02/automating-dfir-how-to-series-on_21.html)
[dotNET_WinDBG](https://github.com/Cisco-Talos/dotNET_WinDBG)
* This python script is designed to automate .NET analysis with WinDBG. It can be used to analyse a PowerShell script or to unpack a binary packed using a .NET packer.
[Unravelling .NET with the Help of WinDBG - TALOS](http://blog.talosintelligence.com/2017/07/unravelling-net-with-help-of-windbg.html)
* This article describes:
* How to analyse PowerShell scripts by inserting a breakpoint in the .NET API.
* How to easily create a script to automatically unpack .NET samples following analysis of the packer logic.
[Jeffrey's Image Metadata Viewer](http://exif.regex.info/exif.cgi)
[Happy DPAPI!](http://blog.digital-forensics.it/2015/01/happy-dpapi.html)
#### End Cull
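Review bot: `Jeffrey's Image Metadata Viewer` and `Happy DPAPI!` are added without the one-line descriptions the other new entries have; the DPAPI post is about Windows DPAPI forensics, a different topic from the .NET/WinDBG pair above it, so a description will help whoever sorts the `End Cull` block later. The context line above (`hackingexposedcomputerforensicsblog...on_21.html)`) also has a dangling `)` left over from a lost markdown link.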


+ 2
- 1
Draft/Fuzzing Bug Hunting.md View File

@ -144,7 +144,7 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
### <a name="presen">Presentations/Videos</a>
### <a name="presen">Talks/Videos</a>
[The Best of Bug Finding - Duo Tech Talk (Charlie Miller)](https://www.youtube.com/watch?v=1M1EOzulQsw)
* I look at how security vulnerabilities are found (or missed) and some of my favorite bugs and exploits I’ve come across in my career.
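Review bot: the heading rename keeps the `presen` anchor, so existing `#presen` links still resolve; if the file's TOC spells out the heading text (`Presentations/Videos`), update that too so it matches `Talks/Videos`.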
@ -184,6 +184,7 @@ https://raw.githubusercontent.com/secfigo/Awesome-Fuzzing/master/README.md
[Improving security with Fuzzing and Sanitizers](https://media.ccc.de/v/SHA2017-148-improving_security_with_fuzzing_and_sanitizers)
* A bug in Gstreamer could be used to own a Linux Desktop system. TCPDump released a security update fixing 42 CVEs. We have far too many security critical bugs in the free and open source software stack. But we have powerful tools to find them - we just have to use them.
[Introduction to Custom Protocol Fuzzing](https://www.youtube.com/watch?v=ieatSJ7ViBw)
### <a name="books">Books</a>


+ 1
- 0
Draft/Honeypots.md View File

@ -20,6 +20,7 @@ http://www.cuckoosandbox.org/
http://highaltitudehacks.com/2013/06/15/ghost-usb-honeypot-part-2-installing-and-running-the-honeypot/
[Honeypot Farming: Setup Modern Honey Network](https://medium.com/@theroxyd/honeypot-farming-setup-mhn-f07d241fcac6)
[honeyLambda](https://github.com/0x4D31/honeyLambda)
* a simple, serverless application designed to create and monitor URL {honey}tokens, on top of AWS Lambda and Amazon API Gateway


+ 11
- 1
Draft/Interesting Things Useful stuff.md View File

@ -52,6 +52,11 @@ http://spth.virii.lu/articles.htm
[Delta Copy](http://www.aboutmyip.com/AboutMyXApp/DeltaCopy.jsp)
* In technical terms, DeltaCopy is a "Windows Friendly" wrapper around the Rsync program, currently maintained by Wayne Davison. "rsync" is primarily designed for Unix/Linux/BSD systems. Although ports are available for Windows, they typically require downloading Cygwin libraries and manual configuration.
[what3words](https://what3words.com/about/)
* what3words provides a precise and incredibly simple way to talk about location. We have divided the world into a grid of 3m x 3m squares and assigned each one a unique 3 word address.
[Windows Firewall Control - Managing Windows Firewall is now easier than ever](https://www.binisoft.org/wfc.php)
#### End Sort
@ -189,7 +194,8 @@ http://spth.virii.lu/articles.htm
[Drone Survival Guide](http://dronesurvivalguide.org)
[Digital Show & Tell - xiph.org](https://xiph.org/video/vid2.shtml)
* Continuing the "firehose" tradition of maximum information density, Xiph.Org's second video on digital media explores multiple facets of digital audio signals and how they really behave in the real world.
@ -289,6 +295,10 @@ Philip K. Dick said, reality is that which, when you no longer believe in it, do
[Pwning pwners like a n00b](https://www.youtube.com/watch?v=E8O8bB3I3i0)
* Cybercrime, blackhat hackers and some Ukrainians. If that doesn’t catch your attention, then stop reading. Follow the story of how stupid mistakes, OPSEC fails, and someone with a little too much time on his hands was able to completely dismantle a spamming and webshell enterprise using really simple skills and techniques you could pick up in a week. Did we mention that d0x were had as well? This talk will be an in-depth examination at the investigation and exploitation process involved.
[Money Makes Money: How To Buy An ATM And What You Can Do With It by Leigh Ann Galloway - BSides Manchester2017](https://www.youtube.com/watch?v=0HbLQAGS6no&index=8&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
[(In)Outsider Trading – Hacking stocks using public information and (influence) - Robert Len - BSides CapeTown16](https://www.youtube.com/watch?v=sfHeguTEkuE)
* This talk will take a look at how inadvertently leaked technical information from businesses, can be used to successfully trade stocks. This results in making huge profits. We look at different methods of influencing the stock market, such as DDOS attacks (at critical time periods) and simple techniques such as Phish-baiting CEO’s to acquire sensitive, relevant information that can be applied in the real world to make massive gains in profit. We will also take a look at historic trends. How previous hacks, breaches and DDOS attacks have affected stock prices and investor confidence over time. Specific reference will be made towards listed South African companies (Or a particular listed SA company) and a POC will hopefully be completed by the presentation date.


+ 14
- 21
Draft/Malware.md View File

@ -27,21 +27,12 @@ https://motherboard.vice.com/read/preserving-the-ancient-art-of-getting-pwned
http://www.exposedbotnets.com/?m=0
https://brycampbell.co.uk/new-blog/
https://archive.is/Nol3S
[The Economics of Exploit Kits & E-Crime](http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense03-the-economics-of-exploit-kits-e-crime-adam-hogan)
* I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
[Loffice - Analyzing malicious documents using WinDbg](https://thembits.blogspot.com/2016/06/loffice-analyzing-malicious-documents.html)
[Writing Bad @$$ Malware for OS X - Patrick Wardle](https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf)
[Malware: From your text editor, to the United States Government's Lab (SHA2017)](https://www.youtube.com/watch?v=PtufumVvN-E)
* How Universities in the US collaborate with the United States Government to make America stronger, and the rest weaker. Ever wonder where your malware ends up after you deploy it? Are you curious how the United States Government researches Cyber Security on the backs of students? First, this is not a technical talk. This is an informative talk on the insides of how the inner workings of an Information Security Lab in one of the Top Technical Universities in the United States works with its Government to provide insights in the world of, as the feds like to call it, "CyberSecurity". (All Americans apologize for Trump. We're sorry.)
[rVMI - A New Paradigm For Full System Analysis](https://github.com/fireeye/rvmi)
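Review bot: of the entries removed from this block, `The Economics of Exploit Kits & E-Crime` and `Malware: From your text editor...` reappear in the talks section at the bottom of the file, but `Loffice - Analyzing malicious documents using WinDbg` and `Writing Bad @$$ Malware for OS X` do not show up anywhere else in this diff; confirm they were relocated rather than dropped. Loffice would pair naturally with the dotNET_WinDBG and Talos WinDBG entries added to Forensics Incident Response.md in this same commit.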
@ -51,15 +42,6 @@ https://archive.is/Nol3S
* Abstract: We introduce PyTrigger, a dynamic malware analy- sis system that automatically exercises a malware binary extract- ing its behavioral profile even when specific user activity or input is required. To accomplish this, we developed a novel user activity record and playback framework and a new behavior extraction approach. Unlike existing research, the activity recording and playback includes the context of every object in addition to traditional keyboard and mouse actions. The addition of the con- text makes the playback more accurate and avoids dependenciesand pitfalls that come with pure mouse and keyboard replay. Moreover, playback can become more efficient by condensing common activities into a single action. After playback, PyTrigger analyzes the system trace using a combination of multiple states and behavior differencing to accurately extract the malware behavior and user triggered behavior from the complete system trace log. We present the algorithms, architecture and evaluate the PyTrigger prototype using 3994 real malware samples. Results and analysis are presented showing PyTrigger extracts additional behavior in 21% of the samples
[Bypassing VirtualBox Process Hardening on Windows](https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html)
* This blog post will describe the implementation of Oracle’s VirtualBox protected process and detail three different, but now fixed, ways of bypassing the protection and injecting arbitrary code into the process. The techniques I’ll present can equally be applied to similar implementations of “protected” processes in other applications.
[VBoxHardenedLoader](https://github.com/hfiref0x/VBoxHardenedLoader)
* VirtualBox VM detection mitigation loader
##### END Sort
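Review bot: this hunk shrinks the block from 15 lines to 6; `Bypassing VirtualBox Process Hardening on Windows` and `VBoxHardenedLoader` are the visible casualties and neither appears elsewhere in the diff. VBoxHardenedLoader is a VM-detection mitigation, which is exactly the anti-analysis/evasion material this file collects (`Dynamic Anti-Emulation`, `AVLeak` further down), so it should land in that section rather than disappear.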
@ -78,6 +60,7 @@ https://archive.is/Nol3S
[Awesome Malware Analysis - Github Awesome List series](https://github.com/rshipp/awesome-malware-analysis)
[TIPS FOR REVERSE - ENGINEERING MALICIOUS CODE - Lenny Zeltser](https://zeltser.com/media/docs/reverse-engineering-malicious-code-tips.pdf)
@ -188,7 +171,7 @@ https://archive.is/Nol3S
[Dynamic Anti-Emulation using Blackbox Analysis by Second Part To Hell](http://spth.virii.lu/dynamic_anti_emulation.txt)
[AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf)
### <a name="repository">Malware Repositories/Collecting & Obtaining Malware</a>
@ -398,9 +381,9 @@ http://www.cybersquared.com/2012/06/malware-analysis-lab-a-fast-and-cost-effecti
[Awesome Guide to building a VM for anonymous Malware Analysis and Reverse Engineering](https://www.codeandsec.com/Building-Ultimate-Anonymous-Malware-Analysis-and-Reverse-Engineering-Machine)
[malboxes](https://github.com/GoSecure/malboxes)
f* Builds malware analysis Windows VMs so that you don't have to.
* Builds malware analysis Windows VMs so that you don't have to.
[Advanced Desktop Application Sandboxing via AppContainer](https://www.malwaretech.com/2015/09/advanced-desktop-application-sandboxing.html)
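Review bot: good catch on the stray `f` in `f* Builds malware analysis Windows VMs`; the same leading `f` is still present in Exploit Development.md in this commit (the blank `f` line under the SideStep entry and the `f` context in the two hunk headers after it), so fix that one in the same pass.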
@ -656,6 +639,16 @@ Duping the Machine: malware strategies, post sandbox detection
[BG00 Injection on Steroids Code less Code Injections and 0 Day Techniques Paul Schofield Udi Yavo](https://www.youtube.com/watch?v=0BAaAM2wD4s)
[Malvertising: Under The Hood by Chris Boyd - BSides Manchester2017](https://www.youtube.com/watch?v=VESvOsr91_M&index=1&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
[The Economics of Exploit Kits & E-Crime](http://www.irongeek.com/i.php?page=videos/bsidescolumbus2016/offense03-the-economics-of-exploit-kits-e-crime-adam-hogan)
* I will discuss how the market for exploit kits has been changing, in techniques, marketing and prices. I argue that the competitiveness between exploit kits shows a maturing market, but will leverage economic theory to demonstrate the limits to which that market will continue to mature. This should allow us to understand how exploit kits affect (and are affected by) the rest of the greater market for hacker services, from malware (as an input) to nation-state level attacks (e.g. trickle down from Hacking Team). I hope to provide a better understanding of how exploit kits work and how their sold as well as how this market can teach us about the rational choice to engage in criminal activity and how we might dissuade them.
[Malware: From your text editor, to the United States Government's Lab (SHA2017)](https://www.youtube.com/watch?v=PtufumVvN-E)
* How Universities in the US collaborate with the United States Government to make America stronger, and the rest weaker. Ever wonder where your malware ends up after you deploy it? Are you curious how the United States Government researches Cyber Security on the backs of students? First, this is not a technical talk. This is an informative talk on the insides of how the inner workings of an Information Security Lab in one of the Top Technical Universities in the United States works with its Government to provide insights in the world of, as the feds like to call it, "CyberSecurity". (All Americans apologize for Trump. We're sorry.)
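Review bot: the two moved talks keep their full abstracts, including the aside `(All Americans apologize for Trump. We're sorry.)` from the SHA2017 listing; trim quoted abstracts to the technical summary. The other entries in this section (`BG00 Injection on Steroids`, `Malvertising: Under The Hood`) carry no abstract at all, so the mix is uneven either way.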


+ 67
- 8
Draft/Network Attacks & Defenses.md View File

@ -34,6 +34,27 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[MQTT](http://mqtt.org/)
* MQTT is a machine-to-machine (M2M)/"Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish/subscribe messaging transport.
[Enteletaor](https://github.com/cr0hn/enteletaor)
* Message Queue & Broker Injection tool that implements attacks to Redis, RabbitMQ and ZeroMQ.
[Nmap (XML) Parser documentation](https://nmap-parser.readthedocs.io/en/latest/)
[OpenSSH User Enumeration Time-Based Attack](http://seclists.org/fulldisclosure/2013/Jul/88)
[Collection of Symantec Endpoint Protection Vulnerabilities + some exploits](http://codewhitesec.blogspot.nl/2015/07/symantec-endpoint-protection.html)
[reGeorg](https://github.com/sensepost/reGeorg)
* The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
[NfSpy](https://github.com/bonsaiviking/NfSpy)
* NfSpy is a Python library for automating the falsification of NFS credentials when mounting an NFS share.
##### sort end
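Review bot: `reGeorg` is a pivoting (SOCKS-over-HTTP) tool and `NfSpy` an NFS credential-spoofing library, but both are parked in the `sort end` block while the TODO list in the next hunk still says `Pivoting Section` is to be added; either create that section now or leave a note so they are not lost. `Nmap (XML) Parser documentation` has no description and sits oddly between message-broker attack tooling (MQTT/Enteletaor) and a 2013 full-disclosure post on OpenSSH user enumeration.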
@ -42,7 +63,7 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
* Pivoting Section
* Add RFCs
* Add sslscan/similar
* IPMI section
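Review bot: the TODO list still carries `Add sslscan/similar` and `IPMI section`, yet this same commit adds a `#### SSL/TLS` section with testssl.sh and a `### IPMI` section with `Breaking IPMI/BMC`; strike those two items, or keep `Add sslscan/similar` only if sslscan itself is still wanted next to testssl.sh.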
@ -59,8 +80,6 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[NSEInfo](https://github.com/christophetd/nmap-nse-info/blob/master/README.md)
* NSEInfo is a tool to interactively search through nmap's NSE scripts.
[A Curated list of assigned ports relevant to pen testing](http://www.vulnerabilityassessment.co.uk/ports.htm)
[pynessus](https://github.com/rmusser01/pynessus)
* Python Parser for Nessus Output
* [Examples](http://www.hackwhackandsmack.com/?p=422)
@ -297,13 +316,27 @@ http://www.pentest-standard.org/index.php/Intelligence_Gathering
[DNSEnum](https://github.com/fwaeytens/dnsenum)
* Multithreaded perl script to enumerate DNS information of a domain and to discover non-contiguous ip blocks.
[DNS Reference Information - technet](https://technet.microsoft.com/en-us/library/dd197499(v=ws.10).aspx)
[DNS Records: an Introduction](https://www.linode.com/docs/networking/dns/dns-records-an-introduction)
[DNS Cache Snooping or Snooping the Cache for Fun and Profit - Luis Grangeia](http://cs.unc.edu/~fabian/course_papers/cache_snooping.pdf)
[nsec3map](https://github.com/anonion0/nsec3map)
* a tool to enumerate the resource records of a DNS zone using its DNSSEC NSEC or NSEC3 chain
------------
### D/DOS
[Davoset](https://github.com/MustLive/DAVOSET)
* DAVOSET - it is console (command line) tool for conducting DDoS attacks on the sites via Abuse of Functionality and XML External Entities vulnerabilities at other sites.
@ -376,7 +409,8 @@ Veil Tutorials:
### IPMI
[Breaking IPMI/BMC](http://fish2.com/ipmi/how-to-break-stuff.html)
@ -402,7 +436,7 @@ IPv6: Basic Attacks and Defences - Christopher Werny[TROOPERS15]
[IPv6 Local Neighbor Discovery Using Router Advertisement](https://www.rapid7.com/db/modules/auxiliary/scanner/discovery/ipv6_neighbor_router_advertisement)
* Send a spoofed router advertisement with high priority to force hosts to start the IPv6 address auto-config. Monitor for IPv6 host advertisements, and try to guess the link-local address by concatinating the prefix, and the host portion of the IPv6 address. Use NDP host solicitation to determine if the IP address is valid'
[IPv6 - Playing with IPv6 for fun and profit](https://github.com/zbetcheckin/IPv6)
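Review bot: the `IPv6 Local Neighbor Discovery Using Router Advertisement` description ends with a stray `'` after `valid` and misspells `concatenating` as `concatinating`; it reads as a paste of the Metasploit module description, so either quote it cleanly or drop the trailing quote.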
@ -493,6 +527,9 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[CloudFail](https://github.com/m0rtem/CloudFail)
* CloudFail is a tactical reconnaissance tool which aims to gather enough information about a target protected by CloudFlare in the hopes of discovering the location of the server.
[HatCloud](https://github.com/HatBashBR/HatCloud)
* HatCloud build in Ruby. It makes bypass in CloudFlare for discover real IP. This can be useful if you need test your server and website. Testing your protection against Ddos (Denial of Service) or Dos. CloudFlare is services and distributed domain name server services, sitting between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites. Your network protects, speeds up and improves availability for a website or the mobile application with a DNS change.
[discover - Kali Scripts](https://github.com/leebaird/discover)
* For use with Kali Linux - custom bash scripts used to automate various portions of a pentest.
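Review bot: the HatCloud description is an unedited machine-translated blurb (`Your network protects, speeds up and improves availability for a website...`) that mostly describes CloudFlare rather than the tool; cut it to one line saying it tries to find the origin IP behind CloudFlare, which also makes the overlap with the CloudFail entry directly above it obvious.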
@ -510,9 +547,12 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[OnionScan](https://github.com/s-rah/onionscan)
* [What OnionScan Scans for](https://github.com/s-rah/onionscan/blob/master/doc/what-is-scanned-for.md)
[Ever wanted to scan the internet in a few hours?](http://blog.erratasec.com/2013/10/faq-from-where-can-i-scan-internet.html)
[device-pharmer](https://github.com/DanMcInerney/device-pharmer)
* Opens 1K+ IPs or Shodan search results and attempts to login
[Adding your protocol to Masscan](http://blog.erratasec.com/2014/11/adding-protocols-to-masscan.html)
@ -620,7 +660,8 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Simple Network Management Pwnd](http://www.irongeek.com/i.php?page=videos/derbycon4/t221-simple-network-management-pwnd-deral-heiland-and-matthew-kienow)
[Cisc0wn - Cisco SNMP Script](https://github.com/nccgroup/cisco-SNMP-enumeration)
* Automated Cisco SNMP Enumeration, Brute Force, Configuration Download and Password Cracking
------------
@ -636,6 +677,23 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
--------------
#### SSL/TLS
[testssl.sh](https://github.com/drwetter/testssl.sh)
* testssl.sh is a free command line tool which checks a server's service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws.
[SSL & TLS Penetration Testing [Definitive Guide]](https://www.aptive.co.uk/blog/tls-ssl-security-testing/)
[ SSL/TLS and PKI History ](https://www.feistyduck.com/ssl-tls-and-pki-history/)
* A comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem. Based on Bulletproof SSL and TLS, by Ivan Ristić.
------------
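Review bot: `[ SSL/TLS and PKI History ]` has padding spaces inside the link text; no other entry does. `SSL & TLS Penetration Testing [Definitive Guide]` has no description, unlike the other two new entries. With testssl.sh now listed, the `Add sslscan/similar` TODO near the top of this file can be closed.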
@ -738,6 +796,7 @@ dsniff is a collection of tools for network auditing and penetration testing. ds
[Use DHCP to detect UEFI or Legacy BIOS system and PXE boot to SCCM](http://www.itfaq.dk/2016/07/27/use-dhcp-to-detect-uefi-or-legacy-bios-system-and-pxe-boot-to-sccm/)
[Too Many Cooks; Exploiting the Internet of Tr-069](http://mis.fortunecook.ie/)


+ 4
- 0
Draft/Network Security Monitoring & Logging.md View File

@ -38,6 +38,10 @@ http://www.netfort.com/wp-content/uploads/PDF/WhitePapers/NetFlow-Vs-Packet-Anal
[Netdude](http://netdude.sourceforge.net/)
* The Network Dump data Displayer and Editor is a framework for inspection, analysis and manipulation of tcpdump trace files. It addresses the need for a toolset that allows easy inspection, modification, and creation of pcap/tcpdump trace files. Netdude builds on any popular UNIX-like OS, such as Linux, the BSDs, or OSX.
[Introduction to Windows Event Forwarding](https://hackernoon.com/the-windows-event-forwarding-survival-guide-2010db7a68c4)
[Monitoring what matters – Windows Event Forwarding for everyone (even if you already have a SIEM.)](https://blogs.technet.microsoft.com/jepayne/2015/11/23/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem/)
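Review bot: the link titled `Introduction to Windows Event Forwarding` points at hackernoon.com's `the-windows-event-forwarding-survival-guide` post; title the entry after the article so it can be found by name. Both WEF links are Windows-specific in a section whose neighbour (Netdude, pcap editing) is not, so a `Windows Event Forwarding` subheading would help.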


+ 8
- 6
Draft/Open Source Intelligence.md View File

@ -23,11 +23,7 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
* Add list of Sources:
* UCC - Uniform Commercial Code; DOC - Current Industrial Patents; DMV - Vehicle Ownership applications; Patents - Patent DBs; Operating Licenses/Permits; Trade Journals;
* SWOT - Strengths, Weaknesses, Opportunities, Threats
[GlobalFileSearch](https://ftplike.com)
* An FTP Search Engine that may come in handy.
#### End cull
@ -35,7 +31,8 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
--------------------
### General
General
* SWOT - Strengths, Weaknesses, Opportunities, Threats
[Open Source Intelligence - Wikipedia](http://en.wikipedia.org/wiki/Open-source_intelligence)
[Intelligence Gathering - PTES](http://www.pentest-standard.org/index.php/Intelligence_Gathering)
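Review bot: `### General` is immediately followed by a bare `General` line and then the SWOT bullet moved out of the TODO block; if the bare `General` is the old text being replaced, fine, but make sure it does not survive as a stray paragraph. The SWOT line is a glossary item rather than a link and reads oddly as the first entry under General; keep it with the `Add list of Sources` TODO or give it a short definitions block.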
@ -59,6 +56,8 @@ www.osintinsight.com/shared.php?user=Mediaquest&folderid=0\
[PasteLert](https://www.andrewmohawk.com/pasteLert/)
* PasteLert is a simple system to search pastebin.com and set up alerts (like google alerts) for pastebin.com entries. This means you will automatically recieve email whenever your term(s) is/are found in new pastebin entries!
[NATO Open Source Intelligence Handbook](http://www.oss.net/dynamaster/file_archive/030201/ca5fb66734f540fbb4f8f6ef759b258c/NATO%20OSINT%20Handbook%20v1.2%20%2d%20Jan%202002.pdf)
#### Miscellaneous Sites/Resources
@ -182,7 +181,8 @@ Reference Site: http://osintinsight.com/shared.php?expand=169,175&folderid=0&use
[TouchGraph SEO Browser](http://www.touchgraph.com/seo)
* Use this free Java application to explore the connections between related websites.
[GlobalFileSearch](https://ftplike.com)
* An FTP Search Engine that may come in handy.
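Review bot: GlobalFileSearch is being moved here from the cull block above, which is fine, but the description "An FTP Search Engine that may come in handy" says nothing about what it indexes or why an OSINT reader would use it (searching file and directory names across public FTP servers for a target's documents); reword it to match the neighbouring TouchGraph entry, which actually says what the tool does.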
@ -396,6 +396,8 @@ when directory browsing is turned off.
[OneMillionTweetMap](http://onemilliontweetmap.com/)
* This page maps the last geolocalized tweets delivered by the twitter stream API. ... YES - IN REAL-TIME - and we keep "only" the last one million tweets.
[AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
* AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for loot. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for delicious files as well as download interesting files if you're not afraid to quickly fill up your hard drive.
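Review bot: the AWSBucketDump description is pasted verbatim from the project README, including the "delicious files" and "fill up your hard drive" asides; trim it to what the tool does (bruteforces S3 bucket names from a wordlist, lists buckets that are publicly listable, greps the listing for interesting names and optionally downloads them). It also sits next to OneMillionTweetMap under the directory-browsing text; it belongs in a cloud storage or AWS subsection if the file has one, since it is an enumeration tool rather than a social-media source.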


+ 8
- 0
Draft/Password Bruting and Hashcracking.md View File

@ -211,6 +211,14 @@ Hashcat attacks
[BEWGor](https://github.com/berzerk0/BEWGor)
* Bull's Eye Wordlist Generator
[Probable-Wordlists](https://github.com/berzerk0/Probable-Wordlists)
* Wordlists sorted by probability originally created for password generation and testing
### Talks & Presentations
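Review bot: both new entries are from the same author but neither description says how to use them; add that the Probable-Wordlists files are sorted so the most likely candidates are at the top, which means a straight dictionary run (`hashcat -a 0`) from the top of the list gets most of its hits early and can be cut short, and that BEWGor builds a target-specific list from details about the person or organisation rather than a generic corpus. The `### Talks & Presentations` heading follows the list with no blank line, which some markdown renderers merge into the preceding list item.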


+ 6
- 0
Draft/Phishing.md View File

@ -17,7 +17,13 @@ TOC
[Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17](https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/)
[Outlook and Exchange for the Bad Guys Nick Landers](https://www.youtube.com/watch?v=cVhc9VOK5MY)
[Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17](https://prezi.com/view/eZ3CSNMxPMOfIWEHwTje/)
[Microsoft Support and Recovery Assistant for Office 365](https://testconnectivity.microsoft.com/)
[Exchange Versions, Builds & Dates](https://eightwone.com/references/versions-builds-dates/)
#### End cull
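Review bot: "Next Gen Office Malware v2.0 - Greg Linares Dagmar Knechtel - Hushcon17" is listed twice in this block with the same prezi URL; drop one. The "Microsoft Support and Recovery Assistant for Office 365" entry links to testconnectivity.microsoft.com, which is the Remote Connectivity Analyzer rather than the SaRA download, so check that the link text matches the destination. The Exchange versions/builds table is only relevant to a phishing file because the build number exposed by OWA/EWS lets you fingerprint a target's Exchange patch level; say that in a one-line description, otherwise it reads as a random reference.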


+ 52
- 19
Draft/Phyiscal Security.md View File

@ -15,6 +15,10 @@
#### Sort
[Hacking things by touching them - armadillo](https://www.armadillophone.com/blog/2017/08/27/hacking-things-by-touching-them)
#### End Sort
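Review bot: the file name `Phyiscal Security.md` is misspelled (Physical); renaming it will break any inbound links, so do it in a dedicated commit rather than burying it in a content change. The armadillo link dropped under `#### Sort` has no description; add one line saying what it covers (attacks that need physical contact with the device) so it can be filed into a real subsection later instead of accumulating in Sort.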
@ -104,17 +108,6 @@
-----------------------
### Videos/Talks
[Lockpicking by Deviant Ollam](http://deviating.net/lockpicking/videos.html)
* Glorious set of videos and instructional information. Must watch.
[Lockpicking how to video using a cut-away lock](http://www.youtube.com/watch?v=LSt0RxkA_f8)
[Distinguishing Lockpicks: Raking vs Lifting vs Jiggling and More - Deviant Ollam](https://www.youtube.com/watch?v=e07VRxJ01Fs)
[Electronic Safe Fail](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech204-electronic-safe-fail-jeff-popio)
* Commonly safes are used in IT to secure backup tapes, certificate roots, and other sensitive material. This talk will demonstrate that many of the safes used to secure these sensitive materials are ineffective. Today there are many varieties of electronic safes that utilize a VERY weak mechanism to physically lock the safe. In many cases there are ways to open the safe in less than a minute that leaves no evidence behind. (Sometimes only a few seconds) This talk will cover my experience discovering the flaw and dealing with a safe vendor to issue a fix, then discovering the inadequacies of the fix itself and vendor's continuing ignorance of the problem with most electronic locks. Fixing these problems can be relatively easy. There will be general instruction on how to fix the problems and what needs to be done by the vendors to make safes well... safer."
[Physical Security - Everything That's Wrong With Your Typical Door - Deviant Ollam - SANS Webcast](https://www.youtube.com/watch?v=raBMFqZRB0s&t=&feature=youtu.be&app=desktop)
[Safe to Armed in Seconds - Deviant Ollam - DEF CON 19](https://www.youtube.com/watch?v=3SVMT_zNlgA)
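Review bot: this hunk removes the flat Videos/Talks list that the next hunk re-files under Alarm Systems, Doors and Lockpicking subheadings, which is a good move, but "Safe to Armed in Seconds" and "Electronic Safe Fail" are both about safes and end up under Lockpicking; a `#### Safes` subheading in the same style would keep them findable.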
@ -122,31 +115,68 @@
[I'll Let Myself In Tactics of Physical Pentesters - Deviant Ollam -B-sides Orlando 2017](https://www.youtube.com/watch?v=Rctzi66kCX4)
[Mastering Master Keys - Deviant Ollam - HOPE Number 9](https://www.youtube.com/watch?v=aVPSaKLKHd4)
#### Alarm Systems
[Ways your alarm system can fail - abak Javadi Keith Howell](https://www.youtube.com/watch?v=g4-B7d3ZQUA)
[Alarmed About Your Alarm System Yet - Keith Howell, Babak Javadi](https://www.youtube.com/watch?v=5rnkhqEj_Po)
[Hacking Wireless Home Security Systems by Eric Escobar - BSides Manchester2017](https://www.youtube.com/watch?v=kERUpg5YMis&index=12&list=PLcgqQkap1lNrOBNCXqpPqpPAqckxv0XhP)
[Home Insecurity: No Alarms, False Alarms, and SIGINT](https://media.defcon.org/DEF%20CON%2022/DEF%20CON%2022%20presentations/Logan%20Lamb/DEFCON-22-Logan-Lamb-HOME-INSECURITY-NO-ALARMS-FALSE-ALARMS-AND-SIGINT-WP.pdf)
[Let's get physical: Breaking home security systems & bypassing controls - Black Hat USA 2013](https://www.youtube.com/watch?v=O4ya3z-PCQs)
#### Doors
[What Does The Perfect Door Or Padlock Look Like? - Deviant Ollam - BruCON 0x08](https://www.youtube.com/watch?v=4skSBwBBI-s)
[The Search for the Perfect Door - Deviant Ollam - Shakacon](https://www.youtube.com/watch?v=4YYvBLAF4T8)
* You have spent lots of money on a high-grade, pick-resistant, ANSI-rated lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your door — the most fundamental part of your physical security — can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door… if you’re willing to learn and understand the problems that all doors tend to have.
[Physical Security - Everything That's Wrong With Your Typical Door - Deviant Ollam - SANS Webcast](https://www.youtube.com/watch?v=raBMFqZRB0s&t=&feature=youtu.be&app=desktop)
[Door Control Systems: An Examination of Lines of Attack](https://www.nccgroup.com/en/blog/2013/09/door-control-systems-an-examination-of-lines-of-attack/)
#### Lockpicking
[Introduction to Lockpicking and Physical Security - DEFCON 13](https://www.youtube.com/watch?v=JupQ3BpKGYg)
[Lockpicking by Deviant Ollam](http://deviating.net/lockpicking/videos.html)
* Glorious set of videos and instructional information. Must watch.
[Electronic Locks - are really secure?!](https://www.youtube.com/watch?v=ZK0MfE7o4HU)
* Many people are familiar with the ways in which mechanical locks can be attacked, compromised, and bypassed. Indeed, the hands-on workshops and the availability of pick tools at the Lockpick Village is an enduring part of the fun at DeepSec and other popular security conferences around the world. Often, attendees will ask questions like, "So, this is really great... but what if someone is using an electronic lock? How hard is it to open the door, then?" Unfortunately, due to time and space constraints, our answer is typically, "Well... that's a very complicated question. Sometimes they're good, and sometimes they're weak." We often promise greater detail another day, another time... but until now that time has not come. Finally now, however, TOOOL will describe some of the most popular electronic locks and show examples of how they can sometimes be attacked.
[Distinguishing Lockpicks: Raking vs Lifting vs Jiggling and More - Deviant Ollam](https://www.youtube.com/watch?v=e07VRxJ01Fs)
[Introduction to Lockpicking and Physical Security - DEFCON 13](https://www.youtube.com/watch?v=JupQ3BpKGYg)
[Mastering Master Keys - Deviant Ollam - HOPE Number 9](https://www.youtube.com/watch?v=aVPSaKLKHd4)
[What Does The Perfect Door Or Padlock Look Like? - Deviant Ollam - BruCON 0x08](https://www.youtube.com/watch?v=4skSBwBBI-s)
[!$@$Lockpicking & Physical security - Deviant Ollam - Best lockpicking course abc tutorial diy](https://www.youtube.com/watch?v=j6WCe-4XQ3Q)
[Lockpicking, Safecracking, & More by Deviant Ollam & renderman at ShmooCon 3](https://www.youtube.com/watch?v=WTgUVhjts2U)
* For the first time on the same stage together at ShmooCon, renderman and i give a funny and informative presentation about lockpicking using much of my traditional material as well as a whole load of new content that my favorite Canadian demonstrates. In addition to his all-around general badassery, renderman even opened up a locked safe on stage... one that he had never seen before and was simply given by an audience member. That took fucking balls.
["Lockpicking in Real Life versus on the Screen" - The Eleventh HOPE (2016)](https://www.youtube.com/watch?v=mjBSocgMCPU)
* We all know that Hollywood has a difficult time portraying hackers accurately. This quirk often extends to the realm of showing lockpicking in movies and on TV. But sometimes, a film gets it really right! This talk is both an introduction to lockpicking (in case you still need to learn) as well as a walk through some of the best - and some of the worst - scenes of lockpicking that have ever been seen by movie and TV audiences. Learn about how to be a better lockpicker and a better filmmaker... all at the same time!
[Lockpicking, Safecracking, & More by Deviant Ollam & renderman at ShmooCon 3](https://www.youtube.com/watch?v=WTgUVhjts2U)
* For the first time on the same stage together at ShmooCon, renderman and i give a funny and informative presentation about lockpicking using much of my traditional material as well as a whole load of new content that my favorite Canadian demonstrates. In addition to his all-around general badassery, renderman even opened up a locked safe on stage... one that he had never seen before and was simply given by an audience member. That took fucking balls.
[Electronic Safe Fail](http://www.irongeek.com/i.php?page=videos/centralohioinfosec2015/tech204-electronic-safe-fail-jeff-popio)
* Commonly safes are used in IT to secure backup tapes, certificate roots, and other sensitive material. This talk will demonstrate that many of the safes used to secure these sensitive materials are ineffective. Today there are many varieties of electronic safes that utilize a VERY weak mechanism to physically lock the safe. In many cases there are ways to open the safe in less than a minute that leaves no evidence behind. (Sometimes only a few seconds) This talk will cover my experience discovering the flaw and dealing with a safe vendor to issue a fix, then discovering the inadequacies of the fix itself and vendor's continuing ignorance of the problem with most electronic locks. Fixing these problems can be relatively easy. There will be general instruction on how to fix the problems and what needs to be done by the vendors to make safes well... safer."
[Lockpicking how to video using a cut-away lock](http://www.youtube.com/watch?v=LSt0RxkA_f8)
[Distinguishing Lockpicks: Raking vs Lifting vs Jiggling and More - Deviant Ollam](https://www.youtube.com/watch?v=e07VRxJ01Fs)
[!$@$Lockpicking & Physical security - Deviant Ollam - Best lockpicking course abc tutorial diy](https://www.youtube.com/watch?v=j6WCe-4XQ3Q)
[The Search for the Perfect Door - Deviant Ollam - Shakacon](https://www.youtube.com/watch?v=4YYvBLAF4T8)
* You have spent lots of money on a high-grade, pick-resistant, ANSI-rated lock for your door. Your vendor has assured you how it will resist attack and how difficult it would be for someone to copy your key. Maybe they’re right. But… the bulk of attacks that both penetration testers and also criminals attempt against doors have little or nothing to do with the lock itself! This talk will be a hard-hitting exploration (full of photo and video examples) of the ways in which your door — the most fundamental part of your physical security — can possibly be thwarted by someone attempting illicit entry. The scary problems will be immediately followed by simple solutions that are instantly implementable and usually very within-budget. You, too, can have a near-perfect door… if you’re willing to learn and understand the problems that all doors tend to have.
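Review bot: several entries appear twice inside this hunk: "Introduction to Lockpicking and Physical Security - DEFCON 13", "Distinguishing Lockpicks", "!$@$Lockpicking & Physical security", "Lockpicking, Safecracking, & More" (with its full blurb), "Mastering Master Keys", "What Does The Perfect Door Or Padlock Look Like?" and "The Search for the Perfect Door" (with its full blurb). If those are just the old copies of relocated lines that the rendered view shows without `-` markers, fine; otherwise dedupe before merging, and note that "What Does The Perfect Door" is filed under both Doors and Lockpicking in the new layout. Typos: "abak Javadi" should be "Babak Javadi" in the "Ways your alarm system can fail" entry (the entry right after it spells the name correctly). The "!$@$Lockpicking & Physical security ... Best lockpicking course abc tutorial diy" title is a pasted YouTube clickbait title; retitle it to the actual talk name.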
@ -187,3 +217,6 @@
### Tamper Resistance
[Tamper resistance and hardware security](https://www.cl.cam.ac.uk/~sps32/PartII_030214.pdf)

+ 3
- 1
Draft/Policy-Compliance.md View File

@ -13,6 +13,8 @@
[The foundation is rotting and the basement is flooding: A deeper look at the implicit trust relationships in your organization](https://www.youtube.com/watch?v=nL64uj9Xm24)
[IT Law Wiki](http://itlaw.wikia.com/wiki/The_IT_Law_Wiki))
[A Survey of Insider Attack Detection Research - 2008](http://web.stanford.edu/class/cs259d/readings/Insider_survey.pdf)
[The “Big Picture” of Insider IT Sabotage Across U.S. Critical Infrastructures](http://web.stanford.edu/class/cs259d/readings/Infrastructure.pdf)
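Review bot: the IT Law Wiki link has a doubled closing parenthesis, `...The_IT_Law_Wiki))`, which renders a stray `)` after the link; drop one. The two insider-threat readings are added without descriptions and their titles do not say what they are (a 2008 literature survey of insider detection approaches, and a report on insider sabotage cases across US critical infrastructure); a one-liner each, like the other entries in this file, would help.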
@ -20,4 +22,4 @@
[NIST Cybersecurity Practice Guide, Securing Wireless Infusion Pumps in Healthcare Delivery Organizations](https://nccoe.nist.gov/projects/use-cases/medical-devices)
* [SP 1800-8a: Executive Summary](https://nccoe.nist.gov/publication/draft/1800-8/VolA/)
* [SP 1800-8b: Approach, Architecture, and Security Characteristics ](https://nccoe.nist.gov/publication/draft/1800-8/VolB/)
* [SP 1800-8c: How-To Guides](https://nccoe.nist.gov/publication/draft/1800-8/VolC/)
* [SP 1800-8c: How-To Guides](https://nccoe.nist.gov/publication/draft/1800-8/VolC/)
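Review bot: this hunk only removes and re-adds the final `SP 1800-8c` line, i.e. it adds the missing trailing newline at end of file. Harmless, but whitespace-only churn like this is better kept out of a content commit titled "Adds."; configure the editor to add the newline consistently so it does not keep showing up in diffs.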

+ 8
- 0
Draft/Port_List.md View File

@ -42,6 +42,7 @@
|175|tcp|IBM Network Job Entry||
|179|tcp|BGP||
|195|tcp|TA14-353a||
|264||Checkpoint Firewall||
|311|tcp|OS X Server Manager||
|389|tcp|ldap|ldap://`target`/dc=com|
|443|tcp|https|openssl s_client -host www.yahoo.com -port 443<BR>sslscan www.yahoo.com<BR>tlssled www.yahoo.com 443<BR>nmap --script sslv2 www.yahoo.com<BR>nmap --script ssl-cert www.yahoo.com<BR>nmap --script ssl-date www.yahoo.com<BR>nmap --script ssl-enum-ciphers www.yahoo.com<BR>nmap --script ssl-google-cert-catalog www.yahoo.com<BR>msf > use auxiliary/pro/web_ssl_scan<BR>msf > use auxiliary/scanner/ssl/openssl_heartbleed<BR>msf > use auxiliary/server/openssl_heartbeat_client_memory|
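Review bot: the new `|264||Checkpoint Firewall||` row leaves the protocol column empty while every neighbouring row fills it; 264/tcp is the Check Point FW1_topo (SecuRemote topology) service, so put `tcp` there, and the command column could point at Metasploit's `auxiliary/gather/checkpoint_hostname` module, which pulls the firewall hostname from that service, so the row is as actionable as the 389 and 443 rows around it.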
@ -66,6 +67,7 @@
|789|tcp|Redlion Crimson3||
|873|tcp|rsync|rsync -a user@host::tools/<BR>nmap -p 873 --script rsync-brute --script-args 'rsync-brute.module=www' `target`<BR>nmap -p 873 --script rsync-list-modules `target`<BR>msf >use auxiliary/scanner/rsync/modules_list|
|902|tcp|VMware authentication||
|953||BIND Contorl Port||
|992|tcp|Telnet(secure)||
|993|tcp|IMAPs||
|995|tcp|POP3s||
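Review bot: `|953||BIND Contorl Port||` has a typo (`Control`) and an empty protocol column; 953/tcp is the BIND rndc control channel, so `|953|tcp|BIND rndc control||` matches the table's conventions. rndc is authenticated with a shared HMAC key, so there is nothing to enumerate anonymously beyond the fact that it is reachable, which is itself the finding (rndc should be bound to localhost); worth a note in the command column.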
@ -104,6 +106,7 @@
|2455||CoDeSys||
|2480||OrientDB||
|2628||Dictionary||
|2967||Symantec System Center Alert Management System||
|3000||ntop||
|3128|tcp|squid||
|3299|tcp|sap|msf > use auxiliary/scanner/sap/sap_router_portscanner|
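Review bot: `|2967||Symantec System Center Alert Management System||` reuses the label given to 12174 and 38292 later in this commit; 2967/tcp is the Symantec AntiVirus / SSC agent port (the one the old Symantec AV RPC exploits targeted), so either give it its own label or confirm all three are intentionally the same service. The protocol column is empty again; fill it.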
@ -163,21 +166,26 @@
|8101|tcp|apache karaf||
|8180|tcp|apache tomcat|msf > use exploit/multi/http/tomcat_mgr_deploy|
|8443|tcp|https||
|8443||Symantec SEP Manager||
|8554|tcp|rtsp||
|8649|tcp|ganglia||
|9009|tcp|Julia||
|9043|tcp|WebSpeher||
|9090||Symantec SEP Manager||
|9151|tcp|Tor Control||
|9160||Apache Cassandra||
|9200|tcp|elasticsearch|msf >use exploit/multi/elasticsearch/search_groovy_script|
|9418|tcp|git||
|10000|tcp|virtualmin/webmin||
|11211|tcp|memcache|msf > use auxiliary/gather/memcached_extractor<br>$ nc x.x.x.x 11211<BR>stats\r\n|
|12174|tcp|Symantec System Center Alert Management System||
|13579||Media Player classic web interface||
|17185||VxWorks WDBRPC||
|18083|tcp|vbox server||
|27017|tcp|mongodb|msf >use auxiliary/scanner/mongodb/mongodb_login<BR>$ mongo host:port/database<BR>MongoDB shell version: 2.6.12<BR>> help|
|28017|tcp|mongodb||
|37777||Dahua DVR||
|38292||Symantec System Center Alert Management System||
|44818||EtherNet/IP||
|49153||WeMo Link||
|50000|tcp|sap||
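Review bot: there are now two rows keyed on 8443 (`https` and `Symantec SEP Manager`); since the table is indexed by port, fold them into one row (`https / Symantec SEP Manager`) or the reader has to spot the duplicate. Several new rows leave the protocol column empty where it changes how you scan: 17185 VxWorks WDBRPC is UDP (a TCP scan will miss it), 9160 Cassandra Thrift is tcp, 44818 EtherNet/IP explicit messaging is tcp (implicit I/O is 2222/udp), 37777 Dahua DVR is tcp. `WebSpeher` should be `WebSphere` if that line is part of the change.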


+ 77
- 19
Draft/Privilege Escalation & Post-Exploitation.md View File

@ -30,44 +30,50 @@ http://sdb.tools/talks.html
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List#escalating
[Windows Security Center: Fooling WMI Consumers](https://www.opswat.com/blog/windows-security-center-fooling-wmi-consumers)
[JSRat-Py](https://github.com/Hood3dRob1n/JSRat-Py)
* implementation of JSRat.ps1 in Python so you can now run the attack server from any OS instead of being limited to a Windows OS with Powershell enabled
[Shimming for Post Exploitation(blog)](http://www.sdb.tools/)
[Vulnerable Docker VM](https://www.notsosecure.com/vulnerable-docker-vm/)
* For practicing pen testing docker instances
[Hiding Files by Exploiting Spaces in Windows Paths](http://blakhal0.blogspot.com/2012/08/hiding-files-by-exploiting-spaces-in.html)
[Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
* Adapting Software Fault Isolation to Contemporary CPU ArchitecturesSoftware Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
[KeeFarce](https://github.com/denandz/KeeFarce)
* Extracts passwords from a KeePass 2.x database, directly from memory.
[KeeThief](https://github.com/HarmJ0y/KeeThief)
* Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.
[Hiding Files by Exploiting Spaces in Windows Paths](http://blakhal0.blogspot.com/2012/08/hiding-files-by-exploiting-spaces-in.html)
[The Art of Becoming TrustedInstaller](https://tyranidslair.blogspot.co.uk/2017/08/the-art-of-becoming-trustedinstaller.html)
* there's many ways of getting the TI token other than these 3 techniques. For example as Vincent Yiu pointed out on Twitter if you've got easy access to a system token, say using Metasploit's getsystem command you can impersonate system and then open the TI token, it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser where you can specify an set of additional groups to apply to a service token. Finally if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
* There's many ways of getting the TI token other than these 3 techniques. For example as Vincent Yiu pointed out on Twitter if you've got easy access to a system token, say using Metasploit's getsystem command you can impersonate system and then open the TI token, it's just IMO less easy :-). If you get a system token with SeTcbPrivilege you can also call LogonUserExExW or LsaLogonUser where you can specify an set of additional groups to apply to a service token. Finally if you get a system token with SeCreateTokenPrivilege (say from LSASS.exe if it's not running PPL) you can craft an arbitrary token using the NtCreateToken system call.
[The Travelling Pentester: Diaries of the Shortest Path to Compromise](https://www.slideshare.net/harmj0y/the-travelling-pentester-diaries-of-the-shortest-path-to-compromise)
[Adobe Sandbox: When the Broker is Broken - Peter Vreugdenhill](https://cansecwest.com/slides/2013/Adobe%20Sandbox.pdf)
[NaCl SFI model on x86-64 systems](https://developer.chrome.com/native-client/reference/sandbox_internals/x86-64-sandbox#x86-64-sandbox)
* This document addresses the details of the Software Fault Isolation (SFI) model for executable code that can be run in Native Client on an x86-64 system
[Sandboxed Execution Environment ](http://pythonhosted.org/python-see)
* [Documentation](http://pythonhosted.org/python-see)
* Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments.
[Adapting Software Fault Isolation to Contemporary CPU Architectures](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
* Adapting Software Fault Isolation to Contemporary CPU ArchitecturesSoftware Fault Isolation (SFI) is an effective approach to sandboxing binary code of questionable provenance, an interesting use case for native plugins in a Web browser. We present software fault isolation schemes for ARM and x86-64 that provide control-flow and memory integrity with average performance overhead of under 5% on ARM and 7% on x86-64. We believe these are the best known SFI implementations for these architectures, with significantly lower overhead than previous systems for similar architectures. Our experience suggests that these SFI implementations benefit from instruction-level parallelism, and have particularly small impact for work- loads that are data memory-bound, both properties that tend to reduce the impact of our SFI systems for future CPU implementations.](https://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/35649.pdf)
[AVLeak: Fingerprinting Antivirus Emulators Through Black-Box Testing](https://www.usenix.org/system/files/conference/woot16/woot16-paper-blackthorne_update.pdf)
[Usermode Sandboxing](http://www.malwaretech.com/2014/10/usermode-sandboxing.html)
[Advanced Desktop Application Sandboxing via AppContainer](https://www.malwaretech.com/2015/09/advanced-desktop-application-sandboxing.html)
[VirtualBox Detection Via WQL Queries](http://waleedassar.blogspot.com/)
[Bypassing VirtualBox Process Hardening on Windows](https://googleprojectzero.blogspot.com/2017/08/bypassing-virtualbox-process-hardening.html)
[VBoxHardenedLoader](https://github.com/hfiref0x/VBoxHardenedLoader)
* VirtualBox VM detection mitigation loader
[The Travelling Pentester: Diaries of the Shortest Path to Compromise](https://www.slideshare.net/harmj0y/the-travelling-pentester-diaries-of-the-shortest-path-to-compromise)
[Triple-Fetch-Kernel-Creds](https://github.com/coffeebreakerz/Tripple-Fetch-Kernel-Creds)
* Attempt to steal kernelcredentials from launchd + task_t pointer (Based on: CVE-2017-7047)
[rundll32 lockdown testing goodness](https://www.attackdebris.com/?p=143)
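Review bot: "Adapting Software Fault Isolation to Contemporary CPU Architectures" appears twice in this hunk and both copies carry the same two defects: the title is run into the abstract (`ArchitecturesSoftware Fault Isolation`) and the bullet ends with a stray `](https://static.googleusercontent.com/...)` fragment left over from a mangled link; whichever copy survives the move, fix it there. "Hiding Files by Exploiting Spaces in Windows Paths" and "The Travelling Pentester" also show up twice. More importantly, the SFI paper, the NaCl sandbox document, SEE, AVLeak, Usermode Sandboxing, AppContainer and the VirtualBox detection/hardening links are sandbox design and VM-detection material, not privilege escalation; this same commit creates a "Sandbox Bypass/Escape" section later in the file, so they should move there (or to the malware analysis file) rather than sit at the top of the post-exploitation list.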
@ -107,6 +113,14 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[You Can Type, but You Can’t Hide: A Stealthy GPU-based Keylogger](http://www.cs.columbia.edu/~mikepo/papers/gpukeylogger.eurosec13.pdf)
* Keyloggers are a prominent class of malware that harvests sensitive data by recording any typed in information. Key- logger implementations strive to hide their presence using rootkit-like techniques to evade detection by antivirus and other system protections. In this paper, we present a new approach for implementing a stealthy keylogger: we explore the possibility of leveraging the graphics card as an alterna- tive environment for hosting the operation of a keylogger. The key idea behind our approach is to monitor the system’s keyboard buffer directly from the GPU via DMA, without any hooks or modifications in the kernel’s code and data structures besides the page table. The evaluation of our pro- totype implementation shows that a GPU-based keylogger can effectively record all user keystrokes, store them in the memory space of the GPU, and even analyze the recorded data in-place, with negligible runtime overhead.
[Requiem For An Admin, Walter Legowski (@SadProcessor) - BSides Amsterdam 2017](https://www.youtube.com/watch?v=uMg18TvLAcE&index=3&list=PLwZycuzv10iLBFwRIWNAR-s4iuuUMRuEB)
* Orchestrating BloodHound and Empire for Automated AD Post-Exploitation. Lateral Movement and Privilege Escalation are two of the main steps in the Active Directory attacker kill- chain. Applying the 'assume breach' mentality, more and more companies are asking for red-teaming type of assessments, and security researcher have therefor developed a wide range of open-source tools to assist them during these engagements. Out of these, two have quickly gained a solid reputation: PowerShell Empire and BloodHound (Both by @Harmj0y & ex-ATD Crew). In this Session, I will be presenting DogStrike, a new tool (PowerShell Modules) made to interface Empire & BloodHound, allowing penetration testers to merge their Empire infrastructure into the bloodhound graph database. Doing so allows the operator to request a bloodhound path that is 'Agent Aware', and makes it possible to automate the entire kill chain, from initial foothold to DA - or any desired part of an attacker's routine. Presentation will be demo-driven. Code for the module will be made public after the presentation. Automation of Active Directory post-exploitation is going to happen sooner than you might think. (Other tools are being released with the same goal*). Is it a good thing? Is it a bad thing? If I do not run out of time, I would like to finish the presentation by opening the discussion with the audience and see what the consequences of automated post- exploitation could mean, from the red, the blue or any other point of view... *: DeathStar by @Byt3Bl33d3r | GoFetch by @TalTheMaor.
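Review bot: the "Requiem For An Admin" abstract is pasted with its original errors: `security researcher have therefor developed` should be `security researchers have therefore developed`, and `kill- chain` and `post- exploitation` carry line-break hyphens. The trailing footnote (`*: DeathStar by @Byt3Bl33d3r | GoFetch by @TalTheMaor`) names the two comparable automation tools and deserves its own bullet with links rather than being buried at the end of the quote. The GPU keylogger abstract has the same hyphenation residue (`alterna- tive`, `pro- totype`, `Key- logger`).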
@ -224,6 +238,12 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
* Windows Privilege Escalation through Powershell
--------
### Misc Privilege Escalation
[dtappgather-poc.sh](https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh)
* Exploit PoC reverse engineered from EXTREMEPARR which provides local root on Solaris 7 - 11 (x86 & SPARC). Uses a environment variable of setuid binary dtappgather to manipulate file permissions and create a user owned directory anywhere on the system (as root). Can then add a shared object to locale folder and run setuid binaries with an untrusted library file.
----------------
### <a name="powershell-stuff">Powershell Things</a>
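Review bot: the dtappgather entry explains the mechanism (an environment variable honoured by the setuid `dtappgather` binary is used to create a root-owned, user-writable directory, then an untrusted shared object is dropped in a locale folder and picked up by a setuid binary) but not how to check exposure; one line saying that a setuid `/usr/dt/bin/dtappgather` on an unpatched Solaris 7 to 11 host should be treated as vulnerable would make the entry actionable. Also, `### Misc Privilege Escalation` lands in a stretch of the file that is otherwise Windows and PowerShell; a `#### Solaris` sub-bullet would keep the OS split visible.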
@ -240,6 +260,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Brosec](https://github.com/gabemarshall/Brosec)
* Brosec is a terminal based reference utility designed to help us infosec bros and broettes with usefuPowershelll (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.
[UnmanagedPowerShell](https://github.com/leechristensen/UnmanagedPowerShell/tree/master)
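Review bot: the Brosec description contains `usefuPowershelll`, where the word `Powershell` has been pasted into the middle of `useful`; restore `useful`. The sentence is also a long run-on copied from the README; splitting it at "An example of one of Brosec's..." reads better.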
@ -290,6 +311,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
#### Dumping/Grabbing Creds
[PShell Script: Extract All GPO Set Passwords From Domain](http://www.nathanv.com/2012/07/04/pshell-script-extract-all-gpo-set-passwords-from-domain/)
@ -318,6 +340,18 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[SessionGopher](https://github.com/fireeye/SessionGopher)
* SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
[CC_Checker](https://github.com/NetSPI/PS_CC_Checker)
* CC_Checker cracks credit card hashes with PowerShell.
[SearchForCC](https://github.com/eelsivart/SearchForCC)
* A collection of open source/common tools/scripts to perform a system memory dump and/or process memory dump on Windows-based PoS systems and search for unencrypted credit card track data.
[KeeFarce](https://github.com/denandz/KeeFarce)
* Extracts passwords from a KeePass 2.x database, directly from memory.
[KeeThief](https://github.com/HarmJ0y/KeeThief)
* Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory.
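Review bot: KeeFarce and KeeThief are added here under "Dumping/Grabbing Creds" and also appear earlier in this file in the same commit; if the earlier copies are the removed originals, fine, otherwise dedupe. CC_Checker's blurb ("cracks credit card hashes") should say why that is feasible: PAN hashing is brute-forceable because the keyspace is tiny once the BIN and last four digits are known, not because of any hash weakness, and that is the reason an unsalted hashed PAN is a finding. SearchForCC is the memory-scraping counterpart on PoS systems, so the two belong together as they are.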
@ -385,7 +419,7 @@ https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-
[Harness](https://github.com/Rich5/Harness)
* Harness is remote access payload with the ability to provide a remote interactive PowerShell interface from a Windows system to virtually any TCP socket. The primary goal of the Harness Project is to provide a remote interface with the same capabilities and overall feel of the native PowerShell executable bundled with the Windows OS.
[Empire without PowerShell.exe](https://bneg.io/2017/07/26/empire-without-powershell-exe/)
@ -480,6 +514,8 @@ Finding your external IP:
[How to use msfvenom](https://github.com/rapid7/metasploit-framework/wiki/How-to-use-msfvenom)
[RemoteRecon](https://github.com/xorrior/RemoteRecon)
* RemoteRecon provides the ability to execute post-exploitation capabilities against a remote host, without having to expose your complete toolkit/agent. Often times as operator's we need to compromise a host, just so we can keylog or screenshot (or some other miniscule task) against a person/host of interest. Why should you have to push over beacon, empire, innuendo, meterpreter, or a custom RAT to the target? This increases the footprint that you have in the target environment, exposes functionality in your agent, and most likely your C2 infrastructure. An alternative would be to deploy a secondary agent to targets of interest and collect intelligence. Then store this data for retrieval at your discretion. If these compromised endpoints are discovered by IR teams, you lose those endpoints and the information you've collected, but nothing more.
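Review bot: the RemoteRecon blurb is pasted from the README with its errors: `operator's` should be `operators`, `miniscule` should be `minuscule`, and `beacon, empire, innuendo, meterpreter` are product names that should be capitalised. The useful point (deploy a minimal secondary agent for keylogging or screenshots so a discovered host does not burn your primary implant or C2) would serve better as a one-line summary above the quoted paragraph.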
@ -511,6 +547,10 @@ Finding your external IP:
[Windows Driver and Service enumeration with Python](https://cybersyndicates.com/2015/09/windows-driver-and-service-enumeration-with-python/)
[Post Exploitation Persistence With Application Shims (Intro)](http://blacksunhackers.club/2016/08/post-exploitation-persistence-with-application-shims-intro/)
[Shimming for Post Exploitation(blog)](http://www.sdb.tools/)
------------
### Active Directory
@ -962,6 +1002,7 @@ Startup folder on Win8
-------------------
### Avoiding/Bypass UAC
@ -1004,17 +1045,33 @@ Startup folder on Win8
[Shackles, Shims, and Shivs - Understanding Bypass Techniques](http://www.irongeek.com/i.php?page=videos/derbycon6/535-shackles-shims-and-shivs-understanding-bypass-techniques-mirovengi)
[RunMe.c](https://gist.github.com/hugsy/e5c4ce99cd7821744f95)
* Trick to run arbitrary command when code execution policy is enforced (i.e. AppLocker or equivalent). Works on Win98 (lol) and up - tested on 7/8
------------------------
### Sandbox Bypass
### Sandbox Bypass/Escape
[Sandboxes from a pen tester’s view - Rahul Kashyap](http://www.irongeek.com/i.php?page=videos/derbycon3/4303-sandboxes-from-a-pen-tester-s-view-rahul-kashyap)
* Description: In this talk we’ll do an architectural decomposition of application sandboxing technology from a security perspective. We look at various popular sandboxes such as Google Chrome, Adobe ReaderX, Sandboxie amongst others and discuss the limitations of each technology and it’s implementation. Further, we discuss in depth with live exploits how to break out of each category of sandbox by leveraging various kernel and user mode exploits – something that future malware could leverage. Some of these exploit vectors have not been discussed widely and awareness is important.
[chw00t: chroot escape tool](https://github.com/earthquake/chw00t)
[Breaking Out of a Chroot Jail Using PERL](http://pentestmonkey.net/blog/chroot-breakout-perl)
[ssh environment - circumvention of restricted shells](http://www.opennet.ru/base/netsoft/1025195882_355.txt.html)
[Adobe Sandbox: When the Broker is Broken - Peter Vreugdenhill](https://cansecwest.com/slides/2013/Adobe%20Sandbox.pdf)
[Escaping a Python sandbox with a memory corruption bug](https://hackernoon.com/python-sandbox-escape-via-a-memory-corruption-bug-19dde4d5fea5)
[Sandboxed Execution Environment ](http://pythonhosted.org/python-see)
* [Documentation](http://pythonhosted.org/python-see)
* Sandboxed Execution Environment (SEE) is a framework for building test automation in secured Environments. The Sandboxes, provided via libvirt, are customizable allowing high degree of flexibility. Different type of Hypervisors (Qemu, VirtualBox, LXC) can be employed to run the Test Environments.
[Usermode Sandboxing](http://www.malwaretech.com/2014/10/usermode-sandboxing.html)
[Breaking out of secured Python environments](http://tomforb.es/breaking-out-of-secured-python-environments)
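Review bot: `[Sandboxed Execution Environment ](http://pythonhosted.org/python-see)` has a trailing space inside the link text and points to exactly the same URL as its `* [Documentation]` sub-bullet; give the top-level entry a distinct link or drop the sub-bullet. The heading rename from `### Sandbox Bypass` to `### Sandbox Bypass/Escape` changes the generated anchor, so check for any in-document links to the old heading.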
@ -1092,7 +1149,8 @@ Startup folder on Win8
[Why Anti-Virus Software Fails](https://deepsec.net/docs/Slides/2014/Why_Antivirus_Fails_-_Daniel_Sauder.pdf)
[avepoc](https://github.com/govolution/avepoc)
* some pocs for antivirus evasion


+ 43 - 0 Draft/Programming - Languages Libs Courses References.md View File

@ -32,6 +32,16 @@ http://en.cppreference.com/w/c
* 5. Oh, I see.
* 6. How did that ever work?
[x86 Call/Return Protocol](http://pages.cs.wisc.edu/~remzi/Classes/354/Fall2012/Handouts/Handout-CallReturn.pdf)
[Diving deep into Python – the not-so-obvious language parts](http://sebastianraschka.com/Articles/2014_deep_python.html)
[PEP: 551 Title: Security transparency in the Python runtime Version](https://github.com/python/peps/blob/cd795ec53c939e5b40808bb9d7a80c428c85dd52/pep-0551.rst)
[Build an API under 30 lines of code with Python and Flask](https://impythonist.wordpress.com/2015/07/12/build-an-api-under-30-lines-of-code-with-python-and-flask/
#### End Cull
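Review bot: the Flask link on the last added line is missing its closing `)` after the URL, so the markdown link will not render; add it. The PEP entry uses the RST header fields as its title (`PEP: 551 Title: ... Version`); `PEP 551: Security transparency in the Python runtime` reads better. Note also that the PEP link pins one commit of the peps repo, which is stable but will not track later revisions of the document.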
@ -122,6 +132,10 @@ Additionally it includes CPD, the copy-paste-detector. CPD finds duplicated code
[PumaScan](https://github.com/pumasecurity/puma-scan)
* provides real time, continuous source code analysis
[How to find 56 potential vulnerabilities in FreeBSD code in one evening](https://www.viva64.com/en/b/0496/)
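Review bot: the PumaScan description ("provides real time, continuous source code analysis") does not say which language or build environment the tool targets; since this hunk sits inside the PMD/CPD entry (context line `Additionally it includes CPD, the copy-paste-detector`), add the target language so readers can tell the analyzers apart.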
@ -299,6 +313,9 @@ https://en.wikipedia.org/wiki/Java_(programming_language)
[How to C in 2016](https://matt.sh/howto-c)
* [A critique of "How to C in 2016" by Matt](https://github.com/Keith-S-Thompson/how-to-c-response)
[C Right-Left Rule](http://ieng9.ucsd.edu/~cs30x/rt_lt.rule.html)